一精確度可至單一主機單一Port之IP; Spoofing 偵測法 IP Spoofing Detector

NCUIR > College of Electrical Engineering & Computer Science > Graduate Institute of Computer Science and Information Engineering > Electronic Thesis & Dissertation > Item 987654321/9435

Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/9435

Title:	一精確度可至單一主機單一Port之IP;Spoofing 偵測法 IP Spoofing Detector
Authors:	吳宏毅;Hung-I Wu
Contributors:	資訊工程研究所
Keywords:	位址;偽造;偵測;IP spoofing
Date:	2007-07-10
Issue Date:	2009-09-22 11:47:42 (UTC+8)
Publisher:	國立中央大學圖書館
Abstract:	由於今日網路攻擊多以IP spoofing 掩護攻擊者的來源位置、使得被攻擊者因難以找出攻擊者的真正位置，而無法有效的阻絕攻擊者的攻擊，此外 IP spoofing 亦常被用來發起 TCP session hijacking 或 Trusted host attacks 等造成嚴重資安問題的攻擊，因此發展出一快速精確的偽造封包偵測法，便成為一迫切及重要的議題。在本篇論文中我們將研發出一全新且辨識度可精確至單一主機上單一socket之IP spoofing 偵測法 -- IP Spoofing Detector (ISD)。在不需要修改被保護網路內任何電腦的軟體及硬體的前題下，在不需使用任何加密解密金鑰的技術下，以edge router為基礎的 ISD，將可快速有效地偵測IP spoofed 封包，結合ingress egress filter的方法，使任一經由 ISD送出的封包皆經過來源的證實與確認，不論被保護的網路內部的電腦佈局有任何改變，不論被保護的網路是否允許mobile IPs，任何由 ISD 所在網路產生的且來源是偽造的IP封包皆能被其偵測及封鎖。本篇論文利用TCP/IP協定中任一主機的 socket 在不同的狀態 (state)下對某些特殊的封包會產生不同回應的原理及 socket 在送出不同的封包後會進入不同的狀態的規定，借由目標主機對 ISD 送出的查證封包的反應來查證 ISD 所收到的封包的真偽。此外本論文亦利用TCP protocol中對建立通訊的兩台主機必需先完成3-way handshaking 後才能利用TCP封包傳遞資訊到對方的原則來減少查證封包的數目。根據以上的方法我們可以建立一辨識度可至單一主機上單一 TCP connection的快速 IP spoofing 偵測法。實驗顯示在僅需微量的工作負擔下，本法可有效地偵測出來源位址被偽造的IP封包。 In this project， we plan to develop a novice IP spoofing detection solution named IP Spoofing Detector (ISD) to solve this notorious security threat to computers and networks. ISD can accurately recognize whether an IP packet belongs to a TCP connection indicated in the TCP/IP header of that packet and drop all spoofed IP packets. As a result， attackers can no longer launch attacks through spoofed IP packets from the network protected by ISD. ISD will be an edge router-based solution to IP spoofing; hence， to install it there is no requirement to modify any software and hardware in any host of the protected network and there is no need to use any encryption and decryption method to authentication packets. After being installed， ISD can efficiently and effectively detect and block spoofed IP packets no matter how the layout of the protected network is changed and no matter whether mobile IPs are supported by the protected network. Since the IP spoofing problem was reported to the public by S. Bellovin of Bell Lab. in 1989， it have been used by many attackers to either conceal the attack sources (such as DoS/DDoS attacks， port scanning decoy， and IdlesScan) or forge packets as coming from hosts trusted by attacked hosts to get access to the attacked hosts (such as Man-in-the-Middle Attacks and trusted host attack). The former thwarts victims’ capability to make appropriate response to attack traffic. The later disables attacked hosts’ authentication mechanism. Both result in great damage on attacked hosts. According to FBI， in 2003， DoS/DDoS attacks alone caused about sixty-six million dollar lost in the USA. The trend of this kind of attacks continues increasing. According to TCP/IP protocol， the response of a socket to a packet changes when it is in a different state and the state of a socket changes after sending an IP packet. Based on the above principle， we can accurately confirm whether an IP packet was really sent by a specific socket. Besides， unless a 3-way handshaking is finished， a TCP connection can not be built; hence， for all packets claimed to belong to a TCP connection， ISD only needs to confirm the validity of the TCP SYN packet. The above rule can dramatically decrease the number of IP packets whose validity is needed to be verified. Based on the above analysis， we plan to develop and implement ISD on a Linux platform. The precision of the recognition of IDS could be to the socket level. Until now none of the IP spoofing detection solution could achieve such a fine precision level.
Appears in Collections:	[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation

Files in This Item:

File	Size	Format

社群 sharing

Loading...