Name |
吳宏毅(Hung-I Wu)
Department |
Department of Computer Science and Information Engineering |
Thesis Title |
An IP Spoofing Detection Method with Precision Down to a Single Port on a Single Host (IP Spoofing Detector)
|
Related Theses | |
Files |
- This electronic thesis is licensed for immediate open access.
- The open-access full text is licensed to users solely for academic research: personal, non-commercial searching, reading and printing.
- Please observe the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without permission.
|
Abstract (Chinese) |
Because most of today's network attacks use IP spoofing to hide the attacker's source location, victims find it difficult to locate the true position of the attacker and therefore cannot effectively block the attack. Moreover, IP spoofing is frequently used to launch attacks that cause serious security problems, such as TCP session hijacking and trusted-host attacks. Developing a fast and accurate method for detecting forged packets has therefore become an urgent and important issue.
In this thesis we develop a brand-new IP spoofing detection method whose resolution is precise down to a single socket on a single host: the IP Spoofing Detector (ISD). Without modifying any software or hardware of any computer inside the protected network, and without using any encryption or decryption key technique, the edge-router-based ISD can quickly and effectively detect IP-spoofed packets. Combined with ingress/egress filtering, it ensures that every packet sent out through the ISD has had its source verified and confirmed: no matter how the layout of the computers inside the protected network changes, and whether or not the protected network allows mobile IPs, any IP packet with a forged source that originates from the network where the ISD is located can be detected and blocked.
This thesis exploits two properties of the TCP/IP protocol: a host's socket responds differently to certain special packets depending on its state, and a socket enters a specific state after sending a given packet. The ISD verifies whether a packet it has received is genuine by observing how the target host reacts to a verification packet sent by the ISD. In addition, the thesis uses the TCP rule that two hosts must complete the 3-way handshake before they can exchange data in TCP packets to reduce the number of verification packets required. With these methods we build a fast IP spoofing detection method whose resolution reaches a single TCP connection on a single host. Experiments show that, with only a small amount of overhead, the method effectively detects IP packets whose source addresses are forged. |
Abstract (English) |
In this project, we plan to develop a novel IP spoofing detection solution named IP Spoofing Detector (ISD) to solve this notorious security threat to computers and networks. ISD can accurately recognize whether an IP packet belongs to the TCP connection indicated in the TCP/IP header of that packet and drops all spoofed IP packets. As a result, attackers can no longer launch attacks through spoofed IP packets from the network protected by ISD.
ISD will be an edge-router-based solution to IP spoofing; hence, installing it requires no modification of any software or hardware on any host of the protected network, and no encryption or decryption method is needed to authenticate packets. Once installed, ISD can efficiently and effectively detect and block spoofed IP packets no matter how the layout of the protected network changes and no matter whether mobile IPs are supported by the protected network.
Since the IP spoofing problem was reported to the public by S. Bellovin of Bell Labs in 1989, it has been used by many attackers either to conceal attack sources (as in DoS/DDoS attacks, port-scanning decoys and idle scans) or to forge packets as coming from hosts trusted by the attacked hosts in order to gain access to them (as in man-in-the-middle attacks and trusted-host attacks). The former thwarts victims' ability to respond appropriately to attack traffic; the latter disables the attacked hosts' authentication mechanisms. Both cause great damage to the attacked hosts. According to the FBI, in 2003 DoS/DDoS attacks alone caused about sixty-six million dollars in losses in the USA, and the trend of this kind of attack continues to increase.
According to the TCP/IP protocol, a socket's response to a packet differs depending on the state it is in, and the state of a socket changes after it sends an IP packet. Based on this principle, we can accurately confirm whether an IP packet was really sent by a specific socket. Besides, a TCP connection cannot be established unless the 3-way handshake is completed; hence, for all packets claimed to belong to a TCP connection, ISD only needs to confirm the validity of the TCP SYN packet. This rule dramatically decreases the number of IP packets whose validity needs to be verified. Based on the above analysis, we plan to develop and implement ISD on a Linux platform. The precision of ISD's recognition reaches the socket level; until now, no IP spoofing detection solution has achieved such a fine level of precision. |
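The principle in the abstract, as an added toy model (not the thesis's code): socket replies follow the RFC 793 state rules, and the router verifies only SYN segments, accepting a SYN only if the claimed source socket behaves like one that has just sent a SYN. The SYN-ACK probe, the socket table and the treatment of unverified non-SYN segments are assumptions made for the illustration.

```python
# Added example (not code from the thesis): toy model of the ISD principle.
# Socket replies follow RFC 793 (sequence-number checks omitted, modern
# "challenge ACK" behaviour ignored); probe and socket table are assumptions.
from dataclasses import dataclass

CLOSED, LISTEN, SYN_SENT, ESTABLISHED = "CLOSED", "LISTEN", "SYN_SENT", "ESTABLISHED"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "A" ACK, "SA" SYN-ACK, "R" RST


def socket_response(state, flags):
    """Reply a socket in `state` gives to an incoming segment (RFC 793)."""
    if "R" in flags:
        return None                              # resets are never answered
    if state == CLOSED:
        return "R"                               # no socket: RST
    if state == LISTEN:
        return "R" if "A" in flags else ("SA" if "S" in flags else None)
    if state == SYN_SENT:                        # "S" alone: simultaneous open
        return "A" if flags == "SA" else ("R" if "A" in flags else "SA")
    if state == ESTABLISHED:
        return "R" if "S" in flags else "A"      # in-window SYN: RST (RFC 793)
    return None


class SpoofDetector:
    """Edge-router model: only SYNs are verified; later segments are accepted
    iff their SYN was (assumption: pre-existing connections not modelled)."""

    def __init__(self, sockets):
        self.sockets = sockets      # constructed: {(host, port): state}
        self.verified = set()

    def check(self, seg):
        conn = (seg.src, seg.sport, seg.dst, seg.dport)
        if "S" in seg.flags and "A" not in seg.flags:
            # A socket that really sent this SYN is in SYN_SENT and answers the
            # SYN-ACK it expects with an ACK; any other state cannot have sent it.
            state = self.sockets.get((seg.src, seg.sport), CLOSED)
            if socket_response(state, "SA") == "A":
                self.verified.add(conn)
                return "legit"
            return "spoofed"
        return "legit" if conn in self.verified else "spoofed"
```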
Keywords (Chinese) |
★ address ★ spoofing ★ detection |
Keywords (English) |
★ IP spoofing |
Table of Contents |
Abstract i
Acknowledgements iii
Table of Contents iv
List of Figures v
List of Tables vi
Chapter 1 Introduction 1
1-1 Research Background and Purpose 1
1-1-1 DoS/DDoS Attack 2
1-1-2 Port Scanning Decoy 3
1-1-3 Trusted Host Attack 3
1-1-4 Man-in-the-Middle Attack 3
1-2 Related Work 4
To solve IP spoofing, a problem that seriously disrupts information security, many research resources have been devoted to this field; the following sections introduce some of the main research results. 4
1-2-1 Ingress/Egress router 4
1-2-2 StackPi 4
1-2-3 Hop-count filtering 5
1-2-4 Spoofing Prevention Method 5
1-2-5 SAVE: source address validity enforcement protocol 5
1-3 Thesis Organization 6
Chapter 2 Research Methods and Principles 7
Chapter 3 IP Spoofing Detector 10
3-1 Requirements for Verification Packets 10
3-2 Socket States and Responses 11
3-3 Inference 11
3-4 ISD Algorithm 13
3-5 Waiting Time 14
Chapter 4 Program System Architecture 15
4-1 Basic Architecture 15
4-2 Program Overview 17
Chapter 5 Experiments and Discussion 19
5-1 Experimental Environment Setup 19
5-2 Experiments and Results 20
5-3 Attack Analysis 25
5-4 Host A Running Microsoft Windows XP SP2 25
Chapter 6 Conclusion 26
6-1 Contributions 26
6-2 Summary 26
6-3 Future Work 26
References 27
Appendix 30 |
References |
[1] S. M. Bellovin, "Security Problems in the TCP/IP Protocol Suite", Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989.
[2] Matt Tanase, "Closing the Floodgates: DDoS Mitigation Techniques", http://www.securityfocus.com/infocus/1655
[3] D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity", in USENIX Security Symposium, Washington, D.C., Aug. 2001.
[4] V. Paxson, "An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks", Computer Communication Review 31(3), July 2001.
[5] Mark Crother, "IP Address Spoofing and Hijacked Session Attacks", Bugtraq: CIAC Advisory F-08.
[6] Dave Dittrich, "Session hijacking demonstration and notes", http://althing.cs.dartmouth.edu/secref/resources/network-layer2.shtml
[7] J. P. McDermott, "Attack net penetration testing", Workshop on New Security Paradigms, Ballycotton, Ireland, 2001.
[8] C. Weissman, "Penetration Testing", Handbook for the Computer Security Certification of Trusted Systems.
[9] P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", RFC 2267.
[10] A. Perrig, D. Song, and A. Yaar, "StackPi: a new defense mechanism against IP spoofing and DDoS attacks", CMU technical report, February 2003.
[11] C. Jin, H. Wang, and K. Shin, "Hop-count Filtering: An Effective Defense Against Spoofed DDoS Attacks", ACM Computer and Communications Security, 2003.
[12] A. Bremler-Barr and H. Levy, "Spoofing Prevention Method", IEEE INFOCOM, Miami, FL, USA, March 2005.
[13] Jun Li, Jelena Mirkovic, Mengqiu Wang, Peter Reiher, and Lixia Zhang, "SAVE: source address validity enforcement protocol", IEEE INFOCOM, New York, New York, June 2002.
[14] Lamont Granquist, "NMAP guide", retrieved from http://insecure.org/nmap/lamont-nmap-guide.txt
[15] Insecure, "Idlescan", http://insecure.org/nmap/idlescan.html
[16] "2003 CSI/FBI Computer Crime and Security Survey", retrieved from http://www.reddshell.com/docs/csi_fbi_2003.pdf
[17] "Linux Networking Kernel", retrieved from http://www.ecsl.cs.sunysb.edu/elibrary/linux/network/LinuxKernel.pdf
[18] "socket states", retrieved from http://www.cis.temple.edu/~ingargio/cis307/readings/unix4.html#states |
Advisor |
許富皓(Fu-Hau Hsu)
|
Review Date |
2007-7-18 |