KR101077136B1 - IP filtering method for countering DDoS attacks based on history - Google Patents

Abstract

A history based DDoS response method is disclosed. (a) recording the number of source IP addresses that access the destination IP address, (b) comparing the number of source IP addresses per destination IP address with a first threshold, (c) the source IP address of Specifying the destination IP address whose number is greater than or equal to the first threshold; (d) recording the number of the source IP addresses that access the specified destination IP address; (e) accessing the specified destination IP address. Comparing the number of source IP addresses with a second threshold; (f) determining that a DDoS attack is initiated against the specified destination IP address if the number of source IP addresses is greater than or equal to the second threshold; and (g) The history-based DDoS correspondence method comprising assigning the stored source IP address a high priority for accessing the specified destination IP address. Sampling reduces the set of monitored IP addresses, reduces memory size, and effectively protects existing connections.

DDoS, History, Sampling, Memory.

Description

IP filtering method for countering DDoS attacks based on history}

The present invention relates to an electronic device, and more particularly, to a history-based DDoS response method.

Denial of service (DoS) attacks are malicious attempts to disrupt services provided by a network or server. Nowadays, DoS attacks have been enhanced with distributed denial of service (DDoS) attacks by using thousands of zombie PCs via botnets. Many defense mechanisms have been proposed to defend against DDoS attacks, but recently, the attacks are difficult to defend because they are similar to normal traffic.

Historically, the history-based DDoS attack response algorithm manages whitelisted IPs that have been accessed for a few days or more in recent months. When a DDoS attack is received from multiple IPs at a given time, It is an algorithm that allows access by giving high priority to the white list with existing access records and filtering packets from IP that is first generated in DDoS attack situation.

In addition, if a small number of devices perform a DDoS attack on a particular server, the IP address of the attacking device can be detected relatively easily without managing the flow status. On the other hand, if a large number of devices participate in a DDoS attack, the IP address carrying out the DDoS attack is almost invisible to the Web site before, so it is malicious to observe whether the sudden increase in IP address has normally existed on that Web site before. IP address can be detected. According to the prior art, a method of detecting a DDoS attack by monitoring whether the new IP address has increased based on the above-described observation scheme is proposed.

However, according to the prior art, the history-based countermeasure is very easy to bypass from the attacker's point of view. In other words, there is a problem that it is possible to bypass the defense sufficiently by sending a packet before generating a full-scale DDoS attack. In addition, according to the related art, since memory is not taken into consideration, it is very difficult to manage information on a flow-by-flow basis for a high-speed link or a high profile website.

In addition, according to the related art, when the number of client terminals increases during a DDoS attack, most client terminals have new IP addresses not seen before, and based on these observations, an IP history database is used. However, the prior art requires a state management for each flow, which is a problem that cannot be used in an edge router because the computation is complicated and requires excessive memory.

The background art described above is technical information possessed by the inventors for the derivation of the present invention or acquired during the derivation process of the present invention, and is not necessarily a publicly known technique disclosed to the general public before the application of the present invention.

The present invention is to provide a history-based DDoS response method that can protect the network by assigning different priorities to the existing flow and the new flow based on the IP history information.

In addition, in the present invention, since a device subjected to a DDoS attack is accessible by many devices, even if a small number of packets are detected through sampling, the device is monitored through sampling at the first stage by using a point that can easily detect a damaged device. It is intended to provide a history-based DDoS countermeasure that can reduce the set of IP addresses, reduce memory size, and effectively protect existing connectivity.

In addition, the present invention can reduce processing and memory requirements by adjusting the amount of traffic monitored through sampling, in particular by monitoring only hosts accessible by many external IP addresses, focusing on the protection of a given subnetwork, It is to provide a history-based DDoS response method that can avoid the state management for each flow.

Technical problems other than the present invention will be easily understood through the following description.

According to one aspect of the invention, (a) recording the number of source IP address to access the destination IP address; (b) comparing the number of source IP addresses per destination IP address with a first threshold; (c) specifying the destination IP address whose number of source IP addresses is greater than or equal to the first threshold; (d) recording the number of source IP addresses that access the specified destination IP address; (e) comparing the number of source IP addresses that access the specified destination IP address with a second threshold; (f) determining that a DDoS attack is initiated against the specified destination IP address if the number of source IP addresses is greater than or equal to the second threshold and (g) accessing the specified destination IP address to the stored source IP address. There is provided a history based DDoS countermeasure method comprising the step of assigning a high priority.

