A Survey of Distributed Denial of Service Attacks and Defenses

Although different researches are fighting against DDoS attacks, even today, the deployment or development of effective methods and mechanisms of these researches cannot resist DDoS attacks. It is a hard problem to solve because it is multifaceted. There are multifarious ways of creating attacks that are extremely effective. Section 2 and  3 give an overview of the classification and types of the different DDoS attacks. Section 4 gives an overview of the commonly used defense mechanisms. I am interested in working on types of attacks that so far we have not been able to handle effectively. These are mainly low-rate attacks and their related works are mentioned in Section 5.

DDoS attacks possess immense threat to the current Internet community, which comprises over 3.5 billion users (Number of internet users worldwide, 2017). Figure 1 shows the year-wise growth statistics of DDoS attacks, collated from Arbor Networks: Worldwide Infrastructure Security Report (Arbor Network Special Report, 2014), Calyptix Security Blog (Calyptix Security, 2015), DDoS attack on Dyn(DDoS Attack on Dyn, 2016) in 2016 and the largest volumetric DDoS attack, ever recorded, on Github (DDoS Attack on Github, 2018). The 2016 Dyn cyberattack(DDoS Attack on Dyn, 2016), that took place on October 21, 2016 included multiple DDoS attacks targeting systems operated by Domain Name System (DNS) provider Dyn. It caused major Internet platforms and services to be unavailable to a large number of users spread across Europe and North America. And the magnitude of these attacks peaked to 1.2 Tbps.

The Github DDoS attack(DDoS Attack on Github, 2018) generated a flood of internet traffic that peaked at 1.35Tbps, making it the largest on record. Interestingly, no botnets were involved in this attack. Instead, the hackers went with an amplification attack. They spoofed GitHub’s IP address, and sent queries to several memcached servers that are typically used to speed up database-driven sites. The memcached systems then sent amplified responses from those requests to GitHub.

A computer or networked device under the control of an intruder is known as a bot. In general, in a DDoS attack, an attacker begins by exploiting a vulnerability in a computer system, making it the DDoS master bot. The attack master system identifies other vulnerable systems and gains control over them by either infecting the systems with malware or through bypassing the authentication controls. These systems are called DDoS slave bots. The attacker creates a command-and-control server to command the network of bots, referred to as a botnet.(Liu et al., 2009) Then, the attacker uses the traffic generated by the compromised devices to inundate the target so as to get its services down. Figure 2 represents a typical DDoS architecture (Douligeris and Mitrokotsa, 2004).

Also, the attackers aim that the DDoS attack packets do not reveal any obvious characteristic to segregate malicious and legitimate traffic. With minimal effort, the attackers aim to create the maximum-possible catastrophic impact.

The reasons or motivations behind DDoS attacks can be specific. But, in general, the major causes for DDoS attacks are as follows:

1. (1)

   Competition: DDoS attacks can be intended to cripple company operations, damage reputation and devastate sales, which may directly benefit competitors.

2. (2)

   Financial Gains: DDoS attacks can be used to achieve financial gains. Attackers can be hired, paid well or can even ask for ransom.

3. (3)

   Politics: DDoS attacks have the potential to digitally silence opposition parties. They can be used by political parties and terrorists.

4. (4)

   Revenge: Current employees, ex-employees, angry customers or anyone with a dispute may have a motive for a DDoS attack.

There are a wide variety of possible DDoS attacks. And it is challenging to represent all of them with a single classification. Different literatures have classified DDoS attacks in different ways (Mirkovic and Reiher, 2004; Specht and Lee, 2004; Zargar et al., 2013; Gupta and Badve, 2017). Arbor networks have classified DDoS attacks as volumetric attacks and application layer attacks. Volumetric attacks send a huge amount of traffic, or request packets, to a targeted network so as to overwhelm its bandwidth capabilities. Typically request sizes are in the 100’s of Gbps. However, recent attacks have scaled to over 1Tbps. Application-layer attacks generally require a lot less packets and bandwidth to get a website down. They are silent and small, when compared to network-layer attacks, but extremely disruptive.

