An empirical study on dos attacks and DDoS defense mechanism.
A Denial of Service attack involves attackers exploit suitable vulnerabilities for sending messages reach the abnormality or paralysis of business systems, else sends a large amount of usual messages to a single node quickly for run out the system resources results in business system failure. As long as administrators placed at top of patching vulnerabilities and optimizes the performance of business systems and the potential harm of a simple DoS attack is relatively minor. A Distributed Denial of Service attack utilizes multiple distributed attack sources based on DoS attack. The attackers uses the controlled bots (also referred to as zombies) typically large numbers and also distributed beyond various locations for attaining large number of DoS attacks by single or multiple targets.
The bots nets are developed rapidly in recent years, to cause DDoS traffic scale attack which increase the targets include business servers, Internet infrastructures such as firewalls, routers and DNS systems and also network bandwidth. The broader influence and the sphere making are improved by the attacks. The resources are specified at legitimate users where they aim for denial of service which is to be extended. The computer or network service resource attack can be defeated by any malicious user when incident is declared.
Lin Fan et al., (2010) describes DoS attack are realized by people for key security issues and also it is implemented to increases the security threat, protecting systems against DoS attack. The fast growing concern are improved by DoS attack which are noticed with more researchers where the attacker design a flow or system bug to report as a resource of a victim system, and also users can prevent from accessing the service or to degrade the quality of service which they get. For example, the operating systems with DoS were early work with type of resource exhaustion attack. Hence network performs DoS attacks finally and the distributed DoS attack by instance. The services are to be exhausted when supposed to be not available. The computer or network resource exists by DoS attack to avoid damage, e.g. a user account or network connection. The resource availability, and the affected will users are collate by attack. The DoS attack is not only necessary at the unique one but also materialized to resource exhaustion
The distributed denial-of-service attack causes denial of service with single target for multitude of compromised systems helps for the target system as detailed by Dinesh & Palvinder (2011). Effective messages are controlled by system services with legitimate user's reputed flood to retaining the system. Computer systems exploit and vulnerable to begin the hackers attack and make the DDoS master. It starts from the master system that identifies and communicates with other systems to load cracking tools available on the Internet at multiple compromised systems. The intruder instructs the controlled machines with single command to obtain many flood attacks against a specified target. The packets flood to the target causes a denial of service. The co-opted computers owners are typically unaware that their computers have been compromised and they are nevertheless like to harm degradation of service and malfunction. An intruder takes over the control of computer are said to be zombie or bot.
Remote or local access is prevented to prohibit convenient and secured service systems by an unauthorized addressed by DoS attacks with more complex and harder attack in it. Hence DDoS attacks are discrepant by reaction with more coincident of host in spite of host attack. DDoS attacks increases frequency in recent years, sophistication and severity increases fast in computer vulnerabilities (CERT 2006, Houle et al. 2001), which enable attackers to break and update other attacking tools in more computers. DoS attacks harm the wireless sensor because mobile nodes (such as laptops, cell phones, etc.) share the same physical media for transmitting and receiving signals and also mobile computing resources (such as bandwidth, CPU and power) are usually more used which are than available to wired nodes. A single attacker can easily forge, modify or inject packets in wireless network to interrupt connections between legitimate mobile nodes and cause DoS effects.
Related works in dos attacks:
DoS attacks are the class of attacks to initiate the single or group of individuals to exploit the Internet Protocol to extend or other users from legitimate access to systems and information. SMURF attacks are associated to DoS attacks from past, which is targeted at routers. If router forces to stop forwarding packets by an attacker, then all hosts are effectively disconnected behind the router. Now more forms of attacks are ready to attack web servers, mail servers and other services. DDoS on the other side is a combination of DoS attacks which is developed to stage or carried out from various hosts to produce the target host from further serving its function. DDoS termed that source of the attack is not coming from a single source, but multiple sources. DDoS are not eliminated by filtering the source IPs since it is taken from multiple points installed with agents. Some of the DDoS tools are Mstream, Trinoo, TFN2K (Tribe Flood Network), Stacheldraht and Shaft. An example for DDoS attack is bandwidth attack. Network administrators initially detect symptoms of uniform degradation of network or device performance. Uniformly performance could be degraded due to resource consumption of bandwidth attack. Peer-to-peer attack can occur to specific devices in the network, causes the CPU utilization to run up and also failure of the host to serve other users. Denial of Service Attacks provide network in other host to identify the pattern or signature of the attack while using sniffers or logging the router are caused to be attack extension.
