Protection Against Denial of Service Attacks: A Survey

Denial of service (DoS) is a prevalent threat in today's networks because DoS attacks are easy to launch, while defending a network resource against them is disproportionately difficult. Despite extensive research in recent years, DoS attacks continue to cause harm, as attackers adapt to newer protection mechanisms. For this reason, we start our survey with a historical timeline of DoS incidents, where we illustrate the variety of types, targets and motives for such attacks and how they evolved during the last two decades. We then provide an extensive literature review of the existing research on DoS protection, with an emphasis on the research of recent years and the most demanding aspects of defence. These include traceback, detection, classification of incoming traffic, response in the presence of an attack, and mathematical modelling of attack and defence mechanisms. Our discussion aims to identify the trends in DoS attacks, the weaknesses of protection approaches and the qualities that modern ones should exhibit, so as to suggest new directions that DoS research can follow.


[58]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[59]  Michael E. Lesk,et al.  The New Front Line: Estonia under Cyberassault , 2007, IEEE Security & Privacy.

[60]  Kotagiri Ramamohanarao,et al.  Detecting Distributed Denial of Service Attacks by Sharing Distributed Beliefs , 2003, ACISP.

[61]  Vern Paxson,et al.  An analysis of using reflectors for distributed denial-of-service attacks , 2001, CCRV.

[62]  Basil S. Maglaris,et al.  Towards multisensor data fusion for DoS detection , 2004, SAC '04.

[63]  H. Jonathan Chao,et al.  PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks , 2006, IEEE Transactions on Dependable and Secure Computing.

[64]  Olivier Bonaventure,et al.  Understanding the Long-Term Self-Similarity of Internet Traffic , 2001, QofIS.

[65]  Craig Partridge,et al.  Single-packet IP traceback , 2002, TNET.

[66]  Hassan Aljifri,et al.  IP Traceback: A New Denial-of-Service Deterrent? , 2003, IEEE Secur. Priv..

[67]  Daniel S. Yeung,et al.  Construction of High Precision RBFNN with Low False Alarm for Detecting Flooding Based Denial of Service Attacks Using Stochastic Sensitivity Measure , 2005, ICMLC.

[68]  Jerry R. Hobbs,et al.  An algebraic approach to IP traceback , 2002, TSEC.

[69]  Ramesh Govindan,et al.  COSSACK: Coordinated Suppression of Simultaneous Attacks , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[70]  Ming Zeng,et al.  A Novel DDoS Attack Detecting Algorithm Based on the Continuous Wavelet Transform , 2004, AWCC.

[71]  A. L. Narasimha Reddy,et al.  Statistical Techniques for Detecting Traffic Anomalies Through Packet Header Data , 2008, IEEE/ACM Transactions on Networking.

[72]  Dan Schnackenberg,et al.  Statistical approaches to DDoS attack detection and response , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[73]  M. Gladwell,et al.  The Tipping Point , 2011 .

[74]  Andreas Terzis,et al.  On the effect of router buffer sizes on low-rate denial of service attacks , 2005, Proceedings. 14th International Conference on Computer Communications and Networks, 2005. ICCCN 2005..

[75]  Gavrilis Dimitris,et al.  Feature Selection for Robust Detection of Distributed Denial-of-Service Attacks Using Genetic Algorithms , 2004 .

[76]  Erol Gelenbe,et al.  A self-aware approach to denial of service defence , 2007, Comput. Networks.

[77]  Hai-Tao He,et al.  Detecting Anomalous Network Traffic with Combined Fuzzy-Based Approaches , 2005, ICIC.

[78]  Krzysztof Cetnarowicz,et al.  Behavior Based Detection of Unfavorable Resources , 2004, International Conference on Computational Science.

[79]  Nirwan Ansari,et al.  Low rate TCP denial-of-service attack detection at edge routers , 2005, IEEE Communications Letters.

[80]  Y. Tatar,et al.  Detection SYN Flooding Attacks Using Fuzzy Logic , 2008, 2008 International Conference on Information Security and Assurance (isa 2008).

[81]  Aleksandar Kuzmanovic,et al.  Low-rate TCP-targeted denial of service attacks and counter strategies , 2006, TNET.

[82]  Paul Ferguson,et al.  Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[83]  Mihui Kim,et al.  A Combined Data Mining Approach for DDoS Attack Detection , 2004, ICOIN.

[84]  Andrew H. Sung,et al.  Intrusion detection using an ensemble of intelligent paradigms , 2005, J. Netw. Comput. Appl..

