Similar literature
1.
DDoS attacks are an important means of threatening Internet security. This paper proposes a practical method based on an IP address database to defend effectively against DDoS attacks: the edge router keeps a record of all legitimate IP addresses that have previously appeared on the network, and when the edge router's traffic is overloaded, it uses this record to decide whether to accept incoming IP packets.

2.
A DDoS Attack Detection Method Based on Linear Prediction   Total citations: 1, self-citations: 1, citations by others: 0
王瑜  姚国珍  黄怡然 《计算机工程》2008,34(20):156-158
Distributed denial-of-service attacks are simple in principle and severe in impact, the TCP flooding attack being one example. This paper presents a fast and effective method for detecting TCP SYN flooding attacks, using linear prediction analysis to prevent denial-of-service (DoS) attacks. The detection mechanism exploits the exponential back-off property of TCP under response timeouts and builds a mathematical model from the difference between the number of SYN packets received and the number of SYN+ACK packets sent in the attacked network, so that a SYN flooding attack can be detected with very short delay. The algorithm can be conveniently deployed in leaf-node routers and firewalls.

3.
DDoS attacks are one of the most serious threats currently facing the Internet, and defending against them quickly and effectively has become a very meaningful task. This paper proposes a method that combines a TCP proxy with a pending-ACK queue to filter TCP denial-of-service attacks effectively, and uses this method to implement a high-speed filter in the Linux kernel. Experimental results show that, when bandwidth is allocated separately for TCP transmission, this high-speed filter can effectively protect all kinds of TCP-based network services from denial-of-service attacks.

4.
Defending Against Distributed Denial-of-Service Attacks Using Adaptive Router Throttling   Total citations: 6, self-citations: 1, citations by others: 6
梁丰  David Yau 《软件学报》2002,13(7):1220-1227
This paper proposes a mechanism for defending against distributed denial-of-service attacks using an adaptive router throttling algorithm. The key to the algorithm is that the victim asks selected upstream routers k hops away to throttle the data flows destined for the victim, so that the victim's service resources are allocated among the flows in an approximately max-min fair manner. The effectiveness of the algorithm is also examined on a real Internet topology for different distributions and traffic models of attack flows and legitimate flows. The results show that this server-centric router throttling is a promising approach for countering distributed denial-of-service attacks.

5.
Kejie  Dapeng  Jieyan  Sinisa  Antonio 《Computer Networks》2007,51(18):5036-5056
In recent years, distributed denial of service (DDoS) attacks have become a major security threat to Internet services. How to detect and defend against DDoS attacks is currently a hot topic in both industry and academia. In this paper, we propose a novel framework to robustly and efficiently detect DDoS attacks and identify attack packets. The key idea of our framework is to exploit spatial and temporal correlation of DDoS attack traffic. In this framework, we design a perimeter-based anti-DDoS system, in which traffic is analyzed only at the edge routers of an internet service provider (ISP) network. Our framework is able to detect any source-address-spoofed DDoS attack, no matter whether it is a low-volume attack or a high-volume attack. The novelties of our framework are (1) temporal-correlation based feature extraction and (2) spatial-correlation based detection. With these techniques, our scheme can accurately detect DDoS attacks and identify attack packets without modifying existing IP forwarding mechanisms at routers. Our simulation results show that the proposed framework can detect DDoS attacks even if the volume of attack traffic on each link is extremely small. Especially, for the same false alarm probability, our scheme has a detection probability of 0.97, while the existing scheme has a detection probability of 0.17, which demonstrates the superior performance of our scheme.

6.
In today’s cyber world, the Internet has become a vital resource for providing a plethora of services. Unavailability of these services due to any reason leads to huge financial implications or even consequences on society. Distributed Denial of Service (DDoS) attacks have emerged as one of the most serious threats to the Internet whose aim is to completely deny the availability of different Internet based services to legitimate users. The attackers compromise a large number of Internet enabled devices and gain malicious control over them by exploiting their vulnerabilities. Simplicity of launching, traffic variety, IP spoofing, high volume traffic, involvement of numerous agent machines, and weak spots in Internet topology are important characteristics of DDoS attacks and make their defense very challenging. This article provides a survey with the enhanced taxonomies of DDoS attacks and defense mechanisms. Additionally, we describe the timeline of DDoS attacks to date and attempt to discuss their impact according to various motivations. We highlight the general issues, challenges, and current trends of DDoS attack technology. The aim of the article is to provide complete knowledge of DDoS attacks and defense mechanisms to the research community. This will, in turn, help to develop a powerful, effective, and efficient defense mechanism by filling the various research gaps addressed in already proposed defense mechanisms.

7.
Most routers on the Internet employ a first-in-first-out (FIFO) scheduling rule to determine the order of serving data packets. This scheduling rule does not provide quality of service (QoS) with regards to the differentiation of services for data packets with different service priorities and the enhancement of routing performance. We develop a scheduling rule called Weighted Shortest Processing Time–Adjusted (WSPT-A), which is derived from WSPT (a scheduling rule for production planning in the manufacturing domain), to enhance router QoS. We implement a QoS router model based on WSPT-A and run simulations to measure and compare the routing performance of our model with that of router models based on the FIFO and WSPT scheduling rules. The simulation results show superior QoS performance when using the router model with WSPT-A.

8.
Routers are one of the main devices used to build a local area network from several computers and connect it to the Internet, and they are widely used in our work and daily life. Routers connect to the Internet through the TCP/IP protocol suite, and because TCP/IP has security vulnerabilities, routers have become a primary target of attack. Criminals and hackers obtain IP addresses from the router's switching process to take control of the networked computers connected to the router, or decipher the information and data transmitted over the network from the packets in the router's switching process. This paper analyzes information security in the router switching process, hardens the router, and constructs an information security strategy for the router switching process.

9.
With the rapid spread of the Internet and the continuing development of applications, all kinds of hacker tools and network attack methods have emerged, and network attacks cause harm to networks and users. Among them, distributed denial of service (DDoS), with its wide attack range, strong concealment, and simple effectiveness, has become one of the common network attack techniques, greatly affecting the effective service of networks and business host systems. TCP DDoS in particular exploits the insecurity of the three-way handshake in the traditional protocol and sends a large number of packets to Internet servers; because the server receives a large number of invalid packets, normal packets cannot be responded to in time. How to detect the occurrence of such attacks and how to reduce their consequences has become a hot research topic in the security community.

10.
Distributed denial of service (DDoS) is a major threat to the availability of Internet services. The anonymity allowed by IP networking, together with the distributed, large scale nature of the Internet, makes DDoS attacks stealthy and difficult to counter. To make the problem worse, attack traffic is often indistinguishable from normal traffic. As various attack tools become widely available and require minimum knowledge to operate, automated anti-DDoS systems become increasingly important. Many current solutions are either excessively expensive or require universal deployment across many administrative domains. This paper proposes two perimeter-based defense mechanisms for Internet service providers (ISPs) to provide the anti-DDoS service to their customers. These mechanisms rely completely on the edge routers to cooperatively identify the flooding sources and establish rate-limit filters to block the attack traffic. The system does not require any support from routers outside or inside of the ISP, which not only makes it locally deployable, but also avoids the stress on the ISP core routers. We also study a new problem of perimeter-based IP traceback and provide three solutions. We demonstrate analytically and by simulations that the proposed defense mechanisms react quickly in blocking attack traffic while achieving high survival ratio for legitimate traffic. Even when 40 percent of all customer networks attack, the survival ratio for traffic from the other customer networks is still close to 100 percent.

11.
This paper introduces an embedded fuzzy expert system for Adaptive Weighted Fair Queueing (AWFQ) located in the network traffic router to update weights for output queues. WFQ algorithm allows differentiated service for traffic classes according to Quality of Service (QoS) requirements. Link sharing and packet scheduling methods are the most critical factors when guaranteeing QoS. There are many different scheduling mechanisms but adequate and adaptive QoS aware scheduling solutions are still in a phase of development due to the rapid growth of multimedia in the Internet. The proposed AWFQ model in this work simplifies the link sharing to two service classes: one for UDP and another for TCP. The implementation of the model is based on adaptive change of weight coefficients that determine the amount of allowed bandwidth for the service class. New weight coefficients are calculated periodically on routers according to developed embedded fuzzy expert system. It is shown through simulations that the AWFQ model is more stable and reacts faster to different traffic states than the traditional WFQ scheduler. The embedded expert system adjusts the weights of AWFQ with two parameters that are based on the share of the UDP and TCP input traffic data rate and the change of the share of the UDP and TCP input data rate.

