Distributed Denial-of-Service Attacks: Comparison
Please note this is a comparison between Version 2 by Amina Yu and Version 1 by Tariq Hussain.

With the rapid advancement and transformation of technology, information and communication technologies (ICT) in particular have attracted everyone’s attention. Attackers have taken advantage of this and can cause serious problems, such as malware attacks, ransomware, SQL injection attacks, and so on. One of the dominant attacks, known as distributed denial-of-service (DDoS), has been observed to be the main reason for information hacking.

  • attacks detection
  • two-step clustering
  • outliers detection

1. Introduction

In recent years, the advent of the Internet has introduced mankind to the most fascinating technologies and services. The majority of the world’s population is now connected via the Internet [1]. According to the June 2019 Statistical Report on Internet Users, there were a total of 4.33 billion active Internet users, which was 56% of the total world population [2]. The report also mentioned that China was the largest consumer of the internet, with 829 million active internet users. With the development of science and technology, computer networks [3] have spread into people’s lives, bringing people together more than ever across a wide range of domains, affecting every sector and improving everyday life [4,5]. They have many capabilities and applications in distance education, office automation [6], e-commerce, digital currencies [7], online payments, social media and communication [8]. At the same time, the network architecture has many flaws that leave people and their credentials vulnerable [9,10]. Since the initial design of the network was poor, as the security factor was not properly considered, there are many difficulties in finding security loopholes, which [11,12] can easily be maliciously exploited to infringe upon the privacy and property of others or to affect the normal provision of network services [13,14].
With the growth of network applications, the problem of internet security becomes more and more serious [15]. However, where there is interest, there is contention, and the Internet is no exception [16,17]. The internet’s designers paid more attention to the efficiency of message delivery and less attention to security [18,19]. So, as time has passed, more and more networks have been exposed to security problems, and the forms of network attacks have become diverse: from the initial worm viruses to Trojans and phishing, and from system vulnerabilities to the abuse of web scripts, network security faces more and more challenges. According to the survey [20], on average, a successful cyber-attack takes place every 20 s worldwide. The network security situation is becoming more and more severe. Attack and defense have become a new form of “war” [21].
In early 2015, China incorporated cybersecurity into national security as a complete strategy [22]. Numerous types of attacks are classified as social engineering penetration attacks, password cracking, intrusion attacks, cross-site scripting (XSS) attacks, SQL injection attacks, cross-site request forgery (CSRF) attacks, ARP-spoofing attacks, phishing attacks, denial-of-service (DoS) attacks, Trojan horse attacks, etc. [23]. Among multi-network attacks, DoS attacks are considered to be the most dangerous for the Internet [24,25].
Cybersecurity is becoming more and more crucial with the growth of the Internet and its services. The Internet and its services reach nearly 4.5 billion active users, representing 58% of the entire population of the world. So, as internet usage increases [26,27], cybercrime rates are also increasing, damaging or infringing on the personal information of billions of users.
Researchers’ attention to this topic has increased, due to the rise of cyber threats and people’s total dependency on the internet, making it more and more important to detect and mitigate cyber threats. Denial-of-service (DoS) attacks first became dangerous [28] with the invention of their distributed variant, known as distributed denial-of-service, and they became far more severe with the advent of low-rate denial-of-service attacks. Low-rate denial-of-service attacks are more severe, as they behave similarly to legitimate traffic while passing through the network, making them very difficult to detect with the available detection mechanisms; they easily fool the available techniques and can disrupt the network by consuming its resources and capacity [29,30].
The proposed research includes a mechanism to detect low-rate distributed denial-of-service (LDDoS) attacks, since they are dangerous and increasing so fast. More specifically, the focus is on the early detection of this new class of cyber threat, called LDDoS. To detect LDDoS attacks, a clustering-based mechanism is proposed. In the proposed mechanism, experiments are performed using two-step clustering techniques to detect LDDoS after analyzing the anomalous properties of the TCP traffic caused by LDDoS attacks.
The pre-cluster step uses a sequential clustering approach. It scans the data sets one after the other and uses a distance criterion to decide whether the current data set is to be merged with a previously formed cluster or whether a new cluster needs to be created. The Mahalanobis distance is used as the distance measure. The method is implemented by constructing a modified cluster feature (CF) tree. Cluster formation is the second step; it groups the sub-clusters resulting from the pre-clustering step into the desired number of clusters. Since the number of sub-clusters is much smaller than the number of original records, traditional clustering methods can be used effectively. The agglomerative hierarchical clustering technique was adopted for the two-step method because it works well with auto-clustering.
The two-step cluster analysis method analyzes the TCP traffic on a large timescale, which can result in a high false-positive rate. Therefore, another method based on the analysis of TCP traffic is proposed to reduce the false alarm rate. From a small-timescale perspective, TCP traffic falls off quickly and then recovers under LDDoS attacks [31]. Over the short duration of an attack, the range of the TCP traffic is much larger than in a normal network, so each detection unit (DU) in the suspected cluster is split into many test pieces (TP), with each TP having k samples. The TP must be longer than the attack period T, so that a full cycle of the TCP traffic change can be captured.
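The detection procedure described above, as an added example that is not code from the entry or its authors: a dependency-free Python sketch that pre-clusters detection units (DUs) sequentially by a Mahalanobis distance over two throughput features, merges the sub-clusters hierarchically, and then applies the small-timescale test-piece (TP) check only to the suspect cluster, which is what keeps the large-timescale false positives down. It assumes a diagonal covariance estimated from known-good DUs, thresholds chosen for the constructed data, an attack period T of 16 samples and k = 24 samples per TP; the function names (`detect`, `tp_check`, and so on) are the example's own.

```python
import math, random, statistics as st

def normal_du(n=64):
    # Constructed: steady TCP throughput (Mbit/s per sample) with mild jitter.
    return [100 + random.gauss(0, 3) for _ in range(n)]

def lddos_du(n=64, period=16, burst=2):
    # Constructed: every `period` samples a short burst forces TCP into timeout,
    # so throughput collapses for `burst` samples and then recovers.
    return [(15 if i % period < burst else 100) + random.gauss(0, 3) for i in range(n)]

def features(du):
    # Large-timescale view of one DU: mean throughput and its spread.
    return (st.mean(du), st.pstdev(du))

def mahalanobis(x, mu, var):
    # Assumed diagonal covariance (per-feature variance of known-good DUs), not the full matrix.
    return math.sqrt(sum((a - b) ** 2 / v for a, b, v in zip(x, mu, var)))

def centroid(idx, feats):
    return tuple(st.mean(col) for col in zip(*(feats[i] for i in idx)))

def sequential_cluster(feats, var, threshold):
    """Step 1 (pre-cluster): one pass over the DUs; merge each into the nearest
    sub-cluster if within `threshold`, otherwise open a new sub-cluster."""
    clusters = []                                   # lists of DU indices
    for idx, f in enumerate(feats):
        dists = [(mahalanobis(f, centroid(c, feats), var), n)
                 for n, c in enumerate(clusters)]
        if dists and min(dists)[0] < threshold:
            clusters[min(dists)[1]].append(idx)
        else:
            clusters.append([idx])
    return clusters

def merge_to(clusters, feats, var, k):
    """Step 2: centroid-linkage agglomeration of the sub-clusters down to k."""
    while len(clusters) > k:
        pairs = [(mahalanobis(centroid(a, feats), centroid(b, feats), var), x, y)
                 for x, a in enumerate(clusters) for y, b in enumerate(clusters) if x < y]
        _, x, y = min(pairs)
        clusters[x] += clusters.pop(y)
    return clusters

def tp_check(du, k, drop=0.5, recover=0.8):
    """Small-timescale step: split the DU into TPs of k samples (k > attack
    period T) and flag the fall-then-recover signature inside any TP."""
    for start in range(0, len(du) - k + 1, k):
        tp = du[start:start + k]
        hi, lo = max(tp), min(tp)
        after = tp[tp.index(lo) + 1:]
        if (hi - lo) / hi > drop and after and max(after) > recover * hi:
            return True
    return False

def detect(dus, baseline, k, threshold=8.0):
    """Return the indices of the DUs flagged as LDDoS."""
    feats = [features(d) for d in dus]
    var = tuple(st.pvariance(col) for col in zip(*(features(d) for d in baseline)))
    clusters = merge_to(sequential_cluster(feats, var, threshold), feats, var, 2)
    suspect = min(clusters, key=lambda c: centroid(c, feats)[0])  # lowest throughput
    return sorted(i for i in suspect if tp_check(dus[i], k))

def demo():
    # Constructed scenario: six normal DUs with attack DUs inserted at 2 and 5.
    random.seed(7)
    baseline = [normal_du() for _ in range(40)]
    dus = [normal_du() for _ in range(6)]
    for pos in (2, 5):
        dus.insert(pos, lddos_du())
    return detect(dus, baseline, k=24)   # [2, 5]
```

With only normal DUs the large-timescale step still yields a "lowest throughput" cluster, but the TP check finds no fall-then-recover pattern in it and `detect` returns an empty list, which is the false-positive reduction the entry describes.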

2. DDoS Attacks

The history of DoS began in the 1980s and early 1990s; however, due to the low usage of the Internet at the time, it did not receive the attention it has today. The alternative view of it arose when the use of the Internet began to evolve rapidly and connect to the source of the medium [1].
A DoS attack called SYN FLOOD crippled internet facilities in New York City, in which a group of ISPs, called Panix, went offline for a week, while internet and web services using that terminology at the New York Times and the Internet Chess Club were deactivated [2]. Later, researchers started working on solving this problem and created an effective method by which such attacks can be stopped before impersonation and eavesdropping. Two months after the incident, they released a solution to the DoS attack as a product. The idea of this commercial product was to detect the incoming SYN packets of a DoS attack and prevent them from being triggered and executed on a system. The solution was good but failed on the live webcam, and many products went offline [3,4].
The authors of [5,6] proposed a SYN-based technique by which DoS attacks were detected and recognized. For this idea, they proposed a novel scheme called intrusion detection for DoS attacks. It is clear from the algorithm that the proposed mechanism uses the flooding approach, in which spoofed packets are triggered to detect the DoS attack on the packets. When executing the booby trap mechanism, the authors had to use an alternate path to forward the data. In [7,8,9], a technique for TCP/ICMP packets was proposed, in order to detect DoS attacks on the packets during transmission. A dedicated path is used to transfer data from one client to another. A ping method [10] was introduced to detect DoS attacks in which the victims were TCP/ICMP packets.
In [11], a report on executing IRC-based DDoS attacks was presented. To do this, they introduced a robust technique to be applied to the devices on both the sender and receiver sides. The attackers used legitimate commands sent to the client and server, mimicking each other in nature. The attacks were difficult to detect, due to their friendly nature [11]. They reported that IRC must be the best edition of the product, and that all its resources and detection approaches should be utilized to detect DDoS attacks. It was stated that these attacks can be friendly, which makes them difficult to detect. The solution is to use the ping command, which uses a unique ID. This ID is kept open only for registered users and for those without an ID, in order to trigger the attacks [13].
In [14,15,16,17,18,19,20,21,22], DDoS attacks were reported, introducing new types, i.e., Teardrop and Bonk. These were types of DDoS attacks that can overcome any security tier. The key factor was that the main process needs to interface in order to run abnormally.
The authors of [23,24,25,26,27,28,29,30,31,32] reported on wormholes in DDoS attacks, which are observed as a disaster for any kind of wireless and wired media. They reported that this malicious activity can damage any kind of software and slow down any hardware and software by stealthily installing itself while running inside another program. In today’s world, DoS attacks are referred to as DDoS attacks because distributed devices or botnets are used and controlled to disrupt the victim’s target network.
Distributed denial-of-service attacks are the advanced version of denial-of-service attacks; they use the same paradigm to disturb the victims’ network, but in a distributed manner. The date 22 July 1999 is ominous in the history of computing. On that day, a computer at the University of Minnesota was suddenly attacked by a network of 114 other computers, which were infected with a malicious script called Trin00 [1]. This marks the start of the distributed version of denial-of-service attacks. DDoS is considered to be one of the most dangerous attacks to date, due to its magnitude and its power to completely disable the victims’ services for an extended period of time.
The distributed version of DoS attacks still poses the major threat to network security and its infrastructure, as well as to the entire Internet world, but it gained momentum after the invention of new low pulsing denial-of-service attacks, recently known as low-rate DoS attacks, which are known to attract more attention. These attacks use very little bandwidth to transmit attack traffic to the victim’s server, and they can easily trick the built-in detection mechanisms for distributed DoS attacks because they move slowly and constantly, similar to legitimate traffic.
DoS attack technology has continued to evolve, and its destructiveness is also increasing. In recent years in particular, a kind of LDDoS has emerged that is more threatening than traditional DDoS attacks. Although the traditional DDoS attack is very destructive, it has a common characteristic, due to its attack principle: the attacker, through a kind of pressure (sledgehammer), has to send many attack packets to the target, forcing the attacker to maintain an attack flow with high frequency and speed. This characteristic causes all types of traditional DoS attacks to exhibit anomalous statistical characteristics compared to normal network traffic, making them relatively easy to detect. Therefore, many DoS detection methods take these abnormal statistical characteristics as the feature for identifying DoS attacks. Once an attack is detected, a packet filtering mechanism is activated to discard all packets transmitted by the data stream with attack characteristics. Low-rate DDoS attacks are quite different from traditional DDoS attacks, as their traffic is similar to legitimate traffic.
A low-rate DDoS attacker exploits the vulnerability of TCP’s congestion control mechanism by periodically sending bursts of attack packets repeatedly over short periods of time (pulsing attack) or by continuously launching attack packets at a constant low rate (constant attack). As these attacks reduce the average number of attack packets to avoid being detected by existing detection schemes, it is difficult to distinguish such attacks from legitimate traffic with a large measurable distance gap and a low false-negative rate. The biggest feature is that it does not need to maintain a high-speed attack flow that exhausts all available resources on the victim’s side. Instead, it exploits vulnerabilities in the common adaptive mechanisms of network protocols or application services (such as the congestion control mechanism of TCP) to periodically burst within a specific short time interval, sending many attack packets and reducing the service performance at the attacked end. The LDDoS attack only sends data in a specific time interval and does not send any data in the other periods of the same cycle. This intermittent attack feature makes the average rate of the attack flow relatively low, which is no different from the data flow of legitimate users, so it no longer exhibits the abnormal statistical characteristics described above.
It is difficult to use existing methods to prevent this. An LDDoS attack can be regarded as an improved form of a traditional DoS attack. Compared with traditional DDoS attacks, it has a more targeted approach, so the attack efficiency has been greatly improved, and it evades detection and prevention. The emergence of LDDoS attacks brings new challenges to research on attack prevention. Research on LDDoS attacks is still in its infancy, but related research work has mainly appeared in recent years, showing that it has received sufficient attention [10]. In 2003, Aleksandar of Rice University first proposed a low-rate denial-of-service attack on the TCP protocol at SIGCOMM, the top-rated conference on computer networks. This attack mainly targets loopholes in the TCP congestion control mechanism. At ICNP (in 2004) and Infocom (in 2005), Guirguis proposed the ROQ attack [21]. It also targeted the congestion control in the TCP protocol and loopholes in the router queue management mechanism, causing the performance of certain routers to degrade. This type of attack has also appeared at the network layer. Therefore, proposing detection and prevention methods for this kind of attack is an urgent problem in the field of network security.

References

  1. Wu, Z.; Zhang, L.; Yue, M. Low-rate DoS attacks detection based on network multifractal. IEEE Trans. Dependable Secur. Comput. 2015, 13, 559–567.
  2. Wu, Z.; Wang, M.; Yan, C.; Yue, M. Low-rate DoS attack flows filtering based on frequency spectral analysis. China Commun. 2017, 14, 98–112.
  3. Tang, D.; Chen, K.; Chen, X.; Liu, H.; Li, X. Adaptive EWMA Method based on abnormal network traffic for LDoS attacks. Math. Probl. Eng. 2014, 2014, 496376.
  4. Chen, H.; Meng, C.; Shan, Z.; Fu, Z.; Bhargava, B.K. A novel Low-rate Denial of Service attack detection approach in ZigBee wireless sensor network by combining Hilbert-Huang Transformation and Trust Evaluation. IEEE Access 2019, 7, 32853–32866.
  5. Zhou, L.; Liao, M.; Yuan, C.; Zhang, H. Low-rate DDoS attack detection using expectation of packet size. Secur. Commun. Netw. 2017, 2017, 3691629.
  6. Bhuyan, M.H.; Elmroth, E. Multi-scale low-rate DDoS attack detection using the generalized total variation metric. In Proceedings of the 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA), Orlando, FL, USA, 17–20 December 2018; pp. 1040–1047.
  7. Xiang, Y.; Li, K.; Zhou, W. Low-rate DDoS attacks detection and traceback by using new information metrics. IEEE Trans. Inf. Forensics Secur. 2011, 6, 426–437.
  8. Kuzmanovic, A.; Knightly, E.W. Low-rate TCP-targeted denial of service attacks and counter strategies. IEEE/ACM Trans. Netw. 2006, 14, 683–696.
  9. Two Step Cluster Algorithm. Available online: https://www.ibm.com/support/knowledgecenter/en/SSLVMB_24.0.0/spss/base/idh_twostep_main.html (accessed on 6 June 2022).
  10. Rahman, M.U.; Rahman, Z.U.; Fayaz, M.; Abbas, S.; ShahSani, R.K. Performance analysis of tcp/aqm under low-rate denial-of-service attacks. In Proceedings of the 2016 International Conference on Inventive Computation Technologies (ICICT), Coimbatore, India, 26–27 August 2016; Volume 3, pp. 1–5.
  11. Toklu, S.; Şimşek, M. Two-layer approach for mixed high-rate and low-rate distributed denial of service (DDoS) attack detection and filtering. Arab. J. Sci. Eng. 2018, 43, 7923–7931.
  12. WIDE Project Datasets. Available online: http://mawi.wide.ad.jp/mawi/ (accessed on 6 June 2022).
  13. Silva, A.; Pontes, E.; Zhou, F.; Guelf, A.; Kofuji, S. PRBS/EWMA based model for predicting burst attacks (Brute Froce, DoS) in computer networks. In Proceedings of the Ninth International Conference on Digital Information Management (ICDIM 2014), Phitsanulok, Thailand, 29 September 2014–1 October 2014; pp. 194–200.
  14. Wankhede, S.; Kshirsagar, D. DoS attack detection using machine learning and neural network. In Proceedings of the 2018 Fourth International Conference on Computing Communication Control and Automation (ICCUBEA), Pune, India, 16–18 August 2018; pp. 1–5.
  15. Zhang, Y.; Shi, Y. A Slow Rate Denial-of-Service Attack Against HTTP/2. In Proceedings of the 2018 IEEE 4th International Conference on Computer and Communications (ICCC), Chengdu, China, 7–10 December 2018; pp. 1388–1391.
  16. Alzahrani, S.; Hong, L. Detection of distributed denial of service (DDoS) attacks using artificial intelligence on cloud. In Proceedings of the 2018 IEEE World Congress on Services (SERVICES), San Francisco, CA, USA, 2–7 July 2018; pp. 35–36.
  17. LBNL/ICSI Enterprise Tracing Project. Available online: http://www.icir.org/enterprise-tracing/ (accessed on 6 June 2022).
  18. Bhosale, K.S.; Nenova, M.; Iliev, G. The distributed denial of service attacks (DDoS) prevention mechanisms on application layer. In Proceedings of the 2017 13th International Conference on Advanced Technologies, Systems and Services in Telecommunications (TELSIKS), Nis, Serbia, 18–20 October 2017; pp. 136–139.
  19. Bhuyan, M.H.; Bhattacharyya, D.K.; Kalita, J.K. An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognit. Lett. 2015, 51, 1–7.
  20. Zhou, W.; Jia, W.; Wen, S.; Xiang, Y.; Zhou, W. Detection and defense of application-layer DDoS attacks in backbone web traffic. Future Gener. Comput. Syst. 2014, 38, 36–46.
  21. Aladi, J.H.; Wagner, C.; Garibaldi, J.M. A simplified method of FOU design utlising simulated annealing. In Proceedings of the 2015 IEEE International Conference on Systems, Man, and Cybernetics, Hong Kong, China, 9–12 October 2015; pp. 2255–2261.
  22. Zhi-Jun, W.; Hai-Tao, Z.; Ming-Hua, W.; Bao-Song, P. MSABMS-based approach of detecting LDoS attack. Comput. Secur. 2012, 31, 402–417.
  23. McGregory, S. Preparing for the next DDoS attack. Netw. Secur. 2013, 2013, 5–6.
  24. Bertino, E.; Islam, N. Botnets and internet of things security. Computer 2017, 50, 76–79.
  25. Yevsieieva, O.; Helalat, S.M. Analysis of the impact of the slow HTTP DOS and DDOS attacks on the cloud environment. In Proceedings of the 2017 4th International Scientific-Practical Conference Problems of Infocommunications. Science and Technology (PIC S&T), Kharkov, Ukraine, 10–13 October 2017; pp. 519–523.
  26. Xiao, L.; Wan, X.; Lu, X.; Zhang, Y.; Wu, D. IoT security techniques based on machine learning: How do IoT devices use AI to enhance security? IEEE Signal Processing Mag. 2018, 35, 41–49.
  27. Shinde, P.J.; Chatterjee, M. A Novel Approach for Classification and Detection of DOS Attacks. In Proceedings of the 2018 International Conference on Smart City and Emerging Technology (ICSCET), Mumbai, India, 5 January 2018; pp. 1–6.
  28. Park, T.; Cho, D.; Kim, H. An effective classification for DoS attacks in wireless sensor networks. In Proceedings of the 2018 Tenth international conference on ubiquitous and future networks (ICUFN), Prague, Czech Republic, 3–6 July 2018; pp. 689–692.
  29. Kajwadkar, S.; Jain, V.K. A novel algorithm for DoS and DDoS attack detection in Internet of things. In Proceedings of the 2018 Conference on Information and Communication Technology (CICT), Jabalpur, India, 26–28 October 2018; pp. 1–4.
  30. Maza, S.; Touahria, M. Feature selection for intrusion detection using new multi-objective estimation of distribution algorithms. Appl. Intell. 2019, 49, 4237–4257.
  31. Pu, C.; Song, T. Hatchetman attack: A denial of service attack against routing in low power and lossy networks. In Proceedings of the 2018 5th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2018 4th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), Shanghai, China, 22–24 June 2018; pp. 12–17.
  32. Wu, X.; Tang, D.; Tang, L.; Man, J.; Zhan, S.; Liu, Q. A low-rate dos attack detection method based on hilbert spectrum and correlation. In Proceedings of the 2018 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), Guangzhou, China, 8–12 October 2018; pp. 1358–1363.