One interesting aspect of using proof of work (POW) to protect against denial of service attacks is that it can be implemented and demonstrated without the need for widespread adoption. The basic idea (as I see it) is that the servers that handle end-user PCs have the ability to demand proof of work from the end users before accepting packets and give priority to the delivery of packets where required work has been demonstrated. Higher level servers then give priority to packets where POW has been demonstrated. To establish an initial system, large user, such as the Federal Government, a large corporation or a consortium of universities, only has to insure that there is chain of POW-aware servers between several of its sites. The selected sites should then enjoy protection from DOS attacks for inter-site communications and this would be evident when such attacks occur. Additional sites could be added incrementally and, as long as proper standards are created and observed, different networks that adopt POW antiDOS can be linked merely by establishing a POW aware path between the nets. Since POWawareness would likely be just a software upgrade the technology should spread quite rapidly. Arnold Reinhold At 4:22 PM -0700 5/16/03, Steve Schear wrote:
May 13, 2003, 6:01 AM PT
BERKELEY, Calif.--Graduate students from Carnegie Mellon University on Monday proposed two methods aimed at greatly reducing the effects of Internet attacks.
In two papers presented at the IEEE Symposium on Security and Privacy here, the graduate students suggested simple modifications to network software that could defeat denial-of-service attacks and that could be implemented in the current protocol used by the Internet. The symposium, sponsored by the Institute of Electrical and Electronics Engineers, began Sunday and lasts through Wednesday.
......
The puzzle method The second presentation, also by a graduate student at Carnegie Mellon, proposes that servers use "puzzles"--problems that take a certain amount of processing time to solve--as a means of taxing any computer that tries to communicate with the server. Such a technique, which has also been suggested as a way to defeat spammers who send unsolicited mass e-mail, would help defend against denial-of-service attacks that attempt to tie up a victim server's memory with hundreds or thousands of connections.
The plan from XiaoFeng Wang asserts that such small tasks would hardly be noticed by legitimate users, while attackers would have to expend far more effort to do any damage. While others have suggested similar methods, Wang added to his proposal an auction-like transaction to further allow legitimate traffic to win out over attacks.
"Our mechanism enables each client to 'bid' for resources by tuning the difficulty of the puzzles it solves and to adapt its bidding strategy in response to apparent attacks," Wang stated in the paper that outlined his findings.
Bellovin also liked this idea but again said that certain issues need to be resolved.
"It will work up to a point," he said. "The problem is that spammers and denial-of-service attacks are not using their own machines. If they need 16 times as many computers, they can--most likely--easily get that many more."
http://news.com.com/2100-1009_3-1001200.html
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com