Abstract
Existing packet-marking defenses against distributed denial-of-service (DDoS) attacks have shortcomings in security, marking utilization and scalability. To address them, a DDoS defense scheme based on deterministic packet marking is proposed. Using a new encoding mechanism, a 29-bit identification associated with the ingress-point address is embedded in each IP packet, and the whole identification is recorded in a single packet. The scheme therefore supports single-packet traceback with zero false positives, protects the internal topology of the ISP, and copes with large-scale DDoS attacks, thereby defending against DDoS effectively. Compared with similar methods, the scheme is more practical.
Aiming at the shortcomings of existing packet-marking-based DDoS defense mechanisms in security, low marking utilization and weak scalability, a deterministic packet marking scheme to defend against DDoS attacks is proposed, in which a 29-bit identification that represents the ingress point is embedded in each IP packet. A novel encoding mechanism stores the entire identification in a single packet. The approach has the advantages of tracing the origin from a single packet without false positives, keeping the topology private within the ISP, and scaling to large-scale DDoS attacks, so DDoS attacks can be defended against effectively. Compared with other similar schemes, it is more practical.
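The following Python model is an added illustration of the deterministic packet marking idea described in the abstract; it is not the paper's code and does not reproduce the paper's encoding, which is not given on this page. It assumes a hypothetical ISP-side registry that assigns an opaque 29-bit id to each ingress interface, an ingress router that overwrites the mark field of every packet it forwards, and a victim that resolves a single packet's mark back to its ingress point and drops traffic from ingress points whose packet count exceeds a threshold. All addresses and packet counts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MARK_BITS = 29
MARK_MASK = (1 << MARK_BITS) - 1   # 2**29 ingress points can be told apart


@dataclass
class Packet:
    src: str                     # claimed source address; an attacker may spoof it
    dst: str
    mark: Optional[int] = None   # the 29-bit ingress identification carried in the packet


class IspRegistry:
    """Hypothetical ISP-side table mapping opaque 29-bit ids to ingress interfaces.
    Only the id leaves the ISP, so a victim learns nothing about internal topology."""

    def __init__(self) -> None:
        self._by_id: Dict[int, str] = {}
        self._by_addr: Dict[str, int] = {}

    def register(self, ingress_addr: str) -> int:
        if ingress_addr in self._by_addr:
            return self._by_addr[ingress_addr]
        next_id = len(self._by_id) + 1          # ids are assigned, not derived from the address
        if next_id > MARK_MASK:
            raise OverflowError("29-bit identification space exhausted")
        self._by_id[next_id] = ingress_addr
        self._by_addr[ingress_addr] = next_id
        return next_id

    def resolve(self, mark: int) -> Optional[str]:
        return self._by_id.get(mark)


class IngressRouter:
    """Edge router: deterministically writes its complete id into every forwarded packet."""

    def __init__(self, addr: str, registry: IspRegistry) -> None:
        self.addr = addr
        self.mark = registry.register(addr)

    def forward(self, pkt: Packet) -> Packet:
        # Overwrite whatever the sender put in the field, so a forged mark never survives.
        return Packet(pkt.src, pkt.dst, mark=self.mark & MARK_MASK)


class Victim:
    """Receiver: traces each packet from its own mark and counts packets per ingress."""

    def __init__(self, registry: IspRegistry) -> None:
        self.registry = registry
        self.per_ingress: Dict[int, int] = {}

    def receive(self, pkt: Packet) -> Optional[str]:
        if pkt.mark is None:
            return None
        self.per_ingress[pkt.mark] = self.per_ingress.get(pkt.mark, 0) + 1
        # One packet is enough: no fragments to reassemble, so no false positives.
        return self.registry.resolve(pkt.mark)

    def flagged(self, threshold: int) -> List[int]:
        return sorted(m for m, n in self.per_ingress.items() if n > threshold)

    def filter(self, pkts: List[Packet], threshold: int) -> List[Packet]:
        bad = set(self.flagged(threshold))
        return [p for p in pkts if p.mark not in bad]


def simulate() -> dict:
    """Constructed scenario: 5 legitimate packets via ingress A, 40 flood packets via ingress B."""
    reg = IspRegistry()
    r_a = IngressRouter("10.0.0.1", reg)   # constructed ISP edge addresses
    r_b = IngressRouter("10.0.1.1", reg)
    victim = Victim(reg)
    delivered: List[Packet] = []
    for i in range(5):
        delivered.append(r_a.forward(Packet(f"192.0.2.{i}", "203.0.113.9")))
    # The flood spoofs its source and pre-sets the mark field to impersonate ingress A.
    for i in range(40):
        delivered.append(r_b.forward(Packet(f"198.51.100.{i}", "203.0.113.9", mark=r_a.mark)))
    origins = [victim.receive(p) for p in delivered]
    flagged = victim.flagged(threshold=10)
    return {
        "first_flood_origin": origins[5],                      # traced from that single packet
        "flagged_ingress": [reg.resolve(m) for m in flagged],
        "kept": len(victim.filter(delivered, threshold=10)),
        "distinct_ids": MARK_MASK + 1,
    }


if __name__ == "__main__":
    print(simulate())
```

The victim never sees an ISP address inside a packet, only the opaque id, and the ISP resolves it on request; the forged mark the flood carries is replaced at the ingress router, which is why a single packet identifies the true entry point.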
Source
《计算机工程》 (Computer Engineering)
Indexed in: CAS, CSCD, Peking University Core Journals
2010, Issue 12, pp. 193-194, 197 (3 pages)
Funding
Project supported by the National High-Tech R&D Program of China ("863" Program) (2009AA01Z433)
Keywords
network security
Distributed Denial of Service (DDoS)
IP traceback
deterministic packet marking