Title page for etd-0714105-142944
Title
Denial of Service Traceback: an Ant-Based Approach
Department
Year, semester
Language
Degree
Number of pages
60
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2005-07-04
Date of Submission
2005-07-14
Keywords
IP traceback, Ant Algorithm, DoS, NetFlow
Statistics
The thesis/dissertation has been browsed 5846 times and downloaded 0 times.
Abstract
Denial-of-Service (DoS) attacks that use source IP address spoofing have become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all resources, degrading network performance or, even worse, causing network breakdown. A proactive approach to DoS attacks is to locate the original attack host(s) issuing the attacks and stop the malicious traffic, instead of wasting resources on the attack traffic.
In this research, an ant-based traceback approach is proposed to identify the origin of a DoS attack. Instead of requiring a new type or function on the router or processing high-volume, fine-grained data, the proposed traceback approach uses flow-level information to spot the origin of a DoS attack.
Two characteristics of the ant algorithm, quick convergence and its heuristic nature, are adopted in the proposed approach to find the DoS attack path. Quick convergence finds the origin of a DoS attack efficiently; the heuristic yields a solution even when the network provides only partial flow information.
The proposed method is validated and evaluated through preliminary experiments and through simulations of various network environments generated with the network simulator NS-2. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments, with either full or partial flow information provided by the network.
Table of Contents
Chapter 1 Introduction
1.1 Problem definition
1.2 Motivation
Chapter 2 Related work
2.1 IP Traceback
2.1.1. Packet marking
2.1.2. Logging
2.2 Network Flow
2.3 Ant Algorithm
Chapter 3 Ant-Based DoS Traceback
3.1 NetFlow
3.2 The Proposed Solution
3.3 Extension to partial flow information
Chapter 4 System Design and Verification
4.1 System Architecture
4.2 Flow Management
4.3 Preliminary Experiment
Chapter 5 Performance evaluation
5.1 Simulation topology
5.2 Simulation scenario
Chapter 6 Conclusions
Reference