Abstract
The TCP SYN flood is the most common and most important denial-of-service attack, so research into countermeasures against it is of great significance for network security. To make up for the shortcomings of traditional countermeasures such as stateful inspection firewalls and server-based schemes, the Flooding Detection System (FDS) monitors TCP control packets at the leaf router and detects attacks by analyzing local statistics according to the "SYN-FIN matching pair" property of the protocol. To protect large-scale networks, this paper combines agent-based distributed intrusion detection theory with flood attack detection and presents a hardware-oriented simplified system, SFDS. Using SFDS as a detection agent integrated into the router's network interface, a high-performance distributed flood detection system is proposed and its global decision mechanism is discussed.
TCP SYN flood is one of the most common and most important denial-of-service attacks, and research against SYN floods is of great value to network security. Traditional countermeasures such as stateful inspection firewalls and other server-based solutions have been shown to be limited and not very efficient. We present a novel approach based on the Flooding Detection System (FDS), which is installed at the leaf routers. Based on the protocol behavior of TCP SYN-FIN pairs, the FDS detects attacks by monitoring TCP control packets and analyzing the local statistical information. To protect large-scale networks, we first associate agent-based distributed intrusion detection with the detection of SYN flood attacks. A Simplified Flooding Detection System (SFDS) is then proposed and its algorithm is shown to be hardware-oriented. By integrating SFDSs as detection agents into the network interfaces of routers, we propose a high-performance distributed flooding detection system and illustrate its global decision mechanism.
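As an added illustration of the SYN-FIN pair idea in the abstract, the following Python sketch is not the paper's FDS algorithm or code. It buckets TCP control packets observed at a hypothetical leaf router into fixed time windows, learns a baseline FIN rate from the first few windows, and accumulates the normalized SYN-minus-FIN excess with a CUSUM-style accumulator so that a sustained surplus of unmatched SYNs raises an alarm. The window size, the accumulator, its drift and threshold, and the constructed packet trace are all my assumptions, chosen only to show the local-statistics side of the scheme.

```python
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

# A packet is (timestamp_seconds, tcp_flag) where flag is "S" (SYN) or "F" (FIN).
Packet = Tuple[float, str]


def build_sample(attack: bool = True) -> List[Packet]:
    """Constructed trace for a hypothetical leaf router (not real data).

    Windows 0-5 carry normal traffic: every SYN is paired with a FIN.
    With attack=True, windows 6-7 carry a burst of SYNs with no matching FINs,
    which is the signature a SYN flood leaves in the SYN-FIN statistics.
    """
    packets: List[Packet] = []
    for w in range(8):
        syn = 200 if (attack and w >= 6) else 20
        fin = 20
        base = w * 10.0
        for i in range(syn):
            packets.append((base + i * 10.0 / syn, "S"))
        for i in range(fin):
            packets.append((base + 0.25 + i * 10.0 / fin, "F"))
    return sorted(packets)


def count_windows(packets: List[Packet], window: float = 10.0) -> List[Tuple[int, int]]:
    """Count SYN and FIN packets per fixed-size window; returns [(syn, fin), ...].

    Only control packets matter here, which is what makes the check cheap enough
    to run on a router interface: no per-connection state is kept.
    """
    counts: Dict[int, List[int]] = defaultdict(lambda: [0, 0])
    for ts, flag in packets:
        idx = int(ts // window)
        if flag == "S":
            counts[idx][0] += 1
        elif flag == "F":
            counts[idx][1] += 1
    if not counts:
        return []
    return [tuple(counts.get(i, [0, 0])) for i in range(max(counts) + 1)]


def analyze(packets: List[Packet], window: float = 10.0, training_windows: int = 4,
            drift: float = 1.0, threshold: float = 3.0) -> List[int]:
    """Return the indices of windows in which the detector raises an alarm.

    d = (SYN - FIN) / baseline_FIN is ~0 under normal load because SYNs and FINs
    arrive in matched pairs. The accumulator y = max(0, y + d - drift) stays near
    zero on benign traffic and climbs quickly once SYNs are no longer matched.
    Drift and threshold are illustrative assumptions, not values from the paper.
    """
    windows = count_windows(packets, window)
    if len(windows) <= training_windows:
        return []
    # Baseline FIN rate learned from the training windows; floor at 1 to avoid /0.
    baseline = max(mean(fin for _, fin in windows[:training_windows]), 1.0)
    alarms: List[int] = []
    y = 0.0
    for idx, (syn, fin) in enumerate(windows):
        d = (syn - fin) / baseline
        y = max(0.0, y + d - drift)
        if idx >= training_windows and y > threshold:
            alarms.append(idx)
    return alarms


if __name__ == "__main__":
    trace = build_sample(attack=True)
    print("per-window (SYN, FIN):", count_windows(trace))
    print("alarm windows:", analyze(trace))        # [6, 7]
    print("benign alarms:", analyze(build_sample(attack=False)))  # []
```

The detector keeps only two counters per window, which is the property that lets a simplified version be pushed into router hardware as the abstract describes; the distributed layer would then combine such local verdicts into a global decision, which this sketch does not attempt.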
Source
Chinese Journal of Computers (《计算机学报》)
EI
CSCD
Peking University Core Journal
2003, No. 11, pp. 1585-1590 (6 pages)
Chinese Journal of Computers
Funding
Supported by the National Natural Science Foundation of China project "Distributed Intrusion Detection and Early Warning Model for Large-Scale Networks" (90104030)