
The Design And Implementation Of A Prevention System Against Low-rate Denial Of Service

Posted on: 2017-09-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Zong
Full Text: PDF
GTID: 2348330518496236
Subject: Computer technology
Abstract/Summary:
The rapid development of computer networking and communication technology has accelerated the dissemination and exchange of science and technology; at the same time, network security problems are growing in number. Denial of service (DoS) attacks are among the most serious of them. During such an attack, the attacker uses a variety of methods to consume the victim's network bandwidth and host resources, so that the server can no longer respond to legitimate user requests, with severe consequences. There are many kinds of denial of service attack; most rely on high-volume flooding and target network-layer protocols. In 2001, researchers identified a new type of denial of service attack that differs from traditional flooding DoS: its average traffic rate is low and it is very subtle. Moreover, it resembles legitimate data streams, which makes it hard to detect. Because the attack is cheap, an attacker can achieve a denial of service effect even from a single computer. This attack is called the low-rate denial of service attack, abbreviated LDoS. Such attacks exploit flaws in network protocols or servers by periodically sending small bursts of packets, so that the network link stays congested or server resources stay exhausted. Since traditional firewalls mostly detect and filter packets at the lower protocol layers and are weak at inspecting higher-layer packet data, they cannot defend against these denial of service attacks effectively.

This thesis studies in depth the communication technology and network theory related to low-rate denial of service attacks. The main defense against traditional denial of service attacks is traffic-rate detection; however, pure traffic-rate detection applied to low-rate denial of service easily produces false positives. On the defensive side, a low-rate denial of service prevention system, whose prototype derives from the intrusion prevention system, is designed and implemented; it is based on anomaly detection combined with associated traffic analysis. Testing shows that this prevention system can detect most attack traffic, demonstrating an effective defense. The main work of the thesis is summarized as follows:

(1) Network technologies related to low-rate denial of service, such as the congestion control mechanism of the Transmission Control Protocol (TCP) and HTTP communication, are studied. Data transmission over the Internet is simulated and the captured packets are analyzed for their data structure. On that basis, the strategy for the traffic acquisition module and the pre-processing module, covering the main packet fields and protocol decoding analysis, is set.

(2) The features and principles of denial of service at the transport layer and the application layer are studied. The attack is reproduced with tools and the collected data is analyzed. Building on previous studies, a new defense method is proposed that combines anomaly detection with flow correlation analysis.

(3) The working mechanism of the intrusion prevention system, and especially the detection strategy of the network-based intrusion prevention system, is studied. On that basis, a prototype low-rate denial of service prevention system is designed, and the functional structure of the overall architecture and of every module in the defense system is designed in detail. The traffic acquisition module, a database module and the client module are implemented.

(4) The prevention system is tested and the results are analyzed. The tests cover the functionality, the defense capability and the security of the defense system itself.
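The contrast the abstract draws, between pure traffic-rate detection and detection that looks at the structure of the traffic, can be made concrete with a small detector. The Python below is an added example, not code from the thesis or from its prevention system. It assumes packets have already been decoded into (timestamp_ms, size_bytes) records, the form a traffic acquisition module would hand to a pre-processing stage; the sample traffic is constructed inline rather than captured; and the feature it uses (short-window burst detection plus periodicity of the gaps between bursts) is one possible anomaly feature chosen for illustration, not the thesis's actual method.

```python
"""Added example: average-rate thresholding versus burst-and-periodicity analysis
for low-rate DoS (LDoS) traffic. Not the thesis's code; the burst/periodicity
feature is an assumed illustration, not the thesis's detection method."""
from collections import Counter
import math


def bin_traffic(packets, duration_ms, bin_ms):
    """Sum packet bytes into bin_ms-wide windows covering [0, duration_ms)."""
    bins = [0] * math.ceil(duration_ms / bin_ms)
    for t, size in packets:
        if 0 <= t < duration_ms:
            bins[int(t // bin_ms)] += size
    return bins


def average_rate_bps(packets, duration_ms):
    """The single number a pure traffic-rate detector thresholds on."""
    return sum(size for _, size in packets) * 8 * 1000 / duration_ms


def burst_starts(bins, bin_ms, burst_threshold_bps):
    """Start index of each run of consecutive bins whose instantaneous rate
    exceeds burst_threshold_bps (one run is one burst event)."""
    starts, in_burst = [], False
    for i, nbytes in enumerate(bins):
        hot = nbytes * 8 * 1000 / bin_ms > burst_threshold_bps
        if hot and not in_burst:
            starts.append(i)
        in_burst = hot
    return starts


def periodicity(starts):
    """Modal gap between burst starts (in bins) and the fraction of gaps equal
    to it. Fewer than three bursts give no usable period: (None, 0.0)."""
    if len(starts) < 3:
        return None, 0.0
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    gap, count = Counter(gaps).most_common(1)[0]
    return gap, count / len(gaps)


def detect(packets, duration_ms, bin_ms=10, flood_threshold_bps=5e6,
           burst_threshold_bps=5e6, min_periodic_fraction=0.8):
    """Run both views over one capture window and report what each one sees."""
    avg = average_rate_bps(packets, duration_ms)
    starts = burst_starts(bin_traffic(packets, duration_ms, bin_ms),
                          bin_ms, burst_threshold_bps)
    gap, frac = periodicity(starts)
    return {
        "average_rate_bps": avg,
        "flood_alert": avg > flood_threshold_bps,  # what rate detection alone says
        "burst_count": len(starts),
        "period_ms": None if gap is None else gap * bin_ms,
        "periodic_fraction": frac,
        "ldos_alert": gap is not None and frac >= min_periodic_fraction,
    }


# ---- constructed sample traffic (synthetic, not captured) -------------------
DURATION_MS = 10_000


def background(duration_ms, every_ms=50, size=1500):
    """Steady legitimate-looking stream: one 1500-byte packet every 50 ms."""
    return [(t, size) for t in range(0, duration_ms, every_ms)]


def pulse(start_ms, n_packets=40, spread_ms=50, size=1500):
    """A short burst: n_packets spread evenly across spread_ms."""
    return [(start_ms + j * spread_ms / n_packets, size) for j in range(n_packets)]


STEADY = background(DURATION_MS)
# Ten equal bursts, one per second: low average rate but strongly periodic.
PERIODIC_PULSES = STEADY + [p for k in range(10) for p in pulse(200 + 1000 * k)]
# Bursts of the same shape at irregular times (e.g. bulk transfers): no period.
IRREGULAR_BURSTS = STEADY + [p for s in (300, 1700, 2100, 5600) for p in pulse(s)]

if __name__ == "__main__":
    for name, sample in (("steady", STEADY), ("periodic", PERIODIC_PULSES),
                         ("irregular", IRREGULAR_BURSTS)):
        print(name, detect(sample, DURATION_MS))
```

On the periodic sample the average rate is only 720 kbps, far below the 5 Mbps flood threshold, so rate detection stays silent; lowering that threshold enough to catch a 720 kbps average would flag ordinary traffic, which is the false-positive problem the abstract notes. The burst view instead sees ten bursts with a 1000 ms period and raises the LDoS alert, while the irregular sample has bursts of the same size but no period and is left to other detectors.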
Keywords/Search Tags:Low-rate Denial of Service Attack, Anomaly Detection, Traffic Analysis, Network Intrusion Prevention System