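Abstract

In this thesis we propose a new protection system to prevent servers from suffering distributed denial-of-service attacks. It improves the accuracy of identifying malicious attacks and effectively improves network quality.

In the first step, we propose building a monitoring system combined with routing redirection; this mechanism effectively diverts malicious packets to protect the server. Because the packets of a distributed denial-of-service attack are regular, we can block most malicious packets according to these characteristics. In addition, suspected IP addresses are given a graphical recognition test, so that a double line of defense minimizes the damage from distributed denial-of-service attacks.

In the second step, during normal operation we build a database of IP address lists, which is used to identify legitimate users when an attack occurs, so that users can use the service normally without interference.

This thesis makes the following contributions:
(1) Our system can effectively identify malicious packets, improving the error rate problem.
(2) By building the list, the time for re-analysis is reduced and interference with users is avoided.

We believe these mechanisms can greatly reduce the damage of DDoS attacks, and the results of this thesis will help future research on defending against distributed denial of service.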
Abstract

In this thesis, we propose a new protection system that can effectively resist distributed denial-of-service (DDoS) attacks. It improves the accuracy of judging malicious attacks and effectively improves network quality.

In the first step, we propose combining detection with routing redirection to resist DDoS attacks. This method can effectively channel malicious packets away. Because DDoS packets have characteristic features, the monitoring side can use them as a reference to block most of the malicious packets. In addition, we use a double line of defense to minimize the damage.

In the second step, we establish a list of IP addresses during normal operation to identify legitimate users. When an attack occurs, the list is used to recognize normal users so that their use of the service is not interfered with.

The contributions of this work are as follows.
(1) Our system can effectively judge malicious packets, lowering the error rate.
(2) Establishing the list reduces the time spent on re-analysis and avoids interference with users.

We trust these mechanisms can significantly reduce attack volume. The results of this thesis should be helpful to future research on DDoS defense.