Professional Documents
Culture Documents
DDoS Attacks and Defense Mechanisms Classification
DDoS Attacks and Defense Mechanisms Classification
www.elsevier.com/locate/comnet
Abstract
Denial of Service (DoS) attacks constitute one of the major threats and among the hardest security problems in
todays Internet. Of particular concern are Distributed Denial of Service (DDoS) attacks, whose impact can be proportionally severe. With little or no advance warning, a DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. Because of the seriousness of the problem many defense
mechanisms have been proposed to combat these attacks. This paper presents a structural approach to the DDoS
problem by developing a classication of DDoS attacks and DDoS defense mechanisms. Furthermore, important
features of each attack and defense system category are described and advantages and disadvantages of each proposed
scheme are outlined. The goal of the paper is to place some order into the existing attack and defense mechanisms, so
that a better understanding of DDoS attacks can be achieved and subsequently more ecient and eective algorithms,
techniques and procedures to combat these attacks may be developed.
2003 Elsevier B.V. All rights reserved.
Keywords: DoS attacks; DDoS attacks; Defenses; Network security; Intrusion detection
1. Introduction
Denial of Service (DoS) attacks are undoubtedly
a very serious problem in the Internet, whose impact has been well demonstrated in the computer
network literature. The main aim of a DoS is the
disruption of services by attempting to limit access
to a machine or service instead of subverting the
service itself. This kind of attack aims at rendering
a network incapable of providing normal service by
*
1389-1286/$ - see front matter 2003 Elsevier B.V. All rights reserved.
doi:10.1016/j.comnet.2003.10.003
644
Internet system architecture, its open resource access model, which ironically, also happens to be its
greatest advantage.
DDoS attacks are comprised of packet streams
from disparate sources. These attacks engage the
power of a vast number of coordinated Internet
hosts to consume some critical resource at the
target and deny the service to legitimate clients.
The trac is usually so aggregated that it is dicult to distinguish legitimate packets from attack
packets. More importantly, the attack volume can
be larger than the system can handle. Unless special care is taken, a DDoS victim can suer from
damages ranging from system shutdown and le
corruption, to total or partial loss of services.
There are no apparent characteristics of DDoS
streams that could be directly and wholesalely
used for their detection and ltering. The attacks
achieve their desired eect by the sheer volume of
attack packets, and can aord to vary all packet
elds to avoid characterization and tracing.
Extremely sophisticated, user-friendly and
powerful DDoS toolkits are available to potential
attackers increasing the danger of becoming a
victim in a DoS or a DDoS attack. DDoS
attacking programs have very simple logic structures and small memory sizes making them relatively easy to implement and hide. Attackers
constantly modify their tools to bypass security
systems developed by system managers and
researchers, who are in a constant alert to modify
their approaches to handle new attacks.
The DDoS eld is evolving quickly, thus
becoming increasingly hard to grasp a global view
of the problem. Although there is no panacea for all
avors of DDoS, there are several countermeasures
that focus on either making the attack more dicult or on making the attacker accountable.
In this paper, we try to introduce some structure to the DDoS eld by presenting the state-ofthe-art in the eld through a classication of
DDoS attacks and a classication of the defense
mechanisms that can be used to combat these attacks. The classication of attacks includes both
known and potential attack mechanisms. In each
attack category we dene special and important
features and characteristics. We also classify published approaches of defense mechanisms and even
though we point out vulnerabilities of certain defense systems, our purpose is not criticize the defense mechanisms but to describe the existing
problems so that they might be solved.
Following this introduction, the paper is organized as follows. Section 2 investigates rst the
problem of DoS attacks and then presents a classication of DoS attacks. Section 3 introduces the
problem of DDoS attacks, gives the basic characteristics of well-known DDoS tools and presents a
taxonomy of DDoS attacks. Section 4 presents the
DDoS defense problems and proposes a classication of DDoS defense mechanisms, while Section 6 concludes the paper.
2. DoS attacks
2.1. Dening DoS attacks
According to the WWW Security FAQ [4] a
DoS attack can be described as an attack designed
to render a computer or network incapable of
providing normal services. A DoS attack is considered to take place only when access to a computer or network resource is intentionally blocked
or degraded as a result of malicious action taken
by another user. These attacks dont necessarily
damage data directly or permanently, but they
intentionally compromise the availability of the
resources.
The most common DoS attacks target the
computer networks bandwidth or connectivity.
