DocumentCode
3780184
Title
Defeating DDoS using Productive Puzzles
Author
Mehmud Abliz;Taieb F. Znati
Author_Institution
Department of Computer Science, University of Pittsburgh, Pittsburgh, PA, U.S.A
fYear
2015
Firstpage
114
Lastpage
123
Abstract
In this paper, we present Productive Puzzles, a novel puzzle mechanism for defending against Distributed Denial of Service (DDoS) attacks. Productive puzzles aim to use tasks from real applications and services, as opposed to repetitive cryptographic computations that only serve the security purpose, as the work to be completed by the client, therefore making meaningful use of the client resources that would be wasted otherwise. We prove that tight bounds on the probability of successful cheating can be achieved by using only a small number of tasks in a productive puzzle. Hardness of productive puzzles is dynamically adjusted based on the server load and the cost of processing the client's request, consequently making it harder for adversaries to leverage expensive requests in their attacks. Furthermore, a novel cache algorithm is introduced to prevent the puzzle solution replay attack that is a common threat to all puzzle based DDoS defense mechanisms. We evaluate the effectiveness of the productive puzzle scheme in a realistic experimental environment, and show that it provides nearly optimal puzzle based defense against DDoS attacks.
Keywords
"Servers","Computer crime","Mathematical model","Cryptography","Niobium","Computational modeling","Load modeling"
Publisher
ieee
Conference_Titel
Information Systems Security and Privacy (ICISSP), 2015 International Conference on
Type
conf
Filename
7509937