
Research On Detection And Reaction Of Distributed Denial Of Service Attacks

Posted on: 2014-11-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Wang
Full Text: PDF
GTID: 1268330422973836
Subject: Computer Science and Technology
Abstract/Summary:
Distributed Denial of Service (DDoS) attack is one of the most serious security threats to the Internet. Compared with traditional attacks, a DDoS attack has several significant features, including low-profile attack flows, great attack intensity, dispersive attack sources, and long duration. So far, no practical countermeasure against DDoS attacks is available. As the frequency and damage of DDoS attacks increase year by year, the network security situation becomes more and more severe. Therefore, exploring effective countermeasures against DDoS attacks has important research value and wide application prospects.

DDoS defense has four research areas: detection, reaction, traceback and prevention. As the basic defenses against DDoS attacks, DDoS detection and reaction are the key problems in current research. In this thesis, we perform an in-depth study of DDoS detection and reaction issues on the basis of a comprehensive survey of present research on DDoS attack and defense. The major contributions are as follows.

1. A multistage method for early DDoS detection.

Early DDoS detection can effectively enhance the ability of early attack warning. Since attack traffic keeps a low profile and cannot be easily recognized at the early stage of a DDoS attack, early DDoS detection is very hard to achieve. This thesis presents a DDoS model to theoretically analyze the low-profile feature of DDoS attacks. Then two complex features, Network Traffic State (NTS) and Joint Deviation Rate (JDR), are defined by merging basic traffic features; they resolve the contradiction between the difficulty of detecting anomalies in a single feature and the high computation cost of multidimensional features. Based on the two features, a Multistage Anomaly Detection method for lOw-Profile attack traffic (MADOP) is proposed to detect DDoS attacks at an early stage. Through three stages, network traffic state prediction, fine-grained singularity detection, and suspicious IP extraction, MADOP refines the spatial-temporal characteristics of DDoS attacks in a stepwise way. By designating reasonable goals for the different detection stages, MADOP effectively raises the efficiency-cost ratio of early DDoS detection and optimizes the resource usage of detection devices. MADOP can accurately detect anomalies and locate the start time of attacks even when attack traffic constitutes only 5% of total traffic, with 96% of victims successfully identified. MADOP also performs well in low-rate DDoS detection.

2. A split-sketch-based collaborative DDoS detection scheme.

DDoS attacks have distributed attack sources. Detecting such attacks suffers from high statistics consumption as well as difficult correlation of global anomalies. This thesis proposes a split-sketch-based technique to summarize and organize network traffic. The technique adopts a new hash function, BitHash, which explicitly connects the hash value and the input IP. As a result, the technique can summarize traffic based on destination IPs and then reversely construct the input IPs from the hash values. On the one hand, this technique avoids keeping per-IP state. On the other hand, it efficiently responds to dispersive DDoS attack sources by computing, processing and storing the sketch in a distributed way. Based on the split sketch, this thesis proposes a collaborative DDoS detection mechanism called FLOW. FLOW includes several key technologies: an anomaly detection method using BitHash and Principal Component Analysis (PCA), a special messaging and preprocessing mechanism, a decision algorithm based on the burst period of the anomaly, and a lightweight IP reconstruction algorithm. Simulation results show that the results of FLOW greatly contribute to attack traffic filtering during DDoS reaction, with a false positive rate of less than 3%. FLOW outperforms other methods of similar capability in performance expenses, especially in space requirements.

3. A packet-marking-based collaborative DDoS detection mechanism.

Traditional collaborative methods detect DDoS attacks by fusing alerts in the control plane. Such methods have problems, including the global detection's overdependence on local results, and the final decision being subject to the accuracy of local detection. This thesis presents the novel idea of achieving collaborative DDoS detection through the data plane and proposes a packet-marking-based distributed DDoS detection mechanism, VicSifter. VicSifter regards suspect network traffic as an abstract detection view, uses a sketch-based traffic sifter to gradually eliminate normal traffic from the detection view, and makes the final decision on the basis of global abnormal traffic. To pass the detection view between collaborating nodes, VicSifter adopts a packet-marking-based transmission mechanism and a traffic reduction algorithm. Also, for the purpose of attack diagnosis and victim identification, a highly efficient global detection algorithm based on the traffic anomaly circle and global anomaly degree is presented. Simulation results show that VicSifter can accurately detect DDoS attacks and identify victims, with the remarkable features of low consumption and great scalability. Through traffic reduction, VicSifter rapidly reduces the suspect destination IPs to 2%, and the detection view contains only packets destined for victims after 3 hops. Using in-band transmission, VicSifter does not aggravate network congestion.

4. A series of uneven rate limiting mechanisms based on the evolving pattern of abnormal traffic.

Rate limiting is one of the major techniques for DDoS reaction. But existing rate limiting mechanisms may wrongly damage normal traffic for lack of fine-grained traffic aggregating methods and effective methods to judge abnormal aggregates. In view of these problems, this thesis proposes a Basic Uneven Rate Limiting mechanism (BaURL) using the Evolving Pattern of Abnormal Traffic (EPAT). By evaluating the abnormality of traffic aggregates, BaURL divides them into different priority sets and applies different levels of suppressing intensity, thus significantly reducing unintentional damage to normal traffic. Combining BaURL with a fine-grained traffic aggregating method, a Fine-grained URL (FiURL) mechanism based on BitHash and a Collaborative URL (CoURL) mechanism are proposed to achieve elaborate control in aggregate-based rate limiting. To overcome the poor-client problem that commonly occurs in aggregate-based rate limiting mechanisms, a possible solution using packet redirection is presented and named Mutual-Aid Team (MAT). Simulation results prove that all four mechanisms and MAT help to effectively limit collateral damage to normal traffic. Through parameter adjustment, the normal traffic filtered by FiURL can be reduced to less than 10%, while the elaborate control of CoURL can reach the granularity of a single destination IP stream.
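The split-sketch idea of contribution 2, summarising traffic by destination IP without keeping per-IP state and then reconstructing the heavy destinations from the sketch itself, can be illustrated with the following Python program. It is an added example, not code from the thesis: BitHash is not specified in the abstract, so the program substitutes an assumed reversible scheme (each IPv4 octet indexes its own small counter table, so the counters' indices are the address) plus a small count-min sketch that verifies reconstructed candidates; the traffic it processes is constructed inline.

```python
"""Reversible destination-IP sketch (added illustration, not the thesis's BitHash).

Assumptions: an IPv4 address is split into 4 octet fields, each indexing a
256-counter table; a 4 x 1024 count-min sketch verifies candidates. Memory is
fixed regardless of how many distinct destinations appear."""
import hashlib
import ipaddress
from itertools import product

NUM_FIELDS = 4            # octets per IPv4 address (assumed field split)
FIELD_BITS = 8
CM_ROWS, CM_WIDTH = 4, 1024   # verification count-min sketch (assumed size)


def ip_to_fields(ip: str) -> list:
    """Split a dotted-quad IPv4 address into its NUM_FIELDS bit-fields."""
    n = int(ipaddress.IPv4Address(ip))
    mask = (1 << FIELD_BITS) - 1
    return [(n >> (FIELD_BITS * (NUM_FIELDS - 1 - i))) & mask for i in range(NUM_FIELDS)]


def fields_to_ip(fields) -> str:
    """Inverse of ip_to_fields: the bucket indices *are* the address, so the
    summary can be reversed into the IPs that produced it."""
    n = sum(f << (FIELD_BITS * (NUM_FIELDS - 1 - i)) for i, f in enumerate(fields))
    return str(ipaddress.IPv4Address(n))


def cm_index(row: int, ip: str) -> int:
    """One independent, deterministic hash per count-min row (keyed BLAKE2b)."""
    digest = hashlib.blake2b(ip.encode(), digest_size=4, key=bytes([row])).digest()
    return int.from_bytes(digest, "big") % CM_WIDTH


class ReversibleSketch:
    def __init__(self):
        # NUM_FIELDS tables of 2**FIELD_BITS counters: no per-IP state at all
        self.field_tables = [[0] * (1 << FIELD_BITS) for _ in range(NUM_FIELDS)]
        # count-min sketch used only to confirm reconstructed candidates
        self.cm = [[0] * CM_WIDTH for _ in range(CM_ROWS)]

    def update(self, dst_ip: str, packets: int = 1) -> None:
        for i, f in enumerate(ip_to_fields(dst_ip)):
            self.field_tables[i][f] += packets
        for row in range(CM_ROWS):
            self.cm[row][cm_index(row, dst_ip)] += packets

    def estimate(self, dst_ip: str) -> int:
        """Count-min point query; never underestimates the true count."""
        return min(self.cm[row][cm_index(row, dst_ip)] for row in range(CM_ROWS))

    def heavy_destinations(self, threshold: int) -> list:
        """Reconstruct every destination whose packet count is >= threshold.

        A heavy IP is heavy in each of its field buckets, so candidates are the
        cross product of the heavy buckets of every field; the count-min query
        then discards combinations that never actually occurred."""
        heavy_buckets = [[v for v, c in enumerate(table) if c >= threshold]
                         for table in self.field_tables]
        found = []
        for combo in product(*heavy_buckets):
            ip = fields_to_ip(combo)
            if self.estimate(ip) >= threshold:
                found.append(ip)
        return found


def build_demo_sketch() -> ReversibleSketch:
    """Constructed traffic: 200 ordinary destinations at 3 packets each plus two
    destinations receiving flood-scale volume (sample values, not real data)."""
    sketch = ReversibleSketch()
    for i in range(200):
        sketch.update(f"192.168.{i // 256}.{i % 256}", 3)
    sketch.update("10.0.0.5", 500)
    sketch.update("172.16.4.20", 800)
    return sketch


def demo_heavy_destinations(threshold: int = 300) -> list:
    """Destinations the sketch reconstructs as victims for the constructed traffic."""
    return sorted(build_demo_sketch().heavy_destinations(threshold))


if __name__ == "__main__":
    print(demo_heavy_destinations())   # ['10.0.0.5', '172.16.4.20']
```

Without the verification stage, the cross product of heavy buckets would also yield addresses such as 10.0.4.20 that combine fields of two different victims; the count-min query is what keeps the reconstruction to destinations that really carried the traffic, which is the role the abstract assigns to FLOW's IP reconstruction algorithm.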
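The uneven rate limiting policy of contribution 4, grading traffic aggregates by abnormality and suppressing them with different intensity so that normal aggregates are spared, is shown in the following added Python example (not the thesis's code). EPAT and the thesis's thresholds are not given in the abstract, so the abnormality score (growth of the observed rate over a learned baseline), the three priority sets and the per-set suppression intensities are assumptions; the aggregates and the link capacity are constructed. A conventional uniform limiter is included for comparison.

```python
"""Uneven rate limiting over traffic aggregates (added illustration of the
BaURL policy; the score, sets and intensities below are assumptions)."""
from dataclasses import dataclass


@dataclass
class Aggregate:
    key: str             # e.g. a destination /24 (constructed label)
    baseline_pps: float  # learned normal rate for this aggregate
    observed_pps: float  # rate measured in the current window


def abnormality(agg: Aggregate) -> float:
    """Assumed score in [0, 1): growth of the observed rate over its baseline."""
    if agg.observed_pps <= agg.baseline_pps:
        return 0.0
    return 1.0 - agg.baseline_pps / agg.observed_pps


def priority_set(score: float) -> str:
    """Assumed priority sets; higher abnormality means lower priority."""
    if score < 0.3:
        return "normal"
    if score < 0.7:
        return "suspicious"
    return "abnormal"


# suppression intensity per set (assumed); 0.0 passes everything, 0.9 keeps 10%
SUPPRESSION = {"normal": 0.0, "suspicious": 0.5, "abnormal": 0.9}
CUT_ORDER = ("abnormal", "suspicious", "normal")   # extra cuts land here first


def plan_uniform(aggs, capacity: float) -> dict:
    """Conventional limiter: scale every aggregate by the same factor."""
    total = sum(a.observed_pps for a in aggs)
    scale = min(1.0, capacity / total) if total else 1.0
    return {a.key: a.observed_pps * scale for a in aggs}


def plan_uneven(aggs, capacity: float) -> dict:
    """Uneven limiter: per-set suppression first, then any remaining excess is
    cut from the lowest-priority set before touching higher-priority ones."""
    sets = {a.key: priority_set(abnormality(a)) for a in aggs}
    allowed = {a.key: a.observed_pps * (1.0 - SUPPRESSION[sets[a.key]]) for a in aggs}
    excess = sum(allowed.values()) - capacity
    for name in CUT_ORDER:
        if excess <= 0:
            break
        members = [k for k in allowed if sets[k] == name]
        pool = sum(allowed[k] for k in members)
        if pool <= 0:
            continue
        cut = min(excess, pool)
        for k in members:                       # proportional cut inside the set
            allowed[k] -= cut * allowed[k] / pool
        excess -= cut
    return allowed


def collateral_damage(aggs, plan: dict) -> float:
    """Fraction of traffic in the 'normal' priority set that the plan drops."""
    normal = [a for a in aggs if priority_set(abnormality(a)) == "normal"]
    observed = sum(a.observed_pps for a in normal)
    passed = sum(plan[a.key] for a in normal)
    return 1.0 - passed / observed if observed else 0.0


# constructed measurement window: one aggregate is under flood
DEMO_AGGREGATES = [
    Aggregate("dstnet-A", baseline_pps=200, observed_pps=210),
    Aggregate("dstnet-B", baseline_pps=150, observed_pps=160),
    Aggregate("dstnet-C", baseline_pps=50, observed_pps=120),
    Aggregate("dstnet-D", baseline_pps=30, observed_pps=10_000),
]
DEMO_CAPACITY = 1000.0


def compare() -> dict:
    """Damage to normal traffic under both limiters for the constructed window."""
    uniform = plan_uniform(DEMO_AGGREGATES, DEMO_CAPACITY)
    uneven = plan_uneven(DEMO_AGGREGATES, DEMO_CAPACITY)
    return {
        "uniform_damage": collateral_damage(DEMO_AGGREGATES, uniform),
        "uneven_damage": collateral_damage(DEMO_AGGREGATES, uneven),
        "uneven_plan": uneven,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

In the constructed window the uniform limiter must squeeze all 10 490 pps into 1000 pps and so drops about 90% of the two normal aggregates, whereas the uneven plan takes the whole excess from the flooded aggregate and passes the normal aggregates untouched; this is the collateral-damage difference the abstract attributes to BaURL.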
Keywords/Search Tags: DDoS, multi-stage detection, collaborative detection, BitHash, uneven rate limiting