KR101598187B1 - Method and apparatus for blocking distributed denial of service - Google Patents

Abstract

The present invention relates to a method and a device for blocking distributed denial of service (DDoS). The method for blocking DDoS according to an embodiment of the present invention comprises the steps of: receiving an HTTP packet from a source ID; determining whether a GET method is included in an HTTP request line of the HTTP packet or not; determining whether an uniform resource identifier (URI) requested by the GET method is a text or an image if it is determined the GET method is included in the HTTP request line of the HTTP packet; increasing a text counter if the URI requested by the GET method is the text, and increasing an image counter if the URI requested by the GET method is the image; and blocking a packet received from the source IP by comparing the text counter with the image counter.

Description

METHOD AND APPARATUS FOR BLOCKING DISTRIBUTED DENIAL OF SERVICE [0002]

The present invention relates to a DDoS attack blocking method and apparatus.

DDoS or Distributed Denial of Service attack is one of the hacking methods that attack specific sites by distributing and deploying multiple attackers at the same time. The tools for attacking the service are put on several computers and the system of the network is degraded or the system is paralyzed by overflowing a lot of packets simultaneously so that the site's computer system can not handle the attack target.

In the case of the conventional web flooding defense function against the DDoS attack, if the number of requests of the HTTP method such as GET / POST occurs more than the threshold value for each time period of the source IP, it is determined that the attack Most of the way to block that IP. However, according to the related art, it is difficult to judge whether a normal web connection or an abnormal web connection occurs, so that there is a problem that a normal web connection may be blocked.

An object of the present invention is to provide a method and apparatus for blocking a DDoS attack by determining normal web connection and abnormal web connection, and maintaining a service for a normal web connection request and blocking an attack against an abnormal web connection request.

A method for blocking a DDoS attack according to an embodiment of the present invention includes receiving an HTTP packet from a source IP, including a GET method in an HTTP request line of the HTTP packet Determining whether a Uniform Resource Identifier (URI) requested by the GET method is a text or an image if the HTTP request line of the HTTP packet includes a GET method; Incrementing a text counter if the URI requested by the GET method is text and incrementing an image counter if the URI requested by the GET method is an image; Comparing the text counter with the value of the image counter, and blocking the packet received from the source IP.

A DDoS attack blocking apparatus according to another embodiment of the present invention includes a communication unit for receiving an HTTP packet from a source IP, a packet analyzing unit for determining whether the HTTP request line of the HTTP packet includes a GET method, Wherein the GET method comprises a request URI analysis unit, a text counter, and an image counter for determining whether a URI requested by the GET method is text or an image, when the HTTP request line of the HTTP packet includes a GET method, A counter for incrementing an image counter when the URI requested by the GET method is an image, and a counter for comparing the text counter and the value of the image counter when the URI is text, And a control unit for blocking a packet to be received.

In a computer-readable storage medium storing instructions executed by a processor for blocking a DDoS attack according to another embodiment of the present invention, an instruction executed by a processor for blocking the DDoS attack is transmitted from a source IP to an HTTP Determining whether the HTTP request line of the HTTP packet includes a GET method, determining whether the HTTP request line of the HTTP packet includes a GET method, receiving a URI requested by the GET method Incrementing a text counter if the URI requested by the GET method is text and incrementing an image counter if the URI requested by the GET method is an image; And compares the value of the image counter with the packet received from the source IP, And performing the steps as claimed.

According to the present invention, in order to attack an HTTP web server, a normal request and an abnormal request are determined for a malicious GET-flooding attack, and the service is continued for a normal request. If an abnormal request is determined to be an attack, Can be protected. Especially, it can cope with false alarms and intelligent defenses.

