
The Research On Traceback And Distributed Defense Scheme Against DDoS Attack

Posted on: 2006-09-16
Degree: Master
Type: Thesis
Country: China
Candidate: Z H Zhou
Full Text: PDF
GTID: 2168360152470218
Subject: Software engineering

Abstract/Summary:
Distributed Denial-of-Service (DDoS) attacks are among the hardest security problems on the Internet today. Because a vast number of insecure machines exist on the Internet, automated attack tools are easy to download, and attackers often use spoofed source addresses, defending against such attacks and tracing back the attackers is extremely difficult. DDoS attacks remain unmitigated despite several proposed DDoS defense systems that offer excellent protection against specific attack scenarios.

In this paper, the mechanism of DDoS, its attack methods, hardening technology, and existing defense and traceback approaches are discussed. A router-based distributed defense system, DIS, is then proposed. The main work is as follows:

1) Current packet marking schemes used for DDoS traceback are analyzed. Following the FMS marking idea and using a cryptographic digital signature, a self-adaptive hash digital signature marking scheme, AHSM, is developed: the routers a packet passes through attach a hash digital signature with a variable probability instead of a constant probability. Because a hash digest is used, signature processing is fast, the false-positive rate is low, and the overhead of reconstructing the attack path is low. The marking keeps the IP address from being tampered with and makes the sender non-repudiable; furthermore, it effectively defends against tampered routers. With a variable probability, fewer packets are needed to reconstruct the attack path, so the victim can respond to the attack more promptly.

2) Based on the observation that many new IP address aggregations appear and the request rate of legitimate users decreases while an attack is in progress, a DDoS detection scheme using a statistical method is designed. A legitimate IP address aggregation database is created to store aggregation information classified by source address and request count. The rate of new IP address aggregations and the request rate are checked periodically to determine whether an attack is ongoing.

3) To address the single-point deployment shortcoming of existing DDoS defense systems, the components of DIS are deployed in a distributed way. The detection module can promptly observe a DDoS attack when deployed at an upstream router, and can detect it precisely when deployed at the victim end. For traceback, besides adopting AHSM, the first router a packet passes through adds a proxy signature, enabling precise traceback to the real origin. The response module is deployed at the source end, in the intermediate network, and at the victim end. Responses are delivered over the AS controller network, which is logically an overlay network, so response is fast. Due to the accuracy of traceback,

Finally, the proposed DIS scheme is shown to be effective and feasible by theoretical analysis and simulation experiments.
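The variable-probability marking of item 1 can be seen in a small simulation. The following Python script is an added example, not code from the thesis or the DIS system. It assumes a single n-hop path, that router i (counted from the attacker side) marks with probability 1/i (one standard adaptive choice; the abstract does not fix the exact probability function), that a mark consists of the router id plus a 16-byte HMAC-SHA256 tag over router id and destination under a per-router key the victim is assumed to hold, and that a later mark overwrites an earlier one. The victim discards marks whose tag does not verify, which is what lets the scheme reject marks forged by a tampered router. The `survival_probability` function shows analytically why the adaptive scheme needs fewer packets: every router's mark reaches the victim with the same probability 1/n, whereas with a constant probability the marks of distant routers are almost always overwritten.

```python
"""Probabilistic packet marking with a per-router hash authenticator (simulation).

Added example, not the thesis's code. Assumptions: router i on an n-hop path
marks with probability p_i; a mark is (router_id, HMAC-SHA256 tag truncated to
16 bytes over router_id||destination under that router's key, which the victim
is assumed to share); later routers overwrite earlier marks.
"""
import hashlib
import hmac
import random
from typing import Dict, List, Optional, Tuple

Mark = Tuple[int, bytes]  # (router_id, authenticator tag)


def make_tag(key: bytes, router_id: int, dst: str) -> bytes:
    """Hash-based authenticator a router attaches to its mark."""
    msg = router_id.to_bytes(2, "big") + dst.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def adaptive_probs(n: int) -> List[float]:
    """Variable marking probability: router i (1 = first hop after the source) marks with 1/i."""
    return [1.0 / i for i in range(1, n + 1)]


def constant_probs(n: int, p: float) -> List[float]:
    """Classic constant marking probability for comparison."""
    return [p] * n


def survival_probability(probs: List[float]) -> List[float]:
    """Probability that router i's mark reaches the victim without being overwritten."""
    n = len(probs)
    out = []
    for i in range(n):
        s = probs[i]
        for j in range(i + 1, n):
            s *= 1.0 - probs[j]
        out.append(s)
    return out


def forward_packet(probs: List[float], keys: Dict[int, bytes], dst: str,
                   rng: random.Random) -> Optional[Mark]:
    """Push one packet along the path; each router may overwrite the mark field."""
    mark = None
    for i, p in enumerate(probs):
        router_id = i + 1
        if rng.random() < p:
            mark = (router_id, make_tag(keys[router_id], router_id, dst))
    return mark


def verify_mark(mark: Mark, keys: Dict[int, bytes], dst: str) -> bool:
    """Victim-side check: reject marks whose tag does not verify under the claimed router's key."""
    router_id, tag = mark
    key = keys.get(router_id)
    if key is None:
        return False
    return hmac.compare_digest(tag, make_tag(key, router_id, dst))


def packets_to_reconstruct(probs: List[float], keys: Dict[int, bytes], dst: str, seed: int) -> int:
    """Packets received before every router on the path appears in a verified mark."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while len(seen) < len(probs):
        count += 1
        mark = forward_packet(probs, keys, dst, rng)
        if mark is not None and verify_mark(mark, keys, dst):
            seen.add(mark[0])
    return count


def demo_keys(n: int) -> Dict[int, bytes]:
    """Constructed per-router keys for the simulation (provisioned out of band in a real deployment)."""
    return {i: hashlib.sha256(b"constructed-router-key-%d" % i).digest() for i in range(1, n + 1)}


def compare(n: int = 10, p_const: float = 0.04, trials: int = 20) -> Dict[str, float]:
    """Mean packets needed for full path reconstruction, adaptive vs constant probability."""
    keys = demo_keys(n)
    dst = "198.51.100.7"  # constructed victim address
    adaptive = [packets_to_reconstruct(adaptive_probs(n), keys, dst, s) for s in range(trials)]
    constant = [packets_to_reconstruct(constant_probs(n, p_const), keys, dst, s) for s in range(trials)]
    return {"adaptive_mean": sum(adaptive) / trials, "constant_mean": sum(constant) / trials}


if __name__ == "__main__":
    print("survival (adaptive):", survival_probability(adaptive_probs(10)))
    print("survival (constant):", survival_probability(constant_probs(10, 0.04)))
    print(compare())
```

With the 1/i choice the survival probabilities collapse to exactly 1/n for every router, which is what makes the coupon-collector style reconstruction finish in far fewer packets than the constant-probability scheme, whose first-hop router survives with probability only p(1-p)^(n-1).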
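The statistical detection of item 2 can be made concrete with the following Python script, an added example that is not the thesis's code. It assumes details the abstract leaves open: an "aggregation" is the /24 prefix of the source address, the legitimate aggregation database is learned from an attack-free window, the baseline indicator values come from a second normal window (so ordinary churn of new prefixes is tolerated), and the thresholds `NEW_AGG_FACTOR` and `LEGIT_DROP_FACTOR` are illustrative. Requiring both indicators to move in the attack direction is a design choice made here so that a flash crowd (many new prefixes but no drop in legitimate request rate) is not reported as an attack; the sample traffic is constructed, not captured.

```python
"""Statistical DDoS detection from source-address aggregation statistics.

Added example (not the thesis's code). Assumed specifics: an "aggregation"
is the /24 prefix of the source address; the database comes from an
attack-free learning window; an attack is declared when the new-aggregation
rate rises well above baseline while the request rate from known
aggregations falls well below baseline.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

NEW_AGG_FACTOR = 5.0     # new-aggregation rate must exceed 5x baseline (assumed threshold)
LEGIT_DROP_FACTOR = 0.5  # known-aggregation request rate must fall below 0.5x baseline (assumed)
WINDOW = 60.0            # seconds per monitoring window (assumed)


def aggregate(addr: str, prefix_len: int = 24) -> str:
    """Map an IPv4 address to its aggregation key, the /prefix_len network it belongs to."""
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))


def build_legit_db(addrs: Iterable[str]) -> Dict[str, int]:
    """Legitimate aggregation database: aggregation -> request count, from an attack-free window."""
    return dict(Counter(aggregate(a) for a in addrs))


def window_stats(db: Dict[str, int], addrs: Iterable[str], seconds: float) -> Dict[str, float]:
    """Per-window indicators: new aggregations per second, requests per second from known ones."""
    new_aggs = set()
    legit_requests = 0
    for a in addrs:
        key = aggregate(a)
        if key in db:
            legit_requests += 1
        else:
            new_aggs.add(key)
    return {"new_agg_rate": len(new_aggs) / seconds,
            "legit_req_rate": legit_requests / seconds}


def is_attack(baseline: Dict[str, float], current: Dict[str, float]) -> bool:
    """Both indicators must move in the attack direction; this keeps flash crowds from alarming."""
    surge = current["new_agg_rate"] > NEW_AGG_FACTOR * baseline["new_agg_rate"]
    drop = current["legit_req_rate"] < LEGIT_DROP_FACTOR * baseline["legit_req_rate"]
    return surge and drop


# --- constructed sample traffic (not captured data) ---
LEGIT_NETS = ["10.1.1", "10.1.2", "192.0.2"]


def legit_traffic(per_net: int) -> List[str]:
    """per_net requests from each known legitimate /24."""
    return [f"{net}.{h}" for net in LEGIT_NETS for h in range(1, per_net + 1)]


def many_new_sources(count: int) -> List[str]:
    """One request from each of `count` previously unseen /24s."""
    return [f"172.16.{i}.1" for i in range(count)]


def run_demo() -> Dict[str, bool]:
    """Evaluate three constructed monitoring windows against the learned baseline."""
    db = build_legit_db(legit_traffic(40))  # learning window: 40 requests per known /24
    # normal window used as baseline: 30 per known /24 plus two requests from one new /24
    baseline = window_stats(db, legit_traffic(30) + ["10.1.3.5", "10.1.3.9"], WINDOW)
    windows = {
        # ordinary churn: one new /24, legitimate rate roughly unchanged
        "quiet": legit_traffic(28) + ["10.1.4.2"] * 3,
        # 200 new /24s while known users get through at a fraction of their usual rate
        "attack": many_new_sources(200) + [f"10.1.1.{h}" for h in range(1, 21)],
        # many new /24s but known users unaffected: not treated as an attack here
        "flash_crowd": many_new_sources(100) + legit_traffic(30),
    }
    return {name: is_attack(baseline, window_stats(db, addrs, WINDOW))
            for name, addrs in windows.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {'ATTACK' if verdict else 'normal'}")
```

In the attack window the new-aggregation rate is 200 per minute against a baseline of 1 per minute, and the known-aggregation request rate drops from 90 to 20 per minute, so both conditions hold; in the flash-crowd window only the first holds, so no alarm is raised.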
Keywords/Search Tags: DDoS attack, Distributed defense, Packet-marking traceback, digital signature