
A Defence Method Of DDoS Based On Packet Funneling

Posted on: 2008-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y T Zhang
Full Text: PDF
GTID: 2178360242964941
Subject: Software engineering
Abstract/Summary:
The rapid development of the Internet has brought much convenience and, at the same time, many network security problems. The security, integrity and availability of the network are put to the test. The security problems the network currently faces mainly include hacker attacks, computer viruses and Distributed Denial of Service (DDoS). The DDoS attack is a newly developed attack type and an extension of the Denial of Service attack. Because of its distributed nature, a DDoS attack commands more attack resources and has more destructive power, so it is very difficult to keep away. As the harm caused by DDoS attacks grows more serious, they have drawn the attention of many countries around the world. The DDoS attack is regarded as one of the biggest challenges of the Internet.

Based on a study of the theory of DDoS, its attack characteristics and the defence methods against it, the major work and innovations of this paper are as follows:

1) The paper introduces many defence methods, both domestic and foreign. According to their defence characteristics, they can be divided into three types: defence before the attack, defence during the attack and defence after the attack. Their advantages and disadvantages are then analyzed in detail.

2) The paper proposes a new defence method based on Packet Funneling, drawing on the source IP spoofing characteristic of DDoS attacks and on the achievements of other scholars. The defence system is located at the edge router and filters the packets sent to the victim through an AIP table and a Waiting Matrix (WM). The method can discard most of the illegitimate packets, and at the same time it protects most legitimate users at the cost of a small number of legitimate packets, which improves its defence performance.

3) We study the defence method based on Packet Funneling and the structure of the AIP and the WM. Hashing is used to reduce conflicts when the AIP is constructed and checked, and hash conflicts are resolved with the chain address method.

Finally, we validate the defence method proposed in this paper. The results show that the number of escaped packets is strictly held within the set value. The method not only effectively prevents DDoS attacks, but is also easy to deploy and expand in the network.
Keywords/Search Tags: Network Security, DDoS, Packet Funneling, AIP, Waiting Matrix