Mitigating denial of service attacks: a tutorial

Published: 01 December 2005

Abstract

This tutorial describes what Denial of Service (DoS) attacks are, how they can be carried out in IP networks, and how one can defend against them. Distributed DoS (DDoS) attacks are treated here as a subset of DoS attacks. A DoS attack has two phases: a deployment phase and an attack phase. A DoS program must first be deployed on one or more compromised hosts before an attack is possible. Mitigation of DoS attacks thus requires defense mechanisms for both phases. Completely reliable protection against DoS attacks is, however, not possible: there will always be vulnerable hosts on the Internet, and many attack mechanisms are based on ordinary use of protocols. Defense in depth is therefore needed to mitigate the effect of DoS attacks. This paper briefly describes many defense mechanisms proposed in the literature. The goal is not to implement all possible defenses. Instead, one should optimize the trade-off between security costs and acquired benefits in handling the most important risks. Mitigation of DoS attacks is thus closely related to risk management.

Published In

Journal of Computer Security, Volume 13, Issue 6
December 2005
96 pages

Publisher

IOS Press

Netherlands

Author Tags

  1. attack mechanisms
  2. defense mechanisms
  3. denial of service
  4. network security

Qualifiers

  • Article

Cited By

  • (2022) Distributed Denial-of-Service (DDoS) Attacks and Defense Mechanisms in Various Web-Enabled Computing Platforms. International Journal on Semantic Web & Information Systems 18(1), 1-43. doi:10.4018/IJSWIS.297143. Online publication date: 15-Apr-2022.
  • (2021) Application Layer Denial-of-Service Attacks and Defense Mechanisms. ACM Computing Surveys 54(4), 1-33. doi:10.1145/3448291. Online publication date: 3-May-2021.
  • (2018) Convergence of detection probability, computational gains, and asymptotic analysis of an algorithm for physical-layer intrusion detection system. Transactions on Emerging Telecommunications Technologies 29(8). doi:10.1002/ett.3430. Online publication date: 6-Aug-2018.
  • (2017) Mitigation of DOS Attacks on Video Traffic in Wireless Networks for better QoS. Proceedings of the 8th International Conference on Computer Modeling and Simulation, 166-169. doi:10.1145/3036331.3050416. Online publication date: 20-Jan-2017.
  • (2012) Little red-smart-hood. Proceeding of the 16th International Academic MindTrek Conference, 57-60. doi:10.1145/2393132.2393145. Online publication date: 3-Oct-2012.
  • (2012) DDoS detection and defense. Proceedings of the CUBE International Information Technology Conference, 749-752. doi:10.1145/2381716.2381859. Online publication date: 3-Sep-2012.
  • (2009) Applying Kernel methods to anomaly based intrusion detection systems. Proceedings of the Second International Conference on Global Information Infrastructure Symposium, 318-321. doi:10.5555/1719570.1719622. Online publication date: 22-Jun-2009.
  • (2009) P2P-AIS. Proceedings of the Second International Conference on Global Information Infrastructure Symposium, 314-317. doi:10.5555/1719570.1719621. Online publication date: 22-Jun-2009.
  • (2009) An efficient analytical solution to thwart DDoS attacks in public domain. Proceedings of the International Conference on Advances in Computing, Communication and Control, 503-509. doi:10.1145/1523103.1523203. Online publication date: 23-Jan-2009.
