Similar literature
1.
A New Fragment Marking Method for IP Traceback   Total citations: 1, self-citations: 0, citations by others: 1
Denial-of-service (DoS) attacks are a hard-to-solve network security problem, and IP traceback is an effective way to determine the source of a DoS attack. To address the shortcomings of the Compressed Edge Fragment Sampling (CEFS) algorithm used for IP traceback, a New Fragment Marking Scheme (NFMS) is proposed. By enlarging the marking space and using an adaptive marking probability, the algorithm reduces the number of packets needed to reconstruct a path; by annotating fragments, it reduces the computation and the false-positive rate of path reconstruction; and by storing node fragments (router fragments) and edge fragments (the XOR of a router fragment with the fragment of the downstream adjacent router at the same offset) separately, it allows the correctness of the nodes on the reconstructed attack path to be verified. Analysis and simulation results show that NFMS performs better.

2.
闫巧  姚希彦 《计算机应用》2012,32(10):2757-2760
Probabilistic packet marking (PPM) is an important method for defending against distributed denial-of-service (DDoS) attacks. To address the weakest-link and weak-convergence problems that PPM suffers from because of repeated marking, and the heavy computation in path reconstruction caused by fragmentation, a consistent-probability packet marking algorithm based on router interface ID numbers, IDCPPM, is proposed. The algorithm lets the marking information of every router reach the victim with a consistent probability, and because no fragmentation is needed, it effectively reduces the number of packets the victim must receive to reconstruct the path and lowers the algorithm's complexity; the new scheme can also be extended to IPv6. Theoretical analysis and simulation experiments demonstrate the effectiveness of the method.

3.
Most probabilistic packet marking IP traceback schemes suffer from the weakest-link problem because they use a fixed marking probability, which leads to weak convergence of path reconstruction. Dynamic probabilistic packet marking improves on this but still places an excessive burden on routers and demands too much storage. A combined dynamic-static probabilistic packet marking scheme can solve these problems; analysis shows that the scheme outperforms static probabilistic packet marking in convergence time and the weakest-link problem, and outperforms dynamic probabilistic packet marking in storage space and router load.

4.
IP traceback has become one of the effective defenses against denial-of-service (DoS) attacks. Among traceback methods, the probabilistic packet marking (PPM) proposed by Savage et al. has received wide attention. However, PPM suffers from the weakest-link problem because of repeated marking and a fixed marking probability, which leads to weak convergence of path reconstruction. A new non-repetitive packet marking IP traceback scheme is proposed that effectively reduces the convergence time and computational overhead of path reconstruction and improves its efficiency.

5.
A traceback algorithm for distributed denial-of-service attacks based on cooperation among autonomous systems is proposed. In this algorithm, autonomous-system border routers mark passing packets with the information of their AS with a certain probability; the victim can reconstruct the attack path from the path information marked in the packets and thereby trace the attack source. An authenticated marking method effectively prevents attackers from forging or tampering with the path information in packets. Compared with other traceback algorithms, this algorithm achieves fast, real-time tracing of attack sources, effectively suppresses attack flows from entering other networks, and mitigates the impact of attacks in a timely manner.

6.
Based on traceback deployment theory and the dynamic probabilistic packet marking algorithm, an IP traceback algorithm based on traceback deployment is proposed against the currently very harmful distributed denial-of-service attacks. Built on a greedy algorithm, it uses a K-pruning algorithm to find a set of key routers in the network topology graph, and only these routers (the tracers) mark passing packets according to the dynamic probabilistic packet marking algorithm. This greatly reduces the number of packets needed to reconstruct the path, speeds up tracing the attacker, and greatly reduces the marking burden on routers, so the attack source can be found quickly and accurately.

7.
Defending against denial-of-service (DoS) attacks is one of the hardest network security problems today. Probabilistic packet marking (PPM) is a comparatively effective and practical solution. However, most PPM schemes suffer from the weakest-link problem, which leads to weak convergence. A new compensated probabilistic packet marking method is proposed that effectively reduces the convergence time and computational overhead of path reconstruction and improves its efficiency.

