Mitigating bandwidth-exhaustion attacks using congestion puzzles

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2004, Pages 257-267

  Wang, Xiaofeng ^a   Reiter, Michael K ^b  

^a INDIANA UNIVERSITY   (United States)

^b CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Client puzzle; Denial of service

Indexed keywords

BANDWIDTH; COMPUTER CRIME; CONGESTION CONTROL (COMMUNICATION); INTERNET; NETWORK PROTOCOLS; ROUTERS; SERVERS;

CLIENT PUZZLES; CONGESTION PUZZLES (CP); DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS; INTERNETWORKING;

SECURITY OF DATA;

EID: 14844334596     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1030083.1030118     Document Type: Conference Paper

References (40)

1. The network simulator - ns-2. http://www.isi.edu/nsnam/ns/.
2. Overview of cisco 7500 series router, http://www.cisco.com/en/US/ products/hw/routers/ps359/prod_brochure09186a008009200c.html.
3. M. Abadi, M. Burrow, M. Manasse, and T. Wobber. Moderately hard, memory-bound functions. In Proceedings of the 10th Annual Network and Distributed System Security Symposium, 2003.
4. M. Adler. Tradeoffs in probabilistic packet marking for ip traceback. In Proceedings of 34th ACM Symposium on Theory of Computing (STOC-02), 2002.
5. T. Aura, P. Nikander, and J. Leiwo. Dos-resistant authentication with client puzzles. In Proceedings of the Cambridge Security Protocols Worshop 2000. LNCS, Springer-Verlag, 2000.
6. I. A. N. Authority. ICMP type numbers. November, 2003. http://www.iana.org/assignments/icmp-parameters.
7. M. Bellare and P. Rogaway. Random oracle are practical: A paradigm for designing efficient protocols. In Proceedings of First ACM Annual Conference on Computer and Communication Security, 1993.
8. S. Bellovin, M. Leech, and T. Taylor. The ICMP traceback messages. In Internet-Draft, draft-ietf-itrace-01.txt, December 1999. ftp://ftp.ietf.org/ internet-drafts/draft-ietf-itrace-01.txt.
9. D. Bertsekas and R. Gallager. Data Networks, Prentice-Hall, Englewood-Cliffs, New Jersey, USA, 1992.
10. B. Bloom. Space/time trade-offs in hash coding with allowable errors. Communications of ACM, 13(7):422-426, 1970.
11. H. Burch and B. Cheswick. Tracing anonymous packets to their approximate source. In Unpublished paper, December 1999.
12. Caida. Skitter. 2003. http://www.caida.org/tools/measurement/skitter.
13. D. Dean, M. Franklin, and A. Stubblefield. An algebraic approach to ip traceback. In Proceedings of Network and Distributed System Security Symposium (NDSS-01), February 2001.
14. D. Dean and A. Stubblefield. Using client puzzles to protect tls. In Proceedings of 10th Annual USENIX Security Symposium, 2001.
15. A. Demers, S. Keshav, and S. Shenker. Analysis and simulation of a fair queue algorithm. In Proceedings of ACM SIGCOMM, 1989.
16. W. Feng. The case for tcp/ip puzzles. In Proceedings of ACM SIGCOMM Future Directions in Network Architecture (FDNA-03), 2003.
17. P. Ferguson and D. Senie. RFC 2267: Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing, Jan. 1998. ftp://ftp.internic.net/rfc/rfc2267.txt,ftp://ftp.math.utah.edu/pub/rfc/rfc2267. txt.
18. S. Floyd and K. Fall. Promoting the use of end-to-end congestion control in the internet. IEEE/ACM Transactions on Networking, August 1999.
19. X. Geng and A. Whinston. Defeating distributed denial of service attacks. IEEE IT Professional, 2(4):36-41, July - August 2000.
20. V. Gligor. Guaranteeing access in spite of service-flooding attack. In R. Hirschfeld, editor, Proceedings of the Security Protocols Workshop, Lecture Notes in Computer Science. Springer-Verlag, 2004.
21. J. Ioannidis and S. Bellovin. Implementing pushback: Router-based defense against ddos attacks. In Proceedings of the Symposium on Network and Distributed System Security (NDSS-02), 2002.
22. C. Jin, H. Wang, and K. Shin. Hop-count filtering: An effective defense against spoofed traffic. In Proceedings of ACM CCS, 2003.
23. A. Juels and J. Brainard. Client puzzle: A cryptographic defense against connection depletion attacks. In S.Kent, editor, Proceedings of NDSS'99, pages 151-165, 1999.
24. J. Li, J. Mirkovic, and M. Wang. Save: Source address validity enforcement protocol. In Proceedings of IEEE INFOCOM, 2002.
25. R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker. Controlling high bandwidth aggregates in the network. CCR, 32(3):62-73, July 2002.
26. R. Mahajan, S. Floyd, and D. Wetherall. Controlling high-bandwidth flows at the congested router. In Proceedings of ICNP, November 2001.
27. W. Morein, A. Stavrou, D. Cook, A. Keromytis, V. Misra, and D. Rubenstein. Using graphic turing tests to counter automated ddos attacks against web servers. In Proceedings of ACM CCS, 2003.
28. J. Postel. RFC 792: Internet Control Message Protocol, Sept. 1981. ftp://ftp.internic.net/rfc/rfc792.txt.
29. G. Price. A general attack model on hash-based client puzzles. In Proceedings of the 9th International Conference on Cryptography and Coding, 2003.
30. L. Sanchez, W. Milliken, A. Snoeren, F. Tchakountio, C. Jones, S. Kent, C. Partridge, and W. Strayer. Hardware support for a hash-based ip traceback. In Proceedings of the DARPA Information Survivability Conference and Exposition II, 2001. DISCEX'01.
31. S. Savage, D. Wetherall, A. Karlin, and T. Anderson. Network support for ip traceback. In Proceedings of ACM SIGCOMM, August 2000.
32. D. Schnackenberg, K. Djahandari, and D. Sterne. Infrastructure for intrusion detection and response. In Proceedings of the DARPA Information Survivability Conference and Exposition 2000, March 2000.
33. A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, S. Kent, and W. Strayer. Hash-based ip traceback. In Proceedings of the ACM SIGCOMM, August 2001.
34. D. Song and A. Perrig. Advanced and authenticated marking schemes for ip traceback. In Proceedings of IEEE INFOCOMM, April 2001.
35. I. Stoca, S. Shenker, and H. Zhang. Core-stateless fair queueing: Achieving approximately fair bandwidth allocations in high speed networks. In Proceedings of ACM SIGCOMM, 1998.
36. R. Stone. An ip overlay network for tracking dos floods. In Proceedings of USENIX Security Symposium, 2000.
37. J. Touch. RFC 1810: Report on MD5 performance, June 1995. ftp://ftp.internic.net/rfc/rfc1810.txt.ftp: //ftp.math.utah.edu/pub/rfc/rfc1810. txt.
38. X. Wang and M. Reiter. Defending against denial-of-service attacks with puzzle auctions. In IEEE Symposium on Security and Privacy, May 2003.
39. A. Yaar, A. Perrig, and D. Song. Pi: A path identification mechanism to defend against DDoS attacks. In IEEE Symposium on Security and Privacy, May 2003. http://www.ece.cmu.edu/~adrian/projects/pi.ps.
40. D. Yau, C. Liu, and F. Liang. Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. In Proceedings of IEEE International Workshop on Quality of Service (IWQoS-02), 2002.