Distributed Denial of Service (DDoS) Attacks Mitigation and
Packet Filtering Techniques: A Comprehensive Review
Ritu Maheshwari, PG Scholar, Department of Computer Science & Engineering, National Institute of Technical Teachers’ Training and Research, Chandigarh, India, ritu.nitttr@gmail.com
Dr. C. Rama Krishna, Associate Professor, Department of Computer Science & Engineering, National Institute of Technical Teachers’ Training and Research, Chandigarh, India, rkc_98@hotmail.com
Mr. M. Sridhar Brahma, Sr. Manager-IT Operations, CAIRN Energy India Pvt. Ltd., Sector-54, Gurgaon, Haryana, India, sridharbrahma@yahoo.com
Abstract— Distributed Denial of Service (DDoS) has become a major threat to Internet communication, causing disruption of services. A DDoS attack is a DoS attack that relies on multiple compromised hosts in the network to attack the victim, thereby degrading its performance. DDoS attacks degrade service to legitimate users by exhausting the communication and/or computational resources of the target. Their effects are characterized by unannounced delays and interruptions accompanied by undue losses. A number of mitigation techniques have been proposed in the literature by various researchers. They enable us to distinguish between legitimate and illegitimate traffic and accordingly either detect or drop the unwanted packets. Generally, attackers launch DDoS attacks by directing a massive number of attack sources to send useless traffic to the victim. The majority of DDoS attack tools use IP spoofing, which makes it very difficult to filter illegitimate packets out of the aggregated traffic because IP addresses can be forged easily. This paper presents a comprehensive review of DDoS attacks, defense mechanisms and mitigation techniques.
Keywords— DDoS, TTL, Round Trip Time (RTT), filtering techniques, Hop Count, Hop Count Filtering (HCF), defense mechanisms, mitigation techniques, probabilistic packet filtering
I. INTRODUCTION
A Denial of Service (DoS) attack can be characterized as an attack whose purpose is to prevent legitimate users from using a victim server or network resources. A DDoS attack can be performed at the network level, the operating system level and the application level. Even the most popular websites such as Twitter, Facebook and Google could not escape being hit, which affected millions of their users [20].
In a DDoS attack, the attacker fills the network's bandwidth with a large number of request packets, thus consuming the bandwidth. To launch a DDoS attack, the attacker first scans millions of machines for vulnerable services and other weaknesses, then gains access to and compromises these zombie or slave machines. These infected machines can recruit more zombies. When the assault starts, the real attacker hides its identity and sends orders to the zombies to perform the attack. A DDoS attack is thus a comprehensive and synchronized attack, initiated by a group of compromised hosts, upon a victim network resource.
The most eye-opening case was the DDoS incident that targeted the White House, the Federal Trade Commission and the Department of the Treasury. A botnet comprising 30,000–60,000 infected computers was used. The attack traffic consumed 20-40 GB of bandwidth per second, the largest attack traffic observed. The attack caused a target outage of 4-5 days, the longest outage duration ever.
According to the CIAC (Computer Incident Advisory Capability), the first reported large-scale DDoS attack occurred in August 1999 against a university. This attack shut down the victim's network for more than two days. On February 7, 2000, several websites were attacked, including Yahoo.com, which caused them to go offline for several hours; more than 10,000 online servers for games such as Return to Castle Wolfenstein, Halo, Counter-Strike and many others were also attacked [34]. According to Moore et al. [35], in some cases these DDoS attacks were able to produce about 1 Gbit/s of attack traffic against a single victim.
In January 2001, Register.com was targeted; DNS servers were used as reflectors in that attack [36]. On two occasions to date, attackers have performed DNS backbone DDoS attacks on the DNS root servers. The first occurred in October 2002 and disrupted service at 9 of the 13 root servers [4]. The second occurred in February 2007 and caused disruptions at two of the root servers [37], [40]. In January 2004, MyDoom attacked 1 million computers. Backscatter analysis has been used to assess the number, duration and focus of DDoS attacks in the Internet [38].
II. DDOS ATTACKS AND THEIR ARCHITECTURE
During an attack, the services of the network are intentionally blocked by the attacker. These attacks make the network resources unavailable to users [5]. An attack pattern is a process of identifying the attacker's view; it gives information about the type of attack, the prerequisites of the attack, the weaknesses of the attack, the knowledge required to perform it, and all the information about attacks that have happened in the network [1].
