Analyzing Distributed Denial Of Service Tools The Shaft Case
SDN下基于深度学习混合模型的DDoS攻击检测与防御
第39卷第7期通信学报V ol.39No.7 2018年7月Journal on Communications July 2018 SDN下基于深度学习混合模型的DDoS攻击检测与防御李传煌,吴艳,钱正哲,孙正君,王伟明(浙江工商大学信息与电子工程学院,浙江杭州 310018)摘 要:软件定义网络(SDN, software defined network)作为一种新兴的网络架构,其安全问题一直是SDN领域研究的热点,如SDN控制通道安全性、伪造服务部署及外部分布式拒绝服务(DDoS, distributed denial of service)攻击等。
针对SDN安全中的外部DDoS攻击问题进行研究,提出了一种基于深度学习混合模型的DDoS攻击检测方法——DCNN-DSAE。
该方法在构建深度学习模型时,输入特征除了从数据平面提取的21个不同类型的字段外,同时设计了能够区分流类型的5个额外流表特征。
实验结果表明,该方法具有较高的精确度,优于传统的支持向量机和深度神经网络等机器学习方法,同时,该方法还可以缩短分类检测的处理时间。
将该检测模型部署于控制器中,利用检测结果产生新的安全策略,下发到OpenFlow交换机中,以实现对特定DDoS攻击的防御。
关键词:分布式拒绝服务;软件定义网络;攻击检测;深度学习中图分类号:TP393文献标识码:Adoi: 10.11959/j.issn.1000−436x.2018128DDoS attack detection and defense based onhybrid deep learning model in SDNLI Chuanhuang, WU Yan, QIAN Zhengzhe, SUN Zhengjun, WANG WeimingSchool of Information and Electronic Engineering, Zhejiang Gongshang University, Hangzhou 310018, ChinaAbstract: Software defined network (SDN) is a new kind of network technology, and the security problems are the hot topics in SDN field, such as SDN control channel security, forged service deployment and external distributed denial of service (DDoS) attacks. Aiming at DDoS attack problem of security in SDN, a DDoS attack detection method called DCNN-DSAE based on deep learning hybrid model in SDN was proposed. In this method, when a deep learning model was constructed, the input feature included 21 different types of fields extracted from the data plane and 5 extra self-designed features of distinguishing flow types. The experimental results show that the method has high accuracy, it’s better than the traditional support vector machine (SVM) and deep neural network (DNN) and other machine learning methods. At the same time, the proposed method can also shorten the processing time of classification detection. The de-tection model is deployed in SDN controller, and the new security policy is sent to the OpenFlow switch to achieve the defense against specific DDoS attack.Key words: distributed denial of service, software defined network, attack detection, deep learning收稿日期:2018−02−28;修回日期:2018−05−16基金项目:国家重点研发计划基金资助项目(No.2017YFB0803202);浙江省自然科学基金资助项目(No.LY18F010006);浙江省新型网络标准与应用技术重点实验室基金资助项目(No.2013E10012);浙江省重点研发计划基金资助项目(No.2017C03058)Foundation Items: The National Key Research and Development Program of China (No.2017YFB0803202), The Natural Science Foundation of Zhejiang Province (No.LY18F010006), The Key Laboratory of New Network Standards and Technologies of Zhejiang Province (No.2013E10012), The National Key Research and Development Program of Zhejiang Province (No.2017C03058)第7期李传煌等:SDN下基于深度学习混合模型的DDoS攻击检测与防御·177·1引言分布式拒绝服务(DDoS, distributed denial of service)[1]攻击是一种具有极强危害性的分布式、大范围协同作战的网络攻击方式,攻击者利用其控制的众多傀儡机,同时向被攻击目标发起拒绝服务(DoS, denial of service)攻击,最终导致被攻击目标的系统资源耗尽甚至崩溃,被攻击目标“拒绝”为正常用户提供所需服务。
计算机网络缩写
计算机网络缩写AACK (ACKnowledgement) 确认ADSL (Asymmetric Digital Subscriber Line) 非对称数字用户线API (Applicatin Programming Interface) 应用编程接口ARP (Address Resolution Protocol) 地址解析协议ARQ (Automatic Repeat reQuest) 自动重传请求BBGP (Border Gateway Protocol) 边界网关协议BOOTP (BOOTstrap Protocol) 引导程序协议CCDM(Code Division Multiplexing)码分复用CDMA(Code Division Multiplex Access)码分多址CIDR(Classless InterDomain Routing)无分类域间路由选择CRC(Cyclic Redundancy Check)循环冗余检查CSMA/CD(Carrier Sense Multiple Access/Collision Detection),载波监听多点接入/冲突检测CSMA/CA(Carrier Sense Multiple Access/Collision Avoidance),载波监听多点接入/冲突避免DDHCP(Dynamic Host Configuration Protocol)动态主机配置协议DNS(Domain Name System)域名系统EEGP(External Gateway Protocol)外部网关协议FFDM(Frequency Division Multiplexing) 频分复用FIFO(First In First Out) 先进先出FTP(File Transfer Protocol) 文件传送协议HHDLC(Highlevel Data Link Control) 高级数据链路控制HTML(HyperText Markup Language)超文本标记语言HTTP(HyperText Transfer Protocol)超文本传送协议IICMP(Internet Control Message Protocol)国际控制报文协议IGMP(Internet Group Management Protocol)网际组管理协议IGP(Interior Gateway Protocol)内部网关协议ISP(Internet Service Provider)因特网服务提供者LLAN(Local Arae Network)局域网LCP(Link Control Protocol)链路控制协议LLC(Logical Link Control)逻辑链路控制MMAC(Medium Access Control)媒体接入控制MIPS(Million Instructions Per Second)百万指令每秒OOSI/RM (Open Systems Interconnection Reference Model) 开放系统互连基本参考模型OSPF (Open Shortest Path First) 开放最短通路优先PP2P (PeertoPeer)对等方式PING(Packet InterNet Groper) 分组网间探测,乒程序,ICMP 的一种应用POP(Post Office Protocol) 邮局协议PPP(PointtoPoint Protocol over Ethernet) 点对点协议PPPoE(PointtoPoint Protocol over Ethernet)以太网上的点对点协议RRIP(Routing Information Protocol)路由信息协议SSMTP(Simple Mail Transfer Protocol)简单邮件传送协议SNMP(Simple Network Management Protocol)简单网络管理协议TTCP(Transmission Control Protocol) 传输控制协议TDM(Time Division Multiplexing) 时分复用TELNET(TELetype NETwork) 电传机网络,一种因特网的应用程序TFTP(Trivial File Transfer Protocol) 简单文件传送协议TLD(Top Level Domain) 顶级域名UUDP(User Datagram Protocol) 用户数据报协议VVLAN(Virtual LAN) 虚拟局域网WWAN (Wide Area Network) 广域网WDM (Wavelength Division Multiplexing) 波分复用————————————————————————————————————AACK (ACKnowledgement) 确认ADSL (Asymmetric Digital Subscriber Line) 非对称数字用户线AES (Advanced Encryption Standard) 先进的加密标准AF PHB (Assured Forwarding PerHop Behavior) 确保转发每跳行为AH (Authntication Header) 鉴别首部AIMD (Additive Increase Multiplicative Decrease) 加法增大乘法减小AN (Access Network) 接入网ANSI (American National Standards Institute) 美国国家标准协会AP (Access Point) 接入点AP (Application) 应用程序API (Applicatin Programming Interface) 应用编程接口APNIC (Asia Pacific Network Information Center) 亚太网络信息中心ARIN (American Registry for Internet Numbers) 美国因特网好码注册机构ARP (Address Resolution Protocol) 地址解析协议ARPA (Advanced Research Project Agency) 美国国防部远景研究规划局(高级研究计划署)ARQ (Automatic Repeat reQuest) 自动重传请求AS (Authentication System) 自治系统AS (Authentication Server) 鉴别服务器ASCII (American Standard Code for Information Interchange) 美国信息交换标准码ASN (Autonomous System Number) 自治系统号ASN.I (Abstract Syntax Notation One) 抽象语法记法1ATM (Asynchronous Transfer Node) 异步传递发式ATU (Access Termination Unit) 接入端接单元ATUC(Access Termination Unit Central Office) 端局接入端接单元ATUR(Access Termination Unit Remote) 远端接入端接单元AVT WG (Audio/Video Transport Working Group) 音频/视频运输工作组AWT (Abstract Window Toolkit) 抽象窗口工具箱BBER (Bit Error Rate) 误码率BER (Basic Encoding Rule) 基本编码规则BGP (Border Gateway Protocol) 边界网关协议BOOTP (BOOTstrap Protocol) 引导程序协议BSA (Basic Service Area ) 基本服务区BSS (Basic Service Set) 基本服务集BSSID (Basic Service Set ID) 基本服务集标识符BT (Bit Torrent) 一种P2P 程序CCA(Certification Authority)认证中心CA(Collision Avoidance)碰撞避免CATV(Community Antenna TV,Cable TV)有线电视CBT(Core Based Tree)基于核心的转发树CCIR(Consultative Committee ,International Radio)国际无线电咨询委员会CCITT(Consutative Committee, International Telegraph and Telephone)国际电报电话咨询委员会CDM(Code Division Multiplexing)码分复用CDMA(Code Division Multiplex Access)码分多址CE(Consumer Electronics)消费电子设备CFI(Canonical Format Indicator)规范格式指示符CGI(Common Gateway Interface)通用网关接口CHAP(ChallengeHandshake Authentication Protocol)口令握手鉴别协议CIDR(Classless InterDomain Routing)无分类域间路由选择CNAME(Canonical NAME)规范名CNNIC(Network Information Center of China)中国互联网络信息中心CRC(Cyclic Redundancy Check)循环冗余检查CSACELP(ConjugateStructure AlgebraicCodeExcited Linear Prediction)共轭结构代数码激励线性预测(声码器)CSMA/CD(Carrier Sense Multiple Access/Collision Detection),载波监听多点接入/冲突检测CSMA/CA(Carrier Sense Multiple Access/Collision Avoidance),载波监听多点接入/冲突避免CSRC(Contributing SouRCe identifier)参与源标知符CTS(Clear To Send)允许发送DDACS(Digital Access and Crossconnect System)数字交接系统DARPA(Defense Advanced Research Project Agency)美国国防部远景规划局(高级研究署) DCF(Distributed Coordination Function)分布协调功能DDoS(Distributed Denial of Service)分布式拒绝服务DES(Date Encryption Standard)数据加密标准DF(Don’t Fragment)不能分片DHCP(Dynamic Host Configuration Protocol)动态主机配置协议DiffServ(Distributed Coordination Identifier)数据链路连接标知符DIFS(Distributed Coordination Function IFS)分布协调功能祯间间隔DLCI(Data Link Connection Identifier)数据链路连接标知符DMT(Discrete MultiTone)离散多音(调制)DNS(Domain Name System)域名系统DOCSIS(Data Over Cable Service Interface Specifications)电缆数据服务接口规约DoS(Denial of Service)拒绝服务DS(Distribution System)分配系统DS(Differentiated Services)区分服务(也写作DiffServ)DSCP(Differentiated Services CodePoint)区分服务码点DSL(Digital Subscriber Line)数字用户线DSLAM(DSL Access Multiplexer)数字用户线接入复用器DSSS(Direct Sequence Spread Spectrum)直接序列扩展DVMRP(Distance Vector Multicast Routing Protocol)距离向量多播路由选择协议DWDM(Dense WDM)密集波分复用EEBCDIC(Extended BinaryCoded Decimal Interchangfe Code)扩充的二、十进制交换码EDFA(Erbirm Dooped Fiber