移动IPv6网络中的DoS攻击

介绍了移动IPv6协议的工作原理,分析总结了移动IPv6网络中三种主要的DoS攻击。针对NS-2环境提出了一套模拟移动IPv6中DoS攻击的具体实现方案。经过对仿真实验结果分析表明,DoS攻击对移动IPv6网络性能造成很大的影响。     

IPv6中的DoS/DDoS攻击流量突发检测算法

IPv6下的安全体系结构IPSec对IPv6网络的安全起到了一定的作用,但是它对某些特殊攻击的防范,例如泛洪DoS/DDoS攻击,却无能为力。该文通过对IPv6中泛洪DoS/DDoS攻击发生时的流量特征的分析,对基于网络流量突发变化的DoS/DDoS攻击检测算法在IPv6下的应用进行研究,分别用Matlab和NS-2对算法进行有效性和可行性验证。结果表明,突发流量检测算法在IPv6环境中运行良好。     

IPv6分片重组在SNORT中的实现

IPv6协议把IPSec协议作为必选的协议,保证数据在不安全的网络上进行安全传输,使网络层的安全性得到增强,但是无法有效防止针对协议本身的攻击,因此在以IPv6为基础的下一代因特网中,安全问题依然重要。本文通过讨论IP分片攻击的表现形式、IPv6分片重组机制,给出了IPv6分片重组在Snort的具体实现方案。     

IPv6安全脆弱性研究

IPv6作为可控、可信、可扩展的下一代网络核心协议已经从试验阶段走向实际应用。普遍认为IPv6因有IPSec而比IPv4更安全,但IPv6网络在实际部署中往往没有实施IPSec。IPv6协议在没有IPSec时的安全性,特别是过渡时期和IPv6协议自身的安全性问题值得深入研究。主要研究了IPv6在没有IPSec时的安全性。首先对IPv6网络中的攻击和安全问题进行了分类和概述,然后分两部分重点讨论了过渡时期的安全性和IPv6特有的安全性,并给出了一些攻击和漏洞的防护建议。     

IPv6与隧道多地址性的DoS攻击放大问题研究

DoS攻击是威胁IPv4网络安全的重要问题之一.随着IPv6的发展,相关安全问题也逐步体现并影响IPv6网络的正常运行.该文指出利用IPv6和隧道主机的多地址性,攻击者可获得大量合法IPv6地址,通过伪装成多个虚拟主机实施对目标设备的DoS攻击.这种攻击具有大量的可用地址范围,且受控于同一真实主机,通过不断使用新地址和多地址间配合,可避开以IP为单位的传统检测与防御策略,并可有效放大攻击节点数目或减少实际攻击节点数量.为此提出了基于地址特征分类的防御框架(defense framework based on addresses classification,DFAC).通过分类不同地址特征,构造特征子集,在特征子集基础上实施对虚拟主机攻击的检测和防御,解决虚拟主机引发的放大问题.原型系统实验结果表明,DFAC有效地降低了上述DoS攻击对系统负载的影响.     

防DoS攻击算法的分析和实现

网络安全是Internet发展的一大难题，随着网络攻击活动的猖獗和Internet的普及而显得越来越重要。主要分析了一种网络攻击(DoS攻击)的原理，讲述了几种具体的攻击方法，并在此基础上给出了防DoS攻击的一种算法。     

基于SIP的VoIP网络中DoS攻击的分析与研究

SIP协议是NGN中的重要协议之一,它在Internet环境下建立并管理会话,正以迅猛的速度改变当今企业及各种机构的沟通方式,因此对SIP协议安全性的研究也就显得格外重要.尽管多年来全球无数网络安全专家都在潜心研究DoS攻击的解决办法,但到目前为止收效不大,因为DoS攻击利用了协议本身的弱点.研究了针对VoIP环境下的DoS攻击,在简单介绍SIP协议和DoS攻击的基础上,详细地描述了基于SIP的VoIP网络环境中的DoS攻击的多种攻击类型,并给出针对这些攻击的网络安全维护对策.     

