计算机网络安全与管理：第15讲 协议漏洞攻击.pptVIP

DNS放大攻击 利用伪造目标地址方式发送dns请求 搜索DNS性质放大响应 60 byte 请求造成 512 - 4000 byte 响应 发送多个请求到连接服务器 变更请求流 DNS 服务器也被攻击 DoS 攻击防御 高流量需要合法性 高度公开性 非常著名的网站, e.g. Olympics etc 或有攻击者制造的合法流量 针对 (D)DoS的三条防御策略: 攻击预防与抢占 攻击检测与过滤 攻击源回溯与取证 攻击阻止 阻止哄骗源地址 在路由器部分尽可能接近于源 实际上很少得到执行 在上行数据流分配网络上限制速率 针对特定的包类型 e.g. some ICMP, some UDP, TCP/SYN 使用修改的TCP连接处理 使用 SYN cookies 或选择性的或随机性的放弃某实体 攻击阻止 阻止IP直接广播 阻止可疑的服务 源与目的组合 利用 “puzzles” 以区别合法请求与程序攻击 良好的系统安全习惯 当需要高性能高可靠性的服务时使用镜像与多服务器 攻击响应 需要良好的攻击响应机制 联系ISP 强行使用上行通信过滤 细节处理 有标准的过滤器 网络监控与IDS 检测与通知异常的流量 * * A critical component of many denial of service attacks, is the use of spoofed source addresses. One of the fundamental, and longest standing, recommendations for defense against these attacks is to limit the ability of systems to send packets with spoofed source addresses, cf. RFC 2827. This filtering needs to be done as close to the source as possible, by routers or gateways knowing the valid address ranges of incoming packets. Typically this is the ISP providing the network connection for an organization or home user. Regrettably, despite this being a well-known recommendation, many ISPs still do not perform this type of filtering. Any defenses against flooding attacks need to be located back in the Internet cloud, not at a target organization’s boundary router, since this is usually located after the resource being attacked. The filters must be applied to traffic before it leaves the ISP’s network, or even at the point of entry to their network. Some attacks using particular packet types, such as ICMP floods, or UDP floods to diagnostic services, can be throttled by imposing limits on the rate at which these packets will be accepted. It is possible to specifically defend against the SYN spoofing attack by using a modified version of the TCP connection handling code. Instead of saving the connection details on the server, critical information about the requested connection is cryptographically encoded in a “cookie” that is sent as the server’s initial sequen