Amplifier)掺铒光纤放大器EFM(Ethernet in the First Mile)第一英里的以太网EFPHB(Expedited Forwarding PerHop Behavior)迅速转发每跳行为EGP(External Gateway Protocol)外部网关协议EIA(Electronic Industries Association)美国工业协会EOT(End Of Transmission)传输结束ESP(Encapsulating Security Payload)封装完全有效载荷ESS(Extended Servic Set)扩展的服务集ETSI(European Telecommunications Standrards Institute)欧洲电信标准协会EUI(Extended Unique Identifier)扩展的唯一标识符FFC(Fibre Channel)光纤通道FCS(Frame Check Sequence)帧检验列FDDI(Fiber Distributed Data Interface)光纤分布式数据FDM(Frequency Division Multiplexing) 频分复用FEC(Forwarding Equivalence Class) 转发等价类FFD(FullFunction Device) 全功能设备FHSS(Frequency Hopping Spread Spectrum) 跳频扩频FIFO(First In First Out) 先进先出FQ(Fair Queuing) 公平排队FTP(File Transfer Protocol) 文件传送协议FTTB(Fiber To The Building) 光纤到大楼FTTC(Fiber To The Curb) 光纤到路边5FTTD(Fiber To The Door) 光纤到门户FTTF(Fiber To The Floor) 光纤到楼层FTTH(Fiber To The Home) 光纤到家FTTN(Fiber To The Neighbor) 光纤到邻居FTTO(Fiber To The Office) 光纤到办公室FTTZ(Fiber To The Zone) 光纤到小区GGIF(Graphics Interchange Format) 图形交换格式GSM(Graphics System for Mobile) 全球移动通信系统,GSM 体制HHDLC(Highlevel Data Link Control) 高级数据链路控制HDSL(High speed DSL) 高速数字用户线HFC(Hybrid Fiber Coax) 光纤同轴混合(网)HIPPI(HighPerformance Parallel Interface) 高性能并行接口HRDSSS(High Rate Direct Sequence Spread Spectrum) 高速直接序列扩频HSSG(High Speed Study Group)高速研究组HTML(HyperText Markup Language)超文本标记语言HTTP(HyperText Transfer Protocol)超文本传送协议IIAB(Internet Assigned Numbers Authority)因特网体系结构委员会IANA(Internet Corporation for Assigned Names and Numbers)因特网赋号管理局ICANN(Internet Corporation for Assigned Names and Numbers ) 因特网名字与号码指派公司ICMP(Internet Control Message Protocol)国际控制报文协议IDEA(Internet Data Encryption Algorithm)国际数据加密算法IEEE(Institute of Electrical and Electronic Engineering)(美国)电气和电子工程师学会IESG(Internet Engineering Steering Group)因特网工程指导小组IETF(Internet Engineering Task Force)因特网工程部IFS(InternetFrame Space)桢间间隔IGMP(Internet Group Management Protocol)网际组管理协议IGP(Interior Gateway Protocol)内部网关协议IM(Instant Messaging)即时传信IMAP(Internet Message Access Protocol)因特网报文存取协议IntServ(Integrated Services)综合服务IP(Internet Protocol)网际协议IPCP(IP Control Protocol)IP 控制协议IPng(IP Next Generation)下一代的IPIPRA(Intenet Policy Registration Authorrity)因特网政策登记管理机构IPsec(IP security)IP 安全协议IPX(Internet Packet Exchange)Novel 公司的一种联网协议IR(InfraRed)红外技术IRSG(Internet Reseach Seering Group)因特网研究指导小组IRTF(Internet Reaserch Task Force)因特网研究部ISDN(Integrated Services Digital Network)综合业务数字网ISO(International Organization for Standardization)国际标准化组织ISOC(Internet Society)因特网协会ISM(Industrial,Scientific,and Medical)工业、科学与医药(频段)ISP(Internet Service Provider)因特网服务提供者ITU(Internation Telecommunication Union)国际电信联盟ITUT(ITU Telecommunication Standardization Sector)国际电信联盟电信标准化部门JJPEG(Joint Photographic Expert Group)联合图像专家JVM(java Virtual Machine)java 虚拟机KKDC(Key Distributio Center)密钥分配中心LLACNIC(Latin American&Caribbean Network InternetCenter)拉美与加勒比海网络信息中心LAN(Local Arae Network)局域网LCP(Link Control Protocol)链路控制协议LDP(Lable Distribution Protocol)标记分配协议LED(Light Emitting Diode)发光二极管LMDS(Local Multipoint Distribution System)本地多点分配系统LLC(Logical Link Control)逻辑链路控制LoS(Line of Sight)视距LPC(linear Prediction Coding)线性预测编码LSP(Label Switched Path)标记交换路径LSR(Label Switching Router)标记交换路由器MMAC(Medium Access Control)媒体接入控制MACA(Multiple Access with Collision Avoidance)具有碰撞避免的多点接入MAGIC(Mobile multimedia,Anytime/anywhere,Global mobility support,Integrated wireless and Customized personal service)移动多媒体、任何时间/地点、支持全球移动性、综合无线和定制的个人服务MAN(Metropolitan Area Network)城域网MANET(Mobile Adhoc NETworks)移动自组网络的工作组MBONE(Multicast Backbone On the InterNEt)多播主干网MCU(Multipoint Control Unit)多点控制单元MD(Message Digest)报文摘要MF(More Fragment)还有分片MFTP(Multisource File Transfer Protocol)多源文件传输协议MIB(Management Information Base)管理信息库MIME(Multipurpose Internet Mail Extensions)通用因特网邮件扩充MIPS(Million Instructions Per Second)百万指令每秒MMUSIC(Multiparty MUltimedia SessIon Control)多参与者多媒体会话控制MOSPF(Multicast extensions to OSPF)开放最短通路优先的多播扩展MP3(Mpeg1 Audio layer3)一种音频压缩标准MPEG(Motion Picture Experts Group)活动图像专家组MPLS(MultiProtocol Label Switching)多协议标记交换MPPS(Million Packets Per Second)百万分组每秒MRU(Maximum Receive Unit)最大接收单元MSL(Maximum Segment Lifetime)最长报文段寿命MSS(Maximum Segment Size)最长报文段MTU(Maximum Transfer Unit)最大传送单元NNAP(Network Access Point)网络接入点NAT(Network Address Translation)网络地址转换NAV(Network Allocation Vector)网络分配向量NCP(Network Control Protocol)网络控制协议NFS(Network File System)网络文件系统NGI(Next Generation Internet)下一代因特网NGN(Next Generation Network)下一代电信网NIC(Network Interface Card)网络接口卡、网卡NLA(NextLevel Aggregation)下一级聚合NLRI(Network Layer Reachability Information) 网络层可达性信息NOC(Network Operations Center) 网络运行中心NSAP(Network Service Access Point) 网络层服务访问点NSF(Nationnal) (美国)国家科学基金会NVT(Network Virtual Terminal) 网络虚拟终端OOC (Optical Carrier) 光载波ODN (Optical Distribution Node) 光分配结点OFDM (Orthogonal Frequency Division Multiplexing) 正交频分复用OSI/RM (Open Systems Interconnection Reference Model) 开放系统互连基本参考模型OSPF (Open Shortest Path First) 开放最短通路优先OUI (Organizationally Unique Identifier) 机构唯一标识符PP2P (PeertoPeer)对等方式PAN(Personal Area Network) 个人区域网PAP(Password Authentication Protocol) 口令鉴别协议PARC(Polo Alto Research Center) (美国施乐公司(XEROX)的)PARC 研究中心PAWS(Protect Against Wrapped Sequence numbers) 防止序号绕回PCA(Policy Certification Authority) 政策认证中心PCF(Point Coordination Function) 点协调功能PCM(Pulse Code Modulation) 脉码调制PCMCIA(Personal Computer Memory Card Interface Adapter) 个人计算机存储器卡接口适配器PDA(Personal Digital Assistant) 个人数字助理PDU(Protocol Data Unit) 协议数据单元PEM(Privacy Enhanced Mail) 因特网的正式邮件加密技术PGP(Pretty Good Privacy) 一种电子邮件加密技术PHB(PerHop Behavior) 每跳行为PIFS (Point Coordination Function IFS) 点协调功能桢间间隔PIMDM(Protocol Independent MulticastDense Mode) 协议无关多播密集方式PIMSM(Protocol Independent MulticastSparse Mode) 协议无关多播稀疏方式PING(Packet InterNet Groper) 分组网间探测,乒程序,ICMP 的一种应用PK(public key) 公钥,公开密钥PKI(Public Key Infrastructure) 公钥基础结构PoP(Post Office Protocol) 汇接点POP(Post Office Protocol) 邮局协议POTS(Plain Old Telephone Service) 传统电话PPP(PointtoPoint Protocol over Ethernet) 点对点协议PPPoE(PointtoPoint Protocol over Ethernet)以太网上的点对点协议PS(POTS Splitter) 电话分离器PTE(Path Terminating Element) 路径端接设备QQAM (Quadrature Amplitude Modulation) 正交幅度调制QoS (Quality of Service) 服务质量QPSK(Quarternary Phase Shift Keying)正交相移键控RRA(Registration Authority)注册管理机构RARP(Reverse Address Resolution Protocol)逆地址解析协议RAS(Registration/Adminssion/Status)登记/接纳/状态RED(Random Early Detection)随机早期检测RED(Random Early Discard,Randomm Early Drop)随机早期丢弃RFC(Request For Comments)请求评论RG(Research Group)研究组RIP(Routing Information Protocol)路由信息协议RIPE(法文表示的European IP Network)欧洲的IP 网络RPB(Reverse Path Broadcasting )反向路由广播RSA(Rivest,Shamir and Adleman)用三个人名表示的一种公开密钥算法的名称RSVP(Resource reservation Protocol)实时传送控制协议RTCP(Realtime Transfer Protocol)RTO(RetransmissionTimeOut)超时重传时间RTP(RealtimeTransfer Protocol)实时传送协议RTS(Request To Send)请求发送RTSP(Realtime Streaming Protocol)实时流式协议RTT(RoundTrip TIme)往返时间SSA(Security Association)安全关联SACK(Selective ACK)选择确认SCTP(Stream Control Transmission Protocol)流控制传输协议SDH(Synchronous Digital Hierarchy)同步数字系列SDSL(Singleline DSL)对线的数字用户线SDU(Service Data Unit)服务数据单元SET(Secure Electronic Transaction)安全电子交易SHA(Secure Hash Algorithm)安全散列算法SIFS(Short IFS)短帧间间隔SIP(Session Initiation Protocol)会话发起协议SK(Secret Key)密钥SLA(Service Level Agreement)服务等级协议SMI(Structure of Management Information)管理信息结构SMTP(Simple Mail Transfer Protocol)简单邮件传送协议SNA(System Network Archiecture)系统网络体系结构SNMP(Simple Network Management Protocol)简单网络管理协议SOH(Start Of Header)首部开始SONET(Synchronous Optical Network)同步光纤网SPI(Security Parameter Index) 安全指数索引SRA(Seamless Rate Adaptation) 无缝速率自适应技术SSID(Service Set IDentifier) 服务集标识符SSL(Secure Socket Layer) 安全插口层,或安全套接层SSRC(Synchronous SouRce identifier) 同步源标实符STDM(Statistic TDM ) 统计时分复用STM(Synchronous Transfer Module) 同步传输模块STP(Shielder Teisted Pair) 屏蔽双绞线STS(Synchronous Transport Signal) 同步传送信号TTAG(TAG Swithcing) 标记交换TCB(Transmission Control Protocol) 传输控制程序块TCP(Transmission Control Protocol) 传输控制协议TDM(Time Division Multiplexing) 时分复用TELNET(TELetype NETwork) 电传机网络,一种因特网的应用程序TFTP(Trivial File Transfer Protocol) 简单文件传送协议TIA(Telecommunications Industries Association) 电信行业协会TLA(TopLevel Aggergation) 顶级聚合TLD(Top Level Domain) 顶级域名TLI(Transport Layer Interface) 运输层接口TLS(Transport Layer Security) 运输层安全协议TLV(Type Length Value)类型长度值TPDU(Transport Protocol Data Unit) 运输协议数据单元TSS(Telecommunication Standardization Sector) 电信标准化部门TTL(Time to Live) 生存时间,或寿命UUA(User Agent) 用户代理UAC(User Agent Client) 用户代理客户UAS(User Agent Server) 用户代理服务器UDP(User Datagram Protocol) 用户数据报协议UIB(User Interface Box) 用户接口盒URL(Uniform Resource Locator) 统一资源定位符UTP(Unshielder Twisted Pair) 无屏蔽双绞线UWB( UltraWideBand) 超宽带VVC(Virtual Circuit) 虚电路VCI( Virtual Channel Identifier) 虚拟路标识VDSL( Very high speed DSL) 甚高速数字用户线VID(VLAN ID) 标识符VLAN(Virtual LAN) 虚拟局域网VLSM(Variable Length Subner Mask) 变长子网掩码VoIP(Voice over IP) 在IP 上的话音VON(Voice On the Net) 在因特网上的话音VIP(Virtual Path Identifier) 虚拟道标识符VPN (Virtual Private Network) 虚拟专用网VSAT (Very Small Aperture Terminal) 甚小孔径地球站WWAN (Wide Area Network) 广域网WDM (Wavelength Division Multiplexing) 波分复用WEP (Wired Equivalent Privacy) 有线等效保密字段WFQ (Weighted Fair Queuing) 加权公平排队WG (Working Group) 工作组WiFi(WirelessFidelity)无线保真度(无线局域网的同义词)WIMAX(Worldwide interoperability for Microwave Access) 全球微波接入的互操作性,即WMAN。
