本文選題：分布式反射拒絕服務(wù)攻擊 + 分片采樣��； 參考：《華東師范大學(xué)》2016年碩士論文

【摘要】：隨著互聯(lián)網(wǎng)產(chǎn)業(yè)的迅猛發(fā)展,網(wǎng)絡(luò)規(guī)模迅速擴(kuò)大,安全問題變得日益嚴(yán)峻,由于網(wǎng)絡(luò)技術(shù)還不夠完善,便使得企業(yè)乃至國(guó)家面臨嚴(yán)重的網(wǎng)絡(luò)威脅。其中分布式拒絕服務(wù)攻擊是主要的威脅之一,它可以借助多個(gè)計(jì)算機(jī)分布式地向一個(gè)或多個(gè)目標(biāo)發(fā)動(dòng)攻擊,通過請(qǐng)求占用大量的網(wǎng)絡(luò)資源,使服務(wù)器、網(wǎng)絡(luò)造成癱瘓。由于攻擊源地址可進(jìn)行偽造,使得對(duì)于攻擊源的追溯增加了難度,而分布式反射拒絕服務(wù)攻擊(DRDoS)則更隱蔽,它偽造了源地址,利用一些網(wǎng)絡(luò)協(xié)議,通過服務(wù)器間接地向被攻擊點(diǎn)發(fā)動(dòng)攻擊,造成大多數(shù)追溯方案無(wú)法有效地對(duì)攻擊源進(jìn)行追蹤。本文著重對(duì)分布式反射拒絕服務(wù)攻擊(DRDoS)溯源問題進(jìn)行研究。溯源技術(shù)主要可分為五類,入口過濾、鏈路測(cè)試、日志記錄、ICMP追溯以及包標(biāo)記法等。本文提出的算法是以動(dòng)態(tài)概率包標(biāo)記技術(shù)為基礎(chǔ)的,每個(gè)中間節(jié)點(diǎn)路由器利用ttl域計(jì)算標(biāo)記概率,使得標(biāo)記信息以相同的概率被受害者接收；盡可能地利用可用的標(biāo)記空間,將標(biāo)記信息以四分片采樣的形式存儲(chǔ)在標(biāo)記域中,減少了所需的標(biāo)記包數(shù)；通過構(gòu)造相鄰IP分片的哈希值的關(guān)系,從而降低了重構(gòu)算法的復(fù)雜度,改善了重構(gòu)準(zhǔn)確性；增加了一位標(biāo)記覆蓋位,解決了路由標(biāo)記信息的覆蓋問題；為了使反射節(jié)點(diǎn)高效地存儲(chǔ)復(fù)制轉(zhuǎn)發(fā)標(biāo)記信息,采用了改進(jìn)后的Bloom Filter存儲(chǔ)結(jié)構(gòu),同時(shí)在每個(gè)路由節(jié)點(diǎn)設(shè)計(jì)了相應(yīng)的標(biāo)記策略,主要分為中間路由標(biāo)記算法、反射點(diǎn)標(biāo)記算法以及重構(gòu)算法。相比于其他的追溯方法,該算法在重構(gòu)攻擊路徑過程中無(wú)需事先掌握網(wǎng)絡(luò)拓?fù)浣Y(jié)構(gòu),具有較強(qiáng)的適用性。本文通過理論證明,同時(shí)在OMNeT++環(huán)境下進(jìn)行仿真實(shí)驗(yàn),驗(yàn)證了該方法能夠有效地應(yīng)用在DRDoS攻擊溯源中。
[Abstract]:With the rapid development of the Internet industry, the scale of the network expands rapidly, and the security problem becomes more and more serious. Because the network technology is not perfect enough, the enterprises and even the country are faced with the serious network threat. Distributed denial of service (DDoS) attack is one of the main threats. It can attack one or more targets with the aid of multiple computers. It takes up a large amount of network resources through request and paralyzes the server and network. Since the address of the attack source can be forged, it makes it more difficult to trace the attack source, while the distributed reflection denial of service attack (DRDoS) is more hidden. It forges the source address and uses some network protocols. The most traceability schemes are unable to trace the attack source effectively because of the indirect attack on the point of attack through the server. This paper focuses on the traceability of distributed Reflection-of-Service (DDoS) attacks. Traceability technology can be divided into five categories: entry filtering, link testing, logging ICMP traceability and packet marking. The algorithm proposed in this paper is based on the dynamic probability packet marking technique. Each intermediate node router uses ttl domain to calculate the marking probability, so that the marking information is received by the victim with the same probability, and the available tag space is used as much as possible. The tag information is stored in the tag domain in the form of quadrilateral sampling, which reduces the number of tag packets, reduces the complexity of the reconstruction algorithm and improves the accuracy of the reconstruction by constructing the relationship between the hash values of the adjacent IP fragments. A bit tag overlay bit is added to solve the overlay problem of routing label information. In order to make the reflection node store the duplicate and forward tag information efficiently, the improved Bloom Filter storage structure is adopted. At the same time, a corresponding marking strategy is designed for each routing node, which is mainly divided into intermediate routing marking algorithm, reflection point marking algorithm and reconstruction algorithm. Compared with other traceability methods, the proposed algorithm does not need to master the network topology in the process of reconstructing the attack path, so it has strong applicability. In this paper, it is proved theoretically that the proposed method can be effectively applied to the traceability of DRDoS attack in OMNeT environment.
【學(xué)位授予單位】：華東師范大學(xué)
【學(xué)位級(jí)別】：碩士
【學(xué)位授予年份】：2016
【分類號(hào)】：TP393.08

【相似文獻(xiàn)】

相關(guān)碩士學(xué)位論文 前1條

1 楊洋;基于包標(biāo)記的DRDoS攻擊溯源的研究與算法實(shí)現(xiàn)[D];華東師范大學(xué);2016年

，

本文編號(hào)：1892357