Research on Source-Based Defense Methods Against DDoS Attacks
Abstract (translated from the Chinese abstract)
With the development of the Internet, denial-of-service attack tools are readily available and easy to operate, so distributed denial-of-service (DDoS) attacks occur with increasing frequency. DDoS attacks are widely recognised as one of the hardest problems on the Internet; in particular, there is still no effective solution to bandwidth-consumption attacks.
This thesis studies effective defenses against such attacks. First, the method proposed by Mahajan et al. is improved in two respects: IP traceback and effective discrimination between legitimate and illegitimate packets. The improved method better protects the network bandwidth between the attack sources and the victim as well as legitimate packets on non-attack paths, and to some extent also protects legitimate packets on attack paths. Second, a method based on probabilistic edge marking for identifying the location of attack sources is proposed. It addresses the problems that probabilistic edge marking does not give the attack-source location and that attackers can forge the marking field, and it yields a more accurate attack path. Finally, considering timely detection and response, the idea of having routers detect and control DDoS attacks is proposed, together with corresponding router-based methods for detecting and controlling DDoS attacks. Simulation experiments validate the effectiveness of this method: they show that our method can detect DDoS attacks in time and bring them under control. The method shortens detection and response time and, when its parameters are configured appropriately, can control an attack before it becomes widespread.
English abstract (as given in the record)
With the development of the Internet, the tools of distributed denial of service attacks are available everywhere and easily operated, so distributed denial of service attacks happen frequently. Distributed denial of service attacks have been considered one of the most difficult security problems. In particular, there is no effective defense against bandwidth depletion attacks.
This paper mainly researches methods to defend against distributed denial of service attacks. Firstly, the method of Mahajan et al. is improved in IP traceback and in differentiating good and bad packets. The improved method can protect network bandwidth resources between attack sources and the victim, and legitimate packets on non-attack paths. It can also protect legitimate packets on attack paths to a certain extent. Secondly, a probabilistic edge marking-based method to locate attackers is presented. This method resolves the problems that Probabilistic Edge Marking cannot give the locations of attack sources and that attackers can forge the marking field. It can achieve a more exact attack path. Finally, a method to let the router detect DDoS attacks is proposed in order to detect and respond to them quickly. The methods to detect and control distributed denial of service attacks on the router are given. The method is validated by network simulation experiments. Experimental results show that the method can detect distributed denial of service attacks and control them in time. It can reduce the time to detect and control distributed denial of service attacks, and it can control an attack before it prevails when the parameters are set suitably.
References
[1] L. Garber, Denial-of-Service Attacks Rip the Internet, Computer, vol. 33, no. 4, pp. 12-17, Apr. 2000.
[2] J. Howard, An Analysis of Security Incidents on the Internet, PhD thesis, Carnegie Mellon Univ., Aug. 1998.
[3] Steven Gibson, The Distributed Reflection DoS Attack, Gibson Research Corporation, February 22, 2002, http://grc.com/dos/drdos.htm
[4] Andrey Belenky, Nirwan Ansari, On IP Traceback, IEEE Communications Magazine, pp. 142-153, July 2003.
[5] Robert Stone, CenterTrack: An IP Overlay Network for Tracking DoS Floods, 9th USENIX Security Symposium, pp. 199-212, 14-17 August 2000, Denver, Colorado, USA, The USENIX Association.
[6] Hal Burch, Bill Cheswick, Tracing Anonymous Packets to Their Approximate Source, Proc. USENIX LISA'00, 2000.
[7] A.C. Snoeren et al., Single-Packet IP Traceback, IEEE/ACM Trans. Networking, vol. 10, no. 6, 2002.
[8] T. Baba, S. Matsuda, Tracing Network Attacks to Their Sources, IEEE Internet Computing, vol. 6, no. 3, 2002.
[9] S. Bellovin, M. Leech, T. Taylor, ICMP Traceback Messages, Internet Draft, Internet Eng. Task Force, 2003; work in progress.
[10] A. Mankin et al., On Design and Evaluation of 'Intention-Driven' ICMP Traceback, Proc. IEEE Int'l Conf. Computer Comm. and Networks, IEEE CS Press, 2001, pp. 159-165.
[11] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, Practical Network Support for IP Traceback, Proc. ACM SIGCOMM 2000, pp. 295-306, Aug. 2000.
[12] D. Song and A. Perrig, Advanced and Authenticated Marking Schemes for IP Traceback, Proc. INFOCOM 2001, Apr. 2001.
[13] Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao, Adjusted Probabilistic Packet Marking for IP Traceback, NETWORKING 2002, pp. 697-708.
[14] Drew Dean, Matt Franklin, Adam Stubblefield, An Algebraic Approach to IP Traceback, Proc. 2001 Network and Distributed System Security Symposium.
[15] Joao B.D. Cabrera et al., Proactive Detection of Distributed Denial of Service Attacks using MIB Traffic Variables - A Feasibility Study, in Proceedings of the 7th IFIP/IEEE International Symposium on Integrated Network Management, Seattle, WA, May 2001.
[16] Yih Huang, J. Mark Pullen, Countering Denial-of-Service Attacks Using Congestion Triggered Packet Sampling and Filtering, in 10th International Conference on Computer Communications and Networks, 2001.
[17] Haining Wang, Danlu Zhang, Kang G. Shin, Detecting SYN Flooding Attacks, INFOCOM 2002.
[18] Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao, Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring, draft, November 2002, http://www.ee.mu.oz.au/pgrad/taop/research/detection.pdf
[19] R. Mahajan, S. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, Controlling High Bandwidth Aggregates in the Network, technical report, ACIRI and AT&T Labs Research, Feb. 2001.
