Distributed Denial-of-Service (DDoS) Attacks and Defense Mechanisms in Various Web-Enabled Computing Platforms: Issues, Challenges, and Future Research Directions

In the early days of the Internet, one could provide scalable and flexible network conveniently, as the security issues were not a major concern. With the rapid increase in the Internet users over the past two decades, the victims of cyber-attacks have also grown significantly. According to the Internet Crime Report 2020 published by the Internet Crime Complaint Center (IC3) of Federal Bureau of Investigation (FBI), an enormous total of \$13.3 billion of victim losses have occurred due to cyber-attacks in the past five years out of which \$7.7 billion took place in the past two years only (IC3, 2020).

One of the early noticeable Internet security incidents that took place was the occurrence of the Morris Worm (Rochlis & Eichin, 1989) in 1988. Since then, the number as well as power of cyber-attacks have been increasing by the day. In the last decade, the relocation of financial and economic sectors from offline to online have also shifted the focus of attackers. In February 2020, the entire network infrastructure of UK cryptocurrency exchange EXMO was paralyzed by a high-scale DDoS attack with attack volume of 30 gbps (Haworth, 2021a). Another such attack knocked the New Zealand stock exchange offline for two days in a row (Haworth, 2020). Apart from the financial services, another sector that has presented itself as a major platform for DDoS attacks is Telecommunications sector. According to a study, the telecom sector rose from sixth most frequent DDoS target in Q4 2020 to the primary attack focus in Q1 2021 (Haworth, 2021b).

Year 2019 witnessed the rise of a global pandemic and consequently the businesses shifted their workforce to a full-time work from home model where majority users depend on relatively less secure infrastructure, paving the way for increased cyber-attacks (Bannister, 2020). According to PurpleSec 2021 threat report, cybercrime has escalated by 600\% due to Covid-19 pandemic (Firch, 2021). Along with the previously targeted sectors, like education and government departments, the coronavirus information websites also pose as potential targets to the attackers (Osborne, 2020). In a report published by the American technology and security company, Neustar Inc., the number of attacks mitigated by them have doubled from 2019 Q1 to 2020 Q1 (Leyden, 2020).

The principle behind a Distributed Denial-of-Service (DDoS) attack is to render the victim unavailable for its intended users by disrupting the services provisionally or perpetually. The DDoS attacks achieve efficacy by taking advantage of multiple affected computer systems as source of attack traffic, ranging from a dozen to a 100,000. One commonly used approach for executing a DDoS attack is to exhaust all the resources of a network or web server by sending exorbitant volumes of data packets at an excessive rate, leaving the server inoperable. The attacker generates several requests via multiple attack sources and the victim drains all its network resources like CPU capacity, memory space, etc. in fulfilling those requests, disallowing access to legitimate clients. Another common approach for DDoS attack is to generate deformed packets to baffle an application or a protocol, rendering the victim machine frozen.

2.2.4 Botnets

One common way to execute DDoS attacks is by taking advantage of many compromised machines called bots or zombies. These bots are connected to one another through the Internet, forming a group called a botnet. Every botnet has a Botmaster that communicates with all the bots, commanding them through a C&C server (Li et al., 2009) to carry out malicious activities. Figure 1 illustrates a DDoS attack carried out by an attacker that utilize a botnet. These bots take orders from the botmaster and perform specific tasks, may be repeatedly, to destroy the target network, system or web server.

Figure 1.

Botnet Employed DDoS Attack

2.2.4.1 Botnet Communications

The botnet communications are carried out by a Command and Control (C&C) server. The C&C server is a computer that is controlled by the attacker to send commands to zombie systems to carry out an attack. Several types of C&C mechanisms are proposed in the existing literature (Eslahi et al., 2012; Hoque et al., 2015; Khattak et al., 2013) and the C&C architectures used for communication are either centralized or decentralized:

• •

  Centralized C&C servers: In this approach, the botmaster is connected to the C&C server to command the bots and the bots are also connected to the server to receive commands and updates. The centralized C&C servers are simple to manage on account of their single point of failure, making the response fast.

• •

  IRC botnet (Zargar et al., 2013): The IRC (Internet Relay Chat) is a text-based chat system that allows computer users to communicate with multiple participants in a so-called conversation channel. In a botnet, the bots connect to a specific channel in the IRC server and wait for instructions. The IRC networks are relatively easy to construct. They use simple, low bandwidth communication methods, making them widely used to host botnets. Also, they are able to continually switch channels to avoid being taken down, making them an ideal choice for coordinating DDoS attacks and spam campaigns (Eslahi et al. 2012). When an IRC bot connects to a specific channel, it stays in the connected state, also known as the PUSH approach (Gu et al., 2008a).

• •

  HTTP botnet (Zargar et al., 2013): HTTP botnets use HTTP protocol for C&C communication and to control the bots (Koo et al., 2011). HTTP botnet C&C server works just like a normal web server and the bot works just like a normal web client. In a web-based botnet, bots connect to a specific URL or IP address described by the botmaster that plays the role of the C&C server (Hsu et al., 2017). Instead of the PUSH approach employed by the IRC botnet, the bots in the HTTP based botnet make use of a PULL approach. The bots need not stay in the connected state after connecting to the C&C server for the first time. Instead, the commands are posted on the specific web server and the bots regularly update themselves by visiting those web servers to get new commands at regular intervals, predefined by the botmaster (Eslahi et al. 2012; Gu et al., 2008b).

