There are many types of threats that exist over the considerably large network of computers and users we call the World Wide Web or the internet. Cyber hacking is one of the most common forms of threat, alongside other common ones such as viruses, Trojans and worms. All of these were designed to compromise the normally stable connection of users to the internet and even to local area networks.
DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are some of the most common and disabling types of attack that can be targeted against an internet or local area network. They can cripple a server's performance, which can also lead to huge losses in productivity and even profit for companies and other for-profit organizations.
Even though the nature of DoS and DDoS attacks is fairly well known to information technology and internet security experts, and to people who know the basic principles of maintaining a secure internet and local area network, it has been a challenge for website and network administrators to detect whether their respective networks or domains have already been infiltrated by a DoS or DDoS attacker and to gauge the extent to which their internet or network security has been breached; to prevent the occurrence of such attacks; and lastly to lessen the effects, which would most likely be considered damages to the network and to basically every individual and corporate entity involved, regardless of whether the damaged property is virtual or physical.
The objective of this paper is to discuss three carefully selected journal articles that revolve around the internet and network security topic, particularly around DoS and DDoS attacks. Each journal article will be discussed separately, and upon deliberation of the level of evidence and the perceived reliability and validity of the trial or review conducted, the author will pick at least three recommendations that fall under the detection, prevention, or mitigation strategy category.
Distributed Denial of Service Attack Principles and Defense Mechanisms
The objective of this study was to present to the readers some of the most basic and, at some points, advanced principles and mechanisms, most of them technical, behind DoS and DDoS attacks. The author also aimed to describe some of the common tools and measures that could help internet and network administrators minimize their vulnerability to such attacks. Basically, this article was crafted as a review article, presenting a comprehensive compilation of key information that one can find in the various literature about DoS and DDoS; based on that information, certain control and preventive measures were prescribed.
The author provided a brief explanation of the different events that must be involved in a DoS or DDoS attack before it can be classified as one. The author continued the review by classifying the different types of DoS and DDoS attacks into different categories and provided a brief explanation of each. For example, a DDoS attack can be classified according to the type of resource (Random Access Memory, CPU processing power, bandwidth, etc.) that it consumes, which includes, but is not limited to, attacks that consume inner resources and network transmission resources.
Ying (2011) described an inner resource attack as one in which the attacker gains control of a certain number (most likely greater than one) of host machines and sends these machines packets containing commands that, in turn, order them to make contact with the target Web Server; and a network transmission resources attack as one that instructs target hosts (computers) to send a certain type of packet, called ICMP ECHO packets, to different hosts within the same internet or local area network. These ICMP ECHO packets are actually just the tip of the iceberg, because they are only used as gangplanks for a much bigger goal. As soon as the ICMP ECHO packets have been received by the target hosts, they would most likely be interpreted as bogus packets, triggering the target hosts to respond by sending response packets to the target websites, which in this case are the attackers' real targets.
Direct and Gangplank DDoS attacks were also described. The author described a direct DDoS attack as one that targets the main corpse computers instead of the sub-corpse computers. Generally, direct DDoS attacks are much harder to trace and detect due to the involvement of the main corpse. Obviously, gaining control of the main corpse computer results in a more flexible means of initiating further attacks and a relatively more flexible network of attack.
Gangplank DDoS attacks, on the other hand, are attacks that target sub-corpse computers, contrary to the direct ones, which target the main corpse computers. The sub-corpse computers serve as the gangplank, or bridge, for the attack to be initiated.
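The network transmission resources attack described above leaves a characteristic trace on the victim's side: echo replies arriving from many distinct hosts that the victim never pinged. The following detector is an added example written for this review, not code from Ying's article; the flow records, hosts and thresholds are constructed, and the record layout (timestamp, source, destination, ICMP type) is an assumption.

```python
from collections import defaultdict

# Constructed flow records for this example: (timestamp, src, dst, icmp_type)
# ICMP type 8 is an echo request, type 0 an echo reply.
SAMPLE_FLOWS = [
    # a legitimate ping: 10.0.0.9 asks 10.0.0.1 and gets one reply back
    (99.0, "10.0.0.9", "10.0.0.1", 8),
    (99.1, "10.0.0.1", "10.0.0.9", 0),
    # 10.0.0.5 never sent any echo request, yet eight different hosts
    # answer it within one second: the reflection pattern described above
] + [(100.0 + 0.1 * k, f"192.168.1.{k + 1}", "10.0.0.5", 0) for k in range(8)]


def detect_icmp_reflection(flows, min_reflectors=5, window=10.0):
    """Return {victim: reflector_count} for destinations that receive echo
    replies from at least `min_reflectors` distinct hosts inside `window`
    seconds without having sent those hosts an echo request."""
    requested = defaultdict(set)    # src -> set of dsts it sent requests to
    replies = defaultdict(list)     # dst -> list of (ts, src) echo replies
    for ts, src, dst, icmp_type in flows:
        if icmp_type == 8:
            requested[src].add(dst)
        elif icmp_type == 0:
            replies[dst].append((ts, src))

    alerts = {}
    for victim, items in replies.items():
        # keep only replies the victim never asked for
        unsolicited = sorted((ts, src) for ts, src in items
                             if src not in requested.get(victim, set()))
        start = 0
        for end in range(len(unsolicited)):
            # slide the window so it spans at most `window` seconds
            while unsolicited[end][0] - unsolicited[start][0] > window:
                start += 1
            reflectors = {src for _, src in unsolicited[start:end + 1]}
            if len(reflectors) >= min_reflectors:
                alerts[victim] = max(alerts.get(victim, 0), len(reflectors))
    return alerts


if __name__ == "__main__":
    print(detect_icmp_reflection(SAMPLE_FLOWS))   # {'10.0.0.5': 8}
```

The legitimate exchange is filtered out because the victim's own echo request is on record; the threshold and window would be tuned to the size of the monitored network.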
One bright idea regarding the prevention of future DDoS attacks (after a recent one) is keeping a regularly updated source or reference of traces and tracks for recognizing DoS and DDoS attacks. The author placed more emphasis on developing a preventive strategy for future attacks because they believed that attempting to recognize attack sources is the first step in solving the problems that result from a DoS or DDoS attack. It is a practical solution to the problem, and in a way it can also be considered a mitigation strategy, considering that the author identifies it as a control strategy.
It cannot be 100 percent guaranteed that a highly preventive and stiff network security setup will remain secure, because every security system has a loophole and all the attackers have to do is identify such loopholes and take advantage of them. Therefore, mitigating and preventing would, at times, be a good choice.
Mitigating Application Layer Distributed Denial of Service Attacks via Effective Trust Management
There can be five Transmission Control Protocol/Internet Protocol layers involved in any attack, including DoS and DDoS attacks. The Application Layer, Transport Layer, Internet Layer, Data Link Layer, and Physical Layer are actually vulnerable to virtually any kind of attack, depending on the attacker's goals and intentions. However, one of the most common points of entry, or simply where the attacks usually occur, is the Application Layer. In this journal article, the author basically tried to propose, through research and trial-based evidence, a new way of mitigating application layer DDoS and quite possibly DoS attacks, since these two are very closely related.
The intervention that the authors are proposing involves the use of a trust management platform via what they call the TMH or Trust Management Helmet. TMH is a Java-based third-party entity which utilizes a "lightweight mitigation mechanism that uses trust to differentiate legitimate users from attackers". However, the use of trust in detecting and mitigating DoS and DDoS attacks could more often than not be interpreted as subjective. It is important to know that in websites that are usually targeted by attackers, objectivity is of utmost importance, because these sites can be e-commerce and state government websites.
However, trust evaluation using TMH cannot automatically be classified as an objective way of mitigating the effects of these attacks. This is because it assigns "trust" to clients based on a range of factors, which include the visiting history (which shows the regularity and pattern of visits) and license identification and verification. Theoretically, all information, especially the licenses, is cryptographically secured with the use of a TMH and is therefore invulnerable to tampering, forgery, and the other types of spoofing attacks that are necessary to trigger a DoS or DDoS attack.
The authors have noted, however, that the use of TMH can only be treated as a partial solution to the problems that usually arise in the mitigation of DDoS or DoS attacks. This may be due to the fact that TMHs are only usable, and thus effective, on attacks that target the application layer of networks. The effectiveness of TMHs in mitigating the effects of DoS and DDoS attacks was tested through a simulation in which a server, equipped with a Java-based TMH platform, was targeted by a session flooding attack.
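To make the trust idea concrete, here is an added example of a trust-based admission control in the spirit of the TMH, written for this review and not taken from the article or its Java implementation. It assumes a simple model: trust rises with a long, spread-out visiting history and collapses when a client opens a burst of sessions; a "license" is an HMAC tag binding the client identifier, so forged or missing licenses fall back to zero trust. The key, the thresholds (60-second window, 20 sessions per window, 50 past sessions for full trust) and the scenario with clients alice, bob and mallory are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed secret for issuing licenses; a real deployment would keep this
# in a key store and rotate it.
LICENSE_KEY = b"example-tmh-license-key"


def issue_license(client_id: str) -> str:
    """Issue a tamper-evident license binding the client id to an HMAC tag."""
    tag = hmac.new(LICENSE_KEY, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}:{tag}"


def verify_license(license_str: str):
    """Return the client id if the license is authentic, otherwise None."""
    client_id, _, tag = license_str.rpartition(":")
    if not client_id:
        return None
    expected = hmac.new(LICENSE_KEY, client_id.encode(), hashlib.sha256).hexdigest()
    return client_id if hmac.compare_digest(tag, expected) else None


class TrustHelmet:
    """Hypothetical trust evaluator: regular, spread-out sessions raise trust;
    a burst of sessions in a short window drives it toward zero."""

    WINDOW = 60.0       # seconds of recent history used to measure session rate
    BURST_LIMIT = 20    # recent sessions per window considered abusive
    LONG_TERM_CAP = 50  # past sessions needed for maximum long-term trust

    def __init__(self):
        self.history = defaultdict(deque)   # client_id -> session timestamps

    def record_session(self, client_id: str, now: float) -> None:
        self.history[client_id].append(now)

    def trust_of(self, client_id: str, now: float) -> float:
        times = self.history.get(client_id, ())
        if not times:
            return 0.0   # never seen: no trust at all
        recent = sum(1 for t in times if now - t <= self.WINDOW)
        long_term = min(len(times) - recent, self.LONG_TERM_CAP) / self.LONG_TERM_CAP
        penalty = max(0.0, (recent - self.BURST_LIMIT) / self.BURST_LIMIT)
        return max(0.0, min(1.0, 0.2 + 0.8 * long_term - penalty))


def admit(helmet: TrustHelmet, licenses, capacity: int, now: float):
    """Under overload, serve the highest-trust clients first and drop the rest.
    Requests with a missing or forged license are treated as unknown clients."""
    scored = []
    for lic in licenses:
        client_id = verify_license(lic)
        trust = helmet.trust_of(client_id, now) if client_id else 0.0
        scored.append((trust, client_id or "<unverified>"))
    scored.sort(key=lambda item: item[0], reverse=True)
    admitted = [cid for _, cid in scored[:capacity]]
    dropped = [cid for _, cid in scored[capacity:]]
    return admitted, dropped


def simulate_session_flood():
    """Constructed scenario: one regular visitor, one first-time visitor,
    one attacker opening 100 sessions in ten seconds, one forged license."""
    helmet = TrustHelmet()
    now = 1_000_000.0
    for day in range(30):                       # alice: one visit a day for a month
        helmet.record_session("alice", now - (day + 1) * 86400)
    for k in range(100):                        # mallory: 100 sessions in 10 s
        helmet.record_session("mallory", now - 0.1 * k)
    helmet.record_session("bob", now)           # bob: first ever visit
    requests = ([issue_license("alice"), issue_license("bob"), "bob:forged-tag"]
                + [issue_license("mallory")] * 100)
    return admit(helmet, requests, capacity=2, now=now)


if __name__ == "__main__":
    admitted, dropped = simulate_session_flood()
    print(admitted, len(dropped))   # ['alice', 'bob'] 101
```

With capacity for two sessions, the long-standing visitor and the first-time visitor are served while the flooding client and the forged license are dropped. It also illustrates the subjectivity the review points out: the weights and thresholds are policy choices, and a brand-new legitimate user has little to distinguish it from an attacker on the first visit.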
Protecting Dynamic Mobile Agent against Denial of Service Attacks
Mobile agents in a network or over the internet are becoming a common trend, especially now that we are living in a time in which a device's portability is considered a golden criterion. In this journal article, the authors have identified the different weaknesses of mobile agents, emphasizing their vulnerability to DoS and DDoS attacks. It was stated that "mobile agents are software programs migrating from one node to another to fulfill the task of its owner" and are usually associated with reduced network latency and network traffic, and with increased vulnerability to attacks including, but not limited to, DoS and DDoS attacks.
In this article, the authors proposed a solution for website and network administrators that use mobile agents to prevent malicious attacks. Their proposed solution involves the use of a server, separate from the main server, called the "guard", which is supposed to use a certain algorithm. Basically, the guard is a third-party entity (separate from the website server) which usually receives the flood of requests from host machines in a DoS or DDoS attack, and which also checks the agent's source code (SC) and route (R), as presented in the following algorithm:
j : Stands for the host i.e. jth host.
id : It is the unique identifier of the agent.
sc : It denotes the source code of the agent.
i/p : Denotes the input conditions for the agent at
o/p : Denotes the output of the agent at host j.
r : Predefined route (set of trusted hosts).
r' : Actual/Updated route (set of visited hosts).
The guard actually checks the correctness of every variable involved in a mobile agent-host-server process and stores records (acknowledgements) for future reference, which contain the signature of the "valid" host. If a request is initiated in the future and, after the authentication performed by the guard, it is identified that the request does not contain the same acknowledgement information as before, then that request will be classified as malicious. In a way, this mechanism seems to be a good way of not only preventing but also avoiding DoS and DDoS attacks.
So far, the identified measures are the updating of DoS and DDoS sources after a recent attack (mitigation), the use of a Trust Management Helmet (prevention/detection), and the use of a guard server (prevention/detection). All of these have their pros and cons, but one thing the three have in common is that they all have loopholes. Again, this may be attributed to the fact that no particular type of security is fool-proof, and even if the authors of a program, algorithm, or process claim that they have found a way to provide 100 percent protection against malicious attacks such as DoS and DDoS attacks, their claims would become invalid in time as attackers discover how to unlock the secrets and take advantage of the loopholes of a certain security platform. Nevertheless, these measures can be a very promising anti-DoS/DDoS strategy.
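The following is an added example of a guard that checks the agent variables listed above (id, sc, r and r') and issues acknowledgements; it is written for this review and is not the authors' algorithm. It assumes that the guard's signature is an HMAC over the agent id, a hash of sc and the visited route r', that hosts in r may be visited in any order but not twice, and that tampered code, an untrusted host, a stale acknowledgement or an unregistered agent are each rejected with a reason. The key, agent names, hosts and agent code are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed guard key; stands in for the guard's signing key in the paper's scheme.
GUARD_KEY = b"example-guard-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Agent:
    id: str                                       # unique agent identifier
    sc: bytes                                     # source code of the agent
    r: tuple                                      # predefined route (trusted hosts)
    r_actual: list = field(default_factory=list)  # r' : hosts actually visited
    ack: str = ""                                 # guard's acknowledgement from the last check


class Guard:
    """Hypothetical guard: records each agent's code hash and trusted route at
    registration and issues an HMAC acknowledgement over (id, code hash, r')."""

    def __init__(self):
        self.registry = {}   # agent id -> (sc hash, predefined route)

    def _ack(self, agent_id: str, sc_hash: str, visited) -> str:
        msg = "|".join([agent_id, sc_hash, ",".join(visited)]).encode()
        return hmac.new(GUARD_KEY, msg, hashlib.sha256).hexdigest()

    def register(self, agent: Agent) -> None:
        sc_hash = sha256_hex(agent.sc)
        self.registry[agent.id] = (sc_hash, tuple(agent.r))
        agent.ack = self._ack(agent.id, sc_hash, ())

    def check(self, agent: Agent, host_j: str):
        """Verify an agent arriving at host j. On success r' and the
        acknowledgement are updated; otherwise the reason is returned."""
        if agent.id not in self.registry:
            return False, "unknown agent id"
        sc_hash, route = self.registry[agent.id]
        if sha256_hex(agent.sc) != sc_hash:
            return False, "source code modified"
        expected = self._ack(agent.id, sc_hash, tuple(agent.r_actual))
        if not hmac.compare_digest(agent.ack, expected):
            return False, "invalid acknowledgement"
        if host_j not in route:
            return False, f"host {host_j} not in trusted route"
        if host_j in agent.r_actual:
            return False, f"host {host_j} already visited"
        agent.r_actual.append(host_j)
        agent.ack = self._ack(agent.id, sc_hash, tuple(agent.r_actual))
        return True, "ok"


def run_scenarios():
    """Constructed scenarios: a legitimate itinerary plus four malicious requests."""
    guard = Guard()
    code = b"def task(data):\n    return sum(data)\n"
    results = {}

    legit = Agent("agent-1", code, ("h1", "h2", "h3"))
    guard.register(legit)
    results["legit"] = [guard.check(legit, h)[0] for h in ("h1", "h2", "h3")]

    tampered = Agent("agent-2", code, ("h1", "h2"))
    guard.register(tampered)
    guard.check(tampered, "h1")
    tampered.sc = code + b"# modified in transit\n"
    results["tampered"] = guard.check(tampered, "h2")

    detour = Agent("agent-3", code, ("h1", "h2"))
    guard.register(detour)
    results["untrusted_host"] = guard.check(detour, "h9")

    replayed = Agent("agent-4", code, ("h1", "h2"))
    guard.register(replayed)
    stale_ack = replayed.ack
    guard.check(replayed, "h1")
    replayed.ack = stale_ack   # old acknowledgement resent after r' has advanced
    results["replay"] = guard.check(replayed, "h2")

    unregistered = Agent("agent-9", code, ("h1",))
    results["unregistered"] = guard.check(unregistered, "h1")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

Because every acknowledgement covers the route travelled so far, a request that repeats an earlier acknowledgement is rejected exactly as the review describes: its acknowledgement information no longer matches what the guard recorded. Rejecting such requests at the guard rather than at the main server is what keeps the flood away from the resource being protected.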