Name: 彭士家 (Shi-Jia Peng)
Department: Computer Science and Information Engineering
Thesis title: 使用Openflow 交換器偵測Botnet 受害者與通知機制
(Botnet Victim Detection and Notification based on Openflow Switch)
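- The author has authorized this electronic thesis for immediate open access.
- Open-access electronic full text is licensed to users only for personal, non-profit searching, reading, and printing for the purpose of academic research.
- Please comply with the Copyright Act of the Republic of China. Do not reproduce, distribute, adapt, repost, or broadcast this work without authorization, to avoid breaking the law.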
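Abstract (Chinese)
With the continued development of the Internet, data on the network has become increasingly important and online transactions increasingly frequent. At the same time, cybercrime has begun to rise, and the botnet is one form of it. A botnet keeps its attacker hidden and is highly flexible, and it can control many computers at once.
This thesis studies botnets based on the IRC protocol. It first explains how a botnet operates and the problems botnets pose that security personnel find hard to solve. It then introduces the features and advantages of the NetFPGA network card developed at Stanford University and of the openflow project, and explains the efficiency problem of blocking with a linux gateway. Using the NetFPGA and openflow network designed at Stanford University, this thesis designs a system that uses an openflow switch to detect infected computers. We assume that all normal users browse the web, and use the openflow switch to redirect infected computers to a warning page that informs the user of the infection. Then, through a network blocking strategy, we make the user aware of the necessity and urgency of resolving the infection.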
Abstract (English)
Over the years, networks have developed quickly and constantly. With the rise of online trade, data on the network has become more and more important. Unfortunately, Internet crime, such as botnets, has risen at the same time and become a big problem. Botnets have hidden attackers and high flexibility, and can also control multiple computers.
This paper describes the IRC-based botnet. First, we explain botnet behavior and the problems that are hard for security officers to solve. Then we introduce the NetFPGA card developed by Stanford University and explain the features and advantages of the openflow project. These devices are used as a linux gateway to be an efficient firewall. This paper uses the NetFPGA card and the openflow network project designed by Stanford University to detect bots in a botnet. Assuming that normal users browse the web every day, we use an openflow switch to redirect bot traffic to a particular page that shows warning information. Then, through a network disconnection strategy, we try to let the user know the necessity and urgency.
Keywords (Chinese)
★ Openflow
★ Packet redirection
★ NetFPGA
★ Botnet
Keywords (English)
★ Botnet
★ Openflow
★ redirect
★ NetFPGA
Table of Contents
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation
1.3 Thesis Organization
Chapter 2 Related Work
2.1 Methods for Detecting Botnets
2.2 Using a Honey Pot to Obtain a List of Suspicious C&C
2.3 Detecting and Dismantling Botnets through Packet Analysis
2.4 Ethane
2.5 Openflow
Chapter 3 Problem Analysis and Countermeasures
3.1 Blocking the Bot Side of a Botnet
3.2 Differences between a linux Gateway and NetFPGA
3.3 How to Notify Users of Infection Information
3.4 Redirecting to the Notification Page
3.4.1 Redirection via DNS [8]
3.4.2 Using the DNS WPAD RECORD
3.4.3 Redirection via Transparent Proxy
3.5 Network Blocking Strategy after Infection
3.6 Determining that the User Has Removed the Infection
3.7 Summary
Chapter 4 System Design
4.1 Design Assumptions
4.1.1 Assumption that All Users Use the www Service
4.1.2 Assumption that a honeypot Trap System Collects Suspicious Addresses
4.2 Experimental Architecture
4.3 System Flow
4.4 Planning the Infection Blocking Strategy
4.5 Design of the Infection Notification Page
4.6 Planning the Determination of Disinfection
Chapter 5 System Experiments and Analysis
5.1 Experimental Environment
5.2 System Setup
5.3 Packet Filtering and Redirection
5.3.2 Recording Packet Information
5.3.3 Redirecting Packets from Specific Sources
5.3.4 Notifying Users of Infection Information
5.3.5 Redirecting and Recording Packets during the Infection Period
5.3.6 Blocking Packets from Specific Sources
5.4 Performance Analysis
5.5 Experimental Results and Discussion
Chapter 6 Conclusion and Future Work
References
References
[1] Chao Li, et al., "Botnet: Survey and Case Study", 2009 Fourth International Conference on Innovative Computing, Information and Control, Kaohsiung, Taiwan, pp. 1184-1187
[2] C. Kalt, "Internet Relay Chat: Architecture", RFC 2810, 2000
[3] http://www.openflowswitch.org/foswiki/bin/view/OpenFlow/Deployment/HOWTO/LabSetup
[4] https://uncia.cc.ncu.edu.tw/dormnet/
[5] Nick McKeown, et al., "Prototyping Fast, Simple, Secure Switches for Ethane", 15th IEEE Symposium on High-Performance Interconnects 2007, pp. 73-82
[6] Nick McKeown, et al., "Openflow: Enabling Innovation in Campus Networks", Openflow White Paper, March 14, 2008
[7] Nick McKeown, et al., "Implementing an OpenFlow Switch on the NetFPGA platform", ANCS '08, November 6–7, 2008, San Jose, CA, USA
[8] 郭廖軒, "A DNS-Based Pornographic Website Filtering System", Master's thesis, Department of Computer Science and Information Engineering, National Central University, 2003
[9] Paul Barford, et al., "An Inside Look at Botnets", Computer Sciences Department, University of Wisconsin, Madison, 2007
[10] Dae-il Jang, et al., "Analysis of HTTP2P Botnet: Case Study Waledac", Proceedings of the 2009 IEEE 9th Malaysia International Conference on Communications, 15-17 December 2009, Kuala Lumpur, Malaysia, pp. 409-412
[11] David Dagon, et al., "A Taxonomy of Botnet Structures", 23rd Annual Computer Security Applications Conference, pp. 325-339
[12] http://www.malwaredomains.com/
[13] Cliff C. Zou, et al., "Honeypot-Aware Advanced Botnet Construction and Maintenance", Proceedings of the 2006 International Conference on Dependable Systems and Networks (DSN'06), pp. 199-208
[14] Kazuya Kuwabara, et al., "Heuristics for Detecting Botnet Coordinated Attacks", 2010 International Conference on Availability, Reliability and Security, pp. 603-607
[15] Jose Nazario, et al., "As the Net Churns: Fast-Flux Botnet Observations", 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE) at the Hilton Alexandria Mark Center, Fairfax, Virginia, pp. 24-31
[16] Cliff C. Zou, Ryan Cunningham, "Honeypot-Aware Advanced Botnet Construction and Maintenance", 2006 International Conference on Dependable Systems and Networks, pp. 199-208
[17] OpenFlow Switch Specification Version 0.8.9 (Wire Protocol 0x97), December 2, 2008
[18] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon", In IMC'06, October 25–27, 2006, Rio de Janeiro, Brazil
[19] 陳天豪, "Detecting and Dismantling Botnets through Packet Analysis", Master's thesis, Department of Computer Science and Information Engineering, National Central University, 2009
[20] Trends for 2009, "Symantec Global Internet Security Threat Report" (Internet Security Threat Research Report), Published April 2010
Advisor: 曾黎明 (Li-Ming Tseng)
Approval date: 2010-8-24