A survey of distributed denial-of-service attack,prevention,and mitigation techniques

Attack synopsis based on degree of automation

Different phases and characteristics of the DDoS attacks can be manually set, controlled by the attacker, or it can be automated. Therefore, there are three different types of attack scenarios: manual, semi-automatic, and automatic which are introduced in the following.

Attack phases

In this section, different mechanisms involved in different attack phases are analyzed. There are three different phases of DDoS attacks which can be named as Phase I—recruiting attack armies, Phase II—propagation, and Phase III—attack. The details of these phases are listed in the following.

Phase II: propagation

The next phase after the generation of an attack army is to propagate the attack code to the compromised devices. This attack code includes information of the victim, time, and duration of the attack and so on. This section outlines this phase of the attack based on the research in Mirkovic and Reiher, ²³ Patrikakis et al., ²⁴ and Long and Thomas ³¹ :

Central source propagation. In the central source propagation mechanism, the attack code propagates from a central server to the compromised machine as shown in Figure 4(a). An example of this is a 1i0n worm which propagates in this manner. ³¹ Since every compromised device communicates and downloads the copy of the attack code from some central points, it introduces a huge amount of traffic in the network which may eventually lead to the attack discovery. Also, this technique has the potential to single point failure. Thus, if an attack is detected, removal of the central point may stop further infection and inclusion of the attack army.

Back-chaining propagation. In the back-chaining propagation, the compromised machine downloads the attack code from the infected machine. This scenario is shown in Figure 4(b). Basically, during the infection phase, the attacker manages a method which establishes a connection between the attacker and the compromised machine. The Trivial File Transfer Protocol (TFTP) can be used in this mechanism. ²⁴ A very well-known worm Ramen worm uses this propagation technique in the attack army creation process.

Autonomous propagation. In the autonomous propagation, as its name implies, all the attack codes are transferred automatically from the attacker to the infected system during the time of the exploitation, as shown in Figure 4(c). It does not require any further communication with any more systems to transfer the attack codes. Code-Red is an example worm which uses this propagation mechanism. ³¹ In the autonomous propagation, the traffic required to propagate the code is significantly limited as compared to the other two methods, and thus, it poses a limited chance to discover the attack.

OPEN IN VIEWER

Figure 4.

Attack code propagation: (a) central source propagation technique, (b) back-chaining propagation technique, ³¹ and (c) autonomous propagation technique. ³¹

The third phase of the DDoS attacks is to attempt the attack. There exists a lot of techniques to initialize and execute DDoS attacks which fall into different categories. As our analysis aims to understand the attacks in an elaborated and easy way, we dedicate an entire next section to describe the third phase of the DDoS attacks.

Resource depletion attacks

The goal of resource depletion attacks is to overflow or crash all of the major resources of the system such as memory, sockets, and CPU. There are two different ways to implement this type of attacks. In the first way, the attacker exploits some networks, transport and application layer protocols to achieve their goals. In the second way, malformed packets are used to perform the attacks.

Protocol exploit attacks

There are some major protocol-based attacks which exploit the weakness of the different network layer’s protocols. This forces the victim to use all of its CPU and memory to do some memory-intensive operations. For example, attacks of this group exploit transport layer protocols such as Transmission Control Protocol (TCP)^4,33 and some application layer protocols such as Hypertext Transfer Protocol (HTTP) and Session Initiation Protocol (SIP) in execution of the attacks. ⁴

