分布式拒绝服务攻击的防御研究及实现
摘要
近年来出现的分布式拒绝服务攻击(DDoS)对网络安全和信息的可用性造成了巨大的威胁。DDoS攻击由于实现简单、破坏性很大,而被攻击者广泛使用。目前大多数的DDoS攻击通过TCP协议实现,主要采用TCP洪流攻击。对于DDoS及TCP SYN Flood攻击的研究已成为信息安全研究的热点,国内外一些厂家也开发出了专门的应对产品。但要想很好地检测和防范DDoS以彻底保障系统的安全性,就需要我们对DDoS攻击特点进行深入的研究,有针对性的提出解决方案。
研究DDoS攻击发生时报文流呈现统计分布特性是目前防御策略研究的一个方向。虽然攻击源伪造源IP地址,但其发出的攻击包所经过的路由路径(其决定了某个TTL值)只由真实来源决定。TCPSYNFlood攻击发生时,在路由器会引起某些异常情况,如流量异常(可能会流量猛增),报文流一些特征的统计分布特性发生改变(如源IP地址的随机分布特性,TTL字段的分布特性)等。因此,我们提出基于TTL值检测防御TCP SYN Flood攻击。利用跳数的统计分布特性,达到区分合法包与伪造包的目的。结合流量异常检测技术实现快捷有效地识别攻击。
Linux因其健壮性、可靠性、灵活性以及可定制性而在IT业界变得非常受欢迎,所以目前服务器大多使用Linux操作系统。本文选用Linux系统作为基础,并利用内核Netfilter防火墙,架构一个检测防御系统。主要利用连接跟踪模块对基于TTL检测防御机制进行功能扩充。通过防火墙技术,在网络边界建立相应的网络通信监控系统来保障网络安全。
The DDoS(Distributed Denial of Service) attack threats the safe of network and the usability of the information very much, in recent years. Because of simpleness and validity, it is used widely by attackers. Now most DDoS attacks are TCP flood attacks and are implemented according to TCP protocol. The study of DDoS and TCP SYN flood becomes the hotspot of research about information security. Many foreign and home manufactures develop the special products. In order to detect and defend DDoS to ensure the safe of the system thoroughly, we have to research about the characteristic to solve the problem.
When DDoS happens, the flood presents some characteristics, such as the statistical distributing. Although an attacker can forge any field in the IP header, he or she cannot falsify the numbers of hops an IP packet takes the reach its destination, which is solely determined by the Internet routing infrastructure. The hop-count information is indirectly reflected in the TTL field of the IP header. We propose a TTL-based filter to weed out spoofed IP packets. Through the statistical distributing of the hops, we can distinguish the legal packets and spoofed packets.
Linux is very popular in the IT field because of its robustness, reliability, flexibility and customizability, so currently most of the servers use Linux operating system. Choosing Linux OS as the basis, and making use of netfilter, we construct the detecting and defending system. We make use of Connection Tracking in order to extend the function. Through the firewall, the system can watch the communication in the border.
研究DDoS攻击发生时报文流呈现统计分布特性是目前防御策略研究的一个方向。虽然攻击源伪造源IP地址,但其发出的攻击包所经过的路由路径(其决定了某个TTL值)只由真实来源决定。TCPSYNFlood攻击发生时,在路由器会引起某些异常情况,如流量异常(可能会流量猛增),报文流一些特征的统计分布特性发生改变(如源IP地址的随机分布特性,TTL字段的分布特性)等。因此,我们提出基于TTL值检测防御TCP SYN Flood攻击。利用跳数的统计分布特性,达到区分合法包与伪造包的目的。结合流量异常检测技术实现快捷有效地识别攻击。
Linux因其健壮性、可靠性、灵活性以及可定制性而在IT业界变得非常受欢迎,所以目前服务器大多使用Linux操作系统。本文选用Linux系统作为基础,并利用内核Netfilter防火墙,架构一个检测防御系统。主要利用连接跟踪模块对基于TTL检测防御机制进行功能扩充。通过防火墙技术,在网络边界建立相应的网络通信监控系统来保障网络安全。
The DDoS(Distributed Denial of Service) attack threats the safe of network and the usability of the information very much, in recent years. Because of simpleness and validity, it is used widely by attackers. Now most DDoS attacks are TCP flood attacks and are implemented according to TCP protocol. The study of DDoS and TCP SYN flood becomes the hotspot of research about information security. Many foreign and home manufactures develop the special products. In order to detect and defend DDoS to ensure the safe of the system thoroughly, we have to research about the characteristic to solve the problem.
When DDoS happens, the flood presents some characteristics, such as the statistical distributing. Although an attacker can forge any field in the IP header, he or she cannot falsify the numbers of hops an IP packet takes the reach its destination, which is solely determined by the Internet routing infrastructure. The hop-count information is indirectly reflected in the TTL field of the IP header. We propose a TTL-based filter to weed out spoofed IP packets. Through the statistical distributing of the hops, we can distinguish the legal packets and spoofed packets.
Linux is very popular in the IT field because of its robustness, reliability, flexibility and customizability, so currently most of the servers use Linux operating system. Choosing Linux OS as the basis, and making use of netfilter, we construct the detecting and defending system. We make use of Connection Tracking in order to extend the function. Through the firewall, the system can watch the communication in the border.
