
Design And Implementation Of Defense Mechanism For DDoS Attack Based On Mapping System For Control And Data Separation

Posted on: 2018-09-27  Degree: Master  Type: Thesis
Country: China  Candidate: Y Liang  Full Text: PDF
GTID: 2348330512996784  Subject: Electronic and communication engineering
Abstract/Summary:
With the development of the Internet, many problems have been exposed, and its security problems have become more and more serious. Building a new network system mechanism that solves the existing problems of the Internet and effectively prevents DDoS attacks is of great significance. In many studies, identity and location separation and control and data separation have become the focus of research. The Mapping System for Control and Data Separation is based on "the basic research of smart identifier network system" and focuses the control functions in the controller to further separate control from forwarding.

The controller is the heart of the whole mapping system, and its performance has a great influence on the overall performance of the system. A DDoS attack sends a large number of requests through the network and consumes network resources, resulting in denial of service at the server. If the controller breaks down, the operation of the entire network is affected. In the mapping system, the terminal is an important part of the system and acts on behalf of the user. An attack on the terminal likewise reduces network resource utilization and degrades the user experience.

This paper mainly studies the design and implementation of a DDoS attack detection and defense mechanism based on the mapping system. First, this paper analyzes the current state of domestic and foreign research in this field. It summarizes identity and location separation, control and forwarding separation, and DDoS attack detection and defense, and introduces the mapping system for control and data separation. DDoS attack and defense methods are then introduced.

Secondly, the mapping system for control and data separation is analyzed. The methods of DDoS attacks targeting the controller and the host are studied, and the DDoS attack detection and defense function modules are designed according to the different targets of the attack. The main work includes:

1) analysis of the DDoS attack whose target is the controller: the attack triggers a large number of mapping requests by forging a large number of access identities to attack the controller;
2) study of the mapping request parsing process;
3) study of the mapping request message structure; according to the information in the mapping request, the port and access identifier mapping module and the access identifier abnormal detection function module are designed;
4) analysis of the DDoS attack on the host in the mapping system, in which a host that accesses the mapping system is attacked through a localised puppet machine;
5) analysis of the features of DDoS attacks; according to the changes in traffic and in the entropy of characteristic elements during an attack, the traffic information statistics function module and the DDoS attack detection and defense function module are designed and implemented. The traffic information statistical processing module covers the acquisition and processing of traffic statistics classification information. The DDoS attack detection and defense module constructs the flow matrix and the entropy value matrix, calculates the measured value and the threshold value by mathematical statistics methods, and compares them;
6) according to the comparison results, the statistical calculation results are used to locate the attack source, and the traffic limit method is then used for DDoS attack defense.

Finally, the mapping system for control and data separation is simulated and its connectivity is tested. In this test environment, background traffic without DDoS attacks is simulated. Then the function and performance of the DDoS attack defense mechanism in the mapping system for control and data separation are tested under simulated DoS and DDoS attacks. The results are analyzed, and the implementation of the DDoS attack defense mechanism in the mapping system for control and data separation is verified.
Keywords/Search Tags: control and data separation, mapping system, DDoS attack detection
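
The detection steps summarized in items 5) and 6) of the abstract (entropy values per traffic window, a statistically derived threshold, locating the source, then limiting its traffic) can be sketched as follows. This is an added example, not code from the thesis. The field names (in_port, src_aid, dst_aid), the mean +/- 3 standard deviations threshold, the choice of the busiest ingress port as the source, and all sample traffic are assumptions made for illustration.

```python
import math
from collections import Counter
from statistics import mean, stdev

FEATURES = ("src_aid", "dst_aid")  # assumed field names for access identifiers

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def entropy_row(window):
    """One row of the entropy matrix: one entropy value per feature."""
    return [entropy([pkt[f] for pkt in window]) for f in FEATURES]

def thresholds(baseline_windows, k=3.0):
    """Per-feature band mean +/- k*stdev over attack-free windows (assumed rule)."""
    columns = zip(*(entropy_row(w) for w in baseline_windows))
    return [(mean(c) - k * stdev(c), mean(c) + k * stdev(c)) for c in columns]

def detect(window, bands):
    """Return None for a normal window, else the deviating features and the
    ingress port carrying the most traffic (the candidate for rate limiting)."""
    row = entropy_row(window)
    bad = [f for f, h, (lo, hi) in zip(FEATURES, row, bands) if not lo <= h <= hi]
    if not bad:
        return None
    port, n = Counter(pkt["in_port"] for pkt in window).most_common(1)[0]
    return {"features": bad, "limit_port": port, "share": n / len(window)}

def normal_window(i):
    """Constructed background traffic: 6 to 8 terminals, 10 packets each."""
    return [{"in_port": j % 4 + 1, "src_aid": f"aid-{j}", "dst_aid": f"srv-{j % 3}"}
            for j in range(6 + i % 3) for _ in range(10)]

def attack_window():
    """Constructed attack: port 3 adds 200 packets with forged, unique identifiers."""
    forged = [{"in_port": 3, "src_aid": f"forged-{n}", "dst_aid": "srv-0"}
              for n in range(200)]
    return normal_window(2) + forged

# Thresholds learned from six constructed attack-free windows.
BANDS = thresholds([normal_window(i) for i in range(6)])

if __name__ == "__main__":
    print(detect(normal_window(7), BANDS))
    print(detect(attack_window(), BANDS))
```

Forged identifiers push the source-identifier entropy above its band while the concentration on one destination pulls the destination entropy below its band, so both columns of the entropy row deviate in the constructed attack window.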