Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/86094
Title: | Mitigating Pulsing DDoS Attack with Flow Grouping and Latency Randomization (透過流量分組與隨機化延時緩解脈衝分散式阻斷服務攻擊) |
Author: | Jonathan J. Mao 毛煥為 |
Advisor: | 葉丙成 (Ping-Cheng Yeh) |
Co-advisor: | 蕭旭君 (Hsu-Chun Hsiao) |
Keywords: | pulsing DDoS attack, attack mitigation, collaborative defense, flow grouping, flow latency randomization |
Year of publication: | 2022 |
Degree: | Master's |
Abstract: | A pulsing distributed denial-of-service (DDoS) attack aggregates low-rate flows from different sources into a short traffic pulse; for some dynamic networks, its effect is comparable to that of a flooding attack. However, a heterogeneous network is composed of devices with differing computing resources, and the defense mechanisms proposed in prior research must all be deployed on devices with strong computing power in order to monitor and mitigate attacks, so devices with weaker computing power cannot deploy these defenses against pulsing DDoS attacks. We therefore propose a defense mechanism named FLARE, in which devices with strong computing power cooperate to protect all network devices in a heterogeneous network. Specifically, FLARE has three phases. In the first phase, the more powerful devices group flows that have the same estimated arrival time at the victim. This information is exchanged to identify suspicious groups. In the second phase, FLARE modifies the path latency of flows in groups marked as suspicious, disrupting the time synchronization established by the attacker. In the third phase, FLARE monitors the suspicious flows it has caught, finds those that are caught repeatedly, marks them as malicious, and blocks their access for a period of time. We further extend FLARE into three models that trade off pulse detection delay against computing resource requirements. Experimental results show an overall flow-grouping accuracy of 92%; after four pulses, the average mis-blocking rate is below 1%.
A pulsing DDoS attack produces the effect of persistent flooding on many Internet services that dynamically adjust settings. Such an attack forms a short traffic pulse out of low-rate traffic sent from various bot sources. Prior research proposed defense algorithms that run on a network device with powerful computing resources to monitor and mitigate such attacks. However, a heterogeneous network consisting of devices with diverse computing resources may be unable to deploy such defense algorithms on a resource-constrained device. Instead of improving the prior defense approach to fit devices with diverse computing resources, we propose a defense approach named FLARE in which powerful computing devices collaborate to protect resource-constrained devices. FLARE exchanges traffic information between powerful computing devices to find the flows that intend to participate in constructing pulses at the victim and then blocks their access to the network. Specifically, FLARE has three phases. First, powerful devices group flows with the same estimated arrival time at the victim and exchange this information to identify suspicious groups. Second, FLARE randomizes the path latency of a suspicious group to disrupt time synchronization between bots. Third, with those phases running continuously, FLARE considers suspicious flows that are repeatedly caught to be malicious and blocks them for a period of time.
We further extend FLARE into three models with trade-offs between detection delay and required computing resources. Our experimental results show an overall accuracy of 92% on grouping flows and a mis-blocking ratio under 1% after four pulses. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/86094 |
DOI: | 10.6342/NTU202203236 |
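Full-text authorization: | Authorized (publicly available worldwide) |
Electronic full-text release date: | 2022-09-16 |
Appears in department: | Graduate Institute of Communication Engineering |
Files in this document:
File | Size | Format | |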
---|---|---|---|
U0001-0709202221222000.pdf | 7.34 MB | Adobe PDF | View/Open |
Unless their copyright terms are specifically stated, all documents in the system are protected by copyright, with all rights reserved.