BOX 8.3

Attack Diffusion

As noted in Section 2.1 (Interconnected Information Technology Everywhere, All the Time) in this report, increased interconnection creates interdependencies and vulnerabilities. Nevertheless, it may also be possible to leverage such interconnections to defensive advantage.

To illustrate the point, consider a denial-of-service (DOS) attack, which fundamentally depends on volume to saturate a victim.1 Interconnection could, in principle, enable the automatic diffusion of incoming traffic across multiple “absorption servers.” (An absorption server is intended primarily to absorb traffic rather than to provide full-scale services.) While no one would-be victim could reasonably afford to acquire a large enough infrastructure to absorb a large DOS attack, a service company could provide a diffusion infrastructure and make it available to customers. When a customer experienced a DOS attack, it could use its connectivity to shunt the traffic to this diffusion infrastructure.

At least one company provides such a service today. But the approaches are not without potential problems. For example, the Domain Name System may be used to diffuse requests to one of a number of servers. But doing so reveals the destination address of individual absorption servers, which in principle might still leave them vulnerable to attack. Methods to hide the individual absorption servers are known, but they have potential undesirable effects on service under non-attack conditions. Further, automatic attack diffusion can conflict with occasional user or Internet service provider desires for explicit control over routing paths.


1 David D. Clark, “Requirements for a Future Internet: Security as a Case Study,” December 2005; available at

some sort of puzzle. A good puzzle is hard to compute but relatively cheap to check. Examples include calculating a hash function where some bits of the input are specified by the defender, and the output has to have some number of high-order bits that are zeroes. Most such schemes are based on a 1992 proposal by Dwork and Naor22; adaptations to network denial-of-service attacks include TCP Client Puzzles23 and TLS Puzzles.24
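The hash puzzle described above, sketched as an added example (not code from the report or from the cited papers). The choice of SHA-256, the 25-byte challenge layout, the HMAC binding to a client identifier, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

SERVER_KEY = os.urandom(32)   # assumption: secret known only to the defender

def _tag(client_id: bytes, header: bytes) -> bytes:
    return hmac.new(SERVER_KEY, client_id + header, hashlib.sha256).digest()[:16]

def leading_zero_bits(digest: bytes) -> int:
    """Count the high-order zero bits of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def issue_challenge(client_id: bytes, difficulty: int, now: int) -> bytes:
    """Defender-specified input bits: timestamp, difficulty, and a MAC binding
    them to the client, so the server stores nothing per request."""
    header = now.to_bytes(8, "big") + bytes([difficulty])
    return header + _tag(client_id, header)

def solve(challenge: bytes) -> int:
    """Client side: brute force, about 2**difficulty hashes on average."""
    difficulty, counter = challenge[8], 0
    while leading_zero_bits(
            hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()) < difficulty:
        counter += 1
    return counter

def verify(client_id: bytes, challenge: bytes, solution: int,
           now: int, max_age: int = 30) -> bool:
    """Server side: one MAC and one hash, regardless of difficulty."""
    if len(challenge) != 25 or not 0 <= solution < 2**64:
        return False
    header, tag = challenge[:9], challenge[9:]
    if not hmac.compare_digest(tag, _tag(client_id, header)):
        return False          # forged, altered, or issued to another client
    age = now - int.from_bytes(header[:8], "big")
    if not 0 <= age <= max_age:
        return False          # stale challenge: limits precomputation
    digest = hashlib.sha256(challenge + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= header[8]

if __name__ == "__main__":
    cid = b"198.51.100.7"     # constructed sample client identifier
    ch = issue_challenge(cid, difficulty=16, now=1_000)
    s = solve(ch)
    print("solution", s, "accepted:", verify(cid, ch, s, now=1_005))
```

Each additional bit of difficulty doubles the client's expected work while the server's verification cost stays constant. A valid solution can be replayed until the challenge expires, so a deployment would also need to track solutions it has already accepted within that window.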


22 Cynthia Dwork and Moni Naor, “Pricing via Processing or Combatting Junk Mail,” Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology, 740: 139-147, Lecture Notes in Computer Science, Springer-Verlag, London, 1992.


23 A. Juels and J. Brainard, “Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks,” pp. 151-165 in Proceedings of the 1999 Network and Distributed Security Symposium, S. Kent (ed.), Internet Society, Reston, Va., 1999.


24 Drew Dean and Adam Stubblefield, “Using Client Puzzles to Protect TLS,” Proceedings of the 10th Conference on USENIX Security Symposium, 10: 1, 2001, USENIX Association, Berkeley, Calif.; available at
