基于区块链的防护物联网设备DDoS攻击方法
|
摘要
随着物联网设备的普及,利用物联网设备发起的分布式拒绝服务攻击(distributed denial service, DDoS)愈演愈烈,针对此类问题,提出了一种基于边缘计算和区块链的检测防御架构.在边缘节点依据物联网设备的业务功能特点实现了初步的疑似DDoS异常检测,初步检测结果的共享分析得出DDoS预警,最终对物联网设备发出的DDoS进行过滤.该方案的检测防御分布式部署在攻击源端,可以避免引流及流量清洗造成的高额成本和网络阻塞,并可以在检测到DDoS发生之初在源头进行持续过滤从而阻止攻击流量的上涨.
With the popularity of internet of things(IoT) devices, distributed denial of service(DDoS) attacks initiated by IoT devices have become fierce. To solve such problems,this paper proposes a detection and defense architecture based on edge computing and blockchain. According to the business characteristics of IoT devices, the suspected DDoS anomaly detection is implemented at edge nodes. Then the DDoS warning is obtained by sharing and analyzing the preliminary results with blockchain. Finally, DDoS connection is filtered at edge nodes based on the reward mechanism. The detection and defense is deployed at the source distributely, which can avoid high cost and network congestion caused by traffic extraction and cleaning, and can prevent the increasement of total DDoS traffic by filtering the traffic continuously at the source when DDoS is detected.
With the popularity of internet of things(IoT) devices, distributed denial of service(DDoS) attacks initiated by IoT devices have become fierce. To solve such problems,this paper proposes a detection and defense architecture based on edge computing and blockchain. According to the business characteristics of IoT devices, the suspected DDoS anomaly detection is implemented at edge nodes. Then the DDoS warning is obtained by sharing and analyzing the preliminary results with blockchain. Finally, DDoS connection is filtered at edge nodes based on the reward mechanism. The detection and defense is deployed at the source distributely, which can avoid high cost and network congestion caused by traffic extraction and cleaning, and can prevent the increasement of total DDoS traffic by filtering the traffic continuously at the source when DDoS is detected.
引文
[1]Gubbi J,Buyya R,Marusic S,Palaniswamia M.Internet of things(IoT):a vision,architectural elements,and future directions[J].Future Generation Computer Systems,2013,29(7):1645-1660.
[2]施巍松,孙辉,曹杰,张权,刘伟.边缘计算:万物互联时代新型计算模型[J].计算机研究与发展,2017, 54(5):907-924.Shi W S, Sun H, Cao J, Zhang Q, Liu W. Edge computing:an emerging computing model for the internet of everything era[J]. Journal of Computer Research and Development, 2017,54(5):907-924.(in Chinese)
[3] Shi W S, Cao J, Zhang Q, Li Y H Z. Edge computing:vision and challenges[J]. IEEE Internet of Things Journal, 2016, 3(5):637-646.
[4]梅兰妮·斯万.区块链:新经济蓝图及导读[M].北京:新星出版社,2016:27-32.
[5]袁勇,王飞跃.区块链技术发展现状与展望[J].自动化学报,2016, 42(4):481-494.Yuan Y, Wang F Y. Blockchain:the state of the art and future trends[J]. Journal of Automatica Sinica, 2016, 42(4):481-494(in Chinese).
[6] Rodrigues B, Bocek T, Lareida A, Hausheer D, Rafati S, Stiller B. A blockchainbased architecture for collaborative DDoS mitigation with smart contracts[C]//IFIP International Conference on Autonomous Infrastructure, Management and Security, 2017:16-29.
[7] Rodrigues B, Bocek T, Stiller B. Multi-domain DDoS mitigation based on blockchains[J]. Security of Networks and Services in an All-Connected World, 2018:185-190.
[8] Gil T M, Poletto M. MULTOPS:a data-structure for band width attach detection[C]//The10th Conference on USENIX Security Symposium, 2001:23-38.
