technologies

Review On Distributed Denial of Service Current Defense Schemes

Seth Djane Kotey 1 , Eric Tutu Tchao 1,2,* and James Dzisi Gadze 1,2

1 Department of Computer Engineering, Kwame Nkrumah University of Science and Technology (KNUST), PMB, Kumasi, Ghana; [email protected] (S.D.K.); [email protected] (J.D.G.) 2 Department of Electrical Engineering, Kwame Nkrumah University of Science and Technology (KNUST), PMB, Kumasi, Ghana * Correspondence: [email protected]; Tel.: +233-2499-79837



Received: 20 December 2018; Accepted: 16 January 2019; Published: 30 January 2019


Abstract: Distributed denial of service (DDoS) attacks are a major threat to any network-based service provider. The ability of an attacker to harness the power of a lot of compromised devices to launch an attack makes it even more complex to handle. This complexity can increase even more when several attackers coordinate to launch an attack on one victim. Moreover, attackers these days do not need to be highly skilled to perpetrate an attack. Tools for orchestrating an attack can easily be found online and require little to no knowledge about attack scripts to initiate an attack. Studies have been done severally to develop defense mechanisms to detect and defend against DDoS attacks. As defense schemes are designed and developed, attackers are also on the move to evade these defense mechanisms and so there is a need for a continual study in developing defense mechanisms. This paper discusses the current DDoS defense mechanisms, their strengths and weaknesses.

Keywords: distributed denial of service (DDoS); detection; defense; traceback; attack

1. Introduction As of December 2017, it was estimated that the number of internet users was over 4 billion with a user growth of over 1000% within the past 18 years [1]. With the increase in dependability of the internet comes with it an important challenge: data availability. Data availability is a key requirement for a network system to be considered secure. Distributed denial of service attacks are intentional attempts by malicious users to disrupt or degrade the quality of a network or service [2]. These attacks involve a number of compromised connected online devices, known as a botnet [3]. The use of botnets makes it easier for attackers to launch massive attacks due to the fact that they harness the power of a lot of devices for an attack. Attacks involving botnets also make it difficult to determine the exact source of the attack. Differentiating between flash crowds also poses a major challenge. Spoofed source addresses to hide source addresses make it even more difficult. These attacks have been around for several years, but in recent years, the scale of attacks have increased drastically. On 28 February 2018, Akamai reported a 1.3 TBps attack on GitHub [4]. A few days later, Arbor Networks reported a 1.7 TBps attack [5]. With attacks like these, there is the need to develop robust defense schemes to protect internet networks and services. In this paper, we present current mechanisms for defending against DDoS attacks. We categorize these defense mechanisms according to the main functions they perform. We discuss their strengths and weaknesses and make some comparisons among them. This will help researchers further improve the current defense mechanisms for practical application. The rest of the paper is organized as follows: related surveys are presented in Section2, Section3 gives the criteria for papers included in this review, Section4 describes DDoS attacks, Section5 presents the reviewed

Technologies 2019, 7, 19; doi:10.3390/technologies7010019 www.mdpi.com/journal/technologies Technologies 2019, 7, 19 2 of 24 mechanisms to defend against attacks, Section6 discusses and compares the mechanisms and Section7 concludes the paper.

2. Related DDoS Defense Surveys Zargar et al. presented a comprehensive overview of DDoS attacks and a classification of them based on network layer and application layer [6]. They also presented a classification of DDoS defense mechanisms based on OSI layer operation and the deployment location of the defense system; source based, destination based, network based, and hybrid (distributed) mechanisms. They further discussed the features, advantages, and disadvantages of defense mechanisms based on their deployment location. In addition, the authors categorized the defense systems by the point in time in which they begin operation (before the attack, during the attack, or after the attack). They then compared the performance of the defense mechanisms according to the classifications they used. Carlin et al. reviewed intrusion detection and prevention systems to mitigate potential DDoS attacks in the cloud [7]. They listed the most popular DDoS attacks on cloud systems, classified and discussed intrusion detection systems along with their challenges. Classification of the intrusion detection systems was knowledge-based and anomaly-based. Sub categorizations were done based on the scalability of the management system, user authentication and the response mechanism. Rashmi V. Deshmukh and Kailas K. Devadkar discussed DDoS attacks and provided a taxonomy of attacks in the cloud environment [8]. They classified defense mechanisms based on prevention, detection, and response to detection techniques. They also listed some factors to consider in selecting a defense solution in the cloud environment. Somani et al. presented insights into the characterization, prevention, detection, and mitigation mechanisms of DDoS attacks in the cloud environment [9]. They presented features of cloud computing which aid in mounting a successful DDoS attack. A taxonomy of DDoS solutions was also presented and the solutions were categorized under prevention, detection, and mitigation. They concluded by discussing considerations to be made in selecting a defense solution. Mahjabin et al. presented a review on different DDoS attacks [10]. They discussed attack phases in a DDoS attack, variations and evolutions of attacks as well as attackers’ targets and motivations. They classified and analyzed prevention and mitigation techniques based on their underlying principle of operation. Underlying principles for the prevention methods reviewed were filters, secure overlay service, load balancing, honeypots, and awareness-based prevention systems. Mitigation techniques were also categorized broadly based on detection, response, and tolerance-based systems. They concluded by listing the key features, advantages, and limitations of the prevention and detection mechanisms reviewed. Kalkan et al. presented DDoS attack scenarios in software defined networks (SDNs) [11]. Solutions to attacks were also broadly classified as intrinsic (having inherent properties) and extrinsic (depending on external factors). Solutions were also classified according to their defense function (detection, mitigation, and both detection and mitigation) and SDN switch intelligence (capable switch vs. dumb switch). Zare et al. came up with a paper reviewing papers on DDoS attacks and countermeasures between the years 2000 and 2016 [12]. They discussed intrusion detection systems and analyzed countermeasures against DDoS attacks based on the location of the defense mechanism; source-end, core-end, victim-end, and distributed defense. There has been a great number of surveys on DDoS defenses in previous years. DDoS attacks are on the rise and there is a constant need to present the state-of-the-art defense mechanisms to aid researches in their attempt to combat such attacks. In previous surveys however, most defense categorizations were done based on their underlying principle of operation and not the function they perform in defending against attacks. Defense mechanisms were also not discussed into detail to give a greater understanding of their operation. Also, the individual defense mechanisms were not compared with each other, but rather, comparisons were mainly done based on the underlying principle of operation or location of deployment of the defense mechanism. Technologies 2019, 7, 19 3 of 24

In our paper, we present a taxonomy of DDoS attacks in the network layer and application layer. We categorize state of the art defense mechanisms based on the function they perform, that is, detection only, tracebackTechnologies only, 2018 mitigation, 6, x FOR PEER only, REVIEW and detection and mitigation mechanisms. We discuss3 of the24 defense mechanisms reviewedIn our paper, into we detailpresent anda taxonomy compare of DDoS them atta fairlycks in the using network performance layer and application metrics layer. affecting the effectivenessWe ofcategorize a defense state solution of the art whilst defense giving mechanisms recommendations based on the function for future they research.perform, that is, detection only, traceback only, mitigation only, and detection and mitigation mechanisms. We 3. Survey Methodologydiscuss the defense mechanisms reviewed into detail and compare them fairly using performance metrics affecting the effectiveness of a defense solution whilst giving recommendations for future Literatureresearch. was collected by searching indexing databases. Cited papers in articles considered for review were also collected. Papers included for consideration provided DDoS detection, prevention or 3. Survey Methodology mitigating mechanisms. Papers published before 2013 were excluded mainly because attack rates and volumes have increasedLiterature drastically was collected in by the searching past few indexing years, databases. which Cited may papers render in articles older solutionsconsidered obsolete. for review were also collected. Papers included for consideration provided DDoS detection, The titlesprevention and abstracts or mitigating of themechanis collectedms. Papers literature published were before reviewed. 2013 were Papersexcluded which mainly didbecause not propose solutions toattack DDoS rates attacks and volumes from theirhave increased abstracts drastically were also in the excluded past few fromyears, thewhich review. may render Papers older proposing solutions tosolutions only denial obsolete. of service (DoS) attacks were also excluded, due to the relative simplicity of defending againstThe DoS titles attacks. and abstracts of the collected literature were reviewed. Papers which did not propose solutions to DDoS attacks from their abstracts were also excluded from the review. Papers Papersproposing containing solutions defense to only techniques denial of service which (DoS have) attacks been were improved also excluded, upon due in to subsequentthe relative papers were also excludedsimplicity of with defending the papers against containingDoS attacks. the most current improvement included. Finally, 15 papersPapers werecontaining selected defense to techni be reviewedques which in have this been paper. improved upon in subsequent papers were also excluded with the papers containing the most current improvement included. 4. DDoS AttackFinally, Taxonomy15 papers were selected to be reviewed in this paper. The distributed4. DDoS Attack nature Taxonomy of DDoS attacks tends to make it very difficult to defend against. Figure1 shows a simplifiedThe distributed attack network. nature of DDoS Real attackattacks tends networks to make involve it very difficult a lot more to defend devices. against. The Figure main aim of such an attack1 shows is to a simplified degrade attack networks, network. deplete Real attack network networks resources involve a and lot more to prevent devices. legitimateThe main aim users from of such an attack is to degrade networks, deplete network resources and to prevent legitimate users having access to network resources [6]. from having access to network resources [6].

FigureFigure 1. 1. SimplifiedSimplified attack attack network. network. A denial of service (DoS) attack is an attack in which an attacker seeks to overload a system to A denialprevent of servicethe system (DoS) from attack serving is legitimate an attack re inquests. which DoS an attacks attacker are seeksrelatively to simple overload and a system to preventunsophisticated, the system frominvolving serving just a single legitimate attacker. requests.DoS attacks are DoS easier attacks to detect are and relativelydefend against. simple and unsophisticated,Distributed involving DoS however, just ais singlea more sophisticated attacker. DoS form attacks of DoS. DDoS are easier attacks toinvolve detect a single and attacker defend against. Distributedor DoS multiple however, attackers, is acommandeering more sophisticated a large number form of of DoS.compromised DDoS attacksdevices (zombies involve or a singlebots), attacker which are collectively known as a botnet, to launch a denial of service attack on a target system or multiple(victim). attackers, Traffic commandeering originating from different a large sources number makes of it compromiseddifficult to detect devicesand defend (zombies against. or bots), which are collectively known as a botnet, to launch a denial of service attack on a target system (victim). Traffic originating from different sources makes it difficult to detect and defend against. Most attackers craft their attack traffic to look legitimate and may use spoofed addresses to launch the attacks, which make it more difficult to combat. A DDoS attack is normally launched in two major phases. The attacker first builds the botnet by targeting poorly secured devices over the internet. DDoS attack programs are then installed on these Technologies 2019, 7, 19 4 of 24 devices. These zombies also scan for poorly secured devices and compromise them as well, building a large botnet. The second phase is launching the attack itself. Large volumes of traffic are generated by the zombies and are forwarded to the target system to overload it. The distributed nature of the source of traffic make it nearly impossible to distinguish from legitimate traffic. Earlier, attackers had to perform each step of the attack manually. This meant an attacker needed to have a lot of information about the target system and also had to be very skillful to be able to launch an attack. In recent years however, DDoS attack tools have been developed and are available on the internet for download freely or for a little amount of money [13,14]. Such tools can be used by even the least skillful attacker. They do not require an attacker to understand much about the target system or even how the attack is perpetrated. Botnets can also be hired on the internet for very low amounts of money. These have made it easier for people to perpetrate attacks [15]. DDoS attacks can be classified under many categories. In this paper, attacks are classified under two broad headings: network/transport layer attacks and application layer attacks. Network/transport layer: Network/transport layer attacks are targeted at the network or transport layer. They are more common due to the ease of initiating them. We discuss a few of these attacks here.

TCP SYN flooding: With the TCP (transmission control protocol) SYN flooding attack, the attacker exploits the connection-oriented nature of TCP. A flood of packets is sent to the victim requesting connection without completing the TCP handshake. This leaves many half-open connections in the victim’s connection state memory, denying legitimate users from connecting. [16]

UDP flooding: With the UDP (user datagram protocol) attack, a large stream of UDP packets is sent to the victim, creating a congestion on the victim’s network. [17]

ICMP Smurf: With this attack, the attacker spoofs the victim’s IP address as the source address to broadcast a large number of ICMP (Internet control message protocol) packets on a network using an IP (Internet protocol) broadcast address. The resultant response from devices on the network is a very large number of packets destined for the victim. [18]

Ping of death: The attacker in a ping of death attack tries to crash a victim server by sending malformed or oversized packets with the ping command. Packets are fragmented and sent and when reassembled by the victim, end up with an oversized packet (packets larger than 65,535 bytes, which is the maximum size of a ping packet). A variation of this attack is the ping flood in which the attacker sends numerous ICMP packets in a ping command without waiting for a reply. [19]

Application layer: Application layer attacks target the application layer. They tend to disrupt operation of a specific application or server to prevent legitimate users from having access to it. We discuss some of these attacks here.

DNS Amplification: Attacks of this nature rely on public DNS (domain name system) servers and a vulnerability in DNS server which makes them reply small queries with a large payload to flood a victim. The attacker sends queries with the victim’s IP address as the source and the much larger response is directed to the victim. Botnets are used to scale up the impact of the attack. [20]

HTTP fragmentation attack: With the HTTP (hypertext transfer protocol) fragmentation attack, the attacker establishes a connection with the victim server and sends traffic in fragments as slowly as possible. This causes the servers to maintain longer sessions as they wait to receive traffic from the attacker. [6] Technologies 2019, 7, 19 5 of 24

5. Defense Mechanisms There are several defense mechanisms proposed to defend against DDoS attacks. Classification of these mechanisms can be done based on several criteria. In this paper, four categories are used in classification: attack detection only mechanisms, attack traceback only mechanisms, attack mitigation onlyTechnologies mechanisms, 2018, 6, x FOR and PEER detection REVIEW and mitigation mechanisms. 5 of 24

5.1. Detectionfragments Only Mechanismsas slowly as possible. This causes the servers to maintain longer sessions as they Detectionwait to onlyreceive mechanisms traffic from arethe defenseattacker [6]. mechanisms with the aim to detect the presence of an attack and report to the network administrator to take action. 5. Defense Mechanisms Service-OrientedThere are several DDoS defense Detection mechanisms Mechanism proposed Using to Pseudo defend State against (SDM-P) DDoS attacks. Classification of these mechanisms can be done based on several criteria. In this paper, four categories are used in Park et al. proposed a bidirectional flow-based detection scheme know as service-oriented DDoS classification: attack detection only mechanisms, attack traceback only mechanisms, attack mitigation detection mechanism using a pseudo state (SDM-P) [21]. SDM-P runs a bidirectional key hashing only mechanisms, and detection and mitigation mechanisms. algorithm on flow routers and maintains a hashing table and pseudo state machine. Pseudo session states5.1. Detection represent Only service Mechanisms procedure states as bit sequences. This enables flow routers which are optimized to analyze packets as bit sequences to understand and process service procedure state representations efficiently.Detection Some only proposed mechanisms schemes are relateddefense to mechanisms this are [22 –with24]. Thethe aim authors to detect in [22 the,23 presence] used a principalof an attack and report to the network administrator to take action. component analysis (PCA) tool to reduce the number of variables needed to analyze network traffic, reducing the amount of information needed to detect an attack. The authors in [24] used a support Service-Oriented DDoS Detection Mechanism Using Pseudo State (SDM-P) vector machine (SVM) for traffic classification. Both PCA and SVMs have good detection rates but are computationallyPark et al. proposed costly due a bidirectional to their requirement flow-based of detection several memory scheme readknow and as service-oriented writes. This makes DDoS them unsuitabledetection mechanism for use in routers using a for pseudo analyzing state real-time(SDM-P) network[21]. SDM-P traffic. runs a bidirectional key hashing algorithmFigure on2 depicts flow routers the operation and maintains of a flow a hashing router. table When and apseudo flow router state ma receiveschine. Pseudo a packet, session it takes states represent service procedure states as bit sequences. This enables flow routers which are the 5-tuple and calculates a hash key. The 5-tuple consists of the source and destination IP addresses, optimized to analyze packets as bit sequences to understand and process service procedure state source and destination ports, and protocol in use. If the packet flow is a new one, the destination is representations efficiently. Some proposed schemes related to this are [22–24]. The authors in [22] checked by the algorithm. If it is not to the protected server, it is forwarded normally. If it is to the and [23] used a principal component analysis (PCA) tool to reduce the number of variables needed protected server, the system consults the pseudo state machine and inserts an entry for the new flow in to analyze network traffic, reducing the amount of information needed to detect an attack. The theauthors flow table.in [24] Once used therea support is a flowvector entry machine for the (SVM) flow for in thetraffic table, classification. the pseudo Both state PCA machine and SVMs checks if thehave flow good is attack detection traffic. rates If but the are flow computationally does not follow costly the proceduredue to their stated requirement in the pseudoof several state memory machine, itread is considered and writes. to This be malicious.makes them Appropriate unsuitable for actions use in canrouters then for be analyzing taken to real-time stop the attack.network traffic.

FigureFigure 2. Operation 2. Operation of algorithm of algorithm in flow in flowrouter router [21]. [21].

Figure 2 depicts the operation of a flow router. When a flow router receives a packet, it takes the 5-tuple and calculates a hash key. The 5-tuple consists of the source and destination IP addresses, source and destination ports, and protocol in use. If the packet flow is a new one, the destination is checked by the algorithm. If it is not to the protected server, it is forwarded normally. If it is to the protected server, the system consults the pseudo state machine and inserts an entry for the new flow

TechnologiesTechnologies 2018,2019 6, x, FOR7, 19 PEER REVIEW 6 of 246 of 24 in the flow table. Once there is a flow entry for the flow in the table, the pseudo state machine checks Though it works well against TCP, UDP and HTTP attacks, the bidirectional hashing algorithm if theused flow in is SDM-P attack is computationaltraffic. If the expensive flow does and not uses follow more memory the procedure for the hash stated generation in the and pseudo creation state machine,of the it hash is considered tables. It may to be perform malicious. poorly Appropriate in the presence actions of a huge can attack.then be taken to stop the attack. Though it works well against TCP, UDP and HTTP attacks, the bidirectional hashing algorithm used 5.2.in SDM-P Traceback is Only computational Mechanisms expensive and uses more memory for the hash generation and creation ofTraceback the hash only tables. mechanisms It may perform seek to poorly trace the in attackthe presence as close of to a the huge source attack. as possible. These involve gathering certain information about attack packets and analyzing to determine an attack path. 5.2. Traceback Only Mechanisms Dynamical Deterministic Packet Marking (DDPM) Traceback only mechanisms seek to trace the attack as close to the source as possible. These Yu et al. proposed dynamic packet marking scheme based on the deterministic packet marking involve gathering certain information about attack packets and analyzing to determine an attack mechanism for traceback, capable of tracing to routers as close to the attack source as possible [25]. path. The proposed scheme uses a marking on demand (MOD) method to give out marking identities (IDs) dynamically. The system is capable of tracing DDoS attacks to all possible sources of attack. DynamicalThe marking Deterministic is done inPacket a way Marking to only capture (DDPM) routers related to the attack in cooperating internet Yudomains. et al. proposed A MOD server dynamic is set up packet centrally, marking along withsche ame DDoS based attack on detectorthe deterministic which monitors packet network marking mechanismflow at eachfor traceback, router or gateway.capable Theof tracing MOD serverto router is responsibles as close to for the generating attack source unique as IDs possible for each [25]. router and keeping a record of the ID-router IP in its database. The attack detector requests the ID and The proposed scheme uses a marking on demand (MOD) method to give out marking identities (IDs) marks the suspicious flow with the ID. If an attack is confirmed, the victim picks out the ID from the dynamically. The system is capable of tracing DDoS attacks to all possible sources of attack. The attack packets and identifies the IP addresses related to the attack (source addresses) from the MOD markingserver’s is done database. in a way to only capture routers related to the attack in cooperating internet domains. A MOD serverFigure 3is shows set up the centrally, architecture along and with workflow a DDoS of attack the DDPM detector scheme. which When monitors there is network a sudden flow at eachincrease router in or network gateway. flow The volume, MOD theserver attack is detectorresponsible requests for generating for an ID for unique the flow IDs (1). for The each MOD router and keepingserver gives a record out the of IDthe and ID-router stores information IP in its data (sourcebase. IP, The timestamp) attack detector related requests to the ID giventhe ID out and in marks its the suspiciousdatabase (2). flow The with gateway the ID. embeds If an theattack ID into is confirmed, the header ofthe the victim packets. picks A source out the IP ID query from is sentthe attack to packetsthe and MOD identifies server with the theIP addresses ID if an attack related is confirmed to the attack by the (source victim (3).addresses) The MOD from server the replies MOD withserver’s database.the source IP address of the attacker(s) (4).

FigureFigure 3. MOD 3. MOD scheme scheme architecture architecture [25]. [25 ].

FigureAccording 3 shows to the the architecture authors, this and scheme workflow is more scalableof the DDPM than traditional scheme. DPMs,When howeverthere is a it sudden has increasesome in limitations. network flow volume, the attack detector requests for an ID for the flow (1). The MOD server gives out the ID and stores information (source IP, timestamp) related to the ID given out in its database (2). The gateway embeds the ID into the header of the packets. A source IP query is sent to the MOD server with the ID if an attack is confirmed by the victim (3). The MOD server replies with the source IP address of the attacker(s) (4). According to the authors, this scheme is more scalable than traditional DPMs, however it has some limitations.

Technologies 2019, 7, 19 7 of 24

• Since the whole system hinges on the performance of the MOD server, it can easily be an attack target. Once it is knocked down, the entire system will fail. • Also, because of the amount of data the MOD server’s database will handle, it reduces the speed of the network when information is being retrieved by the victim. • Network address translation (NAT) techniques enable IP address sharing. To traceback to a specific source, the related MAC (Media Access Control) addresses have to be included in the MOD database, which increases the information stored in the database.

Related to this work are [26–28]. The authors in [26] proposed a deterministic packet marking method. With this method, the packet source router divides its IP address in two (16 bits each) and embeds it in two packets to enable the victim trace the source router of the packet. The fragment ID (16 bits) and reserved flag (1 bit) are used in marking the packet. In [27], the authors bettered the marking scheme used in and the authors in [28] proposed a flexible marking scheme, which varied the length of the marking ID depending on the network protocols in operation by including the type of service (TOS) field (8 bits) in the marking process. Compared with related works, the DDPM is scalable and uses lower storage for IDs.

5.3. Detection and Mitigation Mechanisms Detection and mitigation schemes attempt to detect the presence of an attack and implement an attack mitigation mechanism autonomously. Legitimate traffic is differentiated from malicious ones and actions are taken by the system against malicious traffic.

5.3.1. TDFA: Traceback-Based Defense against DDoS Flooding Attacks Foroushani and Heywood proposed a defense against flooding attack based on traceback. TDFA has detection, traceback, and traffic control components [29]. The main aim of the scheme is to filter packets as close to the source as possible, thereby limiting the amount of attack packets received by the victim. This, if successfully implemented, reduces load on filtering routers and also maximizes the number of legitimate packets to reach their destination. The system works with coordination between victim end and source end defense systems. The TDFA detection component resides on the edge network at the victim end and detects anomalies in network traffic. The authors proposed to use existing detection tools and not to propose a new one. The traceback component uses the deterministic flow marking [30] (DFM) technique, which only requires participation of some edge routers on the attack path. The DFM consists of a DFM encoding module (DFME) running on the edge routers and a decoding module (DFMD) on the victim end. The DFME marks flows instead of packets and uses three identifiers for marking: the outside interface IP address of the edge router, the network interface identifier (NI-ID) and a node identifier (node-ID). The NI-ID is an identifier given to either the network MAC address interface or VLAN ID of the edge router. The node-ID is an identifier given to every source MAC address seen on incoming traffic from local networks. Only the edge routers are involved in marking. The traffic control component is made up of traffic adjustment (TA) and packet filtering (PF) modules. The TA operates on the victim network’s border gateway device and the TF operates on every edge router. After traceback, when the source of attack is found out, the TA notifies the defense system at the source end with a message containing information of the attack traffic. The PF does packet filtering on packets headed to the victim based on information received from the TA. A variable rate limit algorithm is proposed to control bandwidth consumption by routers forwarding the attack traffic. The varying rates are chosen based on traffic histories of the routers. Attack traffic is filtered as close to the source as possible to prevent an entry into the victim network. However, packet forwarding rate is reduced continually till packet drop rate is zero, and this Technologies 2018, 6, x FOR PEER REVIEW 8 of 24

Figure 4 shows a sample network with locations of the TDFA modules. The legitimate hosts are represented with ‘Hx’, the TA module communicates with the PF modules on the edge routers of the attack networks. The TDFA system is capable of mitigating attacks from the source end, ensuring the victim does not feel the impact of the attack much before mitigation. However, it requires cooperation from all the edge routers in the network, a scenario which might be difficult to achieve in a large network. ReferencesTechnologies 2019[31–33], 7, 19 are some works related to TDFA. 8 of 24 The authors in [31] proposed a defense system to rely only on the edge router for traceback and packet filtering.will This have system an impact however on legitimate can easily connections. be defeat Also,ed attacksif the attack which areis from orchestrated different to look sources like spread across thelegitimate internet. traffic In [32] will notand be [33], detected the authors by the system. proposed a path identification approach which places Figure4 shows a sample network with locations of the TDFA modules. The legitimate hosts are a path fingerprint in every packet. This method fails if the victim’s bandwidth is consumed by an represented with ‘Hx’, the TA module communicates with the PF modules on the edge routers of the attack sinceattack they networks. only rely on packet filtering at the victim end.

Figure Figure4. Sample 4. Sample module module placement placement in in a a network [29 [29].]. The TDFA system is capable of mitigating attacks from the source end, ensuring the victim does 5.3.2. Classifiernot feel the System impact for of the Detecting attack much and before Preventing mitigation. DDoS However, (CS_DDoS) it requires cooperation from all the edge routers in the network, a scenario which might be difficult to achieve in a large network. Sahi et al. proposed a classifier system known as CS_DDoS for DDoS TCP flood attack detection References [31–33] are some works related to TDFA. and preventionThe authorsin the in public [31] proposed cloud a[34]. defense During system todetection, rely only onthe the syst edgeem router determines for traceback if anda packet is legitimatepacket or from filtering. an Thisattacker system and however during can preven easily betion, defeated packets if the classified attack is from as malicious different sources are dropped and sourcespread IP acrossblacklisted. the internet. According In [32,33 to], the authorsauthors, proposed the least a path squares identification support approach vector whichmachine (LS- SVM) classifierplaces a path produced fingerprint the in best every performance packet. This method when fails tested if the as victim’s against bandwidth the K-nearest, is consumed naïve by Bayes, an attack since they only rely on packet filtering at the victim end. and multilayer perceptron [35]. The system architecture and workflow are shown in Figure 5. 5.3.2. Classifier System for Detecting and Preventing DDoS (CS_DDoS) Sahi et al. proposed a classifier system known as CS_DDoS for DDoS TCP flood attack detection and prevention in the public cloud [34]. During detection, the system determines if a packet is legitimate or from an attacker and during prevention, packets classified as malicious are dropped and source IP blacklisted. According to the authors, the least squares support vector machine (LS-SVM) classifier produced the best performance when tested as against the K-nearest, naïve Bayes, and multilayer perceptron [35]. The system architecture and workflow are shown in Figure5.

Technologies 2019, 7, 19 9 of 24 Technologies 2018, 6, x FOR PEER REVIEW 9 of 24

Figure 5. System architecture [34] Figure 5. System architecture [34]

The scheme assumes that source IP addresses are not spoofed. During detection, the detection unit capturescaptures incoming incoming packets packets within within a time a time window window and checks and checks them against them aagainst blacklist a toblacklist determine to determineif their source if their addresses source addresses have been have blacklisted. been blacklis If theted. source If the is source blacklisted, is blacklisted, the packet the ispacket sent tois sentthe preventionto the prevention unit without unit without any further any further processing. processing. If the If sourcethe source is not is not blacklisted, blacklisted, the the packet packet is isdirected directed through through a classifiera classifier to to determine determine whether whethe ther the packet packet is legitimateis legitimate or or malicious. malicious. A A packet packet is isconsidered considered malicious malicious if its if its source source requests requests to connect to connect to the to samethe same destination destination more more frequently frequently than than a set athreshold. set threshold. Legitimate Legitimate packets packets are forwarded are forwarde to theird destination to their destination and malicious and ones malicious are forwarded ones are to forwardedthe prevention to the unit. prevention unit. The prevention unit has three main functions; it sends a signal to the system administrator of the attack, attack, then then adds adds the the source source address address to tothe the blacklis blacklistt if it if does it does not notalready already exist exist in the in blacklist, the blacklist, and finallyand finally drops drops the thepacket. packet. Evaluation Evaluation of the of the system system was was performed performed under under single single and and multiple multiple source source attack scenariosscenarios and and was was found found to be to consistent, be consiste withnt, 97 with percent 97 andpercent 94 percent and 94 accuracy, percent respectively. accuracy, respectively.However, the However, system might the besystem ineffective might inbe an ineffective attack which in an involves attack awhich large botnet,involves with a large each botnet, device withhaving each a different device having IP address a differ andent sending IP address requests and below sending the requests connection below requests the connection threshold. requests threshold. 5.3.3. Application Layer DDoS Detection and Defense 5.3.3. Application Layer DDoS Detection and Defense Zhou et al. proposed a defense technique against application layer DDoS (AL-DDoS) attacks in heavy backboneZhou et al. web proposed traffic. According a defense technique to the authors, against the application mechanism layer can differentiate DDoS (AL-DDoS) between attacks flash incrowds heavy and backbone DDoS attacks web traffic. by examining According entropy to the of authors, traffic using the amechanism real-time frequency can differentiate vector (RFV) between [36]. flashThe system crowds architecture and DDoS andattacks flow by of examining the system entropy are shown of traffic in Figure using6. The a real-time RFV characterizes frequency trafficvector (RFV)in real time[36]. asThe a setsystem of models. architectu There defense and flow system of isthe modularized, system are consistingshown in ofFigure a head-end 6. The sensor, RFV characterizesa detection unit, traffic and in a real traffic time filter. as a set of models. The defense system is modularized, consisting of a head-endThe head-end sensor, sensor,a detection known unit, as and the abnormala traffic filter. traffic detection module (ATDM) tracks the amount of HTTP ‘Get’ requests per second. Based on the previous amount, the next amount can be predicted using the Kalman filter. The deviation between the predicted value and the actual value is compared with a set threshold and an abnormal event is reported if the deviation surpasses the threshold. The ATDM then sends an ‘ATTENTION’ signal to the detection module.

Technologies 2019, 7, 19 10 of 24 Technologies 2018, 6, x FOR PEER REVIEW 10 of 24

FigureFigure 6. System 6. System architecture architecture and andflow flow[36]. [36].

