Determining Interventions to Prevent DDoS Attacks

Essay Instructions:

Your final assignment is where you will weave the first two elements (the Cyber White Paper and Cyber Research Proposal) together, and incorporate your research analysis, to create a coherent issue paper that is 13-15 pages in length. While it is inappropriate (not to mention a violation of university policy) to cut-and-paste from past assignments in old courses into new ones, this research project is evolutionary and builds itself up from a research proposal to a completed product. For this reason, in this class it is permissible to paste the information (as appropriate and as it makes sense) from the first two assignments assigned in this course into your final assignment.

Essay Sample Content Preview:


INTL 647 - Cyber Issue Paper
Deonte Allen
American Military University
INTL 647: Cyber Intelligence
July 5, 2021
Introduction 
A distributed denial-of-service (DDoS) attack is a form of denial-of-service (DoS) attack that disrupts network traffic or overloads the victim's computer with a flood of requests. Many computers launch repeated attacks aimed at knocking out a company's servers and computers, which makes it difficult or impossible to access services via the Internet. DDoS attacks are increasingly launched against websites that users, including clients, then cannot access, and the result is an exhaustion of resources. Typically, too many requests only slow down services, but DDoS attacks go further and stop services through the use of multiple devices that execute the attack at the same time. Various flooding techniques are used to overwhelm computer resources, mostly through botnets, which are infected, connected computers that target the victim(s) simultaneously. In some cases users are involved inadvertently, when their zombie computers are used for denial-of-service attacks. Hackers also work closely together in launching DDoS attacks and gaining control over the victims' computers.
Research question 
* What interventions are adequate to prevent and protect against DDoS attacks?
Background 
Increasingly, there are more threats from attackers and hackers using different strategies to compromise computer systems, servers, cloud computing, and networks. Organizations are expected to implement internet and computer system security controls, but there are more sophisticated attackers who can coordinate large-scale attacks using many systems and networks. DDoS attacks flood their targets with traffic, and there are different ways in which they deny the use of services. For instance, systems are saturated so that requests remain incomplete, or vulnerabilities are exploited. DDoS attacks are a concern because they can go on for a long time and seriously affect the computer system, including the different servers and devices connected to a network. Even though only a small share of attacks is meant to steal or change data, they do damage organizations and can potentially cause huge losses. Sometimes the attacks are a test for bigger attacks, such as ransomware attacks.
Improving security is essential to ensure that services or applications remain available. The attacks may also target shared infrastructure that is not well protected, so there is recognition of the need to detect DDoS attacks before there is widespread damage. Improving network security helps to protect system integrity, the architecture, data, information, and the network. Identifying intruders and analyzing traffic patterns help to improve security. In addition, avoiding and preventing DDoS attacks involves identifying suspicious flows so that malicious packets from attackers are blocked. To ensure a secure system, there should be a focus on the confidentiality, integrity, and availability of assets and information for authorized users.
Purpose statement
* To evaluate strategies to prevent, protect and detect DDoS attacks
Literature Review
* The two main targets of DDoS attacks are network bandwidth depletion and host resource depletion (Verma, Arif & Husain, 2018, p. 108). The bandwidth depletion attack, or brute force attack, is associated with malicious requests that consume the internet bandwidth (transfer speed) (Saxena & Dey, 2019). This in turn overwhelms the internet traffic and disrupts services. Bandwidth depletion attacks can further be classified into flood attacks and amplification attacks. Zombie computers already infiltrated by attackers and controlled remotely may be used to flood the target computers (Saxena & Dey, 2019). In the case of amplification attacks, the zombies send multiple requests to an IP address, and numerous reply messages are generated using the spoofed IPs.
* The resource depletion attack, also called a semantic or vulnerability attack, occurs when attackers exploit vulnerabilities and make the resources unavailable to legitimate users (Saxena & Dey, 2019). These attacks are meant to limit and prevent access to resources, applications, and protocols (Saxena & Dey, 2019). Resource depletion attacks can also cause resource exhaustion, and the common ways these attacks are carried out include exploiting the Domain Name System (DNS), HyperText Transfer Protocol Secure (HTTPS), or HyperText Transfer Protocol (HTTP) (Saxena & Dey, 2019).
Balobaid, Alawad & Aljasim (2016) focus on the impact of DoS and DDoS attacks on cloud computing and the mitigation measures against these attacks. To improve security, there is a need to evaluate vulnerability to DoS and DDoS attacks and implement detection models. Defenses that protect against attacks on cloud services are applicable in different areas of computer services and applications that are vulnerable to DoS and DDoS attacks. Botnets and DoS and DDoS attacks are increasingly used to compromise cloud services. In cloud infrastructures, there are various applications and services that exchange data and information. There are masked, sophisticated attacks on computer systems, and protection requires going beyond firewall protection.
Network firewalls are necessary to defend against intrusions and traffic floods, but they are just the first line of defense, and it is necessary to evaluate firewall performance. Sheth & Thakker (2013) compared the performance and effectiveness of different network firewall protection systems in defending against DDoS attacks. However, it is still a challenge to defend against DDoS attacks, as the attacks vary and the detection system may not recognize them. This is especially the case where the detection system does not detect the source of traffic and suspicious behaviors (Dhindsa & Bhushan, 2019). Firewalls combined with DDoS monitoring tools help to detect and reroute malicious and affected traffic outside for further analysis and to ensure that services are still available to legitimate users.
Detecting irregularities in the network environment requires good detection accuracy, and DDoS attack identification and analysis are crucial to supporting mitigation and improving network security. Saxena and Dey (2020) recommended that one way to identify the source of a DDoS attack in cloud services is through the "third party auditor-based packet traceback approach". The approach is based on the Weibull distribution to determine the source from an identification factor and analysis of the traffic pattern. Various data integrity methods have been proposed in cloud services and network security to improve DDoS mitigation measures, but the most useful are those that are feasible and accurate. Detecting malicious traffic patterns and packets, and intrusion prevention, are helpful when attacks spoof the system and are not easy to detect.
Dhindsa & Bhushan (2019) focused on the effectiveness of a flow-based monitoring system to detect and defend against DDoS attacks targeted at cluster-based ad hoc networks. Ad hoc networks allow computers to communicate with each other without requiring wired networks, wireless routers, or access points. Tracing DDoS attackers is essential to improving security where the focus is on preventing attacks through monitoring. The vulnerabilities in a network infrastructure increase the risk of network intrusion, but with a flow-based monitoring approach that detects the attack traffic in clusters, it is easier to determine the suspicious activities in network traffic (Dhindsa & Bhushan, 2019). Additionally, threshold levels that compare the suspicious flows against normal traffic are useful for detecting packets from the suspicious flow. However, there is a need to test whether the method is accurate in different settings where there are more sophisticated attacks that spoof the systems and are not easy to detect.
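The threshold comparison described above, as an added illustration written for this page (not code from Dhindsa & Bhushan or any cited work): flow records are aggregated per source and time window, a threshold is derived from the packet counts seen in known-normal baseline windows, and any source whose count in a later window exceeds it is flagged as a suspicious flow. The flow records, window size, and function names are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_sec, src_ip, dst_ip, packets).
# Seconds 0-9 are normal traffic; at seconds 12-13 one source floods the target.
FLOWS = [
    (0, "10.0.0.1", "10.0.0.100", 20),
    (1, "10.0.0.2", "10.0.0.100", 25),
    (2, "10.0.0.3", "10.0.0.100", 18),
    (3, "10.0.0.1", "10.0.0.100", 22),
    (4, "10.0.0.2", "10.0.0.100", 24),
    (10, "10.0.0.1", "10.0.0.100", 21),
    (11, "10.0.0.2", "10.0.0.100", 23),
    (12, "10.0.0.9", "10.0.0.100", 900),
    (13, "10.0.0.9", "10.0.0.100", 1100),
    (14, "10.0.0.3", "10.0.0.100", 19),
]


def packets_per_window(flows, window):
    """Aggregate packet counts per (window index, source IP): the flow-based view."""
    counts = defaultdict(int)
    for ts, src, _dst, pkts in flows:
        counts[(ts // window, src)] += pkts
    return dict(counts)


def baseline_threshold(flows, window, baseline_windows, k=3.0, floor=0):
    """Threshold = mean + k * stddev of per-source counts in the baseline windows.

    `floor` guards the edge case of a near-constant baseline, where the
    standard deviation is tiny and the threshold would otherwise be too tight.
    """
    counts = packets_per_window(flows, window)
    samples = [c for (w, _src), c in counts.items() if w in baseline_windows]
    return max(mean(samples) + k * pstdev(samples), floor)


def suspicious_flows(flows, window, baseline_windows, k=3.0, floor=0):
    """Return sorted source IPs whose count in a non-baseline window exceeds the threshold."""
    thr = baseline_threshold(flows, window, baseline_windows, k, floor)
    counts = packets_per_window(flows, window)
    return sorted({src for (w, src), c in counts.items()
                   if w not in baseline_windows and c > thr})


if __name__ == "__main__":
    # Window of 10 s; window 0 is the known-normal baseline.
    print(suspicious_flows(FLOWS, window=10, baseline_windows={0}))
```

With these records the baseline threshold is about 76 packets per window, so only 10.0.0.9 (2000 packets in window 1) is flagged while the normal sources stay below it.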
User authentication remains essential to protecting against DDoS attacks, and the blockchain platform is one option that facilitates secure, tamper-proof information sharing. Blockchain is a form of decentralized network, and decentralization improves resilience against DDoS attacks since an attack at one point does not affect the whole system (Wani et al., 2021). Centralized systems are prone to attacks, but there has been increased interest in decentralized blockchain systems to improve defense against malicious attackers. Enhanced encryption when using blockchain is also necessary for detecting and defending against DDoS attacks. Individuals and companies increasingly rely on blockchain to facilitate information sharing, and research on DDoS detection and mitigation approaches in blockchain technology provides insights on how to improve network security. Collaboration is also common among blockchain users, and this may increase the risk of malicious attacks if there are vulnerabilities and threats.
Theoretical Framework
Cohen and Felson (1979) proposed the Routine Activities Theory (RAT), which explains that there are three elements of a crime: a motivated offender, a suitable target or victim, and an environment lacking a capable guardian to prevent the crime (Hsieh & Wang, 2018, p. 335). RAT has been chiefly used to study cyber victimization and is helpful for understanding the risks of cybercrime and the factors that protect against cyber crimes and attacks. Different factors determine whether an individual or organization is vulnerable to cybercrime and attacks. The theory is predictive, as it indicates where and when a crime is most likely to occur. There are differences in exposure, vulnerabilities, and risks to DDoS attacks. The RAT framework could explain cybersecurity gaps, even though the theory has focused chiefly on cyber victimization in research on cybercrime. However, the framework does not focus on an attacker's motivation but rather on the characteristics of the crime or attack (Hsieh & Wang, 2018, p. 3350).
DDoS attacks disrupt services for legitimate users and overwhelm network resources, making it more challenging to access services. DDoS attacks are based on exploiting vulnerabilities, and there is a large-scale launch of attacks. Attackers and hackers target the layers of the network infrastructure, and they launch application-layer attacks, protocol attacks, and volume-based attacks.
Application layer attacks
The application layer attack undermines the application layer and causes the service to stop being operational. Attackers exploit design deficiencies in the protocols of this layer, design flaws, or the implementation of the applications. Application layer attacks may appear as innocuous requests and are particularly destructive because it takes time to detect this type of DDoS attack. The requests per second (RPS) indicates the extent of the attack, but some DDoS attacks have combined application-layer attacks with the other types of DDoS attacks.
Protocol attacks
The protocol attack approach focuses on the weaknesses in a protocol by exhausting the resources of the server, load balancers, and firewalls. This type of attack is measured in packets per second (PPS). Among the examples of protocol attacks are:
* TCP fragmentation attacks - The attacker targets and overwhelms the network's TCP/IP reassembly mechanisms, disrupting the target's ability to gather fragmented data packets. The data packets received by the network cannot be organized or processed, and they then overwhelm the system.
* SYN flood attacks - This is a type of DDoS attack where the...