利用入侵检测技术防范DDoS

分布式拒绝服务攻击(DDoS)由多宿主机发动,是目前常见的网络攻击中比较严重的一种,难于检测和跟踪。为此,阐述了DDoS的攻击方式的体系结构,并较为详细地分析了DDoS的机理并给出了攻击实例,概述了入侵检测技术的概念,提出了利用入侵检测技术防范DDoS攻击的一种尝试。设计一个针对DDoS的入侵检测方案,该方案检测通过路由器的数据包的流量判断是否异常。如果发现数据包的异常发送,则发出受攻击信号。本方案由3部分组成:包分类,获取原始的网络流量统计;流量离散函数,计算网络数据包的发送特性;基于变异的检测,在当前流量远远偏离历史上的正常变化范围时做出反应。

Defense of DDoS by Using Intrusion Detection Technology

Distributed denial of service (DDoS) performed by multiple hosts is one of the most serious problems in computer and network security, it difficult to detecte and trace. First, the system construction of the DDoS attack model was described, and the principles of DDoS attack were deeply analyzed. Then the example of DDoS attack case was presented. Second, the concepts of intrusion detection technology were summarized. At the last, some models of detection DDoS attack and some technical methods based on intrusion detection to prevent the DDoS from attacking were provided. A network intrusion detection scheme was proposed, which focused on detecting DDoS attacks. The proposed scheme detected if packets passing routers were found anomaly in traffic distribution, which could generate the attack signature as the anomaly in packet field distributions. The proposed scheme is composed of three stages. Packet classification, which can help classify the packets and get the characteristic of network traffic. Traffic dispersion function, which computes the character of the network packets distribution. Variance-based anomaly detection, the network traffic is treated as anomalistic if the variance of statistics exceeds the threshold decided by previous statistics.