DDoS Attacks—Analysis and Prevention

G. Dayanandam, T. V. Rao, D. Bujji Babu and S. Nalini Durga

Abstract  Distributed Denial-of-Service (DDoS) attacks overwhelm the critical resources of a target server in order to deny its services to legitimate clients; they mainly attack availability, one of the three elements of the Confidentiality, Integrity, Availability (CIA) triad, in Internet-based applications. In this paper, we analyze three major components of DDoS defense mechanisms: DDoS detection, DDoS mitigation, and IP traceback. In the first step, all DDoS attacks need to be detected using an intrusion detection system that pinpoints the exact packet characteristics of the attack. The attack traffic is classified based on those packet characteristics, and the classification leads to mitigation: the mitigation scheme rate limits and filters the malicious packets. IP traceback is capable of tracing IP packets to their sources without depending on the source address field of the IP header; IP traceback mechanisms are used to identify the true source address and to reject spoofed IP addresses. Finally, we propose a novel mechanism to defend against DDoS attacks at the network layer and the application layer.

Keywords  DDoS ⋅ Availability ⋅ Intrusion detection ⋅ Packet filtering ⋅ Rate limiting ⋅ IP spoofing ⋅ IP traceback

G. Dayanandam (✉)
ANUCET, ANU, Guntur 522510, India
e-mail: gdayanandam@gmail.com

T. V. Rao
Mangalagiri 522503, India
e-mail: tv_venkat@yahoo.com

D. Bujji Babu
QISCET, Ongole 523001, India
e-mail: bujjibict@gmail.com

S. Nalini Durga
Sri Padmavati Mahila Visvavidyalayam, Tirupati, Andhra Pradesh, India
e-mail: nalini.seeramsetti@gmail.com

© Springer Nature Singapore Pte Ltd. 2019
H. S. Saini et al. (eds.), Innovations in Computer Science and Engineering, Lecture Notes in Networks and Systems 32, https://doi.org/10.1007/978-981-10-8201-6_1

1 Introduction

Today, the Internet has become increasingly popular with people and businesses as a way to perform tasks easily.
The use of the Internet in the business model is the best choice for generating significant revenue for individuals and business organizations. At the same time, there are many opportunities for attackers to steal information, disrupt services, or change the permissions of authorized users. Malicious users are motivated to perform illegal operations on any of the crucial components of security in the CIA triad [1], i.e., Confidentiality, Integrity, and Availability. According to Fig. 1, Confidentiality is a mechanism to protect information from disclosure to unauthorized users. Information plays a key role in today's world in most areas: bank account statements, personal information, credit card numbers, trade secrets, government documents, and many more. Every human being wishes to keep their personal information secure. Integrity means that modifications can be made only by authorized persons, not by unauthorized ones, because tampered information may lead to various losses such as financial loss or loss of public security. Availability refers to providing information to authorized persons when they need it. The primary aim of a DDoS attack is to make information unavailable when an authorized person looks for it.

Fig. 1 CIA triad

Denial-of-Service Attack: A Denial-of-Service attack [2], often abbreviated as a DoS attack, is a malicious attack performed from one attacker machine (host) against a target machine (victim), as shown in Fig. 2. Many DoS attacks exploit weaknesses in the TCP/IP protocol suite.

Distributed Denial-of-Service Attack: A Distributed Denial-of-Service attack [2] is also called a DDoS attack. In this attack, the victim computer receives a huge number of packets from a huge number of compromised host computers, which exhausts the victim's resources, such as memory, and leads to unavailability of data to authorized users (Fig. 3).

Fig. 2 Denial-of-Service attack

Fig. 3 Distributed Denial-of-Service attack

A DoS attack is different from a DDoS attack. In a DoS attack, the attacker typically uses one computer to attack the victim, whereas in a DDoS attack the attacker may use multiple computers to attack the victim.

This paper is organized as follows. Section 2 provides the history of DDoS attacks. Section 3 describes the motivation behind DDoS attacks. Section 4 covers defense against DDoS attacks. Section 5 reviews existing DDoS defense mechanisms. The proposed DDoS defense solution is given in Sect. 6, and the conclusion in Sect. 7.

2 History of DDoS Attacks

The first-ever DoS attack was performed in 1974 by David Dennis. Table 1 lists the DDoS attacks that occurred year by year.

Table 1 History of DDoS attacks [3, 4]

S. no  Year       Type of attack
1      1988       Morris worm and first DDoS attack
2      1990       Simple and width-based DDoS and IRC chat floods
3      1990       UDP flood attack using Trinoo
4      2000       Attack on Yahoo, E-bay, and Amazon
5      2001       Mafiaboy gets 8 months for DDoS attacks
6      2001       Code red worm attacks on Web site for US White House
7      2002       DDoS flood disrupts service at nine of the 13 DNS root servers
8      2003       Attack on Al-Jazeera
9      2004       SCO faced DDoS attacks from more than 16 M copies of Mydoom
10     2005       E-bay DDoS attack
11     2006       Storm pay battling sustained DDoS attack
12     2007       Estonian DDoS attacks suggest political motivation
13     2008       Georgia president Web site under DDoS attack
14     2009       DDoS attack hobbles sites, including Amazon
15     2009       Attacks on ultra DNS, https://Register.com, The Pirate Bay
16     2009       Attacks on South Korean and American Web sites + Washington Post, NYSE
17     2009       Attacks on Iranian Government Web sites
18     2009       Attacks on Facebook, Twitter, and Google
19     2009       DDoS attacks against Russian blog
20     2010       DDoS attack targets Wikileaks; Wikileaks sympathizers target MasterCard, Paypal, VISA
21     2011–2012  Wordpress.com attack, DDoS on CIA Web site, Operation Tunisia, Operation Sony, Operation Syria, Operation Megaupload, Operation Russia, Operation INDIA, Operation Japan
22     2013       DDoS attacks on South Korean Web sites
23     2013       Spamhaus suffered highest possible DDoS attack
24     2014       Multiple gaming platforms
25     2014       JP Morgan Chase, Bank of America
26     2014       SSDP flood UPnP attacks
27     2015       Github
28     2016       Russian banks and Rio Olympics

3 Motivation of DDoS Attacks

Attackers are motivated to perform DDoS attacks for different reasons, depending on the attacker's behavior. Motivation factors can be classified [5] as follows.

Financial Gain: The attacker's main objective is financial gain. These people are highly skilled and difficult to detect.

Professional Skills: Attackers who are passionate about knowing their own vulnerability and the strength of the security mechanism.

Revenge: Attackers who are discouraged and low-skilled persons ready to take vengeance.

Cyber Warfare: Attackers who are highly capable and knowledgeable persons belonging to organizations of a country, acting to defend their organizations [6].

DDoS attacks have been performed over the years due to poor preparation by most organizations. The latest attacks use multiple vectors in a single attack campaign, targeting multiple elements of an organization's network infrastructure and its applications. Fifty-four percent of attacks are performed at the application layer and 46% at the network layer (Fig. 4).

Fig. 4 Global application and network security report—2011 [7]: bar chart of attack vectors, split into application-layer attacks (54%; labels VoIP, DNS, HTTPS, SMTP) and network-layer attacks (46%; labels TCP-SYN flood, TCP-others, UDP, ICMP, IPv6)

4 Defense Against DDoS Attacks

DDoS attacks are common threats to today's network infrastructure. Although many methods exist to defend against DDoS attacks, their efficiency still needs to improve.
DDoS attack mitigation is a big task, but such attacks must be prevented. This requires more effort to improve security across the organization's network. We can divide the mitigation of a DDoS attack into three phases: before the attack, during the attack, and after the attack.

a. Before the Attack: Prevention is better than cure. So, before facing the DDoS attack problem, we need to reduce zero-day attacks, i.e., before an attacker identifies exploits, the organization's administrators should take care of the organization's new vulnerabilities. Administrators therefore need to identify zero-day vulnerabilities early, before attackers find them, and prepare patches for them to reduce DDoS attacks. Snort is a good tool to detect DDoS attacks.

DDoS Attack Detection Methods: Here we present the literature on existing DDoS attack detection methods. DDoS attack detection methods can be classified into five categories [8]:

Statistical-based methods
Knowledge-based methods
Soft computing methods
Data mining methods
Machine learning methods

Statistical-Based Methods involve gathering data, applying statistical methods to the gathered data, and deciding whether the data is authorized or not. Statistical-based methods are classified into two types: threshold detection and profile-based detection. Threshold detection is based on threshold values for some parameters; if any one parameter exceeds its threshold value, an intrusion is assumed. Profile-based anomaly detection concentrates on previous behavior characteristics and then detects significant deviations from them.

Knowledge-Based Methods are also called rule-based methods. These methods detect intrusions using previous knowledge of patterns and indicate whether a pattern of activity is suspicious or not. Knowledge-based methods are classified into two types: rule-based anomaly detection and rule-based penetration identification. Rule-based anomaly detection uses historical audit records and automatically generates rules to identify useful patterns. Rule-based penetration identification identifies known signatures that would exploit known weaknesses.

Soft Computing Methods provide low-cost, tractable, and robust computing in the presence of uncertainty. There are two types of soft computing techniques: artificial neural networks (ANNs) and support vector machines (SVMs). ANN methods are used to model new nonlinear systems with large numbers of inputs and outputs and the relationships between them. SVM methods classify data based on the relationship between independent variables and target variables.

Data Mining Methods detect patterns in large amounts of data and use these patterns to detect future instances in similar data. They have lower true positive rates than signature-based methods, and these systems are more complex.

Machine Learning Methods include the latest statistical methods for classification and regression. These methods include GLM, GBM, Random Forest, and neural networks.

A firewall is placed in front of our private network to guard against all types of attacks initiated through the Internet.

b. During the Attack: It is very difficult to stop a DDoS attack during the attack period. Cooperation between the organization and the upstream routers is required, so some mechanism needs to be implemented at the router level to reduce the effect of the DDoS attack.

c. After the Attack: After identifying the attack, the intrusion response team gathers data and is able to identify the type of attack being carried out. The source networks of the DDoS attack can be identified by analyzing the gathered data. In future, we can stop packets received from the identified DDoS attack networks.
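The two statistical-based techniques described above, threshold detection and profile-based anomaly detection, are shown below as an added worked example; this code is not from the paper and is not the authors' implementation. It runs both detectors over constructed per-second traffic counters (packets/s, SYN/s, distinct sources/s) and then reports which parameters deviate, i.e., the packet characteristics that the later classification and mitigation steps key on. The field names, thresholds, z-score limit and traffic figures are all assumptions chosen for illustration.

```python
"""Statistical-based DDoS detection (added example, not the paper's code).

Two detectors over the same per-second counters:
  - threshold detection: alert when any one parameter exceeds a fixed limit
  - profile-based anomaly detection: learn mean/std-dev of each parameter from
    a baseline window, then alert on a significant deviation (z-score)
All thresholds, field names and traffic figures are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    """One second of aggregate traffic seen at the network edge."""
    second: int
    packets: int   # total packets/s
    syn: int       # TCP SYN packets/s (new connection attempts)
    sources: int   # distinct source IP addresses/s


# Constructed baseline: normal traffic with small periodic variation (seconds 0-59).
BASELINE = [Sample(s, 800 + (s % 7) * 10, 40 + (s % 5), 30 + (s % 3)) for s in range(60)]

# Constructed observation window: five normal seconds, then a SYN flood from
# many sources (seconds 65-69).
OBSERVED = ([Sample(60 + i, 830, 42, 31) for i in range(5)]
            + [Sample(65 + i, 25000, 22000, 4800) for i in range(5)])

# Assumed fixed limits for threshold detection.
THRESHOLDS = {"packets": 5000, "syn": 1000, "sources": 500}


def threshold_detect(samples, thresholds=THRESHOLDS):
    """Threshold detection: an intrusion is assumed when any one parameter
    exceeds its limit. Returns [(second, [exceeded parameters]), ...]."""
    alerts = []
    for s in samples:
        exceeded = [p for p, limit in thresholds.items() if getattr(s, p) > limit]
        if exceeded:
            alerts.append((s.second, exceeded))
    return alerts


def build_profile(baseline):
    """Profile-based detection, step 1: summarise previous behaviour as
    (mean, population std-dev) per parameter."""
    profile = {}
    for p in ("packets", "syn", "sources"):
        values = [getattr(s, p) for s in baseline]
        profile[p] = (mean(values), pstdev(values))
    return profile


def profile_detect(samples, profile, z_limit=6.0):
    """Profile-based detection, step 2: flag seconds whose parameters deviate
    significantly (|z| > z_limit) from the learned profile.
    Returns [(second, {parameter: z}), ...]."""
    alerts = []
    for s in samples:
        deviating = {}
        for p, (mu, sigma) in profile.items():
            value = getattr(s, p)
            if sigma > 0:
                z = abs(value - mu) / sigma
            else:  # constant baseline: any change at all is a deviation
                z = 0.0 if value == mu else float("inf")
            if z > z_limit:
                deviating[p] = round(z, 1)
        if deviating:
            alerts.append((s.second, deviating))
    return alerts


def characterize(alerts):
    """Parameters flagged in every alerting second: the packet characteristics
    that the mitigation step (rate limiting / filtering) should key on."""
    if not alerts:
        return []
    common = set(alerts[0][1])
    for _, params in alerts[1:]:
        common &= set(params)
    return sorted(common)


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("threshold alerts:", threshold_detect(OBSERVED))
    anomalies = profile_detect(OBSERVED, profile)
    print("profile alerts:", anomalies)
    print("attack characteristics:", characterize(anomalies))
```

Both detectors flag seconds 65 to 69 on all three parameters; the profile-based detector needs no hand-tuned packet-rate limits, only a baseline window, which is why the paper's phase (a), preparation before the attack, matters for it.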
DDoS attacks are performed on the basis of weaknesses in the TCP/IP architecture. Even if we protect our own network from DDoS attacks, we cannot stop the attacks coming from bots on the Internet. Up to now, there is no single solution that can handle all types of DDoS attacks efficiently. DDoS attacks can be defended against in three responsive steps: DDoS attack detection, DDoS mitigation, and IP traceback. In the first step, all DDoS attacks need to be detected using an intrusion detection system that pinpoints the exact packet characteristics of the attack. This classification can then lead to an attack mitigation scheme that rate limits or filters the malicious packets. The IP traceback scheme is performed concurrently while attack mitigation takes place; using it, we find the true source of the packets and counter IP spoofing attacks.

5 Existing DDoS Defense Mechanisms

Ingress/Egress Filtering [9, 10]: With this method, it is very difficult for attackers to perform DDoS attacks using IP spoofing. A firewall is a better solution to stop IP spoofing attacks: it applies ingress filtering to the inbound traffic and egress filtering to the outbound traffic. If we implement ingress/egress filtering using a firewall, we can effectively stop DDoS attacks that rely on IP spoofing.

IP traceback mechanisms: IP traceback is the process of tracking the true sources of forged IP packets. E. Y. Chen and A. Yonezawa [11] proposed a DDoS attack countermeasure in three stages. In the detection stage, they perform two threshold tests to look for an increase in traffic rate. In the segregation stage, they identify the protocol used for the attack and then formulate a number of strategies to build accumulated filter rules that effectively segregate attack traffic from authorized traffic. Finally, they mitigate the DDoS attack by blocking the malicious traffic upstream and killing the zombies if possible. Y. Xiang and W. Zhou [12] proposed flexible deterministic packet marking (FDPM) to perform large-scale IP traceback to defend against DDoS attacks.

Rate limiting mechanisms: Rate limiting mechanisms limit only the malicious packets and not legitimate packets. Researchers have proposed various rate limiting mechanisms in [13–17] by observing an asymmetry between the packets traveling to and from a network. IP blacklisting and IP rate control methods [18] are also used to mitigate DDoS attacks. In IP rate control mechanisms, the rate control limits the number of requests per IP address and blocks additional requests when one of a set of thresholds is exceeded.

6 Proposed DDoS Defense Solution

A DDoS defense mechanism is used to monitor, manage, and mitigate the impact of these malicious DDoS attacks. We identified the attack machines and stopped the attack using access control lists, system log, modular policy framework, and resource limiting. We can pass authorized data to the server by placing a firewall in front of the server to detect and prevent DDoS attacks (Fig. 5). Here we used access control lists (ACLs) to control all types of attacks. By using ACLs, we block unnecessary data in real time: we allowed only Web applications and denied other applications using ACL commands. The system log is used to analyze the incoming data to a particular target. Modular policy framework (MPF) rules are a basic requirement for organizations. Attackers use a large number of sessions per second, whereas a normal user does not need too many sessions per second, so the firewall allows only a limited number of sessions to reduce attacker traffic. In our approach, MPF and ACLs are used to detect and prevent network- and application-level attacks. The firewall does not allow any traffic that does not match its conditions. We can defend against the attacker traffic by placing a firewall in front of the server.
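The mitigation building blocks named in Sects. 5 and 6, ingress/egress anti-spoofing filtering, an ACL that admits only Web traffic, and per-IP rate control with a threshold and a blacklist, are combined below in one small edge-filter pipeline as an added example. It is not the paper's implementation and does not reproduce any vendor's firewall, ACL or MPF syntax; the internal prefix (192.0.2.0/24), the allowed ports, the rate threshold, the blacklist hold-down and the packet log are all constructed assumptions. Dropped packets are recorded with a reason, which stands in for the system log the authors use to analyze incoming data.

```python
"""Edge filtering pipeline (added example, not the paper's code).

Per inbound packet, in order:
  1. ingress/egress filtering: drop inbound packets claiming an internal source
     and outbound packets not carrying one (anti-spoofing, cf. RFC 2267)
  2. ACL: admit only Web traffic (TCP 80/443) to the server
  3. per-source rate control: sliding-window request counter; a source that
     exceeds the threshold is blacklisted for a hold-down period
Prefix, ports, thresholds and the packet log are constructed assumptions.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # assumed internal prefix (documentation range)
ALLOWED_PORTS = {80, 443}               # ACL: only Web applications reach the server
RATE_LIMIT = 20                         # assumed max requests per source per window
WINDOW_SECONDS = 1.0
BLACKLIST_SECONDS = 60.0


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    direction: str   # "in" (from the Internet) or "out" (towards the Internet)


class EdgeFilter:
    def __init__(self):
        self.windows = defaultdict(deque)  # src -> timestamps admitted in current window
        self.blacklist = {}                # src -> time until which it stays blocked
        self.drops = []                    # (ts, src, reason): the "system log"

    def _drop(self, pkt, reason):
        self.drops.append((pkt.ts, pkt.src, reason))
        return False

    def _spoofed(self, pkt):
        src_internal = ip_address(pkt.src) in INTERNAL
        # ingress: a packet from the Internet must not claim an internal source
        # egress: a packet leaving the network must carry an internal source
        return src_internal if pkt.direction == "in" else not src_internal

    def admit(self, pkt):
        """True if the packet passes every check, False (and logged) otherwise."""
        if self._spoofed(pkt):
            return self._drop(pkt, "spoofed-source")
        if pkt.direction == "out":
            return True  # only inbound traffic is subject to the ACL and rate control
        if pkt.dport not in ALLOWED_PORTS:
            return self._drop(pkt, "acl-deny")
        until = self.blacklist.get(pkt.src)
        if until is not None and pkt.ts < until:
            return self._drop(pkt, "blacklisted")
        window = self.windows[pkt.src]
        while window and pkt.ts - window[0] >= WINDOW_SECONDS:
            window.popleft()  # expire requests older than the window
        if len(window) >= RATE_LIMIT:
            self.blacklist[pkt.src] = pkt.ts + BLACKLIST_SECONDS
            window.clear()
            return self._drop(pkt, "rate-limit")
        window.append(pkt.ts)
        return True


def run(packets):
    """Filter a packet list; returns the per-packet decisions and the filter state."""
    f = EdgeFilter()
    return [f.admit(p) for p in packets], f


def drop_summary(f):
    """Count of drops per reason, as an operator would read them from the log."""
    return dict(Counter(reason for _, _, reason in f.drops))


def sample_packets():
    """Constructed packet log covering each branch of the pipeline."""
    pkts = [Packet(0.1 * i, "198.51.100.7", "192.0.2.10", 443, "in") for i in range(5)]
    pkts.append(Packet(0.55, "192.0.2.99", "192.0.2.10", 443, "in"))     # spoofed internal src
    pkts.append(Packet(0.6, "198.51.100.8", "192.0.2.10", 22, "in"))     # non-Web port, ACL
    pkts += [Packet(1.0 + 0.01 * i, "203.0.113.5", "192.0.2.10", 80, "in")
             for i in range(30)]                                         # 30 requests in 0.3 s
    pkts.append(Packet(5.0, "203.0.113.5", "192.0.2.10", 80, "in"))      # still blacklisted
    pkts.append(Packet(5.1, "192.0.2.10", "198.51.100.7", 443, "out"))   # legitimate reply
    pkts.append(Packet(5.2, "203.0.113.77", "198.51.100.7", 443, "out")) # egress spoof
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    decisions, state = run(sample_packets())
    print("admitted:", decisions.count(True), "dropped:", decisions.count(False))
    print("drops by reason:", drop_summary(state))
    print("blacklisted sources:", sorted(state.blacklist))
```

On the constructed log the normal client's five requests and the first twenty requests of the flooding source are admitted; the twenty-first trips the rate limit and the source is blacklisted, so its remaining requests, including the one four seconds later, are dropped without touching the counter. The rate limit is applied after the ACL so that port probes never consume a source's request budget, and the spoofing check comes first because a forged source address would make the per-IP counters meaningless.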
Fig. 5 Architecture for implementing the novel method for prevention of bandwidth DDoS attacks

7 Conclusion

The success of an organization's security depends on how it copes with DDoS attacks. We defended against the DDoS attacks by implementing a firewall. The firewall may go down if the attack traffic increases rapidly. If an organization is targeted by a DDoS attack, it may suffer financial loss, reputation damage, revenge, and cyber warfare due to a lack of proper defense mechanisms. In future, when traffic increases rapidly, DDoS attacks can be defended against by implementing an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) along with the firewall.

References

1. http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA.
2. http://www.omnisecu.com/ccnasecurity/types-of-network-attacks.php.
3. https://security.radware.com/…/DDoS_Handbook/DDoS_Handbook.pdf.
4. Shweta Tripathi, Brij Gupta, Ammar Almomani, Anupama Mishra, Suresh Veluru, "Hadoop Based Defense Solution to Handle Distributed Denial of Service (DDoS) Attacks", Journal of Information Security, 2013, 4, 150–164.
5. A. Almomani, T.-C. Wan, B. B. Gupta, A. Altaher, E. A. Lmomani and S. Ramadass, "A Survey of Phishing Email Filtering Techniques," IEEE Communications Surveys & Tutorials, Vol. PP, No. 99, 2013, pp. 1–21.
6. S. Zargar, J. Joshi and D. Tipper, "A Survey of Defense Mechanisms against Distributed Denial of Service (DDoS) Flooding Attacks," IEEE Communications Surveys & Tutorials, Vol. PP, No. 99, 2013, pp. 1–24. https://doi.org/10.1109/surv.2013.031413.00127.
7. 2011 Global Application & Network Security Report: https://security.radware.com/WorkArea/DownloadAsset.aspx?id=795.
8. Monowar H. Bhuyan, H. J. Kashyap, D. K. Bhattacharyya and J. K. Kalita, "Detecting Distributed Denial of Service Attacks: Methods, Tools and Future Directions", The Computer Journal, 57 (4), 537–556.
9. P. Ferguson et al., RFC 2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. Technical report, The Internet Society, 1998.
10. SANS Institute. Egress filtering v 0.2, 2000. http://www.sans.org/y2k/egress.htm.
11. Eric Y. Chen and Akinori Yonezawa, "Practical Techniques for Defending against DDoS Attacks", 2005 IEEE.
12. Yang Xiang and Wanlei Zhou, "A Defense System Against DDoS Attacks by Large-Scale IP Traceback", 2005 IEEE.
13. Thomer M. Gil, Massimiliano Poletto. MULTOPS: a data-structure for bandwidth attack detection. In the Proceedings of the 10th USENIX Security Symposium, Washington D.C., August 2001.
14. Vern Paxson, Steve Bellovin, Sally Floyd and Ratul Mahajan. Controlling high bandwidth aggregates in the network. Technical report.
15. Jelena Mirkovic, Peter Reiher, Gregory Prier. Attacking DDoS at the source. International Conference on Network Protocols, 2002.
16. David Yau, John C. S. Lui, Feng Liang. Defending against distributed denial of service attacks using max-min fair server centric router throttles. IEEE International Conference on Quality of Service, 2002.
17. Vern Paxson, Steve Bellovin, John Ioannidis, Kireeti Kompella, Sally Floyd and Ratul Mahajan. Pushback messages for controlling high bandwidth aggregates in the network. Internet Draft, work in progress.
18. https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/.