引文
[1] Andrew S.Tanenbaum.计 算 机 网 络 (熊 桂 喜 ,王 小 虎 译 ).北 京 : 清 华 大 学 出版 社 ,2000.259-419
[2] Thomer M.Gill.MULTOPS: a data structure for DOS detection.Dec 2000
[3] John Ioannidis and Steven M.Bellovin.Implementing Pushback: Router-Based Defense Against DDoS Attacks.2003
[4]RyanBickhart.TTLFilteringforDDoSDefense. www.cis.udel.edu/~bickhart/security/ttlfilter.ppt. 2004
[5] Cheng Jin, Haining Wang, et al. Hop-Count Filtering: An Effective DefenseAgainstSpoofedDDosTraffic.www.eecs.umich.edu/techreports/cse/2003/CSE-TR-473-03.pdf. 2004
[6] Felix Lau, Stuart h. Rubin,et al. Distributed Denial Of Service Attacks.2002
[7] L.Grber.Denial-of-service attacks rip the internet.IEEE Comput,vol.33.
[8] C.L.Schuba.Analysis of denial of service attack in TCP.IEEE Symp.Security Privacy,Oakland,CA,1997,pp,208-223
[9] Ratul Mahajan,steven M Bellovin,et al.Controlling High Bandwidth Aggregate in the Network
[10] Hal Burch,Bill Chewick.Tracing Anonymous Packets to Their Approximate Source
[11] Department of Computer Science University of Kentucky.DENIAL OF SERVICE-UNLEASHED
[12] Jonathan Lemon.Resisting SYN flood DoS attacks with a SYN cache
[13] 吴 虎 , 云 超 . 对 DDOS 攻 击 防 范 策 略 的 研 究 及 若 干 实 现 , 计 算 机 应 用 研究 .2002
[14] 王 锐 ,周 刚 译 .网 络 最 高 安 全 技 术 指 南 .北 京 : 机 械 工 业 出 版 社 , 1999
[15] 濮 青 ,基 于 网 络 拒 绝 服 务 攻 击 的 技 术 分 析 与 安 全 策 略 ,成 都 :计 算 机 应用 研 究
[16] 张 文 科 , 陈 雷 霆 等 .蜜 罐 技 术 在 防 御 分 布 式 拒 绝 服 务 攻 击 中 的 应 用 .成都:通信技术,2003
[17]陆庆,周世杰,基于边采样包标记的IP源回溯系统,计算机应用,2003
[18]简清明,王兰英.LINUX下DOS和DDOS攻击的防范,肇庆学院院报.2004
[19]刘峰,范松波等.DDoS攻击报文过滤器在Linux防火墙中的应用.长沙通信职业技术学校学报.20054(3)
[20]孙曦,朱晓妍等.DDoS下的洪流攻击及对策.网络安全与技术应用.2004
[21]李永禄.新型防火墙核心技术的研究与设计:[硕士学位论文].北京:北京工业大学,2004
[22]丁松阳.Linux内核防火墙源代码:[硕士学位论文].解放军信息工程大学,2002
[2] Thomer M.Gill.MULTOPS: a data structure for DOS detection.Dec 2000
[3] John Ioannidis and Steven M.Bellovin.Implementing Pushback: Router-Based Defense Against DDoS Attacks.2003
[4]RyanBickhart.TTLFilteringforDDoSDefense. www.cis.udel.edu/~bickhart/security/ttlfilter.ppt. 2004
[5] Cheng Jin, Haining Wang, et al. Hop-Count Filtering: An Effective DefenseAgainstSpoofedDDosTraffic.www.eecs.umich.edu/techreports/cse/2003/CSE-TR-473-03.pdf. 2004
[6] Felix Lau, Stuart h. Rubin,et al. Distributed Denial Of Service Attacks.2002
[7] L.Grber.Denial-of-service attacks rip the internet.IEEE Comput,vol.33.
[8] C.L.Schuba.Analysis of denial of service attack in TCP.IEEE Symp.Security Privacy,Oakland,CA,1997,pp,208-223
[9] Ratul Mahajan,steven M Bellovin,et al.Controlling High Bandwidth Aggregate in the Network
[10] Hal Burch,Bill Chewick.Tracing Anonymous Packets to Their Approximate Source
[11] Department of Computer Science University of Kentucky.DENIAL OF SERVICE-UNLEASHED
[12] Jonathan Lemon.Resisting SYN flood DoS attacks with a SYN cache
[13] 吴 虎 , 云 超 . 对 DDOS 攻 击 防 范 策 略 的 研 究 及 若 干 实 现 , 计 算 机 应 用 研究 .2002
[14] 王 锐 ,周 刚 译 .网 络 最 高 安 全 技 术 指 南 .北 京 : 机 械 工 业 出 版 社 , 1999
[15] 濮 青 ,基 于 网 络 拒 绝 服 务 攻 击 的 技 术 分 析 与 安 全 策 略 ,成 都 :计 算 机 应用 研 究
[16] 张 文 科 , 陈 雷 霆 等 .蜜 罐 技 术 在 防 御 分 布 式 拒 绝 服 务 攻 击 中 的 应 用 .成都:通信技术,2003
[17]陆庆,周世杰,基于边采样包标记的IP源回溯系统,计算机应用,2003
[18]简清明,王兰英.LINUX下DOS和DDOS攻击的防范,肇庆学院院报.2004
[19]刘峰,范松波等.DDoS攻击报文过滤器在Linux防火墙中的应用.长沙通信职业技术学校学报.20054(3)
[20]孙曦,朱晓妍等.DDoS下的洪流攻击及对策.网络安全与技术应用.2004
[21]李永禄.新型防火墙核心技术的研究与设计:[硕士学位论文].北京:北京工业大学,2004
[22]丁松阳.Linux内核防火墙源代码:[硕士学位论文].解放军信息工程大学,2002
© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号 地址:北京市海淀区学院路29号 邮编:100083 电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700 |