Distributed Denial of Service:Taxonomies of Attacks, Tools and Countermeasures

Stephen M. SpechtElectrical EngineeringPrinceton UniversityPrinceton, NJ 08544

stephen.specht@us.army.mil

Ruby B. LeeElectrical EngineeringPrinceton UniversityPrinceton, NJ 08544rblee@princeton.edu

Abstract

Distributed Denial of Service (DDoS) attackshave become a large problem for users of computersystems connected to the Internet. DDoS attackers hijacksecondary victim systems using them to wage acoordinated large-scale attack against primary victimsystems. As new countermeasures are developed toprevent or mitigate DDoS attacks, attackers are constantlydeveloping new methods to circumvent these newcountermeasures.

In this paper, we describe DDoS attack modelsand propose taxonomies to characterize the scope ofDDoS attacks, the characteristics of the software attacktools used, and the countermeasures available. Thesetaxonomies illustrate similarities and patterns in differentDDoS attacks and tools, to assist in the development ofmore generalized solutions to countering DDoS attacks,including new derivative attacks.

1 INTRODUCTION

A Denial of Service (DoS) attack is an attackwith the purpose of preventing legitimate users from usinga specified network resource such as a website, webservice, or computer system [1]. A Distributed Denial ofService (DDoS) attack is a coordinated attack on theavailability of services of a given target system or networkthat is launched indirectly through many compromisedcomputing systems. The services under attack are thoseof the “primary victim”, while the compromised systemsused to launch the attack are often called the “secondaryvictims.” The use of secondary victims in a DDoS attackprovides the attacker with the ability to wage a muchlarger and more disruptive attack while remaininganonymous since the secondary victims actually performthe attack making it more difficult for network forensics totrack down the real attacker.

In February of 2000, one of the first major DDoSattacks was waged against Yahoo.com, keeping it off theInternet for about 2 hours, costing it lost advertisingrevenue [2]. Recently, attackers used a series of DDoS

attacks against a variety of companies providing anti-spamservices [3]. These attacks caused many of them to shutdown their services.

DDoS attacks are relatively new and not wellunderstood. This paper proposes taxonomies forunderstanding different DDoS attacks, tools, andcountermeasures. We hope these taxonomies aid inunderstanding the scope of DDoS attacks, leading to morecomprehensive solutions or countermeasures to cover bothknown attacks and those that have not yet occurred. Thispaper is also the first to characterize the setup andinstallation techniques of DDoS attack architectures,identifying both active and passive classes.

In Section 2 we describe classes of DDoS attackarchitectures. In Section 3 we present our taxonomy forDDoS attacks. In Section 4 we present the softwarecharacteristics for DDoS attack tools emphasizing howthese tools are setup on secondary victim systems. InSection 5 we present a taxonomy of different DDoScountermeasures. We conclude in Section 6. 2 DDoS ATTACK ARCHITECTURES

Two types of DDoS attack networks haveemerged: the Agent-Handler model and the Internet RelayChat (IRC)-based model.

The Agent-Handler model of a DDoS attackconsists of clients, handlers, and agents (see Figure 1).The client is where the attacker communicates with therest of the DDoS attack system. The handlers are softwarepackages located throughout the Internet that theattacker’s client uses to communicate with the agents. Theagent software exists in compromised systems that willeventually carry out the attack. The attackercommunicates with any number of handlers to identifywhich agents are up and running, when to scheduleattacks, or when to upgrade agents. The owners and usersof the agent systems typically have no knowledge thattheir system has been compromised and will be taking partin a DDoS attack. Depending on how the attackerconfigures the DDoS attack network, agents can be

This work was supported in part by NSF CCR-0208946. Stephen Specht is now a Computer Engineer with the US Army Information Operations Division, Fort Monmouth, NJ.

Stephen M. Specht and Ruby B. Lee, Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures. Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004 International Workshop on Security in Parallel and Distributed Systems, pp. 543-550, September 2004

instructed to communicate with a single handler ormultiple handlers. Usually, attackers will try to place thehandler software on a compromised router or networkserver that handles large volumes of traffic. This makes itharder to identify messages between the client and handlerand between the handler and agents. In descriptions ofDDoS tools, the terms “handler” and “agents” aresometimes replaced with “master” and “daemons”,respectively.

