Nanjing University of Aeronautics and Astronautics, Master's Thesis
Research on Intrusion Traceback Technology Based on Probabilistic Packet Marking
Name: Xi Yang
Degree applied for: Master
Major: Communication and Information Systems
Supervisor: Xia Hongshan
2009-01-01

Abstract

With the development of network technology and Internet applications, network security problems have become increasingly important. Denial-of-service attacks, being easy to launch, hard to trace and severe in their consequences, are among the hardest network security problems to solve. IP traceback is one of the important means of responding to denial-of-service attacks. This thesis focuses on the probabilistic packet marking algorithm within IP traceback and, building on traceback, studies intrusion defense technology.

Starting from an analysis of the current state of Internet security, this thesis first studies the attack mechanisms, methods and defense techniques of denial-of-service attacks, then studies in depth the algorithms that trace attack sources by probabilistic packet marking, analyzes the advantages and disadvantages of each, and proposes improvements to dynamic probabilistic packet marking, giving the improved algorithm ADPPM. The algorithm uses the distance field of the marking space to select the marking probability, so that the number of packets needed to reconstruct the attack path approaches the ideal value while the effects of attackers forging the TTL field and the distance field are effectively resisted. At the same time, the algorithm splits the mark into node marks and edge marks, three fragments of path information stored in the Type of Service field and the Identification field of the IP header, which both fully exploits the IP header space and allows attack paths to be reconstructed without a network topology map. The marking schemes were simulated and compared with the popular network simulator NS2, verifying the superiority of this algorithm.

Because existing IP traceback techniques focus only on tracing the attack source and hardly consider weakening the impact of an attack while it is taking place, this thesis, after an in-depth study of packet capture and filtering based on NDIS intermediate drivers on the Windows platform and of intelligent packet filtering based on IP traceback, designs an intrusion defense system based on ADPPM. The defense system obtains attack packet information through the ADPPM scheme and filters attack packets at the border routers and at the victim. The filtering performance of the defense system was tested on the NS2 simulation platform; the experimental results show that the filtering ratio of attack packets can reach more than 85%, thereby raising the overall throughput of legitimate traffic. The system also takes into account that once a border router fails, the intermediate-layer driver can be used at the victim to block the attack, guaranteeing the security of the system.

Keywords: network security, denial-of-service attack, intrusion traceback, probabilistic packet marking, packet filtering

ABSTRACT

With the development of network technology and Internet applications, network security becomes increasingly important. Denial of service attack is one of the hardest security problems to solve because it is easy to launch, difficult to trace and may produce serious consequences. One of the important countermeasures is IP traceback. This paper focuses on intrusion traceback technology and Probabilistic Packet Marking. On this foundation, it also studies technologies and measures to defend against intrusion attacks. The paper starts with an analysis of the current state of Internet security. First, the mechanisms, methods and countermeasures of denial of service attacks are discussed. Then several probabilistic packet marking schemes for traceback are discussed, and some improvements to the Dynamic Probabilistic Packet Marking scheme are given. The improved scheme is called ADPPM.

The distance field of this packet marking scheme is used to decide the marking probability, so that ADPPM can decrease the number of packets needed to reconstruct attack paths and can also be effective against TTL and distance fields forged by attackers. To store the path information, which is divided into three fragments by node marking and edge marking, the scheme uses the TOS and Identification fields of the IP header as its storage space. ADPPM utilizes the IP packet header space adequately and can reconstruct attack paths without Internet topology. The results of simulation experiments with NS2 validate the conclusion. Most existing traceback technologies focus only on tracing the location of the attackers, and little is done to mitigate the effect of an attack while it is under way. After an in-depth study of packet capturing and filtering based on NDIS intermediate drivers and of IP traceback-based intelligent packet filtering, this paper presents an ADPPM-based intrusion defense system that can obtain information about attack traffic and filter illegal packets at the perimeter routers and at the victim. Performance testing with NS2 shows that the BDR (Bad Drop Ratio) reaches more than 85%, so the throughput of legitimate traffic can be improved. Considering that the perimeter routers may be disabled under a heavy attack, the system can ensure safety by using the intermediate driver to block attack packets.

Key Words: network security, denial of service attack, intrusion traceback, probabilistic packet marking, packet filtering

List of Figures and Tables

Figure 2.1 Schematic of the DoS attack principle ... 5
Figure 2.2 Schematic of the DDoS attack principle ... 6
Figure 2.3 Attack model ... 11
Figure 3.1 Schematic of attack-source uncertainty ... 19
Figure 3.2 IP header marking format of basic packet marking ... 22
Figure 3.3 Relationship between marking probability and path length ... 27
Figure 3.4 ADPPM marking scheme ... 28
Figure 3.5 NS2 simulation method and procedure ... 31
Figure 3.6 Comparison of the number of packets needed for convergence across algorithms ... 33
Figure 4.1 Windows network architecture ... 37
Figure 4.2 Structure comparison before and after installing the NDIS intermediate driver ... 41
Figure 4.3 Packet structure ... 42
Figure 4.4 Passthru data sending flow