DDoS Defense Mechanisms: A New Taxonomy

The ever-expanding array of schemes for detecting and preventing Distributed Denial of Service (DDoS) attacks demands constant review and categorization. Because detection techniques have existed for a relatively longer period of time than defense mechanisms, researchers have categorized almost all existing and expected forthcoming attacks. Techniques for defense, however, are still maturing. Researchers have found that DDoS attacks can be launched in diverse ways; consequently, a defense strategy that adapts and responds autonomously to this variety of attacks is imperative. As more and more research is done in the area of DDoS defense mechanisms, we understand that, along with the conventional, well-known DDoS prevention and mitigation mechanisms, there are other factors that play an equally important role in shielding a system from DDoS attacks. Such factors include deployment strategy, the degree of cooperation of Internet hosts, the code of behaviour while the system is already under attack, and post-attack analysis, among others. In this paper, we have sorted the large body of existing defense mechanisms and proposed an enhanced taxonomy that incorporates possible parameters that might influence DDoS defense.
