KR101048000B1 - DDoS Attack Detection and Defense - Google Patents

Abstract

The present invention obtains control by infecting a virus, a worm, a Trojan horse, etc. among all the terminals using the Internet connected to the broadband network, and deliberately repeatedly accesses a specific site to deplete network bandwidth or access server resources. It is a method of detecting and defending Distributed Denial of Service (DDoS) that denies access to normal terminals by making it denied. The existing DDoS attack defense devices are located in the middle of the external network and server connected to the site. To prevent it.

However, the network load between the defense equipment and the server can be reduced only, and the network portion from the external network to the defense equipment is exposed to the attack, so the DDoS attack traffic increases the defense function as soon as the network bandwidth exceeds the network bandwidth from the external network to the defense equipment. It came to a limit that could not be strange.

In order to overcome this limitation, it detects the attack of the infected terminal, changes the response of the request to access the attack site, directs it to the attack blocking site, and blocks the access to the target site. The traffic volume for the network bandwidth is a stable detection / detection and defense system.

 DDoS: Distributed Denial of Service (SDo), SYN: Due to the nature of the TCP protocol, a requesting packet is called a SYN to establish a reliable connection. Passing domain information to obtain an IP address (consisting of DNS Request packet and DNS Response packet), DNS packet modulation technology: When DNS Lookup responds faster than Domain Name Server, the site's IP address can be modified. Technology, DNS Flush: clearing DNS cache information, DNS cache: storage for storing the URL and IP address of a site acquired through DNS Lookup for a certain time, domain view: homepage domain where Internet users are on the Internet The number of times you access the website, pageviews: The number of times an Internet user opens the homepage on the Internet, the zombie PC: The computer infected with malware Emitter (C & C used mainly under the control of the server, etc. DDoS attack)

Description

A method for detecting and protecting DDoS attack

The present invention obtains control by infecting a virus, a worm, a Trojan horse, etc. among all terminals connected to a broadband network using the Internet, and performs a distributed denial of service attack (DDoS) attacking a specific site. It is about detection / detection and defense method of security. It detects abnormal traffic signs by classifying terminals that are attacked by DDoS and blocking the attack just before the arrival of destination, which is the existing method, when infected terminal tries to access a specific site. Detects terminals acting as a zombie PC, and bypasses the target site to a separate attack blocking network and attack blocking site to prevent DDoS attacks. In addition, by sending a message such as pop-up notification / blocking notification to the corresponding zombie PC terminal affected by the virus, the terminal user is protected by informing the facts and protecting the target site. In order to prevent the terminal from finding and inducing treatment and blocking, the security of the network bandwidth between the Internet network and the target server is enhanced.

Previously, DDoS attack defense devices were located in the middle of the external network and server accessing the site, and when attacked, the attack pattern was analyzed to prevent the request for the IP when it was determined to be a zombie PC terminal.

However, even if the request is rejected, traffic is generated to analyze the request and determine whether it is a zombie PC terminal. However, network traffic between the defense equipment and the server decreases, but traffic from the external network to the defense equipment continues to increase. Beyond the limitable traffic or network traffic, defenses can no longer process and respond to requests.

In particular, since there are physical limitations in increasing network bandwidth, even if a large site is used, if the number of attack terminals is increased, a method of blocking a command by searching for a command terminal that gives an attack command to infected terminals is blocked. It was difficult to do so it was hard to respond.

Recently, there have been frequent cases where a predetermined terminal is not programmed to attack and continuously attacks specific sites as soon as the terminal is infected. In such a situation, if the malware is lurking until the majority of infected terminals are distributed, and when a predetermined time comes, a malicious program pre-programmed to attack a specific site is spread, and the damage is not only serious but also traced to who issued the attack command. There is a problem that may be impossible.

Therefore, the present invention has been devised to solve the above problems, detects an attack of an infected terminal and changes the response to a request for access to the target site to induce the attack blocking site and treat the malicious program with a vaccine. By reducing the number of infected terminals and blocking access to the target site, even if the DDoS attack increases, the traffic volume for the network bandwidth of the target site can be stably maintained. Also, by inducing the treatment of the infected terminal, It aims to provide a DDoS attack detection and defense method that can also improve quality.

