Implementing SYN Flood Defense on a Router Using the SYN Cookie Principle
Abstract
Distributed Denial of Service (DDoS) attacks are currently one of the most serious security problems on the Internet. The large number of insecure machines on the Internet, the wide availability of automated DDoS attack tools, and the attackers' habitual use of spoofed IP addresses make DDoS attacks quite difficult to defend against and to trace. Most current DDoS attacks are carried out over TCP, mainly as TCP flood attacks. Research on DDoS and SYN Flood attacks has become a hot topic in information security, and vendors at home and abroad, such as Cisco, Huawei, 黑洞 and 金盾, have developed dedicated countermeasure products. But to detect and prevent DDoS well and fully guarantee system security, we need to study the characteristics of DDoS attacks in depth and propose targeted solutions.
After an in-depth study of DDoS attack mechanisms, attack methods, attack amplification techniques and the existing defense and traceback methods, this thesis proposes a defense scheme based on the SYN Cookie mechanism against current DDoS attacks.
The main goal of a SYN Flood attack is to send a large number of SYN requests to exhaust the server's CPU and memory and bring the server down. The scheme therefore starts from saving resources: the router proxies the SYN requests sent by clients. If a request turns out to be illegitimate, i.e. the client never replies with an ACK segment, the connection is dropped directly and never forwarded to the server; if an ACK segment is returned, the connection is valid and can be established with the server through the router. Because the router applies the SYN Cookie principle, it does not allocate significant resources to SYN requests and only needs to maintain a minimal amount of data. This thesis chooses Netfilter as the main implementation framework and uses the connection tracking module and the IP Inspect function to obtain the relevant packet information and process the packets appropriately.
Finally, the proposed scheme is analyzed theoretically and tested in simulation experiments; the results show that the SYN Cookie based anti-DDoS scheme is effective and feasible.
Distributed Denial of Service (DDoS) attacks are becoming one of the most severe security issues on the Internet today. Several factors, such as the existence of a large number of insecure machines, the broad availability of automated DDoS tools and the use of spoofed IP addresses, make it quite difficult to defend against and trace DDoS attacks. Currently most DDoS attacks are implemented over TCP and use TCP floods to achieve their purpose. Research on DDoS and SYN Flood attacks has already become an active area in the information security community. Some commercial companies, e.g. Cisco and Huawei, have already developed dedicated products. However, in order to detect and prevent DDoS and thus protect the security of systems, we have to investigate the properties of DDoS in depth so that we can make specific proposals for solving this problem.
In this thesis we investigate the mechanisms, methodology and techniques of DDoS as well as the current defense and tracing strategies against it. We then propose a SYN Cookie based defense scheme for current DDoS attacks. The primary goal of a SYN Flood attack is to send a high volume of requests to consume the CPU and memory resources of the server and cause a breakdown. Our approach therefore starts with saving resources. The router proxies the SYN requests sent by clients: if a request is detected to be illegitimate, i.e. the client does not respond with an ACK segment, we drop it without forwarding it to the server; otherwise it is an active connection and is allowed to connect to the server through the router. Since we apply the SYN Cookie principle on the router, it does not allocate excessive resources to SYN requests. Choosing Netfilter as the primary implementation framework, we leverage the connection tracking module and the IP Inspect functionality to obtain the relevant segment information and perform the appropriate processing. Theoretical analysis and experimental simulation show that the SYN Cookie based mechanism is able to prevent DDoS attacks effectively and efficiently.
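The following Python model, added here as an illustration and not taken from the thesis (whose implementation is Netfilter kernel code), shows the stateless handshake the abstract describes: the router answers every SYN with a SYN-ACK whose initial sequence number is a keyed cookie over the connection 4-tuple, keeps no per-SYN state, and creates connection state only when an ACK carrying a valid cookie arrives. Packets are plain dictionaries with constructed addresses; the 32-bit cookie layout (5 bits time slot, 2 bits MSS index, 25 bits truncated HMAC), the 64-second slot and the MSS table are assumptions modelled on the classic SYN cookie design rather than values from the page.

```python
"""SYN-cookie handshake proxy model (added example, not the thesis's own code)."""
import hashlib
import hmac
import secrets
import time

MSS_TABLE = (536, 1220, 1440, 1460)   # assumed 2-bit MSS table
SEQ_MASK = 0xFFFFFFFF


class SynCookieProxy:
    def __init__(self, secret=None, slot_seconds=64, clock=time.time):
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.slot_seconds = slot_seconds      # assumed cookie time-slot length
        self.clock = clock                    # injectable clock for tests
        self.established = {}                 # 4-tuple -> options; filled only after a valid ACK
        self.syn_seen = 0                     # SYNs answered without allocating any state

    def _slot(self):
        return int(self.clock()) // self.slot_seconds

    def _mac(self, saddr, sport, daddr, dport, client_isn, slot, mss_idx):
        # Keyed hash over the 4-tuple, the client's ISN, the time slot and the MSS index.
        msg = f"{saddr}:{sport}>{daddr}:{dport}|{client_isn}|{slot}|{mss_idx}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & 0x1FFFFFF      # keep 25 bits

    @staticmethod
    def _encode(slot, mss_idx, mac):
        # Assumed ISN layout: 5 bits slot | 2 bits MSS index | 25 bits MAC.
        return ((slot & 0x1F) << 27) | ((mss_idx & 0x3) << 25) | mac

    @staticmethod
    def _pick_mss(mss):
        idx = 0
        for i, value in enumerate(MSS_TABLE):    # largest entry not above the advertised MSS
            if value <= mss:
                idx = i
        return idx

    def on_syn(self, pkt):
        """Answer a SYN with a SYN-ACK whose ISN is the cookie; store nothing."""
        self.syn_seen += 1
        slot, mss_idx = self._slot(), self._pick_mss(pkt.get("mss", 536))
        mac = self._mac(pkt["saddr"], pkt["sport"], pkt["daddr"], pkt["dport"],
                        pkt["seq"], slot, mss_idx)
        return {"saddr": pkt["daddr"], "sport": pkt["dport"], "daddr": pkt["saddr"],
                "dport": pkt["sport"], "flags": "SA", "seq": self._encode(slot, mss_idx, mac),
                "ack": (pkt["seq"] + 1) & SEQ_MASK, "mss": MSS_TABLE[mss_idx]}

    def on_ack(self, pkt):
        """Recompute the cookie from the ACK; create state only if it matches."""
        isn = (pkt["ack"] - 1) & SEQ_MASK
        client_isn = (pkt["seq"] - 1) & SEQ_MASK
        slot_bits, mss_idx, mac = isn >> 27, (isn >> 25) & 0x3, isn & 0x1FFFFFF
        now = self._slot()
        for slot in (now, now - 1):                  # accept the current and previous slot only
            if (slot & 0x1F) != slot_bits:
                continue
            expected = self._mac(pkt["saddr"], pkt["sport"], pkt["daddr"], pkt["dport"],
                                 client_isn, slot, mss_idx)
            if hmac.compare_digest(expected.to_bytes(4, "big"), mac.to_bytes(4, "big")):
                key = (pkt["saddr"], pkt["sport"], pkt["daddr"], pkt["dport"])
                self.established[key] = {"mss": MSS_TABLE[mss_idx]}   # server-side connect would start here
                return True
        return False


def run_demo():
    """Constructed traffic: a SYN flood, one real handshake, a bad cookie and a stale replay."""
    clock = [1_000_000]
    proxy = SynCookieProxy(secret=b"demo-secret-not-for-production", clock=lambda: clock[0])
    server = ("192.0.2.10", 80)                      # constructed documentation address
    for i in range(5000):                            # flood: answered, but no state is kept
        proxy.on_syn({"saddr": f"198.51.100.{i % 256}", "sport": 1024 + i, "daddr": server[0],
                      "dport": server[1], "seq": (i * 7919) & SEQ_MASK, "mss": 1460})
    flood_state = len(proxy.established)
    syn = {"saddr": "203.0.113.5", "sport": 51515, "daddr": server[0], "dport": server[1],
           "seq": 123456, "mss": 1460}
    synack = proxy.on_syn(syn)
    ack = {"saddr": syn["saddr"], "sport": syn["sport"], "daddr": server[0], "dport": server[1],
           "seq": (syn["seq"] + 1) & SEQ_MASK, "ack": (synack["seq"] + 1) & SEQ_MASK}
    legit = proxy.on_ack(ack)                                        # valid cookie -> state created
    forged = proxy.on_ack(dict(ack, sport=51516, ack=0x12345678))    # guessed cookie -> rejected
    clock[0] += 3 * proxy.slot_seconds
    stale = proxy.on_ack(ack)                                        # outside the slot window -> rejected
    return {"syn_seen": proxy.syn_seen, "flood_state": flood_state, "legit_accepted": legit,
            "forged_accepted": forged, "stale_accepted": stale,
            "established": len(proxy.established),
            "mss": proxy.established[(syn["saddr"], syn["sport"], server[0], server[1])]["mss"]}


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is what is missing: `on_syn` touches no per-connection table, so the flood of 5000 SYNs leaves `established` empty, while the single client that returns the cookie is accepted and only then would the router open the server-side connection. Rotating the secret or shrinking the slot window trades replay resistance against tolerance for slow clients, which is the same tuning a real Netfilter deployment has to make.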

© 2004-2018 National Geological Library of China. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号