The IRC-based DDoS attack architecture issimilar to the Agent-Handler model except that instead ofusing a handler program installed on a network server, anIRC (Internet Relay Chat) communication channel is usedto connect the client to the agents. An IRC channelprovides an attacker with additional benefits such as theuse of “legitimate” IRC ports for sending commands tothe agents [4]. This makes tracking the DDoS commandpackets more difficult. Additionally, IRC servers tend tohave large volumes of traffic making it easier for theattacker to hide his presence. Another advantage is thatthe attacker does not need to maintain a list of the agents,since he can log on to the IRC server and see a list of allavailable agents [4]. The agent software installed in theIRC network usually communicates to the IRC channeland notifies the attacker when the agent is up and running.

In an IRC-based DDoS attack architecture, theagents are often referred to as “Zombie Bots” or “Bots”.

In both IRC-based and Agent-Handler DDoS attackmodels, we refer to the agents as “secondary victims” or“zombies”, and the target of the DDoS attack as the“primary victim”. Well-designed agent software uses onlya small proportion of resources (memory and bandwidth)so that the users of secondary-victim systems experienceminimal performance impact when their systemparticipates in a DDoS attack.

3 DDoS ATTACK TAXONOMY

There are a wide variety of DDoS attacks. Wepropose a taxonomy of the main DDoS attack methods inFigure 3. There are two main classes of DDoS attacks:bandwidth depletion and resource depletion attacks. Abandwidth depletion attack is designed to flood the victimnetwork with unwanted traffic that prevents legitimatetraffic from reaching the primary victim. A resourcedepletion attack is an attack that is designed to tie up theresources of a victim system making the victim unable toprocess legitimate requests for service.

3.1 Bandwidth Depletion Attacks

Bandwidth depletion attacks can be characterizedas flood attacks and amplification attacks.

Flood Attacks. A flood attack involveszombies sending large volumes of traffic to a victimsystem, to congest the victim system’s network bandwidthwith IP traffic. The victim system slows down, crashes, orsuffers from saturated network bandwidth, preventingaccess by legitimate users. Flood attacks have beenlaunched using both UDP (User Datagram Protocol) andICMP (Internet Control Message Protocol) packets.

In a UDP Flood attack, a large number of UDPpackets are sent to either random or specified ports on thevictim system. The victim system tries to process theincoming data to determine which applications haverequested data. If the victim system is not running anyapplications on the targeted port, it will send out an ICMPpacket to the sending system indicating a “destination portunreachable” message [5].

Often, the attacking DDoS tool will also spoofthe source IP address of the attacking packets. This helpshide the identity of the secondary victims since returnpackets from the victim system are not sent back to thezombies, but to the spoofed addresses. UDP flood attacksmay also fill the bandwidth of connections located aroundthe victim system. This often impacts systems located nearthe victim.

An ICMP flood attack occurs when the zombiessend large volumes of ICMP_ECHO_REPLY packets(“ping”) to the victim system. These packets signal thevictim system to reply and the combination of traffic

Figure 2: DDoS IRC-Based Attack Model

A … A

…Attacker Attacker Client

IRC

A … A

Victim

Agent

…Attacker

H H H . . . . H

Client

Handler

A … A

Attacker

A … A A … AAgent

Victim

Figure 1: DDOS Agent-Handler Attack Model

saturates the bandwidth of the victim’s networkconnection [5]. During this attack, the source IP address ofthe ICMP packet may also be spoofed.

Amplification Attacks. An amplification attackinvolves the attacker or the zombies sending messages to abroadcast IP address, using this to cause all systems in thesubnet reached by the broadcast address to send a reply tothe victim system. The broadcast IP address feature isfound on most routers; when a sending system specifies abroadcast IP address as the destination address, the routersreplicate the packet and send it to all the IP addresseswithin the broadcast address range. In this attack, thebroadcast IP address is used to amplify and reflect theattack traffic, and thus reduce the victim system’sbandwidth.

The attacker can send the broadcast messagedirectly, or use the agents to send the broadcast messageto increase the volume of attacking traffic. If the attackerdecides to send the broadcast message directly, this attackprovides the attacker with the ability to use the systemswithin the broadcast network as zombies without needingto infiltrate them or install any agent software.

