
Research And Implementation Of Forensics System On DDoS Attack Based On Botnet

Posted on: 2009-06-14 | Degree: Master | Type: Thesis
Country: China | Candidate: T Luan | Full Text: PDF
GTID: 2178360308979251 | Subject: Computer application technology

Abstract/Summary:
With the development of computer technology, computer security incidents occur frequently. Computer forensics developed in response to this situation, and it has a deterrent effect on criminals. At present, distributed denial of service (DDoS) attacks have become a major threat to information security, and botnets make launching DDoS attacks convenient. Forensics on botnet-based DDoS attacks has therefore gradually become an important element of computer forensics.

The IRC-based botnet is currently the most popular kind of botnet. Through an analysis of the behavior characteristics of botnet IRC C2 (command and control), this thesis proposes a novel method for recognizing IRC C2 behavior at the controlled end: separating IRC data from ordinary network traffic, extracting features of the IRC behavior, fuzzy-matching those features against a matching model, and then deciding whether the IRC flow is IRC C2 behavior.

At present the main forms of DDoS attack are based on the TCP protocol and on the ICMP protocol. This thesis puts forward two source-end identification methods for DDoS attacks. For TCP-based DDoS attacks, the difference between the number of TCP SYN packets and the number of SYN-ACK packets is used to quantify the extent of the target's congestion, and the difference between the number of SYN-ACK packets and the number of packets responding to those SYN-ACKs is evaluated to judge whether the traffic is a malicious attack. The non-parametric CUSUM algorithm amplifies the effect of continuous attacks and reduces the false alarm rate. For ICMP-based DDoS attacks, based on an analysis of ICMP attacks, a method of detecting Smurf attacks by judging whether a packet's source IP has been forged is put forward.

Experimental results show that the two DDoS detection methods have a high recognition rate. Based on its analysis of botnets, this thesis uses an election vector to detect the splitting and transfer of a botnet, and an attack vector to detect botnets that participate in DDoS attacks. Because large-scale DDoS attacks cannot be launched, this thesis develops a simulation system to verify the algorithm. Finally, this thesis analyzes the functional requirements of a forensic system and designs and implements a forensic prototype system for botnet-based DDoS attacks.
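As an added example (not code from the thesis), the source-end TCP statistic described above expressed as a non-parametric CUSUM over per-interval SYN, SYN-ACK and completing-ACK counts observed at the monitored host. The interval counts, the offset and the threshold are constructed values, and because the thesis abstract does not give its exact normalisation, the raw per-interval difference is assumed here.

```python
# Constructed per-interval counters as a source-end monitor would collect them:
# (outbound SYN, inbound SYN-ACK, outbound ACK that completes the handshake).
SAMPLE_INTERVALS = [
    (20, 19, 19), (22, 21, 21), (18, 18, 18), (25, 24, 24),  # normal traffic
    (80, 30, 6), (90, 30, 4), (110, 28, 2), (120, 25, 0),    # sustained flood
    (21, 20, 20), (19, 19, 19),                              # back to normal
]


def nonparam_cusum(samples, offset, threshold):
    """Non-parametric CUSUM: y_n = max(0, y_{n-1} + (x_n - offset)).

    `offset` (the usual 'a') is an assumed constant chosen so that x_n - offset
    is negative on average in normal traffic; y_n then hovers at 0 and only
    climbs when the excess persists over consecutive intervals, which is what
    suppresses one-off bursts. Returns the score series and the indices at
    which y_n exceeded `threshold`.
    """
    y = 0.0
    scores, alarms = [], []
    for n, x in enumerate(samples):
        y = max(0.0, y + (x - offset))
        scores.append(y)
        if y > threshold:
            alarms.append(n)
    return scores, alarms


def congestion_series(intervals):
    # SYN minus SYN-ACK: grows when the target stops answering (congestion).
    return [syn - synack for syn, synack, _ in intervals]


def malice_series(intervals):
    # SYN-ACK minus completing ACK: grows when this host never finishes the
    # handshakes it started, i.e. the SYNs were not genuine connection attempts.
    return [synack - ack for _, synack, ack in intervals]


def detect(intervals, offset=8, threshold=40):
    """Quantify target congestion and flag sustained half-open behaviour."""
    congestion, _ = nonparam_cusum(congestion_series(intervals), offset, threshold)
    _, alarms = nonparam_cusum(malice_series(intervals), offset, threshold)
    return {"congestion": congestion, "alarms": alarms}


if __name__ == "__main__":
    result = detect(SAMPLE_INTERVALS)
    print("congestion score per interval:", result["congestion"])
    print("alarm intervals:", result["alarms"])  # first alarm at interval 6
```

Note that the score drains only by `offset` per interval, so the alarm outlasts the flood by a few intervals; that latency is the price of the low false alarm rate.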
Keywords/Search Tags: Botnet, DDoS, computer forensics, Genetic Algorithm, source-end detection