Journal: International Journal of Computer Science and Network Security
Print ISSN: 1738-7906
Publication year: 2008
Volume: 8
Issue: 10
Pages: 339-345
Publisher: International Journal of Computer Science and Network Security
Abstract: Internet hosts are threatened by large-scale Distributed Denial-of-Service (DDoS) attacks. The Path Identification DDoS defense scheme has recently been proposed as a deterministic packet marking scheme that allows a DDoS victim to filter out attack packets on a per-packet basis with high accuracy after only a few attack packets are received. This paper proposes the Stack Path identification marking, a new packet marking scheme based on path identification, and new filtering mechanisms. The Stack Path Identification marking scheme consists of two new marking methods, Stack-based marking and Write-ahead marking, that substantially improve Path identifier's incremental deployment performance. The proposed scheme almost completely eliminates the effect of a few legacy routers on a path, and performs better than the original Path identification scheme in a sparse deployment of path identifier enabled routers. For the filtering mechanism, the paper derives an optimal threshold strategy for filtering with the Path identification marking. The system develops the path identification IP filter, which can be used to detect IP spoofing attacks with just a single attack packet. Finally, the paper evaluates the Stack path identification's compatibility with IP fragmentation, its applicability in an IPv6 environment, and several other important issues relating to potential deployment of Stack path identification.
Keywords: DDoS; IP spoofing; ISP security; Network; Stack-based marking; Write-ahead marking