Research Paper By: Hasantha Alahakoon
Distributed Denial of Service (DDOS) Defence Solutions
1: Introduction
Despite being a relatively old concept, the Distributed Denial of Service attack, which had been largely
overlooked until then, gained mass attention only in the year 2002 with the successful simultaneous
attacks on the web services of Yahoo, CNN, Amazon and eBay. It is reported that, regardless of the high
security measures of those web servers, DDOS attacks brought down the web services for several
hours, causing financial losses of around 1.2 billion American dollars. Furthermore, according to the
2004 CSI/FBI ‘Computer Crime and Security Survey’, the Distributed Denial of Service attack is listed as
one of the most financially expensive security incidents of the new decade (Gordon et al. 2004). So it
is apparent that Distributed Denial of Service attacks pose a very probable and real threat to the
information infrastructure of contemporary society, and suitable measures to detect and prevent
them are of utmost importance.
Therefore, in this qualitative research, the author discusses various mechanisms for early detection
of DDOS attacks, ways and means of preventing Distributed Denial of Service attacks, and the issues and
limitations of each of those prevention mechanisms. Due to the sheer volume of the literature
in the field of DDOS attacks, covering all of it in a brief paper like this is by no means possible;
therefore only the main concepts of DDOS defence will be covered in depth, while others will only be
discussed at a very abstract level.
This paper is organised as follows: In section 1.1, the paper briefly reviews the concepts of DOS
attacks and DDOS attacks. In section 2, the Literature Review, the paper discusses
the existing implementations in the field of DDOS defence at a very abstract level. In section 3.1, the
paper critically discusses the advantages and disadvantages of the different DDOS defence approaches. Then
the paper tries to identify the ‘Best DDOS Solution’ and examines how IPv6 stands against the
current DDOS attacks. Finally the paper draws its conclusions and sets out grounds for future
work.
Before focusing on methods of detecting and preventing Distributed Denial of Service attacks, it is
vital to become familiar with the underlying concepts and basic mechanisms of DOS and DDOS attacks.
1.1: Denial of Service attacks (DOS) and Distributed Denial of Service attacks (DDOS)
According to Colarik and Janczewski in ‘Managerial Guide for Handling Cyber-Terrorism’, a DOS
attack is an attempt ‘to force a target system to become overloaded with activities that reduces its
capability to process legitimate tasks’ (Janczewski & Colarik 2005, p.86).
A DOS attack takes one of two forms: a Vulnerability attack or a Flooding attack. In a
Vulnerability attack, the attacker exploits a vulnerability in a software package or a protocol by
sending malformed packets which cause memory overflows, excessive CPU cycles or
system reboots, thereby making the victim unreachable to legitimate users. These kinds of attacks
can be easily remedied by the software vendor once the exploit is identified (Carl et al. 2006, p. 83).
A Flooding Attack, on the other hand, the subject of this paper, keeps sending the victim computer a
continuous stream of workload, occupying all of the victim’s resources to the point that it can no
longer handle legitimate user requests. In a Flooding attack, the attacker could use one of, or a
combination of, SYN flood, UDP flood and Smurf attacks (Lau et al. 2000, p. 2276). Though these
kinds of attacks were very popular in the past, modern web servers can easily handle a DOS attack
from a single computer. Therefore attackers have come up with a more powerful attacking
mechanism: the Distributed Denial of Service attack (DDOS).
In a DDOS attack, the attacker infects several hundred computers across the internet and uses those
computers to collectively attack the victim computer system. Because of the distributed nature of the
attack, the attack is more powerful than many web servers can handle. In a DDOS attack, the
attacker could use tools such as Trinoo, Tribe Flood, Stacheldraht, Shaft and TFN2k along with
the other techniques described earlier under simple DOS attacks (Lau et al. 2000, p. 2276).
With the understanding of DOS and DDOS attacks, the author would like to discuss the current
approaches of DDOS detection and prevention in the following section.
2: Literature Review
There are three main DDOS detection and prevention approaches that are practiced today. Those are
approaches based on DDOS detection at the:
1. Victim of the attack
2. Source of the attack
3. Intermediate network (Network level)
Therefore the available literature on DDOS attack detection and prevention methods can be
categorized into three main sections: literature on DDOS detection at the victim,
literature on DDOS detection at the source and literature on DDOS detection at the network level.
Because of the sheer amount of literature on each of the above mentioned DDOS detection
approaches, only the most prominent and well recognised implementations of each approach
will be discussed in this section of the paper. The author believes that it is more important to have a
proper understanding of the prominent implementations of DDOS defence than to skim over
all the available DDOS defence implementations. Therefore, for each of the following
implementations, a brief description will be presented, followed by a critical discussion of advantages
and disadvantages.
2.1: A Source-end Solution: D-WARD
‘Attacking DDOS at the Source’ describes a router based implementation, D-WARD, which is
capable of successfully identifying and preventing DDOS attacks when deployed at the source end of
the attack. D-WARD should be installed at the source router of the attack, which connects the attacker
to the internet, or in a separate unit connected to the source router that is capable of accessing
the router’s traffic statistics. D-WARD consists of two main modules: the Observation module and the
Throttling module (Mirkovic et al. 2002).
Once deployed, the Observation module of D-WARD monitors both the incoming and outgoing traffic
flows of each of its client computers. Those traffic flows are periodically compared against predefined
‘normal’ traffic models. If any anomaly is detected by the Observation module, the Throttling module
is invoked. The Throttling module dynamically controls the outgoing traffic limit for each
client based on the feedback from the Observation module. If the Observation module reports an
attempted attack, the Throttling module imposes an outgoing rate limit on that particular client. If
subsequent observations confirm the attack, the outgoing rate is further reduced, thus effectively
preventing a DDOS attack at its origin (Mirkovic et al. 2002).
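The observe-then-throttle loop described above, as an added toy model written for this paper and not D-WARD's own code. The ‘normal’ model (a maximum outgoing packet rate per interval and a maximum ratio of outgoing to incoming packets), the halving and doubling of the cap, and the constant-rate trace are all assumptions made for the demonstration:

```python
"""Toy source-end observation/throttling loop in the spirit of D-WARD.

Added illustration, not D-WARD's own code.  Assumptions made for the demo:
a client's 'normal' model is a maximum outgoing packet rate per interval plus
a maximum ratio of outgoing to incoming packets, and the throttle halves the
cap on each confirming observation and doubles it back on each clean one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed 'normal' traffic model for one client (assumption for the demo).
MAX_OUT_RATE = 50          # packets per observation interval
MAX_OUT_IN_RATIO = 3.0     # at most 3 packets out for every packet coming back


@dataclass
class ClientState:
    limit: Optional[float] = None   # current outgoing cap; None means unthrottled
    flagged_intervals: int = 0      # consecutive intervals flagged by observation


def observe(out_pkts: int, in_pkts: int) -> bool:
    """Observation module: True when the flow deviates from the normal model.

    A flood shows up either as an outright rate excess or as a one-sided flow
    (many packets out, almost nothing back), which is what a flood against a
    remote victim looks like from the source side.
    """
    ratio = out_pkts / max(in_pkts, 1)
    return out_pkts > MAX_OUT_RATE or ratio > MAX_OUT_IN_RATIO


def throttle(state: ClientState, flagged: bool, out_pkts: int) -> int:
    """Throttling module: adjust the cap and return the packets let out this interval."""
    if flagged:
        state.flagged_intervals += 1
        if state.limit is None:
            state.limit = MAX_OUT_RATE / 2      # first suspicion: cap at half the model
        else:
            state.limit /= 2                    # subsequent confirmation: halve again
    else:
        state.flagged_intervals = 0
        if state.limit is not None:
            state.limit *= 2                    # clean interval: relax gradually
            if state.limit >= MAX_OUT_RATE:
                state.limit = None              # fully recovered, stop throttling
    if state.limit is None:
        return out_pkts
    return min(out_pkts, int(state.limit))


def run_client(intervals: List[Tuple[int, int]]) -> List[int]:
    """Feed (outgoing, incoming) packet counts per interval; return packets allowed out."""
    state = ClientState()
    return [throttle(state, observe(o, i), o) for o, i in intervals]


def leaked_fraction(intervals: List[Tuple[int, int]], allowed: List[int]) -> float:
    """Share of packets from flagged intervals that still left the network."""
    sent = sum(o for (o, i) in intervals if observe(o, i))
    leaked = sum(a for (o, i), a in zip(intervals, allowed) if observe(o, i))
    return leaked / sent if sent else 0.0


# Constructed trace: one clean interval, a three-interval constant-rate flood
# with no replies, then the client returns to normal.
CONSTANT_RATE_TRACE = [(40, 20), (500, 0), (500, 0), (500, 0), (30, 20), (30, 20), (30, 20)]

if __name__ == "__main__":
    allowed = run_client(CONSTANT_RATE_TRACE)
    print("allowed per interval:", allowed)
    print("attack packets leaked: %.1f%%" % (100 * leaked_fraction(CONSTANT_RATE_TRACE, allowed)))
```

Running the trace shows the two design points of the paragraph: the cap is imposed on the first flagged interval and tightened on each confirmation, and it is relaxed only gradually once the client behaves again, so a client that returns to normal still spends a few intervals under a limit. That recovery lag is the price of not letting a pulsing attacker reset the throttle with a single quiet interval.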
According to Mirkovic et al., D-WARD has been tested with various DDOS attack types (Constant
rate attack, Pulsing attack, Increasing rate attack and Gradual pulse attack), and in all of the attack
scenarios D-WARD successfully detected the attacks. Further, the tests reported that D-WARD
allowed less than 1% of the attacking packets to leave the source network. The tests also
reported that the rate of false positives of D-WARD is less than 0.5%, which
implies that installing D-WARD on a network will not noticeably affect the legitimate traffic of the
network (Mirkovic et al. 2002).
But D-WARD is not without its downsides. Firstly, a skilful attacker can exploit the functionality of
D-WARD and use D-WARD itself to DDOS the network on which D-WARD is installed.
If the attacker can spoof the IP addresses of legitimate users of the network and can mimic
DDOS traffic patterns from those IP addresses, D-WARD will impose rate limits on all of those
clients, thus leaving the network itself DDOSed (Mirkovic et al. 2002). Secondly, in order
to unleash the maximum potential of D-WARD, it is necessary that all of the routers connected to the
internet install D-WARD. In addition, D-WARD takes a long time to detect Increasing rate
attacks. Finally, D-WARD will only work when there is a single gateway router for a given network,
which is not the case in most real world networks.
2.2: A Victim-end Solution: Strategic Firewall Placement
Chatam, in his paper ‘Using strategic firewall placement to mitigate the effect of distributed denial of
service attacks’, proposes a victim side solution for preventing DDOS attacks. According to Chatam,
stopping DDOS at its source is not feasible because it requires changing software in millions of
independent routers connected to the internet; so he proposes a victim side solution (Chatam 2003).
One of the greatest disadvantages of victim side DDOS solutions is that, regardless of the strength of
the victim’s security policies, the communication link between the ISP and the organization becomes
clogged by the DDOS requests (because of the limited bandwidth provided to organizations by an
ISP), thus leaving the victim DDOSed even before the victim side DDOS solutions are activated
(Chatam 2003).
Chatam overcomes this issue by introducing the concept of strategic firewall placement. With traditional
firewall placement, under a DDOS situation, the traffic cannot be transmitted through the low
bandwidth channel between the ISP and the organization. So the traffic builds up at the ISP and all
the packets are dropped before they reach the local firewall for packet filtering. But in ‘Strategic
Firewall placement’, the company’s firewall is moved to a location close to the ISP, and since the
firewall is close to the ISP, it is now possible to connect the firewall to the ISP’s router through a high
speed link. The purpose of relocating the firewall is to filter out unnecessary packets using the
firewall’s filtering policies before they enter the bottleneck link, thus making it harder for attackers to
DDOS a certain network (Chatam 2003).
‘Strategic Firewall placement’ has several benefits over D-WARD. ‘Strategic Firewall placement’
will prevent the company from becoming a victim of reflected denial of service attacks, which is a huge benefit
when compared to D-WARD. Furthermore, ‘Strategic Firewall placement’ addresses the issue of IP
spoofing, which adversely affected the performance of D-WARD.
2.3: A Network Level Solution: Path Identifier
As already pointed out under D-WARD, IP spoofing is one of, if not the, greatest complications
facing the current DDOS attack defence mechanisms. IP spoofing not only makes it difficult to
determine the origin of an attacking packet, but has also enabled a new breed of DDOS attacks:
reflected DDOS attacks. Yaar et al. propose a remedy for IP address spoofing, a network level
DDOS solution known as Pi.
In Path Identifier (Pi), every packet is marked with a unique identifier which helps the victim to
identify the path that the packet has travelled. If the victim identifies a packet as an attacking
packet, then it can drop all the packets that traverse the same path by filtering on that particular
identifier, thus disabling the attacker’s ability to DDOS the victim’s information infrastructure (Yaar
et al. 2003).
Pi consists of two main modules, the packet markers and the packet filter. The packet markers are the
routers that are connected to the internet. Whenever a router forwards a data packet, it appends
the last n bits of the MD5 hash of its IP address to the IP identification field of the packet. As all
the routers that forward the packet append bits derived from their IP addresses, it is possible for the victim to identify the
full path the packet has travelled (Yaar et al. 2003).
The packet filter, on the other hand, can be installed on the victim’s firewall. The packet filter reads the path
identifier (Pi marking) embedded in each packet and determines whether to accept or drop the
packet. Since Pi is a per-packet deterministic approach, the packet filter can classify a
single packet as an attacking packet, and the rest of the packets that carry the same path fingerprint
will be automatically dropped (Yaar et al. 2003).
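The marker and filter modules described in the two paragraphs above, as an added toy model written for this paper (it is not the Pi authors' code). It assumes a value of n (N_BITS), that marks are shifted into the 16-bit IPv4 identification field, that routers which do not deploy Pi leave the field untouched, and that the victim's filter learns a marking from a packet it has already classified as attack traffic; the router addresses are constructed documentation addresses:

```python
"""Toy model of Pi (Path Identifier) marking and victim-side filtering.

Added illustration, not the Pi authors' code.  Assumptions: each router
contributes N_BITS low-order bits of the MD5 digest of its address, marks are
shifted into the 16-bit IP identification field, legacy routers that do not
deploy Pi leave the field untouched, and the victim's filter learns a marking
from one packet it has already classified as attack traffic.
"""
import hashlib
from typing import Dict, List, Optional, Set

N_BITS = 2                  # bits appended per hop (assumption for the demo)
ID_FIELD_BITS = 16          # width of the IPv4 identification field
ID_MASK = (1 << ID_FIELD_BITS) - 1


def router_mark(router_ip: str) -> int:
    """The last N_BITS of the MD5 hash of the router's IP address."""
    digest = hashlib.md5(router_ip.encode("ascii")).digest()
    return digest[-1] & ((1 << N_BITS) - 1)


def forward(ident: int, router_ip: str, deploys_pi: bool = True) -> int:
    """One hop: shift the earlier marks left and append this router's mark.

    Only the last ID_FIELD_BITS // N_BITS hops fit in the field; older marks
    are shifted out, so the marking identifies the tail of the path.
    """
    if not deploys_pi:
        return ident                    # a legacy router passes the field unchanged
    return ((ident << N_BITS) | router_mark(router_ip)) & ID_MASK


def mark_along_path(path: List[str], legacy: Optional[Set[str]] = None) -> int:
    """Identification field value a packet carries after crossing every router in path."""
    legacy = legacy or set()
    ident = 0
    for hop in path:
        ident = forward(ident, hop, deploys_pi=hop not in legacy)
    return ident


class PiFilter:
    """Victim-side filter: drop every packet whose marking matches a learned attack path."""

    def __init__(self) -> None:
        self.blocked: Set[int] = set()

    def learn_attack(self, ident: int) -> None:
        self.blocked.add(ident)

    def accept(self, ident: int) -> bool:
        return ident not in self.blocked


def simulate(attack_path: List[str], legit_path: List[str], flood_size: int) -> Dict[str, int]:
    """Count what the victim's filter lets through once one attack packet is recognised."""
    filt = PiFilter()
    attack_mark = mark_along_path(attack_path)
    legit_mark = mark_along_path(legit_path)
    filt.learn_attack(attack_mark)           # first attack packet classified by the victim
    attack_passed = sum(1 for _ in range(flood_size) if filt.accept(attack_mark))
    legit_passed = 1 if filt.accept(legit_mark) else 0
    return {"attack_passed": attack_passed, "legit_passed": legit_passed,
            "collision": int(attack_mark == legit_mark)}


# Constructed example routers (documentation addresses, not real infrastructure).
ATTACK_PATH = ["192.0.2.1", "198.51.100.7", "203.0.113.9", "203.0.113.254"]
LEGIT_PATH = ["192.0.2.40", "198.51.100.8", "203.0.113.10", "203.0.113.254"]

if __name__ == "__main__":
    print("attack mark: %04x" % mark_along_path(ATTACK_PATH))
    print("legit  mark: %04x" % mark_along_path(LEGIT_PATH))
    print(simulate(ATTACK_PATH, LEGIT_PATH, flood_size=1000))
```

The `collision` counter in the result is the model's version of the deployment caveat raised later in this section: with only a few marking hops (or with legacy routers in between, which the `legacy` set models), two different paths can end up with the same short marking, and in that case legitimate packets sharing the marking are dropped together with the attack traffic.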
Pi has several advantages when compared to other DDOS detection mechanisms such as D-WARD.
First and foremost, it is immune to IP spoofing. Even when an attacker uses a spoofed IP address, he can
still be easily traced back because the IP addresses of all the routers on the path are embedded inside the
IP packet. In addition, attackers cannot use reflected DDOS attacks when Pi is in use, as the DNS
servers would check the IP packet’s path fingerprint before replying to the victim, thus reducing the
ability to attack a target using the reflected DDOS mechanism.
But, as with any other network based solution, Pi requires most of the routers on the internet to
support it in order to function properly. If only a small number of routers deploy Pi, the path
signature will be incomplete and some legitimate traffic will be misclassified by Pi.
Moreover, when all the routers in the path add the hash of their IP address, the packet becomes
heavier and the communication overhead is considerably high (Fletcher et al. 2005, p.
232).
In the above sections, some of the most prominent and widely accepted implementations of DDOS
prevention and detection were discussed. Each of those implementations has both advantages and
disadvantages, and there seems to be no clear winner in terms of the best DDOS defence mechanism.
Since this section of the paper only discussed the advantages and disadvantages that are specific to
each implementation, a higher level discussion that compares the advantages and
disadvantages of each of the DDOS approaches (victim based, source based, network based) is
required. In the investigation section of this paper, section 3.1, a critical discussion comparing each of
the DDOS prevention approaches will be carried out.
On the other hand, most of the current DDOS detection and prevention methods, including the ones
described above, are designed for the IPv4 architecture. But with the rapid development of the
internet, it is inevitable that IPv6 will take the place of IPv4. IPv6 provides more security
features and promises to overcome many security holes, such as the issue of IP spoofing. Though
there are such advantages in IPv6, some of the DDOS prevention methods might not function
properly with the IPv6 architecture (Gil & Poletto 2001). So it is clear that IPv6 presents new
challenges both for attackers and for DDOS defenders. Therefore a comprehensive discussion
of how IPv6 would affect DDOS attacks and defence mechanisms is essential, and will be
presented in section 3.3.
3: Research
By reviewing the available literature in the field of DDOS prevention and detection, several key areas
have been identified that require further research.
As already mentioned at the beginning of the literature review section, there are three main
approaches to DDOS defence: victim’s end, source’s end and network level. For each of
those approaches there are countless implementations, and some of the renowned
ones are discussed in the literature review section. Since the discussion in the literature review
section is focused more on the advantages and disadvantages that are specific to each
implementation than on the approach as a whole, it is important to have a higher level
discussion of the advantages and disadvantages of the different DDOS defence approaches.
The discussion carried out in the literature review section pointed out both the advantages and
disadvantages of each of the DDOS defence implementations. From the discussion it was
clear that all of the implementations had some strengths and weaknesses. Judging by the
weaknesses and strengths of the different implementations, none of them could be singled out as the
‘be all and end all’ solution for DDOS defence. This raises the question of the best DDOS
defence approach, that is, of course, if there is any.
As already noted earlier, IPv6 architecture is taking over the internet. IPv6 is delivering some
of the most promising security features, one such being the IPSec protocol. IPSec promises
that it will address the issue of IP spoofing. So it is an interesting topic to see how the IPv6
architecture would affect the future of the DDOS attacks.
3.1: Comparison between different DDOS Defence approaches
Different DDOS defence approaches try to detect or to stop DDOS attacks at different stages of the
lifecycle.
3.1.1: Source-end DDOS Solutions
Source-end DDOS defence mechanisms try to detect DDOS at the initial stage of the attack and to
stop it at its origin. Source-end DDOS defence mechanisms have several advantages when compared
to the other two. Detecting an attack at its source helps to defuse the attack at the earliest stage of
its life cycle, thus effectively reducing the damage it would otherwise cause. As the defence
mechanism is deployed at the source of the attack, it stops the attacking packets from entering the
rest of the internet. This helps to reduce the congestion that would otherwise occur. Also, once the
attacking packets enter the internet and get mixed with the rest of the packets, attack detection is
considerably harder, and filtering the packets causes a high degree of collateral damage.
Since the defence mechanism is deployed very close to the origin of the attack, the volume of traffic
that has to be examined is significantly smaller when compared to victim-end and core router deployments. This
enables the use of more sophisticated traffic profiling strategies and more complete per-packet
processing. In addition, since traffic diversity is limited when compared to network and victim-
end defence mechanisms, the statistics gathered by source-end defence mechanisms are more
accurate. More accurate statistics gathering and extensive per-packet processing ensure high response
selectiveness in source-end DDOS defence mechanisms (Mirkovic et al. 2002).
But source-end DDOS defence solutions are not without faults. Firstly and most importantly, source-
end DDOS solutions do not provide any protection against incoming DDOS attacks. So installing a
source-end DDOS solution will not provide any direct benefit to the host network. On the other hand,
in order for source-end DDOS solutions to be effective, it is necessary that all of the edge routers
implement the solution. But it is not feasible to expect all the routers on the internet to implement
source-end DDOS solutions given that they do not provide any protection to the host network.
In addition, it is very hard to detect DDOS attacks at the source because the traffic there is not very aggregated.
It is nearly impossible to detect DDOS attacks by looking at the characteristics of single packets,
because it is the aggregation of the packets that forms a DDOS attack, rather than any characteristic of
the individual packets. Because of this, attackers can easily send huge amounts of normal looking
packets into the internet without being detected by source-end DDOS defence mechanisms (Gil &
Poletto 2001).
3.1.2: Victim-end DDOS Solutions
Victim-end DDOS solutions, the most widely used approach, try to defuse a DDOS attack at the final
stage of its life cycle, at the victim of the attack. There could be a number of reasons for the wide
popularity of victim-end DDOS solutions.
First and foremost, unlike source-end or network level DDOS solutions, victim-end
DDOS solutions provide direct benefits to the host. This can be a huge motivator for network
administrators to use victim-side DDOS solutions. It is the only DDOS solution that can stop an
incoming DDOS attack. Moreover, it is the only stand-alone DDOS solution available. An individual
cannot use source-end or network level DDOS solutions to protect a set of hosts from being attacked,
because they require large scale cooperation and drastic changes to the routing infrastructure to work
effectively (Lee & Shieh 2005, p.574).
In addition, a Distributed Denial of Service attack originates from several sources that are scattered
throughout the internet. As already pointed out, such attacks are hard to detect at the source of
the attack; only after the packets from those various sources aggregate does a DDOS attack take shape. So it
is imperative to look at the collection of packets to successfully detect a DDOS attack, rather than
looking at individual packets. So, undoubtedly, the best place to deploy a DDOS defence solution is
where the packets from various sources aggregate: at the victim of the attack. Moreover, as victim-
end DDOS solutions look at the aggregation of packets, their accuracy is higher when compared to
source-end DDOS solutions, which look at less aggregated data to detect attacks.
Though the aggregation of packets makes victim-end solutions more accurate, it also acts as a double
edged sword for such solutions. Most of the time the high packet rates at the victim cause the
network to be DDOSed even before the packets can be analysed. In addition, as there is a huge
amount of traffic at the victim of the attack, complex detection strategies and comprehensive per-
packet processing cannot be done. This reduces the response selectiveness of such DDOS solutions.
Moreover, as victim-end DDOS solutions deal with the aggregation of packets, any packet
filtering mechanism will cause a high degree of collateral damage (Mirkovic et al. 2002).
3.1.3: The intermediate network (Network level) DDOS Solutions
Network level DDOS solutions try to detect DDOS attacks while they are propagating through the internet.
In this approach, the attack packets are expected to be filtered cooperatively by the core routers of the
internet. Network level DDOS solutions function either by tracing back the attack traffic
or by filtering attack packets on the fly with the help of core routers and ISPs.
This is the distributed answer to Distributed Denial of Service attacks. Since the detection points
are distributed throughout the internet, they can handle a high volume of packets. Resources can
be allocated dynamically depending on the attack because of the distributed nature of the defence
solution. And the detection is hidden, since it is not done in the path of the attack (Asosheh &
Ramezani 2008).
In addition, unlike source-end and victim-end solutions, network level DDOS solutions cannot be DDOSed by the attackers.
This is because the solution is spread throughout the internet and because
the resources needed for defence can be allocated when and where necessary. Furthermore, network
level DDOS defence mechanisms are immune to IP spoofing and have the ability to pinpoint the
attackers (Asosheh & Ramezani 2008).
However, network level DDOS solutions require internet wide cooperation for DDOS detection. If
some of the routers on the internet do not implement the solution, there is a high possibility of
legitimate traffic being identified as attacking traffic. On the other hand, the complex cooperation
required for network level DDOS solutions might not even be feasible due to the heterogeneous
nature of the internet. In addition, these solutions require significant enhancements to the
current routing infrastructure which might not be supported by legacy routers. Some network level
solutions require packet filtering to be done on the core routers in addition to the traditional packet
filtering, which might add considerable latency to the packets (Lee & Shieh 2005, p.574).
In victim-end and source-end DDOS solutions, the attacking traffic is always passing through a
central point; so the attack signature can be easily identified by examining the traffic passing through
that point. But in network level DDOS solutions, the attacking traffic is scattered throughout the
internet and therefore the attack detection is not as accurate as in the other two cases (Asosheh &
Ramezani 2008).
3.2: The Best DDOS Defence Approach: victim, source or intermediate?
In this section of the paper, the author tries to identify the best DDOS defence approach, or the
approach that will lead the future of DDOS defence. In the previous section, the strengths and
weaknesses of the different DDOS defence approaches were discussed. Just like their implementations,
which were discussed in the ‘Literature Review’ section, they too have various strengths and
weaknesses. Gauging by those strengths and weaknesses, it is really hard, if not impossible, to point
out a single approach as the best DDOS defence solution or as the future of DDOS defence
solutions.
So the author believes that the best DDOS solution or the solution that will be leading in the future is
neither the victim-end, source-end nor intermediate solutions, but a combination of all of them. The
author believes that the best DDOS defence solution is yet to be developed. It (‘Best DDOS
approach’) will be a solution that combines the strengths of each of the above approaches and a
solution that neutralises the down sides of the current approaches. The best DDOS defence will only
be achieved when a solution is developed which takes the best of all worlds by forming a
collaborative network of source-end, victim-end and intermediate DDOS approaches.
3.2.1: ‘Best DDOS approach’
In this solution, the victim-end, source-end and intermediate network implementations will be
deployed in their respective places, but more importantly, they will be reinforcing each other and will
be communicating with each other constructing a huge Distributed Defence network to address the
threat of Distributed Denial of service attacks.
As already mentioned under ‘Source-end DDOS Solutions’, one of the biggest strengths of source-
end DDOS defence mechanisms is their ability to perform sophisticated traffic profiling strategies
and complex per-packet processing. The ‘Best DDOS approach’ will utilise this
strength to detect attacks, to collect detailed statistics of the attack and to neutralise the attack if
possible. Under the ‘Best DDOS approach’, once an attack is detected the source-end DDOS defence
will also notify the core routers (intermediate defence systems) about the attack.
As already mentioned, one of the biggest drawbacks of source-end DDOS approaches is their
inability to detect attacks accurately because of the limited traffic aggregation. In the ‘Best DDOS
approach’ this will not be a problem, because the attacking traffic that was not detected initially by the
source-end defence will be detected along the way, either by the intermediate or by the victim-end DDOS
defence.
As already pointed out, intermediate solutions are capable of handling high volumes of traffic. But they
are unable to accurately detect attacks, as the attack packets are scattered throughout the internet. But
with the ‘Best DDOS approach’, as the source-end DDOS solutions notify the intermediate defences
upon an attack, the core routers know exactly where to look for attack signatures. Since intermediate
defences are aware of the attack packets’ paths and since they are capable of handling high volumes of
traffic, they can successfully drop all, or at least the majority, of the attacking packets. Another
drawback mentioned earlier is that intermediate defences add latency to packets, as they
have to examine each and every packet in addition to forwarding it. This weakness is overcome
in the ‘Best DDOS approach’, as intermediate defences do not need to examine each and every packet;
they only have to examine packets on the path provided by the source-end defences, and only upon a
notification.
Since the majority of the attack packets are dropped by the source-end and intermediate defences,
victim-end solutions will not be overwhelmed by a massive amount of traffic under the ‘Best DDOS
approach’. This removes a major drawback of traditional victim-end DDOS solutions. Because of
this, it is now possible for the victim-end DDOS solutions to examine the remaining traffic more
comprehensively. As already mentioned under ‘Victim-end DDOS Solutions’, one of the main
advantages of victim-end defences is their high accuracy rate. This strength will be reinforced by the
‘Best DDOS approach’, as it is now possible to employ more sophisticated attack detection algorithms
at the victim’s end due to the lower rate of traffic. More sophisticated attack detection algorithms and a
lower rate of traffic will ensure that the remaining attack packets are stopped with greater accuracy,
which in turn significantly lowers the collateral damage.
The above few paragraphs discussed the author’s ‘Best DDOS approach’, how it reinforces the
strengths of the current DDOS solutions and how it overcomes their weaknesses where possible. It
is also worth noting that the ‘Best DDOS approach’ is not something that can be implemented
overnight. It is a long path towards perfection. It requires significant changes to the current internet
infrastructure. But in order to address the issue of DDOS, the current piecemeal approaches are not
sufficient; a drastic infrastructural change is essential. Though this cannot be achieved overnight,
careful planning of future implementations of the network infrastructure will ensure a day when
the internet is immune to Distributed Denial of Service attacks.
Until then, it is important to see how the next instalment of the internet (IPv6) stands against the tests
of DDOS attacks.
3.3: IPv6 vs. DDOS
The internet is evolving by the day. Soon IPv4 is going to be totally replaced by the IPv6 protocol. IPv6
provides many security features which were not available under IPv4. IPSec is one of them. So it is
important to see how IPv6 and IPSec would shape the fate of the future of the internet, to see how
IPv6 would stand against the test of DDOS and to see if the future of the internet will be immune to
DDOS attacks.
The Neighbour Discovery protocol is one of the most important segments of IPv6. It solves some of the
problems related to interaction between computers in a network, such as Address Resolution,
Neighbour Unreachability Detection and Duplicate Address Detection in IPv6 (Hines 2004). But
unfortunately, the Neighbour Discovery protocol of IPv6 introduces a new breed of DOS attacks. Attackers
could exploit some of the loopholes in the Neighbour Discovery protocol of IPv6 and use them to DOS
networks.
When IPSec is not configured in IPv6, attackers could use a ‘Duplicate Address Detection attack’ to
DOS clients. When a computer wants to join a network by assigning itself an IP address,
under the ‘Neighbour Discovery Protocol’ it multicasts a ‘Duplicate Address Detection’ packet. But an
attacker could use a packet sniffer to listen for any ‘Duplicate Address Detection’ packets and reply to
them, pretending that the IP address is in use. Doing so would prevent any computers from joining the
network, thus DOSing the network (Yang et al. 2007).
Another DOS attack made available in IPv6 is the ‘Bogus On-Link Prefix attack’. Under the Neighbour
Discovery protocol, if the destination computer is on-link with the sender, the sender does not send
the packet to the router for routing; it sends the packet directly to the destination instead. Attackers
exploit this feature by sending fake ‘Router Advertisement’ messages specifying that the destination is
on-link with the sender. So the sender tries to send packets directly to a destination which does not
exist, thereby creating a DOS attack (Yang et al. 2007).
‘Parameter spoofing attack’ is another mechanism that can be used to DOS a network under IPv6
without IPSec configured. Under Neighbour Discovery protocol, when computers need to send
packets to destinations out of the network, they use the information provided by the ‘Router
Advertisements’. Attackers could use forged ‘Router Advertisements’ with false information to
disrupt the activities of a network (Narten et al. 1998).
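The three Neighbour Discovery abuses above share two observable patterns a link monitor can flag: one link-layer source answering Duplicate Address Detection solicitations for many distinct tentative addresses, and Router Advertisements arriving from a source that is not a known router (which covers both the bogus on-link prefix and the parameter spoofing cases). The following detector is an added example, not code from the paper or from Yang et al.; the event records, MAC addresses and the operator-maintained router allowlist are constructed assumptions.

```python
# Added example (not from the paper): a link-local monitor over constructed
# Neighbour Discovery events that flags the abuse patterns described above:
#  1. DAD denial: one link-layer source claims ownership of many distinct
#     tentative addresses that were just solicited (a real host owns a few).
#  2. Rogue RA: a Router Advertisement from a source not in the known-router
#     allowlist (covers bogus on-link prefixes and spoofed RA parameters).
from collections import defaultdict

# Constructed sample events: (seconds, msg_type, src_mac, target_or_prefix)
SAMPLE_EVENTS = [
    (0.0, "NS_DAD", "aa:aa:aa:00:00:01", "2001:db8::a1"),
    (0.1, "NA",     "cc:cc:cc:de:ad:01", "2001:db8::a1"),
    (1.0, "NS_DAD", "aa:aa:aa:00:00:02", "2001:db8::b2"),
    (1.1, "NA",     "cc:cc:cc:de:ad:01", "2001:db8::b2"),
    (2.0, "NS_DAD", "aa:aa:aa:00:00:03", "2001:db8::c3"),
    (2.1, "NA",     "cc:cc:cc:de:ad:01", "2001:db8::c3"),
    (3.0, "RA",     "00:11:22:33:44:55", "2001:db8::/64"),     # known router
    (3.5, "RA",     "cc:cc:cc:de:ad:01", "2001:db8:bad::/64"), # not a router
]

# Assumption: the operator maintains the list of legitimate router MACs.
KNOWN_ROUTERS = {"00:11:22:33:44:55"}


def detect_nd_abuse(events, known_routers, dad_threshold=3, window=10.0):
    """Return (kind, src_mac, detail) alerts in the order they are raised.

    dad_threshold: distinct solicited addresses one source may claim before
                   it is reported; window: seconds within which an NA counts
                   as an answer to an earlier DAD solicitation.
    """
    alerts = []
    pending_dad = {}              # tentative address -> time it was solicited
    answered = defaultdict(set)   # src_mac -> solicited addresses it claimed
    for ts, kind, src, value in events:
        if kind == "NS_DAD":
            pending_dad[value] = ts
        elif kind == "NA" and value in pending_dad:
            if ts - pending_dad[value] <= window:
                answered[src].add(value)
                if len(answered[src]) == dad_threshold:   # report once
                    alerts.append(("dad_dos", src, sorted(answered[src])))
        elif kind == "RA" and src not in known_routers:
            alerts.append(("rogue_ra", src, value))
    return alerts


if __name__ == "__main__":
    for alert in detect_nd_abuse(SAMPLE_EVENTS, KNOWN_ROUTERS):
        print(alert)
```

On the sample above the monitor raises one `dad_dos` alert for the source that answered all three solicitations and one `rogue_ra` alert for the advertisement that did not come from the allowlisted router.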
In addition to the above-mentioned newly found attack mechanisms (which are exploits of the Neighbour
Discovery Protocol of IPv6), according to Yang et al., some of the traditional DDOS methods such
as TCP Flood, UDP Flood and ICMP Flood are still effective against IPv6 networks. However, they
have also stated that other traditional attack mechanisms like Smurf and amplification attacks are not
effective against IPv6 even when IPSec is not enabled (Yang et al. 2007). This is because according to
the IPv6 specification, a response is not generated to any packet with an IPv6 multicast destination
address (Conta & Deering 1998).
From the above discussion it is clear that IPv6 does not provide any explicit security against DOS
and DDOS attacks, with the exception of the Smurf and amplification attacks. IPv6’s Neighbour
Discovery Protocol has introduced a new set of DOS mechanisms instead.
However, the studies of Yang et al. show that if IPSec is configured with IPv6, the network can resist all of the
above-mentioned attacks based on the ‘Neighbour Discovery Protocol’. In addition, they further
pointed out that IPSec can indeed resist any DOS and DDOS attacks which originate from
spoofed IP addresses. But IPSec still falls flat if the attackers use their real IP addresses to launch a
DDOS attack. If the attackers use their real IP addresses to launch DDOS attacks, the network could be
a victim even when IPSec is configured with IPv6 (Yang et al. 2007).
So it is clear that IPSec and IPv6 are not the end of all DOS and DDOS attacks. But IPSec
can be seen as a step in the right direction. Attackers almost always use spoofed IP addresses to
launch DDOS attacks to cover their identity, but with IPSec, attacking with spoofed IP addresses is
not possible anymore. This would undoubtedly change the future of DDOS attacks. But it is
important to note that, attackers could always launch attacks from foreign countries such as Greece,
Ireland and Austria where there are no clear regulations about DDOS attacks (European Commission
2002).
4: Conclusion
In this paper, various DDOS defence approaches and their main implementations were discussed.
Both the approaches and their implementations had various strengths and weaknesses on their own
merits. Victim-end solutions were more accurate, but they were mostly overwhelmed by the requests.
Source-end solutions were capable of performing more sophisticated traffic profiling, but they failed at
accurate detection of attacks. Intermediate solutions, on the other hand, were capable of handling
massive amounts of traffic, but similar to Source-end solutions, they too failed at accurate attack
detection. So it was made clear that none of these approaches on their own could make an internet that
is completely immune to DDOS attacks.
So the author proposed a novel approach to DDOS prevention, the ‘Best DDOS approach’. In this
approach Victim-end, Source-end and Intermediate DDOS solutions work collaboratively, reinforcing
and communicating with each other constructing a Distributed Defence network to address the issue
of DDOS attacks. Similar to the other DDOS solutions, ‘Best DDOS approach’ too has several
weaknesses; the biggest being the need for drastic changes to the internet infrastructure. But the
author believes that, if the future implementations of the internet are carefully planned with more
focus allocated for internet security, it is possible to achieve an internet that is totally immune to
DDOS attacks.
Since the ‘Best DDOS approach’ is a long-term plan for perfection, the paper then examined how the
immediate instalment of the internet, IPv6, faces the challenges of DDOS. But as opposed to making
the internet resistant to DDOS, IPv6 has introduced some new complications which favour the DDOS
attackers. However IPSec, once configured, has the ability to defuse all those new complications
along with the existing DDOS attack mechanisms that are launched through spoofed IP addresses.
This would undoubtedly change the future of DDOS attacks.
The author believes that, though IPv6 and IPSec are not the ‘be all and end all’ solution for DDOS, they are
nevertheless a step in the right direction. With IPSec, spoofed attacks are not possible anymore; that is
one less hassle for the existing DDOS defence solutions. DDOS defence is not something that can be
achieved overnight; it is a long path that has to be laid carefully with more focus oriented to internet
security. With each iteration of the internet, the existing loopholes have to be addressed, and the
strengths have to be reinforced. The future research on DDOS defence has to be more focused on a
collaborative DDOS defence rather than on piecemeal solutions. There should be a distributed answer
for distributed attacks. This however, is not something that can be achieved by the individual
researchers; the world governing bodies and security professionals have to get together to put up such
a DDOS defence solution.
5: References:
Asosheh, A & Ramezani, N 2008, A Comprehensive Taxonomy of DDoS Attacks and Defense
Mechanism Applying in a Smart Classification, World Scientific and Engineering Academy and
Society (WSEAS), Stevens Point.
Carl, G, Kesidis, G, Brooks, RR & Rai, S 2006, Denial-of-Service Attack- Detection Techniques,
IEEE Educational Activities Department, Piscataway.
Chatam, JW 2003, Using Strategic Firewall Placement to Mitigate the Effects of Distributed Denial of
Service Attacks, Masters Thesis, Auburn University.
Conta, A & Deering, S 1998, Internet Control Message Protocol (ICMPv6) for the Internet
Protocol Version 6 (IPv6) Specification, RFC Editor, United States.
European Commission 2002, Handbook of Legislative Procedures of Computer and Network Misuse
in EU Countries
Fletcher, HW, Richardson, K, Carlisle, MC & Hamilton, JA 2005, Evaluating Secure Overlay Services
through OPNET Simulation, ACCR publications, San Diego.
Gil, TM & Poletto, M 2001, MULTOPS: a data-structure for bandwidth attack detection,
USENIX Association, Berkeley.
Gordon, LA, Loeb, MP, Lucyshyn, W & Richardson, R 2004, 2004 CSI/FBI Computer Crime and
Security Survey, Computer Security Institute, San Francisco.
Hines, A 2004, Neighbour Discovery in IPv6, University of Paderborn.
Janczewski, LJ & Colarik, A 2005, Managerial Guide for Handling Cyber-Terrorism and Information
Warfare, Idea Group Publishing, Hershey.
Lau, F, Rubin, SH, Smith, MH & Trajkovic, L 2000, Distributed Denial of Service Attacks, IEEE
Xplore, Nashville.
Lee, FY & Shieh, S 2005, Defending against spoofed DDoS attacks with path fingerprint, Department
of Computer Science and Information Engineering, National Chiao Tung University Taiwan.
Mirkovic, J, Prier, G & Reiher, P 2002, Attacking DDoS at the Source, IEEE Computer Society,
Washington.
Narten, T, Nordmark, E & Simpson, W 1998, Neighbour Discovery for IP Version 6, RFC Editor,
United States.
Yaar, A, Perrig, A & Song, D 2003, Pi: a path identification mechanism to defend against DDoS
attacks, IEEE Computer Society, Carnegie Mellon University.
Yang, X, Ma, T & Shi, Y 2007, Typical DoS/DDoS Threats under IPv6, IEEE Computer Society,
Guadeloupe City.