| 非对称路由环境下SYN flood攻击防御方法 |
| |
| 引用本文: | 陶建喜,周立,周舟,杨威,刘庆云,杨嵘.非对称路由环境下SYN flood攻击防御方法[J].通信学报,2013,34(Z1):285-291. |
| |
| 作者姓名: | 陶建喜 周立 周舟 杨威 刘庆云 杨嵘 |
| |
| 作者单位: | 1. 中国科学院 信息工程研究所,北京 100093;2. 国家计算机网络应急技术处理协调中心,北京100029;
3. 北京邮电大学 计算机学院,北京 100876;4. 信息内容安全技术国家工程实验室,北京100093 |
| |
| 基金项目: | 国家高技术研究发展计划(“863”计划)基金资助项目(2011AA010703);国家“242”信息安全计划基金资助项目(2012A99);中国科学院战略性先导科技专项基金资助项目(XDA06030200);国家自然科学基金资助项目(61303260) |
| |
| 摘 要: | 针对现有网络安全设施无法有效防御非对称路由环境下流量规模较大的SYN flood攻击的问题,对SYN flood攻击检测技术和TCP连接管理策略进行研究,提出了一种轻量级攻击检测和混合连接管理策略相结合的防御方法,利用SYN分组比例和目的地址熵进行攻击检测,并根据检测结果对基于SYN的连接管理策略和基于数据的连接管理策略进行灵活切换。实验证明该防御方法能有效地减轻SYN flood攻击对网络安全设施的影响。
|
| 关 键 词: | SYN flood 非对称路由 连接管理 SYN分组比例 目的地址熵 |
| 收稿时间: | 8/6/2013 12:00:00 AM |
SYN flood attack defense strategy for asymmetric routing |
| |
| Jian-xi TAO,Li ZHOU,Zhou ZHOU,Wei YANG,Qing-yun LIU,Rong YANG.SYN flood attack defense strategy for asymmetric routing[J].Journal on Communications,2013,34(Z1):285-291. |
| |
| Authors: | Jian-xi TAO Li ZHOU Zhou ZHOU Wei YANG Qing-yun LIU Rong YANG |
| |
| Affiliation: | 1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2. National Computer Network Emergency Response Technical Team/Coordination Center, Beijing 100029, China;3. College of Computer Science and Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China;4. National Engineering Laboratory for Information Security Technology, Beijing 100093, China |
| |
| Abstract: | In order to resolve the problem that existing network security facilities can't defend against large-scale SYN flood attack under asymmetric routing environment, attack detection technology and connection management strategy were researched, and a defense architecture combining a light-weight detection method with a hierarchical connection management strategy was presented. The detection method uses SYN packet rate and destination IP address entropy, and the hierarchical connection management strategy consists of a method based on SYN packet and a method based on data packet. The experimental results show that this proposed method can mitigate the influence brought by SYN flood attack. |
| |
| Keywords: | SYN flood asymmetric routing connection management SYN packet rate destination IP address entropy |
|
| 点击此处可从《通信学报》浏览原始摘要信息 |
|
点击此处可从《通信学报》下载全文 |