Router and host logs are analyzed may or may not to show the real nature of the attack or it can cause false reporting. Some organizations install commercial network Intruder Detection System, mis-configured attack signature, and provided wrong alert indicators by experiences. A sniffer helps to identify the real threat at this point. Mis-configuration of devices such as hubs and routers can cause DoS effect based on experience. Hence, it is advisable not to eliminate packets until examined. Double edged sword, the source host (or spoofed host) is the DoS attacks which will be affected as much as the target host. Situation, an attacker will have to monitor due to this situation if the attack is successful to plant a sniffer in the spoofed network or the target network by Fig.1. The incidents involving smurf attacks are proven in this situation and syn flood attacks because these connections are requests to produce a massive spur of return packets to the source IP, and also it often cause a similar track to the source and the destination IP. The spoofed machine will be swamp using spoofed IP instead of return packets and it makes the attack very difficult to be noticed for the originator machine. Anyhow, it is difficult to spoof IPs, especially when the attacker is within a network to Ingress filters at the routers. There were a few incidents involving both parties experiencing handling Incident Response from my experience, DoS attack report, access the attack initiation and vice-versa, because of the fact that required firewalls will log only one direction of the traffic other than bi-directional. Further improving analysis and correlation of the logs retained that the attack was received from one of them.
Types of ddos attacks:
Garber (2000); Moore et at., (2001) describes several DoS attacks which are known and documented in the literature. Savage et at., (2001); Spafford & Garfinkel (1996), flooded a victim with an overwhelming amount of traffic which is the most common. The communication links and they warts all connections among the legitimate users clogs the unusual traffic, which result in shutting down an entire site or a branch of the network and published in February 2000. Garber (2000) describes several hours about the popular web sites Yahoo, E*TRADE, EBay, and CNN. Flooding attacks Kim et at., (2006)] are instantiated by TCP SYN flooding. Using this attack, it runs a Web server when the victim is host. A connection was opened by regular client with the server by sending a TCP SYN segment. The server allocates buffer by expected connection which replies with a TCP ACK segment half-open (backlogged) remains till the client acknowledges the ACK server and moves it to the established state.
After an expiration of a timer the buffer will be deallocated if the client does not send the ACK. The server can produce only a particular number of half-open connections after which all requests will be retained. A TCP SYN segment is send by attacker gained to establish a connection and also to make the server reserves buffer for it. The connection was not completed by the attacker. In spite, it uses more TCP SYNs, for the server to waste its memory and also to reach its limit for the backlogged connections. A high rate of sending such SYN requests keeps the server unable to satisfy connection requests from legitimate users. A tool to alleviate the SYN flooding attack is developed by Schuba et al., (1997). The tool looks for SYN segments starting from spoofed IP addresses and sends TCP RST segments to the server. RST segments terminate the half-open connections and free their associated buffers. Other flooding types of attacks include TCP ACK and RST flooding, ICMP and UDP echo-request flooding, and DNS request flooding described by Moore et al., (2001); Spafford & Garfinkel (1996). It is not by means of exhaustive.
When an attacker uses multiple hosts over the Internet to storm a victim, it affects the DoS attack more severely. To attain it, the attacker supports many hosts and provides attacking agents on them. All agents are signaled by the attacker simultaneously to attain an attack on a victim. Barros (2000) proves that DDoS attack can reach a high level of improvements by using reflectors. A reflector is a mirror type structures that reflects light. Many hosts such as Web servers, DNS servers, and routers are used as reflectors in the Internet because it reply to (or reflect) specific type of packets. Web servers replication are done at SYN requests, DNS servers reply to queries, and routers send ICMP packets (time exceeded or host unreachable) in response to specific IP packets. The attackers can attack these reflectors to attain DDoS attacks. For example, SYN request is send by an attacking agent to a reflector which specify the victim's IP address as the source address of the agent. The SYN ACK is send by a reflector to the victim. The reflectors in the Internet are million types and the attacker use of these reflectors to flood the victim's network for sending a large amount of packets. Paxson (2001) analyzes several Internet protocols and applications to concludes that DNS servers, Gnutella servers, and TCP-based servers are potential reflectors.
Some listed specific DDoS types are below
* SYN Flooding: The weakness of the TCP handshake is used by attacker and also sends an abundance of TCP SYN packets to the victim. It opens a lot of TCP connections by responds with ACK. Hand-shake was not finished by attacker, as in result, causes the half-open TCP connections to overflow the victim's incoming queue. SYN Flooding does not target specific Operating System, and also attack any system supporting TCP protocol.
* Ping of Death: The victim oversized IP packets are send by attacker, contain more than 65,536 bytes to cause the victim machine to crash.
* Process Table: An abundance of uncompleted connections to the victim server is send by an attacker. A new process is
* Created for each connection by victim until it cannot serve any more requests.
* Smurf Attack: The broadcast address is sent by an abundance of Internet Control Message Protocol (ICMP) "echo-request" packets, as the victim's IP as the source address. ICMP "echo-reply" packets are flooded by the victim.
* SSH Process Table: The SSH daemon is overflowed by the attacker in the victim system and it is similar to the process of table attacks.
* TCP Reset: The traffic for the "tcp connection" requests to the victim is listened by the attacker. Once the request is found, a spoofed TCP RESET packet to the victim is sent by the attacker and omits it to stop the TCP connection.
* Teardrop: IP fragments are created as a stream by the attacker with their offset field overlapped. This may crash when trying to reassemble these malformed fragments.
* UDP Packet Storm: A start packet was spoofed by the attacker and bridges between two victim nodes, with type of UDP output services (such as "chargen" or "echo") for generating various traffic into the network.
Analysis of ddos attacks:
The severeness and seriousness of DDoS attack enhance many defense mechanisms but the complete solution is no to be attained. The many factors which hit the advance of DDOS defense research detailed by JelenaMirkovic. The moment when DDoS attack is detected, it disconnects the harm from resources. Any type of reaction need resources, which are already been consumed by DDoS attack to drop out the harmful effect from all resources. The attack source trace back and identification can be carried out after the victim is disconnected. Detection, trackbacking the DDoS attack described by Chen (2004) proposed the number of methods. DDoS attack defense mechanisms contain several dimensions to be kept in mind by location of defense mechanism applied, defense mechanism works with protocol level and time when the mechanism is active
A. DDoS defense mechanisms based on deployment:
The implementation of defense mechanism is based on the classification of location. It differs by source based, destination based and network based described by JelenaMirkovic.
1.) Source based: Mechanisms are deployed near the sources of attack. It target on the restrictions of network customers from DDoS attacks generation.
* Ingress/Egress filtering at source's edge router: It detect the packets with spoofed IP address at the source's edge router described by Peng et al., (2007).
* D-WARD: It is a DDoS defense system used at source-end networks which autonomously detects and stops attacks starting from these networks described by JelenaMirkovic.
* MULTOPS: Multi-level tree for online packets statistics are abbreviated as MULTOPS. It is a group of nodes which forms tree structure contains packet rate statistics. The changes in packet rates dynamically adapt the shapes described by JelenaMirkovic. It is used by networks for source subnet to detect DDOS flooding attacks.
* MANAnef's reverse firewall: Reverse firewall works differ from a traditional firewall. It forwards the packets which are not replies by limiting the rate.
2.) Destination based: Mechanisms are deployed near the victim i.e. neither edge router nor the access router of the destination.
* IP Trace back mechanisms: IP Trace back is a technique to identify the origin of the spoofed user .
* Packet marking and filtering mechanisms: Here legitimate packets are pointed at the victim's side, it differ between legitimate and attack packets. There are different methods to implement these mechanisms described by SamantSaurabh (2013). For example, history based IP filtering detailed by Tao (2003), Hop-count filtering described by Haining, Path identifier by Yaar et al., (2003), based on the level of congestion provides packet dropping described by Kim et al., (2006).
3.) Network based: It is inside networks and on the routers of the autonomous systems described by Chan et al., (2006). Some network based defense mechanisms are route based packet filtering, detecting and filtering malicious routers etc.
B. DDoS defense mechanisms based on protocol:
The defense mechanisms can be classified to defend against the TCP/NETWORK level DDOS attacks and also mechanisms to defend against APPLICATION level DDOS attacks.
* TCP: This mechanism basically defends against DDoS attacks where TCP protocol is exploited. Some common defenses are:
* Filtering: The filtering techniques for packet filtering based on IP addresses represent the best current practices.
* Backlog increment: It is used in large backlogs and also in case of TCB buffers are exhausted, backlogs can be used.