The two main classes of DDoS attacks are bandwidth depletion and resource depletion attacks [9], as shown in Fig. 1. A bandwidth depletion attack floods the victim network with unwanted traffic that prevents legitimate traffic from reaching the victim system. A resource depletion attack ties up the resources of the victim system [2]. The two major impacts of bandwidth attacks are consumption of the host's resources and consumption of the network bandwidth, the second being more threatening than the first [12].
DDoS Attacks
  Bandwidth Depletion
    Flood Attack: UDP, ICMP
    Amplification Attack: SMURF, FRAGGLE
  Resource Depletion
    Protocol Exploit Attack: TCP SYN, PUSH+ACK
    Malformed Packet Attack: IP Address, IP Packet Option
FIG. 1 TAXONOMY OF DDoS ATTACKS (figure reconstructed as a text tree)
Bandwidth Depletion Attacks
A flood attack involves the zombies sending large volumes of traffic to a victim system to congest the victim system's bandwidth [9]. An amplification attack involves either the attacker or the zombies sending messages to a broadcast IP address, causing all systems in the subnet reached by the broadcast address to send a message to the victim system. This method amplifies the malicious traffic and reduces the victim system's bandwidth.
Flood Attacks: In a UDP flood attack, a large number of UDP packets are sent by the attacker to either random or specified ports on the victim system [2]. This saturates the network and depletes the bandwidth available for legitimate service requests to the victim system [15]. ICMP flood attacks exploit the Internet Control Message Protocol (ICMP), which lets users send an echo packet to a remote host to check whether it is alive [10]. A DDoS ICMP flood attack occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets to the victim system [9].
Amplification Attacks: A DDoS amplification attack uses the broadcast IP address to amplify and reflect the attack traffic, and thus reduce the victim system's bandwidth [2]. For this type of DDoS attack, the attacker can send the broadcast message directly, or can use the agents to send the broadcast message in order to increase the volume of attacking traffic [9]. In this attack, the broadcast IP address is used
Resource Depletion Attacks
DDoS resource depletion attacks involve the attacker sending packets that misuse network protocol communications, or sending malformed packets that tie up network resources so that none are left for legitimate users [9].
Protocol Exploit Attacks: The Transmission Control Protocol (TCP) includes a full handshake between sender and receiver before data packets are sent. In a DDoS TCP SYN attack, the attacker instructs the zombies to send bogus TCP SYN requests to a victim server in order to tie up the server's processor resources, and hence prevent the server from responding to legitimate requests [2]. The PUSH + ACK attack is similar to a TCP SYN attack in that its goal is to deplete the resources of the victim system. In a PUSH + ACK attack, the attacking agents send TCP packets with the PUSH and ACK bits set to one [9].
Malformed Packet Attacks: In this attack the attacker instructs the zombies to send incorrectly formed IP packets to the victim system in order to crash it. In an IP address attack, the packet contains the same source and destination IP addresses [9]. This can confuse the operating system of the victim system and cause it to crash. In an IP packet options attack, a malformed packet may randomize the optional fields within an IP packet and set all quality-of-service bits to one, so that the victim system must spend additional processing time analyzing the traffic.
Two types of DDoS attack networks have emerged, as shown in Fig. 2: the Agent-Handler model and the Internet Relay Chat (IRC)-based model.
DDoS Attack Networks
  Agent-Handler
    Client-handler communication
    Agent-handler communication
  IRC Based
    Secret/Private Channel
    Public Channel
  Communication protocols: TCP, UDP, ICMP
FIG. 2: A TYPICAL SCENARIO OF DDoS ATTACKS (figure reconstructed as a text tree)
DDoS Agent-Handler Attack Model: A DDoS Agent-Handler attack network consists of clients, handlers and agents. The client is where the attacker communicates with the rest of the DDoS attack system. The handlers are software packages located throughout the Internet that the attacker's client uses to communicate with the agents [22]. In descriptions of DDoS tools, the terms handler and agent are sometimes replaced with master and daemon, respectively [8].
