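Abstract
An improvement to the SYN proxy mechanism is proposed that combines a hash table with SYN cookies to handle the half-connection table: the hash table is used under low-intensity attacks, and SYN cookies are used under high-intensity attacks. On this basis, a bitmap is used to optimize the hash table algorithm. The improved method can defend against attacks of greater intensity. It has been applied in a firewall, and tests show that it can defend against high-intensity TCP denial-of-service attacks.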
The TCP SYN flooding is the most commonly used DoS attack. Many solutions exist to protect against SYN flooding, while SYN proxy is a firewall's approach. This paper introduces an improved approach on SYN proxy, explains its design, and evaluates its performance. In this approach, an improved hash table is used to save the half-connection states, which holds a bitmap in its bucket, and better performance is achieved. The hash table limits its bucket length. When a bucket exceeds its limit, it drops half-connection states, and migrates to SYN cookie. This keeps the balance among performance, service quality, resources, and other factors. The proposal is implemented in a firewall, and tests demonstrate good performance achieved.
Source
《计算机工程与应用》
CSCD
Peking University Core Journal
2003, Issue 20, pp. 22-24, 31 (4 pages in total)
Computer Engineering and Applications
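Funding
Supported by the National 863 High-Tech Research and Development Program, "Network Security Management and Evaluation Technology" (Grant No. 863-301-05-03)
Supported by the National "Ninth Five-Year Plan" Key Science and Technology Program (Grant No. 96-743-01-04-01)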