
Research On Traffic Analysis And Control Based DDoS Defense Techniques And Architecture

Posted on: 2010-02-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W Wei
GTID: 1118360302458545
Subject: Computer Science and Technology

Abstract/Summary:
Because it is easy to mount and hard to defend against, the Denial of Service (DoS) attack has become one of the most severe threats on the Internet. Its distributed form, the Distributed Denial of Service (DDoS) attack, is more harmful still and is one of the central problems studied in Internet security. Starting from a classification of current DDoS attacks and the state of the art in defense techniques, this dissertation proposes a series of methods that detect DDoS by its specific characteristics in network traffic. The work focuses on DDoS flooding attacks and divides them into connection-blocking attacks and common flooding attacks. Against the periodic bursts of a connection-blocking attack, it proposes a method that samples bytes per time unit, uses the power spectral density as the statistical tool, and uses the sum of power in the lower frequencies as the detection indicator; the method is accurate and efficient. Based on the fact that a common flooding attack breaks the correlation between the traffic flowing to and from the server network, it proposes a method that uses the extended first-connection density as samples, uses the cross-correlation function to represent that correlation, and detects common flooding attacks with a fuzzy-logic classifier. The method has low false-positive and false-negative rates. Because in a common flooding attack multiple attackers generate attack traffic with similar tools and similar parameters, there is correlation among the attacking flows and within each single flow. The method in this dissertation measures the correlation among multiple flows with a statistical distance and the correlation inside a single flow with Kolmogorov complexity (KC), and can effectively distinguish an attacking flow from a legitimate one.

For DDoS response, the dissertation proposes traffic-control-based methods. Because of the periodic bursts in connection-blocking attack traffic, traffic balancing can effectively reduce the attack's effect. The dissertation proposes a method that balances multiple incoming flows: it shares the victim's incoming bandwidth evenly among the multiple incoming links of the responding router and can guarantee the throughput of legitimate traffic at very low cost. On the other hand, the periodic bursts of a connection-blocking attack can be smoothed by large router buffers, so a leaky-bucket and packet-queue based response method at upstream routers is proposed; it smooths the attack traffic without noticeably increasing packet latency. For common flooding attacks, the dissertation proposes a method based on multi-resource max-min fairness that uses the Autonomous System (AS) as the response unit. In this method, the edge routers of the AS throttle traffic to the victim according to the latest consumption of the victim's resources and periodically update the throttling threshold from the victim's feedback; as a result, two kinds of victim resources, bandwidth and processor, are effectively protected.

For DDoS prevention, the dissertation proposes a mechanism that uses AS-verification-based dynamic capabilities. It uses two-level capabilities and lowers the cost of the original capability-based architecture. Against the problem that high-throughput connections would frequently have to apply for resources and therefore transfer inefficiently, it proposes a mechanism that distributes resources dynamically using historical information, raising transfer efficiency while still meeting security needs. Against the problem that the current capability architecture cannot effectively defend against connection-blocking attacks, a mechanism is set up that bounds the time-to-live of a capability from above; it can suppress traffic bursts and prevent connection-blocking attacks. Experiments indicate that the improved prevention architecture has lower overhead than the original capability-based architecture and can defend against more DDoS variants.

Finally, a defense architecture with the AS as its unit is built from the above techniques. Elements inside the architecture interact effectively to detect and respond to attacks, and the architectures in different ASes interact actively to amplify the defensive effect. The architecture supports incremental deployment. Experiments show that it outperforms the newest existing architecture and can adapt to worse conditions than existing architectures. Future work includes detection techniques against the new generation of DDoS; new DDoS suppression mechanisms; new architectures; and applying the results here to other large-scale network attacks.
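The abstract's first detection method (sample bytes per time unit, compute the power spectral density, sum the power in the lower frequencies) is concrete enough to be shown in code. The block below is an added illustration written for this page, not the dissertation's implementation: the sample series, the low-band cutoff (the lowest eighth of the one-sided spectrum) and the decision threshold of 0.5 are all constructed assumptions, and the indicator used is the low-band share of total non-DC power rather than whatever absolute statistic the dissertation used.

```python
"""
Added example (not from the dissertation): PSD-based detection of the periodic
bursts that characterise a connection-blocking DDoS attack, from a series of
bytes observed per time unit. Pure standard library; O(N^2) DFT is fine for N=64.
"""
import cmath
import math


def periodogram(samples):
    """One-sided PSD estimate |X[k]|^2 / N for k = 0 .. N//2, after removing the mean
    so the DC bin does not swamp the burst frequencies."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [x - mean for x in samples]
    psd = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, x in enumerate(centred):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        psd.append(abs(acc) ** 2 / n)
    return psd


def low_frequency_ratio(samples, band_fraction=0.125):
    """Share of total non-DC power that lies in bins 1 .. band_fraction*N.
    band_fraction=0.125 (assumed here) keeps the lowest eighth of the spectrum."""
    psd = periodogram(samples)
    cutoff = max(1, int(len(samples) * band_fraction))
    low = sum(psd[1:cutoff + 1])
    total = sum(psd[1:])
    return low / total if total > 0 else 0.0


def is_periodic_burst(samples, threshold=0.5):
    """Detection decision: periodic bursts concentrate power in the low band.
    The 0.5 threshold is an assumption for this example, not a tuned value."""
    return low_frequency_ratio(samples) > threshold


def _lcg_noise(count, seed=12345):
    """Deterministic pseudo-random values in [0, 1) so the example is reproducible."""
    state = seed
    out = []
    for _ in range(count):
        state = (state * 1103515245 + 12345) % (1 << 31)
        out.append(state / (1 << 31))
    return out


def legitimate_series(n=64, baseline=3000, jitter=500):
    """Constructed benign traffic: a steady rate with white-noise jitter (bytes/unit)."""
    return [baseline + (u - 0.5) * 2 * jitter for u in _lcg_noise(n)]


def attack_series(n=64, period=16, burst_len=4, burst=9000, idle=200):
    """Constructed connection-blocking attack: short bursts repeating every `period` units."""
    return [burst if t % period < burst_len else idle for t in range(n)]


if __name__ == "__main__":
    for name, series in (("legitimate", legitimate_series()), ("attack", attack_series())):
        ratio = low_frequency_ratio(series)
        print(f"{name:10s} low-band power share = {ratio:.3f} "
              f"-> {'ALERT' if is_periodic_burst(series) else 'ok'}")
```

For the constructed attack series the bursts repeat every 16 units, so nearly all non-DC power sits at the fundamental and second harmonic (bins 4 and 8 of a 64-sample window), both inside the low band; the white-noise series spreads its power across all bins and stays well under the threshold. In practice the sampling interval must be short relative to the burst period the attack uses, and the threshold should be set from the site's own baseline traffic rather than the assumed 0.5.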
Keywords/Search Tags: DDoS, traffic analysis, traffic control, attack prevention, defense architecture