DDoS IRC-based Attack Model: This model is similar to the Agent-Handler model, except that instead of a handler program installed on a network server, an Internet Relay Chat (IRC) communication channel is used to connect the client to the agents. An IRC channel provides an attacker with additional benefits, such as the use of legitimate IRC ports for sending commands to the agents, which makes tracking the DDoS command packets more difficult. Additionally, IRC servers tend to have large volumes of traffic, making it easier for the attacker to hide his presence from a network administrator. In both the IRC-based and the Agent-Handler DDoS attack models, the agents are referred to as secondary victims or zombies, and the target of the DDoS attack is referred to as the primary victim [9].
IRC is a multi-user, on-line chatting system. It allows computer users to create two-party or multi-party connections and type messages to each other in real time [22].
III. DDOS DEFENSE MECHANISMS AND MITIGATION TECHNIQUES
There are three essential components of DDoS countermeasures [3]. The first is the component for preventing the DDoS attack, which includes preventing hosts from becoming secondary victims and detecting and neutralizing handlers. The second is the component for dealing with a DDoS attack while it is in progress, including detecting or preventing the attack, mitigating or stopping it, and deflecting it. Lastly, there is the post-attack component, which involves network forensics. Based on the underlying strategies, current DDoS detection and defense approaches can be categorized into three classes: proactive mechanisms, reactive mechanisms and post-attack analysis [11].
Proactive or preventive defense mechanisms:
Instead of detecting attacks using signatures (attack patterns) or anomalous behaviour, these approaches try to improve the reliability of the global Internet infrastructure by adding extra functionality to Internet components to prevent attacks and the exploitation of vulnerabilities. Preventive mechanisms are the actions performed prior to an attack, either to eliminate the possibility of being the target of an attack or to help the target withstand the effects of an attack. Several preventive countermeasures are [11]:
Planning a proper risk management strategy means preparing for attacks and determining what should be protected, how, and at what cost. It is a plan of procedures that guides the response to various attacks and the recovery from possible damage. It should estimate the effects that different attack scenarios might have, from business-level issues down to technical-level details.
Load balancing refers to key services being distributed across multiple locations. Thus, if an attack is primarily directed at a certain server or servers, the other servers may still be able to operate adequately.
Acquiring abundant bandwidth is probably the most expensive solution, but perhaps the only feasible one in extreme conditions. The aim is to acquire enough bandwidth and other resources to retain operability even under a powerful attack.
Filtering all unnecessary traffic addresses the problem at its most basic level. Filtering all unnecessary traffic is a precaution that protects one's own host or hosts from being compromised and perhaps subsequently used in a DDoS attack.
Reactive defense mechanisms:
If the IDS can detect the DDoS attack packets accurately, filtering mechanisms are used, which can filter out the attack stream completely, even at the source network. If the IDS cannot detect the attack stream accurately, rate limiting is used. Reactive mechanisms are the actions performed to mitigate the effects of one or more ongoing attacks; they consist of detection and response procedures. The most important methods of this class are briefly discussed in this paragraph.
Detection is the process of determining whether the target is under attack; an attack must first be detected in order to mount an appropriate defensive response.
Response is the process of reacting after the detection procedure has verified that an attack is in progress. The majority of response methods include traffic filtering in some form.
Post-attack analysis or post-active methods:
The purpose of post-attack analysis is either to look for attack patterns that will be used by the IDS or to identify attackers using packet tracing. The goal of packet tracing is to trace Internet traffic back to its true source. Post-active methods are the actions performed after an attack has occurred, attempting to mitigate the threat of DDoS in the future.
Mitigation is the process of minimizing the effect of an ongoing attack. The simplest and easiest way to do this is to drop the packets belonging to the attacker [5]. The basic problem with this strategy, however, is distinguishing between legitimate and illegitimate clients.
Pushback [42] enables routers to identify high-bandwidth aggregates that contribute to congestion and to rate-limit them. If the congested router cannot control the aggregate itself, it requests its upstream neighbours' help in rate limiting. Pushback performs well when the attackers are located on a path separate from the legitimate traffic; otherwise it inflicts collateral damage. Further, Pushback cannot work in non-contiguous deployments and cannot detect attacks that do not congest core routers [18]. By pushing the defense frontier towards the attack sources, more legitimate traffic can be protected.
