【作者】 王飞；

【导师】 卢锡城；

【作者基本信息】 国防科学技术大学 ， 计算机科学与技术， 2013， 博士

【摘要】 分布式拒绝服务(Distributed Denial of Service, DDoS)攻击是Internet面临的最严重安全威胁之一。与传统攻击手段相比，DDoS攻击具有隐蔽性强、强度大、攻击源分散、持续时间长等特点，尚缺乏切实有效的防御机制。目前，DDoS攻击的频繁程度与危害性逐年增加，网络安全形势日益严峻。因此，探索应对DDoS攻击的有效防御手段，具有重要的研究价值和广阔的应用前景。DDoS攻击的应对措施主要包含检测、响应、溯源与预防四类。其中，检测与响应是最基本的防御手段，也是当前研究的核心问题。本文在归纳总结现有工作的基础上，重点针对检测和响应两大基础问题展开研究，主要研究成果如下：1.提出一种多阶段的DDoS攻击早期检测方法。在靠近攻击源的位置对DDoS攻击进行早期检测，能够有效提高攻击预警能力。然而，攻击初期的流量具有明显的隐蔽性，可识别度低，这种情况下如何有效检测DDoS攻击是一个挑战性问题。论文首先建立DDoS攻击模型，分析攻击早期流量特征。在此基础上，融合多种基本流量属性，提出网络流量状态和联合偏离率两种复合流量属性，解决了单一属性可检测性差和多维属性计算复杂度高的矛盾。基于复合流量属性，提出一种多阶段的DDoS攻击早期检测方法MADOP，将检测过程分为网络流量状态预测、细粒度流量奇异点检测和可疑目的地址提取三个阶段，逐步精化DDoS攻击的时空特征。通过合理设置各阶段检测目标，MADOP有效提高早期检测效费比，优化利用资源。实验结果表明，MADOP对攻击流量比例小、异常不明显的DDoS攻击，具有较高的敏感度。攻击流量仅占总体流量5%时，MADOP就能准确检测异常并定位攻击发起时间，受害者识别的准确度达96%。MADOP对慢速拒绝服务攻击也有很好的检测效果。2.提出一种基于分布式概要数据结构的DDoS攻击检测方法。由于DDoS攻击源分散，检测这种攻击存在信息统计开销大和全局异常关联困难等问题。论文提出一种基于分布式概要数据结构的流量信息统计组织技术，该技术采用新型哈希函数BitHash，显式关联IP地址与哈希值，支持基于目的IP的流量统计和基于哈希值的反向地址重构，一方面避免保存数据流状态信息，减少计算和存储开销；另一方面通过概要数据的分布化计算、处理和存储，适应DDoS攻击源分散的特点，全面统计全局范围的流量特性。基于分布式概要数据结构，论文设计了DDoS攻击分布式检测方法FLOW，提出基于BitHash和PCA的局部异常检测机制，以及面向全局检测的异常消息传递与预处理算法、基于异常爆发期的决策算法和轻量级地址重构算法等核心技术。仿真结果表明，FLOW能够准确检测DDoS攻击，受害者识别结果能有效辅助过滤恶意流量。利用地址重构结果过滤报文，误报率不超过3%。理论分析显示，FLOW的整体性能开销优于现有方法，特别是存储开销方面，节省了近70%的空间。3.提出一种基于包标记的分布式DDoS攻击检测机制。现有分布式检测方法普遍通过融合控制平面的异常警报检测DDoS攻击，存在全局检测过分依赖局部检测结果、检测效果受限于局部检测准确度等问题。论文提出在数据平面进行DDoS协同检测的新思路，设计了基于包标记的分布式DDoS攻击检测机制VicSifter。VicSifter将攻击嫌疑流量抽象为检测视图，利用基于概要数据结构的流量筛子，逐跳剔除上游节点检测视图中的正常流量，最后在全局异常流量基础上判定攻击。针对检测视图的高效传递与精简问题，设计了基于包标记的检测视图传递机制和流量精简算法。针对攻击诊断和受害者识别问题，提出基于流量异常环模型和全局异常度的全局决策算法。实验结果表明，VicSifter能够有效检测DDoS攻击并识别受害者，同时具备节点负载小、可扩展性强等特点。通过流量精简，VicSifter迅速将嫌疑目的IP数量减小到原来的2%，3跳之内即可将检测视图精简到仅包含访问攻击受害者的流量。VicSifter采用带内传输方式，不会加剧网络拥塞状况。4.提出基于异常流量演化模式的非均衡速率限制机制。速率限制是DDoS攻击响应的主要技术之一。由于缺乏对聚合流的细粒度划分和对异常聚合流的有效判定，现有速率限制机制对正常流量的错误抑制问题突出。为此，论文提出基于异常流量演化模式的基本非均衡速率限制机制BaURL，根据流量传播的聚散特点判定聚合流的异常性，并依此将聚合流划分为不同优先级集合，施加不同程度的流量抑制，重点限制异常流的带宽分配，从而减少速率限制对正常流量的影响。结合BaURL和细粒度聚合流划分方法，提出基于BitHash的细粒度非均衡速率限制机制FiURL和基于协同的非均衡速率限制机制CoURL，实现对聚合流速率限制的精细化控制。最后，提出基于报文重定向的防御互助组机制，有效解决了基于聚合流的速率限制可能造成的正常用户饿死问题。实验结果表明，上述机制能够显著降低速率限制机制对正常流量的损害，通过调整参数FiURL能够将过滤掉的正常流量控制在10%以下，CoURL对聚合流的精细抑制可达到单个目的IP流的层次。更多还原

【Abstract】 Distributed Denial of Service (DDoS) attack is one of the most serious securitythreats to Internet. Compared with traditional attacks, DDoS attack has several signif-icant features including low-profile attack flow, great attack intensity, dispersive attacksources, long duration, and so on. So far, no practical countermeasure against DDoSattacks is available. As frequency and damage of DDoS attacks increase year by year,security situation of network becomes more and more severe. Therefore, it has an impor-tant research value and a wide application prospect to explore effective countermeasuresagainst DDoS attacks.DDoS defense has four research areas, detection, reaction, traceback and prevention.As the basic defenses for DDoS attack, DDoS detection and reaction are the key problemsin current researches. In