2242 IEEE COMMUNICATION SURVEYS & TUTORIALS, VOL. 17, NO. 4, FOURTH QUARTER 2015

Botnet in DDoS Attacks: Trends and Challenges

Nazrul Hoque, Dhruba K. Bhattacharyya, and Jugal K. Kalita

Abstract—Threats of distributed denial of service (DDoS) attacks have been increasing day by day due to the rapid development of computer networks and associated infrastructure, and of millions of software applications, large and small, addressing all varieties of tasks. Botnets pose a major threat to network security as they are widely used for many Internet crimes such as DDoS attacks, identity theft, email spamming, and click fraud. Botnet-based DDoS attacks are catastrophic to the victim network as they can exhaust both the network bandwidth and the resources of the victim machine. This survey presents a comprehensive overview of DDoS attacks, their causes, their types with a taxonomy, and technical details of various attack launching tools. A detailed discussion of several botnet architectures, tools developed using those architectures, and an analysis of their pros and cons are also included. Furthermore, a list of important issues and research challenges is reported.

Index Terms—DDoS attack, botnet, mobile botnet, IP traceback, DDoS prevention.

Manuscript received January 8, 2015; revised May 8, 2015; accepted July 10, 2015. Date of publication July 16, 2015; date of current version November 18, 2015. This work is supported by MHRD, under FAST proposal and UGC, Government of India under SAP level-II. The authors are thankful to both the funding agencies. N. Hoque and D. K. Bhattacharyya are with the Department of Computer Science and Engineering, Tezpur University, Tezpur 784028, India (e-mail: nhoq@tezu.ernet.in; dkb@tezu.ernet.in). J. K. Kalita is with the Department of Computer Science, University of Colorado, Springs, CO 80309 USA (e-mail: jkalita@uccs.edu). Digital Object Identifier 10.1109/COMST.2015.2457491

I. INTRODUCTION

As advances in networking technology help connect every nook and corner of the globe, the openness and scalability of the network are giving birth to a large number of innovative, interesting and useful online applications. With the proliferation of these IT-enabled applications, more and more important and valuable information is flowing across public networks. Networks are usually designed to make efficient use of shared assets among network users [1], and network-based computer systems play a vital role in our personal as well as professional activities. Today, the Internet interconnects billions of computers, tablets and smartphones, providing a global communication, storage and computation infrastructure.

Furthermore, the integration of mobile and wireless technologies with the Internet is currently ushering in an impressive array of new devices and applications. These tremendous technological advances in the speed, accuracy, reliability and robustness of the modern Internet have had a significant impact on our day-to-day activities, and people now rely on the Internet to share valuable and confidential personal as well as business information with other network users. On the other hand, precisely because so much depends on the Internet, some people also make use of its weaknesses to paralyze it. For example, one of the major weaknesses of the Internet is the speed mismatch between edge routers and core routers. Inappropriate configuration of routers is another common weakness. Due to such weaknesses, networked systems have often become the targets of various attacks, which are launched in order to unlawfully gain access to important and confidential information or to damage the useful resources of a business competitor using different attack tools [2], [3]. Although many significant developments in constructing firewalls and cryptographic systems have taken place in the recent past, they are not free from limitations. Defense mechanisms that identify intrusions provide another way to protect networked systems from attacks. In spite of all these safeguards, new and complex attacks are being created almost every day. Among them, denial of service attacks are still the most frequent and usually the most devastating ones.

A. Distributed Denial of Service (DDoS) Attack

DDoS is a coordinated attack generated by using many compromised hosts. An attacker initially identifies vulnerabilities in a network in order to install malware programs on multiple machines and bring them under his control. The attacker then uses these compromised hosts to send attack packets to the victim, without the knowledge of the hosts' owners. The damage to the victim network scales with the intensity of the attack packets and the number of hosts used for attacking. If the number of compromised hosts is very large, the attack may disrupt a network or a Web server in a very short period of time. Some examples of DDoS attacks include smurf, fraggle and SYN flooding. The aim of a DDoS attacker is to disrupt a network so that it cannot provide any services to legitimate users (Fig. 1). To launch an attack, an attacker generally follows four basic steps: (i) information gathering, scanning a network to find vulnerable hosts that can be used later to launch an attack; (ii) compromising the hosts to install malware or malicious programs on the compromised hosts (called zombies) so that they can be controlled

Fig. 1. DDoS attack.

1553-877X © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
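The definition of a DDoS attack above, seen from the victim's side, as an added example that is not part of the survey: per-destination statistics over constructed flow records flag a target that receives SYN-only traffic from many distinct sources (the "many compromised hosts" signature of a SYN flood) while a single noisy source is not reported as distributed. The record format, the field names and the thresholds are assumptions.

```python
"""Flag a distributed SYN flood in constructed flow records (added example,
not code from the survey). Record format, constructed and NetFlow-like:
src_ip dst_ip tcp_flags packets. Flags "S" mean only SYNs were seen (the
handshake never completed); "SA" means the SYN was answered normally."""
from collections import defaultdict

# Constructed sample: five distinct sources send SYN-only traffic to
# 203.0.113.10, while 203.0.113.20 only sees ordinary connection attempts.
SAMPLE_FLOWS = """\
10.0.0.1 203.0.113.10 S 40
10.0.0.2 203.0.113.10 S 38
10.0.0.3 203.0.113.10 S 41
10.0.0.4 203.0.113.10 S 39
10.0.0.5 203.0.113.10 S 42
10.0.0.9 203.0.113.10 SA 12
192.0.2.7 203.0.113.20 SA 15
192.0.2.8 203.0.113.20 S 1
"""

def parse_flows(text):
    """Yield (src, dst, flags, packets); blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[0], parts[1], parts[2], int(parts[3])

def per_destination_stats(flows):
    """Per destination: set of distinct sources, total and SYN-only packets."""
    stats = defaultdict(lambda: {"sources": set(), "total": 0, "syn_only": 0})
    for src, dst, flags, pkts in flows:
        s = stats[dst]
        s["sources"].add(src)
        s["total"] += pkts
        if flags == "S":
            s["syn_only"] += pkts
    return stats

def flag_syn_flood_targets(stats, min_sources=5, min_syn_ratio=0.8):
    """Return (dst, distinct_sources, syn_only_ratio) for likely victims.
    Thresholds are illustrative; requiring many distinct sources separates a
    distributed flood from a single noisy or scanning host."""
    victims = []
    for dst, s in stats.items():
        ratio = s["syn_only"] / s["total"] if s["total"] else 0.0
        if len(s["sources"]) >= min_sources and ratio >= min_syn_ratio:
            victims.append((dst, len(s["sources"]), round(ratio, 2)))
    return sorted(victims)

def detect(text=SAMPLE_FLOWS):
    return flag_syn_flood_targets(per_destination_stats(parse_flows(text)))
```

Real deployments would compute these statistics per time window and calibrate the thresholds against the baseline traffic of each service.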