Attrition Defenses for a Peer-to-Peer Digital Preservation System

a r X i v :c s /0405111v 2 [c s .C R ] 27 N o v 2004

Attrition Defenses for a Peer-to-Peer Digital Preservation System

TJ Giuli

Stanford University,CA

Petros Maniatis

Intel Research,Berkeley,CA

Mary Baker

HP Labs,Palo Alto,CA

David S.H.Rosenthal

Stanford University Libraries,CA

Mema Roussopoulos

Harvard University,Cambridge,MA

Abstract

In peer-to-peer systems,attrition attacks include both traditional,network-level denial of service attacks as well as application-level attacks in which malign peers conspire to waste loyal peers’resources.We describe several defenses for LOCKSS,a peer-to-peer digital preservation system,that help ensure that application-level attacks even from powerful adversaries are less effective than simple network-level attacks,and that network-level attacks must be intense,wide-spread,and prolonged to impair the system.$Revision: 1.317$

1Introduction

Denial of Service (DoS)attacks are among the most dif-?cult for distributed systems to resist.Distinguishing le-gitimate requests for service from the attacker’s requests can be tricky,and devoting substantial effort to doing so can easily be self-defeating.The term DoS was in-troduced by Needham [32]with a broad meaning but over time it has come to mean high-bit-rate network-level ?ooding attacks [22]that rapidly degrade the usefulness of the victim system.In addition to DoS,we use the term attrition to include also moderate-or low-bit-rate application-level attacks that gradually impair the victim system.

The mechanisms described in this paper are aimed at equipping the LOCKSS 1peer-to-peer (P2P)digital preservation system to resist attrition attacks.The sys-tem is in use at about 80libraries worldwide;publishers of about 2000titles have endorsed its use.Cooperation among peers reduces the cost and increases the reliabil-ity of preservation,eliminates the need for backup,and greatly reduces other operator interventions.

A loyal (non-malign)peer participates in the LOCKSS system for two reasons:to achieve regular reassurance

crux of attrition attacks and their defenses,we extend our prior evaluation[29]to deal with numerous con-currently preserved archival units of content competing with each other for resources.Finally,resource over-provisioning is essential in defending against attrition attacks.Our contribution is the ability to put an upper bound on the amount of over-provisioning required to defend the LOCKSS system from an arbitrarily power-ful attrition adversary.Our defenses may not all be im-mediately applicable to all P2P applications,but we be-lieve that many systems may bene?t from a subset of de-fenses,and that our analysis of the effectiveness of these defenses is more broadly useful.

In the rest of this paper,we?rst describe our applica-tion.We continue by outlining how we would like this application to behave under different levels of attrition attack.We give an overview of the LOCKSS protocol, describing how it incorporates each of our attrition de-fenses.We then explain the results of a systematic explo-ration of simulated attacks against the resulting design, showing that it successfully defends against attrition at-tacks at all layers,from the network level up through the application protocol.

2The Application

In this section,we provide an overview of the digital preservation problem for academic publishing,the prob-lem that LOCKSS seeks to solve.We then present and justify the set of design goals required of any solution to this problem,setting the stage for our approach in subse-quent sections.

Academic publishing has migrated to the Web[42], placing society’s scienti?c and cultural heritage at a vari-ety of risks such as confused provenance,accidental edit-ing by the publisher,storage corruption,failed backups, government or corporate censorship,vandalism,and de-liberate rewriting of history.The LOCKSS system was designed[36]to provide librarians with the tools they need to preserve their community’s access to journals and other Web materials.

Any solution must meet six stringent requirements. First,since under US law[16]copyright Web content can only be preserved with the owner’s permission,the so-lution must accommodate the publishers’interests.Re-quiring publishers,for example,to offer perpetual no-fee access or digital signatures on content makes them reluctant to give that permission.Second,a solution must be extremely cheap in terms of hardware,operating cost,and human expertise.Few libraries could afford[3] a solution involving handling and securely storing off-line media,but most can afford the few cheap off-the-shelf PCs that provide suf?cient storage for tens of thou-sands of journal-years.Third,the existence of cheap,reliable storage cannot be assumed;affordable storage is unreliable[21,35].Fourth,a solution must have a long time horizon.Auditing content against stored dig-ital signatures,for example,assumes not only that the cryptosystem will remain unbroken,but also that the se-crecy,integrity,and availability of the keys are guaran-teed for decades.Fifth,a solution must anticipate ad-versaries capable of powerful attacks sustained over long periods;it must withstand these attacks,or at least de-grade slowly and gracefully while providing unambigu-ous warnings[34].Sixth,a solution must not require a central locus of control or administration,if it is to with-stand concentrated technical or legal attacks.

Two different architectures have been proposed for preserving Web journals.On one hand,trusted third party archives require publishers to grant the archive per-mission,under certain circumstances,to republish their content.It has proved very dif?cult to persuade pub-lishers to do so[5].In the LOCKSS system,on the other hand,publishers need only grant their subscribing libraries permission to supply their own content replica to their local readers.This has been the key to obtaining permission from publishers.It is thus important to note that our goal is not to minimize the number of replicas consistent with content safety.Instead,we strive to min-imize the per-replica cost of maintaining a large number of replicas.We trade extra replicas for fewer lawyers,an easy decision given their relative costs.

The LOCKSS design is extremely conservative,mak-ing few assumptions about the infrastructure.Although we believe this is appropriate for a digital preservation system,less conservative assumptions are certainly pos-sible.Taking increased risk can increase the amount of content that can be preserved with given computa-tional power.For example,the availability of limited amounts of reliable,write-once memory would allow au-dits against local hashes,the availability of a reliable public key infrastructure might allow publishers to sign their content and peers to audit against the signatures, and so on.Conservatively,the assumptions underlying such optimizations could be violated without warning at any time;the write-once memory might be corrupted or mishandled or a private key might leak.Thus,designs us-ing these optimizations would still need the audit mech-anism as a fall-back.The more a peer operator can do to avoid local failures the better the system works,but our conservative design principles lead us to focus on mech-anisms that minimize dependence on these efforts. With this speci?c application in mind,we tackle the “abstract”problem of auditing and repairing replicas of distinct archival units or AUs(a year’s run of an on-line journal,in our target application)preserved by a popu-lation of peers(libraries)in the face of attrition attacks. For each AU it preserves,a peer starts out with its own,

correct replica(obtained from the publisher’s Web site), which it can only use to satisfy local read requests(from local patrons)and to assist other peers with replica re-pairs.In the rest of this paper we refer to AUs,peers, and replicas,rather than journals and libraries.

3System Model

In this section we present the adversary we model,our security goals for the system,and our defensive frame-work.

3.1Adversary Model

In keeping with our conservative design philosophy,we assume a powerful adversary with several important abil-ities.Pipe stoppage is his ability to prevent communi-cation with victim peers for extended periods by?ood-ing links with garbage packets or using more sophisti-cated techniques[25].Total information awareness al-lows him to control and monitor all of his resources in-stantaneously.He has unconstrained identities in that he can purchase or spoof unlimited network identities.In-sider information allows him complete knowledge of his victims’system parameters and resource commitments. Masquerading means that loyal peers cannot detect him, as long as he follows the protocol.Finally,he has unlim-ited computational resources,though he is polynomially bounded in his computations(i.e.,he cannot invert cryp-tographic functions).

The adversary employs these capabilities in effortless and effortful attacks.An effortless attack requires no measurable computational effort from the attacker and includes traditional DoS attacks such as pipe stoppage. An effortful attack requires the attacker to invest in the system and therefore requires computational effort. 3.2Security Goals

The overall goal of the LOCKSS system is to maintain a high probability that the consensus of peers re?ects the correct AU,and a high probability that a reader accesses good data.In contrast,an attrition adversary’s goal is to decrease these probabilities signi?cantly by preventing peers from auditing their replicas for a long time,long enough for undetected storage problems such as“bit rot”to occur.

Severe pipe stoppage attacks in the wild last for days or weeks[31].Our goal is to ensure that,in the very least,the LOCKSS system withstands such attacks sus-tained over months.Beyond pipe stoppage,attackers must use protocol messages to some extent.We seek to ensure the following three conditions.First,a peer man-ages its resources so as to prevent exhaustion no matter how much effort is exerted by however many identities request service.Second,when deciding which requests to service,a peer gives preference to requests from those likely to behave properly(i.e.,“ostensibly legitimate”). And third,at every stage of a protocol exchange,an os-tensibly legitimate attacker expends commensurate effort to that which he imposes upon the defenders.

3.3Defensive Framework

We seek to curb the adversary’s success by modeling a peer’s processing of inbound messages as a series of ?lters,each costing a certain amount to apply.A mes-sage rejected by a?lter has no further effect on the peer, allowing us to estimate the cost of eliminating whole classes of messages from further consideration.Each?l-ter increases the effort a victim needs to defend itself,but limits the effectiveness of some adversary capability. The bandwidth?lter models a peer’s network connec-tion.It represents the physical limits on the rates of inbound messages that an adversary can force upon his victims.The admission control?lter takes inbound mes-sages at the maximum rate supported by the bandwidth ?lter and further limits them to match the maximum rate at which a peer expects protocol traf?c from legitimate senders,favoring known peer identities.This curbs the adversary’s use of unlimited identities and prevents him from applying potentially unconstrained computational resources upon a victim.The effort balancing?lters en-sure that effort imposed upon a victim by ostensibly le-gitimate traf?c is balanced by correspondingly high ef-fort borne by the attacker,making it costly for a resource-constrained adversary to masquerade as a legitimate peer. We show in Section7.4that the most effective strat-egy for effortful attacks is to emulate legitimacy,and that even this has minimal effect on the utility of the system. Effortless attacks,such as traditional distributed DoS (DDoS)attacks,are more effective but must be main-tained for a long time against most of the peer population to degrade the system signi?cantly(Section7.2).

4The LOCKSS Replica Auditing and Re-pair Protocol

The LOCKSS audit process operates as a sequence of “opinion polls”conducted by every peer on each of its AU replicas.At intervals,typically every3months,a peer(the poller)constructs a random subset(i.e.,sam-ple)of the peer population that it knows are preserv-ing an AU,and invites those peers as voters into a poll. Each voter individually hashes a poller-supplied nonce and its replica of the AU to produce a fresh vote,which the poller tallies.If the poller is outvoted in a landslide (e.g.,it disagrees with80%of the votes),it assumes its

Figure1:A time-line of a poll,showing the message exchange between the poller and a voter.

replica is corrupt and repairs it from a disagreeing voter. The roles of poller and voter are distinct,but every peer plays both.

The general structure of a poll follows the time-line of Figure1.A poll consists of two phases:the vote solici-tation phase and the evaluation phase.In the vote solic-itation phase the poller requests and obtains votes from as many voters in its sample of the population as pos-sible.Then the poller begins the evaluation phase,dur-ing which it compares these votes to its own replica,one hashed content block at a time,and tallies them.If the hashes disagree the poller may request repair blocks from its voters and re-evaluate the block.If in the eventual tally,after any repairs,the poller agrees with the land-slide majority,it sends a receipt to each of its voters and immediately starts a new poll.Peers interleave making progress on their own polls and voting in other peers’polls,spreading each poll over a long period chosen so that polls on a given AU occur at a rate much higher than the rate of undetected storage problems,e.g.“bit rot.”4.1Vote Solicitation

The outcome of a poll is determined by the votes of the inner circle peers,sampled at the start of the poll by the poller from its reference list for the AU.The reference list contains mostly peers that have agreed with the poller in recent polls on the AU,and a few peers from its static friends list,maintained by the poller’s operator.

A poll is considered successful if its result is based on a minimum number of inner circle votes,the quorum, which is typically10,but may change according to the application’s needs for fault tolerance.To ensure that a poll is likely to succeed,a poller invites into its poll a larger inner circle than the quorum(typically,twice as large).If at?rst try,an inner circle peer fails to respond to an invitation,or refuses it,the poller contacts a different inner circle voter,re-trying the reluctant peer later in the same vote solicitation phase.

An individual vote solicitation consists of four mes-sages(see Figure1):Poll,PollAck,PollProof,and Vote. For the duration of a poll,a poller establishes an en-crypted TLS session with each voter individually,via an anonymous Dif?e-Hellman key exchange.Every proto-col message is conveyed over this TLS session,either keeping the same TCP connection from message to mes-sage,or resuming the TLS session over a new one.

The Poll message invites a voter to participate in a poll on an AU.The invited peer responds with a PollAck mes-sage,indicating either a refusal to participate in the poll at the time,or an acceptance of the invitation,if it can compute a vote within a predetermined time allowance. The voter commits and reserves local resources to that effect.The PollProof message supplies the voter with a random nonce to be used during vote construction.To compute its vote,the voter uses a cryptographic hash function(e.g.,SHA-1)to hash the nonce supplied by the poller,followed by its replica of the AU,block by block. The vote consists of the running hashes produced at each block boundary.Finally,the voter sends its vote back to the poller in a Vote message.

These messages also contain proofs of computational effort,such as those introduced by Dwork et al.[15], suf?cient to ensure that,at every protocol stage,the re-quester of a service has more invested in the exchange than the supplier of the service(see Section5.1).

4.2Peer Discovery

The poller uses the vote solicitation phase of a poll not only to obtain votes for the current poll,but also to dis-cover new peers for its reference list from which it can solicit inner circle votes in future polls.

Discovery is effected via nominations included in Vote messages.A voter picks a random subset of its cur-rent reference list,which it includes in the Vote message. The poller accumulates these nominations.When it con-cludes its inner circle solicitations,it chooses a random sample of these nominations as its outer circle.It pro-ceeds to solicit regular votes from these outer circle peers in a manner identical to that used for inner circle peers. The purpose of the votes obtained from outer circle voters is to show the“good behavior”of newly discov-ered peers.Those who perform correctly,by supplying votes that agree with the prevailing outcome of the poll, are added into the poller’s reference list at the conclu-sion of the poll;the outcome of the poll is computed only from inner-circle votes.

