Sample computer science assignment for international students: Distributed Denial Of Service DDOS Attack Computer Science Essay

Essay price: 0 yuan per essay. Use: for reference only. Editor: 论文网. Views: 0
Word count: **** Essay ID: lw20237783 Date: 2023-07-16 Source: 论文网

This is a sample computer science assignment for international students, titled "Distributed Denial Of Service DDOS Attack Computer Science Essay". Information technology is an exciting and rapidly emerging field that relies on communication systems to exchange data and services. Because nearly every service and product now uses computers and the internet as the medium for exchanging data or money over the open internet, they are exposed to vulnerabilities. A DDoS (Distributed Denial of Service) attack targets the availability of resources so that authenticated users can no longer use them. This paper explores the existing threats and vulnerabilities of DDoS, proposes possible solutions and recommendations, and gives an overview of the architecture and methodology of such attacks.

Abstract

Information technology is an exciting and still emerging technology that depends on communication systems for the exchange of data and services. Nearly every service and product now uses computers and the open internet as the medium for exchanging data or money, and is therefore exposed to vulnerabilities. A Distributed Denial of Service (DDoS) attack is an attack on the availability of resources, so that authenticated users can no longer use them. This paper explores the existing threats and vulnerabilities associated with DDoS, with possible solutions and recommendations, together with an overview and the architectural methodology of this kind of attack.

Confidentiality, Integrity and Availability are the three main properties of any computer network communication system. DDoS, a subset of Denial of Service (DoS) attacks, overwhelms the victim machine and denies service to its legitimate users, so that resources and services become unavailable to the clients concerned. Some examples are the smurf attack, SYN and UDP floods, and the ping of death. DDoS is a type of DoS attack that uses distributed computers in different locations to attack a particular victim, which may be a server or a client; the victim stops providing its services, and the unavailability of the server ultimately causes monetary loss and damage to the organization's reputation. It works by flooding the organization's whole network with unwanted traffic. The first well-known DDoS attack was identified in 2000 against yahoo.com, which went down for around two hours. DDoS is a consequence of weaknesses of the internet, which is prone to several vulnerabilities because it was designed for functionality rather than with any concern for security. Since the internet is an open network, everything is open and shared among authenticated users. Another big problem is that it is not a centralized network: different organizations and different countries have their own rules and regulations regarding the internet.


1. DDoS Layers Involved

The DDoS attack mainly occurs in three layers of the OSI model: layer 3 (network), layer 4 (transport) and layer 7 (application). At the transport layer the attacker uses a forged IP address to request a connection. In a normal connection the three-way TCP handshake is completed, but in this attack the handshake is never completed; instead connection requests are sent over and over, the server reserves resources for each attempt, and it runs out of the connection capacity required for legitimate users.


At the network layer the attack includes the ping of death and ICMP requests. At the application layer the DDoS attack is particularly effective and hard to detect, because it completes the three-way handshake and is treated as an authenticated user by the server concerned; the attacker then continuously requests a large amount of data over HTTP, and legitimate users are denied because the server is busy serving those false requests. In a DDoS attack, a combination of these three layers produces an effective attack with some really drastic effects.

2. DDoS Architecture

The main purpose of a DDoS attack is to overwhelm the targeted server and bring it down. It may be done for profit or just for fun, but in both cases legitimate clients suffer, as bandwidth, resources, memory and CPU are wasted. The DDoS attack architecture follows a hierarchical pattern; the four main components of DDoS are as follows:


Attacker

Master Machines/Handler

Zombie Machines

Victim

First, the attacker scans thousands of computers on the internet, regardless of where the systems are located, for known vulnerabilities, that is, for systems with minimal security, and turns them into master machines or handlers; these range from a couple of systems to many, depending on how sophisticated the attack is. Once the handlers are in place, the remaining scans for vulnerable systems are carried out by the handlers, which results in thousands of zombies across the globe without the knowledge of the users concerned. When these zombies are ready, the attacker can launch the attack and bring the victim down.



3. DDoS Tools

The tools used in DDoS attacks are very sophisticated: they run in the background or foreground under the name of a system program and are invisible, or very hard to detect, for administrators. Trin00, Tribe Flood Network (TFN), Stacheldraht, Tribe Flood Network 2000, Trinity, WinTrin00, MStream and others are examples of such tools used in DDoS attacks; the attacker installs these tools and runs them as required.


The tools also help the attacker coordinate the masters and zombies, and include a timer so that the attack is launched at a fixed time and all zombies attack the victim together. Trin00 scans systems for buffer overflows and installs an attack shell daemon through a remote shell; it communicates over unencrypted UDP. Tribe Flood Network installs a daemon that carries out multiple attacks such as ICMP flood, UDP flood and SYN flood, with communication done through ICMP ECHO and ECHO REPLY.

In later versions of TFN the list of zombie daemon IP addresses is encrypted. Stacheldraht combines features of Trin00 and TFN: the communication between attacker and master is encrypted, and the attacks are similar to those of TFN. Trinity floods with UDP, SYN and ACK packets, is controlled through Internet Relay Chat (IRC), and has a backdoor program that monitors a TCP port. MStream uses forged TCP packets with the ACK flag set; it uses TCP and UDP floods with no encryption in between, but the master machines are password protected. Besides these tools, various other programs and tools are readily available for this kind of attack and leave no residue to trace back.

4. DDoS Types

DDoS attacks act differently but are mainly classified into two categories according to their attack pattern: bandwidth depletion attacks and resource depletion attacks.

In a bandwidth depletion attack the main target is the bandwidth of the victim concerned, which is overwhelmed with unwanted traffic of more than 10 Gbps (it depends), preventing legitimate users from gaining access to the services. Some examples of such attacks are UDP floods, ping floods, Smurf and reflection attacks, which bombard the victim with unwanted traffic to make the services unavailable.


In a resource depletion attack, by contrast, the main concern is the resources available. This attack exhausts the resources available to the users concerned by means of the TCP SYN attack, the PUSH ACK attack and the Teardrop attack. These attacks send requests such as SYN to the server concerned, which in return reserves resources for each request; the attacker sends the same request again and again, and hence the server runs out of resources.
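The following added example (not part of the essay) models the mechanism behind both the transport-layer description in section 1 and the resource depletion type above: a server holds a fixed-size table of half-open connections (SYN received, final ACK pending) with a timeout, a flood of SYNs from constructed spoofed sources never completes the handshake, and a legitimate client is refused until the stale entries expire. The capacity, timeout and addresses are constructed values chosen for illustration.

```python
"""Simulation of half-open connection (SYN backlog) exhaustion.

Constructed model: the server keeps at most `capacity` half-open entries,
each held for `timeout` seconds while waiting for the client's final ACK.
Flood SYNs from spoofed sources never ACK, so the entries sit until they
expire and a legitimate SYN arriving meanwhile is dropped.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Key = Tuple[str, int]  # (source IP, source port) identifies a half-open entry


@dataclass
class SynBacklog:
    capacity: int                    # max half-open entries the server will hold
    timeout: float                   # seconds an entry waits for the ACK
    half_open: Dict[Key, float] = field(default_factory=dict)  # key -> SYN arrival time
    accepted: int = 0                # handshakes completed
    dropped: int = 0                 # SYNs refused because the backlog was full

    def expire(self, now: float) -> int:
        """Remove entries older than the timeout; return how many were freed."""
        stale = [k for k, t0 in self.half_open.items() if now - t0 >= self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, key: Key, now: float) -> bool:
        """Handle an incoming SYN. True if a half-open entry is reserved."""
        self.expire(now)
        if key in self.half_open:
            return True              # retransmitted SYN: entry already reserved
        if len(self.half_open) >= self.capacity:
            self.dropped += 1        # backlog full: the SYN is silently dropped
            return False
        self.half_open[key] = now
        return True

    def on_ack(self, key: Key, now: float) -> bool:
        """Handle the client's final ACK. True if the handshake completed."""
        self.expire(now)
        if key not in self.half_open:
            return False             # no matching SYN (dropped, expired or forged)
        del self.half_open[key]
        self.accepted += 1
        return True


def simulate(capacity: int = 128, timeout: float = 60.0, flood_syns: int = 1000) -> dict:
    """Flood the backlog with never-ACKed SYNs, then try a legitimate handshake
    during the flood (t=1s) and again after the entries have timed out."""
    backlog = SynBacklog(capacity=capacity, timeout=timeout)
    for i in range(flood_syns):
        spoofed = (f"10.0.{i // 256}.{i % 256}", 40000 + i)  # constructed spoofed sources
        backlog.on_syn(spoofed, now=0.0)                     # all arrive at t=0
    flood_reserved = len(backlog.half_open)
    flood_dropped = backlog.dropped

    client = ("192.0.2.10", 51515)                           # constructed legitimate client
    during = backlog.on_syn(client, now=1.0) and backlog.on_ack(client, now=1.1)
    after = (backlog.on_syn(client, now=timeout + 1.0)
             and backlog.on_ack(client, now=timeout + 1.1))

    return {
        "flood_reserved": flood_reserved,      # entries the flood occupied
        "flood_dropped": flood_dropped,        # flood SYNs that did not even fit
        "legit_during_flood": during,          # False when the backlog is full
        "legit_after_timeout": after,          # True once stale entries expire
        "accepted": backlog.accepted,
        "half_open_left": len(backlog.half_open),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

With the defaults, the 1000 flood SYNs fill all 128 entries and the remaining 872 are dropped; the legitimate client fails at t=1s and succeeds only after the 60-second timeout. Shrinking the timeout or raising the capacity changes how long the denial lasts but not the underlying problem, which is that every spoofed SYN costs the server memory it cannot recover until the timer fires.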



5. DDoS Defense

Practically speaking, it is impossible to prevent a DDoS attack; what we can do is reduce its effect, or try to make security as strong as possible. The following are the very basic defense mechanisms against DDoS attacks: prevention, detection, classification, justifying and tracing back.

The first phase, prevention, means preventing a DDoS attack as far as possible, that is, preventing one's own systems from becoming part of the attack architecture, so as not to become a handler. This is done through continuous monitoring of the systems, but not every user is aware of the security issues.


The second phase, detection, is to know whether the systems are under attack by checking for abnormal activity such as CPU or bandwidth usage; it can be done through firewalls or routers.

The third phase is classification of the detected attack according to its characteristics, such as IP addresses, protocol used and packet type used; it can be done through the use of an Intrusion Detection System, to support future countermeasures.

The fourth mechanism, justifying, is deciding how to deal with the known or detected attack. One way is to block all traffic from the offending addresses by using access control lists on gateways, or to react accordingly; another approach is to trace back the detected packets so that the source can be identified.

The final part of our defense mechanism is trace back, which will be covered in a later section of this paper.
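As an added illustration of the detection, classification and justifying phases (example code, not from the essay), the block below runs over constructed per-packet records of the form "<epoch-seconds> <src-ip> <dst-ip> <proto> <packet-type>", counts packets per source inside a sliding time window, flags sources whose peak rate exceeds a threshold, classifies each flagged source by its dominant protocol and packet type, and renders gateway deny rules. The record format, the thresholds and the generic ACL syntax are assumptions.

```python
"""Detection -> classification -> ACL response over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str   # TCP, UDP, ICMP
    ptype: str   # SYN, ACK, ECHO, DATA, ...


def parse_line(line: str) -> Packet:
    """Parse one record; reject malformed input instead of guessing fields."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, src, dst, proto, ptype = parts
    return Packet(float(ts), src, dst, proto.upper(), ptype.upper())


def detect(packets: List[Packet], window: float, threshold: int) -> Dict[str, int]:
    """Detection phase: {src: peak packets seen in any `window` seconds} for
    sources whose peak exceeds `threshold` (the abnormal activity)."""
    recent: Dict[str, List[float]] = defaultdict(list)   # timestamps inside the window
    peak: Dict[str, int] = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.ts):
        q = recent[p.src]
        q.append(p.ts)
        while q and p.ts - q[0] > window:                  # slide the window forward
            q.pop(0)
        peak[p.src] = max(peak[p.src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


def classify(packets: List[Packet], suspects: Dict[str, int]) -> Dict[str, Tuple[str, str]]:
    """Classification phase: dominant (proto, packet type) per suspect source."""
    counts: Dict[str, Dict[Tuple[str, str], int]] = defaultdict(lambda: defaultdict(int))
    for p in packets:
        if p.src in suspects:
            counts[p.src][(p.proto, p.ptype)] += 1
    return {src: max(c.items(), key=lambda kv: kv[1])[0] for src, c in counts.items()}


def acl_rules(classified: Dict[str, Tuple[str, str]]) -> List[str]:
    """Justifying phase: deny rules in a generic, vendor-neutral syntax (assumption)."""
    return sorted(f"deny {proto.lower()} from {src} to any  # flood: {proto} {ptype}"
                  for src, (proto, ptype) in classified.items())


# Constructed records: 198.51.100.7 sends 30 SYNs in 3 s and never ACKs,
# 203.0.113.9 sends 20 ICMP echoes in 3 s, and 192.0.2.50 is a normal client.
SAMPLE_LOG = (
    [f"{1689501600 + i * 0.1:.1f} 198.51.100.7 192.0.2.10 TCP SYN" for i in range(30)]
    + [f"{1689501600 + i * 0.15:.2f} 203.0.113.9 192.0.2.10 ICMP ECHO" for i in range(20)]
    + ["1689501600.0 192.0.2.50 192.0.2.10 TCP SYN",
       "1689501600.2 192.0.2.50 192.0.2.10 TCP ACK",
       "1689501601.0 192.0.2.50 192.0.2.10 TCP DATA"]
)


def run(lines: List[str] = SAMPLE_LOG, window: float = 5.0, threshold: int = 10):
    """Run all three phases; returns (suspects, classification, ACL rules)."""
    packets = [parse_line(line) for line in lines]
    suspects = detect(packets, window, threshold)
    classified = classify(packets, suspects)
    return suspects, classified, acl_rules(classified)


if __name__ == "__main__":
    suspects, classified, rules = run()
    print("suspects:", suspects)
    print("classified:", classified)
    print("\n".join(rules))
```

On the constructed sample the two flooding sources are flagged (peaks of 30 and 20 packets in the window) while the normal client, with three packets, is not; the classification labels them as a TCP SYN flood and an ICMP echo flood, and the rules block only those sources and protocols. A real deployment would tune the window and threshold per link and feed the classification into the IDS signatures the third phase refers to.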

6. DDoS Security Measures

Various research efforts are currently under way to stop DDoS attacks, and this may take time, but DDoS is becoming deadlier day by day; it is considered second only to viruses in financial losses caused by attacks, yet compared with viruses it is very new and has a vast effect with no remedy. So the only option we have is to make it harder for the attacker to penetrate the systems. The following are some security precautions we should follow:


Install antivirus and anti-spyware software from a trusted authority, keep it continuously updated and run it regularly.

Patch the security components of the systems continuously and always be ready to upgrade the systems.

A well-designed network infrastructure with properly installed firewalls and routers and appropriate policies, so that unwanted traffic and the organization's traffic can be clearly separated.

Filter incoming traffic on routers, or rate-limit certain types of traffic such as ICMP and SYN packets.

Monitor incoming and outgoing packets continuously, and react accordingly if any abnormality is seen.

Use Network Address Translation (NAT) to hide internal IP addresses.

Use Intrusion Detection Systems (IDS): implement host-based IDS together with network-based IDS to filter and detect abnormalities in the network.

Egress and ingress filtering; these are filtering mechanisms applied to IP traffic. Egress filtering sets the ranges of IP addresses allowed to leave the organization's network, whereas ingress filtering sets the IP address ranges allowed to enter the network.

Use SYN and RST cookies to verify both communicating parties with the help of cookies, so that legitimate clients can access the resources.

Use a proxy server in between, so that requests go to the server via the proxy and the proxy filters them according to the rules implemented on it.

Implement honeypot systems; these are systems in an organization with open security, separated from the internal network, used to learn the attack pattern.

Last but not least, educate users and clients about the security concerns.
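The SYN cookie measure in the list above is the one with the most concrete mechanism, so here is an added Python model of it (example code, not from the essay and not the layout any particular kernel uses). Instead of reserving a half-open entry when a SYN arrives, the server encodes the connection 4-tuple and a coarse timestamp into the initial sequence number it returns (the cookie) using a keyed MAC; a legitimate client's final ACK carries cookie+1, which the server recomputes and verifies with no stored state, so spoofed SYNs that are never acknowledged cost it nothing. The 24-bit MAC plus 8-bit timestamp layout, the 64-second tick, the secret and all addresses are constructed assumptions; RST cookies are not modelled.

```python
"""SYN cookie generation and verification (stateless handshake check)."""
import hashlib
import hmac
from typing import Tuple

SECRET = b"constructed-server-secret-rotate-in-production"   # constructed, assumption
TIME_UNIT = 64.0        # seconds per timestamp tick (assumption)
MAX_AGE_TICKS = 2       # cookies older than this many ticks are rejected


def _mac(src: str, sport: int, dst: str, dport: int, tick: int) -> int:
    """24-bit keyed MAC over the connection 4-tuple and the timestamp tick."""
    msg = f"{src}:{sport}>{dst}:{dport}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src: str, sport: int, dst: str, dport: int, now: float) -> int:
    """Server side on SYN: the 32-bit ISN to send in the SYN-ACK. Nothing is stored."""
    tick = int(now // TIME_UNIT) & 0xFF
    return ((tick << 24) | _mac(src, sport, dst, dport, tick)) & 0xFFFFFFFF


def check_ack(src: str, sport: int, dst: str, dport: int, ack_num: int, now: float) -> bool:
    """Server side on the final ACK: ack_num must be cookie + 1 for this 4-tuple,
    and the cookie's tick must be recent. Forged, replayed or stale ACKs fail."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick = cookie >> 24
    current = int(now // TIME_UNIT) & 0xFF
    age = (current - tick) & 0xFF            # modular: survives the 8-bit wrap
    if age > MAX_AGE_TICKS:
        return False                         # stale cookie (or wrapped/replayed)
    return hmac.compare_digest(               # constant-time compare of the MAC part
        (cookie & 0xFFFFFF).to_bytes(3, "big"),
        _mac(src, sport, dst, dport, tick).to_bytes(3, "big"),
    )


def handshake(client: Tuple[str, int], server: Tuple[str, int],
              now: float, client_acks: bool, ack_delay: float = 0.1) -> bool:
    """Model one handshake. A spoofed client that never answers leaves no state
    behind; a genuine client completes when its ACK echoes cookie + 1."""
    cookie = make_cookie(client[0], client[1], server[0], server[1], now)
    if not client_acks:
        return False                         # no ACK ever arrives; nothing to expire
    return check_ack(client[0], client[1], server[0], server[1], cookie + 1, now + ack_delay)


if __name__ == "__main__":
    srv = ("192.0.2.10", 443)                # constructed server
    print("legit client:", handshake(("192.0.2.50", 51515), srv, 1000.0, True))
    print("spoofed SYN :", handshake(("10.0.0.1", 40000), srv, 1000.0, False))
```

The check fails if the ACK comes from a different source address, carries the wrong number, or arrives after the tick has aged out, which is what lets the server drop its half-open table without letting an attacker forge completed connections. Rotating the secret and keeping the tick window short limit how long a captured cookie remains useful.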

A DDoS attack is an attack on the availability of resources and services, which results in financial losses, loss of organizational reputation and disruption of the working environment. The bitter truth is that security technologies such as firewalls, routers and IDS are very weak at preventing DDoS, as they cannot differentiate between genuine and fake traffic. Another factor is that the attack uses IP spoofing, which is difficult to verify against genuine packets, and the routing involved is stateless. The result is a very strong attack.

In this paper we have gone through an overview of DDoS with its architectural layout, together with the types and tools involved in a DDoS attack. We have highlighted the detection of DDoS, and described the security aspects and their implementation to safeguard assets against such attacks, plus a brief summary of how to trace back. No single effort can prevent or defeat DDoS; tackling it needs all-round support, such as cooperation among different internet communities and different countries to enforce the relevant laws and regulations strictly.

