Title page for 93522018



Student Number 93522018
Author Ping-Hsien Yu(游秉賢)
Author's Email Address phsien.yu@gmail.com
Statistics This thesis has been viewed 1561 times and downloaded 885 times.
Department Computer Science and Information Engineering
Year 2005
Semester 2
Degree Master
Type of Document Master's Thesis
Language zh-TW.Big5 Chinese
Title An Application of Proportional Probabilistic Packet Marking Trace in the DDoS Overlay Defense System
Date of Defense 2006-07-05
Page Count 51
Keyword
  • DDoS
  • overlay network
  • packet marking
Abstract With the extreme popularity of the Internet, network attacks have emerged in an endless stream in recent years. One of the most serious is the distributed denial of service (DDoS) attack, which easily causes large damage. DDoS attackers usually forge the source address of IP packets to hide their positions, so that it is difficult to trace back to the attackers. To alleviate DDoS, this work takes advantage of the packet-marking method to trace the attacker's location, as well as to detect DDoS attacks. Once a DDoS attack is detected and located, this work initiates an overlay-network defense system to block it.
    The basic concept of the packet-marking method is to insert some route information into rarely used fields of the IP header. The insertion is probabilistic. Even if attackers forge the source address of IP packets, this method can find the attack path by using the route information carried by the marked packets. With the attack path, our work is also able to detect attack packets that have the same source address but arrive from different distant routers.
    Finally, this work implemented a system based on the packet-marking method and the overlay-network defense approach, and integrated a new packet-marking-based detection method into Snort. The experimental results show that our system can detect, locate, and block DDoS attacks effectively.
Table of Contents
    Abstract (Chinese)
    Abstract (English)
    Table of Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
    1.1 Research Background
    1.2 Research Motivation
    1.3 Thesis Organization
    Chapter 2 Related Work
    2.1 Distributed Denial of Service Attacks
    2.2 Existing Defense Strategies
    2.2.1 D-WARD
    2.2.2 Traffic Control Service
    2.2.3 WebSOS
    2.2.4 MOVE
    2.2.5 Overlay Network Defense System
    2.2.6 System Comparison
    2.3 Existing Traceback Strategies
    2.3.1 Controlled Flooding
    2.3.2 CenterTrack
    2.3.3 Packet Marking
    2.3.3.1 Deterministic Packet Marking
    2.3.3.2 Probabilistic Packet Marking
    Chapter 3 System Design
    3.1 System Architecture
    3.2 Operation Flow
    3.3 Overlay Server
    3.3.1 Marking Agent
    3.3.2 Overlay Defense Agent
    3.4 Traceback Server
    3.4.1 Detection Agent
    3.4.2 Path Reconstruction Agent
    3.4.3 Analysis Agent
    Chapter 4 System Implementation
    4.1 Overlay Server Implementation
    4.1.1 Marking Agent
    4.1.1.1 Introduction to the IP Header
    4.1.1.2 Deployment
    4.1.1.3 Implementation
    4.1.2 Overlay Defense Agent
    4.2 Traceback Server Implementation
    4.2.1 Integrating the Detection Function into Snort
    Chapter 5 Experiments
    5.1 Experimental Environment
    5.2 Experiment 1
    5.3 Experiment 2
    Chapter 6 Conclusion
    References
Advisor Li-Ming Tseng (曾黎明)
Files 93522018.pdf (approve immediately)
Date of Submission 2006-07-24
