Rate limiting client puzzle schemes for denial-of-service mitigation

Denial-of-service (DoS) attacks are on the rise in recent years and many cryptographic client puzzle schemes have been proposed for mitigating such attacks. Nonetheless, these schemes lack a strategy for setting the puzzle difficulty parameter which is an important issue for the legitimate users as they should not be unfairly delayed during low server loads. In this paper, we propose a leaky bucket rate limiting queue mechanism to set the puzzle difficulty according to a queue delay. This mechanism will rate limit the number of incoming requests to prevent server overloading. As a result, DoS attackers have to spend more time to solve harder puzzles which reduces their rate of attack success. We compare the effectiveness of the proposed mechanism on both hash reversal and repeated squaring client puzzles. We also demonstrate that the latter provides better DoS resistance as it ensures a lower server load and does not unfairly penalize mobile device users unnecessarily.