Revisiting Client Puzzles for State Exhaustion Attacks Resilience

Mohammad A. Noureddine; Ahmed M. Fawaz; Amanda Hsu; Cody Guldner; Sameer Vijay; Tamer Basar; William H. Sanders

doi:10.1109/DSN.2019.00067

Revisiting Client Puzzles for State Exhaustion Attacks Resilience

Mohammad A. Noureddine, Ahmed M. Fawaz, Amanda Hsu, Cody Guldner, Sameer Vijay, Tamer Basar, William H. Sanders

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.

Original language	English (US)
Title of host publication	Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	617-629
Number of pages	13
ISBN (Electronic)	9781728100562
DOIs	https://doi.org/10.1109/DSN.2019.00067
State	Published - Jun 2019
Event	49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 - Portland, United States Duration: Jun 24 2019 → Jun 27 2019

Publication series

Name	Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019

Conference

Conference	49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019
Country	United States
City	Portland
Period	6/24/19 → 6/27/19

Keywords

Denial of Service Attacks
Proof-of-Work
Stackelberg Games
TCP

ASJC Scopus subject areas

Computer Networks and Communications
Safety, Risk, Reliability and Quality
Hardware and Architecture

Access to Document

10.1109/DSN.2019.00067

Fingerprint Dive into the research topics of 'Revisiting Client Puzzles for State Exhaustion Attacks Resilience'. Together they form a unique fingerprint.

Cite this

Noureddine, M. A., Fawaz, A. M., Hsu, A., Guldner, C., Vijay, S., Basar, T., & Sanders, W. H. (2019). Revisiting Client Puzzles for State Exhaustion Attacks Resilience. In Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 (pp. 617-629). [8809536] (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN.2019.00067

Revisiting Client Puzzles for State Exhaustion Attacks Resilience. / Noureddine, Mohammad A.; Fawaz, Ahmed M.; Hsu, Amanda; Guldner, Cody; Vijay, Sameer; Basar, Tamer ; Sanders, William H.

Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019. Institute of Electrical and Electronics Engineers Inc., 2019. p. 617-629 8809536 (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Noureddine, MA, Fawaz, AM, Hsu, A, Guldner, C, Vijay, S, Basar, T & Sanders, WH 2019, Revisiting Client Puzzles for State Exhaustion Attacks Resilience. in Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019., 8809536, Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019, Institute of Electrical and Electronics Engineers Inc., pp. 617-629, 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019, Portland, United States, 6/24/19. https://doi.org/10.1109/DSN.2019.00067

Noureddine MA, Fawaz AM, Hsu A, Guldner C, Vijay S, Basar T et al. Revisiting Client Puzzles for State Exhaustion Attacks Resilience. In Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019. Institute of Electrical and Electronics Engineers Inc. 2019. p. 617-629. 8809536. (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019). https://doi.org/10.1109/DSN.2019.00067

Noureddine, Mohammad A. ; Fawaz, Ahmed M. ; Hsu, Amanda ; Guldner, Cody ; Vijay, Sameer ; Basar, Tamer ; Sanders, William H. / Revisiting Client Puzzles for State Exhaustion Attacks Resilience. Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019. Institute of Electrical and Electronics Engineers Inc., 2019. pp. 617-629 (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019).

@inproceedings{3465dd7e8a894f16aa1f9e58449a7917,

title = "Revisiting Client Puzzles for State Exhaustion Attacks Resilience",

abstract = "In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.",

keywords = "Denial of Service Attacks, Proof-of-Work, Stackelberg Games, TCP",

author = "Noureddine, {Mohammad A.} and Fawaz, {Ahmed M.} and Amanda Hsu and Cody Guldner and Sameer Vijay and Tamer Basar and Sanders, {William H.}",

note = "Funding Information: Acknowledgments. We are grateful for the thoughtful comments and suggestions offered by our shepherd, Doug Blough, and the anonymous reviewers. We would like to thank Jenny Applequist for her editorial comments. This material is based upon work supported in part by the Department of Energy under Award Number DE-OE0000780, in part by the Office of Naval Research (ONR) MURI Grant N00014-16-1-2710, and in part by US Army Research Laboratory (ARL) Cooperative Agreement W911NF-17-2-0196. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof. Publisher Copyright: {\textcopyright} 2019 IEEE.; 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 ; Conference date: 24-06-2019 Through 27-06-2019",

year = "2019",

month = jun,

doi = "10.1109/DSN.2019.00067",

language = "English (US)",

series = "Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "617--629",

booktitle = "Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019",

address = "United States",

}

TY - GEN

T1 - Revisiting Client Puzzles for State Exhaustion Attacks Resilience

AU - Noureddine, Mohammad A.

AU - Fawaz, Ahmed M.

AU - Hsu, Amanda

AU - Guldner, Cody

AU - Vijay, Sameer

AU - Basar, Tamer

AU - Sanders, William H.

N1 - Funding Information: Acknowledgments. We are grateful for the thoughtful comments and suggestions offered by our shepherd, Doug Blough, and the anonymous reviewers. We would like to thank Jenny Applequist for her editorial comments. This material is based upon work supported in part by the Department of Energy under Award Number DE-OE0000780, in part by the Office of Naval Research (ONR) MURI Grant N00014-16-1-2710, and in part by US Army Research Laboratory (ARL) Cooperative Agreement W911NF-17-2-0196. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof. Publisher Copyright: © 2019 IEEE.

PY - 2019/6

Y1 - 2019/6

N2 - In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.

AB - In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.

KW - Denial of Service Attacks

KW - Proof-of-Work

KW - Stackelberg Games

KW - TCP

UR - http://www.scopus.com/inward/record.url?scp=85072130825&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85072130825&partnerID=8YFLogxK

U2 - 10.1109/DSN.2019.00067

DO - 10.1109/DSN.2019.00067

M3 - Conference contribution

AN - SCOPUS:85072130825

T3 - Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019

SP - 617

EP - 629

BT - Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019

Y2 - 24 June 2019 through 27 June 2019

ER -

Revisiting Client Puzzles for State Exhaustion Attacks Resilience

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Cite this