A Complex Model Of DDoS Attack Detection And Defense

Posted on: 2008-03-01
Degree: Master
Type: Thesis
Country: China
Candidate: J C Mu
GTID: 2178360215972249
Subject: Computer application technology
Abstract/Summary:
In recent years, distributed denial of service (DDoS) attacks have done great harm to the application and development of the Internet. Currently, the self-similarity of network traffic, time series analysis and IP packet filtering are the important strategies and technologies for DDoS attack detection and defense. But these strategies and technologies are used individually, and the results of DDoS detection and defense are not ideal. The reason is that self-similarity of network traffic and time series analysis can only detect DDoS attacks; they cannot defend against them. Their detection results also suffer from delayed detection, false alarms and missed alarms. Although traditional IP packet filtering can defend against DDoS attacks well, it operates on a large amount of data, and querying and updating that data requires a lot of system resources, such as CPU and memory. Moreover, IP packet filtering used alone cannot detect DDoS attacks.

First, in this paper, DDoS attacks are classified based on network traffic and the TCP/IP protocols. The types of DDoS attacks are analyzed briefly. In addition, the strategies for DDoS attack detection and defense are analyzed and compared.

Secondly, a complex model of DDoS attack detection and defense is proposed that combines the advantages of time series analysis and IP packet filtering. A time sequence PDD (Port to Port Data Density) is defined, and the stationarity of PDD is tested with a non-parametric test. According to the test results, we process the PDD time series with the non-stationary time series AAR (additive autoregressive) model. The AAR model is well suited to online analysis, and its computational cost is small. The time sequence produced by the AAR model is used to detect DDoS attacks with the non-parametric CUSUM algorithm. Because detection produces false alarms and missed alarms, a revising algorithm is proposed to revise the detection results.

The defense module of the model defends against DDoS attacks using dynamic IP packet filtering, which solves the problems of the large amount of data and of querying and updating that data requiring many system resources. To assist dynamic IP packet filtering in defending against DDoS attacks or avoiding network congestion, a pre-detection algorithm is proposed. In addition, network noise affects the detection results; we introduce a wavelet to filter part of the noise in the model.

Finally, we test the function of some of the modules in NS2 running on Linux (Red Hat 9.0), and analyze the test results.
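One way the non-parametric CUSUM detection step named in the abstract could look, as an added example that is not the thesis' code. The input is a constructed series standing in for the detector's input (the PDD definition and the AAR model are not given on this page), and `np_cusum`, `baseline_len`, `k` and `h` are hypothetical names and parameters.

```python
# Added example: one-sided non-parametric CUSUM over a constructed series.
# The thesis' PDD definition, AAR model and revising algorithm are not
# reproduced here; the series below is made-up sample data.

def np_cusum(series, baseline_len, k=0.5, h=5.0):
    """Return (scores, alarm_index); alarm_index is None if no alarm fires.

    baseline_len: leading samples assumed attack-free, used to estimate the
                  normal mean and spread (assumption of this example).
    k: drift allowance, in baseline standard deviations (hypothetical).
    h: alarm threshold on the accumulated score (hypothetical).
    """
    if not 2 <= baseline_len <= len(series):
        raise ValueError("baseline_len must be between 2 and len(series)")
    base = series[:baseline_len]
    mean = sum(base) / len(base)
    var = sum((x - mean) ** 2 for x in base) / (len(base) - 1)
    std = var ** 0.5 or 1.0  # avoid division by zero on a flat baseline

    scores, score, alarm = [], 0.0, None
    for i, x in enumerate(series):
        z = (x - mean) / std
        # Accumulate only upward deviations beyond the drift allowance;
        # the max() resets the score once traffic returns to normal.
        score = max(0.0, score + z - k)
        scores.append(score)
        if alarm is None and i >= baseline_len and score > h:
            alarm = i
    return scores, alarm


# Constructed series: 10 normal samples, one isolated spike (14) that decays,
# then a sustained ramp (13, 14, 15, 16) representing attack onset.
SAMPLE = [10, 12, 9, 11, 10, 12, 9, 11, 10, 11,
          14, 10, 11,
          13, 14, 15, 16]

if __name__ == "__main__":
    scores, alarm = np_cusum(SAMPLE, baseline_len=10)
    for i, (x, s) in enumerate(zip(SAMPLE, scores)):
        flag = "  <-- alarm" if i == alarm else ""
        print(f"{i:2d}  value={x:3d}  score={s:5.2f}{flag}")
```

The isolated value 14 at index 10 leaves the score below the threshold, while the same value inside the sustained ramp pushes the accumulated score over it, which is the property that distinguishes CUSUM from a per-sample threshold.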
Keywords/Search Tags:Distributed denial of service attacks, Time series analysis, Non-parameter CUSUM algorithm, Dynamic IP packet filtering