DDos Is Not Just About Attacking Servers 1

The document discusses DDoS attacks, including how they work, methods to detect and prevent them, and challenges faced. It covers traditional detection methods like signature-based and anomaly-based detection as well as modern AI-based methods. Prevention techniques include traffic filtering, load balancing, and collaborative defense. The document also examines attacks from the attacker's perspective and proposes solutions like machine learning model diversity and encrypted traffic inspection.

Faculty of Information Technology

Information Technology and Computer Science Department


Comp432
Computer Security

Prepared by:
Saleh Marmash Student no.1193300
Majed Alghoul Student no.1202940
Wael Ziada Student no.1191085

Instructor: Dr. Mohammad Alkhanafseh

Section: Sec.1
Date: 2024/Jan/09
Abstract
This research project aims to shed light on Distributed Denial of Service (DDoS) attacks. DDoS
attacks are like digital traffic jams that aim to disrupt websites or online services. We explore how these
attacks work, the methods to detect and prevent them, and the challenges faced by both defenders and
attackers.

In the introduction, we explain that DDoS attacks overwhelm websites by flooding them with traffic from
various sources. We highlight the impact on businesses causing disruptions and financial losses. We
compare DDoS attacks to traditional denial-of-service attacks and describe them as a group effort by
compromised devices.

The section on detection methods covers both traditional and modern approaches. Traditional methods
include signature-based detection and anomaly-based detection. We then delve into the power of
artificial intelligence (AI) in recognizing patterns within network traffic. We explain the basics of AI,
including supervised and unsupervised learning.

Moving on to prevention, we discuss strategies to guard websites against DDoS attacks. We use simple
analogies, like setting up strong guards and smart rules. Traffic filtering, load balancing, CAPTCHA, and
collaborative defense mechanisms are explained as tools to keep websites safe from unwanted digital
visitors.

We also explore DDoS attacks from the attacker's perspective. We break down how attacks start, why
attackers use a network of compromised devices, and how they try to avoid being caught. The need for
constant innovation in security measures is highlighted.

The project concludes with possible solutions to counteract sophisticated attacks. We suggest using
diverse machine learning models, involving both AI and human analysis, inspecting encrypted traffic, and
collaborating with other organizations to share information about attacks.

In summary, our research provides a beginner-friendly understanding of DDoS attacks, the methods to
detect and prevent them, and innovative solutions to strengthen digital defenses.
Table of Contents
Abstract ..... 2
1-Introduction ..... 4
2-Detection ..... 5
  2.1-Traditional Methods ..... 5
    A) signature-based detection ..... 5
    B) anomaly-based detection ..... 5
    C) Rate limiting ..... 5
    D) heuristic-based detection ..... 5
  2.2-Modern Methods ..... 6
    A) deep learning ..... 6
    B) out-of-band DDoS detection ..... 6
3-Prevention ..... 7
  3.1- Traffic filtering ..... 7
  3.2- Load Balancing ..... 8
  3.3- CAPTCHA and Challenge-Response Mechanisms ..... 9
  3.4- Collaborative Defense ..... 9
  3.5- Hybrid On-Premises and Cloud Solutions ..... 9
4-DDoS from Attackers' perspective ..... 10
  4.1 Bypass Detection Methods ..... 10
  4.2 Bypass Prevention methods ..... 11
5- Possible Solutions ..... 12
  5.1- Machine Learning Model Diversity ..... 12
  5.2- AI-Augmented Human Intervention ..... 12
  5.3- Encrypted Traffic Inspection ..... 12
  5.4- Collaboration and Information Sharing ..... 12
6-Conclusion ..... 13
7-References ..... 14
1-Introduction
DDoS stands for Distributed Denial of Service. It’s a type of cyber-attack that aims to
make a website or an online service unavailable by overwhelming it with traffic from multiple
sources [1].
It is called Distributed because, unlike a traditional DoS (Denial of Service) attack, a group of
“zombie” clients, acting together like a subnet, all start making a huge number of requests in a short
period of time. These zombies can be gathered in many ways; one common way is infecting millions of
devices with malware that hides itself and can be remotely instructed to make the requests on behalf of
the attacker.
DDoS attacks are like big traffic jams clogging up a company's website so no one can visit it.
People sometimes do this to cause trouble for the company, making it hard for it to do its work.
This can be really bad for the business, costing it money and upsetting its customers.
Note that DDoS is not about stealing information; it is only about denying access to it.

Figure 1: What is a DDoS Attack [1]


2-Detection
DDoS attacks are frustrating both to the firms being attacked and to the users who are cut off from
whatever services those firms provide, so the need to deal with such attacks emerged for any firm that
provides any sort of service. Many traditional solutions were therefore proposed and used, such as
rate-based detection and others, and, especially after the rise of AI, modern methods turned out to be
effective in detecting and even classifying DDoS attacks. Some of the main traditional and modern
methods include the following:

2.1-Traditional Methods
These are methods that were proposed and used before the introduction of AI solutions to help
detect DDoS attacks. They include the following:

A) signature-based detection
A detection method that relies on predefined patterns or signatures of known attack types. This method
is akin to antivirus software: a database of attack signatures is maintained, and incoming traffic is
scrutinized for matches [2], [3].

B) anomaly-based detection
A detection method in which systems continuously monitor network and application behavior.
Unusual patterns or spikes in traffic can be quickly identified, triggering automated responses or
alerting administrators to potential DDoS attacks [2], [3].

C) Rate limiting
Rate limiting is a simple but effective way to detect DDoS attacks. It involves setting predefined
thresholds for incoming traffic and blocking or slowing down connections that surpass these
limits.

D) heuristic-based detection
Heuristic-based detection leverages predetermined rules and heuristics to identify abnormal
patterns or behaviors that might indicate a DDoS attack.
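The three detection ideas above (signature matching, anomaly detection against a learned baseline, and per-source rate limiting) can be put side by side in a few dozen lines. The following is an added illustration written for this page, not code from the report or from the works it cites. It runs over a constructed log (ten seconds of ordinary browsing followed by a two-second flood from one address); the log format, the made-up user agent "constructed-flood-bot", the one-second window and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample log, not real traffic: each line is
# "<second> <source ip> <method> <path> <user agent>".
def build_sample_log():
    lines = []
    normal_sources = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    for ts in range(10):                      # ten seconds of ordinary browsing
        for i in range(2 + ts % 2):           # two or three requests per second
            src = normal_sources[(ts + i) % len(normal_sources)]
            lines.append(f"{ts} {src} GET /page{i}.html Mozilla/5.0")
    for ts in (10, 11):                       # then a two-second flood from one source
        for _ in range(15):
            lines.append(f"{ts} 203.0.113.9 GET / constructed-flood-bot/1.0")
    return "\n".join(lines)

# A) signature-based: regexes for user agents of known (here: made-up) flood tools.
SIGNATURES = [re.compile(r"constructed-flood-bot", re.I)]

def parse_log(text):
    entries = []
    for line in text.splitlines():
        ts, src, method, path, ua = line.split(maxsplit=4)
        entries.append({"ts": int(ts), "src": src, "method": method, "path": path, "ua": ua})
    return entries

def signature_hits(entries):
    """Sources whose user agent matches any known attack signature."""
    return {e["src"] for e in entries if any(sig.search(e["ua"]) for sig in SIGNATURES)}

def rate_limit_violations(entries, window, limit):
    """C) rate limiting: sources that exceed `limit` requests within one window."""
    per_source_window = Counter((e["src"], e["ts"] // window) for e in entries)
    return {src for (src, _), n in per_source_window.items() if n > limit}

def anomaly_windows(entries, window, baseline_windows, k):
    """B) anomaly-based: windows whose total request count exceeds
    mean + k * std of the first `baseline_windows` windows (the learned normal)."""
    counts = Counter(e["ts"] // window for e in entries)
    baseline = [counts.get(i, 0) for i in range(baseline_windows)]
    threshold = mean(baseline) + k * pstdev(baseline)
    return sorted(i for i, n in counts.items() if i >= baseline_windows and n > threshold)

def detect(log_text, window=1, rate_limit=10, baseline_windows=10, k=3.0):
    """Run all three detectors over one log and report what each one found."""
    entries = parse_log(log_text)
    return {
        "signature": sorted(signature_hits(entries)),
        "rate_limited": sorted(rate_limit_violations(entries, window, rate_limit)),
        "anomalous_windows": anomaly_windows(entries, window, baseline_windows, k),
    }

if __name__ == "__main__":
    print(detect(build_sample_log()))
```

Note how each detector answers a different question: the signature names the tool, the rate limit names the offending source, and the anomaly check only says that seconds 10 and 11 are abnormal. Raising `rate_limit` or `k` shows how a threshold set too loosely lets the same flood through unnoticed.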

Despite their historical significance, traditional DDoS detection methods struggle to keep up in the
modern-day cyber security field, especially against evolving attack vectors. Modern techniques and
methods therefore evolved as well to cover modern-day security needs, DDoS attacks in particular;
these methods rely solely on AI for recognizing deep patterns in the day-to-day traffic.
2.2-Modern Methods

Because AI proved effective at recognizing deeper patterns than any human could notice, it was
applied to detecting DDoS attacks. As the cybersecurity landscape grew, more sophisticated detection
methods were required to deal with more elaborate ways of hiding an attack from detection. All of these
methods rely on deep learning, which lets an AI model analyze and recognize hidden patterns in the
traffic so that it can differentiate between genuine traffic and a DDoS zombie or subnet.

A) deep learning
Deep learning is the backbone of modern DDoS detection methods; it is a subfield of the broader
field of machine learning [4].

Learning involves feeding data to a basic model so that it can derive a pattern from it. The learning
can be either:

1) Supervised learning: training an AI model on pre-labeled data, so that it learns what each label
looks like in terms of data and finds the pattern that classifies the data correctly.
2) Unsupervised learning: training an AI model on unlabeled data, so that hidden distributions in
the data can be found.

Machine learning works on smaller datasets and classifies data into labeled classes, which
helps detect known threats, while deep learning can detect patterns in an unlabeled
environment, which is useful for detecting unfamiliar DDoS attack patterns. A hybrid approach
that combines the two will therefore help cover a high percentage of these attacks.
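The difference between supervised and unsupervised learning, and why the report argues for a hybrid, can be seen in a toy that needs no ML library. This is an added example written for this page, not the report's own work. It describes each one-second traffic window by three constructed features (requests, distinct source IPs, average bytes per request). The supervised learner is a nearest-centroid classifier trained on labelled windows of normal traffic and of a known flood; the unsupervised learner is a 2-means clustering of today's unlabelled windows that flags the minority cluster. The data, the feature choice and the "minority cluster is suspect" rule are assumptions of the example, and real deep-learning detectors are far richer than either learner here.

```python
import math

# Constructed feature vectors, one per one-second traffic window:
# (requests, distinct source IPs, average bytes per request). Not real data.
NORMAL = [(20, 15, 520), (25, 20, 480), (30, 22, 500), (22, 18, 510), (28, 21, 490), (24, 19, 505)]
KNOWN_FLOOD = [(500, 5, 60), (520, 4, 64), (480, 6, 58)]   # labelled: few sources, tiny requests
NOVEL = [(300, 290, 500), (320, 310, 495)]                 # unseen pattern: many sources, normal-sized requests
TRAINING = [(f, "normal") for f in NORMAL] + [(f, "attack") for f in KNOWN_FLOOD]
TODAY = NORMAL + NOVEL                                     # today's windows, with no labels

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(points):
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))

def train_nearest_centroid(labelled):
    """Supervised learning: one centroid per label, learned from labelled windows."""
    by_label = {}
    for feats, label in labelled:
        by_label.setdefault(label, []).append(feats)
    return {label: centroid(pts) for label, pts in by_label.items()}

def predict(model, feats):
    """Assign the label whose centroid is nearest."""
    return min(model, key=lambda label: dist(model[label], feats))

def kmeans_two(points, max_iter=20):
    """Unsupervised learning: 2-means with a deterministic start (the first point and
    the point farthest from it); returns the cluster index of every point."""
    centroids = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    assignment = None
    for _ in range(max_iter):
        new = [0 if dist(p, centroids[0]) <= dist(p, centroids[1]) else 1 for p in points]
        if new == assignment:
            break
        assignment = new
        for c in (0, 1):
            members = [p for p, a in zip(points, assignment) if a == c]
            if members:
                centroids[c] = centroid(members)
    return assignment

def unsupervised_flags(points):
    """Most windows are normal, so the smaller cluster is treated as suspect."""
    assignment = kmeans_two(points)
    minority = min((0, 1), key=assignment.count)
    return [a == minority for a in assignment]

def supervised_flags(model, points):
    return [predict(model, p) == "attack" for p in points]

def hybrid_flags(model, points):
    """Hybrid: a window is flagged if either learner flags it."""
    return [s or u for s, u in zip(supervised_flags(model, points), unsupervised_flags(points))]

if __name__ == "__main__":
    model = train_nearest_centroid(TRAINING)
    print("supervised:  ", supervised_flags(model, TODAY))
    print("unsupervised:", unsupervised_flags(TODAY))
    print("hybrid:      ", hybrid_flags(model, TODAY))
```

The supervised model recognises the flood it was trained on but calls the novel, widely distributed windows "normal" because they sit closer to the normal centroid; the clustering, knowing no labels, still separates them from the bulk of the day's traffic. The hybrid catches both, which is the point the paragraph above makes.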

B) out-of-band DDoS detection


This kind of detection emerges as a strategic ally, harnessing flow data from NetFlow, J-Flow,
sFlow, and IPFIX-enabled routers and switches. By analyzing this flow data, security systems can
swiftly identify and thwart attacks, operating on the periphery to ensure minimal disruption to the
regular flow of digital traffic [5].
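Out-of-band detection works on flow summaries exported by the network gear rather than on the packets themselves. The following added example (written for this page, not taken from the report or from [5]) parses constructed flow records in a simple CSV form standing in for a NetFlow/sFlow/IPFIX export, aggregates them per destination host, and flags a host that many distinct sources are sending small packets to. The record format, the sample addresses and the thresholds are assumptions of the example.

```python
from collections import defaultdict

# Constructed flow records, not real traffic, standing in for a router's flow export.
# Each line: "src_ip,dst_ip,proto,packets,bytes".
def build_sample_flows():
    lines = []
    for i in range(1, 11):                     # ten ordinary clients of the web server
        lines.append(f"10.0.0.{i},192.0.2.10,tcp,50,40000")        # 800 bytes per packet
    for i in range(1, 31):                     # thirty sources flooding a second host
        lines.append(f"203.0.113.{i},192.0.2.20,tcp,2000,120000")  # 60 bytes per packet
    return "\n".join(lines)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, proto, packets, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "packets": int(packets), "bytes": int(nbytes)})
    return flows

def summarize_by_destination(flows):
    """Aggregate the flow records per destination host."""
    acc = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        s = acc[f["dst"]]
        s["sources"].add(f["src"])
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
    return {dst: {"distinct_sources": len(s["sources"]),
                  "packets": s["packets"],
                  "avg_bytes_per_packet": s["bytes"] / s["packets"]}
            for dst, s in acc.items()}

def flag_destinations(summary, min_sources=20, max_avg_bytes=100):
    """Flag a destination when many distinct sources send it small packets, the
    typical shape of a volumetric flood coming from a zombie network."""
    return sorted(dst for dst, s in summary.items()
                  if s["distinct_sources"] >= min_sources
                  and s["avg_bytes_per_packet"] < max_avg_bytes)

def analyze(text, **thresholds):
    """Whole pipeline: parse the export, summarize per host, flag suspects."""
    return flag_destinations(summarize_by_destination(parse_flows(text)), **thresholds)

if __name__ == "__main__":
    for dst, s in summarize_by_destination(parse_flows(build_sample_flows())).items():
        print(dst, s)
    print("flagged:", analyze(build_sample_flows()))
```

Because the analysis only reads the exported summaries, it adds no latency to the traffic path, which is what "operating on the periphery" means in the paragraph above; the price is that sampled flow data can miss short or low-volume events.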
3-Prevention
DDoS prevention is like setting up strong guards and smart rules to protect your website from too
much unwanted traffic. It uses tools to spot and stop this bad traffic, keeps an eye on data coming in, and
quickly deals with problems to keep your site safe and running smoothly. It's about being ready, spotting
trouble early, and having a good plan to stop attacks before they cause harm. There are several ways to do
DDoS Prevention:

3.1- Traffic filtering


Traffic filtering is, put simply, an algorithm that checks who can enter your website and who cannot.
It is a way to keep unwanted visitors out of your website while letting the good visitors in, and so a
way of guarding your system against bad data entering it [6]. Traffic filtering can work in different ways:

A- Checking IDs at the beginning

Traffic filtering looks at the data trying to enter your site and distinguishes between normal
visitors (like customers or normal users) and unwanted data (attack data).

B- Smart Lists (Whitelists and Blacklists):


Whitelists are like a VIP list: only data from specific users or specific IPs is allowed in, and
everything else is not. Blacklists, on the other hand, are the exact opposite: they block any data from
known bad sources, like someone who is trying to hack your system or an unknown country that you
do not want accessing your data.

C- Rules and Patterns (Setting up filters):


The filtering system has rules that let only a certain number of people and a certain amount of data
through at a time, for example limiting the requests per minute for a user. If data behaves strangely or
comes in too fast, the filtering system gets suspicious and blocks it.

D- Constant learning (Updating filters):


The filtering system learns from what is happening. If it sees a new type of bad visitor, it
remembers it, stops it, and builds a rule to prevent that type of bad visitor in the future.
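The four filtering ideas in this section (checking each request, whitelists and blacklists, a requests-per-minute rule, and updating the lists from what the filter sees) fit in one small class. This is an added example for this page, not the report's own code or the filter from [6]; the one-minute sliding window, the limit and the sample addresses are assumptions. A source that breaks the rate rule is added to the blacklist, so later requests from it are refused even after its rate has dropped, which is the "constant learning" step.

```python
from collections import defaultdict, deque

class TrafficFilter:
    """Allow/deny decision for each incoming request, combining a whitelist,
    a blacklist, a per-source requests-per-minute rule, and automatic
    blacklisting of sources that break the rule."""

    WINDOW_SECONDS = 60

    def __init__(self, allowlist=(), blocklist=(), max_requests_per_minute=60):
        self.allowlist = set(allowlist)          # B) VIP list: always admitted
        self.blocklist = set(blocklist)          # B) known bad sources: always refused
        self.limit = max_requests_per_minute     # C) the rate rule
        self.recent = defaultdict(deque)         # source -> timestamps of its recent requests

    def check(self, src, ts):
        """A) return "allow" or "block" for a request from `src` at time `ts` (seconds)."""
        if src in self.allowlist:
            return "allow"
        if src in self.blocklist:
            return "block"
        window = self.recent[src]
        window.append(ts)
        while window and window[0] <= ts - self.WINDOW_SECONDS:   # forget requests older than a minute
            window.popleft()
        if len(window) > self.limit:
            # D) constant learning: remember the offender so it stays blocked
            self.blocklist.add(src)
            del self.recent[src]
            return "block"
        return "allow"

def replay(traffic_filter, requests):
    """Run a list of (timestamp, source) requests through the filter in order."""
    return [traffic_filter.check(src, ts) for ts, src in requests]

if __name__ == "__main__":
    f = TrafficFilter(allowlist={"10.0.0.5"}, blocklist={"203.0.113.1"}, max_requests_per_minute=5)
    # Constructed traffic: a flooding source, a whitelisted one, a slow ordinary visitor,
    # the flooding source again much later, and a blacklisted source.
    sample = ([(t, "198.51.100.7") for t in range(6)]
              + [(t, "10.0.0.5") for t in range(10)]
              + [(t, "192.0.2.77") for t in range(0, 200, 20)]
              + [(500, "198.51.100.7"), (0, "203.0.113.1")])
    for (ts, src), decision in zip(sample, replay(f, sample)):
        print(ts, src, decision)
    print("learned blocklist:", sorted(f.blocklist))
```

A whitelist entry bypasses the rate rule entirely, so it should be reserved for sources you trust completely (a monitoring system, for instance); and because the learned blacklist never expires in this toy, a real deployment would add an expiry so that a shared or spoofed address does not stay blocked forever.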
3.2- Load Balancing
Load balancing is a prevention method for when too many people try to enter your website through
the same server: it gets crowded and then nobody can get in. If you have a traffic management system
(and multiple servers), people can enter your website through different servers, making each server less
crowded and allowing everyone to move smoothly with better performance. The load balancer acts like a
smart manager who directs the visitors to multiple servers instead of one, ensuring no single server gets
overwhelmed. Here is how a load balancer manages your servers:

A- Spreading out traffic:

During a DDoS attack, your website gets a flood of traffic, much more than it can handle. The
load balancer spreads out this traffic across multiple servers. It's like “Distributing of the attacks to
multiple servers” so no server gets stuck, and your website remains smooth.

B- Redundancy and Fault Tolerance:

If one server gets too busy or even stops working under the heavy traffic, the load balancer
redirects traffic to the other servers. This ensures that even if one part of your service is under attack, the
whole system doesn’t stop. It's like if one door into the building is blocked, the manager (Load Balancer)
quickly guides people to other doors (Other servers).

C- Efficiency and speed:

Load balancers can also check which server is the least busy and direct traffic there. This makes
sure that every visitor gets served as quickly as possible, avoiding long waits. It's like a smart system in a
busy restaurant that knows which table to seat guests at so that everyone gets served fast.

D- Health Checks:

Good load balancers constantly check the health of each server. If a server is not responding or is too
slow, the load balancer stops sending traffic there and redirects it to healthier servers. It's like having a
quality check for each server to ensure it’s working well and there are no offline servers.

E- Scalability:

In times of heavy traffic, like during a DDoS attack, you might need more servers to handle the
load. Load balancers can work with systems in the cloud to automatically add more servers when needed
and then spread the traffic to these new servers. It's like adding more servers or more space when you
see that many more people are coming to visit you.
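Points A to E above can be exercised with a small simulation. This is an added example written for this page, not code from the report: a least-connections balancer that skips servers marked unhealthy, adds a server when every healthy one is full (standing in for cloud autoscaling), and reports how many requests it had to drop. Server names, capacities and the scale-out rule are assumptions of the example.

```python
class Server:
    def __init__(self, name, capacity):
        self.name = name
        self.capacity = capacity   # concurrent requests it can serve
        self.active = 0            # requests currently being served
        self.healthy = True        # result of the last health check

class LoadBalancer:
    """Least-connections balancer with health checks and optional scale-out."""

    def __init__(self, servers, autoscale=False, max_servers=4, new_server_capacity=10):
        self.servers = list(servers)
        self.autoscale = autoscale
        self.max_servers = max_servers
        self.new_server_capacity = new_server_capacity

    def set_health(self, name, healthy):
        """D) health checks: an unhealthy server receives no new traffic."""
        for s in self.servers:
            if s.name == name:
                s.healthy = healthy

    def _available(self):
        return [s for s in self.servers if s.healthy and s.active < s.capacity]

    def _scale_out(self):
        """E) scalability: add a server when every healthy one is full."""
        if self.autoscale and len(self.servers) < self.max_servers:
            new = Server(f"srv{len(self.servers) + 1}", self.new_server_capacity)
            self.servers.append(new)
            return new
        return None

    def route(self, n_requests):
        """A/B/C) send each request to the least-busy healthy server with room;
        returns how many requests were dropped because nobody had room."""
        dropped = 0
        for _ in range(n_requests):
            candidates = self._available()
            if not candidates:
                new = self._scale_out()
                candidates = [new] if new else []
            if not candidates:
                dropped += 1
                continue
            target = min(candidates, key=lambda s: s.active)   # least connections; ties by list order
            target.active += 1
        return dropped

    def complete(self, name, n):
        """Requests finishing on a server free its capacity again."""
        for s in self.servers:
            if s.name == name:
                s.active = max(0, s.active - n)

    def snapshot(self):
        return {s.name: s.active for s in self.servers}

if __name__ == "__main__":
    lb = LoadBalancer([Server("srv1", 10), Server("srv2", 10), Server("srv3", 10)],
                      autoscale=True, max_servers=5)
    print("dropped:", lb.route(25), lb.snapshot())      # spread across all three
    lb.set_health("srv1", False)                          # srv1 fails its health check
    print("dropped:", lb.route(5), lb.snapshot())       # others fill up, srv4 is added
    fixed = LoadBalancer([Server("a", 2)])
    print("dropped without autoscale:", fixed.route(3))  # third request has nowhere to go
```

The last line is the honest caveat for this section: a balancer only spreads load, it does not create capacity, so a flood larger than the sum of all servers (and of whatever scale-out budget is allowed) still drops requests.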
3.3- CAPTCHA and Challenge-Response Mechanisms:
Implement CAPTCHA challenges or other user verification mechanisms to ensure that incoming
traffic is generated by real users rather than automated scripts. This can help mitigate DDoS attacks that
rely on automated bots.

3.4-Collaborative Defense:
Participate in collaborative defense efforts with industry peers and organizations. Sharing
information about DDoS attacks and best practices can contribute to a collective effort to combat
evolving threats effectively. For example, imagine two companies like Meta and Google that want to
build a DDoS defense: they would build some sort of system to exchange data, so that each learns about
the DDoS attackers seen in the other's systems and passes its own information on in return.

3.5-Hybrid On-Premises and Cloud Solutions:


Combine on-premises security measures with cloud-based DDoS protection. Hybrid solutions can
provide a more comprehensive defense strategy, allowing for scalability and flexibility during high-traffic
events (similar to the point above, but here the two sides collaborate to form one new DDoS prevention system).
4-DDoS from Attackers' perspective:
How does a DDoS attack start? Initially, the attacker floods the server with a barrage of requests,
overwhelming its capacity and inducing a crash, rendering it inoperable. However, in antiquated systems,
this activity is often flagged as anomalous. Consequently, the device executing the attack encounters
preventive measures, impeding its direct access to the server. The attacker then resorts to leveraging a
network of compromised devices, known as a zombie network. By orchestrating requests through these
infected devices, the assault gains a more distributed and resilient nature. To exacerbate the challenge for
the server, the attacker employs evasion tactics. Operatives, acting as agents of the attacker, then
commence inundating the server with requests, making it arduous for the server to promptly block all
devices involved. As a result, the server succumbs to the onslaught, experiencing a debilitating crash.

4.1 Bypass Detection Methods


This underscores the need to explore alternative methods for detecting DDoS attacks. Among
these approaches is the utilization of artificial intelligence for attack detection. However, it's crucial to
admit that attackers can exploit artificial intelligence to elude detection by employing sophisticated
techniques such as:

A- Adaptive Behavior:

Developing DDoS attacks that can adapt and change their behavior in response to AI-based detection,
making them harder to identify.

B- Traffic Mimicry:

Utilizing AI to generate traffic patterns that closely resemble legitimate user behavior, making it
challenging for AI-based detection systems to differentiate between genuine and malicious traffic.

C- Evasion Techniques:

Creating AI-driven evasion techniques to exploit vulnerabilities in AI-based detection systems, allowing
the attacks to go undetected. This involves crafting attacks that specifically target weaknesses in the
algorithms or models used for threat detection.

D- Automated Targeting:

Leveraging AI to automate the targeting process, enabling attackers to identify and exploit weaknesses
in target systems more effectively.
4.2 Bypass Prevention methods
Attackers employ diverse strategies to potentially bypass DDoS prevention methods, demonstrating a
persistent challenge.

Firstly, they may attempt to evade traffic filtering by disguising malicious activities as normal visitor
traffic. This involves sophisticated tactics to mimic legitimate interactions, making it challenging for
filtering algorithms to distinguish between harmful and benign data.

Secondly, attackers could overwhelm load balancers through large-scale attacks, disrupting the efficient
distribution of traffic to healthy servers. This not only hampers the responsiveness of the system but also
poses a risk of server overloads.

Furthermore, advanced attackers may utilize intricate methods to bypass CAPTCHA and challenge-
response mechanisms, allowing automated bots to seamlessly blend in with real user traffic. This
highlights the need for constant innovation in authentication and verification mechanisms.

Additionally, the adaptability of attackers poses a significant threat. They may adjust strategies to counter
collaborative defense efforts, exploiting novel attack vectors not yet recognized by collective defense
systems.
5- Possible Solutions:
This section discusses possible solutions, from the defender's side, to the bypasses of its defense
mechanisms described in the attacker's view above. These include combining AI with human analysts,
and other decryption and security mechanisms and methods.

5.1 - Machine Learning Model Diversity:


Deploying diverse machine learning models for attack detection. A combination of models with different
architectures and algorithms can increase the overall resilience of the system. This makes it more
challenging for attackers to predict and exploit the weaknesses of a specific model.

5.2- AI-Augmented Human Intervention:


Integrating AI-driven detection with human expertise will create a collaborative defense
approach. Human analysts can provide context and make judgment calls that may be challenging for AI
alone. A fusion of AI and human analysis can enhance the accuracy of threat detection. Humans are the
main factor here.

5.3- Encrypted Traffic Inspection:


Employing advanced techniques for inspecting encrypted traffic. Attackers may use encryption to
hide their malicious activities. Implement solutions that can decrypt and inspect traffic without hurting
user privacy, enabling the detection of malicious behavior within encrypted packets.

5.4- Collaboration and Information Sharing:


Encourage collaboration among organizations to share threat intelligence and experiences related to
DDoS attacks. A collective defense approach can help identify new attack patterns and improve
the overall resilience of AI-based detection systems.
6-Conclusion
The research project on Distributed Denial of Service (DDoS) attacks has provided a
comprehensive understanding of the nature of these cyber-attacks, their detection, prevention, and the
challenges faced by both defenders and attackers. The project has shed light on the disruptive impact of
DDoS attacks, likening them to digital traffic jams that aim to disrupt websites or online services. It has
emphasized the significant financial and operational implications for businesses, highlighting the need for
robust defense strategies.
The project has delved into the methods of detecting DDoS attacks, covering both traditional and modern
approaches. Traditional detection methods, such as signature-based and anomaly-based detection, have
been discussed, along with the incorporation of artificial intelligence (AI) for recognizing deep patterns in
day-to-day traffic. This highlights the evolving nature of defense mechanisms in response to the changing
landscape of cyber threats.
Furthermore, the project has explored various prevention strategies to guard websites against DDoS
attacks. These strategies include traffic filtering, load balancing, CAPTCHA, and collaborative defense
mechanisms. The project has also highlighted the need for constant innovation in security measures to
counteract the adaptability of attackers and their sophisticated evasion tactics.
In addition, the project has proposed possible solutions to counteract sophisticated DDoS attacks. These
solutions involve the use of diverse machine learning models, the inspection of encrypted traffic, and
collaboration with other organizations to share information about attacks. This collaborative approach to
defense underscores the interconnected nature of cyber security and the importance of collective efforts in
mitigating cyber threats.
Overall, the research project aims to provide a beginner-friendly understanding of DDoS attacks, the
methods to detect and prevent them, and innovative solutions to strengthen digital defenses. It serves as a
valuable resource for individuals and organizations seeking to enhance their knowledge and preparedness
in the face of evolving cyber security challenges.
7-References
[1] One Login, “What is a DDoS Attack,” https://www.onelogin.com/learn/ddos-attack.

[2] A. M. A.-M. and A. M. K. Kazeem B. Adedeji, “DDoS Attack and Detection Methods in Internet-Enabled
Networks: Concept, Research Perspectives, and Challenges,” https://www.mdpi.com/2224-2708/12/4/51.

[3] Mateusz Gniewkowski, “An Overview of DoS and DDoS Attack Detection Techniques,”
https://link.springer.com/chapter/10.1007/978-3-030-48256-5_23.

[4] K. K. & S. B. Meenakshi Mittal, “Deep learning approaches for detecting DDoS attacks: a
systematic review,” https://link.springer.com/article/10.1007/s00500-021-06608-1.

[5] D. Z. F. A. R. S. A. and B. Y. Ivandro Ortet Lopes, “Towards Effective Detection of Recent DDoS Attacks: A
Deep Learning Approach,” https://www.hindawi.com/journals/scn/2021/5710028/.

[6] Katerina Argyraki and David R. Cheriton, “Active Internet Traffic Filtering: Real-Time Response to Denial-of-
Service Attacks,” https://www.usenix.org/legacy/event/usenix05/tech/general/full_papers/argyraki/argyraki_html/.
