Graduate student: 黃冠錡
Graduate student (English): Guan-Ci Huang
Thesis title: A Study on Detecting DDoS Attacks on Servers Using a Three-Tier Model
Thesis title (English): Detecting the Web Server from DDoS Attacks by Using Three-Tier Model
Advisor: 洪西進
Advisor (English): Shi-Jinn Horng
Degree: Master's
Institution: National Taiwan University of Science and Technology
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2006
Graduation academic year: 94
Language: English
Number of pages: 76
Chinese keywords: Denial of Service attack; Distributed Denial of Service attack; network security
English keywords: DDoS; Anomaly-Based Detection; Rule-Based Detection
Usage statistics:
  • Cited: 0
  • Views: 238
  • Downloads: 49
  • Saved to bookmark lists: 0
According to the 2005 FBI Computer Crime and Security Survey, the Distributed Denial of Service attack (DDoS) ranks second among network attacks. The attacker does not intrude into the targeted system itself; instead, through abnormal "actions", it exhausts the victim's system resources or degrades network performance. Over the history of DDoS attacks, many detection mechanisms have been developed for attacks that inject a sudden surge of traffic to bring down a host; however, the variable-frequency attack is one of the attack modes of the future.
This thesis proposes a three-layer detection mechanism to identify variable-frequency attacks. First, we analyze which fields in a packet can provide distinguishing features for detection. Features with similar characteristics are grouped into a detection layer according to their properties. Each layer precisely quantifies the server's normal behavior pattern, so that as soon as an attack appears, the abnormal behavior can be detected easily and immediately.
For the implementation environment, the university's web server served as the experimental target: four computers attacked the web server simultaneously so that the differences in packet fields before and after the attack could be observed. Performing immediate detection according to the characteristics of each layer achieves good results.
According to the FBI 2003 Computer Crime and Security Survey, the Distributed Denial of Service attack is the second most dangerous network attack in the world. The attacker uses abnormal activities to consume system resources or to degrade network performance instead of intruding into the system itself. Over the development of DDoS, detection mechanisms have been researched that can detect the abnormal activity when attackers use a large volume of packets to bring the system down. However, the changeable-frequency mode will be the tendency in the future.
In this paper, we propose a three-layer detection mechanism that can look for the changeable-frequency attack mode. First, we analyze which fields in the packet may serve as our features. After analysis, similar features are grouped into layers, each of which quantifies the normal service behavior precisely according to the features' characteristics. It is easy and immediate to detect the abnormal behavior when attacks occur.
We implement our proposed mechanism on NTUST's Web server. We attack the Web server in practice to observe the difference from beginning to end, and our proposed mechanism reaches a higher performance.
Table of Contents

Chapter 1 Introduction 1

1.1. Background 1
1.2. Objective 1
1.3. Synopsis 2

Chapter 2 Distributed Denial of Service Attack 3

2.1 Denial of Service and Distributed Denial of Service Attack 3
2.1.1 Denial of Service Attack 3
2.1.2 Distributed Denial of Service Attack 4
2.2 Common Tactics of DDoS Attack 6
2.2.1. Trin00 6
2.2.2. TFN(Tribe Flood Network) 8
2.2.3. TFN2K 11
2.2.4. Stacheldraht 12
2.2.5. Land 13
2.2.6. TearDrop 13
2.2.7. Winnuke 15
2.2.8. Mstream 15
2.2.9. TCP SYN Flood 16
2.2.10. ICMP Flood 20
2.2.11. Ping of Death 20
2.2.12. Smurf 21
2.2.13. Trinity V3 22
2.2.14. DRDoS 22
2.3 Summarization of DDoS Attack 23

Chapter 3 Our proposed algorithms 25

3.1. Our System Architecture 25
3.1.1 Rule-Based Detection 27
3.1.2 Anomaly-Based Detection 28
3.1.3 Network Trace Data Collection 30

3.2. Entropy-Based Flow 32
3.2.1 Concept of the Entropy 32
3.2.2 Application of the Entropy-Based Flow 33
3.2.3 The Anomaly Table for the Entropy-Based Flow 36
3.3. KNN-Based Port Numbers 43
3.3.1 Concept of the K-Nearest Neighbor classifier 44
3.3.2 Application of the KNN-Based Port Numbers 46
3.3.3 Performance Metrics 53
3.4. Statistic-Based Control Flags 54
3.4.1 Application of the Statistics-Based Port Numbers 55
3.4.2 The Anomaly Table for the Control Flags 57
3.5. Performance Metrics 65

Chapter 4 Conclusion and Future Research 73

4.1. Conclusion 73
4.2 Future Research 73

References 74
[1] L. A. Gordon, M. P. Loeb, W. Lucyshyn, and R. Richardson, "2004 CSI/FBI Computer Crime and Security Survey," available at www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml, 2004.

[2] L. Garber, "Denial-of-Service Attacks Rip the Internet," Computer, vol. 33, no. 4, pp. 12-17, Apr. 2000.

[3] J. Howard, "An Analysis of Security Incidents on the Internet," PhD thesis, Carnegie Mellon Univ., Aug 1998.

[4] D. Dittrich, "The 'Stacheldraht' Distributed Denial of Service Attack Tool," http://staff.washington.edu/dittrich/misc/stacheldraht.analysis, 1999.

[5] CERT, "TCP SYN Flooding and IP Spoofing Attacks," Advisory CA-96-21, Sept. 1996. URL: http://www.cert.org/advisories/CA-1996-21.html

[6] C. Schuba et al., "Analysis of a Denial of Service Attack on TCP," Proc. 1997 IEEE Symp. Security and Privacy, 1997.

[7] J. Jung, B. Krishnamurthy, M. Rabinovich. Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites. The Eleventh International World Wide Web Conference, Honolulu, Hawaii, May 2002.

[8] S. Gibson, "The Strange Tale of the Denial of Service Attacks against GRC.COM," http://grc.com/dos/grcdos.htm, 2002.

[9] CERT Research, "2004 Annual Report," available at www.cert.org/archive/pdf/cert_rsrch_annual_rpt_2004.pdf

[10] B. A. Forouzan. TCP/IP Protocol Suite, Second Edition. McGraw Hill, 2003.

[11] E. T. Jaynes, “Information theory and statistical mechanics,” Phys. Rev., vol. 106, pp. 620–630, 1957.

[12] G. J. Chaitin, "Information-theoretic Limitations of Formal Systems," J. ACM, vol. 21, p. 403, 1974.

[13] G. Markowsky: Introduction to algorithmic information theory. J. Universal Computer Science 2(5): pp. 245-269, 1996.

[14] C.E. Shannon, and W. Weaver, The Mathematical Theory of Communication, University of Illinois Press, 1963.

[15] L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred, “Statistical Approaches to DDoS Attack Detection and Response,” to appear in Proc. of DISCEX III, April 2003.

[16] D. W. Aha, D. Kibler, and M. K. Albert, "Instance-based learning," Artificial Intelligence, vol. 29, pp. 241-288, 1986.

[17] J. Han and M. Kamber, Data Mining: Concepts and Techniques. San Diego: Academic Press, 2001.

[18] T. M. Cover and P. E. Hart, "Nearest Neighbor Pattern Classification," IEEE Trans. Information Theory, vol. 13, pp. 21-27, Jan. 1968.

[19] F. Aurenhammer. Voronoi diagrams: a survey of a fundamental geometric data structure. ACM Comput. Surv., 23:345–405, 1991.

[20] S. Jin and D. Yeung, "A covariance analysis model for DDoS attack detection," IEEE International Conference on Communications (ICC 2004), Paris, France, 20-24 June 2004.

[21] D. C. Montgomery, Introduction to Statistical Quality Control: John Wiley and Sons, 1997.

[22] D. Marchette, "A Statistical Method for Profiling Network Traffic," the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Apr. 1999

[23] T. P. Ryan, Statistical Methods for Quality Improvement. John Wiley and Sons, 1989.

[24] J. F. MacGregor and T. J. Harris, “The exponentially weighted moving variance,” J. Qual. Technol., vol. 25, no. 1, pp. 106–118, 1993.

[25] J. S. Hunter, “The exponentially weighted moving average,” J. Qual. Technol., vol. 18, pp. 203–209, 1986.

[26] S. W. Roberts, "Control chart tests based on geometric moving averages," Technometrics, vol. 1, pp. 239-251, 1959.

[27] T. P. Ryan, Statistical Methods for Quality Improvement. John Wiley and Sons, 1989.

[28] B. A. Forouzan. TCP/IP Protocol Suite, Second Edition. McGraw Hill, 2003.

[29] I. Yoo, "Protocol anomaly detection and verification," Information Assurance Workshop, 2004. Proceedings from the Fifth Annual IEEE SMC, pp. 74-81. June 2004.

[30] C. Manikopoulos, S. Papavassiliou. Network Intrusion and Fault Detection: A Statistical Anomaly Approach. IEEE Communications Magazine, October 2002.