DDoS Attacks and Countermeasures in Cyberspace
All content following this page was uploaded by Khan Zeb on 25 June 2015.
Abstract— In cyberspace, availability of resources is a key component of cyber security along with confidentiality and integrity. The Distributed Denial of Service (DDoS) attack has become one of the major threats to the availability of resources in computer networks, and it is a challenging problem in the Internet. In this paper, we present a detailed study of DDoS attacks on the Internet, specifically the attacks due to protocol vulnerabilities in the TCP/IP model, their countermeasures and various DDoS attack mechanisms. We thoroughly review DDoS attack defenses and analyze the strengths and weaknesses of different proposed mechanisms.

Keywords— Cyber-attack, Cyber security, DDoS attack, Mitigation, Vulnerability, DDoS Defense, Cyberspace

I. INTRODUCTION

In a computer network, denial of service (DoS) takes place when any resource of interest, such as the operating system, an application, processing bandwidth, communications, routing services, memory or a queue position, is not available to its intended users. DoS may occur due to high demand from authentic users (e.g., congestion and flash crowds), due to a non-malicious fault (e.g., a network outage), or due to malicious actions carried out by unauthentic users on the network, which is a DoS attack (e.g., SYN flooding) [1]. DoS attacks can be executed in two ways. The first way is to exploit software vulnerabilities of a victim by sending malicious packets that bring the system down. These vulnerabilities can arise in different protocols of the protocol stack at the TCP/IP layers of the Internet model, and attackers exploit them to attack a victim. The second way is to use excessive unwanted traffic to capture the resources that could be used by authentic traffic. Although the former can be protected against by fixing known vulnerabilities, the latter cannot be prevented easily [2].

When multiple sources are involved in generating DoS attack traffic, it is called a Distributed Denial of Service (DDoS) attack, as shown in Fig 1. In a DDoS attack, the attacker, also known as the bot master, exploits a vulnerability in the protocols at the respective layers shown and in this way compromises different systems in the same or different networks. These systems are called zombies or bots. With the help of hundreds of thousands or more of such zombies, the attacker launches a massive attack to deplete the resources of the victim and bring it down. Thus, DoS acts as the basic building block for DDoS. The two differ mainly in their scale of attack and mode of operation: a DoS attack uses a single source to generate the malformed traffic, while a DDoS attack uses hundreds or thousands of compromised hosts to generate malicious traffic and also coordinates the attack among the hosts, which keeps amplifying the DDoS and thus complicates the problem of defense [3, 4].

The Internet was originally designed to provide the research and educational communities with an open and scalable network [5]. Security issues were of less concern, but unfortunately with the fast growth of the Internet, the number of attacks has increased over the past years. According to the annual Computer Security Institute (CSI) computer crime and security survey, 30 to 40% of the participants in the surveys conducted between 1999 and 2005 were victims of DoS attacks [6]. Similarly, during the period 2006 to 2009, 21 to 29% of the participants were victims of DoS attacks [7]. On September 28, 2012, DDoS attacks were carried out on major U.S. banks including JPMorgan Chase & Co. (JPM) and Wells Fargo & Co. (WFC), breaching their most advanced computer defenses and exposing the vulnerability of their infrastructure [8]. According to the 2013 Worldwide Infrastructure Security Report, DDoS attacks are increasing in size. In 2014, attack size reached 325 Gbps, and around 28,030 attacks over 10 Gbps were recorded between January and September [9].

In this paper, we present a detailed study of DoS and DDoS attacks in the Internet, their victims and possible forms of attack, and the challenges in defending against these attacks. Furthermore, we study the existing work that contributes to solving these challenges and defending against various attacks. Since most DDoS attacks are due to vulnerabilities in the protocols at different layers of the TCP/IP model of the Internet, our study is mainly focused on the exploration of the different sorts of DDoS attacks resulting from protocol vulnerabilities at different layers.

The remainder of the paper is structured as follows: Section II presents the classification of DDoS attacks based on vulnerabilities in protocols at different layers of the TCP/IP model. In Section III, the proposed defense mechanisms and mitigations are presented. Lastly, Section IV presents our concluding remarks.

II. DDOS ATTACKS CLASSIFICATION: BASED ON PROTOCOL VULNERABILITIES IN THE TCP/IP MODEL

It is usually the vulnerabilities in the protocols of different layers of the Internet architecture that intruders exploit to launch DoS attacks. The attacker exploits certain features or implementation bugs in protocols at the victim side in order to compromise it, make it resource deficient for legitimate users, or crash it. We broadly classify DDoS attacks into four categories based on protocol vulnerabilities in the corresponding TCP/IP layers of the Internet model, as shown in Figure 2. Furthermore, Table I shows our detailed analysis and classification of some well-known DDoS attacks from each category, their targets, ways of attack and overall impact on the target resources [10-18]. In terms of impact, a DDoS attack can either be disruptive, i.e., complete denial of service, or degrading, i.e., consuming some portion of the target resources [10, 11], although all DDoS attacks are degrading in nature in one way or another.
978-1-4799-8172-4/15/$31.00 ©2015 IEEE
Fig 1: Structure of a typical DDoS attack

III. DEFENSE MECHANISMS

Defense against DDoS attacks is generally divided into four areas, namely attack prevention, attack detection, attack source identification and attack reaction. We briefly describe the well-known defense techniques proposed in the literature under each area. The strengths and limitations of each technique are tabulated in Table II. We also tabulate the ways of mitigating a DDoS attack on each of the TCP/IP layers in Table III [19].

A. Attack Prevention

The main aim of attack prevention is to stop attacks prior to actual damage. This approach comprises schemes deployed in routers that filter malicious packets and allow only legitimate packets to pass.

1) Ingress/Egress Filtering: Allows incoming and outgoing traffic in the network only if the source addresses of the traffic fall in the range of expected IP addresses. In ingress filtering the traffic that enters the local network is filtered, while in egress filtering the traffic that leaves the local network is filtered [20].

2) Router-Based Packet Filtering: This method uses routing information to determine whether a valid packet has arrived at a router with respect to its source/destination addresses, given the reachability constraints imposed by routing and network topology [21].

3) Source Address Validity Enforcement (SAVE) Protocol: Messages that contain valid source address information are propagated by SAVE to all destinations. Thus, each intermediate router builds a table containing the blocks of valid incoming source addresses for each of its links. Based on this table the router determines whether a packet arrives from the proper direction or not [22].

4) Hop count packet filtering (HCF): In this scheme, based on the observed TTL value of packets from the sender side, the victim guesses the initial value of the TTL. The difference between the initial and observed TTL values is the hop count. Usually the router creates a table of the most frequent legitimate users and their corresponding hop counts. According to this table, the spoofed packets are those whose source addresses are either not present in the table or whose hop counts mismatch the hop counts recorded for their source addresses. Consequently, the victim drops the spoofed packets based on this observation [23].

B. Attack Detection

In attack detection, we monitor and investigate the systems in order to determine the events that cause DoS. Attack detection can broadly be classified into conventional high rate DDoS attack detection and low rate DDoS attack detection. Conventional high rate DDoS attacks overwhelm the victim's resources to deny service to legitimate users, whereas a low rate DDoS attack aims to cause packet loss for legitimate users by attacking periodically with short bursts of packets. In this subsection, we briefly discuss only the conventional high rate DDoS attack detection techniques; their corresponding strengths and weaknesses are discussed in Table II. Besides this, we also list a few well-known low rate DDoS attack detection techniques and their strengths and limitations in Table II. For their detailed description refer to the work in [24] and the references therein.
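The HCF rule described under 4) above, as an added worked example (not code from the paper or from [23]): the victim infers the initial TTL from the observed one, derives the hop count, and drops packets whose source is absent from the learned table or whose hop count disagrees with it. The initial-TTL set, the IP addresses and the packet batch are constructed for this example.

```python
import ipaddress

# Initial TTL values commonly set by operating systems. Constructed set for
# this example; a deployment would learn the values it actually observes.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed learning-period samples (src_ip, observed_ttl) from known-good
# traffic, and a constructed batch of packets to filter.
LEGIT_SAMPLES = [("198.51.100.7", 54), ("203.0.113.9", 116)]
SAMPLE_PACKETS = [
    ("198.51.100.7", 54),   # same source, same hop count -> legitimate
    ("198.51.100.7", 240),  # same source, hop count 15 instead of 10 -> spoofed
    ("192.0.2.1", 60),      # unknown source -> not in table -> spoofed
]

def infer_hop_count(observed_ttl: int) -> int:
    """Guess the initial TTL as the smallest common initial value that is not
    below the observed TTL; the hop count is initial minus observed."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} is out of range")

def build_hop_table(samples):
    """Map each legitimate source address to its inferred hop count."""
    return {ipaddress.ip_address(src): infer_hop_count(ttl) for src, ttl in samples}

def is_spoofed(table, src_ip: str, observed_ttl: int) -> bool:
    """HCF rule: a packet is spoofed if its source is absent from the table or
    its hop count disagrees with the one recorded for that source."""
    src = ipaddress.ip_address(src_ip)
    return src not in table or table[src] != infer_hop_count(observed_ttl)

def filter_packets(table, packets):
    """Split packets into (accepted, dropped) lists of (src, ttl) tuples."""
    accepted, dropped = [], []
    for src, ttl in packets:
        (dropped if is_spoofed(table, src, ttl) else accepted).append((src, ttl))
    return accepted, dropped

if __name__ == "__main__":
    table = build_hop_table(LEGIT_SAMPLES)
    accepted, dropped = filter_packets(table, SAMPLE_PACKETS)
    print("accepted:", accepted)
    print("dropped:", dropped)
```

Note that, exactly as the paper states the rule, a legitimate source that was never seen during the learning period is dropped too, which is why HCF tables are built from frequent legitimate users.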
TABLE I (partial): DDoS Attacks by TCP/IP layer, with target, way of attack and impact

Application layer (protocols: SNMP, RTP, DHCP, NTP, SIP, SSH, MGCP, LDAP, etc.)
  Targets: memory; disk/database bandwidth; I/O bandwidth
  5. Higher rate of spoofed VoIP packets through SIP with a wide range of source IPs
  6. SMTP: Sending simple email messages to overload the SMTP server
  7. IRC: Botnet uses IRC as a tool (C&C) for the DoS attack
  8. Mail Bombs: Sending a large volume of email to a mailbox or email server. Impact: Degrading
  9. SQL Slammer: SQL Server and MSDE code buffer overflow vulnerability is exploited. Impact: Degrading
  10. Distributed Reflector / DNS Flood: Recursive queries; using third parties to hide attack traffic sources. Impact: Disruptive
  11. DNS Cache poisoning etc.: Insertion of a fake address record for an internet domain into the DNS to poison the cache. Impact: Degrading

Internet layer (protocols: IP, ICMP, IGMP, ARP, etc.)
  Targets: end users (CPU and ...); servers (web, mail, proxy, DNS, certificate)
  1. Frag, opentear: Creates and sends new IP fragments initially, withholding the later fragment. Impact: Degrading
  2. Nestea, TearDrop, Jolt: Generates overlapping IP fragments. Impact: Degrading
  3. Smurf: Spoofed PING request to a broadcast address. Impact: Disruptive
  4. Fraggle: Spoofed UDP datagrams to broadcast addresses on port 7 (echo port). Impact: Disruptive
  5. Papasmurf: Combination of Smurf and Fraggle. Impact: Disruptive
  6. Smack: ICMP unreachable packets from random IPs. Impact: Disruptive
  7. IP address ... Impact: Disruptive

Link layer (Token ring, Frame relay, ATM, etc.)
  Targets: switches; DHCP server; end systems (hosts)
  2. MAC Flood: Multiple dummy Ethernet frames with spoofed MAC addresses. Impact: Disruptive
  3. DHCP Attacks: Broadcast DHCP requests with spoofed MAC addresses. Impact: Disruptive
  4. ARP Attacks: Spoofed ARP messages on the LAN exploiting the ARP protocol. Impact: Disruptive
Conventional (high rate) DoS attack detection techniques are divided into two groups: signature-based detection and anomaly-based detection. In signature-based detection, the known features of DoS attacks are used for detection, whereas in anomaly-based detection, the normal traffic behavior is used for the detection of anomalies [25].

1) Signature Based Detection: This mechanism identifies unique patterns in known DoS attacks and differentiates them from normal patterns. Based on this differentiation, a database of known attack patterns is constructed. These patterns are then used to identify the presence of malicious activities in the network [25].

1.1) MULTOPS: In this scheme, the packet rate is monitored on both up and down links for the detection of DoS attacks [26]. It assumes proportionality between the packet rates of hosts in the two directions under normal conditions. Thus, a DoS attack is detected if these packet rates become disproportionate.

1.2) Spectral Analysis: Usually the flow of DoS attack traffic does not follow the rules of TCP flow control, and its statistical features differ from those of normal flows. In spectral analysis, a signal is extracted from the number of packet arrivals in a fixed time interval. Under normal conditions the power spectral density of this signal exhibits strong periodicity around the round-trip time in both directions of the flow, whereas an attack flow deviates from this behavior. Thus, DoS attack flows can be identified based on this analysis [27].

2) Anomaly-Based DoS Detection: Statistical anomaly detection comprises two main parts: identification of effective parameters (e.g., IP packet length, rate) from which similarity measures are generated, and calculation of the similarity between the predefined normal traffic profile and new traffic. For the evaluation of differences between the monitored traffic and the expected normal traffic, statistical methods that measure similarity, such as the chi-square and Kolmogorov-Smirnov tests [28, 29], are used. A DoS attack is detected if the difference between the two traffic profiles is larger than a given threshold.

C. Attack Source Identification

Attack source identification aims to trace the attack sources irrespective of the presence of erroneous information in the source address fields of malicious requests. Forged IP source addresses and the stateless nature of IP routing prevent tracking IP traffic to its source. Attack source identification techniques address this problem [2].

1) IP Traceback by Active Interaction: Through active interaction of routers with the attack traffic, the sources of the attack are traced using the reaction of the attack traffic [2].

2) Probabilistic IP Traceback Schemes: As packets flow through the network, each router probabilistically embeds partial path information in them. Based on this information, a target can trace back to the source by reconstructing the packet flow path [2].

3) Hash-Based IP Traceback: In this scheme, a record of every incoming packet is kept by the router. To minimize the memory cost of storing packet records, a Bloom filter is used. Moreover, for the protection of privacy, digests of the packets are stored instead of the actual packets [30]. For the traceback, the target sends a traceback query to the upstream traceback routers. After identifying the packet in its records, a router passes the query on to its neighbor routers. In this way the packet origin can be traced back and identified.

D. Attack Reaction

In attack reaction, the victim responds to the attack after detection. In these techniques the responsibility of detecting and fighting the attack lies with the victim itself.

1) Filtering and Limiting: A filtering mechanism filters the attack flows, while a rate-limiting mechanism rate-limits them. These mechanisms are carried out based on the characterization of malicious traffic provided by the detection mechanisms. Rate limiting is preferable in scenarios where a precise characterization of the attack traffic cannot be made or the detection has many false positives [25].

1.1) Pushback of high-bandwidth aggregates: According to [31], aggregate-based congestion control (ACC) can be used to control high bandwidth aggregates in the network. An aggregate is defined as the collection of packets from one or more flows having common properties. To identify and control an aggregate at a single router, ACC incorporates local mechanisms. Moreover, a cooperative pushback mechanism asks upstream routers to control an aggregate. ACC is activated in case of severe congestion of the links, as indicated by a high packet loss rate [25].

1.2) StopIt: The aim of this scheme is to prevent illegitimate traffic from reaching the intended receiver without causing damage to authentic sender hosts [32]. From the border gateway updates, a StopIt server updates the addresses of other StopIt servers. The assumption is that StopIt servers can authenticate their peers along with the routers within their AS [25].

2) Capability: In these techniques the receivers are enabled to stop malicious senders.

2.1) Stateless Internet Flow Filter (SIFF): To stop unwanted flows from reaching the recipient's network, SIFF is designed in [33]. SIFF classifies Internet packets into privileged packets and unprivileged packets. Privileged packets are subject to the receiver's control, while unprivileged packets are used for legacy traffic and in the SIFF handshake. A handshake is initiated by sending a packet with its capability field set to zero. Each intermediate router adds its marking to the capability field, and in this way the capability of the arriving packet is defined. The capability is sent back to the sender in case the receiver wants to allow the sender to send privileged traffic. The sender then includes the capability in its subsequent packets, which the intermediate routers treat as privileged. The routers forward the packets based on the comparison of a recomputed marking with the marking contained in the capability [25].

2.2) Traffic Validation Architecture (TVA): This technique limits the impact of DDoS floods. With TVA, channels protected by capabilities are shielded from flooding attacks. Similarly, TVA [34] also limits attacks that flood the receiver using previously acquired capabilities. The process for acquiring a capability is similar to that of SIFF.
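The anomaly-based detection step under B.2) above, as an added worked example (not code from the paper or from [28, 29]): packet length is used as the effective parameter, a normal profile of per-bin fractions is learned from known-good traffic, and a new window is compared with it using the Pearson chi-square statistic against a fixed threshold. The bins, the traffic samples and the choice of the 5% critical value for 3 degrees of freedom as the threshold are assumptions of this example.

```python
# Packet-length bins (bytes), the "effective parameter" chosen for the profile.
# Constructed for this example.
BINS = ((0, 99), (100, 499), (500, 1499), (1500, 65535))

# Chi-square critical value at the 5% significance level for 3 degrees of
# freedom (4 bins - 1), used as the paper's "given threshold".
THRESHOLD = 7.815

# Constructed traffic samples: a learning set of normal packet lengths, a new
# window that looks normal, and a window dominated by tiny packets (flood-like).
NORMAL_LENGTHS = [60] * 4 + [300] * 6 + [1200] * 8 + [1500] * 2
WINDOW_OK = [60] * 3 + [300] * 3 + [1200] * 3 + [1500]
WINDOW_FLOOD = [60] * 10

def histogram(lengths):
    """Count packets per length bin."""
    counts = [0] * len(BINS)
    for n in lengths:
        for i, (lo, hi) in enumerate(BINS):
            if lo <= n <= hi:
                counts[i] += 1
                break
    return counts

def normal_profile(lengths):
    """Fraction of normal traffic falling in each bin (the stored profile)."""
    counts = histogram(lengths)
    total = sum(counts)
    return [c / total for c in counts]

def chi_square(observed, profile):
    """Pearson chi-square statistic between observed bin counts and the counts
    the normal profile predicts for the same number of packets."""
    total = sum(observed)
    stat = 0.0
    for o, frac in zip(observed, profile):
        expected = frac * total
        if expected == 0:
            # A bin never seen in normal traffic: any packet there is anomalous.
            stat += float("inf") if o else 0.0
        else:
            stat += (o - expected) ** 2 / expected
    return stat

def is_dos(profile, window, threshold=THRESHOLD):
    """Flag the window as a DoS attack when its distance from the normal
    profile exceeds the threshold."""
    return chi_square(histogram(window), profile) > threshold

if __name__ == "__main__":
    profile = normal_profile(NORMAL_LENGTHS)
    for name, window in (("normal window", WINDOW_OK), ("flood window", WINDOW_FLOOD)):
        print(name, chi_square(histogram(window), profile), is_dos(profile, window))
```

The threshold controls the false-positive rate the paper mentions: a window of ordinary traffic scores well below it, while a window in which nearly every packet falls into a single bin scores far above it.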
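The probabilistic IP traceback scheme under C.2) above, as an added simulation (not code from the paper or from [2]) that fills in the mechanism the paragraph only sketches: each router on the path overwrites a mark field with its own address with probability p, and the victim reconstructs the path by ordering routers by how often their mark survives. The path, router names and marking probability are constructed for this example.

```python
import random
from collections import Counter

# Constructed attack path from the attacker's edge router to the victim's edge
# router; router names are placeholders.
ATTACK_PATH = ["R_attacker_edge", "R2", "R3", "R_victim_edge"]
MARK_PROBABILITY = 0.5

def mark_packet(path, p, rng):
    """One packet traverses the routers in order. Each router overwrites the
    packet's mark field with its own address with probability p (node sampling),
    so the surviving mark tends to come from a router close to the victim."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark

def collect_marks(path, p, n_packets, seed=7):
    """Victim side: tally which router's address arrived in each marked packet.
    A seeded RNG keeps the simulation reproducible."""
    rng = random.Random(seed)
    marks = Counter()
    for _ in range(n_packets):
        router = mark_packet(path, p, rng)
        if router is not None:          # packets no router marked carry no info
            marks[router] += 1
    return marks

def reconstruct_path(marks):
    """Order routers from the victim outward: a router d hops from the victim
    survives as the mark in about p(1-p)^(d-1) of packets, so sorting by
    descending frequency recovers the path."""
    return [router for router, _ in marks.most_common()]

def trace_to_attacker(path, p, n_packets):
    """Return the reconstructed path in attacker-to-victim order."""
    return reconstruct_path(collect_marks(path, p, n_packets))[::-1]

if __name__ == "__main__":
    print(collect_marks(ATTACK_PATH, MARK_PROBABILITY, 4000))
    print(trace_to_attacker(ATTACK_PATH, MARK_PROBABILITY, 4000))
```

Because the mark counts fall geometrically with distance, the victim needs enough attack packets for the counts of neighbouring routers to separate, which is why these schemes work for floods but not for single-packet attacks.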
TABLE II: DEFENSE TECHNIQUES WITH STRENGTHS AND WEAKNESSES

TABLE III (partial): WAYS OF MITIGATION FOR DDOS ATTACKS BASED ON TCP/IP PROTOCOL SUITE

Application layer:
• Monitor software applications that use sophisticated algorithms, technologies and approaches to detect attacks carried out in the Application layer.
• Offload SSL from the origin infrastructure: inspect attack traffic signs or policy violations in the application traffic at an application delivery platform (ADP), then forward re-encrypted traffic back to the origin infrastructure.
• Update the hardware and patch the known vulnerabilities.

Transport layer:
• ISPs use blackholing to prevent DDoS attacks: the target completely isolates all traffic, preventing further exploitation.