Defending web services against denial of service attacks using client puzzles

Figure: CPU usage of Java Metro web service under flooding attack with various puzzle scenarios.


The interoperable and loosely-coupled web services architecture, while beneficial, can be resource-intensive, and is thus susceptible to denial of service (DoS) attacks in which an attacker can use a relatively insignificant amount of resources to exhaust the computational resources of a web service. We investigate the effectiveness of defending web services from DoS attacks using client puzzles, a cryptographic countermeasure which provides a form of gradual authentication by requiring the client to solve some computationally difficult problems before access is granted. In particular, we describe a mechanism for integrating a hash-based puzzle into existing web services frameworks and analyze the effectiveness of the countermeasure using a variety of scenarios on a network test bed. Client puzzles are an effective defence against flooding attacks. They can also mitigate certain types of semantic-based attacks, although they may not be the optimal solution.

Keywords: client puzzles, denial of service attacks, web services
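
A minimal hash-based client puzzle of the kind the abstract describes, as an added example that is not code from the paper. The construction (SHA-256 with leading zero bits, an HMAC tag so the server stays stateless), all names, the sample client address and the 60-second validity window are assumptions, not the authors' scheme.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # per-server secret (constructed for this example)
MAX_AGE = 60                 # seconds a puzzle stays valid (assumed policy)

def _tag(client_id, nonce, bits, issued):
    # Bind difficulty, issue time and client identity so none can be altered.
    msg = b"%d|%d|%d|" % (bits, issued, len(nonce)) + nonce + client_id
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def _zero_bits(nonce, counter):
    digest = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
    return 256 - int.from_bytes(digest, "big").bit_length()

def issue_puzzle(client_id, bits, now=None):
    """Server: hand out a puzzle without storing per-client state."""
    issued = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    return {"nonce": nonce, "bits": bits, "issued": issued,
            "tag": _tag(client_id, nonce, bits, issued)}

def solve(puzzle):
    """Client: brute-force search, about 2**bits hashes on average."""
    counter = 0
    while _zero_bits(puzzle["nonce"], counter) < puzzle["bits"]:
        counter += 1
    return counter

def verify(client_id, puzzle, solution, now=None):
    """Server: one HMAC and one hash, run before any costly request parsing."""
    now = int(time.time()) if now is None else now
    expected = _tag(client_id, puzzle["nonce"], puzzle["bits"], puzzle["issued"])
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return False  # parameters forged, altered, or issued to another client
    if not 0 <= now - puzzle["issued"] <= MAX_AGE:
        return False  # stale puzzle
    if not 0 <= solution < 2**64:
        return False  # outside the 8-byte counter space
    return _zero_bits(puzzle["nonce"], solution) >= puzzle["bits"]

if __name__ == "__main__":
    p = issue_puzzle(b"198.51.100.7", bits=16)  # constructed client address
    s = solve(p)
    print("solution", s, "accepted:", verify(b"198.51.100.7", p, s))
```

Because the server keeps no state here, a solved puzzle can be replayed until it expires; a deployment would also cache accepted nonces for `MAX_AGE` seconds.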

Winner of the best paper award.


Suriadi Suriadi, Douglas Stebila, Andrew Clark, Hua Liu. Defending web services against denial of service attacks using client puzzles. In Proc. 9th IEEE International Conference on Web Services (ICWS) 2011, pp. 25-32. IEEE, July 2011. © IEEE.




This research was supported by:
  • Australia–India Strategic Research Fund (AISRF) project TA020002