National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

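Graduate student: 黃旭琦
Graduate student (English name): Hsun-Chi Huang
Thesis title (Chinese): 利用調節頻寬分配機制預防DDoS攻擊之安全性研究
Thesis title (English): Adaptive Bandwidth Allocation Approach Against Distributed DoS Attacks
Advisor: 林祝興
Advisor (English name): Chu-Hsing Lin
Degree: Master's
Institution: Tunghai University (東海大學)
Department: In-service Master's Program, Department of Information Engineering and Science (資訊工程與科學系碩士在職專班)
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Year of publication: 2008
Graduation academic year: 96
Language: Chinese
Number of pages: 6
Keywords (Chinese, translated): denial-of-service attack; security; priority; bandwidth
Keywords (English): DoS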
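Today, thousands upon thousands of computers are connected to the Internet, and many software packages are installed on them. An attacker may intrude on, or completely block, legitimate users, networks, systems or other resources. An attack may come from a single source (a single source host) or from multiple sources (multiple source hosts), flooding the victim with a huge volume of attack packets. Such attacks are called denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks. Several of the better-known DDoS attack methods are SYN flood, ICMP flood, UDP flood and Smurf [1-3]. In February 2000, well-known websites such as Yahoo, eBay, Amazon, Buy.com [4], CNN.com, E*TRADE and ZDNet were victims of DDoS attacks. These cases show that there is no complete protection against such attacks. We can, however, limit the traffic of malicious users. In this thesis, we propose to identify DDoS attacks by measuring high-rate traffic. On the Internet we can see packets with spoofed IP addresses, but using a firewall to restrict the activity of such an IP address neither resolves bandwidth congestion nor provides fully automatic detection followed by restriction of the IP address. This thesis therefore probes bandwidth usage and then assigns priorities: anything identified as a DDoS attack is scheduled at low priority, while normal users receive higher priority.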
Denial of service attacks occur when the attacks are from a single host, whereas distributed denial of service attacks occur when multiple affected systems flood the bandwidth or resources of a targeted system. Although it is not possible to be entirely exempt from denial of service or distributed denial of service attacks, we can limit malicious users by controlling the traffic flow. In this paper, we propose to monitor the traffic pattern in order to alleviate distributed denial of service attacks. A bandwidth allocation policy is adopted to assign normal users to a high priority queue and suspected attackers to a low priority queue. Simulations of our proposed priority queue-based scheme, conducted in a network simulator, show its effectiveness in blocking attack traffic while maintaining constant flows for legitimate traffic.
Contents
Chapter 1 Introduction
Chapter 2 Background
Chapter 3 Priority Queue-based Adaptive Scheme
3.1. Structure of the Scheme
3.2. Adaptive Adjustment of Priority Queue
Chapter 4 Experiment Setup
Chapter 5 Experimental Results
5.1. Comparison of Priority Queue-based and DropTail Queue Schemes
5.2. Effect of Factor number
5.2.1. Results with Factor number = 1
5.2.2. Results with Factor number = 3
5.2.3. Results with Factor number = 5
5.2.4. Results with Factor number = 7
5.2.5. Results with Factor number = 7.1
5.2.6. Results with Factor number = 7.5
Chapter 6 Discussion
Bibliography
[1] Y. Chen, Y.-K. Kwok, and K. Hwang, “MAFIC: Adaptive Packet Dropping for Cutting Malicious Flows to Push Back DDoS Attacks,” Proc. of 25th IEEE Int’l Conf. Distributed Computing Systems Workshops 2005, June 2005.
[2] D. Nagamalai, C. Dhinakaran, and J. K. Lee, “Multi Layer Approach to Defend DDoS Attacks Caused by Spam,” Proc. of International Conf. of Multimedia and Ubiquitous Engineering, April 2007.
[3] D. Nagamalai, C. Dhinakaran, and J. K. Lee, “Novel Mechanism to Defend DDoS Attacks Caused by Spam,” International Journal of Smart Home, Vol. 1, No. 2, July 2007, pp. 83-95.
[4] X. Geng and A. B. Whinston, “Defeating Distributed Denial of Service Attacks,” IT Pro, July-August 2000.
[5] A. Legout, E.W. Biersack, “Revisiting the Fair Queuing Paradigm for End-to-end Congestion Control,” IEEE Network, Volume 16, Issue 5, Sept.-Oct. 2002.
[6] K. Park and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets,” Proc. of ACM SIGCOMM 2001, Aug. 2001.
[7] K. Park and H. Lee, “On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attacks,” Proc. of IEEE INFOCOM 2001, Mar. 2001.
[8] M. Song and J. Xu, “IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks,” Proc. of 10th IEEE Int’l Conf. Network Protocols (ICNP 2002), Nov. 2002.
[9] Bao-Tung Wang, H. Schulzrinne, “An IP traceback mechanism for reflective DoS attacks,” Proc. of IEEE Electrical and Computer Engineering 2004, May 2004.
[10] H. Wang, D. Zhang, and K.G. Shin, “SYN-dog: Sniffing SYN Flooding Sources,” Proc. of 22nd Int’l Conf. Distributed Computing Systems (ICDCS ’02), July 2002.
[11] Tu Xu, Da Ke He, and Yu Zheng, “Detecting DDOS Attack Based on One-Way Connection Density,” Proc. of IEEE ICCS 2006, Oct. 2006.
[12] http://www.isi.edu/nsnam/ns/
[13] http://en.wikipedia.org/wiki/Harmonic_Mean
[14] http://en.wikipedia.org/wiki/SYN_flood