防御和控制DOS/DDOS攻击新方法的研究

DOS(Denial\|of\|Service)/DDOS(Distributed Denial\|of\|Service)网络攻击不但给被攻 击目标带来麻烦,而且还严重干扰与被攻击目标共享网络的其它流量.利用主动网络将一些计算功能增加到每个中间节点(路由节点、交换机等),提出一个防御和控制DOS/DDOS攻击的机制体系,这个机制体系主要包括以下3个机制 :基于集群的自动鉴别和控制机制、基于集群的主动通告追踪机制和基于管理域的控制合作 机制.基于集群的自动鉴别和控制机制包括对DOS/DDOS网络攻击集群的鉴别策略及控制它们 的速率限制策略.基于集群的主动通告追踪机制则是把这些攻击集群特征通告给上游主动节 点并使之激活当地的速率限制策略.利用该系统,在试验中能够有效地预防和控制DOS/DDOS 攻击. 

Study of new measure to recover and control DOS/DDOS atta ck

DOS(denial|of|service)/DDOS(distributed denial|of|service) network attack not only causes harm to attacked target, but also disturbs other flows that share the same network with attacked target. By adding computing into every bosom node (route, switch), a mechanism system to recover and control DOS/DDOS attack which based on active network was advanced. The mechanism system was composed of three mechanisms: cluster-based automatic identification and control mechanism, cluster-based active notify trace mechanism and administration domain based control cooperation mechanism. Cluster-based automatic identification and control mechanism included identification policy of attack cluster and rate-limit policy of controlling them. Cluster-based active notify trace mechanism will notify the characteristic of attack cluster to upstream active node and activate local rate-limit policy. Effective recovery and the control of DOS/DDOS attack can be realized by using this system at lab.