Research on DDoS Attack Techniques and Defense Methods
Abstract
Networks are ever more widespread and important in human society: the Internet has tied people's study, work and daily life closely together, but its latent security problems have grown correspondingly serious, and new attack techniques appear constantly. Among them, denial-of-service (DoS) attacks have become one of the most common network attack techniques because they have a wide attack range, are hard to detect, are simple and effective, cause great damage and are difficult to defend against. Distributed denial-of-service (DDoS) attacks are even more destructive and seriously threaten the security of the Internet; the losses caused by such an attack are hard to quantify. Building an effective defense mechanism against DDoS attacks is therefore one of the important goals of current network security work.
     The thesis first studies the technical principles and methods of DoS and DDoS attacks together with typical DDoS attack tools, and then analyses the current state of research on DDoS detection and defense. On this basis it applies attack-tree analysis to give an attack-tree model of DDoS attacks from an integral, systematic point of view, and formally describes that model in the Object-Z specification language, as a reference for the analysis, detection and defense of DDoS attacks. Next, from the perspective of an ISP (Internet Service Provider) domain, it introduces mobile-agent technology and the idea of integrated defense, explores the construction of a mobile-agent-based DDoS defense model, and designs in detail the mobile-agent components of that model. Mobile-agent technology gives the defense model itself a certain resistance to DDoS attacks, while integrating several defense methods (flow monitoring, traffic filtering and traceback) avoids the limitations of any single method and gives the model good scalability. The thesis then proves by logical reasoning that the mobile-agent-based defense model can effectively defend against distributed denial-of-service attacks, and a mobile-agent prototype program demonstrates the technical feasibility of using mobile agents to build such a model. Finally, directions for future research are pointed out.
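The abstract says the thesis models DDoS attacks as an attack tree and uses the model to reason about detection and defense, but the tree itself is not reproduced on this page. The following Python is an added example, not code from the thesis: it implements the standard AND/OR attack-tree semantics (Schneier-style), enumerates the minimal attack scenarios, ranks them by an illustrative attacker cost, and shows what a partial defense leaves open versus the smallest set of leaf countermeasures that closes every path. The tree (`DDOS_TREE`), its leaf names and the cost values are the editor's assumptions based on the generic handler/agent DDoS structure the abstract describes, not the thesis's own model.

```python
"""AND/OR attack-tree analysis of a DDoS attack (added example; the tree and
costs below are assumed for illustration and are not taken from the thesis)."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                      # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    cost: int = 0                           # illustrative attacker effort (leaves only)


def _minimize(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Keep only minimal scenarios: drop any that strictly contains another."""
    return {s for s in sets if not any(o < s for o in sets)}


def scenarios(node: Node) -> Set[FrozenSet[str]]:
    """Minimal attack scenarios for `node`: each is a set of leaf actions whose
    joint success satisfies the node. OR = union of the children's scenarios;
    AND = every combination of one scenario per child."""
    if node.kind == "LEAF":
        return {frozenset([node.name])}
    if node.kind == "OR":
        return _minimize(set().union(*(scenarios(c) for c in node.children)))
    if node.kind == "AND":
        combined: Set[FrozenSet[str]] = {frozenset()}
        for child in node.children:
            combined = {a | b for a in combined for b in scenarios(child)}
        return _minimize(combined)
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaf_costs(node: Node, acc: Dict[str, int] = None) -> Dict[str, int]:
    """Map every leaf name in the tree to its cost."""
    acc = {} if acc is None else acc
    if node.kind == "LEAF":
        acc[node.name] = node.cost
    for child in node.children:
        leaf_costs(child, acc)
    return acc


def cheapest_scenario(tree: Node) -> Tuple[int, List[str]]:
    """The least-effort attack path (ties broken by sorted leaf names)."""
    costs = leaf_costs(tree)
    ranked = sorted((sum(costs[leaf] for leaf in s), sorted(s)) for s in scenarios(tree))
    return ranked[0]


def surviving_scenarios(tree: Node, mitigated: FrozenSet[str]) -> Set[FrozenSet[str]]:
    """Scenarios untouched by the mitigated leaves: what a partial defense leaves open."""
    return {s for s in scenarios(tree) if not (s & mitigated)}


def minimal_defense(tree: Node) -> FrozenSet[str]:
    """Smallest set of leaves whose mitigation blocks every scenario
    (brute-force hitting set; adequate for trees with a dozen or so leaves)."""
    all_scenarios = scenarios(tree)
    leaves = sorted(leaf_costs(tree))
    for size in range(1, len(leaves) + 1):
        for combo in combinations(leaves, size):
            chosen = frozenset(combo)
            if all(s & chosen for s in all_scenarios):
                return chosen
    return frozenset()


# Assumed illustrative tree: attacker must first build a handler/agent network
# (AND) and then launch one of several flood types (OR).
DDOS_TREE = Node("deny service to victim", "AND", [
    Node("build attack network", "AND", [
        Node("compromise hosts", "OR", [
            Node("exploit unpatched service", cost=3),
            Node("spread malware by e-mail", cost=2),
        ]),
        Node("install agent software", cost=1),
        Node("set up handler-to-agent control channel", cost=2),
    ]),
    Node("launch flood", "OR", [
        Node("bandwidth flood", "OR", [
            Node("UDP flood", cost=1),
            Node("ICMP flood", cost=1),
            Node("smurf amplification", cost=2),
        ]),
        Node("resource exhaustion", "OR", [
            Node("SYN flood", cost=1),
            Node("HTTP request flood", cost=3),
        ]),
    ]),
])

if __name__ == "__main__":
    for s in sorted(scenarios(DDOS_TREE), key=sorted):
        print(sorted(s))
    print("cheapest:", cheapest_scenario(DDOS_TREE))
    print("left open if only smurf is filtered:",
          len(surviving_scenarios(DDOS_TREE, frozenset({"smurf amplification"}))))
    print("minimal cut:", sorted(minimal_defense(DDOS_TREE)))
```

Running it lists ten minimal scenarios (two ways to build the agent network times five flood types). Filtering a single flood type removes only the scenarios that use it, which is the limitation of a single defense method that the abstract's integrated approach is meant to avoid; the smallest cut that blocks every path lies in the agent-deployment stage, which an ISP-domain defense cannot usually reach, so its monitoring, filtering and traceback components have to cover the flood leaves jointly.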