this thesis, we performed an in-depth study on DDoS detectionandreactionissuesonthebasisofacomprehensivesurveyofpresentresearchesonDDoSattack and defense. The major contributions are as follows,1. Propose a multistage method for early DDoS detection.Early DDoS detection can effectively enhance the ability of early attack warning.Since attack traffic keeps a low profile and cannot be easily recognized at early stageof DDoS attacks, it is very hard to achieve early DDoS detection. This paper presents aDDoSmodeltotheoreticallyanalyzelowprofilefeatureofDDoSattacks. Thentwocom-plex features, Network Traffic State (NTS) and Joint Deviation Rate (JDR), are definedby merging basic traffic features, which successfully solve the contradiction between thedifficulty in detecting the anomaly of signal feature and high computation cost of multidi-mensional features. Based on the two features, a Multistage Anomaly Detection methodforlOw-Profileattack traffic(MADOP) is proposedtodetectDDoS attacksatearlystage.Through three stages, including network traffic state prediction, fine-grained singularitydetection, and suspicious IP extraction, MADOP refines the spatial-temporal character-istics of DDoS attacks in a stepwise way. By designating reasonable goals for differentdetection stages, MADOP effectively raises the efficiency-cost ratio of early DDoS de-tection, as well as optimizes resource usage of detection devices. MADOP can accuratelydetect anomaly and locate the start time of attacks even when attack traffic only consti- tutes5%of total traffic, with96%successfully identified victims. MADOP also showsgreat quality in low-rate DDoS detection.2. Propose a split-sketch-based collaborative DDoS detection scheme.DDoS attacks have distributed attack sources. Detecting such attacks suffers fromhigh statistic consumption as well as difficult correlation of global anomalies. This thesisproposes a split-sketch-based technique to summarize and organize network traffic. Thistechnique adopts a new hash function, BitHash, which explicitly connects hash value andthe input IP. As a result, the technique can summarize traffic based on destination IPsand then reversely construct input IPs through hash values. This technique, on one hand,avoidskeepingper-IPstates. Ontheotherhand,itefficientlyrespondstodispersiveDDoSattack sources by computing, processing and storing sketch distributedly. Based on splitsketch, this paper proposes a collaborative DDoS detection mechanism called FLOW.FLOW includes several key technologies, including an anomaly detection method usingBitHash and Principal Component Analysis (PCA), a special messaging and preprocess-ing mechanism, a decision algorithm based on burst period of anomaly, and a lightweightIP reconstruction algorithm. Simulation results show that the results of FLOW greatlycontribute to attack traffic filtering during DDoS reaction with false positive rate of lessthan3%. FLOW outperforms other methods with the similar capability in