KR102027434B1 - Security apparatus and method for operating the same - Google Patents

Abstract

The present invention relates to a security device applicable to an asynchronous network having a unidirectional network characteristic and a method of operating the same. The security apparatus of the present invention receives the first packet from the client, and determines whether the IP address of the client that sent the first packet exists in the ticket list; If the IP address of the client does not exist in the ticket list, determine whether the client is a new session; If the client is a new session, calculate a predicted sequence number of a second packet to be transmitted later by the client based on the sequence information of the first packet; When the second packet is received from the client, it is determined whether the client is normal by using the sequence information of the second packet and the predicted sequence number of the second packet, and when the client is determined to be a normal client, a ticket is sent to the client's IP address. It is characterized by issuing.

Description

SECURITY APPARATUS AND METHOD FOR OPERATING THE SAME}

The present invention relates to a security apparatus and a method of operating the same, and more particularly, to an apparatus and a method of operating the security apparatus capable of determining a normal user and an abnormal user using only a packet transmitted from a client in an asynchronous network. It is about.

There are several attacks that threaten network network traffic from external network to internal system. Therefore, security equipment is installed in the internal system to block such attacks and form a good network. Types of attacks that enter the internal system from the outside are typical Denial of Service (DOS), Distributed Denial of Service (DDOS), and Flooding attacks that threaten network bandwidth. Other types of attacks include hacking and virus attacks. .

Here, the DOS attack refers to an attack method that temporarily or completely stops a service function of a network by introducing harmful traffic to a target network / server. DDOS attack, a form of DOS attack, is an attack that concentrates traffic on a target network / server by integrating multiple attack programs, which is harder to detect than general DOS attacks, and much more powerful than DOS attacks. Have DDOS attacks use up large amounts of harmful traffic to deplete resources throughout the network, while also putting a heavy load on the network and paralyzing the network.

In order to prepare for such a DDOS attack, conventionally, a security device is added to a network configuration, and a method of blocking a DDOS attack through the security device has been adopted. Here, the security equipment may be present in, for example, a synchronous network section or an asynchronous network section.

1A and 1B are diagrams showing an example of configuring the security device 2 within a synchronous network section. In the prior art, SYN-Cookie or SYN-Proxy is configured in the security device (2) when the security device (2) is configured in the synchronous network section, and the normal IP and the abnormal IP are distinguished by the SYN-Cookie or SYN-Proxy method. . That is, when configuring the security device 2 in the synchronous network section, the security device (2) by the SYN-Cooke or SYN-Proxy method using the response mechanism of the 3-way handshake process of TCP ) Is configured to respond in place of the server 50.

2A and 2B are diagrams for explaining a method of configuring the security equipment 21 and 22 and an operation thereof in an asynchronous network section. In the asynchronous network shown in FIG. 2A, there are a plurality of security devices 21 and 22. For example, in the asynchronous network shown in FIG. 2A, the packet transmitted by the client 10 is delivered to the server 50 via the first security device 21, and the packet transmitted from the server 50 is the second security. It has the characteristic of a one-way network being passed to the client 10 via the equipment 22. In the example for the asynchronous network shown in FIG. 2A, the prior art uses the client 10 by applying a SYN-Cookie or SYN-Proxy scheme between the client 10 and the first security device 21, as shown in FIG. 2B. Certification was performed. However, this method cannot determine whether the client 10 is authenticated from the position of the second security device 22. Accordingly, this method requires a process of notifying the authentication IP to the second security device 22 through an interworking process (ie, a synchronization process) of the authentication IP in the first security device 21. This synchronization process is problematic due to problems with network speed and synchronization time. In addition, even if the client 10 is authenticated through the first security device 21, the SYN-ACK packet of the server according to the SYN packet is second in the 3-way handshake process for establishing a connection with the server 50. It requires a process of sharing the session information since it must be checked whether it has been answered through the security device 22.

3 and 4 are views for explaining another configuration method of the security equipment (21, 22) and the operation thereof in the asynchronous network section. In the asynchronous network shown in FIG. 3, a plurality of security devices 21 and 22 exist, where the second security device 22 is a preliminary concept of the first security device 21. For example, the network configuration shown in FIG. 3 is a configuration for blocking harmful traffic by bypass, and represents a type in which a clean zone of an asynchronous network is configured. In the case of the configuration shown in Figure 3, it is difficult to accurately determine whether the client is normal only by the above-described features of the prior art.

As described above, the SYN-Cookie or SYN-Proxy method requires a three-way handshake process between the client 10 and the security device. In this regard, as shown in FIG. 4, after the client 10 transmits the first packet (ie, SYN packet) to the first security equipment 21, the second packet (ie, ACK packet) is transmitted to the second security device. There may be a situation of transmitting to the equipment 22. In this case, the second security device 22 is to receive the ACK packet in the situation that no packet previously received, the first security device 21 may continue to wait for the ACK packet may occur. Therefore, in the prior art, even if the client 10 is a normal client, it is difficult to determine whether the client 10 is normal through the security equipment.

Thus, new techniques are needed to block DDOS attacks on asynchronous networks.

Korean Registered Patent No.0858271

An object of the present invention is to provide a security device capable of determining the normality of a client without synchronization between a plurality of security devices in an asynchronous network, and furthermore, a security device capable of blocking DDOS attacks and a method of operating the same.

Security device connected to the server in the network of the present invention for solving the above problems is a ticket list database including a ticket list that stores the IP address issued ticket; A ticket confirmation unit that receives the first packet from the client and determines whether an IP address of the client that has transmitted the first packet exists in the ticket list; A new session determination unit determining whether the client is a new session when the IP address of the client does not exist in the ticket list; If the client is a new session, a new session processing unit for calculating a predicted sequence number of the second packet to be transmitted later by the client based on the sequence information of the first packet-the sequence information of the packet is a sequence number, ACK number, And a data length; And when the second packet is received from the client, determine whether the client is normal by using the sequence information of the second packet and the predicted sequence number of the second packet, and when the client is determined to be a normal client, ticket to the client's IP address. Characterized in that it comprises an authentication IP processing unit for issuing.

Also, in a network, packets sent from a client may be delivered to the server through the secure device, and packets generated at the server may be delivered to the client without passing through the secure device.

The authentication IP processor may compare the sequence number of the second packet with the prediction sequence number of the second packet to determine whether the sequence number of the second packet and the prediction sequence number of the second packet are the same.

In addition, when the sequence number and the prediction sequence number of the second packet are the same, the authentication IP processing unit may have an ACK number of the second packet greater than that of the first packet, and the ACK number of the first packet and the maximum transmission unit (MTU) The client may be determined to be a normal client when the ACK number of the second packet is greater than the ACK number of the first packet and smaller than the sum of the ACK number of the first packet and the MTU.

The new session processor may calculate the predicted sequence number of the second packet by adding the sequence number of the first packet and the data length.

In addition, the size of the authentication IP tunnel through which the traffic of the network network according to the security device is communicated is larger than the size of the unauthorized IP tunnel, and the new session processor may transmit the first packet to the server through the unauthorized IP tunnel.

In addition, when the ticket is issued to the client's IP address, the ticket confirmation unit may transmit a packet received from the client to the server through the authentication IP tunnel.

