
Research on the Defense Method of DDoS Attacks (original Chinese title: DDoS攻击的防御方法研究)

【Author】 嵇海进

【Supervisor】 蔡明

【Author information】 江南大学, Computer Application Technology, 2008, Master's degree

【Abstract (translated from the Chinese)】 Distributed denial of service (DDoS) attacks are the most destructive form of attack in the Internet environment. They exploit flaws in the TCP/IP protocols and the finite nature of network bandwidth, maliciously sending large numbers of connection requests or useless packets to the target, thereby consuming the victim's bandwidth so that it can no longer respond to requests from other legitimate users. At the application layer, as network bandwidth grows and network applications develop, the computational load of the application layer gradually exceeds that of the network layer, and DDoS attack strategies show a trend of shifting from the network layer to the application layer. This thesis first studies the principles, attack techniques and typical tools of network-layer DDoS attacks, and introduces the principles, characteristics and two attack types of the newly emerging application-layer DDoS attack (App-DDoS, Application Layer DDoS). It then surveys and summarizes the current state of research on detection and defense methods for network-layer and application-layer DDoS. On this basis, from the perspective of the ISP (Internet Service Provider) domain, a DDoS defense method based on the ISP network is proposed. First, in terms of feasibility, the scheme is implemented within the ISP network, which makes it easy to manage; little additional equipment is required, so deployment is feasible. Second, in terms of attack detection, it can identify DDoS attack flows at the moment an attack is launched, with a high detection rate and fast response. Third, in terms of defense, it keeps network traffic within its normal range while controlling the attack flows and preserving the survival rate of legitimate packets as far as possible. Finally, experiments demonstrate the effectiveness of the scheme. For the behavioral characteristics of the new App-DDoS attacks, a credit-based App-DDoS defense method is proposed. The method statistically analyzes the data distribution of normal users in two respects, the rate and the workload of service requests, and uses this as the basis for determining session credit. A scheduling policy then defends against the attack according to the session credit. Experimental results show that the method can defend against App-DDoS attacks quickly and effectively. Finally, directions for future work are identified.

【Abstract】 Distributed denial of service (DDoS) attack is the most destructive attacking means on the Internet. This kind of attack sends a large number of connection requests or useless packets to the attacked victim, exploiting the flaws of TCP/IP and the limitation of network bandwidth resources. These illegal packets take up the victim's system resources and bandwidth, thus making the victim unable to respond to other clients' normal requests. On the application layer, with the increase of network bandwidth and the development of network applications, the computational complexity of the application layer gradually exceeds that of the network layer. The trend in the attackers' strategy is shifting from the network layer to the application layer. First, the principle and means of network-layer DDoS attacks are analyzed, and several kinds of network-layer DDoS attacks are discussed; meanwhile, the principle, characteristics and two kinds of App-DDoS (application layer DDoS) attacks are discussed. Then, the current state of research on detection and defense technology for the network layer and the application layer is studied. Subsequently, from the view of the ISP (Internet Service Provider) domain, a defense scheme against DDoS attacks based on ISP networks is put forward. First, the scheme is grounded in the ISP domain, so it is convenient to manage; only a few network devices are needed, which makes it feasible in deployment. Second, from the view of detection, DDoS attacks can be identified by the scheme at the moment they are launched, so the scheme can respond to a DDoS attack quickly and has a high detection ratio. At last, from the view of defense, the scheme can control network traffic within the normal range while keeping the survival rate of normal packets as high as possible. The feasibility of the scheme is validated through a simulated test.
For the newly emerging App-DDoS attack, the thesis discusses the characteristics of the attack behavior and presents a defense scheme for App-DDoS attacks based on credit probability. The scheme employs statistical analysis of data from normal users to find the probability distributions of normal behavior in terms of the rate and workload of request data. These probability distributions are the evidence for setting the credit probability of sessions, and the scheduling policies realize the defense against attacks based on the credit probability of sessions. The experimental results show the effectiveness of the scheme in defending against App-DDoS attacks. Finally, future research work is presented.
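The abstract describes the App-DDoS defense only in outline: learn the distribution of request rate and request workload from normal users, derive a per-session credit from it, and let the scheduler serve sessions according to that credit. The following is an added illustration of that idea, not code from the thesis or its author. The credit rule (the product of smoothed empirical upper-tail probabilities for rate and workload), the normal-user sample and the session mix are all constructed assumptions chosen to show the mechanism; the thesis's actual statistics and scheduling policy are not on this page.

```python
"""Session-credit scheduling against application-layer DDoS.

Added illustration, not code from the thesis: each session gets a credit in
(0, 1] from how far its request rate and per-request workload sit in the upper
tail of a constructed 'normal user' profile, and a scheduler spends limited
server capacity on sessions in descending credit order, so that under overload
the sessions that look least like normal users are the ones that get starved.
"""
from bisect import bisect_left
from dataclasses import dataclass


@dataclass
class Session:
    sid: str
    rate: float      # requests per second observed for this session
    workload: float  # mean server cost per request, in arbitrary cost units


class NormalProfile:
    """Empirical upper-tail model of request rate and workload for normal users."""

    def __init__(self, rates, workloads):
        self.rates = sorted(rates)
        self.workloads = sorted(workloads)

    @staticmethod
    def _upper_tail(sorted_values, x):
        # Smoothed fraction of normal observations that are >= x.  A value at or
        # below the normal minimum scores 1.0; a value above everything normal
        # users produced scores 1/(n+1) rather than 0, so no session is starved
        # forever on the strength of a single extreme observation.
        n = len(sorted_values)
        at_least = n - bisect_left(sorted_values, x)   # count of values >= x
        return (at_least + 1) / (n + 1)

    def credit(self, s):
        # Assumed combination rule: a session must look normal in BOTH rate and
        # workload, so the two tail probabilities are multiplied.  A flood of
        # cheap requests and a trickle of very expensive ones both score low.
        return (self._upper_tail(self.rates, s.rate)
                * self._upper_tail(self.workloads, s.workload))


def schedule(profile, sessions, capacity):
    """Grant `capacity` cost units per second, highest-credit sessions first.

    Returns {sid: fraction of the session's demand that was served}.
    """
    ranked = sorted(sessions, key=profile.credit, reverse=True)
    served, remaining = {}, capacity
    for s in ranked:
        demand = s.rate * s.workload            # cost this session asks for
        granted = min(demand, remaining)
        served[s.sid] = granted / demand if demand > 0 else 1.0
        remaining -= granted
    return served


# Constructed sample of ten normal sessions (rate, workload); in practice this
# would be learned from traffic measured when no attack is under way.
NORMAL_RATES = [0.5, 0.8, 1.0, 1.2, 1.5, 2.0, 2.5, 3.0, 4.0, 5.0]
NORMAL_WORKLOADS = [1, 1, 2, 2, 3, 3, 4, 5, 6, 8]
PROFILE = NormalProfile(NORMAL_RATES, NORMAL_WORKLOADS)

# Constructed mix: two ordinary users, one high-rate flooder and one session
# that sends few requests but each is far more expensive than normal.
SESSIONS = [
    Session("alice", rate=1.0, workload=2),
    Session("bob", rate=3.0, workload=4),
    Session("bot-1", rate=50.0, workload=3),
    Session("bot-2", rate=2.0, workload=40),
]


def demo(capacity=20.0):
    """Run the scheduler on the constructed mix and return the service fractions."""
    return schedule(PROFILE, SESSIONS, capacity)


if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.sid:6s} credit={PROFILE.credit(s):.3f}")
    print(demo())
```

With 20 cost units of capacity against a combined demand of 244, both ordinary sessions are served in full while the flooder receives a sliver and the expensive-request session nothing, which is the survival-of-normal-traffic property the abstract claims. Two dimensions are deliberately kept separate: a rate-only model would miss the second bot, whose request rate is perfectly ordinary.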

  • 【Online publication contributor】 江南大学
  • 【Online publication year and issue】 2009, issue 03