Research on Defense Methods Against DDoS Attacks
Abstract
Distributed denial of service (DDoS) attacks are among the most destructive attacks on the Internet. They exploit weaknesses in the TCP/IP protocol suite and the finite bandwidth of the network: the attacker sends the victim large numbers of malicious connection requests or useless packets, consuming the victim's bandwidth until it can no longer serve legitimate users. At the application layer, as bandwidth grows and web applications become richer, the computation spent per request at the application layer increasingly exceeds that spent at the network layer, and DDoS strategies show a trend of shifting from the network layer to the application layer.
This thesis first studies the principles, techniques and typical tools of network-layer DDoS attacks, and introduces the principles, characteristics and two attack types of the newly emerging application-layer DDoS attack (App-DDoS, Application Layer DDoS). It then surveys the state of research on detection and defense for network-layer and application-layer DDoS respectively. On that basis, a DDoS defense method based on the ISP (Internet Service Provider) network is proposed from the perspective of the ISP domain. The scheme has three properties. First, in terms of feasibility, it is implemented inside the ISP network, which makes it easy to manage, and it requires few additional devices, so it is practical to deploy. Second, in terms of detection, it can identify DDoS attack flows as soon as the attack is launched, with a high detection rate and fast response. Third, in terms of defense, it throttles the attack traffic while preserving the survival rate of legitimate packets as far as possible, keeping network traffic within its normal range. Experiments demonstrate the effectiveness of the scheme. For the behavioural characteristics of the new App-DDoS attacks, a credibility-based App-DDoS defense method is proposed. It statistically analyses the distribution of normal users' behaviour in two dimensions, service request rate and request workload, and uses that distribution as the basis for assigning a credibility to each session; a scheduling policy then defends against the attack according to session credibility. Experimental results show that the method defends against App-DDoS attacks quickly and effectively. Finally, directions for future work are indicated.
Distributed denial of service (DDoS) attacks are among the most destructive attacks on the Internet. An attack of this kind sends large numbers of connection requests or useless packets to the victim, exploiting flaws in TCP/IP and the limited bandwidth of the network. These illegitimate packets consume the victim's system resources and bandwidth, leaving it unable to respond to legitimate clients' requests. At the application layer, as network bandwidth increases and network applications develop, the computational cost of the application layer gradually comes to exceed that of the network layer, and attackers' strategies are shifting from the network layer to the application layer.
First, the principles and means of network-layer DDoS attacks are analysed and several kinds of network-layer DDoS attack are discussed, together with the principles, characteristics and two kinds of App-DDoS (application-layer DDoS) attack. Then the state of research on detection and defense techniques at the network layer and the application layer is surveyed. From the viewpoint of the ISP (Internet Service Provider) domain, a defense scheme against DDoS attacks based on ISP networks is then put forward. First, the scheme is grounded in the ISP domain, so it is convenient to manage, and only a few network devices are needed, which makes it feasible to deploy. Second, as regards detection, the scheme can identify DDoS attacks at the moment they are launched, so it responds quickly and has a high detection ratio. Third, as regards defense, the scheme keeps network traffic within its normal range while keeping the survival rate of legitimate packets as high as possible. The feasibility of the scheme is validated by simulation. For the new App-DDoS attacks, the thesis discusses the characteristics of the attack behaviour and presents a defense scheme based on credit probability: statistical analysis of data from normal users yields the probability distributions of normal behaviour in terms of request rate and request workload, these distributions serve as the evidence for assigning a credit probability to each session, and scheduling policies defend against the attack according to the session's credit probability. Experimental results show the effectiveness of the scheme against App-DDoS attacks. Finally, future research work is outlined.
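As an added illustration of the credibility-based App-DDoS defense described in the abstract (example code written for this page, not code from the thesis), the following Python sketch builds a profile of normal users' request rate and request workload, scores each observed session by how far it exceeds that profile, and schedules pending requests by session credibility under a per-tick workload budget. The Gaussian mean/stdev profile, the exp(-(z_rate^2 + z_load^2)/2) scoring rule, the 0.1 admission threshold and the sample traffic are all assumptions made here; the abstract specifies only that rate and workload statistics of normal users determine session credibility and that scheduling follows that credibility.

```python
"""Credibility-based App-DDoS scheduling, a sketch added for this page.

Assumptions (not from the thesis): normal-user request rate and workload are
summarised by mean and standard deviation; a session's credibility is
exp(-(z_rate^2 + z_load^2)/2), where z is the number of standard deviations
the session lies ABOVE the normal mean (clamped at 0); the scheduler serves
requests highest-credibility-first within a per-tick workload budget.
"""
import math
import statistics
from collections import defaultdict

WINDOW = 10.0  # seconds of observation behind each rate measurement

# Constructed training sample of normal sessions: requests per second and
# mean server-side cost per request (say, milliseconds of CPU/DB time).
NORMAL_RATES = [0.3, 0.5, 0.4, 0.6, 0.2, 0.5, 0.7, 0.4, 0.3, 0.5]
NORMAL_LOADS = [8, 12, 10, 15, 9, 11, 14, 10, 13, 12]


def fit_profile(rates, loads):
    """Mean/stdev of normal users' request rate and request workload."""
    return {
        "rate": (statistics.mean(rates), statistics.stdev(rates)),
        "load": (statistics.mean(loads), statistics.stdev(loads)),
    }


def session_features(events, window=WINDOW):
    """Aggregate (timestamp, session_id, workload) events from one window
    into {session_id: (requests_per_second, mean_workload)}."""
    loads = defaultdict(list)
    for _ts, sid, w in events:
        loads[sid].append(w)
    return {sid: (len(ws) / window, statistics.mean(ws)) for sid, ws in loads.items()}


def credibility(profile, rate, load):
    """1.0 for a session inside the normal profile, decaying with the squared
    excess z-scores. Only excess counts: slow, cheap clients are never penalised."""
    def excess_z(value, key):
        mu, sd = profile[key]
        return max((value - mu) / sd, 0.0)

    z2 = excess_z(rate, "rate") ** 2 + excess_z(load, "load") ** 2
    return math.exp(-0.5 * z2)


def schedule(requests, credits, budget, min_credit=0.1):
    """Serve pending (session_id, workload) requests highest-credibility-first
    until the tick's workload budget is spent. Sessions below min_credit are
    shed outright; a session never seen in the window gets credibility 0.0."""
    served, dropped, spent = [], [], 0.0
    for sid, w in sorted(requests, key=lambda r: credits.get(r[0], 0.0), reverse=True):
        if credits.get(sid, 0.0) < min_credit or spent + w > budget:
            dropped.append((sid, w))
        else:
            served.append((sid, w))
            spent += w
    return served, dropped


def make_window_events():
    """Constructed 10 s of traffic: two browsers, a bot hammering cheap pages
    (abnormal rate) and a bot asking only for expensive pages at a polite
    rate (abnormal workload). Both dimensions the abstract names are covered."""
    events = [(i * 2.5, "user1", w) for i, w in enumerate([10, 12, 9, 11])]
    events += [(i * 1.6, "user2", w) for i, w in enumerate([14, 13, 12, 15, 11, 13])]
    events += [(i * 0.25, "bot_rate", 10) for i in range(40)]
    events += [(i * 2.0, "bot_load", 300) for i in range(5)]
    return events


def run_tick(budget=50.0):
    """Score every session seen in the window, then schedule one pending
    request per session. Returns (credits, served, dropped)."""
    profile = fit_profile(NORMAL_RATES, NORMAL_LOADS)
    feats = session_features(make_window_events())
    credits = {sid: credibility(profile, r, l) for sid, (r, l) in feats.items()}
    pending = [("bot_rate", 10), ("bot_load", 300), ("user1", 11), ("user2", 12)]
    served, dropped = schedule(pending, credits, budget)
    return credits, served, dropped


if __name__ == "__main__":
    credits, served, dropped = run_tick()
    for sid, c in sorted(credits.items(), key=lambda kv: -kv[1]):
        print(f"{sid:9s} credibility={c:.3g}")
    print("served :", served)
    print("dropped:", dropped)
```

With the constructed traffic, both browsers keep a credibility well above the threshold, the high-rate bot and the heavy-workload bot fall to practically zero and are shed before the budget is touched, whereas a credibility-blind scheduler with the same budget would serve the high-rate bot ahead of one of the browsers. Two caveats a practitioner would add: the scoring is per session, so a botnet that spreads its load over many sessions each staying inside the normal profile is not caught by the score alone and is bounded only by the workload budget; and the normal profile must be fitted from traffic captured when no attack was under way, otherwise the attack itself becomes the baseline.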
