
Research On IP Traceback Of DDoS Attack In IPv6 Network

Posted on: 2019-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: R Zhai
Full Text: PDF
GTID: 2428330563956425
Subject: Public Security Technology

Abstract/Summary:
With the rapid development of the Internet, the drawbacks of the IPv4 protocol have become increasingly apparent. The IPv4 address space is seriously insufficient, and although various solutions have been proposed to ease the shortage temporarily, they cannot solve the problem in the long term. Network attacks of many kinds keep emerging, and DDoS attacks have been an unavoidable threat since they first appeared. Because attackers forge the source addresses of attack traffic, tracing the origin of an attack is extremely difficult, and these attacks have caused great damage to society. Although the IPv6 protocol solves the IPv4 address shortage, it still faces security risks. IPv6 is being widely promoted around the world and is developing rapidly, so more and more people are paying attention to its security; the risk of DDoS attacks in IPv6 in particular has received extensive attention. Whether the attack source tracing schemes designed for IPv4 networks apply to IPv6 needs to be analyzed. Based on an in-depth analysis of the structure and security of IPv6 packets, this paper analyzes the types and characteristics of various DDoS attacks, reviews the existing attack source tracing schemes, and analyzes and compares their feasibility for tracing the source of DDoS attacks under IPv6. After the comparison, packet marking is selected as the main method to be improved. The scheme proposed in this paper makes the following improvements. First, a more efficient and reasonable marking probability algorithm is proposed. The access network router determines the marking probability of a packet, treats the flow as the marking object, and divides traffic by bandwidth occupancy into large traffic and small traffic. To avoid producing too many marked packets for large traffic, the marking probability is adjusted dynamically according to the bandwidth occupancy rate, while small traffic is marked with a fixed probability to ensure that it is still marked. This ultimately allows the origin of a DDoS attack to be traced with fewer marked packets. Second, the traditional marking process is improved by combining intra-domain traceback with inter-domain traceback. The access network routers and the autonomous domain border routers are selected as marking routers to preserve the integrity of the reconstructed path to the greatest degree, which helps both in resisting the attack and in marking the attack source. Third, a new authentication scheme is proposed, and the most efficient hash algorithm, chosen by comparison, is used to implement the authentication. In a preliminary stage, public key cryptography and symmetric cryptography are used to transfer the shared information. In the input to the hash algorithm, the shared information and the packet's flow label information are appended after the path information, which not only prevents forged and tampered marks but also prevents packet replay attacks. When marked packets arrive at the victim, only the path information needs to be extracted to reconstruct the path. Finally, this paper verifies the feasibility of the proposed scheme through simulation experiments and compares its performance with the traditional method, showing that the proposed scheme is efficient and reliable.
Keywords/Search Tags:Attack source tracing, distributed denial of service attack, packet marking algorithm, network security