王卓昊,方琦,尹建辉,刘颖,董平.可编程网络中一种轻量级 DDoS 攻击缓解机制研究[J].情报工程,2022,8(5):115-126 |
可编程网络中一种轻量级 DDoS 攻击缓解机制研究 |
Research on a Lightweight DDoS Attack Mitigation Mechanism in Programmable Networks |
|
DOI:10.3772/j.issn.2095-915X.2022.05.010 |
中文关键词: 可编程网络;DDoS 攻击缓解;带内遥测;拥塞避免;威胁情报 |
英文关键词: Programmable networking; DDoS attack mitigation; in-band telemetry; congestion avoidance; threat intelligence |
基金项目: |
作者 | 单位 | 王卓昊 | 1. 中国科学技术信息研究所 北京 100038; | 方琦 | 2. 北京交通大学移动专用网络国家工程研究中心 北京 100044 | 尹建辉 | 2. 北京交通大学移动专用网络国家工程研究中心 北京 100044 | 刘颖 | 2. 北京交通大学移动专用网络国家工程研究中心 北京 100044 | 董平 | 2. 北京交通大学移动专用网络国家工程研究中心 北京 100044 |
|
摘要点击次数: 833 |
全文下载次数: 1374 |
中文摘要: |
[ 目的 / 意义 ] 分布式拒绝服务(DDoS)攻击是互联网中威胁性最大且较难防御的攻击之一。针对传统的 DDoS攻击缓解机制检测较为复杂且缓解策略生成较慢的问题,文中提出了一种基于带内遥测的轻量级 DDoS 攻击缓解机制。[ 方法 / 过程 ] 首先,本文将 DDoS 攻击事件视为一种威胁情报,通过情报学方法研究提取普遍的 DDoS 攻击特征;然后,在数据平面利用带内遥测技术检测 DDoS 攻击,从而有效降低网络开销,实现轻量化;最后,控制平面生成限速策略并下发到数据平面交换机,通过源端限速的方法减小攻击流量对网络的影响。[ 结果 / 结论 ] 该机制能够及时检测到 DDoS攻击并有效缓解 DDoS 攻击造成的网络拥塞,并且通过缩短限速阈值中数据包的统计周期可以提高缓解机制的灵敏性,对 DDoS 攻击做出更快的反应。 |
英文摘要: |
[Objective/Significance] Distributed denial-of-service (DDoS) attack is one of the most threatening and difficult to defend attacks on the Internet. In response to the problems that traditional DDoS attack mitigation mechanisms are more complex to detect and slower to generate mitigation policies, a lightweight DDoS attack mitigation mechanism based on inband telemetry is proposed in this paper. [Methods/Processes] First, in this paper, DDoS attack events are considered as a kind of threat intelligence, and the universal DDoS attack characteristics are extracted through intelligence research methods. Then, inband telemetry is used in the data plane to detect DDoS attacks, thus effectively reducing the network overhead and achieving lightweighting. Finally, the control plane generates a speed-limiting policy and sends it down to the data plane switches to reduce the impact of attack traffic on the network through the source-side speed-limiting method. [Results/Conclusions] That this mechanism can detect DDoS attacks in time and effectively mitigate the network congestion caused by DDoS attacks, and the sensitivity of the mitigation mechanism can be improved by shortening the statistical period of packets in the speed limit threshold to make faster response to DDoS attacks. |
查看全文
查看/发表评论 下载PDF阅读器 |
关闭 |