A taxonomy of DDoS attack and DDoS defense mechanisms

Published: 01 April 2004

Abstract

Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of the proposed solutions.



Published In

ACM SIGCOMM Computer Communication Review, Volume 34, Issue 2
April 2004
151 pages
ISSN: 0146-4833
DOI: 10.1145/997150

Publisher

Association for Computing Machinery

New York, NY, United States


Article Metrics

  • Downloads (last 12 months): 920
  • Downloads (last 6 weeks): 73

Reflects downloads up to 22 Sep 2024

Cited By

  • (2025) Detecting interest flooding attacks in NDN: A probability-based event-driven approach. Computers & Security, 148 (104124). DOI: 10.1016/j.cose.2024.104124. Online publication date: Jan-2025.
  • (2024) DDOS Attack Packet Detection and Prevention On a Large-Scale Network Utilising the Bi-Directional Long Short Term Memory Network. Journal of Machine and Computing, pages 105-113. DOI: 10.53759/7669/jmc202404011. Online publication date: 5-Jan-2024.
  • (2024) Safeguarding Smart Horizons: Crafting the Future of IOT Security Through Intrusion Detection and Prevention. International Journal of Innovative Science and Research Technology (IJISRT), pages 2888-2897. DOI: 10.38124/ijisrt/IJISRT24JUN2043. Online publication date: 20-Jul-2024.
  • (2024) Novel Machine Learning Approach for DDoS Cloud Detection: Bayesian-Based CNN and Data Fusion Enhancements. Sensors, 24(5) (1418). DOI: 10.3390/s24051418. Online publication date: 22-Feb-2024.
  • (2024) Security at the Edge for Resource-Limited IoT Devices. Sensors, 24(2) (590). DOI: 10.3390/s24020590. Online publication date: 17-Jan-2024.
  • (2024) Security and Trust in the 6G Era: Risks and Mitigations. Electronics, 13(11) (2162). DOI: 10.3390/electronics13112162. Online publication date: 1-Jun-2024.
  • (2024) Autonomous Vehicle Sensor Network Security Framework Using Anomaly Detection and Resource Limitation. SSRN Electronic Journal. DOI: 10.2139/ssrn.4839942. Online publication date: 2024.
  • (2024) Enhancing Accuracy for Super Spreader Identification in High-Speed Data Streams. Proceedings of the VLDB Endowment, 17(11), pages 3124-3137. DOI: 10.14778/3681954.3681988. Online publication date: 30-Aug-2024.
  • (2024) Reporting a Cyber Security Breach: How Organizations Respond. International Journal of Business Communication. DOI: 10.1177/23294884241236201. Online publication date: 11-Mar-2024.
  • (2024) CASPER: Context-Aware IoT Anomaly Detection System for Industrial Robotic Arms. ACM Transactions on Internet of Things, 5(3), pages 1-36. DOI: 10.1145/3670414. Online publication date: 1-Jun-2024.
