Master's/Doctoral Thesis 93522018: Detailed Record

Name: 游秉賢 (Ping-Hsien Yu)    Department: Computer Science and Information Engineering
Thesis title: Application of Packet Marking Techniques in a Cooperative Traceback and Defense System
(An Application of Proportional Probabilistic Packet Marking Trace in the DDoS Overlay Defense System)
  1. Access rights for this electronic thesis: approved for immediate open access.
  2. The open-access full text is licensed only for individual, non-commercial retrieval, reading and printing for the purpose of academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without authorization.

Abstract (Chinese): Network attacks have occurred one after another in recent years, and among all of them the one that most easily causes massive damage is the distributed denial of service (DDoS) attack. Because attackers mostly forge the source address of their packets to hide their location, tracing the source of an attack is difficult. This thesis therefore proposes using packet marking to identify the onset of an attack and to trace the attacker's location, and cooperates with an overlay network defense system to block the attack traffic at a precise position, thereby stopping the DDoS attack. Packet marking uses rarely used fields of the IP header and, with a chosen probability, fills in partial path information about the route a packet traverses; even if the attacker forges the source address, the attack path can be recovered from the marks carried by multiple packets. The thesis also proposes using the path information in the marks to discover source addresses that are inconsistent with their routing position, which helps identify attack packets. Finally, the thesis demonstrates through implementation the feasibility of applying packet marking to a cooperative traceback and defense system, and integrates the proposed mark-based attack-packet detection method into Snort's detection functionality. The experimental results show that the system can trace the attack source and effectively block DDoS attacks.
Abstract (English): With the extreme popularity of the Internet, network attacks have emerged in an endless stream in recent years. One of the most serious is the distributed denial of service (DDoS) attack, which easily causes large damage. DDoS attackers usually forge the source address of IP packets to hide their positions, so that tracing back to the attackers is difficult. To alleviate DDoS, this work takes advantage of the packet-marking method to trace the attacker's location as well as to detect DDoS attacks. Once a DDoS attack is detected and located, this work initiates an overlay-network defense system to block it.
The basic concept of the packet-marking method is to insert some route information into rarely used fields of the IP header. The insertion is performed with a given probability. Even if attackers forge the source address of IP packets, this method can find the attack path by using the route information carried by the marked packets. With the attack path, our work is also able to detect attack packets that carry the same source address but arrive from different upstream routers.
Finally, this work implemented a system based on the packet-marking method and the overlay-network defense approach, and integrated a new detection method based on packet marking into Snort. The experimental results show that our system can detect, locate, and block DDoS attacks effectively.
Keywords (Chinese) ★ overlay network
★ distributed denial of service attack
★ packet marking
Keywords (English) ★ packet marking
★ DDoS
★ overlay network
Table of Contents: Abstract (Chinese) I
Abstract (English) II
Contents IV
List of Figures VI
List of Tables VIII
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 1
1.3 Thesis Organization 2
Chapter 2 Related Work 3
2.1 Distributed Denial of Service Attacks 3
2.2 Existing Defense Strategies 5
2.2.1 D-ward 5
2.2.2 Traffic Control Service 6
2.2.3 WebSOS 7
2.2.4 MOVE 8
2.2.5 Overlay Network Defense System 9
2.2.6 System Comparison 10
2.3 Existing Traceback Strategies 12
2.3.1 Controlled Flooding Method 12
2.3.2 CenterTrack 13
2.3.3 Packet Marking 14
Deterministic Packet Marking 14
Probabilistic Packet Marking 15
Chapter 3 System Design 17
3.1 System Architecture 17
3.2 Operation Flow 18
3.3 Overlay Server 20
3.3.1 Marking Agent 21
3.3.2 Overlay Defense Agent 24
3.4 Traceback Server 25
3.4.1 Detection Agent 26
3.4.2 Path Reconstruction Agent 27
3.4.3 Analysis Agent 28
Chapter 4 System Implementation 30
4.1 Overlay Server Implementation 30
4.1.1 Marking Agent 30
Overview of the IP Header 30
Deployment 33
Implementation 33
4.1.2 Overlay Defense Agent 35
4.2 Traceback Server Implementation 36
4.2.1 Integrating the Detection Function into Snort 37
Chapter 5 Experiments 38
5.1 Experimental Environment 38
5.2 Experiment 1 40
5.3 Experiment 2 44
Chapter 6 Conclusion 47
References 48
Advisor: 曾黎明 (Li-Ming Tseng)    Review date: 2006-7-24