發(fā)布時間：2018-11-10 20:25

【摘要】：如今互聯(lián)網(wǎng)飛速發(fā)展,越來越多的事務(wù)需要互聯(lián)網(wǎng)來配合完成。隨著用戶需求的不斷提高,用戶逐漸側(cè)注重于網(wǎng)絡(luò)的安全性、穩(wěn)定性和傳輸有效性。簡單的在網(wǎng)絡(luò)上傳送報文信息已經(jīng)不能滿足用戶的需求,用戶希望網(wǎng)絡(luò)有著更好的安全保證能力和服務(wù)能力。如今層出不窮的網(wǎng)絡(luò)攻擊將網(wǎng)絡(luò)的性能極度惡化,尤其是分布式拒絕攻擊(DDoS),大量的網(wǎng)絡(luò)異常流量使得被攻擊者服務(wù)質(zhì)量明顯下降,甚至出現(xiàn)拒絕服務(wù)的情況,最終造成大量的損失。傳統(tǒng)的網(wǎng)絡(luò)安全技術(shù)研究重點主要放在入侵檢測、防火墻或者防病毒軟件上,但是這樣傳統(tǒng)的技術(shù)并不能減少網(wǎng)絡(luò)中存在的異常流量。本文旨在消除網(wǎng)絡(luò)中存在的異常流量,根本上降低用戶受到DDoS攻擊的可能,基于某司Comware平臺開發(fā)了可以部署在路由設(shè)備上的防DDoS攻擊系統(tǒng)。本文主要研究內(nèi)容是在Comware平臺上實現(xiàn)BGP技術(shù)和Flow-Spec技術(shù)的結(jié)合,同時對DDoS的攻擊原理、異常流量監(jiān)測算法和流量控制算法做了研究。監(jiān)測到異常流量后,路由設(shè)備可以根據(jù)由Flow-Spec技術(shù)定義的流量處理策略對異常流量進行控制,同時利用BGP技術(shù)在多臺建立了對等體關(guān)系的路由設(shè)備上部署流量處理策略,達到最大限度防御DDoS攻擊的效果。本文研究內(nèi)容如下:1、對DDoS攻擊進行了研究,包括攻擊的原理和步驟。針對SYN Flooding攻擊、UDP Flooding攻擊以及smurf攻擊的攻擊原理和過程做了詳細(xì)的分析。2、對相關(guān)算法進行了介紹和研究。包括用于監(jiān)測異常的CUSUM算法、由CUSUM算法改進的針對路由設(shè)備的M-CUSUM算法以及用于流量控制的令牌桶算法。3、詳細(xì)研究了系統(tǒng)實現(xiàn)所需要的關(guān)鍵技術(shù)。實現(xiàn)Flow-Spec技術(shù)和BGP技術(shù)的結(jié)合是本系統(tǒng)的一大特點。BGP技術(shù)可以將多臺路由設(shè)備組成對等體關(guān)系,利用對等體之間報文的交互實現(xiàn)流量處理策略在一臺路由設(shè)備上部署同時在多臺設(shè)備上應(yīng)用的功能。Flow-Spec技術(shù)規(guī)定了流量處理策略的具體組成,包括匹配規(guī)則和流量處理動作,同時規(guī)定了流量處理策略編碼實現(xiàn)過程中的具體細(xì)節(jié)。4、最終將相關(guān)算法和技術(shù)用于實際,開發(fā)和實現(xiàn)了防DDoS攻擊系統(tǒng)。在系統(tǒng)的整體開發(fā)中,流量監(jiān)測模塊用于異常流量的監(jiān)測,命令行終端模塊用于接收用戶配置數(shù)據(jù),Flow-Spec數(shù)據(jù)處理模塊用于數(shù)據(jù)的具體處理以及下發(fā)芯片,BGP模塊用于建立對等體關(guān)系實現(xiàn)流量處理策略在對等體中傳輸?shù)墓δ�。本系統(tǒng)在應(yīng)對DDoS攻擊方面有著高效、機動的特點,同時防護策略部署的過程簡單,最終達到的效果理想,因此有著很好的應(yīng)用前景。
[Abstract]:Nowadays, with the rapid development of the Internet, more and more affairs need the Internet to complete. With the increasing demand of users, users pay more attention to network security, stability and transmission efficiency. The simple transmission of message information on the network can no longer meet the needs of users, users hope that the network has a better security and service capabilities. Nowadays, the performance of the network is greatly deteriorated by the endless network attacks, especially the distributed denial of attack (DDoS),) with a large amount of network abnormal traffic, which makes the quality of service of the assailant decline obviously, and even results in the situation of denial of service. In the end, it caused a lot of damage. The traditional network security technology focuses on intrusion detection, firewall or antivirus software, but the traditional technology can not reduce the abnormal traffic in the network. The purpose of this paper is to eliminate the abnormal traffic in the network, and to reduce the possibility of users being attacked by DDoS. Based on the Comware platform of a department, a DDoS protection system can be deployed on the routing equipment is developed. The main research content of this paper is to realize the combination of BGP technology and Flow-Spec technology on Comware platform. At the same time, the attack principle of DDoS, abnormal traffic monitoring algorithm and traffic control algorithm are studied. After monitoring the abnormal traffic, the routing device can control the abnormal traffic according to the traffic handling strategy defined by Flow-Spec technology. At the same time, the BGP technology is used to deploy the traffic processing policy on several routing devices with peer-to-peer relationship. Achieve maximum defense against DDoS attacks. The main contents of this paper are as follows: 1. The DDoS attack is studied, including the principle and steps of the attack. The principle and process of SYN Flooding attack, UDP Flooding attack and smurf attack are analyzed in detail. 2. The related algorithms are introduced and studied. It includes the CUSUM algorithm for monitoring anomalies, the M-CUSUM algorithm for routing devices improved by CUSUM algorithm and the token bucket algorithm for traffic control. 3. The key technologies for system implementation are studied in detail. Realizing the combination of Flow-Spec technology and BGP technology is one of the major characteristics of the system. BGP technology can form a peer relationship between multiple routing devices. Using the exchange of packets between peers to realize the function of traffic processing policy deployed on one routing device and applied on multiple devices, the Flow-Spec technology specifies the specific composition of the traffic processing strategy. It includes matching rules and traffic processing actions, and specifies the specific details of the implementation process of traffic processing policy coding. 4. Finally, the relevant algorithms and techniques are used in practice to develop and implement the anti-attack system of DDoS. In the whole development of the system, the traffic monitoring module is used to monitor the abnormal traffic, the command line terminal module is used to receive the user configuration data, the Flow-Spec data processing module is used for the specific processing of the data and the sending chip. BGP module is used to establish peer relationship to realize the function of traffic processing policy transmission in peer. The system has the characteristics of high efficiency and maneuverability in dealing with DDoS attacks. At the same time, the process of deployment of protection strategy is simple and the result is ideal, so it has a good application prospect.
【學(xué)位授予單位】：杭州電子科技大學(xué)
【學(xué)位級別】：碩士
【學(xué)位授予年份】：2017
【分類號】：TP393.08

