20 similar documents found; search took 15 ms.
1.
We show that malicious nodes in a peer-to-peer (P2P) system may impact the external Internet environment by causing large-scale distributed denial of service (DDoS) attacks on nodes that are not even part of the overlay system. This is in contrast to attacks that disrupt the normal functioning and performance of the overlay system itself. We demonstrate the significance of the attacks in the context of mature and extensively deployed P2P systems with representative and contrasting membership management algorithms: Kad, a DHT-based file-sharing system, and ESM, a gossip-based video broadcasting system. We then present an evaluation study of three possible mitigation schemes and discuss their strengths and weaknesses. These schemes include (i) preferring pull-based membership propagation over push-based; (ii) corroborating membership information through multiple sources; and (iii) bounding multiple references to the same network entity. We evaluate the schemes through both experiments on PlanetLab with real and synthetic traces and measurement of the real deployments. Our results show the potential of the schemes in enhancing the DDoS resilience of P2P systems, and also reveal weaknesses in the schemes and regimes where they may not be sufficient.
2.
Addressing the possibility that unstructured, decentralized P2P networks may be used as a DDoS engine to launch large-scale network attacks, this paper proposes an artificial immune system (AIS) based method for immunizing against malicious nodes in unstructured decentralized P2P networks. By building an artificial immune system on the nodes of the network and exploiting the natural affinity between antibodies and antigens, together with the continual evolution of antibodies, the method computes in real time the affinity between the sequence of request-result states obtained by issuing requests for the resources advertised by nodes that return query responses and the request-state sequence features of the corresponding nodes held in the detector, and thereby detects malicious nodes. The artificial immune system of nodes in an unstructured decentralized P2P network was simulated on the NS2 platform by modifying the GnuSim plugin; the simulation results verify the feasibility of the method and show that it effectively reduces the severity of DDoS attacks generated by malicious nodes in such networks.
3.
P2P software systems have become one of the most popular and successful network applications on the Internet, and the reliability and security of their protocols and implementations must be thoroughly studied and verified. This paper first outlines the principles of using P2P systems to launch DDoS attacks and divides existing research into active attacks and passive attacks according to the attack method. It then surveys current defenses against P2P-based DDoS attacks in four categories: verification-based methods, membership-management-based methods, reputation-based methods, and victim-side methods. Finally, from the perspective of advancing P2P network security and Internet security, the paper discusses future research directions for P2P-based DDoS attacks and their defenses.
4.
5.
In recent years, distributed denial of service (DDoS) attacks have become a major security threat to Internet services. How to detect and defend against DDoS attacks is currently a hot topic in both industry and academia. In this paper, we propose a novel framework to robustly and efficiently detect DDoS attacks and identify attack packets. The key idea of our framework is to exploit the spatial and temporal correlation of DDoS attack traffic. In this framework, we design a perimeter-based anti-DDoS system, in which traffic is analyzed only at the edge routers of an Internet service provider (ISP) network. Our framework is able to detect any source-address-spoofed DDoS attack, whether it is a low-volume or a high-volume attack. The novelties of our framework are (1) temporal-correlation-based feature extraction and (2) spatial-correlation-based detection. With these techniques, our scheme can accurately detect DDoS attacks and identify attack packets without modifying the existing IP forwarding mechanisms at routers. Our simulation results show that the proposed framework can detect DDoS attacks even if the volume of attack traffic on each link is extremely small. In particular, for the same false alarm probability, our scheme has a detection probability of 0.97, while the existing scheme has a detection probability of 0.17, which demonstrates the superior performance of our scheme.
6.
With the development of information technology, wireless LANs are gradually being deployed at scale in computer networks, and at the same time they have become highly attractive attack targets.
7.
Research on defending against P2P-based flooding DDoS attacks* (total citations: 1; self-citations: 0; citations by others: 1)
This paper proposes a trust and reputation model based on Markov processes. Trust relationships are built between nodes, and the exchange of trust and reputation information between nodes is used to identify malicious nodes and block the forwarding and propagation of malicious messages, thereby strengthening resistance to DDoS attacks. Simulation results show that the proposed model effectively isolates the messages of malicious nodes and improves the network's tolerance of this kind of application-layer DDoS attack.