• •

  Decentralized C&C servers: In this decentralized approach, the C&C botnet architecture is based on the peer-to-peer (P2P) communication protocol. A P2P botnet offers high flexibility to the network because every P2P node act as a bot as well as the C&C server. The P2P botnet is relatively complex to manage as there is no central server to propagate the commands defined by the botmaster. Each bot spreads the commands to its neighboring nodes until all the nodes receive the commands issued by the botmaster (Eslahi et al. 2012). There is no single specific channel or port for the bots to connect and thus P2P botnets are more difficult to detect, making them highly resistant to termination. The PULL approach renders a special advantage that even though some botnets are detected and taken down, the communication among the botmaster and other P2P nodes could continue (Su et al., 2018).

2.2.4.2 Botnet Functions

The basic functions that a botnet usually perform are infection and propagation, command and control and attack eventually. Apart from phishing emails and ‘water-holing’ techniques used in the early days of the Internet, a new infection and propagation method is being employed these days. It utilizes the steganographic techniques, which ‘embed’ the botnet code into a picture or a PDF document attached to an email that often mimics a colleague or friend. A new and unique form of botnets coming into play today are the Fast Flux Networks (FFNs) which promise high flexibility and availability (Al-Nawasrah et al., 2020). It keeps on changing the IP addresses of the domain names in order to avoid detection and prospective shutdown by intrusion detection systems. As noted above, the purpose of the botnet command and control is to enable the communication between the bots and botmaster. The fourth and supreme function of botnet is to attack. There are many potential malicious botnets, like BuleHero and Mirai, which perform various activities that include DDoS attacks, unsolicited spamming, stealing personal and financial information, click fraud and adware (Eslahi et al. 2012).

These are the attacks that exploit weaknesses in the application layer by opening connections and initiating new processes. These processes involve transaction requests that consume server resources like disk space and memory; subsequently, leaving the server unavailable to process the legitimate user requests. The application layer attacks (Dantas Silva et al., 2020; Yu et al., 2007) cause more damage however using very small bandwidth. Nevertheless, they are harder to detect since they are indistinguishable from legitimate traffic and cause similar impact to the services.

The VoIP Flooding (Riorey, 2012; Zargar et al., 2013) or SIP Flooding (Peng et al., 2007) attack is slightly different from application specific UDP packet flooding. The VoIP flood is carried out by attacking the victim server by heavily populating fake VoIP requests through an SIP (Session Initiation Protocol) connection from a wide range of IP addresses. Generally, the victim does not possess enough resources to process these valid as well as invalid requests together that results in server overloading. It is difficult to differentiate an attack from legitimate traffic due to the use of connection-less UDP protocol for transporting the packets. If the flood is launched from a botnet using non-spoofed IP addresses, the traffic appears to be originated from the legitimate VoIP servers. The SIP proxy servers and the call receivers are victims in this attack.

Figure 2.

Taxonomy of DDoS Attack

The HTTP GET/POST Flooding (Zargar et al., 2013) (a.k.a. Excessive VERB (Riorey, 2012)) attack damages the victim web server by continuously swamping it with valid HTTP GET/POST requests. Here, instead of IP spoofing, the attacker evades suspicion by utilizing a botnet with valid IP addresses to carry out the attack. Since the bots use their non-spoofed IP addresses, the defense mechanisms find these HTTP requests legitimate and do not flag them. A single bot can send a large number of HTTP GET/POST requests to execute an attack and hence the attacker can use significantly fewer number of bots to achieve a large-scale attack. Consequently, the target server can be completely crippled by a handful of bots in case of an HTTP DDoS attack.

The Single-session HTTP GET/POST Flooding (Zargar et al., 2013) or Excessive VERB Single Session (Riorey, 2012) attack is a request flooding attack that exploits a loophole in HTTP 1.1. It sends multiple requests, using a single HTTP session, which culminates in DDoS flooding attack. It allows attackers to generate plenty of requests using few sessions only. In other words, the attackers can evade the bound imposed by DDoS defense mechanisms on maximum sessions that a single user can initiate. The Single Session HTTP Flood aims the server’s assets to compromise the performance or targets complete system breakdown.

The Multiple HTTP GET/POST Flooding (Zargar et al., 2013) or Multiple VERB Single Request (Riorey, 2012) attacks were devised with workarounds to sidestep the defense mechanisms that block many incoming packets. Similar to Single Session HTTP flooding attack, this transformation of HTTP flood also exploits a loophole in the HTTP technology. The loophole enables a single HTTP session to make multiple HTTP requests by concealing them within a single HTTP packet instead of issuing them one after the other during an HTTP session. This trick allows an attack to stay invisible to net flow anomaly detection systems and to consume the server’s resources by keeping packet rates within permitted bounds.

The Protocol-based attacks or the state-exhaustion attacks are designed to exhaust the processing capacity of network resources as well as of intermediate communication equipment, like server and firewall, by targeting Layer 3 and Layer 4, with malicious connection requests.

The volumetric attacks are a classic type of DDoS that employ some amplification method, like requests from a botnet, to generate massive volume of traffic that saturate the bandwidth and paralyze the targeted site (Dantas Silva et al., 2020). One way to achieve the goals is by utilizing a botnet and multiple third-party machines that unwittingly participate in a DDoS attack on the target. The bots are instructed by the attacker to send spoofed traffic with victim’s IP address as the source to the third parties. The high volume of response generated by the third parties is then sent to the victim, constituting a Distributed Reflector Denial-of-Service (DRDoS) attack. The DRDoS attacks are asymmetric in nature because the response is much larger in volume than the original request sent.

