| Field | Value |
|---|---|
| Graduate student | 陳宗右 Tzeng-Yu Chen |
| Thesis title | 多重服務環境下抵擋TCP SYN Flooding DDoS 攻擊之入侵防禦系統 An Effective Intrusion Prevention System to Protect Multi-Services against TCP SYN Flooding DDoS Attacks |
| Advisor | 孫宏民 Hung-Min Sun |
| Degree | Master |
| Department | 電機資訊學院 - 資訊工程學系 Computer Science |
| Year of publication | 2006 |
| Academic year of graduation | 94 |
| Language | English |
| Pages | 71 |
| Keywords (Chinese, translated) | DDoS attacks, packet filtering mechanism, TCP SYN Flooding attacks, DDoS defense |
| Keywords (English) | DDoS attacks, TCP SYN Flooding, Packets Filtering, DDoS prevention |
Abstract (Chinese, translated)

Distributed denial-of-service attacks have been among the most frequent attack incidents in recent years, and the losses they cause to network operators rank among the highest. With the spread of the Internet, almost every company now runs its own servers, such as web servers, mail servers and file servers. Once such a server is attacked, the company suffers serious losses. The most commonly used denial-of-service attack is TCP SYN Flooding, which exploits a weakness of the TCP three-way handshake. Traditional firewalls and intrusion detection systems are not sufficient to withstand TCP SYN Flooding attacks, and there is currently no complete solution. This thesis proposes a system that collects, for each service, a database of legitimate user addresses and builds a backlog queue for each service, using that backlog queue as the basis for judging whether an attack is occurring. When an attack is about to happen, the system activates a packet filtering mechanism that filters packets according to the legitimate-address database.
The system has the following five features: (1) It protects multiple back-end services at the same time without needing to know the backlog queue information of each host. (2) It detects an attack in real time and activates the packet filtering mechanism. (3) The matching algorithm used for packet filtering looks up an IP address in O(n) time, where n depends on the number of services under attack, which reduces the delay for legitimate users. (4) If an attacker launches an attack using a legitimate IP address from the database, we can detect this immediately and temporarily filter out that IP address. (5) It can be placed on an edge router, a NAT router, or directly on the protected host.
The packet filtering mechanism blocks attack packets dynamically, so that normal users can still access the server's services while a DDoS attack is under way. Finally, experiments test whether the mechanism is effective and analyze system performance, defensive effectiveness and the impact on normal users. The thesis presents the key experimental results to show that this method can indeed protect multiple servers from TCP SYN Flooding attacks.
Abstract (English)

In recent years, DDoS attacks have occurred frequently and caused a great deal of damage to enterprises that provide network services. With the growth of the network, almost every enterprise provides more and more services online, such as Web, Mail and FTP services. If these services suffer a DDoS attack, the enterprise incurs great losses. The best-known type of DDoS attack is the TCP SYN flooding attack, which is based on a vulnerability of the TCP three-way handshake. Firewalls and intrusion detection systems are not effective at defending against this type of attack, and there is still no complete solution to it.
In this thesis, we collect the legitimate IP addresses for each service in a database and protect these services according to these databases. We also create a backlog queue for each service, so that we can detect an attack by checking it. When an attack is detected, the packet filtering mechanism is activated to protect the victim services.
There are five characteristics of our system: (1) It protects multiple services without knowing any information about them. (2) It detects the attack and activates the packet filter instantly. (3) The complexity of the IP searching algorithm is only O(n), where n is the number of services under attack, which reduces the delay for legitimate users. (4) We can instantly find that an attacker is using a legitimate IP address to attack, and then filter out that IP address. (5) The system can be built into an edge router, a NAT server or the protected server.
With our proposed mechanism, we can effectively defend against the TCP SYN flooding attack and continue to provide service to legitimate users. Finally, we run experiments to evaluate this mechanism and analyze system performance, effectiveness and the influence on legitimate users. We show that this mechanism effectively protects multiple services against the TCP SYN flooding attack.
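The following model of the mechanism described in the abstracts is an added illustration, not code from the thesis: it keeps a per-service legitimate-IP database and half-open (backlog) count, switches a service into filtering mode once its backlog fills, and temporarily blocks a listed address that itself piles up half-open connections. The thresholds, the port-keyed layout, the rule that a completed handshake adds the source to the database, and the absence of a time-out are all assumptions made here.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ServiceGuard:
    """Per-service state: legitimate-IP database plus a backlog (half-open) count."""
    legit_ips: set                   # addresses that completed a handshake before
    backlog_limit: int               # assumed: filtering starts when half-open SYNs reach this
    per_ip_limit: int = 3            # assumed: half-open SYNs a legitimate IP may hold
    half_open: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)   # assumed: no expiry modelled

    def under_attack(self) -> bool:
        return sum(self.half_open.values()) >= self.backlog_limit


class SynGuard:
    """Filter in front of several services, keyed by destination port."""
    def __init__(self, services: dict):
        self.services = services

    def on_syn(self, port: int, src: str) -> str:
        g = self.services[port]
        if src in g.blocked:
            return "drop"
        # The database is consulted only for a service whose backlog is full,
        # so per-packet work grows with the number of attacked services.
        if g.under_attack():
            if src not in g.legit_ips:
                return "drop"                       # unknown source during an attack
            if g.half_open[src] >= g.per_ip_limit:
                g.blocked.add(src)                  # a listed IP is itself flooding
                return "drop"
        g.half_open[src] += 1
        return "accept"

    def on_ack(self, port: int, src: str) -> None:
        g = self.services[port]
        if g.half_open[src] > 0:
            g.half_open[src] -= 1
            g.legit_ips.add(src)                    # completed handshake -> trusted


def simulate() -> dict:
    """Constructed traffic: one honest client, a spoofed flood, then an abusive listed IP."""
    guard = SynGuard({80: ServiceGuard(legit_ips={"10.0.0.5"}, backlog_limit=4)})
    guard.on_syn(80, "10.0.0.7"); guard.on_ack(80, "10.0.0.7")       # honest client learned
    flood = [guard.on_syn(80, f"192.0.2.{i}") for i in range(1, 6)]   # spoofed, never ACKed
    honest = guard.on_syn(80, "10.0.0.7")                             # still served
    abuser = [guard.on_syn(80, "10.0.0.5") for _ in range(5)]         # listed IP, no ACKs
    return {"flood": flood, "honest": honest, "abuser": abuser}
```

The spoofed sources are accepted until the backlog fills, after which only database addresses pass, and the listed address that never completes its handshakes is cut off after its third half-open connection.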