Also, the security apparatus according to an embodiment of the present invention may further include a session allowance determining unit that compares the number of session attempt sessions received from the plurality of clients and the session allowance when the IP address of the client does not exist in the ticket list. Can be.

In addition, the session tolerance determiner may drop the first packet when the number of query sessions exceeds the session tolerance, and the new session determiner may be operated when the number of query sessions is less than or equal to the session tolerance.

In addition, when the client is a new session, the new session processor issues a temporary ticket to the client's IP address and updates the ticket list, and the IP authentication processor receives the second packet from the client for which the temporary ticket has been issued. It can be determined.

In addition, the security apparatus according to an embodiment of the present invention, if the ticket is issued to the IP address of the client that sent the first packet, as a result of the confirmation through the ticket confirmation unit, whether the IP address is overflowed, and the IP address May further include a threshold and attack checker configured to check at least one of attacking, drop the first packet when the client's IP address is determined to be abnormal, and add the client's IP address to the blacklist. .

In the network of the present invention for solving the above problems, a method of operating a security device connected to a server includes a ticket confirmation unit that receives a first packet from a client and sends an IP address of the client that has transmitted the first packet. Determining whether the IP address where the ticket was issued exists in a ticket list stored therein; Determining, by the new session determination unit, if the client's IP address does not exist in the ticket list, the client is a new session; Calculating, by the new session processor, a predicted sequence number of a second packet to be transmitted later by the client based on the sequence information of the first packet, wherein the sequence information of the packet is the sequence number of the packet; , ACK number, and data length; Determining, by the authentication IP processing unit, whether the client is normal using the sequence information of the second packet and the predicted sequence number of the second packet when receiving the second packet from the client; And issuing a ticket to the IP address of the client when the client is determined to be a normal client by the authentication IP processing unit.

Also, in a network, packets sent from a client may be delivered to the server through the secure device, and packets generated at the server may be delivered to the client without passing through the secure device.

The determining of whether the client is normal may include comparing the sequence number of the second packet with the prediction sequence number of the second packet and determining whether the sequence number of the second packet and the prediction sequence number of the second packet are the same. It may include.

The determining of whether the client is normal may include: when the sequence number of the second packet and the prediction sequence number are the same, an ACK number of the second packet is greater than an ACK number of the first packet, and Determining whether the sum is less than the sum of the MTUs; And determining the client as a normal client when the ACK number of the second packet is greater than the ACK number of the first packet and smaller than the sum of the ACK number of the first packet and the MTU.

The calculating of the predicted sequence number of the second packet may be performed by adding the sequence number and the data length of the first packet.

In addition, the size of the authentication IP tunnel through which the traffic of the network network according to the security device is communicated is larger than that of the non-authentication IP tunnel, and after calculating the predicted sequence number of the second packet, the new session processing unit generates a non-authentication IP tunnel. The method may further include transmitting the first packet to the server.

In addition, the method of operating a security device according to an embodiment of the present invention, when the ticket is issued to the client's IP address by the ticket confirmation unit, transmitting a packet received from the client to the server through the authentication IP tunnel It may further include.

In addition, according to an embodiment of the present invention, in the method of operating a security device, the session allowance determination unit determines the number of session attempt sessions and session allowance values received from a plurality of clients when the IP address of the client does not exist in the ticket list. Comparing may further comprise the step.

In addition, comparing the number of connection attempt sessions and the session allowance may further include dropping the first packet when the number of query sessions exceeds the session allowance, and determining whether the client is a new session may include: It may be performed when

In addition, when the client is a new session, the method of operating a security device according to an embodiment of the present invention further includes, by the new session processing unit, issuing a temporary ticket to the IP address of the client and updating the ticket list. The determining of whether the client is normal may be performed when receiving the second packet from the client for which the temporary ticket has been issued.

In addition, the operation method of the security device according to an embodiment of the present invention, when the ticket is issued to the IP address of the client that sent the first packet, as a result of the check through the ticket confirmation unit, the threshold value and the attack check unit, Checking at least one of whether it is overflowing and whether the IP address is under attack; When it is determined that the IP address of the client is abnormal, the method may further include dropping the first packet and adding the client IP address to the blacklist.

According to the security apparatus of the present invention and its operation method, it is possible to recognize spoofed IP for non-Spoofed IP, non-spoofed IP for TCP session in an asynchronous network (or unidirectional network), and abnormal IP at high speed even in a single security device.

In addition, according to the security device of the present invention and its operation method, as a method of recognizing a normal IP even in a single flow communication, after generating a response packet, as in the conventional user recognition method through the SYN-Cookie / SYN-Proxy, the response result Because it does not use the method of verifying, the user and the attacker can be quickly recognized without increasing the latency for normal user communication.

In addition, according to the security device of the present invention and its operation method, in the data transmission process of the TCP communication process, there is an advantage that can recognize the normal and abnormal only by communication analysis on a single flow. In addition, since the security apparatus and method according to an embodiment of the present invention do not reproduce packets, there is an advantage in that it does not occupy network traffic bandwidth.

1A and 1B are diagrams for explaining an example of configuring a security device within a synchronous network section.
2A and 2B are diagrams for explaining an example of configuring a security device within an asynchronous network section.
3 and 4 are diagrams for explaining another example when configuring the security equipment within the asynchronous network interval.
5 is a conceptual diagram of a security system according to an embodiment of the present invention.
6 is a block diagram of a security device according to an embodiment of the present invention.
7 is a graph for explaining the concept of session tolerance according to an embodiment of the present invention.
8 is a conceptual diagram illustrating the concept of an authenticated IP tunnel and an unauthenticated IP tunnel according to an embodiment of the present invention.
9A to 9D are flowcharts illustrating a method of authenticating a client in a one-way network through a security device according to an embodiment of the present invention.
10 is a flowchart illustrating a method of operating a security apparatus according to an embodiment of the present invention.
11 is a flowchart of an authentication IP processing step according to an embodiment of the present invention.
12 is a flowchart of a process of processing a new session according to an embodiment of the present invention.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings. Here, the repeated description, well-known functions and configurations that may unnecessarily obscure the subject matter of the present invention, and detailed description of the configuration will be omitted. Embodiments of the present invention are provided to more completely describe the present invention to those skilled in the art. Accordingly, the shape and size of elements in the drawings may be exaggerated for clarity.

Hereinafter, the security device 100 according to an embodiment of the present invention will be described.

5 is a conceptual diagram of a security system 1000 according to an embodiment of the present invention. The security device 100 according to an embodiment of the present invention may have the security device 100 configured in an asynchronous and / or one-way network to effectively block abnormal attacks from the outside such as a DDOS attack. have. To this end, the security device 100 according to an embodiment of the present invention considers the characteristics of an asynchronous network composed of a unidirectional network. The security device 100 may be, for example, a DDOS attack blocking device.

As described above, a plurality of security devices according to an embodiment of the present invention may exist in the asynchronous network (see reference numerals 100 and 100_1). Here, the security devices 100 and 100_1 may be disposed between the client 10 and the server 50. The security device 100 receives the packet from the client 10 and transmits the packet to the server 50, and determines whether the client 10 is normal by using the packet received from the client 10. The second security device 100_1 functions to deliver the packet generated from the server 50 to the client 10 (that is, the packet transmitted from the server 50 is transmitted through the second security device 100_1, or It may be delivered to the client 10 without passing through the security device (100, 100_1) (not shown).