Here, in step (a) and step (d), the corresponding value of the destination IP address and the source IP address may be converted into a hash value and stored.

In addition, in step (a) and step (d), the source IP address may be registered in a bloom filter, and the bloom filter may be shared for different destination IP addresses.

Here, the step (d), the bloom filter includes a timer for determining the presence or absence of packets transmitted between the target IP address and the source IP address for a predetermined time interval, the target IP during the time interval If there is no packet transmitted between the address and the source IP address, it may be determined that the connection between the destination IP address and the source IP address is lost.

The second threshold may be greater than the first threshold, and the destination IP address may be an IP address of a terminal connected to the edge router.

According to another aspect of the present invention, in order to perform the above history-based DDoS corresponding method, a program of instructions that can be executed by a digital processing apparatus is tangibly embodied, and a recording medium recording a program that can be read by the digital processing apparatus. May be provided.

Other aspects, features, and advantages other than those described above will become apparent from the following drawings, claims, and detailed description of the invention.

The history-based DDoS response method according to the present invention has an effect of protecting a network by assigning different priorities to existing flows and new flows based on IP history information.

In addition, in the present invention, since a device subjected to a DDoS attack is accessible by many devices, even if a small number of packets are detected through sampling, the device is monitored through sampling at the first stage by using a point that can easily detect a damaged device. This reduces the set of IP addresses, reduces memory size, and effectively protects existing connections.

In addition, the present invention can reduce processing and memory requirements by adjusting the amount of traffic monitored through sampling, in particular by monitoring only hosts accessible by many external IP addresses, focusing on the protection of a given subnetwork, There is an effect that the state management for each flow can be avoided.

As the invention allows for various changes and numerous embodiments, particular embodiments will be illustrated in the drawings and described in detail in the written description. However, this is not intended to limit the present invention to specific embodiments, it should be understood to include all changes, equivalents, and substitutes included in the spirit and scope of the present invention.

Terms including ordinal numbers such as first and second may be used to describe various components, but the components are not limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as the second component, and similarly, the second component may also be referred to as the first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. As used herein, the terms "comprise" or "have" are intended to indicate that there is a feature, number, step, action, component, part, or combination thereof described on the specification, and one or more other features. It is to be understood that the present invention does not exclude the possibility of the presence or the addition of numbers, steps, operations, components, components, or a combination thereof.

In the following description of the present invention with reference to the accompanying drawings, the same components are denoted by the same reference numerals regardless of the reference numerals, and redundant explanations thereof will be omitted. In the following description of the present invention, if it is determined that the detailed description of the related known technology may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted.

1 is a network diagram including a history-based DDoS detection apparatus according to an embodiment of the present invention. Referring to FIG. 1, an attacker 110, an external user 120, a network 130, a router 140, a server 150, and an internal user 160 are shown.

This embodiment is characterized by being able to prevent DDoS attacks while efficiently using memory by performing two steps. The present invention uses an IP history database to correspond to a new IP address appearing during a DDoS attack. In order to distinguish a DDoS attack flow from a normal flow, in the present specification, the IP history database is referred to as 'LEA' (List of Existing IP Addresses). Refer to.

The DDoS defense mechanism according to the present embodiment may include the following two steps. In the first step, to reduce the memory size for the LEA, sampling selects an internal IP address with many external connections. In the second step, the LEA is recorded and stored only for the IP address selected in the first step. After the LEA is created, if the number of external IP addresses accessing a specific internal IP address exceeds a preset threshold, it is considered a DDoS attack, and the current connection has a higher priority than a new connection attempt based on the information of the pre-stored LEA. .

The attacker 110 and the external user 120 may be connected to the wired / wireless network 130 and may be connected to the server 150 and the internal user 160 via the router 140. The attacker 110, the external user 120, the server 150, and the internal user 160 refer to terminals that can communicate. Server 150 and internal user 160 are referred to as having an internal IP address to distinguish them from attacker 110 and external user 120 because they connect to router 140 and thereby connect to network 130. . Here, the router 140 may be an edge router.