[9] Mirkovic J, Reiher P. D-WARD:a source-end defense against flooding denial-of-service attacks[J]. IEEE Transactions on Dependable&Secure Computing, 2005, 2(3):216-232.
[10] Zargar S T, Joshi J, Tipper D. A survey of defense mechanism against distributed denial of service flooding attacks[J]. IEEE Communications Surveys&Tutorials, 2013, 15(4):2046-2069.
[11] Rukavitsyn A, Borisenko K, Shorov A. Self-learning method for DDoS detection model in cloud computing[C]//Young Researchers in Electrical and Electronic Engineering. IEEE, 2017:544-547.
[12] Yu Y, Chen Q, Li X. Distributed collaborative monitoring in software defined networks[C]//Proceeding of the ACM SIGCOMM 2014 Workshop on Hot Topics in Software Defined Networking, 2014.
[13] Kansal V, Dave M. Proactive DDoS attack detection and isolation[C]//International Conference on Computer, Communications and Electronics. IEEE, 2017:334-338.
[14] Yao G, Bi J, Vasilakos A V. Passive IP traceback:disclosing the locations of IP spoofers from path backscatter[J]. IEEE Transactions on Information Forensics&Security, 2015, 10(3):471-484.
[15] Sahi A, Lai D, Li Y, Diykh M. An efficient DDoS TCP flood attack detection and prevention system in a cloud environment[J]. IEEE Access, 2017(5):1-1.
[16] Yaar A, Perrig A, Song D. StackPi:new packet marking and filtering mechanisms for DDoS and IP spoofing defense[J]. IEEE Journal on Selected Areas in Communications, 2006, 24(10):1853-1863.
[17]陈飞,毕小红,王晶晶,刘渊. DDoS攻击防御技术发展综述[J].网络与信息安全学报,2017, 3(10):16-24.Chen F, Bi X H, Wang J J, Liu Y. Survey of DDoS defense:challenges and directions[J].Chinese Journal of Network and Information Security, 2017, 3(10):16-24.(in Chinese)
[18]陈旭.基于区块链技术的网络DDoS联合防御方法研究[J].网络安全技术与应用,2017(11):29-30.Chen X. Research on network DDoS joint defense method based on blockchain[J]. Network Security Technology&Application, 2017(11):29-30.(in Chinese)
[19]杨翊,彭扬,矫毅.基于区块链的DDoS防御云网络[EB/OL].[2016-11-04]. http://www.paper.edu.cn/releasepaper/content/201611-59.
[20] Kim Y, Lau W C, Chuah M C, Chao H C. PacketScore:a statistics-based packet filtering scheme against distributed denial-of-service attacks[J]. IEEE Transactions on Dependable&Secure Computing, 2006, 3(2):141-155.
[21] Kim Y, Lau W C, Chuah M C, Chao H J. Packetscore:statistics-based overload control against distributed denial-of-service attacks[C]//International Confrence on Computer Communications. IEEE, 2004(4):2594-2604.
[22] Beitollahi H, Deconinck G. A cooperative mechanism to defense against distributed denial of service attacks[C]//International Conference on Trust, Security and Privacy in Computing and Communications. IEEE, 2012:11-20.
[2]施巍松,孙辉,曹杰,张权,刘伟.边缘计算:万物互联时代新型计算模型[J].计算机研究与发展,2017, 54(5):907-924.Shi W S, Sun H, Cao J, Zhang Q, Liu W. Edge computing:an emerging computing model for the internet of everything era[J]. Journal of Computer Research and Development, 2017,54(5):907-924.(in Chinese)
[3] Shi W S, Cao J, Zhang Q, Li Y H Z. Edge computing:vision and challenges[J]. IEEE Internet of Things Journal, 2016, 3(5):637-646.
[4]梅兰妮·斯万.区块链:新经济蓝图及导读[M].北京:新星出版社,2016:27-32.
