首页 | 本学科首页   官方微博 | 高级检索  
相似文献
 共查询到20条相似文献,搜索用时 93 毫秒
1.
介绍了分布式防火墙的概念与模型,分析了分布式防火墙不依赖于网络拓朴结构的优点.为克服分布式防火墙在防止拒绝服务攻击中的不足,提出了分布式主动型防火墙的模型:不被动地防止攻击,而是将内部的攻击拒绝在攻击者处.运用策略分解的方法,将一条KeyNote语言描述的策略分为两部分再发放给相应主机.此方法有效地防止了来自内部的拒绝服务攻击,使服务器能正常提供服务.  相似文献   

2.
分布式拒绝服务攻击已成为危害互联网安全的突出安全问题,本文分析了分布式拒绝服务攻击的攻击原理和防御原理,并提出了一种结合白名单和黑名单的硬件防火墙实现方案。  相似文献   

3.
DDoS攻击原理剖析与防范策略研究   总被引:1,自引:0,他引:1  
介绍了分布式拒绝服务(DDoS)攻击的概念和攻击原理,讨论了DDoS攻击的主要工具和防范策略,分析了检测式分布式拒绝服务攻击的方法,并从多个角度给出了防范措施。  相似文献   

4.
Linux主机防范DDoS攻击的措施   总被引:1,自引:0,他引:1  
分布式拒绝服务(DDoS)是一种目前常见的网络攻击手段。该文简要介绍了DDoS攻击原理,并演示了利用Netfilter/iptables防火墙软件的状态检测机制实施有效的防御DDoS攻击策略,最后给出相应的实现脚本。  相似文献   

5.
分布式拒绝服务攻击已经成为网络最大的安全威胁之一,如何有效的防御DDos攻击已经引起了诸多学者的关注,文章阐述了分布式拒绝服务攻击的原理,攻击类型,检测方法和对DDos攻击防御策略。  相似文献   

6.
防御拒绝服务攻击的实时动态安全模型   总被引:1,自引:0,他引:1  
举例说明拒绝服务攻击危害、防御方法以及通过防火墙防御策略的局限性,根据DDoS的特征,提出并分析了IDS与防火墙相结合而产生的实时动态安全模型,该模型对其他的攻击方式同样有很好的参考价值。  相似文献   

7.
拒绝服务攻击是攻击网络系统的一种常用方法,文章首先介绍了拒绝服务攻击的分类,并就几种常见的攻击原理进行了分析,然后提出了防御对策,最后重点分析了拒绝服务攻击的进一步发展-分布式拒绝服务攻击的原理与防范策略。  相似文献   

8.
防TTL值欺骗的数据包标记算法研究   总被引:1,自引:0,他引:1       下载免费PDF全文
分布式拒绝服务攻击是目前最难处理的网络难题之一,针对分布式拒绝服务攻击提出了多种应对方案,这些方案都各有优缺点,但其中自适应概率包标记受到了广泛地重视和运用。针对攻击者对TTL初始值的伪造提出了一种自适应策略,有利于防止TTL值的伪造,减少路由器处理器的负担,节省了IP包头的空间。  相似文献   

9.
分布式拒绝服务攻击研究综述   总被引:18,自引:0,他引:18  
分布式拒绝服务攻击(distributed denial-of-service,DDoS)已经对Internet的稳定运行造成了很大的威胁.在典型的DDoS攻击中,攻击者利用大量的傀儡主机向被攻击主机发送大量的无用分组.造成被攻击主机CPU资源或者网络带宽的耗尽.最近两年来.DDoS的攻击方法和工具变得越来越复杂,越来越有效,追踪真正的攻击者也越来越困难.从攻击防范的角度来说,现有的技术仍然不足以抵御大规模的攻击.本文首先描述了不同的DDoS攻击方法,然后对现有的防范技术进行了讨论和评价.然后重点介绍了长期的解决方案-Internet防火墙策略,Internet防火墙策略可以在攻击分组到达被攻击主机之前在Internet核心网络中截取这些攻击分组。  相似文献   

10.
DDoS攻击检测技术研究   总被引:3,自引:0,他引:3  
分布式拒绝服务攻击是网络安全的重大威胁之一。传统的根据流量特征来检测拒绝服务攻击的方法,无法适用于分布式拒绝服务攻击的检测。文章介绍了一种基于CUSUM算法的检测技术,这种检测方法可以有效识别分布式拒绝服务攻击。  相似文献   

11.
认证协议为保证其安全性,通常要使用复杂的密码算法,从而造成DoS攻击隐患.为解决该问题,基于保护协议响应方的立场,综合Cookie方法和工作量证明方法的思想,采用两阶段认证的方法,提出了该一种抵御DoS攻击的认证协议安全方案.对方案进行了框架设计和实现设计,并根据方案建立实验模型.实验结果的分析表明了方案抵御DoS攻击的能力,然后分析了安全方案的安全特性.最后应用安全方案对Helsinki协议进行了改进,增强了该协议的抗DOS攻击能力.  相似文献   

12.
《Computer Networks》2007,51(4):1013-1030
This paper presents a low-rate DoS attack that could be launched against iterative servers. Such an attack takes advantage of the vulnerability consisting in the possibility of forecasting the instant at which an iterative server will generate a response to a client request. This knowledge could allow a potential intruder to overflow application buffers with relatively low-rate traffic to the server, thus avoiding the usual DoS IDS detection techniques. Besides the fundamentals of the attack, the authors also introduce a mathematical model for evaluating the efficiency of this kind of attack. The evaluation is contrasted with both simulated and real implementations. Some variants of the attack are also studied. The overall results derived from this work show how the proposed low-rate DoS attack could cause an important negative impact on the performance of iterative servers.  相似文献   