The history-based DDoS detection apparatus according to the present embodiment may be applied to edge routers, DDoS-dedicated equipment, and the like, and may be applied to inbound traffic flowing into the internal system because the purpose is to protect the internal system.

The first step of this embodiment is to apply the history-based correspondence module to all the incoming traffic is inefficient because of the large amount of computation and the size of data to be managed, it is applied to reduce the amount of data. In addition, the second step of the present embodiment creates and manages a list of source IP addresses that are conventionally accessed only for the destination IP address sampled in the first step. The two steps are described in detail below.

2 is a block diagram of a history-based DDoS detection apparatus according to an embodiment of the present invention. 2, a first connection state table 141, a first bloom filter 142, a second connection state table 143, a second bloom filter 144, a storage unit 145, and a controller 146. Is shown.

In the first step according to this embodiment, each packet is classified into a pair of source IP address and destination IP address, which is converted into a uniform random hash value to detect whether a DDoS attack has occurred on the sampling packets.

The first connection state table 141 is managed for the sampled packets. The first bloom filter 142 may be used to manage the first connection state table 141. For a destination IP address in the first connection state table 141 where the number of source IP addresses exceeds the first threshold, the second step is passed. Information managed in the first connection state table 141 may be the number of source IP addresses introduced per unit time for each destination IP address.

The purpose of the first step according to the present embodiment is not to analyze all packets in incoming traffic analysis, but to view sampled packets and not to analyze all destination IP addresses. It is to apply DDoS response function to the system. If the number of source IP addresses corresponding to the specific destination IP address exceeds the first threshold, all the corresponding data is deleted from the first connection state table 141, and the destination IP address is the second connection state managed in the second step. The table 143 is moved. Of course, the corresponding destination IP address of the first connection state table 141 may be stored and used in the second connection state table 143.

In addition, the second step according to the present embodiment is performed for the destination IP address passing through the first step. In the second step, the second connection state table 143 is managed for the target IP address, and the managed information may be the number of connected source IP addresses for each target IP address and a timer for each source IP address.

The timer may be provided in the second bloom filter 144 and set to R, which is a preset time when a new source IP address is introduced or a previously introduced source IP address is introduced again. When the timer is decremented by 1 per specific time and becomes 0, the corresponding source IP address is deleted from the second bloom filter 144. That is, if there is no traffic inflow for R time from a specific source IP address, the corresponding IP is deleted.

In the second connection state table 143, the number of connected source IP addresses for each destination IP address is managed. If a source IP address occurs that exceeds the second threshold, this indicates that a DDoS attack has occurred for the corresponding destination IP address. You can judge. At this time, the packet at the source IP address managed as many as the second threshold is set to be processed with high priority even in the DDoS attack situation, and the newly connected source IP address at the line exceeding the second threshold is existing. Because it is new without access, it can be predicted by the traffic newly generated by DDoS attack. Therefore, the newly introduced packet of the source IP address is given a low priority to be processed.

Also, the second threshold is a criterion to consider that a DDoS attack has occurred when the number of source IP addresses in the specific destination IP address exceeds the threshold. The third threshold, on the contrary, refers to a criterion for which the number of source IP addresses is significantly reduced and does not need to be managed in the second connection state table 143. If the number of source IP addresses occurs below the third threshold, it is regarded as a normal situation, and all data regarding the corresponding destination IP address may be deleted from the second connection state table 143.

The first connection state table 141, the first bloom filter 142, the second connection state table 143, and the second bloom filter 144 may be managed by the controller 146. The controller 146 may perform functions such as information input, modification, and deletion for managing the table and the bloom filter. In addition, according to another embodiment of the present invention, the table management module and the bloom filter management module may be separately provided to perform the above-described functions of the controller 146 in such a module. The first connection state table 141, the first bloom filter 142, the second connection state table 143, the second bloom filter 144, and the controller 146 may be separately inside or outside the router 140. It may be implemented in hardware or software. The storage unit 145 stores the variables according to the present embodiment, for example, the first to third threshold values, and the control unit 146 may access the storage unit 145 to extract and use necessary information.

3 is a flowchart of a history-based DDoS correspondence method according to an embodiment of the present invention. The flowchart described below may be a flowchart of a method performed by the history-based DDoS detection apparatus described above.

When the packet flows from the source IP address to the destination IP address in step S310, the number of source IP addresses that access the destination IP address is recorded in step S320.

In step S330, the first process described above is performed by comparing the number of source IP addresses per destination IP address with a first threshold, and extracting a specific destination IP address whose number of source IP addresses is greater than or equal to the first threshold in step S340.

In step S350, in order to perform the above-described second process, the number of source IP addresses that access the specified destination IP address is recorded, and in step S360, the number of source IP addresses that access the specified destination IP address is obtained. Compare with 2 thresholds.

In step S370, when the number of source IP addresses is greater than or equal to the second threshold, it is determined that a DDoS attack is initiated for the specified destination IP address. In step S380, a high priority for accessing the destination IP address specified in the stored source IP address is determined. By doing so, it can respond to DDoS attacks. Hereinafter, two steps for DDoS correspondence as described above will be described in detail.

4 is a structural diagram of a table managed in a first step of a history-based DDoS correspondence method according to an embodiment of the present invention.

In the first step, source and destination IP address pairs (SrcIP, DstIP) of arriving packets are sampled. The (SrcIP, DstIP) pair is sampled using a predetermined sampling probability P _S. h _p is defined as a uniform random hash function that maps (SrcIP, DstIP) to [0, 1). If s and d are the source and destination IP addresses of the arriving packet, then if h _p (s, d) < P _S, then the IP address pair (s, d) is sampled.

In the first step according to this embodiment, as shown in FIG. 4, the first connection state table T ₁ and the first bloom filter B ₁ are managed. The first connection state table T ₁ counts the number of IP addresses that access the specific destination IP during the preset time interval I ₁ . To protect internal nodes from DDoS attacks, only internal IP addresses are considered for the destination IP address in T ₁ . COUNT1 (d) counts the number of IP addresses that access the sampled destination address d. In order to check whether the sampled source IP address has been counted, each sampled source IP address is registered with the first bloom filter B ₁ , and as shown in FIG. 4B, the first bloom filter B _1. ) Is M ₁ bits long and has k hash functions. The present embodiment uses a bloom filter to reduce the memory size, and in order to increase the efficiency of the limited memory space, the first bloom filter B ₁ is shared between different destination IP addresses. If the first bloom filter (B ₁ ) collides, the number of IP addresses approaching COUNT1 (d), that is, (d) can be measured small, so that the size of the first bloom filter (B ₁ ), i.e., M ₁ must be large enough to reduce the probability of collision.

If the value of COUNT1 (d) is greater than the preset first threshold value N ₁ , the IP address d is determined to be attacked, and for d during the second phase until the DDoS attack is actively initiated. The LEA is created. COUNT1 (d) only counts sampled source addresses that approach d. Therefore, according to this embodiment, when COUNT1 (d) = N ₁ , the total number of IP addresses actually accessing d becomes N ₁ / P _S on average.

Before considering the second step, the collision of the first connection state table T ₁ will be described. When the first packet from the source address s to d arrives at the router including the DDoS detection apparatus according to the present embodiment, the connection information for the destination address d is determined in the first connection state table T ₁ . Stored in row h _a (d). Where h _a (d) is a uniform random hash function. When the destination address d ₁ is mapped to a row r by the hash function h _a , if another address d ₂ is stored in that row, this kind of contention would conflict in the first linked state table T _1. It is referred to as. This kind of collision occurs with a negligible probability and can have a serious impact on the defense system, so entry management policies are very important in the event of a collision.

According to this embodiment, the entry of the first connection state table T ₁ is managed as follows. IP addresses linked to many IP addresses may be subject to a DDoS attack and therefore need to be maintained in the first connection state table. Therefore, according to the present embodiment, contention of the first connection state table T ₁ is managed in the following manner. That is, if the new IP address d _n reaches a row where another IP address d _o is stored, if COUNT1 (d _o )> 1, then the entry is retained for the old IP address d _o , and if COUNT1 (d _o ) = 1 If so, the new IP address is stored in the entry instead of the old IP address.

If the IP address d is selected in the first step because the value of COUNT1 (d) is greater than N ₁ , the IP address d is likely to be the target of the DDoS attack. However, since the first first threshold N ₁ is generally too small to be used for DDoS detection, this probability cannot reliably detect a DDoS attack at this level. The first first threshold N ₁ is used to filter destination IP addresses accessed by only a small number of IP addresses, which are less likely to be subject to DDoS attacks. Therefore, in the second step according to the present embodiment, when a DDoS attack occurs, the list of IP addresses allowed to access internal IP addresses selected in the first step, that is, LEA, is recorded.

For destination IP addresses not selected in the first step, no traffic restrictions will apply because of the small number of IP addresses being accessed. For the destination IP address selected in the first step, the following traffic control is applied when a DDoS attack occurs. If the number of IP addresses accessing the internal IP address is greater than the second threshold N ₂ , the internal IP address is determined to be subject to a DDoS attack, and packets from IP addresses in the LEA come from other IP addresses. It has a higher priority than a packet. Where N ₂ is greater than N ₁ / P _S. Packets coming from the new IP address are either serviced at a lower priority or discarded if excessive load occurs. Therefore, the edge router having the defense system according to the present embodiment can control the acceptance of the packet by limiting the number of external IP addresses associated with the internal IP address based on the LEA information. If, when the number of IP addresses to access a particular internal IP address is less than N _2, the new IP address, until the number of the external IP address that is connected equal to N ₂ again may be registered with the LEA. If the number of external IP addresses is smaller than the third threshold N ₃ (= N ₁ / P _S ), it is determined that the corresponding internal IP addresses are not subjected to DDoS attacks, and the LEA for these IP addresses is further determined. No longer managed.

5 is a structural diagram of a table managed in a second step of the history-based DDoS correspondence method according to an embodiment of the present invention.

Hereinafter, the management method for the LEA will be described in more detail. In the second step, the second connection state table T ₂ and the second bloom filter B ₂ are managed as shown in FIG. 5. The second connection state table T ₂ records the number of external IP addresses currently connected with each internal IP address selected in the first step. COUNT2 (d) counts the number of IP addresses currently accessing internal IP address (d). A field D of 1 bit size is initially written as 0, and is 1 when a DDoS attack is detected for a corresponding internal address. COUNTp (d) maintains the old value of COUNT2 (d), and its usage is described in detail below when modifying COUNT2 (d). To reduce the memory size, an external IP address that accesses a particular internal IP address is registered and managed in the second bloom filter B2. To further reduce the memory size, B ₂ is shared among all internal IP addresses selected in the first step, so the second bloom filter B ₂ manages the LEA for the selected internal IP address. The main difference between B ₁ and B ₂ is that different timers are allocated for each bit for B ₂ as shown in FIG. 5 (b). TIMER (i) represents the timer assigned for the i th bit in the second bloom filter B ₂ of M ₂ bits. The A (i) field records the arrival of a packet from an external IP address using the i th bit in B ₂ for a given time interval. The value of A (i) is used to modify COUNT2 (d), which will be described in detail below. According to the present embodiment, if there is no packet transmitted between specific pairs of IP addresses during a predetermined time interval, it is determined that the pair of IP addresses is disconnected. The timer of the second bloom filter B ₂ is thus used to monitor the connection between the internal and external IP address pair.

The function of the timer will be described in more detail as follows. k ₂ is the number of hash functions used for the second bloom filter B ₂ , and h _i represents the i th hash function used for B ₂ . When the internal IP address (d) is selected in the first step and registered with T ₂ , if the router detects the first packet from the new source address s' to d, the value of COUNT2 (d) is increased by one and , K ₂ bit position corresponding to h _i (s ') (i = 1,2, ..., k ₂ ) of B ₂ is set to 1, and a timer (TIMER (h _i (s'))) (i = 1, 2, ..., k2)) is set to the constant R. The value of each timer is periodically decremented by one in the interval I _T. Thus, if at least one timer for a given external IP address is reduced to zero after (R-1) x I _T time (e.g., seconds), the bit value corresponding to the exhausted timer is changed to zero and s 'Is considered to be disconnected from d. If a new packet from s 'to d arrives before the timer runs out, the timer corresponding to the hash value of s' is set back to R. The detailed values for R and I _T may be set in consideration of the inter-packet arrival pattern of the normal flow.

