Вы находитесь на странице: 1из 10

An Integrated Approach for Defending Against

Distributed Denial-of-Service (DDoS)



Distributed denial-of-service (DDoS) is scenario and often represents adetailed

an increasingly worrying threat to description of exactly how this attack
availability of Internet resources.DDoS works and why is it hard to cope with
Attacks have recently emerged as one of today. It discusses various defense principles
the most newsworthy, if not the greatest and challenges encountered. In the later
weaknesses of the Internet. The variety sections the modus operandi of the attacks
and number of both attacks and defense and its classification is explained .Finally
approaches are overwhelming. research issues in DDoS are highlighted
This paper attempts to explain and in the long term picture , an integrated
how they work, why they are hard to approach to the DDoS problem is proposed
combat today what will need to happen that will bring this class old problem under

if they are to be brought under control.. control , if not eliminate it entirely.

This paper ntroduces DDoS in the current

Thus a better understanding of
the problem, current solution space
and future scope are provided.


1. Abstract
2. Introduction
3. DDOS Overview
4. Defence Principles and Challenges
5. Attack:modus operandi
6. Classification of DDOS Attacks
7. Integrated Approach to combat DDOS
8. Conclusion
9. References
INTRODUCTION: information thefts. Even some of the
largest computer makers and the web-
Distributed denial-of-service(DDoS), is based service providers are not immune
a relatively simple, yet very powerful from this problem.[1] &[3]
technique to attack Internet resources.
With little or no advance warning , a
DDoS attack can abruptly drain
the computing and communication
resources of its victim within a short
time,until the attack is resolved or in
some cases slowly eat up the resources
with out being noticed. Thus these
disruptive or degrading attack flows
often lead to complete shutdowns of
Internet resources or at least cause
performance degradations.As per the
recen t survey conducted by FBI/CSI,
Douligeris et al. [4], Chen et al. [5],
these attacks are second most dreadful
and Mircovik et al. [6] have reviewed
attacks in terms of revenue losses after
various DDoS attack, and the defense solve DDoS problem. Section 9 finally
methods. Douligeris et al. [4] have concludes the paper.
highlighted architecture of DDoS attack,
Popular DDoS attacks & attack tools,
and provided technical classification
of attack defense methods.Chen et al. Open and best effort architecture of

[5]compared different attack detection Internet which made it so popular

algorithms on the basis of Granularity actually provides an opportunity for

of detection used, Network information dearthof attacks.Moreover intelligence

monitored, specific characteristics of asymmetry, IP spoofing, limited no.of

attack traffic, source of false positives resources, and distributed control

and limitations.They also characterized encourage attackers to launch attacks

various DoS efenses in terms ofresponse without being caught.

generation, response mechanism ,and

decision communication protocol used,
and overheads. Mircovik eal. [6] gave
good direction for DDoS research by
providing comprehensive taxonomies
of attack and defense mechanisms.
Moreover they critically brought the
forward weaknesses of various DDoS
defense classes which are useful for
future work in DDoS.The remainder
of this paper is organized as follows. Fig. 1. Packets drop under DDoS attack
Section II gives overview of DDoS.
Section III discusses the defense
Zombies and are collectively called bots
principles and the challenges. In
and the attack network is called botnet in
Section IV Attack: Modus Operandi
the hacker ’s community. The zombie
is presented. Section V provides
machines under control of handlers as
classification of DDoS attacks.
shown in Fig. 1 send attack packets
Section VI highlights research issues in
which converge at victim or its network
DDoS defense approaches.Se ction VII
to exhaust either its communication
proposes an integrated approach to
or computational resources. DDoS is
basically a resource overloading problem legitimate traffic. Traceback aims
.The resource can be bandwidth, the to locate the attack sources
memory,CPU cycles, file descriptors and regardless of the spoofed source IP
buffers etc. addresses in either process of attack

The attackers bombard scare resource (active) or after the attack (passive).

either by flood of packets or a single Tolerance and mitigation aims to

logic packet which can activate a eliminate or curtail the effects of an

series of processes to exhaust the attack and try to maximize the

limited resource. Here in the Fig.1 qualityof services (QoS) under

packets drop due to congested access attack.

link in victim network and buffer

overflow at victim due to large DEFENSE PRINCIPLES AND
number ofrequests are depicted.There CHALLENGES:
are four approaches to combat with Robinson et al. [7] have
DDoS menace as proposed by recommended five principles for
Douligeris et al. [4]: Prevention, designing effective DDoS defense
Detection and Characterization, mechanism. As DDoS is a distributed
Traceback, and Tolerance & attack and because of high volume
Mitigation. Attack prevention aims and rate of attack packets distributed
to fix security holes, such as instead of centralized defense is the
insecure protocols, weak first principle of DDoS defense.
authentication schemes and Secondly,High Normal Packet
vulnerable computer systems, Survival Ratio (NPSR) hence less
which can be used as collateral damage is the prime
stepping stones to launch a DoS requirement for a DDoS defense.
attack. This approach aims to
Third, a DDoS defense method
improve the global security level and
should provide secure
is the best solution to DoS attacks in
communication for control
theory. Attack detection aims to
messages in terms of
detect DDoS attacks in the
confidentiality, authentication of
process of an attack and
sources, integrity and freshness of
characterization helps to
exchanged messages between
discriminate attack traffic from
defense nodes. Fourth, a partially
and incrementally deployable Operating systems and network
defense model is successful as there protocols are developed with out
is no centralized control for applying security engineering which
autonomous systems (AS) in in result provide hackers a lot of
Internet. Fifth, a defense system insecure machines on Internet. These
must take into account future insecure/unpatched machines are used
compatibility issues such as by DDoS attackers as their army to
interfacing with other systems and launch attack as attacker gradually
negotiating different defense implants attack programs on these
policies. However with the insecure machines. Depending upon
present technology, development sophistication in logic of implanted
and implementation of a DDoS programs these compromised machines
defense model which can satisfy are called Handlers or Zombies and are
all of these defense principles in collectively called bots and the attack
general is very difficult in practice network is called botnet in hacker’s
due to several challenges such as : a) community. As shown in Fig. 2, the
Large number of unwitting zombie machines under the control
participants b) No common of handlers send attack packets
characteristics of DDoS streams c) which converge at victim or its n/w
Use of legitimate traffic models by to exhaust either its communication or
attackers d) No administrative computational resources.
domain cooperation e) Automated
tools f) Hidden identity of
participants g) Persistent security
holes on the Internet h) Lack of
attack information i)Absence of
standardized evaluation and
testing approaches.


