
Using Path-Encoding information against Distributed Denial of Service Attack

Advisor: 李鴻璋

Abstract


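This thesis proposes a solution to distributed denial-of-service (DDoS) attacks. Because current network protocols are built on the IPv4 architecture, the source of a packet cannot be verified, and such attacks are hard to defend against, which threatens the operation of commercial hosts. The PI scheme proposed by Yaar et al. uses path-encoding information to resist the attack, and encoding the network topology with a complete binary tree algorithm gives good results. However, network measurements show that 27% of routers on the network have more than 2 network interfaces, which indicates that the PI scheme cannot accommodate real network topologies. Gao et al. then proposed the Color scheme to address the PI scheme's interface-count problem, but it still has shortcomings. This study therefore goes further: it uses bit encoding (Bits-Encoding) to encode each router's network interface as 2 bits to record the path, and it hashes the network interface of the first router on the path to obtain the Path Signature (PS) Number. These two ideas change the performance of the original scheme: besides accommodating real network topologies and improving path-traceback performance, they also reduce the number of possible attack paths to a minimum.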

Parallel Abstract


In this paper, we present a solution for distributed denial-of-service attacks. Owing to the insecure design of the IP protocol, the source of a packet cannot be identified, and online companies may be threatened and lose a lot of money. Yaar presented the PI scheme, which uses path-encoding information against the attack. Encoding the Internet topology with a complete binary tree works well. However, the CAIDA study shows that 27% of routers have more than 2 interfaces. After that, Gao addressed the PI scheme's problem of insufficient interfaces, but that is still not enough. With Bit-Encoding and PS-Number information, we strengthen the above-mentioned schemes. This both improves the efficiency of traceback and decreases the number of possible attack paths.

References


[2] D. X. Song, A. Perrig, “Advanced and Authenticated Marking Schemes for IP Traceback”, In: Proc. IEEE INFOCOM, Apr. 2001, pp. 878-886
[3] A. Yaar, A. Perrig, D. Song, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks”, In: Proc. IEEE Symposium on Security and Privacy, May 2003, pp. 93-107
[4] S. Savage, D. Wetherall, A. Karlin, T. Anderson, “Practical Network Support for IP Traceback”, In: Proc. ACM SIGCOMM Conference, August 2000, pp. 295-306
[6] A. Belenky and N. Ansari, “IP Traceback with Deterministic Packet Marking”, IEEE Comm. Letters, vol. 7, no. 4, Apr. 2003, pp. 162-164
[7] F. Y. Lee and S. Shieh, “Defending against spoofed DDoS attacks with path fingerprint”, Computers & Security 24, May 2005, pp. 571-586
