Katargin Dmitry Andreevich - Southern Federal University; e-mail: dakatargin@sfedu.ru; 15, Severniy Massiv, kv. 51, Bataysk, Rostovskaya obl, 346880; phone: +79286211661; postgraduate student.
UDC 004.056
Y.V. Tarasov
MODELING AND STUDY OF LOW-INTENSITY DDOS-ATTACKS ON BGP-INFRASTRUCTURE
The article presents the development of a method for detecting "denial of service" network attacks against various services that store, process and transmit data over the Internet. Emphasis is placed on the detection of low-rate DoS-attacks. The view that special tools for detecting "denial of service" intrusions are not required, since the fact of a DoS-attack cannot be overlooked, is refuted. It is shown that an effective response requires knowing the type, nature and other indicators of the "denial of service" attack, and that a detection system for distributed attacks allows this information to be obtained quickly. Furthermore, the use of such intrusion detection systems can significantly reduce the time needed to identify the attack, from 2-3 days to a few tens of minutes, which reduces the cost and downtime of the attacked resource. A hybrid neural network based on a Kohonen network and a multilayer perceptron is used as the detection module. The operation of the intrusion detection system prototype, the method of forming the training sample, all experiments and the topology of the experimental stand are presented. Experimental results for the prototype, in which the type I and type II errors were 1 and 1.5 % respectively, are also presented.
Attack detection; low-rate DDoS-attacks; hybrid neural network; security of computer networks.
[Introduction not preserved; fragments: DDoS (Distributed Denial of Service); DoS; SYN, TCP; ICMP; DNS; [1]; [2]; SYN-, UDP-; Low-Rate DDoS (HTTP GET, HTTP POST) [3]; [4]; HTTP; Microsoft IIS, Apache; SMTP, DNS; DDoS DNS-amplification.]
1. Low-Rate DDoS.
[Text not preserved; fragments: Low-Rate DDoS [1, 5]; TCP; RTT, 10 to 100; TCP additive-increase multiplicative-decrease (AIMD); RTO, 1; TCP AIMD [6]; RTO, 100 %; [5]; TCP [6]; Fig. 1, web.]

Fig. 1. (y-axis: %)
[Text not preserved; fragments: web; (Fig. 2), http; Fig. 3.]
Fig. 2. (axis: BANDWIDTH, Gbps; bins 0.0-2.0 through 28.0-30.0, and 0.0-30.0)
Fig. 3. (axis: BANDWIDTH, Gbps)
2. [Section heading not preserved; the section describes the experimental stand.]
The host is an Intel Core i7-3770 (3.4 GHz), 16 and 120 (units not preserved), running Citrix XenServer 6.1 (Citrix). The stand consists of:
1. Debian Wheezy, Apache web server, Php5 (libapache2-mod-php5), MySQL-server.
2. Debian Wheezy, Perl, Slowloris ddos script.
3. Windows 7 Pro x64, WinPcap.
[Text not preserved; fragments: DDoS; OSI; slowloris; HTTP; Slow HTTP POST: POST, Content-Length, web server; HTTP; Java; self-signed; HTTP; Microsoft IIS, Apache (web), HTTP, HTTPS, SSL, VPN; SMTP, DNS; DDOS.]
3. [Section heading not preserved; the section describes the detection system.]
[Text not preserved; fragments: DDoS; 2-3; a numbered list of three items; [8, 9]; 2.2, [11]; 150, [10], 50 (ASCII); telnet, ftp; [11]; DDoS; self-organizing map (SOM), Fig. 4.]
Fig. 4. (labels: APACHE, SLOWLORIS)
[Text not preserved; fragment: 50.]
The SOM inputs are:
1-4: (4 values), range 0-1;
5: range 0-1;
6-55: 50 values, range 0-1.