The present invention for achieving the above object, in the environment that the terminal can monitor the corresponding traffic when using the Internet, when using the Internet to detect the traffic by the detection engine to analyze the Internet connection tendency at a set time to access the server DB Storing in a record table;

A technique of collecting and analyzing data of unusual patterns in order to detect abnormal traffic signs and making data based on the patterns;

Analyzing a connection tendency of the Internet stored in the access record table to distinguish between a normal use terminal and an infected terminal infected by a malicious program to attack a specific site, and detect a user of the infected terminal and store the detected list in a defense policy;

Storing the information stored in the defense policy as a report DB for management supervision;

The policy engine downloads the information stored in the defense policy and detects DNS lookup for the terminal to access the Internet first. If the infected terminal user is infected, the address of the site to be accessed is changed to the attack blocking site to normalize the service operation of the site. Technology to make it possible;

Transmitting a message such as a pop-up notification / blocking notification to a corresponding zombie PC that continues to generate abnormal traffic due to a virus, thereby informing the terminal user of the fact and inducing access to a treatment guide site;

A technique of transmitting and inducing a message so that a DNS lookup such as (1) rebooting recommendation and (2) DNS Flush occurs again to the corresponding terminal user;

It is characterized by including a technology that excludes the terminal that has been treated by the malicious program received from the treatment information site from the list of infected terminal users of the policy engine through the verification process.

According to an aspect of the present invention, there is provided a method and technology for classifying a target subject to DDoS attack among all the terminals using the Internet connected to the broadband network to the blocking or treatment guide page.

Due to the characteristics of the present invention, when an infected terminal attempts to access an attacked site, the ISP does not block the IPS device, a firewall, or the like immediately before the network arrives. As a method of detecting and blocking the source of infected devices, by bypassing and inducing DDoS attack targets elsewhere, the security is strengthened so as not to affect the network bandwidth between the internet network and the target server, so the actual target site can be protected. .

According to another aspect of the present invention, the client using most of the infected terminal is not used to know that the infection, the treatment guide page to inform the user of the infection and can also provide the effect of improving the Internet network by recommending the installation of the vaccine have.

Hereinafter, one preferred embodiment according to the present invention will be described in detail with reference to the accompanying drawings. First, like reference numerals designate functionally identical or similar parts throughout the drawings.

1 is an overall configuration diagram for detecting and blocking an attack of an infected terminal, and FIG. 2 is a diagram illustrating a configuration of an engine and an analysis server for detecting and blocking an attack of an infected terminal.

As shown in FIG. 1, among all the terminals 101 and 102 connected to the broadband network, viruses, worms, and Trojan horses are infected with the terminal 101 to obtain control and attack specific sites. As a detection and defense method of a distributed denial of service (DDoS), the infected terminal 101 attacks the specific site 113 by the DNS server 110 to the corresponding site 113, for example, www. DNS lookup requesting an IP address of .abc.com), the DNS server 110 has an IP address of a specific site (www.abc.com) 113 that is an attack target of the infected terminal 101 at 255.255. It says .111.111.

The infected terminal 101 sends an HTTP GET / POST message to the attack target site 113 using the received IP address to attack. At this time, only the HTTP GET / POST is collected by the detection engine 106 among the attack packets copied through the TAP device 105, and the data is collected and transmitted to the access record table of the analysis server 107 at regular intervals.

As shown in FIG. 2, the analysis server 107 analyzes the raw data recorded in the connection record table 201 at regular time intervals, and analyzes the number of SYN packets, the domain view and the page view ratio, and corresponds to a policy set. If so, it is stored as a defense policy. The IP information of the infected terminal 101 is stored in the infected user table 202, and the URL of the attack target site 113 is stored in the attack target table 203.

The data of the defense policy is provided as a report DB for the purpose of writing a report and grasping the status, and the policy engine 108 accesses the defense policy at regular intervals and utilizes the data to be used as a policy, that is, the target IP and the target IP at regular intervals. The attack target site URL is downloaded from the analysis server 107.

