Abstract
With the spread of the COVID-19 epidemic, governments have placed higher requirements on network security and reliability, since the movement of people is managed and information is released through network systems. Traditional intrusion detection technology and firewall technology cannot effectively defend against DDoS attacks. This paper analyzes the principles and defects of intrusion detection systems and firewalls, and proposes an architecture for an intrusion prevention system that integrates auditing and network defense functions. The system optimizes the detection and analysis component that detects attack behavior according to the special requirements of the attack defense task, and adds modules for attack behavior characteristic analysis and defense strategy generation. The policy execution component uses a dedicated defense engine to execute defense policies, giving the system deep defense capabilities. Experiments show that the validity and reliability of the key modules of the proposed defense model meet the technical requirements. The work has some reference value for improving the reliability of network management systems under the influence of the COVID-19 epidemic.
Introduction
At present the COVID-19 epidemic continues to spread. People use the Internet to meet their daily needs and to obtain information related to the epidemic, and governments control the movement of people through network information systems. These circumstances pose challenges to network security, so the security and reliability of information networks matter for COVID-19 prevention and control.
The rapid development of networks makes their structure more and more complex. Many "hacker" sites not only provide large amounts of information on system defects and attack methods, but also easy-to-use vulnerability scanning and attack tools [1, 2]. Attackers no longer need special system knowledge to use such intrusion tools against systems with security defects [3]. Network security techniques and hacker attacks build on the same environment; the capabilities of attackers and defenders develop alternately, each overtaking the other in turn. Network security defense and intrusion detection is therefore a long-term, arduous task.
Although great progress has been made in computer security research, implementing and maintaining a secure computer system is still very difficult, because we cannot guarantee that the security of a system reaches a given level. Intruders exploit security loopholes that stem mainly from defects in the design of system and application software, or from deficiencies in the design and implementation of the system's security policy specification. Even if we could design and implement an extremely secure system, the large number of applications and the data processing that depend on the existing system, together with the investment needed to configure a new one, mean that replacing the existing system incurs a high migration cost; in practice such a replacement is very hard to carry out. On the other hand, upgrading the existing system by continually adding new functional modules keeps introducing new security defects.
To address the problem that traditional intrusion detection and firewall technologies cannot effectively defend against DDoS attacks, this paper proposes an architecture for an intrusion prevention system that combines auditing and network defense functions. The system optimizes the detection and analysis component that detects attack behavior according to the special requirements of the attack defense task, and adds modules for attack behavior characteristic analysis and defense strategy generation. The policy execution component uses a dedicated defense engine to execute the defense strategy, giving the system deep defense capabilities.
A method against distributed denial of service attack
Overall defense strategy
A network host can use a raw socket to construct network packets with a false source IP address [4]. Such packets are usually associated with malicious network behavior such as distributed denial of service (DDoS) attacks. Through source IP address forgery, DDoS attacks have become a very difficult Internet security problem and a serious threat to Internet services [5–7]. DDoS attacks block network access for legitimate users by consuming the system resources of the attacked host or occupying its network bandwidth [8].
Attackers often fill the source IP address field of IP packets with a random 32-bit number, creating packets with spurious source addresses [9, 10] to hide the controlled hosts that launch the attack and avoid tracing. Because of design defects in the current IP protocol system, routers do not verify the legitimacy of a packet's source when forwarding it, so packets with forged source IP addresses are forwarded successfully. This defect makes it difficult to trace and detect the source of a DDoS attack. Some DDoS attacks, such as Smurf [11] and recent DRDoS attacks [12, 13], rely entirely on manufacturing packets with false source IP addresses.
When an attacker uses software such as TFN2K to launch a DDoS attack on a target host, the victim receives a large number of flood packets with false source IP addresses constructed by IP Spoof techniques. Traditional defense methods, such as filtering specific IP addresses or ports on the firewall or random packet dropping, cannot effectively distinguish legitimate from illegal access traffic, so it is difficult to protect the victim host and maintain its normal service to legitimate users.
In short, effective identification of IP Spoof traffic during a DDoS attack is the key for a network intrusion prevention system to prevent DDoS attacks and keep network hosts running normally [14, 15].
Because there is no very effective means of identifying IP Spoof data flows, current DDoS defense technologies are all passive and indiscriminate: packets are either discarded without distinction or allocated system resources for processing without distinction. But when a denial of service attack arrives, the number of malicious packets is very large and the access requests of legitimate users are submerged in an ocean of malicious packets; without an effective means of distinguishing them, the consequences are disastrous whether the packets are processed or not.
Yet discrimination itself is complex, and the more accurate the algorithm, the more complex it is. Balancing performance and cost through an appropriate overall defense strategy is therefore the main starting point of the DDoS defense system designed in this paper.
The system uses a model based on a state control strategy and, during the attack period, a hierarchical protection strategy to defend against cooperatively controlled distributed denial of service attacks that use IP Spoof technology.
Two states of IPS system
The main characteristics of DDoS attacks are short duration, destructiveness and difficulty of prevention. The attack defense algorithm is a special mitigation algorithm designed for the particular harm of DDoS attacks. Because of the system overhead, an exact algorithm that separates malicious traffic from normal network traffic is hard to realize, so approximate algorithms are used to balance performance and cost. An approximate discrimination algorithm, however, may filter some legitimate network access as attack traffic. A small amount of misjudgment is tolerable during a large-scale network intrusion, but invoking such algorithms outside the attack period would harm legitimate network access. The two working states of the IPS against DDoS attacks are shown in Fig. 1.

Fig. 1. Two working states of IPS system against DDoS attack.
During a DDoS attack, a variety of approximate discrimination algorithms are used to classify the received traffic and perform the corresponding filtering or forwarding operations. Because these algorithms differ in their balance between performance and cost and in their discrimination accuracy, a hierarchical protection strategy is adopted for DDoS attack defense.
The hierarchical protection strategy uses a three-level defense strategy model to process packets in the defense system. First, data preprocessing technology performs simple filtering to separate out malformed and abnormal packets; then DDoS defense technology based on data stream fingerprint recognition filters further. In most cases these two levels of filtering already give a good defense effect. For some special DDoS attacks, such as those with small attack source granularity and wide distribution, if the effect is still not obvious after the first two levels, HCF-based deep defense technology is applied. The three-level defense strategy model is shown in Fig. 2.

Fig. 2. Three-level defense strategy model for IP Spoof DDoS.
In the hierarchical protection strategy, the algorithm with the simplest processing and the highest efficiency serves as the first-level filtering strategy; its simple filtering greatly reduces the workload of the subsequent algorithms and improves overall efficiency. The algorithm with the most complex processing but the highest accuracy serves as the third-level strategy, ensuring the overall effectiveness of the defense. Proceeding from simple to complex and from coarse to fine in this way ensures the accuracy and effectiveness of the processing, effectively distinguishes malicious traffic from normal traffic, and still meets the efficiency requirements when a large-scale DDoS attack occurs.
The defense system processes packets with this three-level model: data preprocessing for simple filtering of malformed and abnormal packets, then filtering based on data stream fingerprint recognition, and, for special attacks such as those with small attack source granularity and wide distribution that the first two levels do not handle well, HCF-based deep defense.
This section describes the algorithm design of the three-level defense strategy model in detail; the algorithms are implemented in a modular way. The performance of the prototype system modules on the test data set and under actual attack tests is presented in the experiment section below.
Data preprocessing technology
When DDoS attacks occur, because the attack packets are created by the attacker programmatically, there will be a large number of malformed and abnormal packets in the network. Through protocol verification and data preprocessing based on routing feature anomaly recognition, these malformed and abnormal packets can be separated out and filtered, reducing the workload of the subsequent defense algorithms.
(1) Protocol verification technology
Protocol verification checks the protocol fields of the different layers for illegal or suspicious content, such as unused fields, illegal values, inappropriate options, irregular sequence numbers, modified CRCs, etc. Many scholars have studied protocol verification in depth, so it is not covered further in this paper.
(2) Data preprocessing technology based on routing feature anomaly recognition
TTL (time to live) is a field in the IP packet header that tells routers whether a packet has been in the network too long and should be discarded. There are many reasons why a packet may not be delivered to its destination within a certain time; for example, an incorrect routing table can send packets into an infinite loop. One remedy is to discard the packet after a period of time and notify the sender, which decides whether to resend. The original idea of TTL was a time range beyond which packets are discarded. Since each router must decrease the TTL value by 1, in practice TTL indicates the maximum number of routers a packet can pass through before it is discarded. When the count reaches 0, the router discards the packet and sends an ICMP message to the original sender.
The initial TTL value is usually the system default; the field is 8 bits wide, and its value bounds how far a packet can be forwarded. The default initial TTL is usually one of 255, 128, 64, 60, 32 and 30. At present, the number of routing hops between hosts in the Internet is usually less than 25, so the TTL values of received packets usually lie in the ranges 235–255, 108–128, 40–64 and 10–32.
According to the intrusion prevention system architecture, when a DDoS attack occurs the detection and analysis component of the IPS triggers the state switch, which drives the DDoS hierarchical protection policy in the policy execution component. Packets then first arrive at the data preprocessing module, and after this primary filtering most malformed and abnormal packets in the data stream have been filtered out.
The following shows the implementation of the data preprocessing algorithm based on routing feature anomaly recognition (the listing is reconstructed from a garbled original; the parts marked as assumed are not readable in the source):
/* Data preprocessing based on routing-feature anomaly recognition: in attack
 * mode, only packets whose TTL lies in one of the expected ranges are
 * forwarded; the remaining packets are blocked and logged. */
#include <stdlib.h>

extern int ips_proc_mod;                  /* current IPS working state */
extern void *ttl_block_list;              /* TTL values to block */
extern void ttl_preproc_list(void *block_list);
extern void system_proc_log(int action, int feature, void *list);
extern void check_mode(int *mode);
/* ATTACK_MODE, BLOCK_FORWARD and TTL are constants of the IPS prototype */

void ttl_preprocess(void)
{
    /* iptables' ttl match takes --ttl-gt/--ttl-lt rather than a range, so each
     * range of the original listing becomes a pair of bounds. The first,
     * unreadable rule is assumed to be a flush; the final DROP is assumed
     * from the text (packets outside the ranges are filtered out). */
    static const char *rules[] = {
        "iptables -F FORWARD",
        "iptables -A FORWARD -m ttl --ttl-gt 229 -j ACCEPT",                     /* 230:255 */
        "iptables -A FORWARD -m ttl --ttl-gt 102 -m ttl --ttl-lt 129 -j ACCEPT", /* 103:128 */
        "iptables -A FORWARD -m ttl --ttl-gt 34 -m ttl --ttl-lt 65 -j ACCEPT",   /* 35:64 */
        "iptables -A FORWARD -m ttl --ttl-gt 4 -m ttl --ttl-lt 33 -j ACCEPT",    /* 5:32 */
        "iptables -A FORWARD -j DROP",
    };

    if (ips_proc_mod != ATTACK_MODE)
        return;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        system(rules[i]);
    ttl_preproc_list(ttl_block_list);                    /* record blocked TTLs */
    system_proc_log(BLOCK_FORWARD, TTL, ttl_block_list); /* audit the action */
    check_mode(&ips_proc_mod);                           /* re-evaluate the state */
}
Defense technology based on data stream fingerprint recognition
When a DDoS attack occurs, each attack source sends a large number of packets to the target host continuously to swamp it. Statistical analysis of common attack software shows that, depending on host performance, each attacking host usually produces thousands to tens of thousands of packets per second to send to the target, and some high-performance network servers can even produce 100000 packets per second. By counting the sources of the attack packets, it is easy to find the IP addresses of the attack sources and filter packets from them. The principle is similar to separating stones from fine sand with a sieve: by the aggregation effect of the source IP address, the coarse stones are kept out of the network while the fine sand passes through.
However, the new generation of DDoS attacks uses IP Spoof technology to forge the source IP address of the attack packets, filling the source address field with a randomly generated 32-bit number, so the packet sources are distributed randomly over the whole IP address space. The new attack data flow therefore floods through the "screen mesh" and overwhelms a system that uses traditional filtering by attack source IP address.
In the IP packet header, the source and destination address fields express the end-to-end digital characteristics of the packet and are the most direct characteristics for locating the source of an attack and filtering packets. Although in IP Spoof DDoS attacks this end-to-end characteristic can no longer indicate the legitimacy of packets, malicious traffic still carries some "fingerprint information" which, while it cannot determine the exact source of the sender, is sufficient as a basis for distinguishing malicious traffic from normal traffic. This paper designs and implements a set of distinguishing / defending algorithms using the routing "fingerprint information" provided by the TTL value in IP Spoof DDoS malicious traffic. The algorithm consists of two parts: analysis of the routing "fingerprint information", and defense.
The algorithm filters the malicious traffic generated by the IP Spoof DDoS attack by submitting the routing "fingerprint information" that represents the malicious attack traffic to the attack defense module in the policy execution component.
Algorithm validity analysis
The algorithm filters according to the characteristic TTL values of the malicious attack traffic. Because it detects the routing "fingerprint information" of the data traffic, it is very effective against IP Spoof DDoS attacks with forged source IP addresses, and its missed detection rate is close to 0. Its weakness is false detection: it also filters legitimate traffic carrying the same TTL values as the attack traffic, and it is sensitive to how the attack sources are distributed over the TTL value space. However, at a normal DDoS attack scale, when the number of hosts initiating the attack does not exceed 100 or their coverage of the TTL value space is less than 20%, the access of more than 50% of normal users is unaffected. In this case, the defense algorithm based on data stream fingerprint recognition is very effective.
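The second-level filter described above, as an added example (not the paper's prototype code): a TTL histogram learned in the non-attack state is compared with the histogram seen during the attack, TTL values whose share jumps are taken as the attack fingerprint and blocked, and the demo measures the collateral loss on legitimate clients that share a TTL with an attacking host. The packet samples, thresholds and host set are constructed for the example.

```python
"""TTL "fingerprint" filter for IP-spoofed floods (added example, not the
paper's code). The filter ignores source addresses, which the attacker
randomises, and keys only on the TTL each packet arrives with.
Packets are constructed (src, ttl, kind) tuples; `kind` is ground truth used
for scoring only and is never consulted by the filter."""
from collections import Counter

LEGIT_TTLS = list(range(50, 60)) + list(range(114, 124))  # 20 values, constructed
ATTACK_TTLS = [53, 61, 107, 118, 236]  # one fixed TTL per attacking host, constructed


def ttl_histogram(packets):
    """Count packets per TTL value."""
    return Counter(p[1] for p in packets)


def attack_fingerprint(baseline, observed, ratio=3.0, min_share=0.05):
    """Return the TTL values whose share of traffic has risen `ratio` times
    above the non-attack baseline and is at least `min_share` of all packets.
    These values are the routing fingerprint of the attack sources."""
    base_total = sum(baseline.values()) or 1
    obs_total = sum(observed.values()) or 1
    floor = 1 / base_total  # treat a TTL unseen in peacetime as seen once
    fingerprint = set()
    for ttl, count in observed.items():
        share = count / obs_total
        base_share = max(baseline.get(ttl, 0) / base_total, floor)
        if share >= min_share and share >= ratio * base_share:
            fingerprint.add(ttl)
    return fingerprint


def filter_packets(packets, fingerprint):
    """Split packets into (forwarded, blocked) using only the TTL field."""
    kept = [p for p in packets if p[1] not in fingerprint]
    dropped = [p for p in packets if p[1] in fingerprint]
    return kept, dropped


def make_legit(per_ttl=10):
    """Constructed legitimate clients: 10 packets for each of the 20 TTL values."""
    return [(f"10.{i}.0.{j}", ttl, "legit")
            for i, ttl in enumerate(LEGIT_TTLS) for j in range(per_ttl)]


def make_attack(per_host=2000):
    """Constructed flood: each attacking host keeps its real TTL but spoofs
    a different 32-bit source address on every packet."""
    packets = []
    k = 0
    for ttl in ATTACK_TTLS:
        for _ in range(per_host):
            k += 1
            a = (k * 2654435761) & 0xFFFFFFFF  # pseudo-random source address
            src = f"{a >> 24}.{(a >> 16) & 255}.{(a >> 8) & 255}.{a & 255}"
            packets.append((src, ttl, "attack"))
    return packets


def run_demo():
    legit, attack = make_legit(), make_attack()
    baseline = ttl_histogram(legit)             # learned in the non-attack state
    observed = ttl_histogram(legit + attack)    # seen once the attack begins
    fingerprint = attack_fingerprint(baseline, observed)
    kept, dropped = filter_packets(legit + attack, fingerprint)
    legit_kept = sum(p[2] == "legit" for p in kept) / len(legit)
    attack_dropped = sum(p[2] == "attack" for p in dropped) / len(attack)
    return {"fingerprint": fingerprint,
            "legit_kept": legit_kept,          # 0.9: TTLs 53 and 118 collide with real clients
            "attack_dropped": attack_dropped}  # 1.0


if __name__ == "__main__":
    print(run_demo())
```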
Deep defense technology based on HCF
Through the above two-level protection strategy, most of the malicious traffic generated by IP Spoof DDoS attacks can be filtered while legitimate traffic is preserved as far as possible, maintaining the normal network services that the target host provides to legitimate users.
However, in some cases the defense effect of the above two-level protection strategy against IP Spoof DDoS attacks may not be ideal, for example:
(1) The number of hosts launching the attack is huge, reaching hundreds or even thousands, and their distribution in the network is relatively scattered.
(2) The number of TTL values representing malicious traffic is too large, so that a large amount of normal network traffic with the same TTL values is filtered along with it.
(3) The attack program forges the initial TTL value of its packets by technical means, which makes it difficult for the IPS to obtain the "fingerprint information" of the attack traffic from the statistical characteristics of the TTL value.
In such cases, the IPS uses HCF-based deep defense technology to defend against IP Spoof DDoS attacks.
In general, the Hop-count between two given hosts on the network is a fixed value that depends on the IP addresses of both the receiver and the sender. Based on this property, the HCF (Hop Count Filtering) algorithm can effectively defend against IP Spoof DDoS attacks.
Calculation of hop-count value
The TTL field in the IP packet header controls the lifetime of the packet in the network: each router on the path from sender to receiver decrements it by 1. If we denote the initial TTL value as TTL_initial and the value when the packet is received as TTL_final, then hop_count = TTL_initial - TTL_final.
TTL_final is read directly from the IP packet header, but TTL_initial may be any of 30, 32, 60, 64, 128 and 255. The HCF algorithm determines the initial value as follows:
The set of initial TTL values {30, 32, 60, 64, 128, 255} is divided into four subsets: {30, 32}, {60, 64}, {128} and {255}. The distance between subsets (defined as the minimum absolute difference between elements of different subsets) is greater than the Hop-count between any two hosts on the Internet, so the closest subset whose values are larger than TTL_final is selected as the source of TTL_initial. When the subset has two elements, the results calculated with both TTL_initial values are taken as possible Hop-count values.
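The hop-count inference just described, together with the HCF table comparison of the algorithm, as an added example (not the paper's code). The host table, the attacker's path length of 18 hops, and the handling of source addresses absent from the table are constructed assumptions.

```python
"""Hop-Count Filtering (HCF) worked example; added here, not the paper's code.

hop_count = TTL_initial - TTL_final. TTL_initial is inferred from TTL_final
with the subsets {30,32}, {60,64}, {128}, {255}: the closest subset whose
values are >= TTL_final is chosen, and a two-element subset yields two
candidate hop counts. A packet passes when a candidate equals the hop count
recorded for its source address in a table learned during normal operation.
Sample hosts and the attacker's path length are constructed for the demo."""
INITIAL_TTL_SUBSETS = ((30, 32), (60, 64), (128,), (255,))


def hop_count_candidates(ttl_final):
    """Possible hop counts for a received TTL value."""
    if not 0 <= ttl_final <= 255:
        raise ValueError("TTL must be 0..255")
    for subset in INITIAL_TTL_SUBSETS:
        if ttl_final <= subset[-1]:
            return {initial - ttl_final for initial in subset if initial >= ttl_final}
    return set()  # unreachable: 255 is the largest initial value


def learn_table(peacetime_packets):
    """Build the source IP -> hop count table from (src, ttl_final) observations."""
    table = {}
    for src, ttl_final in peacetime_packets:
        table.setdefault(src, set()).update(hop_count_candidates(ttl_final))
    return table


def hcf_verdict(table, src, ttl_final):
    """'match' (forward), 'mismatch' (drop) or 'unknown' (no table entry).
    The paper does not say how unknown sources are treated; here they are
    only reported (assumption)."""
    expected = table.get(src)
    if expected is None:
        return "unknown"
    return "match" if expected & hop_count_candidates(ttl_final) else "mismatch"


def constructed_hosts(n=40):
    """Constructed legitimate hosts: hop counts spread over 10..21 hops,
    even-numbered hosts with initial TTL 128, odd-numbered with 64."""
    hosts = []
    for i in range(n):
        hop = 10 + (i * 7) % 12
        initial = 128 if i % 2 == 0 else 64
        hosts.append((f"203.0.113.{i}", initial - hop))
    return hosts


def run_demo():
    hosts = constructed_hosts()
    table = learn_table(hosts)
    # legitimate traffic: every host sends again along the same path
    legit_pass = sum(hcf_verdict(table, s, t) == "match" for s, t in hosts) / len(hosts)
    # an attacker 18 hops from the victim (initial TTL 128, so TTL_final 110)
    # spoofs every learned address in turn; only addresses whose real hop
    # count is also 18 slip through, the residual miss rate the paper discusses
    spoofed = [(s, 110) for s, _ in hosts]
    spoof_missed = sum(hcf_verdict(table, s, t) == "match" for s, t in spoofed) / len(spoofed)
    unknown = hcf_verdict(table, "192.0.2.9", 110)  # address never seen in peacetime
    return {"legit_pass": legit_pass,      # 1.0
            "spoof_missed": spoof_missed,  # 3/40 = 0.075
            "unknown": unknown}


if __name__ == "__main__":
    print(run_demo())
```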
Preconditions to ensure the effectiveness of the algorithm
The effectiveness of the algorithm rests on the following two prerequisites:
(1) Verification of the stability of Hop-count
Over more than 50 days starting on September 1, 2004, more than 9000 one-way path measurements, randomly selected from traceroute data collected every 10 minutes from 113 network hosts, were analyzed. Fewer than 5% of the paths changed their hop count value more than 3 times.
This experiment shows that the Hop-count between hosts on the Internet is stable enough to support the effective operation of the HCF algorithm.
(2) Verification of distribution characteristics of Hop-count
The distribution of Hop-count values must satisfy certain characteristics for the system to be able to distinguish illegal spoofed IP packets through the correspondence between source IP and Hop-count. Figure 3 shows the statistical distribution of Hop-count for the Yahoo website, and Figure 4 the distribution of hop counts at a traceroute gateway at Stanford University.

Fig. 3. The statistical distribution of Hop-count on the Yahoo website.

Fig. 4. The statistical distribution of hop count at a traceroute gateway of Stanford University.
Based on statistics of the Hop-count values of visitors to multiple traceroute gateways on the Internet, we found the following statistical characteristics:
(1) The distribution of Hop-count values is Gaussian.
(2) The statistical average of Hop-count values generally falls between 14 and 19 hops.
(3) The standard deviation of the Hop-count value is 3 to 5 hops.
(4) The number of IP addresses with the same Hop-count value is generally no more than 10%.
This distribution meets the requirements for the HCF algorithm to be effective.
The algorithm compares the actual number of routing hops of each packet (calculated from the TTL value in the packet) with the reference value in the Hop-count table established in advance by the system to determine the validity of the packet. A remote attacker cannot match the appropriate initial TTL value to each randomly generated false IP address, so it cannot evade detection by disguise. According to statistics, fewer than 10% of the packets in the attack data stream are missed by HCF, namely those whose random IP address happens to have the same Hop-count as the real source.
For packets sent by legitimate users, the Hop-count calculated from the source IP and TTL values is consistent with the value in the comparison table, so almost 100% of them pass the HCF filter.
Based on the above analysis, the HCF algorithm performs very well in defending against IP Spoof DDoS attacks: it keeps the false alarm rate close to zero and the missed detection rate within a tolerable range, no more than 10% and in many cases as low as 5%. If appropriate methods are used to combine it with traditional defense means (such as SYN cookies, load balancing, etc.), the working efficiency of the traditional defense methods can be improved by 10 to 20 times. These questions are worth further study in the future.
Experiment result and analysis
In this experiment, two attack hosts are used to simulate a large-scale distributed denial of service attack. TFN2K and two modified versions of TFN2K are used to test the defense performance of the IPS system prototype, and the test results are analyzed.
System defense against unknown Spoof IP DDoS attack tools
In this experiment, TFN2K and its modified version v1.0 are used to test the effectiveness of the IPS system and the impact of unknown attack software on its defense performance. SYN flood, UDP flood and ICMP flood are used.
Table 1 shows that the IPS system has an obvious defense effect against the IP Spoof DDoS attack launched by TFN2K. After the IPS system is started, the remote client's access delay to the victim host is not noticeable.
Table 1. The comparison of attack and defense performance of TFN2K and TFN2K modified v1.0.
Because the IPS design and implementation in this paper uses defense technology based on behavior patterns and does not target specific attack software, the experimental data in the table above show that the IPS is still effective against unknown attacks.
In this experiment, TFN2K modified v1.1 is used to examine the impact of the distribution characteristics of the attacking hosts on the defense performance of the IPS system, and the experimental results are analyzed. The purpose is to simulate the defense capability of the IPS system when a large number of real network hosts attack the victim, and to observe how an increase in the number of attacking hosts affects that capability.
In this part, six control experiments were conducted. Each experiment fills the TTL field of the attack packets with different data, so that the TTL values of the packets received by the IPS system appear randomly, with essentially equal probability, within the following set:
The experimental results are shown in Table 2. Analysis of the experimental data shows that the IPS system filtered the attack traffic well in all six experiments. However, as the distribution of attack sources widens, more and more legitimate users' network access is affected; in the last round, even the ICMP packets used to measure response time were filtered out by the IPS system.
Table 2. The impact of distribution characteristics of attack hosts on IPS system defense performance.
In the control experiment, the virtual attack network covered 80 of the 100 TTL values possible under the current network conditions. According to a rough estimate, an attacker would have to control at least 500 attack hosts to launch such an attack.
With the spread of the COVID-19 epidemic, governments have placed higher requirements on network security and reliability, since the movement of people is managed and information is released through network systems. The experiments show that the intrusion prevention system based on state switching and a hierarchical protection strategy has a good defense effect against Spoof IP DDoS attacks. Although the IPS prototype showed some unsatisfactory aspects in this experiment, it is very effective in most cases, and the impact on legitimate users' network access when the attack hosts are widely distributed was expected in advance, mainly because the prototype implements a simplified version of the three-tier defense strategy model proposed in this paper. As discussed in the previous section, the deep defense algorithm based on HCF is not sensitive to the network distribution of the attacking hosts, and in all cases its impact on the network access of legitimate users is no more than 10%. It can therefore be predicted that a complete three-tier defense strategy model would solve the problems seen in this experiment. The work has some reference value for improving the reliability of network management systems under the influence of the COVID-19 epidemic.
Acknowledgments
This paper is supported by Key Project of Natural Science Research for Universities of Anhui Province (No. KJ2018A0448), and Professor (Doctoral) Research Project of Suzhou University (No. 2015jb14).
