Defense against SYN flooding attacks: A particle swarm optimization approach

SYN flooding attack is a threat that has been designed based on vulnerabilities of the connection establishment phase of the TCP protocol. In this attack some sources send a large number of TCP SYN segments, without completing the third handshake step to quickly exhaust connection resources of the victim server. Hence, a main part of the server’s buffer space is allocated to the attack half open connections and incoming new connection requests will be blocked. This paper proposes a novel framework, in which, the defense issue is formulated as an optimization problem. Then it employs the particle swarm optimization (PSO) algorithm to solve this optimization problem. Our theoretical analysis and packet-level simulations in ns-2 environment show that the proposed defense strategy called PSO_SYN decreases the number of blocked TCP connection requests and cuts down share of attack connections from the buffer space.     

对一种DoS攻击的分析及防范策略研究

Web服务器常常遭到来自外部网络主机的拒绝服务攻击,其中,SYN flood攻击是最常见的一种。攻击者使用伪造的源地址向服务器发送大量的TCP连接请求,致使服务器为每一个连接请求分配资源直至资源耗尽,因此,合法用户的正常访问也因为无法建立TCP连接而被拒绝。分析了SYN flood攻击的基本原理,对现有的几种处理资源耗尽及伪造源地址的方法进行了分析,指出了它们的优缺点。     

浅议TCP SYN Flooding攻击

介绍了TCP协议建立连接的过程及存在的安全问题，以及由此而引起的TCP SYN Flooding(TCP SYN洪流)拒绝服务攻击，并介绍了几种简便有效的防范措施。     

一种基于无状态连接请求验证的SYN湮没攻击防御方法

已有SYN湮没攻击检测防御技术存在一个共性缺陷，就是在验证连接请求有效前分配一定的系统资源保存连接状态，基于无状态连接请求验证的方法可以有效地解决这一问题，但已有的方法存在验证有效后无法完整建立TCP连接、通讯双方状态不一致等问题．本文提出一种新的基于无状态连接请求验证的网关级SYN湮没攻击防御方法，该方法在解决已有问题并兼容现有TCP／IP协议栈实现的基础上，可实现对不同操作系统SYN湮没攻击的有效防御．     

基于线性预测的DDoS攻击检测方法

分布式拒绝服务攻击的原理简单、危害严重,如TCP淹没攻击。该文介绍一种快速、有效的方法来检测TCP SYN flooding攻击,通过线性预测分析来预防、拒绝服务攻击(DoS)。该检测机制采用TCP在响应超时情况下的指数回退算法性质,计算受攻击网络中的收到的SYN和发出的SYN＋ACK数据包数量之差进行数学建模,可以在很短的延时内检测SYN Flooding攻击。该算法可以方便地运用在叶节点路由器和防火墙中。     

防御DDoS攻击算法

目前,对商业服务器攻击方式主要有两种,包括拒绝服务（DoS）攻击和分布式拒绝服务（DDoS）攻击。这种攻击类型属于命中一运行类型。DoS／DDoS攻击因为不够灵敏而不能绕过防火墙等防御．即DoS／DDoS攻击向受害主机发送大量看似合法的网络包．从而造成网络阻塞或服务器资源耗尽而导致拒绝服务。虽然数据没有被损坏。但是服务器最终被摧毁．并且还会引发一系列其他的问题．对于一个电子商务服务器．其最重要的为服务器的停机时间。研究对分布式拒绝服务（DDoS）防御原则。     

在路由器上用SYN Cookie实现SYN Flood的防御

SYN Flood是目前流行的DDOS攻击手段,能够极为有效地攻击网站服务器,使得服务器资源耗尽而无法提供正常服务.由于利用了TCP/IP的协议漏洞,很难从根本上进行防范.给出一种在路由器上利用SYN Cookie机制实现对SYN Flood的防御,能够有效地保护服务器不受SYN Flood攻击,同时不会增加路由器的负担.     

