超大异常流量攻击的防御思路探讨

Defense of Massive Anomalous Traffic Attack

提出了应对超大异常流量攻击的防御思路,该思路中将防御策略分为短期策略和长期策略。短期措施主要在现有异常流量防护措施的基础上,进一步提升对超大异常流量攻击的防护能力;而长期策略试图从虚假源地址过滤、开放服务的协议方面进行改进。随着可利用的DNS、NTP等公共服务器资源将逐步减少,攻击者将转为挖掘新的可用于流量反射放大的应用协议。由于以"反射、放大流量"为特性的超大异常流量攻击仍将保持发展,对它的安全防御仍有待在实践中检验和不断完善。

In this paper, we propose a solution for ISPs to deal with massively anomalous traffic. This solution includes short-term protection and a long-term strategy. The short-term protection is mainly based on the existing abnormal flow detection but enhances the protection capabilities. The long-term strategy aims to improve the IP source address spoofing filtering and the protocols of the open service, such as DNS and NTP. With the decrease of the available known resource for attackers, new application protocols are used to make areflected and amplified anomalous traffic. For the sustained improvement of attacker skills, the defense of massively anomalous traffic need to be continuously tested and improved in practice.