[20] Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao, Protection from Distributed Denial of Service Attacks Using History-based IP Filtering, IEEE International Conference on Communications, 2003.
[21] J. Jung, B. Krishnamurthy, and M. Rabinovich, Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites, May 7-11, 2002, USA, ACM 1-58113-449-5/02/0005.
[22] Abraham Yaar, Adrian Perrig, Dawn Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, IEEE Symposium on Security and Privacy, 2003.
[23] Minho Sung, Jun Xu, IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks, 10th IEEE International Conference on Network Protocols (ICNP), Paris, France, Nov. 2002.
[24] Gaeil Ahn, Kiyoung Kim, Jongsoo Jang, MF (Minority First) Scheme for Defeating Distributed Denial of Service Attacks, Eighth IEEE International Symposium on Computers and Communications, June 30-July 3, 2003.
[25] P. Ferguson, D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing, RFC 2267, January 1998.
[26] K. Park, H. Lee, On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets, in Proceedings of ACM SIGCOMM 2001, San Diego, CA, August 2001.
[27] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, SAVE: Source Address Validity Enforcement Protocol, in Proceedings of IEEE INFOCOM 2002, New York City, NY, June 2002.
[28] Cheng Jin, Haining Wang, Kang G. Shin, Hop-Count Filtering: An Effective Defense Against Spoofed Traffic, Conference on Computer and Communications Security, pp. 30-41, Washington D.C., USA.
[29] 薛东, 赵国庆, 胡建伟, A reverse tracing algorithm for denial-of-service network routes, 电子对抗技术, vol. 17, no. 2, 2002, pp. 26-30.
[30] 梁丰, 赵新建, David You, Real-time IP traceback through adaptive probabilistic packet marking, 软件学报, vol. 14, no. 5, 2003, pp. 1005-1010.
[31] 陆庆, 周世杰, An IP source traceback system based on edge-sampling packet marking, 计算机应用, vol. 23, no. 3, March 2003, pp. 21-23.
[32] 余详宣, 刘铭, A distributed model for detecting and preventing DoS attacks and its implementation, 华中科技大学学报, vol. 30, no. 3, March 2002, pp. 19-21.
[33] 赵华峰, 罗维亮, Using resource control to defend against resource-exhaustion denial-of-service attacks, 渭南师范学院学报, vol. 18, no. 2, March 2003, pp. 61-63.
[34] 刘辉, Methods and countermeasures for preventing distributed network attacks, 河南科学, vol. 20, no. 3, June 2002, pp. 304-307.
[35] 林栋, Denial-of-service (DoS) attacks: offense and defense, 广东通信技术, vol. 23, no. 4, April 2003, pp. 26-28.
[36] 吴海威, ICMP attacks and ICMP-based route spoofing techniques, 海南广播电视大学学报, no. 2, 2003, pp. 82-84.
[37] 周伟, 王丽娜, 张焕国, 傅建明, A new DDoS attack method and countermeasures, 计算机工程与应用, January 2003, pp. 144-146.
[38] Vern Paxson, An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, Computer Communication Review, vol. 31, no. 3, July 2001.
[39] Jelena Mirkovic, Janice Martin, Peter Reiher, A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, Computer Science Department, University of California, Los Angeles, Technical Report #020018.
[40] Ruby B. Lee, Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures, Princeton University Department of Electrical Engineering Technical Report CE-L2003-003, May 2003.
[41] 蔡淑珍, Analysis of denial-of-service attacks and research on defense solutions, thesis, 南京师范大学, May 2003.
[42] K.T. Law, John C.S. Lui, David K.Y. Yau, You Can Run, But You Can't Hide: An Effective Methodology to Traceback DDoS Attackers, The Tenth IEEE/ACM International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS), Fort Worth, Texas, USA, 12-16 October 2002.
[43] Haining Wang, Kang G. Shin, Transport-Aware IP Routers: A Built-In Protection Mechanism to Counter DDoS Attacks, IEEE Trans. Parallel Distrib. Syst., vol. 14, no. 9, pp. 873-884, 2003.
[44] K. Nichols, V. Jacobson, and L. Zhang, A Two-Bit Differentiated Services Architecture for the Internet, RFC 2638, July 1999.
[45] 苑森苗 et al., 数据结构 (Data Structures), 吉林科学技术出版社, 2nd ed., December 1995.
[46] Balachander Krishnamurthy, Jia Wang, On Network-Aware Clustering of Web Clients, Proceedings of ACM SIGCOMM 2000.
[47] M. Basseville and I. V. Nikiforov, Detection of Abrupt Changes: Theory and Application, Prentice Hall, 1993.
[48] 濮晓龙, An improvement to the cumulative sum (CUSUM) detection algorithm, 应用数学报, vol. 26, no. 2, April 2003.
[49] 徐雷鸣, 庞博, 赵耀, NS与网络模拟 (NS and Network Simulation), 人民邮电出版社, 1st ed., November 2003.
[50] Virginia Tech, Beginner's Guide to ns2 - Installation and Basic Usage, ECE 5984: Network Performance, Design, and Management, Spring 2002.
[51] Kevin Fall (Editor), Kannan Varadhan (Editor), The ns Manual, August 27, 2003.
[52] Jae Chung, Mark Claypool, NS by Example, http://nile.wpi.edu/NS/
[53] 刘利, 苏德富, 王国英, An effective method for identifying attack-source locations based on probabilistic edge marking, 计算机工程, accepted.
[54] 刘利, 苏德富, Design of a router-based DDoS attack defense system, 计算机应用, accepted.