[5]袁勇,王飞跃.区块链技术发展现状与展望[J].自动化学报,2016, 42(4):481-494.Yuan Y, Wang F Y. Blockchain:the state of the art and future trends[J]. Journal of Automatica Sinica, 2016, 42(4):481-494(in Chinese).
[6] Rodrigues B, Bocek T, Lareida A, Hausheer D, Rafati S, Stiller B. A blockchainbased architecture for collaborative DDoS mitigation with smart contracts[C]//IFIP International Conference on Autonomous Infrastructure, Management and Security, 2017:16-29.
[7] Rodrigues B, Bocek T, Stiller B. Multi-domain DDoS mitigation based on blockchains[J]. Security of Networks and Services in an All-Connected World, 2018:185-190.
[8] Gil T M, Poletto M. MULTOPS:a data-structure for band width attach detection[C]//The10th Conference on USENIX Security Symposium, 2001:23-38.
[9] Mirkovic J, Reiher P. D-WARD:a source-end defense against flooding denial-of-service attacks[J]. IEEE Transactions on Dependable&Secure Computing, 2005, 2(3):216-232.
[10] Zargar S T, Joshi J, Tipper D. A survey of defense mechanism against distributed denial of service flooding attacks[J]. IEEE Communications Surveys&Tutorials, 2013, 15(4):2046-2069.
[11] Rukavitsyn A, Borisenko K, Shorov A. Self-learning method for DDoS detection model in cloud computing[C]//Young Researchers in Electrical and Electronic Engineering. IEEE, 2017:544-547.
[12] Yu Y, Chen Q, Li X. Distributed collaborative monitoring in software defined networks[C]//Proceeding of the ACM SIGCOMM 2014 Workshop on Hot Topics in Software Defined Networking, 2014.
[13] Kansal V, Dave M. Proactive DDoS attack detection and isolation[C]//International Conference on Computer, Communications and Electronics. IEEE, 2017:334-338.
[14] Yao G, Bi J, Vasilakos A V. Passive IP traceback:disclosing the locations of IP spoofers from path backscatter[J]. IEEE Transactions on Information Forensics&Security, 2015, 10(3):471-484.
[15] Sahi A, Lai D, Li Y, Diykh M. An efficient DDoS TCP flood attack detection and prevention system in a cloud environment[J]. IEEE Access, 2017(5):1-1.
[16] Yaar A, Perrig A, Song D. StackPi:new packet marking and filtering mechanisms for DDoS and IP spoofing defense[J]. IEEE Journal on Selected Areas in Communications, 2006, 24(10):1853-1863.
[17]陈飞,毕小红,王晶晶,刘渊. DDoS攻击防御技术发展综述[J].网络与信息安全学报,2017, 3(10):16-24.Chen F, Bi X H, Wang J J, Liu Y. Survey of DDoS defense:challenges and directions[J].Chinese Journal of Network and Information Security, 2017, 3(10):16-24.(in Chinese)
[18]陈旭.基于区块链技术的网络DDoS联合防御方法研究[J].网络安全技术与应用,2017(11):29-30.Chen X. Research on network DDoS joint defense method based on blockchain[J]. Network Security Technology&Application, 2017(11):29-30.(in Chinese)
[19]杨翊,彭扬,矫毅.基于区块链的DDoS防御云网络[EB/OL].[2016-11-04]. http://www.paper.edu.cn/releasepaper/content/201611-59.
[20] Kim Y, Lau W C, Chuah M C, Chao H C. PacketScore:a statistics-based packet filtering scheme against distributed denial-of-service attacks[J]. IEEE Transactions on Dependable&Secure Computing, 2006, 3(2):141-155.
[21] Kim Y, Lau W C, Chuah M C, Chao H J. Packetscore:statistics-based overload control against distributed denial-of-service attacks[C]//International Confrence on Computer Communications. IEEE, 2004(4):2594-2604.
[22] Beitollahi H, Deconinck G. A cooperative mechanism to defense against distributed denial of service attacks[C]//International Conference on Trust, Security and Privacy in Computing and Communications. IEEE, 2012:11-20.