Title: | A Defense Scheme against Spoofed DDoS Attacks at the Source |
Authors: | Sheng-Hsuan Wang (王勝鉉); Shiuh-pyng Shieh (謝續平); Institute of Computer Science and Engineering |
Keywords: | spoofed DDoS; source network |
Date issued: | 2003 |
Abstract (translated from Chinese): | Distributed denial-of-service (DDoS) attacks are a serious threat to the network, and spoofed-source DDoS attacks are even more so. Although many defenses against this type of attack have been proposed, they are not applicable in some environments, such as Mobile IP, because they simply filter out every packet with a spoofed source address. We propose a source-end defense method that accurately detects and effectively blocks spoofed-source DDoS attacks, protecting the victim. The method lets spoofed-source traffic that is not part of an attack enter the network, because it classifies network traffic and applies a different handling policy to each class. Detection is designed around three characteristics of the attack. First, the attacker sends a large volume of packets to the victim. Second, to hide the origin of the attack and to make filtering at the victim difficult, the attacker forges the packets' source addresses. Third, a DDoS attack causes severe packet loss along the path to the victim. Prevention blocks or rate-limits traffic according to its attack behavior. Experimental results confirm that the method effectively prevents attacks. |
Abstract (English): | Distributed Denial of Service (DDoS) attacks, especially spoofed DDoS attacks, are a serious threat to the Internet. In the last few years, much research has been devoted to detecting and preventing spoofed DDoS attacks. However, these approaches are impractical for some types of services, such as Mobile IP, because they filter all spoofed traffic. We propose a source-end spoofed DDoS defense scheme that accurately detects and effectively prevents spoofed DDoS attacks in order to protect servers. The scheme allows non-attack spoofed traffic to enter the Internet because it classifies the traffic and applies different policies to distinct types. Three characteristics of spoofed DDoS attacks are used to design the detection scheme. First, an enormous volume of attack traffic is sent to the victim. Second, the source addresses of packets are forged in order to conceal the origins of the attack and to make filtering at the victim difficult. Third, there is a high packet loss rate along the paths to the victim. The prevention scheme blocks or limits the allowed bandwidth of attack traffic according to its behavior. Finally, experimental results show that the scheme can effectively prevent spoofed DDoS attacks. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT009117544 http://hdl.handle.net/11536/49846 |
Appears in collections: | Theses |