臺灣博碩士論文加值系統

網路安全隨著網路蓬勃發展愈顯重要，各種網路入侵事件層出不窮，使傳統的資訊安全市場產生巨變，不斷翻新的網路入侵技術、類型多變的病毒與網蟲攻擊，藉著貫通全球的網際網路和電子郵件散發。面對攻擊工具流通快速且普遍被濫用，反觀一般使用者對網路安全普遍漠視形成強烈的對比，這種情況使得網路安全問題越來越嚴重。資訊安全的重要性與攻擊者入侵問題，近年持續受到企業與政府關切；其中又以分散式阻絕服務 (Distributed Denial of Service，簡稱DDoS) 攻擊對網路所造成威脅及損害最為嚴重。同時許多論文提出各類型的防禦機制來對抗DDoS攻擊。然而攻擊方式愈來愈多，攻擊模式相較於過去也更加複雜，因此抵禦這類網路攻擊的困難度不斷增加。
本文提出階層式聯合防衛DDoS攻擊系統架構；聯合網路型入侵預防系統 (WallGuard) ，主機型入侵預防系統 (WallAgent) 及區域派送員 (Domain dispatcher) 三個元件，組成階層式聯合防衛機制。WallGuard負責多網域間聯防工作，實作流量統計與控制路由設備過濾攻擊。同時利用區域劃分的概念，WallGuard可以進一步的透過所管轄之Domain dispatcher通報子網路下的WallAgent共同防衛DDoS攻擊，將攻擊阻絕在最近攻擊者端。另外提出分析系統記錄檔之預防機制防止DDoS攻擊發生，達到事前的預防效果。

With the rise of internet, network security has also become important. Various incidents of intrusion emerges which make great changes in the traditional market of information security. Continuous innovating internet intrusion techniques, changeful viruses, and worm attacks, it spreads through global internet and e-mails. Attack tools travel fast and has been misapplies; which makes a great contradiction when we observe how the general users ignore network security. Such situation is becoming worse, thus, it has received great concerns from both the cooperation and the government. And among them, the attack of Distributed Denial of Service, DDoS, causes more threats and damages to the internet than that of others. At the same time, many dissertations have proposed every kind of defending mechanism to confront DDoS attacks. However, the more attacks there are, the more complicated the attack modules; therefore, the difficulties of defending these internet attacks increases.
This paper proposes a hierarchical cooperative defending system against DDoS attacks, uniting its subsidiary systems WallGuard, WallAgent, and domain dispatcher to defend DDoS attacks. WallGuard is in charge of defense cooperatively in DDoS attack and it implements traffic statistics and controls the devices of router to filter the attacks. WallGuard can announce to the WallAgent in the subnet through the governed domain dispatcher to cooperatively defense the attacks of DDoS by using the concept of the division of area. It is also proposed to analyze the logs of system to prevent the DDoS attacks

第一章 緒論 1
1.1 研究背景 1
1.2 研究動機與目標 4
1.3 研究範圍與方法 5
1.4 論文架構 6
第二章 背景知識與需求分析 7
2.1 DDoS攻擊事件與手法分析 7
2.2 基本入侵防禦系統背景知識 12
2.2.1 防火牆與入侵偵測預防系統 13
2.2.2 Snort 16
2.3 相關研究 16
2.3.1 Micro-firewalls with distributed intrusion detection 16
2.3.2 Middleware-based approach 18
2.3.3 D-WARD system 20
2.3.4 Aggregate congestion control system 21
2.4 需求分析 22
2.4.1 抵禦DDoS攻擊之生命週期 22
2.4.2 抵禦DDoS攻擊之位置 24
第三章 系統聯防演算法設計 27
3.1 聯防系統設計 27
3.2 聯防系統通用規則設計 31
3.3 聯防系統訊息傳遞機制 32
3.4 聯防系統模組分析 37
3.4.1 WallAgent子系統功能模組 37
3.4.2 WallGuard子系統功能模組 37
3.4.3 Domain dispatcher子系統功能模組 39
3.5 利用分析系統記錄檔之預防演算法 41
第四章 階層式聯合防衛系統之實作 44
4.1 系統實作架構 44
4.2 系統實驗網路環境介紹及配備 49
4.3 系統功能與實作成果 54
4.3.1 監視流量之工具及攻擊程式 54
4.3.2 WallAgent使用者介面 58
4.3.3 WallGuard使用者介面 61
4.3.4 Domain dispatcher使用者介面 64
第五章 模擬實驗測試 65
5.1 實驗ㄧ：無防禦狀態DDoS攻擊對於網路影響測試(ㄧ) 65
5.2 實驗二：無防禦狀態DDoS攻擊對於網路影響測試(二) 67
5.3 實驗三：預先限流保留路由器通道測試 74
5.4 實驗四：WallAgent獨立運作測試 77
5.5 實驗五：WallGuard獨立運作測試 85
5.6 實驗六：階層式聯合防衛系統運作測試(ㄧ) 92
5.7 實驗七：階層式聯合防衛系統運作測試之二 98
5.8 實驗八：分析系統紀錄檔之預防演算法測試 107
第六章 結論及未來發展工作 112
6.1 結論 112
6.2 未來發展工作 113
參考文獻 114

[1]Computer Emergency Response Team Coordination Center, CERT/CC, http://ww.cert.org.
