Computer Science ›› 2014, Vol. 41 ›› Issue (7): 210-215. doi: 10.11896/j.issn.1002-137X.2014.07.044

• Information Security •

Capabilities-based DDoS Defense Architecture for Future Internet

ZHANG Hong-hao, WANG Jin-song, HUANG Wei and ZHAO Xiang-lin

  1. Key Laboratory of Computer Vision and System (Ministry of Education), Tianjin University of Technology, Tianjin 300384
  • Online: 2018-11-14 Published: 2018-11-14
  • Supported by:
    This work was supported by the National Natural Science Foundation of China (60904063, 61301140) and the Science and Technology Project of the Tianjin Municipal Education Commission (20120703).

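Abstract: This paper introduces the principles and key technologies of the Capabilities mechanism for defending against DDoS attacks in the future Internet, and describes several typical current schemes based on the Capabilities mechanism. It studies the global framework of a Capabilities-based DDoS defense architecture and discusses feasible implementations, in the future Internet, of the three parts that the framework comprises: flow classification, enforcement, and Capabilities management. A traffic model under the Capabilities framework is established, and the security and efficiency of the framework are analyzed and demonstrated theoretically. Simulation experiments compare the performance and efficiency of the various Capabilities schemes in different scenarios.

Keywords: Network security, Distributed denial-of-service attack, Capabilities mechanism, Future Internet. CLC number: TP393.08. Document code: A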

Abstract: First, this paper introduces the theory and key technologies of the Capabilities mechanism for the future Internet, and expounds and compares typical schemes based on the Capabilities mechanism in terms of performance and reliability through simulation experiments in different scenarios. Second, we study the DDoS defense architecture based on the Capabilities mechanism and discuss viable implementations, in the future network, of the three parts contained in the architecture (flow classification, enforcement, and Capabilities management). Furthermore, we design a simple traffic model under the Capabilities framework and theoretically analyze the security and efficiency of the framework. Finally, the paper analyzes the shortcomings and inadequacies of several solutions based on the Capabilities mechanism and compares their performance and efficiency in different scenarios through simulation experiments.

Key words: Network security, DDoS, Capabilities mechanism, Future Internet

