CN109257273A - Method and device for aggravating routing concentration by poisoning paths - Google Patents
Method and device for aggravating routing concentration ("routing intensity" in the machine translation) by poisoning paths
- Publication number: CN109257273A (application CN201810884877.XA)
- Authority: CN (China)
- Prior art keywords: link, autonomous, routing, autonomous system, path
- Prior art date
- Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L45/00—Routing or path finding of packets in data switching networks
  - H04L45/02—Topology update or discovery > H04L45/04—Interdomain routing, e.g. hierarchical routing
  - H04L45/12—Shortest path evaluation > H04L45/123—Evaluation of link metrics
  - H04L45/14—Routing performance; Theoretical aspects
  - H04L45/24—Multipath
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441—Countermeasures against malicious traffic > H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method and apparatus for aggravating routing concentration (rendered "routing intensity" in the machine translation) by poisoning paths. The method comprises: poisoning, by forging BGP announcements, the branch links of a predetermined path from the target inter-domain bottleneck link to the operating autonomous system, so as to aggravate the routing concentration on the target inter-domain bottleneck link. Here, poisoning means that the operating autonomous system can no longer transmit its routing messages over the poisoned link to the other autonomous systems of the Internet. By poisoning these branch links through forged BGP announcements, the present invention aggravates the routing concentration on the target inter-domain bottleneck link.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and device for aggravating routing concentration by poisoning paths.
Background technique
Because of how the Internet is designed, a large number of routes pass through a small number of central networks and the links attached to them. The phenomenon in which a large number of routes converge onto a few links is called route concentration, and a link subject to route concentration is called a routing bottleneck. The routing bottleneck of an autonomous system carries a large share of the routes used to communicate with that system; once it receives more traffic than it can carry, the bottleneck link becomes congested or even fails, and the users of that autonomous system suffer communication anomalies such as high latency and high packet loss. A malicious autonomous system can therefore use link flooding, hitting the routing bottleneck with high-volume traffic, to degrade network access for the users of the networks associated with the bottleneck link. Existing practitioners can likewise use link flooding to deliberately impact a target link.
Existing practitioners generally impact a target link by applying data-plane DDoS-like techniques directly to the routing bottleneck. Such an operation has an obvious target, however, and is very easy for the relevant security systems to counter. Practitioners have therefore turned to indirect means of aggravating routing concentration by forging BGP announcements: building on route concentration, they use more dispersed and better-hidden attack traffic to affect the target network's performance. In particular, because the design of BGP announcements neither encrypts nor verifies the AS path, every autonomous system can modify the routing updates it announces or forwards. Forging BGP announcements can therefore aggravate an inter-domain routing bottleneck: once the degree of route concentration on the bottleneck link rises, more flows to different prefixes traverse the bottleneck, and traffic to all of these different destinations contributes to congestion there. However, this way of aggravating routing concentration increases the number of autonomous systems on the Internet that are deceived, so the operation still has an obvious target and is easy for the relevant security systems to counter.
Prefix hijacking is a widely used hijacking technique in the prior art: by forging BGP announcements, the attacker controls the prefix carried in the routing message and attracts the traffic of other autonomous systems on the Internet destined for that prefix through itself, where it can be eavesdropped on, tampered with or dropped. Its routing concentration, however, is low.
There is therefore a need for a method of aggravating routing concentration that is not easy for the relevant security systems to counter and that also aggravates routing concentration efficiently.
Summary of the invention
The technical problem to be solved by the present invention is that current methods of aggravating routing concentration are easily countered by the relevant security systems, which limits their effect on concentration, and that their efficiency in aggravating concentration is relatively low. Existing prefix hijacking is also easily countered by the relevant security systems, which limits the hijacking effect, and its degree of route concentration is likewise low.
To solve the above technical problems, the present invention provides a method of aggravating routing concentration by poisoning paths (poisoned paths), comprising:
poisoning, by forging BGP announcements, the branch links of a predetermined path from the target inter-domain bottleneck link to the operating autonomous system, so as to aggravate the routing concentration on the target inter-domain bottleneck link; where poisoning means that the operating autonomous system cannot transmit its routing messages to the target inter-domain bottleneck link over the poisoned link.
Preferably, the predetermined path is the optimal path from the target inter-domain bottleneck link to the operating autonomous system.
Preferably, the step of poisoning the branch links of the predetermined path from the target inter-domain bottleneck link to the operating autonomous system by forging BGP announcements comprises:
calculating the optimal path from the target inter-domain bottleneck link to the operating autonomous system;
selecting all poisoning targets according to the optimal path;
generating a poisoning message from all the poisoning targets;
poisoning the branch links of the optimal path hop by hop.
Preferably, there are one or more target inter-domain bottleneck links.
Preferably, the step of calculating the optimal path from the target inter-domain bottleneck link to the operating autonomous system comprises: calculating the optimal path from the target inter-domain bottleneck link to the operating autonomous system with a breadth-first search algorithm.
Preferably, the step of calculating the optimal path from the target inter-domain bottleneck link to the operating autonomous system with a breadth-first search algorithm comprises:
selecting the customer autonomous system of the target inter-domain bottleneck link as the starting autonomous system;
selecting the customer autonomous systems of the starting autonomous system to form the customer set Sn, where n initially equals 1;
judging whether the customer set Sn contains the operating autonomous system; if it does, proceeding to the next step; otherwise taking all autonomous systems in the customer set Sn as the new starting autonomous systems, incrementing n by 1, and returning to the previous step;
backtracking from the operating autonomous system according to the correspondence between provider autonomous systems and customer autonomous systems and recording the result, thereby obtaining the optimal path from the operating autonomous system to the customer autonomous system of the target inter-domain bottleneck link.
Preferably, the step of selecting all poisoning targets according to the optimal path comprises: selecting the providers or peers of all autonomous systems on the optimal path as poisoning targets, where the poisoning targets are not themselves on the optimal path.
Preferably, the step of generating the poisoning message from all poisoning targets comprises: placing the autonomous system numbers of all poisoning targets between two copies of the autonomous system number of the operating autonomous system, and writing the result into a routing message to form the poisoning message.
Preferably, the step of poisoning the branch links of the optimal path hop by hop comprises: the operating autonomous system sending the poisoning message to all of its provider and peer autonomous systems, whereupon the poisoning message poisons the branch links of the optimal path hop by hop and the poisoning is complete.
According to another aspect of the present invention, a device for aggravating routing concentration by poisoning paths is provided, comprising a data processor and a computer-readable storage medium storing a computer program, the computer program being executable by the data processor to carry out the steps of any of the methods of aggravating routing concentration by poisoning paths described above.
Compared with the prior art, one or more embodiments of the above scheme may have the following advantages or beneficial effects:
With the method of aggravating routing concentration by poisoning paths provided by the embodiments of the present invention, the branch links of the predetermined path from the target inter-domain bottleneck link to the operating autonomous system are poisoned by forging BGP announcements, which aggravates the routing concentration on the target inter-domain bottleneck link. Further, once the branch links of the predetermined path have been poisoned, the operating autonomous system can only send its routing messages to the target inter-domain bottleneck link along the predetermined path, and its routing information reaches the other autonomous systems of the Internet through the target inter-domain bottleneck link. In particular, the present invention can also be applied to prefix hijacking: by poisoning BGP paths, it makes the usual BGP-announcement-based methods of aggravating an inter-domain routing bottleneck markedly more efficient. After the branch links of the predetermined path between the operating autonomous system and the target inter-domain bottleneck link are poisoned, the number of deceived autonomous systems on the Internet decreases while the number of routes passing over the target inter-domain bottleneck link increases, which both lowers the risk of discovery by security mechanisms and achieves the goal of strengthening routing concentration.
Other features and advantages of the present invention will be set out in the following description and will partly become apparent from the description or be understood by practising the invention. The objectives and other advantages of the invention can be realised and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.
Detailed description of the invention
The accompanying drawings are provided to give a further understanding of the present invention and form part of the specification; together with the embodiments of the invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a schematic diagram of the implementation steps of the method of aggravating concentration by poisoning paths according to embodiment one of the present invention;
Fig. 2 is a schematic diagram of the steps by which the breadth-first search algorithm calculates the optimal path in the method of aggravating concentration by poisoning paths according to embodiment one of the present invention;
Fig. 3 is a schematic diagram of the Internet topology of one implementation of the method of aggravating concentration by poisoning paths according to embodiment two of the present invention;
Fig. 4 is a schematic diagram of the Internet topology of another implementation of the method of aggravating concentration by poisoning paths according to embodiment three of the present invention.
Specific embodiment
The embodiments of the present invention are described in detail below with reference to the accompanying drawings and examples, so that the process by which the invention applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented. It should be noted that, as long as no conflict arises, the embodiments of the present invention and the features of each embodiment can be combined with one another, and the resulting technical solutions all fall within the scope of the present invention.
Link flooding is a means of hitting a routing bottleneck with high-volume traffic and thereby degrading network access for the users of the networks associated with the bottleneck link; it is a malicious attack. Existing practitioners can also use some form of link flooding to deliberately impact a target link. In the prior art, a data-plane DDoS-like technique is applied directly to the routing bottleneck to impact the target link, which gives the operation an obvious target and makes it very easy for the relevant security systems to counter. In particular, because the design of BGP announcements neither encrypts nor verifies the AS path, every autonomous system can modify the routing updates it announces or forwards. Existing practitioners can therefore aggravate routing concentration indirectly by forging BGP announcements. This approach, however, increases the number of deceived autonomous systems on the Internet and remains easy for the relevant security systems to counter.
Prefix hijacking is a widely used hijacking technique in the prior art: by forging BGP announcements, the attacker controls the prefix carried in the routing message and attracts the traffic of other autonomous systems on the Internet destined for that prefix through itself, where it can be eavesdropped on, tampered with or dropped. Suppose specifically that the prefix of autonomous system A is 8.8.8.0/24 and the prefix of autonomous system B is 8.8.9.0/24. When autonomous system A hijacks the traffic destined for autonomous system B, it replaces the prefix in the routing message it sends with B's prefix (8.8.9.0/24), so that part of the traffic destined for autonomous system B flows to autonomous system A instead; A has thereby hijacked B's traffic. However, when prefix hijacking is used, the number of deceived autonomous systems on the Internet is high, the operation is easy for the relevant security systems to counter, and the routing concentration is also relatively low. Nor does the prior art contain any method of aggravating routing concentration during a prefix hijack.
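The hijack described above (A announcing B's 8.8.9.0/24) is exactly what a route collector's origin check is meant to catch. The following is an added example, not part of the patent or of any project: it compares the origin AS of each received announcement against an expected prefix-to-origin table (the kind of data an RPKI ROA or IRR route object provides) and also flags a more-specific of a known prefix from a foreign origin, which longest-prefix matching would otherwise favour. The ASNs (64500 standing in for A, 64501 for B, the rest as transit) and the sample announcements are constructed for the example.

```python
"""Origin check for the prefix hijack scenario in the text (added example)."""
import ipaddress

# Constructed expected origins: A (64500) owns 8.8.8.0/24, B (64501) owns 8.8.9.0/24.
EXPECTED_ORIGINS = {
    "8.8.8.0/24": 64500,
    "8.8.9.0/24": 64501,
}


def origin_of(as_path):
    """The origin AS is the last ASN in the AS_PATH string ('64510 64500' -> 64500)."""
    return int(as_path.split()[-1])


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Classify one announcement against the expected-origin table.

    'valid'               origin matches the table
    'invalid_origin'      a known prefix announced by another AS (A announcing B's prefix)
    'more_specific_hijack' a sub-prefix of a known prefix from a foreign origin
    'unknown'             the table says nothing about this prefix
    """
    net = ipaddress.ip_network(prefix, strict=False)
    origin = origin_of(as_path)
    if prefix in expected:
        return "valid" if expected[prefix] == origin else "invalid_origin"
    for known, owner in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version == known_net.version and net.subnet_of(known_net):
            return "valid" if owner == origin else "more_specific_hijack"
    return "unknown"


def find_hijacks(announcements, expected=EXPECTED_ORIGINS):
    """Return [(prefix, as_path, verdict)] for every announcement that is neither valid nor unknown."""
    hits = []
    for prefix, as_path in announcements:
        verdict = classify(prefix, as_path, expected)
        if verdict not in ("valid", "unknown"):
            hits.append((prefix, as_path, verdict))
    return hits


# Constructed announcements as a collector might see them: (prefix, AS_PATH).
SAMPLE_ANNOUNCEMENTS = [
    ("8.8.8.0/24", "64510 64500"),      # A announces its own prefix
    ("8.8.9.0/24", "64510 64501"),      # B announces its own prefix
    ("8.8.9.0/24", "64511 64500"),      # A announces B's prefix: the hijack in the text
    ("8.8.9.128/25", "64511 64500"),    # A announces a more-specific of B's prefix
    ("203.0.113.0/24", "64512 64520"),  # prefix not covered by the table
]

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_ANNOUNCEMENTS):
        print(*hit)
```

In production the expected-origin table would be fed from validated ROAs and the check would run on every UPDATE at the collector; the point of the more-specific branch is that an announcement such as 8.8.9.128/25 from A would win longest-prefix matching everywhere even where the /24 from B is still preferred.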
Before describing the method and device of the present invention for aggravating concentration by poisoning paths in further detail, the following terms are explained. An autonomous system is a building block of the Internet: a collective or organisation with a certain capacity to act on its own, usually an independent community such as a network provider (for example China Telecom). The Border Gateway Protocol (BGP) is currently the only routing protocol in wide use between autonomous systems. The AS path is an attribute of a BGP routing update message that lists, in order, the autonomous systems that must be traversed to reach the destination IP prefix carried by the message. Forging BGP means maliciously modifying the information in BGP control messages (for example, modifying the destination prefix or the AS path) in order to achieve one's own ends.
Embodiment one
To solve the above technical problems in the prior art, the embodiments of the present invention provide a method of aggravating routing concentration by poisoning paths.
The method of aggravating concentration by poisoning paths according to the present invention comprises the following steps: selecting an operating autonomous system and a target inter-domain bottleneck link, and poisoning, by forging BGP announcements, the branch links of the predetermined path from the target inter-domain bottleneck link to the operating autonomous system, so as to aggravate the routing concentration on the target inter-domain bottleneck link. Here the operating autonomous system is the autonomous system that performs the path poisoning operation, the target inter-domain bottleneck link is the bottleneck link on which routes are to be concentrated, and poisoning means that the operating autonomous system can no longer transmit messages over the poisoned link to the other autonomous systems of the Internet.
It should be noted that there may be one target inter-domain bottleneck link or several, and the predetermined links from the operating autonomous system to each target inter-domain bottleneck link are poisoned in the same way; when several links are poisoned, all of the computed poisoning targets are placed in one BGP routing message, which is then issued. The description below considers only the case of a single target inter-domain bottleneck link.
In one embodiment of the invention, the predetermined path is the optimal path from the target inter-domain bottleneck link to the operating autonomous system, and the optimal path is the shortest path from the target inter-domain bottleneck link to the operating autonomous system. It should also be noted that in this application the predetermined path can equally be another path from the target inter-domain bottleneck link to the operating autonomous system; in practice the predetermined path can be chosen according to specific requirements.
Fig. 1 is a schematic diagram of the implementation steps of the method of aggravating concentration by poisoning paths according to embodiment one of the present invention. Referring to Fig. 1, when the predetermined path is the optimal path from the target inter-domain bottleneck link to the operating autonomous system, poisoning the branch links of the predetermined path by forging BGP announcements specifically comprises the following steps.
Step S101: calculate the optimal path from the target inter-domain bottleneck link to the operating autonomous system.
Specifically, Fig. 2 is a schematic diagram of the steps by which the breadth-first search algorithm calculates the optimal path in the method of embodiment one. Referring to Fig. 2, the optimal path from the target inter-domain bottleneck link to the operating autonomous system is calculated with a breadth-first search algorithm, which comprises the following specific steps.
Step S1011: select the customer autonomous system of the target inter-domain bottleneck link as the starting autonomous system. Further, since a bottleneck link consists of a provider autonomous system and a customer autonomous system, the customer autonomous system of the target inter-domain bottleneck link is chosen as the starting autonomous system from which the optimal path is subsequently searched.
Step S1012: select the customer autonomous systems of the starting autonomous system to form the customer set Sn, where n initially equals 1. Further, all customer autonomous systems of the starting autonomous system are selected to form the customer set S1; the index n of the customer set Sn increases as the decision procedure below proceeds.
Step S1013: judge whether the customer set Sn contains the operating autonomous system. If it does, proceed to the next step; otherwise take the autonomous systems in the customer set Sn as the new starting autonomous systems, return to the previous step, and increment n by 1.
Further, since the customer set obtained initially is S1, S1 is examined first: if S1 contains the operating autonomous system, proceed to step S1014; otherwise take each autonomous system in S1 as a new starting autonomous system and return to step S1012 to generate the corresponding customer set Sn, with n incremented by 1 from its previous value. On returning to step S1012, each autonomous system in S1 serves as a new starting autonomous system, and all customer autonomous systems of each starting autonomous system are selected to form the customer set S2; and so on, until the generated customer set Sn contains the operating autonomous system.
Step S1014: backtrack from the operating autonomous system according to the correspondence between provider autonomous systems and customer autonomous systems, forming the optimal path from the operating autonomous system to the customer autonomous system of the target inter-domain bottleneck link.
Further, a link usually requires two autonomous systems, and provider and customer autonomous systems stand in a corresponding relationship: following the direction in which routing messages travel, the autonomous system that issues the routing message on a link is the customer and the one that receives it is the provider. The backtracking therefore follows the provider-customer correspondence in the reverse order of the generated customer sets, starting from the operating autonomous system and tracing back until the customer autonomous system of the inter-domain bottleneck link is reached, which forms the optimal path from the operating autonomous system to the customer autonomous system of the target inter-domain bottleneck link.
Step S102: select all poisoning targets according to the optimal path.
Specifically, the providers and/or peers of all autonomous systems on the optimal path are selected as poisoning targets, where the poisoning targets are not themselves on the optimal path. Further, the optimal path contains at least one autonomous system; all providers and/or peers of each autonomous system on the optimal path are selected as poisoning targets, except that a provider or peer that itself lies on the optimal path is not selected as a poisoning target.
Step S103: generate the poisoning message from all poisoning targets.
Specifically, the autonomous system numbers of all poisoning targets are placed between two copies of the autonomous system number of the operating autonomous system, and the result is written into a routing message to form the poisoning message. Further, when an autonomous system announces or forwards a routing message whose AS path is assumed to be <X, ..., Y>, it normally prepends its own autonomous system number to the AS path, so that after forwarding the AS path becomes <A, X, ..., Y> (assuming A is that autonomous system's number). The present application orders the operating autonomous system's number together with the numbers of all poisoning targets, writes them into the AS path in that order, and thereby forges the BGP announcement and generates the poisoning message. The specific ordering is: the autonomous system numbers of all poisoning targets, each appearing once, are arranged in any order between two copies of the operating autonomous system's number. For example, if the operating autonomous system's number is A and the AS path of the poisoning message is <A, L, M, A>, then the autonomous systems numbered L and M are poisoned.
Step S104: poison the branch links of the optimal path hop by hop.
Specifically, the operating autonomous system sends the poisoning message to all of its provider and peer autonomous systems; the poisoning message then poisons the branch links of the optimal path hop by hop, completing the poisoning. Further, after the operating autonomous system has sent the poisoning message, each poisoning target that receives it concludes, by the loop-prevention mechanism of autonomous systems, that it has already processed and forwarded this message, and discards it in order to avoid forming a routing loop. The poisoning target is thereby poisoned, so that the data messages sent by the operating autonomous system can only be forwarded along the optimal path to the target inter-domain bottleneck link, which aggravates the routing concentration on the target inter-domain bottleneck link.
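Steps S103 and S104 rest on one BGP rule: a speaker rejects an UPDATE whose AS_PATH already contains its own ASN (the loop detection of RFC 4271, section 9.1.2), so an AS named inside a forged path such as <A, L, M, A> never installs or forwards the route. The following is an added example, not code from the patent: it models that rule, shows which autonomous systems in a small constructed topology end up without the route once the path is poisoned, and gives the check a route collector can run to flag such paths, distinguishing them from legitimate AS-path prepending, where the repeats are consecutive. All ASNs (64500 for A, 64600 for L, 64601 for M, the rest as transit) and the topology are constructed.

```python
"""BGP loop detection and a detector for poisoned AS paths (added example)."""
from collections import deque


def would_drop(local_asn, as_path):
    """RFC 4271 section 9.1.2 loop detection: a route whose AS_PATH contains
    the receiver's own ASN is treated as a loop and discarded."""
    return local_asn in as_path


def poisoned_asns(as_path):
    """ASNs that occur in more than one separate run of the path.

    Consecutive repeats (AS-path prepending, e.g. 64500 64500 64500) are a
    legitimate traffic-engineering practice and are not flagged; an ASN that
    reappears after other ASNs (the <A, L, M, A> shape) is flagged."""
    runs = {}
    prev = None
    for asn in as_path:
        if asn != prev:
            runs[asn] = runs.get(asn, 0) + 1
        prev = asn
    return sorted(a for a, count in runs.items() if count > 1)


def propagate(origin, as_path, neighbors):
    """Flood an announcement with AS_PATH `as_path` from `origin` over an
    undirected AS graph, ignoring policy and applying only loop detection at
    each receiver. Every forwarded copy keeps the original path as a suffix,
    so an AS named in `as_path` drops every copy it receives.
    Returns (accepted_asns, dropped_asns)."""
    accepted, dropped = set(), set()
    queue = deque([(origin, list(as_path))])
    while queue:
        sender, path = queue.popleft()
        for nb in neighbors.get(sender, ()):
            if nb == origin or nb in accepted or nb in dropped:
                continue
            if would_drop(nb, path):
                dropped.add(nb)
                continue
            accepted.add(nb)
            queue.append((nb, [nb] + path))  # receiver prepends itself before forwarding
    return accepted, dropped


# Constructed topology: A (64500) has two upstreams, L (64600) and P (64602);
# M (64601) is P's peer; T (64700) is a common transit; 64800 is a remote AS.
NEIGHBORS = {
    64500: [64600, 64602],
    64600: [64500, 64700],
    64601: [64602, 64700],
    64602: [64500, 64601, 64700],
    64700: [64600, 64601, 64602, 64800],
    64800: [64700],
}
POISONED_PATH = [64500, 64600, 64601, 64500]  # the <A, L, M, A> shape from the text
NORMAL_PATH = [64500]

if __name__ == "__main__":
    print("flagged ASNs:", poisoned_asns(POISONED_PATH))
    for label, path in (("normal", NORMAL_PATH), ("poisoned", POISONED_PATH)):
        acc, drop = propagate(64500, path, NEIGHBORS)
        print(label, "accepted by", sorted(acc), "dropped by", sorted(drop))
```

With the normal path every AS in the graph learns the route; with the poisoned path L and M discard it and the route reaches the rest of the graph only through P, which is the effect the patent describes. The `poisoned_asns` check is a heuristic for a collector feed: a path in which the origin ASN reappears after other ASNs has no legitimate reason to exist, whereas consecutive repeats are ordinary prepending. A real collector would also need to handle AS_SET segments, which this constructed model omits.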
It should be noted that, as the above method shows, the attacker uses path poisoning to prevent the routing messages it issues from propagating to the rest of the Internet over any link other than the target inter-domain routing bottleneck, so that all the deceived routes are concentrated on the target link. The poisoning routing algorithm given above is a rather conservative method: all branches of the optimal path from the target link to the attacker are poisoned. In fact, because the routing preference of some branches may be lower than that of the path through the target link, the routes of most autonomous systems would pass through the target link to reach the attacker even if those branches were not poisoned, so the set of poisoning targets can be reduced to some degree. There are many public routers on the Internet that provide access services to network practitioners. An attacker can use these public routers to try to reduce the set of poisoning targets step by step, observing through the public routers' access to the announced prefix how the routing concentration on the target link changes: if removing a poisoning target causes routing concentration to drop noticeably, that autonomous system cannot be removed; if removing a poisoning target causes almost no drop in routing concentration, that autonomous system need not be poisoned. This reduction method requires the public routers to be widely distributed; the public routers of the RouteViews project or the RIPE project can be used for the reduction.
With the method of aggravating routing concentration by poisoning paths provided by the embodiments of the present invention, the branch links of the predetermined path from the target inter-domain bottleneck link to the operating autonomous system are poisoned by forging BGP announcements, which aggravates the routing concentration on the target inter-domain bottleneck link. Further, once the branch links of the predetermined path have been poisoned, the operating autonomous system can only send its routing messages to the target inter-domain bottleneck link along the predetermined path. In particular, the present invention can also be applied to prefix hijacking: by poisoning BGP paths, it makes the usual BGP-announcement-based methods of aggravating an inter-domain routing bottleneck markedly more efficient. After the branch links of the predetermined path between the operating autonomous system and the target inter-domain bottleneck link are poisoned, the number of deceived autonomous systems on the Internet decreases while the number of routes passing over the target inter-domain bottleneck link increases, which both lowers the risk of discovery by security mechanisms and achieves the goal of strengthening routing concentration.
Embodiment two
To describe the method for aggravating routing intensity by poisoning paths of the present invention in more detail, it is applied below to a prefix hijack in order to increase routing concentration.
Fig. 3 is a schematic diagram of the internet topology of one embodiment of the method for aggravating routing intensity by poisoning paths according to embodiment two of the present invention. With reference to Fig. 3, in this embodiment the autonomous system number of the operating autonomous system is AS 198348, the autonomous system number of the autonomous system whose prefix is hijacked is AS 262152, and the autonomous system numbers of the two ends of the inter-domain bottleneck link are AS 3216 and AS 3356. For ease of distinction, each autonomous system is referred to below by its autonomous system number. The autonomous-system-level topology around the operating autonomous system and the inter-domain bottleneck link is shown in Fig. 3. The operating autonomous system forges BGP declarations to aggravate the inter-domain routing bottleneck. To further show the routing concentration on the inter-domain bottleneck link, the results of implementing only the prefix hijack method and of implementing the path poisoning method after the prefix hijack method are compared below.
Specific steps include:
Step 1: obtain the current internet topology from CAIDA (the Center for Applied Internet Data Analysis) and load it into an inter-domain routing simulation system.
Step 2: in the inter-domain routing simulation system, simulate AS262152 making a normal BGP declaration and let routing converge in every autonomous system of the internet. At this point the number of routes passing over the inter-domain routing bottleneck link AS3216-AS3356 is N1.
Step 3: in the inter-domain routing simulation system, simulate AS198348 performing a prefix hijack against AS262152. After routing converges, the number of routes passing over the inter-domain routing bottleneck link is N2, and the proportion of deceived autonomous systems in the internet is D1.
Step 4: in the inter-domain routing simulation system, simulate AS198348 performing a prefix hijack against AS262152 and additionally poisoning paths with the poisoning routing algorithm proposed in the present invention. After routing converges, the number of routes passing over the inter-domain routing bottleneck link is N3, and the proportion of deceived autonomous systems in the internet is D2.
The specific poisoning steps are as follows:
S1: select the optimal route;
S11: select AS3216 as the starting autonomous system;
S12: select the customer autonomous systems of AS3216 to form customer set S1, where S1 includes AS29226;
S13: determine that customer set S1 does not include the operating autonomous system AS198348, increment n by 1, and go to step S12;
S12: select the customer autonomous systems of all autonomous systems in S1 to form customer set S2, where S2 includes AS198348, a customer autonomous system of AS29226;
S13: determine that customer set S2 includes the operating autonomous system AS198348, and go to step S14;
S14: trace back from the operating autonomous system according to the recorded provider-customer relationships, i.e. AS198348-AS29226-AS3216, which forms the optimal path from the operating autonomous system to the customer autonomous system of the bottleneck link.
S2: select all poison objects according to the optimal path;
Branch autonomous systems of AS198348: AS 8470
Branch autonomous systems of AS 29226: AS 8359, AS 1299, AS 29076
Branch autonomous systems of AS 3216: AS 20965
The poison objects are AS 8470, AS 8359, AS 1299, AS 29076 and AS 20965.
S3: generate the poison message from all poison objects;
The AS path in the generated poison message is <198348,8470,8359,1299,29076,20965,198348>.
S4: the operating autonomous system sends the poison message to all of its provider autonomous systems and peer autonomous systems; the message poisons the branch links of the optimal path hop by hop, completing the poisoning.
Table 1 below lists the results of the two aggravation experiments, where the deceived autonomous system ratios are D1 and D2 respectively and the routing increase counts are N2-N1 and N3-N1 respectively:
Table 1
Experiment | Deceived autonomous system ratio (%) | Routing increase count |
---|---|---|
Prefix hijack only | 89.8 | 3576 |
Prefix hijack plus poisoning | 66.7 | 4148 |
It can be seen that using the poisoning routing algorithm reduces the deceived autonomous system ratio, because the AS path length increases, while at the same time allowing more routes to pass over the inter-domain routing bottleneck, thereby increasing routing concentration. This example demonstrates the usability of the present invention.
Embodiment three
To describe the method for aggravating routing intensity by poisoning paths of the present invention in more detail, it is applied below to another prefix hijack in order to increase routing concentration.
Fig. 4 is a schematic diagram of the internet topology of another embodiment of the method for aggravating routing intensity by poisoning paths according to embodiment three of the present invention. With reference to Fig. 4, in this embodiment the autonomous system number of the operating autonomous system is AS 24723, the autonomous system number of the autonomous system whose prefix is hijacked is AS 63291, and the autonomous system numbers of the two ends of the inter-domain bottleneck link are AS 4766 and AS 6939. For ease of distinction, each autonomous system is referred to below by its autonomous system number. The autonomous-system-level topology around the operating autonomous system and the inter-domain bottleneck link is shown in Fig. 4. The operating autonomous system forges BGP declarations to aggravate the inter-domain routing bottleneck. To further show the routing intensity on the inter-domain bottleneck link, the results of implementing only the prefix hijack method and of implementing the path poisoning method after the prefix hijack method are compared below.
Specific steps include:
Step 1: obtain the current internet topology from CAIDA (the Center for Applied Internet Data Analysis) and load it into an inter-domain routing simulation system.
Step 2: in the inter-domain routing simulation system, simulate AS63291 making a normal BGP declaration and let routing converge in every autonomous system of the internet. At this point the number of routes passing over the inter-domain routing bottleneck link AS4766-AS6939 is N4.
Step 3: in the inter-domain routing simulation system, simulate AS24723 performing a prefix hijack against AS63291. After routing converges, the number of routes passing over the inter-domain routing bottleneck link is N5, and the proportion of deceived autonomous systems in the internet is D3.
Step 4: in the inter-domain routing simulation system, simulate AS24723 performing a prefix hijack against AS63291 and additionally poisoning paths with the poisoning routing algorithm proposed in the present invention. After routing converges, the number of routes passing over the inter-domain routing bottleneck link is N6, and the proportion of deceived autonomous systems in the internet is D4.
The specific poisoning steps are as follows:
S1: select the optimal route;
S11: select AS4766 as the starting autonomous system;
S12: select the customer autonomous systems of AS4766 to form customer set S1, where S1 includes AS1273;
S13: determine that customer set S1 does not include the operating autonomous system AS24723, increment n by 1, and go to step S12;
S12: select the customer autonomous systems of AS1273 to form customer set S2, where S2 includes AS31500;
S13: determine that customer set S2 does not include the operating autonomous system AS24723, increment n by 1, and go to step S12;
S12: select the customer autonomous systems of AS31500 to form customer set S3, where S3 includes AS24724;
S13: determine that customer set S3 does not include the operating autonomous system AS24723, increment n by 1, and go to step S12;
S12: select the customer autonomous systems of AS24724 to form customer set S4, where S4 includes AS24723;
S13: determine that customer set S4 includes the operating autonomous system AS24723, and go to step S14;
S14: trace back from the operating autonomous system according to the recorded provider-customer relationships, i.e. AS24723-AS24724-AS31500-AS1273-AS4766, which forms the optimal path from the operating autonomous system to the customer autonomous system of the bottleneck link.
S2: select all poison objects according to the optimal path;
Branch autonomous systems of AS24723: none
Branch autonomous systems of AS 24724: AS6453, AS 1299
Branch autonomous systems of AS31500: AS 8732, AS 2603, AS 3267, AS 3356
Branch autonomous systems of AS1273: AS 701
Branch autonomous systems of AS4766: AS 174
The poison objects are AS6453, AS 1299, AS 8732, AS 2603, AS 3267, AS 3356, AS 701 and AS 174.
S3: generate the poison message from all poison objects;
The AS path in the generated poison message is <24723,6453,1299,8732,2603,3267,3356,701,174,24723>.
S4: the operating autonomous system sends the poison message to all of its provider autonomous systems and peer autonomous systems; the message poisons the branch links of the optimal path hop by hop, completing the poisoning.
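As an added defender-side example (not code from the patent or from any project), the following Python script models the two things the embodiments above make observable from outside: the shape of a poison message, in which the operating autonomous system's ASN encloses the poison objects between two copies of itself (S3 of both embodiments), and the count of routes crossing a monitored link, which is the N value the tables compare. It parses AS paths in either collector or patent notation, flags any path in which an ASN reappears non-adjacently (plain prepending repeats an ASN contiguously and is left alone), and returns the enclosed ASNs, which are exactly the autonomous systems that will drop the route by BGP loop detection. The AS path list is constructed sample input: two entries copy the poison messages of embodiments two and three, the monitored link is the AS3216-AS3356 bottleneck link of embodiment two, and the remaining paths are assumed for illustration.

```python
"""Defender-side check for AS-path poisoning announcements and for route
concentration on a monitored inter-domain link.

Added example, not code from the patent. It models the signature the
patent describes for a poison message: the operating AS places the ASNs
of the poison objects between two copies of its own ASN, so that each
listed AS discards the route through BGP loop detection. Any ASN that
appears non-contiguously in an AS_PATH is treated as that signature;
contiguous repetition (prepending) is legitimate and ignored.
"""
from typing import Dict, List, Tuple

Path = Tuple[int, ...]


def parse_as_path(text: str) -> Path:
    """Parse an AS_PATH written either as '3356 3216 29226 198348' (collector
    style) or as '<198348,8470,8359,198348>' (the notation used in the patent)."""
    cleaned = text.strip().strip("<>").replace(",", " ")
    return tuple(int(token) for token in cleaned.split())


def poisoned_ases(path: Path) -> List[int]:
    """Return the ASNs enclosed between two non-adjacent copies of the same ASN.

    For the patent's message <198348,8470,...,20965,198348> this is exactly the
    list of poison objects. Returns [] for a clean path, including a path whose
    origin is merely prepended (198348 198348 198348).
    """
    positions: Dict[int, List[int]] = {}
    for index, asn in enumerate(path):
        positions.setdefault(asn, []).append(index)
    for asn, indexes in positions.items():          # insertion order = path order
        if indexes[-1] - indexes[0] + 1 == len(indexes):
            continue                                 # contiguous run: prepending only
        enclosed = path[indexes[0] + 1 : indexes[-1]]
        return list(dict.fromkeys(a for a in enclosed if a != asn))
    return []


def traverses_link(path: Path, link: Tuple[int, int]) -> bool:
    """True if two consecutive hops of the path are the two ends of `link`
    (in either direction), i.e. the route crosses that inter-domain link."""
    ends = set(link)
    return any({left, right} == ends for left, right in zip(path, path[1:]))


def analyze(raw_paths: List[str], link: Tuple[int, int]) -> Dict[str, object]:
    """Scan a batch of AS paths and report
    - how many of them cross the monitored link (the route count N that the
      patent's tables compare before and after an attack), and
    - every poisoning alert as (origin ASN, poisoned ASNs)."""
    on_link = 0
    alerts: List[Tuple[int, List[int]]] = []
    for raw in raw_paths:
        path = parse_as_path(raw)
        if not path:
            continue
        if traverses_link(path, link):
            on_link += 1
        enclosed = poisoned_ases(path)
        if enclosed:
            alerts.append((path[-1], enclosed))      # rightmost ASN is the origin
    return {"routes_on_link": on_link, "alerts": alerts}


# Constructed sample input, as a route collector might export AS paths.
# The last two entries copy the poison messages given in embodiments two
# and three of the patent; the others are made up for illustration.
SAMPLE_PATHS = [
    "3356 3216 29226 198348",                 # crosses the AS3216-AS3356 bottleneck link
    "1299 3356 3216 29226 198348",            # also crosses it
    "8470 198348 198348 198348",              # origin prepending only, legitimate
    "6939 4766 1273 31500 24724 24723",       # embodiment three's optimal path, clean
    "<198348,8470,8359,1299,29076,20965,198348>",
    "<24723,6453,1299,8732,2603,3267,3356,701,174,24723>",
]

# Bottleneck link of embodiment two (AS3216-AS3356).
MONITORED_LINK = (3216, 3356)

if __name__ == "__main__":
    report = analyze(SAMPLE_PATHS, MONITORED_LINK)
    print(f"routes crossing {MONITORED_LINK}: {report['routes_on_link']}")
    for origin, ases in report["alerts"]:
        print(f"poisoning signature from AS{origin}: poisoned ASNs {ases}")
```

An operator who collects BGP updates from the RouteViews or RIPE collectors named in the description can feed their AS paths to analyze(); a rising routes_on_link count for a link, together with poisoning alerts whose enclosed ASNs are that link's neighbours, is the concentration effect the tables quantify.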
Table 2 below lists the results of the two aggravation experiments, where the deceived autonomous system ratios are D3 and D4 respectively and the routing increase counts are N5-N4 and N6-N4 respectively:
Table 2
Experiment | Deceived autonomous system ratio (%) | Routing increase count |
---|---|---|
Prefix hijack only | 72.3 | 9600 |
Prefix hijack plus poisoning | 46.9 | 13465 |
It can be seen that after the poisoning routing algorithm is used, the effect of the method of aggravating the inter-domain routing bottleneck improves significantly. The routing increase count rises by about 40%, while the deceived autonomous system ratio actually drops. What the attacker cares about is the routing intensity on the bottleneck link; the drop in the deceived autonomous system ratio instead protects the attacker from detection by other security mechanisms. This example demonstrates the usability and efficiency of the present invention.
Embodiments two and three apply the method for aggravating routing intensity by poisoning paths of the present invention to real cases in the actual internet.
Embodiment four
To solve the above technical problems in the prior art, an embodiment of the present invention provides a device for aggravating routing intensity by poisoning paths.
The device for aggravating routing intensity by poisoning paths of the present invention includes a data processor and a computer-readable storage medium storing a computer program; the computer program can be executed by the data processor to complete all steps of the method for aggravating routing intensity by poisoning paths of embodiment one.
The beneficial effects of this embodiment are the same as those produced by embodiment one and are not repeated here.
Although the contents of the embodiments are disclosed as above, the embodiments described are only intended to facilitate understanding of the present invention and are not intended to limit it. Any person skilled in the art to which the invention pertains may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed by the invention, but the scope of protection of the invention shall still be governed by the appended claims.
Claims (10)
1. A method for aggravating routing intensity by poisoning paths, characterized by comprising:
poisoning, by forging BGP declarations, the branch links of a predefined path from an inter-domain bottleneck link to an operating autonomous system, so as to aggravate the routing intensity on the inter-domain bottleneck link; wherein the poisoning prevents the operating autonomous system from transmitting routing messages to other autonomous systems of the internet through the poisoned link.
2. The method according to claim 1, characterized in that the predefined path is the optimal path from the inter-domain bottleneck link to the operating autonomous system.
3. The method according to claim 2, characterized in that the step of poisoning, by forging BGP declarations, the branch links of the predefined path from the inter-domain bottleneck link to the operating autonomous system comprises:
calculating the optimal path from the inter-domain bottleneck link to the operating autonomous system;
selecting all poison objects according to the optimal path;
generating a poison message from all of the poison objects;
poisoning the branch links of the optimal path hop by hop.
4. The method according to claim 3, characterized in that there are one or more inter-domain bottleneck links.
5. The method according to claim 3, characterized in that the step of calculating the optimal path from the inter-domain bottleneck link to the operating autonomous system comprises:
calculating the optimal path from the inter-domain bottleneck link to the operating autonomous system using a breadth-first search algorithm.
6. The method according to claim 5, characterized in that the step of calculating the optimal path from the inter-domain bottleneck link to the operating autonomous system using a breadth-first search algorithm comprises:
selecting the customer autonomous system of the inter-domain bottleneck link as the starting autonomous system;
selecting all customer autonomous systems of the starting autonomous system to form a customer set Sn, where the initial value of n is 1;
determining whether the customer set Sn includes the operating autonomous system; if it does, going to the next step, otherwise taking all autonomous systems in the customer set Sn as the new starting autonomous systems, incrementing n by 1, and going to the previous step;
tracing back from the operating autonomous system according to the recorded provider-customer relationships to obtain the optimal path from the operating autonomous system to the customer autonomous system of the inter-domain bottleneck link.
7. The method according to claim 3, characterized in that the step of selecting all poison objects according to the optimal path comprises:
selecting the providers or peers of all autonomous systems on the optimal path as poison objects, where the poison objects are not on the optimal path.
8. The method according to claim 3, characterized in that the step of generating the poison message from all poison objects comprises:
arranging the autonomous system numbers of all poison objects between two copies of the autonomous system number of the operating autonomous system, and writing them into a routing message to form the poison message.
9. The method according to claim 3, characterized in that the step of poisoning the branch links of the optimal path hop by hop comprises:
the operating autonomous system sending the poison message to all of its provider autonomous systems and peer autonomous systems, the poison message poisoning the branch links of the optimal path hop by hop and completing the poisoning.
10. A device for aggravating routing intensity by poisoning paths, characterized in that it comprises a data processor and a computer-readable storage medium storing a computer program, the computer program being executable by the data processor to complete the steps of the method for aggravating routing intensity by poisoning paths according to any one of claims 1 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810884877.XA CN109257273A (en) | 2018-08-06 | 2018-08-06 | By the method and device for poisoning path aggravation routing intensity |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810884877.XA CN109257273A (en) | 2018-08-06 | 2018-08-06 | By the method and device for poisoning path aggravation routing intensity |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109257273A true CN109257273A (en) | 2019-01-22 |
Family
ID=65049200
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810884877.XA Pending CN109257273A (en) | 2018-08-06 | 2018-08-06 | By the method and device for poisoning path aggravation routing intensity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109257273A (en) |
2018-08-06: CN CN201810884877.XA patent/CN109257273A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190122 |