In this case, from the standpoint of the security device 100 according to an embodiment of the present invention, the security device 100 according to an embodiment of the present invention only receives the packet from the client 10, but the server 50 may not be able to receive the packet. Packets generated by do not receive. However, a general DDOS attack detection technique (eg, SYN-Cookie or SYN-Proxy) cannot know which packet is sent from the server 50 and delivered to the client 10, and thus cannot be applied to a unidirectional network.

Accordingly, while the prior art uses the response packet in the server 50, the security device 100 according to an embodiment of the present invention is a packet transmitted from the client 10, without a response packet from the server 50 It is characterized by determining whether the client 10 is normal by using only. In order to determine whether the client 10 is normal in an asynchronous network, the security device 100 according to an embodiment of the present invention may analyze a packet transmitted from the client 10 during a data transmission process during a typical TCP communication process. Can be.

As is well known, the TCP communication process can be broadly divided into three phases, including establishing a connection, transmitting a data, and disconnecting. In this case, the connection establishment step represents a step of establishing a connection between two devices through a three-way handshake process, and the connection release step indicates a connection between two devices through a four-way handshake process. Indicates a step of releasing. Typically, the authentication of the client 10 occurs during the connection establishment phase of the three steps described above, while the security device 100 according to one embodiment of the invention performs authentication during the data transfer phase. This is to consider the characteristics of an asynchronous network, which is a one-way network, to perform authentication using an ACK packet rather than a SYN packet.

As described above, in a unidirectional network, a security device receives only a packet transmitted from a client or only a packet transmitted from a server, so that an authentication method using SYN packets that require the use of a packet transmitted from both a client and a server (for example, Cannot adopt SYN-proxy or SYN-cookie schemes where SYN packets are required. On the other hand, in the data transmission process, a packet transmitted from a client or a server is mainly an ACK packet (i.e., a packet with an ACK flag set), and according to the configuration and method described below, only a ACK packet transmitted from a client or transmitted from a server The client's authentication is also possible with only an ACK packet (i.e. without utilizing all of the packets sent from both sides). Now, a description will be given of the security device 100 according to an embodiment of the present invention with reference to FIG.

6 is a block diagram of a security device 100 according to an embodiment of the present invention. The security device 100 according to an embodiment of the present invention includes a blacklist checker 110 and a ticket checker 120 to determine whether a client is normal and to block a DDOS attack even in an asynchronous network having a one-way network characteristic. , Threshold and attack checker 130, session tolerance determiner 140, new session determiner 150, new session processor 160, authenticated IP processor 170, and non-authenticated IP processor 180. Can be. Here, the configurations are classified for each configuration by function in order to help the understanding of the present invention, and may be implemented through one processing device such as a CPU, an MPU, and a GPU.

The blacklist checker 110 checks whether the client 10 that has transmitted the packet corresponds to the blacklist. To this end, the blacklist checker 110 first receives a packet transmitted from the client 10 and extracts an IP address of the client 10 based on the received packet. The blacklist checker 110 interoperates with the blacklist database DB1 and checks whether the extracted IP address of the client 10 corresponds to the blacklist. Here, the blacklist database DB1 represents a database that is registered in the blacklist table and managed to be blocked for a predetermined time when it is determined that the traffic is harmful through the intrusion prevention systems (IPS) engine and the intrusion detection systems (IDS) engine. .

As a result of the check through the blacklist checker 110, when the client 10 corresponds to the blacklist, the blacklist checker 110 performs a process of dropping a packet transmitted by the client 10. Otherwise, whether or not to verify the authentication IP described below is performed.

The ticket confirmation unit 120 checks whether the client 10 is an authenticated client through interworking with the ticket list database DB2. Specifically, the ticket confirmation unit 120 confirms whether the client 10 is an authenticated client by confirming whether the IP address of the client 10 exists in the ticket list. As a result of the check, in the case of an authenticated client, the ticket confirmation unit 120 may perform a process of updating the ticket time issued to the client.

Here, the ticket list database DB2 represents a store for storing a ticket list for determining that the IP address of the schedule client 10 is a normal session. That is, the ticket list is a list storing details of issuance of a traffic ticket so as to determine whether the session is a normal session with respect to the IP address or the like of the client 10 to be connected. The ticket list may also include the history of issuing a temporary ticket, as mentioned below. For example, the ticket list database DB2 may store clients' IP addresses and temporary tickets and tickets issued in the form of a table, and the ticket list may be generated based on the temporary tickets and tickets issued in the stored table. Can be. Due to this characteristic, the ticket confirmation unit 120 may determine whether a ticket is issued for a corresponding session through a search, and the session in which the ticket exists after the verification process through the threshold and attack inspection unit 130 described below. It may be delivered to the server 50.

The threshold and attack checker 130 is configured to perform additional verification of the client 10 after a ticket is issued to the client 10 through the ticket checker 120, and the IP address of the client 10 is over. It checks whether it is a flow or other attack methods such as attack, hacking and virus (or abnormal attack method). If it is determined that the IP address of the client 10 is overflowed or abnormal, the process of adding the IP address of the client 10 to the blacklist database DB1 is performed. In addition, the inspection method made through the threshold value and the attack inspection unit 130 has various methods, and thus the present invention does not limit it to a specific method.

The session allowance determination unit 140 is configured to operate when the IP address of the client 10 does not exist in the ticket list, and compares the session allowance with the number of query sessions received from the clients. Here, the session tolerance is a value that is set to determine whether or not it is normal for only some of them, not all clients without tickets or temporary tickets. If it is determined that all the clients are normal without the session allowance, the security device (ie, the security device 100) in a DDOS attack situation is likely to cause an overload or a system down. In this case, the server 50 may be directly exposed to a DDOS attack, or a situation may occur in which all packets to the server 50 may not be delivered.

Accordingly, the security device 100 according to an embodiment of the present invention determines whether it is normal for only some of the clients without the ticket or the temporary ticket with the session allowance. That is, the security device 100 according to an embodiment of the present invention performs the determination of the new session and authentication IP processing described below for clients belonging to the session allowance s_a as shown in FIG. Dropping the packets transmitted by the clients out of this (i.e., zone da) ensures the stability of the security apparatus 100. The session tolerance may be, for example, 100 CPS (Connection Per Second), and this value can be changed to various values depending on the situation.

The new session determination unit 150 is operated when the IP address of the client 10 does not exist in the ticket list, and when the number of query sessions is less than or equal to the session allowance, and determines whether the client is a new session. For example, the new session determination unit 150 may check the past request of the client that sent the packet by searching a database (for example, DB1, DB2, or other database). The new session determination unit 150 may determine the client 10 as a new session if the IP address of the client 10 does not exist in the database, and conversely, if the IP address exists, the client 10 may not be a new session. It can be judged that. Of course, various methods may be applied to the method of determining whether a new session exists.

When the client 10 is a new session, the new session processor 160 analyzes the packet transmitted by the client 10, issues a temporary ticket to the IP address of the client 10 according to the analysis result, and generates a ticket list. Update As described above, the security device 100 according to an embodiment of the present invention uses the ACK packet transmitted from the client 10, not the SYN packet. This is because the authentication scheme using the SYN packet requires both a packet transmitted from the client and a packet transmitted from the server. Accordingly, the new session processing unit 160 determines whether the first packet is an ACK packet by analyzing the packet (hereinafter, referred to as a first packet) transmitted by the client 10.

