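This thesis proposes two ways of deploying tunneling tracers, marking tracers, and filtering tracers, and combines them with four types of tunneling mechanisms.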
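The core deployment method proposed here uses several tunneling tracers to enclose a number of protection areas. Each protection area guarantees that a packet will encounter a tunneling tracer within K routers, and the tunneling tracer decides, according to the tunneling mechanism, whether to forward the packet to a filtering tracer for inspection and filtering. The surrounding deployment method proposed here uses all of the tracers to enclose a number of protection areas, and likewise guarantees that a packet will encounter some tracer within K routers. If the packet meets a tunneling tracer, that tracer again decides, according to the tunneling mechanism, whether to forward the packet to a filtering tracer for inspection and filtering; if it meets a filtering tracer directly, inspection and filtering are performed on the spot. Besides pairing tunneling tracers with filtering tracers, we also add marking tracers to mark packets. Marked packets help us locate nodes closer to the sender of the malicious packets, and, together with the tunneling tracers, they help the system identify tunneling tracers that have no malicious node upstream and turn off their tunneling function. This not only reduces the load on the routers but also keeps normal users from being affected by large numbers of packets being forwarded.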
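The K-router guarantee described above can be checked for a candidate tracer placement. The following is an added example, not code from the thesis: the topology, the tracer sets, and every function name are constructed for illustration. It assumes the guarantee means that any loop-free path of K routers contains at least one tracer, and it checks this independently of routing, which is stricter than checking only the routed paths.

```python
# Added example: the topology and all names are constructed for illustration.
from typing import Dict, Iterable, List, Optional, Set, Tuple

Graph = Dict[str, Set[str]]


def build_graph(edges: Iterable[Tuple[str, str]]) -> Graph:
    """Undirected router adjacency from a list of links."""
    graph: Graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def find_uncovered_path(graph: Graph, tracers: Set[str], k: int) -> Optional[List[str]]:
    """Return a loop-free path of k routers with no tracer on it, or None."""
    def dfs(path: List[str]) -> Optional[List[str]]:
        if len(path) == k:
            return list(path)
        for nxt in sorted(graph[path[-1]]):
            if nxt in tracers or nxt in path:
                continue  # stop at tracers, never revisit a router
            found = dfs(path + [nxt])
            if found:
                return found
        return None

    for start in sorted(graph):
        if start not in tracers:
            hit = dfs([start])
            if hit:
                return hit
    return None


def smallest_k(graph: Graph, tracers: Set[str]) -> int:
    """Smallest K for which every K-router path meets a tracer."""
    k = 1
    while find_uncovered_path(graph, tracers, k) is not None:
        k += 1
    return k


# Constructed topology: a chain r1..r7 with a side branch r4-r8-r9.
LINKS = [("r1", "r2"), ("r2", "r3"), ("r3", "r4"), ("r4", "r5"), ("r5", "r6"),
         ("r6", "r7"), ("r4", "r8"), ("r8", "r9")]
TOPOLOGY = build_graph(LINKS)

if __name__ == "__main__":
    print(find_uncovered_path(TOPOLOGY, {"r3", "r6"}, 3))  # a gap in coverage
    print(smallest_k(TOPOLOGY, {"r3", "r6", "r8"}))        # tighter placement
```

The depth-limited search costs at most (maximum degree)^K steps per start node, so it stays cheap for the small K values a protection area is meant to enforce.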
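In the simulation results, the surrounding deployment method performs best overall, especially when combined with mechanisms that dynamically adjust the tunneling probability, namely the distance estimation method with dynamic probability and the marking-assisted method with dynamic probability. For the core deployment method, the marking-assisted method with dynamically adjusted tunneling probability gives the best results. In addition, the tracing cost shows that when the victim is under attack, the time cost of sending trace requests to the tracers is lower than with the other methods.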
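In the future, if the tunneling, marking, and filtering tracers can be implemented on OpenFlow switches in conjunction with Software-Defined Networking [45], the methods proposed here will be better able to improve today's real-world networks, which are rife with malicious attacks.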
References
[1] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/Tim_Berners-Lee. [Accessed 7 8 2014].
[2] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/World_Wide_Web.
[3] "Prolexic," [Online]. Available: http://www.prolexic.com/knowledge-center-ddos-attack-report-2014-q1.html.
[4] "ATLAS," [Online]. Available: https://atlas.arbor.net/summary/dos.
[5] "iThome," [Online]. Available: http://download.ithome.com.tw/article/index/id/1942.
[6] 黃繼民, "資安人," 23 12 2013. [Online]. Available: http://www.informationsecurity.com.tw/article/article_detail.aspx?aid=7737.
[7] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/Ddos#Internet_Control_Message_Protocol_.28ICMP.29_flood.
[8] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/Ddos#.28S.29SYN_flood.
[9] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/Ddos#Teardrop_attacks.
[10] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/Ddos#R-U-Dead-Yet.3F_.28RUDY.29.
[11] "IETF," 9 1981. [Online]. Available: http://tools.ietf.org/html/rfc791.
[12] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/IP_address_spoofing. [Accessed 16 7 2014].
[13] S. Savage, D. Wetherall, A. Karlin and T. Anderson, "Practical Network Support for IP Traceback," ACM SIGCOMM, vol. 30, no. 4, pp. 295-306, 2000.
[14] D. X. Song and A. Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback," INFOCOM, vol. 2, pp. 876-886, 2001.
[15] A. Belenky and N. Ansari, "IP Traceback With Deterministic Packet Marking," IEEE COMMUNICATIONS LETTERS, vol. 7, no. 4, pp. 162-164, 2003.
[16] Y. Bhavani, V. Janaki and R. Sridevi, "IP Traceback through Modified Probabilistic Packet Marking Algorithm," in TENCON, 2013.
[17] M. Okada, N. Goto, A. Kanaoka and E. Okamoto, "A Device for Transparent Probabilistic Packet Marking," Computer Software and Applications Conference Workshops, pp. 242-247, 2013.
[18] M. Alenezi and M. J. Reed, "Efficient AS DoS Traceback," Computer Applications Technology (ICCAT), pp. 1-2, 2013.
[19] L. Yonghui, W. Yulong, Y. Fangchun, S. Sen and Y. Dong, "Deterministic Packet Marking Based on the Coordination of Border Gateways," Education Technology and Computer (ICETC), vol. 2, pp. 154-161, 2010.
[20] Y. Xiang, W. Zhou and M. Guo, "Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks," Parallel and Distributed Systems, vol. 20, no. 4, pp. 567-580, 2009.
[21] Z. Deshan and C. Bin, "Research on the Algorithm of Data Packet Marking for DDoS Attack," Information Science and Engineering (ICISE), pp. 1828-1830, 2009.
[22] V. Soundar Rajam and S. Shalinie, "A novel traceback algorithm for DDoS attack with marking scheme for online system," Recent Trends In Information Technology (ICRTIT), pp. 407-412, 2012.
[23] K. Stefanidis and D. Serpanos, "Packet Marking Scheme and Deployment Issues," in Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, 2007.
[24] A. Yaar, A. Perrig and D. Song, "Pi: a path identification mechanism to defend against DDoS attacks," in Security and Privacy, 2003.
[25] A. Yaar, A. Perrig and D. Song, "StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense," IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1853-1863, 2006.
[26] L. A. Sanchez, W. C. Milliken, A. C. Snoeren, F. Tchkountio, C. E. Jones, S. T. Kent, C. Partridge and W. T. Strayer, "Hardware Support for a Hash-Based IP Traceback," in BBN Technologies, 2001.
[27] A. C. Snoeren, C. E. Jones, C. Partridge, L. A. Sanchez, F. Tchakountio, S. T. Kent and W. T. Strayer, "Hash-Based IP Traceback," in BBN Technologies, 2001.
[28] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B. Schwartz, S. T. Kent and W. T. Strayer, "Single-Packet IP Traceback," Networking, vol. 10, no. 6, pp. 721-734, 2002.
[29] H. Tian and J. Bi, "An Incrementally Deployable Flow-Based Scheme for IP Traceback," IEEE COMMUNICATIONS LETTERS, vol. 16, no. 7, pp. 1140-1143, 2012.
[30] V. Aghaei-Foroushani and A. N. Zincir-Heywood, "On Evaluating IP Traceback Schemes: A Practical Perspective," in IEEE Security and Privacy Workshops, 2013.
[31] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/Firewall_(computing).
[32] C.-H. Wang and C. D. Chang, "Heterogeneous tracers against DDoS Attacks," in Communication Technology, 2011.
[33] B. Al-Duwairi and M. Govindarasu, "Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback," PARALLEL AND DISTRIBUTED SYSTEMS, vol. 17, no. 5, pp. 403-418, 2006.
[34] G. Chao and S. Kamil, "A More Practical Approach for Single-Packet IP Traceback Using Packet Logging and Marking," PARALLEL AND DISTRIBUTED SYSTEMS, vol. 19, no. 10, pp. 1310-1324, 2008.
[35] X.-j. WANG and Y.-l. XIAO, "IP Traceback based on Deterministic Packet Marking and Logging," Scalable Computing and Communications, pp. 178-182, 2009.
[36] N. Lu, Y. Wang, F. Yang and M. Xu, "A Novel Approach for Single-Packet IP Traceback Based on Routing Path," Parallel, Distributed and Network-Based Processing (PDP), pp. 253-260, 2012.
[37] S. Saurabh and A. S. Sairam, "Computer and Communication Technology," in Eagle Eyes: Protocol Independent Packet Marking Scheme to Filter Attack Packets and Reduce Collateral Damage During Flooding Based DoS and DDoS Attacks, 2012.
[38] C.-H. Wang, C.-W. Yu, C.-K. Liang, K.-M. Yu, W. Ouyang, C.-H. Hsu and Y.-G. Chen, "Tracers Placement for IP Traceback against DDoS Attacks," in Wireless communications and mobile computing, New York, 2006.
[39] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/Bloom_filter.
[40] "Wikipedia," [Online]. Available: http://en.wikipedia.org/wiki/Tunneling_protocol.
[41] J. Keegan, "Infrastructure Adventures," 5 12 2010. [Online]. Available: http://infrastructureadventures.com/2010/12/05/network-virtualization-beyond-vlans-%E2%80%93-part-4-tunnels/.
[42] C.-C. Lien, "Tracers Deployment of Nodes-Aware Protection Areas against DDoS