Network Working Group L. Andersson Request for Comments: 4948 Acreo AB Category: Informational E. Davies Folly Consulting L. Zhang UCLA August 2007
Network Working Group L. Andersson Request for Comments: 4948 Acreo AB Category: Informational E. Davies Folly Consulting L. Zhang UCLA August 2007
Report from the IAB workshop on Unwanted Traffic March 9-10, 2006
2006年3月9日至10日IAB不必要交通研讨会报告
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
Abstract
摘要
This document reports the outcome of a workshop held by the Internet Architecture Board (IAB) on Unwanted Internet Traffic. The workshop was held on March 9-10, 2006 at USC/ISI in Marina del Rey, CA, USA. The primary goal of the workshop was to foster interchange between the operator, standards, and research communities on the topic of unwanted traffic, as manifested in, for example, Distributed Denial of Service (DDoS) attacks, spam, and phishing, to gain understandings on the ultimate sources of these unwanted traffic, and to assess their impact and the effectiveness of existing solutions. It was also a goal of the workshop to identify engineering and research topics that could be undertaken by the IAB, the IETF, the IRTF, and the network research and development community at large to develop effective countermeasures against the unwanted traffic.
本文件报告了互联网体系结构委员会(IAB)举办的关于不必要互联网流量的研讨会的结果。研讨会于2006年3月9日至10日在美国加利福尼亚州Marina del Rey的USC/ISI举行。研讨会的主要目标是促进运营商、标准和研究团体之间就不必要的流量进行交流,如分布式拒绝服务(DDoS)攻击、垃圾邮件和网络钓鱼,了解这些不必要流量的最终来源,并评估其影响和现有解决方案的有效性。研讨会的另一个目标是确定可由IAB、IETF、IRTF和整个网络研究和开发社区承担的工程和研究主题,以制定针对不必要流量的有效对策。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. The Root of All Evils: An Underground Economy . . . . . . . . 4 2.1. The Underground Economy . . . . . . . . . . . . . . . . . 5 2.2. Our Enemy Using Our Networks, Our Tools . . . . . . . . . 6 2.3. Compromised Systems Being a Major Source of Problems . . . 7 2.4. Lack of Meaningful Deterrence . . . . . . . . . . . . . . 8 2.5. Consequences . . . . . . . . . . . . . . . . . . . . . . . 10 3. How Bad Is The Problem? . . . . . . . . . . . . . . . . . . . 10 3.1. Backbone Providers . . . . . . . . . . . . . . . . . . . . 10 3.1.1. DDoS Traffic . . . . . . . . . . . . . . . . . . . . . 10 3.1.2. Problem Mitigation . . . . . . . . . . . . . . . . . . 11 3.2. Access Providers . . . . . . . . . . . . . . . . . . . . . 12 3.3. Enterprise Networks: Perspective from a Large Enterprise . . . . . . . . . . . . . . . . . . . . . . . . 13 3.4. Domain Name Services . . . . . . . . . . . . . . . . . . . 14 4. Current Vulnerabilities and Existing Solutions . . . . . . . . 15 4.1. Internet Vulnerabilities . . . . . . . . . . . . . . . . . 15 4.2. Existing Solutions . . . . . . . . . . . . . . . . . . . . 16 4.2.1. Existing Solutions for Backbone Providers . . . . . . 16 4.2.2. Existing Solutions for Enterprise Networks . . . . . . 17 4.3. Shortfalls in the Existing Network Protection . . . . . . 18 4.3.1. Inadequate Tools . . . . . . . . . . . . . . . . . . . 18 4.3.2. Inadequate Deployments . . . . . . . . . . . . . . . . 18 4.3.3. Inadequate Education . . . . . . . . . . . . . . . . . 19 4.3.4. Is Closing Down Open Internet Access Necessary? . . . 19 5. Active and Potential Solutions in the Pipeline . . . . . . . . 20 5.1. Central Policy Repository . . . . . . . . . . . . . . . . 20 5.2. Flow Based Tools . . . . . . . . . . . . . . . . . . . . . 21 5.3. Internet Motion Sensor (IMS) . . . . . . . . . . . . . . . 21 5.4. BCP 38 . . . . . . . . . . . . . . . . . . . . . . . . . . 22 5.5. Layer 5 to 7 Awareness . . . . . . . . . . . . . . . . . . 22 5.6. How To's . . . . . . . . . . . . . . . . . . . . . . . . . 22 5.7. SHRED . . . . . . . . . . . . . . . . . . . . . . . . . . 23 6. Research in Progress . . . . . . . . . . . . . . . . . . . . . 23 6.1. Ongoing Research . . . . . . . . . . . . . . . . . . . . . 23 6.1.1. Exploited Hosts . . . . . . . . . . . . . . . . . . . 23 6.1.2. Distributed Denial of Service (DDoS) Attacks . . . . . 25 6.1.3. Spyware . . . . . . . . . . . . . . . . . . . . . . . 26 6.1.4. Forensic Aids . . . . . . . . . . . . . . . . . . . . 26 6.1.5. Measurements . . . . . . . . . . . . . . . . . . . . . 27 6.1.6. Traffic Analysis . . . . . . . . . . . . . . . . . . . 27 6.1.7. Protocol and Software Security . . . . . . . . . . . . 27 6.2. Research on the Internet . . . . . . . . . . . . . . . . . 27 6.2.1. Research and Standards . . . . . . . . . . . . . . . . 28 6.2.2. Research and the Bad Guys . . . . . . . . . . . . . . 29
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. The Root of All Evils: An Underground Economy . . . . . . . . 4 2.1. The Underground Economy . . . . . . . . . . . . . . . . . 5 2.2. Our Enemy Using Our Networks, Our Tools . . . . . . . . . 6 2.3. Compromised Systems Being a Major Source of Problems . . . 7 2.4. Lack of Meaningful Deterrence . . . . . . . . . . . . . . 8 2.5. Consequences . . . . . . . . . . . . . . . . . . . . . . . 10 3. How Bad Is The Problem? . . . . . . . . . . . . . . . . . . . 10 3.1. Backbone Providers . . . . . . . . . . . . . . . . . . . . 10 3.1.1. DDoS Traffic . . . . . . . . . . . . . . . . . . . . . 10 3.1.2. Problem Mitigation . . . . . . . . . . . . . . . . . . 11 3.2. Access Providers . . . . . . . . . . . . . . . . . . . . . 12 3.3. Enterprise Networks: Perspective from a Large Enterprise . . . . . . . . . . . . . . . . . . . . . . . . 13 3.4. Domain Name Services . . . . . . . . . . . . . . . . . . . 14 4. Current Vulnerabilities and Existing Solutions . . . . . . . . 15 4.1. Internet Vulnerabilities . . . . . . . . . . . . . . . . . 15 4.2. Existing Solutions . . . . . . . . . . . . . . . . . . . . 16 4.2.1. Existing Solutions for Backbone Providers . . . . . . 16 4.2.2. Existing Solutions for Enterprise Networks . . . . . . 17 4.3. Shortfalls in the Existing Network Protection . . . . . . 18 4.3.1. Inadequate Tools . . . . . . . . . . . . . . . . . . . 18 4.3.2. Inadequate Deployments . . . . . . . . . . . . . . . . 18 4.3.3. Inadequate Education . . . . . . . . . . . . . . . . . 19 4.3.4. Is Closing Down Open Internet Access Necessary? . . . 19 5. Active and Potential Solutions in the Pipeline . . . . . . . . 20 5.1. Central Policy Repository . . . . . . . . . . . . . . . . 20 5.2. Flow Based Tools . . . . . . . . . . . . . . . . . . . . . 21 5.3. Internet Motion Sensor (IMS) . . . . . . . . . . . . . . . 21 5.4. BCP 38 . . . . . . . . . . . . . . . . . . . . . . . . . . 22 5.5. Layer 5 to 7 Awareness . . . . . . . . . . . . . . . . . . 22 5.6. How To's . . . . . . . . . . . . . . . . . . . . . . . . . 22 5.7. SHRED . . . . . . . . . . . . . . . . . . . . . . . . . . 23 6. Research in Progress . . . . . . . . . . . . . . . . . . . . . 23 6.1. Ongoing Research . . . . . . . . . . . . . . . . . . . . . 23 6.1.1. Exploited Hosts . . . . . . . . . . . . . . . . . . . 23 6.1.2. Distributed Denial of Service (DDoS) Attacks . . . . . 25 6.1.3. Spyware . . . . . . . . . . . . . . . . . . . . . . . 26 6.1.4. Forensic Aids . . . . . . . . . . . . . . . . . . . . 26 6.1.5. Measurements . . . . . . . . . . . . . . . . . . . . . 27 6.1.6. Traffic Analysis . . . . . . . . . . . . . . . . . . . 27 6.1.7. Protocol and Software Security . . . . . . . . . . . . 27 6.2. Research on the Internet . . . . . . . . . . . . . . . . . 27 6.2.1. Research and Standards . . . . . . . . . . . . . . . . 28 6.2.2. Research and the Bad Guys . . . . . . . . . . . . . . 29
7. Aladdin's Lamp . . . . . . . . . . . . . . . . . . . . . . . . 30 7.1. Security Improvements . . . . . . . . . . . . . . . . . . 30 7.2. Unwanted Traffic . . . . . . . . . . . . . . . . . . . . . 31 8. Workshop Summary . . . . . . . . . . . . . . . . . . . . . . . 31 8.1. Hard Questions . . . . . . . . . . . . . . . . . . . . . . 31 8.2. Medium or Long Term Steps . . . . . . . . . . . . . . . . 32 8.3. Immediately Actionable Steps . . . . . . . . . . . . . . . 33 9. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 33 10. Security Considerations . . . . . . . . . . . . . . . . . . . 38 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 38 12. Informative References . . . . . . . . . . . . . . . . . . . . 39 Appendix A. Participants in the Workshop . . . . . . . . . . . . 40 Appendix B. Workshop Agenda . . . . . . . . . . . . . . . . . . . 41 Appendix C. Slides . . . . . . . . . . . . . . . . . . . . . . . 41
7. Aladdin's Lamp . . . . . . . . . . . . . . . . . . . . . . . . 30 7.1. Security Improvements . . . . . . . . . . . . . . . . . . 30 7.2. Unwanted Traffic . . . . . . . . . . . . . . . . . . . . . 31 8. Workshop Summary . . . . . . . . . . . . . . . . . . . . . . . 31 8.1. Hard Questions . . . . . . . . . . . . . . . . . . . . . . 31 8.2. Medium or Long Term Steps . . . . . . . . . . . . . . . . 32 8.3. Immediately Actionable Steps . . . . . . . . . . . . . . . 33 9. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 33 10. Security Considerations . . . . . . . . . . . . . . . . . . . 38 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 38 12. Informative References . . . . . . . . . . . . . . . . . . . . 39 Appendix A. Participants in the Workshop . . . . . . . . . . . . 40 Appendix B. Workshop Agenda . . . . . . . . . . . . . . . . . . . 41 Appendix C. Slides . . . . . . . . . . . . . . . . . . . . . . . 41
The Internet carries a lot of unwanted traffic today. To gain a better understanding of the driving forces behind such unwanted traffic and to assess existing countermeasures, the IAB organized an "Unwanted Internet Traffic" workshop and invited experts on different aspects of unwanted traffic from operator, vendor, and research communities to the workshop. The intention was to share information among people from different fields and organizations, fostering an interchange of experiences, views, and ideas between the various communities on this important topic. The major goal of this workshop was to stimulate discussion at a deep technical level to assess today's situation in regards to:
如今,互联网承载着大量不必要的流量。为了更好地了解此类有害流量背后的驱动力并评估现有对策,IAB组织了一次“有害互联网流量”研讨会,并邀请运营商、供应商和研究团体的不同方面的专家参加研讨会。其目的是在不同领域和组织的人们之间共享信息,促进不同社区之间就这一重要议题交流经验、观点和想法。本次研讨会的主要目标是激发深层次技术层面的讨论,以评估当前在以下方面的情况:
o the kinds of unwanted traffic that are seen on the Internet,
o 互联网上出现的各种不必要的流量,
o how bad the picture looks,
o 这幅画看起来有多糟,
o who and where are the major sources of the problem,
o 谁和哪里是问题的主要根源,
o which solutions work and which do not, and
o 哪些解决方案有效,哪些不有效,以及
o what needs to be done.
o 需要做什么。
The workshop was very successful. Over one and half days of intensive discussions, the major sources of the unwanted traffic were identified, and a critical assessment of the existing mitigation tools was conducted. However, due to the limitation of available time, it was impossible to cover the topic of unwanted traffic in its entirety. Thus, for some of the important issues, only the surface was touched. Furthermore, because the primary focus of the workshop was to collect and share information on the current state of affairs, it is left as the next step to attempt to derive solutions to the
研讨会非常成功。经过一天半的密集讨论,确定了不必要交通的主要来源,并对现有缓解工具进行了重要评估。然而,由于可用时间的限制,不可能完全涵盖不需要的流量这一主题。因此,对于一些重要问题,只触及了表面。此外,由于讲习班的主要重点是收集和分享有关当前事态的信息,因此下一步将是设法找出解决问题的办法
issues identified. This will be done in part as activities within the IAB, the IETF, and the IRTF.
已查明的问题。这部分将作为IAB、IETF和IRTF内的活动来完成。
During the workshop, a number of product and company names were cited, which are reflected in the report to a certain extent. However, a mention of any product in this report should not be taken as an endorsement of that product; there may well be alternative, equally relevant or efficacious products in the market place.
研讨会期间,列举了一些产品和公司名称,这些名称在一定程度上反映在报告中。但是,本报告中提及的任何产品不应视为对该产品的认可;市场上很可能有替代的、同样相关的或有效的产品。
This report is a summary of the contributions by the workshop participants, and thus it is not an IAB document. The views and positions documented in the report do not necessarily reflect IAB views and positions.
本报告是研讨会参与者贡献的总结,因此不是IAB文件。报告中记录的观点和立场不一定反映IAB的观点和立场。
The workshop participant list is attached in Appendix A. The agenda of the workshop can be found in Appendix B. Links to a subset of the presentations are provided in Appendix C; the rest of the presentations are of a sensitive nature, and it has been agreed that they will not be made public. Definitions of the jargon used in describing unwanted traffic can be found in Section 9.
研讨会参与者名单附在附录A中。研讨会议程可在附录B中找到。附录C中提供了演示文稿子集的链接;其余的发言都是敏感性质的,大家都同意不公开这些发言。描述不需要的流量时使用的术语定义见第9节。
The first important message this workshop would like to bring to the Internet community's attention is the existence of an underground economy. This underground economy provides an enormous amount of monetary fuel that drives the generation of unwanted traffic. This economic incentive feeds on an Internet that is to a large extent wide open. The open nature of the Internet fosters innovations but offers virtually no defense against abuses. It connects to millions of mostly unprotected hosts owned by millions of mostly naive users. These users explore and benefit from the vast opportunities offered by the new cyberspace, with little understanding of its vulnerability to abuse and the potential danger of their computers being compromised. Moreover, the Internet was designed without built-in auditing trails. This was an appropriate choice at the time, but now the lack of traceability makes it difficult to track down malicious activities. Combined with a legal system that is yet to adapt to the new challenge of regulating the cyberspace, this means the Internet, as of today, has no effective deterrent to miscreants. The unfettered design and freedom from regulation have contributed to the extraordinary success of the Internet. At the same time, the combination of these factors has also led to an increasing volume of unwanted traffic. The rest of this section provides a more detailed account of each of the above factors.
本次研讨会希望提请互联网社区注意的第一个重要信息是地下经济的存在。这种地下经济提供了大量的货币燃料,推动了不必要交通的产生。这种经济激励源于在很大程度上完全开放的互联网。互联网的开放性促进了创新,但实际上没有为滥用提供任何保护。它连接到数百万未受保护的主机,而这些主机的所有者大多是天真的用户。这些用户探索新网络空间提供的巨大机会并从中获益,但对其易被滥用的脆弱性和其计算机被破坏的潜在危险知之甚少。此外,互联网的设计没有内置审计线索。这在当时是一个合适的选择,但现在由于缺乏可追溯性,很难追踪到恶意活动。再加上尚未适应网络空间监管新挑战的法律体系,这意味着截至今天,互联网对恶棍没有有效的威慑力。不受约束的设计和不受监管的自由促成了互联网的非凡成功。同时,这些因素的结合也导致了不需要的交通量的增加。本节的其余部分将更详细地介绍上述每一个因素。
As in any economic system, the underground economy is regulated by a demand and supply chain. The underground economy, which began as a barter system, has evolved into a giant shopping mall, commonly running on IRC (Internet Relay Chat) servers. The IRC servers provide various online stores selling information about stolen credit cards and bank accounts, malware, bot code, botnets, root accesses to compromised hosts and web servers, and much more. There are DDoS attack stores, credit card stores, PayPal and bank account stores, as well as Cisco and Juniper router stores that sell access to compromised routers. Although not everything can be found on every server, most common tools used to operate in the underground economy can be found on almost all the servers.
