共查询到18条相似文献,搜索用时 109 毫秒
1.
IP地址真实性验证成为构建可信网络的基础,基于源-目的标识(密钥)的自治域级IP欺骗过滤和基于源标识(公钥)的端系统级IP认证均采用了端-端方式试图解决IP欺骗.端-端认证方式实现简单,但却忽略了IP欺骗报文对中间网络的泛洪攻击,防御效果差.提出面向IP欺骗防御联盟成员的域间IP欺骗防御服务增强机制——ESP(enhanced spoofing prevention).ESP引入开放的路由器协同机制,提供了源-目的路径中ESP节点信息通告和协同标记的框架.基于源标识IP欺骗防御,ESP融入了路径标识,不仅减小了源标识冲突概率,而且混合型标识支持了ESP节点根据报文标识提前过滤IP欺骗报文.基于BGP(border gateway protocol),提出前缀p-安全节点的概念和检测理论,有效控制了源标识传播范围,减小了ESP节点的标记和过滤开销.ESP继承了基于标识的防御机制的可部分部署性,能够很好地支持动态路由和非对称路由.应用Routeview提供的RIB(routing information base)进行评估,ESP增强了IP欺骗防御服务的能力,而且能够提前过滤IP欺骗报文. 相似文献
2.
域间IP欺骗防御服务增强机制 总被引:1,自引:0,他引:1
IP地址真实性验证成为构建可信网络的基础,基于源-目的标识(密钥)的自治域级IP欺骗过滤和基于源标识(公钥)的端系统级IP认证均采用了端-端方式试图解决IP欺骗.端-端认证方式实现简单,但却忽略了IP欺骗报文对中间网络的泛洪攻击,防御效果差.提出面向IP欺骗防御联盟成员的域间IP欺骗防御服务增强机制——ESP(enhanced spoofing prevention).ESP引入开放的路由器协同机制,提供了源-目的路径中ESP节点信息通告和协同标记的框架.基于源标识IP欺骗防御,ESP融入了路径标识,不仅减小了源标识冲突概率,而且混合型标识支持了ESP节点根据报文标识提前过滤IP欺骗报文.基于BGP(border gateway protocol),提出前缀p-安全节点的概念和检测理论,有效控制了源标识传播范围,减小了ESP节点的标记和过滤开销.ESP继承了基于标识的防御机制的可部分部署性,能够很好地支持动态路由和非对称路由.应用Routeview提供的RIB(routing information base)进行评估,ESP增强了IP欺骗防御服务的能力,而且能够提前过滤IP欺骗报文. 相似文献
3.
由于能够隐藏攻击位置、避开攻击过滤、窃取用户隐私和增强攻击危害,IP匿名已被各类网络攻击广泛使用并造成极大的危害.为此,研究者们提出了IP溯源——一种能够在匿名攻击发生后揭露攻击主机身份的追踪技术.鉴于已有的IP溯源研究在面对大规模网络时存在扩展性差、处理开销大、拓扑隐私泄露等问题,提出了一种可动态扩展的高效单包溯源方法,简称SEE.该方法采用域间和域内相分离的层次化系统架构模型来弱化自治域之间的溯源联系、避免拓扑隐私泄露,并通过域内溯源网络构建、域内溯源地址分配、域内路径指纹建立和提取、域间反匿名联盟构建和域内到域间的平稳过渡等策略来改善系统的扩展性和处理开销.通过理论分析和基于大规模真实和人工互联网拓扑的仿真实验,结果表明,相对于以往方案,SEE在高效性和扩展性方面确实有了很大的改善. 相似文献
4.
现有的DDoS防御方法大多是针对传统IPv4网络提出的,而且它们的防御实时性还有待进一步提高。针对这种情况,提出了一种IPv6环境下实时防御DDoS的新方法,其核心思想是首先在受害者自治系统内建立决策判据树,然后依据决策判据1和2对该树进行实时监控,如果发现攻击,就发送过滤消息通知有关实体在受害端和源端一起对攻击包进行过滤,从而保护受害者。实验证明,该方法能够在秒钟数量级检测到攻击并且对攻击包进行过滤,能有效地防范多个DDoS攻击源。另外,该方法还能准确地区分攻击流和高业务流,可以在不恢复攻击路径的情况下直接追踪到攻击源所在的自治系统(甚至是子网)。 相似文献
5.
可信任是下一代互联网的重要特征.目前,互联网的路由系统只按照分组的目的IP地址转发分组,携带虚假源IP地址的伪造分组也会被传输到目的地,这会在威胁接收方安全的同时,隐藏发送方的真实身份.可信任互联网的路由系统不仅需要能够正确地转发分组,而且能够验证分组来自正确的发送方.基于路由的域间分布式分组过滤是过滤伪造分组的有效方法.提出了BGP的路由选择通知功能扩展,为域间分组过滤提供过滤标准.在扩展的支持下,边界路由器能够鉴别进入本自治系统的分组的真实性,过滤掉伪造其他自治系统地址的分组.模拟结果表明,路由选择通知不会对BGP正常的路由功能产生负面影响,选择合理的路由选择时钟参数,可以在同时取得较小带宽开销和较快收敛速度的情况下,为域间分布式分组过滤提供支持. 相似文献
6.
消除伪造源地址分组是互联网安全可信的内在要求.基于路由的分布式分组过滤具有良好的效果,但是目前对其有效性缺乏严密的理论分析.基于域间路由传播和互联网拓扑的分层特征,建立路由传播数模型和理想AS图模型,以此为工具分析了基于域间路由的最大过滤和半最大过滤有效性.结论印证并从理论上解释了前人研究中的实验结果.最大过滤能够消除绝大多数的伪造分组,虽然无法达到100%,但可以将伪造成功的自治系统数量限制为互联网AS路径的平均长度.在理想AS图上,半最大过滤与最大过滤的有效性相同,但是存储和计算开销要小很多,为实际中部署半最大过滤提供了理论依据.理论模型分析揭示了基于域间路由的分布式分组过滤的内在优缺点,有助于设计辅助措施和在整个互联网全面而合理地部署. 相似文献
7.
近年来,IP源地址伪造被频繁应用于网络攻击中,对互联网安全造成极大威胁.域间源地址验证方法通过对IP报文进行自治域级别的验证来防御这类网络攻击.学术界提出了这类方法的评价指标,并依照该指标设计出很多新的方法.然而,这些方法尽管指标值优秀,却无一能在实际中得到互联网服务提供商的广泛部署.究其原因,是现有评价指标主要关注互联网整体的安全性,而没有考虑到互联网服务提供商的个体利益.文中首次从互联网服务提供商的经济诉求出发,研究域间源地址验证方法的可部署性评价模型.作者提出将部署收益、部署开销和运维风险作为可部署性评价的3项基本指标,并给出其形式化定义;从理论上证明了该指标体系的合理性;建立了评价模型,为每个指标设计了完善的量化评价方法;以现有著名域间源地址方法的部署收益评价为例,展示了将理论模型应用于方法评价的具体流程,并对评价结果进行深入分析;最后,作者讨论了方法可部署性与互联网整体安全性的关系、方法设计的优化目标以及如何应用模型指导方法的设计.该评价模型的提出,对于设计更易于部署的方法具有指导意义,并有利于促进域间源地址验证方法在互联网的部署. 相似文献
8.
针对现有P2P电子商务模型信任粒度比较粗糙,不能很好体现节点真实行为的问题.提出一种细粒度信任模型(FG-trust),可以计算一个节点在不同领域、不向方面的可信度.模型采用多代理结构,将网络划分为多个域,每个域内设一个代理,管理域内节点信息,整个网络中设置一个总代理管理域间消息传递.引入领域模型的概念,计算同一节点在... 相似文献
9.
可信任是下一代互联网的重要特征,真实地址访问是可信任的基础和前提.自治域级真实地址访问是整个可信任互联网体系结构中最为复杂的一个层次.基于标签的源地址验证不受拓扑结构影响,无需中间节点特殊处理,是实现域间真实地址访问的有效方法.然而,现有方法中信任联盟过于扁平化和单一化的问题导致验证开销随联盟规模增大而急剧增大,影响和制约了机制的可扩展性和过滤能力,难以进行增量部署.对此,文中提出了一种层次化的基于标签替换的域间真实源地址验证方法(Hidasav),该方法通过合理规划联盟层次和聚类整合,构建出一种多级并存的信任联盟体系结构,通过引入实现轻量级标签替换的联盟边界,将每一层级联盟和外界网络隔离,使得下层联盟和更高层联盟内部的网络环境彼此互不可见、互无影响.与现有同类典型方法在CNGI真实环境中的实验结果比较表明,该方法能够在确保域间高速通信的同时有效降低边界路由设备的状态机存储、更新和报文验证开销. 相似文献
10.
Grid环境下基于实体行为的信任评估模型* 总被引:2,自引:1,他引:1
面对网格环境的动态性和不确定性,网格安全因素变得尤为重要。提出了一种基于实体行为的信任评估模型,该模型把网格分成若干个自治域,对域内和域间实体的信任关系分别处理,通过引入欺骗惩罚机制保障网格实体的安全性。仿真实验表明,这种信任模型能更加准确地评估实体之间的信任关系,从而有效地解决网格环境中存在的安全问题。 相似文献
11.