网络信息安全英语练习题
网络信息安全英语练习题### Network Information Security Practice Questions1. Understanding Network Security Basics- Question: What is the primary function of a firewall in network security?- Answer: A firewall's primary function is to monitor and control incoming and outgoing network traffic based on predetermined security rules.2. Types of Network Attacks- Question: Differentiate between a DDoS attack and a phishing attack.- Answer: A DDoS (Distributed Denial of Service) attack overwhelms a website or server with a flood of traffic, making it inaccessible. A phishing attack, on the other hand, involves tricking individuals into revealing sensitive information, such as passwords or credit card numbers, through deceptive emails or websites.3. Cryptography- Question: Explain the difference between symmetric and asymmetric encryption.- Answer: Symmetric encryption uses the same key for both encryption and decryption, making it faster but requiring secure key distribution. Asymmetric encryption uses a pair of keys, a public key for encryption and a private key for decryption, which enhances security but is computationallyslower.4. Secure Communication Protocols- Question: What is SSL/TLS and why is it important for secure communication?- Answer: SSL/TLS (Secure Sockets Layer/Transport Layer Security) is a protocol used to provide secure communication over the internet. It is important because it encrypts data being transmitted, ensuring that it cannot be intercepted and read by unauthorized parties.5. Vulnerability Management- Question: How can organizations manage and mitigate software vulnerabilities?- Answer: Organizations can manage and mitigate software vulnerabilities by regularly updating and patching software, conducting vulnerability assessments, and implementing a strong patch management policy.6. Network Security Policies- Question: What are the key components of a network security policy?- Answer: Key components of a network security policy include access control, password policies, network segmentation, incident response plan, and user education on security practices.7. Wireless Security- Question: What is WPA2 and why is it preferred over WPA for wireless security?- Answer: WPA2 (Wi-Fi Protected Access II) is a securityprotocol for wireless networks that provides stronger encryption and is more secure than WPA. It is preferred dueto its use of the Advanced Encryption Standard (AES), whichis more resistant to hacking attempts.8. Intrusion Detection Systems (IDS)- Question: What is the role of an IDS in network security? - Answer: An IDS monitors network traffic for suspicious activity or policy violations. It can detect and alert administrators to potential intrusions or attacks, allowingfor a timely response to mitigate threats.9. Social Engineering- Question: How can social engineering attacks be prevented?- Answer: Social engineering attacks can be prevented by educating employees about the tactics used in such attacks, implementing strict security policies, and encouraging a culture of skepticism towards unsolicited communications.10. Incident Response- Question: What steps should be taken when a security incident is detected?- Answer: Upon detecting a security incident, stepsshould include isolating the affected system, collecting evidence, analyzing the incident, eradicating the threat, restoring affected systems, and reviewing the incident to improve security measures.11. Data Protection- Question: What measures can be taken to protectsensitive data?- Answer: Measures to protect sensitive data include data encryption, access controls, regular backups, and secure data disposal practices.12. Compliance and Regulations- Question: Why is compliance with data protection regulations important?- Answer: Compliance with data protection regulations is important to protect the privacy of individuals, maintain trust with customers, and avoid legal penalties and reputational damage.Remember, these practice questions are designed to test your understanding of network information security concepts and practices. It is essential to stay updated with the latest security trends and technologies to effectively protect your networks and data.。
vulnerability analysis of the financial network
vulnerability analysis of the financial networkAbstractAs the development of the financial network accelerates, the increasingly complex financial networks have become an integral part of our daily lives. At the same time, the financial networks have also become a target for malicious attacks from cybercriminals. In this paper, we discuss the vulnerabilities of the financial networks and propose security measures to reduce financial network vulnerabilities. Firstly, we introduce the basic concepts of the financial network. Then, we analyze the potential threats to the financial network. In addition, a comprehensive analysis of the vulnerabilities of the financial network is provided. Finally, a number of security control measures are proposed to reduce the financial network vulnerabilities.IntroductionWith the rapid development of the Internet, the global financial system is gradually transitioning from traditional financial operations to the digital financial network, which is becoming increasingly complex. The financial network is a complex system composed of a variety of users, operators, systems and services. It provides users with access to banking,investment, fund management and other financial services. The financial network itself is vulnerable to attacks, and the lack of security control measures can lead to devastating losses. Therefore, it is necessary to conduct a security analysis of the financial network to identify its vulnerabilities and take corresponding security measures.Threat AnalysisThe potential threats to the financial network may come from internal or external sources. For internal threats, malicious codes and malicious programs created by internal malicious individuals are the most common. These malicious programs can be used to steal user information, such as user name, password, bank account number and credit card number. Other internal threats come from system failures, such as missed updates, system crashes, or unauthorized access to the system. For external threats, malicious codes created by cybercriminals are the greatest threats. These malicious codes can be used to steal user information, hijack user accounts, and cause financial losses. Other external threats include social engineering attacks, phishing attacks, and Distributed Denial of Service (DDoS) attacks.Vulnerability AnalysisThe vulnerabilities of the financial network can be divided into two categories, software vulnerabilities and hardware vulnerabilities. Software vulnerabilities refer to the vulnerabilities caused by the errors of software design, development, operation and maintenance. Common software vulnerabilities include buffer overflow vulnerabilities, SQL injection vulnerabilities, and authentication vulnerabilities. The hardware vulnerabilities refer to the vulnerabilities of the hardware related devices in the network system, such as routers and switches, which may be caused by aging, poor security configuration and lack of monitoring.Security Control MeasuresThe security control measures for the financial network should be comprehensive and include preventive, corrective, supervisory and other measures. Firstly, preventive measures should be taken to reduce the risks of attacks. These measures include the establishment of a secure financial network architecture, the selection of secure network hardware and software, and the implementation of comprehensive network security policies. Secondly, corrective measures should be taken in the event of an attack. These measures include the timely correction of vulnerabilities, the implementation ofmalicious code detection and prevention measures, and the implementation of a comprehensive emergency response plan. Finally, supervisory measures should be taken to ensure that security measures are effectively implemented. These measures include the establishment of a monitoring system, the implementation of audit and inspection of security systems, and the establishment of a security team to monitor the security situation of the financial network in real time.ConclusionIn this paper, we have discussed the vulnerabilities of the financial network and proposed security measures to reduce financial network vulnerabilities. The implementation of these security control measures can effectively reduce the risks of financial network attacks and ensure the security and reliability of the financial network.。
术语对应的学科名词解释
术语对应的学科名词解释在我们的日常生活和学习中,我们经常会遇到各种各样的术语。
这些术语代表着特定学科中的概念或理论,是学术交流和专业研究的重要工具。
本文将通过一些常见的术语,为读者解释这些术语所对应的学科名词。
1. 熵(Entropy)熵是热力学中的一个重要概念,它代表了一个系统的无序程度。
在物理学中,熵被用来描述能量分布的混乱程度。
而在信息论中,熵则表示信息的不确定性或信息的平均信息量。
因此,熵这个术语既可在物理学中使用,也可在信息科学中使用。
2. 主观性(Subjectivity)主观性是哲学和心理学中常见的概念。
它指的是个体的主观经验和观点,与客观事实相对立。
主观性认为,每个人的认知和感受都是独特而个体化的,因此无法被客观的标准或规则所完全捕捉和测量。
主观性在哲学和心理学领域内有广泛的应用和研究。
3. 多样性(Diversity)多样性是生物学和社会科学领域中的一个重要概念。
在生物学中,多样性描述了一个生态系统或物种群体中的种类和数量多样性。
而在社会科学中,多样性则指代不同文化、民族、性别、背景等方面的差异和多元化。
多样性这个术语在不同学科中的具体定义和应用有所不同,但都强调了不同元素的多样性和丰富性。
4. 可持续发展(Sustainable Development)可持续发展是环境学和经济学中的一个重要概念。
它强调了人类社会的发展需求与生态环境的保护之间的平衡。
可持续发展要求我们在满足当前需求的同时,不损害未来世代的需求和资源。
该概念涉及到经济、社会和环境等多个领域,因此它的学科背景非常广泛。
5. 数据挖掘(Data Mining)数据挖掘是计算机科学和统计学中的一个术语。
它指的是通过从大量数据中提取模式、关联和知识等信息来发现隐藏在数据中的有价值的信息。
数据挖掘可以用于商业、科学和决策等领域,帮助我们了解数据背后的规律和趋势,从而做出更准确的预测和决策。
6. 经典条件作用(Classical Conditioning)经典条件作用是心理学中的一个重要概念,也被称为条件反射。
SYNFlood攻击的原理及防御
文章编号:2096-1472(2019)-03-29-03DOI:10.19644/ki.issn2096-1472.2019.03.009软件工程 SOFTWARE ENGINEERING 第22卷第3期2019年3月V ol.22 No.3Mar. 2019SYN Flood 攻击的原理及防御张文川(兰州石化职业技术学院,甘肃 兰州 730060)摘 要:SYN-Flood攻击是当前网络上最为常见的DDoS攻击,也是最为经典的拒绝服务攻击,它利用了TCP协议实现上的一个缺陷,通过向网络服务所在端口发送大量的伪造源地址的攻击报文,就可能造成目标服务器中的半开连接队列被占满,从而阻止其他合法用户进行访问。
为了有效防范这种攻击,在分析攻击原理的基础上,发现可以使用TCP代理防御及TCP源探测防御方法来解决这个问题,经过测试证明,该办法能够有效降低SYN Flood攻击造成的危害。
关键词:DDoS攻击;STN Flood攻击;TCP代理防御;TCP源探测防御中图分类号:TP399 文献标识码:AThe Principle and Defense of SYN Flood AttackZHANG Wenchuan(Lanzhou Petrochemical College of V ocational Technology ,Lanzhou 730060,China )Abstract:SYN-Flood attack is the most common DDoS attack and the most classic denial-of-service attack on the current network.It takes advantage of a flaw in TCP protocol implementation and sends a large number of attack packets of forged source addresses to the port where the network service is located,which may cause the semi-open connection queue in the target server to be occupied,thus preventing other legal users from accessing.In order to effectively prevent this attack,on the basis of analyzing the attack principle,it is found that TCP proxy defense and TCP source detection defense methods can be used to solve this problem.Testsprove that this method can effectively reduce the harm caused by SYN Flood attack.Keywords:DdoSattack;STN Flood attack;TCP proxy defense;TCP source detection defense基金项目:全国工业和信息化职业教育教学指导委员会工信行指委“基于校企合作人才培养模式的信息化教学的研究与实践”项目编号:【2018】20号.1 引言(Introduction)过去,攻击者所面临的主要问题是网络宽带不足,受限于较慢的网络速度,攻击者无法发出过多的请求。
新物种数字化科技英文缩写
新物种数字化科技英文缩写New Species of Digitized Technological English AbbreviationsIn the fast-paced world of technology, new species of digitized advancements emerge almost every day. These innovative breakthroughs come with their own set of terminologies and acronyms, allowing professionals to communicate efficiently and concisely. Let's explore some of the most commonly used abbreviations in the digital realm.1. AI - Artificial Intelligence: AI is the simulation of human intelligence processes by machines, especially computer systems. It involves tasks such as speech recognition, decision-making, problem-solving, and learning.2. IoT - Internet of Things: IoT refers to the network of physical devices, vehicles, and other objects embedded with sensors, software, and connectivity, allowing them to connect and exchange data. This technology enables smart homes, cities, and industries.3. VR - Virtual Reality: VR is an immersive experience that can be similar to or completely different from the real world. It is achieved using headsets that display synthetic environments, often with audio and haptic feedback, offering a sense of presence.4. AR - Augmented Reality: AR incorporates digital information, such as images and sounds, into the user's view of the real world, enhancing their perception and interaction with their surroundings.5. ML - Machine Learning: ML is a subset of AI that allows machines to learn from data without being explicitly programmed. It involves the development of algorithms that can identify patterns and make predictions or decisions based on the provided information.6. Big Data: Big Data refers to extremely large and complex datasets that cannot be processed using traditional methods. It involves capturing, storing, analyzing, andvisualizing data to uncover patterns, correlations, and insights that can drive informed decision-making.7. Cloud Computing: Cloud computing refers to the on-demand availability of computer system resources, such as storage, processing power, and applications, without the need for direct management by the user. It enables accessibility, scalability, and cost-effectiveness for businesses and individuals.8. SaaS - Software as a Service: SaaS is a software distribution model in which applications are hosted by a service provider and made available to customers over the internet. It eliminates the need for installation and maintenance of software on individual devices.9. UX - User Experience: UX focuses on enhancing the overall experience of users when interacting with a product or service. It encompasses elements such as usability, accessibility, and aesthetics, with the goal of providing a seamless and satisfying experience.10. UI - User Interface: UI refers to the visual and interactive elements that users engage with when using a software application or website. It involves designing intuitive and visually appealing interfaces that facilitate efficient and enjoyable user interactions.11. API - Application Programming Interface: An API specifies a set of rules and protocols that enable different software applications to communicate and exchange data with each other. It allows developers to leverage existing functionalities and build upon them to create new applications.12. Blockchain: Blockchain is a decentralized and distributed ledger technology that records transactions across multiple computers. It ensures transparency, security, and immutability, making it ideal for applications such as cryptocurrencies, supply chain management, and voting systems.13. 5G - Fifth Generation: 5G is the latest cellular network technology, offering faster speeds, lower latency, and greater capacity than its predecessors. It enablestransformative applications such as autonomous vehicles, remote surgery, and smart cities.14. RPA - Robotic Process Automation: RPA utilizes software robots or artificial intelligence to automate repetitive tasks and streamline business processes, reducing manual effort and improving efficiency.15. DDoS - Distributed Denial of Service: DDoS is a malicious attack that floods a network or website with an overwhelming amount of traffic, rendering it inaccessible to legitimate users.These are just a few examples of the numerous digitized technological abbreviations that shape the contemporary digital landscape. Familiarity with these acronyms is essential for professionals working in the technology industry, enabling effective communication and understanding of the latest advancements. Stay updated as new species of digitized technology continue to evolve and reshape our world.。