与任何经济系统一样,地下经济由需求和供应链调节。地下经济最初是一个易货系统,现在已经演变成一个巨大的购物中心,通常运行在IRC(互联网中继聊天)服务器上。IRC服务器提供各种在线商店,销售有关被盗信用卡和银行帐户、恶意软件、机器人代码、僵尸网络、对受损主机和web服务器的根访问等信息。有DDoS攻击商店、信用卡商店、PayPal和银行帐户商店,以及Cisco和Juniper路由器商店,出售对受损路由器的访问。虽然不是每台服务器上都能找到所有东西,但在地下经济中使用的最常用工具几乎可以在所有服务器上找到。
How do miscreants turn attack tools and compromised machines into real assets? In the simplest case, miscreants electronically transfer money from stolen bank accounts directly to an account that they control, often in another country. In a more sophisticated example, miscreants use stolen credit cards or PayPal accounts for online purchases. To hide their trails, they often find remailers who receive the purchased goods and then repackage them to send to the miscreants for a fee. The miscreants may also sell the goods through online merchandising sites such as eBay. They request the payments be made in cashier checks or money orders to be sent to the people who provide money laundering services for the miscreants by receiving the payments and sending them to banks in a different country, again in exchange for a fee. In either case, the destination bank accounts are used only for a short period and are closed as soon as the money is withdrawn by the miscreants.
歹徒如何将攻击工具和受损机器变成真正的资产?在最简单的情况下,歹徒通过电子方式将被盗银行账户中的资金直接转移到他们控制的账户,通常是在另一个国家。在一个更复杂的例子中,歹徒使用被盗的信用卡或贝宝账户进行在线购买。为了隐藏他们的踪迹,他们通常会找到那些收到购买的货物的再生产商,然后重新包装这些货物,并以一定的费用寄给这些恶棍。这些不法分子还可能通过eBay等在线商品销售网站出售商品。他们要求以本票或汇款单的形式支付款项,通过接收款项并将其发送到另一个国家的银行,再以收取费用的方式将款项发送给为歹徒提供洗钱服务的人。在这两种情况下,目的地银行账户都只在短期内使用,一旦歹徒取出资金,账户就会关闭。
The miscreants obtain private and financial information from compromised hosts and install bots (a.k.a. zombies) on them. They can also obtain such information from phishing attacks. Spam messages mislead naive users into accessing spoofed web sites run by the miscreants where their financial information is extracted and collected.
这些歹徒从受损主机获取私人和财务信息,并在其上安装机器人(又称僵尸)。他们还可以从网络钓鱼攻击中获取此类信息。垃圾邮件误导天真的用户访问恶棍运营的伪造网站,从中提取和收集他们的财务信息。
The miscreants in general are not skilled programmers. With money, however, they can hire professional writers to produce well phrased spam messages, and hire coders to develop new viruses, worms, spyware, and botnet control packages, thereby resupplying the underground market with new tools that produce more unwanted traffic on the Internet: spam messages that spread phishing attacks, botnets that are used to launch DDoS attacks, click fraud that "earns" income by deceiving online commercial advertisers, and new viruses and worms that compromise more hosts and steal additional financial information as well as system passwords and personal identity information.
这些恶棍一般都不是熟练的程序员。然而,有了钱,他们可以雇佣专业作家制作措辞恰当的垃圾邮件,并雇佣编码人员开发新的病毒、蠕虫、间谍软件和僵尸网络控制软件包,从而为地下市场提供新的工具,在互联网上产生更多不必要的流量:传播网络钓鱼攻击的垃圾邮件,用于发起DDoS攻击的僵尸网络,通过欺骗在线商业广告商“赚取”收入的点击欺诈,以及危害更多主机并窃取额外财务信息以及系统密码和个人身份信息的新病毒和蠕虫。
The income gained from the above illegal activities allows miscreants to hire spammers, coders, and IRC server providers. Spammers use botnets. Direct marketing companies set up dirty affiliate programs. Some less than scrupulous banks are also involved to earn transaction fees from moving the dirty money around. In the underground market, everything can be traded, and everything has a value. Thus is spawned unwanted traffic of all kinds.
从上述非法活动中获得的收入允许不法分子雇佣垃圾邮件发送者、编码者和IRC服务器提供商。垃圾邮件发送者使用僵尸网络。直销公司设立了肮脏的联盟计划。一些不那么严格的银行也参与了通过转移脏钱来赚取交易费的活动。在地下市场,一切都可以交易,一切都有价值。因此产生了各种不必要的流量。
The underground economy has evolved very rapidly over the past few years. In the early days of bots and botnets, their activities were largely devoted to DDoS attacks and were relatively easy to detect. As the underground economy has evolved, so have the botnets. They have moved from easily detectable behavior to masquerading as normal user network activity to achieve their goals, making detection very difficult even by vigilant system administrators.
过去几年,地下经济发展非常迅速。在机器人和僵尸网络出现的早期,它们的活动主要用于DDoS攻击,并且相对容易检测。随着地下经济的发展,僵尸网络也在发展。他们已经从容易检测到的行为转变为伪装成正常的用户网络活动来实现他们的目标,这使得即使警惕的系统管理员也很难检测到。
The drive for this rapid evolution comes to a large extent from the change in the intention of miscreant activity. Early virus attacks and botnets were largely anarchic activities. Many were done by "script kiddies" to disrupt systems without a real purpose or to demonstrate the prowess of the attacker, for example in compromising systems that were touted as "secure". Mirroring the commercialization of the Internet and its increasing use for e-business, miscreant activity is now mostly focused on conventional criminal lines. Systems are quietly subverted with the goal of obtaining illicit financial gain in the future, rather than causing visible disruptions as was often the aim of the early hackers.
这种迅速演变的动力在很大程度上来自于恶行活动意图的变化。早期的病毒攻击和僵尸网络主要是无政府行为。许多攻击都是由“脚本小子”进行的,目的是在没有真正目的的情况下破坏系统,或者展示攻击者的威力,例如破坏被吹捧为“安全”的系统。反映了互联网的商业化及其在电子商务中的日益广泛使用,现在的犯罪活动主要集中在传统的犯罪线路上。系统被悄悄地颠覆,目的是在未来获得非法的经济利益,而不是像早期黑客通常的目的那样造成可见的破坏。
Internet Relay Chat (IRC) servers are commonly used as the command and control channel for the underground market. These servers are paid for by miscreants and are professionally supported. They are advertised widely to attract potential consumers, and thus are easy to find. The miscreants first talk to each other on the servers to find out who is offering what on the market, then exchange encrypted private messages to settle the deals.
互联网中继聊天(IRC)服务器通常用作地下市场的指挥和控制渠道。这些服务器由歹徒付费,并得到专业支持。它们被广泛宣传以吸引潜在消费者,因此很容易找到。歹徒们首先在服务器上互相交谈,找出谁在市场上提供什么,然后交换加密的私人消息来解决交易。
The miscreants are not afraid of network operators seeing their actions. If their activities are interrupted, they simply move to another venue. When ISPs take actions to protect their customers, revenge attacks are uncommon as long as the miscreants' cash flow is not disturbed. When a botnet is taken out, they move on to the next one, as there is a plentiful supply. However, if an IRC server is taken out that disturbs their cash flow, miscreants can be ruthless and severe attacks may follow. They currently have no fear, as they know the chances of their being caught are minimal.
这些恶棍并不害怕网络运营商看到他们的行动。如果他们的活动被打断,他们只需搬到另一个地点。当互联网服务提供商采取行动保护他们的客户时,只要不干扰歹徒的现金流,报复性攻击就不常见。当一个僵尸网络被取出时,他们会转移到下一个,因为有充足的供应。然而,如果一个IRC服务器被取出,扰乱了他们的现金流,歹徒可能会变得残忍,随后可能会遭到严重的攻击。他们目前并不害怕,因为他们知道自己被抓住的机会很小。
Our enemies make good use of the Internet's global connectivity as well as all the tools the Internet has developed. IRC servers provide a job market for the miscreants and shopping malls of attack tools. Networking research has produced abundant results making it easier to build large scale distributed systems, and these have been adopted by miscreants to build large size, well-controlled botnets. Powerful search engines also enable one to quickly find readily available tools and resources. The sophistication of attacks has increased with time, while the skills required to launch effective attacks have become minimal. Attackers can be hiding anywhere in the Internet while attacks get launched on a global scale.
我们的敌人充分利用互联网的全球连通性以及互联网开发的所有工具。IRC服务器为歹徒和攻击工具购物中心提供了就业市场。网络研究已经产生了丰富的成果,使得构建大规模分布式系统变得更加容易,而这些成果已经被歹徒用来构建大型、控制良好的僵尸网络。强大的搜索引擎还使人们能够快速找到现成的工具和资源。随着时间的推移,攻击的复杂程度不断提高,而发动有效攻击所需的技能也变得微不足道。在全球范围内发起攻击时,攻击者可以隐藏在互联网的任何地方。
The current Internet provides a field ripe for exploitation. The majority of end hosts run vulnerable platforms. People from all walks of life eagerly jump into the newly discovered online world, yet without the proper training needed to understand the full implications. This is at least partially due to most users failing to anticipate how such a great invention can be readily abused. As a result, the Internet has ended up with a huge number of compromised hosts, without their owners being aware that it has happened.
当前的互联网提供了一个成熟的开发领域。大多数终端主机运行易受攻击的平台。各行各业的人们都热切地跳进新发现的网络世界,但却没有得到理解其全部含义所需的适当培训。这至少在一定程度上是由于大多数用户未能预见到如此伟大的发明如何容易被滥用。结果,互联网最终导致大量主机受损,而其所有者却不知道这一情况已经发生。
Unprotected hosts can be compromised in multiple ways. Viruses and worms can get into the system through exploiting bugs in the existing operating systems or applications, sometimes even in anti-virus programs. A phishing site may also take the opportunity to install malware on a victim's computer when a user is lured to the site. More recently, viruses have also started being propagated through popular peer-to-peer file sharing applications. With multiple channels of propagation, malware has become wide-spread, and infected machines include not only home PCs (although they do represent a large percentage), but also corporate servers, and even government firewalls.
未受保护的主机可能以多种方式受到损害。病毒和蠕虫可以通过利用现有操作系统或应用程序(有时甚至是反病毒程序)中的漏洞进入系统。当用户被诱骗到网站时,网络钓鱼网站还可能借此机会在受害者的计算机上安装恶意软件。最近,病毒也开始通过流行的点对点文件共享应用程序传播。通过多种传播渠道,恶意软件已经广泛传播,受感染的机器不仅包括家用电脑(尽管它们确实占很大比例),还包括公司服务器,甚至政府防火墙。
News of new exploits of vulnerabilities of Microsoft Windows platforms is all too frequent, which leads to a common perception that the Microsoft Windows platform is a major source of vulnerability. One of the reasons for the frequent vulnerability exploits of the Windows system is its popularity in the market place; thus, a miscreant's investment in each exploit can gain big returns from infecting millions of machines. As a result, each incident is also likely to make headlines in the news. In reality, all other platforms such as Linux, Solaris, and MAC OS for example, are also vulnerable to compromises. Routers are not exempt from security break-ins either, and using a high-end router as a DoS launchpad can be a lot more effective than using a bundle of home PCs.
新的利用Microsoft Windows平台漏洞的新闻太频繁了,这导致人们普遍认为Microsoft Windows平台是漏洞的主要来源。Windows系统频繁漏洞攻击的原因之一是其在市场上的流行程度;因此,一个恶棍对每一次攻击的投资都可以从感染数百万台机器中获得巨大的回报。因此,每一个事件都有可能成为新闻头条。事实上,所有其他平台,例如Linux、Solaris和MAC OS,也容易受到损害。路由器也不能免于安全入侵,使用高端路由器作为DoS启动平台可能比使用一捆家用PC更有效。
Quietly subverting large numbers of hosts and making them part of a botnet, while leaving their normal functionality and connectivity essentially unimpaired, is now a major aim of miscreants and it appears that they are being all too successful. Bots and the functions they perform are often hard to detect and most of the time their existence are not known to system operators or owners (hence, the alternative name for hosts infected with bots controlled by miscreants - zombies); by the time they are detected, it might very well be too late as they have carried out the intended (mal-)function.
悄悄地颠覆大量主机并使其成为僵尸网络的一部分,同时保持其正常功能和连接性基本上不受影响,现在是恶棍们的一个主要目标,而且看起来他们太成功了。机器人及其执行的功能通常很难检测到,而且大多数情况下,系统操作员或所有者并不知道它们的存在(因此,被歹徒控制的机器人感染的主机的替代名称为僵尸);当它们被检测到时,可能已经太晚了,因为它们已经执行了预期的(错误)功能。
The existence of a large number of compromised hosts is a particularly challenging problem to the Internet's security. Not only does the stolen financial information lead to enormous economic losses, but also there has been no quick fix to the problem. As noted above, in many cases the owners of the compromised computers are unaware of the problem. Even after being notified, some owners still do not care about fixing the problem as long as their own interest, such as playing online games, is not affected, even though the public interest is endangered --- large botnets can use multi- millions of such compromised hosts to launch DDoS attacks, with each host sending an insignificant amount of traffic but the aggregate exceeding the capacity of the best engineered systems.
The existence of a large number of compromised hosts is a particularly challenging problem to the Internet's security. Not only does the stolen financial information lead to enormous economic losses, but also there has been no quick fix to the problem. As noted above, in many cases the owners of the compromised computers are unaware of the problem. Even after being notified, some owners still do not care about fixing the problem as long as their own interest, such as playing online games, is not affected, even though the public interest is endangered --- large botnets can use multi- millions of such compromised hosts to launch DDoS attacks, with each host sending an insignificant amount of traffic but the aggregate exceeding the capacity of the best engineered systems.
One of the Internet's big strengths is its ability to provide seamless interconnection among an effectively unlimited number of parties. However, the other side of the same coin is that there may not be clear ways to assign responsibilities when something goes wrong. Taking DDoS attacks as an example, an attack is normally launched from a large number of compromised hosts, the attack traffic travels across the Internet backbone to the access network(s) linking to the victims. As one can see, there are a number of independent stake-holders involved, and it is not immediately clear which party should take responsibility for resolving the problem.
互联网的一大优势是它能够在实际上不受限制的各方之间提供无缝互连。然而,同一枚硬币的另一面是,当出现问题时,可能没有明确的方法来分配责任。以DDoS攻击为例,通常从大量受损主机发起攻击,攻击流量通过互联网主干传输到连接到受害者的接入网络。正如人们所看到的,有许多独立的利益相关者参与其中,目前还不清楚应由哪一方负责解决问题。
Furthermore, tracking down an attack is an extremely difficult task. The Internet architecture enables any IP host to communicate with any other hosts, and it provides no audit trails. As a result, not only is there no limit to what a host may do, but also there is no trace after the event of what a host may have done. At this time, there is virtually no effective tool available for problem diagnosis or packet trace back. Thus, tracking down an attack is labor intensive and requires sophisticated skills. As will be mentioned in the next section, there is also a lack of incentive to report security attacks. Compounded with the high cost, these factors make forensic tracing of an attack to its root a rare event.
此外,追踪攻击是一项极其困难的任务。Internet体系结构允许任何IP主机与任何其他主机通信,并且不提供审核跟踪。因此,不仅对主机可以执行的操作没有限制,而且在事件发生后也没有跟踪主机可能执行的操作。目前,几乎没有有效的工具可用于问题诊断或数据包跟踪。因此,追踪攻击需要耗费大量人力,并且需要复杂的技能。正如将在下一节中提到的,还缺乏报告安全攻击的动机。再加上高昂的成本,这些因素使得对袭击根源的法医追踪成为罕见的事件。
In human society, the legal systems provide protection against criminals. However, in the cyberspace, the legal systems are lagging behind in establishing regulations. The laws and regulations aim at penalizing the conduct after the fact. If the likelihood of detection is low, the deterrence would be minimal. Many national jurisdictions have regulations about acts of computer fraud and abuse, and they often carry significant criminal penalties. In the US (and many other places), it is illegal to access government computers without authorization, illegal to damage protected government computers, and illegal to access confidential information on protected computers. However, the definition of "access" can be difficult to ascertain. For example, is sending an ICMP (Internet Control Messaging Protocol) packet to a protected computer considered illegal access? There is a lack of technical understanding among lawmakers that would be needed to specify the laws precisely and provide effective targeting limited to undesirable acts. Computer fraud and liabilities laws provide a forum to address illegal access activities and enable prosecution of cybercriminals. However, one difficulty in prosecuting affiliate programs using bot infrastructure is that they are either borderline legal, or there is little evidence. There is also the mentality of taking legal action only when the measurable monetary damage exceeds a high threshold, while it is often difficult to quantify the monetary damage in individual cases of cyberspace crimes.
