Detecting, Preventing or Mitigating Distributed Dos (DDOS) Attacks
The Internet continues to be a critical subject due to the increasing attacks based on the major universal communication infrastructures. This study identifies the one detection and two mitigation approaches in developing content to show that DDoS are becoming common in daily business operations.
Rationale for selecting the papers
The first research paper I selected is titled "Mitigating Dos Attacks Using Performance Model-Driven Adaptive Algorithms" by Barna and others. The article is recent and goes in length in elucidating the most invaluable method of mitigating DDoS. I also selected this article because it goes in lengths showing how DDoS affects the operations of an organization warranting the adoption of succinct measures in case of an attack.
I also selected an article by Rahmani, Sahli, and Kamoun, titled "Distributed Denial-Of-Service Attack Detection Scheme-Based Joint-Entropy" as it elucidates clearly the best way of detecting DDoS in an organization's IT systems. Besides showing the threats posed by DDoS, the article confirms that Scheme-Based Joint-Entropy detects the attacks accurately.
The third article by Tripathi, et al. (2013) titled "Hadoop-Based Defense Solution To Handle Distributed Denial Of Service (DDoS)" shows how the MapReduce programming model can be used with other techniques to mitigate DDoS attacks. The article show shows how attackers often evolve and come up with new attack techniques warranting the adopting of diverse mitigation measures.
Background
For purposes of reducing false positive rates, many parameters have been used in providing accurate normal profiles and increasing the computational overheads to mitigate DDoS attacks. Hybrid attack mitigation has optimistic features of the pattern and anomaly-based models. The approaches achieve the scope of low false negatives and positives, high detection accuracy, and increment in cyber conviction levels. Although the hybrid attack mitigation approaches decrease false positive rates, they increase the cost and complexity of implementation. Third party involvement brings on board mechanisms deployed within third-party detection without handling the detection process and relying on external third parties that signal the occurrence of attacks (Carl, Kesidis, Brooks, & Rai, 2006).
Distributed Denial of Service attacks consuming the resources of target machines and the victim's ability to use web services efficiently. Besides, the attacks cause serious problems to Internet societies and users. DoS attacks become distributed and large-scale when attempts are coordinated to exhaust network capabilities by making enormous requests that overload the machine of the victim. The machine becomes incapacitated to provide services to the legitimate user while the network performances are deteriorated.
The change-point detectors treat legitimate flash crowds in terms of DDoS attacks since they may be classified as occurrences of false positives. The peaks report attacks even though they encounter network issues or the Internet Control Message Protocol aspects or legitimate peaks that have shorter durations. The element of the purchase has more of the proposed works and mechanism monitoring that takes into consideration the useful connections. This scope includes the active training and testing periods. The mechanism enables users to have better precision for calculated joint-entropy values and reduce the risks of false positives.
First Detection Strategy
One of the commonly identified attacks includes "Denial of Service." The tool includes highly damageable attacks that degrade network's quality in terms of service as well as other hard-to-predict ways. Detection deliverables of distributed denial-of-service include the scope of information distance detector, change-point detection, wavelet analysis, and activity profiling. The change-point detection method is based on features of specific the DDoS attacks. However, it remains highly accessible to external hackers who mimic the features to fool user's detection approach (Rahmani, Sahli & Kamoun, 2012). The open architecture of the Internet allows hackers to spoof sources of IP addresses due to the attack packets and the real IP addresses and their distribution while acting against source address algorithms for distribution-based detection.
Hackers change logic value of the transistor -- transistor relationship and the attack packets based on the real distances between victims and zombies for purposes of countering hop-count methods of detection. These events become hard to detect in real time through observing traffic. The relationship becomes harder in case observed networks carry larger traffic amounts while drowning the malicious ones. For this reason, the approach of exposing and accurately detecting malicious traffic is a detectable problem.
In flying the radar, attackers may mimic the flash crowds' behaviors for the sudden increment of legitimate traffic. For instance, most fans access official websites while important matches are ongoing. Many people check on the CNN website during the 'breaking news' segment. DDoS...
