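Software-Defined Perimeter (SDP) as a Defense Mechanism Against Distributed Denial-of-Service (DDoS) Attacks (English Edition)
Software-Defined Perimeter (SDP) Working Group
April 2014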
Abstract
A Distributed Denial-of-Service (DDoS) attack is a large-scale attack in which the perpetrator uses more than one unique source IP address (often thousands of them) to launch simultaneous attacks against a target. The goal is to overload the service (or its network), preventing it from delivering its intended services. Since the incoming traffic flooding the victim originates from many different sources, it is impossible to stop the attack by using simple techniques such as ingress filtering or source blacklisting. This also makes it very difficult to distinguish legitimate user traffic from attack traffic when it is spread across so many points of origin. Some DDoS attacks involve forging IP sender addresses (IP address spoofing), further complicating efforts to identify and defend against the attack.
Introduction
SDP as a DDoS Defense Mechanism
HTTP Flood Attack & SDP Defense
TCP SYN Flood Attack and SDP Defense
UDP Reflection Attack & SDP Defense
Summary