A novel idea jointed deterministic packet marking and path identification is proposed. In this scheme, source border routers mark packets with either deterministic packet marking or path identification in the form of probability. Based on downstream network congestion tolerance and IP traceback consequence, routers dynamically adjust the propor-tion of package marking. Then the victim takes different actions according to different marking content. The results of large-scale simulations with Skitter, authoritative Internet topologies dataset, show the scheme is effective to defend DDoS attack, and alleviate attack impacts on the victim.%提出了一种新的结合确定包标记和路径标识的方案,其在源边界路由器以概率形式选择执行确定性包标记或路径标识。该方案以下游网络拥塞程度和路径追溯结果为依据,动态调整数据包标记操作,并在受害主机处根据不同的标记策略采取不同的防御措施。基于大规模权威因特网拓扑数据集的仿真实验表明,该方案防御效果较好,能有效减轻受害主机遭受DDoS攻击的影响。
展开▼