使用信息检测(技术)的DoS过滤器.docVIP

Shield: DoS Filtering Using Traffic Deflecting 盾：使用信息检测（技术）的DoS过滤器 Abstract—Denial-of-service (DoS) attacks continue to be a major problem on the Internet. While many defense mechanisms have been created, they all have significant deployment issues. This paper introduces a novel method that overcomes these issues, allowing a small number of deployed DoS defenses to act as secure on-demand shields for any node on the Internet. The proposed method is based on rerouting any packet addressed to a protected autonomous system (AS) through an intermediate filtering node— a shield. In this way, all potentially harmful traffic could be discarded before reaching the destination. The mechanisms for packet rerouting use existing routing techniques and do not require any kind of modification to the deployed protocols or routers. To make the proposed system feasible, from both deployment and usage points of view, traffic rerouting and outsourced filtering could be provided as an insurance-style on-demand service. Index Terms—DDoS, Filtering, IP Anycast, BGP, Traffic deflection 摘要—拒绝服务(DoS)攻击仍然是互联网的一个主要难题。虽然人们创建了许多防御机制，但这些都有着明显的资源配置问题。本文介绍了一种全新的能克服这些问题的方法，通过部署少量的DoS防御来响应互联网上任意节点的防护请求。该方法通过一个中间过滤节点—盾来重编数据地址路由以保护AS系统。这样，所有潜在的危险信息流在到达目的地之前就会被丢弃。修改数据包的路由机制使用现有路由技术，不需要修改任何协议或路由器的配置。为使系统能兼顾配置和使用两方面，改变信息流路由和外包过滤可以提供一种保险风格的按需式服务。 关键词—分布式拒绝服务，过滤，IP任播，边界网关协议，数据流绕曲 Ⅰ.简介 As the Internet grows, malicious users continue to find intellige-nt and insidious ways to attack it. Many types of attacks happen every day, but one particular kind—denial-of-service (DoS) attacks—remain the most common, accounting for more th-an a third of all malicious behavior on the Internet in 2011 [1]. The main goal of these attacks is literally to deny some o-r all legitimate users access to a particular Internet service, h-arming the service as a whole. In the extreme case, when the attack is aimed at the core Internet infr-astructure (e.g., attacks on the root DNS servers [2]), the whole Internet could be jeopardiz