
Research on Packet-Marking-Based Traceback Methods in IP Networks (title translated from the Chinese)

IP Traceback Techniques Research Based on the Packet Marking Schemes

【Author】 李勇辉 (Li Yonghui)

【Advisor】 杨放春 (Yang Fangchun)

【Author information】 Beijing University of Posts and Telecommunications (北京邮电大学), Computer Science and Technology, 2011, PhD

【Abstract (translated from the Chinese 摘要)】 Denial-of-service attacks (including DoS, DDoS and DRDoS attacks) are currently the main threat facing the Internet. Given the Internet's importance in social and economic life, defending against denial-of-service attacks has significant social and economic value. In recent years researchers have designed and implemented many kinds of defence schemes, among which IP traceback occupies an important position: tracing the path taken by attack packets and their origin not only helps the victim deploy countermeasures, but also enables sanctions against the attacker, deterring potential attackers from attempting an attack and thereby strengthening network security. Around the problem of tracing denial-of-service attacks, this dissertation first discusses countermeasures against such attacks and clarifies where traceback sits in the defensive architecture, then defines the scope of attack-source tracing research, studies the various traceback methods in depth and analyses their respective strengths and weaknesses. Its focus is on traceback methods based on packet marking, for which it proposes a set of performance metrics. It then studies traceback methods for (D)DoS attacks and for DRDoS attacks respectively; these methods match or exceed other schemes in traceback speed, accuracy and usability. The main work and contributions are as follows:

(1) A cross-domain (D)DoS traceback method based on flexible fragmentation of path information. Existing cross-domain traceback methods have poor practicality, place high demands on the victim and reconstruct paths slowly. This dissertation proposes to use the path information carried in the BGP AS-PATH attribute and to fragment the sequence of AS numbers a packet traverses flexibly, reducing the number of packets needed to reconstruct the attack path. At the same time, the unused bits of the packet marking space are used to store authentication information, so that the method can recognise forged marks and thereby improve traceback accuracy. Theoretical analysis and experimental results show that the method has a small impact on network performance and a false-positive count comparable to existing methods, while offering further advantages: the victim need not know the network topology, path reconstruction is simple, and forged marks can be resisted.

(2) A fast intra-domain (D)DoS traceback method based on dynamic marking probability. The traceback process is divided into two stages, "constructing the network topology" and "identifying intrusion paths"; because the two stages have different tasks, each uses its own marking scheme. A fixed marking probability slows traceback down and lets an attacker forge marks to disrupt it, so this method uses the optimal marking probability in both stages and has routers adjust their marking probability dynamically. To avoid leaking the intra-domain topology, border routers store the marks of packets leaving the domain and then clear the intra-domain information from the packets' marking space; to reduce the storage this requires, border routers store marks per flow. Experiments show that, compared with existing methods, this method has shorter convergence time and fewer false positives and false negatives, without adding further load to the network.

(3) A DRDoS traceback method based on packet marking and router logging. Existing methods have poor practicality and low traceback precision. This dissertation combines the advantages of packet marking and router digest storage: the first router a request packet traverses marks the packet, and the last router it traverses stores the packet's mark information, so the mark is not lost and the attack source can be traced across the reflector. Theoretical analysis and experimental results show that the method needs little storage space and is highly practical, and that compared with other methods it has clear advantages in convergence count, convergence time, incremental deployability, false-positive count and impact on network performance.

【Abstract】 Denial-of-service attacks (including DoS, DDoS and DRDoS attacks) are at present the main threat to the Internet. Because the Internet plays a vital role in social and economic life, defending against denial-of-service attacks has important social and economic significance. In recent years, researchers have designed and implemented various types of defence technology. Among them, IP traceback occupies a crucial position: tracing the paths and sources of attack packets not only helps guide victims in deploying defence equipment, but also makes it possible to punish the true attacker, deterring potential aggressors from attempting attacks and thus effectively maintaining network security. Around the problem of tracing denial-of-service attacks, this dissertation first studies the countermeasures to such attacks and clarifies the position of traceback within the defensive system, then delimits the research scope of IP traceback, studies the different types of IP traceback methods in depth and analyses their advantages and disadvantages. It particularly introduces the IP traceback methods based on packet marking and proposes performance indices for assessing packet marking schemes. After that, it studies packet-marking-based traceback methods for (D)DoS and DRDoS attacks respectively. The proposed methods match or exceed other similar traceback schemes in traceback speed, accuracy, usability and so on. The main work and contributions are as follows:

(1) A cross-AS traceback method based on flexible fragmentation of path information for tracing (D)DoS attacks. Existing cross-AS traceback methods have poor usability, demand much of the victim and trace slowly. Using the routing information provided by the BGP AS-PATH attribute, we propose to fragment the sequence of AS numbers a packet passes through in a flexible way, so as to reduce the number of packets needed to reconstruct the attack path. Meanwhile, we place authentication information in the idle bits of the marking space not used by the mark itself, which lets the method identify forged marks and so improves traceback accuracy. Theoretical analysis and simulation show that the method's impact on network performance is small and that its false-positive count is not inferior to existing methods, while it offers further advantages: simple path reconstruction, low demands on the victim, and resistance to forged marks.

(2) A fast intra-domain IP traceback method based on dynamic probabilistic marking for tracing (D)DoS attacks. The traceback process is divided into two stages, "constructing the network map" and "identifying intrusion paths"; because the two stages have distinct tasks, each uses its own marking method. Marking packets with a fixed probability slows traceback and lets an attacker forge marks to disturb it, so we adopt the optimal marking probability in both stages, with routers adjusting their marking probability dynamically. To avoid disclosing the intra-domain topology, when a packet leaves an AS domain the border gateway preserves the packet's mark and empties the marking space, which may carry intra-domain topology information. To reduce the storage needed for saved marks, border gateways store them per flow. Experimental results show that, compared with the existing method, ours not only has a shorter convergence time and fewer false positives and false negatives, but also adds no further burden to the network.

(3) A traceback method for DRDoS attacks based on packet marking and router logging. Existing methods have poor practicality and low traceback precision; we integrate the advantages of packet marking and hash-based router logging in a traceback method named ADPM. In ADPM, the first router that a request packet traverses marks it, and the last router it traverses saves the packet's characteristics and mark, so the mark is not lost and the victim can locate the attack source hiding behind the reflector. Analysis and simulation show that ADPM needs little memory to save marks and has high availability, and that compared with other methods it has clear advantages in convergence number, convergence time, incremental deployment, false-positive number and impact on network performance.
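Contribution (2) turns on why a fixed marking probability traces slowly: the mark written by a router far from the victim is overwritten by every later router that also marks, so the farthest router's mark is the rarest, and it is also the one an attacker can most easily impersonate. The simulation below is an added example written for this page, not the dissertation's code; it compares classic fixed-probability marking with the well-known distance-adaptive variant in which the h-th router marks with probability 1/h, so that every router's mark reaches the victim with the same probability 1/d. The dissertation's own optimal probabilities, its two-stage scheme and its border-gateway flow storage are not reproduced. Assumed model: one (router id, distance) mark per packet, the marking router sets distance to 0, each later router increments it, the attacker leaves the field empty, and the ten-hop path is constructed.

```python
"""Probabilistic packet marking (PPM): fixed marking probability versus the
distance-adaptive variant (router at hop h marks with probability 1/h).
Added example for this abstract page; not the dissertation's scheme.
Assumed model: the packet carries one (router id, distance) mark; a marking
router writes its id and resets distance to 0, every later router increments
the distance, and the attacker sends the field empty.  The path is constructed."""
import math
import random
from typing import Callable, Dict, List, Optional, Tuple

Path = List[str]                    # router ids from the attacker side to the victim
ProbAtHop = Callable[[int], float]  # marking probability of the router at hop h (1-based, attacker side)

# Constructed 10-hop path: r1 is adjacent to the attacker, r10 to the victim.
PATH: Path = [f"r{i}" for i in range(1, 11)]


def fixed(p: float) -> ProbAtHop:
    """Classic PPM: every router marks with the same probability p."""
    return lambda h: p


def adaptive(h: int) -> float:
    """Distance-adaptive marking: hop h marks with probability 1/h, so its mark
    survives the d-h later routers with probability exactly 1/d for every h."""
    return 1.0 / h


def survival_probabilities(d: int, prob: ProbAtHop) -> List[float]:
    """P(victim receives a packet still carrying hop h's mark), h = 1..d.
    The mark survives only if none of the later routers overwrites it."""
    out = []
    for h in range(1, d + 1):
        p = prob(h)
        for later in range(h + 1, d + 1):
            p *= 1.0 - prob(later)
        out.append(p)
    return out


def packets_to_hear_all(d: int, prob: ProbAtHop, miss: float = 0.01) -> int:
    """Smallest n such that each router's mark is absent from n packets with
    probability <= miss.  The rarest mark (the farthest router) dictates n."""
    return max(math.ceil(math.log(miss) / math.log(1.0 - s))
               for s in survival_probabilities(d, prob))


def simulate(path: Path, prob: ProbAtHop, n_packets: int, seed: int) -> Dict[str, int]:
    """Forward n_packets along the path; return {router id: distance from victim}
    as collected by the victim.  Seeded so the run is reproducible."""
    rng = random.Random(seed)
    seen: Dict[str, int] = {}
    for _ in range(n_packets):
        field: Optional[Tuple[str, int]] = None      # attacker leaves the marking field empty
        for h, router in enumerate(path, start=1):
            if rng.random() < prob(h):
                field = (router, 0)                  # overwrite: a packet holds one mark
            elif field is not None:
                field = (field[0], field[1] + 1)     # pass-through routers count hops
        if field is not None:
            seen[field[0]] = field[1]
    return seen


def reconstruct(seen: Dict[str, int]) -> Path:
    """Order the collected marks from farthest to nearest the victim: the attack path."""
    return [router for router, _ in sorted(seen.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    d = len(PATH)
    for name, prob in (("fixed p=0.04", fixed(0.04)), ("adaptive 1/h", adaptive)):
        s = survival_probabilities(d, prob)
        print(f"{name}: farthest router's mark survives with p={s[0]:.4f}; "
              f"packets for 99% per-router coverage: {packets_to_hear_all(d, prob)}")
        print("  reconstructed path:", reconstruct(simulate(PATH, prob, 2000, seed=1)))
```

With d = 10 the fixed scheme delivers the farthest router's mark in under 3% of packets while the adaptive scheme delivers every router's mark in 10%, which is why the number of packets the victim must collect drops by roughly a factor of four; the same reasoning is what makes far-router marks cheap to forge under a fixed probability.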
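Contribution (3) addresses the reason reflected attacks defeat plain packet marking: the reflector answers the spoofed source with a freshly built packet, so whatever the routers wrote into the request's marking field never reaches the victim. The following is an added example, not the dissertation's ADPM: the first router on the request's path writes its id into the marking field, the last router before the reflector logs a flow digest together with that mark, and the victim, holding only the response, asks that router for the mark. Assumptions: a 16-bit marking field (such as the IP ID field), a log keyed on the request tuple, and a reflector whose response carries the request tuple with source and destination swapped (true of UDP request/response services such as DNS). Addresses are RFC 5737 documentation addresses and all traffic is constructed.

```python
"""DRDoS traceback by ingress marking plus egress logging.  Added example, not
the dissertation's ADPM.  Assumed: a 16-bit marking field, a log keyed on the
request tuple, and a reflector that swaps source and destination in its reply.
Addresses are RFC 5737 documentation addresses; all traffic is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    mark: Optional[int] = None   # 16-bit marking field (e.g. IP ID); None = unused


def flow_digest(src: str, dst: str, sport: int, dport: int, proto: str) -> bytes:
    """8-byte digest of the flow tuple: what the egress router stores instead of the tuple."""
    canon = f"{src}>{dst}:{sport}>{dport}/{proto}".encode()
    return hashlib.sha256(canon).digest()[:8]


class Router:
    def __init__(self, rid: int) -> None:
        self.rid = rid & 0xFFFF
        self.log: Dict[bytes, int] = {}   # flow digest -> mark seen on the request

    def ingress_mark(self, pkt: Packet) -> Packet:
        """First-hop router (the one facing the sending host): always overwrite,
        so a mark the attacker pre-filled to mislead the trace is discarded."""
        pkt.mark = self.rid
        return pkt

    def egress_log(self, pkt: Packet) -> Packet:
        """Last router before the reflector: record which ingress router marked this
        request.  The reflector builds a fresh reply, so the mark ends here."""
        if pkt.mark is not None:
            key = flow_digest(pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
            self.log[key] = pkt.mark
        return pkt

    def lookup(self, response: Packet) -> Optional[int]:
        """Answer a victim's query: swap the response's endpoints to rebuild the request key."""
        key = flow_digest(response.dst, response.src, response.dport, response.sport, response.proto)
        return self.log.get(key)


def reflect(reflector_ip: str, req: Packet) -> Packet:
    """The reflector answers the (spoofed) source; the request's mark is not carried over."""
    return Packet(src=reflector_ip, dst=req.src, sport=req.dport, dport=req.sport, proto=req.proto)


def trace_reflected_attack(ingress: Router, egress: Router, victim_ip: str, reflector_ip: str,
                           forged_mark: Optional[int] = None) -> Optional[int]:
    """Send one request with a spoofed source through ingress -> egress -> reflector,
    then let the victim query the egress router with the reflected response.
    Returns the id of the ingress router next to the real attacker, or None."""
    req = Packet(src=victim_ip, dst=reflector_ip, sport=40000, dport=53, proto="udp", mark=forged_mark)
    ingress.ingress_mark(req)
    egress.egress_log(req)
    resp = reflect(reflector_ip, req)
    return egress.lookup(resp)


if __name__ == "__main__":
    ingress, egress = Router(0x1A2B), Router(0x3C4D)
    rid = trace_reflected_attack(ingress, egress, "203.0.113.5", "198.51.100.53", forged_mark=0xFFFF)
    print(f"victim recovered ingress router 0x{rid:04X} behind the reflector")
```

The digest keeps the per-flow log entry at 10 bytes rather than the full tuple; a production deployment would also age entries out and, as the dissertation's English abstract notes for its hash-based logging, may trade exactness for a probabilistic structure. The forged-mark case shows why the first router must overwrite rather than fill-if-empty.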
