Abstract: In recent years new network architectures have flourished, and thinking about how to defend against network attacks has evolved just as quickly. Among these architectures, Software Defined Networking (SDN) was proposed to separate the control plane from the switch hardware, so that the control plane's behaviour is defined in software and managed centrally. As SDN matured, Programming Protocol-independent Packet Processors (P4) was proposed. Whereas the original SDN technology made only the control plane programmable, P4 also makes the data plane programmable, so SDN network administrators are no longer limited to writing programs against the packet fields exposed by the switch chip vendor; in a P4 network the administrator decides how packets are processed and forwarded, achieving a truly software-defined network. Intrusion Detection System (IDS) technology has also been proposed. An IDS turns the signatures of network attacks into rules for capturing packets; every packet must be matched against the IDS rules, and the IDS raises an alert for packets that match a rule's signature and records it in a human-readable log for network administrators to analyse later.

The system proposed in this thesis is a detection and defense mechanism against Distributed Denial of Service (DDoS) and Distributed Reflection Denial of Service (DRDoS) flood attacks, built around the proposed Intrusion Statistics-based Hybrid Threshold AlgoRithm (ISHTAR). The IDS matches every packet against its rules, and the information from packets that match a signature is assembled into intrusion statistics. ISHTAR uses those statistics to compute whether the current time period is under malicious attack. If it is, the system uses the protocol independence of P4 to deploy a defense mechanism based on a custom protocol on the P4 switch, so that malicious packets are dropped while legitimate packets keep communicating normally, thereby achieving detection and prevention of the attack.
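Added example, not code from the thesis or from ISHTAR itself: a Python detector that buckets constructed IDS alert lines into per-window intrusion statistics and applies a hybrid threshold (a fixed floor combined with an adaptive mean plus k standard deviations baseline) to decide which windows are under flood attack. The alert line format, the threshold formula, the window size and all sample values are assumptions; the returned top signature stands in for what a controller would translate into a drop rule on the P4 switch.

```python
from collections import Counter, defaultdict
import re
import statistics

# Assumed alert line format (not a real IDS format): "<epoch_s> <rule_id> <proto> <dst_ip>".
LINE_RE = re.compile(r"^(\d+) (\d+) (\w+) (\S+)$")

def make_sample():
    """Constructed alert stream: five quiet 10 s windows with 5 alerts each,
    one window flooded with 120 alerts from a single rule, then quiet again."""
    lines = []
    for w in list(range(5)) + [6]:
        lines += [f"{w * 10 + i} 1001 tcp 10.0.0.1" for i in range(5)]
    lines += [f"{50 + i % 10} 2001 udp 10.0.0.5" for i in range(120)]
    return "\n".join(lines)

def window_counts(lines, window=10):
    """Bucket alert lines into per-window Counters keyed by window start (the intrusion statistics)."""
    counts = defaultdict(Counter)
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, rule, proto, dst = m.groups()
        counts[int(ts) // window * window][(rule, proto, dst)] += 1
    return counts

def hybrid_threshold(history, static_limit=50, k=3.0):
    """Assumed hybrid rule: the larger of a fixed floor and an adaptive
    baseline (mean + k * stdev over earlier quiet windows)."""
    if len(history) < 2:
        return static_limit
    return max(static_limit, statistics.mean(history) + k * statistics.pstdev(history))

def detect(lines, window=10, static_limit=50, k=3.0):
    """Return (window_start, alert_total, threshold, top_signature) for every
    window judged under attack. top_signature is the (rule, proto, dst) tuple
    a controller would translate into a drop rule on the P4 switch."""
    counts = window_counts(lines, window)
    history, verdicts = [], []
    for start in sorted(counts):
        total = sum(counts[start].values())
        thr = hybrid_threshold(history, static_limit, k)
        if total > thr:
            verdicts.append((start, total, thr, counts[start].most_common(1)[0][0]))
        else:
            history.append(total)  # attack windows must not inflate the baseline
    return verdicts
```

Calling `detect(make_sample())` flags only the flooded window starting at 50 s, attributed to rule 2001 over UDP toward 10.0.0.5; attack windows are excluded from the baseline so a flood cannot raise the threshold for the windows that follow it.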