
Student: 李慧蘭 (Hui-Lan Lee)
Title: 智慧型泛濫攻擊防禦網路架構之設計 (The Design of an Intelligent Flooding Unthreat Network Architecture)
Advisor: 黃能富 (Nen-Fu Huang)
Degree: Master (碩士)
Department: College of Electrical Engineering and Computer Science, Institute of Communications Engineering (Communications Engineering)
Year of publication: 2004
Academic year of graduation: 92 (ROC calendar, i.e. 2003/04)
Language: English
Pages: 49
Keywords (Chinese): 泛濫攻擊 (flooding attack), 阻斷服務攻擊 (denial-of-service attack), 分散式阻斷服務攻擊 (distributed denial-of-service attack), 入侵偵測系統 (intrusion detection system)
Keywords (English): flooding attack, DoS, DDoS, IDS
    Abstract (Chinese original, translated): Flooding attacks have attracted much attention in recent years. Besides crafting malicious packets, a determined attacker can mount a bandwidth attack with a large volume of normal packets, occupying network bandwidth and exhausting system resources so that the system can no longer provide service. These are the well-known DoS (denial-of-service) and DDoS (distributed denial-of-service) attacks. The security information management (SIM) systems currently on the market mainly collect and analyze event data from the heterogeneous security devices in a network; they still offer no active defense. Protocol-anomaly IDS, statistical-anomaly IDS, firewalls and SIM systems are already widely used by enterprises, but SIM products are not yet mature and have considerable room to grow over the next few years. In view of this, we define an intelligent, active defense policy to remedy the shortcoming that a SIM system can only passively report security logs and cannot effectively control network devices; we call such a system an intelligent SIM (I-SIM). In this thesis, in addition to proposing a complete network architecture for defending against flooding attacks (the Flooding Unthreat Network), we define, based on the reports of the protocol-anomaly and statistical-anomaly IDSs, a dynamic filtering mechanism that intercepts suspicious attackers at the first line of defense, the firewall. Furthermore, flooding attacks are usually carried out with large volumes of normal packets, which defeats signature-matching detection; in that case dynamic rate adjustment can effectively curb malicious bandwidth attacks. Finally, simulation experiments show that normal users obtain a lower blocking rate when a flooding attack occurs.


    Abstract (English): Nowadays the flooding attack is the most common network threat, and alleviating this kind of attack is the most important security topic. An attacker generates a large amount of traffic to consume bandwidth, which causes network congestion and prevents other users from establishing new connections. The traffic also wastes server capacity, keeps the server permanently busy, and denies service to normal users. These are the well-known DoS and DDoS attacks. All current security information management (SIM) products only report events, monitor, and trigger alerts. No active alleviation procedure is included, so they can only detect an attack without preventing it. Heterogeneous network security devices, including SIM, statistically-based IDS, protocol anomaly IDS and firewalls, have been widely deployed in most networks. In this thesis, building on such a heterogeneous network, we not only propose a flooding unthreat network (FUN) architecture that integrates the different types of IDS but also explore a better intelligence mechanism to deter flooding attacks. The "black list" and "fair allocation list" mechanisms are designed to block the attack traffic at its ingress firewall. The simulation results and the performance improvement of the proposed FUN system are also presented.
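    As an added illustration of the two policing functions both abstracts describe, the following Python toy (written for this page; it is not the thesis's simulator and does not reproduce its parameters) runs an event-driven simulation in which an ingress firewall applies a black list fed by IDS alerts and a per-source rate cap (a token-bucket form of dynamic rate adjustment) in front of a server of fixed capacity, and reports the blocking rate seen by normal users with and without each function. The traffic mix (10 users at 2 pps, 5 bots at 200 pps, a server that absorbs 100 pps), the 5 pps fair rate, the 60 s black-list lifetime and the assumption that the statistical IDS reports every bot 2 s into the flood are all constructed for this example.

```python
"""Added example: event-driven toy of a FUN-style ingress firewall with a
black list (fed by IDS alerts) and per-source dynamic rate adjustment
(token buckets) in front of a server of limited capacity.  Exact rational
arithmetic keeps the toy deterministic.  All parameters are assumptions."""
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenBucket:
    """`rate` tokens/s accrue, at most `depth` are stored, one token per packet."""
    rate: F
    depth: F
    last: F = F(0)
    tokens: Optional[F] = None

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = self.depth          # start full: one burst is allowed

    def admit(self, t: F) -> bool:
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PolicingFirewall:
    """Black list: a reported source is dropped for `blacklist_ttl` seconds.
    Dynamic rate adjustment: every source is capped at `fair_rate` packets/s
    with a burst of twice that (None disables the cap)."""

    def __init__(self, server_rate: F, fair_rate: Optional[F] = None,
                 blacklist_ttl: F = F(60)) -> None:
        self.server = TokenBucket(server_rate, server_rate)   # server capacity
        self.fair_rate = fair_rate
        self.blacklist_ttl = blacklist_ttl
        self.blacklist: Dict[str, F] = {}                     # src -> expiry
        self.buckets: Dict[str, TokenBucket] = {}

    def report(self, t: F, src: str) -> None:
        """What an I-SIM action engine would push down on an IDS alert (assumed)."""
        self.blacklist[src] = t + self.blacklist_ttl

    def forward(self, t: F, src: str) -> bool:
        """True if the packet reaches the server; False if policed or server full."""
        if self.blacklist.get(src, F(-1)) > t:
            return False
        if self.fair_rate is not None:
            b = self.buckets.get(src)
            if b is None:
                b = self.buckets[src] = TokenBucket(self.fair_rate, 2 * self.fair_rate, last=t)
            if not b.admit(t):
                return False
        return self.server.admit(t)


Source = Tuple[str, int, bool]   # (address, packets/s, is_attacker)


def simulate(fw: PolicingFirewall, sources: List[Source],
             alerts: List[Tuple[F, str]], duration: int) -> float:
    """Return the blocking rate (dropped / sent) seen by the normal sources."""
    events = []
    for src, rate, _ in sources:     # evenly spaced packets per source
        events += [((k + F(1, 2)) / rate, "pkt", src) for k in range(rate * duration)]
    events += [(t, "alert", src) for t, src in alerts]
    events.sort()                    # time order; "alert" sorts before "pkt" at equal t
    sent = {src: 0 for src, _, _ in sources}
    dropped = {src: 0 for src, _, _ in sources}
    for t, kind, src in events:
        if kind == "alert":
            fw.report(t, src)
        else:
            sent[src] += 1
            if not fw.forward(t, src):
                dropped[src] += 1
    normal = [src for src, _, attacker in sources if not attacker]
    return sum(dropped[s] for s in normal) / sum(sent[s] for s in normal)


def scenario(dra: bool, black_list: bool) -> float:
    """Constructed flood: 10 users at 2 pps and 5 bots at 200 pps against a
    100 pps server; with black_list the IDS is assumed to report every bot at t=2s."""
    sources: List[Source] = [(f"user{i}", 2, False) for i in range(10)]
    sources += [(f"bot{i}", 200, True) for i in range(5)]
    fw = PolicingFirewall(F(100), F(5) if dra else None, F(60))
    alerts = [(F(2), f"bot{i}") for i in range(5)] if black_list else []
    return simulate(fw, sources, alerts, duration=10)


if __name__ == "__main__":
    for dra, bl in [(False, False), (False, True), (True, False), (True, True)]:
        print(f"DRA={dra!s:5} black list={bl!s:5} normal-user blocking rate={scenario(dra, bl):.2f}")
```

    Run directly, the script prints the four combinations: with no policing every normal packet is dropped because the bots take every server slot; the black list alone stops the loss only once the IDS has reported the bots, so the packets sent before the alert are still lost; rate adjustment alone already brings the normal users' blocking rate to zero, which is the point the abstracts make about floods of well-formed packets that no signature catches but that a per-source cap throttles.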

    Table of Contents
    List of Tables i
    List of Figures ii
    Chapter 1 Introduction 1
    Chapter 2 Related Works 5
        2.1 Statistical-Based IDS 5
        2.2 Protocol Anomaly IDS 6
        2.3 Security Information Management 8
    Chapter 3 System Design 13
        3.1 Intelligent SIM 15
            3.1.1 Knowledge Base 16
            3.1.2 Action Engine 18
        3.2 Additional Policing Functions in Firewall 19
            3.2.1 Black List 20
            3.2.2 Dynamic Rate Adjustment (DRA) Scheme 23
            3.2.3 Fair Service Allocation (FSA) Scheme 29
    Chapter 4 Simulation and Analysis 33
        4.1 Event-Driven Simulation 33
        4.2 Simulation Result 37
            4.2.1 A.S.H.T Simulation 37
            4.2.2 Simulation for Different PA Ratios 40
            4.2.3 Time Domain Simulation 42
    Chapter 5 Conclusions 44
    References 47

