
Research On DDoS Attack And Defense Technology For WEB Server

Posted on: 2020-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: H Ren
Full Text: PDF
GTID: 2428330602468348
Subject: Electronic and communication engineering

Abstract/Summary:
In recent years, Distributed Denial of Service (DDoS) attacks on Web servers have become increasingly frequent. A website under attack is unable to provide services, which causes a huge loss of resources and money. DDoS attacks on Web servers are application-level DDoS attacks: after a TCP connection is established between the attacker and the target, the attack is launched using a real source IP address. The attackers imitate the access behavior of normal users. This attack mode is highly concealed and shows no abnormality at the traffic level, and it closely resembles a Flash Crowd, so it is difficult to distinguish normal users from illegal users, and detecting DDoS attacks on Web servers is extremely difficult. Therefore, to ensure the security of Web servers and the availability of their services, defending against DDoS attacks on Web servers becomes particularly essential.

First, the principle and modes of Web server DDoS attacks are analyzed, and user access behavior and attacker attack behavior are studied in depth. The trend of a user's access path is controlled by the user's access behavior, and access with attack behavior differs greatly from normal user access: when the Web server is under DDoS attack, abnormal access behavior stands out. Therefore, by extracting the characteristic factors of abnormal user behavior, Web server DDoS attacks can be effectively identified. At the same time, to accurately determine whether user access behavior is abnormal at each time node of the access process, the length of the Web access path and the sequence of path nodes are analyzed, and the real-time outlier values during user access are comprehensively calculated.

Then, this paper proposes an attack detection and defense model based on the Web access path (WAP). It is composed of a data acquisition module, an anomaly detection module and a defense module. The core module is Web access path anomaly detection. The anomaly detection module examines the user access process from five different perspectives: request path suspicion, request distribution suspicion, path loop suspicion, behavior gap suspicion and path length suspicion. It calculates the normal values of legitimate users visiting the website and the degree to which the abnormal values of users with attack behavior deviate from them, and on this basis determines whether a DDoS attack is taking place. When a DDoS attack is determined, the defense module records the identity information of the abnormal user and, according to the magnitude of the user's illegal value, applies the corresponding defense strategy to restrict the access of users with attack behavior, thereby defending against the DDoS attack.

Finally, a real log data set is used as the training set, and five different types of application-layer DDoS attacks are launched against the experimental website. The experimental results show that the attack detection and defense model based on the Web access path can identify attacks in a short time, take effective defense measures to resist them, and reduce the occurrence of misjudgment.
Keywords/Search Tags:WEB Service, Distributed denial of service attacks, Access path, Attack behaviors, Anomaly detection
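
An added example, not code from the thesis: the abstract names five suspicion measures but does not define them, so the definitions used here for three of them (request path, path loop, path length) are assumptions, as are all function names and the constructed sample sessions. It trains a baseline on normal sessions and reports which measures a new session exceeds.

```python
import math
from collections import Counter, defaultdict

def train(sessions):
    """Learn transition counts and path-length statistics from normal sessions."""
    trans = defaultdict(Counter)
    for s in sessions:
        for a, b in zip(["<start>"] + s, s):
            trans[a][b] += 1
    lengths = [len(s) for s in sessions]
    mean = sum(lengths) / len(lengths)
    std = math.sqrt(sum((n - mean) ** 2 for n in lengths) / len(lengths)) or 1.0
    vocab = len({p for s in sessions for p in s}) + 1  # +1 for unseen pages
    model = {"trans": trans, "mean": mean, "std": std, "vocab": vocab}
    # Baseline: the highest value each measure reaches on normal traffic.
    scores = [score(model, s) for s in sessions]
    model["limit"] = {k: max(sc[k] for sc in scores) for k in scores[0]}
    return model

def score(model, path):
    """Return three suspicion values for one session's ordered request path."""
    if not path:
        return {"path": 0.0, "loop": 0.0, "length": 0.0}
    nll = 0.0
    for a, b in zip(["<start>"] + path, path):
        row = model["trans"].get(a, Counter())
        # Add-one smoothing keeps unseen transitions finite but expensive.
        nll -= math.log((row[b] + 1) / (sum(row.values()) + model["vocab"]))
    return {
        "path": nll / len(path),                 # unlikely page order
        "loop": 1 - len(set(path)) / len(path),  # share of repeat visits
        "length": abs(len(path) - model["mean"]) / model["std"],  # z-score
    }

def flagged(model, path):
    """Names of the measures on which a session exceeds the normal baseline."""
    s = score(model, path)
    return sorted(k for k in s if s[k] > model["limit"][k])

# Constructed sample sessions (assumed URLs, not data from the thesis).
NORMAL = [
    ["/", "/products", "/products/42", "/cart"],
    ["/", "/search", "/products/42", "/cart", "/checkout"],
    ["/", "/products", "/products/7"],
    ["/", "/about"],
]
FLOOD = ["/search"] * 30  # one client repeating a single expensive page
MODEL = train(NORMAL)
```

With a baseline this small any revisit exceeds the loop limit; a real training log would give each measure a usable spread.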