SYN Flood攻击的检测

为有效防止和避免网络的SYN Flood攻击,论文介绍了 SYN Hood攻击的基本原理,国内外研究现状,然后详细描述了两种比较有效和方便实施的防御方法:SYN-cookie技术和地址状态监控.SYN-cookie技术实现了无状态的握手,避免了SYN Flood的资源消耗.地址状态监控的解决方法能够对每一个连接服务器的...     

一种SYN Flood DoS攻击工具的实现

为检测目标主机是否存在DoS漏洞及承受DoS攻击的能力,在Linux平台上实现一个基于SYN Flood的DoS攻击工具。首先,介绍SYN Flood攻击原理。然后利用原始套接字结合IP欺骗技术,实现SYN Flood攻击报文的构造和发送,实现了基于SYN Flood攻击工具synAttacker。最后,利用synAttacker进行测试,并对测试结果进行分析。测试结果表明synAttacker能够进行有效的SYN Flood攻击,可以作为DoS渗透攻击工具。     

基于SYN Cookie的DDoS防御技术研究

文章讨论了防御SYN Flood类型DDoS攻击的基本原理和技术,通过对比几种SYN Cookie方案的技术细节,提出了一种改进方案和相应的系统模型。     

非对称路由环境下SYN flood攻击防御方法

针对现有网络安全设施无法有效防御非对称路由环境下流量规模较大的SYN flood攻击的问题,对SYN flood攻击检测技术和TCP连接管理策略进行研究,提出了一种轻量级攻击检测和混合连接管理策略相结合的防御方法,利用SYN分组比例和目的地址熵进行攻击检测,并根据检测结果对基于SYN的连接管理策略和基于数据的连接管理策略进行灵活切换。实验证明该防御方法能有效地减轻SYN flood攻击对网络安全设施的影响。     

通过虚拟机探索网络协议及其安全

TCP/IP协议是网络互联的基础,文章运用虚拟机技术探讨了网络协议的组成原理、IP分片的安全问题、TCP协议的安全隐患、UDP协议的缺陷;用虚拟机模拟了针对这些安全漏洞的一些攻击,如泪滴攻击、SYN Flood攻击、UDP Flood攻击等,并提出了相应的防御措施。     

IPv6环境下SYN-Flood攻击防范的研究

在分析几种常规防范DDoS方法特点和不足的基础上,结合数据包流量检测技术和改进的TCP Cookie技术,在IPv6环境下建立了一种数据包检测--智能过滤PDIF(Packet Detection and Intelligence Filter)防御SYN Flood 攻击的模型.通过检测数据包流量是否超出闻值来分析是否发生攻击,同时采用一种验证远程客户端TCP连接有效性的算法来实现智能过滤,将DDoS攻击分组拦截而让正常的网络流量通过,在实验室测试中取得了较好的效果.     

基于自适应阀值的SYN Flooding攻击防御

针对危害性极大的SYN Flooding攻击,提出了一种新的基于自适应阀值的防御系统.该系统监控出/入终端网络TCP业务的平衡性,实时自适应调整攻击检测阀值和限速门限,提高了检测的准确性和在线检测速度,有效地滤除攻击流,同时向合法业务提供良好的服务.     

一种基于软件定义网络的通信网络保护方法

为了应对互联网数据传输过程中的分布式拒绝服务攻击(DDoS),提高互联网数据传输的安全性,通过对SYN泛洪 攻击机理进行分析研究,提出应对SYN泛洪攻击较为有效的软件定义网络(SDN)防御机制,分析其防御机理,建立 SDN信息熵计算模型,并构建了实际仿真计算实验环境, 研究结果证明SDN能够较为快速有效的对SYN泛洪攻击进行防御,同时能够对类似于SYN攻击的其他DDoS攻击进行有效防御。     

DDOS攻击原理及其防御策略研究

阐述了DDOS攻击的原理;论述了目前主要的几种DDOS攻击方式即SYN／ACK Flood攻击。TCP全连接攻击和刷Script脚本攻击;针对这些主要的攻击方式提出了采用高性能的网络设备、尽量避免NAT的使用、使用网络和主机扫描工具检测脆弱性、采用网络入侵检测系统NIDS和探测器、增强操作系统的TCP／IP栈、速率限制法、调整服务器的各项参数等防御策略;并结合一个实际的DDOS攻击案例讨论了相应的解决措施．     

接入控制器中基于Netfilter的防范DDOS攻击策略研究

DDOS(分布式拒绝服务)是一种常见的、破坏力强的网络攻击,为了减小其对网络设备的影响,提出一种在接入控制器中基于 Netfilter的防范DDOS攻击的策略。结合改良的 SYN Cookie(标识握手信号的本地数据)技术,对 Linux 内核中的Netfilter进行二次开发,实现了针对DDOS中 SYN Flood(标识握手信号的洪水攻击)方式的防火墙。测试结果表明：该方案能够有效地防止网络攻击,以较小的性能损失保证TCP(传输控制协议)服务的正常工作,并节约了成本。     