performanceexpenses, especially in space requirement.3. Propose a packet-marking-based collaborative DDoS detection mechanism.Traditional collaborative methods detect DDoS attacks by fusing alerts in controlplane. Problems exist in such methods including global detection’s overdependence onlocalresults, aswellasfinaldecisionbeingsubjecttotheaccuracyoflocaldetection. Thisthesis presents a novel idea of achieving collaborative DDoS detection through data planeand proposes a packet-marking-based distributed DDoS detection mechanism, VicSifter.VicSifter regards suspect network traffic as an abstract detection view, uses sketch-basedtraffic sifter to gradually eliminate normal traffic from detection view, and makes finaldecision on the basis of global abnormal traffic. To pass detection view between collab-orative nodes, VicSifter adopts a packet-marking-based transmission mechanism and atraffic reduction algorithm. Also, for the purpose of attack diagnosis and victim identifi-cation, a highly efficient global detection algorithm based on traffic anomaly circle andglobal anomaly degree is presented. Simulation results show that VicSifter can accuratelydetect DDoS attacks and identify victims. It has remarkable features of low consumption and great scalability. Through traffic reduction, VicSifter rapidly reduces suspect desti-nation IPs to2%. The detection view only contains packets destined for victims after3hops. Using in-band transmission, VicSifter does not aggravate network congestion.4. Propose a series of uneven rate limiting mechanisms on the basis of evolvingpattern of abnormal traffic.Rate limiting is one of the major techniques for DDoS reaction. But the existing ratelimiting mechanisms may wrongly damage normal traffic for lack of fine-grained traf-fic aggregating methods and effective methods to judge abnormal aggregates. In viewof the above questions, this thesis proposes a Basic Uneven Rate Limiting mechanism(BaURL) using Evolving Pattern of Abnormal Traffic (EPAT). By evaluating the abnor-mality of traffic aggregates, BaURL divides them into different priority sets and endowsdifferent levels of suppressing intensity, thus significantly reducing unintentional damageto normal traffic. Combing BaURL and fine-grained traffic aggregating method, a Fine-grained URL (FiURL) mechanism based on BitHash, and a collaborative URL (CoURL)mechanism are proposed to achieve elaborate control in aggregate-based rate limiting. Toconquer the poor client problem that commonly occurs in aggregate-based rate limitingmechanisms, a possible solution using packet redirection is presented and named Mutual-aid team. Simulation results prove that all the four mechanisms and Mutual-Aid Team(MAT) help to effectively limit collateral damage to normal traffic. Through parameteradjustment, the normal traffic filtered by FiURL can be reduced to less than10%, whilethe elaborate control in aggregate of CoURL could achieve the level of single destinationIP stream.更多还原