基于移动agent的DDoS攻击协同防范技术研究

分布式拒绝服务攻击（distributed denial—of—service，DDoS）已经对Internet的稳定运行造成了很大的威胁。近两年来，DDoS的攻击方法和工具变得越来越复杂，越来越有效，追踪真正的攻击者电越来越困难。从攻击防范的角度来说现有的技术仍然不足以抵御大规模的攻击。文中通过分析DDoS攻击原理以及DDoS攻击行为，提出了一个基于移动agent的分布式协同入侵检测模型。该模型通过构建本地人侵检测模块和反DDoS实体模块来协同对分布式拒绝访问攻击形成大面积网络预警机制，以达到在陷于大规模分布式拒绝访问攻击时，能够最小化检测和反应时间，并进行自动响应。     

基于移动agent的DDoS攻击协同防范技术研究

分布式拒绝服务攻击(distributed denial-of-service,DDoS)已经对Internet的稳定运行造成了很大的威胁。近两年来,DDoS的攻击方法和工具变得越来越复杂,越来越有效,追踪真正的攻击者也越来越困难。从攻击防范的角度来说现有的技术仍然不足以抵御大规模的攻击。文中通过分析DDoS攻击原理以及DDoS攻击行为,提出了一个基于移动agent的分布式协同入侵检测模型。该模型通过构建本地入侵检测模块和反DDoS实体模块来协同对分布式拒绝访问攻击形成大面积网络预警机制,以达到在陷于大规模分布式拒绝访问攻击时,能够最小化检测和反应时间,并进行自动响应。     

混合型网络中DDoS攻击的入侵扫描研究

现有网络中网络地址转换（NAT）的存在使得其后网络中的主机对外部网络变得不可见,IPv6庞大的地址空间也使得攻击者利用传统的随机地址扫描策略很难找到有漏洞主机。概述当前DDoS攻击的基本原理,具体分析了随着因特网体系结构的变化,网络NAT等设施的出现对DDoS攻击所带来的影响。针对传统理论在研究DDoS攻击过程中的一些不足,提出了一种基于搜索引擎技术和Teredo服务的新型扫描策略,以及对NAT后主机实施DDoS攻击的具体方法。仿真实验证明这种新型DDoS入侵攻击更加有效,对复杂网络环境的适应性也更强。     

内网安全技术十大策略

内网安全的威胁不同于网络边界的威胁。网络边界安全技术防范来自Internet上的攻击，主要是防范来自公共的网络服务器如HTTp或SMTP的攻击。网络边界防范（如边界防火墙系统等）减小了资深黑客仅仅只需接入互联网、写程序就可访问企业网的几率。内网安全威胁主要源于企业内部。恶性的黑客攻击一般都会先控制局域网络内部的一台主机，然后以此为基地，对Internet上其他主机发起恶性攻击。因此，应在边界展开黑客防护措施，同时建立并加强内网防范策略。     

一种新的DDOS攻击及其防护措施研究

分布式拒绝服务(DDoS)攻击是非常有效的网络攻击,而且很难进行防护。一种称为分布式反射拒绝服务(DRDoS)的新的DDoS攻击使攻击者不需要控制代理端,只通过向大量服务器发送服务请求,利用通信协议规则使得服务器返回的数据被“反射”到攻击目标(可能是主机、服务器,也可能是路由器)而使其瘫痪。文章通过实例、示意图等方法详细分析了DDoS和DRDoS攻击的原理,从技术上和策略上提出了可行的防护技术手段。     

基于信息熵的多Agent DDoS攻击检测

分布式拒绝服务攻击(DDOS)在短时间内产生大量的数据包,可以迅速耗尽网络或者主机的资源,对Internet的稳定性造成了巨大威胁.文中通过分析DDoS攻击的原理及攻击者的行为方式,划分攻击阶段,提取攻击特征,据此建立多Agent DDoS检测模型并分配各Agent的任务.模型由熵检测算法捕捉网络数据包的异常,再由DDoS的Ontology推断出攻击的具体情况.根据在DARPA 2000入侵检测数据集上的实验结果,模型对DDoS攻击的准备阶段和实施阶段有较高的识别率.     

一种基于路由器的伪装IP回溯方法

在因特网中，攻击者能伪造其IP地址。本文提出了一种新的针对洪泛型攻击(flooding attack)的IP回溯技术——PPL。在该方法中，路由器以一定的概率存储转发分组的信息．然后利用这些信息．从被攻击者开始回溯攻击分组到其源，对网络攻击者起到威慑的作用。仿真实验证明．新方案在回溯洪泛型攻击时，其性能优于文[2]中的方案。     

防御DDoS攻击算法

目前,对商业服务器攻击方式主要有两种,包括拒绝服务（DoS）攻击和分布式拒绝服务（DDoS）攻击。这种攻击类型属于命中一运行类型。DoS／DDoS攻击因为不够灵敏而不能绕过防火墙等防御．即DoS／DDoS攻击向受害主机发送大量看似合法的网络包．从而造成网络阻塞或服务器资源耗尽而导致拒绝服务。虽然数据没有被损坏。但是服务器最终被摧毁．并且还会引发一系列其他的问题．对于一个电子商务服务器．其最重要的为服务器的停机时间。研究对分布式拒绝服务（DDoS）防御原则。     

防范DDoS

DDoS攻击的防御是当前网络安全研究领域中的难点。通过对DDoS攻击原理的讨论和对现有防范技术的剖析．提出了防范DDoS攻击的一些积极的建议。     

DoS/DDoS拒绝服务攻击分析及防范对策

拒绝服务攻击已经成为威胁互联网安全的重要攻击手段，本文从分析DoS拒绝攻击服务的原理入手．然后对分布式拒绝服务攻击（DDoS）的原理进行了解析，最后从主机和网络两个层面分析如何去防范DoS攻击。     

Distributed Denial of Service (DDoS) detection by traffic pattern analysis

In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.     

一种IPv6环境下实时DDoS防御方法

现有的DDoS防御方法大多是针对传统IPv4网络提出的,而且它们的防御实时性还有待进一步提高。针对这种情况,提出了一种IPv6环境下实时防御DDoS的新方法,其核心思想是首先在受害者自治系统内建立决策判据树,然后依据决策判据1和2对该树进行实时监控,如果发现攻击,就发送过滤消息通知有关实体在受害端和源端一起对攻击包进行过滤,从而保护受害者。实验证明,该方法能够在秒钟数量级检测到攻击并且对攻击包进行过滤,能有效地防范多个DDoS攻击源。另外,该方法还能准确地区分攻击流和高业务流,可以在不恢复攻击路径的情况下直接追踪到攻击源所在的自治系统（甚至是子网）。     

A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks

Attack mitigation schemes actively throttle attack traffic generated in distributed denial-of-service (DDoS) attacks. This paper presents attack diagnosis (AD), a novel attack mitigation scheme that adopts a divide-and-conquer strategy. AD combines the concepts of pushback and packet marking, and its architecture is in line with the ideal DDoS attack countermeasure paradigm - attack detection is performed near the victim host and packet filtering is executed close to the attack sources. AD is a reactive defense mechanism that is activated by a victim host after an attack is detected. By instructing its upstream routers to mark packets deterministically, the victim can trace back one attack source and command an AD-enabled router close to the source to filter the attack packets. This process isolates one attacker and throttles it, which is repeated until the attack is mitigated. We also propose an extension to AD called parallel attack diagnosis (PAD) that is capable of throttling traffic coming from a large number of attackers simultaneously. AD and PAD are analyzed and evaluated using the Skitter Internet map, Lumeta's Internet map, and the 6-degree complete tree topology model. Both schemes are shown to be robust against IP spoofing and to incur low false positive ratios     

DDoS下的TCP洪流攻击及对策

分布式拒绝服务攻击(DDoS)是近年来出现的一种极具攻击力的Internet攻击手段,而TCP洪流攻击是其最主要的攻击方式之一。本文提出了一种针对TCP洪流攻击的本地攻击检测-过滤LADF机制,其部署于受害者及其上游ISP网络。该机制综合使用了一种基于信息熵的异常检测技术、SYN-cookie技术和“红名单”技术来检测攻击报文,最终结合新型防火墙技术,构建起一个完善的本地DDoS防御系统。     

