中大學術數位典藏-NCU Institutional Repository-提供博碩士論文、考古題、期刊論文、研究計畫等下載:Item 987654321/99382
English  |  正體中文  |  简体中文  |  Items with full text/Total items : 94201/94201 (100%)
Visitors : 81585054      Online Users : 2455
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
    •  Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version


    Please use this identifier to cite or link to this item: https://ir.lib.ncu.edu.tw/handle/987654321/99382


    Title: DuSDA - 抵禦大型檔案下載攻擊的雙系統架構;DuSDA: A Dual-System Architecture for Defending Against Large File Downloading Attacks
    Authors: 蔡侑辰;CAI, You-Chen
    Contributors: 資訊工程學系在職專班
    Keywords: 分散式阻斷服務攻擊;HTTP 洪水攻擊;服務隔離;雙系統架構;流量分析;協同防禦;Distributed Denial-of-Service Attack;HTTP Flood;Service Isolation;Dual-System Architecture;Traffic Analysis;Coordinated Defense
    Date: 2026-01-14
    Issue Date: 2026-03-06 18:51:16 (UTC+8)
    Publisher: 國立中央大學
    Abstract: 隨著網路攻擊技術的演進,應用層分散式阻斷服務攻擊 (Application Layer DDoS) 已成為網路服務的重大威脅。攻擊者常鎖定高資源消耗的端點,例如大檔案下載服務,發動 HTTP Flood 攻擊。在傳統的單一系統架構 (Single-System Architecture) 中,所有服務共享網路頻寬與運算資源,一旦大檔案下載服務遭受攻擊並耗盡頻寬,將導致包含小檔案下載在內的所有服務同時崩潰,造成全面的服務中斷。現有的防禦機制如 Web 應用程式防火牆 (WAF) 或速率限制,往往難以在不影響合法用戶下載體驗的前提下,精確區分惡意的大量下載行為。

    為解決上述問題,本論文提出了一種名為 DuSDA (Dual-System Architecture) 的雙系統防禦架構。本研究的核心策略是將大檔案與小檔案服務進行資源與架構上的隔離,透過部署統一的路由器 (DuSDA Dispatcher) 作為入口,利用 HTTP 302 重定向機制將用戶請求分流至獨立運作的大檔案系統或小檔案系統。為了精準偵測攻擊,本系統實作了基於 Nginx 日誌分析的即時監控模組,採用多維度評分機制 (Multi-Dimensional Scoring Mechanism) 來評估用戶行為的風險等級;同時設計了跨系統協同防禦機制 (Cross-System Monitoring and Coordination),利用 UDP 封包在隔離的系統間即時同步威脅情資,一旦偵測到惡意 IP,即可觸發聯動封鎖。

    實驗結果顯示,在模擬 Layer-7 HTTP GET Flood 攻擊的情境下,DuSDA 架構能成功將攻擊流量限制在受害的子系統中。當大檔案系統因攻擊而導致效能下降時,小檔案系統仍能維持高服務可用性與穩定的回應時間,不受攻擊波及。本研究證實了透過服務隔離結合協同防禦機制,能有效提升檔案下載服務在面臨針對性 DDoS 攻擊時的系統韌性。
    ;With the evolution of cyberattack techniques, application-layer distributed denial-of-service (Application Layer DDoS) attacks have become a major threat to online services. Attackers often target resource-intensive endpoints, such as large file download services, to launch HTTP Flood attacks. In a traditional single-system architecture, all services share the same network bandwidth and computing resources. Once the large-file download service is attacked and exhausts the available bandwidth, all services—including small-file downloads—collapse simultaneously, resulting in a complete service outage. Existing defense mechanisms, such as Web Application Firewalls (WAFs) or rate limiting, often struggle to accurately distinguish malicious high-volume download behavior without degrading the experience of legitimate users.

    To address this issue, this thesis proposes a dual-system defense architecture named DuSDA (Dual-System Defense Architecture). The core strategy of this research is to isolate large-file and small-file services in both resource allocation and system architecture. A unified DuSDA Dispatcher is deployed as the entry point, and user requests are distributed to the independently operated large-file or small-file subsystems through HTTP 302 redirection. To achieve precise attack detection, the system implements a real-time monitoring module based on Nginx log analysis and adopts a Multi-Dimensional Scoring Mechanism to evaluate the risk level of user behavior. In addition, a Cross-System Monitoring and Coordination mechanism is designed to synchronize threat intelligence between the isolated subsystems using UDP packets, enabling coordinated blocking once a malicious IP is detected.

    Experimental results show that under simulated Layer-7 HTTP GET Flood attacks, the DuSDA architecture effectively confines the attack traffic within the targeted subsystem. When the large-file subsystem experiences performance degradation due to attacks, the small-file subsystem continues to maintain high availability and stable response times, remaining unaffected. This research demonstrates that service isolation combined with coordinated defense mechanisms can significantly enhance the resilience of file download systems against targeted DDoS attacks.
    Appears in Collections:[Executive Master of Computer Science and Information Engineering] Electronic Thesis & Dissertation

    Files in This Item:

    File Description SizeFormat
    index.html0KbHTML87View/Open


    All items in NCUIR are protected by copyright, with all rights reserved.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明