* SYN-RECEIVED Timer reduction: The shortening of timeout period between receiving a SYN and reaping the created TCB for lack of progress is quickly implementable defense. Bogus connection attempts to persist long backlog for short time and free up space for legitimate connections very soon.
* Oldest Half-Open TCB recycling: some implementations allow incoming SYNs to overwrite the oldest half-open TCB entry, once the entire backlog is exhausted. It works by assuming that legitimate connections are fully established for less time than the backlog is filled by incoming attack SYNs.
* SYN Cache: Server node contains global hash table to reach half-open states for all applications, where the original TCP are stored in the backlog queue for each application. As a result, the node produce larger number of half-open states and also SYN flood attack impacts can be reduced.
* SYN Cookies: It modifies the TCP protocol with server to delay resource allocation until the client address is justified. It support against SYN flood attacks. When the SYN queue fills up, the use of SYN Cookies allows a server to avoid dropping connections. Otherwise, the server behaves like the SYN queue which is enhanced. the server sends back the absolute SYN+ACK response to the client but eliminate the SYN queue entry. If the server receives a correct ACK response from the client, the server can reconstruct the SYN queue entry using information encoded in the TCP sequence number.
* Hybrid Approaches: The combination of SYN cache and SYN cookie techniques are done here. For example, if cache becomes full, then SYN cookies can be sent in spite of purging cache entries for the entry of new SYNs. These types of hybrid approaches contain a strong combination of the positive aspects for every approach.
* Firewalls and Proxies: Firewalls have simple rules to enter or emit protocols, ports or IP addresses. Some DDoS attacks are too difficult for today's firewalls, e.g. if attack on port 80 (web service), they cannot distinguish good traffic from DDoS attack traffic because, firewalls cannot prevent that attack. Additionally, firewalls are too interior in the network structure. The firewall gets the traffic even before the router may be affected. Nevertheless, firewalls effectively prevent users from simple flooding type attacks from machines behind the firewall.
4.) IP level defense mechanism: IP-Level DDoS attacks are used as countermeasure for defense mechanisms. some defense mechanisms are,
* SIP defender: An open security architecture called VoIP Defender is designed to watch the traffic flow between SIP servers and external users and proxies. The aim is to detect attacks directed at the protected SIP server and also a framework for attack prevention / mitigation described by Jens et al.,.
* Push back: It is a mechanism for defending against distributed denial-of-service (DDoS) attacks at IP level mechanism and allows a router to accept adjacent upstream routers for the limitation at rate of traffic.
* Approaches of puzzle: Here cryptographic puzzles are used as a countermeasure to attain low level denial of service attack such as IP-Layer flooding given by Brent et al.,.
5.) Application level defense mechanisms Application level attack is implemented to defend against the defense mechanisms. Http level attack is more difficult to trace due to its legitimate behavior. Application level DDoS is much less than to carry out a TCP or IP level DDoS attack because the amount of traffic are successfully carried out. So the techniques used to detect TCP or IP level DDoS attacks are inherit to detect application level DDOS attacks. Application level defense mechanisms can be:
* Page access behavior at Mitigation: On these basis, HTTP-flooding can be defended by Lei et al., (2011).
* DDOS shield: Detection of HTTP level DDOS attacks are used by statistical methods.
* Defense against tilt DDOS attacks: It check out user's features (e.g. request volume, instant and long-term behavior) throughout a connection session whether he is malicious user or not described by Huey-Ing et al., (2011).
C. Time of action at DDOS defense mechanisms:
Based on the action time, defense mechanisms types are followed:
1.) Before the attack: It basically prevents the attack from happening. It focused on fixing the bugs of protocol exploitation vulnerabilities etc. The various mechanisms are noted by Saman et al,.
2.) During the attack: Now its turn to detect after the prevention of attack. Mechanisms are used to detect the attack when it happens. There are various methods whereas; IDPS systems or firewalls can be used to detect the attack under this category.
3.) After the attack: Once the DDOS is detected, it traces back the source of attack.
D. Dynamic Denial of Service Attacks defense mechanism:
The node mobility and attack propagation are considered to introduce a new DoS attack called dynamic DoS attack by using various examples, illustrate a malicious node to enhance the effective scope of DoS attacks and how DoS attacks propagate for intermediate neighbors. The dynamic DoS attack propagation for simple semi-Markov process introduced to enhance the propagation rate of DoS attacks. The analytic results show the dynamic DoS attack strengthen with propagation ability which harm the network connectivity more severely and quickly detailed by the author Fei.