[2]Taiwan Computer Emergency Response Team Coordination Center, TWCERT/CC, http://www.cert.org.tw.
[3]CERT/CC Overview Incident and Vulnerability Trends, CERT Coordination Center, Pittsburgh, http://www.cert.org/present/cert-overview-trends/, 2002.
[4]McAfee, Inc., http://vil.nai.com/vil/default.asp.
[5]D. Moore, G..M. Voelker, and S. Savage, “Inferring Internet denial-of-service activity”, Proceedings of 10th USENIX Security Symposium, Washington, DC, 2001.
[6]Jelena Mirkovic, Janice Martin, and Peter Reiher, “A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms,” UCLA Technical Report #020018, 2002.
[7]Rocky K. C., Chang, “Defending against flooding-based distributed denial-of-service attack: a tutorial,” IEEE Communication Magazine, Vol. 40, pp. 42-51, Oct. 2002.
[8]CERT Advisory CA-2003-04 MS-SQL Server Worm, http://www.cert.org/advisories/CA-2003-04.html.
[9]CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks, http://www.cert.org/advisories/CA-1996-21.html.
[10]D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, RFC 2827, http://www.ietf.org/rfc/rfc2827.txt, May 2000.
[11]CERT Advisory CA-1996-01 UDP Port Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1996-01.html.
[12]CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1998-01.html.
[13]CERT Advisory CA-1997-28 IP Denial-of-Service Attacks, http://www.cert.org/advisories/CA-1997-28.html.
[14]D. Schnackenberg, K. Djahandari, and D. Sterne, “Infrastructure for intrusion detection and response”, Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX), South Carolina, Jan. 2000.
[15]Thomas R., Mark B., Johnson T., Croall, J.,"NetBouncer: client-legitimacy-based high-performance DDoS filtering," Proceedings of Conference and Exposition on DARPA Information Survivability, Washington, DC, vol.1, pp. 14-25, April 2003.
[16]M. Roghan, D. Veitch, and P. Abry. “Real-time estimation of the parameters of long-range dependence,” IEEE/ACM RANS. on Networking, Vol.8, pp 467-478,Aug. 2000.
[17]K. Fox, R. Henning, J. Reed, and R. Simonian, “A Neural Network Approach Towards Intrusion Detection,” Technical Report, Harris Corporation, July 1990.
[18]T. M. Gil and M. Poletto, “MULTOPS: a data-structure for bandwidth attack detection,” Proceedings of 10th Usenix Security Symposium, Washington, DC, August 2001.
[19]P. Barford, J. Kline, D. Plonka and A.Ron, “A signal analysis of network traffic anomalies,” Internet Measurement Workshop, Marseille, FranceNov. 2002.
[20]L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred, "Statistical Approaches to DDoS Attack Detection and Response," Proceedings of DISCEX 3, April 2003.
[21]Jiejun Kong; Mirza, M.; Shu, J.; Yoedhana, C.; Gerla, M.; Songwu Lu, "Random flow network modeling and simulations for DDoS attack mitigation," Proceedings of ICC IEEE International Conference on Communications, Alask, USA, vol.1, pp. 487 - 491, 11-15 May 2003.