In this type of DDoS attack, partially formed packets are generated and sent over the network as slow as possible in order to defy the session time out. The victim waits for the remainder of a packet for long periods and eventually becomes unavailable for legitimate users once the number of concurrent connections is maximized. These attacks are hard to detect as the common defense mechanisms rely on high packet rate and thus fail to identify the partially formed packets and let them through.

In the previous section, we have seen how DDoS attacks are perpetrated in traditional networked environments. The attacker first scans for potential remote machines with open ports to exploit. Once such vulnerable machines are located, the attacker infects them using an attack code and exploits them in order to create a botnet without the knowledge of their owners. The botnet is then utilized to perform DDoS attacks on the intended target. The target is flooded with myriads of requests either by a handful of machines or a single machine with spoofed IP address or by a bot army with non-spoofed valid IP addresses. The spoofing makes attack source identification near to impossible preventing the anonymity of the attacker. These requests overwhelm the target by consuming all its resources since the target puts its assets namely CPU computing time, network bandwidth, stack memory etc. in handling these requests. As the attack power escalates, the target pools additional resources trying to compute these requests and when the attack power is peaked, the target gets exhausted. This causes the target to crash and reboot, which blocks it from serving legitimate clients and falling prey to a successful DDoS attack.

The cloud computing has emerged as one of the most prominent technologies due to the on-demand availability of resources like storage and computing power. In addition to being cost-efficient, it provides multiple benefits to its users like flexibility, disaster recovery, increased collaboration etc. According to a study by the International Data Group (IDG, 2020), 81% of businesses are already using cloud technology in one capacity or another. With more and more data shifted over cloud, the cloud security is a new concern for the users. The DoS and DDoS attacks are the dominant barriers that impacts the availability of cloud.

Figure 3.

EDoS Attack Scenario

The on-demand and self-service are the characteristics of cloud technology that assist attackers to create a powerful botnet almost instantly by infecting a large number of devices in short time (Yan & Yu, 2015). Another reason behind increased DDoS attacks in cloud is the virtualization technology that lets attackers create multiple virtual machines using little disk space and thus launch more attacks at low cost. Due to the multi-tenant infrastructure of the cloud, the attack against a single cloud user result in the attack against all users of that cloud. In addition, a new breed of DDoS attacks, called the Economic Denial-of-Sustainability (EDoS) (Shawahna et al., 2018; Xiao & Xiao, 2012) are becoming prominent because the pay-per-use policy of cloud eliminates the key requirement for DDoS attacks i.e., resource bottleneck. The EDoS attack exploits the cloud elasticity and auto-scaling features to charge a cloud adopter bill an excessive cost resulting in large-scale service withdrawal or bankruptcy. Figure 3 illustrates the state of the cloud before and after an EDoS attack where attacker blocks the cloud resources using a botnet. In such case, the cloud continuously allocates additional resources as required and consequently, an exorbitant amount of bill is charged to the user.

Unlike the traditional centralized client-server network models, a peer-to-peer (P2P) network contains multiple connected computers with no central control to pass the data through. Figure 4 demonstrates the basic architectural difference in a server-based and a P2P network. All users that join the network are peers and hence allowed to receive and send files to other machines in the network. All the peers share resources like storage, computational power, and bandwidth. Thus, P2P file sharing can be exploited to spread malware and gather personal and financial information. Since each node also acts as router, the malware spreads faster aiding severe DDoS attacks in a P2P network (Naoumov & Ross, 2006; Yue et al., 2009). A study demonstrating the impact of a DDoS attack on a P2P network by simulating the same using Gia network is available in (Qwasmi et al., 2011).

Figure 4.

Server-based Network and Peer-to-Peer Network architecture

A query flood can be initiated in a P2P network by a malicious peer by broadcasting massive queries in the network, eventually paralyzing the network. A P2P network could also be used as an agent to carry out DDoS attack on the intended target. The peers can overwhelm the target by issuing huge query requests to exhaust the target’s resources like CPU processing, bandwidth, etc. Another way to execute DDoS attack in a decentralized network is by injecting junk data, which increases query time and turns over invalid results. This could be achieved either by index poisoning, where the attacker inserts fake records of target IP address and port number, or by route table poisoning, where the attacker tricks the peers into adding false neighbors in the route table (Qi, 2009).

The blockchain technology records information in a manner that makes it impossible to alter, hack, or evade the system. A blockchain can be visualized as a digital ledger of transactions that is duplicated and dispersed across the entire network of the blockchain. Within each block of the chain, there are multiple transactions. Whenever a new transaction takes place on the blockchain, every participant’s ledger appends a record of that transaction with a fixed cryptographic signature called a hash. This eliminates the chances of tampering with any of the blocks in a chain. In order to corrupt a blockchain, every block in the chain has to be changed, across all the distributed versions of the chain.

Prima facie blockchain appears unshakable however it is susceptible to several Internet attacks, like Sybil attack, 51% attack, Phishing attack, BGP Routing attack, and DDoS attacks (Wen et al., 2021). Various papers in the past have demonstrated many different ways to execute DDoS attacks in a blockchain environment (Saad et al., 2018; Wang & Li, 2019). Mirkin et al. (2020) explained a new form of DDoS attack called Blockchain Denial-of-Service (BDoS) that could seize the functioning of a blockchain with remarkably little resources. The attackers exploit the incentive mechanism of the system by utilizing their resources in discouraging the rational miners to stop mining. The attacker only publishes the header of a generated block, implying a decrease in the expected profitability of the rational miner. This causes the miner to stop mining and if a significant profitability decrease is achieved, all the miners stop mining. At this point, the attacker can also stop mining with an advantage of one block originally generated. It causes the blockchain to halt eventually.

Another type of DDoS attack is presented by Wu et al. (2020) that targets the mining pools. The mining pools are a collection of miners that come together and pool their respective mining powers to successfully mine a block and earn steady rewards. These miners are unable to find a block individually owing to their limited resources. The miners in a mining pool share the earned reward proportional to their respective mining power. Saad et al. (2019) discussed another form of DDoS attack on the memory pool where an attacker can consume entire memory by issuing invalid transactions and preventing further mining. Higher the size of mempool, higher is the mining fee paid by the user. By flooding the mempool with invalidated transactions, the attacker tricks the user into paying more.

The Internet of Things (IoT) is a revolutionary technology that connects a device with an ON/OFF switch to billions of other such devices and to the Internet. It is an enormous network of wide array of devices, ranging from smart vehicles that can detect objects in their way to healthcare devices that include highly popular fitness trackers counting heart rate. The sensors embedded in these devices continuously collect and share data among themselves and the cloud for further computations. This gigantic network is getting bigger by the day, merging digital and physical universes, with more and more devices connecting to it. According to a study by Juniper Research (Juniper, 2020), an increase of 130% in the number of IoT connections is expected over the next three years, rising from 35 billion in 2020 to 83 billion in 2024.

Figure 5.

IoT Network acting as a botnet for a DDoS attack

The data collected by sensors may be extremely sensitive in some cases, making security a prime concern in IoT networks. A wide range of attacks on IoT devices, including DDoS attacks, have been discussed by Munshi et al. (2020). The botnets, like Mirai (Kolias et al., 2017), pose a serious threat of DDoS attacks to IoT networks. Recently, the A10 networks have tracked down approximately 12.5 million unique source addresses of exploited hosts in their DDoS threat report (A10, 2020). Apart from DDoS attacks on itself, IoT network can also be utilized by an attacker to infect other devices. An attacker can infect single IoT device with minimal effort owing to the modicum security standards, turning it into a zombie. Subsequently, attacker can utilize the zombie to infect the entire cloud, to which the zombie IoT device sends the recorded data. Consequently, all the unsecured connected IoT devices are affected. Therefore, turning IoT network into a powerful and well-connected botnet that can carry out DDoS attack of high magnitude. Figure 5 illustrates an IoT network being utilized by an attacker to execute a DDoS attack against a target. In such cases, the attacker's goal is not to interfere with a user’s daily tasks, but to harness hundreds and thousands of devices creating a robust zombie army that is capable of bringing an otherwise secure corporate network to its knees in a matter of seconds.

The rapid increase in number of consumers and their growing requirement for modern networks have advocated the development Software-defined Networking (SDN) in the past decade. The SDN architecture has addressed various drawbacks of traditional networks, like manual configuration, less agility, and complex infrastructure, by centralized software monitoring, flexible operational procedures, infrastructure abstraction, etc. This increases the efficiency and consequently the performance of entire network. The SDN provides these advantages by decoupling the data plane from the control plane and a standardized OpenFlow protocol is implemented on interface between the layers.

The inherent architecture of SDN provides it with the capability to detect and mitigate DDoS attacks effectively in a cloud-based network, but this basic structure also renders SDN vulnerable to DDoS attacks on itself. The separation of data plane and control presents attackers with new attack planes (Dong et al., 2019). Figure 6 illustrates a DDoS attack scenario on an SDN architecture. In one such attack scenario, the attacker floods the SDN network with fake requests. The SDN switches hand over these requests, containing no valid return address or packet source IP, to the controller for computation. These requests overwhelm the controller and renders the network frozen. The controller waits for return address keeping the connection active for long time which consequently leaving the network unreachable for legitimate users. The aim of attacker in such attack cases is not to gather any confidential information but to deplete the resources of controller by wasting time (Parashar et al., 2019).

Figure 6.

DDoS attack on SDN controller

The upcoming 5G network technology is expected to meet various critical requirements like extremely low latency, increased reliability, efficiency, availability, superior performance, and enormous network capacity along with breakneck data rates. As a result, many different fields, like augmented reality (AR), virtual reality (VR), healthcare etc., are awaiting the onset of 5G technology. With the upsurge of 5G technology the Cyber-Physical Systems (CPS) (Humayed et al., 2017), employed across various domains involving critical infrastructures, will depend heavily on cellular networks, exposing to a wide array of Internet attacks (He et al., 2018; Mavoungou et al., 2016).

The DDoS attacks in a cellular network can be particularly destructive since the extent of attack is two folds: First, DDoS attack of a significant scale can excessively infect and influence a network and all its legitimate users. Secondly, CPSs are an intricate integration of digital and physical systems, a DDoS attack in cellular networks can be more disastrous and lasting, depending on the application domain. The attacker can exploit various vulnerabilities, to carry out multiple attacks like silent call (He et al., 2018; Tu et al., 2015), SMS flooding (He et al., 2018; Murynets & Jover, 2013), and signaling (Gupta et al., 2013; He et al., 2018) and DDoS attacks. These attacks utilize a vast botnet, containing plenty of malware/spyware infected mobile devices, which can perpetrate an attack or gather personal/financial information on botmaster's commands.

