Open Access  Subscription Access

DDoS攻擊擴散的時候，如果能迅速確認網路各節點的健康狀況(physical condition)並啟動相對應機制的話，將可隔離並縮小攻擊者所造成的攻擊區域。本論文提出一主動式網路DDoS抵禦系統（Active DDoS Defense System，簡稱ADDS），利用主動式網路(Active Network)快速散佈策略(policy)的優點，逐步對網路中每個節點進行偵測，將整個網路分成三個區域：安全區域(safe area)、可疑區域(uncertain area)、攻擊區域(attacked area)，再利用主動式網路封包攜帶特定攻擊的解毒疫苗，修補可疑區域內各節點的安全漏洞。根據模擬數據得知，使用ADDS可以讓網路存活時間(network survival time)增加232%，並且在攻擊發生時平均降低CPU使用率(CPU utilization wasted by undetected attacks) 33.55%；但相對的，也有9.98%合法封包會被誤判成攻擊封包(legal traffic dropped rate)。If the infected condition of each network node can be determined when the DDoS attacks start to spread, the attacked area can then be restricted and isolated. The paper proposed the Active DDoS Defense System (ADDS) that utilizes the advantage of Active Networks, fast on distributing policies, to detect every node gradually and divide the whole network into three areas: safe area, uncertain area and attacked area. Then repair the vulnerability of each network node by delivering virus pattern using active packets. Finally, the whole network topology can be divided into safe area and attacked area, and thus the DDoS attacks will be restricted and isolated. Simulation results show that ADDS is able to increase network survival time for 224%, and decrease the ratio of CPU time wasted by undetected attacks for 34.58%. But ADDS also increase the legal traffic dropped rate to 8.12%.

分散式阻絕攻擊; 主動式網路; 主動式網路DDoS抵禦系統; ANTS; active networks; ADDS; ANTS; DDoS