TCP SYN attack

In a TCP SYN attack, the attacker exploits the three-way handshaking mechanism of TCP’s connection establishment process. During the connection establishment, TCP requires consecutive acknowledgements between the two parties who want to create a TCP connection. This is accomplished by the three-way handshaking. In three-way handshaking, at first, the SYN packet is sent from a client to a server to begin the handshaking. Upon receiving this SYN packet, the server acknowledges the client by sending a SYN + ACK packet. Finally, as a response to this packet, the client sends back the final ACK packet which completes the handshaking and establishes the TCP connection. During this process, the server stores all of the intermediate states in the memory stacks until the connection establishes or the time-out occurs due to look up and confirmation of the identity of the client. The attacker exploits this feature and floods server’s memory which eventually rejects connection requests from valid and legitimate users. In order to flood victim’s memory, the attacker does not complete the handshaking process and thus creates a huge number of incomplete connections. To establish this incomplete connection, the attacker spoofs the source with non-existing IP addresses and sends the SYN packets with these spoofed IP addresses. Upon receiving the packets, the server replies with the SYN + ACK packets, but since the source IPs do not exist, it never receives the ACK packets from the sources as shown in Figure 6. However, as the server waits for the ACK packets, eventually all of its connection tables become full. Thus, the attacker floods victims memory and successfully deprives the legitimate users. It is also possible to do this attack using the genuine IP of the compromised machines. In this case, the compromised source machines ignore the SYN + ACK messages received from the victim and thus could perform a successful SYN attack.

OPEN IN VIEWER

Figure 6.

TCP SYN attack. ³⁵

TCP PUSH + ACK attack

The goal of this type of attacks is to run out memory and CPU processing power to hinder the legitimate users from their usual service. In this attack, the compromised botnet agents send a large number of TCP packets and set “1” to the PUSH and ACK bits of the header. ³³ This forces the targeted victim to clear its memory stack and to send an acknowledgement to the client. Since the attacker floods the victim with this type of messages, eventually the victim’s processing power and memory overload and run out. As a result, it cannot process the requests from the legitimate clients and thus fail to establish communications with them.

HTTP flood attack

HTTP flood attack is another example of resource depletion attacks where the application layer protocol HTTP is exploited to attack a victim. Specifically, in this type of attacks, an attacker manipulates the HTTP GET and HTTP POST requests while talking to a server or a specific application. ³⁶ Here the concept is same as before, that is, overwhelming the resources to make the web server denies its legitimate users. In order to conduct this attack, it is required to set up a TCP connection with valid IP address. The attacker uses its botnets’ IP addresses to establish the connections. Figure 7 shows an example of HTTP flood attack which exploits the HTTP GET request. Here, the attacker executes an HTTP GET request to download a very large file. It sends multiple requests from its botnets. In response to this request, the victim performs a series of actions. As a response, it is required to read the file from the back-end storage, store it into working memory, as well as cut it into multiple packets to send it to the botnets. Thus, the response includes the use of the memory and processing power of the victim. Therefore, a large number of this type of requests flood the whole resources of the victim and make it unable to respond to the valid users. In order to make the detection of this type of attacks more difficult or even impossible, the attacker could also resolve the links attached to the response and follow those links. This makes the traffic generated by the attacker looks like a normal traffic.

OPEN IN VIEWER

Figure 7.

HTTP flood attack (exploits HTTP GET request). ³⁶

SIP flood attack

This is another example that exploits another application layer protocol named SIP, used in voice over IP (VOIP) call setup. An attack can be made using different types of SIP request messages (such as SIP REQUEST, SIP INVITE) or the SIP call control messages (SIP INFO, SIP NOTIFY, SIP RE-INVITE). ³⁷ The goal of this attack is to flood the proxy server or the SIP registration server (SIP REGISTRAR) and to consume all of its resources (CPU, memory, and network bandwidth) with the help of the attack army, as shown in Figure 8. Here, any army from the botnet sends thousands of messages to the SIP registrar server which is responsible to accept REGISTRAR requests as well as to keep records of the addresses and parameters of the user agents, unless it receives any server error message. As a result, the server overwhelms; the legitimate users experience service outage and cannot reach the server.

OPEN IN VIEWER

Figure 8.

