1.1 DDOS ATTACK OVERVIEW
One of the major threats to cyber security is the Distributed Denial-of-Service (DDoS) attack, in which victim networks are bombarded with a high volume of attack packets originating from a large number of machines. The aim of such an attack is to overload the victim with a flood of packets and render it incapable of providing normal service to legitimate users. In a typical three-tier DDoS attack, the attacker first compromises relay hosts called agents, which in turn compromise attack machines called zombies; the zombies transmit the attack packets to the victim. Packets sent from zombie machines may carry spoofed source IP addresses to make tracing difficult. DDoS attacks can be launched even by unsophisticated casual attackers using widely available DDoS attack tools such as Trinoo, TCP Flooding Networks 2000 (TFN2K), Stacheldraht, etc.
Since an attack in February 2000 that targeted several high-profile Web sites, including Yahoo, CNN, eBay, etc., the frequency and magnitude of DDoS attacks have been increasing rapidly, making them a growing concern in our Internet-dependent society. According to the 2003 CSI/FBI Computer Crime and Security Survey, 42 percent of respondents had suffered DDoS attacks, 28 percent reported financial losses due to DDoS attacks, and the average losses due to DDoS attacks had increased 4.8 times since the year 2002. Recently, the FBI placed a suspect on its Most Wanted list on the charge of launching a DDoS attack against a competitor's Web site.
The DDoS problem has attracted much attention from the research community recently. In our observation, there are three major branches of DDoS research, namely:
1) Attack detection, e.g., by monitoring protocol behavior;
2) Attack trace back, e.g., by packet marking; and
3) Attack traffic filtering, e.g., by the Packet Score scheme.
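The following added example (written for this overview; it is not code from the paper or from the Packet Score authors) illustrates research branches 1 and 3 together in a simplified, attribute-profile form. It builds a nominal profile of per-packet attribute distributions from attack-free traffic, flags an attack window by the divergence of the current distribution from that profile (monitoring protocol behaviour), and then scores each packet by how much its attribute values are over-represented relative to the baseline, discarding the lowest-scoring packets until a load target is met. The traffic records are constructed, not captured; the attribute set, the probability floor for unseen values and the load-shedding target are all assumptions of the example.

```python
"""Added example: a simplified PacketScore-style detector and filter.

All traffic below is constructed sample data, not a real capture. The scored
attribute set, the probability floor and the keep_fraction load target are
assumptions of this example, not values taken from the paper.
"""
import math
from collections import Counter

# Assumed per-packet attributes used for profiling (a real deployment would
# use whatever header fields its collector exports).
ATTRIBUTES = ("proto", "ttl", "length", "dport")


def make_packets(n, proto, ttl, length, dport):
    """Constructed packet records carrying only the four scored attributes."""
    return [{"proto": proto, "ttl": ttl, "length": length, "dport": dport}
            for _ in range(n)]


# Constructed attack-free baseline: 100 packets of a realistic-looking mix.
NOMINAL_TRAFFIC = (make_packets(60, "TCP", 64, 1460, 80)
                   + make_packets(30, "TCP", 128, 60, 443)
                   + make_packets(10, "UDP", 64, 80, 53))

# Constructed attack window: the legitimate mix at half rate plus a
# 200-packet UDP flood whose attribute combination never appears in baseline.
LEGITIMATE_WINDOW = (make_packets(30, "TCP", 64, 1460, 80)
                     + make_packets(15, "TCP", 128, 60, 443)
                     + make_packets(5, "UDP", 64, 80, 53))
ATTACK_WINDOW = LEGITIMATE_WINDOW + make_packets(200, "UDP", 250, 40, 7)


def build_profile(packets):
    """Per-attribute value frequencies, normalised to probabilities."""
    n = len(packets)
    return {a: {v: c / n for v, c in Counter(p[a] for p in packets).items()}
            for a in ATTRIBUTES}


def profile_divergence(nominal, current):
    """Total variation distance per attribute between the nominal profile and
    the current window. A jump above a tuned level is the detection signal
    (branch 1: monitoring protocol behaviour); 0.0 means identical mixes."""
    div = {}
    for a in ATTRIBUTES:
        keys = set(nominal[a]) | set(current[a])
        div[a] = 0.5 * sum(abs(nominal[a].get(k, 0.0) - current[a].get(k, 0.0))
                           for k in keys)
    return div


def score_packet(pkt, nominal, current, floor=1e-3):
    """Sum over attributes of log(P_nominal / P_current). Values absent from a
    profile get a small floor probability so the score stays finite; the more
    a value is over-represented now relative to baseline, the more negative
    (attack-like) the score. Legitimate packets in an unchanged mix score 0."""
    return sum(math.log(nominal[a].get(pkt[a], floor) / current[a].get(pkt[a], floor))
               for a in ATTRIBUTES)


def select_threshold(scores, keep_fraction):
    """Score cut-off such that about keep_fraction of the window survives.
    In practice keep_fraction is derived from downstream capacity."""
    ordered = sorted(scores)
    drop = min(round(len(ordered) * (1 - keep_fraction)), len(ordered) - 1)
    return ordered[drop]


def filter_window(window, nominal, keep_fraction):
    """Score every packet in the window and split it into (kept, dropped)."""
    current = build_profile(window)
    scores = [score_packet(p, nominal, current) for p in window]
    thr = select_threshold(scores, keep_fraction)
    kept = [p for p, s in zip(window, scores) if s >= thr]
    dropped = [p for p, s in zip(window, scores) if s < thr]
    return kept, dropped


def run_demo(keep_fraction=0.2):
    """Profile the baseline, measure divergence of the attack window, and
    filter it down to roughly keep_fraction of its packets."""
    nominal = build_profile(NOMINAL_TRAFFIC)
    divergence = profile_divergence(nominal, build_profile(ATTACK_WINDOW))
    kept, dropped = filter_window(ATTACK_WINDOW, nominal, keep_fraction)
    return divergence, kept, dropped


if __name__ == "__main__":
    divergence, kept, dropped = run_demo()
    print("per-attribute divergence:", {a: round(d, 2) for a, d in divergence.items()})
    print(f"kept {len(kept)} packets, dropped {len(dropped)}")
```

With the constructed data the flood packets all receive the same strongly negative score, the legitimate packets all score positive, and a load target of 20 percent discards exactly the 200 flood packets while keeping the 50 legitimate ones. The same filter run on the quiet window with no load pressure drops nothing, because every attribute value then has the same probability under both profiles. The weak points a practitioner should keep in mind are also visible here: the scheme depends on a trustworthy baseline, and a flood that mimics the nominal attribute mix would score like legitimate traffic.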
Distributed denial-of-service (DDoS) attacks pose an immense threat to the Internet, and consequently many defense mechanisms have been proposed to combat them. Attackers constantly modify their tools to bypass these security systems, and researchers in turn modify their approaches to handle new attacks. The DDoS field is evolving quickly, and it is becoming increasingly hard to grasp a global view of the problem. This paper strives to introduce some structure to the DDoS field by developing a taxonomy of DDoS attacks and DDoS defense systems. The goal of the paper is to highlight the important features of both attack and security mechanisms and to stimulate discussions that might lead to a better understanding of the DDoS problem.
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. A distributed denial-of-service attack deploys multiple machines to attain this goal. The service is denied by sending a stream of packets to a victim that either consumes some key resource, thus rendering it unavailable to legitimate clients, or provides the attacker with unlimited access to the victim machine so that he can inflict arbitrary damage.
1.2 DDOS ATTACK STRATEGY
In order to perform a distributed denial-of-service attack, the attacker needs to recruit multiple agent (slave) machines. This process is usually performed automatically by scanning remote machines for security holes that would enable subversion. Vulnerable machines are then exploited by using the discovered vulnerability to gain access to the machine, and they are infected with the attack code. The exploit/infection phase is also automated, and the infected machines can be used for further recruitment of new agents. The agent machines perform the attack against the victim. Attackers usually hide the identity of the agent machines during the attack through...