8.
Weverton Luis da Costa Cordeiro, Flávio Roberto Santos, Gustavo Huff Mauch, Marinho Pilla Barcelos, Luciano Paschoal Gaspary 《Computer Networks》2012,56(11):2569-2589
The Sybil attack consists in the indiscriminate creation of counterfeit identities by a malicious user (attacker) in large-scale, dynamic distributed systems (for example, Peer-to-Peer). An effective approach to tackling this attack consists in establishing computational puzzles to be solved prior to granting new identities. Solutions based on this approach have the potential to slow down the assignment of identities to malicious users, but unfortunately may affect normal users as well. To address this problem, we propose the use of adaptive computational puzzles as an approach to limit the spread of Sybils. The key idea is to estimate a trust score for the source from which identity requests depart, calculated as the proportion of the number of identities already granted to the user(s) associated with that source relative to the average number of identities granted to users associated with other sources. The more frequently the user(s) associated with a source obtain identities, the lower the trust score of that source and, consequently, the higher the complexity of the puzzle to be solved. An in-depth analysis of both (i) the performance of our mechanism under various parameter and environment settings, and (ii) the results achieved with an experimental evaluation considering real-life traces from a Peer-to-Peer file sharing community, has shown the effectiveness of the proposed mechanism in limiting the spread of Sybil identities. While comparatively more complex puzzles were assigned to potential attackers, legitimate users were minimally penalized with easier-to-solve puzzles.
9.
Distributed denial-of-service attack detection based on fuzzy theory (total citations: 3; self-citations: 0; citations by others: 3)
To address the problem of detecting distributed denial-of-service attacks, this paper proposes a dynamic threshold detection method based on fuzzy logic. Fuzzy mixed operations are applied to the attack packets and a decision is obtained by the principle of closeness; the result is the attack degree (trust degree) of the quantity under inspection. Network administrators can respond promptly on the basis of this result and minimize the damage caused by the attack.
10.
11.
Marinho Pilla Barcellos, Luciano Paschoal Gaspary, Weverton Luis da Costa Cordeiro, Rodolfo Stoffel Antunes 《Concurrency and Computation》2011,23(1):117-141
Despite currently being one of the main Internet applications, P2P file sharing has been hampered by content pollution attacks. To tackle this problem, we introduce a novel pollution control strategy that consists in adjusting the rate at which content is disseminated according to the reputation of the content version. The proposed strategy is modeled and evaluated using simplifying assumptions. Then, inspired by classic distributed designs, we propose a pollution control mechanism that implements such a strategy. The mechanism is evaluated in terms of the delays imposed on the dissemination of non-polluted versions, its effectiveness in reducing dissemination when the version is polluted, and the negative impact that collusion attacks can have on the reputation system upon which our mechanism is built. Simulation results for scenarios with several hundred peers indicate that the pollution control mechanism can effectively reduce pollution without substantially affecting the dissemination of non-polluted content. Copyright © 2010 John Wiley & Sons, Ltd.
12.
Application-layer distributed denial of service (AL-DDoS) attacks pose an ever-growing threat to network security. Focusing on the access behaviour of application-layer users, this paper studies an AL-DDoS attack detection model based on the Multi-Exemplar Affinity Propagation (MEAP) clustering algorithm. The method takes the information entropy of user request sequences as input, uses MEAP to quickly obtain a feature model that describes users' browsing behaviour, computes the distance from each newly arriving request sequence to each cluster centre, and applies a threshold to distinguish normal sequences from attack sequences. Simulation experiments show that the method can effectively perform online, near-real-time AL-DDoS attack detection.
13.
An improved entropy-based DDoS attack detection method (total citations: 1; self-citations: 0; citations by others: 1)
Compared with other traffic- or signature-based detection methods, entropy-based detection of distributed denial-of-service (DDoS) attacks is computationally simple, highly sensitive and has a low false-positive rate, and it adds no extra network traffic and requires no additional hardware. To further improve the accuracy of DDoS attack detection and reduce the false-positive rate, this paper proposes an improved entropy-based DDoS attack detection method. The method subdivides DDoS attacks into different threat levels and performs a different number of detection rounds for attacks at each threat level. NS-2 simulation results verify its effectiveness.