12.
With the continuing increase in Internet speed, the continuing growth of network traffic, and the continuing expansion of routing tables, IP route lookup has become the main bottleneck limiting the performance of core routers. This paper analyzes two commonly used hardware-memory-based route lookup algorithms and, combining their respective advantages, proposes a route lookup algorithm based on a RAM and TCAM storage structure. The algorithm overcomes the shortcomings of the two algorithms above; it offers a high lookup rate, fast update time, low storage cost, and easy implementation, and is an ideal lookup mechanism for high-speed core router environments.

13.
We propose new shared memory multiprocessor architectures and evaluate their performance for future Internet protocol (IP) routers based on symmetric multiprocessor (SMP) and cache coherent nonuniform memory access (CC-NUMA) paradigms. We also propose a benchmark application suite, RouterBench, which consists of four categories of applications representing key functions on the time-critical path of packet processing in routers. An execution driven simulation environment is created to evaluate SMP and CC-NUMA router architectures using this RouterBench. The execution driven simulation can produce accurate cycle-level execution time prediction and reveal the impact of various architectural parameters on the performance of routers. We port the FUNET trace and its routing table for use in our experiments. We find that the CC-NUMA architecture provides an excellent scalability for design of high-performance IP routers. Results also show that the CC-NUMA architecture can sustain good lookup performance, even at a high frequency of route updates.

14.
《Computer Networks》2008,52(5):957-970
We propose a router-based technique to mitigate the stealthy reduction of quality (RoQ) attacks at the routers in the Internet. The RoQ attacks have been shown to impair the QoS sensitive VoIP and the TCP traffic in the Internet. It is difficult to detect these attacks because of their low average rates. We also show that our generalized approach can detect these attacks even if they employ the source IP address spoofing, the destination IP address spoofing, and undefined periodicity to evade several router-based detection systems. The detection system operates in two phases: in phase 1, the presence of the RoQ attack is detected from the readily available per flow information at the routers, and in phase 2, the attack filtering algorithm drops the RoQ attack packets. Assuming that the attacker uses the source IP address and the destination IP address spoofing, we propose to detect the sudden increase in the traffic load of all the expired flows within a short period. In a network without RoQ attacks, we show that the traffic load of all the expired flows is less than certain thresholds, which are derived from real Internet traffic analysis. We further propose a simple filtering solution to drop the attack packets. The filtering scheme treats the long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length if the queue length exceeds a threshold percent of the queue limit. Our results show that we can successfully detect and mitigate RoQ attacks even with the source and destination IP addresses spoofed. The detection system is implemented in the ns2 simulator. In the simulations, we use the flowid field available in ns2 to implement per-flow logic, which is a combination of the source IP address, the destination IP address, the source port, and the destination port. We also discuss the real implementation of the proposed detection system.

15.
Cloud computing has become a suitable provider of services for organizations as well as individuals through the Internet. Generally, these services become unavailable because of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks that can deny the legitimate users access to the service delivered by cloud. Taxonomy is an important opportunity for researchers and cloud service providers. Therefore, it provides researchers with a general view about some contributions to understand and ameliorate their limitations and helps cloud service providers to select the best defense strategy to protect their cloud service against DoS and DDoS attacks. In this article, we present taxonomies of DoS and DDoS attacks in cloud environment, countermeasures, and highlight their solutions with another taxonomy of well-known defense mechanisms.

