WO2009064114A2 - Protection method and system for a distributed denial of service attack - Google Patents
- Publication number
- WO2009064114A2 (PCT/KR2008/006673)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- traffic
- attack
- segments
- target server
- distributed denial
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/141—Denial of service attacks against endpoints in a network
Definitions
- The present invention relates to a protection method and system for a distributed denial of service attack; and, more particularly, to a protection method and system for a distributed denial of service attack, which occurs in a network, via a multi-stage countermeasure.
- DDoS Distributed Denial of Service
- Since a variety of attack tools have been disclosed, anyone can easily launch a DDoS attack on an attack target by using such tools, which causes relatively serious damage to the attack target. Hence, techniques to protect against DDoS attacks are widely used.
- TCP connection establishment procedure and attacks saturating an attack target with meaningless traffic.
- A representative attack using the TCP connection establishment procedure is the TCP SYN flooding attack, which abuses the 3-way handshaking performed during the TCP connection establishment procedure.
- The 3-way handshaking is performed as follows. First, a client desiring to establish a connection with a server sends to the server a SYN packet containing a port number of the server and an ISN (Initial Sequence Number) of the client. Next, the server sends to the client a SYN-ACK packet containing an ISN of the server and ISN+1, which is obtained by increasing the ISN of the client by one, and the client then sends to the server an ACK packet in response to the SYN-ACK packet.
- the TCP connection is established via the above-described three steps.
- the attacks using the TCP connection establishment procedure are implemented by omitting the last step, i.e., the third step, and sending a flood of SYN packets to the server, which exhausts buffers (backlogs) of the server to thereby disable the server from establishing more connections.
- an attacker sends to the attack target a flood of UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) packets, or generates a flood of normal HTTP (Hypertext Transfer Protocol) requests.
- Some conventional protection techniques for the above-described DDoS attacks are implemented by improving a server-side TCP algorithm or adjusting traffic amount.
- Techniques improving the server-side TCP algorithm modify a TCP connection establishment algorithm to distinguish spoofed client IP addresses or to block ill-intentioned connection establishment attempts.
- Such protection techniques cannot protect attack targets from an attack, e.g., the F5 attack, in which normal TCP connections are flooded.
- Protection methods for a DDoS attack include steps for detecting the DDoS attack and for analyzing the detected attack to protect an attack target.
- detecting the DDoS attack is performed based on a threshold value on traffic.
- an allowable threshold value on traffic according to a status of a network is set in advance or determined dynamically, and traffic passing through the network is then monitored to inspect whether the traffic exceeds the allowable threshold value. If the traffic exceeds the allowable threshold value and source addresses of the traffic are widely distributed, it is determined that a DDoS attack occurs.
- a countermeasure against the DDoS attack is taken, in general, by adjusting traffic amount toward the attack target or by adjusting the amount of traffic associated with specific services.
- Because DDoS attacks are attacks in which a number of attacking clients generate a flood of traffic concentrated on a specific attack target, i.e., a server to be attacked, it is difficult to distinguish legitimate clients from attacking clients. Further, if a maximum allowable bandwidth is set, traffic associated with the legitimate clients may also be blocked. That is, considering the attack patterns of DDoS attacks, simply restricting the traffic cannot efficiently block the DDoS attacks and causes a problem in that legitimate services may also be restricted.
- the present invention provides an efficient protection method and system for a DDoS attack.
- the present invention provides a method and system for efficiently distinguishing, if it is determined that a DDoS attack occurs, legitimate traffic and illegitimate traffic and selectively restricting inbound traffic toward an attack target by segmenting a network according to IP addresses.
- a protection method for a distributed denial of service attack including: segmenting a network based on source IP addresses of traffic;
- Preferably, in segmenting the network, an entire IP area of the network is segmented into main-segments and each of the main-segments is segmented into sub-segments.
- the traffic toward the attack target server is classified into legitimate traffic and illegitimate traffic, and the illegitimate traffic is restricted.
- the specific threshold value is derived based on normal status of the network before the distributed denial of service attack occurs.
- a protection system for a distributed denial of service attack including: an attack detecting unit for monitoring traffic to detect occurrence of the distributed denial of service attack and find an attack target server; and a traffic restriction unit for performing filtering to restrict traffic having source addresses belonging to IP areas in which traffic toward the attack target server exceeds a specific threshold value.
- the protection system may further include a traffic blocking unit for classifying the traffic toward the attack target server into legitimate traffic and illegitimate traffic and restricting the illegitimate traffic.
- When a DDoS attack occurs, in a first stage, traffic is filtered by distinguishing illegitimate traffic from legitimate traffic, thereby guaranteeing availability of a server.
- Traffic restriction is selectively performed on IP areas associated with an attacker, thereby guaranteeing connections of legitimate users.
- Because illegitimate and legitimate traffic are distinguished by analyzing past legitimate traffic as well as current traffic, a large amount of traffic generated by legitimate users can be distinguished from attack traffic and can pass without being blocked.
- FIG. 1 illustrates a configuration diagram of a network for protecting against DDoS attacks
- FIG. 2 illustrates a configuration diagram of a DDoS attack protection system in accordance with an embodiment of the present invention
- FIG. 3 illustrates a flowchart of operation of the DDoS attack protection system of
- FIG. 4 illustrates an exemplary SYN cookie processing in the spoofing traffic blocking unit of Fig. 2;
- FIG. 5 illustrates an exemplary segment filtering process in the area-based traffic restriction unit of Fig. 2;
- Fig. 6 illustrates a flowchart of registering a new attack target server and adding a segment restriction in the DDoS attack protection system of Fig. 2;
- Fig. 7 illustrates a flowchart of performing segment filtering in the DDoS attack protection system of Fig. 2.
- Fig. 1 illustrates a configuration diagram of a network for protecting against DDoS attacks.
- An internal network 120 includes a general router 121, a general switch 122 and an internal system 123.
- An external network 110 includes the Internet 111, attacker's computer 112 and attacking points (sources) 113 which are zombie computers for use in attacks along with the attacker's computer 112. Further, a DDoS attack protection system 130 is interposed between the router 121 and the switch 122.
- Fig. 2 illustrates a configuration diagram of a DDoS attack protection system in accordance with an embodiment of the present invention.
- the DDoS protection system 130 may be configured in connection with other functional blocks in a hardware device.
- In a hardware device including a kernel which is a general or specialized operating system, a firewall operating on the kernel, an IPS (Intrusion Prevention System), a VPN (Virtual Private Network) functional block and an application proxy associated with various application programs, the IPS may have the DDoS attack protection system 130.
- the DDoS attack protection system 130 includes an attack detecting unit 132 for detecting a DDoS attack and an attack blocking unit 134 for blocking DDoS attack traffic.
- the attack blocking unit 134 has a spoofing traffic blocking unit 136, which uses SYN cookies to distinguish and filter legitimate traffic and illegitimate traffic, and an area-based traffic restriction unit 138, which protects against the attack on the basis of subnetwork.
- Fig. 3 illustrates a flowchart of operation of the DDoS attack protection system 130 of Fig. 2.
- a network is segmented based on source IP areas of traffic toward a server (step S310).
- the attack detecting unit 132 determines whether a DDoS attack occurs and checks an IP address of the server, which is an attack target server (step S320). Such determination is carried out by using a preset or automatically-set threshold value. If it is determined in the step S320 that the DDoS attack occurs, corresponding information is sent to the attack blocking unit 134.
- the attack blocking unit 134 performs more detailed analysis on the attack. To be specific, inbound traffic toward the attack target server is analyzed to distinguish legitimate traffic and illegitimate traffic (step S330, see Fig. 4). Then, an IP area-based traffic restriction is performed on subnetworks associated with the illegitimate traffic and subnetworks associated with excessively heavy legitimate traffic (steps S340 and S350). That is, traffic restriction according to a sub-segment filtering in the step S340 and a main-segment filtering in the step S350 are carried out sequentially or selectively (see, Fig. 5).
- detecting the DDoS attack is performed based on a threshold value on traffic.
- an allowable threshold value on traffic according to the status of the network is set in advance or determined dynamically, and traffic passing through the network is then monitored to inspect whether the traffic exceeds the allowable threshold value. If the traffic exceeds the allowable threshold value and source addresses of the traffic are widely distributed, it is determined that a DDoS attack occurs.
- Fig. 4 illustrates an exemplary SYN cookie processing to distinguish legitimate traffic and illegitimate traffic in the spoofing traffic blocking unit 136 of Fig. 2.
- Spoofing filtering is performed by using SYN cookies.
- In order to distinguish legitimate traffic and illegitimate traffic, it is required to determine whether inbound traffic from outside is sent from real source addresses. For this purpose, if a first packet for TCP communications, i.e., a SYN packet, is received, a response packet, i.e., a SYN+ACK packet, is generated to be forwarded to the source addresses, instead of forwarding the SYN packet to the internal system.
- When a packet is received, it is determined whether the packet is a SYN packet. If the received packet is an outbound SYN packet toward outside, the packet is sent outside without being subjected to SYN cookie processing. Meanwhile, if the packet is an inbound SYN packet from outside, a session table is searched to find a corresponding session. If the corresponding session is not found, a corresponding response is subjected to the SYN cookie processing and a session is created.
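The SYN cookie handling described above can be sketched as follows. This is an added example, not code from the patent: the cookie layout (8-bit time slot plus 24-bit HMAC), the `SynProxy` class, the secret and all addresses are assumptions, and the example creates the session only once the final ACK validates.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: device-local key, rotated in practice
SLOT_SECONDS = 64                    # assumption: a cookie is accepted for 1-2 time slots
MOD = 2 ** 32

def _mac24(src, sport, dst, dport, client_isn, slot):
    """24-bit keyed MAC binding the cookie to the flow, the client ISN and a time slot."""
    msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_ack(syn, now):
    """Build the SYN+ACK for an inbound SYN; the cookie serves as the server-side ISN."""
    slot = int(now) // SLOT_SECONDS
    mac = _mac24(syn["src"], syn["sport"], syn["dst"], syn["dport"], syn["seq"], slot)
    cookie = ((slot & 0xFF) << 24) | mac
    return {"src": syn["dst"], "sport": syn["dport"], "dst": syn["src"],
            "dport": syn["sport"], "flags": "SA",
            "seq": cookie, "ack": (syn["seq"] + 1) % MOD}

def cookie_is_valid(ack, now):
    """The final ACK must acknowledge cookie+1 for exactly this flow and a recent slot."""
    cookie = (ack["ack"] - 1) % MOD
    client_isn = (ack["seq"] - 1) % MOD
    current = int(now) // SLOT_SECONDS
    for slot in (current, current - 1):
        if (slot & 0xFF) != (cookie >> 24):
            continue
        mac = _mac24(ack["src"], ack["sport"], ack["dst"], ack["dport"], client_isn, slot)
        if hmac.compare_digest(mac.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return True
    return False

class SynProxy:
    """Hypothetical stand-in for the spoofing traffic blocking unit."""
    def __init__(self):
        self.sessions = set()  # session table: verified (src, sport, dst, dport) flows

    def handle(self, pkt, inbound, now):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            if not inbound or key in self.sessions:
                return ("forward", pkt)               # outbound SYN: no cookie processing
            return ("reply", make_syn_ack(pkt, now))  # SYN is not passed to the internal system
        if inbound and key not in self.sessions:
            if pkt["flags"] == "A" and cookie_is_valid(pkt, now):
                # Source address proved reachable. A real device would now open the
                # server-side connection and translate sequence numbers.
                self.sessions.add(key)
                return ("forward", pkt)
            return ("drop", pkt)
        return ("forward", pkt)

def demo():
    """Constructed packets: one genuine client, one guessed ACK, one stale ACK."""
    proxy = SynProxy()
    syn = {"src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10",
           "dport": 80, "flags": "S", "seq": 1000}
    verdict, syn_ack = proxy.handle(syn, True, 10_000)
    real_ack = dict(syn, flags="A", seq=1001, ack=(syn_ack["seq"] + 1) % MOD)
    guessed_ack = dict(real_ack, src="203.0.113.99", ack=12345)
    return {
        "syn": verdict,
        "guessed": proxy.handle(guessed_ack, True, 10_001)[0],
        "late": proxy.handle(real_ack, True, 10_000 + 3 * SLOT_SECONDS)[0],
        "real": proxy.handle(real_ack, True, 10_001)[0],
    }
```

Because no state is kept until the ACK validates, a flood of SYNs from addresses that never receive the SYN+ACK consumes no session-table entries.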
- Fig. 5 illustrates an exemplary segment filtering process in the area-based traffic restriction unit 138 of Fig. 2. The process shown in Fig. 5 is performed when traffic amount exceeds a processing limit of the spoofing traffic blocking unit 136 of Fig. 4, or when a UDP or ICMP packet flooding occurs even though the packets are legitimate packets.
- A segment is divided into main-segments and each main-segment is divided into sub-segments. That is, the main-segment and the sub-segment are an upper-class segmentation unit and a lower-class segmentation unit, respectively.
- IPv4 Internet Protocol version 4
- IPv4 addresses can be classified and managed statically. Further, such management system can also be applied to network address systems other than IPv4 in the same manner.
- legitimate traffic is updated for each main-segment in normal traffic conditions. If it is determined that an attack occurs, current traffic is compared with the legitimate traffic for each main-segment to find main-segments in which traffic amount increases suddenly. After that, each of thus found main-segments is divided into sub-segments, and traffic amount of each of the sub-segments is inspected to find sub-segments in which traffic is saturated. Traffic amount of each of thus found sub-segments is restricted to be below a specific level. As such, by accurately detecting sub-segments in which traffic is suddenly flooded, traffic restriction can be selectively performed, which guarantees desired services to legitimate users in IP areas other than the restricted IP areas.
- If attack points are widely distributed all over the network, i.e., if the number of randomly spoofed IP addresses of the attacking points (sources) exceeds a processing limit of a device, the IP areas become widely distributed.
- traffic restriction is carried out via the main-segment filtering.
- The traffic restriction, i.e., the filtering, means restricting the amount of traffic per second.
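The two-level selection described above (learn a per-main-segment profile, find main-segments that surge, then restrict only saturated sub-segments, falling back to main-segment filtering when sources are widely distributed) can be sketched as follows. This is an added example, not code from the patent: the /8 and /16 segment sizes, the EWMA profile, every threshold and all function names are assumptions, and the traffic is constructed.

```python
import ipaddress
from collections import Counter

MAIN_PREFIX, SUB_PREFIX = 8, 16  # assumption: the page gives no segment sizes
SURGE_FACTOR = 3.0               # assumption: "increases suddenly" = more than 3x the profile
MIN_BASE_PPS = 10.0              # assumption: floor for main-segments never seen before
SUB_LIMIT_PPS = 200              # assumption: a sub-segment above this rate is "saturated"
MAX_ATTACKING_MAINS = 4          # assumption: at or above this, sources are "widely distributed"

def segment(ip, prefix):
    """Network (segment) that a source address belongs to, e.g. 198.18.0.5 -> 198.0.0.0/8."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def rates(sources, prefix, window_s):
    """Packets per second per segment for one observation window."""
    counts = Counter(segment(src, prefix) for src in sources)
    return {seg: n / window_s for seg, n in counts.items()}

def learn_profile(profile, sources, window_s, alpha=0.2):
    """Normal conditions: update the legitimate-traffic profile of each main-segment."""
    for seg, pps in rates(sources, MAIN_PREFIX, window_s).items():
        profile[seg] = (1 - alpha) * profile.get(seg, pps) + alpha * pps
    return profile

def plan_restrictions(profile, sources, window_s):
    """Under attack: return (mode, {segment: packets-per-second limit})."""
    surged = {}
    for seg, pps in rates(sources, MAIN_PREFIX, window_s).items():
        threshold = SURGE_FACTOR * max(profile.get(seg, 0.0), MIN_BASE_PPS)
        if pps > threshold:
            surged[seg] = threshold
    if len(surged) >= MAX_ATTACKING_MAINS:
        # Too many attacking main-segments: restrict at main-segment level only.
        return "main", {seg: int(limit) for seg, limit in surged.items()}
    surged_nets = [ipaddress.ip_network(seg) for seg in surged]
    limits = {}
    for sub, pps in rates(sources, SUB_PREFIX, window_s).items():
        inside = any(ipaddress.ip_network(sub).subnet_of(net) for net in surged_nets)
        if inside and pps > SUB_LIMIT_PPS:
            limits[sub] = SUB_LIMIT_PPS
    return "sub", limits

def burst(prefix3, n):
    """Constructed traffic: n packets from hosts under the given three-octet prefix."""
    return [f"{prefix3}.{i % 254 + 1}" for i in range(n)]

def demo():
    normal = burst("198.51.100", 45) + burst("203.0.113", 40)
    profile = learn_profile({}, normal, 1.0)
    # Focused flood from one /16; legitimate clients share the same /8.
    focused = plan_restrictions(profile, normal + burst("198.18.0", 900), 1.0)
    # Randomly spoofed sources spread over five main-segments (reserved space, constructed).
    spoofed = [src for octet in range(240, 245) for src in burst(f"{octet}.1.1", 300)]
    scattered = plan_restrictions(profile, normal + spoofed, 1.0)
    return focused, scattered
```

In the focused case only `198.18.0.0/16` is limited, so the legitimate clients in `198.51.0.0/16` keep full service even though they sit in the same surging main-segment.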
- Fig. 6 illustrates a flowchart of registering a new attack target server and adding a segment restriction in the DDoS attack protection system 130 of Fig. 2.
- step S601 determines whether the attack target server has already been registered to the target list. If it is determined in the step S601 that the attack target server has already been registered to the target list, a frequency of repeated-call is checked (step S603). If it is determined in the step S603 that the frequency of repeated-call is equal to or greater than a preset maximum frequency of repeated-call, a maximum hit count of a corresponding main-segment is decreased (step S605). If it is determined in the step S603 that the frequency of repeated-call is smaller than the maximum frequency of repeated-call, the corresponding main-segment is searched for in a main-segment list (step S609).
- If it is determined in the step S601 that the attack target server has not yet been registered to the target list, the attack target server is newly registered to the target list (step S607), and the corresponding main-segment is searched for in the main-segment list in the step S609.
- In step S611, it is determined whether the corresponding main-segment is one of existing attacking main-segments. If it is determined in the step S611 that the corresponding main-segment is an existing attacking main-segment, a maximum hit count of a corresponding sub-segment is decreased (step S613), thereby performing sub-segment filtering. If it is determined in the step S611 that the corresponding main-segment is not an existing attacking main-segment, the number of main-segments determined to be the attacking main-segments is checked (step S615).
- If it is determined in the step S615 that the number of main-segments determined to be the attacking main-segments is equal to or greater than a preset maximum value, only main-segment filtering is performed without performing sub-segment filtering (step S617). If it is determined in the step S615 that the number of main-segments determined to be the attacking main-segments is smaller than a preset maximum value, additional sub-segment filtering is performed (step S619).
- Fig. 7 illustrates a flowchart of performing segment filtering in the DDoS attack protection system 130 of Fig. 2.
- a destination IP address of a SYN packet is checked to determine whether the packet is destined to a target server (step S701). If it is determined in the step S701 that the destination IP address is the address of the target server, it is determined whether to perform sub-segment filtering or to perform main-segment filtering (step S703). If it is determined in the step S703 that the packet is to be subjected to main-segment filtering, the main-segment filtering is performed by using a maximum hit count (step S705).
- If it is determined in the step S703 that the packet is to be subjected to sub-segment filtering, it is determined whether the sub-segment to which the source address of the packet belongs is an attacking sub-segment (step S707). If it is determined in the step S707 that the sub-segment is an attacking sub-segment, an expiration of validity time is checked (step S709). If it is determined in the step S709 that the packet is valid, a corresponding sub-segment list is searched to find the currently attacking sub-segment (step S711), thereby performing sub-segment filtering (step S713).
- If it is determined in the step S709 that the packet is invalid, the sub-segment filtering in the step S713 is directly performed. If it is determined in the step S707 that the sub-segment is not an attacking sub-segment, a hit count of the corresponding sub-segment is updated (step S715) and the packet is passed.
- If it is determined in the step S701 that the destination IP address is not the address of the target server, the expiration of validity time is checked (step S717) and the hit count of the corresponding main-segment is updated (step S719), thereby passing the packet.
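The per-packet flow of Fig. 7 can be sketched as a hit counter per segment that is compared against a maximum hit count inside a validity window. This is an added example, not code from the patent: the state that the Fig. 6 registration flow would maintain (filtering mode, attacking segments and their maximum hit counts) is set by hand, and the `SegmentFilter` class, the /8 and /16 segment sizes, the one-second validity time and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

MAIN_PREFIX, SUB_PREFIX = 8, 16  # assumption: the page gives no segment sizes

def seg(ip, prefix):
    """Segment (network) that a source address falls into."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class SegmentFilter:
    def __init__(self, target, mode, main_max=None, sub_max=None, validity_s=1.0):
        self.target = target             # registered attack target server
        self.mode = mode                 # "main" or "sub": outcome of the Fig. 6 decision
        self.main_max = main_max or {}   # main-segment -> maximum hit count
        self.sub_max = sub_max or {}     # attacking sub-segment -> maximum hit count
        self.validity_s = validity_s     # assumption: hit counts are valid for one second
        self.window_start = None
        self.hits = defaultdict(int)     # hit counts toward the target, current window
        self.profile = defaultdict(int)  # per-main-segment counts of other traffic (S719)

    def _expire(self, now):
        """Start a new counting window once the validity time has passed."""
        if self.window_start is None or now - self.window_start >= self.validity_s:
            self.window_start = now
            self.hits.clear()

    def _limit(self, key, max_hits):
        """Count the packet and drop it once the segment exceeds its maximum hit count."""
        self.hits[key] += 1
        over = max_hits is not None and self.hits[key] > max_hits
        return "drop" if over else "pass"

    def filter_syn(self, src, dst, now):
        main, sub = seg(src, MAIN_PREFIX), seg(src, SUB_PREFIX)
        self._expire(now)                                   # S709 / S717
        if dst != self.target:                              # S701: not the target server
            self.profile[main] += 1                         # S719
            return "pass"
        if self.mode == "main":                             # S703
            return self._limit(main, self.main_max.get(main))  # S705
        if sub in self.sub_max:                             # S707: attacking sub-segment
            return self._limit(sub, self.sub_max[sub])      # S711, S713
        self.hits[sub] += 1                                 # S715
        return "pass"

TARGET = "192.0.2.10"  # constructed addresses throughout

def demo():
    sub = SegmentFilter(TARGET, "sub", sub_max={"198.18.0.0/16": 3})
    flood = [sub.filter_syn(f"198.18.0.{i}", TARGET, i / 10) for i in range(1, 6)]
    neighbour = sub.filter_syn("198.51.100.7", TARGET, 0.6)  # same /8, other /16
    after_expiry = sub.filter_syn("198.18.0.9", TARGET, 1.5)
    main = SegmentFilter(TARGET, "main", main_max={"198.0.0.0/8": 2})
    coarse = [main.filter_syn(s, TARGET, 0.1)
              for s in ("198.18.0.1", "198.18.0.2", "198.51.100.7")]
    return flood, neighbour, after_expiry, coarse
```

The last case shows the cost of main-segment filtering: the legitimate client at `198.51.100.7` is dropped because it shares a /8 with the flood, which is why the flow prefers sub-segment filtering when the number of attacking main-segments is small.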
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a protection method for countering a distributed denial of service attack. The method includes: segmenting a network based on source IP addresses of traffic; monitoring the traffic to detect the occurrence of a distributed denial of service attack and to find a server that is the target of the attack; and performing filtering to restrict traffic on the segments in which the traffic directed toward the attack target server exceeds a specific threshold value. Preferably, in segmenting the network, an entire IP area of the network is segmented into main-segments and each of these main-segments is segmented into sub-segments.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2007-0114875 | 2007-11-12 | ||
KR1020070114875A KR100950900B1 (ko) | 2007-11-12 | 2007-11-12 | Protection method and protection system for distributed denial of service attack |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2009064114A2 (fr) | 2009-05-22 |
WO2009064114A3 (fr) | 2009-07-02 |
Family
ID=40639310
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2008/006673 WO2009064114A2 (fr) | 2007-11-12 | 2008-11-12 | Protection method and system for countering a distributed denial of service attack |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR100950900B1 (fr) |
WO (1) | WO2009064114A2 (fr) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110055921A1 (en) * | 2009-09-03 | 2011-03-03 | Juniper Networks, Inc. | Protecting against distributed network flood attacks |
WO2011099773A2 (fr) * | 2010-02-10 | 2011-08-18 | 주식회사 유섹 | System and method for protecting against distributed denial of service attack traffic |
GB2494384A (en) * | 2011-08-31 | 2013-03-13 | Metaswitch Networks Ltd | Handling Potentially Malicious Communication Activity |
US8914878B2 (en) | 2009-04-29 | 2014-12-16 | Juniper Networks, Inc. | Detecting malicious network software agents |
US9531749B2 (en) | 2014-08-07 | 2016-12-27 | International Business Machines Corporation | Prevention of query overloading in a server application |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101042226B1 (ko) * | 2009-08-13 | 2011-06-16 | 이니텍(주) | Method for blocking distributed denial of service attacks using a network filter that monitors a white list and a dummy web server |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040054924A1 (en) * | 2002-09-03 | 2004-03-18 | Chuah Mooi Choo | Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks |
JP2004248185A (ja) * | 2003-02-17 | 2004-09-02 | Nippon Telegr & Teleph Corp <Ntt> | Network-based distributed denial of service attack defense system and communication device |
JP2006164038A (ja) * | 2004-12-09 | 2006-06-22 | Nippon Telegr & Teleph Corp <Ntt> | Method, network device, and analysis device for dealing with DoS or DDoS attacks |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
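KR100479202B1 (ko) * | 2002-12-26 | 2005-03-28 | 한국과학기술정보연구원 | System and method for responding to distributed denial of service attacks, and recording medium storing the program |
CN100370757C (zh) * | 2004-07-09 | 2008-02-20 | 国际商业机器公司 | Method and system for identifying distributed denial of service attacks within a network and defending against the attacks |
KR100608136B1 (ko) | 2005-02-18 | 2006-08-08 | 재단법인서울대학교산학협력재단 | Method for improving security performance in stateful inspection of TCP connections |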
US8089871B2 (en) * | 2005-03-25 | 2012-01-03 | At&T Intellectual Property Ii, L.P. | Method and apparatus for traffic control of dynamic denial of service attacks within a communications network |
- 2007-11-12: KR application KR1020070114875A, patent KR100950900B1 (ko), active, IP Right Grant
- 2008-11-12: WO application PCT/KR2008/006673, patent WO2009064114A2 (fr), active, Application Filing
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9344445B2 (en) | 2009-04-29 | 2016-05-17 | Juniper Networks, Inc. | Detecting malicious network software agents |
US8914878B2 (en) | 2009-04-29 | 2014-12-16 | Juniper Networks, Inc. | Detecting malicious network software agents |
US8789173B2 (en) * | 2009-09-03 | 2014-07-22 | Juniper Networks, Inc. | Protecting against distributed network flood attacks |
EP2293513A1 (fr) | 2009-09-03 | 2011-03-09 | Juniper Networks, Inc. | Protection against distributed network flood attacks |
CN102014116A (zh) * | 2009-09-03 | 2011-04-13 | 丛林网络公司 | Defending against distributed network flood attacks |
US20110055921A1 (en) * | 2009-09-03 | 2011-03-03 | Juniper Networks, Inc. | Protecting against distributed network flood attacks |
CN102014116B (zh) * | 2009-09-03 | 2015-01-21 | 丛林网络公司 | Defending against distributed network flood attacks |
WO2011099773A2 (fr) * | 2010-02-10 | 2011-08-18 | 주식회사 유섹 | System and method for protecting against distributed denial of service attack traffic |
WO2011099773A3 (fr) * | 2010-02-10 | 2011-12-15 | 주식회사 유섹 | System and method for protecting against distributed denial of service attack traffic |
GB2494384B (en) * | 2011-08-31 | 2013-07-24 | Metaswitch Networks Ltd | Handling potentially malicious communication activity |
GB2494384A (en) * | 2011-08-31 | 2013-03-13 | Metaswitch Networks Ltd | Handling Potentially Malicious Communication Activity |
US9537875B2 (en) | 2011-08-31 | 2017-01-03 | Metaswitch Networks Ltd. | Handling potentially malicious communication activity |
US9531749B2 (en) | 2014-08-07 | 2016-12-27 | International Business Machines Corporation | Prevention of query overloading in a server application |
Also Published As
Publication number | Publication date |
---|---|
WO2009064114A3 (fr) | 2009-07-02 |
KR20090048819A (ko) | 2009-05-15 |
KR100950900B1 (ko) | 2010-04-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08850658; Country of ref document: EP; Kind code of ref document: A2 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 08850658; Country of ref document: EP; Kind code of ref document: A2 |