Distributed Denial of Service (DDoS) attacks have become one of the largest problems for computer users connected to the Internet. DDoS attackers hijack secondary victim computers and use them to wage large-scale attacks against primary victim computers. New tools are continually being developed to mitigate DDoS attacks, but attackers constantly develop new techniques to circumvent them. In this paper I discuss how such an attack is established, outline the communication layers involved, describe possible ways of tracing the attackers, and present a taxonomy of the defense mechanisms that strive to counter these attacks.
A Denial of Service (DoS) attack prevents legitimate users from using network resources such as websites, network services and web services. It damages or corrupts computer systems and blocks others' access to networks, systems or services, typically by flooding hosts with heavy traffic. The Distributed Denial of Service technique performs simultaneous attacks from many distributed sources: a DDoS attack is a coordinated DoS attack on the available services of the target system that is performed and synchronized between more than one attacking host. The services under attack are the primary victim, while the compromised systems used to launch the attack are the secondary victims. The secondary victims allow the attacker to launch a far more disruptive attack than a single host could.
The DDoS architecture consists of three layers (Figure 1): a client system operated by the attacker, a number of masters, also known as handlers, that are controlled by the client, and a number of agents, also called daemons or zombies, that are controlled by the handlers. "In February of 2000, one of the first major Distributed Denial of Service attacks was waged against Yahoo.com, keeping it off the Internet for about 2 hours, costing it lost advertising revenue". "Another recent DDoS attack occurred on October 20, 2002 against the 13 root servers that manage the Internet. These root servers provide the Domain Name System (DNS) to internet users around the world. They translate logical addresses such as www.princeton.edu into a physical IP address so that computers can connect to the websites. If all 13 servers were to go down, there would be noticeable problems accessing the World Wide Web. Although the attack only lasted for an hour and the effects were hardly noticeable to the average Internet user, it caused 7 of the 13 root servers to shut down, demonstrating the vulnerability of the Internet to DDoS attacks". DDoS tools hide themselves within the compromised systems so that system administrators and users cannot detect them. The threat posed by a DDoS network depends on the intention of the attacker controlling it.
DDoS attacks follow one of two models: the Agent-Handler model and the Internet Relay Chat (IRC) model. The Agent-Handler model includes clients, handlers and agents (Figure 2). The client is the software through which the attacker communicates with the rest of the DDoS attack system. The handlers are software packages, available on the Internet, that the attacker's client uses to communicate with the agents. The agent software is installed on compromised systems and carries out the actual attack. The attacker communicates with the handlers to identify which agents are up and running, to schedule attacks and to upgrade the agents.
The owners of the agent computers have no knowledge that their systems have been compromised and are taking part in DDoS attacks. Each agent is instructed to communicate with one or more handlers. Attackers also try to place the handler software on routers or network servers that handle large traffic volumes. The IRC-based DDoS attack architecture is similar to the Agent-Handler model; the difference is that, instead of handler software running on a network server, an IRC communication channel is used to connect the client to the agents (Figure 3). The IRC channel also gives the attacker the additional benefit of using legitimate IRC ports for sending commands to the agents, which makes tracking DDoS command packets more difficult for system administrators.
Additionally, IRC servers tend to carry large volumes of traffic, which makes it easier for the attacker to hide in them. The attacker also has no need to maintain a list of agents, since the attacker can log in to the IRC server and obtain a list of all available agents: the agent program installed on each compromised host joins its channel and notifies the attacker when the agent is online. In both the IRC-based and the Agent-Handler DDoS attack models the agents are referred to as "secondary victims" or "zombies", and the target of the DDoS attack is referred to as the "primary victim".
TAXONOMY OF DDoS ATTACKS 
There is a wide variety of DDoS attacks. The two main classes are bandwidth depletion and resource depletion attacks. "A bandwidth depletion attack is designed to flood the victim network with unwanted traffic that prevents legitimate traffic from reaching the primary victim. A resource depletion attack is an attack that is designed to tie up the resources of a victim system making the victim unable to process legitimate requests for service".
A. DDoS Bandwidth Depletion Attacks
Bandwidth depletion attacks can be characterized as flood attacks and amplification attacks. "A flood attack involves zombies sending large volumes of traffic to a victim system, to congest the victim system's network bandwidth with IP traffic. The victim system slows down, crashes, or suffers from saturated network bandwidth, preventing access by legitimate users. Flood attacks have been launched using both UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) packets". In a UDP flood attack a large number of UDP packets are sent to random or specified ports of the victim system. If the victim system does not run any application on the targeted port, it sends an ICMP "destination port unreachable" packet back to the source address. The attacking DDoS program spoofs the source IP address of the attack packets, which helps to hide the identity of the secondary victims; the return packets from the victim system are sent to the spoofed addresses rather than back to the zombies. UDP flood attacks also consume the bandwidth of network links located near the victim systems.
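The following is an added example and is not part of the paper: a simple flood detector run over constructed packet records. It counts packets per destination in a sliding time window and, for any destination whose count crosses a rate threshold, reports how many distinct source addresses and destination ports were seen, which is the signature of the UDP flood described above (many spoofed sources, random ports). It generalizes to ICMP floods by matching on protocol. The record format, thresholds and all addresses are assumptions made for the example.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed sample traffic (not a real capture), one tuple per packet:
    (time_s, proto, src_ip, dst_ip, dst_port)."""
    flows = []
    # A burst of 300 UDP packets within one second to 203.0.113.10, each
    # from a different (presumably spoofed) source and to a different port.
    for i in range(300):
        if i < 254:
            src = f"198.51.100.{i + 1}"
        else:
            src = f"192.0.2.{i - 253}"
        port = 1024 + (i * 7919) % 60000  # pseudo-random high port
        flows.append((10.0 + i / 300.0, "udp", src, "203.0.113.10", port))
    # A trickle of legitimate DNS queries to the same host from one resolver.
    for k in range(5):
        flows.append((10.0 + k * 0.2, "udp", "192.0.2.200", "203.0.113.10", 53))
    # Unrelated SSH traffic to another host (TCP, ignored by the detector).
    for k in range(3):
        flows.append((10.0 + k * 0.3, "tcp", "192.0.2.201", "203.0.113.20", 22))
    return sorted(flows)


def detect_floods(flows, window_s=1.0, pps_threshold=200, min_sources=50,
                  protocols=("udp", "icmp")):
    """Return {dst_ip: stats} for destinations whose packet count within any
    sliding window of window_s seconds reaches pps_threshold while coming
    from at least min_sources distinct source addresses.

    Requiring source diversity separates a distributed or spoofed flood from
    a single misbehaving client, which a per-source rate limit already handles.
    """
    by_dst = defaultdict(list)
    for t, proto, src, dst, port in flows:
        if proto in protocols:
            by_dst[dst].append((t, src, port))

    alerts = {}
    for dst, pkts in by_dst.items():
        pkts.sort()
        start = 0
        for end in range(len(pkts)):
            # Slide the window start forward until the window spans <= window_s.
            while pkts[end][0] - pkts[start][0] > window_s:
                start += 1
            count = end - start + 1
            if count < pps_threshold:
                continue
            window = pkts[start:end + 1]
            sources = {s for _, s, _ in window}
            if len(sources) < min_sources:
                continue
            ports = {p for _, _, p in window}
            best = alerts.get(dst)
            if best is None or count > best["packets"]:
                alerts[dst] = {
                    "packets": count,
                    "distinct_sources": len(sources),
                    "distinct_ports": len(ports),
                    "window_start": pkts[start][0],
                }
    return alerts


if __name__ == "__main__":
    for dst, stats in detect_floods(build_sample_flows()).items():
        print(f"possible flood against {dst}: {stats}")
```

The source-diversity requirement is what distinguishes this from an ordinary rate limit: a flood whose packets all claim different sources cannot be handled per source, which is exactly why the spoofing described in the text is used, and it is also why the distinct-port count is reported, since legitimate clients of a service concentrate on one port.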
"An ICMP flood attack occurs when the zombies send large volumes of ICMP_ECHO_REPLY packets ("ping") to the victim system. These packets signal the victim system to reply and the combination of traffic saturates the bandwidth of the victim's network connection". The source IP address of the ICMP packets may also be spoofed during these attacks.
B. Amplification DDoS Attacks
An amplification attack involves the attacker or the zombies sending messages to a broadcast IP address, causing all systems in the subnet reached by the broadcast address to send a reply to the victim system. Attackers use amplification to increase the traffic volume of the attack. The Smurf attack, in which the attacker sends packets to a network amplifier (a broadcast address) with the source address spoofed to the victim's IP address, is an example of an amplification attack. The Fraggle attack is similar but sends UDP ECHO packets to the network amplifier; it causes more damage than Smurf by generating more bad traffic.
C. Attacks by Resource Depletion
A resource depletion attack is designed to exhaust the resources of the victim system. It targets the main server or process of the victim so that it cannot serve legitimate requests. Resource depletion attacks can be divided into protocol exploit attacks and malformed packet attacks; protocol exploit attacks include the TCP SYN attack and the PUSH+ACK attack. In a TCP SYN attack the attacker commands the zombies to send TCP SYN requests to the victim server in order to tie up its processor resources and prevent it from responding to valid requests. The attack abuses the three-way handshake between the source and the receiving system: the zombies send large volumes of TCP SYN packets to the victim with spoofed source IP addresses, the victim responds to each with SYN+ACK, but because the source addresses are spoofed the final ACK never arrives. Once a heavy volume of SYN requests has been processed, the server is left holding many half-open connections, runs out of resources and is unable to respond to legitimate users. In a PUSH+ACK attack the attacker sends TCP packets with the PUSH and ACK bits set in the TCP header, which instruct the victim to unload the data in its TCP buffer and send an acknowledgement once this is complete.
D. Malformed Packet Attacks
In malformed packet attacks the attacker instructs the zombies to send incorrectly formed IP packets to the victim system in order to crash it. The IP address attack and the IP packet option attack are the two types of malformed packet attack. In an IP address attack the packet contains the same source and destination address, whereas in an IP packet option attack the packet randomizes the optional IP header fields and sets all the quality-of-service bits to one, causing the victim system to spend additional processing time analyzing the traffic.
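As an added example that is not part of the paper, the following code serves both the TCP SYN attack and the malformed packet attacks described above. It follows TCP handshakes in a list of constructed packet summaries, counts connections per server that are stuck half-open (SYN received, SYN+ACK sent, final ACK never seen) and flags the two malformed-packet forms the text names: identical source and destination address, and all quality-of-service bits set. The packet format, the threshold and all addresses are assumptions.

```python
from collections import Counter


def build_sample_packets():
    """Constructed packet summaries (not a real capture). Each packet is a dict
    with src, dst, proto, sport, dport, flags (a set of TCP flag names) and tos
    (the IP type-of-service byte)."""
    pkts = []
    victim = "203.0.113.10"

    def tcp(src, dst, sport, dport, flags, tos=0):
        return {"src": src, "dst": dst, "proto": "tcp", "sport": sport,
                "dport": dport, "flags": set(flags), "tos": tos}

    # 60 SYNs from 60 spoofed sources; the victim answers each with SYN+ACK
    # but the spoofed hosts never send the final ACK.
    for i in range(60):
        spoofed = f"198.51.100.{i + 1}"
        pkts.append(tcp(spoofed, victim, 40000 + i, 80, {"SYN"}))
        pkts.append(tcp(victim, spoofed, 80, 40000 + i, {"SYN", "ACK"}))
    # Three legitimate clients complete the handshake.
    for i in range(3):
        client = f"192.0.2.{10 + i}"
        pkts.append(tcp(client, victim, 50000 + i, 80, {"SYN"}))
        pkts.append(tcp(victim, client, 80, 50000 + i, {"SYN", "ACK"}))
        pkts.append(tcp(client, victim, 50000 + i, 80, {"ACK"}))
    # Two malformed packets of the kinds described in the text.
    pkts.append(tcp(victim, victim, 80, 80, {"SYN"}))                      # src == dst
    pkts.append(tcp("192.0.2.99", victim, 1234, 80, {"SYN"}, tos=0xFF))  # all QoS bits set
    return pkts


def malformed_reason(pkt):
    """Return why a packet is malformed, or None if it looks well formed."""
    if pkt["src"] == pkt["dst"]:
        return "identical source and destination address"
    if pkt["tos"] == 0xFF:
        return "all quality-of-service bits set"
    return None


def track_half_open(packets):
    """Follow TCP handshakes and return {server_ip: number of half-open
    connections}, i.e. SYN seen and SYN+ACK sent but no final ACK received.
    Malformed packets are skipped so they do not pollute the state table."""
    pending = {}  # (client, server, cport, sport) -> "syn_sent" | "syn_received"
    for p in packets:
        if p["proto"] != "tcp" or malformed_reason(p):
            continue
        flags = p["flags"]
        if flags == {"SYN"}:
            pending[(p["src"], p["dst"], p["sport"], p["dport"])] = "syn_sent"
        elif flags == {"SYN", "ACK"}:
            key = (p["dst"], p["src"], p["dport"], p["sport"])
            if pending.get(key) == "syn_sent":
                pending[key] = "syn_received"
        elif "ACK" in flags:
            key = (p["src"], p["dst"], p["sport"], p["dport"])
            if pending.get(key) == "syn_received":
                del pending[key]  # handshake completed, no longer half-open
    return dict(Counter(key[1] for key in pending))


def analyze(packets, half_open_threshold=50):
    """Return (list of (packet, reason) for malformed packets,
    list of servers whose half-open backlog reaches the threshold)."""
    malformed = [(p, malformed_reason(p)) for p in packets if malformed_reason(p)]
    backlog = track_half_open(packets)
    suspects = [srv for srv, n in backlog.items() if n >= half_open_threshold]
    return malformed, suspects


if __name__ == "__main__":
    bad, servers = analyze(build_sample_packets())
    for p, why in bad:
        print(f"malformed packet {p['src']} -> {p['dst']}: {why}")
    print("servers with excessive half-open connections:", servers)
```

In a real deployment the half-open table would also need ageing (entries removed after the server's own SYN-ACK retransmission timeout), otherwise the detector itself holds state for every spoofed SYN, which is the same resource exhaustion the attack aims at on the server.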
Communication Layers involved in DDoS
The OSI reference model divides communication into seven layers, each performing a specific function on the data being communicated (Figure 4). Any of these layers can be targeted in a DDoS attack; there is no electronic medium without an attack vector. When a lower layer is attacked, a larger set of resources is affected, because the higher layers rely on the services provided by the lower layers. Attacks at the higher layers are more sophisticated and tend to be harder to detect and prevent.
An application layer attack corrupts the application database so that no processing of data is possible in the system. A presentation layer attack injects formatting tokens so that the presented information is not understandable. A session layer attack is performed by submitting a logout message with an identifier that is bound to another user. Transport layer attacks include the SYN flood, which causes the server to allocate a large amount of resources for connections that are never completed. A network layer attack involves, for example, 'Teardrop', which sends highly fragmented packets from spoofed addresses and refuses to deliver the rest of the message. A physical layer attack involves unplugging the network cable connected to the server.
DDoS attack Tools
A number of DDoS attack tools are available on the Internet; some of them are TFN, TFN2K, Trin00 and Stacheldraht. TFN, the Teletubby Flood Network or Tribal Flood Network, was the first DDoS tool. It consists of a client, which targets the attack, and many daemons that listen for the client's commands and perform the actual DDoS attack. Trin00 has a three-tier architecture: clients that send commands from the attacker, master servers that control multiple daemons and forward the clients' commands to them, and the daemons themselves. TFN2K is similar to TFN; the only difference is that it adds encryption to the communication between daemons and clients. Stacheldraht is a combination of TFN and Trin00 that hides the source addresses of its traffic and also hides its presence and the communication between the systems.
A number of proposals and partial solutions are available for mitigating DDoS attacks. These solutions and ideas help in preventing certain aspects of a DDoS attack, but there is no comprehensive method to protect against all forms of DDoS attack. Important components of DDoS countermeasures include preventing secondary victims and detecting and neutralizing the handlers. One of the techniques is egress filtering, which scans the headers of IP packets leaving a network and checks whether they meet the necessary criteria. MIB statistics are another method of identifying DDoS attacks: Management Information Base data collected from routers is used to identify the attack.
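The two countermeasures just named, egress filtering and MIB statistics, are shown below in an added example that is not part of the paper. The first function applies the anti-spoofing rule of RFC 2827 / BCP 38 at a border router: an outbound packet must carry a source address inside the site's own prefixes (this is what stops a compromised host on the site from becoming a useful zombie for spoofed floods), and an inbound packet must not claim one. The second turns SNMP ifInOctets counter samples into bit rates, handling the 32-bit counter wrap that a flood will trigger quickly, and flags intervals far above a baseline. The site prefix, the packet list, the counter samples and the thresholds are all constructed assumptions.

```python
import ipaddress

# Assumed address plan for the example: the site owns 203.0.113.0/24.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed packets as seen at the site's border router: (direction, src, dst).
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.5"),   # legitimate outbound
    ("out", "192.0.2.77", "198.51.100.5"),     # outbound with spoofed foreign source
    ("out", "10.0.0.1", "198.51.100.5"),       # outbound with spoofed private source
    ("in", "198.51.100.5", "203.0.113.10"),    # legitimate inbound
    ("in", "203.0.113.200", "203.0.113.10"),   # inbound claiming the site's own prefix
]


def egress_filter(packets, site_prefixes=SITE_PREFIXES):
    """Apply the BCP 38 anti-spoofing rules at the border: outbound packets
    must carry a source inside the site's prefixes, inbound packets must not.
    Returns (forwarded, dropped) where dropped entries carry a reason."""
    forwarded, dropped = [], []
    for direction, src, dst in packets:
        inside = any(ipaddress.ip_address(src) in net for net in site_prefixes)
        if direction == "out" and not inside:
            dropped.append((src, dst, "outbound source not in site prefixes"))
        elif direction == "in" and inside:
            dropped.append((src, dst, "inbound source claims site prefix"))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped


COUNTER32_WRAP = 2 ** 32  # SNMP Counter32 objects such as ifInOctets wrap here


def interface_rates(samples):
    """Turn ifInOctets samples [(time_s, counter)] into [(time_s, bits_per_second)]
    for each interval, correcting for Counter32 wraparound."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        delta = c1 - c0 if c1 >= c0 else c1 + COUNTER32_WRAP - c0
        rates.append((t1, delta * 8 / (t1 - t0)))
    return rates


def flag_bandwidth_spikes(samples, baseline_intervals=3, factor=20.0):
    """Flag intervals whose bit rate exceeds factor x the mean rate of the first
    baseline_intervals intervals; returns [(time_s, bps)]."""
    rates = interface_rates(samples)
    baseline = sum(r for _, r in rates[:baseline_intervals]) / baseline_intervals
    return [(t, r) for t, r in rates[baseline_intervals:] if r > factor * baseline]


# Constructed ifInOctets samples every 10 s: about 1 Mbit/s, then about
# 800 Mbit/s, with the 32-bit counter wrapping during the flood.
SAMPLE_COUNTERS = [
    (0, 0), (10, 1_250_000), (20, 2_500_000), (30, 3_750_000),
    (40, 1_003_750_000), (50, 2_003_750_000), (60, 3_003_750_000),
    (70, 4_003_750_000), (80, 708_782_704),
]


if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_PACKETS)
    for src, dst, why in drop:
        print(f"dropped {src} -> {dst}: {why}")
    for t, bps in flag_bandwidth_spikes(SAMPLE_COUNTERS):
        print(f"t={t}s inbound rate {bps / 1e6:.0f} Mbit/s exceeds baseline")
```

Egress filtering protects other people's networks from this site's zombies rather than the site itself, which is why it is listed under preventing secondary victims; it only works if deployed widely. The wraparound handling matters because at 800 Mbit/s a Counter32 wraps roughly every 43 seconds, so a naive delta would report negative or absurd rates precisely when the attack is under way.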
Honeypots are another technique for deflecting attacks: some systems are set up with limited security so that it is easy for the attacker to attack the honeypot rather than the actual system.
There is also a post-attack component that involves network forensics: packet traceback, tracing the attacker, and collecting event logs for forensic analysis in order to discover the type of DDoS attack.
The Internet is an open network with security vulnerabilities, which has made network attacks a matter of everyday life. DDoS attacks make networks unavailable to legitimate users and cause serious damage when a critical system is the primary victim. Many approaches have been developed to prevent DDoS attacks. The DDoS attack and defense taxonomy described in this paper should help us think about more effective solutions against Distributed Denial of Service. DDoS attacks are getting better and smarter, and so must network administrators. The best defense against any attack is knowledge. In summary, many DDoS tools are available to attackers, and those tools can be deployed easily to disastrous effect on networked systems. Many new techniques have been developed to prevent these DDoS attacks, but those techniques are still being developed and evaluated, so network administrators must keep up with the latest mitigation techniques and practices to help protect their systems.