When the infected terminal 101 performs a DNS lookup to attack the specific site 113 again, the policy engine 108 first detects the request, and as shown in FIG. 3, the specific site using the DNS packet modulation technique. IP address 113 is modulated.

In order for the infected terminal 101 to attempt an attack, first, a DNS request packet is sent to a DNS server to a URL of an attack target site 113 to obtain an IP address. At this time, the policy engine 108 drops a policy from the analysis server 107. In response, the DNS Lookup of the infected terminal 101 to access the Internet site is detected and a DNS Response packet is generated.

The generated DNS Response packet structure is composed of ID header, Flag, Queries, and Answers. Here, the Answer RRs value is changed and the Answers part is added among Flag values. Forward to 101 faster than the DNS server's response.

The infected terminal 101 determines that the DNS server is a normal response and inputs the IP address of the attack target site 113 into the DNS cache as a modulated IP address, thereby ignoring the originally called response. By modifying the DDoS attack target with the tampered IP address entered in the DNS cache, the target site is bypassed and directed to the attack blocking site 111, and the normal use site is infected and the treatment guide page 112. Send a pop-up or other message to the web site or induce access to the guide site.

As shown in FIG. 4, when the terminals 101 and 102 use the Internet, the detection engine 106 collects the corresponding traffic (S101) and analyzes the traffic in the detection engine 106 to extract necessary information. (S102). Thereafter, the extracted information is stored in the access record table 201 of the analysis server 107 (S103), and the analysis of the access record table 201 periodically to use the infected user IP and the target URL as a defense policy. Stored in the policy engine 108 (S104), and transmits a list of defense policies (S105).

Thereafter, the DNS terminal receives a DNS Lookup request from the target site 113 from the infected terminal 101 (S106), modulates a DNS packet, and returns an IP address of the attack blocking site 111 (S107).

For example, when the infected terminal 101 attacks a site called www.abc.com, the DNS server 110 sends a DNS Request packet, which is a DNS Lookup procedure, and the policy engine 108 detects this and analyzes the IP. If it is an infected person in the policy, it generates a DNS Response packet. In FIG. 3, when the Answer RRs value of the Flag part indicated in the DNS packet part to be responded is changed, and the response part is sent faster than the DNS server 110 by adding the Addr value and the IP address of the site to be derived, Infected terminal 101 recognizes 111.111.111.111 instead of 255.255.111.111, which is the actual IP address of www.abc.com, and identifies the IP of the target site 113 as 111.111.111.111 in the DNS cache as shown in FIG. I will remember.

In addition, FIG. 5 shows a flow chart of detecting Internet usage of an infected terminal user and leading to a treatment guidance site, and the detailed description thereof is omitted since the defense policy list is transmitted to the policy engine 108 as described in FIG. 4. do.

Thereafter, the user of the infected terminal 101 receives the DNS lookup request of the normal site (S201), modulates the DNS packet, and returns the IP address of the treatment guide site 112 (S202).

Therefore, the IP address to be modulated is determined to be a DDoS attack if the target site is attacked as shown in FIG. 4 according to the URL requested by the infected terminal, and the IP address of the attack blocking page. If it is determined to be used, it is altered to the IP address of the treatment guide page.

The infected terminal 101 attacks the attack blocking site 111 with the modified IP address when the attack attempts, and is led to the treatment guide site 112 when the user accesses the general site.

6 shows an overall configuration diagram of the unblocking procedure, and FIG. 7 shows an overall flowchart of the unblocking procedure. As shown in Figures 6 and 7, the treatment guide site 112 informs the fact of infection and provides a therapeutic vaccine and a method of unblocking.

First, a vaccine is installed in the treatment guide site 112 (S301), and the malicious program is removed through the installed vaccine (S302). The user's PC 601, which has been treated using the vaccine, has confirmed the treatment fact through the unblocking site 602 (S303), or analyzed the access records in the analysis server 107 at predetermined time intervals to determine infection. It is lowered (S304), or the fact that the malicious program has been removed to the terminal through the call center 603 (S305), if the DDoS attack is stopped, the block is released (S306).

