DDoS Detection And Response Based On IP Flows

Posted on: 2018-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: W T Ren
Full Text: PDF
GTID: 2348330542453043
Subject: Computer Science and Technology
Abstract/Summary:
DDoS attacks are one of the mainstream forms of malicious network behaviour today and cause serious harm to the normal operation of the Internet. This thesis addresses both DDoS attack detection and DDoS attack response. Detection is based on the IP flow records exported by network border routers, and was deployed and validated in the CERNET network on the NBOS platform. Building on that, the thesis studies how to evaluate the detection results and how to use SDN technology to respond to the attacks.

For detection, the thesis first combines current academic and industrial views of what constitutes a DDoS attack to arrive at a detection criterion. It then analyses the original SYN Flood detection logic of the NBOS system, identifies its shortcomings, proposes an improved scheme, and validates the improvement by comparing experimental results before and after the change. Next, from an analysis of UDP Flood attack scenarios, it observes that UDP floods aimed at a single host and at an entire network segment share similar flow characteristics, and designs a detection algorithm based on an attack-intensity threshold together with a second threshold value; the algorithm is implemented and tested in a real network environment. Finally, to address the question of whether a detected attack is genuine, it proposes a method for evaluating detection results from the presence of spoofed source addresses, packet length, backscatter traffic intensity and attack intensity, and confirms the method by comparison with analysis of actual samples.

Building on detection, the thesis proposes locating and tracking the botnet behind the detected attacks. It first establishes the feasibility of this idea by analysing the activity cycle of zombie hosts, then designs two different ways of locating the control command messages and the C&C controller from the communication characteristics of zombie hosts. On this basis it designs and implements a Botnet Tracking System (BTS), which successfully located multiple C&C controllers and zombie hosts in the production network. A located controller can then be blocked easily with an SDN flow-table entry.

For response, in addition to intercepting control commands, the thesis also discusses intercepting the attack traffic itself, and gives the corresponding SDN flow-table interception rules and the method for generating them. On this basis, building on an existing SDN-based emergency response system (HYDRA), it designs a DDoS attack interception system that obtains its analysis data from NBOS and BTS, generates interception rules, and submits them to HYDRA for enforcement. Measurements at the CERNET Jiangsu network border show that the system effectively blocks both botnet control commands and DDoS attack traffic. This result demonstrates the feasibility and practicality of responding to DDoS attacks with SDN technology.
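The flow-based UDP Flood detection and the SDN interception rules described in the abstract, worked through as an added example in Python. This is not the NBOS, BTS or HYDRA code of the thesis: the 60 s export window, the /24 segment size, the pps thresholds, the spoofing heuristic, the OpenFlow-style rule dictionary and the sample flow records are all assumptions made here for illustration.

```python
"""UDP-flood detection over IP flow records at single-host and /24-segment
granularity, with evidence features and an OpenFlow-style drop rule.

Added example; not the thesis's NBOS/BTS/HYDRA code. Window, thresholds,
segment size, spoofing heuristic and sample flows are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

UDP, TCP = 17, 6
WINDOW_S = 60          # assumed flow-export interval
HOST_PPS = 500         # assumed per-host intensity threshold
SEGMENT_PPS = 600      # assumed per-segment intensity threshold
SEGMENT_PREFIX = 24    # assumed "network segment" size


@dataclass(frozen=True)
class Flow:
    src: str      # source address
    dst: str      # destination address
    proto: int    # IP protocol number
    dport: int    # destination port
    packets: int
    octets: int


def make_sample_flows():
    """Constructed flows for one export interval (not real data)."""
    flows, base = [], ipaddress.IPv4Address("198.18.0.0")
    # Scenario A: 3000 spoofed sources, 20 small packets each, at 10.0.1.5:53
    for i in range(3000):
        flows.append(Flow(str(base + i), "10.0.1.5", UDP, 53, 20, 20 * 60))
    # Scenario B: 100 hosts in 10.0.2.0/24, each well below the host
    # threshold, but the segment as a whole above the segment threshold
    for h in range(100):
        for i in range(50):
            src = str(base + 10000 + h * 50 + i)
            flows.append(Flow(src, f"10.0.2.{h + 1}", UDP, 123, 10, 10 * 76))
    # Benign traffic: a DNS exchange and a TCP session
    flows.append(Flow("192.0.2.10", "10.0.1.7", UDP, 53, 40, 40 * 300))
    flows.append(Flow("192.0.2.11", "10.0.3.9", TCP, 443, 5000, 5000 * 1200))
    return flows


def segment_of(addr):
    return str(ipaddress.ip_network(f"{addr}/{SEGMENT_PREFIX}", strict=False))


def make_alert(kind, target, fl, pps):
    """Attach the evidence a reviewer needs to judge the alert's authenticity."""
    packets = sum(f.packets for f in fl)
    octets = sum(f.octets for f in fl)
    sources = {f.src for f in fl}
    ports = Counter()
    for f in fl:
        ports[f.dport] += f.packets
    top_port, top_pkts = ports.most_common(1)[0]
    per_src = packets / len(sources)
    return {
        "kind": kind, "target": target, "pps": round(pps, 1),
        "distinct_sources": len(sources),
        "packets_per_source": round(per_src, 1),
        "mean_packet_len": round(octets / packets, 1),
        # one port carrying >= 90 % of packets is worth matching on
        "top_port": top_port if top_pkts / packets >= 0.9 else None,
        # crude spoofing indicator (assumed heuristic): many sources, few packets each
        "spoofing_suspected": len(sources) >= 1000 and per_src <= 50,
    }


def detect_udp_flood(flows, window_s=WINDOW_S, host_pps=HOST_PPS, segment_pps=SEGMENT_PPS):
    by_host = defaultdict(list)
    for f in flows:
        if f.proto == UDP:
            by_host[f.dst].append(f)
    alerts, flagged = [], set()
    for dst, fl in by_host.items():                 # single-host pass
        pps = sum(f.packets for f in fl) / window_s
        if pps >= host_pps:
            alerts.append(make_alert("host", dst, fl, pps))
            flagged.add(dst)
    by_seg = defaultdict(list)
    for dst, fl in by_host.items():                 # segment pass on residual traffic
        if dst not in flagged:
            by_seg[segment_of(dst)].extend(fl)
    for seg, fl in by_seg.items():
        pps = sum(f.packets for f in fl) / window_s
        if pps >= segment_pps:
            alerts.append(make_alert("segment", seg, fl, pps))
    return alerts


def drop_rule(alert, priority=1000):
    """OpenFlow-1.3-style match fields; an empty action list means drop."""
    target = alert["target"]
    match = {"eth_type": 0x0800, "ip_proto": UDP,
             "ipv4_dst": target if "/" in target else f"{target}/32"}
    if alert["top_port"] is not None:
        match["udp_dst"] = alert["top_port"]
    return {"priority": priority, "match": match, "actions": []}


if __name__ == "__main__":
    for a in detect_udp_flood(make_sample_flows()):
        print(a)
        print(drop_rule(a))
```

The segment pass is run on the traffic that remains after hosts already flagged are removed, so a flood concentrated on one host does not also raise a redundant segment alert, while a flood spread thinly across a /24 is still caught. In a real deployment the thresholds would be calibrated from a traffic baseline per network rather than fixed as here, and the evidence fields (source diversity, packets per source, mean packet length) are the kind of features the thesis uses to judge whether a detected attack is genuine before a rule is pushed to the controller.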
Keywords/Search Tags: IP flows, DDoS Attack Detection, DDoS Attack Response, Botnet, SDN