14.
DDoS attacks are the main security threat faced by peer-to-peer networks. To address the shortcomings of existing probabilistic packet marking algorithms, such as their heavy computational load and inability to recognize spoofed marked packets, this paper proposes a variable-probability packet marking algorithm. By using variable-probability marking and recording the sending state of IP addresses at routers, the scheme can trace large-scale denial-of-service attacks, identify and discard forged marking information from attackers, and greatly reduce the number of packets the victim must receive to reconstruct the path, thereby defending effectively against DDoS. Compared with similar methods, the scheme is highly practical.
15.
To address the sensitivity of the k-means algorithm to initial cluster centres and its requirement that the number of clusters be given as input in DDoS attack detection, this paper proposes an adaptive clustering algorithm (Adaptive Clustering Algorithm) based on a dynamic exponent and the selection of initial cluster centres, and uses it to build a DDoS attack detection model. The model was tested on the LLS_DDoS_1.0 dataset and compared with k-means; the experimental results show that the algorithm raises the DDoS attack detection rate and lowers the false alarm rate, verifying the effectiveness of the detection method.
16.
A distributed denial-of-service (DDoS) attack generates large volumes of packets through many agents and can exhaust the victim's computing and communication resources in a very short time. By studying and analysing several detection methods based on classifying the stages of a DDoS attack, it is concluded that the clustering-analysis-based algorithm is comparatively effective, but that it contains redundancy. This clustering-based early-detection algorithm is optimized according to the properties of entropy: the key variables are extracted from the relevant variables, and the optimization is analysed experimentally. The experimental results show that the optimization effectively improves the efficiency of the clustering-based DDoS attack detection method.
17.
In recent years, the demand for multimedia streaming over the Internet has been soaring. Due to the lack of a centralized point of administration, Peer-to-Peer (P2P) streaming systems are vulnerable to pollution attacks, in which video segments might be altered by any peer before being shared. Among existing proposals, reputation-based defense mechanisms are the most effective and practical solutions. We performed a measurement study on the effectiveness of this class of solutions. We implemented a framework that allows us to simulate different variations of reputation rating systems, from centralized global approaches to decentralized local approaches, under different parameter settings and pollution models. One key finding is that a centralized reputation system is only effective in static networks and in defending against light pollution attacks. In general, a fully distributed reputation system is more suitable for "real-time" P2P streaming systems, since it is better at handling network dynamics and faster at detecting polluters. Based on this key finding, we propose DRank, a fully distributed rank-based reputation system. Experimental results show that this technique is more flexible and robust in fighting pollution attacks.
18.
Using the theory of message authentication codes based on a dual-key sequence, and building on adaptive probabilistic packet marking and Advanced Marking Scheme II, this paper proposes an improved authentication-based DDoS source IP traceback scheme against the currently very damaging denial-of-service attacks. Basing the marking on an adaptive probability achieves a high traceback convergence rate while minimizing the attacker's room to forge packets. An HMAC algorithm based on a dual-key sequence authenticates the marking information and prevents attackers from modifying existing marks, achieving high security and resistance to interference.
19.
A detection system for DDoS attacks against DNS servers is built. The system collects network data on the DNS server side and extracts six feature attributes from it as traffic feature records; a BP neural network optimized by a genetic algorithm is used to build the detection model, which examines the traffic feature records and outputs the detection results. The experimental results show that, using the extracted traffic feature attribute values, the system can effectively detect DDoS attack behaviour, and that it has better training performance and higher detection accuracy than a detection model built with the standard BP algorithm.
20.
How to exploit the physical network topology is currently a hot research topic in P2P, and network coordinates are the main method and tool for studying this problem. Network coordinates are usually formed from measured network latency between nodes, but this approach adds extra load to the network and involves a landmark-node selection algorithm, whose quality directly affects the performance of the P2P overlay network. This paper therefore proposes a method of forming network coordinates from IP addresses, which avoids the shortcomings of existing methods and provides a simple and effective way to exploit the physical network. It offers a new way of thinking for constructing P2P systems effectively or improving the performance of existing P2P systems.