Newsletter No. 452

4.2.2015 • In Plain View

DDoS Attacks: A Powerful Cyber-war Tool

Prof. Lau Wing-cheong (photo by ISO staff)

When Sony’s PlayStation Network and Microsoft’s Xbox Live were taken down on 25 December 2014, many gamers who had planned to spend their Christmas holidays playing online had their mood spoiled. The outage was caused by overloading from a ‘distributed denial of service attack’, known as a DDoS attack.

Prof. Lau Wing-cheong of the Department of Information Engineering explains, ‘A DDoS attack is meant to interrupt or suspend the services of a server or website.
It’s called “distributed” because the incoming traffic flooding the victim originates not from one source, but from hundreds of thousands of different sources.’

Hong Kong people are no strangers to DDoS attacks. Last year (2014) a popular voting website in the city was crippled by a massive 200 Gbps DDoS attack. Professor Lau says, ‘If your computer, smartphone or TV box is infected with a computer virus or malware, hackers can not only steal your personal information, but can also remotely control such an Internet endpoint to do something harmful, such as sending out junk mail and launching DDoS attacks. The computers under their control are called bots.’

In addition to cyber mischief, DDoS attacks have been used for extortion. Professor Lau explains, ‘There are betting sites overseas where gamblers may try their luck before a competition such as a World Cup match. People could blackmail these websites, threatening attack and prolonged paralysis.’ DDoS attacks can also serve as a stepping stone for more sophisticated attacks: a legitimate website is taken down and a fake one is put in its place to spread false or misleading messages, or to achieve other purposes.

Professor Lau says that defending a site against DDoS attacks is not an easy task. The most thorough remedy, the so-called ‘clean slate approach’, would replace the current Internet infrastructure and protocols with entirely new designs. Research on future Internet architectures has been conducted around the world, but widespread adoption of a new architecture is not something that will happen in the near future.

The chief targets of DDoS attacks are service providers rather than individuals, but that does not mean individual users are immune. Professor Lau points out that cloud services and mobile apps have more serious implications for individual users. He explains, ‘Now almost everyone has a smartphone. But some mobile apps may be written by one or two students.
Because of limited resources and awareness, these apps may not be very safe in terms of cybersecurity.’

Professor Lau says that cybersecurity is one of the recent focuses of the Department of Information Engineering. The department not only makes it a main area of research, but also treats it as a key element of its curricula, with the aim of improving students’ technical know-how and awareness of the subject. When programmers design a system or write a programme, they normally attach the greatest importance to its efficiency and its ability to run smoothly under normal conditions, and may not prepare it well enough for the worst case brought about by active, systematic attack. Hackers, however, will persistently look for vulnerabilities in a programme and bottlenecks in a system, and deliberately trigger those corner cases so that the programme suddenly runs a hundred or a thousand times slower than normal.

The future Internet of Things also presents a new challenge to cybersecurity, because more and more household devices such as home monitors, lighting systems and thermostats are connected to the Internet. Malicious actors are extending their focus to these new devices beyond the commonly targeted personal computer. In view of this trend, cybersecurity is one of the recent research interests of the Mobile Technologies Centre led by Professor Lau. The centre focuses on mobile technologies and their applications; its other research interests include cloud systems, radio-frequency identification (RFID) and decentralized social networks. Professor Lau says, ‘We’ve developed some programmes that can scan and detect vulnerabilities of mobile apps and social networks.
The industry is interested in this technology and hopes that we can help them to identify problems in their apps.’

He adds, ‘The most rewarding thing for us as members of the Chinese University is to see that our research results can solve problems for the industry through knowledge transfer and make an impact on society.’
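Professor Lau's point that the flood is “distributed” across a huge number of endpoints is what makes the classic per-source defence fail. The following is an added example, not code from the newsletter or from Professor Lau's centre: a fixed-window per-source rate limiter is run over two constructed traffic sets of the same size, one from a single host and one from a botnet of 10,000 bots (the page speaks of hundreds of thousands; the count here is reduced only so the script runs quickly). The addresses (203.0.113.5 and a range inside 10.0.0.0/8), the limit of 20 requests per second and the traffic itself are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict


class PerSourceRateLimiter:
    """Fixed-window limiter: each source address may send at most `limit`
    requests in any `window`-second window; further requests are dropped."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit = limit
        self.window = window
        self.counts = defaultdict(int)  # (source, window index) -> requests seen

    def allow(self, source: str, ts: float) -> bool:
        slot = (source, int(ts // self.window))
        self.counts[slot] += 1
        return self.counts[slot] <= self.limit


def single_source_flood(n: int, attacker: str = "203.0.113.5"):
    """Constructed traffic: n requests from one host spread over one second.
    203.0.113.5 is a documentation address (RFC 5737), not a real attacker."""
    return [(attacker, i / n) for i in range(n)]


def botnet_flood(n: int):
    """Constructed traffic: n requests in the same second, each from a
    different bot. Addresses are synthetic, taken from 10.0.0.0/8."""
    first = int(ipaddress.IPv4Address("10.0.0.1"))
    return [(str(ipaddress.IPv4Address(first + i)), i / n) for i in range(n)]


def filter_traffic(events, limit: int = 20, window: float = 1.0) -> dict:
    """Run the events through a per-source limiter and report how many
    requests still reach the server behind it."""
    limiter = PerSourceRateLimiter(limit, window)
    reached = sum(1 for source, ts in events if limiter.allow(source, ts))
    return {"total": len(events), "reached_server": reached, "dropped": len(events) - reached}


def peak_rate(events, window: float = 1.0) -> int:
    """Highest number of requests seen in any window regardless of source:
    the aggregate view that a per-source limiter never looks at."""
    per_window = defaultdict(int)
    for _, ts in events:
        per_window[int(ts // window)] += 1
    return max(per_window.values(), default=0)


if __name__ == "__main__":
    for name, events in (("single source", single_source_flood(10_000)),
                         ("10,000 bots", botnet_flood(10_000))):
        print(name, filter_traffic(events), "peak rate:", peak_rate(events))
```

The single-host flood is cut down to 20 requests per second, but every one of the 10,000 botnet requests passes, because each bot individually stays under the limit. An aggregate counter does see the flood, yet at that level it cannot tell the bots from 10,000 genuine users who happen to arrive in the same second; that is the gap Professor Lau refers to when he says defending a site is not easy.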
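The paragraph on corner cases that make a programme run a hundred or a thousand times slower describes an algorithmic-complexity attack. The following is an added example, not code from the page or from Professor Lau's group, showing one well-known instance: hash flooding against a hash table whose string hash is predictable. The hash function, the toy chaining table and the constructed keys are assumptions made for the example; the keyed BLAKE2b alternative is one standard mitigation, chosen here for illustration. The example counts key comparisons rather than wall-clock time so that the slowdown is deterministic.

```python
import hashlib
import itertools
import os


def polynomial_hash(s: str) -> int:
    """Unkeyed string hash of the form h = 31*h + c (mod 2**32), the shape used
    by Java's String.hashCode and many hand-rolled hash tables. Its output is
    fully predictable, so an attacker can precompute colliding inputs."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(s: str, key: bytes) -> int:
    """Keyed hash (BLAKE2b truncated to 32 bits). Without the secret key an
    attacker cannot predict which bucket a string will land in."""
    digest = hashlib.blake2b(s.encode("utf-8"), key=key, digest_size=4).digest()
    return int.from_bytes(digest, "big")


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons as a
    proxy for CPU time spent walking bucket chains."""

    def __init__(self, hash_fn, capacity: int = 1 << 16):
        self.hash_fn = hash_fn
        self.capacity = capacity
        self.buckets = [[] for _ in range(capacity)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % self.capacity]
        for entry in chain:  # every existing entry in the chain is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def colliding_keys(blocks: int) -> list:
    """'Aa' and 'BB' hash to the same value under the 31-multiplier hash
    (31*65 + 97 == 31*66 + 66 == 2112), so every string built from those two
    blocks collides with every other: 2**blocks keys sharing a single hash.
    Because the full 32-bit hash is identical, resizing the table cannot
    separate them; they land in one bucket at every capacity."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=blocks)]


def benign_keys(n: int) -> list:
    """Constructed ordinary-looking keys for the baseline measurement."""
    return [f"user-{i:04d}" for i in range(n)]


def insertion_cost(keys, hash_fn) -> int:
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, None)
    return table.comparisons


def compare(blocks: int = 11, key=None) -> dict:
    """Comparisons needed to insert 2**blocks keys in three settings:
    benign keys, attacker-chosen keys, and attacker-chosen keys under a
    keyed hash. `key` is the table's secret; a fresh one is drawn if omitted."""
    key = key if key is not None else os.urandom(16)
    attack = colliding_keys(blocks)
    return {
        "benign_unkeyed": insertion_cost(benign_keys(len(attack)), polynomial_hash),
        "attack_unkeyed": insertion_cost(attack, polynomial_hash),
        "attack_keyed": insertion_cost(attack, lambda s: keyed_hash(s, key)),
    }


if __name__ == "__main__":
    result = compare()
    print(result)  # attack_unkeyed == n*(n-1)/2 == 2096128 for n == 2048
    print("slowdown: %.0fx" % (result["attack_unkeyed"] / max(result["benign_unkeyed"], 1)))
```

With 2,048 attacker-chosen keys the unkeyed table performs n(n-1)/2 = 2,096,128 comparisons, a three-orders-of-magnitude jump over the benign baseline, which is exactly the kind of bottleneck the passage describes. The same keys inserted under a secret-keyed hash spread across the buckets again, because the attacker can no longer compute where they will land.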
