Detecting Distributed Reflection Denial of Service Attack in Software Defined Network

Bibliographic Details
Main Authors: Lu, Wei-Chih, 呂偉誌
Other Authors: Tsai, Shi-Chun
Format: Others
Language: zh-TW
Published: 2016
Online Access: http://ndltd.ncl.edu.tw/handle/qg25wa
Description
Summary: Master's === National Chiao Tung University === Institute of Computer Science and Engineering === 104 === A DDoS (Distributed Denial of Service) attack can easily disable a network service if the system is not well managed and defended. One DDoS method uses open services as reflectors to launch the attack; this is called DRDoS (Distributed Reflection Denial of Service). This type of attack is difficult to trace back to the attackers, because they usually spoof their IP addresses, and it generates more traffic than an ordinary DDoS attack. Attackers amplify the volume of attack traffic by targeting weaknesses in protocols and services; this kind of attack is called an amplification attack, and the DNS amplification attack is one instance of it. DNS servers translate domain names into numerical IP addresses, but their reply packets are substantially larger than the request packets. Hence an open recursive DNS server can be used by an attacker as a packet amplifier to launch a DRDoS attack. To prevent this type of attack in a campus network, we propose a system that blocks amplification attacks automatically. Because our system is deployed at the network entrance, we use SDN techniques to mirror only the packets needed to our detection agent. When the detection agent classifies a flow as an attack, we use the SDN controller's RESTful API to add flow rules to the OpenFlow switch that drop the malicious packets. Thus we block the attack by adding a flow rule that drops packets from the specific IP address. DRDoS attacks share similar features, so we can detect them with machine learning techniques. Our system can detect both DNS and NTP amplification attacks.