Bandwidth attacks ood the network with such a
high volume of trac that all available network
resources are consumed and legitimate user requests cannot get through, resulting in degraded
productivity. Connectivity attacks ood a computer with such a high volume of connection requests, that all available operating system
resources are consumed, and the computer can no
longer process legitimate user requests.
2.2. DoS attack classication
DoS attacks can be classied into ve categories
based on the attacked protocol level, as illustrated
in Fig. 1 [5].
645
Network
Device
level
OS level
Application
level
Data flood
Protocol
feature
attack
DoS attacks in the Network Device Level include attacks that might be caused either by taking
advantage of bugs or weaknesses in software, or
by trying to exhaust the hardware resources of
network devices. One example of a network device
exploit is the one that is caused by a buer overrun
error in the password checking routine. Using
these exploits certain Cisco 7xx routers [6] could be
crashed by connecting to the routers via telnet and
entering extremely long passwords.
In the OS level DoS attacks take advantage of
the ways operating systems implement protocols.
One example of this category of DoS attacks is the
Ping of Death attack [7]. In this attack, ICMP
echo requests having total data sizes greater than
the maximum IP standard size are sent to the
targeted victim. This attack often has the eect of
crashing the victims machine.
Application-based attacks try to settle a machine
or a service out of order either by taking advantage of specic bugs in network applications that
are running on the target host or by using such
applications to drain the resources of their victim.
It is also possible that the attacker may have found
points of high algorithmic complexity and exploits
them in order to consume all available resources
on a remote host. One example of an applicationbased attack is the nger bomb [8]. A malicious
user could cause the nger routine to be recursively executed on the hostname, potentially
exhausting the resources of the host.
In data ooding attacks, an attacker attempts to
use the bandwidth available to a network, host or
device at its greatest extent, by sending massive
quantities of data and so causing it to process
3. DDoS attacks
3.1. Dening DDoS attacks
According to the WWW Security FAQ [4] on
Distributed Denial of Service (DDoS) attacks: A
DDoS attack uses many computers to launch a
coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the eectiveness of the DoS
signicantly by harnessing the resources of multiple unwitting accomplice computers, which serve
as attack platforms. The DDoS attack is the most
646
Control Traffic
Flood Traffic
Attacker
Handler
Agent
Agent
Handler
Agent
Handler
Agent
Victim
Fig. 2. Architecture of DDoS attacks.
Agent
Agent
647
648
649
650
Classification
by degree of
automation
Manual
Classification
by exploited
vulnerability
DDoS Attacks
Flood attack
Semi-Automatic
UDP flood
Direct
ICMP flood
Indirect
Automatic
Classification by
attack rate dynamics
Continuous
Classification
by impact
Disruptive
Variable
Degrading
Fluctuating
Amplification attack
Increasing
Smurf attack
Fraggle attack
Protocol Exploit Attacks
Malformed Packet attack
Fig. 3. Classication of DDoS attacks.
651
652
Malformed packet attacks [32] rely on incorrectly formed IP packets that are sent from
agents to the victim in order to crash the victim
system. The malformed packet attacks can be divided in two types of attacks: IP address attack
and IP packet options attack. In an IP address
attack, the packet contains the same source
and destination IP addresses. This has as a result
the confusion of the operating system of the victim system and the crash of the victim system. In
an IP packet options attack, a malformed packet
may randomize the optional elds within an IP
packet and set all quality of service bits to one.
This would have as a result the use of additional
processing time by the victim in order to analyze
the trac. If this attack is combined with the use
of multiple agents, it could lead to the crash of
the victim system.
3.4.3. Classication by attack rate dynamics
Depending on the attack rate dynamics DDoS
attacks can be divided in continuous rate and variable rate attacks.
Continuous rate attacks comprise attacks that
after the onset of the attack are executed with
full force and without a break or decrement of
force. The impact of such an attack is very
quick.
Variable rate attacks as their name indicates,
vary the attack rate and thus they avoid detection and immediate response. Based on the rate
change mechanism we dierentiate between attacks with increasing rate and uctuating rate.
Increasing rate attacks gradually lead to the
exhaustion of victims resources, thus delaying
detection of the attack. Fluctuating rate attacks
have a wavy rate that is dened by the victims
behavior and response to the attack, at times
decreasing the rate in order to avoid detection.
3.4.4. Classication by impact
Based on the impact of a DDoS attack we can
divide DDoS attacks to disruptive and degrading
attacks.
Disruptive attacks lead to the complete denial of
the victims service to its clients.
