Architectural Solutions for Preventing Distributed Denial of Service Attacks

防止分布式拒绝服务攻击的架构解决方案

• 批准号: 0208946
• 负责人: Ruby Lee
• 金额: $ 19.63万
• 依托单位: Princeton University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2002
• 资助国家: 美国
• 起止时间: 2002-08-01 至 2005-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0208946&HistoricalAwards=false
• 关键词: Architectural; Solutions; Preventing; Distributed; Denial

Denial of service attacks flood a web-site with so many requests that it can no longer respond. Computers connected to the Internet are vulnerable to being used unwittingly in mounting a distributed denial of service (DDoS) attack on a victim web-site. Past countermeasures based on software patches or re-compilation are often ignored by users, leaving many systems vulnerable. This research first proposes a classification of the various denial of service attacks and countermeasures, then defines architectural solutions in the core (non-optional) hardware and software of future machines. The vulnerabilities of computers, which allow DDoS attack networks to be set up, are studied. Low overhead architectural features in the core hardware of computers are investigated which hinder attack networks from being set up in the first place, or detect and prevent the execution of potentially hostile code. Malicious parties often employ buffer overflow attacks to gain entry to a computer by corrupting procedure return addresses. This research investigates features like a secure return address stack (SRAS) in the processor architecture as a new defense against such buffer overflow exploits. The proposed research approach is unique in providing defenses in the client platforms rather than only in the servers or routers, and in building more trusted architecture in the core hardware, rather than only in software layers. Since application code need not be changed nor re-compiled, both legacy and future software can enjoy the security benefits of hardware architectural solutions. Since DDoS attacks pose a serious threat to the availability of critical Internet services, this research can contribute to the overall security of the Internet while increasing the trust that owners may have in their interconnected information appliances.

拒绝服务攻击使网站充斥着大量请求，以致网站无法再响应。连接到 Internet 的计算机很容易被无意中用于对受害者网站发起分布式拒绝服务 (DDoS) 攻击。 过去基于软件补丁或重新编译的对策常常被用户忽视，导致许多系统容易受到攻击。 这项研究首先提出了各种拒绝服务攻击的分类和对策，然后定义了未来机器的核心（非可选）硬件和软件的架构解决方案。 研究了允许建立 DDoS 攻击网络的计算机漏洞。 研究计算机核心硬件中的低开销架构特征，这些特征首先阻碍攻击网络的建立，或者检测和阻止潜在敌对代码的执行。 恶意方经常利用缓冲区溢出攻击，通过破坏过程返回地址来进入计算机。 这项研究调查了处理器架构中的安全返回地址堆栈 (SRAS) 等功能，作为针对此类缓冲区溢出漏洞的新防御措施。 所提出的研究方法的独特之处在于在客户端平台中提供防御而不仅仅是在服务器或路由器中，以及在核心硬件中构建更可信的架构而不仅仅是在软件层中。 由于无需更改或重新编译应用程序代码，因此遗留软件和未来软件都可以享受硬件架构解决方案的安全优势。 由于 DDoS 攻击对关键互联网服务的可用性构成严重威胁，因此这项研究可以为互联网的整体安全做出贡献，同时增加所有者对其互连信息设备的信任。