
Stateless Filtering Mechanism Based on Enhanced Capabilities (original title: 基于增强权证的无状态过滤机制) Cited by: 2

Stateless Filtering Based on Enhanced Capabilities
Abstract (translated from the Chinese): This paper surveys defences against denial-of-service attacks, focusing on the newly emerged capabilities technique: its basic idea, stateless filtering, and the Traffic Validation Architecture. It examines whether capabilities can give rise to new attacks and how they affect network transmission performance, and proposes countermeasures for several technical shortcomings of existing schemes: protecting capability requests with notifications, multi-level capabilities, and dynamic capability assignment. Theoretical estimates and simulation experiments show that these methods strike a better balance between security and efficiency, perform markedly better than the original schemes, and improve the practicality of the capabilities technique.

Abstract (English, as published): Major defensive mechanisms against DoS attacks in the Internet are reviewed. In particular, the most recent capabilities techniques, including the basic concepts, stateless flow filtering and the Traffic Validation Architecture (TVA), are analyzed in depth. The shortcomings of current capabilities techniques, such as potential Denial-of-Capability (DoC) attacks and reduced transmission efficiency, are discussed in detail, and improvements are proposed: protecting capability requests with notifications, bi-level capabilities, and flexible, dynamic capability assignment. These methods enhance the robustness and efficiency of capabilities. Theoretical evaluation and simulation show that the improvements outperform the original schemes and are more practical in the Internet.
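The abstract describes the capabilities model the paper builds on: a router stamps a capability into a request, later packets present it, the router verifies it from its own secret and the packet fields alone (no per-flow table), and capability requests travel on a separate, limited channel that a Denial-of-Capability flood can saturate. The following is an added example, not code from the paper, and it does not model the paper's own improvements (notifications, bi-level capabilities, dynamic assignment); it illustrates the SIFF/TVA-style stateless check that those improvements extend. The 8-byte truncated MAC, the per-interval request budget of 3, the field layout and the addresses are assumptions made for this illustration.

```python
"""Stateless capability verification at a single router (constructed example,
not the paper's scheme). A capability is a keyed MAC over (src, dst, expiry)
computed with the router's secret, so forged, retargeted, expired and
post-rotation capabilities all fail without the router keeping flow state."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List

CAP_BYTES = 8        # truncated MAC carried per router in the header (assumed)
REQUEST_BUDGET = 3   # capability requests accepted per interval (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    privileged: bool          # True: carries a capability; False: a request
    expiry: int = 0           # absolute time after which the capability lapses
    capability: bytes = b""   # truncated MAC stamped by the router


class StatelessRouter:
    """Checks capabilities from its key and the packet; no per-flow table."""

    def __init__(self, key: bytes, now: int = 0) -> None:
        self.key = key
        self.now = now
        self.requests_seen = 0   # one aggregate counter per interval, not per flow

    def _mac(self, src: str, dst: str, expiry: int) -> bytes:
        msg = b"|".join([src.encode(), dst.encode(), struct.pack("!Q", expiry)])
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:CAP_BYTES]

    def issue(self, src: str, dst: str, lifetime: int) -> Packet:
        """Stamp a request: the capability binds src, dst and an expiry time."""
        expiry = self.now + lifetime
        return Packet(src, dst, True, expiry, self._mac(src, dst, expiry))

    def rotate_key(self, new_key: bytes) -> None:
        """After rotation every outstanding capability stops verifying."""
        self.key = new_key

    def new_interval(self, now: int) -> None:
        self.now = now
        self.requests_seen = 0

    def classify(self, pkt: Packet) -> str:
        """Return 'privileged', 'request' or 'drop' for one packet."""
        if not pkt.privileged:
            # Request channel: a fixed budget, so a flood of requests crowds
            # out legitimate ones (the Denial-of-Capability problem).
            self.requests_seen += 1
            return "request" if self.requests_seen <= REQUEST_BUDGET else "drop"
        if pkt.expiry <= self.now:
            return "drop"
        expected = self._mac(pkt.src, pkt.dst, pkt.expiry)
        if hmac.compare_digest(pkt.capability, expected):
            return "privileged"
        return "drop"


def run(router: StatelessRouter, packets: List[Packet]) -> Dict[str, int]:
    """Classify a batch and count the outcome of each packet."""
    counts = {"privileged": 0, "request": 0, "drop": 0}
    for pkt in packets:
        counts[router.classify(pkt)] += 1
    return counts


if __name__ == "__main__":
    r = StatelessRouter(key=b"router-secret-1", now=100)
    good = r.issue("10.0.0.1", "10.0.0.2", lifetime=30)
    forged = Packet("10.0.0.9", "10.0.0.2", True, good.expiry, b"\x00" * CAP_BYTES)
    flood = [Packet("10.0.0.%d" % i, "10.0.0.2", False) for i in range(10)]
    print(run(r, [good, forged] + flood))
```

The verification step touches no flow table: everything the router needs is its key, the clock and the packet. That is what makes the scheme stateless, and it is also why the request channel, not the privileged channel, is where an attacker can still do damage.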
Source: Journal of Electronics & Information Technology (电子与信息学报; indexed in EI, CSCD and the PKU Core list), 2008, No. 10, pp. 2490-2493 (4 pages)
Funding: Zhejiang Provincial Natural Science Foundation (Y106023); Ningbo Natural Science Foundation (2006A610014)
Keywords: Network security; DoS attacks; Stateless filtering; Capabilities
Related literature

References (10)

  • 1 Douligeris C and Mitrokotsa A. DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks, 2004, 44(3): 643-666.
  • 2 Bellovin S, Clark D, Perrig A, and Song D. A clean-slate design for the next-generation secure Internet. National Science Foundation Workshop on Next-Generation Secure Internet, Pittsburgh, PA, 2005.
  • 3 Yang X, Wetherall D, and Anderson T. A DoS-limiting network architecture. Proc. ACM SIGCOMM, Philadelphia, PA, 2005: 241-252.
  • 4 Tian Junfeng, Zhang Zhe, and Zhao Weidong. Design and research of an intrusion detection system combining misuse and anomaly detection. Journal of Electronics & Information Technology, 2006, 28(11): 2162-2166. (cited by 23)
  • 5 Ferguson P and Senie D. Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. RFC 2827, 2000.
  • 6 Gao Z and Ansari N. Tracing cyber attacks from the practical perspective. IEEE Communications Magazine, 2005, 43(5): 123-131.
  • 7 Liang Feng and Yau D. Defending against distributed denial-of-service attacks with adaptive router throttling (in English). Journal of Software, 2002, 13(7): 1220-1227. (cited by 10)
  • 8 Anderson T, Roscoe T, and Wetherall D. Preventing Internet denial-of-service with capabilities. Proc. ACM HotNets, Cambridge, MA, 2003.
  • 9 Yaar A, Perrig A, and Song D. SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 2004: 130-143.
  • 10 Argyraki K and Cheriton D. Network capabilities: the good, the bad and the ugly. Proc. ACM HotNets, College Park, MD, 2005.

Secondary references (19 in total; 10 shown)

  • 1 CERT Advisory CA-1996-21: TCP SYN flooding and IP spoofing attacks. http://www.cert.org/advisories/CA-1996-21.html.
  • 2 CERT Advisory CA-1998-01: Smurf IP denial-of-service attacks. http://www.cert.org/advisories/CA-1998-01.html.
  • 3 Banga G, Druschel P, and Mogul J. Resource containers: a new facility for resource management in server systems. Proc. USENIX/ACM Symposium on Operating System Design and Implementation (OSDI'99), New Orleans, LA, 1999: 45-58.
  • 4 Spatscheck O and Peterson L. Defending against denial of service attacks in Scout. Proc. USENIX/ACM Symposium on Operating System Design and Implementation (OSDI'99), New Orleans, LA, 1999: 59-72.
  • 5 Meadows C. A formal framework and evaluation method for network denial of service. Proc. IEEE Computer Security Foundations Workshop, Mordano, Italy, 1999: 4-13.
  • 6 Savage S, Wetherall D, Karlin A, et al. Practical network support for IP traceback. Proc. ACM SIGCOMM 2000, Stockholm, Sweden, 2000: 295-300.
  • 7 Song D and Perrig A. Advanced and authenticated marking schemes for IP traceback. Proc. IEEE INFOCOM 2001, Anchorage, AK, 2001.
  • 8 Park K and Lee H. On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. Proc. IEEE INFOCOM 2001, Anchorage, AK, 2001.
  • 9 Ferguson P and Senie D. Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. RFC 2827, 2000. http://www.ietf.org/rfc/rfc2827.txt.
  • 10 Mahajan R, Bellovin S, Floyd S, et al. Controlling high bandwidth aggregates in the network. Technical Report, ACIRI and AT&T Labs Research, 2001. http://www.icir.org/pushback/pushback-Jul01.pdf.

Co-citing literature (31)

Co-cited literature (18 in total; 10 shown)

  • 1 Lin Chuang and Peng Xuehai. Research on trustworthy networks. Chinese Journal of Computers, 2005, 28(5): 751-758. (cited by 253)
  • 2 Sun Hongjie, Fang Binxing, and Zhang Hongli. A DDoS attack detection method based on link characteristics. Journal on Communications, 2007, 28(2): 88-93. (cited by 11)
  • 3 Lin Chuang and Lei Lei. Research on next-generation Internet architecture. Chinese Journal of Computers, 2007, 30(5): 693-711. (cited by 64)
  • 4 Garber L. Denial-of-service attacks rip the Internet. IEEE Computer, 2000, 33(4): 12-17.
  • 5 Anderson T, Roscoe T, and Wetherall D. Preventing Internet denial-of-service with capabilities. Proc. ACM HotNets II, Cambridge, MA, 2003.
  • 6 Argyraki K and Cheriton D. Network capabilities: the good, the bad and the ugly. Proc. ACM HotNets IV, College Park, MD, 2005.
  • 7 Yaar A, Perrig A, and Song D. Pi: a path identification mechanism to defend against DDoS attacks. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 2003.
  • 8 Bellovin S, Clark D, Perrig A, et al. A clean-slate design for the next-generation secure Internet. National Science Foundation Workshop on Next-Generation Secure Internet, CMU, 2005.
  • 9 Yaar A, Perrig A, and Song D. SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 2004.
  • 10 Yang X, Wetherall D, and Anderson T. A DoS-limiting network architecture. Proc. ACM SIGCOMM 2005, Philadelphia, PA, 2005: 241-252.

Citing literature (2)

Secondary citing literature (15)