An improved version of this scheme, called selective pushback [14], sends pushback messages directly to the routers closest to the attack sources, by analyzing the change in traffic distribution of all upstream routers at the target. The benefit of this scheme is twofold. First, traffic distribution analysis can locate attack sources more accurately than purely volume-based approaches. Second, the pushback message can be sent directly to the routers closest to the attack sources, which mitigates the attack damage more quickly than the original pushback scheme. Still, the accuracy of detection and deployment across multiple ISP domains remain big issues.
Active Security System (ASSYST) [10] supports a distributed response with non-contiguous deployment, with nodes equivalent to classifiers being deployed only at edge networks. COSSACK [7] similarly forms a multicast group of defense nodes that are deployed at source and victim networks and cooperate in filtering the attack.
Yau et al. [17] propose a router throttle mechanism installed at the routers close to the victim. This defense system incorporates only victim-end and core defense mechanisms, and thus inflicts collateral damage on legitimate traffic. A proactive approach is followed in the sense that, before aggressive packets can converge to overwhelm a server, routers along the forwarding paths regulate the contributing packet rates to more moderate levels.
DefCOM [33] adds functionality to existing defenses so that they can collaborate in DDoS detection and response through a dynamically built overlay. Three types of DefCOM functionality are added to existing routers or defense nodes; a single physical node can host more than one at a time. The functionalities are: (1) A classifier functionality, added to existing defenses that are capable of differentiating legitimate from attack traffic. A classifier marks packets recognized as legitimate with a HIGH-priority mark that guarantees priority handling by downstream DefCOM nodes. (2) A rate-limiter functionality, deployed by routers. During an attack, a rate limiter runs a weighted fair share algorithm (WFSA) to prioritize the traffic it forwards to the victim, and it rate-limits this traffic to preserve the victim's resources. (3) An alert generator functionality, added to defenses that can detect a DoS attack. An alert generator propagates the attack alert to other DefCOM nodes using the overlay. The alert contains the IP address of the attack's victim and specifies a desired rate limit, e.g., the size of the victim's bottleneck link. The extra infrastructure for the overlay and the need for cooperation at all points of the Internet are big concerns, and the collateral damage depends upon the accuracy of the classifier.
ALPi [21] is a new scheme that extends the packet scoring concept with reduced implementation complexity and enhanced performance.
In SIFF, all network traffic is separated into privileged and unprivileged packets, with the goal of protecting privileged packets from unprivileged packet flooding, and allowing packet receivers to selectively terminate individual privileged flows and have their packets dropped deep in the network, before they arrive near the victim [26].
IV. RELATED WORK: PACKET FILTERING TECHNIQUES AND HOP COUNT FILTERING
Packet filtering is “controlling access to a network by analyzing the incoming and outgoing packets and letting them pass or halting them based on the IP address of the source and destination.” Packet filtering is both a tool and a technique that is a basic building block of network security [8]. The packet filter examines the header of the packet and determines whether to pass or reject the packet based on the contents of the header.
The probabilistic approach is the most widely used technique for uncertainty analysis of mathematical models [32]. In the probabilistic approach, uncertainties are characterized by the probabilities associated with events. The probability of an event can be interpreted in terms of the frequency of occurrence of that event: when a large number of samples or experiments is considered, the probability of an event is defined as the ratio of the number of times the event occurs to the total number of samples or experiments. A probability of 0 means the event will never occur, and a probability of 1 means the event will always occur.
Filtering Techniques [7]:
Ingress/Egress filtering: Ingress filtering, proposed by Ferguson et al. [41], is a restrictive mechanism that drops traffic with IP addresses that do not match a domain prefix connected to the ingress router. Egress filtering is an outbound filter, which ensures that only assigned or allocated IP address space leaves the network. Unfortunately, this technique cannot operate effectively in real networks where asymmetric Internet routes are not uncommon. Both ingress and egress filtering provide some opportunity to throttle the power of DDoS attacks. However, it is difficult to deploy ingress/egress filtering universally.
Router-based packet filtering: Route-based filtering, proposed by Park and Lee [39], extends ingress filtering and uses route information to filter out spoofed IP packets. It is based on the principle that, for each link in the core of the Internet, there is only a limited set of source addresses from which traffic on the link could have originated.