4.3Vote Evaluation

Once the poller has accumulated all votes it could obtain from inner and outer circle voters,it begins the poll’s evaluation phase.During this phase,the poller computes,

in parallel,all block hashes that each voter should have computed,if that voter’s replica agreed with the poller’s.

A vote agrees with the poller on a block if the hash in the vote and that computed by the poller are the same.

For each hash computed by the poller for an AU block, there are three possibilities:?rst,the landslide majority of inner-circle votes(e.g.,80%)agree with the poller;in this case,the poller considers the audit successful up to this block and proceeds with the next block.Second,the landslide majority of inner-circle votes disagree with the poller;in this case,the poller regards its own replica of the AU as damaged,obtains a repair from one of the dis-agreeing voters(via the RepairRequest and Repair mes-sages),and reevaluates the block hoping to?nd itself in the landslide majority,as above.Third,if there is no landslide majority of agreeing or disagreeing votes,the poller deems the poll inconclusive,raising an alarm that requires attention from a human operator. Throughout the evaluation phase,the poller may also decide to obtain a repair from a random voter,even if one is not required(i.e.,even if the corresponding block met with a landslide agreement).The purpose of such frivolous repairs is to prevent targeted free-riding via the refusal of repairs;voters are expected to supply a small number of repairs once they commit to participate in a poll,and are penalized otherwise(Section5.1).

If the poller hashes all AU blocks without raising an alarm,it concludes the poll by sending an evaluation re-ceipt to each voter(with an EvaluationReceipt message), indicating that it will not be requesting any more repairs. The poller then updates its reference list by removing all voters whose votes determined the poll outcome and by inserting all agreeing outer-circle voters and some peers from the friends list(for details see[29]).The poller then restarts a poll on the same AU,scheduling it to conclude an inter-poll interval into the future.

5LOCKSS Defenses

Here we outline the attrition defenses of the LOCKSS protocol:admission control,desynchronization,and re-dundancy.These defenses raise system costs for both loyal peers and attackers,but favor ostensible legiti-macy.Given a constant amount of over-provisioning, loyal peers continue to operate at the necessary rate re-gardless of the attacker’s power.Many systems over-provision resources to protect performance from known worst-case behavior(e.g.,the Unix?le system[30]). 5.1Admission Control

The purpose of the admission control defense is to ensure that a peer can control the rate at which it considers poll invitations from others,favoring invitations from those who operate at roughly the same rate as itself and pe-nalizing others.We implement admission control using three mechanisms:rate limitation,?rst-hand reputation, and effort balancing.

Rate Limitation:Without limits on the rate at which they attempt to service requests,peers can be over-whelmed by?oods of ostensibly valid requests.Rate Limitation suggests that peers should initiate and sat-isfy requests no faster than necessary rather than as fast as possible.Because readers access only their lo-cal LOCKSS peer,the audit and repair protocol is not subject to end-users’unpredictable request patterns.The protocol can proceed at its own pace,providing an inter-esting test case for rate limitation.

We identify three possible attacks based on deviation from the necessary rate of polling.A poll rate adversary would seek to trick victims into either decreasing(e.g., by causing back-off behavior)or increasing(e.g.,in an attempt to recover from a failed poll)their rate of calling polls.A poll?ood adversary would seek,under a multi-tude of identities,to invite victims into as many frivolous polls as possible hoping to crowd out the legitimate poll requests and thereby reduce the ability of loyal peers to audit and repair their content.A vote?ood adversary would seek to supply as many bogus votes as possible hoping to exhaust loyal pollers’resources in useless but expensive proofs of invalidity.

Peers defend against all these adversaries by setting their rate limits autonomously,not varying them in re-sponse to other peers’actions.Responding to adversity (inquorate polls or perceived contention)by calling polls more frequently could aggravate the problem;backing off to a lower rate of polls would achieve the adversary’s aim of slowing the detection and repair of damage;Kuz-manovic et al.[25]describe a similar attack in the context of TCP retransmission timers.Because peers do not re-act,the poll rate adversary has no opportunity to attack. The price of this?xed rate of operation is that,absent manual intervention,a peer may take several inter-poll intervals to recover from a catastrophic storage failure. The poll?ood adversary tries to get victims to over-commit their resources or at least to commit excessively to the adversary.To prevent over-commitment,peers maintain a task schedule of their promises to perform ef-fort,both to generate votes for others and to call their own polls.If the effort of computing the vote solicited by an incoming Poll message cannot be accommodated in the schedule,the invitation is refused.Furthermore, peers limit the rate at which they even consider poll invi-tations(i.e.,establishing a secure session,checking their schedule,etc.).A peer sets this rate limit for considering poll invitations according to the rate of poll invitations it sends out to others;this is essentially a self-clocking mechanism.We explain how this rate limit is enforced in

the?rst-hand reputation description below.We evaluate our defenses against poll?ood strategies in Section7.3. The vote?ood adversary is hamstrung by the fact that votes can be supplied only in response to an invitation by the putative victim poller,and pollers solicit votes at a?xed rate.Unsolicited votes are ignored.

First-hand reputation:A peer locally maintains and uses?rst-hand reputation(i.e.,history)for other peers. Each peer P maintains a known-peers list,separately for each AU it preserves.The list contains an entry for ev-ery peer that P has encountered in the past,tracking its exchange of votes with that peer.The entry holds a rep-utation grade for the peer,which is one of three values: debt,even,or credit.A debt grade means that the peer has supplied P with fewer votes than P has supplied it.

A credit grade means P has supplied the peer with fewer votes than the peer has supplied P.An even grade means that P and the peer are even in their recent exchanges of votes.Entries in the known-peers list“decay”with time toward the debt grade.

In a protocol interaction,both the poller and a voter modify the grade they have assigned to each other de-pending on their respective behaviors.If the voter sup-plies a valid vote and valid repairs for any blocks the poller requests,then the poller increases the grade it has assigned to the voter(from debt to even,from even to credit,or from credit to credit)and the voter correspond-ingly decreases the grade it has assigned to the poller.If either the poller or the voter misbehave(e.g.,the voter commits to supplying a vote but does not,or the poller does not send a valid evaluation receipt),then the other peer decreases its grade to debt.This is similar to the re-ciprocative strategy of Feldman et al.[17],in that it pe-nalizes peers who do not reciprocate,i.e.,do not supply votes in return for the votes they receive.

Peers randomly drop some poll invitations arriving from previously unknown peers and from pollers with a debt grade.Invitations from pollers with an even or credit grade are not dropped.This reputation system re-duces free-riding,as it is not possible for a peer to main-tain an even or credit grade without providing valid votes. To discourage identity whitewashing the drop probabil-ity imposed on unknown pollers is higher than that im-posed on known in-debt pollers.Furthermore,invitations from unknown or in-debt pollers are subject to a rigid rate limit;after it admits one such invitation for consid-eration,a voter enters a refractory period during which it automatically rejects all invitations from unknown or in-debt pollers.Like the known-peers list,refractory pe-riods are maintained on a per AU basis.Consequently, during every refractory period,a voter admits at most one invitation from unknown or in-debt peers,plus at most one invitation from each of its fellow peers with a credit or even grade.Since credit and even grades decay with time,the total“liability”of a peer in the number of in-vitations it must admit per refractory period is limited to a small constant number.As a result,the duration of the refractory period is inversely proportional to the rate limit imposed by the peer on the poll invitations that it considers for each AU it preserves.

Continuous triggering of the refractory period can stop a victim voter from accepting invitations from unknown peers who are loyal;this can limit the choices a poller has in potential voters to peers that know the poller al-ready.To reduce this impediment to diversity,we in-stitute the concept of peer introductions.A peer may introduce peers that it considers loyal to others;peers introduced in this way can bypass random drops and re-fractory periods.Introductions are bundled along with nominations during the regular discovery process(Sec-tion4.2).Speci?cally,a poller randomly partitions the peer identities in a Vote message into outer circle nomi-nations and introductions.A poll invitation from an in-troduced peer is treated as if coming from a known peer with an even grade.This unobstructed admission con-sumes the introduction in such a way that at most one in-troduction is honored per(validly voting)introducer,and unused introductions do not accumulate.Speci?cally, when consuming the introduction of peer B by peer A for AU X,all other introductions of other introducees by peer A for AU X are“forgotten,”as are all introduc-tions of peer B for X by other introducers.Furthermore, introductions by peers who have entered and left the ref-erence list are also removed,and the maximum number of outstanding introductions is capped.

Effort Balancing:If a peer expends more effort to re-act to a protocol message than the sender of that message did to generate and transmit it,then an attrition attack need consist only of a?ow of ostensibly valid protocol messages,enough to exhaust the victim peer’s resources. We adapt the ideas of pricing via processing[15]to discourage such attacks from resource-constrained ad-versaries by effort balancing our protocol.We in?ate the cost of a request by requiring it to include a proof of com-putational effort suf?cient to ensure that the total cost of generating the request exceeds the cost to the supplier of both verifying the effort proof and satisfying the re-quest.We favor Memory-Bound Functions(MBF)[14] rather than CPU-bound schemes such as“client puz-zles”[12]for this purpose,because the spread in memory system performance is smaller than that of CPU perfor-mance[13].Note that an adversary with ample compu-tational resources is not hindered by effort balancing. Applying an effort balancing?lter at each step of a multi-step protocol defends against three attack patterns:?rst,desertion strategies in which the attacker stops tak-ing part some way through the protocol,having spent less effort in the process than the effort in?icted upon

his victim;second,reservation strategies that cause the victim to schedule or commit resources that the attacker does not use,but successfully take away from other,use-ful tasks;and,third,wasteful strategies in which service is obtained but the result is not“consumed”by the re-quester as expected by the protocol,in an attempt to min-imize the attacker’s total expended effort.

Pollers could mount a desertion attack by cheaply so-liciting an expensive vote.To discourage this,the poller must include provable effort in its vote solicitation mes-sages(Poll and PollProof)that in total exceeds,by at least an amount described in the next paragraph,the effort re-quired by the voter to verify that effort and to produce the requested vote.Producing a vote amounts to fetching an AU replica from disk,hashing it,and shipping back to the poller one hash per block in the Vote message.

V oters could mount a desertion attack by cheaply gen-erating a bogus vote in response to an expensive solici-tation,returning garbage instead of block hashes in the hope of wasting not merely the poller’s solicitation effort but also its effort to verify the hashes.Because the poller evaluates the vote one block at a time,it costs the ef-fort of hashing one block to detect that the vote disagrees with its own AU replica,which may mean either that the vote is bogus,or that the poller’s and voter’s replicas of the AU differ in that block.The voter must therefore include in the Vote message provable effort suf?cient to cover the cost of hashing a single block and of verifying this effort.The extra effort in the solicitation messages referred to above is required to cover the generation of this provable effort.

Pollers could mount a reservation attack by sending a valid Poll message that causes the voter to reserve time for computing a vote in anticipation of a PollProof mes-sage which the poller never sends.To discourage this, pollers must include suf?cient introductory effort in Poll messages to match the effort the voter could expend while waiting for the poller’s PollProof before timing out. Upon receiving the af?rmative PollAck,the poller per-forms the balance of the provable effort the voter needs to defend against desertion attacks.The poller includes the resulting proof in the PollProof message.

Pollers could mount a wasteful attack by soliciting ex-pensive votes and then discarding them unevaluated.To discourage this we require the poller,after evaluating a vote,to supply the voter with an unforgeable evaluation receipt proving that it evaluated the vote.V oters generate votes and pollers evaluate them using very similar pro-cesses:generating or validating effort proofs and hashing blocks of the local AU replica.Conveniently,generating a proof of effort using our chosen MBF mechanism also generates160bits of unforgeable byproduct.The voter remembers the byproduct;the poller uses it as the evalua-tion receipt to send to the voter.If the receipt matches the voter’s remembered byproduct the voter knows the poller performed the necessary effort,regardless of whether the poller was loyal or malicious.

In Section7.4we show how our series of effort balanc-ing?lters fare against such attacks mounted by pollers, evaluating the success of an adversary who defects at dif-ferent key points in the protocol,seeking to maximize the defenders’wasted effort.We omit the evaluation of ef-fort balancing attacks by voters,since they are rendered ineffective by the rate limits described above.

5.2Desynchronization

The desynchronization defense requires that measures such as randomization be applied to avoid the kind of inadvertent synchronization that has been observed in many distributed systems.Examples include TCP sender windows at bottleneck routers,clients waiting for a busy server,and periodic routing messages[18].Peer-to-peer systems in which a peer requesting service must?nd many others simultaneously available to supply that ser-vice(e.g.,in a read-one-write-many fault-tolerant sys-tem[27])may encounter this problem.If they do,even absent an attack,moderate levels of peer busyness can prevent the system from delivering services.A poll?ood attacker in this situation may only need to increase peer busyness slightly to have a large effect.

Simulations of poll?ood attacks on an earlier version of the protocol[28]showed this effect.Loyal pollers were at a great disadvantage against the attrition adver-sary because they needed to?nd a quorum of voters who could simultaneously vote on an AU.The voters must be chosen at random to make directed subversion hard for the adversary.They must also have free resources at the speci?ed time,in the face of resource contention from other peers who are also competing for voters on the same or other AUs at the same time.The adversary has no such requirements;he can?nd and invite an indi-vidual victim into a futile poll.

Peers avoid this problem by soliciting votes individu-ally rather than synchronously,extending the period dur-ing which a quorum of votes can be collected before they are all evaluated.A poll is thus a sequence of two-party interactions rather than a single multi-party interaction.

