National Digital Library of Theses and Dissertations in Taiwan

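Graduate student: Chia-Chun Lien (連嘉俊)
Thesis title: Tracers Deployment of Nodes-Aware Protection Areas against DDoS Attacks (original title: 以節點感知保護區域防禦DDoS攻擊之追蹤器布署)
Advisor: Chun-Hsin Wang (王俊鑫)
Degree: Master's
Institution: Chung Hua University (中華大學)
Department: Department of Computer Science and Information Engineering, Master's Program
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2014
Graduation academic year: 102
Language: Chinese
Number of pages: 86
Keywords: Distributed Denial of Service (DDoS) attack; tracers; protection area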
Network security problems have emerged continually in recent years. One of the most serious is the Distributed Denial of Service (DDoS) attack, which occupies a target host's resources or network bandwidth so that the host cannot serve its legitimate users and is effectively paralyzed. To solve the problems caused by DDoS efficiently, traditional routers have to be enhanced with additional capabilities, such as tracing attack origins or filtering malicious packets. We refer to these enhanced routers as tracers. Given the deployment cost, it is very hard in practice to upgrade all routers in a real network to tracers in the short term. Tracer deployment therefore becomes the key to the performance of DDoS defense.
In previous work, the network is partitioned into many protection areas, the diameter of each limited to an assigned number of hops, and tracers are deployed around the protection areas. Although this deployment guarantees that a packet is traceable when its path is longer than or equal to the diameter of the protection area, the cost of searching for attack origins inside a protection area cannot be controlled, because a protection area may contain too many nodes.
In this thesis, we first try to reduce tracer density compared with the previous work, and then propose a new node-aware tracer deployment that limits the number of nodes in a protection area. The simulation results show that tracer density can be improved in small networks and that node-aware tracer deployment can control the cost of searching for attack origins.
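Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1. Introduction
1.1 Background
1.2 Research Motivation
1.3 Research Contributions
1.4 Thesis Organization
Chapter 2. Related Work
2.1 Traffic Monitoring
2.2 Packet Marking
2.3 Packet Logging
2.4 Hybrid Scheme
2.5 Deployment
Chapter 3. Proposed Methods
3.1 Method Overview
3.2 Notation and Basic Definitions
3.3 Deployment Algorithms Considering Minimum Node Degree
3.3.1 Starting from the Node with Minimum Degree
3.3.2 Starting from the Node with Minimum Eccentricity
3.4 Deployment Algorithms Considering the Clustering Coefficient
3.4.1 Starting from the Node with Minimum Degree
3.4.2 Starting from the Node with Minimum Eccentricity
3.4.3 Choosing the Starting Node by the Diameter of the Current Working Graph
3.4.4 Choosing the Starting Node by Comparing Minimum Node Degree and Minimum Eccentricity
3.5 Deployment Algorithms That Control the Number of Nodes in an Area
3.5.1 Deployment with a Strict Upper Limit on the Number of Nodes per Area
3.5.2 Deployment with a Flexible Upper Limit on the Number of Nodes per Area
Chapter 4. Simulation Experiments
4.1 Simulation Tools and Parameter Settings
4.2 Measurement Methods
4.3 Simulation Results
4.3.1 Experiment 1: Comparing the Tracer Density of Each Method
4.3.2 Experiment 2: Tracer Density
4.3.3 Experiment 3: Effect of Limiting the Number of Nodes in an Area (Non-Restrict N & Restrict N)
4.3.4 Experiment 4: Strict and Flexible Limits on the Number of Nodes (Strict N & Flex N)
4.3.5 Experiment 5: The Cost of Tracer
4.3.6 Experiment 6: Performance
4.3.6.1 Undetected Ratio
4.3.6.2 Searching Cost
4.3.6.3 Saving Cost
4.3.6.4 Survival Malicious Traffic Ratio
Chapter 5. Conclusion
References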