臺灣博碩士論文加值系統

網路應用範圍隨著時間不斷的擴大，而網路的各類攻擊與破壞也與日俱增。其中，DDoS攻擊技術因其隱蔽性、效率高而成為網路攻擊者最青睞的攻擊方式之一，這種方式嚴重地威脅著網頁伺服器的安全。例如DDoS攻擊者曾大規模攻擊許多全球重要的電子商務網站，而令雅虎、亞馬遜、電子港灣與CNN等一度陷入癱瘓，所以網路安全已經成為全球資訊安全的重要組成部分。在研究的過程中，我們針對DDoS攻擊所具有異於正常流量的多維欄位之統計特徵，本文設計實現了一種基於網路處理器的即時檢測及控制系統模組。該系統通過監控網路流量和多元分析其網路位元構成比例，獲得當前流量結構的描述參數，再與預先訓練得到的正常參數比較，根據兩者偏離程度判斷是否出現異常，然後進行相應佇列控制，從而達到檢測和防禦DDoS攻擊、保護後端網路系統的目的。本文所實現的是這個系統，本系統的多元統計子模組，包括統計量的設計和對資料封包進行解析、統計和異常標記。模擬實驗中表明，多元統計模組能為異常檢測與控制模組提供更全面而準確的統計資料，面對常見的各種DDoS攻擊亦能快速檢測並控制，達到一個較為全面的入侵檢測與防禦系統的要求。本系統具有高性能的處理能力，適合於部署在網際網路的關鍵出入口，對網路安全進行有力的維護。

Internet applications continued to expand time over time. And all types of network attacks and destruction are increasing day by day. Which of one, the DDoS attacks have become the most popular one of the attacks because of their covert technology, high efficiency and network attacks? It poses a serious threat to the security of web servers. For example, large-scale DDoS attackers had attacked many of the world''s major e-commerce sites, such as Yahoo!Ò, AmazonÒ, eBayÒ, CNNÒ and so on.. So network security has become an important part of global information security. In the process of research, we had discovered the difference of DDoS attack from the normal flow of the multi-dimensional statistical field characteristics. This paper designed and implemented a network processor-based real-time detection and control system module. The system monitors network traffic through the analysis of their network and multi-bit ratio. It also got the descriptions of the current flow structure parameters, pre-training with the normal parameters to be compared and the according to both determine whether the degree of deviation from the abnormal, and then proceed to the corresponding queue control. That will achieve DDoS attack detection, prevention and the protection of the back-end network or server purposes. This article realized this system’s multivariate statistical sub-modules including the design and statistics for analysis of the data packets, statistics and unusual markings. Simulation and experiments showed that multivariate statistical anomaly detection module and control module could provide a more comprehensive and accurate statistical information. In the face of a variety of common DDoS attacks, it can quickly detect and control to achieve more comprehensive intrusion detection and defense system requirements. The system has high-performance processing capability and suitable to deploy on the Internet key import and export points through a strongly safety maintenance on network.

目錄
中文摘要 I
Abstract II
誌謝 IV
表目錄 VIII
圖目錄 IX
第一章 緒論 1
1.1 研究背景 1
1.2 研究目的 2
1.3 研究方法 3
1.4 論文架構 3
第二章 相關研究與背景知識 4
2.1 DDoS攻擊的工作原理 4
2.2常見的DDoS攻擊及其特點 6
2.2.1 常見的DDoS攻擊分類 6
2.2.2 常見的DDoS攻擊工具 10
2.2.3 常見DDoS攻擊的特點 10
2.3 DDoS攻擊的防範 11
2.3.1 DDoS攻擊的預防 11
2.3.2 DDoS攻擊的檢測與控制 12
2.3.3 對攻擊來源的追蹤 14
2.4 目前對DDoS的防禦狀況 15
2.4.1 導致DDoS攻擊的原因 15
2.4.2 DDoS攻擊的防禦狀況 17
2.4.3 異常檢測系統 20
2.5 網路處理器的介紹 21
2.5.1 硬體結構 22
2.5.2 軟體架構 26
2.6 網路處理器的開發方法 27
2.6.1 軟體編譯 27
2.6.2 模擬環境調整 28
2.6.3 開發板介紹 32
第三章 系統方案設計 33
3.1 系統的設計概念 33
3.2 系統結構 34
3.2.1 多元統計模組 35
3.2.2 異常檢測模組 36
3.2.3 發送控制模組 36
3.3 系統的詳細設計 36
3.3.1 多元統計分析和設計 37
3.3.1.1 連結層統計 37
3.3.1.2 網路層統計 39
3.3.1.3 傳輸層統計 42
3.3.2 模擬系統的設計 44
3.4 網路處理器的應用 47
3.4.1 微引擎 47
3.4.2 儲存單元 48
3.4.3 主要資料結構 48
第四章 模擬實驗結果 50
4.1 模擬實驗驗證 50
4.1.1 實驗拓撲 50
4.1.2 功能驗證 51
4.1.3 實驗結果分析 53
4.2 攻擊模擬實驗 56
4.2.1 實驗拓撲 57
4.2.2 實驗結果分析 58
第五章 結論與未來研究方向 61
參考文獻 63

