认证确定包标记算法-南京师范大学学报（工程技术版）

文章信息/Info

作者:: 宗易安¹; 窦万峰¹; 2; 1. 南京师范大学数学与计算机科学学院, 江苏南京210097; 2. 南京大学计算机软件新技术国家重点实验室, 江苏南京210093

Author(s):: Zong Yian¹; Dou Wanfeng¹; ²; 1.School of Mathematics and Computer Science,Nanjing Normal University,Nanjing 210097,China;2.National Important Laboratory of Computer Software New Technology,Nanjing University,Nanjing 210093,China

Keywords:: den ial of serv ice attack; IP traceback; dete rm inistic packetm a rking; MAC- based authentication

摘要:: 确定包标记算法只需要边界路由器进行标记,可以对只使用少量包的拒绝服务攻击进行追踪,能同时追踪上千个攻击者,并且易于实现.针对确定包标记算法中,被攻击者控制的路由器(边界路由器或中间路由器)修改标记或加入伪造包,进而妨碍受害者重构入口地址的问题,提出了新的基于MAC认证的确定包标记算法.研究表明,认证确定包标记算法提供了足够的安全性,能有效阻止子网内的攻击者或傀儡路由器伪造虚假的标记,从而保证了受害者端地址重构的准确性.

Abstract:: Determ in istic packet m ark ing ( DPM ) a lgo rithm only requires edge routers to pe rfo rm packe tm arking and can trace a large number of a ttackers sim ultaneously w ith on ly a few packets from each attacker. For that, comprom ised routers, e ither edge route rs o r transit routers, can eas ily forge packetm ark ings to prevent the v ictim perform ing reconstruction successfu lly. For that, a new schem e, nam ely MAC - based Authenticated DPM ( ADPM ), is proposed. Researches ind ica te that ADPM algor ithm supplies sufficien t secur ity tha t attackers in subnets o r com prom ised routers cannot forgem arkings, wh ich assures the veracity o f address reconstruc tion a t the v ictim.