
IEEE SYSTEMS JOURNAL, VOL. 11, NO. 4, DECEMBER 2017 2761

Filtering-Based Defense Mechanisms Against DDoS Attacks: A Survey

Kübra Kalkan, Gürkan Gür, and Fatih Alagöz

Abstract—This paper presents a comprehensive survey on filtering-based defense mechanisms against distributed denial of service (DDoS) attacks. Several filtering techniques are analyzed and their advantages and disadvantages are presented. In order to help network security analysts choose the most appropriate mechanism according to their security requirements, a comparative classification of these methods is provided. The relevant research efforts are identified and discussed for rendering the current state of the art in the literature. This classification will also serve researchers to address weaknesses of these filtering methods, and thus mitigate DDoS attacks using more effective defense mechanisms.

Index Terms—Denial of service (DoS), distributed denial of service (DDoS), internet security, intrusion detection and prevention systems, traffic filtering.
I. INTRODUCTION

Fig. 1. Classification of DDoS attack studies.

Denial of Service (DoS) attacks have become a serious problem with the ubiquitous proliferation of IP-based systems. Although it was already known in the 1980s, it has become a predominant issue for network and information security over the last two decades. In 1984, DoS attacks were defined as the cases of “intruder preventing legitimate users to access shared resources by using almost all available services” [1]. In other words, the simple strategy behind a DoS attack is to deny the use of system services/resources to legitimate users and degrade system availability. The fundamental mechanism for DoS attack execution is to send a flood of superfluous network traffic to the target so that it cannot respond to genuine requests for services or information. If multiple sources are used by the attacker(s), this is known as Distributed Denial of Service (DDoS), and is much more catastrophic than DoS [2]. Currently, botnet tools available on the Internet provide attackers with massive DDoS resources and a high level of stealth against countermeasures. Other DoS attacks include the physical destruction of computer hardware and the use of electromagnetic interference designed to destroy unshielded electronic equipment via current or voltage surges [3].

The first documented DoS attack occurred in 1999 at the University of Minnesota [4]. It blocked the computer system for more than two days. In 2000, DDoS attacks were carried out against major Internet and media companies such as Yahoo, CNN, eBay, and Amazon [5]. For these Information Communication Technology (ICT) systems, even brief periods of inaccessibility can result in huge financial and business losses [6]. For instance, in 2010 the websites of Mastercard, PayPal, Visa, and PostFinance were shut down by DDoS attacks in response to their involvement in the banning of donations to WikiLeaks [7]. DDoS is not only used to cause financial and reputational damage, but also for political reasons. There was a DDoS attack on the White House Website in 2002 [8], and in 2009 media websites were attacked in Belarus because of a political issue between Georgia and Russia [9]. Similarly in 2009, during the Israel and Palestinian conflict in Gaza, both sides utilized DDoS attacks against the websites of their opponents [10]. Likewise in 2013, during the Gezi Park revolt in Turkey, many governmental websites were put out of service by DDoS attacks.

As a general phenomenon, the scale and size of recent DDoS attacks have increased. According to the Prolexic 2014-Q1 Global DDoS Attack Report [11], total attacks increased by 18% compared to the same quarter of the previous year. Although the average attack duration reduced by 24%, from 22.88 to 17.38 h, the average peak attack bandwidth increased by 114% from 4.53 to 9.70 Gbps and the peak packets-per-second rate went up by 87% from 10.60 to 19.80 Mpps. Wider bandwidths for Internet end-points and increasing hyperconnectivity have also increased the practicality of these types of attack. Moreover, the proliferation of Cyber-Physical Systems (CPSs) has brought the inclusion of previously uncharted territories such as Internet of Things (IoT) and machine-to-machine networks into the at-risk domain.

Due to the increasing size and widespread occurrence of DDoS attacks, they have become a major research topic for academicians and security engineers. Fig. 1 depicts the global

Manuscript received October 28, 2014; revised October 16, 2015, March 14, 2016, and June 27, 2016; accepted August 16, 2016. Date of publication September 27, 2016; date of current version November 22, 2017. This work was supported in part under TUBITAK TEYDEB Project STS No. 3141000.
The authors are with the SATLAB, Department of Computer Engineering, Bogazici University, Istanbul 34342, Turkey (e-mail: kubra.kalkan@boun.edu.tr; [email protected]; [email protected]).
Digital Object Identifier 10.1109/JSYST.2016.2602848

1937-9234 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

picture of research areas related to DDoS attacks. Proposals in the literature can be grouped as those works that are related to attack types, attack tools, and defense mechanisms. A potent network security strategy needs to consider DDoS attacks to support security efforts, and the initial phase of these efforts has focused on how to define and convey the features and types of DDoS [12], [13]. Some of the more famous attack types are: TCP SYN Flood attack, SQL Slammer Worm attack, UDP Flood, Ping of Death, DNS Amplification, and NTP attacks. There are also various studies that focus on the features, advantages/disadvantages, and classification of the attack tools [12], [13]. DDoS attacks use several tools to deplete the system resources of their targets. These include: Trinoo [14], TFN [15], TFN2K [16], Stacheldraht [17], mstream [18], Shaft [19], Trinity [20], and Knight [21]. In consideration of all these efforts, the main aim of DDoS research is to facilitate defense capabilities and devise elements of a security infrastructure, which can overcome DDoS attacks. In that regard, the basic defense toolkit against DDoS includes the capability for both detection and prevention. Detection mechanisms are explained in Section II. Prevention mechanisms are classified as capability based and filtering based. Our main focus is on filtering-based mechanisms, which are explained in detail in Section III.

The main functions of intrusion prevention include identifying malicious activities, logging information about them, actively preventing/blocking them, and reporting these incidents to security administrators. Intrusion prevention systems are placed in-line and can take actions such as sending an alarm, dropping malicious packets, resetting the connection, and/or blocking traffic from the offending IP address [32]. As shown in Fig. 1, prevention mechanisms can be classified as being either capability based or filtering based [33]. In capability-based mechanisms, the sender must obtain explicit authorization from the receiver before sending significant amounts of traffic. This authorization is called capability. These mechanisms are analyzed in [34]. Filter-based mechanisms, however, use traffic filtering, which is a very effective and widely employed mechanism for network security in terms of intrusion prevention. In this study, we deal with filtering-based methods since (to the best of our knowledge) there is no comprehensive treatment that focuses on this topic and DDoS in the current literature. Our main goal is to construct an exhaustive categorization of existing filtering methods and provide a detailed comparison. We hope that this study will also be instrumental for the understanding of these mechanisms and will assist in the choice of the most appropriate according to the specific contexts and circumstances. In addition, this study establishes a baseline for any proposed filtering method against DDoS attacks.

This paper is structured as follows: In the following section, a literature review of DDoS detection mechanisms is presented. In Section III, filtering-based defense mechanisms are explained. Section IV contains the classification and comparison of filtering mechanisms. Section V discusses several research directions and future perspectives for filtering methods. Finally, Section VI concludes the paper.

II. DDOS DETECTION MECHANISMS

DDoS attacks generally use packets that are very similar to those of legitimate users, thereby making their detection a challenging task. In addition, this virtual indistinguishability results in false alarms that are termed false positives. Accordingly, a good detection technique should be able to identify DDoS attacks quickly and have a low false positive rate. Since a DDoS attack is a type of intrusion, initial DDoS detection techniques were classified as intrusion detection systems (IDS). IDSs rely on two types of detection approach, namely anomaly based and misuse (signature) detection based [13]. In the anomaly-based detection, normal behavior is learned through a long period of training and the abnormal deviation is then detected during operation. Misuse detection, on the other hand, examines several a priori exploits and the pattern or signature of these exploits is then determined. If any similar pattern is detected, it is marked as an attack. However, it is known that it is difficult to determine a pattern or signature since attackers often change the type and content of their attack [35]. For this reason, it is generally accepted that misuse detection is not efficient against DDoS attacks [36].

In addition to the basic duality of anomaly versus signature-based DDoS attacks, other classifications have also been proposed for DDoS detection techniques. According to You et al. [37], classification can be based on the principle of utilizing the IP attributes of the packets. IP-Attributes-based DDoS Detection can use attributes such as the source IP address [38], time-to-live (TTL) [39], distance [37], and a combination of multiple attributes [40] such as protocol type, packet size, and server port number. Another method, Traffic Volume based DDoS Detection, analyzes the overall traffic structure and attempts to find anomalies according to levels of deviation from normal traffic volume [41].

In [42] and [43], DDoS detection techniques are classified according to the algorithms used for detection. According to this taxonomy, there are three groups: activity profiling (statistical techniques), sequential change-point, and wavelet analysis. This classification is extended by Beitollahi et al. [22] to four groups with the addition of neural networks (for a summary, see Table I). In activity profiling, packet header information is utilized to construct the profile of a traffic flow. The elapsed time between similar consecutive packets having the same address and port numbers reveals the average packet rate, or so called activity level. To detect an attack, this reference model is then compared with current traffic via statistical techniques. If the traffic behaves differently than this reference model, an attack is declared. In [23], entropy and Chi-Square statistical techniques are used to obtain the statistical distribution of features for data traffic flows. Based on these calculations, any abnormal behavior of a flow is detected by comparing it to normal traffic statistics. In [24], after entropy calculation, Lee et al. used clustering techniques in order to identify anomalies in traffic with respect to normal flow rates. By considering the features of traffic, several variables can be determined. These variables are then normalized to eliminate the effect of the difference between their scales. Normalization is applied with the following formula:

z = \frac{x - \bar{x}}{s}   (1)

where x is the value of each variable, x̄ is the mean of the sample dataset, and s is the sample standard deviation. Also, in order to measure any dissimilarities between the clusters, Euclidean
distance is utilized, which is

D(x, y) = \sqrt{\sum_{i=1}^{n} (x_i - y_i)^2}   (2)

where x and y are two records that will be clustered and n is the number of variables. After calculating the distance measures, the cluster numbers are determined by the cubic clustering criterion method [44]. In another work, instead of clustering, the Kolmogorov–Smirnov (KS) technique is utilized for the calculation of relevant statistical distributions [25].

TABLE I. CLASSIFICATION OF DDOS DETECTION MECHANISMS [22] (table not reproduced in this extraction)

In wavelet analysis methods [26], [27], a physical layer is enrolled into the analysis, and the physical layer signal is handled in terms of its spectral components. Anomalies are detected by analyzing the energy of the spectral window. In contrast, the traffic is analyzed as a time series by sequential change-point methods. Initially, traffic data are filtered in terms of address, port, and protocol, followed by a representation in the time domain. Traffic statistics are then used to pinpoint the changes caused by an attack. If the attack started at time λ, the change in the time domain will be λ or greater than λ. In [28] and [29], a cumulative sum (CUSUM) scheme is utilized to find that change point. It monitors the deviation of short-term behavior from the incumbent long-term behavior. If the cumulative difference is larger than an established threshold, an attack is declared. Finally, in neural network based methods, visualization techniques are combined with machine learning algorithms in order to detect DDoS attacks. Traffic attributes are used to train neural networks and visualization techniques are then used to show the existence of possible attacks. Several neural network algorithms such as radial basis function (RBF) [30] and learning vector quantization (LVQ) [31] are employed for these purposes.

III. FILTERING-BASED DDOS DEFENSE MECHANISMS

The detection of DDoS (or any kind of network attack) must be supported by a defense mechanism (countermeasure) to produce any concrete benefit. To this end, the filtering and elimination of “hostile” packets and flows is a very effective DDoS countermeasure against system damage. A filter is essentially a rule that either allows or denies a packet’s entry into the system [45]. Filters are generally installed on routers since they allow or block packets before they can enter a domain. These mechanisms are vital since they intercept attacks intended to harm a large number of machines. In this study, an analysis and classification of filtering mechanisms are carried out to allow a better understanding and comparison of the pros and cons of these methods. For that purpose, two types of taxonomies are applied: the first is based on the features of collaboration, and the second is based on response time. Collaboration-based classification is described in Section III-A, and response time based classification is explained in Section III-B.

A. Collaboration-Based Classification

Filtering mechanisms can be classified according to their degree of collaboration. In some circumstances, machines or nodes need to cooperate in order to learn and make decisions regarding filter application and choice. This type of filtering is called cooperative filtering, which is an alternative to individual filtering.

1) Cooperative Filtering: Cooperative filtering requires a trusted communication mechanism between collaborating machines. In this type, the most important criterion is to communicate and make filtering decisions synchronously during the defense phase. During the initialization phases, communication is utilized to obtain information about routing, and the overall network topology is not considered as a classification factor. In other words, in cooperative filtering mechanisms, machines need to communicate during the entire filtering phase, and not just during preparatory information exchanges such as the Border Gateway Protocol (BGP), routing and IP tabling. These mechanisms can quickly interfere with an attack since they allow the dynamic communication of filtering conditions and rapidly prevent the spreading of the attack in the network.

2) Individual Filtering: Individual filtering supports a stand-alone network device. In other words, the filtering mechanism is installed and runs on a single machine that then decides and creates its own filters. It is easy to deploy since it does not need to cooperate, communicate with, or trust other machines. In addition, the response time against an attack is shorter since it does not suffer from the latency and communication overheads incurred by cooperation. However, it may be inadequate for large-scale, multi-source-to-multi-point attacks.
B. Response Time Based Classification

Filtering mechanisms can also be classified according to the point in time of their reaction. A filtering defense mechanism can be activated before or after the start of a DDoS attack. A similar classification is proposed by Hakem et al. [22]. However, this does not focus on filtering mechanisms. Instead, it is a classification of all the countermeasures against DDoS attacks in terms of the reaction time. From the filtering perspective, there are both proactive and reactive mechanisms.

1) Proactive Filtering: Proactive filtering is a preventive mechanism that is employed before a DDoS attack starts. Since it is proactive, it needs to be successful in its estimation of incoming malicious packets. It may cause some system load since it has to be permanently active. Thus, there is a tradeoff between the additional burden of the prevention mechanism and the possible impact of a DDoS attack.

2) Reactive Filtering: Reactive filtering is employed after a DDoS attack has started. In this scenario, the initial detection of the attack triggers the reactive system. Subsequently, reactive filtering participates in the action(s) and prevents DDoS packets from spreading throughout the network. It does not produce any extra system load since it is only activated after an attack is detected.

C. Analysis of Filtering Mechanisms

In this section, several proposed filtering techniques in the literature are analyzed in order to examine their pros and cons. Moreover, these mechanisms are classified according to their collaboration and response time properties in accordance with the categorization employed by this study.

1) Ingress/Egress Filtering: RFC 2827 defines ingress and egress filtering mechanisms [46]. Ingress filtering refers to the filtering of incoming packets to a network, whereas egress filtering refers to the filtering of outgoing packets from a network. This mechanism is proactive since it prevents DDoS attack packets from entering a network. Moreover, it is an individual filtering mechanism that does not need to cooperate with other routers to make filtering decisions. It can be an effective countermeasure against IP spoofing [36]. However, it is not a comprehensive solution. This is because spoofed IP addresses can also occur within the range of permitted IP addresses. Additionally, various DDoS attacks do not need to use IP spoofing; they may use compromised machines as zombies and utilize their valid IP addresses. In addition, despite the fact that it can be a promising solution for leaf networks since they have a simple structure, it is less instrumental for complex networks as it is not easy to obtain accurate topological information for IP ranges. It also suffers from a performance cost as it is required to check the range of every packet. Finally, the network that contains the router will not benefit directly from egress filtering since it can only prevent attacks against other networks.

2) Route-Based Distributed Packet Filtering (RDPF): In [47], an RDPF mechanism is proposed. It suggests a filtering model that considers route and network topology information while generating filters. In this model, filters are installed on the routers of autonomous systems (ASs). ASs are networks that are under the control of a single administration mechanism. The example in Fig. 2 shows this mechanism. In this example, the attacker is at AS6 which spoofs the IP address of AS1. The victim is at AS3, which is the destination node of the DDoS packets of AS6. If the RDPF is installed at AS5, it will block any packets that have AS1 as their source address and AS3 as their destination address. Since AS5 knows the topology, it can conclude that these packets should go on the AS1-AS2-AS3 path and should not continue to AS5. Thus, AS5 prevents the attack targeting AS3. As it is a preventive mechanism, RDPF is considered to be proactive. In addition, it is also an individual filtering mechanism since it does not need any collaborative communication regarding filters.

Fig. 2. RDPF [47]. The attacker is at AS6, which spoofs AS1, and the victim is at AS3. An RDPF installed at AS5 will block packets from AS1 to AS3 since no other transmission is possible within this topology.

An RDPF mechanism of this type could be a promising solution against randomly spoofed IP addresses. However, it cannot prevent intelligently spoofed IP addresses. If the IP address of a valid AS is spoofed according to the network topology, RDPF cannot prevent a DDoS attack. In addition, this system has a limitation regarding topological changes in dynamic environments such as ad hoc networks. For instance, if AS2 is out of order for some reason, packets from AS1 to AS3 will follow the path AS1-AS0-AS4-AS6-AS5-AS3. In this case, the RDPF in AS5 will mistake legitimate packets for attack packets and block them. In addition, RDPF can only be successful if it is deployed across a significant portion of the Internet. In other words, it exhibits the “network effect,” where the benefit or utility of a mechanism or technology is exponentially related to its number of adopters or proliferation level. Furthermore, this system requires some modifications to BGP messages. It is no small matter to change the common protocols that are widely in use. Moreover, RDPF reduces the performance of routers, since each packet should be checked, and can only block spoofed packets while current DDoS attacks mostly use zombies, which eliminate the need for IP spoofing.

3) Source Address Validity Enforcement (SAVE): Li et al. propose a defense model called SAVE [48], which solves the problem of dynamic changes for routing in RDPF [47]. In this method, the source location periodically sends messages with valid source addresses to all destinations. This signaling enables routers to instantly recognize accurate paths, and accordingly IP ranges. As each router knows the expected IP addresses, they block packets with addresses that are out of this range. Routers receive valid addresses from incoming tables. This model is proactive since it prevents packets with invalid addresses. In addition, it is individual as it does not require filters to be decided cooperatively. This method is more promising than RDPF due to its periodic update of path information. In a similar fashion to RDPF, however, it cannot prevent attacks from intelligently spoofed addresses within valid ranges. In order to provide periodic updates, SAVE needs to change existing routing protocols, which can incur high computational and communication costs.
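The RDPF decision at AS5 and its topology-change failure mode, as an added example that is not code from [47] or from this survey. The AS links are constructed so that the two paths the text names exist (AS1-AS2-AS3, and AS1-AS0-AS4-AS6-AS5-AS3 once AS2 is down); the real Fig. 2 may differ. Routes are modelled as shortest hop-count paths, an assumption standing in for the BGP-derived route knowledge the scheme relies on. The last scenario, a filter rebuilt from the current topology, is the effect SAVE's periodic updates aim for.

```python
"""RDPF (Section III-C.2) on a constructed AS topology modelled after Fig. 2.

Added example, not code from [47] or from the survey.  Links and routing
model (shortest hop count) are assumptions made for the illustration.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed bidirectional inter-AS links.
LINKS: List[Tuple[int, int]] = [(1, 2), (2, 3), (1, 0), (0, 4), (4, 6), (6, 5), (5, 3)]


def build_graph(links: Iterable[Tuple[int, int]],
                down: Iterable[int] = ()) -> Dict[int, Set[int]]:
    """Adjacency sets, omitting every link that touches an AS listed in `down`."""
    down_set = set(down)
    graph: Dict[int, Set[int]] = {}
    for a, b in links:
        if a in down_set or b in down_set:
            continue
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_path(graph: Dict[int, Set[int]], src: int, dst: int) -> Optional[List[int]]:
    """Breadth-first search: AS sequence from src to dst, or None if unreachable."""
    if src == dst:
        return [src]
    prev: Dict[int, Optional[int]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


class RdpfFilter:
    """The RDPF rule at one AS: forward (src, dst) only if this AS lies on the
    route the topology snapshot says src -> dst traffic must take."""

    def __init__(self, at_as: int, topology: Dict[int, Set[int]]):
        self.at_as = at_as
        self.topology = topology  # frozen when the filter table is built

    def accepts(self, src_as: int, dst_as: int) -> bool:
        route = shortest_path(self.topology, src_as, dst_as)
        return route is not None and self.at_as in route


def run_scenarios() -> Dict[str, bool]:
    """The cases the text walks through, evaluated at the AS5 filter."""
    full = build_graph(LINKS)
    stale_filter = RdpfFilter(at_as=5, topology=full)
    # (a) AS6 spoofs AS1 towards AS3: AS1->AS3 belongs on AS1-AS2-AS3, never via AS5.
    spoof_blocked = not stale_filter.accepts(src_as=1, dst_as=3)
    # (b) Genuine AS6 -> AS3 traffic does pass through AS5.
    legit_passes = stale_filter.accepts(src_as=6, dst_as=3)
    # (c) AS2 fails: real AS1->AS3 traffic now detours via AS5, but a filter
    #     built on the old topology still drops it (the false positive).
    degraded = build_graph(LINKS, down=[2])
    detour = shortest_path(degraded, 1, 3) or []
    false_positive = 5 in detour and not stale_filter.accepts(1, 3)
    # (d) A filter rebuilt from the current topology accepts the detour again.
    refreshed_passes = RdpfFilter(at_as=5, topology=degraded).accepts(1, 3)
    return {
        "spoof_blocked": spoof_blocked,
        "legit_passes": legit_passes,
        "false_positive_after_topology_change": false_positive,
        "refreshed_filter_passes": refreshed_passes,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```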
4) Hop Count Filtering (HCF): Jin et al. propose an HCF mechanism against DDoS attacks [49]. This method is based on the principle of considering the TTL values of packets. The initial TTL value is estimated, and the current value is then subtracted from it. As a result, the number of hops that a packet has traveled can be inferred. As the hop count can be readily calculated, a mapping table may be created for legitimate IP addresses and their hop numbers. In this method, there are two states: alert and action. Under normal conditions, this mechanism remains in an alert state in which TTL behavior is monitored and no packets are discarded. When an attack is detected, the HCF mechanism switches to an action state in which packets with abnormal hop counts are discarded.

As this intervention is carried out after a DDoS attack is detected, this mechanism is considered to be reactive. In addition, it is an individual filtering mechanism since it does not require collaboration to make filtering decisions. HCF is a light-weight, simple, and low-storage mechanism. However, it is not an ultimate solution since an attacker can passively monitor and obtain the IP address of a legitimate user and learn its hop count, and then create a packet with these values. This model does not deal with dynamic IP addresses that are very common in today’s Internet, and does not offer any solutions for network address translation (NAT) devices that allow multiple users to use the same IP address. Finally, if the path for a source IP changes due to congestion (or any other reason), its hop count will change and thus the packets of legitimate users may be rejected.

5) PacketScore: A PacketScore scheme [50] is a statistical filtering mechanism wherein each packet is analyzed according to its attribute values and is given a score calculated according to these attributes. A packet is announced as legitimate if its values are below a given dynamic score threshold when they are compared with a baseline profile. This baseline profile is generated based on the Bayesian theorem [51]. It is considered to be an individual filtering mechanism since it performs analysis on its own and then determines its own filters. It is also considered to be proactive since it blocks packets according to a scoring approach. Since it is a statistical method, it can deal with novel DDoS attack types. Moreover, it works well for nonspoofed attacks since it does not solely have a source address attribute, but also other attributes that help it to detect attack packets. However, it still has some drawbacks. Due to its statistical approach, it works well for large volume attacks but cannot filter low-volume attacks. The PacketScore scheme needs to establish a baseline profile that does not include any evidence of an attack. However, finding a quiet, i.e., attack-free, and sufficiently long period on today’s Internet is quite challenging.

6) Secure Overlay Services (SOS): To the best of our knowledge, SOS [52] is the first model that is both proactive and cooperative. It suggests an onion-like model in which users’ packets are authenticated at secure overlay access points that route the traffic through overlay nodes to beacon nodes. Each beacon node then forwards the packets to a secret node called a Secret Servlet, which is known by only a limited number of entities in the SOS architecture. The Secret Servlet then sends the packets to their destinations. The destinations will only accept packets that come from the Secret Servlet. The SOS model is considered to be cooperative since it is distributed over the network and filter decisions are made cooperatively. It is also considered to be proactive since it is constantly active. By this mechanism’s simplification of the rules, it decreases the burden of filtering. However, as it does not use any cryptography, it is easy to locate the Secret Servlet. When an attacker acquires this information, the system can be crippled easily [22]. Moreover, if a passive attacker can eavesdrop on the victim, the IP address of the Secret Servlet may become compromised.

7) Pushback: In [53], Mahajan et al. propose a scheme called Pushback, which rate limits the aggregated traffic from a congested router to its upstream counterparts. In this scheme, congestion is detected locally at the router level. According to the level of this congestion, an appropriate rate limit can be locally determined. Following this, the congested router asks the upstream routers to rate limit the traffic. The Pushback operation is then propagated to the upstream routers. This is the first scheme that proposes a collaborative strategy against DDoS attacks. The Pushback scheme is effective only if the attacking traffic follows a different path from any legitimate traffic. Otherwise, the legitimate traffic will also be punished since it shares the same link as the attack. Moreover, this technique incurs high computational costs since each router along the path between attacker and victim is involved in the propagation of information signaling, including the rate limits. In addition, it does not block all traffic from the attacker; it only limits the attack traffic. This scheme is considered to be both cooperative and reactive as it acts cooperatively after traffic congestion.

8) Active Internet Traffic Filtering (AITF): Argyraki et al. propose a filtering mechanism called AITF [54], which uses a route record scheme to learn the path of each packet. The border routers of each AS participate in recording that path. Filters are then generated according to these paths. When a DDoS attack is detected, packets coming from this path are to be blocked. The targeted system also attempts to filter out the attack as close to its source as possible. In that way, the attack will be prevented from spreading through the network. However, in order to provide this structure, collaboration between various routers is necessary.

This mechanism is considered as both cooperative and reactive. Despite the fact that it is beneficial for the prevention of DDoS attacks, it still has some drawbacks. First of all, the route record technique adds some system load in terms of packet length and packet processing. Since packets travel through several border gateway routers, they can cause unnecessary fragmentation that results in processing overheads. Additionally, gateway routers have a limited capacity for filters, and this can be exploited by attackers sending fake filters. This method also requires significant changes to the network infrastructure.

9) StopIt: Liu et al. propose a filtering mechanism called StopIt [55]. This scheme involves a closed control channel, which means that each interacting pair knows each other’s identity. Additionally, it allows any destination to stop attack traffic from any source. The StopIt system architecture is depicted in Fig. 3. In this mechanism, each AS has its own StopIt server that handles filter requests. In a typical flow, a victim (V) installs a filter to block an attacker (A). V sends a filter request to its access router (Rv). The Rv sends this request to its StopIt server. Following this, AS3’s StopIt server sends the request to AS1’s StopIt server. It communicates with the access router of the attacker (Ra). Ra installs this filter and sends a StopIt request to the attacker. If the attack does not cease, it will be punished by the Ra. The thin arrows in Fig. 3 show the filter request exchanges
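The HCF mechanism of item 4, as an added example that is not code from Jin et al. [49] or from this survey: hop count inferred from the TTL, a table of legitimate source addresses and their hop counts, and the alert/action states. The rule used to guess a packet's initial TTL (the smallest common initial value not below the observed one), the set of common initial TTLs, and the sample addresses and TTLs are assumptions constructed for the illustration; a real deployment learns the table from observed legitimate traffic. The last case reproduces the limitation the text notes: a route change moves a genuine host's hop count and its packets are rejected along with the spoofed ones.

```python
"""Hop Count Filtering (HCF, Section III-C.4) with alert and action states.

Added example, not code from [49] or from the survey.  Initial-TTL guessing
rule, common TTL set, addresses and TTL values are constructed assumptions.
"""
from typing import Dict, Optional

# Common initial TTL values set by operating systems (assumption for the example).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(observed_ttl: int) -> int:
    """Estimate the initial TTL as the smallest common value >= the observed TTL
    and return the difference: the number of hops the packet has traversed."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL is a single byte")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: 255 covers every byte value")


class HopCountFilter:
    ALERT = "alert"    # monitor only; nothing is dropped
    ACTION = "action"  # drop packets whose hop count disagrees with the table

    def __init__(self, table: Dict[str, int]):
        self.table = dict(table)   # legitimate source IP -> expected hop count
        self.state = self.ALERT
        self.mismatches = 0        # counted in both states, feeds attack detection
        self.unknown_sources = 0

    def expected_hops(self, src_ip: str) -> Optional[int]:
        return self.table.get(src_ip)

    def handle(self, src_ip: str, ttl: int) -> str:
        """Return 'accept' or 'drop' for one packet."""
        expected = self.expected_hops(src_ip)
        observed = infer_hop_count(ttl)
        if expected is None:
            self.unknown_sources += 1  # no table entry: nothing to compare against
            return "accept"
        if observed != expected:
            self.mismatches += 1
            if self.state == self.ACTION:
                return "drop"
        return "accept"

    def attack_detected(self) -> None:
        self.state = self.ACTION

    def attack_ended(self) -> None:
        self.state = self.ALERT


# Constructed table (RFC 5737 documentation addresses) learned during quiet time.
LEGIT_TABLE = {"203.0.113.10": 10, "198.51.100.7": 14}


def run_demo() -> Dict[str, str]:
    hcf = HopCountFilter(LEGIT_TABLE)
    results: Dict[str, str] = {}
    # Alert state: a packet claiming 203.0.113.10 but 12 hops away (initial TTL
    # 64) is only counted, not dropped.
    results["spoofed_in_alert"] = hcf.handle("203.0.113.10", 64 - 12)
    hcf.attack_detected()
    # Action state: the same mismatch is now discarded ...
    results["spoofed_in_action"] = hcf.handle("203.0.113.10", 64 - 12)
    # ... while the genuine host, 10 hops away with an initial TTL of 128,
    # still matches its table entry.
    results["legit_in_action"] = hcf.handle("203.0.113.10", 128 - 10)
    # Limitation from the text: after a route change the genuine host arrives
    # at 12 hops and is rejected like the spoofer.
    results["legit_after_reroute"] = hcf.handle("203.0.113.10", 128 - 12)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```

The table keys a fixed hop count to a fixed address, which is why the text singles out dynamic addressing and NAT as weak spots: several hosts behind one address, or one host changing address, give the filter nothing stable to compare against.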
2766 IEEE SYSTEMS JOURNAL, VOL. 11, NO. 4, DECEMBER 2017

Fig. 3. StopIt [55]. Victim (V) sends filter to its access router (Rv), which communicates with its StopIt server. The StopIt server of AS3 communicates with the
StopIt server of AS1 in order to reach the attacker. The StopIt server of AS1 communicates with the access router (Ra), which blocks traffic after filter installation.

between the mutually-identified peers, whereas the thick ones show the network traffic flow. After filter installation, the traffic is blocked between A and Ra. This scheme uses a passport system to make secure authentication [56]. The passport adds tokens to packets that allow the ASs to verify that the source address is valid.
The StopIt scheme is considered to be both a cooperative and reactive approach. The most important advantage of the StopIt system is the capability of its on-the-fly filter installation during DDoS attacks. Routers do not drop filter requests during attacks since the StopIt servers deal with filtering. However, this system requires the configuration of the routers and the StopIt servers to identify each other and all their hosts before communication. This deployment process is not a trivial matter since there are several ASs, and each AS may have thousands of nodes.
10) Probabilistic Filter Scheduling (PFS): In [45], Seo et al. define a filter technique that deals with not only filtering, but also its scheduling and how to find the best locations for filters. The proposed scheme is called the PFS. It has four main phases. In Phase 1, path identification is provided by using the probabilistic packet marking technique. A filter router (FR) probabilistically writes its own IP address to the IP header of the packets. In Phase 2, the victim collects all the markings and constructs marking values to request a filter. In Phase 3, an FR that receives several filter requests applies a filter scheduling policy and chooses the best k filters. It then sends these filters to its upstream routers. In Phase 4, as soon as the attack stops, the scores of the corresponding filters are decreased and these filters are revoked from the FRs.

Fig. 4. PFS schemes. (a) Fixed probabilistic filter scheduling (PFS) [45]. (b) Adaptive probabilistic filter scheduling (APFS) [57].

The PFS phases are depicted in Fig. 4(a). FRs 1, 2, 3, and 4 probabilistically mark their addresses as 1, 2, 3, and 4, respectively. The large arrow shows the packets generated by the attacker. The victim collects 1, 2, 3, and 4, and creates filters by combining these markings. It then sends filters to FR4. FR4 creates a filter schedule and chooses the best k filters according to scores determined by frequency and recency. The filters are propagated from FR4 to FR1 on a hop-by-hop basis. At the end of the attack, FR4 evicts the useless filters. The PFS scheme propagates filters to an optimal location closer to the attack. Also, it maximizes its effectiveness since it chooses the best k filters according to frequency and recency of filter requests. These filters are chosen according to their scores $S_n(I)$, which are calculated as
$$S_n(I) = S_{n-1}(I) - \frac{P_{n-t}(I)}{n} + \frac{P_n(I)}{n} - \gamma \qquad (3)$$
where $S_n(I)$ is the score of the filter $I$ at the current time $n$. Parameter $t$ denotes the time window, whereas $\gamma$ is the penalty used to decrease the filter score so that it can be used for filter revocation in Phase 4. $P_n(I)$ is calculated as
$$P_n(I) = F \cdot m + R \cdot (t_c - t_p) \qquad (4)$$
where $F$ is the weight of frequency and $R$ is the weight of recency. Parameter $m$ denotes how many times the filter is used, while $t_c$ and $t_p$ show the current and previous packet arrival times associated with the filter, respectively. This equation leads to a dynamic list of filters with different scores, i.e., different levels of suitability. The best k filters are then chosen from this list.
The PFS scheme is considered to be cooperative since the filters are decided and propagated in collaboration. It is also considered to be reactive since it stops an attack after receiving filter requests that follow the detection of a DDoS attack by a victim. The PFS algorithm also induces some system load. In addition, it requires a security agreement between routers for them to accept filters. It also includes marking overwriting since all nodes have fixed probabilistic packet marking. In order to improve this scheme, another approach called Adaptive Probabilistic Filter Scheduling (APFS) is proposed, which is discussed in the following section.
11) Adaptive Probabilistic Filter Scheduling: In [57], Seo et al. improve on their PFS scheme [45] and propose APFS.
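The StopIt request flow of Fig. 3 (V to Rv, Rv to its AS's StopIt server, server to server, server to Ra, Ra to the attacker), as an added simulation that is not code from [55] or from this survey: host names, router names, AS numbers and the message strings are constructed, and the passport tokens of [56] that authenticate requests are not modelled.

```python
"""Simulated StopIt filter-request flow (constructed example). Host names,
router names, AS numbers and message strings are made up; the passport
tokens of [56] that authenticate the requests are not modelled."""
from dataclasses import dataclass, field


@dataclass
class AccessRouter:
    """An access router: knows the hosts it fronts and drops flows matching installed filters."""
    name: str
    hosts: frozenset
    filters: set = field(default_factory=set)           # (src, dst) pairs to drop
    stop_requests: list = field(default_factory=list)   # StopIt requests sent to attached hosts

    def forwards(self, src: str, dst: str) -> bool:
        """True if a src->dst packet passes this router, False if an installed filter drops it."""
        return (src, dst) not in self.filters

    def install(self, src: str, dst: str, log: list) -> None:
        self.filters.add((src, dst))
        log.append(f"{self.name}: filter {src}->{dst} installed")
        if src in self.hosts:                           # Ra tells the attached source to cease
            self.stop_requests.append((src, dst))
            log.append(f"{self.name} -> {src}: StopIt {src}->{dst}")


class StopItServer:
    """One server per AS. It is pre-configured with its routers and hosts and with the
    other ASs' servers, which is the closed control channel the text describes."""

    def __init__(self, asn: int, routers) -> None:
        self.asn = asn
        self.router_of = {h: r for r in routers for h in r.hosts}
        self.peers = {}                                 # asn -> StopItServer

    def owner_of(self, host: str):
        """The server whose AS fronts `host`, or None if nobody claims it."""
        if host in self.router_of:
            return self
        return next((p for p in self.peers.values() if host in p.router_of), None)

    def handle(self, src: str, dst: str, log: list) -> bool:
        """Process a filter request to block src->dst; True once a filter is installed."""
        owner = self.owner_of(src)
        if owner is None:                               # unknown source: cannot be honoured
            log.append(f"AS{self.asn} server: no AS claims {src}, request dropped")
            return False
        if owner is not self:                           # relay to the source AS's StopIt server
            log.append(f"AS{self.asn} server -> AS{owner.asn} server: filter {src}->{dst}")
            return owner.handle(src, dst, log)
        ra = self.router_of[src]
        log.append(f"AS{self.asn} server -> {ra.name}: filter {src}->{dst}")
        ra.install(src, dst, log)
        return True


def delivered(path, src: str, dst: str, count: int) -> int:
    """How many of `count` src->dst packets traverse every router on `path` unfiltered."""
    return sum(1 for _ in range(count) if all(r.forwards(src, dst) for r in path))


def scenario() -> dict:
    """Victim V (AS3) asks its access router Rv to block attacker A (AS1), as in Fig. 3."""
    ra = AccessRouter("Ra", frozenset({"A"}))
    rv = AccessRouter("Rv", frozenset({"V"}))
    s1, s3 = StopItServer(1, [ra]), StopItServer(3, [rv])
    s1.peers[3], s3.peers[1] = s3, s1
    path = [ra, rv]                                     # A -> Ra -> ... -> Rv -> V
    log = ["V -> Rv: filter A->V", "Rv -> AS3 server: filter A->V"]
    before = delivered(path, "A", "V", 5)               # attack traffic before the request
    ok = s3.handle("A", "V", log)
    after = delivered(path, "A", "V", 5)                # now blocked between A and Ra, not at Rv
    unknown = s3.handle("X", "V", log)                  # a source no AS fronts is refused
    return {"ok": ok, "unknown": unknown, "before": before, "after": after,
            "ra_filters": set(ra.filters), "rv_filters": set(rv.filters),
            "stops": list(ra.stop_requests), "log": log}


if __name__ == "__main__":
    for line in scenario()["log"]:
        print(line)
```

The filter ends up only at Ra, so the victim-side router Rv carries no state for this flow, which is the on-the-fly, source-side installation the text credits StopIt with.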
TABLE II
KEY ATTRIBUTES AND COMPARISON OF DEFENSE MECHANISMS

This addresses the filter scheduling problem by adaptive packet marking. As mentioned in the previous section, path identification is provided by using probabilistic packet marking. An FR probabilistically adds its IP address to the IP header of a packet. In fixed marking, all FRs have the same marking probability, whereas in adaptive marking all FRs mark according to their own adaptive probability. This probability is specified by each router and is based on filtering effectiveness. Filtering effectiveness is determined by the following three parameters.
1) HOP: How many hops will it take to reach the attacker from this FR?
2) RES: How many filters can this FR accept?
3) DEG: How many links does this FR have?
According to these factors, the victim of a DDoS attack will receive more filters from more effective FR(s) and will be able to choose such FR(s) in the filter scheduling phase. In addition, it will propagate the filter to the most effective router first, which leads to the more rapid blocking of the DDoS attack. APFS modifies Phase 1 of PFS by considering filtering effectiveness as a factor. In PFS, most of the markings received by the victim come from FRs that are close to the victim, because the victim-side routers overwrite markings that come from the attacker’s side. This marking overwriting will decrease the effectiveness of the defense and cause hop-by-hop filtering. On the other hand, in APFS, the probability of marking on the attacker’s side is higher, and most of the markings received by the victim come from core FRs. As depicted in Fig. 4(b), the most effective FR will have a higher probability level, which is FR3 in this case. This feature leads to the direct propagation of filters to this router, which solves the hop-by-hop filtering problem. In a similar manner to PFS, APFS is also considered to be a cooperative and reactive scheme.

D. Attribute Based Comparison of Filtering Mechanisms
In this part, various filtering mechanisms are compared according to four key dimensions, namely their deployment difficulty, communication overhead, scalability, and attack prevention efficiency (APE). This information is presented in Table II.
Filtering mechanisms are deployed on routers that are not easy to access but which require a very high level of availability. Thus, more effort is needed in order to deploy these mechanisms. Deployment difficulty can be an important criterion in filtering mechanism selection. It is relatively easy to deploy Ingress/Egress Filtering [46], RDPF [47], SAVE [48], HCF [49], and PacketScore [50] since only one machine is involved in the system. On the other hand, it is hard to deploy SOS [52], Pushback [53], AITF [54], StopIt [55], PFS [45], and APFS [57] since multiple network nodes and machines are involved in these processes.
Communication overhead is another issue that needs to be considered while choosing appropriate filtering mechanisms. If a filter is constructed via communication between several machines, accuracy is achieved at the expense of increasing the communication overhead. SOS [52], Pushback [53], AITF [54], StopIt [55], PFS [45], and APFS [57] mechanisms decide on filters cooperatively and have higher communication overheads, whereas other methods do not suffer from this burden.
Scalability is the ability of a network to grow in size and handle increasing traffic volumes while still performing at an adequate level of service quality. SOS [52], Pushback [53], AITF [54], StopIt [55], PFS [45], and APFS [57] are more scalable since several machines are utilized, and this allows increasing numbers of users to be handled. It would be more difficult to tackle this situation with a single machine, as in the case of the other mechanisms. The distributed nature of these systems allows for different mitigation techniques to be used during periods of high traffic load.
Finally, the APE of a defense mechanism is another important feature that needs to be evaluated by network security experts. Attack packets occupy parts of the network infrastructure and waste system resources. Especially in DDoS attacks, they prevent the system from working efficiently since the number of packets is very large. If they are stonewalled early in the network, system performance can be protected. Thus, the APE metric measures how early a network can eliminate attack packets. It is formally illustrated as in the following equation, where $AP$ is the total number of attack packets, $dis_i$ shows the discard hop of attack packet $i$ and $p_i$ shows the path length of an attack packet $i$,
$$\mathrm{APE} = 1 - \frac{\sum_{i=1}^{AP} dis_i / p_i}{AP}. \qquad (5)$$
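A worked example of the PFS filter scoring in (3) and (4) (Section III, item 10) together with the APE metric in (5), added here and not code from [45] or from this survey. The weights F and R, the window t, the penalty γ, the request trace and the two-attacker topology are constructed values, and P_n(I) is taken as 0 in a step where no request for I arrives, which the text does not state.

```python
"""PFS filter scoring, (3)-(4), and the APE metric, (5), on a constructed scenario.
F, R, t, gamma, the request trace and the topology are made-up values. P_n(I) is
taken as 0 in a step where no request for I arrives, an assumption the text does
not spell out."""
from collections import defaultdict

F, R, T_WINDOW, GAMMA = 1.0, 0.5, 2, 0.1   # frequency weight, recency weight, window t, penalty


def p_n(m: int, t_c: float, t_p: float) -> float:
    """Eq. (4): P_n(I) = F * m + R * (t_c - t_p)."""
    return F * m + R * (t_c - t_p)


class FilterScheduler:
    """The filter schedule one FR keeps in Phase 3: scores S_n(I) for every filter I seen."""

    def __init__(self) -> None:
        self.n = 0                           # current time step n
        self.score = {}                      # S_n(I)
        self.p = defaultdict(dict)           # P_j(I) for each step j at which I was requested
        self.uses = defaultdict(int)         # m: how many times filter I has been requested
        self.last_t = {}                     # t_p: previous request time for I

    def step(self, requests, t_c: float) -> dict:
        """Advance to step n with the filter requests that arrived at time t_c; returns S_n."""
        self.n += 1
        n = self.n
        for I in requests:
            self.uses[I] += 1
            self.p[I][n] = p_n(self.uses[I], t_c, self.last_t.get(I, t_c))
            self.last_t[I] = t_c
            self.score.setdefault(I, 0.0)
        for I in self.score:                 # eq. (3) for every known filter
            p_old = self.p[I].get(n - T_WINDOW, 0.0)
            p_new = self.p[I].get(n, 0.0)
            self.score[I] = self.score[I] - p_old / n + p_new / n - GAMMA
        return dict(self.score)

    def best_k(self, k: int) -> list:
        """The k highest-scoring filters; these are installed and propagated upstream."""
        return sorted(self.score, key=lambda I: (-self.score[I], I))[:k]

    def evict(self) -> list:
        """Phase 4: once requests stop, the penalty drives scores down and dead filters go."""
        dead = [I for I, s in self.score.items() if s <= 0]
        for I in dead:
            del self.score[I]
        return dead


def demo_pfs():
    """Three steps of requests at FR4, then five idle steps after the attack stops."""
    fr = FilterScheduler()
    fr.step(["f1", "f2"], t_c=0)
    fr.step(["f1", "f1", "f3"], t_c=1)       # f1 requested twice: m rises, recency term grows
    fr.step(["f1"], t_c=2)
    chosen = fr.best_k(2)                    # returns ["f1", "f2"]
    evicted = []
    for t in range(3, 8):                    # no further requests arrive
        fr.step([], t_c=t)
        evicted += fr.evict()                # f3 goes first, then f2; f1 survives
    return chosen, evicted, fr.score


def discard_hop(path_len: int, filter_hops) -> int:
    """dis_i for a packet on a path of path_len hops (hop 1 is the attacker's first FR);
    a packet that is never filtered counts dis_i = p_i, i.e., no benefit (assumption)."""
    hit = [h for h in filter_hops if 1 <= h <= path_len]
    return min(hit) if hit else path_len


def ape(packets) -> float:
    """Eq. (5): APE = 1 - (sum_i dis_i / p_i) / AP, with packets = [(dis_i, p_i), ...]."""
    return 1.0 - sum(d / p for d, p in packets) / len(packets)


def compare_placements():
    """Two attackers 4 and 6 hops from the victim, ten packets each: the same filter
    at the victim-side router versus at the attacker-side FR."""
    paths = [4] * 10 + [6] * 10
    at_victim = [(discard_hop(p, {p}), p) for p in paths]
    at_source = [(discard_hop(p, {1}), p) for p in paths]
    return round(ape(at_victim), 3), round(ape(at_source), 3)   # (0.0, 0.792)
```

The second function makes the comparison of Table II concrete: a filter that reaches the attacker side yields a high APE, while one held at the victim's edge yields none, since every attack packet has already crossed the whole path.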
TABLE III
ADVANTAGES AND DISADVANTAGES OF DDOS DEFENSE MECHANISMS

According to the APE definition and performance results, SOS [52], Pushback [53], AITF [54], StopIt [55], PFS [45], and APFS [57] have high APE since they can stonewall an attack near its source. This outcome is to be expected since these are more sophisticated mechanisms that operate at the expense of their deployment complexity and their communication overheads.

IV. CLASSIFICATION OF FILTERING TECHNIQUES
According to the analysis given in Section III, a general view of the techniques under discussion as well as their advantages and disadvantages are shown in Table III. Since all of the models have their own pros and cons, it is not possible to state that one of these mechanisms is a superior solution for all DDoS attacks. For this reason, network administrators need to choose the most appropriate one according to their requirements. In order to provide an easier way to understand and decide, a fundamental classification of these methods is provided in Table IV. According to this matrix, there are four main types of filtering-based defense mechanisms: individual + proactive filtering, cooperative + proactive filtering, individual + reactive filtering, and cooperative + reactive filtering.
Individual proactive filtering allows easy deployment and quick intervention that interferes with a DDoS attack before
TABLE IV
CLASSIFICATION OF DDOS DEFENSE MECHANISMS BASED ON
COOPERATION AND ACTION-TIME TRAITS

Fig. 5. Recent advances in IP networks and emerging research topics for filtering-based DDoS defense. These topics are also valid for general network security research. Large-scale systems and cloud computing with increasing heterogeneity, mobility, and content-centric operation are drivers toward the future Internet. Moreover, better statistical and machine learning schemes, and coordinated reactions are important topics for both the current and future Internet regarding filtering-based defense.

it can impair network operations. However, it is always active, and this results in a heavier system load. If these beneficial properties are more important, Ingress/Egress Filtering [46], RDPF [47], SAVE [48], and PacketScore [50] mechanisms can be adopted. On the other hand, cooperative proactive filtering allows both collaborative and preventive mechanisms. When this is deployed across a network, it allows the opportunity to block a DDoS attack near its source before it can expand and affect the entire network. In addition, this will be more accurate than individual mechanisms since filter choice and application can be decided with more visibility and knowledge of the network. However, according to the best of our knowledge, there is only one mechanism that is both cooperative and proactive in the current literature [52]. This scenario is challenging since cooperation should be accepted by all peers when no attack is in effect. Therefore, this topic deserves more effort and contributions from the security research community.
Individual reactive filtering is activated after a DDoS attack is detected and it allows easy deployment. If there is a requirement for a mechanism that should be active only for a short duration, since any extra system load is not possible and there is no means to deploy it through the network, then this type is preferable. HCF [49] has such properties. On the other hand, cooperative reactive filtering allows collaborative decision making after a DDoS attack is detected. Pushback [53], AITF [54], StopIt [55], PFS [45], and APFS [57] are all activated after detection and filters are propagated through communicating machines. The practical implementations of this topic have been extensively explored in the literature.

V. RESEARCH DIRECTIONS FOR FILTERING-BASED DDOS DEFENSE
The recent advances in Internet technology, devices and software have created a more complicated environment for DDoS defense. The leading phenomena in that regard can be listed as follows [2]:
1) Heterogeneous environments and hyperconnectivity of users and systems: Networks are becoming more and more heterogeneous with the integration and deployment of different systems, devices, and software. Moreover, the “network” aspect of information security has reached an unprecedented level since the proliferation of the Internet and smart mobile devices has enabled “anytime, anywhere” connectivity.
2) Circulation of software from untrusted and unknown developers: The Internet and the spread of mobile devices have enabled the dramatic and widespread circulation of free software from unknown sources. The instant retrieval and installation of such software is common for harder-to-control computation and communication environments.
3) Cyberphysical systems (CPSs): CPSs are “integrations of computation and physical processes.” Embedded computers and networks monitor and control physical processes, usually with feedback loops where the physical processes affect computations and vice versa. The security of such systems requires a comprehensive and holistic view of computers, software, hardware, networks, and physical processes [58].
Due to these circumstances, the complexity of DDoS defense for supporting fundamental security objectives has become extremely high. In that regard, the application of filtering-based network defenses in domain-specific scenarios for emerging technologies and systems poses some fundamental challenges. These factors have resulted in the following implications for relevant future research directions.
1) Complexity: The filtering mechanisms may become very complex due to increasing system size and diversity. This implication is also magnified by the diversification of network functions and services.
2) Validity: Due to the rapid evolution of ICT systems, a highly effective filtering scheme may quickly become obsolete. A typical example is the emerging content-centric operation, which identifies content rather than network locations by enabling the addressing schemes
facilitated by application-level/social considerations. The incumbent design of the conventional IP is altered and the operation mode is transformed to a more service- and content-oriented structure [59]. Filtering-based defense schemes will have to adapt to this change.
3) Generality: The filtering methods need to be more tailored toward specific systems rather than being widely applicable. This situation limits the usability of such schemes. The tradeoff between generality and being optimized for certain situations deserves further research. The inherently fragmented and diverse CPSs are challenging in this regard.
These challenges also render the future directions for research on filtering-based DDoS defense. The emerging targeted and coordinated attacks weaken the strength of conventional defense methods. Moreover, defending the network boundary is becoming almost unattainable since the boundary itself is now extremely obscure [2]. Therefore, novel filtering approaches and systems are necessary to strengthen network protection against DDoS attacks. The main threads in that topic are shown in Fig. 5 and can be broadly divided into the groups described in the following sections.

A. Large-Scale Distributed Systems
Large-scale distributed systems have a dynamic infrastructure that lacks the centralized control of a network [60]. This attribute makes the system more vulnerable to DDoS attacks. The transformation of the current Internet to the Internet of Things (IoT), and the augmentation of diverse devices, especially mobile nodes, is an important driver for this issue. The widespread proliferation of networked mobile devices such as smartphones has had a profound effect on computer networks, with more advanced and always-connected devices communicating seamlessly to provide a richer and more immersive service to their users. For instance, according to the IDC Worldwide Quarterly Mobile Phone Tracker [61], the worldwide smartphone market reached a new level in 2013, with one billion units shipped in a single year.
Next-generation mobile devices have a variety of network interfaces and host feature-rich mobile applications [62]. Although their capabilities have improved both the user experience and the utility of mobile devices, vulnerabilities in mobile device frameworks and operating systems provide exploits for large-scale attackers. The perpetual OS and application changes of mobile devices, with the constant deployment of new generations of hardware, make the implementation of security measures more difficult. The devices themselves are also multi-interface and multipurpose appliances with sophisticated designs, and this exacerbates the security challenges. Moreover, the availability and secure operation of these communication substrates have become more important since an ever increasing number of human activities relies on them. For instance, IoT involves vital application areas such as health monitoring and networked smart homes. DDoS attacks against these devices may prove to have critical, and potentially fatal, results. Such systems cannot withstand the significant computational overheads required to implement typical countermeasures and packet processing, and may easily become inoperable due to energy depletion [63]. Therefore, low-complexity traffic filtering is essential. At the physical level, jamming and signal suppression can also put these systems out of service.
Due to the distributed nature of such systems, cooperative filtering mechanisms can be developed to defend against DDoS attacks. However, the fragmentation and scale of these systems make their communication requirements harder to satisfy.

B. Cloud Computing
In this technology, the infrastructure is potentially shared by millions of users and applications are hosted in centralized computational facilities such as data centers. Thus, a DDoS attack could be catastrophic for a cloud computing system. According to the Alert Logic Cloud Security Report 2014 [64], attacks on cloud computing systems are expected to increase with the consolidation of ICT services on clouds, i.e., traditional enterprise workloads are increasingly moving to the cloud. With more and more companies adopting cloud-based systems due to modern working practices, the attacks and threat level are perpetually increasing. Moreover, this trend has created a loss of visibility and control, which has been magnified by the externalization of IT services. The advantages of cloud-based services, such as workplace flexibility and service elasticity, need accompanying security investments in software, hardware, and employee training. For this reason, it is essential to have a powerful filtering-based defense mechanism that will prevent the interruption of services for a very large user-base. These systems are suitable for a centralized paradigm regarding filtering-based solutions. Moreover, they are intended to be scalable and efficient [65]. In [66], Chonka et al. offer a solution to traceback and to find the source of HTTP-DoS and XML-DoS attacks, and introduce the use of a back propagation neural network, called cloud protector, which was programmed to detect and filter such attack traffic.

C. Multipoint Coordinated Reactions and Countermeasure Synchronization
In cooperative filtering, reaction is not coordinated from a central point; instead network nodes communicate and decide on the most appropriate filtering mechanism. This situation requires multipoint coordinated reactions. It is necessary that the coordination protocol is developed carefully by considering a selection of diverse circumstances [67]. Moreover, the synchronization of the cooperating parties is essential. If it is lost, some obsolete filters may remain active on different parts of the system. That issue may cause normal traffic to be refused (false positive) or attack-related traffic to be granted access by mistake (false negative). Therefore, synchronization and coordination algorithms need to be developed.

D. Signaling Among Cooperators
In a cooperative filtering mechanism, the communication protocol between the cooperating parties should be designed in an optimal way. Sporadic and continuous signaling is used to provide timely and valid information regarding filters. Thus, it will be cumbersome to an unacceptable extent if this information exchange is not well designed in terms of size, redundancy, reliability, number of end-points, and frequency. This requirement is especially evident for large-scale and distributed infrastructures such as cloud computing systems [68]. Therefore, efficient communication protocols are necessary. The wide range of IP-based networked systems in terms of capabilities makes this research question far more challenging. Additionally, filter data structure and related information exchange for an information-centric future Internet is an important research topic [69].

E. Better Statistical and Machine Learning Models
In order to differentiate abnormal traffic from its baseline counterpart, statistical and machine learning models are utilized in filtering-based defense mechanisms. Thus, better statistical models such as hybrid approaches will improve the performance of the filtering models [70]. The availability and volume of data create potent challenges for these schemes. The inherent algorithmic challenges for machine learning come into effect since data volume can be huge in some cases, but may not be available at all in others. For anomaly and signature-based analysis, more robust and scalable schemes are desired to provide filtering support. This research thread is a general topic and is valid for both the current and future Internet.

F. Emergence of Network Softwarization for Future Internet: SDN and NFV
Network Softwarization refers to the common trend that infuses a software-centric paradigm into network infrastructures to facilitate automation, flexibility, and programmability. These traits are instrumental for the acceleration of service deployment and facilitating infrastructure management in future networks entailing IoT, content-centric operation, cloud-based services and extensive segments of heterogeneous mobile networks. Software-defined networking (SDN) and Network Function Virtualization (NFV) are two key driving factors of this phenomenon. In the SDN architecture, the control and data planes are decoupled and the network intelligence is logically centralized in software-based controllers. An SDN controller provides a programmatic interface to the network where applications can be written to perform management tasks and offer new functionalities. The control is centralized and applications are written as if the network were a unified system [71]. The adaptability and programmability of software-defined management is a promising characteristic for better filtering mechanisms. However, data collection and analysis functions should be considered with regard for the inherent scalability and complexity issues in this setting. The possibility of using flow-table-based [72] and architectural solutions [73] is evident. However, the tendency to propose smarter switches rather than dumb ones, which is basically against the SDN paradigm, is a potential by-product of the advanced filtering mechanisms for SDN. Filtering based on SDN flows and the relevant overheads in terms of communication, processing, and storage have yet to be explored.
NFV brings a more fluid network in which core functions are dynamically installed, migrated, and chained to create services [74]. This operation is a challenge for filtering mechanisms due to the volatile traffic characteristics and varying function topology [75]. In this regard, service-topology aware packet filtering and progressive filtering over middle boxes may be a promising direction for future research.

VI. CONCLUSION
This paper has presented a comprehensive treatment of filtering-based DDoS defense mechanisms. First, some properties of DDoS detection mechanisms were explained. Following this, the overall description of several DDoS defense techniques and their analysis were given. This work specifically proposed a classification approach for filtering techniques. They can be classified according to their timing and collaborative properties. Regarding their temporal characteristics, they can be classified as either proactive or reactive according to their defensive action time. In addition, they can either be considered as individual or cooperative. Several filtering techniques were analyzed in detail, and their tradeoffs were presented. According to this classification, it is possible to state that there are not many methods which are both proactive and collaborative. This type is important since it prevents an attack from expanding near to its source. In addition, it can provide more accurate filters than individual mechanisms, since these filters are chosen cooperatively in consideration of instant information from several parts of the network. Our study is intended to:
1) offer guidance to network security engineers as to which defense mechanism is more suited to their requirements;
2) highlight which improvements are needed for these mechanisms;
3) identify an unexplored area in proactive and collaborative filtering mechanisms;
4) assist researchers to learn and compare defense mechanisms and support them in finding their research direction more easily.
Moreover, this study has identified some research directions for ICT systems regarding filtering mechanisms and DDoS defense techniques. The burgeoning criticality of such systems and their ubiquity make these research topics fundamental scientific challenges for the operation and success of future communication networks.

REFERENCES
[1] V. D. Gligor, “A note on denial-of-service in operating systems,” IEEE Trans. Softw. Eng., vol. SE-10, no. 3, pp. 320–324, May 1984.
[2] G. Gür, S. Bahtiyar, and F. Alagöz, “Security analysis of computer networks: Key concepts and methodologies,” in Modeling and Simulation of Computer Networks and Systems: Methodologies and Applications, F. Z. M. S. Obaidat and P. Nicopolitidis, Eds. San Mateo, CA, USA: Morgan Kaufmann, 2014.
[3] K. Geers, Strategic Cyber Security. Tallinn, Estonia: CCD COE Publications, 2011.
[4] G. C. Kessler, “Defenses against distributed denial of service attacks,” SANS Inst., vol. 2002, 2000.
[5] L. Garber, “Denial-of-service attacks rip the Internet,” Computer, vol. 33, no. 4, pp. 12–17, Apr. 2000.
[6] S. Bahtiyar, G. Gür, and L. Altay, “Security assessment of payment systems under PCI DSS incompatibilities,” in ICT Systems Security and Privacy Protection (ser. IFIP Advances in Information and Communication Technology), N. Cuppens-Boulahia, F. Cuppens, S. Jajodia, A. Abou El Kalam, and T. Sans, Eds. Berlin, Germany: Springer, 2014, vol. 428, pp. 395–402.
[7] “Operation payback cripples MasterCard site in revenge for WikiLeaks ban,” Dec. 8, 2010. [Online]. Available: http://www.guardian.co.uk/media/2010/dec/08/operation-payback-mastercard-website-wikileaks
[8] D. Evans and D. Larochelle, “Improving security using extensible lightweight static analysis,” IEEE Softw., vol. 19, no. 1, pp. 42–51, Jan. 2002.
[9] J. Nazario, “DDoS floods in Belarus: Political motivations,” 2009. [Online]. Available: http://asert.arbornetworks.com/2009/06/ddos-floods-in-belarus-political-motivations/
[10] J. Nazario, “The effects of war: Gaza and Israel,” Jan. 2009. [Online]. Available: http://asert.arbornetworks.com/2009/01/the-effects-of-war-gaza-and-israel/
[11] Prolexic, “Prolexic report: 2014-Q1 global DDoS global attack report,” 2014. [Online]. Available: http://www.prolexic.com/knowledge-center/prolexic-download/prolexic-quarterly-global-ddos-attack-report-q114.html
[12] S. M. Specht, “Distributed denial of service: Taxonomies of attacks, tools and countermeasures,” in Proc. Int. Workshop Security Parallel Distrib. Syst., 2004, pp. 543–550.
[13] A. Mitrokotsa and C. Douligeris, “DDoS attacks and defense mechanisms: Classification and state-of-the-art,” Comput. Netw., vol. 44, no. 5, pp. 643–666, Apr. 2004.
[14] P. J. Criscuolo, “Distributed denial of service—TrinOO, tribe flood network, tribe flood network 2000, and stacheldraht,” Dept. Energy Comput. Incident Advisory, CIAC-2319, UCRL-ID-136939, Rev. 1, 2000.
[15] D. Dittrich, “The tribe flood network distributed denial of service attack tool,” Seattle, WA, USA: Univ. Washington, 1999.
[16] J. Barlow and W. Thrower, “TFN2K—An analysis,” 2000. [Online]. Available: http://security.royans.net/info/posts/bugtraqddos2.shtml
[17] D. Dittrich, “The stacheldraht distributed denial of service attack tool,” Seattle, WA, USA: Univ. Washington, 1999.
[18] S. D. D. Dittrich, G. Weaver, and N. Long, “The mstream distributed denial of service attack tool,” Seattle, WA, USA: Univ. Washington, 2000.
[19] S. Dietrich, N. Long, and D. Dittrich, “Analyzing distributed denial of service tools: The shaft case,” in Proc. 14th USENIX Conf. Syst. Admin., 2000, pp. 329–340.
[20] B. Hancock, “Trinity v3, a DDoS tool, hits the streets,” Comput. Secur., vol. 19, no. 7, p. 574, 2000.
[21] CERT Coordination Center, “CERT advisory CA-2001–20 continuing threats to home users,” 2001. [Online]. Available: http://www.cert.org/advisories/CA-2001–20.html
[22] H. Beitollahi and G. Deconinck, “Analyzing well-known countermeasures against distributed denial of service attacks,” Comput. Commun., vol. 35, no. 11, pp. 1312–1332, 2012.
[23] L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred, “Statistical approaches to DDoS attack detection and response,” in DARPA Inf. Survivability Conf. Expo., Apr. 2003, pp. 303–314.
[24] K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, “DDoS attack detection method using cluster analysis,” Expert Syst. Appl., vol. 34, no. 3,
[37] Y. You, M. Zulkernine, and A. Haque, “Detecting flooding-based DDoS attacks,” in IEEE Int. Conf. Commun., Jun. 2007, pp. 1229–1234.
[38] T. Peng, C. Leckie, and K. Ramamohanarao, “Proactively detecting distributed denial of service attacks using source IP address monitoring,” in Networking. Berlin, Germany: Springer, 2004, vol. 3042, pp. 771–782.
[39] R. Talpade, G. Kim, and S. Khurana, “NOMAD: Traffic-based network monitoring framework for anomaly detection,” in IEEE Int. Symp. Comput. Commun., 1999, pp. 442–451.
[40] Y. Kim, J.-Y. Jo, and K. K. Suh, “Baseline profile stability for network anomaly detection,” in Proc. 3rd Int. Conf. Inf. Technol. New Gener., 2006, pp. 720–725.
[41] S. Lee, H. Kim, J. Na, and J. Jang, “Abnormal traffic detection and its implementation,” in IEEE 7th Int. Conf. Adv. Commun. Technol., 2005, vol. 1, pp. 246–250.
[42] G. Carl, G. Kesidis, R. R. Brooks, and S. Rai, “Denial-of-service attack-detection techniques,” IEEE Internet Comput., vol. 10, no. 1, pp. 82–89, 2006.
[43] M. Alenezi and M. Reed, “Methodologies for detecting DoS/DDoS attacks against network servers,” in 7th Int. Conf. Syst. Netw. Commun., 2012, pp. 92–98.
[44] M. A. Nemeth, “Applied multivariate methods for data analysis,” Technometrics, vol. 42, no. 2, pp. 211–211, 2000.
[45] D. Seo, H. Lee, and A. Perrig, “PFS: Probabilistic filter scheduling against distributed denial-of-service attacks,” in IEEE 36th Conf. Local Comput. Netw., Oct. 2011, pp. 9–17.
[46] P. Ferguson and D. Senie, “Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing,” Internet Requests for Comments, RFC Editor, RFC 2827, 2000. [Online]. Available: https://www.ietf.org/rfc/rfc2827.txt
[47] K. Park and H. Lee, “On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets,” SIGCOMM Comput. Commun. Rev., vol. 31, no. 4, pp. 15–26, 2001.
[48] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, “SAVE: Source address validity enforcement protocol,” in IEEE INFOCOM 2002, pp. 1557–1566.
[49] C. Jin, H. Wang, and K. G. Shin, “Hop-count filtering: An effective defense against spoofed DDoS traffic,” in Proc. 10th ACM Conf. Comput. Commun. Security, 2003, pp. 30–41.
[50] Y. Kim, W. C. Lau, M. C. Chuah, and H. J. Chao, “PacketScore: Statistics-based overload control against distributed denial-of-service attacks,” in INFOCOM 2004, vol. 4, pp. 2594–2604.
pp. 1659–1665, Apr. 2008. [51] D. S. Sivia, Data Analysis: A Bayesian Tutorial. London, U.K.: Oxford
[25] A. Toledo and X. Wang, “Robust detection of MAC layer denial-of-service Univ. Press, 1996.
attacks in CSMA/CA wireless networks,” IEEE Trans. Inf. Forensics Se- [52] A. D. Keromytis, V. Misra, and D. Rubenstein, “SOS: An architecture for
curity, vol. 3, no. 3, pp. 347–358, Sep. 2008. mitigating DDoS attacks,” IEEE J. Sel. Areas Commun., vol. 22, no. 1,
[26] P. Barford, J. Kline, D. Plonka, and A. Ron, “A signal analysis of net- pp. 176–188, Jan. 2004.
work traffic anomalies,” in Proc. 2nd ACM SIGCOMM Workshop Internet [53] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and
Meas., 2002, pp. 71–82. S. Shenker, “Controlling high bandwidth aggregates in the network,” ACM
[27] L. F. Lu, M. L. Huang, M. Orgun, and J.-W. Zhang, “An improved wavelet SIGCOMM Comput. Comm. Rev., vol. 32, no. 3, pp. 62–73, 2002.
analysis method for detecting DDoS attacks,” in 4th Int. Conf. Netw. Syst. [54] K. Argyraki and D. R. Cheriton, “Active Internet traffic filtering: Real-
Security, Sep. 2010, pp. 318–322. time response to denial-of-service attacks,” in Proc. Annu. Conf. USENIX
[28] Y. Chen, K. Hwang, and W.-S. Ku, “Collaborative detection of DDoS Annu. Tech. Conf., 2005, pp. 10–10.
attacks over multiple network domains,” IEEE Trans. Parallel Distrib. [55] X. Liu, X. Yang, and Y. Lu, “To filter or to authorize: Network-layer DoS
Syst., vol. 18, no. 12, pp. 1649–1662, Dec. 2007. defense against multimillion-node botnets,” in ACM SIGCOMM Comput.
[29] H. Wang, D. Zhang, and K. Shin, “Change-point monitoring for the de- Comm. Rev., vol. 38, no. 4, ACM, pp. 195–206, 2008.
tection of DoS attacks,” IEEE Trans. Dependable Secure Comput., vol. 1, [56] X. Liu, A. Li, X. Yang, and D. Wetherall, “Passport: Secure and adopt-
no. 4, pp. 193–208, Oct. 2004. able source authentication,” in Proc. 5th USENIX Symp. Netw. Syst. Des.
[30] R. Karimazad and A. Faraahi, “An anomaly-based method for DDoS Implementation, 2008, pp. 365–378.
attacks detection using RBF neural networks,” in Int. Proc. Comput. Sci. [57] D. Seo, H. Lee, and A. Perrig, “APFS: Adaptive probabilistic filter
Inf. Technol., 2011, vol. 11, pp. 44–48. scheduling against distributed denial-of-service attacks,” Comput. Secu-
[31] J. Li, Y. Liu, and L. Gu, “DDoS attack detection based on neural network,” rity, vol. 39, pp. 366–385, 2013.
in 2nd Int. Symp. Aware Comput., Nov. 2010, pp. 196–199. [58] R. Mitchell and I.-R. Chen, “A survey of intrusion detection techniques
[32] K. Scarfone and P. Mell, “Guide to intrusion detection and prevention for cyber-physical systems,” ACM Comput. Surv., vol. 46, no. 4, pp. 55:1–
systems (IDPS),” Nat. Inst. Standards Technol., Gaithersburg, MD, USA, 55:29, Mar. 2014.
NIST Special Pub., vol. 800, no. 2007, p. 94, 2007. [59] G. Gür, “Energy-aware cache management at the wireless network
[33] S. Mishra and R. Pateriya, “A comparative study on capability v/s. filtering edge for information-centric operation,” J. Netw. Comput Appl., vol. 57,
based defense mechanisms,” Int. J. Comput. Appl., vol. 93, no. 11, pp. 29– pp. 33–42, 2015.
35, 2014. [60] F. Cappello et al., “Computing on large-scale distributed systems: Xtrem
[34] V. Kambhampati, C. Papadopoulos, and D. Massey, “A taxonomy of web architecture, programming models, security, tests and convergence
capabilities based DDoS defense architectures,” in 2011 9th IEEE/ACS with grid,” Future Gener. Comput. Syst., vol. 21, no. 3, pp. 417–437,
Int. Conf. Comput. Syst. Appl., 2011, pp. 157–164. Mar. 2005.
[35] R. R. Kompella, S. Singh, and G. Varghese, “On scalable attack detection [61] IDC, “IDC report: 2013 IDC worldwide quarterly mobile phone
in the network,” in 4th ACM SIGCOMM Conf. Internet Meas., 2004, tracker,” 2014. [Online]. Available from http://www.idc.com/tracker/
pp. 187–200. showproductinfo.jsp?prod_id=37
[36] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based [62] S.-H. Seo, A. Gupta, A. M. Sallam, E. Bertino, and K. Yim, “Detecting
defense mechanisms countering the DoS and DDoS problems,” ACM mobile malware threats to homeland security through static analysis,” J.
Comput. Surv., vol. 39, no. 1, pp. 3–45, Apr. 2007. Netw. Comput. Appl., vol. 38, no. 0, pp. 43–53, 2014.
KALKAN et al.: FILTERING-BASED DEFENSE MECHANISMS AGAINST DDoS ATTACKS: A SURVEY 2773

Kübra Kalkan received the M.S. and B.S. degrees from the Computer Science and Engineering Department, Sabanci University, Istanbul, Turkey, in 2011 and 2009, respectively, and is currently working toward the Ph.D. degree in computer engineering at Bogazici University, Istanbul, Turkey.
She is currently a Member of the Satellite Networks Research Laboratory (SATLAB), Bogazici University. She is also a Teaching Assistant with Istanbul Medeniyet University. Her current research interests include network security, computer networks, and wireless networks.

Gürkan Gür received the B.S. degree in electrical engineering and the Ph.D. degree in computer engineering from Bogazici University, Istanbul, Turkey, in 2001 and 2013, respectively.
He is a member of the Satellite Networks Research Laboratory (SATLAB) and a Researcher with the Telecommunications and Informatics Technologies Research Center, Bogazici University. His research interests include cognitive radios, green wireless communications, network security, and information-centric networking.

Fatih Alagöz received the B.Sc. degree in electrical engineering from Middle East Technical University, Ankara, Turkey, in 1992, and the D.Sc. degree in electrical engineering from George Washington University, Washington, DC, USA, in 2000.
He is currently a Professor with the Department of Computer Engineering, Bogazici University, Istanbul, Turkey. His research interests include cognitive radios, wireless networks, network security, and UWB communications.