Master's and Doctoral Theses, Record 91522045: Detailed Information
Author: 王凱平 (Kai-Ping Wang)  Department: Computer Science and Information Engineering
Title: 以主動式網路抵禦DDoS攻擊
(Active Defense against DDoS Attacks)
Related Theses
★ A Study of Stable QoS Routing Mechanisms in Wireless Mobile Ad Hoc Networks
★ A Network Management System Using Multiple Mobile Agents
★ A Cooperative Network Defense System Using Mobile Agents
★ A Study of QoS Routing under Uncertain Link-State Information
★ Improving Path-Setup Performance in Optical Burst Switching via Traffic Observation
★ A Study of Sensor Networks and Game Theory Applied to Comfort Air Conditioning
★ A Search-Tree-Based Routing Algorithm for Wireless Sensor Networks
★ A Lightweight Positioning System for Mobile Devices Based on Wireless Sensor Networks
★ A Multimedia Guided Toy Car
★ A Smart Floor-Based Guided Toy Car
★ A Mobile Social Network Service Management System Applied to Families of Developmentally Delayed Children
★ A Location-Aware Wearable Mobile Advertising System
★ Adaptive Vehicular Broadcasting
★ A Vehicle Collision Avoidance Mechanism with Early Warning over Vehicular Networks
★ A Cooperative Traffic Information Dissemination Mechanism over Wireless Vehicular Networks to Alleviate Vehicle Congestion
★ Adaptive Virtual Traffic Signals Using Vehicular Networks to Alleviate Congestion in Smart Cities
Files: full text not available (never open)
Abstract (Chinese): In recent years, distributed denial-of-service (DDoS) attacks have occurred one after another, and these attacks share some common characteristics: they exploit security vulnerabilities in certain systems, and the attacker intrudes into a user's system and then manipulates that system into a stepping stone for the attack, paralyzing the network.
While a DDoS attack is spreading, if the health (physical condition) of each network node can be quickly confirmed and the corresponding mechanism activated, the attack region created by the attacker can be isolated and shrunk. This thesis exploits the advantage of Active Networks, namely the rapid dissemination of policies, to probe every node in the network step by step, first dividing the whole network into three areas: the safe area, the uncertain area, and the attacked area. Next, active network packets carry the antidote (vaccine) for a specific attack and patch the security vulnerabilities of the nodes in the uncertain area. Finally, the whole network topology can be clearly divided into a safe area and an attacked area, achieving the goal of blocking the attack.
The system designed in this thesis, the Active DDoS Defense System (ADDS), uses the active network as the transport medium for the vaccine and uses the Active Network Transfer System (ANTS) as the active network execution environment (EE). Users do not need to build an additional transport protocol: customized programs can be placed in capsules and transmitted, achieving the goal of a programmable network.
According to the simulation data in Chapter 4 of this thesis, compared with having no defense mechanism, ADDS increases network survival time by 232% and, while an attack is occurring, reduces average CPU utilization wasted by undetected attacks by 33.55%; conversely, 9.98% of legitimate packets are misjudged as attack packets (legal traffic dropped rate).
Abstract (English): DDoS attack incidents have grown rapidly in recent years, and these attacks share some common features: if users do not patch security holes as soon as possible, attackers exploit the vulnerabilities of those systems to carry out attacks and invade the users' systems, turning them into the attacker's zombies. This paralyzes the network so that it cannot provide service.
If the network can confirm the physical condition of each node and start cleaning mechanisms when a DDoS attack begins to spread, it can isolate and shrink the attacker's sphere of influence. This thesis uses the advantage of Active Networks, the fast distribution of policies, to detect every node gradually. The whole network is divided into three areas: the safe area, the uncertain area, and the attacked area. The security holes of each network node are then repaired by active network packets that carry the antivirus for the particular attack. Finally, the whole network topology can be divided into a safe area and an attacked area, restraining the DDoS attack.
This thesis proposes the Active DDoS Defense System (ADDS), which uses the Active Network Transfer System (ANTS) as its chosen execution environment (EE). ANTS is a popular EE that uses capsules to transport user programs. Simulation results show that ADDS increases network survival time by 224% and, while attacks occur, reduces the CPU utilization wasted by undetected attacks by 34.58%; however, ADDS also increases the legal traffic dropped rate by 8.12%.