Reference (Mirkovic and Reiher, 2004) presents the taxonomy of DDoS attacks and the different classifications include degree of automation, exploited weaknesses to deny service, source address validity, attack rate dynamics, possibility of characterization, persistence of agent set, victim type and impact on victim. Reference (Specht and Lee, 2004) portrays a taxonomy of a few major DDoS attacks, shown in Figure 3. It includes two major classes of DDoS attacks: bandwidth depletion and resource depletion attacks. Bandwidth depletion attacks flood the victim network with undesired traffic, preventing legitimate traffic from reaching the victim. And resource depletion attacks tie up the resources of a victim system making the victim unable to process legitimate requests.

The different DDoS attacks are enumerated below:

DDoS attacks pose immense threat to the resources of the victim and to the network bandwidth and infrastructure. Although for each attack, or a group of attacks, described in Section 3, there are specific defense mechanisms available in literature, some of the commonly used ways to mitigate DDoS attacks are as follows:

1. (1)

   Hop-count filtering: A commonly used defense is hop-count filtering (Jin et al., 2003) that filters packets that contain spoofed IP addresses. In this approach, the authors have used the concept that it is not possible to alter the number of hops of an IP packet when it travels from a source to a destination. Therefore, the authors have used this count to determine the validity of a packet. In this method, time to live value is used to count the number of hops. This hop counts are stored in a mapping table against each source address. Upon receiving a packet, the number of hops required for this packet is calculated and matched against the mapping table. A packet is detected as spoofed packet if a mismatch is found in this comparison. If a flow of packets is identified as a flow of spoofed packets, the filter discards those packets as a prevention of an attack. The deployment of such a technique is easier as it requires implementation in the victim’s system. But, it has a limitation in the process of hop count. As this method counts the number of hops based on time to live, the number of false positive is larger in this method. This is because the initial time to live value is usually different for different operating systems. Additionally, the attacker can forge valid hop counts in their packets which allows the packets to pass the filter. Finally, for a flood of malicious packets, the system cannot perform the calculation and comparison. Hence it becomes the victim of the DDoS attack.

2. (2)

   Source Address Validity Enforcement protocol: Source Address Validity Enforcement (SAVE) protocol (Li et al., 2002) enforces the routers to send messages containing updated source information to each destination routers connected to a source. Then, each router updates its forwarding table with current information and uses it to filter the packets based on the methods of RPF. Thus, it overcomes the problem encountered in the RPF for the asymmetric and dynamic nature of the Internet. However, implementation of such protocol requires a change in the existing routing protocol which is a time-consuming process. Also, a partial deployment of the protocol does not guarantee full success in filtering spoofed IP addresses.

3. (3)

   Rate Limiting: Rate limiting is one of common ways to defend the DDoS attacks. Generally, if the results of a detection mechanism are found to be partially successful, that is, if it produces large false negatives or cannot identify a precise distinction between the legitimate and malicious traffic, it is reasonable to apply rate limiting rather than filtering.

4. (4)

   Ingress/Egress filtering: Ingress/Egress filtering is a commonly used technique to prevent traffic with spoofed IP addresses to enter into a protected network. Basically, ingress filtering filters the malicious traffic destined to a local network and egress filtering discards the malicious traffic leaving a local network. Ingress filtering defined in RFC 226768 allows the traffic to enter the network which matches with a predefined range of domain prefixes of the network. If an attacker uses spoofed IP address that do not match with the prefixes, it is discarded at the routers. Thus, this filtering technique ensures prevention from DDoS attacks where spoofed IP addresses are used. However, it is not a useful mechanism in the cases where the valid IP addresses of the botnets are used as a source IP addresses during the attack. Also, the success of these filtering depends on the knowledge of the range of expected IP addresses for a port which is not always achievable for the complicated topologies used in different networks. Moreover, if an attacker uses some spoofed IP addresses that fall into the valid address range, the filters in the routers cannot detect the malicious traffic in such scenarios. Also, for these filters, itunneling is required for mobile IP users so that they are not filtered by the routers using ingress/egress filtering. Moreover, as it does not ensure incentives to the Internet Service Providers, it is partially deployed in the networks. Additionally, many Internet Service Providers do not enforce this approach.

