JOURNAL OF COMPUTING, VOLUME 2, ISSUE 12, DECEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG

A Survey on DDoS Attacks in Web-Referral Mechanism and Solution for Mitigation

V. Govindasamy, V. Akila, E. Gayathri

Abstract—Distributed Denial of Service (DDoS) attacks have become a real threat to the security of the Internet. In critical application areas such as space research, military applications and online transactions, the transmitted information must be kept secret and its confidentiality must be ensured. A web referral mechanism defends against such attacks by granting a privilege URL to legitimate clients, thereby ensuring protection against them. This paper analyses the security measures adopted in the web referral mechanism and presents a survey of the existing traceback mechanisms and mitigation techniques. It also aims at providing a solution for the drawbacks in the current techniques.

Index Terms—Distributed Denial of Service attacks, web referral mechanism, traceback mechanism, attack mitigation.

1 Introduction

The key design feature of the Internet makes it vulnerable to various kinds of attacks. Some of the attacks on websites are sniffing, snooping, IP spoofing, masquerading, access attacks, injection and execution of malicious software, object reusability and Distributed Denial of Service (DDoS) attacks. A DDoS attack disrupts the communication between the legitimate client and the web server and consumes network bandwidth by sending bogus packets. Hence the client's connection attempts are rejected by the web server and the service becomes unavailable. The most common DDoS attacks exploit weaknesses in the key design of the infrastructure. Such attacks have been reported against the popular online trading sites Amazon and eBay and the news site cnn.com. DDoS attacks are stealthier and tougher to trace the more machines are involved in the attack. Effective defense against DDoS attacks is a challenging task, as the vulnerabilities an attacker exploits to launch an attack are introduced during the design and implementation phase of a product. Various tools are available to detect such attacks, but none of them has proved to be efficient.

A solution to defend against Denial of Service attacks is the referral mechanism, which is built upon existing relationships. In this mechanism the legitimate client's connection is retained even during flooding attacks. The client's legitimacy is verified by means of authorization checks on the certificate owned by the client. If the referral mechanism is combined with the autonomous system, tracing becomes effective, as the entire network is monitored by observing relatively few points in the system. It uses packet marking techniques, enforced in the identification (ID) field of the IP header.

The rest of the paper is organized as follows: the motivation is given in section 2. The DDoS attack types are illustrated in section 3. A detailed analysis of detection schemes is given in section 4. The defence mechanisms are explained in section 5. Section 6 concludes the paper and section 7 is for future enhancements.

Mr. V. Govindasamy is working as A.P. in the I.T. Dept of Pondicherry Engineering College (PEC), Pin 605014, India.
Mrs. V. Akila is employed in the C.S.E. Dept of Pondicherry Engineering College, Pin 605014, India.
Ms. E. Gayathri is pursuing her M.Tech (I.S.) at Pondicherry Engineering College, Pin 605014, India.

2 Motivations

More DDoS attacks are happening every day. This fact is not revealed to the public, as it would result in a loss of customers for the organization or online site. The loss incurred due to such an attack runs into billions of dollars to replace and repair the web server's hardware and software components. The factors which motivate this work on DDoS attacks are as follows:
1. Revenue Loss
2. Slow Network Performance
3. Service Unavailability
4. Service Disruption
5. Processing Power Costs
6. Communication Overhead

3 Attack Types

A DDoS attack is one in which an attacker intentionally tries to deny access to a specific victim or target. It is done by sending a large volume of useless packets from different hosts and locations on the Internet. The attack classification is depicted in Fig. 1.

[Fig. 1: DDoS Attack classification. The figure is a tree: DDoS Attack Types split into Bandwidth Depletion Attacks and Resource Depletion Attacks. Bandwidth Depletion Attacks split into Direct Flood Attack (UDP Flood, Ping Flood, TCP SYN Flood Attack, HTTP Floods, Push & ACK Attacks) and Reflection Flood Attack (Smurf, Fraggle, DNS Reflection, Recursive Reflection). Resource Depletion Attacks comprise Teardrop Attack, TCP/IP Stack Attack and Land Attack.]

3.1 Bandwidth depletion attacks

The target system is flooded with a massive amount of unwanted traffic [1] which consumes the target's allotted bandwidth, and hence subsequent legitimate user requests are left unprocessed. Two main classifications fall under the bandwidth depletion attack:

(i) Direct Flood Attack and
(ii) Reflection Flood Attack

In a direct flood attack, the target is flooded directly with multiple packets. Compromised hosts are also involved in the attack; as the entire bandwidth is filled with bogus packets, the victim is unable to process those requests. In a reflection flood attack, the attack is not launched directly towards the targeted system; instead, intermediate nodes play the role of reflectors, sending packets towards the victim on the assumption that it is the source to which they should reply.

