自适应包标记的DDoS源IP追踪

目前的IP追踪都是基于反向完整路径追踪,反向完整路径追踪要ISP的配合,而要取得所有的ISP的配合是一件困难的事情。在各种解决方法中,自适应概率包标记受到了广泛的重视。这个算法需要很少的带宽和处理的花费,可以追踪多个DDoS攻击源,而且不需要揭示网络拓扑的内在结构。     

大流量优先的实时IP随机包标记反向追踪

在现有IP随机包标记反向追踪算法实时性的研究基础上,分析了标记概率、推测路径需要的数据包数量和攻击路径距离的关系,提出一个大流量优先的实时IP随机包标记反向追踪方法LTFMS,利用路由器节点当前流量统计,受害者可在最短时间内推测出主要攻击路径。通过建立模拟测试环境实验分析,对于大规模DDoS攻击,该方法在相同时间内可比现有方法推测出更多的攻击路径。     

CoMM:基于协作标记与缓解的实时IP反向追踪模型

实时性对于在DoS或DDoS网络攻击中发送假源地址包的主机进行IP反向追踪非常重要．提出一个IP实时反向追踪的模型CoMM（Cooperative Marking and Mitigation），在受害者主动参与和自治网络协调员的帮助下推测攻击路径，局部推测的攻击路径可以帮助受害者推测的攻击路径进行验证，上游路由器采取限速方式减小攻击程度的同时保证合法用户流量的传输和受害者正常推测攻击路径的流量需要，并有效的降低路由器参加追踪的开销．     

基于IP地址重拼接的DDOS攻击源追踪算法

为了提高对分布式拒绝服务(DDoS)攻击源反向追踪的效率和准确度,提出了一个新算法.此算法不同于AMS(Advanced Marking Schemes)算法,是利用IP地址拼接技术,重定义IP数据包头部分字段,利用一种新的路由器地址编码格式,使得一个数据包携带更多路由地址信息,提高重构路径的效率,大幅降低误报率.相对于AMS算法,新算法明显提高了IP反向追踪的性能,降低了误报率.     

IP反向追踪技术综述

拒绝服务攻击(DoS)给政府部门和商业机构造成了严重的经济损失和社会威胁。IP追踪技术能够反向追踪IP数据包到它们的源头,所以是识别和阻止DoS攻击的重要一步。本文针对DoS攻击,对比分析了各个IP反向追踪方法的基本原理和优缺点。     

基于确定包标记的DDoS攻击防御

针对已有的基于包标记的分布式拒绝服务攻击防御机制在安全性、标记利用率低、可扩展性差等方面的缺陷,提出一种基于确定包标记的DDoS攻击防御方案。通过采用一种新的编码机制,在IP数据包中嵌入一个与入口点地址相关的29位标识,将这个标识完整地记录在一个包上,使该方案具有单包追踪且零误报、保护ISP内部网络拓扑信息和应对大规模DDoS攻击的优点,从而达到有效防御DDoS的目的。和同类方法相比,该方案具有较强的实用性。     

利用WIN95轻松上网

如果您已向ISP(Internet服务供应商)申请到用户帐号并采用PPP方式,利用win95(中/英)内置的拨号软件及浏览器软件您可以方便地实现与ISP的连接。在安装前您需要了解下面几个相关术语的含义:IP地址,DNS Sever以及,IP/TCP。数据要到达某一地方需要一定的地址,这个地址就是IP地址,它是基于IP协议的地址,一般由4个(0～255)的数字组成。这是INTERNET服务器所确认的地址,但由于数字地址不便记忆,人们更愿意输入文字地址,这就需要     

基于管道的可视化路由追踪方法

路由追踪是基于ICMP协议的.追踪命令trcert正是利用路由器对数据报存活时间的处理方式来实现路由探测.首先利用管道提取tracert的输出,再结合现有IP数据库及自建地名-坐标数据库对路由中各节点IP在地图上进行定位,最终实现了在地图上动态显示追踪的详细信息和路径.     

网络安全和IP追踪

本文介绍了几种常用的网络安全技术的工作原理和存在的缺点,并重点探讨了用于反向追踪攻击者的源IP地址的前摄追踪和反应追踪方法。最后阐述了这些IP追踪方法的局限和有待解决的问题。     

基于MPLS的流量工程路由算法研究

流量工程是ISP最难处理的任务之一。ISP要求现有的IP网络具有流量工程管理的能力,并要求IP over ATM方式下的流量工程在纯IP结构的网络中也能得到体现。MPLS正是一种ATM和纯IP网共存情况下提供流量工程,并且避免两个分立网络的技术。本文以MPLS技术在实施流量工程方面的优势为基础,提出了一种新的基于邻域的显式路由算法。     

On deterministic packet marking

In this article, we present a novel approach to IP Traceback – deterministic packet marking (DPM).¹ DPM is based on marking all packets at ingress interfaces. DPM is scalable, simple to implement, and introduces no bandwidth and practically no processing overhead on the network equipment. It is capable of tracing thousands of simultaneous attackers during a DDoS attack. Given sufficient deployment on the Internet, DPM is capable of tracing back to the slaves responsible for DDoS attacks that involve reflectors. In DPM, most of the processing required for traceback is done at the victim. The traceback process can be performed post-mortem allowing for tracing the attacks that may not have been noticed initially, or the attacks which would deny service to the victim so that traceback is impossible in real time. The involvement of the Internet Service Providers (ISPs) is very limited, and changes to the infrastructure and operation required to deploy DPM are minimal. DPM is capable of performing the traceback without revealing topology of the providers’ network, which is a desirable quality of a traceback method.     

A More Practical Approach for Single-Packet IP Traceback using Packet Logging and Marking

Tracing IP packets to their origins is an important step in defending Internet against denial-of-service attacks. Two kinds of IP traceback techniques have been proposed as packet marking and packet logging. In packet marking, routers probabilistically write their identification information into forwarded packets. This approach incurs little overhead but requires large flow of packets to collect the complete path information. In packet logging, routers record digests of the forwarded packets. This approach makes it possible to trace a single packet and is considered more powerful. At routers forwarding large volume of traffic, the high storage overhead and access time requirement for recording packet digests introduce practicality problems. In this paper, we present a novel scheme to improve the practicality of log-based IP traceback by reducing its overhead on routers. Our approach makes an intelligent use of packet marking to improve scalability of log-based IP traceback. We use mathematical analysis and simulations to evaluate our approach. Our evaluation results show that, compared to the state-of-the-art log-based approach called hash-based IP traceback, our approach maintains the ability to trace single IP packet while reducing the storage overhead by half and the access time overhead by a factor of the number of neighboring routers.     

Ant-based IP traceback

The denial-of-service (DoS) attacks with the source IP address spoofing techniques has become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all the resources, causing degrading network performance or, even worse, network breakdown. A proactive approach to DoS attacks is allocating the original attack host(s) issuing the attacks and stopping the malicious traffic, instead of wasting resources on the attack traffic.

In this paper, an ant-based traceback approach is proposed to identify the DoS attack origin. Instead of creating a new type or function or processing a high volume of fine-grained data used by previous research, the proposed traceback approach uses flow level information to identify the origin of a DoS attack.

Two characteristics of ant algorithm, quick convergence and heuristic, are adopted in the proposed approach on finding the DoS attack path. Quick convergence efficiently finds out the origin of a DoS attack; heuristic gives the solution even though partial flow information is provided by the network.

The proposed method is evaluated through simulation on various network environments and two simulated real networks, NSFNET and DFN. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments, with full and partial flow information provided by the networks.     

IPv6下基于改进的SPIE源追踪方案

源追踪技术提供对真实攻击来源的有效追踪,有利于实时阻断、隔离DDoS等网络攻击。目前的源追踪方法大多是使用IPv4包头中很少使用的16位标识域保存经过的路由器信息,不适用于IPv6环境。本文提出一种IPv6下基于改进的SPIE源追踪方案。该方法利用路由器,使用Bloom filters数据结构保存转发的数据包的摘要,减少了耗费的存储空间,同时时保护了数据包的机密性;它不但适合DDoS攻击的源追踪,还能进行单个数据包的源追踪。     

层次分析法在IP返回跟踪DoS攻击方法中的应用研究

将运筹学中的层次分析法应用于IP返回跟踪DoS攻击的方法中,可以为网络安全决策提供支持。首先介绍了层次分析法和几种IP返回跟踪DoS攻击的方法,在此基础上建立了IP返回跟踪DoS攻击方法的层次分析模型,用层次分析法对六种IP返回跟踪DoS攻击方法做了实证地比较和分析。     

可动态扩展的高效单包溯源方法

由于能够隐藏攻击位置、避开攻击过滤、窃取用户隐私和增强攻击危害,IP匿名已被各类网络攻击广泛使用并造成极大的危害.为此,研究者们提出了IP溯源——一种能够在匿名攻击发生后揭露攻击主机身份的追踪技术.鉴于已有的IP溯源研究在面对大规模网络时存在扩展性差、处理开销大、拓扑隐私泄露等问题,提出了一种可动态扩展的高效单包溯源方法,简称SEE.该方法采用域间和域内相分离的层次化系统架构模型来弱化自治域之间的溯源联系、避免拓扑隐私泄露,并通过域内溯源网络构建、域内溯源地址分配、域内路径指纹建立和提取、域间反匿名联盟构建和域内到域间的平稳过渡等策略来改善系统的扩展性和处理开销.通过理论分析和基于大规模真实和人工互联网拓扑的仿真实验,结果表明,相对于以往方案,SEE在高效性和扩展性方面确实有了很大的改善.     

伪造路径下PPM算法IP追踪性能研究

该文研究了概率分组标记(PPM)IP追踪机制对拒绝服务攻击(DoS)的有效性。在攻击者伪造多条攻击路径的情况下,分析得到PPM可以选取最优追踪标记概率以提高追踪效率;进一步的分析则表明,在伪造路径长度增加时,PPM效率将明显降低。     

一种无日志的快速DDoS攻击路径追踪算法

分布式拒绝服务攻击是目前Internet面临的主要威胁之一.攻击路径追踪技术能够在源地址欺骗的情况下追踪攻击来源,在DDoS攻击的防御中起到非常关键的作用.在各种追踪技术中随机包标记法具有较明显的优势,然而由于较低的标记信息利用率,追踪速度仍然不够快.为了提高追踪速度提出一种无日志的快速攻击路径追踪算法.该算法利用少量路由器存储空间和带内信息传输方式提高标记信息利用率,不仅大大提高了追踪速度,而且避免占用额外的网络带宽.