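Graduate student: Tzu-Chieh Lin (林子傑)
Thesis title: A New DDoS Attack Traceback and Mitigation Scheme based on Network Performance Monitoring (original Chinese title: 基於監控網路效能所提出之追蹤與緩和分散式阻斷服務攻擊的新方法)
Advisor: Yau-Hwang Kuo (郭耀煌)
Degree: Master's
Institution: National Cheng Kung University
Department: Department of Computer Science and Information Engineering (master's and doctoral program)
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Year of publication: 2004
Academic year of graduation: 92
Language: English
Number of pages: 79
Keywords (translated from Chinese): network performance measurement; rate-control mechanism; Network Simulator 2; IP traceback; distributed denial-of-service attack
Keywords (English): IP Traceback; Rate-Control; NS-2; DDoS; Network Performance Measurement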
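  Distributed denial-of-service attacks are among the most serious security problems on today's networks. The attacker tries to exhaust the victim's system resources or degrade network performance so that the victim cannot provide service.

  In this thesis, we propose a complete countermeasure framework, which has two parts: a network performance monitoring mechanism and a rate-control mechanism.

  A distributed denial-of-service attack injects a large number of packets into the network, which may change the network's characteristics, so we can detect the presence of such an attack by monitoring network performance (delay and packet loss). First, our system monitors the delay of user connections in the network. Next, for connections whose delay exceeds a preset threshold, it collects packet-loss information and uses it to find the most likely point where legitimate and attack packets converge. It then traces back from this point to the farthest router that perceives the anomaly and activates the rate-control mechanism to mitigate the attack's impact. The core routers in our architecture use less memory to collect user connection information. We also built a simulated network with Network Simulator 2 (NS-2), and the simulation results show that the attack's impact is mitigated.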
  Distributed Denial of Service (DDoS) attacks are one of the most serious security problems on the Internet. They try to exhaust the resources of the victim system and degrade network performance, which causes the victim system to fail to provide services.

  In this thesis, we propose a complete countermeasure framework. There are two phases in the proposed framework: a network performance monitoring mechanism and a rate-control mechanism.

  DDoS attacks inject a great deal of packets into the network, and this may change the network's characteristics. Therefore, we detect the existence of DDoS attacks and deduce the attack behavior by monitoring network performance (delay, loss). First, our system monitors the delay of all flows in the network. Afterward, we collect the loss information of flows whose delay exceeds the pre-defined threshold to find the possible convergence nodes of legitimate and illegitimate traffic. Then a traceback process is started from the possible convergence nodes to the farthest routers that are aware of the abnormalities, and a rate-control mechanism is enforced to mitigate the influence. The core routers in our architecture consume less memory in gathering flow information. We also use the network simulator 2 (NS-2) to set up the simulation networks, and the simulation results show that the influence of attacks is mitigated.
Chapter 1 - Introduction
 1.1 - Motivation and Goal
 1.2 - Organization of the Thesis

Chapter 2 - Related Works
 2.1 - A Brief of DDoS Attacks
 2.2 - The Detection Schemes of DDoS Attacks
  2.2.1 - Logging
  2.2.2 - ICMP Traceback
  2.2.3 - Packet Marking
 2.3 - Prevention Schemes
  2.3.1 - Ingress Filtering
  2.3.2 - Route-based Filtering
 2.4 - Present Network Monitoring Schemes
  2.4.1 - Simple Network Management Protocol (SNMP)
  2.4.2 - NetFlow
  2.4.3 - IP Performance Metrics (IPPM)
  2.4.4 - Core-assisted and Edge-based Monitoring

Chapter 3 - A New Scheme of DDoS Attacks Traceback and Mitigation
 3.1 - System Overview
 3.2 - Network Performance Measurements
  3.2.1 - Delay Measurements
  3.2.2 - Loss Measurements
  3.2.3 - Packet Arrival Rate Measurements
 3.3 - The Traceback Process of DDoS Attacks
  3.3.1 - Traffic Convergence Nodes Determination
  3.3.2 - Traceback from Traffic Convergence Nodes
 3.4 - Mitigation Scheme
  3.4.1 - Observing the Distribution of Detected Source IP Addresses
  3.4.2 - Rate-control Mechanism to Mitigate the DDoS Traffic

Chapter 4 - Simulation and Evaluation
 4.1 - Simulation Design
  4.1.1 - Simulation Topology
  4.1.2 - Simulation Scenario
 4.2 - Performance Evaluation
  4.2.1 - Phase I: Delay Measurements
  4.2.2 - Phase II: Loss Measurements
  4.2.3 - Phase III: Traffic Convergence Nodes Determination and Retrieving Their Host Information
  4.2.4 - Phase IV: Traceback from Traffic Convergence Nodes
  4.2.5 - Phase V: Mitigation Scheme
 4.3 - The Experiment for the Observing the Distribution of Source IP Addresses

Chapter 5 - Conclusions and Future Works
 5.1 - Conclusions
 5.2 - Future Works

References
Biography