
Mitigating DDoS Attacks by Checking for Spoofed IP Addresses

Posted on: 2009-03-02
Degree: Master
Type: Thesis
Country: China
Candidate: X Chen
Full Text: PDF
GTID: 2178360242991018
Subject: Software engineering
Abstract/Summary:
DDoS attacks are among the dominant threats on today's Internet and the root cause of many network security problems. As link speeds and network bandwidth grow, it becomes harder and harder to build a DDoS prevention mechanism that tracks every connection on current hardware. Building a lightweight, real-time DDoS prevention mechanism is therefore a major challenge for both industry and academia.

After a comprehensive analysis of current network transactions and traffic, and based on the stability of the mapping from source IP addresses to final TTL values observed in our measurements, this thesis proposes a lightweight online method for mitigating DDoS attacks that combines spoofed IP address detection with a host threatening index (HTI). Since wired network topology is stable over long time scales, the method uses the mapping between the source IP address and the TTL in the IP header to describe the logical position of the sending host on the path. Spoofed packets are filtered out by comparing the mapping observed in the detection phase against the one learned in the training phase. Changes in the character of current Internet traffic, and their effect on this mapping, are also analyzed and taken into account. The host threatening index is introduced into the detection process to improve detection capability and reduce misjudgments; it quantifies the probability that a host is being attacked.

The thesis discusses the implementation of the proposed algorithm in a Linux environment in detail, including the partitioning of modules and the design method. Spoofed IP address detection is implemented with a Bloom filter, which reduces the time and space overhead of looking up the training results and simplifies the defence system. A simple but effective hash function is also proposed; it uses only 18 AND operations and 10 shift operations and significantly reduces the per-packet processing overhead. In addition, the suspect host list is implemented as a kernel-space linked list, which improves the reliability of the system and significantly lightens the computing burden.

Experimental results show that, when sufficiently trained, the method detects attacks as effectively as HCF (Hop-Count Filtering) and significantly reduces the false negative rate under current Internet conditions. The experiments show a false positive rate of only 2% for this method, compared with 40% for HCF. Moreover, the false positive rate of our method does not vary with the volume of attack traffic and varies by less than 1% as the training period increases. Performance tests show an average processing overhead of only about 200 CPU cycles per packet, close to the minimum reported for HCF. The processing overhead likewise does not vary with the attack traffic volume and varies only slightly with the training period.
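The following is an added example, not code from the thesis, that illustrates the two-phase scheme described above: infer a hop count from the TTL seen at the victim, store each (source IP, hop count) pair in a Bloom filter during training, and in the detection phase reject packets whose pair was never learned. It assumes the usual OS initial TTLs (32, 64, 128, 255) for hop-count inference, substitutes double hashing over a BLAKE2b digest for the thesis's own 18-AND/10-shift hash function (which the abstract does not give), and uses a plain per-source mismatch counter as a stand-in for the host threatening index, whose formula the abstract also omits. The training traffic is constructed.

```python
"""Spoofed-source detection from the (source IP, hop count) mapping.

Added example, not the thesis's code.  Training learns which hop count each
source IP arrives with; detection drops packets whose pair was never seen.
"""
import hashlib
import socket
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumption: senders start with one of these initial TTLs (common OS defaults).
# The hop count is the distance from the smallest initial TTL >= the observed TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(final_ttl: int) -> int:
    """Infer how many routers a packet crossed from the TTL it arrived with."""
    for initial in INITIAL_TTLS:
        if final_ttl <= initial:
            return initial - final_ttl
    raise ValueError(f"TTL out of range: {final_ttl}")


class BloomFilter:
    """Bit array with k hash positions per key: false positives are possible,
    false negatives are not, so a trained pair is never rejected."""

    def __init__(self, nbits: int = 1 << 16, nhashes: int = 4) -> None:
        self.nbits = nbits
        self.nhashes = nhashes
        self.bits = bytearray(nbits // 8)

    def _positions(self, key: bytes) -> Iterator[int]:
        # Assumption: Kirsch-Mitzenmacher double hashing over one BLAKE2b digest
        # stands in for the thesis's own 18-AND / 10-shift hash function.
        digest = hashlib.blake2b(key, digest_size=16).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:], "big") | 1  # odd stride, never zero
        for i in range(self.nhashes):
            yield (h1 + i * h2) % self.nbits

    def add(self, key: bytes) -> None:
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, key: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


def pair_key(src_ip: str, final_ttl: int) -> bytes:
    """4-byte address plus 1-byte hop count: the sender's logical position."""
    return socket.inet_aton(src_ip) + bytes([hop_count(final_ttl)])


class SpoofDetector:
    def __init__(self) -> None:
        self.table = BloomFilter()
        # Assumption: per-source mismatch count, a crude stand-in for the
        # host threatening index, whose formula the abstract does not give.
        self.suspect_hits: Dict[str, int] = {}

    def train(self, packets: Iterable[Tuple[str, int]]) -> None:
        """Training phase: record every (source IP, hop count) pair seen."""
        for src_ip, ttl in packets:
            self.table.add(pair_key(src_ip, ttl))

    def check(self, src_ip: str, ttl: int) -> bool:
        """Detection phase: True if the packet matches a trained pair."""
        genuine = pair_key(src_ip, ttl) in self.table
        if not genuine:
            self.suspect_hits[src_ip] = self.suspect_hits.get(src_ip, 0) + 1
        return genuine


# Constructed training traffic: (source IP, TTL observed at the victim).
TRAINING: List[Tuple[str, int]] = [
    ("192.0.2.10", 54),     # initial TTL 64, ten hops away
    ("198.51.100.7", 119),  # initial TTL 128, nine hops away
    ("203.0.113.42", 245),  # initial TTL 255, ten hops away
]


def run_demo() -> Dict[str, bool]:
    det = SpoofDetector()
    det.train(TRAINING)
    return {
        "trained pair": det.check("192.0.2.10", 54),
        # Same hop count, different initial TTL: still matches, because the
        # feature is the inferred distance, not the raw TTL value.
        "same hops, other OS": det.check("192.0.2.10", 118),
        # An attacker ten hops away forges 198.51.100.7, which is nine hops away.
        "spoofed source": det.check("198.51.100.7", 54),
        # A legitimate host never seen in training is flagged: the false-positive
        # cost that the abstract ties to the length of the training period.
        "untrained host": det.check("192.0.2.99", 60),
    }


if __name__ == "__main__":
    for label, ok in run_demo().items():
        print(f"{label:>20}: {'pass' if ok else 'drop'}")
```

Two caveats follow directly from the design. A Bloom-filter collision lets a spoofed pair through (a detection miss, never a wrongly dropped trained packet), so the bit-array size should be chosen against the expected number of learned pairs. And an attacker who forges a source address from the same hop distance as the real host, or who guesses the right TTL, produces a matching pair; this is the known limit of any TTL/hop-count filter, which is why the thesis pairs it with a per-host index rather than relying on the mapping alone.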
Keywords/Search Tags: DDoS, Spoofed IP address, Host threatening index, TTL