E. Preventing Denial of Service (DoS) by security algorithms:
DoS attacks can be avoided by an efficient mechanism given by Ping Ding et al., (2007) for WLAN using Central Manager (CM).The three tables and a timer to detect DoS attacks are maintained by CM acts as back end server. The effect from login DoS attacks and improvement of WLANs with the help of the three tables T1, T2, T3 and timer are reduced by CM, either allows login or block it. The effects of a denial of service over a wireless network, by simulations using OMNeT++ network simulator are show by Malekzadeh et al. (2011) authors. A comparison between simulated and actual attack data is developed to simulate the data validation and presents required results. In simulation, several tests are conducted for verifying the throughput and delay of network traffic generation using TCP and UDP segments. The results produce a sudden fall to 0 bps throughput and increases up to delay, from 0 seconds to about 6 seconds of time where the attack is performed. It performs the amount of lost packets as 37.90% when the attack was in effect. It differ the simulation with the real model, so it can prove the results from attack mitigation, from this work, we can consider consistent with an actual attack). The technique of Sandstrom (2011) for denial of service detection and mitigation separates into three phases: Initialization, authentication and request. The authentication server selects a private key for the station and calculates with public key at initialization stage. It is performed before and also required once. To prevent denial of service type deauthentication and disassociation, it is given by (Arockiam and Vani, 2012) protocol based on large prime numbers factorization.
The station which initially enerates multiplication of two primes (p1 and n1). It is performed by AP to enerating another two prime numbers (p2 and n2). The numbers exchanges are done between the station and the AP at the authentication phase. If deauthentication packets are sending to some stakeholders, it also sends number p1 and p2 coupled to validate authentication for the package deauthentication. The tests are done by different prime numbers lengths (p and q) from 64, 128, 256 and 512 bits. In every case, this type of defense attack provides satisfaction, with spoofing deauthentication packets; the AP can ignore the bogus request. Taking a case of denial of service attack with frame control, (Malekzadeh et al., 2012) gives a method of channel reservation asked by attacker. Request to Send (RS) packet was too high, the AP receives reservation to broadcast a Clear to Send Packet (CSP) for channel reservation with window time to be request. If the AP packets are not received shortly, then it reverse back to channel reservation for featuring a denial of service. Throughput increase during the attack, with the result raised from 0.3 to 0.6 packets per time frame.
The study presented at (Lee et al., 2009) unused bits in 802.11i frames protocol. The authentication/association and de-authentication/disassociation frames are reproduced by the communication between stations with some sort of algorithm by inserting into random bits. All sent frames will set value and if it does not match the actual, it is rejected. The actual boxes are used to carry out the test which performs the data exchange by File Transfer Protocol (FTP). Some settings of bits provide success for some attacks according to our study used for verification compared to others which does not mitigate analyzed attacks. Soryal and Saadawi (2012), introduced a method of detection related to number of packets sent by a station containing CTS number received for this same station successfully. Every station probes channel with method called Markov Chain, to measure network throughput. Thus, the throughput attained for calculating Markov Chain and the amount of CTS frames received is checked. If this CTS frames number is greater than the throughput attained, then node is identified as an attacker and also MAC address is saved.
The frame control attacks is proposed (Mynemi and Huang, 2010) for generating and distributing keys shown in 802.11f protocol and generates a message authentication code by the generated key. The AP turns other APs over the channel initially and generates a number K, which sent over a TCP connection to other stations if none is found. Beyond the number K, it generates a sequence number S, with interval of channel reservation contained frames RTS/CTS. Results obtained to observe attacks which were not successful. This fact showed that DoS attacks become great demand and present a resulting efficiency and also many ways to reveal them. Thus the several malicious activities are needed to prevent as present the studies above. The Table.1 presents the summarized survey
The sensor network is difficult to prevent from DoS attacks. Here, the DoS attacks are specified and differentiated by varied attacking patterns. Learning of survey is the foremost to learn our knowledge basis and also different DDoS tools to specific time which involves defense mechanisms. Various counter-measures are noticed to introduced and implemented by these attacks. Learning of survey support security process and analyzed with attacks to give out pure security solutions. In this work, Hybrid support vector machine with ANFIS is proposed to detect the DoS attacks and can achieve not only high total accuracy but also improves the local accuracy of DoS attack detection.
