Construction and simulation of network equipment participating in DDoS defense system
  • Title (English): Construction and simulation of network equipment participating in DDoS defense system
  • Authors: Zhang Jinhui; Zhang Wenxiu
  • Keywords: distributed denial of service; attack defending; network security; internet service provider
  • Journal code: WXJY
  • Journal: Information Technology and Network Security
  • Affiliations: Nanjing Research Institute, Huawei Technologies Co., Ltd.; School of Government Audit, Nanjing Audit University
  • Publication date: 2019-01-10
  • Publisher: Information Technology and Network Security
  • Year: 2019
  • Issue: v.38; No.501
  • Funding: Jiangsu Provincial Department of Education University Philosophy and Social Science Research Project (2016SJB630046); Nanjing Audit University Government Audit Research Fund (GAS161026)
  • Language: Chinese
  • Page: WXJY201901001
  • Number of pages: 6
  • CN: 01
  • ISSN: 10-1543/TP
  • Classification number: 5-10
Abstract
Distributed denial of service (DDoS) attacks seriously threaten network security. Existing DDoS defense methods suffer from insufficient defense capacity under attack and wasted capacity when there is no attack. By notifying the internet service provider (ISP), when a DDoS attack occurs, to temporarily drop the traffic of already discovered attack tuples inside the network, the defense capacity that must be deployed can be significantly reduced while DDoS defense is still ensured. Simulation experiments show that dropping the traffic of known attack tuples for a reasonable duration blocks 99.9% of the attack traffic while only 0.55% of the attack traffic is detected. At the same time, only 2% of legitimate traffic is blocked due to misjudgment, and the load on the protected object rises by only 1.77% compared with normal conditions.
