Conference: Computer Security Applications Conference, 2009. ACSAC '09

RAD: Reflector Attack Defense Using Message Authentication Codes


Abstract

Reflector attacks are a variant of denial-of-service attacks that use unwitting, legitimate servers to flood a target. The attacker spoofs the target's address in legitimate service requests, such as TCP SYN packets. The servers, called "reflectors," reply to these requests, flooding the target. RAD is a novel defense against reflector attacks. It has two variants -- locally-deployed (L-RAD) and core-deployed (C-RAD). Local RAD uses message authentication codes (MACs) to mark outgoing requests at their source, so the target of a reflector attack can differentiate between replies to legitimate and spoofed requests. MACs can be validated either at the target machine or on a gateway router at the target's network. Core RAD, which is deployed at the AS level, handles larger attacks that overwhelm L-RAD. The source AS marks each packet it sends with a hash message authentication code (HMAC) and core ASes filter packets that carry incorrect HMACs. C-RAD prevents reflector attacks by filtering spoofed requests, rather than filtering reflected replies. We tested both variants using the DETER testbed by replaying backbone traces from the MAWI project archive in a congestion-responsive manner. Our tests show that Local RAD is better than the no-defense case, but gets overwhelmed when the attack exceeds the target's network capacity. Core-deployed RAD successfully handles attacks of all rates.
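The Local RAD marking and validation step described in the abstract, as an added Python example that is not code from the paper. It assumes the mark is a 32-bit truncated HMAC-SHA256 over the flow 4-tuple carried in the TCP initial sequence number and echoed back in the SYN-ACK acknowledgment number; the key, addresses and function names are constructed.

```python
import hashlib
import hmac
import socket
import struct

MASK32 = 0xFFFFFFFF
KEY = b"constructed-demo-key"  # constructed secret held by the protected host or its gateway


def mark(src_ip, src_port, dst_ip, dst_port, key=KEY):
    """32-bit MAC over the request's 4-tuple (assumed to ride in the SYN sequence number)."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HH", src_port, dst_port))
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def make_syn(src_ip, src_port, dst_ip, dst_port, key=KEY):
    """Outgoing request marked at its source."""
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "seq": mark(src_ip, src_port, dst_ip, dst_port, key)}


def reflect(syn):
    """What any ordinary server does with a SYN: reply to the claimed source with ack = seq + 1."""
    return {"src_ip": syn["dst_ip"], "src_port": syn["dst_port"],
            "dst_ip": syn["src_ip"], "dst_port": syn["src_port"],
            "ack": (syn["seq"] + 1) & MASK32}


def validate_reply(reply, key=KEY):
    """Run at the target or its gateway: recompute the mark for the request this reply
    claims to answer and compare in constant time. A 32-bit mark leaves a 2**-32
    chance per packet that a blind guess passes."""
    expected = (mark(reply["dst_ip"], reply["dst_port"],
                     reply["src_ip"], reply["src_port"], key) + 1) & MASK32
    return hmac.compare_digest(struct.pack("!I", expected),
                               struct.pack("!I", reply["ack"] & MASK32))


if __name__ == "__main__":
    # Constructed traffic: the target is 192.0.2.10, the reflector is 198.51.100.5.
    legit = make_syn("192.0.2.10", 40000, "198.51.100.5", 80)
    # Spoofed request: same claimed source, but the sender does not know KEY.
    spoofed = dict(legit, seq=0x12345678)
    for name, syn in (("legitimate", legit), ("spoofed", spoofed)):
        verdict = "accept" if validate_reply(reflect(syn)) else "drop"
        print(f"reply to {name} request: {verdict}")
```

Validation here still happens on the target's side of its access link, which matches the abstract's observation that Local RAD is overwhelmed once the reflected traffic exceeds the target's network capacity.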