According to the conventional analysis, the world wide web (WWW) traffic showed self-similarity, and the silence time in the ON / OF pattern of the web traffic was mainly influenced by the user's thinking time, which resulted in a heavy tail. -tailed) show distribution. In addition, the time between HTTP packet arrivals shows a long-tailed distribution, but the ratio of time between packet arrivals of 2 seconds or more is somewhat lower, which is 3% or less. Therefore, according to the present embodiment, if there is no packet exchange between the pair of nodes for 300 seconds, the connection between the pair of nodes is considered to be disconnected. Since the external IP address must be maintained at B ₂ for at least 300 seconds, (R-1) x I _T must be at least 300 seconds on the second bloom filter B ₂ . In order to reduce the memory size of the timer, at least three bits are allocated to R, and R is set to seven. If I _T is set to 50 seconds, (R-1) × I _T is 300 seconds. These values of R and I _{T become} initial setting variables of the present invention.

According to this embodiment, it is important to keep the value of COUNT2 (d) consistent with the IP addresses present in the second bloom filter B ₂ even after the timer runs out. Assume that B ₂ correctly manages the external IP address currently accessing the internal IP address d. If COUNT2 (d) records a large number of external IP addresses currently connected to d if the timer exhaustion result has not yet been reflected, the defense system according to the present embodiment will operate conservatively. Even if the utilization of the link or internal node is rather low due to this malfunction, the internal node d will be protected from DDoS attack. On the other hand, if COUNT2 (d) records a small number of external IP addresses that are currently accessing d, then the ongoing DDoS attack will not be detected because the value of COUNT2 (d) is small and node d will not be able to detect DDoS attacks. Will not be protected. Therefore, you need to make sure that COUNT2 (d) does not record the current number of connections small.

6 is a diagram illustrating a method of modifying a table of a history-based DDoS detection apparatus according to an embodiment of the present invention. Here, a method of managing COUNT2 (d) according to this embodiment is shown.

Each time a new external IP address s '' approaches internal IP address d, the value of COUNT2 (d) is decremented by one. At the same time s '' is registered in the second bloom filter B ₂ , the timer corresponding to the hash value of s '' is set to R, and the values of A corresponding to the same hash value are set to one. The values of all As become zero in (R-1) × I _T. Referring to FIG. 6, this boundary line is shown by the dashed-dotted line. Therefore, the A value is recorded even if a new packet is transmitted from an existing or new external IP address during (R-1) x I _T period.

To prevent COUNT2 (d) from recording a small number of IP addresses currently associated with d, the value of COUNT2 (d) is increased as soon as a new external IP address is detected to access d, but disconnected from the current interval. The status is reflected only at the end of the current section in the following way. When ten new external IP addresses are detected in the j th interval, if all addresses send only one packet, the timer for all these addresses will be expired in the j + 1 th interval, the connection between them and d Is considered broken. When the j + 1th interval starts, COUNTp (d) is set to the number of IP addresses associated with d at the end of the jth interval, and is maintained for that interval. IP addresses counted in COUNTp (d) are subtracted from COUNT2 (d) at the beginning of the j + 2th interval, which means that if no packets are generated from these IP addresses, the corresponding timers are j + 1th intervals. Because they must be exhausted. The value of COUNTp (d) is set to the newly calculated COUNT2 (d) at the start of each section. If the IP address arrived before j + 1 section transmits a new packet to d in j + 1 section, the duration of the connection is extended by at least (R-1) × I _T , so COUNT2 (d) Increases immediately upon packet arrival. This case corresponds to s ₂ in FIG. 6. If the value of COUNT2 (d) is managed in this way, i.e., to raise the value immediately and reflect the decrease later, COUNT2 (d) can be kept not smaller than the actual IP value as shown in FIG. .

7 is a diagram illustrating an algorithm for implementing a history-based DDoS correspondence method according to an embodiment of the present invention. The DDoS detection and control method according to the present embodiment may be implemented as shown in FIG. 7, but in addition, various other algorithms for implementing the above-described features of the present invention may be implemented.

If COUNT2 (d)> N ₂ , the current flow registered in the LEA, that is, B _2, is serviced at a higher priority than the new flow. When a new packet arrives from the IP address s _m of the malicious nodes, if any bit value corresponding to the hash value of s _m are already set to 1 by the other IP addresses present in B _2, which collisions in B ₂ It is determined that this flow is serviced at a higher priority. Therefore, the size of the filter beulrom B ₂ is required to be sufficiently large to avoid a conflict.

