DoS/DDoS Defence Mechanisms & Classification

Part of the document MULTI CORE ARCHITECTURE FOR DoS/DDoS COUNTERMEASURE BASED ON RECONFIGURABLE HARDWARE (pages 28 - 31)

DDoS defence mechanisms are countermeasure mechanisms to mitigate DDoS attacks.

Following the DDoS attack classification, DDoS defence mechanisms are classified into network-level and application-level mechanisms [2]. Network-level defence mechanisms mitigate DDoS attacks that operate at the network and transport layers; they are further categorised by deployment location into source-based, network-based, destination-based and hybrid mechanisms. Application-level defence mechanisms mitigate DDoS attacks that exploit application-layer vulnerabilities. Each mechanism is discussed in detail below.

Network-level defence mechanisms

Source-based mechanism: These mechanisms are deployed near the source of the attack to prevent a customer network from generating DDoS attack traffic. They are placed at the access router of the source's local network, or at the access routers of the autonomous system (AS) that connects to the source's edge routers.

CHAPTER 2. BACKGROUND AND RELATED WORK

Port Ingress/Egress Filtering (PIEF), proposed by Ferguson [15] (the ingress filtering standardised as RFC 2827 / BCP 38), filters spoofed packets. Whether a filter is called ingress or egress depends on where it is deployed. Ingress filtering is applied to inbound traffic: a packet arriving on an interface with a source address that could not legitimately originate behind that interface is spoofed and is blocked. Egress filtering is applied to outbound traffic, ensuring that packets with spoofed or otherwise illegitimate source addresses never leave the internal network. IPsec can also eliminate spoofed packets by authenticating the source address before packets are delivered, but it is not widely used for this purpose because of its high overhead.
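The two filter directions above, as an added example written for this page (not code from the thesis or from [15]): an access router model where each customer-facing interface is bound to the prefix allocated to that customer, so the ingress rule drops any packet whose source lies outside the prefix of the interface it arrived on, and the egress rule drops any outbound packet whose source is not one of the operator's own addresses. The interface names, prefixes and sample packets are constructed assumptions.

```python
"""Ingress/egress source-address filtering at an access router, as described for PIEF.

Added example written for this page, not code from the thesis or from [15].
The interface names, customer prefixes and internal prefix are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet arrived on
    direction: str   # "ingress": entering from a customer; "egress": leaving our network


# Assumed topology: each customer-facing interface is bound to the prefix(es)
# allocated to that customer, so a packet from that interface may only carry
# a source address inside those prefixes.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}
# Assumed: address space owned by the operator's own network.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def ingress_allowed(pkt):
    """Ingress rule: a packet entering on interface X must use a source address
    from the prefix assigned to X. Unknown interfaces fail closed."""
    allowed = CUSTOMER_PREFIXES.get(pkt.iface)
    if allowed is None:
        return False
    return _in_any(pkt.src, allowed)


def egress_allowed(pkt):
    """Egress rule: a packet leaving our network must carry one of our own
    source addresses, so spoofed packets never leave the internal network."""
    return _in_any(pkt.src, INTERNAL_PREFIXES)


def filter_packets(packets):
    """Apply the rule matching each packet's direction; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        check = ingress_allowed if pkt.direction == "ingress" else egress_allowed
        (forwarded if check(pkt) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", "cust-a", "ingress"),      # legitimate customer source
    Packet("8.8.8.8", "192.0.2.10", "cust-a", "ingress"),          # spoofed: not cust-a's space
    Packet("198.51.100.200", "192.0.2.10", "cust-b", "ingress"),   # spoofed: outside cust-b's /25
    Packet("192.0.2.5", "203.0.113.7", "uplink", "egress"),        # legitimate outbound
    Packet("10.0.0.1", "203.0.113.7", "uplink", "egress"),         # spoofed outbound
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for p in fwd:
        print("FORWARD", p.direction, p.src, "->", p.dst)
    for p in drp:
        print("DROP   ", p.direction, p.src, "->", p.dst)
```

The check is only as good as the interface-to-prefix binding: a customer interface left without an entry fails closed here, which is the safe default, but a prefix list that is wider than the customer's real allocation lets spoofing through unnoticed.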

Destination-based mechanism: These mechanisms are deployed near the victim to detect and mitigate DDoS attacks. The Management Information Base (MIB) [16] provides a way to monitor network traffic and routing statistics, and can be used at the victim side to detect DDoS attacks.

Wang et al. [17] proposed Hop-Count Filtering (HCF), which filters spoofed packets based on the number of hops a packet traversed before arriving at the victim. Each packet starts with an initial Time-To-Live (TTL) value set by the sender. Every router (hop) decrements the TTL by one before forwarding; a packet whose TTL reaches zero is dropped and the router returns an ICMP "TTL exceeded in transit" message to the source. The TTL observed at the victim therefore reflects the length of the path the packet actually travelled: an attacker can forge the source address, but cannot change how many routers lie between its own machine and the victim, so the hop count cannot be forged in the same way as the address (the attacker can still tune the initial TTL, which is why detection is probabilistic rather than perfect). The hop count is calculated as the difference between the inferred initial TTL and the TTL seen at the destination. While not under attack, the victim records each source IP address together with its hop count in an IP-to-Hop-Count (IP2HC) table. During an attack, each packet's source IP and hop count are looked up in IP2HC: if they match, the packet is legitimate; otherwise it is spoofed and dropped. The paper claims that HCF identifies about 90% of spoofed packets.

Ritu et al. [18] combined probabilistic hop-count filtering with round-trip-time checks in Distributed Probabilistic HCF-Round Trip Time (DPHCF-RTT). Each packet is checked once by an intermediate DPHCF-RTT router (node) and then forwarded to the victim. The more intermediate routers implement the check, the higher the detection rate for malicious packets; the paper claims a detection rate of up to 99.33%.
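The HCF procedure described above, as an added example written for this page (not the authors' code from [17]): hop count is inferred from the observed TTL by assuming the nearest common initial TTL, an IP2HC table is learned from attack-free traffic, and attack traffic is then checked against it. The initial-TTL set, the majority vote for sources that show more than one hop count, the pass-through of unknown sources and the sample traffic are assumptions; the sample also includes one spoofed packet that HCF cannot catch, to show why the detection rate is not 100%.

```python
"""Hop-Count Filtering (HCF) as described above: infer the hop count from the
TTL seen at the victim, learn an IP-to-Hop-Count (IP2HC) table from attack-free
traffic, then drop packets whose (source, hop count) pair contradicts the table.

Added example written for this page, not the authors' code from [17]. The set of
initial TTLs, the majority-vote policy for conflicting observations, the handling
of unknown sources and the sample traffic are assumptions.
"""
from collections import Counter, defaultdict

# Assumed: default initial TTLs of common operating systems. (The paper also
# considers 30 and 60; they are omitted here to keep the inference unambiguous.)
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(observed_ttl):
    """Hop count = inferred initial TTL - observed TTL. The initial TTL is taken
    to be the smallest default not below the observed value, which is correct
    as long as the real path is shorter than the gap between two defaults."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 is in INITIAL_TTLS")


def build_ip2hc(samples):
    """samples: (src_ip, observed_ttl) pairs collected while not under attack.
    Returns {src_ip: hop_count}. If a source shows several hop counts (e.g. a
    route change), keep the most frequent one (assumed policy)."""
    seen = defaultdict(Counter)
    for ip, ttl in samples:
        seen[ip][infer_hop_count(ttl)] += 1
    return {ip: counts.most_common(1)[0][0] for ip, counts in seen.items()}


def is_spoofed(ip2hc, src_ip, observed_ttl, tolerance=0):
    """True when the hop count implied by the TTL disagrees with the learned
    one by more than `tolerance`. Sources absent from the table cannot be
    judged and are passed (assumed policy; a stricter deployment could treat
    them as suspicious while an attack is in progress)."""
    expected = ip2hc.get(src_ip)
    if expected is None:
        return False
    return abs(infer_hop_count(observed_ttl) - expected) > tolerance


def filter_attack_traffic(ip2hc, packets, tolerance=0):
    """Split (src_ip, ttl) packets into (accepted, dropped) using the IP2HC table."""
    accepted, dropped = [], []
    for src, ttl in packets:
        (dropped if is_spoofed(ip2hc, src, ttl, tolerance) else accepted).append((src, ttl))
    return accepted, dropped


# Constructed learning traffic (no attack): 203.0.113.7 is 12 hops away (one
# sample shows 11, a transient route), 198.51.100.9 is 8 hops, 192.0.2.44 is 15.
LEARNING = [
    ("203.0.113.7", 52), ("203.0.113.7", 52), ("203.0.113.7", 53),
    ("198.51.100.9", 120),
    ("192.0.2.44", 240),
]

# Constructed attack traffic with spoofed sources.
ATTACK = [
    ("203.0.113.7", 52),    # consistent with the table -> accepted
    ("203.0.113.7", 120),   # attacker 8 hops away spoofing a 12-hop source -> dropped
    ("192.0.2.44", 59),     # 5 hops vs. expected 15 -> dropped
    ("198.51.100.9", 56),   # attacker's own path gives 8 hops, same as the real
                            # source: HCF cannot catch it (hence ~90%, not 100%)
    ("10.9.8.7", 100),      # never seen before -> passed by the assumed policy
]

if __name__ == "__main__":
    table = build_ip2hc(LEARNING)
    ok, bad = filter_attack_traffic(table, ATTACK)
    print("IP2HC:", table)
    print("accepted:", ok)
    print("dropped:", bad)
```

A `tolerance` of 1 or 2 absorbs the small hop-count drift caused by route changes at the cost of letting nearby attackers through; the paper's 90% figure is the trade-off between these two error sources, not a property of the TTL arithmetic itself.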

Network-based mechanism: These mechanisms are deployed mainly on the routers of ASs. They detect attack traffic and respond to stop it within the intermediate network. Detecting and filtering malicious routers [19] is one such method. WATCHERS [2] detects misbehaving routers that an attacker has taken over to support a DDoS attack, for example by misrouting packets. Route-based packet filtering [20] extends PIEF to routers in the core of the Internet, so that they can filter packets whose source address is inconsistent with the route on which they arrived.

Hybrid (Distributed) mechanism: No mechanism deployed at a single location mitigates DDoS attacks effectively. Attack traffic can be detected accurately once it reaches the destination, but mitigation there is ineffective because the traffic has already consumed the bandwidth on the path to the victim. At the source of the attack, DDoS traffic is hard to detect, but it is the one place where it could be stopped completely.

Hybrid (distributed) mechanisms therefore combine components at several locations to mitigate DDoS effectively. Active Internet Traffic Filtering (AITF) [21] is a hybrid mechanism that lets a receiver deny all traffic by default and accept only traffic belonging to an established connection. In the alternative configuration, the receiver accepts all traffic by default and denies only traffic it has identified as malicious or undesirable. The method requires the cooperation of every Internet service provider (ISP): each must accept filter requests from receivers and filter the traffic close to its source. StopIt [22] is a hybrid mechanism that lets each receiver stop an attack at its source. Every AS runs a StopIt server that filters malicious traffic on request from hosts or from other StopIt servers. When a receiver detects malicious traffic, it sends a StopIt request, carrying the traffic's source and destination, to the StopIt server in its own AS. That server forwards the request to the StopIt server of the AS from which the traffic originates, and the source AS's server then instructs the access router connected to the offending host to block the traffic. The mechanism requires the cooperation of all ASs on the Internet. Figure 2.4 shows how StopIt works.

Figure 2.4: StopIt mechanism
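The StopIt request path described above, as an added example written for this page (not the StopIt authors' code [22]): a small two-AS simulation in which the victim's local StopIt server forwards the request to the server of the AS owning the attacking source, which installs a filter on its access router. The AS numbers, prefixes, message fields and the rule that a server only accepts requests from hosts inside its own AS are assumptions; the third case in the usage shows what happens when the source AS does not participate.

```python
"""Simulation of the StopIt request path described above. Added example written
for this page, not the StopIt authors' code [22]. The AS numbers, prefixes,
message fields and the rule that a server only accepts requests from hosts in
its own AS are assumptions made for illustration.

Each AS runs one StopIt server. A victim asks its own AS's server; that server
forwards the request to the server of the AS owning the attacking source, which
installs a (src, dst) filter on the access router in front of the offending host.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class StopItRequest:
    src: str                                   # offending source address
    dst: str                                   # victim address
    path: list = field(default_factory=list)   # ASNs whose servers handled it


@dataclass
class AccessRouter:
    """Access router of one AS; forwards everything not explicitly blocked."""
    blocked: set = field(default_factory=set)

    def install_filter(self, src, dst):
        self.blocked.add((src, dst))

    def forwards(self, src, dst):
        return (src, dst) not in self.blocked


class StopItServer:
    def __init__(self, asn, prefixes, router, directory):
        self.asn = asn
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        self.router = router          # single access router per AS (simplification)
        self.directory = directory    # shared map asn -> StopItServer

    def owns(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in p for p in self.prefixes)

    def request_from_host(self, req):
        """Entry point used by a victim. Assumed check: only hosts inside this AS
        may ask this server, otherwise StopIt itself becomes a way to DoS others."""
        if not self.owns(req.dst):
            return False
        return self.handle(req)

    def handle(self, req):
        """Filter locally if the source is ours, else forward to the source AS."""
        req.path.append(self.asn)
        if self.owns(req.src):
            self.router.install_filter(req.src, req.dst)
            return True
        for server in self.directory.values():
            if server.owns(req.src):
                return server.handle(req)
        return False   # source AS does not run StopIt: the attack cannot be stopped


def build_internet():
    """Constructed two-AS topology (not real data)."""
    directory = {}
    directory[64500] = StopItServer(64500, ["192.0.2.0/24"], AccessRouter(), directory)
    directory[64501] = StopItServer(64501, ["203.0.113.0/24"], AccessRouter(), directory)
    return directory


def victim_stops(directory, victim, attacker):
    """Victim-side action: send a StopIt request via the local AS server.
    Returns (stopped?, list of ASNs the request traversed)."""
    local = next((s for s in directory.values() if s.owns(victim)), None)
    if local is None:
        return False, []
    req = StopItRequest(src=attacker, dst=victim)
    return local.request_from_host(req), req.path


if __name__ == "__main__":
    net = build_internet()
    print(victim_stops(net, "192.0.2.10", "203.0.113.9"))   # (True, [64500, 64501])
    print(victim_stops(net, "192.0.2.10", "198.51.100.7"))  # (False, [64500])
    print(victim_stops(net, "198.51.100.7", "203.0.113.9")) # (False, [])
```

The installed filter is per (source, destination) pair, so the offending host keeps its connectivity to everyone except the victim; the simulation also makes the "cooperation of all ASs" requirement concrete, since a source inside a non-participating AS simply cannot be reached by the request.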

Application-level defence mechanisms

Destination-based (server-side) mechanism: Most application-layer protocols follow a client-server model. A server is a process that implements a specific service (e.g., a DNS, web or e-mail server); a client is a process that requests a service from a server. Most mechanisms in this class are therefore implemented on, or closely observe, the server in order to monitor client behaviour and detect, drop or rate-limit malicious requests. The DNS Amplification Attacks Detector (DAAD) [23] is an example. DAAD proactively detects potential DNS amplification attacks: it captures DNS requests and replies with the IPTraf tool [24], stores the captured data in a MySQL database for classification, and treats any reply that does not match a request within a time frame as suspicious, updating a firewall rule to block the sending IP address. (In an amplification attack that sender is the reflecting resolver rather than the attacker's own address, which is spoofed in the requests.)
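The request/reply matching at the core of DAAD, as an added example written for this page (not DAAD's code): replies are matched to an outstanding request by transaction ID, query name and swapped addresses within a time window, unmatched replies are flagged, and senders of repeated unsolicited replies are turned into firewall rules. DAAD captures with IPTraf and classifies from a MySQL database; here the capture is a constructed in-memory list and the firewall update is rendered as iptables commands. The record fields, the 2 s window and the blocking threshold are assumptions.

```python
"""Request/reply matching for DNS amplification detection, in the spirit of DAAD [23].

Added example written for this page, not DAAD's code. DAAD captures with IPTraf and
classifies from a MySQL database; here the capture is a constructed in-memory list
and the firewall update is returned as a list of addresses to block. The record
fields, the 2 s time window and the blocking threshold are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: float        # capture time in seconds
    src: str
    dst: str
    txid: int        # DNS transaction ID
    qname: str
    is_reply: bool


WINDOW = 2.0   # assumed: a reply must arrive within 2 s of its request


def find_unsolicited_replies(records, window=WINDOW):
    """Return replies with no matching outstanding request, where a match means
    the same transaction ID and name, with the request's (src, dst) swapped,
    seen no more than `window` seconds earlier. Each request satisfies at most
    one reply, so duplicate replies are also flagged."""
    pending = {}
    unsolicited = []
    for r in sorted(records, key=lambda x: x.ts):
        if not r.is_reply:
            pending[(r.src, r.dst, r.txid, r.qname.lower())] = r.ts
            continue
        key = (r.dst, r.src, r.txid, r.qname.lower())   # reply's dst is the requester
        t_req = pending.pop(key, None)
        if t_req is None or r.ts - t_req > window:
            unsolicited.append(r)
    return unsolicited


def firewall_rules(unsolicited, min_count=2):
    """Addresses to block: senders of at least `min_count` unsolicited replies.
    The threshold keeps one late reply from a genuine resolver from blocking it.
    Caveat inherent to the mechanism: in an amplification attack the blocked
    address is the reflecting resolver, not the attacker, whose own address is
    spoofed in the requests it sends."""
    counts = Counter(r.src for r in unsolicited)
    return sorted(ip for ip, n in counts.items() if n >= min_count)


def iptables_lines(addresses):
    """Render the block list as iptables commands (rule shape assumed for illustration)."""
    return [f"iptables -I INPUT -s {ip} -p udp --sport 53 -j DROP" for ip in addresses]


# Constructed capture: 192.0.2.10 is the monitored host, 198.51.100.53 its real
# resolver, 203.0.113.5 an open resolver reflecting replies the host never asked for.
CAPTURE = [
    DnsRecord(0.00, "192.0.2.10", "198.51.100.53", 0x1A2B, "example.com", False),
    DnsRecord(0.03, "198.51.100.53", "192.0.2.10", 0x1A2B, "example.com", True),   # matched
    DnsRecord(0.10, "203.0.113.5", "192.0.2.10", 0x7777, "isc.org", True),         # unsolicited
    DnsRecord(0.11, "203.0.113.5", "192.0.2.10", 0x7778, "isc.org", True),         # unsolicited
    DnsRecord(1.00, "192.0.2.10", "198.51.100.53", 0x2C3D, "example.org", False),
    DnsRecord(4.00, "198.51.100.53", "192.0.2.10", 0x2C3D, "example.org", True),   # too late
]

if __name__ == "__main__":
    bad = find_unsolicited_replies(CAPTURE)
    for r in bad:
        print(f"unsolicited reply at t={r.ts:.2f}s from {r.src} txid=0x{r.txid:04x} {r.qname}")
    for line in iptables_lines(firewall_rules(bad)):
        print(line)
```

The late reply from the genuine resolver shows why a threshold matters: with `min_count=1` the host would block its own resolver after a single slow answer, which is exactly the kind of self-inflicted outage a reflector attack is designed to provoke.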

Hybrid (Distributed) mechanism: This type of mechanism relies on collaboration between client and server to detect and react to attacks. For instance, Kandula et al. propose a system that protects a web cluster from application-layer DDoS attacks using a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) [25]. It distinguishes flooding bots from humans by asking the client to solve a puzzle: a client that solves the puzzle is treated as a legitimate user; otherwise it is considered suspicious and filtered.