History-based IP filtering: This scheme is robust and does not need the cooperation of the whole Internet community [13]. However, history-based packet filtering is ineffective when the attacks come from real IP addresses. In addition, it requires an offline database to keep track of IP addresses, so the cost of storage and information sharing is very high.
Capability-based method: In this approach, the source first sends request packets to its destination. Router marks are added to the request packet as it passes through each router. The destination may or may not grant the source permission to send. The data packets carrying the capabilities are then sent to the destination via the routers. The main advantage is that the destination can now control the traffic according to its own policy, thereby reducing the chances of a DDoS attack [16].
Secure Overlay Services (SOS): SOS secures the communication between confirmed users and the victim. All the traffic from a source point is verified by a secure overlay access point (SOAP). Authenticated traffic is routed to a special overlay node called a beacon, in an anonymous manner, by consistent hash mapping. SOS addresses the problem of how to guarantee communication between legitimate users and a victim during DoS attacks [28].
SAVE: Source Address Validity Enforcement: Li et al. [43] proposed a new protocol called the Source Address Validity Enforcement (SAVE) protocol, which enables routers to update the information about expected source IP addresses on each link and block any IP packet with an unexpected source IP address. The aim of the SAVE protocol is to provide routers with information about the range of source IP addresses that should be expected at each interface.
Hop Count Filtering (HCF): The hop count (HC) is defined as the number of hops a packet traverses as it moves from the sender to the receiver [30]. HC is not usually carried in the IP packet but is rather inferred from the IP Time-to-Live (TTL) field. The main function of the IP TTL field is to prevent packets from looping forever. The sender sets the initial value of the TTL, and each node on the path decrements it by one; if the TTL reaches zero, the packet is discarded. The receiver can estimate the HC by subtracting the received TTL value from the closest initial TTL value bigger than the received packet's TTL. These initial TTL values are operating system dependent and are usually limited to a few possibilities, namely 30, 32, 60, 64, 128 and 255 [23]. Therefore, the initial TTL set by the OS can be guessed without explicitly knowing what the OS is. This can even be used to prevent Distributed Denial of Service attacks [23], [19], [27], [25].
The working principle of this method is that the number of hops between the source and destination can be used to assess the authenticity of a packet [29]. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live field of the IP header [24]. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones.
Since hop-count values have a limited range, typically between 1 and 30, multiple IP addresses may have the same hop-count value. Consequently, HCF cannot recognize forged packets whose source IP address has the same hop-count value to the destination as that of a zombie. A good hop-count distribution should have two properties: being symmetric around the mean value, and being reasonably diverse over the entire range. Symmetry is needed to take advantage of the full range of hop-count values, and diversity helps maximize the effectiveness of HCF.
Ayman Mukaddam et al. [31] proposed using both the Round Trip Time (RTT) and the Hop Count to detect IP spoofing. RTT is the difference between the time a packet is sent and the time its corresponding reply is received. This is a cumbersome technique when transmitted packets are lost in the network and have to be retransmitted. RTT is influenced by the distance between the sender and the receiver, the link bandwidth and the queuing behaviour of the nodes. This technique tries to eliminate the weakness of HCF by relying on both HCF and RTT instead of HCF alone. The attacker now has to guess both the Hop Count and the RTT for a spoofed packet to be considered legitimate. Since these variables are independent, the probability of guessing both parameters correctly is lower than the probability of guessing only the Hop Count correctly. Moreover, neither parameter can be spoofed easily, as both are path and load dependent.
Xia Wang et al. [19] focused on eliminating the effects caused by a DDoS attack and tracking its attack source. They used filters at the intermediate nodes on the basis of a fixed Hop Count threshold. By using this variation of the Hop Count Filtering technique, they protect not only the end systems but the whole network from traffic congestion.
Krishna Kumar et al. [27] proposed detecting IP spoofing by checking both the Hop Count and the Path Identification (PID) at every router. The PID is inserted in each IP packet in the identification field. If both the Hop Count and the PID match, the packet is considered legitimate; otherwise the routers start the attack detection process. The algorithm requires a shared key between every pair of adjacent routers.