A DDoS Smurf attack is an example of anamplification attack where the attacker sends packets to anetwork amplifier (a system supporting broadcastaddressing), with the return address spoofed to thevictim’s IP address. The attacking packets are typicallyICMP ECHO REQUESTs, which are packets (similar to a“ping”) that request the receiver to generate an ICMPECHO REPLY packet [6]. The amplifier sends the ICMPECHO REQUEST packets to all of the systems within thebroadcast address range, and each of these systems willreturn an ICMP ECHO REPLY to the target victim’s IPaddress [7]. This type of attack amplifies the original packettens or hundreds of times.

Another example is the DDoS Fraggle attack, wherethe attacker sends packets to a network amplifier, usingUDP ECHO packets [8]. There is a variation of the

Fraggle attack where the UDP ECHO packets are sent tothe port that supports character generation (chargen, port19 in Unix systems), with the return address spoofed tothe victim’s echo service (echo, port 7 in Unix systems)creating an infinite loop [9]. The UDP Fraggle packet willtarget the character generator in the systems reached bythe broadcast address. These systems each generate acharacter to send to the echo service in the victim system,which will send an echo packet back to the charactergenerator, and the process repeats. This attack cangenerate more bad traffic and cause more damage than aSmurf attack.

3.2 Resource Depletion Attacks

DDoS resource depletion attacks involve theattacker sending packets that misuse network protocolcommunications or are malformed. Network resources aretied up so that none are left for legitimate users.

Protocol Exploit Attacks. We give twoexamples, one misusing the TCP SYN (Transfer ControlProtocol Synchronize) protocol, and the other misusingthe PUSH+ACK protocol.

In a DDoS TCP SYN attack, the attackerinstructs the zombies to send bogus TCP SYN requests toa victim server in order to tie up the server’s processorresources, and hence prevent the server from respondingto legitimate requests. The TCP SYN attack exploits thethree-way handshake between the sending system and thereceiving system by sending large volumes of TCP SYNpackets to the victim system with spoofed source IPaddresses, so the victim system responds to a non-requesting system with the ACK+SYN. When a largevolume of SYN requests are being processed by a serverand none of the ACK+SYN responses are returned, theserver eventually runs out of processor and memoryresources, and is unable to respond to legitimate users.

In a PUSH + ACK attack, the attacking agentssend TCP packets with the PUSH and ACK bits set to

one. These triggers in the TCP packetheader instruct the victim system tounload all data in the TCP buffer(regardless of whether or not the bufferis full) and send an acknowledgementwhen complete. If this process isrepeated with multiple agents, thereceiving system cannot process thelarge volume of incoming packets andthe victim system will crash.

Malformed Packet attacks.A malformed packet attack is an attackwhere the attacker instructs the zombiesto send incorrectly formed IP packets tothe victim system in order to crash it.

Figure 3: DDoS Attack TaxonomyDDoS Attack

Bandwidth Depletion Resource Depletion

Flood Attack Protocol Exploit Attack Malformed Packet Attack

Amplification Attack

UDP ICMP Smurf Fraggle TCP SYN PUSH + ACK

IP Address IP Packet OptionsRandom Port Same Port Direct Loop

There are at least two types of malformed packet attacks.In an IP address attack, the packet contains the samesource and destination IP addresses. This can confuse theoperating system of the victim system and can cause thevictim system to crash. In an IP packet options attack, amalformed packet may randomize the optional fieldswithin an IP packet and set all quality of service bits toone so that the victim system must use additionalprocessing time to analyze the traffic. If this attack ismultiplied, it can exhaust the processing ability of thevictim system.

4 DDoS ATTACK TOOLS

DDoS attack tools include a number of commonsoftware characteristics. Figure 4 shows some of thesecommon elements: how agents are setup, agent activation,whether the communication is encrypted, and whichoperating systems (OS) are supported.