Then, the user 601 is removed from the infected user table 202 in the analysis server 107 (S307), and the corresponding user 601 for the blocking policy is deleted from the policy engine 108 (S308).

Thus, while continuing in the above manner, it is possible to detect and defend DDoS attacks.

While the preferred embodiments of the present invention have been described using specific conditions, these descriptions are for illustrative purposes only, and modifications and changes may be made without departing from the spirit and scope of the following claims. .

1 is an overall configuration diagram of detecting and blocking an attack of an infected terminal.

2 is a flowchart of an engine and an analysis server for detecting and blocking an attack of an infected terminal.

3 is a block diagram of a DNS packet modulation technique.

4 is an overall flowchart of detecting and blocking an infected terminal attacking an attack target site.

5 is an overall flowchart of detecting the Internet usage of an infected terminal user and leading to a treatment guidance site.

6 is an overall configuration diagram of an unblocking procedure for a terminal after treatment.

7 is an overall flowchart illustrating an unblocking procedure for a terminal which has been treated.

Claims (3)

Attack detection and defense against distributed denial of service (DDoS) attacks that attack specific sites by using abnormal traffic of viruses, worms, and Trojans among all devices connected to the broadband network using the Internet To Monitoring the traffic in an environment where the user terminal can monitor the traffic when the user terminal uses the Internet, and storing the internet access record in the analysis server at a set time; Collecting and analyzing data of unusual patterns to make and manage DBs to detect abnormal traffic signs; Based on the pattern, it analyzes the user's internet connection tendency stored in the analysis server to detect the user of the infected terminal by classifying the infected terminal attacking a specific site by infecting the normal use terminal and malicious program and saving the detected list in the analysis server Making; Analyzing which sites and networks the infected terminal attacks and storing the attack target site in the analysis server; Storing as a report DB to manage and supervise the information of the confirmed infection user stored in the analysis server; Downloading information of the confirmed infection user and attack target site information stored in the analysis server to a policy engine, and setting a user who is not in the policy to use the Internet without sanction; When an infected terminal attempts DNS Lookup to access the Internet, the policy engine first detects it and checks if the infected terminal user is a site in the defense policy, and checks the IP address of the site to be attacked. Bypassing and inducing access to the attack blocking site by tampering with the IP address of the server; Transmitting a message such as a pop-up notification / blocking notification to the infected zombie PC so as to inform and recognize the fact to the corresponding terminal user, and inducing and responding to the treatment; Inviting the terminal user to send a message so that rebooting and DNS Lookup of DNS Flush can occur again; After checking the message and receiving guidance from the unblocking site, the terminal that has been treated as the malicious program is removed from the infected user table in the defense policy of the analysis server for the user identified as a normal terminal. Including steps for excluding users, The analysis server analyzes a connection record transferred from the detection engine, obtains a pattern, and detects a user of an infected terminal according to a policy of the number of SYN packet occurrences per time, the ratio of domain view and page view. (DDoS) Attack Detection and Defense. delete The method of claim 1, When the infected terminal attempts to attack, the DNS server sends a DNS Request packet to the DNS server to obtain an IP address, and the policy engine downloads the policy from the analysis server to access the Internet site. Detecting a lookup and generating a DNS Response packet; The structure of the generated DNS response packet includes an ID header, a flag, a query, and answers, and by changing an answer RRs value among the flag values and adding an answers part, the IP address item Addr is changed to an IP address to be modulated. Deliver faster than the DNS server's response to the infected terminal, The infected terminal determines that it is a normal response of the DNS server, and the IP address of the attack target site is input to the DNS cache as a modulated IP address, and the originally called response is ignored, and the modified IP address is input to the DNS cache. The target of DDos attack is from the target site to the attack blocking site, and if it is a normal use site, DDoS (DDoS) is characterized by sending a pop-up message to the fact of infection and treatment guide page or inducing access to the guide site. ) Attack detection and defense method.

Images