National Digital Library of Theses and Dissertations in Taiwan
Author: 王凱平
Author (English): Kai-Ping Wang
Title: 以主動式網路抵禦DDoS攻擊
Title (English): Active Defense against DDoS Attacks
Advisor: 周立德
Advisor (English): Li-Der Chou
Degree: Master
Institution: National Central University
Department: Institute of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Year of publication: 2004
Academic year of graduation: 92 (ROC calendar)
Language: Chinese
Pages: 93
Keywords (Chinese, translated): distributed denial-of-service attack; active network; Active Network DDoS Defense System; ANTS
Keywords (English): DDoS; Active Network; ADDS; ANTS
Abstract (Chinese, translated):
In recent years, incidents of distributed denial-of-service (DDoS) attacks have occurred one after another, and these attacks share some common features: they exploit security vulnerabilities in certain systems, and the attacker then intrudes into users' systems and manipulates them into stepping stones for the attack, paralysing the network.
While a DDoS attack is spreading, if the health status (physical condition) of each node in the network can be confirmed quickly and the corresponding mechanisms started, the attack area created by the attacker can be isolated and shrunk. This thesis uses the advantage of Active Networks, the rapid dissemination of policies, to probe each node in the network step by step, first dividing the whole network into three areas: the safe area, the uncertain area, and the attacked area. Next, active network packets are used to carry an antidote "vaccine" for the specific attack and patch the security vulnerabilities of each node in the uncertain area. Finally, the whole network topology can be clearly divided into the safe area and the attacked area, achieving the goal of blocking the attack.
The system planned in this thesis, the Active DDoS Defense System (ADDS), uses the active network as the transmission medium for vaccines and uses the Active Network Transfer System (ANTS) as the active network execution environment (EE). Users can place customised programs in capsules for transmission without having to build an additional transport protocol, achieving the goal of a programmable network.
According to the simulation data in Chapter 4 of this thesis, compared with having no defense mechanism, using ADDS increases network survival time by 232% and reduces average CPU utilisation during attacks (CPU utilization wasted by undetected attacks) by 33.55%; on the other hand, 9.98% of legitimate packets are misjudged as attack packets (legal traffic dropped rate).
Abstract (English):
Incidents of DDoS attacks have grown rapidly in recent years, and these attacks share some common features: if users do not repair security vulnerabilities as soon as possible, attackers exploit the vulnerabilities of certain systems to carry out attacks, invading users' systems and turning them into zombies of the attacker. This paralyses the network so that it can no longer provide service.
If the network can confirm the physical condition of each node and start cleaning mechanisms when a DDoS attack begins to spread, it can isolate and shrink the attacker's area of influence. This thesis uses the advantage of Active Networks, fast policy distribution, to detect every node gradually. The whole network is divided into three areas: the safe area, the uncertain area and the attacked area. Active Network packets then carry the antidote for the particular attack and repair the security vulnerability of each network node. Finally, the whole network topology can be divided into a safe area and an attacked area, restraining DDoS attacks.
This thesis proposes the Active DDoS Defense System (ADDS), which uses the Active Network Transfer System (ANTS) as its execution environment (EE). ANTS is a popular EE that uses capsules to transport user programs. Simulation results show that ADDS increases network survival time by 224% and, while attacks occur, reduces the CPU rate wasted by undetected attacks by 34.58%. However, ADDS also increases the legal traffic dropped rate by 8.12%.
Table of contents:
Chapter 1 Introduction (p. 1)
1.1 Network Security (p. 1)
1.2 Active Networks (p. 2)
1.3 Research Objectives (p. 9)
1.4 Thesis Organization (p. 10)
Chapter 2 Background and Related Work (p. 11)
2.1 DDoS Attacks (p. 11)
2.2 Related Work on DDoS Defense (p. 16)
Chapter 3 ADDS System Design (p. 25)
3.1 ADDS Modules (p. 26)
3.2 ADDS Network Architecture (p. 34)
3.3 ADDS System Flow (p. 38)
3.4 System Comparison (p. 44)
Chapter 4 System Simulation (p. 48)
4.1 Simulation Environment (p. 48)
4.2 Simulation Results and Discussion (p. 54)
4.2.1 Comparison of Different Average Attack Rates (p. 54)
4.2.2 Comparison of Different Attack-Packet Filtering Durations (p. 61)
4.2.3 Comparison of Different Attack-Packet Filtering Intervals (p. 66)
4.2.4 Comparison of Different CPU Thresholds and Attack Spreading Probabilities (p. 70)
Chapter 5 Conclusions and Future Work (p. 75)
References (p. 78)
Glossary (Chinese-English term table) (p. 82)