B.R. Swain et al. [32] proposed a probability-based HCF technique over the conventional HCF technique, resulting in savings in computational time. Conventional HCF usually drops 90% of erroneous packets [23], whereas in their case 80% to 85% of packets are dropped, with a reduction in memory overhead. Unlike the HCF technique, which checks every packet for legitimacy, they check packets until n malicious packets have been found; after that, m packets are allowed through unchecked. Their packet analysis is based on the probability of packet arrival p, the number of malicious packets n and the number of legitimate packets m.
Haining Wang et al. [23] proposed HCF to remove spoofed IP packets at the very start of network processing. They considered two HCF states in their work: the ‘learning’ state and the ‘filtering’ state. HCF works in the ‘learning’ state under normal conditions and watches for abnormal TTL behaviour without discarding any packets. After an attack is detected, the mechanism switches to the ‘filtering’ state to discard IP packets with mismatched Hop Counts. This HCF technique is used at the victim side. HCF is an important technique for removing randomly spoofed IP traffic (random IP spoofing). However, an attacker may also find an effective way to overcome HCF by building an accurate IP2HC table.
V. INFERENCES DRAWN FROM RELATED WORK
Existing research work addresses only the conventional HCF technique at the victim side, the probabilistic HCF technique at the victim side, the distributed HCF technique at the intermediate nodes, and RTT computation along with HCF at the victim side.
The work of Ayman Mukaddam et al. [31] is proposed for the victim side and uses the conventional HCF method, which is time consuming and not very effective.
Xia Wang et al. [19] have not tried to improve the packet filtering technique, which is needed for the elimination of random IP spoofing.
The technique proposed by Krishna Kumar et al. [27] requires a lot of computational time and more than the usual memory space.
B.R. Swain et al. [32] check packets until n malicious packets are found, after which m packets are allowed through unchecked. This technique does not guarantee that the remaining unchecked packets will all be legitimate.
Haining Wang et al. [23] proposed the HCF technique, which an attacker may also overcome by building an accurate IP2HC table. Hence, this technique is also ineffective.
VI. CONCLUSIONS AND FUTURE WORK
A number of mitigation techniques have been proposed in the literature by various researchers. They enable us to distinguish between legitimate and illegitimate traffic and accordingly either detect or drop the unwanted packets. The HCF technique is used to fight IP spoofing. This technique, which filters the malicious packets out of the total number of packets, has certain limitations pertaining to computational time and the detection rate of illegitimate packets during processing.
A mitigation technique based on Distributed Hop Count Filtering (DHCF) will be utilized in an intermediate system. A new technique will thus be proposed for probability-based distributed HCF using RTT. The performance of probabilistic DHCF using RTT at intermediate nodes will be compared with the performance of existing probabilistic HCF and of conventional HCF along with RTT at the victim side.
Our future work will examine the effectiveness of our new combination of probability-based DHCF with the RTT approach with respect to the following:
- Detection rate of malicious or illegitimate packets
- Computational time for filtering malicious packets
It will ultimately protect the victim server from IP-spoofing-based DDoS attacks correctly and effectively. It will also minimize the wastage of CPU cycles by reducing the computation time for illegitimate packet filtering.
REFERENCES
[1] A. Madhuri, A. Ramana Lakshmi, “Attack Patterns for Detecting and Preventing DDoS and Replay Attacks,” International Journal of Engineering and Technology, vol. 2 (9), pp. 4850-4859, 2010.
[2] G. Zhang and M. Parashar, “Cooperative Defence against DDoS Attacks,” Journal of Research and Practices in IT, vol. 38 (1), pp. 69-84, February 2006.
[3] R. Kumar, R. Karanam, R. Bobba, S. Raghunath, “DDoS Defense Mechanism,” IEEE International Conference on Future Networks, VIT University, Vellore, India, pp. 254-257, 2009.
[4] M. Sachdeva, G. Singh, K. Kumar, K. Singh, “DDoS incidents and their Impact: A Review,” The International Arab Journal of Information Technology, vol. 7 (1), pp. 14-22, January 2010.
[5] Dhwani Garg, “DDOS Mitigation Techniques-A Survey,” International Conference on Advance Computing in Communication and Networks, pp. 1302-1309, 2011.
[6] S. Specht, R. Lee, “Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures,” Technical Report CE-L2003-03, pp. 164, May 2003.
[7] B.B. Gupta, R.C. Joshi, M. Mishra, “Distributed Denial of Service Prevention Techniques,” IEEE International Journal of Computer and Electrical Engineering, vol. 2 (2), pp. 269-276, April 2010.
