一种IPv6环境下实时DDoS防御方法

现有的DDoS防御方法大多是针对传统IPv4网络提出的，而且它们的防御实时性还有待进一步提高。针对这种情况，提出了一种IPv6环境下实时防御DDoS的新方法，其核心思想是首先在受害者自治系统内建立决策判据树，然后依据决策判据1和2对该树进行实时监控，如果发现攻击，就发送过滤消息通知有关实体在受害端和源端一起对攻击包进行过滤，从而保护受害者。实验证明，该方法能够在秒钟数量级检测到攻击并且对攻击包进行过滤，能有效地防范多个DDoS攻击源。另外，该方法还能准确地区分攻击流和高业务流，可以在不恢复攻击路径的情况下直接追踪到攻击源所在的自治系统（甚至是子网）。

Method of defending against DDoS attacks based on real time consideration in IPv6 network

The majority of existing DDoS defense methods are based on IPv4, and their real-time characteristic of thwarting DDoS attacks needs to be improved. The paper proposed a novel method of defending against DDoS attacks on a real-time basis in IPv6 network under these circumstances. At a word, its working process was composed of three steps.In the first step, created decision-making criterion trees in the autonomic systems in which victim servers were. The next step was to inspect the trees for DDoS attacks continually, according to Decision-making Criterion 1 and 2. Once DDoS attacks were detected, filtering messages would be sent. Finally, after receiving the messages, the involved entities started blocking attack traffic near victims and attackers in order to protect victim servers. It is proved by experiment that the method can distinguish attack traffic from normal traffic in a second and then filter illegitimate packets. It also can defend against multiple attack sources effectively. Besides, it can distinguish between attack traffic and heavy legitimate traffic accurately, and determine the attack-originating autonomic systems(even subnets) without reconstructing attack paths.