
A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks

28 Mar 2013 - IEEE Communications Surveys and Tutorials (IEEE) - Vol. 15, Iss. 4, pp. 2046-2069
TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Abstract: Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

Summary

Introduction

  • The authors explore the scope of the DDoS flooding attack problem and attempts to combat it.
  • In February 2000, Yahoo! experienced one of the first major DDoS flooding attacks, which kept the company’s services off the Internet for about 2 hours and incurred a significant loss in advertising revenue [9].
  • The Mydoom virus contained code that instructed thousands of infected computers to access SCO’s website at the same time.
  • Arbor Networks found that there has been around 100% increase in the attack size over 2010, with attacks breaking the 100Gbps barrier for the first time [17].
  • In section V, the authors describe their classification of the defense mechanisms for DDoS flooding attacks and discuss various defense mechanisms against DDoS flooding attacks.

II. DDOS: ATTACKERS’ INCENTIVES

  • DDoS attackers are usually motivated by various incentives.
  • Because of the nature of their incentive, attackers of this category are usually the most technical and the most experienced attackers.
  • Cyberwarfare attackers usually belong to the military or terrorist organizations of a country and are politically motivated to attack a wide range of critical sectors of another country [26], [27].
  • There have been a few papers in the literature that focus on analyzing the attackers’ incentives and how those incentives could be modeled in such a way that decision-making models could be established to stop and respond to these attacks [22], [29].

III. DDOS ATTACK: SCOPE AND CLASSIFICATION

  • The distributed nature of DDoS attacks makes them extremely difficult to combat or traceback.
  • The authors review various DDoS flooding incidents of each category, some of which have been well reviewed/analyzed in [1], [2], [31]–[34], [36] and the rest are recent trends of DDoS flooding attacks.
  • These attacks have been mostly launched using TCP, UDP, ICMP and DNS protocol packets.
  • VoIP flooding can overwhelm a network with packets with randomized or fixed source IP addresses.
  • Attackers send sessions that contain high-workload requests.

IV. BOTNET-BASED DDOS ATTACKS

  • As mentioned earlier, botnets are the dominant mechanisms that facilitate DDoS flooding attacks on computer networks or applications.
  • Handlers can be programs installed on a set of compromised devices (e.g., network servers) that attackers communicate with to send commands.
  • Hence, currently attackers use other methods (e.g., Internet Relay Chat (IRC)) to communicate with their bots in order to send commands and control them.
  • IRC can connect hundreds of clients via multiple servers.
  • Several well-known IRC-based botnet tools have been developed and used over the years for launching DDoS attacks, such as Trinity v3 [46] (conducts UDP, TCP SYN, TCP ACK, and TCP NUL flood attacks) and Kaiten [47] (conducts UDP, TCP, SYN, and PUSH+ACK flood attacks).

V. DDOS DEFENSE: SCOPE AND CLASSIFICATION

  • Usually by the time a DDoS flooding attack is detected, there is nothing that can be done except to disconnect the victim from the network and manually fix the problem.
  • Obviously, it is desirable to respond to the attack flows closer to the sources of the attacks, but there is always a trade-off between accuracy of the detection and how close to the source of attack the prevention and response mechanism can stop or respond to the attack.
  • Moreover, the number of normal packets that reach the victims even when the victims are under a DDoS attack (i.e., in the middle of a DDoS attack) increases when response mechanisms (e.g., packet filtering) drop the attack packets closer to the sources of the attack.
  • The second criterion for classification is the point of time when the DDoS defense mechanisms should act in response to a possible DDoS flooding attack.
  • Based on this criterion the authors classify both defense mechanisms against application-level and network/transport-level DDoS flooding attacks into three categories (i.e., three points of defense against the flooding attack): before the attack (attack prevention), during the attack (attack detection), and after the attack (attack source identification and response) [2].

A. Classification based on the deployment location

  • A.1. Defense mechanisms against network/transport-level DDoS flooding attacks.
  • These mechanisms are deployed inside networks and mainly on the routers of the ASs [78].
  • In the following, the authors discuss the defense mechanisms against application-level DDoS flooding attacks in each of the categories of the first classification criterion.
  • This mechanism uses statistical methods to detect characteristics of HTTP sessions and employs rate-limiting as the primary defense mechanism.
  • Some of the detection mechanisms detect attack flows when the network links are congested to a certain level [77] [126].

VI. DDOS DEFENSE: PERFORMANCE MEASUREMENT METRICS

  • Many mitigation and defense mechanisms to address DDoS attacks have already been proposed in the literature.
  • The strength of a defense mechanism can be measured by various metrics depending on how well it can prevent, detect, and stop the attacks.
  • F. False negative rate (B/(A+B)): Ratio of false negative outcomes of the defense mechanism over total negative outcomes of the defense mechanism.

VII. CYBER-INSURANCE & DDOS FLOODING ATTACK

  • Prevention, protection, and mitigation of cyber attacks solely by a combination of technical and operational/procedural means is not a complete cyber defense strategy.
  • In all of the traditional insurance policies (e.g., earthquake/fire protection) offered by insurance companies, there are some requirements that the property owner should meet (e.g., policies, standards) before obtaining the insurance [138].
  • These steps may include employing various information/network security standards, privacy policies, and information/network security assessment frameworks (e.g., Bell Labs security framework [140], ITU X.805 standard [141], ISO 27002 standard [142]) that most of the time requires significant investments by the IT organizations.
  • Service providers can enforce specific policies to ensure the security of the services their customers receive.

VIII. CONCLUSIONS AND FUTURE DIRECTIONS

  • The authors have presented a comprehensive classification of various DDoS defense mechanisms along with their advantages and disadvantages based on where and when they detect and respond to DDoS flooding attacks.
  • An ideal comprehensive DDoS defense mechanism must have specific features to combat DDoS flooding attacks both in real-time and as close as possible to the attack sources.
  • Furthermore, the collateral damage is high at intermediate networks because there is not enough memory and CPU cycles to profile the traffic.
  • The main challenge in order to achieve this goal is that there should be some economic incentives among different service providers in order to achieve highly cooperative defense mechanisms.
  • The rapid growth of collaborative environments such as Cloud Computing [146] and the Internet of Things (IoT) [147]–[149] leads to a large number of application developments both in and for such environments.


IEEE COMMUNICATIONS SURVEYS & TUTORIALS, ACCEPTED FOR PUBLICATION
A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks
Saman Taghavi Zargar, Member, IEEE, James Joshi, Member, IEEE, and David Tipper, Senior Member, IEEE
Abstract—Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users’ access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks.
In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Index Terms—Distributed Denial of Service (DDoS) flooding attack, intrusion detection systems, intrusion prevention systems, distributed DDoS defense, collaborative DDoS defense.
Manuscript received 3 Jun. 2012; revised 28 Dec. 2012; accepted 11 Feb. 2013; published online Feb. 2013.
S. Taghavi Zargar and D. Tipper are with the Telecommunications and Networking Program, School of Information Sciences, University of Pittsburgh, Pittsburgh, PA 15260 USA e-mail: (stzargar, dtipper@sis.pitt.edu)
J. Joshi is with the School of Information Sciences, University of Pittsburgh, Pittsburgh, PA 15260 USA e-mail: (jjoshi@sis.pitt.edu)
I. INTRODUCTION
Denial of Service (DoS) attacks, which are intended attempts to stop legitimate users from accessing a specific network resource, have been known to the network research community since the early 1980s. In the summer of 1999, the Computer Incident Advisory Capability (CIAC) reported the first Distributed DoS (DDoS) attack incident [1] and most of the DoS attacks since then have been distributed in nature. Currently, there are two main methods to launch DDoS attacks in the Internet. The first method is for the attacker to send some malformed packets to the victim to confuse a protocol or an application running on it (i.e., vulnerability attack [2]). The other method, which is the most common one, involves an attacker trying to do one or both of the following:
(i) disrupt a legitimate user’s connectivity by exhausting bandwidth, router processing capacity or network resources; these are essentially network/transport-level flooding attacks [2]; or
(ii) disrupt a legitimate user’s services by exhausting the server resources (e.g., sockets, CPU, memory, disk/database bandwidth, and I/O bandwidth); these essentially include application-level flooding attacks [3].
Today, DDoS attacks are often launched by a network of remotely controlled, well organized, and widely scattered Zombies¹ or Botnet computers that are simultaneously and continuously sending a large amount of traffic and/or service requests to the target system. The target system either responds so slowly as to be unusable or crashes completely [2], [4]. Zombies or computers that are part of a botnet are usually recruited through the use of worms, Trojan horses or backdoors [5]–[7]. Employing the resources of recruited computers to perform DDoS attacks allows attackers to launch a much larger and more disruptive attack. Furthermore, it becomes more complicated for the defense mechanisms to recognize the original attacker because of the use of counterfeit (i.e., spoofed) IP addresses by zombies under the control of the attacker [8].
Many DDoS flooding attacks have been launched against different organizations since the summer of 1999 [1]. Most of the DDoS flooding attacks launched to date have tried to make the victims’ services unavailable, leading to revenue losses and increased costs of mitigating the attacks and restoring the services. For instance, in February 2000, Yahoo! experienced one of the first major DDoS flooding attacks, which kept the company’s services off the Internet for about 2 hours and incurred a significant loss in advertising revenue [9]. In October 2002, 9 of the 13 root servers² that provide the Domain Name System (DNS) service to Internet users around the world shut down for an hour because of a DDoS flooding attack [10]. Another major DDoS flooding attack occurred in February 2004 that made the SCO Group website inaccessible to legitimate users [11]. This attack was launched by using systems that had previously been infected by the Mydoom virus [11]. The virus contained code that instructed thousands of infected computers to access SCO’s website at the same time. The Mydoom virus code was re-used to launch DDoS flooding attacks against major government, news media and financial websites in South Korea and the United States in July 2009 [12], [13]. In December 2010, a group calling themselves "Anonymous" orchestrated DDoS flooding attacks on organizations such as Mastercard.com, PayPal, Visa.com and PostFinance [14]. The attack brought down the Mastercard, PostFinance, and Visa websites. Most recently, since September 2012, the online banking sites of 9 major U.S. banks (i.e., Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T, and HSBC) have continuously been the targets of a series of powerful DDoS flooding attacks launched by a foreign hacktivist group called Izz ad-Din al-Qassam Cyber Fighters [15]. Consequently, several online banking sites have slowed or ground to a halt before recovering several minutes later.

¹ Those devices (e.g., computers, routers, etc.) controlled by attackers are called zombies or bots, a term which derives from the word "robot." The term bot commonly refers to a software application running as an automated task over the Internet (Wikipedia, "Internet bot").
² DNS root servers translate logical addresses such as www.google.com into a corresponding physical IP address, so that users can connect to websites through more easily remembered names rather than numbers.
Recent advances in DDoS defense mechanisms have put an end to the era in which script-kiddies could download a tool and launch an attack against almost any website. In today’s DDoS attacks, attackers use more complicated methods to launch an attack. Despite all of the efforts towards decreasing the number of DDoS attack incidents, they have expanded rapidly in the frequency and the size of the targeted networks and computers. In a recent survey commissioned by VeriSign, it has been found that 75% of respondents had experienced one or more attacks between July 2008 and July 2009 [16]. Furthermore, a recent report from Arbor Networks³ indicates similar data. In their results, they showed that 69% of the respondents had experienced at least one DDoS attack from October 2009 through September 2010, and 25% had been hit by ten such attacks per month [17]. According to Prolexic Technologies, which offers services to protect against DDoS attacks, there are 7000 DDoS attacks observed daily and they believe this number is growing rapidly [18]. DDoS attacks are also increasing in size, making them harder to defend against. Arbor Networks found that there has been around a 100% increase in the attack size over 2010, with attacks breaking the 100 Gbps barrier for the first time [17]. Therefore, protecting resources from these frequent and large DDoS attacks requires the research community to focus on developing a comprehensive DDoS defense mechanism that can appropriately respond to DDoS attacks before, during and after an actual attack.
Several taxonomies of DDoS attacks and defense mechanisms tailored to particular environments have been proposed in the literature [19]–[21]. Geng et al. focus on aspects of DDoS attacks unique to wireless ad hoc networks in [19]. Wood et al. concentrate on distinct features of DDoS attacks unique to wireless sensor networks in [20].
In this paper, we focus on DDoS flooding attacks and defense mechanisms in wired networked systems. Here, our goal is to categorize the existing DDoS flooding attacks and to provide a comprehensive survey of defense mechanisms categorized based on where and when they detect and respond to DDoS flooding attacks. Such a study of DDoS flooding attacks and the presented survey is important to understand the critical issues related to this important network security problem so as to build more comprehensive and effective defense mechanisms.

³ Arbor Networks’ report includes 111 IP network operators worldwide.
The rest of this paper is organized as follows: In Section
II, we provide some insights into the motivation of attackers
in launching DDoS attacks. In section III, we describe
our categorization of different DDoS flooding attacks. We
categorize DDoS flooding attacks into two types based on the
protocol level that is targeted: network/transport-level attacks
and application-level attacks. Then we enumerate some of
the major attacks in each category. In section IV, we briefly
review the structure of botnets and major botnet types that
could be employed by attackers to launch DDoS flooding
attacks. In section V, we describe our classification of the
defense mechanisms for DDoS flooding attacks and discuss
various defense mechanisms against DDoS flooding attacks.
We classify the defense mechanisms against the two types of
DDoS flooding attacks that we present in section III using
two criteria. First we classify both the defense mechanisms
against network/transport-level DDoS flooding attacks and the
defense mechanisms against application-level DDoS flooding
attacks based on the location where prevention, detection, and
response to the DDoS flooding attacks occur. Then we classify
both types of defense mechanisms based on the point in time
when they prevent, detect, and respond to DDoS flooding
attacks. Finally, we highlight the need for a comprehensive
distributed and collaborative defense solution against DDoS
flooding attacks by enumerating some of the important
advantages of distributed DDoS defense mechanisms over
centralized ones. In section VI, we enumerate some of the
metrics that can be used in evaluating various DDoS defense
mechanisms; we have also qualitatively compared the defense
mechanisms against DDoS flooding attacks based on their
deployment location. In section VII, we briefly describe
the cyber-insurance policies and their role, as part of the
cyber risk management of a complete cyber defense strategy,
against DDoS flooding attacks. Finally, section VIII concludes
our paper and provides some insights for implementing a
comprehensive distributed collaborative defense mechanism
against DDoS flooding attacks.
II. DDOS: ATTACKERS’ INCENTIVES
DDoS attackers are usually motivated by various incentives.
We can categorize DDoS attacks based on the motivation of
the attackers into five main categories:
1) Financial/economical gain: These attacks are a major
concern of corporations. Because of the nature of their
incentive, attackers of this category are usually the most
technical and the most experienced attackers. Attacks
that are launched for financial gain are often the most
dangerous and hard-to-stop attacks.
2) Revenge: Attackers of this category are generally
frustrated individuals, possibly with lower technical
skills, who usually carry out attacks as a response to a
perceived injustice.
3) Ideological belief: Attackers who belong to this category
are motivated by their ideological beliefs to attack their
targets [22]. This category is currently one of the major
incentives for the attackers to launch DDoS attacks. For
instance, political incentives have led to recent sabotages
in Estonia 2007 [23], Iran 2009 [24] and WikiLeaks 2010
[25].
4) Intellectual Challenge: Attackers of this category attack
the targeted systems to experiment and learn how to
launch various attacks. They are usually young hacking
enthusiasts who want to show off their capabilities.
Nowadays, there exist various easy to use attack tools
and botnets to rent that even a computer amateur can
avail of in order to launch a successful DDoS attack.
5) Cyberwarfare: Attackers of this category usually belong
to the military or terrorist organizations of a country
and they are politically motivated to attack a wide
range of critical sections of another country [26],
[27]. The potential targets of these attacks include,
but not limited to, executive civilian departments and
agencies, private/public financial organizations (e.g.,
national/commercial banks), energy/water infrastructures
(e.g., [28]), and telecommunications and mobile service
providers. Cyberwar attackers can be considered as very
well trained individuals with ample resources. Attackers
expend a great deal of time and resources towards
disruption of services, which may severely paralyze a
country and incur significant economic impacts.
There have been a few papers in the literature that focus on
analyzing the attackers’ incentives and how those incentives
could be modeled in such a way that decision-making models
could be established to stop and respond to these attacks [22],
[29]. For instance in [29], the authors aim to model and infer
attackers’ intents, objectives, and strategies in order to provide
a predictive or proactive cyber defense. In a similar study
recently conducted by Fultz et al. [22], attackers’ motives
and behaviors when they are faced with diverse defense
patterns, strategies, and the degree of interdependency have
been analyzed. In doing so, Fultz et al. [22] propose a game
theoretic approach to model security decision-making in which
attackers aim to deny service and defenders try hard to secure
their assets at the same time. Results show that the threat
of prosecution could be enough to prevent an attacker from
attacking the system; however, when the number of attackers
increases, this equilibrium becomes increasingly unbalanced.
One of the fundamental attack prevention methods is to
lessen the attackers’ interests in attacking their targets. For
instance, new policies could be developed and employed.
Hence, studying the attackers’ incentives in launching DDoS
attacks is a promising future research direction. For instance,
researchers can conduct survey or interview studies with
the hackers and cyber-criminals, study recent incidents, and
best/worst prevention/defense practices in order to get some
insights into attackers’ motivations and incentives [30]. Studying
attackers’ incentives helps develop effective policies to prevent
attacks. Such policies should eventually lead to loss of interest
by attackers (e.g., attack targets become either technically
impossible to attack or incur substantial financial losses,
attackers face imprisonment up to life).
III. DDOS ATTACK: SCOPE AND CLASSIFICATION
The distributed nature of DDoS attacks makes them
extremely difficult to combat or traceback. Attackers normally
use spoofed (fake) IP addresses in order to hide their true
identity, which makes the traceback of DDoS attacks even
more difficult. Furthermore, there are security vulnerabilities
in many Internet hosts that intruders can exploit. Moreover,
incidents of attacks that target the application layer are
increasing rapidly. One of the necessary steps towards
deploying a comprehensive DDoS defense mechanism is
to understand all the aspects of DDoS attacks. Various
classifications of DDoS attacks have been proposed in the
literature over the past decade [1], [2], [31]–[34], [36]. In this
survey, we are interested in providing a classification of DDoS
flooding attacks based on the protocol level at which the attack
works. We review various DDoS flooding incidents of each
category, some of which have been well reviewed/analyzed
in [1], [2], [31]–[34], [36] and the rest are recent trends of
DDoS flooding attacks. In this paper, we mainly focus on
DDoS flooding attacks as one of the most common forms of
DDoS attacks. Vulnerability attacks, in which attackers exploit
some vulnerabilities or implementation bugs in the software
implementation of a service to bring that down, are not the
focus of this paper.
As we mentioned earlier, DDoS flooding attacks can be
classified into two categories based on the protocol level that
is targeted:
A. Network/transport-level DDoS flooding attacks: These
attacks have been mostly launched using TCP, UDP, ICMP and
DNS protocol packets. There are four types of attacks in this
category [2], [36]:
A.1 Flooding attacks: Attackers focus on disrupting
legitimate user’s connectivity by exhausting victim network’s
bandwidth (e.g., spoofed/non-spoofed UDP flood, ICMP
flood, DNS flood, VoIP flood, etc. [32], [35]).
A.2 Protocol exploitation flooding attacks: Attackers
exploit specific features or implementation bugs of some of
the victim’s protocols in order to consume excess amounts of
the victim’s resources (e.g., TCP SYN flood, TCP SYN-ACK
flood, ACK & PUSH ACK flood, RST/FIN flood, etc. [32],
[35]).
A.3 Reflection-based flooding attacks: Attackers usually
send forged requests (e.g., ICMP echo request) instead of
direct requests to the reflectors; hence, those reflectors send
their replies to the victim and exhaust victim’s resources (e.g.,
Smurf and Fraggle attacks) [32], [36].
A.4 Amplification-based flooding attacks: Attackers exploit
services to generate large messages or multiple messages for
each message they receive to amplify the traffic towards the
victim. Botnets have been constantly used for both reflection
and amplification purposes. Reflection and amplification
techniques are usually employed in tandem as in the case
of Smurf attack where the attackers send requests with
spoofed source IP addresses (Reflection) to a large number
of reflectors by exploiting IP broadcast feature of the packets
(Amplification) [32], [36].
All of the above attack types with their details have
been well presented in [2], [32], [35], [36]. Hence, we skip
further explanation of these attacks; instead we focus on the
application-level DDoS flooding attacks as they are growing
rapidly and becoming more severe problems as they are
stealthier than the network/transport-level flooding attacks and
they masquerade as flash crowds.
B. Application-level DDoS flooding attacks: These attacks
focus on disrupting legitimate user’s services by exhausting the
server resources (e.g., Sockets, CPU, memory, disk/database
bandwidth, and I/O bandwidth) [3]. Application-level DDoS
attacks generally consume less bandwidth and are stealthier
in nature compared to volumetric attacks since they are
very similar to benign traffic. However, application-level
DDoS flooding attacks usually have the same impact to
the services since they target specific characteristics of
applications such as HTTP, DNS, or Session Initiation
Protocol (SIP). Here we briefly describe the DNS amplification
flooding attack and the SIP flooding attack as two of
the famous application-level reflection/amplification flooding
attacks embracing DNS and SIP protocols. Then we classify
various flavors of application-level flooding attacks that
employ the HTTP protocol since these attacks are consistently
reported as the major types of recent DDoS flooding attacks
[38].
B.1 Reflection/amplification based flooding attacks
[2], [36]: These attacks use the same techniques as
their network/transport-level peers (i.e., sending forged
application-level protocol requests to the large number of
reflectors). For instance, the DNS amplification attack employs
both reflection and amplification techniques. The attackers
(zombies) generate small DNS queries with forged source IP
addresses which can generate a large volume of network traffic
since DNS response messages may be substantially larger than
DNS query messages. Then this large volume of network
traffic is directed towards the targeted system to paralyze
it. Another application-level attack example that employs
reflection technique is VoIP flooding [35]. This attack is a
variation of an application specific UDP flooding. Attackers
usually send spoofed VoIP packets through SIP at a very
high packet rate and with a very large source IP range.
The victim VoIP server has to distinguish the proper VoIP
connections from the forged ones that consume significant
amount of resources. VoIP flooding can overwhelm a network
with packets with randomized or fixed source IP addresses. If
the source IP address has not been changed the VoIP flooding
attack mimics traffic from large VoIP servers and can be very
difficult to identify since it resembles good traffic.
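The reflection/amplification pattern described in A.3, A.4 and B.1 can be recognized at the victim’s edge because only the replies are visible there: the forged queries left the zombies carrying the victim’s address. The following is an added example, not code from the survey; it runs a victim-side check over constructed flow records (RFC 5737 documentation addresses, with the 203.0.113.0/24 prefix assumed to be the victim’s) and flags DNS servers that answer more often than the victim ever asked them.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since the start of the observation window
    src: str
    dst: str
    sport: int
    dport: int
    nbytes: int


# Assumption (constructed): the victim owns the RFC 5737 TEST-NET-3 prefix.
VICTIM_PREFIX = "203.0.113."


def _is_victim(ip):
    return ip.startswith(VICTIM_PREFIX)


def analyze_dns(flows, unsolicited_min=10):
    """Match inbound DNS responses against the queries the victim really sent.

    A server that delivers noticeably more responses than the victim queried
    is acting as a reflector: the missing queries were forged elsewhere with
    the victim's address as source. Returns one record per responding server.
    """
    queries = defaultdict(int)                 # server -> outbound query count
    responses = defaultdict(lambda: [0, 0])    # server -> [reply count, bytes]
    for f in flows:
        if _is_victim(f.src) and f.dport == 53:
            queries[f.dst] += 1
        elif _is_victim(f.dst) and f.sport == 53:
            responses[f.src][0] += 1
            responses[f.src][1] += f.nbytes
    report = {}
    for server, (count, total) in responses.items():
        unsolicited = max(0, count - queries[server])
        report[server] = {
            "queries": queries[server],
            "responses": count,
            "unsolicited": unsolicited,
            "avg_resp_bytes": total // count,   # large answers hint at amplification
            "reflector": unsolicited >= unsolicited_min,
        }
    return report


def reflected_bytes(flows, report):
    """Bytes delivered by flagged reflectors: the inbound DNS volume that an
    edge filter could rate-limit or drop without touching real lookups."""
    flagged = {s for s, r in report.items() if r["reflector"]}
    return sum(f.nbytes for f in flows
               if f.src in flagged and f.sport == 53 and _is_victim(f.dst))


def build_sample_flows():
    """Constructed sample: three legitimate lookups by the victim's resolver and
    one open resolver returning 50 large answers the victim never requested."""
    flows = []
    for i in range(3):
        flows.append(Flow(i * 1.0, "203.0.113.10", "198.51.100.5", 40000 + i, 53, 64))
        flows.append(Flow(i * 1.0 + 0.05, "198.51.100.5", "203.0.113.10", 53, 40000 + i, 180))
    for i in range(50):
        flows.append(Flow(i * 0.1, "192.0.2.7", "203.0.113.10", 53, 50000 + i, 3000))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    verdicts = analyze_dns(sample)
    for server, rec in verdicts.items():
        print(server, rec)
    print("reflected bytes:", reflected_bytes(sample, verdicts))
```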
B.2 HTTP flooding attacks [3], [35], [37], [39]: There are
four types of attacks in this category:
B.2.1 Session flooding attacks: In this type of attack,
session connection request rates from the attackers are higher
than the requests from the legitimate users; hence, this
exhausts the server resources and leads to DDoS flooding
attack on the server. One of the famous attacks in this category
is the HTTP get/post flooding attack (a.k.a., excessive VERB)
[35] in which attackers generate a large number of valid HTTP
requests (get/post) to a victim web server. Attackers usually
employ botnets to launch these attacks. Since each of the bots
can generate a large number of valid requests (usually more
than 10 requests a second) there is no need for a large number
of bots to launch a successful attack. HTTP get/post flooding
attacks are non-spoofed attacks.
B.2.2 Request flooding attacks: In this type of attack,
attackers send sessions that contain more requests than
usual, which leads to a DDoS flooding attack on the
server. One of the well-known attacks in this category is the
single-session HTTP get/post flooding (a.k.a., excessive VERB
single session) [35]. This attack is a variation of the HTTP get/post
flooding attack which exploits the HTTP 1.1 feature that
allows multiple requests within a single HTTP session. Hence,
the attacker can limit the session rate of an HTTP attack and
bypass session rate limitation defense mechanisms of many
security systems.
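The two counts that B.2.1 and B.2.2 together imply a defender must keep, new sessions per source and requests per session, as an added detection sketch that is not code from the survey; the window, the thresholds, the addresses and the synthetic request stream are constructed assumptions.

```python
from collections import defaultdict, deque


class HttpFloodMonitor:
    """Sliding-window counters for HTTP GET/POST floods.

    Two counts are kept so that a bot cannot evade one by staying under
    the other: new sessions per source (session flooding, B.2.1) and
    requests per session (single-session flooding over HTTP 1.1, B.2.2).
    Window and thresholds are illustrative assumptions, not survey values.
    """

    def __init__(self, window=1.0, max_new_sessions=10, max_requests_per_session=10):
        self.window = window
        self.max_new_sessions = max_new_sessions
        self.max_requests_per_session = max_requests_per_session
        self._session_starts = defaultdict(deque)  # src_ip -> session start times
        self._requests = defaultdict(deque)        # session_id -> request times
        self._seen_sessions = set()

    @staticmethod
    def _trim(times, now, window):
        # Drop timestamps that fell out of the sliding window.
        while times and now - times[0] > window:
            times.popleft()

    def observe(self, ts, src_ip, session_id):
        """Account one request; return 'ok', 'session_flood' or 'request_flood'."""
        verdict = "ok"
        if session_id not in self._seen_sessions:
            self._seen_sessions.add(session_id)
            starts = self._session_starts[src_ip]
            self._trim(starts, ts, self.window)
            starts.append(ts)
            if len(starts) > self.max_new_sessions:
                verdict = "session_flood"
        reqs = self._requests[session_id]
        self._trim(reqs, ts, self.window)
        reqs.append(ts)
        if verdict == "ok" and len(reqs) > self.max_requests_per_session:
            verdict = "request_flood"
        return verdict


def constructed_traffic():
    """Synthetic (ts, src_ip, session_id) stream built for this example."""
    events = []
    # A normal client: one session, six requests spread over three seconds.
    events += [(i * 0.5, "192.0.2.10", "normal-1") for i in range(6)]
    # Session flooder: 40 new sessions inside one second, one request each.
    events += [(1.0 + i * 0.025, "192.0.2.20", f"sf-{i}") for i in range(40)]
    # Single-session flooder: one persistent session, 40 requests inside one second.
    events += [(2.0 + i * 0.025, "192.0.2.30", "ss-1") for i in range(40)]
    return sorted(events)


def classify_sources(events, **thresholds):
    """Run the monitor over a stream; return {src_ip: set of non-ok verdicts}."""
    monitor = HttpFloodMonitor(**thresholds)
    flagged = defaultdict(set)
    for ts, src_ip, session_id in events:
        verdict = monitor.observe(ts, src_ip, session_id)
        if verdict != "ok":
            flagged[src_ip].add(verdict)
    return dict(flagged)


if __name__ == "__main__":
    for ip, verdicts in classify_sources(constructed_traffic()).items():
        print(ip, sorted(verdicts))
```

A rate limiter that checks only the first count would pass the third source, which is exactly the evasion the single-session variant relies on.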
B.2.3 Asymmetric attacks: In this type of attack, attackers
send sessions that contain high-workload requests. Here, we
enumerate some of the famous attacks in this category.
B.2.3.a Multiple HTTP get/post flood (a.k.a., multiple VERB
single request) [35]: This attack is also a variation of HTTP
get/post flood attack. Here, an attacker creates multiple HTTP
requests by forming a single packet embedded with multiple
requests and without issuing them one after another within a
single HTTP session [35]. This way, the attacker can still maintain
high loads on the victim server with a low attack packet rate,
which makes the attacker nearly invisible to netflow anomaly
detection techniques. Also, attackers can easily bypass deep
packet inspection techniques if they carefully select the HTTP
VERB.
B.2.3.b Faulty Application [35]: In this attack, attackers
take advantage of websites with poor designs or improper
integration with databases. For instance, they can employ
SQL-like injections to generate requests to lock up database
queries. These attacks are highly specific and effective because
they consume server resources (memory, CPU, etc.).
B.2.4 Slow request/response attacks: In this type of attack,
attackers send sessions that contain high-workload requests.
There are a number of famous attacks in this category that we
describe in the following.
B.2.4.a Slowloris attack (a.k.a, slow headers attack) [40]:
Slowloris is an HTTP get-based attack that can bring down
a Web server using a limited number of machines or even
a single machine. The attacker sends partial HTTP requests
(not a complete set of request headers [41]) that continuously
and rapidly grow, slowly update, and never close. The attack
continues until all available sockets are taken up by these
requests and the Web server becomes inaccessible. Attackers’
source addresses are usually not spoofed.
B.2.4.b HTTP fragmentation attack [35]: Similar to
Slowloris, the goal of this attack is to bring down a Web
server by holding up the HTTP connections for a long time
without raising any alarms. Attackers (bots) (non-spoofed)
establish a valid HTTP connection with a web server. Then
they fragment legitimate HTTP packets into tiny fragments
and send each fragment as slowly as the server timeout allows.
Using this approach, by opening multiple sessions on each bot,
the attacker can silently bring down a Web server with just a
handful of bots.
B.2.4.c Slowpost attack (a.k.a, slow request bodies or
R-U-Dead-Yet (RUDY) attack) [42]: Wong et al. present a very
similar attack to Slowloris that sends HTTP post commands
slowly to bring down Web servers. The attacker sends a
complete HTTP header that defines the "content-length" field
of the post message body, just as it would for benign
traffic. Then it sends the data to fill the message body at a
rate of one byte every two minutes. Hence, the server waits
for each message body to be completed while the Slowpost attack
grows rapidly, which causes the DDoS flooding attack on the
Web server.
B.2.4.d Slowreading attack (a.k.a, slow response attack)
[43]: Shekyan presents another type of attack in this category
which works by slowly reading the response instead of slowly
sending the requests. This attack achieves its purpose by
setting a smaller receive window-size than the target server’s
send buffer. The TCP protocol maintains open connections
even if there is no data communication; hence, the attacker
can force the server to keep a large number of connections
open and eventually cause the DDoS flooding attack on the
server.
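A connection-table classifier for the three slow patterns just described (headers that never complete, a declared body that trickles in, and a tiny receive window while response data is pending), added here as an example and not code from the survey; the snapshot fields, the timeouts, the per-source cap and the client addresses are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnSnapshot:
    """One row of a hypothetical server connection table (fields are assumptions)."""
    conn_id: int
    client_ip: str
    age_s: float                    # seconds since the TCP connection was accepted
    headers_complete: bool          # request line and all headers received
    content_length: Optional[int]   # declared request body length, if any
    body_bytes: int                 # request body bytes received so far
    response_pending: int           # response bytes still queued in the send buffer
    client_window: int              # last TCP receive window advertised by the client


@dataclass(frozen=True)
class Policy:
    """Illustrative thresholds; tune to the server's real timeouts."""
    grace_s: float = 10.0            # do not judge very young connections
    header_timeout_s: float = 20.0   # headers must be complete by this age
    body_min_rate_bps: float = 50.0  # slower declared bodies are treated as stalled
    read_min_window: int = 512       # smaller windows with data pending are suspect
    max_stalled_per_ip: int = 5      # per-source cap on stalled connections


def classify_connection(c: ConnSnapshot, p: Policy = Policy()) -> str:
    """Return 'ok', 'slow_headers' (Slowloris), 'slow_body' (Slowpost/RUDY) or 'slow_read'."""
    if c.age_s < p.grace_s:
        return "ok"
    if not c.headers_complete:
        return "slow_headers" if c.age_s > p.header_timeout_s else "ok"
    if c.content_length is not None and c.body_bytes < c.content_length:
        if c.body_bytes / c.age_s < p.body_min_rate_bps:
            return "slow_body"
    if c.response_pending > 0 and c.client_window < p.read_min_window:
        return "slow_read"
    return "ok"


def stalled_sources(conns, p: Policy = Policy()):
    """Map client IPs holding more than max_stalled_per_ip stalled connections to that count."""
    counts = Counter(c.client_ip for c in conns if classify_connection(c, p) != "ok")
    return {ip: n for ip, n in counts.items() if n > p.max_stalled_per_ip}


# Constructed snapshots; the addresses are documentation ranges, not real hosts.
SNAPSHOTS = (
    [ConnSnapshot(1, "192.0.2.10", 3.0, True, None, 0, 0, 65535)]                # normal page load
    + [ConnSnapshot(2, "192.0.2.11", 12.0, True, 1_000_000, 900_000, 0, 65535)]  # healthy upload
    + [ConnSnapshot(3, "192.0.2.12", 120.0, True, 10_000, 400, 0, 65535)]        # one slow upload
    # Slowloris pattern: six connections from one host, headers incomplete after 90 s
    + [ConnSnapshot(100 + i, "203.0.113.5", 90.0, False, None, 0, 0, 65535) for i in range(6)]
    # RUDY pattern: 10 kB body declared, 5 bytes delivered in 600 s
    + [ConnSnapshot(200 + i, "203.0.113.6", 600.0, True, 10_000, 5, 0, 65535) for i in range(6)]
    # slow-read pattern: 64 kB of response pending, 16-byte receive window
    + [ConnSnapshot(300 + i, "203.0.113.7", 60.0, True, None, 0, 65536, 16) for i in range(6)]
)


if __name__ == "__main__":
    for c in SNAPSHOTS:
        print(c.conn_id, c.client_ip, classify_connection(c))
    print("sources over the per-IP stall cap:", stalled_sources(SNAPSHOTS))
```

The single slow upload from 192.0.2.12 is classified as stalled but never reaches the per-source cap, which is the distinction a non-spoofed slow attack with many parallel connections from one host does not survive.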
The message here is that DDoS, like most malicious
security threats, is multidimensional. One must be prepared
to detect and counter both the more well-known attacks that
aggressively assault systems and the novel attacks that will slip
in and undermine systems before you know what hit them.
IV. BOTNET-BASED DDOS ATTACKS
As mentioned earlier, botnets are the dominant mechanisms
that facilitate DDoS flooding attacks on computer networks
or applications. Most of the recent and most problematic
application layer DDoS flooding attacks have employed
botnets. In this section, we present a comprehensive study of
current botnet architectures and the tools that have been used
to launch DDoS flooding attacks.
According to Peng et al. [32], there are two main reasons
that make the development of an effective DDoS defense
mechanism even more challenging when attackers employ
zombies to launch DDoS flooding attacks. First, the large
number of zombies involved in the attack enables attackers
to make the attacks larger in scale and more disruptive.
Second, zombies’ IP addresses are usually spoofed under
the control of the attacker, which makes it very difficult to
trace back the attack traffic even to the zombies.
Usually a group of zombies that are controlled by an
attacker (a.k.a. Master) form a botnet. Botnets consist of
masters, handlers, and bots (a.k.a. Agents), as depicted in
Figure 1. The handlers are means of communication that
attackers (i.e., masters) use to communicate indirectly with
their bots (i.e., to command and control their army). For
instance, handlers can be programs installed on a set of
compromised devices (e.g., network servers) that attackers
communicate with to send commands. However, most of these
installed programs leave unique footprints behind that are
detectable with current antivirus software. Hence, currently
attackers use other methods (e.g., Internet Relay Chat (IRC))
to communicate with their bots in order to send commands and
control them.
Fig. 1. Elements of a Botnet.
Bots are devices that have been compromised by the handlers.
Bots are those systems that will eventually
carry out the attack on the victim’s system. Figure 1 shows
all the elements of a botnet. Botnets can have hundreds of
various implementations. Based on how bots are controlled by
the masters, botnets are classified into three major categories
[8], [44]: IRC-based, Web-based, and P2P-based. Since the
first two categories have been widely used to launch DDoS
flooding attacks, we briefly explain them and introduce some
of the tools that have been used in each category.
1) IRC-based [45]: IRC is an on-line text-based instant
messaging protocol on the Internet. It has a client/server
architecture with default channels to communicate
between servers. IRC can connect hundreds of clients
via multiple servers. Using IRC channels as handlers,
attackers can use legitimate IRC ports to send commands
to the bots making it much more difficult to track
the DDoS command and control structure. Furthermore,
an attacker can easily hide his presence because of
the large volume of traffic that IRC servers usually
have. Additionally, an attacker can easily share files to
distribute the malicious code. Moreover, attackers can
simply log on to the IRC server and see the list of
all the available bots instead of maintaining their list
locally at their site. The major limitation of botnets with
a centralized command and control (C&C) infrastructure
such as IRC-based botnets is that the servers are a
potential central point of failure. That is, the entire
botnet can be shut down if the defender captures the C&C
servers. Several well-known IRC-based botnet tools have
been developed and used over the years for launching
DDoS attacks such as: Trinity v3 [46] (conducts UDP,
TCP SYN, TCP ACK, and TCP NUL flood attacks), and
Kaiten [47] (conducts UDP, TCP, SYN, and PUSH+ACK
flood attacks).
2) Web-based (a.k.a., HTTP-based [48]): More recently,
botnets have started using HTTP as a communication
protocol to send commands to the bots making it much
more difficult to track the DDoS command and control
structure. Web-based botnets do not maintain connections
