Академический Документы
Профессиональный Документы
Культура Документы
1Review
2On Distributed Denial of Service Current
3Defense Schemes
9 Abstract: Distributed Denial of Service (DDoS) attacks are a major threat to any network-based
10 service provider. The ability of an attacker to harness the power of a lot of compromised devices to
11 launch an attack makes it even more complex to handle. This complexity can increase even more
12 when several attackers coordinate to launch an attack on one victim. Moreover, attackers these
13 days do not need to be highly skilled to perpetrate an attack. Tools for orchestrating an attack can
14 easily be found online and require little to no knowledge about attack scripts to initiate an attack.
15 Studies have been done severally to develop defense mechanisms to detect and defend against
16 DDoS attacks. As defense schemes are designed and developed, attackers are also on the move to
17 evade these defense mechanisms and so there is a need for a continual study in developing
18 defense mechanisms. This paper discusses the current DDoS defense mechanisms, their strengths
19 and weaknesses. We also present an algorithm to defend against TCP, UDP and ICMP flooding
20 attacks.
231. Introduction
24 As of December 2017, it was estimated that the number of internet users was over 4 billion
25with a user growth of over 1000% within the past 18 years [1]. With the increase in dependability of
26the internet comes with it an important challenge: data availability. Data availability is a key
27requirement for a network system to be considered secure.
28 Distributed Denial of Service attacks are intentional attempts by malicious users to disrupt or
29degrade the quality of a network or service [2]. These attacks involve a number of compromised
30connected online devices, known as a botnet [3]. The use of botnets makes it easier for attackers to
31launch massive attacks due to the fact that they harness the power of a lot of devices for an attack.
32Attacks involving botnets also make it difficult to determine the exact source of the attack.
33Differentiating between flash crowds also poses a major challenge. Spoofed source addresses to
34hide source addresses make it even more difficult. These attacks have been around for several years,
35but in recent years, the scale of attacks have increased drastically. On 28th February 2018, Akamai
36reported a 1.3Tbps attack on GitHub [4]. A few days later, Arbor Networks reported a 1.7Tbps
37attack [5]. With attacks like these, there is the need to develop robust defense schemes to protect
38internet networks and services. In this paper we present current mechanisms for defending against
39DDoS attacks. We categorize these defense mechanisms according to the main functions they
40perform. We discuss their strengths and weaknesses and make some comparisons among them.
41This will help researchers further improve the current defense mechanisms for practical application.
42We also present an algorithm to defend against TCP, UDP and ICMP flooding-based attacks.
43 The rest of the paper is organized as follows: related surveys are presented in Section 2, Section
443 gives the criteria for papers included in this review, Section 4 describes DDoS attacks, Section 5
45presents the reviewed mechanisms to defend against attacks, Section 6 discusses and compares the
46mechanisms and Section 7 presents our algorithm and Section 8 concludes the paper.
96 In our paper, we present a taxonomy of DDoS attacks in the network layer and application
97layer. We categorize state of the art defense mechanisms based on the function they perform, that is,
98detection only, traceback only, mitigation only and detection and mitigation mechanisms. We
99discuss the defense mechanisms reviewed into detail and compare them fairly using performance
100metrics affecting the effectiveness of a defense solution whilst giving recommendations for future
101research.
120
6
7Technologies 2018, 6, x FOR PEER REVIEW 4 of 32
121
122 Figure 1. Simplified Attack Network.
123 A denial of service (DoS) attack is an attack in which an attacker seeks to overload a system to
124prevent the system from serving legitimate requests. DoS attacks are relatively simple and
125unsophisticated, involving just a single attacker. DoS attacks are easier to detect and defend against.
126Distributed DoS however, is a more sophisticated form of DoS. DDoS attacks involve a single
127attacker or multiple attackers, commandeering a large number of compromised devices (zombies or
128bots), which are collectively known as a botnet, to launch a denial of service attack on a target
129system (victim). Traffic originating from different sources makes it difficult to detect and defend
130against. Most attackers craft their attack traffic to look legitimate and may use spoofed addresses to
131launch the attacks, which make it more difficult to combat.
132 A DDoS attack is normally launched in two major phases. The attacker first builds the botnet
133by targeting poorly secured devices over the internet. DDoS attack programs are then installed on
134these devices. These zombies also scan for poorly secured devices and compromise them as well,
135building a large botnet. The second phase is launching the attack itself. Large volumes of traffic are
136generated by the zombies and are forwarded to the target system to overload it. The distributed
137nature of the source of traffic make it nearly impossible to distinguish from legitimate traffic.
138 Earlier, attackers had to perform each step of the attack manually. This meant an attacker
139needed to have a lot of information about the target system and also had to be very skillful to be
140able to launch an attack. In recent years however, DDoS attack tools have been developed and are
141available on the internet for download freely or for a little amount of money [13,14]. Such tools can
142be used by even the least skillful attacker. They do not require an attacker to understand much
143about the target system or even how the attack is perpetrated. Botnets can also be hired on the
144internet for very low amounts of money. These have made it easier for people to perpetrate attacks
145[15].
146 DDoS attacks can be classified under many categories. In this paper, attacks are classified
147under two broad headings: network/transport layer attacks and application layer attacks.
148Network/transport layer: Network/transport layer attacks are targeted at the network or transport
149layer. They are more common due to the ease of initiating them. We discuss a few of these attacks
150here.
151
152TCP SYN flooding: With the TCP (Transmission Control Protocol) SYN flooding attack, the attacker
153exploits the connection-oriented nature of TCP. A flood of packets is sent to the victim requesting
154connection without completing the TCP handshake. This leaves many half-open connections in the
155victim’s connection state memory, denying legitimate users from connecting [16].
