The Internet has become an important component of social infrastructure, and network security threats endanger both the development of the Internet and national security. The Distributed Denial of Service (DDoS) attack is recognized as a worldwide problem and is one of the most serious threats to the Internet. Because existing DDoS defenses rely on distinguishing legitimate packets from forged ones, their effectiveness is limited, and they interfere to some extent with users' normal use of the network. DDoS attack-tracing techniques are hard to deploy widely because they must collect a large number of attack packets, require heavy computation to reconstruct the attack path, and consume substantial router resources. Research on DDoS attack defense and DDoS attack tracing is therefore of great theoretical and practical significance.

Many network security problems today are caused by the online behavior of network users, but the client/server (C/S) model provides no way to manage that behavior. Multicast users need dynamic management, and DDoS attackers send large numbers of repeated service requests. The thesis therefore proposes a Client Manager/Server (CM/S) model. CM/S is a distributed model in which the client manager supervises users' online behavior: it manages users joining and leaving multicast groups dynamically, forbids repeated requests, prevents packets with spoofed source IP addresses from leaving a Local Area Network (LAN) for the Internet, and keeps unrequested packets arriving from the Internet out of the LAN. Theoretical analysis and simulation results are satisfactory.

Sending a great many repeated requests is one of the main causes of DDoS attack floods. Multicast is more vulnerable to attack than unicast because it uses a group address; at the same time, DDoS attack traffic is heavy, and multicast can effectively reduce the load on the network and the server. The thesis therefore proposes Service-Oriented Network Data Transmission (SONDT). SONDT reduces the load on the network and server in order to defend against DDoS attacks, implements multicast using only unicast addresses so as to remove the security problem created by a group address, and checks the path by which a packet arrived so that a host outside a multicast tree cannot send packets into the tree. The thesis gives theoretical analysis and simulation results.

Current DDoS attack-tracing techniques have poor practicality. Spoofing source IP addresses is an important technique used by DDoS attackers. Datagram forwarding supports dynamic routing, whereas the traditional virtual circuit supplies a connection-oriented service. The thesis therefore proposes the Orientable Complete Path (OCP). OCP solves the problem of source IP address forgery, traces the sources of network attacks, including DDoS attack sources, and transmits network data. The thesis gives theoretical analysis.

Based on the CM/S model, SONDT and OCP, a new DDoS attack defense model is designed in the thesis. The model does not affect users' normal use of the network, solves the problem of source IP address forgery and the security problem caused by a group address, traces network attack sources easily, forbids a host outside a multicast tree from sending packets into the tree, and defends against DDoS attacks such as TCP SYN Flood, UDP Flood, HTTP Flood, SIP Flood, Smurf Attack, Fraggle Attack, Ping Flood, Router State-Holding Attack and DNS attacks. Multicast, unicast and DDoS attack defense are all implemented in the model. The thesis gives theoretical analysis.
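The abstract describes the client manager's filtering rules and SONDT's path check only at the architectural level. The following Python block is an added illustration, not code from the thesis: it simulates a CM/S client manager at a LAN edge (a source-prefix check on egress, a cap on identical repeated requests, and admission of inbound packets only when they answer an outstanding request) together with a multicast tree built from unicast hops, in which a node accepts a packet only from its parent, so that a host outside the tree cannot inject into it. The LAN prefix, the addresses, the repeat threshold and the five-field packet are all assumptions made for the example; the thesis specifies none of them.

```python
# Added illustration, not the thesis's code. The LAN prefix, addresses,
# repeat threshold and packet fields below are assumed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


class ClientManager:
    """Hypothetical CM/S client manager at a LAN's Internet edge."""

    def __init__(self, lan_prefix: str, max_repeats: int = 3) -> None:
        self.lan = ipaddress.ip_network(lan_prefix)
        self.max_repeats = max_repeats
        self.request_counts: Dict[Tuple[str, str, int, bytes], int] = {}
        self.pending: Set[Tuple[str, int, str, int]] = set()  # requests awaiting a reply

    def outbound(self, pkt: Packet) -> Tuple[bool, str]:
        """LAN -> Internet: drop spoofed sources and floods of identical requests."""
        if ipaddress.ip_address(pkt.src) not in self.lan:
            return False, "spoofed-source"
        key = (pkt.src, pkt.dst, pkt.dport, pkt.payload)
        self.request_counts[key] = self.request_counts.get(key, 0) + 1
        if self.request_counts[key] > self.max_repeats:
            return False, "repeated-request"
        self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True, "ok"

    def inbound(self, pkt: Packet) -> Tuple[bool, str]:
        """Internet -> LAN: admit only replies to an outstanding request."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (True, "ok") if key in self.pending else (False, "unsolicited")


class UnicastMulticastTree:
    """SONDT-style multicast over unicast hops: each member knows its parent
    and children and accepts a packet only if it arrived from the parent."""

    def __init__(self, root: str) -> None:
        self.root = root
        self.parent: Dict[str, Optional[str]] = {root: None}
        self.children: Dict[str, List[str]] = {root: []}

    def join(self, member: str, parent: str) -> None:
        if parent not in self.parent:
            raise ValueError(f"{parent} is not in the tree")
        self.parent[member] = parent
        self.children[member] = []
        self.children[parent].append(member)

    def leave(self, member: str) -> None:
        """Detach a member and re-parent its subtree so delivery continues."""
        if member == self.root:
            raise ValueError("the root cannot leave")
        parent = self.parent.pop(member)
        self.children[parent].remove(member)
        for child in self.children.pop(member):
            self.parent[child] = parent
            self.children[parent].append(child)

    def receive(self, node: str, came_from: Optional[str], payload: bytes) -> List[str]:
        """Path check: accept at `node` only from its parent, then forward to
        the children. Returns the members that accepted the packet."""
        if node not in self.parent or self.parent[node] != came_from:
            return []  # outsider, or a member reached by the wrong path
        accepted = [node]
        for child in self.children[node]:
            accepted.extend(self.receive(child, node, payload))
        return accepted

    def send_from_root(self, payload: bytes) -> List[str]:
        return self.receive(self.root, None, payload)


def demo() -> Dict[str, object]:
    """Constructed traffic exercising each rule; returns the verdicts."""
    cm = ClientManager("192.168.1.0/24", max_repeats=2)
    server = "203.0.113.5"
    out: Dict[str, object] = {}
    out["legit"] = cm.outbound(Packet("192.168.1.10", server, 40000, 53, b"q"))
    out["spoofed"] = cm.outbound(Packet("203.0.113.7", server, 40000, 53, b"q"))
    out["repeat2"] = cm.outbound(Packet("192.168.1.10", server, 40001, 53, b"q"))
    out["repeat3"] = cm.outbound(Packet("192.168.1.10", server, 40002, 53, b"q"))
    out["reply"] = cm.inbound(Packet(server, "192.168.1.10", 53, 40000, b"a"))
    out["unsolicited"] = cm.inbound(Packet("198.51.100.9", "192.168.1.10", 53, 40000, b"x"))
    tree = UnicastMulticastTree(server)
    tree.join("192.168.1.10", server)
    tree.join("192.168.1.20", "192.168.1.10")
    out["multicast"] = tree.send_from_root(b"data")
    out["injected"] = tree.receive("192.168.1.20", "198.51.100.9", b"evil")
    tree.leave("192.168.1.10")
    out["after_leave"] = tree.send_from_root(b"data")
    return out
```

The egress check is the same idea as source-address validation at a network edge: a packet whose source is not inside the LAN prefix cannot have been legitimately originated there. The path check in the tree is what makes the unicast-only construction resist injection: a member has exactly one expected upstream, so a packet from any other address, inside or outside the tree, is dropped before it is forwarded. A real client manager would also age out entries in `pending` and `request_counts`; the example keeps them forever for brevity.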