End-Hopping Web Plug-in Mechanism for Defending Against DoS Attacks
  • English title: Web plug-in paradigm for anti-DoS attack based on end hopping
  • Authors: 石乐义; 孙慧; 崔玉文; 郭宏彬; 李剑蓝
  • Authors (English): SHI Le-yi; SUN Hui; CUI Yu-wen; GUO Hong-bin; LI Jian-lan; College of Computer & Communication Engineering, China University of Petroleum
  • Keywords: network security; active defense; end hopping; Web plug-in; DoS attack
  • Journal (Chinese abbreviation): TXXB
  • Journal (English): Journal on Communications
  • Institution: College of Computer and Communication Engineering, China University of Petroleum (East China)
  • Publication date: 2017-10-30
  • Publisher: Journal on Communications (通信学报)
  • Year: 2017
  • Issue: v.38; No.363
  • Funding: National Natural Science Foundation of China (No.61772551); Qingdao Science and Technology Plan Fund (No.15-9-1-79-jch)
  • Language: Chinese
  • Pages: TXXB2017S1003
  • Page count: 6
  • CN: S1
  • ISSN: 11-2102/TN
  • Classification number: 23-28
Abstract
End hopping is a proactive network defense technology proposed to mitigate network attacks. It confuses attackers by pseudo-randomly changing end information used in communication, such as addresses and ports. Through a browser plug-in mechanism, end hopping is introduced into the field of Web protection so as to confuse and interfere with attackers during Web access. The browser plug-in model has two working modes, a non-hopping mode and an end hopping mode, and the plug-in switches between them according to instructions from the UDP spokesman. When the communication link is safe and reliable, the plug-in does not perform end hopping, which reduces the service cost; when the network is under attack, it switches to end hopping mode to keep the communication link secure. Experimental results show that the Web plug-in mechanism based on end hopping still delivers high service performance and security performance under SYN Flood and UDP Flood attacks.
