Printer Friendly

An empirical study on dos attacks and DDoS defense mechanism.


A Denial of Service attack involves attackers exploit suitable vulnerabilities for sending messages reach the abnormality or paralysis of business systems, else sends a large amount of usual messages to a single node quickly for run out the system resources results in business system failure. As long as administrators placed at top of patching vulnerabilities and optimizes the performance of business systems and the potential harm of a simple DoS attack is relatively minor. A Distributed Denial of Service attack utilizes multiple distributed attack sources based on DoS attack. The attackers uses the controlled bots (also referred to as zombies) typically large numbers and also distributed beyond various locations for attaining large number of DoS attacks by single or multiple targets.

The bots nets are developed rapidly in recent years, to cause DDoS traffic scale attack which increase the targets include business servers, Internet infrastructures such as firewalls, routers and DNS systems and also network bandwidth. The broader influence and the sphere making are improved by the attacks. The resources are specified at legitimate users where they aim for denial of service which is to be extended. The computer or network service resource attack can be defeated by any malicious user when incident is declared.

Lin Fan et al., (2010) describes DoS attack are realized by people for key security issues and also it is implemented to increases the security threat, protecting systems against DoS attack. The fast growing concern are improved by DoS attack which are noticed with more researchers where the attacker design a flow or system bug to report as a resource of a victim system, and also users can prevent from accessing the service or to degrade the quality of service which they get. For example, the operating systems with DoS were early work with type of resource exhaustion attack. Hence network performs DoS attacks finally and the distributed DoS attack by instance. The services are to be exhausted when supposed to be not available. The computer or network resource exists by DoS attack to avoid damage, e.g. a user account or network connection. The resource availability, and the affected will users are collate by attack. The DoS attack is not only necessary at the unique one but also materialized to resource exhaustion

The distributed denial-of-service attack causes denial of service with single target for multitude of compromised systems helps for the target system as detailed by Dinesh & Palvinder (2011). Effective messages are controlled by system services with legitimate user's reputed flood to retaining the system. Computer systems exploit and vulnerable to begin the hackers attack and make the DDoS master. It starts from the master system that identifies and communicates with other systems to load cracking tools available on the Internet at multiple compromised systems. The intruder instructs the controlled machines with single command to obtain many flood attacks against a specified target. The packets flood to the target causes a denial of service. The co-opted computers owners are typically unaware that their computers have been compromised and they are nevertheless like to harm degradation of service and malfunction. An intruder takes over the control of computer are said to be zombie or bot.

Remote or local access is prevented to prohibit convenient and secured service systems by an unauthorized addressed by DoS attacks with more complex and harder attack in it. Hence DDoS attacks are discrepant by reaction with more coincident of host in spite of host attack. DDoS attacks increases frequency in recent years, sophistication and severity increases fast in computer vulnerabilities (CERT 2006, Houle et al. 2001), which enable attackers to break and update other attacking tools in more computers. DoS attacks harm the wireless sensor because mobile nodes (such as laptops, cell phones, etc.) share the same physical media for transmitting and receiving signals and also mobile computing resources (such as bandwidth, CPU and power) are usually more used which are than available to wired nodes. A single attacker can easily forge, modify or inject packets in wireless network to interrupt connections between legitimate mobile nodes and cause DoS effects.

Related works in dos attacks:

DoS attacks are the class of attacks to initiate the single or group of individuals to exploit the Internet Protocol to extend or other users from legitimate access to systems and information. SMURF attacks are associated to DoS attacks from past, which is targeted at routers. If router forces to stop forwarding packets by an attacker, then all hosts are effectively disconnected behind the router. Now more forms of attacks are ready to attack web servers, mail servers and other services. DDoS on the other side is a combination of DoS attacks which is developed to stage or carried out from various hosts to produce the target host from further serving its function. DDoS termed that source of the attack is not coming from a single source, but multiple sources. DDoS are not eliminated by filtering the source IPs since it is taken from multiple points installed with agents. Some of the DDoS tools are Mstream, Trinoo, TFN2K (Tribe Flood Network), Stacheldraht and Shaft. An example for DDoS attack is bandwidth attack. Network administrators initially detect symptoms of uniform degradation of network or device performance. Uniformly performance could be degraded due to resource consumption of bandwidth attack. Peer-to-peer attack can occur to specific devices in the network, causes the CPU utilization to run up and also failure of the host to serve other users. Denial of Service Attacks provide network in other host to identify the pattern or signature of the attack while using sniffers or logging the router are caused to be attack extension.

Router and host logs are analyzed may or may not to show the real nature of the attack or it can cause false reporting. Some organizations install commercial network Intruder Detection System, mis-configured attack signature, and provided wrong alert indicators by experiences. A sniffer helps to identify the real threat at this point. Mis-configuration of devices such as hubs and routers can cause DoS effect based on experience. Hence, it is advisable not to eliminate packets until examined. Double edged sword, the source host (or spoofed host) is the DoS attacks which will be affected as much as the target host. Situation, an attacker will have to monitor due to this situation if the attack is successful to plant a sniffer in the spoofed network or the target network by Fig.1. The incidents involving smurf attacks are proven in this situation and syn flood attacks because these connections are requests to produce a massive spur of return packets to the source IP, and also it often cause a similar track to the source and the destination IP. The spoofed machine will be swamp using spoofed IP instead of return packets and it makes the attack very difficult to be noticed for the originator machine. Anyhow, it is difficult to spoof IPs, especially when the attacker is within a network to Ingress filters at the routers. There were a few incidents involving both parties experiencing handling Incident Response from my experience, DoS attack report, access the attack initiation and vice-versa, because of the fact that required firewalls will log only one direction of the traffic other than bi-directional. Further improving analysis and correlation of the logs retained that the attack was received from one of them.

Types of ddos attacks:

Garber (2000); Moore et at., (2001) describes several DoS attacks which are known and documented in the literature. Savage et at., (2001); Spafford & Garfinkel (1996), flooded a victim with an overwhelming amount of traffic which is the most common. The communication links and they warts all connections among the legitimate users clogs the unusual traffic, which result in shutting down an entire site or a branch of the network and published in February 2000. Garber (2000) describes several hours about the popular web sites Yahoo, E*TRADE, EBay, and CNN. Flooding attacks Kim et at., (2006)] are instantiated by TCP SYN flooding. Using this attack, it runs a Web server when the victim is host. A connection was opened by regular client with the server by sending a TCP SYN segment. The server allocates buffer by expected connection which replies with a TCP ACK segment half-open (backlogged) remains till the client acknowledges the ACK server and moves it to the established state.

After an expiration of a timer the buffer will be deallocated if the client does not send the ACK. The server can produce only a particular number of half-open connections after which all requests will be retained. A TCP SYN segment is send by attacker gained to establish a connection and also to make the server reserves buffer for it. The connection was not completed by the attacker. In spite, it uses more TCP SYNs, for the server to waste its memory and also to reach its limit for the backlogged connections. A high rate of sending such SYN requests keeps the server unable to satisfy connection requests from legitimate users. A tool to alleviate the SYN flooding attack is developed by Schuba et al., (1997). The tool looks for SYN segments starting from spoofed IP addresses and sends TCP RST segments to the server. RST segments terminate the half-open connections and free their associated buffers. Other flooding types of attacks include TCP ACK and RST flooding, ICMP and UDP echo-request flooding, and DNS request flooding described by Moore et al., (2001); Spafford & Garfinkel (1996). It is not by means of exhaustive.

When an attacker uses multiple hosts over the Internet to storm a victim, it affects the DoS attack more severely. To attain it, the attacker supports many hosts and provides attacking agents on them. All agents are signaled by the attacker simultaneously to attain an attack on a victim. Barros (2000) proves that DDoS attack can reach a high level of improvements by using reflectors. A reflector is a mirror type structures that reflects light. Many hosts such as Web servers, DNS servers, and routers are used as reflectors in the Internet because it reply to (or reflect) specific type of packets. Web servers replication are done at SYN requests, DNS servers reply to queries, and routers send ICMP packets (time exceeded or host unreachable) in response to specific IP packets. The attackers can attack these reflectors to attain DDoS attacks. For example, SYN request is send by an attacking agent to a reflector which specify the victim's IP address as the source address of the agent. The SYN ACK is send by a reflector to the victim. The reflectors in the Internet are million types and the attacker use of these reflectors to flood the victim's network for sending a large amount of packets. Paxson (2001) analyzes several Internet protocols and applications to concludes that DNS servers, Gnutella servers, and TCP-based servers are potential reflectors.

Some listed specific DDoS types are below

* SYN Flooding: The weakness of the TCP handshake is used by attacker and also sends an abundance of TCP SYN packets to the victim. It opens a lot of TCP connections by responds with ACK. Hand-shake was not finished by attacker, as in result, causes the half-open TCP connections to overflow the victim's incoming queue. SYN Flooding does not target specific Operating System, and also attack any system supporting TCP protocol.