When it is determined that the first packet is an ACK packet (that is, when the ACK flag is present in the first packet, the new session processing unit 160 issues a temporary ticket to the IP address of the client and stores it in the ticket list database DB2). When the first packet is determined to be an ACK packet, the new session processing unit 160 checks the sequence information of the first packet to confirm whether the client is a normal client described below. The sequence information includes a sequence number, an ACK number, and a data length of a packet, that is, the sequence information of the first packet may include a sequence number, an ACK number, and a data length of the first packet.

Thereafter, the new session processor 160 calculates a predicted sequence number of a packet (hereinafter, referred to as a second packet) that the client 10 will transmit later, based on the sequence information of the first packet. Here, the prediction sequence number of the second packet may be derived by adding the sequence number of the first packet and the data length of the first packet. Thereafter, the new session processing unit 160 stores the sequence information about the first packet and the predicted sequence number of the second packet to be received in the temporary database DB3, and delivers the first packet to the server 50. .

If it is determined that the first packet is a packet other than the ACK packet (that is, the ACK flag does not exist in the first packet), the new session processor 160 delivers the first packet to the server 50. . As described above, in an embodiment of the present invention, since the scheme uses the ACK packet, the first packet is transmitted to the server 50 without additional work when the packet is not an ACK packet. The reason why the first packet is not dropped even if the first packet is not an ACK packet is that the packet is transmitted only enough to be handled by the server 50 through the session allowance determining unit 140, so that the security apparatus 100 according to an embodiment of the present invention is provided. This is because there is no fear of overloading the communication line between the server and the server 50 and the server 50. Accordingly, even if the client 10 is a malicious attacker, the server 50 does not suffer any damage due to the packet transmitted by the client 10, so that the first packet may not be dropped.

In addition, the security device 100 according to an embodiment of the present invention delivers the packet to the server 50 in different communication tunnels according to whether a ticket is issued to the IP address of the client. As shown in FIG. 8, there is an authenticated IP tunnel and an unauthenticated IP tunnel to enable communication between the security device 100 and the server 50 according to an embodiment of the present invention. In other words, the authenticated IP tunnel and the non-authenticated IP tunnel may be physical (eg, using a different line when there are a plurality of communication lines between the security device 100 and the server 50) or logical (eg, , A method of configuring two communication tunnels having different bandwidths for one or a plurality of circuits). In addition, the size of the authenticated IP tunnel among the entire traffic of the network according to the security device 100 is preferably larger than the size of the unauthenticated IP tunnel. Accordingly, a session without a ticket is delivered to an unauthenticated IP tunnel to limit bandwidth, and a session with a ticket is delivered to an authenticated IP tunnel to communicate at a normal speed.

Since the client 10 processed by the new session processor 160 assumes a client without a ticket, the packet transmitted to the server 50 through the new session processor 160 is transferred to the server 50 through an unauthenticated IP tunnel with limited bandwidth. Is delivered.

Now assume the situation in which the second packet is sent by the client 10 where a temporary ticket has been issued. That is, the second packet refers to a packet newly transmitted by the client who transmitted the first packet after the temporary ticket is issued by the new session processing unit 160.

The blacklist checker 110 determines whether the client 10 is blacklisted and transfers control to the ticket checker 120. The ticket checking unit 120 checks whether the IP address of the client 10 exists in the ticket list. In this example, it is assumed that the temporary ticket is issued to the client 10 through the new session processing unit 160, ticket confirmation unit 120 is the client 10 through the ticket list search through the temporary ticket Will be determined to be a issued client. Thereafter, a process of considering the packet transmitted from the client 10 in which the temporary ticket is issued as the second packet is performed. Here, the second packet refers to a packet transmitted after the first packet is transmitted from the client 10 in which the temporary ticket is issued, and at the next time point.

When the second packet is transmitted from the client 10 in which the temporary ticket is issued, the authentication IP processing unit 170 determines whether to issue a ticket to the IP address of the client 10 in which the temporary ticket was issued by analyzing the second packet. do. In order to determine whether to issue a ticket, the authentication IP processor 170 may perform the following determinations.

First, the authentication IP processor 170 determines whether the second packet is an ACK packet (that is, whether the ACK flag exists in the second packet). Here, if it is determined that the second packet is a packet other than the ACK packet (that is, a packet without the ACK flag), the authentication IP processing unit 170 may transmit the second packet to the server 50 through the unauthenticated IP tunnel without further authentication. To pass. On the contrary, if it is determined that the second packet is an ACK packet, the authentication IP processor 170 may further perform the following determination.

If it is determined that the second packet is an ACK packet, the authentication IP processing unit 170 analyzes the second packet to extract sequence information of the second packet, and stores the sequence information of the second packet and the second stored in the temporary database DB3. Compare the predicted sequence numbers of the packets. Here, if the client 10 is a normal client, the sequence number of the second packet will be equal to the prediction sequence number obtained by adding the sequence number of the first packet and the data length of the first packet. Accordingly, the authentication IP processor 170 checks whether the sequence number and the prediction sequence number of the second packet are the same. As a result of the determination, when the sequence number and the predicted sequence number of the second packet are different, the authentication IP processor 170 transmits the second packet to the server 50 through the unauthenticated IP tunnel without further authentication. In contrast, when the sequence number and the prediction sequence number of the second packet are the same, the authentication IP processor 170 further performs the following determination.

The authentication IP processor 170 checks whether the ACK sequence number of the second packet is within a normal range. Specifically, the authentication IP processor 170 checks whether the ACK sequence number of the second packet is larger than the ACK sequence number of the first packet and smaller than the sum of the ACK sequence number of the first packet and the maximum transmission unit (MTU). It may be determined whether the ACK sequence number of the second packet is within a normal range. As a result of the check, when the ACK sequence range of the second packet is out of the normal range, that is, the ACK sequence number of the second packet is less than the ACK sequence number of the first packet or is greater than the sum of the ACK sequence number of the first packet and the MTU. The second packet is transmitted to the server 50 through the unauthenticated IP tunnel without additional authentication. Conversely, when the ACK sequence number of the second packet is within the normal range, the client 10 is determined to be a normal client, a ticket is issued to the IP address of the client 10, the ticket list is updated, and the second packet is determined. The packet may be forwarded to the server 50.

In addition, before transmitting the second packet to the server 50, the authentication IP processor 170 checks whether the IP address of the client 10 corresponds to an attack method, a hacking attack and a virus (or an abnormal attack method). Can be performed. That is, the authentication IP processor 170 determines whether the newly issued ticket 10 corresponds to an attack, a hack, and a virus (or an abnormal attack method). However, unlike the threshold and the attack checker 130, the client ( It is not essential to determine whether an overflow occurs for the IP address of 10). This is because it is possible to sufficiently check whether an IP address overflow occurs during the aforementioned communication process. In this process, when the IP address of the client 10 is determined to be normal, the authentication IP processor 170 transmits the second packet to the server 50, and the server 50 responds to the request according to the second packet. Accordingly, a process of transmitting the response packet back to the client 10 is performed.

In the above description, the authentication IP processing unit 170 has been described as operating regardless of the session allowance. However, this is only an example, and like the new session processing unit 160, a method of operating in consideration of the session allowance may be considered.

