A Distributed Denial of Service (DDOS) attack is one type of flood attacks, which mainly refers to that the attacker controls a large quantity of infected hosts to form an attack network by using a main control host as a platform (which may have multiple levels or multiple layers), so as to perform a large-scale attacks of service denial to an affected host. This attack may usually magnify the attack of a single attacker by levels, so as to cause a significant influence to the affected host, as well as severe network congestion.
One method of detecting the DDOS attack is a traffic anomaly detection. The principle of the traffic anomaly detection lies in that the packet traffic of each protocol is evenly varied in a normal situation and will only be significantly varied after being affected by some specific attacks. The traffic anomaly detection is usually divided into two stages. One is a study stage, including studying through some sample traffic so as to establish an initial analysis model. Further, the system enters an operating stage, collects the packet traffic and performs traffic statistics, performs an analysis on the traffic model, and compares the analysis with the initial analysis model. If the difference of the two is greater than the threshold, it is determined to be abnormal; otherwise, traffic study is performed, and the initial analysis model is modified continuously.
Another method of detecting the DDOS attack is a packet transmission frequency detection. As a result of the DDOS attack, a feature of large traffic is usually presented, and the traffic is usually inter-related to the packet transmission frequency of the packet. Therefore, the packet transmission frequency can be counted, and then the result is compared with the threshold. If the result is greater than the threshold, it is determined to be abnormal; otherwise, it is determined to be normal.
One of the challenges in implementing detecting DDOS attacks is the accuracy. As for the traffic anomaly detection method, if the attack is a flood attack under a small traffic, the variation of the traffic in a short term is not obvious, so that the attack may not be detected by using a simple traffic analysis algorithm. In some normal requests, such as proxy or Network Address Translation (NAT) service, a large traffic may also be found during a short time period, so that an error of the attack detection may occur. As for the packet transmission frequency detection method, it is difficult to detect the attack under the small traffic. In some normal requests, such as proxy or NAT service, the error of detection may occur as well.