Abstract
The ever-expanding array of schemes for detecting and preventing Distributed Denial of Service (DDoS) attacks demands constant review and categorization. As detection techniques have existed for a relatively longer period of time than defense mechanisms, researchers have categorized almost all existing and expected forthcoming attacks. Techniques for defense, however, are still developing. Researchers have found that there could be diverse ways of launching DDoS attacks. Consequently, a defense strategy that adapts and responds autonomously to this variety of attacks is imperative. As more research is done in the area of DDoS defense mechanisms, we understand that, along with the conventional, well-known DDoS prevention and mitigation mechanisms, other factors play an equally important role in shielding a system from DDoS attacks. Such factors include the deployment strategy, the degree of cooperation of the Internet host, the code of behaviour while the system is already under attack, and post-attack analysis. In this paper, we classify the large body of existing defense mechanisms and propose an enhanced taxonomy that incorporates possible parameters that might influence DDoS defense.
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Keshariya, A., Foukia, N. (2010). DDoS Defense Mechanisms: A New Taxonomy. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., Roudier, Y. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2009 2009. Lecture Notes in Computer Science, vol 5939. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11207-2_17
DOI: https://doi.org/10.1007/978-3-642-11207-2_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11206-5
Online ISBN: 978-3-642-11207-2
eBook Packages: Computer Science, Computer Science (R0)