5.3Redundancy

If the survival of,or access to,an AU relied only on a few replicas,an attrition attack could focus on those replicas, cutting off the communication between them needed for audit and repair.Each LOCKSS peer preserving an AU maintains its own replica and serves it only to its local clients.This massive redundancy helps resist attacks in

two ways.First,it ensures that a successful attrition at-tack must target most of the replicas,typically a large number of peers.Second,it forces the attrition attack to suppress the communication or activity of the targeted peers continuously for a long period.Unless the attack does both,the targeted peers recover by auditing and re-pairing themselves from the untargeted peers,as shown in Section7.2.This is because massive redundancy al-lows peers at each poll to choose a sample of their ref-erence list that is bigger than the quorum and continue to solicit votes from them at random times for the entire duration of a poll(typically3months)until the voters ac-cept.Further,the margin between the rate at which peers call polls and the rate at which they suffer undetected damage provides redundancy in time.A single failed poll has little effect on the safety of its caller’s replica.

6Simulation

In this section we give details about the simulation envi-ronment and the metrics we use to evaluate the system’s effectiveness in meeting its goals.

The?rst requirement for the system is to preserve the long-term integrity of the replicated AU,by ensuring that a majority of all replicas re?ect the correct AU contents. If a majority of replicas are corrupt,we consider the sys-tem to have failed with irrecoverable damage.

An attrition adversary could in theory mount a pipe stoppage attack of suf?cient coverage,intensity,and du-ration to prevent all communication between all replicas for long enough for undetected storage errors to corrupt a majority of replicas.In practice this attack would have to last for years;other non-attrition attacks aimed more di-rectly at corrupting data are more likely to make progress at these timescales[29].

The second requirement for the system is to preserve access to a correct replica at each peer for as much of the time as possible,in the face of local storage failures and attacks.Reducing the probability that a particular correct replica is accessible is a more attainable goal for an attri-tion attack than causing irrecoverable damage through an attrition attack,thus our simulations measure the success of the adversary against this goal.

6.1Evaluation Metrics

We use four metrics to measure the effectiveness of our defenses against the attrition adversary:access failure probability,delay ratio,coef?cient of friction,and cost ratio.

Access failure probability:To measure the success of an attrition adversary at increasing the probability that a reader obtains a damaged AU replica,we compute the access failure probability as the fraction of all replicas in the system that are damaged,averaged over all time points in the experiment.

Delay ratio:To measure the degradation an attrition adversary achieves,we compute the delay ratio as the mean time between successful polls at loyal peers with the system under attack divided by the same measure-ment without the attack.

Coef?cient of friction:To measure the cost of an attack to loyal peers,we measure the coef?cient of friction,de-?ned as the average effort expended by loyal peers per successful poll during an attack divided by their average per-poll effort absent an attack.

Cost ratio:To compare the cost of an effortful attack to the adversary and to the defenders,we compute the cost ratio,which is the ratio of the total effort expended by the attackers during an attack to that of the defenders.

6.2Environment and Adversaries

We run our experiments using Narses[19],a discrete-event simulator that exports a sockets-like network inter-face and provides facilities for modeling computationally expensive operations,such as computing MBF efforts and hashing documents.Narses allows experimenters to pick from a range of network models that trade off speed for accuracy.In this study we are mostly interested in the application-level effects of an attrition attack,so we choose a simplistic network model that takes into ac-count network delays but not congestion,except for the side-effects of arti?cial congestion used by a pipe stop-page adversary.The link bandwidths with which peers connect to the network are uniformly distributed among three choices:1.5,10,and100Mbps.Link latencies are uniformly distributed between1and30milliseconds. Nodes in the system are divided into two categories: loyal peers and the adversary’s minions.Loyal peers are uncompromised peers that execute the protocol correctly. Adversary minions are nodes that collaborate to execute the adversary’s attack strategy.

We conservatively simulate the adversary as a cluster of nodes with as many IP addresses and as much compute power as he needs.Each adversary minion has complete and instantaneous knowledge of all adversary state and has a magically incorruptible copy of all AUs.Other as-sumptions about our adversary that are less relevant to attrition can be found in[29].

To distill the adversary’s actual cost of attack from any other effort he might have to shoulder(e.g.,to masquer-ade as a loyal peer),the adversary in these experiments is completely outside of the network of loyal peers.Loyal peers never ask the adversary’s minions to vote in polls and the adversary only asks loyal peers to vote in his polls.This differs from LOCKSS adversaries we have studied before[29].

6.3Simulation Parameters

We evaluate the preservation of a collection of AUs dis-tributed among a population of loyal peers.For simplic-ity in this stage of our exploration,we assume that each AU contains0.5GBytes(a large AU in practice).Each peer maintains a number of AUs ranging from50to600. All peers have replicas of all AUs;we do not yet simu-

late the diversity of local collections that we expect will evolve over time.These simpli?cations allow us to fo-cus our attention on the common performance of our at-trition resistance machinery,ignoring for the time being how that performance varies when AUs vary in size and popularity.Note that our600simulated AUs total about 10%of the size of the annual AU intake of a large journal collection such as that of Stanford University Libraries. Adding the equivalent of10of today’s low-cost PCs per year and consolidating them as old PCs are rendered ob-solete is an affordable deployment scenario for a large library.We set all costs of primitive operations(hashing, encryption,L1cache and RAM accesses,etc.)to match the capabilities of such a low-cost PC.

All simulations have a constant loyal peer population of100nodes and run for two simulated years,with3 runs per data point.Each peer runs a poll on each of its AUs on average every3months.Each poll uses a quorum of10peers and considers landslide agreement as having a maximum of three disagreeing votes.These parameters were empirically determined from previous iterations of the deployed beta protocol.We set the?xed drop probability to be0.90for unknown peers and0.80 for in-debt peers.

Memory limits in the Java Virtual Machine prevent Narses from simulating more than about50AUs/peer in a single run.We simulate600AU collections by layering 50AUs/peer runs,adding the tasks caused by this layer’s 50AUs to the task schedule for each peer accumulated during the preceding layers.In effect,layer n is a simula-tion of50AUs on peers already running a realistic work-load of50(n?1)AUs.The effect is to over-estimate the peer’s busyness for AUs in higher layers and under-estimate it for AUs in lower layers;AUs in a layer com-pete for the resources left over by lower layers but AUs in lower layers are unaffected by the resources used in higher layers.We have validated this technique against unlayered simulations in smaller collections,as well as against simulations in which in?ated per-AU preserva-tion costs cause similar levels of peer load;we found negligible differences.

We are currently exploring the parameter space but use the following heuristics to help determine parame-ter values.The refractory period of one day allows for 90invitations from unknown or in-debt peers to be ac-cepted per3-month inter-poll interval;in contrast,a peer

0.0002

0.0005

0.001

0.002

0.005

0.01

A

c

c

e

s

s

f

a

i

l

u

r

e

p

r

o

b

a

b

i

l

i

t

y

Poll Interval (months)

Figure2:Mean access failure probability(y axis in log scale)for increasing inter-poll intervals(x axis)at vari-able mean times between storage failure(from1to5 years per disk),absent an attack.We show results for collection sizes of50(points only)and of600AUs(line-spoints).For illustration,we show minimum and maxi-mum values for the2-year data set;this variance is repre-sentative of all measurements,which we omit for clarity.

requires an average of30votes per poll and,because of self-clocking,should be able to accept at least an aver-age of30poll invitations per inter-poll interval.Conse-quently,we allow up to a total of four times the rate of poll invitations that should be expected in the absence of attacks.At this rate,even if all poll invitations are bogus, the total cost of detecting them as bogus is negligible. We set the?xed drop probability for in-debt peers and the cost of verifying an introductory effort so that the cumulative introductory effort expended by an effortful attack on dropped invitations is more than the voter’s ef-fort to consider the adversary’s eventually admitted invi-tation.Since an adversary has to try with in-debt iden-tities on average5times to be admitted(thanks to the 1?0.8=0.2admission probability),we set the intro-ductory effort to be20%of the total effort required of a poller;by the time the adversary has gotten his poll invi-tation admitted,even if he defects for the rest of the poll, he has already expended on average100%of the effort he would have,had he behaved well in the?rst place.

7Results

The probability of access failure summarizes the success of an attrition attack.We start by establishing a baseline rate of access failures absent an attack.We then assess the effectiveness against this baseline of the effortless at-tacks we consider:network-level?ooding attacks on the bandwidth?lter in Section7.2,and Sybil attacks on the admission control?lter in Section7.3.Finally,we assess against this baseline each of the effortful attacks corre-sponding to each effort veri?cation?lter in Section7.4.

0.0002

0.00050.0010.0020.0050.01

A c c e s s f a i l u r e p r o b a b i l i t y

Attack duration (days)

Figure 3:The access failure probability (y axis in log scale)observed during repeated pipe stoppage attacks of varying duration (x axis in log scale),covering between 10and 100%of the peers.

In each case we show the effect of increasing scales of attack on the access failure probability,and relevant sup-porting graphs including the delay ratio,the coef?cient of friction,and for effortful attacks the cost ratio.

Our mechanisms for defending against an attrition adversary raise the effort required per loyal peer.To achieve a bound on access failure probabilities,one must be willing to over-provision the system to accommodate the extra effort.Over-provisioning the system by a con-stant factor,we can defend it against

application-level at-trition attacks of unlimited power (Sections 7.3and 7.4).

7.1Baseline

Our simulated peers suffer random storage damage at rates of one block in 1to 5disk years (50AUs per disk).This is a very high rate of damage,as the LOCKSS beta test suggests that one such undetected occurrence every 5machine years would be a gross overestimate;we in-?ate this failure rate to encompass other types of storage failure,including temporary tampering and human error.Figure 2plots the access failure probability versus the inter-poll interval.It shows that as the inter-poll interval increases relative to the mean interval between storage failures,the access failure probability increases because damage takes longer to detect and repair.The access failure probability is similar for a 50-AU collection all the way up to a 600-AU collection (we omit intermediate collection sizes for clarity).

For comparison purposes in the rest of the experi-ments,the baseline access failure probability of 4.8×10?4for a 50-AU collection and of 5.2×10?4for a 600-AU collection correspond to our inter-poll interval of 3months and a storage damage rate of one block per 5disk years.

1

2 5 10 201

510306090

180

D e l a y r a t i o

Attack duration (days)

Figure 4:The delay ratio (y axis in log scale)imposed by repeated pipe stoppage attacks of varying duration (x axis in log scale)and coverage of the population.Absent an attack,this metric has value 1.

1

2 5 10 201

510306090

180

C o e f f i c i e n t o f f r i c t i o n

Attack duration (days)

Figure 5:The coef?cient of friction (y axis in log scale)imposed by pipe stoppage attacks of varying duration (x axis in log scale)and coverage of the population.

7.2Targeting the Bandwidth Filter

The “pipe stoppage”adversary models packet ?ood-ing or more sophisticated attacks [25].This adversary suppresses all communication between some proportion of the total peer population (its coverage )and other LOCKSS peers.During a pipe-stoppage attack,local readers may still access content.Each attack consists of a period of pipe stoppage,which lasts between 1and 180days,followed by a 30-day recuperation period dur-ing which all communication is restored;this pattern is repeated for the entire experiment,affecting a different random subset of the population in each iteration.

Figure 3plots the access failure probability versus the attack duration for varying coverage values (10to 100%).As expected,the access failure probability increases as the coverage of the attack increases.At 100%coverage,we see that the larger 600-AU collection tracks the small 50-AU collection closely,albeit at a slight disadvantage,due to increased scheduling contention as peers get more loaded.Even in the extreme case where 100%of the pop-ulation has no communication for 6months,access fail-ures occur with a mean probability of about 2.9×10?3for a 600-AU collection;this is well within tolerable lim-its for any service that is widely open to the Internet.Figures 4and 5plot the delay ratio and coef?cient of friction,respectively,versus attack duration.We ?nd that attacks must last at least 60days to raise the delay ratio by an order of magnitude.Similarly,the coef?cient of

0.0002

0.00050.0010.0020.0050.01

A c c e s s f a i l u r e p r o b a b i l i t y

Attack duration (days)

Figure 6:The access failure probability (y axis in log scale)for attacks of increasing duration (x axis in log scale)by the admission control adversary over 10to 100%of the peer population.

friction during repeated attacks that last less than a few days each is negligibly greater than 1;for longer attacks,the coef?cient can reach 10.

7.3Targeting the Admission Control Filter

The admission control adversary aims to reduce the like-lihood of a victim admitting a loyal poll request by trig-gering that victim’s refractory period as often as possi-ble.This adversary sends cheap garbage invitations to varying fractions of the peer population for varying pe-riods of time separated by a ?xed recuperation period of 30days.The adversary sends his invitations using poller addresses that are unknown to the victims.These,when eventually admitted,cause those victims to enter their re-fractory periods and drop all subsequent invitations from unknown

and in-debt peers.

Figures 6,7,and 8show that these attacks have little effect on the access failure probability or the delay ra-tio.The access failure probability is raised to 5.9×10?4when the duration of the attack reaches the entire du-ration of our simulations (2years)for full population coverage and a 600-AU collection.At that attack inten-sity,loyal peers no longer admit poll invitations from unknown or in-debt loyal peers,unless supported by an introduction.This causes discovery to operate more slowly;loyal peers waste a lot of their resources on in-troductory effort proofs that are summarily rejected by peers in their refractory period.This wasted effort is ap-parent in Figure 8,which shows that when the attack is sustained for long periods of time,it can raise the cost to loyal peers of every successful poll by 33%.