Otherwise, it is possible to raise false alarms. The bigger challenge includes determining the defense mechanism for purposes of discriminating DDoS flooding attacks among flash events (Rahmani, Sahli & Kamoun, 2012). The implications are rather severe in times that people fail to identify them. Further, attackers mimic traffic features from flash crowds with the aim of disabling the detectors such as the appearance of false negatives (Carl, Kesidis, Brooks, & Rai, 2006).
The Change-Point Detection is diverse. The approach is applicable to many forms of networks including wireless area network, local area network, and high-speed link. The high-speed lines allow for constraints determination where the scope of connections remains a large application of the central limit theorems. The approach remains valid to use low-speed networks using the gamma distribution, unlike central limit theorem. Further, the approach needs more access towards IP headers of all packets while extracting only the timestamp, source, and other destination IP addresses (Rahmani, Sahli & Kamoun, 2012). The scheme confirms validity of the approach within high-speed line networks. Additionally, joint-entropy calculation is skewed based on the size and number of overall connections. The knowledge of the parameters allows for the full definition of volume traffic granularities while concluding that the results remain valid aspects of various forms of variations. Further, the detection scheme does not allow for detection of all attacks completely. The volume-based schemes illustrate the possibilities of false-negative cases occurring in the short-term DDoS attacks that do not impact on the detectable disruption in connection distribution or traffic volume.
The outcomes of the approach show that it is better as compared to other entropy-based approaches. The concept bears more accuracy based on the low-rate and intelligence attacks. The scheme only needs more access to IP headers for each of the packets as well as a practical implementation of real-time high-speed links. Lastly, when traffic connection distribution of the attacks is similar to the legitimate traffic, it becomes impossible to continue detecting attacks (Rahmani, Sahli & Kamoun, 2012). In addition, it remains difficult for the scope of the definition to interpret thresholds that allow them to take into consideration the high-rate and low-rate attacks.
First Mitigation Strategy
This section discusses the Signature-based mitigation approach as a way of addressing the identified problems. DDoS attacks are distributed and coordinated at a large-scale attempt for flooding networks with more packets that are difficult to handle among victim networks. The victim lacks the ability of providing the services to the legitimate users as well as the network performance that undergo great deterioration. The attacks exhaust resources availed to victim's networks including memory, bandwidth, and computing power. The system that suffers from the attack and whose services have faced inadequacies are called on the "primary victims" who were registered on the "secondary victims" and systems that are used in originating such attacks. The secondary victims give the attackers the ability to create powerful DDoS attacks making it difficult to continue tracking the real attackers (Tripathi, Gupta, Mishra, & Veluru, 2013).
For DDoS attacks, the attacking schemes select compromised machines such as those that have loopholes, and the networks of compromised machines are popular as botnet. The botnets have further instructions to execute damaging commands while consuming the resources availed on the victim's systems. The attacks are launched using approaches aimed at sending a malicious packet attached to a virus and worms within running applications called vulnerability attacks (Tripathi, Gupta, Mishra, & Veluru, 2013). The alternative and most common method includes the debilitation of victim's system through exhaustion of resources including input-output bandwidth, CPU, database bandwidth, and memory. The DDoS mitigation mechanism is classified based on the primary criterions. Mitigation timing involves the passive detection as a mitigation approach that which is achieved through the analysis of logs after attackers finish the mission. The detection elements are on time in case attacks are detected in time for the attacks and other proactive detection prior the approaches target the machines or ruin the service (Carl, Kesidis, Brooks, & Rai, 2006).
Mitigation activities present various aspects of detection approaches. Based on the mitigation activity, the categorization allows for signature-based involvement such as prior knowledge for the attack signatures. SNORT mitigation techniques are widely used in developing preventative concepts and implementation policies. Anomaly-based schemes treat the incoming traffic as a violation of normal profiles. For mitigating DDoS attacks, it is important to know the overall normal behaviors for hosts and find deviations from such behavior. The included challenges for the anomaly-…
