
Research Paper By: Hasantha Alahakoon | 1: Introduction 1

Distributed Denial of Service (DDOS) Defence Solutions

1: Introduction

Despite being a relatively old concept, the Distributed Denial of Service attack, which had been an overlooked concept until then, gained its mass popularity only in the year 2002 with the successful simultaneous attacks on the web services of Yahoo, CNN, Amazon and eBay. It is reported that, regardless of the high security measures of those web servers, DDOS attacks brought down the web services for several hours, causing financial losses of around 1.2 billion American dollars. On the other hand, according to the 2004 CSI/FBI ‘Computer Crime and Security Survey’, the Distributed Denial of Service attack is listed as one of the most financially expensive security incidents of the new decade (Gordon et al. 2004). So it is apparent that Distributed Denial of Service attacks pose a very probable and real threat to the information infrastructure of contemporary society, and suitable measures to detect and prevent them are of the utmost importance.

Therefore, in this qualitative research, the author discusses various mechanisms for the early detection of DDOS attacks, ways and means of preventing Distributed Denial of Service attacks, and the issues and limitations of each of those prevention mechanisms. Due to the sheer volume of the literature in the field of DDOS attacks, covering all of it in a brief paper like this is by no means possible; therefore only the main concepts of DDOS defence will be covered in depth, while the others will be discussed only at a very abstract level.

This paper is organised as follows. In section 1.1, the paper briefly reviews the concept of the DOS attack and the concept of the DDOS attack. In section 2, the Literature Review, the paper discusses the existing implementations in the field of DDOS defence at a very abstract level. In section 3.1, the paper critically discusses the advantages and disadvantages of the different DDOS approaches. The paper then tries to identify the ‘Best DDOS Solution’ and examines how IPv6 stands against the current DDOS attacks. Finally, the paper draws conclusions and indicates grounds for future work.

Before focusing on methods of detecting and preventing Distributed Denial of Service attacks, it is vital to become familiar with the underlying concepts and basic mechanisms of DOS and DDOS attacks.

1.1: Denial of Service attacks (DOS) and Distributed Denial of Service attacks (DDOS)

According to Colarik and Janczewski in ‘Managerial Guide for Handling Cyber-Terrorism’, a DOS attack is an attempt ‘to force a target system to become overloaded with activities that reduces its capability to process legitimate tasks’ (Janczewski & Colarik 2005, p.86).

A DOS attack can take one of two forms: a Vulnerability attack or a Flooding attack. In a Vulnerability attack, the attacker exploits a vulnerability in a software package or a protocol by sending malformed packets that cause memory overflows, excessive CPU cycles or system reboots, thereby making the victim unreachable to legitimate users. These kinds of attacks can be easily remedied by the software vendor once the exploit is identified (Carl et al. 2006, p. 83).

On the other hand, a Flooding attack, the subject of this paper, keeps sending the victim computer a continuous stream of workload, occupying all of the victim’s resources to the point that it can no longer handle legitimate user requests. In a Flooding attack, the attacker could use one of, or a combination of, SYN flood, UDP flood and Smurf attacks (Lau et al. 2000, p. 2276). Though these kinds of attacks were very popular in the past, modern web servers can easily handle a DOS attack from a single computer. Therefore attackers have come up with a more powerful attacking mechanism: the Distributed Denial of Service attack (DDOS).

In a DDOS attack, the attacker infects several hundred computers in cyberspace and uses those computers to collectively attack the victim computer system. Because of the distributed nature of the attack, the attack is more powerful than many web servers can handle. In a DDOS attack, the attacker could use techniques such as Trinoo, Tribe Flood, Stacheldraht, Shaft and TFN2k along with the other techniques described earlier under simple DOS attacks (Lau et al. 2000, p. 2276).

With this understanding of DOS and DDOS attacks, the author discusses the current approaches to DDOS detection and prevention in the following section.

2: Literature Review

There are three main DDOS detection and prevention approaches practised today. These are approaches based on DDOS detection at the:

1. Victim of the attack
2. Source of the attack
3. Intermediate network (Network level)

Therefore the available literature on DDOS attack detection and prevention methods can be categorised into three main sections: literature on DDOS detection at the victim, literature on DDOS detection at the source, and literature on DDOS detection at the network level. Because of the sheer amount of literature involved in each of the above-mentioned DDOS detection approaches, only the most prominent and well-recognised implementations of each approach will be discussed in this section of the paper. The author believes that it is more important to have a proper understanding of the prominent implementations of DDOS defence than to skim through all the available DDOS defence implementations. Therefore, for each of the following implementations, a brief description will be presented, followed by a critical discussion of advantages and disadvantages.

2.1: A Source-end Solution: D-WARD

‘Attacking DDOS at the Source’ describes a router-based implementation, D-WARD, which is capable of successfully identifying and preventing DDOS attacks when deployed at the source end of the attack. D-WARD should be installed at the source router of the attack, which connects the attacker to the internet, or in a separate unit connected to the source router that is capable of accessing the router’s traffic statistics. D-WARD consists of two main modules: the Observation module and the Throttling module (Mirkovic et al. 2002).

Once deployed, the Observation module of D-WARD monitors both the incoming and outgoing traffic flows of each of its client computers. Those traffic flows are periodically compared against predefined ‘normal’ traffic models. If any anomaly is detected by the Observation module, the Throttling module is invoked. The Throttling module dynamically controls the outgoing traffic limit for each client based on the feedback from the Observation module. If the Observation module reports an attempted attack, the Throttling module imposes an outgoing rate limit on that particular client. If subsequent observations confirm the attack, the outgoing rate is further reduced, thus effectively preventing a DDOS attack at its origin (Mirkovic et al. 2002).
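The observation and throttling loop described above, rendered as an added Python model (this is not D-WARD’s own code): the ‘normal’ model is assumed to be a bound on the ratio of packets a client sends to packets it receives back in one interval, the first anomalous report imposes an outgoing rate limit, each confirming report halves it, and compliant intervals relax the limit until it is lifted. The threshold, the limit schedule and the sample observations are constructed assumptions.

```python
"""Simplified model of D-WARD-style source-end observation and throttling.

Added illustration, not D-WARD's own code. The 'normal' model (outgoing-to-
incoming packet ratio per client against a fixed threshold), the rate-limit
schedule and the sample flows are all assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RATIO_LIMIT = 3.0            # assumed model: >3 packets out per packet back looks like a one-way flood
INITIAL_LIMIT_PPS = 1000.0   # assumed first rate limit imposed on a suspicious client
MIN_LIMIT_PPS = 10.0         # assumed floor for repeated reductions


@dataclass
class ClientState:
    """Per-client state shared by the observation and throttling modules."""
    suspicious_rounds: int = 0
    rate_limit_pps: Optional[float] = None   # None: no limit currently imposed


def observe(sent: int, received: int) -> bool:
    """Observation module: compare one interval's flow against the normal model.
    Returns True when the client's outgoing flow looks anomalous."""
    if sent == 0:
        return False
    # A client that sends plenty and receives nothing back is the clearest anomaly.
    ratio = sent / received if received else float("inf")
    return ratio > RATIO_LIMIT


def throttle(state: ClientState, anomalous: bool) -> Optional[float]:
    """Throttling module: adjust the client's outgoing limit from the observation
    feedback. The first report imposes a limit, each confirming report halves it,
    and compliant intervals double it until it reaches the initial value and is lifted."""
    if anomalous:
        state.suspicious_rounds += 1
        if state.rate_limit_pps is None:
            state.rate_limit_pps = INITIAL_LIMIT_PPS
        else:
            state.rate_limit_pps = max(MIN_LIMIT_PPS, state.rate_limit_pps / 2)
    elif state.rate_limit_pps is not None:
        state.rate_limit_pps *= 2
        if state.rate_limit_pps >= INITIAL_LIMIT_PPS:
            state.rate_limit_pps = None
            state.suspicious_rounds = 0
    return state.rate_limit_pps


def run_scenario(intervals: List[Tuple[str, int, int]]) -> List[Tuple[str, Optional[float]]]:
    """Feed (client, packets_sent, packets_received) observations through the
    defence and return the limit in force for that client after each interval."""
    clients: Dict[str, ClientState] = {}
    history: List[Tuple[str, Optional[float]]] = []
    for client, sent, received in intervals:
        state = clients.setdefault(client, ClientState())
        history.append((client, throttle(state, observe(sent, received))))
    return history


# Constructed observations: host-a behaves normally throughout; host-b ramps up
# a one-way flood over three intervals, then stops.
SAMPLE_INTERVALS = [
    ("host-a", 120, 100), ("host-b", 200, 150),
    ("host-a", 130, 110), ("host-b", 5000, 20),
    ("host-a", 125, 105), ("host-b", 9000, 5),
    ("host-a", 118, 101), ("host-b", 12000, 0),
    ("host-b", 50, 40),
]

if __name__ == "__main__":
    for client, limit in run_scenario(SAMPLE_INTERVALS):
        label = "none" if limit is None else f"{limit:.0f} pps"
        print(f"{client}: outgoing limit = {label}")
```

Running the scenario shows the schedule the page describes: host-b is unlimited while its ratio is normal, receives a 1000 pps limit on the first anomalous interval, is cut to 500 and then 250 pps as later intervals confirm the flood, and is relaxed to 500 pps once its traffic looks normal again, while host-a is never limited. The spoofing weakness noted for D-WARD is visible in this model too: the decision is keyed purely on the observed client address, so the model trusts whatever source address the traffic carries.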

According to Mirkovic et al., D-WARD has been tested with various DDOS attack types (Constant rate attack, Pulsing attack, Increasing rate attack and Gradual pulse attack), and in all of the attack scenarios D-WARD successfully detected the attacks. Further, the tests reported that D-WARD allowed less than 1% of the attacking packets to leave the source network. The tests also reported that the false positive rate of D-WARD is less than 0.5%, which implies that installing D-WARD on a network will not noticeably affect the legitimate traffic of the network (Mirkovic et al. 2002).

But D-WARD is not without its downsides. Firstly, a skilful attacker can exploit the functionality of D-WARD and use D-WARD itself to DDOS the network on which it is installed. If the attacker can spoof the IP addresses of legitimate users of the network and mimic DDOS traffic patterns from those IP addresses, D-WARD would impose rate limits on all of those clients, thus making the current network DDOSed (Mirkovic et al. 2002). On the other hand, in order to unleash the maximum potential of D-WARD, it is necessary that all of the routers connected to the internet install D-WARD. In addition, D-WARD takes a long time to detect Increasing rate attacks. Finally, D-WARD will only work when there is a single gateway router for a given network, which is not the case in most real-world networks.

2.2: A Victim-end Solution: Strategic Firewall Placement

Chatam, in his paper ‘Using strategic firewall placement to mitigate the effect of distributed denial of service attacks’, proposes a victim-side solution for preventing DDOS attacks. According to Chatam, stopping DDOS at its source is not feasible because it requires changing software in millions of independent routers connected to the internet; so he proposes a victim-side solution (Chatam 2003).

One of the greatest disadvantages of victim-side DDOS solutions is that, regardless of the strength of the victim’s security policies, the communication link between the ISP and the organisation becomes clogged by the DDOS requests (because of the limited bandwidth provided to organisations by an ISP), thus making the victim DDOSed even before the victim-side DDOS solutions are activated (Chatam 2003).

Chatam overcomes this issue by introducing the concept of strategic firewall placement. With traditional firewall placement, under a DDOS situation, the traffic cannot be transmitted through the low-bandwidth channel between the ISP and the organisation. So the traffic builds up at the ISP and the packets are dropped before they reach the local firewall for packet filtering. But in ‘Strategic Firewall placement’, the company’s firewall is moved to a location close to the ISP, and since the firewall is close to the ISP, it is now possible to connect the firewall to the ISP’s router through a high-speed link. The purpose of relocating the firewall is to filter out unnecessary packets using the firewall’s filtering policies before they enter the bottleneck link, thus making it harder for attackers to DDOS a certain network (Chatam 2003).
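To make the ordering argument concrete, the following added Python model (not code from Chatam’s paper) runs one constructed traffic mix through both placements: a FIFO bottleneck that forwards at most `capacity` packets per interval and tail-drops the rest, and a firewall policy that admits only packets to ports 80 and 443. The policy, the bottleneck model and the traffic mix are assumptions; what the model shows is how many legitimate packets survive when filtering happens behind the narrow link versus ahead of it.

```python
"""Packet-level model of traditional versus strategic firewall placement.

Added illustration, not code from Chatam's paper. The firewall policy (admit
only web ports), the bottleneck model (FIFO, at most `capacity` packets per
interval, tail-drop of the rest) and the traffic mix are constructed assumptions.
"""
from collections import namedtuple
from itertools import zip_longest
from typing import Callable, List

Packet = namedtuple("Packet", "src dst_port legit")

ALLOWED_PORTS = {80, 443}   # assumed victim policy: only web traffic is wanted


def firewall(packets: List[Packet]) -> List[Packet]:
    """The organisation's filtering policy: keep only packets to allowed ports."""
    return [p for p in packets if p.dst_port in ALLOWED_PORTS]


def bottleneck(packets: List[Packet], capacity: int) -> List[Packet]:
    """The ISP-to-organisation link: forwards the first `capacity` packets of the
    interval and tail-drops everything queued behind them."""
    return packets[:capacity]


def traditional_placement(packets: List[Packet], capacity: int) -> List[Packet]:
    """Firewall inside the organisation, i.e. behind the narrow link."""
    return firewall(bottleneck(packets, capacity))


def strategic_placement(packets: List[Packet], capacity: int) -> List[Packet]:
    """Firewall relocated next to the ISP router, i.e. ahead of the narrow link."""
    return bottleneck(firewall(packets), capacity)


def interleave(a: List[Packet], b: List[Packet]) -> List[Packet]:
    """Merge two streams in alternating arrival order to model concurrent traffic."""
    merged: List[Packet] = []
    for x, y in zip_longest(a, b):
        if x is not None:
            merged.append(x)
        if y is not None:
            merged.append(y)
    return merged


def build_sample_traffic(n_legit: int = 100, n_attack: int = 900) -> List[Packet]:
    """Constructed interval: 100 legitimate web requests mixed with a 900-packet
    UDP flood to an arbitrary high port (53413); sources use documentation ranges."""
    legit = [Packet(f"203.0.113.{i % 200}", 443 if i % 2 else 80, True) for i in range(n_legit)]
    attack = [Packet(f"198.51.100.{i % 250}", 53413, False) for i in range(n_attack)]
    return interleave(legit, attack)


def legit_delivered(placement: Callable[[List[Packet], int], List[Packet]],
                    packets: List[Packet], capacity: int) -> int:
    """Number of legitimate packets that reach the servers under a given placement."""
    return sum(1 for p in placement(packets, capacity) if p.legit)


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for name, placement in (("traditional", traditional_placement), ("strategic", strategic_placement)):
        delivered = legit_delivered(placement, traffic, 150)
        print(f"{name}: {delivered} of 100 legitimate packets delivered")
```

With a link that carries 150 packets per interval and 1000 arriving, the traditional placement delivers 75 legitimate packets (the bottleneck drops legitimate and attack packets alike before the firewall ever sees them) while the strategic placement delivers all 100, because the flood is discarded on the high-speed side of the link. The model also makes the limit of the approach visible: once the firewall policy cannot distinguish attack packets (for example a flood aimed at port 80 itself), filtering ahead of the link no longer helps.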

‘Strategic Firewall placement’ has several benefits over D-WARD. ‘Strategic Firewall placement’ will prevent the company from being a victim of reflected denial of service attacks, which is a huge benefit when compared to D-WARD. Furthermore, ‘Strategic Firewall placement’ addresses the issue of IP spoofing, which had an adverse effect on the performance of D-WARD.

2.3: A Network Level Solution: Path Identifier

As already pointed out under D-WARD, IP spoofing is one of, if not the, greatest complications for the current DDOS attack defence mechanisms. IP spoofing not only makes it difficult to determine the origin of an attacking packet, but has also enabled a new breed of DDOS attacks: reflected DDOS attacks. Yaar et al. propose a remedy for IP address spoofing, a network level DDOS solution known as Pi.

In Path Identifier (Pi), every packet is marked with a unique identifier which helps the victim to identify the path that the packet has travelled. If the victim identifies a packet as an attacking packet, it can drop all the packets traversing the same path by filtering on that particular identifier, thus disabling the attacker’s ability to DDOS the victim’s information infrastructure (Yaar et al. 2003).

Pi consists of two main modules, the packet markers and the packet filter. The packet markers are the routers that are connected to the internet. Whenever a router forwards a data packet, it appends the last n bits of the MD5 hash of its IP address to the IP identification field of the packet. As all the routers that forward the packet append the hash of their IP address, it is possible for the victim to identify the full path the packet has travelled (Yaar et al. 2003).

The packet filter, on the other hand, can be installed on the victim’s firewall. The packet filter reads the path identifier (Pi marking) embedded in each packet and determines whether to accept or drop the packet. Since Pi is a per-packet deterministic approach, the packet filter can classify a single packet as an attacking packet, and the rest of the packets that carry the same path fingerprint will be automatically dropped (Yaar et al. 2003).
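The marking and filtering steps described in this and the preceding paragraph, as an added Python model (not the Pi authors’ implementation): each router shifts the 16-bit identification field left by n bits and appends the last n bits of the MD5 hash of its own address, and the victim-side filter drops every later packet carrying a marking it has already classified as attack traffic. The value n = 2, the router addresses and the two sample paths are assumptions; the `deploying` parameter models partial deployment, where routers that do not run Pi leave the field untouched.

```python
"""Model of Pi (path identifier) marking at routers and filtering at the victim.

Added illustration; not the Pi authors' implementation. The marking rule follows
the description on the page (last n bits of MD5(router IP) appended to the 16-bit
IP identification field). N_BITS, the router addresses and the sample paths are
assumptions made for this example.
"""
import hashlib
import ipaddress
from typing import Iterable, Optional, Set, Tuple

N_BITS = 2          # assumed marking width per router
ID_FIELD_BITS = 16  # width of the IPv4 identification field


def router_mark(router_ip: str) -> int:
    """Last N_BITS of MD5(router address); the address is hashed in its packed
    4-byte form (an assumption about how the router feeds its address to MD5)."""
    digest = hashlib.md5(ipaddress.ip_address(router_ip).packed).digest()
    return int.from_bytes(digest, "big") & ((1 << N_BITS) - 1)


def mark_packet(ip_id: int, router_ip: str) -> int:
    """One router's marking step: shift the identification field left by N_BITS,
    append this router's mark, and discard any bits pushed beyond 16 bits."""
    return ((ip_id << N_BITS) | router_mark(router_ip)) & ((1 << ID_FIELD_BITS) - 1)


def forward_along_path(path: Iterable[str], deploying: Optional[Set[str]] = None) -> int:
    """Send a packet with a zeroed identification field through the routers on
    `path`. When `deploying` is given, routers not in it do not mark (partial deployment)."""
    ip_id = 0
    for router in path:
        if deploying is None or router in deploying:
            ip_id = mark_packet(ip_id, router)
    return ip_id


class PiFilter:
    """Victim-side packet filter: once a packet with some marking has been judged
    to be attack traffic, every later packet carrying that marking is dropped."""

    def __init__(self) -> None:
        self.blocked: Set[int] = set()

    def report_attack(self, ip_id: int) -> None:
        self.blocked.add(ip_id)

    def accept(self, ip_id: int) -> bool:
        return ip_id not in self.blocked


# Constructed topology: an attack path and a legitimate path that share the
# last two hops before the victim (documentation-range addresses).
ATTACK_PATH = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
LEGIT_PATH = ["198.51.100.1", "198.51.100.2", "192.0.2.3", "192.0.2.4"]


def demo(deploying: Optional[Set[str]] = None) -> Tuple[int, int, bool]:
    """Mark a packet along each path, block the attack marking at the victim, and
    report (attack marking, legitimate marking, legitimate packet still accepted)."""
    victim = PiFilter()
    attack_id = forward_along_path(ATTACK_PATH, deploying)
    legit_id = forward_along_path(LEGIT_PATH, deploying)
    victim.report_attack(attack_id)
    return attack_id, legit_id, victim.accept(legit_id)


if __name__ == "__main__":
    print("full deployment:", demo())
    print("only the shared hops mark:", demo({"192.0.2.3", "192.0.2.4"}))
```

The partial-deployment call is the instructive one: when only the two shared hops mark packets, both paths produce exactly the same marking, so blocking the attack marking also drops the legitimate path. Under full deployment the two markings differ whenever the marks of the two non-shared hops differ; with only n bits per hop that is not guaranteed, which is the price of squeezing the whole path into the 16-bit identification field.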

Pi has several advantages when compared to other DDOS detection mechanisms such as D-WARD. First and foremost, it is immune to IP spoofing. Even when an attacker uses a spoofed IP address, he can still be easily traced back because the IP addresses of all the routers on the path are embedded inside the IP packet. In addition, attackers cannot use reflected DDOS attacks when Pi is practised, as the DNS servers would check the IP packet’s path fingerprint before replying to the victim, thus reducing the ability to attack a target using the reflected DDOS mechanism.

But, as with any other network-based solution, Pi requires most of the routers on the internet to accommodate it in order to function properly. If only a small number of routers deploy Pi, the path signature will be incomplete and some legitimate traffic will be misidentified by Pi. Moreover, when all the routers in the path add the hash of their IP address, the packet is going to be weighty and the communication overhead is going to be considerably high (Fletcher et al. 2005, p. 232).

In the above sections, some of the most prominent and widely accepted implementations of DDOS prevention and detection were discussed. Each of those implementations had both advantages and disadvantages, and there seems to be no clear winner in terms of the best DDOS defence mechanism. Since this section of the paper only discussed the advantages and disadvantages specific to each implementation, a higher-level discussion comparing the advantages and disadvantages of each of the DDOS approaches (victim based, source based, network based) is required. In the investigation section of this paper, section 3.1, a critical discussion comparing each of the DDOS prevention approaches will be carried out.

On the other hand, most of the current DDOS detection and prevention methods, including the ones described above, are designed for the IPv4 architecture. But with the rapid development of the internet, it is inevitable that IPv6 will take the place of IPv4. IPv6 provides more security features and promises to overcome many security holes, such as the issue of IP spoofing. Though there are such advantages in IPv6, some of the DDOS prevention methods might not function properly with the IPv6 architecture (Gil & Poletto 2001). So it is clear that IPv6 presents new challenges both for attackers and for DDOS defenders. Therefore a comprehensive discussion of how IPv6 would affect DDOS attacks and defence mechanisms is essential, and will be presented in section 3.3.

3: Research

By reviewing the available literature in the field of DDOS prevention and detection, several key areas have been identified that require further research.

As already mentioned at the beginning of the literature review section, there are three main approaches to DDOS defence: the victim’s end, the source’s end and the network level. For each of those approaches there are countless implementations, and some of the renowned ones are discussed in the literature review section. Since the discussion in the literature review section is more focused on the advantages and disadvantages specific to each implementation rather than on the approach as a whole, it is important to have a higher-level discussion of the advantages and disadvantages of the different DDOS defence approaches.

The discussion carried out in the literature review section pointed out both the advantages and the disadvantages of each of the DDOS defence implementations. From the discussion it was clear that all of the implementations had some strengths and weaknesses. Judging by the weaknesses and strengths of the different implementations, none of them could be pointed to as the ‘be all and end all’ solution for DDOS defence. This raises the question of the best DDOS defence approach, if, of course, there is any.

As already noted earlier, the IPv6 architecture is taking over the internet. IPv6 delivers some of the most promising security features, one such being the IPSec protocol. IPSec promises to address the issue of IP spoofing. So it is an interesting topic to see how the IPv6 architecture would affect the future of DDOS attacks.

3.1: Comparison between different DDOS Defence approaches

Different DDOS defence approaches try to detect or to stop DDOS attacks at different stages of the attack lifecycle.

3.1.1: Source-end DDOS Solutions

Source-end DDOS defence mechanisms try to detect DDOS at the initial stage of the attack and to stop it at its origin. Source-end DDOS defence mechanisms have several advantages when compared to the other two. Detecting an attack at its source helps to defuse the attack at the earliest stage of its life cycle, thus effectively reducing the damage that would otherwise be caused. As the defence mechanism is deployed at the source of the attack, it stops the attacking packets from entering the rest of the internet. This helps to reduce the congestion that would otherwise occur. Also, once the attacking packets enter the internet and get mixed with the rest of the packets, attack detection is considerably harder and filtering the packets would cause a high degree of collateral damage.

Since the defence mechanism is deployed very close to the origin of the attack, the volume of traffic that has to be examined is significantly smaller when compared to the victim and core routers. This enables the use of more sophisticated traffic profiling strategies and more complete per-packet processing. In addition, since traffic diversity is limited when compared to network and victim-end defence mechanisms, the statistics gathered by source-end defence mechanisms are more accurate. More accurate statistics gathering and extensive per-packet processing ensure high response selectiveness in source-end DDOS defence mechanisms (Mirkovic et al. 2002).

But source-end DDOS defence solutions are not without faults. Firstly and most importantly, source-end DDOS solutions do not provide any security against incoming DDOS attacks. So installing a source-end DDOS solution will not provide any direct benefit to the host network. On the other hand, in order for source-end DDOS solutions to be effective, it is necessary that all of the edge routers implement that solution. But it is not feasible to expect all the routers on the internet to implement source-end DDOS solutions, given that they do not provide any protection to the host network.

In addition, it is very hard to detect DDOS attacks at the source because the traffic is not very aggregated. It is nearly impossible to detect DDOS attacks by looking at the characteristics of single packets, because it is the aggregation of the packets that forms a DDOS attack, rather than any characteristic of the individual packets. Because of this, attackers can easily send huge amounts of normal-looking packets into the internet without being detected by source-end DDOS defence mechanisms (Gil & Poletto 2001).

3.1.2: Victim-end DDOS Solutions

Victim-end DDOS solutions, the most widely used approach, try to defuse a DDOS attack at the final stage of its life cycle, at the victim of the attack. There are a number of reasons for the wide popularity of victim-end DDOS solutions.

First and foremost, unlike when using a source-end or a network level DDOS solution, victim-end DDOS solutions provide direct benefits to the host. This can be a huge motivator for a network administrator to use victim-side DDOS solutions. It is the only DDOS solution that can stop an incoming DDOS attack. Moreover, it is the only stand-alone DDOS solution available. An individual cannot use source-end or network level DDOS solutions to protect a set of hosts from being attacked, because they require large-scale cooperation and drastic changes to the routing infrastructure to work effectively (Lee & Shieh 2005, p.574).

In addition, a Distributed Denial of Service attack originates from several sources scattered throughout the internet. As already pointed out, such attacks are hard to detect at the source of the attack. Only after the aggregation of packets from those various sources is a DDOS attack formed. So it is imperative to look at the collection of packets, rather than at individual packets, to successfully detect a DDOS attack. So, undoubtedly, the best place to deploy a DDOS defence solution is where the packets from the various sources aggregate: at the victim of the attack. Moreover, as victim-end DDOS solutions look at the aggregation of packets, their accuracy is higher when compared to source-end DDOS solutions, which look at less aggregated data to detect attacks.

Though the aggregation of packets makes victim-end solutions more accurate, it also acts as a double-edged sword for such solutions. Most of the time the high packet rates at the victim cause the network to be DDOSed even before the packets can be analysed. In addition, as there is a huge amount of traffic at the victim of the attack, complex detection strategies and comprehensive per-packet processing cannot be done. This reduces the response selectiveness of such DDOS solutions. Moreover, as victim-end DDOS solutions deal with the aggregation of packets, any packet filtering mechanism will cause a high degree of collateral damage (Mirkovic et al. 2002).

3.1.3: The intermediate network (Network level) DDOS Solutions

Network level DDOS solutions try to detect DDOS attacks that are propagating through the internet. In this approach, the attack packets are expected to be filtered cooperatively by the core routers of the internet. Network level DDOS solutions function either by tracing back the attack traffic or by filtering attack packets on the fly with the help of core routers and ISPs.

This is the distributed answer to Distributed Denial of Service attacks. Since the detection points are distributed throughout the internet, they can handle a high volume of packets. Resources can be allocated dynamically depending on the attack because of the distributed nature of the defence solution. And the detection is hidden, since it is not done in the path of the attack (Asosheh & Ramezani 2008).

In addition, network level DDOS solutions cannot be DDOSed by the attackers, unlike source-end and victim-end solutions. This is because the solution is spread throughout the internet and because the resources needed for defence can be allocated when and where necessary. Furthermore, network level DDOS defence mechanisms are immune to IP spoofing and have the ability to pinpoint the attackers (Asosheh & Ramezani 2008).

However, network level DDOS solutions require internet-wide cooperation for DDOS detection. If some of the routers on the internet do not implement the solution, there is a high possibility of legitimate traffic being identified as attack traffic. On the other hand, the complex cooperation required for network level DDOS solutions might not even be feasible due to the heterogeneous nature of the internet. In addition, these solutions require significant enhancements to the current routing infrastructure, which might not be supported by legacy routers. Some network level solutions require packet filtering to be done on the core routers in addition to the traditional packet filtering, which might add considerable latency to the packets (Lee & Shieh 2005, p.574).

In victim-end and source-end DDOS solutions, the attacking traffic always passes through a central point, so the attack signature can be easily identified by examining the traffic passing through that point. But in network level DDOS solutions, the attacking traffic is scattered throughout the internet, and therefore attack detection is not as accurate as in the other two cases (Asosheh & Ramezani 2008).

3.2: The Best DDOS Defence Approach: victim, source or intermediate?

In this section of the paper, the author tries to identify the best DDOS defence approach, or the approach that will lead the future of DDOS defence. In the previous section, the strengths and weaknesses of the different DDOS defence approaches were discussed. Just like their implementations, which were discussed in the ‘Literature Review’ section, they too had various strengths and weaknesses. Gauging by those strengths and weaknesses, it is really hard, if not impossible, to point out a single approach as the best DDOS defence solution or as the future of DDOS defence solutions.

So the author believes that the best DDOS solution, or the solution that will lead in the future, is neither the victim-end, the source-end nor the intermediate solution, but a combination of all of them. The author believes that the best DDOS defence solution is yet to be developed. It (the ‘Best DDOS approach’) will be a solution that combines the strengths of each of the above approaches and neutralises the downsides of the current approaches. The best DDOS defence will only be achieved when a solution is developed which takes the best of all worlds by forming a collaborative network of source-end, victim-end and intermediate DDOS approaches.

3.2.1: ‘Best DDOS approach’

In this solution, the victim-end, source-end and intermediate network implementations will be deployed in their respective places, but, more importantly, they will reinforce each other and communicate with each other, constructing a huge distributed defence network to address the threat of Distributed Denial of Service attacks.

As already mentioned under ‘Source-end DDOS Solutions’, one of the biggest strengths of source-end DDOS defence mechanisms is their ability to perform sophisticated traffic profiling strategies and complex per-packet processing. The ‘Best DDOS approach’ will utilise this strength to detect attacks, to collect detailed statistics on the attack and to neutralise the attack if possible. Under the ‘Best DDOS approach’, once an attack is detected, the source-end DDOS defence will also notify the core routers (intermediate defence systems) about the attack.

As already mentioned, one of the biggest drawbacks of source-end DDOS approaches is their inability to detect attacks accurately because of the limited traffic aggregation. In the ‘Best DDOS approach’ this will not be a problem, because attacking traffic that was not detected initially by the source-end defence will be detected along the way, either by the intermediate or by the victim-end DDOS defence.

As already pointed out, intermediate solutions are capable of handling a high volume of traffic, but they are unable to detect attacks accurately as the attack packets are scattered throughout the internet. With the ‘Best DDOS approach’, as the source-end DDOS solutions notify the intermediate defences upon an attack, the core routers know exactly where to look for attack signatures. Since intermediate defences are aware of the attack packets’ paths, and since they are capable of handling a high volume of traffic, they can successfully drop all, or at least the majority, of the attacking packets. Another drawback mentioned earlier is that intermediate defences add latency to packets, as they have to examine each and every packet in addition to forwarding them. This weakness is overcome in the ‘Best DDOS approach’, as intermediate defences do not need to examine each and every packet; they only have to examine packets on the path provided by the source-end defences, and only upon a notification.

Since the majority of the attack packets are dropped by the source-end and intermediate defences, victim-end solutions will not be overwhelmed by massive amounts of traffic under the ‘Best DDOS approach’. This removes a major drawback of traditional victim-end DDOS solutions. Because of this, it is now possible for the victim-end DDOS solutions to examine the remaining traffic more comprehensively. As already mentioned under ‘Victim-end DDOS Solutions’, one of the main advantages of victim-end defences is their high accuracy rate. This strength will be reinforced by the ‘Best DDOS approach’, as it is now possible to employ more sophisticated attack detection algorithms at the victim’s end due to the lower rate of traffic. More sophisticated attack detection algorithms and a lower rate of traffic will ensure that the remaining attack packets are stopped with greater accuracy, which in turn significantly lowers the collateral damage.
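The following toy simulation, added here and not part of the original paper, walks a constructed traffic mix through the three tiers of the ‘Best DDOS approach’ described above: a source-end profiler that rate-limits and reports over-limit flows, intermediate routers that inspect only notified flows, and a victim end that can afford a finer per-host check on what remains. All packets, paths and thresholds are assumptions made for the example.

```python
"""Toy model of the three-tier 'Best DDOS approach': source-end profiling
and notification, intermediate dropping of notified flows, and a finer
victim-end check on the residual.  Constructed traffic and thresholds."""
from collections import Counter

SOURCE_FLOW_LIMIT = 100   # packets per window one source net may send a victim
VICTIM_HOST_LIMIT = 6     # per-host limit the unburdened victim end enforces

def make_traffic():
    """Constructed packets: (src_net, src_host, victim, path, is_attack)."""
    pkts = [("netA", f"a{i % 8}", "victim", ["r1", "r2"], False) for i in range(40)]
    pkts += [("netB", f"b{i % 50}", "victim", ["r3", "r2"], True) for i in range(400)]
    pkts += [("netA", "a9", "victim", ["r1", "r2"], True) for _ in range(10)]
    return pkts

def source_end(pkts):
    """Profile (src_net, victim) flows; drop the excess and record the path."""
    seen, alerts, passed = Counter(), {}, []
    for p in pkts:
        flow = (p[0], p[2])
        seen[flow] += 1
        if seen[flow] > SOURCE_FLOW_LIMIT:
            alerts[flow] = p[3]      # notification carries the attack path
            continue                 # neutralised at the source
        passed.append(p)             # packets sent before detection leak through
    return passed, alerts

def intermediate(pkts, alerts):
    """Core routers forward unnotified flows untouched and drop notified ones."""
    return [p for p in pkts if (p[0], p[2]) not in alerts]

def victim_end(pkts):
    """Residual traffic is small enough for a per-host check."""
    per_host, passed = Counter(), []
    for p in pkts:
        per_host[p[1]] += 1
        if per_host[p[1]] <= VICTIM_HOST_LIMIT:
            passed.append(p)
    return passed

def run(pkts):
    """Return where packets were dropped and what reached the victim."""
    s, alerts = source_end(pkts)
    i = intermediate(s, alerts)
    v = victim_end(i)
    legit = lambda ps: sum(1 for p in ps if not p[4])
    return {"source_dropped": len(pkts) - len(s),
            "intermediate_dropped": len(s) - len(i),
            "victim_dropped": len(i) - len(v),
            "attack_reached": len(v) - legit(v),
            "legit_reached": legit(v), "collateral": legit(pkts) - legit(v)}
```

The low-rate attacker `a9` stays under the source-end threshold and is only partly caught by the victim-end limit, which is the residual the text above leaves to finer victim-end analysis.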

The above few paragraphs discussed the author’s ‘Best DDOS approach’, how it reinforces the strengths of the current DDOS solutions and how it overcomes their weaknesses where possible. It is also worth noting that the ‘Best DDOS approach’ is not something that can be implemented overnight. It is a long path towards perfection, and it requires significant changes to the current internet infrastructure. But in order to address the issue of DDOS, the current piecemeal approaches are not sufficient; a drastic infrastructural change is essential. Though this cannot be achieved overnight, careful planning of the future implementations of the network infrastructure will ensure a day when the internet is immune to Distributed Denial of Service attacks.

Until then, it is important to see how the next instalment of the internet (IPv6) stands against the tests of DDOS attacks.

3.3: IPv6 vs. DDOS

The internet is evolving by the day. Soon IPv4 is going to be totally replaced by the IPv6 protocol. IPv6 provides many security features which were not available under IPv4; IPSec is one of them. So it is important to see how IPv6 and IPSec would shape the fate of the future of the internet, to see how IPv6 would stand against the test of DDOS and to see if the future of the internet will be immune to DDOS attacks.

The Neighbour Discovery protocol is one of the most important segments of IPv6. It solves some of the problems related to interaction between computers in a network, such as Address Resolution, Neighbour Unreachability Detection and Duplicate Address Detection in IPv6 (Hines 2004). But unfortunately, the Neighbour Discovery protocol of IPv6 introduces a new breed of DOS attacks. Attackers could exploit some of the loopholes in the Neighbour Discovery protocol of IPv6 and use them to DOS networks.

When IPSec is not configured in IPv6, attackers could use a ‘Duplicate Address Detection attack’ to DOS clients. When a computer wants to connect to a network by assigning an IP address to itself, under the ‘Neighbour Discovery Protocol’ it multicasts a ‘Duplicate Address Detection’ packet. But an attacker could use a packet sniffer to listen for any ‘Duplicate Address Detection’ packets and reply to them, pretending that the IP address is in use. Doing so would prevent any computer from connecting to the network, thus DOSing the network (Yang et al. 2007).

Another DOS attack made available in IPv6 is the ‘Bogus On-Link Prefix attack’. Under the Neighbour Discovery protocol, if the destination computer is on-link with the sender, the sender does not send the packet to the router for routing; it sends the packet directly to the destination instead. Attackers exploit this feature by sending fake ‘Router Advertisement’ messages specifying that the destination is on-link with the sender. So the sender tries to send packets directly to a destination which does not exist, thereby creating a DOS attack (Yang et al. 2007).

The ‘Parameter spoofing attack’ is another mechanism that can be used to DOS a network under IPv6 without IPSec configured. Under the Neighbour Discovery protocol, when computers need to send packets to destinations outside the network, they use the information provided by the ‘Router Advertisements’. Attackers could use forged ‘Router Advertisements’ with false information to disrupt the activities of a network (Narten et al. 1998).
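The three Neighbour Discovery attacks just described leave distinctive on-link traces that a defender can audit for. The following script, added here and not from the paper or any cited work, runs a simple check over constructed ND event records in a hypothetical log format: Router Advertisements from an unexpected link-layer address (the vehicle for parameter spoofing), an on-link prefix that is not the site’s (the bogus on-link prefix case), and one sender answering Duplicate Address Detection probes for many distinct addresses (the DAD attack). The trusted router MAC, the expected prefix and the threshold are assumptions for the example.

```python
"""Audit constructed IPv6 Neighbour Discovery events for the three attack
patterns above. Hypothetical one-event-per-line log format (not from any tool):
    RA mac=<lladdr> src=<ipv6> prefix=<pfx> onlink=<0|1>
    NA mac=<lladdr> src=<ipv6> dst=<ipv6> target=<ipv6>"""
from collections import defaultdict

TRUSTED_ROUTER_MACS = {"00:11:22:33:44:01"}    # assumed: the site's real router
EXPECTED_ONLINK_PREFIXES = {"2001:db8:1::/64"} # assumed: the only on-link prefix
DAD_DEFENCE_LIMIT = 3   # a real host defends only its own handful of addresses

def parse_event(line):
    """Split 'KIND key=value ...' into a dict."""
    kind, *fields = line.split()
    ev = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev

def audit_nd(lines):
    """Return (finding, line) pairs for ND traffic matching an attack pattern."""
    findings = []
    dad_targets = defaultdict(set)   # link-layer address -> addresses it claimed
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "RA":
            if ev["mac"] not in TRUSTED_ROUTER_MACS:
                # any RA from a non-router is the vehicle for parameter spoofing
                findings.append(("rogue_ra", line))
            elif ev.get("onlink") == "1" and ev["prefix"] not in EXPECTED_ONLINK_PREFIXES:
                # trusted sender (or a spoof of it) advertising a bogus on-link prefix
                findings.append(("bogus_onlink_prefix", line))
        elif ev["type"] == "NA" and ev.get("dst") == "ff02::1":
            # an NA to all-nodes is how a node answers a DAD probe; one sender
            # claiming many distinct tentative addresses is the DAD attack pattern
            dad_targets[ev["mac"]].add(ev["target"])
            if len(dad_targets[ev["mac"]]) == DAD_DEFENCE_LIMIT:
                findings.append(("dad_dos", line))
    return findings

# Constructed sample log: one legitimate router, one legitimate host, one misbehaving host.
SAMPLE_LOG = [
    "RA mac=00:11:22:33:44:01 src=fe80::1 prefix=2001:db8:1::/64 onlink=1",
    "RA mac=0a:0b:0c:0d:0e:0f src=fe80::f prefix=2001:db8:9::/64 onlink=1",
    "RA mac=00:11:22:33:44:01 src=fe80::1 prefix=2001:db8:7::/64 onlink=1",
    "NA mac=00:11:22:33:44:aa src=fe80::aa dst=ff02::1 target=2001:db8:1::aa",
    "NA mac=0a:0b:0c:0d:0e:0f src=fe80::f dst=ff02::1 target=2001:db8:1::10",
    "NA mac=0a:0b:0c:0d:0e:0f src=fe80::f dst=ff02::1 target=2001:db8:1::11",
    "NA mac=0a:0b:0c:0d:0e:0f src=fe80::f dst=ff02::1 target=2001:db8:1::12",
]
```

Calling `audit_nd(SAMPLE_LOG)` yields one finding of each kind; the legitimate router's first RA and the legitimate host's single DAD defence are left alone.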

In addition to the above-mentioned newly found attack mechanisms (which exploit the Neighbour Discovery Protocol of IPv6), according to Yang & Shi, some of the traditional DDOS methods such as TCP Flood, UDP Flood and ICMP Flood are still effective against IPv6 networks. However, they have also stated that other traditional attack mechanisms like Smurf and amplification attacks are not effective against IPv6 even when IPSec is not enabled (Yang et al. 2007). This is because, according to the IPv6 specification, a response is not generated to any packet with an IPv6 multicast destination address (Conta & Deering 1998).

From the above discussion it is clear that IPv6 does not provide any explicit security against DOS and DDOS attacks, with the exception of the Smurf and amplification attacks. IPv6’s Neighbour Discovery Protocol has instead introduced a new set of DOS mechanisms.

However, the studies of Yang et al. show that if IPSec is configured with IPv6, it can resist all of the above-mentioned attacks based on the ‘Neighbour Discovery Protocol’. In addition, they pointed out that IPSec can indeed resist any DOS and DDOS attacks which originate from spoofed IP addresses. But IPSec still falls flat if the attackers use their real IP addresses to launch a DDOS attack. If the attackers use their real IP addresses to launch DDOS attacks, the network could be a victim even when IPSec is configured with IPv6 (Yang et al. 2007).


So it is clear that IPSec and IPv6 are not the end of all DOS and DDOS attacks. But IPSec can be seen as a step in the right direction. Attackers almost always use spoofed IP addresses to launch DDOS attacks in order to cover their identity, but with IPSec, attacking with spoofed IP addresses is not possible anymore. This would undoubtedly change the future of DDOS attacks. But it is important to note that attackers could always launch attacks from foreign countries such as Greece, Ireland and Austria, where there are no clear regulations about DDOS attacks (European Commission 2002).


4: Conclusion

In this paper, various DDOS defence approaches and their main implementations were discussed. Both the approaches and their implementations had various strengths and weaknesses in their own right. Victim-end solutions were more accurate, but they were mostly overwhelmed by the requests. Source-end solutions were capable of performing more sophisticated traffic profiling, but they failed at accurate detection of attacks. Intermediate solutions, on the other hand, were capable of handling massive amounts of traffic, but similar to Source-end solutions, they too failed at accurate attack detection. So it was made clear that none of these approaches on their own could make an internet that is completely immune to DDOS attacks.

So the author proposed a novel approach to DDOS prevention, the ‘Best DDOS approach’. In this approach Victim-end, Source-end and Intermediate DDOS solutions work collaboratively, reinforcing and communicating with each other and constructing a Distributed Defence network to address the issue of DDOS attacks. Similar to the other DDOS solutions, the ‘Best DDOS approach’ too has several weaknesses, the biggest being the need for drastic changes to the internet infrastructure. But the author believes that, if the future implementations of the internet are carefully planned with more focus allocated to internet security, it is possible to achieve an internet that is totally immune to DDOS attacks.

Since the ‘Best DDOS approach’ is a long-term plan for perfection, the paper then examined how the immediate instalment of the internet, IPv6, faces the challenges of DDOS. But as opposed to making the internet resistant to DDOS, IPv6 has introduced some new complications which favour the DDOS attackers. However IPSec, once configured, has the ability to defuse all those new complications along with the existing DDOS attack mechanisms that are launched through spoofed IP addresses. This would undoubtedly change the future of DDOS attacks.

The author believes that, though IPv6 and IPSec are not the ‘be all and end all’ solution for DDOS, they are nevertheless a step in the right direction. With IPSec, spoofed attacks are not possible anymore; that is one less hassle for the existing DDOS defence solutions. DDOS defence is not something that can be achieved overnight; it is a long path that has to be laid carefully, with more focus oriented towards internet security. With each iteration of the internet, the existing loopholes have to be addressed and the strengths have to be reinforced. Future research on DDOS defence has to be more focused on collaborative DDOS defence rather than on piecemeal solutions. There should be a distributed answer for distributed attacks. This, however, is not something that can be achieved by individual researchers; the world governing bodies and security professionals have to get together to put up such a DDOS defence solution.


5: References

Asosheh, A & Ramezani, N 2008, A Comprehensive Taxonomy of DDoS Attacks and Defense Mechanism Applying in a Smart Classification, World Scientific and Engineering Academy and Society (WSEAS), Stevens Point.

Carl, G, Kesidis, G, Brooks, RR & Rai, S 2006, Denial-of-Service Attack-Detection Techniques, IEEE Educational Activities Department, Piscataway.

Chatam, JW 2003, Using Strategic Firewall Placement to Mitigate the Effects of Distributed Denial of Service Attacks, Masters Thesis, Auburn University.

Conta, A & Deering, S 1998, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification, RFC Editor, United States.

European Commission 2002, Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries.

Fletcher, HW, Richardson, K, Carlisle, MC & Hamilton, JA 2005, Evaluating Secure Overlay Services through OPNET Simulation, ACCR publications, San Diego.

Gil, TM & Poletto, M 2001, MULTOPS: a data-structure for bandwidth attack detection, USENIX Association, Berkeley.

Gordon, LA, Loeb, MP, Lucyshyn, W & Richardson, R 2004, 2004 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, San Francisco.

Hines, A 2004, Neighbour Discovery in IPv6, University of Paderborn.

Janczewski, LJ & Colarik, A 2005, Managerial Guide for Handling Cyber-Terrorism and Information Warfare, Idea Group Publishing, Hershey.

Lau, F, Rubin, SH, Smith, MH & Trajkovic, L 2000, Distributed Denial of Service Attacks, IEEE Xplore, Nashville.

Lee, FY & Shieh, S 2005, Defending against spoofed DDoS attacks with path fingerprint, Department of Computer Science and Information Engineering, National Chiao Tung University, Taiwan.

Mirkovic, J, Prier, G & Reiher, P 2002, Attacking DDoS at the Source, IEEE Computer Society, Washington.

Narten, T, Nordmark, E & Simpson, W 1998, Neighbour Discovery for IP Version 6, RFC Editor, United States.

Yaar, A, Perrig, A & Song, D 2003, Pi: a path identification mechanism to defend against DDoS attacks, IEEE Computer Society, Carnegie Mellon University.

Yang, X, Ma, T & Shi, Y 2007, Typical DoS/DDoS Threats under IPv6, IEEE Computer Society, Guadeloupe City.