Similar literature (20 results)
1.
王箫, 马严, 林召文, 卢峰. Telecommunications Science (电信科学), 2005, 21(1):62-65
This paper describes a new IPv6 DNS automatic update system based on the client/server model. It first analyses the current state of IPv6 DNS automatic update technology and its open problems, then, to address those problems, proposes a client/server-based IPv6 DNS automatic update system that supports multiple IPv4/IPv6 addresses, secure dynamic update, automatic address detection and address filtering. The system runs on several mainstream operating platforms and gives both individual users and network-wide deployments considerable flexibility. Future applications are discussed at the end.

2.
DNS (domain name system) provides the network service that maps domain names to IP addresses and back. Taking the DNS of a university-town network with two upstream links as the example, this paper describes a policy-DNS configuration method based on BIND9: for the same domain-name query, the server returns different resolution results depending on the client's source IP address.
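The split-horizon behaviour described above is what BIND9 views provide. The following named.conf fragment is an added illustration, not the configuration from the paper: the two campus address ranges, the ACL names, the zone file names and the addresses 192.0.2.10 / 198.51.100.10 (documentation prefixes) are all assumed.

```conf
// Split-horizon resolution for example.edu on a dual-uplink campus network.
// Each view answers from its own zone file, so the same name resolves to the
// address reachable over the uplink that serves that client group.

acl "campus-cernet"  { 10.10.0.0/16; };   // assumed: clients behind the CERNET uplink
acl "campus-telecom" { 10.20.0.0/16; };   // assumed: clients behind the telecom uplink

view "cernet" {
    match-clients { "campus-cernet"; };
    recursion yes;
    zone "example.edu" {
        type master;
        file "example.edu.cernet";   // www  IN  A  192.0.2.10
    };
};

view "telecom" {
    match-clients { "campus-telecom"; };
    recursion yes;
    zone "example.edu" {
        type master;
        file "example.edu.telecom";  // www  IN  A  198.51.100.10
    };
};

// Views are tried in order; the last one matches everybody else. It must not
// recurse, otherwise the campus server is an open resolver usable as a DNS
// reflector by anyone on the Internet.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.edu" {
        type master;
        file "example.edu.external"; // www  IN  A  198.51.100.10
    };
};
```

Check the fragment with `named-checkconf` before reloading, then confirm the policy from a host in each range with `dig @<server> www.example.edu A` and once more from outside the campus; the external query must return the public address and must be refused recursion for any name the server is not authoritative for.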

3.
罗志强, 沈军, 金华敏. Telecommunications Science (电信科学), 2015, 31(10):1-196
Distributed DNS reflection DDoS attacks have become one of the main forms of denial-of-service attack, and traditional defences based on statistical analysis of network traffic and on traffic control no longer meet protection needs. This paper proposes a DNS reflection attack detection technique based on intelligent assessment of the time-to-live (TTL) value, which accurately identifies packets with forged source IP addresses, and a multi-system-fusion technique for tracing and blocking forged source addresses, which stops attack traffic from entering the network at its source.

4.
Research on protocol spoofing in active sniffing    Cited by: 15 (self-citations: 0, by others: 15)
贺龙涛, 方滨兴, 胡铭曾. Journal on Communications (通信学报), 2003, 24(11):146-152
This paper proposes an active sniffing framework based on protocol spoofing, which greatly widens the range of situations in which network sniffing applies. It analyses the concrete steps of a network access and groups the mappings involved into four kinds: server domain name to IP address, IP address to MAC address, remote server IP address to local router IP address, and client-side display to application-server processing. According to which mapping is broken, the protocol-spoofing techniques that enable active sniffing are divided into four classes: ARP spoofing, route spoofing, DNS spoofing and application-layer spoofing. The attack principle, implementation and countermeasures of each class are analysed in detail.
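The second mapping in that taxonomy, IP address to MAC address, is the one ARP spoofing breaks, and the corresponding countermeasure is to notice when a binding changes or when a reply arrives that nobody asked for. The check below is an added example (not the authors' code): it assumes the defender holds a trusted binding table, for instance from DHCP leases or static assignment, and sees ARP replies as (sender IP, sender MAC, solicited) tuples; every address in it is constructed.

```python
"""ARP spoofing check against a trusted IP-to-MAC binding table (added example)."""

# Constructed: what the gateway and a printer really use on this segment.
TRUSTED_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",
    "10.0.0.50": "00:11:22:33:44:50",
}


def check_arp_reply(bindings, sender_ip, sender_mac, solicited):
    """Return the findings for one ARP reply (an empty list means nothing suspicious).

    Two independent signals are used: the sender MAC contradicts the trusted
    binding for that IP, and the reply was not an answer to a request we sent
    (gratuitous replies are how a poisoner seeds every cache on the segment).
    """
    findings = []
    expected = bindings.get(sender_ip)
    if expected is not None and expected.lower() != sender_mac.lower():
        findings.append(f"binding change for {sender_ip}: {expected} -> {sender_mac}")
    if not solicited:
        findings.append(f"unsolicited reply for {sender_ip} from {sender_mac}")
    return findings


def audit(bindings, replies):
    """Run the check over a list of (sender_ip, sender_mac, solicited) tuples."""
    return [(r, f) for r in replies if (f := check_arp_reply(bindings, *r))]


# Constructed capture: two honest answers, one poisoning attempt, one host we
# have no binding for (not flagged: absence of a binding is not evidence).
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01", True),
    ("10.0.0.50", "00:11:22:33:44:50", True),
    ("10.0.0.1", "de:ad:be:ef:00:01", False),   # claims to be the gateway, unsolicited
    ("10.0.0.77", "00:11:22:33:44:77", True),
]


def run_demo():
    return audit(TRUSTED_BINDINGS, SAMPLE_REPLIES)
```

The detection only tells you that the mapping was attacked; the countermeasure that prevents the attack on a host you control is a static entry for the gateway (`arp -s` on most systems), and on the switch, dynamic ARP inspection tied to the DHCP snooping table that this binding table stands in for.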

5.
This paper presents the design and development of a new network virtualization scheme to support multitenant datacenter networking (MT-DCN) based on software-defined networking (SDN) technologies. Effective multitenancy support is essential and challenging for datacenter network design. In this study, we propose a new network virtualization architecture framework for efficient packet forwarding in MT-DCN. Traditionally, an Internet host uses IP addresses for both host identification and location information, which causes mobile-IP problems whenever the host is moved from one IP subnet to another. Unfortunately, virtual machine (VM) mobility is inevitable for cloud computing in datacenters, for reasons such as server consolidation and network traffic flow optimization. To solve these problems, we decouple VM identification and location information into two independent values, neither of which is an IP address. We redefine the semantics of the Ethernet MAC address to embed tenant ID information in the MAC address field without violating its original functionality. We also replace the traditional Layer 2/Layer 3 two-stage routing scheme (MAC/IP) with an all-Layer 2 packet forwarding mechanism that combines MAC addresses (for VM identification and forwarding in local server groups under an edge switch gateway) and multiprotocol label switching (MPLS) labels (for packet transport between edge switch gateways across the core label-switching network connecting all the edge gateways). To accommodate conventional IP packet architecture in a multitenant environment, SDN (OpenFlow) technology is used to handle all this complex network traffic. We verified the design concepts with a simple system prototype in which all the major system components were implemented. Based on the prototype system, we evaluated packet forwarding efficiency under the proposed network architecture and compared it with conventional IP subnet routing approaches. We also evaluated the packet processing overhead incurred by each of the packet routing components.

6.
张瑛. Digital Communication (数字通信), 2014, (4):42-45
Clients on the Internet access sites by domain name, and the mapping from domain name to IP address is performed by DNS servers, so a failure of the DNS server makes the website unreachable outright. Linux is an open-source, free operating system that inherits the functionality of UNIX and combines security with high stability. Building a DNS server on Linux, and using zone transfer to set up a secondary DNS server, strengthens both the security and the fault tolerance of domain-name resolution for Internet sites.

7.
Nowadays we see a tremendous growth of the Internet, especially in terms of the amount of data being transmitted and the number of new network protocols being introduced. This poses a challenge for network administrators, who need adequate tools for network management. Recent findings show that DNS can contribute valuable information on IP flows and improve traffic visibility in a computer network. In this paper, we apply these findings on DNS to propose a novel traffic classification algorithm with interesting features. We experimentally show that the information carried in domain names and port numbers is sufficient for immediate classification of a highly significant portion of the traffic. We present DNS-Class: an innovative, fast and reliable flow-based traffic classification algorithm, which on average yields 99.8% true positives and < 0.1% false positives on real traffic traces. The algorithm can work as a major element of a modular system in a cascade architecture. Additionally, we provide an analysis of how various network protocols depend on DNS in terms of flows, packets and bytes. We release the complete source code implementing the presented system as open source. Copyright © 2014 John Wiley & Sons, Ltd.
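The mechanism the abstract relies on is that a client's DNS answer, seen shortly before its flow to the answered address, names the service the flow belongs to, and the destination port then narrows the label. The classifier below is an added example written to show that mechanism; it is not the DNS-Class source. The rule table, the per-client cache keyed on (client, answered IP) with expiry at the record's TTL, and all DNS answers and flows are assumptions/constructed data.

```python
"""Flow labelling from preceding DNS answers plus destination port (added example)."""
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    ts: float
    client: str   # host that sent the query
    qname: str
    ip: str       # A/AAAA record in the answer
    ttl: int


@dataclass
class Flow:
    ts: float
    client: str
    dst_ip: str
    dst_port: int


# Assumed rule table: (domain suffix, destination port or None for any port, label).
# Rules are tried in order, so the more specific name goes first.
RULES = [
    ("mail.example.com", 993, "imap"),
    ("cdn.example.net", None, "cdn"),
    ("example.com", 443, "web-tls"),
    ("example.com", 80, "web"),
]


class DnsClassifier:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.cache = {}   # (client, ip) -> (qname, expires_at)

    def observe_dns(self, a: DnsAnswer) -> None:
        # Keyed per client: two clients can receive different CDN addresses for
        # one name, and one address can serve different names to different clients.
        self.cache[(a.client, a.ip)] = (a.qname, a.ts + a.ttl)

    def classify(self, f: Flow) -> str:
        entry = self.cache.get((f.client, f.dst_ip))
        if entry is None or entry[1] < f.ts:
            return "unknown"   # no live DNS context: hand the flow to the next cascade stage
        qname = entry[0]
        for suffix, port, label in self.rules:
            # "." + suffix stops notexample.com from matching the example.com rule.
            if (qname == suffix or qname.endswith("." + suffix)) and (port is None or port == f.dst_port):
                return label
        return "unknown"


# Constructed trace: three DNS answers, then five flows.
SAMPLE_DNS = [
    DnsAnswer(0, "10.0.0.5", "www.example.com", "192.0.2.10", 300),
    DnsAnswer(0, "10.0.0.5", "img.cdn.example.net", "198.51.100.20", 60),
    DnsAnswer(0, "10.0.0.6", "mail.example.com", "192.0.2.30", 300),
]
SAMPLE_FLOWS = [
    Flow(1, "10.0.0.5", "192.0.2.10", 443),      # web-tls
    Flow(2, "10.0.0.5", "198.51.100.20", 8080),  # cdn (any port)
    Flow(3, "10.0.0.6", "192.0.2.30", 993),      # imap
    Flow(4, "10.0.0.6", "192.0.2.10", 443),      # unknown: this client never resolved the name
    Flow(100, "10.0.0.5", "198.51.100.20", 80),  # unknown: the 60 s record has expired
]


def classify_all(dns=SAMPLE_DNS, flows=SAMPLE_FLOWS):
    c = DnsClassifier()
    for a in dns:
        c.observe_dns(a)
    return [c.classify(f) for f in flows]
```

The two "unknown" results are the point of the cascade design: a flow with no live DNS context is not guessed at but passed to a later stage (port-only or payload-based), which is how the reported false-positive rate stays low.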

8.
This paper proposes an algorithm that uses IPFIX (IP Flow Information Export) flow data to accurately detect suspicious and anomalous DNS servers and to identify DNS amplification attacks. The algorithm has been deployed on the Tsinghua University campus network, where it detects anomalous DNS behaviour inside the campus and sends alerts, so that attacks can be contained promptly and anomalous traffic is monitored and warned of in time.
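An IPFIX record carries addresses, ports, protocol and packet/byte counts but no payload, so a flow-based detector cannot see the query type; what it can see is that a DNS server is sending far more bytes to some destination than it received in queries from it. The following is an added example of that check, not the code deployed at Tsinghua: the three thresholds and every flow record are assumptions/constructed.

```python
"""DNS amplification detection over IPFIX-style flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # 17 = UDP, 6 = TCP
    packets: int
    octets: int


def dns_pairs(flows):
    """Aggregate UDP/53 flows into per-(server, client) query and response totals."""
    queries = defaultdict(lambda: [0, 0])    # (server, client) -> [packets, octets]
    responses = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != 17:
            continue   # TCP/53 zone transfers and large answers are a separate case
        if f.dst_port == 53:
            queries[(f.dst_ip, f.src_ip)][0] += f.packets
            queries[(f.dst_ip, f.src_ip)][1] += f.octets
        elif f.src_port == 53:
            responses[(f.src_ip, f.dst_ip)][0] += f.packets
            responses[(f.src_ip, f.dst_ip)][1] += f.octets
    return queries, responses


def detect_amplification(flows, min_ratio=10.0, min_resp_octets=100_000, min_avg_resp=1000):
    """Flag (server, victim) pairs whose responses dwarf the queries.

    Assumed thresholds: a 10x byte ratio, at least 100 KB of responses in the
    window (so a handful of DNSSEC answers does not alert) and an average
    response above 1000 bytes (ordinary answers are well under 512 bytes).
    """
    queries, responses = dns_pairs(flows)
    alerts = []
    for (server, client), (rp, ro) in responses.items():
        qp, qo = queries.get((server, client), (0, 0))
        ratio = ro / qo if qo else float("inf")   # responses with no queries seen at all
        avg = ro / rp
        if ro >= min_resp_octets and ratio >= min_ratio and avg >= min_avg_resp:
            alerts.append({"server": server, "victim": client, "resp_octets": ro,
                           "ratio": round(ratio, 1), "avg_resp": round(avg)})
    return alerts


# Constructed window from a campus resolver 10.1.1.53: one ordinary client and
# one destination that the attacker spoofed as the source of ANY-style queries.
SAMPLE_FLOWS = [
    FlowRecord("10.2.3.4", "10.1.1.53", 51234, 53, 17, 40, 3200),
    FlowRecord("10.1.1.53", "10.2.3.4", 53, 51234, 17, 40, 6400),          # ratio 2, avg 160
    FlowRecord("203.0.113.9", "10.1.1.53", 4444, 53, 17, 500, 35000),      # spoofed queries
    FlowRecord("10.1.1.53", "203.0.113.9", 53, 4444, 17, 500, 1_500_000),  # ratio ~43, avg 3000
    FlowRecord("10.2.3.4", "10.1.1.53", 40000, 53, 6, 10, 5000),           # TCP, ignored
]


def run_demo():
    return detect_amplification(SAMPLE_FLOWS)
```

Two caveats a practitioner should add before relying on the alert: a sampled IPFIX exporter scales both counts by the same sampling rate, so the ratio survives but the absolute threshold must be divided by that rate, and a resolver serving DNSSEC-validating clients can legitimately average large responses, which is why the volume and ratio conditions are combined rather than used alone.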

9.
Message-locked encryption (MLE) is a widespread cryptographic primitive that enables the deduplication of encrypted data stored within the cloud. Practical client-side contributions of MLE, however, are vulnerable to a poison attack, and server-side MLE schemes require large bandwidth consumption. In this paper, we propose a new client-side secure deduplication method that prevents a poison attack, reduces the amount of traffic to be transmitted over a network, and requires fewer cryptographic operations to execute the protocol. The proposed primitive was analyzed in terms of security, communication costs, and computational requirements. We also compared our proposal with existing MLE schemes.

10.
To solve the problem of reaching one private network from another across the public Internet, a new and practical remote video-surveillance solution is proposed. It uses a client/server (C/S) model. The server controls the camera through the V4L2 interface to capture video, transcodes it, and uses NAT together with DDNS to map the IP address and port and to resolve a dynamic domain name. On the client, an IplImage structure is created so that the video stream can be processed with OpenCV library functions, and the frames are reconstructed and displayed. Compared with traditional solutions, viewing is not restricted to a browser and is not confined to the LAN, so the client genuinely reaches through the private network for remote monitoring. Tests show that the system displays images stably and meets the design goals.

11.
In recent years, the quantity of data and the number of applications carried over web traffic have been continuously increasing, and nowadays web browsing accounts for most of the Internet traffic. In such a scenario, a poor browsing experience can be very annoying to the end user, and effective identification of the root cause of such bad performance is of primary interest to both the users and the network operators. In this paper, we present a unified framework, based on a novel lightweight open-source publicly available probe and on an original statistical diagnosis algorithm, to correctly and effectively point out the segment of a web connection (e.g., local client, backbone network, and DNS server) responsible for a poor web browsing experience. The extensive experimental evaluation carried out in the paper demonstrates the effectiveness of the proposed approach to diagnose poor quality of experience at a large scale.

12.
Defense Against Spoofed IP Traffic Using Hop-Count Filtering    Cited by: 1 (self-citations: 0, by others: 1)
IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and to preventing them from becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF), which builds an accurate IP-to-hop-count (IP2HC) mapping table to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.
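Items 3 and 12 rest on the same observation: the sender chooses the initial TTL, but not the number of routers that decrement it, so a packet claiming a source whose hop count is already known can be checked for consistency. The code below is an added example of that check, not the authors' kernel implementation: it assumes the initial TTL is one of the common operating-system defaults (32, 64, 128, 255) and that the hop count is the smallest default minus the observed TTL; routes drift by a hop or so, hence a tolerance. All addresses and TTL values are constructed.

```python
"""Hop-count filtering over the IP TTL (added example covering items 3 and 12)."""

INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(ttl: int) -> int:
    """Infer the hop count from the TTL seen on arrival.

    A TTL of 60 could be 64-4 or 128-68; the smallest default that fits is
    taken because paths of 68 hops do not occur in practice.
    """
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 is the largest TTL")


class HopCountFilter:
    """IP2HC table plus the decision that classifies a packet."""

    def __init__(self, tolerance: int = 1):
        self.ip2hc = {}    # source IP -> hop count learned from genuine traffic
        self.tolerance = tolerance

    def learn(self, src_ip: str, ttl: int) -> None:
        """Record a hop count from traffic known to be genuine.

        For a TCP server, learn only from sources that completed the three-way
        handshake, which a spoofer cannot finish. For a resolver hit by
        reflection (item 3), learn a source from its answers to the resolver's
        own outbound queries, never from the incoming queries being judged.
        """
        self.ip2hc[src_ip] = hop_count(ttl)

    def check(self, src_ip: str, ttl: int) -> str:
        """Return 'spoofed', 'legit' or 'unknown' (no table entry yet)."""
        expected = self.ip2hc.get(src_ip)
        if expected is None:
            return "unknown"
        if abs(hop_count(ttl) - expected) <= self.tolerance:
            return "legit"
        return "spoofed"

    def filter_packets(self, packets):
        """Drop packets judged spoofed; packets from unknown sources pass.

        packets: iterable of (src_ip, ttl, payload) tuples.
        """
        return [p for p in packets if self.check(p[0], p[1]) != "spoofed"]


# Constructed: two genuine sources seen during a calm period ...
LEARN_PHASE = [("203.0.113.5", 52), ("198.51.100.7", 115)]   # 64-52 = 12 hops, 128-115 = 13 hops

# ... then a burst that claims 203.0.113.5 as its source but arrives with the
# TTL of a 15-hop path from a 255-initial host, which is a different sender.
ATTACK_PHASE = [
    ("203.0.113.5", 240, b"query ANY victim.example"),   # 255-240 = 15 hops: spoofed
    ("203.0.113.5", 51, b"genuine, one extra hop"),      # 64-51 = 13 hops: within tolerance
    ("192.0.2.9", 60, b"never seen before"),             # unknown: pass, learn it later
]


def run_demo():
    hcf = HopCountFilter(tolerance=1)
    for src, ttl in LEARN_PHASE:
        hcf.learn(src, ttl)
    return hcf.filter_packets(ATTACK_PHASE)
```

The limit of the technique is visible in the check: an attacker who knows the victim's hop count to this server can set the initial TTL so the arithmetic comes out right, and a source the table has never seen cannot be judged at all, which is why the abstract reports close to 90% rather than all spoofed packets.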

13.
Identity authentication is the first line of defence in network security. Using elliptic-curve key exchange, this paper designs a new identity-authentication scheme that lowers the security requirement placed on the channel, provides mutual authentication of the two communicating parties, and effectively prevents replay, impersonation and small-number attacks, improving the security of the authentication system.

14.
Privacy and security have become an indispensable matter of attention in the Vehicular Ad-Hoc Network, which is vulnerable to many security threats these days. One of them is the Denial of Service (DoS) attack, where a malicious node forges a large number of fake identities, i.e., Internet Protocol (IP) addresses, in order to disrupt the proper functioning of fair data transfer between two fast-moving vehicles. In this paper, a distributed and robust approach is presented to defend against DoS attacks. In this proposed scheme, the fake identities of malicious vehicles are analyzed with the help of consistent existing IP address information. Beacon packets are exchanged periodically by all the vehicles to announce their presence and to become aware of the next node. Each node periodically keeps a record of its database by exchanging the information in its environment. If some nodes observe that they have similar IP addresses in the database, these similar IP addresses are identified as DoS attacks. However, it can be expected that security attacks are likely to increase in the coming future due to more and more wireless applications being developed onto the well-known exposed nature of the wireless medium. In this respect, the network availability is exposed to many types of attacks. A DoS attack on the network availability is elaborated in this paper. A model of a product interaction for DoS prevention has been developed called "IP-CHOCK" that will lead to the prevention of DoS attacks. The proposed approach will be able to locate malicious nodes without the requirement of any secret information exchange and special hardware support. Simulation results demonstrate that the detection rate increases when optimal numbers of nodes are forged by the attackers.

15.
Probability-sampling methods for building network traffic anomaly-detection datasets cannot satisfy the sampling needs of large and small flows at the same time and do not distinguish flash crowds from traffic attacks. This paper proposes a probabilistic flow-sampling method aimed at traffic anomaly detection. Flows are first grouped by destination and by source IP address, and each group's sampling rate is defined as the maximum of the sampling rates of its destination and source IP addresses; the number of flows sampled from each group is rounded up, so that every group is sampled at least once and the sampled dataset reflects the original traffic's distribution over large and small flows and over source and destination IP addresses. Source IP address entropy is used to characterise the dispersion of the source addresses of anomalous flows, and an attack-flow sampling algorithm built on a source-entropy threshold lowers the probability of sampling non-attack anomalous flows caused by flash crowds. Simulation results show that the method satisfies both large- and small-flow sampling needs, samples anomalous flows well, captures every suspicious source and destination IP address associated with anomalous flows, and filters non-attack anomalous flows during sampling.
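The parts of that method the abstract pins down are the grouping by (destination, source), the group rate as the maximum of the two per-address rates, and the rounded-up sample count that guarantees at least one flow per group. The code below is an added example of those rules, not the paper's implementation; where the abstract is silent it makes two labelled assumptions: the per-address rates arrive from an outside anomaly scorer, and a destination whose sources are highly dispersed (entropy in bits above a threshold) is treated as a flash crowd and falls back to the base rate instead of the boosted one. All rates and flows are constructed.

```python
"""Per-group flow sampling with a source-IP entropy check (added example)."""
import math
from collections import Counter, defaultdict


def source_entropy_bits(flows, dst):
    """Shannon entropy (bits) of the source-address distribution of flows to dst."""
    counts = Counter(src for src, d in flows if d == dst)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sample_flows(flows, dst_rate, src_rate, base_rate=0.1, entropy_threshold=2.5):
    """Return the sampled subset of flows, each flow a (src, dst) tuple.

    Assumptions: dst_rate / src_rate hold boosted rates for addresses an
    anomaly scorer flagged (missing addresses use base_rate); a destination
    whose source entropy reaches entropy_threshold is treated as a flash crowd
    and its boost is withdrawn. Selection inside a group is deterministic
    (first k) so the demo is repeatable; production code would draw k at random.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f[1], f[0])].append(f)          # group key is (destination, source)
    damped = {dst for dst in {f[1] for f in flows}
              if source_entropy_bits(flows, dst) >= entropy_threshold}
    sampled = []
    for (dst, src), members in groups.items():
        d_rate = base_rate if dst in damped else dst_rate.get(dst, base_rate)
        rate = max(d_rate, src_rate.get(src, base_rate))
        k = math.ceil(len(members) * rate)      # rounded up: every group keeps >= 1 flow
        sampled.extend(members[:k])
    return sampled


# Constructed traffic. 10.0.0.1: 8 distinct sources x 3 flows (flash-crowd shape,
# entropy 3.0 bits). 10.0.0.2: 2 sources x 10 flows (entropy 1.0 bit). 10.0.0.3:
# background plus a single flow from a source the scorer already distrusts.
FLOWS = (
    [(f"198.51.100.{i}", "10.0.0.1") for i in range(1, 9) for _ in range(3)]
    + [("203.0.113.1", "10.0.0.2")] * 10
    + [("203.0.113.2", "10.0.0.2")] * 10
    + [("192.0.2.1", "10.0.0.3")] * 10
    + [("198.51.100.99", "10.0.0.3")]
)
DST_RATE = {"10.0.0.1": 0.5, "10.0.0.2": 0.5}   # both destinations saw a volume spike
SRC_RATE = {"198.51.100.99": 1.0}                 # a source flagged elsewhere


def run_demo():
    return sample_flows(FLOWS, DST_RATE, SRC_RATE)
```

With the threshold active the flash-crowd destination contributes one flow per source (8) instead of two (16), the two-source attack keeps half of each group (10), and the single flow from the flagged source survives because its own rate wins the maximum; the rounding-up rule is what keeps the lone 192.0.2.1 group in the dataset at all.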

16.
This paper presents a multimedia streaming platform for efficiently transmitting MPEG-4 content over IP networks. The platform includes an MPEG-4 compliant streaming server and client, supporting object-based representation of multimedia scenes, interactivity, and advanced encoding profiles defined by the ISO standard. For scalability purposes, we employ an application-layer multicast scheme for media transmission using overlay networks. The overlay network, governed by the central entity of the network distribution manager, is dynamically deployed according to a set of pre-defined criteria. The overlay network supports both broadcast delivery and video-on-demand content. The multimedia streaming platform is standards-compliant and utilizes widespread multimedia protocols such as MPEG-4, real-time transport protocol, real-time transport control protocol, and real-time streaming protocol. The design of the overlay network was architected with the goal of transparency to both the streaming server and the client. As a result, many commercial implementations that use industry-standard protocols can be plugged into the architecture relatively painlessly and can enjoy the benefits of the platform.

17.
Starting from the essential characteristics of distributed denial-of-service (DDoS) attacks, this paper proposes a DDoS detection method based on a hidden Markov model (HMM). The method keeps an IP address database of the source addresses currently using common services and models the IP addresses of newly arriving packets with an HMM. Offline training updates the IP address database and optimises the HMM parameters; during online detection the IP address database is updated by online learning, the HMM detects in real time, and the border router responds actively according to the detection result. Experimental results show that the method detects well and responds in time, preserving continuity of service for regular users.

18.
The IP addresses to be blocked are advertised network-wide from the BGP route reflector (RR) in BGP updates that carry a specific virtual next-hop address, and a black-hole route for that virtual next-hop address is configured on the edge routers of the IP backbone. Every backbone edge router then automatically discards traffic destined to the blocked addresses, which achieves rapid IP address blocking.
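The two halves of that mechanism are a /32 whose next hop is an address that is never really routed, and a static route on every edge router that sends that address to the bit bucket; the drop then happens in the ordinary recursive next-hop resolution of the forwarding table. The simulation below is an added example of that resolution, not the paper's router configuration: it assumes 192.0.2.1 (TEST-NET-1) as the virtual next hop, longest-prefix match with recursive lookup as a router's FIB performs it, and constructed prefixes and interface names.

```python
"""Remotely triggered black hole: /32 with a virtual next hop resolved to Null0 (added example)."""
import ipaddress

BLACKHOLE_NEXT_HOP = ipaddress.ip_address("192.0.2.1")   # assumed virtual next hop


class EdgeRouter:
    def __init__(self, name):
        self.name = name
        self.rib = {}   # ip_network -> next hop: an ip_address (recursive) or a str (interface or Null0)
        # Provisioned once on every edge box, before the RR ever sends a /32:
        self.install(f"{BLACKHOLE_NEXT_HOP}/32", "Null0")

    def install(self, prefix, next_hop):
        self.rib[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.rib.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop or None if no route covers dst."""
        dst = ipaddress.ip_address(str(dst))
        best = None
        for net, nh in self.rib.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def resolve(self, dst):
        """Follow recursive next hops until an interface or Null0 is reached."""
        nh = self.lookup(dst)
        for _ in range(8):   # guard against a next-hop loop in a broken RIB
            if nh is None or isinstance(nh, str):
                return nh
            nh = self.lookup(nh)
        raise RuntimeError("next-hop recursion did not converge")


class RouteReflector:
    """Stands in for the RR: pushes host routes with next hop 192.0.2.1 to every client."""

    def __init__(self, clients):
        self.clients = list(clients)
        self.blocked = set()

    def block(self, ip):
        prefix = f"{ipaddress.ip_address(ip)}/32"
        self.blocked.add(prefix)
        for c in self.clients:
            c.install(prefix, BLACKHOLE_NEXT_HOP)   # the BGP UPDATE with the rewritten next hop

    def unblock(self, ip):
        prefix = f"{ipaddress.ip_address(ip)}/32"
        self.blocked.discard(prefix)
        for c in self.clients:
            c.withdraw(prefix)                      # the BGP WITHDRAW


def build_demo():
    """One edge router with an upstream default and a customer /24 (constructed)."""
    edge = EdgeRouter("edge1")
    edge.install("0.0.0.0/0", "ge-0/0/0")
    edge.install("203.0.113.0/24", "ge-0/0/1")
    return edge, RouteReflector([edge])
```

Two checks before using this in anger: the Null0 static must exist on every edge router first, since a /32 whose next hop does not resolve is simply ignored and the block silently fails on that box, and the /32 should be tagged with a community and no-export so the host route stays inside the backbone instead of leaking to peers.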

19.
It is well known that the distribution of file transmission duration in the Web is heavy-tailed (A practical guide to Heavy Tails: Statistical Techniques and Application. Birkhauser: Boston, 1998; 3-26). This paper attempts to understand the reasons for this phenomenon by isolating the three major factors influencing the transmission duration: file size, network conditions and server load. We present evidence that the transmission-duration distribution (TDD) of the same file from the same server to the same client in the Web is Pareto and therefore heavy tailed. Furthermore, text file transmission delay for a specific client/server pair is not significantly affected by the file sizes: all files transmitted from the same server to the same client have very similar transmission duration distributions, regardless of their size. We use simulations to estimate the impact of network conditions and server load on the TDD. When the server and the client are on the same local network, the TDD of each file is usually Pareto as well (for server files and client requests that are distributed in a realistic way). By examining a wide-area network situation, we conclude that the network conditions do not have a major influence on the heavy-tailed behaviour of TDD. In contrast, the server load is shown to have a significant impact on the high variability of this distribution. Copyright © 2004 John Wiley & Sons, Ltd.

20.
This work proposes a replication scheme that is implemented on top of a previously proposed system for MANETs that caches submitted queries in special nodes, called query directories, and uses them to locate the data (responses) that are stored in the nodes that first requested them, called caching nodes. The system, which was named distributed cache invalidation method (DCIM), includes client-based mechanisms for keeping the cached data consistent with the data source. In this work, we extend DCIM to handle cache replicas inside the MANET. For this purpose, we utilize a push-based approach within the MANET to propagate the server updates to replicas inside the network. The result is a hybrid approach that combines the benefits of pull approaches for client-server communication with those of push approaches inside the network between the replicas. The approach is analyzed analytically, and the appropriate number of replicas is obtained, where it was concluded that full replication of the indices of data items at the query directory and two-partial replication of the data items themselves makes most sense. Simulation results based on ns2 demonstrate the ability of the added replication scheme to lower delays and improve hit ratio at the cost of mild increases in overhead traffic. Copyright © 2013 John Wiley & Sons, Ltd.