英语作文-电信行业网络安全挑战与解决方案探讨
英语作文-电信行业网络安全挑战与解决方案探讨In the realm of telecommunications, cybersecurity stands as a bastion against the ceaseless tide of digital threats that seek to undermine the integrity of networks and the confidentiality of data. The challenges are manifold, ranging from sophisticated cyber-attacks to the ever-evolving landscape of malware. Yet, within these challenges lie opportunities for innovation and strategic defense.The telecommunications industry is uniquely positioned at the crossroads of technology and communication, making it a prime target for cyber threats. The interconnected nature of telecom networks means that a breach in one area can have cascading effects across the system. Cybersecurity in this sector is not just about protecting data, but also ensuring the continuity of services that are critical to the functioning of modern society.One of the primary challenges in telecom cybersecurity is the protection of the infrastructure itself. The deployment of 5G technology, while a leap forward in terms of speed and connectivity, also opens up new avenues for attacks. The increased number of connected devices and the reliance on software-defined networking create multiple points of vulnerability. To counteract this, telecom companies must employ robust encryption methods, conduct regular security audits, and foster a culture of security awareness among employees.Another significant challenge is the threat posed by Distributed Denial of Service (DDoS) attacks. These attacks can cripple network infrastructure, leading to service outages and financial losses. Telecom providers must implement advanced DDoS mitigation strategies, such as the deployment of intelligent DDoS protection systems that can detect and respond to attacks in real-time.Phishing attacks also pose a serious threat, as they target the human element of cybersecurity. Employees and customers alike can be deceived into providing sensitiveinformation or granting access to secure systems. Education and training programs are essential in equipping individuals with the knowledge to identify and avoid such scams.The solutions to these challenges are as diverse as the threats themselves. Artificial intelligence and machine learning can play pivotal roles in detecting anomalies and predicting potential breaches before they occur. By analyzing vast amounts of data, these technologies can identify patterns indicative of cyber threats and automate responses to neutralize them swiftly.Collaboration is another key element in the fight against cyber threats. Telecom companies must work closely with government agencies, cybersecurity firms, and each other to share intelligence about threats and best practices for defense. This collective approach enhances the ability to respond to threats and strengthens the overall security posture of the industry.In conclusion, the cybersecurity challenges faced by the telecommunications industry are complex and dynamic. However, through a combination of technological innovation, strategic planning, and collaborative effort, these challenges can be met with effective solutions. The goal is clear: to create a secure and resilient digital environment where communication can thrive without the shadow of cyber threats looming overhead. This endeavor is not only about safeguarding data but also about preserving the trust and reliability that are the cornerstones of the telecommunications industry. 。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
Analyzing Distributed Denial Of Service Tools: The Shaft Case Sven Dietrich –NASA Goddard Space Flight CenterNeil Long –Oxford UniversityDavid Dittrich –University of WashingtonABSTRACTIn t his paper we present an analysis of Shaft , an example of malware used in dist ribut ed denial of service (DDoS) attacks. This relatively recent occurrence combines well-known denial of service a t t acks (such as TCP SYN flood, smurf, and UDP flood) wi t h a dis t ribu t ed and coordinated approach to create a powerful program, capable of slowing network communications to a grinding halt.Denial of service at t ack programs,root kits ,and net work sniffers have been around in t he comput er underground for a very long t ime. They have not gained nearly t he same level of a en ion by he general public as did he Morris Internet Worm of 1988, bu have slowly progressed in t heir development . As more and more syst ems have come t o be required for business, research, educat ion, t he basic funct ioning of government , and now ent ert ainment and commerce from people’s homes, t he increasingly large number of vulnerable sys tems has converged wit h t he development of t hese t ools t o creat e a sit uat ion t hat result ed in dist ribut ed denial of service attacks that took down the largest e-commerce and media sites on the Internet.In contrast, we provide a comparative analysis of several distributed denial of service tools(e.g., Trinoo, TFN, Stacheldraht, and Mstream), look at emerging countermeasures against someof these tools. We look at practical examples of these techniques, provide some examples from test environments and finally talk about future trends of these distributed tools.IntroductionNet work-based at t acks are not hing new,but up t o last year t he t echniques ut ilized were focused on simple point -t o-point denial of service. By denial of service we mean overwhelming the victim host or net-work to the point of unresponsiveness to the legitimate user.We provide a little overview,by no means com-plete, of previous point-to-point denial of service tech-niques. There are four major poin t -to-poin t tech-niques: TCP SYN flooding, UDP flooding, ICMP flooding, and Smurf attacks. The first one misbehaves from t he st andard t hree-way TCP handshake causing resource consump ion and bandwid h consump ion,whereas t he remaining ones int end t o consume t he vict im’s bandwidt h.The year 1999 saw an emergence of new denial of service tools. The change was inevi t able: t he growt h of net work pipes made simple point -t o-point tools either useless, or the improved tracking capabili-ties easily shut down the source of the problem. Even though some solutions or at least containment methods exist for the above, the distributed variants as an evo-lut ion of coordinat ed many-t o-one at t acks escape t he traditional model sufficiently.Rather than relying on a single source, at t ackers could now t ake advant age of some hundred, t housand, even t en t housand or more systems to inflict denial of service onto their victims.AnalysisThe DDoS Network ModelA Distributed Denial of Service Network follows a hierarchical model, with one or more attackers con-trolling a so-called handler ,which in turn controls the hordes of agents that execute the commands relayed to them.The communication between the attacker and the handler,and bet ween t he handler and t he agent s is referred to as the control traffic of t he ne twork,whereas t he communicat ion bet ween t he agent s and t he vict ims is referred t o as t he flood traffic .Cont rol t raffic can be TCP,UDP,ICMP,or a combinat ion of the three. Flood traffic consists of traffic generated by each individual point -t o-point denial of service t ech-nique, or sometimes a combination thereof.In order to remove himself from view,the attacker introduces additional layers between the vic-tim host(s) and himself. He can access the handler via a variet y of mechanisms, t he most popular being a simple telnet .More sophisticated tools use, or can take advan tage of, more advanced techniques, such as encrypt ed TCP connect ions (ssh is a possibilit y for TFN, blowfish-encryp ed proprie ary as in S achel-draht ) or non-st andard met hods such as embedding commands in ICMP or UDP packets (e.g., LOKI [22,23] or Q). Additional care is taken to protect the han-dler,as it is the key control point and effectively theAnalyzing Distributed Denial Of Service Tools: The Shaft Case Dietrich, Long, & Dittrichanonymizer of the network. So as to eliminate a single point of failure, more t han one handler is found in pract ice, and in most cases each handler has equal power over its