
Student: 彭義昆
Yi-Kun Peng
Thesis title: 利用一個強韌的封包過濾機制來保護伺服器免於DDoS攻擊
A Robust IP Packets Filtering Mechanism to Protect Servers from DDoS Attacks
Advisor: 孫宏民
Hung-Min Sun
Committee members:
Degree: 碩士
Master
Department: College of Electrical Engineering and Computer Science - Institute of Information Systems and Applications
Institute of Information Systems and Applications
Year of publication: 2004
Academic year of graduation: 92
Language: English
Number of pages: 41
Chinese keywords: DDoS attacks, packet filtering mechanism, firewall, DDoS defense
English keywords: DDoS attacks, Firewall, Packets Filtering, DDoS prevention
    Among the most frequent attacks of recent years have been distributed denial-of-service (DDoS) attacks, which compromise availability, one of the goals of information security, and inflict major losses on network operators. Servers that provide services therefore need an IP packet filtering mechanism to fend off DDoS attacks. Because such servers are by nature open to access by anyone, it is hard for network administrators to configure firewall rules that block this class of attack. The hardest part is that the source IP addresses of the attack packets are usually generated at random, so the firewall cannot tell legitimate packets from attack packets. We therefore improve on the "Hop-Count Filtering" proposed by Cheng Jin et al. to build a more robust IP packet filtering mechanism that protects server resources from attack. Its main features are: (1) A field recording priority is added to the existing source IP address and hop-count; together these form the Address Table. Under a DDoS attack, whether a packet is admitted can be decided by its priority, improving the server's ability to survive. (2) A three-dimensional array structure is used to store the Address Table, so a lookup takes only O(1) time. (3) Network probing techniques are used to build the Address Table proactively, making it large enough to catch spoofed packets and saving training time. (4) A queue monitor is installed on the protected server; when the queue is close to full, it notifies the packet filtering mechanism to reserve space for other users so that service can continue.
    Deploying this IP packet filtering mechanism on the firewall or on the router of the local network can dynamically block attack packets, so that legitimate users can still access the server's services normally under a DDoS attack. Finally, we test the effectiveness of the mechanism with two attack scenarios we designed, and analyze how changes to several important parameters affect system performance and defensive effectiveness. We present the key experimental results to show that this approach indeed increases a server's ability to defend against DDoS attacks.


    DDoS attacks have occurred frequently in recent years, undermining availability, one of the core goals of information security, and causing a great deal of damage to enterprises that provide web services. Internet servers therefore need a robust IP packet filtering mechanism to strengthen their ability to resist DDoS attacks. Configuring a firewall to filter out these attacks is hard because of the open nature of Internet servers. Furthermore, the source addresses of the flooding traffic are spoofed, which makes it hard to write appropriate firewall rules; distinguishing legitimate packets from malicious ones is a difficult task for a firewall. We therefore improve on the idea of "Hop-Count Filtering" proposed by Cheng Jin et al. to build a robust IP packet filtering mechanism that detects and reduces DDoS attacks by checking inbound packets against an IP address database. Our mechanism has the following distinguishing features: (1) The IP address database, which we call the Address Table, has three fields for identifying packets: source IP address, hop-count, and priority. The priority field is our own contribution; it lets good users keep their connections to the protected server under any conditions. (2) The Address Table is stored in a three-dimensional array, so looking up an address takes O(1) time. (3) Probing techniques are used to construct the Address Table actively, so that it is large enough to detect spoofed packets. (4) A queue monitor on the protected server prevents it from running out of space resources: when the queue is close to full, the filter is started to preserve space.
    Deploying this robust IP packet filtering mechanism on an edge router or a firewall can dynamically block attack traffic and protect servers from DDoS attacks. We implemented it on a victim server using Netfilter, the flexible and extensible packet filtering framework inside Linux 2.4.x. Finally, we use two DDoS attack scenarios to evaluate the mechanism and analyze the influence of several important parameters on system performance and effectiveness, and show that the mechanism is effective against DDoS attacks.

    1. Introduction
        1.1 Background
        1.2 Motivation
        1.3 Contribution
        1.4 Synopsis
    2. Related Work
        2.1 DoS Attack
        2.2 DDoS Attack
        2.3 Firewall
        2.4 Intrusion Prevention System
        2.5 IP Traceback
        2.6 Packet Filtering Mechanism
            2.6.1 Ingress Filtering
            2.6.2 Hop-Count Filtering
            2.6.3 History-based IP Filtering
    3. Our Proposed Packet Filtering Mechanism
        3.1 The Placement
        3.2 The Architecture
        3.3 The Construction of Address Table
        3.4 The Network Variation Problem
        3.5 The Data Structure of Address Table
        3.6 The Feasibility Analysis
        3.7 Comparison
    4. Implementation
    5. Experiment
        5.1 The Testing Environment
        5.2 Scenario 1 of TCP SYN Flooding
        5.3 Scenario 2 of Huge HTTP Requests
        5.4 Some Parameters Discussion
    6. Conclusion
    7. References

    [1] Yahoo Attributes a Lengthy Service Failure to an Attack, http://www.nytimes.com/library/tech/00/02/biztech/articles/08yahoo.html
    [2] DDoS tools, http://www.packetstormsecurity.org/distributed/indexsize2.html
    [3] CERT, http://www.cert.org/
    [4] Kihong Park and Heejo Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack," Proceedings of IEEE INFOCOM 2001 (20th), vol. 1, pp. 338-347.
    [5] A. Belenky and N. Ansari, "IP Traceback with Deterministic Packet Marking," IEEE Communications Letters, vol. 7, no. 4, April 2003.
    [6] S. Bellovin, M. Leech, and T. Taylor, "The ICMP Traceback Message," Internet-Draft, draft-ietf-itrace-01.txt, Oct. 2001, work in progress, available at ftp://ftp.ietf.org/internet-drafts/draft-ietf-itrace-01.txt
    [7] Stephanie Hagopian, "Network-Based Intrusion Prevention System Technology Evaluation," SANS Institute, 2004.
    [8] Ingress Filtering, http://www.faqs.org/rfcs/rfc2267.html
    [9] Cheng Jin, Haining Wang, and Kang G. Shin, "Hop-Count Filtering: An Effective Defense against Spoofed Traffic," 10th ACM Conference on Computer and Communications Security (CCS'03).
    [10] Tao Peng, Christopher Leckie, and Kotagiri Ramamohanarao, "Protection from Distributed Denial of Service Attack Using History-based IP Filtering," IEEE ICC 2003.
    [11] C.L. Tao Peng and K. Ramamohanarao, "Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring," available at http://www.ee.mu.oz.au/pgrad/taop/research/detection.pdf, November 2002.
    [12] Netfilter firewalling, NAT, and packet mangling for Linux 2.4, http://www.netfilter.org/
    [13] "CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks," available at http://www.cert.org/advisories/CA-1996-21.html, September 1996.
    [14] Ping of Death, http://www.ovb.ch/?http://www.ovb.ch/Ping/pod.html
    [15] "CERT Advisory CA-2003-25 Buffer Overflow in Sendmail," http://www.cert.org/advisories/CA-2003-25.html, September 29, 2003.
    [16] "CERT Advisory CA-1998-01 smurf IP Denial-of-Service Attacks," available at http://www.cert.org/advisories/CA-1998-01.html, January 1998.
    [17] Iris Network Traffic Analyzer, available at http://www.eeye.com/html/Products/Iris/index.html
    [18] http_load - multiprocessing http test client, http://www.acme.com/software/http_load/
    [19] IPv4 World Allocated Statistics of TWNIC, http://www.twnic.net.tw/ipstats/ipv4stats.php
    [20] C. Labovitz, A. Ahuja, and F. Jahanian, "Experimental Study of Internet Stability and Backbone Failure," Proceedings of the 29th International Symposium on Fault-Tolerant Computing, Madison, WI, June 1999.
    [21] J. Li, J. Mirkovic, M. Wang, P. Reiher, and L. Zhang, "SAVE: Source Address Validity Enforcement Protocol," Proceedings of IEEE INFOCOM 2002, New York City, NY, June 2002.
    [22] Default TTL Values in TCP/IP of Different Operating Systems, http://secfr.nerim.net/docs/fingerprint/en/ttl_default.html
    [23] Stateful Firewall, http://www.fact-index.com/s/st/stateful_firewall.html
    [24] Intrusion Detection System, http://www.intrusion-detection-system-group.co.uk/

    Full text availability: not authorized for public access (on-campus network)
    Full text availability: not authorized for public access (off-campus network)
