Research on Backward-Compatible Methods for Defending Against Cache Poisoning Attacks
Topic of this thesis: man-in-the-middle attacks + cache poisoning attacks; Reference: Huazhong University of Science and Technology, 2014 doctoral dissertation
【Abstract】: With the progress of science and technology, computer science has permeated every area of people's lives, and the demand for computer networks grows ever stronger. The birth of the Internet interconnected thousands of networks around the world. But all kinds of hardware, software, data and information are shared over the network, and this leads to serious security problems.

Today, man-in-the-middle attacks remain one of the major threats to computer network resources. Such an attack typically masquerades as a legitimate user's host in order to deceive other hosts. If a device can successfully impersonate another host, it can intercept, read, modify or destroy legitimate information before it reaches the target device.

ARP cache poisoning is one means of deceiving network hosts. It exploits the fact that, in the ARP protocol, IP addresses must be translated into physical (MAC) addresses. ARP is a stateless protocol, which means that it accepts a reply even when no request was sent. An attacker who wants to obtain the target host's traffic can send the requesting host forged ARP replies that match any chosen IP address. A host that accepts these forged ARP replies cannot tell whether they are legitimate, and therefore sends its packets to the attacker's MAC address.

On the other hand, an attacker using DNS cache poisoning techniques can inject forged data into a DNS server's cache in order to manipulate resolution data, making the target unreachable or redirecting information to a wrong address; this is also considered a major threat to today's Internet users.

Many schemes have been proposed to solve the ARP and DNS cache poisoning problem, but so far none of them has been deployed at scale. The main reason is that these schemes are not backward compatible: they involve cryptography, which requires major modifications to the traditional ARP/DNS protocols and adds considerable complexity. Manual cleanup of poisoned caches by administrators obviously imposes enormous overhead and burden. Dynamic detection methods can also be used to manage cache poisoning, but they produce too many false alarms, leaving network administrators unable to act on them.

To this end, this dissertation proposes solutions to the insecurity caused by cache spoofing in the ARP and DNS protocols.

The first solution focuses on designing a protection method that improves the security of DNS servers. The scheme is called Adaptive Caching DNS (ACDNS). It relies on the caching mechanism to block such attacks, because I found that adjusting the cache's storage policy both improves security and improves network access efficiency. ACDNS is designed to be compatible with the current DNS standard and fits entirely within the basic protocol flow and infrastructure. My method merely adds a delay before a received DNS response is stored in the cache, forming a new caching interval. That is, when a new mapping needs to be stored, ACDNS waits until the new caching interval has elapsed; if another DNS response with the same TXID arrives during this period, ACDNS discards these packets and must then send a new query carrying a different TXID. A performance comparison of ACDNS and DNS shows that the scheme fully protects domain name resolvers against cache poisoning attacks. Moreover, the latency distribution of ACDNS is very close to that of ordinary DNS query resolution. The original DNS query process is fully compatible with ACDNS, so my scheme can be deployed quickly and the improvement can be implemented on any single DNS server, since ACDNS requires no major modification (at any layer) of the current DNS infrastructure.
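The ACDNS caching interval described above, as an added example that is not the dissertation's code: a small Python model of a resolver cache that holds each answer for a delay window, commits it only if no second answer with the same TXID arrives in that window, and otherwise discards the whole exchange and re-queries under a fresh TXID. The delay value, the class and method names and all addresses are constructed for the example.

```python
import random

class ACDNSCache:
    """Resolver cache with ACDNS-style delayed commit (constructed model, not the thesis code)."""
    def __init__(self, delay, rng=None):
        self.delay = delay              # caching interval added before any answer is stored
        self.rng = rng or random.Random()
        self.cache = {}                 # qname -> rdata, written only after the window closes
        self.pending = {}               # txid -> {"qname", "deadline", "answers"}
        self.requeries = []             # (discarded_txid, replacement_txid), for auditing

    def send_query(self, qname, now):
        txid = self.rng.randrange(1 << 16)
        while txid in self.pending:     # TXIDs in flight must stay unique
            txid = self.rng.randrange(1 << 16)
        self.pending[txid] = {"qname": qname, "deadline": now + self.delay, "answers": []}
        return txid

    def on_response(self, txid, qname, rdata, now):
        p = self.pending.get(txid)
        if p is None or p["qname"] != qname:
            return "ignored"            # unsolicited or mismatched: plain DNS drops these too
        p["answers"].append(rdata)
        if len(p["answers"]) == 1:
            return "held"               # first answer: hold it until the window closes
        # Second answer for one TXID inside the window: one of them is forged, so drop the
        # whole exchange and ask again under a fresh TXID (chosen while the old one is still pending).
        self.requeries.append((txid, self.send_query(qname, now)))
        del self.pending[txid]
        return "conflict"

    def tick(self, now):
        # Commit pending answers whose caching interval elapsed without a challenger.
        committed = []
        for txid, p in list(self.pending.items()):
            if now >= p["deadline"] and p["answers"]:
                self.cache[p["qname"]] = p["answers"][0]
                del self.pending[txid]
                committed.append(p["qname"])
        return committed

def demo():
    # Legitimate lookup, then a race with a forged answer (all addresses constructed).
    c = ACDNSCache(delay=0.5, rng=random.Random(7))
    t1 = c.send_query("example.test", now=0.0)
    c.on_response(t1, "example.test", "192.0.2.10", now=0.1)
    c.tick(now=0.6)                     # window closed with one answer -> cached
    t2 = c.send_query("bank.test", now=1.0)
    c.on_response(t2, "bank.test", "203.0.113.9", now=1.05)        # forged, TXID guessed
    status = c.on_response(t2, "bank.test", "192.0.2.20", now=1.2)  # genuine answer
    return {"cache": c, "txid": t2, "status": status}
```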
The second solution also aims to prevent DNS cache poisoning. It introduces a scheme called "GDR, preventing DNS cache poisoning attacks (GDNS)" for resolving domain names. GDNS is designed with two phases. The first phase is the GDNS gratuitous request (GDR) phase, in which GDNS must re-send the corresponding DNS query for every domain name still within its validity period in order to refresh its mapping. That is, recently cached DNS names are automatically re-queried (refreshing the cache records) to raise the cache hit rate for DNS queries. GDNS thus lets the zone server (ZS) cache hold up-to-date domain information for the zone, which reduces DNS resolution time and removes the need to send a DNS query to the authoritative top-level domain (TLD) servers for every DNS request. The second phase is cache timing: as in the ACDNS scheme, a delay is added before a received response is cached, for detecting and defending against DNS cache poisoning attacks. The GDR algorithm therefore offers two benefits. First, it provides an effective technique for near-optimal domain name resolution performance. Second, although a delay is added before a response is cached, GDR helps GDNS significantly in reducing resolution latency. Experimental results show that GDNS effectively prevents cache poisoning attacks while also greatly reducing domain name resolution latency, an important performance parameter of name resolution.

The third solution prevents ARP spoofing. A client/server-based intrusion detection system (CSIDS) is proposed to detect and defend against ARP spoofing attacks. The main idea is to monitor received ARP packets; when a suspicious ARP packet is found, the CSIDS systems on the same network exchange control information. This control information allows CSIDS to flag the malicious packet before the ARP cache is updated, or to send a reply packet to the sender. Every anomalous packet must be sent to the CSIDS server for inspection, and the CSIDS components on the network vote to decide whether the packet is genuine or forged and reply to the requester accordingly. To evaluate CSIDS's detection and prevention capability, I compared the performance of CSIDS and plain ARP; the results show that the CSIDS system is easy to implement and can be applied within a local area network to improve security.

The fourth solution provides a good and inexpensive scheme, called the Gratuitous Decision Packet System (GDPS), aimed at overcoming the insecurity of the ARP protocol, namely IP address spoofing. It strives for two main goals: (1) GDPS detects suspicious ARP packets by analysing ARP packets in real time; (2) it distinguishes legitimate from illegitimate hosts by sending modified ARP request packets. In this scheme I focus on ARP's communication mapping to improve the security of the ARP protocol. GDPS depends on sending a set of modified ARP requests and then computing the cost of the responses, that is, it uses the average response time and the number of ARP reply packets to tell a legitimate MAC address from an attacker's. The results show that the number of ARP reply packets sent by the attacker's machine is several times the number sent by the victim.

To analyse the security of the above two schemes, I extended the NS-2 framework to simulate all of the protocols and made various comparisons against normal ARP and DNS operation.

In summary, my schemes have many important advantages: (1) they effectively block common cache poisoning attacks; (2) they are backward compatible with the existing ARP and DNS standards; (3) they use no cryptography and have no single point of failure; (4) they can be applied easily at very low cost; (5) the GDNS method greatly reduces DNS resolution latency; (6) the third and fourth solutions work well in dynamic (DHCP) environments.
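An added example (not the dissertation's GDPS implementation) of the reply-cost analysis GDPS performs over one probe batch: replies are grouped per claimed IP and answering MAC, a MAC that answers far more often than once per probe is flagged, and the mean response time is reported alongside as the second cost signal. The reply records, the 1.5 replies-per-probe threshold and the function names are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed reply log for one GDPS probe batch of four "who has <ip>?" requests.
# An honest host answers each probe exactly once. Fields: probe_id, ip, mac, rtt_ms.
REPLIES = [
    (1, "10.0.0.5", "aa:aa:aa:aa:aa:01", 0.9), (2, "10.0.0.5", "aa:aa:aa:aa:aa:01", 1.1),
    (3, "10.0.0.5", "aa:aa:aa:aa:aa:01", 1.0), (4, "10.0.0.5", "aa:aa:aa:aa:aa:01", 0.8),
    (1, "10.0.0.5", "de:ad:be:ef:00:01", 0.3), (1, "10.0.0.5", "de:ad:be:ef:00:01", 0.3),
    (2, "10.0.0.5", "de:ad:be:ef:00:01", 0.2), (2, "10.0.0.5", "de:ad:be:ef:00:01", 0.4),
    (3, "10.0.0.5", "de:ad:be:ef:00:01", 0.3), (3, "10.0.0.5", "de:ad:be:ef:00:01", 0.3),
    (4, "10.0.0.5", "de:ad:be:ef:00:01", 0.2), (4, "10.0.0.5", "de:ad:be:ef:00:01", 0.3),
    (1, "10.0.0.7", "aa:aa:aa:aa:aa:02", 1.2), (2, "10.0.0.7", "aa:aa:aa:aa:aa:02", 1.0),
    (3, "10.0.0.7", "aa:aa:aa:aa:aa:02", 1.1), (4, "10.0.0.7", "aa:aa:aa:aa:aa:02", 1.3),
]

def score_batch(replies, probes):
    """Per (ip, mac): replies per probe and mean RTT, the two GDPS cost signals."""
    count = defaultdict(int)
    rtts = defaultdict(list)
    for _, ip, mac, rtt in replies:
        count[(ip, mac)] += 1
        rtts[(ip, mac)].append(rtt)
    return {k: (count[k] / probes, mean(rtts[k])) for k in count}

def classify(replies, probes, max_ratio=1.5):
    """Return {ip: {"flagged": [...], "normal": [...], "legit": mac or None}}.
    A MAC replying more than max_ratio times per probe is flagged (the thesis observes the
    attacker replying several times as often as the victim). Exactly one normal-rate
    claimant is taken as the legitimate owner; zero or several leave the IP unresolved."""
    verdicts = {}
    for (ip, mac), (ratio, _avg_rtt) in score_batch(replies, probes).items():
        v = verdicts.setdefault(ip, {"flagged": [], "normal": []})
        (v["flagged"] if ratio > max_ratio else v["normal"]).append(mac)
    for v in verdicts.values():
        v["legit"] = v["normal"][0] if len(v["normal"]) == 1 else None
    return verdicts
```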
【Degree-granting institution】: Huazhong University of Science and Technology
【Degree level】: Doctorate
【Year conferred】: 2014
【Classification number】: TP393.08
Article ID: 2089491
Article link: http://sikaile.net/guanlilunwen/ydhl/2089491.html