156
157UDP flooding: With the UDP (User Datagram Protocol) attack, a large stream of UDP packets is sent
158to the victim, creating a congestion on the victim’s network [17].
8
9Technologies 2018, 6, x FOR PEER REVIEW 5 of 32
159
160ICMP Smurf: With this attack, the attacker spoofs the victim’s IP address as the source address to
161broadcast a large number of ICMP (Internet Control Message Protocol) packets on a network using
162an IP (Internet Protocol) broadcast address. The resultant response from devices on the network is a
163very large number of packets destined for the victim [18].
164
165Ping of Death: The attacker in a Ping of Death attack tries to crash a victim server by sending
166malformed or oversized packets with the ping command. Packets are fragmented and sent and
167when reassembled by the victim, end up with an oversized packet (packets larger than 65,535 bytes,
168which is the maximum size of a ping packet). A variation of this attack is the ping flood in which
169the attacker sends numerous ICMP packets in a ping command without waiting for a reply [19].
170
171Application layer: Application layer attacks target the application layer. They tend to disrupt
172operation of a specific application or server to prevent legitimate users from having access to it. We
173discuss some of these attacks here.
174
175DNS Amplification: Attacks of this nature rely on public DNS (Domain Name System) servers and a
176vulnerability in DNS server which makes them reply small queries with a large payload to flood a
177victim. The attacker sends queries with the victim’s IP address as the source and the much larger
178response is directed to the victim. Botnets are used to scale up the impact of the attack [20].
179
180HTTP fragmentation attack: With the HTTP (HyperText Transfer Protocol) fragmentation attack, the
181attacker establishes a connection with the victim server and sends traffic in fragments as slowly as
182possible. This causes the servers to maintain longer sessions as they wait to receive traffic from the
183attacker [6].
10
11Technologies 2018, 6, x FOR PEER REVIEW 6 of 32
205
206
207 Figure 2. Operation of algorithm in flow router [21].
208 Figure 2 depicts the operation of a flow router. When a flow router receives a packet, it takes
209the 5-tuple and calculates a hash key. The 5-tuple consists of the source and destination IP
210addresses, source and destination ports, and protocol in use. If the packet flow is a new one, the
211destination is checked by the algorithm. If it is not to the protected server, it is forwarded normally.
212If it is to the protected server, the system consults the pseudo state machine and inserts an entry for
213the new flow in the flow table. Once there is a flow entry for the flow in the table, the pseudo state
214machine checks if the flow is attack traffic. If the flow does not follow the procedure stated in the
215pseudo state machine, it is considered to be malicious. Appropriate actions can then be taken to
216stop the attack.
217 Though it works well against TCP, UDP and HTTP attacks, the bidirectional hashing algorithm
218used in SDM-P is computational expensive and uses more memory for the hash generation and
219creation of the hash tables. It may perform poorly in the presence of a huge attack.
12
13Technologies 2018, 6, x FOR PEER REVIEW 7 of 32
236
237
238 Figure 3. MOD scheme architecture [25].
239 Figure 3 shows the architecture and workflow of the DDPM scheme. When there is a sudden
240increase in network flow volume, the attack detector requests for an ID for the flow (1). The MOD
241server gives out the ID and stores information (source IP, timestamp) related to the ID given out in
242its database (2). The gateway embeds the ID into the header of the packets. A source IP query is sent
243to the MOD server with the ID if an attack is confirmed by the victim (3). The MOD server replies
244with the source IP address of the attacker(s) (4).
14
15Technologies 2018, 6, x FOR PEER REVIEW 8 of 32
245 According to the authors, this scheme is more scalable than traditional DPMs, however it has
246some limitations.
247 Since the whole system hinges on the performance of the MOD server, it can easily
248 be an attack target. Once it is knocked down, the entire system will fail.
249 Also, because of the amount of data the MOD server’s database will handle, it
250 reduces the speed of the network when information is being retrieved by the victim.
251 Network Address Translation (NAT) techniques enable IP address sharing. To
252 traceback to a specific source, the related MAC (Media Access Control) addresses have to
253 be included in the MOD database, which increases the information stored in the database.
254 Related to this work are [26-28].
255 The authors in [26] proposed a deterministic packet marking method. With this method, the
256packet source router divides its IP address in two (16bits each) and embeds it in two packets to
257enable the victim trace the source router of the packet. The fragment ID (16bits) and reserved flag
258(1bit) are used in marking the packet. In [27], the authors bettered the marking scheme used in and
259the authors in [28] proposed a flexible marking scheme, which varied the length of the marking ID
260depending on the network protocols in operation by including the type of service (TOS) field (8bits)
261in the marking process. Compared with related works, the DDPM is scalable and uses lower
262storage for IDs.
16
17Technologies 2018, 6, x FOR PEER REVIEW 9 of 32
294this will have an impact on legitimate connections. Also, attacks which area orchestrated to look
295like legitimate traffic will not be detected by the system.
296 Figure 4 shows a sample network with locations of the TDFA modules. The legitimate hosts
297are represented with ‘Hx’, the TA module communicates with the PF modules on the edge routers
298of the attack networks.
299 The TDFA system is capable of mitigating attacks from the source end, ensuring the victim
300does not feel the impact of the attack much before mitigation. However, it requires cooperation
301from all the edge routers in the network, a scenario which might be difficult to achieve in a large
302network.
303 [31-33] are some works related to TDFA.
