Name |
姚昭宇 (Chao-Yu Yao) |
Department |
In-service Master's Program, Department of Communication Engineering |
Thesis title |
Deploying a VPP Application Firewall in a Containerized Environment Using DPDK Technology
|
Files |
Browse the thesis in the system (open after 2029-6-30)
|
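Abstract (Chinese) |
In recent years, with the rapid growth of the Internet, the range of network services on offer has kept expanding, and people's lives and work have become inseparably tied to the network. This convenience, however, also brings severe security challenges. In particular, the threats of application-layer attacks and distributed denial-of-service (DDoS) attacks are increasingly prominent, posing a serious threat to the privacy and data security of enterprises and users.
Application-layer attacks target network application-layer protocols and usually exploit vulnerabilities in applications; attackers may use these vulnerabilities to steal sensitive information, disrupt system operation, or even take control of systems to carry out malicious operations. DDoS attacks aim to paralyze normally operating services so that legitimate users cannot access them, causing great losses.
To address these threats, this thesis proposes an application firewall based on containerization and DPDK technology. Containerization enables rapid deployment and lightweight operation, while DPDK improves packet-processing efficiency. Combining these characteristics gives the application firewall system strong defensive capability: while improving performance by five percent compared with native Linux, it also effectively protects network application services from the threat of application-layer attacks. |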
Abstract (English) |
In recent years, with the rapid development of the Internet, the range of various online services has been continuously expanding, making people's lives and work inseparably connected to the network. However, this convenience also brings severe security challenges. Particularly, the threats of application layer attacks and Distributed Denial of Service (DDoS) attacks are becoming increasingly prominent, posing significant risks to the data security and privacy of enterprises and users.
Application layer attacks target network application layer protocols, often exploiting vulnerabilities in applications. Attackers may use these vulnerabilities to steal sensitive information, disrupt system operations, or even control systems for malicious purposes. DDoS attacks aim to paralyze normally functioning services, denying legitimate users access to them, resulting in substantial losses.
To solve these problems, this paper proposes an application firewall based on containerization and DPDK technology. Containerization technology enables rapid deployment and lightweight operation, while DPDK technology enhances packet processing efficiency. Combining these features, the proposed application firewall system significantly strengthens defensive capabilities, achieving a 5% performance improvement compared to native Linux, and effectively protects network application services from application layer attack threats. |
Keywords (Chinese) |
★ Application firewall ★ Containerization ★ DPDK ★ Web application attacks |
Keywords (English) |
★ WAF ★ Containerization ★ DPDK ★ Application Attack |
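Table of contents |
Contents
Chinese Abstract
ABSTRACT
Acknowledgements
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Research Motivation
1-2 Research Objectives
1-3 DDoS (Distributed Denial-of-Service attack)
1-4 Application-Layer Attacks
1-5 Web Application Firewall
Chapter 2 Background
2-1 DPDK
2-2 VPP
2-3 Docker
2-4 ModSecurity
Chapter 3 Related Work
3-1 Improving the Deployment Architecture
3-2 Hardware Acceleration
Chapter 4 System Design and Development
4-1 System Overview
4-2 System Components
4-3 System Operation
4-3-1 VDC-Accelerator
4-3-2 VDC-Filter
4-3-3 Module Collaboration
Chapter 5 Experimental Results and Analysis
5-1 Experimental Environment
5-1-1 Wrk
5-1-2 OWASP ZAP (Zed Attack Proxy)
5-2 Effectiveness Verification
5-2-1 CLI Verify
5-2-2 OWASP ZAP
5-3 Performance Analysis
Chapter 6 Discussion
6-1 Integration with Kubernetes
Chapter 7 Conclusion
References |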
Advisors |
許富皓
陳彥文
|
Review date |
2024-7-17 |