
CN116633665A - Mixed attack tracing method and system for address spoofing - Google Patents


Info

Publication number: CN116633665A
Application number: CN202310732358.2A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Language: Chinese (zh)
Inventors: 刘颖, 张维庭, 汪润虎, 董平, 张宇阳, 周华春
Applicant and assignee: Beijing Jiaotong University

Classifications

    • H04L63/1458 Network security; countermeasures against malicious traffic; denial of service
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; specification of modified or new header fields
    • H04L69/22 Parsing or analysis of headers
    • H04L9/3239 Cryptographic mechanisms for message authentication using non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/40 Network security protocols
    • H04L2463/146 Tracing the source of attacks
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention provides a hybrid attack-tracing method and system for address spoofing, in the technical field of Internet communication security. Packets sent by an attacker are marked with the globally unique identifier and forwarding port of each switch they traverse: the IP Option field stores the attack-path information, and the Identification and Fragment fields store the marked attack-source location information; both marks are inserted into the packet. When a DDoS attack is detected, the collected packets carrying different mark information are extracted and aggregated, and the attack is traced to obtain the attack path and the attack-source address. The invention can effectively recover the attacker's path and location; path reconstruction needs few packets and little computation; repeated marking by switches is avoided, so the marks written by upstream routers are not overwritten; the path-recording mode of tracing is fast; and bandwidth requirements are reduced without exposing the network topology.

Description

Hybrid attack tracing method and system for address spoofing

Technical field

The invention relates to the technical field of Internet communication security, and in particular to a hybrid attack-tracing method and system for address spoofing in a programmable network, based on path recording and address-fragment marking.

Background

Trusted network communication is one of the core technical directions for future networks and a long-standing problem for academia and industry. The Internet Protocol (IP) address is the core element of the current IP network architecture. As network communication evolves towards ubiquitous access and open networks, address spoofing has become a major obstacle to the development of trusted communication. Address spoofing has several prominent characteristics: the attacker's identity and location are unknown, accountability after the fact is difficult, and attack traffic can be reflected and amplified.

Most existing DDoS defence solutions for software-defined networking (SDN) analyse local traffic features within a single domain for centralised, single-point detection, and mitigate the attack by blocking the DDoS traffic already present.

To hide their real identity, attackers usually launch DDoS attacks on a target host with forged source IP addresses. Current DDoS defences fall into two types. The first responds immediately once an attack is detected (dropping packets, blocking ports, and so on). It reacts quickly, but because it cannot locate the attacker's real position by parsing the source IP address in the packets, it cannot block the attack at its root. The second first traces the attack after detection and then defends at the attack source according to the tracing result. DDoS attack tracing is the process by which the victim determines, by some method, the origin and propagation path of the attack packets; it is feasible because the path along which a packet is forwarded through the network cannot be forged. Once DDoS detection reports an attack, the victim uses tracing to reconstruct the attack path or locate the attack source, blocking the attack at its root and recovering the path; this is an important part of a DDoS defence system. The real attack source can therefore be tracked by reconstructing the attack path. Based on the tracing result, the victim can then deploy a DDoS mitigation strategy to limit the attack's impact, and the attacker can be held accountable.

Traditional IP-marking algorithms insert the IP address or identifier of each router traversed into a free field of the packet header as the packet is forwarded, covering in turn all routers from the attacker to the victim. Once the victim has collected enough packets, it reconstructs the attack path from the mark information stored in them.

Log-based DDoS tracing. The idea is that as packets traverse the network, each router records information about them in a routing log. When the victim detects an attack, it sends queries to upstream routers and, using the information stored on each router, recursively identifies the routers the packets passed through, forming the attack route and finally locating the attack source. Router logging can in theory trace a single-packet attack and can be applied to (D)DoS tracing, but it places heavy demands on router storage: on today's high-speed links routers would have to store enormous amounts of information, at high cost. The earliest log-based IP traceback recorded partial information about every packet in the forwarding device and queried packets through a data-link identification mechanism to trace the attack path back; it needed roughly 60 bytes of storage per packet, an excessive storage overhead for the forwarding device (router). To compress the space needed, such methods mostly store packet digests using hash functions or Bloom filters. The classic example is the hash-based Source Path Isolation Engine (SPIE): each router extracts the invariant part of the forwarded IP header and the first 8 bytes of the payload, computes a digest over them and stores it in a Bloom filter. When tracing, the victim queries the digests kept by each router in turn to determine the path the attack packets took. However, this method does not support IPv6, is not suited to networks spanning multiple autonomous systems, and cannot trace attacks launched through stepping stones or botnets back to their source. It requires routers to record large amounts of data, which increases router overhead and reduces router performance.

The storage space and computation required by the log-based tracing method above are excessive. Because router storage is limited, packets passing through a router cannot be recorded indefinitely; when the storage limit is reached the log is flushed, so the method's tracing is time-limited. Logging also carries a security risk: if a router is compromised, the attacker can modify or delete log records at will, making tracing impossible.

Link-testing DDoS tracing. The basic idea is that when the victim detects an attack, it starts at the routers near the victim and tests the upstream links one by one until it finds the router at the attack source. Link testing can only be carried out while the attack is in progress; when the attack has ended or is intermittent, the tracing task cannot be completed. Link-testing methods include input debugging and controlled flooding. In input debugging, the victim, on detecting an attack, extracts certain features of the attack packets and sends them to the network administrator, who installs an input debugger able to report which router the attack packets pass through and to determine whether a given router lies on the attack path. Input debuggers are then installed on successive upstream routers until the attack source is found. Controlled flooding tests links by flooding: using a predefined ISP map, the victim iteratively floods packets towards its upstream routers and observes the effect of this traffic on the attack flow; this recursive process reveals whether each upstream router lies on the attack path. The method is strictly limited to the duration of the attack; once the attack stops or is interrupted, DDoS tracing cannot be completed.

The link-testing tracing methods above require cooperation among multiple ISPs, which is hard to arrange, and have high resource overhead. Controlled flooding is itself a form of DoS attack, requires prior knowledge of the network topology and a long-lasting attack, and is not suited to DDoS attacks.

Summary of the invention

The purpose of the present invention is to provide a hybrid attack-tracing method and system for address spoofing in a programmable network, based on path recording and address-fragment marking. It uses a specific switch identifier and fragments of an address to write marks into packets and overwrite certain header fields, so as to track the forwarding path of attack traffic and locate the source of a network attack. The hybrid tracing method recovers the attacker's location and attack path precisely, reduces the number of packets needed to reconstruct the attack path, and improves the network's defence against spoofed-address attacks, solving at least one of the technical problems described in the background above.

To achieve the above object, the present invention adopts the following technical solutions:

In a first aspect, the present invention provides a hybrid attack-tracing method for address spoofing, comprising:

marking the packets sent by an attacker with the globally unique identifier and forwarding port of each switch, using the Option field to store attack-path information and the Identification and Fragment fields to store marked attack-source location information, and inserting the attack-path mark and the attack-source location mark into the packet;

when a DDoS attack is detected, extracting and aggregating the collected packets carrying different mark information, then tracing the attack to obtain the attack path and the attack-source address.

Optionally, the IP packet header is rewritten: the Differentiated Services (DiffServ) field of the IP header is used to extend the traffic-tracing function, selecting between recording attack-path information and locating the attack-source address.

Optionally, the reserved and option fields of the IP header store the mark information of the switches traversed between attacker and victim. MarkHeader is a protocol header added to the packet header. SwitchID is the switch's global identifier field, identifying the switch a packet passes through during forwarding; Eport is the forwarding-port field, identifying the port on which the switch forwards the packet; SwitchID and Eport together record the packet's forwarding path. HOP_COUNT is the forwarding hop-count field, a counter maintained in the telemetry header that counts the marked forwarding hops from the switch that embedded the telemetry header to the current switch. Max_HOPS is the maximum hop-count field, a constant declaring the maximum number of hops the path-recording function will record; once this value is exceeded, switches no longer record path information.

Optionally, the attack-source locating function uses free fields of the IP header for four mark fields. Fragment holds one fragment of the split IP address; all fragments have equal length. Offset (the fragment offset) holds the position of the fragment within the address. HopCount is the forwarding hop-count field. Hash holds the hash value obtained by applying a hash function to the IP address, used to verify the integrity of the address reassembled from its fragments.

Optionally, the marking process for attack-path recording is as follows: on each switching device, the switch identifier and forwarding port are inserted as path information into the reserved part of the packet's Option field; at every switch between attacker and victim, the switch selects its device identifier according to the marking rule and inserts it into the packet, until the whole forwarding path from attacker to victim has been traversed.

Optionally, the marking process for identity and location positioning is as follows. During attack-source location marking, the forwarding device reads the DiffServ field, matches the flow table and probabilistically marks the packets that match. Forwarding devices take one of two roles: marking node or intermediate node.

If the DiffServ field has not been modified, then for a packet that requires fragment marking the switch extracts the IP source address, splits it into equal-length fragments fragment_i and computes the offset offset_i of each address fragment;

next, the switch hashes the IP source address and truncates the result to a fixed number of bits as the hash field;

finally, as to storage locations, the 15-bit hash field and the high bit of offset_i are written into the 16-bit Identification field, the low bit of offset_i into the low bit of the Flags field, and fragment_i into the 13-bit Fragment Offset field;

If the DiffServ field has already been modified, that is, DiffServ parses as the fragment-marking service (0xC), the packet has already been marked by an upstream switch on the forwarding path; the current switch performs no fill operation and only updates the forwarding hop count HopCount.

Optionally, during transmission of a packet under path recording, the starting switch embeds a telemetry header containing the telemetry instruction in the packet and then writes the telemetry metadata <SwitchId, Eport> into the Option field of the IP header; each intermediate switch, on recognising the telemetry header, appends its local identifier <SwitchId, Eport> to the existing path record and updates the hop-count field; at the last-hop switch, the path record carried in the packet is offloaded and reported to the controller;

In path reconstruction, the switch first reads the value of the DiffServ field, extracts the Option field from packets under the path-recording policy and parses the data in the option stack; then the metadata entries are popped from the stack in turn and the carried switch identifiers <SwitchId, Eport> are read in order; together with HopCount this yields the traced path from nearest to farthest.
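Path recording end to end, as an added Python example that is not the patent's own code: the first switch opens the record, every switch pushes its <SwitchId, Eport> onto the Option-field stack and bumps HOP_COUNT until Max_HOPS is reached, the last hop offloads the record, and the controller pops the stack to list the path nearest-first. The page does not give field widths or the DiffServ value that selects the path-record service, so the example assumes a 4-byte MarkHeader (8-bit HOP_COUNT, 8-bit Max_HOPS, 16 reserved bits), 4-byte entries (24-bit SwitchId, 8-bit Eport) and DSCP 0x8, and derives Max_HOPS from the 40-byte IPv4 option limit that any real deployment must respect. The packet is modelled as a dict standing in for the header; the switch identifiers and ports are constructed values.

```python
import struct

# Assumed layout (the page names the fields but not their widths):
# MarkHeader = HOP_COUNT (8 bits) | Max_HOPS (8 bits) | reserved (16 bits);
# one entry per hop = SwitchId (24 bits) | Eport (8 bits).
# IPv4 options are limited to 40 bytes (60-byte max header minus the 20-byte
# fixed part), so Max_HOPS is derived from that hard limit.
DIFFSERV_PATHREC = 0x8              # assumed DSCP value selecting the path-record service
OPTION_MAX_BYTES = 40
MARK_HEADER_FMT = ">BBH"
ENTRY_FMT = ">I"
MARK_HEADER_LEN = struct.calcsize(MARK_HEADER_FMT)
ENTRY_LEN = struct.calcsize(ENTRY_FMT)
MAX_HOPS = (OPTION_MAX_BYTES - MARK_HEADER_LEN) // ENTRY_LEN   # 9 entries fit


def build_option(hop_count, entries):
    """Serialise MarkHeader plus the <SwitchId, Eport> stack into the Option field."""
    if hop_count != len(entries) or hop_count > MAX_HOPS:
        raise ValueError("hop count inconsistent with recorded entries")
    body = struct.pack(MARK_HEADER_FMT, hop_count, MAX_HOPS, 0)
    for switch_id, eport in entries:
        if not (0 <= switch_id < 1 << 24 and 0 <= eport < 1 << 8):
            raise ValueError("SwitchId/Eport out of range")
        body += struct.pack(ENTRY_FMT, (switch_id << 8) | eport)
    if len(body) > OPTION_MAX_BYTES:
        raise ValueError("option stack exceeds IPv4 option space")
    return body


def parse_option(data):
    """Inverse of build_option: return (hop_count, [(SwitchId, Eport), ...])."""
    hop_count, _max_hops, _reserved = struct.unpack_from(MARK_HEADER_FMT, data, 0)
    entries = []
    for i in range(hop_count):
        (value,) = struct.unpack_from(ENTRY_FMT, data, MARK_HEADER_LEN + i * ENTRY_LEN)
        entries.append((value >> 8, value & 0xFF))
    return hop_count, entries


def forward(pkt, switch_id, eport):
    """One switch's action on a packet (pkt is a dict standing in for the IP header).

    Starting switch: tag DiffServ and open an empty record.  Every switch: push its
    own <SwitchId, Eport> and bump HOP_COUNT, unless Max_HOPS is already reached,
    in which case the existing record is carried on unchanged.
    """
    if pkt["diffserv"] != DIFFSERV_PATHREC:
        pkt["diffserv"] = DIFFSERV_PATHREC
        hop_count, entries = 0, []
    else:
        hop_count, entries = parse_option(pkt["options"])
    if hop_count < MAX_HOPS:
        entries.append((switch_id, eport))
        hop_count += 1
    pkt["options"] = build_option(hop_count, entries)
    return pkt


def offload(pkt):
    """Last-hop switch: strip the record from the packet and hand it to the controller."""
    record = pkt["options"]
    pkt["options"], pkt["diffserv"] = b"", 0
    return record


def reconstruct_path(record):
    """Controller: pop the stack so the last writer (nearest the victim) comes first.

    Returns [(distance, SwitchId, Eport), ...] with distance 1 = last recorded hop.
    """
    hop_count, entries = parse_option(record)
    return [(i + 1, sid, ep) for i, (sid, ep) in enumerate(reversed(entries))]


def run_path(switches):
    """Simulate one packet crossing `switches` (attacker side first) and trace it back."""
    pkt = {"diffserv": 0, "options": b""}
    for switch_id, eport in switches:
        forward(pkt, switch_id, eport)
    return reconstruct_path(offload(pkt))


if __name__ == "__main__":
    # Constructed three-hop path: 0x000301/port 2 -> 0x000202/port 5 -> 0x000101/port 1 -> victim
    print(run_path([(0x000301, 2), (0x000202, 5), (0x000101, 1)]))
```

Because the record is capped by refusing new entries once Max_HOPS is reached, a path longer than the cap loses its near end: the controller's distance 1 is then the last switch that managed to write, not the switch adjacent to the victim (a 12-hop run keeps switches 1 to 9 and drops 10 to 12). With the assumed 4-byte entries the cap is 9 hops; narrower identifiers buy more hops only within the same 40 bytes.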

Optionally, the reconstruction process for identity and location positioning comprises:

For reassembling address fragments, first extract the fragments whose distance field has the same value; for those fragments, use the hash field value to distinguish switch identities, obtaining fragment digests with the same forwarding distance but from different switches;

Splice the fragment digests by forwarding distance, starting with distance 1; for fragment digests with the same hash value, reorder the fragments by the value of their offset field;

Once all fragments have been obtained and ordered, that is, the complete IP address is available, perform an address check; an IP address whose check result matches is written into the traced forwarding-path set, indicating that the path of this marked packet includes this switch;

After the digests at the same distance have been spliced, increase the distance by one and continue splicing fragments for the previous-hop node, completing the path reconstruction up to the farthest node on the path;

After all attack-source IP addresses have been collected, output the nodes of the forwarding-path set in order of forwarding distance.

Optionally, address checking works as follows: the reassembled IP address is hashed; by the property of a hash function, the same IP address produces the same hash output, so after truncating this hash to the same number of bits it is compared with the hash value attached to the IP address fragments.
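The fragment-marking steps (fragment, offset and truncated hash packed into Identification, Flags and Fragment Offset; intermediate nodes only bumping HopCount) and the reassembly steps above (group by distance, separate by hash, order by offset, splice, check the hash) carried through end to end, as an added Python example that is not the patent's own code. The page fixes the field widths but not the fragment count, the hash function or where HopCount is stored, and it calls the fragmented value the IP source address while the reassembly uses the reassembled address to identify a switch on the path; the example therefore fragments the marking switch's own address into four 8-bit pieces (the count a 2-bit offset allows), uses SHA-256 truncated to 15 bits, keeps HopCount as its own header field and models the header as a dict. The switch addresses, the marking probability and the spoofed source address are constructed values.

```python
import hashlib
import random
from collections import defaultdict

# Assumptions: a 32-bit IPv4 address is split into 4 fragments of 8 bits, which is
# what a 2-bit offset (1 bit in Identification, 1 bit in Flags) can index; the hash
# is SHA-256 truncated to 15 bits; HopCount is kept as a separate header field.
DIFFSERV_FRAGMARK = 0xC          # value the page gives for the fragment-marking service
FRAG_BITS = 8
N_FRAGS = 32 // FRAG_BITS
HASH_BITS = 15


def ip_to_int(ip):
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def addr_hash(addr):
    """Non-keyed hash of the address truncated to HASH_BITS bits (the Hash field)."""
    digest = hashlib.sha256(addr.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big") >> (16 - HASH_BITS)


def new_packet(src):
    """Header fields the scheme touches; `src` may be spoofed and is never trusted."""
    return {"src": src, "diffserv": 0, "identification": 0, "flags": 0b010,
            "fragment_offset": 0, "hop_count": 0}


def mark(pkt, switch_ip, p_mark, rng=None):
    """One switch's action on a packet.

    Intermediate node (already marked): only increment HopCount, so the upstream
    mark is never overwritten.  Marking node (DiffServ untouched, packet selected
    with probability p_mark): write one fragment of the switch address, its offset
    and the truncated hash into Identification / Flags / Fragment Offset.
    """
    rng = rng or random
    if pkt["diffserv"] == DIFFSERV_FRAGMARK:
        pkt["hop_count"] += 1
        return pkt
    if rng.random() >= p_mark:
        return pkt
    addr = ip_to_int(switch_ip)
    i = rng.randrange(N_FRAGS)                                   # fragment this packet carries
    fragment = (addr >> (32 - FRAG_BITS * (i + 1))) & ((1 << FRAG_BITS) - 1)
    pkt["identification"] = (addr_hash(addr) << 1) | (i >> 1)   # 15-bit hash | offset high bit
    pkt["flags"] = (pkt["flags"] & 0b110) | (i & 1)              # offset low bit into the MF bit
    pkt["fragment_offset"] = fragment                            # fits the 13-bit field
    pkt["diffserv"] = DIFFSERV_FRAGMARK
    pkt["hop_count"] = 1                                         # distance counted from here
    return pkt


def reconstruct(packets):
    """Victim: group by distance, then by hash, order by offset, splice and verify."""
    by_dist = defaultdict(lambda: defaultdict(dict))
    for p in packets:
        if p["diffserv"] != DIFFSERV_FRAGMARK:
            continue
        h = p["identification"] >> 1
        offset = ((p["identification"] & 1) << 1) | (p["flags"] & 1)
        by_dist[p["hop_count"]][h][offset] = p["fragment_offset"] & ((1 << FRAG_BITS) - 1)
    path = []
    for dist in sorted(by_dist):                 # distance 1 first, then one hop farther
        for h, frags in by_dist[dist].items():
            if len(frags) < N_FRAGS:             # not every fragment has arrived yet
                continue
            addr = 0
            for i in range(N_FRAGS):             # reorder by offset and splice
                addr = (addr << FRAG_BITS) | frags[i]
            if addr_hash(addr) == h:             # address check against the carried hash
                path.append((dist, int_to_ip(addr)))
    return path


def simulate(n_packets, p_mark=0.3, seed=1):
    """Constructed scenario: spoofed packets cross three switches before the victim."""
    switches = ["10.0.3.1", "10.0.2.1", "10.0.1.1"]   # attacker side first
    rng = random.Random(seed)
    delivered = []
    for _ in range(n_packets):
        pkt = new_packet("198.51.100.77")             # spoofed source address
        for sw in switches:
            mark(pkt, sw, p_mark, rng)
        delivered.append(pkt)
    return delivered


if __name__ == "__main__":
    print(reconstruct(simulate(2000)))
```

Two caveats a deployment has to handle that the page does not mention: overwriting Identification, Flags and Fragment Offset corrupts any packet that is genuinely fragmented, so marking must be restricted to packets with a zero fragment offset and the DF bit set (the same limitation as earlier probabilistic packet-marking schemes that reuse these fields); and a 15-bit truncated hash can collide between two switches at the same distance, in which case their fragments are spliced together and the address check catches the mis-splice only when the resulting hash happens to differ.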

In a second aspect, the present invention provides a hybrid attack-tracing system for address spoofing based on the method described above, comprising:

a marking module, for marking the packets sent by an attacker with the globally unique identifier and forwarding port of each switch, using the Option field to store attack-path information and the Identification and Fragment fields to store marked attack-source location information, and inserting the attack-path mark and the attack-source location mark into the packet;

a tracing module, for extracting and aggregating the collected packets carrying different mark information when a DDoS attack is detected, tracing the attack and obtaining the attack path and the attack-source address.

In a third aspect, the present invention provides a non-transitory computer-readable storage medium storing computer instructions which, when executed by a processor, implement the hybrid attack-tracing method for address spoofing described above.

In a fourth aspect, the present invention provides a computer program product comprising a computer program which, when run on one or more processors, implements the hybrid attack-tracing method for address spoofing described above.

In a fifth aspect, the present invention provides an electronic device comprising a processor, a memory and a computer program, where the processor is connected to the memory, the computer program is stored in the memory, and when the device runs the processor executes the computer program stored in the memory so that the device carries out the instructions implementing the hybrid attack-tracing method for address spoofing described above.

Beneficial effects of the invention: the hybrid tracing method for address spoofing can effectively recover the attacker's attack path and location; path reconstruction needs few packets and little computation; repeated marking by switches is avoided, so the marks of upstream routers are not overwritten; the path-recording mode of tracing is fast; the information marked into packets is switch identification rather than the packet's IP address; and the network topology need not be exposed, while bandwidth requirements are reduced.

Advantages of additional aspects of the invention will be given in part in the description below, or may be learned by practice of the invention.

Description of drawings

To describe the technical solutions of the embodiments more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could derive other drawings from them without creative effort.

FIG. 1 is a functional structure diagram of the DiffServ field of the IP header according to an embodiment of the invention.

FIG. 2 is a schematic diagram of rewriting marking information into the optional field (Option field) of the IP header according to an embodiment of the invention.

FIG. 3 is a field structure diagram of IP address fragmentation according to an embodiment of the invention.

FIG. 4 is a schematic diagram of the packet marking process according to an embodiment of the invention.

FIG. 5 is a schematic diagram of the assembly process for packet fragment marks according to an embodiment of the invention.

FIG. 6 is an example flow chart of the address-spoofing-oriented hybrid attack tracing method according to an embodiment of the invention.

Detailed description

Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, where the same or similar reference numerals denote the same or similar elements or elements with the same or similar functions throughout. The embodiments described below with reference to the drawings are exemplary and serve only to explain the invention; they are not to be construed as limiting it.

Unless otherwise defined, all terms used herein (including technical and scientific terms) have the meaning commonly understood by a person of ordinary skill in the art to which the invention belongs.

Unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should further be understood that the term "comprising" used in this description denotes the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements and/or groups thereof.

To facilitate understanding, the invention is further explained below with specific embodiments and with reference to the drawings; the specific embodiments do not limit the embodiments of the invention.

It should be understood that the drawings are only schematic diagrams of the embodiments, and the components in the drawings are not necessarily required to implement the invention.

Embodiment 1

Embodiment 1 first provides a hybrid attack tracing system for address spoofing, comprising: a marking module, which marks the packets sent by the attacker with the globally unique number and the forwarding port of each switch, stores attack-path information in the optional field and attack-source location information in the identification and fragment fields, and thereby inserts both the attack-path mark and the attack-source location mark into the packet; and a tracing module, which, when DDoS is detected, extracts and aggregates the collected packets carrying the different marking information and traces the attack to obtain the attack path and the attack source address.

Embodiment 1 uses the system above to implement the address-spoofing-oriented hybrid attack tracing method: the marking module marks the packets sent by the attacker with the globally unique number and the forwarding port of each switch, stores attack-path information in the optional field and attack-source location information in the identification and fragment fields, and inserts both marks into the packet; when DDoS is detected, the tracing module extracts and aggregates the collected packets carrying the different marking information and traces the attack to obtain the attack path and the attack source address.

In Embodiment 1 the DiffServ field design follows the existing IP packet header format specification. Packets sent by the attacker are marked with the globally unique number and the forwarding port of each switch; the optional field stores the marked path information, and the identification and fragment fields store the address fragment information. The IP packet header is first rewritten, using the DiffServ field of the IP header to add the traffic tracing function.

The reserved field and the option field of the IP packet header store the marking information of the switches traversed between attacker and victim. MarkHeader is a protocol header added to the packet header. SwitchID is the global identifier field of the switch, identifying the switch the packet passes through during forwarding. Eport is the forwarding port field, identifying the port on which the switch forwards the packet; SwitchID and Eport together record the packet's forwarding path. HOP_COUNT is the forwarding hop count field, a counter maintained in the telemetry header that counts the marked forwarding hops from the switch that embedded the telemetry header to the current switch. Max_HOPS is the maximum forwarding hop count field, a constant declaring the maximum number of hops for the path record function; once it is exceeded, switches no longer record path information.

The attack-source address location function uses spare fields of the IP packet header for four padding mark fields: Fragment holds one fragment of the split IP address, all fragments being of equal length; Offset, the fragment offset field, holds the position of the fragment within the IP address; HopCount is the forwarding hop count field; Hash holds the hash value obtained by running the IP address through a hash function, used to verify the integrity of the IP address reassembled from the fragments.

The marking process for the attack path record: on a switching device, the switch identifier and forwarding port are inserted as path information into the reserved part of the optional field of the packet; each switch passed between attacker and victim selects its own identifier according to the marking rules and inserts it into the packet, until the forwarding path from attacker to victim has been traversed.

The marking process for identity location: during attack-source location marking, the forwarding device reads the DiffServ field, matches it against the flow table and probabilistically marks the matching packets; forwarding devices take one of two roles, marking node or intermediate node.

If the DiffServ field has not been modified, then for a packet that needs fragment marking the switch extracts the IP address to be marked (in this scheme the switch's own address, which stands for the attack-source location), splits it into equal-length fragments fragment_i and computes the offset offset_i of each address fragment.

Next, the switch hashes the IP address and truncates the result to a fixed number of bits as the hash field.

Finally, as to storage location, the 15-bit hash field and the high bit of offset_i are written into the 16-bit identification field, the low bit of offset_i into the low bit of the flags field, and fragment_i into the 13-bit FragmentOffset field.

If the DiffServ field has already been modified, that is, DiffServ parses as the fragment marking service (0xC), the packet has already been marked by an upstream switch on the forwarding path; the current switch performs no padding and only updates the forwarding hop count HopCount.

During packet transmission under path recording, the originating switch embeds a telemetry header containing the telemetry instruction into the packet and writes the telemetry metadata <SwitchId, Eport> into the Option field of the IP header; each intermediate switch, on recognizing the telemetry header, appends its local identifier <SwitchId, Eport> to the existing path record and updates the forwarding hop count field; the last-hop switch unloads the path record carried in the packet and reports it to the controller.

In path reconstruction, the switch first identifies the value of the DiffServ field, extracts the Option field from packets under the path record policy and parses the data in the option-field stack; then the metadata entries are popped in turn and the carried switch identifiers <SwitchId, Eport> are read in order, which together with HopCount gives the tracing path from nearest to farthest.

The reconstruction process for identity location comprises:

For reassembly of address fragments, first extract the fragments whose distance field has the same value; among them, use the hash field value to distinguish switches, giving fragment digests that share a forwarding distance but come from different switches;

Splice the fragment digests by forwarding distance, starting from distance 1; for fragment digests with the same hash value, reorder the fragments by the value of their offset field;

When all fragments have been obtained after ordering, that is, when a complete IP address is available, perform an address check and write each IP address that passes into the traced forwarding path set, indicating that the path of this dyed packet includes that switch;

After the digests at the same distance have been spliced, increase the distance by one and continue splicing the fragments of the previous-hop node, until the farthest node on the path, completing the path tracing reconstruction;

After all attack-source IP addresses have been collected, output the nodes of the forwarding path set by forwarding distance.

The address check works as follows: hash the spliced IP address; by the nature of a hash function the same IP address yields the same digest, so the digest, truncated to the same number of bits, is compared with the hash value attached to the IP address fragments.

Embodiment 2

Embodiment 2 addresses the address spoofing problem, in which the attacker's identity and location are unknown and after-the-fact accountability is difficult, by proposing a hybrid tracing method for programmable networks based on path records and address fragment marks. The method uses specific switch identifiers and source address fragments to write marks into packets and overwrite some header fields, in order to track the forwarding path of attack traffic and locate the source of the network attack. The goal is to use the hybrid method to recover the attacker's location and the attack path precisely, reduce the number of packets needed to reconstruct the attack path, and improve the network's defense against spoofed-address attacks.

A switch embeds an encoding of the path information or of its own identity into the data packet; embedding encoded information into packets in this way is referred to collectively below as marking. In this embodiment the DiffServ field design follows the existing IP packet header format specification. Packets sent by the attacker are marked with the globally unique number and the forwarding port of each switch; the optional field stores the marked path information, and the identification and fragment fields store the address fragment information.

The detailed procedure of this embodiment's hybrid tracing method, combining attack path recovery with attack location positioning, is as follows:

First the IP packet header is rewritten, using the DiffServ field of the IP header to add the traffic tracing function. The DiffServ field is 8 bits long; as shown in FIG. 1, 00011000 and 00001100 are set as the two policy modes of the tracing service, for path information recording and source address location respectively.

The path information recording function of this embodiment uses the reserved field and option field (Option field) of the IP packet header to store the marking information of the switches traversed between attacker and victim. The process is shown in FIG. 2; MarkHeader is a protocol header added to the packet header, and its fields are as follows:

SwitchID, 32 bits, the global identifier field of the switch. It identifies the switch the packet passes through during forwarding.

Eport, 32 bits, the forwarding port field. It identifies the port on which the switch forwards the packet; SwitchID and Eport together record the packet's forwarding path.

HOP_COUNT, 16 bits, the forwarding hop count field. A counter maintained in the telemetry header, it counts the marked forwarding hops from the switch that embedded the telemetry header to the current switch.

Max_HOPS, 16 bits, the maximum forwarding hop count field. A constant declaring the maximum number of hops for the path record function; once it is exceeded, switches no longer record path information.

The source address location function of this embodiment uses spare fields of the IP packet header for custom padding mark fields; the four fields are defined as shown in FIG. 3.

Fragment (8 bits): holds one fragment of the split IP address. For feasibility of splitting and reassembly, the invention uses equal-length fragments; for a 4-byte, 32-bit IP address several equal-length splits are possible;

Offset (2 bits): the fragment offset field holds the position of the fragment within the IP address. The number of offset bits needed depends on the number of fragments generated; a 2-bit offset is used here;

HopCount (5 bits): the forwarding hop count field; five bits give 32 values, so the longest representable forwarding path is 32 hops. The forwarding distance field serves to make reconstruction more efficient during tracing.

Hash (15 bits): the hash field. It holds the hash value obtained by running the IP address through a hash function and is used to verify the integrity of the IP address reassembled from fragments. The receiver hashes the reassembled IP address again and judges the validity of the reconstructed address by comparing the two hash results.

In this embodiment, packet marking is performed by the forwarding devices, the switches. The packet marking algorithm implements on each switch the marking function for the corresponding DiffServ value and inserts the attack path and attack-source location marks into packets. The two marking algorithms are shown in FIG. 4.

When the ingress switch connected to the attacker receives the first packet, it first inserts the DiffServ value into the packet, then marks and forwards the packet according to the marking rules. Once the packet is inside the network, the value of its DiffServ field is checked first, and the DiffServ type determines the marking method.
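The ingress rewrite and the DiffServ dispatch described above, worked through on a raw IPv4 header as an added example in Python (this is not the patent's code). It writes the DiffServ byte and the identification, flags and fragment-offset words, recomputes the header checksum that any header rewrite invalidates, and classifies a packet by its DiffServ value the way a switch does on entry. The two DiffServ values are the ones the page assigns (00011000 and 00001100); the sample header, its addresses and the mark values are constructed for the example.

```python
import struct

# DiffServ values the page assigns to the two tracing policies.
DS_PATH_RECORD = 0b00011000   # path information recording
DS_FRAG_MARK = 0b00001100     # source address location (fragment marking)

IPV4_FMT = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words.
    Over a header whose checksum field is already correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def policy_of(header: bytes) -> str:
    """Dispatch on the DiffServ byte, as a switch does when a packet enters."""
    ds = header[1]
    if ds == DS_PATH_RECORD:
        return "path-record"
    if ds == DS_FRAG_MARK:
        return "fragment-mark"
    return "unmarked"


def rewrite_marks(header: bytes, ds: int, ident: int, flags: int, frag_off: int) -> bytes:
    """Return a copy of an IPv4 header with DiffServ, identification, flags (3 bits)
    and fragment offset (13 bits) overwritten and the checksum recomputed.
    Any options already present after the fixed 20 bytes are kept as they are."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    hlen = (header[0] & 0x0F) * 4
    if hlen < 20 or len(header) < hlen:
        raise ValueError("bad IHL")
    ver_ihl, _ds, total_len, _id, _fo, ttl, proto, _csum, src, dst = IPV4_FMT.unpack(header[:20])
    flags_off = ((flags & 0x7) << 13) | (frag_off & 0x1FFF)
    fixed = IPV4_FMT.pack(ver_ihl, ds & 0xFF, total_len, ident & 0xFFFF,
                          flags_off, ttl, proto, 0, src, dst)
    new = fixed + header[20:hlen]
    csum = ipv4_checksum(new)          # over the whole header, options included
    return new[:10] + struct.pack("!H", csum) + new[12:]


def make_header(src: str, dst: str, total_len: int = 60, ttl: int = 64, proto: int = 17) -> bytes:
    """Constructed sample: a plain 20-byte IPv4/UDP header with a valid checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    h = IPV4_FMT.pack(0x45, 0, total_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]


if __name__ == "__main__":
    spoofed = make_header("10.9.8.7", "192.0.2.10")     # constructed spoofed source
    marked = rewrite_marks(spoofed, DS_FRAG_MARK, 0x1234, 0b001, 0x0A21)
    print(policy_of(spoofed), "->", policy_of(marked), "checksum ok:", ipv4_checksum(marked) == 0)
```

Every marking switch has to recompute the header checksum after rewriting, or the next hop drops the packet; rewrite_marks does this over the whole header, options included. Note also that once identification, flags and fragment offset carry marks, the packet looks like an IP fragment to any device outside the programmable domain that reassembles fragments, which is one reason the marks are only meaningful inside the marking domain.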

In this embodiment, for the marking process of the attack path record, on a switching device the switch identifier and forwarding port are inserted as path information into the reserved part of the optional field (Option field) of the packet. Each switch passed between attacker and victim selects its own identifier according to the marking rules of the invention and inserts it into the packet, until the forwarding path from attacker to victim has been traversed. Finally, once the switch at the victim has collected the packets carrying the complete marks, the complete attack path from attacker to victim can be reconstructed from the data stack of the invention. Devices take one of three roles:

During attack path recording, the originating forwarding device inserts the MarkHeader telemetry header into the packet, where HOP_COUNT indicates the number of marked hops and is incremented by 1 each time a forwarding device processes the packet; SwitchID and Eport form the metadata, and the metadata of the MarkHeader is added at the position of the Option field of the packet.

An intermediate forwarding device first updates the MarkHeader with its own device identifier, then writes the metadata of that identifier in the MarkHeader into the Option field.

The terminal forwarding device extracts the metadata stack from the optional field (Option field).

For the marking process of identity location, on the switching device the IP address of the switch serves as the attack-source location and is used to generate fragments. The four designed fields are used to fill the identification field, the fragment offset field and the flag bits of the packet's IP header. The procedure is as follows:

During attack-source location marking, the forwarding device reads the DiffServ field, matches it against the flow table and probabilistically marks the matching packets; forwarding devices take one of two roles, marking node or intermediate node.

If the DiffServ field has not been modified, then for a packet that needs fragment marking the switch takes the IP address to be marked (its own address, standing for the attack-source location), splits it into equal-length fragments fragment_i and computes the offset offset_i of each address fragment.

Next, the switch hashes the IP address and truncates the result to a fixed number of bits as the hash field.

Finally, as to storage location, the 15-bit hash field and the high bit of offset_i are written into the 16-bit identification field, the low bit of offset_i into the low bit of the flags field, and fragment_i into the 13-bit FragmentOffset field.

If the DiffServ field has already been modified, that is, DiffServ parses as the fragment marking service (0xC), the packet has already been marked by an upstream switch on the forwarding path; the current switch performs no padding and only updates the forwarding hop count HopCount.

When the victim detects DDoS with the intra-domain DDoS attack detection algorithm, a server in the victim's domain extracts and aggregates the collected packets carrying the different marking information and begins attack tracing, which is divided into attack path tracing and identity location positioning.

The path reconstruction process of the path record policy is as follows:

During packet transmission under path recording, the originating switch embeds a telemetry header containing the telemetry instruction into the packet, then writes the telemetry metadata <SwitchId, Eport> into the Option field of the IP header. Each intermediate switch, on recognizing the telemetry header, appends its local identifier <SwitchId, Eport> to the existing path record and updates the forwarding hop count field. The last-hop switch unloads the path record carried in the packet and reports it to the controller.

In path reconstruction, the switch first identifies the value of the DiffServ field, extracts the Option field from packets under the path record policy and parses the data in the optional field (Option field) stack.

Then the metadata entries are popped in turn and the carried switch identifiers <SwitchId, Eport> are read in order; together with HopCount this gives the tracing path from nearest to farthest.
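The path-record marking and reconstruction described in Embodiment 1 and again above, as an added example in Python that is not the patent's own code. The originating switch embeds the MarkHeader (HOP_COUNT and Max_HOPS, 16 bits each) and pushes its <SwitchID, Eport> (32 bits each); each intermediate switch pushes its own entry and increments HOP_COUNT, stopping at Max_HOPS; the last hop pops the stack to read the path nearest-first. The page names no IPv4 option type for the MarkHeader, so the type byte 0x9E and the type/length framing are assumptions of this example; the switch identifiers and ports are constructed.

```python
import struct
from typing import List, Tuple

# DiffServ value the page assigns to the path-record policy (00011000).
DS_PATH_RECORD = 0b00011000
# IPv4 option type carrying the MarkHeader. The patent does not name one;
# 0x9E is an assumption of this example.
OPT_TYPE_MARK = 0x9E
# An IPv4 header is at most 60 bytes, 20 of them fixed, so options get 40 bytes.
IPV4_MAX_OPTION_BYTES = 40

COUNTS = struct.Struct("!HH")   # HOP_COUNT (16 bits), Max_HOPS (16 bits)
ENTRY = struct.Struct("!II")    # <SwitchID (32 bits), Eport (32 bits)>


class Packet:
    """Only the parts of the IPv4 header this example touches."""

    def __init__(self) -> None:
        self.diffserv = 0
        self.option = b""        # raw bytes of the MarkHeader option, if any


def _parse(option: bytes):
    """Split a MarkHeader option into (HOP_COUNT, Max_HOPS, [(SwitchID, Eport), ...])."""
    olen = option[1]
    hop, max_hops = COUNTS.unpack_from(option, 2)
    body = option[2 + COUNTS.size:olen]
    entries = [ENTRY.unpack_from(body, i) for i in range(0, len(body), ENTRY.size)]
    return hop, max_hops, entries


def _build(hop: int, max_hops: int, entries) -> bytes:
    body = b"".join(ENTRY.pack(sid, port) for sid, port in entries)
    olen = 2 + COUNTS.size + len(body)
    return bytes([OPT_TYPE_MARK, olen]) + COUNTS.pack(hop, max_hops) + body


def mark_ingress(pkt: Packet, switch_id: int, eport: int, max_hops: int) -> None:
    """Originating switch: set DiffServ, embed the MarkHeader with HOP_COUNT=1
    and push its own <SwitchID, Eport> as the first metadata entry."""
    pkt.diffserv = DS_PATH_RECORD
    pkt.option = _build(1, max_hops, [(switch_id, eport)])


def mark_transit(pkt: Packet, switch_id: int, eport: int) -> bool:
    """Intermediate switch: push its entry and increment HOP_COUNT.
    Returns False, leaving the packet untouched, when the packet is not under
    the path-record policy, Max_HOPS has been reached, or the option would
    exceed the 40-byte IPv4 option space."""
    if pkt.diffserv != DS_PATH_RECORD or not pkt.option:
        return False
    hop, max_hops, entries = _parse(pkt.option)
    if hop >= max_hops:
        return False
    new_option = _build(hop + 1, max_hops, entries + [(switch_id, eport)])
    if len(new_option) > IPV4_MAX_OPTION_BYTES:
        return False
    pkt.option = new_option
    return True


def unload_path(pkt: Packet) -> List[Tuple[int, int]]:
    """Last-hop switch / controller: pop the metadata stack so the path reads
    from the switch nearest the victim back towards the attacker."""
    hop, _, entries = _parse(pkt.option)
    if hop != len(entries):
        raise ValueError("HOP_COUNT %d disagrees with %d recorded entries" % (hop, len(entries)))
    return entries[::-1]


if __name__ == "__main__":
    # Constructed path: s1 (attacker side) -> s2 -> s3 -> s4 -> s5 (victim side)
    pkt = Packet()
    mark_ingress(pkt, 0x0A000001, 3, max_hops=8)
    for sid, port in [(0x0A000002, 7), (0x0A000003, 1), (0x0A000004, 2), (0x0A000005, 9)]:
        print("switch %08x marked: %s" % (sid, mark_transit(pkt, sid, port)))
    print([("%08x" % s, p) for s, p in unload_path(pkt)])
```

With the field widths given on the page (64 bits per entry plus a 4-byte counter header and 2 bytes of option framing) only four hops fit in the 40 bytes of IPv4 option space, so the fifth switch in the constructed path cannot record itself; a deployment that needs longer paths has to shrink SwitchID and Eport or rely on Max_HOPS to bound the record. The consistency check in unload_path catches a record whose HOP_COUNT and entry count disagree, which is what a truncated or tampered option looks like.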

The reconstruction process of identity location is as follows:

(1) For reassembly of address fragments, first extract the fragments whose distance field has the same value; fragments with the same forwarding distance may come from the same switch.

(2) Since there may be several attackers and several forwarding paths, the fragments with the same forwarding distance are further distinguished by the hash field value, because fragments from the same switch carry the same hash value. After these two filtering steps, fragment digests with the same forwarding distance and from different switches are obtained.

(3) Splice these fragment digests by forwarding distance, starting from distance 1. For fragment digests with the same hash value, reorder the fragments by the value of their offset field.

(4) When all fragments have been obtained after ordering, that is, when a complete IP address is available, perform an address check: hash the spliced IP address; by the nature of a hash function the same IP address yields the same digest, so the digest, truncated to the same number of bits, is compared with the hash value attached to the IP address fragments.

(5) Write each IP address that passes the check into the traced forwarding path set, indicating that the path of this dyed packet includes that switch.

(6) After the digests at the same distance have been spliced, increase the distance by one and continue splicing the fragments of the previous-hop node, until the farthest node on the path, completing the path tracing reconstruction.

(7) After all attack-source IP addresses have been collected, output the nodes of the forwarding path set by forwarding distance.
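The fragment marking of the preceding section and reconstruction steps (1) to (7) above (the same procedure Embodiment 1 describes), as one added example in Python that is not the patent's own code. It packs a switch address into the identification, flags and fragment-offset fields with the widths of FIG. 3 (8-bit fragment, 2-bit offset, 5-bit HopCount, 15-bit hash), runs constructed spoofed traffic through a three-switch path, and reassembles and verifies the switch addresses by distance. Assumptions of this example, not fixed by the page: the hash is SHA-256 truncated to 15 bits, HopCount sits in the low 5 bits of the 13-bit FragmentOffset field, the marking switch writes HopCount=1, the no-repeat rule cycles through the four offsets, and the probabilistic marking is replaced by marking every other unmarked packet so the run is reproducible.

```python
import hashlib
import itertools
from collections import defaultdict
from typing import Dict, List, Set, Tuple

DS_FRAG_MARK = 0b00001100        # DiffServ value for source address location (page: 0xC)
FRAG_BITS, OFFSET_BITS, HOP_BITS, HASH_BITS = 8, 2, 5, 15   # widths from FIG. 3
N_FRAGS = 32 // FRAG_BITS        # four 8-bit fragments per IPv4 address
HOP_MAX = (1 << HOP_BITS) - 1

Mark = Tuple[int, int, int]      # (identification, flags, fragment offset) as carried


def addr_hash(ip: int) -> int:
    """15-bit digest of an address. The page fixes the width but not the
    function; SHA-256 truncated to its low 15 bits is this example's choice."""
    digest = hashlib.sha256(ip.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << HASH_BITS) - 1)


def pack_mark(ip: int, offset: int, hop: int) -> Mark:
    """Encode fragment `offset` of `ip` as the text lays it out: identification =
    hash (15 bits) | high bit of offset; flags low bit = low bit of offset;
    FragmentOffset = fragment (8 bits) | HopCount (5 bits). Placing HopCount in
    the low 5 bits of the 13-bit field is an assumption of this example."""
    frag = (ip >> (FRAG_BITS * (N_FRAGS - 1 - offset))) & 0xFF   # offset 0 = first octet
    ident = (addr_hash(ip) << 1) | (offset >> 1)
    flags = offset & 1
    frag_off = (frag << HOP_BITS) | (hop & HOP_MAX)
    return ident, flags, frag_off


def unpack_mark(mark: Mark) -> Tuple[int, int, int, int]:
    """Inverse of pack_mark: (hash, offset, fragment, hop)."""
    ident, flags, frag_off = mark
    return ident >> 1, ((ident & 1) << 1) | (flags & 1), frag_off >> HOP_BITS, frag_off & HOP_MAX


class Switch:
    """A marking-capable switch; its own address is the location that gets marked."""

    def __init__(self, ip: int) -> None:
        self.ip = ip
        self._next_offset = 0    # no-repeat rule, assumed here to be round-robin
        self._seen_unmarked = 0

    def process(self, pkt: dict) -> None:
        if pkt["ds"] == DS_FRAG_MARK:
            # Already marked upstream: only advance HopCount (saturating at 31).
            _, _, frag, hop = unpack_mark((pkt["id"], pkt["flags"], pkt["frag_off"]))
            pkt["frag_off"] = (frag << HOP_BITS) | min(hop + 1, HOP_MAX)
            return
        # Probabilistic marking made deterministic: mark every other unmarked packet.
        self._seen_unmarked += 1
        if self._seen_unmarked % 2 == 0:
            return
        pkt["ds"] = DS_FRAG_MARK
        pkt["id"], pkt["flags"], pkt["frag_off"] = pack_mark(self.ip, self._next_offset, 1)
        self._next_offset = (self._next_offset + 1) % N_FRAGS


def reconstruct(marks: List[Mark]) -> List[Tuple[int, int]]:
    """Steps (1)-(7): group by distance, then by hash, order by offset, join,
    verify against the carried hash, and return (distance, ip) nearest first.
    Conflicting fragments at one offset (two switches at the same distance
    whose 15-bit hashes collide) are resolved by trying every combination and
    keeping only those whose hash verifies."""
    table: Dict[int, Dict[int, Dict[int, Set[int]]]] = defaultdict(
        lambda: defaultdict(lambda: defaultdict(set)))
    for mark in marks:
        h, off, frag, hop = unpack_mark(mark)
        table[hop][h][off].add(frag)
    found: List[Tuple[int, int]] = []
    for dist in sorted(table):
        for h, by_offset in table[dist].items():
            if len(by_offset) != N_FRAGS:
                continue                      # not every offset collected yet
            for combo in itertools.product(*(sorted(by_offset[o]) for o in range(N_FRAGS))):
                ip = 0
                for frag in combo:
                    ip = (ip << FRAG_BITS) | frag
                if addr_hash(ip) == h:
                    found.append((dist, ip))
    return found


def simulate(path_ips: List[int], n_packets: int = 64) -> List[Mark]:
    """Constructed traffic: spoofed packets cross the switches in path_ips,
    attacker side first; returns the marks the victim collects."""
    switches = [Switch(ip) for ip in path_ips]
    collected: List[Mark] = []
    for _ in range(n_packets):
        pkt = {"ds": 0, "id": 0, "flags": 0, "frag_off": 0}   # spoofed source, unmarked
        for sw in switches:
            sw.process(pkt)
        if pkt["ds"] == DS_FRAG_MARK:
            collected.append((pkt["id"], pkt["flags"], pkt["frag_off"]))
    return collected


if __name__ == "__main__":
    path = [0x0A000101, 0x0A000201, 0x0A000301]       # 10.0.1.1 -> 10.0.2.1 -> 10.0.3.1
    for dist, ip in reconstruct(simulate(path)):
        print(dist, ".".join(str(b) for b in ip.to_bytes(4, "big")))
```

Because each marked packet carries only one of the four fragments, the victim needs at least four marked packets with distinct offsets from every switch before that switch's address can be recovered, and with probabilistic marking the farthest switches mark the fewest packets; in the constructed run the attacker-side switch contributes 32 marks, the next 16 and the nearest 8. The 15-bit hash is a check against mis-assembly, not an authenticator: a host inside the domain that can set DiffServ to 0xC and write the fragment fields itself can plant marks that verify.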

In summary, the hybrid tracing method for address spoofing proposed in Embodiment 2 can effectively recover the attacker's attack path and identity location. Path reconstruction needs fewer packets and less computation. The repeated-marking problem of switches is avoided, and the marking information of upstream routers is not overwritten. Path recording is chosen as the tracing mode, so tracing is fast. The information marked into the packet is the switch identifier rather than a packet IP address. The hybrid method does not require the network topology to be exposed, and reduces bandwidth requirements.

Embodiment 3

As shown in FIG. 6, in Embodiment 3 the hybrid traceback method for address spoofing is lightweight and fine-grained. To reduce the number of packets needed for path reconstruction, avoid the repeated-marking problem, lower the resource overhead on routers and improve the capability of the cross-domain traceback defence mechanism, the globally unique switch number SwitchID and the forwarding port Eport of each switch are used, instead of IP addresses, to mark the packets sent by the attacker.

The IP packet serves as the information carrier for path reconstruction. This embodiment rewrites the IP packet header: the Differentiated Services (Diffserv) field of the IP header marks the traffic to be traced, the reserved field and the Option field store the path information, and the fragmentation field (FragmentOffset) and identification field store the identity information. The variable part of the IP header, the Option field, is enabled as storage for the switches traversed between the attacker and the victim.

Between the attacker and the victim, each time a packet to be marked passes through a switch, that switch selects its own <SwitchId, Eport> according to the marking rules of Embodiment 2 and inserts it into the packet, until the whole forwarding path from the attacker to the victim has been traversed. Finally, once the victim has collected the complete metadata carrying the different marks, the Hop_Count, SwitchID and Eport fields correspond one to one, and the complete attack path from the attacker to the victim can be reconstructed from them.

Between the attacker and the victim, each time a packet to be marked passes through a switch, that switch generates IP address fragments according to the non-repeating filling rule of the present invention and fills the identification, flag and FragmentOffset fields. Finally, after the victim has collected the packets carrying the different fragment marks, the identity location can be recovered from the fragment_i, offset_i and HopCount fields of the present invention, and the hash field is used to verify the identity, so that the complete identity location information is reconstructed.
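The path-record half of Embodiment 3 (and claim 7) can be simulated in a few dozen lines. The following is an added example, not code from the patent or from the applicant: each switch pushes its <SwitchId, Eport> onto a MetadataStack carried in the IP Option field and increments HOP_COUNT, recording stops once Max_HOPS is reached, and the victim pops the stack to obtain the path from the nearest switch outwards. The DSCP value used to dye traced traffic, the 16-bit width of Eport and the in-memory packet structure are assumptions made for the example.

```python
# Added example, not code from the patent: a simulation of the path-record marking of
# Embodiment 3 / claim 7. Each switch pushes its <SwitchId, Eport> onto a MetadataStack
# carried in the IP Option field and bumps HOP_COUNT; the victim pops the stack to get
# the path from the nearest switch outwards. DSCP value and Eport width are assumptions.
import struct
from dataclasses import dataclass

DIFFSERV_PATH_RECORD = 0x2C   # assumed DSCP value that dyes traffic under the path-record policy
MAX_HOPS = 8                  # Max_HOPS: switches stop recording once this many hops are marked
ENTRY = struct.Struct("!IH")  # one stack entry: SwitchId as unsigned 32-bit, Eport as 16-bit (assumed)


@dataclass
class MarkedPacket:
    diffserv: int = 0
    hop_count: int = 0            # HOP_COUNT counter maintained in the telemetry header
    metadata_stack: bytes = b""   # MetadataStack stored in the Option field; top of stack first


def switch_mark(pkt, switch_id, eport, is_first=False):
    """Marking performed by one switch as the packet passes through it."""
    if is_first:
        # the initial switch embeds the telemetry header and starts an empty record
        pkt.diffserv = DIFFSERV_PATH_RECORD
        pkt.hop_count = 0
        pkt.metadata_stack = b""
    if pkt.diffserv != DIFFSERV_PATH_RECORD:
        return pkt                  # ordinary traffic: skip marking, just forward
    if pkt.hop_count >= MAX_HOPS:
        return pkt                  # Max_HOPS reached: no further path recording
    # push <SwitchId, Eport> on top of the stack and count the marked hop
    pkt.metadata_stack = ENTRY.pack(switch_id, eport) + pkt.metadata_stack
    pkt.hop_count += 1
    return pkt


def forward_along(switches):
    """Send one packet through (SwitchId, Eport) pairs, attacker side first, victim side last."""
    pkt = MarkedPacket()
    for idx, (switch_id, eport) in enumerate(switches):
        switch_mark(pkt, switch_id, eport, is_first=(idx == 0))
    return pkt


def reconstruct_path(pkt):
    """Victim/controller side: pop the stack into (distance, SwitchId, Eport), nearest first."""
    if pkt.diffserv != DIFFSERV_PATH_RECORD:
        return []
    entries = [ENTRY.unpack_from(pkt.metadata_stack, off)
               for off in range(0, len(pkt.metadata_stack), ENTRY.size)]
    if len(entries) != pkt.hop_count:
        raise ValueError("HOP_COUNT does not match the number of stack entries")
    # the top entry was pushed by the last-hop switch, i.e. distance 1 from the victim
    return [(dist, sid, ep) for dist, (sid, ep) in enumerate(entries, start=1)]


if __name__ == "__main__":
    sample = forward_along([(1001, 2), (1002, 5), (1003, 1)])   # constructed three-switch path
    for dist, sid, ep in reconstruct_path(sample):
        print(f"distance {dist}: SwitchId={sid} Eport={ep}")
```

The consistency check between HOP_COUNT and the number of stack entries is the cheap detection point a collector should keep: a packet whose counter disagrees with its stack has been truncated or tampered with and should not feed the path set.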

Embodiment 4

Embodiment 4 provides a non-transitory computer-readable storage medium storing computer instructions which, when executed by a processor, implement the hybrid attack traceback method for address spoofing described above. The method includes:

marking the packets sent by the attacker with the globally unique number and forwarding port of each switch, storing the attack path information in the option field and the attack source location information in the identification and fragmentation fields, and inserting both marks into the packet;

when a DDoS attack is detected, extracting and aggregating the collected packets carrying the different marking information, performing attack traceback, and obtaining the attack path and the attack source address.

Embodiment 5

Embodiment 5 provides a computer program product comprising a computer program which, when run on one or more processors, implements the hybrid attack traceback method for address spoofing described above. The method includes:

marking the packets sent by the attacker with the globally unique number and forwarding port of each switch, storing the attack path information in the option field and the attack source location information in the identification and fragmentation fields, and inserting both marks into the packet;

when a DDoS attack is detected, extracting and aggregating the collected packets carrying the different marking information, performing attack traceback, and obtaining the attack path and the attack source address.

Embodiment 6

Embodiment 6 provides an electronic device comprising a processor, a memory and a computer program, wherein the processor is connected to the memory and the computer program is stored in the memory; when the electronic device runs, the processor executes the computer program stored in the memory so that the electronic device carries out the instructions implementing the hybrid attack traceback method for address spoofing described above. The method includes:

marking the packets sent by the attacker with the globally unique number and forwarding port of each switch, storing the attack path information in the option field and the attack source location information in the identification and fragmentation fields, and inserting both marks into the packet;

when a DDoS attack is detected, extracting and aggregating the collected packets carrying the different marking information, performing attack traceback, and obtaining the attack path and the attack source address.

In summary, in the hybrid attack traceback method for address spoofing described in the embodiments of the present invention, the idle fields of the IP packet are used to rewrite the packet header, and the Option field is used to build a dynamically sized path-record stack according to the distance between the attacker and the victim. The identifier and forwarding port of each switch are written into the packet as marking information. Each switch identifier is represented as an unsigned 32-bit integer, and the switch's IP address is fragmented into fixed, equal-length pieces. Path-record marking is carried out by the switches, which mark packets according to the Differentiated Services field; other network packets skip marking and are forwarded directly. In the attack path reconstruction stage, the attack path is reconstructed from the Option field and the identity location is determined from the fragment fields. When the attack path is stored, the identification information of the different switches is pushed onto the MetadataStack in stack order. The marked packet containing the attack path that the victim receives carries the metadata of the traversal from the attacker to the victim.

In a specific application, different fragment lengths can be chosen for the identification fragments of each switch. However, the more fragments an identifier is split into, the more packets the victim needs to reconstruct the attack path, which increases system complexity and overhead. The marking information may be switch-based identification information; otherwise it is easily defeated under DDoS, with router information being tampered with, so that the real attack source cannot be located.

Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Although specific embodiments of the present invention have been described above with reference to the accompanying drawings, they do not limit the scope of protection of the present invention. Those skilled in the art should understand that all modifications or variations that can be made on the basis of the technical solutions disclosed herein without creative effort fall within the scope of protection of the present invention.

Claims (10)

1. A hybrid attack traceback method for address spoofing, characterized in that it comprises: marking the packets sent by the attacker with the globally unique number and forwarding port of each switch, storing the attack path information in the option field and the attack source location information in the identification and fragmentation fields, and inserting both marks into the packet; and, when a DDoS attack is detected, extracting and aggregating the collected packets carrying the different marking information, performing attack traceback, and obtaining the attack path and the attack source address.

2. The hybrid attack traceback method for address spoofing according to claim 1, characterized in that the header of the IP packet is rewritten, and the Differentiated Services field of the IP header is used to extend the traffic traceback function so as to record attack path information and locate the attack source address.

3. The hybrid attack traceback method for address spoofing according to claim 2, characterized in that the reserved field and the option field of the IP packet header are used to store the switch marking information of the switches traversed between the attacker and the victim; MarkHeader is the protocol header added to the packet header; SwitchID is the global identification field of the switch, identifying the switch that the packet passes through during forwarding; Eport is the forwarding port field, identifying the packet's forwarding port on the switch, and the SwitchID and Eport of a switch are used together to record the packet's forwarding path; HOP_COUNT is the forwarding hop count field, a counter maintained in the telemetry header that counts the marked forwarding hops from the source switch that embedded the telemetry header to the present switch; Max_HOPS is the maximum forwarding hop count field, a constant declaring the maximum number of hops for the path-record function, beyond which switches no longer record path information.

4. The hybrid attack traceback method for address spoofing according to claim 3, characterized in that the attack source address location function uses the idle fields of the IP packet header to design four filling mark fields: Fragment, which holds one fragment of the split IP address, all fragments being of equal length; Offset, the fragment offset field, which holds the position of the fragment within the IP address; HopCount, the forwarding hop count field; and Hash, a hash field holding the hash value of the IP address, used to verify the integrity of the IP address reassembled from the fragments.

5. The hybrid attack traceback method for address spoofing according to claim 3, characterized in that the marking process for the attack path record includes: on the switching device, inserting the switch identifier and forwarding port as path information into the reserved part of the packet's option field; between the attacker and the victim, each switch the packet passes through selects its device identifier according to the marking rule and inserts it into the packet, until the forwarding path from the attacker to the victim has been traversed.

6. The hybrid attack traceback method for address spoofing according to claim 4, characterized in that the marking process for identity location includes: during attack source location marking, the forwarding device reads the Differentiated Services field and matches the flow table, and probabilistically marks the packets that match; forwarding devices are divided by role into marking nodes and intermediate nodes; if the Differentiated Services field has not been modified, then for a packet requiring fragment marking the switch extracts the IP source address, splits it into equal-length fragments fragment_i and computes the offset offset_i of each address fragment; next, the switch hashes the IP source address and truncates the result to a specific number of bits as the hash field; finally, as to storage location, the 15-bit hash field and the high bit of offset_i are written into the 16-bit identification field, the low bit of offset_i into the low bit of the flag field, and fragment_i into the 13-bit FragmentOffset field; if the Differentiated Services field has already been modified, i.e. Diffserv resolves to the fragment marking service, the packet has already been marked by an upstream switch on the forwarding path, and the present switch performs no filling but only updates the forwarding hop count HopCount.

7. The hybrid attack traceback method for address spoofing according to claim 5, characterized in that, during packet transmission with path recording, the initial switch embeds a telemetry header containing telemetry instructions into the data packet and then writes the telemetry metadata <SwitchId, Eport> into the Option field of the IP header; an intermediate switch node, on recognising the telemetry header, appends its local identifier <SwitchId, Eport> to the existing path record and updates the forwarding hop count field; at the last-hop switch, the path record contained in the packet is unloaded and reported to the controller; in the path reconstruction process, the switch first identifies the value of the Differentiated Services field, extracts the Option field from packets under the path-record policy and parses the data in the option field stack; the metadata are then popped in turn and the carried switch identifiers <SwitchId, Eport> are read in order, which together with HopCount gives the traceback path from near to far.

8. The hybrid attack traceback method for address spoofing according to claim 6, characterized in that the reconstruction process for identity location includes: for the assembly of address fragments, first extracting the fragments whose distance field has the same value; distinguishing switch identities among the extracted fragments by the hash field value, so as to obtain fragment digests with the same forwarding distance from different switches; splicing the fragment digests by forwarding distance, starting from the digests at distance 1; for fragment digests with the same hash value, reordering the fragments by the value of the offset field; once all fragments have been obtained after sorting, i.e. the complete IP address has been obtained, performing an address check and writing the IP addresses whose check results agree into the traceback forwarding path set, indicating that the path of this dyed packet includes that switch; after the digests at the same distance have been spliced, increasing the distance by one and continuing fragment splicing for the node one hop further, until the farthest node on the path; after all attack source IP addresses have been collected, outputting the nodes of the forwarding path set in order of forwarding distance.

9. The hybrid attack traceback method for address spoofing according to claim 8, characterized in that the address check is performed as follows: the reassembled IP address is hashed; by the property of the hash function, identical IP addresses produce identical hash outputs; the hash result is truncated to the same number of bits and compared with the hash value attached to the IP address fragments.

10. A hybrid attack traceback system for address spoofing based on the method of any one of claims 1 to 9, characterized in that it comprises: a marking module, for marking the packets sent by the attacker with the globally unique number and forwarding port of each switch, storing the attack path information in the option field and the attack source location information in the identification and fragmentation fields, and inserting both marks into the packet; and a traceback module, for extracting and aggregating the collected packets carrying the different marking information when a DDoS attack is detected, performing attack traceback, and obtaining the attack path and the attack source address.
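The fragment marking of claim 6 and the reassembly and hash check of claims 8 and 9 (the same scheme Embodiment 3 describes) fit together in one short simulation. The following is an added example, not code from the patent or from the applicant. Its assumptions: the 32-bit switch address is split into four 8-bit fragments, so offset_i needs exactly the two bits the claims place in identification and flags; SHA-256 truncated to 15 bits stands in for the unspecified hash function; the marking switch sets HopCount to 1; and a deterministic marking schedule replaces the patent's probabilistic marking so the run is reproducible.

```python
# Added example, not code from the patent: the address fragment marking of claim 6 and the
# reassembly/check of claims 8 and 9. Assumptions: four 8-bit fragments per address, SHA-256
# truncated to 15 bits as the hash, marking switch starts HopCount at 1, deterministic schedule.
import hashlib
import ipaddress
from collections import defaultdict

FRAG_BITS = 8                       # assumed fragment length
FRAG_COUNT = 32 // FRAG_BITS        # 4 fragments, offsets 0..3
HASH_BITS = 15                      # hash width from claim 6
FRAG_MASK = (1 << FRAG_BITS) - 1


def addr_hash(ip):
    """15-bit truncated hash of an IPv4 address (the hash function is an assumption)."""
    digest = hashlib.sha256(ipaddress.IPv4Address(ip).packed).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << HASH_BITS) - 1)


def fragment(ip, i):
    """fragment_i: the i-th equal-length piece of the address, i = 0 being the most significant."""
    addr = int(ipaddress.IPv4Address(ip))
    return (addr >> (32 - FRAG_BITS * (i + 1))) & FRAG_MASK


def mark_fields(ip, i):
    """Fill identification (16 bits), flags (3 bits) and FragmentOffset (13 bits) as in claim 6."""
    h = addr_hash(ip)
    return {
        "identification": (h << 1) | ((i >> 1) & 1),   # 15-bit hash + high bit of offset_i
        "flags": i & 1,                                 # low bit of offset_i in the low flag bit
        "frag_offset": fragment(ip, i) & 0x1FFF,        # fragment_i in the 13-bit field
    }


def unpack_fields(f):
    """Recover (hash, offset_i, fragment_i) from the three header fields."""
    h = f["identification"] >> 1
    offset = ((f["identification"] & 1) << 1) | (f["flags"] & 1)
    return h, offset, f["frag_offset"] & FRAG_MASK


def simulate(path_ips, n_packets):
    """Forward n_packets along path_ips (attacker side first); return the marks the victim sees."""
    marked = []
    for seq in range(n_packets):
        marker = seq % len(path_ips)                 # which switch marks this packet
        i = (seq // len(path_ips)) % FRAG_COUNT      # which fragment it emits
        pkt = None
        for hop, ip in enumerate(path_ips):
            if pkt is None:
                if hop == marker:
                    pkt = mark_fields(ip, i)         # Diffserv unmodified: fill the fields
                    pkt["hop_count"] = 1             # assumption: marking switch starts at 1
            else:
                pkt["hop_count"] += 1                # marked upstream already: only bump HopCount
        if pkt is not None:
            marked.append(pkt)
    return marked


def reconstruct(marked):
    """Victim side: group by distance, then by hash; reorder by offset; reassemble and verify."""
    by_dist = defaultdict(lambda: defaultdict(dict))
    for f in marked:
        h, offset, frag = unpack_fields(f)
        by_dist[f["hop_count"]][h][offset] = frag
    path = {}
    for dist in sorted(by_dist):                     # distance 1 first, then further out
        for h, frags in by_dist[dist].items():
            if len(frags) != FRAG_COUNT:
                continue                             # still missing fragments for this switch
            addr = 0
            for offset in range(FRAG_COUNT):
                addr = (addr << FRAG_BITS) | frags[offset]
            ip = str(ipaddress.IPv4Address(addr))
            if addr_hash(ip) == h:                   # claim 9: recomputed hash must match
                path[dist] = ip
    return path


if __name__ == "__main__":
    route = ["10.0.1.1", "10.0.2.1", "10.0.3.1"]     # constructed switch addresses
    for dist, ip in sorted(reconstruct(simulate(route, 12)).items()):
        print(f"distance {dist}: {ip}")
```

With four fragments per address, the victim needs at least four marked packets from each switch before an address can be reassembled; the 15-bit hash check rejects mixes of fragments from different switches that happen to share a distance, but a collector should treat it as an integrity filter rather than proof of origin, since 15 bits leave a small collision rate.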
CN202310732358.2A 2023-06-20 2023-06-20 Mixed attack tracing method and system for address spoofing Pending CN116633665A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310732358.2A CN116633665A (en) 2023-06-20 2023-06-20 Mixed attack tracing method and system for address spoofing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310732358.2A CN116633665A (en) 2023-06-20 2023-06-20 Mixed attack tracing method and system for address spoofing

Publications (1)

Publication Number Publication Date
CN116633665A true CN116633665A (en) 2023-08-22

Family

ID=87621327

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310732358.2A Pending CN116633665A (en) 2023-06-20 2023-06-20 Mixed attack tracing method and system for address spoofing

Country Status (1)

Country Link
CN (1) CN116633665A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118827090A (en) * 2023-09-19 2024-10-22 中国移动通信有限公司研究院 Data tracing method, device, electronic device and readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112910851A (en) * 2021-01-16 2021-06-04 中国电子科技集团公司第十五研究所 Data packet marking and tracing device based on knowledge graph
CN113271317A (en) * 2021-06-16 2021-08-17 中移(杭州)信息技术有限公司 Network attack tracing method and device, communication equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
汪润虎: "可编程网络中地址欺骗攻击溯源与防御机制研究", 《中国优秀硕士学位论文全文数据库 信息科技辑》, 1 June 2023 (2023-06-01), pages 26 - 62 *

Similar Documents

Publication Publication Date Title
Belenky et al. On deterministic packet marking
CN105991655B (en) Method and apparatus for mitigating neighbor discovery-based denial of service attacks
CN101009660B (en) Universal method and device for processing the match of the segmented message mode
CN102045344B (en) Cross-domain affiliation method and system based on path information elastic sharding
US20110026529A1 (en) Method And Apparatus For Option-based Marking Of A DHCP Packet
CN101316232B (en) Fragmentation and reassembly method based on network protocol version six
KR100951770B1 (en) How to trace back an IP over an IPv6 network
Murugesan et al. HPSIPT: A high-precision single-packet IP traceback scheme
CN116633665A (en) Mixed attack tracing method and system for address spoofing
Xiang et al. Trace IP packets by flexible deterministic packet marking (FDPM)
CN105791300B (en) Single packet source tracing method based on tracking trace importance assessment
CN118611955B (en) Source address traffic identification and control method, device, equipment and medium based on programmable data plane
CN118764324A (en) Capacitive DDoS attack dynamic defense system and method based on programmable switch
CN112615851A (en) Boundary router combining multiple safety inspection mechanisms under CoLoR architecture
Hamadeh et al. Performance of ip address fragmentation strategies for ddos traceback
Vincent et al. A survey of IP traceback mechanisms to overcome denial-of-service attacks
Su et al. Privacy preserving IP traceback
Ni et al. From Address Blocks to Authorized Prefixes: Redesigning {RPKI}{ROV} with a Hierarchical Hashing Scheme for Fast and {Memory-Efficient} Validation
Ma et al. A Low‐Overhead and High‐Precision Attack Traceback Scheme with Combination Bloom Filters
CN118869318B (en) A blacklist-based traffic message forwarding method, device, and network equipment
Albright et al. An implementation of IP traceback in IPv6 using probabilistic packet marking
CN120602412B (en) Data tampering protection method and system in Ethernet data transmission
CN116318801B (en) SOHO router data modification method
Snow et al. Link-layer traceback in ethernet networks
Ge et al. SR-SL: A Secure and Low-Cost Path Validation Based on SRv6

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination