IP Spoofing DDoS Defense Using Active IP Record and ICMP Message
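Summary: This paper introduces the principle of distributed denial of service (DDoS) attacks, analyzes four representative defense methods, and proposes a defense method against IP spoofing DDoS attacks. At the autonomous system border, an active IP record table is used to process packets entering the autonomous system: network flows from active IPs pass straight through, while packets from IPs with no active record are dropped by the autonomous system border router or a router near the border, and an Internet Control Message Protocol (ICMP) timeout error message is sent to notify the source node. IP spoofing DDoS attack packets whose IP is not active therefore cannot reach the victim node; dropped legitimate packets are retransmitted by the upper-layer protocol or application at their source node.

Abstract: This paper describes the principle of Distributed Denial of Service (DDoS) attacks. Several representative defense methods against them are analyzed. A defense method against IP spoofing DDoS attacks is proposed. In this method, an active IP record table is used to check all IP packets passing through the border of the autonomous system. Packets whose source IP address is not active are discarded by the border routers, or by routers near the border, in the autonomous system, and, in accordance with the Internet Control Message Protocol (ICMP), timeout ICMP messages are sent to the source IP hosts. IP spoofed packets are thus discarded, because their source IPs usually are not active. Although some legal packets will also be discarded, the retransmission will be triggered by the timeout ICMP messages immediately.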
Key words:
- active IP
- distributed denial of service
- IP spoofing
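The border filtering described in the abstract, sketched as an added example (not code from the paper). The abstract does not say how an address enters the active IP record table; the rule used here (a retransmission arriving within `retry_window` of the drop activates the source), both timer values, and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

ICMP_TIME_EXCEEDED = 11  # ICMP type of the "timeout" error message (RFC 792)


@dataclass
class BorderFilter:
    """Toy model of an AS border router holding an active IP record table."""
    active_ttl: float = 60.0    # assumed: seconds a record stays active without traffic
    retry_window: float = 3.0   # assumed: time allowed for a retransmission to arrive
    active: dict = field(default_factory=dict)     # source IP -> time last seen
    pending: dict = field(default_factory=dict)    # source IP -> time of dropped packet
    icmp_sent: list = field(default_factory=list)  # (ICMP type, destination IP)

    def handle(self, src: str, now: float) -> str:
        """Return 'forward' or 'drop' for a packet from src arriving at time now."""
        last = self.active.get(src)
        if last is not None and now - last <= self.active_ttl:
            self.active[src] = now              # refresh the active record
            return "forward"
        self.active.pop(src, None)              # discard an expired record, if any
        dropped_at = self.pending.pop(src, None)
        if dropped_at is not None and now - dropped_at <= self.retry_window:
            # Assumed activation rule: the source retransmitted after the drop,
            # so it is treated as a live host and recorded as active.
            self.active[src] = now
            return "forward"
        self.pending[src] = now                 # remember the drop, notify the source
        self.icmp_sent.append((ICMP_TIME_EXCEEDED, src))
        return "drop"


def simulate():
    """Constructed traffic: one real host that retransmits, plus a spoofed flood."""
    bf = BorderFilter()
    legit = [bf.handle("192.0.2.10", t) for t in (0.0, 1.0, 2.0)]
    # 500 distinct spoofed sources, one packet each, none of which retransmits.
    flood = [bf.handle(f"10.{i // 250}.{i % 250}.1", 0.5 + i * 0.001)
             for i in range(500)]
    return legit, flood.count("drop"), len(bf.icmp_sent)


if __name__ == "__main__":
    print(simulate())
```

In a deployment both tables would need a size bound and expiry sweep, since every unknown source adds an entry to `pending`.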