Our dependence on the internet for simple and time critical applications make availability of services a top security concern. There are many attacks to threaten the availability of service, but Distributed Denial of Service (DDoS) attack constitute one of the major and the most growing threat to severely degrade the system performance. DDoS defense has been matured over time and many solutions have been proposed to solve this problem. However, most of the research is focused on detecting and blocking this attack, which results in significant disruption before regaining system control and are not suitable for critical infrastructures. So, researchers come up with an interesting alternative, overlay based defensive approaches, which try to survive the attack by providing sustainable performance to the legitimate clients in attack situations. This article provides a review of the overlay based defensive techniques by categorizing them into two classes based on their underlying strategy: Proactive and Reactive approaches. The techniques within each category are discussed along with their advantages and disadvantages, and are studied comparatively with respect to relevant performance criteria. This paper also discusses the vulnerabilities of these architectures to guide the development of more robust procedures to combat DDoS attacks.
L.M.Aiello, M.Milanesio, G.Ruffo and R.Schifanella, An identity-based approach to secure P2P applications with Likir, in: Peer-to-Peer Networking and Applications, 2011, pp. 420–438.
2.
D.Andersen, H.Balakrishnan, F.Kaashoek and R.Morris, Resilient overlay networks, in: Proceedings of the Eighteenth ACM Symposium on Operating Systems Principles, Banff, Alberta, Canada, 2001, pp. 131–145. doi:10.1145/502034.502048.
3.
D.G.Andersen, Mayday: Distributed filtering for Internet services, in: Proceedings of the Fourth USENIX Symposium on Internet Technologies and Systems, 2003, p. 3.
4.
D.G.Andersen, E.Shi, I.Stoica and A.Perrig, OverDoSe: A generic DDoS protection service using an overlay network, Technical report CMU-CS-06-114, Carnegie Mellon University, 2006.
5.
F.Baiardi and D.Sgandurra, Attestation of integrity of overlay networks, Journal of System Architecture57 (2011), 463–473. doi:10.1016/j.sysarc.2010.06.001.
6.
H.Beitollahi and G.Deconinck, An overlay protection layer against denial-of-service attacks, in: Proceedings of Parallel and Distributed Processing, 2008, pp. 1–8.
7.
H.Beitollahi and G.Deconinck, Analyzing well-known countermeasures against distributed denial of service attacks, Computer Communications35 (2012), 1312–1332. doi:10.1016/j.comcom.2012.04.008.
8.
T.Bu, S.Norden and T.Woo, A survivable DoS-resistant overlay network, Computer Networks50 (2006), 1281–1301. doi:10.1016/j.comnet.2005.06.010.
9.
M.Castro, P.Drusche, A.Ganesh, A.Rowstron and D.S.Wallach, Secure routing for structured peer-to-peer overlay networks, in: Proc. of the 5th Usenix Symposium on Operating Systems Design and Implementation, Boston, MA, 2002, pp. 299–314. doi:10.1145/1060289.1060317.
S.Chen, Y.Ling, R.Chow and Y.Xia, AID: A global anti dos service, Computer Networks51 (2007), 4252–4269. doi:10.1016/j.comnet.2007.05.005.
12.
C.Douligeris and A.Mitrokotsa, DDoS attacks and defense mechanism: Classification and state-of-the-art, Computer Networks44 (2004), 643–666. doi:10.1016/j.comnet.2003.10.003.
13.
P.Du and A.Nakao, Over court: DDoS mitigation through credit-based traffic segregation and path migration, Computer Communications33 (2010), 2164–2175. doi:10.1016/j.comcom.2010.09.009.
14.
P.Du and A.Nakao, DDoS defense deployment with egress and ingress filtering, in: Proc. ICC, 2010, pp. 1–6.
15.
M.Ficco and F.Palmieri, Introducing fraudulent energy consumption in cloud infrastructures: A new generation of denial-of-service attacks, IEEE Systems Journal99 (2015), 1–11.
Headlines, DDoS attacks against government and entertainment websites escalate, 2012, available at http://www.infosecisland.com/blogview/19543-DDoS-Attacks-AgainstGovernment-and-Entertainment-WebsitesEscalate.html (accessed August 2013).
