
Distributed Defense Against Large-scale DDoS Attacks

Posted on: 2008-03-07
Degree: Master
Type: Thesis
Country: China
Candidate: J Li
Full Text: PDF
GTID: 2178360212991035
Subject: Communication and Information System
Abstract/Summary:
The Internet was originally designed for openness and scalability. Its security weaknesses stem mainly from an open resource-access model that emphasizes functionality and simplicity rather than security. Consequently, the Internet faces serious security threats as it plays an increasingly important role in commercial activity. One of the most serious of these threats is the Distributed Denial of Service (DDoS) attack, because of the severe service disruption it causes and the difficulty of preventing it; America has regarded DDoS attacks as the No. 1 killer of the Internet since 2004. DDoS attacks are studied in many countries because no effective countermeasure against them exists to date. They are becoming stealthier and more scalable, and the frequent occurrence of distributed reflector denial-of-service attacks makes them larger and more damaging still. Large-scale DDoS attacks are therefore one of the most prominent security problems.

To defend against DDoS attacks effectively, their characteristics must be understood thoroughly. We simulate DDoS attacks under different conditions in NS-2 and obtain the behavioral characteristics of the different attack types. Some of these quantitative characteristics can serve as evaluation criteria for an effective defense system, which is useful both for Internet security and for design engineers. Following this idea, which is proposed here for the first time, we can simulate real networks of different applications and use the simulation results to evaluate the validity of a defense system.

Many existing DDoS defense systems are deployed at the victim end, where the traffic of a large-scale attack converges and overwhelms them. This thesis proposes a regional ISP-based distributed defense (RIDD) system against large-scale DDoS attacks.
Firstly, we select the optimal locations for fighting DDoS attacks within the overall Internet structure, namely the networks of regional Internet service providers (ISPs). Secondly, the perimeter routers and egress routers of a regional ISP are given separate roles: the perimeter routers detect DDoS attack traffic, and the egress routers classify suspicious packets and discard them. Thirdly, we integrate anomaly detection and packet classification techniques into the RIDD system, building on existing results in the literature.
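As an added illustration of this two-stage division of labor (not the thesis's code, and not an NS-2 model), the following toy Python model places a rate-based anomaly detector at each perimeter router and a discard rule at the egress router of one regional ISP; the traffic, the THRESHOLD/ALPHA detection rule and the tick-based definitions of attack time and defense time are constructed assumptions.

```python
from collections import defaultdict

BASELINE_PPS = 100.0  # assumed initial per-destination rate (packets/tick)
THRESHOLD = 3.0       # assumed rule: flag when rate > THRESHOLD x baseline
ALPHA = 0.2           # assumed smoothing factor for the learned baseline

def perimeter_detect(baselines, router, dst, count):
    """Stage 1, anomaly detection at a perimeter router: each router keeps a
    smoothed baseline per destination and flags rates above THRESHOLD x it."""
    base = baselines.get((router, dst), BASELINE_PPS)
    anomalous = count > THRESHOLD * base
    if not anomalous:  # learn only from traffic judged normal
        baselines[(router, dst)] = (1 - ALPHA) * base + ALPHA * count
    return anomalous

def egress_classify(flagged, dst):
    """Stage 2, packet classification at the egress router: True = discard."""
    return dst in flagged

def build_traffic(attack_tick=5, ticks=10):
    # Constructed (tick, perimeter_router, dst, packets) events: 100 pkt/tick to
    # 'web' and 'mail' via two perimeter routers, plus a flood toward 'victim'
    # ramping by 200 pkt/tick per router from attack_tick on.
    events = []
    for t in range(ticks):
        for r in ("pr-A", "pr-B"):
            events += [(t, r, "web", 100), (t, r, "mail", 100)]
            if t >= attack_tick:
                events.append((t, r, "victim", 200 * (t - attack_tick + 1)))
    return events

def simulate(events, attack_tick):
    """Return (defense_time, dropped, forwarded); defense_time is the number of
    ticks from attack start until the egress router first discards packets."""
    baselines, flagged, dropped, forwarded, first_drop = {}, set(), 0, 0, None
    by_tick = defaultdict(list)
    for ev in events:
        by_tick[ev[0]].append(ev)
    for t in sorted(by_tick):
        for _, r, dst, n in by_tick[t]:           # perimeter routers detect
            if perimeter_detect(baselines, r, dst, n):
                flagged.add(dst)
        for _, _, dst, n in by_tick[t]:           # egress router classifies
            if egress_classify(flagged, dst):
                dropped += n
                first_drop = t if first_drop is None else first_drop
            else:
                forwarded += n
    defense_time = None if first_drop is None else first_drop - attack_tick
    return defense_time, dropped, forwarded
```

With the constructed ramp, the first attack tick stays under the threshold and raises the baseline slightly, so the egress router begins discarding one tick after the attack starts: a slow ramp buys the attacker time, which is exactly what the defense-time metric measures.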
Keywords/Search Tags: DDoS attack, attack time, defense time, distributed defense, anomaly detection, RIDD