
Distributed Denial Of Service Attack Detection Technology

Posted on: 2008-12-22
Degree: Master
Type: Thesis
Country: China
Candidate: L Y Li
Full Text: PDF
GTID: 2208360215950210
Subject: Information security
Abstract/Summary:
Distributed Denial of Service (DDoS) attacks have emerged in recent years as a special kind of Denial of Service (DoS) attack: a distributed, cooperative, large-scale attack. A DDoS attack follows the same principles as a traditional DoS attack, but where a DoS attack originates from a single attacker, a DDoS attack is carried out by hundreds or even thousands of PCs on which a daemon has been installed, making it a group-based attack behaviour. The targets of DDoS are usually large websites, such as those of businesses, search engines or government departments. In these contests of hundreds or thousands against one, the Internet Service Provider (ISP) faces unprecedented damage. Compared with traditional DoS attacks, DDoS attacks command more attack resources and have greater destructive power, and are therefore harder to detect and defend against. DDoS attacks pose a tremendous threat to the security of today's Internet, and they receive much research attention in the field of network security.

The aim of this work is to design and implement a DDoS defense system product. The topic comes from the "Intrusion and DDoS Defense product" project, an "Information Industry Development Fund 2005 public bidding project". I took part in the project's requirement analysis and system design in the Key Laboratory of New Computer Applied Technology of Sichuan Province. My task included research on DDoS detection approaches and the design of the detection module.

The thesis begins with the definition of DoS and its attack methods, and from there introduces the emergence of distributed DoS, i.e. DDoS. We analyze the architecture and working principles of DDoS attacks in detail, and give a thorough and comprehensive study, comparison and summary of their attack methods. Next, we focus on the detection of DDoS attacks.

In general, there are two categories of DDoS detection methods: anomaly-based detection and characteristics-based (signature-based) detection; the former is the focus of this thesis. Building on a summary of current DDoS detection methods and of the detection models of some attack tools, and on the study and analysis of representative research work in the field of DDoS detection, we improve the previous entropy-based detection algorithms and propose two enhanced detection methods: one based on cumulative entropy, the other on time-based entropy. These two methods accumulate either entropy or time to improve the traditional detection approaches, and thus reduce the detection error rate to some extent. The experimental results show that these methods detect attacks more accurately and adapt well to the fluctuations of normal network traffic. In addition, we propose an auxiliary DDoS detection model which, by using different packet analysis methods, helps improve the efficiency of the system's attack detection. Finally, we design the overall structure of a Defending DoS/DDoS System, suited to the detection and defense requirements of a practical environment. We describe the system's architecture and workflow in detail, and analyze the design of its core detection module and the relevant detection technology.
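As an added illustration of the anomaly-based, entropy-style detection the abstract describes (example code written for this page, not the thesis's own algorithm or implementation): it computes the Shannon entropy of the destination-address distribution in each time window over constructed sample traffic, and contrasts a plain per-window threshold with a cumulative rule that sums the entropy drop across windows, so that a transient fluctuation in normal traffic does not by itself raise an alert. The window size, the baseline, the thresholds and the exact cumulative formula are assumptions made for the example.

```python
import math
from collections import Counter

WINDOW = 1.0  # seconds per observation window (assumption for this example)

def shannon_entropy(counts):
    """Shannon entropy (bits) of a Counter of occurrences."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0

def window_entropies(packets, window=WINDOW):
    """Entropy of the destination-IP distribution in each fixed-size window, in time order."""
    buckets = {}
    for t, dst in packets:
        buckets.setdefault(int(t // window), Counter())[dst] += 1
    return [shannon_entropy(buckets[k]) for k in sorted(buckets)]

def single_window_alerts(ents, baseline, delta):
    """Classic per-window rule: alert whenever entropy drops more than delta below baseline."""
    return [i for i, h in enumerate(ents) if baseline - h > delta]

def cumulative_alerts(ents, baseline, delta, limit):
    """Cumulative rule: sum the excess drop (baseline - delta - h) over windows,
    clamped at zero so normal windows drain it; alert once the sum exceeds limit."""
    alerts, acc = [], 0.0
    for i, h in enumerate(ents):
        acc = max(0.0, acc + (baseline - delta - h))
        if acc > limit:
            alerts.append(i)
    return alerts

def make_traffic():
    """Constructed sample traffic (not real captures): 3 normal windows spread evenly
    over 8 hosts, one transient dip from a short burst to a single host, then 4
    windows in which almost every packet targets one host (flood)."""
    dsts = [f"10.0.0.{i}" for i in range(1, 9)]
    pkts = [(w + 0.1 * k, d) for w in range(3) for k in range(2) for d in dsts]
    pkts += [(3.0, dsts[0])] * 12 + [(3.5, d) for d in dsts[1:]]
    for w in range(4, 8):
        pkts += [(w + 0.01 * k, dsts[0]) for k in range(30)]
        pkts += [(w + 0.5, dsts[1]), (w + 0.6, dsts[2])]
    return pkts

if __name__ == "__main__":
    ents = window_entropies(make_traffic())
    print("per-window entropy:", [round(h, 2) for h in ents])
    print("single-window alerts:", single_window_alerts(ents, 3.0, 0.5))  # [3, 4, 5, 6, 7]
    print("cumulative alerts:  ", cumulative_alerts(ents, 3.0, 0.5, 1.5))  # [4, 5, 6, 7]
```

The per-window rule flags the transient dip in window 3 as well as the flood, while the cumulative rule only fires once the drop persists, which is the effect the abstract attributes to accumulating entropy over time.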
Keywords/Search Tags: DoS, DDoS, detection, entropy, Defending DoS/DDoS System