Denial of Service (DDoS) Mitigation Using Blockchain—A Comprehensive Insight

A Distributed Denial of Service (DDoS) attack is a major threat impeding service to legitimate requests on any network. Although the first DDoS attack was reported in 1996, the complexity and sophistication of these attacks have been ever increasing. A 2 TBps attack was reported in mid-August 2020 directed towards critical infrastructure, such as finance, amidst the COVID-19 pandemic. It is estimated that these attacks will double, reaching over 15 million, in the next 2 years. A number of mitigation schemes have been designed and developed since its inception, but the increasing complexity demands advanced solutions based on emerging technologies. Blockchain has emerged as a promising and viable technology for DDoS mitigation. The inherent and fundamental characteristics of blockchain such as decentralization, internal and external trustless attitude, immutability, integrity, anonymity and verifiability have proven to be strong candidates in tackling this deadly cyber threat. This survey discusses different approaches for DDoS mitigation using blockchain in varied domains to date. The paper aims at providing a comprehensive review, highlighting all necessary details, strengths, challenges and limitations of different approaches. It is intended to serve as a single platform to understand the mechanics of current approaches to enhance research and development in the DDoS mitigation domain.


Introduction
A distributed denial of service (DDoS) attack is a special type of denial of service attack that overwhelms the target or the related infrastructure with malicious traffic. This is achieved using bots, a network of malware-compromised computers and other devices, under the remote control of an attacker (refer to illustration in Figure 1) [1]. It severely hampers the bandwidth and connectivity, leading to disruption of all services on the network [2]. Cloud ecosystems suffer maximum losses due to complete service denial and service degradation [3]. The primary target of a DDoS attack is the availability of resources for genuine users. The malicious flooding overloads the network, exceeding its bandwidth capabilities and disrupting the services [4]. The target range varies from financial institutions, health care providers and government agencies to low-key public networks [2].
It is difficult to distinguish the attack traffic in a DDoS attack because of its similarity to the legitimate traffic [5]. Attack packets behave very much like normal network packets, albeit in higher quantities and concentration towards the victim [6]. This is more prevalent during the early stages of an attack, especially in low-rate and low-traffic attacks [5]. The attack is usually measured in volumetric parameters such as packets-per-second, bits-per-second and connections-per-second [6]. A malicious attack from a small number of nodes is easier to detect and mitigate. DDoS uses a significantly large number of nodes, and the collective behavior drastically severs any chance of serving non-malicious requests [7]. The compromised devices transfer a large volume of packets without any breaks over the network, tricking the victim into recognizing them as legitimate traffic. As a result, not only does the host communicate with different devices but with different types of packets as well [8]. DDoS attack has been proven to be a resource battleground between the defenders and attackers; the more the resources, the higher the chance of success [9].

DDoS attacks can be classified as brute-force attacks, spoofing attacks and flooding attacks. Flooding attacks are the most common and severe among the three, thwarting the network bandwidth and blocking all legitimate requests. Survival approaches are focused on single target victims and require victims to detect and manage the attack themselves. However, a network-wide flood requires mitigation approaches before it reaches the victims, making it suitable for multi-targeted attack. DDoS cannot be blocked or prevented altogether by installing software patches and deploying appliances. Therefore, Internet service providers either use scrubbing services or over-provision their networks. Neither method is financially feasible [10].
The DDoS architecture consists mainly of zombies based on handlers' models and Internet relay-chat. All communications between the handler and the attack are usually encrypted, making the attack invisible from detection. Attackers spoof MAC and IP addresses and are geographically well distributed, making detection a tedious effort.
DDoS attacks have rapidly evolved over time and have become very sophisticated. DDoS attacks severely affect an organization's computing, financial and infrastructural resources [11]. The number of DDoS attacks has increased exponentially over the years, not even sparing major cloud service providers such as Microsoft and Amazon EC2 [5]. Around 79 countries were affected by DDoS attacks during the first quarter of 2018. The longest attack duration was about 297 h [12]. A 1.3 TBps attack was reported affecting GitHub. A 1.7 TBps attack was reported later following the attack on GitHub [13]. Some established banks were severely affected by a peak 160 Gbps and 32 million packets per second DDoS attack in April 2019 [14]. Monetary losses of about $491 billion were reported in 2014 alone [11]. Amidst the COVID-19 pandemic (mid-August 2020), a world-wide DDoS extortion attack amounting to 2 TBps, targeting finance and the travel industry, was reported by NetScout [15]. It is predicted that DDoS attacks will double from 7.9 million in 2018 to 15.4 million by 2023 [16]. These numbers, attack traffic and timings clearly indicate the threat severity of DDoS attacks [14].

Problem Statement
Given the limitations and current state of the aforementioned approaches and the ever-increasing sophistication of DDoS attacks, there is a need for more efficient solutions based on new technologies for detection and mitigation. In this context, blockchain has emerged as a promising partner, leveraging its fundamental characteristics of decentralization, internal and external trustless attitude, immutability, integrity, anonymity and verifiability to tackle DDoS attacks.

Motivation
It is necessary to have a holistic understanding of the application of new technologies in order to enhance their efficiency. Therefore, it is important to conduct a comprehensive survey of DDoS mitigation using blockchain technology. To the best of our knowledge, there does not exist a single survey discussing advancements specifically related to DDoS mitigation employing blockchain. Existing surveys either focus on other DDoS mitigation technologies and techniques or include some of the blockchain-based studies for a particular domain as a part of their review. Therefore, this review aims to cover this knowledge gap so that novel and effective solutions using blockchain can be researched in this domain.

Objectives/Contributions
Following the discussion, this paper mainly intends to achieve the following objectives:
1. To discuss current applications of blockchain for DDoS mitigation in all related domains
2. To provide a comprehensive review of research surrounding this domain
3. To classify mitigation approaches based on the dominant method/technology/technique
4. To tabulate essential findings of all related papers, providing a quick insight about the progress in this field of study

Paper Organization
The remainder of the paper is structured as follows: Section 2 lays the foundation of the domain knowledge by discussing key concepts in DDoS attacks and blockchain. Section 3 details the process of this review, including inclusion and exclusion criteria. Section 4 presents the in-depth comprehensive review of the extracted relevant studies in this domain. Finally, Section 5 highlights limitations and opportunities, while Section 6 concludes the study, highlighting the need to pursue the domain of the current study.

DDoS Attack Types
DDoS attacks are aimed at denying service access to legitimate users by targeting the availability of network resources. The attack procedure relies heavily upon distributed access to devices exploiting known vulnerabilities [36]. Attacks are targeted at various layers of the network infrastructure, e.g., application layer, transport layer, etc. [37,38]. Based on the network architecture, DDoS attacks are classified as follows [39]:

1. Application layer attacks: This is a layer seven network architecture attack aimed at target resource exhaustion leading to denial of service [38]. The attacker leverages application or system vulnerabilities, causing network instability. These attacks are often mistaken for implementation errors because of the low-rate traffic required to execute them successfully. Examples include HTTP flood, Slowloris and Zero-day attack. An HTTP flood is an attack whereby continuous access is requested from multiple devices, exhausting the capabilities of the targeted device. A typical setup for an HTTP flood is presented in Figure 2. Slowloris sends incomplete requests at predefined intervals, aiming at keeping the request channels engaged for an extended period of time, preventing legitimate access to the target devices [37][38][39][40][41].

2. Resource exhaustion attack: Network layer and transport layer vulnerabilities are exploited by this DDoS attack. These are also referred to as state exhaustion attacks, depleting computing resources such as computational power and primary and secondary memories. Since this attack exploits protocol vulnerabilities in addition to being voluminous, it forms a hybrid between specific messages and volume being sent to the victim. TCP SYN floods send SYN messages with spoofed source IP addresses to the victim but never confirm establishment of the connection. In this manner, the target's resources are exhausted over time, since it responds to each handshake but never receives any confirmation from the attacker [37,41].
Other examples include Ping of Death, which are ping packets greater than 65,535 bytes, making the victim inaccessible, and Smurf attack, which destabilizes the victim services by sending a large volume of ICMP packets [39,41]. As seen in Figure 4, the attacker creates a network packet attached to a false IP address (spoofing), transmitting an ICMP ping message. The network nodes are required to reply. The replies follow an infinite loop by being sent back to the network IPs.

3. Volumetric attacks: Massive amounts of data are sent to the victim using botnets or other amplification methods, exhausting the bandwidth between the target and the larger network/internet. The UDP protocol is commonly used to exploit any excessive increase in packet size. DNS amplification attacks issue service requests in which the source address field is replaced with the victim's address, causing response amplification by the servers and exhausting the victim's bandwidth, as demonstrated in Figure 3 [37,40,41]. Similarly, ICMP floods send abnormal packets to target servers, making them inaccessible to legitimate requests [39][40][41].

Blockchain
Blockchain aims at maintaining a cryptographically secured list of records on globally available computing devices. These records, known as blocks, are publicly certifiable, immutable and sequentially generated. It is a distributed ledger accessible to numerous nodes for record keeping. It is an interconnected chain starting with the genesis block, with every subsequent block storing information about the previous one (see Figure 5). The nodes in this network possess the capability of accepting or rejecting data transactions by constantly observing the data blocks. Each record in these blocks is timestamped and added upon verification throughout the chain. Cryptographic hash functions map an arbitrary-size input message to a fixed-size output message, given by $\{0,1\}^{*} \rightarrow \{0,1\}^{n}$ [44]. While it might not replace the traditional information sharing mechanisms completely, it represents a new paradigm in secure, verifiable and immutable information sharing.
The blockchain is based on the following significant building blocks: database, block, hash, miner, transaction and consensus mechanism [45].

1. Database: This aspect covers blockchains' fundamental capability or buildup of storing the information in a non-traditional method and structure (rows and columns). It stores all transaction records of the participating users with high throughput, no central control and immutable records, among others.

2. Blocks: Blocks store data associated with different transactions among the participating users. They are chained together storing hash values of previous blocks, forming a loop of tightly interconnected data. A block is typically divided into two parts: the header contains information about the block in the chain, while the latter part is associated with storing the actual transactional data [45,46].

3. Hash: These are complex mathematical problems responsible for identification and verification. Miners must solve these problems in order to trace a block, while the hash function for two messages cannot be the same, allowing verification. A hash table is maintained for efficient indexing while the next blocks store hashes of previous blocks in the chain [45,47,48].

4. Miner: A network node that solves a computational problem locating a new block is referred to as a block miner. New transactions are broadcast across the chain, and participants' efforts are rewarded based on proof-of-work. The generated block is accepted into the chain when the miners start working on the next block, so that the previous hash is stored, ensuring continuity of the chain [45,47].

5. Transaction: This is the smallest amount of task information stored in a block once verified by the majority of participants in the chain. The records are accessible throughout while being immutable [45,48]. Figure 5 is a detailed infographic about transaction execution flow inside a blockchain.

6. Consensus: Consensus over records is a key characteristic in blockchain achieved via various consensus mechanisms. The famous ones are Proof of Work (PoW) and Proof of Stake (PoS); the former rewards based on proof of the work for block generation, while the latter distributes work based on a participant's virtual currency tokens [45,46].

Review Methodology
The step-wise review methodology employed for this study is as follows:
1. Selection of relevant and appropriate digital libraries for search of relevant literature.
2. Design and refinement of search terms based on essential keywords concerning the subject of the study.
3. Refinement of retrieved results based on relevant search filters to studies associated with the domain.
4. Selection of studies defining inclusion and exclusion criteria based on title, abstract, keywords and content.

Sources
Scopus (https://www.scopus.com) indexes all major relevant digital libraries and journals in computer science and engineering. It also has a user-friendly and comprehensive search design. Therefore, it was used as the primary search engine for this review.

Search Methodology:
The search for relevant literature can be summed up in the following steps:

1. The search term was based on the keywords that directly relate to the topic under discussion. The search term used in this review was "DDoS" AND "Mitigation" AND "Using" AND "Blockchain" IN "All Fields", to include all possible studies relating to the keyword domains. The search retrieved a total of 368 research articles.

2. The following filters were applied to the retrieved results:
   a. Limit by Subject Area: Results were filtered by Computer Science AND Engineering AND Mathematics AND Decision Sciences AND Multidisciplinary. A total of 359 documents were displayed. However, this study wanted to verify that the unrelated subject areas do not contain any related research. Multiple related documents were found categorized in unrelated domains. Hence, the filter was removed, setting the number of primary documents back to 368.
   b. Exclude by Document Type: Results were filtered by Review and Conference Review. However, in a separate search, these documents were checked to verify any reviews written in this domain. Exclusion yielded 317 documents.
   c. Limit by Language: Results were filtered by English. Six items were dropped, leaving 313 documents.

Inclusion and Exclusion Criteria
This review primarily selected documents based on titles and abstracts of the retrieved research. However, no study was excluded only on the basis of title and abstract, unless a full text analysis deemed it irrelevant to the current review. The criteria are as follows:

1. Inclusion Criteria
   a. Studies reporting usage of blockchain for DDoS mitigation
   b. All studies in this domain to date were included (2015-2021)

2. Exclusion Criteria
   a. Studies reporting only DDoS or DDoS mitigation or blockchain
   b. Other surveys about DDoS mitigation
   c. Studies dealing with protection of blockchain or its applications
   d. Unavailable full prints such as Symposiums and Workshops
   e. Surveys were filtered during the search

Out of the 313 documents, 36 studies were chosen based on the aforementioned criteria. These 36 studies were analyzed, and a comprehensive review is presented in the following section. They were further tabulated for ease of use, highlighting essential points for almost all of them.

Comprehensive Review
The design of mitigation schemes usually involves a multi-faceted architecture in an attempt to increase effectiveness. Other methods/technologies have been used in association with blockchain. As such, the subsequent sections analyze the solutions reviewed by this study, categorized based on the dominant method/technology. The classification does not undermine the role of blockchain for DDoS mitigation in all the discussed approaches. A taxonomical flowchart was also proposed, as seen in Figure 6, for an intuitive understanding of the domain under discussion. The review is divided into six sub-sections as follows:

Cochain-SC proposes network schemes governed by blockchain using SDN and smart contracts for DDoS mitigation at an inter- and intra-domain level. The Ethereum smart contract-based scheme helps multiple SDN-based domains to mitigate DDoS by sharing attack information. Intra-domain DDoS attack detection is performed by an Intra Entropy-based scheme and an Intra Bayes-based scheme by measuring the randomness and anomalies in the network traffic. The randomness is measured using sFlow, whereby it performs flow aggregation during the DDoS attack. The entropy calculation using Shannon's information theory measures the randomness of data based on the principle that the flow of traffic towards the victim's IP address increases substantially and is concentrated towards the victim, leading to an increase in the entropy. A binary machine learning classifier determines the change as legitimate or illegitimate. Suspected packets are dropped based on defined network rules for mitigation. The victim domain shares the information over the SDN-connected nodes, where each SDN controller retrieves the list of illegitimate IPs for attack detection and mitigation. Experimental results indicated that the proposed setup is efficient and cost effective. The implementation is simulated using Mininet, the Scapy Python library and Hping3 while keeping the attack rate between 100 and 500 Mbps [50].

Co-IoT leverages the SDN controller of the victim's network to detect and mitigate a DDoS attack in IoT devices. At the same time, a domain-wide notification of the attacker is shared via an Ethereum smart contract. The remaining SDN nodes are thus ready to block any incoming traffic from the attack domain. The basic detection and mitigation schemes rely completely on the efficiency of SDN controllers [51]. Similar work has been reported by [52]. A similar setup specifically for the Mirai botnet is presented in [53], reporting a true detection rate of 95%. Simulations were conducted in a custom-developed simulator in Java.

In [54], researchers presented a collaborative generic hardware and defense capability shared DDoS mitigation scheme. The framework includes software-defined networks for customized security policies in a software style for managing applications (Ryu-open source) and network function virtualization (sFlow or NetFlow) for enforcing the security policies using generic hardware, Ethereum-based blockchain for advertising and sharing near real time threat information (14 s, time to mine a block) and smart contracts dedicated to defining the rules of collaboration and information sharing. The framework's major strength seems to be the usage of generic hardware through network function virtualization.
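The entropy-based intra-domain detection described for Cochain-SC can be illustrated with a short sketch. This is an added example, not code from [50] or any of the surveyed projects: the binary classifier is replaced by a fixed deviation rule against a baseline, flow records are reduced to (source, destination) pairs, and all names and addresses (documentation ranges) are constructed for illustration.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data (documentation address ranges, not real hosts).
CLIENTS = [f"198.51.100.{i}" for i in range(1, 21)]   # 20 regular clients
SERVERS = [f"192.0.2.{i}" for i in range(1, 6)]       # 5 services in the domain
BOTS = [f"203.0.113.{i}" for i in range(1, 251)]      # 250 flooding sources


def shannon_entropy(values):
    """H = -sum(p * log2 p) over the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def normal_window(n_flows, shift=0):
    """One aggregation window of ordinary traffic as (src, dst) flow records."""
    return [(CLIENTS[(j + shift) % len(CLIENTS)], SERVERS[j % len(SERVERS)])
            for j in range(n_flows)]


def attack_window(victim, flows_per_bot=8):
    """Ordinary traffic plus a flood from many sources aimed at one victim."""
    flood = [(bot, victim) for bot in BOTS for _ in range(flows_per_bot)]
    return normal_window(200) + flood


class EntropyDetector:
    """Flags a window whose src or dst address entropy leaves the baseline band."""

    FIELDS = (("src", 0), ("dst", 1))

    def __init__(self, baseline_windows, k=3.0, floor_bits=0.5):
        # Sources seen during the baseline are treated as known-good (assumption).
        self.known_sources = {src for w in baseline_windows for src, _ in w}
        self.profile = {}
        for name, idx in self.FIELDS:
            hs = [shannon_entropy(f[idx] for f in w) for w in baseline_windows]
            # Allowed deviation: k standard deviations, but never below a floor,
            # so a very stable baseline does not flag every small fluctuation.
            self.profile[name] = (mean(hs), max(k * pstdev(hs), floor_bits))

    def inspect(self, window):
        report = {"anomalous": False, "victim": None, "suspects": set()}
        for name, idx in self.FIELDS:
            h = shannon_entropy(f[idx] for f in window)
            base, allowed = self.profile[name]
            report[name + "_entropy"] = h
            if abs(h - base) > allowed:
                report["anomalous"] = True
        if report["anomalous"]:
            # The destination receiving the most flows is taken as the victim;
            # unknown sources sending to it form the list shared with peers.
            victim, _ = Counter(dst for _, dst in window).most_common(1)[0]
            report["victim"] = victim
            report["suspects"] = {s for s, d in window
                                  if d == victim and s not in self.known_sources}
        return report


if __name__ == "__main__":
    baseline = [normal_window(200 + 10 * i, shift=i) for i in range(5)]
    detector = EntropyDetector(baseline)
    for label, win in (("normal", normal_window(230, shift=7)),
                       ("attack", attack_window("192.0.2.1"))):
        r = detector.inspect(win)
        print(label, r["anomalous"], round(r["src_entropy"], 2),
              round(r["dst_entropy"], 2), r["victim"], len(r["suspects"]))
```

Because attack sources may be spoofed, a suspect list built this way can contain addresses of uninvolved hosts, so it should be reviewed or time-limited before it is shared as a block rule.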

Blockchain and Smart Contracts
The centralized controller mechanism in resource-constrained SDNs makes them prone to network attacks, including DDoS. A decentralized private blockchain can be used for setting flow rules for fog nodes acting as SDN controllers and other devices in the network. Private blockchain enables miners to revert to previous flow rules or blocks as soon as the miners detect faulty flow rules in the network. The data immutability of private blockchain does not guarantee its security from devices using the same hash key and genesis file. Enhanced encryption of the flow rules before block insertion is thus required. The performance of such a setup was measured on a Raspberry Pi device as SDN controllers, machines with i5 processors as miners and the go-Ethereum-based private blockchain. Since the SDN control mechanism is decentralized, results demonstrate that other fog nodes are able to retract back to the previous flow as soon as one of the nodes is under attack. The deployment architecture in the fog layer helps to reduce the latency and energy consumption [55].

A distributed peer-to-peer network using blockchain to protect data integrity and confidentiality in enterprise networks was implemented in [56]. The hybrid architecture involves deployment of a smart contract using blockchain. Blockchain enables shared protection, while the smart contract distributes the rules among the host nodes in the network. It measures the received response amount versus the predefined maximum response count. Any abnormalities are further inspected and the attacker IP address is blacklisted. Once the DDoS packet flooding is detected, a mitigation script is activated, leading to a drop of packets to zero by blocking the blacklisted IP, indicating the success of the mitigation framework. OpenDaylight and Mininet are used for network setup and Python for smart contracts, while no information has been provided about the blockchain except that it is private. A major limitation in this approach is the predefined packet response rate. Any packet transmission above the predefined rules, even legitimate, is likely to get blocked due to the nature of the implementation.

Reference [57] focuses on blockchain expansion inside an IoT network to securely store assets-configuration files from SDN or NFV. The problem domain is specifically expanding the blockchain in fog to avoid a 51% attack so that the IoT network can be protected reliably using the blockchain. Blockchain is essentially used as a ledger in their network setup for user authentication as a protection against DDoS attacks. A similar conceptual framework was reported by [58] using SDN controllers embedded in the smart contract for detection and mitigation. The information sharing is proposed at a global or intra level, similar to [50].
A public permissioned blockchain tries to fill in the gaps between public permissionless and private consortium networks in order to achieve the best of both models. A cyber threat intelligence platform using open-source permissioned blockchain is discussed in [59]. The blockchain is essentially used for record-keeping, and smart contracts are used to guarantee immutable logic. With software-defined networking to enhance the mitigation, this serves as a collaborative platform for DDoS mitigation. The collaborative platform leverages blockchain capabilities of tamper-proof data and secure information sharing between the network participants for the mitigation process. This has been implemented on an HLF blockchain to evaluate the performance in a multi-domain SDN setup. The SDN setup is simulated using Kathara, Ryu and Open vSwitch on Ubuntu 16.04. The traffic is constantly monitored against a blacklist host log in HLF, which is continuously updated and shared among the network. On detection, the blacklisted IP is blocked instantaneously based on logical rules set up in the smart contract. Secure information sharing among collaborators is the essential mitigation mechanism. However, the results indicate decreased latency and transaction throughput, highlighting the need for high-power computing.
BlockSDSec uses blockchain as a service for DDoS mitigation in SDNs. The SDN framework uses the OpenFlow (OF) protocol to establish communication between the controller and switches. The main idea is to use blockchain upon the OF switches to maintain data integrity from any form of tampering due to a DDoS attack while contacting the controller. Moreover, data from each layer of the SDN is also added to the block, ensuring integrity and validation. The entire experiment focuses on the deployment with no details of the testing scenario. In particular, the setup has not been tested for DDoS resilience [60]. Similar data transfer at the OF level was reported in [61]. Blockchain networks at application level and device level were added in [62]. Each node is seemingly a part of the blockchain network possessing a unique hash and relative hashes. This helps the devices to recover from any falsified data without the controller's immediate attention. Implementation details are scarce and it most likely seems like a conceptual framework. A blockchain-based middle layer between the infrastructure and control layers in UAVs stores communication and controller information, acting as a secure, immutable and transparent middleman. Each communication is stored as a transaction on the nodes, keeping track of any malicious UAV transmissions and avoiding a single point of failure [63].
Smart meters provide real-time pricing, energy consumption, automated diagnostics, billing, monitoring, etc. These smart meters have been flooded with DDoS attacks, making them new vectors for cyber-attacks. The centralized access control mechanism is at the core of these attacks. The paper presents a decentralized access control architecture using smart contracts on Ethereum. Blockchain-based access control is efficient and immutable. The decentralized architecture is implemented using Ropsten, Ethereum's official test net. All the smart devices are connected through a peer-to-peer network, while an access control contract is designed based on a blockchain smart contract. This contract manages subject-object pairing through the defined rules. Any interaction/action between the subject and object is governed by the rules in the contract. The architecture was implemented and tested using the Ganache simulator and Ropsten, while the smart contract deployment used the Truffle framework. The authors concluded that the decentralized access mechanism achieves higher security and efficiency in maintaining the network [64].

Blockchain Structure
A decentralized CDN mitigation scheme using private blockchain was discussed in [65]. The configuration consists of permission nodes acting as block generators using the Byzantine Fault Tolerance family algorithm. The bandwidth for node creation is provided by a separate set of nodes referred to as bandwidth nodes. It is important to distinguish between the two entities because it minimizes the possibilities of block modification while using bandwidth, ensuring the safety of the contract record and creation of reliable nodes. The structure is deemed robust as the integrity is tightly controlled by hub nodes in the decentralized structure.

A major limitation of IoT networks is a centralized point of control, which can be overcome using blockchain's decentralized properties. Each device is associated with a node in the blockchain containing hash and timestamp. All the information generated by the devices is associated with the respective block. Any information tampering following a network intrusion is detected by matching device data with the node data. Since the data on the node cannot be tampered with, the IoT device and communication are reverted to the previous state, thereby protecting the data generated by IoT devices [66].
Reference [67] proposes a biologically inspired collaborative DDoS detection framework using blockchain, smart contract and fuzzy neural networks. Each collaborator is hosted on a private blockchain protecting their privacy and not sharing their data with other collaborators. Fuzzy neural networks are used in the smart contract to detect and filter the experimental results. Upon detection of abnormal data, the results are uploaded into a public blockchain accessible to all collaborators of the system. The users can download these results onto their private blocks, requiring no direct communication between the participants. This experiment was conducted using Hyperledger Fabric. Experimental results conclude that the system required an average of 1.66 ms to store each piece of information, with a detection accuracy of 0.89 and a recall of 0.87.

Artificial Intelligence
Machine learning techniques such as KNN, decision trees and random forest have proven capable of DDoS detection. Blockchain can be used to securely store the blacklisted IP addresses. An Ethereum-based blockchain running a smart contract storing the malicious IPs along with their timestamp is reported in [68]. The server is informed to block the associated traffic. The IP is unblocked automatically after a set threshold time by fetching the blocked IP from the blockchain ledger. The authors argue that the blockchain-based enhancement provides additional security to existing DDoS mitigation models. LSTM is used for DDoS detection utilizing blockchain for permission to edge devices to perform actions [69]. IoT devices are relatively insecure compared to traditional network nodes.
The proposed model analyzes the network traffic on edge devices connected via blockchain. The analysis process yields abnormal behavioral patterns and implements the attack defense mechanism through smart contracts deployed over the nodes. Attacks are detected using the LSTM-based model. The system architecture leverages blockchain's resource owner control release in the first block and passes on based on request. The request is granted based on the access control policy stored inside the blockchain, granting automatic permissions to edge devices for actions over the blockchain network. A similar conceptual model is presented in [20] using SDN, RNN-LSTM and smart contracts.
Traditionally, software-defined industrial networks rely on a centralized controller, leading to an inevitable single point of failure due to a service denial attack. A deep learning-based blockchain framework, whereby switch authenticity is controlled by the blockchain and anomaly detection is done by a deep Boltzmann machine, is presented in [61]. Each switch is registered on the blockchain using the zero-knowledge proof concept and verified using consensus mechanisms. Deep learning-based models are deployed to identify characteristics of DDoS attacks over the network. The framework was tested using a Mininet emulator, with two servers for traffic flow generation and virtual PX as the DBM flow analyzer. The deep learning model was trained using the KDD dataset for anomaly detection in network systems. A 5-10% increase in detection efficiency was reported from the experiment, while the computational costs were comparatively higher than previous models.
A virtual parallel blockchain with heterogeneous ensemble learning protects the actual blockchain-based network from direct DDoS attacks. The mechanism is based on creating an artificial blockchain based on virtual reality parallel tactics and connected to the original blockchain. DDoS detection and mitigation is guided by ensemble learning distributed over the virtual blockchain nodes. Since these blockchains are mirror copies of each other, the artificial blockchain effectively guides the detection and defense of DDoS attacks in the actual blockchain. Learning transfer based on computation, experimentation and evaluation constantly optimizes the original blockchain for attack management. AdaBoost and random forest are used as ensemble learning strategies by integrating lightweight classifiers such as CART and ID3. The detection and mitigation strategy in the artificial blockchain demonstrates good performance and optimizes and guides the original blockchain against the DDoS attacks effectively. The experimental results were demonstrated in the artificial blockchain, while the learning and optimization process of the original blockchain has not been verified experimentally [70].
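The timestamped IP blacklist with automatic unblocking reported in [68], together with the tamper detection by hash comparison described for blocks in general and for [66], can be sketched as a hash-chained ledger. This is an added example, not code from the surveyed papers: it is an in-memory stand-in with no Ethereum, mining or consensus, and the class names, TTL value and addresses are constructed for illustration.

```python
import hashlib
import ipaddress
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # placeholder predecessor hash for the genesis block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    records: tuple  # ((ip, blocked_at_epoch_seconds), ...)

    def digest(self):
        """SHA-256 over a canonical encoding of the header and the records."""
        payload = json.dumps([self.index, self.prev_hash, self.records],
                             separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class BlocklistLedger:
    """Append-only blacklist; each block stores the hash of its predecessor."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.chain = [Block(0, GENESIS_PREV, ())]

    def append(self, records):
        # Reject malformed addresses before they become permanent records.
        clean = tuple((str(ipaddress.ip_address(ip)), int(ts))
                      for ip, ts in records)
        prev = self.chain[-1]
        block = Block(prev.index + 1, prev.digest(), clean)
        self.chain.append(block)
        return block

    def head_hash(self):
        """Hash of the newest block; the value peers would have to agree on."""
        return self.chain[-1].digest()

    def verify(self, expected_head=None):
        """Return the index of the first block found altered, or None.

        Link checks expose any change to a block that has a successor. The
        newest block has none, so it is only covered when `expected_head`
        (a head hash obtained from other participants) is supplied.
        """
        for prev, cur in zip(self.chain, self.chain[1:]):
            if cur.index != prev.index + 1 or cur.prev_hash != prev.digest():
                return prev.index
        if expected_head is not None and self.head_hash() != expected_head:
            return self.chain[-1].index
        return None

    def active(self, now, expected_head=None):
        """Addresses still blocked at `now`; entries older than the TTL lapse."""
        if self.verify(expected_head) is not None:
            raise ValueError("ledger failed integrity check; no rules derived")
        latest = {}
        for block in self.chain:
            for ip, ts in block.records:
                latest[ip] = max(ts, latest.get(ip, ts))  # re-listing renews
        return {ip for ip, ts in latest.items() if 0 <= now - ts < self.ttl}


if __name__ == "__main__":
    ledger = BlocklistLedger(ttl_seconds=600)
    ledger.append([("203.0.113.7", 1000), ("203.0.113.9", 1000)])
    ledger.append([("203.0.113.7", 1500)])
    head = ledger.head_hash()
    print(sorted(ledger.active(1550, head)))  # both addresses blocked
    print(sorted(ledger.active(1700, head)))  # only the re-listed address
```

Link verification alone does not cover the newest block, which is why `verify` accepts a head hash from other participants; in the surveyed schemes that agreement is what the consensus mechanism supplies.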

Collaborative Platforms
BloSS is a cooperative and collaborative prototype for threat information sharing based on an incentive model using blockchain, smart contracts and software-defined networking. Collaborators post information about new threats on the blockchain, whereby data is first stored in IPFS and the associated hash is stored in a block on Ethereum. Sensitive information is encrypted over the blockchain-based network, as confidentiality and integrity are essential in any cooperative model. An experimental evaluation to determine cost-benefit analysis using Truffle and Ganache was conducted in [71]. A global simulation across geographical nodes was also conducted using AWS. This modeling has been proven successful on both local and global networks [71,72]. A similar signaling mechanism, SC-FLARE, was separately presented by the authors in [73]. Participants usually lack motivation in cooperative defense systems. An incentive-based reputation mechanism for BloSS has been demonstrated in [74]. In a real-world setting, the final burden of rejecting traffic is on a cyber security analyst. Reference [75] proposes a visualization dashboard for BloSS. Distributed ledger technologies can be very useful for signaling, coordination and orchestration using blockchain-based smart contracts.

SOChain's detection mechanism is based on host machines constantly observing abnormal behavior in data and determining the latest attack address. The study argues that unfair exchange of threat data is an impediment between security operation centers. SOChain is a decentralized incentive-based data exchange platform where information sharing is rewarded using DDoS coin tokens. The blockchain-based platform helps to overcome trust and fairness issues. Partners can use bloom filters to search the threat data/IP addresses corresponding to irregularities or threats in their networks. A dual level bloom filter is also used to protect the privacy of the uploaded and purchased data between entities. Confidentiality is taken care of using Diffie-Hellman key-exchange and symmetric encryption, while integrity is assured using a signature method. The paper detailed the implementation of each filter and exchange level [76].

The authors in [77] employed a ranking mechanism focused on network providers sharing information in a trust federation. Once the DDoS attack is detected by an external agent, information sharing takes place over the blockchain network, assigning reputation scores based on historical information. Reputation scores determine the allocation of resources for attack defense, and the mitigation is assigned to the express data path framework. Blockchain is essentially used to store and share information for collaborative scoring before any mitigation process is deployed.

DefenseChain is another consortium for threat intelligence sharing and works on an incentive basis between organizations for effective impact on the mitigation process. The platform comparatively requires fewer resources and a shorter duration for deployment. The setup is based on the Dolus defense by pretense implementation. The implementation involves the NSF cloud, whereby information is shared and incentivized after threat detection by Ferntic using Python. DefenseChain involves multiple stage detection and mitigation in terms of policy update, attack traffic redirection and spoofing, which makes it slower compared to similar models. Despite the detection and mitigation time factor, the re-occurrence rate is lower [78].

A collaborative system that places IP lists, encrypted using an AES algorithm, into a swarm and a distributed file storage system embedded in Ethereum is reported in [79]. The blockchain hashing function guarantees tamper-proof lists. Compared to other similar systems, the researchers propose to store only hash values in the smart contract, which is transparent in nature. Instead, they store the encrypted IPs in the swarm and provide URLs for participants to check the IP list. The smart contract is used to determine potential DDoS sources by comparing the information provided by different collaborators. Once similar IPs are detected from multiple sources, these are flagged as potential threats. While the smart contract comparison is similar to a consensus protocol, attack botnets emerge from scrambled and different IPs in different attacks. This becomes a major limitation of the proposed approach.

An agent is allocated at each node consisting of multiple IoT devices and shares outbound traffic information with others to identify possible DDoS attacks. This information exchange uses a smart contract to ensure integrity of the cooperation and information in IoT networks [80].

Insider threats are one of the major issues in IoT sensor-based networks. Researchers investigate the effect of environment tampering on the perception layer and propose an Ethereum-based framework deploying smart contracts and edge computing, which validates the incoming data. This helps in preserving the data integrity for accurate analytics and processing. Ethereum is deployed on each edge node by selecting only one candidate for proof of work while distributing the processing results to all the nodes in the chain. A smart contract is written to validate the data integrity of the incoming sensor data, and faulty values are corrected using standard environmental conditions. Any insider tampering is corrected and registered with details, such as timestamp, for analysis. The experiment was conducted on a low computation power machine and Marvin, which signifies its scalability. Testing concluded that faulty data was changed to standard operating values before being forwarded for analytical processes [81]; this study did not specifically deal with DDoS mitigation. However, similar strategies have been used by other researchers for DDoS detection in an IoT-based network.
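The hash-on-chain, list-off-chain comparison described for [79] can be followed in code. This is an added example, not code from [79] or from this survey: `DigestLedger` and the provider names are hypothetical, a Python class stands in for the smart contract, AES encryption of the stored lists is left out, and the flagging threshold of two reporters is an assumption.

```python
import hashlib
from collections import defaultdict

def list_digest(ips):
    """SHA-256 over a canonical form (deduplicated, sorted, newline-joined)."""
    return hashlib.sha256("\n".join(sorted(set(ips))).encode()).hexdigest()

class DigestLedger:
    """Hypothetical stand-in for the smart contract: it records one digest per
    collaborator and never holds the IP lists themselves."""

    def __init__(self, threshold=2):
        self.threshold = threshold   # distinct reporters needed to flag an IP
        self.digests = {}            # collaborator -> digest recorded on-chain

    def publish(self, collaborator, ips):
        self.digests[collaborator] = list_digest(ips)

    def verify(self, collaborator, fetched_ips):
        """True only if the off-chain copy still matches the recorded digest."""
        return self.digests.get(collaborator) == list_digest(fetched_ips)

    def flag(self, fetched):
        """fetched maps collaborator -> list read back from off-chain storage.
        Returns (IPs in >= threshold verified lists, rejected collaborators)."""
        reporters, rejected = defaultdict(set), []
        for collaborator, ips in fetched.items():
            if not self.verify(collaborator, ips):
                rejected.append(collaborator)   # tampered or unpublished list
                continue
            for ip in set(ips):
                reporters[ip].add(collaborator)
        flagged = sorted(ip for ip, who in reporters.items()
                         if len(who) >= self.threshold)
        return flagged, sorted(rejected)

def demo():
    # Constructed sample data; addresses come from the documentation ranges.
    lists = {
        "provider_a": ["203.0.113.7", "198.51.100.20"],
        "provider_b": ["203.0.113.7", "192.0.2.55"],
        "provider_c": ["203.0.113.7", "198.51.100.20"],
    }
    ledger = DigestLedger(threshold=2)
    for name, ips in lists.items():
        ledger.publish(name, ips)
    # provider_c's stored copy is altered after its digest was recorded.
    fetched = dict(lists, provider_c=lists["provider_c"] + ["192.0.2.55"])
    return ledger.flag(fetched)

if __name__ == "__main__":
    print(demo())
```

Because provider_c's altered list fails the digest check, 192.0.2.55 is not pushed over the threshold, and 198.51.100.20 drops to a single verified reporter and goes unflagged, which is the limitation noted above for botnets whose addresses differ between collaborators.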
Table 1 presents an overview, highlights major findings and comments on crucial issues surrounding the studies included in this review, to pave the way for future research in this domain.

Table 1 (excerpt):
No learning and optimization from virtual blockchain to original blockchain has been demonstrated experimentally.
[71-73] Collaborative threat information sharing. Incentivized information sharing. Incentivized cooperative model based on blockchain is economically and geographically beneficial as a threat signaling system. Improvements to threat information storage and incentive model can be made further. Blockchain is essentially used for information sharing.
[74] Enhancement: Incentive Scheme for [71]. Applicable to [72,73].

Discussion-Open Challenges and Opportunities
The study revealed that the contemporary mitigation solutions are mostly applicable to specific scenarios or architectures. Some of the ideas are promising yet conceptual in nature without any experimental proofs and require further research to prove their validity and effectiveness for DDoS mitigation. Another open challenge is the scalability of these solutions to real world settings, which still remains to be studied. At the same time, the data used in some of the learning approaches is outdated, which complicates the effectiveness of such solutions. As the complexity and volume of DDoS attacks have increased over the years, the current solutions and any future work need to be evaluated based on realistic scenarios. Simulation environments must be able to mimic real world or near real world conditions both in terms of traffic and infrastructure. Predefined rules will cater only to already reported attacks while leaving the networks still vulnerable to new attacks. Dynamic learning approaches updated at short regular intervals must be studied. The mitigation architectures need to be implemented at a protocol level so that they are inherent in the network architecture, providing them greater inbuilt control over the traffic flow rather than being bystanders waiting for protocol execution before taking necessary measures for mitigation. The implementation at the protocol level will likely generalize the implementation of such solutions across various network domains and architectures. The inherent architecture of blockchain must also be studied and leveraged for effective mitigation solutions. Other emerging technologies such as network function virtualization, fog computing, edge computing, etc. must be included in the hybrid architecture of blockchain-based mitigation solutions.

Conclusions
The complexity of DDoS attacks has led to a considerable amount of losses, financially and computationally, and especially service denial. The projected numbers indicate a manifold increase in the next few years. The ever-increasing reliance on cyber physical systems and constant evolution of DDoS attacks demand innovative and more efficient solutions for DDoS detection and mitigation. Blockchain's inherent characteristics have proven to be a major leap in this domain. However, appropriate attention has not been given towards blockchain technology for cybersecurity, especially DDoS mitigation. As such, there is an immediate need to discuss the advancements in this area so that more focused research is directed to solve the critical issues at hand. This study provided a comprehensive review of all works related to DDoS mitigation strategies using blockchain. The discussion provided all relevant details of these approaches in one place and provided an overview of related methods and techniques in light of each other. A review overview was tabulated, highlighting the major findings and commenting on crucial issues surrounding these studies to pave the way for future research in this domain. A brief taxonomical approach was illustrated to provide an overview of the structure of mitigation solutions under review. Finally, limitations and opportunities were discussed in the preceding section. The discussion clearly indicates that this domain of research is still in its infancy, and blockchain has not been leveraged to its best potential to solve issues pertinent to DDoS mitigation.