A smart city (Chen et al., 2020) is a centralized framework primarily composed to tackle growing urbanization challenges. A smart city consists of billions of IoT devices that utilize technology in daily tasks like smart cooking, smart lighting, smart vehicles, traffic management, water treatment and supply, trash management, power grid management, etc. The ultimate goal of developing a smart city is to develop a sustainable and technology-enabled infrastructure. The IoT plays a considerably major role in achieving this goal by enabling communication and data sharing among the devices. The IoT devices collect data using the built-in sensors and store it on the cloud for further usage.

Utilizing IoT to such an enormous extent exposes its vulnerabilities that could easily be utilized to gain control over the network and thus posing serious risk to residents and authorities. Among a multitude of cyber-attacks, DDoS attacks appear to be most threatening. The smart cities are based on a centralized infrastructure, and a high magnitude DDoS attack to the central command of a smart city can wreak havoc and cause catastrophic damage to devices, residents, and eventually to economy. A smart city offers an overabundance of devices, e.g., traffic lights, that when recruited to a botnet, can increase the severity of attack many folds.

The mobile applications are also highly susceptible to a diverse range of cyber-attacks. The DDoS attacks in mobile applications are major cause of concern for two reasons: first, profiling application users is fairly easy for an attacker through their mobile devices and hence many mobile apps like Facebook, LinkedIn, Ola, Airbnb, Uber, etc. are highly vulnerable to such infections. Second, the mobile applications are quite easy to create and relatively less secure and thus plenty of e-commerce and online payment apps, containing sensitive information, are susceptible to such malware. Unfortunately, there is no way to differentiate between a legitimate app and a malicious one. Once such malevolent application is downloaded in the mobile device, the application may open up some vulnerabilities in the device by installing backdoors that can be used to command and control it. Once the device is infected by the attacker, it could be under attack or be used to carry out attack on other devices or networks as a bot. Figure 7 demonstrates the formation of a mobile botnet using a malicious application. As many as half a million infected mobile devices can be utilized in executing an attack on a target, raising the number of requests generated per second to multi-millions. Therefore, the mobile devices are easy targets to infect, control and propagate malware across other mobile devices via malicious mobile applications.

Figure 7.

Botnet formation using mobile applications

In this section, we briefly cover some early DDoS defense approaches that laid the foundation upon which the modern detection and mitigation techniques now stand.

Ingress/Egress packet filtering (Aamir & Zaidi, 2014; Peng et al., 2007; Zargar et al., 2013) is one of the early countermeasures against DDoS attacks, deployed at the edge routers of the networks. The Ingress filtering involves monitoring the packets arriving in the network and the Egress filters examine outbound packets originating within the network. Similarly, the Ingress filtering permits only trusted networks to send traffic inside a network, while the Egress filtering stops the attacks emerging from a compromised device within the network. If the packets are routed using illegitimate address, the Ingress/Egress filters drop them.

Another packet filtering technique is Hop Count Filtering (HCF) (Aamir & Zaidi, 2014; Wang et al., 2007; Zargar et al., 2013). In HCF, incoming packets are scanned for their Time-To-Live (TTL) field in the IP header and an IP-to-Hop-Count (IP2HC) mapping table is maintained by the victim router, that contains the information about the hop counts for multiple IP addresses. The TTL value of a packet gets decremented by 1 as it traverses through each router, and the victim router is only able to see the final TTL value. The router reads from each incoming packet the final TTL value along with the source IP address. An initial TTL value is predicted, and the difference between the initial and final TTL value provides the final hop count. If the final hop count matches the hop count value corresponding to the source IP address in the IP2HC table, the packet is validated, else the packet is dropped.

The IP Traceback is also a well-known approach that has been widely used to determine the actual address of the attacker. Several papers have proposed different mechanisms for IP traceback (Aamir & Zaidi, 2014; Peng et al., 2007; Zargar et al., 2013). Chae et al. (2007) put forward a structure of agent systems, containing IDS which detects a malicious packet and alerts the server system about the attack by embedding the packet in an ICMP Traceback (iTrace) message. Xiang & Zhou (2005) proposed a packet marking mechanism that tags the incoming packets with a mark that contains the source IP address at edge ingress routers and thus eliminating the possibility of mark-spoofing. The mechanism also allocates a segment number to each mark that help in reconstructing the source IP address of the packet.

As explained in Section 4.2, the DDoS attacks in a cloud-based environment could end up having some disastrous consequences. Thus, many proposals exist to handle it. Table 3 presents a comparison of multiple DDoS defense approaches in cloud computing along with their strengths and weaknesses. Joshi et al. (2012) proposed a Cloud Trace Back (CTB) model for attack detection, along with a trained back propagation Neural Network (NN), called Cloud Protector defense system, for attack mitigation. Being located before the Web Server, any service request passed on to the server initially passes through the CTB, positioned at the edge routers, where it is marked with a Cloud Trace Back Mark (CTM) tag and then sent to the actual server. In case of an attack, a reconstructed CTM tag can pinpoint the attack source and the Cloud Protector detects and filters out any malicious packet from that address. The results show a reasonable detection rate based on training and test data sets.