304The authors in [31] proposed a defense system to rely only on the edge router for traceback and
305packet filtering. This system however can easily be defeated if the attack is from different sources
306spread across the internet. In [32] and [33], the authors proposed a path identification approach
307which places a path fingerprint in every packet. This method fails if the victim’s bandwidth is
308consumed by an attack since they only rely on packet filtering at the victim end.
309
18
19Technologies 2018, 6, x FOR PEER REVIEW 10 of 32
310
311 Figure 4. Sample module placement in a network [29].
320
20
21Technologies 2018, 6, x FOR PEER REVIEW 11 of 32
321
322 Figure 5. System architecture [34]
323
324 The scheme assumes that source IP addresses are not spoofed. During detection, the detection
325unit captures incoming packets within a time window and checks them against a blacklist to
326determine if their source addresses have been blacklisted. If the source is blacklisted, the packet is
327sent to the prevention unit without any further processing. If the source is not blacklisted, the
328packet is directed through a classifier to determine whether the packet is legitimate or malicious. A
329packet is considered malicious if its source requests to connect to the same destination more
330frequently than a set threshold. Legitimate packets are forwarded to their destination and malicious
331ones are forwarded to the prevention unit.
332The prevention unit has three main functions; it sends a signal to the system administrator of the
333attack, then adds the source address to the blacklist if it does not already exist in the blacklist, and
334finally drops the packet. Evaluation of the system was performed under single and multiple source
335attack scenarios and was found to be consistent, with 97 percent and 94 percent accuracy
336respectively. However, the system might be ineffective in an attack which involves a large botnet,
337with each device having a different IP address and sending requests below the connection requests
338threshold.
22
23Technologies 2018, 6, x FOR PEER REVIEW 12 of 32
346
347
348 Figure 6. System architecture and flow [36].
349 The head-end sensor, known as the Abnormal Traffic Detection Module (ATDM) tracks the
350amount of HTTP ‘Get’ requests per second. Based on the previous amount, the next amount can be
351predicted using the Kalman filter. The deviation between the predicted value and the actual value is
352compared with a set threshold and an abnormal event is reported if the deviation surpasses the
353threshold. The ATDM then sends an ‘ATTENTION’ signal to the detection module.
354 The detection module, known as DDoS attack detection module (DADM) runs only when it
355receives the ‘ATTENTION’ signal. The DADM is works with four variations of attack traffic:
356 1. Repeated Request AL-DDoS attack traffic: this attack traffic is directed towards the
357 homepage or a ‘hot’ webpage.
358 2. Recursive Request AL-DDoS Attack traffic: attack traffic is scattered over different web
359 pages.
360 3. Repeated Workload AL-DDoS Attack traffic: similar to the repeated request attack but
361 employs less bots in attack which continually send large image or database searching
362 operations requests.
363 4. Flash Crowds: this describes a surge in visits to a website, mostly after the announcement
364 of a new service or free software download.
365 The DADM traces each source address and requested webpage and records in the RFV the
366average frequencies. The current record is compared with a presumed normal record to determine
367if the type of traffic it is most likely to be using the distribution of the sources and destinations.
368Entropy is calculated and traffic is distinguished between attack traffic and flash crowds. Flash
369crowds usually have smaller ratio of entropy values.
370 The Filter Module (FM) receives malicious source IP addresses and stops the attack. A Bloom
371Filter [37] is used to filter traffic from the attack IP addresses.
372 A few limitations and open issues were discussed by the authors:
373 1. The autoregressive (AR) model does not present HTTP ‘Get’ traffic accurately and is used
374 because of its simplicity.
375 2. Attackers may be able to avoid detection by the system by increasing attack traffic slowly
376 until it surpasses the threshold.
24
25Technologies 2018, 6, x FOR PEER REVIEW 13 of 32
377 3. The proposed system and method incorporates many variables and parameters whose
378 optimized values may take time to determine.
379 4. Bloom Filters in the FM need to be reset after an attack since bots used in an attack may be
380 recovered by the legitimate users.
399
400The DaMask system enables individual defense mechanisms to be applied to individual user spaces
401in the cloud without affecting other users and also periodically updates itself to address the issues
402associated with dataset shift. However, it introduces some communication overhead and requires a
403few changes to the cloud service architecture.
26
27Technologies 2018, 6, x FOR PEER REVIEW 14 of 32
404
405 Figure 7. System workflow [38].
406
28
29Technologies 2018, 6, x FOR PEER REVIEW 15 of 32
414
415
416 Figure 8. RADAR Architecture [39].
417 The RADAR collector obtains rules, both static and dynamic, to extract information of
418suspicious flows and keeps them in the controller to enable the RADAR detector to be able to
419identify if there is an attack and also the RADAR locator to determine which flows contain the
420attacking traffic. It only extracts information about the flow when the flow is suspicious, that is,
421anomalies are detected in the flow.
422 The RADAR detector is alerted by the collector and identifies attacks using correlative analysis
423of the patterns of the anomalous flows received from different switches. It is able to detect which
424paths carry attack traffic. It then signals the locator to accurately locate the attack traffic.
425 The RADAR locator uses an adaptive correlation analysis of the changes of flow statistics on
426each path and victim as detected by the detector. Traffic is tagged attack if the locator detects the
427rate of statistic change is consistent with aggregated flows on the victim link. The attack traffic is
428identified and extracts the source and destination addresses and attack traffic is blocked.
30
31Technologies 2018, 6, x FOR PEER REVIEW 16 of 32
429 RADAR performance evaluation was conducted by the authors using both real hardware and
430simulation [40,41]. An advantage of the system is that it does not require specialized switches, it
431works with off-the-shelf SDN switches. However, in the presence of a large attack, communication
432overheads can increase greatly due to the number of flow rules being used.
