Similar literature
Found 19 similar documents; search took 93 ms.
1.
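An IP Packet Traceback Scheme Based on Ordered Marking   Total citations: 5, self-citations: 0, citations by others: 5
Packet marking is a packet traceback approach proposed to counter DoS attacks. Because it responds quickly and consumes few resources, it has attracted wide attention from researchers in recent years. However, because the marking process is random, the number of packets the victim must receive to reconstruct the path far exceeds the minimum number needed for reconstruction, which raises the reconstruction false positive rate and lengthens the response time. This paper proposes an IP packet traceback scheme based on ordered marking. By storing the marking state for each destination IP address, the scheme sends the marking fragments in order, so that when a DoS attack occurs the number of marked packets the victim needs to reconstruct the path is greatly reduced, improving both the response time to DoS attacks and the traceback accuracy. The proposed algorithm further improves the feasibility of packet marking in practical use.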

2.
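IP traceback is a research hotspot in defending against denial-of-service attacks. This paper introduces and analyzes the dynamic probabilistic packet marking algorithm for IP traceback, summarizing its advantages and also identifying its shortcomings. To address the shortcoming that dynamic probabilistic packet marking places too heavy a marking load on the edge router closest to the attacker, a feasible improvement is proposed; comparative analysis shows a clear effect.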

3.
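As the most promising technique for tracing the sources of DoS (DDoS) attacks, packet marking has been implemented in many ways, but every implementation has flaws, large or small. This paper proposes a new technical scheme that greatly improves the security of probabilistic packet marking itself.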

4.
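Huang Baofeng (黄宝峰), Journal on Communications (《通信学报》), 2006, 27(Z1): 85-87
To counter the distributed denial-of-service attacks common on networks, researchers have proposed many methods of defending against DDoS attacks. Among them, the probabilistic packet marking scheme proposed by Savage et al. has attracted attention for being easy to deploy and consuming few resources. However, probabilistic packet marking also has obvious flaws. Building on a study of its shortcomings, an IP traceback scheme based on historical marking is proposed. Experiments show that the victim, while reducing the maximum uncertainty about the attack source, can reconstruct the attack path with fewer packets than probabilistic packet marking requires, and so can take defensive measures sooner to reduce the damage.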

5.
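IP traceback has become one of the effective approaches to defending against denial-of-service (DoS) attacks. Among these approaches, probabilistic packet marking (PPM), proposed by Savage et al., has received wide attention. However, PPM suffers from high computational cost and a high false positive rate during path reconstruction. This paper presents a study of basic probabilistic packet marking and an improved scheme, which effectively reduces the computational overhead and false positive rate of path reconstruction and improves its efficiency.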

6.
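Research on Traceback of Malicious Nodes in Wireless Sensor Networks   Total citations: 7, self-citations: 1, citations by others: 7
Sensor nodes may be captured by an attacker and used to send large amounts of false data, exhausting the resources of the entire network. This paper proposes a practical traceback solution based on the probabilistic packet marking algorithm: each node marks the packets it forwards with a certain probability, the marking information is written into a fixed field of the packet header, and by collecting enough packets the sink node can reconstruct a path to the source node. The paper proves that the scheme can cope with all types of attacks, and proposes two improved marking methods to address the shortcomings of the basic marking method. Experimental results show that the traceback solution is efficient and practical.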

7.
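In recent years, distributed denial of service (DDoS) attacks, being simple to carry out and enormously destructive and harmful, have become one of the greatest threats to network security; how to effectively prevent DDoS attacks and reduce the harm they cause has become a current research hotspot. This paper focuses on DDoS attack source traceback techniques based on packet marking algorithms, studies the principles of the various packet-marking-based traceback techniques, and analyzes and summarizes the advantages and disadvantages of each. Algorithm flows are given according to the principles of each technique. In addition, through simulation experiments, related attack source traceback techniques based on traffic pattern matching are compared and analyzed, verifying the performance of the algorithm proposed in the paper.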

8.
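Probabilistic packet marking, a current research hotspot in IP traceback, is attracting growing attention from researchers. However, traditional schemes often have many shortcomings and rest on unrealistic assumptions, which limits their practicality. The Tabu scheme improves on the weak convergence of traditional schemes and resists forged-marking attacks, but it imposes a high router overhead. The Tabu scheme is improved under reasonable assumptions, using strategies such as computing distance from the TFL value and node sampling; this resolves the problems of the Tabu scheme and supports incremental deployment, giving good practicality.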

9.
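IP traceback is an important measure for defending against denial-of-service (DoS) attacks. To address the shortcomings of the compressed edge fragment sampling (CEFS) algorithm used for IP traceback, this paper proposes the labeled-fragment adaptive probabilistic packet marking algorithm (LFAPPM). By enlarging the marking space and using adaptive probability, the algorithm reduces the number of packets needed to reconstruct the path; by labeling fragments, it reduces the computation and the number of false positives in path reconstruction; and by initializing the marking space of packets not marked by an edge router, it strengthens resistance to interference. Compared with other algorithms, LFAPPM performs better on various performance metrics.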

10.
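Although MPLS provides a new packet forwarding model for the Internet, it cannot eliminate the network attacks inherent to it. A port-based packet logging source traceback system built on flow marking, however, can find the attack source. Packet logging is the core of the whole traceback system. Its flow-based strategy greatly saves storage space; its port-based strategy speeds up traceback by reducing the number of reverse traceback requests, and adaptively adjusting the k parameter of the Bloom filter further greatly reduces the traceback false positive rate.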

11.
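A Survey of Probabilistic Packet Marking Techniques   Total citations: 1, self-citations: 0, citations by others: 1
Hu Changjun (胡长俊), Communications Technology (《通信技术》), 2009, 42(2): 267-269
Defending against distributed denial-of-service attacks is a major challenge in network security today. Among the various measures against such attacks, probabilistic packet marking is an important one and has received wide attention. This article analyzes the basic probabilistic packet marking proposed by Savage and the probabilistic packet marking schemes in common use today, classifies them by the marking means and methods they use, compares and analyzes their performance and effectiveness, and finally gives a brief analysis and outlook on the development trend of probabilistic packet marking.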

12.
A novel deterministic packet marking (DPM) for IP traceback against denial of service (DoS) and distributed denial of service (DDoS) attacks is presented, which features good scalability and high accuracy. In this scheme, an ingress router pre-calculates a Hash of its IP address and splits the Hash into several fragments. When marking a packet, the router randomly selects a fragment to mark into the packet. In the traceback stage the victim identifies the marked router with the help of the map of its upstream routers. Based on the map, the victim can identify a candidate ingress router after receiving only several marked packets. The scheme overcomes defects in previous deterministic packet marking schemes, where too many packets are required to recover a router and a high false positive rate occurs in case of large-scale DDoS. Theoretical analysis, the pseudo code and experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.

13.
The denial of service attack is a main type of threat on the Internet today. On the basis of path identification (Pi) and Internet control message protocol (ICMP) traceback (iTrace) methods, a packet track and traceback mechanism is proposed, which features rapid response and high accuracy. In this scheme, routers apply packet marking scheme and send traceback messages, which enables the victim to design the path tree in peace time. During attack times the victim can trace attackers back within the path tree and perform rapid packet filtering using the marking in each packet. Traceback messages overcome Pi's limitation, wherein too much path information is lost in path identifiers; whereas path identifiers can be used to expedite the design of the path-tree, which reduces the high overhead in iTrace. Therefore, our scheme not only synthesizes the advantages but also compromises the disadvantages of the above two methods. Simulation results with NS-2 show the validity of our scheme.

14.
A new scheme in probabilistic packet marking (PPM) for IP traceback against denial-of-service attack is presented. Non-preemptive PPM is performed while a marked packet is coming, but compensates the reduction of marking probability in marked-free packets. The non-preemptive compensation makes the probability of each marked packet arriving at the victim equal to its original marking probability. This scheme efficiently improves the convergent amount of marked packets required for reconstructing the complete attack path.

15.
Today's Internet hosts are threatened by large-scale distributed denial-of-service (DDoS) attacks. The path identification (Pi) DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per-packet basis with high accuracy after only a few attack packets are received (Yaar, 2003). In this paper, we propose the StackPi marking, a new packet marking scheme based on Pi, and new filtering mechanisms. The StackPi marking scheme consists of two new marking methods that substantially improve Pi's incremental deployment performance: Stack-based marking and write-ahead marking. Our scheme almost completely eliminates the effect of a few legacy routers on a path, and performs 2–4 times better than the original Pi scheme in a sparse deployment of Pi-enabled routers. For the filtering mechanism, we derive an optimal threshold strategy for filtering with the Pi marking. We also develop a new filter, the PiIP filter, which can be used to detect Internet protocol (IP) spoofing attacks with just a single attack packet. Finally, we discuss in detail StackPi's compatibility with IP fragmentation, applicability in an IPv6 environment, and several other important issues relating to potential deployment of StackPi.

16.
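Research on a New Packet Marking Scheme for DDoS Attack Source Traceback   Total citations: 7, self-citations: 0, citations by others: 7
Li Jinming (李金明), Wang Ruchuan (王汝传), Journal on Communications (《通信学报》), 2005, 26(11): 18-23
Based on a study of the convergence of packet marking schemes, a new method of choosing the marking probability is given to obtain optimal convergence. In addition, to counter attackers who control forwarding nodes and forge information to interfere with the path reconstruction algorithm, a new secure authenticated packet marking scheme is proposed. Finally, several aspects of the scheme's performance are verified by simulation; the results show that the authenticated packet marking scheme improves considerably in all respects.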

17.
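This paper introduces an operation, administration and maintenance (OAM) scheme for optical burst switching (OBS) networks, including the scheme's structure, functions, packet procedures and packet formats. The scheme keeps optical channel connections working smoothly and can check the state of the OBS network and the functioning of burst packets.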

18.
A random early demotion and promotion marker for assured services   Total citations: 1, self-citations: 0, citations by others: 1
The differentiated services (DiffServ) model, proposed to evolve the current best-effort Internet to a quality-of-service-aware Internet, provides packet level service differentiation on a per-hop basis. The end-to-end service differentiation may be provided by extending the per-hop behavior over multiple network domains through service level agreements between domains. The edge routers of each of the domains monitor the aggregate flow of the incoming packets and demote packets when the aggregate incoming traffic exceeds the negotiated interdomain service agreement. A demoted packet may encounter other edge routers on its path that have sufficient resources to route the packet with its original marking. In this paper, we propose a random early demotion and promotion (REDP) technique that works at the aggregate traffic level and allows (1) fair demotion of packets belonging to different flows, and (2) easy and fair detection and promotion of the demoted packets. Using early and random decisions on packets, REDP ensures fairness in promotion and demotion. It uses a three color marking mechanism, reserving one color for differentiating between a demoted packet and a packet with the original out-of-profile marking. We experiment with the proposed REDP scheme using the ns2 simulator for both TCP and UDP streams. The results demonstrate the fairness of the REDP scheme in demoting and promoting packets. Furthermore, we show a variety of results that demonstrate that REDP provides better assured services compared to the previously proposed RIO scheme with or without the provision of promotion.

19.
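The idea of organically combining path traceback with path identification is proposed, that is, effectively identifying and filtering attack packets at the upstream nodes found by traceback. A new packet marking and filtering scheme is designed. Taking the border router of the victim host's autonomous system as the boundary, nodes along the path before it mark path information, and the border node marks ingress address information. The victim host can extract and recover the relevant information from arriving attack packets, and then apply identifier-based filtering at the attack ingress on the domain border. Complete marking, shared storage and filtering schemes are given. Large-scale simulation experiments based on real, authoritative Internet topology show that the scheme defends well and effectively reduces the attack's impact on the victim host and on upstream links within the target domain.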
