

Research on a DDoS Attack-Defense Architecture and Its Key Technologies in Cloud Environments

Published: 2018-05-12 19:54

Topic: cloud computing + DDoS attacks; Source: Nanjing University, 2016 doctoral dissertation


[Abstract]: In recent years, cloud computing has gradually become the mainstream computing paradigm in the IT industry. Because of its on-demand self-service, ubiquitous access, resource pooling, elastic service and measured service, cloud computing has attracted wide attention in both industry and academia. Cloud computing offers three service models: Infrastructure as a Service, Platform as a Service and Software as a Service. Based on this service-oriented architecture, cloud service users can flexibly rent cloud services to meet their own application needs. On-demand resource allocation and the "pay-as-you-go" billing model further reduce users' hardware and software investment and maintenance costs. Despite these many conveniences, security remains the main obstacle for enterprises and organizations that want to migrate their applications to cloud platforms. Among the many security vulnerabilities facing cloud platforms, DDoS attacks are the main threat to the availability of cloud services. On the one hand, the flooding DDoS attacks of traditional networks (such as TCP SYN Flood) and low-rate DDoS attacks (such as the Shrew attack) persist in cloud platforms. On the other hand, the cloud computing model introduces many cloud-specific DDoS attacks, such as EDoS attacks and bandwidth-starvation DDoS attacks. Moreover, as cloud platforms widely adopt software-defined networking as the underlying network architecture of their data centers, the DDoS attack surface of the cloud environment grows further. Research on DDoS defense in cloud environments is therefore imperative. For the cloud DDoS attacks already known, such as EDoS attacks, bandwidth-starvation DDoS attacks and control-plane flooding DDoS attacks, researchers have proposed various defenses. Compared with the attack surface of the cloud platform, however, these methods are far from sufficient.

Current research on this topic faces several challenges, mainly the following: 1) the lack of a global DDoS defense framework that describes the potential DDoS vulnerabilities at each level of the cloud environment and indicates how, and where, to defend against these attacks effectively; 2) as the first line of defense against DDoS attack traffic, how to design a cloud firewall framework at the cloud service access point; 3) how to defend against the potential flooding and low-rate DDoS attacks in the data plane of the cloud data center network; 4) how to evaluate the performance and effectiveness of a cloud firewall with a mathematical model, and how to quantitatively analyze the impact of DDoS attacks on the performance metrics of the cloud platform.

To address these challenges, this thesis studies DDoS attack and defense in cloud environments and its key technologies. Specifically, the work consists of the following parts:

1) To advance DDoS attack and defense in the cloud, we propose a cloud DDoS attack-defense architecture from a global perspective. The architecture is organized into four levels: the normal-user and attacker level, the cloud service access point level, the cloud data center network level, and the cloud data center server level. The normal-user and attacker level is where normal users and attackers send service requests and attack traffic, respectively, toward the cloud data center. The cloud service access point level is where the service requests of normal users and the attack traffic of attackers reach the cloud service access point via the Internet; at this level, an intrusion prevention system and a cloud firewall should be deployed as the first line of defense against DDoS attack traffic. The cloud data center network level is where the requests and attack traffic pass the access point and reach the cloud data center network; at this level, the various network-layer DDoS attacks, the DDoS attacks specific to the software-defined networking architecture, and bandwidth-starvation DDoS attacks should be defended against. Finally, the cloud data center server level is where the requests and attack traffic ultimately reach the application servers; at this level, application-layer DDoS attacks and EDoS attacks should be defended against.

2) To deploy a firewall at the cloud service access point as the first line of defense against DDoS attack traffic, a decentralized cloud firewall framework is proposed. Cloud service users rent this firewall to protect the applications they host in the cloud data center. Specifically, the servers hosting their applications are divided into multiple clusters; the cloud service provider sets up an independent firewall for each cluster through dynamic resource allocation, and all firewalls monitor network traffic in parallel. In this framework, dynamic resource allocation minimizes the resource provisioning cost while satisfying the QoS constraints stated by the user. Compared with existing centralized firewall frameworks, this framework resolves the problems of single points of failure, large-scale rule sets, and the inability to meet QoS constraints.

3) To defend against potential DDoS attacks in the cloud data center network, two data-plane DDoS vulnerabilities of data center networks are revealed; based on these two vulnerabilities, a data-plane flooding DDoS attack and a data-plane low-rate DDoS attack can be realized. Specifically, the data-plane flooding DDoS attack achieves its goal by generating a large number of flow-table rules, while the low-rate DDoS attack achieves its goal by creating long-lived rules in the flow table. To characterize the data-plane flooding DDoS attack, it is compared with the control-plane flooding DDoS attack; a defense against it is then proposed on the basis of existing work on scrubbing high-load traffic at the control plane. The data-plane low-rate DDoS attack can evade detection by existing defenses because it almost never sends high-load traffic to the control plane. We therefore propose a new defense that detects long-lived rules in the flow table.

4) To evaluate the performance and effectiveness of the cloud firewall with a mathematical model, we propose new queueing models, M/Geo/1 and M/Geo/m. These models are far more complex than the existing M/M/1 queueing model; to obtain the mean response time of a packet passing through the firewall, we are the first to propose combining the Z-transform with the embedded Markov chain technique. We also propose using stochastic processes to quantitatively analyze the impact of DDoS attacks on the performance metrics of the cloud platform. The results show that the data-plane flooding DDoS attack can drastically degrade the system response time with very few attack resources, while the data-plane low-rate DDoS attack has a long-term impact on the system.
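The defense in item 3) of the abstract detects long-lived flow rules rather than control-plane load. The script below is an added example written for this page, not the thesis's implementation: it parses a flow-table dump (constructed sample lines in the style of `ovs-ofctl dump-flows`), flags entries that have been alive for a long time while carrying only about one packet per idle-timeout window, groups them by source address, and reports flow-table occupancy as a crude indicator of the data-plane flooding attack. The thresholds (`min_age_s`, `max_pps`, `capacity`) are assumptions to be tuned per deployment.

```python
"""Detect long-lived, low-rate flow rules and flow-table crowding in an SDN switch.

Added example for item 3) of the abstract above; illustrative code written for
this page, not the thesis's implementation.  A data-plane low-rate DDoS attack
keeps flow entries alive indefinitely while sending almost nothing to the
controller, so control-plane load monitors stay quiet; this detector therefore
inspects the switch's own flow-table dump instead.  Input lines are constructed
in the style of `ovs-ofctl dump-flows`; thresholds are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample dump: two entries from 203.0.113.7 have been alive for
# about two hours but carry roughly one packet per idle_timeout, i.e. just enough
# to keep the entry from expiring.  The 10.0.0.6:80 entry is old but busy.
SAMPLE_DUMP = """\
 cookie=0x0, duration=12.3s, table=0, n_packets=9800, n_bytes=8820000, idle_timeout=10, priority=100,tcp,nw_dst=10.0.0.5,tp_dst=443 actions=output:2
 cookie=0x0, duration=7310.4s, table=0, n_packets=731, n_bytes=43860, idle_timeout=10, priority=50,udp,nw_src=203.0.113.7,nw_dst=10.0.0.5,tp_dst=53001 actions=output:2
 cookie=0x0, duration=7305.9s, table=0, n_packets=730, n_bytes=43800, idle_timeout=10, priority=50,udp,nw_src=203.0.113.7,nw_dst=10.0.0.5,tp_dst=53002 actions=output:2
 cookie=0x0, duration=7300.1s, table=0, n_packets=2100000, n_bytes=2940000000, idle_timeout=10, priority=50,tcp,nw_dst=10.0.0.6,tp_dst=80 actions=output:3
 cookie=0x0, duration=3.1s, table=0, n_packets=2, n_bytes=120, idle_timeout=10, priority=50,udp,nw_src=198.51.100.9,nw_dst=10.0.0.5,tp_dst=5060 actions=output:2
"""

_LINE_RE = re.compile(
    r"duration=(?P<dur>[0-9.]+)s.*?n_packets=(?P<pk>\d+).*?n_bytes=(?P<by>\d+)"
    r"(?:.*?idle_timeout=(?P<idle>\d+))?"
    r".*?priority=\d+,?(?P<match>\S*) actions=(?P<act>\S+)"
)
_SRC_RE = re.compile(r"nw_src=([0-9.]+)")


@dataclass
class FlowRule:
    duration_s: float
    n_packets: int
    n_bytes: int
    idle_timeout_s: Optional[int]
    match: str
    actions: str

    @property
    def packets_per_second(self) -> float:
        return self.n_packets / self.duration_s if self.duration_s > 0 else float("inf")

    @property
    def keepalive_ratio(self) -> Optional[float]:
        """Packets seen per idle-timeout window; a value hovering near 1.0 means the
        entry is refreshed at exactly the cadence needed to avoid expiry."""
        if not self.idle_timeout_s:
            return None
        return self.packets_per_second * self.idle_timeout_s

    @property
    def source(self) -> str:
        m = _SRC_RE.search(self.match)
        return m.group(1) if m else "unknown"


def parse_flow_dump(text: str) -> List[FlowRule]:
    """Parse dump lines; lines that do not look like flow entries are skipped."""
    rules = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        rules.append(FlowRule(
            duration_s=float(m["dur"]),
            n_packets=int(m["pk"]),
            n_bytes=int(m["by"]),
            idle_timeout_s=int(m["idle"]) if m["idle"] else None,
            match=m["match"],
            actions=m["act"],
        ))
    return rules


def find_long_lived_low_rate(rules, min_age_s: float = 3600.0, max_pps: float = 1.0):
    """Entries older than min_age_s that carry at most max_pps packets per second."""
    return [r for r in rules if r.duration_s >= min_age_s and r.packets_per_second <= max_pps]


def rules_per_source(rules) -> Dict[str, int]:
    """How many flagged entries each source address keeps alive."""
    return dict(Counter(r.source for r in rules))


def table_occupancy(rules, capacity: int) -> float:
    """Fraction of the (assumed) flow-table capacity in use; a value near 1.0 points
    at a data-plane flooding attack that fills the table with rules."""
    return len(rules) / capacity


if __name__ == "__main__":
    rules = parse_flow_dump(SAMPLE_DUMP)
    print(f"flow-table occupancy: {table_occupancy(rules, capacity=100):.0%}")
    flagged = find_long_lived_low_rate(rules)
    for r in flagged:
        ka = r.keepalive_ratio
        ka_text = "n/a" if ka is None else f"{ka:.2f}"
        print(f"long-lived low-rate entry {r.match}: age={r.duration_s:.0f}s "
              f"rate={r.packets_per_second:.3f} pps keepalive_ratio={ka_text}")
    print("flagged entries per source:", rules_per_source(flagged))
```

The long-lived but busy 10.0.0.6:80 entry is not flagged, because age alone is not the signal; the combination of age and a packet rate pinned at the idle-timeout cadence is. In a real deployment the dump would come from the switch (or from the controller's flow statistics) on a schedule, and the per-source counts would feed the alert rather than a print statement.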

[Degree-granting institution]: Nanjing University
[Degree level]: Doctorate
[Year of degree]: 2016
[Classification number]: TP393.08
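Item 4) of the abstract models the firewall as an M/Geo/1 queue: Poisson packet arrivals and a service time equal to the number of rule checks until the packet matches. The script below is an added illustration, not the thesis's derivation: the thesis obtains its result with a Z-transform and an embedded Markov chain, whereas this code applies the textbook Pollaczek-Khinchine formula for an M/G/1 queue to the same service model and compares it with the M/M/1 baseline. It also shows why a larger rule set matters, under the stated assumption that inflating the rule set by a factor k divides the per-check match probability by k. All parameter values are constructed.

```python
"""Mean packet response time through a firewall whose rule-matching time is geometric.

Added illustration for item 4) of the abstract above; not the thesis's derivation.
The thesis obtains the M/Geo/1 result with a Z-transform and an embedded Markov
chain; this script instead applies the Pollaczek-Khinchine formula for an M/G/1
queue to the same service model: Poisson arrivals, and a service time equal to the
number of rule checks until a match (geometric with success probability p per
check, one time unit per check).  All parameter values are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class GeoServiceQueue:
    arrival_rate: float  # lambda: mean packets per time unit (Poisson arrivals)
    match_prob: float    # p: probability that a packet matches at any one rule check

    @property
    def mean_service(self) -> float:
        # E[S] for a geometric service time with success probability p
        return 1.0 / self.match_prob

    @property
    def second_moment_service(self) -> float:
        # E[S^2] = Var[S] + E[S]^2 = (1-p)/p^2 + 1/p^2 = (2-p)/p^2
        p = self.match_prob
        return (2.0 - p) / (p * p)

    @property
    def utilisation(self) -> float:
        # rho = lambda * E[S]; the queue is unstable when rho >= 1
        return self.arrival_rate * self.mean_service

    def mean_response_time(self) -> float:
        """Pollaczek-Khinchine: T = lambda * E[S^2] / (2 * (1 - rho)) + E[S]."""
        rho = self.utilisation
        if rho >= 1.0:
            return float("inf")
        waiting = self.arrival_rate * self.second_moment_service / (2.0 * (1.0 - rho))
        return waiting + self.mean_service


def mm1_mean_response_time(arrival_rate: float, service_rate: float) -> float:
    """Baseline M/M/1 result T = 1 / (mu - lambda), for a queue with the same mean service."""
    if arrival_rate >= service_rate:
        return float("inf")
    return 1.0 / (service_rate - arrival_rate)


def response_time_vs_ruleset_growth(arrival_rate: float, base_match_prob: float,
                                    growth_factors: Sequence[float]) -> List[Tuple[float, float, float]]:
    """Model an attacker inflating the rule set.  Assumption: if the rule set grows by
    factor k, each packet scans k times as many rules on average, so the per-check
    match probability drops from p to p/k.  Returns (k, rho, mean response time)."""
    rows = []
    for k in growth_factors:
        q = GeoServiceQueue(arrival_rate, base_match_prob / k)
        rows.append((k, q.utilisation, q.mean_response_time()))
    return rows


if __name__ == "__main__":
    lam, p = 0.2, 0.5
    base = GeoServiceQueue(lam, p)
    print(f"M/Geo/1 via P-K: lambda={lam} p={p} rho={base.utilisation:.2f} "
          f"T={base.mean_response_time():.3f}")
    print(f"M/M/1 with the same mean service rate mu={p}: "
          f"T={mm1_mean_response_time(lam, p):.3f}")
    for k, rho, t in response_time_vs_ruleset_growth(lam, p, [1, 1.5, 2, 2.5]):
        print(f"rule set x{k}: rho={rho:.2f} mean response={t:.2f}")
```

With lambda = 0.2 and p = 0.5 the mean response time is 3.0 time units; doubling the rule set (p = 0.25) takes it to 18.0, and a factor of 2.5 drives the utilisation to 1 and the queue diverges. This is the shape of the abstract's claim that a flooding attack on the rule set degrades response time with little attacker effort. The M/M/1 value for the same mean service (about 3.33) differs because the second moment of the geometric service time is smaller than that of an exponential one, which is why a dedicated M/Geo/1 model is needed rather than the M/M/1 approximation.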


Document number: 1879938


Link to this document: http://sikaile.net/shoufeilunwen/xxkjbs/1879938.html


