Defending against distributed denial of service attacks: Issues and challenges

Information Security Journal

Volumn 18, Issue 5, 2009, Pages 224-247

  Gupta, B B ^a   Joshi, R C ^a   Misra, Manoj ^a  

^a INDIAN INSTITUTE OF TECHNOLOGY ROORKEE   (India)

Author keywords

Attack mechanisms; Defense mechanisms; Distributed Denial of Service (DDoS); Network security

Indexed keywords

EID: 85016036959     PISSN: 19393555     EISSN: 19393547     Source Type: Journal    
DOI: 10.1080/19393550903317070     Document Type: Article

References (108)

1. Abdelsayed, S., Glimsholt, D., Leckie, C., Ryan, S., and Shami, S. (2003). An efficient filter for denial-of-service bandwidth attacks. In Proceedings of IEEE Global Telecommunications Conference (GLOBECOM'03), Volume 3, pp 1353-1357.
2. Abennett. (2001, May). CERT hit by DDoS attack for a third day. Available at http://www.itworld.com/IDG010524CERT2
3. Akamai. (2004, June). Press release: Akamai provides insight into Internet denial of service attack. Available at http://www.akamai.com/en/html/about/press/press459.html
4. Andersen, D.G., Balakrishnan, H., Kaashoek, M.F., and Morris, R. (2001, October). Resilient overlay networks. In Proceedings of 18th ACM SOSP, pp. 131-145, Banff, Canada.
5. Andrews, J. (2004). Understanding TCP reset attacks. Available at http://kerneltrap.org/node/3072
6. AusCERT. (2005). 2005 Australian computer crime and security survey. Tech. Report, Australian Computer Emergency Response Team. Available at http://www.auscert.org.au/crimesurvey
7. Azrina, R., and Othman, R. (n.d.). Understanding the various types of denial of service attack. Available at www.niser.org.my/resources/dos_attack.pdf
8. Bai, Y., and Kobayashi, H. (2003, March). Intrusion detection system: Technology and development. In Proceedings of the 17th International Conference on Advanced Information Networking and Applications (AINA), pp. 710-715.
9. Barlow, J., and Thrower, W. (2000, February 10). TFN2K—an analysis. Axent Security Team. Available at http://security.royans.net/info/posts/bugtraq_ddos2.shtml
10. Belenky, A., and Ansari, N. (2003). IP traceback with deterministic packet marking. IEEE Communication Letter, 7(4), 162-164.
11. Bellovin, S., Leech, M., and Taylor, T. (2001, October). ICMP trace- back messages. Internet draft: draft-ietf-itrace-01.txt, work in progress.
12. Bencsath, B., and Vajda, I. (2004). Protection against DDoS attacks based on traffic level measurements. In Proceedings of the Western Simulation Multi Conference, San Diego, CA, pp. 22-28.
13. Blazek, R.B., Kim, H., Rozovskii, B., and Tartakovsky, A. (2001). –A novel approach to detection of denial-of-service attacks via adaptive sequential and batch sequential change-point detection methods,— in Proceedings of IEEE Systems, Man and Cybernetics Information Assurance Workshop, pp. 220-226, 2001.
14. Burton, H. Bloom. (1970, July). Space/time trade-offs in hash coding with allowable errors. Communications of the ACM (CACM), 13(7), 422-426.
15. Bush, R., Karrenberg, D., Kosters, M., and Plzak, R. (2000, June). Root name server operational requirements. BCP40, RFC 2870.
16. Bysin. (2001, July 11). Knight.c sourcecode. PacketStormSecurity.nl.
17. Available at http://packetstormsecurity.nl/distributed/knight.c
18. CERT. (1996, September). CERT advisory CA-1996-21 TCP SYN Flooding and IP spoofing attacks.
19. CERT Coordination Center (1999). Denial of service tools. Available at http://www.cert.org/advisories/CA-1999-17.html
20. CERT Coordination Center. (n.d.). Mail bomb attack. Available at http://www.cert.org/tech_tips/email_bombing_spamming.html
