A Refinement Mechanism for the Inter-Domain IP Spoofing Prevention Service  Cited by: 9

Refining the Inter-Domain IP Spoofing Prevention


Authors: Lü Gaofeng (吕高锋)[1], Sun Zhigang (孙志刚)[1], Lu Xicheng (卢锡城)[1]

Affiliation: [1] School of Computer Science, National University of Defense Technology, Changsha 410073

Source: Chinese Journal of Computers (《计算机学报》), 2009, No. 3, pp. 552-563 (12 pages)

Funding: Supported by the National Basic Research Program of China ("973" Program) (2009CB320503; 2005CB321801)

Abstract: Validating the authenticity of source IP addresses has become a foundation for building a trustworthy network. Inter-domain IP spoofing packet filtering mechanisms based on coarse-grained source-destination AS labels (keys) offer simple processing, wide protection coverage and high deployment incentives, but they cannot filter spoofed packets exchanged between subnets within the same AS. Fine-grained source-destination subnet labels solve the problem of coarse filtering granularity, but bring more serious problems of their own: complex processing and large computation and storage overhead. To address this conflict between the computational complexity and the filtering granularity of IP spoofing prevention mechanisms, a novel mechanism for refining the inter-domain IP spoofing prevention service, RISP, is proposed. RISP is grounded in inter-domain IP spoofing prevention. Exploiting the stability of the topology inside an AS, it introduces asymmetric fine-grained labels between source subnets and destination ASes, which detect and filter spoofed packets both between ASes and between subnets within an AS. Based on the flow characteristics of the main attacks that use IP spoofing, RISP introduces flow anomaly detection so that fine-grained labeling is triggered dynamically, which further reduces the computation and storage overhead of fine-grained labels and also rate-limits malicious flows within a subnet. Without adding defense entities inside an AS, RISP enables the existing defense entities to filter spoofed packets between subnets within the AS, with low computation and storage overhead, fine filtering granularity and high deployment incentives.

Keywords: IP spoofing prevention; asymmetric labels; dynamic marking; trustworthy network

Classification code: TP393 [Automation and Computer Technology - Computer Application Technology]

 