SIP flood attack. ³⁷

Slow request/response attack

In this type of attacks, it slowly consumes all of the resources of the victim. Slowlories, ³⁸ HTTP fragmentation attack, ³⁹ Slowpost or RUDY (R.U. Dead Yet) attack, ⁴⁰ Slowreading attack ⁴¹ are some examples of this type of attacks. In Slowlories, the idea is to shut down the victim’s system using only one machine. It starts the attack with a partial HTTP request. Then it sends other header information at a regular interval so that the sockets remain open. This way it consumes all the sockets, and as a result, the web server rejects its legitimate clients. So far this type of attacks cannot be prevented but can be mitigated by setting restrictions on the number of connections or the minimum transfer rate of a client. The HTTP fragmentation attack partitions a HTTP packet into tiny possible fragments and sends those through a valid HTTP connection at the minimum possible rate. Thus, it holds the connection as long as possible and makes a web site down by multiple connections from a botnet. Slowpost or RUDY or slow request attack is also an application layer attack which exploits the form submission field of the websites. In this attack, the attacker opens multiple parallel HTTP POST connections. The attacker submits the information in the form filed in a very small sized packet (1 byte) in a very slow rate. Thus, the connections remain open for a very long time and use up all the connections in the server’s connection table. As a result, the server crashes and the attack becomes successful. The designer of Slow Read DDoS attack is Shekyan ⁴² who designed this attack to see the reaction of the HTTP server in case of slow response. The main idea behind this attack is to establish a connection using a valid HTTP request. But the attacker reads the response very slowly to make the connection open as long as possible. Thus, multiple such requests consume all the connections and make the server unavailable for the legitimate clients. In general, these slow HTTP attacks can be protected if a set of observations and rate limiting are applied to the flow. For example, rejecting unsupported HTTP connections or applying limit on the rate of the incoming data or limiting the length of the header or the body of the message and so on, could be a good protective step for slow HTTP attacks. ⁴³

Bandwidth depletion attack

The bandwidth depletion attack is another important type of attacks in the DDoS world. The attacker’s goal is to consume all of the network bandwidths of the victim’s system using the attack army. As a result, the victim denies service to the legitimate users for a small to large amounts of time until the attack is mitigated. The bandwidth depletion attack can also be protocol exploited, ⁴⁵ and it can be done by amplification where a reflector or amplifier is involved to increase the attack density as well as damage to the network. ⁴⁶ We will introduce this attack mechanism with related examples.

Protocol exploited attack

Protocol exploited attacks can use a transport layer protocol such as User Datagram Protocol (UDP) or a network layer protocol such as Internet Control Message Protocol (ICMP). Next, we will outline major types of attacks found in the research.^{4,15,20,23,32–34}

UDP flood attack

The UDP flood attack is a very common DDoS attack where an attacker sends a large stream of UDP packets from its attack army. Here the attacker can target a specific or a random port of the victim to inundate it. Generally, when a UDP packet is received to a system, it tries to identify the type of the application that is waiting on the destination port. When it becomes sure that no application is waiting, it responds with an ICMP packet as shown in Figure 9. The attacker uses spoofed IP addresses and continues sending the packets until all the bandwidths are consumed and the victim surrenders from its normal operation.

OPEN IN VIEWER

Figure 9.

UDP flood attack.

ICMP flood attack

The ICMP flood attack, also known as the ping flood attack, exploits the IP layer protocol ICMP’s ICMP_ECHO_REQUEST packets. This packet (ping) is used to check whether a remote host is alive or not. In DDoS attacks, the attacker sends this packet using the broadcast IP address. Thus, it is delivered to all of the machines in the victim’s network. The machines will reply to the spoofed source address that targets the victim with ICMP_ECHO_REPLY packet. Also, the attacker may use an intermediary network to inundate the victim. As a result, the bandwidth in victim’s network becomes saturated, and consequently, it rejects requests from the legitimate users. An example of this type is the “Smarf” attack which uses some intermediary networks, also known as the reflectors to intensify the attack. This scenario is shown in Figure 10.

OPEN IN VIEWER

Figure 10.

