Title: A Source-end Defense System against DDoS Attacks
Authors: 謝瑞庭
Jui-Ting Hsieh
謝續平
陳昌居
Shiuh-pyng Shieh
Chan-Jiu Chen
Institute of Computer Science and Engineering
Keywords: DDoS; congestion; distribution; continuity; source network
Issue Date: 2002
Abstract: Distributed denial-of-service (DDoS) attacks have recently emerged as a threat to the stability of the Internet. In the last few years, many approaches have been proposed to prevent DDoS attacks. However, these approaches either have a high false alarm rate or respond poorly. To address both issues, we propose a source-end DDoS defense system that offers high detection accuracy and an effective response system to prevent attack traffic from being forwarded to the victim. The detection scheme determines the degree of a DDoS attack based on distribution, congestion, and continuity. Subsequently, the response scheme limits the allowed bandwidth of attack traffic in proportion to its behavior. Moreover, it can efficiently recover the limited rate if the flow becomes compliant. According to our simulation, the test results validate that our performance is better than that of existing schemes.
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT910392032
http://hdl.handle.net/11536/70103
Appears in Collections: Thesis