Traditional Denial-of-Service (DoS) attacks mostly rely on high traffic volume or on botnets that continuously send requests to overwhelm the target system. This thesis, however, focuses on a novel attack technique, Application-Layer Traffic Loops, which can be triggered by a single packet with a spoofed source, causing two servers to respond to each other endlessly until resources are exhausted or the system crashes. The result is an almost zero-cost DoS attack that requires no sustained control by the attacker.

Since conventional DoS defenses, such as traffic analysis and rate limiting, are ineffective against this kind of application-layer loop attack, this study concentrates on defending against application-layer traffic loops in the DNS protocol. We first replicate the attack process and verify that specific error responses alone are sufficient to induce looping behavior between existing DNS servers. We then propose a defense mechanism for DNS servers that identifies loops by the characteristic of repeated error responses within a short time and promptly blocks potential loop-inducing packets. Experimental results show that the proposed system achieves a defense accuracy of over 95% without affecting normal service, effectively strengthening the DNS system's ability to withstand this new type of attack.
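The detection idea described in the abstract, repeated error responses between the same pair of hosts within a short window, can be illustrated with a sliding-window counter. The following is an added example, not the thesis's own implementation; the window length, threshold, symmetric pair keying and the set of RCODEs treated as errors are assumptions made here.

```python
"""Sliding-window detector for DNS error-response loops (added example, not thesis code)."""
from collections import defaultdict, deque

# DNS RCODE values (RFC 1035) treated here as error responses; NOERROR (0) is never counted
ERROR_RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


class LoopDetector:
    """Counts error responses exchanged between a pair of hosts inside a time window.

    Assumption (ours, not the thesis's): a legitimate server rarely emits more than
    `threshold` error responses toward the same peer within `window` seconds, whereas a
    loop produces them continuously, so a pair that crosses the threshold is blocked.
    """

    def __init__(self, window=1.0, threshold=10):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)  # pair -> timestamps of recent error responses
        self.blocked = set()

    @staticmethod
    def pair_key(src, dst):
        # A loop is symmetric: A->B and B->A error traffic belong to the same loop
        return tuple(sorted((src, dst)))

    def observe(self, ts, src, dst, rcode):
        """Record one DNS response; return True if this packet should be dropped."""
        key = self.pair_key(src, dst)
        if key in self.blocked:
            return True
        if rcode not in ERROR_RCODES:
            return False
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(key)
            return True
        return False


def run(records, window=1.0, threshold=10):
    """Feed (ts, src, dst, rcode) records through one detector; return per-packet verdicts."""
    det = LoopDetector(window, threshold)
    return [det.observe(*r) for r in records]


# Constructed sample: SERVFAIL responses ping-ponging between two servers every 20 ms
LOOP = [(i * 0.02, "10.0.0.1", "10.0.0.2", 2) if i % 2 == 0
        else (i * 0.02, "10.0.0.2", "10.0.0.1", 2) for i in range(20)]
# Constructed sample: NOERROR replies plus occasional NXDOMAIN responses spread over time
NORMAL = [(t, "10.0.0.3", "10.0.0.1", 0) for t in range(5)] + \
         [(t, "10.0.0.3", "10.0.0.1", 3) for t in range(10, 40, 5)]
```

Running `run(LOOP)` blocks the pair from the tenth error response onward, while `run(NORMAL)` never blocks because the NXDOMAIN responses are too sparse to fill the window.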