Intrusion
Intrusion
Intrusion
Intrusion
Prevention,
Detection,
Tolerance and Mitigation, and
Response.
653
5. Classication by activity
5.1. Intrusion prevention
The best mitigation strategy against any attack
is to completely prevent the attack. In this stage we
try to stop DDoS attacks from being launched in
the rst place. There are many DDoS defense
mechanisms that try to prevent systems from attacks:
Using globally coordinated lters, attacking
packets can be stopped, before they aggregate to
lethal proportions. Filtering mechanisms can be
divided into the following categories:
Ingress ltering is an approach to set up a router
such that to disallow incoming packets with illegitimate source addresses into the network. Ingress
ltering, proposed by Ferguson and Senie [39], is a
restrictive mechanism to drop trac with IP address that does not match a domain prex connected to the ingress router. This mechanism can
drastically reduce the DoS attack by IP spoong if
all domains use it. Sometimes legitimate trac can
be discarded by an ingress ltering when Mobile IP
[40] is used to attach a mobile node to a foreign
network.
Egress ltering [41] is an outbound lter, which
ensures that only assigned or allocated IP address
space leaves the network. Egress lters do not help
to save resource wastage of the domain where the
packet is originated but it protects other domains
from possible attacks. Besides the placement issue,
both ingress and egress lters have similar behavior.
Route-based distributed packet ltering has
been proposed by Park and Lee [42]. This approach is capable of ltering out a large portion
of spoofed IP packets and preventing attack
packets from reaching their targets as well as to
help in IP traceback. Route-based lters use the
route information to lter out spoofed IP packets,
making this their main dierence from ingress ltering. If route-based lters are partially deployed,
a synergistic ltering eect is possible, so that
spoofed IP ows are prevented from reaching
other Autonomous Systems. Furthermore, since
routes on the Internet change with time [43] it is a
great challenge for route-based lters to be
654
Intrusion
Prevention
Intrusion Detection
Using Globally
Coordinated Filters
Ingress
Filtering
Egress
Filtering
Route-Based
Distributed
Packet Filtering
History-based
IP filtering
Classification by
location
Intrusion
Response
Anomaly
Detection
Statistical
analysis
techniques
Data mining
techniques
Rate limiting
techniques
Misuse
Detection
IP Traceback
ICMP
Traceback
Applying
Security Patches
Quality Of
Service
Intermediate
Network
Source
Network
IntServ
Probabilistic
Packet
Marking
Hash-based
IP Traceback
Center-Track
Disabling
Unused Services
Fault
Tolerance
Victim
Network
Link-testing
Traceback
Sleepy
Traceback
Secure Overlay
Services
Intrusion
Tolerance
And Mitigation
DiffServ
Class-based
queuing
Proactive
Server Roaming
Resource
accounting
Traffic Pattern
Analysis
Resource
pricing
Analysis of
event logs
Replication
Pushback
Changing IP
Address
Throttling
Disabling IP
Broadcasts
Load
Balancing
Honeypots
Disabling unused services [46] is another approach in order to prevent DDoS attacks. If UDP
echo or character generator services are not required, disabling them will help to defend against
these attacks. In general, if network services are
not needed or unused, the services should be disabled to prevent attacks.
Applying security patches [46], can armor the
hosts against DDoS attacks. The host computers
should update themselves with the latest security
patches for the bugs present and use the latest
techniques available to minimize the eect of
DDoS attack.
Changing IP address [46], is another simple
solution to a DDoS attack in order to invalidate
the victim computers IP address by changing it
with a new one. This is called moving target defense. Once the IP address change is completed all
Internet routers will have been informed, and edge
routers will drop the attacking packets. Although
this action leaves the computer vulnerable because
the attacker can launch the attack at the new IP
address, this option is practical for local DDoS
attacks, which are based on IP addresses. On the
other hand, attackers can render this technique a
futile process by adding a domain name service
tracing function to the DDoS attack tools.
By disabling IP broadcasts [46], host computers
can no longer be used as ampliers in ICMP Flood
and Smurf attacks. However, a defense against this
attack will be successful only if all the neighboring
networks disable IP broadcasts.
Load balancing [32] is a simple approach that
enables network providers to increase the provided
bandwidth on critical connections and prevent
them from going down in the event of an attack.
Additional failsafe protection can be the use the
replication of servers in the case some go down
during a DDoS attack. Furthermore, in a multiple-server architecture the balance of the load is
necessary so that both the improvement of normal
performance as well as the prevention or mitigation of the eect of a DDoS attack can be
achieved.
