Chapter 8
Denial-of-Service Attacks
Aikaterini Mitrokotsa and Christos Douligeris

8.1 INTRODUCTION

Availability requires that computer systems function normally without loss of resources to legitimate users. One of the most challenging threats to availability is the denial-of-service (DoS) attack. DoS attacks are among the major threats and among the hardest security problems in today's Internet. The main aim of a DoS attack is the disruption of service by limiting access to a machine or service. Depending on the attacker's strategy, the targeted resource may be file system space, process space, network bandwidth, or network connections. These attacks achieve their goal by sending the victim a stream of packets that exhausts either its network bandwidth or its processing capacity, denying or degrading service to legitimate users. There have been several large-scale attacks targeting high-profile Internet sites [1–3].

Distributed denial-of-service (DDoS) attacks add a many-to-one dimension to the DoS problem, making the prevention and mitigation of such attacks more difficult and the impact proportionally more severe. These attacks use many Internet hosts to exhaust the resources of the target and deny service to legitimate clients. The traffic is usually so aggregated that it is difficult to distinguish legitimate packets from attack packets, and, more importantly, the attack volume can be larger than the system can handle. There are no apparent characteristics of DDoS streams that could be used directly and wholesale for their detection and filtering: the attacks achieve their effect by sending large amounts of network traffic while varying packet fields in order to avoid characterization and tracing.
Extremely sophisticated, "user-friendly," and powerful DDoS toolkits are available to potential attackers, increasing the danger of becoming the victim of a DoS or DDoS attack, as essential systems are ill prepared to defend themselves. The consequences of DoS attacks are extremely serious and financially disastrous, as can be seen from the frequent headlines naming the most recent victim of a DoS attack. In February 2001, network researchers at the University of California at San Diego (UCSD) [3], from the San Diego Supercomputer Center (SDSC) and the Jacobs School of Engineering, analyzed the pattern of DoS attacks against the computers of corporations, universities, and private individuals. They proposed a new technique, called "backscatter analysis," which estimates worldwide DoS activity. This research provided the only data

117 Network Security: Current Status and Future Directions, Edited by C. Douligeris and D. N. Serpanos. Copyright © 2007 the Institute of Electrical and Electronics Engineers, Inc.
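The mechanism behind backscatter analysis is that a flooding attacker who spoofs random source addresses causes the victim to answer each forged packet (SYN-ACK, RST, ICMP unreachable, and so on) to an address that never asked for anything. A passive "network telescope" monitoring a block of unused addresses therefore sees a fixed fraction of those replies, and scaling the observed reply rate by the fraction of the address space it covers estimates the victim's total reply rate, and hence the flood rate. The following Python is an added illustration of that estimate, not code from the chapter or from the UCSD study; the /8 telescope size, the 1 s minimum burst duration, the set of reply-only packet types and the packet trace (built inline from documentation addresses) are all assumptions made for the example.

```python
"""Backscatter analysis over a constructed packet trace (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass

ADDR_SPACE = 2 ** 32
# Assumption: the telescope passively monitors a /8, i.e. 2^24 otherwise unused addresses.
TELESCOPE_ADDRS = 2 ** 24
SCALE = ADDR_SPACE / TELESCOPE_ADDRS  # 256: each observed reply stands for ~256 sent

# Packet types a host only emits in reply to something it received. Arriving
# unsolicited at addresses that never send traffic, they can only be replies to
# packets whose source address was forged to point at the telescope.
BACKSCATTER_KINDS = {"TCP SYN-ACK", "TCP RST", "ICMP echo reply", "ICMP unreachable"}


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since trace start
    src: str    # sender; for backscatter this is the flood victim
    dst: str    # telescope address that received the packet
    kind: str


def is_backscatter(pkt: Packet) -> bool:
    """Unsolicited reply-type packets are backscatter; SYNs, probes and scans are not."""
    return pkt.kind in BACKSCATTER_KINDS


def summarize_attacks(trace, min_packets: int = 2) -> dict:
    """Group backscatter by victim and estimate each victim's total reply rate.

    Returns {victim: {"packets": n, "duration_s": d, "est_rate_pps": r}}.
    Victims seen fewer than min_packets times are dropped as noise.
    """
    by_victim = defaultdict(list)
    for pkt in trace:
        if is_backscatter(pkt):
            by_victim[pkt.src].append(pkt.ts)

    report = {}
    for victim, stamps in by_victim.items():
        if len(stamps) < min_packets:
            continue
        stamps.sort()
        # Assumption: a burst shorter than 1 s is rated as if spread over 1 s,
        # which also avoids dividing by zero when all packets share a timestamp.
        duration = max(stamps[-1] - stamps[0], 1.0)
        observed_pps = len(stamps) / duration
        report[victim] = {
            "packets": len(stamps),
            "duration_s": duration,
            "est_rate_pps": observed_pps * SCALE,  # scale up to the whole address space
        }
    return report


# Constructed trace (documentation addresses): 203.0.113.7 is being SYN-flooded with
# spoofed sources, so its SYN-ACKs land on telescope addresses 192.0.2.x; 198.51.100.5
# emits one stray RST (below the noise threshold); 198.51.100.9 is scanning the
# telescope with SYNs, which are requests rather than replies and so are ignored.
SAMPLE_TRACE = [
    Packet(0.5 * i, "203.0.113.7", f"192.0.2.{10 + i}", "TCP SYN-ACK") for i in range(9)
] + [
    Packet(1.2, "198.51.100.5", "192.0.2.77", "TCP RST"),
    Packet(2.0, "198.51.100.9", "192.0.2.1", "TCP SYN"),
    Packet(2.1, "198.51.100.9", "192.0.2.2", "TCP SYN"),
]

if __name__ == "__main__":
    for victim, stats in summarize_attacks(SAMPLE_TRACE).items():
        print(f"{victim}: {stats['packets']} backscatter packets over "
              f"{stats['duration_s']:.1f} s, estimated flood rate ~{stats['est_rate_pps']:.0f} pkt/s")
```

On the constructed trace the telescope sees 9 SYN-ACKs from 203.0.113.7 over 4 s, an observed 2.25 pkt/s, which scaled by 256 gives an estimated flood of about 576 pkt/s against that host; the lone RST and the scanner's SYNs are discarded. The same scaling is what makes the method blind to attacks that do not spoof sources (or that spoof within a narrow range), a caveat that applies equally to the original study.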