1 is a diagram showing a network system to which the present invention is applied.
2 is a flowchart illustrating a DDoS attack blocking method according to an embodiment of the present invention.
3 is a flowchart illustrating a DDoS attack blocking method according to another embodiment of the present invention.
4 is a block diagram illustrating an internal configuration of a DDoS attack blocking apparatus according to an embodiment of the present invention.
5 to 7 are views showing actual examples to which the present invention is applied.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Note that, in the drawings, the same components are denoted by the same reference symbols as possible. Further, the detailed description of well-known functions and constructions that may obscure the gist of the present invention will be omitted.

Throughout the specification, when a part is referred to as being "connected" to another part, it includes not only "directly connected" but also "indirectly connected" between the devices in the middle. Throughout the specification, when an element is referred to as "comprising ", it means that it can include other elements as well, without excluding other elements unless specifically stated otherwise.

1 is a diagram showing a network system to which the present invention is applied.

Referring to FIG. 1, a network system includes a plurality of terminal devices 111, 112, ..., 11k, a network 120, a DDoS security device 130, and a web server 140.

The plurality of terminal devices 111 to 112 may be connected to the web server 140 via the network 120 and use the services provided by the web server 140. The plurality of terminal devices 111, 112, ..., and 11k may include all terminals capable of connecting to the network 120, such as a computer, a PC, a notebook computer, and a mobile phone.

The network 120 connects the plurality of terminal devices 111, 112, ..., and 11k to the web server 140. In addition, the network 120 may include all networks to which a plurality of terminal devices 111, 112, ..., 11k such as the Internet, an intranet, etc. can be connected.

The DDoS attack blocking device 130 may be located between the network 120 and the web server 140. In addition, the DDoS attack intercepting device 130 may be configured to manage data packets communicated between the network 120 and the web server 140. The DDoS attack blocking device 130 may perform other security functions together. For example, the DDoS attack blocking device 130 may include a firewall, an Intrusion Prevention System (IPS), an anti-virus, an anti-spam, Related functions and the like. In addition, the DDoS attack blocking device 130 may be configured to perform various functions such as a Unified Threat Management (UTM) device, a firewall device, an Intrusion Prevention System (IPS) device, a WAF (Web Application Firewall) It may be combined with equipment.

In addition, the DDoS attack blocking device 130 may be located between the plurality of terminal devices 111, 112, ..., 11k and the network 120. In this case, it is possible to manage the data packets transmitted from the internal network to the outside and participating in the DDoS attack.

The DDoS attack blocking device 130 according to an exemplary embodiment of the present invention can determine a normal web connection and an abnormal web connection so as to maintain a service for a normal web access request and block an attack against an abnormal web access request. Therefore, it can cope with malfunctioning and intelligent defense system in particular.

The web server 140 is connected to the network 120 through the DDoS attack blocking device 130. The web server 110 is connected to a plurality of terminal devices 111, 112, ..., 11k through a network 120 and can provide services to a plurality of terminal devices 111, 112, ..., 11k.

2 is a flowchart illustrating a DDoS attack blocking method according to an embodiment of the present invention.

First, in step 210, an HTTP packet is received from a source IP. In step 220, the received HTTP packet is analyzed to determine whether or not the HTTP request line includes a GET method (GET method) . In case of normal web connection, after requesting TEXT / HTML, request GET method such as image, script or Flash file in corresponding HTML file. In comparison, in the case of a web flooding attack, only specific pages and paths are requested. According to an embodiment of the present invention, it is determined whether or not the HTTP request line includes a GET method (GET method) in order to utilize the difference between the normal and abnormal requests.

If it is determined in step 220 that the HTTP request line of the HTTP packet includes the GET method, the flow advances to step 230 to determine whether the URI (Uniform Resource Identifier) requested by the GET method is text or image. If the URI requested by the GET method is text, the flow advances to step 240 to increase the text counter. If the URI requested by the GET method is an image, the flow advances to step 250 to increase the image counter . Text can be checked by extension such as HTML, ASP, CGI, PHP, etc. Images can be viewed with JPG, JPEG, PNG, GIF or other extensions.