Honeypots [47] can also be used in order to
prevent DDoS attacks. Honeypots are systems
that are set up with limited security and can be
used to trick the attacker to attack the honeypot
655
656
657
658
Probabilistic packet marking (PPM) was originally introduced by Savage et al. [65], who described ecient ways to encode partial route path
information and include the traceback data in IP
packets. It is an approach that can be applied
during or after an attack, and it does not require
any additional network trac, router storage, or
packet size increase. Even though it is not impossible to reconstruct an ordered network path using
an unordered collection of router samples, it requires the victim to receive a large amount of
packets. The advantage of this approach is that no
extra trac is generated, since the extra information is bound to the packets. Furthermore, there is
no interaction with ISPs and this mechanism can
be used to trace attacks after an attack has completed.
On the other hand, there is a backward
incompatibility as IP marking on the ID eld
conicts with IPsec [66] in which the Authentication Header encrypts the identication header.
Moreover probabilistic ID-eld marking requires
modications of Internet routing devices to generate such marks on the y. The reconstruction of
an attack path [67] by the victim demands a high
computation overhead. High false positives are
generated when multiple attackers initiate DDoS.
This approach is not robust against a compromised router. Ioannidis and Bellovin [68] argue
that even though the attack path has been identied, it is not clear what are the next tasks that
must follow.
Song and Perrig [67] improved the performance
of PPM and suggested the use of hash chains for
authenticating routers. They use a 5-bit distance
eld, but they do not fragment router messages.
This marking scheme is ecient and accurate in
the presence of a large number of DDoS and a
clever encoding scheme is used to reduce the
storage space requirements. On the other hand,
this mechanism assumes that the victim has a map
of upstream routers to all attackers and its incremental deployment is not supported.
Dean et al. [69] introduced an interesting algebraic approach to PPM. This scheme does not
require an upstream router map to construct an
attack path. But like the system proposed in [65]
this scheme shares similar backwards compatibil-
659
660
sarial behavior. They identify allotting a priority mechanism to desirable clients as being key,
and punish clients that cause load on the server.
The drawback of this approach is that a malicious user can populate the system with fake
request at a low price, thus driving up the price
for legitimate users. Mankins et al. recommendation to solve this is partitioning resources
into classes and using dierent pricing functions
for each class.
Various autonomous architectures have been
proposed that demonstrate intrusion tolerance
during DDoS bandwidth consumption attacks.
The XenoService [88] is an infrastructure of a
distributed network of web hosts that respond
to an attack on any website by replicating the
web site rapidly and widely among XenoService
servers, thereby allowing the attacked site to
acquire more network connectivity to absorb a
packet ood. Although such infrastructure can
ensure QoS during DDoS attacks, it is doubtful
that a large number of ISPs will adopt such an
infrastructure quickly.
The pushback architecture is a promising
mitigation technique where the idea is to notify
upstream routers to rate-limit or drop specic
trac identied as poor (aggregate). In the
Aggregate-based Congestion Control (ACC)
[68] an aggregate is dened as a subset of the
trac with an identiable property [89].
According to [68], a pushback daemon determines whether there is an indication of any attacks by running a detection algorithm. The
incremental deployment of this approach is
possible and furthermore, there is no need for
upstream routers. On the other hand, there is a
great storage requirement for the pushback
daemon, so that dropped packets from the ratelimiter and the output queue, can be analyzed.
DARPA has supported research on sophisticated autonomous response systems based on
the Cooperative Intrusion Traceback and Response Architecture (CITRA) and the Intruder
Detection and Isolation Protocol (IDIP) [90].
IDIP is a special protocol for reporting intrusions and coordinating attack trace-back and
response actions among network devices. The
CITRA network components can be IDSs,
661
662
6. Conclusions
Undoubtedly, DDoS attacks present a serious
problem in the Internet and challenge its rate of
growth and wide acceptance by the general public,
skeptical government and businesses.
In this paper, we tried to achieve a clear view of
the DDoS attack problem and the numerous defense solutions that have been proposed. Having,
this clear view of the problem, our thinking is
claried and this way we can nd more eective
solutions to the problem of DDoS attacks.
One great advantage of the development of
DDoS attack and defense classications is that
References
[1] CERT Coordination Center, Denial of Service attacks,
Available from <http://www.cert.org/tech_tips/denial_of_
service.html>.
