With the rapid development of the Internet, network security has become increasingly important. Even so, there is still no complete defense against Distributed Denial of Service (DDoS) attacks. Although information security techniques continue to improve, building an efficient defense mechanism remains one of the major concerns for network administrators. The key to defending against such attacks is the ability to distinguish attack packets from legitimate ones. This thesis proposes the Dynamic Level Weight Distribution (DLWD) defense scheme, which classifies network traffic and applies a different handling policy to each class of traffic. Under attack, the scheme alleviates the damage, guarantees the quality of service that legitimate users should receive, and prevents malicious attackers from consuming network bandwidth without limit. Simulation and comparison using NS2 (Network Simulator, version 2) verified that the proposed scheme can effectively defend against DDoS attacks.