Found 20 similar articles; search took 31 ms
1.
2.
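DNS (domain name system) is mainly used to provide the network service of mapping between domain names and IP addresses. Taking the DNS in the dual-egress network of a university town as an application example, this paper introduces a policy-based DNS configuration method built on BIND9. For query requests for the same domain name, the DNS can return different resolution results depending on the source IP address of the client.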
3.
4.
5.
This paper presents the design and development of a new network virtualization scheme to support multitenant datacenter networking (MT‐DCN) based on software‐defined networking (SDN) technologies. Effective multitenancy supports are essential and challenging for datacenter networking designs. In this study, we propose a new network virtualization architecture framework for efficient packet forwarding in MT‐DCN. Traditionally, an internet host uses IP addresses for both host identification and location information, which causes mobile IP problems whenever the host is moved from one IP subnet to another. Unfortunately, virtual machine (VM) mobility is inevitable for cloud computing in datacenters for reasons such as server consolidation and network traffic flow optimization. To solve the problems, we decouple VM identification and location information with two independent values neither by IP addresses. We redefine the semantics of Ethernet MAC address to embed tenant ID information to the MAC address field without violating its original functionality. We also replace traditional Layer2/Layer3 two‐stage routing schemes (MAC/IP) with an all‐Layer2 packet forwarding mechanism that combines MAC addresses (for VM identification and forwarding in local server groups under an edge switch gateway) and multiprotocol label switching (MPLS) labels (for packet transportation between edge switch gateways across the core label switching network connecting all the edge gateways). To accommodate conventional IP packet architecture in a multitenant environment, SDN (OpenFlow) technology is used to handle all this complex network traffic. We verified the design concepts by a simple system prototype in which all the major system components were implemented. Based on the prototype system, we evaluated packet forwarding efficiency under the proposed network architecture and compared it with conventional IP subnet routing approaches. We also evaluated the incurred packet processing overhead caused by each of the packet routing components.
6.
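On the Internet, clients access sites by domain name, and the mapping from domain names to IP addresses is performed by DNS resolution servers; once a DNS resolution server fails, the website immediately becomes inaccessible. Linux is an open-source, free operating system that inherits the functionality of UNIX and combines security with high stability. Building the DNS resolution server on Linux and using zone transfers to set up a secondary DNS can strengthen the security and fault tolerance of domain name resolution for Internet sites.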
7.
Paweł Foremski Christian Callegari Michele Pagano 《International Journal of Network Management》2014,24(4):272-288
Nowadays we see a tremendous growth of the Internet, especially in terms of the amount of data being transmitted and new network protocols being introduced. This poses a challenge for network administrators, who need adequate tools for network management. Recent findings show that DNS can contribute valuable information on IP flows and improve traffic visibility in a computer network. In this paper, we apply these findings on DNS to propose a novel traffic classification algorithm with interesting features. We experimentally show that the information carried in domain names and port numbers is sufficient for immediate classification of a highly significant portion of the traffic. We present DNS‐Class: an innovative, fast and reliable flow‐based traffic classification algorithm, which on average yields 99.8% of true positives and < 0.1% of false positives on real traffic traces. The algorithm can work as a major element of a modular system in a cascade architecture. Additionally, we provide an analysis on how various network protocols depend on DNS in terms of flows, packets and bytes. We release the complete source code implementing the presented system as open source. Copyright © 2014 John Wiley & Sons, Ltd.
8.
9.
Message‐locked encryption (MLE) is a widespread cryptographic primitive that enables the deduplication of encrypted data stored within the cloud. Practical client‐side contributions of MLE, however, are vulnerable to a poison attack, and server‐side MLE schemes require large bandwidth consumption. In this paper, we propose a new client‐side secure deduplication method that prevents a poison attack, reduces the amount of traffic to be transmitted over a network, and requires fewer cryptographic operations to execute the protocol. The proposed primitive was analyzed in terms of security, communication costs, and computational requirements. We also compared our proposal with existing MLE schemes.
10.
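To solve the problem of traversing one internal network to access another internal network across the external network, a new and feasible remote video surveillance system solution is proposed. The solution adopts a client/server (C/S) system model. The server uses V4L2 interface functions to control the camera to capture video, performs video transcoding, and uses NAT-DDNS technology to map IP address ports and resolve dynamic domain names. On the client, an Iplimage image structure variable is created so that the video stream data can be combined with OpenCV library functions, and the video frames are restored and displayed. Compared with traditional solutions, video viewing is not restricted by the browser and is not confined to the LAN, truly achieving remote monitoring in which the client traverses the internal network. Experimental tests show that the system displays images stably and achieves the expected results.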
11.
Marco Milanesio Christian Callegari Pietro Michiardi 《International Journal of Communication Systems》2019,32(6)
In the last years, the quantity of data and the number of applications carried over web traffic have been continuously increasing and nowadays web browsing accounts for most of the Internet traffic. In such a scenario, a poor browsing experience can result very annoying to the end user, and the effective identification of the root cause of such bad performance is of primary interest to both the users and the network operators. In this paper, we present a unified framework, based on a novel lightweight open‐source publicly available probe and on an original statistical diagnosis algorithm, to correctly and effectively point out the segment of a web connection (eg, local client, backbone network, and DNS server) responsible for a poor web browsing experience. The extensive experimental evaluation carried out in the paper demonstrates the effectiveness of the proposed approach to diagnose poor quality of experience at a large scale.
12.
Defense Against Spoofed IP Traffic Using Hop-Count Filtering (total citations: 1; self-citations: 0; citations by others: 1)
IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF), which builds an accurate IP-to-hop-count (IP2HC) mapping table, to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.
13.
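The identity authentication mechanism is the first line of defense in network security. Using the elliptic-curve key exchange scheme, a new identity authentication scheme is designed. The scheme lowers the requirement on channel security, provides mutual authentication between the communicating parties, and can effectively prevent replay attacks, impersonation attacks, and small-integer attacks, improving the security of the authentication system.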
14.
Privacy and Security have become an indispensable matter of attention in the Vehicular Ad-Hoc Network, which is vulnerable to many security threats these days. One of them is the Denial of Service (DoS) attacks, where a malicious node forges a large number of fake identities, i.e., Internet Protocol (IP) addresses in order to disrupt the proper functioning of fair data transfer between two fast-moving vehicles. In this paper, a distributed and robust approach is presented to defend against DoS attacks. In this proposed scheme, the fake identities of malicious vehicles are analyzed with the help of consistent existing IP address information. Beacon packets are exchanged periodically by all the vehicles to announce their presence and to become aware of the next node. Each node periodically keeps a record of its database by exchanging the information in its environment. If some nodes observe that they have similar IP addresses in the database, these similar IP addresses are identified as DoS attacks. However, it can be expected that security attacks are likely to increase in the coming future due to more and more wireless applications being developed onto the well-known exposed nature of the wireless medium. In this respect, the network availability is exposed to many types of attacks. A DoS attack on the network availability is being elaborated in this paper. A model of a product interaction for DoS prevention has been developed called “IP-CHOCK” that will lead to the prevention of DoS attacks. The proposed approach will be able to locate malicious nodes without the requirement of any secret information exchange and special hardware support. Simulation results demonstrate that the detection rate increases when optimal numbers of nodes are forged by the attackers.
15.
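To address the problems that, when constructing network traffic anomaly detection datasets based on probabilistic sampling, the sampling requirements of large and small flows cannot both be met and flash crowds are not distinguished from traffic attacks, this paper proposes a probabilistic flow sampling method for traffic anomaly detection. Flows are classified by destination and source IP address; the sampling rate of each class of flows is defined as the maximum of the sampling rates of its destination and source IP addresses, and the number of sampled flows is rounded up during sampling, guaranteeing that each class of flows is sampled at least once, so that the sampled dataset effectively reflects the distribution of the original traffic in terms of large and small flows and of source and destination IP addresses. Source IP address entropy is used to characterize the dispersion of the source IP addresses of anomalous flows, and an attack flow sampling algorithm is designed based on a source IP address entropy threshold, lowering the sampling probability of non-attack anomalous flows caused by flash crowds. Simulation results show that the method meets the sampling requirements of both large and small flows, has strong anomalous-flow sampling capability, can sample all suspicious source and destination IP addresses related to anomalous flows, and can filter out non-attack anomalous flows during sampling.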
16.
Hyun‐Cheol Kim Charalampos Z. Patrikakis Nikos Minogiannis Pantelis N. Karamolegkos Alex Lambiris Kyuheon Kim 《ETRI Journal》2006,28(4):411-424
This paper presents a multimedia streaming platform for efficiently transmitting MPEG‐4 content over IP networks. The platform includes an MPEG‐4 compliant streaming server and client, supporting object‐based representation of multimedia scenes, interactivity, and advanced encoding profiles defined by the ISO standard. For scalability purposes, we employ an application‐layer multicast scheme for media transmission using overlay networks. The overlay network, governed by the central entity of the network distribution manager, is dynamically deployed according to a set of pre‐defined criteria. The overlay network supports both broadcast delivery and video‐on‐demand content. The multimedia streaming platform is standards‐compliant and utilizes widespread multimedia protocols such as MPEG‐4, real‐time transport protocol, real‐time transport control protocol, and real‐time streaming protocol. The design of the overlay network was architected with the goal of transparency to both the streaming server and the client. As a result, many commercial implementations that use industry‐standard protocols can be plugged into the architecture relatively painlessly and can enjoy the benefits of the platform.
17.
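Based on the essential characteristics of distributed denial of service (DDoS) attacks, this article proposes a DDoS attack detection method based on the hidden Markov model (HMM). The method uses an IP address database to store the source IP addresses of currently common services, and then models the IP addresses of newly arriving packets with an HMM. Through offline training, the IP address database is updated and the HMM parameters are optimized. During online detection, the IP address database is learned and updated online, the HMM detects in real time, and an active response is carried out through the border router according to the detection results. Experimental results show that the method has a good detection effect, responds in time, and maintains the continuity of common services.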
18.
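The BGP route reflector (RR) advertises the IP addresses to be blocked to the whole network through BGP messages that carry a specific BGP virtual next hop, while a blackhole route for that specific virtual next-hop IP address is configured on the edge routers of the IP backbone. As a result, the edge routers of the IP backbone automatically discard traffic destined for the IP addresses to be blocked, achieving fast blocking of IP addresses.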
19.
It is well known that the distribution of files transmission duration in the Web is heavy‐tailed (A practical guide to Heavy Tails: Statistical Techniques and Application. Birkhauser: Boston, 1998; 3–26). This paper attempts to understand the reasons for this phenomenon by isolating the three major factors influencing the transmission duration: file size, network conditions and server load. We present evidence that the transmission‐duration distribution (TDD) of the same file from the same server to the same client in the Web is Pareto and therefore heavy tailed. Furthermore, text files transmission delay for a specific client/server pair is not significantly affected by the file sizes: all files transmitted from the same server to the same client have very similar transmission duration distributions, regardless of their size. We use simulations to estimate the impact of network conditions and server load on the TDD. When the server and the client are on the same local network, the TDD of each file is usually Pareto as well (for server files and client requests that are distributed in a realistic way). By examining a wide‐area network situation, we conclude that the network conditions do not have a major influence on the heavy‐tailed behaviour of TDD. In contrast, the server load is shown to have a significant impact on the high variability of this distribution. Copyright © 2004 John Wiley & Sons, Ltd.
20.
Kassem Fawaz Abdalla Artail Rasha Al‐Khansa Hassan Artail Haidar Safa 《Wireless Communications and Mobile Computing》2015,15(13):1711-1728
This work proposes a replication scheme that is implemented on top of a previously proposed system for MANETs that cache submitted queries in special nodes, called query directories, and uses them to locate the data (responses) that are stored in the nodes that first request them, called caching nodes. The system, which was named distributed cache invalidation method (DCIM), includes client‐based mechanisms for keeping the cached data consistent with the data source. In this work, we extend DCIM to handle cache replicas inside the MANET. For this purpose, we utilize a push‐based approach within the MANET to propagate the server updates to replicas inside the network. The result is a hybrid approach that utilizes the benefits of pull approaches for client server communication and those of push approaches inside the network between the replicas. The approach is analyzed analytically, and the appropriate number of replicas is obtained, where it was concluded that full replication of the indices of data items at the query directory and two‐partial replication of the data items themselves makes most sense. Simulation results based on ns2 demonstrate the ability of the added replication scheme to lower delays and improve hit ratio at the cost of mild increases in overhead traffic. Copyright © 2013 John Wiley & Sons, Ltd.