ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 (Journal of Computer Research and Development) ›› 2015, Vol. 52 ›› Issue (10): 2212-2223. doi: 10.7544/issn1000-1239.2015.20150577

Special topic: Advances in Network Security and Privacy Protection Research, 2015

• Information Security •

pTrace: A DDoS Attack Source Control Technique for Controllable Cloud Computing

李保珲 (1,2,3), 徐克付 (2,3), 张鹏 (2,3), 郭莉 (2,3)

  1 (School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876); 2 (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093); 3 (National Engineering Laboratory for Information Security Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093) (delibh@126.com)
  • Publication date: 2015-10-01
  • Funding:
    Supported by the National High Technology Research and Development Program of China (863 Program) (2015AA016005) and the National Natural Science Foundation of China (61402464)

pTrace: A Counter Technology of DDoS Attack Source for Controllable Cloud Computing

Li Baohui (1,2,3), Xu Kefu (2,3), Zhang Peng (2,3), Guo Li (2,3)

  1 (School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876); 2 (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093); 3 (National Engineering Laboratory for Information Security Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093)
  • Online: 2015-10-01

Abstract (translated from the Chinese): At present, more and more distributed denial of service (DDoS) attack sources are migrating into the cloud, posing a serious challenge to the controllability of cloud computing and to the security of the whole cyberspace. However, research on effectively controlling such attack sources inside the cloud is still scarce. To this end, a DDoS attack source control system for controllable cloud computing, pTrace, is designed; it consists of two parts, the ingress traffic filter inFilter and the malicious process traceback module mpTrace. inFilter filters packets carrying forged source address information; mpTrace first identifies attack flows and their source address information, then, based on that source address information, traces and controls the malicious processes sending the attack flows. A prototype of pTrace was implemented on OpenStack and Xen. Analysis and experiments show that inFilter can effectively prevent DDoS attack packets containing false source address information from leaving the cloud; when the attack flow rate is about 2.5 times that of normal traffic, mpTrace can correctly identify the attack flow information and correctly trace the process sending the attack traffic within milliseconds. The method effectively controls DDoS attack sources located in the cloud and reduces the impact on both the puppet tenants inside the cloud and the attack targets outside the cloud.

Keywords: controllable cloud computing, traffic filtering, malicious program traceback, information entropy, virtual machine introspection

Abstract: Currently, a growing number of attack sources of distributed denial of service (DDoS) are migrating to cloud computing and bringing a greater security challenge to the whole cyberspace. However, the research on effectively suppressing these attack sources is still deficient. So, this paper proposes a method, pTrace, to defeat DDoS attack sources in the cloud, which comprises the packet filter module inFilter and the malicious process traceback module mpTrace. inFilter mainly filters packets with forged source addresses. mpTrace first identifies attack streams and their corresponding source addresses, then traces the malicious processes based on the obtained source addresses. We have implemented a prototype system in an OpenStack and Xen environment. Experimental results and analysis show that inFilter can prevent large-scale DDoS attacks from being launched from the cloud center with low time consumption, and that mpTrace can identify an attack flow correctly when its flow rate is about 2.5 times the normal traffic, tracing malicious processes at the millisecond level. Finally, this method reduces the impact both on the puppet cloud tenant and on the victim outside the cloud.

Key words: controllable cloud computing, packet filtering, malicious program traceback, information entropy, virtual machine introspection
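As an added illustration of the three-stage pipeline the abstract and keywords describe (filtering packets whose source address is not the sending VM's, flagging an attack flow whose rate is about 2.5 times a normal flow while reporting destination entropy as a skew indicator, and tracing the flagged flow back to the sending process through an introspected socket table); this is not code from the paper or its prototype. The packet records, per-VM address allocations, the median-based rate threshold, the socket-table snapshot and the process names are all constructed assumptions.

```python
from collections import Counter
from math import log2

# Everything below is constructed sample data, not taken from the paper's experiments.
ASSIGNED = {"vm-a": {"10.0.0.5"}, "vm-b": {"10.0.0.6"}}  # hypothetical per-VM address allocations
SOCKETS = {  # hypothetical socket-table snapshot obtained by VM introspection: (addr, port, pid, name)
    "vm-b": [("10.0.0.6", 443, 1201, "nginx"), ("10.0.0.6", 51234, 4410, "unknown_bin")],
}
SAMPLE_PACKETS = (  # (vm, src_ip, src_port, dst_ip)
    [("vm-a", "10.0.0.5", 40001, "198.51.100.1")] * 4
    + [("vm-a", "10.0.0.5", 40002, "198.51.100.2")] * 4
    + [("vm-b", "10.0.0.6", 443, "198.51.100.3")] * 4
    + [("vm-b", "10.0.0.6", 51234, "203.0.113.9")] * 10  # attack flow at 2.5x a normal flow
    + [("vm-b", "192.0.2.7", 51234, "203.0.113.9")] * 3  # forged source: must not leave the cloud
)

def in_filter(packets, assigned=ASSIGNED):
    """inFilter stage: pass only packets whose source address is assigned to the sending VM."""
    passed = [p for p in packets if p[1] in assigned.get(p[0], ())]
    dropped = [p for p in packets if p[1] not in assigned.get(p[0], ())]
    return passed, dropped

def entropy(counter):
    """Shannon entropy in bits of a frequency distribution."""
    total = sum(counter.values())
    return -sum(c / total * log2(c / total) for c in counter.values())

def identify_attack_flows(packets, ratio=2.5):
    """mpTrace stage 1: flag flows whose packet count is at least ratio x the median
    flow, and report the window's destination-address entropy as a skew indicator."""
    flows = Counter(packets)
    median = sorted(flows.values())[len(flows) // 2]
    flagged = [flow for flow, count in flows.items() if count >= ratio * median]
    return flagged, entropy(Counter(dst for *_, dst in packets))

def trace_process(flow, sockets=SOCKETS):
    """mpTrace stage 2: map a flagged flow's source address/port to the owning process
    via the introspected socket table of its VM; None if no socket matches."""
    vm, src, sport, _ = flow
    for addr, port, pid, name in sockets.get(vm, []):
        if (addr, port) == (src, sport):
            return pid, name
    return None

def run(packets=SAMPLE_PACKETS):
    """Whole pipeline: filter, identify, trace."""
    passed, dropped = in_filter(packets)
    flagged, skew = identify_attack_flows(passed)
    return {"dropped": len(dropped), "flagged": flagged, "dst_entropy": skew,
            "processes": [trace_process(f) for f in flagged]}
```

With the constructed input, the three spoofed packets are dropped before leaving the cloud, the single flow at 2.5 times the median is flagged, and its source port resolves to the hypothetical process with PID 4410 in vm-b.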
