An Overview of DDoS attacks based on DNS

Kamal Alieyan1, Mohammed M. Kadhum2, Mohammed Anbar3, Shafiq Ul Rehman4, Naser K. A. Alajmi5

1-4 National Advanced IPv6 Centre (NAV6), Universiti Sains Malaysia, 11800 Gelugor, Penang, Malaysia. Email: (Kamal_alian, Kadhum, Anbar, Shafiq)@nav6.usm.my

5 Saad Al-Abdullah Academy for Security Sciences, Abdulla Al Mubarak, Kuwait

ICTC 2016. 978-1-5090-1325-8/16/$31.00 ©2016 IEEE

Abstract—Botnet-based Distributed Denial of Service (DDoS) attacks are considered one of the main concerns and problems of today's Internet. The damage caused by these attacks is very serious, since the number of computers involved is huge and they are distributed worldwide. Moreover, many protocols, such as the Domain Name System (DNS), have several security vulnerabilities that are exploited by botnet attackers. Amplification attacks are the most popular attacks on the Internet and require robust hardware and software for security assurance. In this paper, we provide an overview of botnet-based DDoS attacks that use DNS as a basic infrastructure to launch attacks. We aim to give a better understanding of the most noted attacks, to extend the knowledge about DDoS attacks, and to analyze the importance of DNS services.

Keywords—DDoS, Botnet, DDoS based botnet, DNS

I. INTRODUCTION

Malicious attacks exploit Internet infrastructure to carry out illegal actions. Over the last decade, one of the most significant threats on the Internet has been the botnet[1]. A botnet is composed of malicious programs known as bots, which are controlled remotely by the botmaster (also called the botnet attacker). Botnets are growing dramatically around the world, with around 500 million personal computers infected every year[2]. They cause significant damage to the global economy, where around USD 100 billion was lost last year[2]. Botnets are used for many purposes, such as gaining economic profit, click fraud, identity theft, spamming, and DDoS attacks [3, 4]. Recently, botnets have come to threaten the Internet with millions of infected computers, and attackers use this diversity of bots to launch DDoS attacks on Internet servers[1, 5].

DDoS attacks are deliberate attempts to stop legitimate users from accessing a specific network resource[6]. They aim to exhaust Internet resources in order to make services unreachable for legitimate users by sending a large amount of invalid requests to the targeted servers that provide those services[7]. The DDoS attack is a critical and continuous threat in cyber security. In general, DDoS attacks are implemented by either driving a victim computer to reset or consuming its resources (e.g., CPU cycles, memory, or network bandwidth). As a result, the targeted computer can no longer provide the intended services to its legitimate users. From classical textbooks, we know that security falls into three categories: confidentiality, availability, and integrity. It is obvious that DDoS attacks belong to the availability category[8]. Botnet-based DDoS attacks are considered a serious challenge for academic communities and companies because legitimate traffic and attack traffic differ in intention, not in content[9].

According to a 2016 report by Verisign, a global company for domain names and Internet security, there are notable trends in DDoS attacks against a widening field of victims across all industries, and a rise in the operational security of hacktivism operations, such as the increase in the size of attacks in 2015 (from the beginning of the year to the end of the year)[10]. Botnets have been continually utilized for the purpose of reflection and amplification. Both of these techniques are frequently used in tandem, as in the case of the Smurf attack, in which the attackers submit requests with spoofed source IP addresses (reflection) to a large number of reflectors by abusing the IP broadcast feature of the packets[11]. In contrast to ordinary DDoS attacks, in which an arsenal of bots attacks a single targeted server, the new attack works by sending queries to DNS servers with the return address set to that of the victim. In every case the main victim is the local DNS server itself. The exhaustion of bandwidth affects the usual network operation very rapidly and eventually debilitates the target machine.

One of the DDoS attacks performed by botnets against DNS infrastructure is the DNS amplification attack, which is regarded as the dominant kind of DDoS and exploits both the DNS protocol and its infrastructure [12-14]. DNS is a substantial component of the Internet infrastructure, translating domain names into IP addresses and vice versa[15]. DNS is becoming an ever more critical element of the Internet and is used by most networks. Attackers attempt to exploit the DNS infrastructure to gain illegal access, aiming to make communication unavailable to legitimate users. Therefore, the security of the DNS infrastructure has become a very important and critical point on the Internet [16]. Currently, the DNS protocol is prevalent in distributed and reflective DDoS attacks [17]. According to Ha et al. [18], six botnets were involved in 85% of all spam emails seen on the Internet, and the botnets were used to launch DDoS attacks against the DNS service. In the case of amplification or reflection, the organization's reputation will be badly affected[19].

Nowadays, an organization's local DNS servers have become an attractive target for attackers, which may result in low productivity, unavailability for business use, and an increase in operational cost[19]. Furthermore, the growth of internal DNS DDoS attacks leads to decreased performance and an increased possibility of failure. Moreover, if the organization suffers a DNS hijack in the case of reflection/amplification attacks, it will suffer a negative influence on its brand and lose revenue [20]. One of the key components of the DNS infrastructure is the name server, which plays an important role in providing vital information about domain names. Recently, amplification DDoS attacks have targeted these name servers and abused them to target different victims[21].

II. DDOS ATTACK INCIDENTS AND DDOS TAXONOMY

Distributed denial-of-service attacks can happen to any device on any network. Several networks belonging to financial institutions such as banks, high-profile multinational corporations such as Yahoo, eBay, E Trade, Buy, Amazon, Twitter, and Facebook, and high-security government institutions such as defense agencies have fallen victim to DDoS attacks[22]. Arora et al. [22] reported that an attack targeted Register.com in January 2001, in which DNS servers were used as reflectors. DNS backbone DDoS attacks were launched on Internet DNS root servers consecutively, interrupting services in 9 of 13 Internet root servers in October 2002[6] and two Internet root servers in February 2007. Furthermore, another DNS amplification technique that takes advantage of vulnerabilities in DNS server processes to create potent DDoS attacks was examined in 2009 [23]. Correspondingly, DDoS attacks performed on the domain Register.com resulted in a 24-hour service interruption in November 2010[24]. Based on the recorded DDoS attacks, which showed the high potential of attackers, it is believed that DDoS attacks will continue.

According to Zargar et al.[6], DDoS attacks can be classified into two types based on the protocol level targeted: network-level DDoS attacks and application-level DDoS attacks. Network-level DDoS attacks overload a service by using up bandwidth, while application-level DDoS attacks overload a service or database with application calls. The research scope of this paper is application-level attacks. These attacks aim to deny services to normal users by consuming server resources such as CPU, memory, I/O bandwidth, and database bandwidth [25]. Application-level DDoS attacks over protocols such as HTTP, DNS, Session Initiation Protocol (SIP), or SMTP have traffic characteristics similar to benign traffic, so they consume little bandwidth and are considered furtive attacks.

According to Arbor Networks [26], a specialist in DDoS attacks, DNS attacks remain the most commonly used and are reported as the major type of recent DDoS flooding attack, as shown in Figure 1. DNS amplification attacks are described in Section IV of this paper.

Figure 1. Source: Arbor Networks, Inc. [26]

Based on the mechanism used, there are two common types of DDoS attacks. Yu [8] presented the typical and the Distributed Reflection Denial of Service (DRDoS) strategies of DDoS attacks. In both categories, malicious code is installed on the compromised hosts as they are recruited through the scanning process. In the typical DDoS attack (illustrated in Figure 2), the C&C server is coordinated and instructed by an attacker, and it in turn manages and activates bots. Precisely, the attacker sends an attack command to the C&C server, which triggers all of the hibernating attack processes on the bots. Via these processes, C&C servers can activate those bots and instruct them to launch an attack on a particular machine (the victim). In turn, the activated bots simultaneously send a large amount of data packets to the victim, over-utilizing and exhausting its resources with useless requests.

Figure 2. Typical DDoS attack strategy[8]

In contrast to the typical DDoS attack, launching a DRDoS attack requires C&C servers and reflectors in the network, as illustrated in Figure 3. As with the typical DDoS attack, the attacker fully manages the C&C servers and hence is able to instruct bots. In addition, responding to the C&C servers' commands, bots can connect to an innocent normal host (known as a reflector) and send a stream of request packets that carry the victim's IP address as the source IP address. This drives that host to respond to the victim, believing that the victim initiated the requests. Consequently, a huge traffic volume arrives at the victim from the reflectors whenever a connection to the victim is established.


Figure 3. Distributed Reflection Denial of Service (DRDoS) attack strategy[8]

III. THREATS TO DNS AND DNS SECURITY

As a vital part of the network architecture, DNS must not be left susceptible to attacks. For this reason, and because it has been easily manipulated in the past, DNS has become a major target for attacks. DNS DDoS protection is often a weak link in an organization's cyber security policy. Attacks on DNS such as DNS reflection and amplification DDoS attacks and flooding attacks are some of the attackers' most preferred methods. Other threats that can be carried out against DNS services include redirection or cache poisoning and registrar hijacking. Securing DNS against DDoS is a highly crucial element of a network and web security approach[19].

DDoS attacks are becoming increasingly larger and more complex. A recent report documented a world-record 550 Gbps attack last year. The Arbor Networks 11th Annual Worldwide Infrastructure Security Report (WISR) surveyed businesses and service providers to examine the main cyber security trends and concerns faced by organizations and the measures they adopt to alleviate those threats. It cautioned that cyber extortion, cloud attacks and firewall breakdown are highly likely to increase. However, DDoS attacks remained the most frequently occurring threat.

A DNS open resolver is a type of DNS server that serves every client by providing name resolution regardless of whether the requestor belongs to its domain or not. Queries made by any client are answered with a response, and no administrative control needs to be configured. For this reason, the open resolver is highly attractive to attackers, and its vulnerability can be manipulated to perform malicious behavior and attacks against DNS servers. A name server that is open to any client is highly susceptible to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

Attackers exploit open DNS servers in order to maximize the volume of the attack and spoof IP addresses to hide its source, resulting in DoS or DDoS attacks. In this situation, queries are sent to these open recursive name servers with the IP address of the target spoofed as the source. This can be carried out without difficulty because DNS uses UDP-based packets, which makes it easy for attackers to tamper with the IP address in the IP message header. Attackers exploit these open DNS servers to carry out their malicious activities by forging and spoofing the source IP address of the target. This is done by sending queries to the open DNS servers and having them respond until it eventually fails. To intensify the volume of the attack, the attacker chooses multiple open DNS servers to perform the DoS or DDoS attack against the target.

To make certain that a solution's defenses are kept updated on the latest and evolving threats as they emerge, with no necessity for patching, hardware-accelerated DNS DDoS mitigation can be used to maintain the integrity of the system and its availability even under severe attack. By differentiating between query types and their normal rates, smart rate thresholds can drastically slow down DNS DDoS and flood attacks without denying service to legitimate users. As an example, source-based throttling detects abnormal queries by source and causes the brute-force method to fail. Destination-based throttling, on the other hand, identifies an abnormal increase in traffic grouped by target domain.

An efficient internal DNS security solution will restrain APTs and malware from exploiting DNS. It will also prevent data exfiltration and protect mission-critical DNS infrastructure from attacks, without requiring an organization to amend its network architecture. To defend against the extensive range of DNS-based attacks and maximize service availability, an internal DNS security solution utilizes the methods outlined below to constantly monitor, detect, and drop DNS attacks such as DNS DDoS, exploits, cache poisoning and DNS tunneling.

IV. DNS AMPLIFICATION

DNS amplification attacks intensify the power of a botnet when targeting a victim. The fundamental technique of this attack is to spoof the IP address of the intended target and send a request for a large DNS zone file to any number of open recursive DNS servers. The DNS servers blindly respond to the request by delivering the large DNS zone response to the attack target. For instance, in a recent Spamhaus attack the request data was approximately 36 bytes in length while the response data was around 3000 bytes, which means the attackers efficiently intensified the bandwidth used by a factor of 100. In addition, as the responses exceeded the Maximum Transmission Unit (MTU), the packets were fragmented, and the reassembly required further aggravated the problem faced by the target. This kind of attack is known as an IP spoofing attack.

The recommended first approach for defense is implementing BCP38 (Best Common Practices), which helps cut down IP spoofing. In addition, recursive servers must be limited to your organization (or solely to Business-to-business (B2B) clients). Authoritative servers should also be configured with DNS response rate limiting. The final recommended step is to either engage a mitigation service or acquire equipment that offers purpose-built DDoS defense.
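The sketch below is an added example, not code from the paper or from any vendor product. It implements the per-query-type, source-based and destination-based throttling described in Section III, which is also the kind of rate limiting recommended above. The limits, the one-second window, the class and function names, and the grouping of names by their last two labels are all assumptions, and the traffic is constructed.

```python
from collections import Counter, defaultdict, deque


class SlidingCounter:
    """Counts events per key inside a sliding time window (seconds)."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def hit(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # forget events older than the window
            q.popleft()
        q.append(now)
        return len(q)


def target_domain(qname, labels=2):
    """Group query names by their last labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])


class DnsThrottle:
    def __init__(self, window=1.0, per_domain=50):
        # Different query types have different normal rates, so each gets its own
        # per-source threshold (hypothetical values).
        self.per_source = {"A": 20, "AAAA": 20, "TXT": 5, "ANY": 2}
        self.default_source_limit = 10
        self.per_domain = per_domain
        self.by_source = SlidingCounter(window)
        self.by_domain = SlidingCounter(window)

    def check(self, now, src, qname, qtype):
        """Return 'allow', 'drop:source' or 'drop:destination' for one query."""
        limit = self.per_source.get(qtype, self.default_source_limit)
        if self.by_source.hit((src, qtype), now) > limit:
            return "drop:source"          # one source far above its normal rate
        # Only queries that pass the source check count against the target domain,
        # so a single noisy source cannot use up the domain's budget.
        if self.by_domain.hit(target_domain(qname), now) > self.per_domain:
            return "drop:destination"     # many sources converging on one domain
        return "allow"


def run_demo():
    """Replay constructed traffic and tally the decisions."""
    events = []
    for i in range(5):     # ordinary client: 5 A queries spread over a second
        events.append((i * 0.2, "192.0.2.10", "www.example.com.", "A"))
    for i in range(30):    # one source sending 30 ANY queries in 0.3 s
        events.append((0.5 + i * 0.01, "198.51.100.7", "example.org.", "ANY"))
    for i in range(80):    # 80 sources, one query each, same target domain
        events.append((2.0 + i * 0.005, f"203.0.113.{i + 1}", "www.shop.example.", "A"))
    throttle = DnsThrottle()
    return Counter(throttle.check(*e) for e in sorted(events))


if __name__ == "__main__":
    print(run_demo())
```

The per-source check stops the single noisy client after its second ANY query, while the per-domain check is what catches the 80 low-rate sources that each stay well under any per-source limit.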


Commercial anti-DDoS service and equipment providers mostly provide built-in anti-spoofing technologies that perform a fine catch-all on even the most complicated attacks. This type of DNS amplification attack campaign has mainly targeted the financial services industry. One of the latest DNS amplification attacks was observed on Jan. 10, 2016 by the Akamai SIRT team[27]. They have also seen over 400 DDoS attack campaigns in the past 3 months, and these DNS amplification attacks have affected several industries. Figure 4 illustrates the distribution by industry vertical of the DDoS campaigns mitigated by Akamai. The primary targeted industry vertical, Online Gaming, accounts for 52.42% of attacks.

Figure 4. Vertical of DDoS attacks mitigated by Akamai[27]

V. PREVENTION AND DEFENSE TECHNIQUES

From a prevention perspective, aimed at improving security without completely removing the DDoS threat, there are some recommended procedures for handling DNS amplification attacks, such as monitoring the network for abnormal traffic. Also, disabling open recursion on name servers for external sources and accepting recursive DNS queries only from trusted sources has been proposed as an effective prevention mechanism to diminish the amplification vector of DNS amplification attacks[28]. This section briefly discusses the most effective defense mechanisms against application-level DDoS flooding attacks related to DNS.

Kambourakis[14] proposed the DNS Amplification Attacks Detector (DAAD), a method implemented on the destination side (DNS server). DAAD records network activities in lookup tables at the victim's network. These activities, such as outgoing DNS requests from the bots and incoming responses to those requests, are compared, and mismatches between outgoing requests and incoming responses are labeled as suspicious. Furthermore, DAAD has the ability to modify firewall rules in order to filter the request packets. However, the system needs a more general detection method[29].

Mirkovic et al.[30] proposed a mechanism called D-WARD, which operates at the attack source specifically to detect DoS attacks that have a high amount of traffic or include spoofed packets. In D-WARD, incoming and outgoing data traffic is monitored at the source network and then compared to flow models that are created based on normal traffic. It was observed that the attacker does not decrease its outgoing traffic even though it has been informed about the congestion at the victim side. Therefore, D-WARD restricts the traffic of the suspected senders at routers on the link towards a certain host.

A DDoS Control Server (DCS)-based PacketScore method for organizing reports received from routers across the Internet was proposed by Kim et al.[31]. Suspicious packets in the traffic are marked with a "score" by routers that have particular reporting capabilities (called Detecting-Differentiating-Discarding Routers (3D-R)). The score value reveals the possibility that these packets are engaged in an attack. The marked packets are filtered by 3D-Rs according to the score threshold set by the DCS. The score distribution of attacking packets is considered in setting the threshold value, in addition to the amount of traffic at the victim.

The Attack Diagnostic (AD) system was proposed by Chen and Park [32], in which a DoS attack is identified close to the victim while packet filtering is performed near the attacker. Packet marking and a pushback-like technique are used in AD for traceback and to notify the source networks. Likewise, packet marking is combined with packet filtering in Track[33]. Nevertheless, AD and Track are not appropriate protection systems to prevent or handle amplification attacks, as the traceback technique used traces back to the amplifier rather than to the actual attacker[29]. Flow correlation was used by Yu et al.[34] and Wei et al.[35] for detecting DDoS attacks. However, by accessing the data collected by multiple routers, Yu's approach is able to differentiate attacks from flash crowds.

A technique to protect a DNS server from amplifying DDoS attacks was recently proposed by Arafat[36]. In particular, it prevents attacks that target the bandwidth usage of the victim server. An innovative defense based on iptables and routine fail2ban detection was developed, in which attack flows are identified according to the load at the server. This is useful because identifying bad flows from the patterns of incoming traffic alone is challenging. Through the experimental results, the performance analysis confirmed that the technique presents an effective, flexible, and robust solution for amplifying DDoS attacks on DNS. An effective and secure domain name server (DNS) cyber shelter from DDoS attacks was introduced by Hong[37]. The proposed DNS cyber shelter is capable of detecting the packets of a DDoS attack and blocking the senders of those packets. Since it is necessary to recognize a DoS attack before it actually occurs, Fultz et al.[38] used a game-theoretical method to anticipate DDoS attacks. It was found that attackers perform attacks only if defenders have insufficient protection (i.e., not enough investment in security has been made).
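The following is an added example, not code from DAAD or from the paper. It sketches the request/response matching attributed to DAAD above: outgoing requests go into a lookup table, and incoming responses that match no recorded request are labeled suspicious. The timeout, the threshold, all names, and the sample packets (built in the code, with zero bytes standing in for answer records) are assumptions.

```python
import struct
from collections import Counter

QTYPE_A, QTYPE_ANY = 1, 255

def build_message(txid, qname, qtype, response=False, pad_to=0):
    """Build a minimal DNS message; used only to construct sample input."""
    flags = 0x8180 if response else 0x0100            # QR+RD+RA, or RD only
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)     # root label, QTYPE, QCLASS=IN
    return msg + b"\x00" * max(0, pad_to - len(msg))  # filler in place of answers

def parse_message(data):
    """Return (txid, is_response, qname, qtype) from the header and first question."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated question name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(data):
            raise ValueError("bad label")
        labels.append(data[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(data):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype

class ResponseMatcher:
    """Lookup table of outgoing requests; responses matching nothing are suspicious."""
    def __init__(self, timeout=5.0, threshold=10):
        self.timeout, self.threshold = timeout, threshold
        self.pending = {}               # (server, txid, qname, qtype) -> send time
        self.orphans = Counter()        # unmatched responses per source address
        self.orphan_bytes = Counter()   # bytes of unmatched responses per source

    def outgoing(self, now, server, data):
        txid, is_response, qname, qtype = parse_message(data)
        if not is_response:
            self.pending[(server, txid, qname, qtype)] = now

    def incoming(self, now, server, data):
        try:
            txid, is_response, qname, qtype = parse_message(data)
        except ValueError:
            key, is_response = None, True           # malformed: count as unmatched
        else:
            key = (server, txid, qname, qtype)
        if not is_response:
            return "ignored"                        # an inbound query, not a response
        sent = self.pending.pop(key, None)
        if sent is not None and now - sent <= self.timeout:
            return "matched"
        self.orphans[server] += 1
        self.orphan_bytes[server] += len(data)
        return "block" if self.orphans[server] >= self.threshold else "suspicious"

    def block_candidates(self):
        """Sources a firewall rule could filter; changing the rule is left out here."""
        return sorted(s for s, n in self.orphans.items() if n >= self.threshold)

def run_demo():
    """Replay constructed traffic; return verdict counts, candidates, orphan bytes."""
    m, verdicts = ResponseMatcher(), Counter()
    # 1. A query this network really sent, answered in time.
    m.outgoing(0.0, "192.0.2.53", build_message(0x1A2B, "www.example.com", QTYPE_A))
    reply = build_message(0x1A2B, "www.example.com", QTYPE_A, True, 120)
    verdicts[m.incoming(0.1, "192.0.2.53", reply)] += 1
    # 2. Twenty-five 3000-byte responses that nobody here asked for.
    for i in range(25):
        reply = build_message(i, "example.org", QTYPE_ANY, True, 3000)
        verdicts[m.incoming(1.0 + i * 0.01, "198.51.100.53", reply)] += 1
    # 3. A reply that arrives long after the request timed out.
    m.outgoing(10.0, "192.0.2.53", build_message(7, "example.net", QTYPE_A))
    verdicts[m.incoming(20.0, "192.0.2.53", build_message(7, "example.net", QTYPE_A, True))] += 1
    return dict(verdicts), m.block_candidates(), m.orphan_bytes["198.51.100.53"]
```

A production deployment would also expire stale entries from the pending table; the sketch only checks the timeout when a response arrives.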

VI. CONCLUSION

DDoS attacks are regarded as one of the primary threats to the Internet. This paper presented an overview of botnet-based DDoS attacks that exploit DNS, a fundamental piece of network infrastructure, to develop attacks. Academic and industry researchers have recommended several strategies to guard against DDoS-based threats on DNS. Despite these efforts and contributions, DDoS attacks remain a huge threat. Attackers counter every effort made in patching vulnerabilities by exploring other weaknesses that can be exploited in communication protocols. The defense mechanisms have also been exploited by attackers, enabling them to control these mechanisms as well as to generate false alarms and cause catastrophic outcomes. Furthermore, the most prominent attacks have been discussed with the aim of extending the knowledge on DDoS attacks and examining the importance of the DNS service given the recent rise in DNS amplification attacks.

REFERENCES

[1] G. Kirubavathi and R. Anitha, "Botnet detection via mining of traffic flow characteristics," Computers & Electrical Engineering, vol. 50, pp. 91-101, 2016.
[2] S. Lysenko, O. Pomorova, O. Savenko, A. Kryshchuk, and K. Bobrovnikova, "DNS-based anti-evasion technique for botnets detection," in Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2015 IEEE 8th International Conference on, 2015, pp. 453-458.
[3] J. Kwon, J. Kim, J. Lee, H. Lee, and A. Perrig, "PsyBoG: Power spectral density analysis for detecting botnet groups," in Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on, 2014, pp. 85-92.
[4] K. Alieyan, A. ALmomani, A. Manasrah, and M. M. Kadhum, "A survey of botnet detection based on DNS," Neural Computing and Applications, pp. 1-18, 2015.
[5] M. Anagnostopoulos, G. Kambourakis, and S. Gritzalis, "New facets of mobile botnet: architecture and evaluation," International Journal of Information Security, pp. 1-19, 2015.
[6] S. T. Zargar, J. Joshi, and D. Tipper, "A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks," IEEE Communications Surveys & Tutorials, vol. 15, pp. 2046-2069, 2013.
[7] B. Sieklik, R. Macfarlane, and W. J. Buchanan, "Evaluation of TFTP DDoS amplification attack," Computers & Security, vol. 57, pp. 67-92, 2016.
[8] S. Yu, Distributed Denial of Service Attack and Defense: Springer, 2014.
[9] B. Al-Duwairi, Z. Al-Qudahy, and M. Govindarasu, "A novel scheme for mitigating botnet-based DDoS attacks," Journal of Networks, vol. 8, pp. 297-306, 2013.
[10] Verisign, "2016 Cyberthreats and Trends Report," https://www.verisign.com/en_US/forms/confirmation/reportcyberthreatstrends.xhtml, 2016.
[11] S. Taghavi Zargar, "Towards Coordinated, Network-Wide Traffic Monitoring for Early Detection of DDoS Flooding Attacks," University of Pittsburgh, 2014.
[12] R. Vaughn and G. Evron, "DNS amplification attacks," Go online to http://www.isotf.org/news/DNS-Amplification-Attacks.pdf, 2006.
[13] M. Anagnostopoulos, G. Kambourakis, P. Kopanos, G. Louloudakis, and S. Gritzalis, "DNS amplification attack revisited," Computers & Security, vol. 39, pp. 475-485, 2013.
[14] G. Kambourakis, T. Moschos, D. Geneiatakis, and S. Gritzalis, "Detecting DNS amplification attacks," in Critical information infrastructures security, ed: Springer, 2007, pp. 185-196.
[15] S. Rastegari, M. I. Saripan, and M. F. A. Rasid, "Detection of denial of service attacks against domain name system using neural networks," arXiv preprint arXiv:0912.1815, 2009.
[16] M. Jalalzai, W. Shahid, and M. Iqbal, "DNS security challenges and best practices to deploy secure DNS with digital signatures," in Applied Sciences and Technology (IBCAST), 2015 12th International Bhurban Conference on, 2015, pp. 280-285.
[17] C. Rossow, "Amplification Hell: Revisiting Network Protocols for DDoS Abuse," in NDSS, 2014.
[18] D. T. Ha, G. Yan, S. Eidenbenz, and H. Q. Ngo, "On the effectiveness of structural detection and defense against P2P-based botnets," in Dependable Systems & Networks, 2009. DSN'09. IEEE/IFIP International Conference on, 2009, pp. 297-306.
[19] C. Marrison, "Understanding the threats to DNS and how to secure it," Network Security, vol. 2015, pp. 8-10, 2015.
[20] C. Fachkha, E. Bou-Harb, and M. Debbabi, "Fingerprinting internet DNS amplification DDoS activities," in 2014 6th International Conference on New Technologies, Mobility and Security (NTMS), 2014, pp. 1-5.
[21] H. Binsalleeh, "Analysis of Malware and Domain Name System Traffic," Concordia University, 2014.
[22] K. Arora, K. Kumar, and M. Sachdeva, "Impact Analysis of Recent DDoS Attacks."
[23] S. Raghavan and E. Dawson, An Investigation Into the Detection and Mitigation of Denial of Service (DoS) Attacks: Critical Information Infrastructure Protection: Springer Science & Business Media, 2011.
[24] D. Kaur, M. Sachdeva, and K. Kumar, "Recent DDoS Incidents and Their Impact," International Journal of Scientific & Engineering Research, vol. 3, pp. 1-6, 2012.
[25] S. Ranjan, R. Swaminathan, M. Uysal, and E. W. Knightly, "DDoS-Resilient Scheduling to Counter Application Layer Attacks Under Imperfect Detection," in INFOCOM, 2006.
[26] Arbor Networks, "Worldwide infrastructure security report," 2015.
[27] Akamai, "Security Bulletin: DNSSEC Amplification DDoS," https://www.akamai.com/uk/en/multimedia/documents/state-ofthe-internet/dnssec-amplification-ddos-security-bulletin.pdf, 2016.
[28] S. T. Zargar, "Towards Coordinated, Network-Wide Traffic Monitoring for Early Detection of DDoS Flooding Attacks," University of Pittsburgh, 2014.
[29] F. J. Ryba, M. Orlinski, M. Wählisch, C. Rossow, and T. C. Schmidt, "Amplification and DRDoS Attack Defense--A Survey and New Perspectives," arXiv preprint arXiv:1505.07892, 2015.
[30] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in Network Protocols, 2002. Proceedings. 10th IEEE International Conference on, 2002, pp. 312-321.
[31] Y. Kim, W. C. Lau, M. C. Chuah, and H. J. Chao, "PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks," IEEE Transactions on Dependable and Secure Computing, vol. 3, p. 141, 2006.
[32] R. Chen and J.-M. Park, "Attack Diagnosis: Throttling distributed denial-of-service attacks close to the attack sources," in Proceedings. 14th International Conference on Computer Communications and Networks, 2005. ICCCN 2005., 2005, pp. 275-280.
[33] R. Chen, J.-M. Park, and R. Marchany, "TRACK: A novel approach for defending against distributed denial-of-service attacks," Technical Report TR ECE-06-02, Dept. of Electrical and Computer Engineering, Virginia Tech, 2006.
[34] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, "Discriminating DDoS attacks from flash crowds using flow correlation coefficient," IEEE Transactions on Parallel and Distributed Systems, vol. 23, pp. 1073-1080, 2012.
[35] W. Wei, F. Chen, Y. Xia, and G. Jin, "A rank correlation based detection against distributed reflection DoS attacks," IEEE Communications Letters, vol. 17, pp. 173-175, 2013.
[36] M. Y. Arafat, M. M. Alam, and F. Ahmed, "A Realistic Approach and Mitigation Techniques for Amplifying DDOS Attack on DNS."
[37] S. Hong, "Efficient and secure DNS cyber shelter on DDoS attacks," Journal of Computer Virology and Hacking Techniques, vol. 11, pp. 129-136, 2015.
[38] N. Fultz and J. Grossklags, "Blue versus red: Towards a model of distributed security attacks," in International Conference on Financial Cryptography and Data Security, 2009, pp. 167-183.