[85]  Fabio Roli,et al.  Fusion of multiple classifiers for intrusion detection in computer networks , 2003, Pattern Recognit. Lett..

[86]  Steven M. Bellovin,et al.  Implementing Pushback: Router-Based Defense Against DDoS Attacks , 2002, NDSS.

[87]  M. Uysal,et al.  DDoS-Shield: DDoS-Resilient Scheduling to Counter Application Layer Attacks , 2009, IEEE/ACM Transactions on Networking.

[88]  Srikanth Kandula,et al.  Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds , 2005, NSDI.

[89]  Robert Morris A Weakness in the 4.2BSD Unix† TCP/IP Software , 1999 .

[90]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..

[91]  Erol Gelenbe,et al.  An autonomic approach to denial of service defence , 2005, Sixth IEEE International Symposium on a World of Wireless Mobile and Multimedia Networks.

[92]  Ronaldo M. Salles,et al.  An AS-level overlay network for IP traceback , 2009, IEEE Network.

[93]  Georgia Sakellari,et al.  Adaptive resilience of the cognitive packet network in the presence of network worms , 2009 .

[94]  Fang-Yie Leu,et al.  Intrusion Detection with CUSUM for TCP-Based DDoS , 2005, EUC Workshops.

[95]  Greg Shipley,et al.  ISS RealSecure pushes past newer IDS players , 1999 .

[96]  Virgil D. Gligor,et al.  A Note on the Denial-of-Service Problem , 1983, 1983 IEEE Symposium on Security and Privacy.

[97]  Balachander Krishnamurthy,et al.  Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites , 2002, WWW.

[98]  Kanta Matsuura,et al.  Detection of Unknown DoS Attacks by Kolmogorov-Complexity Fluctuation , 2005, CISC.

[99]  Ming Li,et al.  Fractional Gaussian Noise: A Tool of Characterizing Traffic for Detection Purpose , 2004, AWCC.

[100]  Chan-Hyun Youn,et al.  A Probe Detection Model Using the Analysis of the Fuzzy Cognitive Maps , 2005, ICCSA.

[101]  Y. Xiang,et al.  Detecting DDOS attack based on network self-similarity , 2004 .

[102]  W. Polonsky,et al.  The Tipping Point , 2007, The Diabetes educator.

[103]  Otto Carlos Muniz Bandeira Duarte,et al.  Towards Stateless Single-Packet IP Traceback , 2007, 32nd IEEE Conference on Local Computer Networks (LCN 2007).

[104]  Bill Cheswick,et al.  Tracing Anonymous Packets to Their Approximate Source , 2000, LISA.

[105]  David K. Y. Yau,et al.  Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles , 2005, IEEE/ACM Transactions on Networking.

[106]  Vijay Varadharajan,et al.  Analysis of traceback techniques , 2006, ACSW.

[107]  A. L. Narasimha Reddy,et al.  Mitigation of DoS attacks through QoS regulation , 2004, Microprocess. Microsystems.

[108]  Tae Ho Cho,et al.  Modeling and Simulation for Detecting a Distributed Denial of Service Attack , 2002, Australian Joint Conference on Artificial Intelligence.

[109]  Craig Partridge,et al.  Hash-based IP traceback , 2001, SIGCOMM.

[110]  John S. Heidemann,et al.  A framework for classifying denial of service attacks , 2003, SIGCOMM '03.

[111]  Rasool Jalili,et al.  Detection of Distributed Denial of Service Attacks Using Statistical Pre-processor and Unsupervised Neural Networks , 2005, ISPEC.

[112]  Kai Hwang,et al.  Collaborative detection and filtering of shrew DDoS attacks using spectral analysis , 2006, J. Parallel Distributed Comput..

[113]  H. Jonathan Chao,et al.  ALPi: A DDoS Defense System for High-Speed Networks , 2006, IEEE Journal on Selected Areas in Communications.

[114]  José Carlos Brustoloni,et al.  Protecting electronic commerce from distributed denial-of-service attacks , 2002, WWW.

[115]  Michael K. Reiter,et al.  Defending against denial-of-service attacks with puzzle auctions , 2003, 2003 Symposium on Security and Privacy, 2003..

[116]  Amar Aissani Queueing Analysis for Networks Under DoS Attack , 2008, ICCSA.

[117]  Tao Zou,et al.  An Automatic and Generic Early-Bird System for Internet Backbone Based on Traffic Anomaly Detection , 2005, ICN.