
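In this study we propose a system that detects and filters spoofed packets, in the hope of adding one more layer of protection against DDoS attacks. The HCFS system presented here requires neither large-scale network deployment nor changes to existing network protocols, so it can be set up easily. The more difficult part is building the AHCT database, which requires probing the large number of network domains on the Internet. If the system is combined with a router's anti-spoofing packet filtering, so that packets whose source addresses cannot appear at the border router are filtered out, the system becomes more effective and the cost of building the database is reduced. In the future, the database can be accessed through a more efficient and simpler data structure, which will further improve comparison performance. Research into how DDoS works and how to counter it is ongoing. Defending against DDoS depends on everyone on the network working together: everyone should avoid becoming an accomplice to DDoS, and the most important task is to manage one's own hosts well. Beyond that, some defensive measures should be taken routinely to keep one's own hosts from becoming attack targets, for example: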

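1. Disable unnecessary services.

2. Confirm that your packet filter or firewall allows outbound packets only when their source address belongs to your own network.

3. Update the system regularly.

4. Keep watching the activity logs on the host for suspicious behavior.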
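The filtering summarized above (drop sources that cannot appear at the border router first, then compare a packet's hop count against a probed table) can be sketched as follows. This is an added example, not the thesis's HCFS code: the table layout standing in for the AHCT database, the initial-TTL list, the 30-hop cap, the tolerance, and all addresses are assumptions or constructed sample data.

```python
import ipaddress

# Assumed values: common OS initial TTLs and a cap on plausible path length.
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)
MAX_HOPS = 30

# Sources that cannot legitimately arrive from outside at the border router.
# 203.0.113.0/24 stands in for "our own network" (constructed).
IMPOSSIBLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3", "203.0.113.0/24")]

# Stand-in for the hop-count database: /24 prefix -> hops learned by probing.
# Constructed sample data using documentation address ranges.
HOP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): 12,
    ipaddress.ip_network("198.51.100.0/24"): 7,
}

def candidate_hops(ttl):
    """Hop counts consistent with an observed TTL, one per plausible initial TTL."""
    return {t - ttl for t in INITIAL_TTLS if 0 <= t - ttl <= MAX_HOPS}

def classify(src, ttl, table=HOP_TABLE, tolerance=1):
    """Return the filtering decision for one inbound IPv4 packet."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in IMPOSSIBLE):
        return "drop-border"        # filtered before any table lookup
    expected = table.get(ipaddress.ip_network(f"{src}/24", strict=False))
    if expected is None:
        return "unknown"            # prefix was never probed
    if any(abs(h - expected) <= tolerance for h in candidate_hops(ttl)):
        return "pass"
    return "drop-spoofed"           # TTL does not fit the learned path length

if __name__ == "__main__":
    # Constructed packets: (claimed source, observed TTL)
    for pkt in [("192.0.2.10", 52), ("192.0.2.10", 121), ("10.1.2.3", 60),
                ("198.51.100.9", 57), ("198.18.0.5", 50)]:
        print(pkt, classify(*pkt))
```

Packets rejected at the border never reach the table lookup, which is why such prefixes do not need to be probed or stored.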

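The most important link in system security is people. Many intrusions happen not because the system is weak but because users are careless, and some attacks on the network keep spreading precisely through these vulnerable systems; the worms that have appeared in recent years, for example, spread so fast that people were caught off guard. As technology evolves and network bandwidth increases, future attacks will tend to become ever faster and more complex. In the coming network-economy environment, this is bound to be a very serious problem. If everyone pays more attention to their own hosts, the number of security incidents on the network can be reduced.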


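About the Author

Name: 陳偉羣

Place of origin: Taiwan Province

Date of birth: 8 May, year 70 (Republic of China calendar)

Education and experience: Department of Electronic Engineering, Cheng Shiu Junior College of Technology and Commerce (正修工商專校); Department of Information Management, Southern Taiwan University of Technology (南台科技大學); Graduate Institute of Information Management, Pingtung Institute of Commerce (屏東商業技術學院)

Interests: travel, movies, reading, the Internet, basketball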