正态分布与分布式拒绝服务攻击的主动预防

随着信息技术的发展和应用的普及,网络安全问题已经成为人们关注的焦点问题。目前分布式拒绝服务(DDoS,Distributed Denial of Service)攻击已经成为影响Internet正常运行的一个比较严重的问题,并影响合法用户获得正常的服务。文中首先阐述了DDoS形成的原理,然后分析了预防DDoS攻击的措施和机制。随后借助于SSFNet(Scalable Simula-tion Framework Net)仿真软件构建相应的网络环境,模拟了一种分布式拒绝服务攻击。针对在实验中发现的攻击特征,即攻击发生时通过路由器的新IP数量呈现正态分布的变化趋势,结合统计学中正态分布的概率理论知识,提出了一种通过正态分布模型结合网络中新IP数量变化趋势应对分布式拒绝服务攻击的主动防御方案。然后利用实验中采集的数据,对所提出的应对分布式拒绝服务攻击的防御方案进行了验证。     

DDoS攻击的流程分析与有效防御

DDoS是Distributed Denial of Service的缩写,意即：分布式拒绝服务攻击。它通过控制一批傀儡机（俗称＂肉鸡＂）向目标机器同时发起洪流般的攻击,使得服务器应接不暇而无法响应正常的服务,重则使系统处于瘫痪状态。DDoS攻击具有两个重要的特点：一是针对网络带宽进行海量攻击,造成网络阻塞,湮灭正常网络包;二是耗尽服务器资源,大量非正常的攻击包耗尽主机内存和CPU资源。     

DDoS放大攻击原理及防护

分布式拒绝服务攻击（DDoS）是一种攻击强度大、危害比较严重的网络攻击。 DDoS放大攻击利用放大器对网络流量具有放大作用的技术,向被攻击目标发送大量的网络数据包,造成被攻击的目标网络资源和带宽被耗尽,使得正常的请求无法得到及时有效的响应。简单介绍DDoS放大攻击的原理,分析DDoS放大攻击的防护方法,从攻击源头、放大器、被攻击目标等三个方面采取防护措施,从而达到比较有效的防护效果。     

神经网络和IP标记在DDoS攻击防御中的应用

DDoS(Distributed Denial of Service)攻击是在传统的DoS攻击上产生的新的网络攻击方式,是Internet面临的最严峻威胁之一,这种攻击带来巨大的网络资源消耗,影响正常的网络访问.DDoS具有分布式特征,攻击源隐蔽,而且该类攻击采用IP伪造技术,不易追踪和辨别.任何网络攻击都会产生异常流量,DDoS也不例外,分布式攻击导致这种现象更加明显.主要研究利用神经网络技术并借助IP标记辅助来甄别异常流量中的网络数据包,方法是:基于DDoS攻击总是通过多源头发起对单一目标攻击的特点,通过IP标记技术对路由器上网路包进行标记,获得反映网络流量的标记参数,作为神经网络的输入参数相量;再对BP神经网络进行训练,使其能识别DDoS攻击引起的异常流量;最后,训练成熟的神经网络即可在运行时有效地甄别并防御DDoS攻击,提高网络资源的使用效率.通过实验证明了神经网络技术防御DDoS攻击是可行和高效的.     

网络设备参与的DDoS防御系统的构建与仿真

分布式拒绝服务(DDoS)攻击严重威胁网络安全,现有DDoS防御方法存在被攻击时防御能力不足,无攻击时能力浪费问题。通过在发生DDoS攻击时,通知互联网服务提供商(ISP)将已发现的攻击元组流量在网络中短暂丢弃的方式,可以在保证DDoS防御的前提下,显著减少防御能力部署。仿真实验表明,对已知的攻击元组流量丢弃合理的时长,即可在仅检测0. 55%攻击流量的前提下,阻止99. 9%的攻击流量。同时,合法流量只有2%因误判被阻塞,防护对象的负载相对正常情况下仅上升1. 77%。     

DDoS攻击下RED算法的仿真研究

DDoS（分布式拒绝服务）攻击数据流在发生网络拥塞的情况下并不降低它们的发送速率,充满了路由器的缓冲区,剥夺其他正常数据流的带宽。基于这一网络行为,从拥塞控制的角度来研究DDoS攻击目标端的防御机制。然后在模拟DDoS攻击环境下,对基于路由器的拥塞控制算法RED（随机早期检测）进行了仿真实验研究。实验发现,在DDoS攻击下,一些数据量很大的攻击流会大量占用带宽,从而导致了各流量之间带宽分配的不公平性,据此对拥塞控制机制提出了进一步的改进。     

