臺灣博碩士論文加值系統

低速分散式阻斷服務攻擊是一種具有隱蔽地攻擊性的網際網路攻擊手法。其中一種又稱之為脈衝分散式阻斷服務攻擊,這種攻擊的原理為利用 TCP 擁塞控制的弱點,只需要傳輸少於傳統的洪水型分散式阻斷服務攻擊的惡意流量,就能達到攻擊合法的 TCP 流量。它可以透過大量卻只維持短暫時間的流量來使目標網路暫時性地被中斷,導致合法的使用者發生封包遺失而無法順暢地連接。這種狡猾地攻擊難以被現今的防禦機制偵測。

本論文方法使用漸進式分群來處理網路流量,因為其資料形式為封包依序進入。透過漸進式分群我們可以對各個使用者做分群依據擁塞時所傳送的行為。透過布隆過濾器 (Bloom Filter) 我們可以有效率地儲存在分群時所需要的資料。在分群之後,我們可以依群組做排序並動態地計算出閥值。透過閥值,可以增加小流量的 TCP 使用者通過的機會同時處理惡意的流量透過阻擋具有大流量的使用者。

The Low-rate Distributed Denial-of-Service (LDDoS) attack is a network attack technique which can be harmful but stealthy. One type of the LDDoS attack, called pulsing DDoS attack, leverages the adaptive nature of the TCP congestion control mechanism. Pulsing DDoS attacks can suppress legitimate
TCP traffic by sending fewer packets than traditional flooding DDoS attack. With a short period burst traffic, the pulsing DDoS attack aims to interrupt the target network temporarily and thus packet drop occurs, which makes the users unable to access the network. This kind of attack is crafty and hard to be detected efficiently by existing defensive approaches.

In this thesis, we propose an efficient LDDoS defense mechanism using incremental clustering. Instead of keeping per-flow state, which is too heavy-weight for core routers, we classify flows according to the amount of traffic they sent during the congestion periods. Groups with larger flows get a lower priority and will be blocked ealier during congestion. With such, we increase the probability of small TCP traffic to pass the link and block the huge flows which most of them are malicious. In addition, we record the data which is necessary for the clustering and other related work in Bloom filters to keep up with high-speed per-packet processing.

口試委員會審定書 ...................... iii
誌謝 .................................. v
Acknowledgements ...................... vii
摘要 .................................. ix
Abstract .............................. xi
1 Introduction ........................ 1
2 Background .......................... 3
2.1 Background ........................ 3
2.1.1 Pulsing Denial of Service ....... 3
2.1.2 Bloom Filter .................... 3
2.1.3 Spectral Bloom Filter ........... 4
2.1.4 Incremental Clustering .......... 5
2.2 Related Work ...................... 5
2.2.1 Defense on Mechanism ............ 5
2.2.2 Difference of Behavior .......... 5
3 Problem Definition .................. 7
4 Proposed Solution ................... 9
4.1 Concept ........................... 9
4.2 Workflow .......................... 11
5 Evaluation .......................... 15
5.1 Analysis .......................... 15
5.2 Experiment Environment ............ 16
5.2.1 Abstraction of Reality .......... 16
5.2.2 Experiment Setup ................ 16
5.3 Result ............................ 17
5.4 Discussion ........................ 21
6 Conclusion .......................... 23
Bibliography .......................... 25

[1] M. Ackerman and S. Dasgupta. Incremental clustering: The case for extra clusters. In Advances in Neural Information Processing Systems, pages 307–315, 2014.

[2] A. Broder and M. Mitzenmacher. Network applications of bloom filters: A survey. Internet mathematics, 1(4):485–509, 2004.

[3] S. Cohen and Y. Matias. Spectral bloom filters. In Proceedings of the 2003 ACM SIGMOD international conference on Management of data, pages 241–252. ACM, 2003.

[4] Y.-M. Ke, C.-W. Chen, H.-C. Hsiao, A. Perrig, and V. Sekar. Cicadas: Congesting the internet with coordinated and decentralized pulsating attacks. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pages 699–710. ACM, 2016.

[5] A. Kuzmanovic and E. W. Knightly. Low-rate tcp-targeted denial of service attacks: the shrew vs. the mice and elephants. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, pages 75–86. ACM, 2003.

[6] S. J. Templeton and K. E. Levitt. Detecting spoofed packets. In DARPA Information Survivability Conference and Exposition, 2003. Proceedings, volume 1, pages 164–175. IEEE, 2003.

[7] H. Wang, C. Jin, and K. G. Shin. Defense against spoofed ip traffic using hop-count

filtering. IEEE/ACM Transactions on Networking (ToN), 15(1):40–53, 2007.

[8] A. Yaar, A. Perrig, and D. Song. Stackpi: New packet marking and filtering mechanisms for ddos and ip spoofing defense. IEEE Journal on Selected Areas in Communications, 24(10):1853–1863, 2006.

[9] C. Zhang, Z. Cai, W. Chen, X. Luo, and J. Yin. Flow level detection and filtering of low-rate ddos. Computer Networks, 56(15):3417–3431, 2012.