面向DDoS的容侵参数研究被引量：2

Research on intrusion tolerance parameters facing DDoS attacks

下载PDF

导出

摘要通过对分布式拒绝服务(DDoS)攻击原理的深入研究,攻击参数的形式化分析和推导,以及仿真实验,揭示了 DDoS 攻击与带宽、CPU 处理能力、内存、攻击速度、TCP 连接缓冲池等参数之间的关系,指出了承载 N 倍于处理速度的 DDoS 攻击所需的系统指标,提出了针对 DDoS 的容侵参数、CPU 处理能力、内存和 TCP 连接缓冲池,为 DDoS 攻击的防御打下了坚实的基础。 Based on analysis of the DDoS（distributed denial of service） attack mechanisms, formal deduction of attacking parameters and simulation study of DDoS attack, the paper gives the functional relationship between DDoS attacking effect and impacting parameters, such as network bandwidth, CPU processing ability, memory size, attacking speed, TCP connection buffer size. The systematic requirements to stand DDoS attack which is N times of the CPU processing ability are pointed out. Also, the intrusion-tolerance parameters against DDoS attack are proposed, including CPU processing ability, memory size and TCP connection buffer size. The proposal of these requirements and parameters can greatly improve the ability to defend computer systems against DDoS attack.

作者张兆心方滨兴杜跃进李斌胡萍

机构地区哈尔滨工业大学国家计算机网络与信息安全重点实验室

出处《高技术通讯》 EI CAS CSCD 北大核心 2008年第11期1123-1129,共7页 Chinese High Technology Letters

基金 863计划((2006AA01Z451 2007AA010503)

关键词形式化 DDOS攻击容侵参数连接缓冲池 formalization, DDoS attack, intrusion tolerance parameter, connection buffer

分类号 TP393.08 [自动化与计算机技术—计算机应用技术] TP311.131 [自动化与计算机技术—计算机软件与理论]

引文网络
相关文献

参考文献21

1CERT Coordination Center Software Engineering Institute of Carnegie Mellon University. Denial of Service Attacks. http://www. cert. org/tech-tips/denial-of-service. html,CERT Coordination Center, 1997
2Mirkovic J, Prier G. Attacking DDoS at the source. In: Proceedings of the 10th IEEE International Conference on Network Protocols, Paris, France, 2002. 312-321
3Lakshminarayanan K, Adldns D, Perrig A, et al. Taming IP packet flooding attacks. Computer Communication Review, 21304, 34 ( 1 ) : 45-50
4Anderson T, Roscoe T, Wetherall D. Preventing Intemet denial of service with capabilities. ACM SIGCOMM Computer Communication Review, 2004, 34(1):39-44
5Ferguson P, Senie D. Network ingress filtering: defeating denial of service attacks that employ IP source address spoofing. Internet RFC 2827, 2000
6Handley M, Greenhalgh A. Steps towards a DoS-resistant internet architecture, In: Proceedings of the ACM SIGCOMM workshop on future directions in network architecture, Portland, Oregon, USA, 2004. 49-56
7Wang H, Zhang D, Shin K G. Detecting SYN flooding attacks. In: Proceedings of the Annual Joint Conference of the IEEE Computer Society and Communications Society (INFOCOM), New York, USA, 2002,3. 1530-1539
8Jin C, Wang H N, Shin K G. Hop-count filtering: an effective defense against spoofed DDoS traffic. In: Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS), Washington, DC, USA, 2003. 30-41
9Ferguson P, Senie D. Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. http://www. ieff. org/rfc/rfe2827.txt
10Yang X W , Wetherall D, Anderson T. A DoS limiting net- work architecture. In: Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, New York, USA, 2005. 241-252

二级参考文献19

1CERT.CERT Statistics.http://www.cert.org/stats/#incidents
2Park K,Lee H.A proactive approach to distributed DoS attack prevention using route-based packet filtering.Technical Report,CSD00-017,Department of Computer Sciences,Purdue University,2000.http://www.cs.purdue.edu/nsl/dpf-tech.ps.gz
3Savage S,Wetherall D,Karlin A,Anderson T.Practical network support for IP traceback.In:Proc.of the 2000 ACM SIGCOMM Conf.Stockholm,2000.295-306.http://www.acm.org/sigs/sigcomm/sigcomm2000/conf/paper/sigcomm2000-8-4.ps.gz
4McGuire D,Krebs B.Attack on Internet called largest ever.2002.http://www.washingtonpost.com/ac2/wp-dyn/A828- 2002Oct22?
5Lemos R.Attack targets info domain system.ZDNet News,2002.http://zdnet.com.com/2100-1105-971178.html
6CERT.Overview of attack trends,2002.http://www.cert.org/archive/pdf/attack_trends.pdf
7Ferguson P,Senie D.rfc2827,Network ingress filtering:defeating denial of service attacks which employ IP source address spoofing.IETF,May 2000.http://www.ietf.org/rfc/rfc2827.txt
8Song DX,Perrig A.Advanced and authenticated marking schemes for IP traceback.In:Proc.of the IEEE INFOCOM 2001.http://www.ieee-infocom.org/2001/program.html
9Park K,Lee H.On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack.In:Proc.of the IEEE INFOCOM 2001.2001.338-347.http://www.ieee-infocom.org/2001/program.html
10Snoeren AC,Partridge C,Sanchez LA,Jones CE,Tchakountio F,Kent ST,Strayer T.Hash-Based IP traceback.In:Proc.of the ACM SIGCOMM 2001 Conf.2001.San Diego,2001.3-14.http://www.acm.org/sigs/sigcomm/sigcomm2001/p1.html

