A Survey on DDoS Attack and Defense Strategies: From Traditional Schemes to Current Techniques

Muhammad AAMIR, Mustafa Ali ZAIDI
2013 Interdisciplinary Information Sciences  
Distributed Denial of Service (DDoS) attacks exhaust a victim's bandwidth or services. The traditional architecture of the Internet is vulnerable to DDoS attacks, and an ongoing cycle of attack and defense is observed. A recent attack report for Quarter 1 of 2013 from Prolexic Technologies records a 1.75 percent increase in the total number of DDoS attacks compared with the last quarter of the previous year. In this paper, different types and techniques of DDoS attacks and their countermeasures are surveyed. The significance of this paper is its coverage of many aspects of countering DDoS attacks, including new research on the topic. We survey papers describing methods of defense against DDoS attacks based on entropy variations, traffic anomaly parameters, neural networks, device-level defense, botnet flux identification, application layer DDoS defense, and countermeasures in wireless networks, CCN and cloud computing environments. We also discuss some traditional methods of defense, such as traceback and packet filtering techniques, so that readers can identify the major differences between traditional and current techniques of defense against DDoS attacks. We identify that application layer DDoS attacks can produce a greater impact on the victim because they are driven by legitimate-looking traffic, which makes them difficult to distinguish from legitimate requests. The need for improved defense against such attacks is therefore more pressing in research. The study conducted in this paper can help readers and researchers recognize better current techniques of defense against DDoS attacks and contribute further research on this topic in light of the future challenges identified here.

unaware of the fact that their machines are being used as part of some botnet. A typical architecture of a DDoS attack is shown in Fig. 1. The attack employs client-server technology, and a stream of data packets is sent to the victim to exhaust its services, connections, bandwidth, etc. The data flood type of DoS is the one most commonly used in DDoS attacks. With the evolution of the Internet, cyber attacks have also increased manifold. Earlier DDoS attacks were manual: the attacker had to perform many steps before launching the final attack, such as port scanning, identifying available machines in the public network to build the botnet, and inserting malware.
With the passage of time, sophisticated attack tools have been developed to assist attackers in performing all or some of these steps automatically, reducing human effort. The attacker can simply configure the desired attack parameters and the rest is done by automated tools. Some common automated attack tools are Trinoo, TFN (Tribe Flood Network), TFN2K, Stacheldraht, Shaft, Knight and Trinity. Some of them work over IRC (Internet Relay Chat), where handlers and zombies do not know each other's identities and communicate indirectly. The others are agent based, in which communication is direct and handlers and zombies know each other's identity [3]. Therefore, when DDoS attacks are classified by degree of automation, they are described as Manual, Semi-automatic and Automatic attacks [1]. DDoS attacks are further classified by attack rate dynamics, i.e., the way the attack rate varies over time. The classes are Continuous Rate and Variable Rate attacks [1]. In a continuous rate attack, the flow is constant once the attack is launched. A variable rate attack, on the other hand, changes its impact and flow with time, making it more difficult to detect and respond to. Within variable rate, the attack rate dynamics can further be Fluctuating or Increasing [1]. Moreover, based on the data rate of attack traffic in a given network, attacks are also categorized as high rate and low rate DDoS attacks [4]. DDoS attacks are also classified in the literature 'by impact': an attack can be Disruptive, in which the normal service is completely unavailable to users, or Degrading, in which the service is not completely unavailable but suffers a considerable decrease in productivity [1]. The major classification of DDoS attacks is 'by exploited vulnerability' [1], i.e., the vulnerability through which an adversary launches the attack on the victim. This classification is given in Fig. 2 (as specified in [1]).
In this classification, a flood attack is used to bring down the victim's machine or the network's bandwidth. It has a few major sub-classes such as UDP flood, ICMP flood and TCP flood. In fact, all flooding attacks generated through DDoS can be of two types: direct attacks and reflector attacks [5]. In direct attacks, zombie machines attack the victim directly, as shown in the attack architecture in Fig. 1. In reflector attacks, on the other hand, zombies send request packets with a spoofed source IP address (the IP of the victim) to a number of other compromised machines (PCs, routers, etc.), and the replies generated by these machines are directed at the victim to disturb or exhaust its resources.

Therefore, traditional DDoS detection techniques are unable to identify such attacks. In these attacks, complete communication with the victim is established, just as legitimate users do, and numerous connections are generated with the aim of denying or degrading the service or bandwidth for legitimate clients. Application layer attacks depend on establishing complete TCP connections with the victim. Therefore, the attacker has to disclose the real IPs of the zombie machines to the victim; otherwise such connections cannot be made. However, because of the large number of zombies, the attacker does not worry about this limitation [5]. If such machines are identified and filtered at some stage, the attacker uses another group or pool of zombies to continue the attack. After establishing a large number of TCP connections with the victim, the attacker starts sending requests that require relatively heavy processing, such as downloading large image files or making database queries. In this way, resources are tied up by the attack traffic, denying or degrading the services for legitimate users. Effectively, application layer attacks are also flooding attacks, and are categorized as HTTP flood, HTTPS flood, FTP flood, etc.
Sometimes, they are collectively mentioned as GET floods.

Motivation behind DDoS attacks

DoS attacks in wireless networks and their countermeasures:
ARP poisoning: cryptographic protection, filtering, IDS.
Authentication/Association request flood: cryptographic protection, protocol repair, client puzzle, IDS, decreasing retry limit, signal strength info identification, RF fingerprint identification.
Probe request flood: cryptographic protection, client puzzle, IDS, decreasing retry limit, signal strength info identification, RF fingerprint identification.
Deauthentication/Deassociation: cryptographic protection, MAC address spoof detection, IDS, delaying effects, signal strength info identification, RF fingerprint identification.
Monopolizing attack: rapid frequency hopping, multi-hop forwarding, spatial retreat.
Reactive attack: rapid frequency hopping, multi-hop forwarding, spatial retreat.
Preamble attack: rapid frequency hopping, multi-hop forwarding, spatial retreat.
Symbol attack: rapid frequency hopping, multi-hop forwarding, spatial retreat, forward error correction.

Fig. 8. A form of DoS attack in WLAN [130].
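As an added illustration of the application-layer GET floods described above (example code written for this page, not from the survey or any tool it names), the following Python detector splits constructed web-server log lines into time windows, scores each window by the share of resource-intensive requests and by the Shannon entropy of source addresses (the entropy-variation idea the abstract mentions), and lists the sources whose heavy-request count exceeds a threshold. The log format, the heavy path prefixes, the thresholds and all addresses are assumptions.

```python
import math
import re
from collections import Counter
# Constructed sample log (not from the paper), one "<epoch_sec> <source_ip> <path>" per line:
# seconds 0-9 are ordinary browsing; seconds 10-19 hold a GET flood from two hosts using real addresses.
SAMPLE_LOG = """\
1 10.0.0.1 /index.html
2 10.0.0.2 /report.php?q=monthly
3 10.0.0.3 /about.html
4 10.0.0.1 /contact.html
11 10.0.0.9 /report.php?q=all
11 10.0.0.9 /report.php?q=all
12 10.0.0.9 /download/archive.zip
12 10.0.0.10 /report.php?q=all
13 10.0.0.10 /report.php?q=all
14 10.0.0.9 /report.php?q=all
15 10.0.0.2 /index.html
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+)$")
# Hypothetical path prefixes that cost the server real work (database queries, large files).
HEAVY_PREFIXES = ("/report.php", "/download/")

def parse_log(text):
    """Yield (timestamp, source_ip, path) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def source_entropy(ips):
    """Shannon entropy (bits) of the source-address distribution; low means few talkers."""
    counts = Counter(ips)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def detect_get_flood(text, window=10, heavy_share=0.5, max_heavy_per_src=3):
    """Per time window: share of heavy requests, source entropy, and the sources sending
    more than max_heavy_per_src heavy requests; 'flood' is set when both signals fire."""
    windows = {}
    for ts, ip, path in parse_log(text):
        windows.setdefault(ts // window, []).append((ip, path))
    report = {}
    for w, reqs in sorted(windows.items()):
        heavy = [ip for ip, path in reqs if path.startswith(HEAVY_PREFIXES)]
        share = len(heavy) / len(reqs)
        suspects = sorted(ip for ip, n in Counter(heavy).items() if n > max_heavy_per_src)
        report[w] = {"heavy_share": round(share, 2), "suspects": suspects,
                     "entropy": round(source_entropy(ip for ip, _ in reqs), 2),
                     "flood": share >= heavy_share and bool(suspects)}
    return report
```

On the sample, window 0 stays clean while window 1 is flagged with 10.0.0.9 as the only source over the per-host limit; the innocent 10.0.0.2 in the same window is left alone.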
doi:10.4036/iis.2013.173