
Research on and Implementation of Defense against Distributed Denial-of-Service Attacks

【Author】 罗锦尚

【Advisor】 陈雷霆

【Author information】 电子科技大学 (University of Electronic Science and Technology of China), Computer Application Technology, 2006, Master's thesis

【Abstract (translated from Chinese)】 In recent years, distributed denial-of-service (DDoS) attacks have posed a serious threat to network security and to the availability of information. Because DDoS attacks are simple to carry out and highly destructive, they are widely used by attackers. Most DDoS attacks today are carried out over the TCP protocol, chiefly as TCP flood attacks. Research on DDoS and TCP SYN Flood attacks has become a focus of information-security research, and some vendors at home and abroad have developed dedicated products. To detect and defend against DDoS well enough to secure a system thoroughly, however, the characteristics of DDoS attacks must be studied in depth and targeted solutions proposed. Studying the statistical distribution properties that packet flows exhibit during a DDoS attack is one current direction of defense research. Although an attack source forges its source IP address, the routing path its attack packets traverse (which determines a particular TTL value) is determined only by the true origin. When a TCP SYN Flood attack occurs, it causes anomalies at routers, such as traffic anomalies (traffic may surge) and changes in the statistical distribution of certain packet-flow features (such as the random distribution of source IP addresses and the distribution of the TTL field). We therefore propose TTL-based detection and defense against TCP SYN Flood attacks, using the statistical distribution of hop counts to distinguish legitimate packets from spoofed ones, combined with traffic-anomaly detection to identify attacks quickly and effectively. Linux has become very popular in the IT industry for its robustness, reliability, flexibility and customizability, so most servers today run Linux. This thesis takes Linux as its basis and uses the kernel's Netfilter firewall to build a detection and defense system, mainly by extending the connection-tracking module with the TTL-based detection and defense mechanism. Through firewall technology, a network communication monitoring system is established at the network boundary to safeguard network security.

【Abstract】 In recent years the DDoS (Distributed Denial of Service) attack has severely threatened the security of networks and the availability of information. Because of its simplicity and effectiveness, it is widely used by attackers. Most DDoS attacks today are TCP flood attacks built on the TCP protocol. The study of DDoS and TCP SYN flood attacks has become a hotspot of information-security research, and many foreign and domestic manufacturers have developed dedicated products. In order to detect and defend against DDoS and secure the system thoroughly, we have to study the characteristics of the attack to solve the problem. When a DDoS attack happens, the flood presents certain characteristics, such as its statistical distribution. Although an attacker can forge any field in the IP header, he or she cannot falsify the number of hops an IP packet takes to reach its destination, which is determined solely by the Internet routing infrastructure. The hop-count information is indirectly reflected in the TTL field of the IP header. We propose a TTL-based filter to weed out spoofed IP packets: through the statistical distribution of the hop counts, we can distinguish legitimate packets from spoofed packets. Linux is very popular in the IT field because of its robustness, reliability, flexibility and customizability, so most servers currently run the Linux operating system. Choosing Linux as the basis and making use of Netfilter, we construct the detecting and defending system. We make use of connection tracking to extend its functionality. Through the firewall, the system can monitor communication at the network border.
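The hop-count check the abstract describes, as an added illustration that is not code from the thesis: the hop count is inferred from the observed TTL using a table of common initial TTL values (an assumed heuristic, not one the thesis states), learned from verified connections, and applied to SYN packets only once the SYN rate in a window exceeds a threshold, mirroring the combination with traffic-anomaly detection. IP addresses, TTLs and the threshold are constructed sample values.

```python
from collections import Counter

# Initial TTL values that common operating systems use. Assumption: the
# standard hop-count-filtering heuristic, not a table from the thesis.
INITIAL_TTLS = (32, 64, 128, 255)

def infer_hop_count(ttl: int) -> int:
    """Estimate routers crossed as (smallest initial TTL >= ttl) - ttl."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must be 0..255")
    return next(initial - ttl for initial in INITIAL_TTLS if ttl <= initial)

class HopCountFilter:
    """IP-to-hop-count table learned from legitimate traffic, consulted for
    SYN packets only when the SYN count in a window looks anomalous."""

    def __init__(self, syn_threshold: int):
        self.table: dict[str, int] = {}
        self.syn_threshold = syn_threshold

    def learn(self, src_ip: str, ttl: int) -> None:
        # Feed this only from verified sources, e.g. connections that
        # completed the three-way handshake in the conntrack table.
        self.table[src_ip] = infer_hop_count(ttl)

    def inspect_window(self, syn_packets):
        """Return (attack_suspected, counts) for one window of (src_ip, ttl)."""
        if len(syn_packets) <= self.syn_threshold:
            return False, Counter()          # no traffic anomaly: do not filter
        counts = Counter()
        for src_ip, ttl in syn_packets:
            expected = self.table.get(src_ip)
            if expected is None:
                counts["unverifiable"] += 1  # no history; needs other checks
            elif infer_hop_count(ttl) == expected:
                counts["consistent"] += 1
            else:
                counts["spoofed"] += 1       # hop count disagrees with history
        return True, counts

# Constructed sample data, not captured traffic.
VERIFIED_FLOWS = [("10.0.0.5", 59), ("192.0.2.10", 118), ("198.51.100.7", 243)]
SYN_WINDOW = [("10.0.0.5", 59), ("10.0.0.5", 122), ("192.0.2.10", 118),
              ("198.51.100.7", 50), ("203.0.113.9", 60)]

def run_demo():
    hcf = HopCountFilter(syn_threshold=3)
    for ip, ttl in VERIFIED_FLOWS:
        hcf.learn(ip, ttl)
    return hcf.inspect_window(SYN_WINDOW)

if __name__ == "__main__":
    print(run_demo())
```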

【Keywords (translated)】 DDoS attack; TCP SYN Flood attack; time to live (TTL); hop count; firewall
【Key words】 DDoS attack; TCP SYN Flood attack; TTL; hops; firewall
  • 【Classification number】 TP393.08
  • 【Citation count】 3
  • 【Download count】 165