Research on an Intrusion Detection System Based on Honeypot Networks
Abstract
Distributed denial of service (DDoS) is the clustered form of the denial of service (DoS) attack. Like DoS, a DDoS attack forces the victim host to process more data than it can handle, exhausting its system resources or network bandwidth so that it can no longer provide normal service. Because the attack is launched from many computers at once, DDoS is more damaging and harder to defend against. Although defenses against DDoS are being researched widely, the distinctive nature of DDoS attack techniques means that the methods proposed so far cannot fundamentally suppress such attacks. This thesis systematically analyzes the basic principles and characteristics of DDoS attacks and the DDoS defenses in common use, summarizes the shortcomings of existing methods, in particular those of honeypot-based DDoS defenses, and on that basis designs and implements a new honeypot-based DDoS defense model system. When the model detects a DDoS attack, it uses a honeypot subnet to take over the network flows attacking the server, which both protects the server host and deceives the hacker while recording detailed attack information. A distinctive feature of the model is that the attack information collected by the honeypot system is stored on a remote log server, protecting the security and credibility of the log data.
     The design and implementation of the model system are described in detail in this thesis, including the framework design, the role of the honeypot in the model, the analysis of the DDoS defense functions, the implementation of the attack redirection technique, and the design and implementation of the remote logging system.
Distributed denial of service (DDoS) attacks are among the most harmful and hardest to prevent of the attacks against Internet security. Although research on defending against DDoS attacks is being carried out widely, the uniqueness of DDoS attack methods means that the current methods cannot fundamentally defend against such attacks. This paper analyzes the principles of DDoS attacks and the methods currently used to defend against them, and sums up their shortcomings; it also analyzes the shortcomings of the current honeypot-based model. To improve on these shortcomings, this paper designs and implements a honeypot-based model for defending against DDoS. Honeypot technology is a new technology for network security; its main role is to confuse hackers and record attacks. The model uses a honeypot sub-network to receive the attack flows switched away from the server, which protects the server host, confuses hackers, and records detailed information about them. Log information is very important for analysis and as evidence of an attack, so to ensure that the log information collected by the honeypot system is secure and credible, this paper also designs and implements a program that stores the log information on a remote server. The model judges the flows first and then transmits the attack flows to the honeypot, protecting the server while guaranteeing normal access for important customers at the same time. The model put forward in this paper has the following advantage: it uses a remote server to store the attack information that the honeypot system collects, so that the log information is protected and can be trusted.
     The concrete design and realization of the model system are described in detail in this paper, including the framework of the model, the function of the honeypot in the model, the functional analysis of the model's defense against DDoS attacks, the realization of the redirection technique for the attack flows, and the design and realization of the remote log storage system.
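As an added illustration (not code from the thesis), the following Python sketch models the pipeline the abstract describes: judge whether the server is under a flood, switch non-whitelisted flows to the honeypot subnet while important customers keep reaching the server, and ship the honeypot's records to a remote log whose HMAC chain lets the log server detect later tampering. The threshold, addresses, whitelist and sample traffic window are constructed assumptions.

```python
import hmac
import hashlib

# Assumed parameters (not from the thesis): flood threshold, addresses, whitelist.
ATTACK_THRESHOLD = 100                  # packets per window before we call it a flood
SERVER = "192.0.2.10"
HONEYPOT_SUBNET = "10.9.0.0/24"
IMPORTANT_CLIENTS = {"198.51.100.7"}    # customers whose access must be preserved

def is_under_attack(window, threshold=ATTACK_THRESHOLD):
    """Judge: more packets aimed at the server in one window than the threshold allows."""
    return sum(1 for p in window if p["dst"] == SERVER) > threshold

def route(window):
    """Redirect: in an attack, non-whitelisted flows go to the honeypot subnet."""
    attack = is_under_attack(window)
    return {p["src"]: HONEYPOT_SUBNET if attack and p["src"] not in IMPORTANT_CLIENTS
            else SERVER for p in window}

class RemoteLog:
    """Remote log store: each record is chained to the previous one by an HMAC under a
    key only the log server holds, so a compromised honeypot cannot rewrite history."""
    def __init__(self, key):
        self.key = key
        self.records = []               # (text, mac) pairs in arrival order
        self.last_mac = b"\x00" * 32
    def _mac(self, prev, text):
        return hmac.new(self.key, prev + text.encode(), hashlib.sha256).digest()
    def append(self, text):
        mac = self._mac(self.last_mac, text)
        self.records.append((text, mac))
        self.last_mac = mac
    def verify(self):
        prev = b"\x00" * 32
        for text, mac in self.records:
            if not hmac.compare_digest(mac, self._mac(prev, text)):
                return False
            prev = mac
        return True

def honeypot_session(window, log):
    """Honeypot side: route one window and ship a record of each redirected flow."""
    routes = route(window)
    for src, dst in routes.items():
        if dst == HONEYPOT_SUBNET:
            log.append(f"redirected src={src} to honeypot subnet")
    return routes

# Constructed sample window: 150 flood packets from 15 sources plus one important client.
FLOOD = [{"src": f"203.0.113.{i % 15 + 1}", "dst": SERVER} for i in range(150)]
FLOOD.append({"src": "198.51.100.7", "dst": SERVER})
```

Running `honeypot_session(FLOOD, RemoteLog(key))` sends the 15 flood sources to the honeypot subnet, keeps the important client on the server, and leaves a 15-record chain that `verify()` rejects once any record is altered.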