[8] Dan Strom, “The Packet Filter: A Basic Network Security Tool,” Global Information Assurance Certification Paper, 2002.
[9] Simon Liu, “Surviving Distributed Denial-of-Service Attacks,” IEEE Journal on IT Professional, vol. 11 (5), pp. 51-53, 2009.
[10] R. K. Chang, “Defending against flooding-based DDoS attacks: A tutorial,” IEEE Communications Magazine, vol. 40 (10), pp. 42-51, October 2002.
[11] L. Garber, “Denial-of-Service attack rip the Internet,” IEEE Journal on Computer, vol. 33 (4), pp. 12-17, 2000.
[12] J. Molsa, “Mitigating denial of service attacks: A tutorial,” Journal on Computer Security, vol. 13, pp. 807-837, 2005.
[13] T. Peng, C. Leckie, K. Ramamohanarao, “Protection from Distributed Denial of Service attack using history-based IP filtering,” IEEE International Conference on Communications, vol. 1, pp. 482-486, 2003.
[14] T. Peng, C. Leckie, K. Ramamohanarao, “Defending against distributed denial of service attack using selective pushback,” 9th IEEE International Conference on Telecommunications, pp. 411-429, 2009.
[15] Misha Singhal, “Design and Development of Anti-DoS/DDoS Attacks Framework using IP/tables,” Thapar University, Patiala, Master’s Thesis, June 2011.
[16] T. Anderson, T. Roscoe, D. Wetherall, “Preventing Internet Denial-of-Service with Capabilities,” SIGCOMM Computer Communication Review, ACM, vol. 34 (1), pp. 39-44, January 2004.
[17] D.K.Y. Yau, J.C.S. Lui, F. Liang, Y. Yam, “Defending against distributed denial of service attacks with Max-Min fair server-centric router throttles,” 10th IEEE International Workshop on Quality of Service, Purdue University, USA, pp. 35-44, 2002.
[18] M. Sachdeva, G. Singh, K. Kumar, K. Singh, “A comprehensive survey of distributed defense techniques against DDoS attacks,” International Journal of Computer Science and Network Security, vol. 9 (12), pp. 7-15, December 2009.
[19] Xia Wang, Li Ming, Li Muhai, “A scheme of distributed hop-count filtering of traffic,” International Communication Conference on Wireless Mobile and Computing, pp. 516-521, 7-9 Dec. 2009.
[20] K. Arora, K. Kumar, M. Sachdeva, “Impact Analysis of Recent DDoS Attacks,” International Journal on Computer Science and Engineering, vol. 3 (2), pp. 877-884, February 2011.
[21] Paulo E. Ayres, Huizhong Sun, H. Jonathan Chao, “ALPi: A DDoS Defense System for High-Speed Networks,” IEEE Journal on Selected Areas in Communications, vol. 24 (10), pp. 1864-1876, October 2006.
[22] S. M. Specht, R. B. Lee, “Distributed denial of service: taxonomies of attacks, tools and countermeasures,” ACM 17th International Conference on Parallel and Distributed Computing Systems, pp. 543-550, September 2004.
[23]
H. Wang, C.Jin and K. Shang, “Defense Against Spoofed IP Traffic Using Hop-Count Filtering,” IEEE Transaction on Networking, vol. 15
(1), pp. 40-53, February, 2007.
[24]
Fengli Zhang, Jig eng, Zinguang Qin, Mingtian Zhou, “Detecting the DDoS Attacks Based on SYN proxy and Hop-Count Filter,” IEEE
International Conference on Communications, Circuits and Systems, University of Electronic Science and Technology, China, pp. 457461, 11-13, July, 2007.
[25]
I. B. Mopari, S.G. Pukale, M.L. Dhore, "Detection and defense against DDoS attack with IP spoofing," IEEE International Conference on
Computing, Communication and Networking, Vishwakarma Institute of Technology, Pune, India, pp. 1-5, 18-20, December, 2008.
[26]
A. Yaar, A. Perrig, D. Song, “SIFF: A stateless internet flow filter to mitigate DDoS flooding attacks,” IEEE Symposium on Security and
Privacy, Carneggie Melon University, Pittsburgh, USA, pp. 130-143, 9-12, May 2004.
