
Detection And Traceback Technique Against DDoS Attack

Posted on: 2022-07-25
Degree: Master
Type: Thesis
Country: China
Candidate: N Yin
Full Text: PDF
GTID: 2518306740494394
Subject: Cyberspace security

Abstract/Summary:
With the continuous development of the Internet, people's lives have long been inseparable from it. While the Internet brings convenience to our lives, it also brings many potential threats and problems that need our attention. Among these attacks, the DDoS attack is the most common and the most intractable. A DDoS attack takes advantage of weaknesses in TCP/IP: it sends a large number of packets with spoofed source addresses, which consume many of the victim's resources, so the victim can no longer provide normal service. At present, there is no effective defense that solves the DDoS problem fundamentally. By analyzing the existing defense technologies, this thesis proposes to build a defense system against DDoS attacks based on source address validation and IP traceback. Source address validation can detect and filter the attack packets with spoofed source addresses used in DDoS attacks, and IP traceback can track the detected packets back to their origin, in order to limit and prevent future attacks. This thesis carries out research on these two techniques, and the specific work is as follows:

First, this thesis proposes a single-packet traceback algorithm, MTA, based on MPLS. Building on the MPLS label forwarding technique, the thesis designs a trace label. When a packet is forwarded in an MPLS network, it carries not only a forwarding label but also a trace label, calculated from the label carried at the previous hop and the ingress interface. Moreover, because a message authentication code computed with DES accompanies the label, attackers cannot tamper with the trace label to mislead the traceback. A packet carrying the trace label and the message authentication code supports single-packet traceback and accurately locates the original router through which the attacker entered the network. The simulation results show that the MTA algorithm has high accuracy at low cost.

Second, a source address validation algorithm, LVA, based on the LDP protocol is proposed. The LVA algorithm uses the ingress interface and the hop count as the factors for validating a source address, and LDP builds the address-interface-hop-count table in advance. With the help of LDP, each router can accurately and easily compute the relationship between a source address and its corresponding interface and hop count, which is not so easy in some other algorithms; this improves accuracy and reduces the misjudgment rate. In addition, based on a division of roles among network areas and routers, the thesis chooses appropriate locations at which to deploy LVA. The simulation experiments show that the LVA algorithm achieves a low false negative rate at low deployment rates, produces no false positives, and supports dynamic updates.

Finally, this thesis designs a DDoS defense system based on MTA and LVA. The system has three modules: a source address validation module, a label switching module and a controller module. It can detect, trace and warn of DDoS attacks. The experiments show that the system achieves the expected functions and has a good defensive effect against DDoS attacks...
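The following is an added toy model, written for this page and not taken from the thesis, of the two mechanisms the abstract describes: the MTA trace-label chain (each router derives a new trace label from the previous hop's label and the ingress interface, records the mapping locally, and authenticates the label with a MAC) and the LVA check (a router verifies that a source prefix arrives on the expected interface with the expected hop count). Everything concrete here is an assumption of the example: the label mixing function, a three-router chain A-B-C with constructed interface numbers and prefixes, an initial TTL of 64 used to infer hop count, and HMAC-SHA256 truncated to 8 bytes standing in for the thesis's DES-based MAC so the code runs with the standard library alone.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed demo key (assumption). The thesis uses a DES-based MAC; HMAC-SHA256
# truncated to 8 bytes stands in for it here.
KEY = b"constructed-demo-key"
LABEL_MASK = 0xFFFFF  # MPLS labels are 20 bits wide


def trace_label(prev_label: int, ingress_iface: int) -> int:
    """Derive this hop's trace label from the previous hop's trace label and the
    ingress interface (the two inputs the abstract names). The mixing function
    itself is an assumption of this example, not the thesis's formula."""
    return ((prev_label * 0x9E37) ^ ingress_iface) & LABEL_MASK


def label_mac(label: int) -> bytes:
    """Message authentication code over a trace label (20 bits fit in 3 bytes)."""
    return hmac.new(KEY, label.to_bytes(3, "big"), hashlib.sha256).digest()[:8]


@dataclass
class Packet:
    src: str
    ttl: int
    trace_label: int = 0
    mac: bytes = b""


@dataclass
class Router:
    name: str
    upstream: dict = field(default_factory=dict)     # ingress iface -> upstream Router
    trace_table: dict = field(default_factory=dict)  # trace label -> (prev label, ingress iface)
    lva_table: dict = field(default_factory=dict)    # prefix -> (expected iface, expected hops)

    def validate_source(self, pkt: Packet, ingress_iface: int, initial_ttl: int = 64) -> bool:
        """LVA check: the source prefix must arrive on the interface and with the
        hop count the (LDP-built) table predicts. Unknown prefixes are passed,
        which is what keeps the check free of false positives."""
        net = next((n for n in self.lva_table if ipaddress.ip_address(pkt.src) in n), None)
        if net is None:
            return True
        exp_iface, exp_hops = self.lva_table[net]
        return ingress_iface == exp_iface and initial_ttl - pkt.ttl == exp_hops

    def forward(self, pkt: Packet, ingress_iface: int, edge: bool = False) -> None:
        """MTA forwarding step: verify the incoming trace label's MAC, derive the
        next label, record the mapping locally and stamp the packet."""
        if edge:
            pkt.trace_label, pkt.mac = 0, b""   # edge router ignores any host-supplied label
        elif not hmac.compare_digest(pkt.mac, label_mac(pkt.trace_label)):
            raise ValueError(f"{self.name}: trace label failed MAC check")
        new_label = trace_label(pkt.trace_label, ingress_iface)
        self.trace_table[new_label] = (pkt.trace_label, ingress_iface)
        pkt.trace_label, pkt.mac = new_label, label_mac(new_label)
        pkt.ttl -= 1


def traceback(router: Router, label: int):
    """Single-packet traceback: walk the per-router tables hop by hop back to the
    edge router and the access interface the packet entered on."""
    while True:
        prev_label, iface = router.trace_table[label]
        if router.upstream.get(iface) is None:   # no MPLS neighbor here: access interface
            return router.name, iface
        router, label = router.upstream[iface], prev_label


def build_topology():
    """Constructed chain: host -(iface 1)- A -(iface 2)- B -(iface 3)- C."""
    a = Router("A")
    b = Router("B", upstream={2: a})
    c = Router("C", upstream={3: b})
    c.lva_table[ipaddress.ip_network("10.0.0.0/24")] = (3, 2)  # prefix behind A: 2 hops away
    return a, b, c


def demo():
    a, b, c = build_topology()

    legit = Packet(src="10.0.0.5", ttl=64)           # genuine host behind A
    a.forward(legit, 1, edge=True)
    b.forward(legit, 2)
    legit_ok = c.validate_source(legit, 3)
    c.forward(legit, 3)
    origin = traceback(c, legit.trace_label)

    spoof = Packet(src="10.0.0.5", ttl=64)           # host on B's iface 5 claiming A's prefix
    b.forward(spoof, 5, edge=True)
    spoof_ok = c.validate_source(spoof, 3)            # wrong hop count: rejected
    c.forward(spoof, 3)
    spoof_origin = traceback(c, spoof.trace_label)    # traceback still finds B, iface 5

    tampered = Packet(src="10.0.0.5", ttl=64)
    a.forward(tampered, 1, edge=True)
    tampered.trace_label ^= 1                         # in-flight change without the key
    try:
        b.forward(tampered, 2)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return legit_ok, origin, spoof_ok, spoof_origin, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the MAC must be keyed with a secret shared only among the label-switching routers (the hop-by-hop check in `forward` is what stops a sender from steering the traceback), and the hop-count factor in LVA is only as reliable as the assumed initial TTL, so the table has to be built from the network's own topology data (LDP in the thesis) rather than guessed from traffic.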
Keywords/Search Tags: DDoS, spoofed source address, traceback, source address validation