Survey of network-based defense mechanisms countering the DoS and DDoS problems

ACM Computing Surveys

Volumn 39, Issue 1, 2007, Pages

  Peng, Tao ^a   Leckie, Christopher ^a   Ramamohanarao, Kotagiri ^a  

^a UNIVERSITY OF MELBOURNE   (Australia)

Author keywords

Bandwidth attack; Botnet; DDoS; DNS reflector attack; DoS; Internet security; IP spoofing; IP traceback; IRC; Resource management; SYN flood; VoIP security

Indexed keywords

BANDWIDTH; COMPUTER CRIME; DATA PRIVACY; INTERNET; NETWORK PROTOCOLS; PROBLEM SOLVING; RESOURCE ALLOCATION;

BANDWIDTH ATTACK; BOTNET; DISTRIBUTED DENIAL OF SERVICE ATTACKS; DNS REFLECTOR ATTACK; INTERNET SECURITY; IP SPOOFING; IP TRACEBACK; VOIP SECURITY;

SECURITY OF DATA;

EID: 34147099073     PISSN: 03600300     EISSN: 15577341     Source Type: Journal    
DOI: 10.1145/1216370.1216373     Document Type: Review

References (97)

1. ABDELSAYED, S., GLIMSHOLT, D., LECKIE, C., RYAN, S., AND SHAMI, S. 2003. An efficient filter for denial-of-service bandwidth attacks. In Proceedings of the 46th IEEE Global Telecommunications Conference (GLOBECOM'08). 1353-1357.
2. ARBOR. 2005. Worldwide ISP security report. Whitepaper. Arbor Networks, Lerington, MA.
3. BAKER, F. 1995. Requirements for IP version 4 routers. RFC 1812. Internet Engineering Task Force (IETF). Go online to www.ietf.org.
4. BELLOVIN, S. 2000. The ICMP traceback message. IETF Internet Draft. Internet Engineering Task Force (IETF). Go online to www.iatf.org
5. BERNSTEIN, D. J. 1996. SYN cookies. Go online to http://cr.yp.to/syncookies.html.
6. BLAŽEK, R. B., KIM, H., ROZOVSKII, B., AND TARTAKOVSKY, A. 2001. A novel approach to detection of "denial-of-service" attacks via adaptive sequential and batch-sequential change-point detection methods. In Proceedings of the 2001 IEEE Systems, Man and Cybernetics Information Assurance Workshop.
7. BLOOM, B. H. 1970. Space/time tradeoffs in hash coding with allowable errors. Commun. ACM 13, 7 (Jul.), 422-426.
8. BRODSKY, B. E. AND DARKHOVSKY, B. S. 1993. Nonparametric Methods in Change-point Problems. Kluwer Academic Publishers, Dordrecht, The Netherlands.
9. BURCH, H. AND CHESWICK, B. 2000. Tracing anonymous packets to their approximate source. In Proceedings of the 14th Systems Administration Conference (New Orleans, LA).
10. CABRERA, J. B. D., LEWIS, L., QIN, X., LEE, W., PHASANTH, R. K., RAVICHANDRAN, B., AND MEHRA, R. K. 2001. Proactive detection of distributed denial of service attacks using MIB traffic variables - a feasibility study. In Proceedings of the 7th IFIP/IEEE International Symposium on Integrated Network Management (Seattle, WA). 609-622.
11. CAIDA. 2006. Nameserver DoS attack October 2002. Go online to http://www.caida.org/funding/dns-analysis/oct02dos.xml.
12. CERT. 1996. CERT Advisory CA-1996-26: denial-of-service attack via ping. Go online to http://www.cert.org/advisories/CA-1996-26.html.
13. CERT. 1998. CERT Advisory CA-1998-01: Smurf IP denial-of-service attacks. Go online to http://www.cert.org/advisories/CA-1998-01.html.
14. CERT. 2001. CERT Advisory CA-2001-19: "Code Red" Worm exploiting buffer overflow in US indexing service DLL. Go online to http://www.cert.org/advisories/CA-2001-19.html.
15. CERT. 2003. CERT Advisory CA-2003-19: Exploitation of vulnerabilities in Microsoft RFC Interface. Go online to http://www.cert.org/advisories/CA-2003-19. html.
