A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms


Jelena Mirkovic, Janice Martin and Peter Reiher
Computer Science Department
University of California, Los Angeles
Technical report #020018

Abstract
This paper proposes a taxonomy of distributed denial-of-service attacks and a taxonomy of the defense mechanisms that strive to counter these attacks. The attack taxonomy is illustrated using both known and potential attack mechanisms. Along with this classification we discuss important features of each attack category that in turn define the challenges involved in combating these threats. The defense system taxonomy is illustrated using only the currently known approaches. The goal of the paper is to impose some order into the multitude of existing attack and defense mechanisms that would lead to a better understanding of challenges in the distributed denial-of-service field.

1. Introduction
Distributed denial-of-service attacks (DDoS) pose an immense threat to the Internet, and consequently many defense mechanisms have been proposed to combat them. Attackers constantly modify their tools to bypass these security systems, and researchers in turn modify their approaches to handle new attacks. The DDoS field is evolving quickly, and it is becoming increasingly hard to grasp a global view of the problem. This paper strives to introduce some structure to the DDoS field by developing a taxonomy of DDoS attacks and DDoS defense systems. The goal of the paper is to highlight the important features of both attack and security mechanisms and stimulate discussions that might lead to a better understanding of the DDoS problem.

The proposed taxonomies are complete in the following sense: the attack taxonomy covers known attacks and also those that have not currently appeared but are potential threats that would affect current defense mechanisms; the defense systems taxonomy covers not only published approaches but also some commercial approaches that are sufficiently documented to be analyzed. Along with classification, we emphasize important features of each attack or defense system category, and provide representative examples of existing mechanisms. This paper does not propose or advocate any specific DDoS defense mechanism. Even though some sections might point out vulnerabilities of certain classes of defense systems, our purpose is not to criticize but to draw attention to these problems so that they might be solved.

Following this introduction, the paper is organized as follows. Section 2 investigates the problem of DDoS attacks, and Section 3 proposes their taxonomy; Section 4 proposes a taxonomy of DDoS defense systems. Section 5 provides an overview of related work and Section 6 concludes the paper.

2. DDoS Attack Overview
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service [1]. A distributed denial-of-service attack deploys multiple machines to attain this goal. The service is denied by sending a stream of packets to a victim that either consumes some key resource, thus rendering it unavailable to legitimate clients, or provides the attacker with unlimited access to the victim machine so he can inflict arbitrary damage. This section will answer the following questions:
1. What makes DDoS attacks possible?
2. How do these attacks occur?
3. Why do they occur?

2.1. Internet Architecture
The Internet was designed with functionality, not security, in mind, and it was indeed very successful in reaching this goal. It offers its participants fast, easy and cheap communication mechanisms, enforced with various higher-level protocols that ensure reliable or timely delivery of messages or a certain level of quality of service. Internet design follows the end-to-end paradigm: communicating end hosts deploy complex functionalities to achieve desired service guarantees, while the intermediate network provides the bare-minimum, best-effort service. The Internet is managed in a distributed manner; therefore no common policy can be enforced among its participants. Such design opens several security issues that provide opportunities for distributed denial-of-service attacks:
1. Internet security is highly interdependent. DDoS attacks are commonly launched from systems that are subverted through security-related compromises. Regardless of how well secured the victim system may be, its susceptibility to DDoS attacks depends on the state of security in the rest of the global Internet [2].
2. Internet resources are limited. Each Internet host has limited resources that can be consumed by a sufficient number of users.
3. Power of many is greater than power of few. Coordinated and simultaneous malicious actions by some participants can always be detrimental to others, if the resources of the attackers are greater than the resources of the victims.
4. Intelligence and resources are not collocated. An end-to-end communication paradigm led to locating most of the intelligence needed for service guarantees with end hosts. At the same time, a desire for large throughput led to the design of high bandwidth pathways in the intermediate network. Thus, malicious clients can misuse the abundant resources of the unwitting network for delivery of numerous messages to a victim.

2.2. DDoS Attack Strategy
In order to perform a distributed denial-of-service attack, the attacker needs to recruit multiple agent (slave) machines. This process is usually performed automatically through scanning of remote machines, looking for security holes that would enable subversion. Vulnerable machines are then exploited by using the discovered vulnerability to gain access to the machine, and they are infected with the attack code. The exploit/infection phase is also automated, and the infected machines can be used for further recruitment of new agents (see discussion of propagation techniques in Section 3.1 and in [6]). Agent machines perform the attack against the victim. Attackers usually hide the identity of the agent machines during the attack through spoofing of the source address field in packets. The agent machines can thus be reused for future attacks.

2.3. DDoS Goals
The goal of a DDoS attack is to inflict damage on the victim, either for personal reasons (a significant number of DDoS attacks are against home computers, presumably for purposes of revenge), for material gain (damaging a competitor's resources) or for popularity (successful attacks on popular Web servers gain the respect of the hacker community).

3. Taxonomy of DDoS Attacks
In order to devise a taxonomy of distributed denial-of-service attacks we observe the means used to prepare and perform the attack, the characteristics of the attack itself and the effect it has on the victim. Various classification criteria are indicated in bold type. Figure 1 summarizes the taxonomy.

3.1. Classification by Degree of Automation
During the attack preparation, the attacker needs to locate prospective agent machines and infect them with the attack code. Based on the degree of automation of the attack, we differentiate between manual, semi-automatic and automatic DDoS attacks.

Manual Attacks
Only the early DDoS attacks belonged to the manual category. The attacker scanned remote machines for vulnerabilities, broke into them and installed the attack code, and then commanded the onset of the attack. All of these actions were soon automated, leading to the development of semi-automatic DDoS attacks, the category where most contemporary attacks belong.

Semi-Automatic Attacks
In semi-automatic attacks, the DDoS network consists of handler (master) and agent (slave, daemon) machines. The attacker deploys automated scripts for scanning and compromise of those machines and installation of the attack code. He then uses handler machines to specify the attack type and the victim's address and to command the onset of the attack to agents, who send packets to the victim.

Figure 1: Taxonomy of distributed denial-of-service attacks [tree diagram; classification criteria shown: degree of automation, communication mechanism, scanning strategy, propagation mechanism, exploited vulnerability, relation of packet contents with victim services, attack rate dynamics, rate change mechanism, impact]


Based on the communication mechanism deployed between agent and handler machines we divide semi-automatic attacks into attacks with direct communication and attacks with indirect communication.

Attacks with direct communication
During attacks with direct communication, the agent and handler machines need to know each other's identity in order to communicate. This is achieved by hard-coding the IP address of the handler machines in the attack code that is later installed on the agent. Each agent then reports its readiness to the handlers, who store its IP address in a file for later communication. The obvious drawback of this approach is that discovery of one compromised machine can expose the whole DDoS network. Also, since agents and handlers listen to network connections, they are identifiable by network scanners.

Attacks with indirect communication
Attacks with indirect communication deploy a level of indirection to increase the survivability of a DDoS network. Recent attacks provide the example of using IRC channels [2] for agent/handler communication. The use of IRC services replaces the function of a handler, since the IRC channel offers sufficient anonymity to the attacker. Since DDoS agents establish outbound connections to a standard service port used by a legitimate network service, agent communications to the control point may not be easily differentiated from legitimate network traffic. The agents do not incorporate a listening port that is easily detectable with network scanners. An attacker controls the agents using IRC communications channels. Thus, discovery of a single agent may lead no further than the identification of one or more IRC servers and channel names used by the DDoS network. From there, identification of the DDoS network depends on the ability to track agents currently connected to the IRC server. Although the IRC service is the only current example of indirect communication, there is nothing to prevent attackers from subverting other legitimate services for similar purposes.

Automatic Attacks
Automatic DDoS attacks additionally automate the attack phase, thus avoiding the need for communication between attacker and agent machines. The time of the onset of the attack, attack type, duration and victim's address are preprogrammed in the attack code. It is obvious that such deployment mechanisms offer minimal exposure to the attacker, since he is only involved in issuing a single command – the start of the attack script. The hardcoded attack specification suggests a single-purpose use of the DDoS network. However, the propagation mechanisms usually leave the backdoor to the compromised machine open, enabling easy future access and modification of the attack code.

Both semi-automatic and automatic attacks recruit the agent machines by deploying automatic scanning and propagation techniques. Based on the scanning strategy, we differentiate between attacks that deploy random scanning, hitlist scanning, topological scanning, permutation scanning and local subnet scanning. We give a brief description of these scanning techniques here and refer the reader to [6] for a detailed description and performance comparison. Attackers usually combine the scanning and exploitation phases, thus gaining a larger agent population, and our description of scanning techniques relates to this model.

Attacks with Random Scanning
During random scanning each compromised host probes random addresses in the IP address space, using a different seed. This potentially creates a high traffic volume since many machines probe the same addresses. Code Red (CRv2) performed random scanning [7].

Attacks with Hitlist Scanning
A machine performing hitlist scanning probes all addresses from an externally supplied list. When it detects a vulnerable machine, it sends one half of the initial hitlist to the recipient and keeps the other half. This technique allows for great propagation speed (due to exponential spread) and no collisions during the scanning phase. An attack deploying hitlist scanning could obtain the list from netscan.org of domains that still support directed IP broadcast and can thus be used for a Smurf attack.

Attacks with Topological Scanning
Topological scanning uses the information on the compromised host to select new targets. All E-mail worms use topological scanning, exploiting the information from address books for their spread.

Attacks with Permutation Scanning
During permutation scanning, all compromised machines share a common pseudo-random permutation of the IP address space; each IP address is mapped to an index in this permutation. A machine begins scanning by using the index computed from its IP address as a starting point. Whenever it sees an already infected machine, it chooses a new random start point. This has the effect of providing a semi-coordinated, comprehensive scan while maintaining the benefits of random probing. This technique is described in [6] as not yet deployed.

Attacks with Local Subnet Scanning
Local subnet scanning can be added to any of the previously described techniques to preferentially scan for targets that reside on the same subnet as the compromised host. Using this technique, a single copy of the scanning program can compromise many vulnerable machines behind a firewall. Code Red II [8] and Nimda Worm [9] used local subnet scanning.

Based on the attack code propagation mechanism, we differentiate between attacks that deploy central source propagation, back-chaining propagation and autonomous propagation [2].

Attacks with Central Source Propagation
During central source propagation, the attack code resides on a central server or set of servers. After compromise of the agent machine, the code is downloaded from the central source through a file transfer mechanism. The 1i0n [4] worm operated in this manner.

Attacks with Back-chaining Propagation
During back-chaining propagation, the attack code is downloaded from the machine that was used to exploit the system. The infected machine then becomes the source for the next propagation step. Back-chaining propagation is more survivable than central-source propagation since it avoids a single point of failure. The Ramen worm [5] and Morris Worm [19] used back-chaining propagation.

Attacks with Autonomous Propagation
Autonomous propagation avoids the file retrieval step by injecting attack instructions directly into the target host during the exploitation phase. Code Red [3], Warhol Worm [6] and numerous E-mail worms use autonomous propagation.

3.2. Classification by Exploited Vulnerability
Distributed denial-of-service attacks exploit different strategies to deny the service of the victim to its clients. Based on the vulnerability that is targeted during an attack, we differentiate between protocol attacks and brute-force attacks.

Protocol Attacks
Protocol attacks exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume excess amounts of its resources. Examples include the TCP SYN attack, the CGI request attack and the authentication server attack.

In the TCP SYN attack, the exploited feature is the allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN request. The attacker initiates multiple connections that are never completed, thus filling up the connection queue indefinitely. In the CGI request attack, the attacker consumes the CPU time of the victim by issuing multiple CGI requests. In the authentication server attack, the attacker exploits the fact that the signature verification process consumes significantly more resources than bogus signature generation. He sends numerous bogus authentication requests to the server, tying up its resources.

Brute-force Attacks
Brute-force attacks are performed by initiating a vast amount of seemingly legitimate transactions. Since an upstream network can usually deliver higher traffic volume than the victim network can handle, this exhausts the victim's resources.

We further divide brute-force attacks based on the relation of packet contents with victim services into filterable and non-filterable attacks.

Filterable Attacks
Filterable attacks use bogus packets or packets for non-critical services of the victim's operation, and thus can be filtered by a firewall. Examples of such attacks are a UDP flood attack or an ICMP request flood attack on a Web server.

Non-filterable Attacks
Non-filterable attacks use packets that request legitimate services from the victim. Thus, filtering all packets that match the attack signature would lead to an immediate denial of the specified service to both attackers and the legitimate clients. Examples are an HTTP request flood targeting a Web server or a DNS request flood targeting a name server.

The line between protocol and brute-force attacks is thin. Protocol attacks also overwhelm a victim's resources with excess traffic, and badly designed protocol features at remote hosts are frequently used to perform "reflector" brute-force attacks, such as the DNS request attack [10] or the Smurf attack [11].

The difference is that a victim can mitigate the effect of protocol attacks by modifying the deployed protocols at its site, while it is helpless against brute-force attacks due to their misuse of legitimate services (non-filterable attacks) or due to its own limited resources (a victim can do nothing about an attack that swamps its network bandwidth).

Countering protocol attacks by modifying the deployed protocol pushes the corresponding attack mechanism into the brute-force category. For example, if the victim deploys TCP SYN cookies [55] to combat TCP SYN attacks, it will still be vulnerable to TCP SYN attacks that generate more requests than its network can accommodate. However, the brute-force attacks need to generate a much higher volume of attack packets than protocol attacks, to inflict damage on the victim. So by modifying the deployed protocols the victim pushes the vulnerability limit higher. Evidently, classification of the specific attack needs to take into account both the attack mechanisms used and the victim's configuration.

It is interesting to note that the variability of attack packet contents is determined by the exploited vulnerability. Packets comprising protocol and non-filterable brute-force attacks must specify some valid header fields and possibly some valid contents. For example, TCP SYN attack packets cannot vary the protocol or flag field, and HTTP flood packets must belong to an established TCP connection and therefore cannot spoof source addresses, unless they hijack connections from legitimate clients.

3.3. Classification by Attack Rate Dynamics
Depending on the attack rate dynamics we differentiate between continuous rate and variable rate attacks.

Continuous Rate Attacks
The majority of known attacks deploy a continuous rate mechanism. After the onset is commanded,
agent machines generate the attack packets with full force. This sudden packet flood disrupts the victim's services quickly, and thus leads to attack detection.

Variable Rate Attacks
Variable rate attacks are more cautious in their engagement, and they vary the attack rate to avoid detection and response.

Based on the rate change mechanism we differentiate between attacks with increasing rate and fluctuating rate.

Increasing Rate Attacks
Attacks that have a gradually increasing rate lead to a slow exhaustion of the victim's resources. A state change of the victim could be so gradual that its services degrade slowly over a long time period, thus delaying detection of the attack.

Fluctuating Rate Attacks
Attacks that have a fluctuating rate adjust the attack rate based on the victim's behavior, occasionally relieving the effect to avoid detection. At the extreme end, there is the example of pulsing attacks. During pulsing attacks, agent hosts periodically abort the attack and resume it at a later time. If this behavior is simultaneous for all agents, the victim experiences periodic service disruptions. If, however, agents are divided into groups who coordinate so that one group is always active, then the victim experiences continuous denial of service.

3.4. Classification by Impact
Depending on the impact of a DDoS attack on the victim we differentiate between disruptive and degrading attacks.

Disruptive Attacks
The goal of disruptive attacks is to completely deny the victim's service to its clients. All currently known attacks belong to this category.

Degrading Attacks
The goal of degrading attacks would be to consume some (presumably constant) portion of a victim's resources. Since these attacks do not lead to total service disruption, they could remain undetected for a significant time period. On the other hand, damage inflicted on the victim could be immense. For example, an attack that effectively ties up 30% of the victim's resources would lead to denial of service to some percentage of customers during high load periods, and possibly slower average service. Some customers, dissatisfied with the quality, would consequently change their service provider and the victim would thus lose income. Alternately, the false load could result in a victim spending money to upgrade its servers and networks.

4. Taxonomy of DDoS Defense Mechanisms
The seriousness of the DDoS problem and the increased frequency of DDoS attacks have led to the advent of numerous DDoS defense mechanisms. Some of these mechanisms address a specific kind of DDoS attack such as attacks on Web servers or authentication servers. Other approaches attempt to solve the entire generic DDoS problem. Most of the proposed approaches require certain features to achieve their peak performance, and will perform quite differently if deployed in an environment where these requirements are not met.

As is frequently pointed out, there is no "silver bullet" against DDoS attacks. Therefore we need to understand not only each existing DDoS defense approach, but also how those approaches might be combined together to effectively and completely solve the problem. The proposed taxonomy, shown in Figure 2, should help us reach this goal. Various classification criteria are indicated in bold type.

Figure 2: Taxonomy of distributed denial-of-service defense mechanisms [tree diagram; classification criteria shown: activity level, prevention goal, secured target, prevention method, detection strategy, response strategy, cooperation degree, location]

4.1. Classification by Activity Level
Based on the activity level of DDoS defense mechanisms, we differentiate between preventive and reactive mechanisms.

Preventive Mechanisms
The goal of preventive mechanisms is either to eliminate the possibility of DDoS attacks altogether or to enable potential victims to endure the attack without denying services to legitimate clients. According to these goals we further divide preventive mechanisms into attack prevention and denial-of-service prevention mechanisms.

Attack Prevention Mechanisms
Attack prevention mechanisms modify the system configuration to eliminate the possibility of a DDoS attack. Based on the target they secure, we further divide them into system security and protocol security mechanisms.

System Security Mechanisms
System security mechanisms increase the overall security of the system, guarding against illegitimate accesses to the machine, removing application bugs and updating protocol installations to prevent intrusions and misuse of the system. DDoS attacks owe their power to large numbers of subverted machines that cooperatively generate the attack streams. If these machines were secured, the attackers would lose their army and the DDoS threat would then disappear. On the other hand, systems vulnerable to intrusions can themselves become victims of DDoS attacks in which the attacker, having gained unlimited access to the machine, deletes or alters its contents. Potential victims of DDoS attacks can be easily overwhelmed if they deploy vulnerable protocols. Examples of system security mechanisms include monitored access to the machine [20], applications that download and install security patches, firewall systems [43], virus scanners [44], intrusion detection systems [17], access lists for critical resources [46], capability-based systems [53] and client-legitimacy-based systems [54]. The history of computer security suggests that this approach can never be 100% effective, but doing a good job here will certainly decrease the frequency and strength of DDoS attacks.

Protocol Security Mechanisms
Protocol security mechanisms address the problem of bad protocol design. Many protocols contain operations that are cheap for the client but expensive for the server. Such protocols can be misused to exhaust the resources of a server by initiating large numbers of simultaneous transactions. Classic misuse examples are the TCP SYN attack, the authentication server attack, and the fragmented packet attack, in which the attacker bombards the victim with malformed packet fragments, forcing it to waste its resources on reassembling attempts. Examples of protocol security mechanisms include guidelines for a safe protocol design in which resources are committed to the client only after sufficient authentication is done ([28], [12]), or the client has paid a sufficient price [31], deployment of a powerful proxy server that completes TCP connections [29], etc.

Deploying comprehensive protocol and system security mechanisms can make the victim completely resilient to protocol attacks. Also, these approaches are inherently compatible with and complementary to all other approaches.

Denial-of-Service Prevention Mechanisms
Denial-of-service prevention mechanisms enable the victim to endure attack attempts without denying service to legitimate clients. This is done either by enforcing policies for resource consumption or by ensuring that abundant resources exist so that legitimate clients will not be affected by the attack. Consequently, based on the prevention method, we differentiate between resource accounting and resource multiplication mechanisms.

Resource Accounting Mechanisms
Resource accounting mechanisms police the access of each user to resources based on the privileges of the user and his behavior. Such mechanisms guarantee fair service to legitimate well-behaving users. In order to avoid user identity theft, they are usually coupled with legitimacy-based access mechanisms that verify the user's identity. Approaches proposed in ([27], [30], [32], [33], [34]) illustrate resource accounting mechanisms.

Resource Multiplication Mechanisms
Resource multiplication mechanisms provide an abundance of resources to counter DDoS threats. The straightforward example is a system that deploys a pool of servers with a load balancer and installs high bandwidth links between itself and upstream routers. This approach essentially raises the bar on how many machines must participate in an attack to be effective. While not providing perfect protection, for those who can afford the costs, this approach has often proven sufficient. For example, Microsoft has used it to weather large DDoS attacks.

Reactive Mechanisms
Reactive mechanisms strive to alleviate the impact of an attack on the victim. In order to attain this goal they need to detect the attack and respond to it.

The goal of attack detection is to detect every attempted DDoS attack as early as possible and to have a low degree of false positives. Upon attack detection, steps can be taken to characterize the packets belonging to the attack stream and provide this characterization to the response mechanism.

We classify reactive mechanisms based on the attack detection strategy into mechanisms that deploy pattern detection, anomaly detection, hybrid detection, and third-party detection.

Mechanisms with Pattern Attack Detection
Mechanisms that deploy pattern detection store the signatures of known attacks in a database. Each communication is monitored and compared with database entries to discover occurrences of DDoS attacks. Occasionally, the database is updated with new attack signatures. The obvious drawback of this detection mechanism is that it can only detect known attacks, and it is usually helpless against new attacks or even slight variations of old attacks that cannot be matched to the stored signature. On the other hand, known attacks are easily and reliably detected, and no false positives are encountered.

Mechanisms with Anomaly Attack Detection
Mechanisms that deploy anomaly detection have a model of normal system behavior, such as a model of normal traffic dynamics or expected system performance. The current state of the system is periodically compared with the models to detect anomalies. Approaches presented in ([35], [36], [38], [39], [45], [48], [50], [51], [52]) provide examples of mechanisms that use anomaly detection.

The advantage of anomaly detection over pattern detection is that unknown attacks can be discovered. However, anomaly-based detection has to address two issues:
1. Threshold setting. Anomalies are detected when the current system state differs from the model by a certain threshold. The setting of a low threshold leads to many false positives, while a high threshold reduces the sensitivity of the detection mechanism.
2. Model update. Systems and communication patterns evolve with time, and models need to be updated to reflect this change. Anomaly-based systems usually perform automatic model update using statistics gathered at a time when no attack was detected. This approach makes the detection mechanism vulnerable to increasing rate attacks that can mistrain models and delay or even avoid attack detection.

Mechanisms with Hybrid Attack Detection
Mechanisms that deploy hybrid detection combine the pattern-based and anomaly-based
detection, using data about attacks discovered through an anomaly detection mechanism to devise new attack signatures and update the database. Many intrusion detection systems use hybrid detection.

If these systems are fully automated, properly extracting a signature from a detected attack can be challenging. The system must be careful not to permit attackers to fool it into detecting normal behavior as an attack signature, or the system itself becomes a denial-of-service tool.

Mechanisms with Third-Party Attack Detection
Mechanisms that deploy third-party detection do not handle the detection process themselves, but rely on an external message that signals the occurrence of the attack and provides attack characterization. Examples of mechanisms that use third-party detection are easily found among traceback mechanisms ([21], [23], [24], [26], [41]).

The goal of the attack response is to relieve the impact of the attack on the victim, while imposing minimal collateral damage to legitimate clients of the victim. We classify reactive mechanisms based on the response strategy into mechanisms that deploy agent identification, rate-limiting, filtering and reconfiguration approaches.

Agent Identification Mechanisms
Agent identification mechanisms provide the victim with information about the identity of the machines that are performing the attack. This information can then be combined with other response approaches to alleviate the impact of the attack. Agent identification examples include numerous traceback techniques ([21], [23], [24], [26], [41]) and approaches that eliminate spoofing ([25], [40]), thus enabling use of the source address field for agent identification.

Rate-Limiting Mechanisms
Rate-limiting mechanisms impose a rate limit on a stream that has been characterized as malicious by the detection mechanism. Examples of rate-limiting mechanisms are found in ([36], [39], [45], [50]). Rate limiting is a lenient response technique that is usually deployed when the detection mechanism has a high level of false positives or cannot precisely characterize the attack stream. The disadvantage is that they allow some attack traffic through, so extremely high scale attacks might still be effective even if all traffic streams are rate-limited.

Filtering Mechanisms
Filtering mechanisms use the characterization provided by a detection mechanism to filter out the attack stream completely. Examples include dynamically deployed firewalls [22], and also the commercial system TrafficMaster [48]. Unless the detection strategy is very reliable, filtering mechanisms run the risk of accidentally denying service to legitimate traffic. Worse, clever attackers might leverage them as denial-of-service tools.

Reconfiguration Mechanisms
Reconfiguration mechanisms change the topology of the victim or the intermediate network to either add more resources to the victim or to isolate the attack machines. Examples include reconfigurable overlay networks ([37], [38]), resource replication services [35], attack isolation strategies ([49], [51]), etc.

Reactive DDoS defense mechanisms can perform detection and response either alone or in cooperation with other entities in the Internet. Based on the cooperation degree we differentiate between autonomous, cooperative and interdependent mechanisms.

Autonomous Mechanisms
Autonomous mechanisms perform independent attack detection and response. They are usually deployed at a single point in the Internet and act locally. Firewalls and intrusion detection systems provide an easy example of autonomous mechanisms.

Cooperative Mechanisms
Cooperative mechanisms are capable of autonomous detection and response, but can achieve significantly better performance through cooperation with other entities. Mechanisms deploying pushback [36] provide examples of cooperative mechanisms. They detect the occurrence of a DDoS attack by observing congestion in a router's buffer, characterize the traffic that creates the congestion, and act locally to impose a rate limit on that traffic. However,
they achieve significantly better performance if the rate limit requests can be propagated to upstream routers that otherwise may be unaware of the attack.

Interdependent Mechanisms
Interdependent mechanisms cannot operate autonomously; they rely on other entities either for attack detection or for efficient response. Traceback mechanisms ([21], [23], [24], [26], [41]) provide examples of interdependent mechanisms. A traceback mechanism deployed on a single router would provide almost no benefit.

4.2. Classification by Deployment Location
With regard to a deployment location, we differentiate between DDoS mechanisms deployed at the victim, intermediate, or source network.

Victim-Network Mechanisms
DDoS defense mechanisms deployed at the victim network protect this network from DDoS attacks and respond to detected attacks by alleviating the impact on the victim. Historically, most defense systems were located at the victim since it suffered the greatest impact of the attack and was therefore the most motivated to sacrifice some resources for increased security. Resource accounting ([27], [30], [32], [33], [34]) and protocol security mechanisms ([28], [12], [31], [29]) provide examples of these systems.

Intermediate-Network Mechanisms
DDoS defense mechanisms deployed at the intermediate network provide infrastructural service to a large number of Internet hosts. Victims of DDoS attacks can contact the infrastructure and request the service, possibly providing adequate compensation. Pushback [36] and traceback ([21], [23], [24], [26], [41]) techniques are examples of intermediate-network mechanisms.

Source-Network Mechanisms
The goal of DDoS defense mechanisms deployed at the source network is to prevent customers using this network from generating DDoS attacks. Such mechanisms are necessary and desirable, but motivation for their deployment is low since it is unclear who would pay the expenses associated with this service. Mechanisms proposed in ([39], [45]) provide examples of source-network mechanisms.

5. Related Work
Although distributed denial-of-service attacks have been recognized as a serious problem, we are not aware of any other attempt to introduce formal classification into the DDoS attack mechanisms. The reason might lie in the use of fairly simple attack tools that have dominated most DDoS incidents. Those tools performed full-force flooding attacks using several types of packets. As defense mechanisms are deployed to counter these simple attacks, we expect to be faced with more complex strategies.

In [15] the authors present a classification of denial-of-service attacks according to the type of the target (e.g. firewall, Web server, router), a resource that the attack consumes (network bandwidth, TCP/IP stack) and the exploited vulnerability (bug or overload). This classification focuses more on the actual attack phase, while we are interested in looking at the complete attack mechanism in order to highlight features that are specific to distributed attacks.

In [14] and [16] Howard proposes a taxonomy of computer and network attacks. This taxonomy focuses on computer attacks in general and does not sufficiently highlight features particular to distributed denial-of-service attacks.

CERT is currently undertaking the initiative to devise a comprehensive taxonomy of computer incidents as part of the design of a common incident data format and exchange procedures, but unfortunately their results are not yet available.

We are not aware of any attempt to formally classify DDoS defense systems, although similar works exist in the field of intrusion detection systems ([16], [18]) and offer informative reading for researchers in the DDoS defense field.

6. Conclusion
Distributed denial of service attacks are a complex and serious problem, and consequently, numerous approaches have been proposed to counter them. The multitude of current attack and defense mechanisms obscures the global view of the DDoS problem. This paper is a first attempt to cut
through the obscurity and achieve a clear view of the problem and its solutions. The taxonomies described here are intended to help the community think about the threats we face and the measures we can use to counter those threats.

One positive benefit we foresee from development of DDoS taxonomies is to foster easier cooperation among researchers on DDoS defense mechanisms. Attackers cooperate to exchange attack code and information about vulnerable machines, and to organize their agents into coordinated networks to achieve immense power and survivability. The Internet community must be equally cooperative among itself to counter this threat. Good taxonomies for DDoS attack and defense mechanisms will facilitate communications and offer the community a common language to discuss their solutions. They will also clarify how different mechanisms are likely to work in concert, and identify areas of remaining weakness that require additional mechanisms. Similarly, the research community needs to develop common metrics and benchmarks to evaluate the efficacy of DDoS defense mechanisms, and these taxonomies can be helpful in shaping these tasks, as well.

We do not claim that these taxonomies are complete and all-encompassing. We must not be deceived by the simplicity of the current attacks; for the attackers this simplicity arises more from convenience than necessity. As defense mechanisms are deployed to counter simple attacks, we are likely to see more complex attack scenarios. Many more attack possibilities exist and must be addressed before we can completely handle the DDoS threat, and some of them are likely to be outside the current boundaries of the taxonomies presented here. Thus, these taxonomies are likely to require expansion and refinement as new threats and defense mechanisms are discovered.

The DDoS attack taxonomy and DDoS defense taxonomy outlined in this paper are useful to the extent that they clarify our thinking and guide us to more effective solutions to the problem of distributed denial-of-service. The ultimate value of the work described here will thus be in the degree of discussion and future research that it provokes.

References
[1] CERT Coordination Center, "Denial of Service Attacks," http://www.cert.org/tech_tips/denial_of_service.html
[2] CERT Coordination Center, "Trends in Denial of Service Attack Technology," October 2001, http://www.cert.org/archive/pdf/DoS_trends.pdf
[3] CERT Coordination Center, "Code Red," http://www.cert.org/incident_notes/IN-2001-08.html
[4] CERT Coordination Center, "erkms and li0n worms," http://www.cert.org/incident_notes/IN-2001-03.html
[5] CERT Coordination Center, "Ramen worm," http://www.cert.org/incident_notes/IN-2001-01.html
[6] N. Weaver, "Warhol Worm," http://www.cs.berkeley.edu/~nweaver/warhol.html
[7] D. Moore, "The spread of the code red worm (crv2)," http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml.
[8] CERT Coordination Center, "Code Red II," http://www.cert.org/incident_notes/IN-2001-09.html
[9] CERT Coordination Center, "Nimda worm," http://www.cert.org/advisories/CA-2001-26.html
[10] CERT Coordination Center, "DoS using nameservers," http://www.cert.org/incident_notes/IN-2000-04.html
[11] CERT Coordination Center, "Smurf attack," http://www.cert.org/advisories/CA-1998-01.html
[12] C. Meadows, "A formal framework and evaluation method for network denial of service," In Proceedings of the 12th IEEE Computer Security Foundations Workshop, June 1999.
[13] Cisco, "Strategies to protect against Distributed Denial of Service Attacks," http://www.cisco.com/warp/public/707/newsflash.html
[14] J. D. Howard, "An analysis of security incidents on the Internet," PhD thesis, Carnegie Mellon University, August 1998.
[15] F. Kargl, J. Maier and M. Weber, "Protecting web servers from distributed denial of service attacks," In Proceedings of 10th International World Wide Web Conference, May 2001
[16] J. D. Howard and T. A. Longstaff, "A common language for computer security incidents," Sandia Report: SAND98-8667, Sandia National Laboratories, http://www.cert.org/research/taxonomy_988667.pdf
[17] S. Axelsson, "Intrusion detection systems: A survey and taxonomy," Technical Report 99-15, Department of Computer Engineering, Chalmers University, March 2000.
[18] H. Debar, M. Dacier, and A. Wespi, "Towards a taxonomy of intrusion-detection systems," Computer Networks, 31(8):805-822, April 1999.
[19] K. Hafner and J. Markoff, Cyberpunk: Outlaws and hackers on the computer frontier, Simon & Schuster, 1991.
[20] Tripwire, "Tripwire for servers," http://www.tripwire.com/products/servers/
[21] D. X. Song and A. Perrig, "Advanced and authenticated marking schemes for IP Traceback," IEEE Infocom 2001.
[22] T. Darmohray and R. Oliver, "Hot spares for DDoS attacks," http://www.usenix.org/publications/login/2000-7/apropos.html.
[23] D. Dean, M. Franklin and A. Stubblefield, "An algebraic approach to IP Traceback," In Proceedings of the 2001 Network and Distributed System Security Symposium, February 2001.
[24] S. M. Bellovin, "ICMP traceback messages," Internet draft, http://search.ietf.org/internet-drafts/draft-ietf-itrace-01.txt, Oct. 2001.
[25] P. Ferguson and D. Senie, "Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing," RFC 2267, January 1998
[26] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical network support for IP Traceback," In Proceedings of 2000 ACM SIGCOMM Conference, Aug. 2000.
[27] A. Juels and J. Brainard, "Client puzzles: A cryptographic countermeasure against connection depletion attacks," In Proceedings of the 1999 Networks and distributed system security symposium (NDSS'99), Mar 1999.
[28] J. Leiwo, P. Nikander, and T. Aura, "Towards network denial of service resistant protocols," In Proceedings of the 15th International Information Security Conference (IFIP/SEC 2000), August 2000.
[29] C. Schuba, I. Krsul, M. Kuhn, G. Spafford, A. Sundaram, and D. Zamboni, "Analysis of a denial of service attack on TCP," In Proceedings of the 1997 IEEE Symposium on Security and Privacy, May 1997.
[30] Y. L. Zheng and J. Leiwo, "A method to implement a denial of service protection base," In Information Security and Privacy, volume 1270 of LNCS, pages 90--101, 1997.
[31] T. Aura, P. Nikander, and J. Leiwo, "DOS-resistant authentication with client puzzles," In Proceedings of the 8th International Workshop on Security Protocols
[32] O. Spatscheck and L. Peterson, "Defending against denial-of-service requests in Scout," In Proceedings of the 1999 USENIX/ACM Symposium on Operating System Design and Implementation, February 1999.
[33] A. Garg and A. L. Narasimha Reddy, "Mitigating denial of service attacks using QoS regulation," Texas A & M University Tech report, TAMU-ECE-2001-06
[34] F. Lau, S. H. Rubin, M. H. Smith, and Lj. Trajkovic, "Distributed denial of service attacks," In Proceedings of 2000 IEEE International Conference on Systems, Man, and Cybernetics, October 2000.
[35] J. Yan, S. Early, R. Anderson, "The XenoService – A distributed defeat for distributed denial of service," In Proceedings of ISW 2000, October 2000.
[36] S. Floyd, S. Bellovin, J. Ioannidis, K. Kompella, R. Mahajan and V. Paxson, "Pushback Messages for Controlling aggregates in the Network," Internet draft, Work in progress, http://search.ietf.org/internet-drafts/draft-floyd-pushback-messages-00.txt, July 2001.
[37] D. G. Andersen, H. Balakrishnan, M. F. Kaashoek, R. Morris, "Resilient Overlay Networks," In Proceedings of 18th ACM SOSP, October 2001.
[38] Information Sciences Institute, "Dynabone," http://www.isi.edu/dynabone/
[39] T. M. Gil and M. Poleto, "MULTOPS: a data-structure for bandwidth attack detection," In Proceedings of 10th Usenix Security Symposium, August 2001.
[40] J. Li, J. Mirkovic, M. Wang, P. Reiher and L. Zhang, "SAVE: Source address validity enforcement protocol," In Proceedings of INFOCOM 2002, June 2002. To appear.
[41] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, S. T. Kent, W. T. Strayer, "Hash-Based IP Traceback," In Proceedings of ACM SIGCOMM 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, August 2001
[42] R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods," In Proceedings of 9th USENIX Security Symposium, August 2000.
[43] McAfee, "Personal Firewall," http://www.mcafee.com/myapps/firewall/ov_firewall.asp
[44] McAfee, "VirusScan Online," http://www.mcafee.com/myapps/vso/default.asp
[45] Mananet, "Reverse Firewall," http://www.cs3-inc.com/ps_rfw.html
[46] Cisco, "Strategies to protect against distributed denial of service attacks," http://www.cisco.com/warp/public/707/newsflash.html
[47] D. Moore, H. Xiao, "Cisco quality of service and DDoS," http://www.mitre.org/support/papers/tech_papers_01/moore_cisco/index.shtml
[48] Mazu Networks, "Dynamically Provisioned Monitoring," http://www.mazunetworks.com/white_papers/provmon-toc.html
[49] Asta Networks, "Vantage System Overview," http://www.astanetworks.com/products/vantage/
[50] Arbor Networks, "PeakFlow DoS for Hosting Providers Datasheet," http://www.arbornetworks.com/up_media/up_files/PFDoS_ServProv_1.6.pdf
[51] BBN Technologies, "Applications that participate in their own defense," http://www.bbn.com/infosec/apod.html
[52] BBN Technologies, "Intrusion tolerance by unpredictability and adaptation," http://www.bbn.com/infosec/itua.html
[53] J. Shapiro and N. Hardy, "EROS: A principle-driven operating system from the ground up," IEEE Software, pp. 26-33, January/February 2002.
[54] E. O'Brien, "NetBouncer: A practical client-legitimacy-based DDoS defense via ingress filtering," http://www.nai.com/research/nailabs/development-solutions/netbouncer.asp
[55] CERT Coordination Center, "TCP SYN flooding and IP spoofing attacks," http://www.cert.org/advisories/CA-1996-21.html
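
Added example (not part of the original paper): a small simulation of the "Model update" weakness described for anomaly-based detection, where a baseline that retrains itself on unflagged traffic is walked upward by an increasing-rate attack. The EWMA model, the threshold factor, the constructed traffic and the `max_drift` cap are all assumptions made for illustration; the cap is one possible hardening, not a mechanism the paper proposes.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Result:
    first_alarm: Optional[int]  # index of first flagged interval, None if never
    final_baseline: float       # what the model believes "normal" is at the end


def detect(rates: Sequence[float], trained_baseline: float, alpha: float = 0.2,
           factor: float = 2.0, max_drift: Optional[float] = None) -> Result:
    """Threshold detector over per-interval packet rates with automatic model update.

    An interval is flagged when rate > factor * baseline. The baseline (an EWMA)
    is updated only from intervals that were NOT flagged, as the paper describes.
    max_drift (hypothetical hardening) caps the baseline at
    max_drift * trained_baseline, so updates cannot walk it arbitrarily far.
    """
    baseline = trained_baseline
    first_alarm = None
    for i, rate in enumerate(rates):
        if rate > factor * baseline:
            if first_alarm is None:
                first_alarm = i
            continue  # flagged traffic never feeds the model
        baseline = (1 - alpha) * baseline + alpha * rate
        if max_drift is not None:
            baseline = min(baseline, max_drift * trained_baseline)
    return Result(first_alarm, baseline)


# Constructed traffic, packets per interval; normal load is 100.
NORMAL = 100.0
SUDDEN = [NORMAL] * 10 + [1000.0] * 10                          # full-force flood
RAMP = [NORMAL * 1.05 ** i for i in range(48)] + [1000.0] * 20  # +5% per interval
BENIGN = [100.0, 120.0, 90.0, 130.0, 110.0] * 4                 # ordinary variation

if __name__ == "__main__":
    for name, rates in (("sudden", SUDDEN), ("ramp", RAMP), ("benign", BENIGN)):
        plain = detect(rates, NORMAL)
        capped = detect(rates, NORMAL, max_drift=1.5)
        print(f"{name:7s} auto-update: alarm={plain.first_alarm} "
              f"baseline={plain.final_baseline:.0f} | "
              f"capped: alarm={capped.first_alarm} "
              f"baseline={capped.final_baseline:.0f}")
```

Both attack traces end at ten times the normal load; only the gradual one escapes the self-updating model, and it leaves the baseline sitting near the attack rate. A drift cap trades that blind spot for manual retraining whenever legitimate load genuinely grows past the cap.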