分布式拒绝服务攻击防御技术研究
|
摘要
随着人们对计算机网络的依赖性不断增强,网络安全越来越受到重视。分布式拒绝服务攻击(DDoS, Distributed Denial of Service)由于其分布式的特性,具有强大的破坏力,而且防范困难。目前对DDoS攻击的防御策略有基于源端、受害端和中间网络三种防御策略。对于这三种策略,目前已有许多成熟的技术,如基于受害方网络的入侵检测系统、DDoS防火墙,基于中间网络的核心路由器包过滤技术等。
针对DDoS防御,虽然已有很多研究性的或者已经商业化的DDoS防御系统,但是针对DDoS的很多问题并没有得到很好的解决。本文从尚未解决的问题入手,首先从以下两方面进行分析研究。
(1)阐述DDoS的根源及DDoS的发展变化,对DDoS的攻击原理、攻击工具、攻击分类及防御方法做了细致的分析,为DDoS防御提供了基本的依据,并且深入分析了现存的解决方案。
(2)深入探讨了千兆级DDoS防火墙研制开发和高速网络带宽耗尽DDoS防御方法,和第三方DDoS主动防御策略模型。设计实现了DDoS防火墙和防御算法应对分布式攻击。然而DDoS防火墙和防御算法并不是阻止DDoS攻击的完整解决方案。本文主要阐述了受害端防御(以防火墙的形式实现),中间网络防御和第三方防御,以上方法均能有效地检测并防御DDoS,同时并没有以牺牲系统性能为代价,在攻击过程中能够给合法流量提供优质服务。
通过研究高速网络DDoS防御的特点,提出了基因过滤算法。主要针对高速网络环境不能采用低速过滤设备的特点,采用路由器过滤带宽耗尽DDoS攻击流量,用统计的方法为路由器路由的流量分配权重。主要利用遗传算法在路由器上过滤流量,从而得到最大的有效流量。最后,在真实的网络环境中验证了其可行性和有效性,讨论分析了算法模型的特点和适用范围,以及进一步的研究内容。
结合全网防御特征,首次提出了DDoS的第三方防御方法。应用微分对策理论,提出防止DDoS应该采取主动策略,如果第三方占有足够的资源,能够和攻击者抗衡,则针对受害网络或服务器的DDoS防御将能够取得成功。建立了一个基于微分对策的DDoS对抗模型,此模型包含以下四个部分:Attacker, Defender, Victim, Botnet。本文认为Victim应该与Defender协同工作来抵御DDoS,采用微分对策决定Defender至少需要控制多少Bot才能有效抵御DDoS。最后,通过NS2网络环境中的仿真研究,验证了其效果,并讨论分析了算法模型的特点和适用范围,以及进一步的研究内容。
目前的DDoS防火墙设备均采用ASIC或X86架构,而没有基于专用网络处理器的DDoS防火墙, NP (Network Processer网络处理器)同时具备了ASIC和X86架构的优点。针对DDoS防火墙现存的防御问题和IXP2400结构特点,设计了千兆DDoS防火墙,提出了高层协议统计分析算法、应用层主动防御算法、有状态Bloom Filter算法。并在真实的网络攻击环境中验证了其可行性和有效性。NP架构的DDoS防火墙的特点是单台防御能力强,受到攻击时负载轻,不占用出口带宽,对于TCP/UDP的小包和大包处理效率高,针对应用层DDoS防范效果好。
As people's dependence on computer networks becomes stronger, network security is getting more and more important. Because of its distributed characteristics, Distributed Denial of Service (DDoS) attacks have more attack resources and more destroying power. So they are very difficut to defense. Currently, there are three kinds of DDoS attack defense policies which are based on the attacking source networks, the victim networks, and the intermediate networks, respectively. For these three policies, there are already some mature technologies and systems, for example, intrusion detection systems on the victim networks, DDoS firewalls, and core router packet filtering technology.
Many defense systems have been designed in the academic and commercial communities to counter DDoS attacks, yet the problem remains largely unsolved. This dissertation explores the problem of DDoS defense from two directions.
(1) The origin of the problem and all its variations are discussed, a survey of existing solutions is provided, and the theory and classification of DDoS attacks, the DDoS attacking tools, and the defense tactics are analyzed. The DDoS defense methods are analyzed in detail which is the basis of DDoS defense.
(2) The design and implementation of a DDoS firewall is presented that prevents ongoing attacks from the distributed attacking networks. We focus on Gbps DDoS firewalls, bandwidth depletion DDoS defense in high-speed networks, and active defense of third party against DDoS defense model. However, firewalls or DDoS defense algorithms are not the complete solution to DDoS attacks. This dissertation addresses the victim-end defense (implemented in the Firewall system), the middle network defense, and the third party defense. These methods can detect and prevent a significant number of DDoS attacks, do not incur significant cost for its operation, and can offer good services to the legitimate traffic during the attacks.
A GA algorithm is proposed based on the research on high-speed network DDoS defense. Mainly because the low-speed filtering equipment cannot be used for high-speed network environments, we use routers to filter bandwidth depletion DDoS traffic. The main idea is to use statistical approaches to allocate weight for the traffic at the routers. We propose a new method based on Genetic Algorithm to filter traffic on the routers and maximize goodput. The feasibility and effectiveness of our approach is validated by measuring the performance of an experimental prototype against a series of attacks. The advantages of the scheme are discussed and further research directions are given.
Considering the entire Internet DDoS defense, the third party DDoS defense method is proposed for the first time. If the third party has enough resources to defense against the attackers, then the DDoS defense for the victim network and the servers will succeed. A new DDoS defense model is proposed based on Differential Games theory. Four main actors are included:Attacker, Defender, Victim, and Botnet. It is believed that Victims who experience an attack should cooperate with the Defender to defend against DDoS attacks. The Differential Games model are used to determine the minimum number of Bots that should be controlled by the Defender to block the DDoS attacks effectively. The feasibility and effectiveness of this approach is validated by simulation experiments with NS2. The advantages of the scheme are discussed and further research directions are given.