Note that techniques such as blacklisting,commonly used to defeat denial-of-service attacks in the context of email spam,or server selection [17]by which pollers only invite voters they believe will accept,could signi?-cantly reduce the friction caused by this attack.However,

1

2 5 10 201

5

103090180

720

D e l a y r a t i o

Attack duration (days)

Figure 7:Delay ratio (y axis in log scale)for attacks of increasing duration (x axis in log scale)by the admission control adversary over 10to 100%of the peer population.

1

2 5 10 201

5

103090180

720

C o e f f i c i e n t o f f r i c t i o n

Attack duration (days)

Figure 8:Coef?cient of friction (y axis in log scale)for attacks of increasing duration (x axis in log scale)by the admission control adversary over 10to 100%of the peer population.

we have yet to explore whether these defenses would be compatible with our goal of also protecting against sub-version attacks that operate by biasing the opinion poll sample toward corrupted peers [29].

7.4Targeting the Effort Veri?cation Filters

To attack ?lters downstream of admission control,the ad-versary must get through admission control as fast as al-lowable.We consider an attack by a “brute force”adver-sary who continuously sends enough poll invitations with valid introductory efforts to get past the random drops;such invitations cannot arrive from credit or even identi-ties at the steady attack state,because they are more fre-quent than what is considered legitimate.Since unknown peers suffer more random drops than peers in debt,the adversary launches attacks from in-debt addresses.We conservatively initialize all adversary addresses with a debt grade at all loyal peers.We also give the adversary an oracle that allows him to inspect all the loyal peers’schedules.This spares him the generation of introduc-tory efforts that would be wasted because of scheduling con?icts at loyal peers.

Once through admission control,the adversary can de-fect at any stage of the protocol exchange:after provid-ing the introductory effort in the Poll message (INTRO)by never following up with a PollProof ,after providing the remaining effort in the PollProof message (REMAIN-ING)by never following up with an EvaluationReceipt ,

Defection Coeff.Delay

ratio failure INTRO1.401.11

2.046.35×10?4

1.555.90×10?4 ING

2.501.10

NONE2.601.11

1.066.19×10?4 Table1:The effect of the brute force adversary defect-ing at various points in the protocol on the coef?cient of friction,the cost ratio,the delay ratio,and the access fail-ure probability.For each point,the upper numbers cor-respond to the50-AU collection and the lower numbers correspond to the600-AU collection.

and not defecting at all(NONE).

Table1shows that the brute force adversary’s most cost-effective strategy(i.e.,with the lowest cost ratio metric)is to participate fully in the protocol;by doing so he is able to raise loyal peers’preservation cost(i.e., their coef?cient of friction)by a factor of2.60(2.49for the large collection).Doing so raises the baseline prob-ability of access failure to6.19×10?4at a cost almost identical to that incurred to the defenders(by a factor of1.06).Fortunately,this continuous attack even from a brute force adversary unconcerned by his own effort expenditure is unable to increase the access failure prob-ability of the victims greatly;the rate limits prevent him from bringing his advantage in resources to bear.Simi-lar behavior in our earlier work[29]prevented a differ-ent unconstrained adversary from modifying the content without detection.

In the analysis above,we conservatively assume that the brute force adversary uses attacking identities in the debt grade of their victims.Space constraints lead us to omit experiments with an adversary whose minions may be in either even or credit grade.This adversary polls a victim only after he has supplied that victim with a vote,then defects in any of the ways described above. He then recovers his grade at the victim by supplying an appropriate number of valid votes in succession.Each vote he supplies is used to introduce new minions that thereby bypass the victim’s admission control before de-fecting.This attack requires the victim to invite minions into polls and is thus rate-limited enough that it is less effective than brute force.It is also further limited by the decay of?rst-hand reputation toward the debt grade.We leave the details for an extended version of this paper.8Related Work

The protocol described here is derived from earlier work[29]in which we covered the background of the LOCKSS system.That protocol used redundancy, rate limitation,effort balancing,bimodal behavior(polls must be won or lost by a landslide)and friend bias(solic-iting some percentage of votes from peers on the friends list)to prevent powerful adversaries from modifying the content without detection,or discrediting the intrusion detection system with false alarms.To mitigate its vul-nerability to attrition,in this work we reinforce these de-fenses using admission control,desynchronization,and redundancy,and restructure votes to support a block-based repair mechanism that penalizes free-riding.In this section we list work that describes the nature and types of denial of service attacks,as well as related work that applies defenses similar to ours.

Our attrition adversary draws on a wide range of work in detecting[22],measuring[31],and combating[2,26, 38,39]network-level DDoS attacks capable of stopping traf?c to and from our peers.This work observes that current attacks are not simultaneously of high intensity, long duration,and high coverage(many peers)[31]. Redundancy is a key to survival during some DoS at-tacks,because pipe stoppage appears to other peers as a failed peer.Many systems use redundancy to mask stor-age failure[24].Byzantine Fault Tolerance[7]is related to the LOCKSS opinion polling mechanism in its goal of managing replicas in the face of attack.It provides stronger guarantees but is not as well adapted to large numbers of replicas.Routing along multiple redundant paths in Distributed Hash Tables(DHTs)has been sug-gested as a way of increasing the probability that a mes-sage arrives at its intended recipient despite nodes drop-ping messages due to malice[6]or pipe stoppage[23]. Rate limits are effective in slowing the spread of viruses[40,44].They have also been suggested for lim-iting the rate at which peers can join a DHT[6,43]as a defense against attempts to control part of the hash space. Our work suggests that DHTs will need to rate limit not only joins but also stores to defend against attrition at-tacks.Another study[37]suggests that the increased la-tency this will cause will not affect users’behavior. Effort balancing is used as a defense against spam, which may be considered an application-level DoS at-tack and has received the bulk of the attention in this area.Our effort balancing defense draws on pricing via processing concepts[15].We measure cost by memory cycles[1,14];others use CPU cycles[4,15]or even Turing tests[41].Crosby et al.[10]show that worst-case behavior of application algorithms can be exploited in application-level DoS attacks;our use of nonces and the bounded veri?cation time of MBF avoid this risk.In

the LOCKSS system we avoid strong peer identities and infrastructure changes,and therefore rule out many tech-niques for excluding malign peers such as Secure Over-lay Services[23].

Related to?rst-hand reputation is the use of game-theoretic analysis of peer behavior by Feldman et al.[17] to show that a reciprocative strategy in admission control policy can motivate cooperation among sel?sh peers. Admission control has been used to improve the us-ability of overloaded services.For example,Cherkasova et al.[8]propose admission control strategies that help protect long-running Web service sessions(i.e.,related sequences of requests)from abrupt termination.Pre-serving the responsiveness of Web services in the face of demand spikes is critical,whereas LOCKSS peers need only manage their resources to make progress at the nec-essary rate in the long term.They can treat demand spikes as hostile behavior.In a P2P context,Daswani et al.[11]use admission control(and rate limiting)to mitigate the effects of a query?ood attack against super-peers in unstructured?le-sharing peer-to-peer networks such as Gnutella.

Golle and Mironov[20]provide compliance enforce-ment in the context of distributed computation using a receipt technique similar to ours.Random auditing us-ing challenges and hashing has been proposed[9,43]as a means of enforcing trading requirements in some dis-tributed storage systems.

In DHTs waves of synchronized routing updates caused by joins or departures cause instability during pe-riods of high churn.Bamboo’s[33]desynchronization defense using lazy updates is effective.

9Future Work

We are currently exploring the admission control param-eter space.In particular,we are studying the effects of varying the length of the refractory period,the drop prob-abilities for unknown and in-debt peers,and the effects of running the audit protocol over a larger number of AUs. As the number of AUs increases and peers are naturally more busy participating in polls,a longer refractory pe-riod may be more appropriate to allow loyal peers time to handle the load of polls called by other loyal peers. We have three immediate goals for future work.First, we observe that although the protocol is symmetric,the attrition adversary’s use of it is asymmetric.It may be that adaptive behavior of the loyal peers can exploit this asymmetry.For example,loyal peers could modulate the probability of acceptance of a poll request according to their recent busyness.The effect would be to raise the marginal effort required to increase the loyal peer’s busy-ness as the attack effort increases.Second,we need to understand how our defenses against attrition work in a more dynamic environment,where new loyal peers con-tinually join the system over time.Third,we need to con-sider combined adversary strategies;it could be that the adversary can use an attrition attack to weaken the sys-tem in some way that leaves it more vulnerable to other attack goals.

10Conclusion

The defenses of this paper equip the LOCKSS system to resist attrition well:

?Application-level attrition attacks,even from adver-saries with no resource constraints and sustained for two years,can be defeated with a constant factor of over-provisioning.Such over-provisioning is natu-ral in our application,but further work may signi?-cantly reduce the required amount.

?The strategy that provides an unconstrained adver-sary with the greatest impact on the system is to be-have as a large number of new loyal peers.?Network-level attacks do not affect the system sig-ni?cantly unless they are(a)intense enough to stop all communication between peers,(b)widespread enough to target all of the peers,and(c)sustained over a signi?cant fraction of an inter-poll interval. Digital preservation is an unusual application,in that the goal is to prevent things from happening.The LOCKSS system resists failures and attacks from pow-erful adversaries without normal defenses such as long-term secrets and central administration.The techniques that we have developed may be primarily applicable to preservation,but we hope that our conservative design will assist others in building systems that better meet so-ciety’s need for more reliable and defensible systems. Both the LOCKSS project and the Narses simulator are hosted at SourceForge,and both carry BSD-style Open Source licenses.Implementation of this protocol in the production LOCKSS system is in progress.

11Acknowledgments

We are grateful to Kevin Lai,Joe Hellerstein,Yanto Mu-liadi,Geoff Goodell,Ed Swierk,and Lucy Cherkasova for their help.We are especially thankful to Vicky Reich, the director of the LOCKSS program.

This work is supported by the National Science Foun-dation(Grant No.9907296)and by the Andrew W.Mel-lon Foundation.Any opinions,?ndings,and conclusions or recommendations expressed here are those of the au-thors and do not necessarily re?ect the views of these funding agencies.

References

[1]A BADI ,M.,B URROWS ,M.,M ANASSE ,M.,AND W OBBER ,T.

Moderately Hard,Memory-bound Functions.In NDSS (2003).[2]A RGYRAKI ,K.,AND C HERITON ,D.Active Internet Traf?c

Filtering:Real-time Response to Denial of Service Attacks.Tech.Rep.cs.NI/0309054,Stanford University,Sept.2003.[3]ARL

–

A SSOCIATION OF R ESEARCH L I -BRARIES .

ARL Statistics 2000-01.https://www.doczj.com/doc/8b7963834.html,/stats/arlstat/01pub/intro.html ,2001.[4]B ACK ,A.Hashcash -a denial of service counter measure,2002.

https://www.doczj.com/doc/8b7963834.html,/hashcash.pdf .[5]C ANTARA ,L.Archiving Electronic Journals.

https://www.doczj.com/doc/8b7963834.html,/preserve/ejp.htm ,2003.[6]C ASTRO ,M.,D RUSCHEL ,P.,G ANESH ,A.,R OWSTRON ,A.,AND W ALLACH ,D.S.Secure Routing for Structured Peer-to-Peer Overlay Networks.In OSDI (2002).[7]C ASTRO ,M.,AND L ISKOV ,B.Practical Byzantine Fault Toler-ance.In OSDI (1999).[8]C HERKASOVA ,L.,AND P HAAL ,P.Session-Based Admission Control:A Mechanism for Peak Load Management of Commer-cial Web Sites.IEEE Trans.on Computers 51,6(2002).[9]C OX ,L.P.,AND N OBLE ,B.D.Samsara:Honor Among

Thieves in Peer-to-Peer Storage.In SOSP (2003).[10]C ROSBY ,S.,AND W ALLACH ,D.S.Denial of Service via Algo-rithmic Complexity Attacks.In USENIX Security Symp.(2003).[11]D ASWANI ,N.,AND G ARCIA -M OLINA ,H.Query-Flood DoS

Attacks in Gnutella.In ACM Conf.on Computer and Communi-cations Security (2002).[12]D EAN ,D.,AND S TUBBLEFIELD ,https://www.doczj.com/doc/8b7963834.html,ing Client Puzzles to

Protect TLS.In USENIX Security Symp.(2001).[13]D OUCEUR ,J.The Sybil Attack.In 1st Intl.Workshop on Peer-to-Peer Systems (2002).[14]D WORK ,C.,G OLDBERG ,A.,AND N AOR ,M.On Memory-Bound Functions for Fighting Spam.In CRYPTO (2003).[15]D WORK , C.,AND N AOR ,M.

Pricing via Processing.

In

CRYPTO (1992).[16]E LECTRONIC

F RONTIER

F OUND .DMCA

Archive.

https://www.doczj.com/doc/8b7963834.html,/IP/DMCA/.

[17]F ELDMAN ,M.,L AI ,K.,S TOICA ,I.,AND C HUANG ,J.Ro-bust Incentive Techniques for Peer-to-Peer Networks.In ACM Electronic Commerce (2004).[18]F LOYD ,S.,AND J ACOBSON ,V.The Synchronization of Peri-odic Routing Messages.ACM Trans.on Networking 2,2(1994).[19]G IULI ,T.,AND B AKER ,M.Narses:A Scalable,Flow-Based

Network Simulator.Technical Report arXiv:cs.PF/0211024,Computer Science Department,Stanford University,Stanford,CA,USA,Nov.2002.[20]G OLLE ,P.,AND M IRONOV ,I.Uncheatable Distributed Compu-tations.Lecture Notes in Computer Science 2020(2001).

[21]H ORLINGS ,J.Cd-r’s binnen twee jaar onleesbaar.

http://www.pc-active.nl/toonArtikel.asp?artikelID=508,

2003.https://www.doczj.com/doc/8b7963834.html,/news/7751.[22]H USSAIN ,A.,H EIDEMANN ,J.,AND P APADOPOULOS ,C.A Framework for Classifying Denial of Service Attacks.In SIG-COMM (2003).

