KR20090022131A - Hierarchical overlay network system and ddos attack tolerant method using the same - Google Patents

Abstract

A hierarchic overlay network system for guaranteeing the fast and normal transmission of a control traffic and DDoS attack opposing method using the same are provided to guarantee the transmission of the control traffic for the co-operating used in the DDoS attack intercepting process. A join sensing message tightened including its own capacity is broadcasted to a join request node tightened to a neighboring node. Each overlay node receives the discovery message. It transmits in the request node joining a join response message including the information about an overlay network layer. An overlay network layer is determined in reference with the join request message. The request node is unable to receive the response message tightened within the predetermined time. The discovery message tightened is directly delivered to the highest complementary system.

Description

Hierarchical overlay network system and DDoS attack tolerant method using the same}

The present invention relates to a network system, and more particularly, to a hierarchical overlay network system capable of countering an attack and a method for countering a DDoS attack using the same.

In general, Denial of Service (DoS) attacks destroy network nodes such as websites, Internet service providers (ISPs), and other servers with a large amount of traffic that exceeds their processing capacity, and thus the duration of the attack. It is defined as destroying a node that has been broken in the network.

In addition, in distributed denial of service (DDoS) attacks that are stronger than DoS, an attacker attempting to launch an attack destroys many nodes through well-known security loopholes. This compromised node must become the attacker's slave controller and act as a launch point for injecting traffic into the network. Thus, an attacker can launch a broad attack on a large network by cascading traffic from multiple starting points.

DDoS attack is a simple and very powerful attack that can deplete not only one system resource but also network resource by distributing multiple attack agents at the same time. In fact, there are a growing number of cases that cause connection failures or slowdowns in Internet use due to massive abnormal traffic caused by DDoS attacks along with worm viruses, and the damages are getting worse. In particular, many local area networks (LANs) have a hierarchical network structure, such as a tree. In this case, if a specific router is paralyzed by an attack, the subordinate network also loses its connection to the Internet, which can disrupt communication. Can be made larger.

1 is a diagram illustrating a conventional network system subjected to a DoS attack.

Referring to Fig. 1, most conventional network systems 10 have a hierarchical structure like a tree. That is, the top node 11 of the network system is provided with a top node 11 that is connected to other Internet and manages all nodes included in the network system. There is a router 12 that can be routed step by step based on the top node, each node is connected to the general node.

As shown in FIG. 1, when an attack is applied to a router belonging to a specific layer, the router 14 victimized by the attack is completely paralyzed, and the lower nodes 13 connected to the router 14 are connected to the Internet. The connection will be blocked. That is, in the conventional hierarchical network system 10, when a router is paralyzed by an attack, communication of lower nodes is also affected.

In order to prepare a countermeasure against a conventional DDoS attack, various studies on a Denial of Service (DoS) attack or a DDoS attack have recently been conducted. However, security mechanisms proposed to date are focused on detection, filtering of attack traffic, and tracking of attack agents. Especially, in the hierarchical structure as shown in FIG. 1, control traffic transmission for cooperative response to distributed attacks is not smooth. There is a problem that you may not. In addition, even if the filtering function is performed in such a network structure, the overall damage is increased because general routing may affect the traffic transmission of other nodes by the attack traffic until the attack agent is completely removed.

Therefore, it is possible to guarantee the fast and normal transmission of control traffic for cooperation used in the DDoS attack blocking process and to minimize the damage of normal traffic when an attack occurs, and furthermore, considering that there are hierarchical network structures and nodes with various processing capabilities. What is needed is a way to reduce the head.

It is an object of the present invention to ensure fast and normal transmission of control traffic for cooperation used in the DDoS attack blocking process and to minimize damage of normal traffic when an attack occurs, and furthermore, there is a hierarchical network structure and nodes with various processing capabilities. It is to provide a hierarchical overlay network system that can reduce overhead in consideration.

Another object of the present invention is to provide a method for countering DDoS attacks of the hierarchical overlay network system.

The hierarchical overlay network system according to an embodiment of the present invention includes at least one general node having a general operation mode for routing data packets with reference to a general routing table, and an overlay for routing data packets with reference to the overlay routing table. An overlay network comprising an operation mode and at least one overlay node having the normal operation mode, wherein the general node and the overlay node comprise a plurality of hierarchical structures; And a top-level corresponding system that controls the overlay node to operate in an overlay mode of operation when a DDoS attack is detected, wherein in the overlay mode of operation, the overlay node routes to bypass the DDoS attack.

The above-described overlay node performs an operation of detecting a DDoS attack, and when detecting a DDoS attack, the overlay node may notify the top-level corresponding system of an attack detection message indicating that the DDoS attack has been damaged under the overlay operation mode.

Meanwhile, when the general node detects a DDoS attack and detects a DDoS attack, an attack detection message indicating that the DDoS attack has been damaged by an overlay node that is not affected by the DDoS attack among overlay nodes adjacent to the node. And the overlay node notified of the attack detection message from the general node may notify the highest correspondent system of the notified attack detection message under the overlay operation mode.

The above-described attack detection message may include information on an attack detection node, information on an attack damage node, and information on a vertical relationship between an attack detection node and an attack damage node.

On the other hand, the above-described top level corresponding system determines a blocking node set composed of blocking nodes bypassing the attack damage node based on the detection result message, and provides information on the blocking node set and information on the attack damage node. The blocking notification message may be transmitted to the blocking nodes.

In addition, overlay nodes included in the same layer in the above-described plurality of layers may have similar processing capacities of data packets.

On the other hand, the overlay routing table, the first block for storing the serial number of the corresponding overlay node + 2 ^m ; A second block for storing a number for the destination node; And a third block for storing information about the next node, wherein 2 ^m represents the number of overlay nodes that can be included in the overlay network at a maximum, and m is a natural number of 1 or more.

On the other hand, in order for the node to join the overlay and constitute a member of the overlay network, the member join method by the administrator's setting and the member join method by the message may be performed.

Here, the method of joining members by setting the manager is a method in which the manager can set the overlay layer of each node and the processing power range included in the overlay layer at the initial configuration of the overlay, and join them as members. You can use it.

In addition, the member join method by a message is a member node is dynamically performed by a join exploration message and a join response message in a dynamic network environment by additional node placement and relocation after initial overlay network configuration. The join request node to join as the overlay node transmits a join exploration message requesting to join as the overlay node together with its data packet processing capacity to the overlay nodes included in the overlay network, and the join exploration node. The overlay nodes receiving the message transmit a join response message including the data packet processing capacity and information on the overlay network layer to which the node belongs, to the join request node, and the join request node sends the join response message. Overlay to join by reference The network layer may be determined and joined to the new overlay node by transmitting a join request message to the overlay nodes included in the determined overlay network layer.

Meanwhile, the join request node determines a network layer to join a network layer to which a node having a value equal to or smaller than its own data packet processing capacity belongs by referring to the data packet processing capacity of the overlay nodes included in the join response message. Can be.

In addition, the overlay nodes receiving the join request message may update their overlay routing table according to the Chord protocol with reference to the received join request message.

Meanwhile, when the join request node is connected to an overlay node belonging to an upper or lower layer of the network layer determined to join, the join request message includes layer information and connection information of the join request node.

The blocking node may also route data packets under the overlay mode of operation.

Meanwhile, the blocking node set may be determined to include nodes detecting a DDoS attack, nodes connected to a victim node victimized by the DDoS attack in the direction of attack traffic, and nodes of the same level as the victim nodes.

DDoS attack countermeasure using a hierarchical overlay network system according to another embodiment of the present invention, at least one general node having a normal operation mode for routing data packets with reference to the general routing table, and the overlay routing table And an overlay operation mode for routing data packets and at least one overlay node having the general operation mode, wherein the general node and the overlay node form an overlay network having a plurality of hierarchical structures; The general node or the overlay node detecting a DDoS attack; If the DDoS attack is detected, controlling the overlay node to operate in an overlay mode of operation; And in the overlay operation mode, the overlay node may route to bypass a DDoS attack.

Meanwhile, when the overlay node detects a DDoS attack, the overlay node may notify the top response system of the attack detection message indicating that the DDoS attack has been damaged under the overlay operation mode.

In addition, when the general node detects a DDoS attack, the general node notifies an attack detection message indicating that the DDoS attack has been damaged by an overlay node which is not damaged by the DDoS attack among the adjacent overlay nodes, and the attack from the general node. The overlay node notified of the detection message may notify the top response system of the notified attack detection message under the overlay operation mode.

Meanwhile, overlay nodes included in the same layer in the plurality of layers may have similar processing capacities of data packets.

In addition, a join request node that wants to join as the overlay node among the general nodes sends a join exploration message requesting to join as the overlay node together with its data packet processing capacity to overlay nodes included in the overlay network. The overlay nodes that have received the join discovery message transmit a join response message including their data packet processing capacity and information about the overlay network layer to which they belong, to the join requesting node. With reference to the join response message, an overlay network layer to be joined may be determined, and a join request message may be transmitted to overlay nodes included in the determined overlay network layer, thereby joining to a new overlay node.

Meanwhile, the join request node determines a network layer to join a network layer to which a node having a value equal to or smaller than its own data packet processing capacity belongs by referring to the data packet processing capacity of the overlay nodes included in the join response message. Can be.

In addition, the overlay nodes receiving the join request message may update their overlay routing table according to the Chord protocol with reference to the received join request message.

Meanwhile, when the join request node is connected with an overlay node belonging to an upper or lower layer of the network layer determined to join, the join request message may include layer information and connection information of the join request node.

In addition, when receiving the attack detection message, the highest-level corresponding system determines a blocking node set to which uplink or downlink traffic is bypassed, and includes a blocking notification message including information on the determined blocking node set in the blocking node set. Transmits to a blocking node, and the blocking node can route data packets under the overlay operation mode.

Meanwhile, the blocking node set may be determined to include nodes detecting a DDoS attack, nodes connected to a victim node victimized by the DDoS attack in the direction of attack traffic, and nodes of the same level as the victim nodes.

According to such a hierarchical overlay network system and a method for countering DDoS attacks using the same, it is possible to ensure fast and normal transmission of control traffic for cooperation used in the process of blocking DDoS attacks and to minimize damage of normal traffic when an attack occurs. Considering the network structure and the presence of nodes having various processing capacities, overhead can be reduced by configuring a plurality of hierarchical overlays.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

2 is a diagram illustrating a hierarchical overlay network system according to an embodiment of the present invention. FIG. 3A illustrates a transmission path of the attack detection message when the attack damage node is an overlay node, and FIG. 3B illustrates a transmission path of the attack detection message when the attack damage node is a general node.

Referring to FIG. 2, the hierarchical overlay network system 100 includes a hierarchical overlay network 120 including a top-level corresponding system 110 and a plurality of overlay nodes 121.

The overlay network 120 includes at least one general node having a general operation mode for routing data packets with reference to a general routing table, an overlay operation mode for routing data packets with reference to an overlay routing table, and the general operation mode. It includes at least one overlay node having a general node and the overlay node has a plurality of hierarchical structure. Here, in the overlay mode of operation, the overlay node routes to bypass a DDoS attack.

When the DDoS attack is detected, the top-level system 110 controls the overlay node to operate in an overlay operation mode.

The overlay node performs an operation of detecting a DDoS attack, and upon detecting a DDoS attack, the overlay node notifies the top response system of an attack detection message indicating that the DDoS attack has been damaged under the overlay operation mode, and the general node provides a DDoS. When the DDoS attack is detected by detecting an attack, an attack detection message indicating that the DDoS attack has been damaged by an overlay node that is not damaged by the DDoS attack is detected, and the general node is detected. The overlay node notified of the attack detection message from the controller notifies the highest level corresponding system of the notified attack detection message under the overlay operation mode.

The top level correspondence system 110 is a node that is responsible for all nodes included in the hierarchical overlay network system 100, and its location may be different from that of one embodiment of the hierarchical overlay network system 100. The top response system 110 instructs each node to detect an attack through a preset detection mechanism.

Attack detection methods include, for example, methods in which intermediate nodes use network configuration information to examine the sending and receiving IP addresses of packets or to monitor the rate of change of the sender's IP address and MAC address (Mihui Kim, Kijoon Chae, “Detection and Identification Mechanism against”). Spoofed Traffic Using Distributed Agents, ”ICCSA2004, LNCS 3043, pp.673-682, May, 2004.), or using data mining to construct normal traffic patterns and use them to examine traffic patterns (Mihui Kim, Hyunjung Na, Kijoon Chae, Hyochan Bang, Jungchan Na, “A Combined Data Mining Approach for DDoS Attack Detection,” ICOIN2004, LNCS 3090, pp. 943-950, Feb., 2004). In addition, other methods of performing distributed attack detection at intermediate nodes in the network may be used.

The attack detection node determines whether an attack has occurred in a specific node by using the above-described attack detection method, and transmits an attack detection message to the top-level counterpart system 110. For example, an attack detection node sends an attack detection message using its finger table (routing table) to the next node (H_TB) connected to the upper layer in its overlay layer, and the H_TB node that receives the attack detection message. The node transmits the received message to the higher layer node connected to the node, and the node receiving the same also transmits the message to its H_TB node. This process is repeated to deliver the corresponding attack detection message to the top response system 110.

Attack detection messages include attack detection node information (IP address, overlay layer), extent to attack damage node (IP address, overlay layer if any), and information about the relationship between attack detection node and attack damage node (up / down, down). / Upper, same layer), neighbor node information (information connected to the upper, lower, or same layer) of the detection node and the like are stored.

The attack detection node described above assumes an overlay node in the proposed overlay structure, and the victim or victim node may or may not be an overlay node. If the first victim node is an overlay node, the detection node forwards the attack detection message that it created to the next node (H_TB) connected to the upper layer, and attacks the top response system through the layer overlay according to the above-described mechanism. Deliver a detection message. If the second victim node is not the overlay node, the attack detection message is sent to the top attack blocking node through the layer overlay with the attack node's information along with the victim node's information (IP address). 3A and 3B to be described below illustrate a path for delivering an attack detection message to a top-level response system when a detection node detects a victim node.

In FIG. 3A and FIG. 3B, it is assumed that the attack detection node is the overlay node 121, and the attack damage node is divided into the overlay node 121 or the general node 131.

Referring to FIG. 3A, when the attack damage node is the overlay node 121, the attack detection node forwards the attack detection message to the top-level counterpart system 110 using a mechanism for delivering the attack detection message to the next node connected to the higher overlay network. As shown in FIG. 3B, when the attack damage node is the general node 131, the attack detection node passes the hierarchical overlay network 120 to transmit the attack detection message to the top-level counterpart system 110.

The top-level response system 110 determines the location of the attack damage node based on the attack detection message transmitted as described above, and sets a blocking node set to bypass the attack damage node when the attack damage node is detected. Thereafter, the uppermost response system 110 transmits a blocking notification message including configuration information of the blocking node and information on the attack damage node to the blocking nodes using the hierarchical overlay network 120. Blocking nodes that receive this message operate in overlay mode using overlay routing to bypass attack victim nodes through the hierarchical overlay network 120. After bypassing the attack victim node, it operates in normal mode using normal routing.

A method of determining an attack damage node and a blocking node in the top response system 110 will be described in detail.

Upon receiving one or more attack detection messages, the top-level response system selects a victim node and attack type, a set of blocking nodes that block actual attack traffic and bypass normal traffic based on the detection information contained in the message. The top-level response system that collects information about the victim node or region determines the victim node and region (the victim node set = x | victim node x ∈ ∀ ADM ), where ADM is an attack detection message. At this time, the victim node stops the router function (strong attack) regardless of the attack traffic direction (upward / downward) and when only a specific interface of the victim node cannot transmit smoothly due to the specific attack traffic direction (weak) Attack). As shown in Table 1 below, in the former case, the position of the detection node will be higher / lower / same layer around the victim node, and in the latter case, detection nodes in the higher / same layer or lower / same layer will receive the attack detection message. Will deliver. By analyzing the relationship between the detection node and the victim node, in the former case, the set of blocking nodes to bypass the up / down traffic is bypassed to bypass the victim node or region as a whole, and in the latter case, the specific direction (up or down) is determined. Determine the set of blocking nodes to bypass traffic

if ((minD _layer ≥ maxV _layer ) or (DV _rel ⊆ UD, S)) AttackType = Weak_Down else if ((maxD _layer ≤ minV _layer ) or (DVrel ⊆ DU, S)) AttackType = Weak_Up else AttackType = Strong ■ minD _layer / maxD _layer : Minimum / maximum overlay layer of detection node set ■ minV _layer / maxV _layer : Minimum / maximum overlay layer of victim node set ■ DV _rel : Connection set of detection node and victim node (UD: Top and Bottom, DU: Bottom, S: Same) ■ AttackType: Attack Type (Strong: Strong Attack, Weak_Down: Weak Attack by Downward Attack Traffic Weak_Up: Weak Attack by Upward Attack Traffic)

According to an embodiment of the present invention, if the victim node set and the attack type are determined by the attack detection message information, the top-level counterpart system may determine the blocked node set according to the principle of Table 2 below.

Block node set = detection nodes, nodes connected to victim node in the direction of attack traffic, nodes at the same level as victim node

After determining the blocking node set, the top-level counterpart system 110 transmits a blocking notification message (Defense Notification Message, DNM) including the blocking node configuration information and victim node set information (IP address, layer information, etc.) through a hierarchical overlay network. Is sent to the blocking node set. Upon receiving this, the blocked node set bypasses the attack damage area by using the overlay network as shown in Figure 4. In other words, the upstream attack bypasses the damaged area above one layer of the damage overlay, and the paths behind it use normal routing. Bypassing the path afterwards will use normal routing. In particular, blocking nodes at the same level as the victim node, such as node (1) in Figure 4a, bypass the traffic using the generic routing protocol to bypass the traffic of the common nodes (nodes 2) connected to them. . Unlike Fig. 4a and Fig. 4b, even when the attack type is Strong, the blocking node set can be determined according to a similar principle, and the up / down normal traffic can be bypassed through the overlay network.

The topmost correspondence system 110 in FIG. 2 is connected to the highest overlay network and the number thereof is one, but is not limited thereto, and the position and number of the topmost correspondence system 110 may vary.

Referring back to FIG. 2, the hierarchical overlay network 120 is divided hierarchically from the top correspondence system 110, and the top correspondence system 110 is associated with the top overlay network 120a of the hierarchical overlay network 120. Connected. Each overlay network 120a, 120b, 120c includes a plurality of overlay nodes 121 logically connected to each other. Here, logically connected does not exclude physically connected. That is, each overlay node 121 may be directly connected to an adjacent overlay node or may be connected through the general node 131.

Here, an example of an overlay network is a network structure for data sharing in a peer to peer (P2P) network (Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan, “Chord: A Scalable Peer to peer Lookup Service”). for Internet Applications, ”SIGCOMM'01, pp. 149-160, Aug., 2001; M. Kaashoek, D. Karger,“ Koorde: A Simple Degree Optimal Distributed Hash Table, ”Second Int'l Workshop Peer to Peer Systems, Feb., 2003.).

Meanwhile, the overlay nodes 121 included in the same overlay network may have similar processing capacities. That is, the hierarchical overlay network 120 may be said to be divided hierarchically according to processing capacity. However, even if the overlay nodes 121 do not have similar processing capacity, the object of the present invention can be achieved. Thus, the overlay nodes 121 do not necessarily have similar throughput.

In addition, the hierarchical overlay network 120 is connected to an overlay network adjacent to each other through two or more overlay nodes. Two or more overlay nodes included in each overlay network layer may include a high overlay node for routing packets to an upper network layer and a low overlay node for routing packets to a lower network layer.

Each overlay node 121 uses a general routing table 121a used to route packets when the attack victim node is operating in the undetected normal mode, and routes packets when the attack victim node is detected and operates in the overlay mode. An overlay routing table 121b is used. On the other hand, the general node includes only the general routing table 131a used for routing packets in the normal mode.

FIG. 5 is a diagram illustrating overlay nodes forming one overlay network and the structure of an overlay table used for each overlay node.

Referring to FIG. 5, one overlay network includes a plurality of overlay nodes. Here, the size of the overlay network is defined as 2 ^m , m is an integer of 1 or more. In FIG. 5, m has a value of 5, so that the overlay network shown in FIG. 5 may have up to 32 overlay nodes.

In FIG. 5, seventh and sixteenth overlay routing tables N7-1 and N16-1 of each of the seventh and sixth overlay nodes N7 and 16 are illustrated.

As shown in FIG. 5, the first block FB, which is the first block of each of the seventh and sixteenth overlay routing tables N7-1 and N16-1, stores "own node number + 2 ^m ", where m is a natural number from 0 to 4. A number for the destination node is stored in the destination block, which is the second block SB of each of the seventh and sixteenth overlay routing tables N7-1 and N16-1. The number is stored in the destination block SB in the form of, for example, [8, 9), [9, 11) and the like. Here, [8, 9) means that 8 is included and 9 is not included, [9,11) means 9, 10 is included and 11 is not included.

Finally, the next node block, which is the third block TB of each of the seventh and sixteenth overlay routing tables N7-1 and N16-1, stores the number of the next node to be moved. For example, according to the seventh overlay routing table N7-1, when the number of the destination node is 8, it moves to node 10, and when the number of the destination node is 11, 12, 13, or 14, 12 Go to node 1. For example, according to the sixteenth overlay routing table N16-1, when the number of the destination node is 17, it moves to node 17, and when the number of the destination node is 20, 21, 22, or 23, 22 Go to node 1.

Unlike the general routing table, the overlay routing table stores the number of overlay nodes so that each overlay node can select the number of the next overlay node to route according to the destination number stored in the packet by referring to the corresponding overlay routing table. . Thus, in order to bypass the attack victim node, the packet may be routed using a hierarchical overlay network composed of overlay nodes only.

The overlay routing table described by way of example in FIG. 5 is a table defined by the Chord protocol.

The Chord protocol is a representative distributed routing protocol for finding nodes in which data is stored in P2P networks. In a network consisting of N nodes, each node only needs to store O (logN) other node information. O (logN) message transmission is required to reach the destination, and O (log ² N) message is transmitted when joining / leave a node, and routing of all nodes is reconfigured.

In detail about chord routing, each node is assigned a node ID by a hash function in the range of [0, 2 ^m-1 ], and each node conceptually constitutes a cycle as shown in FIG. 5 by the node ID. Each node x joined to the overlay network stores routing information for m other nodes, called the Pinker table, with the i th information of each routing being the nearest next overlay for node ID x + 2 ^i-1 (mod 2 ^m ). Information about the node. As described above, when describing the finger table of overlay node 7 of FIG. 5, Interval (denoted as "SB") [8, 9), that is, the node responsible for node 8 is represented as successor node ("TB"). Node 10, and node responsible for node 9, 10 is also a successor node node 10, so the packet to node 10 is sent to node 10. . In the packet routing method, when node x receives a packet destined for node y, it transmits to a successor node of a routing entry having an Interval value including y. The latter node is the representative node in charge of the packet. For example, in FIG. 5, when node 7 receives a packet destined for 20, 20 is included in Interval [15, 23) and transmitted to node 16. In the received node 16, packet destined for packet 20 is received in Interval [20, 24) and transmits to node 22. Node 22 knows that it is the destination it should be responsible for because the 20 is less than its ID number.

Now, a hierarchical overlay configuration will be described. The hierarchical overlay configuration according to the present invention has the following features.

■ Fast detection of detection information to the top response system after attack detection

■ After judging the attack damage area, select the blocking node to quickly bypass the normal and control traffic of other nodes to minimize the damage.

■ Use of hierarchical overlay structure to minimize management costs and provide scalability

The hierarchical overlay configuration according to an embodiment of the present invention is a structure that minimizes the damage of an attack by inducing the notification to the top-level corresponding system and the bypass of normal traffic using a plurality of chord overlay networks. To this end, a hierarchical overlay network is formed by joining an overlay network of an appropriate layer according to the capacity and connection structure of each node.

There are two methods for a node joining an overlay to be configured as a member of the overlay network. The node may be performed by a member join by an administrator and a member join by a message. In the initial configuration of the overlay, a join method by setting an administrator to join the member by setting the overlay layer of each node and the processing capability range included in the overlay layer may be used. In the join method by setting an administrator, the administrator sets the information and then joins the member, for example, using the Chord method.

On the other hand, after the initial overlay network configuration, in the dynamic network environment by additional node placement and relocation, the member join is dynamically performed by the join exploration message and the join response message. Hereinafter, a process of dynamically joining nodes will be described with reference to FIG. 6.

6 illustrates a process of joining a node to an overlay network.

Referring to FIG. 6, a new node n _{new to be} joined (also referred to as a "join request node") broadcasts a join exploration message containing its capacity to neighboring nodes. The peripheral node refers to neighbor nodes that can be delivered by broadcast when connected to a medium sharing network such as Ethernet and a lower node directly connected to itself. When each overlay node (n _ij , n _{i (j + 1)} , n _{(i + 1) j} ) receives a join exploration message, the join response includes information about its capacity and the overlay network layer to which it belongs. Send the message to the new node (n _new ) to join. Where overlay node n _ij represents j node of the i-th overlay network, overlay node n _{(i + 1) j} represents j node of the (i + 1) th overlay network, and the top-level overlay network is the first overlay Network. The new node n _new determines the overlay network layer to join by referring to the join response message. If the new node n _new does not receive the join response message within a predetermined time, the new node n _new may directly transfer the join exploration message to the top-level corresponding system.

Also, the new node n _new determines the overlay network layer to which it joins according to the capacity included in the join response message. An overlay network layer determination method according to an embodiment of the present invention will be described with reference to Table 3.

if (Capacity _i ≤ Capacity _new <Capacity _{(i + 1)} ) Level _new = Level _i else if (Capacity ₁ ≥ Capacity _new ) Level _new = Level ₁ else if (Capacity _K ≤ Capacity _new ) Level _new = Level _K ■ n _i (1≤i≤K, K: Number of nodes sending join response message) ■ Capacity _i : Capacity of node n _i (Capacity _i ≤Capacity _{(i + 1)} in ascending order of capacity) ■ Level _i : Overlay layer on node n _i ■ Capacity _new : The capacity of the newly joining node ■ Level _new : The determined level of the newly joining node

That is, the capacity of the received join response message is sorted to determine a section including its own capacity, and if there is a section including its own capacity, the join response has a value equal to or less than its own capacity. The layer to which the nodes sent by the message belong is determined as its own layer. Or, if there is no interval including its own capacity, and all the capacity of the received join response message is smaller than its own capacity, the layer that sends the smallest capacity in the join response message is determined as its own layer. On the contrary, if there is no interval including its own capacity and all of the capacity of the received join response message is larger than its own capacity, the layer sending the largest capacity as the join response message is determined as its own layer.

In this way, upon determining its own overlay network layer, the new node n _new transmits a join request message to the overlay nodes n _ij , n _{i (j + 1)} belonging to the determined overlay network layer. . At this time, the join process may be performed according to the Chord protocol as shown in FIG.

On the other hand, if the new node to be joined (n _new ) is already connected with the overlay of the upper layer of the network layer to be joined or the overlay node of the lower layer, the join request message. It transmits its hierarchical information and connection information together. The overlay nodes (n _ij , n _{i (j + 1)} ) already belonging to the overlay network layer may have their own information, for example, based on the layer information and connection information provided from the new node (n _new ). For example, the information on the previous node, the overlay routing table, the next node H_TB of the same layer directly connected to the upper layer and the next node L_TB of the same layer directly connected to the lower layer are updated. The H_TB / L_TB node is the first node that contains a connection with the parent / child overlay node when the ring rotates clockwise, including itself. Through the above process, the join process is completed. Meanwhile, in FIG. 6, reference numerals 'N _i ' and 'N _{i +1} ', which are not described, denote general nodes.

In the case where the upper overlay node and the lower overlay node exist, the joining process will be described in detail.

The join process consists of 1) the previous node (predecessor) of the node n _new to be joined and the finger table (meaning the routing table) and the next node connected to the upper / lower hierarchy, and 2) the addition of node n _new . Adjust the previous node, finger table and H_TB / L_TB of existing affected nodes. At this time, the method of configuring a finger table with the previous node follows the Chord protocol. Meanwhile, a method of configuring a next node of the same layer in which a direct connection exists to a node of a higher / lower layer additionally managed for a hierarchical overlay configuration is as follows.

If there is node information (H_TB / L_TB) connected to the upper / lower layer included in the join request message sent from node n _new to join, the existing node n _{* x} (x node of any layer) Update own information if it is first in clockwise order based on itself compared to the next / lower node information (H_TB _x / L_TB _x ), ie H_TB _x >new> x or L_TB _x >new> x do. Referring to FIGS. 7 and 8, in the case where the upper overlay node and the lower overlay node exist, the joining process will be described.

7 is a diagram illustrating an overlay routing table of an overlay node included in an overlay network before a new node is joined, and FIG. 8 is a diagram illustrating an updated overlay routing table after a new node is joined.

The constant m that determines the size of the overlay network shown in FIG. 7 is 3, and thus, the overlay network may be provided with up to eight overlay nodes. As shown in FIG. 7, an overlay node connected to the overlay network includes a zero overlay node N0, a first overlay node N1, and a third overlay node N3. Here, the first overlay node N1 is an upper overlay node connected to an upper layer, and the third overlay node N3 is a lower overlay node connected to a lower layer. Also, the second, fourth, fifth, sixth, and seventh nodes N2, N4, N5, N6, and N7 are general nodes.

In FIG. 7, the first, third and third overlay routing tables N0-1, N1-1, and N3-1 corresponding to the zeroth, first and third overlay nodes N0, N1, and N3 are presented. do. Referring to the zeroth, first and third overlay routing tables N0-1, N1-1, and N3-1, for example, the starting node is the zero overlay node N0, and the destination node is the fourth node ( In the case of N4), the next node is shown as the 0th overlay node N0. In addition, when the start node is the first overlay node N1 and the destination node is the fifth node N5, the next node appears as the 0th overlay node N0. In addition, when the start node is the third overlay node N3 and the destination node is the fourth, fifth, sixth and seventh nodes (N4, N5, N6, N7), the next node is all the 0 overlay node. (N0).

However, as shown in FIG. 8, when the sixth node N6 is joined to the overlay network and the sixth node N6 is determined to be a high overlay node connected to an upper layer, the 0th, Both the first and third overlay routing tables N0-1, N1-1, and N3-1 are updated.

Referring to FIG. 8, when the starting node is the zero overlay node N0 and the destination node is the fourth node N4, the next node appears as the sixth overlay node N6, and the starting node is the first overlay node. When node N1 and the destination node is fifth node N5, the next node appears as sixth node N6. In addition, when the start node is the third overlay node N3 and the destination node is the fourth, fifth, and sixth nodes N4, N5, and N6, all of the following nodes are shown as the sixth node N6. . That is, when the sixth node N6 is added to the current overlay network layer as described above, all of the existing 0th, 1st, and 3rd overlay routing tables N0-1, N1-1, and N3-1 are updated. .

Now, in the following, the overhead network analysis and the likelihood and speed of the rapid attack detection delivery when the attack detection for the overlay network system according to an embodiment of the present invention, and finally through the rate analysis for normal traffic bypass using the overlay The effect of this system is explained.

<Overhead Analysis>

In the present invention, when an attack is detected, an overlay network is configured to enable fast processing through control traffic bypass required for blocking an attack and to minimize damage due to a DDoS attack through normal traffic bypass. This overlay network uses a hierarchical overlay network according to the capacity of each node for heterogeneity of nodes and scalability of a large number of nodes. Since this overlay follows the existing Chord overlay default configuration, when the total number of nodes is N, O (log ² N) needs to be sent for joining and leaving the member, which can be changed to O (logN) by practical optimization. Reduce configuration overhead (Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan, “Chord: A Scalable Peer-to-peer Lookup Service for Internet Applications,” SIGCOMM'01, pp.149- 160, Aug., 2001.). According to an embodiment of the present invention, since it is assumed that the overlay network structure is based on the number of different hierarchical nodes, the configuration overhead requires less overhead than the case where one overlay is configured by the relational expression as shown in Table 4 below. It can be seen that in the case of multiple overlays, configuring the same number of nodes requires minimal overhead. Α _i in Table 4 is the node number of each overlay of β. In addition, FIG. 9 shows an overhead comparison diagram according to the increase of N according to this relation. As N increases, the overhead difference of the hierarchical overlay and the overlay when one overlay increases. In this figure, the hierarchical overlay is composed of three layers, and in the case of a hierarchical overlay consisting of 1000 nodes (1: 10: 100), 10 nodes, 100 nodes, and 890 nodes are composed of each overlay. The overhead of the time is shown.

