基于轻量级虚拟化的LDDoS仿真方法

doi:10.19678/j.issn.1000-3428.0054002

摘要/Abstract

摘要： 低速率分布式拒绝服务（LDDoS）攻击是一种复杂的大规模网络攻击行为，已成为当前网络面临的严重安全威胁之一，建立仿真平台研究LDDoS攻防技术，可以提升仿真的逼真性且保证仿真规模。为此，基于轻量级虚拟化技术，提出一种针对BGP会话的LDDoS仿真方法，通过融合网络拓扑构建、攻击场景配置和采集与分析过程，搭建仿真体系架构，并给出该架构基于轻量级虚拟化技术的实现方法。实验结果表明，相比于GTNeTS和GNS3方法，该方法具有逼真性高、扩展性强和仿真规模大的优势，单物理服务器可构建具备400个路由节点规模的LDDoS仿真场景，可为大规模LDDoS的攻防策略研究提供仿真技术基础。

关键词: 网络安全, 网络仿真, 轻量级虚拟化, BGP会话, 低速率分布式拒绝服务攻击

Abstract: Low-rate Distributed Denial-of-Service(LDDoS) attack,as a complex large-scale network attack,is one of the major threats faced by modern networks.It is necessary to establish an emulation platform to study LDDoS attack and defense method,so as to improve the emulation fidelity while ensuring emulation scale.Therefore,based on lightweight virtualization,this paper proposes an LDDoS emulation method for BGP connection.The emulation architecture is built by converging network topology construction,attack scene configuration,and acquisition and analysis.Then the implementation method of the emulation architecture based on lightweight virtualization technology is proposed.Experimental results show that compared with the GTNeTS method and the GNS3 method,the proposed method has the advantages of high fidelity,strong scalability and large emulation scale.With this method,a single physical server can construct an LDDoS emulation scene with four hundreds of routing nodes,so it can provide emulation technology foundation for the research of large-scale LDDoS attack and defense strategy.

Key words: network security, network emulation, lightweight virtualization, BGP connection, Low-rate Distributed Denial-of-Service(LDDoS) attack

中图分类号:

TP393

宋贺, 王晓锋. 基于轻量级虚拟化的LDDoS仿真方法[J]. 计算机工程, 2020, 46(3): 105-113.

SONG He, WANG Xiaofeng. LDDoS Emulation Method Based on Lightweight Virtualization[J]. Computer Engineering, 2020, 46(3): 105-113.

