DDoS Prevention: Review and Issues

Abstract

Networks connected to the Internet are always susceptible to distributed denial-of-service (DDoS) attacks. In spite of a lot of different DDoS defense mechanisms in place, DDoS attacks still happen. These mechanisms fall under the category of DDoS detection, DDoS mitigation, and DDoS prevention. Although DDoS detection and mitigation are well defined and understood terms, DDoS prevention is used with different meanings in the literature. Concerning reflection-based DDoS amplification attacks, in this paper, we define ideal prevention and true prevention. Former is an ideal situation in which primarily the security of all the Internet hosts is well up to the mark and does not allow them to become participating members of DDoS attacks, whereas later is a practically feasible situation in which the network itself can prevent and mitigate DDoS attack within some fixed time interval. We also provide the literature review of DDoS prevention techniques and argue that the ones which conform to the definition of ideal prevention or true prevention are either not dynamic, are computationally expensive, or not scalable; thus, practically not feasible.