At the present time, DDoS firewalls all adopt the ASIC or X86 architecture. There are no DDoS firewalls based on a Network Processor. NP has both the advantages of ASIC and X86. After analyzing the problems with the classical DDoS firewalls and the merits of IXP2400 network processors, a Gbps DDoS firewall is designed and a statistical analysis algorithm for the high-level protocols, an active defense algorithm in the application layer, and a state Bloom Filter algorithm are proposed. The feasibility and effectiveness of this approach is validated by measuring the performance of an experimental prototype against a series of attacks. The advantages of the DDoS firewall are great capabilities by a single firewall, lower workload under attacks, zero exit bandwidth consumption, high efficiency in dealing with both small and big TCP/UDP packets, and with good effect on application level DDoS.
针对DDoS防御,虽然已有很多研究性的或者已经商业化的DDoS防御系统,但是针对DDoS的很多问题并没有得到很好的解决。本文从尚未解决的问题入手,首先从以下两方面进行分析研究。
(1)阐述DDoS的根源及DDoS的发展变化,对DDoS的攻击原理、攻击工具、攻击分类及防御方法做了细致的分析,为DDoS防御提供了基本的依据,并且深入分析了现存的解决方案。
(2)深入探讨了千兆级DDoS防火墙研制开发和高速网络带宽耗尽DDoS防御方法,和第三方DDoS主动防御策略模型。设计实现了DDoS防火墙和防御算法应对分布式攻击。然而DDoS防火墙和防御算法并不是阻止DDoS攻击的完整解决方案。本文主要阐述了受害端防御(以防火墙的形式实现),中间网络防御和第三方防御,以上方法均能有效地检测并防御DDoS,同时并没有以牺牲系统性能为代价,在攻击过程中能够给合法流量提供优质服务。
通过研究高速网络DDoS防御的特点,提出了基因过滤算法。主要针对高速网络环境不能采用低速过滤设备的特点,采用路由器过滤带宽耗尽DDoS攻击流量,用统计的方法为路由器路由的流量分配权重。主要利用遗传算法在路由器上过滤流量,从而得到最大的有效流量。最后,在真实的网络环境中验证了其可行性和有效性,讨论分析了算法模型的特点和适用范围,以及进一步的研究内容。
结合全网防御特征,首次提出了DDoS的第三方防御方法。应用微分对策理论,提出防止DDoS应该采取主动策略,如果第三方占有足够的资源,能够和攻击者抗衡,则针对受害网络或服务器的DDoS防御将能够取得成功。建立了一个基于微分对策的DDoS对抗模型,此模型包含以下四个部分:Attacker, Defender, Victim, Botnet。本文认为Victim应该与Defender协同工作来抵御DDoS,采用微分对策决定Defender至少需要控制多少Bot才能有效抵御DDoS。最后,通过NS2网络环境中的仿真研究,验证了其效果,并讨论分析了算法模型的特点和适用范围,以及进一步的研究内容。
目前的DDoS防火墙设备均采用ASIC或X86架构,而没有基于专用网络处理器的DDoS防火墙, NP (Network Processer网络处理器)同时具备了ASIC和X86架构的优点。针对DDoS防火墙现存的防御问题和IXP2400结构特点,设计了千兆DDoS防火墙,提出了高层协议统计分析算法、应用层主动防御算法、有状态Bloom Filter算法。并在真实的网络攻击环境中验证了其可行性和有效性。NP架构的DDoS防火墙的特点是单台防御能力强,受到攻击时负载轻,不占用出口带宽,对于TCP/UDP的小包和大包处理效率高,针对应用层DDoS防范效果好。
As people's dependence on computer networks becomes stronger, network security is getting more and more important. Because of its distributed characteristics, Distributed Denial of Service (DDoS) attacks have more attack resources and more destroying power. So they are very difficut to defense. Currently, there are three kinds of DDoS attack defense policies which are based on the attacking source networks, the victim networks, and the intermediate networks, respectively. For these three policies, there are already some mature technologies and systems, for example, intrusion detection systems on the victim networks, DDoS firewalls, and core router packet filtering technology.
Many defense systems have been designed in the academic and commercial communities to counter DDoS attacks, yet the problem remains largely unsolved. This dissertation explores the problem of DDoS defense from two directions.
(1) The origin of the problem and all its variations are discussed, a survey of existing solutions is provided, and the theory and classification of DDoS attacks, the DDoS attacking tools, and the defense tactics are analyzed. The DDoS defense methods are analyzed in detail which is the basis of DDoS defense.
(2) The design and implementation of a DDoS firewall is presented that prevents ongoing attacks from the distributed attacking networks. We focus on Gbps DDoS firewalls, bandwidth depletion DDoS defense in high-speed networks, and active defense of third party against DDoS defense model. However, firewalls or DDoS defense algorithms are not the complete solution to DDoS attacks. This dissertation addresses the victim-end defense (implemented in the Firewall system), the middle network defense, and the third party defense. These methods can detect and prevent a significant number of DDoS attacks, do not incur significant cost for its operation, and can offer good services to the legitimate traffic during the attacks.
A GA algorithm is proposed based on the research on high-speed network DDoS defense. Mainly because the low-speed filtering equipment cannot be used for high-speed network environments, we use routers to filter bandwidth depletion DDoS traffic. The main idea is to use statistical approaches to allocate weight for the traffic at the routers. We propose a new method based on Genetic Algorithm to filter traffic on the routers and maximize goodput. The feasibility and effectiveness of our approach is validated by measuring the performance of an experimental prototype against a series of attacks. The advantages of the scheme are discussed and further research directions are given.
Considering the entire Internet DDoS defense, the third party DDoS defense method is proposed for the first time. If the third party has enough resources to defense against the attackers, then the DDoS defense for the victim network and the servers will succeed. A new DDoS defense model is proposed based on Differential Games theory. Four main actors are included:Attacker, Defender, Victim, and Botnet. It is believed that Victims who experience an attack should cooperate with the Defender to defend against DDoS attacks. The Differential Games model are used to determine the minimum number of Bots that should be controlled by the Defender to block the DDoS attacks effectively. The feasibility and effectiveness of this approach is validated by simulation experiments with NS2. The advantages of the scheme are discussed and further research directions are given.
