UDP Reflection Attack Response Scheme Based on SDN

doi:10.19678/j.issn.1000-3428.0053065

Abstract

Abstract: Based on an Intrusion Detection System(IDS),this paper proposes a response scheme for User Datagram Protocol(UDP) reflection attacks from 5 kinds of UDP reflection attack amplifiers,including Character Generator Protocol(CharGen),Domain Name System(DNS),Network Time Protocol(NTP),Simple Network Management Protocol(SNMP) and Simple Service Discovery Protocol(SSDP).After the reflection attack amplifier is located,the scheme combines Software Defined Network(SDN) on the network boundary with response rules based on OpenFlow tables to filter control command messages,so UDP reflection attacks can be prevented.Test results on the network boundary of Nanjing main node of China Education and Research Computer Network(CERNET) demonstrate the operability and effectiveness of the proposed response scheme.

Key words: User Datagram Protocol(UDP), reflection attack amplifier, Software Defined Network(SDN), reflection attack response, network boundary

摘要： 针对字符发生器协议、域名系统协议、网络时钟协议、简单网络管理协议、简单服务发现协议这5种类型的用户数据报协议（UDP）反射攻击放大器，提出基于入侵检测系统（IDS）的UDP反射攻击响应方案。在定位到反射攻击放大器的前提下，结合网络边界的软件定义网络技术，采用基于OpenFlow流表的响应规则对控制命令报文进行过滤，从而阻止UDP反射攻击。在中国教育和科研计算机网南京主节点的网络边界上的测试结果验证了该响应方案的可操作性和有效性。

关键词: 用户数据报协议, 反射攻击放大器, 软件定义网络, 反射攻击响应, 网络边界

CLC Number:

TP393

DING Wei, ZHANG Qianfeng, ZHOU Wenfeng. UDP Reflection Attack Response Scheme Based on SDN[J]. Computer Engineering, 2020, 46(1): 121-128.

丁伟, 张千风, 周文烽. 基于SDN的UDP反射攻击响应方案[J]. 计算机工程, 2020, 46(1): 121-128.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0053065

http://www.ecice06.com/EN/Y2020/V46/I1/121

Figures/Tables 7

References

[1] PRINCE M.The DDoS that knocked spamhaus offline(and how we mitigated it)[EB/OL].[2018-10-15].https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/.
[2] NETSCOUT's 14th annual worldwide infrastructure security report[EB/OL].[2018-10-15].https://www.netscout.com/report/.
[3] DING Wei,WANG Li,SU Qi.UDP reflection attacks interception based on ACL[J].Journal of Huazhong University of Science and Technology(Nature Science Edition),2016,44(11):21-25.(in Chinese)丁伟,王力,苏琪.基于ACL的UDP反射攻击拦截[J].华中科技大学学报(自然科学版),2016,44(11):21-25.
[4] THOMAS D R,CLAYTON R,BERESFORD A R.1000 days of UDP amplification DDoS attacks[C]//Proceedings of 2017 APWG Symposium on Electronic Crime Research.Washington D.C.,USA:IEEE Press,2017:79-84.
[5] LI Gang.Research of scanning and DRDoS attack detection based on netflow[D].Nanjing:Southeast University,2016.(in Chinese)李刚.基于流记录的扫描和反射攻击行为主机检测[D].南京:东南大学,2016.
[6] ZHANG Weiwei,GONG Jian,DING Wei.NBOS:a fine network management system based on flow technology[C]//Proceedings of the 19th Annual Conference of CERNET.Jinan:Management Committee of CERNET,2012:41-46.(in Chinese)张维维,龚俭,丁伟,等.NBOS:一个基于流技术的精细化网管系统[C]//中国教育和科研计算机网CERNET第十九届学术年会论文集.济南:中国教育和科研计算机网CERNET管理委员会,2012:41-46.
[7] TAO Naiyong.The principle and protection methods of DDoS amplification attack[J].Telecommunication Network Technology,2017(10):89-93.(in Chinese)陶乃勇.DDoS放大攻击原理及防护方法[J].电信网技术,2017(10):89-93.
[8] JOHNSON D,DEERING S.Reserved IPv6 subnet anycast addresses:RFC2526[S].IETF,1999:1-3.
[9] JARRAYA Y,MADI T,DEBBABI M.A survey and a layered taxonomy of software-defined networking[J].Communications Surveys and Tutorials,2014,4(4):1955-1980.
[10] MCKEOWN N,ANDERSON T,BALAKRISHNAN H,et al.OpenFlow:enabling innovation in campus networks[J].ACM SIGCOMM Computer Communication Review,2008,38(2):69-74.
[11] LI Hefei,HUANG Xinli,ZHENG Zhengqi.Detection method of DDoS attack based on software defined network and its application[J].Computer Engineering,2016,42(2):118-123.(in Chinese)李鹤飞,黄新力,郑正奇.基于软件定义网络的DDoS攻击检测方法及其应用[J].计算机工程,2016,42(2):118-123.
[12] CHEN C C,CHEN Y R,LU W C,et al.Detecting amplification attacks with software defined networking[C]//Proceedings of IEEE Conference on Dependable and Secure Computing.Washington D.C.,USA:IEEE Press,2017:7-10.
[13] RIJSWIJK-DEIJ R V,SPEROTTO A,PRAS A.DNSSEC and its potential for DDoS attacks:a comprehensive measurement study[C]//Proceedings of Conference on Internet Measurement.New York,USA:ACM Press,2014:449-460.
[14] US-CERT.DNS amplification attacks[EB/OL].[2018-10-15].https://www.us-cert.gov/ncas/alerts/TA13-088A.
[15] MAREK M,OLAFUR G.Deprecating the DNS ANY meta-query type[EB/OL].[2018-10-15].https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/.
[16] FINCH T.The qmail ANY query bugs[EB/OL].[2018-10-15].https://fanf.livejournal.com/122220.html.
[17] ANDREWS M.Extension Mechanisms for DNS(EDNS) EXPIRE option:RFC 7314[S].Internet Systems Consortium,2014:1-4.
[18] DAGON D,ANTONAKAKIS M,VIXIE P,et al.Increased DNS forgery resistance through 0x20-bit encoding:security via leet queries[C]//Proceedings of ACM Conference on Computer and Communications Security.Alexandria,USA:[s.n.],2008:211-222.
[19] BERTI-EQUILLE L,ZHAUNIAROVICH Y.Profiling DRDoS attacks with data analytics pipeline[C]//Proceedings of 2017 ACM Conference on Information and Knowledge Management.New York,USA:ACM Press,2017:1983-1986.
[20] PAXSON V.An analysis of using reflectors for distributed denial-of-service attacks[J].ACM SIGCOMM Computer Communication Review,2001,31(3):38-47.

Please choose a citation manager

Content to export