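Abstract
The working principle of stateful-inspection firewalls is analyzed, and a UDP (User Datagram Protocol) stateful-inspection firewall model, together with its implementation algorithm, is proposed that can effectively defend against the DoS attacks currently aimed at stateful-inspection firewalls. The model dynamically sets the lifetime of virtual connections, to avoid the firewall's state table being filled up and the firewall denying service as a result. The algorithm uses a hash function to manage UDP virtual connections, keeping the average time complexity at O(λ) and the space complexity at O(n); when collisions are few, the time complexity is O(1), which gives the firewall good execution efficiency.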
The principle of UDP (User Datagram Protocol) packet inspection on a stateful-inspection firewall is analyzed, and a model that can effectively prevent DoS attacks, together with its implementation algorithm, is presented. By dynamically configuring the life cycle of UDP virtual connections, the firewall can avoid exhausting its state-table resources. A hash table is employed in the algorithm to manage UDP virtual connections; its average time complexity is kept at O(λ) and its space complexity at O(n), and when there are few collisions the time complexity is O(1), which does not vary with the number of connections.
Source
《武汉大学学报(工学版)》
CAS
CSCD
Peking University Core Journals
2004, Issue 2, pp. 69-73 (5 pages)
Engineering Journal of Wuhan University
Funding
Project supported by the State Power Corporation Youth Science and Technology Promotion Fund (No. SPQKJ023).