[23]K EROMYTIS ,A.,M ISRA ,V.,AND R UBENSTEIN ,D.SOS:Se-cure Overlay Services.In SIGCOMM (2002).

[24]K UBIATOWICZ ,J.,B INDEL ,D.,C HEN ,Y.,C ZERWINSKI ,S.,

E ATON ,P.,G EELS ,D.,G UMMADI ,R.,R HEA ,S.,W EATH -ERSPOON ,H.,W EIMER ,W.,W ELLS , C.,AND Z HAO , B.OceanStore:An Architecture for Global-Scale Persistent Stor-age.In ASPLOS (2000).[25]K UZMANOVIC ,A.,AND K NIGHTLY ,E.W.Low-Rate TCP-Targeted Denial of Service Attacks (The Shrew vs.the Mice and Elephants).In SIGCOMM (2003).

[26]M AHAJAN ,R.,B ELLOVIN ,S.,F LOYD ,S.,I OANNIDIS ,J.,

P AXSON ,V.,AND S HENKER ,S.Controlling high bandwidth aggregates in the https://www.doczj.com/doc/8b7963834.html,puter Communications Review

32,3(2002).[27]M ALKHI ,D.,AND R EITER ,M.Byzantine Quorum Systems.J.

Distributed Computing 11,4(1998),203–213.[28]M ANIATIS ,P.,G IULI ,T.,R OUSSOPOULOS ,M.,R OSENTHAL ,D.,AND B AKER ,M.Impeding Attrition Attacks on P2P Sys-tems.In SIGOPS European Workshop (2004).[29]M ANIATIS ,P.,R OUSSOPOULOS ,M.,G IULI ,T.,R OSENTHAL ,

D.S.H.,B AKER ,M.,AND M ULIADI ,Y.Preserving Peer Repli-cas By Rate-Limited Sampled V oting.In SOSP (2003).[30]M C K USICK ,M.K.,J OY ,W.N.,L EFFLER ,S.J.,AND F ABRY ,

R.S.A Fast File System for UNIX.ACM Trans.on Computer Systems 2,3(1984),181–197.[31]M OORE ,D.,V OELKER ,G.M.,AND S AVAGE ,S.Inferring

Internet Denial-of-Service Activity.In USENIX Security Symp.(2001).[32]N EEDHAM ,R.Denial of Service.In ACM Conf.on Computer

and Communications Security (1993).[33]R HEA ,S.,G EELS ,D.,R OSCOE ,T.,AND K UBIATOWICZ ,J.

Handling churn in a DHT.In USENIX (2004).[34]R ODRIGUES ,R.,AND L ISKOV ,B.Byzantine Fault Tolerance in

Long-Lived Systems.In FuDiCo (2004).[35]R OSENTHAL ,D.S.,R OUSSOPOULOS ,M.,G IULI ,T.,M ANI -ATIS ,P.,AND B AKER ,https://www.doczj.com/doc/8b7963834.html,ing Hard Disks For Digital Preser-vation.In Imaging Science and Technology Archiving Conference (2004).[36]R OSENTHAL ,D.S.H.,AND R EICH ,V.Permanent Web Pub-lishing.In USENIX,Freenix Track (2000).[37]S AROIU ,S.,G UMMADI ,K.,D UNN ,R.,G RIBBLE ,S.,AND

L EVY ,H.An Analysis of Internet Content Delivery Systems.In OSDI (2002).[38]S AVAGE ,S.,W ETHERALL ,D.,K ARLIN ,A.,AND A NDERSON ,

T.Practical Network Support for IP Traceback.In SIGCOMM (2000).[39]S NOEREN ,A.,P ARTRIDGE ,C.,S ANCHEX ,L.,J ONES ,C.E.,

T CHAKOUNTIO ,F.,K ENT ,S.T.,AND S TRAYER ,T.,W.Hash-based IP Traceback.In SIGCOMM (2001).[40]S OMAYAJI ,A.,AND F ORREST ,S.Automated Response Using

System-Call Delays.In Usenix Security Symp.(2000).[41]S PAM A RREST ,LLC.Take Control of your Inbox.

https://www.doczj.com/doc/8b7963834.html, .

[42]T ENOPIR , C.Online Scholarly Journals:How

Many?The Library Journal ,2(2004).https://www.doczj.com/doc/8b7963834.html,/index.asp?layout=articlePrint [43]W ALLACH ,D.A Survey of Peer-to-Peer Security Issues.In Intl.Symp.on Software Security (2002).

[44]W ILLIAMSON ,M.Throttling Viruses:Restricting Propagation

to Defeat Malicious Mobile Code.In Annual Computer Security Applications Conf.(2002).

景区讲解员工作总结

景区讲解员工作总结 景区讲解员工作总结一 XX年是不平凡的一年，XX年我从学校走了出来，把两年里所学到的关于导游 的知识运用到我的工作中，从理论转向实践。XX年6月开始我在南岳衡山从事 地接导游导游工作，时间不长，资力也不深，而感慨却颇多：“导游”工作给我的 生活带来了许多快乐，却也让我知道，“导游”不是一项简单的工作，与其他职业 有一个显著的不同，那就是你必须与客人近距离接触，这自然使我们对服务的感 触比一般人深刻。从某种意义上可以这么讲，导游职业的无穷魅力正是源于我们 对服务的感知和热爱。 通过几个月的工作实践，我深深的体会到，取得了导游证，并不代表你就永远 是一个合格的导游员，而是要不断的的学习、充实、提高。在旅游者的眼中，导 游员应该是无所不知的“万事通”。导游服务是知识密集型的高智能的服务工作， 丰富的知识、广博的见闻是做好导游服务工的前提。作为一个导游员就要“与时俱进”，永远保持积极的求知欲，以适应社会进步和发展的需求。更重要的是。我们 自己千万不敢把自己当成“万事通”，要保持谦虚谨慎的态度，要切记“学海无涯”、“学无止境”，“人外有人，天外有天”，“三人行，必有我师”。 要时刻牢记导游的职责，认真学习《导游人员管理暂行规定》、《中华人民共 和国国家标准导游服务质量》，努力的实施好旅游计划，作好联系、协调、讲解 等服务工作。坚持“宾客至上、服务至上、为大家服务、合理而可能”的四大服务 原则细致、热心、周到的作好导游服务工作。也就是一切工作以旅游者为出发点，以服务为出发点，时刻考虑旅游者的利益和要求，绝不能拒绝游客的合理合法要求。服务过程中要坚持“为大家服务”的原则，不能有亲疏之分，厚此薄彼，而应 对每个游客都热情、周到、友好、尊重，不偏不倚、一视同仁;要坚持“合理而可能”的原则，在旅游服务过程中，要时刻关注游客的情绪变化，耐心倾听旅游者的 意见、要求，冷静分析、仔细甄别，合理又能实现的，就努力的去做，如果没有 作好或是已经错过机会，就想办法及时弥补，以求最大限度的达到游客的满意。 导游讲解服务是整个旅游服务活动过程中极为重要的一个方面，在导游讲解过程中，我认为“准确、清楚、生动”三者相辅相成，缺一不可，首先“准确”是首当其冲，至关重要的，在讲解过程中牢记“一伪灭千真”的教训，切忌胡编乱造、张冠 李戴、信口开河，这样会使游客有被蒙蔽、愚弄的感觉，会引起游客的反感、责备。旅游者在旅游活动中“求知”是重要的内容之一，而我们导游就起着传播知识 信息、传递审美观念、播洒中华文明的重任，因此导游语言必须科学、规范，传 递的信息必须正确无误，这样更能够吸引游客的注意，满足游客的“求知”愿望。 其次，“清楚”是关键，在导游讲解中，清楚、简洁流利的语言表达，是导游语言 科学性的又一体现。口齿清楚、言简意赅、措词恰当、组合相宜、层次分明、逻

讲解员接待服务管理办法

张掖丹霞文化旅游股份有限公司 讲解员接待服务管理办法 为加强公司的规范化管理，加强讲解员队伍建设，为游客提供优质、快捷、高效的旅游讲解服务，维护和提高景区文明服务形象，促进公司发展，特制定本办法。 一、讲解员应热爱讲解工作，树立良好的责任意识，统一着装，佩戴工作证、文明用语、礼貌待人,做到热情、主动、周到服务，自觉维护景区形象。 二、做好上车前的一切准备工作：包括观光车上的麦克风、音响设施等的调试检查。 三、在游客进入景区后，讲解员应在观光车门前等待迎接，并致欢迎词，引导游客有序乘车。 四、耐心解答在讲解服务过程中游客提出的各种问题，不断提高应变能力及服务水平。 五、讲解员应针对游客的特点和需求，因人施讲，调动游客的游览兴趣，提高参观的效果。要注意收集游客各方面意见和建议并及时做好信息的反馈工作。 六、讲解内容应规范准确、语言应风趣幽默。在游览过程中，及时将景区卫生间分布状况和到达时间告知游客。 七、讲解员不得以任何方式向游客兜售物品和索要小费、礼品，不得串通摊主、店主、车主欺骗、胁迫、敲诈游客消费。

八、讲解员讲解费由售票处统一收取，月底结算，严禁讲解员擅自违规收费。 九、讲解员在服务过程中要主动做好地貌保护的宣传和现场维护工作。 十、在讲解结束后应送游客到景区门口，并致欢送词。 十一、讲解员不得与游客发生争执，遇到特殊情况沉着应对并及时向领导反映，避免与游客发生冲突。 十二、讲解员违反本管理办法的，将给予每次20元—100元罚款；脱岗1次，罚款20元；因讲解员失误发生投诉案件的，每次处100元罚款；同时责令其限期改正，对逾期不改正或情节严重的，建议调整岗位。 十三、本办法由景区运营部负责解释。 十四、本办法自颁布之日起执行。

景区讲解员的服务流程

景区讲解员的服务流程-标准化文件发布号：（9456-EUATWK-MWUB-WUNN-INNUL-DDQTY-KII

景区讲解员的服务流程 1准备工作 熟悉接待计划：旅游团的基本信息，旅游团成员的情况，交通工具，是否有特殊要求和注意事项。 落实接待事宜：落实旅游车辆、住宿及用餐，掌握全陪或者司机的联系电话。与他们联系商定第二天的接团时间及地点。 物质准备：游客接待确认书，游客意见单，话筒，导游旗。 形象准备：上团前要做好仪容、仪表方面的准备。整洁、大方、自然、不浓妆艳抹。 语言和知识准备：要在大脑里面准备好第二天要讲解的内容；接待有专业知识的团队，要做好相关的专业知识、词汇的准备工作。语言要生动、流畅和清楚。 心理准备：我们要能有技巧的回答客人提出的任何问题，面对客人的指责、抱怨，我们要冷静、沉着的面对。 联络畅通准备：上团前一天，要把手机，话筒的电充足，随时保持畅通。 2接团服务 出发前的准备：在旅行团到达之前，打电话给全陪或者司机，前一天晚上20：00前确定好到达时间、人数、停车位置、集合地点等，在集合地点恭候旅游团的到来。旅游团到达后，协助全陪或者司机购票，提醒客人山顶温度较低，指引乘客上车，清点一下车上的人数。检票后通知司机师傅开车。 途中导游：致欢迎词，山路崎岖，提醒客人把车辆扶手打下并系好安全带，当日活动安排（参观景点名称、途中所经地点、所需时间），介绍游览景点（讲安全讲游客接待中心，讲内循环通道，讲景区公交车的发班时间，讲游览线路，讲中途会经过哪几个景点，讲三条游步道），活跃气氛（做些娱乐互动，与游客互动） 景点讲解：抵达景点下车之前，告知游客车牌号、停车地点、开车时间、游览线路、游览所需时间、游览过程中的注意事项（不能随便雕刻、不能在景区乱扔垃圾、不能在景区内吸烟、不能随意摘取野果实，以免误食）等。抵达景点后，组织客人有顺序的下车，提醒客人注意脚下的安全，带领游客沿着游览线路对所见景物进行精彩的导游讲解。在游览过程中要随时随地注意游客的安全，特别是老弱病残的游客，要防止游客走失和意外事件的发生。 3送团服务 清点团队人数，后提醒客人清点一下随身携带物品，如无遗漏则请司机开车离开。致欢送词（感谢语、惜别语、征求意见语、致歉语、祝愿语）。致完欢送词后，将“游客意见反馈表”发给游客，请其填写。游客填写完毕后如数收回，妥善保留。 4总结工作 认真做好带团小结，实事求是的汇报接团情况。 2

旅游景区讲解员讲解服务标准

旅游景区讲解员讲解服务标准 1范围 本标准规定了XX风景名胜区随车讲解员服务应达到的目的和要求。 本标准适用于XX风景名胜区随车讲解员讲解工作。 2 服务目的 为游客提供随车讲解服务，方便游客游览。 3 服务要求 3.1 时效性讲解人员应提前10分钟到岗，做好各项准备工作。 3.2 准确性 3.2.1 车辆出发前简单告知游客乘车注意事项，待游客坐稳后告知司机发车。 3.2.2 讲解员在讲解过程中要详细讲解景区的总体概况、沿途风光及景区各服务区基本情况，不得擅自减少或变更讲解内容。 3.2.3 在游客乘车过程中，告知游客景区投诉电话、游览注意事项等信息，当车辆快到站时，应提前准确报站。 3.3 文明性 3.3.1 在车辆启动的同时，致欢迎词：“尊敬的游客朋友，你们好，欢迎您来到XX世界地质公园观光游览”，介绍本人和司机师傅，公布景区投诉电话号码，表示诚挚服务的愿望，告知门票及安全注意事项。

