DDoS攻击防御技术发展综述

doi:10.11959/j.issn.2096-109x.2017.00202

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (10): 16-24.doi: 10.11959/j.issn.2096-109x.2017.00202

DDoS攻击防御技术发展综述

陈飞^1,²(),毕小红^1,²,王晶晶^1,²,刘渊^1,²

¹ 江南大学数字媒体学院，江苏无锡 214122
² 江苏省媒体设计与软件技术重点实验室（江南大学），江苏无锡 214122

修回日期:2017-08-18 出版日期:2017-10-01 发布日期:2017-11-13
作者简介:陈飞（1984-），男，山东泰安人，博士，江南大学讲师，主要研究方向为云计算、计算机网络。|毕小红（1989-），男，山西长治人，江南大学硕士生，主要研究方向为网络虚拟化技术。|王晶晶（1996 -），女，江苏扬州人，江南大学本科生，主要研究方向为 SDN网络。|刘渊（1967-），男，江苏无锡人，江南大学教授，主要研究方向为网络流量分析和数字媒体软件。
基金资助:
国家自然科学基金资助项目(61602214);江苏省自然科学基金资助项目(BK20160191);国家科技支撑计划基金资助项目(2015BAH54F01);江苏省普通高校专业学位研究生实践创新计划基金资助项目(SJZZ16_0218)

Survey of DDoS defense:challenges and directions

Fei CHEN^1,²(),Xiao-hong BI^1,²,Jing-jing WANG^1,²,Yuan LIU^1,²

¹ School of Digital Media,Jiangnan University,Wuxi 214122,China
² Jiangsu Key Laboratory of Media Design and Software Technology,Wuxi 214122,China

Revised:2017-08-18 Online:2017-10-01 Published:2017-11-13
Supported by:
The National Natural Science Foundation of China(61602214);The Natural Science Foundation of Jiangsu Province(BK20160191);The National Science and Technology Support Program of China(2015BAH54F01);Research Innovation Program for College Graduate of Jiangsu Province(SJZZ16_0218)

摘要/Abstract

摘要：

分布式拒绝服务攻击（DDoS）是当前互联网面临的主要威胁之一，如何对 DDoS 攻击进行快速准确的检测以及有效的防御一直是网络信息安全领域的研究热点。从早期的集中式防御技术，到以云计算、SDN为基础的综合型防御体系，针对DDoS攻击各个时期的相关防御技术进行了总结。结合DDoS攻击的特性，系统地分析了各类防御机制在不同应用场景中的优点和潜在问题，为下一代网络安全体系构建提供新的思路和参考。

关键词: DDoS攻击防御, 云计算, SDN, 分布式网络

Abstract:

The distributed denial of server (DDoS) attack is a major threat to the Internet.Numerous works have been proposed to deal with this problem through attack detection and defense mechanism design.A survey was presented to introduce the DDoS defense technologies,from the traditional strategies,through Cloud-based systems,toward SDN-based mechanisms.According to the characteristics of DDoS attack,the features and drawbacks of these systems were discussed,which could provide new insights for the development of the new generation of network security framework in the future.

Key words: DDoS defense, cloud computing, software-defined network, distributed networks

中图分类号:

TP393

陈飞,毕小红,王晶晶,刘渊. DDoS攻击防御技术发展综述[J]. 网络与信息安全学报, 2017, 3(10): 16-24.

Fei CHEN,Xiao-hong BI,Jing-jing WANG,Yuan LIU. Survey of DDoS defense:challenges and directions[J]. Chinese Journal of Network and Information Security, 2017, 3(10): 16-24.

