KR20110054537A - Apparatus for detecting and filtering ddos attack based on distribution - Google Patents

Abstract

PURPOSE: An apparatus for detecting and measuring a DDoS(Distribute Denial of Service) attack based on distribution is provided to deal with a DDoS attack while minimizing the amount of calculations. CONSTITUTION: A time distribution calculating unit(135) produces the distribution of a difference between reception time of an HTTP request. A time information comparing unit(137) compares the pre-stored normal traffic distribution information. The time information comparing unit generates the sum of distribution values which is larger than normal traffic distribution information. If the sum is larger than a predetermined threshold value, a DDoS determining unit(139) detects an access of a client terminal as a DDoS attack.

Description

Apparatus for detecting and filtering DDoS attack based on distribution}

TECHNICAL FIELD The present invention relates to electronic devices, and more particularly, to a distribution-based DDoS attack detection and response device.

Distributed Denial of Service (DDoS) attacks, which have been causing a lot of damage for a long time, are becoming more difficult to cope with attack methods using botnets such as Netbot Attacker, Blackenergy, and 7.7 DDoS. In particular, the existing DDoS attack has occurred bandwidth-intensive attacks at the network layer such as SYN, UDP, SYN + ACK, ICMP Flooding, etc. Recently, the CPU of the system such as HTTP GET Flooding, Cache Control (CC) Attack, etc. Application-based DDoS attacks that deplete resources, memory, and DB server resources are occurring.

However, most DDoS countermeasures on the market provide functions focused on DDoS attacks at the network layer, so that application layers such as Netbot Attacker and Blackenergy, which stops a specific host when a small amount of HTTP traffic is generated. Is unable to respond to DDoS attacks. Such an attack tool is capable of various attacks such as HTTP GET Flooding and CC Attack as well as DDoS attacks on the existing network layer.

In order to cope with such application layer DDoS attacks, some researches have recently been conducted. Due to the characteristics of web services, the list of user IPs is not uniformly distributed, and by using the features of those who have already entered, the DDoS attack detection method and the web service usage pattern information are analyzed using the ratio to target the suspicious IPs. A study on how to classify as a greylist, allocate less resources to them, analyze each URL page hit distribution based on statistical method, and then distinguish between temporary request congestion and DDoS attacks, web It has been proposed to respond by analyzing the service user page movement path and controlling the access to the abnormal user that causes the DDoS attack.

However, according to the related art, the URL page hit distribution requires a large amount of computation, and it is difficult to set a threshold because it varies greatly depending on the content and timing of the web service, and the access control scheme is out of pass. path) cannot be operated, and it must be operated inline, but session management is required.

The background art described above is technical information possessed by the inventors for the derivation of the present invention or acquired in the derivation process of the present invention, and is not necessarily a publicly known technique disclosed to the general public before the application of the present invention.

The present invention is to provide a distribution-based DDoS attack detection and response device that can perform a response mechanism that can respond to DDoS attacks while minimizing the amount of computation.

In addition, the present invention is to provide a distribution-based DDoS attack detection and response device that can perform the application layer-based DDoS attack detection and response algorithm for the web service that is the main target of the DDoS attack.

Technical problems other than the present invention will be easily understood through the following description.

According to an aspect of the present invention, the receiving unit for receiving an HTTP request from a client terminal specified by a predetermined IP, calculating the time information for calculating the difference in receiving time between the HTTP request by measuring the receiving time of the HTTP request for a predetermined observation time A time distribution calculator for calculating a distribution of the difference in the reception time of the HTTP request, comparing the calculated distribution of the difference in the reception time with previously stored normal traffic distribution information, and comparing a distribution value larger than the normal traffic distribution information. A time information comparison unit for generating a summed value, and comparing the summed value with a predetermined threshold value and, if the summed value is greater than a predetermined threshold value, a DDoS to detect a connection of the client terminal of the IP as a DDoS attack. Blocking to block the access of the client terminal when the determination unit and the DDoS determination unit detects a DDoS attack The distribution-based DDoS attack detection and a corresponding apparatus is provided comprising a.