4.1 DDoS Agent Setup

We classify the ways that attackers installmalicious DDoS agent code onto a secondary victimsystem as either active or passive. Active DDoS agentinstallation methods typically involve the attackerscanning the network for systems with knownvulnerabilities, running scripts to break into the system,and stealthily installing the DDoS agent software. Inpassive DDoS installation methods, the secondary victimunwittingly causes the DDoS agent software to beinstalled by opening a corrupted file or visiting acorrupted web-site.

Active Scanning. Before installing DDoSsoftware, attackers first run scanning tools, such as theport scanner Nmap, to identify potential secondary victimsystems. Nmap allows attackers to select ranges of IPaddresses to scan. The tool will then proceed to searchthe Internet for each of these IP addresses and returninformation that each IP address is broadcasting such asopen TCP and UDP ports and the specific OS of thescanned system [10]. An attacker selects secondary victimtargets from this list, targeting software and backdoorvulnerabilities.

Once the attacker has scanned for a list ofvulnerable systems, he will need to exploit thevulnerability to gain access to the secondary victim systemand install the DDoS agent code. There are many sourceson the Internet, such as the Common Vulnerabilities andExposures (CVE) organization, which publicly lists over2,000 of the known vulnerabilities of different systems [11].This information is available so network administratorscan make their systems more secure; however, it alsoprovides attackers with data about existing vulnerabilities.

A common software vulnerability is the bufferoverflow problem. A buffer is a continuous block ofmemory (with a finite size) that serves as a temporary datastorage area within a computer. A buffer overflow is anattack that sends more data into the buffer than the size ofthe buffer. This causes the extra data to overwrite otherinformation adjacent to the buffer in the memory stack,such as a procedure return address [13]. This can cause thecomputer to return from a procedure call to maliciouscode included in the data that overwrites the buffer. This

malicious code can beused to start a programof the attacker’schoosing (such as aDDoS Agent) orprovide access to thevictim’s computer sothat the attacker caninstall the DDoS Agentcode.

An example ofa backdoorvulnerability is aTrojan horse program.This is a program thatappears to perform auseful function, but inreality contains hiddencode that eitherexecutes malicious actsor provides a backdoorfor unauthorized accessto some privilegedsystem function [12].

Figure 4: DDoS Software Tools (Characteristics)

OS Supported

Solaris Windows Linux Unix

Lie & Wait

Actively Poll

DDoS Software Tool

Agent Activation

Method

Attack Network Communication

Client-Handler

Handler-Agent

None

Handler – Agent

IRC Based

Yes, Private or

Secret Channel

No, Public

Channel

No

Hide with Rootkit

Buffer Overflow

Trojan Horse

Program

Active Scanning

Software/ Backdoor

Vulnerability

Agent Setup

Bugged Website

Corrupted File

Installation

Passive

Yes

Protocol

TCP UDP ICMP

Encryption

Trojan horse programs are installed on a victim’s systemby the attacker and allow the attacker to gain control of auser’s computer without the user knowing. In the case ofa DDoS attack tool setup, Trojan horse programs alreadyinstalled on a victim system might be used by the attackerto gain access to a secondary victim’s system allowing theattacker to install the DDoS agent code.

Passive DDoS Agent Installation. Passivemethods typically involve the attacker sharing corruptfiles or building web sites that take advantage of knownvulnerabilities in a secondary victim’s web browser.

A corrupted file has malicious code embeddedwithin it. When the victim system tries to view or executethis file, it will become infected with the malicious code.One popular technique is for attackers to generate a textfile with the name of the binary executable code for aDDoS agent embedded within it. They rename the textfile with a very long name with the .txt extension withinthe name when the real extension is .exe. For instance, thefile might be newfile.txt_this_is_a_ddos_agent.exe. Ifonly the first few characters of the file are displayed to theuser, it will appear as if this file is a text file, not anexecutable file. In this example, the newfile name wouldneed to be around 150 chars long so most windowssystems would not show the full file name [15]. As soon asa user launches the file, his system will become infectedwith the DDoS agent software. Corrupt files can beexchanged in different ways such as IRC file sharing,Gnutella networks, and by e-mailing corrupt files tovictims.