433 Closely related to the work done the authors of RADAR are [42-44].
434 In [42], the authors proposed a traffic-engineering model to track traffic source rate change but
435requires major changes in the SDN switches and detects only link flooding. Lee et al. [43] proposed
436a collaborative traffic-engineering model to differentiate between low-rate attacks and legitimate
437traffic. In [44], the authors presented a traffic-engineering based analytical framework for defending
438link-flooding attacks.
447
32
33Technologies 2018, 6, x FOR PEER REVIEW 17 of 32
448
449 Figure 9. Workflow and components [45].
450 The attack detection trigger module controls the launching of the detection module. It uses the
451packet_in abnormal detection algorithm message which is available only in SDN. The message
452contains relevant information about the id of the switch and the reason why the packet is being sent
453to the controller.
454 The attack detection module is made up of a neural network model training stage and the real-
455time detection stage. It takes advantage of neural networks to differentiate legitimate traffic from
456malicious ones. Certain information of a flow is taken by the controller and the eigen values are
457taken and sent to the neural network for classification, whether it is legitimate or malicious. The
458Back Propagation Neural Network (BPNN) [46] is used to classify traffic flow accordingly. The
459neural network is trained at start-up using previously obtained extracted features. In the real-time
460detection stage, flow statistic messages about flows are sent to the controller by the switches. If the
461flow is considered to be malicious, its destination IP address is added to an attack list. If the
462malicious flow entries reach a pre-set upper threshold, an attack alert is generated.
463 The attack traceback module works with the detection module to trace the attack switch. The
464switches in the attack path are found using the BPNN model and the whole attack path is located
465using the network topology, attacked destination and marked attack switches.
466 The attack mitigation module begins operation when the attack path and source are found out.
467Traffic from the attack source is then blocked.
468 The performance of the entire system and each module was implemented on the RYU [47]
469framework and evaluated by the authors using Mininet [48,49]. A critical advantage of this system
470is that it only sends an attack trigger message when an attack is detected, reducing CPU and
471network load used by the defense mechanism when there is no attack.
34
35Technologies 2018, 6, x FOR PEER REVIEW 18 of 32
473 De Assis et al. proposed an independent defense scheme for software defined networks (SDN)
474[50]. Game Theory-Holt-Winters for Digital Signature (GT-HWDS) combines an independent
475decision-making model built on game theory (GT) with anomaly detection and identification from a
476Holt-Winters for Digital Signature (HWDS) system [51,52]. The defense scheme was proposed to
477defend against attacks aimed at the control plane of SDNs. The system design and network
478topology are shown in Figure 10.
479The system composes of three main parts; detection, identification and mitigation modules. The
480processes performed by these modules are done before data enters into the network making it
481operable with any type of SDN setup.
482
483
484 Figure 10. System design [50].
485 The HWDS system performs both the detection and information processes. The detection
486process uses a method that analyses seven parallel IP flow dimensions to characterize traffic. The
487dimensions analyzed are the entropy of the source and destination IP addresses and ports, bits per
488second, packets per second and flows per second. The HWDS system creates a signature, known as
36
37Technologies 2018, 6, x FOR PEER REVIEW 19 of 32
489the Digital Signature of Network Segment using Flow analysis (DSNSF) for each analyzed
490dimension. The signatures are compared with signatures of known attacks and if found to be
491similar, the information and mitigation modules are activated. The information module relays
492information about the anomaly to both the network administrator and the mitigation module.
493 The mitigation module uses the GT approach to take measures autonomously to mitigate the
494attack. Calculations are made for an optimal defense strategy and the system performs the packet
495dropping and redirection to a honeypot for further analysis. The defense strategy is kept in play for
496an hour before the network resumes its normal operation mode. If another attack is detected within
497this period, a new defense strategy is calculated and the defense parameters will be updated. Only
498packets with new source addresses are dropped or redirected to the honeypot. New sources are
499seen by the information module.
500 The HWDS system was compared with a Fuzzy-GADS (Genetic Algorithm with Double
501Strings) system [53] and was found to perform better with most of the tests. It works with known
502attacks hence new or modified attacks may not be detected. The framework of this system is related
503to what was proposed by [54] but is more precise in detection, employing a deeper search of
504signatures of attacks.
5055.3.8. Detection and Defense Algorithms of Different Types of DDoS Attacks (DDAD)
506 Yusof et al. proposed a DDoS detection and defense algorithm to defend against four types of
507attacks: UDP and TCP flooding, Smurf and Ping of Death attacks [55]. The proposed detection
508algorithm checks if incoming traffic is normal or malicious. If packet arrival rate is greater than 100
509packets/second, it is tagged malicious and will be dropped. A hybrid of Snort and IPTables is used
510by the defense system for deep packet inspection and to reduce incoming packet speed to protect
511the network in the presence of an attack. The attacks are then logged with details of the attack type,
512packet size, severity of the attack, duration of the attack and attacker source address. Figure 11
513shows the flow graph of the system. The algorithm is yet to be tested and evaluated by the authors.
514
38
39Technologies 2018, 6, x FOR PEER REVIEW 20 of 32
515
516 Figure 11. Proposed design flow [55].
5205.4.1. VFence
521 Jakaria et al. proposed a defense technique based on the Network Function Virtualization
522(NFV) technology. VFence defends against attacks through a dynamic traffic filtering network [56].