Thereafter, in step 260, the text counter and the image counter are compared with each other, and the packet received from the source IP is blocked. In this case, according to an embodiment of the present invention, when only one counter of the text counter or the image counter increases beyond the set value, the source IP can be blocked. In particular, if only one counter of the text counter or the image counter increases beyond the set value during the set time, the source IP may be blocked. In other words, after determining how many total GET methods have arrived for a certain period of time, it is determined whether there are several text URIs and image URIs in the GET method, and only the text count is incremented. Thereby blocking the source IP.

Common BOT attacks are characterized by repetitive flooding attacks on specific URLs. The specific URL may be a text URL or an image URL, but the prior art has determined the attack only by the threshold for the GET method for each source IP. Therefore, if there is a large number of images in a specific URL, there are cases where a large number of GET methods occur and attacks are misleading. In order to prevent false positives, when the threshold value for the GET method is increased, attack traffic is increased .

In contrast to this, according to the embodiment of the present invention, not only the threshold value of the GET method is considered but also the value of the text counter and the image counter are compared to prevent the false alarm, and the inflow of the attack traffic can be blocked.

3 is a flowchart illustrating a DDoS attack blocking method according to another embodiment of the present invention.

First, in step 310, an HTTP packet is received from the source IP.

If it is determined in step 320 that the source IP is the IP registered in the black list, if it is determined that the source IP is the IP registered in the black list, the source IP is immediately blocked in step 340.

If it is determined in step 320 that the source IP is not the IP registered in the black list, the process proceeds to step 330 and determines whether the source IP is an IP registered in the white list. If it is determined that the source IP is an IP registered in the whitelist, the flow advances to step 350 and the HTTP packet is immediately passed.

If it is determined in step 330 that the source IP is not the IP registered in the whitelist, it is determined whether or not the HTTP request line of the HTTP packet includes a GET method, that is, the process proceeds to step 220 of FIG. 2, Go ahead.

According to the embodiment of the present invention, IPs that have been judged as IPs to be blocked and registered in the black list are immediately blocked without performing an analysis process. Similarly, IPs judged to be passed are registered in the whitelist IP can be bypassed without going through the analysis process, thus increasing efficiency.

In this case, the order of steps 320 and 330 may be changed. That is, it is possible to first check whether the source IP is an IP registered in the whitelist, and then check whether the source IP is an IP registered in the black list.

Further, the source IP determined to be a normal web connection may be registered in the whitelist for a certain period of time to bypass the defensive function, and the source IP determined to be an abnormal web connection may be registered in the black list for a certain period of time have.

The embodiments of the invention thus far described may be embodied in instructions carried out by a processor and stored in a computer-readable storage medium. When these instructions are executed by a processor, they may generate means for implementing the functions / operations specified in the flowcharts and / or block diagrams described above. Each block in the flowcharts / block diagrams may represent hardware and / or software modules or logic that implement embodiments of the present invention. Further, the functions referred to in the block diagrams may occur outside the order mentioned in the drawings, or may occur simultaneously.

The computer-readable medium can include, for example, but is not limited to, a non-volatile memory such as a floppy disk, ROM, flash memory, disk drive memory, CD-ROM, and other persistent storage, Available.

4 is a block diagram illustrating an internal configuration of a DDoS attack blocking apparatus according to an embodiment of the present invention.

4, a DDoS attack blocking apparatus 400 according to an embodiment of the present invention includes a communication unit 410, a packet analysis unit 420, a request URI analysis unit 430, a counter unit 440, (450) and a control unit (460).

The communication unit 410 connects the DDoS attack blocking device 400 and the network system, and performs wired and / or wireless communication. The communication unit 410 may perform a function of transmitting and receiving data for communication between the DDoS attack blocking device 400, the web server 140, and the network 120. [ According to the embodiment of the present invention, the communication unit 410 receives the HTTP packet from the source IP.

The packet analyzing unit 420 analyzes the HTTP packet received through the communication unit 410. According to an embodiment of the present invention, the packet analyzing unit 420 determines whether or not the HTTP request line of the HTTP packet includes a GET method. In addition, the packet analyzer 420 can analyze the HTTP packet received based on the information registered in the temporary list 450.

