{"title":"基于IP回溯标记方案的包过滤机制","authors":"Sharon Yan Ping, Lee Moonchuen","doi":"10.1109/IPOM.2004.1547625","DOIUrl":null,"url":null,"abstract":"Denial of service attacks have become one of the most serious threats to the Internet community. One effective means to defend against such attacks is to locate the attack source(s) and to filter out the attack traffic. To locate the attack source(s), this paper proposes an adaptive packet marking scheme for IP traceback, which supports two types of marking. A participating border router would perform deterministic router id marking when a packet enters the network for the first time, and probabilistic domain id marking when it receives a packet from another domain. After collecting sufficient packets, the victim would reconstruct the attack graph incorporating attack paths and the source router(s) identified, with each node on the paths viewed as a domain. Based on the attack graph traced back we propose to let the filtering agent(s) inspect the markings inscribed in the received packets and filter the packets with a marking matching with the attack signatures. Simulation results show that the proposed marking scheme outperforms other IP traceback methods as it requires fewer packets for attack paths reconstruction, and can handle large number of attack sources effectively with relatively low false positives produced. Meanwhile, with the attack packets filtering mechanism, around 80% attack traffic would be removed and the normal traffic can be efficiently preserved in order to restore the victim's service.","PeriodicalId":197627,"journal":{"name":"2004 IEEE International Workshop on IP Operations and Management","volume":"130 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2004-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":"{\"title\":\"IP traceback marking scheme based packets filtering mechanism\",\"authors\":\"Sharon Yan Ping, Lee Moonchuen\",\"doi\":\"10.1109/IPOM.2004.1547625\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Denial of service attacks have become one of the most serious threats to the Internet community. One effective means to defend against such attacks is to locate the attack source(s) and to filter out the attack traffic. To locate the attack source(s), this paper proposes an adaptive packet marking scheme for IP traceback, which supports two types of marking. A participating border router would perform deterministic router id marking when a packet enters the network for the first time, and probabilistic domain id marking when it receives a packet from another domain. After collecting sufficient packets, the victim would reconstruct the attack graph incorporating attack paths and the source router(s) identified, with each node on the paths viewed as a domain. Based on the attack graph traced back we propose to let the filtering agent(s) inspect the markings inscribed in the received packets and filter the packets with a marking matching with the attack signatures. Simulation results show that the proposed marking scheme outperforms other IP traceback methods as it requires fewer packets for attack paths reconstruction, and can handle large number of attack sources effectively with relatively low false positives produced. Meanwhile, with the attack packets filtering mechanism, around 80% attack traffic would be removed and the normal traffic can be efficiently preserved in order to restore the victim's service.\",\"PeriodicalId\":197627,\"journal\":{\"name\":\"2004 IEEE International Workshop on IP Operations and Management\",\"volume\":\"130 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2004-10-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"4\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2004 IEEE International Workshop on IP Operations and Management\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/IPOM.2004.1547625\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2004 IEEE International Workshop on IP Operations and Management","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IPOM.2004.1547625","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
IP traceback marking scheme based packets filtering mechanism
Denial of service attacks have become one of the most serious threats to the Internet community. One effective means to defend against such attacks is to locate the attack source(s) and to filter out the attack traffic. To locate the attack source(s), this paper proposes an adaptive packet marking scheme for IP traceback, which supports two types of marking. A participating border router would perform deterministic router id marking when a packet enters the network for the first time, and probabilistic domain id marking when it receives a packet from another domain. After collecting sufficient packets, the victim would reconstruct the attack graph incorporating attack paths and the source router(s) identified, with each node on the paths viewed as a domain. Based on the attack graph traced back we propose to let the filtering agent(s) inspect the markings inscribed in the received packets and filter the packets with a marking matching with the attack signatures. Simulation results show that the proposed marking scheme outperforms other IP traceback methods as it requires fewer packets for attack paths reconstruction, and can handle large number of attack sources effectively with relatively low false positives produced. Meanwhile, with the attack packets filtering mechanism, around 80% attack traffic would be removed and the normal traffic can be efficiently preserved in order to restore the victim's service.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
