A Moving Target Defense Anti-Censorship Method Based on MIPv6
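  • English title: A Moving Target Defense Anti-Censorship Method Based on MIPv6
  • Author: Zhang Shuting
  • English author: Zhang Shuting; Department of Computer Engineering, Taiyuan University
  • Keywords: Anti-censorship; Moving target defense; Mobile IPv6
  • English keywords: Anti-censorship; Moving target defense; Mobile IPv6
  • Chinese journal name: JYRJ
  • English journal name: Computer Applications and Software
  • Institution: Department of Computer Engineering, Taiyuan University
  • Publication date: 2019-04-12
  • Publisher: Computer Applications and Software
  • Year: 2019
  • Issue: v.36
  • Language: Chinese
  • Page: JYRJ201904053
  • Number of pages: 8
  • CN: 04
  • ISSN: 31-1260/TP
  • Classification number: 332-339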
Abstract
Although the Internet has become central to every aspect of life, many users still cannot freely access information through it. Attackers can block users' access to specific information by deploying censors. From the perspective of the network information provider, this paper proposes a user-oriented anti-censorship method that greatly increases the attacker's cost. Mobile IPv6 is used to form a moving target defense strategy in which the Web server logically behaves as a mobile node (without actually moving). The scheme is analyzed with a probabilistic model, and a key parameter, the swarm ratio, is proposed to compare the resources the attacker needs against real-world constraints. Based on this model, a real prototype is built (with simple modifications to the server software and kernel and no change to the standard Mobile IPv6 protocol) to show that the method can be used without changing the existing network infrastructure. The performance overhead of the method is analyzed experimentally.
