透過增量式分群過濾脈衝式阻斷服務攻擊

Abstract

低速分散式阻斷服務攻擊是一種具有隱蔽地攻擊性的網際網路攻擊手法。其中一種又稱之為脈衝分散式阻斷服務攻擊,這種攻擊的原理為利用 TCP 擁塞控制的弱點,只需要傳輸少於傳統的洪水型分散式阻斷服務攻擊的惡意流量,就能達到攻擊合法的 TCP 流量。它可以透過大量卻只維持短暫時間的流量來使目標網路暫時性地被中斷,導致合法的使用者發生封包遺失而無法順暢地連接。這種狡猾地攻擊難以被現今的防禦機制偵測。 本論文方法使用漸進式分群來處理網路流量,因為其資料形式為封包依序進入。透過漸進式分群我們可以對各個使用者做分群依據擁塞時所傳送的行為。透過布隆過濾器 (Bloom Filter) 我們可以有效率地儲存在分群時所需要的資料。在分群之後,我們可以依群組做排序並動態地計算出閥值。透過閥值,可以增加小流量的 TCP 使用者通過的機會同時處理惡意的流量透過阻擋具有大流量的使用者。

The Low-rate Distributed Denial-of-Service (LDDoS) attack is a network attack technique which can be harmful but stealthy. One type of the LDDoS attack, called pulsing DDoS attack, leverages the adaptive nature of the TCP congestion control mechanism. Pulsing DDoS attacks can suppress legitimate TCP traffic by sending fewer packets than traditional flooding DDoS attack. With a short period burst traffic, the pulsing DDoS attack aims to interrupt the target network temporarily and thus packet drop occurs, which makes the users unable to access the network. This kind of attack is crafty and hard to be detected efficiently by existing defensive approaches. In this thesis, we propose an efficient LDDoS defense mechanism using incremental clustering. Instead of keeping per-flow state, which is too heavy-weight for core routers, we classify flows according to the amount of traffic they sent during the congestion periods. Groups with larger flows get a lower priority and will be blocked ealier during congestion. With such, we increase the probability of small TCP traffic to pass the link and block the huge flows which most of them are malicious. In addition, we record the data which is necessary for the clustering and other related work in Bloom filters to keep up with high-speed per-packet processing.