The request URI analysis unit 430 analyzes the URI requested by the GET method. According to an embodiment of the present invention, when determining that the HTTP request line of the HTTP packet received by the packet analyzing unit 420 includes a GET method, the request URI analyzing unit 430 determines whether the URI requested by the GET method is a text It is determined whether or not it is a recognition image. In addition, the request URI analysis unit 430 may analyze the URI requested by the GET method based on the information registered in the temporary list 450.

The counter unit 440 includes a text counter 441 and an image counter 442, and performs counting. According to one embodiment of the present invention, the counter unit 440 increases the text counter when the URI requested by the GET method is text, and increases the image counter when the URI requested by the GET method is an image.

The storage unit 450 stores programs and data necessary for the operation of the DDoS attack intercepting apparatus 400. The storage unit 450 may be a volatile storage medium or a nonvolatile storage medium, or may be a combination of both storage media. The volatile storage medium may include a semiconductor memory such as a RAM, a DRAM, and a SRAM. The nonvolatile storage medium may include a hard disk and a flash NAND memory. According to one embodiment of the present invention, the storage unit 450 stores a black list 451, a whitelist 452, and a temporary list 450.

The control unit 460 is a component that controls the overall operation of the DDoS attack intercepting apparatus 400. [ In the present invention, the control unit 460 controls the overall operation of the process in which the DDoS attack intercepting apparatus 400 analyzes the packet and determines the passage / blocking of the packet. According to an embodiment of the present invention, the control unit 460 compares the values of the text counter 441 and the image counter 442 to block packets received from the source IP. In addition, the control unit 460 may block the source IP when the counter of only one of the text counter 441 and the image counter 442 increases beyond the set value. In particular, If only one of the counter 441 or the image counter 442 is increased beyond the set value, the source IP may be blocked.

In addition, according to an embodiment of the present invention, the control unit 460 may block the source IP when the source IP is determined to be the IP registered in the black list 451. In addition, when the controller 460 determines that the source IP is an IP registered in the whitelist, the controller 460 can pass the HTTP packet. Furthermore, when the source IP is an IP that is not registered in the black list or the whitelist, the controller 460 may register the IP in the temporary list.

As described above, the DDoS attack blocking apparatus 400 according to the embodiment of the present invention includes a communication unit 410, a packet analysis unit 420, a request URI analysis unit 430, a counter unit 440, a storage unit 450, And the control unit 460, and determine the passing / blocking of the packet.

In the above description, the packet analyzing unit 420, the request URI analyzing unit 430, the counter unit 440, and the control unit 460 are configured as separate blocks, and each block performs a different function. However, For convenience, these functions are not necessarily distinguished. For example, the functions performed by the packet analyzer 420, the request URI analyzer 430, and the counter 440 may be performed by the controller 460 itself.

5 to 7 are views showing an actual example to which the present invention is applied. FIG. 5 is a screen capturing a packet passing through the DDoS attack blocking device 130.

First, referring to FIG. And Time 510 indicate an index, Source 520 indicates a source IP, Destination 530 indicates a destination IP, Protocol 540 indicates a protocol used, Length 550 indicates a size, Info 560 indicates a packet .

FIG. 5 shows a process of evenly requesting text and images in the case of a normal web connection. Looking at the Info 560, when using the GET method, text (html, css, javascript) may be requested, and images (PNG) may be used.

FIG. 6 shows a request for only text (html) on a screen showing an abnormal web connection, and FIG. 7 shows a request for only an image (jpeg) on a screen showing an abnormal web connection.

5 to 7, it can be seen that the normal web connection and the abnormal web connection are significantly different from each other. The present invention is based on this point, and it can judge a normal request and an abnormal request by using the difference as described above, and continues the service for a normal request, and judges that an abnormal request is an attack, thereby protecting the web server from an attack. Especially, it can cope with false alarms and intelligent defenses.