16. CERT. 2006. CERT/CC statistics. Go online to http://www.cert.org/stats/ cert_stats.html.
17. CHANG, R. K. C. 2002. Defending against flooding-based distributed denial-of-service attacks: A tutorial. IEEE Commun. Mag. 40, 10 (Oct.), 42-51.
18. CHEN, E. Y. 2006. Detecting dos attacks on SIP systems. In Proceedings of the 1st IEEE Workshop on VoIP Management and Security, 53-58.
19. CHENG, C.-M., KUNG, H. T., AND TAN, K.-S. 2002. Use of spectral analysis in defense against DoS attacks. In Proceedings of IEEE GLOBECOM 2002. 2143-2148.
20. CHENG, G. 2006. Malware FAQ: Analysis on DDOS tool Stacheldraht v1.666. Go online to http://www. sans.org/rasources/malwarafaq/stachaldraht.php.
21. CHEUNG, S. 2006. Denial of service against the domain name system. IEEE Sec. Pri. 4, 1, 40.
22. CLARK, D.D. 1988. The design philosophy of the DARPA Internet protocols. In Proceedings of SIGCOMM (Stanford, CA). 106-114.
23. DAVIS, M. 2006. Building better bots: Open-source processes enable production-grade malware. Sage: Security Vision from McAfee Avert Labs 1, 1 (Jul.), 26-35.
24. DEAN, D., FHANKLIN, M., AND STUBBLEFIELD, A. 2002. An algebraic approach to IP traceback. ACM Trans. Inform. Syst. Sec. 5, 2 (May), 119-137.
25. DEERING, S. AND HINDEN, R. 1998. Internet protocol, version 6 (IPv6) specification. RFC 2401. Internet Engineering Task Force (IETF). Go online to www.ietf.org.
26. DENNING, D. E. 1987. An intrusion-detection model. IEEE Trans. Softw. Eng. 13, 2, 222-232.
27. DIETRICH, S., LONG, N., AND DITTRICH, D. 2000. Analyzing distributed denial of service attack tools: The shaft case. In Proceedings of the 14th Systems Administration Conference (New Orleans, LA). 329-339.
28. EVANS, D. AND LAROCHELLE, D. 2002. Improving security using extensible lightweight static analysis. IEEE Softw. 19, 1, 42-51.
29. FERGUSON, P. AND SENIE, D. 2000. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827. Internet Engineering Task Force (IETF). Go online to www.ietf.org.
30. FLOYD, S. AND JACOBSON, V. 1993. Random early detection gateways for congestion avoidance. IEEE / ACM Trans. Netw. 1, 4 (Aug.), 397-413.
31. FLOYD, S. AND JACOBSON, V. 1995. Link-sharing and resource management models for packet networks. IEEE/ACM Trans. Netw. 3, 4 (Aug.), 365-386.
32. FORREST, S. AND HOFMEYR, S. 1999. Architecture for an artificial immune system. Evolution. Computat. J. 7, 1, 45-68.
33. GAHBER, L. 2000. Denial-of-service attacks rip the Internet. IEEE Comput. 33, 4 (Apr.), 12-17.
34. GEMBERLING, B., MORROW, C., AND GREENE, B. 2001. ISP security-real world techniques. Presentation, NANOG. Go online to www.nanog.org
35. GENG, X. AND WHINSTON, A. 2000. Defeating distributed denial of service attacks. IEEE IT Profess. 2, 4 (Jul./Aug.), 36-41.
36. GIBSON, S. 2002. Distributed reflection denial of service. Go online to http://grc.com/dos/drdos.htm.
37. GIL, T. M. AND POLETTO, M. 2001. MULTOPS: A data-structure for bandwidth attack detection. In Proceedings of the 10th USENIX Security Symposium.
38. GLIGOR, V. D. 1984. A note on denial-of-service in operating systems. IEEE Trans. Softw. Eng. 10, 3, 320-324.
39. GORDON, L. A., LOEB, M. P., LUCYSHYN, W., AND RICHARDSON, R. 2005. 2005 CSI/FBI Computer Crime and Security Survey. Available online at www.GCSI.com.
40. HANDLEY, M. 2005. Internet Architecture WG: DoS-resistant Internet subgroup report. Available online at http://www.communications.net/ object/download/1543/doc/mjh-dos-summary.pdf.