5. (5)

   Load balancing: The key function of a load balancer is to spread workloads across multiple servers to prevent overloading servers, optimize productivity, and maximize uptime. Load balancers also add resiliency by re-routing live traffic from one server to another if a server is under a DDoS attack. Therefore, load balancers help to eliminate single points of failure and reduce the attack surface. Load Balancing is an approach which tries to balance the loads of different systems so that no one system gets overloaded. The result of the load balancing helps to gain the optimal productivity and the maximum uptime. In order to ensure the maximum load balancing, a bandwidth increase is required on all critical connections. A good number of replicated servers and data centers are required to guarantee elimination of single point of failure.

6. (6)

   Martian address filtering and source address validation: Martian address filtering is defined in RFC 1812. It works for filtering spoofed IP addresses that are generated from a limited set of addresses. This filtering ensures that a router must not forward any packet which has an invalid source or destination IP address. These invalid IP addresses range from reserved or special IP addresses as well as the unallocated range of IP addresses. Additionally, it ensures that any packet with the destination IP address 255.255.255.255/32 must be discarded at the router.

   Source address validation is also specified in RFC 1812 and implemented in the routers. In this filtering mechanism, the router compares the source address of a packet with the logical interface of the packet where it is received. If this interface does not match with the interface where the packet needs to be destined to reach the specified source address, the router discards the packet. Thus, it can filter packets with spoofed source IP addresses. However, the rate of the false positive may become high for the asymmetric routes of the Internet. This asymmetric nature does not guarantee the match of the interfaces upon receiving or return of a packet from a specific source address. Thus, this filtering may discard a large number of legitimate traffics. However, the essential issue here is that not all routers in the Internet implement these approaches.

7. (7)

   Capability-based response: This mechanism can help prevent flooding related DDoS attacks. The receiver cannot control how much traffic it would receive. There exists flow control and congestion control mechanisms, but a misbehaving sender does not care about it. Therefore, the techniques involved in capability-based DDoS response work to discern a solution to control such misbehaving sender. Stateless inter flow filter (SIFF)134 and traffic validation architecture (TVA)135 are two example methods of this type.

8. (8)

   Route-based Packet Filtering: Route-based Packet Filtering(RPF) filters packets with spoofed source IP addresses. This filtering technique enhances the scope of the ingress filtering by providing service to the core routers. It does provide filtering based on the route information of a packet in each link of a core router. It depends on the principle that each link of the core router accepts traffic from only a limited number of source addresses. Thus, an IP packet which has a different source address than this set of addresses is discarded by the core routers as it appears to be spoofed to the router. In order to implement this technique, it requires information of the Border Gateway Protocol routing topology. According to the simulation of Park and Lee,(Park and Lee, 2001) a significant success of the technique will be achieved if 18% of the autonomous systems implement this filtering technique. However, this number is found impractical in current Internet scenario. Additionally, in order to include the source addresses in the BGP message, it is required to modify the scheme used in BGP messaging. This increases the message size and processing time of the BGP messages. Moreover, if the routers do not maintain updated information, this technique can discard legitimate packets for unwanted root change. Also, as RPF filters packets are based on BGP messaging information, an attacker can deceive root information and filtering rules by stealing BGP sessions. Finally, the attacker can carefully choose IP addresses that do not resemble the spoofed IPs. This can make the method ineffective in protecting DDoS from spoofed IP. Reference (Duan et al., 2008) extends the idea of Park and Lee(Park and Lee, 2001) by designing a packet filtering mechanism which considers update messages of local BGP to filter out spoofed IP addresses. This method is easy to deploy on the current architecture which relies on the BGP routing protocol. It also reduces the rate of false positive and simplifies IP traceback process.

