博碩士論文 etd-0728118-204138 詳細資訊
Title page for etd-0728118-204138
Title (Chinese): 利用IP變異性於SDN網路中有效偵測巨量資料流與阻擋DDoS攻擊
Title (English): Using IP variability to efficiently detect elephant flows and defend DDoS attacks in SDN-based networks
Department:
Year, semester:
Language:
Degree:
Number of pages: 61
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2018-08-07
Date of Submission: 2018-08-28
Keywords: OpenFlow protocol, Elephant flow, DDoS attack, SDN
Statistics: The thesis has been browsed 5701 times and downloaded 0 times.
Abstract (Chinese, translated)
In today's Internet, the distributed denial-of-service (DDoS) attack is a common threat: many computers send a large number of connection requests to the same target so that the target can no longer provide normal service. Traditional approaches can only block DDoS attacks with a firewall, which still leaves many problems. The emerging software-defined networking (SDN) is threatened by DDoS as well, because the attack is launched from many zombie computers and therefore produces a very large number of IP addresses, which can paralyze the controller. Previous SDN approaches typically record a large amount of feature information while handling an attack, which burdens the controller and wastes resources. Moreover, relying on features alone to recognize DDoS attacks can produce false alarms: an elephant flow, for example, transfers a large amount of data over a period of time and, although it is a legitimate connection, may be blocked because its features resemble a DDoS attack.
Targeting the multiple-IP-address characteristic of DDoS attacks, we propose an IP-variability access mechanism. When an attack occurs, our method records the IP addresses seen during that period using a more efficient storage scheme; the controller then judges whether the IP variability within the IP storage space is too high. If it is, we install a new flow rule that temporarily isolates the attack traffic so that the original traffic is not affected, and after observing whether the traffic returns to normal we delete that flow rule so that the whole topology stays stable.
Simulations show that our method reduces the attack while avoiding blocking elephant flows, and that during a DDoS attack it can effectively block TCP SYN floods, UDP floods and ICMP floods.
Abstract
A distributed denial-of-service (DDoS) attack is a common threat on the Internet. It uses multiple zombie computers to send a large number of requests to the same victim host so that the victim can no longer provide normal services. Traditional methods usually block DDoS attacks with a firewall, but their performance is not good. A software-defined network (SDN) is also threatened by DDoS attacks, because the controller can be paralyzed by the flood of spam packets. Past SDN solutions record a lot of feature information to identify DDoS attacks, which burdens the controller with a heavy load and wastes its computational resources. Besides, these methods can also raise false alarms on normal services such as elephant flows, since such flows also produce a large amount of data in a short period.
Since DDoS attacks usually use multiple random source IP addresses, this thesis proposes a DDoS defense mechanism based on IP variability. When a potential attack occurs, our mechanism records the necessary packet information in an efficient manner. Then the controller checks whether the IP variability of the stored packets exceeds a threshold. If so, the controller adaptively installs flow rules in the switches to discard DDoS packets. After the attack, these flow rules are removed accordingly. In this way, we prevent DDoS packets from attacking the network.
Through simulations, we show that our proposed mechanism can efficiently detect and defend against DDoS attacks (including TCP SYN flood, UDP flood, and ICMP flood) and also identify elephant flows.
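As an added illustration of the control loop the abstract describes (this is example code written for this page, not the thesis's implementation), the sketch below keeps a per-destination window of source addresses, computes an "IP variability" score as distinct sources divided by packets in the window, treats a high score as a DDoS signal and a low score with a large byte count as an elephant flow, installs a drop rule for the attacked destination, and removes the rule once the traffic has looked normal for a few windows. The window size, the thresholds, the use of a plain set as the IP store, and the shape of the flow-rule record are all assumptions; the thesis's compact storage scheme and exact thresholds are not on this page, and the traffic is constructed inline.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed parameters for this example; the thesis's actual values are not given here.
WINDOW_PACKETS = 100          # packets inspected per destination before a verdict
VARIABILITY_THRESHOLD = 0.5   # distinct source IPs / packets in the window
ELEPHANT_BYTES = 1_000_000    # bytes in one window that mark a large legitimate flow
CLEAR_WINDOWS = 2             # consecutive normal windows before a rule is removed


@dataclass
class Verdict:
    dst: str
    variability: float
    total_bytes: int
    label: str  # "ddos", "elephant" or "normal"


@dataclass
class Detector:
    # Per-destination window of (src_ip, bytes). A plain deque/set stands in for
    # the thesis's more compact IP store (assumption).
    windows: dict = field(default_factory=lambda: defaultdict(deque))
    flow_rules: dict = field(default_factory=dict)   # dst -> installed rule
    calm: dict = field(default_factory=lambda: defaultdict(int))
    verdicts: list = field(default_factory=list)
    events: list = field(default_factory=list)       # ("install"|"remove", dst)

    def observe(self, src, dst, nbytes):
        """Record one packet; return a Verdict when the destination's window fills."""
        w = self.windows[dst]
        w.append((src, nbytes))
        if len(w) < WINDOW_PACKETS:
            return None
        verdict = self._judge(dst, w)
        w.clear()
        self.verdicts.append(verdict)
        self._update_rules(verdict)
        return verdict

    def _judge(self, dst, w):
        distinct = {src for src, _ in w}
        variability = len(distinct) / len(w)
        total = sum(b for _, b in w)
        if variability > VARIABILITY_THRESHOLD:
            label = "ddos"          # many distinct sources: DDoS-like
        elif total >= ELEPHANT_BYTES:
            label = "elephant"      # few sources, lots of data: legitimate bulk flow
        else:
            label = "normal"
        return Verdict(dst, variability, total, label)

    def _update_rules(self, v):
        if v.label == "ddos":
            self.calm[v.dst] = 0
            if v.dst not in self.flow_rules:
                # Assumed rule shape: drop traffic toward the attacked destination.
                self.flow_rules[v.dst] = {"match": {"ipv4_dst": v.dst},
                                          "action": "drop", "priority": 100}
                self.events.append(("install", v.dst))
        elif v.dst in self.flow_rules:
            self.calm[v.dst] += 1
            if self.calm[v.dst] >= CLEAR_WINDOWS:
                del self.flow_rules[v.dst]      # traffic normalised: lift the rule
                del self.calm[v.dst]
                self.events.append(("remove", v.dst))


def simulate():
    """Constructed traffic: a spoofed flood, an elephant flow, then recovery."""
    d = Detector()
    victim, server = "10.0.0.10", "10.0.0.20"
    # 100 small packets from 100 distinct (constructed) source addresses
    for i in range(100):
        d.observe(f"192.0.2.{i}", victim, 60)
    # one client pushing 100 large packets to another server
    for _ in range(100):
        d.observe("10.0.0.5", server, 15000)
    # two windows of ordinary traffic to the victim from five clients
    for _ in range(2):
        for i in range(100):
            d.observe(f"10.0.0.{100 + i % 5}", victim, 500)
    return d


if __name__ == "__main__":
    for v in simulate().verdicts:
        print(v)
```

Running the simulation yields four verdicts in order: a DDoS verdict for the victim (variability 1.0, rule installed), an elephant verdict for the bulk client (variability 0.01, 1.5 MB in the window, no rule), and two normal verdicts for the victim, after which the rule is removed.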
Table of Contents
Thesis certification
Acknowledgements
Abstract (Chinese)
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Overview
  1.2 Research Motivation
  1.3 Thesis Organization
Chapter 2 Background
  2.1 SDN Architecture
  2.2 OpenFlow Protocol
  2.3 RYU
  2.4 DDoS Attacks
  2.5 Elephant Flows
Chapter 3 Related Work
  3.1 Firewall Techniques
  3.2 Defense Techniques in Traditional Networks
  3.3 Defense Techniques in SDN
Chapter 4 Problem Definition
Chapter 5 Methodology and Network Architecture
  5.1 Variability Detection Mechanism
  5.2 Burst Flow Detection Mechanism
  5.3 DDoS Blocking Mechanism
  5.4 Distinguishing Elephant Flows from DDoS
Chapter 6 Experimental Results
  6.1 Comparison of Storage Mechanisms
  6.2 Comparison of DDoS Blocking Methods
Chapter 7 Conclusion and Future Work
  7.1 Conclusion
  7.2 Future Work
Chapter 8 References
Fulltext
This electronic full text is licensed only for personal, non-commercial searching, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it.
Thesis access permission: user-defined release time
Campus: available
Off-campus: not available

Printed copies
Public-access information for printed theses is relatively complete from academic year 102 (ROC calendar) onward. To check the public-access information for printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available