Distributed Denial Of Service Attacks



Characterization of defense mechanisms against distributed denial of service attacks




Introduction

Distributed denial of service (DDOS) attacks have emerged as a prevalent way to compromise the availability of networks or servers. Since these attacks have interrupted legitimate access to the networks or servers providing online services, they have imposed financial losses on e-commerce businesses (CERT/CC, 1999; Tran, 2000; Yankee, 2000). To mitigate the impacts of DDOS attacks, it is important to develop defenses that can both detect and react against ongoing attacks. Although many DDOS defenses have been proposed, few of these proposals have been widely deployed at this point. The first step toward the wide deployment of DDOS defenses is to understand the performance tradeoffs and deployment costs of these defenses.

We qualitatively review and categorize the current DDOS defense mechanisms that have appeared in the literature. The characterization is based on the attack detection algorithms and attack responses in a defense, because the performance tradeoffs and deployment costs of a defense depend on them. An attack detection algorithm refers to the procedures that a defense uses to identify attacks based on available network information. An attack response refers to the mitigation strategies that a defense triggers once an attack is identified.

Our purpose is to provide insights to network operators and their managers so that they will know which defenses to adopt under which circumstances. The categories and characteristics listed in the paper will assist Internet Service Providers (ISPs) in considering the provision of DDOS defenses as network services to their subscribers, such as e-commerce companies.

This paper is organized as follows. The next section explains the scope and method of the characterization. Defenses in terms of attack detection algorithms are categorized under section “Attack detection algorithms”. Defenses in terms of attack responses are categorized under section “Attack responses”. Conclusions and discussions follow.

Scope and method of the characterization

Both firewall technology (Cheswick and Bellovin, 1994; Zwicky et al., 2000) and intrusion detection systems (Axelsson, 2000; Debar et al., 1999; Mukherjee et al., 1994) have been developed to detect and respond to various kinds of Internet-based attacks. However, defenses that are specifically designed to respond to large-scale DDOS attacks (CERT/CC, 1999) have not drawn much attention until recent years. In particular, the DDOS attacks in February 2000 against multiple e-commerce web sites (Tran, 2000; Yankee, 2000) highlight the potential risk and the severe impacts of DDOS attacks.

Current literature on the characterization of DDOS defenses is very limited, and each of the current works serves a different purpose than this paper. Most of the available DDOS literature reviews existing defenses. Among these, Savage et al. (2001) describe the pros and cons of various defenses most extensively, but their purpose is to compare these defenses with a proposed IP traceback method. The most similar work to this paper is the taxonomy of DDOS defense mechanisms (Mirkovic et ...