Received 3 September 2014
Received in revised form 30 October 2014
Accepted 4 November 2014
Arockiam, L. and B. Vani, 2012. Security algorithms to prevent Denial of Service (DoS) attacks in WLAN. Int. J. Wireless Commun. Netw. Technol, 2: 1-7.
Baber Aslam, M. Hasan Islam and Shoab A. Khan, 2008. Pseudo Randomized Sequence Number Based Solution to 802.11 Disassociation Denial of Service Attack, IEEE Xplore.
Barros, C., 2000. A proposal for ICMP traceback messages. Internet Draft http://www.research.att.com/lists/ietfitrace/2000/09/msg00044.html, Sept. 18, 2000.
Brent, R. Waters, Ari Juels, chrissTunnell, Edward W. Felten, 2004. "Puzzle Outsourcing for IP-Level DoS Resistance", ACM Conference on Computer and Communications Security-CCS, pp: 246-256.
CERT, 1996. CERT Advisory cA-1996-21 TCP SYN flooding and IP spoofing attacks. Available at: http://www.cert.org/advisories/CA-1996-21.html. (Date of access: January 2.
Chan, E.Y.K., 2006. Intrusion Detection Routers: Design, Implementation and Evaluation Using an Experimental Testbed, IEEE J. Sel. Areas Commun, 24(10): 1889-1900.
Chen, L.C., T.A. Longstaff, K.M. Carley, 2004. "Characterization of defense mechanisms against distributed denial of service attacks", Computers & Security, 23(8): 665-678.
Chibiao Liu and James Yu, 2007. A Solution to Wireless LAN Authentication and Association DoS Attacks, IAENG International Journal of Computer Science, August.
Dinesh Kumar and Palvinder Singh Mann, 2011. "Improving Network Performance and Mitigate Attacks using Analytical Approach under Collaborative Software as a Service (SAAS) Cloud Computing Environment", IJCST, 2(1): 0976-8491.
Fei Xing Wenye Wang, 2006. 'Understanding Dynamic Denial of Service Attacks in Mobile Ad Hoc Networks', Department of Electrical and Computer Engineering North Carolina State University, Raleigh, MILCOM, Military Communications Conference-MILCOM.
Ferguson, P., 2000. "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", Published in 2000.
Garber, L., 2000. Denial of Service attacks rip the Internet. IEEE Computer, 33(4): 12-17.
Haining Wang, Cheng Jin, G. Kang Shin, 2007. " Defense Against Spoofed IP Traffic Using Hop-Count Filtering", Networking, IEEE/ACM Transactions on, 15(1).
Houle, K.J. and G.M. Weaver, 2001. Trends in denial of service attack technology. Available at: http://www.cert.org/archive/pdf/DoS_trends.pdf. (Date of access: January 2.
Huey-Ing Liu, Kuo-Chao Chang, 2011. "Defending Systems Against Tilt DDoS Attacks", The 6th International Conference on Telecommunication Systems, Services, and Applications 2011
Jelena Mirkovi'c Gregory Prier Peter Reiher, 2002. "Attacking DDoS at the Source" www.cs3inc.com/pubs/ps_MANAnet-Reverse-Firewall.pdf, International Conference on Network Protocols-ICNP, pp: 312-321.
Jelena Mirkovic, Peter Reiher, 2004. "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms", Computer Communication Review-CCR, 34(2): 39-53.
Jens Fiedler, Tomas Kupka, Sven Ehlert, Prof. Dr. Thomas, Dr. Dorgham Sisalem, 2007. "VoIP Defender: Highly Scalable S IP-based Security Architecture", Published in 2007.
Kim, Y., W.C. Lau, M.C. Chuah and H.J. Chao, 2006. Packet Score: A Statistics-Based Packet Filtering Scheme against Distributed Denial-of-Service Attacks, IEEE Trans. Dependable Secure Computing, 3(2): 141-155.
Lee, Y.S., H.T. Chien and W.N. Tsai, 2009. Using random bit authentication to defend IEEE 802.11 DoS Attacks. J. Inform. Sci. Eng., 25: 1485-1500.
Lei Zhang, Shui Yu, Di Wu, Paul Watters, "A Survey on Latest Botnet Attack and Defense", 2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11
Lin Fan, 2010. "A Group Tracing and Filtering Tree for REST DDoS in Cloud Computing", International Journal of Digital Content Technology and its Applications, 4(9).