At the present time, DDoS firewalls all adopt the ASIC or X86 architecture. There are no DDoS firewalls based on a Network Processor. NP has both the advantages of ASIC and X86. After analyzing the problems with the classical DDoS firewalls and the merits of IXP2400 network processors, a Gbps DDoS firewall is designed and a statistical analysis algorithm for the high-level protocols, an active defense algorithm in the application layer, and a state Bloom Filter algorithm are proposed. The feasibility and effectiveness of this approach is validated by measuring the performance of an experimental prototype against a series of attacks. The advantages of the DDoS firewall are great capabilities by a single firewall, lower workload under attacks, zero exit bandwidth consumption, high efficiency in dealing with both small and big TCP/UDP packets, and with good effect on application level DDoS.
引文
1. Felix Lau, Stuart H.Rubin, Micheal H.Smith Distrubuted denial of service attacks [A]. IEEE International Comference on Systems, Man and Cybernetics [C].Nashville 2000 2275-2280
2.苏更殊,李之棠DDoS攻击的分析检测与防范技术[J].计算机工程与设计,2006,23:175-180
3. D. L. Cook, W. G Morein, A. D. Keromytis, V. Misra, and D. Rubenstein WebSOS: Protecting Web Servers from DDoS attacks [A].Proceedings of the 11th IEEE International Conference on Networks (ICON 2003) [C].NY,2003,455-460
4. S. Byers, A. D. Rubin, and D. Kormann Defending against an Internet-Based Attack on the Physical World [A].Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society, ACM Press [C].Mardrid, Spain,2002,8:11-18
5. WRichard Stevens TCP/IP详解卷1:协议[M].机械工业出版社,2000.4
6. KUZMANOVIC, KNIGHTLY Low-rate TCP-targeted denial of service attacks-the shrew vs the mice and elephants [A].Proceedings of ACM SIGCOMM 2003 [C].US, 2003.16(3):334-350
7. SUN H B Defending against low-rate TCP attacks:dynamic detection and protection Proc [A].IEEE International Conference on Network Protocols (ICNP) [C].Berlin, Germany,2004,21:5-8
8. David Mankins, Rajesh Krishnan, Ceilyn Boyd et al. Mitigationg distributed denial of service attacks with dynamic resource pricing [A].Proceedings of Annual Computer Security Applications Conference [C].Sheraton New Orleans, Louisiana,2001,24: 4155-4160
9.孙钦东,张德运,高鹏基于时间序列分析的分布式拒绝服务攻击检测[J].计算机学报,2005,28(5):767-773
10.何慧,张宏莉,张伟哲一种基于相似度的DDoS攻击检测方法[J].通信学报,2004,25(7):76-184
11.任勋益,王汝传,王海艳.基于自相似检测DDoS攻击的小波分析方法[J].通信学报,2006,27(5):6-11
12. Benjamin Armbrustera, J. Cole Smithb and Kihong Park A packet filter placement problem with application to defense against spoofed denial of service attacks[J]. European Journal of Operational Research,2007,172(2):1283-1292
13. Roshan Thomas, Brian Mark, Tommy Johnson et al. Client-based high-performance DDoS filtering [A].Proceedings of DARPA Information Survivability Conference and Exposition. [C].Washington, DC, April 2003.17-22
14. Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao Protection from distributed denial of service attacks using history-based IP filtering [A].IEEE International Conference on Communications (ICC'03) [C].Anchorage, Alaska, USA, May 2003. 467-472
15. Yoohwan Kim, Ju-Yeon Jo, Frank L Merat Defeating Distrbuted Denial-of-Service Attack with Deterministic Bit Marking [A].Global Telecommunications Conference (GLOBECOM'05.IEEE) [C].San Francisco,2005.12,23:167-172
16. Mirkovic, Gregory, Peter Reiher Source-end DDoS defense [A].Second IEEE International Symposium on Network Computing and Application(NCA 2005). [C].Cambridge, Massachusette, April 2005
17. Mirkovic, Martin A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms [J].Los Angeles, CA, University of California Computer Science Department
18. A.Snoeren Hash-based IP Traceback [A].Proceeding of ACM SIGCOMM. [C].San Diego, CA, USA, Augest 2005,23:45-50
19. J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, and E. Stoner, State of the Practice of Intrusion Detection Technologies [R].Technical Report CMU/SEI-99-TR-028, Software Engineering Institute,1999
20. HitorStudio.Woolenhy. SYN攻击原理以及防范技术[R].http://blog.csdn.net/woolenhy/archive/2005/03/23/328038.aspx,2005.03
21. Kohler E, Li JY, Paxson V, Shenker S. Observed structure of addresses in IP traffic [A].Internet Measurement Workshop 2002. [C].New York:ACM Press,2002. 253-266
22. Shevtekar A,Anantharam K,Ansari N Low Rate TCP.Denial-of-Service Attack Detection at Edge Routers [A].IEEE. Communications Letters,April 2005
23. M. Krohn. Building secure high-performance Web services with OKWS. In USENIX [R].Technical Conference, June 2004
24. Chen Y,Kwok Y.K,Hwang K Filtering Shrew DDoS Attacks Using A New Frequency Domain Approach [A].In Proc.IEEE LCN Workshop on Network Security [C].NY 2005,23:120-130
25. Bestavros, Matta I. Bandwidth Stealing via Link Targeted RoQ.Attacks [A].The 2nd International Conference on Communication and Computer.Networks [C].Berlin Germany,2004.1201-1234
26.邹波.Cookie思想在TCP与SCTP中的应用[J].电脑知识与技术,2006.04,12:142-165
27. Yaar A,Perrig A,Dawn Xiaodong Song SIFF:A stateless Internet flow filter to mitigate DDoS flooding attacks [A].Proc.2004 IEEE Symp.Security and Privacy.Oakland:IEEE Computer Society Press [C].2004:130-147
28. Jelena Mirkovic D-WARD:Source-End Defense Against Distributed Denial-of-Service Attacks[D].UCLC 2004
29. Henry Y X,Lee C J.A Source address filtering firewall to defend against denial of service attacks [A].Proceedings of IEEE 60th Vehicular [C].Tailand,2004:130-147.
30. Dawn Xiaodong Song, Adrian Perrig Advanced and authenticated marking schemes for IP traceback [A].Proceeding of Twentieth Annual Joint Conference on IEEE Computerand Communications Societies. [C].Stockholm, Sweden, April 2004.
