
向后兼容防緩存污染攻擊的方法研究

Published: 2018-07-02 08:14

  Topic: man-in-the-middle attack + cache poisoning attack; Source: Huazhong University of Science and Technology, 2014 doctoral dissertation


[Abstract]: With the progress of science and technology, computer science has permeated every area of daily life, and the demand for computer networks keeps growing. The birth of the Internet connected thousands of networks around the world, but hardware, software, data and information are shared over the network, and this sharing leads to serious security problems.

Man-in-the-middle attacks remain one of the major threats to computer network resources. Such an attack typically masquerades as a legitimate user's host in order to deceive other hosts: a device that can successfully impersonate another host can intercept, read, modify or destroy information before it reaches its intended destination.

ARP cache poisoning is one way of spoofing hosts on a network. It exploits the fact that ARP resolves IP addresses into physical (MAC) addresses. ARP is stateless, which means a host accepts ARP replies even when it never sent a request. An attacker who wants to read traffic meant for a target host can send forged ARP replies to the requesting host, binding any chosen IP address to the attacker's MAC address. A host that accepts these forged replies cannot tell them apart from legitimate ones and therefore sends its packets to the attacker's MAC address.

In the same way, an attacker using DNS cache poisoning can inject forged records into a DNS server's cache in order to manipulate resolution data, either making the target unreachable or redirecting traffic to the wrong address. This is also regarded as a major threat to today's Internet users.

Many schemes have been proposed to address ARP and DNS cache poisoning, but so far none has been deployed at scale. The main reason is that they are not backward compatible: they rely on cryptography, which requires substantial changes to the traditional ARP/DNS protocols and adds considerable complexity. Manual removal of poisoned entries by administrators obviously imposes a heavy burden. Dynamic detection methods can also be used to manage cache poisoning, but they raise too many false alarms, leaving network administrators unable to act on them.

This dissertation therefore proposes solutions to the insecurity caused by cache spoofing in the ARP and DNS protocols.

The first solution is a protection method that improves the security of DNS servers, called Adaptive Caching DNS (ACDNS). It relies on the caching mechanism itself to block these attacks, based on my observation that adjusting the cache's storage policy improves both security and network access efficiency. ACDNS is designed to be compatible with the current DNS standard and fits the basic protocol flow and infrastructure without change. My method simply adds a delay before a received DNS response is stored in the cache, forming a new caching interval: when a new mapping is to be stored, ACDNS waits until the interval has elapsed, and if another DNS response with the same TXID arrives during that interval, ACDNS discards these packets and then sends a new query with a different TXID. A performance comparison of ACDNS and standard DNS shows that the scheme fully protects the resolver against cache poisoning attacks, and that the latency distribution of ACDNS is close to that of ordinary DNS resolution. Because the original DNS query process and ACDNS are fully compatible, my scheme can be deployed quickly and applied to any individual DNS server, since ACDNS requires no major modification of the current DNS infrastructure at any level.

The second solution also aims to prevent DNS cache poisoning. It introduces a scheme called "GDR: preventing DNS cache poisoning attacks (GDNS)" for resolving domain names. GDNS has two phases. The first is the GDNS gratuitous request phase (GDR), in which GDNS re-sends the corresponding DNS query for every cached name that is still within its validity period in order to refresh its mapping; that is, recently cached names are automatically re-queried (their cache records refreshed) to raise the DNS cache hit rate. GDNS thus lets the zone name server (ZS) keep up-to-date zone information in its cache, reducing resolution time without issuing a query to the authoritative top-level domain (TLD) server for every DNS request. The second phase is cache timing: as in ACDNS, a delay is added before a received response is cached, so that cache poisoning attacks can be detected and blocked. The GDR algorithm therefore offers two benefits. First, it is an effective technique for near-optimal name resolution performance. Second, although a delay is added before a response is cached, the GDR phase significantly helps GDNS reduce resolution latency. Experimental results show that GDNS effectively prevents cache poisoning attacks while greatly reducing resolution latency, an important performance parameter of name resolution.

The third solution prevents ARP spoofing. A client/server-based intrusion detection system (CSIDS) is proposed to detect and defend against ARP spoofing attacks. The main idea is to monitor received ARP packets; when a suspicious ARP packet is found, the CSIDS instances on the same network exchange control information. This control information allows CSIDS to flag the malicious packet before the ARP cache is updated, or to send a response packet to the sender. Every anomalous packet must be forwarded to the CSIDS server for inspection, and the CSIDS nodes on the network vote to decide whether the packet is genuine or forged and return that decision to the requester. To evaluate the detection and prevention capability of CSIDS, I compared the performance of CSIDS with plain ARP; the results show that CSIDS is easy to implement and can be applied within a local area network to improve security.

The fourth solution is an effective and inexpensive scheme called the Gratuitous Decision Packet System (GDPS), intended to overcome the insecurity of the ARP protocol, namely IP address spoofing. It pursues two main goals: (1) GDPS detects suspicious ARP packets by analysing ARP traffic in real time; (2) it distinguishes legitimate hosts from illegitimate ones by sending modified ARP request packets. In this scheme I focus on the ARP communication mapping to improve the security of the protocol. GDPS sends a set of modified ARP requests and then measures the cost of responding, that is, it uses the mean response time and the number of ARP reply packets to distinguish the legitimate MAC address from the attacker's. The results show that the attacker's machine sends several times as many ARP reply packets as the victim.

To carry out a security analysis of the above schemes, I extended the NS-2 framework to simulate all of the protocols and made various comparisons with normal ARP and DNS operation.

In summary, my schemes have the following important advantages: (1) they effectively block common cache poisoning attacks; (2) they are backward compatible with the existing ARP and DNS standards; (3) they use no cryptography and have no single point of failure; (4) they can be applied easily and at very low cost; (5) the GDNS method greatly reduces DNS resolution latency; and (6) the third and fourth solutions work well in dynamic (DHCP) environments.
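The ACDNS cache-timing rule and the GDNS gratuitous-request phase described above, as an added example modelled on the abstract (this is not the dissertation's code, and the hold window, TTL, refresh lead time and the constructed response stream are assumptions). A resolver cache holds each answer for a short window before committing it; a second response carrying the same TXID inside that window is treated as a poisoning race, both answers are discarded and the name is re-queried under a fresh TXID. Entries close to expiry are re-queried while the old record is still served.

```python
"""ACDNS-style delayed caching with TXID-collision detection, plus a GDNS-style
gratuitous refresh. Added example modelled on the abstract; not the dissertation's
code. Hold window, TTL, refresh lead time and sample responses are hypothetical."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """A DNS answer as it reaches the resolver (constructed sample data)."""
    t: float      # arrival time on a simulated clock, in seconds
    txid: int     # 16-bit transaction ID echoed from the query
    name: str
    answer: str   # A record offered for `name`


class AcdnsCache:
    def __init__(self, hold=0.5, ttl=300.0, refresh_before=30.0, txid_source=None):
        self.hold, self.ttl, self.refresh_before = hold, ttl, refresh_before
        # Deterministic TXIDs can be injected for tests; a real resolver must use
        # unpredictable IDs (and randomised source ports) or the race is trivial to win.
        self._txids = txid_source or iter(lambda: random.getrandbits(16), None)
        self.cache = {}    # name -> (answer, expires_at)
        self.pending = {}  # name -> {"txid": int, "first": Response|None, "deadline": float|None}
        self.sent = []     # (time, name, txid) for every query emitted
        self.events = []   # audit trail of dropped and colliding responses

    def _send_query(self, name, now):
        txid = next(self._txids)
        self.pending[name] = {"txid": txid, "first": None, "deadline": None}
        self.sent.append((now, name, txid))

    def tick(self, now):
        """Commit held answers whose window elapsed; pre-fetch entries near expiry (GDR)."""
        for name, p in list(self.pending.items()):
            if p["first"] is not None and p["deadline"] <= now:
                self.cache[name] = (p["first"].answer, now + self.ttl)
                del self.pending[name]
        for name, (_, expires) in list(self.cache.items()):
            if expires - now <= self.refresh_before and name not in self.pending:
                self._send_query(name, now)   # gratuitous re-query; old entry still served

    def resolve(self, name, now):
        """Return the cached answer, or None after issuing a query (no answer yet)."""
        self.tick(now)
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]
        if name not in self.pending:
            self._send_query(name, now)
        return None

    def on_response(self, r):
        self.tick(r.t)
        p = self.pending.get(r.name)
        if p is None or r.txid != p["txid"]:   # unsolicited, or TXID guess missed
            self.events.append(f"{r.t:.2f} drop txid={r.txid:#06x} {r.name} -> {r.answer}")
            return "dropped"
        if p["first"] is None:                 # first answer: hold it, do not cache yet
            p["first"], p["deadline"] = r, r.t + self.hold
            return "held"
        # Second answer under the same TXID inside the hold window: someone is racing
        # the real server. Discard both and ask again under a fresh TXID.
        self.events.append(f"{r.t:.2f} collision txid={r.txid:#06x} {r.name}: "
                           f"{p['first'].answer} vs {r.answer}; re-querying")
        self._send_query(r.name, r.t)
        return "collision"


def run_scenarios():
    """Constructed timeline: one clean lookup, one poisoning race, one refresh."""
    c = AcdnsCache(hold=0.5, ttl=10.0, refresh_before=2.0,
                   txid_source=iter([0x1A2B, 0x3C4D, 0x5E6F, 0x7081]))
    out = {}
    out["miss"] = c.resolve("www.example.com", 0.0)
    out["legit"] = c.on_response(Response(0.10, 0x1A2B, "www.example.com", "93.184.216.34"))
    out["still_held"] = c.resolve("www.example.com", 0.30)
    out["committed"] = c.resolve("www.example.com", 1.0)
    # Attacker is assumed to have guessed TXID 0x3C4D and lands first; plain DNS would cache it.
    c.resolve("bank.example", 2.0)
    out["forged_first"] = c.on_response(Response(2.05, 0x3C4D, "bank.example", "198.51.100.66"))
    out["real_second"] = c.on_response(Response(2.12, 0x3C4D, "bank.example", "203.0.113.10"))
    out["stray"] = c.on_response(Response(2.20, 0x3C4E, "bank.example", "198.51.100.66"))
    out["retry"] = c.on_response(Response(2.30, 0x5E6F, "bank.example", "203.0.113.10"))
    out["bank"] = c.resolve("bank.example", 3.0)
    # GDR: www.example.com expires at t=11, so t=9 triggers a refresh while still serving it.
    out["served_during_refresh"] = c.resolve("www.example.com", 9.0)
    out["refresh_txid"] = c.sent[-1][2]
    c.on_response(Response(9.10, 0x7081, "www.example.com", "93.184.216.35"))
    out["after_refresh"] = c.resolve("www.example.com", 10.0)
    out["queries"] = len(c.sent)
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:>22}: {v}")
```

The hold window only catches an attacker whose forged answer and the genuine answer both arrive inside it; an attacker who also blocks or outruns the real server by more than the window still wins the race, so the window is a complement to TXID and source-port randomisation, not a replacement for them.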
【學(xué)位授予單位】:華中科技大學(xué)
【學(xué)位級(jí)別】:博士
【學(xué)位授予年份】:2014
【分類號(hào)】:TP393.08


Article ID: 2089491



Link to this article: http://www.sikaile.net/guanlilunwen/ydhl/2089491.html