[2] Computer Security Institute and Federal Bureau of Investigation, CSI/FBI Computer crime and security survey
2001, CSI, March 2001, Available from <http://www.gocsi.com>.
[3] D. Moore, G. Voelker, S. Savage, Inferring Internet Denial
of Service activity, in: Proceedings of the USENIX Security
Symposium, Washington, DC, USA, 2001, pp. 922.
[4] L.D. Stein, J.N. Stewart, The World Wide Web Security
FAQ, version 3.1.2, February 4, 2002, Available from
<http://www.w3.org/Security/Faq>.
[5] D. Karig, R. Lee, Remote Denial of Service Attacks and
countermeasures, Department of Electrical Engineering,
Princeton University, Technical Report CE-L2001-002,
October 2001.
[6] CIAC, Information Bulletin, I-020: Cisco 7xx password
buer overow, Available from <http://ciac.llnl.gov/ciac/
bulletins/i-020.shtml>.
[7] Kenney, Malachi, Ping of Death, January 1997, Available from <http://www.insecure.org/sploits/ping-o-death.
html>.
[25]
[26]
[27]
[28]
[29]
[30]
[31]
[32]
[33]
[34]
[35]
[36]
[37]
[38]
[39]
[40]
663
from
<http://www.research.att.com/~smb/papers/draftbellovin-itrace-00.txt>.
D. Dittrich, The Stacheldraht Distributed Denial of
Service attack tool, University of Washington, December
1999, Available from <http://sta.washington.edu/dittrich/
misc/stacheldraht.analysis.txt>.
D. Dittrich, G. Weaver, S. Dietrich, N. Long, The
mstream Distributed Denial of Service attack tool, May
2000, Available from <http://sta.washington.edu/dittrich/
misc.mstream.analysis.txt>.
S. Dietrich, N. Long, D. Dittrich, Analyzing Distributed
Denial of Service tools: the Shaft Case, in: Proceedings of
the 14th Systems Administration Conference (LISA 2000),
New Orleans, LA, USA, December 38, 2000, pp. 329
339.
B. Hancock, Trinity v3, a DDoS tool, hits the streets,
Computers Security 19 (7) (2000) 574.
CERT Coordination Center, Carnegie Mellon Software
Engineering Institute, CERT Advisory CA-200120 Continuing threats to home users, 23, 2001, Available from <http://www.cert.org/advisories/CA-2001-20.
html>.
Bysin, Knight.c sourcecode, PacketStormSecurity.nl July
11, 2001, Available from <http://packetstormsecurity.nl/
distributed/knight.c>.
J. Mirkovic, J. Martin, P. Reiher, A taxonomy of DDoS
attacks and DDoS defense mechanisms, UCLA CSD
Technical Report no. 020018.
R.B. Lee, Taxonomies of Distributed Denial of Service
networks, attacks, tools and countermeasures, Princeton
University, Available from <http://www.ee.princeton.edu/
~rblee>.
V. Paxson, An analysis of using reectors for Distributed
Denial of Service attacks, ACM Computer Communication Review 31 (3) (2001) 3847.
R.K.C. Chang, Defending against ooding-based, Distributed Denial of Service attacks: a tutorial, IEEE Communications Magazine 40 (10) (2002) 4251.
Daemon9, Route, Innity, IP-spoong demystied: trustrelationship exploitation, Phrack Magazine, Guild Productions, kid, June 1996.
C.A. Huegen, The latest in Denial of Service attacks:
Smurng description and information to minimize eects,
2000, Available from <http://www.pentics.net/denial-ofservice/white-papers/smurf.cgi>.
S. Bellovin, Security problems in the TCP/IP protocol
suite, Computer Communications Review 19 (2) (1989) 32
48.
Cisco Systems, Inc., Dening strategies to protect against
TCP SYN Denial of Service attacks, 1999, Available from
<http://www.cisco.com/warp/public/707/4.html>.
P. Ferguson, D. Senie, Network ingress ltering: defeating
Denial of Service attacks which employ IP source address
spoong, in: RFC 2827, 2001.
C. Perkins, IP mobility support for IPv4, IETF RFC 3344,
2002.
664
[73]
[74]
[75]
[76]
[77]
[78]
[79]
[80]
[81]
[82]
[83]
[84]
[85]
[86]
[87]
[88]
[89]
[90]
[91]
[92]
[93]
[94]
[95]
[96]
[97]
665
666
[98]
[99]
[100]
[101]
[102]