Distributed Denial of Service (DDoS) attacks are an important threat to the Internet, so the detection and defense of DDoS attacks are of great significance. Existing per-flow DDoS detection methods are difficult to apply to the backbone network because of their excessive resource consumption. In addition, existing detection methods do not take into account the asymmetric routing that is widespread in the backbone network, which results in a high false positive rate in practical applications. Fine-grained DDoS detection helps network administrators make more targeted decisions and is therefore of great significance to DDoS defense; however, existing detection methods lack fine-grained identification of DDoS attacks. In terms of defending against DDoS attacks, passive DDoS defense mainly adopts two methods: traffic filtering and traffic scrubbing. The former discards all traffic to the server and causes indirect service failure, while the latter redirects traffic to a third-party scrubbing center, thereby introducing more delay and affecting user experience. Active DDoS defense can use the SDN-based end hopping method, but this method cannot provide targeted and immediate defense capabilities because it lacks awareness of DDoS attacks.

Aiming at the above problems, this paper proposes a DDoS attack detection method for backbone network scenarios with a low false positive rate, high detection accuracy, and fine-grained attack identification. In terms of DDoS attack defense, a DDoS attack defense method combining active and passive hopping is proposed: it provides DDoS active defense based on active hopping when there is no DDoS alarm event, provides DDoS passive defense based on real-time passive hopping when a DDoS alarm event is received, and thereby realizes continuous DDoS defense. Specifically, this paper mainly includes the following research contents:

(1) A sketch-based DDoS attack detection method for the backbone network is proposed. This method uses traffic sampling to reduce the number of processed packets, fully considers the difference between DDoS attack flows and normal unidirectional flows under asymmetric routing when selecting features, designs a double composite structure sketch to achieve efficient and fast feature extraction, and finally adopts two-stage detection to realize detection of DDoS flooding attacks and fine-grained identification of attack types. Experiments using public backbone datasets show that the method can detect 9 types of DDoS attacks with over 98.0% precision and recall within 15 seconds at a sampling rate of 1/2048. In addition, experimental comparison with three other detection methods shows that this method detects DDoS attacks with a lower false alarm rate and a shorter alarm time in asymmetric routing scenarios.

(2) A DDoS attack defense method based on software-defined port and address hopping is proposed. On the basis of SDN-based end hopping for DDoS active defense, and to address the DDoS attack problem that may be caused by the SDN controller checking the validity of each packet's port and address, the inspection function is delegated to the OpenFlow switch. The DDoS alarm event is introduced as a trigger condition for passive port and address hopping, which adds DDoS awareness to the defense and provides targeted and immediate passive defense for protected services. In addition, the DNS-over-HTTPS (DoH) protocol is used to encrypt the transmission of the legitimate port and address to users, preventing a man-in-the-middle from intercepting or tampering with them. Experiments and analysis show that when the port and address hopping interval is less than 1 second, the attacker needs to conduct at least 2.43 million probing attempts to achieve a successful DDoS attack. Therefore, this method can realize active defense against DDoS attacks. When an attacker successfully initiates a DDoS attack, this method can complete DDoS awareness and passive terminal address hopping within 1 second to achieve passive defense against DDoS attacks.

(3) Based on the above two methods, a DDoS attack detection and defense prototype system for the backbone network is designed and implemented. The system includes a DDoS attack detection module, a DDoS attack defense module, and an interface display module. It can perform fine-grained detection of DDoS traffic in the network and, by generating DDoS alarm events, guide the DDoS defense module to implement port and address hopping to avoid attacks in time. The experimental results demonstrate the effectiveness of the method.
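The following is an added illustration of the detection pipeline sketched in contribution (1), written for this page and not taken from the thesis: packets sampled at 1/2048 are fed into fixed-memory count-min sketches keyed per destination, a first stage raises an alarm when the scaled-up packet rate of a destination exceeds a threshold, and a second stage labels the attack type from the per-protocol composition. The thesis's double composite sketch, its actual features and its thresholds are not given in the abstract, so the feature choice, sketch geometry, threshold and the constructed 15-second sample below are assumptions made for illustration only.

```python
"""Illustrative sketch-based, two-stage DDoS detector over sampled packets.

Added example, not the thesis's code. The feature choice (per-destination
packet rate, per-protocol composition), the sketch geometry and the
threshold are assumptions made for illustration only.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

SAMPLING_RATE = 1 / 2048   # sampling rate quoted in the abstract
WIDTH, DEPTH = 1024, 4     # count-min sketch geometry (assumed)


def _bucket(key: str, row: int) -> int:
    """Independent hash per sketch row, derived from one keyed digest."""
    h = hashlib.blake2b(f"{row}:{key}".encode(), digest_size=8).digest()
    return int.from_bytes(h, "big") % WIDTH


class CountMinSketch:
    """Fixed-size counter table: memory does not grow with the number of
    flows, which is what makes per-destination counting feasible on a
    backbone link where per-flow state would be prohibitive."""

    def __init__(self) -> None:
        self.table = [[0] * WIDTH for _ in range(DEPTH)]

    def add(self, key: str, n: int = 1) -> None:
        for row in range(DEPTH):
            self.table[row][_bucket(key, row)] += n

    def estimate(self, key: str) -> int:
        # Count-min never underestimates; the minimum over rows limits the
        # overestimate caused by hash collisions.
        return min(self.table[row][_bucket(key, row)] for row in range(DEPTH))


@dataclass
class SampledPacket:
    dst: str
    proto: str  # "SYN", "ACK", "UDP" or "ICMP" (constructed labels)


class TwoStageDetector:
    """Stage 1: per-destination packet rate, scaled up by the sampling rate,
    is compared against a threshold. Stage 2: per-destination, per-protocol
    counters label the dominant traffic type of a flagged destination."""

    ATTACK_TYPES = ("SYN", "UDP", "ICMP")

    def __init__(self, pps_threshold: int) -> None:
        self.pps_threshold = pps_threshold
        self.by_dst = CountMinSketch()
        self.by_dst_proto = CountMinSketch()
        # Candidate destinations queried in stage 1. A real system keeps a
        # bounded heavy-hitter list; a plain set is used here for clarity.
        self.candidates: set[str] = set()

    def observe(self, pkt: SampledPacket) -> None:
        self.by_dst.add(pkt.dst)
        self.by_dst_proto.add(f"{pkt.dst}|{pkt.proto}")
        self.candidates.add(pkt.dst)

    def alarms(self, window_s: float) -> dict[str, tuple[str, int]]:
        """Return {destination: (attack label, estimated packets/s)}."""
        out = {}
        for dst in self.candidates:
            est_pps = self.by_dst.estimate(dst) / SAMPLING_RATE / window_s
            if est_pps < self.pps_threshold:
                continue  # stage 1: not a flood, no alarm
            # stage 2: fine-grained label from per-protocol composition
            dominant = max(self.ATTACK_TYPES,
                           key=lambda p: self.by_dst_proto.estimate(f"{dst}|{p}"))
            out[dst] = (f"{dominant} flood", int(est_pps))
        return out


def constructed_sample() -> list[SampledPacket]:
    """Constructed 15 s window of sampled packets (not real data).

    10.0.0.5 is a normal server whose flow is seen in one direction only, as
    happens under asymmetric routing: about 5 000 pps, so roughly 37 samples
    survive 1/2048 sampling. 10.0.0.9 receives a SYN flood of about
    1 000 000 pps with some UDP mixed in, so roughly 7 324 samples survive.
    """
    pkts = [SampledPacket("10.0.0.5", "ACK") for _ in range(37)]
    pkts += [SampledPacket("10.0.0.9", "SYN") for _ in range(7000)]
    pkts += [SampledPacket("10.0.0.9", "UDP") for _ in range(324)]
    return pkts


def run_detection(window_s: float = 15.0, pps_threshold: int = 100_000):
    det = TwoStageDetector(pps_threshold)
    for pkt in constructed_sample():
        det.observe(pkt)
    return det.alarms(window_s)


if __name__ == "__main__":
    print(run_detection())  # → {'10.0.0.9': ('SYN flood', 999970)}
```

The point of the constructed sample is the asymmetric-routing case: the one-directional flow to 10.0.0.5 is not flagged, because the decision rests on per-destination volume rather than on whether both directions of the flow are visible, whereas the flood to 10.0.0.9 is flagged and labelled in the second stage. In a deployment the candidate set would be replaced by a bounded heavy-hitter structure so that memory stays constant, which is the property that makes the sketch approach viable on backbone links.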
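As a second added illustration, this time for the hopping mechanism of contribution (2), the block below models the state a switch would need to validate a packet's destination port and address against a time-slotted hopping sequence, and shows how a DDoS alarm event triggers an immediate passive hop. This is example code written for this page, not the thesis's implementation: the abstract does not state how the hopping sequence is derived, so the HMAC-based derivation, the one-slot tolerance for clock skew, the revocation rule and the constructed secret and address pool are assumptions chosen for illustration.

```python
"""Illustrative time-slotted port/address hopping with switch-side validation.

Added example, not the thesis's code. The HMAC-based derivation, the
one-slot tolerance for clock skew and the revocation rule are assumptions
chosen for illustration.
"""
from __future__ import annotations

import hashlib
import hmac


def endpoint_for_slot(secret: bytes, service_id: str, slot: int,
                      addr_pool: list[str], port_lo: int = 10000,
                      port_hi: int = 60000) -> tuple[str, int]:
    """Pseudo-randomly pick (address, port) for a time slot. Only holders of
    the shared secret can compute the sequence; an observer sees a moving
    target."""
    msg = f"{service_id}:{slot}".encode()
    d = hmac.new(secret, msg, hashlib.sha256).digest()
    port = port_lo + int.from_bytes(d[:4], "big") % (port_hi - port_lo)
    addr = addr_pool[int.from_bytes(d[4:8], "big") % len(addr_pool)]
    return addr, port


class HoppingService:
    """Models the state the switch needs to validate incoming packets."""

    def __init__(self, secret: bytes, service_id: str,
                 addr_pool: list[str], interval_s: float = 1.0) -> None:
        self.secret = secret
        self.service_id = service_id
        self.addr_pool = addr_pool
        self.interval_s = interval_s
        self.epoch_offset = 0              # bumped by each passive hop
        self.revoked_slots: set[int] = set()

    def slot(self, t: float) -> int:
        return int(t // self.interval_s) + self.epoch_offset

    def current(self, t: float) -> tuple[str, int]:
        """Active hopping: the endpoint advances every interval on its own."""
        return endpoint_for_slot(self.secret, self.service_id,
                                 self.slot(t), self.addr_pool)

    def passive_hop(self, t: float) -> None:
        """Triggered by a DDoS alarm event: abandon the slot under attack
        immediately instead of waiting for the interval to expire."""
        self.revoked_slots.add(self.slot(t))
        self.epoch_offset += 1

    def accepts(self, t: float, dst_addr: str, dst_port: int) -> bool:
        """Switch-side check: a packet is valid if its (address, port) matches
        the current slot or the previous one (clock skew), unless that slot
        was revoked by an alarm."""
        for s in (self.slot(t), self.slot(t) - 1):
            if s in self.revoked_slots:
                continue
            if (dst_addr, dst_port) == endpoint_for_slot(
                    self.secret, self.service_id, s, self.addr_pool):
                return True
        return False


def demo() -> dict[str, bool]:
    """Constructed scenario: a 1 s hopping interval, one alarm mid-slot."""
    svc = HoppingService(b"constructed-shared-secret", "web",
                         ["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    addr, port = svc.current(100.0)
    results = {
        "same_slot": svc.accepts(100.7, addr, port),
        "next_slot_tolerated": svc.accepts(101.2, addr, port),
        "stale_rejected": svc.accepts(102.5, addr, port),
    }
    addr2, port2 = svc.current(200.0)
    svc.passive_hop(200.3)   # DDoS alarm event arrives mid-slot
    results["revoked_after_alarm"] = svc.accepts(200.4, addr2, port2)
    return results


if __name__ == "__main__":
    print(demo())
```

A passive hop permanently shifts the slot sequence through the epoch offset, so legitimate clients must learn the new endpoint through the out-of-band channel (the abstract uses DoH for this) rather than by computing the next slot themselves; the switch, holding only the sequence state, can reject traffic for the revoked slot without involving the controller, which is the delegation the abstract describes.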