ICMP flood attack. ⁴

Fraggle attack

The fraggle attack is similar to the Smarf attack and is also obsolete nowadays. ⁴⁷ It sends UDP_ECHO packets to the network amplifiers to flood victims bandwidth or can send it to a particular port to create an infinite loop. Smarf and fraggle attacks are also known as the amplification attack which uses reflector(s) as their attack launchers. ²⁰ Any IP host who returns a packet in response to a received packet is known as the reflector. Therefore, routers, DNS servers, or web servers are the examples of reflectors. These reflectors trigger the attack by sending replies to the victim as responses to the received packets which contain spoofed source IP address as the IP address of the victim. The reflectors use their own legitimate IP addresses so they are detectable. However, the attacker who involves the reflectors in the attack remains hidden as it has spoofed its source IP to the IP of the victim.

Amplification attack

In this section, we are going to outline two very similar and common amplification attacks: DNS amplification attack and Network Time Protocol (NTP) amplification attack. The main idea behind these types of attacks is to generate a large response for a very small request and directing those responses to the victim which eventually consumes all bandwidths of the victim’s network.

DNS amplification attack

It is one of the most common attacks of today’s world which targets victim’s network bandwidth. In one example, the motivation of an attacker is to exploit the vulnerable features of a DNS to amplify an attack in a much larger scale.^48–50 This attack is also an example of a reflection attack which uses multiple open recursive DNS servers to send a huge number of UDP packets to flood a victim. Using different types of techniques involved in amplification, an attacker can raise the volume of the attack traffic which could result a catastrophic affect to the most secure victim’s system. The general scenario of the attack process is same as all of the other DDoS attacks: sending reflected responses to the spoofed source IP (victim’s IP) to consume network bandwidth. In general, the response made by a DNS is large as compared to the query sent to it. Therefore, by increasing the size of this response message, more bandwidth is consumed than the normal situation. An attacker can compromise an authoritative DNS server to achieve this. ⁴ Figure 11 illustrates this scenario. Here, at first, the attacker exploits authoritative DNS server and using that server, it discloses a sizable resource record (RR) of TXT type. This TXT type RR is used in DNS to make it possible to store information that have not been classified previously. ⁵¹ This can include host name, server name, or some information about a server or a data center. The attacker manipulates this record to increase the message size. Then the attacker launches the attack by the botnet and instructs them to send requests to the open DNS recursive servers and ask for the large messages. After resolving the requests, the open DNS servers send the amplified responses to the spoofed source address which is actually the address of the victim. Theoretically, in order to generate a 10 Gbps flood to the victim, only 140 Mbps initial traffic is sent from the botnet. ⁴ Also, to amplify the attack, the attacker may send DNS request using the extended DNS protocol (EDNSO). This extension supports large DNS messages. To increase the size of the message, the attacker can also use Domain Name System Security Extension (DNSSEC). Here, they can apply some cryptographic features which increases the message size. However, according to US-CERT, ⁵² most of the attacks observed by them use DNS “ANY” request. In a single request, it returns all possible known information regarding a DNS zone. Thus, the response gets larger which boosts up the traffic toward the victim.

OPEN IN VIEWER

Figure 11.

DNS amplification attack. ⁴

NTP amplification attack

This is very similar to the DNS amplification attack and it exploits NTP. ⁵³ NTP is used to synchronize the clocks of the machines connected to the Internet. ⁵⁴ In the DDoS attack, the attacker sends MON_GETLIST command to the NTP server which responds with the last 600 queries that have been made to the server. Thus, the response message is huge (approximately 19X bigger) as compared to the request message. ⁵³ The attacker spoofs the source IP address and directs all those responses to the victim’s machine. Thus, these amplified responses overwhelm victim’s network bandwidth and inhibits legitimate users to get into the server.

