Journal: International Journal of Information Security
A multi-layer framework for puzzle-based denial-of-service defense

Abstract

Client puzzles have been advocated as a promising countermeasure to denial-of-service (DoS) attacks in recent years. However, how to operationalize this idea in network protocol stacks still has not been sufficiently studied. In this paper, we describe our research on a multi-layer puzzle-based DoS defense architecture, which embeds puzzle techniques into both end-to-end and IP-layer services. Specifically, our research results in two new puzzle techniques: puzzle auctions for end-to-end protection and congestion puzzles for IP-layer protection. We present the designs of these approaches and evaluations of their efficacy. We demonstrate that our techniques effectively mitigate DoS threats to IP, TCP and application protocols; maintain full interoperability with legacy systems; and support incremental deployment. We also provide a game theoretic analysis that sheds light on the potential to use client puzzles for incentive engineering: the costs of solving puzzles on an attacker's behalf could motivate computer owners to more aggressively cleanse their computers of malware, in turn hindering the attacker from capturing a large number of computers with which it can launch DoS attacks.