共引文献28

1李冬静,李学宝.基于包头压缩的概率性包标记[J].计算机与现代化,2005(9):89-93.
2顾晓清,刘渊.基于自适应包标记的IP回溯[J].计算机应用,2005,25(9):2092-2093. 被引量：4
3曲海鹏,李德全,苏璞睿,冯登国.一种分块包标记的IP追踪方案[J].计算机研究与发展,2005,42(12):2084-2092. 被引量：9
4陈星星,徐红云.基于重叠概率包标记的IP追踪策略[J].计算机工程与应用,2006,42(16):153-155.
5陈伟,何炎祥,彭文灵.一种轻量级的拒绝服务攻击检测方法[J].计算机学报,2006,29(8):1392-1400. 被引量：26
6闫巧,夏树涛,吴建平.改进的压缩边分段采样算法[J].西安电子科技大学学报,2006,33(5):824-828. 被引量：6
7DU Ruizhong YANG Xiaohui MA Xiaoxue HE Xinfeng.DDoS Defense Algorithm Based on Multi-Segment Timeout Technology[J].Wuhan University Journal of Natural Sciences,2006,11(6):1823-1826. 被引量：1
8杨长春,倪彤光,薛恒新.一种新的DDoS攻击源追踪包标记方法[J].计算机工程与应用,2007,43(19):135-137. 被引量：1
9李德全,苏璞睿,魏东梅,冯登国.基于路由器编码的自适应包标记(英文)[J].软件学报,2007,18(10):2652-2661. 被引量：6
10张立莉,曹天杰,汤丽娟.一种改进的概率包标记方案[J].计算机工程,2008,34(7):148-150. 被引量：6

同被引文献27

1何慧,张宏莉,张伟哲,方滨兴,胡铭曾,陈雷.一种基于相似度的DDoS攻击检测方法[J].通信学报,2004,25(7):176-184. 被引量：36
2李德全,徐一丁,苏璞睿,冯登国.IP追踪中的自适应包标记[J].电子学报,2004,32(8):1334-1337. 被引量：33
3房至一,张美文,魏华,王巍.防御和控制DOS/DDOS攻击新方法的研究[J].北京航空航天大学学报,2004,30(11):1033-1037. 被引量：10
4李金明,王汝传.DDoS攻击源追踪的一种新包标记方案研究[J].通信学报,2005,26(11):18-23. 被引量：13
5任勋益,王汝传,王海艳.基于自相似检测DDoS攻击的小波分析方法[J].通信学报,2006,27(5):6-11. 被引量：56
6陈伟,何炎祥,彭文灵.一种轻量级的拒绝服务攻击检测方法[J].计算机学报,2006,29(8):1392-1400. 被引量：26
7李金明,王汝传.基于VTP方法的DDoS攻击实时检测技术研究[J].电子学报,2007,35(4):791-796. 被引量：18
8Chang C W, Lee S, Lin B, et al. The taming of the shrew: mitigating low-rate TCP-targeted tttack. In: Proceedings of the 29th IEEE International Conference on Distributed Computing Systems, Montreal, Canada, 2009. 37-145.
9Chen Y, Hwang K. Spectral analysis of TCP flows for defense against reduction-of-quality attacks. In: Proceedings of the IEEE International Conference on Communications 2007, Glasgow, Scotland, 2007.24-28.
10Chen H, Chen Y. A novel embedded accelerator for online detection of shrew DDoS attacks. In: Proceedings of the 2008 International Conference on Networking, Architecture, and Storage, Chongqing, China,2008. 365-372.

引证文献2

1严有日.基于DDOS攻击机理的分析与防范[J].赤峰学院学报（自然科学版）,2009,25(12):47-49. 被引量：1
2白媛,白中英.低速率DoS攻击的短时分析算法的研究[J].高技术通讯,2011,21(9):928-933.

二级引证文献1

1达青.浅析IP溯源技术的发展应用[J].科技创新与应用,2014,4(19):68-68. 被引量：1

1温进芳,王书海.设计模式在J2EE连接缓冲池技术中的应用研究[J].山西建筑,2004,30(22):227-228.
2方永,李建民.基于JNDI的JDBC实例化对象在数据库连接缓冲池中的研究与实现[J].计算机与现代化,2005(12):42-44.
3包路跃,侯迪,齐勇,赵季中.基于J2EE规范的应用服务器JDBC支持策略[J].计算机工程与应用,2003,39(31):195-197. 被引量：1
4路萍,柯冬香.基于三种不同体系结构的移动商务系统平台的研究[J].计算机与数字工程,2006,34(9):73-77.
5姜久雷.基于Java的数据库连接[J].西北民族学院学报（自然科学版）,2001,22(4):37-40.
6刘永红,李惠君.基于WebSphere构建港口生产管理系统[J].微计算机信息,2007,23(04X):17-19. 被引量：2
7游戏类拷问小编：提高《神圣纪事》人物攻击速度[J].家庭电脑世界,2004(06X):77-77.
8Check Point Threat Cloud全新安全服务大幅提高应对攻击速度[J].中国金融电脑,2012(12):81-81.
9汪已明.快速排查ARP攻击[J].网管员世界,2007(12):70-70.
10姜昌华,朱敏.运用组件技术开发WEB应用程序[J].微型电脑应用,2002,18(8):36-39. 被引量：5

高技术通讯

2008年第11期

浏览历史

内容加载中请稍等...

面向DDoS的容侵参数研究被引量：2

参考文献21

二级参考文献19

共引文献28

同被引文献27

引证文献2

二级引证文献1

相关作者

相关机构

相关主题

浏览历史

面向DDoS的容侵参数研究 被引量：2

参考文献21

二级参考文献19

共引文献28

同被引文献27

引证文献2

二级引证文献1

相关作者

相关机构

相关主题

浏览历史

面向DDoS的容侵参数研究被引量：2