If R _T2 is the number of rows in the second link state table T ₂ of FIG. 5, since no more addresses are allowed if the value of COUNT2 is greater than N ₂ for each internal IP address in T ₂ , The two bloom filter B ₂ can only accept R _T2 × N ₂ external IP addresses. k ₂ is the number of hash functions used for B ₂ . After inserting n 'IP addresses into a bit vector of M ₂ size, the probability that a particular bit is still zero is (1-1 / M ₂ ) ^{k 2n'} . If the new external IP address sees 1 at the position of every bit pointed to by k ₂ hash functions, a bloom filter collision occurs. The collision probability of the source IP address arriving after the (R _T2 N ₂ ) th address is as follows.

(1)

(One)

인 경우 다음과 같이 최소화된다. The right side of equation (1) is

Is minimized as follows.

(2)

(2)

According to equation (2), k ₂ must be greater than or equal to 7 to keep the collision probability less than 1%. Therefore, according to the present embodiment, k ₂ is set to 7, in which case M ₂ is expressed as follows using R _T2 and N ₂ .

(3)

(3)

The size of M ₂ can also be determined in a similar manner.

8 is a diagram illustrating a network configuration and simulation results for a history-based DDoS response method according to an embodiment of the present invention. Hereinafter, the OPNET simulation result for evaluating the method according to the present embodiment will be described.

로 주어진다. 변수들은 α_ON= 1.2, α_OFF =1.5, k_ON =0.167 및 k_OFF = 10이다. 평균적인 on과 off 기간은 각각 1과 30초이다. 주기 동안, 일정하게 1.55 Mbps로 500 바이트 패킷을 전송한다. 하나의 플로우의 평균 속도는 50 Kbps이다. 본 실험에서, 공격자 Z1의 수는 4000이며, 따라서 공격 트래픽의 평균 속도는 200 Mbps이고, 이는 R1과 R2간의 링크 레이트보다 훨씬 크다. 공격 대상 서버 U는 10개이고, 내부 유저 V는 100개이며, 공격 대상 서버에 접속하는 정상 클라이언트 Z2는 200개이고, 내부 사용자 Z3에 접속하는 외부 사용자는 200개이다. Here, we test how well the current traffic can be protected during DDoS attack, and measure the ratio of traffic transmitted successfully, that is, throughput. 8 (a) shows the network structure for the simulation. The proposed DDoS detection device is used for edge router R1. The Z2 client accesses server U, which Z1 then attacks. External user Z3 is connected to internal user V before the DDoS attack. In case of a bandwidth congestion attack, all traffic from the external network passes through a single link between R1 and R2, which has a link rate of 100 Mbps. In order to examine the method when the attack traffic pattern is not distinguished from the normal traffic pattern, the attack and the normal traffic are modeled by using on-off traffic, which has Pareto distributions on and off time. The probability density function

Is given by The variables are α _ON = 1.2, α _OFF = 1.5, k _ON = 0.167 and k _OFF = 10. Average on and off durations are 1 and 30 seconds respectively. During the period, 500 byte packets are constantly transmitted at 1.55 Mbps. The average speed of one flow is 50 Kbps. In this experiment, the number of attackers Z1 is 4000, so the average speed of attack traffic is 200 Mbps, which is much higher than the link rate between R1 and R2. The target server U is 10, the internal user V is 100, 200 normal clients Z2 are connected to the target server, and 200 external users are connected to the internal user Z3.

이다. 본 실험에서는, R_T1 = 50, R_T2 = 20, N₁ =3, N₂ = 50이다. 이 경우 필요한 메모리 크기는 2KB보다 작다.8 (b) is a diagram comparing the throughput implemented by the defense method according to the present embodiment with the throughput obtained by the FIFO queue without defense system. The DDoS attack was performed for 900 seconds, and referring to FIG. 8 (b), it can be seen that much more throughput is maintained by the defense system according to the present embodiment. In addition, although the defense system according to the present embodiment has not been subjected to the DDoS attack, it can be seen that the user in the same subnetwork as the target node can be more effectively protected. If R _T1 and R _T2 refer to the number of rows of T ₁ and T ₂ , the total memory size required is

to be. In this experiment, R _T1 = 50, R _T2 = 20, N ₁ = 3, N ₂ = 50. In this case, the required memory size is less than 2KB.

