
Research On Defense Against DDoS

Posted on: 2014-08-04
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
Full Text: PDF
GTID: 2308330479479107
Subject: Software engineering
Abstract/Summary:
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are currently the most common means of threatening the Internet. During an attack, scattered zombies send a large number of packets to the target host or server, congesting network links, paralysing the network and the host, and causing great damage. How to defend effectively against DDoS attacks has been a hot research topic in network security in recent years. DDoS defense faces several serious challenges, especially on backbone networks: how to detect attacks accurately, quickly and efficiently, how to respond to an attack in time, and how to clean and filter the attack traffic.

This thesis summarizes the concept, principle and classification of DDoS attacks and describes the common attack tools. Existing DDoS defense methods are discussed and analyzed from three aspects: attack detection, prevention and response. On that basis, the main work and innovations of this thesis are as follows:

First, a multilevel hybrid method for DDoS detection is proposed, in which a coarse-grained approach is combined with a fine-grained approach to detect and recognize attacks collaboratively. A detection algorithm using address entropy with CUSUM is employed to detect abnormal traffic and perceive the appearance of a DDoS attack at the macro level. An algorithm for approximately detecting the application-layer congestion state is presented: the state of application-layer congestion is detected by measuring the RTT of TCP packets carrying payload, which helps confirm the attack and gauge its impact.

Second, multilevel methods for cleaning attack traffic are proposed, in which DDoS attack traffic is washed out in different ways according to the level at which it can be detected. An identification algorithm for attack traffic based on the self-similarity of traffic is presented: the network traffic to and from the candidate victims is observed, and whether or not it is attack traffic is judged from the angle of traffic characteristics. Malformed packet traffic is filtered directly. Suspicious attack traffic that cannot be recognized directly is rate-limited according to the degree of application-layer congestion that has been detected. These multi-level measures are combined to guarantee that malformed traffic is filtered effectively and thoroughly.

Third, a real-time DDoS defense prototype system is built by adopting the attack detection and attack traffic cleaning methods. The defense system is deployed in a campus backbone network for experiments. The experimental results confirm that the proposed methods are a useful supplement to traditional DDoS defense methods and are beneficial for DDoS attack detection and suspicious traffic cleaning.
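The coarse-grained detector described above (address entropy tracked with CUSUM) can be sketched as follows. This is an added example, not the thesis's own code; it assumes per-interval windows of source addresses, a baseline learned from the first quiet windows, and constructed sample traffic in place of a real capture.

```python
import math
from collections import Counter
from typing import Iterable, List, Sequence, Tuple


def address_entropy(addresses: Iterable[str]) -> float:
    """Shannon entropy, in bits, of the address distribution in one window."""
    counts = Counter(addresses)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def cusum_alarms(samples: Sequence[float], baseline: float, drift: float,
                 threshold: float) -> Tuple[List[float], List[int]]:
    """One-sided CUSUM over per-window entropies.  The statistic accumulates
    how far each sample exceeds baseline + drift and resets at zero, so one
    odd window is tolerated while a sustained shift crosses the threshold.
    Returns the statistic per window and the indices of alarm windows."""
    s, stats, alarms = 0.0, [], []
    for i, x in enumerate(samples):
        s = max(0.0, s + (x - baseline - drift))
        stats.append(s)
        if s > threshold:
            alarms.append(i)
    return stats, alarms


def constructed_windows() -> List[List[str]]:
    """Constructed sample traffic (assumed, not captured): each window is the
    list of source addresses seen in one measurement interval."""
    # Normal: 40 packets from 4 repeat clients -> entropy log2(4) = 2.0 bits.
    normal = ["10.0.0.%d" % (i % 4 + 1) for i in range(40)]
    # Flood: 40 packets from 40 scattered zombies -> entropy log2(40) ~ 5.32 bits.
    flood = ["192.168.1.%d" % (i + 1) for i in range(40)]
    # Three quiet windows, one isolated burst, three quiet, then a sustained flood.
    return [normal] * 3 + [flood] + [normal] * 3 + [flood] * 3


def run_detection(windows: Sequence[Sequence[str]], learn: int = 3,
                  drift: float = 0.5, threshold: float = 3.0) -> List[int]:
    """Learn the baseline entropy from the first `learn` windows, then run
    CUSUM over all windows and return the indices that raised an alarm."""
    entropies = [address_entropy(w) for w in windows]
    baseline = sum(entropies[:learn]) / learn
    return cusum_alarms(entropies, baseline, drift, threshold)[1]


if __name__ == "__main__":
    # Isolated burst (window 3) stays quiet; sustained flood alarms from window 7.
    print("alarm windows:", run_detection(constructed_windows()))
```

The drift and threshold parameters trade detection delay against false alarms: a larger drift ignores small fluctuations, a larger threshold requires the shift to persist over more windows.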
Keywords/Search Tags: DDoS Attack, DDoS Detection, Network Congestion, Traffic Filter, Attack Traffic Discrimination