Filter location selection method for bandwidth consumption attacks

Abstract

The invention discloses a filtering position selection method against bandwidth consumption-type attacks. The method comprises the following steps: a link congestion complete dependency set CDSset for routing nodes in an attack tree is built; according to an upstream and downstream dependency relation for the link in the link congestion complete dependency set CDSset, a corresponding link congestion dependency tree is built; all link congestion dependency trees form a link congestion dependency forest; and leaf routing nodes in each link congestion dependency tree in the link congestion dependency forest are the optimal filtering positions of the routing nodes in the attack tree against bandwidth consumption-type attacks. Through adopting the filtering position selection method of the invention, the existing filtering strategy can be used for 25% filtering the routing nodes to clear all congestion links, the two are balanced, and network delay caused by router filtering can be greatly reduced.

Description

technical field [0001] The invention relates to a method for defending against bandwidth consumption attacks, in particular to a filtering location selection method for bandwidth consumption attacks. Background technique [0002] The rapid development of the Internet has greatly facilitated people's lives and promoted the progress of many aspects of society, but the security problems that accompanies the development of the Internet should not be underestimated. We know that in the IP protocol, the host only has the identification information of the IP address, so when the sender changes his IP address to send information to the receiver, the receiver must accept the information and then make a decision because he cannot distinguish its authenticity. Denial of Service attack (Denial of Service attack, DoS attack) is exactly to utilize such protocol loophole (being " Lee.J.Scalable multicast based filtering and tracing framework for defeating distributed DoS attacks [J].Int.J....

AI Technical Summary

Problems solved by technology

[0004] There is still a problem in the defense process: after the attack, the longer it takes to restore normal services, the greater the economic loss caused. In the current packet filtering mechanism, packet filtering and IP traceability are carried out simultaneously, which can Rapid response to attack, enhanced defense effect (such as "K.Argyraki and Cheriton.RD.Scalable network-layer defense against internetbandwidth-flooding attacks[J].IEEE / ACM Transactionson Networking,2009,17:1284-1297.", "D .Seo,H.Lee and A.Perig.PFS: probability filter scheduling against distributeddenial-of-service attacks[J].inProc.ofLocal Computer Networks,2011:9-17. "M.S Fallah and N.Kahani, TDPF: atraceback-based distributed packet filter to mitigate spoofed DDoS attacks[J], Security and Communication Networks, 2014. "M.Sung.and J.Xu, IP traceback-based intelligent packet filtering: a noveltech-nique for defending against Internet DDoS attack[J], IEEE / ACM Transaction on Paralell and Distributed Systems, 2003, 14:861-872.")

However, if the scale of the bot attack network continues to increase, exceeding Moore's Law, the number of filtering routes that need to be opened will also increase, which will have a great impact on network performance.

Images