Infrastructure attack

The most catastrophic type of DDoS attacks is the infrastructure attack. The aim of this attack is to damage significant crucial elements of the Internet. Thus, it not only targets the bandwidth of the network but also the resources (memory, CPU) of the targeted system. For example, infrastructure attack aims the DNS, especially the root DNSs as they are the top hierarchical service points and provide services to all users of the Internet around the world. Since the DNS maintains a hierarchical structure, an attack of this type which targets only the root name servers could not put very serious impacts on the Internet service of the whole world. Commonly, attackers use DNS flooding techniques to launch the attack. In the DNS flooding attack, compromised attack army or botnet sends normal UDP requests to the DNS server. However, the amount of such requests is so enormous that it floods the system and eventually all of the resources are consumed. Thus, the system denies all legitimate requests for a significant amount of time. On 21 October 2002, an infrastructure attack was launched which targeted all 13 root name servers. ⁵⁵ This attack did not come out as a very successful one but introduced the attack of this type. Recently, exactly after 14 years, in 21 October 2016, the largest DDoS attack has targeted a major infrastructure known as the Dyn DNS. ¹ This system provides DNS address resolution service to more than 3,500 enterprisers which also include some renowned organization like Netflix, Twitter, Linkedin, and so on. ⁵⁶ It provides high-performance service with managed DNS infrastructure which includes numerous data centers located in multiple continents. It possesses the ability to analyze 3 billion data points per day. According to the source Dyn, ⁵⁶ in each month, 50 considerable DDoS attacks are detected and mitigated by the experienced DNS experts of Dyn. However, the irony is that in October’s DDoS attack, this high-performance system went down for a significant amount of time. The attackers involved millions of poorly secured IoT devices in this attack which are not powerful computers but some smart devices such as smart fridge, web cams, and digital video recorders (DVR). ⁵⁷ Thus, it introduces a significant threat in the current cyber security world. This is because, currently the number of IoT devices is 28.4 billion and this number is increasing in a massive rate. ⁵⁸ It was reported that in order to infect these huge number of devices, an open source botnet malware, “Mirai,” is used. This malware is designed to infect IoT devices and launch DDoS attacks based on instruction from the attacker. ⁵⁹ Finally, this attack has again bring up the necessity of a globally cooperated solution of the threats of the current world.

Zero-day attack

A zero-day attack happens in day 0 using some unknown security loopholes or vulnerabilities. It is called zero day because the vulnerabilities of the system are known at day one after the attack. Different security organizations or private software firms offer incentives and rewards to report the zero-day vulnerabilities. ⁶⁰ The impact and signature of this type of attacks is also unknown until the attack is launched.

Prevention using filters

In order to prevent the attack traffic, it is very important to filter them out. Filtering techniques mainly prevent a victim from the attacks as well as from being an unaware attacker. Basically, all filtering techniques are applied to the routers which ensure that only legitimate traffic can get access to a system. In this section, we are going to cover different filtering techniques found in the literature along with their success and failure in DDoS prevention.

Secure overlay

This is another preventive mechanism against DDoS which protects a subset of the networks.^80,81 The idea behind this method is to built up an overlay network on top of the IP network. This overlay network is the entry point for the outside network to establish a communication to the protected network. It is assumed that the isolation can be achieved if a protected network hides its IP addresses or uses a distributed firewall. This firewall ensures that only trusted traffic from the nodes of the overlay network can get entry to the protected network. Although this mechanism ensures prevention from the DDoS attack, it is applicable to a private network and is not appropriate for a public server.

Honeypots

A honeypot/honeynet is an interesting mechanism of DDoS prevention.^82,83 Here, honeypots/honeynets are some less secure systems which attract attackers to attack them. A honeynet mimics a legitimate network to trick an attacker so that the attacker thinks that it has attacked the actual system. Thus, the actual system remains protected. Not only that using a honeypot, it is also possible to extract important information (records of attack activity, tools, and software used for the attack) about an attacker. This information is further used to detect and prevent a DDoS attack and its attacker. However, this technique also suffers with some drawbacks. For example, the static and passive nature of the honeypots/honeynets does not ensure complete disguise from the attacker. Also, if the honeypot/honeynet cannot detect an attack using its signature-based detection tools, attack packets are forwarded to the actual destination.

