
Authenticated Deterministic Packet Marking Algorithm and DDoS Defense System

Posted on: 2008-09-06   Degree: Master   Type: Thesis
Country: China   Candidate: Y A Zong   Full Text: PDF
GTID: 2208360215954769   Subject: Computer application technology
Abstract/Summary:
The increasing popularity of web-based applications has led to several critical services being provided over the Internet, which makes it imperative to guarantee network security and the availability of resources. Distributed Denial of Service (DDoS), which depletes network resources and denies service to legitimate users, is one of the hardest security problems in the Internet.

In this thesis, an Authenticated Deterministic Packet Marking (ADPM) scheme based on a Message Authentication Code (MAC) is proposed, and a DDoS defense system based on Deterministic Packet Marking (DPM) is designed. A DDoS attack and DPM simulation platform is also constructed using NS2, and the simulation results are discussed in detail.

Deterministic packet marking only requires edge routers to perform marking, and it can trace a large number of attackers simultaneously using only a few packets from each attacker. Unfortunately, the DPM scheme lacks security: compromised routers, whether edge or transit routers, can easily forge packet markings and so prevent the victim from reconstructing ingress addresses. To address this, a new scheme, MAC-based Authenticated Deterministic Packet Marking, is proposed. Analysis indicates that ADPM provides sufficient security that neither attackers in subnets nor compromised routers can forge markings, which assures the correctness of address reconstruction at the victim.

NS2 is a powerful network simulation tool, but it does not support DPM simulation. NS2 is therefore extended to construct the DDoS attack and DPM simulation platform; the topologies, traffic models and packet rates used in the simulation scenarios are discussed in detail. The convergence times of the Hash-based Deterministic Packet Marking (HDPM) algorithm measured on the simulation platform match the theoretical results.

While many existing techniques (e.g., IP traceback) focus on locating the attackers after the fact, little is done to mitigate the effect of an attack while it is in progress. The DPM-based DDoS defense system presented in this thesis filters out the majority of DDoS traffic, thereby improving the overall throughput of legitimate traffic. The defense system uses DPM marks to obtain the ingress addresses of attack packets and performs packet filtering at the victim end. A quantitative evaluation on the simulation platform of the acceptance ratio gap under different filtering thresholds is also presented. Comparison with previous work shows that the DPM-based DDoS defense system performs better.
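The following toy model, added here as an illustration and not the thesis's own code or its NS2 extension, shows the two ideas the abstract combines: edge routers mark packets with an authenticated fragment of their ingress address (so a router without the key cannot forge marks that the victim will reconstruct), and the victim filters traffic by the reconstructed ingress address once a per-ingress packet count passes a threshold. It assumes the classic DPM split of the 32-bit ingress address into two 16-bit halves, a truncated HMAC-SHA256 tag keyed with a secret shared by the edge routers and the victim, marks carried as Python tuples rather than packed into IP header fields, and the policy of dropping packets whose tag fails to verify; the concrete ADPM construction in the thesis is not described in the abstract and may differ. All addresses, counts and the key are constructed sample data.

```python
"""Toy authenticated DPM marking, victim-side reconstruction and ingress
filtering.  Illustrative model only; the thesis's actual ADPM encoding is
not given in the abstract and is assumed here."""
import hashlib
import hmac
import ipaddress
from collections import Counter, defaultdict

TAG_BYTES = 4                                   # truncated tag length (assumption)
KEY = b"constructed-shared-secret"              # shared by edge routers and victim (assumption)


def _tag(key, half, fragment):
    msg = bytes([half]) + fragment.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_BYTES]


def make_mark(key, ingress_ip, half):
    """Edge router: mark = (half index, 16-bit half of the ingress address, MAC).
    half 0 carries the high 16 bits, half 1 the low 16 bits."""
    addr = int(ipaddress.IPv4Address(ingress_ip))
    fragment = (addr >> (16 * (1 - half))) & 0xFFFF
    return (half, fragment, _tag(key, half, fragment))


def verify_mark(key, mark):
    half, fragment, tag = mark
    return hmac.compare_digest(tag, _tag(key, half, fragment))


def generate_packets(key, ingress_ip, src_ip, count, legit):
    """Honest edge router: alternates the two halves across consecutive packets."""
    return [{"src": src_ip, "legit": legit, "mark": make_mark(key, ingress_ip, i % 2)}
            for i in range(count)]


def forged_packets(src_ip, count):
    """Compromised router without the key tries to make the victim reconstruct
    a bogus ingress 192.0.2.1; it can only attach an invalid tag."""
    bogus = int(ipaddress.IPv4Address("192.0.2.1"))
    pkts = []
    for i in range(count):
        half = i % 2
        fragment = (bogus >> (16 * (1 - half))) & 0xFFFF
        pkts.append({"src": src_ip, "legit": False,
                     "mark": (half, fragment, b"\x00" * TAG_BYTES)})
    return pkts


def reconstruct(key, packets):
    """Victim: per source address, keep only authenticated halves and rebuild the
    ingress address once both halves are present.  Returns {src: ingress_ip}."""
    halves = defaultdict(dict)
    for p in packets:
        if verify_mark(key, p["mark"]):
            half, fragment, _ = p["mark"]
            halves[p["src"]][half] = fragment
    return {src: str(ipaddress.IPv4Address((h[0] << 16) | h[1]))
            for src, h in halves.items() if 0 in h and 1 in h}


def filter_traffic(key, packets, threshold):
    """Victim-side filter: drop packets with invalid tags and packets whose
    reconstructed ingress address carried more than `threshold` packets.
    Returns the acceptance ratio for legitimate and attack packets."""
    ingress_of = reconstruct(key, packets)
    per_ingress = Counter(ingress_of[p["src"]] for p in packets if p["src"] in ingress_of)
    blocked = {ing for ing, n in per_ingress.items() if n > threshold}
    seen, accepted = Counter(), Counter()
    for p in packets:
        cls = "legit" if p["legit"] else "attack"
        seen[cls] += 1
        if verify_mark(key, p["mark"]) and ingress_of.get(p["src"]) not in blocked:
            accepted[cls] += 1
    return {cls: accepted[cls] / seen[cls] for cls in seen}


def run_scenario(threshold):
    """Constructed mix: three legitimate hosts behind ingress 10.1.1.1, one
    legitimate host sharing the attackers' ingress 203.0.113.7, ten spoofing
    attackers behind 203.0.113.7, and a compromised router forging marks."""
    pkts = []
    for host in ("172.16.0.10", "172.16.0.11", "172.16.0.12"):
        pkts += generate_packets(KEY, "10.1.1.1", host, 20, legit=True)
    pkts += generate_packets(KEY, "203.0.113.7", "172.16.5.5", 10, legit=True)
    for i in range(10):
        pkts += generate_packets(KEY, "203.0.113.7", f"1.2.3.{i}", 50, legit=False)
    pkts += forged_packets("198.51.100.9", 100)
    return filter_traffic(KEY, pkts, threshold)


if __name__ == "__main__":
    for t in (100, 1000):
        print(f"threshold={t}: {run_scenario(t)}")
```

Running the scenario with a threshold of 100 drops all attack traffic (the forged marks fail authentication, the genuinely marked attack traffic is blocked by ingress), at the cost of the legitimate host that shares the attackers' ingress; raising the threshold to 1000 restores that host's traffic but lets the authenticated attack traffic through, which is the acceptance ratio gap the abstract evaluates. Note that this toy tags only the address fragment, so it stops a router without the key from fabricating marks for an address it never saw, but it does not by itself stop a compromised transit router from replaying a legitimate mark it observed onto other packets; how the thesis's ADPM handles that is not stated in the abstract.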
Keywords/Search Tags: distributed denial of service attack, IP traceback, deterministic packet marking, DDoS defense system, network simulation, NS2