
DDoS Attacks Defense Based on Deterministic Packet Marking
Abstract: Existing packet-marking-based defenses against Distributed Denial of Service (DDoS) attacks have shortcomings in security, marking utilization, and scalability. To address them, a DDoS defense scheme based on deterministic packet marking is proposed. Using a new encoding mechanism, a 29-bit identifier related to the ingress point address is embedded in each IP packet, and the entire identifier is carried in a single packet. The scheme can therefore trace the origin from a single packet with zero false positives, keeps the network topology inside the ISP private, and scales to large-scale DDoS attacks, which makes it an effective DDoS defense. Compared with similar schemes, it is more practical.
Source: Computer Engineering (《计算机工程》), indexed in CAS, CSCD and the Peking University Core list; 2010, Issue 12, pp. 193-194, 197 (3 pages)
Funding: National "863" Program of China (2009AA01Z433)
Keywords: network security; Distributed Denial of Service (DDoS); IP traceback; deterministic packet marking
