
National Digital Library of Theses and Dissertations in Taiwan

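Graduate student: 李維哲
Graduate student (English name): Wei-Che Li
Thesis title: 網路蠕蟲傳播防治之研究
Thesis title (English): Research on Defending Network Worm Propagation
Advisors: 王振興, 王永鐘
Oral defense committee: 江昭皚, 謝金雲
Oral defense date: 2005-07-26
Degree: Master's
Institution: National Taipei University of Technology
Department: Department of Electrical Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2005
Graduation academic year: 93
Language: Chinese
Number of pages: 49
Chinese keywords: malware; vulnerabilities; network worm; computer virus; SSFNet network simulator
English keywords: Malware; Vulnerabilities; Network worm; Computer virus; SSFNet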
Related statistics:
  • Cited by: 3
  • Views: 582
  • Downloads: 0
  • Saved to bibliography lists: 1
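With the rapid development of the Internet and the year-on-year increase in vulnerabilities present in computer hosts, the threat that network worms pose to networks is steadily rising. The damage caused by network worms is not limited to exploiting specific vulnerabilities in hosts to implant Trojan horses or backdoors in an attempt to remotely control computers or steal data; the network congestion caused when worms propagate independently and on a large scale inflicts even heavier losses on enterprises and governments.
This thesis uses the open-source SSFNet network simulator to simulate our university's campus network under a network worm propagation attack, and then proposes a defense method. Under this method, when a network worm enters the campus network and infects hosts, each layer 3 switch on the backbone network collects the number of infected hosts in its subnet, uses that count to choose a suitable blocking threshold and blocking interval, and then blocks the subnet on a timed, repeating cycle to slow the worm's continued spread and to stop infected campus hosts from infecting other hosts on the network. The simulation results show that the defense method proposed in this thesis does slow the spread of the worm.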
Due to the rapid growth of the Internet and the recent increase in vulnerabilities existing in hosts, the threats from network worms are rising gradually. The disasters brought by network worms not only allow hackers to control remote computers in which a Trojan horse or backdoor has been embedded in order to steal secret information, but also cause network congestion.
In 2001, when the CodeRed worm spread, information security experts began serious study and research on network worms. In this paper, we adopt the open-source network simulator SSFNet to simulate and analyze the infection pattern of network worms in a campus network, and then propose a prevention method for their propagation. Based on the number of infected hosts reported by the layer-3 switches in the campus backbone network, the scheme chooses a proper cutting threshold and cutting time interval for periodically blocking the subnets to prevent continued infection of other hosts. The simulation results show that the proposed method can indeed alleviate the spread of network worms.
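Table of Contents

Chinese Abstract
English Abstract
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation
1.3 Research Objectives
1.4 Research Scope
1.5 Organization of the Thesis
Chapter 2 Network Worms
2.1 Origin and Evolution of Network Worms
2.2 Characteristics and Life Cycle of Network Worms
2.2.1 Basic Concepts and Techniques
2.2.2 Life Cycle of Network Worms
2.2.3 Functional Structure of Network Worms
2.3 Similarities and Differences Between Network Worms and Computer Viruses
2.4 Overview of Network Worm Research
2.4.1 Literature Review of Network Worm Propagation Models
2.4.2 Literature Review of Network Worm Scanning Strategies
Chapter 3 Campus Network Security and Network Worm Defense
3.1 Campus Networks and Campus Network Security
3.1.1 Taiwan Academic Network
3.1.2 Characteristics of University Campus Networks
3.1.3 Campus Network Security
3.2 Literature Review on Network Worm Defense
3.2.1 Defense Research Targeting the Network Worm Life Cycle
3.2.2 System Requirements for Defending Against Network Worm Propagation
3.2.3 Research on Techniques for Defending Against Network Worm Propagation
3.2.4 Research on Other Network Worm Defense Techniques
Chapter 4 Building and Simulating the Campus Network Model
4.1 Architecture and Characteristics of the Campus Network
4.1.1 Architecture of the National Taipei University of Technology Campus Network
4.1.2 Characteristics of the National Taipei University of Technology Campus Network
4.1.3 National Taipei University of Technology Campus Network Architecture Diagram Including Each Unit's Network Segments
4.2 The SSFNet Network Simulator
4.2.1 Why Use the SSFNet Network Simulator
4.2.2 Introduction to SSFNet
4.2.3 Applications and Research Related to SSFNet
4.3 Simulation of the National Taipei University of Technology Campus Network
4.3.1 Simulation Steps
4.3.2 Environmental Limitations of the Simulation
Chapter 5 Simulation Results and Analysis of Network Worm Propagation Defense
5.1 Simulation of Network Worm Propagation on the National Taipei University of Technology Campus Network
5.1.1 Introduction to the SSF.App.Worm Worm Module
5.1.2 Macroscopic Worm Propagation Model Based on the Classical Simple Epidemic Model
5.1.3 Simulation Parameter Settings
5.1.4 CodeRed Worm Propagation Simulation
5.2 Simulation of Defending Against Network Worm Propagation
5.2.1 Method for Defending Against Worm Propagation
5.2.2 Simulation Results and Analysis of Defending Against Worm Propagation
Chapter 6 Conclusions and Future Work
References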

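List of Tables

Table 1.1 Vulnerability reports of the CERT Coordination Center (CERT/CC), 1995-2004
Table 2.1 Some differences between computer viruses and network worms
Table 5.1 Times at which the layer 3 switch of each National Taipei University of Technology subnet first performs the blocking action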

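List of Figures

Figure 2.1 The author of the first "malicious" worm, Mr. Robert Morris
Figure 2.2 Historical evolution of network worms
Figure 2.3 The four stages of the worm life cycle
Figure 2.4 Infection flowchart of CodeRed II
Figure 2.5 Propagation flowchart of CodeRed II
Figure 2.6 Functional structure of network worms
Figure 3.1 Distribution of host security vulnerabilities on the National Sun Yat-sen University campus network
Figure 3.2 Integrated campus network security management architecture
Figure 3.3 Web page displayed when a user's access is restricted
Figure 3.4 A basic campus network security defense system
Figure 4.1 National Taipei University of Technology campus network architecture
Figure 4.2 National Taipei University of Technology campus network architecture including the network segments of each department and unit
Figure 4.3 Simulation levels of SSFNet
Figure 4.4 File hierarchy organization of SSFNet
Figure 4.5 Text-mode screen of a simulation run
Figure 5.1 Mixed abstraction level model
Figure 5.2 Simulation architecture of SSFNet
Figure 5.3 Parameter values for the worm simulation
Figure 5.4 Number of infected hosts as the CodeRed worm propagates through the network
Figure 5.5 Monitoring flowchart of the layer 3 switch
Figure 5.6 Number of infected hosts without and with the defense method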