图/表 6

图1

表1

表2

表3

图2

表4

参考文献 48

[1]	诸葛建伟, 韩心彗, 周勇林 ,等. 僵尸网络研究与进展[J]. 软件学报, 2008,19(3): 702-715.
	ZHU-GE J W , HAN X H , ZHOU Y L ,et al. Research and development of Botnets[J]. Journal of Software, 2008,19(3): 702-715.
[2]	SMITH J , SIMS J . Securing cloud,SDN and large data network environments from emerging DDoS attacks[C]// The International Conference on Cloud Computing,Data Science ＆ Engineering. 2017.
[3]	AHMED M E , KIM H . DDoS attack mitigation in internet of things using software defined networking[J]. Proceedings of Big Data Computing Service and Applications, 2017.
[4]	HOQUE N , BHATTACHARYYA D K , KALITA J K . Botnet in DDoS Attacks:Trends and Challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2015,17(4): 2242-2270.
[5]	MIRKOVIC J , REIHER P . A taxonomy of DDoS attack and DDoS defense mechanisms[J]. ACM Sigcomm Computer Communications Review, 2004,34(2): 39-53.
[6]	ZARGAR S T , JOSHI J , TIPPER D . A survey of defense mechanism against distributed denial of service flooding attacks[J]. IEEE Communications Surveys ＆ Tutorials, 2013,15(4): 2046-2069.
[7]	GIL T M , POLETTO M . MULTOPS:a data-structure for bandwidth attach detection[C]// The 10th Conference on USENIX Security Symposium. 2001.
[8]	MIRKOVIC J , REIHER P . D-WARD:a source-end defense against flooding denial-of-service attacks[J]. IEEE Transactions on Dependable and Secure Computing, 2005,2(3): 216-232.
[9]	YAO G , BI J , VASILAKOS A V . Passive IP traceback:disclosing the locations of ip spoofers from path backscatter[J]. IEEE Transactions on Information Forensics and Security, 2015,10(3): 471-484.
[10]	KANSAL V , DAVE M . Proactive DDoS attack detection and isolation[C]// The International Conference on Computer,Communications and Electronics. 2017.
[11]	LU N , SU S , JING M ,et al. A router based packet filtering scheme for defending against DoS attacks[J]. IEEE China Communications, 2014,11(10): 136-146.
[12]	MIZRAK A T , SAVAGE S , MARZULLO K . Detecting compromised routers via packet forwarding behavior[J]. IEEE Network, 2008,22(2): 34-39.
[13]	MAHAJAN R , BELLOVIN S M . Controlling high bandwidth aggregates in the network[J]. ACM Sigcomm Computer Communication Review, 2002,32(3): 62-73.
[14]	LIU X , YANG X , LU Y . To filter or to authorize:network-layer DoS defense against multimillion-node botnets[C]// ACM Sigcomm Conference on Data Communication. 2008: 195-206.
[15]	柳袆, 付枫, 孙鑫 . 基于全局网络PCA的DDoS攻击检测方法[J]. 计算机应用研究, 2012,29(6): 2205-2207.
	LIU Y , FU F , SUN X . DDoS detection method based on network-wide PCA[J]. Application Research of Computers, 2012,29(6): 2205-2207.
[16]	黄靖, 杨树堂, 陆松年 . 一种基于流量控制技术的分布式 DDoS攻击检测框架研究[J]. 计算机应用与软件, 2008,25(6): 6-7.
	HUANG J , YANG S T , LU S N . On framework of distributed DDOS attack detection based on flow control technique[J]. Application Research of Computers, 2008,25(6): 6-7.
[17]	田晓朋, 邬家炜, 陈孝全 . 基于DDoS攻击的检测防御模型的研究[J]. 计算机工程与科学, 2009,31(1): 14-16.
	TIAN X P , WU J W , CHEN X Q . Research on the model of detection and defense based on DDoS attacks[J]. Computer engineering and science, 2009,31(1): 14-16.
[18]	PARK K , LEE H . On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets[J]. ACM Sigcomm Computer Communication Review, 2001,31(4): 15-26.
[19]	YAAR A , PERRIG A , SONG D . StackPi:new packet marking and filtering mechanisms for DDoS and IP spoofing defense[J]. IEEE Journal on Selected Areas in Communications, 2006,24(10): 1853-1863.
[20]	YAU D K Y , LUI J C S , LIANG F . Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles[C]// The 10th IEEE International Workshop on Quality of Service. 2002: 35-44.
[21]	KIM J , SHIN S . Software-defined HoneyNet:towards mitigating link flooding attacks[C]// IEEE/IFIP International Conference on Dependable Systems and Networks. 2017.
[22]	YANG M H , YANG M C . RIHT:a novel hybrid IP traceback scheme[J]. IEEE Transactions on Information Forensics and Security, 2012,7(2): 789-797.
[23]	KARASAWA T , SOSHI M , MIYAJI A . A novel hybrid IP traceback scheme with packet counters[C]// The 5th International Conference on Internet and Distributed Computing Systems. 2012.
[24]	WANG B , ZHENG Y , LOU W ,et al. DDoS attack protection in the era of cloud computing and software-defined networking[J]. Elsevier Computer Networks, 2015,81(C): 308-319.
