The Research on DDoS Defense Methods Based on Autonomous Systems in IPv6 Network

Abstract: Distributed Denial of Service (DDoS) attacks have become one of the most serious security threats to the Internet today. In a DDoS attack, hundreds or thousands of compromised hosts are amassed to send a victim a flood of attack packets that deplete its resources, such as network bandwidth, memory and CPU. As a result, the victim denies its services to legitimate users. With the rapid development of the Internet, these attacks have become more and more harmful. As two typical traceback technologies based on AS (Autonomous Systems), the AS Two Steps Algorithm and the Proxy-based Traceback Technology need to reconstruct attack paths. However, reconstructing attack paths takes a certain amount of time. Besides, they cannot stop DDoS attacks by themselves. Under these circumstances, this paper proposes a novel method of defending against these attacks in real time in IPv6 networks. The method is called the AS Real-time Defense Method. The main contents of this paper are as follows:

1. First of all, the related contents of IPv6 are thoroughly researched. These contents include the advantages of IPv6, the IPv6 packet header and the IPv6 address scheme. In addition, this paper analyzes in detail the principle of DDoS attacks, the classification of these attacks and typical DDoS attack tools. Besides, this paper discusses the development trend of these attacks.

2. The AS Two Steps Algorithm and the Proxy-based Traceback Technology are analyzed in depth. They are able to trace the attack sources in IPv4 networks. However, because the IPv6 packet header has changed greatly, they cannot be applied directly in IPv6 networks. Therefore, this paper improves them under these circumstances. In particular, in the AS Two Steps Algorithm, the AS Two Steps Algorithm Header, which is an extension header, is defined and used to record the 36-bit marking information of the algorithm.
Besides, in the Proxy-based Traceback Technology, when the packet digest is computed, the MD5 algorithm input includes all fields in the basic IPv6 header except the Traffic Class field and the Hop Limit field, the last address in the address list of nodes contained in the Routing header, the Fragment header and the first 160 bits of the payload. Note that when a packet contains the Routing header, the last address in its address list of nodes is included in the MD5 input instead of the destination address in the basic IPv6 header.

3. The AS Real-time Defense Method is proposed. In a word, its working process consists of three steps. In the first step, decision-making criterion trees are created in the autonomous systems in which the victim servers are located. The next step is to inspect the trees continually for DDoS attacks according to Decision-making Criteria 1 and 2; once DDoS attacks are detected, filtering messages are sent. Finally, after receiving the messages, the involved entities start blocking attack traffic near the victims and the attackers in order to protect the victim servers. It is proved by experiment that the method can distinguish attack traffic from normal traffic within a second and then filter illegitimate packets. It can also defend against multiple attack sources effectively. Besides, it can distinguish accurately between attack traffic and heavy legitimate traffic, and determine the attack-originating autonomous systems (even subnets) without reconstructing attack paths…
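The packet-digest rule of the Proxy-based Traceback Technology described in item 2, as an added Python example that is not from the thesis: it walks the IPv6 extension-header chain, hashes the named fields with MD5, and substitutes the last address of the Routing header's node list for the basic-header destination. It assumes the type 0 Routing header layout and that no other Routing-header field enters the digest; the addresses, payload and packets are constructed for the demonstration.

```python
import hashlib
import struct
from ipaddress import IPv6Address

ROUTING_HDR, FRAGMENT_HDR, UDP = 43, 44, 17        # Next Header values (RFC 8200)
EXT_HDRS = {0, 60, ROUTING_HDR, FRAGMENT_HDR}      # Hop-by-Hop, Dest Options, Routing, Fragment

def ipv6_traceback_digest(pkt: bytes) -> bytes:
    """MD5 over the fields named in the thesis; Traffic Class and Hop Limit are omitted."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    ver_flow = struct.unpack("!I", pkt[:4])[0] & 0xF00FFFFF    # keep Version + Flow Label
    payload_len, basic_next = struct.unpack("!HB", pkt[4:7])   # byte 7 (Hop Limit) skipped
    src, dst = pkt[8:24], pkt[24:40]
    frag, off, nh = b"", 40, basic_next
    while nh in EXT_HDRS and off + 8 <= len(pkt):
        if nh == FRAGMENT_HDR:                 # fixed 8-octet header, hashed whole
            frag, nh, off = pkt[off:off + 8], pkt[off], off + 8
            continue
        ext_len = (pkt[off + 1] + 1) * 8       # Hdr Ext Len excludes the first 8 octets
        if nh == ROUTING_HDR and ext_len >= 24:
            dst = pkt[off + ext_len - 16:off + ext_len]   # last listed node replaces dst
        nh, off = pkt[off], off + ext_len
    canonical = (struct.pack("!IHB", ver_flow, payload_len, basic_next)
                 + src + dst + frag + pkt[off:off + 20])  # first 160 bits of payload
    return hashlib.md5(canonical).digest()

def build_ipv6(src, dst, payload, hop_limit=64, tclass=0, route=(), fragment=False):
    """Constructed test packet: basic header plus optional Routing (type 0) and Fragment headers."""
    headers = []
    if route:
        addrs = b"".join(IPv6Address(a).packed for a in route)
        headers.append((ROUTING_HDR, struct.pack("!BBBB", 0, len(addrs) // 8, 0, len(route))
                        + bytes(4) + addrs))
    if fragment:
        headers.append((FRAGMENT_HDR, struct.pack("!BBHI", 0, 0, 0, 0xABCD)))
    nexts = [h[0] for h in headers] + [UDP]    # payload stands in for an opaque UDP datagram
    ext = b"".join(bytes([nexts[i + 1]]) + body[1:] for i, (_, body) in enumerate(headers))
    basic = struct.pack("!IHBB", (6 << 28) | (tclass << 20), len(ext) + len(payload),
                        nexts[0], hop_limit)
    return basic + IPv6Address(src).packed + IPv6Address(dst).packed + ext + payload

if __name__ == "__main__":
    p = build_ipv6("2001:db8::1", "2001:db8::2", b"A" * 40, route=["2001:db8::9"], fragment=True)
    print(ipv6_traceback_digest(p).hex())
```

Because Traffic Class and Hop Limit are excluded, the digest stays identical as routers decrement Hop Limit or rewrite DSCP, which is what lets proxies along the path recognise the same packet.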
Key words: Network Security; IPv6; DDoS Attacks; Defense Methods; Autonomous Systems

This entry was posted in Master Thesis.