TheThe detection head-end module,sensor, known known as as the DDoS abnormal attack traffic detection detection module module (DADM) (ATDM) runs tracks only when the it receivesamount the of HTTP ‘ATTENTION’ ‘Get’ requests signal. per The second. DADM Based is workson the withprevious four amount, variations the of next attack amount traffic: can be predicted using the Kalman filter. The deviation between the predicted value and the actual value is 1.comparedRepeated with request a set threshold AL-DDoS and attack an traffic:abnormal this event attack istraffic reported is directed if the deviation towards thesurpasses homepage the or threshold.a ‘hot’ The webpage. ATDM then sends an ‘ATTENTION’ signal to the detection module. 2. RecursiveThe detection request module, AL-DDoS known Attack as DDoS traffic: attack attack detection traffic ismodule scattered (DADM) over different runs only web when pages. it 3.receivesRepeated the ‘ATTENTION’ eorkload AL-DDoS signal. The Attack DADM traffic: is wo similarrks with to four the repeated variations request of attack attack traffic: but employs less1. Repeated bots in attack request which AL-DDoS continually attack sendtraffic: large this imageattack traffic or database is directed searching towards operations the homepage requests. 4. Flashor crowds:a ‘hot’ webpage. this describes a surge in visits to a website, mostly after the announcement of a2. newRecursive service request or free softwareAL-DDoS download. Attack traffic: attack traffic is scattered over different web pages. 3. Repeated eorkload AL-DDoS Attack traffic: similar to the repeated request attack but The DADMemploys traces less eachbots sourcein attack address which and continually requested send webpage large and image records or database in the RFV searching the average frequencies.operations The current requests. record is compared with a presumed normal record to determine if the type of traffic4. it isFlash most crowds: likely to this be usingdescribes the distributiona surge in visits of the to a sources website, and mostly destinations. after the Entropyannouncement is calculated of and traffica isnew distinguished service or free between software attack download. traffic and flash crowds. Flash crowds usually have smaller ratio ofThe entropy DADM values. traces each source address and requested webpage and records in the RFV the averageThe filterfrequencies. module The (FM) current receives record malicious is compared source with IP a presumed addresses normal and stops record the to attack. determine A bloom if filterthe type [37] of is usedtraffic to it filteris most traffic likely from to be the using attack the IPdistribution addresses. of the sources and destinations. Entropy is calculatedA few limitations and traffic and is distinguished open issues between were discussed attack traffic by the and authors: flash crowds. Flash crowds usually have smaller ratio of entropy values. 1. The autoregressive (AR) model does not present HTTP ‘Get’ traffic accurately and is used because The filter module (FM) receives malicious source IP addresses and stops the attack. A bloom of its simplicity. filter [37] is used to filter traffic from the attack IP addresses. 2. AttackersA few limitations may be ableand open to avoid issues detection were discussed by the system by the byauthors: increasing attack traffic slowly until it surpasses1. The autoregressive the threshold. (AR) model does not present HTTP ‘Get’ traffic accurately and is used 3. Thebecause proposed of systemits simplicity. and method incorporates many variables and parameters whose optimized values2. Attackers may take may time be able to determine. to avoid detection by the system by increasing attack traffic slowly 4. Bloomuntil filters it surpasses in the the FM threshold. need to be reset after an attack since bots used in an attack may be recovered3. The proposed by the legitimate system and users. method incorporates many variables and parameters whose optimized values may take time to determine. 5.3.4.4. DDoS Bloom Attack filters Mitigation in the FM Architecture need to be reset Using after Software-Defined an attack since bots Networking used in an (DaMask) attack may be recovered by the legitimate users. Wang et al. proposed an attack mitigation architecture in cloud computing using SDN (software defined networks) known as DaMask [38]. DaMask consists of two components: DaMask-D and 5.3.4. DDoS Attack Mitigation Architecture Using Software-Defined Networking (DaMask) DaMask-M. DaMask-D is an anomaly-based detection module and DaMask-M is the attack mitigation module.Wang DaMask et al. proposed was designed an attack to accomplish mitigation three arch mainitecture objectives; in cloud tocomputing be able to using protect SDN services (software in both publicdefined and networks) private clouds, known to as incur DaMask little computational[38]. DaMask consists overhead of andtwo tocomponents: have a low deploymentDaMask-D and cost. DaMask-M.The system DaMask-D separates is networkan anomaly-based traffic for differentdetection destinations module and by DaMask-M virtualization. is the Each attack virtual mitigation module. DaMask was designed to accomplish three main objectives; to be able to protect network for the different destinations is known as a slice and is isolated from other slices.

Technologies 2018, 6, x FOR PEER REVIEW 11 of 24

services in both public and private clouds, to incur little computational overhead and to have a low deployment cost. The system separates network traffic for different destinations by virtualization. Each virtual network for the different destinations is known as a slice and is isolated from other slices. DaMask-D uses anomaly-detection for attack detection. If an attack is detected, an alert is issued to the DaMask-M module, along with the packet. If the attack type is new, analysis is made on the Technologies 2019, 7, 19 11 of 24 packet to update the detection model. The DaMask-M module performs two operations: countermeasure selection and log generation. WhenDaMask-D an attack alert uses is anomaly-detection received, a countermeasure for attack detection.is selected If to an react. attack By isde detected,fault, the ancountermeasure alert is issued tois to the drop DaMask-M attack packets. module, Other along operations with the packet.which can If the be attackused are type forward is new, and analysis modify is for made advanced on the packetdefense to logic. update After the the detection countermeasure model. is selected, the policy is sent to the switch to take action. The attackThe packet DaMask-M with its module information performs is stored two operations:in the log database. countermeasure Figure 7 selection shows the and workflow log generation. of the WhenDaMask an system. attack alert is received, a countermeasure is selected to react. By default, the countermeasure is to dropThe DaMask attack packets. system Otherenables operations individual which defense can beme usedchanisms are forward to be applied and modify to individual for advanced user defensespaces in logic. the cloud After without the countermeasure affecting other is users selected, and thealso policy periodically is sent updates to the switch itself to address take action. the Theissues attack associated packet withwith itsdataset information shift. However, is stored init theintroduces log database. some Figure communication7 shows the overhead workflow and of therequires DaMask a few system. changes to the cloud service architecture.

FigureFigure 7. System 7. System workflow workflow [38]. [38 ].

The DaMask system enables individual defense mechanisms to be applied to individual user spaces in the cloud without affecting other users and also periodically updates itself to address the issues associated with dataset shift. However, it introduces some communication overhead and requires a few changes to the cloud service architecture.

5.3.5. Reinforcing Anti-DDoS Actions in Realtime (RADAR) Zheng et al. proposed a technique named reinforcing anti-DDoS action in realtime (RADAR), a real-time defense application built on commercial off-the-shelf (COTS) unmodified SDN switches to detect and defend against various flooding attacks through adaptive correlation analysis [39]. Attacks are detected by identifying certain attack features in suspicious flows. RADAR is an application built and placed in an SDN network. It has three main units; the collector unit, the detector unit and locator unit. The architecture of RADAR is shown in Figure8. The RADAR collector obtains rules, both static and dynamic, to extract information of suspicious flows and keeps them in the controller to enable the RADAR detector to be able to identify if there is an attack and also the RADAR locator to determine which flows contain the attacking traffic. It only extracts information about the flow when the flow is suspicious, that is, anomalies are detected in the flow. The RADAR detector is alerted by the collector and identifies attacks using correlative analysis of the patterns of the anomalous flows received from different switches. It is able to detect which paths carry attack traffic. It then signals the locator to accurately locate the attack traffic. Technologies 2018, 6, x FOR PEER REVIEW 12 of 24

5.3.5. Reinforcing Anti-DDoS Actions in Realtime (RADAR) Zheng et al. proposed a technique named reinforcing anti-DDoS action in realtime (RADAR), a real-time defense application built on commercial off-the-shelf (COTS) unmodified SDN switches to detect and defend against various flooding attacks through adaptive correlation analysis [39]. Attacks are detected by identifying certain attack features in suspicious flows. TechnologiesRADAR2019 ,is7, 19an application built and placed in an SDN network. It has three main units;12 ofthe 24 collector unit, the detector unit and locator unit. The architecture of RADAR is shown in Figure 8.

FigureFigure 8. RADAR 8. RADAR Architecture Architecture [39]. [39 ].

The RADAR locator uses an adaptive correlation analysis of the changes of flow statistics on each The RADAR collector obtains rules, both static and dynamic, to extract information of suspicious path and victim as detected by the detector. Traffic is tagged attack if the locator detects the rate of flows and keeps them in the controller to enable the RADAR detector to be able to identify if there is statistic change is consistent with aggregated flows on the victim link. The attack traffic is identified an attack and also the RADAR locator to determine which flows contain the attacking traffic. It only extractsand extracts information the source about and the destination flow when addresses the flow andis suspicious, attack traffic that is is, blocked. anomalies are detected in the flow.RADAR performance evaluation was conducted by the authors using both real hardware and simulationThe RADAR [40,41]. detector An advantage is alerted of the by systemthe collector is that an it doesd identifies not require attacks specialized using correlative switches, analysis it works ofwith the off-the-shelf patterns of SDNthe anomalous switches. However, flows received in the presencefrom different of a large switches. attack, communicationIt is able to detect overheads which pathscan increase carry attack greatly traffic. due toIt thethen number signals ofthe flow locator rules to being accurately used. locate the attack traffic. TheClosely RADAR related locator to the uses work an done adaptive the authors correlation of RADAR analysis are of [42 the–44 changes]. of flow statistics on each Inpath [42 and], the victim authors as detected proposed by a the traffic-engineering detector. Traffic modelis tagged to trackattack traffic if the sourcelocator ratedetects change the rate but ofrequires statistic major change changes is consistent in the wi SDNth aggregated switches and flows detects on the only victim link link. flooding. The attack Lee et traffic al. [43 is] identified proposed anda collaborative extracts the traffic-engineeringsource and destination model addresses to differentiate and attack between traffic is low-rate blocked. attacks and legitimate traffic.RADAR In [44], performance the authors presentedevaluation a was traffic-engineering conducted by the based authors analytical using framework both real hardware for defending and simulationlink-flooding [40,41]. attacks. An advantage of the system is that it does not require specialized switches, it works5.3.6. Softwarewith off-the-shelf Defined Anti-DDoS SDN switches. (SD-Anti-DDoS) However, in the presence of a large attack, communication overheads can increase greatly due to the number of flow rules being used. CloselyCui et al. related proposed to the a mechanismwork done the for authors defending of RADAR DDoS attacks are [42–44]. in SDNs. The mechanism, named softwareIn [42], defined the authors anti-DDoS proposed (SD-Anti-DDoS), a traffic-engineerin consists ofg model four modules: to track atraffic detection source trigger, rate change a detection but requiresmodule, major a traceback changes module in the and SDN a mitigationswitches and module detects [45 only]. Numerous link flooding. attack Lee mitigation et al. [43] schemes proposed had a collaborativebeen proposed traffic-engineering already but lacked model detection to methodsdifferentiate which between jump into low-rate action onlyattacks when and an attacklegitimate is in traffic.play. The In [44], authors the authors proposed presented a scheme a whichtraffic-engineering includes a trigger based mechanismanalytical framework for detection, for defending instead of link-floodingperiodically checking attacks. for attacks. Figure9 shows the workflow and component modules of the system. The attack detection trigger module controls the launching of the detection module. It uses 5.3.6.the packet_in Software abnormalDefined Anti-DDoS detection algorithm(SD-Anti-DDoS) message which is available only in SDN. The message contains relevant information about the ID of the switch and the reason why the packet is being sent to Cui et al. proposed a mechanism for defending DDoS attacks in SDNs. The mechanism, named the controller. software defined anti-DDoS (SD-Anti-DDoS), consists of four modules: a detection trigger, a The attack detection module is made up of a neural network model training stage and the real-time detection module, a traceback module and a mitigation module [45]. Numerous attack mitigation detection stage. It takes advantage of neural networks to differentiate legitimate traffic from malicious ones. Certain information of a flow is taken by the controller and the eigen values are taken and sent to the neural network for classification, whether it is legitimate or malicious. The back propagation neural network (BPNN) [46] is used to classify traffic flow accordingly. The neural network is trained at start-up using previously obtained extracted features. In the real-time detection stage, flow statistic messages about flows are sent to the controller by the switches. If the flow is considered to be malicious, Technologies 2018, 6, x FOR PEER REVIEW 13 of 24 schemesTechnologies had2019 been, 7, proposed 19 already but lacked detection methods which jump into action 13only of 24 when an attack is in play. The authors proposed a scheme which includes a trigger mechanism for detection, instead of periodically checking for attacks. Figure 9 shows the workflow and component modules its destination IP address is added to an attack list. If the malicious flow entries reach a pre-set upper of the system. threshold, an attack alert is generated.