* Ping of Death: The victim oversized IP packets are send by attacker, contain more than 65,536 bytes to cause the victim machine to crash.

* Process Table: An abundance of uncompleted connections to the victim server is send by an attacker. A new process is

* Created for each connection by victim until it cannot serve any more requests.

* Smurf Attack: The broadcast address is sent by an abundance of Internet Control Message Protocol (ICMP) "echo-request" packets, as the victim's IP as the source address. ICMP "echo-reply" packets are flooded by the victim.

* SSH Process Table: The SSH daemon is overflowed by the attacker in the victim system and it is similar to the process of table attacks.

* TCP Reset: The traffic for the "tcp connection" requests to the victim is listened by the attacker. Once the request is found, a spoofed TCP RESET packet to the victim is sent by the attacker and omits it to stop the TCP connection.

* Teardrop: IP fragments are created as a stream by the attacker with their offset field overlapped. This may crash when trying to reassemble these malformed fragments.

* UDP Packet Storm: A start packet was spoofed by the attacker and bridges between two victim nodes, with type of UDP output services (such as "chargen" or "echo") for generating various traffic into the network.

Analysis of ddos attacks:

The severeness and seriousness of DDoS attack enhance many defense mechanisms but the complete solution is no to be attained. The many factors which hit the advance of DDOS defense research detailed by JelenaMirkovic. The moment when DDoS attack is detected, it disconnects the harm from resources. Any type of reaction need resources, which are already been consumed by DDoS attack to drop out the harmful effect from all resources. The attack source trace back and identification can be carried out after the victim is disconnected. Detection, trackbacking the DDoS attack described by Chen (2004) proposed the number of methods. DDoS attack defense mechanisms contain several dimensions to be kept in mind by location of defense mechanism applied, defense mechanism works with protocol level and time when the mechanism is active

A. DDoS defense mechanisms based on deployment:

The implementation of defense mechanism is based on the classification of location. It differs by source based, destination based and network based described by JelenaMirkovic.

1.) Source based: Mechanisms are deployed near the sources of attack. It target on the restrictions of network customers from DDoS attacks generation.

* Ingress/Egress filtering at source's edge router: It detect the packets with spoofed IP address at the source's edge router described by Peng et al., (2007).

* D-WARD: It is a DDoS defense system used at source-end networks which autonomously detects and stops attacks starting from these networks described by JelenaMirkovic.

* MULTOPS: Multi-level tree for online packets statistics are abbreviated as MULTOPS. It is a group of nodes which forms tree structure contains packet rate statistics. The changes in packet rates dynamically adapt the shapes described by JelenaMirkovic. It is used by networks for source subnet to detect DDOS flooding attacks.

* MANAnef's reverse firewall: Reverse firewall works differ from a traditional firewall. It forwards the packets which are not replies by limiting the rate.

2.) Destination based: Mechanisms are deployed near the victim i.e. neither edge router nor the access router of the destination.

* IP Trace back mechanisms: IP Trace back is a technique to identify the origin of the spoofed user [57].

* Packet marking and filtering mechanisms: Here legitimate packets are pointed at the victim's side, it differ between legitimate and attack packets. There are different methods to implement these mechanisms described by SamantSaurabh (2013). For example, history based IP filtering detailed by Tao (2003), Hop-count filtering described by Haining, Path identifier by Yaar et al., (2003), based on the level of congestion provides packet dropping described by Kim et al., (2006).

3.) Network based: It is inside networks and on the routers of the autonomous systems described by Chan et al., (2006). Some network based defense mechanisms are route based packet filtering, detecting and filtering malicious routers etc.

B. DDoS defense mechanisms based on protocol:

The defense mechanisms can be classified to defend against the TCP/NETWORK level DDOS attacks and also mechanisms to defend against APPLICATION level DDOS attacks.

* TCP: This mechanism basically defends against DDoS attacks where TCP protocol is exploited. Some common defenses are:

* Filtering: The filtering techniques for packet filtering based on IP addresses represent the best current practices.

* Backlog increment: It is used in large backlogs and also in case of TCB buffers are exhausted, backlogs can be used.

* SYN-RECEIVED Timer reduction: The shortening of timeout period between receiving a SYN and reaping the created TCB for lack of progress is quickly implementable defense. Bogus connection attempts to persist long backlog for short time and free up space for legitimate connections very soon.

