Distributed Denial of Service (DoS) attacks are designed to prevent an attacker from interrupting the connection between a user and the resource they are using.
The number of DoS attacks increased massively in the early 2000s due to the availability of DoS tools by regular users. The main goal of the attack was to increase the use of computing power (such as increasing the load on the processor or RAM) or bandwidth. The final result of this attack was the interruption of access to services. Currently, DoS attacks are implemented by various distributed networks. This type of attack is distinguished as a distributed DoS attack (DDoS attack). The meaning of this attack is still the same-disabling user access to the resources used. Since there are more packets coming to the servers, the result is that the services are not available to users.
Protection against DoS / DDoS attacks itself is divided into three stages: prevention, detection, and response. The very fact of detection is one of the important steps in protecting against suspected DoS / DDoS attacks. But there is one caveat – since the number of DoS / DDoS attacks is currently huge, it becomes very problematic to detect this attack. Therefore, a high-quality method for detecting DoS / DDoS attacks should implement such factors as a short operating time and a low percentage of false positives.
Since DoS attacks are one of the most important and important problems in ensuring security on the Internet and mobile networks (including base stations), in order to improve security, it is necessary to implement active implementation of tools for their detection and prevention. Prevention and detection of DDoS attacks in this case can be attributed to the broad intrusion detection system (IDS). An IDS detection system is either software or hardware that is used to detect unauthorized traffic or actions that contradict the permitted policy of a given network. The IDS themselves are divided and classified by implementation of the audit source location as either host-based or network-based, as well as a combination of both.
In the first case, monitoring of audit data (such as application and operating system registration files) and the IDS itself is located on each host.
In the second case, network traffic is analyzed and monitored, and IDS is located separately from the hosts that it directly protects.
Overview of intrusion detection systems
Network IDS can be classified by detection methods: signature-based Method or-this method, also known as rule - based on misuse, allows you to detect an attack by comparing known attack signatures or patterns with the monitored traffic. A match indicates a potential attack. This method has a short operating time, allows you to detect most known attacks, and usually has a low frequency of false positives, i.e. it does not create an alarm for legal traffic.
Anomaly-based detection method-anomaly-based IDS, also known as behavior-based, work by comparing the behavior of network traffic with previous" normal " traffic behavior. Any deviation is considered a sign of an attack. The system acquires a normal traffic profile usually through training and tracks the traffic for any differences with the normal profile. Trained traffic is used to determine the threshold value for future detection. Detected anomalies help detect unknown attacks; however, using this method results in more frequent false positives than signature-based systems. In practice, the system can combine both signature-based and anomalous methods.
Methods for detecting DDoS attacks
One of the key parameters in the DDoS detection methodology is the threat detection time. Since the important point is that the detection mechanism can detect a DoS attack before the service starts to stop working. However, it is not always possible to distinguish DDoS traffic packets from user packets. This makes it very difficult to detect and increases the chances of attackers implementing a false alarm, which is a critical problem in detecting a DoS attack.
The classification of DDoS attack detection systems is similar to the classification of intrusion detection systems and there are two main systems.
Systems detect attacks based on used signatures - signature-based identification is usually used to identify known types of attacks. To detect an attack, you do not need any description of typical actions during it, but to detect these types of attacks, you need a database with known attack signatures. Detecting a virus or worm does not require a detailed description of its actions: how the worm finds a target, how it spreads itself, or what parts of memory it uses. When detected based on signatures, the payload is examined and processed regardless of whether it contains a worm. One huge test of a signature-based intrusion detection system is that each signature requires a section in the database, so the entire database can contain hundreds or even thousands of signatures. Each package must be mapped to an identical one in the database. This process can be very resource-intensive, it can use all the bandwidth and make this type of detection vulnerable to DoS attacks.
Anomaly-based attack detection-intrusion detection methods based on inconsistency recognize unusual activity and generate anomaly warnings in system or application actions. Common specific actions that might be intercepted include:
1) abuse of system agreements, such as hiding the IP address range and executing a standard agreement on a hidden port;
2) unique traffic patterns, such as more UDP packets compared to TCP;
3) suspicious examples in the application payload.
The greatest difficulties in using anomaly-based detection methods are determining the typical behavior of the system, selecting a limit for triggering an alert, and preventing false alerts. Users of the system are usually human, and their behavior is difficult to predict. If the normal model is not described in detail, many false positives will occur, and the detection system will experience the negative consequences of incorrect execution. Due to the development of machine learning tools, many researchers today prefer to use machine learning algorithms and artificial neural networks to detect various threats.
Classification of DDoS attacks prevention according to their deployment location
If a DDoS attack is detected, you cannot do anything other than manually fix the problem and disconnect the victim system from the network. DDoS attacks block many resources, such as limiting processor power and network bandwidth, memory, processing time, and so on.the Main goal of any DDoS protection mechanism is to detect DDoS attacks as soon as possible and stop Them as close to their sources as possible. DDoS protection schemes are divided into four classes depending on the deployment location: source, victim, intermediate routers, and distributed or hybrid security mechanism.