Keywords (Chinese) ★ Active Network DDoS Defense System
★ Active Network
★ Distributed Denial-of-Service Attack
★ ANTS
Keywords (English) ★ ADDS
★ Active Network
★ DDoS
★ ANTS
Table of Contents
Chapter 1 Introduction, p. 1
1.1 Network Security, p. 1
1.2 Active Networks, p. 2
1.3 Research Objectives, p. 9
1.4 Thesis Organization, p. 10
Chapter 2 Background and Related Work, p. 11
2.1 DDoS Attacks, p. 11
2.2 Related Work on DDoS Defense, p. 16
Chapter 3 ADDS System Design, p. 25
3.1 ADDS Modules, p. 26
3.2 ADDS Network Architecture, p. 34
3.3 ADDS System Flow, p. 38
3.4 System Comparison, p. 44
Chapter 4 System Simulation, p. 48
4.1 Simulation Environment, p. 48
4.2 Simulation Results and Discussion, p. 54
4.2.1 Comparison of Different Average Attack Ratios, p. 54
4.2.2 Comparison of Different Attack-Packet Filtering Durations, p. 61
4.2.3 Comparison of Different Attack-Packet Filtering Intervals, p. 66
4.2.4 Comparison of Different CPU Thresholds and Attack Spread Probabilities, p. 70
Chapter 5 Conclusions and Future Work, p. 75
References, p. 78
Term Comparison Table, p. 82
References
[1] Dai KASHIWA, Eric Y. CHEN, Hitoshi FUJI, Shuichi MACHIDA, Hiroshi SHIGENO, Ken-ichi OKADA and Yutaka MATSUSHITA, “Active Countermeasure Platform against DDoS Attacks,” IEICE TRANS. INF. & SYST., vol. E85-D, no. 12, Dec. 2002.
[2] D. Moore, G. M. Voelker and S. Savage, “Inferring Internet denial-of-service activity,” Proceedings of 10th USENIX Security Symposium, 2001.
[3] D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing,” RFC 2827, http://www.ietf.org/rfc/rfc2827.txt, May 2000.
[4] D. Tennenhouse, J. Smith, W. Sincoskie, D. Wetherall and G. Minden, “A Survey of Active Network Research,” IEEE Communication Magazine, vol. 135, no. 1, pp. 80-86, Jan. 1997.
[5] David Wetherall, Ulana Legedza and John Guttag, “Introducing New Internet Services: Why and How,” IEEE NETWORK Magazine Special Issue on Active and Programmable Network, July 1998.
[6] Fadi Al-Moussa, “Active Networking Applied to Network Security,” 2nd Annual Postgraduate Symposium on the Convergence of Telecommunications, Networking and Broadcasting, PGNet 2001, EPSRC, Liverpool John Moores University, ISBN 1 902560 078, pp. 147-151, June 2001.
[7] Active Network Backbone home page. http://www.isi.edu/abone.
[8] Bob Braden, Alberto Cerpa, Ted Faber, Bob Lindell, Graham Phillips, Jeff Kann and Vivek Shenoy, “Introduction to the ASP Execution Environment (v1.6),” Technical report, University of Southern California, Information Science Institute, http://www.isi.edu/active-signal/ARP/, Feb. 2003.
[9] David Wetherall, John Guttag and David Tennenhouse, “ANTS: A Toolkit for Building and Dynamically Deploying Network Protocols,” IEEE OPENARCH’98, pp. 117-129, San Francisco, CA, April 1998.
[10] Dan Sterne, Kelly Djahandari, Ravindra Balupari, William La Cholter, Bill Babson, Brett Wilson, Priya Narasimhan and Andrew Purtell, “Active Network Based DDoS Defense,” Proceedings of DARPA Active Networks Conference and Exposition, pp. 193-203, Glenwood, MD, 2002.
[11] A. Hess, M. Jung and G. Schafer, “FIDRAN: A Flexible Intrusion Detection and Response Framework for Active Networks,” Proceedings of Eighth International Symposium on Computers and Communication, Kemer, Antalya, Turkey, July 2003.
[12] J. Scambray, S. McClure and G. Kurtz, Hacking Exposed: Network Security Secrets & Solutions, Second Edition, McGraw Hill, 2001.
