Mitigation approach at DDOS attacks using
crypto encoded puzzles
Shahzad Ahmed Malik, Middlesex University
Abstract— This paper is aimed at discussing how DDOS (Distributed Denial of Service) attacks have been the recent and most successful way of computer warfare. While this paper will look insightfully into the existing methods of preventing these attacks, it is also aimed at providing my personal opinions on how they could be prevented, keeping security considerations in mind. This paper will also take a detailed look at how cryptographic puzzles can be used to aid in the mitigation of DDOS, and its advantages and

This paper will conclude that though there are many methods to try and trace back and prevent DDOS, the only way of actually stopping or preventing an attack is by combining many forms of prevention all together in one system. Basically I will stress upon the idea that “Prevention is better than cure”.

Index Terms—Computer Network Security, Computer

I. SO WHAT IS DDOS?

The term DDOS (Distributed Denial of Service) is actually derived from the term DOS (Denial of Service). The main aim of the attack is to take out a victim computer or a target by use of a built army of several hundreds of computers within or outside the network. This method of attack is so successful and destructive because of its widespread effects. The usage of multiple computers, aka master computers, which use other computers, aka zombie computers, to generate voluminous traffic towards the victim is the base of the attack.

Figure 1- Diagram showing the structure of DOS, DDOS and DDOS using reflectors.

There are several ways of causing these attacks, and with the increasing complexity of the networks, the attacks and the means by which they are carried out are growing in complexity too. One of the main reasons for their success, and hence for the growing difficulty in controlling these attacks, lies in the trace back mechanisms. The usage of master and zombie computers within or outside the network, especially with requests made to look as if they were placed by the victim itself, makes the trace back very hard and a nightmare in every system administrator's life. At the point of time when this paper is being written there are many forms and ways of controlling or trace back mechanisms in the form of research by various researchers, and some of them have even been tried and implemented by various security giants including “Symantec Inc.”, “McAfee Inc.”, “Cisco” etc.

II. BASIC WORKING AND VARIOUS FORMS OF DDOS

A. How the DDOS ball was set rolling:

DDOS works on the principle that the attacker takes control of many master computers, and hence, using the software loaded on the master computer, it is used to attract zombie computers to build the army.

Now the term zombie computers is just a name given by attackers to the computers that belong to respectable networks of multinational corporations and universities within or outside
The attacker would also have taken careful notice to ensure that there are not many zombie/slave computers attached to the same reflector, as this prevents trace back of the whole attacking army.

By using this attack, the zombie computers are unaware of their actions or of the data stream packets, requests or otherwise, sent by them through their network. The use of zombie computers makes the trace back of the attacker a very difficult, almost impossible and heavily time consuming task. The recent coming of technology, with the invention of IDS and the combination of the firewall and the IPS systems, has aided the tracking of the packets and also led to the invention of many techniques to prevent the attack while it is still active or, if the attack is already done and gone, to trace it back to a certain permissible degree. The techniques used for these will be explained in the next section, as I will explain the current techniques in place for preventing DDOS attacks.
B. DDOS using reflectors.

As described above, a distributed denial of service (DDOS) attack is performed by the use of masters and slaves, thus complicating the trace back of the attacker and nevertheless making the attack a very successful one.

As more and more methods came up for tracing back these normal DDOS attacks, especially ITRACE, SPIE and probabilistic packet marking, the tracing back of packets sent by the attacking zombie/slave computers became feasible, and implementation and enforcement was a thought at many levels. More on the above quoted trace back mechanisms will be discussed in the next section.
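To make concrete what "tracing back" by packet marking means here, the following is an added simulation of the probabilistic packet marking scheme (node sampling with a distance field, after Savage et al., listed in the references) that this paper returns to in section III.B. It is example code written for this edit, not code from the paper. The router addresses, the path, the marking probability and the packet counts are constructed values; each router keeps no state and only decides, per packet, whether to overwrite the mark, while the victim rebuilds the route from the marks it collects. The last part of the demo also shows why the paper reports that the method failed to scale: a second attacking slave on a different path produces colliding marks at every distance.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    """A packet carrying the PPM mark field: the address written by the last
    sampling router and the number of hops travelled since that write."""
    seq: int
    mark_addr: Optional[str] = None
    distance: int = 0


def router_forward(pkt: Packet, router_addr: str, p: float, rng: random.Random) -> None:
    """Node-sampling step done by one router: with probability p overwrite the mark
    with this router's address and reset the distance to 0, otherwise increment it."""
    if rng.random() < p:
        pkt.mark_addr = router_addr
        pkt.distance = 0
    else:
        pkt.distance += 1


def forward_packets(path: List[str], n_packets: int, p: float, rng: random.Random) -> List[Packet]:
    """Push n_packets along the router path (source side first) and return what the
    victim receives. The sender controls the payload but not the routers' marks."""
    received = []
    for seq in range(n_packets):
        pkt = Packet(seq)
        for addr in path:
            router_forward(pkt, addr, p, rng)
        received.append(pkt)
    return received


def candidates_by_distance(received: List[Packet]) -> Dict[int, Set[str]]:
    """Victim side: group marked router addresses by the distance field.
    Distance d means 'this router is d hops upstream of me'."""
    table: Dict[int, Set[str]] = {}
    for pkt in received:
        if pkt.mark_addr is not None:
            table.setdefault(pkt.distance, set()).add(pkt.mark_addr)
    return table


def reconstruct_path(received: List[Packet]) -> List[str]:
    """Rebuild the route, source side first, from the collected marks.
    Valid when a single path is present, i.e. exactly one router per distance."""
    table = candidates_by_distance(received)
    nearest_first = [sorted(table[d])[0] for d in sorted(table)]
    return list(reversed(nearest_first))


def expected_packets_for_farthest(p: float, hops: int) -> float:
    """Packets the victim expects to need before the router farthest from it
    contributes a surviving mark: the mark must be written (p) and then not be
    overwritten by any of the hops-1 routers after it ((1-p)^(hops-1))."""
    return 1.0 / (p * (1 - p) ** (hops - 1))


def run_demo(seed: int = 1, n_packets: int = 500, p: float = 0.2) -> dict:
    """Constructed scenario: one 5-hop path (RFC 5737 documentation addresses),
    then a second slave on a disjoint path to show mark collisions."""
    rng = random.Random(seed)
    path = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"]
    received = forward_packets(path, n_packets, p, rng)
    second = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4", "198.51.100.5"]
    mixed = received + forward_packets(second, n_packets, p, rng)
    return {
        "path": path,
        "reconstructed": reconstruct_path(received),
        "expected_for_farthest": expected_packets_for_farthest(p, len(path)),
        "collisions": {d: len(s) for d, s in candidates_by_distance(mixed).items()},
    }


if __name__ == "__main__":
    result = run_demo()
    print("true path:       ", result["path"])
    print("reconstructed:   ", result["reconstructed"])
    print("expected packets for farthest router: %.1f" % result["expected_for_farthest"])
    print("candidates per distance with two slaves:", result["collisions"])
```

With one path the victim recovers the full route after a few dozen packets (about twelve are expected for the farthest router at p = 0.2 over five hops); with two slaves every distance already holds two candidate routers, and the number of candidates grows with the number of distinct attack paths, which is the analytical blow-up the paper describes for slaves numbering in the millions.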
In the reflection way of attacking, the attacker makes use of the slaves to send data to freely available web servers or other hosts. “So, for example, all Web servers, DNS servers, and routers are reflectors, since they will return SYN ACKs or RSTs in response to SYN or other TCP packets”. Why these attacks are successful and so difficult to trace back is that the zombie computers send fake requests by spoofing the victim's IP address, so with the available techniques of “reverse IP trace back” the process, as long and tedious as it is, comes back and shows the victim itself.

The limitation also being that, since it is a web server or a free unused host that is being used as a reflector, millions of them are being taken over by the attacker, hence taking the task of trace back to a new horrifying level. In addition the web server/reflector should have maintained clear logs of all the traffic it received on a particular day, which will have to be analysed by contacting hundreds of ISPs, network providers and system administrators.

III. POSSIBLE EXISTING WAYS OF LIMITING THE ATTACKS

A. ITRACE

Bellovin's proposed scheme was initially designed for tracking back packets where the source of the packets that caused the attacks was unknown. In this method the routers that forwarded the data could send ICMP data back to the destinations, and hence with a high volume of traffic flow they would eventually trace back which source the data had come from to the respective router before being routed to the victim that the packet was targeted at.

In this method eventually the ICMP packets would give the location of the zombie/slave computer that was used.

The main limitation of this technique was that it needed a high volume of data to be processed to be sure of the location of the slave, and hence it could not be processed if the attack was not active at that point of time.

B. Probability Packet marking

In this method we are implementing a system in which a set of routers that route data into the main network mark the data packets with a very highly compressed piece of hidden code that the target computer/server can decode. This form of trace back is and has proved to pave the way to many other forms of research, as there are many wider forms of this trace back research going on. In this method the victim is able to trace back the path of every data packet that has been encoded by the packet mark, which will eventually lead to the location of a slave.

This method also eventually failed, as with the coming and usage of reflectors or a massive number of slaves, in the order of millions, the computational data was way too large for analytical or trace back purposes.

C. SPIE

Fig 3-Representation of traffic isolation

This technique is based on the principle that every packet that is going through the router is marked and categorized with a set of hashes. By using this principle a packet's destination, and hence the path it travelled after leaving the router, can be found by sending customized queries to the routers and hence obtaining the path of the same. It technically isolates the packet and puts a unique hash to it so that it can easily be found and traced back. The advantage is that this technique of tracing back can also be used for every small amount of data. Every single packet of data between the victim and a particular router can be queried and its location found. The record of the packet being queried has to be present on the router recording the hashes, and this is only possible and only highly effective in the case of an ongoing attack, when the network traffic is high and in the middle of the action.

IV. PROPOSAL FOR STOPPING ATTACK USING CRYPTO PUZZLES

This proposal is based on the principle that a client requesting services should exhaust its own resources before the server exhausts its own resources. This principle of preventing the attacks was considered very famous and considered a good breakthrough in the field of using game theory.

A. Working Principle

When a server comes under attack it distributes cryptographic puzzles to all the hosts requiring services from the server. By doing this, though we are utilizing the server's computational resources, we are using more of the resources of the host computer that is demanding or requiring services.

The cryptographic puzzles that are being distributed are distributed from the server itself to the hosts demanding service, and they have many subdivisions based on difficulty and also on time, which guarantees legitimate users service while the attacker is kept at bay, as the attacker is lost on how to resolve the puzzle.
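As an added illustration of the working principle just described, and not code from the paper, here is a small client-puzzle exchange in Python in the style of the hash puzzles cited in the references (Aura, Nikander and Leiwo): the server issues a puzzle whose difficulty is chosen from its current load and which expires after a fixed time, the client spends its own CPU to solve it, and the server verifies the answer at constant cost. The puzzle is stateless, so issuing it costs the server one HMAC and no memory per requester, which limits the self-exhaustion problem the paper raises in section IV.B. The client identifier, the load-to-difficulty policy, the server key, the time values and the time-to-live are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed server secret for the example; a deployment would load and rotate it
# from a key store. The puzzle is derived from this key, so clients cannot forge one.
SERVER_KEY = os.urandom(32)
HASH_LEN_BITS = 256


@dataclass(frozen=True)
class Puzzle:
    client_id: str   # assumed identifier of the requester, e.g. its source address
    bits: int        # difficulty: number of leading zero bits the solution hash needs
    expires: int     # absolute expiry (seconds); bounds how long a solution is usable
    nonce: bytes     # server-derived challenge, bound to the three fields above


def _derive_nonce(client_id: str, bits: int, expires: int) -> bytes:
    """Stateless binding: the nonce is an HMAC over everything the puzzle promises,
    so the server can re-derive it at verification time instead of storing it."""
    msg = f"{client_id}|{bits}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:16]


def difficulty_for_load(load: float) -> int:
    """Hypothetical policy mapping server load (0.0 idle .. 1.0 saturated) to a
    difficulty: no puzzle when idle, rising to 20 bits (about a million hashes)."""
    if load < 0.2:
        return 0
    return min(20, 8 + int(load * 12))


def issue_puzzle(client_id: str, bits: int, now: int, ttl: int = 30) -> Puzzle:
    """Server side: one HMAC, no per-client state kept."""
    expires = now + ttl
    return Puzzle(client_id, bits, expires, _derive_nonce(client_id, bits, expires))


def _leading_zero_bits_ok(digest: bytes, bits: int) -> bool:
    return int.from_bytes(digest, "big") >> (HASH_LEN_BITS - bits) == 0


def solve_puzzle(puzzle: Puzzle, max_tries: int = 1 << 26) -> int:
    """Client side: brute-force a counter x such that SHA-256(nonce || x) starts
    with `bits` zero bits. Expected work is 2**bits hashes; the server does none."""
    for x in range(max_tries):
        digest = hashlib.sha256(puzzle.nonce + x.to_bytes(8, "big")).digest()
        if _leading_zero_bits_ok(digest, puzzle.bits):
            return x
    raise RuntimeError("no solution found within the try bound")


def verify_solution(puzzle: Puzzle, solution: int, now: int) -> bool:
    """Server side: constant cost (one HMAC + one SHA-256) regardless of difficulty.
    Rejects expired puzzles and any puzzle whose fields were altered by the client."""
    if now > puzzle.expires:
        return False
    expected = _derive_nonce(puzzle.client_id, puzzle.bits, puzzle.expires)
    if not hmac.compare_digest(expected, puzzle.nonce):
        return False
    digest = hashlib.sha256(puzzle.nonce + solution.to_bytes(8, "big")).digest()
    return _leading_zero_bits_ok(digest, puzzle.bits)


if __name__ == "__main__":
    # Constructed exchange: server under moderate load, client at a documentation address.
    bits = difficulty_for_load(0.5)
    puzzle = issue_puzzle("203.0.113.7", bits, now=1000)
    answer = solve_puzzle(puzzle)
    print("difficulty bits:", bits, "solution:", answer)
    print("accepted in time:", verify_solution(puzzle, answer, now=1010))
    print("accepted after expiry:", verify_solution(puzzle, answer, now=1031))
```

Two points follow from the code rather than from the prose. First, the difficulty and expiry are inputs to the HMAC, so a client that lowers the difficulty or extends the deadline on its own copy of the puzzle fails the nonce check. Second, because the server stores nothing, a solved puzzle is valid until it expires; a server that must reject replays within the time-to-live keeps a small short-lived cache of accepted (client, solution) pairs, which is the only per-client state the scheme needs. Neither property helps against the case the paper lists under disadvantages, a compromised host that legitimately receives the puzzle and solves it with its own CPU.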
The method succeeds in many ways, and in recent studies it has also proved effective, with a proven success rate of more than eighty percent less utilization on routers and more than seventy percent less utilization on individual hosts and servers. This is basically credited to the fact that once the puzzles are released, the users who solve them are given rights or services on the server, and the attackers who are not able to solve the puzzles are not given any service, hence rendering the attack ineffective.

B. Disadvantages and why didn't it work?

The method, though a brilliant one, was yet susceptible and not an ironclad solution to the attacker spoofing the IP address of the host itself. The attacker could take over the zombie/slave computer, hence using the same computational power to solve the cryptographic puzzle.

Yet another disadvantage or hurdle was that the cryptographic puzzle technique only got triggered in the event of an active attack, and if the attacker, as in the reflector technique, did a “divide and rule” and divided the army and attacked the system, the server would continue operation as usual and the system would break down eventually.

Also one of the main and foremost disadvantages was that the system could be turned on itself, as the server could exhaust all its resources generating and routing cryptographic puzzles to all the hosts requesting access as a prerequisite, hence causing a legitimate shut down of itself.

In this paper, keeping in mind the scope and reach of the same, a few of the many methods of trace back have been discussed, but it is the ultimate result and knowledge that, with the ongoing research, a silver bullet or panacea is yet to be discovered for this form of attack.

By the end of this paper I recommend that, keeping the advantages and disadvantages of the various methods in mind, it is better to have a holistic approach and implement a system with a multitude of options built on it, using various methods of prevention and trace back. A cumulative system does not guarantee a complete stop to all attacks, but it does guarantee better protection and readiness.

Having such a combined system also adds to the overhead and to the massive security costs that any institution will have to take the brunt of to provide security for themselves. Hence I conclude this paper by saying that “Prevention is better than

REFERENCES

Tom Spring (2006, June 20) [Online]. “Spam Slayer: Slaying Spam-Spewing Zombie PCs,” PC World.
NIST CSRC SP 800-94 (2007, February). “Guide to Intrusion Detection and Prevention Systems (IDPS)”.
Symantec (2003, February 27) [Online]. Available: http://www.symantec.com/connect/articles/intrusion-prevention-systems-next-step-evolution-ids
S. Bellovin (2000, March) [Online]. “ICMP Traceback Messages,” Available: http://www.research.att.com/smb/papers/draft-bellovin-itrace-00.txt
A. Snoeren, C. Partridge, L. Sanchez, W. Strayer, C. Jones and F. Tchakountio (2001, August), “Hash-Based IP Traceback,” Proc. ACM/SIGCOMM.
S. Savage, D. Wetherall, A. Karlin and T. Anderson (2000, August), “Practical Network Support for IP Traceback,” Proc. ACM/SIGCOMM, pp. 295–306.
Vern Paxson, “An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks,” AT&T Center for Internet Research at ICSI, International Computer Science Institute, Berkeley, CA, USA.
T. Aura, P. Nikander and J. Leiwo (2000, April), “DOS-Resistant Authentication with Client Puzzles,” Cambridge security protocol