Load balancing

This is an approach which tries to balance the loads of different systems so that no one system gets overloaded. ⁸⁴ The result of the load balancing helps to gain the optimal productivity as well as the maximum uptime. In cases when a server faces a DDoS attack, a load balancer ensures resilience as it reroutes traffic to another active and un-attacked servers. In order to ensure the maximum load balancing, a bandwidth increase is required on all critical connections. A good number of replicated servers and data centers are also required to ensure elimination of single point failure. It also helps to reduce the surface of the attack and introduces difficulty to exhaust existing resources and link saturation.

Prevention based on awareness

Recent DDoS attacks mostly the IoT botnet–based DDoS attacks require awareness of the IoT users. This is because the IoT devices are very poor in terms of security. Also, some DDoS attacks can be prevented if the general user takes preventive measures in their own system. It not only ensures their security from being attacked but also from being a zombie of the attack army. Followings are some initiatives from users’ side which can work to prevent a DDoS attack.

Detection

Detection of the attack is an important step to DDoS mitigation. Detection is very simple as the performance of the service or system degrades dramatically when an attack occurs. However, it is always challenging to differentiate the malicious flows from the legitimate flows. Sometimes, a response demands detection of the malicious events where another demands identification of the source of the attack. Two different techniques are found in the literature to detect malicious flows: signature-based detection and anomaly-based detection. On the other hand, attack source identification techniques are also important to identify the source of the attack.

Response mechanism

After the detection of the attack traffic or attack source, it is important to make a rapid response to mitigate the attack. A robust response mechanism can reduce or eliminate the impacts of a DDoS attack. In this section, we are going to identify some research activities in two different well-known response mechanisms: filtering or rate limiting and capability.

Tolerance

When the results of the detection algorithm come out to be unsuccessful or when it becomes hard to apply a detection process, it is important to find out the alternatives. Tolerance mechanism is the alternative to this. ¹³⁶ The techniques of tolerance mechanism work with a very little or even no knowledge about the result of the detection. Thus, it is the final stage of defense when the other stages (prevention and detection) fail. Thus, the goal of this mechanism is to provide maximum possible quality of service by minimizing the impacts of the attack. The research found in this field can be classified into congestion policing and fault tolerance.

DDoS attacks on clouds

Cloud or cloud computing is an online platform which provides “pay-as-you-go” or subscription-based access to different services such as storage, software development, audio/video streaming, data analysis, file sharing.^143,144 It is a highly scalable, distributed infrastructure which makes it easier to get the best cloud services from anywhere in the world. It also eliminates the cost of the infrastructure setup and maintenance and it provides auto-scaling (shrinking or expanding the resources on demand) which ensures high speed and productivity. However, this platform could also be the target of all kinds of attacks including data breach, computation breach, flooding attacks, DoS/DDoS attacks, cloud integrity attacks, cross-virtual machine (VM) attacks, timing attacks, VM co-residence attacks, and so on. ¹⁴⁵ For example, the difficulty to tackle cloud integrity attacks includes untrustworthy cloud servers and computational complexity of some approaches. Some recent counter approaches for cloud integrity attacks are listed as follows. In the work by Fu et al., ¹⁴⁶ a similarity search method for encrypted documents based on simhash is proposed to find similar encrypted documents stored in clouds. In the work by Xia et al., ¹⁴⁷ to prevent semi-honest cloud servers, image contents are encrypted via a stream cipher to add a watermark and indexed via a locality-sensitive hash. In the work by Fu et al., ¹⁴⁸ a multi-keyword fuzzy ranked search scheme is proposed for keyword-based search over encrypted outsourced data with keyword transformation and keyword weight. In the work by Fu et al., ¹⁴⁹ searchable encryption is based on content-aware search scheme using conceptual graphs with numerical vectors from linear forms and multi-keyword ranked search over encrypted cloud data. In the work by Fu et al., ¹⁵⁰ searchable encryption is based on conceptual graphs over encrypted outsourced data with sentence scoring in text summarization and Tregex to extract the topic sentences from documents to convert into conceptual graphs. In the work by Shen et al., ¹⁵¹ to counter the semi-trusted due to the cloud provider as the third party, a framework for urban data sharing by exploiting the attribute-based cryptography to support dynamic operations is proposed.

