基于增强权证的无状态过滤机制

金光; 杨建刚; 魏蔚; 董亚波

doi:10.3724/SP.J.1146.2007.00460

基于增强权证的无状态过滤机制

doi: 10.3724/SP.J.1146.2007.00460

金光^{①② 杨建刚,},
杨建刚,
魏蔚,
董亚波

基金项目:

浙江省自然科学基金(Y106023)和宁波市自然科学基金(2006A610014)资助课题

计量
- 文章访问数: 3223
- HTML全文浏览量: 77
- PDF下载量: 805
- 被引次数: 0
出版历程
- 收稿日期: 2007-03-28
- 修回日期: 2007-12-17
- 刊出日期: 2008-10-19

Stateless Filtering Based on Enhanced Capabilities

Jin Guang^{①② 杨建刚
,},
Yang Jian-Gang,
Wei Wei,
Dong Ya-Bo

摘要

摘要: 该文针对拒绝服务攻击的防御技术，着重分析了新涌现的权证技术，包括基本思想、无状态过滤和通信量验证体系。探讨了权证能否引发新的攻击和对网络传输性能的影响，针对已有方案的一些技术缺陷提出了改进对策，包括：用通知保护权证请求，多级别权证，动态的权证分配。理论估算和仿真试验表明，这些方法能更好地兼顾安全性和效率性，性能明显优于原方案，提高了权证技术的可行性。
- 网络安全 /
- 拒绝服务攻击 /
- 无状态过滤 /
- 权证
Abstract: Major defensive mechanisms against DoS attacks in the Internet are reviewed. Especially the most recent capabilities techniques, such as basic concepts, stateless flow filtering and the Traffic Validation Architecture (TVA), are analyzed deeply. The related discussions about the shortcomings of current capabilities techniques, such as potential Denial-of-Capability (DoC) attacks, decrement of transmission efficiency, are given in detail. Some improvement methods are provided. They include protecting capabilities requests with notifications, bi-level capabilities, flexible and dynamical capabilities assignment, etc. These methods enhance the robustness and efficiency of capabilities. Theoretical evaluations and simulations show that the improvements outperform original schemes and are more practical in the Internet.
- N /
- e /
- t

HTML全文

参考文献(1)

[1] Douligeris C and Mitrokotsa A. DDoS attacks and defensemechanism: classification and state-of-the-art. ComputerNetworks, 2004, 44(3): 643-666. [2] Bellovin S, Clark D, Perrig A, and Song D. A clean-slatedesign for the next-generation secure Internet. NationalScience Foundation Workshop on Next-Generation SecureInternet, Pittsburgh, PA, 2005. Yang X, Wetherall D, and Anderson T. A DoS limitingarchitecture. Proc. ACM Sigcomm, Philadelphia, PA, 2005:241-252. [3] 田俊峰, 张喆, 赵卫东. 基于误用和异常技术相结合的入侵检测系统的设计与研究[J].电子与信息学报.2006, 28(11):2162-2166浏览 [4] Ferguson P and Senie D. RFC2827, Network ingress filtering:defeating denial of service attacks which employ IP sourceaddress spoofing. Los Angeles, 2000. [5] Gao Z and Ansari N. Tracing cyber attacks from the practicalperspective. IEEE Communications Magazine, 2005, 43(5):123-131. [6] 梁丰, Yau D. 利用路由器自适应限流防御分布拒绝服务攻击(英文). 软件学报, 2002, 13(7): 1220-1227.Liang Feng and Yau D. Using adaptive router throttlesagainst distributed Denial-of-Service attacks. Journal ofSoftware, 2002, 13(7): 1220-1227. [7] Anderson T, Roscoe T, and Wetherall D. Preventing InternetDenial-of-Service with capabilities. Proc. ACM HotNets,Cambridge, MA, 2003. [8] Yaar A, Perrig A, and Song D. SIFF: A stateless Internet flowfilter to mitigate DDoS flooding attacks. Proc. IEEESymposium on Security and Privacy, Oakland, CA, 2004:130-143. [9] Argyraki K and Cheriton D. Network capabilities: the good,the bad and the ugly. Proc. ACM HotNets, College Park, MD,2005.

施引文献

资源附件(0)

访问统计