
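Graduate student: Chun-Chieh Chen (陳俊傑)
Thesis title: An Overlay Defense System against DDoS (以重疊網路防禦分散式阻斷服務攻擊)
Advisor: Li-Ming Tseng (曾黎明)
Oral examination committee:
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science & Information Engineering
Academic year of graduation: 93
Language: Chinese
Number of pages: 45
Keywords (translated from Chinese): detection system, distributed denial-of-service attack, overlay network
Keywords (English): overlay network, detection system, DDoS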
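  • Many network attacks in recent years have exposed numerous weaknesses in
    the network and further demonstrated the importance of network security.
    Of these, distributed denial-of-service attacks (Distributed Denial of
    Service, DDoS) can be said to cause the greatest damage.
    Because DDoS attacks are high-volume and distributed, a server without any
    protective measures may be paralyzed within minutes when it comes under a
    DDoS attack, so defensive measures against DDoS attacks are very important.
    We propose using a monitoring system and overlay network techniques to
    activate the defense system in time, hide the location of the service host,
    block distributed denial-of-service attacks, and provide normal service to
    legitimate users. An overlay network uses techniques such as proxies to
    spread an application server across many points of a wide network in order
    to improve network security. When an attack occurs, it can immediately and
    effectively block the distributed attack to protect the server.
    We test the feasibility of the proposed system by building a physical test
    network. The experimental results show that the system can effectively
    block attacks.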


    In recent years, many attacks on the Internet have revealed numerous
    vulnerabilities, which further underlines the importance of Internet
    security. Among them, DDoS causes the greatest damage.
    Because DDoS attacks are massive and distributed, servers with no
    protection may be paralyzed within several minutes of coming under attack,
    so a defense mechanism against DDoS is very important. We propose using a
    detection system and an overlay network to start the defense system in
    time, hide the location of servers, resist DDoS attacks, and provide
    service to legitimate users. An overlay network uses proxies to distribute
    a service server across the Internet in order to enhance Internet
    security. When an attack happens, it can effectively resist the
    distributed attack to protect the servers.
    We use a physical topology to test the feasibility of our system. The
    experimental results show that our system can effectively resist attacks.

    Table of contents
    Abstract (Chinese)
    Abstract (English)
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
      1.1 Research Background
      1.2 Research Motivation
      1.3 Thesis Organization
    Chapter 2 Related Work
      2.1 Distributed Denial of Service
      2.2 Classification of Distributed Denial of Service
      2.3 Existing Defense Strategies
        2.3.1 Results from the Laboratory
        2.3.2 Traceback
        2.3.3 Pushback
        2.3.4 D-WARD
        2.3.5 Overlay Network
    Chapter 3 System Architecture
      3.1 Overlay Defense System Architecture
      3.2 System Flow
      3.3 System Function Modules
        3.3.1 Monitor Agent
        3.3.2 Identification Agent
        3.3.3 Proxy Agent
    Chapter 4 System Implementation
      4.1 Implementation of System Function Modules
        4.1.1 Monitor Agent
        4.1.2 Identification Agent
        4.1.3 Proxy Agent
      4.2 Experimental Network Environment
      4.3 Discussion
    Chapter 5 Simulation Experiments and Tests
      5.1 Attack Scenario without the Defense System
      5.2 Attack Scenario with the Defense System
    Chapter 6 Conclusion and Future Work
      6.1 Conclusion
      6.2 Future Work
    References

