Source-end DDoS Defense System Based On IXP2400 NETWORK PROCESSOR

Posted on: 2017-05-19
Degree: Master
Type: Thesis
Country: China
Candidate: S Hu
Full Text: PDF
GTID: 2308330485485963
Subject: Software engineering
Abstract/Summary:
Recently many Internet servers have experienced what is called Distributed Denial of Service (DDoS) attacks. The aim of a DDoS attack is to prevent legitimate users from accessing desired resources, such as network bandwidth. Earlier security threats could be met with a tight security policy and active measures such as firewalls and IDS; DDoS, however, is a new type of attack against which no effective protection yet exists. Therefore, a powerful tool for detecting attacks on Internet server security vulnerabilities is needed.

Nowadays DDoS attacks pose a pressing problem for Internet security, and many defense mechanisms have been proposed to combat them. The main hardware requirement for a DDoS protection system is high processing speed, while the software requirements are scalability, high accuracy in detecting attacks, and good adaptability to new types of attack. For deployment of the defense system, the closer it sits to the source of the attack, the earlier the attack is detected, which reduces the impact on the victims and on network resources to the greatest extent. It is therefore better to deploy the DDoS defense system at the source end.

In this thesis, three software modules were added to the IXP 2400 (Internet eXchange Point 2400) network processor. On that basis, a source-end DDoS protection system was designed and implemented. The system can detect IP spoofing attacks and flooding attacks effectively. Because the system design is based on the Intel IXA SDK 4.1 software architecture, the system is highly portable, which contributes to large-scale deployment and upgrade. Details are as follows.

1. The design of a source-end DDoS defense system based on the IXP2400 network processor. The system is deployed at the edge of the source network, where it can monitor the data stream of the source sub-network and control malicious data streams at the source without affecting other networks. The system contains three parts: Source Filter, DDoS Classifier and DDoS Meter.

2. The detailed design of the Source Filter, DDoS Classifier and DDoS Meter. The Source Filter works by checking whether the source IP address in the packet header is a valid value. The DDoS Classifier is mainly responsible for collecting flow and connection statistics and comparing them against the connection model of legitimate traffic; the CUSUM algorithm detects malicious data based on the ratio of packets sent to packets received. The DDoS Meter is realised mainly through TCM (Three Color Metering), which uses the statistics collected by the DDoS Classifier to limit the rate; the DDoS Meter decides whether data is malicious by Three Color Metering.

3. Testing the source-end DDoS protection system with simulated DDoS attacks. A simulated DDoS attack sends data to attack the server using a SmartBits SMB-6000 while, at the same time, a legitimate user exchanges data with the server. The defense capability of the system is measured by the number of connections the legitimate user achieves and the rejection rate of legitimate connections. The tests and analysis show that the proposed protection system is capable of protecting against IP spoofing, TCP SYN flooding, ICMP flooding and UDP flooding attacks.
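The three modules the abstract describes (a source-address filter, a CUSUM classifier over the send/receive ratio, and a three color meter for rate limiting) can be sketched in software to make the mechanics concrete. The following Python is an added illustration written for this page, not the thesis code or anything from the IXA SDK: the local prefix, the CUSUM drift and threshold, the meter parameters and the per-interval SYN/SYN-ACK counters are all constructed values, and the meter follows the single-rate three color marker of RFC 2697 in colour-blind mode as one concrete reading of "Three Color Metering".

```python
"""Source-end DDoS defense building blocks, as an added illustration.

The three pieces mirror the thesis modules (Source Filter, DDoS Classifier,
DDoS Meter), but the code, parameters and sample data are constructed for
this example; they are not the thesis implementation.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Source Filter: a packet leaving the edge router must carry a source address
# that belongs to the network behind it (assumption: the RFC 5737 test prefix
# stands in for the protected sub-network).
LOCAL_PREFIXES = [ip_network("192.0.2.0/24")]


def source_is_valid(src_ip: str) -> bool:
    """True when the source address is one this edge network may originate."""
    addr = ip_address(src_ip)
    return any(addr in net for net in LOCAL_PREFIXES)


# DDoS Classifier: non-parametric CUSUM over the fraction of outbound SYNs
# that receive no SYN-ACK within each measurement interval.
class Cusum:
    def __init__(self, drift: float, threshold: float) -> None:
        self.drift = drift          # upper bound of the statistic under normal load
        self.threshold = threshold  # accumulated excess that raises an alarm
        self.y = 0.0

    def update(self, x: float) -> bool:
        # Classic recursion: y_n = max(0, y_{n-1} + x_n - drift); alarm if y_n > N.
        self.y = max(0.0, self.y + x - self.drift)
        return self.y > self.threshold


def unanswered_fraction(syn_out: int, synack_in: int) -> float:
    """Share of outbound SYNs with no matching inbound SYN-ACK (0 when idle)."""
    if syn_out == 0:
        return 0.0
    return max(0.0, 1.0 - synack_in / syn_out)


def first_alarm(intervals: List[Tuple[int, int]],
                drift: float = 0.2, threshold: float = 1.0) -> int:
    """Index of the first interval at which CUSUM alarms, or -1 if it never does."""
    det = Cusum(drift, threshold)
    for i, (syn_out, synack_in) in enumerate(intervals):
        if det.update(unanswered_fraction(syn_out, synack_in)):
            return i
    return -1


# Constructed counters: ten quiet intervals, then a SYN flood whose SYN-ACKs
# mostly never come back because the victim cannot answer.
SAMPLE_INTERVALS = [(100, 95)] * 10 + [(1000, 100)] * 5


# DDoS Meter: single-rate three color marker (RFC 2697 style, colour-blind).
class SrTcm:
    def __init__(self, cir: float, cbs: int, ebs: int) -> None:
        self.cir, self.cbs, self.ebs = cir, cbs, ebs  # bytes/s, bytes, bytes
        self.tc, self.te = float(cbs), float(ebs)     # both buckets start full
        self.last = 0.0

    def mark(self, now: float, size: int) -> str:
        # Replenish at CIR; the committed bucket fills first, overflow goes to excess.
        tokens = (now - self.last) * self.cir
        self.last = now
        room_c = self.cbs - self.tc
        self.tc += min(tokens, room_c)
        self.te = min(self.ebs, self.te + max(0.0, tokens - room_c))
        if size <= self.tc:
            self.tc -= size
            return "green"
        if size <= self.te:
            self.te -= size
            return "yellow"
        return "red"


def meter_burst() -> List[str]:
    """Ten 500-byte packets at t=0, one more at t=1 s, against CIR 1000 B/s."""
    meter = SrTcm(cir=1000.0, cbs=2000, ebs=2000)
    colors = [meter.mark(0.0, 500) for _ in range(10)]
    colors.append(meter.mark(1.0, 500))
    return colors


if __name__ == "__main__":
    print(source_is_valid("192.0.2.10"), source_is_valid("198.51.100.7"))
    print("CUSUM alarm at interval", first_alarm(SAMPLE_INTERVALS))
    print(meter_burst())
```

Run stand-alone it prints the filter verdicts, the interval at which the CUSUM statistic crosses its threshold (the second flood interval, since each contributes 0.7 of excess against a threshold of 1.0), and the colour sequence from the meter: the committed burst admits four packets, the excess burst four more, the rest are red, and after one second the committed bucket has refilled enough to admit another packet.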
Keywords/Search Tags: DDoS attack, source-end DDoS protection system, IXP2400, modules