Another passive DDoS agent installationtechnique uses a bugged web site. A vulnerability foundon web browsers allows the attacker to create websiteswith code or commands to trap a victim. When thevictim’s web browser views the web page or tries toaccess content, the web page indirectly downloads orinstalls malicious code (e.g., a DDoS agent). One exampleof this type of attack exploits a bug in Microsoft’s InternetExplorer (IE) versions 5.5 and 6.0. These versions of IEcontain ActiveX, a technology developed by Microsoft toenable control within IE for viewing specific plug-inapplications embedded within website code by allowingthe IE web browser to automatically download clientbinary code specified by the website being viewed [14].Attackers use malicious code inserted into a web page totake advantage of ActiveX and instead of downloadinglegitimate client software, the attacker can set up ActiveXto download hostile code, such as a DDoS agent.

Root kits are programs that are used by theattacker after installation of handler or agent software toremove log files and any other records that might indicatethat the attacker was using the system [16]. Attackers mayadditionally use the root kit tools to create backdoors sothat they will be able to access the victim’s system in the

future [17]. Root kit tools are typically used when handlersoftware is installed since one handler can be critical forthe DDoS network to work and since handler programsare usually installed within ISP or corporate networkswhere the possibility of detection is higher.

4.2 Attack Network Communication

The DDoS agent-handler and handler-clientcommunication can be via TCP, UDP, and/or ICMPprotocols.

Some DDoS attack tools also make use ofencrypted communication within the DDoS attacknetwork. Agent-handler DDoS attacks might useencrypted communications either between the client-handlers and/or between the handlers-agents. IRC-basedDDoS attacks may use either a public, private, or secretchannel to communicate between the agents and thehandlers. Both private and secret IRC channels provideencryption; private channels (not the data or users) appearin the IRC server’s channel list but secret channels do not.

There are two key methods for DDoS agentactivation. In some DDoS tools, the agents actively pollthe handlers or IRC channel for instructions, whereas inother DDoS tools, the agents will wait for communicationfrom either the handler or the IRC channel.

4.3 Operating Systems Supported

DDoS attack tools are typically designed to becompatible with different operating systems (OS). AnyOS system (such as Unix, Linux, Solaris, or Windows)may have DDoS agent or handler code designed to workon it. Typically, the handler code is designed to supportan OS that would be located on a server or workstation ateither a corporate or ISP site (i.e.Unix, Linux, or Solaris).Agent code is usually designed for a Windows platformsince many attackers target residential Internet users withDSL and cable modems (for higher attacking bandwidth)and these users typically use Windows. 5 DDoS COUNTERMEAUSRES

The countermeasures proposed for preventing aDDoS attack are currently partial solutions at best. Thereis currently no comprehensive method to protect againstall known forms of DDoS attacks. Also, many derivativeDDoS attacks are continually being developed byattackers to bypass each new countermeasure employed.More research is needed, and the purpose for this paper isto characterize the nature and scope of DDoS attacks andtools to facilitate such research. We propose apreliminary taxonomy of DDoS Countermeasures inFigure 5.

There are three categories of DDoScountermeasures. First, preventing the setup of the DDoSattack network, including preventing secondary victimsand detecting and neutralizing handlers. Second, dealingwith a DDoS attack while it is in progress, includingdetecting or preventing, mitigating or stopping, anddeflecting the attack. Third, there is the post-attackcategory involving network forensics.

5.1 Prevent Secondary Victims

One of the best methods to prevent DDoS attacksis for the secondary victim systems to prevent themselvesfrom participating in the attack. This requires aheightened awareness of security issues and preventiontechniques from all Internet users.

To prevent secondary victims from becominginfected with the DDoS agent software, these systemsmust continually monitor their own security. They mustcheck to make sure that no agent programs have beeninstalled on their systems and make sure they are notindirectly sending agent traffic into the network. Becausethe Internet is so de-centralized, with so many differenthardware and software platforms, it is quite difficult forusers to implement the right protective measures such asanti-Trojan software. To be successful, end users musthave the resources to afford protective measures and theknowledge to choose the right protections. Additionally,secondary victims must identify when they areparticipating in a DDoS attack, and if so, they need toknow how to stop it. These tasks are daunting for theaverage “web-surfer”.

Recent work has proposed built-in mechanismsin the core hardware and software of computing systemsthat can provide defenses against malicious code insertionthrough buffer overflow violations [18]. This cansignificantly reduce the probability of a system beingcompromised as a secondary victim for a DDoS attack.

