網路匯集點的Flooding訊務偵測與自動通告系統

Abstract

依據多年的區網管理經驗,我們發現:絕大部分的abuse 抱怨事件均源自用戶的忽視電腦安全,致大量主機成為spammer持續散播廣告信,發動 DDoS攻擊的掩護工具.然而,遭誤用的系統會持續,頻繁地建立網路連接到單一或多部主機.所以,不僅源自遭感染主機的flow連接與封包量會超量增加,其超量訊務持續時段也明顯拉長.依據這些Flooding異常特徵,本研究運用節點router Netflow 轉送紀錄, 實做Flooding異常訊務偵測(Flooding Detection System, FDS).\n系統首先選定適當的傳訊特徵, 讀取 NetFlow data,累計/排序相關的訊務數值,再據以偵測flooding異常訊務,協助管理人員監看PortScan, Spam,及UDP Packet flooding的具體傳訊數據. 此外,系統也萃取flooding source IP, 連接RWhois IP管理資訊server 查詢對應的管理人員資訊,自動email通知網管,協助端點用戶修補遭感染的系統,主動阻截攻擊或廣告信訊務.

The rapid growth in DoS attack, spam and mass-mail viruses has increased the need to develop effective approaches for detecting the significant flooding anomaly. As all traffic between the public Internet and the customer’s desktop are interconnected through ISP’s access router, it might be feasible and effective for adding an extra level flooding filtering over aggregate networks for detecting the source hosts that launch flooding based DoS attack and delivery huge amount of spam.\nThis work makes use of the transportation traffic log gathered from backbone router to develop flooding detection system (FDS) that measures and detects the extremely anomalous traffic according to the bulk distribution aspect of the obvious anomalies, including: packet flooding attack, portscan, spam distribution, and packet flooding attack.\nFDS system has been deployed in one regional network center over a TANet (Taiwan Academic Network) network center for offering an extra level filtering and assisting network users grasping the significantly anomalous traffic.