Here, the sum value is a sum of an excess value of the distribution value for the normal traffic distribution information, and the time distribution calculation unit calculates the distribution of the difference in the reception time with respect to the ratio of the entire population of the HTTP request. Can be. Here, the threshold may be 40 to 60% when the above-described observation time is 10 seconds.

In addition, the present embodiment may further include a determination initiation unit for comparing the sum with the threshold and initiating the operation of the DDoS determination unit when the sum is greater than a predetermined ratio of the threshold.

Other aspects, features, and advantages other than those described above will become apparent from the following drawings, claims, and detailed description of the invention.

The distribution-based DDoS attack detection and response device according to the present invention can respond to DDoS attacks while minimizing the amount of computation by using the distribution characteristic, and the application layer based DDoS that targets web services that are the main targets of the DDoS attacks. There is an effect that can perform attack detection and response algorithm.

As the invention allows for various changes and numerous embodiments, particular embodiments will be illustrated in the drawings and described in detail in the written description. However, this is not intended to limit the present invention to specific embodiments, it should be understood to include all changes, equivalents, and substitutes included in the spirit and scope of the present invention.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. Singular expressions include plural expressions unless the context clearly indicates otherwise. As used herein, the terms "comprise" or "have" are intended to indicate that there is a feature, number, step, action, component, part, or combination thereof described on the specification, and one or more other features. It is to be understood that the present invention does not exclude the possibility of the presence or the addition of numbers, steps, operations, components, components, or a combination thereof.

In the following description of the present invention with reference to the accompanying drawings, the same components are denoted by the same reference numerals regardless of the reference numerals, and redundant explanations thereof will be omitted. In the following description of the present invention, if it is determined that the detailed description of the related known technology may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted.

1 is a system configuration diagram of a device for detecting and responding to DDoS attacks according to an embodiment of the present invention. Referring to FIG. 1, a client terminal 110, a web server 120, a DDoS attack detection and response device 130, and a network 140 are shown. The DDoS attack detection and response device 130 may be located inline on a network traffic path or operate in an out-off pass method that receives traffic information separately.

This embodiment has a feature of detecting a DDoS attack by using a difference in the distribution of HTTP requests in a normal traffic state and a DDoS attack state. The present invention can be embodied in various embodiments. Specifically, the first embodiment of the present invention detects a DDoS attack by comparing a distribution value regarding a difference in reception time of an HTTP request for each IP with a distribution value in a steady state. There is a characteristic to. That is, in the first embodiment, in the case of a DDoS attack, the difference in the reception time of the HTTP request is different from the value of the steady state, and the DDoS attack is detected using the difference value.

In addition, according to the second embodiment of the present invention, a DDoS attack symptom is detected through a distribution vector for each IP, and traffic from the corresponding IP is filtered when an abnormal symptom occurs. That is, according to the second embodiment, even if a small amount of HTTP traffic is generated, there is a feature of providing an optimal response mechanism that can cope with DDoS attacks while minimizing the amount of calculation based on the generated URI distribution.

In addition, according to the third embodiment of the present invention, the distribution of the HTTP request is converted into a vector form, thereby comparing the normal distribution with the distribution during the DDoS attack. That is, according to the third embodiment of the present invention, the HTTP request may be represented as a predetermined N-dimensional vector for each type, and the normal distribution and the distribution upon DDoS attack may be distinguished from each other based on the distribution of the vector. Each embodiment described above is described in detail below.

GET Flooding attack types in web services include GET Flooding, which generates a large amount of HTTP requests per IP, per unit time, GET Flooding, which generates HTTP requests that exceed a certain threshold for a specific URI per IP, per unit time, GET flooding, where the average HTTP request per URI per unit time per IP exceeds a certain threshold, GET flooding with abnormal URI distribution per IP, per unit time, minimum HTTP requests for multiple URIs per IP, per unit time It has various types of attacks, including GET Flooding. The GET Flooding attack types in the above-described web services include not only a number of DDoS attack tools, conventional 7.7 DDoS attacks, etc. that have occurred so far, but also future attack types. The DDoS attack detection and response method according to the present embodiment is a method capable of effectively coping with the aforementioned attack types.

