在本篇論文中我們提出一套針對SYN封包的IP spoofing偵測法:Spoofed SYN Packet Detector (SPD)。由於根據TCP protocol,兩台主機要交換資料封包前必須先完成三向交握 (three way handshaking),而SPD又能夠對三向交握最開始傳送的SYN封包的來源IP位址進行真偽的確認,SPD就可以在傳遞非法資料封包之前先阻止整個連線的建立。
實驗結果顯示,只要稍微增加一點工作負擔,在阻斷服務式攻擊如TCP SYN flooding attack之下,SPD能夠有效地防禦並維持網路服務的正常運作。 ;Abstract
Over the past several decades, the Internet usage is becoming more and more prevalent. But many network attacks are created following this trend. In 2015, the total amounts of user of Internet reach 3.3 billion. Hence once the attack like Distributed Denial of Service (DDoS) attack occurs, they will make tremendous financial losses and credential damage.
Network attacks nowadays are followed by the IP spoofing technique. IP spoofing is a technique to masquerade source address of the attacker. It causes security software or hardware difficult to trace attack path and then the security device cannot make correct response.
In this thesis, we propose a mechanism, called Spoofed SYN Packet Detector (SPD), to detect and defense IP spoofing for SYN packet. According to TCP protocol, before two machines want to exchange data packets, they must complete three way handshaking first. Besides, SPD can confirm the validity of the source IP address of the SYN packet in the beginning of the three-way handshaking. Therefore SPD can deny the following connection before the two machine start to exchange illegal data packets.
Experimental results show that under the attack of DDoS attack like TCP SYN flooding attack, SPD can defense it effectively and make the network service operate normally as if there is no attack.