41. HARDIN, G. 1968. The tragedy of the commons. Science, 1243-1248.
42. HONEYNET. 2005. Know your enemy:tracking botnets. Whitepaper. The Honeynet Project & Research Alliance. Feb. Go online to www.honaynet.org/index.html.
43. HUSSAIN, A., HEIDEMANN, J., AND PAPADOPOULOS, C. 2003. A framework for classifying denial of service attacks. In Proceedings of the ACM SIGCOMM Conference (Karlsruhe, Germany). 99-110.
44. KANDULA, S., KATABI, D., JACOB, M., AND BERGER, A. W. 2005. Botz-4-Sale: Surviving organized DDoS attacks that mimic flash crowds. In Proceedings of the 2nd Symposium on Networked Systems Design and Implementation (NSDI), (Boston, MA).
45. KARGL, F., MAIER, J., AND WEBER, M. 2001. Protecting web servers from distributed denial of service attacks. In. Proceedings of the 10th International World Wide Web Conference. 130-143.
46. KENT, S. AND ATKINSON, R. 1998. Security architecture for the Internet protocol. RFC 2401. Internet Engineering Task Force (IETF). Go online to www.ietf.org.
47. KEROMYTIS, A. D., MISRA, V., AND RUBENSTEIN, D. 2002. SOS: Secure overlay services. In Proceedings of the 2002 ACM SIGCOMM Conference. 61-72.
48. KOMPELLA, R. R., SINGH, S., AND VARGHESE, G. 2004. On scalable attack detection in the network. In IMC '04: Proceedings of the 4th ACM SIGCOMM Conference an Internet Measurement. ACM Press, New York, NY, 187-200.
49. KUHN, D., WALSH, T. J., AND FRIES, S. 2005. Security considerations for voice over IP systems. NIST Special Publication 800-58. National Institute of Science and Technology, Gaithersburg, MD.
50. KULKARNI, A., BUSH, S., AND EVANS, S. 2001. Detecting distributed denial-of-service attacks using Kolmogorov complexity metrics. Tech. rep. 2001CRD176. GE Research & Development Center. Schectades, NY.
51. LAU, F., RUBIN, S. H., SMITH, M. H., AND TRAJKOVIĆ, L. 2000. Distributed denial of service attacks. In Proceedings of the IEEE International Conference on Systems, Man, and Cybernetics. Vol. 3. 2275-2280.
52. LI, J., MIRKOVIC, J., WANG, M., REITHER, P., AND ZHANG, L. 2002. Save: Source address validity enforcement protocol. In Proceedings of IEEE INFOCOM 2002. 1557-1566.
53. LIPSON, H. F. 2002. Tracking and tracing cyber-attacks: Technical challenges and global policy issues. Special rep. CMU/SEI-2002-SR-009. CERT Coordination Center. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA.
54. MAHAJAN, R., BELLOVIN, S. M., FLOYD, S., IOANNIDIS, J., PAXSON, V., AND SHENKER, S. 2002. Controlling high bandwidth aggregates in the network. ACM Comput. Commun. Rev. 32, 3 (Jul.), 62-73.
55. MANIKOPOULOS, C. AND PAPAVASSILIOU, S. 2002. Network intrusion and fault detection: A statistical anomaly approach. IEEE Commun. Mag. 40, 10 (Oct.), 76-82.
56. MEASUREMENT. 2005. The measurement factory DNS survey. Go online to http://dns.measurement-factory.com/surveys/sum1.html.
57. MILLEN, J. K. 1992. A resource allocation model for denial of service. In Proceedings of the IEEE Symposium on Security and Privacy. 137-147.
58. MIHKOVIC, J., DIETRICH, S., DITTRICH, D., AND REIHER, P. 2005. Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall, Engle Wood Cliffs, NJ.
59. MIRKOVIĆ, J., PRIER, G., AND REIHER, P. 2002. Attacking DDoS at the source. In Proceedings of ICNP 2002 (Paris, France). 312-321.
60. MIHKOVIC, J. AND REIHER, P. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34, 2, 39-53.