21. CERT Coordination Center. (2001). Carnegie Mellon Software Engineering Institute, CERT Advisory CA-2001-20 Continuing threats to home users, 23. Available at http://www.cert.org/advisories/CA-2001-20.html
22. CERT Statistics. Available at http://www.cert.org/stats/cert_stats.html CGI request attack. (n.d.). Available at http://cpan.uwinnipeg.ca/htdocs/CGI.pm/CGI.html
23. Chen, Y., Hwang, K., and Ku, W. (2007, December). Collaborative detection of DDoS attacks over multiple network domains. IEEE Transaction on Parallel and Distributed Systems, TPDS-0228-0806, 18(12).
24. Cheng, C.M., Kung, H.T., and Tan, K.S. (2002). Use of spectral analysis in defense against DoS attacks. In Proceedings of IEEE GLOBECOM 2002, Taipei, Taiwan, pp. 2143-2148.
25. Cheung, S. (2006, January/February). Denial of service against the domain name system. IEEE Security & Privacy, 4(1), 40-45.
26. Darmohray, T., and Oliver, R. (2000). Hot spares for DDoS attacks. Available at http://www.usenix.org/publications/login/2000-7/apropos.html
27. Dean, D., Franklin, M., and Stubblefield, A. (2002). An algebraic approach to IP traceback. ACM Trans. Inform. System Security, 5(2), 119-137.
28. Debar, H., Dacier, M., and Wespi, A. (1999). Towards a taxonomy of intrusion detection systems. Computer Networks, 31.
29. Demers, A., Keshav, S., and Shenker, S. (1990). Analysis and simulation of a fair queuing algorithm. Journal of Internetworking Research and Experience, 1(1), pp. 3-26.
30. Dietrich, S., Long, N., and Dittrich, D. (2000). Analyzing distributed denial of service tools: The Shaft case. In Proceedings of the 14th Systems Administration Conference (LISA 2000), New Orleans, LA, December 3-8, pp. 329-339.
31. Dittrich, D., Weaver, G., Dietrich, S., and Long, N. (2000, May). The –Mstream— distributed denial of service attack too. Available at http://staff.washington.edu/dittrich/misc/mstream.analysis.txt
32. Dittrich, D. (1999, October 21). The DoS project's Trinoo distributed denial of service attack tool. University of Washington. Available at http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
33. Dittrich, D. (1999, October 21). The tribe flood network distributed denial of service attack tool. University of Washington. Available at http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
34. Dittrich, D. (1999, December). The Stacheldraht distributed denial of service attack tool. University of Washington. Available at http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
35. Douligeris, C., and Mitrokotsa, A. (2003). DDoS attacks and defense mechanisms: Classification. In Proceedings of the 3rd IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 03), pp. 190-193, Darmstadt, Germany, December 14-17.
36. Douligeris, C., and Mitrokotsa, A. (2004, April). DDoS attacks and defense mechanisms: Classification and state-of-the-art. Computer Networks, 44(5), 643-666.
37. Farrow, R. (n.d.). TCP SYN Flooding attacks and remedies. Network Computing Unix World. Available at http://www.networkcomputing. com/unixworld/security/004/004.txt.html
38. Feinstein, L., Schnackenberg, D., Balupari, R., and Kindred, D. (2003). Statistical approaches to DDoS attack detection and response. In Proceedings of DISCEX'03, Washington, DC, Vol. 1, pp. 303-314.
39. Ferguson, P., and Senie, D. (2001). Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827.
40. Floyd, S., and Jacobon, V. (1993). Random early detection gateways for congestion avoidance. IEEE/ACM Trans. on Networking, 1(4), 397-413.
41. Floyd, S., and Fall, K. (1999, August). Promoting the use of end-to-end congestion control in the Internet. IEEE/ACM Trans. on Networking, 7(4), 458-472.
42. Floyd, S., Bellovin, S., Loannidis, J., Kompella, K., Mahajan, R., and Paxson, V. (2001). Pushback messages for controlling aggregates in the network. Available at draft-floyd-pushback-messages-00.txt
