http://ijece.iaescore.com Distributed reflection denial of service attack: A critical

Info 2021 As the world becomes increasingly connected and the number of users grows exponentially and “things” go online, the prospect of cyberspace becoming a significant target for cybercriminals is a reality. Any host or device that is exposed on the internet is a prime target for cyberattacks. A denial-of-service (DoS) attack is accountable for the majority of these cyberattacks. Although various solutions have been proposed by researchers to mitigate this issue, cybercriminals always adapt their attack approach to circumvent countermeasures. One of the modified DoS attacks is known as distributed reflection denial-of-service attack (DRDoS). This type of attack is considered to be a more severe variant of the DoS attack and can be conducted in transmission control protocol (TCP) and user datagram protocol (UDP). However, this attack is not effective in the TCP protocol due to the three-way handshake approach that prevents this type of attack from passing through the network layer to the upper layers in the network stack. On the other hand, UDP is a connectionless protocol, so most of these DRDoS attacks pass through UDP. This study aims to examine and identify the differences between TCP-based and UDP-based DRDoS


INTRODUCTION
The phenomenal growth of internet use over the past decade illustrates the increasing social importance of the internet. This growth proves that the internet is not only a valuable tool for researchers but also a major part of the infrastructure of global society. It can be attributed to changes in the traditional ways of doing business, which now allow all transactions to be conducted over the internet. Governments use the internet to provide their citizens and the world at large with information and governmental services. The internet enables companies to share and exchange information among their divisions, suppliers, partners, and customers to increase operational efficiency [1]. Research and educational institutions depend on the internet as a medium for collaboration to enhance their research discoveries.
If we look back to 1995, when the internet came into use by the global population, and follow the growth curve up to 2020 [2], the percentage of users jumps dramatically, as Figure 1 shows. Amid this increase in the number of internet users [3], security challenges have started to grow [4]; internet penetration increased from 24% to 51% over the 2009-2018 period. Service providers want to offer services to customers in the best and most secure way, so they secure the service side by addressing vulnerabilities there. However, this task is nearly impossible to

risk on network resources and propose possible solutions to minimize or reduce losses of the assets. Each report is represented as Q with numbers from 1 to 4 depending on its sequence in the report.

Paper organization: the remaining sections of this paper are organized as follows. Section 2 gives a brief history of DDoS attacks and shows the attack trends of the last 10 years; Sections 3 and 4 describe the mechanism of the DRDoS attack and classify these attacks, respectively; Section 5 concludes the work.

A BRIEF HISTORY OF DDOS ATTACKS
DoS attacks date back to the late 1980s. Launching such attacks required technical skills and was performed using powerful computer resources. In the early 1990s, DoS attacks were performed using automated tools that compromised the computing resources of a vulnerable machine. Such tools have made it easy to attack any target. Consequently, DoS attacks increased in the early 2000s, when businesses moved to embrace the internet and the websites of countless companies, including Microsoft and Amazon, suffered distributed denial of service (DDoS) attacks. DDoS attacks use more than one machine to launch DoS attacks in a coordinated manner.
DDoS attacks are often performed using automated tools delivered through malware (Trojans or worms) that carry DoS payloads. Once a computer is compromised by the malware, the infected machine initiates an attack on the defined target at a specific time. When multiple infected machines attack the target, the magnitude of the attack increases considerably [8], [9].
Recent DDoS attacks give the attacker more control over the compromised machines. Instead of infecting the machine with malware that performs one specific task, a new generation of malware has been developed in the form of backdoors or bots. Bots give attackers complete control over the computers, so they can issue commands to the infected systems to coordinate and launch DDoS attacks [10]-[12]. A group of infected machines is usually networked together to muster strength for launching attacks; such a network of bots is called a botnet. Since the mid-2000s, DDoS attacks originating from botnets have grown in magnitude and effectiveness as attackers use refined techniques to take control of computers and initiate more powerful attacks, as shown in Figure 3. Since then, botnets have become one of the most significant threats to the internet, especially to web-based business transactions. DDoS attacks aim to interrupt the supply of services by crippling the network and storage capacity available to authorized users [13]-[15].

The main challenge in network security is how to ensure safety from attacks; several types of attacks prevent legitimate users from using the services provided to them, and these are called DDoS attacks. Attackers update their methods to intensify the damage on the victim side. Several years ago, attackers produced an upgraded version of the DDoS attack with enormous destructive power and a new attack mechanism: the distributed reflection denial-of-service (DRDoS) attack. Traditional defense techniques are helpless against these attacks. Researchers have proposed several new methods to detect or mitigate them. These techniques are built around factors such as the number of hosts in the network, the architecture and speed of the network, and others. Each method has advantages and disadvantages.
Some organizations or companies want to install defense methods themselves, but others may want them installed on the network side to minimize costs. Data traffic comes in two forms, packet traffic or flow traffic, and the form of the traffic and its features influence the design of the defense method. Defense methods based on packet traffic are used in low-speed networks and focus on one or more of the following features: packet filtering, packet similarity, packet size, packets per unit time, response packet size, and others. Methods based on flow traffic are appropriate when a large amount of traffic is transmitted through a high-speed network.

MECHANISM OF DRDOS ATTACK
The DRDoS attack differs from its predecessor, the DDoS attack, in that it extends the DDoS attack with IP spoofing, which makes the attack more complex. This renders existing DDoS detection and mitigation techniques ineffective against DRDoS attacks. A distributed reflection DoS attack consists of two phases: IP spoofing, which hides the attacker behind a reflector, and amplification, which maximizes the size of the responses relative to the request size [16]-[18]. The main feature that distinguishes the DRDoS attack from the DDoS attack is that the attacker does not assault the destination directly but sends request packets through a go-between, an exploitable "reflector", while spoofing the sender's IP address [19].
Figure 4 shows the mechanism of an amplification attack in the following steps. First, the attacker performs IP spoofing: the bots send spoofed request packets, whose source address is set to the victim's address, to the reflectors. The reflectors then respond to the requests with reply packets and, behaving normally, send them to the victim. As a result, the victim is crushed by the reflected reply packets [20]. To make the attack strong and hard to detect, the attacker uses IP spoofing not only to hide their identity but also for the reason mentioned at the beginning of this section [21]; these techniques, combined with the reflector, are what distinguish the DRDoS attack from the other types of attack. The first component is the reflector, a legitimate host or set of hosts that the attacker uses to flood the victim network or web server by having slaves spoof the victim's address [22], [23]. The second component is the amplifier (amplification), a third party used to considerably increase the volume of traffic reflected toward the victim [24]. Amplification attacks pose a serious challenge to network security because they hide the attacker and amplify the traffic [20]. In some protocols the reply packet is much larger than the request packet; by abusing this property, attackers can generate a large volume of traffic [25] from a relatively small one. Servers abused in this way are called amplifiers [26].

CLASSIFICATION OF DRDOS ATTACKS
DRDoS attacks can be classified into two kinds depending on the transport-layer protocol used, as shown in Figure 5. The attacking nodes create many requests in which the source IP address is replaced by the IP address of the targeted host. These requests are sent to servers or other devices that can be used to reflect network traffic, and the responses to them are sent to the target node. The reflection process makes finding the true source of the attack more difficult [27].
In this study, TCP-based DRDoS attacks are those found in SYN and BGP, whereas UDP-based DRDoS attacks [28] are those found in DNS, NTP, SNMP, and SSDP. DRDoS attackers prefer UDP over TCP because TCP/IP uses the three-way handshake to check the legitimacy of the traffic, so amplification is not possible: the packet size is not amplified because this type of attack cannot pass through the TCP/IP handshake, and even if it does, its effect is minimal compared with an attack in which amplification occurs. Figure 6 shows the most common DRDoS attack classes for both the TCP and UDP protocols.
Increasingly rampant DDoS attacks, particularly UDP-based DRDoS attacks, have become a global problem [29], [30]. DRDoS attacks that rely on UDP reflection and amplification can produce hundreds of gigabits per second of attack traffic and have become a major threat to internet safety [31]. These attacks abuse UDP-based network protocols that send a response larger than the request. Many studies have also shown that the bandwidth amplification of UDP-based DRDoS attacks can expand traffic by a factor of 500 [32], [33].

DRDoS attacks based on TCP protocol
Many researchers have worked to improve the border gateway protocol (BGP) and enhance it with various techniques to detect or mitigate attacks, especially DRDoS attacks. Thus, in this research area, we aim to shed light on the techniques used to detect and mitigate DRDoS attacks on the BGP protocol. TCP-based DRDoS attacks have been studied, but they only occur during the connection establishment step because of the three-way handshake procedure and have no major amplification impact [31]. The TCP-based protocols, such as FTP and Telnet, have the highest number of amplifiers, as shown by data from scanning random IP addresses for the popular protocols [34]. In Table 1, the authors review the strengths and weaknesses of each research paper discussed as well as the methods that were used.
Li et al. [35] present a new kind of HTTP amplification attack called the range-based amplification (RangeAmp) attack. Two types of RangeAmp attack are presented, which let attackers exploit vulnerabilities in Range implementations and defeat the DDoS protection of CDNs: the small byte range (SBR) attack and the overlapping byte range (OBR) attack. With these attacks, not only the outgoing bandwidth of origin servers deployed behind CDNs but also the bandwidth of CDN proxy nodes can be massively depleted. The mitigation mechanism has three sides: server-side, CDN-side, and protocol-side. On the server side, a local DoS defense is enforced; however, attack requests are indistinguishable from harmless ones and arrive from widely distributed CDN nodes, so it is difficult for the origin server to protect itself without disrupting normal service. On the CDN side, the handling of range requests is modified: based on the characteristics of RangeAmp attacks, CDNs can detect and intercept malicious range requests, but the important step is to improve the Range header handling policy. The SBR attack is triggered by the deletion policy and the expansion policy, so CDNs could adopt the laziness strategy to fully protect against it, although this also prevents CDNs from benefiting from range requests. A safer approach is to follow the extension strategy without expanding the byte range too far. On the protocol side, the RFC should be revised to be well-defined and security-aware, since RangeAmp risks are basically caused by vague definitions and inadequate security considerations in the specifications; the authors state that they will continue to address this threat on the mailing list of the HTTP working group.
They believe that in a future updated RFC, particularly for HTTP middle-boxes like CDNs, a more precise limit on the Range header should be specified.
Miller and Pelsser [36] try to classify the attacks that happen in BGP and use the blackholing technique in BGP to mitigate DDoS attacks. An autonomous system (AS) is a part of the internet consisting of one or more networks controlled by a single entity. However, BGP is a routing protocol with little authentication of the path source and little checking of path validity: ASes can announce illegitimate paths for prefixes they do not own and draw part or all of the traffic to those prefixes. Backes et al. [37] proposed a solution based on the idea that the attacker cannot guess or manipulate the number of hops between the amplifier and the victim. The hop-count filtering (HCF) technique analyzes the time-to-live (TTL) of incoming packets. The authors examine the assumption that the attacker cannot discover the valid TTL value. Using a mixture of BGP data and traceroute data, they construct analytical models that check whether the TTL lies within a threshold value. The drawback of the technique is that the attacker can likewise use a mixture of BGP and traceroute data to construct analytical models of the threshold TTL value for the victim.
Lu et al. [38] proposed a new mechanism that relies on SYN/ACK reflection in the TCP protocol. This mechanism can detect the evil twin attack (ETA) in WLANs. It consists of three stages: target access point (AP) set selection, a reflection component, and a judgment component. The first stage searches for APs and then selects two or more that have an identical SSID; these selected APs are the input to the next stage. The second stage is the most important and is the core of the new mechanism: it probes the structural link between the target APs through the TCP handshake, using the request-reply reflection of SYN/ACK packets. To start the mechanism, two cooperating WNICs on the client side individually begin the TCP handshake and observe the expected SYN/ACK packets in both directions. The result of this observation is the input to the next stage, which performs the final ETA confirmation. The mechanism is called bi-directional SYN reflection because it employs reflection in the second stage. The last stage decides whether an ETA is present and distinguishes the different ETA models depending on the outcome of the bi-directional SYN reflection achieved by the second stage. This stage classifies the network environment into three states: a safe network, an unsafe network with a series ETA, and an unsafe network with a parallel ETA.

DRDoS based on UDP protocol
An attacker who plans to launch a DRDoS attack exploits the UDP protocol because UDP's properties sometimes enable the abuse of vulnerabilities in the protocols built on it. DRDoS attackers exploit the policy and rules of UDP communication, especially those that lead to responses larger than the requests, and use these points to launch their attack [16]. In Table 2, the authors review the strengths and weaknesses of each research paper discussed as well as the methods that were used.
UDP provides many services through protocols that use it as a transport protocol, and its policy does not verify the source IP address when responding to a request; thus, many servers, called "reflectors" because of this behaviour, can be abused [26]. The UDP protocol allows reflection and amplification of responses, which can produce hundreds or thousands of gigabits per second of attack traffic, so DRDoS attacks have become a serious threat to internet security [31]. The huge amplified UDP traffic is directed by the attacker at the target to flood the victim's bandwidth; P2P networks may be used to store the agents' attack data before the attack takes place [39].
Gao et al. [16] suggested a new approach to detecting DRDoS attacks. When many packets appear in a short time and these packets carry only an IP header without a TCP or UDP header portion, the result is a huge quantity of large UDP packets. The amplification used in the DRDoS attack makes the response much larger than the request, beyond the normal response size. The packet amplification factor in a DRDoS attack is larger than the bandwidth amplification factor when measured over the total number of packets sent to the destination in the period.
This behavior makes it difficult to discover the attack from the total UDP packet volume alone. When only one protocol is used to launch the DRDoS attack, only one port is used, all packets pass through that port, and the traffic generated is maximal. The system consists of three parts: implementation, feature calculation, and detection. Each part involves collecting the data, focusing on the state of the packets and the influx in the extracted feature volume. Detection is based on a timer that decides whether an attack has occurred or not.
Wei et al. [17] suggested an algorithm called rank correlation-based detection (RCD), which considers two scenarios, each with one attacker and many reflectors. In both, the attacker sends forged requests to the reflectors, randomly, at a steady rate (e.g., the leftover bandwidth) in the first scenario and at a low but changing rate in the second. The alarm is raised 10 seconds after the attack starts. A threshold is used to distinguish the packet rate of the attacking streams from that of the legitimate streams; the authors found that the two correlation types can be distinguished over a wide range of attack packet rates, and that both false negatives and false positives can be kept low. Once suspicious streams are discovered, RCD computes the rank correlation between pairs of streams and issues a critical warning depending on the preset threshold.
Huang et al. [29] suggested a new solution called "increasing expenses and weak authentication" (IEWA) to protect the UDP-based NTP protocol from DRDoS attacks. The method considers several costs: communication overhead, server storage cost, client storage cost, server computation cost, and client computation cost. The monlist command of the NTP protocol can be abused by an attacker when it is enabled, because it returns the IP addresses of the last 600 clients. The proposed IEWA method is a strategy that combines growing expenses with weak authentication.
The steady-state probability of the system increases from 0.93 to 0.98 when IEWA is used. Two scenarios are assumed: in the first the number of client requests is not restricted, and in the second it is restricted, even though the client makes endless service requests that do not appear as a DoS attack. In this situation, the IEWA strategy is resistant to both DRDoS and DoS attacks.
Traditional or classical attack detection techniques can be ineffective, especially on networks with huge volumes of data, because the large amount of traffic drowns the important signals of an attack. Therefore, Jing et al. [20] suggested a method that uses sketch techniques to detect amplification attacks. The authors design a reversible sketch based on the Chinese remainder theorem (CRT-RS), which is used to gather network traffic immediately and then observe unexpected differences in the one-to-one mapping between request packets and reply packets in order to distinguish amplification attack traffic. In each row of the CRT-RS, when abnormal buckets are discovered, the addresses of the reply packets are counted and blacklisted as malicious origins. A Bloom filter is used to check whether an incoming source address is on the blacklist, and if so its traffic is filtered. The study mainly aims to detect amplification attacks with CRT-RS by analyzing traffic behaviour and reconstructing the abnormal IP addresses in reverse. This approach is an effective solution for large network traffic, and the simple method does not require recording complex traffic features. The final results show that the method accurately detects amplification attacks.
Lukaseder et al. [40] proposed a mechanism that classifies reply packets in DRDoS attacks as legitimate or illegitimate. The packets seen by the target host fall into four kinds: legitimate requests, legitimate replies, illegitimate requests, and illegitimate replies. Request packets are separated from reply packets for the UDP-based protocols. Malicious replies must be filtered, because DRDoS attack traffic can only consist of replies. The mitigation scheme therefore analyzes and filters only the reply packets, examining the incoming replies to distinguish legitimate from illegitimate ones: a reply is legitimate if and only if the destination host sent a corresponding request in advance. For this purpose a modified NAT is applied when an attack occurs: the NAT is activated and the source IP address of the attack target is replaced by an alias IP address on outgoing UDP-based requests. A second differentiator separates requests from replies so that NAT is applied only to outgoing requests, not to outgoing replies.
The alias IP address must be hard to guess so that an attacker cannot simply shift the attack to the alias address. However, the attacker can discover the alias address by monitoring the network traffic at the target, so the address should be changed in an orderly manner, with a grace period.
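The request-before-reply rule described above, as an added example that is not the authors' code: a stateful filter in front of a protected host records its outbound UDP requests and forwards inbound replies only while a matching request is still pending. The host address, ports, packet sizes and the two-second state lifetime are constructed assumptions.

```python
"""Added example, not the authors' code: a stateful UDP reply filter in the
spirit of the Lukaseder et al. scheme. Replies to the protected host are
forwarded only if that host sent a matching request first."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# UDP service ports of protocols named on this page as common reflectors.
SERVICE_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int        # bytes on the wire


class ReplyFilter:
    """Tracks outbound requests of one protected host and vets inbound replies.

    State is keyed by (server_ip, server_port, client_port); an entry expires
    `grace` seconds after the request, so late or replayed replies are dropped.
    """

    def __init__(self, protected_ip: str, grace: float = 2.0):
        self.protected_ip = protected_ip
        self.grace = grace
        self.pending: Dict[Tuple[str, int, int], float] = {}

    def _expire(self, now: float) -> None:
        stale = [k for k, t in self.pending.items() if now - t > self.grace]
        for k in stale:
            del self.pending[k]

    def handle(self, p: Packet) -> str:
        """Return 'request', 'forward', 'drop' or 'pass' for one packet."""
        self._expire(p.ts)
        if p.src_ip == self.protected_ip and p.dst_port in SERVICE_PORTS:
            # Outbound request: remember it so the matching reply is allowed.
            self.pending[(p.dst_ip, p.dst_port, p.src_port)] = p.ts
            return "request"
        if p.dst_ip == self.protected_ip and p.src_port in SERVICE_PORTS:
            # Inbound reply: legal only if a request for it is still pending.
            key = (p.src_ip, p.src_port, p.dst_port)
            return "forward" if key in self.pending else "drop"
        return "pass"  # not UDP service traffic of the protected host


def run_filter(protected_ip: str, packets: List[Packet]) -> List[str]:
    """Feed packets through a fresh filter in time order and collect the verdicts."""
    f = ReplyFilter(protected_ip)
    return [f.handle(p) for p in sorted(packets, key=lambda q: q.ts)]


# Constructed trace: one legitimate DNS exchange, then reflected replies the
# victim never asked for, then a DNS reply arriving after the state expired.
VICTIM = "10.0.0.5"
TRACE = [
    Packet(0.00, VICTIM, 40001, "192.0.2.53", 53, 64),       # DNS request
    Packet(0.05, "192.0.2.53", 53, VICTIM, 40001, 512),      # its answer
    Packet(0.10, "198.51.100.7", 123, VICTIM, 40001, 482),   # NTP, unsolicited
    Packet(0.11, "198.51.100.8", 1900, VICTIM, 40001, 310),  # SSDP, unsolicited
    Packet(3.00, "192.0.2.53", 53, VICTIM, 40001, 512),      # DNS, too late
]

if __name__ == "__main__":
    ordered = sorted(TRACE, key=lambda q: q.ts)
    for p, verdict in zip(ordered, run_filter(VICTIM, TRACE)):
        print(f"{p.ts:5.2f} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} {verdict}")
```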
Deli et al. [41] suggested a fully automatic analysis tool. By measuring the amplification factor of several protocols, the researchers show which protocols and servers are vulnerable according to their mechanism. Both measurement and identification rely on traffic information from a specific ISP and single out suspicious traffic streams with a particular profile, such as high amplification factors. The model suggested by the authors consists of three parts, attacker, amplifier, and victim, each of which complements the others. The attacker wants to consume the victim's maximum bandwidth by reflecting a massive volume of amplified traffic through the amplifier. Some protocols attract attackers because of vulnerabilities that accumulate in the server, and most of these protocols use UDP for transmission. When a server replies to a client request, the reply packet is sometimes much larger than the request and appears as an abnormal reply. This property can be exploited whenever the attacker is able to spoof IP addresses. When the attacker sends the data, the victim is not the immediate destination; nevertheless, the victim is flooded with traffic sent from the amplifier.
Mittal [42] focuses on the NTP protocol and how to protect it from DRDoS attacks. To detect and mitigate DRDoS attacks, the suggested model equips the victim machine with a graphics processing unit (GPU), forming a hybrid computing system. The results showed that the hybrid (CPU-GPU) machine performs better than a simple (CPU-only) machine and responds more effectively to the amplified traffic. The model was tested with five systems: attacker, compromised machine, reflector (NTP server), victim machine, and legitimate user. The attacker uses the Metasploit tool to establish a link with the weak machines after searching for weaknesses in the system, and once such a link is found a connection is obtained. The attacker then sends synchronization requests to the reflector as UDP request packets to the NTP server with a spoofed source IP. The attacker uses the Bit-Twist tool to capture these packets and modify the source IP address. The monlist contains the last 600 hosts that connected to the NTP server; this leads to 600 modified packets, which are sent to the NTP server from the compromised system via the monlist command with the help of Bit-Twist. The Bit-Twist tool thus floods the NTP server with huge traffic, which generates new monlist content that is sent in detail to the victim connected to the NTP server. Three main factors (CPU, main memory, and bandwidth) are used to compare the hybrid and normal systems before and after the attacks. The hybrid machine shows lower CPU consumption and better response during the DRDoS attack than a normal machine, and it also needs less memory. However, the hybrid machine cannot reduce the effect of the DRDoS attack on the bandwidth: during the attack, legitimate users were unable to use the services because the large traffic saturated the bandwidth.
Nevertheless, the hybrid machine in the experiment performs better than the normal machine.

The attacks of recent years have shown new mechanisms and numerous effects on the victim's side. A critical one is the reflection/amplification attack, which has many variants, including store-and-forward DRDoS (SF-DRDoS), based on the idea of store-and-flood in peer-to-peer networks; these attacks exhibit a large amplification factor. Fraiwan et al. [39] proposed a new method to detect and mitigate such attacks based on crawling and filtering. The defense strategy identifies potential reflector nodes by simulating the attackers' behaviour and then foiling their actions. Information about potential reflector nodes can be obtained by crawling Kad at regular, limited intervals. A Bloom filter is then used to discover anomalous traffic, at this point with large filenames, and the filtering excludes the attack packets. The crawling techniques in the literature fall into two classes: iterative and recursive. Iterative crawling often fails to find some nodes and crawls the same nodes repeatedly, which wastes bandwidth and increases the ID space. Two critical metrics are used to evaluate crawling: crawler accuracy and traffic cost-effectiveness (TCE). On these metrics, recursive crawling detects potentially large numbers of nodes better than iterative crawling and has a high TCE value. When one of the specific filter inputs is 0, the filter does not filter the node and lets the packets through; when they are all 1, the node is presumed to have been inserted into the filter, without any false positives.
Chen et al. [43] employed two modern techniques, SDN and an ML algorithm, to design a new system that detects and prevents DRDoS attacks automatically. The proposed system consists of two main components: a detection agent and the open networking operating system (ONOS). The detection agent has two parts: the first observes the network using the netmate tool, and the second is a classifier built with a machine learning algorithm. The second main component, ONOS, works like an SDN controller: it supports the OpenFlow protocol and offers various RESTful APIs used to determine specific feature vectors within a limited time interval. The result is then used to train a prototype classifier with ML algorithms on features extracted by netmate. The next step is training the ML model, which requires both regular and malicious flows of DNS requests and responses. During a reflection attack, the stream toward the victim increases because a huge number of requests is sent in a short time; to make the reflector produce huge response packets, the attacker continuously asks for particular domain names with several fixed parameters. The standard deviation of the packet size on the attacker's side is close to zero, so the traffic pattern differs from that of normal traffic. As the average volume of response packets is larger than normal and the standard deviation is near zero ... each chosen feature is linked to backward packets. Only the selected packets are checked, which reduces the load on the detection agent.
Meitei et al. [44] employed two important techniques: machine learning (ML) algorithms and attribute selection algorithms. The first part uses four supervised ML algorithms: decision tree, multilayer perceptron, naïve Bayes, and SVM. Furthermore, they used three attribute selection algorithms, information gain (IG), gain ratio (GR), and chi-square, which are applied to the chosen parameters. The main task of the study is to analyze DNS queries.
The scheme has three important steps: how the parameters are selected, how the ML algorithms are trained and tested, and how the parameters are reduced. Eight statistical features are selected for the dataset: packet arrival time; occurrences of an IP per unit time; the number of answer, authority, and additional resource records; and the minimum, maximum, and average packet size. The next step trains and tests classification and clustering algorithms on the selected features, using the same number of IP addresses for normal and attack DNS queries. The feature selection algorithms IG, GR, and chi-square are then used to remove redundant parameters and drop unnecessary features; both operations minimize computation time while keeping detection accuracy high.
To detect DNS amplification attacks, Cai et al. [45] focus on three features that, in their view, most affect the detection method. These features are computed at the DNS server to discriminate normal from abnormal behaviour in a given time window: the recurrence of DNS requests, the rate of amplified data traffic over the window (reply traffic/request traffic), and the number of packets added in a given period. The third feature, the ratio of the number of response packets to the number of request packets per unit time, not only increases the detection accuracy but also makes real-time determination easier. A K-means machine-learning algorithm is used to distinguish normal from abnormal packets: the detection model groups the packets into normal and abnormal clusters with K-means and then determines the reference points. The main drawback of the study may be the method of determining the weight per feature, since the same weight is placed on all three features.
Böttger et al. [24] suggested a model for detecting amplification attacks that relies on observing and distinguishing traffic. When a client connects to a server, a PairFlow is formed; many UDP flows are aggregated into such collections of flows. A PairFlow contains the client IP, the IP and port of the server, the payload dispatched to the server, the payload dispatched to the client, and the recording interval used to determine average rates. In the test stage, a fixed interval, i.e., 10 minutes, decides whether a PairFlow is active or inactive in that time window. Additional criteria are used to detect amplification attacks, i.e., request and response packet size similarity, request and response payload similarity, unsolicited messages, and IP spoofing. An attacker sometimes attempts to avoid detection, i.e., low traffic yields an attack factor below the detection threshold; if the payload entropy and request packet lengths can be adapted, the mass of attack traffic need not be diminished. Lowering the detection threshold makes it possible to detect a low attack factor but at the same time increases false-positive alarms.
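The flow-level features that [43], [45] and [24] build their detectors on (amplification factor, response/request packet ratio, and the mean and near-zero spread of response sizes) can be computed from a PairFlow-style aggregation. The following is an added example, not code from any of the surveyed papers; the packet records, addresses and the set of reflector service ports are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample UDP packets (not captured traffic):
# (time_s, src_ip, src_port, dst_ip, dst_port, payload_bytes)
PACKETS = [
    # ordinary client: small queries, modest and varied answers
    (0.0, "10.0.0.5", 40000, "192.0.2.53", 53, 45),
    (0.1, "192.0.2.53", 53, "10.0.0.5", 40000, 120),
    (5.0, "10.0.0.5", 40001, "192.0.2.53", 53, 52),
    (5.1, "192.0.2.53", 53, "10.0.0.5", 40001, 98),
    # spoofed victim address: identical queries, large identical replies
    (1.0, "203.0.113.9", 43210, "192.0.2.53", 53, 60),
    (1.0, "192.0.2.53", 53, "203.0.113.9", 43210, 3200),
    (1.2, "203.0.113.9", 43210, "192.0.2.53", 53, 60),
    (1.2, "192.0.2.53", 53, "203.0.113.9", 43210, 3200),
    (1.4, "203.0.113.9", 43210, "192.0.2.53", 53, 60),
    (1.4, "192.0.2.53", 53, "203.0.113.9", 43210, 3200),
]
SERVICE_PORTS = {53, 123, 1900, 11211}  # assumed reflector service ports

def build_pairflows(packets):
    """Group packets into PairFlows keyed by (client, server, server_port)."""
    flows = defaultdict(lambda: {"req_sizes": [], "resp_sizes": []})
    for _t, sip, sport, dip, dport, size in packets:
        if dport in SERVICE_PORTS:        # client -> server: a request
            flows[(sip, dip, dport)]["req_sizes"].append(size)
        elif sport in SERVICE_PORTS:      # server -> client: a response
            flows[(dip, sip, sport)]["resp_sizes"].append(size)
    return flows

def pairflow_metrics(flow):
    """Amplification factor, response/request packet ratio, response size mean/spread."""
    req_b, resp_b = sum(flow["req_sizes"]), sum(flow["resp_sizes"])
    resp = flow["resp_sizes"] or [0]
    return {
        "amplification": resp_b / req_b if req_b else float("inf"),
        "resp_req_ratio": len(flow["resp_sizes"]) / max(len(flow["req_sizes"]), 1),
        "mean_resp_size": mean(resp),
        "resp_size_stdev": pstdev(resp),
    }

def flag_amplification(packets, amp_threshold=10.0, min_mean_resp=1000):
    """Flows over the amplification threshold (a lower threshold catches low-factor attacks but raises false positives)."""
    flagged = {}
    for key, flow in build_pairflows(packets).items():
        m = pairflow_metrics(flow)
        if m["amplification"] >= amp_threshold and m["mean_resp_size"] >= min_mean_resp:
            flagged[key] = m
    return flagged
```

On the constructed input only the spoofed pair is flagged (amplification 9600/180, response-size standard deviation 0), while the ordinary client stays below the threshold.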
Liu et al. [46] note that one of the main reasons for the increase in reflection attacks on SSDP is the proliferation of IoT devices. Many approaches were previously suggested to detect and mitigate reflection attacks on SSDP, but this method is more effective and modern because it employs the bots themselves as a defence; the approach is called the multi-location defence scheme (MLDS). Three principal features distinguish it from other approaches: the MLDS mechanism operates along the attack link from the attack source to the victim, it does not depend on detecting the attack, and its main novelty is the use of bots as defenders. Deploying various protection strategies at multiple locations makes the defence work efficiently across the entire attack link, from the source initiating the attack to the victim, which is why the authors developed the MLDS.
Kim et al. [47] proposed a method to prevent DNS amplification attacks by utilizing the DNS query history on top of SDN. The technique acts both proactively and reactively to reduce the effects of these attacks on local DNS servers. Two kinds of DNS packets are considered, A and ANY: A for normal packets and ANY for attacker packets. The proposed mechanism relies on a one-to-one technique, i.e., for each response a corresponding request must exist; orphan pairs are immediately classified as suspicious, thereby protecting the local DNS servers. The system contains two principal components, a switch and an SDN controller. Understanding the behaviour of an attack is important for producing the right technique to detect or mitigate that type of attack.
Thus, Huistra [48] focuses on the fingerprints of the attack; because attacks on DNS are the most common type of DRDoS attack, this work focuses on DNS attacks and on how to distinguish and analyze their behaviour. When designing a detection scheme for DNS reflection attacks, this work needs a great deal of information to obtain good results, including the IP addresses of both the host and the server, the DNS request and reply times, the sizes of the DNS request and its response, and the source and destination ports of the DNS query. The approach depends on the request and response sizes being consistent; when they are inconsistent, the attacker is exploiting this feature. Furthermore, the attacker can employ a small or large number of DNS servers for the attack. In the NetFlow scenario, some information, i.e., the size of every packet and its individual capture time, is lost because of the aggregation method. This study does not include detection of attacks that use requests of various sizes.
El Houda et al. [49] suggested a model called WisdomSDN to detect and mitigate DNS amplification attacks. It restricts and monitors DNS requests/responses using a one-to-one technique to recognize illegitimate DNS requests and replies; the results show that WisdomSDN achieves a high detection rate and a low false-positive rate. Dodia and Zhauniarovich [50] focus on filtering garbage traffic to prevent incoming amplification requests from reaching amplifiers inside the provider network, protecting vulnerable services from abuse. Their prototype tracks spoofed traffic and filters it out at the ISP network's edge, eliminating garbage traffic caused by network amplifiers and saving ISPs and their customers time and money.
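The one-to-one request/response matching that both [47] and [49] rely on, where a response with no preceding request is an orphan and therefore suspicious, is shown below as an added example that is not code from either paper. The DNS events, addresses and transaction IDs are constructed, and the matching key (client, server, txid, qname, qtype) is an assumption about what a switch or controller would have available.

```python
from collections import Counter

# Constructed DNS events as an SDN switch in front of a local DNS server might
# report them (not real traffic): (time_s, kind, client_ip, server_ip, txid, qname, qtype)
DNS_EVENTS = [
    (0.00, "query",    "10.0.0.5",    "192.0.2.53", 0x1a2b, "example.com.", "A"),
    (0.02, "response", "10.0.0.5",    "192.0.2.53", 0x1a2b, "example.com.", "A"),
    (0.50, "query",    "10.0.0.7",    "192.0.2.53", 0x3c4d, "example.org.", "A"),
    # responses with no matching query: orphan pairs, classified as suspicious
    (1.00, "response", "203.0.113.9", "192.0.2.53", 0x5e6f, "example.net.", "ANY"),
    (1.01, "response", "203.0.113.9", "192.0.2.53", 0x7081, "example.net.", "ANY"),
]

def match_one_to_one(events):
    """Pair every response with an earlier query on (client, server, txid, qname, qtype).
    Returns (matched, orphan_responses, unanswered_queries)."""
    pending, matched, orphans = {}, [], []
    for t, kind, client, server, txid, qname, qtype in sorted(events):
        key = (client, server, txid, qname, qtype)
        if kind == "query":
            pending[key] = t                       # remember until its response arrives
        elif key in pending:
            matched.append((key, pending.pop(key), t))
        else:
            orphans.append((key, t))               # response without a request
    return matched, orphans, list(pending)

def suspicious_clients(events):
    """Per-client count of orphan responses, and of those that carry the ANY type."""
    _, orphans, _ = match_one_to_one(events)
    per_client = Counter(key[0] for key, _ in orphans)
    any_only = Counter(key[0] for key, _ in orphans if key[4] == "ANY")
    return per_client, any_only
```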

CONCLUSION
This study focused on cybersecurity because the number of internet users is growing dramatically and the variety of devices connected to the internet is the main challenge in the field of security, as legitimate users can be denied the services provided to them. The DoS attack is a popular form of these challenges. The more effective version is the distributed DoS attack, and attackers have improved DDoS attacks to produce robust attacks with devastating effects on the victim's side. This attack is called the DRDoS attack, which has been the focus of network security research in previous years because of the volume of the attacks and their effects. This type of attack prefers UDP protocols; thus, most of the papers focused on services that rely on UDP. We compared the papers in terms of the method used, the feature selection, and the detection performance. To the best of our knowledge, our paper is the first to classify this type of attack based on transport protocol, i.e., TCP-based DRDoS attacks and UDP-based DRDoS attacks. In future work we aim to focus on one protocol, the most popular among those that have been and will continue to be the target of DRDoS attacks.