31. Stefan Savage, David Wetherall, Anna Karlin et al. Practical Nerwork Support for IP Traceback, [A].Proceeding of the 2003 ACM SIGCOMM Conference [C].Strockholm, Sweden, August 2003
32. Kernel Korner Network Buffers and Memory Management [OL].www.linuxjournal.com.
33. Shu Zhang, Partha Dasgupta Denying Denial-of-Service Attacks:a Router Based Solution [A].Proceeding of the 2003 International Conference on Internet Computing [C].Las Vegas, June 2003,14:2213-2225
34. Angiulli F, Pizzuti C. Outlier mining in large high-dimensional data sets[J].IEEE Trans. on Knowledge and Data Engineering,2005,17(2):203-215
35. EMIST project. Evaluation methods for internet security technology. [OL].http://www.isi.edu/deter/emist.temp.html
36. Wen J, Anthony KHT, Jiawei H. Mining top-n local outliers in large databases [A]. ACM SIGKDD Intel Conf. on Knowledge Discovery and Data Mining [C].San Francisco, New York:ACM Press,2001.293-298.20
37. Seo J, Lee C, Moon J Defending DDoS attacks using network traffic analysis and probabilistic packet drop [A].GCC 2004 Workshops [C].Berlin Heidelberg:Springer, 2004:390-397
38. Kumar A, Jun X, Li L, Jia W. Space-Code bloom filter for efficient traffic flow measurement [A].The 3rd ACM SIGCOMM Conf. on Internet Measurement [C].New York:ACM Press,2003.167-172
39. Tao P, Christopher L, Kotagiri R Proactively detecting distributed denial of service attacks using source IP address monitoring [A].Third International IFIP-TC6 Networking Conference[C].Berlin Heidelberg:Springer,2004:771-782
40. D. Mankins, R. Krishnan, C. Boyd, J. Zao, and M. Frentz Mitigating distributed denial of service attacks with dynamic resource pricing [A].In Proc. IEEE ACSAC [C]. 2001,23:198-203
41. Burch Tracing anonymous packets to their approximate source [J].USENIX Association Press 2005,17(2):203-215
42. D Moore, G Voelker, and S Savage Inferring Internet Denial of Service Activity [A].Proceedings of the 2001 USENIX Security Symposium [C]. Japan 2001,23:761-772
43. HAO S, SONG H, JIANG WB, et al. A Queue Model to Detect DDoSAttacks[A].Proceedings of the 2005 International Symposium on Collaborative Technologies and Systems [C].Beijing China 2005,23:106-112
44. Shimonishi H, M urase A network processor architecture for flexible QoS control very high speed line interfaces [A].Proeeedings of the 2001 IEEE W orkshop on High Performance Switching and Routing (HPSR 2001) [C].Dallas, America 2001,402-406
45.蔡玮珺,仲海骏,高速网络下的DDoS检测[J].计算机工程2006.5,32:10-14
46. Chen Shigang, Tang Yong,Du Wenliang Stateful DDoS attacks and targeted filtering[J]. Journal of Network and Computer Applications,2007,30(3):823-840
47. Andersen Distributed Filtering for Internet Services [A].in 4th Usenix Symposium on Internet Technologies and Systems. [C].NY,America,2003,10(13):23-40
48. Cohen Simulating Cyber Attacks,Defenses and Consequences [OL].http://www.all.net/journal/ntb/simulate/simulate.htm
49. Nicolas H, Darryl V. Inverting sampled traffic [A].Proc. of the 3rd ACM SIGCOMM Conf. on Internet Measurement. [C].2003,23:222-233
50.孙知信,唐益慰,程媛基于改进CUSUM算法的路由器异常流量检测[J].软件学报,2005,16(12):2117-2123
51.郑辉Internet蠕虫研究[D].南开大学,2000
52.孙知信,唐益慰基于特征提取的路由器异常流量过滤算法研究[J].软件学报,2006,17(2):295-304
53. D. Dean, M. Franklin, and A. Stubblefield, An Algebraic Approach to IP Traceback[J].ACM Transactions on Information and System Security (TISSEC), 2002,(5):119-137
54.罗光春,卢显良,薛丽军一种运用限幅自相似性的新型DDoS入侵检测机制[J]计算机科学,2004,25(13)103-109
55.李登峰,陈守煜微分对策数值解的梯度法[J].大连理工大学学报,1994,(04):207-213
56.李登峰,陈守煜多人多目标微分对策及其P-N均衡策略[A].1994中国控制与决策学术年会论文集[C].吉林,1994,23(4)1208-1230
57. Isaacs R Differential Games [R].Research Memoranda Rand Corporation,1956
58. Staar A W,Ho Y C Further Properties of Nonzero-sum Differential Games [J].Journal of Optimization and Application,1969,3 (3):207-219
59. Lucks D L Equilibrium Feedback Control in Linear Games with Quadratic Cost [J]. Journal on Control and Optimistic,1971,9 (2):234-252
60. Engwerda J C. Feedback Nash equilibrium in the scalar infinite horizon LQ-games [J].Automatica.2000,36(1):135-139
61. Simaan M, Cruz Jr J B. On the solutions of open-loop Nash-Riccati equations in linear quadratic differential games [J].International Journal of Control.1973,18(1):57-63
62. Engwerda J C. Feedback Nash equilibrium in the scalar infinite horizon LQ-games. [J].Automatica.2000,36(1):135-139
63.杨玉华,刘培宁,刘际炜,陈涵生NS-2的仿真模拟技术分析[J].计算机工程,2005,(15):22-27
64.刘勃兰,宋玲.基于NS2的移动自组网路由协议的仿真与实现[J].计算机工程与应用,2007,(06).340-347
65.孙祺,李骐,高振明基于NS网络仿真器的研究与扩展[J].山东电子,2004,(01).134-156
66. Canavan J E Fundamentals of network security [R].Boston,2001
67.郭方方集群防火墙系统的研究[D].哈尔滨工程大学,2006
68.陈文惠.防火墙系统策略配置研究[D].中国科学技术大学,2007
69. Weste Nile CMOS VLSI design:a circuits and systemsperspective[M].The 3rd Person Education,2005,45:693-706
70.周昔平多线程网络处理器分布式内核结构研究[D].西北工业大学,2006
71.桑红石,赵慧,尚社多值图像连通域标记ASIC结构设计[J].小型微型计算机系统,2008,(01)67-80
72. http://www.intel.com/design/network/produ cts/npfamily/ixp2400.html [OL]
