
A Border-Gate Based Defense Strategy Against DDoS Attacks

Posted on: 2012-12-19
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhao
GTID: 2218330362952058
Subject: Computer Science and Technology
Abstract/Summary:
Distributed Denial of Service (DDoS) attacks are currently among the greatest and most serious threats to the Internet. They exploit drawbacks in the original design of the TCP/IP protocols and the open character of the Internet. Research on DDoS defense is therefore of great significance and has long been an important topic in network security. In recent years, researchers have proposed many DDoS defense schemes. Each has its own advantages, but also its limitations.

First, this paper introduces the principle of DDoS attacks and presents a classification of DDoS attacks based on the TCP/IP protocols and on network flow characteristics. It also surveys domestic and international research on DDoS attacks. Comparison and analysis show that most current defense schemes suffer from low accuracy, high false-negative rates, high computational complexity and resource consumption, high response delay, a small scope of defense, and other shortcomings. A new concept is therefore proposed: a DDoS defense scheme based on the boundaries of the autonomous system (AS).

Second, the paper analyzes routing traction technology in detail and presents source IP address tracking, remote triggered black hole routing, and source-address-based unicast reverse-path verification. To address their lack of real-time response and their computational complexity in DDoS defense, the paper proposes, respectively, an improved real-time clean-up trap network, AS-based adaptive probabilistic packet marking, and a path authentication method based on the source address. These make up for some shortcomings of the traditional schemes, filtering packets with lower computational complexity and resource consumption and tracing the source of an attack more quickly and easily.

Then, combining these improved techniques, the paper proposes a new DDoS defense scheme based on the AS border router. Its model has been implemented and tested in NS2 simulation. The results are analyzed and verified for each module separately and for the overall defense model. They show that the new model filters attack packets better and traces the attack source faster, with lower resource consumption, and so defends against DDoS attacks effectively.

Finally, the paper summarizes the main work, the advantages of the new DDoS defense model, and the disadvantages that need further improvement in the future.
Keywords/Search Tags: Distributed Denial of Service, Routing Traction, Packet Marking, Autonomous System, Path Authentication