在人类社会中,法律制度为罪犯提供保护。然而,在网络空间,法律体系在制定法规方面滞后。法律法规旨在惩罚事后行为。如果被发现的可能性很低,那么威慑力就会很小。许多国家司法管辖区都有关于计算机欺诈和滥用行为的规定,而且往往会受到重大刑事处罚。在美国(和其他许多地方),未经授权访问政府计算机是非法的,损坏受保护的政府计算机是非法的,访问受保护计算机上的机密信息也是非法的。然而,“准入”的定义可能难以确定。例如,向受保护的计算机发送ICMP(Internet控制消息传递协议)数据包是否被视为非法访问?立法者之间缺乏技术上的理解,需要准确地规定法律,并提供有效的目标,仅限于不良行为。计算机欺诈和责任法为解决非法访问活动和起诉网络罪犯提供了一个论坛。然而,起诉使用bot基础设施的附属项目的一个困难是,它们要么处于法律边缘,要么几乎没有证据。还有一种心态是,只有当可测量的金钱损失超过高阈值时才采取法律行动,而在网络空间犯罪的个别案件中,往往很难量化金钱损失。
There is a coalition between countries on collecting cybercriminal evidence across the world, but there is no rigorous way to trace across borders. Laws and rules are mostly local to a country, policies (when they exist) are mostly enacted and enforced locally, while the Internet itself, that carries the unwanted traffic, respects no borders. One estimate suggests that most players in the underground economy are outside the US, yet most IRC servers supporting the underground market may be running in US network providers, enjoying the reliable service and wide connectivity to the rest of the world provided by the networks.
各国在收集全世界的网络犯罪证据方面有一个联盟,但没有严格的跨境追踪方法。法律和规则大多是一个国家的地方性法规,政策(如果有)大多是在当地制定和执行的,而承载不需要的流量的互联网本身则不尊重任何边界。一项估计表明,地下经济的大多数参与者都在美国境外,但支持地下市场的大多数IRC服务器可能都在美国网络供应商中运行,享受着网络提供的可靠服务和与世界其他地区的广泛连接。
In addition, the definition of "unwanted" traffic also varies between different countries. For example, China bans certain types of network traffic that are considered legitimate elsewhere. Yet another major difficulty is the trade-off and blurred line between having audit trails to facilitate forensic analysis and to enforce censorship. The greater ability we build into the network to control traffic, the stronger would be the monitoring requirements coming from the legislators.
此外,“不需要的”交通的定义在不同的国家也有所不同。例如,中国禁止在其他地方被视为合法的某些类型的网络流量。另一个主要的困难是,在通过审计追踪来促进法医分析和实施审查之间存在权衡和模糊的界限。我们在网络中建立的控制流量的能力越强,立法者提出的监控要求就越强。
It should be emphasized that, while a legal system is necessary to create effective deterrence and sanctions against miscreants, it is by no means sufficient on its own. Rather, it must be accompanied by
应当强调的是,虽然法律制度对于建立对恶棍的有效威慑和制裁是必要的,但仅靠法律制度本身是远远不够的。相反,它必须伴随着
technical solutions to unwanted traffic detection and damage recovery. It is also by no means a substitute for user education. Only a well informed user community can collectively establish an effective defense in the cyberspace.
意外流量检测和损坏恢复的技术解决方案。它也决不是用户教育的替代品。只有消息灵通的用户群体才能在网络空间集体建立有效的防御。
What we have today is not a rosy picture: there are
我们今天所拥有的并不是一幅美好的图画:有
o big economic incentives and a rich environment to exploit,
o 巨大的经济激励和丰富的开发环境,
o no specific party to carry responsibility,
o 没有具体的责任方,
o no auditing system to trace back to the sources of attacks, and
o 没有可追溯到攻击源的审计系统,以及
o no well established legal regulations to punish offenders.
o 没有完善的法律法规来惩罚罪犯。
The combination of these factors inevitably leads to ever increasing types and volume of unwanted traffic. However, our real threats are not the bots or DDoS attacks, but the criminals behind them. Unwanted traffic is no longer only aiming for maximal disruption; in many cases, it is now a means to illicit ends with the specific purpose of generating financial gains for the miscreants. Their crimes cause huge economic losses, counted in multiple billions of dollars and continuing.
这些因素的结合不可避免地导致不需要的交通类型和数量不断增加。然而,我们真正的威胁不是机器人或DDoS攻击,而是它们背后的罪犯。不需要的流量不再仅仅是为了最大程度的中断;在许多情况下,它现在是达到非法目的的一种手段,其具体目的是为歹徒创造经济利益。他们的犯罪行为造成了巨大的经济损失,数额达数十亿美元,而且还在继续。
There are quite a number of different kinds of unwanted traffic on the Internet today; the discussions at this workshop were mainly around DDoS traffic and spam. The impact of DDoS and spam on different parts of the network differs. Below, we summarize the impact on backbone providers, access providers, and enterprise customers, respectively.
今天,互联网上有许多不同种类的无用流量;本次研讨会的讨论主要围绕DDoS流量和垃圾邮件展开。DDoS和垃圾邮件对网络不同部分的影响不同。下面,我们分别总结了对主干网提供商、接入提供商和企业客户的影响。
Since backbone providers' main line of business is packet forwarding, the impact of unwanted traffic is mainly measured by whether DDoS traffic affects network availability. Spam or malware is not a major concern because backbone networks do not directly support end users. Router compromises may exist, but they are rare events at this time.
由于主干网提供商的主要业务是数据包转发,不需要的流量的影响主要通过DDoS流量是否影响网络可用性来衡量。垃圾邮件或恶意软件不是主要问题,因为主干网不直接支持最终用户。路由器妥协可能存在,但在这个时候它们是罕见的事件。
Observation shows that, in the majority of DDoS attacks, attack traffic can originate from almost anywhere in the Internet. In particular, those regions with high speed user connectivity but
观察表明,在大多数DDoS攻击中,攻击流量几乎可以来自互联网上的任何地方。特别是那些具有高速用户连接但
poorly managed end hosts are often the originating sites of DDoS attacks. The miscreants tend to find targets that offer maximal returns with minimal efforts.
管理不善的终端主机通常是DDoS攻击的始发站点。歹徒们倾向于找到那些付出最小努力就能获得最大回报的目标。
Backbone networks in general are well-provisioned in regard to traffic capacities. Therefore, core routers and backbone link capacity do not get affected much by most DDoS attacks; a 5Gbps attack could be easily absorbed without causing noticeable impact on the performance of backbone networks. However, DDoS attacks often saturate access networks and make a significant impact on customers. In particular, multihomed customers who have multiple well-provisioned connections for high throughput and performance may suffer from aggregated DDoS traffic coming in from all directions.
一般来说,主干网在通信容量方面配置良好。因此,大多数DDoS攻击对核心路由器和骨干链路容量影响不大;5Gbps攻击很容易被吸收,而不会对骨干网络的性能造成明显影响。然而,DDoS攻击通常会使访问网络饱和,并对客户造成重大影响。特别是,具有多个精心配置的连接以实现高吞吐量和高性能的多宿客户可能会受到来自各个方向的聚合DDoS流量的影响。
Currently, backbone networks do not have effective diagnosis or mitigation tools against DDoS attacks. The foremost problem is a lack of incentives to deploy security solutions. Because IP transit services are a commodity, controlling cost is essential to surviving the competition. Thus, any expenditure tends to require a clearly identified return-on-investment (ROI). Even when new security solutions become available, providers do not necessarily upgrade their infrastructure to deploy the solutions, as security solutions are often prevention mechanisms that may not have an easily quantifiable ROI. To survive in the competitive environment in which they find themselves, backbone providers also try to recruit more customers. Thus, a provider's reputation is important. Due to the large number of attacks and inadequate security solution deployment, effective attacks and security glitches can be expected. However, it is not in a provider's best interest to report all the observed attacks. Instead, the provider's first concern is to minimize the number of publicized security incidents. For example, a "trouble ticket" acknowledging the problem is issued only after a customer complains. An informal estimate suggested that only about 10% of DDoS attacks are actually reported (some other estimates have put the figure as low as 2%). In short, there is a lack of incentives to either report problems or deploy solutions.
目前,主干网没有针对DDoS攻击的有效诊断或缓解工具。首要的问题是缺乏部署安全解决方案的激励。由于IP传输服务是一种商品,因此控制成本对于在竞争中生存至关重要。因此,任何支出都需要明确的投资回报率(ROI)。即使有了新的安全解决方案,提供商也不一定要升级其基础设施以部署解决方案,因为安全解决方案通常是预防机制,可能没有容易量化的ROI。为了在竞争激烈的环境中生存,主干网提供商还试图招募更多的客户。因此,供应商的声誉很重要。由于攻击数量巨大且安全解决方案部署不足,因此可以预期会出现有效的攻击和安全问题。但是,报告所有观察到的攻击并不符合提供商的最佳利益。相反,提供商首先关心的是尽量减少公开的安全事件的数量。例如,只有在客户投诉后,才会发出确认问题的“故障单”。一项非正式估计表明,只有约10%的DDoS攻击被实际报告(其他一些估计将该数字降至2%)。简言之,缺乏报告问题或部署解决方案的激励。
Partly as a consequence of the lack of incentive and lack of funding, there exist few DDoS mitigation tools for backbone providers. Network operators often work on their own time to fight the battle against malicious attacks. Their primary mitigation tools today are Access Control Lists (ACL) and BGP (Border Gateway Protocol) null routes to black-hole unwanted traffic. These tools can be turned on locally and do not require coordination across administrative domains. When done at, or near, DDoS victims, these simple tools can have an immediate effect in reducing the DDoS traffic volume.
部分由于缺乏激励和资金,骨干网提供商几乎没有DDoS缓解工具。网络运营商经常利用自己的时间与恶意攻击作斗争。如今,他们的主要缓解工具是访问控制列表(ACL)和BGP(边界网关协议)空路由,用于黑洞不需要的流量。这些工具可以在本地打开,不需要跨管理域进行协调。当在DDoS受害者处或附近进行时,这些简单的工具可以立即降低DDoS流量。
However, these tools are rather rudimentary and inadequate, as we will elaborate in Section 4.2.1.
然而,正如我们将在第4.2.1节中详细说明的那样,这些工具相当初级且不充分。
A common issue that access providers share with backbone providers is the lack of incentive and the shortage of funding needed to deploy security solutions. As with the situation with security incidents on the backbone, the number of security incidents reported by access providers is estimated to be significantly lower than the number of the actual incidents that occurred.
接入提供商与主干网提供商共同面临的一个问题是,缺乏部署安全解决方案所需的激励和资金短缺。与主干网发生安全事件的情况一样,接入提供商报告的安全事件数量估计大大低于实际发生的事件数量。
Because access providers are directly connected to end customers, they also face unique problems of their own. From the access providers' viewpoint, the most severe impact of unwanted traffic is not the bandwidth exhaustion, but the customer support load it engenders. The primary impact of unwanted traffic is on end users, and access providers must respond to incident reports from their customers. Today, access providers are playing the role of IT help desk for many of their customers, especially residential users. According to some access providers, during the Microsoft Blaster worm attack, the average time taken to handle a customer call was over an hour. Due to the high cost of staffing the help desks, it is believed that, if a customer calls the help desk just once, the provider would lose the profit they would otherwise have otherwise made over the lifetime of that customer account.
由于接入提供商直接连接到终端客户,因此他们也面临着自己独特的问题。从接入提供商的角度来看,不需要的流量最严重的影响不是带宽耗尽,而是它所带来的客户支持负载。不必要流量的主要影响是最终用户,访问提供商必须对其客户的事件报告作出响应。如今,接入提供商正在为许多客户(尤其是住宅用户)扮演IT服务台的角色。据一些访问提供商称,在Microsoft Blaster蠕虫攻击期间,处理客户电话的平均时间超过一小时。由于服务台的人员配置成本较高,我们认为,如果客户只给服务台打一次电话,服务提供商将失去在该客户帐户的生命周期内本来可以获得的利润。
To reduce the high customer service cost caused by security breaches, most access providers offer free security software to their customers. It is much cheaper to give the customer "free" security software in the hope of preventing system compromises than handling the system break-ins after the event. However, perhaps due to their lack of understanding of the possible security problems they may face, many customers fail to install security software despite the free offer from their access providers, or even when they do, they may lack the skill needed to configure a complex system correctly.
为了降低因安全漏洞而导致的高客户服务成本,大多数接入提供商向其客户提供免费的安全软件。与事后处理系统入侵相比,为客户提供“免费”安全软件以防止系统受损要便宜得多。然而,可能是由于他们对可能面临的安全问题缺乏了解,许多客户无法安装安全软件,尽管他们的访问提供商提供了免费服务,或者即使安装了,他们也可能缺乏正确配置复杂系统所需的技能。
What factors may influence how quickly customers get the security breaches fixed? Past experience suggests the following observations:
哪些因素可能影响客户修复安全漏洞的速度?过去的经验表明以下观察结果:
o Notification has little impact on end user repair behavior.
o 通知对最终用户修复行为几乎没有影响。
o There is no significant difference in terms of repair behavior between different industries or between business and home users.
o 不同行业之间或商业用户与家庭用户之间的维修行为没有显著差异。
o Users' patching behavior follows an exponential decay pattern with a time constant of approximately 40% per month. Thus, about 40% of computers tend to be patched very quickly when a patch is
o 用户的补丁行为遵循指数衰减模式,时间常数约为每月40%。因此,大约40%的计算机在安装补丁时往往会很快被修补
released, and approximately 40% of the remaining vulnerable computers in each following month will show signs of being patched. This leaves a few percent still unpatched after 6 months. In the very large population of Internet hosts, this results in a significant number of hosts that will be vulnerable for the rest of their life.
在接下来的每个月,大约40%的剩余易受攻击的计算机将显示被修补的迹象。这使得6个月后仍有少数未修补。在互联网主机数量非常庞大的情况下,这将导致大量主机在其余生中易受攻击。
o There is a general lack of user understanding: after being compromised, unmanaged computers may get replaced rather than repaired, and this often results in infections occurring during the installation process on the replacement.
o 用户普遍缺乏理解:在受损后,非托管计算机可能会被更换而不是修复,这通常会导致在更换计算机的安装过程中发生感染。
The operators of one big enterprise network reported their experience regarding unwanted traffic to the workshop. Enterprises perceive many forms of bad traffic including worms, malware, spam, spyware, Instant Messaging (IM), peer-to-peer (P2P) traffic, and DoS. Compared to backbone and access providers, enterprise network operators are more willing to investigate security breaches, although they may hesitate to pay a high price for security solutions. False positives are very costly. Most operators prefer false negatives to false positives. In general, enterprises prefer prevention solutions to detection solutions.
一家大型企业网络的运营商向车间报告了他们关于不必要流量的经验。企业感知到多种形式的不良流量,包括蠕虫、恶意软件、垃圾邮件、间谍软件、即时消息(IM)、点对点(P2P)流量和DoS。与主干网和接入提供商相比,企业网络运营商更愿意调查安全漏洞,尽管他们可能会犹豫是否为安全解决方案支付高昂的价格。误报的代价很高。大多数操作员更喜欢假阴性而不是假阳性。一般来说,企业更喜欢预防解决方案而不是检测解决方案。
Deliberately created unwanted traffic (as opposed to unwanted traffic that might arise from misconfiguration) in enterprise networks can be sorted into three categories. The first is "Nuisance", which includes unwanted traffic such as spam and peer-to-peer file sharing. Although there were different opinions among the workshop participants as to whether P2P traffic should, or should not, be considered as unwanted traffic, enterprise network operators are concerned not only that P2P traffic represents a significant share of the total network load, but they are also sensitive to potential copyright infringement issues that might lead to significant financial and legal impacts on the company as a whole. In addition, P2P file sharing applications have also became a popular channel for malware propagation.
企业网络中故意创建的不必要流量(与可能因配置错误而产生的不必要流量相反)可分为三类。第一种是“滋扰”,包括垃圾邮件和点对点文件共享等不必要的流量。尽管研讨会参与者对P2P流量是否应被视为有害流量存在不同意见,但企业网络运营商不仅关注P2P流量占总网络负载的很大一部分,但他们也对可能对整个公司造成重大财务和法律影响的潜在版权侵权问题敏感。此外,P2P文件共享应用程序也已成为恶意软件传播的流行渠道。
The second category of unwanted traffic is labeled "Malicious", which includes the traffic that spreads malware. This class of traffic can be small in volume but the cost from the resulting damage can be high. The clean up after an incident also requires highly skilled operators.
第二类不需要的流量被标记为“恶意”,其中包括传播恶意软件的流量。这类交通量可能很小,但由此造成的损失成本可能很高。事故后的清理也需要高技能的操作员。
The third category of unwanted traffic is "Unknown": it is known that there exists a class of traffic in the network that can be best described in this way, as no one knows its purpose or the locations
第三类不需要的流量是“未知的”:已知网络中存在一类流量,可以用这种方式最好地描述,因为没有人知道它的用途或位置
of the sources. Malicious traffic can be obscured by encryption, encapsulation, or covered up as legitimate traffic. The existing detection tools are ineffective for this type of traffic. Noisy worms are easy to identify, but stealth worms can open a backdoor on hosts and stay dormant for a long time without causing any noticeable detrimental effect. This type of bad traffic has the potential to make the greatest impact on an enterprise from a threat perspective.