Another strategy is for network service providersand network administrators to add dynamic pricing tonetwork usage, to encourage secondary victims to becomemore active in preventing themselves from becoming partof a DDoS attack. If providers chose to charge differentlyfor the use of different resources, they would be betterable to identify legitimate users. This system would makeit easier to prevent attackers from entering the network [19].Additionally, secondary victims who might be charged foraccessing the Internet may become more conscious of thetraffic they send into the network and hence may do abetter job of policing themselves to verify that they are notparticipating in a DDoS attack.

5.2 Detect and Neutralize Handlers

An important method for stopping DDoS attacksis to detect and neutralize handlers. One technique is tostudy the communication protocols and traffic patternsbetween handlers and clients or handlers and agents, inorder to identify network nodes that might be infectedwith handler code. Since there are far fewer DDoShandlers deployed than agents, shutting down a fewhandlers can render multiple agents useless therebyneutralizing a DDoS attack.

5.3 Detect or Prevent Potential Attacks

To detect or prevent a potential DDoS attack thatis being launched, egress filtering and MIB (ManagementInformation Base) statistics can be used.

Egress filtering refers to the scanning of IPpacket headers leaving a network and checking to see ifthey meet certain criteria. If the packets pass the criteria,they are routed outside of the sub-network from whichthey originated. Otherwise, the packets will not be sent.Since DDoS attacks often use spoofed IP addresses, thereis a good probability that the source addresses of DDoSattack packets will not represent the source address of avalid user on a specific sub-network. If the networkadministrator places a firewall in the sub-network to filter

out any trafficwithout anoriginating IPaddress from thesubnet, manyDDoS packetswith spoofed IPaddresses will bediscarded.

Anothermethod beingstudied toidentify when aDDoS attack isoccurring uses

Figure 5: DDoS Countermeasures

DDoS Countermeasures

Detect and Neutralize Handlers

Detect/Prevent Secondary Victims

Detect/Prevent Potential Attacks

Mitigate/Stop Attacks

Deflect Attacks Post-Attack Forensics

Individual Users Network Service Providers

Egress Filtering

MIB Statistics

Install Software Patches

Built-in Defenses

Dynamic Pricing

HoneypotsLoad

BalancingThrottling Drop

RequestsTraffic Pattern

Analysis

Packet Traceback

Event Logs

Shadow Real Network Resources

Study Attack

the MIB statistics from routers. Router MIB data includesparameters that indicate different packet and routingstatistics. Identifying statistical patterns in differentparameters during a DDoS attack [20] looks promising forpossibly mapping ICMP, UDP, and TCP packet statisticalabnormalities to specific DDoS attacks. Work in this areacould provide methods for identifying when a DDoSattack is happening and how to adjust network parametersto compensate for the attacking traffic.

5.4 Mitigating the Effects of DDoS Attacks

Load balancing can improve both normalperformance as well as mitigate a DDoS attack. Networkproviders can increase bandwidth on critical connectionsto prevent them from going down in an attack.Additionally, providers can replicate servers and provideadditional failsafe protection if some go down during aDDoS attack.

Throttling is another technique proposed toprevent servers from going down. The Max-min Fairserver-centric router throttle method[21] sets up routers thataccess a server with logic to adjust (throttle) incomingtraffic to levels that will be safe for the server to process.This can prevent flood damage to servers. Additionally,this method can be extended to throttle DDoS attackingtraffic versus legitimate user traffic for better results. Thismethod is still in the experimental stage, however similartechniques to throttling are being implemented by networkoperators. The difficulty with implementing throttling isthat it is hard to decipher legitimate traffic from malicioustraffic.

5.5 Deflect Attacks

Honeypots are systems intentionally set up withlimited security to be an enticement for an attacker’sattack. Honeypots serve to deflect attacks from hitting thesystems they are protecting as well as serving as a meansfor gaining information about attackers by storing a recordof their activity and learning what types of attacks andsoftware tools the attacker is using. Current researchdiscusses the use of honeypots that mimic all aspects of alegitimate network (such as web servers, mail servers,clients, etc.) in order to attract potential DDoS attackers[22]. The goal of this type of honeypot is to lure an attackerto install either handler or agent code within the honeypot,thereby allowing the honeypot owner to track the handleror agent behavior and better understand how to defendagainst future DDoS installation attacks.