[25]	WANG H , JIN C , SHIN K G . Defense against spoofed IP traffic using hop-count filtering[J]. IEEE/ACM Transactions on Networking, 2007,15(1): 40-53.
[26]	PATIL S P , PATIL Y S . A survey on DDoS attacks and its defending methods in cloud[J]. International Journal of Innovative Research in Computer and Communication Engineering, 2015,3(11): 119878-11976.
[27]	SAHI A , LAI D , LI Y ,et al. An efficient DDoS TCP flood attack detection and prevention system in a cloud environment[J]. IEEE Access, 2017,5: 6036-6048.
[28]	RUKAVITSYN A , BORISENKO K , SHOROV A . Self-learning method for DDoS detection model in cloud computing[C]// IEEE Young Researchers in Electrical and Electronic Engineering. 2017: 544-547.
[29]	WAHAB O A , BENTAHAR J , OTROK H ,et al. Optimal load distribution for the detection of VM-based DDoS attacks in the cloud[J]. IEEE Transactions on Services Computing, 1939,(99):1.
[30]	LUA R , YOW K C . Mitigating DDoS attacks with transparent and intelligent fast-flux swarm network[J]. IEEE Network, 2011,25(4): 28-33.
[31]	CHEN J , WANG Y , WANG X . On-demand security architecture for cloud computing[J]. Computer, 2012,45(7): 73-78.
[32]	SOMANI G , GAUR M S , SANGHI D ,et al. Combating DDoS attacks in the cloud:requirements,trends,and future directions[J]. IEEE Cloud Computing, 2017,4(1): 22-32.
[33]	DAYAL N , SRIVASTAVA S . Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN[C]// The International Conference on Communication Systems and Networks. 2017: 274-281.
[34]	MEHDI S A , KHALID J , KHAYAM S A . Revisiting traffic anomaly detection using software defined networking[C]// The International Conference on Recent Advances in Intrusion Detection. 2011: 161-180.
[35]	JIN R , WANG B . Malware detection for mobile devices using software-defined networking[C]// IEEE Research and Educational Experiment Workshop. 2013: 81-88.
[36]	YAO G , BI J , XIAO P . Source address validation solution with OpenFlow/NOX architecture[C]// IEEE International Conference on Network Protocols,IEEE Computer Society. 2011: 7-12.
[37]	YU Y , CHEN Q , LI X . Distributed collaborative monitoring in software defined networks[J]. Computer Science, 2014.
[38]	肖甫, 马俊青, 黄洵松 ,等. SDN环境下基于KNN的DDoS攻击检测方法[J]. 南京邮电大学学报, 2015,35(1): 84-88.
	XIAO F , MA J Q , HUANG X S ,et al. DDoS attack detection based on KNN in software defined networks[J]. Journal of Nanjing University of Posts and Telecommunications, 2015,35(1): 84-88.
[39]	PASSITO A , MOTA E , BENNESBY R ,et al. AgNOS:a framework for autonomous control of software-defined networks[C]// IEEE International Conference on Advanced Information Networking and Applications. 2014: 405-412.
[40]	KLOTI R , KOTRONIS V , SMITH P . OpenFlow:a security analysis[C]// IEEE International Conference on Network Protocols. 2014: 1-6.
[41]	WUNDSAM A , DAN L , SEETHARAMAN S ,et al. OFRewind:enabling record and replay troubleshooting for networks[C]// Usenix Conference on Usenix Technical. 2011: 29-29.
[42]	王秀磊, 陈鸣, 邢长友 ,等. 一种防御 DDoS 攻击的软件定义安全网络体制[J]. 软件学报, 2016,27(12): 3104-3119.
	WANG X L , CHEN M , XING C Y ,et al. Software defined security networking mechanism against DDoS attacks[J]. Journal of Software, 2016,27(12): 3104-3119.
[43]	HAMEED S , KHAN H A . Leveraging SDN for collaborative DDoS mitigation[C]// The International Conference on Networked Systems. 2017.
[44]	FRANCOIS J , FESTOR O . Anomaly traceback using software defined networking[J]. International Workshop on Information Forensics ＆ Security, 2014
[45]	YAN Q , GONG Q , YU F R . Effective software-defined networking controller scheduling method to mitigate DDoS attacks[J]. Electronics Letters, 2017,53(7): 469-471.
[46]	BELYAEV M , GAIVORONSKI S . Towards load balancing in SDN-networks during DDoS-attacks[C]// IEEE Science and Technology Conference. 2015: 1-6.
[47]	JESUS W P D , SILVA D A D , JUNIOR R T D S ,et al. Analysis of SDN contributions for cloud computing security[C]// IEEE/ACM International Conference on Utility and Cloud Computing. 2015: 922-927.
[48]	YAN Q , YU F R . Distributed denial of service attacks in software-defined networking with cloud computing[J]. IEEE Communications Magazine, 2015,53(4): 52-59.