FigureFigure 9. Workflow 9. Workflow and and components components [45]. [45].

TheThe attack attack detection traceback trigger module module works controls with the the detection launching module of the todetection trace the module. attack switch. It uses the packet_inThe switches abnormal in the detection attack path algorithm are found message using the which BPNN is modelavailable and only the whole in SDN. attack The path message is containslocated relevant using the information network topology, about the attacked ID of destination,the switch and markedthe reason attack why switches. the packet is being sent to the controller.The attack mitigation module begins operation when the attack path and source are found out. Traffic from the attack source is then blocked. The attack detection module is made up of a neural network model training stage and the real- The performance of the entire system and each module was implemented on the RYU [47] time detection stage. It takes advantage of neural networks to differentiate legitimate traffic from framework and evaluated by the authors using Mininet [48,49]. A critical advantage of this system is maliciousthat it onlyones. sends Certain an attackinformation trigger messageof a flow when is taken an attackby the is controller detected, reducingand the eigen CPU andvalues network are taken and loadsent used to the by theneural defense network mechanism for classification, when there is nowhether attack. it is legitimate or malicious. The back propagation neural network (BPNN) [46] is used to classify traffic flow accordingly. The neural network5.3.7. is Game trained Theoretical at start-up Holt-Winters using previously for Digital obta Signatureined extracted (GT-HWDS) features. In the real-time detection stage, flowDe statistic Assis et messages al. proposed about an flows independent are sent defense to the schemecontroller for softwareby the switches. defined networksIf the flow is considered(SDN) [50 to]. be Game malicious, Theoretical its Holt-Wintersdestination forIP address Digital Signature is added (GT-HWDS) to an attack combines list. If anthe independent malicious flow entriesdecision-making reach a pre-set model upper built threshol on gamed, an theory attack (GT) alert with is anomalygenerated. detection and identification from aThe Holt-Winters attack traceback for Digital module Signature works (HWDS) with systemthe detection [51,52]. Themodule defense to trace scheme the was attack proposed switch. to The switchesdefend in against the attack attacks path aimed are atfound the control using plane the BPNN of SDNs. model The system and the design whole and attack network path topology is located usingare the shown network in Figure topology, 10. attacked destination, and marked attack switches. The attack mitigation module begins operation when the attack path and source are found out. Traffic from the attack source is then blocked. The performance of the entire system and each module was implemented on the RYU [47] framework and evaluated by the authors using Mininet [48,49]. A critical advantage of this system is

Technologies 2018, 6, x FOR PEER REVIEW 14 of 24

that it only sends an attack trigger message when an attack is detected, reducing CPU and network load used by the defense mechanism when there is no attack.

5.3.7. Game Theoretical Holt-Winters for Digital Signature (GT-HWDS) De Assis et al. proposed an independent defense scheme for software defined networks (SDN) [50]. Game Theoretical Holt-Winters for Digital Signature (GT-HWDS) combines an independent decision-making model built on game theory (GT) with anomaly detection and identification from a Holt-Winters for Digital Signature (HWDS) system [51,52]. The defense scheme was proposed to defend against attacks aimed at the control plane of SDNs. The system design and network topology are shown in Figure 10. The system composes of three main parts; detection, identification and mitigation modules. The processes performed by these modules are done before data enters into the network making it Technologiesoperable 2019with, 7 any, 19 type of SDN setup. 14 of 24

Figure 10. System design [50]. Figure 10. System design [50]. The system composes of three main parts; detection, identification and mitigation modules. The HWDS system performs both the detection and information processes. The detection The processes performed by these modules are done before data enters into the network making it process uses a method that analyses seven parallel IP flow dimensions to characterize traffic. The operable with any type of SDN setup. dimensions analyzed are the entropy of the source and destination IP addresses and ports, bits per The HWDS system performs both the detection and information processes. The detection process second, packets per second and flows per second. The HWDS system creates a signature, known as uses a method that analyses seven parallel IP flow dimensions to characterize traffic. The dimensions the digital signature of network segment using flow analysis (DSNSF) for each analyzed dimension. analyzed are the entropy of the source and destination IP addresses and ports, bits per second, packets The signatures are compared with signatures of known attacks and if found to be similar, the per second and flows per second. The HWDS system creates a signature, known as the digital signature information and mitigation modules are activated. The information module relays information about of network segment using flow analysis (DSNSF) for each analyzed dimension. The signatures are the anomaly to both the network administrator and the mitigation module. compared with signatures of known attacks and if found to be similar, the information and mitigation The mitigation module uses the GT approach to take measures autonomously to mitigate the modules are activated. The information module relays information about the anomaly to both the attack. Calculations are made for an optimal defense strategy and the system performs the packet network administrator and the mitigation module. dropping and redirection to a honeypot for further analysis. The defense strategy is kept in play for The mitigation module uses the GT approach to take measures autonomously to mitigate the attack. an hour before the network resumes its normal operation mode. If another attack is detected within Calculations are made for an optimal defense strategy and the system performs the packet dropping and this period, a new defense strategy is calculated and the defense parameters will be updated. Only redirection to a honeypot for further analysis. The defense strategy is kept in play for an hour before packets with new source addresses are dropped or redirected to the honeypot. New sources are seen the network resumes its normal operation mode. If another attack is detected within this period, a new by the information module. defense strategy is calculated and the defense parameters will be updated. Only packets with new source addresses are dropped or redirected to the honeypot. New sources are seen by the information module. The HWDS system was compared with a Fuzzy-GADS (genetic algorithm with double strings) system [53] and was found to perform better with most of the tests. It works with known attacks hence new or modified attacks may not be detected. The framework of this system is related to what was proposed by [54] but is more precise in detection, employing a deeper search of signatures of attacks.

5.3.8. Detection and Defense Algorithms of Different Types of DDoS Attacks (DDAD) Yusof et al. proposed a DDoS detection and defense algorithm to defend against four types of attacks: UDP and TCP flooding, Smurf, and ping of death attacks [55]. The proposed detection algorithm checks if incoming traffic is normal or malicious. If packet arrival rate is greater than 100 packets/second, it is tagged malicious and will be dropped. A hybrid of Snort and IPTables is used by the defense system for deep packet inspection and to reduce incoming packet speed to protect Technologies 2018, 6, x FOR PEER REVIEW 15 of 24

The HWDS system was compared with a Fuzzy-GADS (genetic algorithm with double strings) system [53] and was found to perform better with most of the tests. It works with known attacks hence new or modified attacks may not be detected. The framework of this system is related to what was proposed by [54] but is more precise in detection, employing a deeper search of signatures of attacks.

5.3.8. Detection and Defense Algorithms of Different Types of DDoS Attacks (DDAD) Yusof et al. proposed a DDoS detection and defense algorithm to defend against four types of attacks: UDP and TCP flooding, Smurf, and ping of death attacks [55]. The proposed detection algorithm checks if incoming traffic is normal or malicious. If packet arrival rate is greater than 100 packets/second,Technologies 2019, 7, 19it is tagged malicious and will be dropped. A hybrid of Snort and IPTables is15 used of 24 by the defense system for deep packet inspection and to reduce incoming packet speed to protect the networkthe network in the in thepresence presence of an of anattack. attack. The The attacks attacks are are then then logged logged with with details details of of the the attack attack type, type, packetpacket size, size, severity severity of of the the attack, attack, duration duration of of the the attack, attack, and and attacker attacker source source address. address. Figure Figure 1111 showsshows thethe flow flow graph graph of of the the system. system. The The algorithm algorithm is is ye yett to to be be tested tested and and evaluated evaluated by the authors.

FigureFigure 11. 11.ProposedProposed design design flow flow [55]. [55 ].

5.4. Mitigation Only Mechanisms

Mitigation only schemes are designed to mitigate an attack. They assume attack detection is performed by an already existing algorithm.

5.4.1. VFence Jakaria et al. proposed a defense technique based on the network function virtualization (NFV) technology. VFence defends against attacks through a dynamic traffic filtering network [56]. The mechanism intercepts packets during an attack with the help of dynamic network agents. An overview of the system topology is shown in Figure 12. Technologies 2018, 6, x FOR PEER REVIEW 16 of 24

5.4. Mitigation Only Mechanisms Mitigation only schemes are designed to mitigate an attack. They assume attack detection is performed by an already existing algorithm.

5.4.1. VFence Jakaria et al. proposed a defense technique based on the network function virtualization (NFV) technology. VFence defends against attacks through a dynamic traffic filtering network [56]. The mechanism intercepts packets during an attack with the help of dynamic network agents. An overviewTechnologies 2019of the, 7, 19system topology is shown in Figure 12. 16 of 24

Figure 12. VFence defense topology [56]. Figure 12. VFence defense topology [56]. A dispatcher directs incoming traffic to an agent for processing. The distribution of packets is A dispatcher directs incoming traffic to an agent for processing. The distribution of packets is based on a dynamic agent assignment algorithm, which is performed in conformity with a forwarding based on a dynamic agent assignment algorithm, which is performed in conformity with a table. The forwarding table maps flows to handling agents and is updated each time a flow is forwarding table. The forwarding table maps flows to handling agents and is updated each time a established, expires or ends. Agents are deployed or retired based on the network flow. Agents are flow is established, expires or ends. Agents are deployed or retired based on the network flow. Agents added or deleted from the mapping as and when necessary. The agent, a dynamically created packet are added or deleted from the mapping as and when necessary. The agent, a dynamically created handler, filters out traffic with spoofed source IPs or known attack IPs and forwards legitimate traffic packet handler, filters out traffic with spoofed source IPs or known attack IPs and forwards legitimate to the destination. The agents can also act as a dynamic firewall to drop suspicious flows. The agents traffic to the destination. The agents can also act as a dynamic firewall to drop suspicious flows. The relay information on their utilization, termination, and completion of connections to the dispatcher for agents relay information on their utilization, termination, and completion of connections to the forwarding table updates. The number of active agents in the system at each point in time is dependent dispatcher for forwarding table updates. The number of active agents in the system at each point in on the flow of incoming packets. The higher the flow, the more the agents. The dispatchers and agents time is dependent on the flow of incoming packets. The higher the flow, the more the agents. The are virtualized network functions (VNF). A load balancing algorithm is used in directing packets to dispatchers and agents are virtualized network functions (VNF). A load balancing algorithm is used agents to evenly distribute the load among the agents and to avoid having a more than necessary in directing packets to agents to evenly distribute the load among the agents and to avoid having a number of agents. The system however, introduces a delay in the network more than necessary number of agents. The system however, introduces a delay in the network 5.4.2. Moving Target Defense Mechanism Against (MOTAG) Internet DDoS 5.4.2. Moving Target Defense Mechanism Against (MOTAG) Internet DDoS Wang et al. proposed MOTAG, a moving target defense mechanism against internet DDoS attacksWang [57]. et The al. mechanismproposed MOTAG, defends against a moving DDoS target attacks defense by employing mechanism dynamic against proxies internet to transmit DDoS attackstraffic between[57]. The authenticatedmechanism defends servers against and clients.DDoS attacks The scheme by employing was aimed dynamic at protecting proxies to sensitivetransmit trafficonline between services againstauthenticated attacks. servers Clients and are clients. shuffled The across scheme hidden was aimed proxies, at thatprotecting is, proxies sensitive with onlineIP addresses services known against to attacks. only legitimate Clients are clients, shuffled in the across event hidden of an attackproxies, using that ais, greedy proxies algorithm. with IP addressesThe system known architecture to only of legitimate MOTAG is clients, shown in Figurethe event 13. of The an authors attack using assumed a greedy that using algorithm. an effective The systemauthentication architecture scheme of MOTAG eliminates is shown the possibility in Figure of 13. attacks The authors from outside assumed sources that andusing so an the effective system authenticationwas designed to scheme counter eliminates attacks from the authenticatedpossibility of clients.attacksAn from external outside attack sources means and an so insider the system made wasknown designed a node to address counter toattacks an external from authenticated source for an cl attack,ients. An thus, external isolating attack and means blocking an insider that insider made knowndeals with a node the attack.address Each to an authenticated external source client for is an randomly attack, giventhus, isolating an active and proxy blocking node and that sees insider only the IP address of the proxy node assigned to it. MOTAG comprises four main inter-connected units; the authentication server, the filter ring, the proxy nodes and the application server. The application server is the provider of the online service to be protected. The authentication server gives out a token for every client-to-proxy session and limits the client’s throughput to a specific number of packets per session, which helps to detect the presence of an attack. Cryptographic puzzles must be solved by clients before they are authenticated. When an attack is ongoing, an additional number of nodes are created. All the nodes are grouped under either serving proxy nodes or shuffling proxy nodes. Serving nodes are relatively unchanging, providing service to known innocent users. Shuffling nodes are shuffled between suspicious clients and are replaced if TechnologiesTechnologies2019 2018, ,7 6,, 19 x FOR PEER REVIEW 1717 ofof 2424