Malekzadeh, M., A.A.A. Ghani and S. Subramaniam, 2012. A new security model to prevent denial of service attacks and violation of availability in wireless networks. Int. J. Commun. Syst., 25: 903925. DOI: 10.1002/dac.1296
Malekzadeh, M., A.A.A. Ghani, S. Subramaniam and J.M. Desa, 2011. Reliability of omnet++ in wireless networks dos attacks: Simulation Vs testbed. Int. J. Netw. Security, 13: 13-21.
Moore, D., G.M. Voelker and S. Savage, 2001. Inferring Internet denial-of-service activity. In Proc. USENIX Security Symposium, Washington D.C.
Mynemi, S. and D. Huang, 2010. IEEE 802.11 Wireless LAN control frame protection. Proceedings of the 7th IEEE Consumer Communications and Networking Conference, Jan. 9-12, IEEE Xplore Press, Las Vegas, NV., pp: 9-12. DOI: 10.1109/CCNC.2010.5421585
Paxson, V., 2001, An analysis of using reflectors for distributed denial-of-service attacks. ACM Computer Communication Review, 31(3).
Peng, T., C. Leckie and K. Ramamohanarao, 2007. " Survey of network-based defense mechanisms countering the DoS and DDoS problems", ACM Comput. Surv. 39, 1, Article 3.
Ping Ding, JoAnne Hollida and Aslihan Celik, 2007. Central Manager: A Solution to Avoid Denial of Service Attacks for Wireless LANs, International Journal of Network Security, 4(1): 35-44.
Samant Saurabh, Ashok Singh Sairam, 2013. "A More Accurate Completion Condition for Attack-Graph Reconstruction in Probabilistic Packet Marking Algorithm", 978-1-4673-5952-8/13/$31.00 c 2013 IEEE
SamanTaghaviZargar, James Joshi and David Tipper, 2013. "A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS)Flooding Attacks", IEEE Communications Surveys & Tutorials, Accepted For Publication.
Sandstrom, H., 2011. A Survey of the Denial of Service Problem. In: Reducing the Denial of Service Attacks in WLANs, Singh, R. and T.P. Sharma, (Eds.), Detecting and World Congress Information Communication Technologies, pp: 968-973.
Savage, S., D. Wetherall, A. Karlin and T. Anderson, 2001. Network support for IP traceback. IEEE/ACM Transaction on Networking, 9(3): 226-237.
Schuba, C.L., I.V. Krsul, M.G. Kuhn, E.H. Spafford, A. Sundaram and D. Zamboni, 1997. Analysis of a denial of service attack on tcp. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA.
Soryal, J. and T. Saadawi, 2012. IEEE 802.11 denial of service attack detection in manet. Proceedings of the Telecommunications Symposium, Apr. 18-20, IEEE Xplore Press, London, pp: 1-8. DOI: 10.1109/WTS.2012.6266083
Spafford, G. and S. Garfinkel, 1996. Practical Unix and Internet Security. O'Reilly & Associates, Inc, second edition.
Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao, 2003. "Protection from Distributed Denial of Service Attack Using History-based IP Filtering", story-based IP filtering, ICC "03.May, 1: 482-486.
Yaar, A., A. Perrig and D. Song, 2003. Pi: A Path Identification Mechanism to Defend against DDoS Attacks, in IEEE Symposium on Security and Privacy, pp: 93.
Zeeshan Shafi Khan, Nabila Akram, KhaledAlghathbarl, Muhammad She, RashiMehmood, 2010. "Secure Single Packet IP Traceback Mechanism to Identify the Source", Published in 2010.