73. Zhang bing The research and implementation of NIDS based on IXP2400 [D].Master Dissertation of UESTC,2006
74. An Ke,Zhao Rong-cai,Shan Zheng Technology of data fitting based IXP2400packets sending speed control [J].Journal of Chinese Computer Systems,2007,28 (9):1610-1613
75. Shan Zheng Research on hierarchical performance analysis methodology of NP-based system[D].PLA Information Engineering University,2008
76. Zhang Hong-ke,Su Wei,Wu Yong Principium and technology of network network processor[M].Beijing:Beijing University of Posts and Telecommunications,2004
77. Intel Corporation Intel IXP2400 network processor hardware reference manual [OL].Intel Corporation,2004
78.谢莉钧 IXA架构网络处理器上软件应用开发研究[D].电子科技大学,2006
79.苟正洪 基于IXP2400的iSCSI Initiator研究与实现[D].电子科技大学,2007
80.张铮,赵荣彩,颜峻,金晓燕 基于IXP2400的高速流量生成方法[J].信息工程大学学报,2007.318(1)20-27
81. Intel(R) PXA270 Processor Electrical, Mechanical and Ther-mal Specification Data Sheet[S].2004
82. Intel(R) PXA27x Processor Family Design Guide[S].2004,24:37-39
83. Intel Corp, Intel IXP2400 and IXP2800 Network Processor Programmer's Reference Manual 2004-10 [CP]
84.徐千洋Linux C函数库参考手册[M].中国青年出版社,2002.495-604
85. Bruce Schneier应用密码学协议算法与C源程序[M].机械工业出版社,2001.195-302
86.孙知信,李清东 基于源目的IP地址对数据库的防范DDoS攻击策略[J].软件学报2007,18(10):2613-2623
87. M. Adler Tradeoffs in Probabilistic Packet Marking for IP Traceback [A].Proceedings of the 34th annual ACM Symposium on Theory of Computing, ACM Press[C].Portugal 2002,22:407-418
88.陈丹妮,王锁萍 基于IPv6的DDoS防御研究[D].南京邮电大学2004
89. H. Tangmunarunkit, R. Govindan, S. Jamin, S. Shenker, and W. Willinger Network topology generators:Degree-based vs. structural [A].In Proceedings of ACM SIGCOMM[C].Spain 2002
90. J. Strauss, D. Katabi, and F. Kaashoek A measurement study of available bandwidth estimation tools [A].Proceedings of ACM IMC [C].2003,10:234-239
91. R. Mahajan, N. Spring, David Wetherall, and Thomas Anderson. User-level internet path diagnosis [A].Proceedings of ACM SOSP [C].LA, America, October 2003. 407-418.
92.周再红,谢冬青 一种抗DDoS攻击的追踪和分布式防御方案研究硕士学位论文[D].南开大学,2004
93. Thomas Graf,Greg Maxwell,Remco van Mook et al Linux Advanced Routing&T Control-HOWTO [OL].2005.03
94. W. Morein, A. Stavrou, D. Cook, A. Keromytis, V. Mishra, and D. Rubenstein Using graphic turing tests to counter automated DDoS attacks against Web servers [A].In ACM CCS [A].Berlin,2003.10
95. K. Park, V. S. Pai, K.-W. Lee, and S. Calo Securing Web service by automatic robot detection [A].In USENIX Technical Conference[C].2006.13(2)2201-2213
96.王敏,吉逸Java2环境下身份认证和授权机制的研究[J].微机发展,2003(05).103-109
97.金海坤,杜文杰,沙俐敏基于CAPTCHA的中文安全机制的研究[J].计算机工程与设计,2006,(06):220-229
98. Network World Extortion via DDoS on the rise [OL].May 2005. http://www.networkworld.com/news/2005/051605-DDoS-extortion.html
99. Programmer's reference manual.Intel Corporation [OL].2003
100.Building blocks applications design Guide.Intel Corporation [OL].2003
101.Building blocks developer's manual.Intel Corporation [OL].2003
102.Building blocks reference manual.Intel Corporation [OL].2003
103.Development tools user's guide.Intel Corporation [OL].2003
104.E. J. Johnson,A. R. Knuze IXP 2400/2800 Programming [M].US:Intel Press,2003: 48-53
105.M. J. Rashti, H. R. Rabiee A. Foroutan A Multi Dimensional Packet Classifier for NP Based Firewalls [J].IEEE Computer Society Press,2004,12:250-254
106.谭章熹,林闯,任丰原网络处理器的分析与研究[J].软件学报,2003,14(2):253-267
107.Network Systems Design Using Network Processors [M].Prentice Hall,2003
108.Intel IXP2400 Network Processor Product Information available at http:/www.intel.com/design/network/produets/ixpfamily/ixp2400.htm [OL]
109.Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao Survey of network-based defense mechanisms countering the DoS and DDoS problems [J].ACM Computing Surveys (CSUR),2007,3:0360-0300
110.E. Arikan Attack profiling for DDoS benchmarks [D].MS thesis, University of Delaware,2006.8
111.T. Benzel, R. Braden, D. Kim, C. Neuman, A, Joseph, K. Sklower, R. Ostrenga, and S. Schwab. Experiences With DETER:A Testbed for Security Research [A].In 2nd IEEE [C].TridentCom, March 2006
112.EMIST project. Evaluation methods for internet security technology [OL].http://www.isi.edu/deter/emist.temp.html
113.J. Mirkovic, E. Arikan, S. Wei, S. Fahmy, R. Thomas, and P. Reiher. Benchmarks for DDoS Defense Evaluation [A].MILCOM [C] Japan 2006
114.Tao P, Christopher L, Kotagiri R.Proactively detecting distributed denial of service attacks using source IP address monitoring [A].Third International IFIP-TC6 Networking Conference [C].Berlin Heidelberg:Springer,2004:771-782
115.D. E. Comer, Network SystemsDesign UsingNetwork Processors [M].Asia:Prentice Hall,2004:157-158
116.Intel Corporation. Intel IXP2400 Network Processor Hardware Reference Manual 2003 [CP].http://www.intel.com/design/network/products/npfamily/ixp2400.htm
117.STEIN The World Wide Web Security FAQ [OL].2007,16:04-10
