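An Analysis of Distributed Denial-of-Service Attacks

【Author】 An Chengfa (安呈法)

【Advisors】 Yang Jing (杨静); Sun Zhizhong (孙志忠)

【Author information】 Shandong University, Computer Technology, 2006, Master's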

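【Summary】 With the continuous development of network technology, network security has become a very important topic. As a means of network attack, denial of service (DoS) has become increasingly rampant on the Internet in recent years. The distributed denial-of-service (DDoS) attack is a completely new form of DoS attack that has emerged in recent years. Because of its distributed nature, a DDoS attack has more attack resources than a traditional DoS attack, has greater destructive power, and is harder to defend against. DDoS attacks already pose a great threat to Internet security and have become a hot research topic in the network security community. This thesis first briefly reviews the current state of network security and discusses the major network security threats today, as well as the security vulnerabilities in the Internet's foundational protocols, TCP/IP. In particular, it describes the techniques that use these vulnerabilities for network spoofing and attacks. It then dissects the attack mechanism of DDoS attacks in detail, divides the network models of DDoS attacks, and, according to the attack method, conducts a comprehensive and in-depth classification study of existing DDoS attack techniques. Next, the thesis comprehensively studies, compares and evaluates existing defensive measures. Finally, it introduces the SYN flood attack, which harms TCP services, analyzes in detail SYN cookies, a mechanism that effectively defends against SYN flood attacks, and describes its implementation in the Linux kernel. From this it can be seen that this attack, which uses resource consumption as its means, can under present conditions be launched regardless of whether the system has vulnerabilities, so it cannot be prevented by patching; moreover, traditional defenses involve too much manual intervention and cannot respond to attacks in time. To address this shortcoming of SYN cookies, and based on the NetFilter framework of the Linux kernel, packet flow rate monitoring is implemented at the kernel IP layer, and on that basis a mechanism for automatically enabling SYN cookies is built: SYN cookies are turned on only when a SYN flood attack occurs and turned off promptly once the attack ends, which effectively reduces the negative impact of SYN cookies on normal service.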

【Abstract】 With the development of network technology, network security has become a very important subject. As an Internet attack method, the Denial of Service (DoS) attack has greatly endangered the Internet recently. The Distributed Denial of Service (DDoS) attack is a newly developed attack type that extends the Denial of Service (DoS) attack. Due to their distributed nature, DDoS attacks command more attack resources and have greater destructive power, so they are very difficult to defend against. DDoS attacks pose a great threat to Internet security, and research on them has become a hot topic in the network security field. This paper first briefly reviews the history and present situation of network security, the current threats on the network, and the security problems in the TCP/IP protocols, especially the spoofing and attack methods that exploit the weaknesses of TCP/IP. Second, it analyzes the attack mechanism of DDoS attacks in detail and classifies DDoS attack techniques according to their attack methods. Then it studies, compares and evaluates the existing countermeasures in detail. Finally, it analyzes the SYN flood attack, which harms all kinds of TCP services, and introduces a defense method, SYN cookies, in detail. In the course of the research, we find that SYN flood uses resource consumption as its means of attack and that, under current protocol conditions, the attack can always be carried out whether or not the operating system has vulnerabilities. So the defense cannot be achieved by patching the operating system. In addition, traditional detection and defense tactics require too much manual intervention, and therefore cannot respond to attacks in time. To address the shortcoming of SYN cookies, we design a mechanism for automatically enabling and disabling SYN cookies. SYN cookies are enabled only when DDoS attacks happen and are disabled promptly when the attacks are over. Thus, this effectively reduces the adverse effect on normal service.

【Key words】 Security; DDoS; TCP flooding; Linux; SYN cookies
  • 【Online publication contributor】 Shandong University
  • 【Online publication issue】 2006, No. 12
  • 【Classification number】 TP393.08
  • 【Times cited】 4
  • 【Downloads】 216