National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

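Graduate student: Shoa-Hua Lin (林紹驊)
Thesis title: Heterogeneous Tracers Deployment against DDoS Attack (防禦DDoS攻擊之異質性追蹤器布署)
Advisor: Chun-Hsin Wang (王俊鑫)
Degree: Master's
Institution: Chung Hua University (中華大學)
Department: Master's Program, Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2014
Graduation academic year: 102
Language: Chinese
Number of pages: 81
Keywords (translated from Chinese): Tracers; Protection areas; Distributed denial-of-service attack
Keywords (English): Tracers; Protection areas; DDoS
Usage counts:
  • Cited by: 2
  • Views: 344
  • Downloads: 73
  • Saved to bibliography lists: 0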
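To mitigate DoS/DDoS attacks effectively, we enhance traditional routers so that they can trace attack sources and filter abnormal packets in real time. In previous work, we called these routers with different capabilities tracers and divided them into three types: tunneling tracers, marking tracers, and filtering tracers. A tunneling tracer can easily forward packets to the other two types of tracers to raise the probability that packets are marked or that attack packets are filtered. However, when tracers are deployed randomly, neither the attack-packet filtering results nor the overhead introduced by forwarding packets is satisfactory.
In this thesis, we study how to deploy heterogeneous tracers to improve on the previous work. Basically, we partition the network into several protection areas, the diameter of each of which can be bounded by a certain number of packet forwarding hops. Tunneling tracers are then deployed on the periphery of these protection areas, while the other tracers are deployed at the core and on the periphery of the protection areas according to the Core Deployment and Surround Deployment methods proposed in this thesis, respectively. The simulation results show that, in large network topologies, the proposed Core Deployment method improves performance by 31% compared with a network with no tracers deployed, and by 11% more than random deployment; the proposed Surround Deployment method improves performance by 42% compared with a network with no tracers deployed, and by 20% more than random deployment.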

To mitigate DoS/DDoS attacks efficiently, traditional routers are enhanced with different capabilities for tracing attack origins and filtering abnormal packets in time. In previous work, the enhanced routers are referred to as tracers and classified into three categories, namely tunneling-enabled tracers, marking-enabled tracers and filtering-enabled tracers. The tunneling-enabled tracers can easily reroute packets to the other two kinds of tracers, which increases the probability of marking and filtering attack packets. In an environment of random tracer deployment, the performance of filtering abnormal packets is not good enough compared to the optimal situation, and the overhead of rerouting packets is not ideal.
In this thesis, we focus on the heterogeneous tracers deployment problem to improve on the previous work. Basically, the network topology is divided into many protection areas, the diameter of each of which is limited to a number of hop counts. The tunneling-enabled tracers are deployed on the surrounds of protection areas. Two methods, namely “Core Deployment” and “Surround Deployment”, are proposed to deploy the other tracers on the cores and surrounds of protection areas respectively. The simulation results show that core deployment performs 31% better than no tracer deployment and 11% better than random deployment in large-scale networks. Surround deployment performs 42% better than no tracer deployment and 20% better than random deployment in large-scale networks.

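Abstract (Chinese)
Abstract
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1. Introduction
1.1 Background
1.2 Research Motivation
1.3 Research Contributions
1.4 Thesis Organization
Chapter 2. Related Work
2.1 Packet Logging
2.2 Packet Marking
2.3 Hybrid
2.4 Filter
2.5 Tunneling Protocol
Chapter 3. Proposed Methods
3.1 Method Overview
3.2 Tunneling Methods
3.2.1 Static Probabilistic Tunneling
3.2.2 Dynamic Probabilistic Tunneling
3.2.3 Consider-Distance Tunneling
3.2.4 Marking Assistance
3.3 Marking Method
3.4 Deployment Methods
3.4.1 Core Deployment
3.4.2 Surround Deployment
Chapter 4. Simulation Results
4.1 Simulation Tools
4.2 Simulation Discussion and Parameter Settings
4.3 Simulation Results
4.3.1 Simulation 1: Static Probabilistic Tunneling
4.3.2 Simulation 2: Dynamic Probabilistic Tunneling
4.3.3 Simulation 3: Consider-Distance Tunneling with Static Probability
4.3.4 Simulation 4: Consider-Distance Tunneling with Dynamic Probability
4.3.5 Simulation 5: Marking Assistance with Static Probability
4.3.6 Simulation 6: Marking Assistance with Dynamic Probability
4.3.7 Simulation 7: Marking Assistance with Consider-Distance Tunneling
4.3.8 Simulation 8: Tracing Cost
4.4 Summary of Simulation Results
Chapter 5. Avoiding Tunneling Loops
5.1 Possibility of Tunneling Loops
5.2 The Problem of Repeated Marking or Repeated Tunneling to Filtering Tracers
5.3 Security of Marking
Chapter 6. Conclusion
References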
