Network congestion caused by DDoS attacks, malicious hosts controlled by the machine caused by a large number of puppets, not in the traditional sense of the end to end congestion, we can only control the router, or IP-based congestion control to achieve. The current mainstream of seven IP congestion control algorithms are needed to improve before they can be used effectively to prevent DDoS attacks.
Distributed Denial of Service DDoS (Distributed Denial of Service) attack is regarded as the greatest threat facing the Internet is one.
There are some common methods of DDoS attacks and defense mechanisms, including: prevention by modifying the configuration and protocol attacks, the source of the reverse lookup attack, attack detection and filtering, distributed attack detection and filtering (Host / router side) and so on.
DDoS attacks and network congestion
Generate the root causes of network congestion to the network is to provide the load over the network, storage and processing power, increase the performance of invalid packets, packet delay increases with the loss, and decreased quality of service. If at this time can not take effective detection and control methods, will lead to congestion has been increasing, and even cause system crashes, under normal circumstances the formation of the three direct causes of network congestion is:
鈼?router memory space. Need some input data stream with an output port, if the entry rate is greater than the export rate, it will build in the port queue. If you do not have enough storage space, data packets will be dropped, especially on the burst data stream. Increase storage space on the surface seems to be able to resolve this contradiction, but according to Nagel's research, if the router has unlimited storage capacity, the congestion will only become worse.
鈼?the relative lack of bandwidth capacity. Intuitively, when the data input bandwidth greater than the total output bandwidth, the network will form a low-bandwidth bottleneck link Office, network congestion occurs, relevant information that may refer to Shannon theory.
鈼?processor processing capability is weak. If the router's CPU cache in the implementation of the queue, update the routing tables and other operations, the processing speed can not keep up high-speed link will result in congestion. Similarly, low-speed links for high-speed processors will also have congestion.
These are the early Internet network congestion in the three main reasons. This, TCP congestion control gives a good solution. In practice, if all end users are complying with or compatible TCP congestion control mechanism, network congestion can be well controlled. However, when network congestion caused by DDoS attacks when, TCP window-based congestion control mechanism which can not be resolved. The reason is the congestion caused by attacks from malicious hosts send a large number of data caused not only these hosts will not be completed under the TCP congestion control mechanism for coordination of work, or even itself may contain a forged source address, to increase the amount of data sent, increase the number of connections and other attacks. In this case, the DDoS attack network congestion caused by the router must be processed, it is only IP-based congestion control to achieve.
Note that, DDoS attacks on network congestion caused by the above analysis is different from the ordinary case, there are substantial differences between them. In contrast, DDoS attack caused by congestion, often attacking the data packet size, arrival time, and many other aspects of the protocol type has some relevance, it is a distributed denial of service determined by its own characteristics. Ordinary case of network congestion, the data is not controlled by multiple attackers sent, and therefore does not have the similar correlation of. Congestion caused by attacks carried out protection, we should first find the correlation between, on the basis of traditional congestion control mechanism is introduced and refined in order to be efficient and accurate detection and control.
Seven mainstream IP congestion control algorithm and evaluation
According to the principle and mechanism of DDoS attacks, mechanisms of protection of the ability to do evaluation should be reference to the following criteria: condition 1, whether the feature according to certain rules setting; second condition, whether in accordance with certain rules to distinguish between the data flowing through ; conditions for three different types of data packets, it can provide different priority services. If a congestion control mechanism to meet these three conditions, we basically have a protective DDoS attacks.
The following will give a brief analysis of the current number of mainstream IP congestion control algorithm and its protection evaluation of the feasibility of DDoS attacks:
鈼?FIFO FIFO (First In First Out)
Traditional FIFO strategy is currently the most widely used Internet as a service model. Its biggest advantage is ease of implementation, but is essentially a FIFO "to end" (Drop-tail) of the algorithm, so when unexpected data arrives prone to the phenomenon of packet loss, the fair is poor, on the upper the TCP fast recovery and lower efficiency.
Evaluation criteria were known, the algorithm does not meet either condition, too simple and lack of intelligence, can not for the DDoS attack protection.
鈼?Random Early Detection RED (Random Early Detection)
RED algorithm is a certain probability into the router discards the packet. RED's early design idea is to avoid the continuous drop of the same connection packet, thereby enhancing the throughput of the connection. Packet loss rate through the assessment, RED can get better at the connection between fairness, strong adaptability to the unexpected business. RED also some disadvantages, such as may cause network instability, and select the appropriate configuration parameters is not an easy task. In recent years, researchers have proposed many improved RED algorithm, these algorithms are to some extent, from different aspects to improve the performance of RED.