9. (9)

   History-based filtering: History-based filtering is a packet marking–based filtering technique where the history of the normal traffic is used to filter out the malicious traffic(Peng et al., 2003). Here, the destination of an attack maintains a database of IP addresses. This database comprises IP addresses which are commonly found in the destination. Therefore, when a bandwidth attack is targeted to this system, the system only allows those IP addresses that appear in their database and discards all other IP packets. However, this filtering technique cannot successfully detect and discard the malicious flow if an attacker can simulate its attack traffic as a normal traffic.

10. (10)

    Path identifier: The path identifier method (Yaar et al., 2003) eliminates packets based on a path identifier that identifies the path of the attacker. Identifying the path is a deterministic approach where each packet is stamped with an identifier based on the path it has traveled. The packets that travel the same path contain the same identifier. Thus, if the victim can identify a packet traveling from the attacker, it can filter all the subsequent packets sent by the attacker. This approach works well when half of the routers get involved to mark the packets. Because it works with a small sized identification field, there remains the possibility that different paths can show the same path information. Therefore, it can give false-positives and false-negatives. Reference (Yaar et al., 2006) proposes an improved version of the path identifier approach called StackPi that improves path identifier’s performance in terms of incremental deployment. Additionally the improved filtering mechanism is capable of identifying malicious flows based on just a single packet. As per the paper, this method can provide a reasonable amount of DDoS protection only if 20% of the routers implement this marking scheme. However, this method does not consider the detection of spoofed IP address packets rather it marks and filters a malicious packet based on the deterministic packet marking mechanism. Moreover, a host or router looking for the path information through this method may need to have some supportive software as well as expense of processing making this method difficult to deploy, as mentioned in reference (Beverly et al., 2009).

11. (11)

    PacketScore: PacketScore (Kim et al., 2006) is a proactive filtering technique that uses Bayes theorem to compute conditional legitimate probability(CLP). The conditional legitimate probability is used to determine the likelihood of a legitimate packet based on the baseline profile value and the attribute value of a packet. The packet filtering works based on this CLP value and a dynamic threshold. As the filtering takes into account the statistical analysis, this method works well for new attack signatures as well as non spoofed attack traffics. However, this method requires a large amount of storage to deal with the increasing number of attack attributes. It introduces a DDoS defense scheme that supports automated online attack characterizations and accurate attack packet discarding based on statistical processing. The key idea is to prioritize a packet based on a score which estimates its legitimacy given the attribute values it carries. Once the score of a packet is computed, this scheme performs score-based selective packet discarding where the dropping threshold is dynamically adjusted based on the score distribution of recent incoming packets and the current level of system overload.

12. (12)

    Secure overlay: The idea behind secure overlay (Adkins et al., 2003) is to build up an overlay network on top of the IP network. It uses three principles: (i) enabling end-hosts to communicate without revealing their IP address, (ii) giving end-hosts control to defend against Denial-of-Service (DoS) attacks at the overlay level, and (iii) making sure that the added functionality does not introduce vulnerabilities not present in the Internet. This overlay network is the entry point for the outside network to establish a communication to the protected network. It is assumed that the isolation can be achieved if a protected network hides its IP addresses or uses a distributed firewall. This firewall ensures that only trusted traffic from the nodes of the overlay network can get entry to the protected network. Although this mechanism ensures prevention from the DDoS attack, it is applicable to a private network.

13. (13)

    Honeypots: A honeypot (Weiler, 2002) attracts attackers to attack them. Therefore, the actual system remains protected. Also, honeypots can be used to extract important information like records of attack activity, tools, and software used for the attack which can reveal information about an attacker. This information is further used to detect and mitigate a DDoS attack. But this technique also contains some drawbacks. For example, the static and passive nature of the honeypots do not guarantee complete concealing from the attacker.

14. (14)

    Changing IP addresses: Changing IP address technique (Geng and Whinston, 2000) allows the computer system changes its IP address to invalidate an old address which may be the potential target of the DDoS attacks. This approach works for an IP address based attack. However, this also incurs a lot of overheads such as updating different entry information. This method works well till the attacker does not get informed about the new IP address. This approach provides the technological futility of addressing the problem solely at the local level.

