| Defense | Description | Autonomous? | Attack type | Protect? | Detect? | Respond? | Placement | DDoS condition mitigated |
|---|---|---|---|---|---|---|---|---|
| D-WARD | Detects suspicious flows by looking for an aggressive sending pattern coupled with an unresponsive destination, then rate-limits all but classified-legitimate flows to the target. | Yes | Flooding TCP and ICMP, some UDP floods, no flash crowds | No | Yes, via TCP and ICMP ratio statistics and UDP application models | Rate-limits outgoing traffic, lets legitimate traffic through | Source | Relieves link congestion by controlling the rate to the target |
| SOS | Defense nodes are organized into an overlay. Some nodes act as access points and authorize hosts (using a third-party approach); authorized traffic is then routed over the overlay to secure servlets, which encapsulate it and send it to a distributed firewall that only permits traffic from the servlets' IPs. The overlay uses Chord routing and is resilient to node failure. The victim is protected because its location is hidden and no access is permitted from outside the overlay. | No | Servers are protected against unauthorized access | Only authorized clients can access the server via the overlay. The server location is hidden behind a distributed firewall. | No | No | Distributed | Only trusted hosts can access the server. |
| WebSOS: Protecting Web Servers from DDoS Attacks | Same as SOS but uses TLS so that it does not require modification of end hosts. | No | Web servers are protected against unauthorized access | Yes, by a surrounding secure overlay of hidden nodes | No | No | Distributed | Only trusted hosts can access the server. |
| PacketScore | Many traffic parameters are observed during normal operation and the system builds value histograms. During an attack some parameters diverge from their expected values, and such traffic receives a low packet score. Filtering is done by this score, with a dynamically set threshold. | Yes | TCP, SYN, SQL Slammer worms, nominal attacks | No | Scoring mechanism that calculates conditional legitimate probabilities (CLP): online profiling of the incoming traffic, compared against the nominal traffic profile | Selective packet discarding depending on the score. Builds CDFs of CLP scores and uses a load-shedding algorithm to control the utilization of the victim | Victim | Relieves link congestion by controlling the rate to the target |
| DERM: Deterministic Edge Router Marking | Ingress routers mark packets with a deterministic mark, which is used at the victim for filtering. The authors assume a separate IDS that identifies attack traffic; the marks are then simply read off the identified packets and inserted into a filtering table. | Yes | Various attacks, depending on IDS power. | No | No (assumes the existence of an IDS) | Filters packets whose HashMark (ID field) is not found in the local record table. | Distributed | Reduces the rate of attack packets by filtering likely perpetrators' traffic |
| SCAN - Scalable content access network | Builds a content access network using distributed hash tables. Uses clustering of documents to reduce maintenance and location costs, and deploys overlay monitoring and reconfiguration. | No, requires a distributed network | Any DoS attack on an application that is protected by a mediator network of proxies | Yes, against proxy penetration and depletion attacks and against resource overload | No | Yes, by proxy migration and removal of compromised proxies (network reconfiguration) | Distributed | Relieves the rate at the target by sharing the load |
| SCOLD | The target uses a set of proxies and a modified DNS protocol to redirect traffic from legitimate clients, during an attack, to proxies, thereby exploiting multipath routing and distributing load. Traffic from attack clients is not redirected. | No, requires proxies | Flooding TCP and ICMP, some UDP floods, no flash crowds | Yes, control messages use SSL and participants are authenticated | No, assumes the existence of an IDS | No | Distributed | Redirects traffic from congested links and blackholes traffic from attack hosts. |
| Scalable DDoS Attack Protection | This is in fact route-based filtering: it associates a source IP with an incoming interface at the router, and sources that arrive on unexpected interfaces are dropped as spoofed. It removes close to 90% of spoofed packets if deployed at large ISPs. | No, must be deployed at specific locations | Spoofed traffic, using distributed packet filtering on routers | No | Only spoofed traffic | Drops spoofed traffic | Distributed | Removes spoofed traffic. |
| Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates | Similar to route-based filtering, but uses local information to build incoming tables associating a source IP with multiple possible interfaces. It removes close to 90% of spoofed packets if deployed at large ISPs. | No, must be deployed at specific locations | Spoofed traffic, using distributed packet filtering on routers | No | Only spoofed traffic | Drops spoofed traffic | Distributed | Removes spoofed traffic. |
| Roaming Honeypots | The server pool consists of servers and honeypots whose identities change over time. Trustworthy clients know the location-change function, while attackers get caught by honeypots, which remember their IPs and filter attack traffic. | No, requires client modification | Any kind of DoS attack | Yes, protection against various attacks, since only authorized clients can access the service | Yes, when servers work as honeypots | All connections are dropped when a server switches from honeypot to normal activity; traffic from identified attack IPs is also filtered | Victim, but requires client modification | Reduces target overload by filtering traffic from attack sources |
| History-based IP Filtering | The victim keeps a behavioral history for source IPs and, when attacked, filters out traffic from low-trust sources. Addresses that appear frequently or send a sufficient number of packets in the previous communication interval (2 weeks) are marked as trustworthy. | Yes | Any kind of DoS attack | No | Yes, by detecting high server utilization | Yes, by dropping traffic that is not from trustworthy sources | Victim | Reduces the rate of attack packets by allowing only old clients' traffic through |
| Ingress filtering | Exit routers filter outgoing traffic that does not carry an "inside" address and incoming traffic that does not carry an "outside" address. | Yes | Prevents all but subnet-spoofed traffic from the deploying network | No | No | No | Source | Removes spoofed traffic |
| Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring (SIM) | Detects attacks by monitoring the increase in new source IP addresses, using sequential change-point detection (CUSUM) for better accuracy. | Yes | Spoofed attacks | No | Yes, via an increase in the number of sources | No | Victim | None |
| Hop-count filtering | Filters spoofed packets based on the hop count, which cannot be spoofed. | Yes | Spoofed attacks | No | No | Yes, removes spoofed traffic | Victim | Removes spoofed traffic |
| Stateless Internet Flow Filter (SIFF) | Legitimate clients receive a capability token from the server and use it for future access to this server. Routers create capabilities by hashing source IPs with a router secret, and destinations simply return capabilities to the clients they wish to grant access to. Traffic carrying capabilities receives priority treatment. | No, requires client and router cooperation | All attacks | Yes, via prioritization of ticket-carrying traffic | No | No | Victim, but requires client and router modification | Reduces congestion by allowing only authorized clients' traffic |
| TVA - A DoS limiting network architecture | Similar to SIFF, but prioritizes capability-request traffic, keeps per-flow state at routers, grants capabilities for a certain number of packets, and uses longer marks. | No, requires client and router cooperation | All attacks | Yes, via prioritization of ticket-carrying traffic | No | No | Victim, but requires client and router modification | Reduces congestion by allowing only authorized clients' traffic |
| ICMP-based traceback | Routers sample, with low probability, the packets they forward and copy path information into ICMP messages sent to the destination. With enough traceback messages from enough routers along the path, the traffic source and path can be determined. | No | Lengthy attacks (floods) have a better chance of being traced back because they generate sufficient samples | No | No | Yes, via tracing back only | Intermediate routers and victim | None |
| Tracing based on link testing | Detects DoS attacks by doing controlled flooding of loaded links and observing the perturbation of input packet rates. | No | Lengthy attacks (floods) have a better chance of being traced back because they generate sufficient samples | No | No | Yes, via tracing back only | Intermediate routers and victim | None |
| SPIE - hash-based traceback | SPIE routers keep a cache of packet digests for recently forwarded packets. These can be queried later to build an attack graph that enables traceback. | No | All attacks | No | No | Yes, via tracing back only | Intermediate routers and victim | None |
| Probabilistic Packet Marking (PPM) | Routers mark packets probabilistically, allowing a victim to reconstruct the attack path. | No | Lengthy attacks (floods) have a better chance of being traced back because they generate sufficient samples | No | No | Yes, via tracing back only | Intermediate routers and victim | None |
| Pi: Path identification based on deterministic marking | Routers mark packets deterministically and stack those marks. The victim can use the marks to associate a source IP with a path identifier and thus filter out spoofed packets, or to identify high-volume paths. | No | All attacks | No | No | Yes, via tracing back only | Intermediate routers and victim | None |
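Hop-count filtering is the most self-contained of the victim-side spoofing defenses in the table, so here is a worked illustration of it. This Python example is added here and is not code from any of the papers listed; the initial-TTL set, the nearest-larger-initial-TTL rule, the tolerance parameter and the sample packets are assumptions and constructed values.

```python
"""Hop-count filtering (HCF): added example, not code from the papers above.
A packet's TTL reveals the hops travelled once the sender's initial TTL is
guessed; a spoofed packet carries the attacker's hop count, not that of the
address it claims, so it disagrees with a table learned from trusted traffic."""
from collections import Counter

# Initial TTLs set by common operating systems (assumed set).
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


def infer_hop_count(ttl):
    """Hops travelled, assuming the smallest initial TTL >= observed TTL.
    Caveat: an observed TTL of 33..60 is attributed to initial 60, so a
    64-initial host more than 3 hops away is counted from 60 instead."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL out of range: %d" % ttl)


class HopCountFilter:
    """IP-to-hop-count table built in normal operation, consulted under attack."""

    def __init__(self, tolerance=0):
        self.table = {}             # src_ip -> expected hop count
        self.tolerance = tolerance  # slack for minor route changes

    def learn(self, src_ip, ttl):
        """Learn only from traffic the victim trusts (e.g. completed handshakes)."""
        self.table[src_ip] = infer_hop_count(ttl)

    def check(self, src_ip, ttl):
        """Classify an incoming packet as legit, spoofed or unknown."""
        expected = self.table.get(src_ip)
        if expected is None:
            return "unknown"
        if abs(infer_hop_count(ttl) - expected) <= self.tolerance:
            return "legit"
        return "spoofed"


def demo():
    """Run constructed packets through the filter; returns label counts."""
    hcf = HopCountFilter()
    # Learning phase: (src_ip, ttl) from earlier legitimate sessions (constructed).
    for src, ttl in [("203.0.113.5", 116), ("198.51.100.9", 245)]:
        hcf.learn(src, ttl)  # 128-116 = 12 hops, 255-245 = 10 hops
    # Attack phase: two genuine packets, one spoofing 203.0.113.5 from a host
    # 8 hops away (TTL 120), and one from an address never seen before.
    attack = [("203.0.113.5", 116), ("198.51.100.9", 245),
              ("203.0.113.5", 120), ("192.0.2.77", 60)]
    return dict(Counter(hcf.check(src, ttl) for src, ttl in attack))
```

Unknown sources are the real operational decision point: HCF only has an opinion about addresses it has already learned, so the filter is best combined with a trusted learning source such as completed TCP handshakes.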