[13] W. Richard Stevens, TCP/IP Illustrated Volume 1 : The Protocols.
[14] CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks, http://www.cert.org/advisories/CA-1996-21.html.
[15] CERT Advisory CA-1996-01 UDP Port Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1996-01.html.
[16] CERT Advisory CA-1996-26 Denial-of-Service Attack via ping, http://www.cert.org/advisories/CA-1996-26.html.
[17] CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1998-01.html.
[18] A. Barone, P. Chirco, G. Di Fatta and G. Lo Re, “A Management Architecture for Active Networks,” Proceedings of the Fourth Annual International Workshop on Active Middleware Services (AMS’02), Edinburgh, United Kingdom, July 2002.
[19] David Wetherall, John Guttag and David Tennenhouse, “ANTS: Network Services Without the Red Tape,” IEEE Computer Magazine, vol. 32, no. 4, April 1999.
[20] L.-D. Chou and S.-L. Wu, “Precautionary measures against TCP SYN flooding attack,” Proceedings of IFIP WCC 2000-World Computer Congress: The 15th International Conference on Information Security, Beijing, China, Aug. 2000.
[21] CERT Advisory CA-1997-28 IP Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1997-28.html.
[22] D. Schnackenberg, K. Djahandari, and D. Sterne, “Infrastructure for intrusion detection and response,” Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX '00), South Carolina, vol. 2, pp. 3-11, Jan. 2000.
[23] William La Cholter, Priya Narasimhan, Dan Sterne, Ravindra Balupari, Kelly Djahandari, Arvind Mani and Sandra Murphy, “IBAN: Intrusion Blocker based on Active Networks,” Proceedings of the DARPA Active Networks Conference and Exposition (DANCE’02), pp. 182-192, May 2002.
[24] Gitae Kim, Tony Bogovic and Dana Chee, “Active edge-Tagging (ACT): An Intruder Identification & Isolation Scheme in Active Network,” Proceedings of the Sixth IEEE Symposium on Computers and Communications (ISCC'01), Hammamet, Tunisia, July 2001.
[25] John Ioannidis and Steven M. Bellovin, “Implementing Pushback: Router-Based Defense DDoS Attacks,” NDSS, Feb. 2002.
[26] Jelena Mirković, Gregory Prier and Peter Reiher, “Attacking DDoS at the Source,” Proceedings of 10th IEEE International Conference on Network Protocols (ICNP'02), pp. 312-321, Nov. 2002.
[27] Scott Shyne, Adam Hovak and Joseph Riolo, “Using Active Networking to Thwart Distributed Denial of Service Attacks,” Proceedings of 2001 IEEE Aerospace Conference, vol. 3, pp. 1103-1108, 2001.
[28] D. L. Tennenhouse, S.J. Garland, L. Shrira and M. F. Kaashoek, “From Internet to ActiveNet,” http://www.sce.carleton.ca/netmanage/activeNetworks/rfc96.html, Jan. 1996.
[29] D. Scott Alexander, B. Braden, C. Gunter, A. Jackson, A. Keromytis, G. Minden and D. Wetherall, “Active Network Encapsulation Protocol (ANEP),” Experimental RFC draft, July 1997.
[30] B. Barden, M. Hicks and C. Tschudin, “Active Network Overlay Network (ANON),” Experimental RFC draft, Dec. 1997.
[31] Rob Thomas, “Monitoring DoS Attacks with the VIP Console and NetFlow v1.0,” http://www.cymru.com/Documents/dos-and-vip.html, May 2001.
[32] David Harmelin, “Tackling Network DoS on Transit Networks,” http://www.dante.net/pubs/dip/42/42.html, March 2001.
[33] The Network Simulator, http://www.isi.edu/nsman/ns.
[34] K. Fall and K. Varadhan, “The ns Manual,” http://ww.isi/edu/ns, Dec. 2003.
[35] A. Barone, P. Chirco, G. Di Fatta and G. Lo Re, http://www.cere.pa.cnr.it/~difatta/ANgate/, July 2004.
[36] Abocom Enterprise, http://www.aboway.com.tw/product_detail.php?id=58.
[37] Kerio WinRoute, http://www.leetide.net/support_kwf_008B14.htm.
Advisor: 周立德 (Li-Der Chou)  Review Date: 2004-7-19