| The increasing popularity of web-based applications has led to several critical services being provided over the internet. This has made it imperative to guarantee network security and availability of resources. Distributed Denial of Service, which depletes the network's resource and denies service to legitimate users, is one of the hardest security problems in the internet. Our research work includes: DDoS defense scheme within an ISP or domain; IP traceback scheme and packet filtering scheme based on multi-edge mark.There isn't a feasible approach to deal with DDoS attack within the entire INTERNET up to now. In this paper, a system to work out it within an ISP or domain is proposed. The system, which consists of Intrusion Detection System (IDS), IP traceback (IP marking) and packet filtering subsystems, is practical and easy to deploy. This approach enables a local network operator to prevent DDoS attack traffic from entering its network.The multi-edge mark-based IP traceback scheme allows the victim to traceback to or near to the origin of the attackers with the help of the network administrator. The scheme features high performance efficiency and no false positive. Compared with the previous solutions, such as single-edge mark-based IP traceback scheme, it has high precision and low computation overhead for victim to reconstruct the attack path. Single-edge mark-based intelligent packet filtering can effectively filter out the majority of DDoS traffic. But many legitimate packets are wrongly filtered out. To improve the performance, a multi-edge mark-based scheme is proposed in this paper. It leverages on multiple edges marking and weight technologies to drastically reduce the rate of the legitimate packets which are filtered.In our research work, Using simulation and quantitative measures, we find that our mechanism works successfully. |
PDF Full Text Request