* Oldest Half-Open TCB recycling: some implementations allow incoming SYNs to overwrite the oldest half-open TCB entry, once the entire backlog is exhausted. It works by assuming that legitimate connections are fully established for less time than the backlog is filled by incoming attack SYNs.

* SYN Cache: Server node contains global hash table to reach half-open states for all applications, where the original TCP are stored in the backlog queue for each application. As a result, the node produce larger number of half-open states and also SYN flood attack impacts can be reduced.

* SYN Cookies: It modifies the TCP protocol with server to delay resource allocation until the client address is justified. It support against SYN flood attacks. When the SYN queue fills up, the use of SYN Cookies allows a server to avoid dropping connections. Otherwise, the server behaves like the SYN queue which is enhanced. the server sends back the absolute SYN+ACK response to the client but eliminate the SYN queue entry. If the server receives a correct ACK response from the client, the server can reconstruct the SYN queue entry using information encoded in the TCP sequence number.

* Hybrid Approaches: The combination of SYN cache and SYN cookie techniques are done here. For example, if cache becomes full, then SYN cookies can be sent in spite of purging cache entries for the entry of new SYNs. These types of hybrid approaches contain a strong combination of the positive aspects for every approach.

* Firewalls and Proxies: Firewalls have simple rules to enter or emit protocols, ports or IP addresses. Some DDoS attacks are too difficult for today's firewalls, e.g. if attack on port 80 (web service), they cannot distinguish good traffic from DDoS attack traffic because, firewalls cannot prevent that attack. Additionally, firewalls are too interior in the network structure. The firewall gets the traffic even before the router may be affected. Nevertheless, firewalls effectively prevent users from simple flooding type attacks from machines behind the firewall.

4.) IP level defense mechanism: IP-Level DDoS attacks are used as countermeasure for defense mechanisms. some defense mechanisms are,

* SIP defender: An open security architecture called VoIP Defender is designed to watch the traffic flow between SIP servers and external users and proxies. The aim is to detect attacks directed at the protected SIP server and also a framework for attack prevention / mitigation described by Jens et al.,.

* Push back: It is a mechanism for defending against distributed denial-of-service (DDoS) attacks at IP level mechanism and allows a router to accept adjacent upstream routers for the limitation at rate of traffic.

* Approaches of puzzle: Here cryptographic puzzles are used as a countermeasure to attain low level denial of service attack such as IP-Layer flooding given by Brent et al.,.

5.) Application level defense mechanisms Application level attack is implemented to defend against the defense mechanisms. Http level attack is more difficult to trace due to its legitimate behavior. Application level DDoS is much less than to carry out a TCP or IP level DDoS attack because the amount of traffic are successfully carried out. So the techniques used to detect TCP or IP level DDoS attacks are inherit to detect application level DDOS attacks. Application level defense mechanisms can be:

* Page access behavior at Mitigation: On these basis, HTTP-flooding can be defended by Lei et al., (2011).

* DDOS shield: Detection of HTTP level DDOS attacks are used by statistical methods.

* Defense against tilt DDOS attacks: It check out user's features (e.g. request volume, instant and long-term behavior) throughout a connection session whether he is malicious user or not described by Huey-Ing et al., (2011).

C. Time of action at DDOS defense mechanisms:

Based on the action time, defense mechanisms types are followed:

1.) Before the attack: It basically prevents the attack from happening. It focused on fixing the bugs of protocol exploitation vulnerabilities etc. The various mechanisms are noted by Saman et al,.

2.) During the attack: Now its turn to detect after the prevention of attack. Mechanisms are used to detect the attack when it happens. There are various methods whereas; IDPS systems or firewalls can be used to detect the attack under this category.

3.) After the attack: Once the DDOS is detected, it traces back the source of attack.

D. Dynamic Denial of Service Attacks defense mechanism:

The node mobility and attack propagation are considered to introduce a new DoS attack called dynamic DoS attack by using various examples, illustrate a malicious node to enhance the effective scope of DoS attacks and how DoS attacks propagate for intermediate neighbors. The dynamic DoS attack propagation for simple semi-Markov process introduced to enhance the propagation rate of DoS attacks. The analytic results show the dynamic DoS attack strengthen with propagation ability which harm the network connectivity more severely and quickly detailed by the author Fei.

