基于动态口令的应用层DDoS攻击防御方案

doi:10.3969／j.issn.1000-0801.2012.10.015

摘要/Abstract

摘要：

研究和设计了使用动态口令技术来保护服务器抵御DDoS攻击的OTP-DEF方案。首先，方案可根据服务器工作负载的不同，分别处于正常、疑似受攻击或确认受攻击3种工作模式之下，而基于动态口令的认证方案只在疑似受攻击工作模式下起作用。其次，由于动态口令会自动变化，故方案可抵御复制、重放和暴力破解攻击。第三，通过记录那些不解决难题并不断发送请求的IP地址来识别客户端是否为攻击者，一旦所有攻击者被识别出来后，OTP-DEF屏蔽其IP地址并停止发布难题，以便正常用户能方便地使用服务。最后，只需在服务器端实施和部署，客户端无需做任何更改。

关键词: 分布式拒绝服务攻击, 动态口令, 难题, 网页服务, 应用层

Abstract:

In this paper, we present the design and implementation of OTP-DEF, a kernel extension to protect web servers against application layer DDoS attacks. First of all, according to the load of web server, an OTP-DEF web server should fall into one of three following modes: normal, suspected attack or confirmed attack mode, and the OTP-DEF authentication mechanism shall only be activated when web server is in suspected attack mode. Secondly, we use OTP as our puzzle, which can automatically change at the certain time interval. It makes our proposal can defend copy attacks, replay attacks and Brute-Force Attack. Thirdly, OTP-DEF uses an intermediate stage to identify the IP addresses that ignore the test, and persistently bombard the server with requests despite repeated failures at solving the puzzles. Once these machines are identified, OTP-DEF blocks their requests, turns the tests off, and allows access to legitimate users who are unable or unwilling to solve tests. Finally, OTP-DEF requires no modifications to client software.

Key words: DDoS attack, OTP, puzzle, web service, application layer

叶晰,温武少,叶依如. 基于动态口令的应用层DDoS攻击防御方案[J]. 电信科学, 2012, 28(10): 88-93.

Xi Ye,Wushao Wen,Yiru Ye. An OTP-Based Mechanism for Defending Application Layer DDoS Attacks[J]. Telecommunications Science, 2012, 28(10): 88-93.

图/表 5

参考文献 16

1	Ranjan S , Swaminathan R , Uysal M , et al. DDoS-resilient scheduling to counter application layer attacks under imperfect detection. IEEE-ACM Transaction on Networking, 2009, 17（1）:26～39
2	Arbor Networks. World wide infrastructure security report, volume V. , 2009
3	Zhao Guofeng , Yu Shoucheng , Wen Sheng . Detecting application-layer DDoS attack based on analysis of usersˊbehaviors. Application Research of Computers, 2011, 28（2）:717～719
4	Sangjae Lee , Gisung Kim , Sehun Kim . Sequence-order-independent network profiling for detecting application layer DDoS attacks. EURASIP Journal on Wireless Communications and Networking, 2011: 50～58
5	Ankali S B , Ashoka D V . Detection architecture of application layer DDoS attack for internet. International Journal of Advanced Networking and Applications, 2011, 3（1）:984～990
6	Khattab S , Gobriel S , Melhem R , et al. Live baiting for service-level DoS attackers. Proceedings of 27th IEEE Communications Society Conference on Computer Communications, 2008: 682～690
7	孙长华，刘斌．分布式拒绝服务攻击研究新进展综述．电子学报， 2009,37（7）:1562～1570
8	Yu J , Li Z , Chen H , et al. A detection and offense mechanism to defend against application layer DDoS attacks. Proceedings of 3rd International Conference on Networking and Services, 2007
9	Srivatsa M , Iyengar A , Yin J , et al. Mitigating application-level denial of service attacks on web servers: a client-transparent approach. ACM Transactions on the Web, 2008, 2（3）:1～49
10	Xie Y , Yu S . Monitoring the application-layer DDoS attacks for popular Websites. IEEE/ACM Transactions on Networking, 2009, 17（1）:15～25
11	Xie Y , Yu S . A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors. IEEE/ACM Transactions on Networking, 2009, 17（1）:54～65
12	Kandula S , Katabi D , Jacob M , et al. Botz-4-sale: surviving organized DDoS attacks that mimic flash crowds. Proceedings of the 2nd Conference on Symposium on Networked Systems Design and Implementation, 2005:287～300
13	Mori G , Malik J . Recognizing objects in adversarial clutter:breaking a visual CAPTCHA. Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, 2003（1）:134～144
14	Broder A , Mitzenmacher M . Network applications of bloom filters: a survey. Internet Mathematic, 2002,1（4）:485～509
15	The network simulator-ns-2. , 2011
16	Cao J , Cleveland W , Cao Y , et al. Stochastic models for generating synthetic http source traffic. Proceedings of IEEE INFOCOM, 2004:1546～1557

时间戳	变换间隔时间
2011-10-31 22:30:30	1s
2011-10-31 22:30:3X	10s
2011-10-31 22:30:XX	1min
2011-10-31 23:3X:XX	10min
2011-10-31 22:XX:XX	1h

[1]	丁明玲,余勇昌,王志中. 电信级视频会议系统的并发能力评测方案[J]. 电信科学, 2016, 32(11): 147-153.
[2]	王铭鑫,周华春,陈佳,张宏科. 一种SDN中基于熵值计算的异常流量检测方法[J]. 电信科学, 2015, 31(9): 83-89.
[3]	张家华,杨种学,王江平,史煜凯,魏亮. 融合DDoS威胁过滤与路由优化的SDN通信质量保障策略[J]. 电信科学, 2015, 31(4): 120-126.
[4]	郑兆华,彭金莲,程杰仁. 基于手机令牌的移动应用双向身份认证方案研究[J]. 电信科学, 2014, 30(9): 87-91.
[5]	王懿,胡晓宇. 基于全路由家庭网关实现多业务子网融合的解决方案[J]. 电信科学, 2012, 28(4): 105-109.
[6]	郭建昌,郭茂文,黎艳. 一种电信级手机令牌动态口令系统的架构设计及其实现[J]. 电信科学, 2012, 28(10): 94-98.
[7]	白丽瑞,李彤,谢仲文,宋琛. 基于成本利润Petri网的应用云计费模式分析[J]. 电信科学, 2012, 28(1): 62-66.
[8]	白丽瑞,李彤,谢仲文,宋琛. 基于成本利润Petri网的应用云计费模式分析[J]. 电信科学, 2012, 28(1): 58-62.
[9]	杜成,徐川,唐红. DDoS攻击检测研究综述[J]. 电信科学, 2011, 27(3): 85-89.
[10]	张玉,戴磊. 基于heavy hitter流提取的网络异常检测优化研究[J]. 电信科学, 2010, 26(3): 46-51.