Clouds could also be the target of DDoS attacks. Info Security reported that in the first quarter of 2015, one-third of the DDoS mitigation services were applied to IT services/Cloud/SaaS sectors. ¹⁵² Cloud computing provides auto-scaling, pay-as-you-go accounting multi-tenancy service which makes it an attractive choice for the people around the world. But at the same time, these features are also very useful for a successful DDoS attack. ¹⁴⁴ In cloud infrastructure, cloud servers run many VMs to ensure services to the users. When an attacker attacks a server, the server may take this situation as a high resource utilization scenario. Then, the auto-scaling feature applies resource allocation, migration, or placement process to solve this overloaded situation. If this process continues, finally, the DDoS attack becomes successful and this attack imposes some direct and indirect effects on the services and revenues. IP spoofing, SYN flooding, buffer overflow, ping of death, and land attack are some example DDoS attacks in the cloud platforms. ¹⁵³ Defense against DDoS attacks on clouds can also be achieved in three different ways: attack prevention, attack detection, and attack mitigation. Attack prevention methods include challenge response authentication,^154–156 hidden servers or ports,^157,158 resource limit^159,160 techniques where attack detection methods utilize anomaly detection,^161,162 BotCloud detection^163,164 techniques to prevent and detect a DDoS attack. Furthermore, some mitigation techniques are also found, including resource scaling,^165,166 software-defined networking (SDN),^167,168 and so on, to mitigate DDoS attacks on clouds.

DDoS attacks on smart grids

Smart Grid is the evolution of the traditional power grid to a smart infrastructure which incorporates the Information and Communication Technologies (ICT) to the traditional electric power supply systems.^169–171 It is a distributed power source with automated maintenance and operating capabilities which improve reliability and quality of the power as well as enhance the capacity and efficiency of the traditional power systems. ¹⁷² It requires a robust communication network for its reliable access, process, and delivery of the information. This delivery becomes damaged or disrupted when a DoS attack gets success in the smart grid, and as indicated in the work by Liu et al., ¹⁷³ there are significant amount of attacks in smart grids. Moreover, in smart grid, it is very important to ensure the timing constraints of the transferred messages because this timing constraint is the benchmark to the reliable monitoring and control of the systems. This constraint also imposes a threat to the smart grid since the main impact of the DoS attack is to make the system unavailable to reach and this introduces delay to the transfer of the messages. In Smart Grid, DoS attacks can target different communication layers: network, transport, medium access control (MAC), and physical layers through flooding or jamming in the substations. ¹⁷¹ Also, the intelligent electronic devices (IEDs) or the supervisory control and data acquisition centers can be the target of DoS attacks. Thus, a successful DoS attack can cause severe service degradation as the control and monitoring operations depend on timely message transfer. Attack detection and attack mitigation mechanisms are two main defense methodologies against DoS attacks in smart grid. There are many different attack detection methods that work to detect DoS attacks in smart grid. Signal-based detection^174,175 and packet-based detection^174,176 methods work to detect jamming attacks in the networks. These detection schemes are also applicable for passive detection of the DoS attacks in wireless-based smart grid applications as well as general detection of DoS attacks. Moreover, rate limiting or filtering techniques to the network layer work to mitigate the impacts of DoS attacks in smart grid. Also, the jamming-resilient schemes that have been used in the wireless network can also be used to mitigate the DoS attacks in the wireless communication–dependent smart grid.

