
A Crossfire Attack Prevention Approach for Software Defined Networks

Advisor: 逄愛君
The full text will be available for download on 2024/08/27.

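Abstract


A link-flooding attack is a new type of denial-of-service attack that focuses on cutting off important links in a network. Crossfire is one form of link-flooding attack: by sending packets to decoy servers near the target area, it can block off the entire target area. Our approach aims to keep the attacker from gathering accurate information, and thereby to stop the attack from being launched. In a software-defined networking environment, we can freely choose the source address of ICMP time exceeded messages. By continually changing the source address of these messages, we cause the attacker to mistake the same router for different ones. The attacker then builds a link map in which almost no links carrying attack flows can be found, which makes the attack hard to launch, and so has to give up on the Crossfire attack. We run experiments in a Mininet environment with Ryu as the controller to verify how much the number of attack flows is reduced.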

Parallel Abstract


Link-Flooding Attack (LFA) is a new type of Distributed Denial-of-Service (DDoS) attack that focuses on important links in the network. Crossfire is an LFA that cuts a whole area off from the network by sending packets to decoy servers near the target area. We present Router Mutation, which stops attackers by forcing them to collect wrong network information. In a Software-Defined Networking (SDN) environment, we can send ICMP time exceeded messages with any source IP address we want. We send each message with a virtual IP address that keeps changing. The adversary may take the same router for a different one, so he will build a link map with few attack flows going through it. It is hard for him to launch an attack based on this information, so the adversary would give up on Crossfire. We verify our approach on Mininet with a Ryu controller.
