




Shield: DoS Filtering Using Traffic Deflecting

Abstract

Denial-of-service (DoS) attacks continue to be a major problem on the Internet. While many defense mechanisms have been created, they all have significant deployment issues. This paper introduces a novel method that overcomes these issues, allowing a small number of deployed DoS defenses to act as secure on-demand shields for any node on the Internet. The proposed method is based on rerouting any packet addressed to a protected autonomous system (AS) through an intermediate filtering node, a shield. In this way, all potentially harmful traffic can be discarded before reaching the destination. The mechanisms for packet rerouting use existing routing techniques and do not require any kind of modification to the deployed protocols or routers. To make the proposed system feasible, from both the deployment and the usage points of view, traffic rerouting and outsourced filtering could be provided as an insurance-style on-demand service.

Index Terms: DDoS, Filtering, IP Anycast, BGP, Traffic deflection

I. Introduction

As the Internet grows, malicious users continue to find intelligent and insidious ways to attack it. Many types of attacks happen every day, but one particular kind, denial-of-service (DoS) attacks, remains the most common, accounting for more than a third of all malicious behavior on the Internet in 2011 [1]. The main goal of these attacks is literally to deny some or all legitimate users access to a particular Internet service, harming the service as a whole. In the extreme case, when the attack is aimed at the core Internet infrastructure (e.g., attacks on the root DNS servers [2]), the whole Internet could be jeopardized. There is a clear need for comprehensive, cheap, and easily deployable DoS protection mechanisms.

Attackers may have different motivations (extortion, vengeance, or simple malice), and the goal of a DoS attack can be achieved in many ways. Thus, there is a wide variety of attack methods available [3] and a growing number of proposed defense mechanisms to stop or mitigate them. Many of the proposed DoS defenses are both clever and potentially effective [4]. However, the most common question with DoS defenses is how to deploy them.

Some defenses require deployment in core routers [5], but the tier 1 ASes that own these routers have little incentive to do so. The economic model of all transit providers, including tier 1 providers, consists of charging for the amount of forwarded traffic. Thus, such providers are extremely cautious with any kind of filtering, as they risk losing money or even customers. In addition, unless fully deployed by every major ISP, core defenses generally provide very limited protection.

Other defenses require deployment on the edges of autonomous systems (ASes), hoping to catch malicious traffic before it goes to the outside world. Unfortunately, it is difficult to detect a DoS attack, and especially a distributed DoS attack, at the source. These attacks can have a multitude of carriers (e.g., infected nodes) that generate small amounts of virtually undetectable malicious traffic, making edge defenses useless. Moreover, there are basically no incentives for ASes to deploy such filtering mechanisms. Edge filters prevent attacks from leaving an AS, but provide little protection for the filtering AS. Until everybody implements a similar defense, the ASes that deploy filters will not gain anything; their users will still be vulnerable. This results in the current status quo, where an AS usually allows almost any traffic with minimal or no filtering at all. Ingress filtering [6] is the most common type of available and widely deployed anti-attack measure [7]. Unfortunately, this filtering defends only against IP spoofing and provides little help in deflecting other types of attacks.

Finally, defenses can be deployed near every victim in the form of traffic analysis tools, firewalls, and anti-virus software. In general, to be able to absorb an attack, these defenses require the victim to be highly over-provisioned (i.e., the network should have a large enough bandwidth, or the content should be sufficiently replicated). Clearly, not every possible victim has the resources to over-provision, which nullifies the effect of such defenses.

In this paper we propose a promising security model for the Internet that can leverage virtually any kind of previously proposed mechanism, without facing the deployment problem. Our solution relies on existing routing techniques (BGP routing [8], IP Anycast [9], [10], IP tunneling [11], and others) to divert traffic during a DoS attack from a direct route to a route that contains special DoS filters (Figure 1). When an attack occurs, all packets destined for the target AS are forced by means of the routing system to pass through specially deployed filtering nodes, which we call shields. During an attack, shields (1) pretend to be a valid origin for the attacked prefix (in the same way IP Anycast or a multiple-origin AS works), (2) perform dedicated traffic analysis and filtering of malicious traffic, and (3) deliver all legitimate traffic to the real destination.

Fig. 1. Diverting traffic flow from a direct route to pass through filtering nodes (shields)

One of the key elements in the proposed solution is the on-demand nature of the filtering mechanisms. The shields divert traffic and perform traffic analysis and filtering for a protected IP prefix or AS only during an active attack. This helps resolve the contradiction between the requirement to protect and that of not disturbing normal network functionality by either increasing delays or reducing available bandwidth.

An on-demand DoS attack defense solution is beneficial because the occurrence of a future DoS attack is difficult or even impossible to predict. Not every Internet server or AS is exposed to a DoS attack at the same time; any attack, whatever its duration, is temporary and will eventually cease. Thus, always-on solutions waste resources by analyzing harmless traffic most of the time. Our shields solve this problem by allowing an effective insurance-style sharing of defense resources among a large number of Internet users.

The proposed system is a method to deploy DoS defense filters; it is not a design of a DoS defense filter. Many existing high-quality filters could be efficiently implemented on the shield nodes, providing first-class protection for participating parties.

II. Shield design

Protection against DoS attacks is a very complex and contradictory problem. One of the most important aspects of DoS defense is where such a defense (e.g., traffic analyzer and filter) should be deployed. This decision largely defines deployment and exploitation cost, as well as the level of protection achieved. Defenses could be implemented locally at the server or AS level. Unfortunately, there are serious drawbacks to the local deployment model. Local defenses may give only limited protection to the outside world from attackers inside an AS (a node in a botnet may not generate a detectable volume of malicious traffic) and a limited ability to mitigate certain types of low-rate application-targeted attacks. As a result, until all ASes deploy the defenses, any outside attacker could successfully perform a flood-based DoS attack by overwhelming the capacity of local links.

An alternative deployment strategy is implementing DoS defenses inside the part of the Internet core that sees and forwards virtually all traffic: the 50 largest ASes, which forward more than 95% of all Internet traffic [12]. Although core defenses mitigate to some degree the problem of partial deployment and may provide comprehensive protection against any volume of DoS attack, they are unlikely to be implemented and deployed in the foreseeable future. Core ASes move traffic as fast as possible (a couple of nanoseconds spent on each forwarded packet) and will not deploy any service that may harm throughput.

Our system takes a different approach. Instead of deploying defenses along the direct route (e.g., at the core routers or AS edges), our system outsources defenses to dedicated shields that can be shared among a large number of Internet users. This outsourcing could be accomplished in a number of ways, but there are two basic components: traffic deflection towards the shield nodes and final delivery of legitimate traffic from the shields to the true destinations. It could be implemented within the existing global routing system, using traffic trapping and black-holing for route deflection towards shields, and stretched-path forwarding, source routing, and different types of tunneling for final delivery of legitimate traffic to the real destination. In the following sections we discuss these and other implementation strategies, their feasibility, and the level of DoS defense they could provide.

A. Traffic redirection

If there are so many problems with deploying defense mechanisms along the direct route, why not alter the routing to make traffic go through dedicated filters located elsewhere? Instead of moving the filters to the traffic, move the traffic to the filters. The question here is how to divert traffic and make it flow in the direction of the filter, not in the direction of an AS under attack. Our answer to this question contains two somewhat related solutions, applicable in the existing global routing infrastructure: traffic trapping and traffic black-holing.

The first technique includes deployment (physical or tunnel-based) of shields at important topological points in the Internet, such as Internet Exchange Points (IXPs). During an attack, appropriately deployed shields can start announcing shorter paths for the protected prefix (e.g., by forging the AS-PATH attribute of the BGP protocol [8]), effectively trapping the traffic for this prefix (Figure 2).

Fig. 2. Traffic trapping by shortening the AS-PATH attribute: node 2 announces to node 3 a trap route [2, X]

Unfortunately, there are several shortcomings that seriously limit the applicability of traffic trapping. First, altering the AS-PATH may be harmful and introduce routing loops, though additional restrictions and cautious per-neighbor advertisement decisions can significantly reduce, if not eliminate, this potential damage. Second, and probably most critical, is the requirement for substantial deployment. To be effective, shields should be deployed on every major IXP; otherwise, the efficiency and level of DoS protection will be significantly jeopardized. Finally, traffic trapping does not really provide a fully comprehensive filtering solution. If an attacker is lucky enough to be colocated or very close, it can still send malicious traffic directly to the victim, bypassing all traffic traps.

Luckily, traffic trapping is not the only method that can be employed for traffic rerouting. There is a much less restrictive alternative that allows any level of deployment (i.e., from one to millions of shields) at any place on the Internet. Instead of shortening AS-PATHs, during an active attack shields can become the only origins (from BGP's point of view) for the attacked prefix. The exact procedure could be as follows. When an AS detects an attack on a prefix, it informs the shields that they need to enable filtering for the prefix. Receiving this solicitation, the shields, on behalf of the AS, begin announcing the attacked prefix as if it were their own, and the AS itself withdraws all original routes for the prefix in question (Figure 3). This way, the AS has effectively black-holed traffic for the attacked prefix, which is an extreme case of traffic trapping.

Fig. 3. Traffic black-holing by anycasting the protected prefix: the origin withdraws the real route and shields act as route origins

In both cases, once the shields determine that the attack has ceased, they release the filtering resources and revert to the original routing. In the traffic black-holing case, they also notify the protected AS that filtering will be terminated soon. This allows the AS to return its original routing announcements to the global routing system and proceed with receiving data over the standard shortest paths. In special circumstances, operators are able to manually terminate the protection service, effectively returning routing to the pre-protection state.

B. Legitimate traffic delivery

An astute reader may have realized a problem with this scheme. While the traffic has been diverted from the original route and effectively filtered, how does the destination actually get the filtered (i.e., legitimate) traffic? In the case of traffic trapping the answer to this question is quite easy. Shields can internally maintain the real shortest-path next hop and forward all legitimate traffic to it. Traffic could get trapped many times along the route, but it will always be getting closer and closer, and eventually will reach the final destination.

The matter is not that simple for the black-holing case. Since the original prefix was withdrawn, shields cannot simply place the packets on the pipe and expect them to get to the host. In fact, since the shields are advertising the prefix as their own, the packets will get routed back to the same or another nearby shield. Therefore, we need an additional mechanism to get the packets from the shields to the true destination.

There is no ideal solution that satisfies all possible exploitation and security requirements, but several alternative schemes offer different implementation complexity, deployment feasibility, and level of DoS protection.

The simplest scheme is to use a secret routable IP prefix for IP-in-IP tunneling purposes. The ultimate goal is to use such a prefix to tunnel legitimate traffic towards the real destination, without exposing the original prefix to direct attacks. However, this is obviously a single point of failure. If the attacker learns the secret prefix, the destination will again be exposed to direct attac
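The traffic-trapping and black-holing procedures of Section II-A, and the delivery problem they create in Section II-B, can be traced on a toy path-vector router. The Python script below is an added example written for this edition, not code from the paper or its authors. Its ring topology (origin X, ASes 1 to 4, shields at AS 2 and AS 4), the prefix names P and D, and the simplified BGP decision rule (shortest loop-free AS-PATH, ties broken by the lowest next-hop AS) are all assumptions. It reproduces Figure 2 (AS 2 exports a forged path [2, X] only to AS 3, so AS 3's traffic now crosses the shield while the shield's own real route stays intact), Figure 3 (X withdraws, the shields originate the prefix, and a packet for P ends at the nearest shield), and the black-holing delivery problem: a shield that simply hands the packet to a neighbour sees it come straight back, whereas a separately announced delivery prefix D still reaches X.

```python
# Added illustration, not code from the paper: a toy path-vector (BGP-like)
# model used to show traffic trapping (Fig. 2), traffic black-holing (Fig. 3)
# and why a black-holing shield needs a separate delivery route.
# Topology, AS names and prefix names are constructed for this example.

MAX_ROUNDS = 50


class PathVectorNet:
    """Every node keeps the shortest loop-free AS-PATH offered by a neighbour;
    ties go to the lowest next-hop AS (a deliberately simplified BGP)."""

    def __init__(self, links):
        self.adj = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.origins = {}    # prefix -> {node: path it originates}
        self.overrides = {}  # prefix -> {(node, neighbour): forged path exported}

    def originate(self, prefix, node):
        self.origins.setdefault(prefix, {})[node] = [node]

    def withdraw(self, prefix, node):
        self.origins.get(prefix, {}).pop(node, None)

    def trap(self, prefix, shield, neighbour, pretend_origin):
        """Traffic trapping: the shield exports a forged, shorter AS-PATH
        [shield, origin] to one chosen neighbour only (per-neighbour decision)."""
        self.overrides.setdefault(prefix, {})[(shield, neighbour)] = [shield, pretend_origin]

    def _export(self, prefix, frm, to, rib):
        return self.overrides.get(prefix, {}).get((frm, to), rib[frm])

    def converge(self, prefix):
        origins = self.origins.get(prefix, {})
        rib = {n: origins.get(n) for n in self.adj}
        for _ in range(MAX_ROUNDS):
            changed = False
            for n in sorted(self.adj):
                if n in origins:
                    continue                      # origins keep their own path
                best = None
                for nb in sorted(self.adj[n]):
                    offered = self._export(prefix, nb, n, rib)
                    if offered is None or n in offered:
                        continue                  # no route, or own AS already in path
                    cand = [n] + offered
                    if best is None or (len(cand), cand[1]) < (len(best), best[1]):
                        best = cand
                if best != rib[n]:
                    rib[n], changed = best, True
            if not changed:
                break
        return rib

    @staticmethod
    def forward(rib, src, max_hops=16):
        """Follow each node's best path hop by hop; stops where a node has no
        route or believes it is itself the origin of the prefix."""
        node, trace = src, [src]
        while rib[node] and len(rib[node]) > 1 and len(trace) <= max_hops:
            node = rib[node][1]
            trace.append(node)
        return trace


def build_demo():
    # Constructed ring X-1-2-3-4-X; X originates the protected prefix P.
    net = PathVectorNet([("X", "1"), ("1", "2"), ("2", "3"), ("3", "4"), ("4", "X")])
    net.originate("P", "X")
    return net


def normal_path():
    net = build_demo()
    return PathVectorNet.forward(net.converge("P"), "3")        # direct route 3-4-X


def trapped_path():
    net = build_demo()
    net.trap("P", shield="2", neighbour="3", pretend_origin="X")  # Fig. 2
    return PathVectorNet.forward(net.converge("P"), "3")        # now 3-2-1-X via the shield


def blackholed_paths():
    net = build_demo()
    net.withdraw("P", "X")          # origin withdraws the real route (Fig. 3)
    net.originate("P", "2")         # shields become the only origins of P
    net.originate("P", "4")
    net.originate("D", "X")         # secret delivery prefix, announced only by X
    rib_p, rib_d = net.converge("P"), net.converge("D")
    return {
        "client_at_3": PathVectorNet.forward(rib_p, "3"),   # ends at shield 2, not at X
        "handoff_via_1": PathVectorNet.forward(rib_p, "1"), # neighbour 1 sends it back to 2
        "tunnel_from_2": PathVectorNet.forward(rib_d, "2"), # delivery prefix reaches X
    }


if __name__ == "__main__":
    print("normal     :", normal_path())
    print("trapped    :", trapped_path())
    print("black-holed:", blackholed_paths())
```

The loop check (`n in offered`) is the standard AS-PATH loop detection; it is what stops the forged path from being re-imported by the shield itself, and the per-neighbour export in `trap` is the "cautious per-neighbor advertisement decision" the section mentions. Both are needed for the trapped traffic to keep getting closer to X rather than circling.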
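For the IP-in-IP delivery scheme at the end of Section II-B, the following Python script is an added example, not code from the paper. It builds real IPv4 headers (protocol number 4 is the standard IP-in-IP value), has a black-holing shield wrap each packet it clears in an outer header addressed to a secret delivery prefix, and has the protected AS unwrap it. The addresses are constructed from the documentation ranges, the filter is a constructed stand-in predicate (the paper deliberately does not design the filter itself), and the check that the outer source is a known shield is this example's own mitigation for the single-point-of-failure remark above.

```python
# Added illustration, not code from the paper: how a black-holing shield
# delivers a packet it has cleared, by wrapping it in an outer IPv4 header
# (IP-in-IP, protocol 4) addressed to a secret, separately routed delivery
# prefix, and how the protected AS unwraps it. Addresses are constructed
# from documentation ranges; the filter is a stand-in predicate.
import ipaddress
import struct

IPPROTO_IPIP = 4                                            # standard IP-in-IP number
PROTECTED_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # constructed: prefix under attack
SECRET_PREFIX = ipaddress.ip_network("198.51.100.0/24")     # constructed: delivery prefix
DELIVERY_ENDPOINT = "198.51.100.7"                          # constructed: tunnel end in the AS


def checksum(data):
    """RFC 1071 ones-complement sum; yields 0 over a header whose checksum
    field is already filled in correctly."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or len(pkt) < total or checksum(pkt[:ihl]) != 0:
        raise ValueError("malformed IPv4 header")
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


class Shield:
    """Black-holing shield: it is the route origin for PROTECTED_PREFIX, so it
    must tunnel cleared packets instead of forwarding them on the plain route."""

    def __init__(self, shield_ip, allow):
        self.ip = shield_ip
        self.allow = allow          # stand-in filter: any existing DoS filter could sit here
        self.stats = {"dropped": 0, "tunneled": 0}

    def handle(self, pkt):
        inner = parse_ipv4(pkt)
        if ipaddress.ip_address(inner["dst"]) not in PROTECTED_PREFIX:
            return None             # not a protected address: nothing to do here
        if not self.allow(inner):
            self.stats["dropped"] += 1
            return None             # judged malicious: discarded at the shield
        self.stats["tunneled"] += 1
        outer = ipv4_header(self.ip, DELIVERY_ENDPOINT, IPPROTO_IPIP, len(pkt))
        return outer + pkt          # outer header is routed on the secret prefix


def decapsulate(pkt, known_shields):
    """Tunnel end inside the protected AS: strip the outer header and hand the
    original packet to the real destination."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP or ipaddress.ip_address(outer["dst"]) not in SECRET_PREFIX:
        raise ValueError("not a tunneled delivery packet")
    if outer["src"] not in known_shields:
        raise ValueError("tunnel source is not a shield")  # the secret prefix alone is a weak gate
    return parse_ipv4(outer["payload"])


def demo():
    # Constructed traffic: one legitimate TCP packet and one packet from a
    # source the stand-in filter has already judged to be part of the flood.
    shield = Shield("192.0.2.10", allow=lambda p: p["src"] != "192.0.2.66")
    good = ipv4_header("192.0.2.20", "203.0.113.5", 6, 4) + b"GET "
    flood = ipv4_header("192.0.2.66", "203.0.113.5", 17, 4) + b"\0\0\0\0"
    tunneled = shield.handle(good)
    dropped = shield.handle(flood)
    inner = decapsulate(tunneled, known_shields={"192.0.2.10"})
    return {"tunneled": shield.stats["tunneled"], "dropped": shield.stats["dropped"],
            "flood_forwarded": dropped is not None, "outer_dst": parse_ipv4(tunneled)["dst"],
            "delivered_dst": inner["dst"], "payload": inner["payload"]}


if __name__ == "__main__":
    print(demo())
```

The outer destination is an address inside SECRET_PREFIX rather than the withdrawn protected prefix, which is what lets the packet leave the shield without being routed back to a shield. Checking the outer source against a list of shields is a cheap extra gate; it does not repair the single point of failure the text describes, since an attacker who learns the prefix can still flood it, but it does stop forged tunnel packets from being unwrapped and delivered as if they had been filtered.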