16.
Dimitris  Nikos  Costas   《Computers & Security》2009,28(7):578-591
Any application or service utilizing the Internet is exposed to both general Internet attacks and other specific ones. Most of the time the latter are exploiting a vulnerability or misconfiguration in the provided service and/or in the utilized protocol itself. Consequently, the employment of critical services, like Voice over IP (VoIP) services, over the Internet is vulnerable to such attacks and, on top of that, they offer a field for new attacks or variations of existing ones. Among the various threats–attacks that a service provider should consider are the flooding attacks, at the signaling level, which are very similar to those against TCP servers but have emerged at the application level of the Internet architecture. This paper examines flooding attacks against VoIP architectures that employ the Session Initiation Protocol (SIP) as their signaling protocol. The focus is on the design and implementation of the appropriate detection method. Specifically, a bloom filter based monitor is presented and a new metric, named session distance, is introduced in order to provide an effective protection scheme against flooding attacks. The proposed scheme is evaluated through experimental test bed architecture under different scenarios. The results of the evaluation demonstrate that the required time to detect such an attack is negligible and also that the number of false alarms is close to zero.

17.
袁满  罗军  胡建平  阚志刚  马健 《计算机工程》2003,29(14):22-23,29
The Service Location Protocol (SLP) is the IETF's standard for service location on IP networks, but this standard does not consider support for QoS. The future Internet will be a network with QoS guarantees. Service discovery is only one aspect of Internet service management; discovering a service is not the ultimate goal, which is to use that service. Based on a thorough study of the SLP architecture, next-generation Internet QoS service management, and related technologies, this paper proposes a novel QoS-based Internet service management architecture model. To support QoS at the service representation and discovery layer, some extensions are made to the SLP protocol. With the extended protocol, when a user agent issues a request to a service agent, it can bind QoS object parameters into the request message; once the service agent receives the message, it can use these QoS parameters to negotiate with the domain manager, and the negotiation result can be fed back to the user agent through the service agent. This not only reduces network overhead but also reduces the number of traditional negotiations between the user agent and the domain manager, and the user agent can obtain the QoS information of the service directly at the same time as it discovers the service.

18.
Collaborative Detection of DDoS Attacks over Multiple Network Domains   Total citations: 2, self-citations: 0, citations by others: 2
This paper presents a new distributed approach to detecting DDoS (distributed denial of services) flooding attacks at the traffic-flow level. The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the flooding damages to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network domains on the Cyber Defense Technology Experimental Research (DETER) testbed, a 220-node PC cluster for Internet emulation experiments at the University of Southern California (USC) Information Science Institute. Experimental results show that four network domains are sufficient to yield a 98 percent detection accuracy with only 1 percent false-positive alarms. Based on a 2006 Internet report on autonomous system (AS) domain distribution, we prove that this DDoS defense system can scale well to cover 84 AS domains. This security coverage is wide enough to safeguard most ISP core networks from real-life DDoS flooding attacks.

19.
Although the Differentiated Services architecture supports scalable packet forwarding based on aggregate flows, the detailed procedure of Quality of Service (QoS) flow set-up within this architecture has not been well established. In this paper we explore the possibility of a scalable QoS flow set-up using a sink-tree paradigm. The paradigm initially constructs a sink tree at each egress edge router using network topology and bandwidth information provided by a QoS extended version of Open Shortest Path First (OSPF), which is a widely used link-state routing protocol. Our sink-tree paradigm dynamically reallocates network bandwidths online according to traffic demands. As a consequence, our paradigm easily supports QoS routing, resource allocation, and admission control at ingress edge routers without consulting core routers in a way that the QoS flow set-up time and overhead are minimized. Simulation results are very encouraging in that the proposed methodology requires significantly less communication overhead in setting up QoS flows compared to the traditional per-flow signaling-based methodology while still maintaining high resource utilization.

20.
The IETF’s recent differentiated services (DS) architecture, which specifies a scalable mechanism for treating packets differently, offers new opportunities for building end-to-end quality of service (QoS) systems. However, it also introduces new challenges. In particular, it is not clear whether TCP’s flow and congestion control mechanisms work well with the mechanisms used for end-to-end QoS. For that reason it is essential to analyze whether the existing DS mechanisms can be used with standard TCP implementations or whether it is necessary to wait for upcoming features introduced in future modified versions of TCP. The general-purpose architecture for reservation and allocation (GARA) supports flow-specific QoS specification, immediate and advance reservation, and online monitoring and control of both individual resources and heterogeneous resource ensembles. Using GARA, we evaluated actual DS mechanisms provided by Cisco routers. We present the results of this evaluation and discuss their impact on the performance of popular TCP implementations.
