Article ID: 4958332
Journal: Computer Science Review
Published Year: 2017
Pages: 14 Pages
File Type: PDF
Abstract
A Distributed Denial of Service (DDoS) attack is a serious menace to network security. In the current technological era, DDoS attacks pose a severe threat to widely used Internet-based services and applications. Disruption of these services, even for a fraction of time, leads to huge financial losses. A Flash event (FE) is similar to a DDoS attack: a large number of legitimate users start accessing a particular service concurrently, leading to denial of service. Both events overload network resources such as bandwidth, CPU and memory, resulting in limited accessibility for legitimate users. Nowadays most DDoS attacks use the logical semantics of the HTTP protocol to launch attack traffic that resembles legitimate traffic, which makes the distinction between the two very challenging. Many researchers have tried to discriminate between these two types of traffic, but none of them has been able to provide any effective solution yet. This paper systematically reviews 40 such prominent research papers from 2002 to date to provide insight into the problem of discriminating DDoS attacks and FEs. This article presents and discusses the list of traffic feature rationales and detection metrics used by fellow researchers at both the macro and micro level. Such a pragmatic list of rationales would surely be helpful in providing more robust and efficient solutions. The paper also highlights open issues, research challenges and future directions in this area.
Related Topics
Physical Sciences and Engineering > Computer Science > Computer Science (General)