Journal of Computer Applications (计算机应用) ›› 2018, Vol. 38 ›› Issue (7): 1936-1940. DOI: 10.11772/j.issn.1001-9081.2018010073

• Cyberspace Security •

Proactive defense model of IPv6 address hopping based on a sliding time window

KONG Yazhou, ZHANG Liancheng, WANG Zhenxing

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing (Information Engineering University), Zhengzhou 450002
  • Received: 2018-01-10 Revised: 2018-02-28 Online: 2018-07-10 Published: 2018-07-12
  • Corresponding author: KONG Yazhou
  • About the authors: KONG Yazhou (born 1989), male, from Puyang, Henan; Ph.D. candidate; main research interest: IPv6 network security. ZHANG Liancheng (born 1982), male, from Shangqiu, Henan; lecturer, Ph.D.; main research interest: SDN network security. WANG Zhenxing (born 1959), male, from Jinzhou, Hebei; professor, Ph.D.; main research interest: IPv6 network security.
  • Supported by:
    Key Program of the National Natural Science Foundation of China (61402526).

Address hopping proactive defense model in IPv6 based on sliding time window

KONG Yazhou, ZHANG Liancheng, WANG Zhenxing   

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing(Information Engineering University), Zhengzhou Henan 450002, China
  • Received:2018-01-10 Revised:2018-02-28 Online:2018-07-10 Published:2018-07-12
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61402526).

Abstract (Chinese version): Aiming at the problems that IPv6 restores end-to-end communication and that IPv6 nodes are easily probed and attacked by attackers, a proactive defense model of Address Hopping based on a Sliding Time Window in IPv6 (AHSTW) is proposed. First, session parameters such as the address hopping interval are negotiated through a shared key; then the concept of sending and receiving time windows is introduced, and the two communicating parties send or receive only packets that fall within the time window. A Time Window Adaptive Adjustment (TWAA) algorithm adjusts the window size in time according to changes in network delay, so that the model adapts to changes in the network environment. Theoretical analysis proves that the model can effectively resist data interception and analysis attacks and Denial of Service (DoS) attacks by an attacker against the target IPv6 node. Experimental results show that, when packets of the same size are transmitted, the extra CPU overhead of AHSTW is 2 to 5 percentage points, which is not a significant increase, and communication efficiency does not decline significantly; during communication, the addresses and ports of both parties are random, dispersed and unordered, which greatly increases the attacker's cost and the difficulty of attack and protects the security of IPv6 networks.

Key words (Chinese version): IPv6, address hopping, proactive defense, self-adaption, Denial of Service attack

Abstract: Aiming at the problem that IPv6 nodes are easily exposed to probing attacks once end-to-end communication is restored in IPv6 networks, a proactive defense model of Address Hopping based on a Sliding Time Window in IPv6 (AHSTW) was proposed. Session parameters such as the address hopping interval were first negotiated using a shared key, and then the concept of sending and receiving time windows was introduced: the two communicating parties sent or received only the packets that fell within the time window. Through a Time Window Adaptive Adjustment (TWAA) algorithm, the time window was adjusted in time according to changes in network delay, so that the model adapts to changes in the network environment. The theoretical analysis shows that the proposed model can effectively resist data interception attacks and Denial of Service (DoS) attacks on the target IPv6 nodes. The experimental results show that, for the same packet size, the extra CPU overhead of the AHSTW model is 2-5 percentage points, with no significant increase in communication cost and no significant decline in communication efficiency. The addresses and ports of the two communicating parties are random, dispersed and unordered, which greatly raises the cost and difficulty for an attacker and protects the security of IPv6 networks.
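The hopping and time-window mechanism the abstract describes, as an added Python illustration that is not the paper's code: the HMAC-based address and port derivation from the shared key, the receiver's window check and the delay-driven window rule standing in for TWAA are all assumed simplifications, and the prefix and key are constructed sample values.

```python
"""Sketch of an AHSTW-style receiver: the shared key and the hop index select the
address and port for each hopping interval, a packet is accepted only if its
destination is valid for an index inside the sliding window, and the window is
resized from observed delay (hypothetical stand-in for the paper's TWAA)."""
import hashlib
import hmac
import ipaddress

PREFIX = ipaddress.IPv6Network("2001:db8::/64")  # constructed documentation prefix


def hop_index(t: float, interval: float) -> int:
    """Hopping interval that time t falls in (interval is a negotiated session parameter)."""
    return int(t // interval)


def hop_address(key: bytes, idx: int, prefix=PREFIX) -> ipaddress.IPv6Address:
    """Interface identifier for interval idx: HMAC-SHA256(key, idx) truncated to 64 bits."""
    iid = hmac.new(key, idx.to_bytes(8, "big"), hashlib.sha256).digest()[:8]
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def hop_port(key: bytes, idx: int) -> int:
    """Ephemeral port for interval idx, derived with a distinct label from the address."""
    tag = hmac.new(key, b"port" + idx.to_bytes(8, "big"), hashlib.sha256).digest()[:2]
    return 1024 + int.from_bytes(tag, "big") % (65535 - 1024)


def accept(key: bytes, dst: ipaddress.IPv6Address, recv_time: float,
           interval: float, window: int) -> bool:
    """Receiver rule: dst must be the hop address of some index in
    [current - window, current + window]; anything else is dropped unanswered."""
    cur = hop_index(recv_time, interval)
    return any(hop_address(key, i) == dst for i in range(cur - window, cur + window + 1))


def adjust_window(window: int, delay: float, interval: float, lo: int = 1, hi: int = 8) -> int:
    """Delay-driven resize: widen when the measured delay spans more intervals than
    the window covers, shrink by one when it fits with room to spare. The clamp to
    [lo, hi] keeps a spoofed delay sample from opening the window indefinitely."""
    needed = int(delay // interval) + 1
    if needed > window:
        return min(hi, needed)
    if needed < window - 1:
        return max(lo, window - 1)
    return window
```

A sender at time t uses `hop_address(key, hop_index(t, interval))`; a late packet that arrives after the window has slid past its index is dropped until `adjust_window` widens the window to cover the observed delay.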

Key words: IPv6, address hopping, proactive defense, self-adaption, Denial of Service (DoS)

CLC number: