作者投稿和查稿 主编审稿 专家审稿 编委审稿 远程编辑

计算机工程 ›› 2008, Vol. 34 ›› Issue (19): 141-143. doi: 10.3969/j.issn.1000-3428.2008.19.048

• 安全技术 • 上一篇    下一篇

基于数据包标记的伪造IP DDoS攻击防御

冯庆云,曲海鹏,周 英,郭忠文   

  1. (中国海洋大学计算机系,青岛 266100)
  • 收稿日期:1900-01-01 修回日期:1900-01-01 出版日期:2008-10-05 发布日期:2008-10-05

Packet Marking Scheme to Defend Against Spoofed IP DDoS Attack

FENG Qing-yun, QU Hai-peng, ZHOU Ying, GUO Zhong-wen   

  1. (Department of Computer, Ocean University of China, Qingdao 266100)
  • Received:1900-01-01 Revised:1900-01-01 Online:2008-10-05 Published:2008-10-05

摘要: 提出一种基于数据包标记的伪造IP DDoS攻击防御方案,该方案在IP数据包中嵌入一个路径相关的16位标识,通过检测标识计数器临界值判断是否发生了DDoS攻击,对伪造地址的IP数据包进行过滤,达到对DDoS攻击进行有效防御的目的。仿真实验表明,该方案对于伪造的IP数据包具有较高的识别率。

关键词: 分布式拒绝服务攻击, 数据包标记, 伪造IP

Abstract: A new packet marking scheme is proposed, in which a path identification that represents the route an IP packet has traversed is embedded in each IP packet. And a counter is set for each identification. It represents the number of different IP addresses that have the same identification. The onset of a spoofed DDoS attack can be detected by comparing the sum of the counters with a marginal value that has been set. Spoofed packet can be filtered so as to sustain the quality of protected Internet services. Experimental results show that the proposed scheme is efficient on identifying the spoofed DDoS attack packets.

Key words: Distributed Denial of Service(DDoS) attack, packet marking, spoofed IP

中图分类号: