
Design And Implementation Of A High Performance Anti-DDoS System Based On DPDK

Posted on: 2019-03-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Yang
GTID: 2428330545465569
Subject: Electronic and communication engineering
Abstract/Summary:
The rapid development of network technology has brought great convenience to society and to people's lives, but at the same time the number and scale of DDoS attacks have expanded rapidly, and traditional DDoS defense strategies are increasingly unable to deal with them effectively. Through analysis, this dissertation finds that current DDoS attacks are characterized by large traffic volume, tidal behavior, diversity and universality. On this basis, the dissertation surveys the state of domestic and foreign research in four areas: common DDoS attack defense methods, flow cleaning technology, packet processing technology, and the deployment of DDoS attack defense systems. It then proposes a high performance Anti-DDoS system based on DPDK. The main work and innovations of this dissertation cover the following four aspects:

(1) In view of the current DDoS attack situation, a high performance Anti-DDoS system based on DPDK is proposed. It mainly includes three modules: a packet detection module, a flow cleaning module and a management center module. The packet detection module detects traffic on the network link. If a DDoS attack is found, it reports to the management center module by means of an alarm log. When the management center module receives the alarm log, it sends a flow cleaning instruction to the flow cleaning module. The flow cleaning module diverts the traffic from the link, carries out a series of flow cleaning and filtering operations, and finally reinjects the traffic into the original link.

(2) In the packet detection module, this dissertation applies DPDK's fast packet processing to the packet capture process and extends the DPDK packet capture program with packet recognition, classification and throughput calculation. Throughput is measured in real time, and alarm information is reported to the management center when the throughput exceeds the defense threshold. The test results show that packet loss rate and delay are greatly improved by using DPDK compared with traditional methods.

(3) In the flow cleaning module, this dissertation uses four main steps to filter attack packets: feature filtering, false source authentication, blacklist filtering and intelligent speed limiting. As in the detection module, the diverted packets are captured with DPDK, and the packet capture program is extended with the flow cleaning process. In the feature filtering step, the dissertation proposes filtering UDP reflection amplification attacks initiated from specific ports by parsing packets and using the characteristics of the source port field. In the false source authentication step, an improved Counting Bloom Filter algorithm called HCBF (High-Performance Counting Bloom Filter) is proposed to identify legitimate source addresses and filter DDoS attacks initiated from forged source addresses. The test results show that the HCBF algorithm greatly improves the false negative rate and false positive rate compared with the traditional false source address recognition algorithm.

(4) Because a single Anti-DDoS system at the attacked end has difficulty coping with current large-traffic DDoS attacks, the dissertation proposes deploying the packet detection and flow cleaning modules of this system on the backbone network nodes of all provinces nationwide, managed by a unified management center module, to achieve distributed defense near the source of the DDoS attack, enhance defense performance and reduce the pressure on the defense system at the attacked end.
Keywords/Search Tags: DDoS attack defense, Flow cleaning, DPDK, Characteristic filtering, Counting Bloom Filter, Near source cleaning