Title: Research and Design of Defense Mechanisms against Distributed Denial-of-Service Attacks
Designing Protection Mechanisms against DDOS Attacks
Author: 謝續平
SHIEH SHIUH-PYNG
Department of Computer Science, National Chiao Tung University
Keywords: Network Security; Intrusion Detection and Prevention; Distributed Denial-of-Service (DDoS) Attacks; IP Spoofing; IP Traceback.
Publication date: 2007
Abstract: As computer network technology continues to advance, people's daily lives have become closely tied to computer networks, and at the same time network attacks have become an issue that deserves attention. In recent years, distributed denial-of-service (DDoS) attacks have become the most conspicuous of the many kinds of network attack incidents. An attacker compromises a large number of poorly protected computer systems and then uses these compromised systems to launch a denial-of-service attack against a network server. During the attack, users of that server experience noticeable network delay and heavy packet loss, or cannot establish a connection to the server at all, so the attacker easily achieves the effect of denying service. Conversely, resisting or detecting this type of network attack is very difficult, mainly because of the large number of poorly protected computers on the network, the use of spoofed network addresses, the high similarity between attack packets and legitimate packets, and the difficulties caused by the distributed nature of network administration. This project focuses on the design of defense mechanisms against DDoS attacks. We plan to approach countermeasures for this type of attack from three different angles: techniques for tracing the attacker, victim-end defense, and attacker-end defense. To deter attackers from continuing their attacks, the first stage of this project will propose a practical technique for tracing attackers. The second stage will propose a victim-end defense system for detecting network packets with spoofed source addresses. Since DDoS attack traffic consists mainly of such packets, identifying and blocking packets with spoofed source addresses lets us filter out attack packets and so preserve the server's ability to keep providing service. Moreover, because attackers can forge source addresses at will, the victim cannot identify the origin of the attack packets, and attackers thereby reduce their risk of being discovered. The third stage will propose a defense technique that confines attack packets to the attacker-side network, preventing attack packets from entering the Internet and thereby reducing the network congestion caused by attack traffic. Finally, the victim-end defense system, the attacker-end defense system, and the attack-source traceback technique will be integrated to block network attacks effectively.
The widespread incidence of distributed denial-of-service (DDoS) attacks has highlighted a great demand for effective DDoS countermeasures. Owing to the large number of insecure systems supplying DDoS attackers with abundant attack zombies, and to the set of easily acquired and deployed DDoS attack tools, malicious users can easily overwhelm Internet servers with DDoS attack packets. On the other hand, defending against DDoS attacks has been made very complicated by large sets of attack zombies, IP spoofing techniques, the high level of similarity between legitimate and attack packets, and the independent and distributed nature of network administration. This proposal presents DDoS attack defense mechanisms. In particular, it explores defensive approaches from three distinct directions, namely victim-end defense, attack traceback and attacker-end defense. To deter future DDoS attacks, it is imperative to locate the origins of DDoS attack flows, and therefore the first stage of our proposal will propose a traceback mechanism to trace the sources of spoofed DDoS attack flows even if there is only a single packet in each attack flow. The second stage of this proposal will focus on the design of a victim-end defense scheme. It aims at identifying the spoofed IP packets that dominate DDoS attack traffic. This allows Internet servers to sustain their services to legitimate clients when under attack. With the presence of IP spoofing, the source IP addresses inscribed in DDoS attack packets are usually untrustworthy, and DDoS attackers run a low risk of being discovered. The third stage targets detecting DDoS attack flows at their sources and confining attack packets to the source networks. With widespread deployment of this scheme, we can stop attack packets from entering the Internet and subsequently reduce the possible network congestion caused by attack streams.
Official document #: NSC95-2221-E009-095-MY3
URI: http://hdl.handle.net/11536/88802
https://www.grb.gov.tw/search/planDetail?id=1638522&docId=279847
Appears in Collections: Research Projects