NCU Institutional Repository (theses and dissertations, past exam papers, journal articles and research projects available for download): Item 987654321/99384


    Please use this identifier to cite or link to this item: https://ir.lib.ncu.edu.tw/handle/987654321/99384


    Title: DASSH - Application-Layer Load-Balanced Scaling Multi-Proxy Shield against DNS Amplification Attacks
    Authors: 莫兆全;Mo, Zhao-Quan
    Contributors: Executive Master of Computer Science and Information Engineering
    Keywords: DNS amplification attack; application-layer defense; load balancing; iptables; conntrack; solicited-only filtering
    Date: 2026-01-16
    Issue Date: 2026-03-06 18:51:31 (UTC+8)
    Publisher: National Central University
    Abstract: DNS amplification attacks exploit the connectionless nature of UDP and the ability to spoof source addresses: small queries sent to open DNS resolvers trigger large responses that are reflected toward the victim, imposing severe load on public UDP-based services.
    This study proposes DASSH (DNS Amplification Scaling Shield), an application-layer, load-balanced multi-proxy defense that enforces DNS query-response consistency at the service entry point. The system consists of a public load balancer and multiple independent proxy nodes. Each proxy blocks unsolicited DNS responses using kernel-level connection state tracking combined with application-layer DNS query tracking, allowing only responses that correspond to queries issued by the same proxy.
    Experiments conducted in a containerized environment demonstrate that, under DNS amplification attack scenarios, DASSH effectively isolates unsolicited amplified DNS response traffic and preserves the availability of backend UDP services during the attack, without requiring modifications to the DNS protocol or external network infrastructure.
    Appears in Collections: [Executive Master of Computer Science and Information Engineering] Electronic Thesis & Dissertation

    Files in This Item:

    File          Description    Size    Format
    index.html                   0Kb     HTML


    All items in NCUIR are protected by copyright, with all rights reserved.
