Research on Network Attack Traceback Techniques Based on Controllable Domains (基于可控域的网络攻击追踪技术研究)
Abstract
The confrontation between network attack and defence is intensifying, and attackers have advanced considerably in both skill and technique. In today's complex network environment, timely response and active defence have become essential to maintaining network security continuously and dynamically. Network attack traceback, one of the key component technologies of active defence, has become a research hotspot in network security because of its distinctive capabilities: locating the attack source, reconstructing the attack path, and deterring network crime.
Earlier research on network attack traceback concentrated on proposing individual algorithmic ideas; the classic algorithms include packet marking, router logging, and sleepy watermark tracing. Each has its own strengths, and together they offer solution approaches to tracing spoofed-source IP attacks and connection-chain (stepping-stone) attacks in current networks. Diverse compound network attacks are now the trend, so attack traceback increasingly needs intelligent analysis and improved timeliness. Taking the controllable domain as its setting, this thesis proposes algorithmic ideas for tracing attacks that cross multiple stepping stones and for tracing distributed denial-of-service attacks, and designs an attack path reconstruction algorithm. To make the traceback function practical to implement, the thesis introduces into the controllable domain a multilevel monitoring-granularity adaptive adjustment mechanism combined with a two-layer aggregative collaborative network attack traceback mechanism; through in-depth monitoring of attack behaviour and collaborative analysis and localisation of attack sources, it provides guidance for formulating defence strategies. Following the traceback system design, a prototype network attack traceback system was built inside a controllable domain.
Main contributions of this thesis:
1. Drawing on classic attack traceback algorithms from China and abroad, proposed an algorithmic idea for tracing attacks across multiple stepping stones within a single controllable domain and an algorithmic idea for tracing distributed denial-of-service attacks across multiple levels of controllable domains, and designed an attack path reconstruction algorithm for the controllable domain.
2. Proposed a distributed network attack traceback framework that supports collaboration among multiple controllable domains. The framework is designed to extend flexibly in both the vertical and horizontal directions, making it easier to choose and deploy an appropriate scale for the traceback system.
3. Based on the idea of collaborative tracing, designed a two-layer aggregative collaborative network attack traceback mechanism that uses an adaptive collaborative aggregation tracing protocol to establish and tear down cooperation relationships between peer entities promptly, improving the timeliness of traceback localisation.
4. Designed a multilevel monitoring-granularity adaptive adjustment mechanism that improves the adaptivity of monitoring.
5. Combining the above results, analysed the key entities and main functional modules of the traceback system, and designed and implemented a distributed network attack traceback prototype system based on controllable domains.
Experimental results show that the method can identify stepping-stone attacks, denial-of-service attacks and similar attacks with good accuracy inside a controllable-domain network, collaboratively locate the attack source in a timely manner, and lower the system's false negative and false positive rates, thereby providing active, intelligent security protection for the controllable-domain network.
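The abstract names connection-chain (stepping-stone) tracing but does not give the thesis's own correlation rule. As an added example that is not code from the thesis, the following Python implements the classic ON/OFF idle-period correlation of Zhang and Paxson [3] and uses it to walk a connection chain back from the victim. The thresholds (T_IDLE, DELTA, GAMMA, MIN_COINC), the per-hop latency model and the traffic of hosts A, B, C, V, X, Y and W are all constructed assumptions.

```python
"""Stepping-stone detection by ON/OFF idle-period correlation, after Zhang and
Paxson [3], plus a walk back along the connection chain.  Added example on a
constructed attack chain A -> B -> C -> V; it is not the thesis's algorithm.
Assumed parameters: T_IDLE, DELTA, GAMMA and MIN_COINC below."""
import random
from typing import List, Optional, Tuple

T_IDLE = 0.5    # seconds of silence that closes an ON period (assumed)
DELTA = 0.08    # max offset between OFF-period ends on two hops (assumed)
GAMMA = 0.3     # required fraction of coincident OFF ends (assumed)
MIN_COINC = 3   # required absolute number of coincidences (assumed)
KEY_GAP = 0.12  # seconds between keystrokes inside a burst (constructed)


def off_period_ends(ts: List[float], t_idle: float = T_IDLE) -> List[float]:
    """Instants at which traffic resumes after an idle gap of at least t_idle."""
    ts = sorted(ts)
    return [b for a, b in zip(ts, ts[1:]) if b - a >= t_idle]


def correlation(ts_a: List[float], ts_b: List[float],
                t_idle: float = T_IDLE, delta: float = DELTA) -> Tuple[int, float]:
    """Count OFF-period ends of flow a that have a partner in flow b within
    delta (each partner used at most once), and return that count as a
    fraction of the smaller number of OFF ends."""
    ends_a, ends_b = off_period_ends(ts_a, t_idle), off_period_ends(ts_b, t_idle)
    if not ends_a or not ends_b:
        return 0, 0.0
    j = coinc = 0
    for t in ends_a:
        while j < len(ends_b) and ends_b[j] < t - delta:
            j += 1
        if j < len(ends_b) and abs(ends_b[j] - t) <= delta:
            coinc += 1
            j += 1
    return coinc, coinc / min(len(ends_a), len(ends_b))


def is_stepping_stone(ts_in: List[float], ts_out: List[float]) -> bool:
    """True if an inbound and an outbound flow on a host look like one relayed session."""
    n, frac = correlation(ts_in, ts_out)
    return n >= MIN_COINC and frac >= GAMMA


Conn = Tuple[str, str, List[float]]   # (src host, dst host, packet timestamps)


def trace_chain(conns: List[Conn], src: str, dst: str) -> List[str]:
    """Starting from the connection src->dst observed at the victim, repeatedly
    pick the best-correlated inbound connection at the upstream host.  Stops
    when no monitored inbound connection correlates, i.e. at the domain edge."""
    flows = {(s, d): ts for s, d, ts in conns}
    chain, host, ts_out = [dst, src], src, flows[(src, dst)]
    while True:
        best: Optional[Tuple[float, str]] = None
        for (s, d), ts_in in flows.items():
            if d == host and is_stepping_stone(ts_in, ts_out):
                frac = correlation(ts_in, ts_out)[1]
                if best is None or frac > best[0]:
                    best = (frac, s)
        if best is None:
            return chain[::-1]
        host, ts_out = best[1], flows[(best[1], host)]
        chain.append(host)


def relayed(bursts: List[Tuple[float, int]], hop: int, seed: int = 7) -> List[float]:
    """Constructed interactive session: (burst start, keystrokes) pairs as seen
    `hop` relays downstream, with 20 ms per-hop latency and up to 10 ms jitter."""
    rng = random.Random(seed + hop)
    return [start + i * KEY_GAP + hop * 0.02 + rng.uniform(0, 0.01)
            for start, n in bursts for i in range(n)]


# Constructed keystroke schedules (seconds, keystrokes per burst).
ATTACKER_BURSTS = [(0.0, 4), (1.3, 3), (2.9, 6), (4.3, 2), (5.6, 5), (7.1, 3),
                   (9.0, 4), (10.2, 7), (12.5, 3), (13.8, 4), (15.0, 5), (16.9, 3)]
ADMIN_BURSTS = [(0.6, 3), (2.0, 5), (3.6, 2), (5.0, 4), (6.5, 3), (8.2, 6),
                (9.7, 2), (11.3, 4), (13.2, 3), (14.5, 5), (16.1, 3)]
BULK = [i * 0.1 for i in range(180)]   # steady file transfer: never idle

CONNS: List[Conn] = [
    ("A", "B", relayed(ATTACKER_BURSTS, 1)),
    ("B", "C", relayed(ATTACKER_BURSTS, 2)),
    ("C", "V", relayed(ATTACKER_BURSTS, 3)),
    ("X", "B", relayed(ADMIN_BURSTS, 1)),   # unrelated interactive login into B
    ("B", "Y", relayed(ADMIN_BURSTS, 2)),
    ("W", "C", BULK),                       # unrelated bulk transfer into C
]

if __name__ == "__main__":
    print("chain:", " -> ".join(trace_chain(CONNS, "C", "V")))
```

A bulk transfer never goes idle, so it yields no OFF periods and cannot be mistaken for an interactive relay; an unrelated interactive login on the same host shares no idle-period boundaries and fails the coincidence count. The walk stops at A because no inbound connection into A is visible to the monitored domain, which is exactly the single-domain boundary that the multi-domain collaboration described in the abstract is meant to cross.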
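For the DDoS case the abstract refers to packet marking and attack path reconstruction without detailing the thesis's scheme. The following Python, an added example and not the thesis's algorithm, simulates the edge-sampling probabilistic packet marking of Savage et al. [28] over a constructed two-attacker topology (routers R1 to R11, victim V) and rebuilds the attack tree at the victim; the marking probability P_MARK, the packet counts and the "FAKE" forged mark are assumed values.

```python
"""Probabilistic packet marking with edge sampling and victim-side path
reconstruction in the style of Savage et al. [28].  Added example on a
constructed topology; it is not the thesis's DDoS traceback algorithm.
Assumptions: every router marks with probability P_MARK, the mark field holds
(start, end, distance), and the attackers spoof their source addresses."""
import math
import random
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

VICTIM = "V"
P_MARK = 1 / 25               # per-router marking probability (assumed value)
Edge = Tuple[str, str, int]   # (start router, end router, hops from end to victim)


def forward(path: List[str], rng: random.Random, p: float = P_MARK,
            forged_start: Optional[str] = None) -> Optional[Edge]:
    """Push one packet through `path` (first router nearest the attacker) and
    return the edge sample the victim sees, or None if no router marked it.
    `forged_start` models an attacker who pre-fills the mark field."""
    start, end, dist = forged_start, None, 0
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0   # a fresh mark overwrites older ones
        elif start is not None:
            if dist == 0:
                end = router                    # the next hop completes the edge
            dist += 1
    if start is None:
        return None
    return (start, end or VICTIM, dist)


def reconstruct(samples: Set[Edge], max_depth: int = 32) -> Dict[str, str]:
    """Grow the attack tree outward from the victim: an edge (s, e, d) is
    accepted only if e already sits at distance d, so samples that do not
    attach consistently are dropped.  Returns child -> next hop toward V."""
    by_dist: Dict[int, Set[Tuple[str, str]]] = defaultdict(set)
    for s, e, d in samples:
        by_dist[d].add((s, e))
    depth = {VICTIM: 0}
    parent: Dict[str, str] = {}
    for d in range(max_depth):
        for s, e in sorted(by_dist.get(d, ())):
            if depth.get(e) == d and s not in depth:
                depth[s] = d + 1
                parent[s] = e
    return parent


def attack_paths(parent: Dict[str, str]) -> List[List[str]]:
    """Walk from every leaf of the reconstructed tree to the victim."""
    leaves = set(parent) - set(parent.values())
    paths = []
    for leaf in sorted(leaves):
        node, path = leaf, [leaf]
        while node != VICTIM:
            node = parent[node]
            path.append(node)
        paths.append(path)
    return paths


def expected_packets(d: int, p: float = P_MARK) -> float:
    """Savage et al.'s bound on the packets needed to observe every edge of a d-hop path."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


# Constructed topology: two spoofing attackers whose routes merge at R5.
ATTACK_PATHS = [
    ["R1", "R2", "R3", "R4", "R5", "R6", "R7", "R8"],
    ["R9", "R10", "R11", "R5", "R6", "R7", "R8"],
]


def simulate(paths: List[List[str]] = ATTACK_PATHS, packets: int = 3000,
             seed: int = 1, forge: bool = False) -> Set[Edge]:
    """Flood the victim and collect the distinct edge samples it receives.
    With forge=True the first attacker pre-fills every second packet's mark."""
    rng = random.Random(seed)
    samples: Set[Edge] = set()
    for path in paths:
        for i in range(packets):
            forged = "FAKE" if forge and path is paths[0] and i % 2 == 0 else None
            edge = forward(path, rng, forged_start=forged)
            if edge:
                samples.add(edge)
    return samples


if __name__ == "__main__":
    print(f"about {expected_packets(8):.0f} packets suffice for an 8-hop path")
    for path in attack_paths(reconstruct(simulate())):
        print(" -> ".join(path))
    # With forged marks the real route to R1 survives, but a bogus hop appears
    # beyond the first real router, and the victim has no way to refute it.
    for path in attack_paths(reconstruct(simulate(forge=True))):
        print("forged:", " -> ".join(path))
```

Because the attackers spoof their source addresses, reconstruction ends at the first routers R1 and R9, not at the attacking hosts; traceback identifies the ingress point, and identifying the machine behind it is a separate step. The forged-mark run shows the known weakness of unauthenticated marking: an attacker who pre-fills the mark field adds a bogus hop beyond the first real router, which is the problem the authenticated marking of Song and Perrig [8] addresses.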
References
[1] CERT Coordination Center. CERT Advisory CA-2000-01: Denial-of-Service Developments. http://www.cert.org/advisories/CA-2000-01.html, 2000.
[2] Zheng Chengxing. Theory and Practice of Network Intrusion Prevention (网络入侵防范的理论与实践). Beijing: China Machine Press, 2006: 16.
[3] Zhang Y, Paxson V. Detecting stepping stones. Proceedings of the 9th USENIX Security Symposium, 2000.
[4] Paxson V. An analysis of using reflectors for distributed denial-of-service attacks. ACM Computer Communication Review, 2001, 31(3).
[5] Elliott J. Distributed denial of service attacks and the zombie ant effect. IT Professional, March/April 2000.
[6] Dittrich D. Distributed Denial of Service (DDoS) attacks/tools resource page. http://staff.washington.edu/dittrich/misc/ddos/, 2000.
[7] Savage S, Wetherall D, Karlin A, Anderson T. Network support for IP traceback. IEEE/ACM Transactions on Networking, 2001, 9(3): 226-237.
[8] Song D X, Perrig A. Advanced and authenticated marking schemes for IP traceback. Proceedings of IEEE INFOCOM 2001.
[9] Park K, Lee H. On the effectiveness of probabilistic packet marking for IP traceback. Proceedings of ACM SIGCOMM 2001: 15-26.
[10] Chang H Y, Narayan R, Sargor C, Jou F, Wu S F, Vetter B M, Gong F, Wang X, Brown M, Yuill J J. DECIDUOUS: decentralized source identification for network-based intrusions. Proceedings of the 6th IFIP/IEEE International Symposium on Integrated Network Management, 1999: 702-714.
[11] Chang H Y, Chen P, Hayatnagarkar A, Narayan R, Sheth P, Vo N, Wu C L, Wu S F, Zhang L, Zhang X, Gong F, Jou F, Sargor C, Wu X. Design and implementation of a real-time decentralized source identification system for untrusted IP packets. Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX), 2000.
[12] Bellovin S M. ICMP traceback messages. Internet Draft, March 2001.
[13] Mankin A, Massey D, Wu C, Wu S F, Zhang L. On design and evaluation of intention-driven ICMP traceback. Proceedings of the IEEE International Conference on Computer Communications and Networks (ICCCN), 2001.
[14] Dean D, Franklin M, Stubblefield A. An algebraic approach to IP traceback. Proceedings of the 2001 Network and Distributed System Security Symposium (NDSS), February 2001.
[15] Li D, Su P, Feng D. Router numbering based packet marking. Proceedings of the 9th International Conference on Distributed Multimedia Systems, Miami, Florida, USA, September 2003: 698-703.
[16] Snoeren A C, Partridge C, Sanchez L A, Jones C E, Tchakountio F, Kent S T, Strayer W T. Hash-based IP traceback. Proceedings of ACM SIGCOMM 2001: 3-14.
[17] Sanchez L A, Milliken W C, Snoeren A C, Tchakountio F, Jones C E, Kent S T, Partridge C, Strayer W T. Hardware support for a hash-based IP traceback. Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX II), June 2001.
[18] Snapp S R, et al. DIDS (Distributed Intrusion Detection System): motivation, architecture and an early prototype. Proceedings of the 14th National Computer Security Conference, 1991.
[19] Jung H T, et al. Caller identification system in the Internet environment. Proceedings of the 4th USENIX Security Symposium, 1993.
[20] Staniford-Chen S, Heberlein L T. Holding intruders accountable on the Internet. Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, 1995.
[21] Yoda K, Etoh H. Finding a connection chain for tracing intruders. Proceedings of the 6th European Symposium on Research in Computer Security (ESORICS 2000, LNCS 1895), Toulouse, France, 2000.
[22] Wang X, Reeves D S, Wu S F, et al. Sleepy watermark tracing: an active network-based intrusion response framework. Proceedings of the 16th International Conference on Information Security (IFIP/Sec 2001), Paris, France, 2001.
[23] Lee S C, Shields C. Tracing the source of network attack: a technical, legal and societal problem. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 2001.
[24] Song D X, Perrig A. Advanced and authenticated marking schemes for IP traceback. Proceedings of IEEE INFOCOM 2001, Anchorage, Alaska, April 2001: 878-886.
[25] Li D, Su P, Feng D. Notes on packet marking for IP traceback. Journal of Software, 2004, 15(2): 250-258.
[26] Park K, Lee H. On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. Proceedings of IEEE INFOCOM 2001, Anchorage, Alaska, April 2001: 338-347.
[27] Peng T, Leckie C, Kotagiri R. Adjusted probabilistic packet marking for IP traceback. Proceedings of the 2nd IFIP Networking Conference (Networking 2002), Pisa, Italy, May 2002: 697-708.
[28] Savage S, Wetherall D, Karlin A, Anderson T. Practical network support for IP traceback. Proceedings of ACM SIGCOMM 2000, August 2000.
[29] Snoeren A C, Partridge C, Sanchez L A, Jones C E, Tchakountio F, Kent S T, Strayer W T. Hash-based IP traceback. Proceedings of ACM SIGCOMM 2001: 3-14.
[30] Snoeren A C, Partridge C, Sanchez L A, Jones C E, Tchakountio F, Schwartz B, Kent S T, Strayer W T. Single-packet IP traceback. IEEE/ACM Transactions on Networking, 2002.
[31] Yan Qiao, Wu Jianping, Jiang Yong. Classification and prospects of network attack source traceback techniques (网络攻击源追踪技术的分类和展望). Journal of Tsinghua University (Science and Technology), 2005, 45(4): 497-500.
[32] Stone R. CenterTrack: an IP overlay network for tracking DoS floods. Proceedings of the 9th USENIX Security Symposium, 2000.
[33] Tupakula U, Varadharajan V. A practical method to counteract denial of service attacks. Proceedings of the 26th Australasian Computer Science Conference, February 2003.
[34] Li Xiaoyong. Research on Key Techniques of Network Intrusion Detection (网络入侵检测关键技术研究) [dissertation]. Shanghai: Shanghai Jiao Tong University, 2002: 89-90.
[35] Sheng Zhiwei, Liu Shiyun, Li Qun. Ethernet packet capture and forwarding techniques (以太网数据包捕获与转发技术). Microcomputer Information, 2006(12): 279-282.
[36] Luo Zhen, Pei Changxing, Zhu Changhua. Technical analysis of DDoS attacks and defence strategies (DDoS攻击的技术分析与防御策略). Electronic Science and Technology, 2006(12): 74-78.
[37] Ferguson P, Senie D. Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. RFC 2267, IETF, January 1998.
[38] Chang R K C. Defending against flooding-based distributed denial-of-service attacks: a tutorial. IEEE Communications Magazine, October 2002: 42-51.
[39] Li J, Sung M, Xu J, Li L, Zhao Q. Large-scale IP traceback in high-speed Internet: practical techniques and theoretical foundation. Proceedings of the IEEE Symposium on Security and Privacy, May 2004.