61. MIRKOVIC, J., ROBINSON, M., REIHER, P., AND KUENNING, G. 2003. Forming alliance for DDoS defenses. In Proceedings of the New Security Paradigms Workshop (NSPW 2003). ACM Press, New York, NY, 11-18.
62. MOCKAPETRIS, P. 1987a. Domain names - concepts and facilities. RFC 1034. Internet Engineering Task Force (IETF). Go online to www.ietf.org.
63. MOCKAPETRIS, P. 1987b. Domain names - implementation and specification. RFC 1035, the Internet Engineering Task Force (IETF). Go online to www.ietf.org.
64. MOHEIN, W. G., STAVROU, A., COOK, D. L., KEHOMYTIS, A. D., MISRA, V., AND RUBENSTEIN, D. 2003. Using graphic turing tests to counter automated ddos attacks against web servers. In Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), (Washington, DC).
65. MORROW, C. AND GEMBERLING, B. 2001. Blackhole route server and tracking traffic on an IP network. Go online to http://www.secsup.org/Tracking/.
66. NEEDHAM, R. M. 1994. Denial of service: an example. Commun. ACM 37, 11, 42-46.
67. PAPADOPOULOS, C., LINDELL, R., MEHRINGER, J., HUSSAIN, A., AND GOVINDAN, R. 2003. Cossack: Coordinated suppression of simultaneous attacks. In Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX 2003). Vol. 2. 94-96.
68. PARK, K. AND LEE, H. 2001a. On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. In Proceedings of IEEE INFOCOM 2001. 338-347.
69. PARK, K. AND LEE, H. 2001b. On the effectiveness of router-based packet filtering for distributed DoS attack prevention in power-law Internets. In Proceedings of the 2001 ACM SIGCOMM Conference (San Diego, California, CA). 15-26.
70. PAXSON, V. 2001. An analysis of using reflectors for distributed denial-of-service attacks. ACM Comput. Commun. Rev. 31, 3 (Jul.), 38-47.
71. PENG, T., LECKIE, C., AND KOTAGIRI, R. 2004. Proactively detecting distributed denial of service attacks using source ip address monitoring. In Proceedings of the Third International IFIP-TC6 Networking Conference (Networking 2004). 771-782.
72. PENG, T., LECKIE, C., AND R AMAMOHANARAO, K. 2002a. Adjusted probabilistic packet marking for IP traceback. In Proceedings of the Second IFIP Networking Conference (Networking 2002). (Pisa, Italy). 697-708.
73. PENG, T., LECKIE, C., AND R AMAMOHANARAO, K. 2002b. Defending against distributed denial of service attack using selective pushback. In Proceedings of the 9th IEEE International Conference on Telecommunications (IGT 2002) (Bering, China). 411-429.
74. PENG, T., LECKIE, C., AND R AMAMOHANARAO, K. 2003. Prevention from distributed denial of service attacks using history-based IP filtering. In Proceeding of the 38th IEEE International Conference on Communications (ICC 2003) (Anchorage, Alaska). 482-486.
75. REKHTER, Y. AND LI, T. 1995. A border gateway protocol 4 (BGP-4). RFC 1771. Internet Engineering Task Force (IETF). Go online to www.ietf.org.
76. ROCHLIS, J. A. AND EICHIN, M. W. 1989. With microscope and tweezers: The worm from MIT's perspective. Commun. ACM 32, 6, 689-698.
77. ROSENBERG, J., SCHULZRINNE, H., CAMARILLO, G., JOHNSTON, A., PETERSON, J., SPARKS, R., HANDLEY, M., AND SCHOOLER, E. 2002. SIP: Session initiation protocol. RFC 3261. Internet Engineering Task Force (IETF). Go online to www.ietf.org.
78. SAVAGE, S., WETHERALL, D., KARLIN, A., AND ANDERSON, T. 2000. Practical network support for IP traceback. In Proceedings of the 2000 ACM SIGCOMM Conference. 295-306.
