
The Research On Detection And Traceback Technology Against Web Application Layers DDoS Attack

Posted on: 2018-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: J M Shi
GTID: 2348330536479921
Subject: Software engineering

Abstract/Summary:
As networks have developed, most attackers have shifted their targets to network applications and services, so application-layer attacks have increased rapidly. Network attacks are becoming more and more serious, especially application-layer DDoS attacks. This paper proposes a detection and traceback technique for application-layer DDoS attacks based on user behavior and traffic characteristics.

The paper first introduces the background: the principle and characteristics of application-layer DDoS attacks, and how they differ from traditional DDoS attacks. The research focuses on DDoS attacks based on the HTTP protocol, so the defects of HTTP are analyzed in detail, followed by a description of the principle of HTTP-based DDoS attacks and of the Flash Crowd phenomenon. Existing DDoS attack detection methods and attack source tracing techniques are then classified, and their advantages and disadvantages are summarized.

Existing application-layer DDoS detection methods have several shortcomings: they rely on a single feature, detect only a single type of attack, cannot distinguish Flash Crowd events, and have poor online real-time performance. To address these, we propose a Web application-layer DDoS attack detection method based on the Jaccard similarity coefficient, which analyzes the differences among features and uses multi-feature similarity to characterize the similarity between attack flow and normal flow. Experiments show that the method can effectively detect HTTP-Flood attacks and slow connection attacks, and can distinguish the Flash Crowd phenomenon, which reduces the false alarm rate for HTTP-Flood attacks.

Because traceback models based on the entropy parameter perform poorly at tracing slow connection attacks, we propose an IP address tracking method based on the change in the similarity coefficient. The method divides the flow at a router into flow from upstream routers and local flow, and identifies the upstream router by the change in the similarity coefficient. Once the immediate upstream router identifies the attack flow, it immediately forwards the request to its own upstream router to further identify the source of the attack flow, and the process repeats until it reaches the attack source. Experimental results show that the proposed method can locate the attack source and restore the attack path correctly in a certain network topology, and that it improves sensitivity to slow connection attacks.
Keywords/Search Tags:application layer DDoS, HTTP-Flood, slow connection attacks, FlashCrowd, attack detection, traceback
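
The hop-by-hop traceback described in the abstract can be sketched as follows. This is an added illustration, not code from the thesis: representing a flow as a set of feature tokens, the router names, the topology, the feature values and the 0.75 threshold are all assumptions constructed for the example.

```python
def jaccard(a, b):
    """Jaccard similarity coefficient |A & B| / |A | B| of two feature sets."""
    a, b = set(a), set(b)
    union = a | b
    return len(a & b) / len(union) if union else 1.0

THRESHOLD = 0.75  # assumed cut-off: a flow below this similarity is suspect

# Constructed feature sets (request targets and inter-request interval buckets).
NORMAL = {"GET /", "GET /news", "GET /img/logo.png", "gap:1-5s", "gap:5-30s"}
BENIGN_VARIANT = NORMAL - {"GET /news"}                # ordinary drift, 4/5 = 0.8
ATTACKY = NORMAL | {"GET /search?q=", "gap:<0.1s"}     # mixed flow, 5/7 = 0.714

# Constructed topology: per router, the flow seen from each upstream router
# and from directly attached hosts ("local"), as the abstract divides it.
FLOWS = {
    "R_victim": {"R1": ATTACKY, "R2": BENIGN_VARIANT, "local": NORMAL},
    "R1": {"R3": NORMAL, "R4": ATTACKY, "local": NORMAL},
    "R2": {"local": BENIGN_VARIANT},
    "R3": {"local": NORMAL},
    "R4": {"local": ATTACKY},
}

def traceback(router, flows=FLOWS, baseline=NORMAL, threshold=THRESHOLD):
    """Follow the upstream flow whose similarity to the baseline dropped most.

    Returns (path, found): the routers visited, and whether the last router's
    local flow was the anomalous one (the attack source is attached there).
    """
    path = [router]
    while True:
        suspects = [src for src, feats in flows[router].items()
                    if jaccard(baseline, feats) < threshold]
        upstream = [s for s in suspects if s != "local" and s not in path]
        if not upstream:
            return path, "local" in suspects
        # Hand the request to the upstream router with the lowest similarity.
        router = min(upstream, key=lambda s: jaccard(baseline, flows[router][s]))
        path.append(router)

if __name__ == "__main__":
    print(traceback("R_victim"))
```

The benign variant at `R2` stays above the threshold and is not followed, while the mixed flow is traced through `R1` to the local hosts of `R4`.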