In addition, in the above description, when the second packet is not an ACK packet, when the predicted sequence number and the actual sequence number of the second packet are different, or when the ACK sequence range of the second packet is out of the normal range, It was described that the second packet is delivered to the server without processing. However, this is merely an example, and the authentication IP processor 170 may determine that the second packet is not an ACK packet, the predicted sequence number is different from the actual sequence number of the second packet, or the ACK sequence range of the second packet is different. When out of the normal range, a predetermined authentication mechanism may be performed for authentication of the client, and it may be determined whether or not to forward the second packet based on the result of the authentication mechanism.

The non-authenticated IP processing unit 180 is operated when the session is a ticket for which no ticket is issued and is not a new session. Specifically, the non-authenticated IP processing unit 180 is operated when a client does not issue a ticket and a packet other than a new session is transmitted, thereby processing the packet transmitted from the client. The non-authenticated IP processing unit 180 is a component for processing a client that is not a malicious client but does not meet the above-described condition due to a communication error. To this end, the unauthenticated IP processing unit 180 has an unauthenticated IP allowance value different from the session allowance value, and performs authentication processing for the corresponding client according to whether the number of sessions sent to the security device exceeds the unauthenticated IP allowance value. Or drop the packet. The authentication processing method performed through the non-authentication IP processing unit 180 is not limited to a specific method.

In addition, the security device 100 according to an embodiment of the present invention may further include a learning database and a learning unit (not shown). Here, the learning database is a database that classifies and stores a ticket list. Here, the classifying method is a ticket list management technique, and when an IP address of a certain band is registered in the ticket list more than a certain amount, the IP address of a certain band is considered to be likely to be an IP address band to normally communicate with. That's the way it is. In other words, the classifying method classifies a ticket list in a certain class unit (a unit specifying a range of IP address allocation according to size to avoid a network collision), reissues it, and stores it in a learning database. Even if an IP address not registered in the ticket list is accessed, it is regarded as registered in the ticket list. Therefore, it is a management technique that delivers the IP address with a normal ticket to the next state.

When the ticket list of the IP address reaches a predetermined value, the learning unit classifies and stores it in the learning database or checks whether the IP address checked by the ticket checking unit 120 is included in the learning database.

Through the above configurations, the security device 100 according to an embodiment of the present invention can not only check whether the client is normal in an asynchronous network having a one-way network characteristic, but also effectively block DDOS attacks, This can ensure the stability of the server 50. In addition, the security device 100 can manage the load of the device through the concept of session allowance, thereby enabling stable and efficient DDOS management.

9A to 9D are flowcharts illustrating a method of authenticating a client in a one-way network through a security device according to an embodiment of the present invention. First, FIG. 9A is a flowchart illustrating communication characteristics in an asynchronous network. As described above, there are many security devices (here, security devices) in their asynchronous network. Among them, as shown in the example of the one-way network, as shown in FIG. 9A, from among the plurality of security devices, from the standpoint of one security device 100 (hereinafter, referred to as the first security device 100), the client 10 may be configured as a single network. Although the information of the packet transmitted from the client 10 to the server 40 by receiving the transmitted packet can be confirmed, the packet transmitted from the server 40 to the client 10 exists in an asynchronous network, not itself. Since it is transmitted to the client 10 via another security device (ie, the second security device) or directly, the information cannot be confirmed. Accordingly, the security device 100 (i.e., the first security device 100) is the sequence information of the packet transmitted from the client 10 to the server 40 as shown in Figure 9a (i.e., the sequence number of the packet, While the ACK number and the packet length can be known, the sequence information of the packet transmitted from the server 40 to the client 10 cannot be grasped as indicated by the areas num ₁ , num ₂ , and num ₃ .

General security equipment adopts a method of collecting a packet transmitted from a client and a packet transmitted from a server, and analyzing all of them to determine whether the client is normal (eg, SYN-Cookie, SYN-Proxy, etc.). However, as shown in FIG. 9A, since the security device in the asynchronous network cannot collect both the packet from the client and the packet from the server, DDOS attack detection is almost difficult through the general security device. Of course, a method of solving such a problem by continuously performing synchronization between a plurality of security devices can be considered, but the synchronization process is problematic due to problems of network speed and synchronization time.

Accordingly, the security device 100 according to an embodiment of the present invention is characterized by determining whether the client 10 is normal using only the packet transmitted from the client 10. In addition, the security device 100 according to an embodiment of the present invention determines whether the client 10 is normal through a data transmission step during the TCP communication process. A method of operating the security device 100 according to an embodiment of the present invention will now be described with reference to FIGS. 9B to 9D. In addition, the following description is made on the assumption that the client 10 is a new session.

First, referring to FIG. 9B, the client 10 generates a packet and transmits it. Here, since the packet assumes a packet transmitted after the 3-way handshake process, the PUSH flag and the ACK flag may be set. In this example, the sequence number of the packet is 1, the ACK number is 1, and the data length is 200. Assume that

When the security device 100 receives a packet from the client 10, the security device 100 checks whether the IP address of the client 10 corresponds to a blacklist and a ticket list. In this case, when it corresponds to the blacklist, the security device 100 drops the received packet. Conversely, if a ticket is issued to the client's IP address, the security device 100 determines whether the client's IP address is overflowing through the threshold and attack check as described above, and other attack methods such as attack, hacking and virus (or abnormality). Attack method). As a result of the check, if a ticket is issued to the IP address of the client 10 and no abnormality is found through the threshold and the attack checker, the packet is forwarded to the server 50 without further authentication. As described above, if the IP of the client 10 is determined to be normal, the security device 100 may transmit the packet to the server 50 through the authentication IP tunnel. On the contrary, even when a ticket is issued to the IP address of the client 10, when an abnormality is found through the threshold and attack checker, the packet is dropped, the ticket issued to the IP address of the client 10 is removed, and the client 10 The blacklist may be added to the IP address.

As a result of the verification through the security device 100, when the IP address of the client 10 does not exist in both the black list and the ticket list, a process of checking the load of the security device 100 is performed. That is, when the IP address of the client 10 does not exist in both the blacklist and the ticket list, the security apparatus 100 compares the session allowance with the number of query sessions received from the clients through the session allowance determination unit. As a result of the comparison, if the number of query sessions is greater than or equal to the session allowance, the security apparatus 100 drops the packet transmitted from the client 10. Otherwise, the security device 100 checks whether the client 10 is a new session. Here, the method of checking whether the client 10 is a new session may be performed by searching for logs existing in a database (not shown). Since a description thereof has been made in detail with reference to FIG. 6 above, a redundant description will be omitted.

If it is determined that the client 10 is not a new session, the security device 100 performs control through the unauthorized IP processing unit described above. Here, in this example, it is assumed that the client 10 is a new session, the security device 100 performs the processing described below.

If it is determined that the client 10 is a new session, the security device 100 checks whether the first packet is an ACK packet (that is, whether the packet has the ACK flag set). As a result of the check, when the first packet is identified as the ACK packet, the control described below is further performed. Otherwise, the security device 100 adds the number of control sessions and delivers the first packet to the server 50 without further work.

If the client 10 is a new session and the first packet is determined to be an ACK packet, the security device 100 issues a temporary ticket to the IP address of the client 10 and updates the ticket list. In addition, the security apparatus 100 checks a packet (hereinafter, referred to as a first packet) transmitted from the client 10, extracts sequence information, and stores it in a database (temporary database in the description of FIG. 6). Here, the sequence information includes the sequence number, ACK number, and data length of the first packet.

