面向自治域的DoS攻击流抑制模型

doi:10.3969/j.issn.1000-436x.2013.09.016

摘要/Abstract

摘要：

针对因特网上的DoS攻击，结合下一代安全因特网架构，分析了现有权证方案在申请、授权和解授权等方面的问题。兼顾网络拥塞反馈机制，结合多级主动队列、信誉计算等思想，提出了一种面向自治域的DoS攻击流抑制模型，并进一步分析其有效性。通过在NS2上利用权威的CAIDA真实拓扑数据集，对权证授权时间和授权通信量、平均权证获取时间、不同方案的文件传输时间进行对比分析和评价，结果表明本方案能有效降低平均权证获取时间，提高文件传输效率，使权证方案更具可行性和顽健性。

关键词: 网络安全, 拒绝服务攻击, 自治域, 网络拥塞, 权证

Abstract:

Combined with the next generation security architecture,a novel AS-level defense scheme was proposed to restrain DoS attacks in the Internet.And the deficiencies of previous capability schemes were analyzed in detail,especially on requesting/withdrawing authorization of capabilities.The scheme takes account of a congestion feedback mechanism,a combination with multi-level active queue management,and the credit computation.Then a further analysis on the scheme’s effectiveness was presented.Several experiments with NS2 and CAIDA’s topology datasets were performed to evaluate the authorizing time and traffic,the average requesting time and common file transfer time of different schemes.The results show that this scheme can effectively reduce the average requesting time of capabilities,improve common file transfer efficiency,and enhance the feasibility and robustness.

Key words: network security, denial-of-service attack, autonomous system, network congestion, capabilities

江先亮,金光,杨建刚,何加铭. 面向自治域的DoS攻击流抑制模型[J]. 通信学报, 2013, 34(9): 132-141.

Xian-liang JIANG,Guang JIN,Jian-gang YANG,Jia-ming HE. AS-level model for restraining DoS attacks[J]. Journal on Communications, 2013, 34(9): 132-141.

图/表 15

表1

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

表2

参考文献 27

[1]	Arbor networks . worldwide infrastructure security report[EB/OL]. , 2012
[2]	PENG T , LECKIE C , RAMAMOHANARAO K . Survey of network-based defense mechanisms countering the DoS and DDoS problems[J]. ACM Computing Surveys, 2007,39(1): 1-42.
[3]	张永铮, 肖军, 云晓春 ,等. DDoS 攻击检测和控制[J]. 软件学报, 2012,23(8): 2258-2072. ZHANG Y Z , XIAO J , YUN X C ,et al. DDoS attacks detection and control mechanisms[J]. Journal of Software, 2012,23(8): 2258-2072.
[4]	王进, 阳小龙, 隆克平 . 基于大偏差统计模型的Http-Flood DDoS检测机制及性能分析[J]. 软件学报, 2012,23(5): 1272-1280. WANG J , YANG X L , LONG K P . Http-flood DDoS detection scheme based on large deviation and performance analysis[J]. Journal of Software, 2012,23(5): 1272-1280.
[5]	GOODRICH M T . Probabilistic packet marking for large-scale IP traceback[J]. IEEE/ACM Transactions on Networking, 2008,16(1): 15-24.
[6]	BELENKY A , ANSARI N . On deterministic packet marking[J]. Computer Networks, 2007,51(10): 2677-2700.
[7]	YAAR A , PERRIG A , SONG D . Pi:a path identification mechanism to defend against DDoS attacks[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. 2003.
[8]	YAAR A , PERRIG A , SONG D . StackPi:new packet marking and filtering mechanisms for DDoS and IP spoofing defense[J]. IEEE Journal on Selected Areas in Communications, 2006,24(10): 1853-1863.
[9]	金光, 张飞, 钱江波 ,等. 融合路径追溯和标识过滤的DDoS 攻击防御方案[J]. 通信学报, 2011,32(2): 61-67. JIN G , ZHANG F , QIAN J B ,et al. DDoS defense with IP traceback and path identification[J]. Journal on Communications, 2011,32(2): 61-67.
[10]	ANDERSON T , ROSCOE T , WETHERALL D . Preventing internet denial-of-service with capabilities[J]. ACM SIGCOMM Computer Communications Review, 2004,34(1): 39-44.
[11]	BELLOVIN S M , CLARK D , PERRIG A ,et al. A clean-slate design for the next-generation secure internet[A]. Proceedings of National Science Foundation Workshop on Next-Generation Secure Internet[C]. 2005.
[12]	吴建平, 吴茜, 徐恪 . 下一代互联网体系结构基础研究及探索[J]. 计算机学报, 2008,31(9): 1536-1548. WU J P , WU Q , XU K . Research and exploration of next-generation Internet architecture[J]. Chinese Journal of Computers, 2008,31(9): 1536-1548.
[13]	林闯, 雷蕾 . 下一代互联网体系结构研究[J]. 计算机学报, 2007,30(5): 693-711. LIN C , LEI L . Research on next generation Internet architecture[J]. Chinese Journal of Computers, 2007,30(5): 693-711.
[14]	YAAR A , PERRIG A , SONG D . SIFF:a stateless internet f filter to mitigate DDoS flooding attacks[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. 2004.
[15]	YANG X , WETHERALL D , ANDERSON T . TVA:a DoS-limiting network architecture[J]. IEEE/ACM Transactions on Networking, 2008,16(6): 1267-1280.
[16]	SHUE C A , KALAFUT A J , ALLMAN M ,et al. On building inexpensive network capabilities[J]. ACM SIGCOMM Computer Communication Review, 2012,42(2): 73-79.
[17]	ARGYRAKI K , CHERITON D . Network capabilities:the good,the bad and the ugly[A]. Proceedings of ACM HotNets IV[C]. 2005.
[18]	LIU X , YANG X , LU Y . To filter or to authorize:network-layer DoS defense against multimillion-node botnets[A]. Proceedings of ACM SIGCOMM[C]. 2008.
[19]	LIU X , YANG X , XIA Y . NetFence:preventing Internet denial of service from inside out[A]. Proceedings ofACM SIGCOMM[C]. 2010.
[20]	孙红杰, 方滨兴, 张宏莉 . 基于链路特征的DDoS攻击检测方法[J]. 通信学报, 2007,28(2): 88-93. SUN H J , FANG B X , ZHANG H L . DDoS attacks detection based on link character[J]. Journal on Communications, 2007,28(2): 88-93.
[21]	臧天宇, 云晓春, 张永铮 ,等. 基于通信特征和D-S证据理论分析僵尸网络相似度[J]. 通信学报, 2011,32(4): 66-76. ZANG T Y , YUN X C , ZHANG Y Z ,et al. Botnet’s similarity analysis based on communication features and D-S evidence theory[J]. Journal on Communications, 2011,32(4): 66-76.
[22]	金光, 杨建刚, 魏蔚 ,等. 基于增强权证的无状态过滤机制[J]. 电子与信息学报, 2008,30(10): 2490-2493. JIN G , YANG J G , WEI W ,et al. Stateless filtering based on enhanced capabilities[J]. Journal of Electronics ＆ Information Technology, 2008,30(10): 2490-2493.
[23]	RESCORLA E . Diffie-hellman key agreement method[EB/OL]. , 1999.
[24]	CAIDA[EB/OL]. , 2011.
[25]	MAHAJAN R , BELLOVIN S M , FLOYD S ,et al. Controlling high bandwidth aggregates in the network[J]. ACM Computer Communication Review, 2002,32(3): 62-73.
[26]	PARNO B , PERRIG A , WENDLANDT D ,et al. Portcullis:protecting connection setup from denial-of-capability attacks[A]. ACM SIGCOMM[C]. 2007.
[27]	BGP routing table analysis reports[EB/OL]. , 2011.

符号	注解
S_i	源AS主机
D_i	目标AS主机
S_IQS	源AS信息查找服务器
D_IQS	目标AS信息查找服务器
Ticket	数据分组携带的权证标记
T_block	请求拦截时间
T_maxb	最大允许拦截时间
T_limit	请求限流时间
T_maxl	最大允许限流时间

方案			属性
方案	网络架构	防御阶段	防御层次	计算	通信	复杂性	顽健性
PPM^[5]	IPv4	响应	网络层	高	低	低	低
DPM^[6]	IPv4	响应	网络层	中	低	低	中
Pi^[7,8]	IPv4	响应	网络层	中	低	低	低
SIFF^[14]	IPv4/NGSI	预防和响应	网络层	中	中	低	中
TVA^[15]	NGSI	预防和响应	网络层和应用层	高	高	中	高
StopIt^[18]	NGSI	检测和响应	网络层和应用层	低	高	高	中
NetFence^[19]	NGSI	检测和响应	网络层	低	低	中	中
BINC^[16]	NGSI	预防	应用层	低	低	中	低
本文方案	NGSI	预防和响应	网络层和应用层	中	中	低	高