18.
R.Kaur, A.Sangal and K.Kumar, Secure overlay services (SOS): A critical analysis, in: Proceedings of Parallel Distributed and Grid Computing, 2012, pp. 457–462.
19.
A.D.Keromytis, V.Misra and D.Rubenstein, Using overlays to improve network security, in: Proceedings of SPIEITCom Conference on Scalability and Traffic Control in IP Networks II, 2002, pp. 245–254. doi:10.1117/12.475275.
20.
A.D.Keromytis, V.Misra and D.Rubenstein, SOS: An architecture for mitigating DDoS attacks, IEEE Journal on Selected Areas in Communication22 (2006), 176–188.
21.
J.Kurian and K.Sarac, FONet: A federated overlay network for DoS defense in the Internet, in: Global Internet Symposium, Barcelona, Spain, 2006.
G.Loukas and G.Oke, Protection against denial of service attacks: A survey, The Computer Journal53 (2010), 1020–1037. doi:10.1093/comjnl/bxp078.
24.
J.Mirkovic and P.Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communications Review34 (2004), 39–53. doi:10.1145/997150.997156.
25.
W.G.Morein, A.Stavrou, D.L.Cook, A.D.Keromytis, V.Misra and D.Rubenstein, Using graphic Turing tests to counter automated DDoS attacks against web servers, in: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), 2003, pp. 8–19. doi:10.1145/948109.948114.
26.
F.Palmieri, M.Ficco and A.Castiglione, Adaptive stealth energy-related DoS attacks against cloud data centers, in: Proceedings of Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2014, pp. 265–272.
27.
F.Palmieri, S.Ricciardi, U.Fiore, M.Ficco and A.Castiglione, Energy-oriented denial of service attacks: An emerging menace for large cloud infrastructures, The Journal of Supercomputing71 (2015), 1620–1641. doi:10.1007/s11227-014-1242-6.
28.
C.Papadopoulos, R.Lindell, J.Mehringer, A.Hussain and R.Govindan, COSSACK: Coordinated suppression of simultaneous attacks, in: Proceedings of DISCEX, 2003, pp. 2–13.
29.
T.Peng, C.Leckie and K.Ramamohanarao, Survey of network based defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys39 (2007), 1–42. doi:10.1145/1216370.1216373.
30.
M.Srivatsa and L.Liu, Vulnerabilities and security threats in structured overlay networks: A quantitative analysis, in: Proceedings of Computer Security Applications, 2004, pp. 252–261.
31.
A.Stavrou, D.L.Cook, W.G.Morein, A.D.Keromytis, V.Misra and D.Rubenstein, WebSOS: An overlay-based system for protecting web servers from denial of service attacks, Computer Networks48 (2005), 781–807. doi:10.1016/j.comnet.2005.01.005.
32.
A.Stavrou and A.D.Keromytis, Countering dos attacks with stateless multipath overlays, in: Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS’05), ACM, New York, USA, 2005, pp. 249–259. doi:10.1145/1102120.1102153.
33.
A.Stavrou, A.D.Keromytis, J.Nieh, V.Misra and D.Rubenstein, Move: An end-to-end solution to network denial of service, in: The ISOC Symposium on Network and Distributed System Security (SNDSS), 2005.
34.
I.Stoica, R.Morris, D.Karger, F.Kaashoek and H.Balakrishnan, Chord: A scalable peer-to-peer lookup service for Internet applications, IEEE/ACM Trans. Networking11 (2003), 17–32. doi:10.1109/TNET.2002.808407.
35.
X.Wang, S.Chellappan, P.Boyer and D.Xuan, On the effectiveness of secure overlay forwarding systems under intelligent distributed DoS attacks, IEEE Transactions on Parallel and Distributed Systems17(7) (2006), 619–632. doi:10.1109/TPDS.2006.93.
36.
D.Xuan, S.Chellappan, X.Wang and S.Wang, Analyzing the secure overlay services architecture under intelligent DDoS attacks, in: Proceedings of the 24th International Conference on Distributed Computing Systems, 2004, pp. 408–417.