The embodiments of the present invention disclosed in the present specification and drawings are merely illustrative examples of the present invention and are not intended to limit the scope of the present invention in order to facilitate understanding of the present invention. It will be apparent to those skilled in the art that other modifications based on the technical idea of the present invention are possible in addition to the embodiments disclosed herein.

111, 112, ... , 11k: terminal device
120: Network
130: DDoS attack blocking device
140: Web server

Claims (14)

Receiving an HTTP packet from a source IP;
Determining whether the HTTP request line of the HTTP packet includes a GET method;
Determining whether a URI (Uniform Resource Identifier) requested by the GET method is a text or an image if the HTTP request line of the HTTP packet includes a GET method;
Increasing a text counter if the URI requested by the GET method is text and increasing an image counter if the request URI requested by the GET method is an image; And
Comparing the text counter with the value of the image counter, and blocking the packet received from the source IP.
The method according to claim 1,
Comparing the text counter and the value of the image counter to block packets received from the source IP,
And blocking the source IP if a counter of only one of the text counter or the image counter increases by more than a predetermined value.
The method according to claim 1,
Comparing the text counter and the value of the image counter to block packets received from the source IP,
And blocking the source IP when the number of the counter of either the text counter or the image counter increases by more than the set value during the set time.
The method according to claim 1,
After receiving the HTTP packet from the originating IP,
Determining whether the source IP is an IP registered in a black list; And
And blocking the source IP if the source IP is determined to be an IP registered in the black list.
The method according to claim 1,
After receiving the HTTP packet from the originating IP,
Determining whether the source IP is an IP registered in a white list; And
Further comprising the step of passing the HTTP packet if the source IP is determined to be an IP registered in the whitelist.
The method according to claim 1,
After receiving the HTTP packet from the originating IP,
It is determined whether the source IP is an IP registered in the black list or the whitelist. If the source IP is an IP not registered in the black list or the whitelist, whether or not the HTTP request line of the HTTP packet includes a GET method The method comprising the steps of: detecting a DDoS attack;
A communication unit for receiving an HTTP packet from a source IP;
A packet analyzer for determining whether the HTTP request line of the HTTP packet includes a GET method;
A request URI analysis unit for determining whether the URI requested by the GET method is a text or an image if the packet analyzing unit determines that the HTTP request line of the HTTP packet includes a GET method;
A counter for incrementing the image counter if the URI requested by the GET method is an image; and a counter for incrementing the image counter if the URI requested by the GET method is an image; And
And a controller for comparing the text counter and the value of the image counter to block packets received from the source IP.
8. The method of claim 7,
Wherein,
And blocks the source IP when the counter of only one of the text counter and the image counter increases by more than a set value.
8. The method of claim 7,
Wherein,
And blocks the source IP when a counter of only one of the text counter and the image counter increases by more than a predetermined value during a set time.
8. The method of claim 7,
A black list, a whitelist, and a temporary list.
11. The method of claim 10,
Wherein,
And blocks the source IP if the source IP is determined to be an IP registered in the black list.
11. The method of claim 10,
Wherein,
And to pass the HTTP packet if the source IP is determined to be an IP registered in the whitelist.
11. The method of claim 10,
Wherein,
Registering the source IP in the temporary list when the source IP is an IP not registered in the black list or the whitelist,
Wherein the packet analysis unit and the request URI analysis unit perform analysis through information registered in the temporary list.
In a computer readable storage medium in which instructions executed by a processor for blocking a DDoS attack are stored,
The command executed by the processor for blocking the DDoS attack includes:
Receiving an HTTP packet from a source IP;
Determining whether the HTTP request line of the HTTP packet includes a GET method;
Determining whether the URI requested by the GET method is a text or an image if the HTTP request line of the HTTP packet includes a GET method;
Increasing the text counter if the URI requested by the GET method is text, and incrementing the image counter if the URI requested by the GET method is an image; And
Comparing the text counter with the value of the image counter, and blocking the packet received from the source IP.

Images