Research on a DDoS Attack and Defense Architecture for Cloud Environments and Its Key Technologies

Published: 2018-05-12 19:54

Topic: cloud computing + DDoS attacks; Source: Nanjing University, 2016 doctoral dissertation


[Abstract]: In recent years, cloud computing has gradually become the mainstream computing model in IT. Because of its on-demand self-service, ubiquitous access, resource pooling, elastic service and measured service, cloud computing has attracted wide attention in both industry and academia. Cloud computing offers three service models: Infrastructure as a Service, Platform as a Service and Software as a Service. On this service-oriented architecture, cloud service users can flexibly rent cloud services to meet their own application needs. Cloud computing's on-demand resource allocation and pay-as-you-go billing model further reduce users' hardware and software investment and maintenance costs. Despite these advantages, security remains the main obstacle for enterprises and organizations migrating their applications to cloud platforms. Among the many security vulnerabilities cloud platforms face, DDoS attacks are the main threat to the availability of cloud services. On one hand, the flooding DDoS attacks of traditional networks (such as the TCP SYN Flood attack) and low-rate DDoS attacks (such as the Shrew attack) still exist on cloud platforms. On the other hand, the cloud computing model introduces many DDoS attacks specific to cloud platforms, such as EDoS attacks and bandwidth-starvation DDoS attacks. And as cloud platforms widely adopt software-defined networking (SDN) as the underlying network architecture of their data centers, the DDoS attack surface in cloud environments grows further. Research into DDoS defense in cloud environments is therefore imperative. For the DDoS attacks already known in cloud environments, such as EDoS attacks, bandwidth-starvation DDoS attacks and control-plane flooding DDoS attacks, researchers have proposed various defenses. Compared with the attack surface of cloud platforms, however, these methods are far from sufficient. Research on this topic currently faces several challenges: 1) the lack of a global DDoS defense framework that lays out the potential DDoS vulnerabilities at each layer of a cloud environment and indicates how, and where, to defend against them effectively; 2) how to design a cloud firewall framework at the cloud service access point, as the first line of defense against DDoS traffic; 3) how to defend against potential flooding and low-rate DDoS attacks in the data plane of the cloud data center network; 4) how to evaluate the performance and effectiveness of a cloud firewall with a mathematical model, and how to quantitatively analyze the impact of DDoS attacks on the various performance metrics of a cloud platform.

To address these challenges, this dissertation studies DDoS attack and defense in cloud environments and its key technologies. Specifically, the work covers the following aspects. 1) To advance DDoS attack and defense in the cloud, we propose, from a global perspective, a DDoS attack and defense architecture for cloud environments. It is organized in four layers: the normal user/attacker layer, the cloud service access point layer, the cloud data center network layer and the cloud data center server layer. The normal user/attacker layer is where normal users send service requests, and attackers send attack traffic, toward the cloud data center. The cloud service access point layer is where normal users' requests and attackers' traffic arrive, via the Internet, at the cloud service access point; at this layer, as the first line of defense against DDoS traffic, an intrusion prevention system and a cloud firewall should be deployed. The cloud data center network layer is where requests and attack traffic pass through the access point and reach the data center network; at this layer, network-layer DDoS attacks, DDoS attacks specific to the SDN architecture, and bandwidth-starvation DDoS attacks should be defended against. Finally, the cloud data center server layer is where requests and attack traffic ultimately reach the application servers; at this layer, application-layer DDoS attacks and EDoS attacks should be defended against. 2) To deploy a firewall at the cloud service access point as the first line of defense against DDoS traffic, a decentralized cloud firewall framework is proposed. Cloud service users rent this firewall to protect their applications hosted in the cloud data center. Specifically, the servers hosting an application are divided into multiple clusters; the cloud service provider, using dynamic resource allocation, sets up an independent firewall for each cluster, and all firewalls monitor network traffic in parallel. In this framework, dynamic resource allocation minimizes resource provisioning cost while satisfying the QoS constraints specified by the user. Compared with existing centralized firewall frameworks, this framework addresses the single point of failure, large rule sets, and the inability to meet QoS constraints.

3) To defend against potential DDoS attacks in the cloud data center network, two data-plane DDoS vulnerabilities of data center networks are revealed; based on them, a data-plane flooding DDoS attack and a data-plane low-rate DDoS attack can be mounted. Specifically, the data-plane flooding attack achieves its goal by generating a large number of flow-table rules, while the data-plane low-rate attack does so by creating long-lived rules in the flow table. To characterize the data-plane flooding attack, it is compared with control-plane flooding DDoS attacks, and a defense is then proposed based on existing work on scrubbing high-load traffic at the control plane. The data-plane low-rate attack can evade detection by existing defenses because it almost never sends high-load traffic to the control plane; we therefore propose a new defense that detects long-lived rules in the flow table. 4) To evaluate the performance and effectiveness of the cloud firewall with a mathematical model, we propose new queueing models, M/Geo/1 and M/Geo/m. These models are far more complex than the existing M/M/1 model; to obtain the mean response time of a packet passing through the firewall, we are the first to combine the Z-transform with the embedded Markov chain technique. We also propose using stochastic processes to quantitatively analyze the impact of DDoS attacks on the cloud platform's performance metrics. The results show that the data-plane flooding DDoS attack can substantially degrade system response time with very few attack resources, while the data-plane low-rate DDoS attack has a long-term impact on the system.
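As an added illustration of the two data-plane indicators the abstract names (this is example code written for this page, not the dissertation's own method), the following Python check runs over a constructed flow-table dump in an ovs-ofctl "dump-flows"-style format: it flags long-lived rules that have matched almost no packets (the low-rate pattern) and reports flow-table occupancy (the flooding pattern). The dump format, the table capacity and the thresholds are assumptions.

```python
import re
from dataclasses import dataclass
from collections import Counter
# Constructed sample in an ovs-ofctl "dump-flows"-style format (assumption:
# one rule per line, key=value fields). Not data from the dissertation.
SAMPLE_DUMP = """\
 cookie=0x0, duration=9120.4s, table=0, n_packets=3, n_bytes=180, priority=10,ip,nw_src=192.0.2.10,nw_dst=198.51.100.5 actions=output:2
 cookie=0x0, duration=8870.1s, table=0, n_packets=2, n_bytes=120, priority=10,ip,nw_src=192.0.2.10,nw_dst=198.51.100.6 actions=output:2
 cookie=0x0, duration=8433.9s, table=0, n_packets=4, n_bytes=240, priority=10,ip,nw_src=192.0.2.10,nw_dst=198.51.100.7 actions=output:2
 cookie=0x0, duration=7210.0s, table=0, n_packets=51234, n_bytes=6148080, priority=10,ip,nw_src=203.0.113.4,nw_dst=198.51.100.5 actions=output:3
 cookie=0x0, duration=12.3s, table=0, n_packets=7, n_bytes=420, priority=10,ip,nw_src=203.0.113.9,nw_dst=198.51.100.8 actions=output:3
"""
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")

@dataclass
class FlowEntry:
    src: str           # nw_src match field, "any" if the rule has none
    duration_s: float  # seconds since the rule was installed
    n_packets: int     # packets matched so far

def parse_dump(text):
    """Parse the key=value fields of each flow line into FlowEntry objects."""
    entries = []
    for line in text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if "duration" not in f:
            continue
        entries.append(FlowEntry(f.get("nw_src", "any"),
                                 float(f["duration"].rstrip("s")),
                                 int(f.get("n_packets", 0))))
    return entries

def long_lived_low_rate(entries, min_age_s=3600.0, max_pps=0.01):
    """Low-rate pattern: rules that have sat in the table for a long time while
    matching almost nothing. Thresholds are assumed, not the dissertation's."""
    return [e for e in entries
            if e.duration_s >= min_age_s and e.n_packets / e.duration_s <= max_pps]

def suspects_by_source(flagged):
    """Count flagged rules per source; one source owning many is the signal."""
    return dict(Counter(e.src for e in flagged))

def table_occupancy(entries, capacity):
    """Flooding pattern: fraction of the flow table in use (capacity assumed)."""
    return len(entries) / capacity

if __name__ == "__main__":
    rules = parse_dump(SAMPLE_DUMP)
    print(table_occupancy(rules, 8), suspects_by_source(long_lived_low_rate(rules)))
```

On the sample, the busy long-lived rule from 203.0.113.4 is not flagged, while the three nearly idle rules from 192.0.2.10 are, which is the per-source concentration a defender would investigate.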

[Degree-granting institution]: Nanjing University
[Degree level]: Doctorate
[Year of degree]: 2016
[Classification number]: TP393.08


Document number: 1879938


Link to this document: https://www.wllwen.com/shoufeilunwen/xxkjbs/1879938.html