Therefore, according to the present embodiment, a two-step DDoS defense mechanism is proposed that can protect a subnetwork by using an existing flow and a new flow having a different priority based on IP history information with a reduced memory size. . In the first stage, memory is reduced by reducing the number of IP addresses monitored through sampling and using bloom filters in both stages. Simulation results show that even with a small memory size, high throughput can be maintained for the current flow during DDoS attacks.

In addition, a detailed system configuration for a history-based DDoS compatible device according to an embodiment of the present invention, a common platform technology such as an embedded system, an O / S, a communication protocol, and an interface standardization technology such as an I / O interface will be described. As it is obvious to those skilled in the art, it will be omitted.

The history-based DDoS correspondence method according to the present invention may be implemented in the form of program instructions that can be executed by various computer means and recorded in a computer readable medium. That is, the recording medium may be a computer-readable recording medium having recorded thereon a program for causing a computer to execute the steps described above.

The computer readable medium may include a program command, a data file, a data structure, etc. alone or in combination. Program instructions recorded on the media may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of the computer-readable recording medium include magnetic media such as a hard disk, a floppy disk and a magnetic tape, optical recording media such as CD-ROM and DVD, magnetic recording media such as a floppy disk Optical media, and hardware devices specifically configured to store and execute program instructions such as ROM, RAM, flash memory, and the like.

Those skilled in the art will appreciate that various modifications and changes can be made in the present invention without departing from the spirit and scope of the invention as set forth in the claims below.

1 is a network diagram including a history-based DDoS detection apparatus according to an embodiment of the present invention.

2 is a block diagram of a history-based DDoS detection apparatus according to an embodiment of the present invention.

3 is a flowchart of a history-based DDoS correspondence method according to an embodiment of the present invention;

4 is a structural diagram of a table managed in a first step of a history-based DDoS correspondence method according to an embodiment of the present invention;

5 is a structural diagram of a table managed in a second step of the history-based DDoS correspondence method according to an embodiment of the present invention.

6 is a diagram illustrating a method of modifying a table of a history-based DDoS detection apparatus according to an embodiment of the present invention.

7 illustrates an algorithm for implementing a history-based DDoS correspondence method according to an embodiment of the present invention.

8 is a diagram illustrating a network configuration and simulation results for a history-based DDoS response method according to an embodiment of the present invention.

<Description of the symbols for the main parts of the drawings>

110: attacker 120: external user

130: network 140: router

141: first connection state table 142: first bloom filter

143: second connection state table 144: second bloom filter

145: storage unit 146: control unit

150: server 160: internal users

Claims (8)

(a) recording the number of source IP addresses that access the destination IP address; (b) comparing the number of source IP addresses per destination IP address with a first threshold; (c) specifying the destination IP address whose number of source IP addresses is greater than or equal to the first threshold; (d) storing the source IP address and the number of source IP addresses that access the specified destination IP address; (e) comparing the number of source IP addresses accessing the specified destination IP address with a second threshold, wherein the second threshold is greater than the first threshold; (f) determining that a DDoS attack has been initiated against the specified destination IP address if the number of source IP addresses is greater than or equal to the second threshold; And (g) assigning the stored source IP address a high priority for accessing the specified destination IP address. The method of claim 1, Step (a) and step (d), And a corresponding value between the destination IP address and the source IP address is converted into a hash value and stored. The method of claim 1, Step (a) and step (d), And registering the source IP address in a bloom filter. The method of claim 3, The bloom filter is a history-based DDoS corresponding method, characterized in that shared for the different destination IP address. The method of claim 3, The step (d) The bloom filter includes a timer for determining the presence or absence of a packet transmitted between the destination IP address and the source IP address during a preset time interval. And if there is no packet transmitted between the destination IP address and the source IP address during the time period, determining that the connection between the destination IP address and the source IP address is lost. delete The method of claim 1, The target IP address is a history-based DDoS corresponding method, characterized in that the IP address of the terminal connected to the edge router. A program of instructions that can be executed by a digital processing apparatus for performing the history-based DDoS correspondence method according to any one of claims 1 to 5 and 7 is tangibly implemented and can be read by the digital processing apparatus. Recording medium that records the program.

Images