Abstract (translated from the Chinese)
The large number of available attack techniques and exploitable network resources greatly increases the difficulty of defending against Distributed Denial-of-Service (DDoS) attacks. Application-layer DDoS is built on normal network-layer behavior, so current network-layer security devices cannot defend against it effectively. This paper proposes a filtering model for application-layer DDoS attacks. Based on how the attack requests are generated, it classifies application-layer DDoS attacks into five types, analyzes the differences between application-layer DDoS attacks and normal access behavior, and proposes access-behavior anomaly attributes together with a session anomaly-degree model. With this model, normal access sessions can be effectively distinguished from application-layer DDoS attack sessions. Three forwarding policies, First-Come First-Serve (FCFS), Low Suspicion First (LSF) and Round Robin, are combined with the session anomaly-degree model, and real network logs are used to simulate how the response delay of legitimate requests varies over time. The results show that a forwarding rate equal to the maximum legitimate request rate already gives good forwarding performance, and that FCFS and Round Robin yield lower legitimate-request response delay than LSF.
Abstract (English, as published)
Mitigating Distributed Denial-of-Service (DDoS) attacks becomes more challenging as the resources and techniques available to attackers increase. Current network-layer security devices fail to counter application-layer DDoS (App-DDoS) attacks because such attacks look like normal traffic at the network layer. In this paper, a novel defense model is proposed to handle App-DDoS attacks. App-DDoS attacks are divided into 5 types based on how the attack URLs are generated. Based on the differences between normal sessions and attack sessions, the paper proposes session behavior suspicion parameters and a session suspicion model, which can be used to differentiate normal sessions from App-DDoS sessions accurately. The model is combined with 3 forwarding policies, First-Come First-Serve (FCFS), Low Suspicion First (LSF) and Round Robin, to defend against the 5 types of App-DDoS attack. Simulation results with a real Web trace show that these forwarding policies perform well when the forwarding rate equals the maximum normal request arrival rate, and that FCFS and Round Robin perform better than LSF on normal request response delay.
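As an added illustration (not code from the paper), the following toy simulation applies the three forwarding policies named in the abstract to a constructed request trace in which each session carries an assumed suspicion score, sets the forwarding rate to the maximum legitimate request rate as the abstract recommends, and measures the mean response delay of legitimate requests. The trace and scores are assumptions, including an attack session that mimics normal behavior and is therefore scored lower than a bursty legitimate user; the resulting numbers illustrate how each policy reacts to such a misranking and do not reproduce the paper's measurements on real logs.

```python
from collections import defaultdict
# Constructed trace (not the paper's data); suspicion values are assumed outputs of a
# session-suspicion model. Each request: (slot, session, suspicion, is_legit).
def make_trace(slots=3, attack_rate=4):
    trace = []
    for t in range(slots):
        trace.append((t, "user0", 0.1, True))  # normal browsing, scored low
        trace.append((t, "user1", 0.6, True))  # legitimate but bursty, scored high
        trace += [(t, "bot", 0.3, False)] * attack_rate  # App-DDoS session mimicking normal URLs
    return trace

def pick(policy, pending, order, rr):
    """Session whose head-of-line request (arrival, seq, suspicion, legit) goes next, or None."""
    live = [s for s in order if pending[s]]
    if policy == "FCFS":  # oldest request first, regardless of suspicion
        return min(live, key=lambda s: pending[s][0][1], default=None)
    if policy == "LSF":  # lowest session suspicion first, ties broken by age
        return min(live, key=lambda s: (pending[s][0][2], pending[s][0][1]), default=None)
    for i in range(len(order)):  # Round Robin: next session after pointer rr that has work
        s = order[(rr + i) % len(order)]
        if pending[s]:
            return s

def simulate(trace, policy, rate):
    """Forward at most `rate` requests per slot; return mean delay (slots) of legitimate requests."""
    arrivals = defaultdict(list)
    for seq, (t, sess, susp, legit) in enumerate(trace):
        arrivals[t].append((sess, (t, seq, susp, legit)))
    pending, order, delays, rr, t = {}, [], [], 0, 0
    while t <= max(arrivals) or any(pending.values()):
        for sess, req in arrivals.get(t, []):  # enqueue this slot's arrivals per session
            if sess not in pending:
                pending[sess] = []
                order.append(sess)
            pending[sess].append(req)
        for _ in range(rate):
            sess = pick(policy, pending, order, rr)
            if sess is None:
                break
            rr = (order.index(sess) + 1) % len(order)  # RR pointer advances past the served session
            arr, _, _, legit = pending[sess].pop(0)
            if legit:
                delays.append(t - arr)
        t += 1
    return sum(delays) / len(delays)

def compare(rate=2):  # rate 2 = maximum legitimate request rate (two users, one request per slot)
    trace = make_trace()
    return {p: simulate(trace, p, rate) for p in ("FCFS", "LSF", "RR")}
```

With this trace, FCFS and Round Robin keep legitimate delay at 2.0 and 0.5 slots, while LSF starves the misranked legitimate user behind the low-scored attack session (mean delay about 3.33 slots), which is the failure mode a forwarding policy that trusts the suspicion score alone has to guard against.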
Source
《计算机学报》 (Chinese Journal of Computers)
Indexed in: EI, CSCD, Peking University Core Journals (北大核心)
2010, No. 9, pp. 1713-1724 (12 pages)
Funding
Supported by the National Natural Science Foundation of China (60703021) and the National High Technology Research and Development Program of China (863 Program) (2007AA010501, 2007AA01Z474, 2007AA01Z467)
Keywords
DDoS
filter
suspicion (anomaly degree)
application layer
forwarding policy