Anatomy of Distributed Denial of Service Attacks
Abstract
With the continued development of network technology, network security has become a very important subject. As a means of network attack, denial of service (DoS) has grown increasingly rampant on the Internet in recent years. The distributed denial of service (DDoS) attack is a new form of denial of service (DoS) attack that has emerged in recent years. Because of its distributed nature, a DDoS attack commands far more attack resources than a traditional DoS attack, has much greater destructive power, and is much harder to defend against. DDoS attacks pose a grave threat to Internet security and have become a hot topic of research in the network security community.
     This thesis first briefly reviews the current state of network security, discussing the major network security threats of today and the security vulnerabilities in the Internet's foundational protocol suite, TCP/IP. In particular, it describes the spoofing and attack techniques that exploit those vulnerabilities. It then analyzes the attack mechanism of DDoS in detail, partitions the DDoS attack network model, and presents a comprehensive, in-depth classification of existing DDoS attack techniques according to the attack method used. The thesis then surveys, compares and evaluates the existing defensive measures.
     Finally, it introduces the SYN flood attack, which endangers TCP services, analyzes in detail SYN cookies, a mechanism that effectively defends against SYN flooding, and describes their implementation in the Linux kernel. This shows that an attack based on resource exhaustion can be launched under current conditions regardless of whether the system has a vulnerability, so it cannot be prevented by patching; moreover, traditional defenses require too much manual intervention and cannot respond to an attack in time. To address this shortcoming of SYN cookies, the thesis uses the Linux kernel's Netfilter framework to monitor packet rate at the kernel IP layer and builds on it a mechanism that enables SYN cookies automatically: SYN cookies are turned on only while a SYN flood is under way and turned off promptly once the attack ends, effectively reducing the negative impact SYN cookies have on normal service.
With the development of network technology, network security has become a very important subject. As an Internet attack method, the denial of service (DoS) attack has greatly endangered the Internet in recent years. The distributed denial of service (DDoS) attack is a newly developed attack type that extends the denial of service (DoS) attack. Because of its distributed character, DDoS attacks possess more attack resources and have more destructive power, so they are very difficult to keep away. DDoS attacks pose great threats to Internet security, and research on them has become a hotspot in the network security field.
    This paper first gives a brief review of the history and present situation of network security, the present threats on the network, and the security problems existing in the TCP/IP protocols, especially the spoofing and attack methods that exploit the weaknesses of TCP/IP. Second, it analyzes the attack mechanism of DDoS attacks in detail and, after a thorough study, classifies DDoS attack means according to the different attack methods. Then the existing countermeasures are researched, compared and evaluated in detail.
    Finally, it analyzes the SYN flood attack, which harms all kinds of TCP services, and introduces a defensive method, SYN cookies, in detail. In the course of this research we find that a SYN flood uses resource consumption as its means of attack, and under the current protocol conditions the attack can always be carried out whether or not the operating system has vulnerabilities, so we cannot defend against it by patching the operating system. In addition, traditional detection and defense tactics require much manual action, so we cannot respond to attacks in time. Facing this defect of SYN cookies, we design a mechanism for automatically enabling and disabling SYN cookies: SYN cookies are enabled only when DDoS attacks happen and disabled promptly when the attacks are over. This reduces the adverse effect on normal service availability.
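As an added illustration (not code from the thesis), this user-space C model of the rate-monitoring switch the abstract describes counts TCP SYNs per window at the point where a Netfilter hook would see them, enables the SYN-cookie switch only after consecutive hot windows, and disables it only after consecutive calm windows, so a brief burst or the grey zone between thresholds does not flap the setting. The thresholds, the `run_trace` replay helper and the traffic trace are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Thresholds are constructed for illustration, not values from the thesis. */
#define WIN_MS       1000  /* measurement window length in milliseconds */
#define SYN_ON_RATE  1000  /* SYNs per window at or above which a window is "hot" */
#define SYN_OFF_RATE 100   /* SYNs per window below which a window is "calm" */
#define WINS_TO_ON   2     /* consecutive hot windows before enabling cookies */
#define WINS_TO_OFF  3     /* consecutive calm windows before disabling them */

struct syn_monitor {
    uint64_t win_start_ms; /* start of the window currently being counted */
    uint32_t syn_in_win;   /* TCP SYNs observed in that window */
    unsigned hot_wins;     /* run of consecutive hot windows */
    unsigned calm_wins;    /* run of consecutive calm windows */
    bool     cookies_on;   /* desired state of the SYN-cookie switch */
    unsigned transitions;  /* number of on/off flips, for auditing */
};

void syn_monitor_init(struct syn_monitor *m, uint64_t now_ms) {
    *m = (struct syn_monitor){ .win_start_ms = now_ms };
}

/* Close the current window: update the runs, then apply the hysteresis. */
static void close_window(struct syn_monitor *m) {
    if (m->syn_in_win >= SYN_ON_RATE)      { m->hot_wins++;  m->calm_wins = 0; }
    else if (m->syn_in_win < SYN_OFF_RATE) { m->calm_wins++; m->hot_wins = 0; }
    else                                   { m->hot_wins = 0; m->calm_wins = 0; } /* grey zone: hold state */
    if (!m->cookies_on && m->hot_wins >= WINS_TO_ON)       { m->cookies_on = true;  m->transitions++; }
    else if (m->cookies_on && m->calm_wins >= WINS_TO_OFF) { m->cookies_on = false; m->transitions++; }
    m->syn_in_win = 0;
}

/* Feed one packet observation (arrival time in ms, whether it is a TCP SYN).
 * Windows that elapsed since the last call are closed first, so an idle
 * period counts as calm windows. Returns the desired cookie state. */
bool syn_monitor_observe(struct syn_monitor *m, uint64_t now_ms, bool is_syn) {
    while (now_ms - m->win_start_ms >= WIN_MS) { close_window(m); m->win_start_ms += WIN_MS; }
    if (is_syn) m->syn_in_win++;
    return m->cookies_on;
}

/* Replay a constructed trace: `seconds` seconds of `syn_per_s` evenly spaced SYNs. */
void run_trace(struct syn_monitor *m, uint64_t *t_ms, unsigned seconds, unsigned syn_per_s) {
    for (unsigned s = 0; s < seconds; s++, *t_ms += 1000)
        for (unsigned i = 0; i < syn_per_s; i++)
            syn_monitor_observe(m, *t_ms + (uint64_t)i * 1000 / syn_per_s, true);
}

int main(void) {
    struct syn_monitor m; uint64_t t = 0;
    syn_monitor_init(&m, 0);
    run_trace(&m, &t, 3, 50);   printf("baseline: cookies %s\n", m.cookies_on ? "on" : "off");
    run_trace(&m, &t, 4, 3000); printf("flood:    cookies %s\n", m.cookies_on ? "on" : "off");
    run_trace(&m, &t, 5, 50);   printf("after:    cookies %s, %u flips\n", m.cookies_on ? "on" : "off", m.transitions);
    return 0;
}
```

In a real deployment the `cookies_on` transitions would drive the kernel's SYN-cookie switch; here they are only counted so the behaviour can be checked offline.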