E. Preventing Denial of Service (DoS) by security algorithms:

DoS attacks can be avoided by an efficient mechanism given by Ping Ding et al., (2007) for WLAN using Central Manager (CM).The three tables and a timer to detect DoS attacks are maintained by CM acts as back end server. The effect from login DoS attacks and improvement of WLANs with the help of the three tables T1, T2, T3 and timer are reduced by CM, either allows login or block it. The effects of a denial of service over a wireless network, by simulations using OMNeT++ network simulator are show by Malekzadeh et al. (2011) authors. A comparison between simulated and actual attack data is developed to simulate the data validation and presents required results. In simulation, several tests are conducted for verifying the throughput and delay of network traffic generation using TCP and UDP segments. The results produce a sudden fall to 0 bps throughput and increases up to delay, from 0 seconds to about 6 seconds of time where the attack is performed. It performs the amount of lost packets as 37.90% when the attack was in effect. It differ the simulation with the real model, so it can prove the results from attack mitigation, from this work, we can consider consistent with an actual attack). The technique of Sandstrom (2011) for denial of service detection and mitigation separates into three phases: Initialization, authentication and request. The authentication server selects a private key for the station and calculates with public key at initialization stage. It is performed before and also required once. To prevent denial of service type deauthentication and disassociation, it is given by (Arockiam and Vani, 2012) protocol based on large prime numbers factorization.

The station which initially enerates multiplication of two primes (p1 and n1). It is performed by AP to enerating another two prime numbers (p2 and n2). The numbers exchanges are done between the station and the AP at the authentication phase. If deauthentication packets are sending to some stakeholders, it also sends number p1 and p2 coupled to validate authentication for the package deauthentication. The tests are done by different prime numbers lengths (p and q) from 64, 128, 256 and 512 bits. In every case, this type of defense attack provides satisfaction, with spoofing deauthentication packets; the AP can ignore the bogus request. Taking a case of denial of service attack with frame control, (Malekzadeh et al., 2012) gives a method of channel reservation asked by attacker. Request to Send (RS) packet was too high, the AP receives reservation to broadcast a Clear to Send Packet (CSP) for channel reservation with window time to be request. If the AP packets are not received shortly, then it reverse back to channel reservation for featuring a denial of service. Throughput increase during the attack, with the result raised from 0.3 to 0.6 packets per time frame.

The study presented at (Lee et al., 2009) unused bits in 802.11i frames protocol. The authentication/association and de-authentication/disassociation frames are reproduced by the communication between stations with some sort of algorithm by inserting into random bits. All sent frames will set value and if it does not match the actual, it is rejected. The actual boxes are used to carry out the test which performs the data exchange by File Transfer Protocol (FTP). Some settings of bits provide success for some attacks according to our study used for verification compared to others which does not mitigate analyzed attacks. Soryal and Saadawi (2012), introduced a method of detection related to number of packets sent by a station containing CTS number received for this same station successfully. Every station probes channel with method called Markov Chain, to measure network throughput. Thus, the throughput attained for calculating Markov Chain and the amount of CTS frames received is checked. If this CTS frames number is greater than the throughput attained, then node is identified as an attacker and also MAC address is saved.

The frame control attacks is proposed (Mynemi and Huang, 2010) for generating and distributing keys shown in 802.11f protocol and generates a message authentication code by the generated key. The AP turns other APs over the channel initially and generates a number K, which sent over a TCP connection to other stations if none is found. Beyond the number K, it generates a sequence number S, with interval of channel reservation contained frames RTS/CTS. Results obtained to observe attacks which were not successful. This fact showed that DoS attacks become great demand and present a resulting efficiency and also many ways to reveal them. Thus the several malicious activities are needed to prevent as present the studies above. The Table.1 presents the summarized survey


The sensor network is difficult to prevent from DoS attacks. Here, the DoS attacks are specified and differentiated by varied attacking patterns. Learning of survey is the foremost to learn our knowledge basis and also different DDoS tools to specific time which involves defense mechanisms. Various counter-measures are noticed to introduced and implemented by these attacks. Learning of survey support security process and analyzed with attacks to give out pure security solutions. In this work, Hybrid support vector machine with ANFIS is proposed to detect the DoS attacks and can achieve not only high total accuracy but also improves the local accuracy of DoS attack detection.


Article history:

Received 3 September 2014

Received in revised form 30 October 2014

Accepted 4 November 2014


Arockiam, L. and B. Vani, 2012. Security algorithms to prevent Denial of Service (DoS) attacks in WLAN. Int. J. Wireless Commun. Netw. Technol, 2: 1-7.

Baber Aslam, M. Hasan Islam and Shoab A. Khan, 2008. Pseudo Randomized Sequence Number Based Solution to 802.11 Disassociation Denial of Service Attack, IEEE Xplore.

