Title: | Detecting Distributed Reflection Denial of Service Attack in Software Defined Network |
Author: | Lu, Wei-Chih; Tsai, Shi-Chun (Institute of Computer Science and Engineering) |
Keywords: | Distributed Reflection Denial of Service attack; software defined network; machine learning; DNS amplification attack; DDoS |
Issue Date: | 2016 |
Abstract: | Distributed denial of service attacks frequently knock websites out of service, achieving the attacker's goal and inconveniencing users. One attack method uses open services as reflection points together with packet amplification; this is called a distributed reflection denial of service attack. Such attacks forge the source IP address, so they are hard to trace back, and they also generate far more traffic than an ordinary denial of service attack. DNS amplification is one example. DNS provides translation between domain names and IP addresses so that people need not memorize irregular IP addresses. Because the DNS service produces query packets and response packets of unequal size, and because an incorrectly configured DNS server will answer the domain-name-to-IP translation for every source IP that asks, such misconfigured DNS servers can be abused as traffic amplifiers. An attacker uses them to carry out DDoS attacks: the attacker only needs to forge the victim's IP address and send a small volume of query packets to produce tens of times that volume of reply traffic to the victim's address, and this situation is especially common in campus networks. To prevent someone on a campus network from setting up an open service such as DNS or NTP without configuring it correctly and having it exploited to launch DDoS attacks, this thesis proposes an architecture: at the network ingress/egress, a machine learning method is used to detect reflection and amplification attack traffic. Because traffic at the network ingress/egress is heavy, we use SDN technology to copy packets and steer the copies to the machine we use to detect attacks; through SDN we obtain only the traffic we want to inspect, and when malicious traffic is detected we again use SDN mechanisms to block the amplification attack. Because this type of attack has similar characteristics, machine learning methods can effectively identify these traffic-amplifying network attacks.
DDoS (Distributed Denial of Service) attacks can disable a network service easily if the system is not well managed and defended. One DDoS attack method uses open services as reflectors to launch attacks; this is called DRDoS (Distributed Reflection Denial of Service). In this type of attack it is difficult to trace the attackers, because they usually spoof their IP addresses, and the attack always generates more traffic than a normal DDoS attack. Attackers amplify the amount of attack traffic by targeting vulnerabilities of protocols and services; this kind of attack is called an amplification attack. The DNS amplification attack is one instance. DNS translates domain names to numerical IP addresses, but DNS servers reply with packets that are substantially larger than the request packets. Hence open recursive DNS servers are used by attackers as packet amplifiers to launch DRDoS attacks. In order to avoid this type of attack in a campus network, we propose a system that blocks amplification attacks automatically. Because our system is built at the network entrance, we use SDN techniques to mirror only the packets needed to our detection agent. When the detection agent classifies a flow as an attack, we use the SDN controller's RESTful API to add flow rules on the OpenFlow switch that drop the malicious packets. Thus we can block attacks by adding a flow rule that drops the packets from the specific IP address. DRDoS attacks share similar features, so we can detect them with machine learning techniques. Our system can detect both DNS and NTP amplification attacks. |
URI: | http://etd.lib.nctu.edu.tw/cdrfb3/record/nctu/#GT070356095 http://hdl.handle.net/11536/138535 |
Appears in Collections: | Thesis |