1. Introduction
The Internet has grown tremendously in a very short period of time and has become a necessity for people in every corner of the world. Through the Internet infrastructure, people can share files, communicate with each other across distances in real time, and perform tasks cooperatively from different locations by contributing their computing resources. Furthermore, anyone can easily join the network and communicate with any other system on it. These services also come with many vulnerabilities. Attacks can take many forms, ranging from an attack on the physical IT (Information Technology) environment, to overloading of network connection capacity, to exploitation of application weaknesses (Bahaa & Al-Musawi, 2012).
Yu and Gligor defined DoS (Denial of Service) as a situation in which one group of authorized users of a specific service denies that service to another group of authorized users (Yu & Gligor, 1990). Here, the former group makes the specified service unavailable to the latter group for a period of time that exceeds the intended waiting time. Network components are at risk of DoS for two main reasons.
First, resources such as the bandwidth, processing power, and storage capacity of targeted servers are limited, so networks and systems can be exhausted by DoS attacks. Second, Internet security is highly interdependent: the weakest link in the chain may be controlled by someone who is not a legitimate user, which takes away any site's ability to be self-reliant (Fu, Papatriantafilou, & Tsigas, 2012).
In DDoS (Distributed Denial of Service) attacks, attackers do not use a single system or host but a cluster of several computers to perform a coordinated attack. The evolution of solutions that resolve or prevent attacks in turn drives the evolution of the attacks themselves, and DoS attacks have now evolved into DDoS attacks (Kumar & Selvakumar, 2011). DDoS attacks can be classified into three categories. First, application-layer DDoS attacks target Windows, Apache, OpenBSD (Berkeley Software Distribution), or other software with vulnerabilities and can crash the servers. These attacks use malicious packets that appear to be legitimate application-layer (layer 7) requests to the server and eventually exhaust or crash it. Layer 7 DDoS attacks include attacks on Apache HTTP (Hypertext Transfer Protocol) Server and Microsoft IIS, and tools such as Slowloris (National Cybersecurity and Communications Integration Center, 2014; Occupyweb, 2015).
Second, protocol DDoS attacks operate at the protocol level. This category includes the SYN (synchronize) flood, the Ping of Death, and others. These attacks usually consume the server's resources rather than the bandwidth going to and from the server. They can also consume the resources of network equipment on the periphery of the server, such as firewalls, intrusion detection systems, and switches. Smurf attacks (a type of protocol-level DDoS attack) send ICMP (Internet Control Message Protocol) echo requests to a broadcast address with a spoofed source IP, so that every host on that network replies to the victim. Fraggle attacks work the same way as Smurf but use UDP (User Datagram Protocol). A SYN flood sends a stream of TCP SYN segments, often from spoofed sources, without ever completing the handshake, leaving the server holding half-open connections; the Ping of Death sends oversized ICMP packets; and a related attack sends packets whose source and destination IP address and port are identical.
Third, volume-based DDoS attacks include ICMP floods, UDP floods, and other flood attacks carried out with spoofed packets. These attacks are the simplest: the attacker simply sends a large volume of packets to the target, using up all of the target's resources such as bandwidth, CPU (Central Processing Unit), and memory.
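To make the three categories concrete, the following script (an added example, not code from the paper) classifies a constructed packet trace into application-layer, protocol and volume-based attacks using the signatures just described: incomplete HTTP requests for Slowloris, SYNs without handshake completion for SYN floods, ICMP echo or UDP to the directed broadcast address for Smurf and Fraggle, oversized ICMP for the Ping of Death, and raw packet counts for floods. The 192.0.2.0/24 network, every address in the trace and every threshold are assumptions chosen for the example.

```python
"""Classify a packet trace into the three DDoS categories described above.

Added example, not code from the paper: the trace is constructed inline so the
script runs offline, and every address and threshold below is an assumption.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    size: int = 64       # reassembled datagram length in bytes
    dport: int = 0
    flags: str = ""      # TCP flags: "S" = SYN, "A" = ACK, "PA" = PSH+ACK
    icmp_type: int = 0   # 8 = echo request
    payload: bytes = b""


# Assumed thresholds; a real sensor tunes these to the monitored link.
SYN_FLOOD_MIN_SYNS = 50        # SYNs to one host in the window ...
SYN_FLOOD_MAX_ACK_RATIO = 0.1  # ... with almost no handshake completions
SLOWLORIS_MIN_PARTIAL = 20     # incomplete HTTP requests from one client
FLOOD_MIN_PACKETS = 200        # UDP/ICMP packets to one host in the window
MAX_IP_DATAGRAM = 65535        # anything larger cannot be a legal IPv4 datagram


def classify(packets, local_net):
    """Return sorted (category, attack, target) tuples found in the trace."""
    bcast = str(ipaddress.ip_network(local_net).broadcast_address)
    syns, acks, partial_http, flood = Counter(), Counter(), Counter(), Counter()
    findings = set()

    for p in packets:
        if p.proto == "tcp":
            if p.flags == "S":
                syns[p.dst] += 1
            elif p.flags == "A":
                acks[p.dst] += 1
            # Slowloris: a request line arrives but the header block never ends.
            if (p.dport in (80, 443)
                    and p.payload.startswith((b"GET ", b"POST ", b"HEAD "))
                    and not p.payload.endswith(b"\r\n\r\n")):
                partial_http[(p.src, p.dst)] += 1
        elif p.proto == "icmp":
            if p.size > MAX_IP_DATAGRAM:
                findings.add(("protocol", "ping of death", p.dst))
            if p.icmp_type == 8 and p.dst == bcast:
                # Every host answers the spoofed source, so that is the victim.
                findings.add(("protocol", "smurf", p.src))
            flood[("icmp", p.dst)] += 1
        elif p.proto == "udp":
            if p.dst == bcast and p.dport in (7, 19):   # echo / chargen
                findings.add(("protocol", "fraggle", p.src))
            flood[("udp", p.dst)] += 1

    for dst, n in syns.items():
        if n >= SYN_FLOOD_MIN_SYNS and acks[dst] / n <= SYN_FLOOD_MAX_ACK_RATIO:
            findings.add(("protocol", "syn flood", dst))
    for (_client, server), n in partial_http.items():
        if n >= SLOWLORIS_MIN_PARTIAL:
            findings.add(("application", "slowloris", server))
    for (proto, dst), n in flood.items():
        if n >= FLOOD_MIN_PACKETS:
            findings.add(("volume", f"{proto} flood", dst))
    return sorted(findings)


def build_trace():
    """Constructed traffic against the assumed 192.0.2.0/24 network."""
    t = []
    # 60 SYNs from spoofed sources to the web server; only two handshakes finish
    t += [Packet(f"203.0.113.{i}", "192.0.2.10", "tcp", dport=80, flags="S")
          for i in range(1, 61)]
    t += [Packet("203.0.113.1", "192.0.2.10", "tcp", dport=80, flags="A")] * 2
    # Slowloris: one client holds 25 requests open and never finishes the headers
    t += [Packet("198.51.100.7", "192.0.2.10", "tcp", dport=80, flags="PA",
                 payload=b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nX-a: b\r\n")] * 25
    # Smurf and Fraggle: spoofed source (the victim) to the directed broadcast
    t += [Packet("198.51.100.9", "192.0.2.255", "icmp", icmp_type=8)] * 3
    t += [Packet("198.51.100.9", "192.0.2.255", "udp", dport=7)] * 3
    # Ping of Death: a reassembled echo request larger than any legal datagram
    t.append(Packet("203.0.113.99", "192.0.2.10", "icmp", size=65560, icmp_type=8))
    # Volumetric UDP flood against the DNS server from many spoofed sources
    t += [Packet(f"203.0.113.{i % 250 + 1}", "192.0.2.20", "udp", dport=53, size=1400)
          for i in range(300)]
    return t


if __name__ == "__main__":
    for category, attack, target in classify(build_trace(), "192.0.2.0/24"):
        print(f"{category:12s} {attack:14s} -> {target}")
```

Note the vantage point: the Smurf and Fraggle rules fire on the amplifier network, where the broadcast-addressed packet is seen. Seen from the victim's side, the same attack shows up only as a flood of ICMP echo replies or UDP responses from many hosts, which the plain packet-count rule catches but cannot attribute to a broadcast abuse.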
There are two main reasons for attackers' interest in launching DDoS attacks. First, various effective, easy-to-use automatic tools are freely available for attacking any victim, and using them requires no expertise. Second, it is usually impossible to locate the attacker without extensive human interaction or without new features in most routers on the Internet (Abhilash & Kumar, 2011; Chang, 2000).