
    pTrace: A DDoS Attack Source Control Technique for Controllable Cloud Computing

    pTrace: A Counter Technology of DDoS Attack Source for Controllable Cloud Computing

    • Abstract (translated from the Chinese): Currently, more and more sources of distributed denial of service (DDoS) attacks are migrating into the cloud, posing a serious challenge to the controllability of cloud computing and to the security of cyberspace as a whole. Research on effectively controlling this kind of attack source inside the cloud is still scarce. To address this, a DDoS attack source control system for controllable cloud computing, pTrace, is designed. The system consists of two parts: ingress traffic filtering, inFilter, and malicious process tracing, mpTrace. inFilter filters packets carrying forged source address information; mpTrace first identifies attack flows and their source address information, then uses that source address information to trace and control the malicious processes sending the attack flows. A prototype of pTrace was implemented in Openstack and Xen environments. Analysis and experiments show that inFilter effectively prevents DDoS attack packets with forged source address information from leaving the cloud, and that when the attack flow rate is about 2.5 times that of normal traffic, mpTrace correctly identifies the attack flow information and correctly traces the process sending the attack traffic within milliseconds. This method effectively controls DDoS attack sources located in the cloud and reduces the impact on puppet tenants inside the cloud and on attack targets outside it.

       

      Abstract: Currently, a growing number of attack sources of distributed denial of service (DDoS) are migrating to cloud computing and bringing a greater security challenge to the whole cyberspace. However, research on effectively suppressing these attack sources is still deficient. So, this paper proposes a method, pTrace, to defeat DDoS attack sources in the cloud, which comprises the packet filter module inFilter and the malicious process retroactive module mpTrace. inFilter mainly filters packets with forged source addresses. mpTrace first identifies attack streams and their corresponding source addresses, then traces malicious processes based on the obtained source addresses. We have implemented a prototype system under Openstack and Xen environments. Experimental results and analysis show that inFilter can prevent large-scale DDoS attacks from being launched in the cloud center with lower time consumption, and that mpTrace can identify an attack flow correctly when its flow rate is about 2.5 times the normal traffic, tracing malicious processes at the ms time level. At last, this method reduces the impact both on the puppet cloud tenant and on the victim outside the cloud.
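      The two stages the abstract describes can be sketched as a small defender-side pipeline: an egress check that drops packets whose source address does not belong to the prefix allocated to the sending VM (the inFilter idea), a per-source rate check that flags flows exceeding a multiple of the normal rate (the 2.5× threshold the abstract reports for mpTrace), and a lookup from the flagged source address back to the owning process. The code below is an added illustration written for this page, not the paper's pTrace implementation; the tenant prefixes, the packet sample, the socket-to-process table and the baseline rate are all constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed: address prefixes the cloud has allocated to each tenant VM.
TENANT_PREFIXES = {
    "vm-a": ipaddress.ip_network("10.0.1.0/24"),
    "vm-b": ipaddress.ip_network("10.0.2.0/24"),
}

# Constructed one-second packet sample observed at the cloud egress.
# vm-a sends a normal trickle; vm-b sends a burst from its real address
# and a few packets whose source address is forged (outside its prefix).
SAMPLE_PACKETS = (
    [{"vm": "vm-a", "src": "10.0.1.5", "dst": "198.51.100.20"}] * 5
    + [{"vm": "vm-b", "src": "10.0.2.7", "dst": "198.51.100.20"}] * 30
    + [{"vm": "vm-b", "src": "203.0.113.9", "dst": "198.51.100.20"}] * 4
)

# Constructed stand-in for per-VM socket/process information that a
# hypervisor-side tracer could query (pid and command are made up).
SOCKET_TABLE = {
    "10.0.2.7": [{"pid": 4242, "cmd": "flood"}],
    "10.0.1.5": [{"pid": 1001, "cmd": "nginx"}],
}


def in_filter(packets, prefixes=TENANT_PREFIXES):
    """inFilter-style egress check: keep a packet only if its source address
    lies inside the prefix allocated to the VM that sent it; everything else
    is a spoofed source and is dropped before it can leave the cloud."""
    passed, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt["src"])
        allowed = prefixes.get(pkt["vm"])
        (passed if allowed is not None and src in allowed else dropped).append(pkt)
    return passed, dropped


def identify_attack_flows(packets, baseline_pps, factor=2.5, window_s=1.0):
    """mpTrace-style identification: aggregate packets per source address over
    the window and flag sources whose rate is at least factor x the normal rate.
    Returns {source_address: observed_pps} for flagged sources only."""
    counts = defaultdict(int)
    for pkt in packets:
        counts[pkt["src"]] += 1
    threshold = factor * baseline_pps
    return {src: n / window_s for src, n in counts.items() if n / window_s >= threshold}


def trace_processes(flagged, socket_table=SOCKET_TABLE):
    """Map each flagged source address back to the process(es) bound to it so
    the tenant's operator can stop the sender rather than the whole VM."""
    return {src: socket_table.get(src, []) for src in flagged}


def run_pipeline(packets=SAMPLE_PACKETS, baseline_pps=10):
    """Run all three stages and return the intermediate results for inspection."""
    passed, dropped = in_filter(packets)
    flagged = identify_attack_flows(passed, baseline_pps)
    return {"dropped": dropped, "flagged": flagged, "traced": trace_processes(flagged)}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"dropped {len(result['dropped'])} spoofed packets")
    for src, pps in result["flagged"].items():
        print(f"attack flow from {src}: {pps:.0f} pps -> processes {result['traced'][src]}")
```

      With a baseline of 10 packets per second the vm-a flow (5 pps) stays below the 25 pps threshold, the vm-b burst (30 pps) is flagged and traced to the constructed process entry, and the four forged-source packets never reach the rate check because the egress filter drops them first. In a real deployment the prefix table would come from the cloud's address allocation records and the socket table from the hypervisor or guest agent, and the baseline would be learned per tenant rather than fixed.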

       