523The mechanism intercepts packets during an attack with the help of dynamic network agents. An
524overview of the system topology is shown in Figure 12.
525
40
41Technologies 2018, 6, x FOR PEER REVIEW 21 of 32
526
527 Figure 12. VFence defense topology [56].
528 A dispatcher directs incoming traffic to an agent for processing. The distribution of packets is
529based on a dynamic agent assignment algorithm, which is performed in conformity with a
530forwarding table. The forwarding table maps flows to handling agents and is updated each time a
531flow is established, expires or ends. Agents are deployed or retired based on the network flow.
532Agents are added or deleted from the mapping as and when necessary. The agent, a dynamically
533created packet handler, filters out traffic with spoofed source IPs or known attack IPs and forwards
534legitimate traffic to the destination. The agents can also act as a dynamic firewall to drop suspicious
535flows. The agents relay information on their utilization, termination and completion of connections
536to the dispatcher for forwarding table updates. The number of active agents in the system at each
537point in time is dependent on the flow of incoming packets. The higher the flow, the more the
538agents. The dispatchers and agents are virtualized network functions (VNF). A load balancing
539algorithm is used in directing packets to agents to evenly distribute the load among the agents and
540to avoid having a more than necessary number of agents. The system however, introduces a delay
541in the network
5425.4.2. A MOving Target defense mechanism AGainst (MOTAG) against internet DDoS
543 Wang et al. proposed MOTAG, a Moving Target defense mechanism Against internet DDoS
544attacks [57]. The mechanism defends against DDoS attacks by employing dynamic proxies to
545transmit traffic between authenticated servers and clients. The scheme was aimed at protecting
546sensitive online services against attacks. Clients are shuffled across hidden proxies, that is, proxies
547with IP addresses known to only legitimate clients, in the event of an attack using a greedy
548algorithm. The system architecture of MOTAG is shown in Figure 13. The authors assumed that
549using an effective authentication scheme eliminates the possibility of attacks from outside sources
550and so the system was designed to counter attacks from authenticated clients. An external attack
551means an insider made known a node address to an external source for an attack, thus, isolating
552and blocking that insider deals with the attack. Each authenticated client is randomly given an
553active proxy node and sees only the IP address of the proxy node assigned to it. MOTAG comprises
554four main inter-connected units; the authentication server, the filter ring, the proxy nodes and the
555application server. The application server is the provider of the online service to be protected.
42
43Technologies 2018, 6, x FOR PEER REVIEW 22 of 32
556
557
558 Figure 13. The MOTAG Architecture [57].
559 The authentication server gives out a token for every client-to-proxy session and limits the
560client’s throughput to a specific number of packets per session, which helps to detect the presence
561of an attack. Cryptographic puzzles must be solved by clients before they are authenticated. When
562an attack is ongoing, an additional number of nodes are created. All the nodes are grouped under
563either serving proxy nodes or shuffling proxy nodes. Serving nodes are relatively unchanging,
564providing service to known innocent users. Shuffling nodes are shuffled between suspicious clients
565and are replaced if found to be under attack. Shuffling is done till the malicious clients are found
566out. The main idea is that since the suspicious clients are being moved around different nodes with
567different IP addresses, if a new node is attacked, the insider can only be connected to the new node.
568Shuffles are done till the actual malicious client is pinpointed.
569 Shuffling and pairing will become huge if there are a lot of clients assigned to a proxy node.
570Scalability. Attacks from external sources cannot be fully prevented. Attack and an attack will go on
571for a long period till offending client(s) are pinpointed. Computing capacity and bandwidth is
572reserved to meet needs of proxy nodes as well as to provide sufficient capacity to create a large
573number of additional proxy nodes.
574 Nevertheless, MOTAG is only capable of mitigating network flooding attacks on Internet
575services that mandate client authentication. It is not suitable for securing open Internet services
576designed for anonymous users. Furthermore, MOTAG does not offer protection against
577application-level flooding or other computational DDoS attacks.
578 Nevertheless, MOTAG is resistant to brute-force attacks from outsiders due to the hidden
579proxy nodes.
44
45Technologies 2018, 6, x FOR PEER REVIEW 23 of 32
590
591
592 Figure 14. System Architecture [58].
593 A load balancer connects every new client to an active replica server using any assignment
594algorithm. Replica servers admit only the clients whose IP addresses are confirmed by the referring
595load balancer. During an attack, replacement replica servers are created across the cloud in different
596locations and reassignment of clients is done. After reassignment is done, the attacked servers are
597taken offline and reused. Reassignment of clients to replica servers is done till the attacking clients
46
47Technologies 2018, 6, x FOR PEER REVIEW 24 of 32
598are isolated to one replica server. The coordination server keeps the entire state of the defense
599system and controls real-time actions against the attacks. It is responsible for running the shuffling
600algorithm and computing the optimal shuffling plan.
601 The system was evaluated with simulation with MATLAB as well as a prototype implemented
602using the Amazon EC2 [59] as a coordination server. The system is very effective on attacks aimed
603at static locations and from naïve bots. However, the system introduces some amount of latency in
604the network. Also, latter shuffles separate bots from benign users less effectively than early shuffles.
6055.4.4. MultiQ
606 Lim et al. proposed a scheduling-based architecture for the controller in SDNs for continued
607operation in the presence of an attack [60]. The assumption was that the attacker does not know the
608exact location or IP address of the SDN controller and therefore floods a known server to
609overwhelm the controller. The proposed scheme, known as MultiQ, simply modifies the controller
610model to divide the single request processing queue into a number of logical queues, each
611corresponding to a flow switch. The queues are then served with a scheduling algorithm. The
612proposed scheme was compared with two others, Static and SingleQ and found to perform better.
