以與攻擊者端距離為基礎將IP封包蓋標記之IP追溯架構

Abstract

DDoS 攻擊現在仍是Internet上的一個很大的威脅。當出現DDoS攻擊時，IP封包上的位址經常是假造的。這就使一些IP 追溯的方法出現了。其中一種有效的方法就是Probabilistic Packet Marking，這種方法讓路由器依著機率在封包上面寫上自己的位址，這樣受害者端就可用收到的封包建出攻擊路徑。然而，基於機率的本質，這些方法都不能在期待的封包數目之內建立攻擊路徑。在本篇論文中，我們提供了一個以與攻擊者端距離為基礎將封包蓋印之IP 追溯架構，它的英文縮寫是DBPM。DBPM需要比其他方法少得多的封包數目就可建出攻擊者路徑。因此，當使用DBPM去對付DDoS攻擊時，就能夠快速地對攻擊做出反應進而緩和攻擊的果效。DBPM嘗試使受害端依著路由器在攻擊路徑的順序收到它們蓋過印的封包，然後就快速地建出攻擊路徑。我們的研究顯示DBPM真的可以比其他方法使用更少的封包建出攻擊路徑。此外，DBPM也考慮了設置上的問題，DBPM可使用較少支援DBPM的路由器達到相同的效果。

DDoS attacks are still a major treat for the Internet. In such attacks, IP packets are always sent with spoofed IP address. Therefore, some IP traceback approaches have appeared. One promising approach is the Probabilistic Packet Marking, in this approach, routers write their IP addresses in a packet with a probability, and then the victim can reconstruct attack paths with collected packets. However due to their probabilistic nature, they always need more than the expected number of packets to reconstruct attack paths. In this research, we have proposed a Packet Marking scheme called Distance-Based Packet Marking scheme (DBPM) that requires much fewer packets than other Packet Marking schemes to reconstruct attack paths. Consequently with DBPM, it is faster to react against DDoS attacks and mitigate the attack effect. DBPM tries to make the victim receive packets marked by each router in the order of their position on the attack path, and then achieves the rapid reconstruction of attack paths. As result of our research, DBPM can really uses fewer packets relative to other packet marking schemes for the reconstruction of attack path. Besides DBPM is improved in deployment issue, that is, DBPM can achieve the same effect with fewer routers supporting DBPM.