The client terminal 110 is a terminal that attacks a DDoS attack against the web server 120 and may be referred to as a so-called zombie PC. The DDoS attack detection and response device 130 detects the DDoS attack of the client terminal 110 and blocks the client terminal 110 from accessing the web server 120 when the DDoS attack is detected.

DDoS attack detection and response device 130 is provided in the router of the network 140 or located in a modified router or DDoS dedicated equipment, intrusion prevention system, or as a specific component or firewall of each web server 120 By doing so, it can block DDoS attacks. In addition, the present invention will be described based on the case where the client terminal 110 performs a DDoS attack on the web server 120, but is not limited thereto, for example, various subjects, hardware such as a specific website, application server Alternatively, it may be applied to attacking a software module.

The DDoS attack detection and response device 130 implements an application layer based DDoS attack detection and response algorithm for a web service that is a main target of the DDoS attack. That is, the DDoS attack detection and response device 130 proposes a mechanism for detecting and responding to a DDoS attack when a small amount of HTTP traffic for each IP is generated. Hereinafter, various embodiments of the present invention will be described in detail.

2A is a block diagram illustrating a device for detecting and responding to a DDoS attack according to a first embodiment of the present invention. Referring to FIG. 2A, a receiver 132, a time information calculator 133, a time distribution calculator 135, a time information comparator 137, a dose determination unit 139, and a blocker 138 are illustrated. do.

This embodiment calculates this difference quantitatively by using different distributions of HTTP requests for normal web services and distributions of HTTP requests in abnormal traffic, and detects a DDoS attack by comparing the calculated value with a threshold. There is a characteristic.

In other words, in the case of a normal web service, a large number of HTTP requests are generated at the same time at the initial time according to the user's action, and thereafter, the requests are rarely generated. Referring to FIG. 2B, the distribution of HTTP requests between a normal web service and an abnormal web service is described below.

When the X-axis is set as the difference in receiving time between the HTTP requests received from the client terminal 110, and the Y-axis is set as the distribution ratio (%) for X, the HTTP request by the normal user has a black graph shape. In addition, HTTP requests caused by DDoS attacks have a red graph. Here, the reception time difference between the HTTP requests may be calculated in a specific unit, for example, a unit such as ms.

The Y axis is the ratio of the corresponding receive time difference to the total population, with a unit scale of 10.00%. By such setting, the present embodiment can be applied regardless of the amount of traffic by comparing the distribution ratios with each other. Of course, other types of graphs may be applied to the present invention, such as setting the number of X's per predetermined observation time to the Y axis instead of the distribution ratio.

All existing DDoS attack tools have the characteristics of periodicity, and during a DDoS attack, the HTTP request is different from the HTTP request by the normal user. The present embodiment uses this difference to determine abnormal traffic. Here, the HTTP request by the normal user may be compared with the distribution regarding the HTTP request stored in advance and received in real time. The distribution of the HTTP request by the normal user may be calculated by various methods, such as calculated through traffic statistics recorded in a normal state or as a test result of normal use for a predetermined period.

The receiving unit 132 receives an HTTP request from the client terminal 110 specified by a predetermined IP. The receiving unit 132 receives the HTTP packet collected at the TCP 80 port and parses the HTTP header so that the data measuring unit 134 can measure and calculate related data.

The time information calculator 133 calculates a reception time difference between the HTTP requests by measuring the reception time of the HTTP request received by the reception unit 132 for a predetermined observation time. Here, the difference in reception time between HTTP requests may be a difference in reception time between adjacent HTTP requests. For example, when HTTP requests such as A, B, C, and D are sequentially received by the receiver 132, the difference between the reception time of A and B, the difference of the reception time of B and C, and the difference of the reception time of C and D are seen. In an embodiment, the data may be calculated as a distribution value.

The time distribution calculator 135 calculates a distribution of the difference in the reception time of the HTTP request. That is, the time distribution calculation unit 135 represents the difference in the reception time existing in a specific time zone as a distribution ratio with respect to the whole as described above. Referring to FIG. 2B, in the case of DDoS attack of Netbot Attacker, the ratio of receiving time difference is more than 40% of 10ms, and the ratio of 40ms is about 10%. The time distribution calculating unit 135 calculates the distribution by collecting the difference in the reception time in the distribution ratio or the absolute number.

