Abstract
IP source address spoofing is the foundation of many kinds of DDoS attack and makes tracing and responding to security incidents very difficult. URPF is mainly used to prevent network attacks based on source address spoofing, while the boundary filtering method is used to inspect packets originating from inside the network. Based on the network of a basic telecommunications operator, this paper proposes a collaborative handling method for spoofed IP source addresses that combines URPF technology with boundary filtering, so that spoofed IP source addresses are filtered twice: inside the network and at the boundary egress. Experimental results show that the method effectively blocks traffic with spoofed IP source addresses. After large-scale deployment on a provincial telecom backbone network, CNCERT monitoring data confirmed that neither locally spoofed traffic nor cross-domain spoofed traffic appeared on the backbone routers.
Spoofed IP source addresses are the basis of many DDoS attacks, which makes it difficult to trace and respond to security incidents. URPF is mainly used to prevent network attacks based on source address spoofing. Network ingress filtering is used to check packets originating from inside the network. On the basis of a telecom enterprise network, this paper proposes a collaborative disposal method for spoofed IP source addresses that combines URPF technology with network ingress filtering, achieving double filtering of spoofed IP source addresses both inside the network and at the boundary egress. Experiments show that this method effectively prevents spoofed IP source address traffic. After large-scale deployment on the Anhui Telecom backbone network, monitoring data from CNCERT confirmed that the Anhui Telecom backbone routers carried neither locally forged traffic nor cross-domain forged traffic.
Authors
张可
汪有杰
程绍银
王理冬
ZHANG Ke; WANG Youjie; CHENG Shaoyin; WANG Lidong (Anhui Branch, National Computer Network Emergency Response Technical Team, Hefei, Anhui 230041, China; Anhui Telecom Network Security Operation Center, Hefei, Anhui 230031, China; School of Cyber Security, University of Science and Technology of China, Hefei, Anhui 230027, China; Anhui Institute of Electronic Products Supervision and Inspection (Anhui Information Security Testing Evaluation Center), Hefei, Anhui 230061, China)
Source
Netinfo Security (《信息网络安全》)
Indexed in: CSCD; Peking University Core Journals list
2019, No. 5, pp. 22-29 (8 pages)
Funding
Anhui Provincial Natural Science Foundation [1208085QF112]
Anhui Provincial Guiding Project under the Major Program on Quantum Communication and Quantum Computers [AHY150400]