Design and Implementation of a DDoS Protection System Based on a Linux Gateway
Abstract
With the spread and deepening of network applications, denial-of-service (DoS) attacks pose an ever-growing threat to network security. The purpose of a denial-of-service attack is not to steal information, but it can paralyse devices or networks so that users cannot access network resources. Given the destructiveness of current DDoS attacks, research on defending against them is especially important. This thesis centres on the topic of a DDoS protection gateway: on the basis of Linux Netfilter/iptables it designs and implements a module that dynamically filters DDoS attack packets, and achieves good experimental results.
First, the thesis introduces the layering of the TCP/IP protocol suite and describes in detail several important protocols of the TCP/IP family: the Internet Protocol (IP), the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). These three protocols are explained and described in detail, and the two transport-layer protocols are compared.
Second, the thesis analyses in detail the various forms and principles of DoS attacks and describes the methods and principles of DDoS attacks. It then analyses in detail how most DDoS attacks use the TCP flood attack SYN Flood, presents the principle of SYN Cookies, currently the most effective defence against this attack, makes improvements to it, and gives the model and principle for implementing the firewall.
Third, the thesis introduces the hardware platform adopted by the system and the system's platform structure and principles. On the basis of an in-depth analysis of the Linux Netfilter/iptables architecture and code, it designs a dynamic-filtering protection module to filter DDoS attack packets, gives the overall approach and flow of attack protection together with the action algorithms for handling the various kinds of attack packets, and presents the main operating interface of the firewall and the experimental test data, providing a theoretical and practical basis for future research.
Finally, the thesis is summarised and the prospects of network security are discussed.
With the popularity of network applications, the threat of DoS (denial of service) attacks to network security is increasing. The goal of a DoS attack is not to steal information, but it can paralyse equipment and networks so that users cannot access network resources. Given the destructiveness of current DDoS attacks, research on defending against such attacks is particularly important. This paper is based on a DDoS protective gateway. On the basis of Linux Netfilter-iptables, a dynamic filtering module for DDoS attacks is designed, and good test results are obtained.
Firstly, the layering of TCP/IP is introduced. Several important protocols of the TCP/IP protocol family are described in detail: the Internet Protocol (IP), the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). These three protocols are explained in detail, and the two transport protocols are compared.
Secondly, the various methods and principles of DoS attacks are analysed, and then the methods and principles of DDoS attacks are described. Since DDoS attacks mainly use the TCP flood attack SYN Flood, the most effective method of preventing this attack, the SYN Cookie principle, is presented and some improvements are made. A model of the firewall is given.
Thirdly, the hardware platform of the system is introduced, and the principles and construction of the platform are described. After the structure of Linux Netfilter-iptables is analysed in depth, a dynamic filter for DDoS attack packets is designed. The overall ideas and processes of the protection are given, and the algorithms for filtering attack packets are also given, providing a theoretical and application basis for future study.
Finally, a summary and the prospects of network security are presented.