Client Puzzle Protocols as Countermeasure against Automated Threats to Web Applications


Abstract

Proof-of-work (PoW) schemes implemented in client puzzle protocols (CPPs) have been proposed as a protection from Denial-of-Service (DoS) attacks against internet-facing servers. A CPP designed to thwart attacks against a certain client-server protocol is layered independently on top of this protocol or is integrated into it. Such a general solution requires a great deal of standardization. On the other hand, different web applications that may also become targets of DoS attacks can be protected by different schemes, which greatly reduces standardization requirements and makes implementations substantially easier. In the present study, we discuss the utility of CPPs as a practical layer of protection of web applications against DoS and other automated threat events. We define several requirements that must be met by such CPPs, and we propose a general concept and a particular PoW algorithm that fulfills these requirements. The general concept includes recursive definition of sub-puzzles and partial server-side solution verification. The proposed PoW algorithm is based on this concept and on hash inversion/collision tasks. We also introduce a few prototype implementations of this algorithm in JavaScript, WebAssembly, Python, and C, and we present the results of some benchmark tests comparing the performances of these implementations on different hardware. These results show that CPPs can provide an effective layer of mitigation against certain automated threats to web applications.

Cite

Bostanov, V. (2021). Client Puzzle Protocols as Countermeasure against Automated Threats to Web Applications. IEEE Access, 9, 75722–75728. https://doi.org/10.1109/ACCESS.2021.3082037
