DNS欺骗攻击及其防护研究

DNS是计算机用户访问网站使用的域名地址解析系统。DNS欺骗则是攻击者常见的攻击手段。从DNS的服务工作过程入手,分析了DNS的欺骗原理,探讨了防止DNS欺骗攻击的技术方法。     

DNS安全:牵一发动全身——访中国互联网络信息中心(CNNIC)执行主任李晓东

DNS创新应用持续发展3月份的DDos攻击事件再次折射出DNS的脆弱性。其实针对DNS的攻击一直存在,早在2002年,互联网的13台根服务器就曾遭遇拒绝服务攻击,进而导致全球互联网部分瘫痪,只是那时的互联网不像现在一样和人们的生活有如此密切的关系,所以DNS的安全事件没有     

DNS放大攻击:潘多拉魔盒已被打开

3月底发生了互联网有史以来最大的300G DDoS攻击事件。此次黑客利用了DNS放大攻击(DNS Amplifica-tion attack,也叫反射攻击)技术,这种攻击方式其实由来已久,早在2002年就已引起研究人员的关注,但是造成这么大的攻击流量还是首次被发现。由于这种攻击模式成本低,效果好,追踪溯源困难,而且由于脆弱的DNS体系具有开放式特点,难以彻底杜绝。潘多拉魔盒已经     

DNS拒绝服务攻击与对策

正面对各种形式攻击对DNS服务构成的威胁,要确保校园网DNS服务的安全可靠运行,需要从基础架构开始进行全面的考虑。DNS是互联网最关键的基础设施之一,它最主要的功能是将域名与IP地址进行映射。随着互联网应用的发展,DNS被赋予越来越多的职责。然而,由于DNS协议设计之初并没有足够的安全考虑,协议缺陷、实现和配置缺陷等一系列问题一直以来都威胁着DNS的安全运行。2008年,Dan Kaminsky提出的一种DNS缓存中毒攻击方法引起学术和企业界对DNS安全的广泛关注,时至今日绝大多数DNS服务器都已实现了源端口随     

DNS网关：新装一层防护栏

为了解决现存DNS体系的安全和服务性能问题,郑州大学提出了一个基于DNS网关技术的解决方案,用于巩固现存DNS体系,提高DNS的服务性能．增加抗击DDoS攻击的能力。     

DNSSEC的原理及部署

段清华大学海新博士介绍了DNSSec的工作原理及目前在全球部署的情况,指出,由于DNS配置比较复杂,故障较多,DNS被攻击的事件时有发生,加上故障和攻击交叠在一起,更加复杂,使得DNSSec并没有引起足够的关注。     

DNS发明者警告：DNS新的威胁即将到来

在最近召开的网络和分布式系统研讨会上，来自乔治亚理工和Google研究院的研究人员向大家展示了关于DNS解析路径污染和恶意修改DNS应答的最新研究成果。新的DNS攻击包括被黑客控制的DNS服务器将用户在不知情的情况下导向恶意的网站。     

高招期间戒备网页挂马

最近网络安全运行中需要关注的事件是5月19日晚由暴风影音软件引起的DNS请求拒绝服务攻击。由于学生中使用暴风影音软件的人数较多,因此很多校园网都受到攻击风波的影响。此次事件生动地给我们上了一堂安全课。对DNS服务的拒绝服务攻击作为一种操作简单但影响面巨大的攻击方式,未来可能越来越频繁地被利用。DNS服务的安全需要我们花费更多的精力去关注。     

DNS网关实现校园网联动防护——郑州大学提高校园网管理的安全型策略分析

DNS现已成为众多病毒攻击的重要目标,所面临的安全隐患与日俱增。为解除这些病毒的攻击源,郑州大学从安全联动的理念出发、群策群力地研制出了一套DNS网关软件。从技术层面通过DNS分析实现校园网内有效的联动防护,由此网管们便可通过这种技术来控制病毒的攻击行为,从而提高校园网管理的安全性。     

校园网的DNS安全问题

校园网内有4000多台开放的DNS递归解析服务器,占全部服务器的65.2%。DNS安全问题已引起了广泛的关注。为此,我们利用自行开发设计的DNS安全检测软件,对中国教育和科研计算机网的IP地址范围进行了DNS服务探测,并对响应DNS请求的主机进行服务器安全检测。下面,我们给出我们的部分检测结果以及被攻击利用的危险。对教育网IP地址范围扫描总共发现7235个主机提供DNS服务。     

基于到达时间差的无线传感器网络中Sybil攻击检测方案

As wireless sensor networks （WSN） are deployed in fire monitoring, object tracking applications, security emerges as a central requirement. A case that Sybil node illegitimately reports messages to the master node with multiple non-existent identities （ID） will cause harmful effects on decision-making or resource allocation in these applications. In this paper, we present an efficient and lightweight solution for Sybil attack detection based on the time difference of arrival （TDOA） between the source node and beacon nodes. This solution can detect the existence of Sybil attacks, and locate the Sybil nodes. We demonstrate efficiency of the solution through experiments. The experiments show that this solution can detect all Sybil attack cases without missing.     