[27]
B. Krishna Kumar, P.K. Kumar, R. Sukanesh, "Hop Count Based Packet Processing Approach to Counter DDoS Attacks," International
Conference on Recent Trends in Information, Telecommunication and Computing, PET Engineering College, Thirunelvelli, India, pp. 271273, 12-13, March, 2010.
[28]
A. D. Keromytis, V. Misra, D. Rubenstein, “Secure Overlay Services (SOS): A Critical Analysis,” 2nd IEEE International Conference on
Parallel, Distributed and Grid Computing, pp. 457-462, 2012.
[29]
Cheng Jin, Haining Wang, Kang G. Shin, “Hop-count filtering: an effective defense against spoofed traffic,” 2003, [Online]. Available:
http://www.citeseerx.ist.psu.edu
[30]
Ayman Mukaddam, Imad H. Elhajj, “Hop count variability,” 6th IEEE International Conference on Internet Technology and Secured
Transactions, American University of Beirut, Lebanon, pp. 240-244, 11-14, December , 2011.
[31]
Ayman Mukaddam, Imad H. Elhajj, “Round Trip Time to Improve Hop Count Filtering,” IEEE Symposium on Broadband Networks and
Fast Internet, American University of Beirut, Lebanon, pp. 66-72, 28-29, May, 2012.
[32]
Biswa Ranjan Swain, Bibhudatta Sahoo, “Mitigating DDoS attack and Saving Computational Time using a Probabilistic approach and
HCF method,” IEEE International Conference on Advance Computing, NIT, Rourkela, India, pp. 1170-1172, 6-7, March 2009.
[33]
G. Oikonomou, J. Mirkovic, P. Reiher, M. Robinson, “A Framework for a Collaborative DDoS Defense,” 22nd IEEE Annual Conference on
Computer Security Applications, delaware University, Newark, pp. 33-42, December, 2006.
[34]
P. S. Mann, D. Kumar, “Improving Network Performance and mitigate DDoS attacks using Analytical Approach under Collaborative
Software as a Service (SaaS) Cloud Computing Environment,” International Journal of Computer Science and Technology, vol. 2(1), pp.
119-122, March, 2011.
[35]
D. Moore, C. Shannon, D. Brown, G. Voelker, S. Savage, “Inferring Internet Denial of Service Activity,” ACM Transaction on Computer
Systems, New York, USA, vol. 24 (2), pp. 115-139, 2006.
[36]
D. Dittrich, “The Tribe Flood Network Distributed
staff.washington.edu/dittrich/misc/trinoo.analysis.txt.
[37]
C. Douligeris, A. Mitrokotsa, “DDoS Attacks and Defense Mechanisms: Classification and State of the Art,” Journal on Computer
Networks, vol. 44 (5), pp. 643-666, 2004.
[38]
D. Moore, G. Voelker, S. Savage, “Inferring Internet Denial of Service Activity,” 10th USENIX Symposium on Security, pp. 20-25, 2001.
[39]
K. Park, H. Lee, “On the effectiveness of router-based packet filtering for distributed DoS attack prevention in power-law Internets," ACM
SIGCOMM Conference, pp. 15-26, 2001.
[40]
S. Gibson, “The Strange
http://grc.com/dos/grcdos.htm.
[41]
P. Ferguson, and D. Senie, “Network ingress filtering: Defeating denial of ser-vice attacks which employ IP source address spoofing,”
RFC 2267, the Internet Engineering Task Force (IETF), 1998.
[42]
J. loannidis, S.M. Bellovin, “Implementing Pushback: Router-Based Defense against DDoS Attacks,” 2002, [Online]. Available:
www.cs.columbia.edu /~smb / papers/ pushback-impl.pdf
[43]
Li. Zhang, J. Mirkovic, M. Wang, and P. Reither, “Save: Source Address Validity Enforcement protocol," 21 st IEEE Annual Joint
Conference of IEEE Computer and Communications Societies, University of California, USA, vol. 3, pp. 1557-1566, 23-27, June, 2002.
Tale
of
the
Denial
Denial
of
of
Service
Service
Attacks
Attack
against
Tool,”
2007,
GRC.COM,”
[Online].
2007,
Available:
[Online].
http://
Available:
https://
Download