As the internet becomes widely used in daily life, security problems will directly affect its future development. Network attacks damage both networks and users. DoS (Denial of Service) attacks have become one of the most common network attack techniques because of characteristics such as wide reach, strong concealment, simplicity, and efficiency. DoS attacks severely degrade the service of networks and host systems. DDoS (Distributed Denial of Service) attacks in particular pose a great threat to the internet, since their concealment and distribution make them difficult to recognize and defend against.

In this thesis, we first describe the status, principles, and methods of DDoS attacks. We then analyze the state of research on DDoS.

Second, we discuss in depth a DDoS detection algorithm based on the self-similar traffic model. The Hurst parameter is the most important variable in this model and can be used to detect a DDoS attack. There are many methods for calculating the Hurst parameter; we adopt the wavelet analysis method, which has become popular in both theory and engineering.

We also describe our response model. It adopts a packet filtering scheme based on a traceback technique, which filters the attack packets marked by routers in order to defend against DDoS attacks.

Building on the research on both detection and response, we finally design a detection-response prototype, which obtains traffic information from the IP packet header, calculates the Hurst parameter, and decides whether the traffic is in a normal state. The reference Hurst parameter is self-adapting, using an approach similar to a digital filter in signal processing. When an attack is detected, the model uses the connection-domain concept to protect the target system. Moreover, the target system can still provide service to legitimate users to some extent even under DoS attack.

In the model, traffic capturing and information extraction are the most efficiency-critical parts. We develop two methods to perform traffic capturing. Traffic information extraction can achieve better performance if certain tricks are used.

Finally, the correctness and validity of the prototype system are verified through experiments using the NS2 emulator and the MIT Lincoln Laboratory DDoS attack datasets. The experimental results show that the prototype system can recognize DDoS attacks effectively.
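
The detection step described above can be sketched as follows. This is an added example, not code from the thesis: the Haar wavelet, the six octaves, the filter constants `alpha` and `threshold`, and the constructed traffic series are all assumptions made for illustration.

```python
import math
import random

def haar_energies(series, levels):
    """Mean squared Haar detail coefficient at octaves 1..levels."""
    approx, energies = list(series), []
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        details = [(a - b) / math.sqrt(2) for a, b in pairs]
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
        energies.append(sum(d * d for d in details) / len(details))
    return energies

def hurst_wavelet(series, levels=6):
    """Estimate H from the least-squares slope of log2(energy) against octave j.
    For a stationary long-range-dependent series the slope is 2H - 1."""
    if len(series) < 2 ** (levels + 1):
        raise ValueError("window too short for the requested number of octaves")
    # Floor the energy so a constant window does not hit log2(0).
    ys = [math.log2(max(e, 1e-12)) for e in haar_energies(series, levels)]
    xs = list(range(1, levels + 1))
    xbar, ybar = sum(xs) / levels, sum(ys) / levels
    num = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    slope = num / sum((x - xbar) ** 2 for x in xs)
    return (slope + 1) / 2

class AdaptiveHurstDetector:
    """Flags a window whose H departs from a reference that tracks normal
    traffic through a first-order low-pass (exponential) filter."""
    def __init__(self, h_ref, alpha=0.1, threshold=0.15):  # hypothetical tuning
        self.h_ref, self.alpha, self.threshold = h_ref, alpha, threshold
    def observe(self, h):
        anomalous = abs(h - self.h_ref) > self.threshold
        if not anomalous:  # attack windows must not drag the reference along
            self.h_ref = (1 - self.alpha) * self.h_ref + self.alpha * h
        return anomalous

def constructed_counts(n, seed, phi=0.0):
    """Constructed packets-per-interval series: AR(1) noise around 100 (phi=0 is uncorrelated)."""
    rng, x, out = random.Random(seed), 0.0, []
    for _ in range(n):
        x = phi * x + rng.gauss(0, 1)
        out.append(100 + x)
    return out

if __name__ == "__main__":
    detector = AdaptiveHurstDetector(h_ref=0.5)
    for phi in (0.0, 0.0, 0.9):
        h = hurst_wavelet(constructed_counts(4096, seed=7, phi=phi))
        print(f"phi={phi} H_est={h:.2f} anomalous={detector.observe(h)}")
```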