Computer Engineering and Applications ›› 2007, Vol. 43 ›› Issue (5): 140-142.

• Network, Communication and Security •

A non-preemptive packet marking scheme

XiaoQing Gu, TongGuang Ni, Yuan Liu

  1. Department of Computer Science and Engineering, Jiangsu Polytechnic University; School of Communication and Control Engineering, Jiangnan University
  • Received:2006-03-07 Revised:1900-01-01 Online:2007-02-11 Published:2007-02-11
  • Contact: XiaoQing Gu

Abstract: Defending against Distributed Denial of Service (DDoS) attacks is one of the hardest network security problems to handle today. Among the many countermeasures, packet marking schemes have received wide attention. In these schemes, every router on the path marks passing packets with a probability according to a given policy, so that the victim can reconstruct the attack path in a short time and trace the attacker by IP traceback. This paper proposes a new packet marking method, the non-preemptive packet marking scheme, which reduces the convergence (path reconstruction) time and the false positive rate and lowers the packet-marking overhead on the network and routers.

Key words: Distributed Denial of Service attacks, packet marking, IP traceback, network security