CN118432903A - Near-source DDoS defense method based on bidirectional source address verification - Google Patents


Info

Publication number
CN118432903A
Authority
CN
China
Prior art keywords
source address
sav
request
verification
proxy device
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202410582391.6A
Other languages
Chinese (zh)
Inventor
罗昊然
胡水松
汪文勇
吴俊锐
李宇博
苗宇
邓军
Current Assignee (as listed by Google Patents; may be inaccurate)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Events
Application filed by University of Electronic Science and Technology of China
Priority to CN202410582391.6A
Publication of CN118432903A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/0281 Proxies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a near-source DDoS defense method based on bidirectional source address verification (SAV-B). In the method, an SAV-B proxy device (proxy device for short) is deployed on the near-server side and cooperates with the SAV-B device deployed in the protected area; the bidirectional source address verification task is completed through an interactive authentication mechanism, and forged source addresses are handled for the SAV-B network deployment domain. The invention implements a strong security mechanism at the source end of possible forged-source attack traffic, thereby effectively identifying and defending against network attacks using forged source addresses, particularly in the reflection amplification attack scenario, greatly reducing the security burden on the backbone network and core facilities and effectively improving the security and stability of network communication.

Description

A near-source DDoS defense method based on bidirectional source address verification

Technical Field

The invention belongs to the technical field of network security, and in particular relates to a near-source DDoS defense method based on bidirectional source address verification.

Background

A reflection amplification attack is a distributed denial of service (DDoS) attack in which the attacker uses reflection services on the Internet (such as DNS, NTP and SNMP) as amplifiers to generate a large volume of traffic against the target server. The key to this type of attack is that a large number of relay servers return large responses to small requests: the attacker sends small query requests whose forged source address is the IP address of the target, so that the response data, whose volume is far larger than the request, is delivered to the target, exhausting the target server's bandwidth or resources and disrupting normal service.

Existing server protection measures show a series of deficiencies when facing complex network security threats, especially source address forgery and reflection amplification attacks. First, these measures usually inspect only inbound traffic and pay no equal attention to outbound traffic, so forged response packets cannot be blocked effectively. Second, most of them rely on static defense strategies and lack the ability to respond promptly and flexibly to changing attack methods. In addition, over-reliance on methods such as bandwidth expansion and traffic scrubbing not only consumes enormous resources and raises operating costs, but also remains fragile in the face of large-scale attacks. At the same time, defenses are often deployed only at the network edge or at key nodes, which means that widely distributed services and applications may not be protected comprehensively, leaving security blind spots. Finally, there is a delay between identifying attack traffic and responding to it; for short, high-intensity attacks in particular, existing measures may fail to respond in time, increasing the risk of defense failure. These deficiencies are evident in server protection, especially in resisting source address forgery and reflection amplification attacks; for reflection amplification attacks, the mitigation most often used is to limit the amplification factor.

Bidirectional source address validation (Source Address Validation-Bidirectional, SAV-B) inspects packets one by one, extracts the five-tuple information of request messages sent out of the SAVA (Source Address Validation Architecture) deployment domain, and caches that message information. When the response message comes back, the cached message information is compared against it to verify the authenticity and legitimacy of the packet's source address. This method effectively prevents source address forgery attacks and improves the overall security of the network. The bidirectional source address verification method works in two stages. In the first stage, the SAV-B device inspects outgoing requests packet by packet, extracts the five-tuple of each packet that accesses an open service, caches that message information in the SAV-B device's message information table, and manages the table entries by means such as setting a lifetime. In the second stage, the SAV-B device processes the response packets returned by the open service and performs source address verification: it first extracts the five-tuple of the response message and then checks it against the message information cached in the first stage. If the check succeeds, the exchange is a legitimate request and response; if it fails, the request was illegitimate.

Therefore, it is particularly important to solve the problem of where to deploy bidirectional source address verification in the reflection amplification attack scenario.

Summary of the Invention

To solve the above problems, the present invention provides a near-source DDoS defense method with bidirectional source address verification. On the basis of the bidirectional source address verification method, the method introduces a proxy device that carries a watch list. The watch list on the device records the network domains in which SAV-B devices are deployed. When the proxy device receives a query request sent to an open service from a device on the watch list, it automatically starts its verification function and sends an interaction request to the corresponding SAV-B device. Source address verification is completed by the SAV-B device to determine the legitimacy of the packet, thereby accurately identifying forged sources and protecting the SAVA domain.

To achieve the above object, the present invention adopts the following technical solution:

A near-source DDoS defense method based on bidirectional source address verification: a bidirectional source address verification (SAV-B) proxy device is deployed on the near-server side to implement security management of the network deployment domain. The proxy device is responsible for real-time monitoring of requests to public servers and works together with the SAV-B device to complete the bidirectional source address verification task. The tasks performed by the proxy device specifically include the following steps:

Step S1: the proxy device receives a public service query request and performs a risk assessment;

Step S2: the proxy device sends a verification request to the SAV-B device;

Step S3: the proxy device receives the SAV-B device's verification result for the query request;

Step S4: the proxy device processes the query request according to the verification result;

Step S5: the proxy device forwards the query request to the open server and receives the server response.

Furthermore, the SAV-B device is responsible for collecting the five-tuple information of network data packets, generating the message information table and verifying source address authenticity; the five-tuple information comprises source address, destination address, protocol, source port and destination port.

Furthermore, the risk assessment in step S1 includes checking whether the source address of the query request is on a preset watch list.

Furthermore, in step S4, if the verification result returned by the SAV-B device indicates that the source address is illegitimate, the proxy device immediately discards the query request corresponding to that source address and records the relevant event information.

Furthermore, while discarding the query request, the proxy device also triggers additional security mechanisms, including sending a warning to the network administrator or automatically adjusting network firewall settings.

Furthermore, in step S5, after the proxy device confirms that the source address of the query request is not on the watch list or that the query request has passed verification by the SAV-B device, the proxy device securely forwards these query requests to the target server. The proxy device also records the details of the forwarded request, including timestamp, source address and destination.

Furthermore, after receiving the query request forwarded by the proxy device, the target server processes it according to the request content, generates a server response, and sends the response data back to the proxy device. The server response includes any one or more forms of data service result, and the response is security checked before transmission to ensure that it contains no security risk.

Furthermore, source address authenticity verification by the SAV-B device includes: searching the message information table stored on the SAV-B device for a record matching the source address, to determine whether it corresponds to normal network behavior.

Furthermore, the interactive authentication mechanism between the proxy device and the SAV-B device verifies the legitimacy of the request by comparing the entries in the message information table that the SAV-B device generated and cached in the first phase with the message information generated from the public service request packet in the second phase, where the first phase is the sending of a query request to the open server and the second phase is the server returning a response message.

By deploying a proxy device on the near-server side and linking it with the SAV-B device in the protected area, the present invention achieves effective defense of the SAV-B deployment domain against reflection amplification attacks. At the same time, the SAV-B device and the proxy device work together to complete the bidirectional source address verification task through an interactive authentication mechanism. This method accurately identifies forged source addresses, thereby significantly improving the security and protective effectiveness of the network. The present invention includes not only real-time monitoring of traffic and identification of abnormal traffic, but also close coordination with the server and integration with other network security devices, forming a multi-level security defense system and reducing the load on the backbone network and core facilities. In addition, the proxy device has automatic response and recovery capabilities: when a potential attack is detected, it can automatically execute preset response measures, such as blocking suspicious traffic, and quickly restore normal service to ensure the continuity and stability of network services.

Brief Description of the Drawings

In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention; for a person of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.

Figure 1 is a network structure diagram of a near-source DDoS defense method based on bidirectional source address verification provided by an embodiment of the present invention;

Figure 2 is a brief flow chart of a near-source DDoS defense method based on bidirectional source address verification provided by an embodiment of the present invention;

Figure 3 is a diagram of the working principle of the bidirectional source address verification mechanism provided by an embodiment of the present invention.

Detailed Description of the Embodiments

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the scope of protection of the present invention.

To facilitate understanding, the relevant technical terms are first briefly introduced.

Reflection amplification attack: a distributed denial of service (DDoS) attack method in which the attacker sends a small number of requests to one or more reflection servers with the source IP address forged as that of the target server, inducing these servers to respond to the target server with a much larger amount of data. This attack exploits the characteristics of particular network protocols that make the response traffic significantly larger than the initial request traffic, thereby amplifying the attack. The attacker's identity is hidden by the involvement of the reflection servers, making tracing and defense more difficult.

Distributed denial of service (DDoS): a network attack in which a large number of controlled computers or devices send a large number of requests to a target at the same time, overloading the target so that legitimate users cannot access it normally.

IP spoofing: a network attack technique in which the attacker forges the source IP address of the packets it sends, so that they appear to come from another legitimate or trusted source. This technique is often used to launch a range of malicious activities, including denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, session hijacking and network intrusions.

SAVA (Source Address Validation Architecture): an architecture and technology for validating real source addresses in networks. It is mainly used to ensure the authenticity and reliability of the source addresses of packets in the network, so as to improve network security and reduce the risk of network attacks.

Source Address Validation (SAV): the verification mechanism under the Source Address Validation Architecture (SAVA); it achieves real source address validation in a network environment and improves network security.

SAVA deployment domain: the specific area or scope in which source address validation is implemented under the Source Address Validation Architecture (SAVA). The concept is mainly used to describe the network area where SAVA technology is applied; it can be a local area network, an autonomous system (AS), or a wider network area spanning multiple autonomous systems.

Network five-tuple: a method of uniquely identifying and distinguishing packets in network communication, consisting of the source IP address, destination IP address, source port number, destination port number and transport protocol (usually TCP or UDP). This combination of information is crucial in network monitoring, security analysis, load balancing, routing decisions and session management; it allows network devices and applications to accurately identify, filter and manage specific network traffic, ensuring correct routing and secure transmission of data.

Bidirectional source address validation (Source Address Validation-Bidirectional, SAV-B): a device or mechanism that performs source address validation on traffic in both directions. The mechanism runs in two stages. In the first stage, request messages sent out of the SAVA deployment domain are inspected packet by packet, and the five-tuple of each request message that will later need source address verification is retained as message information. In the second stage, source address verification of the response messages is completed: the five-tuple of each response message entering the SAVA deployment domain is obtained in the same way as in the first stage and compared one by one with the message information retained in the first stage, confirming the legitimacy of the response message's source address.

SAV-B device: a router, switch, protection device or similar that has a bidirectional source address validation mechanism.

Watch list: a list that stores SAVA deployment domain information and can be used to determine whether a source address belongs to a SAVA deployment domain.

Protected area: the part of the network protected by SAV-B; this area connects to other networks only through an SAV-B device or mechanism.

The network structure of the near-source DDoS defense method based on bidirectional source address verification provided by the present invention is shown in Figure 1. It comprises a bidirectional source address verification (SAV-B) device and a proxy device. The SAV-B device collects the five-tuple information of network packets, generates the message information table and verifies source address authenticity; through its cooperation with the proxy device it ensures the legitimacy and security of network communication. The proxy device is deployed close to the public server, at the source end of the traffic that would reach it. Its responsibility is to monitor the public service query requests issued by users and, before forwarding them, to have their source addresses verified by the SAV-B device. In other words, before request packets reach the public server, they must pass a series of verifications performed by the proxy device at the source end together with the SAV-B device. This layout helps to identify and block source address forgery attacks, especially reflection amplification attacks, before the request packets have been answered, thereby ensuring secure and reliable network communication.

On the one hand, the near-source DDoS defense method based on bidirectional source address verification provided by the present invention is shown in Figure 2, and the tasks performed by the proxy device specifically include the following steps:

Step (1): initial request processing

The proxy device receives public service query requests and performs a risk assessment. When the proxy device receives a public service query request, it first performs basic identity verification and security checks, including analysis of the request's five-tuple (source address, destination address, protocol, source port, destination port), in preparation for the subsequent legitimacy and security verification of the query request.

The proxy device decides the follow-up action for a query request by inspecting specific query requests (such as query requests to a DNS server or a NET server). If the source address of the query request is not on the preset watch list, the proxy device treats it as a request that does not require verification and proceeds directly to step (4) for further processing. If the source address of the query request is on the watch list, the proxy device marks the request as pending verification and caches the request data for deeper analysis.

Step (2): send a verification request to the SAV-B device

For requests marked as pending verification, the SAV-B device assists the proxy device in further confirming their legitimacy: the proxy device sends a verification request to the SAV-B device associated with the request's source address.

Step (3): receive the SAV-B device's verification result for the query request and process the query request accordingly

Once the SAV-B device has completed verification of the source address, it sends the verification result back to the proxy device. If the verification result returned by the SAV-B device indicates that the source address is illegitimate, the proxy device immediately discards the query request corresponding to that source address and records the relevant event information for subsequent security analysis and reporting.

While discarding the request, the proxy device also triggers additional security mechanisms, such as sending a warning to the network administrator or automatically adjusting network firewall settings.

Step (4): securely forward the query request

After the proxy device confirms that the source address of the query request is not on the watch list or that the request has passed verification by the SAV-B device, it securely forwards these requests to the target server.

In addition, the proxy device may record the details of the forwarded requests, including timestamp, source address and destination, to facilitate future security audits and analysis.

Step (5): receive the server response

After receiving the query request forwarded by the proxy device, the target server processes it according to the request content and generates a service response. When the response is complete, the response data is sent back to the proxy device. The server response includes any one or more forms of data service result, and the response is security checked before transmission to ensure that it contains no security risk.

On the other hand, source address authenticity verification by the SAV-B device specifically includes: after receiving the verification request sent by the proxy device, the SAV-B device immediately processes it, searching the message information table stored on the SAV-B device for a record matching the source address, to determine whether it corresponds to normal network behavior.

Furthermore, the interactive authentication mechanism between the proxy device and the SAV-B device is shown in Figure 3. The interactive authentication verifies the legitimacy of the request by comparing the entries in the message information table that the SAV-B device generated and cached in the first phase with the message information generated from the public service request packet in the second phase, where the first phase is the sending of a query request to the open server and the second phase is the server returning a response message.

The near-source DDoS defense method based on bidirectional source address verification provided by the present invention is described comprehensively and completely below with reference to the accompanying drawings and a specific embodiment.

Embodiment: bidirectional source address verification in a reflection amplification attack scenario

The embodiment takes a DNS query request as an example.

Step 1: Initial request receipt:

The proxy device receives the query request and extracts the five-tuple information. Three five-tuples are used as an example here:

"172.168.1.1:10.0.0.1:12345:53:UDP"

"192.168.1.1:10.0.0.1:12345:53:UDP"

"192.168.1.3:10.0.0.1:12345:53:UDP"

First, the proxy device checks whether the source address is on the watch list. In this embodiment, 172.168.1.1 is not on the watch list, so the proxy device marks the request as not requiring verification, processes it normally, and proceeds to step 4; 192.168.1.1 and 192.168.1.3 are on the watch list, so the proxy device marks those requests as pending verification and proceeds to step 2.

Step 2: Send a verification request to the SAV-B device:

For each request pending verification, the proxy device looks up the SAV-B device associated with the source address (192.168.1.1 and 192.168.1.3) in the watch list and sends it a verification request to confirm the legitimacy of the query request.

Step 3: SAV-B device verification:

On receiving the verification request from the proxy device, the SAV-B device verifies the source address by checking its cached message information. The SAV-B device quickly determines whether the request is valid and returns the result to the proxy device. In this example, verification finds that the packet corresponding to 192.168.1.1 has a matching resident record in the message information, while 192.168.1.3 has no corresponding record. The SAV-B device therefore returns the verification result to the proxy device: "192.168.1.1:10.0.0.1:12345:53:UDP" is a legitimate query request; "192.168.1.3:10.0.0.1:12345:53:UDP" is an illegitimate query request.

Step 4: Securely forward the query request:

172.168.1.1 is a source address not on the watch list, so its request is forwarded directly. For source addresses on the watch list, after receiving the verification result from the SAV-B device, the proxy device forwards the cached packet corresponding to the legitimate query request "192.168.1.1:10.0.0.1:12345:53:UDP" to the target server and discards the cached packet corresponding to the illegitimate query request "192.168.1.3:10.0.0.1:12345:53:UDP".

Step 5: Receive the server response:

The target server processes the query request, generates a response packet, and sends the response data back to the proxy device, which receives it.

In this embodiment, the bidirectional source address verification method effectively identifies and handles every query request to the open server whose source is on the watch list, ensuring that only watch-listed requests that have passed verification are allowed to reach the server, thereby improving the overall security and stability of the network.
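The five steps of the embodiment, together with the SAV-B table lookup and two-phase comparison described earlier, as an added Python simulation that is not part of the patent and not code from its applicants. It assumes that the watch list maps a source prefix to the SAV-B device responsible for it, that the SAV-B device's message information table is a set of five-tuples it recorded when the query left its own network (the first phase), and that a record matches only on the full five-tuple; the device name, the event record format and the forwarding log are constructed for this example.

```python
"""Added example: simulation of the proxy device / SAV-B device exchange.

Assumptions (not from the patent): watch list = {prefix: SAV-B device},
message information table = set of five-tuples, full-tuple matching,
constructed device names and log formats.
"""
from ipaddress import ip_address, ip_network


def parse_five_tuple(text):
    """Parse the "src:dst:sport:dport:proto" string form used in the embodiment."""
    src, dst, sport, dport, proto = text.split(":")
    return (src, dst, int(sport), int(dport), proto.upper())


class SAVBDevice:
    """Near-source device: records five-tuples of queries leaving its network
    (first phase) and answers the proxy's verification requests later."""

    def __init__(self, name):
        self.name = name
        self.message_table = set()  # cached message information table

    def observe_outgoing(self, five_tuple):
        """First phase: a query really left this network with this five-tuple."""
        self.message_table.add(five_tuple)

    def verify(self, five_tuple):
        """Second phase: True only if a matching record is resident in the table."""
        return five_tuple in self.message_table


class ProxyDevice:
    """Near-server device implementing steps S1 to S4 of the method."""

    def __init__(self, watch_list):
        # Assumption: watch list keyed by source prefix -> responsible SAV-B device
        self.watch_list = {ip_network(prefix): dev for prefix, dev in watch_list.items()}
        self.events = []       # dropped requests with reason (claim 4)
        self.forward_log = []  # forwarded requests with how they were cleared (claim 6)

    def find_savb(self, src_ip):
        """Step 1 risk assessment: is the source on the watch list, and whose is it?"""
        addr = ip_address(src_ip)
        for net, dev in self.watch_list.items():
            if addr in net:
                return dev
        return None

    def handle(self, five_tuple_text):
        """Return "forward" or "drop" for one query request."""
        ft = parse_five_tuple(five_tuple_text)
        savb = self.find_savb(ft[0])
        if savb is None:
            # Not on the watch list: no verification needed, jump to step 4
            self.forward_log.append((ft, "unverified"))
            return "forward"
        # Steps 2 and 3: ask the associated SAV-B device for a verdict
        if savb.verify(ft):
            self.forward_log.append((ft, "verified by " + savb.name))
            return "forward"
        # Step 4: illegitimate source, discard the cached packet and record the event
        self.events.append({"five_tuple": ft, "savb": savb.name,
                            "reason": "no matching record in message table"})
        return "drop"


def run_embodiment():
    """Replays the three constructed five-tuples from the embodiment."""
    savb = SAVBDevice("savb-192.168.1.0")
    # First phase: only 192.168.1.1's DNS query was seen leaving the watched network
    savb.observe_outgoing(parse_five_tuple("192.168.1.1:10.0.0.1:12345:53:UDP"))
    proxy = ProxyDevice({"192.168.1.0/24": savb})
    requests = [
        "172.168.1.1:10.0.0.1:12345:53:UDP",  # not on watch list
        "192.168.1.1:10.0.0.1:12345:53:UDP",  # watched, genuine
        "192.168.1.3:10.0.0.1:12345:53:UDP",  # watched, no record: spoofed
    ]
    return {r: proxy.handle(r) for r in requests}, proxy


if __name__ == "__main__":
    results, proxy = run_embodiment()
    for request, verdict in results.items():
        print(request, "->", verdict)
    print("dropped events:", proxy.events)
```

Because the SAV-B device matches on the complete five-tuple rather than on the source address alone, a packet that reuses a watched address but a different source port or protocol also fails verification; the trade-off is that the SAV-B device must record every outgoing request, so its table needs an expiry policy in practice, which the patent text does not specify.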

The above is only a preferred embodiment of the present invention and is not intended to limit its protection scope. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention is included in its protection scope.

Claims (9)

1. A near-source DDoS defense method based on bidirectional source address verification, characterized in that a bidirectional source address verification (SAV-B) proxy device is deployed near the server to implement security management of the network deployment domain; the proxy device is responsible for monitoring requests to the public server in real time and cooperates with the SAV-B device to complete the bidirectional source address verification task, and the task executed by the proxy device specifically comprises the following steps:
step S1, the proxy device receives a public service query request and performs a risk assessment;
step S2, the proxy device sends a verification request to the SAV-B device;
step S3, the proxy device receives the verification result of the SAV-B device for the query request;
step S4, the proxy device processes the query request according to the verification result;
step S5, the proxy device forwards the query request to the open server and receives the server response.
2. The method of claim 1, wherein the SAV-B device is responsible for collecting five-tuple information of network packets, comprising the source address, destination address, protocol, source port and destination port, generating a message information table, and performing source address authenticity verification.
3. The method of claim 1, wherein the risk assessment in step S1 comprises checking whether the source address of the query request is on a preset watch list.
4. The method of claim 1, wherein in step S4, if the verification result returned by the SAV-B device indicates that the source address is illegitimate, the proxy device immediately discards the query request corresponding to that source address and records the related event information.
5. The method of claim 4, wherein, while dropping the query request, the proxy device triggers additional security mechanisms comprising sending a warning to a network administrator or automatically adjusting network firewall settings.
6. The method of claim 1, wherein in step S5, after the proxy device confirms that the source address of the query request is not on the watch list or that the query request has been verified by the SAV-B device, the proxy device securely forwards these query requests to the target server and also records the details of the forwarded request, comprising the timestamp, source address and destination.
7. The method of claim 1, wherein the target server, upon receiving the query request forwarded by the proxy device, processes it according to the content of the request, generates a server response and sends the response data back to the proxy device, said server response comprising any one or more forms of data service results, the response being security-checked prior to transmission to ensure that no security risk is involved.
8. The method of claim 2, wherein the SAV-B device performing source address authenticity verification comprises searching the message information table stored on the SAV-B device for a record matching the source address, so as to determine whether the request conforms to normal network behavior.
9. The method of claim 1 or 2, wherein the interactive authentication mechanism between the proxy device and the SAV-B device verifies the validity of the request by comparing the table entries in the message information table generated and cached by the SAV-B device in the first phase with the message information generated from the public service request packet in the second phase, where the first phase refers to sending a query request to the open server and the second phase refers to the server returning a response message.
CN202410582391.6A 2024-05-11 2024-05-11 Near-source DDoS defense method based on bidirectional source address verification Pending CN118432903A (en)


Publications (1)

Publication Number Publication Date
CN118432903A true CN118432903A (en) 2024-08-02

Family

ID=92325502


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination