Telecommunications Science, 2014, Vol. 30, Issue (4): 54-60. doi: 10.3969/j.issn.1000-0801.2014.04.008

• Research and Development •

A Defense Approach of DAD Attack in Stateless Auto Configuration

Guangjia Song1, Zhenzhou Ji1, Hui Wang2

  1 School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, China
  2 National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China
  • Online: 2014-04-15 Published: 2017-06-29
  • Supported by:
    Project supported by the National Natural Science Foundation of China

Abstract:

In stateless address auto configuration, a node must carry out duplicate address detection before it uses a new IP address. During detection, once a malicious node claims that the address being resolved is already occupied, the node's address configuration fails, which constitutes a duplicate address detection attack. To defend against this, the WAY (who are you) mechanism is proposed. The WAY mechanism uses reverse address confirmation, self-declaration and WAY-table inspection to filter spoofed packets, which raises the attacker's cost and prevents a second spoofing attempt. Simulation experiments show that the WAY mechanism compensates for the security shortcomings of the neighbor discovery protocol and significantly increases the success rate of stateless address auto configuration.

Key words: network security, address resolution, IPv6, stateless address auto configuration, duplicate address detection