统一存储网络安全研究

With development of networked storage and its applications, united storage network (USN) combined with network attached storage (NAS) and storage area network (SAN) has emerged. It has such advantages as high performance, low cost, good connectivity, etc. However the security issue has been complicated because USN responds to block I/O and file I/O requests simultaneously. In this paper, a security system module is developed to prevent many types of atl~cks against USN based on NAS head.The module not only uses effective authentication to prevent unauthorized access to the system data, but also checks the data integrity.Experimental results show that the security module can not only resist remote attacks and attacks from those who has physical access to the USN, but can also be seamlessly integrated into underlying file systems, with little influence on their performance.     

拒绝服务攻击的研究与探讨

拒绝服务攻击是黑客经常采用并且极为有效的网站攻击手段，它利用了用户必须采用的TCP／IP协议的漏洞，较难防范。本文介绍了拒绝服务攻击的原理和常用方法，分析了分布式拒绝服务攻击的工作原理，并讨论了防范攻击的几种主要方法。     

Improved Feistel-based ciphers for wireless sensor network security

Wireless sensor networks （WSNs） are exposed to a variety of attacks. The quality and complexity of attacks are rising day by day. The proposed work aims at showing how the complexity of modern attacks is growing accordingly, leading to a similar rise in methods of resistance. Limitations in computational and battery power in sensor nodes are constraints on the diversity of security mechanisms. We must apply only suitable mechanisms to WSN where our approach was motivated by the application of an improved Feistel scheme. The modified accelerated-cipher design uses data-dependent permutations, and can be used for fast hardware, firmware, software and WSN encryption systems. The approach presented showed that ciphers using this approach are less likely to suffer intrusion of differential cryptanalysis than currently used popular WSN ciphers like DES, Camellia and so on.     

一种基于聚类与关联规则算法的DDoS攻击检测模型

分布式拒绝服务（Distribute Denial of Service）攻击是当前主要的网络安全威胁之一．本文分析了DDoS攻击的本质特征,提出了一种基于数据挖掘算法的DDoS攻击检测模型．该模型使用聚类算法与关联规则对网络流量与网络数据包连接状态分别建立特征模型,并确定DDoS攻击的检测阈值．实验表明,该检测模型能够实时有效的检测DDoS攻击．     

利用ATM网络技术防止实时攻击

有效的入侵检测是保证系统安全所必需的．介绍了异步传输模式的特点，研究了利用这种网络技术来防止对密码协议中信息的实时传输进行攻击的一种方法，该方法可为指定连接的带宽和信元延迟提供保证．利用这些机制来检测非法入侵，保证网络上信息的实时传输．     

对RSA密码系统旁路攻击的防御

Based on the structure of the side channel attacks (SCAs) to RSA cryptosystem can resist the fault attack andcombine with the randomization method for the message and secret exponent, a new implementation scheme of CRT-based(the Chinese remained theorem) RSA is proposed. The proposed scheme can prevent simple power analysis (SPA), differentialpower analysis (DPA) and time attack, and is compatible with the existing RSA-CRT cryptosystem as well. In addition, animprovement for resisting fault attack is proposed, which can reduce extra computation time.     

基于变点计算的源端DDoS攻击检测方法

文章提出了一种新型的源端的分布式拒绝服务攻击检测方法。首先用布隆过滤器结构对出入不同接口的数据包的数量进行简单计算,然后用无参数CUSUM（CumulativeSum）方法检测。本方法不仅能够在源端检测出分布式拒绝服务攻击的存在,而且各种类型的分布式拒绝服务攻击都能够被成功检测。实验表明,本方法检测结果精确,使用的资源更少。     

Synthesized Multi-Method to Detect and Classify Epileptic Waves in EEG

In order to sufficiently exploit the advantages of different signal processing methods, such as wavelet transformation (WT), artificial neural networks (ANN) and expert rules (ER), a synthesized multi-method was introduced to detect and classify the epileptic waves in the EEG data. Using this method, at first, the epileptic waves were detected from pre-processed EEG data at different scales by WT, then the characteristic parameters of the chosen candidates of epileptic waves were extracted and sent into the well-trained ANN to identify and classify the true epileptic waves,and at last, the detected epileptic waves were certificated by ER. The statistic results of detection and classification show that, the synthesized multi-method has a good capacity to extract signal features and to shield the signals from the random noise. This method is especially fit for the analysis of the biomedical signals in biomedical engineering which are usually non-placid and nonlinear.     

基于SVD和直方图的JPEG同幅图像篡改盲检测算法

首先分析了基于小波变换和奇异值分解方法对同幅图像拼接篡改检测的缺点,结合相关重要的思想,构建了一种改进算法,该算法运用SVD提取图像块特征,并采用偏移频率的直方图来确定阈值。在仿真实验中,通过运用三种算法对图像篡改进行检测,对比结果表明,文章所提算法对同幅图像单次篡改和多次篡改均有更好的检测效果,而且通过修改图像的质量因子的实验进一步证实了该算法具有一定的鲁棒性。