Similar literature
 Found 19 similar documents; search took 125 ms
1.
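Research on a New Packet Marking Scheme for DDoS Attack Source Traceback   Total citations: 7, self-citations: 0, citations by others: 7
李金明  王汝传 《通信学报》2005,26(11):18-23
Based on a study of the convergence of packet marking schemes, a new method for selecting the marking probability is given so as to obtain optimal convergence. In addition, to counter attackers who control forwarding nodes and forge information to disrupt the path reconstruction algorithm, a new, secure authenticated packet marking scheme is proposed. Finally, several performance aspects of the scheme are verified by simulation; the results show that the authenticated packet marking scheme improves considerably in all respects.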

2.
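How to defend against distributed denial of service (DDoS) attacks is one of the hardest network security problems to solve today. This work studies how to trace the sources of DDoS attacks: building on an analysis of the existing dynamic probabilistic packet marking algorithm, it proposes a new algorithm and compares the strengths and weaknesses of the two.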

3.
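Packet marking, as the most promising technique for tracing the sources of DoS (DDoS) attacks, has been implemented in many ways, but every implementation has shortcomings, large or small. This paper proposes a new technical scheme that greatly improves the security of the probabilistic packet marking scheme itself.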

4.
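An IP Packet Traceback Scheme Based on Ordered Marking   Total citations: 5, self-citations: 0, citations by others: 5
Packet marking is a packet traceback approach proposed against DoS attacks. Because it responds quickly and consumes few resources, it has received wide attention from researchers in recent years. However, the marking process is random, so the number of packets the victim must receive to reconstruct the path far exceeds the minimum number needed for reconstruction, which raises the reconstruction false-positive rate and lengthens the response time. This paper proposes an IP packet traceback scheme based on ordered marking. By storing the marking state for each destination IP address, the scheme sends the fragments of the packet marking in order, so that when a DoS attack occurs the number of marked packets the victim needs to receive to reconstruct the path is greatly reduced, improving both the response time to DoS attacks and the traceback accuracy. The proposed algorithm further improves the feasibility of packet marking in practical use.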

5.
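To reduce the threat that denial-of-service attacks pose to networks, an intra-domain method for defending against distributed denial of service is designed. It consists of five modules: a network management module, a detection module, a marking module, a localization module and a filtering module. It gives local network operators a mechanism that can effectively keep attack traffic out of the network.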

6.
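DDoS attacks already seriously affect network security. This paper studies two DDoS detection methods, one based on flow connection density and one based on flow feature entropy. It introduces the core idea of each method, gives the detection procedure, and analyzes the range of application of each. Experiments show that both methods can effectively detect DDoS attacks.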

7.
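The paper proposes combining path traceback with path identification, that is, effectively identifying and filtering attack packets at the upstream nodes found by traceback, and designs a new packet marking and filtering scheme. Taking the border router of the victim host's autonomous system as the boundary, the nodes along the path before it mark path information, while the border node marks ingress address information. The victim host can extract and restore the relevant information from the attack packets that arrive, and then apply identifier-based filtering at the attack ingress on the domain border. Complete marking, shared storage and filtering schemes are given. Large-scale simulation experiments based on authoritative real Internet topology show that the scheme defends well and effectively reduces the impact of the attack on the victim host and on the upstream links inside the target domain.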

8.
叶晰  温武少  叶依如 《电信科学》2012,28(10):88-93
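The paper studies and designs OTP-DEF, a scheme that uses one-time password technology to protect servers against DDoS attacks. First, depending on the server's workload, the scheme operates in one of three modes: normal, suspected attack, or confirmed attack; the one-time-password authentication is active only in the suspected-attack mode. Second, because the one-time password changes automatically, the scheme resists copy, replay and brute-force attacks. Third, it identifies whether a client is an attacker by recording the IP addresses that keep sending requests without solving the puzzle; once all attackers have been identified, OTP-DEF blocks their IP addresses and stops issuing puzzles, so that normal users can use the service conveniently. Finally, the scheme only needs to be implemented and deployed on the server side; clients require no changes.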

9.
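A Survey of Probabilistic Packet Marking Techniques   Total citations: 1, self-citations: 0, citations by others: 1
胡长俊 《通信技术》2009,42(2):267-269
Defending against distributed denial of service attacks is currently a major problem in network security. Among the various countermeasures, probabilistic packet marking is an important technique and has received wide attention. The article analyzes the basic probabilistic packet marking proposed by Savage and the probabilistic packet marking schemes in common use today, classifies them by the marking means and methods they adopt, and compares and analyzes their performance and effectiveness. It closes with a brief analysis of, and outlook on, the development trend of probabilistic packet marking.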

10.
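An Optimized Path Identification Model for Defending against Distributed Denial of Service Attacks   Total citations: 1, self-citations: 1, citations by others: 0
For defending against Internet denial-of-service attacks, path identification (Pi) provides an effective means of quickly distinguishing and filtering attack packets. On this basis the paper proposes an optimized path identification scheme, OPi. Unlike existing schemes, in which each router inserts a 1-bit or 2-bit mark, a router in OPi infers the distance already travelled from the packet's current TTL value and inserts a variable-length mark of 1 to 16 bits, making maximum use of the marking field. Compared with earlier schemes, OPi distinguishes paths better, especially when attack paths and legitimate paths are heavily intermixed. Because attack packets may use random initial TTL values to disturb OPi marking, an OPi TTL filtering scheme is further proposed. Theoretical analysis and simulation experiments based on large-scale real Internet topology show that OPi defends well.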

11.
Rehan  Turgay  G.V.S.   《Ad hoc Networks》2008,6(7):1134-1150
In mobile ad hoc networks (MANETs) and wireless sensor networks (WSNs), it is easy to launch various sophisticated attacks such as wormhole, man-in-the-middle and denial of service (DoS), or to impersonate another node. To combat such attacks from outsider nodes, we study packet authentication in wireless networks and propose a hop-by-hop, efficient authentication protocol, called HEAP. HEAP authenticates packets at every hop by using a modified HMAC-based algorithm along with two keys and drops any packets that originate from outsiders. HEAP can be used with multicast, unicast or broadcast applications. We ran several simulations to compare HEAP with existing authentication schemes, such as TESLA, LHAP and Lu and Pooch’s algorithm. We measured metrics such as latency, throughput, packet delivery ratio, CPU and memory utilization and show that HEAP performs very well compared to other schemes while guarding against outsider attacks.

12.
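Denial-of-service attacks pose a huge threat to network security, and defending against DDoS attacks has long been an important topic in the security field. The paper introduces router-based techniques for defending against denial-of-service attacks, including IP path reconstruction, source-end DDoS defense strategies, mechanisms against IP address spoofing, and congestion-control-based methods, and points out directions for further research.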

13.
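Hardware Implementation of the HMAC-MD5 Algorithm   Total citations: 1, self-citations: 0, citations by others: 1
Message authentication is a very important part of an information security architecture, and message authentication codes built on hash functions are one important method. The paper proposes a circuit structure for a hardware implementation of a message authentication code based on the MD5 algorithm (HMAC-MD5). By reusing the core MD5 computation module, the structure reduces circuit size while achieving a relatively high processing speed. The circuit structure is described in Verilog HDL, and its correctness is verified on an FPGA.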

14.
Improving Resilience against DDoS Attack in Unstructured P2P Networks   Total citations: 4, self-citations: 0, citations by others: 4
In unstructured peer-to-peer (P2P) systems such as Gnutella, a general routing search algorithm is used to blindly flood a query through the network among peers. Unfortunately, malicious nodes could easily make use of this search approach to launch a distributed denial of service (DDoS) attack aimed at the whole network. In order to alleviate or minimize the bad effect of malicious nodes using the flooding search mechanism, the paper proposes a Markov-based evaluation model which uses a trust and reputation mechanism to compute the level of trustworthiness of nodes having the requested information by evaluating the nodes' past behavior. Moreover, it can differentiate malicious nodes as early as possible in order to isolate them and control the messages they transmit. The simulation results of the proposed algorithm show that it could effectively isolate malicious nodes and hold back the transmission of vicious messages, so that it could enhance tolerance of flooding-based DDoS in Gnutella-like P2P networks.

15.
The denial of service attack is a main type of threat on the Internet today. On the basis of path identification (Pi) and Internet control message protocol (ICMP) traceback (iTrace) methods, a packet track and traceback mechanism is proposed, which features rapid response and high accuracy. In this scheme, routers apply packet marking scheme and send traceback messages, which enables the victim to design the path tree in peace time. During attack times the victim can trace attackers back within the path tree and perform rapid packet filtering using the marking in each packet. Traceback messages overcome Pi's limitation, wherein too much path information is lost in path identifiers; whereas path identifiers can be used to expedite the design of the path-tree, which reduces the high overhead in iTrace. Therefore, our scheme not only synthesizes the advantages but also compromises the disadvantages of the above two methods. Simulation results with NS-2 show the validity of our scheme.

16.
In this paper, a new Design for Testability (DFT) scheme is proposed, for the testing of LC-tank CMOS Voltage Controlled Oscillators (VCOs). The proposed test-circuit is capable of detecting hard (catastrophic) and soft (parametric) faults, injected in the VCO. The test result is provided by a digital Fail/Pass signal. Simulation results reveal the effectiveness of the proposed circuit. The overall silicon area requirement of the proposed DFT scheme is negligible.

17.
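Taking the RS(63,47) code of the Cellular Digital Packet Data (CDPD) system as an example, the paper proposes an improved Reed-Solomon decoder circuit built on a generalized triangular basis multiplier over Galois fields. In the decoder design, tailored to the characteristics of the RS(63,47) code in CDPD, an improved fast Chien-BRS root search algorithm is used to find the roots, and techniques such as pipelining are applied to optimize the system design. This saves hardware resources and raises speed, greatly improving decoder performance. The decoder not only fully meets the design requirements of the CDPD system; its circuit structure is also easy to implement in very-large-scale integration (VLSI) and is widely applicable.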

18.
The IEEE 802.11e medium access control (MAC) layer protocol is an emerging standard to support quality of service (QoS) in 802.11 wireless networks. Some recent work shows that the 802.11e hybrid coordination function (HCF) can improve significantly the QoS support in 802.11 networks. A simple HCF referenced scheduler has been proposed in the 802.11e which takes into account the QoS requirements of flows and allocates time to stations on the basis of the mean sending rate. As we show in this paper, this HCF referenced scheduling algorithm is only efficient and works well for flows with strict constant bit rate (CBR) characteristics. However, a lot of real-time applications, such as videoconferencing, have some variations in their packet sizes, sending rates or even have variable bit rate (VBR) characteristics. In this paper we propose FHCF, a simple and efficient scheduling algorithm for 802.11e that aims to be fair for both CBR and VBR flows. FHCF uses queue length estimations to tune its time allocation to mobile stations. We present analytical model evaluations and a set of simulations results, and provide performance comparisons with the 802.11e HCF referenced scheduler. Our performance study indicates that FHCF provides good fairness while supporting bandwidth and delay requirements for a large range of network loads. Pierre Ansel received a multidisciplinary in-depth scientific training in different fields such as Pure and Applied Mathematics, Physics, Mechanics, Computer Science and Economics from the Ecole Polytechnique, Palaiseau, France. Then, he joined the Ecole Nationale Superieure des Telecommunications, Paris, France in 2005 where he went further into electronics, databases, computer network security and high speed networks. He received a multidisciplinary master of sciences degree and an additional master of sciences degree in telecommunications in 2005. 
He did a summer internship in 2003 in INRIA, Sophia Antipolis, France where he worked on the Quality of Service in 802.11 networks at Planete Group, France. Then in 2004, he joined France Telecom R&D, Issy-les-Moulineaux, France to work on Intranet Security issues. He designed a WiFi security supervision architecture based on WiFi Intrusion Detection Sensors. He is currently a French civil servant and belongs to the French Telecommunications Corps. Qiang Ni received the B.Eng., M.Sc. and Ph.D. degrees from Hua Zhong University of Science and Technology (HUST), Wuhan City, China in 1993, 1996 and 1999 respectively. He is currently a faculty member in the Electronic and Computer Engineering Division, School of Engineering and Design, Brunel University, West London, U.K. Between 2004 and 2005 he was a Senior Researcher at the Hamilton Institute, National University of Ireland, Maynooth. From 1999 to 2001, he was a post-doctoral research fellow in the multimedia and wireless communication laboratory, HUST, China. He visited and conducted research at the wireless and networking group of Microsoft Research Asia Lab during the year of 2000. From Sept. 2001 until May 2004, he was a research staff member at the Planète group of INRIA Sophia Antipolis France. Since 2002, he has been active as a voting member at the IEEE 802.11 wireless LAN standard working group. His current research interests include communication protocol design and performance analysis for wireless networks, cross-layer optimizations, vertical handover and mobility management in mobile wireless networks, and adaptive multimedia transmission over hybrid wired/wireless networks. He has authored/co-authored over 40 international journal/conference papers, book chapters, and standard drafts in this field. He is a member of IEEE. E-mail: Qiang.Ni@ieee.org Thierry Turletti received the M.S. (1990) and the Ph.D. (1995) degrees in computer science both from the University of Nice – Sophia Antipolis, France. 
He has done his PhD studies in the RODEO group at INRIA Sophia Antipolis. During the year 1995–96, he was a postdoctoral fellow in the Telemedia, Networks and Systems group at LCS, MIT. He is currently a research scientist at the Planete group at INRIA Sophia Antipolis. His research interests include multimedia applications, congestion control and wireless networking. Dr. Turletti currently serves on the Editorial Board of Wireless Communications and Mobile Computing.

19.
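A Novel BIST Architecture for Carry Look-Ahead Adders   Total citations: 2, self-citations: 0, citations by others: 2
王乐  李元  谈宜育 《微电子学》2002,32(3):195-197
An efficient BIST architecture is proposed for the carry look-ahead adder (CLA). The new architecture combines the advantages of deterministic testing and pseudo-random testing while avoiding the weaknesses of each. A test vector set is also proposed that makes full use of the regularity of the CLA's internal structure; the set is small and easy to integrate on chip. Finally, a new method for computing the signature is proposed.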
