DDOS防御的新方法

A NEW DDOS DEFENSE METHOD

目前,基于包标记的IP追踪和攻击包识别技术是有效防御分布式拒绝服务攻击的主要手段之一。提出一种基于确定包标记的防御新方法通过在子网中增加跟踪服务器,改变EPS编码方式,并通过边界路由器来追踪和识别攻击数据包。实验表明,方法具有追踪攻击源数量大,没有误报率,可以实现攻击包识别、单包追踪和有效保护网络拓扑的隐秘性等优点。

Currently, IP tracking based on packet marking and attacking package recognition technology is one of the main means for effective protection against DDOS attacks. A new defense method based on determined package marking is proposed in the paper, which, through adding tacking servers within a sub-network, alters EPS coding method, furthermore through border routers, tracks and identifies attack packets. Experimental results have shown that the method bears such advantages as tracking a large number of attack sources, zero false alarm rates, identifying attack packets, tracking sinKle packet and effectively protectin~ network tooolo~ privacy etc.