Protection mechanisms installed on the attack source side - in this type of DDoS protection mechanisms, tools are deployed on the attack source side to prevent users from creating DDoS attacks on the network. With this approach, source devices identify malicious packets in outgoing traffic and filter or restrict traffic. Detecting and preventing a DDoS attack on a source is the best possible protection, since legal traffic is subject to minimal damage.
Protection mechanisms installed on the attack victim's side - in this type of DDoS protection mechanism, the victim detects, filters, or limits the speed of malicious incoming traffic on the victim's network routers, i.e., networks that provide web services. Legitimate and attacking traffic can be clearly identified using either intrusion detection based on misuse or intrusion detection based on anomalies. However, attack traffic reaching the victim may fail or degrade the quality of services and dramatically reduce the bandwidth.
Security mechanisms installed on intermediate routers - any router in the network can independently attempt to detect malicious traffic and filter or limit the speed of traffic. It can also adjust the balance between detection accuracy and attack bandwidth consumption. Detection and tracking of attack sources is made easy by the collaboration of multiple network routers. At this point of protection, all traffic is combined, i.e. both attackers and legitimate packets arrive at the router, and this is the best place to limit the speed of all traffic.
Distributed or hybrid protection mechanisms - this type of protection can be the best strategy against DDoS attacks. Hybrid defense mechanisms are deployed (or their components are distributed) in multiple locations, such as the source of the attack, victims, or intermediate networks, and interaction usually occurs between deployment points. Router mechanisms are best suited for limiting the speed of all types of traffic, whereas victim-side mechanisms can accurately detect attack traffic in a combination of legitimate and attacking packets. Therefore, using this DDoS protection strategy may be more profitable.
Detection is one of the key steps in protecting against DoS / DDoS attacks, but because of the large number of different types of attacks, detecting such attacks becomes problematic. In practice, it is very difficult to develop and implement DDoS protection mechanisms. In real-time networks, it is not possible to meet all the requirements for DDoS detection, because the various performance parameters must be accurately and appropriately balanced. This article provides a brief description of various mechanisms for detecting and mitigating the consequences of DDoS attacks, and discusses the methods used in these mechanisms. A broad classification of security architectures is presented, reviewed, and their advantages and disadvantages are indicated based on where and when attacks are detected and responded to.
- Ahamad T., Aljumah A. Detection and defense mechanism against DDoS in MANET. Indian J. Sci. Technol., 2015, vol. 8, no. 33. DOI: 10.17485/ijst/2015/v8i33/80152 URL: http://www.indjst.org/index.php/indjst/article/view/80152
- Arora K., Kumar K., Sachdeva M. Impact Analysis of Recent DDoS Attacks. IJCSE, 2011, vol. 3, no. 2, pp. 877–883.
- Douligeris C., Mitrokotsa A. DDoS attacks and defense mechanisms: a classification. Proc. 3rd IEEE Int. Symp. on Signal Processing and Information Technology, 2003. DOI: 10.1109/ISSPIT.2003.1341092 URL: https://ieeexplore.ieee.org/document/1341092
- Hachem N., Ben Mustapha Y., Granadillo G.G., et al. Botnets: lifecycle and taxonomy. Conf. on Network and Information Systems Security, 2011. DOI: 10.1109/SAR-SSI.2011.5931395 URL: https://ieeexplore.ieee.org/document/5931395
- Mahajan D., Sachdeva M. DDoS attack prevention and mitigation techniques - a review. Int. J. Comput. Appl., 2013, vol. 67, no. 19, pp. 21–24. DOI: 10.5120/11504-7221 URL: https://research.ijcaonline.org/volume67/number19/pxc3887221.pdf
- Munivara Prasad K., Rama Mohan Reddy A., Venugopal Rao K. DoS and DDoS attacks: defense, detection and traceback mechanisms–a survey. GJCST, 2014, no. 7-E. URL: https://globaljournals.org/GJCST_Volume14/3-DoS-and-DDoS-Attacks-Defense- Detection.pdf
- Parwani D., Dutta A., Kumar Shukla P., et al. Various techniques of DDoS attacks detec-tion and prevention at cloud: a survey. Orient. J. Comp. Sci. and Technol., 2015, vol. 8, no. 2. URL: http://www.computerscijournal.org/?p=1983
- Shaikh F., Bou-Harb E., Crichigno J., et al. A machine learning model for classifying un-solicited IoT devices by observing network telescopes. IEEE IWCMC, 2018. DOI: 10.1109/IWCMC.2018.8450404 URL: https://ieeexplore.ieee.org/document/8450404
- Tripathi S., Gupta B., Almomani A., et al. Hadoop based defense solution to handle distributed denial of service DDoS attacks. J. Inf. Secur., 2013, vol. 4, no. 3, pp. 150–164. DOI: 10.4236/jis.2013.43018 URL: http://www.scirp.org/journal/paperinformation. aspx?paperid=34629
- Uddin M., Alsaqour R., Abdelhaq M. Intrusion detection system to detect DDoS attack in gnutella hybrid P2P network. Indian J. Sci. Technol., 2013, vol. 6, no. 2, pp. 71–83.