共查询到19条相似文献,搜索用时 78 毫秒
1.
拒绝服务攻击已经成为威胁互联网安全的重要攻击手段,本文介绍了分布式拒绝服务(DDoS)攻击的概念,分析了DDoS攻击的原理;最后介绍了多种IP溯源技术的优缺点。 相似文献
2.
近两年来,分布式拒绝服务(Distributed Denial of Service,DDoS)攻击成为一种日益常见的网络异常流量,它不仅导致被攻击者的网络服务中断,还对电信运营商的IP城域骨干网的安全构成严重威胁.从电信运营商的角度,分析了危害IP城域网安全的DDoS攻击特征,在综合考虑攻击特征、技术现状、投资成本的基础上,提出一种容易在IP城域网部署的DDOS攻击检测与封堵方案.试用结果表明,该方案可以显著提高运营商IP城域网在DDoS攻击事件方面的响应处理能力. 相似文献
3.
分布式拒绝服务攻击及防御机制研究 总被引:1,自引:0,他引:1
分布式拒绝服务(DDoS)攻击是当今网络面临的最严峻的威胁之一,研究防御DDoS攻击的技术非常重要。文章分析了DDoS攻击原理,并深入介绍了当前DDoS攻击的防御技术。 相似文献
4.
李晨光 《电子产品维修与制作》2010,(3):146-149
到目前为止,针对分布式拒绝服务攻击(DDoS)的防御依然没有特别直接有效的方法,因为这种攻击会利用TCP/IP协议的漏洞。除非您完全不使用TCP/IP,才有可能抵御DDoS攻击。 相似文献
5.
文章根据分布式拒绝服务攻击(DDoS)的本质特点,提出了一种基于隐马尔可夫模型(HMM)的DDoS攻击检测方法。该方法通过IP地址信息库.保存当前常用服务的源IP地址,然后对新到数据包的IP地址用HMM建模。通过离线训练,更新IP地址信息库,优化HMM参数。在线检测时,IP地址信息库在线学习更新,HMM实时检测.并根据检测结果通过边界路由器进行积极响应。实验结果显示,该方法具有很好的检测效果,并能及时响应,保持常用服务的延续性。 相似文献
6.
本文主要介绍了分布式拒绝服务DDoS的攻击机制和相应的防御对策,并以英特尔IXP网络处理器为核心,配备符合IP31工业防护标准铝合金外壳设计了一款带DDoS防御的路由设备,同时,提出了解决DDoS攻击的关键技术:数据包认证的原理和方法。 相似文献
7.
分布式拒绝服务攻击(DDoS)是Internet面临的最严峻的威胁之一。本文介绍了DDoS攻击原理,总结了近年来防御技术的研究成果,对DDoS防御技术进行了分析,指出了防御DDoS攻击面临的挑战。 相似文献
8.
DDoS攻击方式与防御措施浅议 总被引:2,自引:1,他引:1
随着Internet互联网络带宽的增加和多种DDoS黑客工具的不断发布,DDoS拒绝服务攻击的实施越来越容易,DDoS攻击事件正在成上升趋势。论文通过对常用的各种DDoS攻击方式进行分类,对攻击的原理进行了探讨,最后在此基础上有针对性地提出了一些防御DDoS攻击的方法。 相似文献
9.
介绍了分布式拒绝服务(DDoS)和反弹式拒绝服务(DRDoS)的原理,对DRDoS的原理进行了重点分析。并提出了一些检测和防范的方法。 相似文献
10.
分布式拒绝服务攻击(DDoS)给政府部门和商业机构的网络安全造成严重威胁。IP追踪技术能够反向追踪IP数据包到它们的源头,所以是识别和阻止DDoS攻击的重要一步。本文针对DDoS攻击,对比分析了各个IP反向追踪方法的基本原理和优缺点。 相似文献
11.
Increased instances of distributed denial of service (DDoS) attacks on the Internet have raised questions on whether and how ad hoc networks are vulnerable to such attacks. This paper studies the special properties of such attacks in ad hoc networks. We examine two types of area-congestion-based DDoS attacks – remote and local attacks – and present in-depth analysis on various factors and attack constraints that an attacker may use and face. We find that (1) there are two types of congestion – self congestion and cross congestion – that need to be carefully monitored; (2) the normal traffic itself causes significant packet loss in addition to the attack impacts in both remote and local attacks; (3) the number of flooding nodes has major impacts on remote attacks while, the load of normal traffic and the position of flooding nodes are critical to local attacks; and (4) given the same number of flooding nodes and attack loads, a remote DDoS attack can cause more damage to the network than a local DDoS attack. 相似文献
12.
