Computer Science (计算机科学) ›› 2021, Vol. 48 ›› Issue (10): 278-285. doi: 10.11896/jsjkx.210400296
刘亚群, 邢长友, 高雅卓, 张国敏
LIU Ya-qun, XING Chang-you, GAO Ya-zhuo, ZHANG Guo-min
Abstract: Typical network attacks such as link flooding rely on topology reconnaissance to direct their attack at the critical links of a network, and they are both highly destructive and hard to detect. To defend against this class of attack effectively, a topology obfuscation mechanism against network reconnaissance, TopoObfu, is proposed. Driven by the topology obfuscation requirements, TopoObfu adds virtual links to the real network and modifies the forwarding rules for probe packets so that an attacker obtains false topology-probing results, thereby hiding the network's critical links. For ease of implementation, TopoObfu maps the fake topology to packet-processing flow entries on SDN switches and supports deployment in hybrid networks in which only some nodes are SDN switches. Simulation results on several typical real network topologies show that TopoObfu effectively raises the difficulty of critical-link analysis for an attacker in terms of link importance, network structure entropy and path similarity, achieves high implementation efficiency in terms of the number of SDN switch flow entries and obfuscated-topology generation time, and can reduce the probability of critical links being attacked.
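As an added illustration (not code from the paper or from any TopoObfu implementation), the following Python shows how advertising virtual links changes the three attacker-side metrics the abstract names. The sample topology, the virtual links, and the metric definitions (link importance as shortest-path edge betweenness, structure entropy as Shannon entropy of the degree distribution, path similarity as mean Jaccard overlap of shortest-path edge sets) are all assumptions made here; the paper's own definitions, its obfuscated-topology generation algorithm and its flow-table mapping are not on this page and are not reproduced.

```python
"""Added illustration (not the paper's code): how adding virtual links to a
topology changes the three attacker-side metrics named in the abstract.
Metric definitions below are simplified assumptions, not TopoObfu's own."""
from collections import defaultdict, deque
from itertools import combinations
import math

# Constructed sample topology: two clusters joined by one critical link (c, d).
REAL_LINKS = [("a", "c"), ("b", "c"), ("c", "d"), ("d", "e"), ("d", "f")]
# Constructed virtual links an obfuscator could advertise to probes.
VIRTUAL_LINKS = [("a", "e"), ("b", "f")]


def adjacency(links):
    adj = defaultdict(set)
    for u, v in links:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def all_shortest_paths(adj, src, dst):
    """BFS that records every predecessor, then enumerates all shortest paths."""
    dist, parents, queue = {src: 0}, defaultdict(list), deque([src])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
            if dist[w] == dist[u] + 1:
                parents[w].append(u)
    if dst not in dist:
        return []
    paths = []

    def walk(node, tail):
        if node == src:
            paths.append(tail)
            return
        for p in parents[node]:
            walk(p, [p] + tail)

    walk(dst, [dst])
    return paths


def path_edges(paths):
    return {frozenset(e) for p in paths for e in zip(p, p[1:])}


def obfuscate(real_links, virtual_links):
    """Obfuscated topology = real links plus advertised virtual links (assumed here)."""
    return list(real_links) + list(virtual_links)


def link_importance(links):
    """Link importance as shortest-path edge betweenness (assumed metric)."""
    adj = adjacency(links)
    score = {frozenset(l): 0.0 for l in links}
    for s, t in combinations(sorted(adj), 2):
        paths = all_shortest_paths(adj, s, t)
        for p in paths:
            for u, v in zip(p, p[1:]):
                score[frozenset((u, v))] += 1.0 / len(paths)
    return score


def structure_entropy(links):
    """Shannon entropy of the degree distribution (assumed 'structure entropy')."""
    adj = adjacency(links)
    total = sum(len(n) for n in adj.values())
    return -sum((len(n) / total) * math.log2(len(n) / total) for n in adj.values())


def path_similarity(real_links, obf_links):
    """Mean Jaccard overlap of shortest-path edge sets, real vs. obfuscated."""
    real_adj, obf_adj = adjacency(real_links), adjacency(obf_links)
    sims = []
    for s, t in combinations(sorted(real_adj), 2):
        a = path_edges(all_shortest_paths(real_adj, s, t))
        b = path_edges(all_shortest_paths(obf_adj, s, t))
        sims.append(len(a & b) / len(a | b) if a | b else 1.0)
    return sum(sims) / len(sims)


def observed_vs_actual(real_links, obf_links, src, dst):
    """Hop sequence a probe is shown (obfuscated) vs. the real forwarding path."""
    shown = min(all_shortest_paths(adjacency(obf_links), src, dst))
    actual = min(all_shortest_paths(adjacency(real_links), src, dst))
    return shown, actual


if __name__ == "__main__":
    obf = obfuscate(REAL_LINKS, VIRTUAL_LINKS)
    cd = frozenset(("c", "d"))
    print("importance of c-d: real %.2f, obfuscated %.2f"
          % (link_importance(REAL_LINKS)[cd], link_importance(obf)[cd]))
    print("structure entropy: real %.3f, obfuscated %.3f"
          % (structure_entropy(REAL_LINKS), structure_entropy(obf)))
    print("path similarity: %.3f" % path_similarity(REAL_LINKS, obf))
    print("probe a->e is shown %s, traffic actually takes %s"
          % observed_vs_actual(REAL_LINKS, obf, "a", "e"))
```

On this constructed topology the critical link c-d falls from betweenness 9 to about 3.7 once the two virtual links are advertised, the degree-distribution entropy rises toward the uniform maximum, and a probe from a to e is shown a one-hop path while traffic really crosses c-d. The hop sequence returned by `observed_vs_actual` is what the probe-forwarding rules must produce for the attacker to see, while ordinary traffic still follows the real path; the cost of doing so in flow entries is what the abstract reports separately.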