HANOI - 2010
ACKNOWLEDGEMENTS
First of all, I would like to express my deep gratitude to my supervisor, Dr. Nguyen Dai Tho, who guided and advised me with great dedication throughout the past academic year. I am grateful to the lecturers of the Faculty of Information Technology, University of Engineering and Technology, Vietnam National University, Hanoi, who taught and guided me during my four years at the university and created the best conditions for me to complete this graduation thesis. I thank my fellow K51 students at the University of Engineering and Technology, especially those of classes K51CA and K51MMT, and my roommates in room 202B of the foreign-languages dormitory, for their solidarity and help as we studied the useful and interesting subjects of the undergraduate programme together. Finally, I send my gratitude and love to my father, my elder sister, my foster mother and my family.
ABSTRACT
Defending against denial-of-service attacks, and in particular distributed denial-of-service attacks on websites, remains a topic that attracts a great deal of attention from researchers. Besides the difficulties caused by weak network infrastructure, the constant development of attack tools and methods makes preventing and countering denial-of-service attacks a very hard problem. This thesis presents an effective method of defending against denial-of-service attacks by using an overlay network architecture to protect a website. In this architecture, a group of SOAPs (secure overlay access points) checks visitors and distinguishes them from attackers' malicious programs, then carries the requests of legitimate users over SSL connections through the overlay to secret nodes within it. The secret nodes then forward the user requests, through a filtering region, to the target server. Strong filters discard malicious requests sent directly to the target server and allow access only from the secret nodes; the overlay hides the secret nodes; and any SOAP in the overlay that comes under attack can readily be replaced by another SOAP. Together these protect the website and minimise the impact of attacks. However, the architecture proves helpless when one or more nodes in the overlay are compromised, become malicious and attack the network. This thesis implements improvements that detect the situation in which a malicious node attacks, and automatically redirect queries away from the malicious attack. After building an attack scenario, the improved architecture was tested and showed very promising results. Keywords: Denial of Service, overlay node, Graphic Turing Test
TABLE OF CONTENTS
ACKNOWLEDGEMENTS
ABSTRACT
TABLE OF CONTENTS
INTRODUCTION
Chapter 1: DENIAL-OF-SERVICE ATTACK METHODS
1.1 Setting up the agent network
1.1.1 Finding vulnerable machines
1.1.2 Breaking into vulnerable machines
1.1.3 Propagation methods
1.2 Controlling the agent network
1.2.1 Direct command sending
1.2.2 Indirect command sending
1.2.3 Unwitting agents
1.2.4 Carrying out the attack
1.3 Denial-of-service attack methods
1.3.1 Exploiting weaknesses of the target
1.3.2 Protocol attacks
1.3.3 Middleware attacks
1.3.4 Application attacks
1.3.5 Resource attacks
1.3.6 Pure flooding
1.4 IP Spoofing
1.5 DoS trends
Chapter 2: TRADITIONAL COUNTERMEASURES
2.1 Pushback
2.2 Traceback
2.3 D-WARD
2.4 NetBouncer
2.5 Proof of Work
2.6 DefCOM
2.7 COSSACK
2.8 Pi
2.9 SIFF
2.10 Hop-count filtering (HCF)
Chapter 3: SOS AND WEBSOS
3.1 The Chord protocol
3.2 The SOS architecture
3.3 The WebSOS architecture
3.3.1 Proposed solution
3.3.2 Architecture of WebSOS
3.3.3 WebSOS mechanisms
3.3.3.1 General mechanism
3.3.3.2 Routing mechanism
3.3.4 Protection mechanism
3.3.5 Evaluation of the strengths and weaknesses of the WebSOS architecture
Chapter 4: EXPERIMENTS, IMPROVEMENTS AND RESULTS
4.1 Experimental environment
4.2 Installing the WebSOS architecture
4.3 Measuring connection latency
4.4 Proposed improvement
4.4.1 The problem with the WebSOS overlay
4.4.2 Proposed improvement
4.4.3 Implementing the proposal
4.4.3.1 Test scenario
4.4.3.2 Test results
4.4.3.2.1 With the original program
4.4.3.2.2 With the improved program
4.4.4 Performance evaluation of the improved program
Chapter 5: CONCLUSION
5.1 Results achieved
5.2 Future work
REFERENCES
INTRODUCTION
Denial-of-service attacks (DoS, Denial of Service) are becoming an ever larger threat to the reliability of the Internet. These attacks are organised and carried out in many different ways, from using a single machine to assembling a large army of subordinate agent machines, up to tens of thousands of them, to serve the attack; their aim is to paralyse applications, servers or whole networks, or to disrupt legitimate users' connections to the target website. A study at UCSD [23] showed that as early as the beginning of this decade denial-of-service attacks were occurring at a rate as high as 4000 attacks per week. In 2002, a denial-of-service attack [22] brought down 9 of the world's 13 DNS root servers. The serious impact of denial-of-service attacks, of which distributed denial of service (DDoS) is the most frequently mentioned, has led to a series of studies aimed at better understanding the attack mechanisms and arriving at ways to guard against their harmful effects. Many methods have been proposed to counter denial-of-service attacks: filtering packets to prevent source-address spoofing, diverting the attack, pushing the attack traffic back into the network, isolating and distinguishing client traffic from server traffic, and so on. Each solution is good and provides a technique that helps us pin down the denial-of-service problem, but each method can protect against only one aspect of denial of service. My thesis presents a method of defending against distributed denial-of-service attacks that is highly effective and more comprehensive than these: the application of an overlay network architecture that shields the target from the attacker's reach. Based on the overlay network architecture, a number of proposals have been put forward, namely the SOS and WebSOS architectures. The SOS architecture uses an overlay network that lets only legitimate, authenticated queries through to the target server. By relying on secret nodes, with only traffic from these nodes able to reach the target server, the architecture proves quite effective at protecting a website. Inheriting from SOS, WebSOS deploys the overlay with a number of improved mechanisms, such as authenticating users through a CAPTCHA test, connecting through a proxylet, and establishing SSL connections with X.509 authentication, to raise the system's level of security.
To enable WebSOS to withstand cases in which nodes in the overlay are compromised and become sources of attack, we put forward improvements that automatically detect such an attack and re-route queries to avoid it.
The rest of the thesis is organised as follows. Chapter 1, Denial-of-service attack methods, gives an overview of the steps an attacker must carry out to mount a denial-of-service attack. Chapter 2 covers previously proposed methods of defending against denial-of-service attacks; many of them are still active research topics in this field. The filtering methods, given the development of network infrastructure, could, if deployed consistently, reduce the risk of denial-of-service attacks on websites. Chapter 3, SOS and WebSOS, introduces the mechanisms of these two architectures, which protect websites from denial-of-service attacks through the use of an overlay network and secret nodes, and identifies the core features that I reuse in the improved architecture for defending against denial of service. Chapter 4, Experiments, improvements and results, presents my results in deploying the WebSOS architecture and the analysis leading to an improvement that makes the system more robust against attacks originating from within the overlay itself, when some overlay nodes are compromised and become attack sources. Chapter 4 also reports the performance evaluation of the original WebSOS architecture and of the improved architecture, using the attack scenario that was built and measurements of query latency through both architectures. Chapter 5, Conclusion, summarises the results achieved and the further results this research aims at in order to complete the model and make it deployable.
Security holes, once discovered, are usually mitigated by patches. Attackers, however, keep trying to exploit them and to look for other holes a machine may have. And there is one weakness that cannot be mitigated or fixed by a patch: a weak password for accessing the computer. Some exploit programs contain dictionaries of commonly used passwords; they try the passwords in the list to break into the computer. This may take a long time, but in many cases they do crack users' weak passwords and obtain legitimate access to the machine. Users often think it is acceptable to leave the Administrator account without a password, or believe that "password" or some other simple word is enough to protect the account. These are serious mistakes for which they may pay dearly.
As the agent network grows, the attacker needs to communicate with these machines in order to direct them in the attack. The purpose of this communication is to let the attacker issue start/stop commands for specific attacks, and to let him collect specific data on the behaviour of the agent machines.
[...] direct communication creates an unusual event that is easy to detect when the network is monitored. Because direct communication requires the handler and the agent to be listening on a fixed port, an inspection that happens to find the machine initiating a connection to another machine on an unusual port can reveal that the machine has been compromised. By examining the packets sent and received over this connection, the network administrator can determine the address of the machine it is connected to. Even when no connection is in progress, monitoring the open ports on the machine can reveal handler or agent processes. Finally, the attacker also has to write his own code for transmitting commands and control. This is why attackers have moved to communicating over IRC. Now both the attacker and the agents connect to some IRC server, which is legitimate and creates no unusual event at all. The role of the handler is now played by a single channel on the IRC server, usually protected by a password. Typically a channel is hard-coded into the bots on the victim machines; the bot first connects there to find out where the real control channel is, and then connects to that control channel. Channel hopping can even be done within the IRC network this way. From then on the bot receives the attacker's commands over the control channel it found and connected to, and executes them: scanning for other agents, DDoS attacks, updates, and so on. Sending commands indirectly has many advantages. The server already exists and is maintained by someone else, and the attacker needs only one channel among the thousands of other chat channels on the server, so it is very hard to detect, even though the channel may stand out when thousands or tens of thousands of users suddenly join within a few minutes. Even when it is detected, the server operator must be reached before the channel can be shut down, and the IRC server may well be located in some foreign country. Moreover, because of IRC's distributed design, not all clients need to connect to the same IRC server to join the handler channel; connecting to any server in the same network suffices. Most tools that appeared after Trinity exploit this communication mechanism.
[...] also assembles a list of vulnerable systems and, at attack time, has the agents go through this list and send the commands that trigger the traffic. The traffic generated is legitimate. For example, the attacker can exploit a current vulnerability in a web server to make it run PING.EXE. Some researchers call these unwitting agents. With unwitting agents, instead of installing malicious code on the victim machine, the attacker uses security holes to break into the machine and run legitimate software that is already present on the system, so countering this kind of attack becomes very hard and complicated. Since the victim machine holds no malicious code, port scanners, file-system scanners and virus scanners cannot detect anything. Detection is usually possible only through network traffic monitoring and vulnerability scanners such as Nessus. And only patching the security holes limits the abuse of the machine and of its legitimate software, reducing the risk of the machine being taken over as an agent for the attack.
There are several ways of causing denial of service. Creating a DoS effect covers every possible way of damaging a system or making it stop working. There are many ways to bring a system down, and a system usually has many vulnerabilities that attackers will try to exploit, or to aim their attack at, until they get the result they want: the target is forced offline.
[...] invalid, or repeated data). On receiving a SYN packet, the server allocates a transmission control block (TCB) that stores information about the client. It then replies with a SYN-ACK, informing the requesting client that service will be granted, acknowledging the client's sequence number and sending its own initial sequence number. The client, on receiving the SYN-ACK, also allocates a TCB and then replies with an ACK to the server, completing the opening of the connection. The potential for abuse lies in the server allocating resources as soon as it receives the SYN. Once the server has committed its TCB and replied with a SYN-ACK, the connection is said to be half-open: the resources the server allocated are held for the connection with this client until the client sends an ACK, closes the connection (by sending an RST), or the timeout expires and the server drops the connection, freeing the buffer space. Whether or not the client sends another packet, the resources remain allocated for a certain period. In a TCP SYN flood, the attacker creates a huge number of half-open connections using spoofed source IP addresses. These requests quickly exhaust the server's TCB memory, after which the server can no longer accept incoming connection requests. To keep this state going for as long as desired, the attacker needs to generate a steady stream of SYN packets towards the victim (to grab the resources freed by timeouts or by completed TCP sessions). This is a particularly dangerous attack, since the server receives a large number of well-formed SYN packets and cannot easily tell packets from legitimate clients apart from attack traffic. To carry out a SYN flood successfully the attacker needs to locate an open port on the victim's machine; after that only a small packet rate, around 10 SYN packets per minute, is enough to gradually exhaust the victim's resources. A less common variant is the random-port SYN flood, in which the attacker generates a large volume of TCP SYN packets aimed at random ports on the victim, with the goal of overwhelming the victim's network resources rather than filling its buffer memory.
Protocol attacks are very hard to counter by fixing and patching, because a patch would require changing the protocol, and experience shows that changing Internet protocols is practically impossible. In some cases, using the existing protocol cleverly can solve the problem: for instance, TCP SYN cookies can defeat SYN floods while changing only how the server handles incoming connections.
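The following is an added example, not code from the thesis, showing in Python the idea just described: instead of allocating a TCB on SYN, the server encodes the connection state in its initial sequence number and verifies it only when the final ACK arrives, so a flood of spoofed SYNs leaves no state behind. The cookie layout (6 bits of time slot, 2 bits of MSS index, 24 bits of MAC), the secret, the MSS table and the addresses are assumptions made for the example and are a simplification of what real kernels do.

```python
"""Simplified TCP SYN cookies: the server keeps no per-connection state between
SYN and ACK; the state lives in the server's initial sequence number."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret for this example; a real server picks it at boot and rotates it.
SECRET = b"example-syncookie-secret"
# MSS values encodable in 2 bits (a simplification of the table real kernels use).
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(saddr, daddr, sport, dport, client_isn, t):
    """24-bit MAC binding the cookie to the 4-tuple, the client's ISN and a time slot."""
    msg = struct.pack("!4s4sHHII",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, client_isn & 0xFFFFFFFF, t & 0xFFFFFFFF)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, t):
    """Server ISN layout: 6 bits of time slot | 2 bits of MSS index | 24 bits of MAC."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x3F) << 26) | (idx << 24) | _mac24(saddr, daddr, sport, dport, client_isn, t)


def check_cookie(saddr, daddr, sport, dport, seq, ack, now_t):
    """Validate the final ACK of the handshake. Returns the MSS to use, or None."""
    client_isn = (seq - 1) & 0xFFFFFFFF   # the ACK carries client_isn + 1 ...
    cookie = (ack - 1) & 0xFFFFFFFF       # ... and server_isn + 1
    idx = (cookie >> 24) & 0x3
    # Accept the current slot and the previous one, so a slow but honest client still gets in.
    for t in (now_t, now_t - 1):
        if t < 0:
            continue
        if (cookie >> 26) == (t & 0x3F) and \
           (cookie & 0xFFFFFF) == _mac24(saddr, daddr, sport, dport, client_isn, t):
            return MSS_TABLE[idx]
    return None


class StatelessListener:
    """A listener that allocates a connection record only after the ACK validates."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}   # (saddr, sport) -> MSS; the only state kept

    def on_syn(self, saddr, sport, client_isn, mss, now_t):
        # No TCB is allocated here: the SYN-ACK carries the cookie as the server ISN.
        return make_cookie(saddr, self.addr, sport, self.port, client_isn, mss, now_t)

    def on_ack(self, saddr, sport, seq, ack, now_t):
        mss = check_cookie(saddr, self.addr, sport, self.port, seq, ack, now_t)
        if mss is not None:
            self.established[(saddr, sport)] = mss
        return mss


def demo():
    srv = StatelessListener("192.0.2.10", 80)
    # Constructed flood: 10,000 spoofed SYNs each get a SYN-ACK but leave no state behind.
    for i in range(10_000):
        srv.on_syn(f"198.51.100.{i % 256}", 1024 + i, 0x1000 + i, 1460, now_t=7)
    state_after_flood = len(srv.established)
    # A legitimate client finishes the handshake one time slot later.
    isn = srv.on_syn("203.0.113.5", 40000, 12345, 1440, now_t=7)
    mss = srv.on_ack("203.0.113.5", 40000, seq=12346, ack=isn + 1, now_t=8)
    # A forged ACK with a guessed ISN is rejected without consuming any state.
    forged = srv.on_ack("203.0.113.9", 40001, seq=1, ack=0xDEADBEEF, now_t=8)
    return state_after_flood, mss, forged, len(srv.established)


if __name__ == "__main__":
    print(demo())  # (0, 1440, None, 1)
```

The price of statelessness is visible in the code: options that do not fit in the cookie (here everything but a coarse MSS) are lost, and the time-slot window bounds how long a client may take to complete the handshake.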
[...] packets sent to the server. So, once again, many defences cannot help protect against this type of attack.
1.4 IP Spoofing
A tactic used in dangerous attacks, especially DDoS, is IP spoofing, that is, forging IP addresses. In a normal network packet the header fields hold the IP address of the source machine and that of the destination machine. IP spoofing takes place when a malicious program builds its own packets and replaces the source IP address with some other IP address, by creating and configuring raw sockets, sockets whose contents are defined by the user. There are several levels of IP spoofing:
- Random IP spoofing: the program generates a random IPv4 address in the range 0.0.0.0 to 255.255.255.255. In some cases it will generate invalid IPv4 addresses, such as addresses in 192.168.0.0, the range reserved for private networks, multicast or broadcast addresses, or non-existent addresses (such as 0.1.2.3). In most cases, however, it generates a valid, routable IP address.
- Subnet spoofing: if a machine belongs to the network 192.168.1.0/24, it can easily [...]
[...] if the victim server does not have the appropriate protective settings. The attacker simply spoofs the victim's own address and sends a request packet, for example a TCP SYN; if the victim has no good filtering mechanism, it accepts the packet, allocates resources for the request and sends the reply back to itself. This leads to an endless loop inside the victim machine, between one side that needs a response and another side that never sends one. In practice, IP spoofing is not necessary for a successful DDoS attack, because the attacker can exhaust the victim's resources and processing capacity with a large volume of packets regardless of the source addresses. Nevertheless some attackers use IP spoofing for several reasons: to hide the addresses of the agents, and thereby better hide the addresses of the handler and of the attacker; or for distributed reflection attacks (DRDoS), currently the most powerful form of attack, in which the attacker spoofs the victim's IP address and asks a number of large servers to send legitimate replies to the victim server, so that the victim is attacked by large servers around the world and cannot possibly withstand it. IP spoofing also lets an attacker bypass the protection of some servers that record the addresses of regular clients and use them as a trusted list given priority access when under attack.
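An added example, not part of the thesis, of the ingress filtering (BCP 38 style) that blunts the spoofing levels described above at the network edge: a source is dropped if it is a bogon (private, multicast, broadcast or unallocated), if it claims to be the protected host itself, or if it is not within the prefixes assigned to the interface it arrived on. The interface-to-prefix table, the protected host and the sample packets are constructed for the example.

```python
"""BCP 38 style ingress source-address filter (added example; data is constructed)."""
import ipaddress

# Source ranges that should never appear on an Internet-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
)]

# Constructed table: the only source prefixes legitimately reachable via each interface.
INGRESS_PREFIXES = {
    "cust0": [ipaddress.ip_network("203.0.113.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed: the server this filter sits in front of.
PROTECTED_HOST = ipaddress.ip_address("192.0.2.10")


def classify_source(iface, src):
    """Return 'accept' or a 'drop: <reason>' verdict for a packet's source address."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGON_NETS):
        return "drop: bogon source (private, multicast, broadcast or unallocated)"
    if ip == PROTECTED_HOST:
        # Reflexive spoofing: a packet "from" the protected host arriving from outside.
        return "drop: source claims to be the protected host"
    if not any(ip in net for net in INGRESS_PREFIXES.get(iface, [])):
        # Random or subnet spoofing from a customer interface.
        return "drop: source not within the prefixes assigned to this interface"
    return "accept"


def filter_packets(packets):
    """packets: iterable of (interface, source, destination). Returns a verdict per packet."""
    return [classify_source(iface, src) for iface, src, _dst in packets]


# Constructed sample traffic, one line per spoofing case discussed in the text.
SAMPLE_PACKETS = [
    ("cust0", "203.0.113.7", "192.0.2.10"),     # honest customer
    ("cust0", "192.168.0.5", "192.0.2.10"),     # random spoof landing in private space
    ("cust0", "0.1.2.3", "192.0.2.10"),         # random spoof, non-existent address
    ("cust0", "224.0.0.1", "192.0.2.10"),       # random spoof, multicast
    ("cust0", "198.51.100.9", "192.0.2.10"),    # routable, but not cust0's prefix
    ("cust1", "198.51.100.9", "192.0.2.10"),    # same address on the right interface
    ("cust1", "198.51.100.200", "192.0.2.10"),  # subnet spoof: outside the /25
    ("cust1", "192.0.2.10", "192.0.2.10"),      # victim's own address (reflexive)
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(f"{pkt[0]:6} {pkt[1]:16} {verdict}")
```

Note what the filter cannot do: a packet spoofed to another address inside the same customer prefix passes, which is exactly why the text treats subnet spoofing as a separate level.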
[...] congestion, mitigating simple DoS attacks, tolerating faults, and keeping network nodes operating. Much research tries to tackle smaller sub-problems of this complex problem. Because of the sensitivity of network data and the complexity of the phenomenon, it is hard to fully understand the impact of DDoS. Many prototypes are tested in laboratory settings with no background or live traffic. Some assume that attack traffic is mostly spoofed, which is clearly wrong; others assume particular knowledge of the network topology, or access to a database that can tell whether traffic is DDoS or not. Others require significant modification of the Internet infrastructure, which may make it incompatible with current protocols and client applications, or is impractical for technical, policy or political reasons. This chapter discusses several research approaches that have been implemented and deployed.
[...] upstream, where the largest share of the aggregate traffic comes from. This mechanism works best against DDoS floods and flash crowds, since these share common characteristics, and it tries to handle them from the perspective of congestion control. Setting the rate limit too aggressively may throttle legitimate traffic as well, while setting it too leniently may let the attacker get through the protection. In general, pushback appears to require deployment models that reach the routers: the current approach cannot push a rate limit through a router that does not understand pushback. Pushback also requires routers to maintain per-flow state, an extra burden on the network infrastructure.
[...] the edge closest to the attacker, into the marking infrastructure. Savage's original proposal (August 2000) provided no authentication of the marks; a scheme adding authentication and integrity checking was later proposed by D. X. Song in March 2001 at IEEE INFOCOM 2001. Hash-based traceback, proposed by A. C. Snoeren in August 2001, requires participating routers to remember every packet passing through them, but only for a limited time. This makes it possible to trace single-packet attacks such as the "Ping of Death", but only if the query is made quickly. Source Path Isolation Engines (SPIE) remember packets by computing a hash over the invariant parts of the IP header, that is, excluding the fields that change in transit, such as TTL and checksum. To save space, weak hashes rather than strong cryptographic ones are used, implemented as Bloom filters. The passive taps need not reside inside the routers, although hardware designs that put them inside routers were discussed; the SPIE designers devised a way to place a passive tap on each router interface. Critics objected that one device per interface would be too expensive, so the SPIE device was extended into a SPIEDER with multiple connections, one per router interface. Although weak hashes allow errors (false positives), these are quickly weeded out, since different hash functions are applied at different routers with increasing distance from the victim. The victim initiates a traceback request through a separate (physical or virtual) network that connects the traceback managers, the data-generation agents and the routers. Because of the large traffic volume on backbone networks, the time between receiving an offending packet and requesting traceback must be a matter of minutes at most, depending on capacity and traffic load. A fourth traceback technique, proposed by D. Dean and his colleagues in February 2001, is an algebraic approach to the traceback problem. Like the method of Savage and colleagues at ACM SIGCOMM (August 2000), it embeds pieces of information in IP packets at the router level; the new scheme uses algebraic techniques to encode path information into packets and reconstruct it at the victim's site. The authors hope to gain more design flexibility, improvements in eliminating bogus information inserted by the attacker, and the ability to trace multiple paths.
PPM and the algebraic traceback proposal both rest on the following assumptions:
- Attackers may send any packets.
- Multiple attackers may act together.
- Attackers are aware that traceback programs are in operation.
- Attackers must send at least thousands of packets.
- Routes between hosts are generally stable, but packets may be reordered or lost.
- Routers cannot perform much computation per packet.
- Routers are assumed not to be compromised, but not all routers need to participate in traceback.
These assumptions clearly set these techniques apart from hash-based traceback, which needs fewer assumptions. D. Dean and colleagues discuss efficiency relative to Savage, with space requirements varying between 18 and 21 bits. In some cases they obtain slightly better results for path reconstruction, but the number of false reconstructions remains high. Besides packet marking, an out-of-packet (out-of-band) scheme similar to Bellovin's (August 2001) is proposed. The authors recognise that algorithmic improvements are needed and that further optimisations remain to be explored. The concept needs further refinement but could develop into a very promising one in the long run.
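As an added example (not code from the thesis or from the SPIE authors), the following Python simulation shows the hash-based traceback described in section 2.2: each router stores a digest of the hop-invariant header fields in a Bloom filter, and the victim later walks upstream asking each neighbour whether it saw the digest. The topology, the per-router hash seeds, the filter sizes and all traffic are constructed assumptions for the example.

```python
"""SPIE-style hash-based traceback (added example; topology and traffic constructed)."""
import hashlib
import ipaddress
import random
import struct
from collections import deque


def packet_digest(pkt):
    """Digest over header fields that stay constant end to end.
    TTL and the header checksum are deliberately excluded: they change at every hop."""
    invariant = struct.pack(
        "!4s4sHBB",
        ipaddress.IPv4Address(pkt["src"]).packed,
        ipaddress.IPv4Address(pkt["dst"]).packed,
        pkt["id"], pkt["proto"], pkt["frag"],
    ) + pkt["payload"][:8]          # SPIE also covers the first 8 payload bytes
    return hashlib.sha256(invariant).digest()


class BloomFilter:
    """Minimal Bloom filter. Each router seeds its hash functions differently, so a
    false positive at one router is unlikely to repeat at its neighbours."""

    def __init__(self, m_bits, k, seed):
        self.m, self.k, self.seed = m_bits, k, seed
        self.bits = bytearray(m_bits // 8)

    def _positions(self, digest):
        for i in range(self.k):
            h = hashlib.sha256(bytes([self.seed & 0xFF, i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, digest):
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, digest):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))


class Router:
    def __init__(self, name, neighbors, seed):
        self.name, self.neighbors = name, neighbors
        self.filter = BloomFilter(1 << 17, 3, seed)

    def forward(self, pkt):
        """Record the digest, then decrement TTL as a real router would."""
        self.filter.add(packet_digest(pkt))
        pkt["ttl"] -= 1


# Constructed topology: R1-R2-R3-R4, with off-path routers R5 (on R2) and R6 (on R3).
TOPOLOGY = {
    "R1": ["R2"], "R2": ["R1", "R3", "R5"], "R3": ["R2", "R4", "R6"],
    "R4": ["R3"], "R5": ["R2"], "R6": ["R3"],
}
ROUTERS = {n: Router(n, nb, seed=i + 1) for i, (n, nb) in enumerate(TOPOLOGY.items())}
ATTACK_PATH = ["R1", "R2", "R3", "R4"]     # attacker behind R1, victim behind R4


def send(pkt, path):
    for hop in path:
        ROUTERS[hop].forward(pkt)
    return pkt


def traceback(victim_router, digest):
    """Breadth-first walk upstream from the victim's router, following every
    neighbour whose filter claims to have seen the digest."""
    found, seen, queue = [victim_router], {victim_router}, deque([victim_router])
    while queue:
        cur = queue.popleft()
        for nb in ROUTERS[cur].neighbors:
            if nb not in seen and digest in ROUTERS[nb].filter:
                seen.add(nb)
                found.append(nb)
                queue.append(nb)
    return found


def run_scenario():
    rng = random.Random(2010)
    # Background traffic (constructed): 100 unrelated packets through every router.
    for name in ROUTERS:
        for _ in range(100):
            bg = {"src": f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}",
                  "dst": "192.0.2.10", "id": rng.randrange(65536), "proto": 17, "frag": 0,
                  "ttl": 64, "payload": bytes(rng.randrange(256) for _ in range(16))}
            ROUTERS[name].forward(bg)
    # The single offending packet, e.g. a "Ping of Death" style probe (constructed).
    attack = {"src": "198.51.100.23", "dst": "192.0.2.10", "id": 4242, "proto": 1,
              "frag": 0, "ttl": 64, "payload": b"\x08\x00" + b"A" * 14}
    digest_at_source = packet_digest(attack)
    send(attack, ATTACK_PATH)
    assert attack["ttl"] == 60                        # TTL changed on the way ...
    assert packet_digest(attack) == digest_at_source  # ... but the digest did not
    return [r for r in traceback("R4", digest_at_source) if r in ATTACK_PATH]


if __name__ == "__main__":
    print(run_scenario())  # ['R4', 'R3', 'R2', 'R1']
```

The query must come soon after the packet, as the text notes: a real SPIE router pages its filter out as traffic fills it, and the per-router seeds are what keep a single false positive from turning into a false path.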
[...] slows down suspicious traffic, and slows down the attack connections it perceives. The rate limit is dynamic and changes over time, based on observed attack signals and on restrictive policies for non-compliant traffic; less non-compliant traffic relaxes the restrictive policy. Like most research systems, D-WARD was tested with a home-grown set of DDoS benchmarks and, like most research systems, it performs well on those benchmarks. However, D-WARD also underwent several independent tests at the end of the DARPA FTN programme. These tests showed that D-WARD quickly detects attacks that create two-way traffic anomalies, such as heavy flooding attacks. D-WARD effectively controls all traffic, including attack traffic, and has low collateral damage in terms of false positives. It promptly restores normal operation when the attack ends. By rate-limiting attack traffic rather than blocking it, the system recovers quickly from false positives. By design, it stops attacks at the source network, so it requires wide deployment (covering a large fraction of the actual sources) to achieve the desired effect. Unless a penalty for hosting DDoS agents is imposed on source networks, this is not a system that network operators will be eager to deploy, since D-WARD brings no significant benefit to those who deploy it. It could, however, be integrated with other defence mechanisms (such as COSSACK in section 2.7) that call for action from the source network, providing selective responses to requests. In summary, D-WARD's strength lies in detecting and controlling attacks, assuming attack traffic differs sufficiently from normal traffic patterns. Because D-WARD selectively rate-limits traffic, it has low collateral damage and responds to attacks relatively quickly. On the other hand, attackers can still mount successful attacks from networks not equipped with the system.
[...] packets coming from "legitimate" clients or users. Several legitimacy tests are applied to the client: for example, a ping (ICMP Echo) test packet is sent to see whether a real client is behind the packets received by the target server, and there is also a Reverse Turing Test to tell humans and machines apart. The reader may recognise this as the test used when registering an e-mail account on Yahoo's e-mail service: the client is asked to type a word or phrase shown distorted, on a background image that makes it hard to read, a test that normally only a human can pass, not a machine or an automated program. If the test is passed, showing that the user is legitimate, the request to the target server is allowed to continue; otherwise NetBouncer terminates the connection. An interactive example of a Reverse Turing Test can be found on the CAPTCHA page at http://www.captcha.net/. Once clients have proved that they are legitimate, they are added to the list of legitimate clients and given preference over clients that have not yet proved legitimacy. This list is managed using quality-of-service management techniques that ensure a fair share of resources among all legitimate clients. To prevent an attack from inheriting the credentials of a legitimate client, legitimacy expires after a certain time and must be re-established using the same test or one of several other tests. Does this approach work? It can defeat many spoofing attacks, because the challenge tests must reach the true origin of the packets for the transaction to complete. The available network resources are shared fairly among clients that have proved their legitimacy. However, NetBouncer assumes certain client properties, such as the ability to answer pings (used to test for the presence of a client), that not all clients support, especially those behind firewalls or DSL routers with additional security features enabled. Even though the client is legitimate, the system is not protected against impersonation attacks: an attacker can take advantage of the fact that a legitimate client has done all the work needed to prove its legitimacy to NetBouncer and then attack the network by spoofing the legitimate client's IP address. Also, the system is not immune to resource exhaustion by a large number of legitimate clients. Furthermore, like all target-side defences, it can be overwhelmed by the sheer volume of packets on the incoming link. Like all good DDoS defences, NetBouncer has its advantages and limitations. On the positive side, it appears to provide good service to legitimate clients in most cases. Because it sits inline on the network, with no visible presence on the network, like a network bridge, it requires no modification of servers or clients on the protected network or of the servers connected to it. It is deployed near the victim and needs no cooperation with other NetBouncers. On the negative side, attackers can mount successful attacks on the victim/target by impersonating legitimate clients or by recruiting a large number of agents, both of which are easy to achieve, through spoofing and recruitment respectively. In addition, NetBouncer makes certain assumptions about legitimate clients that are not always shared by all clients and will therefore exclude some of them from access to the protected resources. The legitimacy tests place a significant burden on NetBouncer itself and can exhaust the resources of the protection mechanism.
[...] in practice the TCP/IP protocol implementations at both ends (client and server) must be modified for this method to work. This defence does not address problems such as distributed attacks in which the attacker generates requests that exhaust server resources, attacks that exhaust the resources devoted to generating puzzles, or attacks that consume the bandwidth of the network link leading to the server.
[...] legitimate. As long as it obeys the rate limit imposed by the classifier, this traffic will not harm the victim. In summary, DefCOM is designed to detect illegitimate traffic at the target, rate-limit it in the core, and stop suspicious or attack traffic at the source network. Using D-WARD as its initial classifier, DefCOM also extends further into the core to handle attacks from networks not equipped with nodes that classify illegitimate traffic. DefCOM handles floods while causing little or no disruption to legitimate traffic. Thanks to its overlay nature and peer-to-peer architecture, DefCOM is a scalable solution that does not need contiguous deployment, but it does require broader deployment than a victim-side defence. On the downside, handling compromised or failed nodes in the overlay can be quite difficult, and DefCOM is likely to perform badly if this is not handled.
[...] filtering among the controllers does not scale, since they use multicast communication.
[...] unlike other approaches, this scheme does not require an overlay mechanism, but it does require modification of clients and servers, and of routers as well. Clients use a handshake protocol to exchange capabilities, after which privileged traffic gets fast handling from the network, in contrast to unprivileged traffic, which receives no priority. Provisions are in place to prevent flooding with privileged traffic by an unauthorised party, for example by someone trying to forge capabilities (which are implemented as markings in each packet). If a client holding capabilities starts flooding, its capabilities for privileged traffic can be revoked. The authors of this mechanism propose two paths: one for a next-generation Internet incorporating these techniques, and one for the current network protocol, IPv4. It is still unclear whether these paths will prove effective. In summary, this technique also accepts many assumptions, among them that clients and servers update their TCP/IP software to incorporate the modifications required for the new capabilities. An advantage is that no intra-ISP or inter-ISP cooperation is needed. However, it also assumes that spoofing is limited, and processing and state maintenance are required at each router. The new network protocol requires marking space in the IP packet header, cooperation of clients and servers, marking of packets by every router, and stable routes between hosts. These assumptions are quite restrictive compared with what can happen in a real network.
This system forms its estimates starting from the observed TTL value and guessing the initial TTL value set in the packet by the sender. Only a few such values are used by operating systems, and they differ widely, which makes an accurate guess possible. The hop count is then computed as the difference between the initial TTL and the observed value. Hop counts roughly follow a normal (bell-curve) distribution, with a corresponding variation in TTL values. If an attacker wants to get through, he would have to guess the correct TTL value to insert into a spoofed packet so that the inferred hop count matches the expected value. Spoofing becomes harder, because the attacker must now forge the exact TTL value associated with the spoofed source address and, with the hop-count difference between the attacker and the spoofed address working against him, malicious traffic becomes an easier pattern to pick out. In normal operation the hop-count filter is passive: it analyses traffic and compares it against the tables of hop-count mappings it has built. If the number of mismatches exceeds an established threshold, the program starts filtering. The mappings are updated continuously by checking random TCP connections to a site in the protected network. Note that this scheme attempts to stop spoofed traffic; nothing prevents an attacker from launching an attack from real sources carrying correct TTL values, so DDoS attacks using large botnets or worms, which need no source-address spoofing to succeed, remain a problem. Since such attacks are easy today, attackers need only switch away from source-address spoofing to get past this defence. Like other victim-side defences, this method cannot help against large-scale attacks that flood the link leading to the machine that checks the TTL values.
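An added Python example, not code from the thesis or from the HCF authors, of the hop-count filter just described: the initial TTL is inferred from the observed value, the hop count derived from it is compared with a mapping learnt from completed TCP handshakes, and the filter stays passive until the mismatch rate crosses a threshold. The initial-TTL table, the thresholds, the addresses and the traffic are assumptions constructed for the example, and the last packet in the simulation shows the evasion caveat from the text.

```python
"""Hop-count filtering (added example; mappings and traffic are constructed)."""
from collections import deque

INITIAL_TTLS = (32, 64, 128, 255)   # defaults used by common operating systems


def infer_initial_ttl(observed):
    """Smallest common initial TTL that is not below the observed value."""
    for init in INITIAL_TTLS:
        if observed <= init:
            return init
    raise ValueError(f"TTL {observed} out of range")


def hop_count(observed_ttl):
    return infer_initial_ttl(observed_ttl) - observed_ttl


class HopCountFilter:
    def __init__(self, threshold=0.2, window=100):
        self.table = {}                     # source IP -> expected hop count
        self.recent = deque(maxlen=window)  # 1 per mismatch, 0 per match
        self.threshold = threshold
        self.filtering = False              # passive until mismatches pile up

    def learn(self, src, observed_ttl):
        """Called only for connections that completed the three-way handshake,
        so a spoofer cannot poison the table."""
        self.table[src] = hop_count(observed_ttl)

    def mismatch_rate(self):
        return sum(self.recent) / len(self.recent) if self.recent else 0.0

    def inspect(self, src, observed_ttl):
        expected = self.table.get(src)
        if expected is None:
            return "pass: unknown source"   # HCF can judge only addresses it has mapped
        mismatch = hop_count(observed_ttl) != expected
        self.recent.append(1 if mismatch else 0)
        self.filtering = self.mismatch_rate() > self.threshold
        if mismatch and self.filtering:
            return "drop: hop count mismatch"
        if mismatch:
            return "alert: hop count mismatch (passive mode)"
        return "pass"


def simulate():
    hcf = HopCountFilter(threshold=0.2, window=20)
    # Mappings learnt earlier from real handshakes (constructed):
    hcf.learn("203.0.113.4", 58)     # TTL 64 on send, 58 on arrival: 6 hops away
    hcf.learn("198.51.100.77", 116)  # TTL 128 on send, 116 on arrival: 12 hops away
    verdicts = []
    # Normal traffic from the first host.
    verdicts += [hcf.inspect("203.0.113.4", 58) for _ in range(5)]
    # Spoofed flood claiming that host's address, sent by an attacker 9 hops away
    # whose OS default TTL is 128: the packets arrive with TTL 119, i.e. 9 hops.
    verdicts += [hcf.inspect("203.0.113.4", 119) for _ in range(10)]
    # Both real hosts are still served while filtering is active.
    verdicts.append(hcf.inspect("203.0.113.4", 58))
    verdicts.append(hcf.inspect("198.51.100.77", 116))
    # A source with no mapping cannot be judged at all.
    verdicts.append(hcf.inspect("192.0.2.200", 50))
    # Caveat from the text: an attacker who knows the spoofed host is 6 hops away
    # can send with initial TTL 58 + 9 = 67 so the packet arrives with TTL 58
    # and is indistinguishable from the real host's traffic.
    verdicts.append(hcf.inspect("203.0.113.4", 58))
    return verdicts


if __name__ == "__main__":
    for v in simulate():
        print(v)
```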
Trong mng Chord, mi node c cp pht mt nh danh ID thng qua mt hm bm nht qun trong khong [0, 2m] vi mt gi tr m nh trc. Cc node trong mng bao ph c sp xp th t theo nh danh ca chng, v c t chc theo vng, thun chiu kim ng h.
Figure 1: Routing in Chord [14].

Each node maintains a table called the finger table, which holds the identifiers of m nodes in the overlay. The i-th entry in the finger table of the node with identifier x is the node with the smallest identifier greater than or equal to x + 2^(i-1) (mod 2^m), as shown in the figure. When node x receives a packet destined for the node with identifier y, it forwards the packet to the node in its finger table with the largest identifier that is still smaller than y. As in the figure, if the node with identifier 7 receives a packet whose destination has identifier 18, the packet is routed from node 7 to node 16 and then to node 17. When the packet reaches node 17, the next node in the overlay is node 22, so node 17 knows that node 22 is the node responsible for identifier 20. Thus Chord's routing algorithm delivers a packet to its destination node through about O(m) nodes.
Chord is a good solution for a great many problems: load balancing, decentralization, flexibility and scalability. It also copes well with nodes joining and leaving the network frequently.
In this architecture, a client's request from the source point enters the overlay through a node called a SOAP (Secure Overlay Access Point). By the nature of SOS, this node is responsible for checking whether the user is legitimate, through an authentication mechanism such as a login. Once the user is authenticated, the request is forwarded across the overlay. The overlay acts as a distributed firewall; it is built on the Chord protocol, with structured routing over a distributed hash table (DHT). The Chord protocol is described in the next section. Within the overlay, a node can play one of the following roles:
- SOAP (Secure Overlay Access Point): the access points for clients.
- Secret Servlet: special nodes; only connections originating from these nodes are accepted by the target server.
- Beacon: special nodes in the overlay because they know the location of the secret servlets, thanks to the periodic notifications the secret servlets send to them.
- Overlay Node: all other ordinary nodes in the network.
After the SOAP has authenticated the user, it takes the target server's address from the request packet and applies Chord's hash function to it to obtain a hash value. This hash value identifies the location of a Beacon, and the SOAP forwards the user's request to that Beacon. When the Beacon receives the packet, it reads the target server's address again and forwards the packet to the Secret Servlet of that server. The Secret Servlet, on receiving the packet from the Beacon, in turn forwards it to the corresponding target server. The question is how the Beacon knows the address of the Secret Servlet associated with a target server. This is done periodically: the Secret Servlets of a target server apply Chord's hash function to the server's address, obtain the hash value and thereby learn the location of the Beacon that needs to know about them. They then send a notification to that Beacon, which thus learns which Secret Servlet serves a given target server. As for the target servers, their mechanism is to install a filter at the nearest router, select a number of nodes in the SOS overlay as their Secret Servlets, and allow connections to be forwarded through the filters to the target server. The routers around the target server are likewise configured to accept only connections from its Servlets.
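The Chord finger-table routing described earlier and the SOS beacon lookup just described, as one added simulation that is not code from the thesis or from the SOS/WebSOS projects; the identifier size M, the node identifiers, the servlet choice and the target address are constructed assumptions.

```python
# Added example (not from the thesis or the SOS/WebSOS code): a simulation of the
# Chord finger tables and routing described in the Chord section, and of the SOS
# beacon lookup, in which servlets and SOAPs both hash the target server's address
# with Chord's hash to locate the beacon. The identifier size M, the node ids and
# the target address are constructed assumptions.
import hashlib
from typing import Dict, List, Set

M = 5              # identifiers live in [0, 2^M)
RING = 1 << M


def in_arc(x: int, a: int, b: int) -> bool:
    """True if x lies on the clockwise arc (a, b] of the ring (wrap-around aware)."""
    if a < b:
        return a < x <= b
    return x > a or x <= b


class ChordRing:
    def __init__(self, node_ids: List[int]):
        self.nodes = sorted(set(node_ids))

    def successor(self, key: int) -> int:
        """Smallest node id >= key (mod 2^M), wrapping round to the first node."""
        key %= RING
        return next((n for n in self.nodes if n >= key), self.nodes[0])

    def finger_table(self, x: int) -> List[int]:
        """Entry i (1-based) is successor(x + 2^(i-1) mod 2^M), as defined above."""
        return [self.successor(x + (1 << (i - 1))) for i in range(1, M + 1)]

    def route(self, start: int, key: int) -> List[int]:
        """Nodes a packet for `key` visits: each hop forwards to the finger with the
        largest id still before `key`, until `key` falls in (cur, successor(cur)]."""
        key %= RING
        path, cur = [start], start
        while cur != key:
            succ = self.successor(cur + 1)
            if in_arc(key, cur, succ):
                path.append(succ)
                break
            # closest preceding finger: the last table entry inside (cur, key]
            cur = next(f for f in reversed(self.finger_table(cur)) if in_arc(f, cur, key))
            path.append(cur)
        return path


def chord_key(name: str) -> int:
    """Consistent hash of a name (here the target server's address) into the ring."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big") % RING


class SOSOverlay:
    """Beacon discovery: the node responsible for chord_key(target) is the beacon."""

    def __init__(self, ring: ChordRing):
        self.ring = ring
        self.known: Dict[int, Dict[str, Set[int]]] = {}   # beacon -> target -> servlets

    def servlet_announce(self, servlet: int, target: str) -> int:
        """Periodic notice from a secret servlet to the beacon responsible for `target`."""
        beacon = self.ring.successor(chord_key(target))
        self.known.setdefault(beacon, {}).setdefault(target, set()).add(servlet)
        return beacon

    def soap_forward(self, soap: int, target: str) -> List[int]:
        """Path of an authenticated request: SOAP -> overlay hops -> beacon -> servlet."""
        path = self.ring.route(soap, chord_key(target))
        servlets = self.known.get(path[-1], {}).get(target)
        if not servlets:
            raise LookupError(f"beacon {path[-1]} has no servlet notice for {target}")
        return path + [min(servlets)]


def demo() -> dict:
    ring = ChordRing([1, 7, 16, 17, 22, 28])      # constructed ring, M = 5
    sos = SOSOverlay(ring)
    target = "www.example.test"                    # constructed target address
    beacon = sos.servlet_announce(28, target)      # node 28 acts as secret servlet
    return {"fingers_7": ring.finger_table(7), "route_7_to_18": ring.route(7, 18),
            "beacon": beacon, "request_path": sos.soap_forward(7, target)}
```

With the constructed ring, a packet from node 7 for identifier 18 follows 7, 16, 17, 22, the hops the Chord section walks through; a request for a target whose servlet has not announced itself fails at the beacon with a LookupError.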
With such a proposed architecture, SOS is expected to become a new and powerful approach to proactive defense against denial-of-service attacks.
connect directly to the target server without going through the WebSOS overlay. Only when the system is under attack do the high-quality routers, fitted with IP address filters, filter and reject connections coming from outside to the target servers; only the Secret Servlets are then allowed to reach these servers, the WebSOS overlay truly starts operating, and users who want to reach the target server must connect through this overlay. The SOAPs run a web server that generates a CAPTCHA test and uses it to authenticate legitimate users. The same SOAP web servers also host the applets, so that after passing the CAPTCHA test users can download and run the proxy applet.
Figure 3: Testing the visitor with a CAPTCHA. The test keyword in this case is zbyc.
The filtering ring around the target server consists of powerful routers with IP filters installed, able to filter every connection to the server for the duration of an attack and to let only connections from the Secret Servlets reach the target server.
3.3.3 The WebSOS mechanism
3.3.3.1 General mechanism
Connecting through the WebSOS overlay proceeds as shown in the figure:
Figure 4: User access and authentication in WebSOS [6].

First, the user must know a SOAP and access it. This SOAP runs a web server that performs the CAPTCHA check, or Graphic Turing Test (GTT), to confirm that the access is carried out by a human. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a program that can generate a test most humans can pass while automated programs cannot. In WebSOS the CAPTCHA is generated by the GIMPY program. When the visitor passes the GTT, the SOAP issues the user a short-lived X.509 certificate that encodes the visitor's IP address and serves as the credential for accessing the web service; this prevents the certificate from being reused by an agent at a different IP address to attack. The SOAP then asks the user to run a proxy applet (a signed applet) in the browser, which connects to the target server through that proxy applet by establishing an SSL connection to the SOAP. The SOAP accepts this connection and forwards it across the overlay to the appropriate Beacon, which forwards it to the Secret Servlet. From the Secret Servlet the request passes through the filtering ring to the target server. The router in the filtering ring sees that the Secret Servlet's IP is legitimate and admits the connection to the server. This makes the user's connection secure, but it also lengthens the route, introducing some latency.
3.3.3.2 Routing mechanism
In the WebSOS model, traffic from a source to the target server traverses the nodes in the order: source, SOAP, Beacon, Servlet and target server. Ordinary routing is used for the user to reach the SOAP. Moreover, since the Beacon knows the specific Servlets associated with each server, and the Servlet knows the server's location, ordinary routing is also used between Beacon and Servlet and between Servlet and target server. Between the SOAP and the Beacon, however, the overlay's routing mechanism is used. To shorten the route between them, and thereby the total route from source to target server, the Chord algorithm is used in this case. In the original SOS model, the path established from the user to the target server through the overlay may differ from the reverse path from the target server to the user. Moreover, the response from the target server can be sent directly to the user without passing back through the overlay, because the communication channels are full-duplex and in DDoS attacks only the connections towards the target servers are congested. This approach has considerable advantages in reducing network latency, since most client/server connections today are asymmetric: clients typically receive far more in responses than they send in requests. In WebSOS, routing is performed per connection. Each subsequent request within the same connection, and the responses from the target server, may follow the reverse path through the overlay. While this makes the implementation simple, it also raises latency considerably, because most responses traverse the overlay over many hops rather than going directly to the client to shorten the overlay path.

3.3.4 Protection mechanism
The protection mechanism assumes that the attacker is not strong enough to overwhelm the filtering ring around the target servers with flooding, nor strong enough to overwhelm all the SOAPs in the overlay. When no attack is in progress, customers, as well as automated processes such as Google's indexing crawler, can access the website directly like any other website. At the first signs of a distributed denial-of-service attack, the filtering ring around the web servers is activated and all connections to the website are discarded except those from the Servlets associated with the target web servers. The damage of a denial-of-service attack aimed directly at the target servers is thereby cut to a minimum by these powerful filters. An attacker who wants to keep harming the website is left with connecting to the target servers through the overlay to carry out the attack. On connecting to the overlay, through the modern Graphic Turing Test, human traffic is accurately separated from that of automated programs, because modern CAPTCHA programs are designed so that automatic text-recognition programs cannot solve them reliably. The attacker's malicious programs are therefore contained and cannot reach the target server to send harmful packets. In addition, WebSOS uses SSL over every hop in the overlay to authenticate the previous hop, so that an attacker who discovers some nodes of the WebSOS overlay cannot impersonate them. Given that the time cost of creating and verifying certificates and of encrypting with the RC4 algorithm is very small (as Section 4 will show), the overlay nodes need no additional special functionality, and a customer simply needs to be issued a suitable certificate by the WebSOS administration. Furthermore, to keep an attacker from using IP spoofing to send attack packets to the target server with a source IP matching that of a Servlet, WebSOS proposes the GRE (Generic Routing Encapsulation) mechanism of Farinacci and colleagues, March 2000, and Dommety, September 2000. With it, an attacker who wants to impersonate a Secret Servlet must guess not only the Servlet's IP but also the GRE key value. With a complex key, impersonating a Servlet becomes extremely difficult for the attacker. Finally, even if the attacker did manage to impersonate a few Servlets, the target server, by analysing the packets arriving in bulk from those few Servlets, can simply choose a new set of Servlets for itself, notify them and update the router filters.

Summary: We have thus built the WebSOS architecture for protecting websites from the effects of denial-of-service attacks. The architecture is deployed through its main operations: confirming legitimate users via the Graphic Turing Test, establishing an SSL connection via a proxy applet across the overlay to a Servlet, and from the Servlet through the filtering ring to the target server.
35
The CAPTCHA module is installed on the Xampp web server. The Secure Tunnel Proxylet module is written in Java. The Communication Control Module and the Overlay Network (Chord) module are written in Java and C, respectively. The website to be protected is a machine running the Xampp web server.
Table 1: Latency measured when connecting to a number of web pages.

It can be seen that the latency here is multiplied by 2 or 3, which is acceptable for a website that is under a denial-of-service attack. Because routing through the nodes was performed manually here, the delay of running the Chord routing algorithm is omitted. Besides the routing delay there is also the delay of issuing and verifying keys over the SSL connection. Measurements of 1024-bit RSA key verification time were made by Stavrou and colleagues [6] on a 3 GHz Pentium IV Linux machine using the OpenSSL library v0.9.7c. They show that the time spent authenticating a user is very small; assuming each authentication key expires after 30 minutes, the calculation shows that each node can authenticate 18 million users per hour, even without hardware acceleration.
These measurements show that, although latency is WebSOS's biggest problem, the latency produced in the experiments is acceptable. Given that customers can access the website directly when no attack is in progress and the WebSOS overlay is only activated during an attack, such latency is acceptable for wide deployment.
- Data-integrity attack: a data-integrity attack can take place on the request channel, by dropping packets, or on an established channel. When the compromised node drops packets on the request channel, the user sees that he cannot connect to the server. When the compromised node attacks data integrity on an established channel, this kind of attack can be detected by the improved solution, or the user-side application itself can notice it through incorrect data being returned, or through authentication, so that it can switch to another SOAP.
- Packet-dropping attack: dropping the connection-setup packets prevents the user from connecting to the server through that node. Looking deeper at this case, on an established channel the attacker can drop the packets exchanged between the legitimate user and the server. As with the data-integrity attack, this kind of attack can be detected by the improved solution, or the user application can notice it through the connection being interrupted or through the application's low throughput.
- Packet-flooding attack: a compromised node can take part in a flooding attack on the target server by flooding the Servlet with packets.
(*) If probe > 3, switch the client to another SOAP and reset the variables to their defaults.
If numD >= 3, switch the client to another SOAP and reset the variables to their defaults.
Send the request data.
Send a probeRequest after a random interval and increase probe by 1.
If drop == true, increase numD by 1.
Set drop = true.
If the number of successful connections numS > 7, set numS = 0 and numD = 0.
If response data is received, increase numS by 1 and reset drop = false.
If the response is a probeResponse, set probe = 0 and numD = 0.
Return to (*).
- Proposed improvement at the target server: if the received request is a probeRequest, process it and send back a probeResponse.
Thus, according to the pseudocode, the proxylet running on the client checks whether, out of every 10 requests sent, as many as 3 receive no response; if so, the proxylet treats it as a packet-dropping attack and automatically switches the SOAP through which it connects to the server. In addition, after a random interval the proxylet on the client sends a probeRequest to the target server. If the client does not receive a matching probeResponse, it increments the value numD. When numD >= 3, the proxylet switches the client to another SOAP, resets numD = 0 and continues. If a matching probeResponse is received, the proxylet records that there is no packet-dropping attack, the variables are reset and the process starts again from the beginning.
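The two client-side rules of the pseudocode above (consecutive unanswered probes, and 3 unanswered requests out of 10), together with the server-side probeResponse, as an added simulation that is not the thesis's Java proxylet; the SOAP names, the limits and the drop patterns of the compromised node are constructed assumptions.

```python
# Added example (not the thesis's Java proxylet): the two client-side detection
# rules from the pseudocode above, plus the server-side probeResponse. Delivery
# through a SOAP is abstracted to a callback so a compromised overlay node can be
# modelled by dropping packets; SOAP names, limits and drop patterns are assumed.
import itertools
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PROBE_LIMIT = 3   # consecutive probeRequests without a probeResponse -> switch SOAP
DROP_LIMIT = 3    # unanswered ordinary requests ...
WINDOW = 10       # ... within this many requests -> switch SOAP
PROBE_REQUEST, PROBE_RESPONSE = "probeRequest", "probeResponse"


def target_server(request: str) -> str:
    """Server-side change: answer a probeRequest with probeResponse, serve the rest."""
    return PROBE_RESPONSE if request == PROBE_REQUEST else "200 OK " + request


@dataclass
class Proxylet:
    soaps: List[str]                        # SOAP list the proxylet read from its SOAP
    delivers: Callable[[str, str], bool]    # (soap, packet) -> did it get through?
    current: int = 0
    probe: int = 0                          # unanswered probes in a row
    num_d: int = 0                          # unanswered requests in this window
    sent: int = 0                           # requests sent in this window
    switches: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def soap(self) -> str:
        return self.soaps[self.current]

    def _switch_soap(self, reason: str) -> None:
        """Move to the next SOAP (a new overlay path) and reset every counter."""
        self.current = (self.current + 1) % len(self.soaps)
        self.probe = self.num_d = self.sent = 0
        self.switches.append((self.soap, reason))

    def _exchange(self, packet: str) -> Optional[str]:
        """Send via the current SOAP; None models a drop (timeout) in either direction."""
        if not self.delivers(self.soap, packet):
            return None
        reply = target_server(packet)
        return reply if self.delivers(self.soap, reply) else None

    def request(self, url: str) -> Optional[str]:
        """Ordinary request: DROP_LIMIT unanswered within WINDOW requests -> switch."""
        response = self._exchange(url)
        self.sent += 1
        if response is None:
            self.num_d += 1
        if self.num_d >= DROP_LIMIT:
            self._switch_soap(f"{DROP_LIMIT} of {WINDOW} requests unanswered")
        elif self.sent >= WINDOW:
            self.sent = self.num_d = 0      # start a fresh window
        return response

    def probe_server(self) -> bool:
        """Periodic probeRequest: PROBE_LIMIT misses in a row -> switch."""
        if self._exchange(PROBE_REQUEST) == PROBE_RESPONSE:
            self.probe = 0
            return True
        self.probe += 1
        if self.probe >= PROBE_LIMIT:
            self._switch_soap(f"{PROBE_LIMIT} probes unanswered")
        return False


def scenario_1():
    """Constructed: the path via soap-A holds a node that drops every packet."""
    p = Proxylet(["soap-A", "soap-B"], lambda soap, pkt: soap != "soap-A")
    for _ in range(PROBE_LIMIT):
        p.probe_server()                    # the third miss triggers the switch
    return p.switches, p.request("/index.htm")


def scenario_2():
    """Constructed: via soap-A probes pass but only every fifth ordinary
    response survives, so only the request-counting rule can detect it."""
    n = itertools.count()
    def delivers(soap: str, pkt: str) -> bool:
        if soap != "soap-A" or not pkt.startswith("200 OK"):
            return True
        return next(n) % 5 == 0
    p = Proxylet(["soap-A", "soap-B"], delivers)
    responses = [p.request(f"/page{i}.htm") for i in range(5)]
    return p.switches, responses
```

In scenario 1 the third unanswered probe moves the client to soap-B and the next request succeeds; in scenario 2 the probes never fail, so the switch happens only after the third unanswered request, which is the worst case described for scenario 2.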
To implement the proposal, we change how the proxylet operates so that it periodically sends a probe packet to the server and then waits for the probe reply. If the reply is wrong, or no probe reply arrives, a preset variable is incremented; when it reaches a predetermined value, the proxylet automatically connects to another SOAP to guarantee the user's access. In addition, when a user request receives no reply from the server, the variable is likewise incremented towards that preset value. When the proxylet connects to another SOAP, the variable is reset to 0. After experimenting with the system, I found the mechanism clearly effective: in the cases where no probe reply arrived, where the replies from the server were dropped, and even where the channel was kept open for the probe/probe-reply packets while other packets were dropped, the mechanism could still detect and handle the attack by switching SOAP. The list of alternative SOAPs is stored at each SOAP, read by the proxylet and kept in an array used to switch to another SOAP when a packet-dropping attack is detected.
- Scenario 2: As in scenario 1, but the attacking node does not drop every packet. We assume either an attacker sophisticated enough to recognize the probeRequest and probeResponse packets however well we hide them in the outgoing packets, or one who drops only a large share of the packets received from the server, letting a few through to deceive the user into believing the connection to the server still works, albeit very slowly, so that by chance the packets carrying probeRequest and probeResponse are never dropped, or at least not 3 probeResponse packets in a row. In scenario 2, then, the proposed probeRequest/probeResponse mechanism is neutralized, and we have to find another way to detect that packets are being dropped in large numbers, to recognize the attack by a malicious node and switch the client to another SOAP.
4.3.3.2 Experimental results
4.3.3.2.1 With the original program
When the test scenario was run with the original WebSOS program, what was visible on the user's client side was that request packets were sent normally, so the browser kept waiting for response packets while none arrived at all. The page kept showing "Waiting for http://....", but the result page could not be loaded. After 20 seconds without a response (per the custom setSoTimeout setting in the program code), the browser reported "Internet Explorer cannot display the webpage".
Figure 5: The test scenario run with the original program. Clients cannot receive responses when a compromised node on the routing path to the server carries out a packet-dropping attack.

The inevitable result of running the scenario with the original WebSOS program is that the browser at the client cannot receive responses from the target server, i.e. legitimate users cannot connect to the target server when the routing path from client to target server contains a compromised node performing a packet-dropping attack. In scenario 2, since most packets are dropped, the user likewise can hardly connect to the server.

4.3.3.2.2 With the improved program
- Scenario 1: When test scenario 1 was run with the improved program, what happened initially was no different from the original program: the browser could not receive a response from the server and the page kept showing "Waiting for http://...." with nothing else happening. After a while, however, about 14 seconds, the page loaded normally and the user gained access. Subsequent requests behaved normally, without the long loading of the first access.
Figure 6: Test scenario 1 run with the improved program. After 14 seconds of loading in the worst case (12 seconds for the mechanism to act), the browser can load the page. For later requests the browser sends and receives normally.

With test scenario 2, in the worst case three requests fail and from the fourth onwards the browser again sends and receives normally. The reason is the proposed mechanism: while requests are sent to the server, a probeRequest is also sent to the server every 3 seconds (the interval between probeRequests is adjustable), and after 3 consecutive unsuccessful probeRequests the proxy applet automatically switches SOAP, which changes the routing path from client to target server. Since the path no longer passes through the compromised node, the attack no longer has any effect. At the same time the proxy applet automatically resends the request through the new SOAP and receives the response, so the page loads successfully after the time spent waiting for the unanswered probeResponses. And since the SOAP has been switched to a new routing path, later requests also proceed normally, with no further missing responses at the browser. It should be stressed that the above is the worst case, where a new user's routing path runs into a malicious node from the start. In the better case, a node on the routing path is compromised and starts attacking while the user is already browsing. Since probeRequests and probeResponses are still being sent, and the dropped ones are not received, after about 12 seconds (the fourth probeRequest) the proxy applet recognizes the malicious node and switches SOAP. During this time the user may not yet have moved to another page on the website, for instance while reading an article, so the user will not perceive that the SOAP was changed and notices no delay when moving to the next page.
- Scenario 2: When the second scenario was run with the improved program, what happened was that the user loading a page either could not connect to it, or the page lost too many of its parts because a large number of packets were dropped. Because we assume the probeRequest/probeResponse mechanism is neutralized, either because the attacking node happens never to drop 3 consecutive probe packets, or because the attacker is sophisticated enough to let the probe packets through despite our efforts to hide them, we need a solution for this scenario. The solution proposed is to count the number of request packets that get no response. We set a ratio: when as many as 3 out of 10 request packets receive no response (this ratio can be adjusted to suit each network), the proxy applet also treats it as a packet-dropping attack and switches the client to another SOAP. In this case the user therefore has a harder time, because the mechanism counts unanswered requests, so the user must make three requests to the server without getting the page loaded. From the fourth onwards the user can browse normally, because the proxy applet has switched SOAP and the user is no longer subject to the packet-dropping attack by the malicious node. In the better case, when the user requests a page and the response to the first request is not dropped, then, since a page usually has many components, the browser automatically sends a large number of further requests to download these components. The attack then only makes the page appear to be missing many components; by the next page, however, the proxy applet has recognized the malicious node and switched SOAP, and the user is again comfortable and browses the website normally.
Figure 7: Average request time of the programs to several web pages (series: Direct; pages: news4st_test, test_local, google.com). All programs were run with a 3-node overlay.
Evaluating the performance of the improved program against the original by comparing access times under attack in scenarios 1 and 2 gives the following results:

Address              Direct (s)   Original version (both scenarios)
news4st.htm_local    0.48         No connection
test.htm_local       0.84         No connection
www.google.com       1.42         No connection
Figure 8: Average request time of the programs to several web pages when run under scenarios 1 and 2 (series: Direct, Improved_scenario 1, Improved_scenario 2; pages: news4st_test, test_local, google.com). With the original version the result is always no connection. The overlay consists of 3 nodes. In scenario 1 the detection and switching mechanism takes 12 seconds. In scenario 2 requests succeed only from the fourth attempt onwards.

The measurements clearly show the helplessness of the original architecture: 100% of the trials could not connect when a node in the overlay was compromised and attacking the system. The improved mechanism shows an acceptable result, very promising for deployment.
Chapter 5: CONCLUSION
Through the period of research on defending against denial-of-service attacks, and in particular through carrying out the graduation thesis topic "Defending against distributed denial-of-service attacks on websites", I have acquired the techniques for defending against denial-of-service attacks and knowledge of overlay networks, and from there built and deployed the WebSOS architecture to limit denial-of-service attacks against website targets. The main results I have achieved, as well as the results I aim for, can be summarized as follows:
5.1 Results achieved
- Built the WebSOS architecture, capable of robustly resisting denial-of-service attacks. The system lets users access the website directly and is activated only when the website is under a denial-of-service attack. With a strong IP filtering ring, a thorough user-authentication mechanism and the hiding of the secret Servlets, the target server is very well isolated and protected from the attack.
- Carried out experiments showing that the latency of the denial-of-service defense system is acceptable, with high deployability and scalability for public web servers.
- Improved the system by assuming that one or a few nodes of the overlay may be compromised and attack the system by packet dropping or data-integrity attacks, preventing legitimate users from accessing it. The improvement proved clearly effective and transparent to users, who remain comfortable even while the system is under attack.
5.2 Future work
- Address the latency of the overlay architecture, by building asymmetric paths or by sending responses directly from the target server to the client.
- Within the proposed improvement, the assumption is that a node in the overlay may be compromised and become a source of attack. The mechanism proposed is quite effective when the node performs a packet-dropping attack. But since an overlay node is assumed compromisable, it could also take part in another dangerous attack: packet flooding. Building an effective mechanism to detect and remove compromised nodes in the overlay is the goal to aim for.
[1] S. T. Kent and W. T. Strayer, "Hash-Based IP Traceback," Proceedings of ACM SIGCOMM 2001, August 2001, pp. 3-14.
[2] A. Yaar, A. Perrig, and D. Song, "Pi: A Path Identification Mechanism to Defend Against DDoS Attacks," Proceedings of the IEEE Symposium on Security and Privacy, May 2003, pp. 93-107.
[3] A. Yaar, A. Perrig, and D. Song, "SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks," Proceedings of the IEEE Symposium on Security and Privacy, May 2004, pp. 130-143.
[4] Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein, "SOS: Secure Overlay Services," ACM SIGCOMM 2002.
[5] Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein, "SOS: An Architecture For Mitigating DDoS Attacks," IEEE Journal on Selected Areas in Communications (JSAC), 2003, pp. 176-188.
[6] Angelos Stavrou, Debra L. Cook, William G. Morein, Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein, "WebSOS: An Overlay-based System For Protecting Web Servers From Denial of Service Attacks," Computer Networks, vol. 48, no. 5, August 2005, pp. 781-807.
[7] C. Jin, H. Wang, and K. G. Shin, "Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic," Proceedings of the 10th ACM Conference on Computer and Communications Security, ACM Press, October 2003, pp. 30-41.
[8] C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, and R. Govindan, "Cossack: Coordinated Suppression of Simultaneous Attacks," Proceedings of the 3rd DARPA Information Survivability Conference and Exposition (DISCEX 2003), vol. 2, April 2003, pp. 94-96.
[9] D. Farinacci, T. Li, S. Hanks, D. Meyer, and P. Traina, "Generic Routing Encapsulation (GRE)," RFC 2784, IETF, March 2000. URL http://www.rfc-editor.org/rfc/rfc2784.txt
[10] Debra L. Cook, William G. Morein, Angelos D. Keromytis, Vishal Misra, and Daniel Rubenstein, "WebSOS: Protecting Web Servers From DDoS," Proceedings of the 11th IEEE International Conference on Networks (ICON), 2003, pp. 455-460.
[11] "Defense via Ingress Filtering," http://www.networkassociates.com/us/_tier0/nailabs/_media/documents/netbouncer.pdf
[12] Elaine Shi, Ion Stoica, David Andersen, and Adrian Perrig, "OverDoSe: A Generic DDoS Protection Service Using an Overlay Network," CMU Technical Report CMU-CS-06-114, 2006.
[13] G. Dommety, "Key and Sequence Number Extensions to GRE," RFC 2890, IETF, September 2000. URL http://www.rfc-editor.org/rfc/rfc2890.txt
[14] Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, and Hari Balakrishnan, "Chord: A Scalable Peer-to-peer Lookup Service for Internet Applications," ACM SIGCOMM 2001.
[15] J. Mirkovic, "D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks," PhD thesis, University of California Los Angeles, August 2003. http://lasr.cs.ucla.edu/ddos/dward-thesis.pdf
[16] J. Mirkovic, M. Robinson, P. Reiher, and G. Kuenning, "Forming Alliance for DDoS Defenses," Proceedings of the New Security Paradigms Workshop (NSPW 2003), ACM Press, August 2003, pp. 11-18.
[17] Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher, "Internet Denial of Service: Attack and Defense Mechanisms," Prentice Hall PTR, 2004.
[18] Michael Glenn, "A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment," SANS Institute, 2003.
[19] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, "Controlling High Bandwidth Aggregates in the Network," ACM SIGCOMM Computer Communications Review, vol. 32, no. 3, July 2002, pp. 62-73.
[20] S. Bellovin, M. Leech, and T. Taylor, "ICMP Traceback Messages," Internet draft, work in progress, October 2001.
[21] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical Network Support for IP Traceback," Proceedings of ACM SIGCOMM 2000, August 2000, pp. 295-306.
[22] http://c.root-servers.org/october21.txt
[23] http://edition.cnn.com/2001/TECH/internet/05/24/dos.study.idg/