With the rapid development of information technology, industrial control systems are moving towards interconnectivity and open integration. Since OPC UA (OLE for Process Control Unified Architecture) is unified, open and platform-independent, it is regarded as the future communication standard for industrial control systems. However, an open network environment brings not only great opportunities but also more security threats. Among these, denial of service (DoS) is the greatest threat to industrial control systems. Such an attack causes network congestion or exhausts the target system's resources, so that the target network or system delays or even rejects legitimate user requests, severely damaging the availability of the industrial control system. Because existing defense technologies cannot parse OPC UA traffic, attackers can exploit the OPC UA attack surface and launch more subtle DoS attacks at the OPC UA level. These attacks pass through existing defenses, reach critical OPC UA servers, and affect the availability of the entire industrial control system. In this context, studying DoS attacks at the OPC UA level is of great significance.

This thesis studies DoS defense schemes in OPC UA and other fields, analyzes and compares their shortcomings, and introduces the reverse proxy into the OPC UA defense system. Based on the characteristics of industrial control systems and of OPC UA DoS attacks, a defense model centered on attack prevention is proposed. On the basis of the reverse proxy and this defense model, the OPC UA DoS Defender is designed and implemented, providing new ideas for the security protection of industrial control systems. The research content and main innovations of this thesis are as follows:

1. On the basis of application-layer proxy technology, an OPC UA reverse proxy method is proposed. This method creates a new communication layer, the aggregated reverse proxy layer, and implements a transparent and secure OPC UA proxy through configuration update, transformation of identity information, address hiding, etc. The method can parse and proxy all message types, run in all security modes, and be combined with other functional modules for extension, giving it a wide range of application scenarios.

2. Based on the characteristics of OPC UA DoS attacks and industrial control systems, an OPC UA DoS defense model suitable for industrial control systems is proposed. The model is built on the concepts of suspicious behavior and punishment: by detecting suspicious behavior and punishing suspicious clients in a timely manner, attack prevention is achieved. At the same time, availability is used as the sole indicator of attack detection, and attacks are handled through a recorded forwarding delay, forming a complete defense system.

3. To address the inability of current defense facilities to resist OPC UA-level DoS attacks, the OPC UA DoS Defender is designed and implemented. The system is based on the defense model proposed in this thesis, takes the reverse proxy as its physical basis, summarizes the methods for judging suspicious behavior, and designs a delayed forwarding algorithm. Its main goal is attack prevention: it can defend not only against message flooding and resource exhaustion attacks but also against DoS attacks in trusted mode, protecting critical resources in the industrial control system from the impact of DoS attacks.

4. A test platform based on actual application scenarios is built, and functional and performance tests are conducted on the implemented OPC UA DoS Defender at both the proxy level and the attack defense level. The experiments show that the OPC UA DoS Defender proposed in this thesis can accurately distinguish suspicious behavior from normal behavior, impose penalties on suspicious clients in a timely manner, prevent attacks, greatly reduce the system's communication latency in attack scenarios, protect the availability of the source server's session resources, and provide a useful reference for the protection of OPC UA and industrial control systems.
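As an added illustration (not the thesis's own code or algorithm), the following Python sketch shows how a proxy can combine the two ideas in point 2: suspicious-behavior strikes that earn a client a growing forwarding delay, and the proxy's own recorded forwarding delay as the only availability indicator deciding when that punishment is applied. The CreateSession-burst heuristic and all thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical thresholds for the illustration (not values from the thesis)
SESSION_RATE_LIMIT = 5   # more CreateSession requests than this within WINDOW is suspicious
WINDOW = 1.0             # seconds
BASE_PENALTY = 0.5       # seconds of hold at one strike; doubles with each further strike
MAX_PENALTY = 8.0        # seconds
DELAY_ALARM_MS = 200     # recorded forwarding delay above this means availability is degraded


@dataclass
class ClientState:
    session_times: deque = field(default_factory=deque)  # recent CreateSession timestamps
    strikes: int = 0                                     # suspicious events observed


class DelayedForwardingProxy:
    def __init__(self):
        self.clients = defaultdict(ClientState)
        self.forward_delays = deque(maxlen=20)  # recorded proxy-to-server forwarding delays (ms)
    def is_suspicious(self, client, now):
        # Suspicious behaviour modelled here: a burst of CreateSession requests within WINDOW
        st = self.clients[client]
        st.session_times.append(now)
        while now - st.session_times[0] > WINDOW:
            st.session_times.popleft()
        return len(st.session_times) > SESSION_RATE_LIMIT
    def availability_degraded(self):
        # Availability is the sole attack indicator: look only at recorded forwarding delay
        return bool(self.forward_delays) and max(self.forward_delays) > DELAY_ALARM_MS
    def penalty(self, client):
        return min(BASE_PENALTY * (2 ** self.clients[client].strikes - 1), MAX_PENALTY)
    def handle(self, client, msg, now, forward_delay_ms):
        """Decide for one request: ('forward', 0.0) or ('hold', seconds to delay it)."""
        self.forward_delays.append(forward_delay_ms)
        st = self.clients[client]
        if msg == "CreateSession" and self.is_suspicious(client, now):
            st.strikes += 1
        if st.strikes and self.availability_degraded():
            return ("hold", self.penalty(client))
        return ("forward", 0.0)


def run_scenario():
    """Constructed traffic: one normal client beside one session-flooding client."""
    proxy, results = DelayedForwardingProxy(), {"normal": [], "flooder": []}
    for i in range(12):
        t, delay = i * 0.05, 40 + 30 * i  # server slows down as the flood eats session resources
        results["flooder"].append(proxy.handle("flooder", "CreateSession", t, delay))
        if i % 4 == 0:  # the normal client creates sessions far less often
            results["normal"].append(proxy.handle("normal", "CreateSession", t, delay))
    return results
```

The normal client is never held, even once the server is slow, because it accumulated no strikes; the flooder is forwarded until the recorded delay crosses the alarm and is then held for an exponentially growing, capped time.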