HU Hongchao, ZHANG Shuaipu, CHENG Guozhen, et al. ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment[J]. Journal of Zhengzhou University (Engineering Science), 2024, 45(02): 72-79. [doi:10.13705/j.issn.1671-6833.2023.05.009]

ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment

Journal of Zhengzhou University (Engineering Science) [ISSN: 1671-6833 / CN: 41-1339/T]

Volume:
45
Issue:
2024, No. 02
Pages:
72-79
Column:
Publication date:
2024-03-06

Article Info

Title:
ReDoS Defense Method Based on Moving Target Defense in Cloud-native Environment
Author(s):
HU Hongchao 1, ZHANG Shuaipu 2, CHENG Guozhen 3, HE Weizhen 3
1. Zhongyuan Network Security Research Institute, Zhengzhou University, Zhengzhou 450001, China; 2. School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China; 3. Information Technology Research Institute, University of Information Engineering, Zhengzhou 450001, China
Keywords:
microservices; ReDoS; moving target defense; heterogeneity; regular expression
DOI:
10.13705/j.issn.1671-6833.2023.05.009
Document code:
A
Abstract:
Existing defenses against regular expression denial of service (ReDoS) attacks in cloud-native environments are inefficient and cannot defend proactively. To address this, a ReDoS defense method based on moving target defense (MTD) is proposed. First, the behaviour of attacker and defender is analysed from the characteristics of microservice applications in a cloud-native environment. Second, an MTD-based defense system is designed on Kubernetes; it uses dynamic and static multi-dimensional microservice weight indices built from topology information and request arrival rates, a service efficiency judgment index based on queueing theory, and a rotation-timing selection method, which together guide which key microservices are chosen and when they are rotated. Finally, a multi-dimensional MTD heterogeneous rotation algorithm based on heterogeneity and service efficiency is given and simulated in Python. The results show that the proposed algorithm shortens defense latency by about 50% compared with dynamic scaling, and that the defense overhead levels off after the first attack rather than growing continuously.

References:

[1] YUE M, WANG H Y, WU Z J, et al. A survey of DDoS attack and defense technologies in cloud computing[J]. Chinese Journal of Computers, 2020, 43(12): 2315-2336.
[2] XIN Y Y, NIU J, XIE Z J, et al. Survey of implementation framework for microservices architecture[J]. Computer Engineering and Applications, 2018, 54(19): 10-17.
[3] ZHANG Y P, WU Z L, CHEN M, et al. Optimization of task scheduling oriented to cross microservice chains[J]. Journal of Xidian University, 2021, 48(6): 32-39.
[4] LI Z, JIN H, ZOU D Q, et al. Exploring new opportunities to defeat low-rate DDoS attack in container-based cloud environment[J]. IEEE Transactions on Parallel and Distributed Systems, 2019, 31(3): 695-706.
[5] LI Y, SUN Y, XU Z, et al. RegexScalpel: regular expression denial of service (ReDoS) defense by localize-and-fix[C]//31st USENIX Security Symposium (USENIX Security 22). Atlanta: USENIX Association, 2022: 4183-4200.
[6] KIRRAGE J, RATHNAYAKE A, THIELECKE H. Static analysis for regular expression denial-of-service attacks[C]//International Conference on Network and System Security. Cham: Springer, 2013: 135-148.
[7] YU S, TIAN Y H, GUO S, et al. Can we beat DDoS attacks in clouds?[J]. IEEE Transactions on Parallel and Distributed Systems, 2014, 25(9): 2245-2254.
[8] YUAN B, ZHAO H, LIN C, et al. Minimizing financial cost of DDoS attack defense in clouds with fine-grained resource management[J]. IEEE Transactions on Network Science and Engineering, 2020, 7(4): 2541-2554.
[9] SHEN Y J. Research on automatic detection technology of regular expression complexity attack[D]. Nanjing: Nanjing University, 2019.
[10] LI Y T, CHEN Z X, CAO J L, et al. ReDoSHunter: a combined static and dynamic approach for regular expression DoS detection[C]//USENIX Security Symposium. Atlanta: USENIX Association, 2021: 3847-3864.
[11] The Cloudflare Blog. Details of the Cloudflare outage[EB/OL]. (2019-07-02)[2022-12-11]. https://blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/.
[12] ZHANG X Y, LI Z B. Overview on moving target defense technology[J]. Communications Technology, 2013, 46(6): 111-113.
[13] OLIVO O, DILLIG I, LIN C. Detecting and exploiting second order denial-of-service vulnerabilities in web applications[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015: 616-628.
[14] LEI C, ZHANG H Q, TAN J L, et al. Moving target defense techniques: a survey[J]. Security and Communication Networks, 2018, 2018: 1-25.
[15] PAHL C, BROGI A, SOLDANI J, et al. Cloud container technologies: a state-of-the-art review[J]. IEEE Transactions on Cloud Computing, 2019, 7(3): 677-692.
[16] FREEMAN L C. A set of measures of centrality based on betweenness[J]. Sociometry, 1977, 40(1): 35.
[17] KANG M S, GLIGOR V D. Routing bottlenecks in the internet: causes, exploits, and countermeasures[C]//Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2014: 321-333.
[18] MAGONI D. Tearing down the internet[J]. IEEE Journal on Selected Areas in Communications, 2003, 21(6): 949-960.
[19] JIA H Y, PAN Y F, LIU W H, et al. Executive dynamic scheduling algorithm based on high-order heterogeneity[J]. Journal on Communications, 2022, 43(3): 233-245.
[20] ZENG W, HU H C, LI L S, et al. Dynamic heterogeneous scheduling method based on Stackelberg game model in container cloud[J]. Chinese Journal of Network and Information Security, 2021, 7(3): 95-104.
[21] LIU H F. Two service stations in series queuing system[D]. Changsha: Central South University, 2007.

Similar Articles:

[1] LONG Xinzheng, OUYANG Rongbin, LI Ruomiao, et al. The Research of Campus Mobile Information Service Construction Scheme Based on Wechat Public Platform[J]. Journal of Zhengzhou University (Engineering Science), 2017, 38(02): 5. [doi:10.13705/j.issn.1671-6833.2017.02.002]

Last Update: 2024-03-08