deals with the attack. Each authenticated client is randomly given an active proxy node and sees only foundthe IP toaddress be under of the attack. proxy Shuffling node assigned is done to till it. the MOTAG malicious comprises clients four are found main inter-connected out. The main idea units; is thatthe authentication since the suspicious server, clients the filter are beingring, the moved proxy around nodes differentand the application nodes with server. different The IP application addresses, ifserver a new isnode the provider is attacked, of the the online insider service can only to be connectedprotected. to the new node. Shuffles are done till the actual malicious client is pinpointed.

FigureFigure 13. 13. MOTAGMOTAG Architecture Architecture [57]. [57 ].

ShufflingThe authentication and pairing server will becomegives out huge a token if there for areevery a lot client-to-proxy of clients assigned session to and a proxy limits node. the Attacksclient’s throughput from external to sourcesa specific cannot number be of fully packets prevented per session, and an which attack helps will to go detect on for the a long presence period of unyilan attack. offending Cryptographic client(s) arepuzzles pinpointed. must be Computing solved by clients capacity before and they bandwidth are authenticated. is reserved When to meet an needsattack ofis proxyongoing, nodes an additional as well as number to provide of nodes sufficient are capacitycreated. All to createthe nodes a large are numbergrouped of under additional either proxyserving nodes. proxy MOTAG nodes or is shuffling only capable proxy of nodes. mitigating Serving network nodes floodingare relatively attacks unchanging, on Internet providing services thatservice mandate to known client innocent authentication. users. Shuffling It is not suitable nodes are for securingshuffled openbetween Internet suspicious services clients designed and forare anonymousreplaced if found users. to be under attack. Shuffling is done till the malicious clients are found out. The mainNevertheless, idea is that since MOTAG the suspicious is resistant clients to brute-force are being moved attacks around from outsidersdifferent nodes due to with the different hidden proxyIP addresses, nodes. if a new node is attacked, the insider can only be connected to the new node. Shuffles are done till the actual malicious client is pinpointed. 5.4.3. Catch Me If You Can (CMIYC) Shuffling and pairing will become huge if there are a lot of clients assigned to a proxy node. AttacksJia et from al. proposed external asources cloud-enabled cannot movingbe fully targetpreven defenseted and system an attack based will on shuffling.go on for Thea long approach period usesunyil server offending replication client(s) and clientare pinpointed. reassignment Computin to make victimg capacity servers and moving bandwidth targets tois isolatereserved attacks to meet [58]. Theneeds scheme of proxy improves nodes onas well concepts as to proposed provide sufficient by the authors capacity ofMOTAG to create [a57 large]. During number an attack,of additional server replicationproxy nodes. is done MOTAG quickly is andonly selectively capable of in mitigating the cloud. Thenetwork attacked flooding servers attacks are replaced on Internet with the services replicated that serversmandate and client are taken authentication. offline after It clients is not are suitable moved for to thesecuring replica open servers. Internet The network services locations designed of thefor replicaanonymous servers users. are only known to the clients assigned to them. Shuffling of the servers is done when attackersNevertheless, attack the replicaMOTAG servers is resistant as well to to brute-force determine theattacks malicious from clients.outsiders A greedydue to the algorithm hidden is proxy used innodes. the shuffling process. The architecture of the mechanism is shown in Figure 14. A load balancer connects every new client to an active replica server using any assignment algorithm.5.4.3. Catch Replica Me If You servers Can admit(CMIYC) only the clients whose IP addresses are confirmed by the referring load balancer. During an attack, replacement replica servers are created across the cloud in different Jia et al. proposed a cloud-enabled moving target defense system based on shuffling. The locations and reassignment of clients is done. After reassignment is done, the attacked servers are approach uses server replication and client reassignment to make victim servers moving targets to taken offline and reused. Reassignment of clients to replica servers is done till the attacking clients are isolate attacks [58]. The scheme improves on concepts proposed by the authors of MOTAG [57]. isolated to one replica server. The coordination server keeps the entire state of the defense system and During an attack, server replication is done quickly and selectively in the cloud. The attacked servers controls real-time actions against the attacks. It is responsible for running the shuffling algorithm and are replaced with the replicated servers and are taken offline after clients are moved to the replica computing the optimal shuffling plan. servers. The network locations of the replica servers are only known to the clients assigned to them. Shuffling of the servers is done when attackers attack the replica servers as well to determine the

Technologies 2018, 6, x FOR PEER REVIEW 18 of 24 malicious clients. A greedy algorithm is used in the shuffling process. The architecture of the mechanismTechnologies is shown2019, 7, 19 in Figure 14. 18 of 24

Figure 14. System architecture [58]. Figure 14. System architecture [58]. The system was evaluated with simulation with MATLAB as well as a prototype implemented Ausing load the balancer Amazon connects EC2 [59] asevery a coordination new client server. to an The active system replica is very server effective using on attacks any assignment aimed at algorithm.static Replica locations servers and from admit naïve only bots. the However, clients thewhose system IP introducesaddresses someare confirmed amount of by latency the referring in the load balancer.network. During Also, latter an shufflesattack, replacement separate bots fromreplic benigna servers users are less created effectively across than the early cloud shuffles. in different locations and reassignment of clients is done. After reassignment is done, the attacked servers are 5.4.4. MultiQ taken offline and reused. Reassignment of clients to replica servers is done till the attacking clients are isolatedLim to one et al. replica proposed server. a scheduling-based The coordination architecture server keeps for the the controller entire state in SDNsof the fordefense continued system and controlsoperation real-time in the presence actions ofagainst an attack the [attacks.60]. The It assumption is responsible was thatfor running the attacker the doesshuffling not know algorithm the and computingexact location the oroptimal IP address shuffling of the SDNplan. controller and therefore floods a known server to overwhelm the controller. The proposed scheme, known as MultiQ, simply modifies the controller model to divide The system was evaluated with simulation with MATLAB as well as a prototype implemented the single request processing queue into a number of logical queues, each corresponding to a flow using the Amazon EC2 [59] as a coordination server. The system is very effective on attacks aimed at switch. The queues are then served with a scheduling algorithm. The proposed scheme was compared static locationswith two others, and from Static naïve and SingleQ bots. However, and found the to perform system better. introduces However, some the amount system may of latency be crippled in the network.if the Also, attack latter is generated shuffles from separate different bots networks. from benign users less effectively than early shuffles.

5.4.4. MultiQ5.4.5. An Effective DDoS Defense Scheme for SDN (EDSS) Lim etHuang al. proposed et al. proposed a scheduling-based a defense scheme architecture to protect thefor controllerthe controller in an in SDN SDNs from for attack continued [61]. operationThe systemin the presence predicts the of numberan attack of new[60]. requests The assumption based on the was Taylor that seriesthe attacker and directs does requests not know with the a prediction value beyond a previously set threshold to a security gateway. Rules are set in the security exact location or IP address of the SDN controller and therefore floods a known server to overwhelm gateway and requests that cause a drastic decrease in entropy are filtered out. The rules are sent to the controller. The proposed scheme, known as MultiQ, simply modifies the controller model to the controller, which in turn forwards them to each switch to direct flows consistent with the rules to dividea the honeypot. single request The system processing architecture queue is shown into a in number Figure 15 of. logical queues, each corresponding to a flow switch.Upon The arrival queues of aare packet then at served the Openflow with a switch, scheduling a check algorithm. is made for The rules proposed matching thescheme packet. was comparedIf there with is a ruletwo matchingothers, Static the packet, and actionSingleQ is taken and accordingly,found to perform else the packetbetter. is However, sent to the controllerthe system may beif crippled the prediction if the valueattack is is below generated the threshold from different or to the networks. security gateway if above the threshold. The security gateway determines if there is an attack or not by entropy and known attack patterns. 5.4.5. An Effective DDoS Defense Scheme for SDN (EDSS) Huang et al. proposed a defense scheme to protect the controller in an SDN from attack [61]. The system predicts the number of new requests based on the Taylor series and directs requests with a prediction value beyond a previously set threshold to a security gateway. Rules are set in the security gateway and requests that cause a drastic decrease in entropy are filtered out. The rules are sent to

Technologies 2018, 6, x FOR PEER REVIEW 19 of 24

Technologiesthe controller,2019, 7, 19 which in turn forwards them to each switch to direct flows consistent with the rules to19 of 24 a honeypot. The system architecture is shown in Figure 15.

FigureFigure 15.15. SystemSystem architecture architecture [61]. [61].

