Computer Engineering and Applications, 2018, Vol. 54, Issue (24): 87-96. DOI: 10.3778/j.issn.1002-8331.1805-0295


DDoS attack elimination policy based on traffic awareness for multi-data center

QI Xing, LI Guanglei, ZHOU Huachun, CHEN Jia   

  1. School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing 100044, China
  • Online: 2018-12-15 Published: 2018-12-14

多数据中心基于流量感知的DDoS攻击消除策略

齐  星,李光磊,周华春,陈  佳   


Abstract: As DDoS attacks occur frequently in multi-data center environments and existing DDoS attack elimination methods cannot avoid interfering with legitimate traffic, this paper proposes a DDoS attack elimination strategy for multi-data center environments, based on service function chaining and traffic awareness technology. A perception component deployed at the data center entrance detects abnormal traffic and interacts with the controller, which then moves the attack elimination work into a scrubbing domain outside the data center, thus avoiding interference with legitimate traffic. At the same time, a load balancing algorithm is proposed for the scrubbing domain to ensure stable processing capability when serving multiple data centers. A prototype is built to verify the feasibility of the strategy through experiments.

Key words: multi-data center, awareness, security service chain, load balancing

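Abstract (translated from the Chinese): DDoS attacks occur frequently in multi-data center environments. Existing attack elimination methods can block attack traffic, but can hardly avoid interfering with legitimate traffic. Building on service function chaining combined with traffic awareness technology, a DDoS attack elimination strategy for multiple data centers is proposed. A perception component deployed at the data center entrance senses abnormal traffic and interacts with the controller, so that DDoS attack elimination is carried out in a scrubbing domain outside the data center, avoiding interference with legitimate traffic. In addition, a load balancing algorithm is proposed for the scrubbing domain to provide sufficient processing capability for multiple data centers. Finally, a prototype system is built and the feasibility of the strategy is verified through comparative experiments.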
