DDoS Research Paper
Running head: DDoS ATTACK ANALYSIS AND MITIGATION STRATEGIES 1
DDoS Attack Analysis and Mitigation Strategies
Matthew Waldron
Central Connecticut State University
Abstract
This paper explores several reputable technology papers that report on the analysis of DDoS
attacks regarding their motives, impact on business, types of attacks, and advanced methods to
prevent, detect, and mitigate them. DDoS attacks remain one of the most pervasive and crippling
cyber security threats. An in-depth look at DDoS attacks may shed light on the increased severity
of these attacks and present ways in which businesses can better defend their networks against
them. This paper’s purpose is to define and analyze DDoS attacks by using information gathered
from many sources to provide a comprehensive analysis. Most importantly, new strategies and
technologies, their benefits and limitations, will be examined.
Table of Contents
Cover Page
Abstract
Table of Contents
Introduction
Brief History
Impact on Business
Types of Attacks
Attack Tools
Preventative Measures
Detection Strategies
Mitigation Strategies
Conclusion
Appendix
References
DDoS Attack Analysis and Mitigation Strategies
The invention, implementation, and widespread adoption of the Internet remains one of
the most significant technological achievements in human history. The Internet has changed the
way in which we process information, communicate, interact with others, and how we conduct
business and commerce. Unfortunately, cyber-attacks have increased in scale and sophistication
and have been effective in disrupting this communication. DDoS attacks are just one of many
attacks, but remain at the forefront of cyber-warfare. They are conducted by a malicious party or
entity. Their purpose is to disrupt the availability of a website on the Internet by flooding the web
server with illegitimate requests to overload the server and prevent legitimate requests from
getting through (Radware, 2013). According to Radware (2013), it is estimated that more than
7000 DDoS attacks occur daily. Businesses need to be better prepared to defend against these
types of attacks. If they are not, clients will not have reliable access to crucial
information such as financial and bank statements, medical records, e-commerce transactions, and
services. Downtime caused by DDoS attacks can incur heavy costs and can even bring the most
robust networks to their knees. More must be done to prepare future technologists and business
entities for these crippling cyber-attacks.
The history of DDoS attacks traces back to the early days of the Internet. According to
Fortinet (2013), the first documented large scale DDoS attack occurred on an IRC server at the
University of Minnesota in 1999. It affected over 200 systems and left the server unusable for
days. Later, in the early 2000s, many high profile traffic generators such as CNN, Amazon, and
eBay were hit with attacks that prevented users from accessing their webpages for several hours
(Fortinet, 2013). Things turned ugly in 2005 when hackers resorted to extortion. In 2005, a
programmer created a worm that opened a backdoor on Windows computers that connected to an
IRC server that secretly waited for instructions. This was one of the first uses of the command
and control aspect of DDoS attacks that remain crucial for their destructive capabilities. Using
these techniques, hackers began demanding payments from companies in return for protection,
but these companies were often exploited by them instead (Radware, 2013). According to
Fortinet (2013), hacktivism has taken hold since 2010 and DDoS attacks have become the
vessel of such ideologies. Most notably, the hacker group Anonymous has been associated with
several high profile DDoS attacks. Examples include their assault against PayPal,
MasterCard, and Visa because they terminated their services with whistleblower WikiLeaks
while exposing their vulnerabilities (Radware, 2013). More recently, application attacks have
risen; they target specific services for depletion and are much harder to detect (Fortinet, 2013).
With the history of DDoS attacks in mind, it is clear that their impact on business has been
disastrous in the past several years.
The impact DDoS attacks have on business is enormous. In a survey of 450 businesses
conducted by Neustar in 2013, nearly 60% of businesses surveyed said they were hit with a DDoS
attack in the past year, up from 35% in 2012. Also, 95% of businesses said they view the DDoS
threat as the same or more serious than in previous years. Arbor’s analytics, gathered from
hundreds of businesses, concluded that 88% of attacks lasted up to an hour. In 2014, 87% of
businesses said that they were attacked more than once per year and, surprisingly, 17% of
respondents said they lost count (Neustar, 2014). The largest reported DDoS attack in
2014 reached 400Gbps, while attacks ranging between 1 and 5 Gbps increased three-fold (Neustar,
2014; Arbor, 2014). The costs incurred by DDoS attacks can be tremendous. According to
Neustar (2014), 14% of businesses surveyed said that a DDoS-caused outage can incur costs
between $50K and $100K, assuming that the majority of attacks last half a day. One-third of
companies said half a day would cost them upwards of $500K. Interestingly, companies that lose
more than $50K are more likely to start heavily investing in greater DDoS protection
technologies (Neustar, 2014). Customer attrition is another result of increased attacks. According
to Radware (2013), Google engineers determined that a customer will not wait an extra 400
milliseconds for a webpage to load on average. If a company’s website is down for even a
moment, this can cost a large company millions in lost revenue. A down website prevents
customers from accessing information, making purchases, or using services. Lost revenue and
customer attrition may not be the only elements in danger. More worrisome is the growing trend
of smoke screening. DDoS attacks, more often than not, are used to distract a busy IT staff while
the attackers steal sensitive data. According to Neustar (2014), “55% of DDoS targets were also
victims of theft. Attackers stole funds, customer data, and intellectual property” (p. 7). With the
threat of DDoS attacks increasing daily, the majority of businesses fail to enact effective security
measures. According to Arbor (2013), “The proportion of respondents who practice DDoS
defense simulations has decreased from 49 percent to 45 percent” (p. 78) while 55% say they
never run defense simulations. Also, most companies still use technologies that are not designed
for DDoS mitigation and can actually exacerbate the problem. With an understanding of the
impact and implications of DDoS attacks, the types of attacks and tools used must be understood
so as to properly mitigate them.
There are many different types of DDoS attacks, which can be grouped into three main
categories: volume-based, application, and low-rate (Cisco, 2013). Volume-based attacks are
commonplace. The attackers use botnets (multiple compromised systems controlled by an
attacker) to flood their targets with a large volume of packets that overwhelms
networking equipment. Application attacks target the application layer; HTTP being the most
common protocol exploited. They can be more destructive than volume-based because they
require fewer connections to be just as effective. Low-rate attacks aim to keep connections alive
before the time to live value expires and also exploit application weaknesses and flaws
(Cisco, 2013). Here are some specific types of DDoS attacks. The first one is called the ICMP
flood attack. According to Cisco (2013), this was the first method implemented by attackers and
takes advantage of the ICMP protocol by flooding its target with ICMP echo (ping) requests, which
slows down the network infrastructure. A UDP flood attack is very similar to the ICMP attack
except that it uses UDP (connectionless) packets in high volumes to render network
infrastructure inoperable (Radware, 2013). A smurf attack broadcasts a ping request to all
devices on the network, similar to an ICMP flood attack, but the source address is changed to
that of the victim (called spoofing). It seems as though the victim is requesting a response, so the
other devices will flood it with responses thus overwhelming the victim computer (Ciampa,
2015). A SYN flood attack takes advantage of the system in which devices initiate a session.
This is done through SYN packets (to initialize the connection) and ACK packets (an
acknowledgement of the initial request). A SYN flood attack, similar to a smurf attack, modifies
the source address of the originating packet and assigns it to unreachable computer addresses.
The server will wait for a response for a given amount of time while receiving more false
requests. The cycle continues until the server runs out of resources (Ciampa, 2015). Lastly, DNS
Amplification attacks involve an attacker requesting a DNS lookup from a DNS server with a
spoofed address directed towards the victim. The DNS server, without any way to verify the
validity of the address, unknowingly sends the responses to the victim (Cisco, 2013). There are
many tools available to the hacker to carry out these attacks more efficiently.
Botnets are one major tool used to send a large volume of attack traffic directed at a
server. Attackers often have hundreds, even several thousands of these “zombie computers” at
their disposal. According to Radware (2013), “large botnets can often be rented out by anyone
willing to pay as little as $100 per day to use them” (p. 42). People with limited knowledge of
hacking now have the ability to take down large websites. Another tool is the Low Orbit Ion
Cannon (LOIC). It is an open source flooding tool that can generate an enormous amount of
traffic such as HTTP, TCP, and UDP. The software was originally designed for developers who
wanted to test the resiliency of their servers under a heavy traffic load, but hackers used it instead
to wage war against their victims. Groups like Anonymous used LOIC as the weapon of choice,
but it has declined in popularity because it fails to mask the sender’s IP Address. HOIC is
LOIC’s successor and it boasts new features including the ability to use special scripts that allow
greater precision when launching attacks (Radware, 2014). Both LOIC and HOIC are designed
for brute-force flooding attacks. Slowloris, however, capitalizes on the procedures to initiate a
session. According to Radware (2013), the program creates a condition by utilizing slow HTTP
requests. When these packets are sent slowly to the server, it will wait for the remaining packet
chunks to arrive. If enough of these are sent, this can overwhelm the server (Radware, 2014). It
is important to be aware of the most significant attack types and tools so that we may prevent
future attacks from happening.
Preventative measures are the first important step to protect a company from the growing
threat of DDoS attacks. First on the list are Access Control Lists. According to Ramachandran
(2003), ACLs are “rules which can be applied on a router or switch to filter unwanted traffic”
(p. 4). One method is to identify attack traffic. Once it is identified, the security administrator can
configure an ACL to deny and drop any traffic matching the signature on the edge router.
However, there are downsides. Manually updating ACLs can be quite laborious, especially
during times of heavy DDoS flooding. DDoS attack methods can vary, and manually updating the
ACLs can be too time consuming. ACLs also consume CPU resources and can
degrade the edge router performance (Ramachandran, 2003). More recently, however, ACLs are
used more as a detection strategy because ACL logs provide in-depth insight into network traffic
(Cisco, 2013). Device security is the bread and butter of network security and can also defend
the network against DDoS attacks. Changing the router default configurations and passwords
will harden the hardware and make it less susceptible to attacks that try to compromise the
routers. Any unnecessary services should be shut down to reduce the attack surface. Also, one
should be wary of protocols such as CDP because they advertise important device information on
the network. All networks should be using the latest secure protocols such as SNMPv3 as
opposed to v1 and v2 (Ramachandran, 2003). Another preventive technique is tightening the
connection timeouts and limits which protects against SYN flood attacks. As discussed before, a
SYN flood attack takes advantage of the system in which devices initiate a session and creates a
special condition called an embryonic connection. According to Cisco (2010), an embryonic
connection, “is a connection request that has not finished the necessary handshake between
source and destination” (p. 1). By reducing the length of time before a timeout occurs, a
crippling SYN flood attack can be prevented. Load balancers are devices that act as reverse
proxies that distribute traffic to servers. They can be configured to limit connection attempts and
distribute traffic loads efficiently so the clustered hardware is less likely to be overwhelmed than
if only one device were present (Cisco, 2010). Another preventative technique is a flood guard
which protects against SYN flood attacks by configuring the maximum number of unanswered
SYN requests (Ciampa, 2015). Lastly, honeypots can be configured with limited security to
entice attackers to target them rather than the actual network. The idea is that, once the
honeypot is configured, the attacker installs a handler or piece of code on it, and defenders
study that code’s behavior in order to defend the network better (Ciampa, 2015). With a clear
understanding of prevention strategies, detection strategies are essential for spotting attacks
before they overwhelm the network.
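
How the two SYN flood controls described above (a shorter embryonic-connection timeout and a flood guard limit on unanswered SYNs) interact, as an added example that is not from the paper or from Cisco's documentation. The table model, the event trace and every number in it are constructed assumptions.

```python
from collections import OrderedDict


class EmbryonicTable:
    """Half-open (embryonic) connection table of a stateful device (model)."""

    def __init__(self, timeout_ms, max_embryonic):
        self.timeout_ms = timeout_ms
        self.max_embryonic = max_embryonic
        self.pending = OrderedDict()  # (src, sport) -> time the SYN was seen
        self.established = 0
        self.refused = 0
        self.peak = 0

    def _expire(self, now):
        # Entries are kept in arrival order, so the oldest is always first.
        while self.pending:
            key = next(iter(self.pending))
            if now - self.pending[key] < self.timeout_ms:
                break
            del self.pending[key]

    def syn(self, now, src, sport):
        self._expire(now)
        if (src, sport) in self.pending:  # retransmitted SYN, already tracked
            return True
        if len(self.pending) >= self.max_embryonic:  # flood guard limit
            self.refused += 1
            return False
        self.pending[(src, sport)] = now
        self.peak = max(self.peak, len(self.pending))
        return True

    def ack(self, now, src, sport):
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False  # no matching half-open entry
        self.established += 1
        return True


def constructed_trace():
    """20 s of events: 50 unanswered SYN/s plus one real client per second."""
    events = []
    for i in range(1000):  # sources that never complete the handshake
        events.append((i * 20, "syn", f"198.51.100.{i % 254 + 1}", 1024 + i))
    for j in range(20):    # legitimate clients answer after 100 ms
        t = 500 + 1000 * j
        events.append((t, "syn", "203.0.113.5", 40000 + j))
        events.append((t + 100, "ack", "203.0.113.5", 40000 + j))
    return sorted(events, key=lambda e: e[0])


def replay(timeout_ms, max_embryonic):
    """Feed the constructed trace through a table and summarise the outcome."""
    table = EmbryonicTable(timeout_ms, max_embryonic)
    for now, kind, src, sport in constructed_trace():
        getattr(table, kind)(now, src, sport)
    return {"established": table.established, "refused": table.refused,
            "peak": table.peak}


if __name__ == "__main__":
    for timeout in (30000, 3000):
        print(timeout, replay(timeout, max_embryonic=500))
```

With the 30-second timeout the table reaches the limit and half of the real clients are refused; with 3 seconds the unanswered entries age out fast enough that the limit is never hit.
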
Preventative strategies are good until an actual attack occurs. The first line of defense is
to have an accurate means of detecting attacks. Packet capture tools such as Wireshark,
snoop, and tcpdump are useful for this purpose, but one must establish a baseline of normal
traffic activity before an abnormal activity can be detected. The benefits of packet capture
analysis are numerous as they can provide a granular picture of the types of traffic entering and
leaving the network (Cisco, 2013). Similar to packet capturing is Cisco’s IOS NetFlow.
According to Cisco (2013), NetFlow “is a form of network telemetry that Cisco routers and
switches can collect locally or push” (p. 14). NetFlow provides macro packet information such as
source and destination IP address and the port protocol to quickly detect anomalies in the
network (Cisco, 2013). Intrusion Prevention / Detection System alarms are another method of
detecting attacks. IDS / IPS devices are traditionally used in tandem with firewalls. An IDS
device monitors traffic flow for any suspicious activities and can signal an alarm once one is detected.
An IPS system goes a step further and can take precautionary measures to mitigate attacks. Many
technologists believe IDS / IPS devices are good for DDoS mitigation, but this is largely false.
According to Arbor (2013), devices such as IPS systems and firewalls do little to mitigate DDoS
attacks because they are stateful devices and are often the first devices to be overwhelmed when
an attack occurs. They protect against known threats, but fail to monitor attacks across multiple
sessions and are susceptible to more subtle attacks such as Slowloris (Arbor, 2011). According
to an Arbor (2013) survey, “42 percent of respondents indicated that their firewalls or IDS/IPS
systems were compromised by a DDoS attack” (p. 65). The focus on these devices, however, is
on their alarm and monitoring capabilities. While false positives can be common, the alarms and
log messages generated by these devices can be valuable for detecting an attack (Cisco, 2013).
IPS systems can also be configured to take a specific action to mitigate future attacks if enough
information is known such as dropping a connection from a specific source. However, one
should be wary of inadvertently dropping too much legitimate traffic. The goal of DDoS
prevention and mitigation is to allow as much legitimate traffic as possible (Cisco, 2013). Lastly,
DNS logs are good for detecting a DDoS attack. The DNS protocol is used for locating services
and computers through friendly names and is used by many applications. A closer inspection of
the DNS log chart (Figure 1 in the Appendix) reveals key information. Notice the spike between
20:00 and 21:00 of over 400 queries at night, compared to an average peak of 300 during the work day.
This type of unusual behavior can indicate an attack (Cisco, 2013). With a clear understanding of
detection strategies, mitigation techniques are essential for stopping DDoS attacks dead in their
tracks.
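
The baseline-then-compare approach described above, applied to DNS query logs, as an added example that is not from the paper or from Cisco's guide. The log line format, the function names and the threshold rule (median plus a multiple of the median absolute deviation per hour of day) are assumptions, and the sample traffic is constructed to resemble the Figure 1 description.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def hourly_counts(lines):
    """Count DNS queries per hour bucket, skipping malformed lines.

    Assumed line format: "<ISO timestamp> <client ip> <qname> <qtype>".
    """
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def build_baseline(history):
    """Per hour-of-day baseline: (median, median absolute deviation)."""
    by_hour = defaultdict(list)
    for bucket, n in history.items():
        by_hour[bucket.hour].append(n)
    baseline = {}
    for hour, values in by_hour.items():
        med = median(values)
        baseline[hour] = (med, median(abs(v - med) for v in values))
    return baseline


def find_anomalies(current, baseline, k=5.0, floor=25):
    """Flag buckets whose count exceeds median + max(k * MAD, floor)."""
    flagged = []
    for bucket in sorted(current):
        med, mad = baseline.get(bucket.hour, (0, 0))
        threshold = med + max(k * mad, floor)
        if current[bucket] > threshold:
            flagged.append((bucket, current[bucket], threshold))
    return flagged


def synth_lines(day, per_hour):
    """Constructed sample data: n evenly spaced log lines in each hour."""
    lines = []
    for hour, n in per_hour.items():
        start = day + timedelta(hours=hour)
        for i in range(n):
            ts = start + timedelta(seconds=(i * 3600) // n)
            lines.append(f"{ts.isoformat()} 192.0.2.{i % 250 + 1} www.example.com A")
    return lines


def demo():
    # Constructed shape: 300 queries/hour in working hours, 120 otherwise.
    normal = {h: (300 if 9 <= h <= 17 else 120) for h in range(24)}
    history = []
    for d in range(5):  # five baseline days with small deterministic jitter
        jitter = (d * 7) % 15 - 7
        day = datetime(2016, 3, 1) + timedelta(days=d)
        history += synth_lines(day, {h: n + jitter for h, n in normal.items()})
    baseline = build_baseline(hourly_counts(history))

    # Day under inspection: same shape, but 420 queries between 20:00 and 21:00.
    today = dict(normal)
    today[20] = 420
    lines = synth_lines(datetime(2016, 3, 8), today)
    lines += ["truncated-line", "not-a-timestamp 192.0.2.9 example.com A"]
    return find_anomalies(hourly_counts(lines), baseline)


if __name__ == "__main__":
    for bucket, count, threshold in demo():
        print(f"{bucket:%Y-%m-%d %H:00} queries={count} threshold={threshold:.0f}")
```

Comparing each hour against the same hour of day is what lets the evening spike stand out even though it is not far above the working-day peak.
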
Mitigation strategies are crucial for a business’s security posture. Finding effective means to
mitigate DDoS attacks remains one of the most challenging tasks in security. As we have seen
before, DDoS attacks have grown very sophisticated in the past decade and masquerade
exceptionally well as legitimate traffic. Firewalls, IDS, and IPS systems are essential for overall
network security, but are often useless for DDoS mitigation. There is no straightforward solution
for effective DDoS mitigation, but there are multiple strategies that provide reasonable coverage.
A common strategy is to employ the use of Remotely Triggered Black Hole Filtering (RTBH).
When an attack is detected, all undesirable traffic is dropped entirely at the network edge (Cisco,
2013). There is a lot of information concerning RTBH, but only the two main types of RTBH
will be mentioned. Destination-based filtering black-holes traffic directed
towards the IP address being attacked (see Figure 2 in the Appendix for the Destination-Based
RTBH diagram). The device that is triggered by the attack sends an
iBGP update to other edge routers telling them to send traffic to their null interface. This
technique has obvious pitfalls. Destination-Based RTBH will drop legitimate traffic too.
Source-Based RTBH attempts to mitigate these issues. This method allows for packets to be
dropped based on a specific IP address. When an attack occurs, the attacker’s IP address is
discovered and all packets sent from this address are dropped (Cisco, 2005; see Figure 3 in the
Appendix for the Source-Based RTBH diagram). This technique relies heavily on
Unicast reverse path forwarding (Cisco, 2013). Unicast reverse path forwarding (uRPF) is a
mitigation technique that verifies the reachability of the source addresses of packets being
forwarded by routers. Normally, a router only cares about the destination of the packet; with
uRPF, however, the packet is discarded if the source address cannot be verified. This helps
protect against DDoS attacks because it is commonplace for such attacks to spoof the source IP
addresses of packets directed towards the network
(Cisco, 2013). There are two modes for uRPF. Loose mode checks to see if there is an entry for
the source in the routing table. Strict mode performs the same check as loose mode, but does an
additional check to make sure the packet is received on the same interface the device would use
to forward traffic back to the source. Strict mode is more likely to drop legitimate traffic, so it
should be used carefully (Cisco, 2013). Similar in fashion are sinkholes. Sinkholing is a method
where attack traffic is diverted to
a dedicated network that can withstand it. It is similar to honeypots because the main focus of
this strategy is to divert the attack to a segmented network where the malicious activity can be
carefully analyzed (Ramachandran, 2003). All the previously mentioned strategies involve the
actual business performing the mitigation. However, ISPs have additional capabilities to
further mitigate attacks. They use a technique called traffic scrubbing. According to
Ramachandran (2003), “Scrubbers have capabilities, which allow them to distinguish between
good and bad traffic. They mitigate DDoS attacks by forwarding only good traffic and dropping
attack traffic” (p. 9). Companies such as Arbor Networks, Verizon, and AT&T offer traffic
scrubbing. Each company has its own advanced methods to determine bad traffic. Advanced
traffic analysis and anomaly detection is used to provide the most coverage (Cisco, 2013). As
mentioned before, IDS / IPS devices and firewalls are increasingly overwhelmed by DDoS
attacks. A newer solution is the utilization of Intelligent DDoS Mitigation Systems. One of the
pioneers of this new technology is Arbor Networks. Their main technical solution consists of the
Peakflow SP solution and the Peakflow SP Threat Management System (TMS) (see Figure 4 in the
Appendix for Arbor’s IDMS diagram). There are some
notable advantages of using Peakflow. Peakflow can surgically remove threats, supporting up to
40GB/s. Arbor’s scalability can effectively combat volumetric attacks (Arbor, 2012). Arbor
offers cloud signaling. On-premise mitigation has trouble with volumetric attacks, while ISP
mitigation can be slow to respond to concurrent threats. Cloud signaling is the combination of
ISP and on-premise mitigation for effective layered security. Arbor’s Threat Level Analysis
System (ATLAS) boasts real-time advanced analytics and deep packet inspection techniques to
root out even the most persistent DDoS attacks (Arbor, 2012). An important aspect of Arbor’s
IDMS is the utilization of multi-layered DDoS techniques for effective mitigation. Another new
mitigation technique is reputation-based blocking. This technique uses web-filtering to mitigate
attacks. Certain sites may contain viruses and Trojans and it is important to block these sites
(Cisco, 2013). How does this relate to DDoS mitigation? Earlier, I mentioned that DDoS smoke
screening is an increasing concern among businesses. It is very likely that a business will
experience a decrease in DDoS attacks if malware infections from unsafe websites decrease.
Therefore, businesses can better protect their assets and information. Lastly, geographic
dispersion is an effective technique for DDoS mitigation. This solution uses a
routing mechanism called Anycast. Anycast allows traffic to be routed to many destination
nodes. The offending DDoS attack will be dispersed across multiple points across a geographical
area. This technique saw success when a group of white hat hackers stopped a DDoS attack that put
the Spamhaus website offline by using geographic dispersion mitigation (Cisco, 2013).
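
The uRPF loose and strict checks and the two RTBH variants from the mitigation discussion above, modelled on one edge router, as an added example that is not from the paper or from Cisco's guides. The `Router` class, the interface names and the addresses are constructed assumptions, and the black-hole route is installed directly rather than learned through a routing update.

```python
import ipaddress

NULL = "Null0"  # discard interface used for black-holing


class Router:
    """Minimal forwarding model: static routes, longest-prefix match, uRPF."""

    def __init__(self):
        self.routes = []  # list of (network, outgoing interface)

    def add_route(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, addr):
        """Longest-prefix match; returns the outgoing interface or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, src, dst, in_iface, urpf=None):
        """Return (verdict, detail); urpf is None, "loose" or "strict"."""
        if urpf in ("loose", "strict"):
            back = self.lookup(src)
            if back is None:
                return ("drop", "uRPF: no route to source")
            if back == NULL:
                return ("drop", "uRPF: source routed to Null0")
            if urpf == "strict" and back != in_iface:
                return ("drop", "uRPF strict: wrong ingress interface")
        out = self.lookup(dst)
        if out is None:
            return ("drop", "no route to destination")
        if out == NULL:
            return ("drop", "destination black-holed")
        return ("forward", out)


def build_edge():
    """Constructed topology; no default route is configured."""
    r = Router()
    r.add_route("203.0.113.0/24", "lan")     # protected network
    r.add_route("198.51.100.0/24", "isp-a")  # best return path is via isp-a
    r.add_route("192.0.2.0/24", "isp-b")
    return r


VICTIM = "203.0.113.10"


def scenarios():
    out = {}
    r = build_edge()
    # Spoofed source with no route back: only uRPF catches it.
    out["spoofed_no_urpf"] = r.forward("10.66.0.1", VICTIM, "isp-a")
    out["spoofed_loose"] = r.forward("10.66.0.1", VICTIM, "isp-a", "loose")
    # Legitimate client whose packets arrive on isp-b (asymmetric routing).
    out["asym_loose"] = r.forward("198.51.100.7", VICTIM, "isp-b", "loose")
    out["asym_strict"] = r.forward("198.51.100.7", VICTIM, "isp-b", "strict")

    # Destination-based RTBH: host route for the victim points at Null0.
    d = build_edge()
    d.add_route(VICTIM + "/32", NULL)
    out["dst_rtbh_legit"] = d.forward("198.51.100.7", VICTIM, "isp-a")
    out["dst_rtbh_neighbor"] = d.forward("198.51.100.7", "203.0.113.20", "isp-a")

    # Source-based RTBH: host route for the attack source plus loose uRPF.
    s = build_edge()
    s.add_route("192.0.2.50/32", NULL)
    out["src_rtbh_attacker"] = s.forward("192.0.2.50", VICTIM, "isp-b", "loose")
    out["src_rtbh_legit"] = s.forward("192.0.2.51", VICTIM, "isp-b", "loose")
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20} {verdict}")
```

The `asym_strict` result is the false drop the text warns about, and `dst_rtbh_legit` shows why destination-based RTBH also discards legitimate traffic to the victim.
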
DDoS attacks have become a formidable force to guard against in the past decade. As
attackers find new ways to bring large scale networks to their knees, businesses must invest more
time in a security posture that will protect and defend against these types of attacks. Attackers
are motivated by money or personal ideologies and have access to a variety of tools that can
cripple a network. The average DDoS attack can incur thousands of dollars of lost revenue and
stolen data. The size and complexity of attacks make them hard to mitigate. Proper
implementation of prevention, detection, and mitigation strategies is necessary for a business’s
survival. As we move forward in the 21st century, DDoS attacks will continue to be a problem,
but human ingenuity will prevail and continue to improve technology for greater DDoS
prevention and mitigation.
Appendix
Figure 1 - DNS log chart
(Cisco, 2013, 19)
Figure 2 - Destination-Based RTBH
(Cisco, 2005, 2)
Figure 3 - Source-Based RTBH
(Cisco, 2005, 4)
Figure 4 – Arbor IDMS
(Arbor, 2012, 10)
References
Arbor Networks Inc. (2011). Why Firewalls and Intrusion Prevention Systems (IPS) Fall Short on DDoS Protection: The Risk of Choosing the Wrong Technology for DDoS Protection. Retrieved April 4, 2016, from http://www.techdata.com/arbornetworks/files/ARBOR_TB_IPS_EN.PDF
Arbor Networks Inc. (2012). Layered Intelligent DDoS Mitigation Systems. Retrieved April 4, 2016, from https://www.arbornetworks.com/images/documents/White Papers and Research/WP_IDMS_SP_EN2012.pdf
Arbor Networks Inc. (2014). Worldwide Infrastructure Security Report. Retrieved April 4, 2016, from http://pages.arbornetworks.com/rs/arbor/images/WISR2014.pdf
Ciampa, M. D. (2015). Security guide to network security fundamentals. Boston, MA: Course Technology, Cengage Learning.
Cisco. (2005). Remotely Triggered Black Hole Filtering: Destination Based and Source Based. Retrieved April 4, 2016, from http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_white_paper0900aecd80313fac.pdf
Cisco. (2010). Chapter 53: Configuring Connection Limits and Timeouts. In Cisco ASA 5500 Series Configuration Guide using the CLI (pp. 53-1-53-5). San Jose, CA: Cisco.
Cisco. (2013). A Cisco Guide to Defending Against Distributed Denial of Service Attacks. Retrieved April 4, 2016, from http://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html
Hoffman, S. (2013, March 25). DDoS: A Brief History. Retrieved April 4, 2016, from https://blog.fortinet.com/post/ddos-a-brief-history
Hoffman, S. (2013, March 27). DDoS: A Brief History, Part II. Retrieved April 4, 2016, from https://blog.fortinet.com/post/ddos-a-brief-history-part-ii
Neustar, Inc. (2014). The Danger Deepens: Neustar Annual DDoS Attacks and Impact Report. Retrieved April 4, 2016, from https://www.neustar.biz/resources/whitepapers/ddos-protection/2014-annual-ddos-attacks-and-impact-report.pdf
Radware. (2013). DDoS Survival Handbook. Retrieved April 4, 2016, from https://security.radware.com/uploadedFiles/Resources_and_Content/DDoS_Handbook/DDoS_Handbook.pdf
Ramachandran, V., & Nandi, S. (2003). Bleeding Edge DDoS Mitigation Techniques for ISPs. Retrieved April 4, 2016, from http://www.vivekramachandran.com/docs/ddos_paper_Vivek_Sukumar.pdf