613However, the system may be crippled if the attack is generated from different networks.
621
48
49Technologies 2018, 6, x FOR PEER REVIEW 25 of 32
622
623 Figure 15. System Architecture [61].
624 Upon arrival of a packet at the Openflow switch, a check is made for rules matching the
625packet. If there is a rule matching the packet, action is taken accordingly, else the packet is sent to
626the controller if the prediction value is below the threshold or to the security gateway if above the
627threshold. The security gateway determines if there is an attack or not by entropy and known attack
628patterns.
6296. Discussion
630 A number of defense mechanisms have been discussed in the previous section. Table. 1 shows
631a summary of evaluations conducted by the various authors on their proposed mechanisms. The
632absence of a standard set of comparison metrics informed our decision to select some metrics to
633better have a fair comparison. Five performance metrics were chosen and we define them below.
634 1. Scalability: Scalability is the ability of the defense mechanisms to function effectively in the
635 event where there is an increase in attack traffic and attackers.
636 2. Detection rate (Accuracy): Accuracy is the ability of the attack detection system to correctly
637 detect as muchthe presence or absence of an attack traffic as possible, that is, the true
638 positives and negatives.
639 3. Benign Packet loss: Benign packet loss is the number of benign packets lost during an
640 attack.
641 4. Precision: Precision of the system is the ability of the system to detect the presence of an
642 attack with little error, that is, low false(true positives and negatives) consistently.
643 5. Overhead cost: The overhead cost is the additional computational or communication cost
644 the defense system adds to the network.
645 D is used to indicate Detection mechanisms in the table. T is used for Traceback, M is used for
646Mitigation and DM is used for Detection and Mitigation mechanisms.
647 The metrics chosen provide an idea of how seamless the defense mechanism can be
648incorporated into already existing systems and networks whilst still being effective. Any network
649security defense mechanism should be able to cope with a large data set over a large network with
650many connected devices, should have a high success rate in ensuring the network is secure, should
651ensure legitimate users are still able to have access to resources even in the event of an attack and
652should ensure there is no or negligible slow down in the network. In view of these requirements,
653these five metrics were chosen.
50
51Technologies 2018, 6, x FOR PEER REVIEW 26 of 32
654 Scalability gives an idea of how the proposed system will cope if employed in a real-world
655scenario with a large network and multiple devices, as well as multiple attack sources. Scalability is
656an important metric which determines how effective or not a solution will be when adopted.
657 Accuracy of the system helps to determine how correctly the system will detect the presence or
658absence of an attack. An inaccurate system will raise a lot of false alarms of an attack and will also
659not always detect an attack, making attack traffic flow through the system unnoticed.
660 Benign packet loss provides information on how much benign packers are lost during an
661attack. One important reason for employing a DDoS defense mechanism is to ensure legitimate
662users have access to the network or service. Having a lot of lost benign traffic means a lot of
663retransmissions or requests from legitimate users or an inability of the requests to be processed,
664ultimately inconveniencing them.
665 Precision helps to determine the consistency of the system in detecting the presence of an
666attack. The more consistent a system is, the easier it is to predict its effectiveness in managing an
667attack. Changes to the system to improve on its capabilities can also be done in future easily when it
668performs functions consistently.
669 Overhead costs introduce some latency in the network. Most end users (legitimate users)
670accessing a network or service are interested in how quickly they can have their requests processed.
671Having a noticeable lag in the network inconveniences the end user.
672 Evaluation of defense schemes with respect to the metrics chosen was done with information
673provided by the authors of the respective schemes in their published papers. The tests and results
674in these papers provided an idea of how the schemes performed with respect to the metrics chosen.
675However, not much information was provided for some schemes, making it impossible to evaluate
676them with respect to certain metrics. Also, defense mechanisms which were not tested were not
677given any evaluation report.
678
686defense mechanisms should have low overheads to avoid degrading the network further in the
687presence of an attack.
688 Based on the results provided by the authors, we realized that the overhead costs for detection
689and traceback was significant and had impact on the network. RADAR, SD-Anti-DDoS and CMIYC
690were found to have the lowest overhead costs to the network. Scalability was found to be generally
691medium for most of the systems, though more real-world tests would have to be conducted to
692concretely determine. Detection rates, precision and benign packet loss were found to be generally
693acceptable across board.
694 Further optimization needs to be done to reduce overhead costs for the mechanisms. Defense
695mechanisms need to have low computational and communication costs on the network as this
696would determine how fast the defense mechanism would operate in the event of an attack. A
697mechanism which is fast in communication alerts all necessary systems in the defense process
698quickly enough to prevent a creation of a time-gap, in which attack traffic can cause some damage
699before it is stopped.
700 Scalability is also an issue which needs to be addressed further. With the increasing rates,
701volume and number of bots used in attacks, defense mechanisms should be able to perform
702effectively in the presence of a large attack. This is necessary to prevent an attack from
703overwhelming the defense mechanism to the point of ineffectiveness or increased degradation to
704the network, in which case the DDoS would have been successful.
705 To be able to come up with a robust defense system, scalability and overhead costs should be
706optimized for real-world situations, since these metrics would determine how practical a solution
707is.
54
55Technologies 2018, 6, x FOR PEER REVIEW 28 of 32
726
727 Figure 16. Flowchart of the algorithm.
7288
56
57Technologies 2018, 6, x FOR PEER REVIEW 29 of 32
7297. Conclusion
730 With the increase in the scale, sophistication and volume of modern day DDoS attacks, it is
731important that more research is conducted to come up with very robust defenses to combat attacks.
