基于包标记的DRDoS攻击溯源的研究与算法实现

发布时间：2018-05-15 11:52

本文选题：分布式反射拒绝服务攻击 + 分片采样　；参考：《华东师范大学》2016年硕士论文

【摘要】：随着互联网产业的迅猛发展,网络规模迅速扩大,安全问题变得日益严峻,由于网络技术还不够完善,便使得企业乃至国家面临严重的网络威胁。其中分布式拒绝服务攻击是主要的威胁之一,它可以借助多个计算机分布式地向一个或多个目标发动攻击,通过请求占用大量的网络资源,使服务器、网络造成瘫痪。由于攻击源地址可进行伪造,使得对于攻击源的追溯增加了难度,而分布式反射拒绝服务攻击(DRDoS)则更隐蔽,它伪造了源地址,利用一些网络协议,通过服务器间接地向被攻击点发动攻击,造成大多数追溯方案无法有效地对攻击源进行追踪。本文着重对分布式反射拒绝服务攻击(DRDoS)溯源问题进行研究。溯源技术主要可分为五类,入口过滤、链路测试、日志记录、ICMP追溯以及包标记法等。本文提出的算法是以动态概率包标记技术为基础的,每个中间节点路由器利用ttl域计算标记概率,使得标记信息以相同的概率被受害者接收；尽可能地利用可用的标记空间,将标记信息以四分片采样的形式存储在标记域中,减少了所需的标记包数；通过构造相邻IP分片的哈希值的关系,从而降低了重构算法的复杂度,改善了重构准确性；增加了一位标记覆盖位,解决了路由标记信息的覆盖问题；为了使反射节点高效地存储复制转发标记信息,采用了改进后的Bloom Filter存储结构,同时在每个路由节点设计了相应的标记策略,主要分为中间路由标记算法、反射点标记算法以及重构算法。相比于其他的追溯方法,该算法在重构攻击路径过程中无需事先掌握网络拓扑结构,具有较强的适用性。本文通过理论证明,同时在OMNeT++环境下进行仿真实验,验证了该方法能够有效地应用在DRDoS攻击溯源中。
[Abstract]:With the rapid development of the Internet industry, the scale of the network expands rapidly, and the security problem becomes more and more serious. Because the network technology is not perfect enough, the enterprises and even the country are faced with the serious network threat. Distributed denial of service (DDoS) attack is one of the main threats. It can attack one or more targets with the aid of multiple computers. It takes up a large amount of network resources through request and paralyzes the server and network. Since the address of the attack source can be forged, it makes it more difficult to trace the attack source, while the distributed reflection denial of service attack (DRDoS) is more hidden. It forges the source address and uses some network protocols. The most traceability schemes are unable to trace the attack source effectively because of the indirect attack on the point of attack through the server. This paper focuses on the traceability of distributed Reflection-of-Service (DDoS) attacks. Traceability technology can be divided into five categories: entry filtering, link testing, logging ICMP traceability and packet marking. The algorithm proposed in this paper is based on the dynamic probability packet marking technique. Each intermediate node router uses ttl domain to calculate the marking probability, so that the marking information is received by the victim with the same probability, and the available tag space is used as much as possible. The tag information is stored in the tag domain in the form of quadrilateral sampling, which reduces the number of tag packets, reduces the complexity of the reconstruction algorithm and improves the accuracy of the reconstruction by constructing the relationship between the hash values of the adjacent IP fragments. A bit tag overlay bit is added to solve the overlay problem of routing label information. In order to make the reflection node store the duplicate and forward tag information efficiently, the improved Bloom Filter storage structure is adopted. At the same time, a corresponding marking strategy is designed for each routing node, which is mainly divided into intermediate routing marking algorithm, reflection point marking algorithm and reconstruction algorithm. Compared with other traceability methods, the proposed algorithm does not need to master the network topology in the process of reconstructing the attack path, so it has strong applicability. In this paper, it is proved theoretically that the proposed method can be effectively applied to the traceability of DRDoS attack in OMNeT environment.
【学位授予单位】：华东师范大学
【学位级别】：硕士
【学位授予年份】：2016
【分类号】：TP393.08

【相似文献】