基于IXP 1200平台的DDoS攻击防御研究

分布式拒绝服务攻击（DDoS）已经成为互联网最大的威胁之一.提出了一种基于Intel IXP1200网络处理器平台的DDoS防御系统的设计方案,并实际实现了一个防御系统D-Fighter.提出了解决DDoS攻击的两个关键技术：数据包认证和细微流量控制的原理和方法,并在D-Fighter中设计实现.经过实际网络测试环境的应用测试表明,D-Fighter达到了设计目标,对DDoS攻击的防御有较好的效果.     

分布式蠕虫检测和遏制方法的研究

提出了一种分布式蠕虫遏制机制，它由两大部分组成：中央的数据处理中心和分布在各网关的感知器。中央的数据处理中心接收感知器的检测结果，并统计蠕虫的感染状况。分布在各网关的感知器监测网络行为并检测蠕虫是否存在。若检测到蠕虫的存在，感知器根据蠕虫的疫情状况，启动自适应的丢包机制。最后，实验结果证明了该遏制系统能够有效地遏制蠕虫的传播，保护网络的运行；尽可能小的干扰正常的网络行为。     

An approach of defending against DDoS attack

An approach of defending against Distributed Denial of Service （DDoS） attack based on flow model and flow detection is presented. The proposed approach can protect targets from DDoS attacking, and allow targets to provide good service to legitimate traffic under DDoS attacking, with fast reaction. This approach adopts the technique of dynamic comb filter, yields a low level of false positives of less than 1.5%, drops similar percentage of good traffic, about 1%, and passes neglectable percentage of attack bandwidth to the victim, less than 1.5%. The prototype of commercial product, D-fighter, is developed by implementing this proposed approach on Intel network processor platform IXP1200.     

Differentiating Malicious DDoS Attack Traffic from Normal TCP Flows by Proactive Tests

To defend against distributed denial of service (DDoS) attacks, one critical issue is to effectively isolate the attack traffic from the normal ones. A novel DDoS defense scheme based on TCP is hereby contrived because TCP is the dominant traffic for both the normal and lethal flows in the Internet. Unlike most of the previous DDoS defense schemes that are passive in nature, the proposal uses proactive tests to identify and isolate the malicious traffic. Simulation results validate the effectiveness of our proposed scheme     

DDoS攻击恶意行为知识库构建

针对分布式拒绝服务（distributed denial of service,DDoS）网络攻击知识库研究不足的问题,提出了DDoS攻击恶意行为知识库的构建方法。该知识库基于知识图谱构建,包含恶意流量检测库和网络安全知识库两部分：恶意流量检测库对 DDoS 攻击引发的恶意流量进行检测并分类;网络安全知识库从流量特征和攻击框架对DDoS 攻击恶意行为建模,并对恶意行为进行推理、溯源和反馈。在此基础上基于DDoS 开放威胁信号（DDoS open threat signaling,DOTS）协议搭建分布式知识库,实现分布式节点间的数据传输、DDoS攻击防御与恶意流量缓解功能。实验结果表明,DDoS攻击恶意行为知识库能在多个网关处有效检测和缓解DDoS攻击引发的恶意流量,并具备分布式知识库间的知识更新和推理功能,表现出良好的可扩展性。     

ALPi: A DDoS Defense System for High-Speed Networks

Distributed denial-of-service (DDoS) attacks pose a significant threat to the Internet. Most solutions proposed to-date face scalability problems as the size and speed of the network increase, with no widespread DDoS solution deployed in the industry. PacketScore has been proposed as a proactive DDoS defense scheme, which detects DDoS attacks, differentiates attack packets from legitimate ones with the use of packet scoring (where the score of a packet is calculated based on attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold. In this paper, we propose ALPi, a new scheme which extends the packet scoring concept with reduced implementation complexity and enhanced performance. More specifically, a leaky-bucket overflow control scheme simplifies the score computation, and facilitates high-speed implementation. An attribute-value-variation scoring scheme analyzes the deviations of the current traffic attribute values, and increases the accuracy of detecting and differentiating attacks. An enhanced control-theoretic packet discarding method allows both schemes to be more adaptive to challenging attacks such as those with ever-changing signatures and intensities. When combined together, the proposed extensions not only greatly reduce the memory requirement and implementation complexity but also substantially improve the accuracies in attack detection and packet differentiation. This makes ALPi an attractive DDoS defense system amenable for high-speed hardware implementation.     