Agrawal and Tapaswi (2017) have presented a lightweight approach in order to detect and filter out spoofed DDoS attack packets. The approach is based on two major assumptions: first, the firewall present at the entry point of the cluster is already configured to detect and filter out the previously blacklisted IP addresses and therefore only the traffic from legitimate and spoofed IP addresses is passed on to the detection system. Second, the behavior of attack traffic differs from that of normal packets in terms of flow count i.e., the number of packets. Based on above two assumptions, filtered traffic is captured by Wireshark and the corresponding packet count is utilized in detecting and mitigating the attack.

Zhao et al. (2009) proposed a novel approach utilizing a Virtual Machine Monitor (VMM) containing a detector, tagger, and a duplicator program. In an attack scenario, as and when the number of available resources reach below threshold, the VMM detects an attack and duplicates the operating system as well as the tagged applications to an isolated environment and hence it successfully breaks out of a DDoS attack without crashing down. One major limitation of this approach is the resource wastage when no attack is present. The isolated environment is created however remains idle until an attack is detected.

A solution to the shortcomings of the cloud technology is addressed by Edge Computing. It is a distributed architecture that pushes some amount of memory and processing power to the edge of the network, close to the source of data, instead of a cloud-based environment. Edge computing boosts real-time results by minimizing latency and bandwidth consumption since the data has to be sent to the edge of the network, instead of all the way to the cloud. He et al. (2021) proposed a game-theoretical approach to mitigate DDoS attacks in the edge servers by finding sub-optimal solutions to large-scale DDoS mitigation problems, called Edge DDoS Mitigation Game (EDMGame). EDMGame simulates each request generated by the users in an edge network, as individual players, allocating specific edge servers for computation by finding a mitigation strategy that contains one allocation decision for each request and maximizing the benefit. EDMGame uses an algorithm that, on completing, results in a final mitigation strategy constituting all individual allocation decisions made in parallel.

Software-Defined Networking (SDN) is an emerging paradigm that attempts to centralize the currently decentralized system as a means to upgrade network performance. SDN utilizes software applications to program the network with the aim to control the network intelligently, thus making network troubleshooting easier. Several researchers have moved towards employing SDN for DDoS attack mitigation. Table 4 presents a comparison of multiple DDoS defense approaches in SDN-based environment along with their strengths and weaknesses. SDN and DDoS attacks have a contrary interconnection with each other. While separating the data plane from control plane increase the chances of DDoS detection, it also introduces new attack dynamics with SDN being prone to DDoS attacks as well.

Hong et al. (2017) came up with a Slow HTTP DDoS Defense Application (SHDA) that utilizes SDN controllers to subdue a Slowloris or Slow HTTP POST attack. It starts a timer as soon as the first partial packet arrives after a threshold number of concurrent connections are established with the server. In case the timer expires before completing the request, SHDA blocks the packets and terminates the connection, notifying the server about the source IP address. One limitation of SHDA is the false alarms generated in case of slow users that complete the requests after the timer expires, misidentifying them as attackers.

Thomas & James (2017) have presented another approach for detecting DDoS attacks utilizing a third-party traffic monitoring application in SDN, called Iftop. Iftop analyzes the traffic for a specific period of time in order to observe the bandwidth and source addresses of incoming packets. After the evaluation, if the DDoS attack conditions, based on the throughput of the client, are met, the traffic is classified as malicious and sent to the SDN controller for a detailed analysis to reduce false alarms. The attack packets are dropped and the source address is blocked by the firewall to prevent any further transactions.

Sambandam et al. (2018) brought forward an entropy-based detection of DDoS attack in an IoT network using Raspberry Pi. Entropy defines the randomness of traffic in a network. In case of a DDoS attack, entropy drops significantly since majority traffic arrives from a handful of attack sources. Sambandam et al. (2018) monitored the entropy level of the network with every incoming packet and during an attack, a substantial increase in packet rate drops the entropy below threshold value, notifying the occurrence of a possible DDoS attack.

Another method to detect DDoS attacks based on incoming traffic behavior is presented by Abdulkarem & Dawod (2020) utilizing an SDN application developed with a Python script. The proposed solution utilizes Open vSwitches in an SDN architecture to detect abnormal traffic behavior at the earliest possible stage. SDN controller extracts IP address of the biggest data source, sending huge volumes of data to the server. The switches implement a packet filtering rule in order to drop the malicious packets and let the normal traffic smoothly reach the server.

Bhushan & Gupta (2018) proposed a mechanism based on probability distribution of flow rule hit count in the absence of DDoS attack and maintaining a flow lookup table for packet forwarding. This is achieved using a counter field in the flow entry which gets incremented as the packet traverses through the network. The count of DDoS attack packets is usually higher than normal traffic. Probability distribution of incoming traffic flow rate is calculated when it surpasses the threshold and compared with the probability distribution calculated with no attack. A difference between the values, higher than a specific threshold value, is considered as a notification of potential DDoS attacks and mitigation scheme is activated, dropping all requests arriving from the attacker.

