
Conclusion

From the document 中華大學 (Chung Hua University), pages 52-55

This thesis proposes four tunneling strategies that use Filters to screen out attack packets, reducing the impact that the large volume of attack traffic in a DDoS attack has on the network. Heterogeneous Tracers, namely routers with tunneling and marking capabilities, are scattered randomly across the network. Tunneling-enabled routers forward packets to a Filter, which extends the Filter's reach so that its effectiveness does not suffer when Filters are few and sparsely distributed. Each tunneling router decides, according to a dynamic probability, whether to forward a packet to a Filter; this lowers the extra cost that packet forwarding would otherwise incur, lets attack packets be filtered out as early as possible in the network, and better matches the actual traffic conditions at different nodes. With Marking-enabled routers added as an aid, the region containing the attack path can be identified, so that not every tunneling router needs to start forwarding packets; this lowers the Active Ratio of Tracers and reduces the load on routers. The simulation results show that even under an extremely low attack volume (for example, 30% attack traffic), dynamic tunneling still reduces the total network cost, and, combined with marking routers that delimit the region in which tunneling routers are activated, brings the active ratio of tunneling routers below 80%, saving total network cost. In future work, if a tunneling router could choose the Filter with the lowest forwarding cost, or if Tracers could be deployed methodically at more important positions in the network, such as Border Routers and Edge Routers, even better filtering of attack packets could be achieved.