DDoS攻击类型	描述
访问请求洪流攻击	攻击者在应用层的Session里加入大量的访问请求
非对称攻击	攻击者发送高任务量的请求，加重服务器计算或数据库查询的负载
重复单次攻击	将请求任务分发到多个 Session，并提高Session发送量

检测机制	准确度	时效性	通信开销	部署成本	代表方案
源端检测	低	高	较低	较高	MULTOPS^[7]、D-WARD^[8]
末端检测	高	低	低	低	IP Traceback^[9]、主动检测^[10]
中间网络检测	较高	较高	高	高	路由报文过滤^[11,12]
分布式型检测	高	高	较高	较高	ACC^[13]、StopIt^[14]

攻击响应技术	优点	缺点	代表方案
报文过滤	过滤通过地址欺骗的DDoS攻击，保护正常用户流量	①无法防御利用真实主机和IP地址的攻击；②对检测的精确度依赖较高；③大规模攻击时负载较高	分布式报文过滤^[18]路径标识^[19]
速率限制	能够避免大量报文拥塞链路，保障攻击情况下的系统正常运行	①需要大规模部署；②可能对正常用户造成影响	Pushback^[13]最大最小公平限流 ^[20]
攻击容忍	尽可能维持系统的正常运行和用户的使用，为反攻措施争取时间	①本身不能阻止 DDoS 攻击；②需要大量的系统资源开销以维持服务正常运行	Honeynet^[21]负载均衡^[10]
攻击溯源	追踪攻击的发起者进行主动防御，从根源上抑制攻击产生	①需要大规模部署；②需要利用空间有限的报文头信息进行标记；③利用大量路由器存储数据分组信息	Packet marking^[22]Logging^[23]

防御技术	文献	攻击检测	攻击响应	协作机制
集中式防御	5～24]	分析报文为主	报文过滤、限速等	单点/组内协作
云计算	25～32]	分析网络流量为主	网络结构调整、隔离等	云接入点/Hypervisor
SDN网络	33～44]	分析流表为主	数据流过滤、溯源等	SDN控制器/交换机

DDoS攻击防御技术发展综述

Survey of DDoS defense:challenges and directions

在线阅读

pdf下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 48

相关文章 15

Metrics

推荐阅读 0

[1]	吴颖,李璇,金彪,金榕榕. 隐私保护的图像内容检索技术研究综述[J]. 网络与信息安全学报, 2019, 5(4): 14-28.
[2]	金子晋,兰巨龙,江逸茗,孙鹏浩,魏鹏. SDN环境下基于QLearning算法的业务划分路由选路机制[J]. 网络与信息安全学报, 2018, 4(9): 17-22.
[3]	戴千一,徐开勇,郭松,蔡国明,周致成. 分布式网络环境下基于区块链的密钥管理方案[J]. 网络与信息安全学报, 2018, 4(9): 23-35.
[4]	李颖, 马春光. 可搜索加密研究进展综述[J]. 网络与信息安全学报, 2018, 4(7): 13-21.
[5]	于孟洋,林晖,田有亮. 移动云计算中一种新的跨层信誉机制[J]. 网络与信息安全学报, 2018, 4(3): 51-58.
[6]	王元昊,李宏博,崔钰钊,郭庆文,黄琼. 具有密文等值测试功能的公钥加密技术综述[J]. 网络与信息安全学报, 2018, 4(11): 13-22.
[7]	张建标,朱元曦,胡俊,王晓. 面向云环境的虚拟机可信迁移方案[J]. 网络与信息安全学报, 2018, 4(1): 6-14.
[8]	李维奉,羌卫中,李伟明,邹德清. 云环境隐私侵犯取证研究[J]. 网络与信息安全学报, 2018, 4(1): 26-35.
[9]	高元照,李学娟,李炳龙,吴熙曦. 云计算取证模型[J]. 网络与信息安全学报, 2017, 3(9): 13-23.
[10]	袁得嵛,王小娟,万建超. “互联网+”对网络空间安全影响及未来发展趋势[J]. 网络与信息安全学报, 2017, 3(5): 1-9.
[11]	施江勇,杨岳湘,李文华,王森. 基于SDN的云安全应用研究综述[J]. 网络与信息安全学报, 2017, 3(5): 10-25.
[12]	孙光,樊晓平,蒋望东,周航军,刘胜宗,龚春红,朱静. 云计算环境约束下的软件水印方案[J]. 网络与信息安全学报, 2016, 2(9): 12-21.
[13]	冯丙文,翁健,卢伟. 基于隐私保护的数字图像取证外包技术框架研究[J]. 网络与信息安全学报, 2016, 2(8): 23-31.
[14]	张亮轩,李晖. 云计算中支持有效用户撤销的多授权方基于属性加密方案[J]. 网络与信息安全学报, 2016, 2(2): 62-74.
[15]	王锴,李志华,黄凡,严飞. HyperSpector：基于UEFI的VMM动态可信监控基的设计与实现[J]. 网络与信息安全学报, 2016, 2(12): 47-55.