
Design And Implementation Of DDoS Detection System Based On Malware Farming

Posted on: 2018-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: R Sun
GTID: 2348330536481607
Subject: Software engineering
Abstract/Summary:
Distributed denial-of-service (DDoS) attacks have been a serious threat to Internet security for many years. A DDoS attack is malicious behavior in which an attacker remotely controls a botnet to attack a target computer. Botnets consist of a large number of puppet machines, also known as broilers. Because DDoS attacks are highly concealed, simple to carry out and destructive, many Internet companies, including Baidu, Sina and Amazon, have experienced them, and the number of DDoS attacks has been on the rise in recent years. It is therefore vital for contemporary cybersecurity to be able to detect such attacks in time and to track attackers accurately.

Based on recent industry research on DDoS, this paper first analyzes the characteristics of DDoS attacks and the methods for detecting and tracing them. It then analyzes the related technologies, honeypots and virtual farming environments. Finally, it proposes a method that reconstructs DDoS attacks and traces DDoS attackers by farming malicious samples. The system implements this method by simulating all aspects of a DDoS attack.

The system includes a DDoS malware capture module, a malware farming module, a traffic monitoring module, a victim analysis module and a traceback module. The malware capture module is built mainly on interactive honeypot technology and is responsible for capturing the malicious samples to be farmed. The malware farming module, based on a study of virtual environment technology under Linux, farms the captured samples over the long term in order to actively capture attack events. The traffic monitoring module monitors the traffic of the farming environment in real time to determine whether DDoS events have occurred and responds differently depending on the situation. The victim analysis module analyzes the detected DDoS events in detail; its results include the victim's information, the attack type and the traffic size of the attack. This module is also responsible for promptly cutting off ongoing DDoS attacks. The traceback module mainly analyzes the DDoS event log and information from the other modules to find the IP address of the initiator of the DDoS attack event.

Functional and performance testing shows that the system achieves all of the module functions above. The system can capture a large number of active DDoS malware samples and can actively trace numerous DDoS control terminals while the samples are farmed. The entry point of DDoS detection and traceback is moved up from the downstream end of the attack chain to the middle. Starting from the puppet machine node, the network information of the victim and of the host side can be analyzed simultaneously, which is important for active defense against DDoS attacks.
Keywords/Search Tags:DDoS attack, DDoS traceback, DDoS detection, malware farming, honeypot