A New Approach to Defend against Ddos

We propose a mechanism which combines the advantage of cryptographic client puzzle and hop count filtering as a countermeasure to spoofed DOS attack. Once the communication channel has been established then HCF starts its work wherein an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. We propose a technique that permit the outsourcing of puzzles—their distribution via a robust external service that we call a bastion. Our outsourcings techniques help eliminate puzzle distribution as a point of compromise. Our design has three main advantages over prior approaches. First, it is more resistant to DoS attacks aimed at the puzzle mechanism. Second, it is cheap enough to apply at the IP level, though it also works at higher levels of the protocol stack. Third, it allows clients to solve puzzles online, reducing the need for users to wait while their computers solve puzzles. We implement and evaluate this technique in the Linux kernel, demonstrating its effectiveness with experimental measurements.