Evaluation of Protection against Distributed Denial of Service (DDoS) Attacks Using a Trusted IP List
Abstract
The severity of the damage caused by DDoS attacks, together with their growing frequency and sophistication, has led to a large number of defense mechanisms. This paper proposes a DDoS detection and prevention system built on a modular architecture. The central idea is to keep a table recording the history of good connections already established on the network, so that during an attack those sources are favored with most of the available bandwidth, to the detriment of unknown and/or attacking sources, which are rate-limited by filters. Test results show that the solution performs well against massive DDoS attacks, scales well and consumes few system resources, while not harming legitimate traffic.
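The abstract describes the mechanism only at a high level. The following simulation is an added illustration, not the authors' implementation: it assumes that a source becomes "trusted" when a connection from it was fully established (three-way handshake completed) within the last history_ttl seconds, that an attack is declared when the load offered in a scheduling window exceeds the link capacity, and that under attack the trusted class is guaranteed trusted_share (80% here) of the capacity with any unused share lent to the unknown class, in the spirit of class-based link sharing. All IP addresses, packet sizes and thresholds are constructed for the example. Note the freeze on learning while under attack: without it, an attacker who can complete handshakes from real (non-spoofed) addresses would simply add itself to the trusted table.

```python
"""Toy history-based DDoS filter with two-class bandwidth sharing (added example)."""
import ipaddress


class HistoryFilter:
    """Keeps a table of sources that recently completed good connections and,
    under attack, gives that class most of the link while rate-limiting the rest.
    All parameters are illustrative assumptions, not values from the paper."""

    def __init__(self, capacity_bytes_per_window, trusted_share=0.8, history_ttl=3600.0):
        self.capacity = capacity_bytes_per_window   # bytes the link can carry per window
        self.trusted_share = trusted_share          # guaranteed fraction for the trusted class
        self.history_ttl = history_ttl              # seconds a history entry stays valid
        self.history = {}                           # src_ip -> time of last established connection
        self.attack_mode = False                    # learning is frozen while this is True

    def record_established(self, src_ip, now):
        """Called when a TCP connection from src_ip completes its handshake.
        Spoofed SYN floods never get here; learning is frozen during an attack."""
        if self.attack_mode:
            return
        self.history[src_ip] = now

    def is_trusted(self, src_ip, now):
        seen = self.history.get(src_ip)
        return seen is not None and now - seen <= self.history_ttl

    def under_attack(self, packets):
        """Attack heuristic (assumption): offered load exceeds link capacity."""
        return sum(size for _, size in packets) > self.capacity

    def schedule(self, packets, now):
        """packets: list of (src_ip, size_bytes) seen in one window, in arrival order.
        Returns a dict with the attack flag and forwarded/dropped bytes per class."""
        stats = {"attack": False,
                 "forwarded": {"trusted": 0, "unknown": 0},
                 "dropped": {"trusted": 0, "unknown": 0}}
        queues = {"trusted": [], "unknown": []}
        for ip, size in packets:
            queues["trusted" if self.is_trusted(ip, now) else "unknown"].append(size)

        self.attack_mode = self.under_attack(packets)
        if not self.attack_mode:
            # Peacetime: everything fits, forward it all.
            for cls, sizes in queues.items():
                stats["forwarded"][cls] = sum(sizes)
            return stats

        stats["attack"] = True
        budgets = {"trusted": int(self.capacity * self.trusted_share)}
        budgets["unknown"] = self.capacity - budgets["trusted"]
        # Serve the trusted class first; whatever it does not use is lent to the unknown class.
        for cls in ("trusted", "unknown"):
            budget = budgets[cls]
            for size in queues[cls]:
                if size <= budget:
                    budget -= size
                    stats["forwarded"][cls] += size
                else:
                    stats["dropped"][cls] += size
            if cls == "trusted":
                budgets["unknown"] += budget
        return stats


def demo():
    """Constructed scenario: three legitimate clients, then a flood from 2000 spoofed sources."""
    f = HistoryFilter(capacity_bytes_per_window=1_000_000, trusted_share=0.8)
    legit = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]   # documentation addresses
    for ip in legit:
        f.record_established(ip, now=0.0)          # handshakes completed in peacetime

    quiet = [(ip, 1500) for ip in legit for _ in range(100)]  # 450,000 bytes of good traffic
    quiet_stats = f.schedule(quiet, now=1.0)

    base = int(ipaddress.IPv4Address("10.0.0.0"))
    flood = [(str(ipaddress.IPv4Address(base + i)), 1500) for i in range(2000)]  # 3,000,000 bytes
    attack_stats = f.schedule(quiet + flood, now=2.0)

    # While under attack, a new handshake must not create a trusted entry.
    f.record_established("10.0.0.1", now=3.0)
    learned_during_attack = f.is_trusted("10.0.0.1", now=3.0)
    return quiet_stats, attack_stats, learned_during_attack


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the attack window the trusted class offers 450,000 bytes against a guaranteed 800,000, so all of it is forwarded and the unused 350,000 bytes are lent to the unknown class, which then gets 550,000 bytes of budget and has the remaining 2.45 MB dropped. Real deployments need more than this: the history table must be bounded and aged, the attack trigger should look at more than raw volume (e.g. SYN rate or new-source rate), and sources that are in the table but misbehave still need a per-source limit.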
Published
27/08/2007
How to Cite
OLIVEIRA, Luis; ASCHOFF, Rafael; LINS, Bruno; FEITOSA, Eduardo; SADOK, Djamel. Avaliação de Proteção contra Ataques de Negação de Serviço Distribuídos (DDoS) utilizando Lista de IPs Confiáveis. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 7., 2007, Rio de Janeiro. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2007. p. 177-190. DOI: https://doi.org/10.5753/sbseg.2007.20926.