Dr. S. Angel Latha Mary, E. Sabaridha, A.N. Sivagami, M. Usha Rani
Department of CSE, Karpagam College of Engineering, Coimbatore, India, email@example.com
Corresponding Author: Dr. S. Angel Latha Mary, Department of CSE, Karpagam College of Engineering, Coimbatore, India
Tel: +91 9842242882, E-mail:firstname.lastname@example.org
Table 1: Analysis on DoS Attacks. S.No Defense Mechanisms Advantages Limitations 1 Ingress/Egress spoofed IP If their addresses filtering for addresses at are still in the source's edge router the source's Valid internal IP edge routers address range, are used to Spoofed packets will detect and not be detected filter packets based on the valid IP address range internal to the network 2 D-WARD Traffic More memory space originating and CPU cycles are from a network accepted than some at the border of the network- of the source based defense network attack mechanisms can be stopped 3 MULTOPS DDOS flooding Dynamic tree attacks are structure is used detected and for monitoring filtered based packet rates for on significant every IP address to difference produce vulnerable between the target for a memory rates of exhaustion attack traffic going to and coming from a host or subnet 4 MANAnef's reverse The forwards It requires the firewall packets are not administrators" replies to involvement and also other packets manual with limited rate which recently forwarded in the other direction 5 IP Trace back The forged IP Many trace back mechanisms packets are mechanisms have traces back to heavy computational, their true network or sources other management overheads than the with serious spoofed IP deployment and addresses operational challenges 6 Packet marking and Legitimate When strength of filtering mechanisms packets are attackers increases, marked for each it filters to become router with ineffective and they their path to cannot installed the destination properly so that causes "traffic attack can filter the edge router". 7 Backlog increment The overflowing The use of linear occurs at the list traversal host's backlog functioned with of connecting attempt to free sockets can be state linked with reduced stale connection attempts are known to be pure solution. 8 SYN-RECEIVED Timer The tighter The tighter limit of reduction limit of time time is applied when is applied when a TCB enters the a TCB enters SYNRECEIVED state the SYNRECEIVED for not advancing state for not when it may be advancing when reaped it may be reaped 9 Oldest Half-Open TCB When entire when the attacking recycling backlog is packet rate is high exhausted, it and/or the backlog allows incoming Size is small, it syns to fails. It is not a overwrite with robust Defense. the oldest half-open TCB entry. 10 SYN Cache The secret bits Difficult for secret prevents an bits to prevent an attacker from attacker being able to target specific Hash values are effective. 11 SYN Cookies Causes absolute Some of the TCB data zero state only can fit into which is the 32-bit Sequence generated by a Number field, received SYN therefore TCP options required for high improvement which may disabled SYN-acks. It is not retransmitted, because retransmission would require state 12 Firewalls and SYN flooding SYN flooding attacks Proxies attacks can be can be defeated defeated 13 IP level defense Used to prevent Difficult to mechanism SIP servers implement it. Works only at ip level 14 Page access behavior HTTP-GET False positives are at the mitigation flooding large to mitigate attacks can be it. prevented. 15 Denial of Service delay of Throughput from DoS assess RTS/CTS in packets are is suddenly dropped. simulations and in incremented real scenario from 0 to 6 seconds and packet loss rate of 37.9% 16 Phases can be DoS attacks can Security must be differentiated into be detect in improved in phases. generation, exchange authentication and authentication and DoS flood by public key. are reduced during the authentication phase and the probe request. 17 factoring of very Prime numbers Complexity must be large prime numbers with varying improved can be performed bit, the model was successful by neglecting de- authentication attacks. 18 If useful package A result Time complexity was not sent within obtained in the a time interval, network repeal the channel throughput is reservation request testing scenarios with rise of 0.3 to 0. 6 packets per time interval. 19 Unused bits are used Use of 5 bits Computational in the header to or more random Complexity generate random numbers, numbers. mitigation is expected to be occurred. 20 Markov chain is used The test shown High bandwidth to get more accurate that the model consumption rate throughput to was successful receive CTS frames by detecting by the host. The that the check result of the Markov is made of the chain and the DoS quantity and attack is detected, attacker MAC if this ratio is address. greater than CTS 21 An approach towards Tests produce Misleading genuine generation and that the client stations distribution of network keys. throughput for UDP traffic value was 28.4 Mbps and the mitigation model of the throughput value was 27.6 Mbps 22 Hybrid support Propose a new It can achieve not vector machine with hybrid only high total ANFIS based DoS classification accuracy but also attack detection system called improves the local SVM-ANFIS based accuracy of DoS on Support attack detection. Vector Machines and Adaptive Neuro Fuzzy Inference System for DoS attack detection.
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||Distributed Denial of Service|
|Author:||Mary, S. Angel Latha; Sabaridha, E.; Sivagami, A.N.; Rani, M. Usha|
|Publication:||Advances in Natural and Applied Sciences|
|Date:||Oct 1, 2014|
|Previous Article:||A new approach of data gathering using mobile sink and support-in cluster head in WSN.|
|Next Article:||Auditability-aware data scheduling for privacy preserved third-party auditing.|