Nirbhay Ahlawat et al. / (IJAEST) INTERNATIONAL JOURNAL OF ADVANCED ENGINEERING SCIENCES AND TECHNOLOGIES
Vol No. 3, Issue No. 1, 052 - 060
ISSN: 2230-7818 @ 2011 http://www.ijaest.iserp.org. All rights Reserved.

Classification and Prevention of Distributed Denial of Service Attacks

Nirbhay Ahlawat (1) and Chetan Sharma (2)

(1) M. Tech-CS Department, Subharti Institute of Technology and Engineering, Meerut, nirbhay.ahlawat@gmail.com
(2) M. Tech-VLSI Department, JSS Academy of Technical Education, Noida, chetan2042@gmail.com

ABSTRACT

Distributed Denial of Service (DDoS) attacks have become a real threat to the security of the internet. A DDoS attack is the most advanced form of DoS attack. A DDoS attack can easily fake its source address (known as "spoofing"), which disguises the true origin of the attack. Defending against DDoS is a challenging job because of IP spoofing and the destination-based routing of the internet. In this paper we present a classification and some prevention techniques for DDoS attacks, explained in a way that gives a better understanding of DDoS attacks. Many solutions have been proposed, but none is able to completely stop an intense attack.

Keywords: DDoS attacks, DDoS classification, prevention from attack.

INTRODUCTION

Network security becomes more and more serious with the rapid development of network technology and applications. Distributed Denial of Service (DDoS) is a relatively simple, yet very powerful, technique for attacking internet resources. DDoS attacks add the many-to-one dimension to the DoS problem, making the prevention and mitigation of such attacks more difficult and the impact proportionally more severe. DDoS exploits the inherent weakness of the DoS attack at the network device level, which includes attacks that might be caused either by taking advantage of bugs or weaknesses in software or by trying to exhaust the hardware resources of a network device. According to WWW Security on Distributed Denial of Service (DDoS) attacks, a DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets.

DDoS attacks have become more sophisticated in the last several years as the level of attack automation has increased. Sample and fully functional attack software is readily available on the Internet. Precompiled and ready-to-use programs allow novice users to launch relatively large-scale attacks with little knowledge of the underlying security exploits. In the past year, Black Hats have taken theoretical optimizations in worm propagation and applied them to the fastest spreading worm today.

DDoS attacks are becoming an increasingly frequent disturbance of the global Internet. They are very hard to defend against because these attacks consume resources at the network and transport layers, where it is difficult to authenticate whether an access is genuine or malicious. There are two aims for DDoS attacks: the first is to consume the resources of the host, and the second is to consume the bandwidth of the network. Current schemes to protect the resources of the host drop incoming packets according to fields such as protocol type and port number. However, the disadvantage of doing this is that there is no accurate way to differentiate normal traffic from malicious traffic.

A DDoS attack (Distributed Denial of Service attack) is the most advanced form of DoS attack. It differs from other attacks in its ability to deploy its weapons in a "distributed" way over the internet and to aggregate these forces to create lethal traffic. One main thing that makes a DDoS attack different is that it never tries to break into the victim's system. The main goal of a DDoS attack is to cause damage to a victim, either for personal reasons, or


for material gain or for popularity. DDoS takes advantage of the internet architecture, and this is what makes it even more powerful.

DDoS Classification:

1) Classification by degree of automation
Based on the degree of automation of the attack, DDoS attacks can be classified into manual, semi-automatic, and automatic DDoS attacks.

i) Manual: Early DDoS attacks were manual. This means that the early DDoS strategy included scanning remote machines for vulnerabilities, breaking into them and installing the attack code.

ii) Semi-automatic: In this case the DDoS attack belongs to the agent-handler attack model. The attacker scans and compromises the handlers and agents using automated scripts. Semi-automatic attacks can be divided further into attacks with direct communication and attacks with indirect communication.

iii) Automatic: In automatic DDoS attacks the communication between the attacker and the agent machines is completely avoided. In most cases the attack phase is limited to a single command.

2) Classification by exploited vulnerability
According to the exploited vulnerability, DDoS attacks can be divided into the following categories: flood attacks, amplification attacks, protocol exploit attacks and malformed packet attacks.

i) Flood attack: In this attack the zombies send large volumes of IP traffic to a victim system in order to congest the victim system's bandwidth. The impact of the packet stream sent by the zombies to the victim system varies from slowing it down or crashing the system to saturation of the network bandwidth. Some of the well-known flood attacks are:
• UDP flood attacks.
• ICMP flood attacks.

ii) Amplification attack: The attacker or the agent exploits the broadcast IP address feature found on most routers to amplify and reflect the attack, sending a message to a broadcast IP address. This instructs the routers servicing the packets within the network to send them to all the IP addresses within the broadcast address range. In this way the malicious traffic that is produced reduces the victim system's bandwidth. In this type of DDoS attack the attacker can send the broadcast message directly, or by the use of agents, to increase the volume of attacking traffic. Reflectors are used as intermediate nodes in amplification attacks. Some of the well-known amplification attacks are:
• Smurf attacks.
• Fraggle attacks.

iii) Protocol exploit attacks: These exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume an excessive amount of its resources. A representative example of a protocol exploit attack is the TCP SYN attack, which exploits the inherent weakness of the three-way handshake involved in TCP connection setup. An attacker initiates a SYN flooding attack by sending a large number of SYN packets. A SYN flood results in the server being unable to process other incoming connections as the queue gets overloaded. Examples of protocol exploit attacks are:
• PUSH + ACK attacks.
• CGI request attacks.
• Authentication server attacks.

iv) Malformed packet attacks: These types of attack rely on incorrectly formed IP packets that are sent from the agents to the victim in order to crash the victim system. The malformed packet attack can be divided into two types of attack: the IP address attack and the IP packet options attack. In an IP address attack, the packet contains the same source and destination IP addresses. This can confuse the operating system of the victim system and crash it. In an IP packet options attack, a malformed packet may randomize the optional fields within an IP packet and set all quality of service bits to one. If this attack is combined with the use of multiple agents, it could lead to the crash of the victim system.

3) Classification by attack rate dynamics
Based on attack rate dynamics, DDoS attacks can be divided into continuous rate and variable rate attacks.

i) Continuous rate attacks comprise attacks that, after the onset of the attack, are executed with full force and without a break or decrease of force. The impact of a continuous rate attack is very quick.

ii) Variable rate attacks, as their name indicates, "vary the attack rate" and thus avoid detection and immediate response. Based on the rate change mechanism we differentiate between


attacks with an increasing rate and attacks with a fluctuating rate. Increasing rate attacks gradually lead to the exhaustion of the victim's resources, thus delaying detection of the attack. Fluctuating rate attacks have a wavy rate that is defined by the victim's behavior and response to the attack.

4) Classification by impact
Based on the impact of a DDoS attack, we can divide DDoS attacks into disruptive and degrading attacks.

i) Disruptive attacks: These attacks lead to the complete denial of the victim's service.

ii) Degrading attacks: The main aim of these types of attack is to consume some portion of a victim's resources. This has the effect of delaying the detection of the attack while at the same time causing immense damage to the system.

Prevention:

Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack. To prevent your system and network from becoming a victim of DoS attacks, many preventative solutions are available:

1) Policies and Procedures
Security policies and procedures should be developed. Security policies are a very important part of a service provider's overall security architecture and are critical for stopping abusive users. A service provider's Acceptable Use Policy (AUP) is a key tool for removing abusive customers from its network. Service providers should also establish an Incident Response Team (IRT) that is responsible for responding to attacks on its clients.

2) New Product/Upgrade Design and Testing
The first line of defense is security design and thorough testing of new or significantly upgraded products, services or platforms before a system is deployed in the production network. Things to consider include:
• Operating system lockdown and removal of any unnecessary processes, services and software. This should be done via scripts or checklists, preferably developed using industry best practices.
• Review of system protocols to ensure communication paths are properly authenticated and, if necessary, encrypted.
• Scanning of the systems to confirm and mitigate, if necessary, any security risks found.
• If software source code is available, security source code reviews should be performed to eliminate buffer overflows and other vulnerabilities.

3) Patch Management
Manual or automated procedures should be in place to address the ever-increasing load of patch management on servers and network elements. Care needs to be taken, as installation of patches can leave a system open to new or previously mitigated vulnerabilities when configuration files that were previously secured are replaced.

4) Scanning/Auditing
On-going scanning and auditing of servers and network elements is a critical part of network security management. Configuration management is a difficult task in a large network with hundreds of people making changes on different parts of the network. Scanning should begin by focusing on the most critical network elements and servers from an outsider's vantage point, from outside any firewalls or router ACLs. This will allow operations personnel to address the most critical vulnerabilities first. The number of network elements included in the initial scans should be limited to a reasonable size to allow personnel to fix any issues before expanding the scanning. Scanning should occur at least once a quarter. Typical scanning tools include nmap and Nessus. Scanning should include both TCP and UDP ports; however, UDP scanning can take considerably longer, especially if the scanning is done through a firewall. Scanning has been known to break services and even stop servers and network elements from functioning properly.

5) Management and Control Plane Protection
Protection of the management and control planes is critical for the successful operation of an ISP. It is easier to discuss both topics together because the router configuration to protect both is similar in many ways. Authenticated and encrypted protocols are preferred for router management. Management protocols must be accepted only from trusted hosts.
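As an added example (not code from the paper), the following Python script shows how the flood, amplification, protocol-exploit and malformed-packet classes of the classification section above translate into checks a detector could apply to raw packets. It parses IPv4 and TCP headers with the standard library and flags a packet whose source equals its destination (IP address attack), one carrying IP options with every type-of-service bit set (IP packet options attack), one addressed to the network's directed-broadcast address (the reflection step of a Smurf-style amplification), and a source that has sent more SYNs than it has completed handshakes (SYN flood). The sample packets, the 192.0.2.0/24 broadcast address and the SYN threshold are constructed assumptions for the demonstration.

```python
"""Classify raw IPv4 packets into the attack classes of the classification section.

Added example, not code from the paper: parses IPv4/TCP headers with struct and
applies four checks: src == dst (IP address attack), IP options present with all
type-of-service bits set (IP packet options attack), directed-broadcast
destination (amplification/reflection), and more SYNs than completed handshakes
from one source (SYN flood). Sample packets, the /24 broadcast address and the
SYN threshold are constructed assumptions.
"""
import ipaddress
import struct
from collections import Counter

PROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4(src, dst, payload=b"", proto=PROTO_TCP, tos=0, options=b""):
    """Build a minimal IPv4 packet (checksum left zero; the parser ignores it).
    Used only to construct the sample input for this example."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, tos, total, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def build_tcp(sport, dport, flags):
    """Build a minimal 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt):
    """Return (src, dst, tos, has_options, proto, payload) from a raw IPv4 packet."""
    vihl, tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    header_len = (vihl & 0x0F) * 4          # IHL is in 32-bit words
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            tos, header_len > 20, proto, pkt[header_len:])


def tcp_flags(segment):
    """Return the TCP flag byte (offset 13 of the TCP header)."""
    return segment[13]


def classify_packets(packets, broadcast_addr="192.0.2.255", syn_threshold=3):
    """Return a list of (packet_index, verdict) for packets matching a check.

    Packets that match none of the checks are accepted silently.
    """
    verdicts = []
    half_open = Counter()  # SYNs per source not yet balanced by an ACK
    for idx, pkt in enumerate(packets):
        src, dst, tos, has_options, proto, payload = parse_ipv4(pkt)
        if src == dst:
            verdicts.append((idx, "malformed: IP address attack (src == dst)"))
            continue
        if has_options and tos == 0xFF:
            verdicts.append((idx, "malformed: IP options attack (all QoS bits set)"))
            continue
        if dst == broadcast_addr:
            verdicts.append((idx, "amplification: directed broadcast destination"))
            continue
        if proto == PROTO_TCP and len(payload) >= 20:
            flags = tcp_flags(payload)
            if flags & TCP_SYN and not flags & TCP_ACK:
                half_open[src] += 1
                if half_open[src] > syn_threshold:
                    verdicts.append((idx, f"protocol exploit: SYN flood from {src}"))
            elif flags & TCP_ACK:
                half_open[src] = max(0, half_open[src] - 1)  # handshake completing
    return verdicts


# Constructed sample traffic: one normal handshake, then one of each attack class.
SAMPLE_PACKETS = (
    [build_ipv4("198.51.100.7", "192.0.2.10", build_tcp(40000, 80, TCP_SYN)),
     build_ipv4("198.51.100.7", "192.0.2.10", build_tcp(40000, 80, TCP_ACK)),
     build_ipv4("192.0.2.10", "192.0.2.10", build_tcp(80, 80, TCP_SYN)),
     build_ipv4("198.51.100.9", "192.0.2.10", b"", proto=17, tos=0xFF,
                options=b"\x07\x04\x00\x00"),
     build_ipv4("192.0.2.10", "192.0.2.255", b"", proto=1)]
    + [build_ipv4("203.0.113.5", "192.0.2.10", build_tcp(50000 + i, 80, TCP_SYN))
       for i in range(5)]
)

if __name__ == "__main__":
    for idx, verdict in classify_packets(SAMPLE_PACKETS):
        print(f"packet {idx}: {verdict}")
```

Running the script prints one verdict per flagged packet. The half-open counter is a deliberately simple stand-in for a real SYN-backlog monitor, and in a deployment the broadcast address would be taken from the interface configuration rather than a constant.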


Steps to protect the control plane include: protection of the route engine using filters, authentication and integrity verification of routing protocol updates, rate limiting of diagnostic protocols, and filtering of routing prefix updates sent from customers and peers.
a) Router Access
b) Router Engine Protection
c) Prefix Filtering

6) FW/IDS/IPS
Firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can be useful devices for protecting backbone services. All servers exposed on the Internet should have all non-essential services turned off and some type of host-based firewall installed on the system. Separate network-based firewalls can also be installed, but the cost of the systems can outweigh the benefit. If firewalls are deployed, an IDS behind the firewall should be considered to monitor for unauthorized activity.
a) DNS Considerations
b) Other Services

7) Disable any unused or unneeded network services.
This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack.

8) Observe your system performance and establish baselines for ordinary activity.
Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.

9) Use Tripwire or a similar tool to detect changes in configuration information or other files.

CONCLUSION:

The cycle of attacking and defending is like a game. When someone finds a way to attack a system, someone else tries to defend against this attack. The attacker then tries harder to defeat the protection. It becomes a cycle that never seems to end. DDoS attacks present a serious problem in the internet, and it is very crucial to detect a DDoS attack at its early launching stage, before widespread damage is done to legitimate applications on the victim's system; once the DDoS attack is detected, we know the exact router or network domain where the anomaly was observed. This paper will help in raising awareness and helping people to know in detail about DDoS attacks. In addition, this classification and prevention can be used for analyzing and performing attack detection.
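The increasing-rate attacks of classification section 3 are designed to defeat detectors that adapt to the traffic they see, which is why prevention step 8 recommends a baseline of ordinary activity measured in advance. The following Python script, an added example rather than code from the paper, puts the two approaches side by side on constructed per-second packet counts: an adaptive EWMA detector catches a continuous-rate flood but never alerts on a slow +2 pkt/s ramp, while a frozen mean + k·std baseline catches both. The traffic series, alpha, factor and k are assumed values chosen for the demonstration.

```python
"""Rate-baseline detection of continuous-rate and increasing-rate floods.

Added example, not from the paper. Two detectors run over a per-second packet
count series: an adaptive EWMA detector (alerts when the current rate exceeds
factor * its own moving average) and a frozen-baseline detector (learns mean and
standard deviation from a quiet period, as in prevention step 8, and alerts
above mean + k*std). The series and the tuning values are constructed.
"""
import statistics


def ewma_detector(rates, alpha=0.2, factor=2.0):
    """Index of the first second whose rate exceeds factor * EWMA, or None.
    The EWMA is updated from every sample, so it follows a slow ramp upward."""
    ewma = rates[0]
    for i, r in enumerate(rates[1:], start=1):
        if r > factor * ewma:
            return i
        ewma = alpha * r + (1 - alpha) * ewma
    return None


def baseline_detector(rates, quiet_seconds=60, k=3.0):
    """Learn mean/std from the first quiet_seconds samples (the baseline), then
    return the index of the first later sample above mean + k*std, or None."""
    quiet = rates[:quiet_seconds]
    mean, std = statistics.fmean(quiet), statistics.pstdev(quiet)
    limit = mean + k * std
    for i in range(quiet_seconds, len(rates)):
        if rates[i] > limit:
            return i
    return None


def constructed_series():
    """Three per-second packet-count series sharing one 60 s quiet prefix:
    ordinary traffic oscillating around 100 pkt/s, a continuous-rate flood that
    jumps straight to 1000 pkt/s, and an increasing-rate flood ramping +2 pkt/s."""
    quiet = [100 + (i % 5) - 2 for i in range(60)]  # 98..102, mean 100
    normal = quiet + quiet
    continuous = quiet + [1000] * 120
    increasing = quiet + [100 + 2 * t for t in range(1, 201)]
    return normal, continuous, increasing


def compare_detectors():
    """Run both detectors on each constructed series.
    Returns {series name: (ewma alert index, baseline alert index)}."""
    normal, continuous, increasing = constructed_series()
    out = {}
    for name, series in (("normal", normal), ("continuous", continuous),
                         ("increasing", increasing)):
        out[name] = (ewma_detector(series), baseline_detector(series))
    return out


if __name__ == "__main__":
    for name, (e, b) in compare_detectors().items():
        print(f"{name:11s} ewma alert at {e}, baseline alert at {b}")
```

With a ramp of 2 pkt/s and alpha 0.2 the EWMA lags the signal by only about 8 pkt/s, so the ratio of current rate to average never approaches the factor of 2; the frozen baseline, learned before the attack starts, alerts as soon as the rate leaves the ordinary band.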
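For prevention step 9, here is an added Python example (not the paper's code and not Tripwire itself) of the baseline-and-compare idea such tools implement: it digests every file under a directory tree, stores the digests as a JSON baseline, and reports files that were added, removed or modified since the baseline was taken. The directory contents in demo() are constructed for the demonstration.

```python
"""Tripwire-style file integrity baseline (prevention step 9).

Added example, not the paper's code and not Tripwire: records a SHA-256 digest of
every regular file under a directory, saves the map as a JSON baseline, and later
compares a fresh snapshot against it, reporting added, removed and modified
files. demo() builds a throw-away directory with constructed contents.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # track real files only; a link target can change underneath
            result[os.path.relpath(full, root)] = file_digest(full)
    return result


def compare(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]}, each sorted."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline three config files, then modify one,
    delete one and add one; returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, body in (("hosts", b"127.0.0.1 localhost\n"),
                           ("resolv.conf", b"nameserver 192.0.2.53\n"),
                           ("sshd_config", b"PermitRootLogin no\n")):
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
        baseline_file = os.path.join(root, "baseline.json")  # outside the tree
        save_baseline(snapshot(etc), baseline_file)

        with open(os.path.join(etc, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")        # modified
        os.remove(os.path.join(etc, "resolv.conf"))   # removed
        with open(os.path.join(etc, "rc.local"), "wb") as f:
            f.write(b"# constructed new file\n")     # added
        return compare(load_baseline(baseline_file), snapshot(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be stored where an intruder on the monitored host cannot rewrite it (read-only media or a separate host): a baseline the attacker can regenerate after making changes detects nothing.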