
An Intrusion Prevention System against TCP SYN Flooding DDoS Attacks in a Multi-Service Environment (title translated from Chinese)

An Effective Intrusion Prevention System to Protect Multi-Services against TCP SYN Flooding DDoS Attacks

Advisor: 孫宏民 (Hung-Min Sun)

Abstract


Distributed denial-of-service (DDoS) attacks have been among the most common attack incidents in recent years, and the losses they cause network operators rank among the highest. With the growth of the Internet, almost every company now runs its own servers, such as web servers, mail servers and file servers. Once these servers are attacked, the company suffers serious losses. The most commonly used denial-of-service attack is TCP SYN flooding, which exploits a weakness in the TCP three-way handshake. Traditional firewalls and intrusion detection systems are not sufficient to defend against TCP SYN flooding, and there is currently no complete solution. This thesis proposes a system that collects, for each service, a database of legitimate user addresses, and builds a backlog queue for each service, using that backlog queue as the basis for detecting an attack. When an attack is about to occur, the system activates a packet filtering mechanism that filters packets against the legitimate-user address database. The system has the following five characteristics: (1) it protects multiple back-end services simultaneously without needing information about each host's backlog queue; (2) it detects attacks in real time and activates the packet filtering mechanism; (3) in the packet-filtering matching algorithm, an IP address lookup has time complexity O(n), where n depends on the number of services under attack, which reduces the delay experienced by legitimate users; (4) if an attacker launches an attack using a legitimate IP address from the database, we can detect this immediately and temporarily filter out that IP address; (5) it can be deployed on an edge router, a NAT router, or directly on the protected host. Through the packet filtering mechanism, attack packets are blocked dynamically, so that normal users can still access the server's services during a DDoS attack. Finally, experiments test whether this mechanism is effective and analyze system performance, defensive effectiveness, and the impact on normal users. The thesis presents the key experimental results to demonstrate that this approach can indeed protect multiple servers against TCP SYN flooding attacks.

Abstract (English)


In recent years, DDoS attacks have occurred frequently and caused a great deal of damage to enterprises that provide network services. With the growth of the network, almost every enterprise provides more and more services on the network, such as Web, Mail and FTP services. If these services suffer a DDoS attack, the enterprise incurs great losses. The best-known type of DDoS attack is the TCP SYN flooding attack, which is based on a vulnerability of the TCP three-way handshake. Firewalls and intrusion detection systems are not effective at defending against this type of attack, and there is still no complete solution. In this thesis, we collect the legitimate IP addresses for each service in a database and protect these services according to these databases. We also create a backlog queue for each service, so that we can detect an attack by checking it. When an attack is detected, the packet filtering mechanism is activated to protect the victim services. Our system has five characteristics: (1) it protects multiple services without knowing any information about these services; (2) it detects the attack and activates the packet filter instantly; (3) the complexity of the IP search algorithm is only O(n), where n is the number of services under attack, which reduces the delay for legitimate users; (4) we can instantly detect that an attacker is using a legitimate IP address to attack and then filter out that IP address; (5) the system can be built into an edge router, a NAT server or the protected server. With the proposed mechanism, we can effectively defend against the TCP SYN flooding attack and continue to provide service to legitimate users. Finally, we conduct experiments to evaluate this mechanism and analyze system performance, effectiveness and the influence on legitimate users. We show that this mechanism effectively protects multiple services against TCP SYN flooding attacks.
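As an added example (not code from the thesis), the following Python model sketches the detection and filtering logic that both abstracts describe: a per-service backlog that switches filtering on when it nears capacity, a legitimate-IP database consulted only for services under attack, and temporary filtering of a legitimate address that is itself used to flood. The class, thresholds, the learn-on-completed-handshake rule and the traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

BACKLOG_LIMIT = 4      # assumed: half-open entries per service that trigger filtering
LEGIT_SYN_LIMIT = 3    # assumed: SYNs a legitimate IP may send while filtering is on


class SynFloodIPS:
    """Per-service backlog watch plus legitimate-IP filtering (hypothetical model)."""

    def __init__(self, legit_db):
        self.legit_db = {svc: set(ips) for svc, ips in legit_db.items()}
        self.backlog = defaultdict(set)     # service -> source IPs with a half-open SYN
        self.filtering = set()              # services whose packet filter is active
        self.syn_count = defaultdict(int)   # (service, ip) -> SYNs seen while filtering
        self.quarantined = set()            # (service, ip) temporarily filtered

    def on_syn(self, service, src_ip):
        """Decide 'accept' or 'drop' for one SYN to the given service (dst port)."""
        if service in self.filtering:       # lookups only for services under attack
            key = (service, src_ip)
            if key in self.quarantined or src_ip not in self.legit_db.get(service, ()):
                return "drop"
            self.syn_count[key] += 1
            if self.syn_count[key] > LEGIT_SYN_LIMIT:   # legitimate IP being abused
                self.quarantined.add(key)
                return "drop"
        self.backlog[service].add(src_ip)
        if len(self.backlog[service]) >= BACKLOG_LIMIT:
            self.filtering.add(service)     # backlog nearly full: switch the filter on
        return "accept"

    def on_ack(self, service, src_ip):
        """Handshake completed: clear the half-open entry; learning the client is an assumption."""
        self.backlog[service].discard(src_ip)
        self.legit_db.setdefault(service, set()).add(src_ip)


def run_scenario():
    """Constructed traffic: spoofed flood on port 80, then real clients and an untouched port 25."""
    ips = SynFloodIPS({80: {"10.0.0.5", "10.0.0.6"}})
    results = {}
    for i in range(6):                       # six spoofed sources hit the web service
        results[f"spoof{i}"] = ips.on_syn(80, f"198.51.100.{i}")
    results["legit"] = ips.on_syn(80, "10.0.0.5")          # known client still gets through
    results["abused_legit"] = [ips.on_syn(80, "10.0.0.6") for _ in range(4)]
    results["other_service"] = ips.on_syn(25, "198.51.100.9")  # mail not under attack
    return results, ips
```

The first four spoofed SYNs fill the port-80 backlog and turn the filter on; later unknown sources are dropped, the known client is accepted, a known address that keeps sending SYNs is quarantined, and port 25 is never consulted.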
