Abstract (translated from the Chinese):
Addressing the shortcomings of existing packet-marking-based distributed denial-of-service (DDoS) defense mechanisms in security, low utilization of the marking field and poor scalability, this paper proposes a DDoS defense scheme based on deterministic packet marking. Using a new encoding mechanism, a 29-bit identifier associated with the ingress point address is embedded in each IP packet, and the identifier is recorded completely in a single packet. The scheme therefore offers single-packet traceback with zero false positives, protects the ISP's internal network topology information, and copes with large-scale DDoS attacks, so that DDoS can be defended against effectively. Compared with similar methods, the scheme is highly practical.
Key words (translated from the Chinese):
network security,
distributed denial of service,
IP traceback,
deterministic packet marking
Abstract:
Aiming at the shortcomings of existing packet-marking-based DDoS defense mechanisms, namely weak security, low utilization of the marking field and poor scalability, a deterministic packet marking scheme to defend against DDoS attacks is proposed, in which a 29-bit identification representing the ingress point is embedded in each IP packet. A novel encoding mechanism is used so that the entire identification is stored in a single packet. The approach has the advantages of tracing the origin from a single packet without false positives, keeping the topology private within an ISP, and scaling to large-scale DDoS attacks, so the goal of defense can be effectively achieved. Compared with other similar schemes, it is more practical.
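The abstract describes the mechanism only at a high level, so the following is an added example, not code from the paper: an ingress edge router writes a 29-bit ingress identifier into every IPv4 packet it admits, and the victim recovers the ingress point from any single packet, independent of the (spoofable) source address. The paper does not state its encoding; carrying the 29 bits in the 16-bit Identification field plus the 13-bit Fragment Offset field, the ingress lookup table, and all addresses below are assumptions made for this illustration.

```python
import struct

# Assumed encoding (not the paper's): 16-bit Identification + 13-bit Fragment Offset = 29 bits.
ID_BITS = 16
FRAG_BITS = 13
MARK_BITS = ID_BITS + FRAG_BITS  # 29, the identification width given in the abstract

# Constructed table: each 29-bit mark names exactly one ingress interface, so a
# recovered mark identifies the ingress point with no false positives.
INGRESS_TABLE = {
    0x1ABCDEF5: "edge-A:ge-0/0/1",   # hypothetical ingress interface
    0x0001F00D: "edge-B:xe-1/2/0",   # hypothetical ingress interface
}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 when a valid checksum is present."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(header: bytes) -> bytes:
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, total_len: int = 20, ident: int = 0,
                      flags: int = 0, frag_off: int = 0, ttl: int = 64, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (no options)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident,
                      (flags << 13) | frag_off, ttl, proto, 0, src_b, dst_b)
    return _with_checksum(hdr)


def embed_mark(header: bytes, mark: int) -> bytes:
    """Ingress-router side: overwrite Identification and Fragment Offset with the 29-bit mark.

    The three flag bits (reserved, DF, MF) are left untouched; the checksum is recomputed.
    """
    if not 0 <= mark < (1 << MARK_BITS):
        raise ValueError("mark must fit in %d bits" % MARK_BITS)
    ident = mark >> FRAG_BITS                      # high 16 bits
    frag_off = mark & ((1 << FRAG_BITS) - 1)       # low 13 bits
    flags = header[6] >> 5                         # preserve original flag bits
    marked = header[:4] + struct.pack("!HH", ident, (flags << 13) | frag_off) + header[8:]
    return _with_checksum(marked)


def extract_mark(header: bytes) -> int:
    """Victim side: read the 29-bit mark back out of a single packet."""
    if ipv4_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    ident, flags_frag = struct.unpack("!HH", header[4:8])
    return (ident << FRAG_BITS) | (flags_frag & ((1 << FRAG_BITS) - 1))


def trace_ingress(header: bytes, table=INGRESS_TABLE):
    """Map one packet to its ingress interface, or None if the mark is unknown."""
    return table.get(extract_mark(header))


if __name__ == "__main__":
    # Constructed scenario: attacker behind edge-A spoofs source 10.0.0.1 toward the victim.
    spoofed = build_ipv4_header("10.0.0.1", "192.0.2.10", flags=0b010)  # DF set
    on_wire = embed_mark(spoofed, 0x1ABCDEF5)  # edge-A marks the packet deterministically
    print("source address claims:", ".".join(str(b) for b in on_wire[12:16]))
    print("ingress point from mark:", trace_ingress(on_wire))
```

Because every admitted packet carries the full mark, the victim can attribute and filter by ingress point from one packet rather than collecting many probabilistically marked fragments. The trade-off of this assumed encoding is that it clobbers the fragmentation fields, so a real deployment would have to restrict marking to unfragmented traffic or reconcile fragments at the egress.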
Key words:
network security,
Distributed Denial of Service (DDoS),
IP traceback,
deterministic packet marking
WANG Xiao-Jing, XIAO You-Lin. DDoS Attacks Defense Based on Deterministic Packet Marking [J]. 计算机工程 (Computer Engineering), 2010, 36(12): 193-194.
WANG Xiao-Jing, XIAO You-Lin. DDoS Attacks Defense Based on Deterministic Packet Marking[J]. Computer Engineering, 2010, 36(12): 193-194.