Douglas Stebila
Denial of service paper
April 21, 2009 at 02:10AM Research
Denial of service attacks are where an attacker tries to consume all the resources that a computer, such as a web server, has available -- filling up all of its memory or overloading its processor, for example. One of the most expensive operations that a web server performs is the cryptographic key agreement protocol, where it sets up a secure channel between the user's computer and the web server.
Before doing expensive operations like cryptography or database lookups, a server could request that the user "prove" it's not trying to cause trouble. One way of doing so is to give the user's computer a puzzle to solve, something that might take the user's computer a couple of seconds of hard work to solve, but the solution to which can be verified instantaneously by the server. This way, an attacker has to do a lot of work to create many requests to overload the web server, but a normal user is not too burdened by this requirement. These techniques have been known for some time, but how they should be used has only been studied in an ad hoc fashion.
Our work develops a formal mathematical model for how cryptographic communication protocols should try to resist denial of service attacks by using puzzles, similar to the formal mathematical models for the confidentiality of key agreement. We give a protocol that achieves these goals, and more importantly our framework could be used by many protocols to describe their denial of service resistance properties.
The main project I am working on during my postdoc here at QUT is further studying how to model denial of service, so this paper has been a great start to my work down here.