
Research On Some Key Technologies For The Defense Against DDoS Attacks

Posted on: 2010-09-08
Degree: Master
Type: Thesis
Country: China
Candidate: L Luo
Full Text: PDF
GTID: 2198360308978720
Subject: Computer application technology
Abstract/Summary:
In recent years, DDoS attacks have become one of the hardest security problems: they have powerful attack strength and are easy to implement, but are difficult to defend against and to trace. Existing traditional defensive measures, such as firewalls and intrusion detection systems, cannot defend against these attacks effectively with a purely passive defensive policy. Therefore, how to effectively trace and defend against DDoS attacks has become one of the challenges in the field of network security.

In this thesis, the characteristics, current status and development trend of DDoS attacks are introduced. A variety of defensive measures against DDoS attacks are analyzed and discussed, and the detection methods against DDoS attacks are studied and explored thoroughly. Through the discussion of a variety of attacks and different classes of defensive measures, the important role and significance of DDoS attack detection technology in defending against DDoS attacks are pointed out. A detection method against DDoS attacks based on the characteristics of IP flow is given. IP flow is classified into macro-flow and micro-flow. Methods for selecting appropriate statistical attributes for DDoS detection are studied, and the ability of some attributes to identify DDoS attacks is investigated with experiments. A neural network classifier is used in the experiments on DDoS detection. The experiments prove that combining several flow-based statistical properties in DDoS detection obtains more effective results. The main advantages are that the properties used to detect DDoS are easy to generate, have clear physical meaning, give accurate classification, and at the same time yield information about the attack, such as the protocol type and the average size of the abnormal packets. This information can then be used to filter the attacks.

When a large-scale DDoS attack occurs, the defenders may enforce strict flow restriction and filtering to keep the system under attack in normal operation. However, strict flow restriction and filtering cause a problem: because the attack uses forged IP addresses, the accuracy of filtering is greatly reduced, which easily leads to collateral damage, that is, legitimate data flows are filtered out along with the attack. A Nested-Loop Outlier Detection Algorithm method is put forward to solve this problem. It strictly filters suspicious data flows when a DDoS attack occurs and, at the same time, establishes a list of priority services (a white list). This method not only maintains the normal operation of the system under attack, but also increases the chance of legitimate users gaining access to services. Experiments based on a large amount of real data and simulation data show that the method keeps the system under attack in normal operation, except for the services under attack, and also increases the opportunity of access for legitimate users.
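The flow-attribute detector and strict filtering with a white list that the abstract describes, sketched as an added Python example (not code from the thesis): per-window macro-flow attributes are scored with a distance-based nested-loop outlier search, the abnormal windows' protocol and mean packet size become the filter rule, and white-listed sources bypass it. The attribute choice, radius and neighbour thresholds, the sample windows and the 10.0.0.5 white-list entry are constructed assumptions, not the thesis's parameters.

```python
# Constructed per-window macro-flow attributes for one protected host:
# (packets/s, mean packet size in bytes, share of UDP packets).
# Windows 0-7 are baseline traffic; windows 8-9 carry a small-packet UDP flood.
WINDOWS = [
    (120, 850.0, 0.10), (135, 820.0, 0.12), (110, 880.0, 0.09), (128, 840.0, 0.11),
    (140, 800.0, 0.13), (118, 860.0, 0.10), (125, 830.0, 0.12), (132, 845.0, 0.11),
    (9800, 64.0, 0.97), (11200, 60.0, 0.98),
]
WHITE_LIST = {"10.0.0.5"}  # assumed priority client, never filtered

def normalize(rows):
    """Min-max scale each attribute so packets/s does not dominate the distance."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi))
            for r in rows]

def nested_loop_outliers(rows, radius=0.5, min_neighbors=3):
    """Distance-based outlier detection: a window is an outlier when fewer than
    min_neighbors other windows lie within `radius`. The inner loop exits as soon
    as enough neighbours are found (the nested-loop algorithm's saving)."""
    pts, outliers = normalize(rows), []
    for i, p in enumerate(pts):
        found = 0
        for j, q in enumerate(pts):
            if i != j and sum((a - b) ** 2 for a, b in zip(p, q)) ** 0.5 <= radius:
                found += 1
                if found >= min_neighbors:
                    break
        if found < min_neighbors:
            outliers.append(i)
    return outliers

def attack_profile(rows, outliers):
    """Protocol and mean packet size of the abnormal windows (None if none)."""
    if not outliers:
        return None
    mean_size = sum(rows[i][1] for i in outliers) / len(outliers)
    udp_share = sum(rows[i][2] for i in outliers) / len(outliers)
    return ("UDP" if udp_share > 0.5 else "TCP", mean_size)

def admit(packet, profile, white_list=WHITE_LIST):
    """Drop packets matching the attack profile unless the source is white-listed."""
    src, proto, size = packet
    if profile is None or src in white_list:
        return True
    attack_proto, attack_size = profile
    return not (proto == attack_proto and size <= 2 * attack_size)
```

Running the detector over WINDOWS flags windows 8 and 9, yielding the profile ("UDP", 62.0); small UDP packets from unknown sources are then dropped while the white-listed client keeps its access.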
Keywords/Search Tags:Distributed Denial of Service (DDoS), Intrusion detection, IP flow, Neural network, Collateral damage, White list, Nested-Loop algorithm