
A Dynamic Deterministic Packet Marking Traceback Method with Enhanced Scalability (cited by: 1)

A Scalable IP Traceback Approach Employing Dynamic Deterministic Packet Marking in the Large-Scale Networks
Abstract: The emergence of IoT botnets has further escalated the destructive power of Denial of Service (DoS) attacks, and source address spoofing is an important reason why DoS attacks have long been difficult to defend against effectively. To address this, researchers proposed IP traceback techniques that can trace anonymous attack sources. Among the many IP traceback methods proposed so far, dynamic deterministic packet marking traceback attracted wide attention as soon as it was proposed because it is lightweight, efficient and easy to deploy. However, when facing large-scale attacks, existing methods still suffer from scalability problems caused by a limited traceback scale and an overly concentrated load. This paper therefore proposes a scalable dynamic deterministic packet marking traceback method, SEEK. On the one hand, it balances the load on traceback devices by designing a hierarchical traceback alliance architecture and dynamically adjusting the packet marking probability, so that performance bottlenecks do not constrain the scalability of the system. On the other hand, it increases the number of usable labels and their utilization by dynamically expanding the label-loading field, reusing the label space hierarchically and managing labels adaptively, so that a shortage of label resources does not limit the traceback scale and, in turn, the scalability of the system. Theoretical analysis and simulation experiments on large-scale real topologies show that, compared with previous typical schemes of the same kind, SEEK improves scalability and efficiency by more than 20% in the vast majority of attack scenarios.

With the development of the Internet of Things (IoT), more and more IoT devices have been connected to the Internet. Everything has two sides, and IoT is no exception. It has brought convenience to people's lives, but it also creates a series of issues. For example, attackers can exploit the fragile security and closed nature of IoT to disrupt network activities. Denial of Service (DoS) attacks are typical cyber attacks in which the perpetrator seeks to make a machine or network resource (e.g., bandwidth) unavailable to its intended users by temporarily or indefinitely disrupting the legitimate services of a host connected to the Internet. Generally speaking, DoS attacks are launched by thousands of attackers that attempt to overload the system with large numbers of useless requests. IP spoofing is a common trick in DoS attacks, which can not only conceal the attackers' locations but also bypass the defence mechanism. The attacker hides its own IP address and forges the source address, so that the victim cannot identify the locations of the attackers. Such a technique makes DoS attacks more destructive than before and difficult to defend against. For this reason, IP traceback technology, which is responsible for disclosing the attack sources, has been extensively researched and developed. Among the existing IP traceback approaches, the dynamic deterministic packet marking traceback approach, termed DDPM, has attracted great attention due to its light weight, high efficiency and ease of deployment. Its main idea is to make use of the abnormal flow detection systems that have been widely deployed on the Internet to establish audit trails and trace back to the attack sources involved. Only when the monitor notices a surge of suspicious network flows does it apply for a private and unique mark from a globally shared MOD server and insert it into the headers of the suspicious packets. At the same time, the MOD server establishes and maintains the mapping between the marks and the IP addresses that requested them. Once a DDoS attack is detected, the victim extracts the marks from the attack packets and obtains the attack sources by querying the MOD server. Although DDPM uses the marking space in a round-robin style to improve scalability, in large-scale networks it still suffers from the following disadvantages: a small number of traceable sources and load imbalance. Therefore, this paper proposes a scalable dynamic deterministic packet marking approach, termed SEEK. To overcome these drawbacks, SEEK first designs a hierarchical architecture for the traceable alliance and dynamic probabilistic packet marking to balance the load of the relevant traceback devices, and then employs a number of techniques, such as an expansive label-loading space, label space reuse and adaptive label management, to increase the number of available labels and improve their utilization. We perform extensive mathematical analysis and simulations to evaluate our approach. The results show that our approach significantly outperforms prior approaches in terms of scalability and efficiency by more than 20 percent.
Authors: LU Ning; ZHANG Jia-Wei; MA Jian-Feng; CONG Xin; SHI Wen-Bo; WANG Shang-Guang (School of Information Science and Engineering, Northeastern University, Shenyang 110819; School of Computer Science and Technology, Xidian University, Xi'an 710071; School of Electronic and Information Engineering, Liaoning Technical University, Huludao, Liaoning 125105; State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876)

Source: Chinese Journal of Computers (《计算机学报》), indexed in EI, CSCD and the Peking University Core Journals list; 2020, No. 8, pp. 1493-1516 (24 pages)

Funding: Supported by the National Natural Science Foundation of China (61601107, U1708262, 61602227), the China Postdoctoral Science Foundation (2019M653568), the Natural Science Foundation of Hebei Province (F2020501013, F2015501122, F2015501105), and the Fundamental Research Funds for the Central Universities (N2023020).

Keywords: IP anonymity; IP traceback; dynamic deterministic packet marking traceback (DDPM); scalability