| 防御TCP拒绝服务攻击的改进方法 |
| |
| 引用本文: | 郑卫斌,张德运,高磊,吴瞻. 防御TCP拒绝服务攻击的改进方法[J]. 计算机工程与应用, 2003, 39(20): 22-24,31 |
| |
| 作者姓名: | 郑卫斌 张德运 高磊 吴瞻 |
| |
| 作者单位: | 西安交通大学计算机网络技术与工程研究所,西安,710049 |
| |
| 基金项目: | 国家863高技术研究发展计划“网络安全管理与测评技术”基金资助(编号:863-301-05-03),国家“九五”科技攻关基金资助(编号:96-743-01-04-01) |
| |
| 摘 要: | 提出了对SYNProxy机制的改进方法,将哈希表和SYNcookie结合起来处理半连接表:在低强度攻击下采用哈希表,在高强度攻击下采用SYNCookie。在此基础上,采用位图优化哈希表算法。改进方法可以防御更大强度的攻击。改进方法已经应用在防火墙中,测试表明该方法可以防御高强度的TCP拒绝服务攻击。
|
| 关 键 词: | TCP 拒绝服务攻击 SYNFlooding 哈希算法 防火墙 |
| 文章编号: | 1002-8331-(2003)20-0022-03 |
Improved Approach to Resisting TCP DoS Attacks |
| |
| Zheng Weibin Zhang Deyun Gao Lei Wu Zhan. Improved Approach to Resisting TCP DoS Attacks[J]. Computer Engineering and Applications, 2003, 39(20): 22-24,31 |
| |
| Authors: | Zheng Weibin Zhang Deyun Gao Lei Wu Zhan |
| |
| Abstract: | The TCP SYN flooding is the most commonly used DoS attack.Many solutions exist to protect against SYN flooding,while SYN proxy is a firewall's approach.This paper introduces an improved approach on SYN proxy,explains its design,and evaluates its performance.In this approach,an improved hash table is used to save the half-connection states,which holds a bitmap in its bucket,and better performance is achieved.The hash table limits its bucket length.When a bucket exceeds its limit,it drops half-connection states,and migrates to SYN cookie.This keeps the balance a-mong performance,service quality,resources,and other factors.The proposal is implemented in a firewall,and tests demonstrate good performance achieved. |
| |
| Keywords: | TCP DoS SYN Flooding Hash Firewall |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
|
