非对称路由环境下SYN flood攻击防御方法

doi:10.3969/j.issn.1000-436x.2013.z1.038

通信学报 ›› 2013, Vol. 34 ›› Issue (Z1): 285-291.doi: 10.3969/j.issn.1000-436x.2013.z1.038

非对称路由环境下SYN flood攻击防御方法

陶建喜^1,^3,⁴,周立²,周舟^1,⁴,杨威^1,⁴,刘庆云^1,⁴,杨嵘^1,⁴()

¹ 中国科学院信息工程研究所，北京 100093
² 国家计算机网络应急技术处理协调中心，北京100029
³ 北京邮电大学计算机学院，北京 100876
⁴ 信息内容安全技术国家工程实验室，北京100093

出版日期:2013-08-25 发布日期:2017-06-23
基金资助:
国家高技术研究发展计划（“863”计划）基金资助项目;国家“242”信息安全计划基金资助项目;中国科学院战略性先导科技专项基金资助项目;国家自然科学基金资助项目

SYN flood attack defense strategy for asymmetric routing

Jian-xi TAO^1,^3,⁴,Li ZHOU²,Zhou ZHOU^1,⁴,Wei YANG^1,⁴,Qing-yun LIU^1,⁴,Rong YANG^1,⁴()

¹ Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
² National Computer Network Emergency Response Technical Team/Coordination Center, Beijing 100029, China
³ College of Computer Science and Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
⁴ National Engineering Laboratory for Information Security Technology, Beijing 100093, China

Online:2013-08-25 Published:2017-06-23
Supported by:
The National High Technology Research and Development Program of China (863 Program);The National Information Security Program of China (242 Program);Strategic Priority Research Program of the Chinese Academy of Sciences;The National Natural Science Foundation of China

摘要/Abstract

摘要：

针对现有网络安全设施无法有效防御非对称路由环境下流量规模较大的SYN flood攻击的问题，对SYN flood攻击检测技术和TCP连接管理策略进行研究，提出了一种轻量级攻击检测和混合连接管理策略相结合的防御方法，利用SYN分组比例和目的地址熵进行攻击检测，并根据检测结果对基于SYN的连接管理策略和基于数据的连接管理策略进行灵活切换。实验证明该防御方法能有效地减轻SYN flood攻击对网络安全设施的影响。

关键词: SYNflood, 非对称路由, 连接管理, SYN分组比例, 目的地址熵

Abstract:

In order to resolve the problem that existing network security facilities can't defend against large-scale SYN flood attack under asymmetric routing environment, attack detection technology and connection management strategy were researched, and a defense architecture combining a light-weight detection method with a hierarchical connection management strategy was presented. The detection method uses SYN packet rate and destination IP address entropy, and the hierarchical connection management strategy consists of a method based on SYN packet and a method based on data packet. The experimental results show that this proposed method can mitigate the influence brought by SYN flood attack.

Key words: SYN flood, asymmetric routing, connection management, SYN packet rate, destination IP address entropy

陶建喜,周立,周舟,杨威,刘庆云,杨嵘. 非对称路由环境下SYN flood攻击防御方法[J]. 通信学报, 2013, 34(Z1): 285-291.

Jian-xi TAO,Li ZHOU,Zhou ZHOU,Wei YANG,Qing-yun LIU,Rong YANG. SYN flood attack defense strategy for asymmetric routing[J]. Journal on Communications, 2013, 34(Z1): 285-291.

