Title: Tracing Attackers with Packet Marking and Reducing the Error Rate under Packet Loss
A New DPM Scheme with an Optional Lost-Correction Process for Tracing Multiple Internet Attackers
Authors: 林怡彣
Iven, Lin
李程輝
Tsern-Huei Lee
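Institute of Communications Engineering
Keywords: Network Security; Attacker Tracing; Deterministic Packet Marking; IP Traceback; DDoS
Issue date: 2004
Abstract: As network application services multiply, network security has drawn wide attention, and how to detect attacks and locate the attackers has become a research focus in recent years. Deterministic Packet Marking (DPM) is one packet-marking method. It requires marking only at edge routers and, compared with other packet-marking methods, is more scalable and does not reveal the network topology. DPM also solves the marking-spoofing problem: attackers cannot forge marks to mislead the victim's judgement. Because only seventeen bits of the packet header are available for marking, carrying a router's full thirty-two-bit address takes two or more packets, so the problem is how to use packets efficiently to carry information while reducing the complexity and error rate of address reconstruction at the victim. Previously proposed DPM algorithms have too high a false positive rate and do not consider the false negative rate of the addresses reconstructed at the victim when some marked packets are lost. This thesis therefore proposes a new algorithm that greatly reduces the error rate and provides a remedy for packet loss, lowering the false negative rate at the cost of a higher error rate.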
Deterministic packet marking (DPM) has recently been proposed as an alternative approach for tracing attackers. It is more scalable, simple to implement, backward compatible with Internet equipment that does not implement it, and requires no extra bandwidth. In addition, service providers can implement DPM without revealing their internal network topology. Unfortunately, the false positive rate of previous DPM schemes could be very high. Moreover, previous DPM schemes all evaluate their performance under the assumption that victims receive every kind of marked packet. In reality, victims collect marked packets over a time interval and cannot tell whether all marked packets have been received. In this paper, a new DPM scheme is proposed with an optional lost-correction process that can reduce the false negative rate caused by not receiving some marked packets. Compared with the DPM-Hash scheme, for 1K simultaneous attackers, the false positive rate of the proposed scheme without the lost-correction process is around 0.11% and the reconstruction process is much faster.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009213613
http://hdl.handle.net/11536/70534
Appears in collections: Theses


Files in this item:

  1. 361301.pdf