3.2 Resource depletion attacks

These attacks attempt to exhaust the target system's resources. The classification under resource depletion attacks comprises the TCP SYN flood attack, the teardrop attack and the TCP/IP stack attack. The attacker also sends malformed packets in this scenario to disrupt network communication.

4 Detection Schemes

Provision of security to web services is important, as series of attacks emerge every day due to advanced technologies and freely available DDoS tools. Hence solutions should be provided rather than countermeasures in order to defend against DDoS attacks. The detection schemes [2] should be simple and robust and should not reveal any information regarding the IP address of the user. The available detection schemes in the web referral mechanism for DDoS attacks are listed in Table 1.

Sl.No  Detection Scheme  Purpose
1.  MIB  Detects attacks, correlator and precursors which caused the attack
2.  MULTOPS  Detects ongoing bandwidth attacks
3.  D-WARD  The attacks are detected based on a steady backlog of
transient connection traffic
4.  NOMAD  Detects router overload, misconfiguration, overloaded or intermittent links and network intrusion
5.  Honeypot  Tracks the handler or agent behaviour to defend against future DDoS installation attacks
6.  Non-adaptive group testing  Identifies pirates. Used in security and networking applications
7.  Live baiting  Detects attackers using group testing theory; it depends on the counting of request packets
8.  CAPTCHA  Detects attackers by having them solve a visual recognition pattern
9.  Session scheduling algorithm  Defends against intrusion attacks, protocol attacks, request flooding attacks, asymmetric attacks and repeated one-shot attacks
10.  Resilient scheduling  Detects new attacks based on the scheduling policy and scheduler service rate
11.  Agent detection scheme  Detects flooding attackers using a randomized matrix construction and detection algorithm

Table 1. Existing DDoS attack detection mechanisms and their purposes

5 Defense Mechanism

An ideal DDoS attack defense mechanism should identify the exact source or perpetrators of the attack as precisely as possible. It should also aid effective mitigation of the current attack with minimal damage. For incremental deployment, a new mechanism should require only minimal changes to the existing infrastructure. The effective defense methodologies [3] against DDoS attacks are broadly classified into two types, as illustrated below.

5.1 Attack Traceback

Information is collected regarding the individual packet forwarding agents, and a router-level attack tree is constructed based on the gathered information. If the routing path taken by a particular packet is traced, then the leaves of the attack tree can be identified. Traceback mechanisms are essential in order to clear out the zombie attackers.

5.2 Attack Mitigation

Various filtering mechanisms are used to identify the impact of the real-time ongoing attacks. In order to mitigate the attacks, a legitimate packet needs to be differentiated from a malicious one. Several referral schemes are used for this classification. Employing any one of them, a packet can be identified as originating either from a legitimate user or from an attacker.

6 Defense Functionalities

The distributed nature of DDoS attacks makes a successful defence mechanism necessary to overcome the threat. Most of the existing systems are efficient in defense, but none offers the exact solution. Three main defense functionalities [4] are mentioned below:

(i) Attack Detection
(ii) Rate Limiting
(iii) Traffic Differentiation

If the nodes collaborate and exchange alert messages, the resulting detection scheme is acceptable and addresses almost all the issues. Instead of offering defence measures at either the source or the destination alone, defense mechanisms that combine the advantages of source-end, victim-end and core-end deployment yield a better solution. The nodes collaborate by exchanging messages, and packets are marked as high or low for priority handling. If the above collaboration functionality is exploited, then a single physical node has more than one functionality.

6.1 Classifier

The entire traffic is classified into legitimate and malicious packets. The legitimate packets are
marked with high priority and the others with low priority.

6.2 Rate Limiting

This functionality is deployed on routers. If an attack occurs, the router runs a weighted fair share algorithm in order to assign priority markings to the traffic it forwards towards the victim, and the traffic is rate limited to preserve the victim's resources.

6.3 Alert Generator

It propagates the attack alert to neighbouring nodes. The alert message contains the IP address of the victim and specifies the desired rate limit. The direct neighbours which are in the same overlay are called peers. The peer networks are built dynamically using the traffic flow information. The alert generator nodes are always active and examine all traffic for attack signs. The classifiers and rate limiters are active only during an attack. Their activation is triggered by an alert generator and conveyed to all the overlay nodes. The high priority stamp receives better service than the low priority stamp. The packet marking mechanism is used to differentiate legitimate packets from malicious ones. Fabrication and replay of the control messages can be prevented by signing each message with the sender's private key. The message is encrypted with the help of a session key, with a sequence number attached to it. A node can defend against such an attack by validating the control message against the peer stamp, which acts as a nonce.

