Distributed Denial-of-Service (DDoS) attacks are becoming a major problem for both the Internet and Internet services. The resulting congestion is caused by malicious hosts that do not obey traditional end-to-end congestion control, so the problem must be handled by routers. Functionality is added to each router to detect, and preferentially drop, packets that probably belong to an attack. In recent years, client puzzles have been advocated as a promising countermeasure to Denial-of-Service (DoS) attacks. In order to identify attackers, the victim server issues a puzzle to the client; when the client is able to solve the puzzle, it is assumed to be authentic and its traffic is allowed into the server. In order to attain the advantages of both pushback and puzzle solving, a hybrid scheme called the router-based pushback technique, which combines both techniques to address DDoS attacks, is proposed. In this proposal, the puzzle-solving mechanism is pushed back to the core routers rather than handled at the victim. The router-based client puzzle mechanism checks whether a host is legitimate by issuing it a puzzle that the client must solve.
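The issue/solve/verify cycle described above, as an added example that is not part of the paper and not the authors' scheme: a hash-reversal client puzzle in which the issuer (whether the victim server or, as the paper proposes, a core router) sends a random nonce and a difficulty, the client searches for a counter whose hash has that many leading zero bits, and the issuer checks the answer with one HMAC and one hash. The function names, the field layout and the use of an HMAC tag so the issuer needs no per-client table are assumptions of this example, not details taken from the paper.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

# Issuer-side secret that binds a puzzle to this issuer without storing
# per-client state (constructed for this example; a deployment would rotate it).
SERVER_KEY = secrets.token_bytes(32)


def _leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _tag(client_id: bytes, nonce: bytes, difficulty: int, expiry: int) -> bytes:
    """MAC over everything the issuer must recognise later (assumed layout)."""
    msg = client_id + nonce + struct.pack(">IQ", difficulty, expiry)
    return hmac.new(SERVER_KEY, msg, "sha256").digest()


def issue_puzzle(client_id: bytes, difficulty: int, ttl: int = 60, now=None) -> dict:
    """Issuer side (server or router): create a puzzle bound to client_id.

    The tag lets the issuer later confirm it really issued this puzzle, with
    this difficulty and expiry, without keeping a table of outstanding puzzles.
    """
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    expiry = now + ttl
    return {"nonce": nonce, "difficulty": difficulty, "expiry": expiry,
            "tag": _tag(client_id, nonce, difficulty, expiry)}


def solve_puzzle(client_id: bytes, puzzle: dict) -> int:
    """Client side: about 2**difficulty hashes on average to find a counter."""
    counter = 0
    while True:
        digest = hashlib.sha256(client_id + puzzle["nonce"] + struct.pack(">Q", counter)).digest()
        if _leading_zero_bits(digest) >= puzzle["difficulty"]:
            return counter
        counter += 1


def verify_solution(client_id: bytes, puzzle: dict, solution: int, now=None) -> bool:
    """Issuer side: constant-cost check, one HMAC plus one hash."""
    now = int(time.time()) if now is None else now
    if now > puzzle["expiry"]:
        return False  # stale puzzle; do not let old solutions be replayed later
    expected = _tag(client_id, puzzle["nonce"], puzzle["difficulty"], puzzle["expiry"])
    if not hmac.compare_digest(expected, puzzle["tag"]):
        return False  # not issued by us, or difficulty/expiry/client altered
    digest = hashlib.sha256(client_id + puzzle["nonce"] + struct.pack(">Q", solution)).digest()
    return _leading_zero_bits(digest) >= puzzle["difficulty"]


if __name__ == "__main__":
    # Constructed client identity (e.g. a source address the router sees).
    cid = b"198.51.100.7"
    p = issue_puzzle(cid, difficulty=16)
    answer = solve_puzzle(cid, p)
    print("solution", answer, "accepted:", verify_solution(cid, p, answer))
```

The asymmetry is the whole point: the client spends roughly 2^difficulty hash evaluations while the issuer spends a fixed, small amount per packet or flow, and because the issuer's own tag carries the difficulty and expiry, a router can verify answers for many clients without keeping per-flow state. Raising the difficulty under load throttles unsolicited traffic; the expiry limits how long a solved puzzle can be reused.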
Keywords: distributed denial-of-service, DDoS attacks, internet control message protocols, ICMP, simulation tools, hacking, internet routers, end-to-end congestion control, client puzzles, router-based pushback techniques, internet hosts, critical infrastructures, defence mechanisms