基於P4的內容感知方法來緩解慢速超文本傳輸協定POST攻擊

Abstract

慢速超文本傳輸協定 POST 攻擊是一種針對網頁伺服器的應用層分散式阻斷服務攻擊。攻擊者偽裝成網路速度緩慢的使用者，從而長時間佔據伺服器資源並使其他人無法存取網頁服務。因為攻擊者發送的封包都有遵守超文本傳輸協定，從網路活動的方面難以觀察出差異。為了要解決這個問題，我們在本文中提出一種敏捷的防禦方式，透過利用軟體定義網路中可程式化的網路裝置來解析應用層標頭並辨別攻擊者。藉著這些不存在於傳統網路裝置中的資訊，我們可以辨別出不同類型的超文本傳輸協定請求並限制各個類型的連線數量。這種利用軟體定義網路中可程式化資料層的作法，使它可以達成分散式、來源端的防禦，整體而言具有良好的擴展性。實驗的模擬結果顯示，它對防禦慢速超文本傳輸協定 POST 攻擊是有效且準確的。

A slow HTTP POST attack is an application-layer distributed denial of service (DDoS) attack targeting web servers. The attacker simulates a legitimate user with a slow network speed and continues to send requests, resulting in server resources being occupied for a long time and being unavailable to other users. Since the network requests from the attacker comply with HTTP, they show no difference in network activities. The similarity to legitimate behavior makes it challenging to identify such attack traffic. To address this issue, this paper proposes a responsive defense mechanism that exploits programmable network devices in software-defined networking (SDN) to identify attack traffic based on application-layer headers. With information that is not available from legacy network devices, this method can identify different types of HTTP requests and limit the number of connections for each type per source. This approach achieves a distributed, source-based DDoS defense capability by utilizing data plane programmability in SDN, making it a scalable solution. The simulation results show that the approach is effective and accurate against slow HTTP POST attacks.