Cyber attacks are a chronic problem on today's Internet. Any attack that aims to disrupt the smooth running of a service in any way is a Denial of Service (DoS) attack. If such an attack involves many machines attacking at the same time (usually tens of thousands), it is called a distributed attack, DDoS for short.
The target of a DDoS attack is a specific machine, device, service, or even the whole infrastructure of an institution. A successful attack disrupts the normal operation of a service or network and causes damage to the owner, which is quantifiable according to the nature of the system. There are different ways to carry out a DDoS attack. Next, the basic types of DDoS attacks used in the case study are described. The ability of users to use IoT sensors during such attacks was tested, and DDoS attack performance was examined in real time under various scenarios.
During TCP connection establishment in the classic client–server model, the server first receives a SYN (synchronize) packet from a client. The server then allocates resources for this half-open TCP connection and sends a SYN-ACK packet back to the client. Because server resources are limited, if clients never send the final ACK (acknowledgment) packet and a large number of SYN packets arrive from many malicious clients, the resources available on the server can be exhausted and the server can no longer accept any new clients (Figure 2). This form of DDoS attack is called a SYN flood [25].
Figure 2. SYN flood Distributed Denial of Service (DDoS) attack.
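As an added illustration that is not part of the paper, the following Python replay models the server's half-open table described above: each accepted SYN occupies one of a limited number of backlog slots until the client's ACK arrives or a timeout reaps it, so sources that never ACK crowd out legitimate clients. The backlog size, timeout, addresses and trace are all constructed values, and the detection heuristic (share of unanswered SYN-ACKs plus refused SYNs) is a simple defender-side check, not a method from the paper.

```python
from collections import OrderedDict
from dataclasses import dataclass

BACKLOG = 4          # constructed: half-open connections the server can hold
SYN_TIMEOUT = 3.0    # constructed: seconds before an unanswered SYN-ACK is discarded

@dataclass
class Stats:
    accepted: int = 0      # SYNs that got a half-open slot (server sent SYN-ACK)
    completed: int = 0     # handshakes finished by the client's ACK
    dropped_full: int = 0  # SYNs refused because the backlog was full
    expired: int = 0       # half-open entries reaped after SYN_TIMEOUT

def simulate(events, backlog=BACKLOG, timeout=SYN_TIMEOUT):
    """Replay (time, source, kind) events, kind in {"SYN", "ACK"}, against a
    server that keeps at most `backlog` half-open connections."""
    half_open = OrderedDict()          # source -> time the SYN-ACK was sent
    st = Stats()
    for t, src, kind in events:
        for s, t0 in list(half_open.items()):   # reap timed-out entries first
            if t - t0 > timeout:
                del half_open[s]
                st.expired += 1
        if kind == "SYN":
            if src in half_open:                # retransmitted SYN, no new slot
                continue
            if len(half_open) >= backlog:
                st.dropped_full += 1            # this is what legitimate clients feel
                continue
            half_open[src] = t
            st.accepted += 1
        elif kind == "ACK" and src in half_open:
            del half_open[src]
            st.completed += 1
    return st

def looks_like_syn_flood(st, max_unanswered=0.5):
    """Detection heuristic: many SYN-ACKs never answered, or SYNs being refused."""
    if st.accepted == 0:
        return False
    unanswered = st.accepted - st.completed
    return unanswered / st.accepted > max_unanswered or st.dropped_full > 0

# Constructed trace: one legitimate client completes its handshake, six sources
# never ACK, then a second legitimate client is refused until the entries time out.
TRACE = [(0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK")]
TRACE += [(1.0 + 0.1 * i, f"198.51.100.{i + 1}", "SYN") for i in range(6)]
TRACE += [(2.0, "10.0.0.6", "SYN"), (5.0, "10.0.0.6", "SYN"), (5.1, "10.0.0.6", "ACK")]
BENIGN = TRACE[:2]   # the legitimate handshake alone, for comparison
```

Running `simulate(TRACE)` shows four slots filled by sources that never answer, three SYNs refused (two spoofed, one legitimate), and the legitimate client only getting through after the timeout reaps the stale entries.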
An HTTP GET flood is one of the most common application-layer DDoS attacks. During an HTTP GET flood, the attacker uses legitimate-looking IP addresses that appear to be authentic sources, so the web server receives and processes the HTTP GET requests continuously. If a large number of requests are sent, the web server is overwhelmed and cannot process any further HTTP GET requests (Figure 3). A detection scheme based on identifying spoofed IP addresses or on blacklisting IP addresses is not fully successful [26].
Figure 3. HTTP GET flood DDoS attack.
An SSL/TLS flood, or SSL/TLS DDoS attack, exploits the computing power the server must expend when establishing a secure TLS connection. The attacker pushes the server's resources beyond their limits and stalls it during TLS negotiation by sending a large amount of garbage data or by constantly asking to renegotiate the connection. An SSL/TLS flood mainly consumes the web server's CPU resources (Figure 4). Mitigating the attack is not easy because establishing an SSL/TLS connection legitimately requires a lot of resources and the attacker's requests appear to be legitimate [27].
Figure 4. SSL/TLS flood DDoS attack.