Machine Learning is coming across as one of the major approaches to overcome DDoS attacks in recent years. Several literatures propose DDoS detection mechanisms based on machine learning approaches like Naïve Bayes, K-Nearest Neighbors (KNN), Random Forest, Decision Tree, Fuzzy Logic, etc. Table 5 presents a comparison of multiple DDoS defense approaches that utilize machine learning algorithms along with their strengths and weaknesses. Dong & Sarem (2019) proposed a DDoS Detection Algorithm based on Machine Learning (DDAML) that makes use of an improved K-Nearest Neighbors algorithm to identify the malicious data packets in an SDN environment. Another research by Fouladi et al. (2016) proposes a monitoring system based on packet sampling mechanism. It creates two metrics based on Distant Fourier Transform (DFT) and Distant Wavelet Transform (DWT) and a Naïve Bayes classifier uses them as features to identify an attack.

Vishwakarma & Jain (2019) presented a machine learning centric approach to detect botnet-based DDoS attacks in an IoT environment. The proposed system utilizes IoT honeypot devices to fascinate the attackers into targeting the vulnerabilities and generate a log file of all the extracted information about the attack, like the type of malware, type of application or protocol it targets, C&C server, port number, etc. Based on the log file, a real-time implementable machine learning model is trained and accurately classifies the malware families based on its features. The only drawback to this approach is the implementation cost incurred. The classifier has to be implemented on each IoT device of the network separately.

Lin et al. (2015) proposed an Intrusion Detection System (IDS) based on a novel approach, called Cluster Center and Nearest Neighbors (CANN), by combining two well-known machine learning algorithms. In CANN, two distances for each data point from training and testing data sets are calculated. One, from data point to the cluster center and the other, from data point to the nearest neighbors in the same cluster. The aggregate value of these two distances results in a new feature value for training and test set which is utilized by the IDS for DDoS detection.

Sudar et al. (2021) presented a DDoS detection method utilizing machine learning algorithms along with SDN-based architecture. The proposed method employed highly accurate and significantly less complex machine learning algorithms, called Decision Tree (DT) and Support Vector Machine (SVM) for the classification of incoming data traffic into normal or attack. After the model training and feature extraction phases, SVM and DT classify the dataset as malicious if the flag value comes out to be 1. In such cases, the Open vSwitches notify the SDN controller to update the flow table and drop the attack traffic.

Jia et al. (2017) put forward an innovative detection mechanism by combining various component classifiers based on Singular Value Decomposition (SVD) and Rotation Forest Method (RFM). It involves a voting system that outputs the final classification mechanism for attack detection. Alsirhani et al. (2019) utilized a similar approach by employing a Fuzzy Logic system to yield a dynamic classification algorithm which is used to detect DDoS attack traffic from normal traffic. Only a single classification algorithm, out of Naïve Bayes, Entropy-based Decision Tree, Gini Decision Tree, and Random Forest algorithm, is used at any specific time for classification of incoming data traffic.

Recently, the deep learning has emerged as a popular class of machine learning though it was first proposed way back in 2009 by Hinton (2009). Table 6 outlines a comparison of various DDoS defense mechanisms that rely on deep learning approaches along with their relative strengths and weaknesses. The deep learning can be considered as a powerful extension of the conventional machine learning approaches that utilizes Artificial Neural Networks (ANN) to imitate the working of human brain. The major benefits of Deep Learning, which have made it a preferable research option over the traditional machine learning models, are the maximal utilization of unstructured data, improved quality results, and the elimination of feature engineering as well as data labelling.

Li et al. (2018) came up with a DDoS defense architecture centered on Deep Learning that utilizes Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), and Convolutional Neural Network (CNN) in SDN-based environment. In this approach, after constructing a feature matrix of all the features extracted from data packets of OpenFlow switch, a detector module determines whether the data packets are malicious in nature or not. If so, a statistics module examines the frequency of all features and establishes a weight, according to which a flow entry is recorded in the flow table. The OpenFlow switch deals with the attack packets as specified in the table.

Yuan et al. (2017) used another Deep Learning defense approach, called DeepDefense, that creates a DDoS detection system using RNN and CNN. The detection system utilizes the historical information of data packets to determine their legitimacy. For detecting and locating the repeated patterns in the incoming data that represents a DDoS attack, this historical information is fed to the RNN and attack is detected.

Roopak et al. (2019) came forward with an approach to detect cyber-attacks in IoT networks using four different Deep Learning classification models: Multi-Layer Perceptron (MLP) model, CNN model, Long-Short Term Memory (LSTM), and CNN+LSTM hybrid model. These approaches are highly resource-intensive and unpractical to be deployed into real world.

Doriguzzi-Corin et al. (2020) proposed LUCID, a lightweight Deep Learning technique that utilizes CNN to differentiate malicious traffic from safe traffic. After usual computation of CNN like preprocessing, feature extraction, padding, and normalization, the output of CNN is passed through a sigmoidal function, constraining the final output to 0 and 1. The data flow is considered safe if output is below 0.5.

Another Deep Learning approach by Hussain et al. (2020) employs CNN for early detection of DDoS attacks in a 5G cellular network. The model assembles already-available call detail record (CDR) data containing three activity values: outgoing calls, outgoing SMS and Internet usage, associated with every cell in the network. The CNN detects the legitimacy of new incoming traffic based on training process over past CDR data.

Big data analysis refers to the comprehensive analysis of large amounts of data to identify recurring patterns and interconnections. Big Data Analysis takes faster and better decisions and a considerably low cost for storing large volumes of data, making it a quite advantageous approach for DDoS detection. Several novel Big Data centered approaches have been proposed by researchers in past few years. Table 7 presents a comparison of multiple DDoS defense mechanisms that utilize approaches based on big data analytics, along with their strengths and weaknesses.

