An overview and classification of ddos attacks
1 / 21

An Overview and Classification of DDoS Attacks - PowerPoint PPT Presentation

  • Uploaded on

An Overview and Classification of DDoS Attacks. A Taxonomy of DDoS Attack and DDoS Defense Mechanisms Authors- Jelena Mirkovic, University of Delaware Peter Reiher, UCLA Presentation by: Sagar Panchariya Masters Student. Table of Contents. DDoS definition

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'An Overview and Classification of DDoS Attacks' - kalb

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
An overview and classification of ddos attacks

An Overview and Classification of DDoS Attacks

A Taxonomy of DDoS Attack

and DDoS Defense Mechanisms

Authors-Jelena Mirkovic, University of Delaware

Peter Reiher, UCLA

Presentation by: Sagar Panchariya

Masters Student

Table of contents
Table of Contents

  • DDoS definition

  • How to inflict, entities involved, phases of attack, possible motives behind a DDoS attack,

  • What makes DDoS possible?

  • Classification of Attacks.

  • Video

  • Conclusion

  • References

What is a dos and ddos attack
What is a DoS and DDoS attack?

  • In its simplest form, a Denial of Service (DoS) attack is an attack against any system component that attempts to force that system component to limit, or even halt, normal services

  • In its simplest form, a Distributed Denial of Service (DDoS) attack is a DoS attack that occurs from more than one source, and/or from more than one location, at the same time.

How to inflict a ddos attack
How to inflict a DDoS attack

  • Simplest form of attacks is to consistently send a stream of packets to a victim, the stream occupies substantial resources of the legitimate client and rendering it’s services to be unavailable to legitimate clients.

  • Another approach is to send malformed packets to the victim’s machine to confuse the application and force to freeze or reboot.

  • An attack may also subvert the machines in a victim’s network so that the legal client cannot get the service.

Procedure to launch a ddos attack
Procedure to launch a DDoS attack:

  • 1.The recruit phase: It involves scanning of remote machines looking for security holes that will help breaking into.

  • 2. The exploit phase: After the discovery of vulnerable hosts their security loop holes in these machines are exploited to inject malicious code.

  • 3. The inject phase: The insertion of malicious code to control these hosts is the inject phase.

  • 4. The Use Phase: The infected machines are used to infect further machines.

Reasons for a ddos attacks
Reasons for a DDoS attacks:

  • 1. The ulterior motives are personal reasons; a significant number of DDoS attacks are perpetrated against home computers, presumably for purposes of revenge.

  • 2. Prestige, a successful attack on popular Web servers gains the respect of the hacker community.

  • 3. However, some DDoS attacks are performed for material gain (damaging a competitor's resources or blackmailing companies)

  • 4. Political reasons (a country at war could perpetrate attacks against its enemy's critical resources, potentially enlisting a significant portion of the entire country's computing power for this action).

Why ddos are easy
Why DDoS are easy?

  • The end to end service paradigm of the internet

  • Security is left up to end parties.

  • If one of the parties is misbehaving it can cause damage to its peer.

  • Intermediate network makes its hard to detect misbehaving peers and cant stop it.

  • The making of high bandwidth pathways in the intermediate network, while the end networks invested in as much bandwidth as they thought they might need.

  • Thus, malicious clients can misuse the abundant resources of the unwitting intermediate network for delivery of numerous messages to a less provisioned victim.

Need for classification
Need for Classification.

  • Classification can be useful in answering some of these questions:

  • Know different ways to perpetrate a DDoS attacks?

  • Solutions for what kind of attacks are designed and what solutions are still left to be designed?

  • Any novel kinds of DDoS attacks that can take place?

  • A classification gives a common vocabulary to the researchers to discuss and implement solution space for DDoS threats.

  • Understanding these threats, implementing them in a test bed environment, and using them to test defense systems will help researchers keep one step ahead of the attackers.

  • DA1: Manual

    The attacker does the entire phases recruit, exploit, infect and use phase manually. These kinds of attacks were the earliest kinds of DDoS attacks.

  • DA2: Semi-Automatic

     The recruit, exploit and infect phases are automated. In the use phase, the attacker specifies the attack type, onset, duration and the victim via the handler to agents, who send packets to the victim.

  • DA2: CM: Communication Mechanism

    Based on the communication mechanism deployed between agent and handler machines, attacks are further divide Direct and indirect communication.

  • DA2:CM1: Direct Communication

    During attacks with direct communication, the agent and handler machines need to know each other's identity in order to communicate.

  • DA2:CM2: Indirect Communication

    Attacks with indirect communication use some legitimate communication service to synchronize agent actions. Recent attacks have used IRC (Internet chat program) channels.

  • DA3: Automatic

    The start time of the attack, attack type, duration and victim are preprogrammed in the attack code. No need of further communication needed.

  • DA2 and DA3:HSS1: Random Scanning

    During random scanning, each compromised host probes random addresses in the IP address space3, using a different seed. there is a high amount of internetwork traffic. High number of machines are infected.

  • DA2 and DA3:HSS2: Local Subnet Scanning

    Local subnet scanning can be added to any of the previously described techniques to preferentially scan for targets that reside on the same subnet as the compromised host.

  • SAV1: Spoofed Source Address

    This is the prevalent type of attack since it is always to attacker's advantage to spoof the source address, avoid accountability, and possibly create more noise for detection.

  • SAV1: AR: Address Routability

    Based on the address routability we differentiate between routable source address and non-routable source address attacks.

  • SAV1:AR1: Routable Source Address

    Attacks that spoof routable addresses take over the IP address of another machine. This is sometimes done not to avoid accountability, but to perform a reflector attack on the machine whose address was hijacked.

  • SAV1:AR2: NonRoutable Source Address

    Attackers can spoof non-routable source addresses, some of which can belong to a reserved set of addresses (such as or be part of an assigned but not used address space of some network.

  • DA2and DA3:VSS1: Horizontal Scanning

    This is the common type of the scan for worms. Scanning machines are looking for a specific vulnerability, scanning the same destination port on all machines from the list, assembled through host scanning techniques.

  • DA2and DA3:VSS2: Vertical Scanning

    This is the common type of the scan for intrusions and multiple vector worms. Scanning machines probe multiple ports at a single destination, looking for any way to break in.

  • EW1:Semantic

    Semantic attacks exploit a specific feature or implementation bug of some protocol or application installed at the victim in order to consume excess amounts of its resources.

  • EW2:BruteForce

    Brute-force attacks are performed by initiating a vast amount of seemingly legitimate transactions. .

  • SAV1: ST: Spoofing Technique

    Spoofing technique defines how the attacker chooses the spoofed source address in its attack packets.

  • SAV1:ST1: Random Spoofed Source Address

    Many attacks spoof random source addresses in the attack packets, since this can simply be achieved by generating random 32-bit numbers and stamping packets with them.

  • SAV1:ST2: Subnet Spoofed Source Address

    In subnet spoofing, the attacker spoofs a random address from the address space assigned to the agent machine's subnet.

  • SAV1:ST4: Fixed Spoofed Source Address

    Attacker performing a reflector attack or wishing to place a blame for the attack on several specific machines would use fixed spoofing.

  • ARD: Attack Rate Dynamics

  • RD1: Constant Rate

    The majority of known attacks deploy a constant rate mechanism. After the onset is commanded, agent machines generate attack packets at a steady rate, usually as many as their resources permit.

  • RD2: Variable Rate

    Variable rate attacks vary the attack rate of an agent machine to delay or avoid detection and response.

  • RD2: RC: Rate Change Mechanism

    RD2:RC1: Increasing Rate

    Attacks that have a gradually increasing rate lead to a slow exhaustion of the victim's resources.

  • RD2: RC2: Fluctuating Rate

    Attacks that have a fluctuating rate adjust the attack rate based on the victim's behavior or preprogrammed timing, occasionally relieving the effect to avoid detection.

  • IV: Impact on the Victim

    Based on victim type

    IV1: Disruptive

    The goal of disruptive attacks is to completely deny the victim's service to its clients.

  • IV1: RM1: Possibility of Dynamic Recovery

    Depending on the possibility of dynamic recovery during or after the attack, we differentiate between self-recoverable, human-recoverable and non-recoverable attacks.

  • IV1 RM2: Self-Recoverable

    In the case of self-recoverable attacks, the victim recovers without any human intervention, as soon as the influx of attack packets has stopped.

  • IV1:RM3: Human-Recoverable

    A victim of a human-recoverable attack requires human intervention (e.g., rebooting the victim machine or reconfiguring it) for recovery, after the attack is stopped.

  • IV1:RM3: Non-Recoverable

    Non-recoverable attacks inflict permanent damage to victim's hardware. A new piece of hardware must be purchased for recovery.

  • IV: Degrading

    The goal of degrading attacks is to consume some (presumably constant) portion of a victim's resources, seriously degrading service to legitimate customers.


  • Multitude types of DDoS exist and there is no defined classification for them to study them using a hierarchy.

  • An attempt to structure the various forms of DDoS attacks known and some of the novel attacks which could be possible in the future using a classification scheme is made.

  • Future work

    Many new coming forms of DDoS attacks could be added to the classification under a existing level or creating a separate class altogether.


  • Shut Down A Website-Perl (with myspace hacker)



  • J. Mirkovic and P. Reiher, ”A Taxonomy of DDoS Attack and

    DDoS Defense Mechanisms,” ACM SIGCOMM Computer

    Communications Review(CCR), vol. 34, no. 2, April 2004, pp 39-54

  • Denial of Service Attack

  • Network Security: DoS vs DDoS attacks