Title: A real-time method for detecting internet-wide SYN flooding attacks
Authors: Lihua Miao, W. Ding, J. Gong
DOI: 10.1109/LANMAN.2015.7114740 (https://doi.org/10.1109/LANMAN.2015.7114740)
Venue: The 21st IEEE International Workshop on Local and Metropolitan Area Networks
Publication date: 2015-04-22
Publication type: Journal Article
Open access: no
Indexing platform: Semanticscholar
Citations: 13
Abstract
Reports show that DDoS attacks are ubiquitous on the Internet and seriously threaten the stable operation of networks. In order to understand the nature of this threat and further enable effective control and management, it is necessary to have a complete picture of attacks across the entire Internet. Traditional methods use darknets for this purpose. However, with the exhaustion of the IPv4 address space, darknets are becoming increasingly difficult to obtain. In this paper, we attempt to detect Internet-wide attacks using a live network. We focus in particular on the most prevalent SYN flooding attacks. First, a complete attack scenario model is established according to the positions of the attacker, the victim and the attacking address; then, after discussing the features of all scenarios, an algorithm named WSAND is proposed, which uses Netflow data to detect SYN flooding attacks across the entire Internet. To evaluate it, the algorithm is deployed at 28 main PoPs (Points of Presence) of the China Education and Research Network (CERNET), with a total internal address space of up to 200/16 blocks. A large number of Internet-wide SYN flooding attacks detected in March 2014 are discussed in detail. With the help of the detected attacks, a case study of detecting an internal zombie is presented.
A real-time method for detecting internet-wide SYN flooding attacks
Reports show that DDoS attacks are ubiquitous on the Internet and may jeopardize networks' stable operation. In order to understand the nature of this threat and further to enable effective control and management, a whole picture of the Internet-wide attacks is a necessity. Traditional methods use darknets to this end. However, with the IPv4 address space exhaustion, darknets become hard to acquire. In this paper, we seek to detect Internet-wide attacks using a live network. In particular, we focus on the most prevalent SYN flooding attacks. First, a complete attack scenario model is introduced according to the positions of the attacker, the victim and the attacking address. Then, after discussing the features of all scenarios, an algorithm named WSAND is proposed to detect Internet-wide SYN flooding attacks using Netflow data. In order to evaluate it, the algorithm is deployed at 28 main PoPs (Points of Presence) of the China Education and Research Network (CERNET) and the total internal address space is up to 200/16 blocks. A large quantity of Internet-wide SYN flooding attacks detected in March 2014 is discussed in detail. With the help of the detected attacks, a case study of detecting an internal zombie is presented.