Scope of DDoS Countermeasures : Taxonomy of Proposed Solutions and Design Goals for Real-World Deployment

—Distributed Denial of Service (DDoS) attacks have been plaguing the Internet for several years. They cause economic losses due to the unavailability of services and potentially serious security problems due to incapacitation of critical infrastructures. Such severe implications lead the research community to strive to find DDoS countermeasures. In spite of all the ideas that have been developed, a practical and comprehensive defense system has yet to be deployed Internet-wide. Through a novel taxonomy, this paper classifies and describes DDoS countermeasures developed by industry and academia. To our knowledge, our taxonomy is the first to unify such a large body of work into a single, detailed classification. Based on the analysis of these ideas, we then introduce design goals and principles that can guide the development of a practical DDoS solution.

[1]  Kang G. Shin,et al.  Hop-count filtering: an effective defense against spoofed DDoS traffic , 2003, CCS '03.

[2]  Christine E. Jones,et al.  Hash-based IP traceback , 2001, SIGCOMM '01.

[3]  Paul Ferguson,et al.  Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[4]  José Carlos Brustoloni,et al.  Protecting electronic commerce from distributed denial-of-service attacks , 2002, WWW.

[5]  Michael K. Reiter,et al.  Defending against denial-of-service attacks with puzzle auctions , 2003, 2003 Symposium on Security and Privacy, 2003..

[6]  Larry L. Peterson,et al.  Defending against denial of service attacks in Scout , 1999, OSDI '99.

[7]  Anna R. Karlin,et al.  Network support for IP traceback , 2001, TNET.

[8]  Ruby B. Lee,et al.  Enlisting Hardware Architecture to Thwart Malicious Code Injection , 2004, SPC.

[9]  Aikaterini Mitrokotsa,et al.  DDoS attacks and defense mechanisms: classification and state-of-the-art , 2004, Comput. Networks.

[10]  Bill Cheswick,et al.  Tracing Anonymous Packets to Their Approximate Source , 2000, LISA.

[11]  Ted Wobber,et al.  Moderately hard, memory-bound functions , 2005, TOIT.

[12]  Peter Druschel,et al.  Lazy receiver processing (LRP): a network subsystem architecture for server systems , 1996, OSDI '96.

[13]  Philip N. Klein,et al.  Using router stamping to identify the source of IP packets , 2000, CCS.

[14]  Ruby B. Lee,et al.  Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures , 2004, PDCS.

[15]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[16]  Peter Reiher,et al.  A taxonomy of DDoS attack and DDoS defense mechanisms , 2004, CCRV.

[17]  Miguel A. Lejeune,et al.  Awareness of Distributed Denial of Service Attacks' Dangers: Role of Internet Pricing Mechanisms , 2002 .

[18]  Angelos D. Keromytis,et al.  SOS: secure overlay services , 2002, SIGCOMM '02.

[19]  Ratul Mahajan,et al.  Controlling high bandwidth aggregates in the network , 2002, CCRV.

[20]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[21]  Hyeong-Ah Choi,et al.  Packet filtering for congestion control under DoS attacks , 2004, Second IEEE International Information Assurance Workshop, 2004. Proceedings..

[22]  L. Spitzner,et al.  Honeypots: Tracking Hackers , 2002 .

[23]  Mooi Choo Chuah,et al.  Packetscore: statistics-based overload control against distributed denial-of-service attacks , 2004, IEEE INFOCOM 2004.

[24]  Kihong Park,et al.  On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets , 2001, SIGCOMM '01.

[25]  Rajesh Krishnan,et al.  Mitigating distributed denial of service attacks with dynamic resource pricing , 2001, Seventeenth Annual Computer Security Applications Conference.

[26]  Rami G. Melhem,et al.  Design and analysis of a replicated elusive server scheme for mitigating denial of service attacks , 2004, J. Syst. Softw..

[27]  Steven M. Bellovin,et al.  ICMP Traceback Messages , 2003 .

[28]  Dawn Xiaodong Song,et al.  Pi: a path identification mechanism to defend against DDoS attacks , 2003, 2003 Symposium on Security and Privacy, 2003..