
Implementing SYN Flood Defense on a Router Using the SYN Cookie Principle

【Author】 刘艳

【Advisor】 陈雷霆

【Author information】 University of Electronic Science and Technology of China (电子科技大学), Information Security, 2007, Master's thesis

【Abstract (Chinese)】 Distributed Denial of Service (DDoS) attacks are currently one of the most serious security problems on the Internet. The large number of insecure machines on the Internet, the wide availability of automated DDoS attack tools, and attackers' habitual use of spoofed IP addresses make DDoS attacks very hard to defend against and to trace. Most DDoS attacks today are carried out over the TCP protocol, mainly as TCP flood attacks. Research on DDoS and SYN Flood attacks has become a hot topic in information security, and vendors at home and abroad, such as Cisco, Huawei, 黑洞 and 金盾, have developed dedicated countermeasure products. To detect and defend against DDoS well enough to fully secure a system, however, the characteristics of DDoS attacks must be studied in depth and targeted solutions proposed. After a thorough study of DDoS attack mechanisms, attack methods, attack amplification techniques and the existing defense and traceback methods, this thesis proposes a defense scheme against current DDoS attacks based on the SYN Cookie mechanism. The main purpose of a SYN Flood attack is to send a large number of SYN requests that exhaust the server's CPU and memory and bring it down, so the scheme starts from conserving resources: the router acts as a proxy for the SYN requests sent by clients. If a request is found to be illegitimate, that is, it never answers with an ACK segment, the connection is dropped directly and is not forwarded to the server; if an ACK segment does come back, the connection is valid and can be established with the server through the router. Because the router applies the SYN Cookie principle, it does not allocate significant resources to SYN requests and only needs to keep a very small amount of data. The thesis chooses Netfilter as the main implementation framework and uses the connection tracking module and the IP Inspect function to obtain the relevant packet information and process packets appropriately. Finally, the proposed scheme is analysed theoretically and tested in simulation experiments; the results show that the SYN Cookie based anti-DDoS scheme is effective and feasible.

【Abstract】 Distributed Denial of Service (DDoS) attacks are becoming one of the most severe security issues on the Internet. Several factors, such as the existence of a large number of insecure machines, the broad availability of automated DDoS tools and the use of spoofed IP addresses, make DDoS attacks quite difficult to defend against and to trace. Currently most DDoS attacks are implemented over TCP and use TCP floods to achieve their purpose. Research on DDoS and SYN Flood attacks has become an active area in the information security community, and commercial companies such as Cisco, Huawei and others have already developed dedicated products. However, in order to detect and prevent DDoS and thus protect the security of systems, we have to investigate the properties of DDoS in depth so that we can propose specific solutions. In this thesis, we investigate the mechanisms, methods and techniques of DDoS as well as the current defense and tracing strategies against it. We then propose a SYN Cookie based defense scheme for current DDoS attacks. The primary goal of a SYN Flood attack is to send a high volume of SYN requests that eat up the server's CPU and memory and cause a breakdown; our approach therefore starts with saving resources. The router handles the SYN requests sent by clients as a proxy: if a request turns out to be illegitimate, in that no ACK segment ever comes back, it is dropped without being passed to the server; otherwise it is an active connection and is allowed to connect to the server through the router. Since the router applies the SYN Cookie principle, it does not allocate excessive resources to SYN requests. Choosing Netfilter as the primary implementation framework, we leverage the connection tracking module and the IP Inspect functionality to obtain the relevant segment information and do the appropriate processing.
Theoretical analysis and simulated experiments show that the SYN Cookie based mechanism is able to prevent DDoS attacks effectively and efficiently.
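The stateless SYN proxy the abstract describes, as an added example that is not the thesis's own code or its Netfilter implementation: the router answers each SYN with a SYN-ACK whose initial sequence number is a keyed cookie, keeps no per-SYN state, and relays only a returning ACK whose cookie verifies. The bit layout, the MSS table, the 64-second counter and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed MSS table: the cookie only has a 2-bit index for it, so the MSS is rounded down.
MSS_TABLE = (536, 1220, 1460, 4312)
COUNTER_PERIOD = 64  # seconds per counter tick; a cookie is honoured for the current and previous tick

class SynCookieProxy:
    """Stateless SYN proxy: every SYN is answered with a SYN-ACK whose ISN is a cookie,
    nothing is stored, and only an ACK carrying a valid cookie is relayed to the server."""

    def __init__(self, secret=None, clock=time.time):
        self.secret = secret or os.urandom(32)  # per-router key, never shared with the server
        self.clock = clock  # injectable for deterministic tests

    def _count(self):
        return int(self.clock()) // COUNTER_PERIOD

    def _mac(self, saddr, daddr, sport, dport, client_isn, count):
        msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, count & 0xFFFFFFFF)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]  # 24-bit tag

    def mint(self, saddr, daddr, sport, dport, client_isn, mss):
        """ISN for the proxy's SYN-ACK: bits 31..26 counter, 25..24 MSS index, 23..0 MAC."""
        count = self._count()
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        mac = int.from_bytes(self._mac(saddr, daddr, sport, dport, client_isn, count), "big")
        return ((count & 0x3F) << 26) | (mss_idx << 24) | mac

    def validate(self, saddr, daddr, sport, dport, seq, ack):
        """Check a client's ACK; return the negotiated MSS, or None if the cookie is bad or stale."""
        client_isn = (seq - 1) & 0xFFFFFFFF  # the client echoes its own ISN + 1
        cookie = (ack - 1) & 0xFFFFFFFF      # and our SYN-ACK ISN + 1
        now = self._count()
        for count in (now, now - 1):  # tolerate one tick of RTT / clock skew
            if (count & 0x3F) != cookie >> 26:
                continue
            expected = self._mac(saddr, daddr, sport, dport, client_isn, count)
            if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
                return MSS_TABLE[(cookie >> 24) & 0x3]
        return None

def handshake_demo(proxy, c_addr=b"\xc0\xa8\x01\x0a", s_addr=b"\x0a\x00\x00\x05"):
    """Constructed exchange: client SYN -> proxy cookie SYN-ACK -> client ACK, plus a forged ACK."""
    client_isn = 0x12345678
    cookie = proxy.mint(c_addr, s_addr, 40000, 80, client_isn, 1460)
    legit = proxy.validate(c_addr, s_addr, 40000, 80, client_isn + 1, cookie + 1)
    forged = proxy.validate(c_addr, s_addr, 40000, 80, client_isn + 1, (cookie ^ 1) + 1)
    return legit, forged  # -> (1460, None)
```

A flood of spoofed SYNs costs the router one HMAC per packet and no memory, which is the resource saving the scheme relies on; only the ACK that completes the handshake triggers the real connection to the server.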

【Keywords (Chinese)】 DDoS attack; SYN Cookie; router; Netfilter framework; SYN Flood attack
【Key words】 DDoS; SYN Cookie; Router; Netfilter Frame; SYN Flood
  • 【Classification code】 TP393.08
  • 【Downloads】 141