Research on Protecting Against SYN Flooding on a Firewall

1　IntroductionTheSYNFloodingattacksexploitTCP sthree wayhand shakemechanismanditslimitationinmaintaininghalf openconnections,andareper formedbytheattackersubmittingastreamofTCPSYN (connectionrequest)packetstothetargetsys tem ,fillingitsconnectionrequestqueue,andthusdenyinglegitimateusers accesstothetargetsys tem[1 ] .SYNFloodingdoesgreatharmtopopularwebsites,especiallytoe Businessones.Severalapproacheshavebeen proposedtocounterSYNfloodingattacks.SYNCache[2 ] andSYNCookie[3] canmiti…     

抵御SYN洪水攻击早期阶段的检测方法

Existing detection methods against SYN flooding attacks are effective only at the later stages when attacking signatures are obvious. In this paper an early stage detecting method （ESDM） is proposed. The ESDM is a simple but effective method to detect SYN flooding attacks at the early stage. In the ESDM the SYN traffic is forecasted by autoregressive integrated moving average model, and non-parametric cumulative sum algorithm is used to find the SYN flooding attacks according to the forecasted traffic. Trace-driven simulations show that ESDM is accurate and efficient to detect the SYN flooding attacks.     

网络设备中防火墙状态检测系统设计

为了在网络设备中嵌入防火墙状态检测系统,研究防火墙状态检测技术,设计了一种状态检测系统,以及通用的状态机模型,记录和维护网络中所有通信连接的状态和过程,并根据状态机模型进行连接的状态变迁,保证通信的完整性和安全性,支持更多应用、协议。同时还提出了一种基于IP流的报文快速转发算法,实验证明该算法可以加快报文的转发效率,并在保证系统安全的同时,有效提高系统性能。     

Adaptive Defense Against Various Network Attacks

In defending against various network attacks, such as distributed denial-of-service (DDoS) attacks or worm attacks, a defense system needs to deal with various network conditions and dynamically changing attacks. Therefore, a good defense system needs to have a built-in “adaptive defense” functionality based on cost minimization—adaptively adjusting its configurations according to the network condition and attack severity in order to minimize the combined cost introduced by false positives (misidentify normal traffic as attack) and false negatives (misidentify attack traffic as normal) at any time. In this way, the adaptive defense system can generate fewer false alarms in normal situations or under light attacks with relaxed defense configurations, while protecting a network or a server more vigorously under severe attacks. In this paper, we present concrete adaptive defense system designs for defending against two major network attacks: SYN flood DDoS attack and Internet worm infection. The adaptive defense is a high-level system design that can be built on various underlying nonadaptive detection and filtering algorithms, which makes it applicable for a wide range of security defenses.     

一种新的DDoS攻击检测算法

为了准确及时的进行DDoS攻击检测,提出了一种新的DDoS攻击检测算法。该算法在基于传统的小波分析检测DDoS攻击的基础上融入了主成分分析法和小波分析法中DDoS检测方法,并根据该算法设计相应的模型和算法来检测 DDoS 攻击,并且引入信息论中的信息熵对源IP地址的分散程度进行度量,根据初始阶段Hurst指数及熵值的变化自适应地设定阈值以检测攻击的发生。实验结果表明,该方法大幅度的提高了DDoS检测的速度。     

Divided two-part adaptive intrusion detection system

The main objective of this paper is to design a more complete intrusion detection system solution. The paper presents an efficient approach for reducing the rate of alerts using divided two-part adaptive intrusion detection system (DTPAIDS). The proposed DTPAIDS has a high degree of autonomy in tracking suspicious activity and detecting positive intrusions. The proposed DTPAIDS is designed with the aim of reducing the rate of detected false positive intrusion through two achievements. The first achievement is done by implementing adaptive self-learning neural network in the proposed DTPAIDS to gives it the ability to be automatic adaptively system based on Radial Basis Functions (RBF) neural network. The second achievement is done through dividing the proposed intrusion detection system IDS into two parts. The first part is IDS₁, which is installed in the front of firewall and responsible for checking each entry user’s packet and deciding if the packet considered is an attack or not. The second is IDS₂, which is installed behind the firewall and responsible for detecting only the attacks which passed the firewall. This proposed approach for IDS exhibits a lower false alarm rate when detects novel attacks. The simulation tests are conducted using DARPA 1998 dataset. The experimental results show that the proposed DTPAIDS [1] reduce false positive rate, [2] detects intrusion occurrence sensitively and precisely, [3] accurately self–adapts diagnoser model, thus improving its detection accuracy.     

基于改进决策树的有状态防火墙模型

适应复杂防御策略的有状态模型是研究有状态防火墙的核心内容。防火墙的运行不仅应当具有时间和空间上的效率,还应当允许管理员定义复杂的逻辑过程和状态信息。在一种经典的有状态防火墙模型的基础上,结合改进决策树,提出了一种新的允许用户自定义状态变量以及防御算法的模型。该模型能够更好地适应针对不同类型网络攻击,复杂多变的防御策略需求,在时间和空间上也具有较好的效率。     

基于策略系统的SYN Flooding攻击防御机制

拒绝服务(denial of service)攻击对网络带来的危害越来越严重,SYN Flooding攻击是DoS攻击中著名的一种.本文介绍了在网络测量平台上基于策略系统的SYN Flooding攻击防御机制.文章首先简单介绍了SYN Flooding的攻击原理、防御方法以及网络监测系统,然后对策略系统进行了讨论,最后详细阐述了网络测量平台上基于策略系统的SYN Flooding攻击检测和追踪工具的设计与实现,并进行了分析.