Methods for Detecting and Preventing Distributed DOS (DDOS) Attacks

Distributed DOS (DDOS) Attacks

Distributed Denial-of-service is unavailability of network resources or servers to the users due to malicious attempts of individuals, where there is suspension and interupting of network services of the internet connected host/computer (Kumarasamy, & Dr. Asokan, 2011). It involves creation of network congestion whereby focus of high traffic volume on a system disrupts its operations. This prevents the packet in targeting system from ever reaching the intended destination. Packets forwarding has a path of unregulated network readily exploited by hackers. DOS attackers target DNS security that is critical to exploit their resources though making it unavailable to the users (Lioy, Maino, Marian, & Mazzocchi, 2000).

Today, the vulnerable system in the modern internet allows employment of coordinated attack by attackers, which is larger scale, known as DDoS (Bhuyan, Kashyap, Bhattacharyya, & Kalita, 2012). Organizations are experiencing flooding of DDoS attacks, which are well-organized causing system crash or making it unusable due to simultaneous large amount of traffic sent to a system target by botnets (Zargar, Joshi, & Tipper, 2013). In the past, attacks included an attack on Yahoo organization’s site in February of 2000, where services were temporarily unavailable in the internet for hours due to DDoS flooding.

According to Zargar, et al., (2013), there were major attacks on the Domain Name System (DNS) in October of 2002, and SCO Group in February of 2004, where both sites went down for hours resulting to inaccessibility of their services to the users who were legitimate. Additionally, websites of PayPal, MasterCard, Post-Finance, and Visa received DDoS flooding in December of 2010 by a group ‘Anonymous’, which damaged their online reputation (Zargar, et al., 2013). Recently, U.S. banks, such as Wells Fargo, Bank of America, and HSBC have been flooded with DDoS attacks by foreign groups.

Methods of Detecting DDoS Attacks

To help understand methods of detecting DDoS attacks, the paper will explain their categories and how DDoS attacks operate. There are sematic attacks, where the attacker takes an advantage of communication flaws by sending malformed packets through a single machine (Fu, 2012). The semantic prevention is corresponding to bug replacement that is included in the protocols of the network. Next, brute force attack is a DDoS attack, which is widespread (Fu, 2012). Brute force attacks entail the traffic flooding, which is legitimate, and overcrowd the networks leading to the service’s inaccessibility for the legitimate user. The DDoS attacks, which are common in the community, are the SYN flooding, which exploits the TCP servers when in the state of leading to half connections (Eddy, 2007). The attacker utilizes compromised machines to overwhelm the network of the user through simultaneously flooding his packets (Fu, 2012). The brute force attacks include the ICMP flooding and UDP flooding. Thus, after understanding the types of DDoS attacks, it is necessary to evaluate DDoS detection methods (Zargar et al., 2013).

According to Fu (2012), Network Intrusion Detection Systems (NIDs) involve a systematic system for detecting DDoS attacks. The NID methods of detection provide for the knowledge-based, soft computing and statistical methods deployed to assist the legitimate user to detect any attacks, assist the victims in detection (Fu, 2012).

Knowledge Based Detection Method

Knowledge based method involves the anomaly-based detection and signature-based detection, used in malicious activities detecting. Signature-based detection method is used in detection of malformed packets and virus security threats, which are commonly known through searching individual packets with specific patterns (Zargar et al., 2013). Anomaly-based detection method detects threats of security through checking for behaviors of the set of packets that are abnormal.

However, where variations in behaviors of the traffic are abrupt, the best detection method to use is the anomaly-based detection. This is due to seemingly legitimate malicious packets when individually analyzed for flooding-based DDoS attacks (Kumarasamy, & Dr. Asokan, 2011). According to Fu (2012), the anomaly-based detection method is categorized as on-line DDoS detection, and off-line detection, which involves the use of systematic methods in analyzing network traffic, the distribution features of main characteristics so as to find attacks. According to Bhuyan et al. (2012), one common structure to monitor traffic characteristics in order to detect DDoS attacks by routers is the MULTOPS (Multi-Level Tree for Online Packet Statistics).

Methods of Preventing DDoS Attacks

According to Fu (2012), the avoidance of DDoS attacks involves a level of appliance that is many-sided to allow the victims to detect the sources and destination of host problems. There is a necessity to employ a port-hopping method, which is a many-sided defense method, and Sieve method, to ensure prevention of same type of attacks (Fu, 2012).

Port-Hopping Prevention Method

This method allows the periodical communication of multiparty applications via ports and prevents attackers from accessing and disrupting the communication ports (Fu, 2012). This application involves communication parties synchronizing through synchronized clocks and acknowledgement-based synchronization mechanisms. The acknowledgment situation involves a direct attack to an open port identified by the attacker (Fu, 2012). To prevent DDoS attack, where the receiver and the sender of messages utilize the acknowledgements to change port number’s destinations, the clocks are supposed to have the same rate. The values of the clocks have bounded differences due to drift of clocks, which is bounded.

Sieve Prevention Method

Sieve method allows prevention of bandwidth-flooding attacks, where filtering occurs for attackers’ models and packets through lightweight authenticators (Fu, 2012). The Sieve method prevents DDoS attacks through providing a connection setup for servers that are protected and to the clients who are legitimate. The method allows for prevention of DDoS attacks through utilizing the mechanism of overlay of networks at the network level. Sieve method utilizes IP addresses in the authentication process to allow users to send packets at different times to different points though the filtering process (Bhuyan et al., 2012). The attackers take time in configuring the filtering rules, thus allowing the port not to be flooded with DDoS attacks. Sieve method of prevention protects establishment of connections through partitioning of network hosts into domains with quota per time (Fu, 2012). The domains are used to send the request of connection to a server, where attackers find it hard to compromise domains sending sources. The request from legitimate clients utilizes the mechanism of overlay node if a domain becomes infected, thus preventing additional DDoS attacks (Zargar et al., 2013).

Strengths of Implementing the Methods

Methods of detecting and preventing of falling under many IT applications and complexity need to be well operated. The advantages of the methods include the following:

• The deploying of detection and response system in Sieve prevention method at the source hosts provide filtering of traffic of attacks thus saving resources.
• The knowledge-based detection method is easier to implement as it is engaged with victims who are near the detection hosts.
• The port-hopping method provides destination, network, and source in tackling of DDoS attacks due to the availability of various levels of communication.

Weakness of Implementing the Methods

The methods, which have slight disadvantages due to the presence of advanced attacks, include:

• The port-hopping is a complex method due to communication scattering within the distributed components.
• The sieve method cannot accurately differentiate DDoS attacks that are legitimate due to high volume of traffic.
• The knowledge-based detection method, which detects DDoS attacks before they compromise data of victims, is slow and some resources are wasted on the way.
• The deployment of these methods is not welcome in organizations due to lack of payment of the services’ expenses resulting to low motivation.

Conclusion

In conclusion, DDoS attacks have advanced with time and different stakeholders are involved in the deployment of methods of detection and prevention of DDoS attacks, who have to innovate and be ready to spend on the internet infrastructure mechanisms necessary in setting up of secure communication and information. An efficient method for DDoS attacks’ detection is the knowledge-based method. The most efficient methods for DDoS attacks’ prevention are the port-hoping method and sieve method. The core purpose of these methods is to ensure sufficient security, whilst maintaining an ample performance of network.