Study of new measure to recover and control DOS/DDOS attack
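Abstract: DOS (Denial-of-Service)/DDOS (Distributed Denial-of-Service) network attacks not only cause trouble for the attacked target but also seriously disturb other traffic that shares the network with the attacked target. Using active networks to add some computing functions to every intermediate node (routing nodes, switches, etc.), a mechanism system for defending against and controlling DOS/DDOS attacks is proposed. The mechanism system mainly comprises the following three mechanisms: a cluster-based automatic identification and control mechanism, a cluster-based active notify trace mechanism, and an administration-domain-based control cooperation mechanism. The cluster-based automatic identification and control mechanism includes an identification policy for DOS/DDOS network attack clusters and a rate-limit policy for controlling them. The cluster-based active notify trace mechanism notifies upstream active nodes of the characteristics of these attack clusters and causes them to activate their local rate-limit policies. With this system, DOS/DDOS attacks were effectively prevented and controlled in experiments.
Key words:
- DOS/DDOS attack /
- active network /
- cluster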
Abstract: DOS (denial-of-service)/DDOS (distributed denial-of-service) network attacks not only cause harm to the attacked target, but also disturb other flows that share the same network with the attacked target. By adding computing functions to every intermediate node (router, switch), a mechanism system to recover and control DOS/DDOS attacks, based on active networks, was advanced. The mechanism system is composed of three mechanisms: a cluster-based automatic identification and control mechanism, a cluster-based active notify trace mechanism, and an administration-domain-based control cooperation mechanism. The cluster-based automatic identification and control mechanism includes an identification policy for attack clusters and a rate-limit policy for controlling them. The cluster-based active notify trace mechanism notifies upstream active nodes of the characteristics of the attack clusters and activates their local rate-limit policies. Effective recovery and control of DOS/DDOS attacks can be realized by using this system in the lab.
Key words:
- DOS/DDOS attack /
- active network /
- cluster