A novel approach to detecting DDoS Attacks at an Early Stage

Distributed Denial-of-Service (DDoS) attacks pose a serious threat to Internet security. Most current research focuses on detection and prevention methods on the victim server or source side. To date, there has been no work on defenses using valuable information from the innocent client whose IP has been used in attacking packets. In this paper, we propose a novel cooperative system for producing warning of a DDoS attack. The system consists of a client detector and a server detector. The client detector is placed on the innocent client side and uses a Bloom filter-based detection scheme to generate accurate detection results yet consumes minimal storage and computational resources. The server detector can actively assist the warning process by sending requests to innocent hosts. Simulation results show that the cooperative technique presented in this paper can yield accurate DDoS alarms at an early stage. We theoretically show the false alarm probability of the detection scheme, which is insensitive to false alarms when using specially designed evaluation functions. This work is partially supported by HK Polyu ICRG A-PF86 and CERG Polyu 5196/04E, and by the National Natural Science Foundation of China under Grant No. 90104005.     

防御DDoS攻击的包标记联合部署方案

提出了一种新的结合确定包标记和路径标识的方案,其在源边界路由器以概率形式选择执行确定性包标记或路径标识。该方案以下游网络拥塞程度和路径追溯结果为依据,动态调整数据包标记操作,并在受害主机处根据不同的标记策略采取不同的防御措施。基于大规模权威因特网拓扑数据集的仿真实验表明,该方案防御效果较好,能有效减轻受害主机遭受DDoS攻击的影响。     

非参数PCUSUM算法DDoS攻击检测

针对DDoS攻击时受害端中报文段未确认率急剧变化的特点,提出一种有效的DDoS攻击检测方法,以达到在保证告警正确性的前提下缩短检测时间的目的。在受害端对TCP网络流进行检测,在每个时间间隔内统计未确认的报文段数量与总报文段的比率,并在下一时间间隔内对上一时间间隔的序列值进行修正,得到更准确的检测序列值,再运用非参数递归PCUSUM算法检测DDoS攻击。实验结果表明,该方法与CUSUM算法相比,具有更高的检测准确性和更快的检测速度。     

On the defense of the distributed denial of service attacks: anon-off feedback control approach

Proposes a coordinated defense scheme of distributed denial of service (DDoS) network attacks, based on the backward-propagation, on-off control strategy. When a DDoS attack is in effect, a high concentration of malicious packet streams are routed to the victim in a short time, making it a hot spot. A similar problem has been observed in multiprocessor systems, where a hot spot is formed when a large number of processors access simultaneously shared variables in the same memory module. Despite the similar terminologies used here, solutions for multiprocessor hot spot problems cannot be applied to that in the Internet, because the hot traffic in DDoS may only represent a small fraction of the Internet traffic, and the attack strategies on the Internet are far more sophisticated than that in the multiprocessor systems. The performance impact on the hot spot is related to the total hot packet rate that can be tolerated by the victim. We present a backward pressure propagation, feedback control scheme to defend DDoS attacks. We use a generic network model to analyze the dynamics of network traffic, and develop the algorithms for rate-based and queue-length-based feedback control. We show a simple design to implement our control scheme on a practical switch queue architecture     

PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks

Distributed denial-of-service (DDoS) attacks are a critical threat to the Internet. This paper introduces a DDoS defense scheme that supports automated online attack characterizations and accurate attack packet discarding based on statistical processing. The key idea is to prioritize a packet based on a score which estimates its legitimacy given the attribute values it carries. Once the score of a packet is computed, this scheme performs score-based selective packet discarding where the dropping threshold is dynamically adjusted based on the score distribution of recent incoming packets and the current level of system overload. This paper describes the design and evaluation of automated attack characterizations, selective packet discarding, and an overload control process. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation through scorebook generation and pipeline processing. A simulation study indicates that packetscore is very effective in blocking several different attack types under many different conditions.