Defense techniques for low-rate DoS attacks against application servers

Low-rate denial of service (DoS) attacks have recently emerged as new strategies for denying networking services. Such attacks are capable of discovering vulnerabilities in protocols or applications behavior to carry out a DoS with low-rate traffic. In this paper, we focus on a specific attack: the low-rate DoS attack against application servers, and address the task of finding an effective defense against this attack.Different approaches are explored and four alternatives to defeat these attacks are suggested. The techniques proposed are based on modifying the way in which an application server accepts incoming requests. They focus on protective measures aimed at (i) preventing an attacker from capturing all the positions in the incoming queues of applications, and (ii) randomizing the server operation to eliminate possible vulnerabilities due to predictable behaviors.We extensively describe the suggested techniques, discussing the benefits and drawbacks for each under two criteria: the attack efficiency reduction obtained, and the impact on the normal operation of the server. We evaluate the proposed solutions in a both a simulated and a real environment, and provide guidelines for their implementation in a production system.     

TCP DDoS攻击与防范

随着互联网的迅速普及和应用的不断发展,各种黑客工具和网络攻击手段也随之倍出,网络攻击导致网络和用户受到侵害,其中分布式拒绝服务DDoS以其攻击范围广、隐蔽性强、简单有效等特点成为常见的网络攻击技术之一,极大地影响网络和业务主机系统的有效服务.其中的TCP DDoS它利用了传统协议中三次握手协议的不安全性,向互联网服务器发送大量的报文.由于服务器接收大量无效的报文,而使得正常的报文无法得到及时响应.如何检测这种攻击发生以及如何降低这种攻击所带来的后果已成为目前安全界研究的热点问题.     

防御TCP拒绝服务攻击的改进方法

提出了对SYNProxy机制的改进方法,将哈希表和SYNcookie结合起来处理半连接表:在低强度攻击下采用哈希表,在高强度攻击下采用SYNCookie。在此基础上,采用位图优化哈希表算法。改进方法可以防御更大强度的攻击。改进方法已经应用在防火墙中,测试表明该方法可以防御高强度的TCP拒绝服务攻击。     

A comprehensive study of queue management as a DoS counter-measure

The purpose of a denial of service (DoS) attack is to render a network service unavailable for legitimate users. We address the problem of DoS attacks on connection-oriented protocols where the attacker tries to deplete the server connection by initiating communication with the server and then abandoning the communication. The most exploited attack in this category is the SYN-flood attack but other attacks using the same approach in stateful communication protocols also fall into this category. Our goals are twofold: first, to develop a mathematical model allowing us to analyse the trade-off between the attacker and the defender resources and second, to offer prevention mechanisms that can be used to defend against this category of attacks. We model the server queue of connections using Markov chains to establish a relationship between the server capacity, the attack rate and the impact on the service level. We analyse two methods of adjusting the timeout, threshold and linear, and we couple them with three policies of assigning the timeout to connections: the deterministic policy, the deferred policy and the utopian Poisson policy. First, theoretical modelling confirms that for any given strategy, there exists a linear trade-off between attack rate and targeted server queue size. However, the ratio that needs to be kept between them in order to maintain a similar level of quality of service differs between strategies; in that sense some are better than others. In particular, theoretical modelling also indicates that the linear deferred timeout strategy is very similar in performance to the linear Poisson timeout strategy, which in turn outperforms all the other dynamic timeout strategies. The dynamic timeout strategies always outperform the classical fixed timeout method. Our model is very general and can be used to capture the behaviour of the server queue during connection depletion attacks at various levels in the TCP protocol stack. We confirm the theoretical findings using stochastic simulations and network experiments of SYN-flood attacks. We also show how the model can be used when analysing a TCP connection establishment flood or a ticket reservation flood. The protection strategies we suggest are robust to changes in the attack model and our implementation is very efficient and transparent with respect to the server and applications it tries to protect. The strategies could therefore be easily integrated into existing operating systems and applications, or implemented in separate network devices.     