8.
Research on Improving the PPM Algorithm for IP Traceback   Total citations: 6, self-citations: 0, citations by others: 6
陈星星  徐红云 《计算机工程》2006,32(21):164-166
Probabilistic packet marking (PPM) is a practical and effective method for IP traceback of denial-of-service (DoS) attacks. This paper proposes improving the original PPM scheme by exploiting the TTL field, which reduces the number of packets needed for path reconstruction and improves its efficiency.

9.
Research on a Compound Packet Marking IP Traceback Algorithm   Total citations: 3, self-citations: 1, citations by others: 2
Building on research into and improvements of the compressed edge fragment sampling algorithm, this paper analyzes the effect of attack path distance and per-router traffic statistics on the marking probability and proposes a compound packet marking method. The method improves the algorithm's convergence, lowers the computational complexity and the error rate of path reconstruction, lets the victim infer the main attack paths in the shortest time, and applies well to tracing the sources of multiple distributed denial-of-service attacks.

10.
A Fast IP Packet Traceback Scheme Based on Variable Probability   Total citations: 1, self-citations: 1, citations by others: 0
To improve the performance of probabilistic packet marking, two variable-probability packet marking schemes capable of tracing large-scale denial-of-service attacks are proposed. Variable-probability marking makes it possible to identify and exclude forged marking information injected by attackers. By recording the sending state of IP addresses in routers and sending packet fragments in order, the number of packets the victim must receive to reconstruct the path is reduced.

11.
The process by which a router classifies packets into "flows" is called packet classification; all packets in the same flow follow the same predefined rules and are handled similarly by the router. Services other than "best effort", such as firewalls, QoS and differentiated services, require packet classification. This paper describes three different classification methods and compares the lookup time complexity and storage overhead of the various packet classification algorithms.

12.
Most routers on the Internet employ a first-in-first-out (FIFO) scheduling rule to determine the order of serving data packets. This scheduling rule does not provide quality of service (QoS) with regard to the differentiation of services for data packets with different service priorities and the enhancement of routing performance. We develop a scheduling rule called Weighted Shortest Processing Time–Adjusted (WSPT-A), which is derived from WSPT (a scheduling rule for production planning in the manufacturing domain), to enhance router QoS. We implement a QoS router model based on WSPT-A and run simulations to measure and compare the routing performance of our model with that of router models based on the FIFO and WSPT scheduling rules. The simulation results show superior QoS performance when using the router model with WSPT-A.

13.
龙腾  荀鹏 《计算机系统应用》2015,24(10):181-185
In a cloud computing environment, using software to schedule internal network traffic has become an important component of the environment. Click is a modular software router that can be inserted into any network and supports rich scheduling policies by extending its modules. This paper studies the scheduling module of the Click software router, designs and implements a router that forwards by priority, and deploys the software router at the request scheduling entry point of cloud services, so that when several services are requested at the same time, scheduling by priority guarantees service performance and solves the problem of important services responding slowly at peak times.

14.
To deploy the next-generation Internet, high-performance routers implementing the IPv6 protocol are needed. The forwarding system is responsible for the router's core function, the forwarding of IPv6 packets. This paper proposes a design and implementation of the forwarding system of a distributed high-performance IPv6 router, including a distributed IPv6 packet forwarding mechanism, a distributed packet buffer management mechanism for passing IPv6 packets between boards, the IPv6 core protocols implemented on a distributed architecture, and a distributed control message communication mechanism for managing the forwarding system's protocol data and configuration information. The system has been implemented and applied in the national "863" key science and technology project "High-Performance IPv6 Router".

15.
Differentiated Services (DiffServ), which are currently being standardized in the IETF DiffServ working group, is a solution that can provide different qualities of service to different network users. DiffServ aggregates network packets at edge routers and forwards the aggregated packets to core routers with different priorities. In this paper, we propose methods using the SNMP framework for monitoring edge-to-edge traffic aggregates in a DiffServ domain, which consists of a set of DiffServ-enabled routers. In order to manage each DiffServ router, we have analyzed the DiffServ MIB and instrumented it in the router. Further, we propose monitoring behaviors of edge-to-edge traffic aggregates by combining topology and performance information from MIB II and DiffServ MIB. Construction procedures and graphical representation of the edge-to-edge traffic aggregates are explained in detail. We also extend our efforts to implement a DiffServ domain monitoring system that monitors a set of DiffServ-enabled routers and traffic aggregates between every edge router pair. We believe that the proposed monitoring methods can serve as useful building blocks for managing DiffServ networks.

16.
This work presents a study of RTP multiplexing schemes, which are compared with the normal use of RTP, in terms of experienced quality. Bandwidth saving, latency and packet loss for different options are studied, and some tests of Voice over IP (VoIP) traffic are carried out in order to compare the quality obtained using different implementations of the router buffer. Voice quality is calculated using the ITU R-factor, which is a widely accepted quality estimator. The tests show the bandwidth savings of multiplexing, and also the importance of packet size for certain buffers, as latency and packet loss may be affected. The customer's experience improvement is measured, showing that the use of multiplexing can be interesting in some scenarios, like an enterprise with different offices connected via the Internet. The system is also tested using different numbers of samples per packet, and the distribution of the flows into different tunnels is found to be an important factor in order to achieve an optimal perceived quality for each kind of buffer. Grouping all the flows into a single tunnel will not always be the best solution, as the increase of the number of flows does not improve bandwidth efficiency indefinitely. If the buffer penalizes big packets, it will be better to group the flows into a number of tunnels. The router processing capacity has to be taken into account too, as the limit of packets per second it can manage must not be exceeded. The obtained results show that multiplexing is a good way to improve the customer's experience of VoIP in scenarios where many RTP flows share the same path.

17.
The delivery of latency sensitive packets is a crucial issue in real-time applications of communication networks. Such packets often have a firm deadline and a packet becomes useless if it arrives after its deadline. The deadline, however, applies only to the packet's journey through the entire network; individual routers along the packet's route face a more flexible deadline. We study policies for admitting latency sensitive packets at a router. Each packet is tagged with a value. A packet waiting at a router loses value over time as its probability of arriving at its destination on time decreases. The router is modeled as a non-preemptive queue, and its objective is to maximize the total value of the forwarded packets. When a router receives a packet, it must either accept it (and delay future packets), or reject it immediately. The best policy depends on the set of values that a packet can take. We consider three natural sets: an unrestricted model, a real-valued model, where any value over 1 is allowed, and an integral-valued model. For the unrestricted model, we prove that there is no constant competitive ratio algorithm. For the real-valued model, we give a randomized 4-competitive algorithm and a matching lower bound (up to low order terms). We also provide a deterministic lower bound of \(\phi^3 - \varepsilon \approx 4.236\), almost matching the previously known 4.24-competitive algorithm. For the integral-valued model, we describe a deterministic 4-competitive algorithm, and prove that this is tight even for randomized algorithms (up to low order terms).

18.
IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible with different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process, adds little additional load to routers, and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used not only to trace DDoS attacking packets but also to enhance the filtering of attacking traffic.

19.
In this paper, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds their buffering capacities. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent. However, this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks. We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested our protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior.

20.
Encapsulating IP packets into link-layer frames is an indispensable technique in router design. A general-purpose processor architecture for multi-channel packet encapsulation and forwarding is proposed. Using the FPGA's internal memory resources and combining pipelining with multi-queue buffers, it significantly improves line-rate forwarding of small packets and the transmission of bursty traffic.

Copyright©北京勤云科技发展有限公司    京ICP备09084417号-23