消息来源之一。恶意流量可以通过加密、封装或掩盖为合法流量来掩盖。现有的检测工具对此类流量无效。噪音蠕虫很容易识别,但隐形蠕虫可以打开主机的后门,长时间处于休眠状态,而不会造成任何明显的有害影响。从威胁的角度来看,这种类型的不良流量有可能对企业造成最大的影响。
There are more mitigation tools available for enterprise networks than for backbone and access network providers; one explanation might be the greater affordability of solutions for enterprise networks. The costs of damage from a security breach can also have a very significant impact on the profits of an enterprise. At the same time, however, the workshop participants also expressed concerns regarding the ongoing arms race between security exploits and patching solutions. Up to now, security efforts have, by and large, been reactive, creating a chain of security exploits and a consequent stream of "fixes". Such a reactive mode has not only created a big security market, but also does not enable us to get ahead of attackers.
与主干网和接入网提供商相比,企业网络的缓解工具更多;一种解释可能是企业网络解决方案的价格更高。安全漏洞造成的损害成本也会对企业的利润产生非常重大的影响。然而,与此同时,研讨会参与者还对安全漏洞和修补解决方案之间正在进行的军备竞赛表示关切。到目前为止,安全工作大体上是被动的,产生了一连串的安全漏洞攻击和随之而来的“修复”。这种被动模式不仅创造了一个巨大的证券市场,而且也无法让我们超越攻击者。
Different from backbone and access providers, there also exists a class of Internet service infrastructure providers. Provision of Domain Name System (DNS) services offers an example here. As reported by operators from a major DNS hosting company, over time there have been increasingly significant DDoS attacks on .com, .net and root servers.
与骨干网和接入网提供商不同,还存在一类互联网服务基础设施提供商。提供域名系统(DNS)服务就是一个例子。据一家大型DNS托管公司的运营商报告,随着时间的推移,.com、.net和根服务器上的DDoS攻击越来越严重。
DNS service operators have witnessed large scale DDoS attacks. The most recent ones include reflection attacks resulting from queries using spoofed source addresses. The major damage caused by these attacks are bandwidth and resource exhaustion, which led to disruption of critical services. The peak rate of daily DNS transactions has been growing at a much faster rate than the number of Internet users, and this trend is expected to continue. The heavy load on the DNS servers has led to increasing complexity in providing the services.
DNS服务运营商目睹了大规模DDoS攻击。最近的攻击包括使用伪造源地址的查询导致的反射攻击。这些攻击造成的主要损害是带宽和资源耗尽,导致关键服务中断。每日DNS交易的峰值增长速度远快于互联网用户数量,预计这一趋势将持续下去。DNS服务器上的繁重负载导致提供服务的复杂性增加。
In addition to intentional DDoS Attacks, some other causes of the heavy DNS load included (1) well known bugs in a small number of DNS servers that still run an old version of the BIND software, causing significant load increase at top level servers; and (2) inappropriately configured firewalls that allow DNS queries to come out but block returning DNS replies, resulting in big adverse impacts on the overall system. Most of such issues have been addressed in the DNS operational guidelines drafted by the IETF DNS Operations
除了故意的DDoS攻击外,DNS负载沉重的其他一些原因包括(1)少数DNS服务器中的众所周知的错误,这些服务器仍然运行旧版本的BIND软件,导致顶级服务器的负载显著增加;和(2)不适当配置的防火墙,允许DNS查询出来,但阻止返回DNS回复,从而对整个系统造成巨大的不利影响。大多数此类问题已在IETF DNS操作部门起草的DNS操作指南中得到解决
Working Group; however, many DNS operators have not taken appropriate actions.
工作组;然而,许多DNS运营商没有采取适当的行动。
At this time, the only effective and viable mitigation approach is over-engineering the DNS service infrastructure by increasing link bandwidth, the number of servers, and the server processing power, as well as deploying network anycast. There is a concern about whether the safety margin gained from over-engineering is, or is not, adequate in sustaining DNS services over future attacks. Looking forward, there are also a few new issues looming. Two imminent ones are the expected widespread deployment of IPv6 whose new DNS software would inevitably contain new bugs, and the DNS Security Extensions (DNSSEC), which could potentially be abused to generate DDoS attacks.
目前,唯一有效和可行的缓解方法是通过增加链路带宽、服务器数量和服务器处理能力以及部署网络选播来过度设计DNS服务基础设施。人们担心,过度设计所获得的安全裕度是否足以在未来的攻击中维持DNS服务。展望未来,还有一些新问题迫在眉睫。两个迫在眉睫的问题是IPv6的预期广泛部署,其新DNS软件将不可避免地包含新的漏洞,以及DNS安全扩展(DNSSEC),该扩展可能被滥用以产生DDoS攻击。
This section summarizes three aspects of the workshop discussions. We first collected the major vulnerabilities mentioned in the workshop, then made a summary of the existing solutions, and followed up with an examination of the effectiveness, or lack of it, of the existing solutions.
本节总结了研讨会讨论的三个方面。我们首先收集了研讨会中提到的主要漏洞,然后总结了现有的解决方案,并随后检查了现有解决方案的有效性或不足。
Below is a list of known Internet vulnerabilities and issues around unwanted traffic.
下面列出了已知的Internet漏洞和有关不必要流量的问题。
o Packet source address spoofing: there has been speculation that attacks using spoofed source addresses are decreasing, due to the proliferation of botnets, which can be used to launch various attacks without using spoofed source addresses. It is certainly true that not all the attacks use spoofed addresses; however, many attacks, especially reflection attacks, do use spoofed source addresses.
o 数据包源地址欺骗:有人猜测,由于僵尸网络的扩散,使用欺骗源地址的攻击正在减少,僵尸网络可以在不使用欺骗源地址的情况下发动各种攻击。当然,并非所有的攻击都使用伪造的地址;然而,许多攻击,尤其是反射攻击,确实使用伪造的源地址。
o BGP route hijacking: in a survey conducted by Arbor Networks, route hijacking together with source address spoofing are listed as the two most critical vulnerabilities on the Internet. It has been observed that miscreants hijack bogon prefixes for spam message injections. Such hijacks do not affect normal packet delivery and thus have a low chance of being noticed.
o BGP路由劫持:在Arbor Networks进行的一项调查中,路由劫持和源地址欺骗被列为互联网上两个最关键的漏洞。据观察,歹徒劫持bogon前缀用于垃圾邮件注入。此类劫持不会影响正常的数据包传递,因此被发现的几率很低。
o Everything over HTTP: port scan attacks occur frequently in today's Internet, looking for open TCP or UDP ports through which to gain access to computers. The reaction from computer system management has been to close down all the unused ports, especially in firewalls. One result of this reaction is that application designers have moved to transporting all data communications over
o HTTP上的一切:端口扫描攻击在今天的互联网上频繁发生,寻找打开的TCP或UDP端口以访问计算机。计算机系统管理的反应是关闭所有未使用的端口,特别是在防火墙中。这种反应的一个结果是,应用程序设计者已经转向通过网络传输所有数据通信
HTTP to avoid firewall traversal issues. Transporting "everything over HTTP" does not block attacks but has simply moved the vulnerability from one place to another.
HTTP以避免防火墙穿越问题。“通过HTTP传输所有内容”不会阻止攻击,只是将漏洞从一个地方转移到另一个地方。
o Everyone comes from Everywhere: in the earlier life of the Internet it had been possible to get some indication of the authenticity of traffic from a specific sender based for example on the Time To Live (TTL). The TTL would stay almost constant when traffic from a certain sender to a specific host entered an operators network, since the sender will "always" set the TTL to the same value. If a change in the TTL value occurred without an accompanying change in the routing, one could draw the conclusion that this was potential unwanted traffic. However, since hosts have become mobile, they may be roaming within an operator's network and the resulting path changes may put more (or less) hops between the source and the destination. Thus, it is no longer possible to interpret a change in the TTL value, even if it occurs without any corresponding change in routing, as an indication that the traffic has been subverted.
o 每个人都来自四面八方:在互联网的早期,有可能从特定的发送者那里获得流量真实性的一些指示,例如基于生存时间(TTL)。当从某个发送方到某个特定主机的流量进入运营商网络时,TTL几乎保持不变,因为发送方将“始终”将TTL设置为相同的值。如果TTL值发生变化而路由没有相应变化,则可以得出结论,这是潜在的不必要流量。然而,由于主机已经成为移动的,它们可能在运营商的网络中漫游,并且由此产生的路径更改可能会在源和目标之间增加(或减少)跳数。因此,不再可能将TTL值的变化解释为业务已被破坏的指示,即使其在路由中没有任何相应变化的情况下发生。
o Complex Network Authentication: Network authentication as it is used today is far too complex to be feasible for users to use effectively. It will also be difficult to make it work with new wireless access technologies.
o 复杂网络认证:目前使用的网络认证过于复杂,用户无法有效使用。要使它与新的无线接入技术配合使用也很困难。
A possible scenario envisages a customers handset that is initially on a corporate wireless network. If that customer steps out of the corporate building, the handset may get connected to the corporate network through a GPRS network. The handset may then roam to a wireless LAN network when the user enters a public area with a hotspot. Consequently, we need authentication tools for cases when the underlying data link layer technology changes quickly, possibly during a single application session.
一种可能的情况是设想客户的手机最初位于公司无线网络上。如果该客户走出公司大楼,手机可能会通过GPRS网络连接到公司网络。然后,当用户进入具有热点的公共区域时,手持设备可以漫游到无线LAN网络。因此,当底层数据链路层技术快速变化时(可能在单个应用程序会话期间),我们需要身份验证工具。
o Unused Security Tools: Vendors and standards have produced quite a number of useful security tools; however, not all, or even most, of them get used extensively.
o 未使用的安全工具:供应商和标准已经生产了很多有用的安全工具;然而,并不是所有的,甚至不是大多数,都被广泛使用。
Several engineering solutions exist that operators can deploy to defend the network against unwanted traffic. Adequate provisioning is one commonly used approach that can diminish the impact of DDoS on the Internet backbone. The solution that received most mentions at the workshop was BCP 38 on ingress filtering: universal deployment of
运营商可以部署几种工程解决方案来保护网络免受不必要的流量影响。充分的资源调配是一种常用的方法,可以减少DDoS对Internet主干网的影响。研讨会上提到最多的解决方案是关于入口过滤的BCP 38:通用部署
BCP 38 can effectively block DDoS attacks using spoofed source IP addresses. At present, Access Control List (ACL) and BGP null routing are the two tools most commonly used by network operators to mitigate DDoS attacks. They are effective in blocking DDoS attacks, especially when being applied at or near a victim's site.
BCP 38可以使用伪造的源IP地址有效阻止DDoS攻击。目前,访问控制列表(ACL)和BGP空路由是网络运营商抵御DDoS攻击最常用的两种工具。它们可有效阻止DDoS攻击,尤其是在受害者站点或其附近应用时。
Unfortunately, BCP 38 is not widely deployed today. BCP 38 may require device upgrades, and is considered tedious to configure and maintain. Although widespread deployment of BCP 38 could benefit the Internet as a whole, deployment by individual sites imposes a certain amount of cost to the site, and does not provide a direct and tangible benefit in return. In other words, BCP 38 suffers from a lack of deployment incentives.
不幸的是,BCP 38目前尚未广泛部署。BCP 38可能需要设备升级,配置和维护被认为是乏味的。虽然BCP 38的广泛部署可以使整个互联网受益,但单个站点的部署会给站点带来一定的成本,并且不会带来直接和有形的回报。换句话说,BCP 38缺乏部署激励。
Both BGP null routing and ACL have the drawback of relying on manual configuration and thus are labor intensive. In addition, they also suffer from blocking both attack and legitimate packets. There is also a potential that some tools could back-fire, e.g., an overly long ACL list might significantly slow down packet forwarding in a router.
BGP null路由和ACL都有依赖于手动配置的缺点,因此都是劳动密集型的。此外,它们还面临阻止攻击和合法数据包的问题。还有一种可能性是某些工具可能会反击,例如,过长的ACL列表可能会显著降低路由器中的数据包转发速度。
Unicast Reverse Path Filtering (uRPF), which is available on some routers, provides a means of implementing a restricted form of BCP 38 ingress filtering without the effort of maintaining ACLs. uRPF uses the routing table to check that a valid path back to the source exists. However, its effectiveness depends on the specificity of the routes against which source addresses are compared. The prevalence of asymmetric routing means that the strict uRPF test (where the route to the source must leave from the same interface on which the packet being tested arrived) may have to be replaced by the loose uRPF test (where the route may leave from any interface). The loose uRPF test is not a guarantee against all cases of address spoofing, and it may still be necessary to maintain an ACL to deal with exceptions.
在某些路由器上可用的单播反向路径过滤(uRPF)提供了一种实现受限形式的BCP 38入口过滤的方法,而无需维护ACL。uRPF使用路由表检查返回源的有效路径是否存在。然而,它的有效性取决于与源地址进行比较的路由的特殊性。非对称路由的盛行意味着严格的uRPF测试(到源的路由必须从测试数据包到达的同一接口离开)可能必须被松散的uRPF测试(路由可以从任何接口离开)所取代。松散的uRPF测试并不能保证防止所有地址欺骗的情况,并且可能仍然需要维护ACL来处理异常。
A wide variety of commercial products is available for enterprise network protection. Three popular types of protection mechanisms are
各种各样的商业产品可用于企业网络保护。以下是三种流行的保护机制:
o Firewalls: firewalls are perhaps the most widely deployed protection products. However, the effectiveness of firewalls in protecting enterprise confidential information can be weakened by spyware installed internally, and they are ineffective against attacks carried out from inside the perimeter established by the firewalls. Too often, spyware installation is a byproduct of installing other applications permitted by end users.
o 防火墙:防火墙可能是部署最广泛的保护产品。但是,防火墙在保护企业机密信息方面的有效性可能会因内部安装的间谍软件而受到削弱,而且它们对于从防火墙建立的周界内部进行的攻击无效。间谍软件安装通常是安装终端用户允许的其他应用程序的副产品。
o Application level gateways: these are becoming more widely used. However, because they require application-specific support, and in many cases they cache all the in-flight documents, configuration can be difficult and the costs high. Thus, enterprise network operators prefer network level protections over layer-7 solutions.
o 应用程序级网关:它们的应用越来越广泛。但是,由于它们需要特定于应用程序的支持,并且在许多情况下它们会缓存所有正在运行的文档,因此配置可能会很困难,而且成本很高。因此,与第7层解决方案相比,企业网络运营商更喜欢网络级保护。
o Anti-spam software: Anti-spam measures consume significant human resources. Current spam mitigation tools include blacklists and content filters. The more recent "learning" filters may help significantly reduce the human effort needed and decrease the number of both false positives and negatives.
o 反垃圾邮件软件:反垃圾邮件措施消耗大量人力资源。当前的垃圾邮件缓解工具包括黑名单和内容过滤器。最近的“学习”过滤器可能有助于显著减少所需的人力,并减少误报和漏报的数量。
A more recent development is computer admission control, where a computer is granted network access if and only if it belongs to a valid user and appears to have the most recent set of security patches installed. It is however a more expensive solution. A major remaining issue facing enterprise network operators is how to solve the user vulnerability problem and reduce reliance on user's understanding of the need for security maintenance.
最近的一个发展是计算机准入控制,当且仅当计算机属于有效用户并且似乎安装了最新的一组安全补丁时,才授予计算机网络访问权限。然而,这是一个更昂贵的解决方案。企业网络运营商面临的一个主要遗留问题是如何解决用户漏洞问题,减少对用户理解安全维护需求的依赖。
Generally speaking, network and service operators do not have adequate tools for network problem diagnosis. The current approaches largely rely on the experience and skills of the operators, and on time-consuming manual operations. The same is true for mitigation tools against attacks.
一般来说,网络和服务运营商没有足够的工具来诊断网络问题。目前的方法主要依赖于操作员的经验和技能,以及耗时的手动操作。针对攻击的缓解工具也是如此。
The limited number of existing Internet protection measures have not been widely deployed. Deployment of security solutions requires resources which may not be available. It also requires education among the operational community to recognize the critical importance of patch installation and software upgrades; for example, a bug in the BIND packet was discovered and fixed in 2003, yet a number of DNS servers still run the old software today. Perhaps most importantly, a security solution must be designed with the right incentives to promote their deployment. Effective protection also requires coordination between competing network providers. For the time being, it is often difficult to even find the contact information for operators of other networks.