43. Galli, P. (2006, March). DoS attack brings down Sun Grid demo. Available at http://www.eweek.com/article2/0,1895,1941574,00.asp
44. Garber, L. (2000, April). Denial-of-service attacks rip the Internet. IEEE Computer, 33(4), 12-17.
45. Geng, X., and Whinston, A.B. (2000). Defeating distributed denial of service attacks. IEEE IT Professional, 2(4), 36-42.
46. Gibson, S. (2002, March). The strange tale of the attacks against GRC.COM. Available at http://grc.com/dos/grcdos.htm
47. Gil, T.M., and Poletto, M. (2001). Multops: A data-structure for bandwidth attack detection. In Proceedings of the 10th USENIX Security Symposium, Washington, DC, pp. 23-38.
48. Global incident analysis center-special notice-egress filtering v 0.2. Available at http://www.sans.org/y2k/egress.htm
49. Gonsalves, C. (2004, June). Akamai DDoS attack whacks Web traffic. Available at http://www.eweek.com/article2/0,1895,1612739,00.asp
50. Gordon, L.A., Loeb, M.P., Lucyshyn, W., and Richardson, R. (2005). 2005 CSI/FBI computer crime and security survey. Tech. Report, Computer Security Institute. Available at www.GCSI.com
51. Gupta, B.B., Misra, M. and Joshi, R.C. (2008). An ISP level solution to combat DDoS attacks using combined statistical based approach. International Journal of Information Assurance and Security (JIAS), 3(2), 102-110.
52. Gupta, B.B., Misra, M., and Joshi, R.C. (2008). FVBA: A combined statistical approach for low rate degrading and high bandwidth disruptive DDoS attacks detection in ISP domain. In Proceedings of 16th IEEE International Conference On Networks (ICON-2008), New Delhi, India, Dec. 12-14, pp. 34-37.
53. Gupta, B.B., Kumar, K., Singh, K., and Joshi, R.C. (2007). Distributed approach to detect DDoS attacks in ISP domain using entropy. In Proceedings of International Conference on Advanced Communication System (ICACS-2007), India, pp. 101-108.
54. Hancock, B. (2000). Trinity v3, a DDoS tool, hits the streets. Computers Security, 19(7), 574.
55. Handley, M. (2005). Internet architecture WG: DoS-resistant Internet subgroup report. Available at http://www.communications.net/object/download/1543/doc/mjh-dos-summary.pdf
56. Hazelhurst, S. (2000). Algorithms for analyzing firewall and router access lists. In Proceedings of Workshop on Dependable IP Systems and Platforms (ICDSN).
57. Howard, J. (1998, August). An analysis of security incidents on the Internet 1989-1995. PhD thesis, Carnegie Mellon University.
58. Huegen, C.A. (2000). The latest in denial of service attacks: –SMURFING— description and information to minimize effects. Available at http://www.pentics.net/denial-of-service/white-papers/smurf.txt
59. Hwang, K., Cai, M., Chen, Y., and Qin, M. (2007). Hybrid intrusion detection with weighted signature generation over anomalous Internet episodes. IEEE Transaction on Dependable and Secure Computing, 4(1), 41-55.
60. IRC Security. (n.d.). Available at http://www.irchelp.org/irchelp/security
61. J-063: Domain name system (DNS) denial of service (DoS) attacks. (1999). Available at http://www.securityfocus.com/advisories/1727
62. Javvin network management & security. (n.d.). UDP Flood attack. Available at http://www.javvin.com/networkSecurity/UDPFloodAttack.html
63. Kenney, M. (n.d.). Ping of death attack. Available at http://insecure.org/sploits/ping-o-death.html
64. Keromytis, A.D., Misra, V., and Rubenstein, D. (2002). SOS: Secure overlay services. In Proceedings of ACM SIGCOMM, pp. 61-72.
65. Khattab, S.M., Sangpachatanaruk, C., Melhem, R., Mosse, D., and Znati, T. (2003, August). Proactive server roaming for mitigating denial of service attacks. In Proceedings of the 1st International Conference on International Technology: Research and Education (ITRE 03), Newark, NJ, pp. 500-504.
