Design of a Website Security Defense Platform
Topic: distributed denial-of-service attacks + application layer; source: Tianjin University, 2014 master's thesis
[Abstract]: With the rapid development of technology, web applications have become ever richer and bring great convenience to daily life. At the same time, flaws in network protocols make network security problems increasingly prominent. At the application layer a client needs to send only a small number of requests to consume a large amount of server resources, and application-layer distributed denial-of-service (APP-DDoS) attacks against web sites exploit exactly this weakness. Among the security threats websites face, APP-DDoS attacks account for a growing share and are increasingly hard to defend against. Effectively detecting APP-DDoS attacks and then controlling and filtering them is therefore important for protecting website security. Building on an analysis of domestic and foreign APP-DDoS defense techniques, this thesis designs and implements a website security defense platform. The platform controls and defends against APP-DDoS attacks while leaving interfaces for other threats such as web page tampering and injection attacks, so that further defense methods can be integrated and the platform's defensive capability extended. Three key techniques implement the APP-DDoS defense: a URL dynamic mapping method, a points-payment strategy, and an incentive mechanism. The URL dynamic mapping method hides the server's real resource addresses: the resource address in every client request is dynamically mapped, and the back-end web server responds only when the mapped address matches a database record. Because mapped addresses cannot feasibly be brute-forced, an attacker cannot accurately locate a target whose service is to be denied. The points-payment strategy refines the black/white-list approach by introducing the concepts of points and a service price that reflect the server's resource state; under attack it minimizes the access latency of white-listed users and at the same time reduces the computational burden of the URL dynamic mapping method. The incentive mechanism, based on the idea of a Turing test, has new users perform a series of related operations to prove they are legitimate, reducing the delay before a new legitimate user is served. Finally, an experimental environment was built and the designed platform was evaluated in simulated attacks. The results show that the defense platform is effective against APP-DDoS attacks.
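The two mechanisms the abstract describes in most detail, URL dynamic mapping and points-based admission, can be illustrated with a small Python reconstruction. This is an added example, not code from the thesis: the token format, the one-time client-bound tokens, the exponential price curve, the point values, the client names alice/bob/bot and the 90 % load figure are all assumptions or constructed inputs made for the illustration.

```python
"""Added illustration of the abstract's URL dynamic mapping and points-payment
admission control. Not the thesis's code: token format, one-time client-bound
tokens, the price curve, point values and client names are all assumptions."""
from __future__ import annotations

import secrets
from typing import Dict, Optional, Tuple


class DynamicUrlMapper:
    """Hide real resource paths behind per-request random mapped paths.

    Every mapped path is minted fresh for one client and one request and stored
    in a table (the abstract's "database record"). A request is forwarded to the
    back-end only if its path is in the table; anything else is dropped, so an
    attacker who only knows the real path (/admin/report.php) never reaches it.
    """

    def __init__(self, token_bytes: int = 24) -> None:
        # mapped path -> (client id it was issued to, real back-end path)
        self._table: Dict[str, Tuple[str, str]] = {}
        self._token_bytes = token_bytes

    def issue(self, client_id: str, real_path: str) -> str:
        # 24 random bytes = 192 bits of entropy: guessing a live entry is infeasible.
        mapped = "/r/" + secrets.token_urlsafe(self._token_bytes)
        self._table[mapped] = (client_id, real_path)
        return mapped

    def resolve(self, client_id: str, mapped_path: str) -> Optional[str]:
        """Return the real path to forward to, or None to drop the request.

        The entry is consumed on first presentation (assumption: one-time use),
        so a replayed or captured mapped path fails the second time.
        """
        entry = self._table.pop(mapped_path, None)
        if entry is None or entry[0] != client_id:
            return None
        return entry[1]


class PointsAdmission:
    """Points / service-price admission control, the abstract's refinement of a
    plain black/white list.

    Each client holds a points balance and a served request costs the current
    service price, which rises with server load. White-listed clients always pay
    the base price, so under attack they are not delayed by the price barrier.
    A new client earns a starting balance by passing a challenge (the abstract's
    Turing-test-style incentive mechanism). All numbers are illustrative.
    """

    BASE_PRICE = 1
    CHALLENGE_REWARD = 20

    def __init__(self, whitelist: Tuple[str, ...] = ()) -> None:
        self.whitelist = set(whitelist)
        self.balance: Dict[str, int] = {}

    def price(self, load: float) -> int:
        """Service price for a utilization in [0, 1]: flat up to 50 % load,
        then doubling for every further 10 %."""
        tier = int(round(min(max(load, 0.0), 1.0) * 10))
        return self.BASE_PRICE if tier <= 5 else self.BASE_PRICE * 2 ** (tier - 5)

    def grant_challenge_reward(self, client_id: str) -> None:
        self.balance[client_id] = self.balance.get(client_id, 0) + self.CHALLENGE_REWARD

    def admit(self, client_id: str, load: float) -> bool:
        price = self.BASE_PRICE if client_id in self.whitelist else self.price(load)
        balance = self.balance.get(client_id, 0)
        if balance < price:
            return False  # out of points: request is not forwarded
        self.balance[client_id] = balance - price
        return True


def mapping_demo() -> Dict[str, Optional[str]]:
    """Three outcomes of the mapper: a direct guess of the real path is dropped,
    the issued mapped path works once, and a replay of it is dropped."""
    mapper = DynamicUrlMapper()
    mapped = mapper.issue("alice", "/admin/report.php")
    return {
        "issued": mapped,
        "direct_guess": mapper.resolve("bot", "/admin/report.php"),
        "first_use": mapper.resolve("alice", mapped),
        "replay": mapper.resolve("alice", mapped),
    }


def simulate_attack(requests_per_client: int = 20, load: float = 0.9) -> Dict[str, int]:
    """Requests served per client while the server runs at 90 % load (constructed
    figure). alice is white-listed, bob is a new user who passed the challenge,
    bot never did."""
    gate = PointsAdmission(whitelist=("alice",))
    gate.grant_challenge_reward("alice")
    gate.grant_challenge_reward("bob")
    return {
        client: sum(gate.admit(client, load) for _ in range(requests_per_client))
        for client in ("alice", "bob", "bot")
    }


if __name__ == "__main__":
    print(mapping_demo())
    print(simulate_attack())
```

Running the block prints the two result dictionaries. In a deployment the mapper would sit in the reverse proxy that rewrites the links in served pages to mapped paths, and the load figure would come from the back-end's own metrics rather than a constant; the point of the simulation is only that under high load the white-listed client is served at the base price while an unknown client without points gets nothing.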
[Degree-granting institution]: Tianjin University
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.092
【參考文獻(xiàn)】
相關(guān)期刊論文 前3條
1 趙國(guó)鋒;喻守成;文晟;;基于用戶(hù)行為分析的應(yīng)用層DDoS攻擊檢測(cè)方法[J];計(jì)算機(jī)應(yīng)用研究;2011年02期
2 肖軍;云曉春;張永錚;;基于會(huì)話異常度模型的應(yīng)用層分布式拒絕服務(wù)攻擊過(guò)濾[J];計(jì)算機(jī)學(xué)報(bào);2010年09期
3 嵇海進(jìn);蔡明;;基于可信度的應(yīng)用層DDoS攻擊防御方法[J];計(jì)算機(jī)工程與設(shè)計(jì);2007年19期
相關(guān)博士學(xué)位論文 前1條
1 徐川;應(yīng)用層DDoS攻擊檢測(cè)算法研究及實(shí)現(xiàn)[D];重慶大學(xué);2012年
相關(guān)碩士學(xué)位論文 前8條
1 簡(jiǎn)校榮;基于歷史IP過(guò)濾的防御實(shí)驗(yàn)系統(tǒng)研究與實(shí)現(xiàn)[D];華南理工大學(xué);2013年
2 徐琳;應(yīng)用層DDoS攻擊防御與檢測(cè)方法[D];上海交通大學(xué);2013年
3 袁曉輝;IP Spoofing防御實(shí)驗(yàn)平臺(tái)的設(shè)計(jì)與實(shí)現(xiàn)[D];華南理工大學(xué);2012年
4 陸興舟;一種針對(duì)大規(guī)模網(wǎng)絡(luò)關(guān)鍵服務(wù)的DDoS反制方案[D];華東師范大學(xué);2012年
5 趙利明;基于路由協(xié)作的DdoS檢測(cè)與防御研究[D];東北大學(xué);2011年
6 王文龍;分布式拒絕服務(wù)攻擊及追蹤源研究[D];成都理工大學(xué);2011年
7 田正先;基于網(wǎng)絡(luò)效用最大化的DDoS攻擊主動(dòng)防御機(jī)制研究[D];華中科技大學(xué);2011年
8 張光;網(wǎng)絡(luò)攻擊與防御仿真平臺(tái)的設(shè)計(jì)與實(shí)現(xiàn)[D];西安電子科技大學(xué);2005年