Research Of Hop Integrity Protocol And Its Implementation Technology

Posted on: 2007-09-02
Degree: Master
Type: Thesis
Country: China
Candidate: J Gao
GTID: 2178360182488620
Subject: Computer application technology

Abstract/Summary:
In recent years, frequent Denial of Service (DoS) attacks have caused large losses for Internet Service Providers (ISPs), because DoS attacks are more difficult to detect and prevent than other attacks. Most existing defenses are passive: they either detect a DoS attack only after it has already caused some loss, or cannot be widely deployed because of their high cost. Hop Integrity, designed by Mohamed G. Gouda in 2002, actively and effectively prevents network packets from being forged, modified and replayed, and is therefore an effective way of actively preventing DoS attacks.

Linux has become increasingly popular in the IT field because of its openness, stability, flexibility and customizability. After analyzing the principle of the hop integrity protocol in detail, this paper implements the protocol using several Linux kernel technologies: Netfilter packet filtering, loadable kernel modules (LKM), system calls and the /proc file system. In addition, a module that logs network packet information is embedded. The implementation consists of three main modules: the secret exchange module, the input and output handling module, and the traceback module. The traceback module works well by taking full advantage of the security properties of hop integrity.

Finally, the hop integrity implementation from this paper is functionally tested and its performance is evaluated. The results show that hop integrity does well at preventing packets from being modified, forged and replayed in their first hop between adjacent routers, and thus can actively resist DoS attacks. When certain attacks happen, the attack source can be traced quickly and effectively. It also does not impose a large cost on the operating system. Although the analysis shows that hop integrity causes some delay in packet transmission, this is acceptable when real-time transfer is not the most important factor.

Keywords/Search Tags: Network Security, DDoS, Hop Integrity protocol, Netfilter, Linux