在IPv6环境中VPN测试的关键技术

利用IPSec VPN技术,企业能够将Internet作为其通信网络基础的骨干,实现全球通达,并大大节约成本,同时保持内部通信的安全。IPv6协议是下一代互联网协议,IPSec协议是IPv6协议的一个重要组成部分。对IPSec协议的一致性测试是保证不同厂商之间互联与互操作的基础。本文详细介绍了用Ixia厂商设备测试IPSec协议一致性的测试方法,并给出了VPN产品穿透性测试的测试用例。     

IPv6防火墙研究

下一代Internet的核心协议IPv6将逐步取代IPv4,但目前适用于IPv6防火墙的并不多,在分析了IPSec6的原理和防火墙的原理后,提出了在IPSec6基础上创建IPv6防火墙的方法,最后给出了实现防火墙的实例。     

JFK协议的分析与改进

JFK（just fast keying）协议是一种新型的Internet密钥交换协议,具有高效、安全和较好的防DoS（denial of services）攻击的特点。但是JFK协议也有自身的缺陷,比如没有实现PFS（perfect forward secrecy）。对JFK协议进行了详细的分析,通过增加循环DH队列、改变消息的内容和改进消息处理方式的方法对JFK协议进行了改进,改进后的JFK协议在不牺牲效率的情况下实现了PFS,并且具有更好的防DoS攻击和重放攻击的能力。     

A novel approach for securing IPv6 link local communication

ABSTRACT

Link local communication is one of the predominant components and intrinsic features of Internet Protocol Version 6 (IPv6) networks. IPv6 nodes utilize link local communication for ascertaining the presence of other nodes on the link, for resolving their link local addresses, and for determining the reachability information of the other nodes. To achieve link local communication, IPv6 nodes employ the services of Neighbor Discovery Protocol (NDP). The protocol also suffices and forms the fundamental core in IPv6 mobile communication, enabling multihop communication. The NDP presumes that the network consists of trusted nodes; however, with the genesis of public unsecured wireless networks, any random node with minimum authentication can affix itself to the link and launch various attacks. As in the case of NDP Stateless Address Auto Configuration (SLAAC), there is no inclusion of central address configuration servers, thereby making the process vulnerable to denial-of-service (DoS) attacks on duplicate address detection (DAD). Also, in the case of the NDP address resolution process, man-in-the-middle attacks (MITM) can be launched, whereby the attackers impersonate the legitimate nodes address. Thus access to the link can be obstructed and network traffic can be redirected without the knowledge of users. To vanquish these problems, the Internet Engineering Task Force (IETF) proposed the use of cryptographically generated addresses (CGAs), which are an intrinsic element of the Secure Neighbor Discovery (SEND) protocol. The use of CGAs ensures message integrity, authentication, and address impersonation mitigation, but at the cost of higher computation and resource utilization. This article proposes some novel approaches for securing IPv6 link layer communication operations. These techniques are implemented programmatically for securing DoS on IPv6 DAD and MITM attacks and used as an alternate approach for CGAs and the SEND protocol.     

移动IPv6中IPSec的优化方案

移动IPv6是新一代互联网移动通信协议,一经定义便被3G标准技术框架所采纳和推广。但因其移动性、无线链路接入及协议自身的复杂性等特点,移动IPv6也带来了一系列新的安全问题。从其工作机制出发揭示了移动IPv6的安全漏洞,总结了其自身提供的安全措施。其中IPSec是作为一种安全机制被引入IPv6并强制实施。重点分析了IPSec和移动IPv6融合时存在的问题,有针对性地给出了在移动IPv6中应用IPSec的两种优化方案。     

IPv6的DoS／DDoS攻击及防御

IPv6无疑要比IPv4更加安全,但其本身就不是认证加密所能解决,而且就目前来看IPsec的大规模应用还有许多问题需要解决。本文详细分析了IPv6网络的DoS／DDoS攻击并针对IPV6可能面临的各种形式的拒绝服务攻击展开了讨论。     

