New Client Puzzle Outsourcing Techniques for DoS Resistance Brent Waters, Stanford University Ari Juels, RSA Laboratories Alex Halderman, Princeton University Ed Felten, Princeton University Client Puzzles • DoS attack the attackers consume resources quickly • May not be enough resources left for a regular client Attackers Server Request Request Request Request Request User Request Client Puzzles • • Client puzzles slow down an attacker by making him solve a moderately hard challenge before granting a resource Typically, partially invert a hash function Attackers Server Request y,z x, where H(x|y)=z User Request y’,z’ x’, where H(x|y)=z Client Puzzles Client Puzzles can potentially be used to protect many different kinds of resources – – – – Email SPAM [DN’92] TCP SYN buffers [JB’99] CPU on SSL connections [JB’99, DS’02] Database Queries • Resource intensive queries • DRM? – IP packets Shortcomings of Client Puzzles 1) Puzzle-solving delay after user request – User must wait for his machine to solve puzzle – Is this a problem? [JB’99] show 1s delay for TCP syn buffer… – However, they do their analysis under 20 attackers – Lesson: Delay depends upon number of attackers and scarcity of resource Shortcomings of Client Puzzles 2) Server hash computation per submitted solution – Hash overhead ~1us computation time – Typically small relative to resource given – Attack by flooding server with incorrect solutions – Impractical if protecting a low level service such as IP layer Our Solution • Outsource puzzle creation – Puzzles created are independent of client or server using them • Solve for access to “channels” on servers – Assume internal routing structure is resistant to eavesdropping Outsourcing Puzzles • Bastion service distributes puzzles – Global Service – Bastion operation is independent of servers and clients using it Scalability 1 2 N Outsourcing Puzzles • Since puzzles are independent of bastion can use robust systems to distribute puzzles • Leverage point 1 2 N Solving for Channels • Client solves for a random channel • Next time period uses solved channel as solution • Solution can be transformed to work on any server Time 507 1 2 N Solving for Channels • Client solves for a random channel • Next time period uses solved channel as solution • Solution can be transformed to work on any server Time 507 507 Solving for Channels • Client solves for a random channel • Next time period uses solved channel as solution • Solution can be transformed to work on any server Time Server A check PKA Server B B 507 507 507 PK 1 507 check 1 507 Attackers and Channels • Attacker can only get resources allotted to channels he has solved puzzles for Attackers 157 678 PKA 157 678 Server A 157 507 678 PKA 507 507 Puzzle Construction • • • • N Channels P(x,d): Puzzle hiding x of difficulty d H : Hash function xi : Randomly chosen each iteration Puzzle for channel i 1 2 Public Key of Server A Xi=gx mod p, P(xi,d) i Y=ga N H(gax ) i Token for channel i on server A Client and Server Operation Time j-1 Client j j+1 Solve puzzle for period j+1 • Pick random channel • Solve puzzle for channel Use solution computed during period j-1 •Have solution xi for channel i •For server with public key Y=ga compute Yx =gax as token for channel i i i Server Compute all N tokens for period j+1 • Public key = ga • For all Xi=gx compute Xia =gax i i •Use tokens computed during period j-1 •Request on channel i, do a quick comparison on token list •Keep track of resources granted per channel Key Points • User does not wait for puzzle to be solved • Bytestring comparison per claimed solution • Primary bottleneck is # of channels the server computes tokens for (exponentiations) – Will improve as processor speeds increase – Can give out Xi before Puz(xi,d) An Example Time cycles of 20 minutes N=20,000 channels ~5% of a high end server’s computing time Set puzzle difficulty so typical machine can have 2 solutions 1,000 attackers with 1,000 solutions; 1/10 of channels Regular user has 2 random channels each 10% chance of being occupied by adversary 1% that both are occupied Prototype Implementation Rate limits number of new TCP connections After SYN packet must wait n seconds before another on channel Sends two previously computed tokens 48 SYN 167 48 298 HTTP Server to simulate Bastion Flooding Attack Experiment Attacker submits several false solutions Comparison to Traditional Client Puzzles Our Approach • Proactive approach; solves puzzles in preparation Traditional Client Puzzles • Enter client puzzle operation in reaction to an attack – Uses resources when not under attack (server & client) • Solution is ready immediately for user request •User waits for client to solve • Bitstring comparison per claimed solution •Hash computation per claimed solution – IP layer Comparison to Traditional Client Puzzles Our Approach • Use solutions at multiple protocols (e.g. TCP, SSL, Database queries) • Number of channels available should increase as servers can do PK operations faster Traditional Client Puzzles • Unclear how should manage protecting multiple protocols Extensions • Identity-Based server public keys • More flexible number of channels per server • Random Beacon for Bastion – Loose universal puzzle property • More efficient PK crypto – Smaller key sizes (key life is shorter) Conclusions • Propose a new client puzzle outsourcing technique for protecting against DoS attacks • Trade off extra average case effort in exchange for low-user delay and efficient solution verification