118.Kumar A, Sung M, Xu J, Wang J. Data streaming algorithms for efficient and accurate estimation of flow size distribution [A].ACM Sigmetrics. New York:ACM Press, [C].2004,177-188
119.K. Anagnostakis, M. Greenwald, and R. Ryger On the Sensitivity of Network Simulation to Topology [A].In Proc. of MASCOTS [C].Berlin 2002.34(9):1002-1021
2.苏更殊,李之棠DDoS攻击的分析检测与防范技术[J].计算机工程与设计,2006,23:175-180
3. D. L. Cook, W. G Morein, A. D. Keromytis, V. Misra, and D. Rubenstein WebSOS: Protecting Web Servers from DDoS attacks [A].Proceedings of the 11th IEEE International Conference on Networks (ICON 2003) [C].NY,2003,455-460
4. S. Byers, A. D. Rubin, and D. Kormann Defending against an Internet-Based Attack on the Physical World [A].Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society, ACM Press [C].Mardrid, Spain,2002,8:11-18
5. WRichard Stevens TCP/IP详解卷1:协议[M].机械工业出版社,2000.4
6. KUZMANOVIC, KNIGHTLY Low-rate TCP-targeted denial of service attacks-the shrew vs the mice and elephants [A].Proceedings of ACM SIGCOMM 2003 [C].US, 2003.16(3):334-350
7. SUN H B Defending against low-rate TCP attacks:dynamic detection and protection Proc [A].IEEE International Conference on Network Protocols (ICNP) [C].Berlin, Germany,2004,21:5-8
8. David Mankins, Rajesh Krishnan, Ceilyn Boyd et al. Mitigationg distributed denial of service attacks with dynamic resource pricing [A].Proceedings of Annual Computer Security Applications Conference [C].Sheraton New Orleans, Louisiana,2001,24: 4155-4160
9.孙钦东,张德运,高鹏基于时间序列分析的分布式拒绝服务攻击检测[J].计算机学报,2005,28(5):767-773
10.何慧,张宏莉,张伟哲一种基于相似度的DDoS攻击检测方法[J].通信学报,2004,25(7):76-184
11.任勋益,王汝传,王海艳.基于自相似检测DDoS攻击的小波分析方法[J].通信学报,2006,27(5):6-11
12. Benjamin Armbrustera, J. Cole Smithb and Kihong Park A packet filter placement problem with application to defense against spoofed denial of service attacks[J]. European Journal of Operational Research,2007,172(2):1283-1292
13. Roshan Thomas, Brian Mark, Tommy Johnson et al. Client-based high-performance DDoS filtering [A].Proceedings of DARPA Information Survivability Conference and Exposition. [C].Washington, DC, April 2003.17-22
14. Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao Protection from distributed denial of service attacks using history-based IP filtering [A].IEEE International Conference on Communications (ICC'03) [C].Anchorage, Alaska, USA, May 2003. 467-472
15. Yoohwan Kim, Ju-Yeon Jo, Frank L Merat Defeating Distrbuted Denial-of-Service Attack with Deterministic Bit Marking [A].Global Telecommunications Conference (GLOBECOM'05.IEEE) [C].San Francisco,2005.12,23:167-172
16. Mirkovic, Gregory, Peter Reiher Source-end DDoS defense [A].Second IEEE International Symposium on Network Computing and Application(NCA 2005). [C].Cambridge, Massachusette, April 2005
17. Mirkovic, Martin A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms [J].Los Angeles, CA, University of California Computer Science Department
18. A.Snoeren Hash-based IP Traceback [A].Proceeding of ACM SIGCOMM. [C].San Diego, CA, USA, Augest 2005,23:45-50
19. J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, and E. Stoner, State of the Practice of Intrusion Detection Technologies [R].Technical Report CMU/SEI-99-TR-028, Software Engineering Institute,1999
20. HitorStudio.Woolenhy. SYN攻击原理以及防范技术[R].http://blog.csdn.net/woolenhy/archive/2005/03/23/328038.aspx,2005.03
21. Kohler E, Li JY, Paxson V, Shenker S. Observed structure of addresses in IP traffic [A].Internet Measurement Workshop 2002. [C].New York:ACM Press,2002. 253-266
22. Shevtekar A,Anantharam K,Ansari N Low Rate TCP.Denial-of-Service Attack Detection at Edge Routers [A].IEEE. Communications Letters,April 2005
23. M. Krohn. Building secure high-performance Web services with OKWS. In USENIX [R].Technical Conference, June 2004
24. Chen Y,Kwok Y.K,Hwang K Filtering Shrew DDoS Attacks Using A New Frequency Domain Approach [A].In Proc.IEEE LCN Workshop on Network Security [C].NY 2005,23:120-130
25. Bestavros, Matta I. Bandwidth Stealing via Link Targeted RoQ.Attacks [A].The 2nd International Conference on Communication and Computer.Networks [C].Berlin Germany,2004.1201-1234
26.邹波.Cookie思想在TCP与SCTP中的应用[J].电脑知识与技术,2006.04,12:142-165
27. Yaar A,Perrig A,Dawn Xiaodong Song SIFF:A stateless Internet flow filter to mitigate DDoS flooding attacks [A].Proc.2004 IEEE Symp.Security and Privacy.Oakland:IEEE Computer Society Press [C].2004:130-147
28. Jelena Mirkovic D-WARD:Source-End Defense Against Distributed Denial-of-Service Attacks[D].UCLC 2004
29. Henry Y X,Lee C J.A Source address filtering firewall to defend against denial of service attacks [A].Proceedings of IEEE 60th Vehicular [C].Tailand,2004:130-147.
30. Dawn Xiaodong Song, Adrian Perrig Advanced and authenticated marking schemes for IP traceback [A].Proceeding of Twentieth Annual Joint Conference on IEEE Computerand Communications Societies. [C].Stockholm, Sweden, April 2004.
