抵禦分散式阻斷服務攻擊之來源判別機制

Abstract

近年來層出不窮的分散式阻斷服務攻擊始終影響網路服務的使用。然而在這類攻擊的封包中的來源位址往往是假造的,這不僅使得受害者或執法者難以找到攻擊來源，更難以找到抵禦這方面攻擊的準則。抵禦這類攻擊的關鍵因素在於是否能夠有效的區分合法與攻擊的封包。在我們的觀察中發現在離目的地越遠的地方越能看出封包間的差異，所以我們基於這項特性提出一套方法可以使得受害者有效的區分出合法與攻擊的封包並進而過濾。我們利用實際的網路拓蹼來模擬在受到分散式阻斷服務攻擊時這個方法的成效。實驗結果證明採用這套方法後可以在受到攻擊時能有效的減輕攻擊的影響。而且這套方法不需所有的路由器配合就能達到很好的效果。

Distributed Denial of Service (DDoS) attacks still threaten the Internet. The difficult part in defending against DDoS attacks is the source IP address of attack packets are spoofed. While defending against DDoS attacks, the most important point is to identify the legitimate traffic and attack traffic. In our observation, we find that traffic converge toward the destination from sources, so it is easier to observe the difference of packets come from different sources while packets are far away from the destination. Therefore, a marking-based source identification scheme that can distinguish packets come from different sources obviously so that the victim can filter attack packets effectively is proposed. To verify the proposed scheme, we use the real Internet topologies (CAIDA’s Skitter map and Burch and Cheswick’s Internet map) to simulate DDoS attacks. The simulation results show the significant improvement of legitimate traffic throughput during DDoS attacks. Moreover, the simulation results also demonstrate the scheme is also effective even if not all routers support the marking scheme.