
International Journal of Advance Foundation and Research in Computer (IJAFRC)

Volume 2, Issue 8, August - 2015. ISSN 2348 4853

A Study On Denial-Of-Service Attacks And Their Countermeasure Approaches
Anu Raheja1, Ajit Singh2, Priyanka Palival3
anuraheja40@gmail.com1, ajit713@gmail.com2, priyankapaliwal01@gmail.com3
A network is a grouping of workstations and servers that interconnect with each other to share
information. The information exchanged between stations needs to be kept confidential. An attacker
is a party present in the network who tries to intercept this confidential data and misuse it, so
security is a critical issue. Various types of security attacks can be mounted in a network. The
biggest security threat to Internet services is the DDoS (Distributed Denial of Service) attack.
A DDoS attack, the most destructive kind of attack, overwhelms the receiver with a large amount of
traffic, which in turn prevents authorized users from accessing legitimate services. Various
defence mechanisms have been developed. This paper mainly presents the basics of DDoS attacks, the
classification of DDoS attacks, the need for a distributed defense system, an overview of DDoS
tools, defence principles, and a comparative study of different defense mechanisms.
Index Terms: DDoS, Attacks, Defense techniques, security



In a communication network, a large number of workstations communicate with each other. Each
workstation has private data that is to be transmitted between the stations. Security is the main issue
while transmitting and receiving information. For protection, several security mechanisms have been
developed, but these mechanisms do not help much. DDoS attacks are the most destructive attacks
reported to create havoc in the networking field for most service providers and legitimate users.
A DDoS attack makes network services unavailable to authorized users. DDoS can be carried out in
many ways, such as flooding attacks, logic attacks and protocol-based attacks. A flooding attack
floods the network so heavily that it becomes congested. A logic attack overflows a buffer or exceeds
the limit on the number of packets that can be received. In a protocol-based attack the attacker
analyses the behaviour of TCP/IP functionality to find what is needed for the attack; it does not
weaken TCP/IP functionality itself.
DDoS attacks can be classified in many ways, in terms of their nature and characteristics or their impact.
The taxonomy is also summarized in figure 2.
A. Classification by Degree of Automation
Based on the degree of automation of the attack, the attack can be classified as manual, semi-automatic
and automatic DDoS attacks.
1. Manual Attacks

Early DDoS attacks belong to this manual category. The attacker scans remote machines for
vulnerabilities, installs the attack code on those that are vulnerable, and then commands the
onset of the attack.
2. Semi-Automatic Attacks
In semi-automatic attacks, the DDoS network consists of handler and agent machines. The
automated scripts are deployed for scanning the weak prone areas and installation of the attack code
over there. He then uses handler machines to specify the attack type and the victim's address
and to command the onset of the attack to agents, who send packets to the victim.
3. Automatic Attacks
Automatic DDoS attacks additionally automate the attack phase, thus avoiding the need for
communication between attacker and agent machines. The time of the onset of the attack,
attack type, duration and victim's address is preprogrammed in the attack code. It is obvious
that such deployment mechanisms offer minimal exposure to the attacker, since he is only involved
in issuing a single command the start of the attack script. The hardcoded attack specification
suggests a single-purpose use of the DDoS network. However, the propagation mechanisms
usually leave the backdoor to the compromised. machine open, enabling easy future access and
modification of the attack code. Both semi-automatic and automatic attacks recruit the agent
machines by deploying automatic scanning and propagation techniques. Based on the scanning
strategy, we differentiate between attacks that deploy random scanning, hit list scanning,
topological scanning, permutation scanning and local subnet scanning. We give a brief description
of these scanning techniques here and refer the reader to for a detailed description and performance
comparison. Attackers usually combine the scanning and exploitation phases, thus gaining a larger
agent population, and our description of scanning techniques relates to this model.
Attacks with Random Scanning
During random scanning each compromised host probes random addresses in the IP address space, using
a different seed. This potentially creates a high traffic volume, since many machines probe the same
addresses. Code Red (CRv2) performed random scanning.

Attacks with Hitlist Scanning

A machine performing hitlist scanning probes all addresses from an externally supplied list. When it
detects a vulnerable machine, it sends one half of the initial hitlist to the new recipient and keeps the
other half. This technique allows for great propagation speed (due to exponential spread) and no
collisions during the scanning phase. An attack deploying hitlist scanning could obtain a list of domains
that still support directed IP broadcast, which can thus be used for a Smurf attack.
Attacks with Topological Scanning
Topological scanning uses the information on the compromised host to select new targets. All Email
worms use topological scanning, exploiting the information from address books for their spread.
Attacks with Permutation Scanning

During permutation scanning, all compromised machines share a common pseudo-random
permutation of the IP address space; each IP address is mapped to an index in this permutation. A
machine begins scanning by using the index computed from its IP address as a starting point.
Whenever it sees an already infected machine, it chooses a new random start point. This has the
effect of providing a semi-coordinated, comprehensive scan while maintaining the benefits of random
probing. This technique is described in as not yet deployed.
Attacks with Local Subnet Scanning
Local subnet scanning can be added to any of the previously described techniques to preferentially scan
for targets that reside on the same subnet as the compromised host. Using this technique, a single
copy of the scanning program can compromise many vulnerable machines behind a firewall. Code Red
II and the Nimda worm used local subnet scanning. Based on the attack code propagation mechanism,
we differentiate between attacks that deploy central source propagation, back-chaining propagation and
autonomous propagation.
Attacks with Central Source Propagation
During central source propagation, the attack code resides on a central server or set of servers. After
compromise of the agent machine, the code is downloaded from the central source through a file transfer
mechanism. The 1i0n worm operated in this manner.
Attacks with Back-chaining Propagation
During back-chaining propagation, the attack code is downloaded from the machine that was used to
exploit the system. The infected machine then becomes the source for the next propagation step.
Back-chaining propagation is more survivable than central source propagation since it avoids a single
point of failure. The Ramen worm and the Morris worm used back-chaining propagation.
Attacks with Autonomous Propagation
Autonomous propagation avoids the file retrieval step by injecting attack instructions directly into the
target host during the exploitation phase. Code Red, the Warhol worm and numerous e-mail worms use
autonomous propagation.
B. Classification by Exploited Vulnerability
Distributed denial-of-service attacks exploit different strategies to deny the service of the victim to its
clients. Based on the vulnerability that is targeted during an attack, we differentiate between
protocol attacks and brute-force attacks.

1. Protocol Attacks
Protocol attacks exploit a specific feature or implementation bug of some protocol installed at
the victim in order to consume excess amounts of its resources. Examples include the TCP SYN
attack, the CGI request attack and the authentication server attack. In the TCP SYN attack, the
exploited feature is the allocation of substantial space in a connection queue immediately upon
receipt of a TCP SYN request. The attacker initiates multiple connections that are never
completed, thus filling up the connection queue indefinitely. In the CGI request attack, the
attacker consumes the CPU time of the victim by issuing multiple CGI requests. In the
authentication server attack, the attacker exploits the fact that the signature verification
process consumes significantly more resources than bogus signature generation. He sends
numerous bogus authentication requests to the server, tying up its resources.
2. Brute-force Attacks
Brute-force attacks are performed by initiating a vast amount of seemingly legitimate
transactions. Since an upstream network can usually deliver higher traffic volume than the victim
network can handle, this exhausts the victim's resources. We further divide brute-force attacks based
on the relation of packet contents with victim services into filterable and non-filterable attacks.
3. Filterable Attacks
Filterable attacks use bogus packets or packets for non-critical services of the victim's operation,
and thus can be filtered by a firewall. Examples of such attacks are a UDP flood attack or an ICMP
request flood attack on a Web server.
4. Non-filterable Attacks
Non-filterable attacks use packets that request legitimate services from the victim. Thus,
filtering all packets that match the attack signature would lead to an immediate denial of the
specified service to both attackers and legitimate clients. Examples are an HTTP request flood
targeting a Web server or a DNS request flood targeting a name server.
The line between protocol and brute force attacks is thin. Protocol attacks also overwhelm a victim's
resources with excess traffic, and badly designed protocol features at remote hosts are frequently
used to perform "reflector" brute-force attacks, such as the DNS request attack or the Smurf attack.
The difference is that a victim can mitigate the effect of protocol attacks by modifying the
deployed protocols at its site, while it is helpless against brute-force attacks due to their misuse of
legitimate services (non-filterable attacks) or due to its own limited resources (a victim can do
nothing about an attack that swamps its network bandwidth).
Countering protocol attacks by modifying the deployed protocol pushes the corresponding attack
mechanism into the brute-force category. For example, if the victim deploys TCP SYN cookies to
combat TCP SYN attacks, it will still be vulnerable to TCP SYN attacks that generate more requests
than its network can accommodate. However, the brute-force attacks need to generate a much higher
volume of attack packets than protocol attacks, to inflict damage at the victim. So by modifying the
deployed protocols the victim pushes the vulnerability limit higher. Evidently, classification of the
specific attack needs to take into account both the attack mechanisms used and the victim's
configuration. It is interesting to note that the variability of attack packet contents is determined by
the exploited vulnerability. Packets comprising protocol and non-filterable brute force attacks must
specify some valid header fields and possibly some valid contents. For example TCP SYN attack
packets cannot vary the protocol or flag field, and HTTP flood packets must belong to an
established TCP connection and therefore cannot spoof source addresses, unless they hijack
connections from legitimate clients.
C. Classification by Attack Rate

Depending on the attack rate dynamics, we differentiate between continuous rate and variable rate attacks.
1. Continuous Rate Attacks
The majority of known attacks deploy a continuous rate mechanism. After the onset is commanded,
agent machines generate the attack packets with full force. This sudden packet flood disrupts
the victim's services quickly, and thus leads to attack detection.
2. Variable Rate Attacks
Variable rate attacks are more cautious in their engagement, and they vary the attack rate to
avoid detection and response.
Based on the rate change mechanism we differentiate between attacks with increasing rate
and fluctuating rate.
D. Classification by Impact
Depending on the impact of a DDoS attack on the victim, we differentiate between disruptive and
degrading attacks.


1. Disruptive Attacks
In disruptive attacks, the victim's service to its clients completely vanishes. All current attacks belong
to this category.

2. Degrading Attacks
The goal of degrading attacks would be to consume some (presumably constant) portion of a
victim's resources. Since these attacks do not lead to total service disruption, they could remain
undetected for a significant time period. On the other hand, damage inflicted on the victim
could be immense. For example, an attack that effectively ties up 30% of the victim's resources
would lead to denial of service to some percentage of customers during high load periods, and
possibly slower average service. Some customers, dissatisfied with the quality, would
consequently change their service provider, and the victim would thus lose income. Alternately, the
false load could result in the victim spending money to upgrade its servers and networks.


Fig 1. DOS Attacks Classification


Traffic filtering, traffic analysis and traffic monitoring are the main functions of a defense system.
There are two ways of implementing one: centralized and distributed. In a centralized defence system,
all workstations are placed at the same place. It has a higher possibility of being attacked because
fewer resources are available for defense against a DDoS attack; these resources are placed at the
victim site, and the centralized defense mechanism concentrates only on the victim node. A distributed
system overcomes the shortcomings of the centralized system. In this defence system, components are
placed at multiple places. It has less possibility of being attacked because more resources are
available for fighting these attacks. A distributed defence system can find any attacker node in the
network.
DDoS tools are discussed below. Attackers analyze the current trends in the network security field and
adjust their attacks to defeat current defense mechanisms:

1. Trinoo: This tool launches coordinated, constant-size UDP packets in bulk at the victim
machine and can launch a UDP flood against one or many IP addresses. UDP packets are also used to
target random ports on the victim machine. Trinoo does not spoof source addresses, although it can
easily be extended to include this capability.
2. Tribe Flood Network (TFN): This tool can generate UDP and ICMP echo request floods, ICMP
directed broadcast and TCP SYN floods. It can spoof source IP addresses and also randomize the target
ports. Communication between handlers and agents occurs exclusively through ICMP_ECHO_REPLY packets.
3. Stacheldraht: In this tool, the features of Trinoo and TFN are combined. Communication channels are
also encrypted. Communication is performed through Transmission Control Protocol and Internet
Control Message Protocol packets.
4. TFN2K: A variant of TFN. TFN2K traffic is difficult to recognize and filter. This tool makes use
of User Datagram Protocol, Transmission Control Protocol SYN and Internet Control Message
Protocol ECHO floods, and the attack type can be varied during the attack. This tool can forge packets
that appear to come from neighboring machines. All communication between handlers and agents is
encrypted and base-64 encoded.
5. Code Red: The Code Red worm is self-propagating malicious code that targets Microsoft IIS
servers. Synchronized attack is achieved through pre-programming.
6. Shaft: This tool uses Transmission Control Protocol, Internet Control Message Protocol or User
Datagram Protocol packets in bulk to perform the attack, and all three protocols can easily be
deployed to perform the attack. User Datagram Protocol is used for communication between agents and
handlers, and the messages exchanged are not encrypted. Shaft randomizes the source IP address
and the source port in packets. It also sends constant-size packets during the attack.
The principles are:
Rate limiting is a mechanism that limits the number of packets received from a sender. If a DDoS
attack is suspected, then this mechanism can be used. It does not incur a lot of the
This mechanism can be used to protect against IP spoofing attacks and makes it difficult for an
attacker to launch an attack using spoofed IP addresses.
In this method, we trace the forged IP packet back to the original source that was intercepted by the
attacker. Traceback can be implemented in three ways:
a) Link testing scheme
b) ICMP traceback message
c) Packet marking scheme.
This is a very simple method of defense against attack. The three-way handshake first establishes a
connection before data is shared. If the attacker spoofs the IP address during connection establishment,
then the attack can still be performed; this is the major disadvantage of this method.
In this method the attack can be prevented by using a hop-count filtering mapping table. Using that table
we can easily identify spoofed IP addresses. This mechanism is to be used at the beginning of network
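As an added illustration of the hop-count filtering principle described above (example code written for this study, not taken from the paper or any of the works it surveys), the following Python sketch learns the expected hop count for each source /24 from trusted traffic and flags packets whose TTL implies a different path length. The initial-TTL set, the /24 granularity, the tolerance and the sample packets are all assumptions.

```python
"""Hop-count filtering (HCF) sketch.

A packet's hop count is inferred from its IP TTL: the sender's OS started
with one of a few well-known initial TTLs and every router decrements it by
one.  Spoofed packets carry the forged source's address but travel the
attacker's path, so their inferred hop count usually disagrees with the
value learned for that source from traffic known to be genuine.
"""
from ipaddress import ip_address

# Assumption: common OS initial TTLs. An observed TTL t is mapped to the
# smallest initial TTL >= t; the hop count is the difference.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(observed_ttl: int):
    """Infer hops travelled from the observed TTL (None if TTL is invalid)."""
    if not 0 <= observed_ttl <= 255:
        return None
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    return None


class HopCountFilter:
    """Maps source prefixes to an expected hop count and checks new packets."""

    def __init__(self, prefix_len: int = 24, tolerance: int = 1):
        self.prefix_len = prefix_len   # aggregate sources per /24 (assumption)
        self.tolerance = tolerance     # allowed deviation for minor route changes
        self.table = {}                # prefix key -> expected hop count

    def _key(self, src_ip: str) -> int:
        return int(ip_address(src_ip)) >> (32 - self.prefix_len)

    def learn(self, src_ip: str, ttl: int) -> None:
        """Training phase: record hop counts only from traffic known to be
        genuine, e.g. sources that completed a TCP three-way handshake."""
        hc = hop_count(ttl)
        if hc is not None:
            self.table[self._key(src_ip)] = hc

    def check(self, src_ip: str, ttl: int) -> str:
        """Return 'ok', 'spoofed' or 'unknown' (no entry for this prefix yet)."""
        hc = hop_count(ttl)
        if hc is None:
            return "spoofed"           # impossible TTL value
        expected = self.table.get(self._key(src_ip))
        if expected is None:
            return "unknown"           # never seen: do not drop, only note it
        return "ok" if abs(hc - expected) <= self.tolerance else "spoofed"


def filter_packets(hcf: HopCountFilter, packets):
    """Apply the filter to (src_ip, ttl) pairs; return the ones to drop."""
    return [pkt for pkt in packets if hcf.check(*pkt) == "spoofed"]


# Constructed sample data using documentation address ranges, not real hosts.
TRUSTED = [("198.51.100.7", 52), ("192.0.2.40", 115)]   # learned from handshakes
INCOMING = [
    ("198.51.100.7", 52),   # genuine: 12 hops, as learned
    ("198.51.100.9", 53),   # same /24, one hop shorter: within tolerance
    ("198.51.100.7", 44),   # forged source: implied 20 hops, expected 12
    ("192.0.2.40", 116),    # genuine host with initial TTL 128, 12 hops
    ("203.0.113.5", 60),    # never seen before: 'unknown', not dropped
]


def demo():
    """Train on TRUSTED, then return the INCOMING packets the filter drops."""
    hcf = HopCountFilter()
    for src, ttl in TRUSTED:
        hcf.learn(src, ttl)
    return filter_packets(hcf, INCOMING)


if __name__ == "__main__":
    print(demo())   # [('198.51.100.7', 44)]
```

The tolerance exists because a genuine source whose route changed by a hop or two would otherwise be dropped; the table also needs periodic re-learning as paths shift.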
The seriousness of DDoS attacks has led to the proposal of many defense mechanisms, but a complete
solution is yet to be achieved. This is because there are certain factors that hinder the advance of DDoS
defense research. Usually, the moment a DDoS attack is detected, nothing else can be done except
disconnecting the victim from resources, because any type of reaction will need resources that have
already been consumed by the DDoS attack, so it is better to remove the victim from all resources.
After the victim is disconnected, attack source traceback and identification can be carried out. A
number of methods have been proposed for detecting and tracing back DDoS attacks. While categorizing
DDoS attack defense mechanisms there are several dimensions to keep in mind, such as the location where
the defense mechanism is deployed, the protocol level at which it works, and the time when the
mechanism is active. These categories can further be classified:
A. DDoS defense mechanisms based on deployment
This classification is based on the location where the defense mechanism is implemented. It can further be
categorized as source based, destination based and network based.
1) Source based: Here the mechanisms are deployed near the sources of the attack. These mechanisms
basically focus on restricting network customers from generating DDoS attacks. There are various
source based mechanisms; some major ones are: Ingress/Egress filtering at the source's edge
router. These techniques are proposed to detect packets with spoofed IP addresses at the source's edge
a. D-WARD: D-WARD is a DDoS defense system deployed at source-end networks that autonomously
detects and stops attacks originating from these networks.
b. MULTOPS: Multi-level tree for online packets statistics as abbreviated MULTOPS is a group of
nodes in form of tree structure that contains packet rate statistics. The changes in packet rates
are shown by dynamically adapting the shapes. MULTOPS is used by networks at source subnet to
detect DDOS flooding attacks.
c. MANAnets reverse firewall: Reverse firewall works in a different way from a traditional firewall.
It limits the rate at which it forwards the packets which are not replies.
2) Destination based: Under this category, mechanisms are deployed near the victim, i.e. either at the
edge router or the access router of the destination.
a. IP Traceback mechanisms: A technique to identify the origin of the spoofed user is known as the
IP Traceback.
b. Packet marking and filtering mechanisms: In this scheme, legitimate packets are marked so that
at the victims side, a difference can be made between legitimate and attack packets. There are
several ways to implement these mechanisms. For example, history based IP filtering, Hop-count
filtering, Path identifier, packet dropping based on the level of congestion.
3) Network based :These mechanisms are mainly deployed inside networks and on the routers of the
autonomous Systems. Some of the network based defense mechanisms are route based packet filtering,
detecting and filtering malicious routers etc.
B. DDoS defense mechanisms based on protocol
Under this category the defense mechanisms can be classified as mechanisms to defend against
TCP/network level DDoS attacks and mechanisms to defend against application level DDoS attacks.

1) TCP: These types of mechanisms are basically deployed to defend against DDoS attacks where TCP
protocol is exploited. Some of the common defenses are:
a. Filtering: The filtering techniques represent the best current practices for packet filtering based
on IP addresses.
b. Increasing Backlog: This technique focuses on use of large backlogs so that in case TCB buffers
are exhausted, backlogs can be used.
c. Reducing SYN-RECEIVED Timer: Another quickly implementable defense is shortening the
timeout period between receiving a SYN and reaping the created TCB for lack of progress. A
shorter timer will keep bogus connection attempts from persisting for as long in the backlog and
thus free up space for legitimate connections sooner.
d. Recycling the Oldest Half-Open TCB: Once the entire backlog is exhausted, some implementations
allow incoming SYNs to overwrite the oldest half-open TCB entry. This works under the
assumption that legitimate connections can be fully established in less time than the backlog can
be filled by incoming attack SYNs.
e. SYN Cache: Here the server node has a global hash table to keep half-open states of all
applications, while in the original TCP these are stored in the backlog queue provided for each
application. As a result, the node can have a larger number of half-open states and the impact of a
SYN flood attack can be reduced.
f. SYN Cookies: SYN cookies modify the TCP protocol handling of the server by delaying allocation
of resources until the client address has been verified. This technique is used to guard against SYN
flood attacks. The use of SYN Cookies allows a server to avoid dropping connections when the
SYN queue fills up. Instead, the server behaves as if the SYN queue had been enlarged. The server
sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry. If
the server then receives a subsequent ACK response from the client, the server is able to
reconstruct the SYN queue entry using information encoded in the TCP sequence number.
g. Hybrid Approaches: The SYN cache and SYN cookie techniques can be combined. For example, in
the event that the cache becomes full, then SYN cookies can be sent instead of purging cache
entries upon the arrival of new SYNs. Such hybrid approaches may provide a strong combination
of the positive aspects of each approach.
h. Firewalls and Proxies: Firewalls have simple rules such as to allow or deny protocols, ports or IP
addresses. Some DDoS attacks are too complex for today's firewalls, e.g. if there is an attack on
port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good
traffic from DDoS attack traffic. Additionally, firewalls are too deep in the network hierarchy. The
router may be affected even before the firewall gets the traffic. Nonetheless, firewalls can
effectively prevent users from launching simple flooding type attacks from machines behind the
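To make the SYN cookie mechanism in item f concrete, here is an added Python model of the classic 32-bit cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash of the connection 4-tuple); it is example code written for this page, not kernel code or code from the paper. The secret key, the MSS table, the counter period and the addresses are constructed assumptions.

```python
"""SYN cookie model: the server encodes what it would have stored in the
half-open connection entry into its initial sequence number, so a SYN
costs no memory. When the client's ACK arrives, the cookie (ISN) is
recovered as ACK-1 and validated before any state is allocated."""
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"   # assumption: per-boot random key
MSS_TABLE = (536, 1300, 1440, 1460)          # assumption: encodable MSS values
COUNTER_PERIOD = 64                          # seconds per time-counter tick
MAX_AGE_TICKS = 3                            # reject cookies older than ~4 min


def _mac24(src_ip, src_port, dst_ip, dst_port, count):
    """24-bit keyed hash binding the cookie to the 4-tuple and time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{count}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Initial sequence number for the SYN+ACK; nothing is stored for the SYN."""
    count = (now // COUNTER_PERIOD) & 0x1F                   # top 5 bits
    # largest table MSS not exceeding what the client advertised
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss),
                  default=0)                                  # next 3 bits
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, count)   # low 24 bits
    return (count << 27) | (mss_idx << 24) | mac


def check_syn_cookie(ack_num, src_ip, src_port, dst_ip, dst_port, now):
    """Validate the third handshake step. Returns the MSS to use for the new
    connection, or None if the cookie is stale, forged, or for another 4-tuple."""
    cookie = (ack_num - 1) & 0xFFFFFFFF        # client acknowledges ISN + 1
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    now_count = (now // COUNTER_PERIOD) & 0x1F
    if (now_count - count) & 0x1F > MAX_AGE_TICKS:
        return None                            # stale or replayed cookie
    if mss_idx >= len(MSS_TABLE):
        return None                            # index outside the table
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, count)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                            # forged or wrong 4-tuple
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """Constructed exchange: SYN at t=100000, genuine ACK 30 s later."""
    client, server = ("198.51.100.7", 40000), ("203.0.113.5", 80)
    isn = make_syn_cookie(*client, *server, 1460, 100000)
    genuine = check_syn_cookie((isn + 1) & 0xFFFFFFFF, *client, *server, 100030)
    # an ACK that arrives 5 counter ticks later is refused even though valid
    stale = check_syn_cookie((isn + 1) & 0xFFFFFFFF, *client, *server, 100320)
    return genuine, stale
```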
2) IP level defense mechanisms: These defense mechanisms are used as countermeasures to IP-level DDoS
The following are some such defense mechanisms.
a. SIP defender: VoIP Defender is an open security architecture designed to monitor the traffic
flow between SIP servers and external users and proxies. The goal is to detect attacks directed at
the protected SIP server and to provide a framework for attack prevention/mitigation.
b. Push back: Pushback is a mechanism for defending against distributed denial-of-service (DDoS)
attacks at IP level. It is a mechanism that allows a router to request adjacent upstream routers to
limit the rate of traffic.

c. Puzzle based approaches: In this defense mechanism cryptographic puzzles are used as a
countermeasure to low level denial of service attacks such as IP-layer flooding.
3) Application level defense mechanisms: These defense mechanisms are implemented to defend against
application level attacks. An HTTP level attack is more difficult to trace because of its legitimate-looking
behavior, and the amount of traffic needed to carry out an application level DDoS attack is much less
than that needed for a TCP or IP level DDoS attack. That is why the techniques used to detect TCP or IP
level DDoS attacks are incapable of detecting application level DDoS attacks. Application level defense
mechanisms can be:
a. Mitigation on the page access behavior: On the basis of page access behavior, HTTP-flooding can
be defended.
b. DDOS shield: Here statistical methods are used to detect HTTP level DDOS attacks.
c. Defense against tilt DDoS attacks: This monitors a user's features (e.g. request volume, instant
and long-term behavior) throughout a connection session to determine whether the user is malicious
or not.
C. DDoS defense mechanisms based on time of action
Based on the time of action, defense mechanisms can be of the following types:
1) Before the attack: These mechanisms are basically deployed to prevent the attack from
happening. Most of these mechanisms are focused on fixing bugs such as protocol exploits, system
vulnerabilities etc. There are many mechanisms mentioned in.
2) During the attack: After prevention, the next step is to detect the attack. Mechanisms in this
category are deployed to detect the attack when it happens. There are various methods to detect the
attack; IDPS systems or firewalls can be used under this category.
3) After the attack: These mechanisms are deployed to act once the DDoS attack is detected and to trace
back the source of the attack.
With the help of this paper, we have studied several DoS attack types and various defence
mechanisms. We have also discussed several DDoS tools. This study will help security professionals to
analyze which tool can be used for a particular type of attack, and the defense principles will also help
security professionals to come up with robust security solutions.

Divya Kuriakose, A Survey on DDoS Attacks and Approaches.
Rajkumar, Manisha & Jitendra Nene, A Survey on Latest DoS
Mehmud Abliz, Internet Denial of Service Attacks and Defense Mechanisms.
Rajeshwari S., Malathi & Regina B., A Survey on Characterization of Defense Mechanisms in DDOS Attacks: Classification and Defense
Jelena Mirkovic & Peter Reiher, A Taxonomy of DDoS Attack and DDoS Defense Mechanisms.
Christos Douligeris, Aikaterini Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art.
Mohd. Jameel Hashmi, Manish Saxena and Dr. Rajesh Saini, Classification of DDoS Attacks and their Defense Techniques using Intrusion Prevention System.
The denial-of-service aftermath, (2000).
VeriSign. (2009, April 11) DDoS Protection Services, Network Intelligence [online].
Khaled M. Elleithy, Denial of Service Attack Techniques: Analysis, Imp. & comp.
Jelena Mirkovic, Janice Martin and Peter Reiher, A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms.
Seema Gulati, Mitigating ROQ Attacks using Flow Monitoring Method.
H. Garantla, Evaluation of Firewall Effects on Network Performance.
Arshey M., Prevention Strategies and Network Intrusion Prevention Techniques for
Gayatri Bhatti, A Meliorated Defense Mechanism for Flooding Based Attacks.
Neha Titarmare, DDOS Detection using Attack Model.
Jack Myers, Modeling DDoS Attacks with IP Spoofing and Hop-Count Defense Measure Using OPNET Modeler.