7 Traceback Techniques

In the probabilistic packet marking technique [3] the routers mark the packets, so that the attack path can be reconstructed by the victim. This technique traces anonymous packet flooding back towards its source. Each marked packet represents a sample of the path it traversed. Using these details, the source of the attack traffic can be detected. The enhanced scheme of probabilistic packet marking is used to minimize the false positive rate and to reconstruct the attack path. Further enhancements can be made to overcome the computational overhead. Let 'd' be the number of routers between the victim and the attacker and 'p' be the probability with which each router marks a packet sent by the attacker towards the victim. The probability of receiving an unmarked packet is then given by the formula

p(received unmarked packets) = (1 - p)^d

In the ICMP traceback scheme [5], ICMP packets are generated by the routers and sent to the destination with low probability. Using these iTrace messages, the victim is supported in identifying the possible slaves. The DDoS slaves generate only a small amount of traffic, which implies that the overhead in identifying them is minimal.

If a router receives a pushback signal [5], it monitors the aggregates which arrive inside the network from different links, and the corresponding congested links are identified. The deployment of filters in upstream routers depends on the aggregate estimation capability of the downstream router. If the aggregates arrive at the same rate on all links, then legitimate traffic cannot be differentiated from malicious traffic, which is the drawback of this pushback scheme.

8 Attack Mitigation

Pi is a packet marking mechanism [6] which is used to mitigate attacks effectively. It specifies how Pi marks are generated as a packet traverses the routers to its destination. Each router writes 'n' bits into the IP identification field, where 'n' is a constant equal to 1 or 2. The last 'n' bits of the MD5 hash of the concatenated router IP addresses serve as the marking bits. Marking bits are cached in order to avoid recalculation.

The improved scheme of Pi is StackPi [7], which consists of two new marking methods, namely stack-based marking and write-ahead marking, to improve performance. Upon receiving a packet, the IP identification field is shifted left by 'n' bits and the router's mark is written into the least significant bits; the router simply pushes its marking onto the stack. In the write-ahead process, each router substitutes its own IP address for the last-hop address and uses the next-hop IP address to compute the marking bits.

In hop count filtering [8], an attacker cannot falsify the number of hops taken by a packet to reach its destination; only the IP field in the packet can be forged. By clustering the address prefixes based on hop counts, it builds an IP2HC mapping table in order to detect IP spoofed packets. Spoofed packets are discarded as soon as they are identified. The deterministic bit marking scheme identifies the attack packets and drops them. All packets originating from the same location, if they arrive at the destination, have a common path signature.

In the hash based path identification scheme [9], to consume the victim's resources a large number of
malicious packets are forwarded towards it. The victim should have the ability to distinguish between legitimate and malicious traffic. To achieve this differentiation, path information should be embedded in each forwarded packet. Each router hashes its IP address with MD5 to reduce collisions between marks. The value of the IP ID field should be initialized to 0 before the packet is transmitted to the routers. The victim servers are divided into two groups by capability, namely high capability and low capability victim servers. The task of a high capability victim server is to accept all legitimate packets, including a few malicious ones; the low capability victim server does the reverse.

9 Limitations

The web-referral mechanism supports only clients which possess a fixed IP address. It can be extended using dynamic NAT, which generates the client's capability using the IP prefix instead of the whole address. Bandwidth utilisation among the users can be better managed by using capability tokens to control the usage among the clients.

The web-referral mechanism could also break the SSL/TLS service, because the privilege URLs are not encoded using domain names; instead they use IP addresses. One way to solve this problem is to confine the capability token to the port number field.

Discovery of referrers is not transparent to the clients. The request is simply sent online, and the clients are not aware of the search procedure. A solution to this problem is to have the client's ISP act as its referrer.

The referrer mechanism requires modifications to the edge routers for capability verification and address translation, which in turn affects deployment. But it is considered feasible when compared with other existing mechanisms. It is possible to avoid the changes in the edge router by attaching an external device which is capable of performing the tasks at high speed.

The existing attack mitigation techniques focus on detecting the attack after it floods the network with unwanted traffic. The drawback of this approach is that the flooding packets consume network bandwidth. A better solution to this problem is to monitor the network traffic before it floods the target. For this, a Stateless Internet Flow Filter (SIFF) [10] can be used, which can stop individual traffic flows before they enter the network. Its capabilities are based on information inserted in the packets. The capability is generated by each router and marked in the fields of the packet.