Although the attacks shown in Fig. protocols by zombie machines for
2 are already existing but their not obeying CONGWIN and
classification is not included in [4] & RECWND setting at sending hosts.
[6]. In order DDoS Attack Types
to defeat aggregate based defense, 1
attackers try to distribute attack 2

traffic uniformly throughout all Isotropic 3 4 Control

ingress points of attacked Non Isotopic Data

autonomous system. This is

called isotropic distribution of
TCP UDP ICMP congestion flow
attack traffic whereas if attack
traffic is aggregated in certain parts
of Internet more then it called Non- 1.Attack Traffic Distribution
isotropic distribution of attack 2. Attack Packets Used
traffic. On the other hand network
3.Protocol Used
protocols based classification of
4.Protocol Modification
DDoS attacks basically divide DDoS
attacks into TCP,UDP,and ICMP
protocols as for semantic and brute INTEGRATEDAPPROAC
force attacks either of these H TO COMBAT DDOS:
protocol packets are used. Third
classification is on the basis of Already work done in DDoS
attackpacketsused. Semantic DDoS defense has concentrated either
attacks are normally launched with individually on the Prevention,
control packets like TCP SYN, Detection & Characterization,
TCP FIN, ICMP echo packets Tracing, and Filtering / Rate
whereas for launching brute force limiting or in groups likethe
DDoS attacks control as Detection & Characterization
well as data packets like HTTP, with filtering,and tracing with
FTP (involving TCP), UDP, and filtering/ rate limiting.
ICMP bogus packets can be So there is no other technique
used. Lastly classification is done Where integration of all the
on the basis of change in open source Four approaches is available.
code of congestion or flow control However if we see issues and
challenges as well as NPSR of All well known signatures based and
current defense techniques under broadcast based attacks can be
varied attacks, we can say that stopped at edges of an ISP using
onlyawellthough the integrated higher layer headers to help
solution can completely eliminate preserve bandwidth wasted in the
this problem in the long run for core as traditionally firewalls are
safer and QoS based E-business placed near victim. Then our
on Internet. detection nodes after finding signs
We propose to give an ISP of attack try to characterize the
level integrated solution consisting attack
of four modules: (a) Prevent (b) packets. Once characterization is done
Detect & Characterize (c) Trace then depending upon network/server
back (d) Filter or Rate limit. A based attack, an appropriate
highlevel function diagram is controller is chosen which can send
given below: secured control messages to edge
routers even under attack. Control
messages include attack signatures
and rate limits for particular attack
signatures. Attack signatures help to
traceback ingress edges of ISP from
where attack traffic enters and rate
limits attack at edges. An adaptive
rate limiting after considering
of attack traffic filtered at edges,
arrival rate of traffic, processing
capacity left of server and strength
of attack detection and
Fig.4.Higher Level functional characterization provided by detect
diagram for DDoS defense and appropriate values of rate limits
to apply at edges of an ISP. So by
As shown in Fig. 4, prevention is this initially if we are not able to
first module thatinteracts with properly characterize then also
attack as well as legitimate traffic. minimal NPSR will be maintained
and after sufficient collection of attack: Modus Operadi, classification
attack traffic for better of DDoS attacks ,defense principles
characterization, adaptive rate and challenges are presented in
limiting can fully protect our ISP and this paper.Potential research issues are
servers. also highlighted and we propose
Various defense principles being an ISP level integrated approach
satisfied by our proposed approach are to combat.DDoS menace.
explained below:

 Prevention, detection and

tracingmodules are to be loaded at
edges routers so a distributed defense
and not centralized.
 Initially when the attack
is detected but not characterized
properly in that stage tolerance
module helps in providing the
some service to legitimate clients .
As strength of the characterization
increases with time more limiting of
attack traffic hence better NPSR is
made possible.
 For tracing ,detection , and
rate limiting secure controlled
messages are to be exchanged
which have perfect blend of security
and the minimum possible overheads.
 Attack signature generated
will be as per the standard
signature notification protocols so that
our model can interact with others.

An overview of DDoS problem,

REFERENCES:-  P.Ferguson and

D.Senie,”Network ingress
 DDoS attacks block Microsoft filtering Defeating denial of
web sites,CNN Headline service attacks which employ
News,Jan 26,2001. IP source address spooting”
 D.Feinsten,D.Schnackenberg,” RFC 2267,the Internet
statistical approaches to DDoS Engineering Task
Approaches to DDoS Attack Force(IETF),1998.
Detection and
response,:Processings of the
 “DDoS attacks “ on yahoo

k,E-Trade,CNN Headline