DDoS Defense Mechanisms: A New Taxonomy

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5939)

Abstract

The ever-expanding array of schemes for detecting and preventing Distributed Denial of Service (DDoS) attacks demands constant review and categorization. As detection techniques have existed for a relatively longer period of time than defense mechanisms, researchers have categorized almost all existing and expected forthcoming attacks. However, techniques for defense are still maturing. Researchers have found that there could be diverse ways of launching DDoS attacks. Consequently, a defense strategy that adapts and responds autonomously to this variety of attacks is imperative. As more and more research is done in the area of DDoS defense mechanisms, we understand that, along with the conventional, well-known DDoS prevention and mitigation mechanisms, there are other factors that play an equally important role in shielding a system from DDoS attacks. Deployment strategy, the degree of cooperation of the Internet host, the code of behaviour while the system is already under attack, and post-attack analysis, among others, are such factors. In this paper, we have sorted the large body of existing defense mechanisms and proposed an enhanced taxonomy that incorporates possible parameters that might influence DDoS defense.

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Keshariya, A., Foukia, N. (2010). DDoS Defense Mechanisms: A New Taxonomy. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., Roudier, Y. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2009. Lecture Notes in Computer Science, vol 5939. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11207-2_17

  • DOI: https://doi.org/10.1007/978-3-642-11207-2_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11206-5

  • Online ISBN: 978-3-642-11207-2

  • eBook Packages: Computer Science, Computer Science (R0)