
Research On Distributed Detection And Traceback Against DDoS Attack

Posted on: 2012-11-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z H Zhou
Full Text: PDF
GTID: 1228330395985074
Subject: Computer application technology

Abstract/Summary:
DDoS attack is one of the most impactful and malicious attacks on the Internet at present, and it causes incalculable losses to Internet business. Researchers from many countries have proposed defense schemes. However, as defense technology develops, DDoS attack technology improves as well. The traditional DDoS detection architecture, detection methods and traceback methods face severe challenges. To address these challenges, a distributed detection architecture is proposed; a detection algorithm that can find slight changes and adapt to collaborative detection is designed; and a packet marking algorithm with high accuracy, low network and router overhead, and few packets required for reconstruction is studied. The contributions are as follows:

(1) An elephant flow identification algorithm based on LRU and SCBF, LRU_SCBF, is proposed. LRU_SCBF uses a two-level structure consisting of an LRU list and an SCBF array. An arriving mice flow is stored in the SCBF first. When its count exceeds a certain threshold, it is extracted into the LRU list. If the LRU list is full, the least recently used flow is evicted from the LRU list according to the LRU strategy and put back into the SCBF, and so on. Elephant flows and mice flows are thus stored separately. LRU_SCBF has low storage complexity, and both its false positive rate and its false negative rate are low. It makes the extraction of elephant flows accurate and timely in high-speed networks. Applied to DDoS detection, it can raise the alarm in time.

(2) To address the disadvantages of the DCD scheme, namely high overhead and high false negatives, a distributed DDoS detection scheme based on weighted CAT is proposed. By designing a multi-tier distributed architecture, the detection task is distributed over the edge routers at the source end, the routers in the intermediate network, and the victim end across the Internet to implement early detection. An adaptive CUSUM is adopted to detect abnormality at each router. Once an abnormality is found, an alert packet carrying the traffic weight is sent to the local CAT server, where the traffic weight is generated by the LRU_SCBF algorithm. Victim-end detection is based on the weight of the AS tree. Compared with the DCD scheme, the detection rate is improved, the network communication and storage overhead is reduced from O(mnk) to O(mk), and the computation cost from O(mn) to O(m).

(3) A P2P-based distributed detection scheme against DDoS attack is proposed. The distributed end-nodes in the Internet are organized into a P2P detection network by the Chord protocol. A detection algorithm based on CUSUM and space similarity is deployed at each node of the P2P detection network. When an abnormality is detected at a node, a detection request is broadcast to the other nodes according to node trust. Having detected the abnormality with the same method, the responding nodes use the space similarity algorithm to calculate the similarity between the requesting node and the responding node. The victim end then makes a comprehensive decision on whether a DDoS attack is happening. The P2P-based detection network makes the scheme more scalable. CUSUM-based detection at the end-node can detect slight changes at the host, which implements early detection against DDoS attack. Node trust is introduced for abnormality broadcasting, which prevents network congestion caused by malicious broadcasts from malicious nodes. Abnormality detection among nodes based on space similarity improves detection accuracy.

(4) A novel Maekawa-set-based traceback scheme against DDoS attack is proposed. It addresses the disadvantage of the FMS scheme, namely the large number of false positives caused by fragment marking. The scheme splits the marking information, composed of the IP address of the current router and the port to the next router, into fragments, and allocates a fragment-id to each fragment. It then generates a Maekawa set based on those fragment-ids; the Maekawa set has m subsets, each of length k. As packets pass through a router, the router writes the k fragments in order into the IP header over m times with an optimal probability, where the fragments are split from the edge and recombined in the Maekawa subset manner. The proposed scheme has several other advantages: low false positives, fewer packets required to reconstruct the attack path, and low computation overhead.

(5) A fast traceback scheme against large-scale DDoS attack in the high-speed Internet, based on a fixed space-code Bloom Filter, is proposed. It addresses the disadvantages of current schemes, which cannot trace back large-scale DDoS attacks because of the increasing false positive rate, cannot trace back DDoS attacks fast because of the large number of packets required for reconstruction, or cannot be applied in the high-speed Internet because of the high network and router overhead. The proposed scheme maps k hash digests of the router's IP into an m-bit Bloom Filter array. The m-bit Bloom Filter array is then probabilistically written into the IP header of a passing packet, or deterministically accumulated with the marking information already in the IP header of a marked packet. If the Bloom Filter array in the marking information is full, the marking information is probabilistically written into another packet. This scheme has several advantages: a low false positive rate, fewer packets required to reconstruct the attack path, and low computation and storage overhead at the router. It implements fast local traceback under large-scale DDoS attack in the high-speed Internet.

(6) The fixed space-code Bloom Filter scheme stores n routers' information in one Bloom Filter array. To reduce the false positive rate further, an adaptive space-code Bloom Filter traceback scheme against DDoS attack is proposed. Before accumulating the marking information, the number of '0' bits in the Bloom Filter array of a marked packet is counted. If this number is greater than half of the total length of the Bloom Filter array, the marking information is probabilistically written into another packet with the same source address and destination address. Theoretical analysis and experimental results indicate that the scheme not only retains all the benefits of the fixed space-code Bloom Filter scheme, but also greatly reduces the false positive rate.
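To make the two-level LRU_SCBF structure of item (1) concrete, here is an added Python illustration written for this page, not the thesis's own code: a plain counting Bloom filter stands in for the SCBF array (a simplification), the LRU list keeps exact counts of promoted flows, and the threshold, list size and filter size are assumed values.

```python
import hashlib
from collections import OrderedDict


class CountingBloomFilter:
    """Stand-in for the SCBF array: k hashed counters per flow (simplified, assumed)."""

    def __init__(self, m=4096, k=3):
        self.m, self.k, self.counters = m, k, [0] * m

    def _slots(self, flow):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{flow}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def add(self, flow, n=1):
        for s in self._slots(flow):
            self.counters[s] += n

    def estimate(self, flow):
        # The minimum counter is an upper bound on the flow's true packet count.
        return min(self.counters[s] for s in self._slots(flow))

    def remove(self, flow, n):
        # n never exceeds any of this flow's counters, so no counter goes negative;
        # colliding flows lose their share of a shared counter (approximate by design).
        for s in self._slots(flow):
            self.counters[s] -= n


class LruScbf:
    """Two-level structure of item (1): LRU list of elephant flows over an SCBF array."""

    def __init__(self, lru_size=4, threshold=5, m=4096, k=3):
        self.lru = OrderedDict()          # flow -> exact count since promotion
        self.scbf = CountingBloomFilter(m, k)
        self.lru_size, self.threshold = lru_size, threshold

    def observe(self, flow):
        """Account one packet of `flow` (flow id is any hashable key)."""
        if flow in self.lru:
            self.lru[flow] += 1
            self.lru.move_to_end(flow)    # mark as most recently used
            return
        self.scbf.add(flow)               # mice flows are counted in the SCBF first
        count = self.scbf.estimate(flow)
        if count > self.threshold:        # grew past the threshold: extract into the LRU
            self.scbf.remove(flow, count)
            if len(self.lru) >= self.lru_size:
                # LRU list full: least recently used flow goes back into the SCBF
                evicted, evicted_count = self.lru.popitem(last=False)
                self.scbf.add(evicted, evicted_count)
            self.lru[flow] = count

    def elephants(self):
        return dict(self.lru)
```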
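An added Python simulation of the fixed space-code Bloom Filter marking of item (5), written for this page rather than taken from the thesis: each router ORs its k hashed bits into the mark a packet carries, and the victim tests every router it knows about against the collected marks. M_BITS, K_HASH, P_MARK, FULL_BITS and the 192.0.2.x / 198.51.100.x addresses are constructed assumptions (the thesis derives its own parameters), and router order along the path is not recovered here.

```python
import hashlib
import random

M_BITS = 32               # width of the Bloom Filter array in the mark (assumed)
K_HASH = 3                # hash digests per router IP (assumed)
P_MARK = 0.2              # probability of writing a fresh mark into an unmarked packet (assumed)
FULL_BITS = M_BITS // 2   # a mark is treated as "full" at this many set bits (assumed reading)


def router_bits(ip):
    """Map K_HASH digests of a router's IP into an M_BITS-wide Bloom Filter array."""
    bits = 0
    for i in range(K_HASH):
        digest = hashlib.sha256(f"{i}:{ip}".encode()).digest()
        bits |= 1 << (int.from_bytes(digest[:4], "big") % M_BITS)
    return bits


def mark_packet(mark, ip, rng):
    """One router's marking step; `mark` is the header array, or None if unmarked."""
    rb = router_bits(ip)
    if mark is None:
        return rb if rng.random() < P_MARK else None   # probabilistic fresh mark
    if bin(mark).count("1") >= FULL_BITS:
        return mark            # full: this router's bits must ride in another packet
    return mark | rb           # deterministic accumulation into an existing mark


def send_through_path(path, n_packets, seed=1):
    """Constructed traffic: every packet traverses `path`; returns marks reaching the victim."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        mark = None
        for ip in path:
            mark = mark_packet(mark, ip, rng)
        if mark is not None:
            marks.append(mark)
    return marks


def reconstruct(marks, candidates):
    """Victim side: accept a candidate router if all its bits are set in some mark."""
    found = set()
    for mark in marks:
        for ip in candidates:
            rb = router_bits(ip)
            if mark & rb == rb:
                found.add(ip)
    return found


# Constructed topology: six routers on the attack path plus decoys the victim also knows
PATH = [f"192.0.2.{i}" for i in range(1, 7)]
DECOYS = [f"198.51.100.{i}" for i in range(1, 21)]


def demo():
    marks = send_through_path(PATH, 500)
    found = reconstruct(marks, PATH + DECOYS)
    return set(PATH) <= found, found - set(PATH)   # (all real routers found, false positives)
```

The second element returned by `demo()` is the set of decoys falsely accepted, which is the false positive problem that the adaptive variant in item (6) targets.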
Keywords/Search Tags: Distributed Denial of Service Attacks, Distributed Detection, Traceback, Peer to Peer Network, CUSUM Algorithm, Space Similarity Algorithm, Maekawa Set, Bloom Filter