DDoS攻击下RED算法的仿真研究

DDoS（分布式拒绝服务）攻击数据流在发生网络拥塞的情况下并不降低它们的发送速率,充满了路由器的缓冲区,剥夺其他正常数据流的带宽。基于这一网络行为,从拥塞控制的角度来研究DDoS攻击目标端的防御机制。然后在模拟DDoS攻击环境下,对基于路由器的拥塞控制算法RED（随机早期检测）进行了仿真实验研究。实验发现,在DDoS攻击下,一些数据量很大的攻击流会大量占用带宽,从而导致了各流量之间带宽分配的不公平性,据此对拥塞控制机制提出了进一步的改进。     

基于攻击特征的ARMA预测模型的DDoS攻击检测方法

分布式拒绝服务(DDoS)攻击检测是网络安全领域的研究热点。本文提出一个能综合反映DDoS攻击流的流量突发性、流非对称性、源IP地址分布性和目标IP地址集中性等多个本质特征的IP流特征(IFFV)算法,采用线性预测技术,为正常网络流的IFFV时间序列建立了简单高效的ARMA(2,1)预测模型,进而设计了一种基于IFFV预测模型的DDoS攻击检测方法(DDDP)。为了提高方法的检测准确度,提出了一种报警评估机制,减少预测误差或网络流噪声所带来的误报。实验结果表明,DDDP检测方法能够迅速、有效地检测DDoS攻击,降低误报率。     

基于地址相关度的分布式拒绝服务攻击检测方法

分布式拒绝服务(DDoS)攻击检测是网络安全领域的研究热点.对DDoS攻击的研究进展及其特点进行了详细分析,针对DDoS攻击流的流量突发性、流非对称性、源IP地址分布性和目标IP地址集中性等本质特征提出了网络流的地址相关度(ACV)的概念.为了充分利用ACV,提高方法的检测质量,提出了基于ACV的DDoS攻击检测方法,通过自回归模型的参数拟合将ACV时间序列变换为多维空间内的AR模型参数向量序列来描述网络流状态特征,采用支持向量机分类器对当前网络流状态进行分类以识别DDoS攻击.实验结果表明,该检测方法能够有效地检测DDoS攻击,降低误报率.     

基于Sibson距离的OpenFlow网络DDoS攻击检测方法研究*

为解决软件定义网络(Software Defined Network, SDN)控制器易受分布式拒绝服务(Distributed Denial of Service, DDoS)攻击的问题,本文提出了一种基于Sibson距离的DDoS攻击检测方法。首先,针对现有SDN网络控制器负载过重问题,设计了一种分层式DDoS攻击检测架构,通过采用多个代理控制器来减轻主控制器负荷;其次,针对现有DDoS攻击检测误报率高的问题,提出了一种基于Sibson距离DDoS攻击检测算法,在提高检测时效性和保证检测精度的同时,加强对正常突发流的识别能力。仿真实验表明,该方法能有效区分攻击流和正常突发流,提高了网络的稳健性。     

基于混合深度学习的多类型低速率DDoS攻击检测方法

低速率分布式拒绝服务攻击针对网络协议自适应机制中的漏洞实施攻击,对网络服务质量造成了巨大威胁,具有隐蔽性强、攻击速率低和周期性的特点.现有检测方法存在检测类型单一和识别精度低的问题,因此提出了一种基于混合深度学习的多类型低速率DDoS攻击检测方法.模拟不同类型的低速率DDoS攻击和5G环境下不同场景的正常流量,在网络入...     

An auto-responsive honeypot architecture for dynamic resource allocation and QoS adaptation in DDoS attacked networks

Distributed Denial of Service (DDoS) attacks generate flooding traffic from multiple sources towards selected nodes. Diluted low rate attacks lead to graceful degradation while concentrated high rate attacks leave the network functionally unstable. Previous approaches to such attacks have reached to a level where survivable systems effort to mitigate the effects of these attacks. However, even with such reactive mitigation approaches in place, network under DDoS attack becomes unstable and legitimate users in the network suffer in terms of increased response times and frequent network failures. Moreover, the Internet is dynamic in nature and the topic of automated responses to attacks has not received much attention.In this paper, we propose a proactive approach to DDoS in form of integrated auto-responsive framework that aims to restrict attack flow reach target and maintain stable network functionality even under attacked network. It combines detection and characterization with attack isolation and mitigation to recover networks from DDoS attacks. As first line of defense, our method uses high level specifications of entropy variations for legitimate interactions between clients and servers. The network generates optimized entropic detectors that monitor the behavior of flows to identify significant deviations. As the second line of defense, malicious flows are identified and directed to isolated zone of honeypots where they cannot cause any further damage to the network and legitimate flows are directed to a randomly selected server from pool of replicated servers. This approach leads the attacker to believe that they are succeeding in their attack, whereas in reality they are simply wasting time and resources.Service replication and attack isolation alone are not sufficient to mitigate the attacks. Limited network resources must be judiciously used when an attack is underway. Further, as third line of defense, we propose a Dynamic Honeypot Engine (DHE) modeled as a part of Honeypot Controller (HC) module that triggers the automatic generation of adequate nodes to service client requests and required number of honeypots that interact with attackers in contained manner. This load balancing in the network makes it attack tolerant. Legitimate clients, depending upon their trust levels built according to their monitored statistics, can track the actual servers for certain time period. Attack flows reaching honeypots are logged by Honeypot Data Repository (HDR). Most severe flows are punished by starting honeypot back propagation sessions and filtering them at the source as the last line of defense. The data collected on honeypots are used to isolate and filter present attack, if any and as an insight into future attack trends. The judicious mixture and self organization of servers and honeypots at different time intervals also guaranties promised QoS.We present the exhaustive parametric dependencies at various phases of attack and their regulation in real time to make the service network DDoS attack tolerant and insensitive to attack load. Results show that this auto-responsive network has the potential to maintain stable network functionality and guaranteed QoS even under attacks. It can be fine tuned according to the dynamically changing network conditions. We validate the effectiveness of the approach with analytical modeling on Internet type topology and simulation in ns-2 on a Linux platform.     