DDoS attacks on smart homes

Through the emerging growth of the Internet and technology, our life is becoming smart day by day. As a consequence, a home of today is considered as a smart home if it is connected to a communication network. Using this connection, the resident of the home can control, monitor, and program all the smart home appliances (smart fridge, smart TV, security alarm, etc.) from a remote location. These smart home devices ease the life and increase security of a home owner. But at the same time, these devices may introduce an immense threat if they get attacked by any cyber attack. According to the work by Mantas et al., ¹⁷⁷ the security of a smart home depends on six main properties: confidentiality, integrity, authentication, authorization, non-repudiation, and availability. A DoS/DDoS attack targets availability of the smart devices by a partial or total interruption to the communication system. Auriemma ¹⁷⁸ and Nunes ¹⁷⁹ have reported that DoS attacks on smart TVs freeze the normal service and operation of the devices. To protect a smart device from the DoS attack, it is important to ensure authentication of the system. ¹⁸⁰ In this way, it will be possible to block unauthorized devices and services. Furthermore, more threatening scenario is the use of smart devices to create the botnets of the DDoS attacks. Smart devices are very vulnerable to become zombies since they are less secure devices. Most of the devices have factory built passwords. Therefore, it is very easy for attackers to take the control of such devices and make them the zombies of the attack army. As we have mentioned before, the attack on 21 October 2016 was mainly done by some “smart devices,” specifically the CCTV security cameras. ¹⁸¹ This attack involves tens of millions of IP addresses, most of which are from these smart devices. This attack is the largest (in size) in history. ¹⁸² Since these threats are not very old, till now the only way to prevent the smart devices from being a part of the botnet is to increase the security of the devices itself and it can be ensured by the manufacturers or the end users.

DDoS attacks on IoT systems

The IoTs interconnect network entities of different types ranging from a toaster at a home to a heart monitoring device implanted in a human body, a connected automobile, a smart grid infrastructure, or a web cam of a computer. Thus, the entities of the IoTs are called “highly heterogeneous” networked entities. ¹⁸³ In the work by Strategy and Unit, ¹⁸⁴ the International Telecommunication Union (ITU) has mentioned its vision toward the IoT world as the “technology to provide connectivity to anything.” DuBravac and Ratti ¹⁸⁵ have mentioned that in 2015, the number of connected devices has become 10–20 billion in number, whereas in 2003, there were only 500 million connected devices and in 5 years, the number of connected devices will increase to 40–50 billion in number. ¹⁸³ This scenario shows the tremendous growth of the IoT world which is good and bad at the same time. This is because, according to Trend Micro, Inc, ¹⁸⁶ too many of these IoT devices are not secured at all since the vendors or manufacturers of those devices are not concerned about the security issues of these devices. Moreover, some manufacturers hard coded the less secure credentials of the IoT devices which cannot be changed but they are very easy to guess. ¹⁸⁷ As a result, in the last few months of the 2016, the cyberworld has faced some of the largest (in size) DDoS attacks of its history on https://KrebsOnSecurity.com (620 Gbps), ¹⁸⁸ OVH attack (990 Gbps), ¹⁸⁹ and Dyn DNS (1.2 Tbps). ¹⁹⁰ All of these attacks have involved millions of IPs from all of these smart devices. As we have already mentioned in section “Prevention based on awareness,” it is very important to ensure device security through the actions from the device manufacturers and end users. On the other hand, as the IoT devices are working in different sophisticated areas such as health care, rescue service, connected vehicles, if these devices face a DoS attack, a catastrophic event may occur if the devices deny to communicate and provide services in critical situations. So far authentication is the solution to the DoS attacks in such devices. Thus, it is very important to put more attentions to this massively growing field of the Internet.

DDoS attacks on CPSs

According to the work by Baheti and Gill, ¹⁹¹ CPS refers to a new generation of systems with integrated computational and physical capabilities. Thus, it is a future system that will work as a bridge between the cyber and the physical worlds of computing. The main idea is to introduce enhanced control, monitoring, and coordination in different critical systems such as aerospace, health care, urban automobile. ¹⁹² As this system is also dependent on trusted communication, a DoS attack may incur significant threats to the availability and service of the system. This is an ongoing research issue to consider for a robust CPS in general.