
A Denial-of-Service Attack Detection Technique Based on Signature Matching

1.3 Research Content and Scope
In this paper we analyze several typical DoS attacks, such as Smurf, SYN Flooding and UDP Flooding, and attempt to build a signature model for them. We then perform pattern matching on every captured packet in order to find packets that carry attack signatures. Finally, we implement a DoS attack detection system based on this work.
In order to obtain the best results in the limited time available, we first define our research scope.
(1) Our research focuses on the detection of DoS attacks. Detection may be helpful for subsequent prevention of, or response to, DoS attacks, but those topics are not discussed in this paper.
(2) A Distributed Denial of Service (DDoS) attack is a special case of DoS attack, launched from many hosts. In this paper we treat DDoS the same as DoS; that is to say, wherever we mention DoS, DDoS is included.
(3) An attack signature is a sequence of computer activities or alterations, which may involve packet features, conditions, ordering and interrelationships among events. In this paper, our signature-matching detection technology considers only packet features as attack signatures.

Content from think58 [Source: http://www.think58.com]
(4) We carry out case studies on the signatures of typical DoS attacks such as Smurf, SYN Flooding and UDP Flooding; these signatures are used to demonstrate the characteristics of DoS attacks. The majority of the signatures in our system prototype come from the Internet, but they have been modified to fit the signature engine of our prototype.
1.4 Paper Structure
The paper is made up of 6 sections. Section 1 is the introduction; it mainly covers the background of the paper, related research by others, and our research content and scope. In Section 2 we give an overview of DoS attacks, including typical DoS attacks, DoS tools and DoS attack signatures. Section 3 mainly discusses the pattern matching algorithms used during signature matching. Section 4 describes in detail the design and implementation of our DoS attack detection system prototype. In Section 5 we run experiments to test the detection rate and false alarm rate of our system. Section 6 concludes the paper and outlines future work.

2.1.3 UDP Flooding
Since the usage of the UDP protocol is limited by its standard, a UDP Flooding attack is comparatively harder to achieve. The Land attack sends a packet to a machine with the source host/port the same as the destination host/port, which crashed many boxes [22]. Other UDP Flooding attacks consist of a large number of spoofed UDP packets aimed at diagnostic ports on network devices, which increases the CPU time those devices spend responding to the packets.
2.1.4 Summary
By analyzing these familiar attacks, we find some common characteristics. First, the attack packets always carry spoofed information. For example, the Smurf attack spoofs the source address in the ICMP echo packet, tricks the router and the hosts in the LAN into acting as an amplifier, and together they attack the victim at the spoofed address. Meanwhile, SYN Flooding spoofs the TCP flags in the handshake packet, making the target think some source is attempting to connect and consuming a lot of network resources. Second, the protocols have limitations in themselves. Take SYN Flooding for example: in the three-way handshake, after the target host receives a SYN from the attacker it spends a long time waiting for a reply to its SYN ACK, so normal connections cannot be established.
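As an added example (not the thesis prototype), the following Python shows how the packet-feature signatures from scope item (3) and the characteristics summarized above can be expressed in a small matcher: stateless per-packet signatures for Land, Smurf and UDP floods to diagnostic ports, plus a windowed SYN-flood check that reports how many distinct (likely spoofed) sources appear. The packet capture, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture: the packet features the text names, as dicts.
PACKETS = [
    {"t": 0.0, "proto": "icmp", "src": "10.0.0.5", "dst": "192.168.1.255", "type": 8},
    {"t": 0.1, "proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.9", "sport": 80, "dport": 80, "flags": "S"},
    {"t": 0.2, "proto": "udp", "src": "1.2.3.4", "dst": "10.0.0.1", "dport": 19},
] + [  # 200 bare SYNs to one port, each from a different (spoofed) source
    {"t": 0.3 + i / 1000, "proto": "tcp", "src": f"172.16.{i // 256}.{i % 256}",
     "dst": "10.0.0.2", "sport": 1024 + i, "dport": 80, "flags": "S"}
    for i in range(200)
]

def is_broadcast(ip):
    return ip.endswith(".255")  # assumption: /24 directed-broadcast address

# Stateless signatures: one packet's own features decide the match.
SIGNATURES = {
    "land": lambda p: p["src"] == p["dst"] and p.get("sport") == p.get("dport"),
    "smurf": lambda p: p["proto"] == "icmp" and p.get("type") == 8 and is_broadcast(p["dst"]),
    "udp_diag": lambda p: p["proto"] == "udp" and p.get("dport") in {7, 19},  # echo, chargen
}

def match_stateless(packets):
    """Return {signature_name: [matching packets]} over every captured packet."""
    hits = defaultdict(list)
    for p in packets:
        for name, sig in SIGNATURES.items():
            if sig(p):
                hits[name].append(p)
    return dict(hits)

def detect_syn_flood(packets, window=1.0, threshold=100):
    """Stateful check: >= threshold bare SYNs to one dst:port within a sliding window."""
    by_target = defaultdict(list)
    for p in packets:
        if p["proto"] == "tcp" and p.get("flags") == "S":
            by_target[(p["dst"], p["dport"])].append(p)
    alerts = []
    for (dst, dport), syns in by_target.items():
        syns.sort(key=lambda p: p["t"])
        start = 0
        for end in range(len(syns)):
            while syns[end]["t"] - syns[start]["t"] > window:
                start += 1
            if end - start + 1 >= threshold:
                srcs = {p["src"] for p in syns[start:end + 1]}  # many distinct sources => spoofing
                alerts.append({"dst": dst, "dport": dport, "syns": end - start + 1, "distinct_src": len(srcs)})
                break
    return alerts
```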

2.2 Popular DoS Attacks Tools
Internet Security Systems (ISS) has identified a number of distributed denial of service tools available on the Internet [23]. Some of these attack tools include TFN, Trin00, TFN2K and Stacheldraht. The tools differ in their capabilities and complexity, but all share the common goal of overwhelming a victim with an abundance of traffic that is difficult to detect or filter. Some of these tools are suspected to have been used during the famous week when Yahoo, eBay, CNN and others were taken down at nearly the same time, February 7 to 11, 2002.
2.2.1 Tribal Flood Network
TFN was the first highly visible DoS attack tool to surface. It exhibits a two-tier architecture, involving a client that controls the targeting and options of the attack system, and multiple daemons which listen for the client's commands and perform the actual denial of service attacks [23].
The TFN daemon runs as a hidden service on the machines it uses, and can receive commands from the client hidden subliminally in standard network communications and protocols. It also hides the source of both client and daemon in all communication and attacks.
2.2.2 Trin00
Trin00 moved to a three-tier architecture: a client (telnet or netcat), used by the attacker, sends its commands, including targets, to master servers, which control multiple daemons, know their addresses and forward the commands received from the client [23].
This additional tier made the tool harder to trace back to the attacker by adding another layer to the communication. However, Trin00 did not take advantage of all of TFN's technology to hide itself: it communicated over its own proprietary channels and failed to hide the source of its attack traffic. Trin00 was also limited to a single form of denial of service attack, unlike TFN, which offered a variety.
2.2.3 TFN2K
TFN2K, while not evolving to a three-tier architecture like Trin00, added encryption to the communication between its two tiers, client and daemons, making it harder to detect. TFN2K also introduced some new types of denial of service attack. Its author is already preparing a newer version, TFN3K [21].

2.2.4 Stacheldraht
Stacheldraht combined the technology of Trin00 and TFN: it hides the source addresses of its traffic, adopts the variety of denial of service attacks from TFN, and adds the three-tier architecture of Trin00 [23]. A new version of Stacheldraht has recently emerged with additional technology to hide its presence and communications.