Analysis of area-congestion-based DDoS attacks in ad hoc networks

Increased instances of distributed denial of service (DDoS) attacks on the Internet have raised questions on whether and how ad hoc networks are vulnerable to such attacks. This paper studies the special properties of such attacks in ad hoc networks. We examine two types of area-congestion-based DDoS attacks – remote and local attacks – and present in-depth analysis on various factors and attack constraints that an attacker may use and face. We find that (1) there are two types of congestion – self congestion and cross congestion – that need to be carefully monitored; (2) the normal traffic itself causes significant packet loss in addition to the attack impacts in both remote and local attacks; (3) the number of flooding nodes has major impacts on remote attacks while, the load of normal traffic and the position of flooding nodes are critical to local attacks; and (4) given the same number of flooding nodes and attack loads, a remote DDoS attack can cause more damage to the network than a local DDoS attack.     

Intrusion Detection Routers: Design, Implementation and Evaluation Using an Experimental Testbed

In this paper, we present the design, the implementation details, and the evaluation results of an intrusion detection and defense system for distributed denial-of-service (DDoS) attack. The evaluation is conducted using an experimental testbed. The system, known as intrusion detection router (IDR), is deployed on network routers to perform online detection on any DDoS attack event, and then react with defense mechanisms to mitigate the attack. The testbed is built up by a cluster of sufficient number of Linux machines to mimic a portion of the Internet. Using the testbed, we conduct real experiments to evaluate the IDR system and demonstrate that IDR is effective in protecting the network from various DDoS attacks.     

Detection and defense of DDoS attack–based on deep learning in OpenFlow‐based SDN

Distributed denial of service (DDoS) is a special form of denial of service attack. In this paper, a DDoS detection model and defense system based on deep learning in Software‐Defined Network (SDN) environment are introduced. The model can learn patterns from sequences of network traffic and trace network attack activities in a historical manner. By using the defense system based on the model, the DDoS attack traffic can be effectively cleaned in Software‐Defined Network. The experimental results demonstrate the much better performance of our model compared with conventional machine learning ways. It also reduces the degree of dependence on environment, simplifies the real‐time update of detection system, and decreases the difficulty of upgrading or changing detection strategy.     

一种新的分布式DDoS攻击防御体系

Internet技术的发展和应用,给人们的生产和生活带来了很多便捷,但随之出现的网络安全问题,也成为日益严重的社会问题。针对网络中存在的DDoS攻击进行研究,以分布式并行系统的思想为基础,建立了一种新型DDoS攻击的安全防御体系。该体系通过不同组件间的相互协调、合作,实现了对DDoS攻击的分析及其防御。在对DDoS的攻击流量进行分析的过程中,以数据挖掘的模糊关联规则的方法进行分析,并实现了对攻击源的定位,有效地避免了攻击造成进一步的危害。     

DDoS攻击方式与防御措施浅议

随着Internet互联网络带宽的增加和多种DDoS黑客工具的不断发布,DDoS拒绝服务攻击的实施越来越容易,DDoS攻击事件正在成上升趋势。论文通过对常用的各种DDoS攻击方式进行分类,对攻击的原理进行了探讨,最后在此基础上有针对性地提出了一些防御DDoS攻击的方法。     

一种新的DDoS攻击主动防御方案

介绍DDoS攻击原理和分析DDoS攻击网络的控制机制后,提出了一种新的基于蜜网(honeynet)的主动防御方案,利用网络陷阱与跟踪技术,从根源上阻止DDoS攻击远程控制网络的形成,以达到主动防御的目的。     

一种基于资源感知的小流量DDoS攻击防御方法

分布式拒绝服务攻击（DDoS）对网络具有极大的破坏性,严重影响现网的正常运营。虽然现网已经部署针对DDoS的流量清洗系统,然而小流量的攻击较洪水型攻击更难以被感知,进而不能得到有效的清洗。本文分析了网络中小流量DDoS攻击的原理和防御现状,并提出一种基于资源感知的小流量DDoS攻击防御方法。     

Efficient and low‐cost defense against distributed denial‐of‐service attacks in SDN‐based networks

Distributed are common threats in many networks, where attackers attempt to make victim servers unavailable to other users by flooding them with worthless requests. These attacks cannot be easily stopped by firewalls, since they forge lots of connections to victims with various IP addresses. The paper aims to exploit the software‐defined networking (SDN) technique to defend against DDoS attacks. However, the controller has to handle lots of connections launched by DDoS attacks, which burdens it with a heavy load and degrades SDN's performance. Therefore, the paper proposes an efficient and low‐cost DDoS defense (ELD) mechanism for SDN. It adopts a nested reverse‐exponential data storage scheme to help the controller efficiently record the information of packets in the limited memory. Once there are many packets with high IP variability sent to a certain server and this situation lasts for a while, then a DDoS attack is likely happening. In this case, the controller asks switches to block malicious connections by installing flow rules. Experimental results verify that the ELD mechanism rapidly recognizes protocol‐based DDoS attacks and stops them in time, including TCP SYN flood, UDP flood, and ICMP flood, and also greatly reduces the overhead for the controller to defend against attacks. Moreover, ELD can distinguish DDoS flows from legitimate ones with similar features such as elephant flows and impulse flows, thereby eliminating false alarms.     

