
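Design of a Website Security Defense Platform

Published: 2018-05-11 20:25

  Topics: distributed denial-of-service attack + application layer; Reference: Tianjin University, master's thesis, 2014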


[Abstract]: With today's rapid technological development, the applications offered by web sites have become ever richer and bring great convenience to people's lives. At the same time, flaws in network protocols are making network security problems increasingly prominent. At the application layer, a client needs to send only a small number of requests to consume a large amount of server resources, and application-layer distributed denial-of-service (APP-DDOS) attacks against web sites exploit exactly this weakness. Among the security threats that web sites face, APP-DDOS attacks account for a growing share and are increasingly difficult to defend against. Detecting APP-DDOS attacks effectively, and controlling and filtering them, is therefore of great significance for protecting web sites. Building on an analysis and study of APP-DDOS defense techniques in China and abroad, this thesis designs and implements a website security defense platform. The platform can effectively control and defend against APP-DDOS attacks, and it also leaves interfaces for handling other security threats such as web page tampering and injection attacks, so that website defense methods can be better integrated and the platform's defensive capability improved. The platform uses three key techniques to defend against APP-DDOS: a URL dynamic mapping method, a points payment strategy, and an incentive mechanism. The URL dynamic mapping method starts from the idea of hiding the server's real resource addresses: the resource address of every client request is dynamically mapped, and the back-end web server responds only when the mapped address matches a database record. In addition, the mapped addresses cannot be brute-forced, so an attacker cannot accurately locate a target with which to cause a denial of service. The points payment strategy improves on the blacklist/whitelist method. It introduces the concepts of points and service price to measure the state of server resources; under attack it can minimize the access delay of whitelisted users while also reducing the computational burden of the URL dynamic mapping method. The incentive mechanism is based on the idea of the Turing test: new users perform a series of related operations to prove that they are normal users, which reduces the delay before new legitimate users obtain service. Finally, the thesis builds an experimental environment and runs simulation experiments on the platform as designed and implemented. The results show that the defense platform defends well against APP-DDOS attacks.
[Degree-granting institution]: Tianjin University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.092
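
The URL dynamic mapping method described in the abstract, as an added Python example that is not the thesis's implementation. It assumes an in-memory dict in place of the database, random 128-bit single-use aliases bound to a client identifier, and a 30-second lifetime; the class and method names and the `/r/` prefix are hypothetical.

```python
import secrets
import time


class DynamicUrlMapper:
    """Hands out random, single-use aliases in place of real resource paths."""

    def __init__(self, ttl_seconds=30.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        # alias -> (client_id, real_path, expires_at); assumed stand-in for the database
        self._records = {}

    def issue(self, client_id, real_path):
        """Map one real path to a fresh alias for one client."""
        # 128 random bits per alias: guessing a live one is not practical.
        alias = "/r/" + secrets.token_urlsafe(16)
        self._records[alias] = (client_id, real_path, self.clock() + self.ttl)
        return alias

    def resolve(self, client_id, requested_path):
        """Return the real path for a valid alias, or None to drop the request."""
        record = self._records.get(requested_path)
        if record is None:
            return None  # unknown alias, or a direct hit on a real path
        owner, real_path, expires_at = record
        if owner != client_id:
            return None  # alias was issued to another client; keep it for its owner
        del self._records[requested_path]  # single use: a replayed alias no longer matches
        if self.clock() > expires_at:
            return None
        return real_path


if __name__ == "__main__":
    mapper = DynamicUrlMapper()
    alias = mapper.issue("client-A", "/search.php")  # constructed sample values
    print("alias sent to client:", alias)
    print("first request  ->", mapper.resolve("client-A", alias))
    print("replayed alias ->", mapper.resolve("client-A", alias))
    print("real path      ->", mapper.resolve("client-A", "/search.php"))
```

A gateway in front of the web server would call `issue` for every link it writes into a response and forward a request to the back end only when `resolve` returns a path.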



