
Research On The Defense Method Of DDoS Attacks

Posted on: 2009-09-26
Degree: Master
Type: Thesis
Country: China
Candidate: H J Ji
Full Text: PDF
GTID: 2178360272457229
Subject: Computer application technology
Abstract/Summary:
Distributed denial of service (DDoS) attack is the most destructive means of attack on the Internet. It floods the victim with a large number of connection requests or useless packets, exploiting flaws in TCP/IP and the limited network bandwidth. These illegal packets consume the victim's system resources and bandwidth, so that the victim is unable to respond to the normal requests of other clients. At the application layer, as network bandwidth increases and network applications develop, the computational complexity of the application layer gradually exceeds that of the network layer, and attackers' strategies are shifting from the network layer to the application layer.

First, the principles and means of network DDoS attacks are analyzed and several kinds of network-layer DDoS attacks are discussed; the principle, characteristics and two kinds of App-DDoS (application-layer DDoS) attacks are also discussed. Then, the current state of research on detection and defense technology at the network layer and the application layer is surveyed. Next, from the viewpoint of the ISP (Internet Service Provider) domain, a defense scheme against DDoS attacks based on ISP networks is put forward. First, the scheme is grounded in the ISP domain, so it is convenient to manage, and only a few network devices are needed, which makes it feasible to deploy. Second, from the viewpoint of detection, the scheme can identify DDoS attacks at the moment they are launched, so it can respond to a DDoS attack quickly and with a high detection ratio. Finally, from the viewpoint of defense, the scheme keeps network traffic within the normal range while keeping the survival rate of normal packets as high as possible. The feasibility of the scheme is validated through simulated tests.
For the newer App-DDoS attacks, the thesis discusses the characteristics of the attack behavior and presents a defense scheme based on credit probability. The scheme applies statistical analysis to data from normal users to obtain the probability distributions of normal behavior, using the request rate and the workload of the requested data. These distributions serve as the evidence for setting the credit probability of each session, and scheduling policies based on session credit probability realize the defense. Experimental results show the effectiveness of the scheme in defending against App-DDoS attacks. Finally, future research work is outlined.
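The following is an added illustration of the credit-probability idea described above; it is not the thesis's own code and the thesis does not specify these formulas. It assumes the two per-session features the abstract names (request rate and request workload), defines a session's credit as the fraction of observed normal sessions that behaved at least as aggressively on each feature (a smoothed empirical tail probability, multiplied across the two features as if they were independent), and then schedules sessions in descending order of credit, shedding the lowest-credit sessions first once the server's capacity is exhausted. The normal-user sample and the test sessions are constructed for the example.

```python
"""Credit-probability session scheduling against App-DDoS (illustrative).

Added example, not the thesis's code. Assumptions: sessions are described by a
request rate and a mean per-request workload; a session's credit probability is
the smoothed fraction of normal sessions that were at least as aggressive on
each feature; the scheduler serves high-credit sessions first.
"""
from bisect import bisect_left
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Session:
    sid: str
    rate: float      # requests per second over the observation window
    workload: float  # mean server cost per request (e.g. CPU milliseconds)


class CreditModel:
    """Empirical distributions of normal behaviour, built from observed normal sessions."""

    def __init__(self, normal_sessions: Sequence[Session]) -> None:
        self._rates = sorted(s.rate for s in normal_sessions)
        self._loads = sorted(s.workload for s in normal_sessions)

    @staticmethod
    def _tail_prob(sorted_vals: List[float], x: float) -> float:
        # Fraction of normal samples >= x, with add-one smoothing so an
        # unseen extreme value gets a small positive credit rather than 0.
        n = len(sorted_vals)
        at_least = n - bisect_left(sorted_vals, x)
        return (at_least + 1) / (n + 1)

    def credit(self, s: Session) -> float:
        """Credit probability of a session: P(rate >= s.rate) * P(workload >= s.workload)."""
        return self._tail_prob(self._rates, s.rate) * self._tail_prob(self._loads, s.workload)


def schedule(model: CreditModel, sessions: Sequence[Session],
             capacity: float, min_credit: float = 0.0) -> Tuple[List[str], List[str]]:
    """Admit sessions by descending credit until capacity (rate * workload) is used up.

    Returns (served_ids, shed_ids). Sessions below min_credit are shed outright.
    """
    ranked = sorted(sessions, key=model.credit, reverse=True)
    served: List[str] = []
    shed: List[str] = []
    used = 0.0
    for s in ranked:
        cost = s.rate * s.workload
        if model.credit(s) >= min_credit and used + cost <= capacity:
            served.append(s.sid)
            used += cost
        else:
            shed.append(s.sid)
    return served, shed


# Constructed sample of normal-user sessions (rate, workload) used to train the model.
NORMAL_SESSIONS = [
    Session(f"n{i}", r, w)
    for i, (r, w) in enumerate([(0.5, 5), (0.8, 8), (1.0, 10), (1.2, 6),
                                (1.5, 12), (0.7, 20), (2.0, 9), (1.1, 15)])
]

# Constructed test sessions: two normal-looking, one request flood, one heavy-workload abuser.
TEST_SESSIONS = [
    Session("light", 0.6, 6),
    Session("good", 1.0, 10),
    Session("flood", 50.0, 10),
    Session("heavy", 1.0, 200),
]


def demo(capacity: float = 20.0) -> Tuple[List[str], List[str]]:
    """Train on the normal sample and schedule the test sessions under the given capacity."""
    model = CreditModel(NORMAL_SESSIONS)
    return schedule(model, TEST_SESSIONS, capacity)


if __name__ == "__main__":
    model = CreditModel(NORMAL_SESSIONS)
    for s in TEST_SESSIONS:
        print(f"{s.sid:6s} credit={model.credit(s):.3f}")
    print("served, shed =", demo())
```

With the constructed data the two abusive sessions receive credits well below the normal ones (each scores the minimum smoothed tail probability on the feature it abuses), so under a capacity of 20 cost units the scheduler serves the two normal sessions and sheds the flood and the heavy-workload session. In a deployment the normal sample would be collected from historical traffic and refreshed periodically, and the two features would be replaced or extended with whatever request statistics separate normal users from attack sessions in that application.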
Keywords/Search Tags: DDoS, App-DDoS, attack tree, credit probability, packet filtering, detection, defense, rate limitation