Barros, C., 2000. A proposal for ICMP traceback messages. Internet Draft, Sept. 18, 2000.

Brent, R. Waters, Ari Juels, chrissTunnell, Edward W. Felten, 2004. "Puzzle Outsourcing for IP-Level DoS Resistance", ACM Conference on Computer and Communications Security-CCS, pp: 246-256.

CERT, 1996. CERT Advisory cA-1996-21 TCP SYN flooding and IP spoofing attacks. Available at: (Date of access: January 2.

Chan, E.Y.K., 2006. Intrusion Detection Routers: Design, Implementation and Evaluation Using an Experimental Testbed, IEEE J. Sel. Areas Commun, 24(10): 1889-1900.

Chen, L.C., T.A. Longstaff, K.M. Carley, 2004. "Characterization of defense mechanisms against distributed denial of service attacks", Computers & Security, 23(8): 665-678.

Chibiao Liu and James Yu, 2007. A Solution to Wireless LAN Authentication and Association DoS Attacks, IAENG International Journal of Computer Science, August.

Dinesh Kumar and Palvinder Singh Mann, 2011. "Improving Network Performance and Mitigate Attacks using Analytical Approach under Collaborative Software as a Service (SAAS) Cloud Computing Environment", IJCST, 2(1): 0976-8491.

Fei Xing Wenye Wang, 2006. 'Understanding Dynamic Denial of Service Attacks in Mobile Ad Hoc Networks', Department of Electrical and Computer Engineering North Carolina State University, Raleigh, MILCOM, Military Communications Conference-MILCOM.

Ferguson, P., 2000. "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", Published in 2000.

Garber, L., 2000. Denial of Service attacks rip the Internet. IEEE Computer, 33(4): 12-17.

Haining Wang, Cheng Jin, G. Kang Shin, 2007. " Defense Against Spoofed IP Traffic Using Hop-Count Filtering", Networking, IEEE/ACM Transactions on, 15(1).

Houle, K.J. and G.M. Weaver, 2001. Trends in denial of service attack technology. Available at: (Date of access: January 2.

Huey-Ing Liu, Kuo-Chao Chang, 2011. "Defending Systems Against Tilt DDoS Attacks", The 6th International Conference on Telecommunication Systems, Services, and Applications 2011

Jelena Mirkovi'c Gregory Prier Peter Reiher, 2002. "Attacking DDoS at the Source", International Conference on Network Protocols-ICNP, pp: 312-321.

Jelena Mirkovic, Peter Reiher, 2004. "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms", Computer Communication Review-CCR, 34(2): 39-53.

Jens Fiedler, Tomas Kupka, Sven Ehlert, Prof. Dr. Thomas, Dr. Dorgham Sisalem, 2007. "VoIP Defender: Highly Scalable S IP-based Security Architecture", Published in 2007.

Kim, Y., W.C. Lau, M.C. Chuah and H.J. Chao, 2006. Packet Score: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks, IEEE Trans. Dependable Secure Computing, 3(2): 141-155.

Lee, Y.S., H.T. Chien and W.N. Tsai, 2009. Using random bit authentication to defend IEEE 802.11 DoS Attacks. J. Inform. Sci. Eng., 25: 1485-1500.

Lei Zhang, Shui Yu, Di Wu, Paul Watters, "A Survey on Latest Botnet Attack and Defense", 2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11

Lin Fan, 2010. "A Group Tracing and Filtering Tree for REST DDoS in Cloud Computing", International Journal of Digital Content Technology and its Applications, 4(9).

Malekzadeh, M., A.A.A. Ghani and S. Subramaniam, 2012. A new security model to prevent denial of service attacks and violation of availability in wireless networks. Int. J. Commun. Syst., 25: 903925. DOI: 10.1002/dac.1296

Malekzadeh, M., A.A.A. Ghani, S. Subramaniam and J.M. Desa, 2011. Reliability of omnet++ in wireless networks dos attacks: Simulation Vs testbed. Int. J. Netw. Security, 13: 13-21.

Moore, D., G.M. Voelker and S. Savage, 2001. Inferring Internet denial-of-service activity. In Proc. USENIX Security Symposium, Washington D.C.

Mynemi, S. and D. Huang, 2010. IEEE 802.11 Wireless LAN control frame protection. Proceedings of the 7th IEEE Consumer Communications and Networking Conference, Jan. 9-12, IEEE Xplore Press, Las Vegas, NV., pp: 9-12. DOI: 10.1109/CCNC.2010.5421585

Paxson, V., 2001, An analysis of using reflectors for distributed denial-of-service attacks. ACM Computer Communication Review, 31(3).