6. DiscussionUpon arrival of a packet at the Openflow switch, a check is made for rules matching the packet. If there is a rule matching the packet, action is taken accordingly, else the packet is sent to the controllerA number if ofthe defenseprediction mechanisms value is below have the been threshold discussed or to in the the security previous gateway section. if above Table 1the shows a summarythreshold. of evaluationsThe security conductedgateway determines by the various if there authors is an attack on their or not proposed by entropy mechanisms. and known Theattack absence of a standardpatterns. set of comparison metrics informed our decision to select some metrics to better have a fair comparison. Five performance metrics were chosen and we define them below. 6. Discussion A number of defense mechanismsTable have 1. Comparison been discu ofssed techniques in the previous section. Table. 1 shows a

summary of evaluations conducted by Detectionthe variou Rates authorsBenign on Packet their proposed mechanisms. The Defensive Mechanism Scalability Precision Overhead Cost absence of a standard set of comparison metrics(Accuracy) informed our decisionLoss to select some metrics to better have aSDM-P fair comparison. [6] D Five performance LOW metrics GOOD were chosen N/A and we define N/A them below. MEDIUM 1. Scalability: Scalability is the ability of the defense mechanisms to function effectively in the DDPM [10] T MEDIUM N/A N/A LOW MEDIUM event where there is an increase in attack traffic and attackers. 2.TDFA Detection [14] DM rate (Accuracy): N/A Accuracy is N/A the ability of the N/A attack detection N/A system to MEDIUM correctly CS_DDoSdetect [19 the] DM presence or GOOD absence of an attack, HIGH that is, the N/Atrue positives HIGHand negatives. MEDIUM AL_DDoS3. Benign Def. [packet22] DM loss: Benign GOOD packet loss GOOD is the number of N/A benign packets GOOD lost during an N/A attack. DaMask4. Precision: [24] DM Precision of N/A the system is GOOD the ability of the N/A system to detect N/A the presence HIGH of an attack (true positives) consistently. RADAR [25] DM MEDIUM HIGH N/A N/A LOW 5. Overhead cost: The overhead cost is the additional computational or communication cost the SD Anti-DDoS [31] DM N/A HIGH N/A GOOD LOW defense system adds to the network. GT-HWDSD is used [36 to] DMindicate detect MEDIUMion mechanisms HIGH in the table, N/AT is used for traceback, GOOD M is used N/A for mitigation,DDAD [and41] DMDM is used for N/A detection and N/Amitigation mechanisms. N/A N/A N/A TheVFence metrics [42] Mchosen provide N/A an idea of how N/A seamless the defense LOW mechanism N/A can be incorporated N/A into alreadyMOTAG existing [43] M systems LOWand networks whilst N/A still being effective. LOW Any network N/A security highdefense mechanism should be able to cope with a large data set over a large network with many connected CMIYC [44] M GOOD N/A LOW N/A LOW devices, should have a high success rate in ensuring the network is secure, should ensure legitimate MultiQ [46] M N/A N/A MEDIUM N/A N/A

EDSS [47] M N/A HIGH LOW HIGH N/A

1. Scalability: Scalability is the ability of the defense mechanisms to function effectively in the event where there is an increase in attack traffic and attackers. Technologies 2019, 7, 19 20 of 24

2. Detection rate (Accuracy): Accuracy is the ability of the attack detection system to correctly detect the presence or absence of an attack, that is, the true positives and negatives. 3. Benign packet loss: Benign packet loss is the number of benign packets lost during an attack. 4. Precision: Precision of the system is the ability of the system to detect the presence of an attack (true positives) consistently. 5. Overhead cost: The overhead cost is the additional computational or communication cost the defense system adds to the network.

D is used to indicate detection mechanisms in the table, T is used for traceback, M is used for mitigation, and DM is used for detection and mitigation mechanisms. The metrics chosen provide an idea of how seamless the defense mechanism can be incorporated into already existing systems and networks whilst still being effective. Any network security defense mechanism should be able to cope with a large data set over a large network with many connected devices, should have a high success rate in ensuring the network is secure, should ensure legitimate users are still able to have access to resources even in the event of an attack and should ensure there is no or negligible slowdown in the network. In view of these requirements, these five metrics were chosen. Scalability gives an idea of how the proposed system will cope if employed in a real-world scenario with a large network and multiple devices, as well as multiple attack sources. Scalability is an important metric which determines how effective or not a solution will be when adopted. Accuracy of the system helps to determine how correctly the system will detect the presence or absence of an attack. An inaccurate system will raise a lot of false alarms of an attack and will also not always detect an attack, making attack traffic flow through the system unnoticed. Benign packet loss provides information on how much benign packers are lost during an attack. One important reason for employing a DDoS defense mechanism is to ensure legitimate users have access to the network or service. Having a lot of lost benign traffic means a lot of retransmissions or requests from legitimate users or an inability of the requests to be processed, ultimately inconveniencing them. Precision helps to determine the consistency of the system in detecting the presence of an attack. The more consistent a system is, the easier it is to predict its effectiveness in managing an attack. Changes to the system to improve on its capabilities can also be done in future easily when it performs functions consistently. Overhead costs introduce some latency in the network. Most end users (legitimate users) accessing a network or service are interested in how quickly they can have their requests processed. Having a noticeable lag in the network inconveniences the end user. Evaluation of defense schemes with respect to the metrics chosen was done with information provided by the authors of the respective schemes in their published papers. The tests and results in these papers provided an idea of how the schemes performed with respect to the metrics chosen. However, not much information was provided for some schemes, making it impossible to evaluate them with respect to certain metrics. Also, defense mechanisms which were not tested were not given any evaluation report. A good detection or traceback mechanism should be quick to react, highly accurate, and precise in detecting an attack and should be able to perform effectively in the presence of large attack traffic. Traceback mechanisms should also be able to trace the attack back as close to the attack source or sources as possible. A good mitigation solution should have very low benign packets lost and should perform effectively in the presence of large volumes of attack traffic. Additionally, all defense mechanisms should have low overheads to avoid degrading the network further in the presence of an attack. Based on the results provided by the authors, we realized that the overhead costs for detection and traceback was significant and had impact on the network. RADAR, SD-Anti-DDoS, and CMIYC were found to have the lowest overhead costs to the network. Scalability was found to be generally medium for most of the systems, though more real-world tests would have to be conducted to concretely Technologies 2019, 7, 19 21 of 24 determine. Detection rates, precision, and benign packet loss were found to be generally acceptable across board. Further optimization needs to be done to reduce overhead costs for the mechanisms. Defense mechanisms need to have low computational and communication costs on the network as this would determine how fast the defense mechanism would operate in the event of an attack. A mechanism which is fast in communication alerts all necessary systems in the defense process quickly enough to prevent a creation of a time-gap, in which attack traffic can cause some damage before it is stopped. Scalability is also an issue which needs to be addressed further. With the increasing rates, volume and number of bots used in attacks, defense mechanisms should be able to perform effectively in the presence of a large attack. This is necessary to prevent an attack from overwhelming the defense mechanism to the point of ineffectiveness or increased degradation to the network, in which case the DDoS would have been successful. To be able to come up with a robust defense system, scalability and overhead costs should be optimized for real-world situations, since these metrics would determine how practical a solution is.

7. Conclusions With the increase in the scale, sophistication, and volume of modern-day DDoS attacks, it is important that more research is conducted to come up with very robust defenses to combat attacks. We have discussed the current DDoS defense mechanisms in this paper. We classified the defense mechanisms according to the main functions they perform, that is, detection, traceback, mitigation, and detection and mitigation. We also discussed their strengths and weaknesses. We found out that most of the solutions struggle with scalability and may not be able to perform effectively in the real world, considering the increased volume of attack bots and traffic involved in modern attacks. Most of the current solutions also added some significant extra computation and communication overhead to the network, which would have an impact on the network, possibly slowing it down some more, in a real-world scenario with large volumes of attack traffic. A comparison was made of the various mechanisms, however, not all solutions had results for the necessary metrics we used in the comparison. For such mechanisms, more test will have to be conducted to determine their actual performance based on the metrics we chose. Overall, most of the defense solutions reviewed performed acceptably well and more research should go into making them perform better, especially for a real-world scenario.

Author Contributions: Conceptualization, S.D.K. and E.T.T.; methodology, S.D.K. and E.T.T.; formal analysis, S.D.K., E.T.T. and J.D.G.; writing—original draft preparation, S.D.K.; writing—review and editing, S.D.K., E.T.T. and J.D.G.; supervision, E.T.T. and J.D.G. Funding: The APC was partially funded by stipend payments from the TWAS-ENEA Post-Doctoral Training Programme. Acknowledgments: This work forms part of a research project on Cloud-Based Integration Solution for Electricity Transmission in Ghana. The supervisor of this project is grateful to the Dr. Maria Valenti of ENEA Portici Research Centre and the TWAS-ENEA Post-Doctoral Training Programme for creating the platform to enable the main supervisor on this project share ideas with EU researchers. Conflicts of Interest: The authors declare no conflict of interest.

References

1. Internet World Stats. Available online: https://www.internetworldstats.com/stats (accessed on 12 October 2018). 2. Grance, T.; Kent, K.; Kim, B. NIST Computer Security Incident Handling Guide; Special Publication (NIST SP): Gaithersburg, MD, USA, 2004. 3. What Does DDoS mean? Imperva Incapsula Publication. Available online: https://www.incapsula.com/ ddos/denial-of-service (accessed on 12 October 2018). Technologies 2019, 7, 19 22 of 24

