We propose a framework and methodology for quantifying the effect of denial of service (DoS) attacks on a distributed system. We present a systematic study of the resistance of gossip-based multicast protocols to DoS attacks. We show that even distributed and randomized gossip-based protocols, which eliminate single points of failure, do not necessarily eliminate vulnerabilities to DoS attacks. We propose Drum – a simple gossip-based multicast protocol that eliminates such vulnerabilities. Drum was implemented in Java and tested on a large cluster. We show, using closed-form mathematical analysis, simulations, and empirical tests, that Drum survives severe DoS attacks. 1

Abstract—This paper proposes a coordinated defense scheme of distributed denial of service (DDoS) network attacks, based on the backward-propagation, on-off control strategy. When a DDoS attack is in effect, a high concentration of malicious packet streams are routed to the victim in a short time, making it a hot spot. A similar problem has been observed in multiprocessor systems, where a hot spot is formed when a large number of processors access simultaneously shared variables in the same memory module. Despite the similar terminologies used here, solutions for multiprocessor hot spot problems cannot be applied to that in the Internet, because the hot traffic in DDoS may only represent a small fraction of the Internet traffic, and the attack strategies on the Internet are far more sophisticated than that in the multiprocessor systems. The performance impact on the hot spot is related to the total hot packet rate that can be tolerated by the victim. We present a backward pressure propagation, feedback control scheme to defend DDoS attacks. We use a generic network model to analyze the dynamics of network traffic, and develop the algorithms for rate-based and queue-length-based feedback control. We show a simple design to implement our control scheme on a practical switch queue architecture. Index Terms—Coordinated defense, distributed denial of service (DDoS) attack, hot spots, on–off control, web server. I.

Abstract—Distributed denial-of-service (DDoS) is an increasingly worrying threat to availability of Internet resources. The variety and number of both attacks and defense approaches are overwhelming. An overview of DDoS problem, Attack: Modus Operandi, Classification of DDoS attacks, Defense Principles and Challenges, and state of art research gaps are presented. Thus a better understanding of the problem, current solution space and future scope are provided. Moreover different defense approaches: Prevention, Detection and Characterization, Tracing, and Tolerance and Mitigation to tackle DDoS problem are revisited and an integrated comprehensive solution is proposed.

Cooperative technological solutions for Distributed Denial-of-Service (DDoS) attacks are already available, yet organizations in the best position to implement them lack incentive to do so, and the victims of DDoS attacks cannot find effective methods to motivate them. In this article we discuss two components of the technological solutions to DDoS attacks: cooperative filtering and cooperative traffic smoothing by caching. We then analyze the broken incentive chain in each of these technological solutions. As a remedy, we propose usage-based pricing and Capacity Provision Networks, which enable victims to disseminate enough incentive along attack paths to stimulate cooperation against DDoS attacks. Categories and Subject Descriptors: K.4.1 [Computers and Society]: Public Policy Issues— Abuse and crime involving computers; Use/abuse of power; K.4.4 [Computers and Society]:

Distributed Denial of Service attacks pose a serious threat to the online applications like banking, trade, and e-commerce which are dependent on availability of Internet. Defending Internet from these attacks has become the need of the hour for sustainable development of any economy. Most of the research work in this area focuses on developing defense against these attacks without considering its practical deployment on the Internet. They evaluate the defense through simulation or experimenting in controlled environments. However a sincere thought is required to deploy these defense mechanisms in an incrementally acceptable way on the Internet. In this paper, the focus is on deployment aspect of defense system against DDoS attacks. The DDoS defense system in general is anatomized and need for distributed defense as compared to centralized defense has been highlighted. All possible defense locations on the Internet are critically analyzed for suitability of DDoS defense system deployment. A review of existing distributed defense schemes in terms of deployment is also carried out. Based on Internet structure, its working, and desired DDoS defense characteristics, ISP domain is chosen for deployment. However extending cooperation among ISPs and secure framework for communication among ISPs remain future concerns of our work.