The proliferation of e-business applications and mission-critical military communications has raised serious concerns about network security on the Internet. The advent of the lethal Denial of Service (DoS) attack and its advanced variant, the Distributed DoS (DDoS) attack, has made these attacks troublesome intruders on our usage of, and dependence on, the Internet. The detrimental impact of DoS/DDoS attacks has been demonstrated again and again, even on such high-profile sites as Yahoo, CNN, eBay and Amazon.
In a DDoS attack, an attacker sends a large volume of malicious traffic to a victim. For example, a DDoS attacker may infiltrate one or a plurality of computers at various data centers via a computer system connected to the Internet. Often the attacker will access the Internet through an Internet Service Provider (ISP). The attacker can then place the plurality of computers at the data centers under its control by use of a malicious software program. When the attacker issues a command, these computers can simultaneously send out large volumes of data to the victim at various times, preventing the victim from responding to legitimate Internet traffic and messages.
Currently, DDoS attacks are probably the most ferocious threats to the Internet community. DDoS attacks exploit and consume the limited available resources of a system by sending superficially normal but actually useless packets to degrade or corrupt the victim system, thus severely hampering the victim system in serving its normal clients. Typical resources that get drained in DoS/DDoS attacks are network bandwidth, CPU cycles of the target host, and specific TCP/IP protocol stack structures such as the fragmentation buffer and the TCP SYN buffer. In addition, readily accessible attack scripts prevalent on the Internet significantly lower the technical hurdle to launching DDoS attacks. The lack of accounting on the Internet further lures crackers to take their chances attacking others without worrying about any subsequent penalties.
It is well known that a DDoS attack is rather easy to launch but difficult to defend against. The underlying reasons include: (1) IP spoofing (i.e., attack packets routinely carry forged source IP addresses, which effectively conceal the identity of attack sources and deter the efforts of detection, defense, and tracing); (2) the distributed nature of the DDoS attack (i.e., a huge number of sources generate attack traffic simultaneously, imposing an overwhelming burden on any countermeasure and raising scalability issues in handling increasingly powerful attacks); (3) the absence of any simple mechanism for the victim to distinguish normal packets from the lethal attack traffic.
As a result of the above, improving the sustainability of networks and hosts (especially servers) by defending against DDoS attacks is an important goal in this technology area. A critical issue in DDoS defense is how to isolate the attack traffic from the normal traffic. This issue is referred to as “traffic differentiation” and is of great importance because the goal of a DDoS attack is to severely degrade the performance of target hosts and networks or even completely deprive the victim of the capability of serving its normal clients. With the knowledge of which traffic is “attack” and which is “normal” in hand, the victim is ready to defeat a DDoS attack by reacting differently according to the type of traffic (i.e., attack or normal).
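As an added illustration of traffic differentiation for the TCP SYN buffer case (example code written for this discussion, not part of the patent), the following script walks a constructed packet log and separates sources that completed the three-way handshake from those that only ever sent a SYN. Because a forged source address never receives the victim's SYN-ACK, handshake completion is a reliable sign of a normal client, whereas the "suspect" list is, under IP spoofing, only a count of half-open slots and not a list of real hosts; the log format, thresholds and addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the patent): one TCP packet per line,
# "<seconds> <src_ip> -> <dst_ip>:<port> <flag>". Two clients complete the
# handshake; four distinct (spoofed-looking) sources send a lone SYN each.
SAMPLE_LOG = """\
0.01 198.51.100.7 -> 203.0.113.5:80 SYN
0.02 198.51.100.7 -> 203.0.113.5:80 ACK
0.03 198.51.100.9 -> 203.0.113.5:80 SYN
0.04 198.51.100.9 -> 203.0.113.5:80 ACK
0.05 192.0.2.11 -> 203.0.113.5:80 SYN
0.06 192.0.2.12 -> 203.0.113.5:80 SYN
0.07 192.0.2.13 -> 203.0.113.5:80 SYN
0.08 192.0.2.14 -> 203.0.113.5:80 SYN
"""

LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+) (SYN|ACK)$")


def handshake_state(log_text):
    """Per (victim, port): sources that sent a SYN, and the subset that later ACKed."""
    syn_seen, completed = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        src, dst, port, flag = m.groups()
        key = (dst, int(port))
        if flag == "SYN":
            syn_seen[key].add(src)
        elif src in syn_seen[key]:
            # The ACK answers the victim's SYN-ACK, which a forged source
            # address never receives, so a completed handshake marks a real client.
            completed[key].add(src)
    return {k: (syn_seen[k], completed[k]) for k in syn_seen}


def differentiate(log_text, min_half_open=4, max_half_open_ratio=0.5):
    """Flag a victim whose half-open fraction is too high; split its sources by handshake."""
    report = {}
    for key, (syns, done) in handshake_state(log_text).items():
        half_open = syns - done
        ratio = len(half_open) / len(syns)
        report[key] = {
            "under_attack": len(half_open) >= min_half_open and ratio > max_half_open_ratio,
            "normal": sorted(done),
            "suspect": sorted(half_open),
        }
    return report
```

In a real deployment the counts would be kept per time window and the "under_attack" decision would drive a reaction such as SYN cookies rather than per-source blocking, since the suspect addresses may be forged.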
In addition, given the diverse DDoS attack patterns, another issue of importance is how to contain as many DDoS attack patterns as possible. Exemplary DDoS attack patterns are given in: C. Douligeris and A. Mitrokotsa, “DDoS attacks and defense mechanisms: classification and state-of-the-art,” Computer Networks, vol. 44, pp. 643-666, 2004; and J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS defense mechanisms,” ACM SIGCOMM Computer Communications Review, vol. 34, no. 2, pp. 39-53, April 2004.
From the perspective of protocol exploits, DDoS attacks may be based on TCP, UDP, ICMP, or other protocols. Some attacks use a combination of different protocols, as shown in Table 1 below. From the point of view of the attack rate, most attacks are high-speed flood-based, while a novel and more sophisticated variant is the low-rate DDoS attack, as described in: R. Chang, “Defending against flooding-based, Distributed Denial of Service attacks: a tutorial,” IEEE Communications Magazine, vol. 40, no. 10, pp. 42-51, 2002; and A. Kuzmanovic and E. Knightly, “Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs. the Mice and Elephants),” ACM SIGCOMM 2003, August 2003, pp. 75-86.
TABLE 1
Diverse DDoS attack tools

Protocols Used                      DoS/DDoS Attack Tools/Names
TCP only                            SYN flood, RST flood, mstream
UDP only                            trinoo, shaft
ICMP only                           Ping of death, flood pinging, Smurf
Combinations of TCP, UDP, and ICMP  TFN, TFN2k, MIX, Stacheldraht, trinity, v3
Unfortunately, in contrast to attack schemes, defense schemes have not kept pace with the evolution of DDoS attacks. Most background art DDoS defense schemes aim to address one or two types of DDoS attacks and are inefficient and ineffective against the wide spectrum of possible DDoS attack patterns.