31. Stefan Savage, David Wetherall, Anna Karlin et al. Practical Nerwork Support for IP Traceback, [A].Proceeding of the 2003 ACM SIGCOMM Conference [C].Strockholm, Sweden, August 2003
32. Kernel Korner Network Buffers and Memory Management [OL].www.linuxjournal.com.
33. Shu Zhang, Partha Dasgupta Denying Denial-of-Service Attacks:a Router Based Solution [A].Proceeding of the 2003 International Conference on Internet Computing [C].Las Vegas, June 2003,14:2213-2225
34. Angiulli F, Pizzuti C. Outlier mining in large high-dimensional data sets[J].IEEE Trans. on Knowledge and Data Engineering,2005,17(2):203-215
35. EMIST project. Evaluation methods for internet security technology. [OL].http://www.isi.edu/deter/emist.temp.html
36. Wen J, Anthony KHT, Jiawei H. Mining top-n local outliers in large databases [A]. ACM SIGKDD Intel Conf. on Knowledge Discovery and Data Mining [C].San Francisco, New York:ACM Press,2001.293-298.20
37. Seo J, Lee C, Moon J Defending DDoS attacks using network traffic analysis and probabilistic packet drop [A].GCC 2004 Workshops [C].Berlin Heidelberg:Springer, 2004:390-397
38. Kumar A, Jun X, Li L, Jia W. Space-Code bloom filter for efficient traffic flow measurement [A].The 3rd ACM SIGCOMM Conf. on Internet Measurement [C].New York:ACM Press,2003.167-172
39. Tao P, Christopher L, Kotagiri R Proactively detecting distributed denial of service attacks using source IP address monitoring [A].Third International IFIP-TC6 Networking Conference[C].Berlin Heidelberg:Springer,2004:771-782
40. D. Mankins, R. Krishnan, C. Boyd, J. Zao, and M. Frentz Mitigating distributed denial of service attacks with dynamic resource pricing [A].In Proc. IEEE ACSAC [C]. 2001,23:198-203
41. Burch Tracing anonymous packets to their approximate source [J].USENIX Association Press 2005,17(2):203-215
42. D Moore, G Voelker, and S Savage Inferring Internet Denial of Service Activity [A].Proceedings of the 2001 USENIX Security Symposium [C]. Japan 2001,23:761-772
43. HAO S, SONG H, JIANG WB, et al. A Queue Model to Detect DDoSAttacks[A].Proceedings of the 2005 International Symposium on Collaborative Technologies and Systems [C].Beijing China 2005,23:106-112
44. Shimonishi H, M urase A network processor architecture for flexible QoS control very high speed line interfaces [A].Proeeedings of the 2001 IEEE W orkshop on High Performance Switching and Routing (HPSR 2001) [C].Dallas, America 2001,402-406
45.蔡玮珺,仲海骏,高速网络下的DDoS检测[J].计算机工程2006.5,32:10-14
46. Chen Shigang, Tang Yong,Du Wenliang Stateful DDoS attacks and targeted filtering[J]. Journal of Network and Computer Applications,2007,30(3):823-840
47. Andersen Distributed Filtering for Internet Services [A].in 4th Usenix Symposium on Internet Technologies and Systems. [C].NY,America,2003,10(13):23-40
48. Cohen Simulating Cyber Attacks,Defenses and Consequences [OL].http://www.all.net/journal/ntb/simulate/simulate.htm
49. Nicolas H, Darryl V. Inverting sampled traffic [A].Proc. of the 3rd ACM SIGCOMM Conf. on Internet Measurement. [C].2003,23:222-233
50.孙知信,唐益慰,程媛基于改进CUSUM算法的路由器异常流量检测[J].软件学报,2005,16(12):2117-2123
51.郑辉Internet蠕虫研究[D].南开大学,2000
52.孙知信,唐益慰基于特征提取的路由器异常流量过滤算法研究[J].软件学报,2006,17(2):295-304
53. D. Dean, M. Franklin, and A. Stubblefield, An Algebraic Approach to IP Traceback[J].ACM Transactions on Information and System Security (TISSEC), 2002,(5):119-137
54.罗光春,卢显良,薛丽军一种运用限幅自相似性的新型DDoS入侵检测机制[J]计算机科学,2004,25(13)103-109
55.李登峰,陈守煜微分对策数值解的梯度法[J].大连理工大学学报,1994,(04):207-213
56.李登峰,陈守煜多人多目标微分对策及其P-N均衡策略[A].1994中国控制与决策学术年会论文集[C].吉林,1994,23(4)1208-1230
57. Isaacs R Differential Games [R].Research Memoranda Rand Corporation,1956
58. Staar A W,Ho Y C Further Properties of Nonzero-sum Differential Games [J].Journal of Optimization and Application,1969,3 (3):207-219
59. Lucks D L Equilibrium Feedback Control in Linear Games with Quadratic Cost [J]. Journal on Control and Optimistic,1971,9 (2):234-252
60. Engwerda J C. Feedback Nash equilibrium in the scalar infinite horizon LQ-games [J].Automatica.2000,36(1):135-139
61. Simaan M, Cruz Jr J B. On the solutions of open-loop Nash-Riccati equations in linear quadratic differential games [J].International Journal of Control.1973,18(1):57-63
62. Engwerda J C. Feedback Nash equilibrium in the scalar infinite horizon LQ-games. [J].Automatica.2000,36(1):135-139
63.杨玉华,刘培宁,刘际炜,陈涵生NS-2的仿真模拟技术分析[J].计算机工程,2005,(15):22-27
64.刘勃兰,宋玲.基于NS2的移动自组网路由协议的仿真与实现[J].计算机工程与应用,2007,(06).340-347
65.孙祺,李骐,高振明基于NS网络仿真器的研究与扩展[J].山东电子,2004,(01).134-156
66. Canavan J E Fundamentals of network security [R].Boston,2001
67.郭方方集群防火墙系统的研究[D].哈尔滨工程大学,2006
68.陈文惠.防火墙系统策略配置研究[D].中国科学技术大学,2007
69. Weste Nile CMOS VLSI design:a circuits and systemsperspective[M].The 3rd Person Education,2005,45:693-706
70.周昔平多线程网络处理器分布式内核结构研究[D].西北工业大学,2006
71.桑红石,赵慧,尚社多值图像连通域标记ASIC结构设计[J].小型微型计算机系统,2008,(01)67-80
72. http://www.intel.com/design/network/produ cts/npfamily/ixp2400.html [OL]
73. Zhang bing The research and implementation of NIDS based on IXP2400 [D].Master Dissertation of UESTC,2006
