An efficient algorithm for tracking network packets (to prevent replay attacks)
I'm implementing a network server that processes UDP packets. I want to avoid replay attacks, where an attacker could copy UDP packets and replay them later in time. I was toying with the idea that I could hash the packet and store this value in a hash table. I can then do the same process every time a packet is received and look it up in the hash table. If it already exists, then we reject the packet; however, if we have never seen it (the entry does not exist), we store it for future use.
Now, what hash algorithm would be suitable for this? Do I need something other than a hash table? As there are a lot of UDP packets being received, I want this to work in O(1)!!!!!! ;-) Is this possible?
Obviously the longer I 'remember' hashes, the more storage (state) I will need to allocate. Can a hash table grow and shrink dynamically over time?
I may be way off here, and I may not need a hash table at all! I'm open to ideas!!
Do you have control over the content of the packet? If so, add a hash to the content and use that - which moves the hashing effort to the sender. You could also include a validity period so that a) you know you can discard any record of a packet after that time and b) a packet stored by an attacker becomes useless after that time. You would want to encrypt the time stamp in some way so the attacker can't just update the time stamp.
Other techniques can be found on Wikipedia
Using a hash table for packets can be expensive because you will have to rehash your hash table, which is O(n).
In this situation you should negotiate a shared secret between the server and each client. This secret key K is then used to construct a Message Authentication Code. The message being authenticated should be the data you are transmitting in the UDP packet along with a time stamp. Sequence IDs are unfavorable because there is no guarantee a UDP packet will arrive at all, and it's possible for packets to arrive out of order.
It should be noted that this attack is impossible with TCP due to the three-way handshake and sequence IDs. In this case the security provided by TCP may in fact be lighter than this proposed security system.
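The combination the two answers describe, as an added example that is not part of either answer: the sender MACs a timestamp plus payload with the shared key K, and the receiver checks the MAC, rejects datagrams outside a freshness window, and keeps the MAC tag in a bounded replay cache that is pruned as entries age out. HMAC-SHA256, the 8-byte millisecond timestamp header, the 5-second window and the key value are assumptions chosen for the example; the cache is an insertion-ordered dict, so lookup, insert and prune are O(1) amortized.

```python
import hashlib
import hmac
import struct
from collections import OrderedDict

TAG_LEN = 32                  # HMAC-SHA256 output length
TS_FMT = "!Q"                 # assumed header: 8-byte big-endian milliseconds since epoch
TS_LEN = struct.calcsize(TS_FMT)


def seal(key: bytes, payload: bytes, now_ms: int) -> bytes:
    """Sender side: timestamp || payload || HMAC(key, timestamp || payload)."""
    body = struct.pack(TS_FMT, now_ms) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayGuard:
    """Receiver side: authenticate, enforce freshness, reject duplicates."""

    def __init__(self, key: bytes, window_ms: int = 5000):
        self.key = key
        self.window_ms = window_ms
        self.seen = OrderedDict()  # tag -> expiry, oldest entry first

    def _prune(self, now_ms: int) -> None:
        # Expiries are monotone in insertion order, so popping from the
        # front until the head is still live removes every stale entry.
        while self.seen and next(iter(self.seen.values())) <= now_ms:
            self.seen.popitem(last=False)

    def accept(self, datagram: bytes, now_ms: int):
        """Return (ok, reason, payload); payload is None when rejected."""
        if len(datagram) < TS_LEN + TAG_LEN:
            return False, "short", None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return False, "bad-mac", None
        (ts_ms,) = struct.unpack(TS_FMT, body[:TS_LEN])
        if abs(now_ms - ts_ms) > self.window_ms:     # answer 1's validity period
            return False, "stale", None
        self._prune(now_ms)
        if tag in self.seen:                          # the asker's hash-table check
            return False, "replay", None
        # Keep the tag for 2*window: after that the timestamp itself is stale,
        # so the entry is no longer needed and the table shrinks by itself.
        self.seen[tag] = now_ms + 2 * self.window_ms
        return True, "ok", body[TS_LEN:]
```

The authenticated tag doubles as the hash-table key, so no second hash over the packet is needed; the sender already paid for the HMAC.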