Data Security and

Encryption
Assignment # 2
Protecting Electronic Commerce
From

Distributed Denial-of-Service

Attacks
Submitted to:
Dr. Adnan Ahmad

Submitted by:
Ammar Umer
DDP-SP13-BSE-016
Anam Naimat
DDP-SP13-BSE-018

Date: 14-11-2016

TREE-STRUCTURE
Attack Mechanisms

Denial
of
Denial of
Service
Service

Distribute
Distribute
dd Dos
Dos
Congestiv
Congestiv
e/
e/
Protocol
Protocol
Attacks
Attacks

Volume
Volume
Based
Based
Attacks
Attacks
UDP
UDP
Floods
Floods

ICMP
ICMP
Floods
Floods

Advance
Advance
Persistanc
Persistanc
ee Dos
Dos

SpoofSpoofPacket
Packet
Floods
Floods

SYN
SYN
Floods
Floods

Applicatio
Applicatio
nn Layer
Layer
Attacks
Attacks

Fragment
Fragment
ed
ed Packet
Packet
Attacks
Attacks

Death
Pill
Death Pill
Attack
Attack

Smurf
Smurf
DDos
DDos

Ping
Ping of
of
Death
Death

Teardrop
Teardrop

Land
Land

NTP
NTP
Amplificat
Amplificat
ion
ion

Slowloris
Slowloris

GET/POST
GET/POST

Protection Mechanism

VIPnet Protects Against

Congestion Attacks A QoS-based
defense Architecture

Apache
Apache
Attacks
Attacks

OS
OS
Vulnerabil
Vulnerabil
ities
ities

DDoS attacks can be broadly divided into three types:

Volume Based Attacks
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The attacks goal is to
saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (Bps).
Protocol/Congestion Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This
type of attack consumes actual server resources, or those of intermediate communication
equipment, such as firewalls and load balancers, and is measured in Packets per second.
Application Layer Attacks
Includes low-and-slow attacks, GET/POST floods, attacks that target Apache, Windows or
OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests,
the goal of these attacks is to crash the web server, and the magnitude is measured in Requests
per second.

VIPnet Mitigate Congestive DDoS Attacks

Congestive DoS attacks are particularly challenging because victims cannot protect themselves
without other parties cooperation. Moreover,the current Internet architecture makes it easy for
attackers to mount and remain unaccountable for such attacks. This paper introduces a new QoSbased defense architecture that limits the effects of congestive DoS attacks on e-merchants.
VIPnet allows e-merchants to have ISPs carry the traffic of the e-merchants best clients,called
VIPs,in a privileged class of service. The VIP class enjoys better quality of service and is
insulated from congestion,whether malicious or not,in the regular class. DoS attacks against VIPs

are difficult to mount and sustain because attackers cannot forge VIP rights, attackers cannot
easily find and infiltrate computers with active VIP rights for an intended victim,and VIP rights
are term- and usage-limited. Consequently, VIPnet can protect a (perhaps major) portion of an emerchants revenues from the effects of congestion and DoS attacks. For this service,e-merchants
pay a fee to ISPs,thus amortizing the necessary investment.