Research And Implementation Of Anti-DDoS Attack System Based On Comware Platform

Now the Internet is developing rapidly,and more and more transactions need completing online.With the continuous improvement of user requirements,the users have gradually focused on network security,stability and transmission efficiency.Simple transmission of packets on the network can not meet the needs of users,users hope that the network can bear a better capability regarding security assurance and service.Nowadays,the endless stream of network attacks make the performance of network extremely deteriorated,especially the Distributed Denial of Service(DDoS),numerous abnormal network traffic let the service quality of those under attack significantly decreased,and there even appeares denial of service,which ultimately results in a large number of losses.Traditional network security technology focuses on intrusion detection,anti-virus software or firewall in enterprise user network,while the technology have not ability to reduce the abnormal traffic.The purpose of this paper is to eliminate the abnormal traffic existing in the network,and to decrease the possibility that users are attacked by DDoS.Based on the Comware platform of a company has developed a system,which can be deployed on routing equipment to against the DDoS attacks.The main research content of this paper is to achieve the combination between BGP technology and Flow-Spec technology on Comware platform,at the same time a research of DDo S attack principle,abnormal traffic monitoring algorithm and flow control algorithm is made After the abnormal traffic is detected by the system,routing equipment can control abnormal traffic according to the flow processing strategy which defined by Flow-Spec technology and at the same time using the BGP technology deploy flow processing strategy on multiple routing equipment where the equivalent relation has been established.Ultimately to maximize the effectiveness of defense against DDoS attacks.The followings are the major aspects of this research work.1.Research which includes the attacking principle and steps was conducted on DDOS attack.Focusing on the principle and procedures of attacks of SYN Flooding,UDP Flooding and smurf attack,detailed analysis was made.2.Related arithmetic was introduced and studied,including CUSUM arithmetic,the modified M-CUSUM arithmetic aimed at router special network environment and token bucket arithmetic for traffic control.3.Detailed research on the key technologies required by system implementation is made.The main research content of this paper is to achieve the combination between BGP technology and Flow-Spec technology on Comware platform.With BGP technology,multiple routing equipment can form equivalent relationship.And using the interaction of messages between peer pairs,the function that flow processing strategy is deployed in a routing device and applied in multiple devices can be achieved.Flow-Spec Technology stipulates the specific composition of traffic processing strategy,including matching rules and traffic processing action,meanwhile it stipulates the specific details in the coding implementation processing of traffic processing strategy.4.Finally,the related algorithms and techniques are used in practice to develop and implement the anti-DDoS attack system.In the overall development of the system,the flow monitoring module is used for monitoring abnormal traffic,the command line terminal module for receiving user configuration data,and the Flow-Spec data processing module for processing the data and sending the chip,and the BGP module is used to establish the function of the peer to peer relationship to achieve the transfer of traffic processing strategy.This system can counter DDoS attack in a highly-efficient and dynamic way,and meanwhile it has a simple course of protection strategy deployment and satisfying effects.Therefore,this system has a great application prospects.