
Distributed Denial of Service Prevention Techniques


International Journal of Computer and Electrical Engineering, Vol. 2, No. 2, April, 2010
Abstract: The significance of the DDoS problem and the increasing frequency, sophistication and strength of attacks have led to the emergence of numerous prevention mechanisms. Each proposed mechanism has its own advantages and disadvantages over the others. In this paper, we present a classification of the mechanisms proposed in the literature for protecting Internet services from DDoS attacks and discuss the strengths and weaknesses of each. This provides a better understanding of the problem and enables a security administrator to equip his arsenal with the proper prevention mechanisms for fighting the DDoS threat.

Index Terms: DoS, DDoS, Network Security, Prevention.
The advent of the Internet brought a revolution to the world of computing and communication. Today the Internet has become increasingly important to society: it is changing the way we communicate, the way we do business, and even everyday life [1]. Almost all traditional services, such as banking, power, medicine, education and defense, now extend to the Internet. The impact of the Internet on society can be seen from Fig. 1, which shows the exponential increase in the number of hosts interconnected through the Internet [2]. Internet usage is growing at an exponential rate as organizations, governments and citizens continue to increase their reliance on this technology.
Fig. 1 Internet Domain Survey Host Count
Unfortunately, with the increase in the number of hosts, the number of attacks on the Internet has also grown incredibly fast. According to [3], a mere 171 vulnerabilities were reported in 1995; this had boomed to 7236 in 2007, and for the third quarter of 2008 alone the count had already reached 6058. Apart from these, a large number of vulnerabilities go unreported every year. In particular, the DoS attack is today one of the most common and serious threats to the Internet. In a DoS attack, the goal of the attacker is to tie up chosen key resources at the victim, usually by sending a high volume of seemingly legitimate traffic requesting some service from the victim. It reveals big loopholes not only in specific applications but also in the entire TCP/IP protocol suite. A DoS attack is considered to take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user [4].

Manuscript received April 1, 2009. This work was supported in part by the Ministry of Human Resource Development, Government of India.
B. B. Gupta is with the Department of Electronics & Computer Engg., Indian Institute of Technology, Roorkee, 247667 India (phone: +91-9927713132).
R. C. Joshi is with the Department of Electronics & Computer Engg., Indian Institute of Technology, Roorkee, 247667 India.
Manoj Misra is with the Department of Electronics & Computer Engg., Indian Institute of Technology, Roorkee, 247667 India.
A DDoS attacker uses many machines to launch a coordinated DoS attack against one or more targets [5]. The attack is launched indirectly through many compromised computing systems, which send a stream of useless aggregate traffic meant to exhaust the victim's resources. As a side effect, such attacks frequently create network congestion on the way from the sources to the target, thus disrupting normal Internet operation. The number of DDoS attacks has been increasing alarmingly for the last few years [6]. Many of today's DDoS attacks are carried out by organized criminals targeting financial institutions, e-commerce, gambling sites, etc. [7].
A classification of the wide range of DDoS attacks found in the wild, which Internet providers and users need to be aware of, is presented in [4, 8]. A DDoS attack is usually launched in one of two forms [9]. The first form exploits software vulnerabilities of a target by sending malformed packets that crash the system. The second form uses massive volumes of legitimate-looking but garbled packets to clog up computational or communication resources on the target machine so that it cannot serve its legitimate users. The resources consumed by such attacks include network bandwidth, disk space, CPU time, data structures, network connections, etc. While it is possible to protect against the first form of attack by patching known vulnerabilities, the second form cannot be prevented so easily: targets can be attacked simply because they are connected to the public Internet.
The first publicly reported DDoS attacks appeared in late 1999 against a university [10]. These attacks quickly became increasingly popular as communities of crackers developed and released extremely sophisticated, user-friendly and automated toolkits [11, 12, 13, 14, 15, 16, 17, 18, 19] to carry them out. At present, even people with little knowledge can use them to carry out DDoS attacks. The impact of DoS attacks can vary from a minor inconvenience to the users of a website to serious financial losses for companies that rely on their on-line availability to do business.
B. B. Gupta, Student Member, IEEE, R. C. Joshi, and Manoj Misra, Member, IEEE
This paper presents an overview of the DDoS problem, the available DDoS attack tools, defense challenges and principles, and a classification of the mechanisms proposed in the literature for preventing DDoS attacks on Internet services, and discusses the strengths and weaknesses of each mechanism. A summary of pending concerns draws attention to core problems in existing mechanisms.
The remainder of the paper is organized as follows. Section II contains an overview of the DDoS problem. Section III describes the variety of available DDoS attack tools in detail. Section IV discusses defense challenges and principles. The classification of available DDoS prevention mechanisms is described in Section V. Finally, Section VI concludes the paper and presents the scope for further research.
A Distributed Denial of Service attack is commonly characterized as an event in which a legitimate user or organization is deprived of certain services, like web, email or network connectivity, that they would normally expect to have. DDoS is basically a resource overloading problem. The resource can be bandwidth, memory, CPU cycles, file descriptors, buffers, etc. The attackers bombard the scarce resource either with a flood of packets or with a single logic packet which can activate a series of processes that exhaust the limited resource [20]. Fig. 2 illustrates a simplified DDoS attack scenario: the attacker uses three zombies to generate a high volume of malicious traffic that floods the victim over the Internet, thus rendering legitimate users unable to access the service.
[Fig. 2 not reproduced in the extracted text. Labels in the figure: Legitimate User; Machines controlled by attacker: A1, A2, A3.]
Fig. 2 Illustration of the DDoS attack scenario
Extremely sophisticated, user-friendly, automated and powerful DDoS toolkits are available for attacking any victim, so no expertise is required, which attracts naive users to perform DDoS attacks.
Although DoS attack strategies change over time, studies show that attackers mainly target the following resources to cause damage to the victim [8, 21].
1) Network bandwidth resources: This concerns the capacity of the network links connecting servers to the wider Internet, or the connectivity between clients and their Internet Service Providers (ISPs). Most of the time, the bandwidth of the client's internal network is less than that of its connection to the external network, so traffic coming from the Internet to the client can consume the entire bandwidth of the client's network. As a result, legitimate requests are unable to get service from the targeted network. In a DoS attack, the vast majority of the traffic directed at the target network is malicious, generated either directly or indirectly by an attacker. Such attacks prevented 13,000 Bank of America ATMs from providing withdrawal services and paralyzed large ISPs such as Freetel, SK Telecom and Korea Telecom on January 25, 2003.
2) System memory resources: An attack targeting system memory resources typically aims to crash the victim's network handling software rather than consuming bandwidth with a large volume of traffic. Specific packets are sent to confuse the operating system or other resources of the victim's machine, including the temporary buffers used to store arriving packets, tables of open connections, and similar memory data structures. Another system resource attack uses packets whose structure triggers a bug in the network software, overloading the target machine, disabling its communication mechanism, or making the host crash, freeze or reboot, which means the system can no longer communicate over the network until the software is
3) System CPU resources / computational capacity: An attack targeting the system's CPU resources typically employs a sequence of queries that execute complex commands and thereby overwhelm the CPU. The Internet Key Exchange protocol (IKE) is the current IETF standard for key establishment and SA parameter negotiation in IPsec. However, IKE's aggressive mode is still very susceptible to DoS attacks against both computational and memory resources, because the server has to create state for the SA and compute a Diffie-Hellman exponentiation in response to a single, not yet authenticated, message [22].
One of the major reasons that make DDoS attacks widespread and easy to carry out on the Internet is the availability of attack tools and the power of these tools to generate attack traffic. There are a variety of DDoS attack tools on the Internet that allow attackers to execute attacks on a target system. Some of the most common are discussed below:
1) Trinoo [8, 11] can be used to launch a coordinated UDP flooding attack against a target system. Trinoo deploys a master/slave architecture, and the attacker controls a number of Trinoo master machines. Communication between attacker and master and between master and slave is performed over TCP and UDP, respectively. Both masters and slaves are password protected to prevent them from being taken over by another attacker.
Table I Summary of DDoS attack tools
[Table body not recoverable from the extracted text. The table compared the tools by attack tool, commands used, types of attack (TCP flooding, UDP flooding, mixed flood, urgent pointer flooder) and whether the control traffic is encrypted; most rows read "not encrypted", and one tool's commands are recorded as a numeric code.]
A Windows version of Trinoo was first reported to CERT on February 16, 2000.
2) TFN [12] uses a command line interface to communicate
between the attacker and the control master program but
offers no encryption between attacker and masters or
between masters and slaves. Communication between the
control masters and slaves is done via ICMP echo reply
packets. It can implement Smurf, SYN Flood, UDP Flood,
and ICMP Flood attacks.
3) TFN2K [13] is a more advanced version of the primitive
TFN network. It uses TCP, UDP, ICMP or all three to
communicate between the control master program and the
slave machines. TFN2K can implement Smurf, SYN,
UDP, and ICMP Flood attacks. Communication between
the real attacker and control master is encrypted using a
key-based CAST-256 algorithm. In addition to flooding,
TFN2K can also perform some vulnerability attacks by
sending malformed or invalid packets.
4) Stacheldraht [14] combines best features of both Trinoo
and TFN. It also has the ability to perform updates on the
slave machines automatically. It uses an encrypted TCP
connection for communication between the attacker and
master control program. Communication between the
master control program and attack daemons is conducted
using TCP and ICMP. Stacheldraht can implement Smurf,
SYN Flood, UDP Flood, and ICMP Flood attacks.
5) Shaft [15] is modeled on the Trinoo network; apart from the port numbers used for communication, its workings are very similar to Trinoo's. The distinctive feature of Shaft is the ability to switch control master servers and ports in real time, which makes detection by intrusion detection tools difficult. Communication between the control masters and slave machines uses UDP packets, while the control masters and the attacker communicate via a simple TCP telnet connection. Shaft can implement UDP, ICMP and TCP flooding attacks.
6) Mstream [16] is more primitive than any of the other DDoS tools. It attacks the target machine with a TCP ACK flood. Communication is not encrypted and is performed through TCP and UDP packets; the master connects to the zombies via telnet. Masters can be controlled remotely by one or more attackers using a password-protected interactive login. Source addresses in attack packets are spoofed at random. Unlike other DDoS tools, mstream masters are informed of access attempts, successful or not, by competing parties.
7) Knight [17] uses IRC as a control channel. It has been reported that the tool is commonly installed on machines that were previously compromised by the Back Orifice Trojan horse program. Knight can implement SYN attacks, UDP flood attacks and an urgent pointer flooder [19]. It is designed to run on Windows operating systems and has features such as an automatic updater via HTTP or FTP, a checksum generator and more.
8) Trinity [18, 19] is also an IRC-based DDoS attack tool. It can implement UDP, IP fragment, TCP SYN, TCP RST, TCP ACK and other flooding attacks. Each Trinity-compromised machine joins a specified IRC channel and waits for commands. The use of a legitimate IRC service for communication between the attacker and the agents eliminates the need for a master machine and elevates the level of the threat [4].
Table I shows a summary of the properties of the different attack tools. The source code of these tools can easily be downloaded from the Internet. Even though they differ in the commands used, the types of attack, the communication techniques, and the presence of backdoors or self-upgrade capability, all share the common objective of overwhelming a victim with an abundance of traffic that is difficult to detect or filter.
Launching a DDoS attack on a victim machine is only a matter of a few keystrokes for the attacker. The victim can try to block these attacks at its network boundary by configuring traditional security tools such as access lists [23], firewalls [24, 25] or intrusion detection systems [26, 27] at its end. But this does not protect the regular benign traffic to the victim's network, and the victim still cannot reach other networks (e.g. the Internet) while its link is saturated.
With the present technology, many challenges are involved
in designing and implementing an effective DDoS defense
mechanism. Some of them are as follows [28]:
(a) Large number of unwitting participants, (b) No common
characteristics of DDoS streams, (c) Use of legitimate traffic
models by attackers, (d) No administrative domain
cooperation, (e) Automated tools, (f) Hidden identity of
participants, (g) Persistent security holes on the Internet, (h)
Lack of attack information and (i) Absence of standardized
evaluation and testing approaches.
Thus Robinson et al. [29] recommend the following five principles for building an effective solution:
1) Since DDoS is a distributed attack with a high volume and rate of attack packets, distributed rather than centralized defense is the first principle of DDoS defense.
2) Second, a high Normal Packet Survival Ratio (NPSR), and hence low collateral damage, is the prime requirement for a DDoS defense.
3) Third, a DDoS defense method should provide secure communication for control messages, in terms of confidentiality, authentication of sources, integrity and freshness of the messages exchanged between defense nodes.
4) Fourth, as there is no centralized control over the autonomous systems (ASes) of the Internet, a partially and incrementally deployable defense model which does not need centralized control is the one that will succeed.
5) Fifth, a defense system must take into account future compatibility issues such as interfacing with other systems and negotiating different defense policies.
Similarly, Tupakula et al. [30] present the following characteristics that an ideal model against DDoS attacks should have:
1) It should be invoked only during attacks and at other times must allow the system to work normally, so it should integrate readily with the existing architecture with minimal modifications.
2) It must provide a simple, easy and effective solution to counteract the attacking sources and prevent the attack.
3) It should identify the attack at the victim and prevent it near the attacking source.
4) It should prevent only the attack traffic from reaching the victim. That is, the model should be able to differentiate a malicious traffic flow from a regular benign flow by incorporating different attack signatures for different attacking sources.
5) It should have a fast response time and respond quickly to any changes in the attack traffic pattern.
6) It should provide mechanisms for retaining attack evidence for any future legal proceedings.
Attack prevention methods try to stop all well-known signature-based and broadcast-based DDoS attacks from being launched in the first place, for example at edge routers, and to keep all machines on the Internet up to date with patches that fix security holes. Attack prevention schemes alone are not enough to stop DDoS attacks, because they are always vulnerable to novel and mixed attack types for which no signatures or patches exist in the database.
Techniques for preventing DDoS attacks can be broadly divided into two categories: (i) general techniques, i.e. common preventive measures [31] such as system protection and replication of resources that individual servers and ISPs should follow so that they do not become part of a DDoS attack; and (ii) filtering techniques, which include ingress filtering, egress filtering, router-based packet filtering, history-based IP filtering, the SAVE protocol, etc.
A. General Techniques
1) Disabling unused services
The fewer applications and open ports there are on a host, the fewer chances attackers have to exploit vulnerabilities. Therefore, network services that are not needed or unused should be disabled to prevent attacks, e.g. the UDP echo and character generation services [31].
2) Install latest security patches
Today, many DDoS attacks exploit vulnerabilities in the target system. Removing known security holes by installing all relevant security patches prevents re-exploitation of those vulnerabilities in the target system [31].
3) Disabling IP broadcast
Defense against attacks that use intermediate broadcasting nodes, e.g. ICMP flood and Smurf attacks, will be successful only if the host computers and all neighboring networks disable IP directed broadcast [32].
4) Firewalls
Firewalls can effectively prevent users from launching simple flooding attacks from machines behind the firewall. Firewalls have simple rules that allow or deny protocols, ports or IP addresses, but they cannot stop more complex attacks: if the attack targets port 80 (the web service), the firewall cannot prevent it, because it cannot distinguish good traffic from DoS attack traffic [24, 25].
5) Global defense infrastructure
A globally deployable defense infrastructure could prevent many DDoS attacks by installing filtering rules in the most important routers of the Internet. However, as the Internet is administered by various autonomous systems according to their own local security policies, such a global defense architecture is possible only in theory [31].
6) IP hopping
DDoS attacks can be prevented by proactively changing the location or IP address of the active server within a pool of homogeneous servers or within a pre-specified set of IP address ranges [31]. The victim computer's IP address is invalidated by replacing it with a new one. Once the address change is completed, all Internet routers are informed and the edge routers drop the attacking packets. Although this leaves the computer vulnerable, since the attacker can launch the attack against the new IP address, the option is practical for DDoS attacks that are aimed at IP addresses. On the other hand, attackers can render this technique useless by adding a domain name service tracing function to the DDoS attack
B. Filtering Techniques
1) Ingress/Egress filtering
Ingress filtering, proposed by Ferguson et al. [33], is a restrictive mechanism that drops traffic whose source IP addresses do not match a domain prefix connected to the ingress router. Egress filtering is an outbound filter which ensures that only assigned or allocated IP address space leaves the network. A key requirement for ingress or egress filtering is knowledge of the IP addresses expected at a particular port; for some networks with complicated topologies, this knowledge is not easy to obtain.
One technique known as reverse path filtering [34] can help to build this knowledge. It works as follows. A router generally knows which networks are reachable via each of its interfaces. By looking up the source address of incoming traffic, it can check whether the return path to that address would leave through the same interface the packet arrived on. If so, the packet is allowed; otherwise it is dropped. Unfortunately, this technique cannot operate effectively in real networks, where asymmetric Internet routes are not uncommon. Note also that both ingress and egress filtering can be applied not only to IP addresses but also to the protocol type, port number, or any other criterion of importance.
Both ingress and egress filtering provide some opportunities to throttle the power of DoS attacks. However, it is difficult to deploy ingress/egress filtering universally: if the attacker carefully chooses a network without ingress/egress filtering to launch a spoofed DoS attack, the attack goes undetected. Moreover, if an attack spoofs IP addresses from within the local subnet, it goes undetected as well. Nowadays DDoS attacks do not need source address spoofing to be effective. By exploiting a large number of compromised hosts, attackers do not need spoofing to take advantage of protocol vulnerabilities or to hide their locations. For example, each individual HTTP web page request from 10,000 compromised hosts passes any ingress/egress filter, but in combination they constitute a powerful attack. Hence ingress and egress filtering are ineffective at stopping such DDoS attacks.
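The reverse-path check described above, worked through on a small routing table as an added example (this is illustration code written for this page, not code from the paper or from any router vendor). It implements both the strict form the text describes and the loose form that operators fall back to on asymmetric routes, and shows what each one catches and misses. All prefixes, interface names and packets are constructed from the RFC 5737 documentation ranges.

```python
"""Strict and loose reverse-path (ingress) filtering on a constructed routing table.

Added example, not code from the paper or from any router vendor. Every prefix,
interface name and packet below is made up (RFC 5737 documentation ranges).
"""
import ipaddress
from typing import Optional

# Forwarding table of a hypothetical edge router: prefix -> egress interface.
# A default route is deliberately absent: with one present every address is
# "reachable", and the loose check below would never drop anything.
FIB = {
    "203.0.113.0/24":  "cust-A",    # customer A
    "198.51.100.0/24": "cust-B",    # customer B
    "198.51.100.0/25": "cust-B2",   # more specific: lower half of B on another port
    "192.0.2.0/24":    "uplink0",   # a peer reached through the upstream link
}
_ROUTES = sorted(((ipaddress.ip_network(p), i) for p, i in FIB.items()),
                 key=lambda r: r[0].prefixlen, reverse=True)


def lookup(addr: str) -> Optional[str]:
    """Longest-prefix match: the interface packets *to* addr would leave on."""
    ip = ipaddress.ip_address(addr)
    for net, iface in _ROUTES:
        if ip in net:
            return iface
    return None


def rpf_check(src: str, in_iface: str, mode: str = "strict") -> bool:
    """Decide whether a packet with source src arriving on in_iface is forwarded.

    strict: the return path to src must use the interface the packet came in on.
    loose : src merely has to be routable; this tolerates asymmetric routes but
            no longer catches spoofing of any routable address.
    """
    out = lookup(src)
    if out is None:
        return False                       # unroutable source: dropped in both modes
    if mode == "loose":
        return True
    return out == in_iface


def ingress_filter(packets, mode: str = "strict"):
    """Apply rpf_check to (src, dst, in_iface) tuples; return (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if rpf_check(pkt[0], pkt[2], mode) else dropped).append(pkt)
    return accepted, dropped


# Constructed traffic seen on the router. A host behind cust-A spoofs three
# kinds of source; the last packet is a legitimate reply that arrives on uplink0
# because the customer is multi-homed (asymmetric route), which strict mode drops.
SAMPLE = [
    ("203.0.113.7",  "192.0.2.1", "cust-A"),    # genuine customer A traffic
    ("198.51.100.5", "192.0.2.1", "cust-A"),    # spoofed: belongs to cust-B2
    ("192.0.2.77",   "192.0.2.1", "cust-A"),    # spoofed: routable only via uplink0
    ("10.0.0.1",     "192.0.2.1", "cust-A"),    # spoofed: not routable at all
    ("203.0.113.9",  "192.0.2.1", "uplink0"),   # asymmetric but legitimate
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        acc, drp = ingress_filter(SAMPLE, mode)
        print(f"{mode}: accepted {len(acc)}, dropped {len(drp)}")
```

Strict mode drops all three spoofed packets but also the legitimate asymmetric one; loose mode keeps the asymmetric packet but lets the two routable spoofed sources through and only stops the unroutable 10.0.0.1. That trade-off is exactly why the text calls the technique ineffective on real networks with asymmetric routes. On Linux the same two modes are the `net.ipv4.conf.<iface>.rp_filter` sysctl (1 = strict, 2 = loose); the per-interface choice matters on multi-homed edges.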
2) Router based packet filtering
Route-based packet filtering, proposed by Park and Lee [35], extends ingress filtering and uses route information to filter out spoofed IP packets. It is based on the principle that for each link in the core of the Internet there is only a limited set of source addresses from which traffic on the link could have originated. If an unexpected source address appears in an IP packet on a link, the source address is assumed to have been spoofed and the packet can be filtered. RPF uses information about the BGP routing topology to build the filters. Simulation results show that a significant fraction of spoofed IP addresses can be filtered if RPF is implemented in at least 18% of the ASes in the Internet. However, the scheme has several limitations. The first concerns implementation in practice: given that the Internet contains more than 10,000 ASes, RPF would need to be implemented in at least 1800 of them to be effective, which is an onerous task. The second is that RPF may drop legitimate packets if there has recently been a route change. The third is that RPF relies on valid BGP messages to configure the filters; if an attacker can hijack a BGP session and disseminate bogus BGP messages, border routers can be misled into updating their filtering rules in the attacker's favor. RPF is effective against randomly spoofed DoS attacks, but its filtering granularity is low, which means attack traffic can still bypass the filters by carefully choosing the range of IP addresses to spoof. Hence RPF is ineffective against such DDoS attacks. Route-based packet filtering is also vulnerable to asymmetric and dynamic Internet routing, as it provides no scheme for updating the routing information.
3) History based IP filtering
Generally, the set of source IP addresses seen during normal operation tends to remain stable, whereas during DoS attacks most of the source IP addresses have not been seen before. Peng et al. [36] rely on this observation and use an IP address database (IAD) to keep the frequently seen source IP addresses. During an attack, a packet whose source address is not in the IAD is dropped. Hash-based/Bloom filter techniques are used for fast lookup of addresses in the IAD. The scheme is robust and does not need the cooperation of the whole Internet community [36].
However, history-based packet filtering is ineffective when the attacks come from real (non-spoofed) IP addresses. In addition, it requires an offline database to keep track of IP addresses, so the cost of storage and information sharing is high.
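The IAD mechanism above, as an added example (illustration code written for this page, not the implementation of Peng et al.): an offline learning pass builds the address database from normal-operation observations, the fast path is a Bloom filter, and the attack-time policy drops every source that is not in it. The admission rule (seen on at least two distinct days), the filter size and all addresses are assumptions, and the traffic samples are constructed.

```python
"""History-based IP filtering with a Bloom-filter IP address database (IAD).

Added example, not the code of Peng et al. The admission rule (seen on at least
min_days distinct days of normal operation), the filter size and all addresses
are assumptions; traffic samples are constructed.
"""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple


class BloomFilter:
    """Fixed-size bit array with k hash positions; no false negatives, rare false positives."""

    def __init__(self, m_bits: int = 1 << 16, k: int = 4) -> None:
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item: str) -> Iterable[int]:
        # Derive k positions from one SHA-256 digest (4 bytes each).
        digest = hashlib.sha256(item.encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def build_iad(history: Iterable[Tuple[int, str]], min_days: int = 2) -> Tuple[BloomFilter, Set[str]]:
    """Learn the IAD offline from (day, source_ip) observations taken during normal operation.

    Returns the Bloom filter used on the fast path and the exact set it was built
    from (kept only so the caller can see what was admitted).
    """
    days_seen: Dict[str, Set[int]] = {}
    for day, src in history:
        days_seen.setdefault(src, set()).add(day)
    admitted = {src for src, days in days_seen.items() if len(days) >= min_days}
    iad = BloomFilter()
    for src in admitted:
        iad.add(src)
    return iad, admitted


def filter_under_attack(sources: Iterable[str], iad: BloomFilter) -> Tuple[List[str], List[str]]:
    """Attack-time policy: forward packets whose source is in the IAD, drop the rest."""
    kept, dropped = [], []
    for src in sources:
        (kept if src in iad else dropped).append(src)
    return kept, dropped


# Constructed normal-operation log: (day, source). .13 and .14 appear on one day only.
NORMAL_HISTORY = [
    (1, "203.0.113.10"), (1, "203.0.113.11"), (1, "203.0.113.12"), (1, "203.0.113.13"),
    (2, "203.0.113.10"), (2, "203.0.113.11"), (2, "203.0.113.12"),
    (3, "203.0.113.10"), (3, "203.0.113.11"), (3, "203.0.113.14"),
]

# Constructed attack-time traffic: a regular user, an infrequent but real user,
# and a flood from 100 never-seen (e.g. spoofed) sources.
ATTACK_SOURCES = (["203.0.113.10"] * 3 + ["203.0.113.13"]
                  + [f"198.51.100.{i}" for i in range(1, 101)])

if __name__ == "__main__":
    iad, admitted = build_iad(NORMAL_HISTORY)
    kept, dropped = filter_under_attack(ATTACK_SOURCES, iad)
    print(f"admitted={sorted(admitted)} kept={len(kept)} dropped={len(dropped)}")
```

Two caveats the text touches on are visible in the run: the infrequent real user 203.0.113.13 is collateral damage of the admission threshold, and a source that is already in the IAD is never filtered, so a botnet whose hosts sent a little innocuous traffic during the learning window passes untouched. The learning pass therefore needs the same scrutiny as the filter itself.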
4) Capability based method
Capability-based mechanisms provide the destination with a way to control the traffic directed towards it. In this approach, the source first sends request packets to the destination; routers add marks (pre-capabilities) to the request packet as it passes through them. The destination may or may not grant the source permission to send: if permission is granted, the destination returns the capabilities in its reply, otherwise it omits them. Data packets carrying the capabilities are then sent to the destination via the routers. The main advantage of this architecture is that the destination can now control traffic according to its own policy, which reduces the chances of a DDoS attack, as packets without capabilities are treated as legacy traffic and may be dropped at the router when congestion occurs [37].
However, while these systems offer strong protection for established network flows, they give rise to a new attack type known as Denial of Capability (DoC), in which the attacker prevents new capability-setup (request) packets from reaching the destination; this limits the value of these systems. In addition, these systems have high computational complexity and space
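The request, pre-capability, capability and data-path steps above, and the Denial of Capability limitation, as an added example (illustration code written for this page, not the code of any capability scheme the paper cites). The mark format (an HMAC over source, destination and a one-minute epoch), the two-epoch lifetime, the reserved request budget, the destination's policy and all addresses are assumptions chosen to make the flow concrete.

```python
"""Capability-based filtering: request/pre-capability/capability flow and the DoC limitation.

Added example, not the code of any capability scheme cited by the paper. The mark
format (an HMAC over source, destination and a one-minute epoch), the 2-epoch
lifetime, the reserved request budget, the destination policy and all addresses
are assumptions chosen for illustration.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

Capability = Tuple[int, bytes]                 # (epoch, 8-byte mark)

ROUTER_SECRET = b"constructed-router-secret"   # per-router secret; rotated in practice
EPOCH_SECONDS = 60
MAX_AGE_EPOCHS = 2


def _mark(src: str, dst: str, epoch: int, secret: bytes = ROUTER_SECRET) -> bytes:
    """Router mark bound to the flow and the time it was issued (assumed format)."""
    msg = f"{src}|{dst}|{epoch}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def precapability(src: str, dst: str, now: int) -> Capability:
    """Stamped by the router on a request packet on its way to the destination."""
    epoch = now // EPOCH_SECONDS
    return (epoch, _mark(src, dst, epoch))


def destination_policy(src: str) -> bool:
    """The destination's own admission policy (constructed: one source is denied)."""
    return src != "198.51.100.66"


def handle_request(src: str, dst: str, now: int) -> Optional[Capability]:
    """Request path: router marks the request, destination returns the capability or nothing."""
    pre = precapability(src, dst, now)
    return pre if destination_policy(src) else None


def verify_capability(src: str, dst: str, cap: Optional[Capability], now: int) -> bool:
    """Data path: router recomputes the mark; forged, transplanted or stale caps fail."""
    if cap is None:
        return False
    epoch, mark = cap
    if now // EPOCH_SECONDS - epoch > MAX_AGE_EPOCHS:
        return False
    return hmac.compare_digest(mark, _mark(src, dst, epoch))


def forward(packets: List[Dict], now: int, capacity: int) -> List[Dict]:
    """Congested router: capability-carrying packets are served first, the rest are legacy."""
    privileged, legacy = [], []
    for pkt in packets:
        ok = verify_capability(pkt["src"], pkt["dst"], pkt.get("cap"), now)
        (privileged if ok else legacy).append(pkt)
    out = privileged[:capacity]
    out += legacy[:max(0, capacity - len(out))]
    return out


def request_channel(requests: List[str], budget: int) -> List[str]:
    """Requests carry no capability and share a small reserved budget per interval.

    A flood of attacker requests fills the budget before a legitimate request
    arrives: the Denial of Capability (DoC) problem described in the text.
    """
    return requests[:budget]


if __name__ == "__main__":
    now = 1_700_000_000
    cap = handle_request("203.0.113.5", "192.0.2.10", now)
    flood = [{"src": f"198.51.100.{i}", "dst": "192.0.2.10"} for i in range(5)]
    flood.append({"src": "203.0.113.5", "dst": "192.0.2.10", "cap": cap})
    print([p["src"] for p in forward(flood, now, 2)])
    print(request_channel(["198.51.100.66"] * 100 + ["203.0.113.5"], 10))
```

The router never stores per-flow state: it only recomputes the HMAC, which is what makes a capability unforgeable and non-transferable to another source. The last call shows the DoC weakness the text describes: the request channel has to accept packets without any capability, so 100 attacker requests exhaust the budget and the legitimate request is never served.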
5) Secure Overlay Service (SOS)
Keromytis et al. [38] propose an architecture called Secure Overlay Service (SOS) to secure the communication between confirmed users and the victim. All traffic from a source point is verified by a secure overlay access point (SOAP). Authenticated traffic is routed, in an anonymous manner and via consistent hash mapping, to a special overlay node called a beacon. The beacon then forwards the traffic to another special overlay node called a secret servlet for further authentication, and the secret servlet forwards the verified traffic to the victim. The identity of the secret servlet is revealed to the beacon via a secure protocol and remains secret from the attacker. Finally, only traffic forwarded by the secret servlet chosen by the victim can pass the victim's perimeter routers.

Table II Summary of filtering techniques for DDoS attack prevention

Ingress/Egress filtering
  Advantages: prevents IP spoofing.
  Disadvantages: needs global deployment; attacks with real IP addresses cannot be prevented.
RPF (Route-based Packet Filtering)
  Advantages: works well with static routing.
  Disadvantages: problems when dynamic routing is used; needs wide implementation to be effective.
History based
  Advantages: does not require cooperation of the whole Internet; gives priority to frequent packets in case of congestion or attack.
  Disadvantages: ineffective when the attacks come from real IP addresses; requires an offline database to keep track of IP addresses; depends on the information collected.
Capability based
  Advantages: provides the destination a way to control the traffic it; incremental deployment.
  Disadvantages: attacks against the request packets cannot be prevented (e.g. DoC attack); high computational complexity and space requirement.
SOS (Secure Overlay Service)
  Advantages: works well for communication of predefined source nodes.
  Disadvantages: the solution has limited scope, e.g. not applicable to web servers; requires the introduction of a new routing protocol, which is itself another security issue.
SAVE
  Advantages: filtering improperly addressed packets is; incremental deployment.
  Disadvantages: during the transient period valid packets can be dropped.
Secure Overlay Service (SOS) addresses the problem of how to guarantee communication between legitimate users and a victim during DoS attacks, and it can greatly reduce the likelihood of a successful attack. The power of SOS depends on the number and distribution of SOAPs; however, wide deployment of SOAPs is itself a difficult DoS defense challenge. The power of SOS also rests on the anonymous routing protocol within the overlay nodes, and the introduction of a new routing protocol is in itself another security issue: if an attacker is able to breach the protection of some overlay node, it can launch the attack from inside the overlay network. Moreover, if attackers gain massive attack power, for example via worm spread, all the SOAPs can be paralyzed and the target's services disrupted.
6) SAVE: Source Address Validity Enforcement
Li et al. [39] have proposed a new protocol called Source Address Validity Enforcement (SAVE), which enables routers to update the information on the expected source IP addresses on each link and block any IP packet with an unexpected source IP address. The aim of SAVE is to provide routers with information about the range of source IP addresses that should be expected at each interface. Similarly to existing routing protocols, SAVE constantly propagates messages containing valid source address information from the source location to all destinations, so each router along the way can build an incoming table that associates each of its links with a set of valid source address blocks. Routers then filter packets with spoofed source addresses using these incoming tables. SAVE overcomes the asymmetries of Internet routing by updating the incoming tables on each router periodically.
However, SAVE needs to change the routing protocol, which will take a long time to accomplish. If SAVE is not universally deployed, attackers can always spoof IP addresses within networks that do not implement SAVE. Moreover, even if SAVE were universally deployed, attackers could still launch DDoS attacks using non-spoofed source
Table II summarizes the filtering techniques for DDoS attack prevention.
To conclude, attack prevention aims to solve IP spoofing, a
fundamental weakness of the Internet. However, as attackers
gain control of larger numbers of compromised computers,
they can direct these “zombies” to attack using valid source
addresses. Since the communication between attackers and
“zombies” is encrypted, only the “zombies” can be exposed,
not the attackers. According to the Internet Architecture
Working Group [40], the percentage of spoofed attacks is
declining: only four out of 1127 customer-impacting DDoS
attacks on a large network used spoofed sources in 2004.
Moreover, security awareness is still insufficient, so expecting
security technologies and patches to be installed across the
large installed base of the Internet seems an ambitious goal in
the near future. In addition, there is no way to enforce global
deployment of a particular security mechanism. Therefore,
relying on attack prevention schemes alone is not enough to
stop DDoS attacks.
A DoS attack causes either disruption or degradation of a
victim’s shared resources, thereby preventing legitimate users
from exercising their right of access to those resources. A DoS
attack may target a specific component of a computer, an
entire computer system, certain networking infrastructure, or
even the entire Internet infrastructure. Attacks either exploit a
natural weakness of a system, which is known as a logical
attack, or overload the victim with a high volume of traffic,
which is called a flooding attack. A distributed form of DoS
attack, called a DDoS attack, is generated by many
compromised machines that coordinate to hit a victim. DDoS
attacks are adversarial and constantly evolving. Once a
particular kind of attack is successfully countered, a slight
variation is designed that bypasses the defense and still
performs an effective attack.
In this paper, we covered an overview of the DDoS
problem, available DDoS attack tools, defense challenges and
principles, and a classification of available DDoS prevention
mechanisms. This provides better understanding of the
problem and enables a security administrator to effectively
equip his arsenal with proper prevention mechanisms for
fighting against the DDoS threat. The current prevention
mechanisms reviewed in this paper are clearly far from
adequate to protect the Internet from DDoS attacks. The main
problem is that there are still many insecure machines on the
Internet that can be compromised to launch a large-scale
coordinated DDoS attack. One promising direction is to
develop a comprehensive solution that encompasses several
defense activities to counter a variety of DDoS attacks. If one
level of defense fails, the others still have the possibility to
defend against the attack. A successful intrusion requires all
defense levels to fail.
The authors gratefully acknowledge the financial support of
the Ministry of Human Resource Development (MHRD),
Government of India for part of the work reported in the paper.
[1] Leiner, B. M., Cerf, V. G., et al. (2003). A Brief History of the
Internet. Internet Society.
[2] The ISC Internet Domain Survey. survey.
[3] CERT statistics. Available at: html.
[4] C. Douligeris, A. Mitrokotsa, “DDoS attacks and defense
mechanisms: classification and state-of-the-art,” Computer
Networks, Volume 44, Issue 5, pp. 643-666, April 2004.
[5] C. Douligeris, A. Mitrokotsa, “DDoS attacks and defense
mechanisms: classification,” in Proceedings of the 3rd IEEE
International Symposium on Signal Processing and Information
Technology (ISSPIT 03), Darmstadt, Germany, pp. 190-193,
Dec. 14-17, 2003.
[6] D. Moore, C. Shannon, D. J. Brown, G. Voelker, S. Savage.
“Inferring Internet Denial-of-Service Activity”, ACM
Transactions on Computer Systems, 24 (2), pp 115-139, 2006.
[7] Juniper Network, “Combating Bots and Mitigating DDoS
Attacks (Solution brief)”, Juniper Networks, Inc, 2006.
[8] J. Mirkovic, P. Reiher, “A Taxonomy of DDoS Attack and
DDoS defense Mechanisms,” ACM SIGCOMM Computer
Communications Review, Volume 34, Issue 2, pp. 39-53,
April 2004.
[9] J. Molsa, “Mitigating denial of service attacks: A tutorial,”
Journal of computer security, 13, pp. 807-837, IOS Press,
[10] L. Garber, “Denial-of-service attacks rip the Internet,” IEEE
Computer, Volume 33, Issue 4, pp. 12-17, Apr. 2000.
[11] D. Dittrich, “The DoS Project’s Trinoo Distributed Denial of
Service attack tool,” University of Washington, October 21,
1999. Available at:
[12] D. Dittrich, “The Tribe Flood Network Distributed Denial of
Service attack tool,” University of Washington, October 21,
1999. Available at:
[13] J. Barlow, W. Thrower, “TFN2K- An Analysis,” Axent
Security Team. February 10, 2000. Available at:
[14] D. Dittrich, “The Stacheldraht Distributed Denial of Service
attack tool,” University of Washington, December 1999.
Available at:
[15] S. Dietrich, N. Long, D. Dittrich, “Analyzing Distributed
Denial of Service tools: The Shaft Case,” in Proceedings of the
14th Systems Administration Conference (LISA 2000), New
Orleans, LA, USA, pp. 329-339, December 3-8, 2000.
[16] D. Dittrich, G. Weaver, S. Dietrich, and N. Long, “The
“Mstream” distributed denial of service attack tool,” May
2000. Available at:
[17] Bysin, “Knight.c sourcecode,”, July
11, 2001. Available at: knight.c.
[18] B. Hancock, “Trinity v3, a DDoS tool,” hits the streets,
Computers Security 19(7), pp. 574, 2000.
[19] M. Marchesseau, “Trinity-Distributed Denial of Service
Attack Tool,” 11 Sept, 2000. Available at:
[20] K. Kumar, R.C. Joshi and K. Singh, “An Integrated Approach
for Defending against Distributed Denial-of-Service (DDoS)
Attacks”, iriss, 2006, IIT Madras.
[21] B. Wang, H. Schulzrinne, “Analysis of Denial-of-Service
Attacks on Denial-of-Service Defensive Measures”,
GLOBECOM 2003, pp. 1339-43
[22] S. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A.D.
Keromytis, O. Reingold, “Efficient, DoS-resistant, secure key
exchange for Internet protocols,” In Proceedings of the 2001
Security Protocols International Workshop, April 2001,
Cambridge, England.
[23] S. Hazelhurst, “Algorithms for Analysing Firewall and Router
Access Lists”, In Proceedings of the Workshop on Dependable IP
Systems and Platforms (ICDSN), 2000.
[24] R. Oppliger, “Internet Security: firewall and beyond,”
Communications of the ACM, Volume 40, Issue 5, pp. 92-102,
[25] McAfee, “Personal Firewall”. Available at: myapps/ firewall/ov_firewall.asp.
[26] Debar H, Dacier M, Wespi A, “Towards a taxonomy of
intrusion detection systems”, Computer Networks, Vol. 31,
[27] Y. Bai, H. Kobayashi, “Intrusion Detection System:
Technology and Development”, in the Proceedings of the 17th
International Conference on Advanced Information
Networking and Applications (AINA), pp. 710-715, March,
[28] K. Kumar, R.C. Joshi and K. Singh, “An Integrated Approach
for Defending against Distributed Denial-of-Service (DDoS)
Attacks,” IRISS, 2006, IIT Madras. Available at: iitr_krishan.pdf.
[29] M. Robinson, J. Mirkovic, M. Schnaider, S Michel, and P.
Reiher, “Challenges and principles of DDoS defense,”
SIGCOMM, 2003.
[30] U.K.Tupakula, V.Varadharajan "A Practical Method to
Counteract Denial of Service Attacks", Proceedings of the
Twenty-Sixth Australasian Conference on Computer Science,
ACSC2003, Springer Verlag, Australia. (Feb 2003).
[31] X. Geng, A.B. Whinston, “Defeating Distributed Denial of
Service attacks,” IEEE IT Professional 2 (4) (2000) 36-42.
[32] Felix Lau, Rubin H. Stuart, Smith H. Michael, et al.,
“Distributed Denial of Service Attacks,” in Proceedings of
2000 IEEE International Conference on Systems, Man, and
Cybernetics, Nashville, TN, Vol. 3, pp. 2275-2280, 2000.
[33] P. Ferguson, and D. Senie, “Network ingress filtering:
Defeating denial of service attacks which employ IP source
address spoofing,” RFC 2267, the Internet Engineering Task
Force (IETF), 1998.
[34] Baker, F. “Requirements for IP version 4 routers,” RFC 1812,
Internet Engineering Task Force (IETF).Go online to
[35] K. Park, and H. Lee, “On the effectiveness of router-based
packet filtering for distributed DoS attack prevention in
power-law Internets," Proceedings of the ACM SIGCOMM
Conference, 2001, pp. 15-26, 2001.
[36] T. Peng, C. Leckie, K. Ramamohanarao, “Protection from
Distributed Denial of Service attack using history-based IP
filtering,” in Proceedings of IEEE International Conference on
Communications (ICC 2003), Anchorage, AL, USA, Volume
1, pp. 482-486, 2003.
[37] T. Anderson, T. Roscoe, D. Wetherall, “Preventing Internet
Denial-of-Service with Capabilities,” In ACM SIGCOMM
Computer Communication Review, Volume 34, issue 1,
January 2004, pp. 39-44
[38] A. D. Keromytis, V. Misra, and D. Rubenstein, “SOS: Secure
Overlay Services,” in the Proceedings of ACM SIGCOMM,
pp. 61-72, 2002.
[39] J. Li, J. Mirkovic, M. Wang, and P. Reiher, “SAVE: Source
address validity enforcement protocol,” Proceedings of IEEE
INFOCOM, 2002, pp. 1557-1566.
[40] M. Handley, “Internet Architecture WG: DoS-resistant Internet
subgroup report,” 2005. Available at:
B. B. Gupta received the bachelor’s degree in
Information Technology in 2005 from Rajasthan
University, India. He is currently a PhD student in the
Department of Electronics and Computer
Engineering at Indian Institute of Technology,
Roorkee, India.
His research interests include defense
mechanisms for thwarting Denial of Service attacks,
Network security, Cryptography, Data mining and
Data structure and Algorithms. He is a student
member of IEEE.
R. C. Joshi received the bachelor’s degree in
Electrical Engineering from Allahabad University,
India in 1967. He received his master’s and PhD
degree in Electronics and Computer Engineering
from University of Roorkee, India in 1970 and 1980,
respectively. Currently, he is working as a Professor
at Indian Institute of Technology Roorkee, India.
He has served as Head of the Department twice,
from Jan 1991 to Jan 1994 and from Jan 1997 to Dec 1999. He was Head
of the Institute Computer Centre (ICC), IIT Roorkee from March 1994 to Dec 2005.
Prof. Joshi is on the expert panel of various national committees like AICTE,
DRDO and MIT. He has vast teaching experience exceeding 38 years at
graduate and postgraduate levels at IIT Roorkee. He has guided over 25 PhD
theses, 150 M.E./M.Tech dissertations and 200 B.E./B.Tech projects. Prof.
Joshi has published over 250 research papers in National/International
Journals/Conferences and presented many in Europe, USA and Australia. He
has been awarded Gold Medal by Institute of Engineers for best paper. He has
chaired many national and international conferences and workshops. Presently,
he is actively involved in research in the field of Database management system,
Data mining, Bioinformatics, Information security, Reconfigurable systems and
Mobile computing.
Manoj Misra received the bachelor’s degree in
Electrical Engineering in 1983 from HBTI Kanpur,
India. He received his master’s and PhD degree in
Computer Engineering in 1986 and 1997 from
University of Roorkee, India and Newcastle upon
Tyne, UK, respectively. He is currently a Professor
at Indian Institute of Technology Roorkee.
He has guided several PhD theses, M.E./M.Tech.
Dissertations and completed various projects. His areas of interest include
Mobile computing, Distributed computing and Performance Evaluation. He is
a member of IEEE.