{"title":"分布式拒绝服务检测使用TCP/IP头和流量测量分析","authors":"Lersak Limwiwatkul, Arnon Rungsawangr","doi":"10.1109/ISCIT.2004.1412917","DOIUrl":null,"url":null,"abstract":"Recently, the detection of distributed denial of service (DDoS) and the discovery of DDoS attacking signature used the mean of traffic measurement analysis at protocol level. This technique is not suited to find the signatures of DDoS attack, which is formless. Also, DDoS is in general the combination of different forms of denial of service (DoS). As a result, it is difficult to find the exact signature of attack. Moreover, it is very difficult to distinguish the difference between an unusual high traffic which is caused by the attack, and the flash crowds which normally occur when a huge number of users use the target machine at the same time. In fact, this difference should only be observed from analyzing the data in the packet header. In this paper, we propose to discover the DDoS attacking signature by analyzing the TCP/IP packet header against the well defined rules and conditions, and distinguish the difference between normal and abnormal traffic. We here observe three groups or delegates of DDoS attacking, i.e., ICMP flood, UDP flood and TCP SYN flood, and present convincing preliminary experiments.","PeriodicalId":237047,"journal":{"name":"IEEE International Symposium on Communications and Information Technology, 2004. ISCIT 2004.","volume":"3 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2004-10-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"67","resultStr":"{\"title\":\"Distributed denial of service detection using TCP/IP header and traffic measurement analysis\",\"authors\":\"Lersak Limwiwatkul, Arnon Rungsawangr\",\"doi\":\"10.1109/ISCIT.2004.1412917\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Recently, the detection of distributed denial of service (DDoS) and the discovery of DDoS attacking signature used the mean of traffic measurement analysis at protocol level. This technique is not suited to find the signatures of DDoS attack, which is formless. Also, DDoS is in general the combination of different forms of denial of service (DoS). As a result, it is difficult to find the exact signature of attack. Moreover, it is very difficult to distinguish the difference between an unusual high traffic which is caused by the attack, and the flash crowds which normally occur when a huge number of users use the target machine at the same time. In fact, this difference should only be observed from analyzing the data in the packet header. In this paper, we propose to discover the DDoS attacking signature by analyzing the TCP/IP packet header against the well defined rules and conditions, and distinguish the difference between normal and abnormal traffic. We here observe three groups or delegates of DDoS attacking, i.e., ICMP flood, UDP flood and TCP SYN flood, and present convincing preliminary experiments.\",\"PeriodicalId\":237047,\"journal\":{\"name\":\"IEEE International Symposium on Communications and Information Technology, 2004. ISCIT 2004.\",\"volume\":\"3 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2004-10-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"67\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IEEE International Symposium on Communications and Information Technology, 2004. ISCIT 2004.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ISCIT.2004.1412917\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE International Symposium on Communications and Information Technology, 2004. ISCIT 2004.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCIT.2004.1412917","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 67
摘要
目前,分布式拒绝服务(DDoS)的检测和DDoS攻击特征的发现都采用了协议级流量测量分析的均值。这种技术不适合寻找没有形式的DDoS攻击签名。此外,DDoS通常是不同形式的拒绝服务(DoS)的组合。因此,很难找到攻击的确切特征。此外,很难区分攻击造成的异常高流量与大量用户同时使用目标机器时通常发生的闪变人群之间的区别。实际上,只有通过分析包头中的数据才能观察到这种差异。本文提出通过对TCP/IP报文头的分析,在定义好的规则和条件下发现DDoS攻击特征,并区分正常流量和异常流量。我们在这里观察了三组或代表的DDoS攻击,即ICMP flood, UDP flood和TCP SYN flood,并提出了令人信服的初步实验。
Distributed denial of service detection using TCP/IP header and traffic measurement analysis
Recently, the detection of distributed denial of service (DDoS) and the discovery of DDoS attacking signature used the mean of traffic measurement analysis at protocol level. This technique is not suited to find the signatures of DDoS attack, which is formless. Also, DDoS is in general the combination of different forms of denial of service (DoS). As a result, it is difficult to find the exact signature of attack. Moreover, it is very difficult to distinguish the difference between an unusual high traffic which is caused by the attack, and the flash crowds which normally occur when a huge number of users use the target machine at the same time. In fact, this difference should only be observed from analyzing the data in the packet header. In this paper, we propose to discover the DDoS attacking signature by analyzing the TCP/IP packet header against the well defined rules and conditions, and distinguish the difference between normal and abnormal traffic. We here observe three groups or delegates of DDoS attacking, i.e., ICMP flood, UDP flood and TCP SYN flood, and present convincing preliminary experiments.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
