Similar literature
 Found 20 similar documents; search took 31 ms
1.
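A survey of recent advances in research on distributed denial-of-service attacks   Total citations: 13, self-citations: 2, citations by others: 11
Sun Changhua, Liu Bin. Acta Electronica Sinica (《电子学报》), 2009, 37(7): 1562-1570
 Distributed denial-of-service attacks have long been a difficult research problem in network security. Building on a further analysis of the harm caused by distributed denial-of-service attacks and its causes, this paper surveys the research on this problem and the solutions proposed since 2005, mainly: network filtering based at the Internet service provider, approaches based on proof of work, approaches based on overlay networks, and approaches based on network capabilities. By analyzing their strengths and weaknesses, it summarizes the characteristics of deployable solutions and gives an outlook on future research.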

2.
The amount of wireless traffic is increasing at an overwhelming speed. Information‐centric networking (ICN) has been proposed as a promising Future Internet Architecture, which can reduce network traffic by putting data objects toward the edge. It is expected that in information‐centric mobile Internet (ICMI), the wireless traffic can be significantly reduced. Yet, DoS/DDoS attack becomes a critical issue in ICMI by causing wireless gateway blockade. To tackle the problem, we propose a dual‐collaborative DoS/DDoS mitigation approach (DCMA) and advanced DCMA to protect wireless gateways. In the algorithm, the attackers' visiting information including international mobile equipment identity (IMEI) and data object name (DON) are analyzed jointly to accurately identify potential attackers through the collaboration between the Internet and mobile network. In addition, the attacker's behaviors are analyzed centrally, and security strategies are applied distributively throughout wireless edge through the collaboration between wireless core network (CN) and radio access network (RAN). Extensive simulations are performed to verify the effectiveness of the proposed algorithms. The results demonstrate that advanced DCMA can achieve high DDoS and attacker detection probability and small false positive probability.

3.
Dependence on the Internet is increasing dramatically. Therefore, many researchers have given great attention to the issue of how to tighten Internet security. This study proposes a new scheme for the distributed intrusion prevention system (DIPS), in which the concept of ‘union’ is presented for satisfying the increasing requirements of Internet security issues. In this proposed design, the network intrusion detection system (NIDS) applies a misuse detection technique to detect well‐known intrusion behavior on the Internet. Meanwhile, for anomaly detection technique, a tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to reveal previously undiscovered intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service (DDoS) attacks inside the protected allied network is also covered. To increase the detection accuracy, reduction of false positives and false negatives is also accomplished. Experimental results reveal that the suggested network security system scheme is effective and efficient in resolving the intrusion activity problem of real network environments. Copyright © 2011 John Wiley & Sons, Ltd.

4.
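With the rapid development of mobile Internet technology and new services, network data is growing explosively. Improving user-perceived quality and mining the potential value of users have become research priorities for Internet service providers (ISPs). To address this problem, a user behavior analysis system based on deep packet inspection (DPI) is proposed. Combining DPI with a traditional signaling monitoring system, it analyzes user data on the S1 interface of LTE networks and efficiently mines the behavioral characteristics of user groups from massive data. Validation with live-network data shows that the scheme achieves the expected results and has reference value for ISPs.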

5.
Distributed denial-of-service (DDoS) attacks pose a significant threat to the Internet. Most solutions proposed to-date face scalability problems as the size and speed of the network increase, with no widespread DDoS solution deployed in the industry. PacketScore has been proposed as a proactive DDoS defense scheme, which detects DDoS attacks, differentiates attack packets from legitimate ones with the use of packet scoring (where the score of a packet is calculated based on attribute values it possesses), and discards packets whose scores are lower than a dynamic threshold. In this paper, we propose ALPi, a new scheme which extends the packet scoring concept with reduced implementation complexity and enhanced performance. More specifically, a leaky-bucket overflow control scheme simplifies the score computation, and facilitates high-speed implementation. An attribute-value-variation scoring scheme analyzes the deviations of the current traffic attribute values, and increases the accuracy of detecting and differentiating attacks. An enhanced control-theoretic packet discarding method allows both schemes to be more adaptive to challenging attacks such as those with ever-changing signatures and intensities. When combined together, the proposed extensions not only greatly reduce the memory requirement and implementation complexity but also substantially improve the accuracies in attack detection and packet differentiation. This makes ALPi an attractive DDoS defense system amenable for high-speed hardware implementation.

6.

This framework attempts to introduce a new Distributed denial-of-service (DDoS) attack detection and mitigation model. It is comprised of two stages, namely DDoS attack detection and mitigation. The first stage consists of three important phases like feature extraction, optimal feature selection, and classification. In order to optimally select the features of obtained feature sets, a new improved algorithm is implanted named Improved Update oriented Rider Optimization Algorithm (IU-ROA), which is the modification of the Rider Optimization Algorithm (ROA) algorithm. The optimal features are subjected to classification using the Deep Convolutional Neural Network (CNN) model, in which the presence of network attacks can be detected. The second stage is the mitigation of the attacker node. For this, a bait detection mechanism is launched, which provides the effective mitigation of malicious nodes having Distributed Denial-of-Service (DDoS) attacks. The experimentation is done on the KDD cup 99 dataset and the experimental analysis proves that the proposed model generates a better result which is 90.06% in mitigation analysis and the overall performance analysis of the proposed model on DDoS Attack Detection is 96% better than conventional methods.


7.
This paper addresses possible Distributed Denial-of-Service (DDoS) attacks toward the wireless Internet including the Wireless Extended Internet, the Wireless Portal Network, and the Wireless Ad Hoc network. We propose a conceptual model for defending against DDoS attacks on the wireless Internet, which incorporates both cooperative technological solutions and economic incentive mechanisms built on usage-based fees. Cost-effectiveness is also addressed through an illustrative implementation scheme using Policy Based Networking (PBN). By investigating both technological and economic difficulties in defense of DDoS attacks which have plagued the wired Internet, our aim here is to foster further development of wireless Internet infrastructure as a more secure and efficient platform for mobile commerce.

8.
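With the development of networks and the spread of computers, network security has become a focus of attention for enterprises. DDoS attacks are simple and effective, and have become a very popular form of attack on networks. After introducing the principles and classification of DDoS, this paper analyzes the shortcomings of current security devices in resisting DDoS. On that basis, it describes the use of ADS, a dedicated anti-DDoS device, in the carrier industry, and gives an example of an ADS device defending against a DDoS attack.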

9.
In this paper, we present the design, the implementation details, and the evaluation results of an intrusion detection and defense system for distributed denial-of-service (DDoS) attack. The evaluation is conducted using an experimental testbed. The system, known as intrusion detection router (IDR), is deployed on network routers to perform online detection on any DDoS attack event, and then react with defense mechanisms to mitigate the attack. The testbed is built up by a cluster of sufficient number of Linux machines to mimic a portion of the Internet. Using the testbed, we conduct real experiments to evaluate the IDR system and demonstrate that IDR is effective in protecting the network from various DDoS attacks.

10.
Spectrum, IEEE, 2001, 38(1): 59-61
The world was made rudely aware of the battle between hackers and Internet system security administration when public access to the sites of Amazon, eBay, Yahoo!, and other dot-coms was cut off by a new method of attack called distributed denial of service (DDoS), in February 2000. To block the sites, one or more hackers sneaked into the computers of several unsuspecting users connected to the Net, and used these widely dispersed machines as drones to launch a barrage of false messages. DDoS is a network problem because it abuses the network's resources; so the solution has to be in the network. Security experts are planning to fight the war with DDoS hackers on many fronts, from the Web-server vanguard through to the personal computers in the trenches. In the wake of the February attack, their first act has been to try to establish lines of communications among Web site operators, Internet service providers (ISPs), and legal authorities. The work of the Internet Engineering Task Force in tackling the hacker by tracking the flow of data packets through the network

11.
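DDoS-based TCP SYN attacks and their prevention   Total citations: 5, self-citations: 0, citations by others: 5
Distributed denial of service (DDoS) is an Internet attack technique that has appeared in recent years, with strong attack power and no effective means of defense, and it is currently a hot research topic in the network security community. The TCP SYN flood is one of the most common DDoS attack techniques. Building on an in-depth study of DDoS attacks, this paper focuses on TCP SYN flood attacks and their countermeasures, and proposes a new combined attack detection technique that addresses the defense against this kind of attack fairly well.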

12.
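With the wide application of modern information technology, China's information environment has in recent years shown a clear trend toward greater complexity. From the standpoint of network information security, this article introduces the value of DDoS security assurance in software-defined networking and briefly outlines approaches to DDoS attack detection in software-defined networking. It examines a defense system based on the SDSNM logical architecture, an OpenFlow-based attack mitigation method, an attack defense system based on reinforcement learning, and an attack defense system based on DPDK, with the aim of comprehensively improving the network information security environment.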

13.
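Defending against denial-of-service attacks   Total citations: 1, self-citations: 0, citations by others: 1
DDoS attacks on the Internet pose new challenges to network and system security, and many countermeasures to this problem have appeared in recent years. This paper analyzes and compares a range of methods for defending against DDoS attacks.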

14.
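Liu Feiyang, Li Kun, Song Fei, Zhou Huachun. Telecommunications Science (《电信科学》), 2021, 37(11): 17-32
To address the lack of research on knowledge bases for distributed denial of service (DDoS) network attacks, a method for building a knowledge base of malicious DDoS attack behavior is proposed. The knowledge base is built on a knowledge graph and has two parts, a malicious traffic detection base and a network security knowledge base. The malicious traffic detection base detects and classifies the malicious traffic caused by DDoS attacks; the network security knowledge base models malicious DDoS attack behavior in terms of traffic features and attack frameworks, and performs inference, source tracing and feedback on that behavior. On this basis, a distributed knowledge base is built on the DDoS open threat signaling (DOTS) protocol, providing data transfer between distributed nodes, DDoS attack defense and malicious traffic mitigation. Experimental results show that the knowledge base of malicious DDoS attack behavior can effectively detect and mitigate the malicious traffic caused by DDoS attacks at multiple gateways, supports knowledge updating and inference between distributed knowledge bases, and shows good scalability.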

15.
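The development and application of Internet technology have brought much convenience to production and daily life, but the network security problems that came with them have become an increasingly serious social issue. This work studies the DDoS attacks present in networks and, based on the idea of distributed parallel systems, establishes a new security defense architecture against DDoS attacks. Through coordination and cooperation among its components, the architecture analyzes DDoS attacks and defends against them. DDoS attack traffic is analyzed using the fuzzy association rule method from data mining, and the attack source is located, which effectively prevents the attack from causing further harm.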

16.
DDoS attack is a traditional malicious attempt to make an authorized system or service inaccessible. Currently, BGP blackholing is an operational countermeasure that builds upon the capabilities of BGP to protect from DDoS attacks. BGP enables blackholing by leveraging the BGP community attribute. This paper presents the analysis of BGP blackholing activity and proposes a machine learning-based mechanism to detect BGP blackholing activity. In BGP blackholing analysis, we find that many networks, including Internet service providers (ISPs) and Internet exchange points (IXPs), offer BGP blackholing service to their customers. We collect networks' blackhole communities and make a BGP blackhole communities dictionary. Within a 3-month period (from August to October, 2018), we find a significant number of BGP blackhole announcements (97,532) and distinct blackhole prefixes (8,120). Most of the blackhole prefixes are IPv4 (99.1%). Among IPv4 blackhole prefixes, most are /32 (79.9%). The daily patterns of BGP blackholing highlight that there is a variable number of blackhole announcements and distinct blackhole prefixes every day. Furthermore, we apply machine learning techniques to design a BGP blackholing detection mechanism based on support vector machine (SVM), decision tree, and long short-term memory (LSTM) classifiers. The results are compared based on accuracy and F-score. Experimental results show that LSTM achieves the best classification accuracy of 95.9% and F-score of 97.2%. This work provides insights for network operators and researchers interested in BGP blackholing service and DDoS mitigation in the Internet.

17.
Today's Internet hosts are threatened by large-scale distributed denial-of-service (DDoS) attacks. The path identification (Pi) DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per packet basis with high accuracy after only a few attack packets are received (Yaar, 2003). In this paper, we propose the StackPi marking, a new packet marking scheme based on Pi, and new filtering mechanisms. The StackPi marking scheme consists of two new marking methods that substantially improve Pi's incremental deployment performance: Stack-based marking and write-ahead marking. Our scheme almost completely eliminates the effect of a few legacy routers on a path, and performs 2–4 times better than the original Pi scheme in a sparse deployment of Pi-enabled routers. For the filtering mechanism, we derive an optimal threshold strategy for filtering with the Pi marking. We also develop a new filter, the PiIP filter, which can be used to detect Internet protocol (IP) spoofing attacks with just a single attack packet. Finally, we discuss in detail StackPi's compatibility with IP fragmentation, applicability in an IPv6 environment, and several other important issues relating to potential deployment of StackPi.

18.
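New trends in DDoS attacks and ISP countermeasures   Total citations: 1, self-citations: 0, citations by others: 1
Ji Ye. Telecommunications Science (《电信科学》), 2008, 24(1): 50-54
Distributed denial of service (DDoS) attacks are an attack technique widely used by hackers in recent years. They seriously affect not only the victim's access to the Internet but also the normal operation of Internet service provider (ISP) networks. By analyzing the DDoS attack incidents that occurred over the past year in the networks of Beijing Telecom and China Telecom, this paper summarizes the new trends in current DDoS attacks and proposes targeted responses from the carrier's perspective, to keep the carrier's Internet backbone running stably.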

19.
In defending against various network attacks, such as distributed denial-of-service (DDoS) attacks or worm attacks, a defense system needs to deal with various network conditions and dynamically changing attacks. Therefore, a good defense system needs to have a built-in “adaptive defense” functionality based on cost minimization—adaptively adjusting its configurations according to the network condition and attack severity in order to minimize the combined cost introduced by false positives (misidentify normal traffic as attack) and false negatives (misidentify attack traffic as normal) at any time. In this way, the adaptive defense system can generate fewer false alarms in normal situations or under light attacks with relaxed defense configurations, while protecting a network or a server more vigorously under severe attacks. In this paper, we present concrete adaptive defense system designs for defending against two major network attacks: SYN flood DDoS attack and Internet worm infection. The adaptive defense is a high-level system design that can be built on various underlying nonadaptive detection and filtering algorithms, which makes it applicable for a wide range of security defenses.

20.
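An IP metropolitan area network is an IP network covering the area of a city; as part of the Internet, it provides users with a variety of IP-based services. MPLS VPN, an emerging value-added network service, builds on local connectivity to link an enterprise's branches with its headquarters without the need for a dedicated network, greatly reducing the enterprise's network construction costs and offering domestic carriers a good market opportunity. This paper mainly describes how the Jingzhou Branch of China United Network Communications Co., Ltd. deployed MPLS VPN access technology in its IP metropolitan area network. Starting from the limitations of CNC Network and the service requirements, it introduces the background and significance of deploying MPLS VPN in an IP metropolitan area network. It sets out the main difficulties of deploying MPLS VPN in an IP metropolitan area network, and also describes its successful service applications in the supermarket industry and in the Golden Shield Project (GSP).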
