Accession Number:

ADA447006

Title:

Mitigating Distributed Denial of Service Attacks in an Anonymous Routing Environment: Client Puzzles and Tor

Descriptive Note:

Master's thesis

Corporate Author:

AIR FORCE INST OF TECH WRIGHT-PATTERSON AFB OH SCHOOL OF ENGINEERING AND MANAGEMENT

Personal Author(s):

Report Date:

2006-03-01

Pagination or Media Count:

122.0

Abstract:

Online intelligence operations use the Internet to gather information on the activities of U.S. adversaries. The security of these operations is paramount, and one way to avoid being linked to the Department of Defense DoD is to use anonymous communication systems. One such system, Tor, makes interactive TCP services anonymous. Tor uses the Transport Layer Security TLS protocol and is thus vulnerable to a distributed denial-of-service DDoS attack that can significantly delay data traversing the Tor network. This research uses client puzzles to mitigate TLS DDoS attacks. A novel puzzle protocol, the Memoryless Puzzle Protocol MPP, is conceived, implemented, and analyzed for anonymity and DDoS vulnerabilities. Consequently, four new secondary DDoS and anonymity attacks are identified and defenses are proposed. Furthermore, analysis of the MPP identified and resolved two important shortcomings of the generalized client puzzle technique. Attacks that normally induce victim CPU utilization rates of 80-100 are reduced to below 70. Also, the puzzle implementation allows for user-data latency to be reduced by close to 50 during a large-scale attack .Finally, experimental results show successful mitigation can occur without sending a puzzle to every requesting client. By adjusting the maximum puzzle strength, CPU utilization can be capped at 70 even when an arbitrary client has only a 30 chance of receiving a puzzle.

Subject Categories:

  • Computer Systems
  • Computer Systems Management and Standards
  • Military Intelligence

Distribution Statement:

APPROVED FOR PUBLIC RELEASE