National Digital Library of Theses and Dissertations in Taiwan

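Graduate student: 吳宥徵
Graduate student (English): Yo-Cheng Wu
Thesis title: 分散式阻斷服務攻擊防禦系統之設計
Thesis title (English): Designing A Protection System against DDoS Attacks
Advisor: 涂世雄
Advisor (English): Shih-Hsiung Twu
Degree: Master's
Institution: Chung Yuan Christian University
Department: Graduate Institute of Electrical Engineering
Discipline: Engineering
Sub-discipline: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2009
Academic year of graduation: 97
Language: English
Number of pages: 44
Keywords (Chinese): 分散式阻斷服務
Keywords (English): DDoS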
Statistics:
  • Cited by: 0
  • Views: 570
  • Downloads: 0
  • Bookmarked: 0
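Abstract (translated from the Chinese)

  In this thesis we propose a new protection system to prevent servers from suffering distributed denial-of-service attacks. It improves the accuracy of identifying malicious attacks and effectively improves network quality.
  In the first step, we propose a system architecture that combines a monitoring system with routing redirection; this mechanism effectively diverts malicious packets to protect the server. Because the packets of a distributed denial-of-service attack follow regular patterns, we can block most malicious packets according to these characteristics. In addition, suspected IP addresses are given a graphical identification test, so that a double line of defense minimizes the damage from distributed denial-of-service attacks.
  In the second step, during normal operation we build a database of IP address lists, which is used to identify legitimate users when an attack occurs, so that users can use the service normally without interference.
  The contributions of this thesis are as follows:
  (1) Our system can effectively identify malicious packets and improve the error-rate problem.
  (2) By building the list, the time spent on re-analysis is reduced and interference with users is avoided.
  We believe these mechanisms can greatly reduce the damage from DDoS attacks, and the results of this thesis will help future research on defending against distributed denial of service.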
Abstract

  In this thesis, we propose a new protection system that can effectively resist distributed denial-of-service (DDoS) attacks. It improves the accuracy of judging malicious attacks and effectively improves network quality.
  In the first step, we propose combining detection with routing redirection to resist DDoS attacks. This method can effectively channel the malicious packets away. Because DDoS packets have characteristic features, the monitor side can use them as a reference to block most of the malicious packets. In addition, we use a double line of defense to minimize the damage. In the second step, we establish a list of IP addresses in peacetime to identify legitimate users. When an attack occurs, the list is used to recognize normal users and avoid interfering with their use of services.
  The contributions of this work are as follows.
  (1) In our system, we can effectively judge malicious packets to lower the error rates.
  (2) The list-based method can reduce the time spent on re-analysis and avoid interference with the users.
  We believe these mechanisms can significantly reduce attack volume. The results of this thesis will be very helpful to future research in the area of DDoS defense.
Contents
Chinese Abstract
English Abstract
Acknowledgment
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Background
1.2 Objective
1.3 Organization of This Thesis

Chapter 2 Background of Distributed Denial-of-Service Attacks
2.1 Distributed Denial-of-Service
2.1.1 Denial of Service Attack
2.1.2 Distributed Denial-of-Service Attack
2.2 Classification of Distributed Denial-of-Service
2.2.1 Trin00
2.2.2 TFN
2.2.3 TFN2k
2.2.4 Stacheldraht
2.2.5 Mstream
2.2.6 TCP SYN Flood
2.2.7 ICMP Flood
2.2.8 Smurf
2.2.9 DRDoS
2.3 Existing Strategies of Defense
2.3.1 Traceback
2.3.2 Pushback
2.3.3 Overlay Network

Chapter 3 The Proposed System
3.1 The Structure of System
3.2 Process of System
3.3 The Performance of Our Defenses system

Chapter 4 Conclusions and Future Works
References



List of Figures
Figure 1.1 DDoS attack structure
Figure 2.1 Category of DDoS attack
Figure 2.2 Mstream working flow
Figure 2.3 SYN Flood Attack
Figure 2.4 The normal operation for ICMP
Figure 2.5 The operation for Smurf
Figure 2.6 DRDoS working concept
Figure 2.7 Pushback method
Figure 2.8 Pushback method
Figure 2.9 Overlay Network method
Figure 3.1 System Architecture
Figure 3.2 General situation
Figure 3.3 Attack situation
Figure 3.4 Monitor-side
Figure 3.5 Graphical Identification
Figure 3.6 Process of System



List of Tables
Table 3.1 A comparison sheet