
Testing of DDoS Protection Solutions

Lukas Malina, Petr Dzurenda, Jan Hajny


malina@feec.vutbr.cz, dzurenda@phd.feec.vutbr.cz, hajny@feec.vutbr.cz
Faculty of Electrical Engineering and Communication
Brno University of Technology
Brno, Czech Republic

Abstract
Distributed Denial of Service (DDoS) attacks hit networks and web services
every day. Many current research projects and activities try to design various DDoS
protection solutions. Nevertheless, DDoS attacks are becoming more advanced,
ingenious and powerful, so many of these comprehensive DDoS protection
solutions are not efficient enough and do not fully mitigate advanced DDoS
attacks. Accordingly, it is important to test DDoS protection solutions and reveal
their limitations and bottlenecks before deploying them in networks. This work
deals with DoS and DDoS detection techniques and presents testing procedures
for DDoS protection solutions. We describe the state of the art in detection
techniques for current DDoS attacks. The techniques are based on signature and
anomaly detection. Other alternative approaches are also evaluated and their
advantages and drawbacks are discussed. Besides these detection techniques, we
survey DDoS protection solutions and special DDoS protection appliances and
evaluate them.
Further, we introduce two testing procedures for observing the behaviour of
network security and DDoS protection appliances during DDoS attacks. The
first testing procedure is based on a software DDoS generator that runs on
a common server or personal computer. The paper also presents various software
DDoS generators and their specifications. The second testing procedure uses the
professional stress tester Spirent Avalanche, which can generate various types
of DDoS attacks. This stress tester is able to mix legitimate traffic with DDoS
attacks and emulates various communication protocols and services. We evaluate
these testing procedures and present our experimental results for both approaches.
We focus on the performance and modularity of these testing procedures and the
range of possible DoS/DDoS attacks that can be generated.
Keywords: DoS Attacks, DDoS Attacks, DDoS protection, DDoS detection,
network, security, tests.

1 Introduction
Internet services, websites and web applications are used by many clients
every day. These services must work correctly and must be available to their
users. Nevertheless, the Internet connection enables various attackers to hit
these services and cause economic damage through the malfunction or
interruption of these services. Distributed denial of service attacks have become
very frequent. Generally, a Denial of Service (DoS) attack is carried out by one
host. Distributed DoS attacks are sent by multiple hosts or bots that are controlled
by an attacker. These attacks usually flood services at target devices connected to
the Internet. The basic principle of DDoS attacks is depicted in Figure 1, which
shows a combination of flood DDoS and amplification flood DDoS attacks.
More information about types of DDoS attacks can be found in the paper [1].

Figure 1: The principle of DDoS attacks (Flood and Amplification attacks).

DoS/DDoS attacks are a threat especially to high-profile web services and sites
of financial institutions, governments and large corporations. Many of these
institutions use data centers, which are very often targets of sophisticated and
powerful attacks. There are many solutions, techniques and appliances that try to
mitigate DoS/DDoS attacks. Testing these solutions and devices provides
important information about the defense of the sites and services. The test outputs
can help to better configure the deployed devices and fix the bottlenecks in the
security solutions. There are many test appliances that can provide this testing.
Nevertheless, these appliances are usually expensive. Therefore, owners of websites
and services are not able to test their security solutions and perform the stress tests
needed to detect bottlenecks and the limits of their sites.
In this paper, we present some state-of-the-art DDoS detection techniques (Section
2) and protection solutions and appliances (Section 3). Then, we describe popular
DDoS testing tools and appliances (Section 4). The main contribution of this work
can be found in Sections 5-7, where we introduce DDoS testing procedures
based on a software DDoS generator (Section 5) and a hardware appliance
(Section 6). Section 7 discusses the pros and cons of these two procedures and
compares them.

2 DDoS/DoS Detection Techniques


In this section, we describe basic DDoS/DoS detection techniques that try to detect
DoS/DDoS attacks in data traffic or in a network. The detection can help to
mitigate the damage caused by the attack. The detection must be fast and precise
and should produce a minimum number of false positive alerts. The detection
devices/tools are often called Intrusion Detection Systems (IDS). A study and
basic classification of IDS devices is presented in the work [2]. Generally,
DDoS/DoS detection techniques can be divided into two approaches: signature
detection and anomaly detection. In addition, we describe hybrid and alternative
detection techniques.

2.1 Signature detection techniques

Signature detection methods are based on knowledge of DDoS attack patterns.
These signatures/patterns are usually observed by security experts.
Then, the patterns are implemented in network security devices and IDSs. These
devices must monitor packets and recognize the patterns of incoming DDoS
attacks. This type of detection is fast but is effective only against already known
DDoS attacks. There are many DoS/DDoS attacks (e.g. TCP mixed flag attacks,
X-mas tree attacks) that can be easily detected by this technique. On the other
hand, signature detection techniques are not able to recognize unknown
DoS/DDoS attacks. More details about signature detection techniques can be
found in papers [3] and [4].
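
The per-packet pattern matching described above, as an added example that is not code from the paper: it parses raw IPv4/TCP headers and matches the flag byte against a small signature table for X-mas tree and mixed flag packets. The signature names, the table and the sample packets (built inline, with documentation-range addresses) are assumptions made for illustration.

```python
import struct
from collections import Counter

# TCP flag bits as they appear in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Hypothetical signature table: (name, mask, value). A packet matches when
# (flags & mask) == value. The first matching entry wins.
SIGNATURES = [
    ("xmas-tree", FIN | PSH | URG, FIN | PSH | URG),
    ("mixed-flags syn+fin", SYN | FIN, SYN | FIN),
    ("mixed-flags syn+rst", SYN | RST, SYN | RST),
    ("mixed-flags fin+rst", FIN | RST, FIN | RST),
    ("null-flags", 0x3F, 0x00),
]


def parse_tcp_flags(packet):
    """Return the TCP flag bits of a raw IPv4 packet, or None if the packet
    is not IPv4/TCP, is a non-first fragment, or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 6:          # protocol 6 = TCP
        return None
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset != 0:                    # later fragments carry no TCP header
        return None
    if len(packet) < ihl + 14:              # flag byte sits at TCP offset 13
        return None
    return packet[ihl + 13] & 0x3F


def classify(packet):
    """Label one packet: a signature name, 'no-signature', or 'unparsed'."""
    flags = parse_tcp_flags(packet)
    if flags is None:
        return "unparsed"
    for name, mask, value in SIGNATURES:
        if (flags & mask) == value:
            return name
    return "no-signature"


def build_packet(flags, proto=6, frag_offset=0):
    """Build a constructed 40-byte IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, frag_offset & 0x1FFF,
                     64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "xmas": build_packet(FIN | PSH | URG),
    "syn_fin": build_packet(SYN | FIN),
    "null": build_packet(0),
    # A single SYN is a legitimate packet: a flood of them has no per-packet
    # flag signature and has to be caught by rate or anomaly detection.
    "plain_syn": build_packet(SYN),
    "normal_data": build_packet(ACK | PSH),
    "udp": build_packet(0, proto=17),
    "truncated": build_packet(SYN)[:30],
}


def summarize(packets):
    """Count labels over an iterable of raw packets."""
    return Counter(classify(p) for p in packets)


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} -> {classify(pkt)}")
```
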

2.2 Anomaly detection techniques

This type of detection method detects and classifies attacks by the anomalies they
cause in network traffic. Flooding attacks, for example, use a large
number of TCP-SYN, UDP or ICMP packets. This increase can be observed as an
anomaly in the normal network traffic. The classic anomaly detection techniques
can be based on the observation of dynamic statistical properties of network
traffic, e.g., time to live, IP header information and other data. Some of these
techniques are described in papers [5], [6], [7]. The paper [8] presents the
possibility of using Artificial Intelligence (A.I.) tools, e.g., neural networks and
genetic algorithms, to detect unusual network traffic and classify DDoS
attacks.
A.I. methods are able to learn what normal network traffic looks like, and then
detect and classify anomalies in the traffic. The main disadvantage of
anomaly detection methods is a larger number of false positive alarms.
Anomaly detection methods are also usually slower than signature detection
methods because they observe larger samples of data from the network traffic.
Nevertheless, these methods might detect unknown and new types of DDoS/DoS
attacks.
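
The rate-based anomaly detection and its false positive trade-off described above, as an added example that is not code from the paper: a baseline of SYN packets per second is learned with an exponentially weighted moving average and variance, and an interval is flagged when it exceeds the baseline by k standard deviations. The function name, the parameters and the sample counts are assumptions made for illustration.

```python
from math import sqrt

# Constructed sample: TCP SYN packets counted per one-second interval.
SYN_PER_SECOND = [
    100, 104, 98, 102, 96, 101, 99, 103, 97, 100,  # learning window (normal)
    112,                                           # legitimate burst of clients
    101, 99,                                       # normal again
    4000, 5200, 4800,                              # SYN flood
    100,                                           # back to normal
]


def detect_anomalies(counts, k, alpha=0.2, warmup=10, min_std=1.0):
    """Return the indices of intervals whose count exceeds mean + k * std.

    mean and std are exponentially weighted estimates of the normal profile.
    The first `warmup` intervals are only used for learning. Flagged
    intervals are not fed back into the profile, so a flood cannot pull the
    baseline upward and hide itself.
    """
    mean, var = None, 0.0
    alerts = []
    for i, x in enumerate(counts):
        if mean is None:                 # first interval initialises the profile
            mean = float(x)
            continue
        if i >= warmup:
            threshold = mean + k * max(sqrt(var), min_std)
            if x > threshold:
                alerts.append(i)
                continue                 # do not learn from an anomalous interval
        diff = x - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return alerts


def compare_sensitivity(counts, ks=(3.0, 8.0)):
    """Run the detector with several thresholds to show the trade-off."""
    return {k: detect_anomalies(counts, k) for k in ks}


if __name__ == "__main__":
    for k, alerts in compare_sensitivity(SYN_PER_SECOND).items():
        flagged = [(i, SYN_PER_SECOND[i]) for i in alerts]
        print(f"k={k}: flagged (index, count) = {flagged}")
```

With k=3 the detector flags the flood but also the legitimate burst at index 10, which is the false positive the text warns about; with k=8 only the flood intervals are flagged.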

2.3 Hybrid and alternative detection techniques

These detection techniques are usually based on hybrid or alternative approaches.
The hybrid solutions that employ anomaly and signature methods usually have
higher computational and memory complexity. Nevertheless, these hybrid
techniques can combine the advantages of signature and anomaly detection methods.
On the other hand, some trade-off between anomaly and signature detection
techniques must be set.
As a hybrid approach, Blazek et al. [9] propose a method based on statistical
analysis of data from different network layers. Their method provides a
self-learning process, a small attack detection delay and scalable computational
complexity. The paper [10] presents an alternative detection technique that is
based on time series analysis. This method provides proactive DDoS detection
through the correlation between victim traffic and attacker traffic. Key variables
(patterns) are extracted from both traffic streams. The extracted variables can be
evaluated with statistical tools, e.g., the Granger Causality Test, the Auto Regressive
Model and so on. Observed deviations from the normal profile then raise attack alarms.

3 DDoS/DoS Protection Solutions and Appliances


This section presents DDoS protection solutions and some DDoS protection
appliances and their evaluation. Firstly, we describe protection strategies based on
common security devices. Secondly, we present some special anti-DDoS appliances
and finally, we describe cloud based DDoS/DoS protection solutions.

3.1 Common network security devices based protection

Network security devices such as firewalls, Intrusion Detection Systems (IDSs),
load balancing mechanisms and routers can be employed in comprehensive
DDoS protection solutions. Nevertheless, these devices have not been designed to
protect against DDoS attacks. Their imperfections are described in the paper [11].
For example, routers with configured Access Control Lists (ACLs) can defend
against simple and known DDoS attacks based on nonessential and unwanted
protocols, but they are not able to block many attacks that spoof IP addresses.
Further, firewalls are designed to control access into and from private networks.
Nevertheless, the CPU and memory of firewalls can be easily saturated by
strong flood DDoS attacks. Firewalls usually do not employ antispoofing and
anomaly detection mechanisms.
IDSs usually provide signature-based application layer detection but they are not
designed for DDoS mitigation. Besides these network security devices,
redundant links and load balancing mechanisms are employed to keep legitimate
connections alive when client networks are under DDoS/DoS attacks. The
cooperation of these security devices and mechanisms has to be set up and
maintained. This task is not easy if the network employs devices from various
vendors. Further, some large and sophisticated DDoS attacks can overcome
protections based on these security devices.

3.2 Special appliances based protection

The special DDoS/DoS protection appliances offer single-box solutions that
can be plugged into networks or data centers to protect the services against
various types of DDoS/DoS attacks. These special anti-DDoS appliances
usually have very high computational power and memory capacity. They have good
technical support and can mitigate some unknown and large DDoS/DoS attacks.
Some common DDoS/DoS protection appliances are briefly described in the
following text:

Radware DefensePro: this series of appliances provides DDoS/DoS
mitigation by network-wide protection methods (behavioral analysis, SYN
protection, TCP/UDP scanning), server protection methods (connection
limit, server-cracking protection, HTTP mitigation), signature-based
protection methods and access control lists. The DefensePro x4420 models,
which are designed mainly for service providers and clouds, are able
to work with network throughputs up to 300 Gbps (model 3004420). The
x420 and x412 series provide network throughputs up to 40 Gbps
(12 Gbps respectively) and are designed for large data centers, e-commerce
and enterprises. The lower-performance x016 and x06 series are mainly for
medium sized data centers, e-commerce and Internet gateways, with
network throughputs between 200 Mbps and 3 Gbps.

Check Point DDoS Protector appliances: these appliances block known
and unknown DDoS/DoS attacks. Several models of this DDoS
protection family are offered for large data centers (X420), data centers
(X412) and enterprises (X06). The most powerful appliance, X420, is able
to inspect and protect up to 40 Gbps of network traffic. Dedicated
hardware acceleration is employed to defend against DDoS/DoS flood
attacks with a rate of up to 25 million packets per second (X420). The
technical specification of these appliances claims that detection of and
protection against attacks takes less than 18 seconds. The Check Point
DDoS Protector appliance family protects against TCP, UDP, ICMP,
IGMP and Fragment DDoS attacks by using behavioral (anomaly)
detection and against known DDoS attacks by using filters
(signature/pattern detection). Further, the appliances are able to protect
against application based DDoS/DoS attacks that run on the HTTP and DNS
protocols.

FortiDDoS: these DDoS attack mitigation appliances provide Layer 3, 4
and 7 DDoS flood mitigation, packet inspection and anomaly detection
techniques. This solution does not use any signature files. The packet
inspection is based on techniques such as predictive behavioral analysis,
heuristic analysis, granular deep packet inspection, continuous adaptive
rate limiting and stateful monitoring for specific attack vectors. FortiDDoS
appliances are offered in several models. The most powerful model
(2000B) is able to inspect bidirectional traffic up to 24 Gbps. The DDoS
attack mitigation response time is less than 2 seconds according to the
technical specification of the appliances.

RioRey RG-Series: these appliances provide DDoS protection against
25 classes of DDoS attacks such as TCP, HTTP, UDP or ICMP based
attacks. The most powerful model (RG40) is able to work with 200 Gbps
bandwidth throughput in an off-ramp hairpinned mode, and for in-line
applications, throughput is 100 Gb/s. The solution inspects up to
32 million packets per second. Detection and mitigation of DDoS attacks is
automatic and does not use traffic patterns. DDoS detection time is
30-90 seconds and mitigation takes 90-120 seconds. The solution uses
source and destination IP white and black lists.

Juniper DDoS Secure: these appliances provide fine-grained DDoS
mitigation. DDoS Secure protects against flood and application-layer
DDoS attacks by using methods such as heuristic analysis and inspection,
and dynamic and self-learning thresholds. The model 1200-SR/LR is able to
work with 10 Gbps bandwidth throughput, and a cluster solution can
work with up to 160 Gb/s throughput.

Generally, special appliances developed by IT network security companies are
usually focused on large data centers and e-commerce clients. The main advantage
of these appliances is their single-box usage and the high performance that is
demanded in these large scale networks. The drawbacks of these special appliances
are their high cost (tens of thousands of euros) and the restricted expansion of the
protection solution if clients extend their data centers or networks.

3.3 Cloud based protection

Nowadays, there are many cloud based DDoS protection providers who offer
DDoS/DoS protection as a service. This service is especially used by small-medium
businesses and enterprise-level companies who cannot afford the special anti-DDoS
appliances. When a DDoS/DoS attack is detected at the client side, the whole
inbound traffic is redirected to a cloud DDoS protection technology, more precisely,
the nearest cloud center of the provider, which employs DDoS filtering techniques
to remove the DDoS traffic and route the legitimate traffic back to the client.
Cloud DDoS protection services and providers such as Incapsula, Defense.net,
Prolexic DDoS Mitigation Services, Verisign DDoS Protection Services,
CloudFlare Enterprise, Nexusguard and others usually rent their services on a
yearly basis for thousands to tens of thousands of euros. Nevertheless, using the
cloud based DDoS protection services can be less expensive for certain types of
clients (small/medium high-profile e-commerce companies) than employing the
special anti-DDoS appliances. On the other hand, the detection and mitigation of
the DDoS/DoS attacks take longer due to the routing.

4 DDoS/DoS Testing Tools and Appliances


In this section, we describe existing DDoS/DoS testing appliances and tools.
Testing the protection of appliances and network devices against DoS and DDoS
attacks can be realized by generating these attacks with SW tools and HW devices.
Besides these software tools and hardware appliances, there are many DDoS online
tests that are provided as a service by many web sites, e.g. ipstresstest.com,
iDDos.net, redwolfsecurity.com, IONBooter.com. Nevertheless, we focus solely on
special HW appliances and SW tools that can be used in our laboratory
DoS/DDoS test procedures. The devices and tools that are appropriate for
certain laboratory testing are described in the following subsections.

4.1 Software DDoS/DoS generators/testers

Software DDoS generators and program tools are usually easy to acquire. These
tools are often open source and can be downloaded for free. The tools can be
run on common computers and servers which are connected to the target being
tested.
Some popular software DDoS/DoS generators and tools are briefly described in
the following text:

Low Orbit Ion Cannon (LOIC): this open source tool, which is written
in C#, provides stress testing and can generate various flooding HTTP,
TCP and UDP attacks. LOIC is easy to use thanks to its graphical interface
and enables DDoS attacks when it is used by multiple users.

XOIC: this tool is similar to LOIC. The tool provides DoS attacks based
on the TCP, UDP, ICMP and HTTP protocols that are efficient against small
websites.

DDOSSIM: this program, which is written in C++, simulates
several zombie hosts having random IP addresses. The tool generates
DDoS attacks such as TCP-connection-based attacks, application
layer-based DDoS attacks, HTTP DDoS attacks, SMTP DDoS attacks and
TCP flood attacks on random ports. DDOSSIM runs on Linux systems.

PyLoris: this tool, which is written in Python, can be used for testing
servers. The tool provides a simple graphical interface and can
generate various DoS attacks based on protocols such as HTTP, FTP,
SMTP, IMAP and Telnet to hit a specific service.

OWASP DOS HTTP POST: this tool performs DoS attacks based on
the HTTP protocol. The tool has been developed by the OWASP (Open Web
Application Security Project) group to provide an L7 DoS testing tool for
websites.

SlowLoris: this DoS tool generates only one type of slow
denial of service attack. The tool exhausts an HTTP server by
holding connections open through sending partial HTTP requests. This
tool, which is programmed in Perl, does not provide TCP/UDP DoS
attacks and other flood attacks.

R-U-D-Y: this DoS tool creates HTTP POST-based DoS
attacks. The tool generates low and slow attacks which create only a few
connections but keep the connections open for a long time period.

Tor's Hammer: this program, which is written in Python, uses HTTP
POST-based DoS attacks. The attacks can be sent anonymously via the TOR
network.

Others: there are many tools that can be used for testing or for hacking,
such as GoldenEye HTTP Denial Of Service Tool, DAVOSET, HULK
(HTTP Unbearable Load King).

Many of the described software DDoS/DoS tools focus solely on testing web servers,
such as the OWASP DOS HTTP POST tool, SlowLoris, R-U-D-Y, Tor's Hammer and
HULK. Some tools such as LOIC, XOIC, DDOSSIM and PyLoris can be used to
test other services such as SMTP and FTP, and can be used to flood servers and test
their limits.

4.2 Hardware DDoS/DoS generators/testers

There are appliances that can serve as hardware DDoS generators. These appliances
mainly serve as powerful stress testers and traffic and protocol emulators, and make
it possible to test network devices or whole network segments and solutions. These
appliances are usually based on multi-core processors, large memory and network
interfaces with high throughput. These hardware based DDoS testers are very
powerful and can generate large volumes of traffic and DDoS attacks. The main
disadvantage of these appliances is their cost.

Common hardware DDoS generators and appliances are briefly described in the
following text:

Spirent Avalanche 3100 B: this appliance can generate 16 types of
DoS/DDoS attacks (L2/L4) and 3500+ L7 application attacks, and mix these
attacks into normal traffic. Avalanche 3100B, which is depicted in
Figure 2, provides 10 Gbps fiber interfaces and generates up to 300 000
HTTPS requests per second or 30 million concurrent connections. The
appliance emulates various protocols at layers 4-7 and can simulate
the real behavior of website clients. Avalanche 3100B is able to generate
a large volume of traffic with DoS/DDoS attacks to test servers, sites or whole
network parts. Moreover, the emulation of the client and server sides can
be performed at the same time. Therefore, the appliance is able to test
network defense devices, firewalls, routers and so on. There is also an
attack designer component, which is part of this tester and makes it possible to
add custom attacks.

Ixia Xcellon-Ultra XT: this appliance emulates various protocols at
layers 4-7 (clients and servers). The performance of the appliance
depends on the type of the hardware chassis. For example, the strongest
type, XT80-V2, provides 8 x 10 GE ports and is able to generate 3 million
HTTP connections per second and 400 000 SSL connections per second.
The appliance can also emulate well-known DDoS attacks.

Figure 2: Spirent Avalanche 3100 B stress tester.

5 Software Based DDoS/DoS Testing Procedure


In this section, we present our proposal of a software based DDoS/DoS testing
procedure. We describe the chosen testing topology and devices and the details
of the procedure. Then, we present the performance results of this procedure.

5.1 Testing topology and procedure description

The testing topology consists of two switches (Cisco Catalyst 2960 and Linksys
EG008W), a server/PC which generates DoS traffic (the SW DoS generator),
a control terminal, service/site clients (an optional node which emulates clients or
routes real client traffic) and a tested device. This testing topology, which is based
on the software DoS generator, is depicted in Figure 3.

Figure 3: Testing topology with software-based DoS generator.


The most important part is the SW DoS generator node. We use a server with
Linux OS (Debian 7.4). This device must have two network interfaces with high
throughput (at least 1 Gbps). The first interface is used for configuration and
remote control. The second interface is used for sending the DoS traffic to the tested
device. The generator can employ any of the existing software DDoS testers that are
described in Section 4.1, but we use a simple script to generate DDoS/DoS attacks.
The implemented DoS tester program, which generates the DoS attacks, is written in
Python. The program provides 5 types of DoS attacks, namely the TCP-SYN DoS
attack, TCP-RST DoS attack, TCP Xmas DoS attack, UDP flood attack and ARP
DoS attack.

The hardware of the SW DoS generator node should be powerful (strong CPU and
memory) to generate a large number of packets. The tested device can be a webserver,
a firewall, a router and so on. If we want to test webservers or other services, we
should emulate website/service client traffic with a client emulator application and
mix it with the DoS traffic by using a high-performance switch (Switch 2) to get
realistic results. If we test firewall or router performance and DoS mitigation
functions, we can generate DoS attacks directly (Switch 2 is not needed). The control
terminal is used for remote control and configuration of the nodes and devices in the
testing topology via Switch 1.

5.2 Testing the performance results

We test our procedure with two hardware nodes of different performance (HW1:
CPU Intel Xeon E5310 @ 1.6 GHz, RAM 2 GB / 333 MHz; HW2: CPU Intel Xeon
E3440 @ 2.53 GHz, RAM 8 GB / 1 333 MHz). Figure 4 shows how important the
hardware specification of the SW DoS generator is. The more powerful device
HW2 is able to generate more DDoS packets than device HW1 (HW2 around
204 000 to 255 000 packets per second and HW1 around 171 000 to 238 000 packets
per second). The most packets can be generated by using the ARP flood attack.
Nevertheless, in practice the number of packets can be limited by the network
interface used (1 Gbps in this measurement).

Figure 4: Comparison of software-based DoS generator performance
which runs on different hardware platforms.

6 Appliance Based DDoS/DoS Testing Procedure


In this section, we present an appliance based testing procedure. We describe the
testing topology and details of this procedure. Then, we show some example
results.

6.1 Testing topology and procedure description

The testing topology consists of one switch (Cisco Catalyst 2960), a test appliance
which generates normal traffic and DDoS/DoS traffic, a control terminal and
a tested device. This testing topology, which is based on the DDoS/DoS test
appliance, is depicted in Figure 5.

Figure 5: Testing topology with DDoS/DoS test appliance.


The most important part of this procedure is the test appliance. We use the Spirent
Avalanche 3100B stress tester. This tester, which is briefly described in Section 4.2,
is used for generating DDoS/DoS traffic and normal traffic from emulated clients
or servers. The tester provides 16 types of DDoS/DoS attacks. Furthermore, there
is an attack designer component which can be used to implement new attacks
for testing purposes. The advantage is that the emulations of the client and
server/service sides are in one single device. The tester is able to generate several
attacks at one time and mix them with emulated traffic to get more realistic results.
Thus, we can test a wide range of network security devices and network services.
The control terminal is used for remote control and configuration of the test
appliance and the tested device in the topology via Switch 1. The connection
between the test appliance and the tested devices should have high throughput (e.g.
10 Gbps fiber interfaces). An example of results with the tested device Firewall ASA
5510 during SYN flood attacks is depicted in Figure 6.

Figure 6: Throughput of Cisco Firewall ASA 5510 with DDoS SYN flood attacks.

6.2 Testing the performance results

Spirent Avalanche 3100 B has several interfaces with 10 Gbps and 1 Gbps
throughput. Using a 1 Gbps interface, the appliance is able to generate a huge
number of DDoS packets (up to several million) per second until the link saturates.
By using one 10 Gbps interface, this appliance is able to generate around 7.5
million DDoS packets (SYN flood) per second. Avalanche 3100 B is able to mix
the normal and DDoS traffic. Further, we can configure many options of DDoS
attacks (rate, delay, iterance, duration and so on) and test several DDoS attacks in
one test scenario.

7 Evaluation of Testing Procedures


In the following text, we evaluate both presented procedures and describe their
advantages and drawbacks.
The main advantages of the software based DDoS testing procedure usually are low
cost and easy deployment in various networks. Nevertheless, the disadvantages of
this procedure usually are a smaller number of DDoS/DoS attacks, limited setup of
the attacks, client/server emulation that has to be done on another device and the
dependence of the DDoS traffic performance on the server's HW specifications.
The main advantages of the appliance based DDoS testing procedure usually are
a sufficient number of DDoS/DoS attacks, advanced setup of the attacks,
client/server emulation in the same device, mixing of normal and DDoS traffic,
strong performance of the attacks due to the strong HW specifications of the
appliances, and technical support. On the other hand, the main disadvantage of the
appliance based DDoS testing procedure usually is the higher cost of the main test
appliance.
The software based DDoS testing procedure is suitable for testing small and
medium sized networks and the devices employed in these networks. The appliance
based procedure is more suitable for testing medium and large sized networks
and for professional testing of the various network security devices that must be
comprehensively tested.

8 Conclusions
In this paper, we described and evaluated the basic DDoS/DoS detection
techniques (anomaly, signature and hybrid) and three DDoS/DoS protection
approaches (security network devices based, Anti-DoS appliance based and cloud
based). The cloud based DDoS mitigation solutions are more appropriate for small
and medium sized networks due to modest costs, a high percentage of DDoS
mitigation and solid detection and mitigation response times (minutes).
The anti-DDoS/DoS appliance based protection solutions are usually
more costly than cloud based protection solutions, but they should be employed in
high-profile large e-commerce sites and data centers due to faster DDoS/DoS
detection and mitigation and the higher frequency of attacks.
The paper also describes some common hardware and software based DDoS/DoS
generators and testers and their specifications, and presents two DDoS/DoS testing
procedures. The software based testing procedure is able to test some
basic DoS/DDoS attacks and flood lower-performance network devices to find their
limits. For example, the DDoS SYN attack is generated at up to 208 000 packets per
second. The appliance based testing procedure is able to test this DDoS SYN attack
at up to 7.5 million packets per second if Avalanche 3100B with a 10 Gbps interface
is employed. For the professional testing of larger networks and some special security
devices, the appliance based procedure is more appropriate than the software based
procedure due to its performance and configuration options.

Acknowledgements
Research described in this paper was financed by the National Sustainability
Program under grant LO1401, by the Czech Science Foundation under grant no.
14-25298P and the Technology Agency of the Czech Republic project
TA0301081. For the research, infrastructure of the SIX Center was used.

References
[1] Dzurenda, P., Martinasek, Z., Malina, L.: Network Protection Against
DDoS Attacks. International Journal of Advances in Telecommunications,
Electrotechnics, Signals and Systems 4, no. 1, pp. 8-14, 2015.

[2] Alenezi, M., and Reed, M.: Methodologies for detecting DoS/DDoS attacks
against network servers, in ICSNC 2012, The Seventh International
Conference on Systems and Networks Communications, pp. 92-98, 2012.

[3] Peng, T., Leckie, C., Ramamohanarao, K.: Survey of network based defense
mechanisms countering the DoS and DDoS problems, ACM Computing
Surveys (CSUR), vol. 39, 42 pages, 2007.

[4] Kompella, R. R., Singh, S., Varghese, G.: On scalable attack detection in the
network, in Proceedings of the 4th ACM SIGCOMM Conference on Internet
Measurement. ACM Press, New York, pp. 187-200, 2004.

[5] You, Y., Zulkernine, M., Haque, A.: Detecting flooding-based DDoS
attacks, pp. 1229-1234, 2007.

[6] Talpade, R., Kim, G., Khurana, S.: NOMAD: Traffic-based network
monitoring framework for anomaly detection, in Fourth IEEE Symposium
on Computers and Communications, pp. 442-451, 1999.

[7] Kim, Y., Jo, J. Y., Suh, K. K.: Baseline profile stability for network anomaly
detection, International Journal of Network Security, vol. 6, no. 1, pp. 60-66,
2008.

[8] Jalili, R., Imani-Mehr, F., Amini, M., Shahriari, H. R.: Detection of
distributed denial of service attacks using statistical pre-processor and
unsupervised neural networks, in Information Security Practice and
Experience. Springer, pp. 192-203, 2005.

[9] Blazek, R. B., Kim, H., Rozovskii, B., Tartakovsky, A.: A novel approach to
detection of denial-of-service attacks via adaptive sequential and
batch-sequential change-point detection methods, pp. 220-226, 2001.

[10] Cabrera, J. B. D. et al.: Proactive detection of distributed denial of service
attacks using mib traffic variables-a feasibility study, pp. 609-622, 2001.

[11] Defeating DDOS Attacks, Cisco Systems, Inc., white paper, 11 pages, 2004.