79. SCALZO, F. 2006. Recent dns reflector attacks. VeriSign. Go online to http://www.nanog.org/mtg-0606/pdf/frank-scalzo.pdf.
80. SCHUBA, C. L., KRSUL, I. V., KUHN, M. G., SPAFFORD, E. H., SUNDARAM, A., AND ZAMBONI, D. 1997. Analysis of a denial of service attack on TCP. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE Computer Society, IEEE Computer Society Press, Los Alamitos, CA, 208-223.
81. SISALEM, D., EHLERT, S., GENEIATAKIS, D., KAMBOURAKIS, G., DAGIUKLAS, T., MARKL, J., ROKOS, M., BOTRON, O., RODRIGUEZ, J., AND LIU, J. 2005. Towards a secure and reliable VoIP infrastructure. Tech. rep. D2.1. SNOCER. May.
82. SNOEREN, A. C., PARTRIDGE, C., SANCHEZ, L. A., JONES, C. E., TCHAKOUNTIO, F., KENT, S. T., AND STRAYER, W. T. 2001. Hash-based IP traceback. In Proceedings of the 2001 ACM SIGCOMM Conference (San Diego, CA). 3-14.
83. SONG, D. X. AND PEHRIG, A. 2001. Advanced and authenticated marking schemes for IP traceback. In Proceedings of IEEE INFOCOM 2001. 878-886.
84. SPATSCHECK, O. AND PETERSEN, L. L. 1999. Defending against denial of service attacks in Scout. In Proceedings of the 3rd Symposium on Operating Systems Design and Implementation.
85. STONE, R. 1999. Centertrack: An IP overlay network for tracking DoS floods. In Proceedings of the 9th USENIX Security Symposium (Denver, CO).
86. TUPAKULA, U. AND VARADHARAJAN, V. 2003. A practical method to counteract denial of service attacks. In Proceedings of the Twenty-Sixth Australasian Computer Science Conference (ACSC2003) (Adelaide, Australia). 275-284.
87. US-CERT. 2005. Technical cyber security alert TA05-210A. Cisco IOS IPv6 vulnerability. Go online to http://ww.us-cart.gov/cas/techalerts/TA05-210A.html.
88. VAUGHN, R. AND EVRON, G. 2006. DNS amplification attacks. Go online to http://www.isotf.org/news/ DNS-Amplification-Attacks.pdf. VIXIE, P. 1999. Extension mechanisms for DNS (EDNSO). RFC 2671. Internet Engineering Task Force (IETF). Go online to www.ietf.org.
89. VIXIE, P., SNEERINGER, G., AND SCHLEIFER, M. 2002. Events of 21-Oct-2002. Go online to www.isc.org/ops/f-root/october21.txt.
90. WALDVOGEL, M. 2002. Gossib vs. IP traceback rumors. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC 2002).
91. WANG, H., ZHANG, D., AND SHIN, K. G. 2002. Detecting SYN flooding attacks. In Proceedings of IEEE INFOCOM 2002. 1530-1539.
92. WANG, J. 1999. A survey of Web caching schemes for the internet. SIGCOMM Comput. Commun. Rev. 29, 5, 36-46.
93. WILLIAMS, P. D., ANCHOR, K. P., BEBO, J. L., GUNSCH, G. H., AND LAMONT, G. B. 2001. CDIS: Towards a computer immune system for detecting network intrusions. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection. 117-133.
94. WRIGHT, G. R. AND STEVENS, W. R. 1995. TCP/IP Illustrated, The Implementation. Vol. 2. Addison-Wesley, Reading, MA.
95. WU, S. F., ZHANG, L., MASSEY, D., AND MANKIN, A. 2001. Intension-Driven ICMP Trace-Back. IETF Internet Draft. Go online to www.ietf.org.
96. YAU, D. K. Y., LUI, J. C. S., AND LIANG, F. 2002. Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles. In Proceedings of the IEEE International Workshop on Quality of Service (IWQoS) (Miami Beach, FL). 35-44.
97. ZHANG, Z., LI, J., MANIKOPOULOS, C., JORGENSON, J., AND UCLES, J. 2001. HIDE: A hierarchical network intrusion detection system using statistical preprocessing and neural network classification. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security (United States Military Academy, West Point, NY).