The time information comparison unit 137 compares the distribution value of the received time difference calculated by the time distribution calculation unit 135 with previously stored normal traffic distribution information, and adds the corresponding distribution value when the distribution value is larger than the normal traffic distribution information. To generate a sum value. Here, the normal traffic distribution information may be a distribution regarding an HTTP request by a normal user as described above.

Further, according to another embodiment, the time information comparison unit 137 compares the distribution value of the received time difference calculated by the time distribution calculator 135 with the normal traffic distribution information stored in advance, and the distribution value is normal traffic distribution information. If larger, the sum may be generated by summing excess values for the normal traffic distribution information of the corresponding distribution value. That is, the DDoS attack may be detected by summing the difference between the distribution values of the difference in reception time greater than the normal traffic distribution information and the normal traffic distribution information, and comparing the summed value with the threshold value.

The DDoS determination unit 139 may compare the sum of the sum with a predetermined threshold, and detect the connection of the client terminal as a DDoS attack when the sum is greater than the predetermined threshold. Accordingly, the criteria for detecting DDoS attacks are presented as follows.

(1)

(One)

Here, F (x) is a function representing a distribution of HTTP requests by a normal user, and G (x) is a distribution of HTTP requests by a DDoS attack. In the above formula, the sum of D (x) may integrate D (x), and of course, the summation value may be derived by adding the number of Y-axis or adding a numerical value about the unit of the X-axis. Here, the threshold may be 40 to 60% when the above-described observation time is 10 seconds.

The blocking unit 138 blocks the connection of the client terminal 110 when the DDoS determination unit 136 detects the DDoS attack. In this case, the blocking unit 138 may perform various countermeasures such as blocking the connection for a predetermined time, blocking a packet of IP, or generating a DDoS attack warning sound. The blocking unit 138 may respond to the DDoS attack by blocking the connection of the client terminal 110 when the client terminal 110 of the specific IP is determined to be the DDoS attack terminal.

3 is a flowchart of a DDoS attack detection and response method according to the first embodiment of the present invention. The flowchart shown may be a response mechanism performed by the DDoS attack detection and response device 130.

In step S310, a packet is introduced from the client terminal 110. In operation S320, the client terminal 110 determined as a DDoS attack in advance is blocked based on the IP. If the IP of the client terminal 110 is determined to be a new IP, the IP of the client terminal 110 may be stored as a new IP in a predetermined database.

In step S330, the TCP 80 port and the HTTP packet are collected, and in step S340, the HTTP header is parsed. For example, the present embodiment may include a kernel-based high speed traffic processing engine to collect a corresponding HTTP from a packet pool, which is an NDIS intermediate driver and a kernel object, to parse an HTTP header.

In step S350, the difference in the reception time of the received HTTP request and the distribution thereof are calculated. In step S360, the distribution value calculated as described above is compared with the normal traffic distribution information, and the distribution value larger than the normal traffic distribution information is calculated. Generate a sum value.

In step S370, the sum is compared with a predetermined threshold, and if the sum is greater than the threshold (which may include the same case), in step S320, the connection of the specific client terminal 110 is blocked based on the IP. If the sum is not greater than the threshold, the IP connection is maintained.

4 is a block diagram illustrating a device for detecting and responding to a DDoS attack according to a second embodiment of the present invention. Referring to FIG. 4, a receiver 132, a data measuring unit 134, a ddos determination unit 136, and a blocking unit 138 are illustrated. The differences from the above will be explained mainly.

The receiving unit 132 receives an HTTP request from the client terminal 110 specified by a predetermined IP.

The data measuring unit 134 calculates the number of received HTTPs by IP during a predetermined observation time and calculates the number of URIs of HTTP during the observation time. In detail, the data measuring unit 134 may search for and update the corresponding IP and URI for each received packet. The present embodiment may include a separate storage unit for storing data such as IP, unit time, HTTP number, URI number, and the like. For management by IP and URI, a hash / mod method or the like may be used. Since such a technology is easily implemented by those skilled in the art, a detailed description thereof will be omitted.

