
Research On The Techniques For The Detection And Prevention Of DDoS Attacks

Posted on: 2012-12-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D Q Wang
Full Text: PDF
GTID: 1228330467482691
Subject: Computer system architecture

Abstract/Summary:
Distributed denial of service (DDoS) attacks pose a significant threat to Internet security, and research on DDoS detection and defense has long been a hotspot. Existing DDoS solutions usually have shortcomings such as high false positive rates, low efficiency and a lack of linkage between detection and defense, so building efficient, integrated detection and defense systems with low false positive rates is the current objective of DDoS research. Previous work on preventing DDoS has focused primarily on attacks on a single server location. Increasingly, sites are served from content delivery networks, which brings a new challenge to DDoS researchers.

This research analyzes DDoS detection and defense, classifies the approaches systematically, identifies the main research points, advantages and disadvantages of each kind of method, and summarizes the challenges researchers face. On the basis of this analysis, the following research is carried out on techniques for the detection and prevention of DDoS attacks.

1) A DDoS detection method based on IP flow characteristics (the IP flow method) is proposed. This method applies statistical IP flow features to DDoS detection and divides IP flows into macro flows and micro flows, which helps statistical feature selection. The following five features for DDoS detection are summarized: percentage of abnormal packets (PAP), average number of packets per flow (ANPPF), percentage of correlative packets (PCF), one-direction generating speed (ODGS) and port generating speed (PGS). Finally, a neural network classifier is employed to achieve automatic detection. This method provides an effective and efficient way to detect DDoS.

2) An outlier detection based white list construction method is proposed to mitigate false positives. This method first filters suspicious attack traffic strictly, then runs outlier detection algorithms on the filtered datasets. The results of this data mining form the quasi-normal datasets, which are used to initialize and update the white list. Finally, with the help of the white list, wrongly filtered normal users get the chance to be served again. Experimental results show that the method ensures that other applications on the server keep running and recovers the attacked applications step by step. The outlier detection based method approaches false positive mitigation from a new angle with a new DDoS defense method.

3) In order to improve the efficiency of existing DDoS detection and defense methods, a general multi-core based DDoS defense architecture (M3D) is proposed. M3D provides independent working space for DDoS detection and defense by using multiple cores, which solves the problem of deploying DDoS defense on online equipment such as UTM devices. The M3D model is applied to the outlier detection based false positive mitigation method. Experimental results show that the M3D system achieves high reaction speed and efficiency. The use of multi-core technology improves the performance of existing detection and defense methods and decreases the load of security operations.

4) A basic experimental CDN network is designed and realized, and DDoS is studied in this environment. A site deployment algorithm is proposed to enhance the ability of the CDN to withstand DDoS, which is proved through experiments. Two special parts of the CDN, the default server and the smart DNS, are also researched. Experimental results show that these two parts can be used to enhance the ability of the CDN against DDoS.

The above research works are a helpful exploration of several techniques for the detection and prevention of DDoS attacks. The proposed IP flow based detection method and outlier detection based false positive mitigation method are improved through the use of the M3D model, which introduces multi-core processing to DDoS detection and defense and improves the efficiency of existing methods. The research on DDoS in CDNs provides a way of deploying web sites within a single ISP, which enhances the ability of the CDN against DDoS. DDoS prevention is a complicated systems project, and more efforts are still needed to perfect and improve the current methods beyond the research works of this dissertation.
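The abstract names the five IP flow features of method 1) and describes the filter-then-outlier-detect pipeline of method 2) without giving the exact definitions. The following worked example is added here to make both concrete; it is not code from the dissertation. The feature definitions (macro flow = all packets from one source, micro flow = 5-tuple, "correlative" = answered by the peer), the strict rate threshold, the sum-of-squared-z-score outlier test, the 10-second window and all addresses and packet records are assumptions constructed for the example. It also assumes, as a reading of the abstract, that the strictly filtered set is dominated by attack sources, so the outliers within it are the wrongly filtered normal users.

```python
"""Added worked example (not the dissertation's code): IP flow features per
macro flow, a deliberately strict filter, and an outlier-based white list
that lets a wrongly filtered client be served again. All definitions,
thresholds and packet records below are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 10.0            # seconds covered by the constructed capture
SERVER = "192.0.2.10"    # the protected service (constructed address)
RATE_LIMIT = 0.8         # packets/s; deliberately strict (assumption)
OUTLIER_SCORE = 10.0     # 2 x number of features (assumption)
FEATURES = ("PAP", "ANPPF", "PCF", "ODGS", "PGS")


def build_packets():
    """Constructed packet records: (time, src_ip, src_port, dst_ip, dst_port,
    tcp_flags, well_formed). One ordinary client plus five flooding sources."""
    pkts = []
    for i, sport in enumerate((40000, 40001, 40002)):  # three answered connections
        t = 1.0 + 3.0 * i
        pkts += [(t, "10.0.0.5", sport, SERVER, 80, "S", True),
                 (t + 0.05, SERVER, 80, "10.0.0.5", sport, "SA", True),
                 (t + 0.10, "10.0.0.5", sport, SERVER, 80, "A", True),
                 (t + 0.15, "10.0.0.5", sport, SERVER, 80, "PA", True)]
    floods = {"10.0.0.6": (20, 4), "10.0.0.7": (24, 6), "10.0.0.8": (30, 9),
              "10.0.0.9": (18, 3), "10.0.0.10": (26, 8)}  # (packets, malformed)
    for src, (count, bad) in floods.items():
        for k in range(count):  # every packet opens a new, never answered micro flow
            pkts.append((k * WINDOW / count, src, 50000 + k, SERVER, 80,
                         "SF" if k < bad else "S", k >= bad))
    return sorted(pkts)


def flow_features(packets, server=SERVER, window=WINDOW):
    """Macro flow = all packets from one client; micro flow = (sip, sport, dip, dport).
    Returns {src_ip: {PAP, ANPPF, PCF, ODGS, PGS, rate}} for every client source."""
    seen = {(p[1], p[2], p[3], p[4]) for p in packets}
    macro = defaultdict(list)
    for p in packets:
        if p[1] != server:  # the protected server only answers; it is not a client
            macro[p[1]].append(p)
    feats = {}
    for src, pk in macro.items():
        micro = defaultdict(list)
        for p in pk:
            micro[(p[1], p[2], p[3], p[4])].append(p)
        # a micro flow is "correlative" when the peer sent a reverse-direction packet
        answered = {k for k in micro if (k[2], k[3], k[0], k[1]) in seen}
        n = len(pk)
        feats[src] = {
            "PAP":   100.0 * sum(not p[6] for p in pk) / n,        # abnormal packets
            "ANPPF": n / len(micro),                               # packets per micro flow
            "PCF":   100.0 * sum(len(micro[k]) for k in answered) / n,
            "ODGS":  (len(micro) - len(answered)) / window,        # one-way flows per second
            "PGS":   len({p[2] for p in pk}) / window,             # new source ports per second
            "rate":  n / window,
        }
    return feats


def strict_filter(feats, limit=RATE_LIMIT):
    """Stage 1: a coarse rate filter that knowingly catches some normal clients."""
    return {s for s, f in feats.items() if f["rate"] >= limit}


def outlier_scores(feats, filtered):
    """Sum of squared per-feature z-scores, computed over the filtered set only."""
    cols = {name: [feats[s][name] for s in sorted(filtered)] for name in FEATURES}
    stats = {name: (mean(v), pstdev(v)) for name, v in cols.items()}
    scores = {}
    for s in filtered:
        total = 0.0
        for name, (mu, sd) in stats.items():
            if sd > 0:  # a feature identical across the set carries no outlier information
                total += ((feats[s][name] - mu) / sd) ** 2
        scores[s] = total
    return scores


def build_whitelist(feats, limit=RATE_LIMIT, threshold=OUTLIER_SCORE):
    """Stage 2: sources that stand out from the (mostly attack) filtered set form
    the quasi-normal data set, which initializes the white list."""
    filtered = strict_filter(feats, limit)
    if len(filtered) < 3:  # too few points to estimate a profile; admit nobody yet
        return set(), filtered
    scores = outlier_scores(feats, filtered)
    return {s for s, sc in scores.items() if sc > threshold}, filtered


def admit(src, filtered, whitelist):
    """A filtered source is served again once it is on the white list."""
    return src not in filtered or src in whitelist


if __name__ == "__main__":
    feats = flow_features(build_packets())
    wl, blocked = build_whitelist(feats)
    for src in sorted(feats):
        print(src, {k: round(v, 2) for k, v in feats[src].items()},
              "served" if admit(src, blocked, wl) else "dropped")
```

Running the script shows the strict rate filter catching the ordinary client 10.0.0.5 together with the five flooding sources, and the outlier stage then putting only that client on the white list, because its ANPPF, PCF and ODGS values sit far from the flood profile. The inverse reading (normal users as the majority of the filtered set) would need the roles swapped, which is why the assumed composition of the filtered set is stated up front.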
Keywords/Search Tags: DDoS, DDoS detection, IP flow, neural network, DDoS prevention, outlier detection, multi-core, content delivery network