
A Study On The Prevention Mechanism Of DDoS Based On Congestion Control

Posted on: 2007-05-09
Degree: Master
Type: Thesis
Country: China
Candidate: H N Hu
Full Text: PDF
GTID: 2178360212499226
Subject: Computer application technology

Abstract/Summary:
With the rapid popularization of the Internet and the growth of its applications, more and more hacker tools and network attack methods are appearing. Network attacks damage networks and users; among them, DDoS (Distributed Denial of Service) attacks have become one of the most common attack techniques because of their wide reach, strong concealment, simplicity and efficiency. DDoS attacks greatly degrade the effective service of networks and host systems.

DDoS attacks engage the power of a vast number of coordinated Internet hosts to consume some critical resource at the target and deny service to legitimate clients. As a side effect, they frequently create network congestion on the path from a source to the target, thus disrupting normal Internet operation. Existing security mechanisms do not provide an effective defense against these attacks. The large number of attacking machines and the use of source IP address spoofing make traceback impossible. The use of legitimate packets for the attack and the variation of packet fields defeat characterization and filtering of the attack streams. The distributed nature of the attacks calls for a distributed response, but cooperation between administrative domains is hard to achieve, and security and authentication of participants incur high cost.

In this paper, we first introduce the principles of DDoS and the common tools and methods of attack. We analyze TCP SYN Flood, UDP Flood, ICMP Flood and Smurf attacks in particular. On that groundwork, we discuss DDoS defense techniques in detail from two aspects: traceback of the attack source, and prevention mechanisms at the attack target.
We also develop the Net Switch Devices Flow Detector system, which can quickly locate the attack source within the LAN and cut off the attack at the source network when a DDoS attack occurs. We discuss a prevention mechanism for DDoS based on congestion control, and point out that the network congestion caused by DDoS attacks is due to a well-defined subset of the traffic, an aggregate. The victim router drops packets when a DDoS attack occurs. Rate limiting lets the border router pick out the addresses carrying high traffic from the dropped packets. The router then limits the network traffic of these addresses through aggregate-based congestion control (ACC), which weakens the DDoS attack. In this paper, we improve the ACC identification algorithm by combining it with the IPv6 flow label, simulate DDoS attacks in a network simulator, and compare the performance with the original ACC. We then analyze the headers of the packets whose rate is limited in the Rate-Limiter and narrow the aggregate signature using the distinctive characteristics of DDoS packets. Finally, we summarize the paper and present the work we plan to do next.
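The identify-then-rate-limit step of ACC described above, as an added Python sketch that is not the thesis's own code: the drop history of a congested router is clustered by destination /24 prefix, a prefix holding most of the drops is declared the aggregate, and a token-bucket limiter is applied only to that aggregate while other traffic passes untouched. The sample drop history and the threshold, rate and burst values are constructed assumptions; the thesis's IPv6 flow-label refinement is not modelled.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample (not real traffic): destination addresses of packets the
# congested victim-side router dropped during one measurement interval.
DROPPED_DSTS = (["10.1.2.7"] * 60 + ["10.1.2.9"] * 25 + ["10.1.2.12"] * 15
                + ["192.0.2.5"] * 3 + ["198.51.100.9"] * 2)


def identify_aggregates(dropped_dsts, prefix_len=24, min_share=0.5):
    """Cluster the drop history by destination prefix and return every prefix
    responsible for at least `min_share` of all drops: the ACC notion of a
    high-bandwidth aggregate, keyed here on destination prefix only."""
    counts = Counter(str(ip_network(f"{d}/{prefix_len}", strict=False))
                     for d in dropped_dsts)
    total = sum(counts.values())
    if total == 0:
        return []
    return [p for p, n in counts.most_common() if n / total >= min_share]


class AggregateRateLimiter:
    """Token-bucket limiter applied only to packets whose destination lies in
    an identified aggregate. Time is integer milliseconds and the bucket holds
    milli-tokens (1000 per packet) so the arithmetic stays exact."""

    def __init__(self, prefixes, rate_pps, burst_pkts):
        self.nets = [ip_network(p) for p in prefixes]
        self.rate_pps = rate_pps           # refill: rate_pps milli-tokens per ms
        self.capacity = burst_pkts * 1000
        self.tokens, self.last_ms = self.capacity, 0

    def admit(self, dst, now_ms):
        """True if the packet to `dst` arriving at `now_ms` is forwarded."""
        if not any(ip_address(dst) in n for n in self.nets):
            return True                    # traffic outside the aggregate is untouched
        refill = (now_ms - self.last_ms) * self.rate_pps
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def simulate(limiter, packets):
    """Run (time_ms, dst) packets through the limiter; return (forwarded, dropped)."""
    forwarded = dropped = 0
    for t, dst in sorted(packets):
        if limiter.admit(dst, t):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped
```

With the sample drop history, `identify_aggregates` returns only `10.1.2.0/24`; a limiter for that prefix at 10 packets/s with a burst of 5 lets 9 of 50 flood packets through over half a second while every packet to `192.0.2.5` is forwarded.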
Keywords/Search Tags: DDoS, traceback of the attack source, congestion control, aggregate