Computers and Electrical Engineering 72 (2018) 26–38
Defense mechanisms against Distributed Denial of Service attacks: A survey
Mousa Taghizadeh Manavi, Young Researchers and Elite Club, Ardabil Branch, Islamic Azad University, Ardabil, Iran
Article info
Article history: Received 1 November 2016; Revised 4 September 2018; Accepted 4 September 2018
Keywords: DDoS attack; Bot; Source-based; Network-based; Destination-based; Hybrid mechanism

Abstract
Distributed Denial of Service (DDoS) attacks are a group of collaborative attacks performed by attackers that threaten internet security and disrupt services. In this attack, the attacker makes use of compromised systems to prevent legitimate users from accessing server resources, and uses those systems to launch extensive attacks against the victim. In this paper, we survey defense mechanisms against DDoS attacks that are useful on the internet. We categorize the mechanisms into two layer-based main groups: network/transport layer and application layer. The network/transport layer mechanisms are then classified into four classes (source-based, network-based, destination-based and hybrid mechanisms), and the application layer mechanisms into two classes (destination-based and hybrid mechanisms). We survey important developments in each of these classes and outline new challenges. This survey discusses the differences between the aforementioned categories in terms of how they detect, defend and respond, as well as directions for future research. © 2018 Elsevier Ltd. All rights reserved.
1. Introduction
Nowadays, the ever-increasing growth of the internet has become a factor of evolution in human life, and it has come to be known as an effective, unavoidable technology for meeting the demands of human life. Like other available facilities, the internet has its advantages and disadvantages. Advantages of the internet include scalability and easy communication. In contrast, one of the main challenges of this technology is security, which has seen numerous variations over time. The Denial of Service (DoS) attack is a dangerous threat on the internet. In a DoS attack, the attacker invades the intended victim (server) and makes the services offered to legitimate users unavailable. Consequently, a DoS attack may be considered a threat to internet availability [1]. With the advent of DoS attacks, different websites and servers such as Yahoo, eBay, and Amazon have been invaded by this kind of attack, which imposed huge financial losses on the companies and their servers. Since a DoS attack involves a single attacker, it was not possible to perform heavy, extensive attacks, and the attacker was identified easily. With the growth of the internet in the last decade, however, attackers' capabilities have developed and, unfortunately, the security vulnerabilities of systems have increased; vulnerable systems have paved the way for attackers to perform massive attacks. This kind of attack is known as a DDoS attack. It acts cooperatively, is performed on a large scale, and is carried out directly by compromised computers. An example of the general architecture of a DDoS attack is shown in Fig. 1. In a DDoS attack, there are two types of victims regarding the exploitation of compromised computers
Reviews processed and recommended for publication to the Editor-in-Chief by Area Editor Dr. G. Martinez.
E-mail address: [email protected]
https://doi.org/10.1016/j.compeleceng.2018.09.001
0045-7906/© 2018 Elsevier Ltd. All rights reserved.
Fig. 1. The general architecture of DDoS attack.
by the attacker. The first type of victim is the server, in other words the main target of the attacker; the attacker can exhaust its computational resources or make the victim's communication link unavailable by flooding. The second type of victim includes vulnerable systems which are controlled by the attacker. Accordingly, the attacker first compromises a large number of internet hosts by installing software on them, and then installs the attack software on the compromised systems. These compromised systems are known as bots or agents, and they are controlled by the attacker through handler systems. Such a network controlled by the attacker is called a botnet or zombie network. In the next step, the attacker sends commands to the bots through the handlers, and the bots invade the server by generating a high volume of packets. As a result, the server is not able to respond to the high volume of packets and its resources are exhausted quickly. Nowadays, due to the progress made in DDoS attacks and the new, complex and destructive tools designed by attackers, novel defense mechanisms and methods have been proposed by researchers, which are categorized into specific groups based on their application, location, and defense type. One popular categorization of defense mechanisms is based on the location of detection and defense against the attack. Accordingly, the proposed methods may be categorized into source-based, network-based (core), destination-based, and hybrid groups; this kind of categorization is referred to and used in [2]. Due to the wide range of methods used in detecting DDoS attacks and defending against them, different classifications in the network/transport and application layers have been proposed in [3]. In this paper, we divide the mechanisms introduced for DDoS attack detection and defense into two main groups (Fig. 2), network/transport layer and application layer, based on the classification of [2].
Due to the different circumstances of the layers in the network, classifying defense mechanisms by layer and protocol type separates each method properly according to its function and operational domain. In this paper, network/transport layer mechanisms are divided into four groups: source-based, network-based (core), destination-based, and hybrid (distributed) mechanisms; application layer mechanisms are divided into two groups: destination-based (server side) and hybrid (distributed) mechanisms. A number of review papers on DDoS attacks and defense mechanisms have been presented before, but this review differs from previous papers in several aspects: (1) Basic DDoS attacks are introduced and described, since new attacks are based on the basic ones. (2) There are different categories of defense mechanisms, each with its own advantages and disadvantages; since defense mechanisms are specified according to network or application nature and defense type, determining the location and region in which a mechanism is implemented significantly affects the defense. Thus, in this paper, mechanisms are classified by whether they belong to the network/transport or application layer, and by defense location. (3) In classifying mechanisms by location, the defense location is specified based on
Fig. 2. Classification of defense mechanisms against DDoS attack based on layers and location [2].
the conditions of the defense mechanism, or an efficient defense mechanism is designed based on the advantages and disadvantages of a specific location, so that the required effectiveness in detection and defense is obtained. (4) In this paper, different strong defense mechanisms presented against DDoS attacks from 1998 to 2016 are investigated and included in the classification, to let researchers understand the developments in this context. Thus, following the mentioned categorization, mechanisms are compared and evaluated based on their performance, activity type, advantages and disadvantages, and this comparison describes the details of each mechanism. The rest of the paper is organized as follows. Types of DDoS attacks in the network/transport layer and application layer, as well as defense concepts and terminology, are presented in Section 2. Section 3 classifies and discusses detection and defense mechanisms against DDoS attacks in the network/transport layer and application layer. Section 4 categorizes and compares the proposed mechanisms. Section 5 refers to some open issues, and finally, Section 6 concludes the paper.

2. Types of DDoS attacks, defense concepts and terminology
Since DDoS attacks are extensively active in the network/transport layer and the application layer, this section studies and introduces the types of attacks in these layers. Moreover, attacks in cloud computing and IoT are discussed. Then, the defense concepts and terminology used in prevention, detection and response mechanisms against DDoS attacks are described.

2.1. DDoS attack types
Due to the threats and damage of DDoS attacks in layers 3, 4, and 7, attacks are categorized in this section into two main groups, network/transport layer and application layer, and each attack is introduced in its group according to the protocol it targets. Two further classes cover attacks in cloud computing and IoT.

2.1.1. Network/transport layer attacks
In this section, network/transport layer attacks are categorized into two types, flooding attacks and amplification attacks. Then, conventional attacks are introduced according to the protocol invaded in each category.
Flooding attack: an attack where the attacker sends a high volume of traffic to the victim system using bots and exhausts the system's bandwidth. Examples of this type of attack are UDP, ICMP, and SYN flooding attacks.
Amplification attack: in this attack, attackers or bots use the broadcast IP address feature of routers to amplify and reflect the attack, sending messages to the broadcast IP address. This delivers the packet to all IP addresses within the broadcast address range and therefore exhausts the bandwidth. Examples of amplification attacks include Smurf and Fraggle attacks [3].

2.1.2. Application layer attacks
In this section, attack types against different application layer protocols are discussed, as follows.
HTTP flood: because port 80 (Hypertext Transfer Protocol, HTTP) is treated as valid by firewalls, attackers exploit this in the HTTP flood attack. The attacker bombards the web servers with HTTP requests, and as a result many resources of the victim servers are exhausted.
SIP flood: Voice over IP (VoIP) telephony is a novel scheme which has grown rapidly due to its low cost and practicality. To support VoIP, the Session Initiation Protocol (SIP) standard was introduced, in which SIP proxy servers admit and process the call setup requests of VoIP customers over the internet. Since call setup in VoIP is done through request packets, attackers use these packets to flood the SIP proxy server, using spoofed source IP addresses.

2.1.3. Attacks in the context of cloud computing
In this section, some attacks in the context of cloud computing are investigated.
Slowly-Increasing Polymorphic DDoS Attack Strategy (SIPDAS) attack: performing attack operations in a hidden manner by managing timed attack patterns and exploiting specific weaknesses of the target systems.
X-DoS: this occurs when an XML message with malicious content is transmitted to a web server or web service to consume and deplete all of its resources. An example of X-DoS is known as the forced parser attack.

2.1.4. Attacks in the context of internet of things
In this section, IoT attacks are investigated.
Simple Service Discovery Protocol (SSDP) attack: SSDP is part of the Universal Plug and Play standard protocol, which is activated on some home devices including routers and web-cams so that devices can find each other on the network and communicate. Adversaries misuse these protocols to intrude into the device, cause damage to the devices, and transmit heavy traffic towards their targets by carrying out a DDoS attack.

2.2. Defense concepts and terminology
In this section, some defense concepts and terminology are described.
False positive: a false positive is an event in which legitimate traffic has features and patterns similar to those of attack traffic and is therefore treated as an attack.
False negative: a false negative is an event in which attack traffic is not detected because its features do not match the known attack traffic patterns.
Flash crowd: a high volume of legitimate requests arriving at the server in a specific, short time interval from a large number of legitimate users at the same time is called a flash crowd.
Ingress/egress filtering: mechanisms that configure systems or routers to prevent the ingress/egress of illegitimate packets; packets are admitted or forwarded only if they fall within the legitimate IP address range. These mechanisms prevent anonymous attacks with spoofed IP addresses [3].

3. Defense mechanisms against DDoS attacks
Since DDoS attacks take place in different layers of the internet, robust defense mechanisms such as prevention, detection, and response methods must be designed and used in the different layers. Accordingly, a general layer-based classification of defense mechanisms, which includes the network/transport layer and the application layer, has been presented by Zargar et al. [2]. Because defense methods work differently in each layer, and to discriminate mechanisms properly by deployment location, we also use the layer classification in this paper. Fig. 3 shows the categorization of mechanisms by deployment location. Our main goal in this paper is to collect novel, popular mechanisms under the aforementioned categorization and present each mechanism's advantages and disadvantages. In this section, defense mechanisms against DDoS are reviewed in two main groups.

3.1. Defense mechanisms of the network/transport layer
In this section, we first divide the defense mechanisms against DDoS attacks that are applicable in the network/transport layer into four categories and describe each group. Then, the mechanisms in each group, which are based on the UDP, TCP and ICMP protocols, are introduced and discussed.

3.1.1. Source-based mechanisms
In this section, we first describe source-based defense mechanisms against DDoS attacks and their basic properties. Second, we discuss several source-based mechanisms.
Finally, some of the discussed defense mechanisms are compared and described.
Overview of source-based mechanisms: These mechanisms are designed and used for defense in the source region. The mechanisms designed for this point detect anomalous flows and packets passing by and perform defense actions such as filtering and rate limiting [2].
Source-based mechanisms: In this section, source-based defense mechanisms are introduced and described. Finally, some popular, applicable mechanisms are compared and reviewed. To detect and filter bandwidth DoS attacks, Abdelsayed et al. [4] have proposed a monitoring method called Tabulated Online Packet Statistics (TOPS), which uses heuristic rules to evaluate traffic. In this method, a fixed set of compact tables is used to monitor the IP address space, which is applicable in detecting packet flow imbalance. A mechanism called the reverse firewall has been proposed by MANAnet [5], which, unlike a conventional firewall, filters outgoing packets. Since this method limits the packet transmission rate of the transmitting engine (the attacker), it is effective in mitigating the effects of DDoS attacks launched from inside the network. To detect DDoS attacks, Wang et al. [6] have proposed a
Fig. 3. Locations of defense mechanisms implementation against DDoS attacks [2].
model based on quantitative measurements, by which two proportion factors of compromised hosts are obtained that have a significant effect on traffic feature deviation. To detect subtle DDoS anomalies at monitors near the attack source, a multi-phase detection scheme consisting of Network Traffic State (NTS) prediction, fine-grained singularity detection, and a malicious address extraction engine has been proposed. In this method, NTS prediction is used to determine the deviation rate of the network state at a monitoring point. Table 1 summarizes some of the popular source-based mechanisms discussed so far and lists the advantages and disadvantages of each.

Table 1 Popular source-based defense mechanisms and their characteristics.
Mechanism | Main idea | Type | Advantages | Disadvantages
Abdelsayed et al. [4] | Detecting flow imbalance based on the compact table and filtering bandwidth attacks based on heuristic rules. | Detection and prevention | High accuracy. Few computational resources required. | Inefficiency in high volume traffics.
Wang et al. [6] | Detecting attack by predicting traffic state and extracting malicious address. | Detection | Detecting low rate attack. Extracting malicious address for responding. | Memory required for storage.

3.1.2. Network-based (core) mechanisms
In this section, we first describe network-based defense mechanisms against DDoS attacks and their basic properties. Second, we discuss several network-based mechanisms. Finally, some of the discussed defense mechanisms are compared and described.
Overview of network-based mechanisms: These mechanisms are designed for defense in the network's core or routers, and they balance detection accuracy against bandwidth consumption. These mechanisms may perform attack detection and traceback, and stop attacks by rate limiting or filtering [2].
Network-based mechanisms: In this section, network-based defense mechanisms are introduced. Finally, some popular, applicable mechanisms are summarized. Since the bandwidth attack is a destructive attack on the internet, Gil and Poletto [7] have proposed a data structure called Multi-Level Tree for Online Packet Statistics (MULTOPS), together with a heuristic method to detect the attack. In this method, the network's systems and routers use MULTOPS to collect packet rate statistics, and the attack is detected by the heuristic method. MULTOPS uses a disproportion between the packet rates a host transmits and receives as its detection heuristic.
Tao and Yu [8] have proposed a DDoS attack detection method for local networks, which uses the flow entropy of the local network's routers to monitor the network traffic and raises an alert in case of a drop in flow entropy. Moreover, information distance is used to discriminate DDoS attacks from flash crowds. The proposed method is a two-phase method based on information theory. In the first phase, the flow entropy of the local network's routers is evaluated and an attack alert is raised if the flow entropy drops significantly within a time period. In the second phase, the flows responsible for the drop in the routers' flow entropy are considered suspicious flows. Zargar and Joshi [9] have proposed a collaboration-based distributed defense mechanism which detects DDoS flooding attacks in the vicinity of the attack source and responds to them. The proposed defense mechanism has four main parts. The first is the task assignment server, used to assign tasks. The second is the DiCoTraM mechanism, a traffic monitoring component that monitors the traffic flow. The third is the DiCoDet mechanism, a detection mechanism that distributes detection tasks to each router of the autonomous system. The last is the DiCoRes mechanism, in which the response actions in each router of the autonomous system are carried out. Table 2 summarizes some of the popular network-based (core) mechanisms and describes the details of each.

3.1.3. Destination-based (victim) mechanisms
In this section, we first describe destination-based defense mechanisms against DDoS attacks and their basic properties. Second, we discuss several destination-based mechanisms. Finally, some of the discussed defense mechanisms are compared and described.
Overview of destination-based mechanisms: Victim-based detection and response approaches are usually used in destination-side routers. Destination-based mechanisms are able to model the victim's characteristics, detect any kind of anomaly, and respond to it. Moreover, they can easily discriminate legitimate traffic from attack traffic. The difficulties of these mechanisms include: being inappropriate for rate limiting or traffic filtering because bandwidth is wasted, the waste of victim resources during a DDoS attack, and detecting the attack only after it reaches the destination, thereby depriving legitimate users of the service [2].
Destination-based mechanisms: In this section, destination-based defense mechanisms are described. Finally, some popular, applicable mechanisms are compared and summarized.
Table 2 Popular network-based defense mechanisms and their properties.
Mechanism | Main idea | Type | Advantages | Disadvantages
Gil and Poletto [7] | Using data structure in the router to collect statistics and detect attack. | Detection and prevention | Stabilizing legitimate traffic flow in case of extensive attacks. | Possible failures in the random address. Studying packet transmission only in IPv4. Storage shortage. Restrictive assumptions have been made.
Tao and Yu [8] | Attack detection by routers' flow entropy. | Detection | Exporting alert at the time of attack. Real simulation tool. | Computational complexity. Storage space.
Zargar et al. [10] | Monitoring coordinated traffic based on monitoring responsibilities. | Detection and monitoring | Supporting detection mechanism. Overhead reduction. Covering attack flows. | Restrictive assumptions.
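The two-phase flow-entropy detector of Tao and Yu [8], listed in Table 2 and described in Section 3.1.2, as an added illustration (example code, not the authors' implementation): the first phase raises an alert when a window's flow entropy falls below a fraction of the baseline, and the second phase strips the heaviest flows until the entropy recovers and reports them as suspicious. The flow key (source, destination, port), the per-window packet counts, the drop ratio and the greedy stripping rule are assumptions of this example; the flash-crowd information-distance step is not shown.

```python
import math
from collections import Counter


def flow_entropy(flows):
    """Shannon entropy, in bits, of the packet-count distribution over flow keys.
    Many flows with similar packet counts give high entropy; a few dominant
    flows (a flood) pull it down."""
    total = sum(flows.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in flows.values() if c > 0)


def suspicious_flows(flows, target_entropy):
    """Second phase (assumed greedy rule): strip the heaviest remaining flow
    repeatedly until the entropy of what is left climbs back to target_entropy;
    the stripped flows are the ones that produced the drop."""
    remaining = Counter(flows)
    stripped = []
    while remaining and flow_entropy(remaining) < target_entropy:
        heaviest = max(remaining, key=remaining.get)
        stripped.append(heaviest)
        del remaining[heaviest]
    return stripped


def detect_entropy_drop(windows, drop_ratio=0.7, warmup=2):
    """First phase: compare each window's flow entropy with the mean entropy of
    the attack-free windows seen so far (the baseline). A window below
    drop_ratio * baseline raises an alert carrying the suspicious flows; alert
    windows are kept out of the baseline so a flood cannot retrain it."""
    alerts, history = [], []
    for idx, flows in enumerate(windows):
        h = flow_entropy(flows)
        if len(history) >= warmup:
            threshold = drop_ratio * (sum(history) / len(history))
            if h < threshold:
                alerts.append({"window": idx, "entropy": round(h, 3),
                               "threshold": round(threshold, 3),
                               "suspicious": suspicious_flows(flows, threshold)})
                continue
        history.append(h)
    return alerts


# Constructed sample: flow key = (src, dst, dst_port), value = packets in the
# window. Eight ordinary client flows with similar counts; windows 0, 1 and 3
# are attack-free, window 2 adds two flood flows that dwarf the rest.
def client_flows(counts):
    return {(f"192.0.2.{i + 1}", "198.51.100.10", 443): c for i, c in enumerate(counts)}


FLOOD_A = ("203.0.113.5", "198.51.100.10", 443)
FLOOD_B = ("203.0.113.6", "198.51.100.10", 443)

SAMPLE_WINDOWS = [
    client_flows([110, 95, 120, 100, 105, 90, 115, 100]),
    client_flows([100, 105, 110, 95, 100, 120, 90, 105]),
    {**client_flows([105, 100, 110, 95, 100, 115, 90, 110]), FLOOD_A: 4000, FLOOD_B: 4000},
    client_flows([95, 110, 100, 105, 120, 90, 100, 110]),
]

if __name__ == "__main__":
    for alert in detect_entropy_drop(SAMPLE_WINDOWS):
        print(alert)
```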
Table 3 Popular destination-based defense mechanisms and their properties.
Mechanism | Main idea | Type | Advantages | Disadvantages
Zhang et al. [11] | Attack detection and prevention based on analyzing IP-based traffic behavior. | Detection and Prevention | Flooding attack detection in the attack initiation level. Low computational overhead. Attack prevention. | Storage consumption to maintain information.
Wu et al. [12] | Attack detection based on decision tree and attacker traceback by traffic pattern matching. | Detection and Identification | Attack detection with proper false positive and false negative rate. Accuracy in attack detection. The ability of responding in short time intervals. Secure communication channel between the components. | Possible error in discriminating normal traffic and detecting as the attack. Storage overhead. Lack of complexity discussion.
Thapngam et al. [15] | Using detection method based on the pattern behavior and properties of traffic sources to discriminate traffic. | Detection | Low false positive and false negative. Short time detection. Applicable in detecting different attacks such as low volume traffic. | Computational complexity. Discrimination is solely based on the packet transmission rate. Detection in the victim side wastes the path's bandwidth. Delay caused by data survey and observation.
Zhang et al. [11] have proposed an immediate detection and prevention method for DDoS attacks which is implemented in the router near the victim and performs attack detection and prevention based on analysis of IP-based traffic properties. The system periodically samples the transmitted and received traffic of each user and decides whether it has normal properties or not. Wu et al. [12] have proposed a DDoS attack detection mechanism based on a decision tree. In the attack detection phase of the proposed method, a basic normal traffic profile is constructed, and if the network traffic deviates from the basic profile it is detected as an attack. Chen and Park [13] have proposed an attack detection method which uses Pushback and packet marking. When an attack takes place, it is detected by the intrusion detection system installed on the victim. The victim then sends a command to the upstream routers, and as soon as the routers receive the command they mark the packets sent to the victim with input interface information. The victim traces the traffic back by collecting the input interface information. Finally, the victim sends the routers contributing to the attack a command to filter the attack packets. Because IP spoofing is easy for DDoS attackers, Wang et al. [14] have proposed a method to authenticate IP packets, which has a simple mechanism and does not need support from the network's lower layers. Since each packet in the network carries hop-count information and attackers performing IP spoofing are not able to forge the hop count of a packet, the proposed method uses the number of hops the packet has traversed to differentiate attack packets from legitimate ones. Table 3 describes the main characteristics of popular destination-based (victim) mechanisms.
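The hop-count check of Wang et al. [14] described above, as an added example (not the authors' code): the victim infers the hop count of each packet from its TTL and compares it with a table of hop counts learned from earlier legitimate packets of the same source address. The set of initial TTL values {32, 64, 128, 255}, the nearest-initial-TTL rule, the use of established-connection packets for learning, the tolerance and the sample addresses are assumptions of this example.

```python
# Assumed set of initial TTL values used by common operating systems; the
# sender's initial TTL is taken to be the smallest of these that is not below
# the TTL observed at the victim.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(observed_ttl):
    """Number of routers the packet has traversed, inferred from the TTL seen
    at the victim (assumed rule: initial TTL = nearest standard value above)."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must be an 8-bit value")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest initial TTL")


class HopCountFilter:
    """IP-to-hop-count table built from trusted packets (assumed here to be
    packets of completed TCP handshakes) and used to flag packets whose TTL
    does not fit the path their source address normally takes."""

    def __init__(self, tolerance=0):
        self.tolerance = tolerance   # allowed hop-count deviation (route changes)
        self.table = {}              # source IP -> learned hop count

    def learn(self, src_ip, observed_ttl):
        """Record the hop count for src_ip from a packet known to be legitimate."""
        self.table[src_ip] = infer_hop_count(observed_ttl)

    def classify(self, src_ip, observed_ttl):
        """'legit' if the inferred hop count matches the table entry, 'spoofed'
        if it does not, 'unknown' if the source address was never learned."""
        if src_ip not in self.table:
            return "unknown"
        delta = abs(infer_hop_count(observed_ttl) - self.table[src_ip])
        return "legit" if delta <= self.tolerance else "spoofed"

    def classify_batch(self, packets):
        """Tally verdicts for an iterable of (src_ip, ttl) pairs."""
        counts = {"legit": 0, "spoofed": 0, "unknown": 0}
        for src_ip, ttl in packets:
            counts[self.classify(src_ip, ttl)] += 1
        return counts


# Constructed sample (documentation address ranges). The trusted set stands for
# packets of established connections; the test batch mixes genuine packets,
# packets carrying a known source address but a TTL that implies a different
# path (the mismatch a spoofer cannot avoid) and a never-seen source.
TRUSTED_PACKETS = [("192.0.2.10", 54), ("198.51.100.7", 116), ("203.0.113.9", 243)]
TEST_PACKETS = [
    ("192.0.2.10", 54),      # 10 hops, matches the table
    ("192.0.2.10", 50),      # 14 hops, mismatch
    ("198.51.100.7", 116),   # 12 hops, matches
    ("198.51.100.7", 49),    # 15 hops, mismatch
    ("203.0.113.9", 243),    # 12 hops, matches
    ("203.0.113.42", 60),    # source never learned
]


def run_sample(tolerance=0):
    """Learn from the trusted packets, then classify the test batch."""
    hcf = HopCountFilter(tolerance)
    for src_ip, ttl in TRUSTED_PACKETS:
        hcf.learn(src_ip, ttl)
    return hcf.classify_batch(TEST_PACKETS)


if __name__ == "__main__":
    print(run_sample())
```

Packets from addresses the table has never seen cannot be judged by this check alone, which is why the example reports them separately instead of dropping them.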
Table 4 Popular hybrid defense mechanisms and their properties.
Mechanism | Main idea | Type | Advantages | Disadvantages
Wang et al. [18] | Using cooperative detection system against flood attacks and authenticating victim's IP addresses. | Detection and Identification | Scalability. Attack detection and the invaded victim authentication in first stages. Decrease in the number of required packets for processing. | Overhead of the victim's IP address authentication. Space requirement.
Mirkovic et al. [19] | Using cooperation of different points in attack detection based on message exchange. | Detection and Prevention | Defense by cooperation. Attack neutralization without classifier nodes. | Cooperation based on message exchange. Damaging the customer if classifier nodes are not present. Necessity of the presence of rate limiting nodes.
Rahmani et al. [20] | Attack discrimination and detection based on total variation distance. | Detection | Discriminating attack from Flash crowd. High accuracy and efficiency compared to methods based on entropy and volume. Decreasing false negative and false positive. | Access to IP Header of each packet is required. Some attacks may not be completely detected.
3.1.4. Hybrid (distributed) mechanisms
In this section, we first describe the category of hybrid defense mechanisms against DDoS attacks and their basic properties. Second, we discuss several hybrid mechanisms. Finally, some of the discussed defense mechanisms are compared and described.
Overview of hybrid mechanisms: Since source-based, destination-based, and network-based deployment points each have their own advantages and disadvantages, cooperative approaches are necessary to deploy detection and response mechanisms. As a result, a possible choice is the hybrid or cooperative approach, where different points in the network cooperate to stop DDoS attacks. For example, hybrid mechanisms detect and discriminate the attack at the destination and, based on the result, deploy rate limiting and filtering rules at the source or in the network core. The difficulty of cooperation between the different networks that have to connect to each other is one of the challenges of hybrid deployment [2].
Hybrid mechanisms: In this section, hybrid defense mechanisms are described. Finally, some popular, applicable mechanisms are reviewed. Yu et al. [16] have proposed a mechanism for IP traceback using information parameters. First, packets passing through a router are classified into flows defined by the upstream router and the packet destination address. In periods without attacks, routers study and record entropy variations. When an attack takes place, the victim performs the Pushback process: first, the victim determines which upstream routers are in the attack tree; then, the victim sends the relevant requests to its immediate upstream routers, and the upstream routers are authenticated. Argyraki and Cheriton [17] have proposed Active Internet Traffic Filtering (AITF), which is used against bandwidth flood attacks. In the proposed method, the packet receiver communicates with the source and requests that it stop transmitting traffic if an anomaly is observed.
Wang et al. [18] have proposed a cooperative DDoS detection system to detect flood attacks and authenticate invaded victims. The proposed scheme is source-oriented and implemented on multiple nodes across the network. The nodes used in the system are responsible for detecting local anomalies and authenticating the victim's IP addresses. The detection method starts by evaluating the passing packets, and after anomaly detection, IP address authentication is done based on a removal mechanism. Mirkovic et al. [19] have proposed a distributed method called Defensive Cooperative Overlay Mesh (DefCOM), which distributes the defense nodes in the internet core. In this method, all nodes form a peer-to-peer overlay for the secure exchange of attack-related messages. When an attack happens, the nodes near the victim detect the attack and alert the rest of the DefCOM overlay. Rahmani et al. [20] have proposed a two-phase approach based on detecting breaks in the distribution of connection sizes, which uses the total variation distance to evaluate the similarity between flows for DDoS attack detection and generates alarms based on abnormal variations in the connection size distribution. Table 4 describes some of the popular hybrid mechanisms and their advantages and disadvantages.
3.2. Application layer defense mechanisms In this section, we divide the defense mechanisms presented to confront DDoS in the application layer into two mechanisms groups of destination-based (server side) and hybrid mechanisms, and describe each group. Then, the mechanisms presented in each group which are based on HTTP, VOIP, and DNS protocols are introduced and discussed.
Table 5 Popular destination-based defense mechanisms and their properties.
Mechanism | Main idea | Type | Advantages | Disadvantages
Jun et al. [22] | Attack detection by entropy. | Detection | Guaranteeing normal traffic transmission and filtering suspicious traffic. | Lack of comparison and accurate study of the proposed method with other detection methods, based on quality of service factors.
Liu and Chang [23] | Using customer properties and scheduling requests to defend against attacks. | Response and Protection | Efficient service provided for legitimate users. Preventing resource waste. | Dependence of defense on scheduling policies.
Ranjan et al. [26] | Defense against attacks by allocating suspicion metric and using this metric in scheduler for deciding about providing service for the request. | Detection and Protection | Proper response time and accuracy in detection. Improving efficiency and response time of the victim. | Not considering limitation for simultaneous customers.
3.2.1. Destination-based (server side) mechanisms
In this section, we first describe destination-based defense mechanisms against DDoS attacks and their basic properties. Second, we discuss several destination-based mechanisms. Finally, some of the discussed defense mechanisms are compared and described.
Overview of destination-based mechanisms: Since application layer protocols follow the Client-Server model, servers are the destination, and destination-based mechanisms are implemented on the victim (destination) side. Destination-based mechanisms are generally based on surveying behavioral characteristics, and they can be presented as defense schemes of traffic detection, traffic filtering and source traceback [2].
Destination-based mechanisms: In this section, destination-based defense mechanisms are introduced. Finally, some popular mechanisms are summarized.
Akbar et al. [21] have proposed a low-rate, multiple-trait DDoS attack detection scheme which works based on the Hellinger distance (HD). Since there are millions of users and connections in a VoIP network, ISPs should use a cluster of servers. Jun et al. [22] have proposed a detection method based on entropy to guarantee normal traffic transmission and prevent abnormal traffic floods. Entropy is calculated from the packet information observed during a specific time period and is used for detection. Liu and Chang [23] have proposed a Defense scheme Against Tilt DDoS attacks, called DAT, which determines whether a user is suspicious based on monitoring the features of each user. Since the CAPTCHA [24] method faces challenges, Beitollahi and Deconinck [25] have proposed a scheme in which each connection with the server is scored based on statistical analysis and the attack is detected based on the score. Ranjan et al. [26] have proposed a suspicion assignment mechanism which detects application layer anomalies in the parameters of session arrivals, session request arrivals, and session workload profiles. In the proposed method, a continuous measure of suspicion is first assigned to a session, and this measure is updated after each request.
Table 5 summarizes the main properties of popular destination-based (server side) mechanisms and describes the details of each mechanism.
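The Hellinger distance scheme attributed to Akbar et al. [21] compares the mix of requests seen in an observation window against an attack-free baseline. The following is an added example illustrating that idea in Python; it is not code from [21] or from this paper. The SIP-style request categories, the baseline windows, the flooded test window and the threshold of 0.2 are constructed assumptions chosen for illustration.

```python
"""Window-based application layer DDoS detection with the Hellinger distance.

Added example: it shows the HD idea in the style of Akbar et al. [21]. The
request categories, the baseline mix and the threshold are constructed
assumptions, not values from that paper.
"""
from collections import Counter
from math import sqrt

# SIP-style request categories counted per observation window (assumed).
CATEGORIES = ("INVITE", "REGISTER", "BYE", "OPTIONS")


def distribution(counts, categories=CATEGORIES):
    """Normalise per-category counts into a probability vector over `categories`."""
    total = sum(counts.get(c, 0) for c in categories)
    if total == 0:                       # empty window: no evidence either way
        return [0.0] * len(categories)
    return [counts.get(c, 0) / total for c in categories]


def hellinger(p, q):
    """Hellinger distance between two discrete distributions; 0 = identical, 1 = disjoint."""
    return sqrt(0.5 * sum((sqrt(a) - sqrt(b)) ** 2 for a, b in zip(p, q)))


def build_baseline(training_windows):
    """Average category distribution over attack-free training windows."""
    dists = [distribution(Counter(w)) for w in training_windows]
    return [sum(d[i] for d in dists) / len(dists) for i in range(len(CATEGORIES))]


def detect(windows, baseline, threshold):
    """Score each window against the baseline; flag it when HD exceeds the threshold."""
    results = []
    for w in windows:
        d = hellinger(baseline, distribution(Counter(w)))
        results.append((round(d, 3), d > threshold))
    return results


def build_windows():
    """Constructed traffic: two clean training windows, one clean and one flooded test window."""
    def window(invite, register, bye, options):
        return (["INVITE"] * invite + ["REGISTER"] * register
                + ["BYE"] * bye + ["OPTIONS"] * options)
    training = [window(40, 30, 25, 5), window(42, 28, 24, 6)]
    # The flooded window is dominated by INVITE requests (constructed attack traffic).
    test = [window(40, 30, 25, 5), window(950, 30, 15, 5)]
    return training, test


def run_example(threshold=0.2):
    """Return the (distance, flagged) verdicts for the constructed test windows."""
    training, test = build_windows()
    return detect(test, build_baseline(training), threshold)


if __name__ == "__main__":
    for dist, flagged in run_example():
        print(f"HD={dist:.3f} -> {'ATTACK' if flagged else 'normal'}")
```

Because the distance is bounded in [0, 1], the threshold can be tuned from attack-free traffic alone; the clean test window scores about 0.01 while the INVITE flood scores about 0.45. A single scalar per window also keeps the per-server state small, which matters when, as the text notes, the ISP spreads millions of connections over a cluster.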
3.2.2. Hybrid mechanisms
In this section, we first describe hybrid defense mechanisms against DDoS attacks and their basic properties. Second, we discuss several hybrid mechanisms. Finally, some of the discussed defense mechanisms are compared and described.
Overview of hybrid mechanisms: These mechanisms rely on cooperation between client and server, and they detect and respond to attacks in a distributed form [2].
Hybrid mechanisms: In this section, hybrid defense mechanisms are described. Finally, some popular, applicable mechanisms are compared and summarized.
Yu et al. [27] have proposed a detection algorithm which uses the flow correlation coefficient as a similarity metric between suspicious flows. Since the similarity among DDoS attack flows is much higher than among flash crowd flows, using the correlation coefficient is efficient. Yan et al. [28] have proposed a game-theoretic framework which evaluates DDoS attacks and defenses. The proposed framework is able to model complex levels of the attacker's and the defender's strategic thinking and provides freedom in selecting the distributions that describe legitimate traffic. Yu et al. [29] have proposed a mechanism called Trust Management Helmet (TMH) to cope with DDoS session flooding attacks, which uses trust management. To establish a connection, four aspects of user trust are considered, including short-term trust, long-term trust, negative trust and misusing trust, which are used for calculating the overall trust. Table 6 summarizes the main properties of popular hybrid mechanisms.

Table 6
Popular hybrid defense mechanisms and their properties.

Mechanism: Yu et al. [27]
Main idea: Using the flow correlation coefficient to discriminate attacks from flash crowds.
Type: Detection
Advantages: • Efficiency against unknown attacks. • Evaluation of the proposed method on real data. • Efficiency against current botnet sizes.
Disadvantages: • Computational complexity not surveyed. • Storage space needed to record information. • Dependence of the analysis on assumptions. • Severe efficiency drop against large botnets.

Mechanism: Tang et al. [30]
Main idea: Detecting and monitoring attacks based on meta-data and preventing attacks by rate limiting rules.
Type: Detection and Prevention
Advantages: • Achieving a monitoring speed of 9 Gbps for server protection. • Efficiency in detection.
Disadvantages: • CPU computational cost. • Memory storage space. • Dependence of the rule capacity restriction on the accuracy of grouping IP addresses.

Table 7
Characteristics of each class of network/transport layer.

Source-based mechanisms: • Easy management of high-volume attacks, provided that a distributed configuration covers the path from source to target. • Implementing the mechanism at the source. • Ability to detect anomalous and suspicious packets. • Ability to filter traffic or limit its rate. • Ability to prevent flooding of intermediate networks and the source. • Best filtering option. • Requiring fewer resources for defense. • Challenge in separating suspicious traffic from legitimate traffic and detecting DDoS attacks. • High performance in case of cooperation with destination-based mechanisms.

Network-based mechanisms: • Implementing in the network and intermediate routers. • Coordination among routers through exchanging evaluations and observations, and cooperation in defense. • Implementing rate limiting principles thanks to adjacency to the source. • If a region or router fails, the cooperation of routers fails. • Difficulty in separating legitimate traffic from attack traffic.

Destination-based mechanisms: • Implementing in destination routers. • Detecting attacks and responding to them. • Easy separation of DoS traffic from legitimate traffic. • Inability to filter attack traffic and limit its rate.

Hybrid mechanisms: • Defense based on cooperation of different regions. • Strong and widespread defense thanks to cooperation. • Difficulty in providing cooperation platforms among different regions.
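The flow correlation idea of Yu et al. [27] (Section 3.2.2 and Table 6) rests on one observation: bots driven by the same tool produce flows whose packet rates rise and fall together, whereas a flash crowd is made of independent sessions. The block below is an added example written for this survey, not code from [27]. It assumes the Pearson coefficient over per-interval packet counts as the concrete flow correlation coefficient, and the three bot flows, three crowd flows and the 0.8 threshold are constructed values.

```python
"""Flow correlation for discriminating a DDoS flood from a flash crowd.

Added example of the similarity idea in Yu et al. [27], not their code: the
Pearson coefficient over per-interval packet counts is assumed as the concrete
flow correlation coefficient, and the flows and threshold are constructed.
"""
from itertools import combinations
from math import sqrt


def pearson(x, y):
    """Pearson correlation of two equal-length count series; 0.0 for a constant series."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:               # a flat series carries no timing signal
        return 0.0
    return cov / sqrt(vx * vy)


def mean_pairwise_correlation(flows):
    """Average correlation over every pair of suspicious flows reaching the server."""
    pairs = list(combinations(range(len(flows)), 2))
    if not pairs:
        return 0.0
    return sum(pearson(flows[i], flows[j]) for i, j in pairs) / len(pairs)


def classify(flows, threshold=0.8):
    """Bot-driven flows move in lockstep, so a high mean correlation indicates DDoS."""
    score = mean_pairwise_correlation(flows)
    verdict = "ddos" if score > threshold else "flash_crowd"
    return verdict, round(score, 3)


# Constructed per-second packet counts of three flows (10 intervals each).
# Bot flows: the same burst shape, scaled or offset, as one tool would generate.
BOT_FLOWS = [
    [10, 12, 9, 11, 50, 48, 52, 10, 11, 9],
    [11, 12, 10, 12, 51, 49, 53, 11, 12, 10],
    [20, 24, 18, 22, 100, 96, 104, 20, 22, 18],
]
# Flash crowd: independent human sessions with no shared timing.
CROWD_FLOWS = [
    [4, 6, 3, 7, 5, 4, 8, 2, 5, 6],
    [7, 6, 6, 6, 2, 7, 5, 5, 4, 2],
    [6, 3, 5, 6, 7, 4, 4, 6, 3, 6],
]

if __name__ == "__main__":
    print("bots  :", classify(BOT_FLOWS))
    print("crowd :", classify(CROWD_FLOWS))
```

The bot flows score close to 1.0 while the crowd flows score near zero (slightly negative for these constructed series), so the two cases separate cleanly. The pairwise comparison is also where the disadvantages listed in Table 6 come from: the number of pairs grows quadratically with the number of suspicious flows, and every flow's count series must be stored for the length of the window.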
4. Results and comparison
Here, a comparison of detection and defense mechanisms against DDoS attacks is presented. In this paper, defense mechanisms are categorized into network/transport and application groups, based on layer. The network/transport layer mechanisms are divided into four classes of source-based, network-based (core), destination-based (victim) and hybrid mechanisms, and application layer mechanisms are divided into destination-based (server side) and hybrid mechanisms.
4.1. Network/transport layer
In this section, the categorization of mechanisms is described based on the network/transport layer, considering their differences and basic properties. Table 7 summarizes the characteristics of all four classes of the network/transport layer. In source-based mechanisms, high-volume attacks may be easily managed, but a distributed configuration has to be provided to cover the path from the source to the victim [19]. These mechanisms are implemented at source points. There are several techniques with different functions for detecting attack flows, among which flow entropy can be mentioned. In this method, the entropy of the traffic flow is calculated from the traffic flow rates and the attack is detected from it. Network-based (core) mechanisms are implemented in the network and intermediate routers. These mechanisms run cooperatively between routers: each router's observations are transferred to its neighbor routers, and as a result they cooperate in defense. Since one of the problems of network-based mechanisms is their sensitivity to proper cooperation among routers, which must cooperate accurately, various methods have been proposed that establish servers in different parts of the network; these servers define responsibilities for each router so that each router monitors flows and covers DDoS attacks. Destination-based mechanisms are implemented in destination routers, detecting attacks or responding to them. These mechanisms easily discriminate DoS traffic from legitimate traffic. Where detection and defense are performed in a single region, as in centralized mechanisms, the defense scheme will not be efficient. As a result, using hybrid (distributed) mechanisms, which are based on the cooperation of nodes at different points of the network, results in coherent, robust defense.
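Flow entropy, named above as a source-based detection technique and used in the destination-based scheme of Jun et al. [22] in Section 3.2.1, measures how concentrated or dispersed the traffic mix is within a time window. The block below is an added example written for this survey, not code from [22] or from any source-based mechanism in the paper. It computes the Shannon entropy of the source address distribution per window and flags departures from an attack-free baseline in both directions; the traffic windows (drawn from documentation address ranges), the baseline and the 0.5-bit tolerance are constructed assumptions.

```python
"""Flow entropy of the source address distribution as a DDoS indicator.

Added example of the entropy approach mentioned for Jun et al. [22] and for
source-based mechanisms in Section 4.1; not code from those works. The
traffic windows, the baseline and the tolerance are constructed assumptions.
"""
from collections import Counter
from math import log2


def shannon_entropy(counts):
    """Entropy in bits of the distribution behind a Counter of per-source packet counts."""
    total = sum(counts.values())
    if total == 0:                        # empty window: nothing to measure
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values() if c > 0)


def window_entropy(packets):
    """Entropy of the source-address mix in one observation window (list of source IPs)."""
    return shannon_entropy(Counter(packets))


def baseline_entropy(training_windows):
    """Mean entropy over attack-free windows; the reference point for detection."""
    values = [window_entropy(w) for w in training_windows]
    return sum(values) / len(values)


def detect(window, baseline, delta):
    """Classify a window by how far its entropy departs from the baseline.

    A flood from a handful of bots concentrates traffic on few sources and
    lowers entropy; a flood with randomly spoofed sources raises it. Both
    directions are therefore checked.
    """
    h = window_entropy(window)
    if h < baseline - delta:
        return h, "low_entropy"
    if h > baseline + delta:
        return h, "high_entropy"
    return h, "normal"


def build_windows():
    """Constructed traffic windows (source IPs from documentation ranges)."""
    clients = [f"10.0.0.{i}" for i in range(8)]
    training = [clients * 4, clients[:4] * 5 + clients[4:] * 3]
    normal = clients * 4
    # Two bots sending 100 packets each, with a few legitimate packets mixed in.
    few_sources = ["198.51.100.7"] * 100 + ["198.51.100.8"] * 100 + clients[:6]
    # Spoofed flood: every packet from a different address.
    spoofed = [f"203.0.113.{i}" for i in range(64)]
    return training, {"normal": normal, "few_sources": few_sources, "spoofed": spoofed}


def run_example(delta=0.5):
    """Return {label: (entropy_bits, verdict)} for the constructed windows."""
    training, tests = build_windows()
    base = baseline_entropy(training)
    out = {}
    for name, w in tests.items():
        h, verdict = detect(w, base, delta)
        out[name] = (round(h, 3), verdict)
    return out


if __name__ == "__main__":
    for name, (h, verdict) in run_example().items():
        print(f"{name:12s} H={h:.3f} bits -> {verdict}")
```

With eight evenly loaded clients the baseline sits near 3 bits; the two-bot flood drops to about 1.24 bits and the spoofed flood rises to 6 bits. Checking both sides of the baseline is the point of the example: a detector that only looks for low entropy misses address-spoofing floods, and one that only looks for high entropy misses small botnets. The same measure can be computed over other fields (destination ports, request types) in the same way.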
Table 8
Characteristics of each class of application layer.

Destination-based mechanisms: • Implementing mechanisms on the server side. • Easy implementation. • Ability to detect, filter and track based on traffic characteristics.

Hybrid mechanisms: • Ability to implement based on cooperation of client and server. • Ability to detect and respond to attacks through cooperation of source and destination. • Difficulty of implementation because cooperation must be provided.
4.2. Application layer
In this section, the categorization of defense mechanisms in the application layer is discussed in detail. Table 8 summarizes the characteristics of each class of the application layer. Since most protocols in the application layer are implemented in Client-Server form, destination-based mechanisms run on the server side or on a reverse proxy. These mechanisms are easy to implement, and they model clients' features based on the server's observations. Moreover, they can perform detection, filtering and traceback of abnormal behavior based on traffic features. Hybrid mechanisms may be implemented cooperatively between the client and the server. As a result, attacks may be detected and responded to based on cooperation between different points at the source and the destination.
5. Open issues
Although various defense mechanisms have been proposed for handling DDoS attacks, some of which are reviewed in this paper, the development of networks and the emergence of modern technologies and platforms in the network domain mean that DDoS threats and attacks with new appearances and natures are created every day and challenge these new technologies. Thus, DDoS attacks should be explored and evaluated accurately, and defensive operations should be employed. Considering the above discussion, this section presents the existing challenges and future works that should be considered to handle attacks, and also suggests ideal approaches.
5.1. Challenges and suggestions in the network, transport and application layers
In this subsection, general and detailed challenges of the network, transport and application layers which can be considered as future works are investigated. In addition, some approaches are presented in view of these challenges. By surveying different defense mechanisms in the network layer and the application layer, it has been observed that most mechanisms work in a centralized manner, being active in a specific section. But since DDoS attacks are very extensive and complex, detection and defense mechanisms have to work cooperatively. Since source-based mechanisms do not have a remarkable ability to separate legitimate traffic from suspicious traffic, mechanisms should be designed on the source side which can separate traffic at the first step of the network, based on traffic entrance behavior and measures like flow entropy.
5.2. Challenges and future works in the cloud computing context
In this subsection, challenges in the cloud computing context which can be considered as future works are investigated. In addition, some approaches are presented to solve some of the challenges. Since DDoS attacks are designed and implemented with the purpose of suppressing Internet services, this type of attack disrupts the various vital services that companies provide. One of the valuable technologies provided by the Internet is cloud computing, through which users can access different resources at any time and from anywhere. But since security and accessibility are among the main challenges of cloud computing, this technology has become one of the potential targets of adversaries in DDoS attacks.
5.3. Challenges and future works in the context of the Internet of Things
In this subsection, challenges of IoT which can be considered as future works are investigated. Since IoT does not have a coherent approach to traffic protection, traffic protection should be considered. Moreover, since IoT is designed to be open to new devices, defense mechanisms should have the required adaptability and be able to distinguish attack patterns from non-attack patterns. Since limited services are offered in IoT and the capacity for servicing requests is limited, the pattern of legitimate requests should be detected quickly and illegitimate requests should be blocked, so that legitimate requests are not left unserved. Since there is much malware in IoT, it should be evaluated; considering the malware existing in IoT that is designed with DDoS objectives, security gaps should be fixed and comprehensive defense mechanisms with high defense capability should be included in IoT. Since existing IoT devices do not have the required security features, they are easily subject to DDoS attacks. Thus, in order to reduce the vulnerability of devices, the security configuration and settings of existing IoT devices should be investigated to resolve existing gaps.
5.4. Challenges and future works in wireless sensor networks
In this subsection, challenges of wireless sensor networks which can be considered as future studies are investigated. Defense mechanisms that consider factors like the energy consumption of a node, the node's utilization of network bandwidth, the type and frequency of the requests generated by the node in a specific time interval, the similarity of the traffic generated in the network, and the proportionality of the data expected at a specific time and location to the generated data should be able to detect an adversary node and defend against it. Defense mechanisms that employ observer nodes in the network, which are connected to the sink node and the gateway and observe the sensor nodes, can detect adversaries and stop their operations.
5.5. Protection suggestions and required preliminaries in designing mechanisms for the three layers, cloud computing and the Internet of Things
In this subsection, four necessary principles for designing defense systems and providing the security of devices are mentioned, which can be used to prevent, detect and respond to DDoS attacks.
(1) Designing systems and mechanisms for detecting amplification attacks and defending against them.
(2) Evaluating proposed defensive methods on real data and real-world attack information, and avoiding unverified assumptions in designing mechanisms against DDoS attacks.
(3) Modeling behaviors and contact features in designing defensive mechanisms against DDoS that are applied in VoIP applications.
(4) Separating legitimate requests from illegitimate requests based on the history of attacks.
6. Conclusion
In this paper, we have surveyed past and state-of-the-art detection and defense mechanisms against DDoS attacks. Moreover, we have separated defense mechanisms by layer into two main groups, the network/transport layer and the application layer, and divided the network/transport layer into four classes of source-based, network-based (core), destination-based and hybrid mechanisms. Also, the application layer is categorized into two classes of destination-based and hybrid mechanisms. We have reviewed and compared several proposed mechanisms for each of these classes. In the network/transport layer, source-based mechanisms do not have sufficient ability to discriminate attack traffic from legitimate traffic. Network-based mechanisms fail in case of the failure of a section or a router. Destination-based mechanisms are not efficient in traffic filtering and rate limiting. As a result, for future works, the proposed methods should be implemented cooperatively and the platform for their cooperation has to be provided. Moreover, the infrastructure of the application layer mechanisms should be reinforced and better cooperation between the client and the server has to be guaranteed in order to defend efficiently against attacks.
Acknowledgements
This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors.
References
[1] Gupta B, Joshi R, Misra M. ANN based scheme to predict number of zombies in a DDoS attack. Int J Netw Secur 2012;14(2):61–70.
[2] Zargar ST, Joshi J, Tipper D. A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun Surv Tutor 2013;15(4):2046–69. doi:10.1109/SURV.2013.031413.00127.
[3] Douligeris C, Mitrokotsa A. DDoS attacks and defense mechanisms: classification and state-of-the-art. Comput Netw 2004;44(5):643–66. doi:10.1016/j.comnet.2003.10.003.
[4] Abdelsayed S, Glimsholt D, Leckie C, Ryan S, Shami S. An efficient filter for denial-of-service bandwidth attacks. In: Proceedings of the global telecommunications conference, GLOBECOM ’03, vol. 3. IEEE; 2003. p. 1353–7. doi:10.1109/GLOCOM.2003.1258459.
[5] MANAnet. The reverse firewall: defeating DDoS attacks emanating from a local area network. Cs3, Inc; 2001 [accessed 10.04.16].
[6] Wang F, Wang H, Wang X, Su J. A new multistage approach to detect subtle DDoS attacks. Math Comput Model 2012;55(12):198–213. doi:10.1016/j.mcm.2011.02.025.
[7] Gil TM, Poletto M. MULTOPS: a data-structure for bandwidth attack detection. In: Proceedings of the USENIX security symposium; 2001. p. 23–38.
[8] Tao Y, Yu S. DDoS attack detection at local area networks using information theoretical metrics. In: Proceedings of the 2013 12th IEEE international conference on trust, security and privacy in computing and communications; 2013. p. 233–40. doi:10.1109/TrustCom.2013.32.
[9] Zargar ST, Joshi J. DiCoDefense: distributed collaborative defense against DDoS flooding attacks. In: Proceedings of the IEEE symposium on security and privacy; 2013.
[10] Zargar ST, Joshi J, Tipper D. DiCoTraM: a distributed and coordinated DDoS flooding attack tailored traffic monitoring. In: Proceedings of the 2014 IEEE 15th international conference on information reuse and integration (IEEE IRI 2014); 2014. p. 120–9. doi:10.1109/IRI.2014.7051881.
[11] Zhang Y, Liu Q, Zhao G. A real-time DDoS attack detection and prevention system based on per-IP traffic behavioral analysis. In: Proceedings of the 2010 3rd international conference on computer science and information technology, vol. 2; 2010. p. 163–7. doi:10.1109/ICCSIT.2010.5563549.
[12] Wu Y-C, Tseng H-R, Yang W, Jan R-H. DDoS detection and traceback with decision tree and grey relational analysis. Int J Ad Hoc Ubiquitous Comput 2011;7(2):121–36. doi:10.1504/IJAHUC.2011.038998.
[13] Chen R, Park JM. Attack diagnosis: throttling distributed denial-of-service attacks close to the attack sources. In: Proceedings of the 14th international conference on computer communications and networks, ICCCN 2005; 2005. p. 275–80. doi:10.1109/ICCCN.2005.1523866.
[14] Wang H, Jin C, Shin KG. Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans Netw 2007;15(1):40–53. doi:10.1109/TNET.2006.890133.
[15] Thapngam T, Yu S, Zhou W, Makki SK. Distributed denial of service (DDoS) detection by traffic pattern analysis. Peer-to-Peer Netw Appl 2014;7(4):346–58. doi:10.1007/s12083-012-0173-3.
[16] Yu S, Zhou W, Doss R, Jia W. Traceback of DDoS attacks using entropy variations. IEEE Trans Parallel Distrib Syst 2011;22(3):412–25. doi:10.1109/TPDS.2010.97.
[17] Argyraki K, Cheriton DR. Scalable network-layer defense against internet bandwidth-flooding attacks. IEEE/ACM Trans Netw 2009;17(4):1284–97. doi:10.1109/TNET.2008.2007431.
[18] Wang F, Wang X, Su J, Xiao B. VicSifter: a collaborative DDoS detection system with lightweight victim identification. In: Proceedings of the 2012 IEEE 11th international conference on trust, security and privacy in computing and communications; 2012. p. 215–22. doi:10.1109/TrustCom.2012.295.
[19] Mirkovic J, Robinson M, Reiher P, Oikonomou G. Distributed defense against DDoS attacks. University of Delaware CIS Department technical report CIS-TR-2005-02; 2005. p. 1–12.
[20] Rahmani H, Sahli N, Kamoun F. DDoS flooding attack detection scheme based on f-divergence. Comput Commun 2012;35(11):1380–91. doi:10.1016/j.comcom.2012.04.002.
[21] Akbar A, Basha SM, Sattar SA. Leveraging the SIP load balancer to detect and mitigate DDoS attacks. In: Proceedings of the 2015 international conference on green computing and internet of things (ICGCIoT); 2015. p. 1204–8. doi:10.1109/ICGCIoT.2015.7380646.
[22] Jun JH, Oh H, Kim SH. DDoS flooding attack detection through a step-by-step investigation. In: Proceedings of the 2011 IEEE 2nd international conference on networked embedded systems for enterprise applications; 2011. p. 1–5. doi:10.1109/NESEA.2011.6144944.
[23] Liu HI, Chang KC. Defending systems against tilt DDoS attacks. In: Proceedings of the 2011 6th international conference on telecommunication systems, services, and applications (TSSA); 2011. p. 22–7. doi:10.1109/TSSA.2011.6095400.
[24] von Ahn L, Blum M, Langford J. Telling humans and computers apart automatically. Commun ACM 2004;47(2):56–60. doi:10.1145/966389.966390.
[25] Beitollahi H, Deconinck G. Tackling application-layer DDoS attacks. Procedia Comput Sci 2012;10:432–41. doi:10.1016/j.procs.2012.06.056.
[26] Ranjan S, Swaminathan R, Uysal M, Knightly EW. DDoS-resilient scheduling to counter application layer attacks under imperfect detection. In: Proceedings of INFOCOM; 2006.
[27] Yu S, Zhou W, Jia W, Guo S, Xiang Y, Tang F. Discriminating DDoS attacks from flash crowds using flow correlation coefficient. IEEE Trans Parallel Distrib Syst 2012;23(6):1073–80. doi:10.1109/TPDS.2011.262.
[28] Yan G, Lee R, Kent A, Wolpert D. Towards a Bayesian network game framework for evaluating DDoS attacks and defense. In: Proceedings of the 2012 ACM conference on computer and communications security, CCS ’12. New York, NY, USA: ACM; 2012. p. 553–66. doi:10.1145/2382196.2382255.
[29] Yu J, Fang C, Lu L, Li Z. A lightweight mechanism to mitigate application layer DDoS attacks. In: Scalable information systems. Berlin, Heidelberg: Springer; 2009. p. 175–91. doi:10.1007/978-3-642-10485-5_13.
[30] Tang C, Tang A, Lee E, Tao L. Mitigating HTTP flooding attacks with meta-data analysis. In: Proceedings of the 2015 IEEE 17th international conference on high performance computing and communications, 2015 IEEE 7th international symposium on cyberspace safety and security, and 2015 IEEE 12th international conference on embedded software and systems; 2015. p. 1406–11. doi:10.1109/HPCC-CSS-ICESS.2015.203.

Mousa Taghizadeh Manavi received his B.Sc. from Islamic Azad University (IAU), Ardabil Branch, Iran, in 2014 and his M.Sc. degree in Computer Engineering (Software) from the Department of Computer Engineering, Islamic Azad University, Ardabil Science and Research Branch, in 2017. He is currently a member of the Young Researchers Club at the IAU. His research interests include network security, intrusion detection, wireless sensor networks, and congestion control.