This approach divides the Internet traffic into privileged and unprivileged. Privileged packets always have higher priority than unprivileged ones. To obtain a privileged channel, the client must obtain its own capability. When a privileged packet is forwarded, the router checks the embedded capability to verify the markings. If the markings match, the packet is forwarded, else it is discarded. Valid markings are maintained by the routers. If the attack path is detected, then further connection attempts from that particular user are not allowed inside the network, thereby preventing it from consuming network bandwidth.

10 Conclusion

Every day new attacks are launched by attackers due to technological advancement, and the available freeware tools are numerous. In order to detect the attack, various traceback mechanisms exist, but none offers an appropriate solution. The drawbacks of the traceback mechanisms are high processing and storage costs, little scalability and poor performance. The existing attack mitigation techniques offer better protection, but leave the system open to bandwidth consumption, which in turn leads to system slowdown and degraded performance. Hence the proposed solution, SIFF, addresses these issues by monitoring the network links to trace the attackers. In the referral mechanism the confidentiality of the privileged URL is not achieved by any of the existing techniques, which leads to security related issues.

11 Future Enhancement

The confidentiality of the privilege URL should be maintained by the client; if it is violated, it leads to cross site scripting attacks. After obtaining the privilege URL, the client may browse other sites, such as social networking sites, which may not be secure. If such a site is malicious, then a cross site scripting attack is exploited against the privilege URL. On obtaining the privilege URL, the attacker can later impersonate an authorized client to the web server. A mitigation that ensures confidentiality can be achieved using the Reverse Proxy concept, as it intercepts the communication and detects the attacks. The
proxy is placed between the client and the web server. It intercepts each and every response and applies various steps to determine whether the page contains any malicious script or not. After verification, the response is forwarded to the client, hence the name Reverse Proxy.

References

[1] Ahmed Saafan, "Distributed Denial of Service Attacks: Explanation, classification and suggested Solutions", 2009.
[2] Dalia Nashat, Xiaohong Jiang and Susumu Horiguchi, "On the Detection of DDoS Attackers for Large-Scale Networks", IEEE International Conference on e-Business Engineering, pp. 206-212, 2009.
[3] M. Muthuprasanna and G. Manimaran, "Distributed Divide-and-conquer techniques for effective DDoS attack defences", The 28th International Conference on Distributed Computing Systems, pp. 93-102, 2008.
[4] George Oikonomou, Jelena Mirkovic, Peter Reiher and Max Robinson, "A Framework for A Collaborative DDoS Defense", Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC '06), 2006.
[5] Allison Mankin, Dan Massey, Chien-Lung Wu, S. Felix Wu and Lixia Zhang, "On Design and Evaluation of "Intention-Driven" ICMP Traceback", Proceedings of the Tenth International Conference on Computer Communications and Networks, pp. 159-165, 2001.
[6] Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, "Network Support for IP Traceback", IEEE/ACM Transactions on Networking, vol. 9, no. 3, pp. 226-237, June 2001.
[7] Abraham Yaar, Adrian Perrig and Dawn Song, "StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense", IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1853-1863, October 2006.
[8] C. Jin, H. Wang and K. G. Shin, "Hop-Count Filtering: An Effective Defense against Spoofed Traffic", ACM International Conference on Computer and Communications Security, Washington D.C., pp. 30-41, October 2003.
[9] Guang Jin, Fei Zhang, Yuan Li, Honghao Zhang and Jiangbo Qian, "A Hash-based Path Identification Scheme for DDoS Attacks Defense", IEEE Ninth International Conference on Computer and Information Technology, 2009.
[10] Abraham Yaar, Adrian Perrig and Dawn Song, "SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks", Proceedings of the IEEE Symposium on Security and Privacy, pp. 130-143, 2004.

V. Govindasamy received his B.Tech (CSE) from Pondicherry Engineering College, Puducherry (1996) and M.E (CSE) from Vellore Engineering College, Vellore (2000). He is currently employed at Pondicherry Engineering College as Assistant Professor in the Department of Information Technology. His areas of interest include Business Intelligence, Uncertain Data Management and Network Security.

V. Akila received her B.E (CSE) from Bharathidasan University (1996) and M.E (CSE) from Anna University (2006). She is currently employed at Pondicherry Engineering College as Assistant Professor in the Department of Computer Science and Engineering. Her areas of interest are Software Engineering, Software Architecture and Network Security.

E. Gayathri received her B.Tech (CSE) from Rajiv Gandhi College of Engineering and Technology, Puducherry, India (2009). She is currently pursuing her M.Tech (IS) in Pondicherry Engineering College, Puducherry, India. Her fields of interest include Web Services, Web Technology and Information Security.