UCF COT 4810 - Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems


Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems

TAO PENG, CHRISTOPHER LECKIE, and KOTAGIRI RAMAMOHANARAO
Department of Computer Science and Software Engineering, The University of Melbourne, Australia

This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service attacks. We review the state-of-art mechanisms for defending against denial of service attacks, compare the strengths and weaknesses of each proposal, and discuss potential countermeasures against each defense mechanism. We conclude by highlighting opportunities for an integrated solution to solve the problem of distributed denial of service attacks.

Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—Security and protection (e.g., firewalls); C.2.3 [Computer-Communication Network]—Network operation

General Terms: Reliability, Security

Additional Key Words and Phrases: Botnet, bandwidth attack, DNS reflector attack, DoS, DDoS, Internet security, IP spoofing, IP traceback, IRC, resource management, SYN flood, VoIP security

ACM Reference Format:
Peng, T., Leckie, C., and Ramamohanarao, K. 2007. Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv. 39, 1, Article 3 (April 2007), 42 pages DOI = 10.1145/1216370.1216373 http://doi.acm.org/10.1145/1216370.1216373

This work was supported by the Australian Research Council.

Authors’ addresses: Department of Computer Science and Software Engineering, ICT Building, 111 Barry Street, The University of Melbourne, Parkville VIC 3052, Australia; email: {tpeng,caleckie}@csse.unimelb.edu.au, [email protected] to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or direct commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM, Inc., 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA, fax +1 (212) 869-0481, or [email protected] 2007 ACM 0360-0300/2007/04-ART3 $5.00. DOI 10.1145/1216370.1216373 http://doi.acm.org/10.1145/1216370.1216373

ACM Computing Surveys, Vol. 39, No. 1, Article 3, Publication date: April 2007.

1. INTRODUCTION

The Internet was originally designed for openness and scalability. The infrastructure is certainly working as envisioned by that yardstick. However, the price of this success has been poor security. For example, the Internet Protocol (IP) was designed to support ease of attachment of hosts to networks, and provides little support for verifying the contents of IP packet header fields [Clark 1988]. This makes it possible to fake the source address of packets, and hence difficult to identify the source of traffic. Moreover, there is no inherent support in the IP layer to check whether a source is authorized to access a service. Packets are delivered to their destination, and the server at the destination must decide whether to accept and service these packets. While defenses such as firewalls can be added to protect servers, a key challenge for defense is how to discriminate legitimate requests for service from malicious access attempts.

If it is easier for sources to generate service requests than it is for a server to check the validity of those requests, then it is difficult to protect the server from malicious requests that waste the resources of the server. This creates the opportunity for a class of attack known as a denial of service attack.

A denial of service (DoS) attack aims to deny access by legitimate users to shared services or resources [Gligor 1984]. This can occur in a wide variety of contexts, from operating systems [Gligor 1984] to network-based services [Needham 1994]. On the Internet, a DoS attack aims to disrupt the service provided by a network or server. It can be launched in two forms [Hussain et al. 2003]. The first form aims to crash a system by sending one or more carefully crafted packets that exploit a software vulnerability in the target system. For example, the “ping-of-death” attack sends a large Internet Control Message Protocol (ICMP) ping packet that is fragmented into multiple datagrams to a target system, which can cause certain operating systems to crash, freeze, or reboot due to buffer overflow [CERT 1996]. The second form is to use massive volumes of useless traffic to occupy all the resources that could service legitimate traffic. While it is possible to prevent the first form of attack by patching known vulnerabilities, the second form of attack cannot be so easily prevented. The targets can be attacked simply because they are connected to the public Internet. In the rest of this article, unless otherwise stated, when we use the term DoS attack, we are referring to the second form of attack that uses massive volumes of useless traffic.

When the traffic of a DoS attack comes from multiple sources, it is called a distributed denial of service (DDoS) attack. By using multiple attack sources, the power of a DDoS attack is amplified and the problem of defense is made more complicated. The impact of DDoS attacks can vary from minor inconvenience to users of a Web site to serious financial losses for companies that rely on their online availability to do business. On February 9, 2000, Yahoo, eBay, Amazon.com, E*Trade, ZDnet, Buy.com, the FBI, and several other Web sites fell victim to DDoS attacks resulting in substantial damage and inconvenience [Garber 2000]. From December 2005 to January 2006, 1,500 separate IP addresses were victims of DDoS attacks, with some attacks using traffic rates as high as 10 Gb/s [Scalzo 2006; Vaughn and Evron 2006].

More importantly, traditional operations in essential services, such as banking, transportation, power, health, and defense, are being progressively replaced by cheaper, more efficient Internet-based applications. Internet-based attacks can be
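The introduction above notes that the first form of DoS, such as the fragmented oversized ping, can be prevented by patching. The following added example (not code from the survey) sketches the kind of reassembly bounds check such a patch introduces; `struct frag`, `frag_is_safe` and `reassemble` are hypothetical names, and the header fields are assumed to be already converted to host byte order.

```c
#include <stdint.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u  /* largest value of the 16-bit Total Length field */
#define IP_OFFSET_MASK  0x1FFFu /* low 13 bits of the flags/offset word */

/* Header fields of one IPv4 fragment (hypothetical struct, host byte order). */
struct frag {
    uint16_t total_len;  /* header + payload of this fragment, in bytes */
    uint16_t flags_off;  /* 3 flag bits + 13-bit offset in 8-byte units */
    uint8_t  ihl;        /* header length in 32-bit words (5..15) */
};

/* Returns 1 if the reassembled datagram stays within IP_MAX_DATAGRAM
 * bytes after this fragment is placed, 0 if malformed or oversized. */
int frag_is_safe(const struct frag *f)
{
    uint32_t hdr = (uint32_t)f->ihl * 4u;
    if (f->ihl < 5 || f->total_len < hdr)
        return 0;                       /* malformed header */
    uint32_t payload = f->total_len - hdr;
    uint32_t start = (uint32_t)(f->flags_off & IP_OFFSET_MASK) * 8u;
    /* 32-bit arithmetic: start alone can reach 65528, so the sum would
     * wrap if it were computed in 16 bits. */
    return start + payload + hdr <= IP_MAX_DATAGRAM;
}

/* Copies the payload into the reassembly buffer only after the bounds
 * check. Returns the number of bytes copied, or -1 if rejected. */
int reassemble(uint8_t *buf, const struct frag *f, const uint8_t *data)
{
    if (!frag_is_safe(f))
        return -1;
    uint32_t n = f->total_len - (uint32_t)f->ihl * 4u;
    memcpy(buf + (uint32_t)(f->flags_off & IP_OFFSET_MASK) * 8u, data, n);
    return (int)n;
}

int main(void)
{
    static uint8_t buf[IP_MAX_DATAGRAM];
    static const uint8_t data[1480];       /* constructed payload, all zeros */
    struct frag first = {1500, 0x2000, 5}; /* constructed: offset 0, MF set */
    struct frag tail  = {1500, 8189, 5};   /* constructed: would end at byte 66992 */
    int ok = reassemble(buf, &first, data) == 1480
          && reassemble(buf, &tail, data) == -1;
    return ok ? 0 : 1;
}
```

No comparable per-packet check exists for the second, volume-based form, which is why the survey concentrates on it.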