DDOS攻击分析及其防范策略

分布式拒绝服务（DDOS）攻击防御是网络安全领域的长期重要课题。近年来,随着Internet业务与广播电视日渐融合,广电网络成为DDOS攻击新目标,因此DDOS攻击防御亦成为广电网络安全新课题。本文以流行最为广泛的SYN Flooding攻击为重点研究对象,基于DDOS攻击原理及攻击方式分析,提出DDOS攻击识别方法;从服务器、网络设备及安全设备等方面,重点阐述以预防为主确保网络安全的攻击防御策略、防御措施及处理方法。     

基于小波分析和连接信任域的DDoS防范模型

分析了DoS攻击机理,基于网络流量的自相似性提出了一种DDoS防范模型.首先采用小波方法计算流量的Hurst参数,判断是否遭受DoS攻击.当认为受到攻击后,结合连接信任域来进行响应.实验表明,该模型可以检测到强、弱DoS攻击;在受到DDoS攻击后,仍可以在一定程度上为正常用户提供服务.     

同源SYN报文两次接收法防御SYN Flood攻击

在介绍SYN Flood攻击原理的基础上,分析了已有防御方法的不足,据此提出了一种同源SYN报文两次接收法.该方法对SYN请求报文在合理的时间段内进行两次接收,然后转入三次握手机制.该方法可以有效的对TCP连接请求进行筛选,让正常的连接请求进入三次握手流程,从而有效地避免了半连接队列溢出引起的DoS攻击.分析表明,同源SYN报文两次接收法不需外部工具支持,在TCP/IP协议的不变性、防火墙穿透能力和节省系统资源消耗等方面具有一定的优势,且该方法对阻止DDoS攻击同样有效.     

SYN Flooding攻击原理与防御措施

SYN Flooding是最流行的DoS和DDoS攻击手段,文章分析了SYNHooding攻击原理,介绍了目前常用的检测及防御技术。     

分布式拒绝服务攻击的软防御系统

提出了一种分布式拒绝服务攻击的软防御系统模型.针对分布式拒绝服务攻击的行为和目标,从服务器自身适应入手,设计了一个服务资源管理系统,对访问资源进行管理和优化.在代理连接服务中采用流水技术优化SYN半连接的数量及连接时间.有效的阻止了分布式拒绝服务的攻击,优化了服务器的访问管理,提高了服务器的访问效率.     

一种提高状态检测防火墙抵御Syn Flood攻击的方法

针对影响状态检测防火墙性能的Syn Flood攻击,分析了Syn Flood攻击的原理,基于Patricia tries构造半开连接表来处理TCP连接建立的过程,提出了一种利用端口队列来跟踪每个半开连接,根据SYN数据包的统计和状态检测来抵御SynFlood攻击的方法.实验结果表明,该方法在占用较少的系统资源的情况下,有效的提高了状态检测防火墙对Syn Flood攻击的防御能力.     

基于SVM分类器的SYN Flood攻击检测规则生成方法的研究

洪泛攻击（SYN flood）是目前最常用的拒绝服务攻击之一,它通过发送大量TCP请求连接报文,造成大量的半连接从而消耗网络资源．由于洪泛攻击中所使用的数据包都是正常数据包,又采用了伪IP技术,使得对其的检测和阻断都十分困难．本文分析了洪泛攻击的攻击原理以及检测并阻断攻击困难的原因,提出了二次检测的防御方法,先用SVM异常检测分类器检测出攻击报文．再依据报文相似度生成误用检测规则从而阻断攻击报文．试验结果表明这种方法对SYN flood攻击的检测效果明显。     

数据中心中TCP连接建立过程的优化方法

针对数据中心中由于SYN包丢失而引起的TCP连接被延迟从而错过任务时间限制的问题,在无需更换现有设备以及无需修改应用和TCP的前提下,提出一种基于加权随机早期检测（WRED）协议的TCP连接初始化的优化方法。该方法解决了连接优化的三个关键问题：如何识别和标记SYN包,如何在交换机上为SYN包预留空间以及需要预留多少空间。与原TCP相比,优化后TCP连接建立的时间极大地减少。实验表明TCP连接初始化优化方法可以解决任务错过规定时间限制的问题。     

SYN Flooding攻击原理与防御措施

SYN Flooding是最流行的DoS和DDoS攻击手段,文章分析了SYN Flooding攻击原理,介绍了目前常用的检测及防御技术。