Peng, T., C. Leckie and K. Ramamohanarao, 2007. " Survey of network-based defense mechanisms countering the DoS and DDoS problems", ACM Comput. Surv. 39, 1, Article 3.

Ping Ding, JoAnne Hollida and Aslihan Celik, 2007. Central Manager: A Solution to Avoid Denial of Service Attacks for Wireless LANs, International Journal of Network Security, 4(1): 35-44.

Samant Saurabh, Ashok Singh Sairam, 2013. "A More Accurate Completion Condition for Attack-Graph Reconstruction in Probabilistic Packet Marking Algorithm", 978-1-4673-5952-8/13/$31.00 c 2013 IEEE

SamanTaghaviZargar, James Joshi and David Tipper, 2013. "A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS)Flooding Attacks", IEEE Communications Surveys & Tutorials, Accepted For Publication.

Sandstrom, H., 2011. A Survey of the Denial of Service Problem. In: Reducing the Denial of Service Attacks in WLANs, Singh, R. and T.P. Sharma, (Eds.), Detecting and World Congress Information Communication Technologies, pp: 968-973.

Savage, S., D. Wetherall, A. Karlin and T. Anderson, 2001. Network support for IP traceback. IEEE/ACM Transaction on Networking, 9(3): 226-237.

Schuba, C.L., I.V. Krsul, M.G. Kuhn, E.H. Spafford, A. Sundaram and D. Zamboni, 1997. Analysis of a denial of service attack on tcp. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA.

Soryal, J. and T. Saadawi, 2012. IEEE 802.11 denial of service attack detection in manet. Proceedings of the Telecommunications Symposium, Apr. 18-20, IEEE Xplore Press, London, pp: 1-8. DOI: 10.1109/WTS.2012.6266083

Spafford, G. and S. Garfinkel, 1996. Practical Unix and Internet Security. O'Reilly & Associates, Inc, second edition.

Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao, 2003. "Protection from Distributed Denial of Service Attack Using History-based IP Filtering", story-based IP filtering, ICC "03.May, 1: 482-486.

Yaar, A., A. Perrig and D. Song, 2003. Pi: A Path Identification Mechanism to Defend against DDoS Attacks, in IEEE Symposium on Security and Privacy, pp: 93.

Zeeshan Shafi Khan, Nabila Akram, KhaledAlghathbarl, Muhammad She, RashiMehmood, 2010. "Secure Single Packet IP Traceback Mechanism to Identify the Source", Published in 2010.

Dr. S. Angel Latha Mary, E. Sabaridha, A.N. Sivagami, M. Usha Rani

Department of CSE, Karpagam College of Engineering, Coimbatore, India,

Corresponding Author: Dr. S. Angel Latha Mary, Department of CSE, Karpagam College of Engineering, Coimbatore, India

Tel: +91 9842242882,

Table 1: Analysis on DoS Attacks.

S.No   Defense Mechanisms     Advantages        Limitations

1      Ingress/Egress         spoofed IP        If their addresses
       filtering for          addresses at      are still in the
       source's edge router   the source's      Valid internal IP
                              edge routers      address range,
                              are used to       Spoofed packets will
                              detect and        not be detected
                              filter packets
                              based on the
                              valid IP
                              address range
                              internal to the

2      D-WARD                 Traffic           More memory space
                              originating       and CPU cycles are
                              from a network    accepted than some
                              at the border     of the network-
                              of the source     based defense
                              network attack    mechanisms
                              can be stopped

3      MULTOPS                DDOS flooding     Dynamic tree
                              attacks are       structure is used
                              detected and      for monitoring
                              filtered based    packet rates for
                              on significant    every IP address to
                              difference        produce vulnerable
                              between the       target for a memory
                              rates of          exhaustion attack
                              traffic going
                              to and coming
                              from a host or

4      MANAnef's reverse      The forwards      It requires the
       firewall               packets are not   administrators"
                              replies to        involvement and also
                              other packets     manual
                              with limited
                              rate which
                              forwarded in
                              the other

5      IP Trace back          The forged IP     Many trace back
       mechanisms             packets are       mechanisms have
                              traces back to    heavy computational,
                              their true        network or
                              sources other     management overheads
                              than the          with serious
                              spoofed IP        deployment and
                              addresses         operational

6      Packet marking and     Legitimate        When strength of
       filtering mechanisms   packets are       attackers increases,
                              marked for each   it filters to become
                              router with       ineffective and they
                              their path to     cannot installed
                              the destination   properly
                              so that causes
                              "traffic attack
                              can filter the
                              edge router".