agents.The agents are controlled from the handler,often using a different pro t ocol t han the one in effec tbetween attacker and handler.It is speculated that this is done t o evade correlat ion. The communicat ion is not necessarily bidirectional, as there have been cases of oblivious t ransfers. Inst ruct ed by t he at t acker,t he handler can cont rol t he numerous agent s t o perform the attacks by proxy.As we will see, some DDoS tools provide a clear overview of t he DDoS net work, e.g.,enabling t o det ermine t he st at us and performance of each individual agent.Figure 1:A typical DDoS network FindingsShaft was init ially det ect ed t hrough anomalous net work act ivit y.Wit h t he help of t he net work ana-lyzer Argus [1], spikes (see Figure 2) in t he packet flows led t o t he discovery of t he shaftnode agent on t he compromised syst em wit hin t he local net work. It was one of about 100 nodes in a Shaft DDoS network.The successful retrieval of an attack binary,the shaftn-ode agent, and eventually its source, permitted a thor-ough analysis of its functionality.Since t he shaftmaster handler was not ret rieved unt il four mont hs lat er,it t ook simulat ion, t horough analysis of Argus [1] logs and a pinch of creativity to reconstruct the functionality of this attack tool. Simu-lat ion and analysis t ools such as t he Unix debugging t ool strace ,and disassembly of binaries are the main contributors to the understanding of munication FeaturesAs a first st ep, it was import ant t o ident ify t he network communication aspect of Shaft. Shaft (in the analyzed version, 1.72) is modeled aft er Trinoo [11],in that communication between handlers and agents is achieved using t he unreliable IP prot ocol UDP.See St evens [29] for an ext ensive discussion of t he TCP and UDP protocols. Remote control is established viaa simple t elnet connect ion t o t he handler.Shaft uses tickets for keeping t rack of t he t ransact ions issued t o its individual agents. Both passwords and ticket num-bers have t o ma t ch fort he agen t t o execu t e t he request . A simple let er-shift ing (Caesar cipher,see Schneier [27]) is in mand StructureNext , analyzing t he command st ruct ure of t he tool provided additional understanding of the capabili-t ies of Shaft. Using available source and t he simple Unix command strings ,we est ablished t he command synt ax of bot h t he agent and t he handler.It provided insight into the capabilities of the handler that was not apparent from the agent source.A full listing of both he agen and handler commands can be found in Appendix 1 and 2, respectively.Figure 2:Spikes in network activity.DetectionBrief Description of Installation MethodsAs with previous DDoS tools, the methods used t o ins t all t he handler/agen t will be t he same as inst alling any program on a compromised Unix sys-t em, wit h all t he st andard opt ions for concealing t he programs and files (e.g., use of hidden directories,root kits ,kernel modules, et c.). The reader is referred t o Dit t rich’s Trinoo analysis [11] for a description of pos-sible installation methods of this type of tool.Further findings [32] have revealed that the Shaft DDoS t ools were indeed used in conjunct ion wit h a root kit ,an inet d-based (inet d is t he Unix server t hat handles most incoming connections such as telnet and ftp) trojan, a trojaned secure shell (SSH) daemon, and a set of Unix shell script s t o aut omat ically dist ribut e the tools out to the individual agent systems. The pre-sent inetd-based trojan has been known to exist in the wild as early as May 1999.The distribution Unix shell script (from [32]), as sent with netcat [19] to the trojaned system, is as fol-lows:#!/bin/shecho "oir##t"echo "QUIT"sleep 5echo "cd /tmp"Dietrich, Long, & DittrichAnalyzing Distributed Denial Of Service Tools: The Shaft Casesleep 5echo "rcp user@host:shaftnode ./"sleep 5echo "chmod +x shaftnode"sleep 5echo "./shaftnode"echo "exit"This shell script inst alls t he shaft node agent on t he syst em, by performing a remot e copy from a reposi-tory host into the /tmp directory,making it executable and launching it. The reader is referred t o [32] for a complet e discussion of t he inst allat ion, t rojaning and rootkit-ing of the handler host.Time Pro t ocol Src IP/Port Flow Ds t IP/Port21:39:22 tcp z.z.z.z.53982↔x.x.x.x.2121:39:32 t cp x.x.x.x.1023→y.y.y.y.51421:39:56 udp x.x.x.x.33198→z.z.z.z.2043321:45:20 udp z.z.z.z.1765→x.x.x.x.1875321:45:20 udp x.x.x.x.33199→z.z.z.z.2043321:45:59 udp z.z.z.z.1866→x.x.x.x.1875321:45:59 udp x.x.x.x.33200→z.z.z.z.2043321:45:59 udp z.z.z.z.1968→x.x.x.x.1875321:45:59 udp z.z.z.z.1046→x.x.x.x.1875321:45:59 udp z.z.z.z.1147→x.x.x.x.1875321:45:59 udp z.z.z.z.1248→x.x.x.x.1875321:45:59 udp z.z.z.z.1451→x.x.x.x.1875321:46:00 udp x.x.x.x.33201→z.z.z.z.2043321:46:00 udp x.x.x.x.33202→z.z.z.z.2043321:46:01 udp x.x.x.x.33203→z.z.z.z.2043321:48:37 udp z.z.z.z.1037→x.x.x.x.1875321:48:37 udp z.z.z.z.1239→x.x.x.x.1875321:48:37 udp z.z.z.z.1340→x.x.x.x.1875321:48:37 udp z.z.z.z.1442→x.x.x.x.1875321:48:38 udp x.x.x.x.33204→z.z.z.z.2043321:48:38 udp x.x.x.x.33205→z.z.z.z.2043321:48:38 udp x.x.x.x.33206→z.z.z.z.2043321:48:56 udp z.z.z.z.1644→x.x.x.x.1875321:48:56 udp x.x.x.x.33207→z.z.z.z.2043321:49:59 udp x.x.x.x.33208→z.z.z.z.2043321:50:00 udp x.x.x.x.33209→z.z.z.z.2043321:50:14 udp z.z.z.z.1747→x.x.x.x.1875321:50:14 udp x.x.x.x.33210→z.z.z.z.20433Table 1:Compromise flow on Nov 28.Algorithmic Overview of AttacksUpon launch, t he shaft agent (t he ‘‘shaft node’’)reports back to its default handler (its ‘‘shaft mast er ’’)by sending a ‘‘new <upshifted password>’’command,which regist ers t he new agent in t he pool of agent s available t o t he handler.For t he default password of ‘‘shift ’’found in t he analyzed code, t his would be ‘‘t ijgu’’. Therefore a new agent would send out ‘‘new tijgu’’, and all subsequent messages would carry that password in it. Only in one case does the agent shift in he opposi e direc ion for one par icular command,e.g., ‘‘pkt res rghes’’. While it was init ially unclear whether this was a mistake, a more thorough analysisof the shaftmaster revealed that both shifts were used in an attempt to evade analysis.Incoming commands arrive as space separat ed items: command, upshifted password, command argu-ment , socket number,t icket , and opt ional argument s,which can be represented as the message flow diagram between handler H and agent A:1. A →H: "new", f(password)2. H →A: cmd, f(password), [args], Na, Nb3. A →H: cmdrep, f(password), Na, Nb, [args]4. Jump to step 2.•f(X) is the Caesar cipher function on X•Na, Nb are numbers (tickets, socket numbers)•cmd, cmdrep are commands and command acknowledgmen t s•args are command argumentsThe flooding occurs in bursts of 100 packets per host, with the source port and source address random-ized. This number is hard-coded, but it is believed that more flexibility can be added. Whereas the source port spoofing only works if the agent is running as a root privileged process, the author has added provisions for packet flooding using the UDP protocol and with the correct source address in the case the process is run-ning as a simple user process. It is noteworthy that therandom funct ion is notproperly seeded, which mayAnalyzing Distributed Denial Of Service Tools: The Shaft Case Dietrich, Long, & Dittrich lead t o predict able source port sequences and sourcehost IP sequences.The source port is generated with (R mod(65535-1024)+1024) where R is he ou pu of he rand() function. This will generate source ports greater than 1024 at all times.The source IP is of the form R1.R2.R3.R4 where R1, R2, R3, R4 are the outputs of rand()mod255. The source IP numbers can (and will) contain a zero in the leading octet.Additionally,the sequence number for all TCP packe s is fixed, namely 0x28374839, which helps wit h respect t o det ect ion at t he net work level.The ACK and URGENT flags are randomly set, except on some platforms.Destination ports for TCP and UDP packet floods are randomized.The client must choose t he durat ion (‘‘t ime’’), size of packets, and type of packet flooding directed at t he vict im host s. Each set of host s has it s own dura-tion, which gets divided evenly across all