Computer Science ›› 2017, Vol. 44 ›› Issue (9): 148-155. doi: 10.11896/j.issn.1002-137X.2017.09.029

• Information Security •

A Mimicry Protection Mechanism for the Inter-domain Routing System Based on AS Security Alliances

MIAO Fu, WANG Zhen-xing, GUO Yi, ZHANG Lian-cheng

  1. PLA Information Engineering University, Zhengzhou 450001, China; PLA Information Engineering University, Zhengzhou 450001, China; PLA Information Engineering University, Zhengzhou 450001, China; Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China; PLA Information Engineering University, Zhengzhou 450001, China
  • Online: 2018-11-13 Published: 2018-11-13
  • Funding:
    This work was supported by the National Natural Science Foundation of China (61402525,6,61472215,8) and the National High-Tech Research and Development Program of China (863 Program) (2012AA012902).

AS Security Alliance Mechanism for Inter-domain Routing System Based on Mimicry Protection

MIAO Fu, WANG Zhen-xing, GUO Yi and ZHANG Lian-cheng   

  • Online: 2018-11-13 Published: 2018-11-13

Abstract (translated from the Chinese): A large-scale low-rate denial-of-service attack against the inter-domain routing system (Low-rate DoS against BGP Session, BGP-LDoS) can paralyze the inter-domain routing system as a whole, and existing detection methods and protection measures have difficulty detecting and defending against such attacks effectively. A prerequisite for carrying out a BGP-LDoS attack is to probe and analyze the topology of the inter-domain routing system in order to obtain the parameters of its key links. Network mimic transformation can confuse the attacker through continuous dynamic change, increasing the cost and complexity of the attacker's probing and analysis of the network and reducing the probability that an attack succeeds. Drawing on the idea of mimic security defense, this paper proposes a protection method based on dynamic transformation of the inter-domain routing topology: several neighboring autonomous systems (AS) in the system form an AS mimic alliance, and equivalent topology transformations are performed within the alliance. The concrete realization process is given. The ability of the transformed network to resist BGP-LDoS attacks is verified and analyzed; the experimental results show that the method effectively reduces the accuracy of the attacker's topology analysis and interferes with the attacker's selection of key links, thereby protecting against BGP-LDoS attacks.

Key words (translated from the Chinese): Mimic transformation, AS security alliance, Network security, Inter-domain routing

Abstract: A large-scale low-rate denial-of-service attack against BGP sessions (BGP-LDoS) can paralyze the inter-domain routing system as a whole. However, existing detection methods and protection measures have difficulty detecting and defending against such attacks effectively. Probing the topology of the inter-domain routing system and obtaining the parameters of its key links are fundamental steps of the BGP-LDoS attack. Network mimic transformation can provide continuous dynamic change that confuses the attacker, increases the cost and complexity of the attacker's probing and analysis, and reduces the probability that an attack succeeds. From the viewpoint of mimic security defense, this paper presents an inter-domain routing system security alliance mechanism. The method forms neighboring autonomous systems into an alliance and performs equivalent topology transformations within the alliance. The concrete realization process is given. The resilience to BGP-LDoS attacks after the mimicry transformation was verified and analyzed. Experimental results demonstrate that the method can effectively reduce the accuracy of the attacker's network topology analysis and interfere with the attacker's target link selection process. It can provide reliable protection for the inter-domain routing system against BGP-LDoS attacks.

Key words: Mimic transformation, AS alliance, Network security, Inter-domain routing

