Title: 分散式阻斷攻擊檢測和防禦機制之探討與實作
Research on Detection / Prevention of DDoS and Its Implementation
Author: 周佳樟
Chou, Chia-Chang
羅濟群
Lo, Chi-Chun
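Degree Program of Information Management, College of Management
Keywords: DDoS Attack; Network Processor IXP2400; Anomaly Detection; Flow Control
Date published: 2008
Abstract: DDoS attacks have caused serious damage to the Internet and are increasingly one of the gravest threats to Internet security today. Existing research on DDoS defense systems still has various shortcomings: the systems either fail to detect on the basis of the characteristics of DDoS attacks, or fail to control the attack flows promptly and effectively after detection, or are difficult to deploy in practice. For this reason, targeting the multi-byte-field statistical characteristics that distinguish DDoS attacks from normal traffic, this thesis designs and implements a real-time detection and control system module based on the IXP2400 network processor. The system performs multi-byte-field statistical anomaly analysis on IP network traffic to discover anomalous byte-field traffic in the network, and uses the token bucket technique to control the traffic in the anomalous byte fields. A series of performance evaluation experiments verify that the system can detect and control DDoS effectively while fully protecting normal traffic, so that the network can still provide the greatest possible degree of normal service while under DDoS attack. The system has high-performance processing capability and is suitable for deployment at key entry and exit points of the Internet distribution layer to maintain network security.
DDoS attacks have seriously damaged the Internet and remain a severe threat to it, but the defense systems developed so far still have difficulty coping with them. In this paper, we present a novel system module based on the IXP2400 to fight DDoS attacks. The system carries out multi-dimensional real-time anomaly detection to analyze the traffic statistics for each field, detects the abnormal traffic, and uses a Token Bucket Filter to control it. Results of a series of experiments demonstrate that legitimate traffic passes through the system intact, while harmful DDoS attacks are detected by the system’s anomaly-detection mechanism and the attack traffic is brought under effective control by the system’s flow control mechanism. The system is fit to be deployed at the edge of the network’s aggregate layer to maintain network security.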
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009164516
http://hdl.handle.net/11536/62669
Appears in collection: Thesis


Files in this item:

  1. 451601.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to view the full text.