WO2009064114A2 - Protection method and system for countering a distributed denial of service attack - Google Patents

Info

Publication number
WO2009064114A2
Authority
WO
WIPO (PCT)
Prior art keywords
traffic
attack
segments
target server
distributed denial
Application number
PCT/KR2008/006673
Other languages
English (en)
Other versions
WO2009064114A3 (fr
Inventor
Jong Hyun Lee
Young Gon Kim
Original Assignee
Ahnlab., Inc.
Application filed by Ahnlab., Inc.
Publication of WO2009064114A2
Publication of WO2009064114A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141 Denial of service attacks against endpoints in a network

Definitions

  • The present invention relates to a protection method and system for a distributed denial of service attack; and, more particularly, to a protection method and system for a distributed denial of service attack, which occurs in a network, via a multi-stage countermeasure.
  • DDoS: Distributed Denial of Service
  • Since a variety of attack tools are disclosed today, anyone can easily deliver a DDoS attack on an attack target by using the corresponding attack tools, which causes relatively serious damage to the attack target. Hence, techniques to protect against DDoS attacks are being widely used.
  • TCP connection establishment procedure and attacks saturating an attack target with meaningless traffic.
  • A representative attack using the TCP connection establishment procedure is the TCP SYN flooding attack, which abuses the 3-way handshaking performed during the TCP connection establishment procedure.
  • The 3-way handshaking is performed as follows. First, a client desiring to establish a connection with a server sends to the server a SYN packet containing a port number of the server and an ISN (Initial Sequence Number) of the client. Next, the server sends to the client a SYN-ACK packet containing an ISN of the server and ISN+1, which is obtained by increasing the ISN of the client by one, and the client then sends to the server an ACK packet in response to the SYN-ACK packet.
  • The TCP connection is established via the above-described three steps.
  • The attacks using the TCP connection establishment procedure are implemented by omitting the last step, i.e., the third step, and sending a flood of SYN packets to the server, which exhausts buffers (backlogs) of the server to thereby disable the server from establishing more connections.
  • An attacker sends to the attack target a flood of UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) packets, or generates a flood of normal HTTP (Hypertext Transfer Protocol) requests.
  • UDP: User Datagram Protocol
  • ICMP: Internet Control Message Protocol
  • HTTP: Hypertext Transfer Protocol
  • Some conventional protection techniques for the above-described DDoS attacks are implemented by improving a server-side TCP algorithm or adjusting traffic amount.
  • Techniques improving the server-side TCP algorithm modify a TCP connection establishment algorithm to distinguish spoofed client IP addresses or to block ill-intentioned connection establishment attempts.
  • Such protection techniques cannot protect attack targets from an attack, e.g., the F5 attack, in which normal TCP connections are flooded.
  • Protection methods for a DDoS attack include steps for detecting the DDoS attack and for analyzing the detected attack to protect an attack target.
  • Detecting the DDoS attack is performed based on a threshold value on traffic.
  • An allowable threshold value on traffic according to a status of a network is set in advance or determined dynamically, and traffic passing through the network is then monitored to inspect whether the traffic exceeds the allowable threshold value. If the traffic exceeds the allowable threshold value and source addresses of the traffic are widely distributed, it is determined that a DDoS attack occurs.
  • A countermeasure against the DDoS attack is taken, in general, by adjusting traffic amount toward the attack target or by adjusting the amount of traffic associated with specific services.
  • Because DDoS attacks are attacks in which a number of attacking clients generate a flood of traffic concentrated on a specific attack target, i.e., a server to be attacked, it is difficult to distinguish legitimate clients from attacking clients. Further, if a maximum allowable bandwidth is set, traffic associated with the legitimate clients may also be blocked. That is, considering attack patterns of the DDoS attacks, simply restricting the traffic cannot efficiently block the DDoS attacks and causes a problem in that legitimate services may also be restricted.
  • The present invention provides an efficient protection method and system for a DDoS attack.
  • The present invention provides a method and system for efficiently distinguishing, if it is determined that a DDoS attack occurs, legitimate traffic and illegitimate traffic and selectively restricting inbound traffic toward an attack target by segmenting a network according to IP addresses.
  • A protection method for a distributed denial of service attack, including: segmenting a network based on source IP addresses of traffic;
  • Preferably, in segmenting the network, an entire IP area of the network is segmented into main-segments and each of the main-segments is segmented into sub-segments.
  • The traffic toward the attack target server is classified into legitimate traffic and illegitimate traffic, and the illegitimate traffic is restricted.
  • The specific threshold value is derived based on normal status of the network before the distributed denial of service attack occurs.
  • A protection system for a distributed denial of service attack, including: an attack detecting unit for monitoring traffic to detect occurrence of the distributed denial of service attack and find an attack target server; and a traffic restriction unit for performing filtering to restrict traffic having source addresses belonging to IP areas in which traffic toward the attack target server exceeds a specific threshold value.
  • The protection system may further include a traffic blocking unit for classifying the traffic toward the attack target server into legitimate traffic and illegitimate traffic and restricting the illegitimate traffic.
  • If a DDoS attack occurs, in a first stage, traffic is filtered by distinguishing illegitimate traffic and legitimate traffic, thereby guaranteeing availability of a server.
  • Traffic restriction is selectively performed on IP areas associated with an attacker, thereby guaranteeing connections of legitimate users.
  • Because the illegitimate traffic and the legitimate traffic are distinguished by analyzing legitimate traffic in the past as well as current traffic, a large amount of traffic generated by legitimate users can be distinguished from attack traffic and can pass without being blocked.
  • FIG. 1 illustrates a configuration diagram of a network for protecting against DDoS attacks
  • FIG. 2 illustrates a configuration diagram of a DDoS attack protection system in accordance with an embodiment of the present invention
  • FIG. 3 illustrates a flowchart of operation of the DDoS attack protection system of
  • FIG. 4 illustrates an exemplary SYN cookie processing in the spoofing traffic blocking unit of Fig. 2;
  • FIG. 5 illustrates an exemplary segment filtering process in the area-based traffic restriction unit of Fig. 2;
  • Fig. 6 illustrates a flowchart of registering a new attack target server and adding a segment restriction in the DDoS attack protection system of Fig. 2;
  • Fig. 7 illustrates a flowchart of performing segment filtering in the DDoS attack protection system of Fig. 2.
  • Fig. 1 illustrates a configuration diagram of a network for protecting against DDoS attacks.
  • An internal network 120 includes a general router 121, a general switch 122 and an internal system 123.
  • An external network 110 includes the Internet 111, attacker's computer 112 and attacking points (sources) 113 which are zombie computers for use in attacks along with the attacker's computer 112. Further, a DDoS attack protection system 130 is interposed between the router 121 and the switch 122.
  • Fig. 2 illustrates a configuration diagram of a DDoS attack protection system in accordance with an embodiment of the present invention.
  • The DDoS protection system 130 may be configured in connection with other functional blocks in a hardware device.
  • In a hardware device including a kernel, which is a general or specialized operating system, a firewall operating on the kernel, an IPS (Intrusion Prevention System), a VPN (Virtual Private Network) functional block and an application proxy associated with various application programs, the IPS may have the DDoS attack protection system 130.
  • IPS: Intrusion Prevention System
  • VPN: Virtual Private Network
  • The DDoS attack protection system 130 includes an attack detecting unit 132 for detecting a DDoS attack and an attack blocking unit 134 for blocking DDoS attack traffic.
  • The attack blocking unit 134 has a spoofing traffic blocking unit 136, which uses SYN cookies to distinguish and filter legitimate traffic and illegitimate traffic, and an area-based traffic restriction unit 138, which protects against the attack on a per-subnetwork basis.
  • Fig. 3 illustrates a flowchart of operation of the DDoS attack protection system 130 of Fig. 2.
  • A network is segmented based on source IP areas of traffic toward a server (step S310).
  • The attack detecting unit 132 determines whether a DDoS attack occurs and checks an IP address of the server, which is an attack target server (step S320). Such determination is carried out by using a preset or automatically-set threshold value. If it is determined in the step S320 that the DDoS attack occurs, corresponding information is sent to the attack blocking unit 134.
  • The attack blocking unit 134 performs more detailed analysis on the attack. To be specific, inbound traffic toward the attack target server is analyzed to distinguish legitimate traffic and illegitimate traffic (step S330, see Fig. 4). Then, an IP area-based traffic restriction is performed on subnetworks associated with the illegitimate traffic and subnetworks associated with excessively heavy legitimate traffic (steps S340 and S350). That is, traffic restriction according to a sub-segment filtering in the step S340 and a main-segment filtering in the step S350 are carried out sequentially or selectively (see Fig. 5).
  • Detecting the DDoS attack is performed based on a threshold value on traffic.
  • An allowable threshold value on traffic according to the status of the network is set in advance or determined dynamically, and traffic passing through the network is then monitored to inspect whether the traffic exceeds the allowable threshold value. If the traffic exceeds the allowable threshold value and source addresses of the traffic are widely distributed, it is determined that a DDoS attack occurs.
  • Fig. 4 illustrates an exemplary SYN cookie processing to distinguish legitimate traffic and illegitimate traffic in the spoofing traffic blocking unit 136 of Fig. 2.
  • Spoofing filtering is performed by using SYN cookies.
  • In order to distinguish legitimate traffic and illegitimate traffic, it is required to determine whether inbound traffic from outside is sent from real source addresses. For this purpose, if a first packet for TCP communications, i.e., a SYN packet, is received, a response packet, i.e., a SYN+ACK packet, is generated to be forwarded to the source addresses, instead of forwarding the SYN packet to the internal system.
  • When a packet is received, it is determined whether the packet is a SYN packet. If the received packet is an outbound SYN packet toward outside, the packet is sent outside without being subjected to SYN cookie processing. Meanwhile, if the packet is an inbound SYN packet from outside, a session table is searched to find a corresponding session. If the corresponding session is not found, a corresponding response is subjected to the SYN cookie processing and a session is created.
  • Fig. 5 illustrates an exemplary segment filtering process in the area-based traffic restriction unit 138 of Fig. 2. The process shown in Fig. 5 is performed when traffic amount exceeds a processing limit of the spoofing traffic blocking unit 136 of Fig. 4, or when a UDP or ICMP packet flooding occurs even though the packets are legitimate packets.
  • A segment is divided into main-segments and each main-segment is divided into sub-segments. That is, the main-segment and the sub-segment are an upper-class segmentation unit and a lower-class segmentation unit, respectively.
  • IPv4: Internet Protocol version 4
  • IPv4 addresses can be classified and managed statically. Further, such a management system can also be applied to network address systems other than IPv4 in the same manner.
  • Legitimate traffic is updated for each main-segment in normal traffic conditions. If it is determined that an attack occurs, current traffic is compared with the legitimate traffic for each main-segment to find main-segments in which traffic amount increases suddenly. After that, each of the main-segments thus found is divided into sub-segments, and traffic amount of each of the sub-segments is inspected to find sub-segments in which traffic is saturated. Traffic amount of each of the sub-segments thus found is restricted to be below a specific level. As such, by accurately detecting sub-segments in which traffic is suddenly flooded, traffic restriction can be selectively performed, which guarantees desired services to legitimate users in IP areas other than the restricted IP areas.
  • If attack points are widely distributed all over the network, i.e., if the number of randomly spoofed IP addresses of the attacking points (sources) exceeds a processing limit of a device, the IP areas become widely distributed.
  • Traffic restriction is carried out via the main-segment filtering.
  • The traffic restriction, i.e., the filtering, means restriction of the amount of traffic per second.
  • Fig. 6 illustrates a flowchart of registering a new attack target server and adding a segment restriction in the DDoS attack protection system 130 of Fig. 2.
  • In step S601, it is determined whether the attack target server has already been registered to the target list. If it is determined in the step S601 that the attack target server has already been registered to the target list, a frequency of repeated-call is checked (step S603). If it is determined in the step S603 that the frequency of repeated-call is equal to or greater than a preset maximum frequency of repeated-call, a maximum hit count of a corresponding main-segment is decreased (step S605). If it is determined in the step S603 that the frequency of repeated-call is smaller than the maximum frequency of repeated-call, the corresponding main-segment is searched for in a main-segment list (step S609).
  • If it is determined in the step S601 that the attack target server has not yet been registered to the target list, the attack target server is newly registered to the target list (step S607), and the corresponding main-segment is searched for in the main-segment list in the step S609.
  • In step S611, it is determined whether the corresponding main-segment is one of existing attacking main-segments. If it is determined in the step S611 that the corresponding main-segment is an existing attacking main-segment, a maximum hit count of a corresponding sub-segment is decreased (step S613), thereby performing sub-segment filtering. If it is determined in the step S611 that the corresponding main-segment is not an existing attacking main-segment, the number of main-segments determined to be the attacking main-segments is checked (step S615).
  • If it is determined in the step S615 that the number of main-segments determined to be the attacking main-segments is equal to or greater than a preset maximum value, only main-segment filtering is performed without performing sub-segment filtering (step S617). If it is determined in the step S615 that the number of main-segments determined to be the attacking main-segments is smaller than a preset maximum value, additional sub-segment filtering is performed (step S619).
  • Fig. 7 illustrates a flowchart of performing segment filtering in the DDoS attack protection system 130 of Fig. 2.
  • A destination IP address of a SYN packet is checked to determine whether the packet is destined to a target server (step S701). If it is determined in the step S701 that the destination IP address is the address of the target server, it is determined whether to perform sub-segment filtering or to perform main-segment filtering (step S703). If it is determined in the step S703 that the packet is to be subjected to main-segment filtering, the main-segment filtering is performed by using a maximum hit count (step S705).
  • If it is determined in the step S703 that the packet is to be subjected to sub-segment filtering, it is determined whether the sub-segment to which the source address of the packet belongs is an attacking sub-segment (step S707). If it is determined in the step S707 that the sub-segment is an attacking sub-segment, an expiration of validity time is checked (step S709). If it is determined in the step S709 that the packet is valid, a corresponding sub-segment list is searched to find the currently attacking sub-segment (step S711), thereby performing sub-segment filtering (step S713).
  • If it is determined in the step S709 that the packet is invalid, the sub-segment filtering in the step S713 is directly performed. If it is determined in the step S707 that the sub-segment is not an attacking sub-segment, a hit count of the corresponding sub-segment is updated (step S715) and the packet is passed.
  • If it is determined in the step S701 that the destination IP address is not the address of the target server, the expiration of validity time is checked (step S717) and the hit count of the corresponding main-segment is updated (step S719), thereby passing the packet.
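The main-segment and sub-segment restriction described for Fig. 5 through Fig. 7, as an added example that is not code from the patent or from Ahnlab. The /8 and /16 segment sizes, the surge factor, the saturation level and the hit-count limits are assumptions of this example, and the sample addresses are constructed.

```python
import ipaddress
from collections import Counter

# Assumptions of this example (the text fixes no prefix lengths or limits):
MAIN_PREFIX = 8    # main-segment = source /8
SUB_PREFIX = 16    # sub-segment  = source /16 inside a main-segment


def segment(ip, prefix):
    """Return the segment (CIDR block) that a source address belongs to."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class SegmentFilter:
    def __init__(self, surge_factor=4, sub_saturation=50,
                 sub_limit=5, main_limit=20, max_attack_mains=3):
        self.surge_factor = surge_factor          # "sudden increase" vs. baseline
        self.sub_saturation = sub_saturation      # packets/s that mark a sub-segment
        self.sub_limit = sub_limit                # max hit count/s, restricted sub-segment
        self.main_limit = main_limit              # max hit count/s, restricted main-segment
        self.max_attack_mains = max_attack_mains  # at or above this: widely distributed
        self.baseline = Counter()                 # legitimate packets/s per main-segment
        self.limits = {}                          # restricted segment -> max hit count/s

    def learn(self, sources):
        """Normal conditions: record the peak per-second load per main-segment."""
        for seg, n in Counter(segment(s, MAIN_PREFIX) for s in sources).items():
            self.baseline[seg] = max(self.baseline[seg], n)

    def plan(self, sources):
        """Attack detected: choose which segments to restrict, from one second
        of traffic toward the attack target server."""
        now = Counter(segment(s, MAIN_PREFIX) for s in sources)
        surging = {m for m, n in now.items()
                   if n > self.surge_factor * max(self.baseline[m], 1)}
        if len(surging) >= self.max_attack_mains:
            # Sources spread over many main-segments: main-segment filtering only.
            self.limits = {m: self.main_limit for m in surging}
            return
        subs = Counter(segment(s, SUB_PREFIX) for s in sources
                       if segment(s, MAIN_PREFIX) in surging)
        self.limits = {sub: self.sub_limit for sub, n in subs.items()
                       if n >= self.sub_saturation}

    def filter_second(self, sources):
        """Apply the per-second hit-count limits; return the sources that pass."""
        hits, passed = Counter(), []
        for s in sources:
            key = next((k for k in (segment(s, SUB_PREFIX), segment(s, MAIN_PREFIX))
                        if k in self.limits), None)
            if key is not None:
                hits[key] += 1
                if hits[key] > self.limits[key]:
                    continue                      # over the limit: drop
            passed.append(s)
        return passed


# Constructed sample traffic (illustrative addresses only).
LEGIT_A = [f"198.51.100.{i}" for i in range(1, 11)]   # 10 users
LEGIT_B = [f"203.0.113.{i}" for i in range(1, 7)]     # 6 users in 203.0.0.0/16
FLOOD = [f"203.77.{i // 250}.{i % 250 + 1}" for i in range(300)]


def demo_concentrated():
    """Flood from one sub-segment: only that sub-segment is restricted."""
    f = SegmentFilter()
    f.learn(LEGIT_A + LEGIT_B)
    attack = LEGIT_A + LEGIT_B + FLOOD
    f.plan(attack)
    return f.limits, len(f.filter_second(attack))


def demo_distributed():
    """Flood spread over five main-segments: main-segment filtering only."""
    f = SegmentFilter()
    f.learn(LEGIT_A)
    wide = [f"{m}.{i}.{i}.1" for m in (11, 22, 33, 44, 55) for i in range(100)]
    f.plan(LEGIT_A + wide)
    return sorted(f.limits), len(f.filter_second(LEGIT_A + wide))
```

In the concentrated case the six legitimate users who share the surging main-segment still pass, because only the saturated sub-segment is rate-limited.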
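The SYN cookie check described for Fig. 4 (answering an inbound SYN with a SYN+ACK and only trusting sources that complete the handshake), as an added example that is not code from the patent. The HMAC-based cookie layout, the time-slot parameter, the secret, and creating the session only after the ACK validates are assumptions of this example; the addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"   # assumption: per-device secret
MASK = 0xFFFFFFFF


def cookie(src, sport, dst, dport, client_isn, slot):
    """32-bit value bound to the 4-tuple, the client ISN and a time slot."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHIQ", sport, dport, client_isn, slot))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynCookieGate:
    def __init__(self):
        self.sessions = set()      # verified (src, sport, dst, dport) tuples

    def on_syn(self, src, sport, dst, dport, client_isn, slot):
        """Inbound SYN: answer with a SYN+ACK ourselves and store nothing.
        Returns (seq, ack) of the SYN+ACK, or None if a session already exists."""
        if (src, sport, dst, dport) in self.sessions:
            return None
        return cookie(src, sport, dst, dport, client_isn, slot), (client_isn + 1) & MASK

    def on_ack(self, src, sport, dst, dport, seq, ack, slot):
        """Final ACK: seq is the client ISN+1 and ack must equal our cookie+1."""
        client_isn = (seq - 1) & MASK
        for s in (slot, max(slot - 1, 0)):      # accept current and previous slot
            expected = (cookie(src, sport, dst, dport, client_isn, s) + 1) & MASK
            if hmac.compare_digest(struct.pack("!I", expected),
                                   struct.pack("!I", ack & MASK)):
                self.sessions.add((src, sport, dst, dport))
                return True
        return False


def demo():
    gate = SynCookieGate()
    dst, dport = "192.0.2.10", 80
    # Real client: it receives the SYN+ACK, so it can echo cookie+1.
    seq, ack = gate.on_syn("198.51.100.7", 40000, dst, dport, 1000, slot=5)
    real = gate.on_ack("198.51.100.7", 40000, dst, dport, ack, (seq + 1) & MASK, slot=5)
    # Spoofed source: the SYN+ACK went to someone else, so the ACK value is a guess.
    gate.on_syn("203.0.113.9", 1234, dst, dport, 7, slot=5)
    spoofed = gate.on_ack("203.0.113.9", 1234, dst, dport, 8, 12345, slot=5)
    # The same valid ACK presented two slots later is refused.
    late = SynCookieGate().on_ack("198.51.100.7", 40000, dst, dport,
                                  ack, (seq + 1) & MASK, slot=7)
    return real, spoofed, late, sorted(gate.sessions)
```

No per-SYN state is kept, so a flood of SYN packets from spoofed sources cannot fill a backlog; only sources that return the cookie get a session entry.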

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a protection method for countering a distributed denial of service attack. The method includes: segmenting a network based on source IP addresses of traffic; monitoring the traffic to detect occurrence of a distributed denial of service attack and to find a server that is the target of the attack; and performing filtering to restrict traffic on the segments in which traffic toward the attack target server exceeds a specific threshold value. Preferably, in segmenting the network, an entire IP area of the network is segmented into main-segments and each of the main-segments is segmented into sub-segments.
PCT/KR2008/006673 2007-11-12 2008-11-12 Protection method and system for countering a distributed denial of service attack WO2009064114A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2007-0114875 2007-11-12
KR1020070114875A KR100950900B1 (ko) 2007-11-12 2007-11-12 Distributed denial of service attack defense method and defense system

Publications (2)

Publication Number Publication Date
WO2009064114A2 (fr) 2009-05-22
WO2009064114A3 WO2009064114A3 (fr) 2009-07-02

Family

ID=40639310

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2008/006673 WO2009064114A2 (fr) 2007-11-12 2008-11-12 Protection method and system for countering a distributed denial of service attack

Country Status (2)

Country Link
KR (1) KR100950900B1 (fr)
WO (1) WO2009064114A2 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110055921A1 (en) * 2009-09-03 2011-03-03 Juniper Networks, Inc. Protecting against distributed network flood attacks
WO2011099773A2 (fr) * 2010-02-10 2011-08-18 주식회사 유섹 System and method for protecting against distributed denial of service attack traffic
GB2494384A (en) * 2011-08-31 2013-03-13 Metaswitch Networks Ltd Handling Potentially Malicious Communication Activity
US8914878B2 (en) 2009-04-29 2014-12-16 Juniper Networks, Inc. Detecting malicious network software agents
US9531749B2 (en) 2014-08-07 2016-12-27 International Business Machines Corporation Prevention of query overloading in a server application

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101042226B1 (ko) * 2009-08-13 2011-06-16 이니텍(주) Method for blocking distributed denial of service attacks using a network filter that monitors a whitelist and a dummy web server

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040054924A1 (en) * 2002-09-03 2004-03-18 Chuah Mooi Choo Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks
JP2004248185A (ja) * 2003-02-17 2004-09-02 Nippon Telegr & Teleph Corp <Ntt> Network-based distributed denial of service attack defense system and communication device
JP2006164038A (ja) * 2004-12-09 2006-06-22 Nippon Telegr & Teleph Corp <Ntt> Method for coping with a DoS attack or DDoS attack, network device, and analysis device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
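KR100479202B1 (ko) * 2002-12-26 2005-03-28 한국과학기술정보연구원 System and method for responding to distributed denial of service attacks, and recording medium storing the program therefor
CN100370757C (zh) * 2004-07-09 2008-02-20 国际商业机器公司 Method and system for identifying distributed denial of service attacks within a network and defending against the attacks
KR100608136B1 (ko) 2005-02-18 2006-08-08 재단법인서울대학교산학협력재단 Method for improving security performance in stateful inspection of TCP connections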
US8089871B2 (en) * 2005-03-25 2012-01-03 At&T Intellectual Property Ii, L.P. Method and apparatus for traffic control of dynamic denial of service attacks within a communications network

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9344445B2 (en) 2009-04-29 2016-05-17 Juniper Networks, Inc. Detecting malicious network software agents
US8914878B2 (en) 2009-04-29 2014-12-16 Juniper Networks, Inc. Detecting malicious network software agents
US8789173B2 (en) * 2009-09-03 2014-07-22 Juniper Networks, Inc. Protecting against distributed network flood attacks
EP2293513A1 (fr) 2009-09-03 2011-03-09 Juniper Networks, Inc. Protecting against distributed network flood attacks
CN102014116A (zh) * 2009-09-03 2011-04-13 丛林网络公司 Protecting against distributed network flood attacks
US20110055921A1 (en) * 2009-09-03 2011-03-03 Juniper Networks, Inc. Protecting against distributed network flood attacks
CN102014116B (zh) * 2009-09-03 2015-01-21 丛林网络公司 Protecting against distributed network flood attacks
WO2011099773A2 (fr) * 2010-02-10 2011-08-18 주식회사 유섹 System and method for protecting against distributed denial of service attack traffic
WO2011099773A3 (fr) * 2010-02-10 2011-12-15 주식회사 유섹 System and method for protecting against distributed denial of service attack traffic
GB2494384B (en) * 2011-08-31 2013-07-24 Metaswitch Networks Ltd Handling potentially malicious communication activity
GB2494384A (en) * 2011-08-31 2013-03-13 Metaswitch Networks Ltd Handling Potentially Malicious Communication Activity
US9537875B2 (en) 2011-08-31 2017-01-03 Metaswitch Networks Ltd. Handling potentially malicious communication activity
US9531749B2 (en) 2014-08-07 2016-12-27 International Business Machines Corporation Prevention of query overloading in a server application

Also Published As

Publication number Publication date
WO2009064114A3 (fr) 2009-07-02
KR20090048819A (ko) 2009-05-15
KR100950900B1 (ko) 2010-04-06

Similar Documents

Publication Publication Date Title
US11005865B2 (en) Distributed denial-of-service attack detection and mitigation based on autonomous system number
US20210112091A1 (en) Denial-of-service detection and mitigation solution
US10911473B2 (en) Distributed denial-of-service attack detection and mitigation based on autonomous system number
US20200137112A1 (en) Detection and mitigation solution using honeypots
Bogdanoski et al. Analysis of the SYN flood DoS attack
EP3635929B1 (fr) Defense against a denial of service attack
Sanmorino et al. DDoS attack detection method and mitigation using pattern of the flow
WO2004047383A1 (fr) Method and apparatus for protecting legitimate traffic from DoS and DDoS attacks
US20110026529A1 (en) Method And Apparatus For Option-based Marking Of A DHCP Packet
Kavisankar et al. A mitigation model for TCP SYN flooding with IP spoofing
Lukaseder et al. An sdn-based approach for defending against reflective ddos attacks
WO2009064114A2 (fr) Protection method and system for countering a distributed denial of service attack
Maheshwari et al. Defending network system against IP spoofing based distributed DoS attacks using DPHCF-RTT packet filtering technique
Robinson et al. Evaluation of mitigation methods for distributed denial of service attacks
Tritilanunt et al. Entropy-based input-output traffic mode detection scheme for dos/ddos attacks
Wang et al. Efficient and low‐cost defense against distributed denial‐of‐service attacks in SDN‐based networks
Mopari et al. Detection and defense against DDoS attack with IP spoofing
Saad et al. A study on detecting ICMPv6 flooding attack based on IDS
KR20110026926A (ko) Method for blocking distributed denial of service attacks
WO2003050644A2 (fr) Protecting against malicious traffic
Salunkhe et al. Analysis and review of TCP SYN flood attack on network with its detection and performance metrics
KR20030009887A (ko) System and method for blocking denial of service attacks
EP1461704A2 (fr) Protecting against malicious traffic
Piskozub Denial of service and distributed denial of service attacks
Niknami et al. Towards Analysis of the Performance of IDSs in Software-Defined Networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08850658

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08850658

Country of ref document: EP

Kind code of ref document: A2