| Distributed Denial-of-Service (DDoS ) attack is a distributed variation originated from Denial-of-service (DoS ) attack. DoS is a network attack using less legitimate requirement for more network resource. So the server will soon overload and cannot response to other legal clients' requirements. This type of attack usually launches from a single host. However, DDoS is launched from magnitude hosts located from different domain at Internet, and each attacker uses simple DoS attack. As Internet applies widespread, it heavily harms our network.The limitation of Internet resource results in this phenomenon. Based on TCP/IP protocol, Internet is designed to best effort forward and point-to-point mechanism and not have abundant security consideration.Different from DoS, DDoS have three attack layers: attacker, handler and zombie. Attacker initials an attack, exploits and intrudes hosts existing security holes, turns them to handlers or zombies. Finally, handlers and zombies launch attack.DDoS defense faces different challenges originated from technology and society, and mainly have autonomous and distributed defense method. Being near to attack source, Source-end network defense has many advantages such as congestion avoidance, small-collated damage, easer trace back and applying sophisticated detection strategies etc. So this type of defense is researched extensively.This thesis put forward a new source-end defense method: DDoS adaptive source-end network defense, DASEND. This defense system locates at source network router; consists in adaptive source-end detection and response modules. In order to limit attack and protect legal traffics, it classify from flow and connection granularity. Finally, elaborate several emulation experiments manifest this method have excellent effect to DDoS defense.
|
PDF Full Text Request