4. Wired. Available online: https://www.wired.com/story/github-ddos-memcached (accessed on 10 October 2018). 5. NETSCOUT. Available online: https://asert.arbornetworks.com/netscout-arbor-confirms-1-7-tbps-ddos- attack-terabit-attack-era-upon-us (accessed on 17 October 2018). 6. Zargar, S.T.; Joshi, J.; Tipper, D. A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks. IEEE Commun. Surv. Tutor. 2013, 15, 2046–2069. [CrossRef] 7. Carlin, A.; Hammoudeh, M.; Aldabbas, O. Defence for Distributed Denial of Service Attacks in Cloud Computing. Procedia Comput. Sci. 2015, 73, 490–497. [CrossRef] 8. Deshmukh, R.V.; Devadkar, K.K. Understanding DDoS Attack & Its Effect in Cloud Environment. Procedia Comput. Sci. 2015, 49, 202–210. [CrossRef] 9. Somani, G.; Gaur, M.S.; Sanghi, D.; Conti, M.; Buyya, R. DDoS attacks in cloud computing: Issues, taxonomy, and future directions. Comput. Commun. 2017, 107, 30–48. [CrossRef] 10. Mahjabin, T.; Xiao, Y.; Sun, G.; Jiang, W. A survey of distributed denial-of-service attack, prevention, and mitigation techniques. Int. J. Distrib. Sens. Netw. 2017, 13. [CrossRef] 11. Kalkan, K.; Gur, G.; Alagoz, F. Defense Mechanisms Against DDoS Attacks in SDN Environment. IEEE Commun. Mag. 2017, 55, 175–179. [CrossRef] 12. Zare, H.; Azadi, M.; Olsen, P. Techniques for Detecting and Preventing Denial of Service Attacks (a Systematic Review Approach). In Advances in Intelligent Systems and Computing—In Information Technology-New Generations; Springer: Cham, Switzerland, 2018; Volume 558, pp. 151–157. 13. Booters, Stressers and DDoSERS. Imperva Incapsula Publication. Available online: https://www.incapsula. com/ddos/booters-stressers-ddosers.html (accessed on 17 October 2018). 14. Santanna, J.J.; van Rijswijk-Deij, R.; Hofstede, R.; Sperotto, A.; Wierbosch, M.; Granville, L.Z.; Pras, A. Booters—An analysis of DDoS-as-a-service attacks. In Proceedings of the 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), Ottawa, ON, Canada, 11–15 May 2015. 15. Imperva Incapsula. Available online: https://www.incapsula.com/ddos/ddos-attack-scripts.html (accessed on 10 October 2018). 16. Wang, H.; Zhang, D.; Shin, K.G. Detecting SYN flooding attacks. In Proceedings of the Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies, New York, NY, USA, 23–27 June 2002; Volume 3. 17. Criscuolo, P.J. Distributed Denial of Service Trin00, Tribe Flood Network, Tribe Flood Network 2000, And Stacheldraht. Department of Energy Computer Incident Advisory Capability Report, Feb 14, 2000. Available online: https://e-reports-ext.llnl.gov/pdf/237595.pdf (accessed on 10 October 2018). 18. Kumar, S. Smurf-based distributed denial of service (ddos) attack amplification in internet. In Proceedings of the Second International Conference on Internet Monitoring and Protection, San Jose, CA, USA, 1–5 July 2007. 19. Elleithy, K.M.; Blagovic, D.; Cheng, W.; Sideleau, P. Denial of Service Attack Techniques: Analysis, Implementation and Comparison. J. Syst. 2006, 3, 66–71. 20. Anagnostopoulos, M.; Kambourakis, G.; Kopanos, P.; Louloudakis, G.; Gritzalis, S. DNS amplification attack revisited. Comput. Secur. 2013, 39, 475–485. [CrossRef] 21. Park, P.; Yoo, S.; Ryu, H.; Park, J.; Kim, C.H.; Choi, S.I.; Ryou, J. A Service-Oriented DDoS Detection Mechanism Using Pseudo State in a Flow Router; Springer: Cham, Switzerland, 2014. 22. Shon, T.; Kim, Y.; Lee, C.; Moon, J. A machine learning framework for network anomaly detection using SVM and GA. In Proceedings of the 6th Annual IEEE SMC System, Man and Cybernetics Information Assurance Workshop, West Point, NY, USA, 15–17 June 2005; pp. 176–183. [CrossRef] 23. Tanachaiwiwiat, S.; Hwang, K. Differential packet filtering against DDoS flood attacks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), Los Angeles, CA, USA, 19 May 2003. 24. Lau, F.; Rubin, S.H.; Smith, M.H.; Trajkovic, L. Distributed Denial of Service Attacks. In Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, Nashville, TN, USA, 8–11 October 2000; Volume 3, pp. 2275–2280. [CrossRef] 25. Yu, S.; Zhou, W.; Guo, S.; Guo, M. A Dynamical Deterministic Packet Marking Scheme for DDoS Traceback. In Proceedings of the IEEE Global Communications Conference (GLOBECOM), Atlanta, GA, USA, 9–13 December 2013; pp. 729–734. [CrossRef] 26. Belenky, A.; Ansari, N. Ip traceback with deterministic packet marking. IEEE Commun. Lett. 2003, 7, 162–164. [CrossRef] Technologies 2019, 7, 19 23 of 24

27. Jin, G.; Yang, J. Deterministic packet marking based on redundant decomposition for IP traceback. IEEE Commun. Lett. 2006, 10, 204–206. [CrossRef] 28. Xiang, Y.; Zhou, W.; Guo, M. Flexible deterministic packet marking: An IP traceback system to find the real source of attacks. IEEE Trans. Parallel Distrib. Syst. 2009, 20, 567–580. [CrossRef] 29. Foroushani, V.A.; Zincir-Heywood, A.N. TDFA: Traceback-based Defense against DDoS Flooding Attacks. In Proceedings of the IEEE International Conference on Advanced Information Networking and Applications, Victoria, BC, Canada, 13–14 May 2014; pp. 597–604. [CrossRef] 30. Foroushani, V.A.; Zincir-Heywood, A.N. IP traceback through (authenticated) deterministic flow marking: An empirical evaluation. EURASIP J. Inf. Secur. 2013, 2013, 5. [CrossRef] 31. Chen, S.; Song, Q. Perimeter-based defense against high bandwidth DDoS attacks. IEEE Trans. Parallel Distrib. Syst. 2005, 16, 526–537. [CrossRef] 32. Yaar, A.; Perrig, A.; Song, D. StackPi: New packet marking and filtering mechanisms for DDoS and IP Spoofing Defense. IEEE J. Sel. Areas Commun. 2006, 24, 1853–1863. [CrossRef] 33. Chen, Y.; Shantanu, D.; Pulak, D. Detecting and preventing IP-spoofed distributed DoS attacks. Int. J. Netw. Secur. 2008, 7, 69–80. 34. Sahi, A.; Lai, D.; Li, Y.; Diykh, M. An Efficient DDoS TCP Flood Attack Detection and Prevention System in a Cloud Environment. IEEE Access 2017, 5, 6036–6048. [CrossRef] 35. Hameed, A.A.; Karlik, B.; Salman, M.S. Back-propagation algorithm with variable adaptive momentum. Knowl. Based Syst. 2016, 114, 79–87. [CrossRef] 36. Zhou, W.; Jia, W.; Wen, S.; Xiang, Y.; Zhou, W. Detection and defense of application-layer DDoS attacks in backbone web traffic. Future Gener. Comput. Syst. 2013, 38, 36–46. [CrossRef] 37. Broder, A.; Mitzenmacher, M. Network applications of bloom filters: A survey. Internet Math. 2004, 1, 485–509. [CrossRef] 38. Wang, B.; Zheng, Y.; Lou, W.; Hou, T.Y. DDoS attack protection in the era of cloud computing and Software-Defined Networking. Comput. Netw. 2015, 81, 308–319. [CrossRef] 39. Zheng, J.; Li, Q.; Gu, G.; Cao, J.; Yau, D.K.Y.; Wu, J. Realtime DDoS Defense Using COTS SDN Switches via Adaptive Correlation Analysis. IEEE Trans. Inf. Forensics Secur. 2018, 13, 1838–1853. [CrossRef] 40. Caida. Available online: https://www.caida.org/data/passive/trace_stats/chicago-B/2015/?monitor= 20150219-130000.UTC (accessed on 17 October 2018). 41. Project Floodlight. Available online: https://www.projectfloodlight.org/floodlight (accessed on 17 October 2018). 42. Kang, S.K.; Gligor, V.D.; Sekar, V. SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks. In Proceedings of the Internet Society—Networks, Distributed Systems and Security Symposium, San Diego, CA, USA, 21–24 February 2016. 43. Lee, S.B.; Kang, S.M.; Gligor, V.D. CoDef: Collaborative Defense Against Large-scale Link-flooding Attacks. In Proceedings of the ACM International Conference on Emerging Networking Experiments and Technologies, Santa Barbara, CA, USA, 9–12 December 2013; pp. 417–428. [CrossRef] 44. Liaskos, C.; Kotronis, V.; Dimitropoulos, X. A Novel Framework for Modeling and Mitigating Distributed Link Flooding Attacks. In Proceedings of the IEEE International Conference on Computer Communications, San Francisco, CA, USA, 10–14 April 2016; pp. 1–9. [CrossRef] 45. Cui, Y.; Yan, L.; Li, S.; Xing, H.; Pan, W.; Zhu, J.; Zheng, X. SD-Anti-DDoS: Fast and Efficient DDoS Defense in Software-Defined Networks. J. Netw. Comput. Appl. 2016, 68, 65–79. [CrossRef] 46. Rumelhart, D.E.; Hinton, G.E.; Williams, R.J. Learning representations by back-propagating errors. Nature 1986, 323, 533–536. [CrossRef] 47. Ryu SDN Framework. Available online: http://osrg.github.io/ryu/ (accessed on 17 October 2018). 48. Mininet: An Instant Virtual Network on Your Laptop. Available online: http://mininet.org/ (accessed on 17 October 2018). 49. Lantz, B.; Heller, B.; McKeown, N. A network in a laptop: Rapid prototyping for software-defined networks. In Proceedings of the ACM SIGCOMM Workshop on Hot Topics in Networks, Monterey, CA, USA, 20–21 October 2010. [CrossRef] 50. De Assis, M.V.O.; Hamamoto, A.H.; Abrão, T.; Proença, L. A Game Theoretical Based System Using Holt-Winters and Genetic Algorithm with Fuzzy Logic for DoS/DDoS Mitigation on SDN Networks. IEEE Access 2017, 5, 9485–9496. [CrossRef] Technologies 2019, 7, 19 24 of 24

51. De Assis, M.V.O.; Rodrigues, J.; Proença, M.L. A novel anomaly detection system based on seven-dimensional flow analysis. In Proceedings of the IEEE Global Telecommunications Conference, Atlanta, GA, USA, 9–13 December 2013; pp. 735–740. [CrossRef] 52. De Assis, M.V.O.; Rodrigues, J.; Proença, M.L. A seven-dimensional flow analysis to help autonomous network management. Inf. Sci. 2014, 278, 900–913. [CrossRef] 53. Hamamoto, A.H.; Carvalho, L.F.; Proença, M.L. ACO and GA metaheuristics for anomaly detection. In Proceedings of the International Conference of the Chilean Computer Science Society, Santiago, Chile, 9–13 November 2015; pp. 1–6. [CrossRef] 54. Bedi, H.; Roy, S.; Shiva, S. Game theory-based defense mechanisms against DDoS attacks on TCP/TCP-friendly flows. In Proceedings of the IEEE Symposium on Computer Intelligence in Cyber Security, Paris, France, 11–15 April 2011; pp. 129–136. [CrossRef] 55. Mohd, A.M.Y.; Fakariah, H.M.A.; Darus, M. Detection and Defense Algorithms of Different Types of DDoS Attacks Using Machine Learning. In Computational Science and Technology; Springer: Singapore, 2018; pp. 370–379. 56. Jakaria, A.H.M.; Rashidi, B.; Rahman, M.; Fung, C.; Wei, Y. Dynamic DDoS Defense Resource Allocation using Network Function Virtualization. In Proceedings of the ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, Scottsdale, AZ, USA, 24 March 2017. [CrossRef] 57. Wang, H.; Jia, Q.; Fleck, D.; Powell, W.; Li, F.; Stavrou, A. A moving target DDoS defense mechanism. Comput. Commun. 2014, 46, 10–21. [CrossRef] 58. Jia, Q.; Wang, H.; Fleck, D.; Li, F.; Stavrou, A.; Powell, W. Catch Me if You Can: A Cloud-Enabled DDoS Defense. In Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks, Atlanta, GA, USA, 23–26 June 2014; pp. 264–275. [CrossRef] 59. Amazon Web Services. Available online: http://aws.amazon.com (accessed on 20 October 2018). 60. Lim, S.; Yang, S.; Kim, Y.; Yang, S.; Kim, H. Controller scheduling for continued SDN operation under DDoS attacks. Electron. Lett. 2015, 51, 1259–1261. [CrossRef] 61. Huang, X.; Du, X.; Song, B. An Effective DDoS Defense Scheme for SDN. In Proceedings of the IEEE International Conference on Communications (ICC), Paris, France, 21–25 May 2017; pp. 1–6. [CrossRef]

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).