分布式DNS反射DDoS攻击检测及控制技术

分布式DNS反射DDoS攻击已经成为拒绝服务攻击的主要形式之一,传统的基于网络流量统计分析和网络流量控制技术已经不能满足防护需求。提出了基于生存时间值（TTL）智能研判的DNS反射攻击检测技术,能够准确发现伪造源IP地址分组;基于多系统融合的伪造源地址溯源阻断技术,从源头上阻断攻击流量流入网络。     

基于蜜网技术的DDOS攻击防御策略

DDoS攻击的防御是当前网络安全研究领域中的难点。文章在分析DDoS攻击原理的基础上,介绍了蜜网这一主动防御技术的实现原理及功能,提出了基于蜜网防御DDOS攻击的模型并进行了设计和实现。     

Defending Wireless Infrastructure Against the Challenge of DDoS Attacks

This paper addresses possible Distributed Denial-of-Service (DDoS) attacks toward the wireless Internet including the Wireless Extended Internet, the Wireless Portal Network, and the Wireless Ad Hoc network. We propose a conceptual model for defending against DDoS attacks on the wireless Internet, which incorporates both cooperative technological solutions and economic incentive mechanisms built on usage-based fees. Cost-effectiveness is also addressed through an illustrative implementation scheme using Policy Based Networking (PBN). By investigating both technological and economic difficulties in defense of DDoS attacks which have plagued the wired Internet, our aim here is to foster further development of wireless Internet infrastructure as a more secure and efficient platform for mobile commerce.     

基于流媒体服务DDoS攻击防范研究

分布式拒绝服务（Distributed Deny of Service,DDoS）攻击是目前最难解决的网络安全问题之一。在研究RTSP（Real-Time Streaming Protocol）协议漏洞基础上,提出一种有效防御流媒体服务DDoS攻击防御方案。该方案基于时间方差图法（Variance-TimePlots,VTP）,计算自相似参数Hurst值,利用正常网络流量符合自相似模型的特性来进行DDoS攻击检测,并综合采用黑白名单技术对流量进行处理。最后通过MATLAB仿真工具进行了模拟实验,并对结果进行了分析,在协议分析基础上能合理控制流量,使得DDoS攻击检测准确率、实时性高,目标流媒体服务器带宽和资源得到了有效保护。     

GLORIAD流量监测与分析系统设计与实现

文章首先引入了GLORIAD流量监测与分析系统设计和实现的背景：接着介绍了与系统设计实现相关的原理和技术,包括CISCO NetFlow技术,以及应用NetFlow技术检测分析DDoS和蠕虫病毒等网络异常流量的方法：然后讨论了系统的总体结构和应用上述技术原理实现各个模块的细节,包括如何实现用户行为分析,以及如何实现检测分析DDoS和蠕虫病毒等网络异常;最后总结了系统实现的结果.     

DDoS attack detection in IEEE 802.16 based networks

Achieving high data rate transmission, WiMAX has acquired noticeable attention by communication industry. One of the vulnerabilities of the WiMAX network which leads to DDoS attack is sending a high volume of ranging request messages to base station (BS) in the initial network entry process. In the initial network entry process, BS and subscriber station (SS) exchange management messages. Since some of these messages are not authenticated, malicious SSs can attack the network by exploiting this vulnerability which may increase the traffic load of the BS and prevent it from serving the SSs. So, detecting such attacks is one of the most important issues in such networks. In this research, an artificial neural network (ANN) based approach is proposed in order to detect DDoS attacks in IEEE 802.16 networks. Although lots of studies have been devoted to the detection of DDoS attack, some of them focus just on some statistical features of the traffic and some other focus on packets’ headers. The proposed approach exploits both qualitative and quantitative methods. It detects the attack by feeding some features of the network traffic under attack to an appropriate ANN structure. To evaluate the method, first a typical attacked network is implemented in OPNet simulator, and then by using the proposed system, the efficiency of the method is evaluated. The results show that by choosing suitable time series we can classify 93 % of normal traffic and 91 % of attack traffic.