
An optimized path identification model for defending against distributed denial-of-service attacks (cited by: 2)

Optimal path identification to defend against DDoS attacks
Abstract: Path identification (Pi) provides an effective means of quickly distinguishing and filtering attack packets when defending against Internet denial-of-service attacks. Building on it, a novel packet marking scheme, optimal path identification (OPi), is proposed to defend against DDoS attacks. Instead of inserting a fixed 1 or 2 bits per router as in previous schemes, an OPi router deduces the distance an arriving packet has already traveled from its current TTL value and inserts a variable-length marking of 1 to 16 bits into the packet, making maximal use of the marking field. The marking field is filled completely even when the path is very short, which improves distinguishability. OPi outperforms previous schemes, especially when attacker paths are heavily intermixed with legitimate user paths. Because attack packets may carry randomly generated initial TTL values to disturb the OPi marking, an OPi+TTL filtering strategy is further proposed. Theoretical analysis and simulations based on large-scale real Internet topologies show that OPi defends effectively.
Source: Journal on Communications (《通信学报》), indexed in EI, CSCD and the Peking University Core Journals list; 2008, No. 9, pp. 46-53 (8 pages)
Funding: Natural Science Foundation of Zhejiang Province (Y106023); Natural Science Foundation of Ningbo (2006A610014)
Keywords: Internet security; DDoS attack; packet marking; path identification

