
Research On Defense Mechanism Of DDoS Attacks

Posted on: 2009-05-28
Degree: Master
Type: Thesis
Country: China
Candidate: Q Y Feng
Full Text: PDF
GTID: 2178360245487736
Subject: Computer application technology
Abstract/Summary:
With the development of computer technology and the popularization of the Internet, the network has become a necessary part of daily life for communicating and obtaining information. Accordingly, network security is becoming increasingly important. Recently, Distributed Denial-of-Service (DDoS) attacks have increased in frequency, severity and sophistication, and they pose a growing threat to today's Internet. Spoofed DDoS attacks in particular are among the hardest security problems because they are simple to implement, difficult to prevent, and very difficult to trace. Existing traditional countermeasures, such as firewalls and intrusion detection systems, cannot cope well using only a passive defense policy. Therefore, research on spoofed DDoS attacks and their countermeasures is not only very important but also challenging.

Through a taxonomy of DDoS attacks and defense mechanisms, this dissertation first analyzes the principle of DDoS attacks and describes their development. Secondly, the countermeasures to DDoS attacks and the challenges the defense mechanisms face are discussed. After that, several mechanisms for defending against spoofed DDoS attacks and packet marking schemes for traceback are reviewed. In order to defend against spoofed DDoS attacks effectively, a packet marking scheme for defending against spoofed DDoS attacks is proposed, and a dynamic PPM scheme based on router fingerprint is presented to trace back spoofed IP source addresses.

DDoS attack programs generally fill IP header fields, especially the 32-bit source IP address, with randomized values, and there is usually no explicit attack pattern that distinguishes legitimate packets from malicious ones, which makes defending against DDoS attacks more difficult. In order to detect and filter DDoS attacks that use spoofed packets to circumvent conventional intrusion detection schemes, this paper proposes a new packet marking scheme in which a path identification representing the route an IP packet traversed is embedded in each IP packet. A counter is kept for each path identification, representing the number of different IP addresses that carry the same identification. The onset of a spoofed DDoS attack is detected by comparing the sum of the counters with a preset marginal value, and spoofed packets can then be filtered so as to sustain the quality of the protected Internet services. Experimental results show that the proposed scheme is efficient at identifying spoofed DDoS attack packets.

Packet marking schemes have been proposed for achieving traceback of DoS attacks, and they have several advantages such as short response time and small resource consumption. The probabilistic packet marking (PPM) scheme proposed by Savage et al. allows the victim to trace back the approximate origin of spoofed IP packets. Because of the randomness of the marking procedure, however, the victim incurs a very high computation overhead to reconstruct the attack paths and obtains a large number of false positives. This paper proposes a Dynamic PPM scheme based on router fingerprint. In this mechanism, a router marks each packet dynamically so as to maintain a uniform marking probability for each router with respect to the victim, and the number of packets required for path reconstruction is minimal. By recording the router fingerprint, the false positive ratio is decreased. The proposed scheme uses the 13-bit offset field to record the fingerprint (a 13-bit hash value) of the router. At the victim, fragments with the same distance value, fragment value and hash value are combined to obtain the IP addresses of the routers on the attack path.
Analysis of this algorithm shows that the mechanism greatly reduces both the computation overhead and the false positives.
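As an added illustration that is not code from the thesis, the per-path-identification counter and the marginal-value check described above, simulated in Python over a constructed packet trace; the marginal value and the per-path limit used for filtering are assumed tuning parameters, not values given in the abstract.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A packet reduced to the two fields the scheme uses: the path identification
# a router embedded in it and its (possibly spoofed) source IP address.
Packet = Tuple[int, str]

def count_sources_per_path(packets: Iterable[Packet]) -> Dict[int, int]:
    """One counter per path identification: the number of distinct IP
    addresses that arrived carrying that identification."""
    seen = defaultdict(set)
    for path_id, src_ip in packets:
        seen[path_id].add(src_ip)
    return {path_id: len(addrs) for path_id, addrs in seen.items()}

def attack_detected(counters: Dict[int, int], marginal_value: int) -> bool:
    """Onset of a spoofed attack: the sum of all counters exceeds the preset
    marginal value (the value itself is an assumed tuning parameter)."""
    return sum(counters.values()) > marginal_value

def filter_spoofed(packets: Iterable[Packet], counters: Dict[int, int],
                   per_path_limit: int) -> List[Packet]:
    """Keep packets whose path identification carries no more distinct sources
    than a legitimate route plausibly would. Randomised source addresses all
    share the path of the host emitting them, so that path's counter grows far
    beyond the routes real clients use. The per-path limit is an assumption
    made for this example, not a parameter taken from the thesis."""
    return [p for p in packets if counters.get(p[0], 0) <= per_path_limit]

def inspect_traffic(packets: List[Packet], marginal_value: int,
                    per_path_limit: int) -> Tuple[bool, List[Packet]]:
    """Detection first; filtering only once the onset has been detected."""
    counters = count_sources_per_path(packets)
    detected = attack_detected(counters, marginal_value)
    kept = filter_spoofed(packets, counters, per_path_limit) if detected else list(packets)
    return detected, kept

# Constructed sample trace (private and documentation address ranges): two
# legitimate paths with a few real clients, and one path whose packets carry a
# different source value every time, as the randomised source field described above would.
SAMPLE_TRAFFIC: List[Packet] = (
    [(7, "10.0.1.5"), (7, "10.0.1.6"), (7, "10.0.1.5"), (12, "192.0.2.10")]
    + [(3, f"198.51.100.{i}") for i in range(1, 13)]
)

if __name__ == "__main__":
    hit, passed = inspect_traffic(SAMPLE_TRAFFIC, marginal_value=8, per_path_limit=4)
    print("attack detected:", hit, "| packets passed:", len(passed), "of", len(SAMPLE_TRAFFIC))
```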
Keywords/Search Tags: Denial of Service (DoS), Distributed Denial of Service (DDoS), Packet Marking, IP Traceback, Spoofed IP