
Research And Design Of DDoS Defense Architecture Based On Successively Weakening Attacks

Posted on: 2010-10-25
Degree: Master
Type: Thesis
Country: China
Candidate: R Ning
Full Text: PDF
GTID: 2178360278457191
Subject: Computer technology
Abstract/Summary:
Because DDoS attacks have caused striking destruction and great damage, their power and harmfulness have come under scrutiny. In recent years, more and more researchers have brought survivability theory into the study of network attack defense, hoping to improve system survivability under network attacks. This thesis is supported by the 863 project "The research on the model and key technologies of network survivability system based on holographic principle" and is devoted to the research and design of a DDoS defense architecture based on successively weakening attacks. A DDoS defense system framework based on successively weakening attacks is presented, and the temporal passport module and the connection dispatcher layer module are designed and implemented. The primary work of the thesis comprises four aspects.

(1) The definition, analytical approach and design method of survivability technologies are analyzed, and a defense idea based on successively weakening and successively filtering attacks is presented. This idea uses different policies to construct a layered defense architecture and weakens the attack threat layer by layer so as to improve system survivability. It also provides the theoretical basis for the DDoS defense architecture based on successively weakening attacks.

(2) The design and defense policies of the DDoS defense architecture based on successively weakening attacks are presented. The architecture adopts both static and dynamic defense policies. Dynamic policies are applied during communication among the user layer, authentication scheduling layer, connection scheduling layer and service layer; static policies are applied throughout the defense architecture. These policies aim to improve the survivability properties and thereby the system survivability.

(3) After analysis and study of the Linux network implementation, the user temporal passport module is designed and implemented by modifying the TCP protocol stack and adding a Netfilter extension module through kernel module programming.

(4) The connection dispatcher module is designed and implemented based on the Linux programming interface, user white-list management, firewall matching and LVS technologies.

The DDoS defense system presented in this thesis weakens the influence of DDoS attacks on the application service. Adding filtering layers and policies is a feasible technical method of improving system survivability under network attacks. The system has certain applications in CAPF and other security-related business information systems.
Keywords/Search Tags:network survivability, successively weakening attacks, DDoS defense architecture