表目錄
表3-1. 目的MAC統計 39
表3-2. 框架類型統計 39
表3-3. 網路層統計方法 41
表3-4. 傳輸層統計 43
表3-5. 系統微引擎的分配及其通訊介面 47
表3-6. 多元統計的儲存資源分配 48
表3-7. 異常標記控制字元 49
表4-1. 多元統計資料 54

圖目錄
圖2-1. DDoS攻擊模型 4
圖2-2. 反射式DDoS攻擊模型 5
圖2-3. IXP2400硬體結構圖 22
圖2-4. IXP微引擎結構圖 24
圖2-5. ME多線程機制 24
圖2-6. Intel IXA 可移植框架結構 26
圖2-7. 軟體編譯過程 28
圖2-8. 時鐘頻率設定 29
圖2-9. 記憶體設定 29
圖2-10. MSF設備設定 30
圖2-11. 網路連接設定 30
圖2-12. CBUS連接設定 31
圖2-13. 資料流程模擬設定 31
圖3-1. 多元統計異常檢測系統結構圖 35
圖3-2. 連結層框架格式 38
圖3-3. 網路層表頭位元格式圖 40
圖3-4. TCP表頭位元格式 42
圖3-5. UDP表頭位元格式 43
圖3-6. 模擬系統的結構圖 44
圖4-1. 模擬實驗拓撲 50
圖4-2. 多元統計系統的統計資料 53
圖4-3. Client與Server封包抓取內容比較 54
圖4-4. 部分位元的過濾結果 55
圖4-5. 網路處理器連接埠1上的封包抓取 56
圖4-6. 攻擊實驗拓撲 57
圖4-7. 各種攻擊效果圖 59
圖4-8. 混合DDoS攻擊防禦圖 60