In addition, the security apparatus 100 calculates a predicted sequence number of the second packet to be transmitted later by the client 10 based on the sequence information of the first packet. In the example of FIGS. 9A to 9D, since the first packet is assumed to have a sequence number of 1, an ACK number of 1, and a data length of 200, the security apparatus 100 may determine the prediction sequence number of the second packet of the first packet. The sum of the sequence number 1 and the data length 200, that is, 201 can be calculated. Thereafter, the security apparatus 100 stores the predicted sequence number of the calculated second packet together in a database (temporary database in the example of FIG. 6). Thereafter, the security device 100 transmits the received first packet to the server 50. In this case, since only a temporary ticket is issued to the client 100, the security device 100 may transmit the first packet through an unauthenticated IP tunnel.

See FIG. 9C. After receiving the first packet, the server 50 indicates an ACK packet indicating that the first packet was well received and including contents according to the request of the client 10 (in this example, the sequence number is 1 and the ACK number). 201 and an ACK packet having a data length of 1448) are transmitted to the client 10. As described above, the packet transmitted from the server 50 will be transmitted to the client 10 via a security device (not shown) other than the security device 100 or without the security device. Accordingly, the security device 100 according to an embodiment of the present invention does not know at all whether the ACK packet is generated in the server 50 and transmitted to the client 10.

Thereafter, the client 10 generates a new packet (ie, a second packet) according to the ACK packet received from the server 50 and transmits it to the security device 100. Here, it is assumed that the sequence number of the second packet is 201 and the ACK number is 1449. In addition, the security device 100 checks whether the IP address of the client 10 corresponds to the blacklist or the ticket list. In this example, since it is assumed that a temporary ticket is issued to the IP address of the client 10, the security device 100 checks whether the second packet is an ACK packet (that is, a packet in which an ACK flag is set).

As a result of the check, when the second packet is not an ACK packet (ie, when the ACK flag is not set), the security apparatus 100 adds the number of control sessions, and transmits the second packet without additional control. To pass). On the contrary, when it is determined that the second packet is an ACK packet (that is, when the ACK flag is set), the security apparatus 100 checks the sequence information of the second packet, and the sequence number of the second packet and the second described above. Compare the predicted sequence numbers of the packets. If these numbers are different as a result of the comparison, the security apparatus 100 adds the number of control sessions and delivers the second packet to the server 50 without further control. If these numbers, that is, the sequence number of the second packet and the predicted sequence number are the same, the security apparatus 100 checks whether the ACK number of the second packet is within the normal range, as described below.

The security apparatus 100 determines whether the ACK number of the second packet is within the normal range by determining whether the ACK number of the second packet is greater than the ACK number of the first packet and smaller than the sum of the ACK number of the first packet and the MTU. Can be. In this example, since the ACK number of the second packet is assumed to be 1449 and the MTU value is assumed to be 1500, the ACK number 1449 of the second packet is greater than 1, which is the ACK number of the first packet, and the ACK of the first packet. Is less than 1501, the sum of the number and MTU.

As such, when the sequence number and the prediction sequence number of the second packet are the same and the ACK number of the second packet is within the normal range, the security apparatus 100 determines the client 10 as a normal client, and transmits a ticket to its IP address. Issue a second packet to the server 50. Of course, before transmitting the second packet to the server 50, the security device 100 checks whether the IP address of the client 10 corresponds to an attack method, an attack method, a hacking virus, or a virus (or an abnormal attack method). Can be done. In other words, the security apparatus 100 determines whether the newly issued ticket 10 corresponds to an attack, a hack, and a virus (or an abnormal attack method), but an overflow occurs with respect to the IP address of the client 10. It is not essential to judge whether or not. This is because it is possible to sufficiently check whether an IP address overflow occurs during the aforementioned communication process. In this process, when the IP address of the client 10 is determined to be normal, the security apparatus 100 transmits the second packet to the server 50, and the server 50 responds to the request according to the second packet. A process of transmitting the response packet back to the client 10 is performed (see FIG. 9D).

Conversely, when the ACK number of the second packet is not within the normal range, the security device 100 adds the number of control sessions and delivers the second packet to the server 50 without further control.

As described with reference to FIGS. 9A to 9D, the security device 100 according to an embodiment of the present invention uses DDOS only by using the packet transmitted from the client 10 without information on the packet transmitted from the server 50. Enables blocking of attacks. Accordingly, even if the security device 100 according to an embodiment of the present invention is applied to an asynchronous network having a one-way network characteristic, it has an advantage of blocking the DDOS attack only by analyzing the communication on a single flow.

10 to 12 are flowcharts illustrating a method of operating a security device according to an embodiment of the present invention. As described above, the method of operating the security apparatus according to an embodiment of the present invention may determine whether the client is normal using only the packet transmitted from the client, without the packet generated by the server. The method of operating a security device according to an embodiment of the present invention may detect whether or not a DDOS attack occurs by using only a packet transmitted from a client, and block it. Due to the fact that only the packet transmitted from the client is used without the packet transmitted from the server, the method of operating the security apparatus according to an embodiment of the present invention may be applied to an asynchronous network or a unidirectional network. As described above, the security device may be a DDOS attack blocking device. A method of operating a security device according to an embodiment of the present invention will now be described with reference to FIGS. 10 to 12. In addition, below, the thing which overlaps with the above-mentioned part is abbreviate | omitted.

In step S101, the communication unit receives a packet transmitted from the client.

In step S102, the blacklist checking unit checks whether the client that has sent the packet corresponds to the blacklist. As described above, step S102 may be performed by interworking with the blacklist database to check whether the IP address of the client that has sent the packet corresponds to the blacklist. As a result of the check, if the client's IP address is blacklisted, step S102 drops the packet. Conversely, if the IP address of the client does not correspond to the blacklist, step S102 transfers control to step S103.

The step S103 is a step of confirming, by the ticket confirming unit, whether the client identified as not being blacklisted through the step S102 is a client having a ticket. Specifically, step S103 may be performed by searching the ticket list database for whether the IP address of the corresponding client exists in the ticket list. If it is confirmed that the IP address of the client exists in the ticket list, control is passed to step S104. Otherwise control passes to step S107.

In step S104, the ticket confirmation unit confirms whether the ticket held by the client (that is, issued to the client's IP address) is a ticket or a temporary ticket. As described above, a method of operating a security device according to an embodiment of the present invention proposes a ticket having a concept of a pass ticket and a concept of a temporary ticket used for verification for ticket issuance. In this case, the temporary ticket is issued to a new session that is determined to be normal, and the method for operating a security device according to an embodiment of the present invention determines whether the client is normal by analyzing a packet transmitted from the client where the temporary ticket is issued. do. As a result of the determination in step S104, when a ticket is issued to the client, control is passed to step S105. Otherwise, control passes to a step S106.

Step S105 is a step of checking whether the client's IP address is an overflow or other attack methods such as attack, hacking, and virus (or abnormal attack method) through the threshold and attack checker. Description of whether the IP address overflows and other attack methods is described in detail with reference to FIG. 6 above, and thus redundant description will be omitted. If it is determined in step S105 that the client is a normal client, a process of updating a ticket issued to the IP address of the client and delivering the first packet to the server is performed. Control then passes to the return block.