13.
米安 《现代计算机》2013,(11):19-24
目前,对商业服务器攻击方式主要有两种,包括拒绝服务(DoS)攻击和分布式拒绝服务(DDoS)攻击。这种攻击类型属于命中一运行类型。DoS/DDoS攻击因为不够灵敏而不能绕过防火墙等防御.即DoS/DDoS攻击向受害主机发送大量看似合法的网络包.从而造成网络阻塞或服务器资源耗尽而导致拒绝服务。虽然数据没有被损坏。但是服务器最终被摧毁.并且还会引发一系列其他的问题.对于一个电子商务服务器.其最重要的为服务器的停机时间。研究对分布式拒绝服务(DDoS)防御原则。  相似文献   

14.
Low-rate denial of service (DoS) attacks have recently emerged as new strategies for denying networking services. Such attacks are capable of discovering vulnerabilities in protocols or applications behavior to carry out a DoS with low-rate traffic. In this paper, we focus on a specific attack: the low-rate DoS attack against application servers, and address the task of finding an effective defense against this attack.Different approaches are explored and four alternatives to defeat these attacks are suggested. The techniques proposed are based on modifying the way in which an application server accepts incoming requests. They focus on protective measures aimed at (i) preventing an attacker from capturing all the positions in the incoming queues of applications, and (ii) randomizing the server operation to eliminate possible vulnerabilities due to predictable behaviors.We extensively describe the suggested techniques, discussing the benefits and drawbacks for each under two criteria: the attack efficiency reduction obtained, and the impact on the normal operation of the server. We evaluate the proposed solutions in a both a simulated and a real environment, and provide guidelines for their implementation in a production system.  相似文献   

15.
A DoS attack can be regarded as an attempt of attackers to prevent legal users from gaining a normal network service. The TCP connection management protocol sets a position for a classic DoS attack, namely, the SYN flood attack. In this attack some sources send a large number of TCP SYN segments, without completing the third handshake step to quickly exhaust connection resources of the under attack system. This paper models the under attack server by using the queuing theory in which attack requests are recognized based on their long service time. Then it proposes a framework in which the defense issue is formulated as an optimization problem and employs the particle swarm optimization (PSO) algorithm to optimally solve this problem. PSO tries to direct the server to an optimum defense point by dynamically setting two TCP parameters, namely, maximum number of connections and maximum duration of a half-open connection. The simulation results show that the proposed defense strategy improves the performance of the under attack system in terms of rejection probability of connection requests and efficient consumption of buffer space.  相似文献   

16.
DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key provisioning mode does not scale well with the number of clients, it may result in scalability issues on the server side, and it complicates key re-provisioning in dynamic scenarios. This paper presents a single and efficient security architecture which addresses both issues, by substantially limiting the impact of DoS, and reducing the number of keys stored on the server side to one unit only. Our approach does not break the existing standard and does not require any additional message exchange between DTLS client and server. Our experimental results show that our approach requires a shorter amount of time to complete a handshake execution and consistently reduces the time a DTLS server is exposed to a DoS instance. We also show that it considerably improves a DTLS server in terms of service availability and robustness against DoS attack.  相似文献   

17.
一种基于移动Agent的分布式应用系统架构   总被引:3,自引:0,他引:3  
石太伟  郭陟  顾明 《计算机工程》2005,31(24):61-63
拒绝服务(Dos)攻击对分布式应用系统的安全威胁日益严重。文章提出了一种基于移动Agent的分布式应用系统架构,用以保护系统中的应用服务器,提高其抗DoS攻击的能力。为进一步改善系统抗DoS攻击性能,提出了一种基于遗传算法的代理主机分组算法。最后定性评估了系统的抗DoS攻击能力。  相似文献   

18.
改进的空间网络密钥交换协议   总被引:2,自引:0,他引:2       下载免费PDF全文
针对空间网络的特点及空间网络对密钥交换的特殊需求,提出一种适用于空间网络的密钥交换协议。该协议以Internet密钥交换协议为基础,通过增加DH循环队列、提高Cookie计算强度的方法增强其抗拒绝服务攻击的能力,给出抵御中间人攻击、选项攻击及反射攻击的修正方法。理论分析表明,该协议具有更高的安全性和较少的交换次数,更适用于空间网络通信环境。  相似文献   

19.
低速率拒绝服务攻击研究综述   总被引:6,自引:0,他引:6  
低速率拒绝服务攻击是近年来提出的一类新型攻击,其不同于传统洪泛式DoS攻击,主要是利用端系统或网络中常见的自适应机制所存在的安全漏洞,通过低速率周期性攻击流,以更高的攻击效率对受害者进行破坏且不易被发现。LDoS攻击自提出以来便得到了研究者们的充分重视,其攻击特征分析与检测防范方法逐渐成为网络安全领域的一个重要研究课题。首先对目前已提出的各种LDoS攻击方式进行了分类描述和建模,并在NS2平台上进行了实验验证,接着对LDoS攻击的检测防范难点进行了讨论并对已有的各种检测防范方案进行了小结,最后指出了有待进一步研究的几个问题,以期为今后此类攻击检测防范研究工作提供参考。  相似文献   

20.
根据会话初始协议(SIP)拒绝服务攻击的原理和方式,将阈值动态调整和实时动态防御相结合,提出一种抵御SIP洪泛攻击的防御模型,利用卡方流量判定模型与累计和统计模型动态调整阈值,并检测SIP洪泛攻击,通过IP防御模型动态抵御基于IP的SIP洪泛攻击。实验结果表明,该模型可以实时、高效地检测SIP洪泛攻击,在异常发生时有效防止SIP/ IMS服务器被攻击。  相似文献   

设为首页 | 免责声明 | 关于勤云 | 加入收藏

Copyright©北京勤云科技发展有限公司  京ICP备09084417号