| Distributed denial-of-service attack is the most destructive attacking means on Internet. This kind of attack sends a number of connection requests or useless packets to attacked victim, in which exploits the flaws of TCP/IP and limitation in network bandwidth resource. These illegal packets take up the victim system resource and bandwidth, thus make the victim unable to response other client's normal request.Much research has been given to the mechanism, prevention methods, detection means and response mode against DDoS attack. The mainly contributions of this paper include these following four aspects: (1) It discusses the attacking principle, attacking taxonomy and attacking modes elaborately and provides fundamental references to all kinds of schemes against DDoS attack. (2) It probes into the research works defending DDoS attack up to date.As an emphasis of this study, the detection engineer has been full analyzed based on detecting algorithms of anomaly and signature. Applicable conditions are given to these algorithms. In the end, it integrates the advantages of them and gives a thought of optimizing detection.(3) Aiming at the prevention of attacks, this thesis discovers some flaws of S YN cache and S YN cookie and presents an improving prevention scheme based on random matrix, in which heightens survival ability of attacked system. (4) For the attacking response, first, we put forward a secure response scheme which is grounded on ISP domain. This scheme introduces a secure authenticating process, thus enforces the robustness of victim's system. It also has lesser influence on the network devices available in its implement, which makes it feasible in deployment. Secondly, we discuss each IP Traceback techniques and make a full comparison between their effectiveness, robustness and system cost. At last we give some feasible advice on how to utilize these IP Traceback techniques appropriately.
|
PDF Full Text Request