Advisor: 雷欽隆
Institution: National Taiwan University, Graduate Institute of Electrical Engineering
Author: 黃俊穎 (Huang, Chun-Ying)
Dates: 2007-11-26; 2018-07-06
Year: 2007
URL: http://ntur.lib.ntu.edu.tw//handle/246246/53512

Abstract (Chinese, translated):

As the Internet infrastructure has matured, more and more hosts can be reached through the Internet. People can easily enjoy high-speed network services at home, and advances in modern telecommunication technology let hand-held mobile devices go online anytime and anywhere. These advances, however, also bring many new problems. Because programs always have bugs and most users are unable to notice security vulnerabilities, Internet-connected personal computers and even enterprise servers can be turned into playgrounds for viruses, worms, and hackers. The widespread use of peer-to-peer file sharing and multimedia streaming software also brings new challenges to the network. Traffic generated by peer-to-peer services now accounts for the majority of all network traffic, and it has grown large enough to harm traditional Internet applications.

In this thesis we try to solve the problems created by modern network applications, focusing in particular on network system security and heavy peer-to-peer traffic. Our approach can be summarized in three stages. First, we collect different network traces, including publicly available Internet traces and complete traces from our campus that contain both packet headers and payloads. Based on these traces, we design algorithms that detect, mitigate, or filter traffic that may be harmful to the network or its systems. Finally, we run simulation experiments on these algorithms using real network traffic to evaluate their effectiveness.

Our main contributions are three. The first is a solution for detecting and mitigating distributed denial-of-service attacks between trusted network domains. This solution only works when the trusted domain at the other end of the transmission cooperates. We therefore propose another efficient algorithm for mitigating network attacks against general client networks (networks in which most hosts are clients). This algorithm is designed from the traffic characteristics we observed in our campus client network. It needs no cooperation from other networks, and both its computational and storage complexity are constant. Although the algorithm was designed from campus network traffic, that traffic was completely unfiltered, so we believe it is representative of general network traffic. With minor modifications, the same algorithm can also be used to limit the upload bandwidth of peer-to-peer traffic in client networks. Used directly, however, it sometimes also filters out traffic that is neither attack nor peer-to-peer traffic. We therefore propose a complementary decision algorithm that greatly improves accuracy and lowers the false-positive rate of improper filtering. Using these methods, we have successfully built a general traffic filter that can handle both network attacks and peer-to-peer traffic.

Abstract (English):

As Internet infrastructures have matured, more and more hosts can be reached through the Internet. People can now easily enjoy high-speed networks in their own homes. The evolution of modern telecommunication technologies also makes it possible for hand-held and mobile devices to access the Internet anywhere. However, these changes also bring several new problems. Since there are always bugs in software and most users are unaware of security flaws, Internet-connected personal computers, or even enterprise servers, can be turned into playgrounds for viruses, worms, and hackers. The popularity of peer-to-peer file sharing and multimedia streaming software also brings new challenges to the network. Peer-to-peer traffic now dominates the total traffic load and is even harmful to traditional Internet applications.
In this thesis, we endeavor to solve the problems brought by modern network applications to mature networks, focusing especially on network system security and heavy peer-to-peer traffic loads. Our methodology can be explained briefly in three stages. First, we collect several different traces, including publicly available Internet traces and private header-only or full-payload packet traces from our campus. Based on these traces, we then design algorithms to detect, mitigate, and filter unwanted or harmful network traffic. Finally, these algorithms are evaluated by simulation using the collected real traffic.

Our main contributions are three-fold. First, we propose a solution to detect and mitigate distributed denial-of-service attacks between trusted network domains. The solution requires the cooperation of the two trusted network domains. Therefore, we then propose another efficient algorithm to mitigate network attacks against general client networks, that is, networks composed mostly of client hosts. The proposed algorithm, which is based on the traffic observed in our campus, does not need any cooperation and has only constant computation and storage complexity. Although the algorithm is designed based on observations from a campus network, we believe the traffic we collected is representative of general networks because it is unfiltered. With minor modifications, the algorithm can also be used to bound upload peer-to-peer traffic in client networks. However, it has some probability of dropping non-attack or non-peer-to-peer traffic. For this reason, a more accurate companion algorithm is proposed to reduce the false positives induced by the main algorithm. With these solutions, we have successfully built network traffic filters that handle both network attacks and upload peer-to-peer traffic.