15. (15)

    Congestion policing: The goal of a bandwidth flooding attack is to congest the resource(Deng et al., 2010). The impact of this type of attacks can be reduced or eliminated by applying congestion policing mechanism. Re-feedback(Briscoe et al., 2005) and NetFence(Liu et al., 2010) are two example mechanisms where congestion policing is applied to defend DDoS attacks. Re-feedback ensures metrics in data headers such as time to live and congestion notification will arrive at each relay carrying a truthful prediction of the remainder of their path. NetFence uses a secure congestion policing feedback, to enable robust congestion policing inside the network.

16. (16)

    Applying security patches: It is also required to update all security patches regularly to ensure that the system is not affected by bugs or worms. Also, in order to prevent IoT botnet’s generation, it is mandatory to change the default or generic passwords of the IoT devices.86 This is an important awareness from the users side that can fight against the massive IoT–based DDoS attacks. However, the irony is that most of the users of the IoT devices are not aware of the threats or even they do not know the name of the DDoS attacks. When an attacker compromises a device for the DDoS army, the user of the device does not notice any change in their performance or behavior. Thus, stealthily they help in the attack without even knowing the name of the attack that they are participating.

Low-rate DDoS attacks are not handled effectively by the current defense mechanisms. These attacks have ability of concealing their traffic because they are very much like normal traffic. They have the capacity to elude the current anomaly-based detection schemes. Instead of exhausting the network bandwidth, these attacks deny service at the device level. They deplete the resources at the service or the operating system, making it difficult for the device unable to process legitimate clients’ traffic. These attacks are challenging to detect at the network level since they generate requests at low rate. Examples of such attacks are Flash Crowd Attack, TCP Shrew Attack(Kuzmanovic and Knightly, 2003), Slowloris Attack, Hash-Collision Attack, described in 3.3.

Instead of a generic approach, most defenses focus on just a single variant. There is no generic framework to handle all low-rate DDoS attacks.

Some related work for the slow attacks is as follows:

1. (1)

   Reference Architecture: Reference (Shtern et al., 2014) proposes a reference architecture for defense against low-rate DDoS attacks, enabled by a Software Defined Infrastructure(SDI). Here, both network and computational resources are provisioned and modified on demand to achieve the mitigation goals. The suspicious traffic is detected and redirected to the Shark Tank system, which is created on-demand. The Shark Tank system is a separate cluster which possesses full application capabilities designed to monitor suspicious users. The key feature of the Shark Tank is to act as a restricted area for the attacker so that they can be placed under close surveillance. It does absorb the damage from the DDoS attacks and allows the system to learn from these attacks for future reference.

2. (2)

   Collaborative Detection and Filtering: Reference (Chen and Hwang, 2006) presents a defense by combining discrete Fourier transform (DFT) and a hypothesis test framework to cope with shrew attacks. By computing the autocorrelation sequence of sampled time series and converting them into frequency-domain spectrum using DFT, the authors find that the power spectrum density (PSD) of a traffic stream containing shrew attacks that has much higher energy in low-frequency band than that appears in the spectrum for legitimate TCP/UDP traffic streams. Based on this distinction, we develop a distributed collaborative detection and filtering (CDF) scheme to detect and segregate the shrew attack flows from legitimate TCP/UDP traffic flows. In addition to software implementation, the scheme can be implemented by network processor or reconfigurable hardware. The DSP hardware pushes spectral analysis down to the lower packet-processing layer. If the packets are processed by hardware and malicious flows are filtered out timely, the router workload will not increase much in the presence of shrew attacks.

3. (3)

   Randomization on TCP Retransmission Timeout (RTO): Reference (Yang et al., 2004) proposes randomization on TCP RTO as defense against such attacks. With RTO randomization, an attacker cannot predict the next TCP timeout and consequently cannot inject the burst at the exact instant. The authors show that randomization can effectively mitigate the impact of DDoS attacks while maintaining fairness and friendliness to other connections.

