Abstract
A new embedded algorithm for defending against DDoS (distributed denial of service) attacks is proposed, which can be applied in a router. Based on the essential characteristics of DDoS attacks, the algorithm performs lightweight protocol analysis of the IP data flow and divides it into TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) flows. It sets up a corresponding aggregate model for each, detects the resources occupied by DDoS aggregates according to that model, and adopts corresponding control measures to filter attack packets, thereby assuring the normal forwarding of legitimate data flows. Simulation results show that the method detects DDoS attacks accurately and handles them effectively.
Source
《南京邮电学院学报(自然科学版)》
EI
2005, No. 5, pp. 11-14 (4 pages in total)
Journal of Nanjing University of Posts and Telecommunications
Keywords
Denial of service/Distributed denial of service (DoS/DDoS)
Aggregate
Model