以封包標注為基礎之分散式阻絕服務攻擊封包過濾及阻塞之近似最佳化聯防策略

Abstract

近年來，分散式阻絕服務攻擊成為網際網路服務最大的威脅之一，在分散式阻絕服務攻擊發生時，大量的惡意攻擊封包消耗絕大部分的網路頻寬與網路伺服器之資源，致使合法的使用者無法存取服務。對此類攻擊我們提出一個由網路服務提供者與應用服務提供者合作以封包標注為基礎結合封包過濾與封包阻塞之聯合防禦策略。藉由封包標注以觀察、紀錄網路的使用狀況，做為網路流量異常增加時的參考資訊；當攻擊發生時便可依此參考資訊採取封包過濾－在邊界路由器過濾攻擊流量；或利用封包阻塞策略－在防禦者端進行阻塞，緩解分散式阻絕服務攻擊。 在本論文中，我們將防禦分散式阻絕服務攻擊之攻防情境轉換成一個雙層的數學規劃問題。在內層問題中，防禦者利用有限的防禦資源最大化受分散式阻絕服務攻擊之合法流量；在外層問題則描述攻擊者分配其有限的攻擊資源最小化合法流量。為求得此問題之最佳解，我們將採用以拉格蘭日鬆弛法為基礎的演算法處理內層問題，並利用次梯度法為基礎的演算法處理外層問題。

In recent years, DDoS has become one of the acute threaten to the Internet. During the DDoS attack, huge amount of attack traffic not only heavily consumes the network bandwidth but seriously depletes the victim server’s key resource, which, for the legitimate user, leads to service inaccessibility. To defense against this type of attack, joint defense strategies are proposed, requiring the cooperation between the ISP and the ASP, which combine packet marking, packet filtering strategy and packet blocking policy. With packet marking the approximation of legitimate traffic of each time zone could be observed and recorded. Once the aggregate traffic increases abnormally, the amount of attack traffic can be calculated and a near optimal filtering and blocking strategy for defense can be developed. In the thesis, the DDoS attack-defense scenario is modeled as a two level mathematical programming problem. In the inner problem, the defender strategically utilizes the limited resource to maximize the legitimate traffic. In the outer problem, the attacker tries to allocate its attack resource to minimize the legitimate traffic. A Lagrangean relaxation-based algorithm is proposed to solve the inner problem, and a subgradient-based heuristic algorithm is proposed to solve the outer problem.