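Graduate student: 劉博瑋
Graduate student (romanized): Pow-Wei Liu
Thesis title: 使用入侵偵測系統與流量控制模組減緩分散式阻斷服務攻擊
Thesis title (English): Using Intrusion Detection System and Traffic Control for DDoS Attack Mitigation
Advisor: 劉宗杰
Advisor (romanized): Tzong-Jye Liu
Degree: Master's
Institution: Feng Chia University (逢甲大學)
Department: Information Engineering (資訊工程所)
Field of study: Engineering
Discipline: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2006
Academic year of graduation: 94
Language: Chinese
Number of pages: 65
Keywords (Chinese): intrusion detection system; traffic control mechanism; distributed denial of service attack
Keywords (English): Distributed denial of service attack; intrusion detection system; traffic control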
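Denial of service broadly refers to an attacker's attempt to paralyze a service so that ordinary users cannot access or use it. Distributed denial of service has become a major threat to network security in recent years.
Because no current intrusion detection system can guarantee 100% correct detection of all attack behavior, some normal packets are also mistaken by the intrusion detection system for attack packets, and the firewall is notified to block them outside the enterprise network. In this thesis we therefore propose a system architecture that combines two techniques, intrusion detection and network traffic control, to reduce the impact of intrusion detection system misjudgments.
In the proposed system, the traffic control module uses traffic control techniques to divide the traffic flowing into the enterprise internal network into two virtual data flows: a normal data flow and a malicious data flow. If a packet is judged by the intrusion detection module to carry the characteristics of a denial-of-service attack, that module notifies the traffic control module to direct the data flow to which the packet belongs into the malicious data flow's virtual channel. Because the bandwidth of the malicious data flow's virtual channel is controlled by the system, the proposed system controls the bandwidth of this virtual channel so that normal network bandwidth and server resources are not paralyzed by denial-of-service or distributed denial-of-service attacks.
In this thesis we run simulation experiments with NS-2 to establish the parameters the system requires, and then build a network environment to verify the system's results.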
Denial of Service (DoS) refers to the malicious paralyzing of a network service so that normal users can no longer access or use it. Distributed Denial of Service (DDoS) attacks have become a major threat to network security.
Current intrusion detection systems cannot guarantee perfect detection, and normal packets may be misjudged as malicious packets. Therefore, in this paper, by combining intrusion detection with network traffic control, we have designed and implemented a defensive system that minimizes the effects caused by false positives.
In the proposed system, traffic flowing into the enterprise intranet is divided by the traffic control module into two virtual data flows: a normal data flow and a malicious data flow. When a packet is judged by the intrusion detection module to have a DoS attack feature, the traffic control module is notified to redirect the data flow of that packet into the malicious virtual data flow. Since the malicious virtual data flow is controlled by the system, the proposed architecture administers the bandwidth of this virtual channel so that the normal data flow channel can work unaffected and system resources are not consumed by DoS or DDoS attacks.
The simulation of our system is done using NS-2. The experimental results show that the proposed system indeed lowers the effects of false positives.
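Acknowledgements
Chinese Abstract
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Background and Motivation
1.2 Thesis Organization
Chapter 2 Literature Review
2.1 Background
2.2 Classification of DDoS Defense Mechanisms
2.3 Existing Defense Mechanisms
Chapter 3 System Architecture
3.1 System Architecture
3.2 Intrusion Detection Module
3.3 Intrusion Response Module
3.4 System Flow
3.5 System Implementation
3.6 Discussion
Chapter 4 Experimental Analysis
4.1 Experiment 1: Testing with the tfn2k DDoS attack program
4.2 Experiment 2: Testing with the Stacheldraht attack program
4.3 Evaluation, Analysis and Discussion
Chapter 5 Conclusions and Future Research Directions
5.1 Conclusions
5.2 Future Work
References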