The DDoS determination unit 136 compares the operation result including the measured number of HTTPs per URI with a predetermined threshold value, and if the number of HTTPs per URI is larger than the threshold value, the DDoS determination unit 136 detects the connection of the client terminal 110 of the IP. Detect by DOS attack.

This embodiment can detect and block abnormal traffic distributions if the URI hit distribution is concentrated on a specific URI in the case of the DDoS attack type that greatly increases the number of URIs and keeps the HTTP threshold for each URI low. That is, the present embodiment may be a method of detecting a DDoS attack based on the generated URI distribution even if a small amount of HTTP traffic occurs. Accordingly, the criteria for detecting DDoS attacks are presented as follows.

(2)

(2)

는 분포에 기반한 임계치,

이고,

,

는 단위시간 t 및 특정 IP인 s에서의 k번째 URI에 대한 HTTP PPS이며, T는 관측시간,

,

,

는 관측시간 T의 시간구간인 t 및 특정 IP인 s에서의 HTTP PPS(packet per second), n은 상기 관측시간 T동안 요청했던 URI 개수이다. 여기서, 단위시간 t는 시간구간, 예를 들면, 1초를 의미한다. 즉,

는 특정 IP에서 t ~t+1초 사이의 HTTP 개수를 의미한다. 본 실시예에 따르면, 디도스 공격 탐지 및 대응 방법은 관측시간 T를 기준으로 수행될 수 있으며, 본 명세서에서 설명하는 실시예들도 동일하게 관측시간 T를 기준으로 수행될 수 있다. 관측시간 T는 디도스 공격을 유효하게 탐지할 수 있으면서도 빠른 시간내에 탐지할 수 있는 시간, 예를 들면, 5초 내지 20초가 될 수 있다. 이는 웹 서비스의 특 징상 PPS를 기준으로는 해당 IP의 현재 행위를 판단하기 어렵기 때문이다. 또한,

의 범위는 관측시간 T가 달라지는 비율만큼 그 범위도 달라질 수 있다. here,

Is a threshold based on the distribution,

ego,

,

Is the HTTP PPS for the k th URI at unit time t and the specific IP s, where T is the observation time,

,

,

Is the time interval t of the observation time T and HTTP PPS (packet per second) at a specific IP s, and n is the number of URIs requested during the observation time T. Here, the unit time t means a time interval, for example, 1 second. In other words,

Is the number of HTTPs between t and t + 1 seconds for a specific IP. According to the present embodiment, the DDoS attack detection and response method may be performed based on the observation time T, and the embodiments described herein may also be performed based on the observation time T. The observation time T may be a time for detecting a DDoS attack while still being able to detect it within a short time, for example, 5 to 20 seconds. This is because it is difficult to determine the current behavior of the IP based on the PPS. Also,

The range of may vary according to the rate at which the observation time T varies.

)을 계산하면, 정상적인 웹 서비스의 경우, 분포값(Distribution vector의 분포)은 URI당 평균 히트수와 큰 차이가 나지 않음을 알 수 있다.For a normal web service, the distribution

), It can be seen that for a normal web service, the distribution value (distribution of the distribution vector) is not significantly different from the average number of hits per URI.

5 is a flowchart of a DDoS attack detection and response method according to a second embodiment of the present invention. The flowchart shown may be a response mechanism performed by the DDoS attack detection and response device 130.

In step S510, the packet flows in from the client terminal 110. In operation S520, the client terminal 110 that is determined to be a DDoS attack in advance is blocked based on the IP. If the IP of the client terminal 110 is determined to be a new IP, the IP of the client terminal 110 may be stored as a new IP in a predetermined database.

In step S530, the TCP 80 port and the HTTP packet are collected, and in step S540, the HTTP header is parsed. For example, the present embodiment may include a kernel-based high speed traffic processing engine to collect a corresponding HTTP from a packet pool, which is an NDIS intermediate driver and a kernel object, to parse an HTTP header.

In step S550, the number of HTTPs per IP and URI is calculated. In step S560, the cumulative number of HTTPs per IP and URI is calculated for the observation time T as described above.

