Implementation and Performance Analysis of IP-Layer Chained Puzzles

As Distributed Denial-of-Service attacks become more prevalent and sophisticated, a promising new mechanism designed to defeat these attacks is client puzzles. Client puzzles force a computational load on clients before their traffic is forwarded thereby slowing the rate at which a client can inject traffic into the network. Chained puzzles are a type of IP-layer puzzle that require a series of puzzles to be solved while relieving servers of the burden of generating puzzles, thus reducing overhead on the router, an objective critical to the success of any puzzle mechanism. In this paper, we describe details of our implementation of IPlayer chained puzzles in the Linux kernel and provide results and analysis of puzzle overhead incurred by kernels running the protocol. We also demonstrate the effectiveness of chained puzzles to reduce the rate at which clients can send packets into the network and show that chained puzzles can effectively defeat a Denial-of-Service attack.