13.
新网络环境下应用层DDoS攻击的剖析与防御 总被引:4,自引:0,他引:4
针对新网络环境下近两年新出现的应用层分布式拒绝服务攻击,本文将详细剖析其原理与特点,并分析现有检测机制在处理这种攻击上的不足.最后,本文提出一种基于用户行为的检测机制,它利用Web挖掘的方法通过Web访问行为与正常用户浏览行为的偏离程度检测与过滤恶意的攻击请求,并通过应用层与传输层的协作实现对攻击源的隔离. 相似文献
14.
为了准确及时的进行DDoS攻击检测,提出了一种新的DDoS攻击检测算法。该算法在基于传统的小波分析检测DDoS攻击的基础上融入了主成分分析法和小波分析法中DDoS检测方法,并根据该算法设计相应的模型和算法来检测 DDoS 攻击,并且引入信息论中的信息熵对源IP地址的分散程度进行度量,根据初始阶段Hurst指数及熵值的变化自适应地设定阈值以检测攻击的发生。实验结果表明,该方法大幅度的提高了DDoS检测的速度。 相似文献
15.
Distributed are common threats in many networks, where attackers attempt to make victim servers unavailable to other users by flooding them with worthless requests. These attacks cannot be easily stopped by firewalls, since they forge lots of connections to victims with various IP addresses. The paper aims to exploit the software‐defined networking (SDN) technique to defend against DDoS attacks. However, the controller has to handle lots of connections launched by DDoS attacks, which burdens it with a heavy load and degrades SDN's performance. Therefore, the paper proposes an efficient and low‐cost DDoS defense (ELD) mechanism for SDN. It adopts a nested reverse‐exponential data storage scheme to help the controller efficiently record the information of packets in the limited memory. Once there are many packets with high IP variability sent to a certain server and this situation lasts for a while, then a DDoS attack is likely happening. In this case, the controller asks switches to block malicious connections by installing flow rules. Experimental results verify that the ELD mechanism rapidly recognizes protocol‐based DDoS attacks and stops them in time, including TCP SYN flood, UDP flood, and ICMP flood, and also greatly reduces the overhead for the controller to defend against attacks. Moreover, ELD can distinguish DDoS flows from legitimate ones with similar features such as elephant flows and impulse flows, thereby eliminating false alarms. 相似文献
16.
李江 《电信工程技术与标准化》2013,(12):66-69
分布式拒绝服务攻击(DDoS)对网络具有极大的破坏性,严重影响现网的正常运营。虽然现网已经部署针对DDoS的流量清洗系统,然而小流量的攻击较洪水型攻击更难以被感知,进而不能得到有效的清洗。本文分析了网络中小流量DDoS攻击的原理和防御现状,并提出一种基于资源感知的小流量DDoS攻击防御方法。 相似文献
17.
18.
基于流媒体服务DDoS攻击防范研究 总被引:1,自引:0,他引:1
分布式拒绝服务(Distributed Deny of Service,DDoS)攻击是目前最难解决的网络安全问题之一。在研究RTSP(Real-Time Streaming Protocol)协议漏洞基础上,提出一种有效防御流媒体服务DDoS攻击防御方案。该方案基于时间方差图法(Variance-TimePlots,VTP),计算自相似参数Hurst值,利用正常网络流量符合自相似模型的特性来进行DDoS攻击检测,并综合采用黑白名单技术对流量进行处理。最后通过MATLAB仿真工具进行了模拟实验,并对结果进行了分析,在协议分析基础上能合理控制流量,使得DDoS攻击检测准确率、实时性高,目标流媒体服务器带宽和资源得到了有效保护。 相似文献
19.
In any Distributed Denial of Service (DDoS) attack, invaders may use incorrect or spoofed Internet Protocol (IP) addresses in the attacking packets and thus disguise the actual origin of the attacks. This is primarily due to the stateless nature of the Internet. IP traceback algorithms provide mechanisms for identifying the true source of an IP datagram on the Internet ensuring at least the accountability of cyber attacks. While many IP traceback techniques have been proposed, most of the previous studies focus and offer solutions for DDoS attacks done on Internet Protocol version 4 (IPv4) environment. IPv4 and IPv6 networks differ greatly from each other, which urge the need of traceback techniques specifically tailored for IPv6 networks. In this paper, we propose a novel traceback architecture for IPv6 networks using Common Open-Policy Service and a novel packet-marking scheme. We also provide complete underlying protocol details required for traceback support in IPv6 networks. The proposed architecture is on demand and only single packet is required to traceback the attack. 相似文献