现有数量有限的互联网保护措施尚未得到广泛部署。部署安全解决方案需要的资源可能不可用。它还要求运营社区进行教育,认识到补丁安装和软件升级的关键重要性;例如,BIND数据包中的一个bug在2003年被发现并修复,但许多DNS服务器今天仍然运行旧软件。也许最重要的是,安全解决方案的设计必须有适当的激励来促进其部署。有效的保护还需要竞争网络提供商之间的协调。目前,甚至很难找到其他网络运营商的联系信息。
A number of workshop participants shared the view that, if all the known engineering approaches and bug fixes were universally deployed, the Internet could have been enjoying a substantially reduced number
许多研讨会参与者都认为,如果所有已知的工程方法和错误修复都得到普遍部署,互联网的数量可能会大大减少
of security problems today. In particular, the need for, and lack of, BCP 38 deployment was mentioned numerous times during the workshop. There is also a lack of enthusiasm about the routing security requirements document being developed by the IETF RPSEC (Routing Protocol Security) Working Group, which focuses heavily on cryptographically-based protection requirements. Not only would cryptographically-based solutions face the obstacle of funding for deployment, but also they are likely to bring with them their own set of problems.
今天的安全问题。特别是,研讨会期间多次提到需要和缺乏BCP 38部署。IETF RPSEC(路由协议安全)工作组正在开发的路由安全要求文件也缺乏热情,该工作组主要关注基于密码的保护要求。基于密码的解决方案不仅会面临部署资金的障碍,而且可能会带来自己的一系列问题。
There exists an educational challenge to disseminate the knowledge needed for secure Internet usage and operations. Easily guessed passwords and plaintext password transmission are still common in many parts of the Internet. One common rumor claims that Cisco routers were shipped with a default password "cisco" and this was used by attackers to break into routers. In reality, operators often configure Cisco routers with that password, perhaps because of the difficulty of disseminating passwords to multiple maintainers. A similar problem exists for Juniper routers and other vendors' products.
传播安全使用和操作互联网所需的知识是一项教育挑战。容易猜测的密码和明文密码传输在互联网的许多地方仍然很常见。一个常见的谣言称Cisco路由器附带默认密码“Cisco”,攻击者利用该密码闯入路由器。实际上,运营商经常使用该密码配置Cisco路由器,可能是因为难以将密码分发给多个维护者。Juniper路由器和其他供应商的产品也存在类似的问题。
How to provide effective education to the Internet user community at large remains a great challenge. As mentioned earlier in this report, the existence of a large number of compromised hosts is one major source of the unwanted traffic problem, and the ultimate solution to this problem is a well-informed, vigilant user community.
如何为广大互联网用户群体提供有效的教育仍然是一个巨大的挑战。正如本报告前面提到的,大量受损主机的存在是不必要流量问题的一个主要来源,而这个问题的最终解决方案是一个消息灵通、警惕的用户社区。
One position made at the workshop is that, facing the problems of millions of vulnerable computers and lack of effective deterrence, protecting the Internet might require a fundamental change to the current Internet architecture, by replacing unconstrained open access to the Internet with strictly controlled access. Although the participants held different positions on this issue, a rough consensus was reached that, considering the overall picture, enforcing controlled access does not seem the best solution to Internet protection. Instead, the workshop identified a number of needs that should be satisfied to move towards a well protected Internet:
研讨会上提出的一个立场是,面对数百万台易受攻击的计算机和缺乏有效威慑的问题,保护互联网可能需要对当前的互联网架构进行根本性的改变,用严格控制的访问取代对互联网的无限制开放访问。尽管与会者在这一问题上持不同立场,但大体上达成了一个共识,即从总体上看,实施受控访问似乎不是保护互联网的最佳解决方案。相反,研讨会确定了一系列应满足的需求,以实现保护良好的互联网:
o the need for risk assessment for service providers; at this time, we lack a commonly agreed bar for security assurance;
o 对服务提供商进行风险评估的必要性;目前,我们缺乏一个共同商定的安全保障标准;
o the need to add traceability to allow tracking of abnormal behavior in the network, and
o 需要添加可追溯性,以便跟踪网络中的异常行为,以及
o the need for liability if someone fails to follow recommended practices.
o 如果有人未能遵循推荐的做法,则需要承担责任。
Adding traceability has been difficult due to the distributed nature of the Internet. Collaboration among operators is a necessity in fighting cybercrimes. We must also pay attention to preparation for the next cycle of miscreant activity, and not devote all our efforts to fixing the existing problems. As discussed above, the current reactive approach to security problems is not a winning strategy.
由于互联网的分布式特性,增加可追溯性一直很困难。运营商之间的合作是打击网络犯罪的必要条件。我们还必须注意为下一轮的邪恶活动做准备,而不是将我们的全部努力用于解决现有的问题。如上所述,目前对安全问题采取的被动做法并不是一种成功的战略。
This section addresses the issues that vendors recognized as important and for which there will be solutions available in the near future.
本节讨论供应商认为重要的问题,并在不久的将来提供解决方案。
There are a number of potential solutions that vendors are working on, but are not yet offering as part of their product portfolio, that will allegedly remedy or diagnose the problems described in Section 4.1.
供应商正在开发一些潜在的解决方案,但尚未作为其产品组合的一部分提供,据称这些解决方案将修复或诊断第4.1节中描述的问题。
Inevitably, when vendors have or are about to make a decision on implementing new features in their products but have not made any announcement, the vendors are not willing to talk about the new features openly, which limits what can be said in this section.
不可避免地,当供应商已经或即将决定在其产品中实施新功能,但尚未发布任何公告时,供应商不愿意公开谈论新功能,这限制了本节的内容。
One idea is to build a Central Policy Repository that holds policies that are known to work properly, e.g., policies controlling from whom one would accept traffic when under attack. This repository could, for example, keep information on which neighbor router or AS is doing proper ingress address filtering. The repository could also hold the configurations that operators use to upgrade configurations on their routers.
一个想法是构建一个中央策略存储库,该存储库保存已知可以正常工作的策略,例如,控制在受到攻击时从谁处接受流量的策略。例如,该存储库可以保存关于哪个邻居路由器或AS正在进行正确的入口地址过滤的信息。存储库还可以保存运营商用来升级其路由器配置的配置。
If such a repository is to be a shared resource used by multiple operators, it will necessarily require validation and authentication of the stored policies to ensure that the repository does not become the cause of vulnerabilities. Inevitably, this would mean that the information comes with a cost and it will only be viable if the sum of the reductions in individual operators' costs is greater than the costs of maintaining the repository.
如果这样的存储库是由多个运营商使用的共享资源,则必须对存储的策略进行验证和身份验证,以确保存储库不会成为漏洞的原因。不可避免地,这意味着信息会带来成本,并且只有在单个运营商成本降低的总和大于维护存储库的成本时,信息才是可行的。
A set of tools based on flow data is widely used to extract information from both network and data link layers. Tools have been built that can be used to find out the sources of almost any type of traffic, including certain unwanted traffic. These flow-based tools make it possible to do things like DDoS traceback, traffic/peering analyses, and detection of botnets, worms, and spyware.
基于流数据的一组工具广泛用于从网络层和数据链路层提取信息。已经建立了一些工具,可以用来找出几乎任何类型流量的来源,包括某些不需要的流量。这些基于流的工具使DDoS回溯、流量/对等分析以及僵尸网络、蠕虫和间谍软件的检测成为可能。
These tools monitor flows on the network and build baselines for what is the "normal" behavior. Once the baseline is available, it is possible to detect anomalous activity. It is easy to detect variations over time, and decide if the variation is legitimate or not. It is possible to take this approach further, typically involving the identification of signatures of particular types of traffic.
这些工具监视网络上的流,并为“正常”行为建立基线。一旦基线可用,就可以检测异常活动。随着时间的推移,很容易检测到变化,并确定变化是否合法。可以进一步采用这种方法,通常包括识别特定类型的业务的签名。
These flow-based tools are analogous to the "sonar" that is used by navies to listen for submarines. Once a particular submarine is identified, it is possible to record its sonar signature to be used to provide rapid identification in the future when the same submarine is encountered again.
这些基于流量的工具类似于海军用来监听潜艇的“声纳”。一旦识别出某艘潜艇,就可以记录其声纳特征,以便在将来再次遇到同一艘潜艇时提供快速识别。
Examples of existing tools include Cisco IOS NetFlow <http://www.cisco.com/en/US/products/ps6601/ products_ios_protocol_group_home.html>, sFlow <http://www.sflow.org/>, and NeTraMet <http://www.caida.org/tools/measurement/netramet/> based on the IETF RTFM and IPFIX standards.
现有工具的示例包括Cisco IOS NetFlow<http://www.cisco.com/en/US/products/ps6601/ 产品\u ios\u协议\u组\u home.html>,sFlow<http://www.sflow.org/>,以及网架<http://www.caida.org/tools/measurement/netramet/>基于IETF RTFM和IPFIX标准。
There are also tools for working with the output of NetFlow such as jFlow <http://www.net-track.ch/opensource/jflow/> and Arbor Networks' Peakflow <http://www.arbor.net/products_platform.php>.
还有一些用于处理NetFlow输出的工具,如jFlow<http://www.net-track.ch/opensource/jflow/>和Arbor Networks的峰值流量<http://www.arbor.net/products_platform.php>.
The Cooperative Association for Internet Data Analysis (CAIDA) maintains a taxonomy of available tools on its web site at <http://www.caida.org/tools/taxonomy/index.xml>.
互联网数据分析合作协会(CAIDA)在其网站上维护可用工具的分类法,网址为<http://www.caida.org/tools/taxonomy/index.xml>.
The Internet Motion Sensor (IMS) [IMS] may be used to watch traffic to or from "Darknets" (routable prefixes that don't have end hosts attached), unassigned address spaces, and unannounced address spaces. By watching activities in these types of address spaces, one can understand and detect, e.g., scanning activities, DDoS worms, worm infected hosts, and misconfigured hosts.
互联网运动传感器(IMS)[IMS]可用于监视进出“黑暗”(未连接终端主机的可路由前缀)、未分配地址空间和未通知地址空间的流量。通过观察这些类型的地址空间中的活动,可以了解并检测(例如)扫描活动、DDoS蠕虫、蠕虫感染的主机和配置错误的主机。
Currently, the IMS is used to monitor approximately 17 million prefixes, about 1.2% of the IPv4 address space. The use of IMS has highlighted two major characteristics of attacks; malicious attacks are more targeted than one might have assumed, and a vulnerability in a system does not necessarily lead to a threat to that system (e.g., the vulnerability may not be exploited to launch attacks if the perceived "benefit" to the attacker appears small). Data from IMS and other sources indicates that attackers are making increased use of information from social networking sites to target their attacks and select perceived easy targets, such as computers running very old versions of systems or new, unpatched vulnerabilities.
目前,IMS用于监控约1700万个前缀,约占IPv4地址空间的1.2%。IMS的使用突出了攻击的两个主要特征;恶意攻击的针对性比人们想象的更高,系统中的漏洞不一定会对该系统造成威胁(例如,如果攻击者感知到的“好处”似乎很小,则该漏洞可能不会被利用来发起攻击)。来自IMS和其他来源的数据表明,攻击者越来越多地利用来自社交网站的信息来确定攻击目标,并选择感知到的容易攻击的目标,例如运行非常旧版本系统的计算机或新的未修补漏洞。
This form of passive data collection is also known as a "Network Telescope". Links to similar tools can be found on the CAIDA web site at <http://www.caida.org/data/passive/network_telescope.xml>.
这种形式的被动数据采集也称为“网络望远镜”。类似工具的链接可在CAIDA网站上找到,网址为<http://www.caida.org/data/passive/network_telescope.xml>.
In the year 2000, the IETF developed a set of recommendations to limit DOS attacks and Address Spoofing published as BCP 38 [RFC2827], "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing". However, up to now BCP 38 capabilities still have not been widely deployed, perhaps due to the incentive issue discussed earlier.
2000年,IETF制定了一套限制DOS攻击和地址欺骗的建议,发布为BCP 38[RFC2827],“网络入口过滤:击败采用IP源地址欺骗的拒绝服务攻击”。然而,到目前为止,BCP 38能力尚未得到广泛部署,可能是由于前面讨论的激励问题。
The IETF has also developed an additional set of recommendations extending BCP 38 to multihomed networks. These recommendations are published as BCP 84 [RFC3704].
IETF还制定了一套额外的建议,将BCP 38扩展到多宿网络。这些建议发布为BCP 84[RFC3704]。
Tools are being developed that will make it possible to perform deep packet inspection at high speed. Some companies are working on hardware implementation to inspect all layers from 2 to 7 (e.g., EZchip <http://www.ezchip.com/t_npu_whpaper.htm>). A number of other companies, including Cisco and Juniper, offer tools capable of analyzing packets at the transport layer and above.
正在开发的工具将使高速执行深度数据包检查成为可能。一些公司正在进行硬件实施,以检查从2到7的所有层(例如EZchip<http://www.ezchip.com/t_npu_whpaper.htm>). 包括Cisco和Juniper在内的许多其他公司都提供了能够在传输层及以上分析数据包的工具。
One idea that was discussed at the workshop envisaged operators and standards bodies cooperating to produce a set of "How To" documents as guidelines on how to configure networks. Dissemination and use of these "How To's" should be encouraged by vendors, operators, and standards bodies.
研讨会上讨论的一个想法设想运营商和标准机构合作编制一套“如何”文件,作为如何配置网络的指南。供应商、运营商和标准机构应鼓励传播和使用这些“操作指南”。
This type of initiative needs a "sponsor" or "champion" that takes the lead and starts collecting a set of "How To's" that could be freely distributed. The workshop did not discuss this further.
这种类型的倡议需要一个“赞助商”或“冠军”,带头收集一套可以自由分发的“如何做”指南。讲习班没有进一步讨论这一问题。
Methods to discourage the dissemination of spam by punishing the spammers, such as Spam Harassment Reduction via Economic Disincentive (SHRED) [SHRED], were discussed. The idea is to make it increasingly expensive for spammers to use the email system, while normal users retain what they have come to expect as normal service. There was no agreement on the effectiveness of this type of system.
讨论了通过惩罚垃圾邮件发送者来阻止垃圾邮件传播的方法,如通过经济抑制(SHRED)[SHRED]减少垃圾邮件骚扰。这样做的目的是让垃圾邮件发送者使用电子邮件系统的成本越来越高,而普通用户则将他们期望的作为正常服务保留下来。对于这类系统的有效性没有达成一致意见。
In preparation for this session, several researchers active in Internet Research were asked two rather open ended questions: "Where is the focus on Internet research today?" and "Where should it be?"
为了准备这次会议,几位活跃于互联网研究的研究人员被问到了两个相当开放的问题:“今天互联网研究的重点在哪里?”和“应该在哪里?”
A summary of the answers to these questions is given below. Section 6.2.2 covers part of the relationship between research and miscreants. For example, research activities in each area (please refer to the slide set for Workshop Session 8 which can be found at the link referred to in Appendix C).
以下是这些问题的答案摘要。第6.2.2节涵盖了研究与歹徒之间的部分关系。例如,每个领域的研究活动(请参阅研讨会第8课时的幻灯片集,可在附录C中的链接中找到)。
Section 6.1 discusses briefly areas where we see active research on unwanted traffic today.
第6.1节简要讨论了我们目前对不必要流量进行积极研究的领域。
One area where researchers are very active is analyzing situations where hosts are exploited. This has been a major focus for a long time, and an abundance of reports have been published. Current research may be divided into three different categories: prevention, detection, and defense.
研究人员非常活跃的一个领域是分析主机被利用的情况。长期以来,这一直是一个主要焦点,并发表了大量报告。目前的研究可分为三类:预防、检测和防御。
Code quality is crucial when it comes to preventing exploitation of Internet hosts. Quite a bit of research effort has therefore gone into improvement of code quality. Researchers are looking into automated methods for finding bugs and maybe in the end fixes for any bugs detected.
在防止利用Internet主机时,代码质量至关重要。因此,相当多的研究工作已经投入到提高代码质量上。研究人员正在研究寻找bug的自动化方法,并可能最终修复检测到的任何bug。
A second approach designed to stop hosts from becoming compromised is to reduce the "attack surface". Researchers are thinking about
第二种防止主机受损的方法是减少“攻击面”。研究人员正在考虑
changes or extensions to the Internet architecture. The idea is to create a strict client server architecture, where the clients only are allowed to initiate connections, and while servers may only accept connections.
Internet架构的更改或扩展。我们的想法是创建一个严格的客户机-服务器体系结构,其中只允许客户机启动连接,而服务器可能只接受连接。
Researchers have put a lot of effort into better scaling of honey pots and honey farms to better understand and neutralize the methods miscreants are using to exploit hosts. Research also goes into developing honey monkeys in order to understand how hosts are vulnerable. Both honey pots/farms and honey monkeys are aimed at taking measures that prevent further (mis-)use of possible exploits.
