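Authors: Chen Xiuzhen (陈秀真) [1,2], Li Shenghong (李生红) [3], Ling Yidong (凌屹东) [2], Li Jianhua (李建华) [3]
Affiliations: [1] State Key Laboratory for Manufacturing Systems Engineering, Xi'an Jiaotong University, Xi'an 710049; [2] School of Information Security Engineering, Shanghai Jiao Tong University, Shanghai 200240; [3] School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240
Source: Journal of Xi'an Jiaotong University (《西安交通大学学报》), 2013, No. 10, pp. 13-17 (5 pages)
Funding: National Key Technology R&D Program (2012BAH38B04); National Natural Science Foundation of China (61271316); Open Fund of the State Key Laboratory for Manufacturing Systems Engineering (sklms 2012005)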
Abstract: Because denial-of-service (DoS) attacks are difficult to defend against, a multi-tag IP traceback method based on dynamic probabilistic packet marking, called iTrace-DPPM, is proposed. It identifies the true source addresses of direct and reflective DoS attacks based on the Internet Control Message Protocol (ICMP). The method first calculates the number of routing tags a single ICMP packet can carry from the size of the ICMP data segment and the maximum transmission unit (MTU) threshold. When a router is about to mark a packet, it infers its distance from the node that generated the packet from the time to live (TTL), sets its marking probability to the reciprocal of that distance, and runs the probabilistic packet marking algorithm independently on each tag field of the packet. Finally, the victim host reconstructs the complete forwarding paths from the received routing mark information and determines the true source host that launched the DoS attack. Compared with the existing dynamic probabilistic packet marking (DPPM) approach, iTrace-DPPM has three advantages: fewer attack packets are needed to reconstruct attack paths, partial deployment is supported, and no extra network load is introduced. A series of simulations under NS2 show that the number of attack packets needed by iTrace-DPPM for path reconstruction is reduced, relative to traditional DPPM, to the reciprocal of the number of routing tags.
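Keywords: network security; IP traceback; denial-of-service attack; dynamic probabilistic marking; multi-tag
Classification: TP393 [Automation and Computer Technology - Computer Application Technology]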