
Research On Defense Against TCP-based Distributed Denial-of-Service Attack

Posted on: 2006-08-14
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Chen
GTID: 1118360185497302
Subject: Computer software and theory

Abstract/Summary:
Distributed Denial of Service (DDoS) attacks, large-scale cooperative attacks launched from a large number of compromised hosts, are a major threat to Internet services. DDoS uses a client/server technique and combines multiple hosts to form an attack platform. Popular web sites, search engines and government web sites, such as Yahoo, CNN, and Amazon, are among the well-known victims of DDoS attacks, yet an even larger number of online companies depend on the stability and availability of the Internet and face considerable losses should they become the target of a DDoS attack. More than 90% of DDoS attacks exploit a system's Transmission Control Protocol (TCP). Research on this kind of attack is significant for the security and reliability of the Internet.

Defense against DDoS has received much attention from scholars, yet there is currently no defense against such attacks that provides efficient detection. Due to the distributed and cooperative nature of DDoS, the best solutions should use a distributed and cooperative strategy. Unfortunately, cooperative methods call for the wide deployment of defense systems, which may be dispersed across different domains supported by different Internet Service Providers (ISPs), all potentially having distinct administrative strategies and security policies. This makes it very difficult to design a distributed defense system. Furthermore, since not every ISP will directly benefit from the deployment of a cooperative defense system, some ISPs are not strongly motivated to cooperate. All of these difficulties discourage researchers from seeking an efficient distributed cooperative defense method.

The basic philosophy of our defense method is to deploy different defense methods at different places, with each method working autonomously and independently and needing no cooperation or support from other infrastructure elements. This makes deployment much more practical. Independent defenses at different locations bring different challenges. To address these challenges, this thesis proposes three defense methods at different deployment locations: at the source side, at the victim side and at the innocent subnet side.

1. A light-weight defense method at the source side. Several drawbacks of source-end defense prevent it from practical use. One is inaccurate detection. Compared to the attack traffic at the victim side, the malicious traffic near the source end is relatively low in volume and does not show evident features, which makes accurate...
Keywords/Search Tags: Network Security, Distributed Denial-of-Service attack, Change-point Detection, Active Probing, Backscatter Detection