Abstract
SYN flood is one of the most common denial-of-service (DoS) attacks today. By sending large numbers of TCP connection-request packets it creates many half-open connections and exhausts network resources. Because the packets used in the flood are well-formed TCP packets and the source addresses are spoofed, both detecting and blocking the attack are difficult. This paper analyses the mechanism of the SYN flood attack and the reasons it is hard to detect and block, and proposes a two-stage defence: an SVM (Support Vector Machine) anomaly-detection classifier first identifies attack packets, and misuse-detection rules are then generated from the similarity of those packets so that further attack packets can be blocked. Experimental results show that this method detects SYN flood attacks effectively.
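The two-stage scheme the abstract describes, as an added illustration that is not the paper's code: stage 1 flags SYN packets in time windows where the number of half-open connections exceeds a baseline (a simple counter stands in for the paper's SVM classifier so the example runs without any ML library), and stage 2 derives a misuse rule from the header fields that the flagged packets share, the "packet similarity" idea in the abstract. The packet records, thresholds and field names are all constructed assumptions; spoofed sources vary while TTL, window size and destination port stay constant, as a single flood tool would produce.

```python
"""Two-stage SYN flood defence: window anomaly scoring, then rule synthesis.

Illustration only; stage 1 replaces the paper's SVM classifier with a
half-open-connection counter so the example has no ML dependency.
"""
from collections import Counter, defaultdict

RULE_FIELDS = ("dst", "dport", "ttl", "win")  # assumed header fields for rule synthesis


def build_sample_traffic():
    """Constructed packet records (not captured traffic)."""
    pkts = []
    # Legitimate clients: each SYN is followed by an ACK; TTL/window vary per host.
    legit = [("10.0.0.5", 64, 65535), ("10.0.0.7", 128, 8192), ("10.0.0.9", 52, 29200)]
    for i, (src, ttl, win) in enumerate(legit):
        pkts.append(dict(t=i, src=src, dst="192.0.2.10", dport=80, flags="S", ttl=ttl, win=win))
        pkts.append(dict(t=i + 1, src=src, dst="192.0.2.10", dport=80, flags="A", ttl=ttl, win=win))
    # Flood: 40 SYNs from spoofed sources, never completed, identical TTL/window.
    for i in range(40):
        pkts.append(dict(t=10 + i * 0.1, src=f"203.0.113.{i}", dst="192.0.2.10",
                         dport=80, flags="S", ttl=243, win=1024))
    # A legitimate client connecting during the flood must not be blocked.
    pkts.append(dict(t=12, src="10.0.0.5", dst="192.0.2.10", dport=80, flags="S", ttl=64, win=65535))
    pkts.append(dict(t=12.5, src="10.0.0.5", dst="192.0.2.10", dport=80, flags="A", ttl=64, win=65535))
    return pkts


def stage1_flag_half_open_syns(pkts, window=1.0, threshold=5, timeout=2.0):
    """Anomaly stage: return SYNs in windows whose half-open count exceeds threshold.

    A SYN is half-open if the same (src, dst, dport) sends no ACK within `timeout`.
    """
    acks = defaultdict(list)
    for p in pkts:
        if p["flags"] == "A":
            acks[(p["src"], p["dst"], p["dport"])].append(p["t"])
    half_open = []
    for p in pkts:
        if p["flags"] != "S":
            continue
        key = (p["src"], p["dst"], p["dport"])
        completed = any(p["t"] <= a <= p["t"] + timeout for a in acks[key])
        if not completed:
            half_open.append(p)
    per_window = Counter((p["dst"], int(p["t"] // window)) for p in half_open)
    return [p for p in half_open if per_window[(p["dst"], int(p["t"] // window))] > threshold]


def stage2_build_rule(flagged, min_share=0.9):
    """Misuse-rule synthesis: keep a field only if >= min_share of flagged packets agree on it."""
    rule = {}
    if not flagged:  # nothing flagged: no rule, so nothing is blocked
        return rule
    for f in RULE_FIELDS:
        value, count = Counter(p[f] for p in flagged).most_common(1)[0]
        if count / len(flagged) >= min_share:
            rule[f] = value
    return rule


def similarity(pkt, rule):
    """Fraction of rule fields the packet matches (1.0 = exact match, 0.0 for an empty rule)."""
    if not rule:
        return 0.0
    return sum(pkt.get(f) == v for f, v in rule.items()) / len(rule)


def stage3_apply_rule(pkts, rule, min_similarity=1.0):
    """Blocking stage: SYNs at least min_similarity similar to the rule are dropped."""
    return [p for p in pkts if p["flags"] == "S" and similarity(p, rule) >= min_similarity]


def run_pipeline(pkts):
    flagged = stage1_flag_half_open_syns(pkts)
    rule = stage2_build_rule(flagged)
    blocked = stage3_apply_rule(pkts, rule)
    return {"flagged": len(flagged), "rule": rule, "blocked": len(blocked),
            "blocked_sources": sorted({p["src"] for p in blocked})}


if __name__ == "__main__":
    print(run_pipeline(build_sample_traffic()))
```

The rule keeps only fields on which nearly all flagged packets agree, so the spoofed source address (which differs on every packet) never enters the rule, and the legitimate client that connects during the flood keeps its own TTL and window size and is left alone. In practice the similarity threshold trades false positives against the attacker varying one field at a time.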
Source
《计算机应用与软件》 (Computer Applications and Software)
CSCD
Peking University Core Journal
2005, No. 10, pp. 38-39, 51 (3 pages)
Funding
Aeronautical Science Foundation project (04c52009)
About the author
Jiang Qi, master's student; main research area: intrusion detection.