基于动态口令的应用层DDoS攻击防御方案

doi:10.3969／j.issn.1000-0801.2012.10.015

Abstract

Abstract:

In this paper, we present the design and implementation of OTP-DEF, a kernel extension to protect web servers against application layer DDoS attacks. First of all, according to the load of web server, an OTP-DEF web server should fall into one of three following modes: normal, suspected attack or confirmed attack mode, and the OTP-DEF authentication mechanism shall only be activated when web server is in suspected attack mode. Secondly, we use OTP as our puzzle, which can automatically change at the certain time interval. It makes our proposal can defend copy attacks, replay attacks and Brute-Force Attack. Thirdly, OTP-DEF uses an intermediate stage to identify the IP addresses that ignore the test, and persistently bombard the server with requests despite repeated failures at solving the puzzles. Once these machines are identified, OTP-DEF blocks their requests, turns the tests off, and allows access to legitimate users who are unable or unwilling to solve tests. Finally, OTP-DEF requires no modifications to client software.

Key words: DDoS attack, OTP, puzzle, web service, application layer

Xi Ye,Wushao Wen,Yiru Ye. An OTP-Based Mechanism for Defending Application Layer DDoS Attacks[J]. Telecommunications Science, 2012, 28(10): 88-93.

Figures/Tables 5

References 16

1	Ranjan S , Swaminathan R , Uysal M , et al. DDoS-resilient scheduling to counter application layer attacks under imperfect detection. IEEE-ACM Transaction on Networking, 2009, 17（1）:26～39
2	Arbor Networks. World wide infrastructure security report, volume V. , 2009
3	Zhao Guofeng , Yu Shoucheng , Wen Sheng . Detecting application-layer DDoS attack based on analysis of usersˊbehaviors. Application Research of Computers, 2011, 28（2）:717～719
4	Sangjae Lee , Gisung Kim , Sehun Kim . Sequence-order-independent network profiling for detecting application layer DDoS attacks. EURASIP Journal on Wireless Communications and Networking, 2011: 50～58
5	Ankali S B , Ashoka D V . Detection architecture of application layer DDoS attack for internet. International Journal of Advanced Networking and Applications, 2011, 3（1）:984～990
6	Khattab S , Gobriel S , Melhem R , et al. Live baiting for service-level DoS attackers. Proceedings of 27th IEEE Communications Society Conference on Computer Communications, 2008: 682～690
7	孙长华，刘斌．分布式拒绝服务攻击研究新进展综述．电子学报， 2009,37（7）:1562～1570
8	Yu J , Li Z , Chen H , et al. A detection and offense mechanism to defend against application layer DDoS attacks. Proceedings of 3rd International Conference on Networking and Services, 2007
9	Srivatsa M , Iyengar A , Yin J , et al. Mitigating application-level denial of service attacks on web servers: a client-transparent approach. ACM Transactions on the Web, 2008, 2（3）:1～49
10	Xie Y , Yu S . Monitoring the application-layer DDoS attacks for popular Websites. IEEE/ACM Transactions on Networking, 2009, 17（1）:15～25
11	Xie Y , Yu S . A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors. IEEE/ACM Transactions on Networking, 2009, 17（1）:54～65
12	Kandula S , Katabi D , Jacob M , et al. Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds. Proceedings of the 2nd Conference on Symposium on Networked Systems Design and Implementation, 2005:287～300
13	Mori G , Malik J . Recognizing objects in adversarial clutter:breaking a visual CAPTCHA. Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 2003（1）:134～144
14	Broder A , Mitzenmacher M . Network applications of bloom filters: a survey. Internet Mathematic, 2002,1（4）:485～509
15	The network simulator-ns-2. , 2011
16	Cao J , Cleveland W , Cao Y , et al. Stochastic models for generating synthetic http source traffic. Proceedings of IEEE INFOCOM, 2004:1546～1557

Metrics

Recommended 0

No Suggested Reading articles found!

时间戳	变换间隔时间
2011-10-31 22:30:30	1s
2011-10-31 22:30:3X	10s
2011-10-31 22:30:XX	1min
2011-10-31 23:3X:XX	10min
2011-10-31 22:XX:XX	1h

[1]	Zhiqun GU, Jiawei ZHANG, Yuefeng JI, Hao YU, Taleb Tarik. Network architecture and key technologies of intelligent optical networks driven by data and model [J]. Telecommunications Science, 2022, 38(7): 18-30.
[2]	Hanbing ZHENG,Xiang YU,Weiwei WANG. Hybrid genetic algorithm based optimization of pilotpattern [J]. Telecommunications Science, 2016, 32(9): 75-81.
[3]	Qingbo GONG,Jun NIU,Xiuting SUN,Kui WANG. Confidence of comments evaluated for Web service based on difference-induced [J]. Telecommunications Science, 2016, 32(8): 90-96.
[4]	Bin HOU,Hongbing TU,Yunfu WANG. Enterprise content management platform Web services based on CXF framework [J]. Telecommunications Science, 2016, 32(5): 191-196.
[5]	Bin XU,Jin QI,Xi YIN,Ye WANG,Ruiyun CHANG. Personalized service composition based on multi-strategy discrete differential evolution in mobile internet [J]. Telecommunications Science, 2016, 32(2): 99-105.
[6]	Mingling DING,Yongchang YU,Zhizhong WANG. Concurrent performance testing method of carrier-class video conference system [J]. Telecommunications Science, 2016, 32(11): 147-153.
[7]	Zhiqiang Luo,Jun Shen,Huamin Jin. Detection and Control Technology of Distributed DNS Reflective DDoS Attack [J]. Telecommunications Science, 2015, 31(10): 1-196.
[8]	Xiaoyan Hu,Jian Gong. Exploring the Roles of In-Network Caching in ICN [J]. Telecommunications Science, 2014, 30(3): 67-74.
[9]	Zhihua Li,Quanqi Gu,Jianfei Tang,Liang Xue,Jijun Zhao. Design and Implementation of Smart Home Managemen System Based on RESTful Web Services [J]. Telecommunications Science, 2014, 30(11): 99-104.
[10]	Bingsong Hu,Xiaosang Huang. An Implement Scheme for Secure STB [J]. Telecommunications Science, 2013, 29(4): 33-36.
[11]	Shanliang Pan,Qinjiao Mao,Lu Han. Research on a Web Services Discovery Method Based on Virtual Social Network [J]. Telecommunications Science, 2013, 29(12): 28-37.
[12]	Yi Wang,Xiaoyu Hu. Multi-Service Subnet Integration Solution Based on Residential Gateway [J]. Telecommunications Science, 2012, 28(4): 105-109.
[13]	Yingying Zhao,Yun Zhang. Application of the Logic Language Based on Reasoning Mechanism in Web Composite Service [J]. Telecommunications Science, 2012, 28(12): 112-117.
[14]	Chen Yicheng,Li Wei and Wang Jing. Design and Implementation of Data Synchronization Module of OMP Management Subsystem [J]. Telecommunications Science, 2012, 28(11): 108-111.
[15]	Zhang Zhengming,Ma Bingxian and Xiang Dongming. Research and Implementation of Web Service Registration Method Based on Petri Network [J]. Telecommunications Science, 2012, 28(11): 86-91.

An OTP-Based Mechanism for Defending Application Layer DDoS Attacks

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 16

Related Articles 15

Metrics

Recommended 0