| Along with the rapid development of the Internet, the demand of people for the security and reliability of the Internet becomes stronger and stronger. However, the situation of network security is worse and worse, and the network attacks occur continually. Spoofing the source IP address of packets is one of the major tools used by hackers to mount network attacks. Using the flaws of the design of IPv4, the IP spoofing makes the network attacks be successful time after time. Especially, the DoS/DDoS attack, which is large-scale, destructive and defended difficulty, is one of the main threats to the Internet.Compare with IPv4, IPv6 has many advantages, especially, such as importing the IPSec mechanism which improves the security of IPv6 greatly. However, we can see two limitations of IPSec in this paper. On the one hand, whereas IPSec solves end-to-end security problem, it can not protect the infrastructure of the Internet, and make sure the authenticity of source address of packets in the process of transmission. On the other hand, the encrypting mechanism of itself may be used by hackers to launch DoS/DDoS attack. Therefore, IPv6 can not solve the source IP spoofing problem completely, the real address issue is still play an important role in IPv6 security.The traditional methods to defense the IP spoofing can not protect the layer-2 network. In this paper, we use the 802.1x protocol to solve the date link layer problem. In allusion to the characteristics of campus network, we design a network security architecture which combines the layer-3 filtering methods and the layer-2 authentication technique to insure the authenticity of source address of packets. We simulation the architecture with OPNET, then test its performance under DoS attack. The results indicate that the architecture can guarantee the creditability of source address of the packets which are transmitted in the network, and defeat the DoS attacks using the forged source address effectively. |
PDF Full Text Request