Study And Representation On Defending Tactics In Distributed Denial Of Service

Posted on: 2009-12-31
Degree: Master
Type: Thesis
Country: China
Candidate: Y Lei
GTID: 2178360272475547
Subject: Computer system architecture

Abstract/Summary:
Distributed Denial of Service (DDoS) is regarded as "the ultimate weapon of hackers" because it is simple to carry out and highly effective. Attackers direct hundreds of thousands of agents to send a mass of useless datagrams to the victim in order to exhaust both its network and its capacity. They use IP spoofing or imitate legitimate streams to evade the IDS and firewall, which makes DDoS harder and harder to defend against.

Firstly, this thesis analyzes the basic theory of DDoS and the existing router-based methods of detection and related defense. On the defense side, it mainly explains the architecture of DDoS defense and the pushback mechanism. On the detection side, it emphasizes statistics-based detection methods, including entropy and Bloom filters.

Secondly, to address the shortcomings of deploying defenses at a single location (the source, the middle of the network, or the victim), the Distributed Defending System (DDS) is presented. DDS deploys defending nodes at multiple locations and manages them through a single managing node to achieve a multiple-defending objective. The mechanism can be summarized as "wide detection, local pushback and distant defending": it performs pushback while avoiding the bottleneck near the victim, and it also reduces the network resources consumed by DDoS.

Thirdly, a new detection and distinction method based on source-destination clustering is proposed. It combines the idea of HIF with statistics on the dramatic shift in source information that occurs when a DDoS attack is carried out with IP spoofing. For detection, it uses a sequence change-point detection method to detect the attacking point by finding the shift in a sequence composed of the ratio of datagrams with a new source IP address to a certain number of datagrams. For distinction, it uses the density-based clustering algorithm DBSCAN: the majority set of items picked out of the suspicious datagrams is considered to be the attacking datagrams, because all attacking datagrams have a similar or even the same destination IP address. The source IP addresses of this set are those of the attacking datagrams. They are hashed into a Bloom filter table called the attacking character table, which helps other defending nodes estimate whether their traffic contains attacking datagrams.

Finally, the modules and functions of this infrastructure are implemented, and appropriate experiments are conducted to validate the correctness of the study.
Keywords/Search Tags:Distributed Denial of Service, Multiple-defending object, Sequence change-point detection, Density-based clustering
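
The detection pipeline described in the abstract can be sketched as follows. This is an added example, not code from the thesis. It assumes a one-sided CUSUM as the sequence change-point test, substitutes a most-common-destination vote for the DBSCAN clustering step, and uses constructed traffic and assumed tuning values (WINDOW, DRIFT, THRESHOLD).

```python
import hashlib
from collections import Counter

WINDOW, DRIFT, THRESHOLD = 100, 0.1, 1.0   # assumed tuning values, not from the thesis

class BloomFilter:
    def __init__(self, bits=1 << 16, hashes=4):
        self.bits, self.hashes, self.array = bits, hashes, bytearray(bits // 8)
    def _positions(self, item):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits
    def add(self, item):
        for p in self._positions(item):
            self.array[p // 8] |= 1 << (p % 8)
    def __contains__(self, item):
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(item))

def detect(packets, known_sources):
    """packets: list of (src_ip, dst_ip). Returns (alarm window or None, attack table)."""
    seen, table = set(known_sources), BloomFilter()
    cusum, baseline, alarm = 0.0, 0.0, None
    for w in range(len(packets) // WINDOW):
        window = packets[w * WINDOW:(w + 1) * WINDOW]
        suspects = [(s, d) for s, d in window if s not in seen]
        ratio = len(suspects) / WINDOW            # share of datagrams with a new source
        cusum = max(0.0, cusum + ratio - baseline - DRIFT)
        if cusum == 0.0:                          # learn the normal level only while quiet
            baseline = 0.9 * baseline + 0.1 * ratio
        if alarm is None and cusum > THRESHOLD:
            alarm = w                             # change point: the ratio has shifted upward
        if alarm is None:
            seen.update(s for s, _ in window)     # before the alarm, sources become known
        elif suspects:
            # Simplification: most common destination stands in for the DBSCAN majority cluster.
            victim = Counter(d for _, d in suspects).most_common(1)[0][0]
            for s in (s for s, d in suspects if d == victim):
                table.add(s)                      # fill the attacking character table
    return alarm, table

def sample_traffic():
    """Constructed trace: 5 quiet windows, then 80% spoofed datagrams aimed at one host."""
    packets = []
    for i in range(10 * WINDOW):
        spoofed = i >= 5 * WINDOW and i % 5 != 0
        src = f"198.18.{i >> 8}.{i & 255}" if spoofed else f"10.0.0.{i % 50}"
        packets.append((src, "192.0.2.1" if spoofed else f"192.0.2.{i % 5 + 1}"))
    return packets
```

Calling `detect(sample_traffic(), {f"10.0.0.{k}" for k in range(50)})` raises the alarm one window after the flood begins, which shows the detection delay that the CUSUM threshold trades against false alarms.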