
Research and Implementation of DDoS Defense Technology Based on Network Processor

Posted on: 2009-10-21
Degree: Master
Type: Thesis
Country: China
Candidate: K K Jia
Full Text: PDF
GTID: 2208360245961720
Subject: Information security
Abstract/Summary:
With the development and application of Internet technology, the network security problems confronting enterprises are increasingly complicated, and the threat environment is growing more severe. Distributed Denial of Service (DDoS) attacks have become popular for three reasons: they are simple to launch, they readily achieve their purpose, and they are difficult to prevent and to trace. Traditional means of preventing DDoS attacks are already stretched to their limit. Enterprises and government departments that run online trading businesses, or that hold key or top-secret information, must adopt security mechanisms and security measures to protect their networks and key servers. The development of advanced DDoS defense products is therefore very important.

This thesis covers the following:

(1) A general, self-learning and scalable DDoS defense prototype is proposed. The prototype can effectively detect and respond to the common denial-of-service attacks seen today, and a DDoS defense product has been developed on this basis. The DDoS defense system is a network security appliance that integrates hardware and software; it is attached to the network transparently, and it detects and intercepts the DDoS attack traffic that flows through it. The system uses a high-performance network processor as its hardware platform and is divided into three parts: the DDoS defense engine, the honeypot subsystem, and the monitoring and management center.

(2) The DDoS defense engine was designed on the Octeon CN3120 network processor from Cavium, taking full advantage of the high performance of the CN3120's dual-core processors to handle network packets. The engine detects and analyses the network traffic, and the defense modules then deal with the attack traffic. There are six main modules: static characteristic defense, anomaly detection, SYN Flood defense, white-list extraction, allocation, and rate control of traffic directed at an attacked target.
(3) The communication module, the static characteristic defense module and the SYN Flood defense module based on SYN Cookie technology were designed and implemented on the DDoS defense engine. The communication module is responsible for communicating with the monitoring and management center: it sends the statistics of the defense modules to the center and receives initialization and control information from it. The static characteristic defense module is responsible for blocking DoS attacks with obvious characteristics, such as Land, Smurf, Ping of Death and Nuke attacks. The SYN Flood defense module targets one of the most common denial-of-service attacks, the SYN Flood attack. The DDoS defense engine uses an improved SYN Cookie algorithm to detect and defend against this attack. This SYN Cookie technique differs from the traditional method, which uses and preserves the SYN and ACK fields; instead it uses the RST field together with an out-of-polling-queue method. For its own resilience, the DDoS defense engine uses hot-standby technology to avoid a single point of failure, and, so as not to become a network bottleneck, adopts a strategy under which the system lets all traffic pass without processing it.
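The SYN Flood defense described in (3) rests on the SYN Cookie idea: the server encodes the half-open handshake in its own initial sequence number instead of keeping a half-open connection table, so a flood of SYNs consumes no state. The following is an added example of the classic SYN cookie construction and validation, written for this page; it is not code from the thesis and does not implement the thesis's improved RST-based variant, whose details the abstract does not give. The keyed mixing function, the MSS table and the secret key are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>

#define COOKIE_HASH_MASK 0x00FFFFFFu   /* low 24 bits of the cookie carry the keyed hash */

/* The cookie has room for a 3-bit MSS index only; constructed table values. */
static const uint16_t mss_table[8] = {536, 1220, 1440, 1460, 4312, 8960, 16360, 65495};

/* Toy keyed mixer, constructed for this example. A deployment would use a real
   keyed hash such as SipHash; the cookie layout below does not change. */
static uint32_t cookie_hash(uint32_t saddr, uint32_t daddr, uint16_t sport,
                            uint16_t dport, uint32_t count, uint64_t secret) {
    uint64_t h = secret ^ 0x9E3779B97F4A7C15ull;
    uint64_t in[5] = {saddr, daddr, sport, dport, count};
    for (int i = 0; i < 5; i++) {
        h ^= in[i];
        h *= 0xFF51AFD7ED558CCDull;
        h ^= h >> 33;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* Server ISN for the SYN-ACK: top 5 bits = time counter, next 3 = MSS index,
   low 24 = keyed hash over the 4-tuple and counter; the whole value is offset
   by the client ISN so it also binds the client's sequence number. */
uint32_t syn_cookie_make(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                         uint32_t client_isn, uint32_t count, int mss_idx, uint64_t secret) {
    uint32_t enc = ((count & 31u) << 27) | ((uint32_t)(mss_idx & 7) << 24) |
                   (cookie_hash(saddr, daddr, sport, dport, count, secret) & COOKIE_HASH_MASK);
    return client_isn + enc;
}

/* Validate the final ACK with no stored SYN state: ack_seq is that packet's ACK number,
   client_isn its sequence number minus one. Returns MSS, or 0 if forged (hash) or stale. */
uint16_t syn_cookie_check(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                          uint32_t client_isn, uint32_t ack_seq, uint32_t now_count,
                          uint64_t secret) {
    uint32_t enc = (ack_seq - 1) - client_isn;   /* undo the client ISN offset */
    uint32_t count = enc >> 27;
    if (((now_count - count) & 31u) > 1) return 0;   /* only current or previous interval */
    if ((enc & COOKIE_HASH_MASK) !=
        (cookie_hash(saddr, daddr, sport, dport, count, secret) & COOKIE_HASH_MASK)) return 0;
    return mss_table[(enc >> 24) & 7];
}

int main(void) {
    uint64_t key = 0x0123456789ABCDEFull;   /* constructed secret; rotate it in production */
    uint32_t c = syn_cookie_make(0x0A000001u, 0x0A000002u, 40000, 80, 1000u, 7, 3, key);
    printf("mss: %d\n", syn_cookie_check(0x0A000001u, 0x0A000002u, 40000, 80, 1000u, c + 1, 7, key));
    return 0;
}
```

Because validation recomputes the hash from the packet's own 4-tuple, a forged or replayed ACK from a flood source fails the check and is dropped without any lookup, which is what lets the engine stay stateless under SYN Flood load.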
Keywords/Search Tags: Distributed Denial of Service attack, Network Processor, defense engine, hot-standby