面向自治域的DoS攻击流抑制模型

doi:10.3969/j.issn.1000-436x.2013.09.016

Abstract

Abstract:

Combined with the next generation security architecture,a novel AS-level defense scheme was proposed to restrain DoS attacks in the Internet.And the deficiencies of previous capability schemes were analyzed in detail,especially on requesting/withdrawing authorization of capabilities.The scheme takes account of a congestion feedback mechanism,a combination with multi-level active queue management,and the credit computation.Then a further analysis on the scheme’s effectiveness was presented.Several experiments with NS2 and CAIDA’s topology datasets were performed to evaluate the authorizing time and traffic,the average requesting time and common file transfer time of different schemes.The results show that this scheme can effectively reduce the average requesting time of capabilities,improve common file transfer efficiency,and enhance the feasibility and robustness.

Key words: network security, denial-of-service attack, autonomous system, network congestion, capabilities

Xian-liang JIANG,Guang JIN,Jian-gang YANG,Jia-ming HE. AS-level model for restraining DoS attacks[J]. Journal on Communications, 2013, 34(9): 132-141.

Figures/Tables 15

References 27

[1]	Arbor networks . worldwide infrastructure security report[EB/OL]. , 2012
[2]	PENG T , LECKIE C , RAMAMOHANARAO K . Survey of network-based defense mechanisms countering the DoS and DDoS problems[J]. ACM Computing Surveys, 2007,39(1): 1-42.
[3]	张永铮, 肖军, 云晓春 ,等. DDoS 攻击检测和控制[J]. 软件学报, 2012,23(8): 2258-2072. ZHANG Y Z , XIAO J , YUN X C ,et al. DDoS attacks detection and control mechanisms[J]. Journal of Software, 2012,23(8): 2258-2072.
[4]	王进, 阳小龙, 隆克平 . 基于大偏差统计模型的Http-Flood DDoS检测机制及性能分析[J]. 软件学报, 2012,23(5): 1272-1280. WANG J , YANG X L , LONG K P . Http-flood DDoS detection scheme based on large deviation and performance analysis[J]. Journal of Software, 2012,23(5): 1272-1280.
[5]	GOODRICH M T . Probabilistic packet marking for large-scale IP traceback[J]. IEEE/ACM Transactions on Networking, 2008,16(1): 15-24.
[6]	BELENKY A , ANSARI N . On deterministic packet marking[J]. Computer Networks, 2007,51(10): 2677-2700.
[7]	YAAR A , PERRIG A , SONG D . Pi:a path identification mechanism to defend against DDoS attacks[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. 2003.
[8]	YAAR A , PERRIG A , SONG D . StackPi:new packet marking and filtering mechanisms for DDoS and IP spoofing defense[J]. IEEE Journal on Selected Areas in Communications, 2006,24(10): 1853-1863.
[9]	金光, 张飞, 钱江波 ,等. 融合路径追溯和标识过滤的DDoS 攻击防御方案[J]. 通信学报, 2011,32(2): 61-67. JIN G , ZHANG F , QIAN J B ,et al. DDoS defense with IP traceback and path identification[J]. Journal on Communications, 2011,32(2): 61-67.
[10]	ANDERSON T , ROSCOE T , WETHERALL D . Preventing internet denial-of-service with capabilities[J]. ACM SIGCOMM Computer Communications Review, 2004,34(1): 39-44.
