Research Of Detecting Method Against DDoS Attack Based On Behaviors Of Network Traffic

Posted on: 2011-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: H W Li
Full Text: PDF
GTID: 2178360308468837
Subject: Computer Science and Technology

Abstract/Summary:
The rapid development of the Internet brings potential safety problems along with its convenience. Among all these attacks, DDoS (distributed denial of service) is one of the more destructive and difficult to prevent. According to the latest surveys, a number of large websites equipped with strong security controls, such as Yahoo, the Korea Ministry of National Defense and the U.S. Bureau of special circumstances, have been subjected to DDoS attacks. Thus, how to detect DDoS attacks quickly and efficiently has become a hot issue in network security.

Network traffic has distinguishable characteristics in the distribution of overall traffic and of packet length. First, the self-similar characteristic of network traffic has been well recognized by researchers. Detecting attacks by analyzing the self-similarity of network traffic is sensitive and efficient with low cost. Recent research on it has attained some achievements, but difficulties and deficiencies still exist. Second, packet size in network traffic follows a bimodal distribution: big and small packets together account for 80% of all packets. The packet size distribution is affected to some extent under anomalous conditions. Based on these two statistical characteristics, we have done the following work.

First, we established a continuous multi-scale model of the flow characteristic through analysis of experimental results. This model adopts an extended wavelet analysis method and concludes, from the analysis of high-precision data sets captured by hardware, that the self-similar characteristic of network traffic develops gradually from scratch to weakness and then to strength, and that network traffic exhibits mono-fractal behavior. Second, for SYN flood, we propose a DDoS attack detection method based on the self-similarity of small packets. When the anomalous flow is not large enough to affect the characteristics of the whole flow, analysis of the whole-flow characteristic may fail. We therefore propose a new method that separates the big and small packets in the flow and detects the features of the small packets only. Experiments have shown that this method can detect the attack effectively. Lastly, we propose a new SYN Flood detection mechanism based on active detection. Exploiting the bimodal distribution of packet size in network traffic, the method brings packet-pair technology to abnormal traffic detection, detecting SYN Flood according to the change in background flow length. Experimental results show that the method has a higher hit rate and a lower false alarm rate. Being based on end-to-end technology, this method also has better flexibility and controllability.
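As an added illustration (example code written for this page, not code from the thesis), the following Python sketch shows the small-packet separation and a self-similarity estimate of the kind the abstract relies on, run on constructed traffic. The self-similar background is synthesised from ON/OFF sources with Pareto-distributed durations, a SYN flood is stood in for by an independent, memoryless count series, and the Hurst parameter is estimated with the aggregated-variance (variance-time) method rather than the wavelet method of the thesis. The 128-byte size cut-off, the flood rate, the number of sources and the 0.1 detection margin are all assumptions chosen for the example, not values from the thesis.

```python
import itertools
import math
import random
import statistics

# Size threshold for the big/small split is an assumption for this example;
# the thesis only states that packet sizes are bimodal, not the cut-off.
SMALL_PACKET_BYTES = 128


def small_packet_counts(packets, n_slots):
    """Separate small packets from big ones and count small packets per time slot.
    `packets` is an iterable of (slot_index, size_bytes) tuples."""
    counts = [0] * n_slots
    for slot, size in packets:
        if 0 <= slot < n_slots and size <= SMALL_PACKET_BYTES:
            counts[slot] += 1
    return counts


def onoff_source_counts(n_slots, n_sources, alpha, seed):
    """Constructed background: superposed ON/OFF sources whose ON and OFF
    durations are Pareto(alpha) distributed (1 < alpha < 2), the classic
    recipe for long-range dependent, self-similar traffic. Each source emits
    one small packet per slot while ON."""
    rng = random.Random(seed)
    counts = [0] * n_slots
    for _ in range(n_sources):
        t, on = 0, rng.random() < 0.5
        while t < n_slots:
            dur = int(rng.paretovariate(alpha))  # always >= 1
            if on:
                for k in range(t, min(t + dur, n_slots)):
                    counts[k] += 1
            t += dur
            on = not on
    return counts


def flood_counts(n_slots, rate, seed):
    """Constructed SYN-flood component: independent counts around a fixed
    rate (normal approximation to Poisson). It carries no long-range memory."""
    rng = random.Random(seed)
    return [max(0, round(rng.gauss(rate, math.sqrt(rate)))) for _ in range(n_slots)]


def hurst_variance_time(series, max_block=256, min_blocks=16):
    """Aggregated-variance estimate of the Hurst parameter H. For block size
    m the variance of the block means scales as m**(2H-2): an i.i.d. series
    gives slope -1 (H = 0.5), self-similar traffic a shallower slope (H > 0.5)."""
    xs, ys = [], []
    m = 1
    while m <= max_block and len(series) // m >= min_blocks:
        n_blocks = len(series) // m
        means = [sum(series[i * m:(i + 1) * m]) / m for i in range(n_blocks)]
        var = statistics.pvariance(means)
        if var <= 0:
            break
        xs.append(math.log(m))
        ys.append(math.log(var))
        m *= 2
    xbar, ybar = statistics.fmean(xs), statistics.fmean(ys)
    slope = (sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
             / sum((x - xbar) ** 2 for x in xs))
    return 1.0 + slope / 2.0


def flood_suspected(baseline_h, window_h, drop=0.1):
    """Alert when the self-similarity of the small-packet stream drops markedly
    below its baseline; the 0.1 margin is an assumed tuning value."""
    return window_h < baseline_h - drop


def demo(n_slots=8192):
    """Baseline window vs. a flooded window; returns (H_baseline, H_window, alert)."""
    background = onoff_source_counts(n_slots, 30, 1.5, seed=1)
    baseline_h = hurst_variance_time(background)
    # Flooded window: same kind of background plus a memoryless SYN stream.
    # Packet sizes here are constructed: 60-byte SYNs/small packets, 1400-byte big packets.
    window_bg = onoff_source_counts(n_slots, 30, 1.5, seed=2)
    syn = flood_counts(n_slots, 150, seed=3)
    packets = itertools.chain(
        ((t, 60) for t, c in enumerate(syn) for _ in range(c)),
        ((t, 60) for t, c in enumerate(window_bg) for _ in range(c)),
        ((t, 1400) for t in range(n_slots)),  # big packets, dropped by the split
    )
    window_h = hurst_variance_time(small_packet_counts(packets, n_slots))
    return baseline_h, window_h, flood_suspected(baseline_h, window_h)


if __name__ == "__main__":
    b, w, alert = demo()
    print(f"baseline H={b:.2f}  flooded-window H={w:.2f}  alert={alert}")
```

The split keeps the big-packet stream out of the statistic entirely, which is what lets a flood that is small relative to total bytes still dominate the small-packet count series and pull its Hurst estimate back toward the 0.5 of memoryless traffic. In practice the baseline should be learned per link and time of day, since the self-similarity of legitimate traffic itself varies, as the abstract's multi-scale model notes.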
Keywords/Search Tags: DDoS attack, Abnormal detection, Self-similarity, Active detecting, Packet pair