摘要
针对运算资源受限的物联网(IoT)设备难以抵抗HTTP慢速拒绝服务(SHDoS)攻击的问题,提出了一种部署于IoT接入网关的轻量级SHDoS防御系统。首先,该系统基于IP报文重建了TCP连接的状态信息;之后,基于SHDoS的攻击原理设计了一种基于TCP连接资源占用率的攻击检测算法;最后,系统根据检测算法的检测结果通过发送伪造的RST报文和设置防火墙规则来快速阻断攻击连接。在IoT环境中的实验结果显示,该系统对已知的5种SHDoS攻击工具都具有较好的检测能力,能在60 s内检测到攻击主机并能主动屏蔽攻击,且系统对运算资源占用少,受攻击时内存占用仅为1004 KB,CPU使用率约为19.6%。实验表明,该系统能够满足在资源受限的IoT环境中抵抗SHDoS攻击的需求。
In order to solve the problem that the internet of things(IoT)devices with limited computing resources are difficult to defend against slow HTTP denial of service(SHDoS)attacks,a lightweight SHDoS defense system deployed on IoT access gateways was proposed.Firstly,the system reconstructed the TCP connection status information based on IP packets.Afterwards,by analyzing the principle of SHDoS attacks,an attack detection algorithm based on TCP connection resource occupancy was designed.Finally,according to the detection results of the detection algorithm,the system quickly blocked the attack connection by sending fake RST packets and setting firewall rules.In the IoT environment,the experimental results show that the system has well detection capabilities for the five known SHDoS attack tools.The system can detect the attacking host within 60 seconds and actively block it.In addition,the system only occupies a small amount of computing resources.When the device is under attack,the system memory consumption is about 1004 KB,and the average CPU usage is about 19.6%.Experiments show that the system can meet the needs of defending against SHDoS attacks in resource-constrained IoT environments.
作者
陈旖
苏维涓
郑龙德
赵政源
CHEN Yi;SU Weijuan;ZHENG Longde;ZHAO Zhengyuan(Department of Computer and Information Security Management, Fujian Police College, Fuzhou, Fujian 350007, China;Fujian Province University Engineering Research Center of Network Security and Law Enforcement, Fujian Police College, Fuzhou, Fujian 350007, China)
出处
《闽江学院学报》
2021年第2期51-58,共8页
Journal of Minjiang University
基金
福建省中青年教师教育科研项目(JAT190440)
福建警察学院“大学生创新创业训练计划”项目(cxxl-2020123)。