One overlay configuration ≥ β overlay configuration consisting of different numbers of nodes ≥ β overlay configuration consisting of equal numbers of nodes

Rapidness of Attack Detection Delivery

Glomosim [GloMoSim (Global Mobile Information Systems Simulation Library), http://pcl.cs.ucla.edu/, which enables extensive network simulation in wired and wireless network systems to simulate the possibility of rapid forwarding of control packets upon attack detection. projects / glomosim /] simulator was used to configure the network as shown in FIG. This constitutes an overlay network consisting of three layers, and the top-level corresponding system is connected to overlay layer 1. In FIG. 10, the main routing path is indicated by a solid line. Indirect connections exist between nodes belonging to an overlay layer, and when the overlay node detects an attack, up to five attack detection messages are sent to the top response node in one second. Assume that you pass. Table 5 describes the attack scenarios and the normal traffic.

Attack type traffic   Strong Attack -5 Attack Agent Attack Traffic (Node 29-> Node 26), 1ms Cycle, Attack Time 10 ～ 150s-5 Attack Agent Attack Traffic (Node 31-> Node 26), 1ms Cycle, Attack Time 10 ～ 150s-Normal Traffic node 30-> node 16, 1ms period, traffic occurrence time 0 ～ 150s Node 32-> node 16, 1ms period, traffic occurrence time 0 ～ 150s   Weak up (weak up) -1 attack agent attack traffic (node 29-> node 26), 1ms cycle, attack time 10 ～ 150s-1 attack agent attack traffic (node 31-> node 26), 1ms cycle, attack time 10 ～ 150s-normal Traffic: Node 30-> Node 16, 1ms period, traffic occurrence time 0 ～ 150s Node 32-> Node 16, 1ms period, traffic occurrence time 0 ～ 150s

The attack traffic and normal traffic are all routed through the router of node 10, and the link capacity of node 10 is smaller than the traffic, so bottleneck caused by traffic overload occurs in node 10, and nodes 12 and 13 detect and attack The message will be delivered to the top level response system through the overlay. For example, node 12 becomes the H_TB node, so it is forwarded to the parent overlay node 11 connected to it, which is the same for node 13, so that the corresponding attack detection message is transmitted through node 11 to node 2, which is the top-level detection system. Passed to node 1. Comparing the results of the attack detection traffic transmission time and the transmission rate with respect to the case of not using the overlay network system according to the present invention (comparative example) and using (this embodiment) is shown in Table 6. Experimental results show that the attack detection message must pass through the victim node when the overlay endurance structure is not used, thus showing the possibility of transmission loss.In the case of using the overlay endurance structure, the high probability and speed of forwarding the attack detection message can be prevented. The possibility could be proved.

 Attack type  Transfer rate  Transmission time (Sec) Comparative example Example Comparative example Example  A strong attack 20% 100% 4.139377 0.006121  Weak attack 20% 100% 2.219606 0.006121

<Normal traffic  Throughput>

The result of comparing normal traffic in DDoS attack is shown in Table 7 below. As a result of the experiment, it can be seen that when the overlay blocking structure is used, normal traffic traffic is provided without significantly affecting the attack strength, thereby minimizing the damage of the attack.

Attack type Comparative example Example A strong attack 5639 12364 Weak attack 7771 12364

It is to be understood that the articles mentioned herein above are combined as part of the present specification.

1 is a diagram illustrating a conventional hierarchical network system subjected to a DoS attack.

2 is a diagram illustrating a hierarchical overlay network system according to an embodiment of the present invention.

3A is a diagram illustrating a transmission path of an attack detection message when an attack damage node is an overlay node.

3B is a diagram illustrating a transmission path of an attack detection message when an attack damage node is a general node.

4A and 4B are diagrams illustrating party traffic bypass by a blocking node set when an attack is detected.

FIG. 5 is a diagram illustrating overlay nodes forming one overlay network and the structure of an overlay table used for each overlay node.

6 is a diagram illustrating a process of joining a node to an overlay network.

FIG. 7 illustrates an overlay routing table of overlay nodes included in an overlay network before a new node is joined.

8 illustrates an updated overlay routing table after a new node is joined.

9 is an overhead comparison of one overlay configuration and multiple hierarchical overlay configurations.

10 is a diagram illustrating a network configuration for simulation.

Claims (25)

