A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms

Jelena Mirkovic, Janice Martin and Peter Reiher
Computer Science Department
University of California, Los Angeles
Technical report #020018

Abstract

This paper proposes a taxonomy of distributed denial-of-service attacks and a taxonomy of the defense mechanisms that strive to counter these attacks. The attack taxonomy is illustrated using both known and potential attack mechanisms. Along with this classification we discuss important features of each attack category that in turn define the challenges involved in combating these threats. The defense system taxonomy is illustrated using only the currently known approaches. The goal of the paper is to impose some order into the multitude of existing attack and defense mechanisms that would lead to a better understanding of challenges in the distributed denial-of-service field.

1. Introduction

Distributed denial-of-service attacks (DDoS) pose an immense threat to the Internet, and consequently many defense mechanisms have been proposed to combat them. Attackers constantly modify their tools to bypass these security systems, and researchers in turn modify their approaches to handle new attacks. The DDoS field is evolving quickly, and it is becoming increasingly hard to grasp a global view of the problem. This paper strives to introduce some structure to the DDoS field by developing a taxonomy of DDoS attacks and DDoS defense systems. The goal of the paper is to highlight the important features of both attack and security mechanisms and stimulate discussions that might lead to a better understanding of the DDoS problem.

The proposed taxonomies are complete in the following sense: the attack taxonomy covers known attacks and also those that have not currently appeared but are potential threats that would affect current defense mechanisms; the defense systems taxonomy covers not only published approaches but also some commercial approaches that are sufficiently documented to be analyzed. Along with classification, we emphasize important features of each attack or defense system category, and provide representative examples of existing mechanisms. This paper does not propose or advocate any specific DDoS defense mechanism. Even though some sections might point out vulnerabilities of certain classes of defense systems, our purpose is not to criticize but to draw attention to these problems so that they might be solved.

Following this introduction, the paper is organized as follows. Section 2 investigates the problem of DDoS attacks, and Section 3 proposes their taxonomy; Section 4 proposes a taxonomy of DDoS defense systems. Section 5 provides an overview of related work and Section 6 concludes the paper.

2. DDoS Attack Overview

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service [1]. A distributed denial-of-service attack deploys multiple machines to attain this goal. The service is denied by sending a stream of packets to a victim that either consumes some key resource, thus rendering it unavailable to legitimate clients, or provides the attacker with unlimited access to the victim machine so he can inflict arbitrary damage. This section will answer the following questions:

1. What makes DDoS attacks possible?
2. How do these attacks occur?
3. Why do they occur?

2.1. Internet Architecture

The Internet was designed with functionality, not security, in mind, and it was indeed very successful in reaching this goal. It offers its participants fast, easy and cheap communication mechanisms, enforced with various higher-level protocols that ensure reliable or timely delivery of messages or a certain level of quality of service. Internet design follows the end-to-end paradigm: communicating end hosts deploy complex functionalities to achieve desired service guarantees, while the intermediate network provides the bare-minimum, best-effort service. The Internet is managed in a