Revisiting Client Puzzles for State Exhaustion Attacks Resilience
Mohammad A. Noureddine, Ahmed Fawaz, Tamer Basar, William H. Sanders

TL;DR
This paper models and implements client puzzles within TCP to defend against state exhaustion DDoS attacks, demonstrating their effectiveness in experimental evaluations.
Contribution
It introduces a game-theoretic approach to select puzzle difficulties and implements client puzzles in Linux TCP, showing improved attack resilience.
Findings
Client puzzles increase TCP handshake resilience to DDoS attacks.
The Stackelberg game approach optimizes puzzle difficulty for better defense.
Experimental results confirm the effectiveness of the solution.
Abstract
In this paper, we address the challenges facing the adoption of client puzzles as means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting the flood rate of malicious attackers while allocating resources for legitimate clients. Our results illustrate the…
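To make the mechanism in the abstract concrete, here is an added sketch of a generic hash-based client puzzle with stateless server-side verification. It is not the paper's construction or its Linux kernel code; the function names, the HMAC-derived nonce, the 30-second lifetime and the sample addresses are all assumptions made for illustration.

```python
import hashlib, hmac, os, struct, time

SERVER_KEY = os.urandom(32)  # constructed demo secret; a real server would rotate it
MAX_AGE = 30                 # assumed challenge lifetime, seconds

def zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def nonce_for(flow, ts, difficulty):
    """Recomputable nonce bound to the flow, time and difficulty: no per-client state."""
    msg = repr(flow).encode() + struct.pack("!QB", ts, difficulty)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:16]

def make_challenge(flow, difficulty, now=None):
    """Server: answer a connection request with (ts, difficulty, nonce), storing nothing."""
    ts = int(time.time() if now is None else now)
    return ts, difficulty, nonce_for(flow, ts, difficulty)

def solve(nonce, difficulty):
    """Client: brute-force search, about 2**difficulty hashes on average."""
    tries = 0
    while True:
        solution = struct.pack("!Q", tries)
        tries += 1
        if zero_bits(hashlib.sha256(nonce + solution).digest()) >= difficulty:
            return solution, tries

def verify(flow, ts, difficulty, solution, now=None):
    """Server: one HMAC and one hash; only on True is connection state allocated.
    `difficulty` is the server's own policy value, never a client-supplied field."""
    now = time.time() if now is None else now
    if not 0 <= now - ts <= MAX_AGE:
        return False  # stale or future-dated challenge
    digest = hashlib.sha256(nonce_for(flow, ts, difficulty) + solution).digest()
    return zero_bits(digest) >= difficulty

if __name__ == "__main__":
    flow = ("198.51.100.7", 40000, "203.0.113.1", 443)  # constructed 4-tuple
    ts, k, nonce = make_challenge(flow, 12)
    solution, tries = solve(nonce, k)
    print(f"k={k}: solved after {tries} hashes, accepted={verify(flow, ts, k, solution)}")
```

Each extra bit of difficulty doubles the client's expected work while the server's verification cost stays constant, which is the asymmetry that rate limits a flood.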
