A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks
Summary (3 min read)
Introduction
- The authors explore the scope of the DDoS flooding attack problem and attempts to combat it.
- One of the first major DDoS flooding attacks kept the targeted company's services off the Internet for about 2 hours, incurring a significant loss in advertising revenue [9].
- The virus contained code that instructed thousands of infected computers to take part in the attack. (Devices such as computers and routers that are controlled by attackers are called zombies or bots; "bot" derives from the word "robot.")
- Arbor Networks found that attack size roughly doubled (around a 100% increase) over 2010, with attacks breaking the 100 Gbps barrier for the first time [17].
- In section V, the authors describe their classification of the defense mechanisms for DDoS flooding attacks and discuss various defense mechanisms against DDoS flooding attacks.
II. DDOS: ATTACKERS’ INCENTIVES
- DDoS attackers are usually motivated by various incentives.
- Because of the nature of their incentive, attackers of this category are usually the most technical and the most experienced attackers.
- 5) Cyberwarfare: attackers of this category usually belong to the military or terrorist organizations of a country and are politically motivated to attack a wide range of critical sectors of another country [26], [27].
- A few papers in the literature analyze attackers' incentives and model them so that decision-making models can be established to stop and respond to these attacks [22], [29].
III. DDOS ATTACK: SCOPE AND CLASSIFICATION
- The distributed nature of DDoS attacks makes them extremely difficult to combat or trace back.
- The authors review various DDoS flooding incidents of each category, some of which have been well reviewed/analyzed in [1], [2], [31]–[34], [36] and the rest are recent trends of DDoS flooding attacks.
- These attacks have been mostly launched using TCP, UDP, ICMP and DNS protocol packets.
- VoIP flooding can overwhelm a network with packets whose source IP addresses are either randomized or fixed.
- Attackers send sessions that contain high-workload requests.
IV. BOTNET-BASED DDOS ATTACKS
- As mentioned earlier, botnets are the dominant mechanisms that facilitate DDoS flooding attacks on computer networks or applications.
- Handlers can be programs installed on a set of compromised devices (e.g., network servers) that attackers communicate with to send commands.
- Attackers therefore now use other channels (e.g., Internet Relay Chat (IRC)) to send commands to their bots and control them.
- IRC can connect hundreds of clients via multiple servers.
- Several well-known IRC-based botnet tools have been developed and used over the years for launching DDoS attacks, such as Trinity v3 [46] (conducts UDP, TCP SYN, TCP ACK, and TCP NULL flood attacks) and Kaiten [47] (conducts UDP, TCP, SYN, and PUSH+ACK flood attacks).
V. DDOS DEFENSE: SCOPE AND CLASSIFICATION
- Usually by the time a DDoS flooding attack is detected, there is nothing that can be done except to disconnect the victim from the network and manually fix the problem.
- Obviously, it is desirable to respond to the attack flows closer to the sources of the attacks, but there is always a trade-off between accuracy of the detection and how close to the source of attack the prevention and response mechanism can stop or respond to the attack.
- Moreover, dropping attack packets closer to their sources (e.g., by packet filtering) increases the number of legitimate packets that still reach the victims while the attack is in progress.
- The second criterion for classification is the point of time when the DDoS defense mechanisms should act in response to a possible DDoS flooding attack.
- Based on this criterion the authors classify both defense mechanisms against application-level and network/transport-level DDoS flooding attacks into three categories (i.e., three points of defense against the flooding attack): before the attack (attack prevention), during the attack (attack detection), and after the attack (attack source identification and response) [2].
A. Classification based on the deployment location
- A.1. Defense mechanisms against network/transport-level DDoS flooding attacks.
- Network-based mechanisms are deployed inside networks, mainly on the routers of autonomous systems (ASs) [78].
- In the following, the authors discuss the defense mechanisms against application-level DDoS flooding attacks in each of the categories of the first classification criterion.
- This mechanism uses statistical methods to detect characteristics of HTTP sessions and employs rate-limiting as the primary defense mechanism.
- Some of the detection mechanisms detect attack flows only once the network links are congested to a certain level [77], [126].
VI. DDOS DEFENSE: PERFORMANCE MEASUREMENT METRICS
- Many mitigation and defense mechanisms to address DDoS attacks have already been proposed in the literature.
- The strength of a defense mechanism can be measured by various metrics depending on how well it can prevent, detect, and stop the attacks.
- F. False negative rate (B/(A+B)): ratio of the defense mechanism's false negatives (B, attack flows it missed) to all actual attack flows (A+B, where A is the number of attack flows it correctly detected).
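The destination-based application-level mechanism above (statistical profiling of HTTP sessions with rate limiting as the response) and the metrics in this section can be shown together in one piece of code. The following is an added example, not code from the survey or from the mechanisms it cites: it profiles per-source HTTP workload in a 10-second window with a robust median/MAD statistic, polices flagged sources with a token bucket, and scores the detector with the survey's A/B notation. The access-log records, the per-path cost weights, the window length, the bucket rate and burst, and the ground-truth bot list are all constructed for the example.

```python
"""Added example (not code from the survey or the mechanisms it cites):
a destination-side detector that profiles HTTP sessions per source with a
robust statistic, rate-limits the sources it flags with a token bucket, and
scores itself with the survey's confusion-matrix metrics. The log records,
path costs and thresholds are all constructed for illustration."""
from collections import defaultdict
from fractions import Fraction
from statistics import median

WINDOW_SECONDS = 10
PATH_COST = {"/search": 10}          # assumed: one search costs ten cheap page loads
GROUND_TRUTH_BOTS = {"10.0.0.7", "10.0.0.9"}   # constructed ground truth


def constructed_requests():
    """Constructed access-log records (time, source_ip, path) for one 10 s window."""
    reqs = []
    for i, n in enumerate([3, 3, 4, 4, 5, 5, 6, 6], start=1):       # ordinary clients
        reqs += [(Fraction(t * WINDOW_SECONDS, n), f"10.0.1.{i}", "/index") for t in range(n)]
    reqs += [(Fraction(4 * t, 5), "10.0.2.1", "/index") for t in range(12)]  # busy but legitimate NAT
    for ip, n in (("10.0.0.7", 60), ("10.0.0.9", 45)):                 # bots hammering /search
        reqs += [(Fraction(t * WINDOW_SECONDS, n), ip, "/search?q=*") for t in range(n)]
    return sorted(reqs)


def session_workload(requests):
    """Per-source workload: requests weighted by how expensive each path is to serve."""
    load = defaultdict(int)
    for _, src, path in requests:
        load[src] += PATH_COST.get(path.split("?")[0], 1)
    return dict(load)


def detect(load, k=5):
    """Flag sources whose workload exceeds median + k*MAD. Median and MAD are used
    instead of mean and standard deviation so the bots cannot inflate the threshold."""
    values = list(load.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    threshold = med + k * max(mad, 1)        # floor the scale so an all-equal window still works
    return {src for src, v in load.items() if v > threshold}, threshold


class TokenBucket:
    """Token bucket with exact Fraction arithmetic so refills never drift."""
    def __init__(self, rate, burst):
        self.rate, self.burst = Fraction(rate), Fraction(burst)
        self.tokens, self.last = self.burst, Fraction(0)

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + self.rate * (now - self.last))
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def rate_limit(requests, flagged, rate=2, burst=5):
    """Pass unflagged sources untouched; police each flagged source with its own bucket."""
    buckets = {src: TokenBucket(rate, burst) for src in flagged}
    outcome = defaultdict(lambda: [0, 0])    # src -> [allowed, dropped]
    for now, src, _ in requests:
        ok = src not in buckets or buckets[src].allow(now)
        outcome[src][0 if ok else 1] += 1
    return {src: tuple(v) for src, v in outcome.items()}


def evaluate(flagged, sources, truth):
    """Survey notation: A = true positives, B = false negatives, so the false
    negative rate is B/(A+B). C (false positives) and D (true negatives) are
    this example's names for the remaining cells."""
    a, b = len(flagged & truth), len(truth - flagged)
    c, d = len(flagged - truth), len(sources - flagged - truth)

    def ratio(x, y):
        return x / y if y else 0.0

    return {"A_tp": a, "B_fn": b, "C_fp": c, "D_tn": d,
            "detection_rate": ratio(a, a + b),
            "false_negative_rate": ratio(b, a + b),
            "false_positive_rate": ratio(c, c + d)}


def run():
    reqs = constructed_requests()
    load = session_workload(reqs)
    flagged, threshold = detect(load)
    policed = rate_limit(reqs, flagged)
    return load, threshold, flagged, policed, evaluate(flagged, set(load), GROUND_TRUTH_BOTS)


if __name__ == "__main__":
    load, threshold, flagged, policed, metrics = run()
    print(f"workload threshold = {threshold}; flagged = {sorted(flagged)}")
    for src in sorted(flagged):
        print(f"  {src}: allowed/dropped = {policed[src]}")
    print(metrics)
```

The busy NAT gateway is flagged along with the two bots, which is the accuracy trade-off the survey keeps returning to: the detector has a false negative rate of 0 but a false positive rate of 1/9, and the legitimate users behind that gateway are rate-limited to the bucket's 2 requests per second plus the initial burst. Note that the bots are throttled to the same budget rather than blocked outright, so the rate limiter bounds their workload without needing to be certain about them.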
VII. CYBER-INSURANCE & DDOS FLOODING ATTACK
- Prevention, protection, and mitigation of cyber attacks solely by a combination of technical and operational/procedural means is not a complete cyber defense strategy.
- In all of the traditional insurance policies (e.g., earthquake/fire protection) offered by insurance companies, there are some requirements that the property owner should meet (e.g., policies, standards) before obtaining the insurance [138].
- These steps may include adopting various information/network security standards, privacy policies, and information/network security assessment frameworks (e.g., the Bell Labs security framework [140], the ITU X.805 standard [141], and the ISO 27002 standard [142]), which most of the time require significant investment by IT organizations.
- Service providers can enforce specific policies to ensure the security of the services their customers receive.
VIII. CONCLUSIONS AND FUTURE DIRECTIONS
- The authors have presented a comprehensive classification of various DDoS defense mechanisms along with their advantages and disadvantages based on where and when they detect and respond to DDoS flooding attacks.
- An ideal comprehensive DDoS defense mechanism must have specific features to combat DDoS flooding attacks both in real-time and as close as possible to the attack sources.
- Furthermore, collateral damage is high at intermediate networks because they lack the memory and CPU cycles needed to profile the traffic.
- The main challenge in order to achieve this goal is that there should be some economic incentives among different service providers in order to achieve highly cooperative defense mechanisms.
- The rapid growth of collaborative environments such as Cloud Computing [146] and the Internet of Things (IoT) [147]–[149] leads to a large number of application developments both in and for such environments.
Frequently Asked Questions (13)
Q2. What is the main limitation of botnets with a centralized command and control infrastructure?
The major limitation of botnets with a centralized command and control (C&C) infrastructure, such as IRC-based botnets, is that the C&C servers are a potential single point of failure.
Q3. What are some of the popular policies associated with obtaining cyber-insurance?
Service Level Agreements (SLAs) are currently one of the popular policy practices associated with obtaining cyber-insurance (e.g., IntruGuard [143], Neustar SiteProtect [144], and Cisco service provider infrastructure security techniques [145]).
Q4. What are the main challenges of implementing traceback?
One of the fundamental deployment and operational challenges is ensuring a sufficient number of routers that support traceback before it is effective.
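The deployment challenge in this answer can be made concrete with a simulation of one traceback scheme. The following is an added example, not the survey's code: it models node-sampling probabilistic packet marking (PPM), in which each marking-capable router overwrites a single mark field in the packet with its own address with probability p, and the victim orders routers by how often their marks survive. The six-router path, the marking probability of 0.2, the packet count and the spoofed mark value are constructed for the example.

```python
"""Added example (not the survey's code): a simulation of node-sampling
probabilistic packet marking (PPM), one IP traceback scheme, showing why a
sufficient fraction of marking-capable routers matters and what an attacker
can do to the mark field. Topology, marking probability and the spoofed
mark are constructed for illustration."""
import random
from collections import Counter

# Constructed attack path from the attacker to the victim; R1 is nearest the attacker.
PATH = ["R1", "R2", "R3", "R4", "R5", "R6"]
MARK_PROB = 0.2   # p: a marking router overwrites the mark field with this probability


def send_packets(path, marking_routers, n, rng, spoofed_mark=None):
    """Forward n packets along the path. Each marking-capable router overwrites the
    single mark field with probability MARK_PROB; routers without traceback support
    forward the field untouched. spoofed_mark models an attacker pre-filling the
    field. Returns the mark counts observed at the victim."""
    seen = Counter()
    for _ in range(n):
        mark = spoofed_mark
        for router in path:
            if router in marking_routers and rng.random() < MARK_PROB:
                mark = router
        if mark is not None:
            seen[mark] += 1
    return seen


def reconstruct(seen):
    """Victim-side reconstruction: a marking router d marking hops upstream survives
    overwriting with probability p(1-p)^(d-1), so sorting marks by frequency
    (descending) yields the path from the victim outward."""
    return [router for router, _ in seen.most_common()]


def simulate(marking_routers, spoofed_mark=None, n=20000, seed=1):
    seen = send_packets(PATH, set(marking_routers), n, random.Random(seed), spoofed_mark)
    return reconstruct(seen), seen


if __name__ == "__main__":
    print("full deployment   :", simulate(PATH)[0])
    print("R2, R5 not marking:", simulate(["R1", "R3", "R4", "R6"])[0])
    print("spoofed mark field:", simulate(PATH, spoofed_mark="6.6.6.6")[0])
```

With every router marking, the victim recovers the whole path in order. When R2 and R5 lack traceback support they simply never appear, and the victim cannot tell that hops are missing from what it reconstructs, which is the point of the answer above. The third run shows a second caveat specific to node sampling: an attacker who pre-fills the mark field sees that value survive with probability (1-p)^6, higher than any real router's mark, so it sorts to the front as if it were the router nearest the victim. Edge-sampling variants of PPM, which carry a hop-distance field that every marking router increments, were introduced to remove exactly this weakness.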
Q5. What is the dropping threshold for the selective packet discarding method?
The dropping threshold for the packet discarding method is dynamically adjusted based on (1) the score distribution of recent incoming packets and (2) the current level of overload of the system.
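The two inputs to that dynamic threshold are easiest to see in code. The following is an added example, not code from the survey or from the packet-scoring work it cites: packets are scored by a log-likelihood ratio of a peacetime attribute profile against the profile of the current window, and the dropping threshold is set at the score of the k-th lowest packet, where k is the excess of arrivals over capacity, so it moves with both the score distribution and the overload level. The attribute set, the smoothing constant, the benign-packet generator, the flood packet and the capacity of 300 packets per window are all constructed for the example.

```python
"""Added example (not code from the survey or the packet-scoring work it
cites): score-based selective packet discarding whose dropping threshold
follows (1) the score distribution of the packets in the current window and
(2) how far arrivals exceed capacity. Scores are a log-likelihood ratio of a
peacetime profile against the current window. The packet generator, the
attack packet and the capacity figure are constructed for illustration."""
import math
import random
from collections import Counter

ATTRIBUTES = ("proto", "ttl_bucket", "size_bucket")
SMOOTH = 8                     # assumed alphabet size per attribute, for add-one smoothing
ATTACK_PACKET = {"proto": "udp", "ttl": 250, "len": 1024}   # constructed flood packet


def attributes(pkt):
    """Coarsen raw header fields into the attribute values that get profiled."""
    return {"proto": pkt["proto"], "ttl_bucket": pkt["ttl"] // 32,
            "size_bucket": min(pkt["len"] // 256, 5)}


def build_profile(packets):
    """Per-attribute value counts. Run on peacetime traffic this is the nominal
    profile; run on the current window it is the profile of recent arrivals."""
    prof = {a: Counter() for a in ATTRIBUTES}
    for p in packets:
        for a, v in attributes(p).items():
            prof[a][v] += 1
    return prof


def smoothed(counter, value):
    return (counter[value] + 1) / (sum(counter.values()) + SMOOTH)


def score(pkt, nominal, current):
    """Sum over attributes of log(P_nominal / P_current): near zero or positive for
    traffic that looks like peacetime, strongly negative for an attribute mix that
    only surged during the current window."""
    return sum(math.log(smoothed(nominal[a], v) / smoothed(current[a], v))
               for a, v in attributes(pkt).items())


def selective_discard(window, nominal, capacity):
    """Return (keep flags, dropping threshold, overload fraction). The threshold is
    the score of the k-th lowest packet, k being the excess over capacity, so the
    cut moves with both the score distribution and the overload level."""
    if not window:
        return [], -math.inf, 0.0
    current = build_profile(window)
    scores = [score(p, nominal, current) for p in window]
    excess = max(0, len(window) - capacity)
    order = sorted(range(len(window)), key=lambda i: scores[i])  # stable: ties by arrival
    dropped = set(order[:excess])
    threshold = scores[order[excess - 1]] if excess else -math.inf
    return [i not in dropped for i in range(len(window))], threshold, excess / len(window)


def constructed_legit(rng, n):
    """Constructed benign packets: mostly TCP, TTL 64 or 128, sizes spread 40..1500."""
    protos = ["tcp"] * 80 + ["udp"] * 15 + ["icmp"] * 5
    return [{"proto": rng.choice(protos), "ttl": rng.choice((64, 128)),
             "len": rng.randint(40, 1500)} for _ in range(n)]


def build_nominal(seed=1):
    return build_profile(constructed_legit(random.Random(seed), 1000))


def simulate(capacity=300, seed=2):
    """One overloaded window: 200 benign packets mixed with 300 flood packets."""
    rng = random.Random(seed)
    nominal = build_nominal()
    legit = [dict(p, kind="legit") for p in constructed_legit(rng, 200)]
    attack = [dict(ATTACK_PACKET, kind="attack") for _ in range(300)]
    window = legit + attack
    rng.shuffle(window)
    keep, threshold, overload = selective_discard(window, nominal, capacity)
    kept = Counter(p["kind"] for p, k in zip(window, keep) if k)
    return dict(kept), threshold, overload


def quiet_window(capacity=300, seed=3):
    """Benign-only window below capacity: no overload, so nothing is discarded."""
    window = constructed_legit(random.Random(seed), 100)
    keep, threshold, overload = selective_discard(window, build_nominal(), capacity)
    return all(keep), threshold, overload


if __name__ == "__main__":
    kept, threshold, overload = simulate()
    print(f"overload={overload:.2f} threshold={threshold:.2f} kept={kept}")
    print("quiet window, all kept:", quiet_window()[0])
```

In the overloaded window the 300 identical flood packets share one very negative score (their TTL bucket never occurred in peacetime), so the 200 packets over capacity are all taken from the flood and every benign packet survives. Two properties worth noting: with no overload the threshold is minus infinity and nothing is dropped even if odd-looking packets are present, and because the window's own profile is the comparison baseline, a flood that closely mimics the peacetime attribute mix would score near the benign packets and the discard would become indiscriminate, which is the limit of any profile-based scorer.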
Q6. What are the main reasons why private individuals and organizations are reluctant towards cyber-insurance?
Most private individuals and organizations are reluctant to make these investments because they believe the investments will not be entirely effective: most of their systems are connected to outside systems through the Internet or other networked environments, those outside systems may be insecure, and hence may put their own systems at risk [138].
Q7. What are the main reasons that make the development of an effective DDoS defense mechanism even more challenging?
According to Peng et al. [32], there are two main reasons that make the development of an effective DDoS defense mechanism even more challenging when attackers employ zombies to launch DDoS flooding attacks.
Q8. What are the main problems of the capability-based mechanisms?
As the authors mentioned earlier, to prove the effectiveness of capability-based mechanisms one must first suggest a practical way to secure the capability setup channel, as well as an efficient algorithm for choosing which capabilities to offer to unknown sources; both are challenging problems to address.
Q9. What is the classification of the defense mechanisms against network/transport-level DDoS flooding attacks?
The authors classify the defense mechanisms against network/transport-level DDoS flooding attacks into four categories: source-based, destination-based, network-based, and hybrid (a.k.a. distributed) and the defense mechanisms against application-level DDoS flooding attacks into two categories: destination-based, and hybrid (a.k.a. distributed) based on their deployment location.
Q10. What are the mechanisms that aim to mark legitimate packets at each router?
These mechanisms aim to mark legitimate packets at each router along their path to the destination so that victims’ edge routers can filter the attack traffic.
Q11. What is the main reason why attackers use zombies to launch DDoS flooding attacks?
A large number of zombies involved in the attack lets attackers make the attacks larger in scale and more disruptive.
Q12. What is the classification of the defense mechanisms against network-level DDoS flooding attacks?
Based on this criterion the authors classify both defense mechanisms against application-level and network/transport-level DDoS flooding attacks into three categories (i.e., three points of defense against the flooding attack): before the attack (attack prevention), during the attack (attack detection), and after the attack (attack source identification and response) [2].
Q13. What is the main reason why attackers use IRC to communicate with their bots?
Attackers currently use other methods (e.g., Internet Relay Chat (IRC)) to communicate with their bots in order to send commands and control them.