hosts. This is unlike TFN [6] which forks an individual process for each victim host.For the type, the client can select UDP,TCP SYN, ICMP packet flooding, or the combi-nation of all three. Even though there is potential for having a different type and packet size for each set of vict im host s, t his feat ure is not exploit ed in t his ver-sion.When a general command is issued, it is sent to all hosts listed in a hidden file containing all the Shaft agent s, in general wit h a t imeout of 30 seconds. To dat e, no mechanism t o alt er t hat t imeout has been found. Some commands have longer t imeout s, up t o 300 seconds. A list of outstanding tickets (transactions wait ing t o complet e) is available t o t he at t acker wit h the ‘‘ltic’’command, which lists the ticket number and it s corresponding remaining t ime. The at acker can visually correlate the ticket number to the actual com-mand by scrolling back in his screen buffer and com-paring the number that was printed after the execution of t he command, similar t o seeing a process id dis-played when sending a process into the background on a Unix system.The aut hor of Shaft seems t o have a part icular interest in statistics, namely packet generation rates of its individual agents. The statistics on packet genera-t ion rat es are possibly used t o det ermine t he ‘‘yield’’of t he DDoS net work as a whole. This would allow the attacker to stop adding hosts to the attack network when it reached t he necessary size t o overwhelm t he vict im net work, and t o know when it is necessary t o add more agents to compensate for loss of agents due to attrition during an attack (as the agent systems are identified and taken off-line).Packet Flow AnalysisIn this section we will look at a practical exam-ple of an attack carried out with the Shaft distributed denial of service attack tool, as seen from the attack-ing network perspective.The handler is list ening on port 20433, and an exis ing connec ion on por 20432 is awai ing he commands of t he at t acker.The packet flow is illus-trated in Table 1.There is quite some activity between the handler andhe agen, as hey go hrough he command request and acknowledgement phases. There was also what appeared to be testing of the impact on the local network itself with, among others, UDP packet flood-ing against the broadcast address (first 2-3 spikes), fol-lowed by ICMP flooding as shown in Figure 2. See Figure 3 for a fine-grained view.Figure3:28Nov 1999 floods 21:00-23:00. The interesting portion is the first three lines. It shows he penet rat ion from t he handler (z.z.z.z) using t he inetd-based trojan with source port 53982 and destina-tion port21 (any inetd related portwould have worked), t he download of t he shaft node binary from y.y.y.y via rcp (remote copy,port 514), and the regis-tration of the shaftnode agent with its shaftmaster han-dler.The theory that these were the traces of the pene-tration was confirmed by findings [32] on the handler host. The ten second delay between the packet on port 21 and the remote copy on port 514 is consistent with he scrip men ioned in he sec ion on ins alla ion methods. Later that night, the attacker performed sev-eral at tacks (three UDP and one combination TCP/UDP/ICMP) in order t o t est t he Shaft net work furt her,as illust rat ed in Figure 4. Let us look at t he individual phases from a lat er at t ack aft er it became possible to record the packet contents, as well as gen-eral flow dat a, subsequent t o a det erminat ion of t he agent, handler and communication ports. Subse-quently,the handler cont inued t o send such packet s even though the agent had been disabled and the host integrity recovered.This is illustrated in Table 2.Dietrich, Long, & Dittrich Analyzing Distributed Denial Of Service Tools: The Shaft CaseFigure4:Further testing 29 Nov 1999 02:00-07:00.ime flow command18:06:40 Z→X alive tijgu hi 5 817018:09:14 Z→X ime tijgu 700 5 643718:09:14 X→Z ime tijgu 5 6437 70018:09:16 Z→X size tijgu 4096 5 871718:09:16 X→Z size tijgu 5 8717 409618:09:23 Z→X ype tijgu 2 5 9003Table 2:Setup and configuration phase on Dec 4. ime flow command18:09:24 Z→X own tijgu a.a.a.a 5 525618:09:24 X→Z owning tijgu 5 5256 a.a.a.a 18:09:24 Z→X pktres tijgu a.a.a.a 5 1993 18:09:24 Z→X own tijgu b.b.b.b 5 7818:09:24 Z→X pktres tijgu j.j.j.j 5 884518:09:24 Z→X own tijgu c.c.c.c 5 624718:09:25 Z→X own tijgu d.d.d.d 5 419018:09:25 Z→X own tijgu e.e.e.e 5 237618:09:25 X→Z owning tijgu 5 78 b.b.b.b18:09:26 X→Z owning tijgu 5 6247 c.c.c.c 18:09:27 X→Z owning tijgu 5 4190 d.d.d.d 18:09:28 X→Z owning tijgu 5 2376 e.e.e.e 18:21:04 X→Z pktres rghes 5 1993 51600 18:21:04 X→Z pktres rghes 0 0 5140018:21:07 X→Z pktres rghes 0 0 5150018:21:07 X→Z pktres rghes 0 0 5140018:21:07 X→Z pktres rghes 0 0 51400Table 3:Host list and statistics.The handler issues an ‘‘alive’’command, and says ‘‘hi’’t o it s agent, assigning a socket number of ‘‘5’’and a ticket number of 8170. We will see that this ‘‘socket number’’ will persist throughout this attack. A t ime period of 700 seconds is assigned t o t he agent, which is acknowledged. A packet size of 4096 bytes is specified, which is again confirmed. The last line indi-cates the type of attack, in this case ‘‘the works’’, i.e., UDP,TCP SYN and ICMP packet flooding combined. Failure o specify he ype would make he agen default to UDP packet flooding.Now t he list of host s t o at t ack and which ones they want statistics from on completion, as shown in Table 3.To prot ect t he ident it y of t he vict ims, t he hosts IP number have been replaced with a.a.a.a through j.j.j.j.t ime flow command18:24:25 Z→X own tijgu e.e.e.e 5 449318:25:53 Z→X own tijgu b.b.b.b 5 939218:27:05 Z→X own tijgu a.a.a.a 5 308518:27:06 X→Z owning tijgu 5 3085 a.a.a.a 18:33:52 Z→X own tijgu c.c.c.c 5 187818:33:53 X→Z owning tijgu 5 1878 c.c.c.c 18:36:04 X→Z pktres rghes 0 0 10410018:36:20 Z→X pktres tijgu a.a.a.a 5 1511 18:36:21 X→Z owning tijgu 5 1754 a.a.a.a 18:37:33 X→Z pktres rghes 0 0 8170018:38:13 Z→X own tijgu f.f.f.f 5 312618:38:13 Z→X pktres tijgu f.f.f.f 5 469718:38:14 X→Z owning tijgu 5 3126 f.f.f.f 18:38:47 X→Z pktres rghes 5 151176600 18:39:15 Z→X own tijgu g.g.g.g 5 427218:39:16 X→Z owning tijgu 5 4272 g.g.g.g 18:39:41 Z→X own tijgu c.c.c.c 5 885018:39:41 Z→X pktres tijgu c.c.c.c 5 9924 18:40:43 Z→X own tijgu c.c.c.c 5 267218:41:25 X→Z owning tijgu 5 5195 h.h.h.h 18:45:33 X→Z pktres rghes 5 9924 53700 18:48:01 X→Z pktres rghes 0 0 4880018:49:54 X→Z pktres rghes 5 4697 45700 18:50:56 X→Z pktres rghes 0 0 4490018:51:22 X→Z pktres rghes 0 0 4570018:53:04 X→Z pktres rghes 0 0 6370018:54:47 Z→X own tijgu i.i.i.i 5 208618:54:47 Z→X pktres tijgu i.i.i.i 5 698018:54:47 X→Z owning tijgu 5 2086 i.i.i.i 19:06:27 X→Z pktres rghes 5 6980 241200Table 4:More hosts and statistics.Now that all other parameters are set, the handler issues several ‘‘own’’commands, in effect specifying the victim hosts. Those commands are acknowledged by t he agent wit h an ‘‘owning’’reply.The flooding occurs as soon as the first victim host gets added. The handler also requests packet statistics from the agents for cert ain vict im host s (e.g., ‘‘pkt res t ijgu a.a.a.a 5 1993’’). Note that the reply comes back with the same ident ifiers (‘‘5 1993’’) at t he end of t he 700 second packet flood, indicat ing t hat 51600 set s of packet s were sent. One should realize t hat, if successful, t his means 51600 x 3 packets due to the configuration of all three (UDP,TCP,and ICMP) types of packets.In turn, this results in roughly 220 4096 byte packets per second per host, or about 900 kilobytes per second perAnalyzing Distributed Denial Of Service Tools: The Shaft Case Dietrich, Long, & Dittrichvictim host from this agent alone, about 4.5 megabytes per second t ot al for t his lit t le exercise.A graphical view can be seen inhe firs por ion (minu es 1through 12) of Figure 5.Figure 5:4Dec 1999 floods.Note the reverse shift (‘‘shift’’becomes ‘‘rghes’’,rat her t han ‘‘t ijgu’’) for t he password on t he packet statistics. Continuing on with the attack, as shown in Table 4, the attacker selects new targets in a staggered manner,but still keeping the established settings of the 700 second combina ion ype a ack of 4096 by e packet s. The yields