3.3.2 讲解员举止大方得体，讲解内容生动形象，在沿途讲解中，不能随意减少讲解内容，严禁掺杂庸俗下流的内容，更不能接听电话，与人闲谈打闹。 3.3.3 讲解员处理各种事情要以大局为重，时刻维护景区利益与游客合法权益。耐心细致地解答游客提出的问题，想游客所想，急游客所急，主动为游客排忧解难。 3.4 着装要求讲解员须统一着装、佩戴工牌，保持良好的仪容仪表，穿着朴素大方，严禁穿奇装异服、浓妆艳抹，任何时候不得在游客面前整理衣裤。 3.5 行为要求讲解时要面对游客，站立服务，表情要自然、诚恳、和蔼，语言准确、生动、富有表达力，同时注意使用礼貌用语。严禁掺杂庸俗下流的内容，不得私自接听或拨打与工作无关的电话。 3.6 功能性告知游客使用门票的注意事项，建议游客合理安排旅游线路，介绍沿途风光及各服务区状况，提前报站，下车时提醒游客携带好随身物品。

景区讲解员的含义

景区讲解员的含义：景点讲解员是在博物馆或重要景区为游客提供导游讲解服务的人员，通常由所在景区景点统一培训和管理，具有较丰富的相关专业知识。 景区讲解员的岗位职责：1.认真做好旅游者在的接待服务； 2.热情做好导游讲解工作，积极向游客介绍和传播公司文化； 3.妥善处理好旅游相关服务各方面的协作关系，认真处理旅游者发生的各类问题； 4.维护旅游者的人身和财物安全，做好事故防范和安全提示工作。 5.做好导游讲解团队登记工作； 6.完成主管领导安排的其他工作。 景区讲解员应具备的设备：1、必须要一个袖珍的笔记本，将你所有的东西记下来，以防记不起来，这一点非常重点，在外面好多突发事情，不可能想得太多； ２、一支笔，在特殊情况之下，能帮你避免法律纠纷，能将你所有的经历记录来，大家能签名确认的，最好。 3、旅行社的标旗，带队时使用； ４、能录音的、收音的、拍摄、照相的手机，最好就是相机。将旅途上的纠纷、突发事情拍下来，有据可依。 ５、扩音器，这个不说了。 景区讲解员的职业素养：1、迎客走在前，送客走在后；全程讲解，讲解词熟练，知识面广，做到游客有问必答，满足游客的合理要求。

2、结合景点自然景观传播科普知识。及时有效地讲解景区线路中有关注意事项和旅游知识，随时解答游客提问，不得敷衍。 3、做到站姿标准，讲解生动，语言文明规范，仪表整洁，举止端庄。 4、接待热情耐心，微笑服务；对有残疾智障的游客主动帮助，给予特别关照。听取游客批评意见时，态度诚恳，虚心接受。 5、使用普通话接待观众，使用文明礼貌用语，说话得体，语言亲切。 6、不得迎合个别游客的低级趣味，在讲解、介绍中掺杂庸俗下流的内容。 7、不得欺骗、胁迫游客消费。不得向游客索取小费及提出其他要求。

景区讲解员的服务流程

景区讲解员的服务流程 1准备工作 熟悉接待计划：旅游团的基本信息，旅游团成员的情况，交通工具，是否有特殊要求和注意事项。 落实接待事宜：落实旅游车辆、住宿及用餐，掌握全陪或者司机的联系电话。与他们联系商定第二天的接团时间及地点。 物质准备：游客接待确认书，游客意见单，话筒，导游旗。 形象准备：上团前要做好仪容、仪表方面的准备。整洁、大方、自然、不浓妆艳抹。 语言和知识准备：要在大脑里面准备好第二天要讲解的内容；接待有专业知识的团队，要做好相关的专业知识、词汇的准备工作。语言要生动、流畅和清楚。 心理准备：我们要能有技巧的回答客人提出的任何问题，面对客人的指责、抱怨，我们要冷静、沉着的面对。 联络畅通准备：上团前一天，要把手机，话筒的电充足，随时保持畅通。 2接团服务 出发前的准备：在旅行团到达之前，打电话给全陪或者司机，前一天晚上20：00前确定好到达时间、人数、停车位置、集合地点等，在集合地点恭候旅游团的到来。旅游团到达后，协助全陪或者司机购票，提醒客人山顶温度较低，指引乘客上车，清点一下车上的人数。检票后通知司机师傅开车。 途中导游：致欢迎词，山路崎岖，提醒客人把车辆扶手打下并系好安全带，当日活动安排（参观景点名称、途中所经地点、所需时间），介绍游览景点（讲安全讲游客接待中心，讲内循环通道，讲景区公交车的发班时间，讲游览线路，讲中途会经过哪几个景点，讲三条游步道），活跃气氛（做些娱乐互动，与游客互动） 景点讲解：抵达景点下车之前，告知游客车牌号、停车地点、开车时间、游览线路、游览所需时间、游览过程中的注意事项（不能随便雕刻、不能在景区乱扔垃圾、不能在景区内吸烟、不能随意摘取野果实，以免误食）等。抵达景点后，组织客人有顺序的下车，提醒客人注意脚下的安全，带领游客沿着游览线路对所见景物进行精彩的导游讲解。在游览过程中要随时随地注意游客的安全，特别是老弱病残的游客，要防止游客走失和意外事件的发生。 3送团服务 清点团队人数，后提醒客人清点一下随身携带物品，如无遗漏则请司机开车离开。致欢送词（感谢语、惜别语、征求意见语、致歉语、祝愿语）。致完欢送词后，将“游客意见反馈表”发给游客，请其填写。游客填写完毕后如数收回，妥善保留。 4总结工作 认真做好带团小结，实事求是的汇报接团情况。

景区讲解员的培训总结

景区讲解员的培训总结 尊敬的各位领导、各位同事： 大家好!我是经营部的讲解员徐丹。 我是xx年12月28日以实习生的身份加入了神龙水世界的大集体中。一开始我对与所学专业不对口的工作很不熟悉，在领导和同事的帮助与支持下，我花了三个月的时间逐渐找到了适合的方式、方法，顺利适应并融入讲解员的工作中。 在讲解过程中，我是以下列的标准严格要求自己： 1、迎客走在前，送客走在后;全程讲解，讲解词熟练，知识面广，做到游客有问必答，满足游客的合理要求。 2、结合景点自然景观传播科普知识。及时有效地讲解景区线路中有关注意事项和旅游知识，随时解答游客提问，不得敷衍。 3、做到站姿标准，讲解生动，语言文明规范，仪表整洁，举止端庄。 4、接待热情耐心，微笑服务;对有残疾智障的游客主动帮助，给予特别关照。听取游客批评意见时，态度诚恳，虚心接受。 5、使用普通话接待观众，使用文明礼貌用语，说话得体，语言亲切。 6、不得迎合个别游客的低级趣味，在讲解、介绍中掺

杂庸俗下流的内容。 7、不得欺骗、胁迫游客消费。不得向游客索取小费及提出其他要求。 接下来我给大家报告，我在工作中遇到的一些问题及其解决的办法。 到神龙水世界的第一个月，我学会办公室常用工具的基本操作。同事们忙不过来时，我很乐意帮他们复印急需的文件，或者帮来访客人泡泡茶。记得有一次，央经理急着要开会，开会用的工程设计图纸90份没复印好，她情急之下给我帮忙复印，我正在复印时不知道为什么复印机罢工了，这下可急死人了，该怎么办呢?这时央经理来拿图纸了，见我这么久没把图纸复印好，她并没有责备我办事不利，而是安慰我，不用急，其实她心里比谁都急。她说：“没复印好再复印一次就ok。”心里涌出一股暖流，想着在这样一个和谐的大家庭里成长很是庆幸，我一定要好好努力发挥自己的优势，把自己和公司的利益结合在一起，为公司创造出更多的财富。 景区没有正式开放前，有时候餐厅和客房确忙得热火朝天。领导们身体力行，他们忙碌的背影时常出现在餐厅和客房。在领导的带领下，我们也没闲着，哪里需要人手，我们就往哪里去。虽然经常累得汗流浃背，当顺利完成艰巨的工作任务时，我们都觉得很有成就感。这就是累并快乐着的含

任务四做擅长讲解景点的讲解员

任务四做擅长讲解景点的讲解员 任务描述 鲁迅先生说过：世上本没有路，走的人多了也就成了路。景点讲解本来也没有固定的方法，都是讲解员们在讲解工作过程中积累了经验，总结出的方法，我们通过学习，掌握相应的方法，能让我们的讲解更清晰、更生动、更易为游客接受。 任务分析 通过学习，能表述什么是景点讲解的方法有哪些，并能运用相关方法。 相关知识 为了使自己成为游客的注意中心并将他们吸引在自己周围，景区讲解员必须讲究景点讲解的方式方法。 一、组织整体讲解内容的常见方法 （一）分段讲解法 所谓分段讲解法，就是将一处大景点分为前后衔接的若干部分来讲解。也就是说，在参观一个大的、重要的景区之前，先概括地介绍这个景区的基本情况，包括历史沿革、战地面积、欣赏价值等，使游客对即将游览的景点有个初步定的印象，然后，讲解员再带领游客顺次参观，边看边讲，将游客导入审美对象的意境。如介绍蒙顶山时，一般先从其概况、历史、传说开始讲起，继而带出天梯、蒙泉井、阴阳石麒麟、天盖寺、皇茶园、甘露石室、红军纪念馆等具体景点的讲解，游客边欣赏沿途美景，边倾听讲解员有声有色、层次分明、环环相扣的讲解，顶会心旷神怡，获得美的享受。

图1-4-1 蒙顶山景区主要景点 （二）突出重点法 突出重点法就是景点讲解时避免面面俱到，而是着重介绍参观景点的特点和与众不同之处的方法。一处景点，往往内容很多，讲解员必须根据不同的时空条件和对象区别对待，做到轻重搭配、详略得当，必要时去粗取精、去伪存真、由

此及彼、由表及里，并着力从以下一个方面把握其脉络： 图1-4-2 上里古镇 1、突出大景点中具有代表性的景观 大的景点，讲解员必须根据这些景点的特征，进行重点讲解。如去上里古镇游览，主要是参观韩家大院和二仙桥，并加以重点介绍，不仅能让游客了解景点全貌，还能使游客领略古建筑和当地文化，从中得到美的享受。 2、突出景点的特征与与众不同之处 游客在游览过程中总会发觉很多同类的东西，如同样的园林建筑、同样的佛教寺院等，俗话说：内行看门道、外行看热闹，即使是同一佛教宗派的寺院，其历史、规模、结构、建筑艺术、供奉的佛像也不尽相同，讲解员在讲解时必须讲出其特征及与众不同之处，才能使游客避免枯燥乏味的游览，增加知识的趣味性，提高旅游兴趣。 图1-4-3 上里古镇韩家大院镶嵌式木雕

讲解员工作流程与服务标准

讲解员工作流程与公司工作人员服务标准讲解员服务流程如下： 讲解员统一于游客服务中心验票出口处随观光车一起候客 （标准讲解时间：约1.5分钟） 观光车行驶途中讲解员介绍奥园概况、龙形水系介绍 （标准讲解时间：约10分钟） 观光车行至鸟巢东北口游客下车后讲解员做简短游览注意事项说明 （标准讲解时间：约1.5分钟） 引领客人至火炬广场参观讲解、拍照，给予客人片刻自由活动时间 （标准讲解时间：约10分钟） 火炬广场参观结束后引领游客到鸟巢KL参观入口检票进入鸟巢参观 （标准讲解时间：约2分钟） 鸟巢内部展厅讲解 （标准讲解时间：约20-25分钟）

鸟巢内部参观结束后，讲解员引领游客至鸟巢BC口出，组织游客参观景观大道并做景观大道概况及大道两旁建筑物的讲解，给予游客适当的拍照与自由活动时间 （标准讲解时间：约10分钟） 游客景观大道拍照结束后讲解员集合游客步行至水立方入口验票参观 （标准讲解时间：约10分钟） 讲解员水立方内部讲解 （标准讲解时间：约20分钟） 参观结束后讲解员引领游客至水立方出口处配合观光车站点人员组织游客有序候车 （标准讲解时间：约3-5分钟） 乘观光车至娘娘庙参观，讲解员做娘娘庙的讲解 （标准讲解时间：约15分钟） 参观完娘娘庙后，讲解员组织客人至候车点乘车 （标准讲解时间：约3-5分钟） 乘车返回游客服务中心，沿途致欢送词，结束愉快的游览行程 （标准讲解时间：约2分钟）

工作人员服务规范标准： 1、职业道德 爱国爱企自尊自强 遵纪守法敬业爱岗 公私分明诚实善良 克勤克俭宾客至上 热情大度清洁端庄 一视同仁不卑不亢 耐心细致文明礼貌 团结服从大局不忘 优质服务好学向上 2、职业形象 精神饱满佩证上岗 着装整洁仪态大方 站姿挺拔行姿稳重 微笑服务细致周详 语言标准言词得当 3、职业纪律 遵守职业纪律，做到“四不”：不擅自离岗、不嘻笑打闹、在岗时不吸烟、不酗酒、不用电话聊天。 4、公司园区主要岗位服务规范 （一）园区接待服务规范 园区接待服务的主要工作包括售票服务、入门接待服务（包括验票及咨询）和投诉受理服务。 1、售票服务： （1）积极开展优质服务，礼貌待客，热情周到，售票处应公示门票价格及优惠办法。（2）主动解答游客的提问，做到百忙不厌，杜绝与游客发生口角，能熟练使用普通话。（3）主动向游客解释优惠票价的享受条件，售票时做到热情礼貌、唱收唱付。 （4）向闭园前一小时内购票的游客提醒景区的闭园时间及景区内仍有的主要活动。 （5）游客购错票或多购票，在售票处办理退票手续，售票员应按景区有关规定办理，如确不能办理退票的，应耐心向游客解释。 （6）热情待客，耐心回答游客的提问，游客出现冲动或失礼时，应保持克制态度，不能恶语相向。 （9）耐心听取游客批评，注意收集游客的建议，及时向上一级领导反映。 2、验票服务： （1）验票岗位工作人员，应保持良好的工作状态，精神饱满，面带微笑。 （2）游客入景区时，应使用标准普通话及礼貌用语。

