
Research On DDoS Defense Mechanism Based On Packet Marking

Posted on: 2010-05-30
Degree: Master
Type: Thesis
Country: China
Candidate: J Yang
Full Text: PDF
GTID: 2178360278466632
Subject: Computer application technology

Abstract/Summary:
DDoS (Distributed Denial of Service) attacks are among the most threatening and devastating attack methods, and DDoS defense technology has become a focus of network security research in recent years. Securing the sustained availability of key application services, in particular against DDoS attacks, is of utmost importance. In a DDoS attack, the attacker often uses IP spoofing to hide his or her identity. To defend against such attacks, this dissertation presents a new packet marking scheme to protect TCP services. Every packet arriving at a perimeter router carries a token. The token is composed of the source IP address and a path identifier stamped by intermediate routers into the 16-bit identification field of the IP header. After the client completes the TCP three-way handshake, the perimeter router dynamically adds the path identifier and the corresponding client IP address to its database. A packet carrying a valid token is permitted to reach the destination. A token provides strong proof that the packet belongs to an existing TCP connection; more importantly, a valid token proves that the information in the packet header is correct, which lets filtering devices identify individual flows with a higher degree of certainty. Simulations show that the new packet marking scheme defends effectively against IP spoofing and reflective DDoS attacks. Through research on attack packet identification and filtering based on path identification, this dissertation also presents an approach called IPi (Improved Path identification).
Instead of inserting a token of one or two bits as previous Pi (Path identification) techniques do, the router determines from the TTL value in the packet header how many hops the packet has traveled, generates a token of correspondingly flexible length, and inserts it into the packet. IPi uses the marking space fully, and the resulting path identification has a higher differentiation index. Simulations based on actual Internet topologies show that IPi identifies and filters malicious packets more effectively, and that it performs clearly better than the previous Pi approach when the attack paths and the legitimate paths share more routes.
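The following Python model illustrates the token idea described in the abstract: routers stamp path bits into a 16-bit marking field at a slot chosen from the TTL, and a perimeter router admits only packets whose (source IP, path identifier) pair was recorded after the TCP handshake. It is an added example, not code from the thesis; the 2-bit-per-hop stamp, the initial TTL of 64, the octet-sum stand-in for the per-link hash, and the sample topology are all assumptions, and IPi's variable-length token is not modelled.

```python
MARK_BITS = 16      # the IPv4 identification field used as marking space
BITS_PER_HOP = 2    # assumed: each router stamps 2 bits of the path identifier
INIT_TTL = 64       # assumed initial TTL; hops travelled = INIT_TTL - ttl

def link_bits(router_ip: str, prev_ip: str) -> int:
    """Bits a router stamps for the link it received the packet on.
    Octet-sum stand-in for the hash of (router, last hop) used by Pi-style schemes."""
    total = sum(int(o) for o in f"{router_ip}.{prev_ip}".split("."))
    return total & ((1 << BITS_PER_HOP) - 1)

def router_mark(mark: int, ttl: int, router_ip: str, prev_ip: str) -> int:
    """Stamp BITS_PER_HOP bits into the slot selected by hops travelled so far."""
    hops = INIT_TTL - ttl
    slot = (hops * BITS_PER_HOP) % MARK_BITS
    mask = ((1 << BITS_PER_HOP) - 1) << slot
    return (mark & ~mask) | (link_bits(router_ip, prev_ip) << slot)

def forward(sender_ip: str, path: list[str]) -> int:
    """Carry a packet from its real sender over path; return the accumulated mark.
    The mark depends on the real ingress link, not on the source field in the header."""
    mark, ttl, prev = 0, INIT_TTL, sender_ip
    for router in path:
        mark = router_mark(mark, ttl, router, prev)
        ttl, prev = ttl - 1, router
    return mark

class PerimeterRouter:
    """Learns (client IP, path identifier) tokens after the TCP handshake and
    admits only packets whose token matches."""
    def __init__(self) -> None:
        self.tokens: dict[str, int] = {}

    def handshake_complete(self, client_ip: str, mark: int) -> None:
        self.tokens[client_ip] = mark

    def accept(self, claimed_src: str, mark: int) -> bool:
        return self.tokens.get(claimed_src) == mark

# Constructed sample topology: the attacker's path shares its last hop with the client's.
CLIENT_IP, CLIENT_PATH = "192.168.5.20", ["10.0.1.1", "10.0.2.1", "10.0.3.1"]
ATTACKER_IP, ATTACKER_PATH = "203.0.113.9", ["10.0.7.1", "10.0.8.1", "10.0.3.1"]

def demo() -> tuple[bool, bool]:
    """Return (legitimate packet accepted, spoofed packet accepted)."""
    pr = PerimeterRouter()
    pr.handshake_complete(CLIENT_IP, forward(CLIENT_IP, CLIENT_PATH))
    legit = pr.accept(CLIENT_IP, forward(CLIENT_IP, CLIENT_PATH))
    # the attacker writes CLIENT_IP into the header but enters on its own path
    spoof = pr.accept(CLIENT_IP, forward(ATTACKER_IP, ATTACKER_PATH))
    return legit, spoof

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the mark is fixed by the real path rather than by the header, a spoofed source address carries a mismatching path identifier even when the two paths overlap at the last hop.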
Keywords/Search Tags: distributed denial of service attack, IP spoofing, packet marking, path identification