【參考文獻】

相關(guān)期刊論文 前10條

1 李博倫;王海棟;錢高冉;唐翔;高秀敏;;網(wǎng)絡(luò)流量監(jiān)管CAR技術(shù)研究[J];無線互聯(lián)科技;2016年16期

2 楊曉雪;;淺析邊界網(wǎng)關(guān)協(xié)議BGP[J];計算機光盤軟件與應(yīng)用;2014年01期

3 王東;;網(wǎng)絡(luò)鏈路冗余的設(shè)計與實現(xiàn)[J];電子測試;2013年11期

4 趙宇;趙富安;;流量清洗技術(shù)及其實現(xiàn)方式淺析[J];通信與信息技術(shù);2012年03期

5 黃卓君;;一種基于Flow-Spec的網(wǎng)絡(luò)異常流量防護策略[J];廣東通信技術(shù);2012年05期

6 姚林燕;;CLI中命令樹的設(shè)計和實現(xiàn)[J];信息通信;2012年01期

7 李銀錦;劉玉;;一種基于流量清洗的DDoS攻擊防御系統(tǒng)[J];電腦知識與技術(shù);2010年35期

8 李曉利;郭宇春;;QoS技術(shù)中令牌桶算法實現(xiàn)方式比較[J];中興通訊技術(shù);2007年03期

9 韓璐;宋曉虹;張寧;;淺析路由器技術(shù)[J];中國科技信息;2006年21期

10 楊洪春;;DDoS原理、現(xiàn)象及防御方法[J];黃石教育學(xué)院學(xué)報;2006年03期

相關(guān)重要報紙文章 前1條

1 王婧;;達沃斯論壇熱議第四次工業(yè)革命[N];經(jīng)濟參考報;2016年

相關(guān)碩士學(xué)位論文 前10條

1 王弘;復(fù)合型防火墻掃描防御與客戶端認(rèn)證模塊的設(shè)計與實現(xiàn)[D];哈爾濱工業(yè)大學(xué);2014年

2 王蘭芳;CAR技術(shù)在Comware平臺上的實現(xiàn)[D];南京大學(xué);2012年

3 王威;Comware V7平臺DHCP中繼的設(shè)計與實現(xiàn)[D];華中科技大學(xué);2011年

4 黃麗;基于NP路由器的以太網(wǎng)OAM研究與實現(xiàn)[D];西南交通大學(xué);2011年

5 黃洋;BGP協(xié)議收斂性算法研究及并行化設(shè)計[D];西安電子科技大學(xué);2011年

6 南琳;BGP路由策略檢查工具的設(shè)計與實現(xiàn)[D];北京郵電大學(xué);2010年

7 宿曉丹;BGP路由配置文件檢查工具的設(shè)計與實現(xiàn)[D];北京郵電大學(xué);2010年

8 楊杉;基于路由協(xié)議分析的路由管理系統(tǒng)[D];上海交通大學(xué);2009年

9 徐鏡湖;互聯(lián)網(wǎng)域間路由協(xié)同配置技術(shù)的研究與實現(xiàn)[D];國防科學(xué)技術(shù)大學(xué);2008年

10 牟曉玲;BGP路由抖動抑制算法的研究與改進[D];湖南大學(xué);2008年

，

本文編號：2323527