景区讲解员培训材料

景区讲解员培训材料 基本架构 ?一、基本理论篇二、工作技巧篇 ?三、礼貌用语篇四、修养篇 ?五、实战篇六、培养篇 基本理论 ? 1.什么是景区讲解员 ? 2.讲解员的职业特点 3.应具备的综合素质 4.主要职责 ? 5.工作环境 6.服务的基本原则 7.职业要求48字 1.什么是景区讲解员 ?讲解是以陈列景观为对象，运用科学系统的语言和其它辅助方式，将景观相关知识传递给游客的一种社会活动。 ?讲解员是沟通景区与社会的桥梁和纽带，是景区的名片，讲解服务的质量和水平直接影响着观众的受教育和参观质量，影响着景区的窗口形象，甚至影响到一个地区的形象。 ?讲解员在西方是级别最高的导游人员。 2.讲解员的职业特点 ?讲解是知识和语言的高度综合艺术，其职业特点与导游员有着显著的区别；它综合了教师、播音、演讲、话剧、表演等专业的技术手段，是专业性、知识性和艺术性的综合。

?讲解员处于一个特殊关键的岗位，她面对的是一个知识层次、年龄层次等不相同的特殊团体，讲解员既担负着宣传和教育的职能，同时要能有效的组织引导观众参观，此外还担负着协调处理、协作研究等义务和职责。 3、应具备的综合素质 ?一是讲解员应具有良好的思想品德与职业道德。 ?二是要具有良好的文化素质和知识修养。 ?三是应具有良好的公众形象。 ?四是具有良好的嗓音条件和语言表达能力。 ?五是应具有良好的性格特征、心理素质、沟通能力和敏捷的反应能力。 4、主要职责 1）游览向导 2）宣传讲解 3）提醒安全 5、工作环境 ?1）工作服务对象(五湖四海的游客)复杂 ?性格、年龄、职业、性别、宗教信仰差异大 ?2）旅游审美需求多种多样（自然、人文） ?3）工作客观环境复杂(风雨无阻) 注意：不满意的游客 ◆一个投诉不满的顾客背后有25个不满的顾客 ◆ 24人不满但并不投诉

导游部景区导游讲解管理规定

导游部景区导游讲解管 理规定 集团标准化工作小组 [Q8QX9QT-X8QQB8Q8-NQ8QJ8-M8QMN]

景区导游讲解管理制度 1.导游讲解员行为规范 1.1 热爱本职工作，爱岗敬业，牢记全心全意为人民服务的宗旨，为游客着想，遵纪守法，自觉遵守和认真执行各项规章管理制度、相关法律法规。认真学习业务知识，永不自满，谦虚谨慎。高标准严要求，为游客提供高标准的服务，在工作中增长才干。 1.2 导游讲解员必须服从导游部的统一管理，严格服从导游部的日常工作安排，遵守关于团队运行中的相关注意事项，自觉维护景区利益，以最优质的服务接待各方游客。严禁不服从工作安排，随意挑团、甩客。 1.3 自觉遵守导游部工作作息时间规定按时上、下班，不得无故迟到、早退。病假、事假应及时履行相关职责，严禁未经批准随意外出或无故连续缺勤和旷工。 1.4 如要带实习导游讲解员跟团学习时，必须经导游部主要领导批准，禁止导游讲解员在带团过程中将旅游团交给实习员工讲解。 1.5 讲解活动必须经导游部委派，导游讲解员不得私自承揽或者以其它任何方式或借口直接承揽导游、讲解业务。如确因游客临时需要讲解服务的，应事先告知导游部并经同意后，方可办理手续再提供讲解服务。 1.6 向旅游者讲明景区的环保须知。同时在服务全程中，讲解员应始终自觉当好“景区卫生宣传员”，用实际行动影响、带动每一位旅游者自觉遵守景区环保卫生规定。 2.安全管理 2.1 导游讲解员在工作中应始终和游客在一起，牢固树立“安全第一”的理念，时刻做好提示工作，确保游客生命、财产的安全。对可能危及旅游者人身、财物安全的情况，做出及时的警告和强调。 2.2 在屋檐下、台阶处随时提示，严防游客摔伤。阴雨天不带游客去高处，提醒游客不在高出撑雨伞。 3.3 带老年团、未成年人、醉酒游客时要请其监护人随团照顾。客流高峰时要避免拥挤和踩踏事故的发生。

景区导游讲解员管理制度

***景区导游人员管理制度 一、导游人员应格按照要求及公司要求进行各项工作。 二、导游人员应保持良好的仪容仪表，穿着朴素大，带团禁穿高跟鞋、奇装异服、浓妆艳抹。 三、导游人员应提前半个小时抵达团队集合的地点，做好各项准备工作：携带话筒、社旗、出团预算书、确认书、意见表、团款。团队出发时致欢迎词，行程概况、景区概况，注意事项，路途中要尽量调动游客情绪，最少要表演三到五个节目，结束时要致欢送词，到家后要写工作日记。 四、导游人员应始终坚持微笑服务，认真负责，细心到，体贴入微，尽量满足游客合理要求，能与每一位游客交流、沟通。如遇问题立即报公司解决。 五、导游人员应配合并监督司机、地陪工作，尊重领队意见。团队夜间行车时导游要提醒司机行车安全，不开疲劳车。每开四个小时车，要停车休息20分钟。 六、导游人员处理各种事情要以大局为重，时刻维护公司利益与游客合法权益。 七、导游人员应公私分明，禁与地陪联合鼓动游客购物，擅自增加景点与购物点，禁私拿回扣，发现老乡店要立即中止。

八、导游人员带团时帐目要清楚，随时记清每一笔开支，保存好发票，禁虚开、虚报，损公肥私，团队返回后一天交清账目。 九、导游员禁与游客共餐（特殊团队除外），每餐最少要看三次，住宿时要检查房间，发现问题及时解决。 十、导游人员要时刻与游客在一起，禁脱离游客，单独活动。 十一、导游人员要与驾驶员、地陪保持距离，禁与司机、地陪单独行动或交头接耳。 十二、导游人员要保守公司各项，不得泄露。 十三、导游人员应加强学习，在上团前要熟知前往地的景点特色、民俗风情，沿途交通状况，途经省份、城市、景点概况，要准备好调节团队气氛的节目。 十四、遇到紧急事件应立即通知公司，并采取各种应急措施。 十五、导游人员应时刻监督团队食、宿、游、行质量，发现问题立即解决，禁把问题团带回来，确保团队质量。 十六、导游人员在带团期间，要格按照团队确认书上行程执行，如因导游擅自更改行程或自身原因造成的损失，由导游个人承担。 十七、导游带团返回，末团及长线团休息一天。

最新讲解员培训

讲解员—基本素质 1．讲解员须加强的自身修养主要有哪几方面？ 情操修养，道德修养，文化修养。 2．讲解员应具备什么样的情操修养？ （1）对国家，讲解员要树立爱国心；（2）对集体，讲解员要树立集体主义精神；（3）对游客，讲解员要树立全心全意为之服务的精神； （4）对个人，讲解员要树立远大的人生理想。 3．从职业特点来看，讲解员应从哪几方面加强自身良好心理品质的建设？ 良好的观察能力；良好的注意能力；良好的意志品质；性格开朗，兴趣广泛。 4．构成导游服务的三要素是什么？ 语言，知识，服务技能。 5．讲解员的职责？ 导游讲解；安全提示；宣传保护知识。 6．致欢送辞的内容一般包括哪些？ （1）回顾旅游活动，感谢大家的合作；（2）表达友谊和惜别之情；（3）诚恳征求游客对接待工作的意见和建议；（4）若旅游活动中有不顺利或旅游服务有不尽如人意之处，景点讲解员可借此机会再次向游客赔礼道歉；（5）表达美好的祝愿。 7．什么是景区(点)讲解员？ 景区(点)讲解员是在博物馆或重要景区为游客提供导游讲解服务的人员，通常由所在景区景点统一培训和管理，具有较丰富的相关专业知识。 8．讲解员怎样做到真诚待人？ （1）真诚待人是最本质的灵魂；（2）真诚待人不要怕“碰钉子”；（3）真诚待人要建筑在实事求是的基础上；（4）真诚待人最需要景点讲解员自身的感受。 9．调节游客情绪，消除其消极情绪的方法主要有哪些？ （1）补偿法；（2）转移注意法；（3）分析法。 10．讲解员应具备哪些行为规范？ 忠于祖国，坚持“内外有别”原则；严格按照规章制度办事，执行请示汇报制度；自觉遵纪守法；自尊自爱，不失人格、国格；注意小节。

旅游景区讲解服务规范

旅游景区 tourist attraction 定义：以旅游及其相关活动为主要功能之一的（或其经营项目一部分的）空间或地域。即：具有参观游览、休闲度假、游乐体验、康体健身等功能，具备相应旅游服务设施并提供相应旅游服务的独立管理区（或管理区的一部分）。 注：包括风景区、文博院馆、寺庙观堂、旅游度假区、自然保护区、主题公园、森林公园、地质公园、游乐园、动物园、植物园，以及以工业、农业、经贸、科教、军事、体育、文化艺术等旅游为吸引内容的各类营业性和非营业性旅游活动区。 旅游景区讲解员 tourist attraction interpreter 定义：受旅游景区委派或安排，为旅游团或旅游者提供讲解服务的专职人员和兼职人员。 一、旅游景区讲解员的基本素质要求 1、思想品德 a) 时时注意维护国家和民族尊严； b) 努力学习掌握并模范遵守国家和地方的有关法律和法规； c) 遵守社会公德，爱护公共财物； d) 尊重民族传统，尊重游客的风俗习惯和宗教信仰； e) 对待游客谦虚有礼、朴实大方、热情友好，尤其注意对老幼病残孕等弱势群体的关照，并且努力维护旅游者的合法权益； f) 热爱本职工作，忠于职守； g) 增强服务意识，不断提高自己的业务能力； h) 不得以暗示或其他方式引导游客为讲解员本人或相关群体非法谋取荣誉或物质利益。 2、体质与基本从业能力 a) 身体健康，无传染性疾病；

b) 能够使用普通话（或民族语言，或外语）进行景区内容的讲解，有较强的语言表达能力（做到口齿清楚，发音准确，表达逻辑清楚，用语礼貌自然），并努力实现语言的适度生动； c) 具有相应的文化素养和较为广博的知识，并努力学习和把握与讲解内容有关的政治、经济、历史、地理、法律法规、政策，熟悉相关的自然和人文知识及风土习俗，从而将其运用于讲解工作； d) 具有相应的应变能力和组织协调能力。 3、旅游景区讲解员的服务准备 知识准备应符合： a) 熟悉并掌握本景区讲解内容所需的情况和知识（基于景区的差异，可分别包括自然科学知识，历史和文化遗产知识，建筑与园林艺术知识，宗教知识，文学、美术、音乐、戏曲、舞蹈知识等；以及必要时与国内外同类景区内容对比的文化知识）； b) 基于游客对讲解的时间长度、认知深度的不同要求，讲解员应对讲解内容做好两种或两种以上讲解方案的准备，以适应旅游团队或个体的不同需要。 c) 预先了解游客所在地区或国家的宗教信仰、风俗习惯，了解客人的禁忌，以便能够实现礼貌待客。 接待前的准备包括： a) 接待游客前，讲解员要认真查阅核实所接待团队或贵宾的接待计划及相关资料，熟悉该群体或个体的总体情况，如停留时间、游程安排、有无特殊要求等诸多细节，以使自己的讲解更有针对性； b) 对于临时接待的团队或散客，讲解员同样也应注意了解客人的有关情况，一般应包括客人主体的来源、职业、文化程度以及其停留时间、游程安排、有无特殊要求等，以便使自己的讲解更能符合游客的需要。 上岗时应准备： a) 佩戴好本景区讲解员的上岗标志； b) 如有需要，准备好无线传输讲解用品； c) 需要发放的相关资料；

景区讲解员的服务流程审批稿

景区讲解员的服务流程 YKK standardization office【 YKK5AB- YKK08- YKK2C- YKK18】

景区讲解员的服务流程 1准备工作 熟悉接待计划：旅游团的基本信息，旅游团成员的情况，交通工具，是否有特殊要求和注意事项。 落实接待事宜：落实旅游车辆、住宿及用餐，掌握全陪或者司机的联系电话。与他们联系商定第二天的接团时间及地点。 物质准备：游客接待确认书，游客意见单，话筒，导游旗。 形象准备：上团前要做好仪容、仪表方面的准备。整洁、大方、自然、不浓妆艳抹。 语言和知识准备：要在大脑里面准备好第二天要讲解的内容；接待有专业知识的团队，要做好相关的专业知识、词汇的准备工作。语言要生动、流畅和清楚。 心理准备：我们要能有技巧的回答客人提出的任何问题，面对客人的指责、抱怨，我们要冷静、沉着的面对。 联络畅通准备：上团前一天，要把手机，话筒的电充足，随时保持畅通。 2接团服务 出发前的准备：在旅行团到达之前，打电话给全陪或者司机，前一天晚上20：00前确定好到达时间、人数、停车位置、集合地点等，在集合地点恭候旅游团的到来。旅游团到达后，协助全陪或者司机购票，提醒客人山顶温度较低，指引乘客上车，清点一下车上的人数。检票后通知司机师傅开车。 途中导游：致欢迎词，山路崎岖，提醒客人把车辆扶手打下并系好安全带，当日活动安排（参观景点名称、途中所经地点、所需时间），介绍游览景点（讲安全讲游客接待中心，讲内循环通道，讲景区公交车的发班时间，讲游览线路，讲中途会经过哪几个景点，讲三条游步道），活跃气氛（做些娱乐互动，与游客互动） 景点讲解：抵达景点下车之前，告知游客车牌号、停车地点、开车时间、游览线路、游览所需时间、游览过程中的注意事项（不能随便雕刻、不能在景区乱扔垃圾、不能在景区内吸烟、不能随意摘取野果实，以免误食）等。抵达景点后，组织客人有顺序的下车，提醒客人注意脚下的安全，带领游客沿着游览线路对所见景物进行精彩的导游讲解。在游览过程中要随时随地注意游客的安全，特别是老弱病残的游客，要防止游客走失和意外事件的发生。 3送团服务 清点团队人数，后提醒客人清点一下随身携带物品，如无遗漏则请司机开车离开。致欢送词（感谢语、惜别语、征求意见语、致歉语、祝愿语）。致完欢送词后，将“游客意见反馈表”发给游客，请其填写。游客填写完毕后如数收回，妥善保留。 4总结工作 认真做好带团小结，实事求是的汇报接团情况。

