Research Of Proactive Defense Mechanism Based On Network Utility Maximization For DDoS Attacks

Posted on: 2012-02-04
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Tian
GTID: 2218330362456314
Subject: Communication and Information System

Abstract/Summary:
Among the mass of network security events, DDoS (Distributed Denial of Service) attacks are one of the major threats to network security because of their inherent simplicity of operation, severity of damage and difficulty of defense. Research into new means of defending against DDoS attacks is therefore significant.

This paper first introduces three types of DDoS defense technology, distinguished by where they are deployed, and then introduces the concepts of NUM (Network Utility Maximization) and duality theory.

We then focus on broadband-based DDoS attacks, which do great harm and can block the network rapidly, before the defense system responds, paralyzing a large number of network transmission nodes. In this situation, even legitimate data flows that are not in the direct scope of the attack are seriously damaged if they pass through a route that also carries attack flows. Given the above, this paper proposes a proactive defense mechanism based on network utility maximization (NUM-PDM). The mechanism is deployed in the intermediate network between the attackers' source network and the terminating network under attack, where it serves as a front line of defense against DDoS attacks.

The primary goal of NUM-PDM is to provide loosely isolated bandwidth for each traffic flow passing through the core backbone network by maximizing the network resource, to minimize the collateral damage to these legitimate flows when DDoS attacks happen, and to contain the attack further once the attack traffic has been identified, so as to defend against DDoS attacks.

Finally, we build a network model that simulates a real core backbone network and use real data from normal traffic and attack flows to assess the effectiveness of the defense mechanism proposed in this paper against three indicators. The experimental data show that the defense mechanism can significantly reduce the collateral damage that attack flows inflict on normal traffic flows.
Keywords/Search Tags: Network security, Distributed Denial of Service (DDoS), Proactive Defense Mechanism (PDM), Network Utility Maximization (NUM)