研究人员已经投入了大量精力来更好地扩大蜜罐和蜂蜜农场的规模,以便更好地理解和消除恶棍利用宿主的方法。为了了解寄主是如何容易受到攻击的,研究人员还研究了如何培育蜜猴。蜜罐/农场和蜜猴都旨在采取措施防止进一步(误用)可能的利用。
When an attack is launched against a computer system, the attack typically leaves evidence of the intrusion in the system logs. Each type of intrusion leaves a specific kind of footprint or signature. The signature can be evidence that certain software has been executed, that logins have failed, that administrative privileges have been misused, or that particular files and directories have been accessed. Administrators can document these attack signatures and use them to detect the same type of attack in the future. This process can be automated.
当针对计算机系统发起攻击时,攻击通常会在系统日志中留下入侵证据。每种类型的入侵都会留下特定的足迹或特征。签名可以证明某些软件已被执行、登录失败、管理权限被滥用或特定文件和目录已被访问。管理员可以记录这些攻击特征,并使用它们在将来检测相同类型的攻击。这个过程可以自动化。
Because each signature is different, it is possible for system administrators to determine by looking at the intrusion signature what the intrusion was, how and when it was perpetrated, and even how skilled the intruder is.
由于每个特征码都不同,因此系统管理员可以通过查看入侵特征码来确定入侵是什么,入侵的方式和时间,甚至入侵者的技能。
Once an attack signature is available, it can be used to create a vulnerability filter, i.e., the stored attack signature is compared to actual events in real time and an alarm is given when this pattern is repeated.
一旦攻击特征可用,就可以使用它来创建漏洞过滤器,即,实时将存储的攻击特征与实际事件进行比较,并在重复此模式时发出警报。
A further step may be taken with automated vulnerability signatures, i.e., when a new type of attack is found, a vulnerability filter is automatically created. This vulnerability filter can be made available for nodes to defend themselves against this new type of attack. The automated vulnerability signatures may be part of an Intrusion Detection System (IDS).
可通过自动漏洞签名采取进一步步骤,即,当发现新类型的攻击时,将自动创建漏洞过滤器。此漏洞过滤器可用于节点防御这种新类型的攻击。自动漏洞签名可能是入侵检测系统(IDS)的一部分。
An IDS can be a part of the defense against actual attacks, e.g., by using vulnerability filters. An Intrusion Detection System (IDS) inspects inbound and outbound network activities and detects signatures that indicate that a system is under attack from someone attempting to break into or compromise the system.
IDS可以作为防御实际攻击的一部分,例如通过使用漏洞过滤器。入侵检测系统(IDS)检查入站和出站网络活动,并检测表明系统受到试图侵入或破坏系统的人攻击的特征码。
Research on DDoS attacks follows two separate approaches, the first has the application as its focus, while the second focuses on the network.
DDoS攻击的研究遵循两种不同的方法,第一种方法以应用为重点,第二种方法以网络为重点。
The key issue with application oriented research is to distinguish between legitimate activities and attacks. Today, several tools exist that can do this and research has moved on to more advanced things.
面向应用的研究的关键问题是区分合法活动和攻击。今天,有几种工具可以做到这一点,研究已经转向更先进的东西。
Research today looks into tools that can detect and filter activities that have been generated by bots and botnets.
今天的研究着眼于能够检测和过滤由机器人和僵尸网络生成的活动的工具。
One approach is to set up a tool that sends challenges to senders that want to send traffic to a certain node. The potential sender then has to respond correctly to that challenge; otherwise, the traffic will be filtered out.
一种方法是设置一个工具,向想要向某个节点发送流量的发送者发送挑战。然后,潜在的发送者必须正确响应该挑战;否则,流量将被过滤掉。
The alternative is to get more capacity between sender and receiver. This is done primarily by some form of use of peer-to-peer technology.
另一种方法是在发送方和接收方之间获得更多容量。这主要是通过某种形式的对等技术实现的。
Today, there is "peer-to-peer hype" in the research community; a sure way of making yourself known as a researcher is to publish something that solves old problems by means of some peer-to-peer technology. Proposals now exist for peer-to-peer DNS, peer-to-peer backup solutions, peer-to-peer web-cast, etc. Whether these proposals can live up to the hype remains to be seen.
如今,研究界出现了“点对点炒作”;让自己成为一名研究者的一个可靠方法是发布一些通过点对点技术解决旧问题的东西。目前已有针对点对点DNS、点对点备份解决方案、点对点网络广播等的提案。这些提案是否能达到宣传效果还有待观察。
Research on DDoS attacks that takes a network oriented focus may be described by the following oversimplified three steps.
以网络为中心的DDoS攻击研究可以通过以下三个过于简单的步骤来描述。
1. Find the bad stuff
1. 找到坏东西
2. Set the "evil bit" on those packets
2. 在这些数据包上设置“邪恶位”
3. Filter out the packets with the "evil bit" set
3. 过滤掉设置了“邪恶比特”的数据包
This rather uncomplicated scheme has to be carried out on high-speed links and interfaces. Automation is the only way of achieving this.
这种相当简单的方案必须在高速链路和接口上执行。自动化是实现这一目标的唯一途径。
One way of indirectly setting the "evil bit" is to use a normalized TTL. The logic goes: the TTL for traffic from this sender has always
间接设置“邪恶位”的一种方法是使用规范化的TTL。逻辑是:来自此发送方的流量的TTL始终
been "x", but has now suddenly become "y", without any corresponding change in routing. The conclusion is that someone is masquerading as the legitimate sender. Traffic with the "y" TTL is filtered out.
本来是“x”,但现在突然变成了“y”,没有任何相应的路由更改。结论是有人伪装成合法的发送者。具有“y”TTL的流量被过滤掉。
Another idea is to give traffic received from ISPs that are known to do source address validation the "red carpet treatment", i.e., to set the "good bit". When an attack is detected, traffic from everyone that doesn't have the "good bit" is filtered out. Apart from reacting to the attack, this also give ISPs an incentive to do source address validation. If they don't do it, their peers won't set the "good bit" and the ISP's customers will suffer, dragging down their reputation.
另一个想法是将从已知进行源地址验证的ISP接收的流量给予“红地毯式处理”,即设置“良好位”。当检测到攻击时,来自每个没有“好比特”的流量都会被过滤掉。除了对攻击作出反应外,这也鼓励ISP进行源地址验证。如果他们不这样做,他们的同行将不会设置“好位”,ISP的客户将蒙受损失,拖累他们的声誉。
Overlay networks can also be used to stop a DDoS attack. The idea here is that traffic is not routed directly to the destination. Instead, it is hidden behind some entry points in the overlay. The entry points make sure the sender is the host he claims he is, and in that case, marks the packet with a "magic bit". Packets lacking the "magic bit" are not forwarded on the overlay. This has good scaling properties; you only need to have enough capacity to tag the amount of traffic you want to receive, not the amount you actually receive.
覆盖网络也可用于阻止DDoS攻击。这里的想法是,流量不会直接路由到目的地。相反,它隐藏在覆盖中的某些入口点后面。入口点确保发送者是他声称的主机,在这种情况下,用“魔术位”标记数据包。缺少“魔术位”的数据包不会在覆盖层上转发。这具有良好的缩放特性;您只需要有足够的容量来标记希望接收的流量,而不是实际接收的流量。
Current research on spyware and measurements of spyware are aiming to find methods to understand when certain activities associated with spyware happen and to understand the impact of this activity.
当前对间谍软件的研究和对间谍软件的测量旨在找到了解与间谍软件相关的某些活动何时发生的方法,并了解该活动的影响。
There are a number of research activities around spyware, e.g., looking into threats caused by spyware; however, these were only briefly touched upon at the workshop.
围绕间谍软件有许多研究活动,例如,调查间谍软件造成的威胁;然而,这些问题在研讨会上仅作了简短的讨论。
Lately, research has started to look into tools and support to answer the "What happened here?" question. These tools are called "forensic aids", and can be used to "recreate" an illegal activity just as the police do when working on a crime scene.
最近,研究开始寻找工具和支持来回答“这里发生了什么?”的问题。这些工具被称为“法医辅助工具”,可以用来“重现”非法活动,就像警察在犯罪现场工作时所做的那样。
The techniques that these forensic aids take as their starting point involve the identification of a process or program that should not be present on a computer. The effort goes into building tools and methods that can trace the intruder back to its origin. Methods to understand how a specific output depends on a particular input also exist.
这些法医辅助手段以识别不应该出现在计算机上的过程或程序为起点。这项工作致力于构建能够追踪入侵者到其源头的工具和方法。理解特定输出如何依赖于特定输入的方法也存在。
Measurements are always interesting for the research community, because they generate new data. Consequently, lots of effort goes into specifying how measurements should be performed and into development of measurement tools. Measurements have been useful in creating effective counter-measures against worms. Before measurements gave actual data of how worms behave, actions taken against worms were generally ineffective.
测量对于研究界来说总是很有趣的,因为它们产生了新的数据。因此,大量的工作投入到了如何进行测量和开发测量工具上。在制定有效的防治蠕虫措施方面,这些措施非常有用。在测量给出蠕虫行为的实际数据之前,针对蠕虫采取的措施通常是无效的。
One aspect of research that closely relates to measurements is analysis. Earlier, it was common to look for the amount of traffic traversing certain transport ports. Lately, it has become common to tunnel "everything" over something else, and a shift has occurred towards looking for behavior and/or content. When you see a certain behavior or content over a protocol that is not supposed to behave in this way, it is likely that something bad is going on.
与测量密切相关的研究的一个方面是分析。早些时候,查找通过某些运输端口的流量是很常见的。最近,将“一切”隐藏在其他东西之上已经变得很普遍,人们开始转向寻找行为和/或内容。当您看到协议上的某个行为或内容不应该以这种方式运行时,很可能发生了一些不好的事情。
Since this is an arms race, the miscreants that use tunneling protocols have started to mimic the pattern of something that is acceptable.
由于这是一场军备竞赛,使用隧道协议的恶棍们已经开始模仿某种可以接受的模式。
The general IETF design guidelines for robust Internet protocols says: "Be liberal in what you receive and conservative in what you send". The downside is that most protocols believe what they get and as a consequence also get what they deserve. The IAB is intending to work on new design guidelines, e.g., rules of thumb and things you do and things you don't. This is not ready yet, but will be offered as input to a BCP in due course.
IETF关于健壮互联网协议的一般设计指南中说:“接收内容要自由,发送内容要保守”。缺点是,大多数协议相信他们得到的,因此也得到了他们应得的。IAB打算制定新的设计准则,例如经验法则、你做的事情和你不做的事情。这还没有准备好,但将在适当时候作为输入提供给BCP。
An area where there is a potential overlap between standards people and researchers is protocol analysis languages. The protocol analysis languages could be used, for example, look for vulnerabilities.
标准人员和研究人员之间存在潜在重叠的一个领域是协议分析语言。例如,可以使用协议分析语言查找漏洞。
The workshop discussed the interface between people working in standardization organizations in general and IETF in particular on the one hand and people working with research on the other. The topic of discussion was broader than just "Unwanted traffic". Three topics were touched on: what motivates researchers, how to attract researchers to problems that are hindering or have been discovered in
研讨会讨论了标准化组织工作人员,尤其是IETF工作人员与从事研究工作人员之间的接口。讨论的主题不仅仅是“不必要的交通”。涉及到三个主题:是什么激励了研究人员,如何吸引研究人员解决阻碍研究的问题,或者在研究中发现的问题
the context of standardization, and the sometimes rocky relations between the research community and the "bad boys".
标准化的背景,以及研究界和“坏男孩”之间有时不稳定的关系。
The workshop discussed how research and standardization could mutually support each other. Quite often there is a commonality of interest between the two groups. The IAB supports the Internet Research Task Force (IRTF) as a venue for Internet research. The delta between what is done and what could be is still substantial. The discussion focused on how standardization in general and the IETF in particular can get help from researchers.
研讨会讨论了研究和标准化如何相互支持。这两个群体之间往往有共同的利益。IAB支持互联网研究工作队(IRTF)作为互联网研究的场所。已经做的事情和可能做的事情之间的差距仍然很大。讨论的重点是一般的标准化,特别是IETF如何从研究人员那里获得帮助。
Since standardization organizations don't have the economic strength to simply finance the research they need or want, other means have to be used. One is to correctly and clearly communicate problems, another is to supply adequate and relevant information.
由于标准化组织没有经济实力为他们需要或想要的研究提供资金,因此必须使用其他手段。一个是正确和清楚地沟通问题,另一个是提供充分和相关的信息。
To attract the research community to work with standardization organizations, it is necessary to identify the real problems and state them in such a way that they are amenable to solution. General unspecified problems are of no use, e.g., "This is an impossible problem!" or "All the problems are because my users behave badly!"
为了吸引研究界与标准化组织合作,有必要确定真正的问题,并以易于解决的方式陈述这些问题。一般未指明的问题是没有用的,例如,“这是一个不可能的问题!”或“所有的问题都是因为我的用户行为不好!”
Instead, saying "This is an absolutely critical problem, and we have no idea how to solve it!" is much more attractive.
相反,说“这是一个绝对关键的问题,我们不知道如何解决它!”更有吸引力。
The potential research problem should also be communicated in a way that is public. A researcher that wants to take on a problem is helped if she/he can point at a slide from NANOG or RIPE that identifies this problem.
潜在的研究问题也应该以公开的方式进行沟通。如果一位研究人员想解决一个问题,她/他可以指着NANOG或Pread的一张幻灯片来确定这个问题,那么她/他就会得到帮助。
The way researchers go about solving problems is basically to identify all the existing constraints, and then relax one of the constraints and see what happens. Therefore, rock solid constraints are a show stopper, e.g., "We can't do that, because it has to go into an ASIC!". Real constraints have to be clearly communicated to and understood by the researcher.
研究人员解决问题的方法基本上是识别所有现有的约束,然后放松其中一个约束,看看会发生什么。因此,坚如磐石的约束是一个阻碍,例如,“我们不能这样做,因为它必须进入ASIC!”。真正的限制必须清楚地传达给研究者并被研究者理解。
One reasonable way of fostering cooperation is to entice two or three people and have them write a paper on the problem. What will happen then is that this paper will be incrementally improved by other researchers. The vast majority of all research goes into improving on someone else's paper.
促进合作的一个合理方法是吸引两三个人,让他们写一篇关于这个问题的论文。接下来会发生的是,这篇论文将被其他研究人员逐步改进。绝大多数研究都是为了改进别人的论文。
A second important factor is to supply sufficient relevant information. New information that suggests possible ways to address new problems or improve on old or partial solutions to previously
第二个重要因素是提供足够的相关信息。建议解决新问题或改进旧的或部分解决以前问题的方法的新信息
investigated problems are attractive. Often, understanding of important problems comes from the operator community; when trying to initiate research from a standards perspective, keeping operators in the loop may be beneficial.
调查的问题很有吸引力。通常,对重要问题的理解来自运营商社区;当试图从标准的角度开始研究时,让操作员处于循环中可能是有益的。
Today, the research community is largely left on its own, and consequently tends to generate essentially random, untargeted results. If the right people in the standards community say the right things to the right people in the research community, it can literally focus hundreds of graduate students on a single problem. Problem statements and data are needed.
今天,研究界基本上是独立的,因此倾向于产生基本上随机的、无目标的结果。如果标准社区中合适的人对研究社区中合适的人说了合适的话,它可以让数百名研究生专注于一个问题。需要问题陈述和数据。
A general problem with all research and development is that what can be used may also be misused. In some cases, miscreants have received help from research that was never intended.
所有研究和开发的一个普遍问题是,可以使用的东西也可能被误用。在某些情况下,歹徒从研究中得到了从未打算过的帮助。
There are several examples of Free Nets, i.e., networks designed to allow end-users to participate without revealing their identity or how and where they are connected to the network. The Free Nets are designed based on technologies such as onion routing or mix networks. Free Nets create anonymity that allows people to express opinions without having to reveal their true identity and thus can be used to promote free speech. However, these are tools that can also work just as well to hide illegal activities in democracies.
有几个免费网络的例子,也就是说,网络设计为允许最终用户参与,而不透露他们的身份或他们连接到网络的方式和地点。免费网络是基于洋葱路由或混合网络等技术设计的。自由网络创造了匿名性,允许人们在不透露真实身份的情况下发表意见,因此可以用来促进言论自由。然而,这些工具同样可以用来隐藏民主国家的非法活动。
Mix networks create hard-to-trace communications by using a chain of proxy servers. A message from a sender to a receiver passes by the chain of proxies. A message is encrypted with a layered encryption where each layer is understood by only one of the proxies in the chain; the actual message is the innermost layer. A mix network will achieve untraceable communication, even if all but one of the proxies are compromised by a potential tracer.
混合网络通过使用一系列代理服务器创建难以跟踪的通信。从发送者到接收者的消息经过代理链。消息通过分层加密进行加密,其中每一层仅由链中的一个代理理解;实际消息是最内层。混合网络将实现无法追踪的通信,即使除了一个代理之外的所有代理都被潜在的追踪器破坏。
Onion routing is a technique for anonymous communication over a computer network; it is a technique that encodes routing information in a set of encrypted layers. Onion routing is a further development of mix networks.
