Distribution Denial of Service attacks has been one of the serious problems posing an enormous threat to the Internet industry (Mircovic et al.). As a result, due to the severe dangers associated with the DDoS, a lot of defense mechanisms have been introduced in order to counter those threats. Denial of Service (DoS) attacks can be defined as malicious attempts by a person or a group of individuals to prevent the legitimate Internet users from accessing information or services (Shelly, Vermaat). The attackers can do this by targeting other computers or network connections. They can also attack both the computer and the network of various sites that the Internet users try to use. Attackers can manage to prevent the Internet users from accessing their websites, email, and online accounts such as online banking accounts or any other services that depend on the computer.
Currently, one of the most common Denial of Service attack affecting the Internet users occurs in the process when the attacker floods a certain network with information (Rash). In such cases, when the user type an URL for a certain website into his or her browser to search for the information, the request is usually sent to the computer server of that site in order to view the page (Raghavan). The server always processes a certain number of sent requests at once, so if an attacker overloads the computer server with requests, the server cannot process the user’s request. This can be referred to as a denial of service since the user cannot access that site.
Additionally, an attacker can also use spam messages to start a similar attack on the Internet user account. Whether the user has an email account granted by his/her employer or an account available through the Internet service like Hotmail or Yahoo, the user gets a specific quota, which limits the data amount he/she can have in his/her account at a particular time. By sending large or numerous messages to the account, the attacker can easily consume the user’s quota, preventing him/her from receiving legitimate messages. On the other hand, Distributed Denial of Service (DDoS) attack can be defined as the process through which an attacker can use computers to attack one or many computers. An attacker can take control of the Internet on the victim's computer by taking advantage of security weaknesses. Then, an attacker can force the victim's computer to send large amounts of data to a certain website or send spam to specific email addresses (Douligeris). This attack is called distributed because the attacker uses many computers to start the service attack’s denial.
Description of DDoS Attack
Distributed Denial of Service (DoS) attack attempts to exhaust the resources of the victim. Such resources can be computing power, network bandwidth, or operation system data structures (Bosworth). In order to launch a Distributed Denial of Service, malicious users (attackers) start by building a network of computers that they intend to use in producing the volume of traffic needed in order to deny services to the targeted computer users.
In order to create such an attack network, attackers try to discover sites and hosts that are vulnerable in the network. Vulnerable hosts can be described as the hosts that might be running without antivirus software or those with outdated antivirus software or the hosts that might not be patched properly (Endler, Collier). Eventually, the identified vulnerable hosts get exploited by the attackers who gain access to these hosts using their vulnerability. The main aim of the attackers is to install new programs commonly known as attack tools, on the compromised hosts within the network. The hosts that run these attack tools can be referred to as zombies and can perform any attack under the attacker’s control, combination of many zombies together form what can be called an army.
Attackers change their tools continuously in order to evade these security systems. On the other hand, researchers endeavor to modify their approaches in order to prevent new attacks. The phenomenon of the Distributed Denial of Service is changing quickly, making it increasingly hard to grab a global view of this phenomenon. This paper covers various structures of the Distributed Denial of Service field by developing a taxonomy of the DDoS attacks and taxonomy of the DDoS defense systems. Additionally, the goal of this paper is to study the key features of attack and various security mechanisms. Also, the paper attempts to establish a better understanding of the problems of the Distributed Denial of Service (DDoS).
Another approach used by the attackers in performing the DDoS is to send a few deformed packets that usually confuse a protocol, or an application on the victim’s computer forcing it to reboot or freeze (Mircovic et al.). In September, 2002, severe attacks overloaded the Internet infrastructure instead of targeting specific victims. In addition, attackers can perform attacks by subverting machines in the network of the victim and consume key resources so that rightful users sharing the same network cannot get some inside or outside services.
In performing the attacks, first, the attacker recruits multiple agent machines; this can be done automatically by scanning the remote machines, as a way of discovering security holes that can enable subversion. After the process of looking for security holes, the attacker exploits discovered vulnerability in order to break into recruited machines and infect these machines with the attack code (Ec-Council). The exploit/infect phase is regularly automated, and the infected machines may be used in recruiting new agents. Additional recruit/exploit/infect strategy comprises distributing attack software. These software copies can be referred as Trojans (Giladi). For example, this Distribution Denial of Service can be performed by sending e-mail messages that contain infected attachments.
Performing attacks, the attackers use subverted agent machines to send the attack packets. These attackers frequently hide the identity of the subverted machines used in attack by hiding the source address. For example, they use fake source address on the header of the packets in order to hide the identity of the sender. Also, the attacker can fake the source address of the rightful user in the legitimate service requests usually directed at some servers, for instance DNS requests.
Taxonomy of DDoS Attacks
In order to devise the taxonomy of Distributed Denial of attacks, the means used in preparing and performing the attack such as infecting, recruiting and exploiting phases are considered. Also, the characteristics of the attack itself (use phase), as well as the effect the attack has on the victim, must be observed. Taxonomy of the DDoS attacks comprises certain criteria and classes, as it is shown below.
Classification by Degree of Automation
In this criteria exploiting, recruiting, infecting and use phases may be performed either manually or be automated. Additionally, under the degree of automation, attacks can be differed as automatic, semi-automatic, and manual DDoS attacks.
In manual DDoS, the attacker usually scans the remote machines manually for vulnerabilities, then breaks into machines, installs an attack code and finally, the attacker commands the start of the attack. Only the early Distributed Denial of service attacks belong to the manual category, but eventually, even actions of recruitment get automated (Douligeris).