In step S570, the predetermined distribution value for the calculated number of HTTPs per URI is compared with a predetermined threshold, and if the predetermined distribution value for the number of HTTPs per URI is larger than the corresponding threshold (the same case may be included). In step S520, the connection of the specific client terminal 110 is blocked based on the corresponding IP, and if the predetermined distribution value for the number of HTTPs per URI is not greater than the corresponding threshold, the connection of the corresponding IP is maintained.

In addition, according to the third embodiment of the present invention, the DDoS attack response mechanism may be implemented in other forms as follows. In general, when a GET Request is requested to a specific site, the web server 120 gives a corresponding response. The response includes various information such as image, iframe, html, and flash. The web browser of the client terminal 110 generates a GET Request for each of these various pieces of information, receives data, and displays the received result in the web browser.

Here, a number of HTTP requests can be divided into requests generated by a user taking an action directly and requests executed further by the request. The request by the user action may be, for example, a request by executing a web browser, a request by refreshing a web page by pressing F5, or a request by a user clicking on a menu or a link.

HTTP requests by user actions and additional HTTP requests that occur when they occur have the following characteristics:

user Connection URI sequence User1 1,2,3,4,5, ..., 100,1,2,3,4,5, ..., 100 User2 1,2,3,4,5,1,2,3,4,5,6, ..., 100 User3 1,1,1,1,1,1,1, ..., 1,1,1 User4 1,101,5,6,101,5,6, ..., 1 User5 1,2,3,4,5, ..., 100,1,2,3,4,5, ... 99,101

In the table, 1 in the access URI sequence is an HTTP request by a user action, and 2 to 101 are HTTP requests additionally generated when 1 is generated. Normally, it works like User1 and User2. User2's connection URI sequence may be the case of refreshing when page 5 is received.

In a typical botnet, only certain pages are requested continuously, such as User3.In the case of intelligent botnets, which are not present, they are expected to behave like User4 and User5.

According to the prior art, there are various methods for detecting this, but there is a large amount of calculation, which is not suitable for actual use. The algorithm according to the present embodiment uses a method of converting a request distribution into a vector form and comparing the same. The distribution vector for each action described in the table is converted and expressed as follows.

user Distribution vector User1 (2,2,2,2,2,2, ... 2,0) User2 (2,2,2,2,2,1, ..., 1,0) User3 (67,0, ..., 0,0,0,0,0) User4 (2,0,0,0,33,33,0, ..., 0,33) User5 (2,2,2,2,2, ..., 2,1,1)

Here, the case where the distribution vector is 101-dimensional, that is, the case where 101 connection URIs are considered is considered. Referring to the normal distribution expressed as a vector, User1 is the same for all dimensions, and User2 is about 1 to 2 different. In other words, if you convert any type of request from a normal USER into a vector, the difference will not be significant.

Referring to Figure 6A, the distribution of requests by a normal user is shown. The X axis represents the identifier of the URI and the Y axis represents the number of URIs. Even if a normal user refreshes continuously, the number of URIs does not exceed 33 for a predetermined observation time, for example, 10 seconds. 6B, the distribution vector for each of the above-described actions of User1 to User5 is shown on the graph. The request by a normal user has its distribution within a predetermined range. This embodiment uses this to detect DDoS attacks. For example, a distribution in which the number of URIs is located in an area of 33 or more may be determined as a DDoS attack.

The blocking unit 138 blocks the packet of the IP when the DDoS determination unit 136 detects the DDoS attack. The blocking unit 138 may respond to the DDoS attack by blocking the packet of the client terminal 110 when the client terminal 110 of the specific IP is determined to be a DDoS attack terminal.

In addition, the present invention may further include a component for preliminarily checking for abnormal symptoms before the above-described DDOS determination unit 136 and 139 and the blocking unit 138 operate. That is, according to the present embodiment, the DDoS attack detection and countermeasure device 130 can be operated only when the abnormality of the web server 120 connection is delayed or the load is severe. It is possible to reduce the efficiency and perform the operation efficiently.

