KR20110026926A - (method for blocking distributed denial of service - Google Patents
Publication number: KR20110026926A (application KR1020090084782A)
Authority: KR (South Korea)
Prior art keywords: attack, traffic, server, network, blocking
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
  - H04L63/0227—Filtering policies
  - H04L63/0272—Virtual private networks
  - H04L63/029—Firewall traversal, e.g. tunnelling or creating pinholes
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
  - H04L63/1441—Countermeasures against malicious traffic
  - H04L63/1458—Denial of Service
Description
The present invention relates to a method for defending against a denial of service attack, more specifically a distributed denial of service (DDoS) attack, in which, when a DDoS attack occurs on the network, the attack traffic is diverted through a VPN and then blocked by multi-level filtering.
A distributed denial of service (DDoS) attack exhausts network resources or the resources of an internal system so that legitimate users cannot receive the services they want. Because a variety of attack tools are publicly available, anyone can easily launch a DDoS attack with such a tool, and the damage to the target system is relatively severe. Many techniques for defending against DDoS attacks are therefore in use.
However, most DDoS defense techniques simply limit incoming traffic (QoS) or classify traffic into normal and attack traffic. Even if such a technique were perfect, the network still becomes disconnected when excessive attack traffic exceeds the bandwidth of the interconnecting network.
DDoS attacks divide into attacks that exploit TCP connection establishment and attacks that rely on plain UDP traffic volume. The most common attack on TCP connection establishment is the TCP flooding attack, which exploits a weakness of the three-way handshake used when communicating over TCP.
In the three-way handshake, the client sends a SYN packet carrying the server's port number and the client's initial sequence number (ISN); the server replies with a SYN-ACK packet containing the server's own ISN and the client's ISN + 1; and the client answers the server's SYN-ACK with an ACK packet. This three-step exchange establishes a TCP connection. An attack on TCP connection establishment omits the last of the three steps and only sends a large number of SYN packets to the server, exhausting all the buffers used by the server so that no further connections can be made.
Attacks that simply rely on traffic congestion include those that send large volumes of UDP or ICMP packets and those that generate ordinary HTTP requests. An Internet Control Message Protocol (ICMP) attack sends a large volume of ICMP echo packets; ping flooding and smurf attacks are examples.
Conventional techniques for blocking DoS attacks include improving the server-side algorithms of the TCP protocol or adjusting the traffic volume. Improving the server-side TCP algorithm means refining the connection-establishment algorithm to distinguish spoofed client IPs or to reject incorrect connection attempts. However, this cannot prevent attacks that overrun normal TCP connections or exceed the network bandwidth with UDP or ICMP.
DDoS defense devices do two things: detect a DDoS attack, and analyze and defend against the attack once it is detected. Detection of a DDoS attack is generally based on communication thresholds. More specifically, the traffic and QoS thresholds to be allowed for each network situation are specified in advance or determined dynamically, and all communication across the network is then monitored to see whether a threshold has been exceeded. If the allowed threshold is exceeded and the source addresses of the incoming traffic are distributed across many places, a DDoS attack is declared.
Once a DDoS attack has been declared, the usual response is to adjust the amount of traffic delivered to the attacked system or the amount of traffic for a specific service. However, a DDoS attack is concentrated congestion in which many attacking clients target a specific server, so even when normal clients can be clearly distinguished from attacking clients, the target server's operation is paralyzed if the bandwidth of the network where it is located is not secured.
The present invention was made to solve the above problems. Its object is to provide a method for blocking a DDoS attack that: determines whether the traffic state from the network toward the target server constitutes a DDoS attack; if the traffic state is attack traffic detected as a DDoS attack, diverts the attack traffic, through the attack defense device, to a virtual private network that has the network bandwidth of a physical line to the DNS server; blocks or filters the attack traffic step by step within the virtual private network so as to guarantee the bandwidth of the network where the target server is located; and delivers the normal traffic to the target server, which is tunneled to a VPN server located in the virtual private network.
In the method for blocking a distributed service denial attack of the present invention for achieving the above object, the traffic state toward the target server S1 in a network through the attack defense device 10 is denied distributed service. Attack detection step (S1) for determining whether the attack; If the traffic state is attack traffic detected as a distributed denial of service attack, a virtual private network (VPN: virtual network secured a network bandwidth of a physical line to the
In the attack detection step (S1), the traffic state is one of the form of ICMP flow, UDP flow, TCP SYN flooding (TCP) through the TCP packet or the form of increasing the session value generation of the target server (4) By monitoring, the
The bypass step (S2), through the attack defense device 10, the IP address to which the attack traffic is directed to change from the IP address of the
The attack blocking step (S3), the first attack blocking step (S31) for defending the distributed service denial attack of at least one type of ICMP flow or UDP flow of the attack traffic through the attack defense equipment (10); A second attack blocking step (S32) of defending the distributed service denial attack in the form of TCP SYN flooding through a TCP packet of the attack traffic passing through the first attack blocking step (S31); And a third attack blocking step (S33) of defending the distributed service rejection attack in the form of increasing the session value generation of the
The normal traffic providing step (S4), through the attack defense device 10, characterized in that to provide the normal traffic to the target server (4), which is a VPN client tunneled TCP with the
As described above, the present invention diverts attack traffic to the virtual private network, where it is blocked, thereby defending against the DDoS attack and delivering only normal packets to the target server without data loss or slowdown.
In addition, by using VPN tunneling to switch the traffic to a place where network bandwidth is secured, the network can be kept from being paralyzed by a bandwidth-exhaustion attack.
In addition, by distinguishing and filtering abnormal traffic from normal traffic, server availability is guaranteed; and because the attacker does not learn the location or IP address of the actual network, information gathering is made difficult while normal user access is preserved.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings, so that those skilled in the art may easily implement the invention.
FIG. 1 is a diagram of a network configuration for the DDoS blocking method according to an embodiment of the present invention, FIG. 2 is a detailed view of the attack defense device according to that method, and FIG. 3 is a flowchart of the method. The description with reference to FIGS. 1 to 3 is as follows.
The attack defense equipment 10 for applying a method for blocking a distributed service denial attack includes: an attack detection unit 12 for monitoring whether a traffic condition is directed to an
The attack defense device 10 determines whether traffic suspected of being a DDoS attack actually is one and, if so, blocks the DDoS attack.
The virtual private network (internal network) may be composed of attack defense equipment 10 having a router 18 and a switch. As shown in FIG. 1, the attack defense device 10 to defend against distributed service denial attacks includes a router 18 capable of accommodating a large amount of attack traffic, and a
The attack defense device 10 may be connected to the
Through the Internet, an attacker forges the source address to an arbitrary address and launches a DDoS attack on the target server (4). The attack defense equipment 10 then performs the function of detecting and defending against the attack.
The present invention provides a normal packet to the
The external network may be composed of a network network, an attacker terminal 2 (ATTACK PC) and a source used for an attack. In addition, the external network may include an
The
The
One embodiment of the present invention, through the attack defense equipment 10, attack detection step (S1) for determining whether the traffic (traffic) to the attack target server (S1) in the network network is a distributed service rejection attack; If the traffic state is attack traffic detected as a distributed denial of service attack, a virtual private network (VPN: virtual network secured a network bandwidth of a physical line to the
In a normal network state where no DDoS attack is occurring, the virtual private network is not used; when a DDoS attack does occur, it can be defended against by using the components of the virtual private network that is already in place.
In the attack detection step (S1), the traffic state is one of the form of ICMP flow, UDP flow, TCP SYN flooding (TCP) through the TCP packet or the form of increasing the session value generation of the target server (4) By monitoring, it is possible to detect whether the
The attack detection step (S1) may be performed by the attack detection unit 12 provided in the attack defense equipment 10, and the attack detection unit 12 may be implemented as a monitoring server for DDoS attack detection.
The attack detection unit 12 inspects the traffic destined for the
That is, when the traffic state of the
Traffic conditions may be detected while being classified in the attack detection unit 12 in the form of ICMP flow, UDP flow, TCP SYN flooding through TCP packets, or increasing the generation of session values of the
The attack detection unit 12 may be included in the site or servers to which the DDoS blocking method according to the present invention is applied, or may run in a separate device.
The bypass step (S2), through the attack defense device 10, the IP address to which the attack traffic is directed to change from the IP address of the
When traffic suspected of a distributed service rejection attack to the
In this case, the IP changing unit 14 requests the
As shown, the
Through this, the distributed denial of service attack destination is changed to the
The virtual private network according to the present invention can block attacks in which network bandwidth is exhausted by the ICMP-flood or UDP-flood component of the attack traffic; it has the advantage of being able to block UDP and ICMP wholesale, the protocols used in attacks on network bandwidth.
To this end, the virtual private network may be built as a 200G network in which the network bandwidth of the physical circuit is secured, so that a large volume of ICMP or UDP flood can be absorbed and blocked.
The attack blocking step (S3), the first attack blocking step (S31) for defending the distributed service denial attack of at least one type of ICMP flow or UDP flow of the attack traffic through the attack defense equipment (10); A second attack blocking step (S32) of defending the distributed service denial attack in the form of TCP SYN flooding through a TCP packet of the attack traffic passing through the first attack blocking step (S31); And a third attack blocking step (S33) of defending the distributed service rejection attack in the form of increasing the session value generation of the
The first to third attack blocking steps S31, S32, and S33 may be performed by the attack blocking unit 16 provided in the attack defense equipment 10.
In the first attack blocking step S31, the router 18 provided in the attack blocking unit 16 can accommodate a large volume of ICMP and UDP flows and thereby defend against a DDoS attack in the form of an ICMP or UDP flood. That is, with the 20G (gigabit) bandwidth of the virtual private network, a bandwidth attack carried out through a large volume of ICMP or UDP traffic can be blocked.
In the second attack blocking step S32, the
That is, the second attack blocking step (S32) analyzes network behavior and, when an overload attack on the target server (4) in the form of TCP SYN flooding arrives, defends against the attack carried in the TCP packets without affecting the bandwidth of the network line.
In the third attack blocking step S33, when the
By blocking attack traffic step by step through the three blocking stages, the present invention is able to block abnormal DDoS attack traffic while letting normal traffic pass.
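The detection criterion of step S1 (a per-form traffic threshold that only counts as an attack when the source addresses are distributed) and the three-stage blocking of step S3 (S31 for ICMP/UDP floods, S32 for TCP SYN flooding, S33 for a session surge) are illustrated together in the following Python example. It is an added example, not code from the patent or from any product implementing it: the thresholds, the per-stage rules, the addresses and the flow records are all constructed assumptions, and the stage internals (dropping the flooding protocol outright, keeping SYNs only from sources that complete a handshake, capping sessions per source) are one plausible reading of the text rather than the patent's specified behavior.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

TARGET = "203.0.113.10"  # constructed target-server address (documentation range)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "ICMP", "UDP" or "TCP"
    syn_only: bool = False     # TCP SYN with no ACK: a half-open connection attempt
    new_session: bool = False  # completed handshake that creates a server session


# S1 thresholds (constructed): packets per attack form in the monitoring window,
# plus the minimum number of distinct sources before a flood counts as "distributed".
THRESHOLDS = {"ICMP": 50, "UDP": 50, "TCP_SYN": 40, "SESSION": 30}
MIN_DISTINCT_SOURCES = 10
MAX_NEW_SESSIONS = 3  # S33 (constructed): sessions one source may open during a surge


def forms_of(flow):
    """Attack forms a single flow could contribute to."""
    if flow.proto in ("ICMP", "UDP"):
        return [flow.proto]
    forms = []
    if flow.syn_only:
        forms.append("TCP_SYN")
    if flow.new_session:
        forms.append("SESSION")
    return forms


def detect_attack(flows, target=TARGET):
    """S1: return the attack forms whose threshold is exceeded by many sources."""
    counts, sources = Counter(), defaultdict(set)
    for f in flows:
        if f.dst != target:
            continue
        for form in forms_of(f):
            counts[form] += 1
            sources[form].add(f.src)
    return [form for form, limit in THRESHOLDS.items()
            if counts[form] > limit and len(sources[form]) >= MIN_DISTINCT_SOURCES]


def stage1_router(flows, forms):
    """S31: the VPN router drops the flooding protocol (ICMP and/or UDP) outright."""
    blocked = {p for p in ("ICMP", "UDP") if p in forms}
    return [f for f in flows if f.proto not in blocked]


def stage2_syn_filter(flows, forms):
    """S32: during a SYN flood, keep SYNs only from sources that also complete
    a handshake in the window; sources that only ever half-open are dropped."""
    if "TCP_SYN" not in forms:
        return list(flows)
    completed = {f.src for f in flows if f.new_session}
    return [f for f in flows if not (f.syn_only and f.src not in completed)]


def stage3_session_limit(flows, forms):
    """S33: during a session surge, cap the number of new sessions per source."""
    if "SESSION" not in forms:
        return list(flows)
    opened, out = Counter(), []
    for f in flows:
        if f.new_session:
            opened[f.src] += 1
            if opened[f.src] > MAX_NEW_SESSIONS:
                continue
        out.append(f)
    return out


def block_attack(flows, forms):
    """S3: chain the three stages. With no detected form everything passes
    unchanged, matching the text's note that the VPN path is unused normally."""
    return stage3_session_limit(stage2_syn_filter(stage1_router(flows, forms), forms), forms)


def normal_traffic():
    """Constructed: three clients; one is mid-handshake and one also sends UDP."""
    flows = [Flow(f"198.51.100.{i}", TARGET, "TCP", new_session=True) for i in (1, 2, 3)]
    flows.append(Flow("198.51.100.1", TARGET, "UDP"))
    flows.append(Flow("198.51.100.2", TARGET, "TCP", syn_only=True))
    return flows


def attack_traffic():
    """Constructed: normal clients plus a 16-source ICMP flood and a 60-source SYN flood."""
    icmp = [Flow(f"192.0.2.{i}", TARGET, "ICMP") for i in range(1, 17) for _ in range(5)]
    syn = [Flow(f"192.0.2.{i}", TARGET, "TCP", syn_only=True) for i in range(1, 61)]
    return normal_traffic() + icmp + syn


if __name__ == "__main__":
    traffic = attack_traffic()
    forms = detect_attack(traffic)
    print("detected:", forms)                                        # ['ICMP', 'TCP_SYN']
    passed = block_attack(traffic, forms)
    print("forwarded to target:", len(passed), "of", len(traffic))   # 5 of 145
```

Two behaviors worth noting in this model: a 200-packet UDP flood from a single source is not flagged, because the text reserves the DDoS verdict for traffic whose sources are distributed; and stage S31 drops the flooding protocol for everyone, so a legitimate client's UDP packet is lost while an ICMP-only flood is not running but would be lost during a UDP flood, which is the bandwidth-first tradeoff the description accepts.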
In the normal traffic providing step S4, the normal traffic may be provided to the
Through the normal traffic providing step S4, the
To this end, the
That is, the present invention bypasses the attack traffic directed to the
The present invention has been described with reference to the preferred embodiments above, but it is not limited to them and should be interpreted according to the appended claims. Those skilled in the art may make various modifications and variations within the equivalent scope of the technical concept of the present invention and the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram illustrating a network configuration for the DDoS blocking method according to an embodiment of the present invention.
FIG. 2 is a detailed view of the attack defense equipment according to the DDoS blocking method of an embodiment of the present invention.
FIG. 3 is a flowchart illustrating the DDoS blocking method according to an embodiment of the present invention.
Reference numerals:
2: attacker terminal
4: target server
6: DNS server
10: attack defense equipment
12: attack detection unit
14: IP change unit
16: attack blocking unit
22: VPN server
Claims (5)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020090084782A KR20110026926A (en) | 2009-09-09 | 2009-09-09 | (method for blocking distributed denial of service |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020090084782A KR20110026926A (en) | 2009-09-09 | 2009-09-09 | (method for blocking distributed denial of service |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20110026926A true KR20110026926A (en) | 2011-03-16 |
Family
ID=43933822
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020090084782A KR20110026926A (en) | 2009-09-09 | 2009-09-09 | (method for blocking distributed denial of service |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20110026926A (en) |
Events
- 2009-09-09: KR application KR1020090084782A filed (patent KR20110026926A); status: not active, application discontinued
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101235782B1 (en) * | 2011-06-14 | 2013-02-22 | 주식회사 엘지유플러스 | System and method for protecting communication network using terminal remote control |
KR101231035B1 (en) * | 2011-09-06 | 2013-02-07 | 건국대학교 산학협력단 | A system of invite flooding attack detection and defense using sip in voip service and the mehtod thereof |
KR101379803B1 (en) * | 2012-07-04 | 2014-03-31 | 주식회사 비씨클라우드 | System for distributing abnormal traffic and method of distributing abnormal traffice using the same |
KR101502490B1 (en) * | 2013-10-18 | 2015-03-13 | 주식회사 케이티 | Subscibe terminal and security farm node for monitoring network traffic |
US9674142B2 (en) | 2013-10-18 | 2017-06-06 | Kt Corporation | Monitoring network traffic |
KR20150132746A (en) * | 2014-05-16 | 2015-11-26 | 주식회사 케이티 | Method and system for protecting DDoS attack |
KR20170103481A (en) * | 2016-03-04 | 2017-09-13 | 삼성에스디에스 주식회사 | System and method for network security |
KR102162976B1 (en) * | 2020-01-10 | 2020-10-07 | 박승필 | System for eqluating security effectiveness and responding and method thereof |
Legal Events
Code | Title |
---|---|
A201 | Request for examination |
E902 | Notification of reason for refusal |
E601 | Decision to refuse application |