
The Research On IP Traceback And A Rapid Source-End Detection Mechanism Against DDoS Attack

Posted on: 2008-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Zhan
GTID: 2178360215479868
Subject: Computer application technology

Abstract/Summary:
Because of deficiencies in network protocols, networks face many attacks, among which the DDoS attack has become one of the most common network attack techniques because of its simplicity, strong concealment, and destructive power. DDoS attackers launch attacks from several sources that have already been penetrated. The attack streams exhaust the resources of the victim and render it unavailable to legitimate clients. This kind of attack badly affects the effective service of networks and host systems, and it seriously threatens network security and the usability of information. To counter this attack, existing countermeasure strategies propose solutions from two angles: IP Traceback and defense against DDoS attacks.

IP Traceback technologies can effectively trace the location of the real attack source, so that ongoing attacks can be interdicted and DDoS attacks isolated within the network. This paper presents an IP Traceback scheme for IPv6 based on an improved SPIE. The method uses the invariant field of IPv6 packets as the input of a hash function and uses Bloom filter data structures on routers to store digests of forwarded data packets. In addition to reducing the storage requirement, it preserves traffic confidentiality. On the basis of the IP Traceback scheme in IPv6, combined with the IP Traceback scheme in IPv4, a new IP Traceback scheme for the IPv4/IPv6 transition is proposed. The method is suitable for IP Traceback of DDoS attacks as well as for tracing a single packet.

Defense systems against DDoS attacks are always deployed at the victim, but legitimate traffic is affected when attack streams are filtered after the attack is detected. It is easier to filter attack packets at the source network, but the small volume of the attack stream there makes attack detection difficult. This paper presents a rapid source-end detection mechanism against DDoS attacks, which uses the difference between the number of TCP SYN packets and the number of corresponding SYN/ACK packets as the detection factor. To shorten the detection delay, an improved CUSUM method is proposed that takes the number of attackers into account. The improved CUSUM method reduces false positives by accumulating continuous attacks. The experimental results show that our scheme generates fewer false positives and has a shorter detection delay than the existing source-end detection method.
Keywords/Search Tags:DDoS, IP Traceback, Attack Detection, CUSUM
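
The source-end detection idea in the abstract can be illustrated with the standard non-parametric CUSUM test applied to the SYN minus SYN/ACK difference. This is an added example, not code from the thesis, and it does not implement the thesis's improved variant (the abstract does not specify it); the parameter values and the per-interval counts are constructed assumptions.

```python
# Standard non-parametric CUSUM over per-interval SYN vs. SYN/ACK counts
# observed at a source network's edge router. Illustrative only: this is
# NOT the thesis's improved CUSUM, and offset/threshold/alpha are assumed.

def cusum_detect(intervals, offset=0.35, threshold=1.0, alpha=0.9):
    """Return (index of first alarm or None, list of CUSUM statistic values).

    intervals: list of (outgoing_syn, incoming_synack) counts per interval.
    """
    avg_synack = None   # running average of SYN/ACKs, used for normalisation
    stat = 0.0          # CUSUM statistic y_n
    alarm = None
    trace = []
    for i, (syn, synack) in enumerate(intervals):
        if avg_synack is None:
            avg_synack = float(max(synack, 1))
        # Normalised difference: close to 0 when handshakes are answered.
        x = (syn - synack) / avg_synack
        # Subtracting the offset gives normal traffic a negative drift, so
        # the statistic only grows while the excess persists.
        stat = max(0.0, stat + x - offset)
        trace.append(stat)
        if alarm is None and stat > threshold:
            alarm = i
        # Exponentially weighted update of the normalisation baseline.
        avg_synack = alpha * avg_synack + (1 - alpha) * max(synack, 1)
    return alarm, trace

# Constructed sample data (SYN sent, SYN/ACK received) per interval.
NORMAL = [(100, 98), (105, 101), (97, 96), (110, 104), (102, 100)]
# Sustained excess of unanswered SYNs, as a flood from this network causes.
SUSTAINED = NORMAL + [(200, 99), (205, 100), (198, 101)]
# One anomalous interval followed by normal traffic (e.g. a remote outage).
SINGLE_BURST = NORMAL + [(200, 99)] + NORMAL[:3]

if __name__ == "__main__":
    for name, data in (("sustained", SUSTAINED), ("burst", SINGLE_BURST)):
        alarm, trace = cusum_detect(data)
        print(name, "alarm at interval:", alarm,
              [round(v, 2) for v in trace])
```

The sustained case crosses the threshold on the second anomalous interval, while the single burst decays back to zero without an alarm, which is the accumulation behaviour the abstract credits with reducing false positives.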