At least one general node having a general operation mode for routing the data packet with reference to the general routing table, and an overlay operation mode for routing the data packet with reference to the overlay routing table and at least one overlay node having the general operation mode An overlay network comprising: a general node and an overlay node comprising a plurality of hierarchical structures; And A top-level corresponding system for controlling the overlay node to operate in an overlay operation mode when a DDoS attack is detected; In the overlay mode of operation, the overlay node is routed to bypass a DDoS attack. The method of claim 1, And the overlay node detects a DDoS attack and, upon detecting a DDoS attack, notifies the top response system of an attack detection message indicating that the DDoS attack has been damaged under the overlay operation mode. The method of claim 1, The general node detects a DDoS attack, and when a DDoS attack is detected, an attack detection message indicating that the DDoS attack has been damaged by an overlay node that is not affected by the DDoS attack is detected. And the overlay node notified of the attack detection message from the general node notifies the highest correspondence system of the notified attack detection message under the overlay operation mode. The method according to claim 2 or 3, The attack detection message is a hierarchical overlay network system comprising information on an attack detection node, information on an attack damage node, and information on the upper and lower relations between an attack detection node and an attack damage node. The method according to claim 2 or 3, The highest level response system determines a blocking node set including blocking nodes bypassing the attack damage node based on the attack detection message, and includes a block including information on the blocking node set and information on the attack damage node. And sending a notification message to the blocking nodes. The method of claim 1, The overlay nodes included in the same layer in the plurality of layers, the processing capacity of the data packet is similar to each other, characterized in that the hierarchical overlay network system. The method of claim 1, The overlay routing table, A first block storing the serial number of the corresponding overlay node + 2 ^m ; A second block for storing a number for the destination node; And Contains a third block that stores information about the next node, Where 2 ^m represents the number of overlay nodes that can be included in the overlay network to the maximum, hierarchical overlay network system, characterized in that m is one or more natural numbers. The method of claim 1, Hierarchical overlay network system, characterized in that the member join method by the administrator's settings, and the member join method by the message can be performed in order for the node to join the overlay to form a member of the overlay network. The method of claim 8, The member join method by the administrator's setting is a method in which the administrator can set the overlay layer of each node and the processing range included in the overlay layer at the initial stage of overlay configuration, and join the member. An overlay network system that can utilize the Chord method after administrator setup. The method of claim 8, The member join by message method is a method in which member join is dynamically performed by a join exploration message and a join response message in a dynamic network environment by additional node placement and relocation after initial overlay network configuration. A join request node that wants to join as the overlay node among the general nodes sends a join exploration message to the overlay nodes included in the overlay network requesting to join as the overlay node together with its data packet processing capacity. , Overlay nodes receiving the join discovery message transmit a join response message including information on a data packet processing capacity and information on the overlay network layer to which the join probe message belongs, to the join requesting node. The join request node may determine an overlay network layer to join with reference to the join response message, and join to a new overlay node by transmitting a join request message to overlay nodes included in the determined overlay network layer. Hierarchical overlay network system. The method of claim 10, The join request node refers to the data packet processing capacity of the overlay nodes included in the join response message, and determines that the network layer to join the network layer to which the node having a value equal to or less than its own data packet processing capacity belongs. Characterized by a hierarchical overlay network system. The method of claim 10, The overlay nodes receiving the join request message update their overlay routing table according to the Chord protocol with reference to the received join request message. The method of claim 10, If the join request node is connected to an overlay node belonging to a higher layer of the network layer determined to join, the join request message includes hierarchical information and connection information of the join request node in the join request message. Network system. The method of claim 5, And the blocking node routes a data packet under the overlay mode of operation. The method of claim 14, The blocking node set is determined to consist of nodes detecting a DDoS attack, nodes connected to a victim node victimized by the DDoS attack in the direction of attack traffic, and nodes of the same level as the victim nodes. Hierarchical overlay network system. At least one general node having a general operation mode for routing the data packet with reference to the general routing table, and an overlay operation mode for routing the data packet with reference to the overlay routing table and at least one overlay node having the general operation mode Comprising: The general node and the overlay node comprises a plurality of hierarchically structured overlay network; The general node or the overlay node detecting a DDoS attack; If the DDoS attack is detected, controlling the overlay node to operate in an overlay mode of operation; Including; In the overlay operation mode, the overlay node is routed to bypass the DDoS attack, DDoS attack countermeasure method using a hierarchical overlay network system. The method of claim 16 And when the overlay node detects a DDoS attack, notifies the highest correspondence system of an attack detection message indicating that the DDoS attack has been damaged under the overlay operation mode. The method of claim 16, When the general node detects a DDoS attack, the general node notifies an attack detection message indicating that the DDoS attack has been damaged by an overlay node that is not damaged by the DDoS attack among the adjacent overlay nodes. The overlay node that is notified of the attack detection message from the general node, notifies the highest level corresponding system of the notified attack detection message under the overlay operation mode. The method of claim 16, The overlay nodes included in the same layer in the plurality of layers are processing capacity of the data packet is similar to each other, DDoS attack countermeasure method using a hierarchical overlay network system. The method of claim 16, A join request node that wants to join as the overlay node among the general nodes sends a join exploration message to the overlay nodes included in the overlay network requesting to join as the overlay node together with its data packet processing capacity. , Overlay nodes receiving the join discovery message transmit a join response message including information on a data packet processing capacity and information on the overlay network layer to which the join probe message belongs, to the join requesting node. The join request node may determine an overlay network layer to join with reference to the join response message, and join to a new overlay node by transmitting a join request message to overlay nodes included in the determined overlay network layer. DDoS attack countermeasure using hierarchical overlay network system. The method of claim 20, The join request node refers to the data packet processing capacity of the overlay nodes included in the join response message, and determines that the network layer to join the network layer to which the node having a value equal to or less than its own data packet processing capacity belongs. DDoS attack countermeasure using hierarchical overlay network system. The method of claim 20, The overlay nodes receiving the join request message update their overlay routing table according to the Chord protocol with reference to the received join request message. The method of claim 20, If the join request node is connected to an overlay node belonging to a higher layer of the network layer determined to join, the join request message includes hierarchical information and connection information of the join request node in the join request message. How to counter DDoS attack using network system. The method of claim 20, The highest level response system, upon receiving the attack detection message, determines a blocking node set to which upstream or downward traffic is bypassed, and sends a blocking notification message including information of the determined blocking node set to the blocking node set. To, The blocking node is a method for countering DDoS attacks using a hierarchical overlay network system, characterized in that for routing data packets under the overlay operation mode. The method of claim 24, The blocking node set is determined to consist of nodes detecting a DDoS attack, nodes connected to a victim node victimized by the DDoS attack in the direction of attack traffic, and nodes of the same level as the victim nodes. DDoS attack countermeasure using hierarchical overlay network system.

Images