Research on DDoS Attacks and Their Countermeasures
Abstract
Distributed denial of service (DDoS) attacks are a new form of denial of service (DoS) attack that has emerged in recent years. Because of their distributed nature, DDoS attacks command far more attack resources than traditional DoS attacks, are much more destructive, and are harder to defend against. DDoS attacks already pose a serious threat to Internet security and have become a research hotspot in the network security community. This thesis analyzes the attack mechanism of DDoS in detail and introduces a new taxonomy to carry out a comprehensive, in-depth study and classification of existing DDoS attack methods, with the emphasis on the most common one, the TCP flooding attack. It then studies, compares and evaluates existing defensive measures in three phases, focusing on detection-filtering mechanisms applied during an attack and on attack-source traceback techniques. On this basis, the thesis proposes two new attack detection-filtering mechanisms: the Distributed Attack Detection-Filtering (DADF) mechanism and the Local Attack Detection-Filtering (LADF) mechanism against TCP flooding attacks. Within these, we propose an anomaly detection technique based on the statistical distribution of IP addresses for attack detection. In addition, for TCP flooding attacks we propose a "shock" detection technique to further improve detection efficiency. Of the two new mechanisms, the former is deployed on Internet core routers or on key routers of regional autonomous systems as security infrastructure; the latter is deployed in the victim's network and its upstream ISP's network and defends well against TCP flooding attacks.
Distributed Denial of Service (DDoS) attack is a newly developed attack type that extends the Denial of Service (DoS) attack. Due to its distributed nature, a DDoS attack possesses more attack resources and has more destructive power, so it is very difficult to keep such attacks away. DDoS attacks pose a great threat to Internet security, and research on them has become a hotspot in the network security field.
By proposing new taxonomies, the attack mechanism of DDoS attacks is analyzed in detail and a thorough study and classification of DDoS attack means is given, with the emphasis on the commonly used TCP flooding attacks. Then, the existing countermeasures are studied, compared and evaluated in detail, and the research emphasis is put on the detection-filtering mechanism and the IP traceback technique.
Two new kinds of detection-filtering mechanism are proposed in this paper: the Distributed Attack Detection-Filtering mechanism (DADF) and the Local Attack Detection-Filtering mechanism (LADF). An anomaly detection technique based on the statistical distribution characteristics of IP addresses is presented to provide attack detection. In addition, the "shock" detection technique is proposed to counter TCP flooding attacks, which improves the efficiency of detection. Of the two new mechanisms, the former can act as security infrastructure, deployed on Internet core routers or on key routers in regional autonomous systems; the latter can be deployed on the victim and its upstream ISP network, where it counters TCP flooding attacks effectively.
