Taking aim at denial-of-service attacks

Arnold G. Reinhold reinhold at world.std.com
Tue May 20 11:03:39 PDT 2003 

One interesting aspect of using proof of work (POW) to protect 
against denial of service attacks is that it can be implemented and 
demonstrated without the need for widespread adoption. The basic idea 
(as I see it) is that the servers that handle end-user PCs have the 
ability to demand proof of work from the end users before accepting 
packets and give priority to the delivery of packets where required 
work has been demonstrated. Higher level servers then give priority 
to packets where POW has been demonstrated.

To establish an initial system, large user, such as the Federal 
Government, a large corporation or a consortium of universities, only 
has to insure that there is chain of POW-aware servers between 
several of its sites. The selected sites should then enjoy protection 
from DOS attacks for inter-site communications and this would be 
evident when such attacks occur. Additional sites could be added 
incrementally and, as long as proper standards are created and 
observed, different networks that adopt POW antiDOS can be linked 
merely by establishing a POW aware path between the nets. Since 
POWawareness would likely be just a software upgrade the technology 
should spread quite rapidly.

Arnold Reinhold


At 4:22 PM -0700 5/16/03, Steve Schear wrote:
>May 13, 2003, 6:01 AM PT
>
>BERKELEY, Calif.--Graduate students from Carnegie Mellon University 
>on Monday proposed two methods aimed at greatly reducing the effects 
>of Internet attacks.
>
>In two papers presented at the IEEE Symposium on Security and 
>Privacy here, the graduate students suggested simple modifications 
>to network software that could defeat denial-of-service attacks and 
>that could be implemented in the current protocol used by the 
>Internet. The symposium, sponsored by the Institute of Electrical 
>and Electronics Engineers, began Sunday and lasts through Wednesday.
>
>......
>
>The puzzle method
>The second presentation, also by a graduate student at Carnegie 
>Mellon, proposes that servers use "puzzles"--problems that take a 
>certain amount of processing time to solve--as a means of taxing any 
>computer that tries to communicate with the server. Such a 
>technique, which has also been suggested as a way to defeat spammers 
>who send unsolicited mass e-mail, would help defend against 
>denial-of-service attacks that attempt to tie up a victim server's 
>memory with hundreds or thousands of connections.
>
>The plan from XiaoFeng Wang asserts that such small tasks would 
>hardly be noticed by legitimate users, while attackers would have to 
>expend far more effort to do any damage. While others have suggested 
>similar methods, Wang added to his proposal an auction-like 
>transaction to further allow legitimate traffic to win out over 
>attacks.
>
>"Our mechanism enables each client to 'bid' for resources by tuning 
>the difficulty of the puzzles it solves and to adapt its bidding 
>strategy in response to apparent attacks," Wang stated in the paper 
>that outlined his findings.
>
>Bellovin also liked this idea but again said that certain issues 
>need to be resolved.
>
>"It will work up to a point," he said. "The problem is that spammers 
>and denial-of-service attacks are not using their own machines. If 
>they need 16 times as many computers, they can--most likely--easily 
>get that many more."
>
>http://news.com.com/2100-1009_3-1001200.html
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cypherpunks-legacy mailing list