KR20160113911A - Apparatus and Method for Detecting and Protecting DDos based on Flow - Google Patents
- Publication number: KR20160113911A (application KR1020150040252A)
- Authority
- KR
- South Korea
- Prior art keywords
- packet
- flow
- attack
- detecting
- ddos
- Prior art date
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1441—Countermeasures against malicious traffic
        - H04L63/1458—Denial of Service
        - H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1425—Traffic logging, e.g. anomaly detection
  - H04L43/00—Arrangements for monitoring or testing data switching networks
    - H04L43/16—Threshold monitoring
  - H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    - H04L2463/143—Denial of service attacks involving systematic or selective dropping of packets
Landscapes
- Engineering & Computer Science
- Computer Security & Cryptography
- Computer Networks & Wireless Communication
- Signal Processing
- Computer Hardware Design
- Computing Systems
- General Engineering & Computer Science
- Data Exchanges In Wide-Area Networks
Description
Field of the Invention: The present invention relates to a technology for detecting and defending against DDoS attacks, and more particularly to an apparatus and method for detecting and defending against a DDoS attack through flow-based traffic attribute analysis.
A Denial of Service (DoS) attack exhausts system resources in various ways and prevents legitimate users from receiving service.
In particular, an attack that causes massive damage by turning a large number of computers on a network into zombie PCs and using them to attack a target server at the same time is called a Distributed Denial of Service (DDoS) attack.
Depending on the attack target, DDoS attacks include attacks that paralyze the target network by depleting its bandwidth, attacks that paralyze a server by exhausting the resources of the target system, attacks that exploit a vulnerability of the service, and the like.
Depending on the type of attack, there are connectionless flooding attacks, which transmit a large number of packets with spoofed (forged) source IP addresses so as to overload the target network or occupy all of its bandwidth and keep normal users from receiving service, and connection-type attacks, which interfere with the service of ordinary users through a large number of connections.
Typical connectionless flooding attacks include TCP SYN flooding, ICMP flooding and UDP flooding. Connection-type connection exhaustion attacks include HTTP GET flooding, SMTP flooding and SIP flooding.
DDoS protection devices are mainly based on a threshold-based detection method that classifies packets according to the characteristics of each attack type and recognizes an attack when the per-second packet counter exceeds a predetermined threshold. To defend against a detected attack, the suspicious packets are blocked, or the attack is mitigated by limiting bandwidth per IP or per victim IP.
The existing packets-per-second (PPS) threshold detection method has the problem that, when traffic increases sharply because of a DDoS attack, the processing load inside the equipment grows explosively, so that the DDoS protection device goes down or overflow packets are allowed to pass through to the internal network. In addition, defending against a detected attack by limiting bandwidth per IP significantly degrades the quality of service for legitimate users. Also, in the case of an infected zombie PC, its connections are blocked by IP without distinguishing between legitimate service and attack.
The present invention provides a flow-based DDoS detection and defense apparatus and method that perform flow- and threshold-based DDoS detection using the property that the number of 5-tuple flows increases sharply during a connectionless source-IP-spoofing attack.
The present invention defends against the detected DDoS attack by restricting the flow, not the IP.
The present invention relates to a flow-based DDoS detection and defense method comprising the steps of: checking whether a DDoS attack attribute is present for each input packet, The method of
The present invention relates to a flow-based DDoS detection and defense apparatus comprising: a DDoS detection unit that detects, for each IP, whether a DDoS attack is in progress using a value obtained by aggregating by IP the IP address counters included in the flow information; and a traffic processing unit that checks each input packet for the presence or absence of the attack attribute, reports to the DDoS detection unit flow information including a flag indicating the presence or absence of the attack attribute and a DDoS counter indicating its count, and limits the bandwidth of and transmits a packet transmitted to an IP detected to be in the attack state, except where the packet corresponds to a flow previously analyzed as a service.
According to the present invention, because the amount of data processed by the detection module is reduced, no overflow occurs even when traffic increases.
Also, because the DDoS attack is defended against on the basis of 5-tuple flows, the service quality of legitimate users is not degraded.
In addition, the attack from an infected zombie PC is blocked while the user of that PC can still be guaranteed legitimate services.
FIG. 1 is a block diagram of a flow-based DDoS detection and defense apparatus according to an embodiment of the present invention.
FIG. 2 is a block diagram of a traffic processing unit according to an embodiment of the present invention.
FIG. 3 is a block diagram of a DDoS detection unit according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a flow-based detection and defense method according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating an error packet blocking step according to an embodiment of the present invention.
FIG. 6 is a flowchart illustrating a DDoS attack attribute counting step according to an embodiment of the present invention.
FIG. 7A is a flowchart illustrating an IP-based DDoS attack detection step according to an embodiment of the present invention.
FIG. 7B is a flowchart for explaining the decision level determining step according to an embodiment of the present invention.
FIG. 8 is a flowchart for explaining a flow-based bandwidth limiting step in response to a DDoS attack according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to like elements throughout.
In the following description, a detailed description of known functions and configurations incorporated herein will be omitted where it would make the subject matter of the present invention unclear.
The terms used throughout the specification are defined in consideration of their functions in the embodiments of the present invention and may vary according to the intentions or customs of the user or operator. It should be based on the contents of.
FIG. 1 is a block diagram of a flow-based DDoS detection and defense apparatus according to an embodiment of the present invention.
Referring to FIG. 1, a flow-based DDoS detection and defense apparatus (hereinafter referred to as the "device") mainly includes a
The
The DDoS
FIG. 2 is a block diagram of a traffic processing unit according to an embodiment of the present invention.
Referring to FIG. 2, the
Upon receiving the inbound packet, the error
Upon receiving the packet from the error
On the other hand, if the
Upon receiving the packet from the
FIG. 3 is a block diagram of a DDoS detection unit according to an embodiment of the present invention.
Referring to FIG. 3, the DDoS detecting
The
Then, the
The
FIG. 4 is a flowchart illustrating a flow-based detection and defense method according to an embodiment of the present invention.
Referring to FIG. 4, the flow-based method of detecting and defending against a DDoS attack includes: checking, for each input packet, whether a DDoS attack attribute is present, and reporting to the DDoS detection unit flow information including a flag indicating the presence or absence of the DDoS attack attribute and a DDoS counter indicating its count (S420, FIG. 6); detecting whether a DDoS attack is in progress for each IP by using a value obtained by aggregating by IP the IP address counters included in the flow information (S430, FIGS. 7A and 7B); and, as a result of the detection, limiting the bandwidth of and transmitting a packet transmitted to an IP in the DDoS attack state, except where the packet corresponds to a flow previously analyzed as a service (S440, FIG. 8). In addition, the method further includes a step S410 (FIG. 5), performed before S420, of checking the input packet for errors and blocking error packets. Each step will now be described in detail with reference to FIGS. 5 to 8.
FIG. 5 is a flowchart illustrating an error packet blocking step according to an embodiment of the present invention. Here, the error packet blocking step is performed by the error
Referring to FIG. 5, in step S510, the error
If it is determined in step S530 that the packet is an error packet, the error
On the other hand, if it is determined in step S530 that the packet error is not detected, or if it is determined in step S550 that the blocking policy is inactivated, the error
FIG. 6 is a flowchart illustrating a flow-based DDoS attack attribute counting step according to an embodiment of the present invention. Here, the attack attribute counting step is performed by the
Referring to FIG. 6, the
If the determination result in S630 is affirmative, the
On the other hand, if it is determined in step S630 that the conditions do not match, or after step S640, the
FIG. 7A is a flowchart illustrating a step of detecting a DDoS attack by IP according to an embodiment of the present invention. Here, the step of detecting the DDoS attack by IP is performed by the
Referring to FIG. 7A, the
Then, the
If it is determined in step S730 that the threshold is not exceeded for the DDoS attack attributes, it is determined that there is no DDoS attack, and the process returns to step S720. On the other hand, if it is determined in step S730 that the threshold is exceeded for the DDoS attack attributes, the
Then, the
On the other hand, if it is determined in step S750 that the DDoS state maintenance time has not been exceeded, the
Therefore, if the
On the other hand, if it is one of the Attention Level and the Critical Level (S790), the
FIG. 7B is a flowchart for explaining the decision level determining step according to an embodiment of the present invention.
Referring to FIG. 7B, the
If it is determined in step S772 that the measured value exceeds the number of warning acknowledgments, the
As a result of the determination in S773, if the measurement value does not exceed the number of times of caution, the
On the other hand, if it is determined in step S773 that the measured value exceeds the number of times of caution, the
If the measured value does not exceed the critical rate as a result of the determination in step S777, the
On the other hand, if it is determined in step S777 that the measured value exceeds the critical rate, the
FIG. 8 is a flowchart for explaining a flow-based bandwidth limiting step in response to a DDoS attack according to an embodiment of the present invention. Here, the flow-based bandwidth limiting step in response to the DDoS attack is performed by the
Referring to FIG. 8, the
As a result of the determination in step S820, in the case of the DDoS mode, the
If it is determined in step S830 that the packet to be transmitted is a packet in which the whitelist flag is set, that is, the packet corresponds to the flow previously analyzed as a service, the
On the other hand, if it is determined in step S830 that the packet to be transmitted is not set in the whitelist flag, the
Thereafter, the
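The detection and traffic-processing steps of FIGS. 6 to 8 (per-flow attack-attribute counting, per-IP aggregation with decision levels and a maintenance time, and per-flow rate limiting that spares whitelisted service flows), as an added worked example in Python; this is not code from the patent or from any product implementing it, and the thresholds, the maintenance time measured in windows, the whitelist key, the sample addresses and the function names are assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # TCP SYN without ACK: the attack attribute counted per flow


@dataclass
class FlowDetector:
    """Per-source-IP DDoS state derived from 5-tuple flow counts (assumed thresholds)."""
    attention_count: int = 50   # hypothetical: flows per window that raise Attention Level
    critical_count: int = 200   # hypothetical: flows per window that raise Critical Level
    hold_windows: int = 3       # hypothetical: windows an attack state is kept (maintenance time)
    whitelist: set = field(default_factory=set)   # (dst_ip, proto, dport) of known services
    flows: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))  # src -> {5-tuple: count}
    level: dict = field(default_factory=dict)     # src_ip -> "clear" | "attention" | "critical"
    hold: dict = field(default_factory=dict)      # src_ip -> remaining maintenance windows

    def observe(self, pkt):
        """Traffic processing side: count the attack attribute per 5-tuple flow (FIG. 6)."""
        if pkt.proto == "tcp" and pkt.syn:
            key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
            self.flows[pkt.src][key] += 1

    def decide_level(self, flow_count):
        """Map the aggregated per-IP flow count to a decision level (FIG. 7B)."""
        if flow_count > self.critical_count:
            return "critical"
        if flow_count > self.attention_count:
            return "attention"
        return "clear"

    def end_window(self):
        """Detection side (FIG. 7A): aggregate flow counters by IP, set levels, apply hold time."""
        for ip in set(self.flows) | set(self.level):
            lvl = self.decide_level(len(self.flows.get(ip, {})))
            if lvl != "clear":
                self.level[ip] = lvl
                self.hold[ip] = self.hold_windows
            elif self.hold.get(ip, 0) > 1:
                self.hold[ip] -= 1          # keep the attack state for the maintenance time
            else:
                self.hold[ip] = 0
                self.level[ip] = "clear"
        self.flows.clear()                  # the detector only ever sees per-window counters
        return dict(self.level)

    def action(self, pkt):
        """Traffic processing (FIG. 8): limit flows of an attacking IP, except known services."""
        if self.level.get(pkt.src, "clear") == "clear":
            return "forward"
        if (pkt.dst, pkt.proto, pkt.dport) in self.whitelist:
            return "forward"                # whitelist flag: flow previously analyzed as a service
        return "rate-limit"                 # per-flow limit, not a per-IP block


def build_demo_detector():
    """Constructed sample traffic: one source-spoofing SYN flood and one legitimate client."""
    det = FlowDetector(whitelist={("192.0.2.10", "tcp", 443)})
    for sport in range(40000, 40250):       # 250 distinct 5-tuples from a single source IP
        det.observe(Packet("203.0.113.7", "192.0.2.10", "tcp", sport, 80, syn=True))
    for sport in range(50000, 50005):       # 5 ordinary HTTPS connections
        det.observe(Packet("198.51.100.4", "192.0.2.10", "tcp", sport, 443, syn=True))
    det.end_window()
    return det
```

Because only distinct flows per window are counted, the detector's working set stays small even when the packet rate explodes, which is the overflow-avoidance property the description claims.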
Claims (10)
Detecting a DDoS attack by IP using a value obtained by aggregating by IP the IP address counters included in the flow information;
The flow-based DDoS detection and defense method of claim 1, further comprising, as a result of the detection, limiting the bandwidth of and transmitting a packet transmitted to an IP in the DDoS attack state, except where the packet corresponds to a flow previously analyzed as a service.
Further comprising: checking whether the input packet is erroneous and blocking an error packet.
And transmitting the packet without bandwidth restriction if the packet transmitted to the IP in the attack state corresponds to a flow previously analyzed as a service.
Setting a whitelist flag in the packet if the input packet corresponds to a flow of a well-known service;
The transmitting step
Further comprising the step of determining whether to limit the bandwidth based on whether the whitelist flag is set in the packet corresponding to the IP determined to be in the DDoS attack state in the detecting step, in the flow-based DDoS detection and defense method.
Detecting an IP for which a value obtained by aggregating by IP the IP address counters included in the flow information exceeds a predetermined threshold;
Determining, according to the range into which the measured value for each DDoS element of the detected IP falls, one of a Clear Level (non-attack state), an Attention Level (attack state) and a Critical Level (attack state).
A traffic processing unit that checks each input packet for the presence or absence of a DDoS attack attribute, reports to the DDoS detection unit flow information including a flag indicating the presence or absence of the DDoS attack attribute and a DDoS counter indicating its count, and limits the bandwidth of and transmits a packet transmitted to an IP detected by the DDoS detection unit to be in the attack state, except where the packet corresponds to a flow previously analyzed as a service; the flow-based DDoS detection and defense apparatus.
And checks whether the input packet is erroneous, and blocks the error packet.
And transmits the packet without bandwidth restriction when the packet transmitted in the DDoS attack state corresponds to a flow previously analyzed as a service.
When the input packet corresponds to a flow of a well-known service, a whitelist flag is set in the packet, and whether to limit the bandwidth of a packet corresponding to an IP determined to be in the DDoS attack state is determined based on whether the whitelist flag is set.
Detecting an IP for which a value obtained by aggregating by IP the IP address counters included in the flow information exceeds a predetermined threshold, and determining, as a result of the detection, one of a Clear Level (DDoS non-attack state), an Attention Level and a Critical Level (DDoS attack state), based on the range into which the measured value for each DDoS element of the detected IP falls.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150040252A KR101683781B1 (en) | 2015-03-23 | 2015-03-23 | Apparatus and Method for Detecting and Protecting DDos based on Flow |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20160113911A true KR20160113911A (en) | 2016-10-04 |
KR101683781B1 KR101683781B1 (en) | 2016-12-08 |
Family
ID=57165454
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150040252A KR101683781B1 (en) | 2015-03-23 | 2015-03-23 | Apparatus and Method for Detecting and Protecting DDos based on Flow |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101683781B1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102020488B1 (en) * | 2019-03-21 | 2019-09-11 | 주식회사그린존시큐리티 | An apparatus for Internet access control of IoT devices and a method therefor |
KR20240059276A (en) | 2022-10-27 | 2024-05-07 | (주)하몬소프트 | Machine learning-based ddos anomaly traffic detection system using flow data |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100803029B1 (en) * | 2006-12-01 | 2008-02-18 | 경희대학교 산학협력단 | Method for cooperatively defending of ddos attack using statistical detection |
KR20110037645A (en) * | 2009-10-07 | 2011-04-13 | 한국전자통신연구원 | Apparatus and method for protecting ddos |
KR20110061217A (en) * | 2009-12-01 | 2011-06-09 | 주식회사 케이티 | Distributed denial of service detection system using flow patterns and method thereof |
Events
- 2015-03-23: KR application KR1020150040252A (patent KR101683781B1), status: active, IP Right Grant
Also Published As
Publication number | Publication date |
---|---|
KR101683781B1 (en) | 2016-12-08 |
Similar Documents
Publication | Title |
---|---|
KR101424490B1 (en) | Reverse access detecting system and method based on latency |
US7607170B2 (en) | Stateful attack protection |
KR101231975B1 (en) | Method of defending a spoofing attack using a blocking server |
EP1558937B1 (en) | Active network defense system and method |
US8966627B2 (en) | Method and apparatus for defending distributed denial-of-service (DDoS) attack through abnormally terminated session |
US8356349B2 (en) | Method and system for intrusion prevention and deflection |
US20060075084A1 (en) | Voice over internet protocol data overload detection and mitigation system and method |
US20110072515A1 (en) | Method and apparatus for collaboratively protecting against distributed denial of service attack |
KR101219796B1 (en) | Apparatus and Method for protecting DDoS |
CN109327426A (en) | A kind of firewall attack defense method |
US20170353478A1 (en) | Packet relay apparatus |
US8006303B1 (en) | System, method and program product for intrusion protection of a network |
Zhang et al. | The security in cognitive radio networks: a survey |
KR101380015B1 (en) | Collaborative Protection Method and Apparatus for Distributed Denial of Service |
JP2004140524A (en) | Method and apparatus for detecting DoS attack, and program |
KR101683781B1 (en) | Apparatus and Method for Detecting and Protecting DDos based on Flow |
JP3609382B2 (en) | Distributed denial of service attack prevention method, gate device, communication device, and program |
JP2006100874A (en) | Defense method against application type denial of service attack, and edge router |
KR101065800B1 (en) | Network management apparatus and method thereof, user terminal for managing network and recording medium thereof |
KR20030009887A (en) | A system and method for intercepting DoS attack |
JP4014599B2 (en) | Source address spoofed packet detection device, source address spoofed packet detection method, source address spoofed packet detection program |
JP2003289337A (en) | Communication network, router, and distributed service refusal attack detection and defense method |
KR101231966B1 (en) | Server obstacle protecting system and method |
KR20110027386A (en) | Apparatus, system and method for protecting malicious packets transmitted outside from user terminal |
RU183015U1 (en) | Intrusion detection tool |
Legal Events
Code | Title | Description |
---|---|---|
A201 | Request for examination | |
E902 | Notification of reason for refusal | |
E90F | Notification of reason for final refusal | |
E701 | Decision to grant or registration of patent right | |
GRNT | Written decision to grant | |
FPAY | Annual fee payment | Payment date: 20191202, Year of fee payment: 4 |