[Text not preserved; fragments: FF; 150; 5; 100; 1-5; 0-1; DDoS.]
Two experiments were conducted.
1. [Text not preserved; fragments: php, sql (N); Apache Benchmark; 10, 100.]
2. [Text not preserved; fragments: 3, slowloris.] The command line used:
./slowloris.pl -dns google.com -port 80 -timeout 500 -num 100500
Results of the experiment: the two error rates are 3.16 % and 1.23 %.

[Text not preserved; refers to Fig. 5 and Fig. 6.]
[Conclusion not preserved; fragments: Low-rate DDoS, slowloris.]
Fig. 5. (x-axis: 1 to 10)
Fig. 6. (x-axis: 1 to 10)

REFERENCES
1. Reshenie Cisco Systems Clean Pipes po zashchite ot raspredelennykh DDOS-atak dlya operatorov svyazi i ikh klientov [Cisco Systems "Clean Pipes" solution for protection against distributed DDOS attacks for communication operators and their clients]. Available at: http://www.cisco.com/web/RU/downloads/CleanPipes_rus.pdf (Accessed 01 September 2014).
2. Lobanov V.E., Onykiy B.N., Stankevichus A.A. Arkhitektura sistemy zashchity Grid ot atak tipa otkaz v obsluzhivanii i raspredelennyy otkaz v obsluzhivanii [The architecture of a system protecting the Grid from attacks of the "denial of service" and "distributed denial of service" types], Bezopasnost' informatsionnykh tekhnologiy [Information Technology Security], 2010, No. 3, pp. 136-139.
3. Otchet Laboratorii Kasperskogo o DDoS-atakakh za pervoe polugodie 2013 goda [Kaspersky Lab report on DDoS attacks for the first half of 2013]. Available at: http://www.securitylab.ru/news/444464.php (Accessed 01 September 2014).
4. Chee W.O., Brennan T. HTTP POST DDoS, OWASP AppSec DC 2010. Available at: https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf (Accessed 01 August 2014).
5. Kuzmanovic A., Knightly E.W. Low-rate TCP-targeted denial of service attacks and counter strategies, IEEE/ACM Trans. Netw., 2006, Vol. 14, No. 4, pp. 683-696.
6. Paxson V., Allman M., Chu H.K., Sargent M. Computing TCP's Retransmission Timer, RFC 6298, Proposed Standard, June 2011.
7. Sayt RFC 2.0 - Russkie Perevody RFC [The website "RFC 2.0 - Russian Translations of RFCs"]. Available at: http://rfc2.ru/4272.rfc (Accessed 01 September 2014).
8. Abramov E.S., Anikeev M.V., Makarevich O.B. Ispol'zovanie apparata neyrosetey pri obnaruzhenii setevykh atak [Using neural networks in the detection of network attacks], Izvestiya TRTU [Izvestiya TSURE], 2004, No. 1 (36), p. 130.
9. Abramov E.S., Anikeev M.V., Makarevich O.B. Podgotovka dannykh dlya ispol'zovaniya v obuchenii i testirovanii neyrosetey pri obnaruzhenii setevykh atak [Preparing data for use in training and testing neural networks in the detection of network attacks], Izvestiya TRTU [Izvestiya TSURE], 2003, No. 4 (33), pp. 204-206.
10. Cannady J. The Application of Artificial Neural Networks to Misuse Detection, 2001.
11. Abramov E.S., Sidorov I.D. Metod obnaruzheniya raspredelennykh informatsionnykh vozdeystviy na osnove gibridnoy neyronnoy seti [A method of detecting distributed information impacts based on a hybrid neural network], Izvestiya YuFU. Tekhnicheskie nauki [Izvestiya SFedU. Engineering Sciences], 2009, No. 11 (100), pp. 154-164.
Tarasov Yaroslav Viktorovich - Jet Infosystems; e-mail: info@jet.msk.su; 2/1, 2nd Peschanaya street, build. 50, Moscow, 125252, Russia; phone: +74954117601, fax: +74954117602; director of Business Development in Jet Infosystems.