Evaluation criteria were known, this method is not protective effect of DDoS attacks, because the idea is the assessed packet loss rate, normal business and attack data "too fair" and could not be differentiated, enabling a large number of normal business in the attack occurs can not be service.
鈼?Explicit Congestion Notification Algorithms in ECN (Explicit Congestion Notification)
The first two congestion control algorithms are adopted to tell the end of the system packet loss, network congestion has occurred. The Explicit Congestion Notification Algorithm congestion prompted by a clear (RFC2481) to implement congestion control, on the one-time effect of large-volume data transmission ideal, but there are certain requirements on the delay.
The algorithm embedded in the source side packet ECN, a router based on network conditions set by the CE (Congestion Experienced) bit. Source termination received feedback from the network to come back home this CE-bit data packet, it will then send the packet marked as dropped packets. ECN's advantage does not require retransmission timeout, not dependent on the coarse-grained TCP timer, so there is some delay in the applications required better performance. On this basis, also proposed another improved algorithm, it by adjusting the size of congestion window CWND, to correct a long RTT of TCP connection error, to improve the sharing of bottleneck bandwidth fairness.
Evaluation criteria were known, this method is not protective effect of DDoS attacks, because no signatures to identify and distinguish the functions, when the attack occurred less intelligence.
鈼?fair queuing algorithm FQ (Fair Queuing)
FQ algorithm in the routers for each output line queues have built one. When a line is idle, the router back and forth to scan all queues, each team in turn will send the first package. FQ bandwidth independent of packet size distribution, services began almost simultaneously in the queue. Therefore, in the case of statistical multiplexing without the expense of providing additional equity, and end to end congestion control mechanisms can be better coordinated. The disadvantage is that to achieve them are complex and require line of each data stream, and each stream of state statistics, packet classification and packet scheduling overhead and so on.
Evaluation criteria were known, this method is not protective effect of DDoS attacks, because the same ECN Act.
鈼?weighted fair queuing algorithms WFQ (Weighted Fair Queuing)
Weighted fair queuing algorithm is FQ Algorithm. According to different data streams of different bandwidth requirements, queue for each queue cache resource allocation by applying the weighting to increase the adaptability of FQ on the different applications, the algorithm there are other improved algorithm.
Evaluation criteria were known, the method can be used for protection by improved DDoS attack idea is first to detect and classify attacks, and then import the data according to attack the data, normal data, were queuing up three types of suspicious data processing, data directly on the attack discarded, while data on suspicious and normal to give a certain weight, to provide different quality of service. Good performance in the router to handle the case of ability, or even a more complex and intelligent processing strategies, such as multi-priority queue.
鈼?weighted random early detection WRED (Weighted Random Early Detection)
Is the random early detection combined with priority queuing, this combination provides a high-priority packet priority communication services capabilities. When an interface congestion began to appear, it selectively discard lower-priority group, rather than simply randomly dropping packets.
Evaluation criteria were known, the method can be used for protection by improved DDoS attacks, ideas and WFQ similar, they all meet the conditions of the three evaluation criteria, should be increased to improve the conditions and terms of a second set.
鈼?custom queuing
Custom queuing is allowed to have a minimum bandwidth and latency requirements of different applications sharing the network designed. Custom queuing for the distribution of different protocols with different queue space and queue a revolving manner, when a specific protocol data stream is allocated a larger queue space, also received a higher priority services, custom queuing priority queue more than fair. Custom queuing can guarantee that each particular type of communication can be fixed bandwidth, while in the case of link tension and avoid the data stream attempt to limit the amount beyond the possibility of pre-allocation.
Evaluation criteria were known, the method can be used for protection by improved DDoS attacks, are used in resource allocation and priorities for different businesses weighted to improve ideas and WFQ and WRED similar.
7 Ways addition to the above, there are other ways. If the FQ and the RED algorithm to combine Flow RED algorithm, it will cache into several queues, then each data stream using RED algorithm, simulation results show the fairness of its good; and if the core stateless fair queuing algorithms CSFQ (Core-Stateless Fair Queuing) border routers in the network to perform data flow management, and in the core does not do much more.
Can be seen, the protective ability of these algorithms, there are big differences between any of them need to improve before they can be effectively used to control DDoS attacks caused by network congestion.
相关链接:
Nine WAYS to recruit good staff
ADO How To Create Modify Delete List
Of! The relationship between SEO and UCD
Ambiguous "message" Mostly Huafei Trap
AVI to DivX
Vigilance "wind Downloader" Summer Lift Vitality And
Premier Audio Rippers And Converters
XviD To WMV
MKV to Zune
CMM assessment in China Suggestions
Good Audio CD Players
agricultural GROWTH in india an assessment
News about Converters And OPTIMIZERS
"Open source COMMUNITIES in China" held in Sharon
No comments:
Post a Comment