
Research On Distributed Denial Of Service Attacks And Defense Technology

Posted on: 2009-12-23
Degree: Master
Type: Thesis
Country: China
Candidate: F S Lin
Full Text: PDF
GTID: 2178360272980196
Subject: Computer application technology
Abstract/Summary:
Distributed Denial-of-Service (DDoS) attacks are today the second most serious threat on the Internet after worms, causing annual economic losses put at hundreds of billions of US dollars. Because they exploit system vulnerabilities and the inherent security weaknesses of the Internet, and because attack traffic resembles normal behaviour and is therefore hard to defend against, security mechanisms for defending against DDoS attacks have become a hot topic in network security research. So far, no defense mechanism exists that solves the problem completely.

Building on a study of DDoS attacks, this thesis analyzes existing defensive mechanisms and summarizes the characteristics and problems of the various DDoS attack mechanisms. It then designs a multi-layer security mechanism for DDoS defense. Following the TCP/IP reference model, the mechanism applies statistical filtering and traffic limiting at the network, transport and application layers in turn, so that as much illegitimate traffic as possible is filtered out and normal traffic is protected.

At the network layer, the majority of illegitimate traffic is filtered by SHCF, an improved Hop Count Filtering algorithm, which uses the number of hops an IP packet has traversed (inferred from its TTL) as the statistical feature. At the transport layer, the illegitimate traffic that escaped network-layer filtering is filtered by an improved SYN cookie firewall. At the application layer, traffic-limitation and connection-limitation policies are applied: the traffic-limitation policy defends against resource-depletion DDoS attacks launched from legitimate IP addresses, the connection-limitation policy defends against connection-depletion DDoS attacks launched from legitimate IP addresses, and together they filter attack traffic from legitimate IP addresses effectively.

The network-layer, transport-layer and application-layer defenses work together as an organic whole, the multi-layer mechanism, which keeps the system serving its clients under DDoS attack. Finally, the defense mechanism is implemented and tested on Linux. The results show that the three-layer defense mechanism defends against DDoS attacks well.
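The three-layer design described in the abstract, as an added example that is not the thesis's code: a small Python model of a packet-filtering pipeline of that shape. The page does not describe SHCF's refinements over Hop Count Filtering or the changes made to the SYN cookie firewall, so the block uses plain HCF (hop count inferred from the TTL and compared with a per-source table learned before the attack) and a standard HMAC-based SYN cookie. The learned hop-count table, the cookie secret, the per-source byte budget and connection cap, the server address 192.0.2.1:80 and every packet are constructed for the demonstration.

```python
import hmac
import hashlib
from collections import defaultdict

# --- Network layer: Hop-Count Filtering (plain HCF; the thesis's SHCF
# refinements are not described on this page) ---
INITIAL_TTLS = (32, 64, 128, 255)   # common OS default initial TTLs

def hop_count(ttl):
    """Hops travelled = (smallest default initial TTL >= observed) - observed."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError("TTL out of range")

class HopCountFilter:
    """Drop packets whose TTL-derived hop count disagrees with the hop count
    learned for the claimed source IP before the attack (constructed table)."""
    def __init__(self, learned, tolerance=1):
        self.learned, self.tolerance = learned, tolerance
    def accept(self, src, ttl):
        expected = self.learned.get(src)
        if expected is None:
            return True      # unknown source: leave it to the later layers
        return abs(hop_count(ttl) - expected) <= self.tolerance

# --- Transport layer: stateless SYN cookies ---
class SynCookieFirewall:
    """The ISN in our SYN-ACK is an HMAC over the 4-tuple and a coarse time
    counter; only an ACK carrying cookie+1 allocates connection state, so
    SYN floods from spoofed addresses cost no memory."""
    def __init__(self, secret, counter=0):
        self.secret, self.counter = secret, counter   # caller bumps counter periodically
    def cookie(self, src, sport, dst, dport, counter=None):
        c = self.counter if counter is None else counter
        msg = f"{src}:{sport}>{dst}:{dport}|{c}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
    def valid_ack(self, src, sport, dst, dport, ack):
        # accept the current and previous counter so a slow handshake still completes
        return any((self.cookie(src, sport, dst, dport, c) + 1) & 0xFFFFFFFF == ack
                   for c in (self.counter, self.counter - 1))

# --- Application layer: per-source traffic limit and connection limit ---
class PerSourceLimiter:
    """Token bucket per source (traffic limit; the bytes/s budget is an assumption)
    plus a cap on simultaneously open connections per source (connection limit).
    Both bite on attackers that use legitimate, unspoofed IP addresses."""
    def __init__(self, rate, burst, max_conns):
        self.rate, self.burst, self.max_conns = rate, burst, max_conns
        self.tokens, self.last, self.conns = defaultdict(lambda: burst), {}, defaultdict(int)
    def admit_traffic(self, src, nbytes, now):
        self.tokens[src] = min(self.burst, self.tokens[src] + (now - self.last.get(src, now)) * self.rate)
        self.last[src] = now
        if self.tokens[src] < nbytes:
            return False
        self.tokens[src] -= nbytes
        return True
    def open_conn(self, src):
        if self.conns[src] >= self.max_conns:
            return False
        self.conns[src] += 1
        return True

def pkt(who, src, ttl, flags, **fields):
    """Constructed packet record; 'who' labels the real sender for reporting only."""
    return {"who": who, "src": src, "ttl": ttl, "flags": flags,
            "dst": "192.0.2.1", "dport": 80, **fields}

def run_pipeline(packets, hcf, fw, lim):
    """Pass each packet through the three layers; return sender -> verdict counts."""
    verdicts = defaultdict(lambda: defaultdict(int))
    for p in packets:
        v, src = verdicts[p["who"]], p["src"]
        if not hcf.accept(src, p["ttl"]):
            v["dropped_hcf"] += 1
        elif p["flags"] == "SYN":
            v["syn_cookie_sent"] += 1          # reply with cookie ISN, keep no state
        elif p["flags"] == "ACK":
            if not fw.valid_ack(src, p["sport"], p["dst"], p["dport"], p["ack"]):
                v["dropped_bad_cookie"] += 1
            elif not lim.open_conn(src):
                v["dropped_conn_limit"] += 1
            else:
                v["connected"] += 1
        elif p["flags"] == "DATA":
            v["served" if lim.admit_traffic(src, p["size"], p["t"]) else "dropped_rate_limit"] += 1
    return {who: dict(c) for who, c in verdicts.items()}

def demo():
    """Constructed scenario: a legitimate client, a spoofer forging its address,
    a SYN flooder from an unknown address, and a bot flooding from its real address."""
    hcf = HopCountFilter({"10.0.0.5": 12, "198.51.100.7": 5})   # learned hop counts (constructed)
    fw = SynCookieFirewall(b"constructed-secret", counter=7)
    lim = PerSourceLimiter(rate=1000, burst=2000, max_conns=2)  # bytes/s budget, assumed
    def shake(who, src, ttl, sport):  # SYN followed by an ACK that returns the cookie
        ack = (fw.cookie(src, sport, "192.0.2.1", 80) + 1) & 0xFFFFFFFF
        return [pkt(who, src, ttl, "SYN", sport=sport), pkt(who, src, ttl, "ACK", sport=sport, ack=ack)]
    pkts = shake("legit 10.0.0.5", "10.0.0.5", 52, 40000)       # 64 - 52 = 12 hops, matches table
    pkts += [pkt("legit 10.0.0.5", "10.0.0.5", 52, "DATA", size=n, t=t) for n, t in ((1500, 0.0), (400, 1.0))]
    pkts += [pkt("spoofer as 10.0.0.5", "10.0.0.5", 120, "SYN", sport=s) for s in (1, 2, 3)]  # 8 hops
    pkts += [pkt("flooder 203.0.113.9", "203.0.113.9", 50, "SYN", sport=s) for s in range(1000, 1005)]
    pkts += [pkt("flooder 203.0.113.9", "203.0.113.9", 50, "ACK", sport=1000, ack=12345)]  # guessed ack
    for s in (50001, 50002, 50003):
        pkts += shake("bot 198.51.100.7", "198.51.100.7", 59, s)  # third handshake exceeds max_conns
    pkts += [pkt("bot 198.51.100.7", "198.51.100.7", 59, "DATA", size=1500, t=t) for t in (0.0, 0.0, 0.5)]
    return run_pipeline(pkts, hcf, fw, lim)

if __name__ == "__main__":
    for who, counts in demo().items():
        print(who, counts)
```

Each layer catches what the previous one cannot: the spoofer is stopped by the hop-count mismatch alone, the flooder from an unknown address gets cookies but never obtains state because it cannot return a valid one, and the bot on a real address passes both earlier layers and is only contained by the application-layer connection and byte limits. A real deployment would also have to handle the abstract's open problems, such as learning the hop-count table safely before an attack and choosing the tolerance and budgets so that legitimate clients behind changing routes are not dropped.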
Keywords/Search Tags:DDoS, Illegitimate Traffic, TCP/IP, Multi-layer defense mechanism