
DRDoS Attacks Detection Model

Posted on: 2011-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y He
Full Text: PDF
GTID: 2208360308467714
Subject: Computer software and theory

Abstract/Summary:
A distributed reflection denial-of-service (DRDoS) attack is a novel form of denial-of-service attack. It is easy to implement and has an intensive effect, but it is difficult to detect and defend against. Most current methods against DRDoS follow the same strategy used against DDoS attacks; they have some effect, but the results are not ideal, so a new approach to DRDoS attack detection and prevention is needed.

A DRDoS attack can use any protocol that automatically generates a response message. Given this characteristic, request-response packets can be used to implement detection and defense. Hiroshima Tsunoda et al. proposed a detection model based on this idea, but if every packet the host receives has to be matched, the matching costs so much time that responses for normal service connections are delayed or even hang. The DRDoS detection method in this thesis solves this problem. The details are as follows:

(1) An improved model is proposed on the basis of the original model. First, a threshold R (R is a quantity of request-response packets within one RTT) is set according to traffic characteristics in order to identify potential attack traffic. Second, the potential attack traffic is judged by request-response packet matching. The model can therefore respond quickly to normal connections, and the second test also greatly reduces the false alarm rate on a real network.

(2) The main request-response relations of the layers are classified and analyzed. Depending on whether a request packet has a normal response, response packets are classified into normal response packets and abnormal response packets, and a minimum set of detection conditions is given.

(3) The memory structure is designed, the best value of RTT is determined by experiment, and the memory size of the model within one RTT is calculated.

(4) Packet capture is implemented on WinPcap, packets are filtered under the conditions the user gives, and the required traffic statistics are collected.

(5) In the secondary detection, potential attack traffic is matched against the forecast packets in memory to determine the validity of the potential attack traffic. After packet analysis, if an identical packet exists in memory, the packet matching succeeds, the potential attack traffic is normal and its validity is confirmed; otherwise it is discarded.

By analyzing the time complexity and performance of the model, the thesis concludes that the proposed method is superior to others, with a perfect detection rate and false alarm rate.
Keywords/Search Tags:DRDoS, request-response packets, attack detection, response packet quantity
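
The two-stage check the abstract describes, sketched in Python as an added example (not code from the thesis, which captures packets with WinPcap). The window length, the value of R, the packet key and the traffic are constructed assumptions, and R is read here as the number of response packets received in one RTT window.

```python
from collections import defaultdict

RTT_MS = 200  # assumed window length; the thesis determines its RTT by experiment
R = 5         # assumed threshold: response packets tolerated per RTT window

def detect(requests, responses, rtt=RTT_MS, r=R):
    """Split responses into (accepted, discarded).

    Packets are (time_ms, key); key = (proto, remote_ip, remote_port, local_port)
    names the request-response pair a packet belongs to.
    """
    # Memory of forecast responses: send times of our own requests, per key.
    forecast = defaultdict(list)
    for t, key in requests:
        forecast[key].append(t)
    # Stage 1: count inbound responses per RTT window.
    windows = defaultdict(list)
    for t, key in sorted(responses):
        windows[t // rtt].append((t, key))
    accepted, discarded = [], []
    for w in sorted(windows):
        pkts = windows[w]
        if len(pkts) <= r:            # at or below R: pass without matching
            accepted.extend(pkts)
            continue
        # Stage 2: window is potential attack traffic, so match every packet.
        for t, key in pkts:
            sent = [s for s in forecast.get(key, []) if s <= t <= s + rtt]
            if sent:
                forecast[key].remove(sent[0])   # one request, one response
                accepted.append((t, key))
            else:
                discarded.append((t, key))      # no request asked for this
    return accepted, discarded

def sample_traffic():
    """Constructed traffic: two quiet DNS lookups, then a reflected flood."""
    dns = ("udp", "192.0.2.53", 53, 40000)
    requests = [(0, dns), (50, dns), (1000, dns)]
    responses = [(30, dns), (90, dns), (1040, dns)]
    # Eight unsolicited DNS responses from reflectors the host never queried.
    responses += [(1010 + 10 * i, ("udp", f"198.51.100.{i + 1}", 53, 40000))
                  for i in range(8)]
    return requests, responses

if __name__ == "__main__":
    ok, bad = detect(*sample_traffic())
    print(len(ok), "accepted;", len(bad), "discarded")
```

Raising `r` above the flood size lets the same unsolicited responses through unmatched, which is why the choice of R decides how much of the traffic ever reaches the second test.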