National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

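Graduate student: 蔡耀震
Graduate student (English name): Yao-Zhen Tsai
Thesis title (Chinese): 於Linux環境應用Netfilter技術防止DDoS攻擊方法之研究
Thesis title (English): A study of preventing DDoS attacks by using Netfilter technology in Linux
Advisor: 高勝助
Advisor (English name): Shang-Juh Kao
Degree: Master's
Institution: National Chung Hsing University (國立中興大學)
Department: Institute of Computer Science (資訊科學研究所)
Discipline: Engineering
Field: Electrical and computer engineering
Thesis type: Academic thesis
Year of publication: 2005
Graduation academic year: 93
Language: Chinese
Number of pages: 59
Keywords (translated from Chinese): distributed attack; Netfilter; firewall; Linux kernel
Keywords (English): DDoS; Netfilter; Firewall; Linux Kernel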
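The main goal of a DDoS (Distributed Denial of Service) attack is to exhaust the victim's limited network resources so that the victim can no longer provide network services. To date there is no complete solution to DDoS attacks. In this insecure networked world, hardening server security so that servers can provide network services efficiently is an urgent necessity. To effectively protect servers from DDoS attacks, this thesis combines Netfilter with Linux kernel module technology and proposes an architecture for defending against DDoS attacks. The architecture has two parts. The first is the IP verification unit, which handles packets about to enter the Linux kernel and decides at the earliest point whether they may enter kernel processing. The second is the attack detection unit, which handles packets for which the first part could not decide whether they may enter kernel processing; for this part we propose an attack detection method, aimed in particular at TCP packets. Under this architecture, DDoS attacks can be identified quickly and the packet-filtering defense mechanism activated immediately; after the attack ends, the defense mechanism is lifted automatically, greatly reducing the likelihood that the server crashes as a result of an attack. Finally, we show experimentally that the architecture has almost no impact on Linux kernel performance while being able to effectively prevent most DDoS attacks.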
Distributed Denial of Service (DDoS) attacks aim at exhausting limited network resources to make the victim unable to offer network services. There is no perfect solution so far for dealing with DDoS attacks. In an open network environment, ensuring that a vulnerable server can offer its services is strongly required. In order to effectively prevent the server from being attacked by DDoS, this paper takes advantage of Netfilter and Linux kernel modules, and we propose an effective defense mechanism against DDoS attacks. This mechanism is divided into two phases. In the first phase, the IP address is validated whenever a packet is received. Once the packet is valid, in the second phase, attack detection is carried out, especially for TCP packets. It can quickly determine whether a DDoS attack has occurred, and immediately start the packet filtering engine whenever an attack is discovered. When the DDoS attack stops, the defending process is released automatically. Consequently, we can reduce the possibility of the server halting due to a long-duration attack. We prove, with several experiments, that this mechanism seldom affects the Linux IP stack performance, while it is able to protect the server from most DDoS attacks effectively.
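1. Introduction
1.1. Preface
1.2. Research motivation and objectives
1.3. Thesis organization
2. DDoS background
2.1. Relationship between DDoS and the protocols at each layer
2.1.1. Internet Protocol (IP)
2.1.2. Transmission Control Protocol (TCP)
2.1.3. User Datagram Protocol (UDP)
2.1.4. Internet Control Message Protocol (ICMP)
2.2. DDoS attack methods
2.2.1. Direct Attacks
2.2.2. Reflector Attacks
2.2.3. Basic DDoS attack architecture
2.3. Common DoS attacks and DDoS tools
2.3.1. Principles of common DoS attacks
2.3.2. Common DDoS attack tools
2.4. Overview of DDoS defense
2.4.1. Attack prevention
2.4.2. Resource management
2.4.3. Attack detection and defense
3. System architecture
3.1. System design considerations
3.1.1. TCP protocol considerations
3.1.2. UDP protocol considerations
3.1.3. ICMP protocol considerations
3.2. DDoS Defense with Netfilter System architecture diagram
3.3. IP verification unit
3.4. Attack detection unit
3.5. DDNS defense scope
4. System implementation and test analysis
4.1. Performance impact of the DDNS module on the Linux kernel networking subsystem
4.2. Test results for DDNS defense against SYN flood attacks
4.2.1. TCP connection establishment evaluation
4.2.2. CPU performance analysis and comparison
4.2.3. Backlog queue analysis and comparison
4.3. Test results for DDNS defense against UDP flood attacks
4.4. Test results for DDNS defense against ICMP flood attacks
5. Conclusion
6. References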