
Research And Application Of Defense Of DDoS Attacks Based On ISP Network

Posted on: 2011-08-01    Degree: Master    Type: Thesis
Country: China    Candidate: C Q Zou    Full Text: PDF
GTID: 2178360308462421    Subject: Computer Science and Technology
Abstract/Summary:
The Distributed Denial of Service (DDoS) attack is a grave threat to Internet services and even to the network itself. It exploits flaws in TCP/IP and the limits of network bandwidth to send junk packets to a victim; once the victim's system and network resources are consumed, it can no longer respond to legitimate requests.

First, I introduce the characteristics, current status and development trend of DDoS attacks, analyze and survey the existing defense mechanisms, and list their advantages and disadvantages. I also analyze in depth why the ISP's participation in the defense matters and what proactive role the ISP can take. After summarizing the difficulties of DDoS defense, I propose a distributed, cooperative defense model.

The system consists of three function modules: a management module, a detection module and a response module. The goal is a better defense effect by deploying the different modules at different points of the network and exploiting the respective advantages of the source network, the intermediate network and the target network. The system uses a multiplex detection method: the detection systems deployed at the target network stay online to monitor the state of the IP packet flow forwarded to the target network, and when anomalous packets appear they send an alarm message to the management module, which activates the detection systems deployed in the ISP network. The distributed detection system is based on the Distributed Change-point Detection (DCD) mechanism. DCD not only detects the DDoS attack but also builds a Change-Aggregation Tree (CAT) by monitoring suspicious traffic changes across a number of attack-transit routers, and the system responds according to the CAT. In this thesis the calculation is improved with a weighted method so that detection is sensitive to frequent DDoS attacks. The system's response approach is router-based filtering, with throttling as the primary response.

Aggregate-based Congestion Control (ACC) has design defects: it limits the rate of some routers' data flows but cannot distinguish legitimate packets from attack packets. Building on this, I propose a method that summarizes the characteristics of attacks and fills this gap in ACC. Experiments confirm that it provides good defense efficacy.
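The abstract describes the detection side of the system only in outline: per-router monitors flag a change in traffic, and the flagged routers are joined into a Change-Aggregation Tree that follows the attack path back toward the sources. The following is an added illustration, not code from the thesis: a one-sided CUSUM change-point detector run over constructed per-router packet-rate samples, followed by growing a tree from the victim's edge outward through routers that flagged a change. The topology, traffic numbers, CUSUM allowance and threshold, and the minimum tree size used to declare an attack are all assumptions for this example; the thesis's own weighted calculation is not reproduced here.

```python
"""Toy distributed change-point detection (DCD) with a change-aggregation tree.

Constructed example: per-router packet-rate samples feed a CUSUM change-point
detector; routers that flag a change are joined along a constructed upstream
topology into a tree rooted at the victim's edge. Thresholds, topology and
traffic numbers are illustrative assumptions, not values from the thesis.
"""
from typing import Dict, List, Optional, Tuple

# Constructed upstream topology: child router -> parent router toward the victim.
TOPOLOGY: Dict[str, str] = {
    "r1": "victim", "r2": "victim",
    "r3": "r1", "r4": "r1", "r5": "r2",
    "r6": "r3",
}

# Constructed per-router packet rates (packets/s, one sample per interval).
SAMPLES: Dict[str, List[float]] = {
    "r1": [100, 102, 98, 101, 400, 450, 480, 500],  # aggregate of r3 + r4 flood
    "r2": [80, 82, 79, 81, 80, 83, 82, 80],         # normal traffic
    "r3": [50, 51, 49, 52, 200, 210, 220, 230],     # abrupt jump
    "r4": [50, 49, 51, 50, 80, 90, 100, 110],       # gradual ramp-up
    "r5": [40, 41, 39, 40, 42, 40, 41, 39],         # normal traffic
    "r6": [50, 51, 49, 52, 200, 210, 220, 230],     # transit router feeding r3
}


def cusum_change_point(samples: List[float], baseline_len: int = 4,
                       allowance: float = 0.1, threshold: float = 2.0) -> Optional[int]:
    """One-sided CUSUM over a packet-rate series.

    The first `baseline_len` samples define the normal mean mu. The statistic
    S_t = max(0, S_{t-1} + (x_t - mu - allowance*mu)) accumulates excess over
    the baseline, so a sustained moderate increase is caught as well as a
    single large jump. A change is reported at the first t with S_t > threshold*mu.
    Returns the sample index of the change, or None if none is detected.
    """
    if len(samples) <= baseline_len:
        return None
    mu = sum(samples[:baseline_len]) / baseline_len
    k = allowance * mu   # slack that normal jitter must not exceed
    h = threshold * mu   # decision threshold
    s = 0.0
    for t in range(baseline_len, len(samples)):
        s = max(0.0, s + (samples[t] - mu - k))
        if s > h:
            return t
    return None


def build_cat(flags: Dict[str, Optional[int]], topology: Dict[str, str],
              root: str = "victim") -> List[Tuple[str, str]]:
    """Grow a change-aggregation tree from the victim outward.

    A router joins the tree only if it flagged a change and its parent is the
    root or already in the tree, so the tree traces the attack path(s).
    Returns (child, parent) edges in breadth-first order.
    """
    children: Dict[str, List[str]] = {}
    for child, parent in topology.items():
        children.setdefault(parent, []).append(child)
    edges: List[Tuple[str, str]] = []
    frontier = [root]
    while frontier:
        node = frontier.pop(0)
        for child in sorted(children.get(node, [])):
            if flags.get(child) is not None:
                edges.append((child, node))
                frontier.append(child)
    return edges


def analyse(samples: Dict[str, List[float]], topology: Dict[str, str],
            min_tree_size: int = 3) -> dict:
    """Run detection on every router, build the CAT and pick throttle points.

    An attack is declared when the tree holds at least `min_tree_size`
    routers (assumed value). Throttle points are the leaves of the tree,
    i.e. the flagged routers farthest from the victim, where rate limiting
    hurts legitimate traffic least.
    """
    flags = {r: cusum_change_point(s) for r, s in samples.items()}
    edges = build_cat(flags, topology)
    in_tree = {child for child, _ in edges}
    parents = {parent for _, parent in edges}
    return {
        "flags": flags,
        "edges": edges,
        "attack": len(in_tree) >= min_tree_size,
        "throttle_points": sorted(in_tree - parents),
    }


if __name__ == "__main__":
    result = analyse(SAMPLES, TOPOLOGY)
    print("change points:", result["flags"])
    print("CAT edges:", result["edges"])
    print("attack:", result["attack"], "throttle at:", result["throttle_points"])
```

With these samples the abrupt jumps on r1, r3 and r6 are flagged at the first attack interval, while the gradual ramp on r4 is only flagged two intervals later once the CUSUM sum crosses its threshold; r2 and r5 never leave the baseline. The resulting tree runs victim, r1, {r3, r4}, r6, and the leaves r4 and r6 are the candidate throttle points.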
Keywords/Search Tags: DDoS, distributed defense system, throttle, DCD, ISP