74. An Ke,Zhao Rong-cai,Shan Zheng Technology of data fitting based IXP2400packets sending speed control [J].Journal of Chinese Computer Systems,2007,28 (9):1610-1613
75. Shan Zheng Research on hierarchical performance analysis methodology of NP-based system[D].PLA Information Engineering University,2008
76. Zhang Hong-ke,Su Wei,Wu Yong Principium and technology of network network processor[M].Beijing:Beijing University of Posts and Telecommunications,2004
77. Intel Corporation Intel IXP2400 network processor hardware reference manual [OL].Intel Corporation,2004
78.谢莉钧 IXA架构网络处理器上软件应用开发研究[D].电子科技大学,2006
79.苟正洪 基于IXP2400的iSCSI Initiator研究与实现[D].电子科技大学,2007
80.张铮,赵荣彩,颜峻,金晓燕 基于IXP2400的高速流量生成方法[J].信息工程大学学报,2007.318(1)20-27
81. Intel(R) PXA270 Processor Electrical, Mechanical and Ther-mal Specification Data Sheet[S].2004
82. Intel(R) PXA27x Processor Family Design Guide[S].2004,24:37-39
83. Intel Corp, Intel IXP2400 and IXP2800 Network Processor Programmer's Reference Manual 2004-10 [CP]
84.徐千洋Linux C函数库参考手册[M].中国青年出版社,2002.495-604
85. Bruce Schneier应用密码学协议算法与C源程序[M].机械工业出版社,2001.195-302
86.孙知信,李清东 基于源目的IP地址对数据库的防范DDoS攻击策略[J].软件学报2007,18(10):2613-2623
87. M. Adler Tradeoffs in Probabilistic Packet Marking for IP Traceback [A].Proceedings of the 34th annual ACM Symposium on Theory of Computing, ACM Press[C].Portugal 2002,22:407-418
88.陈丹妮,王锁萍 基于IPv6的DDoS防御研究[D].南京邮电大学2004
89. H. Tangmunarunkit, R. Govindan, S. Jamin, S. Shenker, and W. Willinger Network topology generators:Degree-based vs. structural [A].In Proceedings of ACM SIGCOMM[C].Spain 2002
90. J. Strauss, D. Katabi, and F. Kaashoek A measurement study of available bandwidth estimation tools [A].Proceedings of ACM IMC [C].2003,10:234-239
91. R. Mahajan, N. Spring, David Wetherall, and Thomas Anderson. User-level internet path diagnosis [A].Proceedings of ACM SOSP [C].LA, America, October 2003. 407-418.
92.周再红,谢冬青 一种抗DDoS攻击的追踪和分布式防御方案研究硕士学位论文[D].南开大学,2004
93. Thomas Graf,Greg Maxwell,Remco van Mook et al Linux Advanced Routing&T Control-HOWTO [OL].2005.03
94. W. Morein, A. Stavrou, D. Cook, A. Keromytis, V. Mishra, and D. Rubenstein Using graphic turing tests to counter automated DDoS attacks against Web servers [A].In ACM CCS [A].Berlin,2003.10
95. K. Park, V. S. Pai, K.-W. Lee, and S. Calo Securing Web service by automatic robot detection [A].In USENIX Technical Conference[C].2006.13(2)2201-2213
96.王敏,吉逸Java2环境下身份认证和授权机制的研究[J].微机发展,2003(05).103-109
97.金海坤,杜文杰,沙俐敏基于CAPTCHA的中文安全机制的研究[J].计算机工程与设计,2006,(06):220-229
98. Network World Extortion via DDoS on the rise [OL].May 2005. http://www.networkworld.com/news/2005/051605-DDoS-extortion.html
99. Programmer's reference manual.Intel Corporation [OL].2003
100.Building blocks applications design Guide.Intel Corporation [OL].2003
101.Building blocks developer's manual.Intel Corporation [OL].2003
102.Building blocks reference manual.Intel Corporation [OL].2003
103.Development tools user's guide.Intel Corporation [OL].2003
104.E. J. Johnson,A. R. Knuze IXP 2400/2800 Programming [M].US:Intel Press,2003: 48-53
105.M. J. Rashti, H. R. Rabiee A. Foroutan A Multi Dimensional Packet Classifier for NP Based Firewalls [J].IEEE Computer Society Press,2004,12:250-254
106.谭章熹,林闯,任丰原网络处理器的分析与研究[J].软件学报,2003,14(2):253-267
107.Network Systems Design Using Network Processors [M].Prentice Hall,2003
108.Intel IXP2400 Network Processor Product Information available at http:/www.intel.com/design/network/produets/ixpfamily/ixp2400.htm [OL]
109.Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao Survey of network-based defense mechanisms countering the DoS and DDoS problems [J].ACM Computing Surveys (CSUR),2007,3:0360-0300
110.E. Arikan Attack profiling for DDoS benchmarks [D].MS thesis, University of Delaware,2006.8
111.T. Benzel, R. Braden, D. Kim, C. Neuman, A, Joseph, K. Sklower, R. Ostrenga, and S. Schwab. Experiences With DETER:A Testbed for Security Research [A].In 2nd IEEE [C].TridentCom, March 2006
112.EMIST project. Evaluation methods for internet security technology [OL].http://www.isi.edu/deter/emist.temp.html
113.J. Mirkovic, E. Arikan, S. Wei, S. Fahmy, R. Thomas, and P. Reiher. Benchmarks for DDoS Defense Evaluation [A].MILCOM [C] Japan 2006
114.Tao P, Christopher L, Kotagiri R.Proactively detecting distributed denial of service attacks using source IP address monitoring [A].Third International IFIP-TC6 Networking Conference [C].Berlin Heidelberg:Springer,2004:771-782
115.D. E. Comer, Network SystemsDesign UsingNetwork Processors [M].Asia:Prentice Hall,2004:157-158
116.Intel Corporation. Intel IXP2400 Network Processor Hardware Reference Manual 2003 [CP].http://www.intel.com/design/network/products/npfamily/ixp2400.htm
117.STEIN The World Wide Web Security FAQ [OL].2007,16:04-10
118.Kumar A, Sung M, Xu J, Wang J. Data streaming algorithms for efficient and accurate estimation of flow size distribution [A].ACM Sigmetrics. New York:ACM Press, [C].2004,177-188
119.K. Anagnostakis, M. Greenwald, and R. Ryger On the Sensitivity of Network Simulation to Topology [A].In Proc. of MASCOTS [C].Berlin 2002.34(9):1002-1021