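            Source Address Validation Using Active Path Identification
            Authors: WEI Jian1, CAI Gui-lin2, WANG Bao-sheng1, ZHANG Shuo1
            Source: original to this site
            Updated: 2011/9/13 15:30:00
            Text:
            (1. School of Computer, National University of Defense Technology, Changsha, Hunan 410073; 2. Unit 95942 of the Chinese People's Liberation Army, Wuhan, Hubei 430313)
             
            Abstract: Network attacks based on source address spoofing have become one of the principal threats to network security today. Source address validation is one of the effective ways to address this problem and has significant theoretical and practical value. Researchers in China and abroad have proposed a variety of source address validation techniques. This paper first classifies these typical techniques and summarizes their main ideas, advantages and disadvantages, and on that basis proposes the active path identification mechanism Active SPi, in which routers mark packets and end systems apply an active verification technique and perform the filtering. We implemented a Linux-based prototype of Active SPi and built several intra-domain network topologies for simulation experiments. The results show that Active SPi responds quickly to source address forgery attacks and filters effectively.
            Keywords: source address spoofing; active path identification; simulation experiments
            CLC number:                    Document code: A        Article ID:
             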

            Source Validation Technique of Active Path Identification

             WEI Jian1, CAI Gui-lin2, WANG Bao-sheng1, ZHANG Shuo2
            (1. School of Computer, National University of Defense Technology, Changsha 410073, China; 2. Unit 95942 of PLA, Wuhan 430313, China)
            Abstract: Network attacks based on source address spoofing have become one of the most serious threats to network security. Source validation is one of the most important techniques for solving the problem, and research in this field is of great importance in both theory and practice. Researchers have proposed various source address validation technologies. In this paper, the primary mechanisms, advantages and disadvantages of these typical approaches are studied. Based on this study, a novel source validation technique, Active path identification (Active SPi), is proposed, in which routers mark packets and the end system uses a proactive verification technique and performs the filtering. Finally, a prototype system of Active SPi is implemented in Linux, and we construct simulations with various network topologies to verify the effectiveness and filtering accuracy of the technique. The test results show that Active SPi responds quickly to source address forgery attacks and filters well.
            Key words: source address spoofing; source validation technique; simulation

             


             

             
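            About the author:
            WEI Jian, male, born in 1985 in Ganyu, Jiangsu, is a master's student at the School of Computer, National University of Defense Technology. His main research interest is computer networks.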
             
             
               