
Real-Time DDoS Attack Detection And Analysis Based On Online Flow Measurement

Posted on: 2023-02-21
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Hu
Full Text: PDF
GTID: 2568307061950649
Subject: Cyberspace security

Abstract/Summary:
In recent years, with the development of the mobile Internet and data center networks, new network attack methods have emerged one after another. Among them, distributed denial of service (DDoS) brute-force attacks occur most frequently, so DDoS defense systems have become a popular research direction. At the same time, emerging technologies such as software-defined networking (SDN) provide richer flow table monitoring and traffic diversion functions, which in turn drive the evolution of DDoS defense architectures. Based on a survey of current DDoS defense architectures, this paper finds that the core difficulty of DDoS defense is handling massive high-speed traffic: achieving network flow state measurement and abnormal behavior detection at fiber line speed is the core of the defense technology. The traditional method collects high-speed traffic online, randomly downsamples the full packet stream, and load-balances the samples to blade servers for processing and analysis. A random packet sampling rate of several tenths greatly reduces the accuracy and coverage of the subsequent DDoS traffic cleaning. The core of the method proposed in this paper is to offload the network functions of traffic collection and suspicious flow identification to the data forwarding plane of network devices (switches, routers, or collectors), in order to achieve more accurate identification and diversion of DDoS attack traffic. Specifically, the method for identifying suspicious DDoS attack traffic is divided into two stages: coarse-grained identification and fine-grained identification. The coarse-grained stage exploits the strong aggregation of DDoS attack traffic at the attack target to find suspicious attack targets among numerous network objects; the fine-grained stage then identifies suspicious attack sources within the traffic related to that target. Finally, the traffic between the suspicious attack sources and the attack target is directed to a dedicated DDoS cleaning device, effectively reducing the load of cleaning traffic.

The main contributions and innovations of this paper are as follows:

(1) For the coarse-grained flow measurement problem, this paper proposes an online network flow cardinality measurement algorithm based on an incremental update unit. Because the query operation of the traditional Virtual Hyper Log Log algorithm has high time complexity, online querying cannot be realized, so this paper improves the hash mapping scheme of the algorithm and introduces an incremental update unit to speed up query operations. As a result, the query time complexity of the algorithm is reduced from the original O(n) level to a constant level. Experimental results show that, while maintaining measurement accuracy, the proposed algorithm has low insertion and query time complexity, which meets the requirements for deployment on the data plane.

(2) For the fine-grained measurement and fine-grained classification problems of flows, this paper proposes an optimized scheme. First, for the fine-grained measurement problem, this paper proposes a design that separates the maintenance and storage of fine-grained information, and improves the Cuckoo filter to obtain an efficient module for maintaining fine-grained flow information, solving the performance problems caused by dynamic memory allocation and reclamation in traditional hash tables. Then, for the fine-grained classification problem, this paper proposes a method that stores classification results using analytical context. The original classification method does not consider incremental updates of flow state information, so there is a problem of repeated calculation. This paper improves the classification scheme: by preprocessing the context before a flow enters classification, it directly outputs the previous classification result for flows with few state updates, thereby reducing unnecessary classification runs and improving decision classification performance. Experiments show that this method has a good acceleration effect.

(4) A network flow measurement and DDoS attack detection system is built on a software-programmable data plane. The system consists of the tcpreplay network packet generator, DPDK development components, and a management front end implemented with Web technology. tcpreplay is responsible for generating attack traffic and background traffic; DPDK implements the network packet I/O part of the online network measurement system; finally, Web technology provides a user-friendly operation interface and realizes data visualization.
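As an added illustration of the coarse-grained stage (not code from the thesis), the HyperLogLog below keeps its estimate incrementally so that a query is constant-time rather than a scan over all registers, and runs one estimator per destination to flag targets with an unusually large number of distinct sources. The hash function, precision p=10, the 1000-source threshold and the sample flows are assumptions made for the demonstration.

```python
import hashlib
import math


class HLL:
    """HyperLogLog whose count() is O(1): the harmonic sum and the number of
    empty registers are maintained on every insert instead of being recomputed
    over all m registers at query time (a simplified illustration of the thesis's
    incremental update unit, not its vHLL code)."""

    def __init__(self, p=10):
        self.p, self.m = p, 1 << p
        self.reg = [0] * self.m      # register j = max(rank) seen for bucket j
        self.zsum = float(self.m)    # sum of 2^-reg[j]; every register starts at 0
        self.zeros = self.m          # registers still equal to 0
        self.alpha = 0.7213 / (1 + 1.079 / self.m)

    def add(self, item: bytes):
        h = int.from_bytes(hashlib.blake2b(item, digest_size=8).digest(), "big")
        idx = h & (self.m - 1)       # low p bits choose the register
        w = h >> self.p              # remaining 64-p bits give the rank
        rho = (64 - self.p) - w.bit_length() + 1
        old = self.reg[idx]
        if rho > old:                # only a larger rank changes anything
            self.reg[idx] = rho
            self.zsum += 2.0 ** -rho - 2.0 ** -old
            if old == 0:
                self.zeros -= 1

    def count(self) -> float:
        est = self.alpha * self.m * self.m / self.zsum
        if est <= 2.5 * self.m and self.zeros:   # linear-counting correction
            est = self.m * math.log(self.m / self.zeros)
        return est


def suspicious_targets(flows, threshold):
    """Coarse-grained stage: one estimator per destination keyed on distinct
    sources; destinations above `threshold` (a constructed cut-off) are the
    candidate attack targets handed to the fine-grained stage."""
    per_dst = {}
    for src, dst in flows:
        per_dst.setdefault(dst, HLL()).add(src.encode())
    return {dst: h.count() for dst, h in per_dst.items() if h.count() > threshold}


# Constructed sample: 5000 spoofed sources hit 203.0.113.10, while 20 clients
# repeatedly talk to 203.0.113.20 (repeated sources do not inflate the estimate).
FLOWS = [(f"10.0.{i >> 8}.{i & 255}", "203.0.113.10") for i in range(5000)]
FLOWS += [(f"192.168.1.{i}", "203.0.113.20") for i in range(20)] * 3
```

The incremental state (`zsum`, `zeros`) always equals what a full register scan would produce, so the estimate is unchanged while the query cost no longer grows with the register count.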
Keywords/Search Tags: DDoS defense, Cardinality Estimation, Virtual Hyper Log Log, Online network measurement, SDN