网络入侵检测系统的拒绝服务攻击的检测与防御

38220042JOURNALOFXIANJIAOTONGUNIVERSITYVol.382Feb.2004,,,(,710049,):(DOS),.DOS,,TCP,DOS.,DOS,DOS.:;;:TP393:A:0253-987X(2004)02-0132-04DetectingandDefeatingDenial2of2ServiceAttacksonNetworkIntrusionDetectionSystemsSunQindong,ZhangDeyun,GaoPeng,ZhangXiao(SchoolofElectronicsandInformationEngineering,XianJiaotongUniversity,Xian710049,China)Abstract:Aimingatthecharactersticofdenial2of2service(DOS)attacks,anovelalgorithmisproposedtodetectanddefeatDOSattacks.Throughanalyzingthefrequencyanddispersionofalerts,theDOSattacksaredetect2ed.Todefeattheattacks,thestatefulinspectionisswitchedfromnormalmodetoemergencymodebythestagedswitchmethodandpacketsthatdontbelongtoanormalTCPsessionaredropped.PerformanceanalysisandexperimentsdemonstratethatthealgorithmcandiscovertheDOSattacksintimeandeffectivelyprotectnet2workintrusiondetectionsystems.Keywords:intrusiondetection;denial2of2serviceattacks;statefulinspection(IDS),IDS.IDS(fail2open),IDS,.,IDS.IDS(DOS)[1,2].IDS,.IDS,.IDSDOS,,IDS,,,,IDS.,DOS,,.DOS.,,Snort[3],,;,TCP(3),.,DOS;DOS,.,DOS:2003-04-23.:(1975),,;(),,,.:(2001-1-010).©1995-2004TsinghuaTongfangOpticalDiscCo.,Ltd.Allrightsreserved.,.TCP,,[1].,DOS.1DOS,DOSTCP,IP,.IPIDS,IDS(IP).,,IP,.DOS,,.IP,DOS(IP).TN,N/K,K,M,iNi.U,U=Mi=0(N/(KM)-Ni)2(1)DOSIP,U,,DOS;,.,L=NU(2)L,DOS,LLthrld,DOS,,IDS.QddosQnmlNL,Lddos1,Lddos2,,LddosN;Lnml1,Lnml2,,LnmlNNDOSL,NL,Lthrld,Lthrld=(Ni=1Lnmli+Ni=1Lddosi)/2N(3)L,(FIFO)QddosQnm1.DOS,LQddos,;,Qnml,QddosQnml,(3)Lthrld.,IDS,Lthrld,Lthrld.2DOS,.DOS,,,.,DOS,,DOS.,TCP,,.DOS,.,DOS,.,,,Rfake=AfakeAfake+Anml(4):Afake;Anml.RfakeRthrld,DOS.,,.1DOS,.(1)T,(2)L,LLthrld,;,.(2)timer,.timernT,Rfake.RfakeRthrld,Qddos,Lthrld,timer,;,timer,Qnml,Lthrld,(1).3312,:©1995-2004TsinghuaTongfangOpticalDiscCo.,Ltd.Allrightsreserved.1DOS(3),,counter.timerT1,counterPddos,DOS,timercounter,(3);,,timercounter,(1).3,,IDS,,,.DOS,2.DOSt1,t5.,t2,t3,t4-t3.,DOS,tmax=t4-t12T+nT=(n+2)T(5)T,n5,(n+2)TIDS.,(DOS)t3,t4,TCP,DOS.,3.t1t2,t2,t3,nT.T23,Lthrld,,.4.CPU2.0GHz256MBPIVPC,RedHat7.2,40GB.4.,TCPReplay[4],;Stick[5]DOS.TCPReplayStickIDS,,[6].40Mb/s,DOS150/s.DOS20min,20min,5.443138©1995-2004TsinghuaTongfangOpticalDiscCo.,Ltd.Allrightsreserved.A;B5,DOS,,;DOS,,,,DOS,100%.5DOS,IDS.,DOS,IDS,DOS.IDSDOS,DOS,,(DDOS).:[1]PtacekT,NewshamT.Insertion,Evasion,anddenialofservice:Eludingnetworkintrusiondetection[EB/OL].http:citeseer.njnec.com/ptacek98insertion.html,2003-01-15.[2]AnsenW,MellP,KarygiannisT,etal.Mobileagentsinintrusiondetectionandresponse[A].12thAnnualCana2dianInformationTechnologySecuritySymposium,Ot2tawa,Canada,2000.[3]RoeschM.Snort2lightweightintrusiondetectionfornetworks[A].ProceedingsoftheUSENIXLISA99conference[C].Washington:UsenixAssociation,1999.229238.[4]UndyM.TCPReplaymanual[EB/OL].[5]GiovanniC.Draftwhitepaperonstick[EB/OL].[6]ACMSIGCOMM.TheInternettrafficarchive[EB/OL].()(127)[2]SalimJH.Beyondsoftnet[A].5thAnnualLinuxShowcase&Conference,Oakland,California,1999.[3]WhiteR.InsideCiscoIOSsoftwarearchitecture[M].Indianapolis,USA:CiscoPress,2000.[4]KohlerE.Theclickmodularrouter[J].ACMTransac2tionsonComputerSystems,2000,18(3):263297.[5]ChenB,MorrisR.FlexiblecontrolofparallelisminamultiprocessorPCrouter[A].2001USENIXAnnualTechnicalConference,Boston,2001.[6]LevonJ.OProfile[EB/OL].[7]SquillanteMS,LazowskaED.Usingprocessor2cacheaffinityinformationinshared2memorymultiprocessorscheduling[J].IEEETransactionsonParallelandDis2tributedSystems,1993,4(2):131143.[8]RustyR.Unreliableguidetolocking[EB/OL].()5312,:©1995-2004TsinghuaTongfangOpticalDiscCo.,Ltd.Allrightsreserved.