| Field | Value |
|---|---|
| Graduate student | 蔡維倫 |
| Thesis title | A Tag-based Overlay Architecture for Real Time IP Traceback and Defending Against DDoS Attack Near Source (Chinese title: 以標籤為基礎之疊加網路架構作即時網路位址追蹤暨防禦分散式阻斷服務攻擊於來源端) |
| Advisor | Yeh-Ching Chung (鍾葉青) |
| Oral examination committee | |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Institute of Information Systems and Applications |
| Year of publication | 2007 |
| Graduation academic year | 95 |
| Language | English |
| Number of pages | 28 |
| Chinese keywords | Distributed denial-of-service attack, tag-based overlay network, packet marking |
| Foreign keywords | DDoS, Tag-Based Overlay Networks, Spoofing Attack, Packet Marking |
Distributed denial-of-service (DDoS) attacks have become a serious security problem in today's Internet. When an attack starts, all of the victim host's bandwidth and resources are occupied by useless packets, so it can no longer provide service. A single point of defense around the victim host cannot effectively handle the large volume of distributed attack traffic. In this thesis, we propose a tag-based overlay architecture for real-time IP traceback and for defending against distributed denial-of-service attacks near the source. The tag-based overlay architecture is a two-layer overlay defense network consisting of several local overlay networks and one global overlay network; the overlay networks are composed of edge routers. To distinguish DDoS attack traffic, every packet that passes through an edge router is given a uniquely identifiable tag. The tag is a kind of deterministic packet marking used to tell apart packets coming from different edge routers. The defense mechanism is divided into two stages. In the first stage, the victim host sends an AT signature through the overlay network to all edge routers, which filter out the tags recorded in the AT signature. In the second stage, the victim host further sends an AT&IP signature to all edge routers, which filter out the tags and IP addresses recorded in more detail in the AT&IP signature. We simulate and verify the proposed method using the GTNetS network simulator. The simulation results show that our method can effectively filter attack traffic in real time while protecting legitimate traffic to a certain degree.
DDoS attacks have become a serious security problem in today's Internet. When a DDoS attack starts, all of the victim's bandwidth or resources are occupied by useless packets, and the attack traffic denies the victim's services. A single point of defense near the victim side is not effective in dealing with enormous and highly distributed attack traffic. In this paper, we propose a tag-based overlay architecture for real-time IP traceback and for defending against DDoS attacks that use spoofed source addresses and are large-scale and highly distributed. The tag-based overlay architecture is a two-layer overlay defense network consisting of several local overlay defense networks and one global overlay defense network, which together serve as the framework for real-time IP traceback. To characterize DDoS attack flows, each packet that passes through an edge router to the Internet is associated with a packet tag by that edge router. The packet tag is a kind of deterministic packet marking and is used to characterize the packet flows of edge routers. The defense against a DDoS attack consists of two stages. In the first stage, the victim sends the AT signature to all edge routers via the overlay network, and each edge router blocks all of its traffic (attack and good) if the packet tag it generates is in the AT signature. In the second stage, the victim sends the AT&IP signature to all edge routers via the overlay network, and edge routers block those packets whose packet tag and IP address match an entry in the AT&IP signature. We simulate and verify the proposed approach using the GTNetS network simulator. The simulation results demonstrate that our approach can effectively block attack traffic and protect legitimate traffic when all edge routers participate in the overlay network.
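The two-stage filtering the abstract describes, as an added toy model that is not the thesis's own code: router ids, addresses and the traffic mix are constructed, and the deterministic tag is simplified to the edge router's id. It shows the collateral loss of stage 1 (a whole edge router's traffic is dropped) and how the AT&IP signature of stage 2 recovers legitimate flows behind the same router.

```python
# Added illustration, not code from the thesis. All router ids, addresses
# and packets below are constructed sample data.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst tag")

def tag_packet(router_id, src, dst):
    """Deterministic packet marking: every packet leaving an edge router
    carries that router's fixed tag (assumed here to be the router id)."""
    return Packet(src, dst, router_id)

def at_signature(victim, attack_pkts):
    """Stage 1, victim side: the set of tags seen on attack packets."""
    return {p.tag for p in attack_pkts if p.dst == victim}

def at_ip_signature(victim, attack_pkts):
    """Stage 2, victim side: (tag, source IP) pairs seen on attack packets."""
    return {(p.tag, p.src) for p in attack_pkts if p.dst == victim}

def stage1_filter(router_id, pkts, at_sig):
    """Edge router, stage 1: if its own tag is listed, drop all traffic."""
    return [] if router_id in at_sig else list(pkts)

def stage2_filter(pkts, at_ip_sig):
    """Edge router, stage 2: drop only packets matching a (tag, IP) pair."""
    return [p for p in pkts if (p.tag, p.src) not in at_ip_sig]

def run_two_stage(victim, traffic, attack_srcs):
    """traffic: {router_id: [(src, dst), ...]}. Returns the sorted source
    addresses that still reach the victim after stage 1 and after stage 2."""
    tagged = {r: [tag_packet(r, s, d) for s, d in flows]
              for r, flows in traffic.items()}
    # Packets the victim classifies as attack traffic (constructed labels).
    observed = [p for ps in tagged.values() for p in ps
                if p.dst == victim and p.src in attack_srcs]
    at_sig = at_signature(victim, observed)
    at_ip_sig = at_ip_signature(victim, observed)
    passed1 = {p.src for r, ps in tagged.items()
               for p in stage1_filter(r, ps, at_sig)}
    passed2 = {p.src for ps in tagged.values()
               for p in stage2_filter(ps, at_ip_sig)}
    return sorted(passed1), sorted(passed2)

# Constructed scenario: R1 serves one attacker and one legitimate client,
# R2 serves only a legitimate client; the victim is "V".
SAMPLE = {"R1": [("10.0.0.1", "V"), ("10.0.0.2", "V")],
          "R2": [("10.0.1.5", "V")]}

if __name__ == "__main__":
    print(run_two_stage("V", SAMPLE, {"10.0.0.1"}))
```

Stage 1 lets only R2's client through, since R1's tag is in the AT signature; stage 2 restores 10.0.0.2 while still dropping the attacker behind R1.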