4. (4)

   HAWK: Reference (Kwok et al., 2005) proposes a new stateful adaptive queue management technique called HAWK (Halting Anomaly with Weighted choKing) which works by judiciously identifying malicious shrew packet flows using a small flow table and dropping such packets decisively to halt the attack such that well-behaved TCP sessions can re-gain their bandwidth shares. The authors show that HAWK is highly agile.

5. (5)

   Shrew Attack Protection: Reference (Chang et al., 2010) presents a simple priority-tagging filtering mechanism, called SAP (Shrew Attack Protection), that protects well-behaved TCP flows against low-rate TCP-targeted Shrew attacks. In this method, a router maintains a simple set of counters and keeps track of the drop rate for each potential victim. If the monitored drop rates are low, all packets are treated as normal and equally compete to be admitted to the output queue and only dropped based on the AQM (Active Queue Management) policy when the output queue is almost full. However, if the drop rate for a certain victim becomes higher than some dynamically determined threshold (called fair drop rate), the router treats packets for this victim as high-priority, and these high-priority packets are preferentially admitted to the output queue. SAP marks victim packets as high priority until their drop rate is below the fair drop rate. By preferentially dropping normal packets to protect high-priority packets, SAP can prevent low rate TCP-targeted Shrew attacks from causing a well-behaved TCP flow to lose multiple consecutive packets repeatedly. This technique protects well-behaved TCP flows away from near zero throughput when under an attack.

6. (6)

   Treat as application-level attacks and discern anomalies: A way of detecting low rate DDoS attacks is to treat them as application-level attacks and look for anomalies in the payload of the incoming service requests. This is the approach taken by DDoS defense providers and requires costly deep-packet inspection. Reference (Jonker et al., 2016) presents an investigation in the adoption of cloud-based DDoS Protection Service providers worldwide. The authors focus on nine leading providers according to namely Akamai, CenturyLink, CloudFlare, DOSarrest, F5 Networks, Incapsula, Level 3, Neustar, and Verisign. The investigation is done on the basis of long-term, active DNS measurements, which allows for a given domain name, to verify if traffic diversion towards a DDoS Protection Service is in place or not.

7. (7)

   Feature Feature Score(FFSc): Reference (Hoque et al., 2016) introduces a statistical measure called Feature Feature Score (FFSc) for multivariate data analysis to distinguish DDoS attack traffic from normal traffic. The authors extract three features of network traffic, entropy of source IPs, variation of source IPs and packet rate to analyze the behavior of network traffic for attack detection. They build profiles of these features during normal operation and detect attack traffic as the traffic that deviates from these profiles.

8. (8)

   New Information Metrics: Reference (Xiang et al., 2011) proposes that the generalized entropy and information distance metrics outperform the traditional Shannon entropy and Kullback–Leibler distance metrics for the low-rate DDoS attack detection in terms of early detection, lower false positive rates, and stabilities. It proposes an effective IP traceback scheme based on an information distance metric that can trace all attacks back to their own local area networks (LANs) in a short time. The proposed generalized entropy metric can detect attacks several hops earlier than the traditional Shannon metric approach. The proposed information distance metric outperforms the popular Kullback-Leibler divergence approach as it can enlarge the adjudication distance and then obtain the optimal detection sensitivity.

9. (9)

   Expectation of Packet Size(EPS): Reference (Zhou et al., 2017) presents a measurement, expectation of packet size, that is based on the distribution difference of the packet size to distinguish low-rate DDoS attacks from legitimate traffic. The authors propose an expectation of packet size measurement to distinguish attack traffic from legitimate traffic. The proposed method is independent of the attack pattern; therefore, it can avoid the inherent shortcomings of the signature-based metric. Moreover, this approach can achieve a large distance gap between the attack traffics and the legitimate traffics, which could further contribute to a low false-positive rate.

10. (10)

    Traffic Cluster Entropy: Reference (Sachdeva and Kumar, 2014) proposes traffic cluster entropy as detection metric not only to detect DDoS attacks but also to distinguish DDoS attacks from Flash Events. The authors show that when flash events are triggered, source address entropy increases but the corresponding traffic cluster entropy does not increase. However, when DDoS attack is launched, traffic cluster entropy also increases along with source address entropy.

