在軟體定義網路的環境下偵測分散式反射阻斷服務攻擊

Abstract

分散式阻斷服務攻擊時常造成網站中斷服務，遂行攻擊目的並造成使用者不方便，而其中一種攻擊方法是利用開放服務當作反射點及封包放大來進行攻擊，稱為分散式反射阻斷服務攻擊，這種攻擊會偽造來源IP位址所以很難溯源，也會造成比一般的阻斷服務攻擊更大的流量。而DNS放大攻擊就是其中一個例子，DNS提供了域名與IP位址之間的轉換服務，讓人們可以不用去記憶沒有規則的IP位址。由於DNS提供的服務會產生查詢封包與回應封包大小不對等的現象，在DNS伺服器沒有設定正確的情況下會幫助所有IP來源去查詢他們所詢問的域名及IP位址的轉換，因此這種沒有設定正確的DNS伺服器會被濫用成為放大流量的工具，攻擊者會利用它進行DDoS攻擊，攻擊者只需要偽造被害者的IP並送出小流量的查詢封包，就可以產生出數十倍的回覆流量到被害者的位址，而這種情況在校園網路中又更為常見。為了防止校園中的網路可能有人架設DNS或NTP這種開放服務卻沒設定好而被駭客利用來發動DDoS攻擊，所以在本文中提出一個架構：在網路出入口中使用機器學習方法來偵測放大反射式攻擊的流量，由於在網路出入口中的流量繁重，所以我們需要使用SDN的技術來複製封包，並引導複製的封包進入到我們用來偵測攻擊的機器，透過SDN我們可以只取得我們想要偵測的流量，且在測出惡意流量時可以再透過SDN的機制來阻擋放大攻擊。由於這類型的攻擊都有相似的特徵，使用機器學習方式可以有效地識別這類流量放大的網路攻擊。

DDoS(Distributed Denial of Service) attack can disable the network service easily, if the system is not well managed and defended. One of the DDoS attack methods is using some open services as a reflector to launch attacks, called DRDoS(Distributed Reflection Denial of Service). For this type of attack, it is difficult to trace the attackers due to the fact that attackers usually spoof their IP addresses, and always generate more traffics than normal DDoS attack. Attackers amplify the amount of attack traffic by targeting at the vulnerabilities of protocols and services. This kind of attack is called amplification attack. DNS amplification attack is an instance of these attacks. DNS systems translate domain names to the numerical IP addresses, but DNS servers reply packets that are substantially larger than the request packets. Hence open recursive DNS server is used as packet amplifier by attacker to launch DRDoS attack. In order to avoid this type of attack in campus network, we propose a system to block amplification attack automatically. Due to our system is built at network entrance, we use SDN technique to mirror only the packets needed to our detection agent. When our detection agent classifies the flow as attack, we use SDN controller's RESTful API to add flow rules on OpenFlow switch to drop the malicious packets. Thus we can block attacks by adding flow rule to drop the packets from the specific IP address. DRDoS attack has similar features, so we can detect them with machine learning technique. Our system can detect both DNS and NTP amplification attacks.