Distributed Denial of Service Attacks

Joel Conley
16 min read · Apr 7, 2022

The more digitized our world becomes, the more useful digital attacks become to malicious actors, and the greater the threat to everyone who relies on digital services. This dynamic has fueled the rise of “hacktivism”: activism conducted with digital tools over networks. Targets of directed attacks range from individuals and small businesses to corporations and governments. The motivations behind digital attacks fall into five broad groups: attackers or hacktivists may be looking for revenge, they may be financially motivated, they may be driven by ideology or politics, they may be conducting cyberwarfare on behalf of a nation state or terrorist group, or they may simply be doing it for the intellectual challenge (Mahjabin et al., 2017) (Zargar et al., 2013, p. 2047–2048).

One of the most common digital attacks, both because of its simplicity and its effectiveness, is the Denial-of-Service (DoS) attack. The aim of a DoS attack is to disrupt a server’s ability to serve legitimate requests. In the flooding form this article focuses on, that is achieved by overwhelming the server with a constant stream of bogus requests made up of otherwise benign packets: the packets themselves carry no malicious payload, and the sheer volume of illegitimate traffic alone prevents the server from serving legitimate traffic. (Not every DoS attack relies on volume; some exhaust a specific resource such as memory or CPU with comparatively little traffic, as the section on resource depletion below describes.) The effect is to stop the system’s operators from doing business with their customers. Imagine an organized group of protestors who are angry with the city government. They plan to get their grievances heard by disrupting the city’s public transportation system. On Monday morning at 8:00 am thousands of protestors simultaneously board the city’s buses and trains, packing them until they are full, and the protestors don’t get off until the buses stop running for the day. Each protestor aboard a bus or train is an “illegitimate user”, and this volume of riders is far greater than the transit system is designed to handle. Everyone who intended to use transit for their usual travel was therefore unable to board. These are the “legitimate users” who were denied service as a result of the system being overloaded by illegitimate users.

As the next section (“How DDoS Attacks Work”) discusses in greater technical depth, what supercharges a DoS attack, and what makes it so difficult to defend against, is making it “distributed” (DDoS): harnessing an army of machines coordinated to attack a single target simultaneously. The first DDoS attack was reported by the Computer Incident Advisory Capability in 1999 (Zargar et al., 2013, p. 2046), and in the two decades since, such attacks have only become more common and more damaging as online tools allow anyone who can follow simple instructions to launch one (Mahjabin et al., 2017, p. 2). Today, Arbor Networks tracks over 1000 significant DDoS attacks each day on systems around the world. The size of the largest attacks has ballooned as well, from a few dozen gigabits per second in 2007 to over 800 gigabits per second in 2017 (Mahjabin et al., 2017, p. 1–3). The most common targets are e-commerce sites, gaming sites, stock exchanges and banks (Mahjabin et al., 2017, p. 4). High profile targets have included Yahoo!, MasterCard, VISA, PayPal, Bank of America, Wells Fargo, HSBC and CNN, with each attack potentially costing the company millions in lost revenue. Non-commercial targets have included WikiLeaks and the governments of the United States, South Korea, China, Iran and Estonia (Zargar et al., 2013, p. 2047) (Mahjabin et al., 2017, p. 3). Back in 2002, the 13 DNS root servers, the top of the Internet’s name-resolution hierarchy, were hit by a DDoS attack that lasted about an hour (Zargar et al., 2013, p. 2046); thanks to DNS caching and the redundancy of the root system most users noticed little, but several of the root servers were unreachable for the duration. These examples highlight why it matters to understand how a DDoS attack works, its many variants, and the technical challenge of detecting and defending against them.

How DDoS Attacks Work

A DoS attack is an attack on a system with the sole purpose of preventing the target from communicating with its real users, so that their attempts to reach the desired resources fail. A DoS attack can be launched in two ways: from a single source flooding the system, or as a distributed attack.

Distributed Attacks

A DDoS attack is launched from multiple sources at multiple locations, coordinated toward a single goal. Multiplying the sources multiplies the attack power: the attacker can put far more pressure on the target through a much higher traffic volume. The second benefit is that, because the traffic arrives from many different places, the attacker can vary the identifying characteristics of the packets. Since the attack packets stem from many locations, most of them compromised third-party machines and often carrying spoofed source addresses, the victim can glean little about the real attacker, which makes the attack very difficult to both detect and defend against (Douligeris & Mitrokotsa, 2004, p. 1).

Creating a Botnet

A botnet can be built using various frameworks in which the attacker scans for machines with exploitable security vulnerabilities and implants code that lets the attacker take command of the machine’s resources. The first machines compromised become the handlers in the botnet hierarchy; they are given the ability to scan for and control other vulnerable machines, automatically implanting the same code into thousands more (Zargar et al., 2013, p. 2050). The machines recruited by the handlers are referred to as “zombies” (also called agents), and they remain on standby waiting for a command to attack (Zargar et al., 2013, p. 2050). With a hierarchical structure the attacker only has to control the handlers, knowing that control is passed on indirectly to the many lower-tier zombie machines. The botnet army is now on standby, ready for the launch directive. When the attack is ready, the attacker gives the command to the handlers and it is passed down the hierarchy, with the sole purpose of causing havoc.

Types of DDoS Attacks

There are many different types of DDoS attacks, and the methods used to launch them are becoming more complex and more powerful as technology and capabilities advance. DDoS attack styles can be separated into three categories: bandwidth depletion, resource depletion, and infrastructure attacks. Within these categories there are many different types of attack, depending on the desired outcome (Zargar et al., 2013, p. 2048).

Bandwidth Depletion Attacks and UDP Flooding

The principal objective of a bandwidth depletion attack is to aim a botnet army at the victim’s system so that all available bandwidth is exhausted and no legitimate user can reach the network, much like overcrowding a transit system with illegitimate riders. With thousands of zombies consuming the bandwidth, the victim’s service is cut off from its normal functions until the attack stops or is successfully mitigated. The flood does not physically damage anything, but the outage lasts as long as the flood does, and the traffic also consumes capacity on every link upstream of the victim. Within the category of bandwidth depletion attacks, many different types can be launched with specific goals in mind. One of the most common is the User Datagram Protocol (UDP) flood. UDP is connectionless and provides no guaranteed reliability, no flow control and no congestion control, so nothing in the protocol slows a sender down and nothing verifies that a source address is genuine. In a UDP flood the attacker sends the victim a staggering number of UDP packets, typically to random destination ports and often with spoofed source addresses; for each packet the victim checks for a listening application and, finding none, answers with an ICMP “destination unreachable” message, so both the inbound bandwidth and the victim’s own reply work are consumed until no bandwidth remains and legitimate operations cease (Zargar et al., 2013, p. 2048).

Resource Depletion Attacks and HTTP Flooding

Resource depletion attacks use methods similar to bandwidth depletion attacks, and both aim to overload the victim’s ability to interact with its users. The difference is that resource depletion attacks target the victim’s resources directly, such as memory and CPU (Zargar et al., 2013, p. 2049). They can be launched in many ways, targeting the victim’s application-layer protocols or using packets crafted so that the device receiving them wastes resources handling them (Zargar et al., 2013, p. 2051). One example is Hypertext Transfer Protocol (HTTP) flooding, in which every zombie in the botnet sends a high rate of seemingly legitimate GET or POST requests, the latter often carrying large bodies, each of which the victim’s server must read, process and answer. Handling so many requests overwhelms the victim’s memory and processors, and once again the victim becomes unable to respond to its legitimate users (Zargar et al., 2013, p. 2051).

Infrastructure Attacks

Infrastructure attacks are among the most destructive and wide-reaching DDoS attacks available. They target the victim’s bandwidth and resources simultaneously, and rather than aiming at a single victim the attacker aims at major shared infrastructure, such as DNS or upstream network providers, on which a large share of the world’s organizations depend (Zargar et al., 2013, p. 2047). By hitting the root of that structure, a single attack cascades into outages at many popular services at once, such as Netflix and Twitter. As with the other categories, the mechanism is still a flood: the victim’s systems receive so much traffic that they have no choice but to shut down or degrade, causing a service disruption.

DDoS Detection Methods

There are many methods that allow a host to discover it is the target of a flooding attack. It is important to note that all detection techniques that apply to DDoS attacks also apply to non-distributed DoS attacks (Carl et al., 2006, p. 82). Detection methods are varied and versatile and thus are useful tools against many types of flooding attack.


Activity Profiling

The simplest method used to detect a DDoS attack is activity profiling. This method monitors the header information of network packets (Carl et al., 2006, p. 84) to see what types of packets are flooding the network, so it requires both a vantage point on the network and a way to capture packets. The activity profile is the average packet rate of consecutive packets that share address, port and protocol fields (Carl et al., 2006, p. 84). Distinct clusters of similar packet headers, appearing while overall packet volume rises, can thus indicate an ongoing DDoS attack (Carl et al., 2006, p. 84). A drawback of this method is that it requires constant monitoring of the network. Network monitoring software is used to collect the activity profiles: a tool like Wireshark can gather data on network flows because it can “listen” to the target system’s network (Sogut et al., 2021, p. 16). Such a tool can surface abnormal traffic for activity profiling, after which an analyst judges whether the system is under attack by examining each packet’s source port, source IP address, destination IP address, destination port and so on (Sogut et al., 2021, p. 16, table 1).
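
The following Python sketch is an added example, not code from the article or from Carl et al., of what activity profiling looks like once packet headers have been exported from a capture tool such as Wireshark. It assumes the headers arrive as (timestamp, source, destination, protocol, destination port) records; the records, the 5 pps baseline and the tenfold alert factor are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hdr:
    """One packet header record, as exported from a capture tool (assumed layout)."""
    ts: float      # capture time in seconds
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "TCP", "UDP", "ICMP", ...
    dport: int     # destination port (0 for protocols without ports)


def activity_profile(headers, window):
    """Cluster packets from the last `window` seconds on (proto, dst, dport).

    Source address is deliberately left out of the cluster key: a flood aimed at
    one service shares protocol, destination and port even when its sources are
    spoofed or spread over a botnet. Returns {cluster: (packets/s, distinct sources)}.
    """
    t_end = max(h.ts for h in headers)
    counts = defaultdict(int)
    sources = defaultdict(set)
    for h in headers:
        if h.ts > t_end - window:
            key = (h.proto, h.dst, h.dport)
            counts[key] += 1
            sources[key].add(h.src)
    return {k: (counts[k] / window, len(sources[k])) for k in counts}


def suspicious_clusters(profile, baseline_pps, factor=10.0):
    """Flag clusters running at more than `factor` times the baseline packet rate.

    The distinct-source count travels with each flag: a hot cluster fed by many
    sources is the signature of a distributed flood, one fed by a single source
    looks more like a single-origin DoS or a misbehaving client.
    """
    return {k: v for k, v in profile.items() if v[0] > factor * baseline_pps}


def sample_capture():
    """Constructed data: 10 s of normal HTTPS traffic (5 pps from five clients)
    with a UDP flood to port 53 from 200 spoofed sources in the final 2 s."""
    hdrs = [Hdr(ts=i * 0.2, src=f"10.0.0.{i % 5 + 1}", dst="192.0.2.10",
                proto="TCP", dport=443) for i in range(50)]
    hdrs += [Hdr(ts=8.0 + i * 0.001, src=f"198.51.100.{i % 200 + 1}",
                 dst="192.0.2.10", proto="UDP", dport=53) for i in range(2000)]
    return hdrs


if __name__ == "__main__":
    prof = activity_profile(sample_capture(), window=2.0)
    for key, (pps, nsrc) in suspicious_clusters(prof, baseline_pps=5.0).items():
        print(f"ALERT {key}: {pps:.0f} pps from {nsrc} distinct sources")
```

On the constructed capture the HTTPS cluster sits at 5 pps from 5 sources while the UDP/53 cluster runs at 1000 pps from 200 sources, and only the latter is flagged. In a real deployment the baseline would be taken from the same profile over a quiet period, per service rather than globally, since a DNS resolver and a web server have very different normal rates.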

Sequential Change-Point Detection

Another method used to detect DDoS attacks is sequential change-point detection. When analyzing the network traffic pattern, the change-point method looks for abrupt changes in the statistical properties of the traffic that may be induced by an attack (Lu et al., 2007, p. 5039). Traffic data is first filtered by address, port or protocol and stored as a time series (Carl et al., 2006, p. 84–85), which is essentially a record of a packet cluster’s activity over a given timeframe (Carl et al., 2006, p. 85). A cumulative sum (CUSUM) algorithm is then applied: it compares the observed traffic statistics against the expected local average, accumulates the deviations, and raises an alarm when the accumulated deviation exceeds a threshold, which indicates that a flooding attack is occurring (Carl et al., 2006, p. 85).
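
To make the CUSUM step concrete, here is an added example in Python (not the article’s or Carl et al.’s code). The per-second packet counts, the allowance of 10 packets per second for ordinary jitter and the alarm threshold of 50 are constructed assumptions; the mean of a warm-up period plays the role of the expected local average.

```python
def warmup_mean(series, n):
    """Expected local average, estimated from the first n samples of the series."""
    return sum(series[:n]) / n


def cusum_alarm(series, mu, allowance, threshold, warmup=0):
    """One-sided CUSUM over a time series of per-interval packet counts.

    S_t = max(0, S_{t-1} + (x_t - mu) - allowance) accumulates how far traffic runs
    above the expected mean once the `allowance` for ordinary jitter is deducted.
    Returns (index of the first alarm or None, the S series). Only upward shifts
    are tracked: a flood adds traffic, it never removes it. Samples inside the
    warm-up prefix are skipped so the baseline cannot alarm on itself.
    """
    s = 0.0
    s_series = []
    alarm_at = None
    for t, x in enumerate(series):
        if t >= warmup:
            s = max(0.0, s + (x - mu) - allowance)
            if alarm_at is None and s > threshold:
                alarm_at = t
        s_series.append(s)
    return alarm_at, s_series


def threshold_alarm(series, limit):
    """Naive per-sample rule for comparison: alarm on the first sample above `limit`."""
    for t, x in enumerate(series):
        if x > limit:
            return t
    return None


def sample_series(attack_level):
    """Constructed per-second packet counts: 30 s of ~100 pps with a little jitter,
    then 20 s of traffic centred on `attack_level` pps."""
    normal = [100 + (i % 5) - 2 for i in range(30)]           # 98..102
    attack = [attack_level + (i % 3) - 1 for i in range(20)]  # level-1 .. level+1
    return normal + attack


if __name__ == "__main__":
    for level in (300, 130):
        xs = sample_series(level)
        mu = warmup_mean(xs, 20)          # 100.0 on the constructed data
        when, _ = cusum_alarm(xs, mu, allowance=10, threshold=50, warmup=20)
        print(f"flood to {level} pps: CUSUM alarm at t={when}, "
              f"fixed 200 pps threshold alarm at t={threshold_alarm(xs, 200)}")
```

The 300 pps flood trips both rules on its first second. The 130 pps case is the interesting one: no single sample ever crosses a 200 pps threshold, but CUSUM accumulates the 20 to 21 pps excess each second and alarms after three samples, which is how a change-point detector catches a modest but sustained shift that a per-sample rule misses. The allowance is normally set to about half the smallest shift worth detecting, and the sum is reset once an alarm has been handled.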

Wavelet Analysis

Another algorithmic detection method is wavelet analysis. Li and Lee (2005, p. 1) show that the energy distribution obtained from a wavelet analysis can be used to detect traffic related to DDoS attacks. If the behaviour of the traffic stays constant over time, its energy distribution varies little, whereas attack traffic introduced into the network causes a significant deviation in the energy distribution within a short period (Li & Lee, 2005, p. 1). This approach is similar in nature to sequential change-point detection in that both look for a significant change from the expected pattern (just in different statistics of the traffic), which often signals a flooding attack.
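
The energy distribution idea can be shown with the Haar wavelet, the simplest wavelet, in the following added example; it is not Li and Lee’s implementation and uses a plain Euclidean distance between energy distributions rather than their statistic. The traffic series, the 16-sample window and the alarm distance of 0.5 are constructed assumptions.

```python
import math


def haar_detail_energies(x):
    """Energy of the Haar wavelet detail coefficients at each level, finest first.

    len(x) must be a power of two. Each level halves the signal: the detail
    coefficient captures the difference within a pair, the approximation the sum,
    both scaled by 1/sqrt(2) so that energy is preserved across levels.
    """
    assert (len(x) & (len(x) - 1)) == 0, "window length must be a power of two"
    energies = []
    approx = [float(v) for v in x]
    while len(approx) > 1:
        detail = [(approx[i] - approx[i + 1]) / math.sqrt(2) for i in range(0, len(approx), 2)]
        approx = [(approx[i] + approx[i + 1]) / math.sqrt(2) for i in range(0, len(approx), 2)]
        energies.append(sum(d * d for d in detail))
    return energies


def energy_distribution(x):
    """Share of fluctuation energy at each wavelet scale. The mean (the final
    approximation) is excluded, so only the *shape* of the traffic is compared."""
    e = haar_detail_energies(x)
    total = sum(e)
    return [v / total if total else 0.0 for v in e]


def wavelet_alarms(series, window=16, step=8, threshold=0.5):
    """Slide a window over per-interval counts and alarm when the distance between a
    window's energy distribution and the first (baseline) window's exceeds the
    threshold. Returns the start indices of the alarming windows."""
    baseline = energy_distribution(series[:window])
    alarms = []
    for start in range(0, len(series) - window + 1, step):
        dist = energy_distribution(series[start:start + window])
        if math.dist(dist, baseline) > threshold:
            alarms.append(start)
    return alarms


def sample_series():
    """Constructed per-second counts: 64 s of normal traffic that jitters at the
    finest scale (100, 103, 100, 103, ...), then 32 s of a flood whose bots switch
    between 250 and 290 pps every 4 s, which moves the energy to a coarser scale."""
    normal = [100 + 3 * (i % 2) for i in range(64)]
    attack = [250 + 40 * ((i // 4) % 2) for i in range(32)]
    return normal + attack


if __name__ == "__main__":
    xs = sample_series()
    print("baseline energy shares:", [round(v, 3) for v in energy_distribution(xs[:16])])
    print("flood energy shares:   ", [round(v, 3) for v in energy_distribution(xs[64:80])])
    print("alarming windows start at:", wavelet_alarms(xs))
```

On the constructed series all of the baseline energy sits at the finest scale, the flood puts all of it at the third scale, and the windows starting at 56 (which straddles the onset), 64, 72 and 80 alarm. The caveat a practitioner should keep in mind: because the mean is factored out, a flood that merely shifts the volume while keeping the same fluctuation shape only stands out in the window that contains its onset, which is why this method is normally paired with a change-point detector on the raw counts.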

DDoS Defense Methods

Now that a DDoS attack has been detected, what can be done about it? Defenses against DDoS attacks combine attack detection, traffic classification and response tools. There are numerous ways to counter these attacks depending on the type of DDoS attack, but all DDoS defense techniques share the same purpose: to block attack traffic while letting legitimate traffic through. Because the methods and intensity of attacks evolve rapidly, DDoS defenses must adapt just as quickly.

DDoS Flooding Defense

DDoS flooding attacks are often quite destructive. “Usually by the time a DDoS flooding attack is detected, there is nothing that can be done except to disconnect the victim from the network and manually fix the problem” (Zargar et al., 2013, p. 2051), which requires a great deal of money and effort from the machine or service owner. DDoS flooding attacks affect not only the intended victim; they also waste a great deal of resources (processing time, space, etc.) along all the connections leading to the victim machine (Zargar et al., 2013, p. 2051). It is therefore crucial that DDoS flooding defenses detect and stop these attacks not just as soon as possible but as close to the attack sources as possible. Detection and response can be carried out at any node on the path between the sources of the attack and its intended destination (Zargar et al., 2013, p. 2051). To deal with an attack properly, its type must first be identified. DDoS flooding attacks can be divided into two categories depending on the protocol level they target: network/transport-level and application-level DDoS flooding attacks (Zargar et al., 2013, p. 2052). From there, two different sets of criteria classify the defense mechanisms against these two types of attack: deployment-location-based and time-based (Zargar et al., 2013, p. 2052).

Deployment-Location-Based Defense Mechanisms

Zargar et al. (2013, p. 2053) use the deployment location to divide the defense techniques against network/transport-level attacks into four categories: source-based, destination-based, network-based and hybrid (a.k.a. distributed), while the defense mechanisms against application-level DDoS flooding attacks fall into only two: destination-based and hybrid (a.k.a. distributed).

Techniques Used Against Network/Transport-level DDoS Flooding Attacks

The first of many useful techniques against network/transport-level DDoS flooding attacks is history-based Internet Protocol (IP) address filtering. This is a destination-based mechanism, meaning detection and response happen mostly at the destination of the attack (Zargar et al., 2013, p. 2054). A potential victim builds a whitelist of acceptable source IP addresses from its network history (Zargar et al., 2013, p. 2054): an IP address database records the addresses that usually reach the target, those addresses are marked as legitimate, and during an attack addresses not in the database are prevented from connecting (Zargar et al., 2013, p. 2054). This also helps the destination host manage its resources and avoid bandwidth depletion during a DDoS attack (Zargar et al., 2013, p. 2054). No defense method is perfect, and history-based IP filtering is no exception. It collapses under any large-scale DDoS attack that can mimic normal, legitimate traffic behaviour (Zargar et al., 2013, p. 2054), and in practice it also turns away legitimate first-time visitors, who by definition have no history, for as long as the filter is active.
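
As an added illustration (not code from the article or from Zargar et al.), the Python below builds such an allowlist from historical flow records and applies it during an attack. The history, the attack traffic and the rule that an address qualifies after being seen on two distinct days are constructed assumptions; the packets carry a ground-truth “legit” flag purely so that the two failure modes can be counted.

```python
from collections import defaultdict


def build_allowlist(history, min_days=2):
    """Build the allowlist from historical flow records (day, source IP).

    A source qualifies once it has been seen on at least `min_days` distinct days.
    Zargar et al. describe keeping a database of addresses that usually reach the
    victim; the day-count rule is an assumption, chosen so a one-off scan or a
    stray probe does not earn an address a permanent place on the list.
    """
    days_seen = defaultdict(set)
    for day, src in history:
        days_seen[src].add(day)
    return frozenset(src for src, days in days_seen.items() if len(days) >= min_days)


def history_filter(packets, allowlist):
    """Under attack, admit only packets whose source is on the allowlist.
    Returns (admitted, dropped) as two lists of packet records."""
    admitted, dropped = [], []
    for pkt in packets:
        (admitted if pkt["src"] in allowlist else dropped).append(pkt)
    return admitted, dropped


def evaluate(admitted, dropped):
    """Count both failure modes using the constructed ground-truth 'legit' flag,
    which a real filter would of course not have."""
    return {
        "attack_admitted": sum(1 for p in admitted if not p["legit"]),
        "legit_dropped": sum(1 for p in dropped if p["legit"]),
        "admitted": len(admitted),
        "dropped": len(dropped),
    }


REGULARS = [f"10.1.0.{i}" for i in range(1, 31)]   # constructed regular clientele


def sample_history():
    """Constructed: 30 regular clients seen on each of 7 days, plus five one-day visitors."""
    hist = [(day, src) for day in range(1, 8) for src in REGULARS]
    hist += [(3, f"10.9.9.{i}") for i in range(1, 6)]
    return hist


def sample_attack_traffic():
    """Constructed traffic during a flood: the regulars, one new legitimate client,
    100 never-seen bots, and one regular client that is itself infected."""
    pkts = [{"src": src, "legit": True} for src in REGULARS for _ in range(3)]
    pkts += [{"src": "203.0.113.7", "legit": True} for _ in range(5)]
    pkts += [{"src": f"198.51.100.{i}", "legit": False}
             for i in range(1, 101) for _ in range(5)]
    pkts += [{"src": "10.1.0.5", "legit": False} for _ in range(20)]
    return pkts


if __name__ == "__main__":
    allow = build_allowlist(sample_history())
    print(evaluate(*history_filter(sample_attack_traffic(), allow)))
```

The result shows both limitations described above in miniature: all 500 packets from the unknown bots are dropped, but so are the 5 packets from the new legitimate client, and the 20 attack packets from the infected regular client sail through because its address has a clean history. A botnet that consists of, or spoofs, the victim’s own customers defeats the filter entirely.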

Most destination-based defense techniques cannot detect and respond to an attack before it reaches the victim, so the attack traffic still consumes resources all along the path to its target (Zargar et al., 2013, p. 2055). This is where network-based mechanisms come in: these defense techniques run inside the network’s routers (Zargar et al., 2013, p. 2055). One useful network-based mechanism is route-based packet filtering. Packets arriving on a given link at the core of the Internet originate from a limited set of source addresses, so if a packet carries a source address that should not be reachable through that link, it is assumed to be spoofed and filtered out (Zargar et al., 2013, p. 2055). This saves memory and CPU for legitimate packets, since the illegitimate ones are never answered. Nonetheless, the technique cannot stop a DDoS attack in which the attackers either do not spoof their source addresses at all, or spoof addresses that are valid for the link they arrive on and so pass the filter (Zargar et al., 2013, p. 2055).
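
The check itself is small, as the following added Python example shows (it is not code from the article or from Zargar et al.). The per-interface prefix table and the packets are constructed; on a real router the table is derived from the forwarding table, which is what unicast reverse-path forwarding (uRPF) does in deployed equipment.

```python
import ipaddress


def build_table(expected_sources):
    """Per-interface list of source prefixes that routing says can legitimately arrive
    on that interface (constructed here; on a real router this comes from the
    forwarding table)."""
    return {iface: [ipaddress.ip_network(c) for c in cidrs]
            for iface, cidrs in expected_sources.items()}


def route_filter(table, packets):
    """Drop any packet whose source address is not expected on its ingress interface.

    packets: iterable of (ingress_interface, source_ip). Returns (forwarded, dropped).
    An interface with no entry in the table fails closed (an assumption of this example).
    """
    forwarded, dropped = [], []
    for iface, src in packets:
        ip = ipaddress.ip_address(src)
        ok = any(ip in net for net in table.get(iface, []))
        (forwarded if ok else dropped).append((iface, src))
    return forwarded, dropped


SAMPLE_TABLE = build_table({
    "eth0": ["10.0.0.0/8"],                        # customer network
    "eth1": ["172.16.0.0/12", "192.168.0.0/16"],   # peering link
})

SAMPLE_PACKETS = [   # constructed
    ("eth0", "10.1.2.3"),        # genuine: 10/8 does arrive on eth0
    ("eth0", "192.168.1.1"),     # spoofed: a 192.168/16 source cannot come from eth0
    ("eth1", "172.20.5.5"),      # genuine
    ("eth1", "10.0.0.1"),        # spoofed
    ("eth0", "10.200.1.1"),      # spoofed *within* 10/8: passes, the method's blind spot
    ("eth2", "10.1.1.1"),        # interface with no entry: dropped (fail closed)
]

if __name__ == "__main__":
    fwd, drop = route_filter(SAMPLE_TABLE, SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The fifth packet is the limitation from the paragraph above made concrete: an attacker on the customer network who spoofs another address inside 10.0.0.0/8 is indistinguishable from a genuine customer, so route-based filtering narrows the spoofing space rather than eliminating it, and does nothing at all against bots that use their real addresses.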

It was highlighted earlier that infrastructure attacks can be the most destructive form of attack, since they disrupt multiple victims by targeting shared infrastructure. Against such attacks, hybrid (a.k.a. distributed) mechanisms have been shown to be effective. One technique in particular is attack diagnosis (AD). When an attack is detected, the victim invokes the AD protocol, which instructs its upstream routers to mark each packet destined for the victim with information about the input interface that carried it. The victim uses these marks to trace attack traffic back toward its source and then commands the AD-enabled routers to filter out packets arriving on the offending interfaces (Zargar et al., 2013, p. 2056).
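
The exchange between victim and routers can be simulated end to end, as in this added Python example (a simplified model, not the AD protocol’s wire format or the article’s code). The two-router topology, the interface names and the traffic mix are constructed, and the packets carry a ground-truth “attack” flag that stands in for whatever detector the victim uses; the AD paper’s own victim-side classification is not reproduced here.

```python
from collections import Counter


class Router:
    """Simulated AD-capable router: marks packets for victims under diagnosis with
    (router id, input interface) and drops traffic matching an installed filter."""

    def __init__(self, rid):
        self.rid = rid
        self.marking_for = set()   # victim addresses whose packets get marked
        self.filters = set()       # (input interface, victim address) pairs to drop

    def forward(self, pkt, iface):
        """Return the packet as it leaves the router, or None if it was filtered."""
        if (iface, pkt["dst"]) in self.filters:
            return None
        if pkt["dst"] in self.marking_for:
            pkt = dict(pkt, marks=pkt["marks"] + [(self.rid, iface)])
        return pkt


class Victim:
    def __init__(self, addr, upstream):
        self.addr = addr
        self.upstream = upstream   # routers that accept this victim's AD commands
        self.received = []

    def start_diagnosis(self):
        for router in self.upstream:
            router.marking_for.add(self.addr)

    def diagnose_and_filter(self, is_attack):
        """Tally the marks on packets the detector classifies as attack traffic,
        pick the ingress (router, interface) carrying most of it and ask that
        router to filter it. Returns the ingress chosen."""
        attack, total = Counter(), Counter()
        for p in self.received:
            for mark in p["marks"]:
                total[mark] += 1
                if is_attack(p):
                    attack[mark] += 1
        if not attack:
            return None
        # Most attack traffic first; among equals, the ingress with the least
        # legitimate traffic, so filtering there causes the least collateral damage.
        rid, iface = max(attack, key=lambda m: (attack[m], attack[m] - total[m]))
        next(r for r in self.upstream if r.rid == rid).filters.add((iface, self.addr))
        return (rid, iface)


def deliver(path, pkt):
    """Push a packet through [(router, ingress interface), ...] toward the victim."""
    for router, iface in path:
        pkt = router.forward(pkt, iface)
        if pkt is None:
            return None
    return pkt


def run_scenario():
    """Constructed topology: bots and an office enter R1 on different interfaces and
    share R1's link into R2; a partner site enters R2 directly."""
    r1, r2 = Router("R1"), Router("R2")
    victim = Victim("192.0.2.10", upstream=[r1, r2])
    paths = {"bots": [(r1, "if2"), (r2, "if1")],
             "office": [(r1, "if1"), (r2, "if1")],
             "partner": [(r2, "if3")]}

    def send_all():
        """50 bot, 10 office and 10 partner packets; returns
        (attack packets delivered, legitimate packets delivered)."""
        victim.received = []
        for name, n in (("bots", 50), ("office", 10), ("partner", 10)):
            for _ in range(n):
                pkt = {"dst": victim.addr, "marks": [], "attack": name == "bots"}
                got = deliver(paths[name], pkt)
                if got is not None:
                    victim.received.append(got)
        hits = sum(1 for p in victim.received if p["attack"])
        return hits, len(victim.received) - hits

    victim.start_diagnosis()
    before = send_all()
    ingress = victim.diagnose_and_filter(is_attack=lambda p: p["attack"])
    after = send_all()
    return {"ingress": ingress, "before": before, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the tie-break is worth noticing: R2’s interface if1 carries every bot packet too, but it also carries the office’s traffic, so filtering there would cut off a legitimate site. Pushing the filter one hop upstream to R1’s if2 removes all 50 attack packets while all 20 legitimate packets still arrive, which is exactly the “as close to the sources as possible” property the defense section asks for.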

Techniques Used Against Application-level DDoS Flooding Attacks

Most application-layer protocols follow a client-server design in which a server is always on, waiting to carry out a specific task (e.g. a DNS server, web server or database server) at a client’s request. Destination-based mechanisms against application-level DDoS flooding attacks can therefore also be seen as server-side mechanisms (Zargar et al., 2013, p. 2060). DDoS-Shield is a good example of a destination-based defense mechanism: it examines the characteristics of HTTP sessions and uses rate limiting as its primary defense technique (Zargar et al., 2013, p. 2060). Being a server-side mechanism, it addresses application-level floods that exhaust the server’s resources; it adds no bandwidth, so a volumetric flood that saturates the link in front of the server still has to be handled upstream.
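
The rate-limiting part can be shown with a per-session token bucket, as in the following added Python example (it is not DDoS-Shield’s code, which additionally scores sessions for suspicion and schedules the least suspicious first; only the admission-control idea is shown). The limits of 2 requests per second with a burst of 5, and the two session logs, are constructed assumptions.

```python
class TokenBucket:
    """Token bucket kept in integer milli-tokens so the refill arithmetic is exact.

    rate: requests per second allowed in steady state.
    burst: extra requests a session may issue back-to-back before being limited.
    """

    def __init__(self, rate, burst, now_ms):
        self.rate = rate
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = now_ms

    def allow(self, now_ms):
        # elapsed ms * requests/s == milli-tokens earned since the last request
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class SessionLimiter:
    """Admission control keyed on the HTTP session rather than the source address,
    so a NAT full of real users is not punished for one bot behind it."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def admit(self, session_id, now_ms):
        bucket = self.buckets.get(session_id)
        if bucket is None:
            bucket = self.buckets[session_id] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(now_ms)


def replay(limiter, requests):
    """requests: iterable of (time_ms, session_id). Returns {session: (admitted, rejected)}."""
    stats = {}
    for t, sid in sorted(requests):
        a, r = stats.get(sid, (0, 0))
        stats[sid] = (a + 1, r) if limiter.admit(sid, t) else (a, r + 1)
    return stats


def sample_requests():
    """Constructed log: a human session clicking once a second, and a bot session
    firing a request every 50 ms for two seconds (40 requests)."""
    human = [(t * 1000, "sess-human") for t in range(5)]
    bot = [(t * 50, "sess-bot") for t in range(40)]
    return human + bot


if __name__ == "__main__":
    print(replay(SessionLimiter(rate=2, burst=5), sample_requests()))
```

The human session is never touched, while the bot gets its burst of 5 and then one request every half second, 8 of its 40 requests in all; the server’s parsing and database work is spent on those 8 instead of 40. Two practical caveats: the session table itself is a resource, so a bot that opens a fresh session per request must be capped separately (on new sessions per source, or by requiring a cookie before any expensive request), and the rejected requests still consumed bandwidth on the way in.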

Outright Attack Prevention

Attack prevention techniques are the most efficient way to eliminate the effects of bandwidth depletion, resource depletion and infrastructure attacks (Zargar et al., 2013, p. 2061). System and protocol measures include removing bugs, preventing unauthorized access to machines, updating installed protocols and so on (Zargar et al., 2013, p. 2062). There are also reconfiguration techniques, in which further resources are added to the potential victim’s network topology so that it can tolerate a DDoS attack, or to the intermediate network so that an attack can be isolated (Zargar et al., 2013, p. 2062). Load balancing and flow control are also good ways to prevent overloaded links: load balancing improves performance and mitigates DDoS attacks, while flow control keeps the servers from shutting down (Zargar et al., 2013, p. 2062).

Difficulties and Challenges

There are many challenges along the path to implementing defenses against DDoS attacks. Countering them requires accurate detection and mitigation of many different attack methods, among other complicated tasks (Zlomislić et al., 2017, p. 668). A major challenge is the variability of the attack rate, which may be low, high or dynamic (Zlomislić et al., 2017, p. 668). Low-rate attacks often do not disturb the normal traffic distribution, whereas high-rate attacks can look identical to regular traffic peaks, and both are difficult for filtering defenses to discern (Zlomislić et al., 2017). The next difficulty is that perfect attack detection and mitigation is rarely achieved. Even in the best case of 100% detection, the mitigation mechanisms must also be perfectly efficient, not to mention adaptable to new forms of attack and to attacks that change their behaviour while in progress. Any attack that achieves a service outage at all must be considered successful, so the most effective countermeasures are the proactive and preventative techniques outlined above (Zlomislić et al., 2017, p. 668).

Future Trends in DDoS Defense

With the rapid development of technology, Zargar et al. (2013, p. 2065) argue that combining source address authentication, link capabilities and filtering techniques in a collaborative, cooperative way across networks will offer the most robust defense against DDoS flooding attacks in the future. They also advise taking attacker incentives into account, which could lead to motivation-based defense strategies (Zargar et al., 2013, p. 2065). It is also likely that future networks will be built with the ability to analyze traffic across layers in order to detect and defend against flooding attempts more efficiently (Zargar et al., 2013, p. 2065). Finally, at the human level, stricter cyber crime laws and their enforcement, combined with more robust cyber-insurance policies that require anti-DDoS measures to be implemented, would go a long way toward stemming the tide of DDoS flooding attacks (Zargar et al., 2013, p. 2065).

Contributors: Joel Conley, Julian Garside, Paraspreet Atwal, Duc Le

References

Carl, G., Kesidis, G., Brooks, R. R., & Rai, S. (2006). Denial-of-Service Attack Detection Techniques. IEEE Internet Computing, 10(1), 82–89. https://doi.org/10.1109/MIC.2006.5

Douligeris, C., & Mitrokotsa, A. (2004). DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks, 44(5), 643–666. https://doi.org/10.1016/j.comnet.2003.10.003

Li, L., & Lee, G. (2005). DDoS Attack Detection and Wavelets. Telecommunication Systems, 28(3), 435–451. https://doi.org/10.1007/s11235-004-5581-0

Lu, K., Wu, D., Fan, J., Todorovic, S., & Nucci, A. (2007). Robust and Efficient Detection of DDoS Attacks for Large-Scale Internet. Computer Networks, 51(18), 5036–5056. https://doi.org/10.1016/j.comnet.2007.08.008

Mahjabin, T., Xiao, Y., Sung, G., & Jiang, W. (2017). A Survey of Distributed Denial-of-Service Attack, Prevention, and Mitigation Techniques. International Journal of Distributed Sensor Networks, 13(12), 1–33. https://doi.org/10.1177/1550147717741463

Sogut, E., Oyucu, S., & Erdem, O. A. (2021). Detecting Different Types of Distributed Denial of Service Attacks. Gazi Universitesi Fen Bilimleri Dergisi, 9(1), 12–25. https://doi.org/10.29109/gujsc.840126

Zargar, S. T., Joshi, J., & Tipper, D. (2013). A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks. IEEE Communications Surveys & Tutorials, 15(4), 2046–2069. https://doi.org/10.1109/SURV.2013.031413.00127

Zlomislić, V., Fertalj, K., & Sruk, V. (2017). Denial of Service Attacks, Defences and Research Challenges. Cluster Computing, 20(1), 661–671. https://doi.org/10.1007/s10586-017-0730-x