To this end, the present embodiment compares the above-described sum with a predetermined threshold, and if the sum is greater than a predetermined ratio of the threshold, starts the operation of the DDoS determination unit 139 or is calculated in each of the above-described embodiments. The apparatus may further include a determination initiation unit (not shown) for comparing the HTTP number of URIs with a predetermined threshold and initiating the operation of the DDoS determination unit 136 when the HTTP number of URIs is greater than a predetermined ratio of the thresholds. .

Here, the predetermined ratio of the threshold may be determined by default, automatically set according to the network and / or server environment, or arbitrarily determined by user setting. In the case of automatic configuration, a predetermined ratio of the threshold may be adjusted according to the frequency of the network and / or the server, the load, and the like. For example, if the frequency of the load is high, a predetermined ratio may be high as a situation of interest. Also. In the case of user setting, the present embodiment may further include a user interface for adjusting a predetermined ratio of the threshold. The predetermined percentage of the threshold may be, for example, 50 to 70% of the threshold described above.

In addition, a detailed system configuration diagram of a DDoS attack detection and response device according to an embodiment of the present invention, a common platform technology such as O / S, a communication protocol, and an interface standardization technology such as an I / O interface will be described in detail. As it is obvious to those skilled in the art, it will be omitted.

In the above description, the apparatus for detecting and responding to a DDoS attack according to an embodiment of the present invention, and a method thereof include specific formulas and numerical values of thresholds, according to an exemplary embodiment, but need not be limited thereto. Even if the numerical value is different, if there is no difference in the overall operation and effect, such other configuration may be included in the scope of the present invention, and those of ordinary skill in the art will have the idea of the present invention described in the claims below. It will be understood that various modifications and variations can be made in the present invention without departing from the scope of the invention.

1 is a system configuration diagram of a DDoS attack detection and response device according to an embodiment of the present invention.

2A is a block diagram of an apparatus for detecting and responding to DDoS attacks in accordance with a first embodiment of the present invention.

2b is a comparison graph of a reception time difference for detecting and responding to a DDoS attack according to the first embodiment of the present invention;

3 is a flowchart of a DDoS attack detection and response method according to the first embodiment of the present invention.

4 is a block diagram illustrating a device for detecting and responding to a DDoS attack according to a second embodiment of the present invention.

5 is a flowchart of a DDoS attack detection and response method according to a second embodiment of the present invention.

6A is a graph showing the distribution of requests by a normal user according to a third embodiment of the present invention.

6B is a graph showing the distribution of requests due to normal user and DDoS attacks according to the third embodiment of the present invention.

<Description of the symbols for the main parts of the drawings>

110: client terminal 120: web server

130: DDoS attack detection and response device 132: Receiver

133: time information calculation unit 134: data measurement unit

135: time distribution calculation unit 136, 139: ddos determination unit

137: time information comparing unit 138: blocking unit

140: network

Claims (5)

A receiving unit which receives an HTTP request from a client terminal specified by a predetermined IP; A time information calculator for measuring a reception time of the HTTP request for a predetermined observation time and calculating a difference in reception time between HTTP requests; A time distribution calculator for calculating a distribution of the difference in reception time of the HTTP request; A time information comparison unit for comparing the calculated distribution time difference between the received time difference with pre-stored normal traffic distribution information and generating a sum value obtained by adding a distribution value larger than the normal traffic distribution information; A dos determination unit for comparing the sum value with a predetermined threshold value and detecting a connection of the client terminal of the IP as a dos attack if the sum value is larger than a predetermined threshold value; And And a blocking unit which blocks a connection of the client terminal when the DDoS determination unit detects the DDoS attack. The method of claim 1, The sum value is a distribution-based DDoS attack detection and response device, characterized in that the sum of the excess value for the normal traffic distribution information of the distribution value. The method of claim 1, The time distribution calculator, The distribution-based DDoS attack detection and response device, characterized in that for calculating the distribution of the difference in the reception time with respect to the ratio of the entire population of the HTTP request. The method of claim 3, The threshold is distributed based DDoS attack detection and response device, characterized in that 40 ~ 60% when the observation time is 10 seconds. The method of claim 1, And a determination initiation unit for comparing the sum value with the threshold and starting the operation of the dos determination unit when the sum value is greater than a predetermined ratio of the threshold value.

Images