
Computer Engineering ›› 2010, Vol. 36 ›› Issue (12): 193-194. doi: 10.3969/j.issn.1000-3428.2010.12.066

• Security Technology •

DDoS Attack Defense Based on Deterministic Packet Marking

WANG Xiao-jing1,2, XIAO You-lin3

  1. (1. Lab of Computer Network Defense Technology, Beijing Institute of Technology, Beijing 100081; 2. Xi’an Politics Institute, Xi’an 710068; 3. Beijing Military Representative of the General Armaments Department, Beijing 100042)
  • Online: 2010-06-20 Published: 2010-06-20
  • About the authors: WANG Xiao-jing (born 1974), female, engineer and Ph.D. candidate; main research interest: network information and security. XIAO You-lin, engineer, M.S.
  • Funding: National "863" Program of China (2009AA01Z433)

Abstract:

To address the shortcomings of existing packet-marking-based DDoS defense mechanisms, namely weak security, low utilization of the marking space and poor scalability, a DDoS defense scheme based on deterministic packet marking is proposed. A new encoding mechanism embeds a 29-bit identifier associated with the ingress-point address in each IP packet and records the whole identifier in a single packet. The scheme therefore supports single-packet traceback with zero false positives, keeps the ISP's internal topology private, and scales to large-scale DDoS attacks, so that DDoS can be defended against effectively. Compared with similar schemes, it is more practical.

Key words: network security, Distributed Denial of Service (DDoS), IP traceback, deterministic packet marking
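The abstract states the essential property of deterministic packet marking: the ingress router writes a complete identifier into every packet, so the victim can resolve any single packet to its ingress point with an exact table lookup rather than a probabilistic reconstruction. The following Python simulation is an added illustration of that property and is not the paper's encoding. Its assumptions: the 29 bits are carried in the 16-bit Identification field plus the 13-bit Fragment Offset field (a field choice made here for illustration, which is only safe for unfragmented packets), and `INGRESS_TABLE` is a constructed mapping that the ISP would hold privately.

```python
import struct
import ipaddress
from typing import Optional

MARK_BITS = 29
MARK_MASK = (1 << MARK_BITS) - 1

# Constructed sample table: 29-bit ingress identifier -> ingress interface.
# The ISP keeps this mapping private, so an outsider who reads the mark learns
# nothing about internal topology (assumed deployment, not the paper's table).
INGRESS_TABLE = {
    0x00000001: "edge-router-1/ge-0/0/1",
    0x0A1B2C3D: "edge-router-7/xe-1/0/3",
    0x1FFFFFFF: "edge-router-9/ge-2/0/0",  # largest value that fits in 29 bits
}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(header: bytes) -> bytes:
    """Return the header with its checksum field recomputed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed, unmarked 20-byte IPv4 header: no options, DF set, unfragmented."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,          # version 4, IHL 5 words
        0,                     # TOS
        20 + payload_len,      # total length
        0,                     # identification (unused by an unfragmented packet)
        0x4000,                # flags: DF=1, MF=0; fragment offset 0
        64,                    # TTL
        6,                     # protocol: TCP
        0,                     # checksum placeholder
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return _with_checksum(hdr)


def mark_packet(header: bytes, ingress_id: int) -> bytes:
    """Ingress-router step: write the 29-bit ingress identifier into the
    16-bit Identification field plus the 13-bit Fragment Offset field.
    That field choice is this example's assumption; it is only safe for
    unfragmented packets, so fragments are refused rather than corrupted."""
    if not 0 <= ingress_id <= MARK_MASK:
        raise ValueError("ingress identifier must fit in 29 bits")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    if flags_frag & 0x3FFF:            # MF set or non-zero offset: a fragment
        raise ValueError("refusing to mark a fragmented packet")
    flags = flags_frag & 0xE000        # keep reserved/DF/MF bits as they were
    ident = (ingress_id >> 13) & 0xFFFF
    offset = ingress_id & 0x1FFF
    marked = header[:4] + struct.pack("!HH", ident, flags | offset) + header[8:]
    return _with_checksum(marked)


def extract_mark(header: bytes) -> int:
    """Victim-side step: read the full 29-bit identifier from one packet."""
    ident, flags_frag = struct.unpack("!HH", header[4:8])
    return (ident << 13) | (flags_frag & 0x1FFF)


def trace_ingress(header: bytes) -> Optional[str]:
    """Resolve a single packet to its ingress point. The lookup is exact:
    either one ingress interface matches or none does, so there is no
    probabilistic reconstruction and no false positive."""
    stored = struct.unpack("!H", header[10:12])[0]
    if ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) != stored:
        return None                    # damaged header: do not trust the mark
    return INGRESS_TABLE.get(extract_mark(header))


if __name__ == "__main__":
    pkt = build_ipv4_header("203.0.113.5", "198.51.100.9", payload_len=40)
    marked = mark_packet(pkt, 0x0A1B2C3D)
    print("mark:", hex(extract_mark(marked)), "ingress:", trace_ingress(marked))
```

The point the simulation makes is the one the abstract claims: because the identifier survives whole in each packet, `trace_ingress` needs exactly one packet and cannot name a wrong ingress point; it can only answer or decline. The checksum check and the refusal to mark fragments are the two practical caveats a deployment of any such scheme has to handle, since overwriting header fields that a fragment actually uses would break reassembly at the destination.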

CLC number: