
Web DDoS Defense Based on the Rhythm of Packets

Posted on: 2014-02-04
Degree: Master
Type: Thesis
Country: China
Candidate: H T Yan
GTID: 2248330398959476
Subject: Computer system architecture

Abstract/Summary:
The Internet has become an indispensable part of our life, work and learning. But while we enjoy the Internet, we must endure the inconvenience and even loss that malicious activities bring us. Network security was not given enough consideration when the Internet was designed. With the development and popularization of the Internet, network attacks emerge endlessly, and government agencies, industry researchers and even the general public have turned their attention to network security.

Distributed Denial of Service (DDoS) aims at consuming computing resources; it prevents the host from providing service to legitimate users. DDoS is an important one among all kinds of network attack methods. It is widely used by attackers because of its simple principle, widely available tools, ability to hide tracks and capacity to cause great damage. It has become one of the greatest threats to the Internet in recent years and has brought immeasurable losses to network business. DDoS attack detection and prevention is an important part of the whole network security system and is a current research frontier in the field of network security. Many researchers have carried out in-depth studies on DDoS attacks and made remarkable achievements. But the fight against attackers is long and hard: as network defense technology improves, DDoS attack techniques also evolve constantly, from the original TCP/SYN flooding to application-layer DDoS, and the struggle between attack and defense grows fiercer day by day.

In layer-7 Web DDoS, the attackers pretend to be legitimate users and submit malicious HTTP requests to the server, trying to exhaust server-side computing resources to prevent it from serving other legitimate users. The key point of Web DDoS defense is to filter the attack flows and locate the attackers effectively and accurately.

In this paper, we introduce the concept of flow rhythm, derived from the length and interval of packets, and then propose an algorithm that defends against Web DDoS on the basis of flow rhythm. First, we analyze the rhythm characteristics under different Web DDoS attack modes and point out the differences between the rhythm of legitimate flows and the rhythm of attack flows. Second, on the basis of depicting the rhythm characteristics of a single client, we put forward the concept of the rhythm velocity matrix to depict the behavior characteristics of a user group. Finally, we propose and implement the defense algorithm based on the rhythm velocity matrix; the algorithm can filter Web DDoS attack flows effectively and locate the attackers accurately. Meanwhile, we implement a Web DDoS attack simulation program and generate simulated attack traffic for different Web DDoS attack modes on the basis of public Internet trace datasets, then test our algorithm on the simulated datasets.

The experiments show that our algorithm works well in different Web DDoS attack modes. The true positive rate of filtering attack flows is 100% and the maximum false positive rate of locating attackers is 1.5%. Although our algorithm starts from layer-7 behavior characteristics, it uses only layer-3 factors. The algorithm does not process layer-7 payloads, so it is fast, effective and easy to implement. Above all, because the algorithm proposed in this paper does not need to process layer-7 payloads and requires less computing resources, it has theoretical significance and practical value for filtering and controlling layer-7 DDoS in the network backbone.

Keywords/Search Tags: Network Security, Distributed Denial of Service, Layer-7 DDoS, Rhythm Matrix