A Defense Framework for Flooding-based DDoS Attacks


A Defense Framework for Flooding-based DDoS Attacks

by Yonghua You

A thesis submitted to the School of Computing in conformity with the requirements for the degree of Master of Science

Queen's University
Kingston, Ontario, Canada
August 2007

Copyright © Yonghua You, 2007

Abstract

Distributed denial of service (DDoS) attacks are widely regarded as a major threat to the Internet. A flooding-based DDoS attack is a very common way to attack a victim machine by sending a large amount of malicious traffic. Existing network-level congestion control mechanisms are inadequate in preventing service quality from deteriorating because of these attacks. Although a number of techniques have been proposed to defeat DDoS attacks, it is still hard to detect and respond to flooding-based DDoS attacks due to the large number of attacking machines, the use of source-address spoofing, and the similarities between legitimate and attack traffic.

In this thesis, we propose a distributed framework which helps to improve the quality of service that Internet service providers (ISPs) deliver to legitimate traffic under DDoS attacks. The distributed nature of the DDoS problem requires a distributed solution. We propose a distance-based distributed DDoS defense framework which defends against attacks by coordinating between the distance-based DDoS defense systems of the source ends and the victim end. The proposed distance-based defense system has three major components: detection, traceback, and traffic control.

In the detection component, two distance-based detection techniques are employed. The distance value of a packet indicates the number of hops the packet has traversed from an edge router to the victim. First, an average distance estimation DDoS detection technique detects attacks based on the average distance values of the packets received at the victim end. Second, a distance-based traffic separation DDoS detection technique applies a traffic rate forecasting technique to identify attack traffic within traffic that has been separated by distance value. For the traceback component, the existing Fast Internet Traceback (FIT) technique is employed to find the remote edge routers which forward attack traffic to the victim. Based on the proposed distance-based rate limit mechanism, the traffic control component at the victim end requests the source-end defense systems to set up rate limits on these routers in order to efficiently reduce the amount of attack traffic.

We evaluate the DDoS defense framework on a network simulation platform called NS2. We also evaluate the effectiveness of the two DDoS detection techniques independently of the proposed defense framework. The results demonstrate that both detection techniques are capable of detecting flooding-based DDoS attacks, and that the defense framework can effectively control attack traffic in order to sustain the quality of service for legitimate traffic. Moreover, the framework shows better performance in defeating flooding-based DDoS attacks than the pushback technique, which uses a local aggregate congestion control mechanism to detect and control traffic flows that create congestion in a network.

Acknowledgments

I am highly thankful to my supervisor, Dr. Mohammad Zulkernine, for guiding me through my research. I would also like to thank Dr. Scott Knight of the Royal Military College of Canada for his comments on the DDoS detection techniques. I am also grateful to my labmates for the numerous discussions I have had with them. I am grateful to my wife, my two sons, and my parents for having faith in me and providing me the background motivation all through my life. This research is partially supported by Bell Canada and MITACS (Mathematics of Information Technology and Complex Systems), Canada. Mr. Anwar Haque and his colleagues in Bell Canada provided very valuable advice in designing this framework.

Table of Contents

Abstract
Acknowledgments
Table of Contents
List of Tables
List of Figures

Chapter 1: Introduction
  Motivation
  Objective and Scope of the Research
  Overview of the Defense Framework
  Contributions
  Organization of the Thesis

Chapter 2: Distributed Denial-of-Service Attacks
  Distributed Cooperative Architecture of DDoS
  IP Spoofing
  Flooding DDoS Attack Mechanisms
    Smurf: ICMP Flooding-based Attack
    TCP SYN Flooding-based Attack
    Trinoo: UDP Flooding-based Attack
    DNS Amplification Attack
  Summary

Chapter 3: Related Work
  DDoS Detection
    IP Attributes-based DDoS Detection
    Traffic Volume-based DDoS Detection
  DDoS Response
    Packet Filtering
    Rate Limiting
  DDoS Defense Framework
    Victim-end Defense
    Source-end Defense
    Distributed Defense
  Summary

Chapter 4: Distance-based Defense Framework
  Overview of Defense Framework
  Detection Component
    Calculating Distance Using a Single-Bit Field
    Average Distance Estimation DDoS Detection
      Estimating Mean Distance
      Estimating Mean Absolute Deviation (MAD)
      DDoS Detection Algorithm
    Distance-Based Traffic Separation DDoS Detection
      Estimating Arrival Rate
      Estimating Deviation
      DDoS Detection Algorithm
    Integration of Two Detection Techniques
  Traceback Component
  Traffic Control Component
  Summary

Chapter 5: Experiments and Results
  Overview of the Pushback Technique
  Simulation Setup
    Simulating Internet Topology
      Topology for Detection Evaluation
      Topology for Framework Evaluation
    Simulating Internet Data Traffic
      HTTP Traffic for Detection Evaluation
      HTTP Traffic for Framework Evaluation
    Simulating Attack Traffic
      Attack Traffic for Detection Evaluation
      Attack Traffic for Framework Evaluation
    Performance Metrics
      Metrics for Detection Evaluation
      Metrics for Framework Evaluation
  Detection Performance
    Adjustment of the Parameters
    Results: Average Distance Estimation DDoS Detection
    Results: Distance-based Traffic Separation DDoS Detection
  Defense Performance
    Average Latency of HTTP Transactions
    Failure Rate of HTTP Transactions
    Throughput of Legitimate Traffic
    Bandwidth Allocation of Traffic
    Drop Rate of Attack Traffic
    Drop Rate of Legitimate Traffic
  Discussions
    Different DDoS Attacks
    IP Spoofing
  Summary

Chapter 6: Conclusion and Future Work
  Conclusion
  Future Work

Bibliography

List of Tables

Symbols used in the listing are
Symbols used in the distance-based traffic separation DDoS detection algorithm
Symbols used in the rate limit algorithm
Performance of the Average Distance Estimation DDoS Detection
Performance of the Distance-based Traffic Separation DDoS Detection
Average Latency of HTTP Transactions
Failure Rates of HTTP Transactions
Drop Rate of Attack Traffic
Drop Rate of Legitimate Traffic

List of Figures

Typical architecture of a DDoS attack
Architecture of a DDoS attack using reflectors
A direct flooding-based DDoS attack
A reflector flooding-based DDoS attack
Comparison between Smurf broadcast amplification and DNS amplification
A DNS amplification DDoS attack
Distance-based distributed DDoS defense framework
Illustration of distance-based distributed DDoS defense operation
Conceptual architecture of the defense system
IP header [83]
FIT marking field diagram. Frag# is the fragment number field. [15]
A DDoS attack in progress [79]
DDoS detection based on average distance estimation when thr = 7.0, w = 0.7, and r =
ROC curves of the average distance estimation DDoS detection technique
DDoS detection based on the traffic separation for distance =
No DDoS defense with ratio (9:1)
Pushback with ratio (9:1)
Distance-based DDoS defense with ratio (9:1)
No DDoS defense with ratio (5:5)
Pushback with ratio (5:5)
Distance-based DDoS defense with ratio (5:5)
No DDoS defense with 1 attacker
Pushback with 1 attacker
Distance-based DDoS defense with 1 attacker
Bandwidth allocation at the congested link during a DDoS attack with ratio (9:1)
Bandwidth allocation at the congested link during a DDoS attack with ratio (5:5)
Bandwidth allocation at the congested link during a DDoS attack with 1 attacker

Chapter 1
Introduction

1.1 Motivation

All Internet Service Providers (ISPs) face the problem of increasing amounts of unwanted traffic. Unwanted traffic consists of data packets that consume limited resources such as bandwidth and decrease the performance of the network, thus lowering the service quality of the network. Unwanted traffic can be produced by user misbehavior or by explicit attacks like flooding-based Distributed Denial of Service (DDoS). A flooding-based DDoS attack is a very common way to attack a victim machine by sending a large amount of unwanted traffic. Network-level congestion control can successfully throttle peak traffic to protect the whole network. However, it cannot prevent the quality of service (QoS) for legitimate traffic from going down because of attacks.

DDoS is one of the major threats to the current Internet because of its ability to create a huge volume of unwanted traffic [1]. The primary goal of these attacks is to prevent access to a particular resource like a Web site [57]. The first reported large-scale DDoS attack occurred in August, 1999, against the University of Minnesota [58]. This attack shut down the victim's network for more than two days. In the year 2000, a DDoS attack stopped several major commercial Web sites, including Yahoo and CNN, from performing their normal activities [58]. In [59], D. Moore et al. used backscatter analysis on three week-long datasets to assess the number, duration and focus of DDoS attacks, and to characterize their behavior. They found that more than 12,000 attacks had occurred against more than 5,000 distinct victims in February. In October, 2002, the Domain Name System (DNS) servers in the Cooperative Association for Internet Data Analysis (CAIDA) network became the victim of a heavy DDoS attack. Many legitimate users could not access web sites because their DNS requests were not able to reach the root DNS servers: the congestion caused by the DDoS attack forced routers to drop these requests [60]. A more serious DNS-based DDoS attack was reported in March, 2006 [61]. Instead of attacking DNS servers directly, this new type of DDoS attack used DNS servers as reflectors to create a stronger attack. This kind of DDoS is harder to stop than normal DDoS attacks because of the complicated DNS protocols and the interaction among multiple DNS servers. Over two months, 1,500 individual Internet protocol addresses were attacked using this approach.

Since the first reported DDoS attack in the summer of 1999, a large number of detection and response techniques have been proposed [58]. However, none of them gives reliable protection for the victim [62]. Two features of DDoS hinder the advancement of defense techniques. The first is that it is hard to distinguish between DDoS attack traffic and normal traffic, which makes detection of a DDoS attack very hard; there is no effective differentiation mechanism that results in minimal collateral damage for legitimate traffic. The second is that the sources of a DDoS attack are hard to find in a distributed network, so a DDoS attack is difficult to stop quickly and effectively.

1.2 Objective and Scope of the Research

The objective of this research is to help ISPs control unwanted traffic by mitigating flooding-based DDoS attacks in IP-based networks. This thesis concentrates especially on the following objectives:

1. A detection technique should detect a DDoS attack with high reliability and at an early stage of the attack.
2. A response technique should drop most of the attack packets without sacrificing the QoS for legitimate traffic.
3. The defense framework should work effectively in distributed network environments.

This thesis studies flooding-based DDoS attacks in computer networks using the Internet Protocol (IP). Another type of DDoS attack, called a logic DDoS attack, can crash a victim without creating flooding traffic: it attacks the victim by exploiting vulnerabilities in the victim [62]. A victim can counter these attacks by fixing its flaws after scanning for vulnerabilities in its network. A logic DDoS attack does not create anomalous congestion in the network. This research focuses on flooding-based DDoS attacks, which remain one of the major threats to the current Internet.

1.3 Overview of the Defense Framework

In this thesis, we propose a distributed cooperative DDoS defense framework. Instead of deploying a defense system at a particular node in a network, we deploy our proposed distance-based defense system at each edge router in a network. Compared with routers in a backbone network, edge routers have enough resources (computing cycles, memory, etc.) to support a defense system because they carry less traffic [33]. The defense system consists of three major components: detection, traceback, and traffic control. The detection component implements two proposed distance-based DDoS detection techniques (average distance estimation and distance-based traffic separation). The distance value of a packet indicates the number of hops the packet has traversed from an edge router to the victim; the trip of a packet from one router to the next in the network is called a hop. The traceback component mainly focuses on analyzing incoming traffic in order to find the addresses of the source-end edge routers. The traffic control component is triggered to set up fitting rate limits for attack traffic after receiving alert messages from other defense systems at the victim end.

In a DDoS attack scenario, the proposed distributed framework defends against attacks by coordinating between the distance-based DDoS defense systems at the source ends and the victim end. A victim-end defense system detects unusual changes in incoming traffic in order to ferret out hidden attacks. When it finds that an attack is in progress, the following sequence of events follows:

1. Source finding: To find source-end edge routers, traditional methods rely on topological knowledge in each node and iterative communication among nodes. In contrast, source finding in our framework uses the Fast Internet Traceback (FIT) technique [15], which only needs edge routers to mark distance and their addresses into IP packets. Furthermore, source finding can be accomplished by the traceback component of the defense system at the victim end alone.

2. Broadcasting alert messages: The defense system at the victim end sends alert messages only to source-end nodes.

3. Rate limiting: The traffic control component of a source-end defense system rules out attack traffic based on the information from the victim end. A distance-based rate limit mechanism is triggered to drop attack traffic at the source ends. Instead of penalizing each source-end router equally, the mechanism sets up different rate limits for routers based on how aggressively they are forwarding attack traffic to the victim.

1.4 Contributions

The key contributions of this thesis include the following.

1. A distributed DDoS defense framework based on the proposed distance-based DDoS defense systems is presented. The response at the source ends and the detection at the victim end detect and erase attack traffic effectively.
2. An average distance estimation-based DDoS detection technique and a traffic separation-based DDoS detection technique are proposed [78].
3. A distance-based attack traffic control mechanism is presented.
4. The proposed framework and techniques are evaluated on a network simulation platform called NS2.
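To make the detection component of the overview concrete, here is an added example (not code from the thesis) of an average-distance-estimation detector: it compares the mean packet distance of each sampling interval against a smoothed baseline and its mean absolute deviation, and flags an interval whose mean shifts too far from that baseline. The EWMA/MAD form, the parameter names alpha, k_mads, warmup and mad_floor, and the per-packet distances are my assumptions and constructed sample data, not the thesis's algorithm or results.

```python
"""Average-distance-estimation DDoS detector (added example, not the thesis's code).

Every packet reaching the victim carries a distance value: the number of hops
it has travelled from the marking edge router to the victim.  The detector keeps
a smoothed estimate of the mean distance over sampling intervals, plus a smoothed
mean absolute deviation (MAD), and alerts when the current interval's mean moves
away from the baseline by more than k_mads times the MAD.  The EWMA/MAD form and
all parameters are assumptions consistent with the thesis outline, not its exact
algorithm; the packet distances below are constructed sample data.
"""
from typing import Iterable, List, Optional, Tuple


class AvgDistanceDetector:
    def __init__(self, alpha: float = 0.3, k_mads: float = 3.0,
                 warmup: int = 5, mad_floor: float = 0.1) -> None:
        self.alpha = alpha          # weight given to the newest interval
        self.k_mads = k_mads        # alert threshold in units of MAD
        self.warmup = warmup        # intervals used to learn a baseline first
        self.mad_floor = mad_floor  # keeps a very quiet baseline from alerting on noise
        self.mu: Optional[float] = None   # smoothed mean distance
        self.mad: float = mad_floor       # smoothed mean absolute deviation
        self.seen = 0                     # intervals processed so far

    def observe(self, distances: Iterable[int]) -> Tuple[bool, float]:
        """Feed one interval's packet distances; return (alert, interval mean)."""
        d = list(distances)
        if not d:
            return False, float("nan")   # nothing arrived; no evidence either way
        m = sum(d) / len(d)
        if self.mu is None:              # the first interval seeds the baseline
            self.mu, self.seen = m, 1
            return False, m
        dev = abs(m - self.mu)
        alert = self.seen >= self.warmup and dev > self.k_mads * max(self.mad, self.mad_floor)
        if not alert:
            # Only intervals judged normal update the baseline, so an ongoing
            # attack cannot train the detector into accepting its own traffic.
            self.mu = (1 - self.alpha) * self.mu + self.alpha * m
            self.mad = (1 - self.alpha) * self.mad + self.alpha * dev
        self.seen += 1
        return alert, m


# Constructed traffic: legitimate clients sit 11-13 hops from the victim.
NORMAL_A = [11] * 5 + [12] * 10 + [13] * 5    # mean 12.0
NORMAL_B = [11] * 4 + [12] * 10 + [13] * 6    # mean 12.1
NORMAL_C = [11] * 6 + [12] * 10 + [13] * 4    # mean 11.9
# Flood interval: the normal mix plus 60 packets from agents only 5 hops away,
# which drags the interval mean down to 6.75.
FLOOD = NORMAL_A + [5] * 60

INTERVALS = [NORMAL_A, NORMAL_B, NORMAL_C, NORMAL_A, NORMAL_B, NORMAL_C, FLOOD, NORMAL_A]


def run_sample() -> List[bool]:
    """Replay the constructed intervals; return the alert flag per interval."""
    det = AvgDistanceDetector()
    return [det.observe(iv)[0] for iv in INTERVALS]


if __name__ == "__main__":
    for i, (iv, alert) in enumerate(zip(INTERVALS, run_sample())):
        print(f"interval {i}: mean distance {sum(iv) / len(iv):.2f} alert={alert}")
```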

1.5 Organization of the Thesis

This thesis is organized as follows. In Chapter 2, a comprehensive description of DDoS is given, and both general attack mechanisms and some typical flooding-based DDoS attacks are discussed in detail. In Chapter 3, related techniques existing in the literature are compared and contrasted with our proposed techniques. Chapter 4 describes the proposed distance-based DDoS defense framework. Chapter 5 demonstrates the effectiveness of the proposed framework in a number of simulations using NS2. Finally, we conclude with a summary of contributions and discuss future work in Chapter 6.

Chapter 2
Distributed Denial-of-Service Attacks

As one of the major security problems in the current Internet, a denial-of-service (DoS) attack attempts to stop the victim from serving legitimate users. A distributed denial-of-service (DDoS) attack is a DoS attack which relies on multiple compromised hosts in the network to attack the victim. There are two types of DDoS attacks. The first type aims to force the victim out of service for legitimate users by exploiting software and protocol vulnerabilities of the system [62]. The second type is based on a huge volume of attack traffic, and is known as a flooding-based DDoS attack. A flooding-based DDoS attack attempts to congest the victim's network bandwidth with real-looking but unwanted IP data. As a result, legitimate IP packets cannot reach the victim due to a lack of bandwidth.

To amplify the effects and hide the real attackers, DDoS attacks can be run in two different distributed, coordinated fashions. In the first, the attacker compromises a number of agents and manipulates the agents to send attack traffic to the victim. The second method makes it even harder to determine the attack sources because it uses reflectors. A reflector is any host that will return a packet if it receives a request packet [63]. For example, a Web server can be a reflector because it will return an HTTP response packet after receiving an HTTP request packet. The attacker sends request packets to servers with the victim's address forged as the source address; therefore, the servers send the response packets to the real victim. If the number of reflectors is large enough, the victim network will suffer exceptional traffic congestion.

Before we introduce the DDoS attack architectures and mechanisms, we give two basic definitions. First, DDoS attack traffic is the traffic which is produced or triggered by the compromised agents. Second, legitimate traffic is the traffic which is produced by normal hosts.

In this chapter, we analyze two basic distributed architectures of flooding-based DDoS attacks and the common IP spoofing techniques used by DDoS attacks. Furthermore, we specify the basic mechanism of flooding-based DDoS attacks and list three typical flooding-based DDoS attacks.

2.1 Distributed Cooperative Architecture of DDoS

Before real attack traffic reaches the victim, the attacker must coordinate all its DDoS agents. Therefore, there must be control channels between the agents and the attacker [62]. This cooperation requires that all agents send traffic based on commands received from the attacker. The network which consists of the attacker, agents, and control channels is called the attack network. In [64], attack networks are divided into three types: the agent-handler model, the Internet Relay Chat (IRC)-based model, and the reflector model.

Figure 2.1: Typical architecture of a DDoS attack

The agent-handler model consists of three components: attacker, handlers, and agents. Fig. 2.1 illustrates the typical architecture of the model. One attacker sends control messages to the previously compromised agents through a number of handlers, instructing them to produce unwanted traffic and send it to the victim. The architecture of the IRC-based model is not much different from that of the agent-handler model, except that instead of communication between an attacker and agents through handlers, an IRC communication channel is used to connect the attacker to the agents [64].

Fig. 2.2 illustrates the architecture of an attack network in the reflector model. The reflector layer is the major difference from the typical DDoS attack architecture. In the request messages, the agents replace their real addresses in the source address field of the IP header with the victim's address. Then, the reflectors in turn generate response messages to the victim.

Figure 2.2: Architecture of a DDoS attack using reflectors

As a result, the flooding traffic which reaches the victim is not from a few hundred agents, but from a million reflectors [63]. An exceedingly diffused reflector-based DDoS attack raises the bar for tracing the real attacker by hiding the attacker behind a large number of reflectors. Unlike in some other types of DDoS attacks, the reflector does not need to serve as an amplifier [63]. This means that reflectors can still serve other legitimate requests properly even while they are generating attack traffic. The attacker does not need to compromise reflectors to control their behavior in the way that agents need to be compromised. Therefore, any host which will return a response if it receives a request can be a reflector. These features facilitate the attacker's task of launching an attack because it only needs to compromise a small number of agents and find a sufficient number of reflectors.

2.2 IP Spoofing

IP spoofing is used in all DDoS attacks as a basic mechanism to hide the real address of the agents or the attacker. In a classical DDoS attack, the agents randomly spoof the source addresses in the IP header. In a reflector-based DDoS attack, agents must put the victim's address in the source address field. The spoofed addresses can be addresses of either existing or non-existing hosts. To avoid ingress filtering, the attacker can use addresses that are valid in the internal network, because non-existing addresses have a high probability of being filtered out.

In the real world, it is possible to launch an attack without IP spoofing if the attacker can compromise enough hosts. In this situation, the attacker would consider how to avoid being traced. Usually, the attacker will use a chain of compromised hosts. Tracing a chain which extends across multiple countries is very hard. Furthermore, compromising poorly monitored hosts in a network makes tracing more difficult due to a lack of information. In these situations, IP spoofing is not a necessary step for hiding the attacker.

2.3 Flooding DDoS Attack Mechanisms

Flooding-based DDoS attacks involve agents or reflectors sending a large volume of unwanted traffic to the victim. The victim will be out of service for legitimate traffic because its connection resources are used up. Common connection resources include bandwidth and connection control in the victim system. Generally, flooding-based DDoS attacks are of two types: direct and reflector attacks [65]. Fig. 2.3 is another view of the process of a direct flooding-based DDoS attack. The architecture of the direct attack is the same as the typical DDoS attack illustrated in Fig. The agents send Transmission Control Protocol (TCP), Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), and other packets to the victim directly. The response packets from the victim reach the spoofed receivers due to IP spoofing.

Figure 2.3: A direct flooding-based DDoS attack

In a reflector attack, presented in Fig. 2.4, the response packets from reflectors are what actually attack the victim. No response packets need be sent back to the reflectors from the victim. The key factors in accomplishing a reflector attack are setting the victim's address in the source field of the IP header and finding enough reflectors.

Basically, an attacker can utilize any protocol as the network layer platform for a flooding-based attack [62]. Direct attacks usually choose one of three mechanisms: TCP SYN flooding, ICMP echo flooding, and UDP data flooding [66]. The TCP SYN flooding mechanism is different from the other two. It causes the victim to run out of all available TCP connection control resources by sending a large number of TCP SYN packets. The victim cannot accept a new connection from a legitimate user without new available control resources. ICMP echo flooding-based attacks consume all available bandwidth as a large number of ICMP ECHO REPLY packets arrive at the victim. UDP data flooding-based attacks achieve the same result as ICMP echo attacks by sending a large number of UDP packets to either random or specified ports on the victim [64].

Figure 2.4: A reflector flooding-based DDoS attack

Reflector attacks rely on protocol features in the victim. Any protocol which will send a response message to the victim can be utilized for a reflector attack. To create a stronger reflector attack, the attacker can utilize the packet amplification technique. An amplifier is used between the agents and the real reflectors. It broadcasts the request packets from agents to all reflectors whose addresses are within the broadcast address range. Most routers in current networks support the IP broadcast feature [64]. Therefore, there exist a large number of potential amplifiers. This helps an attacker increase the volume of an attack with a lower reflector-finding cost.

For attacks which target the bandwidth of the victim, the architecture of the victim network decides how large a volume of attack traffic is needed. Increasing the bandwidth of links and removing bottleneck links in its own network can increase the ability of a victim to tolerate flooding-based attacks. An attack which targets connection control resources usually relies on flaws in the control mechanism of the victim's operating system. Regularly applying software patches for the operating system can fix these problems and avoid being effectively attacked in the future. In the following subsections, we present some typical flooding-based DDoS attacks.

2.3.1 Smurf: ICMP Flooding-based Attack

A Smurf attack is a typical attack using amplifiers. ICMP is the protocol platform for this attack [68]. Usually, ICMP ECHO REQUEST and ECHO REPLY messages are used for carrying control information. For example, a network management system can use ICMP messages to fetch the status of a router. In a Smurf attack, the source address field of an ICMP ECHO REQUEST message is set to the victim's address. Therefore, the ICMP ECHO REPLY message is sent to the victim instead of to the real sender of the request message (the attack agent). In fact, it is a kind of reflector attack as illustrated in Fig. To amplify the effect, the ECHO REQUEST messages can be sent to an amplifier which broadcasts messages to all IP addresses in its subnet. If there are n hosts in the subnet, the victim will receive n ECHO REPLY messages. A large number of ICMP ECHO REPLY messages will consume all bandwidth at the victim.

A Smurf attack can happen because of poor security considerations when implementing the ICMP protocol. Turning off the IP broadcast function in a router can lower the risk of triggering attacks. However, it is not a realistic solution to discard all the benefits of IP broadcast.

2.3.2 TCP SYN Flooding-based Attack

During the establishment of a normal TCP connection, the client must complete a negotiation process with the server. First, the client sends a TCP SYN packet to the server carrying client information to request a connection. Then, the server allocates a connection block in memory and sends back a TCP SYN-ACK packet which contains a sequence number and other server information. Finally, the client confirms that it has received the server information by sending a TCP ACK packet back to the server. This is called the 3-way handshake mechanism. After a connection has been established, the actual TCP data communication can start.

During the 3-way handshake, an important feature is that the number of TCP SYN packets received at the server decides the number of memory blocks used for TCP connection control. Therefore, the server will run out of memory if it receives a large number of TCP SYN packets in a short period of time. Eventually, this situation makes the server unreachable by other clients. This is the basic mechanism of TCP SYN attacks.

In a real TCP SYN attack, the attacker uses the IP spoofing technique. The victim receives a large number of TCP SYN packets with the spoofed addresses of non-existing hosts [62]. However, the victim cannot receive any TCP ACK packets because no hosts will respond to its TCP SYN-ACK packets. Thus, the attack results in a number of half-open connections in server memory. As a result, the server cannot serve new connection requests because it is out of memory. In a worse situation, the server will crash. One of the proposed solutions is to lower the TCP timeout in order to increase the speed of memory recycling. However, most solutions just focus on improvements to the victim system's tolerance of the attack instead of on controlling the TCP SYN flooding traffic.

2.3.3 Trinoo: UDP Flooding-based Attack

A UDP flooding-based attack attacks the victim using UDP, a sessionless networking protocol. When a UDP flood attack happens, the victim receives a large number of UDP packets at a number of random ports. The victim then tries to determine the application listening at each port. If no application is found, the victim replies with an ICMP Destination Unreachable packet. Usually, a UDP flooding-based attack fills the bandwidth of the connection at the victim end. Therefore, the connection is not available for legitimate traffic.

Basically, a UDP flooding-based attack is a direct attack. However, it can be a reflector attack against another victim if the attacker sets that victim's address in the source address field instead of a random address. As the illustration in Fig. 2.3 shows, the spoofed receiver becomes another victim.

Unlike the TCP protocol, UDP-based communication between sender and receiver has no built-in mechanisms to maintain flows when network conditions change. In fact, there are no flow control mechanisms to deal with the congestion created by UDP. Moreover, spoofed UDP traffic is even harder to detect at the victim end than spoofed TCP traffic. To establish a TCP connection, there is a 3-way handshake negotiation mechanism, and the victim can detect spoofed packets during negotiation. In contrast, UDP has no negotiation mechanism because it is a connectionless protocol. Therefore, an attacker can spoof a packet easily. To deal with UDP attacks, the victim needs to rely on the defense systems in its upstream network to stop malicious UDP packets.
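Returning to the TCP SYN flooding mechanism of Section 2.3.2: the following added example (not from the thesis) simulates the server's connection-control resources as a bounded table of half-open handshakes and replays a constructed trace of spoofed SYNs followed by one legitimate client, once with a long half-open timeout and once with the shortened timeout that the text mentions as a mitigation. The Backlog class, the trace, the capacity and the timeout values are all constructed for illustration.

```python
"""TCP half-open connection table under a SYN flood (added example, not the thesis's code).

A server reserves one connection block when a SYN arrives, frees it when the
handshake completes with the client's ACK, and otherwise recycles it only after
the half-open timeout.  The trace below is constructed: ten SYNs from spoofed
sources that never answer, followed by one legitimate client.  Replaying it with
two timeout values shows why spoofed SYNs exhaust the backlog and why shortening
the timeout speeds up memory recycling.  Capacity, timings and addresses are
illustrative values, not measurements.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Key = Tuple[str, int]   # (source IP, source port) identifies a pending handshake


@dataclass
class Backlog:
    capacity: int                  # connection blocks available for half-open connections
    timeout_ms: int                # how long a half-open entry is kept before recycling
    half_open: Dict[Key, int] = field(default_factory=dict)  # key -> SYN arrival time (ms)
    completed: int = 0
    rejected: int = 0

    def expire(self, now_ms: int) -> None:
        """Recycle blocks whose handshake has not completed within the timeout."""
        stale = [k for k, t0 in self.half_open.items() if now_ms - t0 >= self.timeout_ms]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, key: Key, now_ms: int) -> bool:
        self.expire(now_ms)
        if key in self.half_open:        # a retransmitted SYN reuses its block
            return True
        if len(self.half_open) >= self.capacity:
            self.rejected += 1           # no block left: the SYN is dropped
            return False
        self.half_open[key] = now_ms
        return True

    def on_ack(self, key: Key, now_ms: int) -> bool:
        self.expire(now_ms)
        if key not in self.half_open:    # unknown or already recycled handshake
            return False
        del self.half_open[key]
        self.completed += 1
        return True


# Constructed event trace: (time in ms, event, key).  The spoofed sources use
# documentation-range addresses (RFC 5737) and never send the final ACK.
TRACE: List[Tuple[int, str, Key]] = [
    (100 * i, "syn", (f"198.51.100.{i + 1}", 40000 + i)) for i in range(10)
] + [
    (1000, "syn", ("192.0.2.10", 51515)),   # legitimate client
    (1200, "ack", ("192.0.2.10", 51515)),
]


def run_trace(timeout_ms: int, capacity: int = 8) -> Tuple[int, int]:
    """Replay TRACE against a backlog; return (completed handshakes, rejected SYNs)."""
    b = Backlog(capacity=capacity, timeout_ms=timeout_ms)
    for now_ms, kind, key in TRACE:
        if kind == "syn":
            b.on_syn(key, now_ms)
        else:
            b.on_ack(key, now_ms)
    return b.completed, b.rejected


if __name__ == "__main__":
    for t in (3000, 500):
        done, dropped = run_trace(t)
        print(f"timeout {t} ms: completed={done} rejected={dropped}")
```

A shorter timeout also discards legitimate handshakes from clients on slow paths, which is why the text notes that such measures raise the victim's tolerance rather than controlling the flooding traffic itself.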

DNS Amplification Attack

According to VeriSign's security chief, they were attacked in March 2006 by a DNS amplification attack which was significantly larger than any normal DDoS attack [77]. A DNS amplification attack is a relatively new kind of reflector attack. It uses recursive name servers to create an amplification effect similar to the now-aged Smurf attack [67]. A direct comparison between Smurf and DNS amplification is presented in Fig. 2.5. A Smurf attacker sends a packet to an amplifier to broadcast the packet to all hosts in the subnet, each of which will respond with a response packet. In DNS amplification, the sender sends a packet of very small size. However, the DNS server sends back a response packet with a much larger size. Another important feature of a DNS amplification attack is that it must forge the victim's address in the source address field of a DNS query packet. Therefore, the DNS server will send a response packet to the victim. The basic process is illustrated in Fig. 2.6. Specifications of even more complex DNS amplification attacks are available in [67].

Figure 2.5: Comparison between Smurf broadcast amplification and DNS amplification

Figure 2.6: A DNS amplification DDoS attack

It is even harder to defend against DNS amplification attacks than against normal DDoS attacks because of the complex interactive mechanisms between clients and DNS servers, and among the DNS servers themselves.

2.4 Summary

We presented a survey of flooding-based DDoS attacks in this chapter. In a typical DDoS attack network, an attacker sends commands to compromised agents and asks them to send a large volume of traffic to overwhelm the bottleneck link in the victim network. To hide the attacker itself more deeply, a DDoS attack can construct an attack network with a reflector-based architecture. In such a network, an attacker sends packets whose source address has been set to the victim's address to reflectors.

The response messages will be sent to the victim as attack traffic. IP spoofing, which replaces the real source address in the IP packet, is a common feature of DDoS attacks. To avoid ingress filtering, IP spoofing can use valid addresses in the internal network. There are two basic mechanisms for flooding-based attacks. In the first mechanism, an agent creates attack traffic which heads directly to the victim. In contrast, the second mechanism relies on the response traffic from reflectors to overwhelm the victim. A few typical flooding-based DDoS attacks show that a DDoS attacker can create attack traffic using multiple existing protocols (TCP, ICMP, UDP, etc.). Moreover, newly evolved DDoS attacks can create attack traffic based on the current DNS mechanism. Recently reported events indicate that flooding-based DDoS attacks are still one of the major threats to current Internet security. In the literature, there are a number of DDoS detection, traceback, and response techniques invented to deal with the threat. In addition, a number of frameworks have been proposed to achieve more effective DDoS defense. In the next chapter, we summarize those efforts related to our studies.

Chapter 3

Related Work

In this chapter, we compare and contrast our work with some related work. As mentioned before, our proposed framework has three major components, so the related work is divided according to the following three issues: DDoS detection, DDoS response, and DDoS defense frameworks. In Section 3.1, we focus on comparing and contrasting the two proposed distance-based DDoS detection techniques with other detection techniques. The other detection techniques mainly include IP attributes-based DDoS detection and traffic volume-based DDoS detection. Current DDoS response techniques can mainly be divided into two types: packet filtering and rate limiting. We summarize the studies of the above two types and contrast the proposed distance-based Max-Min fair share rate limit algorithm with other rate limit algorithms in Section 3.2. Defense frameworks can be categorized into three types based on the location of the defense system in the network: victim-end defense, source-end defense, and distributed defense. In Section 3.3, we introduce some existing frameworks and compare them to our proposed DDoS defense framework.

3.1 DDoS Detection

DDoS detection is usually the first step in the battle against DDoS attacks. Any DDoS detection technique attempts to detect an attack by observing anomalous changes in IP attributes or traffic volume, because there are no clear DDoS attack signatures. From a network topology point of view, DDoS attack traffic comes from a number of routers. It will definitely change the statistical distribution of the traffic topology. The traffic topology for a host is a map of the upstream routers that are traversed by the traffic sent to the receiving host (victim). As mentioned in Section 1.3, the distance value of a packet is the number of hops the packet has traversed from an edge router to the victim host. We think that distance-based DDoS detection techniques can detect the anomalous changes of traffic topology caused by DDoS attack traffic. For this purpose, we propose two distance-based DDoS detection techniques: average distance estimation and distance-based traffic separation.

The average distance estimation DDoS detection technique works on the distance metric directly. It detects an attack based on the fact that changes of traffic topology lead to changes of the average distance values. The distance-based traffic separation DDoS detection technique uses the distance metric indirectly. It works on traffic that has been separated based on distance values, and detects an attack based on the fact that changes in the separated traffic correlate with changes of traffic topology. In the following two subsections, we analyze some current DDoS detection techniques based on IP attributes and traffic volume, and specify the improvements gained by our two distance-based detection techniques.

IP Attributes-based DDoS Detection

A number of works treat anomalies as deviations in a number of IP attributes, e.g., source IP address [4], TTL [5], and the combination of multiple attributes [8]. In [4], a simple scheme is proposed to detect DDoS attacks by monitoring the increase of new IP addresses. TTL is used by Jung et al. for the analysis of Internet Website load performance [9]. A DDoS attack usually creates network congestion and changes the statistical distribution of the TTL attribute in traffic. Based on this idea, Talpade et al. [5] propose a TTL-based statistical model to detect anomalies created by DDoS attacks. Unfortunately, the technique's performance is not satisfactory because the changes in final TTL values cannot reflect the anomalous changes in the traffic topology directly. In our distance-based techniques, we use TTL to compute the distance value. We believe that the changes in distance values directly represent the changes of traffic topology when DDoS attacks happen.

To achieve better performance, some studies combine multiple IP attributes together. In [8], Kim et al. construct a baseline profile on a number of attribute combinations, such as IP protocol-type and packet-size, source IP prefix and TTL values, as well as server port number and protocol-type, etc. However, these combinations cannot improve performance if the combined attributes are not related to the anomalous changes created by the DDoS attacks. Moreover, a combination of the attributes will definitely make computation more complex and possibly increase the false positive rate. Feinstein et al. [10] design a DDoS detection technique by computing the entropy and frequency-sorted distributions of selected attributes instead of using IP attributes directly. However, its performance still depends on the attribute used for the computation of the entropy.

We believe that the key issue is to identify an indicator which reflects anomalous changes very well. Distance is a relatively better choice based on our studies. Therefore, we construct our average distance estimation DDoS detection technique based on the distance values directly.

Traffic Volume-based DDoS Detection

A large number of traffic volume-based anomaly detection works exist in the literature. In [11], Gil and Poletto propose a heuristic data structure, MULTOPS (Multi-Level Tree for Online Packet Statistics). They use a multi-level tree that keeps packet rate statistics for subnet prefixes at different aggregate levels. Normal traffic usually has a proportional rate to and from hosts and subnets. Therefore, an attack will be detected when MULTOPS observes a disproportional rate of traffic. To directly detect anomalies in traffic rate, Jiang et al. [12] develop an anomaly-tolerant nonstationary traffic prediction technique. Network anomalies can be detected as deviations in overall traffic volume. A similar idea is used by Lee et al. [13], except that they use the exponential smoothing technique to predict traffic rate and the mean absolute deviation (MAD) model to detect anomalous changes of traffic rate. Unfortunately, they do not get satisfactory results because the exponential smoothing technique is too simple to accurately predict the complex and dynamic traffic rate. On the other hand, some highly accurate prediction techniques are not suitable for real-time traffic volume prediction due to their high computational complexity. For example, FBM [18] and FARIMA [19] are not appropriate for this purpose because both involve a large amount of complex calculation [24]. In contrast, the computational complexity of the Minimum Mean Square Error (MMSE) prediction technique is not very high.

The MMSE prediction technique predicts the traffic volume using a linear combination of the current and previous values of traffic volume. In addition, the performance of MMSE is almost as good as FBM or FARIMA based on the study by Wenyu et al. in [24]. Therefore, we believe that the MMSE technique is very suitable for computing traffic volume in real time.

Another problem with existing studies is that they apply their techniques to anomaly detection on aggregate traffic. However, it is very hard to detect the trivial anomalous changes of the aggregate traffic rate during the early stages of a DDoS attack because the attack traffic is still a small portion of the entire traffic at the victim end. To deal with this situation, we propose a new strategy based on traffic separation, where traffic is categorized based on distance values. If we analyze each traffic flow separately, it is much easier to distinguish anomalous traffic from normal traffic. Gao et al. [24] show that MMSE is an efficient traffic rate prediction technique. We use MMSE to predict the normal traffic rate on each separated traffic flow, and the MAD-based deviation model helps detect attacks. This distance-based separation strategy and its combination with the MAD-based deviation model is a unique feature of our distance-based traffic separation DDoS detection technique.

3.2 DDoS Response

After a DDoS attack has been detected, response techniques attempt to control incoming traffic by packet filtering or rate limit techniques. Based on the studies done by J. Mölsä et al. [44], packet filtering techniques can cause more damage to legitimate traffic than rate limit techniques because it is difficult to distinguish DDoS traffic from normal traffic [53]. Therefore, in our framework, we propose a distance-based rate limit technique. In the following two subsections, we discuss packet filtering and rate limit techniques separately. In addition, we will compare and contrast our rate limit technique with other rate limit techniques.

Packet Filtering

To counter DDoS attacks, one of the most straightforward methods is to filter out malicious traffic flows. Packet filtering is usually accomplished at routers based on clearly-defined attack signatures, such as obviously wrong source addresses. However, DDoS attack traffic cannot be filtered out if it uses packets that request legitimate services [54]. Another common drawback of packet filtering is that it usually needs to be deployed widely in order to protect the victim.

Ingress filtering was initially proposed in RFC2267 [80], which has been replaced by a newer version, RFC2827 [56]. Ingress filtering enables a router to check a packet for its source address, and drop packets which carry invalid addresses. To distinguish between valid and invalid addresses, the best place to deploy it is at edge routers, where address ownership is relatively simple and clear. If ingress filtering is widely deployed, spoofed-IP-address DDoS attack traffic has fewer opportunities to enter the Internet. However, it cannot work if an attacker spoofs an IP address which is valid in the local internal network. In addition, it does not help the victim to defend against attacks which are not using spoofed IP addresses.

Y.-H. Hu et al. propose a time-window-based packet filtering mechanism in [50]. It works before the regular queue management operation in a router. Based on a sliding time window whose size is changed dynamically, it identifies and drops malicious and aggressively increasing attack flows. However, collateral damage to legitimate traffic is unavoidable because it does not distinguish between attack and legitimate packets.

T. Peng et al. propose a history-based IP filtering mechanism to stop attack packets from entering the Internet at edge routers [33]. After analyzing normal IP traffic, they find that most IP addresses in legitimate packets arriving at a server reappear regularly. Edge routers save all IP addresses which have been proved to be legitimate in their previous connection history. Then, when the victim is suffering from a high level of congestion, routers will drop packets whose addresses do not exist in the database. A drawback of the mechanism is that it cannot work if an attacker uses addresses which are stored in the database.

Hop-Count filtering is a mechanism proposed by C. Jin et al. to counter spoofed-IP-address DDoS attacks [24]. After analyzing the attack tools used at the time, they found that none of the tools change the TTL field in the IP header. Therefore, the hop number can be inferred from the TTL field. This mechanism classifies packets based on address prefixes and builds an accurate IP-to-hop-count mapping table. Then, when the network experiences a high level of congestion, the mechanism will drop those packets whose hop number does not match the mapping table. An obvious drawback of the mechanism is that it can be tricked if an attacker spoofs the initial value of the TTL field, and spoofing the TTL field is not more difficult than spoofing other fields in the IP header. Another drawback is, again, collateral damage to legitimate traffic. Under a high level of congestion, congestion control mechanisms will often reroute legitimate packets, which may change their hop numbers. Then, they will be dropped because they no longer match the mapping table.

In [51], L. Feinstein et al. propose a statistical mechanism to defend against DDoS attacks by analyzing the entropy and calculating the chi-square statistic of IP attributes. The mechanism divides source addresses into a few bins based on their frequency. During detection, the chi-square statistic detection component finds the source addresses which belong to bins whose frequency distributions are anomalous. Then, a number of static filtering rules are set up to filter out packets from these bins. An obvious drawback of the mechanism is that it does not perform well against attacks with no spoofed packets. For this kind of attack, the variation in source address frequency is small and not easily detectable. In addition, one bin of source addresses may include a number of legitimate addresses, and the static filtering rules will harm them too.

S. Tanachaiwiwat et al. propose an adaptive packet filtering mechanism [47] to defend against DDoS attacks by providing differential QoS for attack and legitimate traffic. The mechanism requires the routers to store a packet before forwarding it. In routers, the mechanism increases the IP counter by one and resets the time to the maximum value in the active IP table based on the address in the packet. The routers decide the QoS for this packet based on the current IP counter value. Usually, legitimate packets get higher IP counter values because legitimate addresses often appear regularly. In contrast, a large number of spoofed IP addresses will turn up when attacks happen. Of course, their IP counter values will be very low. The mechanism does not distinguish between legitimate and attack packets. It just attempts to sustain high QoS for legitimate traffic. However, it cannot protect a new legitimate connection during an attack because its IP counter value is low too. Furthermore, it can be tricked into forwarding attack traffic with high QoS when an attacker uses IP addresses which have high IP counter values. In this situation, the router will help attack traffic
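The distance-based detection ideas of Section 3.1 (distance computed from TTL, average distance estimation, and traffic separation by distance with a linear one-step predictor plus a MAD deviation test) share their TTL-to-hop-count inference with the hop-count filtering mechanism above; the following sketch is an added example and not code from the thesis. The default initial-TTL set, the order-2 least-squares predictor standing in for MMSE, the threshold and deviation floor, and all traffic samples are assumptions made here.

```python
# Added example, not the thesis's own code: distance-based detection on
# constructed samples. TTL-to-distance inference, average distance estimation,
# per-distance traffic separation and a linear-predictor + MAD deviation test
# follow the text; predictor order, thresholds and the data are assumptions.
from collections import defaultdict
from statistics import mean

# Assumption: senders start packets with one of the common default initial TTLs.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_distance(ttl):
    """Hop count inferred from the observed TTL (as in hop-count filtering):
    the initial TTL is assumed to be the smallest default >= the observed value."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be in 0..255")
    return next(init - ttl for init in COMMON_INITIAL_TTLS if ttl <= init)


def average_distance(ttls):
    """Average distance over a batch of packets (average distance estimation)."""
    return mean(infer_distance(t) for t in ttls)


def separate_by_distance(packets):
    """Bytes per distance bucket for one window; packets: [(ttl, size_bytes)]."""
    buckets = defaultdict(int)
    for ttl, size in packets:
        buckets[infer_distance(ttl)] += size
    return dict(buckets)


def fit_order2_predictor(series):
    """Least-squares fit of x_t - mu ~ a1*(x_{t-1} - mu) + a2*(x_{t-2} - mu)
    on an attack-free series (an MMSE-style linear one-step predictor on the
    de-meaned rate). Returns (mu, a1, a2)."""
    mu = mean(series)
    d = [x - mu for x in series]
    s11 = s12 = s22 = b1 = b2 = 0.0
    for t in range(2, len(d)):
        x1, x2, y = d[t - 1], d[t - 2], d[t]
        s11 += x1 * x1
        s12 += x1 * x2
        s22 += x2 * x2
        b1 += x1 * y
        b2 += x2 * y
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        return (mu, 0.0, 0.0)  # degenerate (e.g. constant rate): predict mu
    a1 = (b1 * s22 - b2 * s12) / det
    a2 = (s11 * b2 - s12 * b1) / det
    return (mu, a1, a2)


def predict_next(model, series):
    """One-step prediction of the next window's rate from the last two."""
    mu, a1, a2 = model
    return mu + a1 * (series[-1] - mu) + a2 * (series[-2] - mu)


def is_anomalous(history, observed, threshold=3.0, min_dev_fraction=0.05):
    """MAD deviation test for one bucket: anomalous when the prediction error
    exceeds threshold * MAD (mean absolute prediction error over the history).
    Assumption: a floor of min_dev_fraction * mean rate keeps a very tight fit
    on a short history from alarming on ordinary fluctuations."""
    if len(history) < 4:
        raise ValueError("need at least 4 training windows")
    model = fit_order2_predictor(history)
    errors = [abs(history[t] - predict_next(model, history[:t]))
              for t in range(2, len(history))]
    floor = min_dev_fraction * model[0]
    err = abs(observed - predict_next(model, history))
    return err > threshold * max(mean(errors), floor)


def detect_window(bucket_history, new_window):
    """Deviation test per distance bucket; bucket_history: {distance: [past
    rates]}, new_window: {distance: rate}. A bucket with no history is flagged,
    since traffic from an unseen distance is itself a change in topology."""
    return {dist: (dist not in bucket_history
                   or is_anomalous(bucket_history[dist], rate))
            for dist, rate in new_window.items()}


# Constructed sample: legitimate senders 10..14 hops away, agents 20 hops away.
NORMAL_TTLS = [54, 52, 50, 53, 51]   # distances 10, 12, 14, 11, 13
ATTACK_TTLS = [44] * 5               # distance 20 each
# Constructed attack-free byte rates per window for the distance-12 bucket.
HISTORY = {12: [1000, 1040, 980, 1020, 1010, 990, 1030, 1000, 1020, 990]}
QUIET_WINDOW = [(52, 1000)]                       # one legitimate packet
FLOOD_WINDOW = [(52, 4000)] + [(44, 10000)] * 5   # plus a flood from 20 hops


def run_demo():
    """Returns (avg distance normal, avg distance under attack, quiet flags, flood flags)."""
    quiet = detect_window(HISTORY, separate_by_distance(QUIET_WINDOW))
    flood = detect_window(HISTORY, separate_by_distance(FLOOD_WINDOW))
    return (average_distance(NORMAL_TTLS),
            average_distance(NORMAL_TTLS + ATTACK_TTLS), quiet, flood)
```

On the constructed sample the flood raises the average distance from 12 to 16 hops, the distance-12 bucket is flagged because its rate jumps far beyond the predictor's error band, and the distance-20 bucket is flagged as a previously unseen source of traffic.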


More information

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic

More information

Seminar Computer Security

Seminar Computer Security Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example

More information

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks Provider-Based Deterministic Packet Marking against Distributed DoS Attacks Vasilios A. Siris and Ilias Stavrakis Institute of Computer Science, Foundation for Research and Technology - Hellas (FORTH)

More information

2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks

2.2 Methods of Distributed Denial of Service Attacks. 2.1 Methods of Denial of Service Attacks Distributed Denial of Service Attacks Felix Lau Simon Fraser University Burnaby, BC, Canada V5A 1S6 fwlau@cs.sfu.ca Stuart H. Rubin SPAWAR Systems Center San Diego, CA, USA 92152-5001 srubin@spawar.navy.mil

More information

Attack and Defense Techniques

Attack and Defense Techniques Network Security Attack and Defense Techniques Anna Sperotto, Ramin Sadre Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attack Taxonomy Many different kind of

More information

Protecting Web Servers from DoS/DDoS Flooding Attacks A Technical Overview. Noureldien A. Noureldien College of Technological Sciences Omdurman, Sudan

Protecting Web Servers from DoS/DDoS Flooding Attacks A Technical Overview. Noureldien A. Noureldien College of Technological Sciences Omdurman, Sudan Protecting Web Servers from DoS/DDoS Flooding Attacks A Technical Overview Noureldien A. Noureldien College of Technological Sciences Omdurman, Sudan Email: noureldien@hotmail.com Abstract Recently many

More information

NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS

NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS Iustin PRIESCU, PhD Titu Maiorescu University, Bucharest Sebastian NICOLAESCU, PhD Verizon Business, New York, USA Rodica NEAGU, MBA Outpost24,

More information

Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013

Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013 the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

More information

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges

More information

Denial of Service Attacks

Denial of Service Attacks (DoS) What Can be DoSed? First Internet DoS Attack The TCP State Diagram SYN Flooding Anti-Spoofing Better Data Structures Attacking Compact Data Structures Generic Solution SYN Cookies It s Not Perfect

More information

Queuing Algorithms Performance against Buffer Size and Attack Intensities

Queuing Algorithms Performance against Buffer Size and Attack Intensities Global Journal of Business Management and Information Technology. Volume 1, Number 2 (2011), pp. 141-157 Research India Publications http://www.ripublication.com Queuing Algorithms Performance against

More information

Distributed Denial of Service Attack Tools

Distributed Denial of Service Attack Tools Distributed Denial of Service Attack Tools Introduction: Distributed Denial of Service Attack Tools Internet Security Systems (ISS) has identified a number of distributed denial of service tools readily

More information

DDoS Protection Technology White Paper

DDoS Protection Technology White Paper DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of

More information

Brocade NetIron Denial of Service Prevention

Brocade NetIron Denial of Service Prevention White Paper Brocade NetIron Denial of Service Prevention This white paper documents the best practices for Denial of Service Attack Prevention on Brocade NetIron platforms. Table of Contents Brocade NetIron

More information

NAVAL POSTGRADUATE SCHOOL Monterey, California THESIS A METHOD FOR MITIGATING DENIAL OF SERVICE ATTACKS ON DIFFERENTIATED SERVICES NETWORKS

NAVAL POSTGRADUATE SCHOOL Monterey, California THESIS A METHOD FOR MITIGATING DENIAL OF SERVICE ATTACKS ON DIFFERENTIATED SERVICES NETWORKS NAVAL POSTGRADUATE SCHOOL Monterey, California THESIS A METHOD FOR MITIGATING DENIAL OF SERVICE ATTACKS ON DIFFERENTIATED SERVICES NETWORKS by Matthew J. Braun September 2002 Thesis Advisor: Geoffrey Xie

More information

Depth-in-Defense Approach against DDoS

Depth-in-Defense Approach against DDoS 6th WSEAS International Conference on Information Security and Privacy, Tenerife, Spain, December 14-16, 2007 102 Depth-in-Defense Approach against DDoS Rabia Sirhindi, Asma Basharat and Ahmad Raza Cheema

More information

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection

Technical Series. A Prolexic White Paper. Firewalls: Limitations When Applied to DDoS Protection A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial

More information

Distributed Denial of Service Attacks & Defenses

Distributed Denial of Service Attacks & Defenses Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources:

More information

Denial of Service and Anomaly Detection

Denial of Service and Anomaly Detection Denial of Service and Anomaly Detection Vasilios A. Siris Institute of Computer Science (ICS) FORTH, Crete, Greece vsiris@ics.forth.gr SCAMPI BoF, Zagreb, May 21 2002 Overview! What the problem is and

More information

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals Denial of Service Attacks Notes derived from Michael R. Grimaila s originals Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu. DDoS and IP Traceback. Overview

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu. DDoS and IP Traceback. Overview DDoS and IP Traceback Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu Louisiana State University DDoS and IP Traceback - 1 Overview Distributed Denial of Service

More information

Low-rate TCP-targeted Denial of Service Attack Defense

Low-rate TCP-targeted Denial of Service Attack Defense Low-rate TCP-targeted Denial of Service Attack Defense Johnny Tsao Petros Efstathopoulos University of California, Los Angeles, Computer Science Department Los Angeles, CA E-mail: {johnny5t, pefstath}@cs.ucla.edu

More information

Distributed Denial of Service

Distributed Denial of Service Distributed Denial of Service Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@Csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc7502_04/ Louisiana

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview

More information

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,

More information

Defenses against Distributed Denial of Service Attacks. Internet Threat: DDoS Attacks

Defenses against Distributed Denial of Service Attacks. Internet Threat: DDoS Attacks Defenses against Distributed Denial of Service Attacks Adrian Perrig, Dawn Song, Avi Yaar CMU Internet Threat: DDoS Attacks Denial of Service (DoS) attack: consumption (exhaustion) of resources to deny

More information

AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK. Wan, Kwok Kin Kalman

AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK. Wan, Kwok Kin Kalman AN INFRASTRUCTURE TO DEFEND AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK by Wan, Kwok Kin Kalman MSc in Information Technology The Hong Kong Polytechnic University June 2001 i Abstract of dissertation

More information

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Internet Protocol: IP packet headers. vendredi 18 octobre 13 Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)

More information

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS

A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS , pp-29-33 Available online at http://www.bioinfo.in/contents.php?id=55 A COMPREHENSIVE STUDY OF DDOS ATTACKS AND DEFENSE MECHANISMS SHUCHI JUYAL 1 AND RADHIKA PRABHAKAR 2 Department of Computer Application,

More information

DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach

DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach Anurag Kochar 1 1 Computer Science Engineering Department, LNCT, Bhopal, Madhya Pradesh, India, anuragkochar99@gmail.com

More information

DDoS Overview and Incident Response Guide. July 2014

DDoS Overview and Incident Response Guide. July 2014 DDoS Overview and Incident Response Guide July 2014 Contents 1. Target Audience... 2 2. Introduction... 2 3. The Growing DDoS Problem... 2 4. DDoS Attack Categories... 4 5. DDoS Mitigation... 5 1 1. Target

More information

Inferring Internet Denial-of

Inferring Internet Denial-of Inferring Internet Denial-of of-service Activity Geoffrey M. Voelker University of California, San Diego Joint work with David Moore (CAIDA/UCSD) and Stefan Savage (UCSD) Simple Question We were interested

More information

Security Technology White Paper

Security Technology White Paper Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without

More information

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks Enabling Precise Defense against New DDoS Attacks 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against

More information

Modern Denial of Service Protection

Modern Denial of Service Protection Modern Denial of Service Protection What is a Denial of Service Attack? A Denial of Service (DoS) attack is generally defined as a network-based attack that disables one or more resources, such as a network

More information

SECURING APACHE : DOS & DDOS ATTACKS - II

SECURING APACHE : DOS & DDOS ATTACKS - II SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,

More information

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014 DRDoS Attacks: Latest Threats and Countermeasures Larry J. Blunk Spring 2014 MJTS 4/1/2014 Outline Evolution and history of DDoS attacks Overview of DRDoS attacks Ongoing DNS based attacks Recent NTP monlist

More information

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg Outline Network Topology CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:59:29 Department of Computer Science University of Arizona collberg@gmail.com Copyright

More information

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Application of Netflow logs in Analysis and Detection of DDoS Attacks International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in

More information

An Integrated Defense Approach for Distributed Denial of Service Attacks In Mobile Ad-Hoc Network

An Integrated Defense Approach for Distributed Denial of Service Attacks In Mobile Ad-Hoc Network An Integrated Defense Approach for Distributed Denial of Service Attacks In Mobile Ad-Hoc Network Karthikeyan Thyagarajan School of Computing Science and Engineering, VIT University, Vellore-14, Tamil

More information

DoS/DDoS Attacks and Protection on VoIP/UC

DoS/DDoS Attacks and Protection on VoIP/UC DoS/DDoS Attacks and Protection on VoIP/UC Presented by: Sipera Systems Agenda What are DoS and DDoS Attacks? VoIP/UC is different Impact of DoS attacks on VoIP Protection techniques 2 UC Security Requirements

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: info@cs3-inc.com The Reverse Firewall: Defeating

More information

SECURITY FLAWS IN INTERNET VOTING SYSTEM

SECURITY FLAWS IN INTERNET VOTING SYSTEM SECURITY FLAWS IN INTERNET VOTING SYSTEM Sandeep Mudana Computer Science Department University of Auckland Email: smud022@ec.auckland.ac.nz Abstract With the rapid growth in computer networks and internet,

More information

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE WE ARE NOT FOR EVERYONE JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME Don t let a DDoS attack bring your online business to a halt we can protect any server in any location DON T GET STUCK ON THE ROAD OF

More information

Analysis of a Distributed Denial-of-Service Attack

Analysis of a Distributed Denial-of-Service Attack Analysis of a Distributed Denial-of-Service Attack Ka Hung HUI and OnChing YUE Mobile Technologies Centre (MobiTeC) The Chinese University of Hong Kong Abstract DDoS is a growing problem in cyber security.

More information

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory Denial of Service (DoS) attacks and countermeasures Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory Definitions of DoS/DDoS attacks Denial of Service is the prevention of authorised access

More information