In step S106, the authentication IP processing unit performs processing on a packet (i.e., a second packet) transmitted from the client. To this end, step S106 includes checking whether the second packet is an ACK packet, checking sequence information of the second packet, comparing a sequence number of the second packet with a prediction sequence number, and confirming that the ACK number of the second packet is Determining whether it is within a normal range. As a result of the check, if the second packet is an ACK packet and both the sequence number and the ACK number of the second packet are normal, step S106 includes issuing a ticket to the client's IP address and delivering the second packet to the server. . Of course, in step S106, even if it is determined that the second packet is an ACK packet and both the sequence number and the ACK number are normal, an additional verification process for checking whether the corresponding IP address is abnormal may be further performed. Since the description thereof has been mentioned in detail above, redundant descriptions will be omitted. When the second packet is not an ACK packet, when the sequence number or the ACK number of the second packet is determined to be abnormal as a result of the determination through step S106, the number of control sessions is added, and the second packet is performed without further processing. It may include the step of delivering to the server.

The step S107 is performed when the IP address of the client that has sent the first packet does not exist in the ticket list, and the session allowance determination unit compares the number of query sessions received from the clients with the session allowance. The session tolerance is a value that is set to determine whether it is normal for only some of them (i.e., the range the security device can accommodate), not all clients without tickets or temporary tickets. As a result of the determination in step S107, if the number of query sessions exceeds the session tolerance, control is passed to step S108, and a process of dropping the first packet is performed. Otherwise control passes to step S109.

In step S109, the new session determination unit determines whether the client that has transmitted the first packet is a new session. As described above, step S109 may be accomplished by retrieving the client's IP address from the database. For example, step S109 may check whether there is a history of sending a packet from the IP address of the client to the security device, and if there is no history, the client may be determined to be a new session. As a result of the determination, if the client that transmitted the first packet is confirmed as the new session, control is passed to step S111. Otherwise control passes to step S110.

Step S110 is a step of performing an unauthorized IP processing by the unauthorized IP processing unit. As described above, step S110 is operated when a packet is not issued and a client other than a new session is sent a packet, and performs a non-authenticated IP process for the client. Specifically, step S110 compares the number of query sessions with the unauthenticated IP allowance, drops the packet sent from the client when the number of query sessions exceeds the unauthenticated IP allowance, and otherwise performs authentication processing on the client. It may include the step. Here, the unauthorized IP allowance value is set lower than the session allowance value. In addition, the authentication method made through the step S110 may be adopted in various ways, and is not limited to a specific method.

In step S111, the new session processing unit performs processing on a new session. The step S111 includes checking whether the first packet is an ACK packet, calculating a predicted sequence number of the second packet, storing sequence information of the first packet and the predicted sequence number of the second packet, and storing the first packet. It may include delivering to.

And in the above description, it has been described that step S106 is performed regardless of the session tolerance. However, this is only an example and a method in which step S106 is operated after step S107 may be considered.

11 is a flowchart of an authentication IP processing step according to an embodiment of the present invention. As described above, the authentication IP processing step according to an embodiment of the present invention may regard the second packet as a second packet and perform processing when the packet is transmitted from the client where the temporary ticket is issued. In addition, below, the thing which overlaps with the above-mentioned part is abbreviate | omitted.

Step S201 is to check whether the second packet is an ACK packet. Specifically, step S201 may be performed by checking whether the ACK flag is set in the second packet by checking the second packet. If the second packet confirms the ACK packet as a result of the check, then control is passed to step S202. Otherwise control passes to step S206.

In step S202, the sequence information of the second packet is checked. Specifically, step S202 is to confirm the sequence number and the ACK number of the second packet.

In step S203, the sequence number of the second packet is determined to be the same as the predicted sequence number of the second packet calculated through step S111. If it is determined that the sequence number and the prediction sequence number of the second packet are the same, then control is passed to step S204. Otherwise, control passes to a step S206.

Step S204 is a step of determining whether the ACK number of the second packet is within a normal range. Specifically, step S204 is a step of determining whether the ACK number of the second packet is greater than the ACK number of the first packet and less than the sum of the ACK number of the first packet and the MTU. If it is determined that the ACK number of the second packet is within the normal range (that is, the ACK number of the second packet is greater than the ACK number of the first packet and is determined to be smaller than the sum of the ACK number of the first packet and the MTU). Control is passed to step S205. Otherwise control passes to step S206.

In step S205, a ticket is issued to the IP address of the client and the ticket list is updated. In addition, the step S205 may further include determining whether the new ticket is issued to the attack, hacking and virus (or abnormal attack method).

Step S206 is a step of delivering the second packet to the server. Thereafter, control passes to step S101, and the process described with reference to FIG. 10 is performed again.

Further, in the above description, through steps S201, S203, and S204, and in the above description, when the second packet is not an ACK packet, when the predicted sequence number and the actual sequence number of the second packet are different, or When the ACK sequence range of 2 packets is out of the normal range, the second packet is delivered to the server without any additional processing. However, this is merely an example, when the second packet is not an ACK packet, when the predicted sequence number is different from the actual sequence number of the second packet, or when the ACK sequence range of the second packet is out of the normal range. The method may further include performing a preset authentication mechanism for the terminal, and determining whether to deliver the second packet based on a result of the authentication mechanism.

12 is a flowchart of a process of processing a new session according to an embodiment of the present invention. As mentioned above, the step of processing a new session is performed when a first packet is sent from a client for which no ticket or temporary ticket has been issued, the number of query sessions does not exceed the session tolerance, and the client is determined to be a new session.

In step S301, it is determined whether the first packet transmitted by the client is an ACK packet. Similar to step S201, step S301 may be performed by checking whether an ACK flag is set in the first packet. If it is determined that the result is an ACK packet, then control is passed to step S302. Otherwise control passes to step S304.

In step S302, the sequence information of the first packet is checked, and the predicted sequence number of the second packet is calculated based on the sequence information. Specifically, step S302 is a step in which the client predicts the sequence number of the second packet to be transmitted later by adding the sequence number of the first packet and its data length.

In step S303, the sequence information of the first packet and the predicted sequence number of the second packet calculated in step S302 are stored in a database.

Step S304 is a step of delivering the first packet to the server. Thereafter, control passes to step S101, and the process described with reference to FIG. 10 is performed again.

The teachings of the present principles can be implemented as a combination of hardware and software. In addition, the software may be implemented as an application program that is actually implemented on the program storage unit. The application can be uploaded to and executed by a machine that includes any suitable architecture. Preferably, the machine may be implemented on a computer platform having hardware such as one or more central processing units (CPU), computer processor, random access memory (RAM), and input / output (I / O) interfaces. . In addition, the computer platform may include an operating system and micro instruction code. The various processes and functions described herein may be part of micro instruction code or part of an application program, or any combination thereof, and they may be executed by various processing apparatus including a CPU. In addition, various other peripheral devices such as additional data storage and printers may be connected to the computer platform.

Since some of the configuration system components and methods shown in the accompanying drawings are preferably implemented in software, the actual connections between the system components or process functional blocks may vary depending on how the principles of the invention are programmed. It should be further understood. Given the teachings herein, one of ordinary skill in the pertinent art will be able to contemplate these and similar implementations or configurations of the present principles.