Table of Contents:

1 Introduction . . . 11
2 Background . . . 15
2.1 Traffic Source . . . 15
2.1.1 Source of Attack Traffic . . . 15
2.1.2 Source of Peer-to-Peer Traffic . . . 18
2.1.3 Common Characteristics . . . 19
2.2 Attack Traffic Filtering Mechanisms . . . 20
2.2.1 Intrusion Detection and Intrusion Prevention . . . 20
2.2.2 Mitigate Flooding Attacks . . . 21
2.2.3 Address Filtering . . . 23
2.2.4 Bandwidth Throttling . . . 24
2.2.5 Traceback . . . 25
2.2.6 Overlay Network . . . 27
2.3 Peer-to-Peer Traffic Filtering Mechanisms . . . 28
2.3.1 Traffic Identification . . . 28
2.4 Methodology . . . 29
2.4.1 Test of Approximation Member Sets . . . 29
2.4.2 Count Distinct Elements . . . 30
3 End-to-End Network Survivability Using Router Stamps . . . 33
3.1 Motivation . . . 33
3.2 The Network Architecture and Assumptions . . . 34
3.3 The Detailed Design . . . 36
3.3.1 The Key Setup Process . . . 36
3.3.2 The Stamp Generator . . . 37
3.3.3 The Stamp Analyzer . . . 38
3.4 Performance Analysis . . . 40
3.4.1 Impacts on Packet Loss . . . 40
3.4.2 Memory Requirement . . . 41
3.5 Simulation . . . 42
3.6 Summary . . . 43
4 DDoS Mitigation Using the Bitmap Filter . . . 45
4.1 Motivation . . . 45
4.2 The Bitmap Filter . . . 47
4.2.1 The Usage Model . . . 48
4.2.2 The Client Network Traffic Characteristics . . . 48
4.2.3 Construct the Bitmap Filter . . . 50
4.2.4 Choose Proper Parameters . . . 54
4.3 Evaluation . . . 55
4.3.1 False Positives and False Negatives . . . 55
4.3.2 Performance . . . 57
4.3.3 Simulation with the Packet Trace . . . 57
4.4 Discussion . . . 60
4.4.1 Compatibility . . . 61
4.4.2 Attack from Insiders . . . 62
4.4.3 Adaptive Packet Dropping . . . 62
4.4.4 Colluding with Attackers . . . 64
4.5 Summary . . . 64
5 Bounding Peer-to-Peer Upload Traffic in Client Networks . . . 67
5.1 Motivation . . . 67
5.2 The Client Network Traffic Characteristics . . . 69
5.2.1 Network Setup . . . 69
5.2.2 The Traffic Analyzer . . . 70
5.2.3 Traffic Characteristics . . . 72
5.3 The Modified Bitmap Filter . . . 77
5.4 Evaluation . . . 80
5.5 Summary . . . 81
6 Accurate Peer-to-Peer Upload Traffic Filtering . . . 83
6.1 Motivation . . . 83
6.2 Diversity Measurement . . . 85
6.2.1 Trace Collection . . . 85
6.2.2 Overview of Host Diversities . . . 86
6.2.3 Observations on Peer-to-Peer Hosts . . . 87
6.2.4 Observations on Non-Peer-to-Peer Hosts . . . 89
6.3 The Peer-to-Peer Host Identification Algorithm . . . 92
6.4 Evaluation . . . 98
6.4.1 Accuracy of the Diversity Estimator . . . 98
6.4.2 Effects of Bandwidth Throttling . . . 100
6.5 Summary . . . 103
7 Conclusion . . . 105

Language: en-US
Keywords: bitmap (bit array); distributed denial of service (DDoS) attack; host (connection) diversity; peer-to-peer computing; stamp; traffic filtering
Title (Chinese, translated): Network Traffic Filtering: Using Stamps, Bit Arrays, and Connection Diversity
Title (English): Network Traffic Filtering: Using Stamps, Bitmaps, and Host Diversities
Type: thesis