In semi-automatic attacks, the Distributed Denial of Service network comprises the handler (master) and the agent (zombie, slave, and daemon) machines. In this category of attack, phases like recruiting, exploiting, and infecting get automated. On the other hand, in the use phase, the attacker tries to specify the type of attack, onset of the attack, duration of the attack as well as the victim through the handler to agents, who participate in sending packets to the victim (Mitrakas).
Additionally, automatic Distributed Denial of Service (DDoS) attacks automates the use phase, together with other phases that include recruiting, exploiting and infecting phases. This excludes the need for any form of communication between the network attacker and agent machines. The onset of the attack, type of attack, duration of attack and victim get preprogrammed in the attack code. Additionally, deployment mechanisms of the automatic DDoS attack offer minimum exposure to the network attacker, since he/she only gets involved in producing a single command at the onset of the recruitment. Under these criteria, the attack specification proposes a single-purpose use of the Distributed Denial of Service network, or the nature of the system that is inflexible. However, in this class, propagating methods leave the backdoor of the compromised machine open, this enables easy access and alteration of the attack code in future. In addition, if the agents communicate using IRC channels, these channels can be used to alter the existing code.
Host Scanning and Vulnerability
In this class, semi-automatic and automatic attacks usually recruit the agent machine through deployment of automatic scanning and propagation methods. This can happen through the use of Trojan and worms. The major objective of host scanning strategy is to choose network addresses of the machines that might be potentially vulnerable in order to scan it. Then vulnerability scanning goes through a chosen list of addresses and searches for vulnerabilities.
Taxonomy of DDoS Defense Mechanisms
Distributed Denial of Service has become a serious phenomenon; this has contributed to the introduction of several mechanisms known as DDoS defense mechanisms. Some of the mechanisms of a particular kind of the Distributed Denial of Service (DDoS) attack can be an attack on servers (Lee et al.). Additionally, some of the established mechanisms try to address all problems related to the Distributed Denial of Service. In DDoS defense mechanisms, many suggested approaches require particular elements to achieve their highest performance.
In order to address the problem of the Distributed Denial of Service, individuals should understand how those approaches can be combined in order to attempt to solve the issue of the DDoS more effectively or fully.
Classification by Activity Level
Taxonomy of the DDoS defense mechanisms can be classified by different criteria. These defense mechanisms can be distinguished as preventive and reactive mechanisms.
(a) Preventive Mechanisms
Preventive mechanism play a key role in eliminating the likelihood of Distributed Denial of Service attacks totally or allow victims to tolerate the attack without restricting legal clients from accessing the information. This class can further be divided into two mechanisms which include denial of service prevention mechanisms and attack prevention mechanisms (Saadawi).
Attack prevention mechanisms alter the configuration of the system to eradicate the likelihood of a Distributed Denial of Service attack. Prevention mechanisms can be divided further into protocol security mechanisms and system security mechanisms. System security mechanisms enhance the entire system’s security by guarding the system against illegal access by illegitimate users. Also, security mechanisms remove application bugs in the system and update protocol installation to avoid intrusion and misuse of the system. Systems that might be susceptible to intrusions can turn out to be victims of the attacks in which the attacker can delete or change the contents because they already have unrestricted access to the machine.
The prospective victims of the Distributed Denial of Service attacks can be besieged easily in case they deploy susceptible protocols. Some of the examples of security mechanisms consist of applications responsible for downloading and installing security scraps, monitored access to the machine, virus scanners, intrusion detection systems, firewall systems, capability-based systems, and access lists for critical resources. Although this approach may not be perfect, it can help in reducing the strength and rate of possible DDoS attacks.
On the other hand, protocol security mechanisms tackle the issue of inappropriate protocol design. In many cases, many protocols include operations that may be cheap to the user but expensive to the server. Protocols like these might be distorted to exhaust the resources of a particular server by introducing many concurrent transactions. Examples include the TCP SYN attack, authentication server attack, as well as the fragmented packet attack, in which the illegitimate users usually attack the victim with deformed packet fragments compelling it loses resources in resembling efforts.
(b) Reactive Mechanisms
Reactive mechanisms can also be referred to as Early Warning Systems. They attempt to detect the possible attack and respond to it instantly. Therefore, they control the effect of the attack on the victim. The main detection strategies under reactive mechanisms include anomaly detection, signature detection and hybrid systems. Signature detection method attempts to search for the patterns in the identified network traffic that match the signatures that are known from the database. The benefit of these approaches is that they can easily detect the known attacks, but they cannot detect new attacks. In addition, the signature database must be updated constantly in order to retain system’s reliability.
On the other hand, anomaly-based approaches compare the parameters of the normal network traffic with the observed traffic. This enables new attacks to be easily detected. As a way of preventing a false alarm, normal traffic model must be updated at all times and the threshold of classifying the anomaly must be modified properly.
Finally, the hybrid systems join signature detection and anomaly detection. These systems always update their signature database with various attacks that might be detected by the anomaly detection. Sometimes, the threat may be enormous since an attacker may fool the system by typifying normal traffic as an attack. In the situation like this, Intrusion Detection System (IDS) turns out to be an attack tool.
Immediately the attack gets detected, the reactive mechanisms respond to it. In this mechanism, the relief of the effects is the main concern. Some mechanisms always react by limiting the accepted traffic rate; this implies that the legitimate traffic may be blocked. In the situation like this, the solution comes through tracing back the approaches that attempt to recognize the attacker. In case the attackers get recognized, then it is obviously easy to filter their traffic regardless of their endeavors to spoof their address. The process of filtering can only be efficient if the attackers get detected correctly.