
A DDoS Countermeasure Solution For Critical Services Of Large-scale Networks

Posted on: 2013-11-08
Degree: Master
Type: Thesis
Country: China
Candidate: X Z Lu
Full Text: PDF
GTID: 2248330374967436
Subject: Computer application technology

Abstract/Summary:
In recent years, research on application-layer distributed denial of service (App-DDoS) attacks has become a hot topic in the field of computer network security. App-DDoS is a special kind of distributed denial of service (DDoS) attack. Typically the server provides services for which the client only needs to send a few messages while the server consumes massive resources. An App-DDoS attacker can exploit this weakness and send a certain amount of request packets that may paralyze the server. Traditional DDoS defense systems can do little about App-DDoS. The main reasons are: (1) App-DDoS attack packets appear legitimate at the network layer, and the traffic of each attack node is not very large. (2) The diversity and variability of the services make it difficult to find a general defense solution. (3) App-DDoS attackers often attack websites via proxy servers, which makes it harder for the defense system to trace them. Therefore, App-DDoS attacks are increasingly becoming a threat to secret-associated networks, e-government networks and military networks.

Most existing solutions to App-DDoS attacks fall into two classes: "massive overprovision" and "detect and block". However, the former greatly increases maintenance costs and cannot resist instantaneous bursts of App-DDoS attacks. As application-layer services grow, their diversity and variability make the defense systems of the latter class too complex to resist App-DDoS attacks on new services. Aiming at the features of App-DDoS attacks, we conduct an extensive study of DDoS and attempt to answer the following questions: (1) Why can traditional DDoS defense systems and their defense policies do little against App-DDoS attacks, and can the defense system take advantage of the weaknesses of App-DDoS attackers? (2) Can we find a better solution for defending against variable App-DDoS attacks through theoretical analysis? (3) How should such a defense model be designed?

The contributions of this thesis are as follows:

1) We propose a cost-effective App-DDoS countermeasure strategy. Most existing traditional defense systems work by detecting and filtering attack packets. But the characteristics of App-DDoS attack packets are not obvious, so traditional defense systems can do little about App-DDoS attacks. Considering that App-DDoS attackers need to interact with the server and that their bandwidth is limited, we take advantage of this weakness and notify all clients to retry or to send a bit stream. This costs most of the clients' bandwidth. In this way, the attacker cannot be served, because too many of its requests need to be retried or to send many bits, which exhausts its bandwidth.

2) We propose a concept called "volume of services". For App-DDoS attacks, what we need to focus on is not the traffic in bits but the amount of server resources consumed. Based on the amount of consumed resources, we propose the concept of "volume of services". Using this concept, we obtain a mathematical abstraction of the App-DDoS defense strategy. We then introduce further concepts based on "volume of services", such as "volume of effective services" and "volume of applied services". These concepts measure the reliability and validity of the algorithms in our countermeasure model, and the mathematical functions of the "volume of effective services" and the "volume of applied services" can be used to describe the characteristics of a client. Based on these functions, further research on App-DDoS can be carried out.

3) We design an App-DDoS countermeasure model. The model consists of an overlay computing module, a traffic-limiting module, a resource-allocating module and an encouragement module. The overlay computing module determines whether the server is under attack and, if so, the type of the attack. The traffic-limiting module is used to avoid denial of service. The resource-allocating module decides whether to accept or reject requests using the information carried by the different requests. The encouragement module notifies a client to retry or to send a bit stream, and is also responsible for managing the information table. Together these four modules form our defense system against App-DDoS attacks. The experimental results demonstrate that, compared with existing defense models, our solution achieves higher performance gains and is more cost efficient.
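The "volume of services" accounting and the encouragement module described above, illustrated by an added toy simulation that is not code from the thesis (the names Client, serve_round and run_scenario, the deposit rule and the constructed scenario are assumptions of this illustration): the server accounts for each request's server-side resource cost rather than its bytes, and once the applied volume exceeds capacity it demands a bit-stream deposit proportional to that cost before serving, so a flooding client's own bandwidth limit caps the share of service it can obtain.

```python
# Added toy simulation of the thesis's "volume of services" idea; names,
# deposit rule and sample numbers are assumptions, not the thesis's algorithm.
from dataclasses import dataclass

@dataclass
class Client:
    name: str
    bandwidth: int      # bytes this client can afford to send in one round
    request_cost: int   # server resource units one of its requests consumes
    served: int = 0
    dropped: int = 0

def applied_volume(stream):
    """Volume of applied services: resources the whole request stream asks for."""
    return sum(c.request_cost for c in stream)

def serve_round(stream, capacity, deposit_per_unit=1000, encourage=True):
    """Process requests in arrival order; return the volume of effective services
    (resource units actually delivered). With encouragement on and the applied
    volume above capacity, each request must first carry a bit-stream deposit."""
    charge = encourage and applied_volume(stream) > capacity
    budget = {}          # per-client bandwidth remaining this round
    remaining = capacity
    effective = 0
    for c in stream:
        budget.setdefault(c.name, c.bandwidth)
        if charge:
            deposit = c.request_cost * deposit_per_unit
            if budget[c.name] < deposit:
                c.dropped += 1   # bandwidth exhausted: retry/bit stream unaffordable
                continue
            budget[c.name] -= deposit
        if remaining < c.request_cost:
            c.dropped += 1       # server resources exhausted
            continue
        remaining -= c.request_cost
        c.served += 1
        effective += c.request_cost
    return effective

def run_scenario(encourage):
    """Constructed scenario: one legitimate client, one bot flooding cheap-to-send requests."""
    legit = Client("legit", bandwidth=20_000, request_cost=5)
    bot = Client("bot", bandwidth=50_000, request_cost=5)
    stream = [bot] * 40 + [legit] * 2 + [bot] * 40
    effective = serve_round(stream, capacity=100, encourage=encourage)
    return {"legit_served": legit.served, "bot_served": bot.served,
            "effective_volume": effective}
```

With encouragement off, the bot's first 20 requests absorb the whole capacity and the legitimate client gets nothing; with it on, the bot's 50 kB budget covers only 10 deposits, the legitimate client's two requests are served, and the server keeps 40 units of headroom.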
Keywords/Search Tags:DDoS, application-layer attack, encouragement, countermeasure, defense model