旅游部景区讲解员管理制度

旅游部景区讲解员管理制度 景区讲解员管理办法 第一条为了规范景区导游活动～保障旅游者的合法权益～促进景区的健康可持续发展制定本办法。 第二条在景区从事讲解活动～必须依照规定参加培训～通过考试合格取得讲解员证。 第三条讲解员应规范保管和使用讲解证～严禁随意转借、涂改、伪造讲解证和未经批准擅自使用讲解证外出从事讲解活动。 第四条讲解员进行讲解活动时～必须佩戴讲解员证。 第五条讲解员进行讲解活动时～应当着装统一整洁～礼貌待人～尊重旅游者的宗教信仰、民族风俗和生活习惯。 第六条 10人以上旅游团队团队～需持话筒向游客进行讲解。第七条散客需要讲解员进行讲解服务的～讲解员可收取讲解费～收取标准如下:10人以内,含10人,30元,11人—20人,含20人,40元,20人以上50元。 第七条讲解员应严格服从景区的日常工作安排～遵守景区关于团队运行中的相关注意事项～自觉维护景区利益～积极以最优质的服务接待各方游客。严禁不服从工作安排～随意挑团、甩客。 第八条讲解员进行讲解活动时～不得以明示或暗示的方式向旅游者索要小费。 第九条讲解员应当严格按照规定的游览线路和游览内容进行讲解服务～不得擅自减少服务项目或中途终止讲解活动。若旅游者中途自愿减少游览内容或终止讲解服务的～讲解员应请旅游者以书面形式确认。 第十条讲解内容及语言应规范准确、健康文明,不得在讲解中有恐吓及强迫游客的言词。

第十一条旅游者对讲解员违反本办法规定的行为～有权向生态园管理处或游客中心进行投诉。生态园管理处或游客中心对讲解员违反本办法规定的行为～将进行及时调查和据实严肃处理。 第十二条违反上述规定～由生态园管理处按照以下规定进行处罚: ,一,对讲解员未经批准～随意不假外出或无故连续缺勤,随意不假外 出或无故连续缺勤视同旷工处理,和旷工15天以上的～将予以暂扣讲解 证停团或除名处理。 ,二,对讲解员未佩戴讲解证或未按照要求配带话筒的处于50元罚款。 ,三,对讲解员不服从工作安排～随意挑团、甩客的～将对第一次不服 从安排者处罚50—100元～第二次不服从安排者将予以停团整顿、暂扣 讲解证～直至除名处理。 ,四,对造成游客投诉或重大影响的～将责令停团整顿～暂扣讲解证和 深刻检查～并经学习合格后方可重返讲解岗位。 ,五,对讲解员在讲解过程中有恐吓游客的言词或其他原因造成游客投 诉的～无重大影响的将责令停团整顿～暂扣讲解证和深刻检查～并经学 习合格后方可重返讲解岗位,有重大影响的将处以500元以上的罚款或 除名处理。 第十四条本办法自公布之日起施行。

核心景区讲解员管理办法

核心景区讲解员管理办法 总则 第一条:为加强中心讲解员队伍建设,充分调动员工工作积极性,提升导服队伍得整体素质与服务水平,确实提高核心景区(景点)讲解服务得质量，特制定本办法： 第二条：讲解员实行星级管理，依次为:三星级、二星级、一星级。 第三条:讲解员得星级评定以基本素质、业务技能、服务质量、工作业绩、服从性、考核积分等为依据。 第四条:公司根据讲解员得综合素质，结合武陵源区旅游质量监督管理所与景区讲解员服务中心及服务对象得反馈信息进行星级评定。 第五条：讲解员星级评定实行季评制,每季度一次,每季度底公布星级评定结果,并于当日将结果上报公司人力资源部备案。 第六条:评定程序 1、讲解员服务中心文员核实《服务质量跟踪表》，收集旅游质监所得相关资料,提出拟评定星级意见，报送服务中心负责人审核,评定讲解员星级。 2、服务中心将星级评定结果上报公司导服部门主管,公司领导审定后公布。 3、将讲解员星级评定结果上报公司人力资源部备案。 分

讲解员行为规范 1、讲解员必须服从公司得统一管理,遵守劳动纪律与各项管理制度。 2、讲解员应妥善保管与使用讲解证,严禁随意转借、涂改、伪造讲解证，未经批准不得擅自使用讲解证外出带团。 ３、遵守景区管理规定,自觉维护景区形象，以优质得服务态度与高质量得服务水平诚待各方游客。严禁不服从工作安排,随意挑团、甩客或中途私自换团。 4、讲解员应自觉遵守讲解工作作息时间规定,按时上、下班，不得无故迟到、早退。病假、事假须事先具备书面手续,经主管领导批准方可请假(迟到超过30分钟后再临时请假得将一律不予准假,并视同旷工处理)，病假三天以上需持医院证明与医院收费收据,如无医院收费收据视同事假处理。 5、讲解员在带团开展讲解活动前，应认真遵守与执行以下规定:

景区讲解员的服务操作规范

景区讲解员的服务操作 规范 文稿归稿存档编号：[KKUY-KKIO69-OTM243-OLUI129-G00I-FDQS58-

景区讲解员的服务流程1准备工作 熟悉接待计划：旅游团的基本信息，旅游团成员的情况，交通工具，是否有特殊要求和注意事项。 落实接待事宜：落实旅游车辆、住宿及用餐，掌握全陪或者司机的联系电话。与他们联系商定第二天的接团时间及地点。 物质准备：游客接待确认书，游客意见单，话筒，导游旗。 形象准备：上团前要做好仪容、仪表方面的准备。整洁、大方、自然、不浓妆艳抹。 语言和知识准备：要在大脑里面准备好第二天要讲解的内容；接待有专业知识的团队，要做好相关的专业知识、词汇的准备工作。语言要生动、流畅和清楚。 心理准备：我们要能有技巧的回答客人提出的任何问题，面对客人的指责、抱怨，我们要冷静、沉着的面对。 联络畅通准备：上团前一天，要把手机，话筒的电充足，随时保持畅通。 2接团服务 出发前的准备：在旅行团到达之前，打电话给全陪或者司机，前一天晚上20：00前确定好到达时间、人数、停车位置、集合地点等，在集合地点恭候旅游团的到来。旅游团到达后，协助全陪或者司机购票，提醒客人山顶温度较低，指引乘客上车，清点一下车上的人数。检票后通知司机师傅开车。 途中导游：致欢迎词，山路崎岖，提醒客人把车辆扶手打下并系好安全带，当日活动安排（参观景点名称、途中所经地点、所需时间），介绍游览景点（讲安全讲游客接待中心，讲内循环通道，讲景区公交车的发班时间，讲游览线路，讲中途会经过哪几个景点，讲三条游步道），活跃气氛（做些娱乐互动，与游客互动）

景点讲解：抵达景点下车之前，告知游客车牌号、停车地点、开车时间、游览线路、游览所需时间、游览过程中的注意事项（不能随便雕刻、不能在景区乱扔垃圾、不能在景区内吸烟、不能随意摘取野果实，以免误食）等。抵达景点后，组织客人有顺序的下车，提醒客人注意脚下的安全，带领游客沿着游览线路对所见景物进行精彩的导游讲解。在游览过程中要随时随地注意游客的安全，特别是老弱病残的游客，要防止游客走失和意外事件的发生。 3送团服务 清点团队人数，后提醒客人清点一下随身携带物品，如无遗漏则请司机开车离开。致欢送词（感谢语、惜别语、征求意见语、致歉语、祝愿语）。致完欢送词后，将“游客意见反馈表”发给游客，请其填写。游客填写完毕后如数收回，妥善保留。 4总结工作 认真做好带团小结，实事求是的汇报接团情况。

旅游景区讲解员等级划分与考核总则

旅游景区讲解员等级划分与考评总则 （试行稿） 为建立旅游景区讲解员公平竞争机制，规范讲解员管理，提高讲解员整体素质，树立我县景区良好形象，经研究，特制定本标准。本标准适用于旅游发 展有限公司下属旅游景区。 一、等级划分与标准 景区讲解员分为见习讲解员、初级讲解员、中级讲解员、高级讲解员、特级讲解员五个等级。见习讲解员、初级讲解员、中级讲解员由各景区组织考评，高级讲解员、特级讲解员由县旅游局组织考评。 （一）见习讲解员标准与要求 1.具有良好的素质和职业道德，热爱景区及本职工作； 2.形象良好； 3.普通话标准； 4.能独立完成讲解接待工作。 （二）初级讲解员标准与要求 1.具有良好的素质和职业道德，热爱景区及本职工作； 2.形象良好，举止大方得体； 3.普通话标准； 4.能独立完成讲解接待工作； 5.熟练掌握景区导游知识； 6.无游客投诉，游客反映抽查良好率不低于80%。 （三）中级讲解员标准与要求 1.具有良好的素质和职业道德，热爱景区及本职工作；

2.形象良好，举止大方得体； 3.普通话标准； 4.了解县情县况； 5.掌握景区导游知识，了解其他旅游景区的有关知识； 6.能接待不同性质、类型和规模的团队，能独立处理接待中发生的一般性 事件； 7.工作成绩明显，为景区业务骨干； 8.无服务质量方面的事故，游客抽查反映良好率不低于85%； 9.能很好地营销景区及参与性旅游项目。 （四）高级讲解员标准与要求 1.具有良好的素质和职业道德，热爱景区及本职工作； 2.形象良好，气质佳，有亲和力，举止大方得体； 3.讲解语言生动、流畅，能调动游客积极性，与游客进行互动； 4.普通话标准，具有二级乙等以上的普通话水平测试证书或由旅游局组织 考评员测试通过的； 5.熟练掌握景区讲解内容，并能丰富讲解内容； 6.能创作内容丰富、富有艺术性的景区讲解词； 7.熟悉我县所有的旅游线路和景区讲解知识； 8.熟悉有关旅游的政策法规及我县经济、历史、地理、宗教、艺术和民俗 等方面的知识； 9.能妥善处理游客游览中发生的问题； 10.在景区讲解员中起带头示范作用； 11.无服务质量方面的事故，游客反映良好率不低于90%，在行业中有一 定影响。 （五）特级讲解员标准与要求

旅游景区讲解员讲解服务提供能力标准

旅游景区讲解员讲解服务提供能力标准 1 范围 本标准规定了XX风景名胜区随车讲解员讲解服务提供能力要求。 本标准适用于XX风景名胜区随车讲解员管理工作。 2 服务要求 2.1 准备工作 2.1.1 上岗前做好一切准备工作，统一着装，佩证上岗，衣着整洁，车内清洁卫生，话筒完好，音响音量适中。 2.1.2 熟悉沿途讲解内容等。 2.2 迎接游客讲解员应站在车门前等待游客，热情迎接游客。 2.3 讲解服务 2.3.1 在游客上车后要播放景区风光片，车辆启动前，关闭VCD 音响，告知游客坐稳扶好，讲解员拉开靠背站在指定位置面对游客开始讲解。 2.3.2 讲解员在讲解过程中，要自觉维护国家利益和民族尊严，不得有损害国家利益和民族尊严的行为，讲解员要按照本景区的特点进行讲解，讲解内容不得随意变更，包括景点的文化、传说等，讲解的语言要生动，富有表达力。 2.3.3 讲解时必须使用普通话和文明礼貌用语，对于游客的咨询要耐心细致地解答，主动为游客排忧解难。严禁与游客发生争执、吵架等有损景区形象的事情。

2.3.4 在车辆行驶过程中，应特别关照老、弱、病、残的旅游者，如发生特殊情况应及时与部门领导联系，讲解途中要诚恳接受游客对景区的意见、建议和投诉，同时要感谢游客对景区工作的关心和支持。 2.3.5 讲解员在讲解活动中，要始终以饱满的热情、礼貌的态度和标准的普通话为游客讲解。 2.3.6 在讲解服务过程中如果出现意外，讲解员应立即做出反应，采取应急措施，并安慰游客，不要惊慌，妥善安排好游客并向有关部门报告。 2.4 讲解结束 2.4.1 返程时，要播放“XX之歌”或XX风光碟，不准随意插播其他内容。同时要提前报站，提醒游客到站下车。 2.4.2 返程至百家岩景点时，致欢送词，与游客微笑告别，提醒游客不要遗忘随身物品，欢迎游客再次光临。 2.4.3 返程时注意收集游客意见并汇总，及时向主管领导汇报。