Similar literature
 20 similar documents found; search took 109 ms
1.
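Path traceback may become a new means of defending against DoS attacks on the Internet. Building on an analysis of existing techniques, this paper proposes a novel algorithm model in which ingress routers mark packets with address tuples; by analyzing the marking information in attack packets, the victim host can directly and fairly easily recover the real attack ingress address. The key points of the algorithm, suitable for practical use, and the necessary theoretical analysis are given. Simulation experiments in a general network environment produced good results consistent with the theoretical estimates. The performance characteristics, computational complexity and scope of applicability of the algorithm model, as well as directions for further research, are discussed.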

2.
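The basic deterministic packet marking algorithm cannot perform inter-domain traceback, has a high false-positive rate, cannot recover the address of the ingress router of attack packets when the attacker keeps changing the source address of the packets, and does not protect the privacy of the ISP. To address these problems, a new optimized deterministic packet marking scheme based on autonomous systems is proposed. The optimized scheme was simulated on a platform built with the NS2 simulation software, and the simulation verified its effectiveness.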

3.
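An improved packet marking traceback scheme: CDPM   Total citations: 1, self-citations: 1, citations by others: 0
To improve the efficiency with which the victim reconstructs the attack path, a composite scheme of periodic deterministic packet marking is proposed. The scheme represents edge information as a group of five fragments, and routers mark packets periodically. For changes in edge state, the scheme synchronizes by having routers check the marking information, to ensure the accuracy and robustness of the marking. Compared with traditional probabilistic packet marking schemes, this scheme needs fewer marked packets to rebuild the attack path, handles packets with forged addresses well, and effectively solves the problem of packet loss. Theoretical analysis and experimental results demonstrate the effectiveness of the scheme.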

4.
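A fast IP packet traceback scheme based on variable probability   Total citations: 1, self-citations: 1, citations by others: 0
To improve the performance of probabilistic packet marking, two variable-probability packet marking schemes capable of tracing large-scale denial-of-service attacks are proposed. Marking with variable probability makes it possible to identify and exclude false marking information from attackers. By recording the sending state of IP addresses in the router and sending packet fragments in order, the number of packets the victim must receive to reconstruct the path is reduced.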

5.
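Packets are delivered across the Internet by routers. At each hop a router is concerned only with the destination address of the data, and the source IP address is usually ignored by the router, which creates the conditions for denial-of-service (DoS) attacks. Distributed denial of service (DDoS) is an attack method based on DoS, characterized by large scale and severe harm; in recent years many well-known websites such as yahoo have been attacked by it, causing heavy losses.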

6.
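Tracing IP source addresses using authenticated ingress packet marking   Total citations: 1, self-citations: 0, citations by others: 1
This paper first introduces several of the latest international schemes for tracing the IP source address of network attacks, then proposes an IP address traceback scheme that marks packets at ingress and includes an authentication mechanism, and finally compares the schemes, showing that the ingress packet marking scheme has favourable properties.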

7.
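Distributed denial-of-service attacks are causing enormous and growing harm to the whole Internet. This paper studies how, under different Internet protocols, to mark attack packets passing through routers and reconstruct the attack path, so as to locate the source of a denial-of-service attack and then block the attack. It also analyzes the security mechanisms of the IPv6 protocol, analyzes and compares the IPv4 and IPv6 packet formats, and improves the algorithm by which routers store marking information in IPv4 and successfully applies it to IPv6.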

8.
刘悦  李宁 《数字社区&智能家居》2009,5(7):5117-5118,5123
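Distributed denial-of-service attacks are causing enormous and growing harm to the whole Internet. This paper studies how, under different Internet protocols, to mark attack packets passing through routers and reconstruct the attack path, so as to locate the source of a denial-of-service attack and then block the attack. It also analyzes the security mechanisms of the IPv6 protocol, analyzes and compares the IPv4 and IPv6 packet formats, and improves the algorithm by which routers store marking information in IPv4 and successfully applies it to IPv6.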

9.
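DDoS attacks are the main security threat facing peer-to-peer networks. To address the shortcomings of existing probabilistic packet marking algorithms, such as heavy computation and the inability to detect spoofing with falsely marked packets, a variable-probability packet marking algorithm is proposed. By using variable-probability marking and recording the sending state of IP addresses in routers, the scheme can trace large-scale denial-of-service attacks, identify and exclude false marking information from attackers, and greatly reduce the number of packets the victim must receive to reconstruct the path, thereby achieving effective defence against DDoS. Compared with similar methods, the scheme is more practical.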

10.
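Given that IP source addresses can currently be spoofed, tracing the attack source accurately and quickly is the key to defending against network attacks, especially DoS attacks. This paper gives a model and evaluation metrics for reverse-path tracing of DoS attacks and analyzes the performance of existing algorithms. On this basis, a new random packet marking algorithm based on message authentication codes, MPPM, is proposed. In this algorithm routers randomly mark the packets they forward; the marking information consists of fragments of the edge mark formed by the router itself and its downstream router, together with a MAC value. The victim of a DoS attack uses the MAC to reassemble the edge-mark fragments from different attack packets to obtain the edge marks and the attack path, and can verify whether marks are genuine. Analysis and simulation results show that the algorithm has linear computational complexity, traces quickly, has small error, and is efficient and feasible.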

11.
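Because the source address of an IP packet can be forged arbitrarily, it is very difficult to trace back the real path taken by DoS attack packets. The Hash and Traffic Analysis based Scheme (HTAS) enables routers to record suspicious flows passing through them for a long time without much storage space, so that the victim can trace back during or after a DoS attack. This paper describes the working model of the method in detail and analyzes its performance.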

12.
The InfiniBand architecture (IBA) is a promising communication standard for building clusters and system area networks. However, the IBA specification has left out security aspects, resulting in potential security vulnerabilities, which could be exploited with moderate effort. In this paper, we view these vulnerabilities from three classical security aspects - confidentiality, authentication, and availability - and investigate the following security issues. First, as groundwork for secure services in IBA, we present partition-level and queue-pair-level key management schemes, both of which can be easily integrated into IBA. Second, for confidentiality and authentication, we present a method to incorporate a scalable encryption and authentication algorithm into IBA, with little performance overhead. Third, for better availability, we propose a stateful ingress filtering mechanism to block denial-of-service (DoS) attacks. Finally, to further improve the availability, we provide a scalable packet marking method tracing back DoS attacks. Simulation results of an IBA network show that the security performance overhead due to encryption/authentication on network latency ranges from 0.7 percent to 12.4 percent. Since the stateful ingress filtering is enabled only when a DoS attack is active, there is no performance overhead in a normal situation.

13.
Tor is a real-world, circuit-based low-latency anonymous communication network, supporting TCP applications over the Internet. In this paper, we present an extensive study of protocol-level attacks against Tor. Different from existing attacks, the attacks investigated in this paper can confirm anonymous communication relationships quickly and accurately by manipulating one single cell and pose a serious threat against Tor. In these attacks, a malicious entry onion router may duplicate, modify, insert, or delete cells of a TCP stream from a sender, which can cause cell recognition errors at the exit onion router. If an accomplice of the attacker at the entry onion router also controls the exit onion router and recognizes such cell recognition errors, the communication relationship between the sender and receiver will be confirmed. These attacks can also be used for launching the denial-of-service (DoS) attack to disrupt the operation of Tor. We systematically analyze the impact of these attacks and our data indicate that these attacks may drastically degrade the anonymity service that Tor provides, if the attacker is able to control a small number of Tor routers. We have implemented these attacks on Tor and our experiments validate their feasibility and effectiveness. We also present guidelines for defending against protocol-level attacks.

14.
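Research on DoS attacks and source address tracing   Total citations: 2, self-citations: 0, citations by others: 2
This paper gives an overview of the development of DoS attacks, focusing on the principles of several common attack methods and the defences against them, then presents the latest international schemes for tracing the IP source address of network attacks, and finally introduces IP source address tracing implemented with the authenticated ingress packet marking method proposed by the authors.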

15.
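A DDoS attack defence strategy based on a source and destination IP address pair database   Total citations: 2, self-citations: 1, citations by others: 1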
孙知信  李清东 《软件学报》2007,18(10):2613-2623
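A strategy for defending against distributed denial of service (DDoS) attacks based on a database of source and destination IP address pairs is proposed. The strategy builds a source and destination IP address database (SDIAD) of normal traffic, stores the SDIAD in an extended three-dimensional Bloom filter table, and applies an improved sliding-window non-parametric CUSUM (cumulative sum) algorithm to cumulatively analyze new source and destination IP address pairs, so as to detect DDoS attacks quickly and accurately. The SDIAD is updated with a delayed-update policy to keep it timely, accurate and robust. Experiments show that the strategy is mainly applicable to edge routers and that, whether close to the attack source or close to the victim, it detects DDoS attacks effectively with good detection accuracy.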

16.
A router architecture based upon ForCES (Forwarding and Control Element Separation), which is being standardized by IETF ForCES working group, gains its competitive advantage over traditional router architectures in flexibility, programmability, and cost-effectiveness. In this paper, design and implementation of a ForCES-based router (ForTER) is illustrated. Firstly, the implementation architecture of ForTER is discussed. Then, a layered software model, which well illustrates ForCES features, is proposed. Based on the model, design and implementation of Control Element (CE) and Forwarding Element (FE) in ForTER are introduced in detail. Moreover, security for ForTER is considered and an algorithm to prevent DoS attacks is presented. Lastly, experiments of ForTER are illustrated for routing and running routing protocols, network management, DoS attack prevention, etc. The experimental results show the feasibility of the ForTER design. Consequently, the ForTER implementation basically testifies the feasibility of ForCES architecture and some IETF ForCES specifications.

17.
Denial-of-service (DoS) attacks with source IP address spoofing techniques have become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all the resources, causing degraded network performance or, even worse, network breakdown. A proactive approach to DoS attacks is allocating the original attack host(s) issuing the attacks and stopping the malicious traffic, instead of wasting resources on the attack traffic.

In this paper, an ant-based traceback approach is proposed to identify the DoS attack origin. Instead of creating a new type or function or processing a high volume of fine-grained data used by previous research, the proposed traceback approach uses flow level information to identify the origin of a DoS attack.

Two characteristics of ant algorithm, quick convergence and heuristic, are adopted in the proposed approach on finding the DoS attack path. Quick convergence efficiently finds out the origin of a DoS attack; heuristic gives the solution even though partial flow information is provided by the network.

The proposed method is evaluated through simulation on various network environments and two simulated real networks, NSFNET and DFN. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments, with full and partial flow information provided by the networks.


18.
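This paper analyzes common methods for detecting denial-of-service attacks: traffic-based detection, detection based on source IP addresses, and detection based on packet attributes, and discusses the advantages and disadvantages of these detection mechanisms. For defence against denial-of-service attacks, it focuses on defence based on egress filtering, traffic control based on packet risk level, and IP traceback.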

19.
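This paper analyzes common methods for detecting denial-of-service attacks: traffic-based detection, detection based on source IP addresses, and detection based on packet attributes, and discusses the advantages and disadvantages of these detection mechanisms. For defence against denial-of-service attacks, it focuses on defence based on egress filtering, traffic control based on packet risk level, and IP traceback.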

20.
The Denial-of-Service (DoS) attack is a challenging problem in the current Internet. Many schemes have been proposed to trace spoofed (forged) attack packets back to their sources. Among them, hop-by-hop schemes are less vulnerable to router compromise than packet marking schemes, but they require accurate attack signatures, high storage or bandwidth overhead, and cooperation of many ISPs. In this paper, we propose honeypot back-propagation, an efficient hop-by-hop traceback mechanism, in which accurate attack signatures are obtained by a novel leverage of the roaming honeypots scheme. The reception of attack packets by a roaming honeypot (a decoy machine camouflaged within a server pool) triggers the activation of a tree of honeypot sessions rooted at the honeypot under attack toward attack sources. The tree is formed hierarchically, first at Autonomous system (AS) level and then at router level. Honeypot back-propagation supports incremental deployment by providing incentives for ISPs even with partial deployment. Against low-rate attackers, most traceback schemes would take a long time to collect the needed number of packets. To address this problem, we also propose progressive back-propagation to handle low-rate attacks, such as on-off attacks with short bursts. Analytical and simulation results demonstrate the effectiveness of the proposed schemes under a variety of DDoS attack scenarios.
