| Internet data center (IDC) is a standard and professional telecommunication computer room environment, which is established by the operator using the existing Internet communication lines and bandwidth resources. It can provide full-service for the enterprise and the government such as server hosting, related value-added services. With the rapid development of Internet, denial of service (DOS) attacks has become a threat to IDC network security. Therefore, the thesis conducted a thorough research on DOS attack resistance for IDC of Jinan Unicom.On the basis of the introduction of the relevant theory, combined with the actual situation of the existing network, this thesis discussed the essential of DOS attack defense, developed effective schemes and verified these schemes finally.The main works are as follows:1) Introduced the principles of DOS attack theory, the advantages and disadvantages of existing security protection technology.2) After giving the demands analyzing of the IDC network structure of Jinan Unicom and the existing means of anti-DOS, the thesis put forward the requirements and the design principle of the new solution. It can find the attack traffic timely and accurately, support a variety of network models, provide the protective effects on network attacks, have a good user interface and so on. Without the prejudice to the current network services in advance, the design principle is to enhance the capability of the DOS attack resistance of IDC of Jinan Unicom overall. According to the above requirements and design principle, the thesis provides the detailed working state of each link and the whole working procedure, based on hanging the cleaning system beside the IDC core equipment, completing the selection of equipment types and designing of the network equipment and cleaning equipment.3) According to the preliminary design, the thesis completed the specific deployment of network equipment and black hole system. The deployment of network equipment mainly included the interface address configuration, protection segment rule configuration, BGP attributes configuration, etc.. And the deployment of the black hole system mainly included the cluster BGP attributes configuration, traction and probe into rules sampling settings, and so on.4) Over the simulation environment and the current network environment testing, the thesis verified the capability of protection system. Simulation test in the first part included anomaly traffic detection, traction injection and the protective network statistics report and other functional test. The second part focused on the system performance test, simulation attack traffic, and the system performance limit. Network environment test is to test and to verify the function of system performance in the actual network environment. |
PDF Full Text Request