

Type of Document: Master's Thesis
Author: McNevin, Timothy John
Author's Email Address: tmcnevin@vt.edu
URN: etd-04262005-104452
Title: Mitigating Network-Based Denial-of-Service Attacks with Client Puzzles
Degree: Master of Science
Department: Electrical and Computer Engineering

Advisory Committee
- Park, Jung-Min Jerry (Committee Chair)
- Marchany, Randolph C. (Committee Member)
- Midkiff, Scott F. (Committee Member)

Keywords
- Client puzzles
- Denial-of-Service countermeasures
- Distributed Denial-of-Service Attacks
- Denial-of-Service Attacks
Date of Defense: 2005-04-15
Availability: unrestricted

Abstract

Over the past few years, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks have become more of a threat than ever. These attacks are aimed at denying or degrading service for a legitimate user by any means necessary. The need to propose and research novel methods to mitigate them has become a critical research issue in network security. Recently, client puzzle protocols have received attention as a method for combating DoS and DDoS attacks. In a client puzzle protocol, the client is forced to solve a cryptographic puzzle before it can request any operation from a remote server or host. This thesis presents the framework and design of two different client puzzle protocols: Puzzle TCP and Chained Puzzles.
Puzzle TCP, or pTCP, is a modification to the Transmission Control Protocol (TCP) that supports the use of client puzzles at the transport layer and is designed to help combat various DoS attacks that target TCP. In this protocol, when a server is under attack, each client is required to solve a cryptographic puzzle before the connection can be established. This thesis presents the design and implementation of pTCP, which was embedded into the Linux kernel, and demonstrates how effective it can be at defending against specific attacks on the transport layer.
Chained Puzzles is an extension to the Internet Protocol (IP) that utilizes client puzzles to mitigate the crippling effects of a large-scale DDoS flooding attack by forcing each client to solve a cryptographic problem before allowing them to send packets into the network. This thesis also presents the design of Chained Puzzles and verifies its effectiveness with simulation results during large-scale DDoS flooding attacks.
Files
Filename: tjm_thesis.pdf
Size: 1.02 Mb
Approximate Download Time (Hours:Minutes:Seconds):
- 28.8 Modem: 00:04:44
- 56K Modem: 00:02:26
- ISDN (64 Kb): 00:02:08
- ISDN (128 Kb): 00:01:04
- Higher-speed Access: 00:00:05