On the Impact of DoS Attacks on Internet Traffic

On the Impact of DoS Attacks on Internet Traffic

Introduction

Denial of Service (DoS) attacks is undoubtedly a very serious problem in the Internet, whose impact has been well demonstrated in the computer network literature. The main aim of DoS is the disruption of services by attempting to limit access to a machine or service instead of subverting the service itself. This kind of attack aims at rendering a network incapable of providing normal service by targeting either the network's bandwidth or its connectivity. These attacks achieve their goal by sending at a victim a stream of packets that swamps his network or processing capacity denying access to his regular clients. In the not so distant past, there have been some large-scale attacks targeting high profile Internet sites.

DDoS attacks are comprised of packet streams from disparate sources. These attacks engage the power of a vast number of coordinated Internet hosts to consume some critical resource at the target and deny the service to legitimate clients. The traffic is usually so aggregated that it is difficult to distinguish legitimate packets from attack packets. More importantly, the attack volume can be larger than the system can handle. Unless special care is taken, a DDoS victim can suffer from damages ranging from system shutdown and file corruption, to total or partial loss of services.

Characteristics and DoS

There are no apparent characteristics of DDoS streams that could be directly and wholesalely used for their detection and filtering. The attacks achieve their desired effect by the sheer volume of attack packets, and can afford to vary all packet fields to avoid characterization and tracing.

Once an attack is identified, the immediate response is to identify the attack source and block its traffic accordingly. The blocking part is usually performed under manual control (e.g. by contacting the administrators of upstream routers and enabling access control lists) since an automated response system might cause further service degradation in response to a false alarm. Automated intrusion response systems do exist, but they are deployed only after a period of self-learning (for the ones that employ neural computation in order to discover the DDoS traffic) or testing (for the ones that operate on static rules). Improving attack source identification, techniques can expedite the capture of attackers and deter other attack attempts. There are many approaches that target the tracing and identifying of the real attack source.

IP traceback traces the attacks back towards their origin, so one can find out the true identity of the attacker and achieve detection of asymmetric routes, as well as path characterization. Some factors that render IP traceback difficult is the stateless nature of Internet routing and the lack of source accountability in the TCP/IP protocol. For efficient IP traceback it is necessary to compute and construct the attack path. It is also necessary to have a low router overhead and low false positive rate. Furthermore, a large number of packets are required to reconstruct the attack ...