66. Kim, D. (2006, August). A study on introducing Six Sigma theory in the library for service competitiveness enhancement. In Proceedings of the World Library and Information Congress: 72nd IFLA General Conference and Council, Seoul, Korea, pp. 20-24
67. Kumar, K., Joshi, R.C., and Singh, K. (2006). An integrated approach for defending against distributed denial-of-service (DDoS) attacks. In Proceedings of IRISS-2006, IIT Madras. Available at www.cs.iitm.ernet.in/-iriss06/iitr_krishan.pdf
68. Lakhina, A., Crovella, M., and Diot, C. (2005). Mining anomalies using traffic feature distributions. ACM SIGCOMM Computer Communication Review, 35(4), 217-228.
69. Lau, F., Stuart, R.H., Michael, S.H., et al. (2000). Distributed denial of service attacks. In Proceedings of 2000 IEEE International Conference on Systems, Man, and Cybernetics, Nashville, TN, Vol.3, pp. 2275-2280.
70. Lee, R.B. (2003). Taxonomies of distributed denial of service networks, attacks, tools and countermeasures. Princeton University. Available at http://www.ee.princeton.edu/-rblee
71. Lee, W., Stolfo, S.J., and Mok, K.W. (1999). A data mining framework for building intrusion detection models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, CA, May 9-12, pp. 120-132.
72. Lee, W., and Stolfo, S. (2000). A framework for constructing features and models for intrusion detection systems. ACM Trans. Information and System Security (TISSEC), 3(4), 227-261.
73. Leyden, J. (2002, April). Scottish ISP floored as DDoS attacks escalate. Available at http://www.theregister.co.uk/2002/04/09/scottish_isp_ floored_as_ddos
74. Leiner, B.M., Cerf, V.G., et. al. (2003). A brief history of the Internet. Internet Society. Available at http://www.isoc.org
75. Li, M., Li, M., and Jiang, X. (2008). DDoS attacks detection model and its applications. WSEAS Transactions on Computers, 7(8), 1159-1168.
76. Li, J., Mirkovic, J., Wang, M., Reiher P., and Zhang, L. (2002). SAVE: Source address validity enforcement protocol. In Proceedings of IEEE INFOCOM, pp. 1557-1566.
77. Limwiwatkul, L., and Rungsawang, A. (2004, October). Distributed denial of service detection using TCP/IP header and traffic measurement analysis. In Proceedings of IEEE International Symposium on Communications and Information Technology (ISCIT 2004), pp. 605-610.
78. Mankin, A., and Ramakrishnan, K. (1991, August). Gateway congestion control survey. IETF RFC 1254. Available at http://www.rfc-editor. org/rfc.html
79. Marchesseau, M. (2000, September). Trinity-distributed denial of service attack tool. Available at http://www.giac.org/certified_professionals/practicals/gsec/0123.php
80. McAfee. (n.d.) Personal Firewall. Available at http://www.mcafee.com/myapps/firewal l/ov_f irewall.asp
81. Mckenny, P. (1990). Stochastic fairness queuing. In Proceeding of IEEE INFOCOM, Piscataway, NJ, pp. 733-740.
82. Mirkovic, J., Prier, G., and Reiher, P. (2002). Attacking DDoS at the source. In Proceedings of ICNP-2002, Paris, France, pp. 312-321.
83. Mirkovic, J., and Reiher, P. (2004, April). A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communications Review, 34(2), 39-53.
84. Mirkovic, J., Robinson, M., and Reiher, P. (2003). Forming alliance for DDoS defenses. In Proceedings of New Security Paradigmes Workshop (NSPW 2003), ACM Press, New York, NY, August 11-18.
85. Molsa, J. (2005). Mitigating denial of service attacks: A tutorial. Journal of Computer Security, 13, 807-837.
86. Moore, D., Shannon, C., Brown, D.J., Voelker, G., and Savage, S. (2006). Inferring Internet denial-of-service activity. ACM Transactions on Computer Systems, 24(2), 115-139.
87. Oppliger, R. (1997). Internet security: Firewall and beyond. Communications of the ACM, 40(5), 92-102.
88. Papadopoulos, C., Lindell, R., Mehringer, J., Hussain, A., and Govindan, R. (2003, April). COSSACK: Coordinated suppression of simultaneous attacks. In Proceedings of the DARPA Information Survivability Conference and Exposition, Vol. 1, pp. 2-13.
89. Park, K., and Lee, H. (2001). On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. In Proceedings of the ACM SIGCOMM 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, ACM Press, New York, pp. 15-26, 2001.
90. Paxson, V. (2001). An analysis of using reflectors for distributed denial-of- service attacks. ACM SIGCOMM Computer Communications Review (CCR), 31(3), 38-47.
91. Paxson, V. (1999). Bro: A system for detecting network intruders in realtime. International Journal of Computer and Telecommunication Networking, 31(24), 2435-2463.
92. Peng, T., Leckie, C., and Ramamohanarao, K. (2003). Protection from distributed denial of service attack using history-based IP filtering. In Proceedings of IEEE International Conference on Communications (ICC2003), Anchorage, AL, Volume 1, pp. 482-486.
93. Raisinghani, M.S., Ette, H., Pierce, R., Cannon, G., and Daripaly, P. (2005). Six Sigma: concepts, tools, and applications. Journal of Industrial Management & Data Systems, 105(4), 491-505.
94. Ramkumar, G.D., Ranka, S., and Tsur, S. (1998). Weighted association rules: Model and algorithm. In Proceedings of Fourth ACM Int'l Conf. Knowledge Discovery and Data Mining. Available at http://www.cs.ucla.edu/-czdemo/tsur/Papers/wis.ps
95. Robinson, M., Mirkovic, J., Schnaider, M., Michel, S., and Reiher, P. (2003). Challenges and principles of DDoS defense. SIGCOMM.
96. Roesch, M. (1999, November). Snort-lightweight intrusion detection for networks. In Proceedings of the USE NIX Systems Administration Conference (LISA '99), pp. 229-238.
97. Savage, S., Wetherall, D., Karlin, A., and Anderson, T. (2000, August). Practical network support for IP traceback. In Proceedings of ACM SIGCOMM 2000, Stockholm, Sweden, pp. 295-306.
98. Scalzo, F. (2006). Recent DNS reflector attacks. VeriSign. Available at http://www.nanog.org/mtg-0606/pdf/frank-scalzo.pdf
99. Schuba, C., Krsul, I., Kuhn, M., Spafford, G., Sundaram, A., and Zamboni, D. (1997, May). Analysis of a denial of service attack on TCP. In Proceedings of the 1997 IEEE Symposium on Security and Privacy.
100. Singh Negi, C. (2001, September). Using network management system to detect distributed denial of service attacks. Master's thesis, Naval Postgraduate School Monterey, CA.
101. Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., and Strayer, W.T. (2001, August). Hash-based IP traceback. In Proceedings of ACM SIGCOMM 2001, San Diego, CA, pp. 3-14.
102. Song, D.X., and Perrig, A. (2001). Advanced and authenticated marking schemes for IP T raceback. In Proceedings of IEEE INFOCOM, pp. 878-886.
103. Teardrop attacks. (n.d.). Available at http://www.physnet.uni-hamburg. de/physnet/security/vulnerability/teardrop.html
104. The ISC Internet Domain Survey. Available at https://www.isc.org/solutions/survey
105. Weiler, N. (2002, June). Honeypots for distributed denial of service attacks. In Proceedings of the Eleventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'02), pp. 109-114, Pittsburgh, PA.
106. Wikipedia. (n.d.). DNS request attack. Available at http://en.wikipedia. org/wiki/DNS_cache_poisoning
107. Wikipedia. (n.d.). LAND attack. Available at http://en.wikipedia.org/wiki/LAND
108. Xiang, Y., Zhou, W., and Chowdhury, M. (2004). A survey of active and passive defense mechanisms against DDoS attacks. Technical Report, TR C04/02, School of Information Technology, Deakin University, Australia.