實驗結果顯示,在模擬 Layer-7 HTTP GET Flood 攻擊的情境下,DuSDA 架構能成功將攻擊流量限制在受害的子系統中。當大檔案系統因攻擊而導致效能下降時,小檔案系統仍能維持高服務可用性與穩定的回應時間,不受攻擊波及。本研究證實了透過服務隔離結合協同防禦機制,能有效提升檔案下載服務在面臨針對性 DDoS 攻擊時的系統韌性。 ;With the evolution of cyberattack techniques, application-layer distributed denial-of-service (Application Layer DDoS) attacks have become a major threat to online services. Attackers often target resource-intensive endpoints, such as large file download services, to launch HTTP Flood attacks. In a traditional single-system architecture, all services share the same network bandwidth and computing resources. Once the large-file download service is attacked and exhausts the available bandwidth, all services—including small-file downloads—collapse simultaneously, resulting in a complete service outage. Existing defense mechanisms, such as Web Application Firewalls (WAFs) or rate limiting, often struggle to accurately distinguish malicious high-volume download behavior without degrading the experience of legitimate users.
To address this issue, this thesis proposes a dual-system defense architecture named DuSDA (Dual-System Defense Architecture). The core strategy of this research is to isolate large-file and small-file services in both resource allocation and system architecture. A unified DuSDA Dispatcher is deployed as the entry point, and user requests are distributed to the independently operated large-file or small-file subsystems through HTTP 302 redirection. To achieve precise attack detection, the system implements a real-time monitoring module based on Nginx log analysis and adopts a Multi-Dimensional Scoring Mechanism to evaluate the risk level of user behavior. In addition, a Cross-System Monitoring and Coordination mechanism is designed to synchronize threat intelligence between the isolated subsystems using UDP packets, enabling coordinated blocking once a malicious IP is detected.
Experimental results show that under simulated Layer-7 HTTP GET Flood attacks, the DuSDA architecture effectively confines the attack traffic within the targeted subsystem. When the large-file subsystem experiences performance degradation due to attacks, the small-file subsystem continues to maintain high availability and stable response times, remaining unaffected. This research demonstrates that service isolation combined with coordinated defense mechanisms can significantly enhance the resilience of file download systems against targeted DDoS attacks.
