
The Research On Detection Of Application-layer DDoS Attacks

Posted on: 2019-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
GTID: 2428330566999363
Subject: Computer technology
Abstract/Summary:
With the rapid development of modern network information technology, and driven by economic interests, some attackers launch attacks to achieve their own goals. Among these, attacks against application-layer protocols (HTTP, DNS) are the most prominent. To protect the legitimate interests of normal users and keep the network environment clean, research on network security is urgent. This paper proposes a detection method for DDoS attacks based on the HTTP protocol and on the DNS protocol, respectively. It first studies and summarizes the relevant background knowledge, including the characteristics of the HTTP and DNS protocols and the principles and features of DDoS attacks based on them, and describes the typical DDoS attacks based on each of the two protocols. Existing DDoS attack detection methods based on these two protocols are studied and classified, and their respective advantages and disadvantages are summarized.

Existing HTTP-based DDoS attack detection methods generally suffer from low precision, high complexity, and difficulty in distinguishing Flash Events. This paper presents a new DDoS attack detection method based on the new information theory, using a new set of information-theoretic indicators, ?-entropy and ? difference metrics, to detect application-layer DDoS attacks and burst-flow events. The proposed metric is highly sensitive to small changes in network traffic and is more effective than the existing generalized entropy and generalized information difference metrics. The experimental results show that this method is highly sensitive and convergent, and can detect DDoS attacks efficiently and distinguish the burst flow.

To address the drawbacks of existing DNS-based DDoS attack detection methods, namely single use and poor real-time performance, this paper also presents a method for detecting and filtering DNS attacks, which analyzes and selects the characteristics present when DNS attacks occur. The data amount in a unit time is used as a calculation term, and the k-means++ algorithm is used to perform cluster analysis to determine whether an attack occurs. Hop-count information is used to filter out the attack traffic to the victim. Experiments show that this method can effectively detect DNS amplification attacks with high accuracy and real-time performance, and can effectively filter out illicit traffic and reduce victim damage.
Keywords/Search Tags: application layer DDoS, HTTP protocol, DNS protocol, new information theory, K-means++, attack detection, filter