Detecting Distributed Denial of Service Attacks: Methods, Tools and Future Directions

The minimal processing and best-effort forwarding of any packet, malicious or not, was the prime concern when the Internet was designed. This architecture creates an unregulated network path, which can be exploited by any cyber attacker motivated by revenge, prestige, politics or money. Denial-of-service (DoS) attacks exploit this to target critical Web services [1, 2, 3, 4, 5]. This type of attack is intended to make a computer resource unavailable to its legitimate users. Denial-of-service attack programs have been around for many years. Old single-source attacks are now countered easily by many defense mechanisms, and the source of such an attack can be easily rebuffed or shut down with improved tracking capabilities. However, with the astounding growth of the Internet during the last decade, an increasingly large number of vulnerable systems are now available to attackers. Attackers can now employ a large number of these vulnerable hosts to launch an attack instead of using a single server, an approach which is not very effective and is detected easily. A distributed denial-of-service (DDoS) attack [1, 6] is a large-scale, coordinated attack on the availability of services of a victim system or network resources, launched indirectly through many compromised computers on the Internet. The first well-documented DDoS attack appears to have occurred in August 1999, when a DDoS tool called Trinoo was deployed in at least 227 systems to flood a single University of Minnesota computer, which was knocked down for more than two days. The first large-scale DDoS attack took place in February 2000. On February 7, Yahoo! was the victim of a DDoS attack during which its Internet portal was inaccessible for three hours. On February 8, Amazon, Buy.com, CNN and eBay were all hit by DDoS attacks that caused them either to stop functioning completely or to slow down significantly.
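The paragraph above contrasts single-source floods, which per-source rate limits and tracking handle well, with distributed floods spread over many compromised hosts. The following is an added example, not code from the paper or from any of the works it cites: it runs three simple victim-side detectors over a constructed packet trace (all addresses, rates and thresholds are made up for illustration) to show that a per-source threshold catches the single-source flood but is blind to a distributed flood whose agents each stay under it, while an aggregate packet rate or a distinct-source count toward the victim still exposes it.

```python
"""Per-source vs. aggregate rate detection over constructed flow records.

Constructed example (not from the paper): why a per-source packet-rate
threshold stops a single-source flood but misses a DDoS whose agents each
stay under the threshold, and why victim-side aggregate rate and
distinct-source counts still expose it.
"""
from collections import Counter, defaultdict

VICTIM = "192.0.2.10"  # constructed victim address (documentation range)


def make_flows():
    """Build a constructed packet trace as (second, src_ip, dst_ip) tuples."""
    flows = []
    # Baseline: 20 legitimate clients, 2 packets each per second for 10 s.
    for t in range(10):
        for c in range(20):
            flows.extend([(t, f"10.0.0.{c}", VICTIM)] * 2)
    # Single-source flood, seconds 3-5: one host sends 500 packets/s.
    for t in range(3, 6):
        flows.extend([(t, "198.51.100.7", VICTIM)] * 500)
    # Distributed flood, seconds 7-9: 100 agents at only 20 packets/s each.
    for t in range(7, 10):
        for a in range(100):
            flows.extend([(t, f"203.0.113.{a}", VICTIM)] * 20)
    return flows


def _per_second_by_source(flows, victim):
    """Map second -> Counter(src_ip -> packets) for traffic toward victim."""
    buckets = defaultdict(Counter)
    for t, src, dst in flows:
        if dst == victim:
            buckets[t][src] += 1
    return buckets


def per_source_alerts(flows, victim, threshold):
    """Seconds in which at least one source alone exceeds `threshold` pkt/s.

    This is the classic single-source defense: it works against one loud host
    and can be paired with tracking/blocking of that host.
    """
    buckets = _per_second_by_source(flows, victim)
    return {t for t, c in buckets.items() if max(c.values()) > threshold}


def aggregate_alerts(flows, victim, threshold):
    """Seconds in which total packets toward the victim exceed `threshold`."""
    buckets = _per_second_by_source(flows, victim)
    return {t for t, c in buckets.items() if sum(c.values()) > threshold}


def distinct_source_alerts(flows, victim, threshold):
    """Seconds in which the number of distinct sources exceeds `threshold`."""
    buckets = _per_second_by_source(flows, victim)
    return {t for t, c in buckets.items() if len(c) > threshold}


if __name__ == "__main__":
    flows = make_flows()
    print("per-source   >100 pkt/s:", sorted(per_source_alerts(flows, VICTIM, 100)))
    print("aggregate    >200 pkt/s:", sorted(aggregate_alerts(flows, VICTIM, 200)))
    print("distinct src >50       :", sorted(distinct_source_alerts(flows, VICTIM, 50)))
```

With the constructed trace, the per-source detector fires only in seconds 3 to 5 (the 500 pkt/s host) and never during seconds 7 to 9, because every agent sends just 20 pkt/s; the aggregate rate toward the victim (540 pkt/s, then 2040 pkt/s) and the jump in distinct sources (from 20 to 120) both flag the distributed flood. That gap is the reason the detection methods surveyed later rely on victim- or network-wide features (aggregate rates, source-address monitoring, entropy of address distributions) rather than per-host limits alone.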
DDoS attack networks follow two types of architectures: the Agent-Handler architecture and the Internet Relay Chat (IRC)-based architecture, as discussed in [7]. The Agent-Handler architecture for DDoS attacks comprises clients, handlers, and agents (see Figure 6). The attacker communicates with the rest of the DDoS attack system from the client systems. The handlers are often software packages located throughout the Internet that are used by the client to communicate with the agents. Instances of the agent software are placed in the compromised systems that finally carry out the attack. The owners and users of the agent systems are generally unaware of the situation. In the IRC-based DDoS attack architecture, an IRC communication channel is used to connect the client(s) to the agents. IRC

[1] Manish Parashar et al., Cooperative Defence Against DDoS Attacks, J. Res. Pract. Inf. Technol., 2006.

[2] Jugal K. Kalita et al., A Survey of Outlier Detection Methods in Network Anomaly Identification, Comput. J., 2011.

[3] Alex Delis et al., An Inline Detection and Prevention Framework for Distributed Denial of Service Attacks, Comput. J., 2007.

[4] Jeff Gilchrist et al., The CAST-256 Encryption Algorithm, RFC, 1999.

[5] B. B. Gupta et al., ANN Based Scheme to Predict Number of Zombies in a DDoS Attack, Int. J. Netw. Secur., 2012.

[6] Erol Gelenbe et al., Steps toward self-aware networks, CACM, 2009.

[7] Raouf Boutaba et al., FireCol: A Collaborative Protection Network for the Detection of Flooding DDoS Attacks, IEEE/ACM Transactions on Networking, 2012.

[8] Wanlei Zhou et al., Traceback of DDoS Attacks Using Entropy Variations, IEEE Transactions on Parallel and Distributed Systems, 2011.

[9] Qinghua Zheng et al., A new way to detect DDoS attacks within single router, 2008 11th IEEE Singapore International Conference on Communication Systems, 2008.

[10] Antonio Nucci et al., Robust and efficient detection of DDoS attacks for large-scale internet, Comput. Networks, 2007.

[11] Peter Reiher et al., A taxonomy of DDoS attack and DDoS defense mechanisms, CCRV, 2004.

[12] E. Gelenbe, Search in unknown random environments, Physical Review E, Statistical, Nonlinear, and Soft Matter Physics, 2010.

[13] A. Haar, Zur Theorie der orthogonalen Funktionensysteme, 1910.

[14] Nicholas R. Jennings et al., Hyperion - Next-Generation Battlespace Information Services, Comput. J., 2007.

[15] Dhruba Kumar Bhattacharyya et al., A DDoS attack detection mechanism based on protocol specific traffic features, CCSEIT '12, 2012.

[16] Wuu Yang et al., DDoS Detection and Traceback with Decision Tree and Grey Relational Analysis, 2009 Third International Conference on Multimedia and Ubiquitous Engineering, 2009.

[17] Ki Hoon Kwon et al., DDoS attack detection method using cluster analysis, Expert Syst. Appl., 2008.

[18] Sven Dietrich et al., Analyzing Distributed Denial of Service Tools: The Shaft Case, LISA, 2000.

[19] Georgios Loukas et al., Protection Against Denial of Service Attacks: A Survey, Comput. J., 2010.

[20] Ruby B. Lee et al., Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures, PDCS, 2004.

[21] N. Jeyanthi et al., An Entropy Based Approach to Detect and Distinguish DDoS Attacks from Flash Crowds in VoIP Networks, Int. J. Netw. Secur., 2012.

[22] S. Selvakumar et al., Distributed denial of service attack detection using an ensemble of neural classifier, Comput. Commun., 2011.

[23] Wanlei Zhou et al., Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics, IEEE Transactions on Information Forensics and Security, 2011.

[24] Thomer M. Gil et al., MULTOPS: A Data-Structure for Bandwidth Attack Detection, USENIX Security Symposium, 2001.

[25] Antonio Pescapè et al., A cascade architecture for DoS attacks detection based on the wavelet transform, J. Comput. Secur., 2009.

[26] Dimitris Gavrilis et al., Real-time detection of distributed denial-of-service attacks using RBF networks and statistical features, Comput. Networks, 2005.

[27] Erol Gelenbe et al., A self-aware approach to denial of service defence, Comput. Networks, 2007.

[28] Gyungho Lee et al., DDoS Attack Detection and Wavelets, Proceedings, 12th International Conference on Computer Communications and Networks (IEEE Cat. No.03EX712), 2003.

[29] Chin-Ling Chen, A New Detection Method for Distributed Denial-of-Service Attack Traffic based on Statistical Test, J. Univers. Comput. Sci., 2009.

[30] Jianping Yin et al., DDoS Attack Detection Method Based on Linear Prediction Model, ICIC, 2009.

[31] Jugal K. Kalita et al., Surveying Port Scans and Their Detection Methodologies, Comput. J., 2011.

[32] Yongsun Choi et al., Proactive Detection of DDoS Attacks Utilizing k-NN Classifier in an Anti-DDoS Framework, 2010.

[33] Weifeng Chen et al., Flow level detection and filtering of low-rate DDoS, Comput. Networks, 2012.

[34] Kai Hwang et al., Distributed Change-Point Detection of DDoS Attacks over Multiple Network Domains, 2006.

[35] Farouk Kamoun et al., Joint Entropy Analysis Model for DDoS Attack Detection, 2009 Fifth International Conference on Information Assurance and Security, 2009.

[36] Bill Hancock et al., Trinity v3, a DDoS Tool, Hits the Streets, Computers & Security, 2000.

[37] Georgios Loukas et al., A Denial of Service Detector based on Maximum Likelihood Detection and the Random Neural Network, Comput. J., 2007.

[38] Guangxue Yue et al., DDoS Detection System Based on Data Mining, 2010.

[39] Gang Wei et al., A prediction-based detection algorithm against distributed denial-of-service attacks, IWCMC, 2009.

[40] K. Badrinath et al., A Survey on Solutions to Distributed Denial of Service Attacks, 2013.

[41] Rasool Jalili et al., Detection of Distributed Denial of Service Attacks Using Statistical Pre-processor and Unsupervised Neural Networks, ISPEC, 2005.

[42] Hong Zhu et al., NetBouncer: client-legitimacy-based high-performance DDoS filtering, Proceedings DARPA Information Survivability Conference and Exposition, 2003.

[43] Shibiao Lin, Tzi-cker Chiueh, A Survey on Solutions to Distributed Denial of Service Attacks, 2006.

[44] Raphael C.-W. Phan et al., Augmented Attack Tree Modeling of Distributed Denial of Services and Tree Based Attack Detection Method, 2010 10th IEEE International Conference on Computer and Information Technology, 2010.

[45] Abusayeed Saifullah, Defending Against Distributed Denial-of-Service Attacks With Weight-Fair Router Throttling, 2009.

[46] Aikaterini Mitrokotsa et al., DDoS attacks and defense mechanisms: classification and state-of-the-art, Comput. Networks, 2004.

[47] Kai Hwang et al., NetShield: Protocol Anomaly Detection with Datamining Against DDoS Attacks, 2003.

[48] Jianping Yin et al., DDoS Attack Detection Using IP Address Feature Interaction, 2009 International Conference on Intelligent Networking and Collaborative Systems, 2009.

[49] Srinivasan Seshan et al., Detecting DDoS Attacks on ISP Networks, 2003.

[50] Vasilios Katos et al., Real time DDoS detection using fuzzy estimators, Comput. Secur., 2012.

[51] Jianhua Li et al., Enhancing DDoS Flood Attack Detection via Intelligent Fuzzy Logic, Informatica, 2010.

[52] J. C. Dunn et al., A Fuzzy Relative of the ISODATA Process and Its Use in Detecting Compact Well-Separated Clusters, 1973.

[53] C. Q. Lee et al., The Computer Journal, Nature, 1958.

[54] Steven M. Bellovin et al., ICMP Traceback Messages, 2003.

[55] Vyas Sekar et al., LADS: Large-scale Automated DDoS Detection System, USENIX Annual Technical Conference, General Track, 2006.

[56] Varun Chandola et al., Anomaly detection: A survey, CSUR, 2009.

[57] Ramakrishnan Srikant et al., Fast Algorithms for Mining Association Rules in Large Databases, VLDB, 1994.

[58] Thiagarajan Hamsapriya et al., Statistical Segregation Method to Minimize the False Detections During DDoS Attacks, Int. J. Netw. Secur., 2011.

[59] Robert D. Nowak et al., A Neyman-Pearson approach to statistical learning, IEEE Transactions on Information Theory, 2005.

[60] Kotagiri Ramamohanarao et al., Survey of network-based defense mechanisms countering the DoS and DDoS problems, CSUR, 2007.

[61] Jelena Mirkovic et al., Attacking DDoS at the source, 10th IEEE International Conference on Network Protocols, 2002, Proceedings, 2002.

[62] Инна Чухно, Kaspersky Internet Security, 2015.

[63] Ming Li et al., A New Approach for Detecting DDoS Attacks Based on Wavelet Analysis, 2009 2nd International Congress on Image and Signal Processing, 2009.

[64] A. Rungsawang et al., Distributed denial of service detection using TCP/IP header and traffic measurement analysis, IEEE International Symposium on Communications and Information Technology, 2004, ISCIT 2004, 2004.

[65] Kotagiri Ramamohanarao et al., Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring, NETWORKING, 2004.

[66] Ahmad Faraahi et al., An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks, 2011.

[67] C. E. Shannon et al., A mathematical theory of communication, MOCO, 1948.

[68] Kevin J. Houle et al., Trends in Denial of Service Attack Technology, 2001.