
Research On Detection And Response Technology Of UDP Reflection Attack

Posted on: 2019-11-24
Degree: Master
Type: Thesis
Country: China
Candidate: W F Zhou
GTID: 2428330596460893
Subject: Computer Science and Technology
Abstract/Summary:

DDoS attacks are among the most serious threats to the Internet today. In recent years, UDP reflection attacks have become a major component of DDoS attacks on the Internet and have seriously disrupted its normal operation. The research in this paper focuses on the detection, evaluation and response to UDP reflection attacks.

For detection, the paper concentrates on the amplifiers on the Internet that take part in reflection attacks, based on two facts: the amplifiers and the traffic amplification they perform are the main source of damage, and the amplifiers in a UDP reflection attack use real addresses. The paper first analyzes the characteristics of UDP reflection attack protocols and introduces the latest 18 service protocols with the potential for reflection attacks. It then analyzes in detail the principles of CharGen, DNS, NTP, SNMP and SSDP reflection attacks, which are the protocols among those 18 that have actually been used in reflection attacks on the Internet. An adaptive amplifier positioning detection system is designed and implemented on the basis of constructing the request packets used in a reflection attack. The system currently implements positioning detection for CharGen, DNS, TFTP, NTP, SNMP and SSDP, and supports adding detection for further amplifier types in an incremental manner.

Using the adaptive amplifier positioning detection system, the paper confirms experimentally that there is no TFTP reflection attack in the managed network (the CERNET Nanjing master node network). The experiment first uses the packet collection system deployed at the border of the managed network to obtain the TFTP request packets flowing into the network. Statistical analysis then yields the possible TFTP servers in the managed network and the file name parameters used with each of them. Finally, the amplifier positioning detection system performs further positioning detection on these possible TFTP servers. The test result shows that there was no TFTP amplifier inside the managed network during the detection period.

Based on the same detection system, the paper also establishes an amplifier library for CERNET with the support of NBOS, a flow-based network management system. The paper then proposes a method for evaluating amplifiers based on analysis of BAF statistical characteristics and stability characteristics, and divides amplifiers into three levels (minor, attention and serious) to support a hierarchical response to them.

For response, the paper designs and implements an SDN-based UDP reflection attack response system, focusing on how to use SDN technology to respond to NTP and DNS reflection attacks. Measurements taken with the support of HYDRA, an SDN system deployed at the boundary of the managed network, indicate that this method can effectively respond to UDP reflection attacks. This result shows that SDN-based technology can effectively control UDP reflection attacks.
Keywords/Search Tags:DDOS attack detection, UDP amplifier, UDP reflection attack response, BAF, SDN