7      Backlog increment      The overflowing   The use of linear
                              occurs at the     list traversal
                              host's backlog    functioned with
                              of connecting     attempt to free
                              sockets can be    state linked with
                              reduced           stale connection
                                                attempts are known
                                                to be pure solution.

8      SYN-RECEIVED Timer     The tighter       The tighter limit of
       reduction              limit of time     time is applied when
                              is applied when   a TCB enters the
                              a TCB enters      SYNRECEIVED state
                              the SYNRECEIVED   for not advancing
                              state for not     when it may be
                              advancing when    reaped
                              it may be

9      Oldest Half-Open TCB   When entire       when the attacking
       recycling              backlog is        packet rate is high
                              exhausted, it     and/or the backlog
                              allows incoming   Size is small, it
                              syns to           fails. It is not a
                              overwrite with    robust Defense.
                              the oldest
                              half-open TCB

10     SYN Cache              The secret bits   Difficult for secret
                              prevents an       bits to prevent an
                              attacker from     attacker
                              being able to
                              target specific
                              Hash values are

11     SYN Cookies            Causes absolute   Some of the TCB data
                              zero state        only can fit into
                              which is          the 32-bit Sequence
                              generated by a    Number field,
                              received SYN      therefore TCP
                                                options required for
                                                high improvement
                                                which may disabled
                                                SYN-acks. It is not
                                                retransmission would
                                                require state

12     Firewalls and          SYN flooding      SYN flooding attacks
       Proxies                attacks can be    can be defeated

13     IP level defense       Used to prevent   Difficult to
       mechanism              SIP servers       implement it. Works
                                                only at ip level

14     Page access behavior   HTTP-GET          False positives are
       at the mitigation      flooding          large to mitigate
                              attacks can be    it.

15     Denial of Service      delay of          Throughput from DoS
       assess RTS/CTS in      packets are       is suddenly dropped.
       simulations and in     incremented
       real scenario          from 0 to 6
                              seconds and
                              packet loss
                              rate of 37.9%

16     Phases can be          DoS attacks can   Security must be
       differentiated into    be detect in      improved in phases.
       generation, exchange   authentication
       and authentication     and DoS flood
       by public key.         are reduced
                              during the
                              phase and the
                              probe request.

17     factoring of very      Prime numbers     Complexity must be
       large prime numbers    with varying      improved
       can be performed       bit, the model
                              was successful
                              by neglecting

18     If useful package      A result          Time complexity
       was not sent within    obtained in the
       a time interval,       network
       repeal the channel     throughput is
       reservation request    testing
                              scenarios with
                              rise of 0.3 to
                              0. 6 packets
                              per time

19     Unused bits are used   Use of 5 bits     Computational
       in the header to       or more random    Complexity
       generate random        numbers,
       numbers.               mitigation is
                              expected to be

20     Markov chain is used   The test shown    High bandwidth
       to get more accurate   that the model    consumption rate
       throughput to          was successful
       receive CTS frames     by detecting
       by the host. The       that the check
       result of the Markov   is made of the
       chain and the DoS      quantity and
       attack is detected,    attacker MAC
       if this ratio is       address.
       greater than CTS

21     An approach towards    Tests produce     Misleading genuine
       generation and         that the          client stations
       distribution of        network
       keys.                  throughput for
                              UDP traffic
                              value was 28.4
                              Mbps and the
                              model of the
                              value was 27.6

22     Hybrid support         Propose a new     It can achieve not
       vector machine with    hybrid            only high total
       ANFIS based DoS        classification    accuracy but also
       attack detection       system called     improves the local
                              SVM-ANFIS based   accuracy of DoS
                              on Support        attack detection.
                              Vector Machines
                              and Adaptive
                              Neuro Fuzzy
                              System for DoS
COPYRIGHT 2014 American-Eurasian Network for Scientific Information
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2014 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Distributed Denial of Service
Author:Mary, S. Angel Latha; Sabaridha, E.; Sivagami, A.N.; Rani, M. Usha
Publication:Advances in Natural and Applied Sciences
Article Type:Report
Date:Oct 1, 2014
Previous Article:A new approach of data gathering using mobile sink and support-in cluster head in WSN.
Next Article:Auditability-aware data scheduling for privacy preserved third-party auditing.

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters