Defending against flooding-based distributed denial-of-service attacks: a tutorial

Author

Chang, Rocky K C

Author_Institution

Hong Kong Polytech. Univ., Kowloon, China

Volume

40

Issue

10

fYear

2002

fDate

10/1/2002 12:00:00 AM

Firstpage

42

Lastpage

51

Abstract

Flooding-based distributed denial-of-service (DDoS) attack presents a very serious threat to the stability of the Internet. In a typical DDoS attack, a large number of compromised hosts are amassed to send useless packets to jam a victim, or its Internet connection, or both. In the last two years, it was discovered that DDoS attack methods and tools are becoming more sophisticated, effective, and also more difficult to trace to the real attackers. On the defense side, current technologies are still unable to withstand large-scale attacks. The main purpose of this article is therefore twofold. The first one is to describe various DDoS attack methods, and to present a systematic review and evaluation of the existing defense mechanisms. The second is to discuss a longer-term solution, dubbed the Internet-firewall approach, that attempts to intercept attack packets in the Internet core, well before reaching the victim.

Keywords

Internet; authorisation; packet switching; telecommunication security; DDoS attack methods; DDoS attack tools; Internet firewall; Internet stability; attack packets interception; distributed attack detection; flooding-based distributed denial-of-service attacks; large-scale attacks; reflector attacks; tutorial; Companies; Computer crime; Cryptography; IP networks; Large-scale systems; Protocols; Security; Stability; Tutorial; Web and internet services;

fLanguage

English

Journal_Title

Communications Magazine, IEEE

Publisher

ieee

ISSN

0163-6804

Type

jour

DOI

10.1109/MCOM.2002.1039856

Filename

1039856