Mitigating denial of service attacks with password puzzles

The client puzzles have been proposed as an important mechanism in defending against distributed denial-of-service (DDoS) attacks. In this paper we propose a new IP layer client puzzles scheme, password puzzles (PP). In this scheme a puzzle issuer; on the behalf of a receiver, responds to requests with puzzles that a sender must solve before sending in any packet to a receiver. We design two new puzzle types, hash-chain-reversal puzzles and multiple-hash-chains-reversal puzzles, with which a sender is expected to reverse one (multiple) hash chain(s) and send in packets with valid passwords (i.e., solutions of puzzles) to the receiver. Our design achieves three main properties. First, the PP scheme is able to generate puzzles with different difficulties flexibly for various clients. Second, a puzzle issuer is able to generate puzzles at a per-flow and per-packet basis. Third, the PP scheme is able to converge to be a "non-puzzle " protocol.