732 We have discussed the current DDoS defense mechanisms in this paper. We classified the
733defense mechanisms according to the main functions they perform, that is, detection, traceback,
734mitigation and detection and mitigation. We also discussed their strengths and weaknesses. We
735found out that most of the solutions struggle with scalability and may not be able to perform
736effectively in the real world, considering the increased volume of attack bots and traffic involved in
737modern attacks. Most of the current solutions also added some significant extra computation and
738communication overhead to the network, which would have an impact on the network, possibly
739slowing it down some more, in a real-world scenario with large volumes of attack traffic.
740 A comparison was made of the various mechanisms, however, not all solutions had results for
741the necessary metrics we used in the comparison. For such mechanisms, more test will have to be
742conducted to determine their actual performance based on the metrics we chose. Overall, most of
743the defense solutions reviewed performed acceptably well and more research should go into
744making them perform better, especially for a real-world scenario.
745References
7461. Internet World Stats. Available online: https://www.internetworldstats.com/stats (Last Accessed 12
747 October 2018)
7482. Grance, T.; Kent, K.; Kim, B. NIST Computer Security Incident Handling Guide, 2004.
7493. Imperva Incapsula. Available online: https://www.incapsula.com/ddos/denial-of-service (Last Accessed
750 12 October 2018)
7514. Wired. Available online: https://www.wired.com/story/github-ddos-memcached (Last Accessed 10
752 October 2018)
7535. NETSCOUT. Available online: https://asert.arbornetworks.com/netscout-arbor-confirms-1-7-tbps-ddos-
754 attack-terabit-attack-era-upon-us (Last Accessed 17 October 2018)
7556. Zargar, S.T.; Joshi, J.; Tipper, D. A Survey of Defense Mechanisms Against Distributed Denial of Service
756 (DDoS) Flooding Attacks. IEEE Communications Surveys & Tutorials 2013, volume 15, no. 4, pp. 2046-2069,
757 doi: 10.1109/SURV.2013.031413.00127.
7587. Carlin, A.; Hammoudeh, M; Aldabbas, O. Defence for Distributed Denial of Service Attacks in Cloud
759 Computing. Procedia Computer Science 2015, 73, pp. 490-497, doi: 10.1016/j.procs.2015.12.037.
7608. Deshmukh, R.V.; Devadkar, K.K. Understanding DDoS Attack & Its Effect in Cloud Environment.
761 Procedia Computer Science 2015, 49, pp. 202-210, doi: 10.1016/j.procs.2015.04.245.
7629. Somani, G.; Gaur, M.S.; Sanghi, D.; Conti, M.; Buyya, R. DDoS attacks in cloud computing: Issues,
763 taxonomy, and future directions. Computer Communications 2017, volume 107, pp. 30-48,
764 http://dx.doi.org/10.1016/j.comcom.2017.03.010.
76510. Mahjabin, T.; Xiao, Y.; Sun, G.; Jiang, W. A survey of distributed denial-of-service attack, prevention, and
766 mitigation techniques. International Journal of Distributed Sensor Networks 2017, Vol, 13(12), DOI:
767 10.1177/1550147717741463.
76811. Kalkan, K.; Gur, G.; Alagoz, F. Defense Mechanisms Against DDoS Attacks in SDN Environment. IEEE
769 Communications Magazine 2017, DOI: 10.1109/MCOM.2017.1600970.
77012. Zare, H.; Azadi, M.; Olsen, P. Techniques for Detecting and Preventing Denial of Service Attacks (a
771 Systematic Review Approach). In book: Information Technology-New Generations 2018, pp. 151-157, DOI:
772 10.1007/978-3-319-54978-1_21.
77313. Imperva Incapsula. Available online: https://www.incapsula.com/ddos/booters-stressers-ddosers.html
774 (Last Accessed 17 October 2018)
77514. Santanna, J.J. et al. Booters—An analysis of DDoS-as-a-service attacks. Integrated Network Management
776 (IM) 2015.
77715. Imperva Incapsula. Available online: https://www.incapsula.com/ddos/ddos-attack-scripts.html (Last
778 Accessed 10 October 2018)
77916. Wang, H.; Zhang, D.; Shin, K.G. Detecting SYN flooding attacks. IEEE INFOCOM 2002. Twenty-First
780 Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE. Vol. 3.
58
59Technologies 2018, 6, x FOR PEER REVIEW 30 of 32
78117. Criscuolo, P.J. Distributed Denial of Service Trin00, Tribe Flood Network, Tribe Flood Network 2000,
782 And Stacheldraht CIAC-2319. Department of Energy Computer Incident Advisory Capability (CIAC),
783 UCRL-ID-136939, Rev. 1., Lawrence Livermore National Laboratory, Feb 14, 2000.
78418. Kumar, S. Smurf-based distributed denial of service (ddos) attack amplification in internet. Internet
785 Monitoring and Protection 2007. Second International Conference on. IEEE.
78619. Elleithy, K.M.; Blagovic, D.; Cheng, W.; Sideleau, P. Denial of Service Attack Techniques: Analysis,
787 Implementation and Comparison. Journal of Systemics, Cybernetics and Informatics 2006, volume 3, pp. 66-71.
78820. Anagnostopoulos, M.; Kambourakis, G.; Kopanos, P.; Louloudakis, G.; Gritzalis, S. DNS amplification
789 attack revisited. Computers & Security 2013, Volume 39, pp. 475-485, DOI: 10.1016/j.cose.2013.10.001.
