
Build A Ddos Attack Detection And Tracking System

Posted on: 2004-09-20
Degree: Master
Type: Thesis
Country: China
Candidate: G L Wang
Full Text: PDF
GTID: 2208360125953872
Subject: Computer applications
Abstract/Summary:
Distributed denial-of-service (DDoS) attacks present an immense threat to the Internet. They engage the power of a vast number of coordinated Internet hosts to consume some critical resource at the target and deny the service to legitimate clients. As a side effect, they frequently create network congestion on the way from a source to the target, thus disrupting normal Internet operation. The existing security mechanisms do not provide effective defense against these attacks. The large number of attacking machines and the use of source IP address spoofing make traceback impossible. The use of legitimate packets for the attack and the varying of packet fields defeat characterization and filtering of the attack streams. The distributed nature of the attacks calls for a distributed response, but cooperation between administrative domains is hard to achieve, and security and authentication of participants incur a high cost.
This paper designs a framework that can detect DDoS attacks and trace back their sources. The main achievements of this paper are:
(1) Analyses the principle of DDoS attacks and typical attack tools, studies two detection models and proposes a detection model. Introduces several data mining techniques, compares two data mining algorithms and identifies the problems that must be resolved. Analyses the characteristics of several traceback schemes and identifies the problems that must be resolved.
(2) Proposes the framework of the system. Adopts WinPcap to capture raw network packets.
(3) Proposes a Global-Clustering algorithm to preprocess the packets. Adopts an incremental clustering algorithm to reduce the cost of preprocessing incremental data.
(4) Integrates several techniques into the association rule mining algorithm to improve it. Proposes an incremental association rule mining algorithm to handle incremental data mining.
(5) Adopts a decision tree to establish the decision rule base, and an incremental decision tree to handle growth of the rule base.
(6) Reviews the existing packet marking schemes and attack reconstruction schemes, and proposes a packet marking scheme and an attack reconstruction scheme.
(7) Analyses the existing packet filtering technology and implements a filtering method. Adopts WinPcap to implement a simulated router.
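The abstract does not specify the marking scheme of item (6), so as an added illustration (not code from the thesis) the following simulates the classic probabilistic node-sampling form of packet-marking IP traceback: each router on the path overwrites a mark field with its own ID with probability p, and the victim reconstructs the path by ordering router IDs by how often they arrive, since routers nearer the victim overwrite more often. Router IDs, the path and the packet count are constructed sample values.

```python
"""Probabilistic packet marking (node sampling) traceback, simulated end to end.

Added example; it implements the well-known node-sampling variant, not the
thesis's own marking scheme. All router IDs and paths below are constructed.
"""
import random
from collections import Counter

MARK_PROB = 0.5  # probability that a router overwrites the mark field


def mark_along_path(path, rng, p=MARK_PROB):
    """Forward one packet along `path` (attacker-side router first, victim-side
    router last). Each router overwrites the mark with probability p; return
    the mark that reaches the victim, or None if no router marked the packet."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, n_packets, rng, p=MARK_PROB):
    """Victim side: count how often each router ID arrives as the mark."""
    counts = Counter()
    for _ in range(n_packets):
        m = mark_along_path(path, rng, p)
        if m is not None:
            counts[m] += 1
    return counts


def reconstruct_path(counts):
    """Order routers by descending mark frequency: this is the path from the
    victim back towards the attack source under node sampling."""
    return [router for router, _ in counts.most_common()]


def expected_fraction(distance, p=MARK_PROB):
    """Probability that the arriving mark comes from the router `distance`
    hops from the victim (1 = adjacent): p * (1 - p) ** (distance - 1)."""
    return p * (1 - p) ** (distance - 1)


if __name__ == "__main__":
    # Constructed sample path: R5 is next to the attacker, R1 next to the victim.
    sample_path = ["R5", "R4", "R3", "R2", "R1"]
    marks = collect_marks(sample_path, 20000, random.Random(1))
    print("victim -> source:", reconstruct_path(marks))
```

Because the attacker sends many packets, even a small marking probability yields enough samples for the ordering to stabilise; the expected_fraction helper shows why distant routers need far more packets to be observed.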
Keywords/Search Tags: DDoS (distributed denial of service), Global clustering, association rule mining, decision tree, IP traceback