5.6 Post-Attack Forensics

If traffic pattern data is stored during a DDoSattack, this data can be analyzed post-attack to look forspecific characteristics within the attacking traffic. Thischaracteristic data can be used for updating load balancing

and throttling countermeasures to increase their efficiencyand protection ability. Additionally, DDoS attack trafficpatterns can help network administrators develop newfiltering techniques for preventing DDoS attack trafficfrom entering or leaving their networks.

To help identify the attackers, packet tracebacktechniques are proposed [23]. The concept involves tracingInternet traffic back to it’s source (rather than that of aspoofed source IP address). This technique helps toidentify the attacker. Additionally, when the attackersends different types of attacking traffic, this methodassists in providing the victim system with informationthat might help develop filters to block the attack.

A model for developing a Network TrafficTracking System that would identify and track user trafficthroughout a network has been proposed [24]. This modelcan be very successful within a closed networkenvironment where internal client systems can be fullymanaged by a central network administrator who can trackindividual end-user actions. This method begins to breakdown over widely distributed networks [24].

Network administrators can also keep event logsof the DDoS attack information in order to do a forensicanalysis and to assist law enforcement in the event theattacker does severe damage. Using Honeypots and othernetwork equipment such as firewalls, packet sniffers, andserver logs, providers can store all the events thatoccurred during the setup and execution of the attack.This allows network administrators to discover what typeof DDoS attack (or combination of attacks) was used.

6 CONCLUSION

DDoS attacks make a networked system orservice unavailable to legitimate users. These attacks arean annoyance at a minimum, or can be seriously damagingif a critical system is the primary victim. Loss of networkresources causes economic loss, work delays, and loss ofcommunication between network users. Solutions must bedeveloped to prevent these DDoS attacks.

We have proposed taxonomies of DDoS attacks,tools, and countermeasures in this paper to help scope theDDoS problem and to facilitate more comprehensivesolutions. More detailed descriptions and DDoS examplesare available in [25]. There are many DDoS attack toolsavailable to attackers. These tools are easy to implementand can have disastrous effects. There are methods ofpreventing these attacks from succeeding, however, manyof these are still being developed and evaluated. It isessential, that as the Internet and Internet usage expand,more comprehensive solutions and countermeasures toDDoS attacks be developed, verified, and implemented.

7 REFERENCES

[1] David Karig and Ruby Lee, “Remote Denial of ServiceAttacks and Countermeasures,” Princeton UniversityDepartment of Electrical Engineering Technical Report CE-L2001-002, Oct 2001.

[2] “Yahoo on Trail of Site Hackers”, Wired.com, Feb 8, 2000.http://www.wired.com/news/business/0,1367,34221,00.html (15May 2003).

[3] Brunker, Mike. “Spam Block Lists Bombed to Oblivion”.MSNBC.COM 24 Sept 2003.http://www.msnbc.msn.com/id/3088113/ (Jul 5, 2004).

[4] Kevin J. Houle. “Trends in Denial of Service AttackTechnology”. CERT Coordination Center, Carnegie MellonSoftware Engineering Institute. Oct 2001.www.nanog.org/mtg-0110/ppt/houle.ppt. (14 Mar 2003).

[5] Paul J. Criscuolo. “Distributed Denial of Service Trin00,Tribe Flood Network, Tribe Flood Network 2000, AndStacheldraht CIAC-2319”. Department of Energy ComputerIncident Advisory Capability (CIAC), UCRL-ID-136939, Rev.1., Lawrence Livermore National Laboratory, Feb 14, 2000.

[6] TFreak. “smurf.c”, www.phreak.org. Oct 1997.www.phreak.org/archives/exploits/denial/smurf.c (6 May 2003).

[7] Federal Computer Incident Response Center (FedCIRC),“Defense Tactics for Distributed Denial of Service Attacks”.Washington, DC, 2000.

[8] TFreak. “fraggle.c”, www.phreak.org. www.phreak.org/archives/exploits/denial/fraggle.c (6 May 2003).