http://www.ecice06.com/CN/Y2020/V46/I3/105

图/表 13

20200321084847

20200321084850

20200321084854

20200321084857

20200321084900

20200321084902

20200321084906

20200321084909

20200321084912

20200321084916

20200321084919

20200321084922

20200321084927

参考文献

[1] FANG Binxing,JIA Yan,LI Aiping,et al.Cyber ranges:state-of-the-art and research challenges[J].Journal of Cyber Security,2016,1(3):1-9.(in Chinese)方滨兴,贾焰,李爱平,等.网络空间靶场技术研究[J].信息安全学报,2016,1(3):1-9.
[2] LI Song,ZHUGE Jianwei,LI Xing.Study on BGP security[J].Journal of Software,2013,24(1):121-138.(in Chinese)黎松,诸葛建伟,李星.BGP安全研究[J].软件学报,2013,24(1):121-138.
[3] WEN Kun,YANG Jiahai,ZHANG Bin.Survey on research and progress of low-rate denial of service attacks[J].Journal of Software,2014,25(3):591-605.(in Chinese)文坤,杨家海,张宾.低速率拒绝服务攻击研究与进展综述[J].软件学报,2014,25(3):591-605.
[4] ZHANG Ying,MAO Zuoqing,WANG Jia.Low-rate TCP-targeted DoS attack disrupts Internet routing[C]//Proceedings of the Network and Distributed System Security Symposium.San Diego,USA:Internet Society,2007:1-15.
[5] SCHUCHARD M,MOHAISEN A,FOO KUNE D,et al.Losing control of the Internet:using the data plane to attack the control plane[C]//Proceedings of the 17th ACM Conference on Computer and Communications Security.New York,USA:ACM Press,2010:726-728.
[6] ZHANG Yiyi,ZHU Yuefei,GAO Xiang.DDoS attack against router with border gateway protocol and precaution[J].Computer Engineering,2012,38(19):103-106.(in Chinese)张依依,祝跃飞,高翔.针对BGP路由器的DDoS攻击及防范措施[J].计算机工程,2012,38(19):103-106.
[7] LI Heshuai,ZHU Junhu,QIU Han,et al.The new threat to Internet:DNP attack with the attacking flows strategizing technology[J].International Journal of Communication Systems,2015,28(6):1126-1139.
[8] WU Zhijun,CUI Yi,YUE Meng,et al.Cross-correlation based synchronization mechanism of LDDoS attacks[J].Journal of Networks,2014,9(3):604-611.
[9] LI Heshuai,ZHU Junhu,WANG Qingxian,et al.LAAEM:a method to enhance LDoS attack[J].IEEE Communications Letters,2016,20(4):708-711.
[10] GUO Yi,YAN Juwei,QIU Han,et al.A CRF-theory-based method for BGP-LDoS attack detection[C]//Proceedings of the 2nd IEEE International Conference on Computer and Communications.Washington D.C.,USA:IEEE Press,2016:1071-1075.
[11] GUO Yi,DUAN Haixin,CHEN Jikun,et al.MAF-SAM:an effective method to perceive data plane threats of inter domain routing system[J].Computer Networks,2016,110:69-78.
[12] CHEN Shiyun,LIU Yuan,WANG Xiaofeng.An optimized low-rate distributed denial of service attack strategy for Internet backbone network[J].Computer Applications and Software,2016,33(8):289-293.(in Chinese)陈世云,刘渊,王晓锋.面向Internet骨干网的优化LDDoS策略[J].计算机应用与软件,2016,33(8):289-293.
[13] CHEN Xingman,GUO Yanhui,LI Qi.Study on simulated ZMW attack[C]//Proceedings of the 5th International Conference on Education,Management,Information and Medicine.Paris,France:Atlantis Press,2015:690-698.
[14] DUTTA A,GNAWALI O.Large-scale network protocol emulation on commodity cloud[C]//Proceedings of Global Communications Conference.Washington D.C.,USA:IEEE Press,2014:1114-1119.
[15] ANDEL T R,STEWART K E,HUMPHRIES J W.Using virtualization for cyber security education and experimenta-tion[C]//Proceedings of the 14th Colloquium for Information System Security Education.Baltimore,USA:CISSE,2010:130-136.
[16] HUANG Minhuan,ZHANG Yaoxue,XU Fei,et al.Design of virtualization platform for router simulation[J].Journal of System Simulation,2014,26(8):1672-1677.(in Chinese)黄敏桓,张尧学,许飞,等.基于虚拟化技术的路由仿真实验平台设计[J].系统仿真学报,2014,26(8):1672-1677.
[17] ZHENG Xianyi,SHI Gang,MENG Dan.A survey on system security isolation technology[J].Chinese Journal of Computers,2017,40(5):1057-1079.(in Chinese)郑显义,史岗,孟丹.系统安全隔离技术研究综述[J].计算机学报,2017,40(5):1057-1079.
[18] HEGDE S S,JAYAREKHA P.Basic analysis of docker networking[J].International Journal of Advanced Research in Computer Science,2017,8(5):740-743.
[19] DENG Bo,MAO Hongyu,WANG Xiaofeng,et al.Emulation method for the fusion of virtual and physical networks supported by cloud platform[J].Journal of Chinese Computer Systems,2018,39(3):478-483.(in Chinese)邓博,毛红宇,王晓锋,等.云平台支撑下的虚实网络融合仿真方法[J].小型微型计算机系统,2018,39(3):478-483.
[20] ABDELMONIEM A M,BENSAOU B.SDN-based incast congestion control framework for data centers:implementation and evaluation[C]//Proceedings of IEEE International Conference on Communications.Washington D.C.,USA:IEEE Press,2016:1-17.

选择文件类型/文献管理软件名称

选择包含的内容