[22]T. Peng, C. Leckie and R. Kotagiri, "Protection from Distributed Denial of Service Attack Using History-based IP Filtering," Proceedings of IEEE International Conference on Communications, Anchorage, Alaska, USA, May 2003.
[23]Belenky, A.; Ansari, N., "On IP traceback," IEEE Communications Magazine, vol.41, pp.142-153, July 2003.
[24]Minho Sung; Jun Xu, "IP traceback-based intelligent packet filtering: a novel technique for defending against Internet DDoS attacks," IEEE Transactions on Parallel and Distributed Systems, vol.14, pp. 861-872, Sept. 2003.
[25]H. Burch and B. Cheswick, “Tracing anonymous packets to their approximate source,” Proceedings of the 14th Systems Administration Conference, New Orleansm Louisiana, U.S.A., December 2000.
[26]M.Oe, "A hierarchical architecture for IP Traceback," Proceedings of 54th IETF, BoF, Yokohama, Japan, , Jul. 2002.
[27]A. Yaar, A. Perrig, and D. Song, “PI: A Path Identification Mechanism to Defend against DDoS Attacks,” Proceedings of IEEE Symposium on Security and Privacy, pp. 93-107, May 2003.
[28]R. Russell and H. Welte, “Linux Netfilter Hacking HOWTO,” http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html.
[29]B. Hubert, “Linux Advanced Routing and Traffic Control HOWTO,” http://lartc.org/howto/.
[30]S. Ioannidis, A. D. Keromytis, S. M. Bellovin, and J. M. Smith, “Implementing a Distributed Firewall”, Proceedings of 7th ACM Conference on Computer and Communication Security, Athens, Greece, Nov. 2000.
[31]M. Roesch, “Snort - Lightweight Intrusion Detection for Networks,” Proceedings of the 13th Systems Administration Conference (LISA'99), USENIX Association, pp. 229-238, 1999.
[32]K. Hwang and M. Gangadharan, “Micro-Firewalls for Dynamic Network Security with Distributed Intrusion Detection,” Proceedings of IEEE International Symposium on Network Computing and Applications, pp. 68-79, Oct. 2001.
[33]M. Gangadhran and K. Hwang, “Intranet Secuity with Micro-Firewalls and Mobil Agent for Proactive Intrusion Response,” Proceedings of IEEE Int’l Conferences on Computer Networks and Mobile Computing, Beijing, China, Oct. 2001.
[34]Wei Yu, Dong Xuan, Wei Zhao, "Middleware-based approach for preventing distributed deny of service attacks," Proceedings of MILCOM, vol. 2, pp.1124-1129, Oct. 2002.
[35]J. Mirkovic, G. Prier and P. Reiher, “Attacking DDoS at the Source,” Proceedings of ICNP, pp. 312-321, Paris, France, November 2002.
[36]Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker, “Controlling High Bandwidth Aggregates in the Network,” Computer Communications Review 32:3, pp. 62-73, July 2002.
[37]John Ioannidis and Steven M. Bellovin, “Implementing Pushback: Router-Based Defense DDoS Attacks”, Proceedings of NDSS, February 2002.
[38]K. Park and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets,” Proceedings of ACM SIGCOMM, August 2001.
[39]J. Ioannidis and S. M. Bellovin, “Pushback: Router-Based Defense Against DDoS Attacks,” Proceedings of NDSS, February 2002.
[40]CERT, Intruder Detection Checklist, Jul 20, 1999. http://www.cert.org/tech_tips/intruder_detection_checklist.html.
[41]G. Vigna, R.A. Kemmerer, and P. Blix, "Stateful Intrusion Detection for High-Speed Networks," Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), pp.69-84, Springer-Verlag avis, CA, Oct. 2001.
[42]Byeong Kil Lee and Lizy John, "NpBench: A Benchmark Suite for Control Plane and Data Plane Applications for Network Processors," Proceedings of the International Conference on Computer Design (ICCD'03), San Jose, Oct. 2003.
[43]BroadWeb, http://www.broadweb.com.tw.