Early Detection of DDoS Attacks Against Software Defined Network Controllers

Software Defined Network (SDN) is a new network architecture that has an operating system. Unlike conventional production networks, SDN allows more flexibility in network management using that operating system that is called the controller. The main advantage of having a controller in the network is the separation of the forwarding and the control planes, which provides central control over the network. Although central control is the major advantage of SDN, it is also a single point of failure if it is made unreachable by a Distributed Denial of Service (DDoS) attack. In this paper, that single point of failure is addressed by utilizing the controller to detect such attacks and protect the SDN architecture of the network in its early stages. The two main objectives of this paper are to (1) make use of the controller’s broad view of the network to detect DDoS attacks and (2) propose a solution that is effective and lightweight in terms of the resources that it uses. To accomplish these objectives, this paper examines the effect of DDoS attacks on the SDN controller and the way it can exhaust controller resources. The proposed solution to detect such attacks is based on the entropy variation of the destination IP address. Based on our experimental setup, the proposed method can detect DDoS within the first 250 packets of the attack traffic.     

DDoS攻击分类与效能评估方法研究

DDoS攻击是一类常见而又难以防范的网络攻击模式，对Internet网络系统的正常运行构成了巨大威胁。DDoS攻击的分类方法和攻击效能评估是计算机网络攻防对抗研究的一项重要而紧迫的任务。本文介绍了DDoS攻击的原理、方法、一般概念和主要目标，研究了基于攻击代理的传播模式、通讯方式、作用机制等特征的DDoS攻击分类方法体系，分析了DDoS攻击的攻击效能评价指标体系。在分析了DDoS攻击效能评估的特点的基础上提出了DDoS攻击效能评估的模糊评价评估模型。     

基于自相似流量检测的DDoS攻击及防御研究

DDoS攻击是目前互联网中应用最广泛,也是危害性最大的一种攻击方式,以破坏网络服务的可用性为目标。文章首先介绍了DDoS的攻击原理,并重点对DDoS的攻击方式和基于自相似网络流量的DDoS攻击检测方式进行研究,最后针对目前DDoS攻击的防御方式进行了全面解析。     

于Gnutella对等网的DDoS攻击特性分析*

通过对Gnutella协议内容的概述、存在的安全问题的分析,对传统基于网络层的DDoS攻击的原理、类型和检测的分析描述,对Gnutella网络中的DDoS攻击和基于网络层的DDoS攻击的分析比较,针对基于Gnutella网络的DDoS攻击特性提出防范的研究方法。     

基于自适应包标记的IP源追踪方案

防御分布式拒绝服务(DDoS)攻击是当前网络攻击研究的重要课题,本文提出了一种DDoS攻击追踪方案的构想,在自适应包标记理论的基础上,提出了新的改进算法,该方案利用了TTL域和并提出了一种伸缩性的包标记策略,可以通过更少的数据包更快的定位出攻击源。同以往方法比较,该算法的灵活性好,并且误报率很低。经仿真实验证明该系统用较少的数据包即追踪IP源,最大限度的减少了攻击带来的损失。     

一种改进的DRDoS检测算法

分布式拒绝服务攻击DDoS是互联网环境下最具有破坏力的一种攻击方式。检测并防御这种攻击是解决网络安全领域的重要课题。针对DRDoS的特性,采用了一种改进的DRDoS检测算法——T&A算法。DDoS攻击的预防解决了现有不同特定网络服务技术检测的不足的问题,提出了基于行为异常的方法进行检测的改进方案。通过模拟攻击实验证明,该算法不仅提升了检测率、降低了误报率,而且对资源的占用较少,具有较好预警功能。