DDoS攻击从检测到流量识别总体防御方案研究

分布式拒绝服务（DDoS）攻击是互联网安全的严重威胁，攻击发生时会有大规模流量淹没目标网络和主机。能够准确快速地检测到攻击，区分合法拥塞流量和攻击流量，对攻击流量加以清洗，对于DDoS攻击的防御来说十分重要。采用信息熵对流量参数进行实时统计来检测攻击，用累积和（CUSUM）算法控制熵值连续变化情况。检测到攻击后，依据目的IP数量前后增长情况找出受害者，对流向受害者处的流量进行重点观察。由于大规模的攻击流量与合法的拥塞流量非常相似，难以识别，在此对流本身的相似性进行考察，使用流相关系数算法辨别攻击流量和合法拥塞流量，为流量清洗工作提供依据。

Overall scheme of defense against DDoS attack from detection to traffic identification

Distributed denial of service （DDoS） attack is a serious threat to Internet security. Target networks and hosts will be overwhelmed by massive traffic when attack happens. It is important for the defense against DDoS attack to detect the at-tack quickly and accurately,discriminate the attack traffic from legitimate crowd traffic to eliminate attack traffic,and eliminate the attack traffic. The entropy is used to execute real-time statistics of some flow parameters for detecting the attack,and cumula-tive sum（CUSUM）algorithm is employed to track continuous changes of the entropy. According to the growth of destination IP quantity,victims can be discovered,and then the traffic swarming into the victims is observed emphatically. As the large-scale attack traffic and legitimate crowd traffic are very similar,it is difficult to recognize attack traffic. The correlation coefficient is used in this paper to check the similarity of the flow to discriminate the attack traffic from legitimate crowd traffic,which pro-vides an evidence for subsequent elimination and filtering.