English  |  正體中文  |  简体中文  |  Items with full text/Total items : 69937/69937 (100%)
Visitors : 23026057      Online Users : 411
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
  • Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version


    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/68752


    Title: TRAP: A TCP Three-Way Handshake Server for TCP Connection Establishment
    Authors: 蔡維泰;Cai,Wei-tai
    Contributors: 資訊工程學系
    Keywords: 通訊控制協定;阻斷服務攻擊;三方交握;Linux;Netfilter;TCP options;TCP;DoS;Three-way Handshake;Linux;Netfilter;TCP options
    Date: 2015-07-22
    Issue Date: 2015-09-23 14:24:32 (UTC+8)
    Publisher: 國立中央大學
    Abstract: 因為發起的門檻十分低,分散式阻斷服務攻擊(DDoS)在這幾年變得來越常見。於 2013 年,垃圾郵件防禦組織SpamHaus就遭受了來自全球各地高峰達到75Gbps的DDoS流量攻擊,而知名程式碼託管網站GitHub也於2015年3月遭受了經過中間人之DDoS放大攻擊。然而,即使TCP/IP的規格已經被公佈數十年之久,至今對於分散式阻斷服務攻擊依然沒有良好的防禦方式。

    本篇論文嘗試透過 TCP設計時保留之option欄位,因一般進行SYN-flood之惡意客戶端不會嘗試完成TCP三方交握之程序,如果有一經過認證、合法的客戶端嘗試連線至正遭受SYN-flood分散式阻斷服務攻擊之伺服器,在完成三方交握之後,伺服器端會回傳一特定封包,其TCP封包檔頭之option欄位會包含有新伺服器的IP位置與祕密字串,合法客戶端連線至新伺服器時,新伺服器會檢查是否有包含此祕密字串,若是檢查通過才放行此SYN封包,允許建立連線。;Distributed denial of service (DDoS) attacks has become more and more frequent nowadays. In 2013, a massive DDoS attack was launched against Spamhaus, a non-profit anti-spam mail organization. Up to 75Gbps of DNS reflection traffic were directed to Spamhaus′ servers, causing the service to shut down.

    Although DDoS has been long around ever since the internet has become popular, no good solutions has been offered yet.

    In this paper, we present a solution based on TCP redirection using TCP header options. When a legitimate client attempted to connect to a server undergoing an SYN-flood DDoS attack, it will try to initiate a TCP three-way handshake, after it has successfully established a connection, the server will reply with a RST packet, which a new server address and a secret is embedded in the TCP header options. The client can thus connect to the new server that only accepts SYN packets with the corrected secret using the supplied secret.
    Appears in Collections:[資訊工程研究所] 博碩士論文

    Files in This Item:

    File Description SizeFormat
    index.html0KbHTML211View/Open


    All items in NCUIR are protected by copyright, with all rights reserved.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - Feedback  - 隱私權政策聲明