Hameed & Ali (2016) have proposed a Hadoop based approach for DDoS flooding attack detection, called HADEC, by applying Hadoop Distributed File System (HDFS) and MapReduce. HADEC consists of a capturing server and a detection server. After the capturing server captures live traffic based on the parameters configured by the admin, the results are stored in a log file which is sent to the detection server. The detection server saves the file in HDFS and applies MapReduce based detection algorithm before notifying the administrator about the results.

Mizukoshi & Munetomo (2015) came up with a Hadoop based clustering approach utilizing Genetic Algorithm (GA) and entropy-based DDoS detection. In this approach, the incoming network traffic is captured and examined by two different modules. The module containing Genetic Algorithm develops a packet profile by detecting the features of incoming packets and stores the profile in the DDoS filtering rule base module. The entropy-base module detects DDoS attack by analyzing the frequencies of packet source IP addresses. In case of an attack, the DDoS filtering rule base module is notified, which detects attack packet features and filters out packets arriving from malicious clients, thus blocking a DDoS attack.

Xu et al. (2019) proposed a detection method for DRDoS using Deep Forest model in a Big Data environment. The model utilizes statistical information of DRDoS attack flow. Based on this information, a Host based DRDoS Threat Index (HDTI) is created. Using the HDTI, each IP address in the network flow is classified into one of the four categories: normal, upstream, downstream, or mixed upstream and downstream (MUD). The data packets coming from normal IP addresses are allowed to pass. All the service requests coming from upstream identified IP addresses and all the service responses sending to the downstream identified IP address are filtered out. If the IP address is recognized as MUD, all the request and response packets for that IP are filtered.

Cheng et al. (2018) proposed a prediction approach where the model is trained based on normal and attack traffic extracted from the network. Based on the training, a network flow abnormal index value is created to detect the attack flow in the network. For a certain time, interval, a feature value, called the PDRA, is calculated based on some parameters that includes number of new users, average accessing rate of each new user, number of old users, etc. The PDRA is passed on to the classifier which classifies the traffic into one of the three categories: normal, hotspot event, or DDoS attack.

The blockchain has grabbed the attention of both, attackers and researchers owing to its decentralized infrastructure and consensus-based mechanism. A flurry of papers has been published highlighting new form of potential attacks in a blockchain-based environment. The growing concern due to these evolved attacks has inspired several researchers to come up with effective countermeasures in order to mitigate the attack and prevent the blockchain from crash (Wen et al., 2021). Table 8 presents a comparison of various DDoS defense mechanisms that successfully prevent, detect, and mitigate the potential attack scenarios in blockchains, along with their strengths and weaknesses.

Wu et al. (2020) addressed the dynamic nature of mining pools and proposed a novel approach based on Game-Theory to mitigate a mining pool DDoS attack. Mining pools refers to a consortium of miners that are unable to find a block individually, pooling their individual limited amount of mining powers and distributing the reward proportionally. To detect an attack, Wu et al. (2020) proposed a game-model defined by a random probability distribution. A Nash learning algorithm is used to define the competition among multiple mining pools as random game.

Saad et al. (2018) came up with a fee-based solution to detect and prevent the mempool flooding DDoS attacks. In the fee-based system, a minimum relay fee is charged to every incoming transaction at the memory pool, until a threshold mempool size is reached. Post that threshold, a minimum mining fee is imposed alongside the relay fee to be accepted in the mempool queue. Charging these fees guarantees the elimination of invalidated transactions that are generated just to fill the mempool. Further steps can also be taken to prevent the attacks, like increasing the minimum fee and prioritizing the mempool queue according to the paid fee.

Another solution presented by Saad et al. (2019), is an age-based solution that prevents the flooding of mempool. The proposed solution is based on the assumption that the attacker has paid both the mining and relay fees to get the malicious transaction accepted. Instead of accepting transactions in the mempool first and then discarding it after miners eventually rejects them, a minimum age criterion is applied for getting accepted into the mempool. The average age of all new transactions is calculated with the help of all their parent transactions. Without having a minimum number of confirmations or “minimum age limit”, no transaction is accepted in the mempool. The only way of getting accepted in the mempool requires the attacker to get the transactions verified and wait for them to acquire sufficient confirmations.

Mirkin et al. (2020) demonstrated some countermeasures for mitigating BDoS attacks. Except Bitcoin, BDoS attacks in other contemporary blockchains, like Ethereum, can be prevented using Uncle Block mechanism which rewards the miners regardless of whether they are the first ones to mine it. This eliminates the reduction in profitability, a key element for BDoS attacks, that discourages the rational miners from mining. Another means to thwart BDoS attacks is by defining a time interval between reception of the block header and the reception of the actual block. Note that in case of an attack, only the block header is provided. If the actual block is not presented before the timeout expires, the header is not considered as a potential block.

Abou El Houda et al. (2019) proposed Cochain-SC, utilizing SDN and Ethereum smart contracts, which involves detection and mitigation of DDoS attacks on both, inter-domain and intra-domain levels. Cochain-SC involves strong inter-domain collaboration between multiple domains using smart contracts which contains different collaborators and an intra-domain model containing an entropy-based scheme for detecting the attack, a Naïve Bayes-based scheme for classifying the detected traffic as malign or benign and a mitigation scheme for dropping the illegitimate traffic. Once the attack is mitigated, the list of malicious IP addresses is updated and shared with all the collaborators in the smart contract.