Abstract
The IETF (Internet Engineering Task Force) SAVI (Source Address Validation Improvement) working group focuses on IP source address validation in the access network, while source address validation between autonomous systems (ASes) still faces challenges. To address this, an inter-AS source address validation scheme based on an AS defense alliance is proposed, built on ingress/egress filtering. By designing a specific source declaration method and the related routing policies, the scheme establishes the form of the validation rule configuration for alliance members and improves the defensive performance of the original ingress/egress filtering while keeping the scheme lightweight. The study concentrates on the alliance's source declaration policy, proposes a solution to the false positives on return traffic caused by multi-path routing and mis-declaration, and shows that filtering with the AS defense alliance as the unit provides effective inter-AS source address validation.
Authors
Jia Yihao (贾溢豪)
Ren Gang (任罡)
Liu Ying (刘莹)
Department of Computer Science and Technology, Tsinghua National Laboratory for Information Science and Technology, Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China
Source
Journal of Huazhong University of Science and Technology (Natural Science Edition)
Indexed in: EI, CAS, CSCD, Peking University Core Journals
2016, Issue 11, pp. 11-15 (5 pages)
Funding
National Natural Science Foundation of China (NSFC61402257)
Tsinghua University Initiative Scientific Research Program (2014z21051)
Keywords
distributed denial of service attack (DDoS)
IP source address validation
inter-AS
internet security
source declaration