[9] Martin, Michael J., “Router Expert: Smurf/Fraggle AttackDefense Using SACLS”, Networking Tips and Newsletters,www.searchnetwork.techtarget.com. Oct 2002.http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci856112,00.html (6 May 2003).

[10] “Nmap Stealth Port Scanner Introduction”, Insecure.org.August 2002. http://www.insecure.org/nmap/. (8 Apr 2003).[11] “CVE (version 20020625)”, Common Vulnerabilities andExposures. Mar 27, 2002. http://cve.mitre.org/cve/. (9 Apr2003).

[12] Colon E. Pelaez and John Bowles, “Computer Viruses”,System Theory, 1991, Twenty-Third Southeastern Symposium,pp. 513-517, Mar 1999.

[13] Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, andJonathan Walpole, “Buffer Overflows: Attacks and Defenses forthe Vulnerability of the Decade”, DARPA InformationSurvivability Conference and Exposition, 2000. Vol. 2, pp. 119-129, 2000.

[14] Microsoft. “How to Write Active X Controls for MicrosoftWindows CE2.1”, Microsoft Corporation. Jun 1999.http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnce21/html/activexce.asp. (5 Apr 2003).

[15] Dancho Danchev. “The Complete Windows TrojansPaper”, BCVG Network Security. Oct 22, 2002.http://www.ebcvg.com/articles.php?id=91. (9 Apr 2003).

[16] David Dittrich. “The DoS Project’s “trinoo” DistributedDenial of Service Attack Tool”. University of Washington, Oct21, 1999. http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt (8 Apr 2003).

[17] Alex Noordergraff. “How Hackers Do It: Tricks, Tools,and Techniques”, Sun BluePrints™ OnLine. Part No.: 816-4816-10, Revision 1.0. May 2002. http://www.sun.com/solutions/blueprints/0502/816-4816-10.pdf. (8 Apr 2003).

[18] Ruby Lee, David Karig, Patrick McGregor and Zhijie Shi,“Enlisting Hardware Architecture to Thwart Malicious CodeInjection”, Proceedings of the International Conference onSecurity in Pervasive Computing (SPC-2003), LNCS 2802, pp.237-252, Springer Verlag, March 2003.

[19] David Mankins, Rajesh Krishnan, Ceilyn Boyd, John Zao,and Michael Frentz, “Mitigating Distributed Denial of ServiceAttacks with Dynamic Resource Pricing”, Computer SecurityApplications Conference, 2001. ACSAC 2001. Proceedings 17th

Annual, pp. 411-421, 2001.

[20] Joao B. D. Cabrera, Lundy Lewis, Xinzhou Qin, WenkeLee, Ravi K. Prasanth, B. Ravichandran, and Ramon K. Mehra,“Proactive Detection of Distributed Denial of Service AttacksUsing MIB Traffic Variables – A Feasibility Study”, IntegratedNetwork Management Proceedings, pp. 609-622, 2001.

[21] David K. Yau, John C. S. Lui, and Feng Liang, “DefendingAgainst Distributed Denial of Service Attacks with Max-minFair Server-centric Router Throttles”, Quality of Service, 2002Tenth IEEE International Workshop, pp. 35-44, 2002.

[22] Nathalie Weiler. “Honeypots for Distributed Denial ofService”, Enabling Technologies: Infrastructure forCollaborative Enterprises, 2002. WET ICE 2002. Proceedings.Eleventh IEEE International Workshops, 2002. pp. 109-114.

[23] Vern Paxon, “An Analysis of Using Reflectors forDistributed Denial of Service Attacks”, ACM SIGCOMMComputer Communication Review, Vol. 31, Iss. 3, Jul 2001.

[24] Thomas E. Daniels and Eugene H. Spafford, “NetworkTraffic Tracking Systems: Folly in the Large?”, Proceedings ofthe 2000 Workshop on New Security Paradigms, Feb. 2001.

[25] Stephen Specht and Ruby Lee, “Distributed Denial ofService: Taxonomies of Networks, Attacks, Tools, andCountermeasures,” Princeton University Department ofElectrical Engineering Technical Report CE-L2003-03, May2003