5 A Detailed Review on Security Issues in Layered Architectures and Distributed Denial Service of Attacks Over IoT Environment

Rajarajan Ganesarathinam1*, Muthukumaran Singaravelu2 and K.N. Padma Pooja3

1 School of Computer Science and Engineering, Vellore Institute of Technology, Vellore, India
2 Department of Computer Science and Engineering, Anna University, Chennai, India
3 Department of Computer Science and Engineering, Thiagarajar College of Engineering, Madurai, India

Abstract
The promising nature of the Internet, its related technologies and applications has had a significant impact on human beings' day-to-day activities over the past three decades. As part of this evolution, the current trend is the Internet of Things (IoT), which takes automation to the next level by connecting devices through the Internet, and its benefits are tremendous. Meanwhile, threats and attacks are also evolving and have become an unstoppable menace to IoT users and applications. In this chapter, we present the various security loopholes and concerns in the existing layered architectures of IoT. Out of the many attacks and threats over IoT, we have specifically chosen Distributed Denial of Service (DDoS) attacks because of their severity in the IoT environment, and we deal extensively with the different categories of DDoS impact as well as reviewing existing countermeasures against DDoS in IoT. Further, this chapter addresses critical challenges and future research directions concerning IoT security that give insights to new researchers in this domain.

*Corresponding author: [email protected]

Uzzal Sharma, Parma Nand, Jyotir Moy Chatterjee, Vishal Jain, Noor Zaman Jhanjhi and R. Sujatha (eds.) Cyber-Physical Systems: Foundations and Techniques, (85–122) © 2022 Scrivener Publishing LLC

Keywords: IoT security, internet attacks, distributed denial of service, layered architecture, cyber systems

5.1 Introduction
Undoubtedly, the Internet has become an indispensable entity in all walks of human life. Due to its tremendous growth, it has become a basic need for millions of people to meet their demands. The Internet is used by approximately half of the world's population [1, 2]. Taking advantage of the Internet's numerous benefits, another area known as the Internet of Things uses the Internet to link objects and machines so that they communicate with one another [3]. The aim of this cutting-edge technology is to improve automation by linking objects through the Internet. As a result, sectors like government, healthcare, logistics, agriculture, business, education, etc., are experiencing the socio-economic impact of IoT, which encourages researchers to explore this technology further and raise the digital world to another level [4–7]. Thus, IoT is a digital ecosystem that caters applications to multiple domains, as shown in Figure 5.1, through interoperability among physical devices. Because of its better outcomes and comforts in human life, the number of IoT devices is increasing year by year. Figure 5.2 shows the trend of the IoT device population. Gartner Inc. [8] forecasted that more than 125 billion Internet-linked gadgets would be in use, and that on average each person owns 15 connected devices in 2030. To achieve interconnectivity among IoT devices as well as to form a well-established infrastructure for the IoT ecosystem, multiple heterogeneous platforms, elements and architectures [9] are needed; these are discussed in the next section.

Figure 5.1 Applications of IoT (smart hospital, train, smart home, aeroplane, smart cities, smart devices, smart classes, smart vehicles).

Figure 5.2 Growth of IoT devices in billions (2012–2020).

On the other hand, recognizing the buzz around IoT in market share, many firms and organizations have been driven to develop more IoT devices as quickly as possible to sustain their positions, with the motive of functionality rather than security. As a result, IoT security has been severely affected [10, 11]. From the security perspective, the rush of the IoT revolution so far, with less focus on the security of IoT devices, lays the foundation for a potential disaster [12]. Besides the benefits, there are also multiple challenges like energy efficiency, interoperability of heterogeneous platforms, poor management, device identification, privacy and trust encompassing the IoT architecture [13]. The most important of these concerns are security and privacy. Unless it is pursued with proper motive and care, IoT becomes the Internet of dangerous threats and attacks. The infusion of more and more non-secure devices from the market and their interconnectivity poison the IoT digital ecosystem [14–16]. Thus, the abundance of IoT devices makes them potential prey to a variety of malwares [17], whose growth attackers exploit to inflict havoc, as shown in Figure 5.3. Further details about the extensive nature of DDoS will be covered in the subsequent sections.
Figure 5.3 DDoS capable IoT malware growth (new malwares per year, 2008–2020).

Of the many attacks to which IoT is subjected, Distributed Denial of Service (DDoS) is the most complicated and dangerous attack over IoT. The significant reasons for considering this attack are its severity, the complex nature of its perpetration, the difficulty of preventing it and, mainly, its gruesome impact. DDoS is the magnified form of Denial of Service (DoS) attacks, which involves a group of remotely distributed bots [17, 18] that interrupt and deny services to users by flooding the target machine or communication links with a massive amount of traffic in a network. This attack gained great notoriety in the year 2016 because of the DDoSing of the IoT network with the help of a malware called "Mirai" [19, 20], which infected hundreds of IoT devices, producing an attack volume of 1.2 Tbps. This remains the most massive DDoS attack over IoT till now and became an eye-opener for security concerns in IoT platforms. Using the Mirai malware, attackers exploited IoT for massive DDoS attacks through simple procedures [21, 22]. The progressive growth of DDoS-capable malwares over IoT is shown in Figure 5.3.
The objectives of this chapter are manifold:

• Highlight the different models of IoT layered architecture and their security concerns.
• Give a picture of DDoS attacks and their taxonomy.
• Address the pros and cons of existing solution mechanisms for DDoS attacks and security loopholes in the IoT environment.
• Provide insights about critical challenges and future research in this arena.

The rest of the chapter is organized as follows: Section 5.2 briefs about IoT components, the different layers of IoT architecture and their security loopholes. Section 5.3 gives a detailed overview of DDoS attacks, their working mechanisms, classification and impact over IoT. The extensive literature survey of solution mechanisms specific to DDoS attacks in IoT is discussed in Section 5.4. Section 5.5 suggests research challenges and further directions towards DDoS-free IoT. Section 5.6 concludes this review chapter.

5.2 IoT Components, Layered Architectures, Security Threats
As highlighted in the introductory section, IoT is the heterogeneous composition of different technologies, platforms and devices embedded with software.

5.2.1 IoT Components
Generically, there are six components involved in IoT infrastructure, as shown in Figure 5.4. The details of the components are as follows:

Figure 5.4 IoT components: 1. Identity, 2. Sense, 3. Communication, 4. Compute, 5. Services, 6. Semantics.



(a) Identification: It facilitates the process of identifying every device in the IoT network through naming and addressing. Naming means assigning a special name to each object, while addressing refers to assigning a unique address to every device. For example, Electronic Product Codes (EPC), ubiquitous codes and IPv6 are the popular conventions commonly used [23].
(b) Sensing: It is the process of collecting information through various objects like actuators, smart sensors, wearable sensing objects, RFID tags, etc., and transferring it to cloud storage.
(c) Communication: Communication focuses mainly on the sending and receiving of files and other related information among the devices through various technologies like Bluetooth [24], RFID [25], LTE [26] and NFC [27].
(d) Computation: It means processing the information collected through sensors; the type of computation varies with the application. Many hardware and software platforms like Arduino, Raspberry Pi, Intel Galileo, TinyOS [28], LiteOS [29], Android, etc., support this computation phase.
(e) Services: The following four services are provided by IoT applications [30, 31]:
    (i) Identity-related service
    (ii) Information aggregation service
    (iii) Collaboration service
    (iv) Ubiquitous service.
(f) Semantics: It is a significant component of IoT for carrying out its responsibilities. It collects the related information and issues individual decisions to devices on demand.

5.2.2 IoT Layered Architectures
According to our findings, there is no single, uniform IoT architecture agreed upon by all researchers around the world. To meet the demands of the moment, the research community has suggested a variety of architectures. Thus, the architecture of the IoT ecosystem is evolutionary, not predefined. This subsection analyzes the pros and cons of the existing layered architectures of IoT.
Figure 5.5 3-Layer architecture (Application, Network, Perception).

5.2.2.1 3-Layer Architecture
This is the most fundamental architecture, meeting the basic idea of IoT. As shown in Figure 5.5, it has three layers, namely the Perception, Network (transport) and Application layers [32–34]. The perception layer, also called the sensor layer, is responsible for identifying devices in the IoT population and collecting information from those objects. The type of sensors deployed in the IoT environment depends on the application. The next layer, the network or transport layer, acts as a bridge between the application and perception layers. The primary responsibility of the transport layer is to connect smart objects, networking elements and networks with each other. The medium of communication may be either wired or wireless. The application layer, the final layer, is in charge of delivering services to applications such as smart homes, animal tracking, smart cities, healthcare, and so on.

5.2.2.2 4-Layer Architecture
The 3-layer architecture stated above fulfils only the basic needs of IoT and does not address security goals like authentication, authorization, trust and confidentiality [35]. Hence, researchers proposed a 4-layer architecture [36] to implement the features missing from the 3-layer architecture. Figure 5.6 shows that it has one extra layer, called the support layer. The responsibilities of the remaining three layers, perception, network and application, are similar to those in the 3-layer architecture, with extra care for device protection and encryption mechanisms.
The support layer comes in between the perception and network layers. The primary responsibility of this new layer is to provide authentication and protection. That is, it allows only authenticated sources of information through to the network layer by applying valid mechanisms like pre-shared secret keys, passwords, etc. Also, it encrypts the authenticated information so that confidentiality can be ensured.

Figure 5.6 4-Layer architecture (Application, Network, Support, Perception).

Figure 5.7 5-Layer architecture (Business, Application, Processing, Transport, Perception).

5.2.2.3 5-Layer Architecture
Researchers proposed another level of architecture, called the 5-layer architecture [37–39], as an enhancement of the 4-layer scenario. Apart from the perception, network and application layers, it has two extra layers, namely the processing and business layers, as shown in Figure 5.7. The processing layer acts as middleware that collects the information from the network layer and eliminates unnecessary extra information. That is, it performs the role of extracting the needed information from the volume of information collected by the sensors. Hence, it overcomes the problem of big data processing and reduces the overhead involved. The other new layer, the business layer, acts as the manager of the entire system. Its primary responsibilities include privacy, managing and controlling the applications, and modeling secure and robust data storage.

5.2.3 Associated Threats in the Layers
By analyzing the loopholes in the IoT infrastructure, attackers pose threats with multiple variations, and as a result the impact is acute. Table 5.1 shows the possible attacks over the different layers.

5.2.3.1 Node Capture
This is a serious assault on the perception layer of IoT. An attacker compromises a key node, such as a gateway router, and gains complete control over it. As a result, all information stored in its memory can be leaked, which is a major menace [40].

5.2.3.2 Playback Attack
It is also known as a replay attack: an attacker intrudes on the correspondence between the sender and the receiver and captures genuine data from the sender's end. The attacker then sends the same authenticated data to the receiver (victim), spoofing the identity and authenticity of the normal sender, so that the victim believes the message comes from a valid source [41].
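The difference between a receiver that checks only message authenticity and one that also checks freshness, as an added example that is not part of the chapter: the naive receiver accepts a captured message a second time, the hardened one rejects it. The pre-shared HMAC key, the per-message nonce, the nonce cache and the 30-second clock-skew window are assumptions made for this demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared key for the example; a real deployment provisions one per device.
KEY = b"example-pre-shared-key"


def sign(payload: bytes, nonce: bytes, timestamp: int) -> bytes:
    """MAC over timestamp || nonce || payload, so none of the three can be altered."""
    msg = timestamp.to_bytes(8, "big") + nonce + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def make_message(payload: bytes, now: int) -> dict:
    """Sender side: attach a fresh random nonce and the send time to the payload."""
    nonce = secrets.token_bytes(16)
    return {"payload": payload, "nonce": nonce, "ts": now,
            "mac": sign(payload, nonce, now)}


class NaiveReceiver:
    """Checks only the MAC, so a captured message verifies again: replay succeeds."""

    def accept(self, msg: dict, now: int) -> bool:
        expected = sign(msg["payload"], msg["nonce"], msg["ts"])
        return hmac.compare_digest(expected, msg["mac"])


class HardenedReceiver:
    """Also enforces freshness: bounded clock skew plus a nonce cache for that window."""

    def __init__(self, max_skew: int = 30):
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, pruned once outside the skew window

    def accept(self, msg: dict, now: int) -> bool:
        expected = sign(msg["payload"], msg["nonce"], msg["ts"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False
        if abs(now - msg["ts"]) > self.max_skew:
            return False            # too old (or clock too far ahead) to be fresh
        if msg["nonce"] in self.seen:
            return False            # exact copy of a message already accepted
        self.seen[msg["nonce"]] = msg["ts"]
        # Entries older than the window would fail the skew check anyway, so drop them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        return True


def replay_demo() -> dict:
    """Deliver a genuine message, then re-deliver the captured copy to both receivers."""
    t0 = 1_700_000_000
    msg = make_message(b"unlock door", t0)
    naive, hard = NaiveReceiver(), HardenedReceiver()
    return {
        "naive_first": naive.accept(msg, t0 + 1),
        "naive_replay": naive.accept(msg, t0 + 5),
        "hard_first": hard.accept(msg, t0 + 1),
        "hard_replay": hard.accept(msg, t0 + 5),
        "hard_stale": hard.accept(make_message(b"unlock door", t0), t0 + 600),
    }
```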

5.2.3.3 Fake Node Augmentation
Here, an attacker gains control over IoT devices by adding a malicious node to the system and feeding it fake data. The underlying motive of this attack is to block the transmission of real information. Likewise, if many fake nodes are added, it paves the way for a massive collapse of the IoT infrastructure.

5.2.3.4 Timing Attack
By analyzing how long the system takes to respond to a query, its processing time and the behaviour of its cryptographic algorithms, an attacker may identify vulnerabilities in the system and extract critical information. This type of attack is commonly possible on devices with limited computing capability [42].

5.2.3.5 Bootstrap Attack
Before two devices start to exchange confidential information, some assurance is needed that the devices can be trusted. Consequently, a mechanism for configuring nodes during initial network setup, known as bootstrapping, is needed [43]. An attacker exploits this mechanism during the bootstrapping phase to gain access to the device.

5.2.3.6 Jamming Attack
The attackers use jammers, which operate on the same frequency spectrum as other communication devices and interfere with legitimate signal transmission [44, 45].

5.2.3.7 Kill Command Attack
This attack occurs only in RFID devices. RFID tags are given a write-protected password during manufacturing. Because of the tags' memory and processing limitations, an attacker can brute-force the password, resulting in the tags being disabled [46].

5.2.3.8 Denial-of-Service (DoS) Attack
The DoS attack is the most famous attack, in which an attacker compromises the system and denies services to legitimate devices or users. Its most dangerous form, the Distributed DoS attack [47], is explained in the next section.

5.2.3.9 Storage Attack
The information collected from sensors is stored in the cloud environment or on storage devices. An attack in which the attackers exploit the cloud storage and modify the correct details is called a storage attack.

5.2.3.10 Exploit Attack
This attack is a lower-grade form of DoS attack in which the attacker probes the devices, system configuration and protocols, and extracts the vulnerabilities in the system. The attackers thereby gain control and breach the security boundary [48].

5.2.3.11 Man-In-The-Middle (MITM) Attack
It is similar to the replay attack in that an intruder gains control of the communication between two nodes and fabricates legitimate-looking information using malicious code such as worms, viruses, trojans, etc. The attacker hides his presence and lets the participating devices believe that the information comes from authenticated sources [49].

5.2.3.12 XSS Attack
It is a form of attack that allows attackers to embed a malicious client-side script into a popular website. Thus, attackers can change the contents of the application and use the application in an illegal manner [50].

5.2.3.13 Malicious Insider Attack
This type of attack is rare but possible. It originates from a compromised user of the IoT environment carrying out illegal activities. That is, an authorized user acting as an attacker disrupts the complete IoT ecosystem from inside [51, 52].

5.2.3.14 Malwares
The main motive behind injecting malware into IoT is to steal confidential information [53]. That is, worms, viruses, spyware, trojans, adware, etc., are applied to interact with the system.

5.2.3.15 Zero-Day Attack
This refers to a security flaw in an application of which the vendor is unaware. As a result, the intruder uses it to gain control without the user's permission or knowledge [54, 55].

Table 5.1 Attacks in every layer of IoT architecture.

| Attacks | Layer involved | Impact |
|---|---|---|
| Node Capture [18] | Perception | Memory leak |
| Playback attack [19] | Perception | Repudiation |
| Fake node augmentation | Perception | Blocking real node data transmission |
| Timing attack [20] | Perception | Indefinite delay in data transfer |
| Bootstrapping attack [21] | Perception | Illegal intrusion and exploitation |
| Jamming attack [22, 23] | Perception | Blocking of wireless channels |
| Kill command attack [24] | Perception | Disabling RFID tags |
| Denial of Service attack [25] | Network | Resource exhaustion, device crash |
| Storage attack | Network | Modification of original information |
| Exploit attack [26] | Network | Improper functionality of protocol |
| MITM attack [27] | Network | Repudiation |
| Cross site scripting attack [28] | Application | Illegal modification of contents in application |
| HTTP flooding attack | Application | Severe congestion, resource exhaustion |
| Regular expression attack | Application | Exhaustion of resources |
| Hash collision attack | Application | More collisions in hash tables |
| Reprogramming attack | Application | Illegal code modification in application |
| Malicious insider attack [29, 30] | Support | Authorized user with illegal activities |
| Malwares [31] | Processing | Loss of confidentiality |
| Zero day attack [32, 33] | Business | Unpredictable |

All types of attacks are harmful, and measures should be taken to prevent or avoid them. Of the many attacks we discussed, the most significant, dangerous and impactful attack over the IoT environment is the Distributed Denial of Service (DDoS) attack. The next section deals with the DDoS attack over IoT in detail.

5.3 Taxonomy of DDoS Attacks and Its Working Mechanism in IoT
The Internet Telecommunication Union (ITU-T) defines DDoS as "prevention of authorized access to resources or delay of time-critical operations". This is a massive coordinated attack on the availability of a victim's services or active network services, which is covertly launched through many compromised nodes [56].
DDoS attacks are not specific to IoT; even before the advent of IoT, the DDoS menace has existed in internetworks from the year 2000 onward. However, the arrival of IoT makes DDoS attacks more complex and powerful than ever. Most of the attacks, including DDoS, exploit the following security issues on the Internet and perpetuate a variety of threats over it.

(a) Internet is interdependent: It makes no difference how well protected the victim is; its vulnerability to DDoS attacks is determined by the protection of the rest of the Internet.
(b) Limited resources: Internet entities like hosts, networks, services, etc., have limited resources that can be saturated by attackers.
(c) No accountability: An IP packet contains fields like source IP and destination IP. Entities like routers and gateways simply process the source IP and destination IP entries without validation. Thus, the attacker perpetrates spoofing-related threats.
(d) Distributed control: On the Internet, of course, there is no way to deploy a global or centralized security mechanism. Every network has its policies defined by its administrators. Thus, it becomes possible for attackers to gain control over some network. The research work in [57] proposed Automated Trust Negotiation (ATN) to deal with complex components of the Internet, but still, solutions against evolving new threats are unaddressed.
Figure 5.8 Phases of DDoS attack: Recruitment, Exploitation, Communication, Attack.

As shown in Figure 5.8, a DDoS attack goes through the following phases to carry out its strategy against the victim [58, 59].

(i) Recruitment Phase: The attacker scans for vulnerable devices in the IoT network. If found, they can be compromised and used for the further stages of the attack. Earlier, this work was done manually; thereafter, automated tools evolved that scan the entire network for vulnerabilities in just one click.
(ii) Exploitation Phase: The recruited machines with vulnerabilities are injected with malicious code or software like worms, viruses and Trojans to turn them into a botnet. The botnet is the network of compromised nodes in IoT.
(iii) Communication Phase: The attacker mostly uses command-and-control infrastructure to communicate with the bots. In this phase, all the attack-related information, such as the nature, longevity and type of attack, is communicated to the bots.
(iv) Attack Phase: Finally, the attacker commands the bots to target the victim based on the information communicated between the attacker (master) and the bots (slaves). In modern-day DDoS attacks, most attackers spoof their identity to complicate the traceback mechanism.

5.3.1 Taxonomy of DDoS Attacks
Many classifications of DDoS attacks have been proposed in the literature over the past few years. This section presents our improved classification of DDoS attacks, generated by combining the taxonomies proposed in [59–66]. We classify DDoS attacks based on 12 parameters: architecture, vulnerability, protocol, automation, impact over the victim, rate of attack, persistence of agent set, victim type, validity of source address, scanning, propagation and attack traffic distribution.

5.3.1.1 Architectural Model
As highlighted in this section, most DDoS attacks are perpetrated using the mechanism called command-and-control infrastructure [18]. Based on this, there are four different types of architecture used by attackers to carry out DDoS against a victim, namely the Agent-Handler model, the Internet Relay Chat model, the Reflector model and the Peer-to-Peer model.
The Agent-Handler model (Figure 5.9(a)) contains three entities: client, master (handler) and slaves (agents). The client is the device that the attacker uses to communicate with the agents. The agents (bots) are the true perpetrators of DDoS attacks, acting on the client's and handler's instructions [62].
The Reflector model (Figure 5.9(b)) improves on the Agent-Handler model. Like the Agent-Handler model, it has client, handler and agents, but it has an extra component called a reflector. The reflectors are uninfected machines induced by the handlers to perpetrate the attack over the victim instead of the agents. That is, the agents spoof the IP address of the victim and intentionally send requests to the reflector with the spoofed source IP address of the victim. As a result, the reflectors flood their responses to the victim, which leads to a crash of the target. This type of DDoS is also called "Distributive Reflective Denial of Service" (DRDoS) [67, 68].
The Internet Relay Chat (IRC) based model is very similar to Agent-Handler except that the IRC protocol connects the client and the bots (Figure 5.9(c)); from the attacker's point of view it has advantages like high invisibility, low traceability and high survivability [69].
The Peer-to-Peer (P2P) based model (Figure 5.9(d)) differs from the C&C infrastructure in that the attacker issues commands to the bots over a P2P network rather than a C&C-based network. As a result, the attacker gains benefits like robustness and fault tolerance compared to the C&C model.

Figure 5.9 (a) Agent-Handler Model; (b) Reflector Model; (c) IRC based model; (d) Peer-to-Peer model (entities: clients, handlers, agents, reflectors and the (primary) victim; control traffic versus attack traffic).
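Detection logic that a victim-side flow monitor can apply to the Reflector model described above, added here and not part of the chapter: responses from reflector services that arrive at a monitored host which never sent a matching request are counted as reflected traffic, because in this model the spoofed requests were sent by the agents, not by the victim. The flow records, the 192.0.2.0/24 victim prefix and the choice of reflector ports (DNS is named in the chapter; NTP and SSDP are assumed) are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MONITORED = ip_network("192.0.2.0/24")  # constructed prefix of the protected (victim) network
# UDP services that answer small requests with large replies and so get used as reflectors;
# DNS is the one the chapter names, NTP and SSDP are assumptions for this example.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}

# Constructed flow records: (t_sec, src, sport, dst, dport, proto, bytes)
FLOWS = [
    (0, "192.0.2.10", 40001, "198.51.100.5", 53, "udp", 60),    # genuine DNS query
    (0, "198.51.100.5", 53, "192.0.2.10", 40001, "udp", 180),   # its answer
    (2, "192.0.2.30", 40002, "198.51.100.9", 123, "udp", 48),   # genuine NTP request
    (2, "198.51.100.9", 123, "192.0.2.30", 40002, "udp", 48),   # its answer
    (5, "203.0.113.7", 53, "192.0.2.20", 80, "udp", 3000),      # answers 192.0.2.20 never asked for
    (5, "203.0.113.8", 53, "192.0.2.20", 80, "udp", 3000),
    (6, "203.0.113.9", 123, "192.0.2.20", 80, "udp", 480),
    (6, "203.0.113.10", 1900, "192.0.2.20", 80, "udp", 1500),
    (40, "198.51.100.5", 53, "192.0.2.10", 40001, "udp", 180),  # very late answer to the first query
]


def find_reflected(flows, window=30, min_reflectors=3):
    """Flag monitored hosts that receive reflector-service responses they never requested.

    Outbound requests are remembered per (host, server, server port); an inbound response
    with no request in the last `window` seconds is unsolicited, which is what the victim
    sees in the reflector model. A host is reported only once `min_reflectors` distinct
    servers do this, so a single late or stray answer does not raise an alarm.
    """
    recent_requests = {}
    stats = defaultdict(lambda: {"unsolicited": 0, "bytes": 0,
                                 "reflectors": set(), "services": set()})
    for t, src, sport, dst, dport, proto, nbytes in sorted(flows):
        if proto != "udp":
            continue
        s, d = ip_address(src), ip_address(dst)
        if s in MONITORED and d not in MONITORED:
            recent_requests[(src, dst, dport)] = t          # host asked server:port at time t
        elif d in MONITORED and s not in MONITORED and sport in REFLECTOR_PORTS:
            asked = recent_requests.get((dst, src, sport))
            if asked is None or t - asked > window:
                entry = stats[dst]
                entry["unsolicited"] += 1
                entry["bytes"] += nbytes
                entry["reflectors"].add(src)
                entry["services"].add(REFLECTOR_PORTS[sport])
    return {host: e for host, e in stats.items() if len(e["reflectors"]) >= min_reflectors}
```

The byte total per victim is the figure to compare against link capacity when deciding whether upstream filtering of the reflector ports is needed.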

5.3.1.2 Exploited Vulnerability
Based on the vulnerability in the network, DDoS attacks are classified into two different categories [18, 61, 63, 66]:

• Resource Depletion
• Bandwidth Depletion.

In resource depletion attacks, malformed packets or mechanisms that exploit an application are used to deny service. That is, either vulnerabilities in protocol features like TCP SYN, PUSH and ACK are exploited, or tampered IP packets are used to harm the network resources. In bandwidth depletion attacks, the focus is on clogging the network bandwidth, CPU processing time and memory with a huge volume of legitimate traffic, either through flooding or through amplification mechanisms [18, 59, 60, 66, 69–71].

5.3.1.3 Protocol Level
Based on which protocols of the different layers of the TCP/IP model are attacked, DDoS can be classified into two categories:

• Network-level
• Application-level.

At the network level, protocols in the network or transport layer like TCP, UDP, ICMP, etc., are exploited to conduct the attack and block the services. On the other hand, application layer protocols like DNS, HTTP, SMTP, etc., are used for flooding and amplification attacks [71–73].

5.3.1.4 Degree of Automation
Based on how the attack is initiated, it can be classified into three categories [18, 58, 59]:

• Manual
• Semi-automatic
• Automatic.

Nowadays, most attacks are fully automated, so the impact is severe and traceability is difficult.

5.3.1.5 Scanning Techniques
DDoS attacks can be classified into four groups based on how the attacker searches the network for vulnerabilities and recruits bots for attacks [18, 58].

• Random Scanning
• Hitlist Scanning
• Permutation Scanning
• Local subnet Scanning.

In random scanning, no specific technique is used by the attacker to scan the devices in the network for vulnerabilities; the attacker randomly scans the IP address space and finds vulnerable hosts. Scanning a list of hosts based on known facts about the devices and their vulnerabilities is called hitlist scanning. In permutation scanning, the identities of objects are found by a pseudo-random permutation of the IP address space.

5.3.1.6 Propagation Mechanism
Based on how the attack code is injected into devices, DDoS can be categorized into three classes [18, 58]:

• Central Source Propagation
• Back-Chaining Propagation
• Autonomous Propagation.

In central source propagation, the handler or malicious package is stored on a central server. After recruiting vulnerable hosts, the attacker injects the malicious code from the centralized source. However, the centralized infrastructure is a possible single point of failure. In the back-chaining technique, the attack code is downloaded from the infecting host and used to compromise the device. On the other hand, most modern-day DDoS attackers make use of autonomous propagation, in which malicious code is injected directly into the host at the time of infection itself. This is completely automated and needs no third-party intervention.

5.3.1.7 Impact Over the Victim
Based on the impact of DDoS attacks over the victim [58, 59], they can be categorized as:

• Disruptive
• Degrading.

DDoS attacks that interrupt the victim's services to legitimate users for an extended period of time are known as disruptive DDoS attacks. Recovering from a disruptive attack depends on the resilience of the victim infrastructure as well as the nature of the DDoS attack. The degrading category means the motive of the attack is not to disrupt all services altogether, but to stop the most critical service in IoT for a significant period.

5.3.1.8 Rate of Attack
Depending on the attack rate over the victim, the DDoS attack can be classified into the following:

• Constant Rate
• Variable Rate.

Constant-rate DDoS attacks are those in which attackers continuously flood packets towards the victim at peak rates. Variable-rate DDoS attacks occur when the rate varies over time. Though the constant rate has a larger impact, the variable rate is better at hiding the existence of a DDoS attack.
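A per-second rate analyser that separates constant-rate from variable-rate floods as defined above, and that merges the pulses of a variable-rate attack into one episode so the lulls do not hide it. This is an added example, not from the chapter; the packet-per-second series, the baseline of 100 pps and the 10x threshold are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed per-second packet counts toward one victim service. Normal load is about
# 100 pps; a constant-rate flood of 5000 pps is followed later by a pulsed (variable-rate)
# flood that alternates 3 s of 6000 pps with 3 s of normal traffic.
NORMAL = [100, 95, 110, 100, 90, 105, 100, 100, 95, 105]
SERIES = (NORMAL + [5000] * 10 + NORMAL
          + ([6000] * 3 + NORMAL[:3]) * 2 + [6000] * 3 + NORMAL)
BASELINE_PPS = 100  # assumed to have been learned from a quiet period


def attack_episodes(pps, baseline, factor=10.0, max_gap=5):
    """Return (start, end) index ranges of attack episodes.

    A second is 'hot' when it exceeds factor x baseline. Hot seconds separated by a
    lull of at most max_gap seconds belong to the same episode; without this merging a
    pulsed attack shows up as many short, unrelated alarms, which is exactly how a
    variable-rate attack hides from a per-second threshold.
    """
    episodes, start, last_hot = [], None, None
    for i, v in enumerate(pps):
        if v > factor * baseline:
            if start is not None and i - last_hot > max_gap:
                episodes.append((start, last_hot + 1))
                start = None
            if start is None:
                start = i
            last_hot = i
    if start is not None:
        episodes.append((start, last_hot + 1))
    return episodes


def classify_rate(values, cv_threshold=0.25):
    """Constant rate if the coefficient of variation within the episode is small."""
    m = mean(values)
    return "constant" if pstdev(values) / m < cv_threshold else "variable"


def analyse(pps, baseline, factor=10.0, max_gap=5):
    """Summarise each episode: kind, peak rate and duty cycle (share of hot seconds)."""
    report = []
    for s, e in attack_episodes(pps, baseline, factor, max_gap):
        seg = pps[s:e]
        hot = sum(1 for v in seg if v > factor * baseline)
        report.append({"start": s, "end": e, "kind": classify_rate(seg),
                       "peak": max(seg), "duty": hot / len(seg)})
    return report
```

A low duty cycle with a high peak is the signature of the variable-rate case; a detector that alarms on the average rate over a long window would miss it while the per-second peak does not.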

5.3.1.9 Persistence of Agents
The attackers use the same set of recruited agents during the attack period, or sometimes randomly vary the agents' availability in order to complicate traceability. As a result, DDoS can be classified as either constant agent set or variable agent set, depending on how the agent sets are deployed.

5.3.1.10 Validity of Source Address
Depending on the source IP address of the agents, DDoS can be classified as spoofed-source DDoS and valid-source DDoS. With spoofed source IPs, the attacker hides his presence under the mask of a random host IP, which further complicates traceability. It is infrequent in the modern-day scenario that attackers use actual valid source IP addresses.

5.3.1.11 Type of Victim


Based on the target to be attacked, DDoS can be classified as host-,
application-, network- and infrastructure-based DDoS attacks.

5.3.1.12 Attack Traffic Distribution


The traffic rate can be either similar or dissimilar across the attacking
agents during the attack period. Based on the distribution of the packet
traffic, DDoS can be classified into the following [65, 74]:

• Isotropic
• Non-Isotropic.

In isotropic DDoS the traffic distribution is uniform across the agents
throughout the attack duration, whereas in non-isotropic DDoS it varies
from device to device.

5.3.2 Working Mechanism of DDoS Attack


The overall scenario of modern-day DDoS attacks is represented in Figure
5.10. In general, the working mechanism of a DDoS attack can be divided
into three phases: the attacking phase, the handling phase and the target
phase.
The two crucial components of the attacking phase are the bots and the
botmaster. A bot is a compromised device running a malware package that
includes rootkits, scanners, SQL templates, image scripts and other
components, and that takes its orders from a command-and-control (C&C)
server. Based on the nature of the attack and the functionality required,
the botmaster selects a specific set of bots from the botnet [75, 76].
With the help of these agents, the attacker (botmaster) learns the
various security loopholes of candidate IoT objects and leaves them open
for the later phases, and keeps finding more vulnerable IoT objects by
continuously scanning the Internet with the bots.
The handling phase has three essential components, namely the C&C
server, the loader and the report server. A database (MySQL) of infected
devices and related information is held on the C&C server. Most DDoS
attackers communicate with the C&C server and the agents over IRC,
whereas recent studies show that HTTP botnets are also popular [77, 78];
that is, the HTTP protocol is used for communication between the attacker
and the C&C server. The loader then installs the bot on each newly
infected machine, which is added to the C&C control panel, so that the
attacker can use whatever those IoT devices offer without the knowledge
of their owners. Since the compromised device now checks in with the C&C
server, the agents can easily carry out attacks on command.

Figure 5.10 Working mechanism of DDoS attacks.
[Figure: three environments are shown, the attacking environment
(centralized management interface), the handling environment (C&C server,
report server, bot and newly infected bot victims) and the target
attacked environment (target server and legitimate user). Labelled
steps: 1. send command; 3. report; 4. check status; 5. infect;
6. malicious bot; 7. attack command; 8. attack, with brute-force attack
traffic or legitimate-looking packets reaching the target server.]
The target phase consists of two components: the newly infected devices
and the target server. Once the malicious code has been injected into a
host, its keylogging component runs alongside the victim's other
applications, and whenever a user fills in a login request the username
and password are communicated automatically to the C&C server. After
confirming that the bots are active, the attacker directs the agents to
attack the victim. The command includes parameters such as the nature of
the attack, its duration, the time-to-live (TTL) and the port number.

5.4 Existing Solution Mechanisms Against DDoS Over IoT

An extensive literature study has been conducted on solution mechanisms
against DDoS in IoT, and the findings have been categorized into
detection and prevention strategies. Some work focuses only on detection,
for instance of variable-rate DDoS, low-rate DDoS and their related
variants, whereas other researchers proposed prevention mechanisms
against DDoS; hybrid strategies include both detection and prevention.
This section elaborates the literature on existing countermeasures
against DDoS in IoT and compares the pros and cons of each work.

5.4.1 Detection Techniques


In [79], a honeynet solution is proposed for the detection of DDoS
attacks. Honeypots are decoy systems that lure the attacker into probing
them [80]. This work combines several honeypots into a system called
"Honeycloud". The honeypots fingerprint the attacker's activities
whenever a known attack or a blacklisted IP address contacts the IoT
devices, and further processing can then be done to limit the DDoS
impact. The technique is effective only as long as the attacker is
unaware of the honeypots; otherwise the honeypots themselves become a
serious threat to the IoT devices they are meant to protect.
Many researchers have proposed mechanisms that improve processing time
and scalability in countering malicious attacks; in practice, attackers'
state-of-the-art strategies nullify such mechanisms, and the added
processing increases response time through latency. In the continuation
of such effort, [81] used fog computing techniques to withstand DDoS
attacks. The authors proposed a model called "FOCUS" (Fog Computing based
Security System), which provides a two-level protection system: at the
first level a VPN secures the communication medium, and at the second
level a challenge–response authentication approach separates illegitimate
DDoS traffic from legitimate traffic. The advantages of this mechanism
are a shorter response time and lower bandwidth consumption compared with
other techniques. However, an accurate network-traffic classifier is
essential at the second level (the challenge–response mechanism) if DDoS
attacks are to be detected without false positives.
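A stateless challenge–response gate of the kind the second FOCUS level relies on, written here as an added illustration and not the authors' FOCUS code. The gateway answers a first contact with a token bound to the claimed source address by an HMAC; only a host that actually received that token, i.e. one reachable at the address it claims, can echo it back, so flood sources with spoofed addresses never pass, and the gateway keeps no per-client state while waiting. The token layout, the 30-second validity window, the secret handling and the exchange in demo() (documentation addresses, not captured traffic) are my assumptions:

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Gateway secret; assumed to be rotated out of band in a real deployment.
SECRET = os.urandom(32)
WINDOW_S = 30            # token accepted in the window it was issued and the next
TOKEN_LEN = 4 + 16       # 32-bit window counter + truncated HMAC-SHA256


def _mac(addr: str, window: int) -> bytes:
    msg = f"{addr}|{window}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]


def make_challenge(addr: str, now: float) -> bytes:
    """Token returned to the claimed source address on first contact.
    The gateway stores nothing: the token itself carries the state."""
    window = int(now) // WINDOW_S
    return struct.pack(">I", window) + _mac(addr, window)


def verify_response(addr: str, token: bytes, now: float) -> bool:
    """True only if the token was minted for this address in the current or
    the immediately preceding window and is bit-for-bit intact."""
    if len(token) != TOKEN_LEN:
        return False
    window = struct.unpack(">I", token[:4])[0]
    if int(now) // WINDOW_S - window not in (0, 1):
        return False                       # expired, or from the future
    return hmac.compare_digest(token[4:], _mac(addr, window))


class Gate:
    """Second-level filter: a source must echo its challenge before any of
    its packets are forwarded.  Tokens are single-use.  Assumption: a real
    deployment would also expire entries in `verified`."""

    def __init__(self) -> None:
        self.verified = set()
        self.used_tokens = set()

    def handle(self, addr: str, now: float, token: Optional[bytes] = None) -> str:
        if addr in self.verified:
            return "forward"
        if token is None:
            return "challenge"             # caller replies with make_challenge()
        if token in self.used_tokens or not verify_response(addr, token, now):
            return "drop"
        self.used_tokens.add(token)
        self.verified.add(addr)
        return "forward"


def demo() -> dict:
    """Constructed exchange (documentation addresses, not captured traffic):
    one legitimate client and one flooder spoofing another address."""
    gate = Gate()
    legit, now = "198.51.100.7", 1000.0
    first_contact = gate.handle(legit, now)
    token = make_challenge(legit, now)             # delivered to the real host
    echoed = gate.handle(legit, now + 0.2, token)  # client sends it back
    later = gate.handle(legit, now + 5.0)          # subsequent packets pass
    # The flooder never receives the token sent to the address it spoofs,
    # so the best it can do is replay one it sniffed for someone else.
    spoof = gate.handle("192.0.2.9", now + 0.3, token)
    tampered = verify_response(legit, token[:-1] + bytes([token[-1] ^ 1]), now + 1)
    stale = verify_response(legit, token, now + 2 * WINDOW_S + 1)
    return {"first_contact": first_contact, "echoed": echoed, "later": later,
            "spoof": spoof, "tampered": tampered, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The design mirrors SYN cookies: correctness of the echo proves reachability of the source address, which is exactly what a spoofing flood cannot demonstrate. It does nothing against a flood from real, reachable bots, which will happily answer their challenges; that is the gap the text's call for an accurate traffic classifier at the second level is about.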
[82] proposed an Intrusion Detection System based on an Artificial Neural
Network. This ANN-IDS can be used as an offline framework to capture and
analyze traffic between multiple IoT devices and to detect DDoS attacks
in the IoT network. The experimental demonstration showed 99% accuracy
in classifying legitimate and malicious traffic; however, being offline,
it cannot respond in real time.
In [83], a detection mechanism for both high-rate and low-rate DDoS
attacks is proposed. In general, a high-rate DDoS attack causes a sudden
surge in traffic, whereas a low-rate DDoS attack sends its traffic in
short pulses separated by quiet intervals, so that its average rate stays
low and it is harder to detect. The authors proposed a two-layer approach
to detect these two variants. In the first stage the traffic metrics pass
through the Detection with Average Filter (DAF) unit, which filters out
high-rate DDoS traffic; in the second stage the remaining metrics pass
through the Detection with Discrete Fourier Transform (DDFT) unit, which
detects low-rate DDoS traffic from its periodicity. The main drawbacks of
this approach are its high overhead and its ineffectiveness when the
high-rate and low-rate malicious traffic are close enough in rate.
Adeilson et al. [84] proposed a real-time DDoS detection system for the
Internet of Things (IoT) based on Complex Event Processing (CEP). This
CEP architecture consists of three main layers: event filter, event
processor and action engine. The event filter tests and tracks network
traffic when the IoT system experiences traffic flooding. The packet
analyzer and attack-detection modules in the event processor evaluate the
type of DDoS attack and record its existence and properties. The action
engine, the final layer, deals with suspicious attack traffic and blocks
links to the affected resources. The technique detects attack traffic
with high accuracy, but its false-positive rate is around 8%, which is
unacceptable in a real-time scenario.
The research work presented in [85] detects botnets by Power Spectral
Density (PSD) analysis. The authors presented a model called PsyBOG, a
signal-processing technique that finds the dominant frequencies of the
botnets' periodic DNS queries. By observing both the simultaneous and the
periodic behavioral patterns of DNS traffic, botnet traffic, legitimate
traffic and infrequent traffic can be separated. Simulation-based
experiments showed that this approach is viable for large-scale IoT
systems, as its scalability is not affected by voluminous traffic.
In [86], the use of machine learning techniques to detect malicious
traffic is proposed. This work presented a model called T-IDS (Advanced
Traffic-based Intrusion Detection System), which uses network traffic
feature collection, feature selection techniques, and a Randomized Data
Partitioned Learning Model (RDPLM) to detect intrusions. Voronoi-based
data partitioning and clustering is preferred for data reduction after
the dataset has been collected and preprocessed. Finally, based on the
heterogeneity of the input dataset, a meta-learning prototype with
multiple randomized trees is developed. This makes it easier to detect
malicious traffic, but the downside is that when dealing with large sets
of data, the running time and computing requirements of this model grow
exponentially.
In [87], a behavioral study of DNS registration is used to detect
botnets. This approach focuses on early detection by analyzing the bots'
DNS registrations as well as their communication with C&C servers. By
recognizing the output of domain-name generating algorithms and using
other tracking services, suspicious bots are blacklisted. Since this
methodology is entirely built on botnet datasets, such datasets must be
provided with care.
Detecting a mobile botnet is a bit more complicated than detecting a
static botnet. [88] proposed signature-based mobile botnet detection
with three modules, namely a multi-agent system, a signature-based
detection module and a decision-action module. The multi-agent system
manages traffic and gathers information from the various Android
devices. The detection module gathers data from the central server and
uses pattern-matching algorithms to identify known botnets. Finally, the
decision module decides on evicting the botnets from the IoT. The main
drawback of this approach is that it is ineffective against new variants
of botnets: it can discover only known botnets, not new attacks.
DDoS attacks on the Android platform have increased significantly over
the last three years. The authors of [89] suggested a methodology based
on a structural-analysis testing framework. It comprises five modules
and aims at detecting DDoS attacks on Android platforms only. The first
module collects the normal as well as the botnet applications installed
on all the IoT devices for structural analysis. The second module uses
the Android Asset Packaging Tool (AAPT) to decompress the .apk file and
extract the Android manifest. The remaining modules separate botnets
from legitimate applications by applying machine learning algorithms.
The experimental results showed that it is very effective against DDoS
over Android platforms compared with previous strategies.
Natarajan et al. [90] presented a technique for detecting stegabots based
on analysis of image entropy: embedding a bot binary in an image changes
the image entropy markedly, so the entropies before and after embedding
differ widely. However, scalability is a problem with this method.
Anitha et al. [91] extended this image-entropy-based detection to check
whether a user is a bot or not; this work focuses mainly on detecting
stegabots in social media networks.
A real-time DDoS detection protocol for connection-oriented services in
the network is proposed in [92]. The authors proposed a novel system
called a sliding-mode observer, installed in gateway routers and
firewalls, which diagnoses attack traffic from the real-time queue
length. NS-2 based simulation experiments show that the approach is
practical.

5.4.2 Prevention Mechanisms


Senie et al. [93] suggested ingress–egress filtering as a packet
filtering technique, that is, filtering out incoming and outgoing packets
that carry a spoofed source IP address. This mechanism gained popularity
early on, but it fails when DDoS attackers use legitimate IP addresses.
Lee et al. [94] presented a score-based packet filtering technique to
drop malicious packets: based on the traffic features of both incoming
and outgoing packets, a score is assigned to each packet, and if the
score exceeds the threshold the packet is considered attack traffic and
is discarded. In real-time DDoS experiments this technique predicted and
dropped malicious packets with a success rate of 80%.
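The two filters just described can be put side by side in a few lines. The Python below is an added example, not code from [93] or [94]: the first check is ingress/egress filtering at a site edge (the practice usually referred to as BCP 38 / RFC 2827), and the second is a score-based filter that compares each packet's attribute values under a peacetime profile against their values during the attack and drops packets whose summed log-likelihood ratio exceeds a threshold. The site prefix 10.20.0.0/16, the bogon list, the attribute set (protocol, destination port, TTL), the add-one smoothing, the threshold of 3.0 and all packet records are constructed for the illustration; the exact scoring formula of [94] is not reproduced here.

```python
import ipaddress
import math
from collections import Counter

# Hypothetical protected site prefix, and address ranges that must never
# appear as a source on the Internet-facing interface.
SITE_PREFIXES = [ipaddress.ip_network("10.20.0.0/16")]
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
ATTRS = ("proto", "dst_port", "ttl")   # packet attributes that get scored


def ingress_egress_ok(pkt):
    """Ingress/egress check at the site edge.  Packets arriving from the
    Internet may not claim a site or bogon source; packets leaving the
    site must carry a site source.  Defeats spoofing, not real-host floods."""
    src = ipaddress.ip_address(pkt["src"])
    from_site = any(src in net for net in SITE_PREFIXES)
    if pkt["dir"] == "in":
        return not from_site and not any(src in net for net in BOGONS)
    return from_site


def profile(packets):
    """Per-attribute value frequencies of a packet sample, add-one
    smoothed, returned as a function prob(attr, value)."""
    n = len(packets)
    counts = {a: Counter(p[a] for p in packets) for a in ATTRS}

    def prob(attr, value):
        return (counts[attr][value] + 1) / (n + len(counts[attr]) + 1)
    return prob


def packet_score(pkt, nominal, current):
    """Sum of log(P_attack_time / P_peacetime) over the attributes: the
    more a packet resembles what flooded in during the attack and the less
    it resembles peacetime traffic, the higher the score."""
    return sum(math.log(current(a, pkt[a]) / nominal(a, pkt[a])) for a in ATTRS)


def admit(pkt, nominal, current, threshold):
    if not ingress_egress_ok(pkt):
        return "drop:spoofed"
    if packet_score(pkt, nominal, current) > threshold:
        return "drop:score"
    return "accept"


def _mk(proto, port, ttl, n):
    return [{"src": "203.0.113.1", "dir": "in", "proto": proto,
             "dst_port": port, "ttl": ttl}] * n


# Constructed samples: a peacetime profile, then the same mix plus a UDP/53
# flood from hosts with TTL 64 observed during the attack.
PEACETIME = (_mk("TCP", 443, 52, 30) + _mk("TCP", 443, 56, 30)
             + _mk("TCP", 80, 118, 30) + _mk("UDP", 53, 118, 10))
ATTACK_TIME = PEACETIME + _mk("UDP", 53, 64, 400)
NOMINAL, CURRENT, THRESHOLD = profile(PEACETIME), profile(ATTACK_TIME), 3.0

SAMPLES = {
    "web_client": {"src": "203.0.113.9", "dir": "in", "proto": "TCP", "dst_port": 443, "ttl": 52},
    "legit_dns":  {"src": "203.0.113.9", "dir": "in", "proto": "UDP", "dst_port": 53, "ttl": 118},
    "flood":      {"src": "198.51.100.4", "dir": "in", "proto": "UDP", "dst_port": 53, "ttl": 64},
    "site_spoof": {"src": "10.20.5.7", "dir": "in", "proto": "UDP", "dst_port": 53, "ttl": 64},
    "bogon":      {"src": "192.168.1.5", "dir": "in", "proto": "TCP", "dst_port": 80, "ttl": 118},
    "egress":     {"src": "198.51.100.4", "dir": "out", "proto": "UDP", "dst_port": 53, "ttl": 64},
}
DECISIONS = {name: admit(p, NOMINAL, CURRENT, THRESHOLD) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:11s} score={packet_score(p, NOMINAL, CURRENT):6.2f} -> {DECISIONS[name]}")
```

The samples show the limit the text points out: the flood from real, unspoofed hosts passes the ingress check and is caught only by the score, while a legitimate DNS query scores high on two of three attributes during a DNS flood and survives only because its TTL still looks like peacetime traffic. The attribute set and threshold therefore have to be chosen with the false-positive cost in mind, which is the overhead the page attributes to [94].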
A weight-fair throttling mechanism is proposed in [95] to avoid DDoS
attacks on a web server: a leaky-bucket algorithm at the upstream router
regulates the packet flow towards the web server. If traffic exceeding
the capacity of the server reaches the edge router, the mechanism
throttles the flow and prevents the web server from crashing. Secure
Overlay Service (SOS) was also once considered a prevention mechanism
against DDoS, but its scope is narrow and it is ineffective against new
routing protocols that have built-in security loopholes; the working
mechanism of SOS is presented in [96].
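A router-side throttle of the kind [95] describes, as an added example rather than the authors' code: each upstream link feeds a leaky bucket whose drain rate is that link's share of the server's capacity, and the shares are computed with a weighted max-min fair rule, so that well-behaved links keep their full demand while the flooding link absorbs the whole cut. The capacity of 300 packets/s, the burst depth of 10, the three constructed arrival streams and the use of max-min fairness as the "weight-fair" rule are assumptions made here.

```python
class LeakyBucket:
    """Arrivals fill the bucket, which drains at `rate` packets per second.
    An arrival that would push the level above `burst` is dropped."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.level, self.last = 0.0, 0.0

    def offer(self, t):
        self.level = max(0.0, self.level - self.rate * (t - self.last))
        self.last = t
        if self.level + 1 <= self.burst:
            self.level += 1
            return True
        return False


def max_min_fair(demands, capacity, weights=None):
    """Weighted max-min fair shares of `capacity` (packets/s): every link
    gets its demand if that fits its weighted share of what is left, and
    the remainder is split among the links whose demand could not be met."""
    weights = weights or {k: 1.0 for k in demands}
    alloc, remaining, active = {}, float(capacity), set(demands)
    while active:
        total_w = sum(weights[k] for k in active)
        fits = [k for k in active if demands[k] <= remaining * weights[k] / total_w]
        if not fits:
            for k in active:
                alloc[k] = remaining * weights[k] / total_w
            break
        for k in fits:
            alloc[k] = demands[k]
            remaining -= demands[k]
            active.discard(k)
    return alloc


def simulate(arrivals, capacity_pps, window_s, burst=10, weights=None):
    """arrivals: {link: sorted packet timestamps in seconds}.  Each link's
    demand is its average rate over the window; it gets a bucket draining
    at its fair share.  Returns the shares and per-link forward/drop counts."""
    demands = {k: len(ts) / window_s for k, ts in arrivals.items()}
    rates = max_min_fair(demands, capacity_pps, weights)
    buckets = {k: LeakyBucket(rates[k], burst) for k in arrivals}
    forwarded = {k: 0 for k in arrivals}
    for t, k in sorted((t, k) for k, ts in arrivals.items() for t in ts):
        if buckets[k].offer(t):
            forwarded[k] += 1
    dropped = {k: len(ts) - forwarded[k] for k, ts in arrivals.items()}
    return {"rates": rates, "forwarded": forwarded, "dropped": dropped}


# Constructed arrivals over a 5 s window: link A floods at 1000 packets/s,
# links B and C each send a steady 20 packets/s; the server takes 300/s.
WINDOW_S = 5.0
ARRIVALS = {
    "A": [i / 1000 for i in range(5000)],
    "B": [i / 20 for i in range(100)],
    "C": [i / 20 for i in range(100)],
}
RESULT = simulate(ARRIVALS, capacity_pps=300, window_s=WINDOW_S)

if __name__ == "__main__":
    print(RESULT)
```

With these inputs B and C are allocated their full 20 packets/s and lose nothing, A is cut to the remaining 260 packets/s, and the total forwarded never exceeds the server's capacity plus the bucket depths. The weakness the table records for [95] is visible in the model: the share is computed from a link's average demand, so a variable-rate source that stays under its share on average can still push short bursts through the bucket.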
Nowadays, DDoS attackers are also exploiting the features of Software
Defined Networking (SDN) and using it as a platform for conducting DDoS
attacks over the IoT environment. [97] introduced the S-Flow technique,
which combines SDN with traffic-flow sampling and defines a metric
called DCN to quantify the distribution and intensity of packet flows.
As an extension of this work, [98] presented a Floodlight-based guard
system in which a source-IP anti-spoofing module is combined with S-Flow
technology (sFlow-RT) to counter IP-spoofing-based DDoS attacks in SDN.
The work presented in [99] is exclusively for the Service Oriented
Architecture (SOA) of IoT. The authors proposed a model based on
Learning Automata to thwart DDoS in SOA-based IoT platforms. Its
significant feature is that it is built on top of a cross-layer design,
which makes it instrumental in capturing attack packets with less
overhead. A more in-depth analysis of the working mechanism is found in
[99].
To minimize the effect of DDoS attacks, [100] proposes a constructive
auto-responsive honeypot architecture. The main goal of this system is
to keep the network stable by making resources inaccessible to DDoS
attackers. NS-2 based simulation results showed that the technique
reduced the false-negative rate, but its main drawback is additional
overhead in the network. The Classifier System DDoS is introduced in
[101] as a way to detect and prevent DDoS attacks by sorting incoming
packets and drawing an inference with classifiers. The authors proposed
four different classifiers to segregate and blacklist malicious traffic
under the assumption that IP spoofing is not involved; it therefore
works only for packets with genuine source addresses, not for spoofed
ones. The experimental results, evaluated with k-fold cross-validation,
showed 97% accuracy with a kappa coefficient of 0.89 under a single
attack and 94% accuracy with a kappa coefficient of 0.9 under multiple
attacks.
The collaborative effort by IBM and Akamai led to the development of a
multi-faceted prevention mechanism against DDoS attacks called "Kona
Site Defender". It is robust in handling DDoS attacks in the sense that
the request load is redirected to various geographically distributed
servers and the attack traffic is filtered out of the incoming traffic
flow [102]. Table 5.2 summarizes the merits and demerits of the existing
solution mechanisms.

Table 5.2 Summary of existing countermeasures against DDoS attacks.

Existing countermeasure | Mode | Operation scenario | Advantages | Disadvantages
Honeynet cloud [79] | Detection | Eavesdropping on attackers' activities | Attackers' mode of operation becomes known; effective fingerprinting of the attacker's signature | High overhead; high false-positive rate
FOCUS [81] | Detection | VPN and challenge–response authentication | Less overhead; quick detection of attacks; less processing time and bandwidth | Accurate network classifier needed, otherwise the false-positive rate would be high
ANN-IDS [82] | Detection | Artificial Neural Network based traffic analysis | 99% accurate | Unreliable against real-time attack packets
Variable-rate DDoS detection [83] | Detection | Detection with Average Filter (DAF) and Detection with Discrete Fourier Transform (DDFT) | Separates low-rate and high-rate DDoS traffic | High overhead; ineffective when high- and low-rate traffic are close enough
Real-time DDoS detection [84] | Detection | Complex Event Processing (CEP) | Very effective | False-positive rate is 8%
PsyBoG [85] | Detection | Behavioral pattern of DNS | Supports scalability | Effective only for DNS traffic
T-IDS [86] | Detection | Randomized Data Partitioned Learning Model (RDPLM) | Quick identification of malicious traffic | Time complexity and computational power are high for large data sets
Behavioral study of DNS [87] | Detection | Domain name generating algorithm | Botnet identification | Sampling of flow monitoring by the ISP
Signature-based mobile botnet detection [88] | Detection | Multi-agent, signature-detection and decision-action modules | Less overhead; lightweight detection approach for smart devices | Ineffective against anomaly-based (unknown) attacks
Android-based DDoS detection [89] | Detection | Feature selection and Android Asset Packaging Tool (AAPT) | Very effective | Not stated
Stegabot detection [90, 91] | Detection | Image entropy | Effective in detecting stegabots in social media networks | Scalability is not supported
Ingress–egress filtering [93] | Prevention | Filtering malicious packets at upstream and downstream routers | Spoofed IP packets are easily identified | Ineffective against a legitimate-IP flood
Score-based filter [94] | Prevention | Assigning a score to incoming and outgoing packets | Success rate is 80% | High overhead and processing
Weight-fair throttle [95] | Prevention | Leaky bucket algorithm | Effective against all flooding attacks | Fails to prevent variable-rate DDoS traffic
S-Flow [97] | Prevention | SDN and DCN | Detection and prevention of attacks in early phases | Unreliable when attacks are launched from multiple SDN networks
Floodlight-based guard system [98] | Prevention | Anti-spoofing module | Suitable for SDN | Single point of failure is possible
Learning Automata [99] | Prevention | Service-Oriented Architecture of IoT | Optimized energy and computational resources | Unreliable false-positive as well as false-negative rate
Classifier DDoS system [101] | Prevention | Deep-learning classifiers | 94% accurate against simultaneous multiple attacks | Ineffective against spoofed IP addresses

5.5 Challenges and Research Directions


Though IoT supports and benefits multiple sectors, it also faces serious
challenges. This section addresses the critical security challenges in
the IoT environment so that new researchers in the domain can explore
them as a further step towards a secure IoT environment.

• Naming and identifying the objects in the IoT environment is a bit
complex. IPv4 was initially used to give IoT devices a unique address;
later it was replaced by IPv6 because of the growing demand for
addresses and the spoofing problems of IPv4. Further research is
necessary in benchmarking techniques for naming and identifying IoT
devices dynamically in the network.
• Trust and privacy management is the need of the hour for IoT. Its
scope is even broader than security because users hand their private or
personal information to IoT objects, so privacy must be fully ensured
for those who depend on IoT. Researchers have suggested a number of
strategies for trust and privacy, but problems remain; holistic trust
and privacy is therefore a top research priority.
• By one estimate, around 100 billion devices could be part of the IoT
by 2030. These objects collect and store an enormous amount of
information, and unless an efficient big-data processing mechanism
exists, managing that knowledge and its computation becomes a major
issue. Hence focus is needed in this dimension.
• Another issue in the IoT environment is authentication, followed by
authorization. The usual way of authenticating objects by username and
password is being replaced by access cards, retina scans, fingerprints
and voice recognition. Access to resources should be granted only to
authenticated objects. Much effort is required in this area because it
is the entry point of most attacks: attackers impersonate legitimate
objects in IoT and bring down the applications. Although research has
attempted solutions to the authentication and authorization problems in
IoT [103, 104], loopholes persist, so attention is needed on this path.
• The main reason for the threat-prone environment of any
Internet-based technology or network is that the focus is always on
functionality rather than security: manufacturers build IoT devices
with the emphasis on providing full-fledged services at the user end
without considering security.
• Just as security practitioners do, attackers are continuously
researching botnets and malware specific to IoT. DDoS-capable malware
has become especially popular from 2016 onward because of the dangerous
malware called "Mirai", which compromised around 500,000 IoT devices and
paved the way for the biggest DDoS attack of 1.2 Tbps [21, 22, 105]. It
is estimated that from 2012 to date attackers have developed three to
four new malwares that compromise IoT devices [6]. The details of these
malwares and their features are represented in Table 5.3. Hence it is
essential to develop techniques to nullify the impact of such malwares
on the IoT environment.

Table 5.3 DDoS-capable malwares.

Malware | DDoS architecture | Source code
Linux.Hydra | IRC-based | Open source
Psybot | IRC-based | Reverse engineered
Tsunami | IRC-based | Reverse engineered
Kaiten | IRC-based | Reverse engineered
Chuck Norris | IRC-based | Reverse engineered
Zendran | IRC-based | Open source
Aidra | IRC-based | Open source
Bashlite | Agent–Handler | Open source
Torlus | Agent–Handler | Open source
XOR.DDoS | Agent–Handler | Reverse engineered
Remaiten | IRC-based | Reverse engineered
Mirai | Agent–Handler | Open source

5.6 Conclusion
The impact of IoT in the coming years is unstoppable; this technology
will be the driving force that brings automation to the next level.
Meanwhile, security issues and loopholes are tightly bound up with IoT
architectures, and as a result dangerous attacks such as DDoS and
botnet-based attacks are causing havoc in well-developed IoT
applications. Unless they are dealt with by the needed research in
time, IoT becomes an "Internet of Threats". Motivated by this situation,
we have articulated the security loopholes in the layered architectures
of IoT. In particular, we have chosen Distributed Denial of Service
(DDoS) attacks and analyzed their menace over the IoT infrastructure
extensively, along with an up-to-date taxonomy. From the detailed survey
of existing solution mechanisms against DDoS over the IoT environment,
the general issues are identified and the critical challenges are sorted
out for further research. It is therefore an urgent requirement to
standardize the protocols underpinning the security of IoT so as to
create a robust, post-quantum IoT paradigm.

References
1. Internet Users. Available online: http://www.Internetlivestats.com/Internet-
users/ (accessed on 07 May 2020).
2. Global Internet Usage. Available online: https://www.en.wikipedia.org/wiki/
Global_Internet_usage/(accessed on 07 May 2017).
3. Oppitz, M. and Tomsu, P., Inventing the Cloud Century: How Cloudiness
Keeps Changing Our Life, Economy and Technology, Springer, Cham,
2017.
4. Hongbo, Z., Longxiang, Y., Qi, Z., Shi, J., Ubiquitous information service
networks and technology based on the convergence of communications,
computing and control. J. Commun. Inf. Netw., 1, 1, 98–110, 2016.
5. Yichuan, W., Yefei, Z., Xinhong, H., Wenjiang, J., Weigang, M., Game
strategies for distributed denial of service defense in the Cloud of Things.
J. Commun. Inf. Networks., 11, 44, 143–155, 2016.
6. Irina, B., Tanczer, L., Carr, M., Blackstock, J., Regulating IoT: Enabling or
Disabling the Capacity of the Internet of Things? Risk Regul., 33, 12–15,
August 2017. https://core.ac.uk/download/pdf/81675775.pdf

7. Zhang, C. and Green, R., Communication security in internet of thing:
Preventive measure and avoid DDoS attack over IoT network. Simul. Ser.,
47, 3, 8–15, 2015.
8. IoT devices prediction. Available online:
https://www.gartner.com/insights/ (accessed on 06 May 2020).
9. Bello, O., Zeadally, S., Badra, M., Network layer inter-operation of
Device-to-Device communication technologies in Internet of Things (IoT).
Ad. Hoc. Netw., 57.
10. Granjal, J. and Silva, J.S., Security for the Internet of Things : A Survey of
Existing Protocols and Open Research issues, IEEE communications on
Surveys and Tutorials, 2015.
11. Arias, O., Wurm, J., Hoang, K., Jin, Y., Privacy and Security in Internet of
Things and Wearable Devices. IEEE Trans. Multi-Scale Comput. Syst., 1,
2, 99–109, 2015.
12. Dragoni, N., Giaretta, A., Mazzara, M., The Internet of Hackable Things,
in: Proceedings of the 5th International Conference in Software
Engineering for Defense Applications (SEDA16), Advances in Intelligent
Systems and Computing, P. Ciancarini, S. Litvinov, A. Messina, A. Sillitti,
G. Succi (Eds.), Springer, 2017.
13. Yaqoob, I., Ahmed, E., Hashem, I.A.T. et al., Internet of Things
Architecture: Recent Advances, Taxonomy, Requirements, and Open
Challenges. IEEE Wirel. Commun., 24, 3, 10–16, 2017.
14. Hughes, D., Silent risk: new incarnations of longstanding threats. Netw.
Secur., 2016, 8, 17–20, 2016,
15. Shukla, S.K., Editorial: cyber security, IoT, block chains—risks and
opportunities. ACM Trans. Embed. Comput. Syst. (TECS), 16, 3, article 62,
1–2, 2017.
16. Goyal, R., Dragoni, N., Spognardi, A., Mind the tracker you wear - A
security analysis of wearable health trackers. Proc. ACM Symp. Appl. Comput.,
pp. 131–136, 4–8 April 2016.
17. Hoque, N., Bhattacharyya, D.K., Kalita, J.K., Botnet in DDoS Attacks: Trends
and Challenges. IEEE Commun. Surv. Tutor., 17, 4, 2242–2270, 2015.
18. Asosheh, A. and Ramezani, N., A comprehensive taxonomy of DDoS
attacks and defense mechanism applying in a smart classification. WSEAS
Trans. Comput., 7, 4, 281–290, 2008.
19. York, K., Dyn statement on 10/21/2016 DDoS attack, Dyn Blog, 2016.
http:// dyn.com/blog/dyn-statement-on-10212016-ddosattack/.
20. Hilton, S., Dyn analysis summary of friday october 21 attack, Dyn Blog, 2016.
http://dyn.com/blog/dyn analysis-summary-offriday-october-21-attack/.
21. Angrishi, K., Turning Internet of Things(IoT) into Internet of
Vulnerabilities (IoV): IoT Botnets. Published online 2017:1-17.
http://arxiv.org/ abs/1702.03681.
22. Klaba, O., OVH suffers 1.1 Tbps DDoS attack, in: Tech. Rep., SC
Magazine, 2016.

23. Koshizuka, N. and Sakamura, K., Ubiquitous ID: Standards for ubiquitous
computing and the internet of things. IEEE Pervasive Comput., 9, 4, 98–
101, 2010.
24. McDermott-Wells, P., What is Bluetooth? IEEE Potentials, 23, 5, 33–35, 2005.
25. Want, R., An introduction to RFID technology. IEEE Pervasive Comput., 5, 1,
25–33, 2006.
26. Crosby, G.V. and Vafa, F., Wireless sensor networks and LTE-A network
convergence. Proc. Conf. Local Comput. Networks (LCN) 2013, pp. 731–734,
October 2013.
27. Want, R., Near field communication. IEEE Pervasive Comput., 10, 3, 4–7,
2011.
28. Levis P. et al. (2005) TinyOS: An Operating System for Sensor Networks.
In: Weber W., Rabaey J.M., Aarts E. (eds), Ambient Intell., Springer,
Berlin, Heidelberg. https://doi.org/10.1007/3-540-27139-2_7.
29. Cao, Q., Abdelzaher, T., Stankovic, J., He, T., The LiteOS operating
system: Towards Unix-like abstractions for wireless sensor networks. Proc.
- 2008 Int. Conf. Inf. Process Sens. Networks, IPSN 2008, pp. 233–244,
Published online 2008.
30. Xing, X.J., Wang, J.L., Li, M.D., Services and key technologies of the
Internet of Things. ZTE Commun., 8, 2, 2010.
31. Gigli, M. and Koo, S., Internet of Things: Services and Applications
Categorization. Adv. Internet Things, 01, 02, 27–31, 2011.
32. Mashal, I., Alsaryrah, O., Chung, T.Y., Yang, C.Z., Kuo, W.H., Agrawal,
D.P., Choices for interaction with things on Internet and underlying issues.
Ad. Hoc. Netw., 28, 68–90, 2015.
33. Mashal, I., Alsaryrah, O., Chung, T.Y., Yang, C.Z., Kuo, W.H., Agrawal,
D.P., Choices for interaction with things on Internet and underlying issues.
Ad. Hoc. Netw., 28, 68–90, 2015.
34. Said, O. and Masud, M., Towards internet of things: Survey and future
vision. Int. J. Comput. Netw., 5, 1, 1–17, 2013. http://www.cscjournals.org/
csc/manuscript/Journals/IJCN/volume5/Issue1/IJCN-265.pdf.
35. Simpson, A.K., Roesner, F., Kohno, T., Securing vulnerable home IoT devices
with an in-hub security manager. 2017 IEEE Int. Conf. Pervasive Comput.
Commun. Work PerCom Work 2017, pp. 551–556, 2017;(PerLS).
36. Darwish, D.G. and Square, E., Improved Layered Architecture for Internet
of Things. Int. J. Comput. Acad. Res., 4, 4, 214–223, 2015.
http://www.meacse. org/ijcar.
37. Madakam, S., Ramaswamy, R., Tripathi, S., Internet of Things (IoT): A
Literature Review. J. Comput. Commun., 03, 05, 164–173, 2015.
38. Khan, R., Khan, S.U., Zaheer, R., Khan, S., Future internet: The internet of
things architecture, possible applications and key challenges. Proc - 10th
Int. Conf. Front Inf. Technol. FIT 2012, 2012, pp. 257–260, April 2017.
39. Sethi, P. and Sarangi, S.R., Internet of Things: Architectures, Protocols,
and Applications. J. Electr. Comput. Eng., 2017, 9324035, 25, 2017.

40. Vivekananda Bharathi, M., Tanguturi, R.C., Jayakumar, C., Selvamani, K., Node capture attack in Wireless Sensor Network: A survey. IEEE Int. Conf. Comput. Intell. Comput. Res. (ICCIC 2012), 2012.
41. Puthal, D., Nepal, S., Ranjan, R., Chen, J., Threats to Networking Cloud and Edge Datacenters in the Internet of Things. IEEE Cloud Comput., 3, 3, 64–71, 2016, doi: 10.1109/MCC.2016.63.
42. Brumley, D. and Boneh, D., Remote timing attacks are practical. Comput. Netw., 48, 5, 701–716, 2005.
43. Sonar, K. and Upadhyay, H., A Survey: DDoS Attack on Internet of Things. 10, 11, 58–63, 2014.
44. Nguyen, A.T., Mokdad, L., Ben-Othman, J., Solution of detecting jamming attacks in vehicle ad hoc networks. Proc. 16th ACM Int. Conf. Model. Anal. Simul. Wirel. Mob. Syst. (MSWiM 2013), pp. 405–410, 2013.
45. Thakur, N., Introduction to Jamming Attacks and Prevention Techniques using Honeypots in Wireless Networks. IRACST Int. J. Comput. Sci. Inf. Technol. Secur., 3, 2, 2013 (ISSN 2249-9555).
46. Ahmadian, Z., Salmasizadeh, M., Aref, M.R., Desynchronization attack on RAPP ultralightweight authentication protocol. Inf. Process. Lett., 113, 7, 205–209, 2013.
47. Prabhakar, S., Network Security in Digitalization: Attacks and Defence. Int. J. Res. Comput. Appl. Rob., 5, 5, 46–52, 2017. http://www.ijrcar.com/Volume_5_Issue_5/v5i512.pdf.
48. Exploit Attack in Network Layer. Available online: http://searchsecurity.techtarget.com/definition/exploit/ (accessed on 07 May 2020).
49. Conti, M., Dragoni, N., Lesyk, V., A Survey of Man in the Middle Attacks. IEEE Commun. Surv. Tutor., 18, 3, 2027–2051, 2016.
50. Gupta, S. and Gupta, B.B., Cross-Site Scripting (XSS) attacks and defense mechanisms: classification and state-of-the-art. Int. J. Syst. Assur. Eng. Manage., 8, 512–530, 2017.
51. Sanzgiri, A. and Dasgupta, D., Classification of insider threat detection techniques. Proc. 11th Annu. Cyber Inf. Secur. Res. Conf. (CISRC 2016), 5–8, 2016.
52. Nurse, J.R.C., Erola, A., Agrafiotis, I., Goldsmith, M., Creese, S., Smart Insiders: Exploring the Threat from Insiders Using the Internet-of-Things. Proc. 2015 Int. Workshop Secur. Internet Things (SIoT 2015), pp. 5–14, 2016.
53. Canzanese, R., Kam, M., Mancoridis, S., Toward an automatic, online behavioral Malware classification system. Int. Conf. Self-Adaptive Self-Organizing Syst. (SASO), pp. 111–120, 2013.
54. Bilge, L. and Dumitras, T., Before we knew it: An empirical study of zero-day attacks in the real world. Proc. ACM Conf. Comput. Commun. Secur. 2012, pp. 833–844, October 2012.
55. Kaur, R. and Singh, M., A survey on zero-day polymorphic worm detection techniques. IEEE Commun. Surv. Tutor., 16, 3, 1520–1549, 2014.
Security Issues and DDoS Attacks over IoT 119

56. Rajarajan, G. and Ganesan, L., A decoy framework to protect server from wireless network worms. Wirel. Pers. Commun., 94, 4, 1965–1978, 2017.
57. Dragoni, N., Massacci, F., Saidane, A., A self-protecting and self-healing framework for negotiating services and trust in autonomic communication systems. Comput. Netw., 53, 10, 1628–1648, 2009.
58. Mirkovic, J. and Reiher, P., A taxonomy of DDoS attack and DDoS defense mechanisms. Comput. Commun. Rev., 34, 2, 39–53, 2004.
59. Douligeris, C. and Mitrokotsa, A., DDoS attacks and defense mechanisms: Classification and state-of-the-art. Comput. Netw., 44, 5, 643–666, 2004.
60. Tariq, U., Hong, M.P., Lhee, K.S., A comprehensive categorization of DDoS attack and DDoS defense techniques. Lect. Notes Comput. Sci. (LNAI), 4093, 1025–1036, 2006.
61. Hussain, A., Heidemann, J., Papadopoulos, C., A Framework for Classifying Denial of Service Attacks. Comput. Commun. Rev., 33, 4, 99–110, 2003.
62. Alomari, E., Manickam, S., Gupta, B.B., Karuppayah, S., Alfaris, R., Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art. Int. J. Comput. Appl., 49, 7, 24–32, 2012.
63. Specht, S.M. and Lee, R.B., Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures. Int. Workshop Secur. Parallel Distrib. Syst., 9, 543–550, 2004.
64. RioRey Inc., Taxonomy of DDoS Attacks, 2014. https://www.servermania.com/gallery/resources/RioRey Taxonomy DDoS Attacks 2.6 2014.pdf.
65. Kumar, K., Joshi, R.C., Singh, K., An Integrated Approach for Defending Against Distributed Denial-of-Service (DDoS) Attacks. IRISS, 1–6, 2006.
66. Singh, E.G. and Gupta, E.M., Distributed denial-of-service. International Journal of Computer and Electrical Engineering (IJCEE), 2, 2, 268–276, 2010.
67. Paxson, V., An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev., 31, 3, 38–47, 2001.
68. Gibson, S., DRDoS: Description and Analysis of a Potent, Increasingly Prevalent, and Worrisome Internet Attack. Gibson Research Corporation, 2002.
69. Sharafaldin, I., Lashkari, A.H., Hakak, S., Ghorbani, A.A., Developing Realistic Distributed Denial of Service (DDoS) Attack Dataset and Taxonomy, in: 2019 International Carnahan Conference on Security Technology (ICCST), pp. 1–8, 2019.
70. Chang, R., Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial. IEEE Commun. Mag., 40, 10, 42–51, October 2002.
71. Zargar, S.T., Joshi, J., Tipper, D., A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor., 15, 4, 2046–2069, 2013.
72. Ranjan, S., Swaminathan, R., Uysal, M., Knightly, E., DDoS-resilient scheduling to counter application layer attacks under imperfect detection. Proc. IEEE INFOCOM, pp. 1–13, 2006.
73. Arbor Networks, The growing threat of application-layer DDoS attacks. Tech. Rep., 2011. https://dsimg.ubm-us.net/envelope/126712/324232/1298913706623_AB_ALDDoS_EN_LGQ1.pdf.
74. Gupta, B.B., Joshi, R.C., Misra, M., Defending against distributed denial of service attacks: Issues and challenges. Inf. Secur. J., 18, 5, 224–247, 2009.
75. Taking charge of the IoT's security vulnerabilities (White Paper), 2017.
76. Cao, C., Guan, L., Liu, P., Gao, N., Lin, J., Xiang, J., Hey, you, keep away from my device: remotely implanting a virus expeller to defeat Mirai on IoT devices. arXiv preprint, pp. 1–15, 2017. http://arxiv.org/abs/1706.05779.
77. Sood, A.K., Zeadally, S., Bansal, R., Cybercrime at a scale: A practical study of deployments of HTTP-based botnet command and control panels. IEEE Commun. Mag., 55, 7, 22–28, 2017.
78. Darwish, A., El-Gendy, M.M., Hassanien, A.E., A new hybrid cryptosystem for Internet of Things applications, in: Multimedia Forensics and Security, vol. 115, pp. 365–380, 2016.
79. Gupta, A. and Gupta, B., Honeynettrap: Framework to detect and mitigate DDoS attacks using heterogeneous honeynet, in: 2017 International Conference on Communication and Signal Processing (ICCSP), IEEE, pp. 1906–1911, 2017.
80. Weiler, N., Honeypots for distributed denial-of-service attacks, pp. 109–114, ISBN 0-7695-1748-X, 2002.
81. Alharbi, S., Rodriguez, P., Maharaja, R., Iyer, P., Bose, N., Ye, Z., FOCUS: A fog computing-based security system for the Internet of Things, in: 2018 15th IEEE Annual Consumer Communications & Networking Conference (CCNC), pp. 1–5, 2018.
82. Hodo, E. et al., Threat analysis of IoT networks using artificial neural network intrusion detection system. 2016 International Symposium on Networks, Computers and Communications (ISNCC), pp. 1–6, 2016.
83. Toklu, S. and Simsek, M., Two-layer approach for mixed high-rate and low-rate distributed denial of service (DDoS) attack detection and filtering. Arab. J. Sci. Eng., 43, 12, 7923–7931, 2018.
84. da Silva Cardoso, A.M., Lopes, R.F., Magalhaes, F.B.V., Real-time DDoS detection based on complex event processing for IoT, in: 2018 IEEE/ACM Third International Conference on Internet-of-Things Design and Implementation (IoTDI), IEEE, pp. 273–274, 2018.
85. Kwon, J., Lee, J., Lee, H., Perrig, A., PsyBoG: A scalable botnet detection method for large-scale DNS traffic. Comput. Netw., 97, 48–73, 2016.
86. Al-Jarrah, O.Y., Alhussein, O., Yoo, P.D., Muhaidat, S., Taha, K., Kim, K., Data Randomization and Cluster-Based Partitioning for Botnet Intrusion Detection. IEEE Trans. Cybern., 46, 8, 1796–1806, 2016.
87. Dietz, C., Sperotto, A., Dreo, G. et al., How to Achieve Early Botnet Detection at the Provider Level? 10th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS), pp. 142–146, Munich, Germany, June 2016.
88. Alzahrani, A.J. and Ghorbani, A.A., SMS mobile botnet detection using a multi-agent system: Research in progress. ACM Int. Conf. Proceeding Ser., 2014.
89. Kirubavathi, G. and Anitha, R., Structural analysis and detection of android botnets using machine learning techniques. Int. J. Inf. Secur., 17, 2, 153–167, 2018.
90. Natarajan, V., Sheen, S., Anitha, R., Detection of StegoBot: A covert social network botnet. ACM Int. Conf. Proceeding Ser., pp. 36–41, 2012.
91. Venkatachalam, N. and Anitha, R., A multi-feature approach to detect Stegobot: a covert multimedia social network botnet. Multimed. Tools Appl., 76, 4, 6079–6096, 2017.
92. Han, F., Xu, L., Yu, X., Tari, Z., Feng, Y., Hu, J., Sliding-mode observers for real-time DDoS detection. Proc. 2016 IEEE 11th Conf. Ind. Electron. Appl. (ICIEA 2016), pp. 825–830, 2016.
93. Ferguson, P. and Senie, D., Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2827 (BCP 38), 2000.
94. Lee, Y., Lee, W., Shin, G., Kim, K., Assessing the impact of DoS attacks on IoT gateway, in: Advanced Multimedia and Ubiquitous Engineering, pp. 252–257, Springer, 2017.
95. Wisthoff, M., DDoS countermeasures, in: Information Technology - New Generations, pp. 915–919, Springer, 2018.
96. Keromytis, A.D., Misra, V., Rubenstein, D., SOS: secure overlay services, in: Proceedings of the 2002 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '02), Association for Computing Machinery, New York, NY, USA, pp. 61–72, 2002.
97. Lu, Y. and Wang, M., An easy defense mechanism against botnet-based DDoS flooding attack originated in SDN environment using sFlow. ACM Int. Conf. Proceeding Ser., pp. 14–20, 2016.
98. Liu, J., Lai, Y., Zhang, S., FL-GUARD: A detection and defense system for DDoS attack in SDN. ACM Int. Conf. Proceeding Ser., pp. 107–111, 2017.
99. Misra, S., Venkata Krishna, P., Agarwal, H., Saxena, A., Obaidat, M.S., A learning automata based solution for preventing distributed denial of service in internet of things. Proc. 2011 IEEE Int. Conf. Internet Things and Cyber, Phys. Soc. Comput. (iThings/CPSCom 2011), pp. 114–122, 2011.
100. Sardana, A. and Joshi, R., An auto-responsive honeypot architecture for dynamic resource allocation and QoS adaptation in DDoS attacked networks. Comput. Commun., 32, 12, 1384–1399, 2009.
101. Sahi, A., Lai, D., Li, Y., Diykh, M., An Efficient DDoS TCP Flood Attack Detection and Prevention System in a Cloud Environment. IEEE Access, 5, 6036–6048, 2017.
102. Kamboj, P., Trivedi, M.C., Yadav, V.K., Singh, V.K., Detection techniques of DDoS attacks: A survey, in: 2017 4th IEEE Uttar Pradesh Section International Conference on Electrical, Computer and Electronics (UPCON), IEEE, pp. 675–679, 2017.
103. Shang, W., Ding, Q., Marianantoni, A., Burke, J., Zhang, L., Securing building management systems using named data networking. IEEE Netw., 28, 3, 50–56, 2014.
104. Liu, J., Xiao, Y., Chen, C.L.P., Authentication and access control in the Internet of things. Proc. 32nd IEEE Int. Conf. Distrib. Comput. Syst. Workshops (ICDCSW 2012), pp. 588–592, 2012.
105. Millman, R., KrebsOnSecurity hit with record DDoS, KrebsOnSecurity blog, 2016. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/.
