Revisiting Client Puzzles for State Exhaustion Attacks Resilience

Abstract: In this paper, we address the challenges facing the adoption of client puzzles as means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting the flood rate of malicious attackers while allocating resources for legitimate clients. Our results illustrate the benefits that the servers and clients amass from the deployment of TCP client puzzles and incentivize their adoption as means to enhance tolerance to multi-vectored DDoS attacks