洋葱路由是一种通过计算机网络进行匿名通信的技术;它是一种在一组加密层中对路由信息进行编码的技术。洋葱路由是混合网络的进一步发展。
Research projects have resulted in methods for distributed command and control, e.g., in the form of Distributed Hash Tables (DHT) and gossip protocols. This of course has legitimate uses, e.g., for security and reliability applications, but it also is extremely useful for DDoS attacks and unwanted traffic in general.
研究项目产生了分布式命令和控制方法,例如分布式哈希表(DHT)和八卦协议。这当然具有合法用途,例如用于安全性和可靠性应用,但对于DDoS攻击和一般不需要的流量也非常有用。
A lot of effort has gone into research around worms, the result is that we have a very good understanding of the characteristics of the
围绕蠕虫进行了大量的研究,结果是我们对蠕虫的特性有了很好的了解
technology associated with worms and how they behave. This is a very good basis when we want to protect against worms. The downside is that researchers also understand how to implement future worms, including knowledge on how to design faster worms that won't leave a footprint.
与蠕虫及其行为相关的技术。这是一个很好的基础,当我们想防止蠕虫。缺点是,研究人员还了解如何实现未来的蠕虫,包括如何设计不会留下足迹的更快的蠕虫。
If we had an Aladdin's Lamp and could be granted anything we wanted in the context of remedying unwanted traffic or effects of such traffic - what would we wish for? The topic of this session was wishes, i.e., loosening the constraints that depend on what we have and focus on what we really want.
如果我们有一盏阿拉丁的灯,可以在补救不必要的交通或交通影响的背景下得到我们想要的任何东西——我们希望得到什么?本次会议的主题是愿望,即放松依赖于我们所拥有的东西的限制,专注于我们真正想要的东西。
There certainly are lots of "wishes" around, not least of which is making things simpler and safer. On the other hand, very few of these wishes are clearly stated. One comment on this lack of clarity was that we are too busy putting out the fires of today and don't have the time to be thinking ahead.
这里当然有很多“愿望”,尤其是让事情变得更简单、更安全。另一方面,这些愿望很少有明确的表述。对这种缺乏明确性的一种评论是,我们忙于扑灭今天的大火,没有时间提前思考。
Operators at the workshop expressed a number of wishes that, if fulfilled, would help to improve and simplify security. The list below contains a number of examples of actions that ought to improve security. The content is still at the "wish-level", i.e., no effort has gone in to trying to understand the feasibility of realizing these wishes.
讲习班的操作人员表达了一些愿望,如能实现,将有助于改善和简化安全。下面的列表包含了一些应该提高安全性的操作示例。内容仍处于“愿望水平”,即没有努力理解实现这些愿望的可行性。
Wish: Reliable point of contact in each administrative domain for security coordination. First and foremost, operators would like to see correct and complete contact information to coordinate security problems across operators.
愿望:在每个管理领域建立安全协调的可靠联络点。首先,运营商希望看到正确完整的联系信息,以协调运营商之间的安全问题。
The "whois" database of registration details for IP addresses and Autonomous System numbers held by Regional Internet Registries (e.g., ARIN, RIPE, APNIC) was intended to be a directory for this type of information, and RFC 2142 [RFC2142] established common mailbox names for certain roles and services. There are several reasons why these tools are largely unused, including unwanted traffic.
区域互联网注册中心(如ARIN、RIME、APNIC)持有的IP地址和自治系统编号的“whois”注册详细信息数据库旨在作为此类信息的目录,RFC 2142[RFC2142]为某些角色和服务建立了通用邮箱名称。这些工具大部分未被使用的原因有很多,包括不必要的流量。
Wish: Organized testing for security. Today, new hardware and software are extensively tested for performance. There is almost no testing of this hardware and software for security.
愿望:有组织的安全测试。今天,新的硬件和软件经过了广泛的性能测试。几乎没有对这种硬件和软件进行安全测试。
Wish: Infrastructure or test bed for security. It would be good to have an organized infrastructure or test bed for testing of security for new products.
愿望:基础设施或安全测试平台。最好有一个有组织的基础设施或测试平台来测试新产品的安全性。
Wish: Defaults for security. Equipment and software should come with a simple and effective default setting for security.
愿望:默认安全性。设备和软件应配备简单有效的安全默认设置。
Wish: Shared information regarding attacks. It would be useful to have an automated sharing mechanism for attacks, vulnerabilities, and sources of threats between network users and providers in order to meet attacks in a more timely and efficient manner.
愿望:共享有关攻击的信息。在网络用户和提供商之间建立一个针对攻击、漏洞和威胁源的自动共享机制将非常有用,以便以更及时、更高效的方式应对攻击。
Wish: Automatic filtering of unwanted traffic. It would be useful, not least for enterprises, to have mechanisms that would automatically filter out the unwanted traffic.
愿望:自动过滤不需要的流量。拥有能够自动过滤掉不需要的流量的机制将是有益的,尤其是对企业而言。
Some filtering of spam, viruses, and malware that is sent by email is already practicable but inevitably is imperfect because it mainly relies on "heuristics" to identify the unwanted traffic. This is another example of the "arms race" between filtering and the ingenuity of spammers trying to evade the filters. This "wish" needs to be further discussed and developed to make it something that could be turned into practical ideas.
通过电子邮件发送的垃圾邮件、病毒和恶意软件的某些过滤已经是可行的,但不可避免地是不完善的,因为它主要依靠“启发式”来识别不需要的流量。这是过滤和垃圾邮件发送者试图逃避过滤之间的“军备竞赛”的另一个例子。这一“愿望”需要进一步讨论和发展,使之成为可以转化为实际想法的东西。
Wish: Fix Spam. A large fraction of the email traffic coming into enterprises today is spam, and consequently any fixes to the spam problem are very high on their priority list.
愿望:修复垃圾邮件。如今,进入企业的电子邮件流量中有很大一部分是垃圾邮件,因此,对垃圾邮件问题的任何修复都是他们的优先事项。
The workshop spent its last two hours discussing the following question: What are the engineering (immediate and longer term) and research issues that might be pursued within the IETF and the IRTF, and what actions could the IAB take? The suggested actions can be summarized into three classes.
研讨会最后两个小时讨论了以下问题:IETF和IRTF中可能涉及的工程(近期和长期)和研究问题是什么,IAB可以采取什么行动?建议的行动可归纳为三类。
The discussions during this concluding section raised a number of questions that touched upon the overall network architecture designs.
本结束部分的讨论提出了一些涉及整体网络架构设计的问题。
o What should be the roles of cryptographic mechanisms in the overall Internet architecture? For example, do we need to apply
o 密码机制在整个互联网体系结构中应该扮演什么角色?例如,我们需要申请吗
cryptographic mechanisms to harden the shell, or rely on deep packet inspection to filter out bad traffic?
加密机制来强化外壳,还是依靠深度数据包检查来过滤坏流量?
o To add effective protection to the Internet, how far are we willing to go in
o 为了给互联网增加有效的保护,我们愿意走多远
* curtailing its openness, and
* 限制其开放性,以及
* increasing the system complexity?
* 增加系统复杂性?
And what architectural principles do we need to preserve as we go along these paths?
当我们沿着这些路径前进时,我们需要保留哪些体系结构原则?
o A simple risk analysis would suggest that an ideal attack target of minimal cost but maximal disruption is the core routing infrastructure. However, do we really need an unlinked and separately managed control plane to secure it? This requires a deep understanding of the architectural design trade-offs.
o 简单的风险分析表明,成本最低但中断最大的理想攻击目标是核心路由基础设施。然而,我们真的需要一个未链接且单独管理的控制平面来保护它吗?这需要深入理解建筑设计的权衡。
o Can we, and how do we, change the economic substructure? A special workshop was suggested as a next step to gain a better understanding of the question.
o 我们能否,以及如何改变经济结构?有人建议举办一次特别讲习班,作为进一步了解这一问题的下一步。
While answering the above hard questions may take some time and effort, several specific steps were suggested as medium or long term efforts to add protection to the Internet:
虽然回答上述困难问题可能需要一些时间和努力,但建议采取若干具体步骤,作为增加互联网保护的中期或长期努力:
o Tightening the security of the core routing infrastructure.
o 加强核心路由基础设施的安全性。
o Cleaning up the Internet Routing Registry repository [IRR], and securing both the database and the access, so that it can be used for routing verifications.
o 清理Internet路由注册表存储库[IRR],并保护数据库和访问,以便可以将其用于路由验证。
o Take down botnets.
o 拆除僵尸网络。
o Although we do not have a magic wand to wave all the unwanted traffic off the Internet, we should be able to develop effective measures to reduce the unwanted traffic to a tiny fraction of its current volume and keep it under control.
o 虽然我们没有一根魔杖可以将所有不需要的流量从互联网上挥舞出去,但我们应该能够制定有效的措施,将不需要的流量减少到当前流量的一小部分,并将其保持在控制之下。
o Community education, to try to ensure people *use* updated host, router, and ingress filtering BCPs.
o 社区教育,确保人们*使用*更新的主机、路由器和入口过滤BCP。
The IETF is recommended to take steps to carry out the following actions towards enhancing the network protection.
建议IETF采取措施执行以下行动,以增强网络保护。
o Update the host requirements RFC. The Internet host requirements ([RFC1122], [RFC1123]) were developed in 1989. The Internet has gone through fundamental changes since then, including the pervasive security threats. Thus, a new set of requirements is overdue.
o 更新主机需求RFC。互联网主机需求([RFC1122]、[RFC1123])于1989年制定。从那时起,互联网经历了根本性的变化,包括无处不在的安全威胁。因此,一套新的要求已经过期。
o Update the router requirements. The original router requirements [RFC1812] were developed in 1995. As with the host requirements, it is also overdue for an update.
o 更新路由器要求。最初的路由器要求[RFC1812]是在1995年制定的。与主机要求一样,它也已过期,无法进行更新。
o Update ingress filtering (BCP 38 [RFC2827] and BCP 84 [RFC3704]).
o 更新入口过滤(BCP 38[RFC2827]和BCP 84[RFC3704])。
One immediate action that the IAB should carry out is to inform the community about the existence of the underground economy.
IAB应立即采取的一项行动是告知社区地下经济的存在。
The IRTF is recommended to take further steps toward understanding the Underground Economy and to initiate research on developing effective countermeasures.
建议IRTF采取进一步措施了解地下经济,并开始研究制定有效对策。
Overall, the workshop attendees wish to raise the community's awareness of the underground economy. The community as a whole should undertake a systematic examination of the current situation and develop both near- and long-term plans.
总体而言,研讨会与会者希望提高社区对地下经济的认识。整个社会应系统地审查当前情况,并制定近期和长期计划。
This section gives an overview of some of the key concepts and terminology used in this document. It is not intended to be complete, but is offered as a quick reference for the reader of the report.
本节概述了本文档中使用的一些关键概念和术语。本报告并不打算完整,但作为报告读者的快速参考。
ACL Access Control List in the context of Internet networking refers to a set of IP addresses or routing prefixes (layer 3 or Internet layer information), possibly combined with transport protocol port numbers (layer 4 or transport layer information). The layer 3 and/or layer 4 information in the packets making up a flow entering or leaving a device in the Internet is matched against the entries in an ACL to determine whether the packets should, for example, be allowed or denied access to some resources. The ACL effectively specifies a filter to be used on a flow of packets.
Internet联网上下文中的ACL访问控制列表是指一组IP地址或路由前缀(第3层或Internet层信息),可能与传输协议端口号(第4层或传输层信息)相结合。构成进入或离开因特网中的设备的流的分组中的第3层和/或第4层信息与ACL中的条目相匹配,以确定分组例如是否应该被允许或拒绝访问某些资源。ACL有效地指定要在数据包流上使用的筛选器。
BGP route hijacking Attack in which an inappropriate route is injected into the global routing system with the intent of diverting traffic from its intended recipient either as a DoS attack (q.v.) where the traffic is just dropped or as part of some wider attack on the recipient. Injecting spurious routes specifying addresses used for bogons can, for example, provide bogus assurance to email systems that spam is coming from legitimate addresses.
BGP路由劫持攻击,在这种攻击中,将不适当的路由注入全局路由系统,目的是将通信量从其预期接收者转移,或者作为DoS攻击(q.v.),其中通信量刚刚被丢弃,或者作为对接收者更广泛攻击的一部分。例如,注入指定bogons地址的虚假路由可以向电子邮件系统提供虚假保证,即垃圾邮件来自合法地址。
Bogon A bogon is an IP packet that has a source address taken for a range of addresses that has not yet been allocated to legitimate users, or is a private [RFC1918] or reserved address [RFC3330].
Bogon Bogon是一种IP数据包,其源地址用于尚未分配给合法用户的一系列地址,或者是专用[RFC1918]或保留地址[RFC3330]。
Bogon prefix A bogon prefix is a route that should never appear in the Internet routing table, e.g., from the private or unallocated address blocks.
Bogon前缀Bogon前缀是一种不应出现在Internet路由表中的路由,例如,来自专用或未分配地址块的路由。
Bot A bot is common parlance on the Internet for a software program that is a software agent. A Bot interacts with other network services intended for people as if it were a real person. One typical use of bots is to gather information. The term is derived from the word "robot," reflecting the autonomous character in the "virtual robot"- ness of the concept. The most common bots are those that covertly install themselves on people's computers for malicious purposes, and that have been described as remote attack tools. Bots are sometimes called "zombies".
Bot Bot是互联网上一种常见的说法,指的是作为软件代理的软件程序。机器人与其他面向人的网络服务进行交互,就好像它是真人一样。机器人的一个典型用途是收集信息。该术语来源于“机器人”一词,反映了“虚拟机器人”的自主性特征,即概念的灵活性。最常见的机器人是那些出于恶意目的在人们的计算机上秘密安装自己的机器人,它们被描述为远程攻击工具。机器人有时被称为“僵尸”。
Botnet Botnet is a jargon term for a collection of software robots, or bots, which run autonomously. This can also refer to the network of computers using distributed computing software. While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.
Botnet Botnet是一个术语,用于表示自动运行的软件机器人或机器人的集合。这也可以指使用分布式计算软件的计算机网络。虽然术语“僵尸网络”可用于指代任何一组机器人,如IRC机器人,但该词通常用于指在通用命令和控制基础设施下运行程序(通常称为蠕虫、特洛伊木马或后门)的受损机器的集合。
Click fraud Click fraud occurs in pay per click (PPC) advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad for the purpose of generating an improper charge per click. Pay per click advertising is when operators of web sites act as publishers and offer clickable links from advertisers in exchange for a charge per click.
点击欺诈点击欺诈发生在点击付费(PPC)广告中,当一个人、自动脚本或计算机程序模仿网络浏览器的合法用户点击广告以产生不正当的点击收费时。点击付费广告是指网站运营商充当发布者,提供来自广告商的可点击链接,以换取每次点击收费。
Darknet A Darknet (also known as a Network Telescope, a Blackhole, or an Internet Sink) is a globally routed network that has no "real" machines attached and carries only a very small amount of specially crafted legitimate traffic. It is therefore easily possible to separate out and analyze unwanted traffic that can arise from a wide variety of events including misconfiguration (e.g., a human being mis-typing an IP address), malicious scanning of address space by hackers looking for vulnerable targets, backscatter from random source denial-of-service attacks, and the automated spread of malicious software called Internet worms.
暗网暗网(也称为网络望远镜、黑洞或互联网接收器)是一种全球路由网络,没有连接“真正”的机器,只承载极少量精心编制的合法流量。因此,很容易分离和分析各种事件可能产生的不必要流量,包括错误配置(例如,人类错误键入IP地址)、黑客恶意扫描地址空间寻找易受攻击的目标、随机源拒绝服务攻击的反向散射、,以及被称为互联网蠕虫的恶意软件的自动传播。
Dirty affiliate program Affiliate programs are distributed marketing programs that recruit agents to promote a product or service. Affiliates get financially compensated for each sale associated with their unique 'affiliate ID.' Affiliates are normally instructed by the operator of the affiliate program to not break any laws while promoting the product or service. Sanctions (typically loss of unpaid commissions or removal from the affiliate program) are normally applied if the affiliate spams or otherwise violates the affiliate program's policies.
Dirty affiliate program affiliate programs是一种分布式营销计划,招募代理商来推广产品或服务。关联公司可获得与其唯一“关联公司ID”相关的每次销售的经济补偿。关联公司计划的运营商通常会指示关联公司在推广产品或服务时不得违反任何法律。如果附属机构滥发垃圾邮件或违反附属机构计划的政策,通常会实施制裁(通常是失去未付佣金或从附属机构计划中删除)。
Dirty affiliate programs allow spamming, or if they do nominally prohibit spamming, they don't actually sanction violators. Dirty affiliate programs often promote illegal or deceptive products (prescription drugs distributed without regard to normal dispensing requirements, body part enlargement products, etc.), employ anonymous or untraceable affiliates, offer payment via anonymous online financial channels, and may fail to follow normal tax withholding and reporting practices.
