In this chapter we discuss Distributed Denial of Service (DDoS) attacks in networks such as the Internet, which have become increasingly prevalent in recent years. We explain how DDoS attacks are performed and consider the characteristics of an ideal solution for defending against DDoS attacks in the Internet. We then present the different research directions and thoroughly analyse some of the important techniques that have recently been proposed. Our analysis confirms that none of the proposed techniques can efficiently and completely counteract DDoS attacks. Furthermore, as networks become more complex, they become even more vulnerable to DoS attacks when some of the proposed techniques are deployed in the Internet. The gap between the tools that can generate DDoS attacks and the tools that can detect or prevent them continues to widen. Finally, we briefly outline some best practices that users are urged to follow to minimise DoS attacks in the Internet.
The DDoS architecture is shown in Figure 1. In a DDoS attack there can be several handlers, and each handler is capable of controlling multiple zombies. The attacker does the major part of her/his work in identifying and creating the handlers. The attacker initiates a scan of a number of hosts in the Internet for a known vulnerability. If a vulnerable host is found, the attacker compromises it to gain root access and installs attack tools on the compromised machine. The compromised machines that are controlled by an attacker in this way are called handlers. The handlers can be located anywhere in the Internet, and the communication between the attacker and the handlers can be encrypted. There can be several stages in the handler mechanism, and the handlers do not directly conduct the attack on the victim machines. As the number of stages within the handler mechanism increases, it becomes more difficult to trace the attacker.
Key Terms in this Chapter
Attack Signatures: a pattern of traffic that enables differentiation between the good packets and the attack packets.
Handlers: compromised machines that control zombies.
Input Debugging: the process of determining the approximate origin of spoofed attack traffic through hop-by-hop traceback.
Denial of Service (DoS): an attempt by attackers to prevent legitimate users from accessing resources for which they have authorisation.
Zombies: compromised machines that flood the victim's machine or network with attack traffic.
Distributed Denial of Service (DDoS): an attack in which an attacker compromises several hosts on the Internet and then uses these compromised computers to launch coordinated attacks on victim machines.
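The two defensive terms above, attack signatures and input debugging, fit together: a signature tells a router which packets belong to the attack, and input debugging asks on which ingress interface those packets arrive so the next router upstream can be queried, hop by hop, until the traffic's entry point is reached. The example below is added here to illustrate that procedure and is not code from the chapter. The topology, router names, interface names, the victim address and all packet records are constructed sample data; the "SYN-only packets towards the victim" signature is an assumption chosen for illustration. It also shows why the source addresses of the flood are no help: each attack packet carries a different forged source, so only the physical ingress path identifies the origin.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet observation at one router (constructed record format)."""
    src: str      # source address as carried in the packet (may be spoofed)
    dst: str      # destination address
    flags: str    # TCP flags, e.g. "S" for a SYN-only packet
    router: str   # router that observed the packet
    iface: str    # ingress interface on that router


# Constructed victim address for the example.
VICTIM = "10.0.0.5"

# Constructed topology: router -> {ingress interface: upstream router or None at an edge}.
TOPOLOGY = {
    "R1": {"eth0": "R2", "eth1": "R3"},
    "R2": {"eth0": "R4", "eth1": None},
    "R3": {"eth0": None},
    "R4": {"eth0": None},
}


def matches_signature(pkt: Packet, victim: str = VICTIM) -> bool:
    """Attack signature (assumed for the example): SYN-only packets aimed at the victim."""
    return pkt.dst == victim and pkt.flags == "S"


def ingress_counts(packets, router: str) -> Counter:
    """Per-interface count of signature-matching packets seen at one router."""
    counts = Counter()
    for p in packets:
        if p.router == router and matches_signature(p):
            counts[p.iface] += 1
    return counts


def input_debug_traceback(packets, start_router: str, threshold: int) -> list:
    """Hop-by-hop traceback: at each router pick the ingress interface carrying the most
    attack traffic; if it is at or above threshold, move to the upstream router on that
    interface. Stops at an edge router or when no interface reaches the threshold."""
    path = [start_router]
    router = start_router
    while True:
        counts = ingress_counts(packets, router)
        if not counts:
            break
        iface, n = counts.most_common(1)[0]
        if n < threshold:
            break
        upstream = TOPOLOGY[router].get(iface)
        if upstream is None:
            break
        path.append(upstream)
        router = upstream
    return path


def distinct_attack_sources(packets) -> int:
    """Number of distinct (forged) source addresses among signature-matching packets."""
    return len({p.src for p in packets if matches_signature(p)})


# Constructed observations: five flood packets with different forged sources enter at
# R4 eth0, are forwarded to R2 eth0 and then to R1 eth0 (the victim's router).
# Legitimate traffic to the victim arrives at R1 eth1 from R3.
_SPOOFED = ["203.0.113.7", "198.51.100.9", "192.0.2.44", "203.0.113.81", "198.51.100.2"]
SAMPLE_PACKETS = (
    [Packet(s, VICTIM, "S", "R4", "eth0") for s in _SPOOFED]
    + [Packet(s, VICTIM, "S", "R2", "eth0") for s in _SPOOFED]
    + [Packet(s, VICTIM, "S", "R1", "eth0") for s in _SPOOFED]
    + [Packet("192.0.2.10", VICTIM, "S", "R1", "eth1"),   # one real client handshake
       Packet("192.0.2.10", VICTIM, "A", "R1", "eth1"),
       Packet("192.0.2.11", VICTIM, "PA", "R1", "eth1")]
)

if __name__ == "__main__":
    print("distinct forged sources:", distinct_attack_sources(SAMPLE_PACKETS))
    print("traceback path:", input_debug_traceback(SAMPLE_PACKETS, "R1", threshold=3))
```

Starting at the victim's router R1, the flood is concentrated on eth0, so the query moves to R2, then to R4, whose eth0 is an edge interface: the traffic entered the monitored network there, whatever the packets claim as their source. The threshold keeps a single legitimate SYN on eth1 from being followed. In practice each hop requires the cooperation of that router's operator, which is what makes input debugging slow against short-lived attacks.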