In this paper we provide an integrated defense solution that enables filtering and admission challenges to be implemented in a distributed manner throughout the network on behalf of the target. The admission challenge is provided through the client puzzles employed at the target. This scuttles any attempt made by the attacker to flood the target because until the client solves the puzzle it isn't granted access to the targets resources. If the attack persists or worsens, then the target could propagate a distress signal upstream to its Internet Service Provider (ISP), who could deploy proxy defenses at the ingress points to the ISP's network on behalf of the target. In general, the target's ISP could request other upstream ISPs to also deploy the defenses for the target by using the pushback technique, so that the attack traffic is blocked as close as possible to the source of the traffic. A key advantage of this proposed approach is that it could enable the defenders to harness greater computational resources in order to counteract the growth in attack power that is becoming available to attackers.

1. A. Juels and J. Brainard, "Client Puzzles: A Cryptographic Defense against Connection Depletion," in NDSS, 1999, pp. 151–165.
2. Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio Stephen T. Kent, and W. Timothy Strayer. Hash-based ip traceback. In Proceedings of the ACM SIGCOMM, pages 3–14, San Deigo
3. Angelos D. Keromytis, Vishal. Misra, and Dan. Rubenstein. SOS: Secure Overlay Services. In Proceedings of ACM SIGCOMM 2002, August 2002.
4. C. Dwork and M. Naor, "Pricing via Processing or Combatting Junk Mail," in Crypto, 1992.
5. CERT, "CERT Advisory CA-2004-02 Email-borne Viruses," http://www. cert. org/advisories/CA-2004-02. html, 2004.
6. Christos Papadopoulos, Robert Lindell, John Mehringer, Alefiya Hussain, and Ramesh Govindan. COSSACK: Coordinated Suppression of Simultaneous Attacks. In Proceeding of Discex III, Washington, DC, USC, April 2003.
7. Cisco Systems. Netflow services and applications. http://www. cisco. com/warp/public/732/netflowCisco Systems. Rmon. http://www. cisco. com/warp/public/614/4. html
8. Drew Dean, Matt Franklin, and Adam Stubblefield. An algebraic approach to IP traceback. In Proceedings of Network and Distributed Systems Security Symposium, San Diego, CA, February 2001.
9. D. Dean and A. Stubblefield, "Using Client Puzzles to Protect TLS," in 10th Annual USENIX Security Symposium, 2001.
10. Dawn X. Song and Adrian Perrig. Advanced and authenticated marking schemes for IP traceback. In Proceedings of the IEEE Infocom, Anchorage, Alaska, April 2001.
11. D. Moore, C. Shannon, and J. Brown, "Code-Red: A Case Study on the Spread and Victims of an InternetWorm," in Internet Measurement Workshop, November 2002.
12. Fu- Yuan Lee, Shiuhpyng shieh. "Defending against spoofed DDOS attack with path fingerprint"-www. elsevier. com/locate/cose
13. Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding attacks. In Proceedings of the IEEE Infocom, New York, NY, June 2002. IEEE.
14. Hal Burch and Bill Cheswick. Tracing anonymous packets totheir approximate source. In Proceedings of the USENIX LISA, pages 319–327, New Orleans, USA, Decemeber 2000. USENIX.
15. I. Clarke, O. Sandberg, B. Wiley, and T. Hong, "Freenet: A Distributed anonymous Information Storage and Retrieval System," Lecture Notes in Computer Science, vol. 2009, pp. 46+, 2001.
16. J. Leiwo, T. Aura, and P. Nikander, "Towards Network Denial of Service Resistant Protocols," in SEC, 2000, pp. 301–310.
17. L. von Ahn, M. Blum, N. Hopper, and J. Langford, "CAPTCHA: Using Hard AI Problems for Security," in Eurocrypt 2003. , 2003.
18. M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D. Wallach, "Security for Peer-to-Peer Routing Overlays," in Proceedings of OSDI, December 2002
19. M. Abadi, M. Burrows, M. Manasse, and T. Wobber, "Moderately Hard, Memory-bound Functions," 2003.
20. Martin Roesch. Snort - lightweight intrusion detection for networks. http://www. snort. org/docs/lisapaper. txt
21. Peter Reiher Jelena Mirkovic, Greg Prier. Attacking DDoS at the source. In Proceedings of the IEEE International Conference on Network Protocols, Paris, France, November 2002.
22. Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker. Controlling high bandwidth aggregates in the network. In ACM Computer Communication Review, July 2001
23. R. Merkle, "Secure Communications Over Insecure Channels," Communications of the ACM, vol. 21, no. 4, April 1978.
24. Robert Stone. Centertrack: An IP overlay network for tracking DoS floods. In Proceedings of the USENIX Security Symposium, pages 199–212, Denver, CO, USA, July 2000. USENIX.
25. [Steven Bellovin. ICMP traceback messages. IETF draft-bellovin-itrace-00. txt
26. S. Crosby and D. Wallach, "Denial of Service via Algorithmic Complexity Attacks," in USENIX Security Symposium, August 2003.
27. Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson. Practical network support for IP traceback. In Proceedings of the ACM SIGCOMM Conference, pages 295–306, Stockholm, Sweeden, August 2000. ACM.
28. S. Staniford, V. Paxson, and N. Weaver, "How to 0wn the Internet in Your Spare Time," in 11th USENIX Security Symposium (Security '02), 2002.
29. Thomer M. Gil and Massimiliano Poletto. MULTOPS: A Data-Structure for bandwidth attack detection. In Proceedings of the USENIX Security Symposium, pages 23–38, Washington, DC, July 2001.
30. Vern Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23–24):2435–2463, Decemeber 1999.
31. Vern Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23–24):2435–2463, Decemeber 1999.

Client Puzzle Pushback Integrated Approach