Architectural Solutions for Preventing Distributed Denial of Service Attacks

防止分布式拒绝服务攻击的架构解决方案

• 批准号: 0208946
• 负责人: Ruby Lee
• 金额: $ 19.63万
• 依托单位: Princeton University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2002
• 资助国家: 美国
• 起止时间: 2002-08-01 至 2005-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0208946&HistoricalAwards=false
• 关键词: Architectural; Solutions; Preventing; Distributed; Denial

Denial of service attacks flood a web-site with so many requests that it can no longer respond. Computers connected to the Internet are vulnerable to being used unwittingly in mounting a distributed denial of service (DDoS) attack on a victim web-site. Past countermeasures based on software patches or re-compilation are often ignored by users, leaving many systems vulnerable. This research first proposes a classification of the various denial of service attacks and countermeasures, then defines architectural solutions in the core (non-optional) hardware and software of future machines. The vulnerabilities of computers, which allow DDoS attack networks to be set up, are studied. Low overhead architectural features in the core hardware of computers are investigated which hinder attack networks from being set up in the first place, or detect and prevent the execution of potentially hostile code. Malicious parties often employ buffer overflow attacks to gain entry to a computer by corrupting procedure return addresses. This research investigates features like a secure return address stack (SRAS) in the processor architecture as a new defense against such buffer overflow exploits. The proposed research approach is unique in providing defenses in the client platforms rather than only in the servers or routers, and in building more trusted architecture in the core hardware, rather than only in software layers. Since application code need not be changed nor re-compiled, both legacy and future software can enjoy the security benefits of hardware architectural solutions. Since DDoS attacks pose a serious threat to the availability of critical Internet services, this research can contribute to the overall security of the Internet while increasing the trust that owners may have in their interconnected information appliances.

拒绝服务攻击使网站充斥着如此多的请求，以至于它无法再响应。连接到互联网的计算机很容易在无意中被用于在受害者网站上发起分布式拒绝服务（DDoS）攻击。 过去基于软件补丁或重新编译的对策往往被用户忽视，使许多系统容易受到攻击。 本研究首先提出了各种拒绝服务攻击和对策的分类，然后定义架构解决方案的核心（非可选）的硬件和软件的未来机器。 研究了允许建立DDoS攻击网络的计算机漏洞。 研究了计算机核心硬件中的低开销体系结构特征，这些特征首先阻碍了攻击网络的建立，或者检测和防止潜在恶意代码的执行。 恶意方经常使用缓冲区溢出攻击，通过破坏过程返回地址来进入计算机。 本研究调查的功能，如安全返回地址栈（SRAS）的处理器架构作为一种新的防御这种缓冲区溢出漏洞。 所提出的研究方法是独特的，在客户端平台提供防御，而不是只在服务器或路由器，并在核心硬件，而不是只在软件层建立更可信的架构。 由于应用程序代码不需要更改或重新编译，因此遗留和未来的软件都可以享受硬件架构解决方案的安全优势。 由于DDoS攻击对关键互联网服务的可用性构成严重威胁，因此这项研究可以有助于互联网的整体安全，同时增加所有者对其互联信息设备的信任。