图/表 8

图1

图2

图3

图4

图5

表1

图6

表2

参考文献 15

[16]	WANG H N , ZHANG D L , SHIN K G . Detecting SYN flooding attacks[A]. Twenty-First Annual Joint Conference of the IEEE Com-puter and Communications Societies[C]. New York, NY, USA, 2002.1530-1539.
[17]	EHRLICH W K , FUTAMURA K , LIU D . An Entropy Based Method to Detect Spoofed Denial of Service (DoS) Attacks[M]. US: Springer US, 2008,44:101-122.
[1]	Prolexic Quarterly Global DDoS Attack Report Q4 2012[R]. Holly-wood: Prolexic Technologies, 2013.
[2]	KLEYMAN B . Why Anti-DDoS Products and Services are Critical for Today's Business Environment[R]. Data Center Knowledge (DCK), 2013.
[3]	2012年我国互联网网络安全态势综述[R]．北京：国家互联网应急中心， 2013.2012 Survey on Internet Security Situation in China[R]. Beijing: Na-tional Computer Network Emergency Response Technical Team/Co-ordination Center, 2013.
[4]	What is asymmetric routing[EB/OL]. , 2013.
[5]	EDDY W . TCP SYN flooding attacks and common mitigations[EB/OL]. , 2007.
[6]	BERNSTEIN D J . SYN cookies[EB/OL]. .
[7]	ZúQUETE A . Improving the functionality of syn cookies[J]. Ad-vanced Communications and Multimedia Security, 2002,(100):57-77.
[8]	HANG B , HU R M , SHI W . An enhanced SYN cookie defence method for TCP DDoS attack[J]. Journal of Networks, 2011,8(6):1206-1213.
[9]	JONATHAN L . Resisting SYN flood DoS attacks with a SYN cache[A]. Proceedings of the BSD Conference 2002 on BSD Confer-ence[C]. CA, USA, 2002.89-97.
[10]	WU Z , CHEN Z . A three-layer defense mechanism based on web servers against distributed denial of service attacks[A]. Proceedings of the First International Conference on Communications and Network-ing[C]. Beijing, China, 2006.1-5.
[11]	SCHUBA C L , KRSUL I V , KUHN M G . Analysis of a denial of service attack on TCP[A]. Proceedings of 1997 IEEE Symposium on Security and Privacy[C]. Oakland, CA, USA, 1997.208-223.
[12]	WANG H N , ZHANG D L , SHIN K G . SYN-dog: sniffing SYN flood-ing sources[A]. Proceedings of the 22′nd International Conference on Distributed Computing Systems (ICDCS'02)[C]. Vienna, Austria, 2002.421-428.
[13]	NAKASHIMA T , OSHIMA S . A detective method for SYN flood attacks[A]. Proceedings of the First International Conference on Inno-vative Computing, Information and Control (ICICIC'06)[C]. Wash-ington DC, USA, 2006.48-51.
[14]	CHEN W , YEUNG D . Defending against TCP SYN flooding attacks under different types of IP spoofing[A]. Proceedings of the Interna-tional Conference on Networking, International Conference on Sys-tems and International Conference on Mobile Communications and Learning Technologies[C]. Mauritius, 2006.38-43.
[15]	SUN C H , HU C C , TANG Y , et al. More accurate and fast SYN flood detection[A]. Proceedings of 18th Internatonal Conference on Computer Communications and Networks[C]. San Francisco, CA, USA, 2009.1-6.

1stDP次序	连接数	百分比	累计百分比
1	2 907 594	99.053 28%	99.053 28%
2	24 700	0.841 46%	99.894 73%
3	1 894	0.064 52%	99.959 26%
4	837	0.028 51%	99.987 77%
5	240	0.008 18%	99.995 95%
6	118	0.004 02%	99.999 97%
＞6	1	0.000 03%	100.000 00%

改进后	改进前	提升幅度
1.9 Gbit/s	1.2 Gbit/s	58.3%

非对称路由环境下SYN flood攻击防御方法

SYN flood attack defense strategy for asymmetric routing

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 15

相关文章 4

Metrics

推荐阅读 0

[1]	兰浩良,丁伟,夏震. 基于流记录的非对称路由检测[J]. 通信学报, 2014, 35(Z1): 98-102.
[2]	兰浩良，丁伟，夏震. 基于流记录的非对称路由检测[J]. 通信学报, 2014, 35(Z1): 19-102.
[3]	陶建喜1,3,4，周立2，周舟1,4，杨威1,4，刘庆云1,4，杨嵘1,4. 非对称路由环境下SYN flood攻击防御方法[J]. 通信学报, 2013, 34(Z1): 38-291.
[4]	时岩,陈山枝,董德才,李玉宏. CoMa-mSCTP：移动环境中基于mSCTP的连接管理机制[J]. 通信学报, 2007, 28(8): 105-112.