IP spoofing hinders the efficiency of DDoS defenses. While recent proposals of IP spoofing prevention mechanisms are weak at filtering spoofing packets due to the complexity in maintaining source IP spaces and the low incentive of deployments. To address this problem, we propose an efficient mechanism to extend the range of inter-domain IP spoofing prevention called MASK. Source MASK nodes inform destination MASK nodes about the source IP spaces and labels of their neighbor Stub-ASes in order to implement the marking and verification of packets towards the Stub-ASes, and limit the number of MASK peers through the propagation of BGP updates so as to reduce the overheads of computing and storing of labels. By utilizing the method of extending the spoofing prevention to Stub-ASes, MASK can not only enlarge the domain of the spoofing prevention service, but also filter spoofing packets in advance. Through analysis and simulations, we demonstrate MASK's accuracy and effectiveness. 相似文献
12.
Zhenhai Duan Xin Yuan Chandrashekar J. 《Dependable and Secure Computing, IEEE Transactions on》2008,5(1):22-36
The distributed denial-of-service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose an interdomain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in border gateway protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks. 相似文献
13.
Filtering out traffic with forged source address on routers can significantly improve the security of Internet. However, despite intermittent IP spoofing attacks, existing filtering mechanisms inspect each packet all the time, consuming considerable resource on routers even there is no spoofing at all. This article considers the requirement for a solution performing IP spoofing filtering with agility, which consumes resource in proportional to the size of attack. A novel IP spoofing filtering mechanism named Virtual Anti-Spoofing Edge (VASE) is proposed in this article. VASE uses sampling and on-demand filter configuration to reduce unnecessary overhead in peace time. The evaluation based on simulation shows VASE has obvious advantages over commonly used mechanisms in various scenarios. VASE is fully compatible with current IP spoofing filtering practices and can be implemented with commodity routers. In the campus network of Tsinghua University, VASE is providing real benefits. 相似文献
14.
15.
IP欺骗是常用的一种攻击手段。在存在信任关系的网络中,IP欺骗能够伪装成为合法用户,取得一般用户甚至超级用户的权限,危害甚大。本文分析了这种攻击的实现原理,并提出了针对这种攻击的检测方法和防御技术,另外对IP欺骗和IP却持进行了比较。 相似文献
16.
The Internet not only facilitates our daily activities, such as communication, entertainment and shopping but also serves as the enabling technology for many critical services, including finance, manufacturing, healthcare and transportation. On the other hand, a wide spectrum of attacks targets its communication infrastructure to disable or disrupt the network connectivity and traffic flow until recovery processes take place. Attacking all autonomous systems (ASes) in the Internet is typically beyond the capability of an adversary. Therefore, targeting a small number of ASes which results in the highest impact is the best strategy for attackers. Similarly, it is important for network practitioners to identify, fortify and secure those critical ASes to mitigate the impact of the attacks. In this study we introduce an intuitive and effective measure, IP address spatial path stress centrality, to assess and identify the critical ASes in the Internet. We compare IP address spatial path stress centrality to the three well-known and widely used centrality measures, namely customer-cone size, node degree and betweenness. We demonstrate that the proposed measure incorporates business relations and IP address spaces to achieve a better measure for identifying the critical ASes in the Internet. 相似文献
17.
The Internet topology at the autonomous system (AS) level is of great importance, and traceroute has been known to be a potential tool to obtain a complete AS topology. The original IP-to-AS mapping table maps the IP addresses in traceroute paths to their origin ASes, which may cause false AS links. The existing methods refine the original mapping table based on traceroute-BGP path pairs or alias resolution data. However, the information extracted from either of them is inaccurate and incomplete. In this paper, we present a two-type information fusion based method to refine the original mapping table. We extract four kinds of information from path pair and alias resolution data. Based on these information, we build a candidate AS set for each router. Then we choose the AS that is consistent with the existing information to be the owner AS of each router and map all of the IP addresses on the router to it. We validate the result with the ground truth from PeeringDB and Looking Glass severs. Compared with the existing methods, our method produces a more accurate mapping table. In addition, we discuss the coverage of our method and show that our method is convergent and more robust against the reduction of information or the increase of incorrect information. 相似文献
18.
提出一种基于Internet无尺度特性的StackPi在途中过滤方法,与原有的StackPi在目的端过滤的方法相比,只须配置少量的(少于总节点量的10%)途中过滤机制就能在整个Internet范围内有效抑制IP源地址假冒。准确地找到Internet中具有高连接特征的集散节点是该方法的前提,使用该方法需要Internet的拓扑知识或其他能够定位集散节点的算法。 相似文献