11. (11)

    E–LDAT: Reference (Bhuyan et al., 2016) proposes E‐LDAT, a lightweight extended‐entropy metric‐based system for both DDoS flooding attack detection and IP traceback. It aims to identify DDoS attacks effectively by measuring the metric difference between legitimate traffic and attack traffic. IP traceback is performed using the metric values for an attack sample detected by the detection scheme. This approach uses a generalized entropy metric with packet intensity computation on the sampled network traffic with respect to time. The authors show that E‐LDAT works well for detecting four classes of DDoS flooding attacks, including constant rate, pulsing rate, increasing rate and subgroup attacks.

12. (12)

    Machine Learning: Reference (Saied et al., 2016) proposes machine learning to detect and mitigate known and unknown DDoS attacks in real time environments. The authors chose an Artificial Neural Network (ANN) algorithm to detect DDoS attacks based on specific characteristic features (patterns) that separate DDoS attack traffic from genuine traffic.

13. (13)

    Flow Correlation Coefficient: Reference (Yu et al., 2012) proposes a discrimination algorithm using flow correlation coefficient as a similarity metric among suspicious flows. The authors present theoretical proofs for the feasibility of the proposed discrimination method.

14. (14)

    Multifractal Detrended Fluctuation Analysis(MF–DFA): Reference (Wu et al., 2016) proposes the algorithm of multifractal detrended fluctuation analysis to explore the change in terms of multifractal characteristics over a small scale of network traffic due to low rate DDoS attacks. Through wavelet analysis, the singularity and bursty of network traffic under low rate DDoS attacks are estimated by using Holder exponent. The difference values, known as D–value, of Holder exponent of network traffic between normal and under low rate DDoS attack situations are calculated. The D–value is used as the basis to determine low rate DDoS attacks. A detection threshold is set based on the statistical results. The presence of low rate DDoS attacks can be confirmed through comparing D–value with detection threshold. Experiments on detection performance have been performed in the test-bed network and simulation platform. The extensive experimental results are congruent with the theoretical analysis.

15. (15)

    FlowTrApp: Reference (Buragohain and Medhi, 2016) proposes DDoS defense using FlowTrApp. Software Defined Network (SDN) provides a central control over the network which helps in getting the global view of the network. FlowTrApp which performs DDoS detection and mitigation using some bounds on two per flow based traffic parameters that is flow rate and flow duration of a flow. It attempts to detect attack traffic ranging from low rate to high rate and long lived to short lived attacks using an SDN engine consisting of sFlow based flow analytics engine sFlow-RT and an OpenFlow controller.

16. (16)

    K–Nearest Neighbors traffic classification with correlation analysis (CKNN): Reference (Xiao et al., 2015) presents a detection approach based on K-nearest neighbors traffic classification with correlation analysis to detect DDoS attacks. The approach exploits correlation information of training data to improve the classification accuracy and reduce the overhead caused by the density of training data. Aiming at solving the huge cost, the authors also present a grid-based method named r-polling method for reducing training data involved in the calculation.

17. (17)

    Matching Pursuit and Orthogonal Matching Pursuit algorithms: Reference (Andrysiak et al., 2013) proposes to use Matching Pursuit and Orthogonal Matching Pursuit algorithms for DDoS detection. The major contribution of the paper is the proposition of 1D KSVD algorithm as well as its tree based structure representation (clusters), that can be applied to detect low-rate DDoS attacks and network anomalies. The method maintains the features of malicious traffic in form of tree to improve the classification performance and to optimize the implementation in terms of time complexity.

In this paper, we presented the classification and literature review of DDoS attacks. In spite of scrupulous research over the years to mitigate DDoS attacks, they still exist today, in fact, with larger intensities and impacts as there are different angles to consider. We also described some of the commonly used defense mechanisms. Also, we presented a literature review of the defenses for low-rate DDoS attacks that have not been handled effectively till today.