[1] Clyde R.A.(2002)，「資安著重管理架構」，資訊傳真週刊，第352期，2002年11月，第46-47頁。
[2] 立駭科技(2000)，「資訊安全委外服務研究」，資訊與電腦，第257期，2000年12月，第33-38頁。
[3] 吳宗磻(1996)，「政府機構資訊系統安全稽核制度」，存款保險資訊季刊，1996年，第10卷，第2期，第21-40頁。
[4] M. Adiletta, M. Rosenbluth, D. Bernstein, G. Wolrich and H. Wilkinson(2002), "The next generation of Intel IXP network processors", Intel Technology Journal, August 2002, Vol. 6, No. 3, pp.6-18.
[5] N. Ansari and A. Belenky(2003), “IP traceback with Deterministic Packet Marking”, IEEE. Communications Letters, April 2003, Vol. 7, No. 4, pp. 162-164.
[6] A. Belenky, N. Ansari and N. Jersey(2003), “On IP Traceback”, IEEE Communications Magazine, July 2003, Vol. 41, No. 7, pp.142-153.
[7] S. M. Bellovin(1996), "Problem Areas for the IP Security Protocols", Proceedings of the Sixth Usenix Unix Security Symposium, San Jose, CA., pp. 1-16.
[8] S. Bellovin(2000), “ICMP Traceback Messages” Internet Draft, March 2000.
[9] L. S. Brakmo and L. Peterson(1995), "TCP Vegas: End to End Congestion Avoidance on a Global Internet", IEEE Journal on Selected Areas in Communication, 13(8): 14651480.
[10]M. Bykova, S. Ostermann and B. Tjaden(2001), ”Detecting network intrusions via a statistical analysis of network packet characteristics”, Proceedings of the 33rd Southeastern Symposium on System Theory, pp. 309-314.
[11]J. B. D. Caberera, B. Ravichandran and R. K. Mehra(2000), “Statistical traffic modeling for network intrusion detection”, Proceedings of the 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, 2000, pp. 466-473.
[12] M. Christiansen, K. Jeffay, D. Ott and F. D. Smith(2000), "Tuning RED for Web traffic", Proceedings of ACM SIGCOMM, Stockholm, Sweden, 1391 S0. Firoiu V., Borden M.(2000), "A study of active queue management for congestion control”, Proceedings of INFOCOM 2000, Tel Aviv, Israel, 14351444.
[13]DECÒ(1982), "The Ethernet - A Local Area Network: Data Link Layer and Physical Layer Specifications", DigitalÒ, IntelÒ and XeroxÒ, November 1982.
[14]IntelÒ, “IntelÒ IXP2400 Network Processor: Flexible, High-Performance Solution for Access and Edge Applications”, http://www.intel.com/design/network/papers/ixp2400.pdf.
[15]IntelÒ(2003), “IntelÒ Internet Exchange Architecture Software Development Kit: Tools Installation Guide”, November 2003.
[16]IntelÒ(2004), “IXP2400 Network Processor Hardware Reference Manual”, Oct 2004.
[17]C. Jin, H. Wang and K. G. Shin(2003), “Hop-count filtering: an effective defense against spoofed DDoS traffic”, Conference on Computer and Communications Security archive, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30 2003, Washington D.C., USA, pp.30-41.
[18]J. Jung, B. Krishnamurthy, and M. Rabinovich(2002), “Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites”, the Eleventh International World Wide Web Conference, Honolulu, Hawaii, pp.252-262.
[19]Y. Kim, W. C. Lau, M. C. Chuah and H. J. Chao(2004), “Packetscore: statistics-based overload control against distributed denial-of-service attacks”, INFOCOM 2004. Twenty-third AnnualJoint Conference of the IEEE Computer and Communications Societies, Vol. 4, No. 7-11, pp.2594-2604.
[20]K. Lahiri, A. Raghunathan and S. Dey(2001), "System level performance analysis for designing on-chip communication architectures", IEEE Transactions on Computer Aided-Design of Integrated Circuits and Systems, 20(6):768783.
[21]W. Lee, S. J. Stolfo and K. W. Mok(1999), ”A data mining framework for building intrusion detection models”, Security and Privacy, Proceedings of the IEEE Symposium on 1999, pp.120-132.
[22]B. P. Lim and M. S. Uddin(2005), “Statistical-Based SYN-Flooding Detection Using Programmable Network Processor”, Decision and Control, 2005 and 2005 European Control Conference. CDC-ECC ''05. 44th IEEE Conference on 12-15 Dec., pp.7347-7351.
[23]Y. N. Lin, C. H. Lin, Y. D. Lin and Y. C. Lai(2005), “VPN Gateways over Network Processors: Implementation and Evaluation”, Proceedings of the 11th IEEE Real Time and Embedded Technology and Applications Symposium(RTAS’05), pp. 480-486.
[24]R. Ramaswamy, N. Weng and T. Wolf(2005), “A network processor based passive measurement node”, Proc. of Passive and Active Measurement Workshop(PAM), Mar. 2005, pp. 337-340, (Extended Abstract).
[25]C. Siaterlis and V. Maglaris(2005),.“Detecting incoming and outgoing DDoS attacks at the edge using a single set of network characteristics”, IEEE Symposium on 27-30 June, pp.469-475.
[26]T. Verdickt, W. V. d. Meerssche and K. Vlaeminck(2005), “Modeling the Performance of a NAT/Firewall Network Service for the IXP2400”, Proceedings of the Fifth International Workshop on Software and Performance, WOSP 2005, Palma, Illes Balears, Spain, July 12-14, pp.137-144.