Research And Application Of Defending Distributed Denial Of Service Attack

Posted on: 2012-06-14 | Degree: Master | Type: Thesis
Country: China | Candidate: X S Sun | Full Text: PDF
GTID: 2218330338966890 | Subject: Information security
Abstract/Summary:
The emergence and spread of DDoS attacks on the Internet has seriously disrupted normal network operation and caused severe economic losses to websites and enterprises. DDoS attacks come in many kinds, and their targets are correspondingly broad. In recent years, more and more attacks have been directed at the Internet bar industry, which is increasingly becoming the sector hardest hit by DDoS attacks. Studying anti-DDoS techniques in the Internet bar environment therefore has great practical significance.

When certain telecommunication equipment manufacturers were developing a router system, the use of Internet bar routers to defend against DDoS attacks was proposed. This research is based on the needs of that project.

Anti-DDoS for Internet bars has its particularities, mainly reflected in three aspects: multiple businesses, weak resistance to attacks, and limited resources on access routers. When this study began, no results had yet been proposed. Domestic security products lack anti-attack support for Internet bars, and the Internet bar anti-attack industry as a whole is not yet mature. This paper therefore analyzes in depth the anti-DDoS requirements of Internet bars and studies the related anti-attack algorithms and schemes. Drawing on anti-DDoS research and engineering in other areas for comparison, a scheme for an anti-DDoS module on the router is presented. Finally, after the implementation of the anti-DDoS module, an algorithm for linking multiple routers against attacks is proposed in order to improve the attack resistance of the whole network and break the bottleneck of single-device anti-DDoS.

The scheme consists of four parts:

1) Anti-scan attack. Traditional anti-scan designs handled port scans and address scans independently, resulting in low detection efficiency and higher consumption of system resources. This paper designs an integrated anti-scan scheme, scanProtect. By integrating anti-address-scan with anti-port-scan, supported by an innovative chained management of tables, an efficient anti-scan system is designed and implemented.

2) Anti-pseudo-source-address attack. To meet the Internet bar router's anti-attack capacity and specific business needs, this paper selects the uRPF algorithm and, building on it with ACL technology, designs and implements an extended detection of pseudo source addresses.

3) Anti-KillerPackets. Feature detection requires checking every packet, but Internet bar routers have limited resources, so restricting protection to particular hosts reduces unnecessary overhead. Using ACLs, the AKP (Anti-Killer Packet) algorithm is designed to protect particular hosts, and chain management is used to further improve the algorithm's performance.

4) Anti-Flood attacks. Internet bar routers need to protect both the global network and specific hosts from flood attacks. The AF (Anti-Flood) algorithm, based on a flow control strategy, is designed using the router system's flow control technology together with ACL technology to achieve both global and host-specific protection.

The anti-attack capacity of a single device is limited by its resources. To overcome this limitation and maximize a single device's anti-DDoS capacity, the end of this paper draws on the theory of bypass traction and cleaning-center technology and proposes a single-router-based IBT (Intern Bypass Traction) algorithm. The algorithm uses the concept of linkage among multiple routers to extend a single device's anti-DDoS capacity to the whole network. The paper describes the principle of the algorithm, introduces its process, and analyzes the anti-DDoS performance of the linkage. The analysis shows that IBT has strong capacity against DDoS and is highly practical.
Keywords/Search Tags:DDoS, Internet bar, scan, pseudo source address, KillerPacket, Flood attacks, Intern Bypass Traction