IPSec技术分析及其应用

本文详细讨论了IPSec的架构以及它的三大组成部分：认证头标（AH），封装安全净荷（ESP)和密钥交换协议（IKE），以及不同模式下的 头标格式。IPSec协议为互操作性设计，它不会影响现有网络以及网络中那些并不支持IPSec的主机。IPSec独立于具体的加密算法，它不仅适用于 IPv4也适用于IPv6。实际上IPSec已经成为IPv6必备的组成部分。文中还对虚拟专网VPN及其应用作了讨论。     

Detecting stealth DHCP starvation attack using machine learning approach

Dynamic Host Configuration Protocol (DHCP) is used to automatically configure clients with IP address and other network configuration parameters. Due to absence of any in-built authentication, the protocol is vulnerable to a class of Denial-of-Service (DoS) attacks, popularly known as DHCP starvation attacks. However, known DHCP starvation attacks are either ineffective in wireless networks or not stealthy in some of the network topologies. In this paper, we first propose a stealth DHCP starvation attack which is effective in both wired and wireless networks and can not be detected by known detection mechanisms. We test the effectiveness of proposed attack in both IPv4 and IPv6 networks and show that it can successfully prevent other clients from obtaining IP address, thereby, causing DoS scenario. In order to detect the proposed attack, we also propose a Machine Learning (ML) based anomaly detection framework. In particular, we use some popular one-class classifiers for the detection purpose. We capture IPv4 and IPv6 traffic from a real network with thousands of devices and evaluate the detection capability of different machine learning algorithms. Our experiments show that the machine learning algorithms can detect the attack with high accuracy in both IPv4 and IPv6 networks.     

Feature Selection for Detecting ICMPv6-Based DDoS Attacks Using Binary Flower Pollination Algorithm

Internet Protocol version 6 (IPv6) is the latest version of IP that goal to host 3.4 × 10³⁸ unique IP addresses of devices in the network. IPv6 has introduced new features like Neighbour Discovery Protocol (NDP) and Address Auto-configuration Scheme. IPv6 needed several protocols like the Address Auto-configuration Scheme and Internet Control Message Protocol (ICMPv6). IPv6 is vulnerable to numerous attacks like Denial of Service (DoS) and Distributed Denial of Service (DDoS) which is one of the most dangerous attacks executed through ICMPv6 messages that impose security and financial implications. Therefore, an Intrusion Detection System (IDS) is a monitoring system of the security of a network that detects suspicious activities and deals with a massive amount of data comprised of repetitive and inappropriate features which affect the detection rate. A feature selection (FS) technique helps to reduce the computation time and complexity by selecting the optimum subset of features. This paper proposes a method for detecting DDoS flooding attacks (FA) based on ICMPv6 messages using a Binary Flower Pollination Algorithm (BFPA-FA). The proposed method (BFPA-FA) employs FS technology with a support vector machine (SVM) to identify the most relevant, influential features. Moreover, The ICMPv6-DDoS dataset was used to demonstrate the effectiveness of the proposed method through different attack scenarios. The results show that the proposed method BFPA-FA achieved the best accuracy rate (97.96%) for the ICMPv6 DDoS detection with a reduced number of features (9) to half the total (19) features. The proven proposed method BFPA-FA is effective in the ICMPv6 DDoS attacks via IDS.     

基于改进反向探测的IPv6邻居缓存保护方法

针对IPv6邻居缓存(NC)易被攻击的问题,提出一种改进的反向探测方法(RD+)。该方法首先引入时间戳和报文序列两个选项,分别用于限制报文响应时长以及响应报文匹配;之后,定义RD+队列存储时间戳和报文序号等信息,并设计基于时间戳的随机早期检测(RED-T)算法对RD+队列实施管理以防范拒绝服务(DoS)攻击。实验结果表明,RD+能够有效抵抗邻居缓存欺骗和DoS攻击,与启发式和显式相结合的方法(HE)以及安全邻居发现协议(SEND)相比,其资源消耗较少。