
Research on DDoS Attack and Its Countermeasures

【Author】 Sun Xi (孙曦)

【Advisor】 Wang Yumin (王育民)

【Author information】 Xidian University, Communication and Information Systems, 2004, Master's

【Abstract】 Distributed denial-of-service (DDoS) attacks are a new form of denial-of-service (DoS) attack that has emerged in recent years. Because they are distributed, DDoS attacks command more attack resources than traditional DoS attacks, are more destructive, and are harder to defend against. They have become a serious threat to Internet security and a focus of current network security research. This thesis analyzes the mechanism of DDoS attacks in detail and introduces new taxonomies to study and classify existing DDoS attack methods comprehensively, with emphasis on the most commonly used TCP flooding attacks. It then studies, compares and evaluates existing countermeasures in three stages, concentrating on detection-filtering mechanisms applied during an attack and on attack source traceback (IP traceback) techniques. On this basis, two new attack detection-filtering mechanisms are proposed: the Distributed Attack Detection-Filtering (DADF) mechanism and the Local Attack Detection-Filtering (LADF) mechanism for TCP flooding attacks. An anomaly detection technique based on the statistical distribution characteristics of IP addresses is proposed for attack detection. In addition, a "shock" detection technique is proposed for TCP flooding attacks to further improve detection efficiency. Of the two mechanisms, the former is deployed on Internet core routers or on key routers of regional autonomous systems as security infrastructure; the latter is deployed at the victim and its upstream ISP network and defends well against TCP flooding attacks.

【Key words】 DoS; DDoS; TCP flooding; Detection-Filtering; IP Traceback
  • 【Classification number】 TP393.08
  • 【Times cited】 6
  • 【Downloads】 474