Abstract
This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service attacks. We review the state-of-the-art mechanisms for defending against denial of service attacks, compare the strengths and weaknesses of each proposal, and discuss potential countermeasures against each defense mechanism. We conclude by highlighting opportunities for an integrated solution to the problem of distributed denial of service attacks.
Index Terms
- Survey of network-based defense mechanisms countering the DoS and DDoS problems