of t he at t ack vary from roughly 800 kilobytes per second per host in a multi-target set-ting to 4.2 megabytes per second per host in a single target set t ing (Target I). The st aggered approach can be observed in the right two thirds of Figure 5 (min-utes 14 through 50).Cryptographic AspectsShaf t incorpora t ed several no t ewor t hy t ech-niques for keeping informat ion secret. For one, t helet er-shift ing or Caesar cipher,was applied severalimes wit hin t his t ool. As described previously,he transaction password ‘‘shift’’was shifted by one letter upwards to generate the string ‘‘tijgu’’observed on thenet work. However,a different shift in t he opposit edirect ion generat ed ‘‘rghes’’for t he ret urn st at ist ics.While the author(s) of this program did not encrypt the ent ire message exchange bet ween handler and agent ,t hey did nevert heless obfu scate t he real st rings, such as applying the shift to the handler IP numbers in the binary and also t he port numbers in t he case of a ‘‘swit ch’’command, namely by adding an offset to the real port number.As wit h t he original Trinoo t ool, t he Shaft han-dler cont ained 13-charact er st rings, st rangely resem-bling Unix crypt () out put. Through close analysis of t he handler code, it was est ablished t hat t hey repre-sented the access passwords to the control port of the program, that is where the attacker would connect to and perform t he dist ribut ed denial of service from a convenient, but not quite menu-driven, command line.The ac ual passwords were recovered in a similar fashion o he ones from Trinoo and S acheldrah ,except that the above shifts had to be performed on the ciphertext first.Similar to the handler settings in earlier tools, the author of Shaft attempts to keep the list of its agents in a non-trivial format. Other tools encrypt that list using Blowfish, but this tool packs the four octets of the IP number into a 4-byte integer and writes the ASCII rep-resentation of that number to a file, one per line. For example, adding t he agent wit h IP address 127.0.0.1using ‘‘+node 127.0.0.1’’would yield a line cont ain-ing ‘‘16777343’’, which is:127 × 2560+0×2561+0×2562+1×2563.In order t o ext ract t he IP numbers from t he list , one would apply the reverse transformation.Anomaly DetectionThe network flooding which took place was ini-tially noticed after a cursory glance at the hourly net-work flow data files recorded using an Argus [1] mon-itor at the main Internet connection point. Without anysuch monitoring the activities would have almost cer-tainly gone unnoticed since the floods took place over t he Sunday-Monday nigh t .O ther IDS recordsDietrich, Long, & Dittrich Analyzing Distributed Denial Of Service Tools: The Shaft Caseindicated a possible UDP portscan had taken place butfor host IPs not possible on the local net blocks.For example, t he t ypical argus dat a file at t hat time of day (night) would be 4Mbytes but these grew t o bet ween 40 and 100Mbyt es. Analyzing such large data files takes significant effort and resources (hence t he hourly rot at ion) but it was possible t o det ermine the start time of the rapid rise in connections and then tracing the external connection (handler) and internal flooder (agent ) becomes a mat t er for t rial and error and some measure of good fortune. In this instance the first guess was used to contact the host administrator who was able t o locat e t he process st ill left running (al hough inac ive), ob ain an lsof [18] ou pu and recover residual files and logs.Reducing the data for the hourly flows down to somet hing suit able for graphical display was compli-cat ed by t he very large number of dat a point s which overwhelms most of the standard graphing or statisti-cal packages.O t her t raffic moni t oring applica t ions which might have indicated that an unusually large network flow had occurred would not usually have an accurate time nor could have been used to trace the external →internal communications channel correspondence. For example snmp monitoring of packet numbers is a pop-ular me hod. Accumula ed by e coun s per sub-ne (host , port , et c) could also have been obt ained using NeTraMet [5] but again t his would have been inade-quate for the post event analysis.Impact of Victim Hosts/networksThe effect of the combined outpouring of packets has already been considered from the point of view of the target victim but it should be noted that very little legit imat e t raffic was able t o move over t he Int ernet gat eway while t he flood t ook place. This secondary denial of service would be of major significance dur-ing normal working hours and when combined wit h several such agent s dist ribut ed around one sit e can lead to saturation of the essential backbone infrastruc-ture and routers.Impact on network – given the time of day it had lit t le or no impact apart from slowing ext ernal port scanners (!) – maybe it is worth noting that on typical asynchronous ATM ext ernal connect ions t here would be an impact on outgoing verus incoming. The impact of one host running flat out will be a lot less than sev-eral hos t s running as agen t s. Delibera t ely limi t ing agents to one per site would have considerable bene-fit s when it comes t o avoiding det ect ions while st ill retaining effective DoS of the target(s).Secondary EffectsPoor DNS response (if any) – even problems managing ne twork devices during the peaks. The flurry of ‘‘response’’packets caused by the floods can crea e addi ional complica ions wi hin he ne work.Due to the ‘‘inband-signalling’’nature of TCP/IP,the control messages related to network management must travel over the very same congested network.NIDS vs. Active ScanningNetwork Intrusion Detection Systems (NIDS)During very high (near saturation) flows almost no event of any kind would be logged by an IDS sys-tem – they would either have to drop packets at a very high rat e or require mult i-CPU archit ect ures in order to combine packet collection and packet state analysis.As pipe capaci ies con inue o grow (Gigabi , e c)here will be serious difficul ies for ne work flow monitors such as Argus to keep up based on the typi-cal PC architecture (there is seldom a budget available for a top end machine which will, hopefully,be wast-ing cycles 99 % of the time waiting for such events).Passive ScanningFor t he purpose of det ect ing malicious act ivit y,cert ain feat ures of t he whole DDoS package have t o be considered and provide clues for passive scanning of such event s. This program does not provide for code updat es (like TFN or St acheldraht ). This may imply ‘‘rcp’’or ‘‘ft p’’connect ions during t he init ial int rusion phase (see also [11]). As found in [32], t he int ruders used ‘‘rcp’’in t heir dist ribut ion script s, but this could easily be altered.The program uses UDP traffic for its communi-cation between the handlers and the agents. Consider-ing t hat t he t raffic is notencrypt ed, it can easily be det ect ed based on cert ain keywords. Performing an ‘‘ngrep’’[20] for the keywords mentioned in the syn-tax sections (Appendix 1 and 2), will locate the con-t rol t raffic, and looking for TCP packe t s wi t h sequence numbers of 0x28374839 (decimal 674711609) may locat e t he TCP SYN packet flood raffic. The lat t er t raffic can be det ect ed t hrough it s secondary effect of causing SYN|ACK and RST|ACK traffic wit h sequence numbers of 0x2837483a (deci-mal 674711610), as point ed out by Richard Bejt lich (who has been wit nessing t hese effect s – wit h t his same sequence number – for well over a year [3]).Source por s of he flood raffic are always above 1024, and source IP numbers can include zeroes in the leading octet.Strings in this control traffic can be detected with the ‘‘ngrep’’program using the same technique shown in [11, 12, 13]. Here are some examples t hat will locate the control traffic between the handler and the agent, independently of the port number used.#ngrep -i -x "alive tijgu" udpU 192.168.10.1:4001 -> 192.168.10.2:1875361 6c 69 76 65 20 74 69alive ti 6a 67 75 20 68 69 20 35jgu hi 520 38 36 34 31 0a 8641.U 192.168.0.2:1494 -> 192.168.0.1:2043361 6c 69 76 65 20 74 69alive ti 6a 67 75 20 35 20 38 36jgu 5 8634 31 20 62 6c 61 6841 blah。