
Application Layer Denial-of-Service Attacks and Defense Mechanisms: A Survey

Published: 03 May 2021

Abstract

Application layer Denial-of-Service (DoS) attacks are generated by exploiting vulnerabilities of the protocol implementation or its design. Unlike volumetric DoS attacks, these are stealthy in nature and target a specific application running on the victim. Several attacks have been discovered against popular application layer protocols in recent years. In this article, we provide a structured and comprehensive survey of the existing application layer DoS attacks and defense mechanisms. We classify existing attacks and defense mechanisms into different categories, describe how they work, and compare them based on relevant parameters. We conclude the article with directions for future research.

[169]
Saman Taghavi Zargar, James Joshi, and David Tipper. 2013. A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Communications Surveys & Tutorials 15, 4 (2013), 2046--2069.
[170]
Heng Zhang, Ahmed Taha, Ruben Trapero, Jesus Luna, and Neeraj Suri. 2016. SENTRY: A novel approach for mitigating application layer DDoS threats. In Proceedings of the International Conference on Trust, Security, and Privacy in Computing and Communications (TrustCom’16). 465--472.
[171]
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, and Nikita Somaiya. 2015. Connection-oriented DNS to improve privacy and security. In Proceedings of the IEEE Symposium on Security and Privacy (S&P’15). 171--186.


Published In

ACM Computing Surveys  Volume 54, Issue 4
May 2022
782 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/3464463
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 May 2021
Accepted: 01 January 2021
Revised: 01 December 2020
Received: 01 September 2019
Published in CSUR Volume 54, Issue 4

Author Tags

  1. Protocol-specific and generic DoS attacks
  2. defense mechanisms
  3. distributed DoS attacks

Qualifiers

  • Research-article
  • Research
  • Refereed

Cited By

  • (2025) Detecting interest flooding attacks in NDN: A probability-based event-driven approach. Computers & Security 148 (104124). DOI: 10.1016/j.cose.2024.104124. Online publication date: Jan-2025
  • (2024) The Guardian Node Slow DoS Detection Model for Real-Time Application in IoT Networks. Sensors 24:17 (5581). DOI: 10.3390/s24175581. Online publication date: 28-Aug-2024
  • (2024) Revolutionizing SIEM Security: An Innovative Correlation Engine Design for Multi-Layered Attack Detection. Sensors 24:15 (4901). DOI: 10.3390/s24154901. Online publication date: 28-Jul-2024
  • (2024) Joint Resource Allocation and Intrusion Prevention System Deployment for Edge Computing. IEEE Transactions on Services Computing 17:5 (2502-2515). DOI: 10.1109/TSC.2024.3441313. Online publication date: Sep-2024
  • (2024) Reducing the Impact of DoS Attack on Static and Dynamic SE Using a Deep Learning-Based Model. IEEE Transactions on Industrial Informatics 20:10 (11644-11654). DOI: 10.1109/TII.2024.3409457. Online publication date: Oct-2024
  • (2024) Secure Leader-Follower Consensus for Multi-agent Systems under Asynchronous DoS Attacks via State Estimation Method. 2024 2nd International Conference on Mechatronics, Control and Robotics (ICMCR) (93-97). DOI: 10.1109/ICMCR60777.2024.10482250. Online publication date: 27-Feb-2024
  • (2024) Detection of Distributed Denial of Service in the Application Layer of Iot Using Machine Learning. 2024 2nd International Conference on Artificial Intelligence and Machine Learning Applications Theme: Healthcare and Internet of Things (AIMLA) (1-6). DOI: 10.1109/AIMLA59606.2024.10531377. Online publication date: 15-Mar-2024
  • (2024) Distributed Denial of Service Attack in HTTP/2: Review on Security Issues and Future Challenges. IEEE Access 12 (33296-33308). DOI: 10.1109/ACCESS.2024.3371013. Online publication date: 2024
  • (2024) Improved nonlinear model‐free adaptive iterative learning control in DoS attack environment. IET Control Theory & Applications 18:7 (825-833). DOI: 10.1049/cth2.12549. Online publication date: 27-Feb-2024
  • (2024) A threat modeling framework for IoT-Based botnet attacks. Heliyon 10:20 (e39192). DOI: 10.1016/j.heliyon.2024.e39192. Online publication date: Oct-2024
