Denial of Service attacks (DoS) are orchestrated to saturate the resources of a web service or server [1]. The attack prevents other users from using those resources, resulting in a denial of service to legitimate users. A DoS attack incapacitates a network or computer so that it can no longer provide its normal services [2]. A Distributed Denial of Service attack (DDoS) is a coordinated DoS attack directed toward a target from multiple computers [3]. The number of DDoS attacks has increased substantially over the years [4]. In 2013, the largest attack was recorded at 300 Gbps, and in 2014 the largest attack size increased to 400 Gbps. Attacks have also become shorter, lasting only from a few minutes to a few hours [2].
Since the dawn of the internet, DoS and DDoS attacks have been a favorite weapon of cybercriminals simply because they are easy to carry out and have a significant effect. While it is hard to verifiably pinpoint the first DDoS attack incident, most sources believe that the first large-scale attack happened in 1999, when the target was the University of Minnesota’s IRC server. It brought down 227 systems and left the university’s server offline for several days [3].
To classify DDoS attacks, it is important to note the ways of organizing and executing the attack, the characteristics of the attack, and its effects on the target. DDoS attacks can also be classified based upon the amount of automation they entail: manual, semi-automated, or automated (paraphrased from [4]).
The early DDoS attacks were mostly manual in nature, with the attacker scanning remote systems for vulnerabilities, then breaking in and putting the attack code in place. After that, the attacker simply directed the attack to start [4].
Semi-automated attacks involve DDoS networks that consist of handler (master) and agent (slave) machines. The attacker uses automated scripts to scan and compromise machines and install the attack code. Handler machines are then used to specify the type of attack and the target’s address and to instruct the agents, which are responsible for sending packets to the target, to begin the attack [4].
In automated DDoS attacks, the attack phase is also carried out automatically. This removes the need for communication between the agent machines and the attacker. The attack code is preprogrammed with the time to start the attack, the type of attack, the target’s address, and the length of the attack [4].
Though there are several attack types, this paper outlines four key attack types which are:
SSDP was created initially to help devices find and connect to each other, and it is part of the Universal Plug and Play (UPnP) protocol. SSDP was introduced in 1999, and it uses UDP port 1900 for communication. As in other amplification attacks such as DNS and NTP amplification, the attacker sends specially constructed requests to an SSDP-enabled device, and the response is sent to the victim’s system. Botnets utilize compromised networks and home devices to execute an SSDP-based attack [5].
A TCP SYN flood attack is performed by inundating the victim’s network with an extraordinarily high volume of TCP SYN requests that eventually exhaust the network’s available resources [6].
During an NTP amplification attack, the attacker modifies the source address of the NTP query to appear as though it originated from the victim’s address. The attacker then sends the spoofed query to one or more NTP servers. Finally, the NTP servers send a flood of responses back to the victim’s IP address (the spoofed source address) [7].
A Domain Name System (DNS) amplification attack is a common form of DDoS attack that abuses open, public DNS servers to overwhelm the network of an intended target with DNS response traffic [8].
At the end of 2013 and the beginning of 2014, the most obvious pattern in DDoS attacks was a pronounced increase in the frequency and prevalence of amplification attacks. According to Symantec’s Global Intelligence Network, DNS amplification attacks rose by 183% from January through August of 2014. Similarly, ICMP flood attacks increased 293% by the end of March 2014, although that figure had dropped to 75% by the end of August 2014. NTP amplification attacks surged, increasing by 275%. The average attack bandwidth declined by 14%, to 7.76 Gbps in the second quarter of 2014 [2].
In the fourth quarter of 2015, the largest DDoS attack reached 309 Gbps, a significant increase from the previous record of 149 Gbps in the third quarter of 2015. The fourth quarter of 2015 saw four DDoS attacks exceed 30 million packets per second (Mpps), and two of those attacks exceeded 50 Mpps. The attacks were primarily DNS reflection and NTP amplification [9].
The detection process involves two main steps: identifying an attack and identifying the attacker. An attacker can be identified by one of the few available traceback methods. Before an attack can shut down the system, however, it must be detected, which can often be accomplished through routine monitoring. Regular monitoring has the potential to catch DoS attacks early, once they become noticeable but before they overload the victim system. DoS detection methods can be divided, as with general IDS, into anomaly detection and signature detection. Signature detection relies on commonly accepted patterns associated with DoS attacks, while anomaly detection relies on the deviations from normal traffic that underlie most DoS attacks [10]. A survey conducted by Arbor Networks [11] reported that the primary tools used by respondents to detect DoS attacks were NetFlow analyzers, followed by firewall logs.
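As an added illustration (not from the paper or any of its cited tools) of the flow-based detection described above, the following script applies two simple rules to NetFlow-style records: a signature rule for reflected amplification traffic, which arrives as UDP from the service ports the chapter names (SSDP 1900, NTP 123, DNS 53) from many reflectors with large packets, and an anomaly rule for TCP SYN floods, which appear as a large count of SYN-only flows that never complete the handshake. The flow records, the field layout and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict

# Amplification services keyed by the UDP port a reflector replies FROM (ports from the chapter).
AMP_PORTS = {1900: "SSDP", 123: "NTP", 53: "DNS"}

# Constructed NetFlow-like records (assumed layout):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes, tcp_flags)
SAMPLE_FLOWS = [
    # two ordinary HTTPS sessions with completed handshakes (SYN and ACK both seen)
    ("10.0.0.5", 52000, "203.0.113.10", 443, "tcp", 20, 9000, "SA"),
    ("10.0.0.6", 52001, "203.0.113.10", 443, "tcp", 15, 7000, "SA"),
    # SYN flood: 200 single-packet SYN-only flows from distinct (spoofed) sources
    *[("198.51.100.%d" % i, 40000 + i, "203.0.113.10", 80, "tcp", 1, 60, "S") for i in range(1, 201)],
    # NTP amplification: 20 reflectors answering from UDP/123 with large packets to the victim
    *[("192.0.2.%d" % i, 123, "203.0.113.20", 45000 + i, "udp", 100, 48200, "") for i in range(1, 21)],
]


def detect(flows, syn_threshold=100, amp_min_sources=10, amp_min_bytes_per_pkt=400):
    """Return {dst_ip: [alert, ...]} for destinations matching either rule (thresholds are assumed)."""
    syn_only = defaultdict(int)                  # dst -> count of half-open (SYN, no ACK) flows
    amp_sources = defaultdict(set)               # (dst, service) -> reflector source IPs
    amp_totals = defaultdict(lambda: [0, 0])     # (dst, service) -> [bytes, packets]
    for src, sport, dst, dport, proto, pkts, byts, flags in flows:
        if proto == "tcp" and "S" in flags and "A" not in flags:
            syn_only[dst] += 1
        elif proto == "udp" and sport in AMP_PORTS:
            key = (dst, AMP_PORTS[sport])
            amp_sources[key].add(src)
            amp_totals[key][0] += byts
            amp_totals[key][1] += pkts
    alerts = defaultdict(list)
    for dst, n in syn_only.items():
        if n >= syn_threshold:
            alerts[dst].append("possible TCP SYN flood: %d half-open flows" % n)
    for (dst, svc), srcs in amp_sources.items():
        byts, pkts = amp_totals[(dst, svc)]
        bpp = byts / pkts                        # large replies are the amplification signature
        if len(srcs) >= amp_min_sources and bpp >= amp_min_bytes_per_pkt:
            alerts[dst].append("possible %s amplification: %d reflectors, %.0f bytes/pkt" % (svc, len(srcs), bpp))
    return dict(alerts)


if __name__ == "__main__":
    for victim, found in detect(SAMPLE_FLOWS).items():
        print(victim, found)
```

Real deployments would feed the function exported flow records and tune the thresholds to the site's baseline traffic, which is the anomaly-detection side the chapter describes.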
Access Control Lists (ACLs) and Intelligent DDoS Mitigation Systems (IDMS) have become the two most favored response mechanisms to mitigate Distributed Denial of Service (DDoS) attacks, given that the usage of firewalls is dropping [12].
Two major challenges arise when building DDoS defenses: technical challenges and societal challenges.
The distributed nature of DDoS attacks, the similarity of attack packets to genuine packets, and the use of IP spoofing constitute the main technical issues in developing an effective DDoS defense system [13].
DDoS defense systems require specific deployment patterns to work effectively. The deployment patterns proposed include full deployment, continuous deployment, large and spread-out deployment, full deployment at particular points on the internet, changes to the protocols that are mainly deployed on the internet, and deployment of defenses by all legitimate clients. However, these deployment patterns are considered impractical for protecting a generic end network from DDoS attacks [13].
Previous studies have considered DDoS attacks, but no research effort has examined trends in DDoS attacks over a defined three-year span (2013 to 2015). Thus, this study is important for determining attack trends for that period.
To explore recent trends in DDoS attacks during the years 2013 to 2015 and the mitigation strategies developed to address them.
The objective of this study is to describe the different types of DoS and DDoS attacks, including their amplification and reflection variants, to outline DoS attacks that took place between 2013 and 2015, and to review the mitigation strategies that have been used against these attacks.
The study aims to describe DoS attacks that occurred during the period 2013 to 2015. However, this research is limited to reviewing and analyzing secondary data, with no primary data collection or quantitative analysis.
Although the research is limited to the analysis of secondary data, it examines existing data on DDoS attacks published in reputable journals as well as news articles. The data analyzed provides perspective on the serious threat that DDoS attacks pose and their impact on organizations.
This chapter starts with definitions of the concepts of Denial of Service and Distributed Denial of Service, followed by a brief account of the first known DoS attack and a classification of DoS attacks by degree of automation (manual, semi-automated, and automated). It then describes the different types of DDoS attacks, including SSDP, TCP SYN flooding, NTP amplification, and DNS amplification. DDoS trends are then discussed in terms of attack bandwidth and design mechanisms, followed by detection and mitigation approaches to DDoS. Next, the mitigation strategies in use against DDoS are presented, and the technical and societal challenges to defense are considered. The chapter concludes with the problem statement, aims and objectives, limitations, and significance of the study.
[1] M. Abliz, “Internet Denial of Service Attacks and Defense Mechanisms,” University of Pittsburgh, 2011.
[2] C. Wueest, “Security Response:The continued rise of DDoS attacks,” 2014.
[3] S. Hoffman, “DDoS: A Brief History,” Fortinet, Mar-2013.
[4] L. K. Somal and K. S. Virk, “Classification of Distributed Denial of Service Attacks – Architecture, Taxonomy and Tools,” Int. J. Adv. Res. Comput. Sci. Technol., vol. 2, no. 2, pp. 118–122, 2014.
[5] NTT Innovation Institute, “Distributed Denial of Service Observations,” CA, United States, 2015.
[6] D. D. Rani, T. V. S. Krishna, G. Dayanandam, and T. V. Rao, “TCP Syn Flood Attack Detection and Prevention,” Int. J. Comput. Trends Technol. (IJCTT), vol. 4, no. 10, pp. 3412–3417, 2010.
[7] US-CERT, “NTP Amplification Attacks Using CVE-2013-5211,” us-cert.gov, 2014.
[8] US-CERT, “DNS Amplification Attacks,” us-cert.gov, 2013.
[9] Akamai, “Akamai’s [state of the internet] / security Q4 2015 report,” 2015.
[10] M. Alenezi and M. J. Reed, “Methodologies for detecting DoS/DDoS attacks against network servers,” Colchester, UK, 2012.
[11] Arbor Networks, “Worldwide Infrastructure Security Report,” Arbornetworks, 2016.
[12] Arbor Networks, “Worldwide Infrastructure Security Report,” Arbornetworks, 2014.
[13] D. Dittrich, J. Mirkovic, P. Reiher, and S. Dietrich, Internet Denial of Service: Attack and Defense Mechanisms. United States: Pearson Education, 2004.