本文選題：分布式拒絕服務攻擊 + 應用層��； 參考：《天津大學》2014年碩士論文

【摘要】：在科技飛速發(fā)展的今天,WEB網(wǎng)站中的應用愈加豐富,給人們的生活帶來極大的便利。與此同時,網(wǎng)絡協(xié)議存在的缺陷使得網(wǎng)絡安全問題也越來越突出。在應用層中,客戶端只需要發(fā)出少量請求就可以大大消耗服務器資源。針對WEB網(wǎng)站的應用層分布式拒絕服務(APP-DDOS)攻擊正是利用了這一弱點。在網(wǎng)站面臨的安全威脅中,APP-DDOS攻擊所占的比重越來越大,也愈加難以防御。因此,有效檢測APP-DDOS攻擊并加以控制、過濾,對于保護網(wǎng)站安全有著重要的意義。在分析和研究國內(nèi)外APP-DDOS防御技術(shù)的基礎上,本文設計并實現(xiàn)了一個網(wǎng)站安全防御平臺。該平臺可以有效控制和防御APP-DDOS攻擊,同時又留出接口應對網(wǎng)頁篡改、注入攻擊等安全威脅,以便更好地整合網(wǎng)站防御方法、提升平臺的防御能力。該平臺使用了三種關(guān)鍵技術(shù):URL動態(tài)映射方法、積分支付策略和激勵機制以實現(xiàn)對APP-DDOS的防御。URL動態(tài)映射方法從隱藏服務器真正的資源地址的角度出發(fā),對客戶端每次請求的資源地址進行動態(tài)映射,只有在映射地址匹配數(shù)據(jù)庫記錄時才會獲得后端WEB服務器的響應。同時,映射地址無法被暴力破解,使攻擊者無法準確定位攻擊目標而造成拒絕服務。積分支付策略是對黑白名單法的改進,提出積分和服務價格概念來衡量服務器資源狀況;當遭受攻擊時,可以最小化白名單用戶的訪問延遲,同時減輕URL動態(tài)映射方法的計算負擔。激勵機制基于圖靈測試的思想,讓新用戶進行一系列的相關(guān)操作證明用戶是正常用戶,減少新的正常用戶獲得服務的延遲。論文最后搭建了實驗環(huán)境,對所設計和實現(xiàn)的網(wǎng)站安全防御平臺進行了模擬實驗。實驗結(jié)果表明,防御平臺對APP-DDOS攻擊有著良好的防御效果。
[Abstract]:With the rapid development of science and technology, the application of Web website is becoming more and more abundant, which brings great convenience to people's life. At the same time, the defects of network protocol make network security more and more prominent. In the application layer, the client needs to make a small number of requests to greatly consume server resources. The application layer distributed denial-of-service (APP-DDOS) attack against WEB sites exploits this weakness. APP-DDOS attacks are becoming more and more difficult to defend against. Therefore, it is of great significance to detect, control and filter APP-DDOS attacks effectively. Based on the analysis and research of APP-DDOS defense technology at home and abroad, this paper designs and implements a website security defense platform. The platform can effectively control and defend against APP-DDOS attacks, and at the same time set aside an interface to deal with security threats such as web page tampering and injection attacks, so as to better integrate the methods of web defense and enhance the platform's defense capability. The platform uses three key techniques: URL dynamic mapping method, integral payment strategy and incentive mechanism to implement the defense. URL dynamic mapping of APP-DDOS from the point of view of hiding the real resource address of the server. The resource address requested by the client is dynamically mapped. Only when the mapping address matches the database record, the response of the back-end WEB server will be obtained. At the same time, the mapping address can not be brutally cracked, which makes the attacker unable to locate the target accurately, resulting in denial of service. The integral payment strategy is an improvement to the black-and-white list method. The concepts of points and service prices are proposed to measure server resource status. When attacked, whitelist users can be minimized access latency. At the same time, the computational burden of URL dynamic mapping method is reduced. Based on the idea of Turing test, the incentive mechanism allows the new user to perform a series of related operations to prove that the user is a normal user, and to reduce the delay for the new normal user to obtain the service. At the end of the paper, the experimental environment is built, and the designed and implemented website security defense platform is simulated. Experimental results show that the defense platform has a good defense against APP-DDOS attacks.
【學位授予單位】：天津大學
【學位級別】：碩士
【學位授予年份】：2014
【分類號】：TP393.092

【參考文獻】

相關(guān)期刊論文 前3條

1 趙國鋒;喻守成;文晟;;基于用戶行為分析的應用層DDoS攻擊檢測方法[J];計算機應用研究;2011年02期

2 肖軍;云曉春;張永錚;;基于會話異常度模型的應用層分布式拒絕服務攻擊過濾[J];計算機學報;2010年09期

3 嵇海進;蔡明;;基于可信度的應用層DDoS攻擊防御方法[J];計算機工程與設計;2007年19期

相關(guān)博士學位論文 前1條

1 徐川;應用層DDoS攻擊檢測算法研究及實現(xiàn)[D];重慶大學;2012年

相關(guān)碩士學位論文 前8條

1 簡校榮;基于歷史IP過濾的防御實驗系統(tǒng)研究與實現(xiàn)[D];華南理工大學;2013年

2 徐琳;應用層DDoS攻擊防御與檢測方法[D];上海交通大學;2013年

3 袁曉輝;IP Spoofing防御實驗平臺的設計與實現(xiàn)[D];華南理工大學;2012年

4 陸興舟;一種針對大規(guī)模網(wǎng)絡關(guān)鍵服務的DDoS反制方案[D];華東師范大學;2012年

5 趙利明;基于路由協(xié)作的DdoS檢測與防御研究[D];東北大學;2011年

6 王文龍;分布式拒絕服務攻擊及追蹤源研究[D];成都理工大學;2011年

7 田正先;基于網(wǎng)絡效用最大化的DDoS攻擊主動防御機制研究[D];華中科技大學;2011年

8 張光;網(wǎng)絡攻擊與防御仿真平臺的設計與實現(xiàn)[D];西安電子科技大學;2005年

，

本文編號：1875453