[11]	BELLOVIN S M , CLARK D , PERRIG A ,et al. A clean-slate design for the next-generation secure internet[A]. Proceedings of National Science Foundation Workshop on Next-Generation Secure Internet[C]. 2005.
[12]	吴建平, 吴茜, 徐恪 . 下一代互联网体系结构基础研究及探索[J]. 计算机学报, 2008,31(9): 1536-1548. WU J P , WU Q , XU K . Research and exploration of next-generation Internet architecture[J]. Chinese Journal of Computers, 2008,31(9): 1536-1548.
[13]	林闯, 雷蕾 . 下一代互联网体系结构研究[J]. 计算机学报, 2007,30(5): 693-711. LIN C , LEI L . Research on next generation Internet architecture[J]. Chinese Journal of Computers, 2007,30(5): 693-711.
[14]	YAAR A , PERRIG A , SONG D . SIFF:a stateless internet f filter to mitigate DDoS flooding attacks[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. 2004.
[15]	YANG X , WETHERALL D , ANDERSON T . TVA:a DoS-limiting network architecture[J]. IEEE/ACM Transactions on Networking, 2008,16(6): 1267-1280.
[16]	SHUE C A , KALAFUT A J , ALLMAN M ,et al. On building inexpensive network capabilities[J]. ACM SIGCOMM Computer Communication Review, 2012,42(2): 73-79.
[17]	ARGYRAKI K , CHERITON D . Network capabilities:the good,the bad and the ugly[A]. Proceedings of ACM HotNets IV[C]. 2005.
[18]	LIU X , YANG X , LU Y . To filter or to authorize:network-layer DoS defense against multimillion-node botnets[A]. Proceedings of ACM SIGCOMM[C]. 2008.
[19]	LIU X , YANG X , XIA Y . NetFence:preventing Internet denial of service from inside out[A]. Proceedings ofACM SIGCOMM[C]. 2010.
[20]	孙红杰, 方滨兴, 张宏莉 . 基于链路特征的DDoS攻击检测方法[J]. 通信学报, 2007,28(2): 88-93. SUN H J , FANG B X , ZHANG H L . DDoS attacks detection based on link character[J]. Journal on Communications, 2007,28(2): 88-93.
[21]	臧天宇, 云晓春, 张永铮 ,等. 基于通信特征和D-S证据理论分析僵尸网络相似度[J]. 通信学报, 2011,32(4): 66-76. ZANG T Y , YUN X C , ZHANG Y Z ,et al. Botnet’s similarity analysis based on communication features and D-S evidence theory[J]. Journal on Communications, 2011,32(4): 66-76.
[22]	金光, 杨建刚, 魏蔚 ,等. 基于增强权证的无状态过滤机制[J]. 电子与信息学报, 2008,30(10): 2490-2493. JIN G , YANG J G , WEI W ,et al. Stateless filtering based on enhanced capabilities[J]. Journal of Electronics ＆ Information Technology, 2008,30(10): 2490-2493.
[23]	RESCORLA E . Diffie-hellman key agreement method[EB/OL]. , 1999.
[24]	CAIDA[EB/OL]. , 2011.
[25]	MAHAJAN R , BELLOVIN S M , FLOYD S ,et al. Controlling high bandwidth aggregates in the network[J]. ACM Computer Communication Review, 2002,32(3): 62-73.
[26]	PARNO B , PERRIG A , WENDLANDT D ,et al. Portcullis:protecting connection setup from denial-of-capability attacks[A]. ACM SIGCOMM[C]. 2007.
[27]	BGP routing table analysis reports[EB/OL]. , 2011.

Metrics

Recommended 0

No Suggested Reading articles found!

符号	注解
S_i	源AS主机
D_i	目标AS主机
S_IQS	源AS信息查找服务器
D_IQS	目标AS信息查找服务器
Ticket	数据分组携带的权证标记
T_block	请求拦截时间
T_maxb	最大允许拦截时间
T_limit	请求限流时间
T_maxl	最大允许限流时间