79021. Park, P. et al. A Service-oriented DDoS detection mechanism using pseudo state in a flow router. Springer
791 Science + Business Media 2014, DOI: 10.1007/s11042-014-2100-5.
79222. Shon, T.; Kim, Y.; Lee, C.; Moon, J. A machine learning framework for network anomaly detection using
793 SVM and GA. Proceedings from the 6th Annual IEEE System, Man and Cybernetics Information Assurance
794 Workshop, SMC 2005, pp. 176-183, DOI: 10.1109/IAW.2005.1495950.
79523. Tanachaiwiwiat, S.; Hwang, K. Differential packet filtering against DDoS flood attacks. Proc. ACM
796 Conference on Computer and Communications Security (CCS) 2003.
79724. Lau, F.; Rubin, S.H.; Smith, M.H.; Trajkovic, L. Distributed Denial of Service Attacks. Systems, Man and
798 Cybernetics IEEE International Conference 2000, Volume 3, pp. 2275-2280, DOI: 10.1109/ICSMC.2000.886455.
79925. Yu, S.; Zhou, W.; Guo, S.; Guo, M. A Dynamical Deterministic Packet Marking Scheme for DDoS
800 Traceback. IEEE Global Communications Conference (GLOBECOM) 2013, pp. 729-734, DOI:
801 10.1109/GLOCOM.2013.6831159
80226. Belenky, A.; Ansari, N. Ip traceback with deterministic packet marking. IEEE Communications Letters 2003,
803 vol. 7, no. 4, pp. 162–164, DOI: 10.1109/LCOMM.2003.811200.
80427. Jin, G.; Yang, J. Deterministic packet marking based on redundant decomposition for ip traceback. IEEE
805 Communications Letters 2006, vol. 10, no. 3, pp. 204–206, DOI: 10.1109/LCOMM.2006.1603385.
80628. Xiang, Y.; Zhou, W.; Guo, M. Flexible deterministic packet marking: An ip traceback system to find the
807 real source of attacks. IEEE Transactions on Parallel and Distributed Systems 2009, vol. 20, no. 4, pp. 567-580,
808 DOI: 10.1109/TPDS.2008.132.
80929. Foroushani, V.A.; Zincir-Heywood, A.N. TDFA: Traceback-based Defense against DDoS Flooding
810 Attacks. IEEE International Conference on Advanced Information Networking and Applications 2014, pp. 597-
811 604, DOI 10.1109/AINA.2014.73
81230. Foroushani, V.A.; Zincir-Heywood, A.N. IP traceback through (authenticated) deterministic flow
813 marking: an empirical evaluation. EURASIP Journal on Information Security 2013, DOI: 10.1186/1687-417X-
814 2013-5.
81531. Chen, S.; Song, Q.; Perimeter-based defense against high bandwidth DDoS attacks. IEEE Transactions on
816 Parallel and Distributed Systems 2005, vol. 16, no. 6, pp. 526–537, doi: 10.1109/TPDS.2005.74
81732. Yaar, A.; Perrig, A.; Song, D. StackPi: new packet marking and filtering mechanisms for DDoS and IP
818 Spoofing Defense. IEEE Journal on Selected Areas in Communications 2006, vol. 24, no. 10, pp. 1853–1863,
819 DOI: 10.1109/JSAC.2006.877138.
82033. Chen, Y.; Shantanu, D.; Pulak, D. Detecting and preventing IP-spoofed distributed DoS attacks.
821 International Journal of Network Security 2008, vol. 7, no. 1, pp. 69–80.
82234. Sahi, A.; Lai, D.; Li, Y.; Diykh, M. An Efficient DDoS TCP Flood Attack Detection and Prevention System
823 in a Cloud Environment. IEEE Access PP (99) 2017, DOI: 10.1109/ACCESS.2017.2688460
82435. Hameed, A.A.; Karlik, B.; Salman, M.S. Back-propagation algorithm with variable adaptive momentum.
825 Knowledge-Based Systems 2016, vol. 114, pp. 79-87, DOI: 10.1016/j.knosys.2016.10.001
82636. Zhou, W.; Jia, W.; Wen, S.; Xiang, Y.; Zhou, W. Detection and defense of application-layer DDoS attacks
827 in backbone web traffic. Future Generation Computer Systems 2013, Volume 38, pp. 36-46, DOI:
828 10.1016/j.future.2013.08.002
82937. Broder, A.; Mitzenmacher, M. Network applications of bloom filters: A survey. Internet Mathematics 2002,
830 vol. 1, pp. 636–646, DOI: 10.1080/15427951.2004.10129096.
83138. Wang, B.; Zheng, Y.; Lou, W.; Hou, T.Y. DDoS attack protection in the era of cloud computing and
832 Software-Defined Networking. Computer Networks 2015, DOI: 10.1016/j.comnet.2015.02.026
83339. Zheng, J.; Li, Q.; Gu, G.; Cao, J.; Yau, D.K.Y.; Wu, J. Realtime DDoS Defense Using COTS SDN Switches
834 via Adaptive Correlation Analysis. IEEE Transactions on Information Forensics and Security 2018, vol. 13, no.
835 7, pp. 1838-1853, doi: 10.1109/TIFS.2018.2805600
60
61Technologies 2018, 6, x FOR PEER REVIEW 31 of 32
62
63Technologies 2018, 6, x FOR PEER REVIEW 32 of 32
888 © 2018 by the authors. Submitted for possible open access publication under the terms
889 and conditions of the Creative Commons Attribution (CC BY) license
890 (http://creativecommons.org/licenses/by/4.0/).
64