肮脏的联盟程序允许垃圾邮件,或者如果他们名义上禁止垃圾邮件,他们实际上不会制裁违规者。肮脏的分支机构计划通常宣传非法或欺骗性产品(不考虑正常配药要求而分发的处方药、身体部位放大产品等),雇佣匿名或无法追踪的分支机构,通过匿名在线金融渠道提供支付,并且可能无法遵循正常的预扣税和申报惯例。
DoS attack Denial-Of-Service attack, a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic or otherwise blocking resources necessary to allow normal traffic flow.
DoS攻击拒绝服务攻击,是一种针对网络的攻击,旨在通过向网络中注入无用流量或以其他方式阻塞允许正常流量所需的资源,使网络瘫痪。
DDoS attack Distributed Denial of Service, an attack where multiple compromised systems are used to target a single system causing a Denial of Service (DoS) attack.
DDoS攻击分布式拒绝服务(Distributed Denial of Service),一种利用多个受损系统针对单个系统的攻击,造成拒绝服务(DoS)攻击。
Honey farm A honey farm is a set of honey pots working together.
蜂蜜农场蜂蜜农场是一套一起工作的蜂蜜罐。
Honey monkey A honey monkey is a honey pot in reverse; instead of sitting and waiting for miscreants, a honey monkey actively mimics the actions of a user surfing the Web. The honey monkey runs on virtual machines in order to detect exploit sites.
蜂蜜猴蜂蜜猴是蜂蜜罐的反面;蜜猴不是坐着等着恶棍,而是主动模仿用户上网的动作。蜂蜜猴在虚拟机上运行,以检测漏洞站点。
Honey pot A honey pot is a server attached to the Internet that acts as a decoy, attracting potential miscreants in order to study their activities and monitor how they are able to break into a system. Honeypots are designed to mimic systems that an intruder would like to break into but limit the intruder from having access to an entire network.
蜜罐蜜罐是连接到互联网的服务器,充当诱饵,吸引潜在的恶棍,以便研究他们的活动并监控他们如何能够闯入系统。蜜罐被设计成模拟入侵者想要入侵的系统,但限制入侵者访问整个网络。
IRC Internet Relay Chat is a form of instant communication over the Internet. It is mainly designed for group (many-to-many) communication in discussion forums called channels, but also allows one-to-one communication, originally standardized by RFC 1459 [RFC1459] but much improved and extended since its original invention. IRC clients rendezvous and exchange messages through IRC servers. IRC servers are run by many organizations for both benign and nefarious purposes.
IRC Internet中继聊天是通过Internet进行即时通信的一种形式。它主要设计用于在称为频道的论坛中进行组(多对多)通信,但也允许一对一通信,最初由RFC 1459[RFC1459]标准化,但自其最初发明以来,得到了极大的改进和扩展。IRC客户端会合并通过IRC服务器交换消息。IRC服务器由许多组织出于良性和恶性目的运行。
Malware Malware is software designed to infiltrate or damage a computer system, without the owner's informed consent. There are disagreements about the etymology of the term itself, the primary uncertainty being whether it is a portmanteau word (of "malicious" and "software") or simply composed of the prefix "mal-" and the morpheme "ware". Malware references the intent of the creator, rather than any particular features. It includes computer viruses, worms, Trojan horses, spyware, adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant.
恶意软件恶意软件是未经所有者知情同意而设计用于渗透或损坏计算机系统的软件。关于这个词本身的词源存在分歧,主要的不确定性在于它是一个portmanteau词(指“恶意”和“软件”),还是仅仅由前缀“mal-”和语素“ware”组成。恶意软件引用创建者的意图,而不是任何特定功能。它包括计算机病毒、蠕虫、特洛伊木马、间谍软件、广告软件和其他恶意和有害软件。在法律上,恶意软件有时被称为计算机污染物。
Mix networks Mix networks create hard-to-trace communications by using a chain of proxy servers [MIX]. Each message is encrypted to each proxy; the resulting encryption is layered like a Russian doll with the message as the innermost layer. Even if all but one of the proxies are compromised by a tracer, untraceability is still achieved. More information can be found at <http://www.adastral.ucl.ac.uk/~helger/crypto/link/protocols/ mix.php>.
混合网络混合网络通过使用代理服务器链创建难以跟踪的通信[Mix]。每个消息对每个代理进行加密;产生的加密像俄罗斯娃娃一样分层,最内层是消息。即使追踪者破坏了除一个之外的所有代理,仍然无法追踪。有关更多信息,请访问<http://www.adastral.ucl.ac.uk/~helger/crypto/link/protocols/mix.php>。
Onion routing Onion routing is a technique for anonymous communication over a computer network, it is a technique that encodes routing information in a set of encrypted layers. Onion routing is based on mix cascades (see mix networks (q.v.)). More information can be found at <http://www.onion-router.net/>.
洋葱路由洋葱路由是一种通过计算机网络进行匿名通信的技术,它是一种在一组加密层中对路由信息进行编码的技术。洋葱路由基于混合级联(参见混合网络(q.v.))。有关更多信息,请访问<http://www.onion-router.net/>.
Phishing Phishing is a form of criminal activity using social engineering techniques. It is characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication. Phishing is typically carried out using spoofed websites, email, or an instant message. The term phishing derives from password harvesting and the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.
网络钓鱼是一种利用社会工程技术进行的犯罪活动。它的特点是,在一次明显的官方电子通信中,通过伪装成一个值得信赖的人或企业,试图欺诈性地获取敏感信息,如密码和信用卡详细信息。网络钓鱼通常使用欺骗网站、电子邮件或即时消息进行。“钓鱼”一词源于密码捕获和使用越来越复杂的诱饵“钓鱼”用户的财务信息和密码。
Root access Access to a system with full administrative privileges bypassing any security restrictions placed on normal users. Derived from the name traditionally used for the 'superuser' on Unix systems.
Root访问以完全管理权限访问系统,绕过对普通用户的任何安全限制。源于Unix系统上传统上用于“超级用户”的名称。
Script kiddy Derogatory term for an inexperienced hacker who mindlessly uses scripts and other programs developed by others with the intent of compromising computers or generating DoS attacks.
ScriptKiddy是一个贬义词,指一个没有经验的黑客,他无意识地使用他人开发的脚本和其他程序,意图破坏计算机或产生DoS攻击。
Spam Spamming is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages. The individual messages are refereed to as spam. The term is frequently used to refer specifically to the electronic mail form of spam.
垃圾邮件是指滥用电子信息系统发送未经请求、不受欢迎的大量信息。个别邮件被视为垃圾邮件。该术语经常用于专门指垃圾邮件的电子邮件形式。
Spoofing (IP) spoofing is a technique where the illegitimate source of IP packets is obfuscated by contriving to use IP address(es) that the receiver recognizes as a legitimate source. Spoofing is often used to gain unauthorized access to computers or mislead filtering mechanisms, whereby the intruder sends packets into the network with an IP source address indicating that the message is coming from a legitimate host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a valid host and then modify the packet headers so that it appears that the packets are coming from that host.
欺骗(IP)欺骗是一种通过设法使用接收方识别为合法来源的IP地址来混淆IP数据包非法来源的技术。欺骗通常用于获得对计算机的未经授权的访问或误导过滤机制,入侵者通过IP源地址向网络发送数据包,表明消息来自合法主机。要进行IP欺骗,黑客必须首先使用各种技术查找有效主机的IP地址,然后修改数据包头,使数据包看起来似乎来自该主机。
Spyware Any software that covertly gathers user information through the user's Internet connection without his or her knowledge, e.g., for spam purposes.
间谍软件任何在用户不知情的情况下通过用户的互联网连接秘密收集用户信息的软件,例如用于垃圾邮件目的的软件。
UBE Unsolicited Bulk Email: an official term for spam.
未经请求的批量电子邮件:垃圾邮件的官方术语。
UCE Unsolicited Commercial Email: an official term for spam.
UCE未经请求的商业电子邮件:垃圾邮件的官方术语。
Virus A program or piece of code that is loaded onto a computer without the owner's knowledge and runs without their consent. A virus is self-replicating code that spreads by inserting copies of itself into other executable code or documents, which are then transferred to other machines. Typically, the virus has a payload that causes some harm to the infected machine when the virus code is executed.
病毒一种程序或一段代码,未经所有者知情而加载到计算机上,并在未经所有者同意的情况下运行。病毒是一种自我复制的代码,它通过将自身的副本插入其他可执行代码或文档进行传播,然后将这些代码或文档传输到其他机器。通常,当病毒代码被执行时,病毒的有效负载会对受感染的机器造成一些伤害。
Worm A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other systems and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.
蠕虫计算机蠕虫是一种自我复制的计算机程序。它使用网络将自身的副本发送到其他系统,并且可以在没有任何用户干预的情况下这样做。与病毒不同,它不需要将自身附加到现有程序上。蠕虫总是会损害网络(如果只是通过消耗带宽),而病毒总是会感染或破坏目标计算机上的文件。
Zombie This is another name for a bot.
僵尸这是机器人的另一个名字。
This document does not specify any protocol or "bits on the wire".
本文件未规定任何协议或“线路上的位”。
The IAB would like to thank the University of Southern California Information Sciences Institute (ISI) who hosted the workshop and all those people at ISI and elsewhere who assisted with the organization and logistics of the workshop at ISI.
IAB想感谢南加州大学信息科学研究所(ISI)主持了研讨会和ISI和其他地方的所有人,他们协助ISI工作坊的组织和后勤工作。
The IAB would also like to thank the scribes listed in Appendix A who diligently recorded the proceedings during the workshop.
IAB还要感谢附录A中列出的抄写员,他们在研讨会期间勤勉地记录了会议过程。
A special thanks to all the participants in the workshop, who took the time, came to the workshop to participate in the discussions, and who put in the effort to make this workshop a success. The IAB
特别感谢所有参加研讨会的与会者,他们抽出时间来参加研讨会的讨论,并为研讨会取得成功付出了努力。国际律师协会
especially appreciates the effort of those that prepared and made presentations at the workshop.
特别感谢那些在研讨会上准备并作了发言的人所作的努力。
[IMS] University of Michigan, "Internet Motion Sensor", 2006, <http://ims.eecs.umich.edu/>.
[IMS]密歇根大学,“互联网运动传感器”,2006,<http://ims.eecs.umich.edu/>.
[IRR] Merit Network Inc, "Internet Routing Registry Routing Assets Database", 2006, <http://www.irr.net/>.
[IRR]美德网络公司,“互联网路由注册路由资产数据库”,2006年<http://www.irr.net/>.
[MIX] Hill, R., Hwang, A., and D. Molnar, "Approaches to Mix Nets", MIT 6.857 Final Project, December 1999, <http:// www.mit.edu/afs/athena/course/6/6.857/OldStuff/Fall99/ papers/mixnet.ps.gz>.
[MIX]Hill,R.,Hwang,A.,和D.Molnar,“混合网络的方法”,麻省理工学院6.857最终项目,1999年12月,<http://www.MIT.edu/afs/athena/course/6/6.857/OldStuff/Fall99/papers/mixnet.ps.gz>。
[RFC1122] Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1122]Braden,R.,“互联网主机的要求-通信层”,标准3,RFC 1122,1989年10月。
[RFC1123] Braden, R., "Requirements for Internet Hosts - Application and Support", STD 3, RFC 1123, October 1989.
[RFC1123]Braden,R.,“互联网主机的要求-应用和支持”,STD 3,RFC 1123,1989年10月。
[RFC1459] Oikarinen, J. and D. Reed, "Internet Relay Chat Protocol", RFC 1459, May 1993.
[RFC1459]Oikarinen,J.和D.Reed,“互联网中继聊天协议”,RFC 1459,1993年5月。
[RFC1812] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995.
[RFC1812]Baker,F.,“IP版本4路由器的要求”,RFC1812,1995年6月。
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.
[RFC1918]Rekhter,Y.,Moskowitz,R.,Karrenberg,D.,Groot,G.,和E.Lear,“私人互联网地址分配”,BCP 5,RFC 1918,1996年2月。
[RFC2142] Crocker, D., "MAILBOX NAMES FOR COMMON SERVICES, ROLES AND FUNCTIONS", RFC 2142, May 1997.
[RFC2142]Crocker,D.,“公共服务、角色和功能的邮箱名称”,RFC 2142,1997年5月。
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC2827]Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,BCP 38,RFC 2827,2000年5月。
[RFC3330] IANA, "Special-Use IPv4 Addresses", RFC 3330, September 2002.
[RFC3330]IANA,“特殊用途IPv4地址”,RFC33302002年9月。
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, March 2004.
[RFC3704]Baker,F.和P.Savola,“多宿网络的入口过滤”,BCP 84,RFC 37042004年3月。
[SHRED] Krishnamurthy, B. and E. Blackmond, "SHRED: Spam Harassment Reduction via Economic Disincentives", 2003, <http://www.research.att.com/~bala/papers/shred-ext.ps>.
[SHRED]Krishnamurthy,B.和E.Blackmond,“SHRED:通过经济抑制减少垃圾邮件骚扰”,2003年<http://www.research.att.com/~bala/papers/shread-ext.ps>。
Bernard Aboba (IAB) Loa Andersson (IAB) Ganesha Bhaskara (scribe) Bryan Burns Leslie Daigle (IAB chair) Sean Donelan Rich Draves (IAB Executive Director) Aaron Falk (IAB, IRTF chair) Robert Geigle Minas Gjoka (scribe) Barry Greene Sam Hartman (IESG, Security Area Director) Bob Hinden (IAB) Russ Housely (IESG, Security Area Director) Craig Huegen Cullen Jennings Rodney Joffe Mark Kosters Bala Krishnamurthy Gregory Lebovitz Ryan McDowell Danny McPherson Dave Merrill David Meyer (IAB) Alan Mitchell John Morris Eric Osterweil (scribe) Eric Rescorla (IAB) Pete Resnick (IAB) Stefan Savage Joe St Sauver Michael Sirivianos (scribe) Rob Thomas Helen Wang Lixia Zhang (IAB)
Bernard Aboba(IAB)Loa Andersson(IAB)Ganesha Bhaskara(抄写员)Bryan Burns Leslie Daigle(IAB主席)Sean Donelan Rich Draves(IAB执行董事)Aaron Falk(IAB,IRTF主席)Robert Geigle Minas Gjoka(抄写员)Barry Greene Sam Hartman(IESG,安全区域总监)Bob Hinden(IAB)Russ Hously(IESG,安全区域总监)Craig Huegen Cullen Jennings Rodney Joffe Mark Kosters Bala Krishnamurthy Gregory Lebovitz Ryan McDowell Danny McPherson Dave Merrill David Meyer(IAB)Alan Mitchell John Morris Eric Osterweil(抄写员)Eric Rescorla(IAB)Pete Resnick(IAB)Stefan Savage Joe St Sauver Michael Sirivanos(抄写员)Rob Thomas Helen Wang Lixia Zhang(IAB)
Session 1: How bad is the problem? What are the most important symptoms?
问题有多严重?最重要的症状是什么?
Session 2: What are the sources of the problem?
会话2:问题的根源是什么?
Lunch session (session 3): Solutions in regulatory and societal space
午餐会(第3次会议):监管和社会领域的解决方案
Session 4: The underground economy
会议4:地下经济
Session 5: Current countermeasures, what works, what doesn't
课程5:当前的对策,哪些有效,哪些无效
Session 6: If all our wishes could be granted, what would they be?
第六课:如果我们所有的愿望都能实现,那会是什么?
Session 7: What's in the pipeline, or should be in the pipeline
第七课:什么在准备中,或者应该在准备中
Session 8: What is being actively researched on?
第八课:正在积极研究什么?
Session 9: What are the engineering (immediate and longer term) and research issues that might be pursued within the IETF/IAB/IRTF?
第9课:IETF/IAB/IRTF中可能涉及的工程(近期和长期)和研究问题是什么?
Links to a subset of the presentations given by the participants at the workshop can be found via the IAB Workshops page on the IAB web site at <http://utgard.ietf.org/iab/about/workshops/unwantedtraffic/ index.html>. As mentioned in Section 1, this is not a complete set of the presentations because certain of the presentations were of a sensitive nature which it would be inappropriate to make public at this time.
通过IAB网站上的IAB Workshops页面,可以找到学员在研讨会上所作演示的子集的链接,网址为<http://utgard.ietf.org/iab/about/workshops/unwantedtraffic/ index.html>。如第1节所述,这不是一套完整的演示文稿,因为某些演示文稿具有敏感性质,此时不宜公开。
Authors' Addresses
作者地址
Loa Andersson Acreo AB
安德松·阿克雷奥律师事务所
EMail: loa@pi.se
EMail: loa@pi.se
Elwyn Davies Folly Consulting
Elwyn Davies Folly咨询公司
EMail: elwynd@dial.pipex.com
EMail: elwynd@dial.pipex.com
Lixia Zhang UCLA
加州大学洛杉矶分校张丽霞
EMail: lixia@cs.ucla.edu
EMail: lixia@cs.ucla.edu
Full Copyright Statement
完整版权声明
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。