方案			属性
方案	网络架构	防御阶段	防御层次	计算	通信	复杂性	顽健性
PPM^[5]	IPv4	响应	网络层	高	低	低	低
DPM^[6]	IPv4	响应	网络层	中	低	低	中
Pi^[7,8]	IPv4	响应	网络层	中	低	低	低
SIFF^[14]	IPv4/NGSI	预防和响应	网络层	中	中	低	中
TVA^[15]	NGSI	预防和响应	网络层和应用层	高	高	中	高
StopIt^[18]	NGSI	检测和响应	网络层和应用层	低	高	高	中
NetFence^[19]	NGSI	检测和响应	网络层	低	低	中	中
BINC^[16]	NGSI	预防	应用层	低	低	中	低
本文方案	NGSI	预防和响应	网络层和应用层	中	中	低	高

AS-level model for restraining DoS attacks

RichHTML

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

Figures/Tables 15

References 27

Related Articles 15

Metrics

Recommended 0

[1]	Shiqi ZHAO, Xiaohong HUANG, Zhigang ZHONG. Research and implementation of reputation-based inter-domain routing selection mechanism [J]. Journal on Communications, 2023, 44(6): 47-56.
[2]	Haiyan KANG, Molan LONG. Research on network attack analysis method based on attack graph of absorbing Markov chain [J]. Journal on Communications, 2023, 44(2): 122-135.
[3]	Hongbin ZHANG, Yan YIN, Dongmei ZHAO, Bin LIU. Network security situational awareness model based on threat intelligence [J]. Journal on Communications, 2021, 42(6): 182-194.
[4]	Tengfei ZHANG, Shunzheng YU. Research prospects of user information detection from encrypted traffic of mobile devices [J]. Journal on Communications, 2021, 42(2): 154-167.
[5]	Xu CHENG, Yingying WANG, Nianjie ZHANG, Zhangjie FU, Beijing CHEN, Guoying ZHAO. Multi-level loss object tracking adversarial attack method based on spatial perception [J]. Journal on Communications, 2021, 42(11): 242-254.
[6]	Tao HUANG, Jiang LIU, Shuo WANG, Chen ZHANG, Yunjie LIU. Survey of the future network technology and trend [J]. Journal on Communications, 2021, 42(1): 130-150.
[7]	Zhiyong LUO,Xu YANG,Jiahui LIU,Rui XU. Network intrusion intention analysis model based on Bayesian attack graph [J]. Journal on Communications, 2020, 41(9): 160-169.
[8]	Hanxun ZHOU,Chen CHEN,Runze FENG,Junkun XIONG,Hong PAN,Wei GUO. Mobile malware traffic detection approach based on value-derivative GRU [J]. Journal on Communications, 2020, 41(1): 102-113.
[9]	Haijun ZHAO,Chunlin HE,Bin PU,Mengtian CUI. Geographical routing and participant collaboration model based communication mechanism of WSAN [J]. Journal on Communications, 2019, 40(7): 77-86.
[10]	JIANG Lyu,ZHANG Hengwei,WANG Jindong. Optimal strategy selection method for moving target defense based on signaling game [J]. Journal on Communications, 2019, 40(6): 128-137.
[11]	Zhiyong LUO, Xu YANG, Guanglu SUN, Zhiqiang XIE, Jiahui LIU. Finite automaton intrusion tolerance system model based on Markov [J]. Journal on Communications, 2019, 40(10): 79-89.
[12]	Shirui HUANG,Hengwei ZHANG,Jindong WANG,Ruiyu DOU. Network security threat warning method based on qualitative differential game [J]. Journal on Communications, 2018, 39(8): 29-36.
[13]	Xiaodong ZANG,Jian GONG,Xiaoyan HU. Detecting malicious domain names based on AGD [J]. Journal on Communications, 2018, 39(7): 15-25.
[14]	Le-yi SHI,Hui SUN,Yu-wen CUI,Hong-bin GUO,Jian-lan LI. Web plug-in paradigm for anti-DoS attack based on end hopping [J]. Journal on Communications, 2017, 38(Z1): 19-24.
[15]	Tao WANG,Hong-chang CHEN,Guo-zhen CHENG. Research on software-defined network and the security defense technology [J]. Journal on Communications, 2017, 38(11): 133-160.