
Author: Wu, Tsung-Ping (吳宗秉)
Title: A Fast DDoS Traceback Approach Using Branch Label and Network Performance Monitoring Techniques (藉由標記網路拓樸分歧與效能監控以加速追蹤分散式阻斷服務攻擊來源的方法)
Advisor: Kuo, Yau-Hwang (郭耀煌)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science
Year of publication: 2005
Academic year of graduation: 93 (ROC calendar, i.e. 2004/05)
Language: English
Pages: 103
Keywords (Chinese, translated): attack traceback, distributed denial-of-service attack, network performance monitoring, topology branching, rate control
Keywords (English): Network Performance Measurement, Rate-Control, DDoS, Traceback, Branch Label
Abstract:

Distributed denial-of-service (DDoS) attacks exhaust the system and network resources of a victim so that it can no longer provide service, and because the attackers spoof their source addresses the victim has little means of defending itself; they are therefore one of the most serious threats to today's Internet. How to trace an attack back to its sources and mitigate it effectively has become an important problem in network security. Because existing traceback techniques need a long time to locate the sources of a DDoS attack, this thesis proposes a Fast DDoS Traceback Approach (FTA) that uses branch labels and network performance monitoring to trace and mitigate an attack quickly. The approach has four phases: preparation of the branch label table, network performance monitoring, traceback, and rate control.

Before an attack occurs, the edge router builds a branch label table that records where the network topology branches, so that the later traceback can be shortened. During an attack, the attackers inject a large volume of packets into the network and drastically change its normal characteristics; the edge router therefore monitors the performance of legitimate connections and detects the attack when their delay exceeds a preset quality-of-service threshold. Once an attack is confirmed, the edge router uses the affected path information and the prebuilt branch label table to identify the router that is most likely the convergence node, the point where legitimate and attack packets merge. Starting from that node, it follows the packet counts injected through each interface hop by hop towards the attack sources, until no further progress can be made or an edge router is reached. Finally, a rate-control mechanism is enforced at the router where the traceback stops to mitigate the effect of the attack.

Compared with existing traceback schemes, the edge router in this architecture determines the convergence node more quickly and so shortens the traceback, and the core routers consume less memory because they gather flow information for a shorter time. The Network Simulator 2 (NS-2) is used to simulate the real topology of TWAREN, the Taiwan Advanced Research and Education Network; the simulation results show that the impact of the attack is effectively mitigated.
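The four phases described above, as an added illustration that is not the thesis's own code: a small Python simulation on a constructed tree-shaped domain. The topology, the branch label table format (the branch points on each ingress router's path to the edge router), the 50 ms delay threshold, the anomaly ratio used during traceback and the throttle rule are all assumptions made here; the thesis's BLT maintenance procedure and its hop-weighted rate control are not reproduced.

```python
from statistics import median

# Constructed topology (assumption): each router maps to its upstream neighbours,
# i.e. its ingress-side interfaces. Every path to the edge router E0, which sits
# in front of the victim, is therefore unique.
TOPOLOGY = {
    "E0": ["R1"],
    "R1": ["R2", "R3"],
    "R2": ["I1", "I2"],
    "R3": ["I3", "I4"],
}
INGRESS = ("I1", "I2", "I3", "I4")  # routers where traffic enters the domain
DELAY_THRESHOLD_MS = 50.0           # assumed QoS guarantee for monitored flows
ANOMALY_RATIO = 3.0                 # assumed: abnormal if > 3x the median of peers


def path_to_edge(node, topology=TOPOLOGY):
    """Routers from `node` to the edge router, ingress side first."""
    parent = {c: p for p, children in topology.items() for c in children}
    path = [node]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path


def build_branch_label_table(topology=TOPOLOGY, ingress=INGRESS):
    """Phase 1 (assumed table format): before any attack, record for each ingress
    router the branch points on its path to the edge router, i.e. the routers
    with more than one upstream interface, ordered ingress side first."""
    return {ing: [r for r in path_to_edge(ing, topology) if len(topology.get(r, ())) > 1]
            for ing in ingress}


def detect_affected_flows(delays_ms, threshold=DELAY_THRESHOLD_MS):
    """Phase 2: monitored legitimate flows (keyed by their ingress router)
    whose measured delay breaks the QoS threshold signal an attack."""
    return sorted(ing for ing, d in delays_ms.items() if d > threshold)


def find_convergence_node(affected, blt):
    """Phase 3a: a BLT lookup instead of probing the network. The convergence
    node is the branch point nearest the ingress side that lies on every
    affected path, i.e. the first router where all degraded flows already
    share a link with the attack traffic."""
    if not affected:
        return None
    shared = [r for r in blt[affected[0]] if all(r in blt[i] for i in affected[1:])]
    return shared[0] if shared else None


def traceback(start, iface_counts, topology=TOPOLOGY, ratio=ANOMALY_RATIO):
    """Phase 3b: from the convergence node, follow the upstream interface whose
    packet count stands out (> ratio x median of the router's other interfaces)
    hop by hop until an ingress router is reached or nothing stands out.
    Returns (router, interface) of the approximate entry, or None."""
    node, entry = start, None
    while topology.get(node):
        counts = {n: iface_counts.get(node, {}).get(n, 0) for n in topology[node]}
        suspect = max(counts, key=counts.get)
        peers = [c for n, c in counts.items() if n != suspect]
        baseline = median(peers) if peers else 0
        if counts[suspect] <= ratio * max(baseline, 1):
            break                       # no abnormal interface here: stop
        node, entry = suspect, (node, suspect)
    return entry


def rate_control(entry, iface_counts, ratio=ANOMALY_RATIO):
    """Phase 4 (assumed rule, not the thesis's hop-weighted one): throttle the
    abnormal interface at the approximate entry down to the median count of
    the router's normal interfaces. Returns (router, interface, limit)."""
    if entry is None:
        return None
    router, iface = entry
    peers = [c for n, c in iface_counts[router].items() if n != iface]
    limit = median(peers) if peers else iface_counts[router][iface] / ratio
    return router, iface, limit


def run_fta(delays_ms, iface_counts):
    """Run all four phases and report every intermediate decision."""
    blt = build_branch_label_table()
    affected = detect_affected_flows(delays_ms)
    conv = find_convergence_node(affected, blt)
    entry = traceback(conv, iface_counts) if conv else None
    return {"affected": affected, "convergence": conv,
            "entry": entry, "throttle": rate_control(entry, iface_counts)}


# Constructed measurements: an attacker behind I3 floods the victim, so every
# monitored flow breaks the 50 ms threshold and R3's interface towards I3
# carries far more packets than its peer.
SAMPLE_DELAYS_MS = {"I1": 90.0, "I2": 85.0, "I3": 95.0, "I4": 80.0}
SAMPLE_IFACE_COUNTS = {
    "E0": {"R1": 10000},
    "R1": {"R2": 1000, "R3": 9000},
    "R2": {"I1": 500, "I2": 500},
    "R3": {"I3": 8500, "I4": 500},
}

if __name__ == "__main__":
    print(run_fta(SAMPLE_DELAYS_MS, SAMPLE_IFACE_COUNTS))
```

With the sample data all four flows are degraded, so the BLT lookup yields R1 as the convergence node; the traceback then follows the abnormal interface R1 to R3 and R3 to I3, stops at the ingress router I3, and throttles that interface at R3 to the rate of its normal peer. The point of the table is visible in `find_convergence_node`: once the branch points per path are precomputed, locating the merge point is a list intersection rather than a network-wide probe.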

Table of contents (page numbers as in the thesis):

Chapter 1 Introduction ... 1
  1.1 Background ... 1
  1.2 Motivation ... 6
  1.3 Contribution of our Research Work ... 6
  1.4 Organization of the Thesis ... 7
Chapter 2 Related Works ... 8
  2.1 A Brief of DDoS Attacks ... 8
    2.1.1 Exhaustion of System Resource ... 8
    2.1.2 Exhaustion of Network Bandwidth ... 9
      2.1.2.1 Direct Flooding Attack ... 10
      2.1.2.2 Reflector Attack ... 10
  2.2 The Countermeasure of DDoS Attack ... 12
    2.2.1 The Prevention before Attack ... 12
    2.2.2 The Protection during Attack ... 13
      2.2.2.1 Intrusion Detection and Filter ... 13
      2.2.2.2 Load-balancing Mitigation ... 14
      2.2.2.3 Redirection ... 15
    2.2.3 The Reaction after Attack ... 15
      2.2.3.1 Analyzing the Behaviors of Network Flows and Recorded Network Events ... 15
      2.2.3.2 Traceback ... 16
      2.2.3.3 Traceback based on Network Performance Monitoring ... 21
  2.3 Summary ... 24
    2.3.1 Summary of Countermeasures Against DDoS Attacks ... 24
    2.3.2 Comparison of Existing Traceback Schemes ... 26
Chapter 3 A Fast DDoS Traceback Approach using Branch Label and Network Performance Monitoring Techniques ... 28
  3.1 System Overview ... 28
  3.2 The Preparation with the Branch Label Table (BLT) ... 33
    3.2.1 Moments and Events (instantiation and update) ... 34
    3.2.2 Maintain Procedure (BLT Construction) ... 37
  3.3 Network Performance Measurements ... 39
    3.3.1 Delay Measurements ... 39
    3.3.2 Loss Measurements ... 43
    3.3.3 Packet Arrival Rate Measurements ... 44
  3.4 The Convergence Nodes Determination ... 45
    3.4.1 Based on the Loss Measurements ... 45
    3.4.2 Based on BLT Lookup Process ... 47
  3.5 The Prevention Phase of the System ... 51
    3.5.1 Traffic Irregularity Traceback from Convergence Nodes ... 51
    3.5.2 Hop-to-Attack Weighted Rate-Control on Approximate Entry ... 54
Chapter 4 Simulation ... 59
  4.1 Simulation Tools ... 59
  4.2 Simulation Topology ... 59
  4.3 Simulation Scenario ... 64
  4.4 Performance Evaluation ... 68
  4.5 The Results of Performance Evaluation ... 69
    4.5.1 The Scenarios n7_a1 with Test-bed Topology ... 70
    4.5.2 The Scenarios n7_a5 with Test-bed Topology ... 71
    4.5.3 The Scenarios n12_a1 with Test-bed Topology ... 71
    4.5.4 The Scenarios n12_a5 with Test-bed Topology ... 72
    4.5.5 The Scenarios TP1 of TWAREN ... 73
    4.5.6 The Scenarios TP2 of TWAREN ... 75
  4.6 Presentation of Important Findings and Results ... 76
    4.6.1 Difference Reaction Time between FTA and DATMS ... 76
    4.6.2 Difference Rate-Control Mechanism (0.8, 0.9, 1.0, FTA) ... 81
    4.6.3 Difference Reaction Time based on the Number of Legitimate Flows ... 82
Chapter 5 Evaluation ... 83
  5.1 Notations ... 83
  5.2 Communication Overheads ... 84
    5.2.1 iTrace ... 84
    5.2.2 PPM ... 85
    5.2.3 DATMS ... 85
    5.2.4 FTA ... 86
  5.3 Processing Overheads ... 89
    5.3.1 iTrace ... 89
    5.3.2 PPM ... 90
    5.3.3 DATMS ... 91
    5.3.4 FTA ... 92
Chapter 6 Conclusions and Future Works ... 97
  6.1 Conclusions ... 97
  6.2 Future Works ... 98
References ... 99

Full text: available on campus immediately; available off campus from 2005-08-03.