Internet Denial of Service Attacks and Defense Mechanisms

developments in this area in recent years. In this article, we present an in-depth study of the denial of service problem in the Internet, and provide a comprehensive survey of attacks and their countermeasures. We investigate various DoS attack mechanisms, derive a more practical taxonomy of attack mechanisms, and summarize the challenges in DoS defense. We critically review the state of the art in DoS defense, analyze the strengths and weaknesses of different proposals, and conclude with a comprehensive taxonomy of defense mechanisms.
