
Research and Implementation of an Anti-DDoS Attack System Based on the Comware Platform

Published: 2018-11-10 20:25
[Abstract]: The Internet is developing rapidly, and more and more tasks depend on it. As user demands rise, users increasingly focus on network security, stability and transmission efficiency. Simply delivering packets across the network no longer meets their needs; users expect the network to offer better security assurance and service capability. The constant stream of network attacks severely degrades network performance, especially distributed denial-of-service (DDoS) attacks: large volumes of abnormal traffic visibly reduce the victim's quality of service and can lead to outright denial of service, ultimately causing heavy losses. Traditional network security research has concentrated on intrusion detection, firewalls and antivirus software, but these techniques do not reduce the abnormal traffic present in the network. This thesis aims to eliminate abnormal traffic in the network and thereby fundamentally reduce the likelihood of users being hit by DDoS attacks. Based on a certain company's Comware platform, it develops an anti-DDoS system that can be deployed on routing devices. The main research content is the combination of BGP and Flow-Spec on the Comware platform, together with a study of DDoS attack principles, abnormal-traffic monitoring algorithms and traffic control algorithms. Once abnormal traffic is detected, a routing device can control it according to a traffic handling policy defined with Flow-Spec, while BGP is used to deploy that policy on multiple routing devices that have established peer relationships, giving the widest possible defense against DDoS attacks. The thesis covers the following:

1. DDoS attacks are studied, including their principles and steps. The principles and processes of SYN Flooding, UDP Flooding and smurf attacks are analyzed in detail.

2. The relevant algorithms are introduced and studied: the CUSUM algorithm for anomaly monitoring, the M-CUSUM algorithm (an improvement of CUSUM aimed at routing devices), and the token bucket algorithm for traffic control.

3. The key technologies needed to implement the system are studied in detail. Combining Flow-Spec with BGP is a major feature of the system. BGP allows multiple routing devices to form peer relationships, and the exchange of messages between peers lets a traffic handling policy be deployed on one routing device and applied on multiple devices at the same time. Flow-Spec specifies what a traffic handling policy consists of, namely match rules and traffic handling actions, and also specifies the details of how the policy is encoded.

4. Finally, the algorithms and technologies are put into practice to develop and implement the anti-DDoS system. In the overall design, the traffic monitoring module detects abnormal traffic, the command-line terminal module receives user configuration data, the Flow-Spec data processing module processes the data and delivers it to the chip, and the BGP module establishes peer relationships so that traffic handling policies can be transmitted among peers.

The system is efficient and flexible in responding to DDoS attacks, the protection policy is simple to deploy, and the results achieved are satisfactory, so it has good application prospects.
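The abstract's detect-then-control pipeline can be sketched as follows. This is an added example, not code from the thesis: it uses the standard one-sided CUSUM statistic (the thesis's M-CUSUM variant is not defined on this page) and a token bucket refilled once per interval as the rate-limit action. All counts, thresholds and rates are constructed values.

```python
# Added example (not the thesis's code): one-sided CUSUM detection feeding a
# token-bucket rate limit. All parameter values and counts are constructed.

def cusum(counts, baseline, slack):
    """Return the CUSUM statistic S_n = max(0, S_{n-1} + x_n - baseline - slack)."""
    s, series = 0, []
    for x in counts:
        s = max(0, s + x - baseline - slack)
        series.append(s)
    return series

class TokenBucket:
    """Bucket refilled once per interval: `rate` tokens, capped at `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def admit(self, packets):
        """Refill for one interval, then return how many packets conform."""
        self.tokens = min(self.burst, self.tokens + self.rate)
        sent = min(packets, self.tokens)
        self.tokens -= sent
        return sent

def detect_and_police(counts, baseline, slack, threshold, rate, burst):
    """Forward everything until CUSUM crosses `threshold`, then police.

    Returns (index of first alarm or None, forwarded packets per interval).
    Rule withdrawal after the attack ends is not modelled.
    """
    bucket, alarm, forwarded = TokenBucket(rate, burst), None, []
    for i, s in enumerate(cusum(counts, baseline, slack)):
        if alarm is None and s > threshold:
            alarm = i
        forwarded.append(counts[i] if alarm is None else bucket.admit(counts[i]))
    return alarm, forwarded

# Constructed SYN counts per one-second interval; the flood starts at index 5.
SYN_PER_SEC = [100, 110, 95, 105, 100, 400, 900, 950, 920, 100]

if __name__ == "__main__":
    alarm, out = detect_and_police(SYN_PER_SEC, baseline=100, slack=50,
                                   threshold=500, rate=150, burst=300)
    print("alarm at interval", alarm)
    print("forwarded:", out)
```

The statistic stays high after the flood ends (it only decays by the slack per interval), which is why a deployment needs an explicit reset or withdrawal rule alongside the alarm.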
[Degree-granting institution]: Hangzhou Dianzi University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08



