
Computer Engineering, 2011, Vol. 37, Issue (4): 134-136. doi: 10.3969/j.issn.1000-3428.2011.04.047

• Security Technology •

DDoS Detection System Based on Traffic Behavior

ZHANG Yi, LIU Qiang

  1. (College of Communication and Information Engineering, Chongqing University of Posts and Telecommunications, Chongqing 400065, China)
  • Online: 2011-02-20  Published: 2011-02-17
  • About the authors: ZHANG Yi (b. 1970), male, professor; main research interests: network measurement and detection, network security management. LIU Qiang, master's student.
  • Funding:
    Key Project of the Scientific and Technological Research Fund of the Ministry of Education (208117); Key Project of the Chongqing Municipal Education Commission Fund (KJ070516)

Abstract: Traditional attack-detection algorithms cannot identify the attack source and the victim in real time. Starting from an analysis of single-user traffic behavior, this paper designs and implements a real-time detection and defense system for DDoS flooding attacks. The system periodically measures the traffic that each user sends and receives and checks whether it satisfies the time synchronization expected of TCP and UDP protocol behavior; on that basis it distinguishes attackers, victims and normal users, filters attack traffic and forwards normal traffic in real time. Test results show that the system detects the attacker in real time at an early stage of the attack and filters its traffic, with a clear defensive effect.

Key words: DDoS flooding attack, real-time detection, single-user traffic behavior, non-parametric CUSUM algorithm
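The abstract describes the detection idea only at a high level: per-user send/receive counters sampled every period, a "time synchronization" check on TCP and UDP behavior, and (from the key words) a non-parametric CUSUM. The following is an added example, not the authors' system, showing one way to operationalize that idea. It assumes (the paper does not state this) that the per-period statistic for each IP is the normalized difference between packets sent and packets received, so that a host engaged in a normal exchange sits near 0, a flood source near +1 and a victim near -1, and that the change detector is the standard non-parametric CUSUM y_n = max(0, y_{n-1} + x_n - beta) with a fixed threshold. All addresses, packet counts and parameter values are constructed for illustration.

```python
"""Per-user send/receive symmetry check with a non-parametric CUSUM.

Added example; not the authors' implementation. Assumptions not stated in
the paper's abstract: the per-period statistic for each IP is
(sent - received) / (sent + received), and the change detector is the
non-parametric CUSUM y_n = max(0, y_{n-1} + x_n - beta), which raises a
verdict once y_n exceeds a threshold. Addresses and counts are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class UserState:
    sent: int = 0           # packets this IP sent in the current period
    recv: int = 0           # packets this IP received in the current period
    cusum_src: float = 0.0  # accumulates "sends far more than it receives"
    cusum_dst: float = 0.0  # accumulates "receives far more than it sends"


class FloodDetector:
    def __init__(self, beta=0.3, threshold=1.5, min_packets=10):
        self.beta = beta                # drift: asymmetry tolerated per period
        self.threshold = threshold      # CUSUM level that triggers a verdict
        self.min_packets = min_packets  # below this, a user is not judged
        self.users = defaultdict(UserState)
        self.verdicts = {}

    def observe(self, src, dst):
        """Count one packet; TCP and UDP are judged by the same symmetry rule."""
        self.users[src].sent += 1
        self.users[dst].recv += 1

    def end_period(self):
        """Close the period: update every user's CUSUMs, classify, reset counters."""
        verdicts = {}
        for ip, st in self.users.items():
            total = st.sent + st.recv
            # x in [-1, 1]: 0 means sends and receives are balanced (synchronized),
            # +1 means pure sending (flood source), -1 means pure receiving (victim).
            x = 0.0 if total < self.min_packets else (st.sent - st.recv) / total
            st.cusum_src = max(0.0, st.cusum_src + x - self.beta)
            st.cusum_dst = max(0.0, st.cusum_dst - x - self.beta)
            if st.cusum_src > self.threshold:
                verdicts[ip] = "attacker"
            elif st.cusum_dst > self.threshold:
                verdicts[ip] = "victim"
            else:
                verdicts[ip] = "normal"
            st.sent = st.recv = 0
        self.verdicts = verdicts
        return verdicts

    def forward(self, src):
        """Filtering decision for the next period: drop packets from flagged attackers."""
        return self.verdicts.get(src) != "attacker"


def run_scenario(periods=3):
    """Constructed traffic (not measured data): one normal TCP client/server pair,
    one UDP flooder aimed at the server, and a quiet host.
    Returns (detector, list of per-period verdict dicts)."""
    det = FloodDetector()
    history = []
    for _ in range(periods):
        for _i in range(20):      # normal exchange: 20 packets each way
            det.observe("10.0.0.5", "10.0.0.80")
            det.observe("10.0.0.80", "10.0.0.5")
        for _i in range(500):     # flood: 500 packets toward the server, no replies
            det.observe("10.0.0.66", "10.0.0.80")
        for _i in range(3):       # too little traffic to judge
            det.observe("10.0.0.9", "10.0.0.80")
        history.append(det.end_period())
    return det, history


if __name__ == "__main__":
    det, history = run_scenario()
    for n, v in enumerate(history, 1):
        print(f"period {n}: {v}")
    print("forward 10.0.0.66:", det.forward("10.0.0.66"))
```

With these parameters the flooder (x = +1 every period) and the server (x close to -1) both cross the threshold in the third period, while the balanced client and the quiet host stay "normal"; lowering `beta` or `threshold` shortens that delay at the cost of flagging bursty but legitimate users. Note that the per-IP sent counter is only meaningful where the real sending host is observed: a flood with spoofed source addresses would, at the victim side, attribute the sending to the spoofed addresses, which is one reason to place such a check at the user's edge rather than in front of the target.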