Although illustrative embodiments have been described herein in connection with the accompanying drawings, the principles of the invention are not limited to these precise embodiments, and various changes and modifications may be made without departing from the scope or spirit of the principles of the invention. It should be understood that it may be performed by those skilled in the art. All such changes and modifications are intended to be included within the scope of the principles of the invention as set forth in the appended claims.

As described above, the best embodiment has been disclosed in the drawings and the specification. Although specific terms have been used herein, they are used only for the purpose of describing the present invention and are not used to limit the scope of the present invention as defined in the meaning or claims. Therefore, those skilled in the art will understand that various modifications and equivalent other embodiments are possible from this. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

100: security device 110: blacklist inspection unit
120: ticket confirmation unit 130: threshold and attack detection unit
140: packet analysis unit 150: session allowance determination unit
160: new session processing 170: authentication IP processing unit
180: unauthenticated IP processing unit

Claims (22)

A security device connected to a server in an asynchronous network.
A ticket list database including a ticket list in which an IP address where a ticket is issued is stored;
A ticket confirmation unit that receives a first packet from a client and determines whether an IP address of the client that has transmitted the first packet exists in the ticket list;
A new session determination unit determining whether the client is a new session when the IP address of the client does not exist in the ticket list;
When the client is a new session, it is determined whether the first packet is an ACK packet, and when it is determined that the first packet is an ACK packet, prediction of a second packet to be transmitted later by the client based on sequence information of the first packet. A new session processor for calculating a sequence number, wherein the sequence information of the packet includes a sequence number, an ACK number, and a data length of the packet; And
When the second packet is received from the client, it is determined whether the second packet is an ACK packet, and when it is determined that the second packet is an ACK packet, the sequence information of the second packet and the prediction sequence number of the second packet are used. And determining whether the client is normal, and authenticating the client to issue a ticket to the IP address of the client when the client is determined to be a normal client.
The method of claim 1,
In the network, a packet transmitted from the client is delivered to the server through the secure device, and a packet generated at the server is delivered to the client without passing through the secure device. The method of claim 1,
The authentication IP processing unit,
And comparing the sequence number of the second packet with the prediction sequence number of the second packet to determine whether the sequence number of the second packet and the prediction sequence number of the second packet are the same. The method of claim 3,
The authentication IP processing unit,
If the sequence number of the second packet and the prediction sequence number are the same, the ACK number of the second packet is greater than the ACK number of the first packet and is greater than the sum of the ACK number of the first packet and the maximum transmission unit (MTU). Determining whether the client is a normal client when the ACK number of the second packet is greater than the ACK number of the first packet and less than the sum of the ACK number of the first packet and the MTU. . The method of claim 1,
And the new session processing unit calculates the predicted sequence number of the second packet by adding the sequence number of the first packet and the data length. The method of claim 1,
The size of the authentication IP tunnel through which the traffic of the network is communicated according to the security device is larger than the size of the unauthorized IP tunnel, and the new session processor delivers the first packet to the server through the unauthorized IP tunnel. Security device. The method of claim 6,
And when the ticket is issued to the IP address of the client, the ticket confirmation unit transmits a packet received from the client to the server through the authentication IP tunnel. The method of claim 1,
And a session allowance determining unit which compares the number of query sessions received from a plurality of clients and the session allowance when the IP address of the client does not exist in the ticket list.
The method of claim 8,
And the session allowance determining unit drops the first packet when the number of query sessions exceeds the session allowance, and the new session determination unit is operated when the number of query sessions is less than or equal to the session allowance. The method of claim 1,
The new session processor issues a temporary ticket to the client's IP address and updates the ticket list when the client is a new session, and the authentication IP processor receives the second packet from the client on which the temporary ticket was issued. And determining whether the client is normal. The method of claim 1,
At least one of whether the IP address is overflowing and whether the IP address is under attack when a ticket is issued to the IP address of the client that has sent the first packet And a threshold and an attack checker for dropping the first packet and adding the client's IP address to the blacklist when it is determined that the client's IP address is abnormal. A method of operating a security device connected to a server in an asynchronous network.
Receiving, by the ticket confirmation unit, a first packet from a client, and determining whether an IP address of the client that has transmitted the first packet exists in a ticket list in which an IP address for which a ticket is issued is stored;
Determining, by the new session determining unit, whether the client is a new session when the IP address of the client does not exist in the ticket list;
The new session processor determines whether the first packet is an ACK packet when the client is a new session, and when the client determines that the first packet is an ACK packet, the client subsequently transmits the packet based on the sequence information of the first packet. Calculating a predicted sequence number of the second packet to be performed, wherein the sequence information of the packet includes a sequence number of the corresponding packet, an ACK number, and a data length;
When the authentication IP processing unit receives the second packet from the client, it is determined whether the second packet is an ACK packet, and when it is determined that the second packet is an ACK packet, the sequence information of the second packet and the second packet. Determining whether the client is normal by using a predicted sequence number of; And
And issuing a ticket to the IP address of the client when the client is determined to be a normal client by the authentication IP processing unit. The method of claim 12,
In the network, a packet transmitted from the client is delivered to the server through the security device, and the packet generated at the server is delivered to the client without passing through the security device. The method of claim 12,
Determining whether the client is normal,
And comparing the sequence number of the second packet with the prediction sequence number of the second packet to determine whether the sequence number of the second packet and the prediction sequence number of the second packet are the same. How the device works. The method of claim 14,
Determining whether the client is normal,
If the sequence number of the second packet and the prediction sequence number are the same, determining whether the ACK number of the second packet is greater than the ACK number of the first packet and less than the sum of the ACK number of the first packet and the MTU. ; And
And determining the client as a normal client when the ACK number of the second packet is greater than the ACK number of the first packet and smaller than the sum of the ACK number of the first packet and the MTU. Method of operation. The method of claim 12,
The calculating of the predicted sequence number of the second packet is performed by adding the sequence number and the data length of the first packet. The method of claim 12,
The size of the authenticated IP tunnel through which the traffic of the network is communicated according to the security device is larger than that of the non-authenticated IP tunnel,
And after calculating the predicted sequence number of the second packet, transmitting, by the new session processor, the first packet to the server through the unauthenticated IP tunnel. Way. The method of claim 17,
And when the ticket is issued to the client's IP address by the ticket confirmation unit, transmitting a packet received from the client to the server through the authentication IP tunnel. Way. The method of claim 12,
And comparing, by the session allowance determining unit, the number of query sessions received from a plurality of clients and the session allowance when the IP address of the client does not exist in the ticket list. . The method of claim 19,
Comparing the number of session attempted sessions with a session tolerance further includes dropping the first packet when the number of query sessions exceeds the session tolerance, and determining whether the client is a new session comprises: querying And when the number of sessions is less than or equal to the session allowance. The method of claim 12,
If the client is a new session, further including issuing, by the new session processing unit, a temporary ticket to the IP address of the client and updating the ticket list,
The determining of whether the client is normal is performed when the second packet is received from the client for which the temporary ticket has been issued. The method of claim 12,
When the ticket is issued to the IP address of the client that has sent the first packet as a result of the check by the threshold and attack checking unit, at least one of whether the IP address is overflowing and the IP address is under attack. Examining one;
And dropping the first packet when it is determined that the IP address of the client is abnormal, and adding the IP address of the client to the blacklist.

Images