
WO2009064114A2 - Protection method and system for distributed denial of service attack - Google Patents


Info

Publication number: WO2009064114A2 (other version: WO2009064114A3)
Authority: WO, WIPO (PCT)
Application number: PCT/KR2008/006673
Prior art keywords: traffic, attack, segments, target server, distributed denial
Legal status: Ceased (Google lists this status as an assumption, not a legal conclusion)
Other languages: French (fr)
Inventors: Jong Hyun Lee, Young Gon Kim
Original assignee: Ahnlab Inc (application filed by Ahnlab Inc)
Current assignee: Ahnlab Inc (Google notes the assignee list may be inaccurate)
Priority date:
Filing date:
Publication date:

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F15/00 Digital computers in general; Data processing equipment in general > G06F15/16 Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1458 Denial of Service
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 > H04L2463/141 Denial of service attacks against endpoints in a network

Definitions

  • the present invention relates to a protection method and system for a distributed denial of service attack; and, more particularly, to a protection method and system for a distributed denial of service attack, which occurs in a network, via a multi-stage countermeasure.
  • Since a variety of attack tools is disclosed today, anyone can easily deliver a DDoS attack on an attack target by using corresponding attack tools, which causes relatively serious damage to the attack target. Hence, techniques to protect against DDoS attacks are being widely used.
  • DDoS attacks are classified into attacks using a TCP (Transmission Control Protocol) connection establishment procedure and attacks saturating an attack target with meaningless traffic.
  • a representative attack using the TCP connection establishment procedure is the TCP SYN flooding attack, which abuses the 3-way handshaking performed during the TCP connection establishment procedure.
  • the 3-way handshaking is performed as follows. First, a client desiring to establish a connection with a server sends to the server a SYN packet containing a port number of the server and an ISN (Initial Sequence Number) of the client. Next, the server sends to the client a SYN-ACK packet containing an ISN of the server and ISN+1, which is obtained by increasing the ISN of the client by one, and the client then sends to the server an ACK packet in response to the SYN-ACK packet.
  • the TCP connection is established via the above-described three steps.
  • the attacks using the TCP connection establishment procedure are implemented by omitting the last step, i.e., the third step, and sending a flood of SYN packets to the server, which exhausts buffers (backlogs) of the server to thereby disable the server from establishing more connections.
  • in the attacks flooding an attack target with meaningless traffic, an attacker sends to the attack target a flood of UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) packets, or generates a flood of normal HTTP (Hypertext Transfer Protocol) requests.
  • Some conventional protection techniques for the above-described DDoS attacks are implemented by improving a server-side TCP algorithm or adjusting traffic amount.
  • Techniques improving the server-side TCP algorithm modify a TCP connection establishment algorithm to distinguish spoofed client IP addresses or to block ill-intentioned connection establishment attempts.
  • Such protection techniques cannot protect attack targets from an attack, e.g., the F5 attack, in which normal TCP connections are flooded.
  • Protection methods for a DDoS attack include steps for detecting the DDoS attack and for analyzing the detected attack to protect an attack target.
  • detecting the DDoS attack is performed based on a threshold value on traffic.
  • an allowable threshold value on traffic according to a status of a network is set in advance or determined dynamically, and traffic passing through the network is then monitored to inspect whether the traffic exceeds the allowable threshold value. If the traffic exceeds the allowable threshold value and source addresses of the traffic are widely distributed, it is determined that a DDoS attack occurs.
  • a countermeasure against the DDoS attack is taken, in general, by adjusting traffic amount toward the attack target or by adjusting the amount of traffic associated with specific services.
  • since DDoS attacks are attacks in which a number of attacking clients generates a flood of traffic concentrated on a specific attack target, i.e., a server to be attacked, it is difficult to distinguish legitimate clients from attacking clients. Further, if a maximum allowable bandwidth is set, traffic associated with the legitimate clients may also be blocked. That is, considering the attack patterns of DDoS attacks, simply restricting the traffic cannot efficiently block the DDoS attacks and causes a problem in that legitimate services may also be restricted.
  • the present invention provides an efficient protection method and system for a DDoS attack.
  • the present invention provides a method and system for efficiently distinguishing, if it is determined that a DDoS attack occurs, legitimate traffic and illegitimate traffic and selectively restricting inbound traffic toward an attack target by segmenting a network according to IP addresses.
  • a protection method for a distributed denial of service attack including: segmenting a network based on source IP addresses of traffic;
  • Preferably, in segmenting the network, an entire IP area of the network is segmented into main-segments and each of the main-segments is segmented into sub-segments.
  • the traffic toward the attack target server is classified into legitimate traffic and illegitimate traffic, and the illegitimate traffic is restricted.
  • the specific threshold value is derived based on normal status of the network before the distributed denial of service attack occurs.
  • a protection system for a distributed denial of service attack including: an attack detecting unit for monitoring traffic to detect occurrence of the distributed denial of service attack and find an attack target server; and a traffic restriction unit for performing filtering to restrict traffic having source addresses belonging to IP areas in which traffic toward the attack target server exceeds a specific threshold value.
  • the protection system may further include a traffic blocking unit for classifying the traffic toward the attack target server into legitimate traffic and illegitimate traffic and restricting the illegitimate traffic.
  • if a DDoS attack occurs, in a first stage, traffic is filtered by distinguishing illegitimate traffic and legitimate traffic, thereby guaranteeing availability of a server.
  • in a second stage, traffic restriction is selectively performed on IP areas associated with an attacker, thereby guaranteeing connections of legitimate users.
  • since the illegitimate traffic and the legitimate traffic are distinguished by analyzing legitimate traffic in the past as well as current traffic, a large amount of traffic generated by legitimate users can be distinguished from attack traffic and can pass without being blocked.
  • FIG. 1 illustrates a configuration diagram of a network for protecting against DDoS attacks
  • FIG. 2 illustrates a configuration diagram of a DDoS attack protection system in accordance with an embodiment of the present invention
  • FIG. 3 illustrates a flowchart of operation of the DDoS attack protection system of Fig. 2;
  • FIG. 4 illustrates an exemplary SYN cookie processing in the spoofing traffic blocking unit of Fig. 2;
  • FIG. 5 illustrates an exemplary segment filtering process in the area-based traffic restriction unit of Fig. 2;
  • Fig. 6 illustrates a flowchart of registering a new attack target server and adding a segment restriction in the DDoS attack protection system of Fig. 2;
  • Fig. 7 illustrates a flowchart of performing segment filtering in the DDoS attack protection system of Fig. 2.
  • Fig. 1 illustrates a configuration diagram of a network for protecting against DDoS attacks.
  • An internal network 120 includes a general router 121, a general switch 122 and an internal system 123.
  • An external network 110 includes the Internet 111, attacker's computer 112 and attacking points (sources) 113 which are zombie computers for use in attacks along with the attacker's computer 112. Further, a DDoS attack protection system 130 is interposed between the router 121 and the switch 122.
  • Fig. 2 illustrates a configuration diagram of a DDoS attack protection system in accordance with an embodiment of the present invention.
  • the DDoS protection system 130 may be configured in connection with other functional blocks in a hardware device.
  • a hardware device including a kernel which is a general or specialized operating system, a firewall operating on the kernel, an IPS (Intrusion Prevention System), a VPN (Virtual Private Network) functional block and an application proxy associated with various application programs, the IPS may have the DDoS attack protection system 130.
  • the DDoS attack protection system 130 includes an attack detecting unit 132 for detecting a DDoS attack and an attack blocking unit 134 for blocking DDoS attack traffic.
  • the attack blocking unit 134 has a spoofing traffic blocking unit 136, which uses SYN cookies to distinguish and filter legitimate traffic and illegitimate traffic, and an area-based traffic restriction unit 138, which protects against the attack on the basis of subnetwork.
  • Fig. 3 illustrates a flowchart of operation of the DDoS attack protection system 130 of Fig. 2.
  • first, a network is segmented based on source IP areas of traffic toward a server (step S310).
  • the attack detecting unit 132 determines whether a DDoS attack occurs and checks an IP address of the server, which is an attack target server (step S320). Such determination is carried out by using a preset or automatically-set threshold value. If it is determined in the step S320 that the DDoS attack occurs, corresponding information is sent to the attack blocking unit 134.
  • the attack blocking unit 134 performs more detailed analysis on the attack. To be specific, inbound traffic toward the attack target server is analyzed to distinguish legitimate traffic and illegitimate traffic (step S330, see Fig. 4). Then, an IP area-based traffic restriction is performed on subnetworks associated with the illegitimate traffic and subnetworks associated with excessively heavy legitimate traffic (steps S340 and S350). That is, traffic restriction according to a sub-segment filtering in the step S340 and a main-segment filtering in the step S350 are carried out sequentially or selectively (see, Fig. 5).
  • detecting the DDoS attack is performed based on a threshold value on traffic.
  • an allowable threshold value on traffic according to the status of the network is set in advance or determined dynamically, and traffic passing through the network is then monitored to inspect whether the traffic exceeds the allowable threshold value. If the traffic exceeds the allowable threshold value and source addresses of the traffic are widely distributed, it is determined that a DDoS attack occurs.
  • Fig. 4 illustrates an exemplary SYN cookie processing to distinguish legitimate traffic and illegitimate traffic in the spoofing traffic blocking unit 136 of Fig. 2.
  • Spoofing filtering is performed by using SYN cookies.
  • in order to distinguish legitimate traffic and illegitimate traffic, it is required to determine whether inbound traffic from outside is sent from real source addresses. For this purpose, if a first packet for TCP communications, i.e., a SYN packet, is received, a response packet, i.e., a SYN+ACK packet, is generated and forwarded to the source address, instead of forwarding the SYN packet to the internal system.
  • when a packet is received, it is determined whether the packet is a SYN packet. If the received packet is an outbound SYN packet toward outside, the packet is sent outside without being subjected to SYN cookie processing. Meanwhile, if the packet is an inbound SYN packet from outside, a session table is searched to find a corresponding session. If the corresponding session is not found, a corresponding response is subjected to the SYN cookie processing and a session is created.
  • Fig. 5 illustrates an exemplary segment filtering process in the area-based traffic restriction unit 138 of Fig. 2. The process shown in Fig. 5 is performed when the traffic amount exceeds a processing limit of the spoofing traffic blocking unit 136 of Fig. 4, or when a UDP or ICMP packet flooding occurs even though the packets are legitimate packets.
  • a segment is divided into main-segments and each main-segment is divided into sub-segments. That is, the main-segment and the sub-segment are an upper-class segmentation unit and a lower-class segmentation unit, respectively.
  • IPv4 (Internet Protocol version 4) addresses can be classified and managed statically. Further, such a management system can also be applied to network address systems other than IPv4 in the same manner.
  • legitimate traffic is updated for each main-segment in normal traffic conditions. If it is determined that an attack occurs, current traffic is compared with the legitimate traffic for each main-segment to find main-segments in which traffic amount increases suddenly. After that, each of thus found main-segments is divided into sub-segments, and traffic amount of each of the sub-segments is inspected to find sub-segments in which traffic is saturated. Traffic amount of each of thus found sub-segments is restricted to be below a specific level. As such, by accurately detecting sub-segments in which traffic is suddenly flooded, traffic restriction can be selectively performed, which guarantees desired services to legitimate users in IP areas other than the restricted IP areas.
  • if attack points are widely distributed all over the network, i.e., if the number of randomly spoofed IP addresses of the attacking points (sources) exceeds a processing limit of a device, the IP areas become widely distributed.
  • in that case, traffic restriction is carried out via the main-segment filtering.
  • here, the traffic restriction, i.e., the filtering, means restriction of the amount of traffic per second.
  • Fig. 6 illustrates a flowchart of registering a new attack target server and adding a segment restriction in the DDoS attack protection system 130 of Fig. 2.
  • step S601 determines whether the attack target server has already been registered in the target list. If it is determined in the step S601 that the attack target server has already been registered in the target list, a frequency of repeated-call is checked (step S603). If it is determined in the step S603 that the frequency of repeated-call is equal to or greater than a preset maximum frequency of repeated-call, a maximum hit count of a corresponding main-segment is decreased (step S605). If it is determined in the step S603 that the frequency of repeated-call is smaller than the maximum frequency of repeated-call, the corresponding main-segment is searched for in a main-segment list (step S609).
  • if it is determined in the step S601 that the attack target server has not yet been registered in the target list, the attack target server is newly registered in the target list (step S607), and the corresponding main-segment is searched for in the main-segment list in the step S609.
  • in step S611, it is determined whether the corresponding main-segment is one of the existing attacking main-segments. If it is determined in the step S611 that the corresponding main-segment is an existing attacking main-segment, a maximum hit count of a corresponding sub-segment is decreased (step S613), thereby performing sub-segment filtering. If it is determined in the step S611 that the corresponding main-segment is not an existing attacking main-segment, the number of main-segments determined to be attacking main-segments is checked (step S615).
  • if it is determined in the step S615 that the number of main-segments determined to be attacking main-segments is equal to or greater than a preset maximum value, only main-segment filtering is performed without performing sub-segment filtering (step S617). If it is determined in the step S615 that the number of main-segments determined to be attacking main-segments is smaller than the preset maximum value, additional sub-segment filtering is performed (step S619).
  • Fig. 7 illustrates a flowchart of performing segment filtering in the DDoS attack protection system 130 of Fig. 2.
  • a destination IP address of a SYN packet is checked to determine whether the packet is destined to a target server (step S701). If it is determined in the step S701 that the destination IP address is the address of the target server, it is determined whether to perform sub-segment filtering or to perform main-segment filtering (step S703). If it is determined in the step S703 that the packet is to be subjected to main-segment filtering, the main-segment filtering is performed by using a maximum hit count (step S705).
  • if it is determined in the step S703 that the packet is to be subjected to sub-segment filtering, it is determined whether the sub-segment to which the source address of the packet belongs is an attacking sub-segment (step S707). If it is determined in the step S707 that the sub-segment is an attacking sub-segment, expiration of the validity time is checked (step S709). If it is determined in the step S709 that the packet is valid, a corresponding sub-segment list is searched to find the currently attacking sub-segment (step S711), thereby performing sub-segment filtering (step S713).
  • if it is determined in the step S709 that the packet is invalid, the sub-segment filtering in the step S713 is directly performed. If it is determined in the step S707 that the sub-segment is not an attacking sub-segment, a hit count of the corresponding sub-segment is updated (step S715) and the packet is passed.
  • if it is determined in the step S701 that the destination IP address is not the address of the target server, expiration of the validity time is checked (step S717) and the hit count of the corresponding main-segment is updated (step S719), thereby passing the packet.
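The segment filtering of Figs. 5 to 7 (items above on the main-/sub-segment split, the baseline comparison, the maximum hit counts and the validity time) is illustrated by the following Python, which is an example added for this page and not code from the patent or from Ahnlab. Everything concrete in it is an assumption not stated on the page: a main-segment is taken as the /8 and a sub-segment as the /16 of the source address; a main-segment "increases suddenly" when its packets per second exceed SURGE_FACTOR times the legitimate baseline learned in normal conditions; a sub-segment is "saturated" above SUB_SATURATION packets per second; a restriction is a maximum hit count per one-second window that expires after VALIDITY_SECONDS; and when MAX_ATTACKING_MAINS or more main-segments surge, only main-segment filtering is installed (the step S617 case). The packets are assumed to be already known as destined for the attack target server, and the repeated-call tightening of Fig. 6 is left out.

```python
"""Area-based traffic restriction (Figs. 5 to 7), added illustration, not the patent's code.

Assumed, not from the patent: main-segment = /8 and sub-segment = /16 of the source
address; a main-segment "increases suddenly" above SURGE_FACTOR x its learned baseline;
a sub-segment is "saturated" above SUB_SATURATION packets/s; a restriction is a maximum
hit count per one-second window that expires after VALIDITY_SECONDS; with
MAX_ATTACKING_MAINS or more surging main-segments only main-segment filtering is used.
"""
import ipaddress
from collections import Counter, defaultdict

SURGE_FACTOR = 2.0
SUB_SATURATION = 100
SUB_MAX_HITS = 20          # packets/s still passed from a restricted sub-segment
MAIN_MAX_HITS = 50         # packets/s still passed from a restricted main-segment
VALIDITY_SECONDS = 60
MAX_ATTACKING_MAINS = 3


def main_segment(ip):
    return str(ipaddress.ip_network(f"{ip}/8", strict=False))


def sub_segment(ip):
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


class AreaBasedRestriction:
    def __init__(self):
        self.totals = defaultdict(int)   # main-segment -> packets seen in normal samples
        self.samples = 0                 # number of one-second normal samples learned
        self.restricted = {}             # segment -> (max hit count, expiry time)
        self.hits = Counter()            # (second, segment) -> hit count

    def baseline(self, seg):
        """Legitimate packets/s for a main-segment, averaged over normal conditions."""
        return self.totals[seg] / self.samples if self.samples else 0.0

    def learn(self, sources):
        """Normal-condition sample: one source address per packet seen in one second."""
        self.samples += 1
        for seg, n in Counter(main_segment(s) for s in sources).items():
            self.totals[seg] += n

    def on_attack(self, sources, now):
        """Fig. 5: locate surging main-segments, then saturated sub-segments inside them,
        and install restrictions. Returns (surging mains, restricted subs)."""
        current = Counter(main_segment(s) for s in sources)
        surged = sorted(seg for seg, n in current.items()
                        if n > SURGE_FACTOR * self.baseline(seg))
        if len(surged) >= MAX_ATTACKING_MAINS:   # S615/S617: areas too spread, main filtering only
            for seg in surged:
                self.restricted[seg] = (MAIN_MAX_HITS, now + VALIDITY_SECONDS)
            return surged, []
        subs = Counter(sub_segment(s) for s in sources if main_segment(s) in surged)
        saturated = sorted(sub for sub, n in subs.items() if n > SUB_SATURATION)
        for sub in saturated:                     # S619: sub-segment filtering
            self.restricted[sub] = (SUB_MAX_HITS, now + VALIDITY_SECONDS)
        return surged, saturated

    def process(self, src, now):
        """Fig. 7 per-packet decision for a packet toward the target: True = pass."""
        for seg in (sub_segment(src), main_segment(src)):   # S703: sub first, then main
            entry = self.restricted.get(seg)
            if entry is None:
                continue
            limit, expires = entry
            if expires <= now:                    # S709/S717: validity expired, lift it
                del self.restricted[seg]
                continue
            key = (int(now), seg)                 # S705/S713: count hits per one-second window
            self.hits[key] += 1
            return self.hits[key] <= limit
        return True                               # S715/S719: not restricted, pass


# Constructed sample traffic (addresses chosen for the example only).
LEGIT_A = [f"203.0.113.{i % 250 + 1}" for i in range(50)]    # 50 pkt/s from 203.0.0.0/16
LEGIT_B = [f"198.51.100.{i % 250 + 1}" for i in range(40)]   # 40 pkt/s from 198.51.0.0/16
FLOOD = [f"203.1.5.{i % 250 + 1}" for i in range(150)]        # 150 pkt/s from 203.1.0.0/16


def demo():
    unit = AreaBasedRestriction()
    for _ in range(3):
        unit.learn(LEGIT_A + LEGIT_B)              # baseline: 203/8 -> 50, 198/8 -> 40
    attack_second = LEGIT_A + LEGIT_B + FLOOD
    surged, saturated = unit.on_attack(attack_second, now=100.0)
    decisions = [unit.process(s, 100.5) for s in attack_second]
    after_expiry = unit.process(FLOOD[0], 100.0 + VALIDITY_SECONDS)
    return surged, saturated, decisions.count(True), decisions.count(False), after_expiry


if __name__ == "__main__":
    print(demo())
```

In the constructed attack second, only the /16 that is flooding is restricted: the 50 legitimate packets from the neighbouring /16 inside the same surging /8, and the 40 from the unaffected /8, all pass, which is the selective restriction the Fig. 5 text describes. Once the validity time has elapsed the entry is dropped and traffic from that sub-segment passes again.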

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A protection method for a distributed denial of service attack includes: segmenting a network based on source IP addresses of traffic; monitoring the traffic to detect occurrence of the distributed denial of service attack and find an attack target server; and performing, on segments in which traffic toward the attack target server exceeds a specific threshold value, filtering for traffic restriction. Preferably, in segmenting the network, an entire IP area of the network is segmented into main-segments and each of the main-segments is segmented into sub-segments.

Description

PROTECTION METHOD AND SYSTEM FOR DISTRIBUTED DENIAL OF SERVICE ATTACK
Technical Field
[1] The present invention relates to a protection method and system for a distributed denial of service attack; and, more particularly, to a protection method and system for a distributed denial of service attack, which occurs in a network, via a multi-stage countermeasure.
Background Art
[3] DDoS (Distributed Denial of Service) attacks disable legitimate users from being provided with desired services by exhausting resources of a network or of an internal system. Since a variety of attack tools is disclosed today, anyone can easily deliver a DDoS attack on an attack target by using corresponding attack tools, which causes a relatively serious damage to the attack target. Hence, techniques to protect against the DDoS attacks are being widely used.
[4] However, most of the techniques protect the attack targets by simply restricting inbound traffic thereto, and thus, they cannot classify legitimate traffic and attack traffic to perform proper traffic processing.
[5] The DDoS attacks are classified into attacks using a TCP (Transmission Control Protocol) connection establishment procedure and attacks saturating an attack target with meaningless traffic. A representative attack using the TCP connection establishment procedure is the TCP SYN flooding attack, which abuses the 3-way handshaking performed during the TCP connection establishment procedure.
[6] The 3-way handshaking is performed as follows. First, a client desiring to establish a connection with a server sends to the server a SYN packet containing a port number of the server and an ISN (Initial Sequence Number) of the client. Next, the server sends to the client a SYN-ACK packet containing an ISN of the server and ISN+1, which is obtained by increasing the ISN of the client by one, and the client then sends to the server an ACK packet in response to the SYN-ACK packet. The TCP connection is established via the above-described three steps. The attacks using the TCP connection establishment procedure are implemented by omitting the last step, i.e., the third step, and sending a flood of SYN packets to the server, which exhausts buffers (backlogs) of the server to thereby disable the server from establishing more connections.
[7] In the attacks flooding an attack target with meaningless traffic, e.g., the F5 attack or a cyber-demonstration, an attacker sends to the attack target a flood of UDP (User Datagram Protocol) or ICMP (Internet Control Message Protocol) packets, or generates a flood of normal HTTP (Hypertext Transfer Protocol) requests. In the attacks using the ICMP packets, e.g., the Ping flooding attack or the Smurf attack, an attacker sends a flood of ICMP Echo packets to the attack target.
[8] Some conventional protection techniques for the above-described DDoS attacks are implemented by improving a server-side TCP algorithm or adjusting traffic amount. Techniques improving the server-side TCP algorithm modify a TCP connection establishment algorithm to distinguish spoofed client IP addresses or to block ill-intentioned connection establishment attempts. Such protection techniques, however, cannot protect attack targets from an attack, e.g., the F5 attack, in which normal TCP connections are flooded.
[9] Protection methods for a DDoS attack include steps for detecting the DDoS attack and for analyzing the detected attack to protect an attack target. In general, detecting the DDoS attack is performed based on a threshold value on traffic. To be specific, an allowable threshold value on traffic according to a status of a network is set in advance or determined dynamically, and traffic passing through the network is then monitored to inspect whether the traffic exceeds the allowable threshold value. If the traffic exceeds the allowable threshold value and source addresses of the traffic are widely distributed, it is determined that a DDoS attack occurs.
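The detection rule in [9] (also repeated in the Definitions list above) has two conditions: traffic toward the server exceeds an allowable threshold derived from the network's normal status, and the source addresses are widely distributed. The Python below is an example added for this page, not code from the patent or from Ahnlab. Its concrete choices are assumptions the page does not make: the threshold is the mean plus three standard deviations of the per-second byte rate observed in normal conditions, dispersion is measured as the number of distinct /24 source prefixes within a second with MIN_DISTINCT_SOURCES as the cut-off, and the flow records are constructed tuples of (second, source, destination, bytes).

```python
"""Threshold-based DDoS detection with a source-dispersion check (added illustration).

Not code from the patent. Constructed assumptions: flow records are tuples of
(second, source IP, destination IP, bytes); the dynamic threshold is the mean plus
three population standard deviations of the per-second byte rate seen toward the
server in normal conditions; "widely distributed" means at least
MIN_DISTINCT_SOURCES distinct /24 source prefixes within the flagged second.
"""
import ipaddress
import statistics
from collections import defaultdict

MIN_DISTINCT_SOURCES = 8   # assumed dispersion cut-off


def per_second_rates(records, dst):
    """Bytes per second toward dst, keyed by the second they were seen in."""
    rates = defaultdict(int)
    for sec, _src, rec_dst, nbytes in records:
        if rec_dst == dst:
            rates[sec] += nbytes
    return rates


def derive_threshold(normal_records, dst):
    """Allowable threshold derived from the network's normal status (mean + 3 sigma)."""
    rates = list(per_second_rates(normal_records, dst).values())
    return statistics.fmean(rates) + 3 * statistics.pstdev(rates)


def source_prefixes(records, dst, sec):
    """Distinct /24 source prefixes that sent traffic to dst during one second."""
    return {
        ipaddress.ip_network(f"{src}/24", strict=False)
        for s, src, d, _ in records
        if s == sec and d == dst
    }


def detect(records, dst, threshold):
    """Seconds in which traffic toward dst exceeds the threshold AND comes from
    widely distributed sources; returns (second, bytes, distinct prefixes) per hit."""
    flagged = []
    for sec, rate in sorted(per_second_rates(records, dst).items()):
        if rate > threshold:
            prefixes = source_prefixes(records, dst, sec)
            if len(prefixes) >= MIN_DISTINCT_SOURCES:
                flagged.append((sec, rate, len(prefixes)))
    return flagged


# Constructed sample traffic toward one server (documentation addresses only).
TARGET = "198.51.100.10"
NORMAL = [
    (sec, f"192.0.2.{1 + sec % 3}", TARGET, nbytes)
    for sec, nbytes in enumerate([1000, 1100, 1200] * 3 + [1000])
]
# Second 10: 20 sources from 20 different /24s, 500 bytes each -> 10000 bytes.
FLOOD = [(10, f"10.0.{k}.1", TARGET, 500) for k in range(20)]
# Second 11: one legitimate client bursts to 5000 bytes; above threshold but not distributed.
SINGLE_BURST = [(11, "192.0.2.1", TARGET, 5000)]

if __name__ == "__main__":
    th = derive_threshold(NORMAL, TARGET)
    print(f"threshold: {th:.1f} bytes/s")
    print("flagged seconds:", detect(NORMAL + FLOOD + SINGLE_BURST, TARGET, th))
```

The single-client burst in second 11 is above the threshold but is deliberately not flagged, because the second condition (widely distributed sources) fails; that is the distinction [9] draws between a DDoS attack and plain heavy traffic, and it is also why [10] warns that a bare bandwidth cap would cut off such a client.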
[10] If it is determined that the DDoS attack occurs, a countermeasure against the DDoS attack is taken, in general, by adjusting traffic amount toward the attack target or by adjusting the amount of traffic associated with specific services. However, since DDoS attacks are attacks in which a number of attacking clients generates a flood of traffic concentrated to a specific attack target, i.e., a server to be attacked, to attack the attack target, it is difficult to distinguish legitimate clients and attacking clients. Further, if a maximum allowable bandwidth is set, traffic associated with the legitimate clients may also be blocked. That is, considering attack patterns of the DDoS attacks, simply restricting the traffic cannot efficiently block the DDoS attacks and causes a problem in that legitimate services may also be restricted.
Disclosure of Invention Technical Problem
[12] In view of the above, the present invention provides an efficient protection method and system for a DDoS attack. To be specific, the present invention provides a method and system for efficiently distinguishing, if it is determined that a DDoS attack occurs, legitimate traffic and illegitimate traffic and selectively restricting inbound traffic toward an attack target by segmenting a network according to IP addresses.
Technical Solution
[14] In accordance with an aspect of the invention, there is provided a protection method for a distributed denial of service attack, the method including:
[15] segmenting a network based on source IP addresses of traffic;
[16] monitoring the traffic to detect occurrence of the distributed denial of service attack and find an attack target server; and
[17] performing, on segments in which traffic toward the attack target server exceeds a specific threshold value, filtering for traffic restriction.
[18] Preferably, in segmenting the network, an entire IP area of the network is segmented into main-segments and each of the main-segments is segmented into sub-segments.
[19] Preferably, in performing the filtering, the traffic toward the attack target server is classified into legitimate traffic and illegitimate traffic, and the illegitimate traffic is restricted.
[20] Preferably, the specific threshold value is derived based on the normal status of the network before the distributed denial of service attack occurs.
[21] In accordance with another aspect of the invention, there is provided a protection system for a distributed denial of service attack, the system including:
[22] an attack detecting unit for monitoring traffic to detect occurrence of the distributed denial of service attack and find an attack target server; and
[23] a traffic restriction unit for performing filtering to restrict traffic having source addresses belonging to IP areas in which traffic toward the attack target server exceeds a specific threshold value.
[24] The protection system may further include a traffic blocking unit for classifying the traffic toward the attack target server into legitimate traffic and illegitimate traffic and restricting the illegitimate traffic.
Advantageous Effects
[26] According to the present invention, if a DDoS attack occurs, in a first stage, traffic is filtered by distinguishing illegitimate traffic and legitimate traffic, thereby guaranteeing availability of a server. In a second stage, traffic restriction is selectively performed on IP areas associated with an attacker, thereby guaranteeing connections of legitimate users. Further, since the illegitimate traffic and the legitimate traffic are distinguished by analyzing legitimate traffic in past as well as current traffic, a large amount of traffic generated by legitimate users can be distinguished from attack traffic and can pass without being blocked.
Brief Description of Drawings
[28] Fig. 1 illustrates a configuration diagram of a network for protecting against DDoS attacks;
[29] Fig. 2 illustrates a configuration diagram of a DDoS attack protection system in accordance with an embodiment of the present invention;
[30] Fig. 3 illustrates a flowchart of operation of the DDoS attack protection system of Fig. 2;
[31] Fig. 4 illustrates an exemplary SYN cookie processing in the spoofing traffic blocking unit of Fig. 2;
[32] Fig. 5 illustrates an exemplary segment filtering process in the area-based traffic restriction unit of Fig. 2;
[33] Fig. 6 illustrates a flowchart of registering a new attack target server and adding a segment restriction in the DDoS attack protection system of Fig. 2; and
[34] Fig. 7 illustrates a flowchart of performing segment filtering in the DDoS attack protection system of Fig. 2.
Best Mode for Carrying out the Invention
[36] Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings, which form a part hereof.
[37] Fig. 1 illustrates a configuration diagram of a network for protecting against DDoS attacks.
[38] An internal network 120 includes a general router 121, a general switch 122 and an internal system 123. An external network 110 includes the Internet 111, attacker's computer 112 and attacking points (sources) 113 which are zombie computers for use in attacks along with the attacker's computer 112. Further, a DDoS attack protection system 130 is interposed between the router 121 and the switch 122.
[39] An attacker fakes source addresses to specific addresses to deliver a DDoS attack to the internal system 123, which is an attack target system, via the Internet 111. In such case, the DDoS attack protection system 130 detects the attack and functions to protect against the attack.
[40] Fig. 2 illustrates a configuration diagram of a DDoS attack protection system in accordance with an embodiment of the present invention. The DDoS protection system 130 may be configured in connection with other functional blocks in a hardware device. For example, as shown in the drawing, in a hardware device including a kernel which is a general or specialized operating system, a firewall operating on the kernel, an IPS (Intrusion Prevention System), a VPN (Virtual Private Network) functional block and an application proxy associated with various application programs, the IPS may have the DDoS attack protection system 130.
[41] The DDoS attack protection system 130 includes an attack detecting unit 132 for detecting a DDoS attack and an attack blocking unit 134 for blocking DDoS attack traffic. The attack blocking unit 134 has a spoofing traffic blocking unit 136, which uses SYN cookies to distinguish and filter legitimate traffic from illegitimate traffic, and an area-based traffic restriction unit 138, which protects against the attack on a per-subnetwork basis.
[42] Fig. 3 illustrates a flowchart of operation of the DDoS attack protection system 130 of Fig. 2. First, a network is segmented based on source IP areas of traffic toward a server (step S310). The attack detecting unit 132 determines whether a DDoS attack occurs and checks an IP address of the server, which is an attack target server (step S320). Such determination is carried out by using a preset or automatically-set threshold value. If it is determined in the step S320 that the DDoS attack occurs, corresponding information is sent to the attack blocking unit 134.
[43] The attack blocking unit 134 performs a more detailed analysis of the attack. To be specific, inbound traffic toward the attack target server is analyzed to distinguish legitimate traffic from illegitimate traffic (step S330, see Fig. 4). Then, an IP area-based traffic restriction is performed on subnetworks associated with the illegitimate traffic and on subnetworks associated with excessively heavy legitimate traffic (steps S340 and S350). That is, traffic restriction by sub-segment filtering (step S340) and by main-segment filtering (step S350) is carried out sequentially or selectively (see Fig. 5).
[44] In general, DDoS attack detection is based on a traffic threshold value. To be specific, an allowable traffic threshold appropriate to the status of the network is set in advance or determined dynamically, and traffic passing through the network is then monitored to check whether it exceeds the allowable threshold. If the traffic exceeds the allowable threshold and its source addresses are widely distributed, it is determined that a DDoS attack is occurring.
[45] Fig. 4 illustrates an exemplary SYN cookie processing to distinguish legitimate traffic from illegitimate traffic in the spoofing traffic blocking unit 136 of Fig. 2. Spoofing filtering is performed by using SYN cookies. In order to distinguish legitimate traffic from illegitimate traffic, it is necessary to determine whether inbound traffic from outside is sent from real source addresses. For this purpose, if a first packet of a TCP connection, i.e., a SYN packet, is received, a response packet, i.e., a SYN+ACK packet, is generated and forwarded to the source address instead of forwarding the SYN packet to the internal system. At this time, the necessary cookie information is generated and inserted into the SYN+ACK packet forwarded to the source address, so that it can be verified whether an acknowledgement received from the respective source address is a legitimate acknowledgement. The source addresses from which legitimate acknowledgements are received are determined to be legitimate addresses and are guaranteed service.
[46] When a packet is received, it is determined whether the packet is a SYN packet. If the received packet is an outbound SYN packet, it is forwarded without being subjected to SYN cookie processing. If the packet is an inbound SYN packet from outside, a session table is searched for a corresponding session. If no corresponding session is found, the response is subjected to SYN cookie processing and a session is created.
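The SYN cookie exchange just described, as an added illustration that is not the patent's or AhnLab's code: an inbound SYN with no session entry is answered with a SYN+ACK whose initial sequence number is a keyed MAC over the connection 4-tuple and a coarse time slot, and only an ACK echoing that value (plus one) creates a session. The cookie layout (5-bit slot, 27-bit HMAC-SHA256 truncation), the two-slot validity window, the demo secret and the sample addresses are this example's assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real device would use a random, periodically rotated secret.
SECRET = b"constructed-demo-secret"


def syn_cookie(src_ip, src_port, dst_ip, dst_port, slot, secret=SECRET):
    """Build the ISN carried in the SYN+ACK: 5-bit time slot || 27-bit keyed MAC.

    The MAC covers the connection 4-tuple and the slot, so the device keeps no
    per-SYN state and a spoofed source cannot know the value it must echo back.
    (This layout is the example's assumption; the page does not specify one.)
    """
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode() + struct.pack(">I", slot)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((slot & 0x1F) << 27) | (int.from_bytes(mac[:4], "big") & 0x07FFFFFF)


def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now_slot, secret=SECRET):
    """An ACK is legitimate if ack-1 is a cookie minted in the current or previous slot."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    for s in (now_slot, now_slot - 1):
        if (s & 0x1F) == isn >> 27 and \
                syn_cookie(src_ip, src_port, dst_ip, dst_port, s, secret) == isn:
            return True
    return False


class SpoofingTrafficBlocker:
    """Fig. 4 logic: an inbound SYN with no session gets a cookie SYN+ACK instead of
    being forwarded; only sources that return a valid ACK obtain a session entry."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.sessions = set()  # established (src_ip, src_port, dst_ip, dst_port) tuples

    def on_inbound_syn(self, src_ip, src_port, dst_ip, dst_port, slot):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:          # session already exists: pass it through
            return "forward", None
        return "syn_ack", syn_cookie(src_ip, src_port, dst_ip, dst_port, slot, self.secret)

    def on_inbound_ack(self, src_ip, src_port, dst_ip, dst_port, ack_number, slot):
        if verify_ack(src_ip, src_port, dst_ip, dst_port, ack_number, slot, self.secret):
            self.sessions.add((src_ip, src_port, dst_ip, dst_port))
            return "legitimate"          # source address is real: create session, serve it
        return "drop"                    # spoofed or forged: never reaches the internal system


def demo():
    """Constructed exchange: a real client completes the handshake, a spoofer cannot."""
    blocker = SpoofingTrafficBlocker()
    server = ("198.51.100.10", 80)        # constructed target address (TEST-NET-2)
    # Real client: receives the SYN+ACK and echoes cookie + 1 as its ACK number.
    action, cookie = blocker.on_inbound_syn("203.0.113.5", 40000, *server, slot=7)
    real = blocker.on_inbound_ack("203.0.113.5", 40000, *server, cookie + 1, slot=7)
    # Spoofed source: the SYN+ACK went elsewhere, so any ACK the attacker sends is a guess.
    blocker.on_inbound_syn("203.0.113.77", 40001, *server, slot=7)
    forged = blocker.on_inbound_ack("203.0.113.77", 40001, *server, 0x12345678, slot=7)
    return action, real, forged
```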
[47] Fig. 5 illustrates an exemplary segment filtering process in the area-based traffic restriction unit 138 of Fig. 2. The process shown in Fig. 5 is performed when the traffic amount exceeds the processing limit of the spoofing traffic blocking unit 136 of Fig. 4, or when a UDP or ICMP packet flood occurs even though the individual packets are legitimate packets.
[48] A segment is divided into main-segments and each main-segment is divided into sub-segments. That is, the main-segment and the sub-segment are an upper-level segmentation unit and a lower-level segmentation unit, respectively. As for 32-bit IPv4 (Internet Protocol version 4) addresses, the upper sixteen bits are used as indexes for 65,535 main-segments and the next eight bits are used as indexes for 256 sub-segments, for example.
[49] That is, packets having source addresses in the range from 192.168.0.0 to 192.168.255.255 belong to the same main-segment, and packets having source addresses in the range from 192.168.0.0 to 192.168.0.255 belong to the same sub-segment. In this way, all IPv4 addresses can be classified and managed statically. Further, such a management scheme can also be applied to network address systems other than IPv4 in the same manner.
[50] Referring to Fig. 5, a legitimate-traffic baseline is updated for each main-segment under normal traffic conditions. If it is determined that an attack is occurring, current traffic is compared with the legitimate traffic of each main-segment to find main-segments in which the traffic amount increases suddenly. After that, each main-segment thus found is divided into sub-segments, and the traffic amount of each sub-segment is inspected to find sub-segments in which traffic is saturated. The traffic amount of each sub-segment thus found is restricted to below a specific level. As such, by accurately detecting the sub-segments in which traffic suddenly floods, traffic restriction can be performed selectively, which guarantees the desired services to legitimate users in IP areas other than the restricted ones.
[51] If the attacking points are widely distributed all over the network, i.e., if the number of randomly spoofed IP addresses of the attacking points (sources) exceeds the processing limit of the device, the IP areas involved become widely distributed. In such a case, since the memory load exceeds the processing limit of sub-segment filtering, traffic restriction is carried out via main-segment filtering. Here, the traffic restriction, i.e., the filtering, means restricting the amount of traffic per second.
[52] Fig. 6 illustrates a flowchart of registering a new attack target server and adding a segment restriction in the DDoS attack protection system 130 of Fig. 2.
[53] First, it is determined whether an attack target server, which is the target of a DDoS attack, has already been registered in a target list (step S601). If it is determined in step S601 that the attack target server has already been registered in the target list, a frequency of repeated calls is checked (step S603). If it is determined in step S603 that the frequency of repeated calls is equal to or greater than a preset maximum frequency of repeated calls, the maximum hit count of the corresponding main-segment is decreased (step S605). If it is determined in step S603 that the frequency of repeated calls is smaller than the maximum frequency of repeated calls, the corresponding main-segment is searched for in a main-segment list (step S609).
[54] Meanwhile, if it is determined in the step S601 that the attack target server has not yet been registered to the target list, the attack target server is newly registered to the target list (step S607), and the corresponding main-segment is searched for in the main-segment list in the step S609.
[55] Thereafter, it is determined whether the corresponding main-segment is one of the existing attacking main-segments (step S611). If it is determined in step S611 that the corresponding main-segment is an existing attacking main-segment, the maximum hit count of the corresponding sub-segment is decreased (step S613), thereby performing sub-segment filtering. If it is determined in step S611 that the corresponding main-segment is not an existing attacking main-segment, the number of main-segments determined to be attacking main-segments is checked (step S615). If it is determined in step S615 that this number is equal to or greater than a preset maximum value, only main-segment filtering is performed, without sub-segment filtering (step S617). If it is determined in step S615 that this number is smaller than the preset maximum value, additional sub-segment filtering is performed (step S619).
[56] Fig. 7 illustrates a flowchart of performing segment filtering in the DDoS attack protection system 130 of Fig. 2.
[57] First, a destination IP address of a SYN packet is checked to determine whether the packet is destined to a target server (step S701). If it is determined in the step S701 that the destination IP address is the address of the target server, it is determined whether to perform sub-segment filtering or to perform main-segment filtering (step S703). If it is determined in the step S703 that the packet is to be subjected to main-segment filtering, the main-segment filtering is performed by using a maximum hit count (step S705).
[58] If it is determined in step S703 that the packet is to be subjected to sub-segment filtering, it is determined whether the sub-segment to which the source address of the packet belongs is an attacking sub-segment (step S707). If it is determined in step S707 that the sub-segment is an attacking sub-segment, expiration of the validity time is checked (step S709). If it is determined in step S709 that the entry is still valid, the corresponding sub-segment list is searched to find the currently attacking sub-segment (step S711), and sub-segment filtering is performed (step S713). If it is determined in step S709 that the entry has expired, the sub-segment filtering of step S713 is performed directly. If it is determined in step S707 that the sub-segment is not an attacking sub-segment, the hit count of the corresponding sub-segment is updated (step S715) and the packet is passed.
[59] Meanwhile, if it is determined in the step S701 that the destination IP address is not the address of the target server, the expiration of validity time is checked (step S717) and the hit count of the corresponding main-segment is updated (step S719), thereby passing the packet.
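The segmentation of paragraphs [48] and [49], the Fig. 5 restriction planning and the Fig. 6/Fig. 7 decisions (main-only versus sub-segment filtering at steps S615/S617/S619, per-second maximum hit counts at S705/S713/S715) as one added worked example, not the patent's or AhnLab's code. The concrete thresholds (surge factor, saturation share, maximum number of attacking main-segments, baseline floor), the sample traffic and the omission of the per-target-server registration list of Fig. 6 are this example's assumptions.

```python
import ipaddress
from collections import Counter

def main_seg(ip):
    """Main-segment index: upper 16 bits of the IPv4 address (e.g. all of 192.168.0.0/16)."""
    return int(ipaddress.IPv4Address(ip)) >> 16

def sub_seg(ip):
    """Sub-segment index: upper 24 bits, i.e. the main-segment plus the next eight bits."""
    return int(ipaddress.IPv4Address(ip)) >> 8

class AreaBasedRestriction:
    """Area-based traffic restriction: per-second hit limits on attacking segments."""

    def __init__(self, surge_factor=4, min_baseline=5, sub_share=0.5, max_attacking_mains=8):
        self.surge_factor = surge_factor        # "sudden increase" = this multiple of baseline
        self.min_baseline = min_baseline        # floor so a never-seen segment is not limited to 0
        self.sub_share = sub_share              # sub-segment is "saturated" above this share
        self.max_attacking_mains = max_attacking_mains  # S615 limit before main-only filtering
        self.baseline = Counter()               # legitimate pkt/s per main-segment, normal times
        self.max_hits = {}                      # ("main"|"sub", index) -> max hit count per second

    def learn_baseline(self, sources):
        """Normal conditions (Fig. 5, top): record legitimate packets/s per main-segment."""
        for m, n in Counter(main_seg(s) for s in sources).items():
            self.baseline[m] = max(self.baseline[m], n)

    def plan(self, sources):
        """Attack detected: choose segments to restrict from one second of source addresses."""
        current = Counter(main_seg(s) for s in sources)
        self.max_hits = {}
        surging = [m for m, n in current.items()
                   if n > self.surge_factor * max(self.baseline[m], self.min_baseline)]
        if len(surging) >= self.max_attacking_mains:    # S617: too widespread, main-segments only
            for m in surging:
                self.max_hits[("main", m)] = max(self.baseline[m], self.min_baseline)
            return "main"
        for m in surging:                               # S619: drill down into sub-segments
            subs = Counter(sub_seg(s) for s in sources if main_seg(s) == m)
            for idx, n in subs.items():
                if n >= self.sub_share * current[m]:    # saturated sub-segment -> restrict it
                    self.max_hits[("sub", idx)] = max(self.baseline[m], self.min_baseline)
        return "sub"

    def filter_second(self, sources):
        """Fig. 7 filtering for one second of packets; returns (passed, dropped) source lists."""
        hits, passed, dropped = Counter(), [], []
        for s in sources:
            keys = (("sub", sub_seg(s)), ("main", main_seg(s)))
            limited = [k for k in keys if k in self.max_hits]
            if any(hits[k] >= self.max_hits[k] for k in limited):
                dropped.append(s)                       # segment is over its max hit count
                continue
            for k in limited:
                hits[k] += 1                            # S715/S719: update hit count, pass
            passed.append(s)
        return passed, dropped

# Constructed sample traffic (documentation ranges); each list is one second of source IPs.
NORMAL = [f"203.0.5.{i}" for i in range(10)] + [f"198.51.100.{i}" for i in range(20)]
FLOOD = [f"203.0.113.{i % 256}" for i in range(400)]     # one sub-segment of main-segment 203.0

def demo(attack_second=None):
    """Learn the baseline from NORMAL, then plan and apply restriction for an attack second."""
    second = attack_second or NORMAL + FLOOD
    r = AreaBasedRestriction()
    r.learn_baseline(NORMAL)
    mode = r.plan(second)
    passed, dropped = r.filter_second(second)
    return mode, len(passed), len(dropped), sorted(r.max_hits)
```

With the default flood, only the saturated sub-segment 203.0.113.x is throttled to the main-segment's baseline rate, while the legitimate users in 203.0.5.x (same main-segment) and 198.51.100.x pass untouched; a flood spread over many main-segments instead falls back to main-segment filtering.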
[60] While the invention has been shown and described with respect to the embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the scope of the invention as defined in the following claims.
Claims
[1] A protection method for a distributed denial of service attack, the method comprising: segmenting a network based on source IP addresses of traffic; monitoring the traffic to detect occurrence of the distributed denial of service attack and find an attack target server; and performing, on segments in which traffic toward the attack target server exceeds a specific threshold value, filtering for traffic restriction.
[2] The protection method of claim 1, wherein, in segmenting the network, an entire IP area of the network is segmented into main-segments and each of the main-segments is segmented into sub-segments.
[3] The protection method of claim 1, wherein, in performing the filtering, the traffic toward the attack target server is classified into legitimate traffic and illegitimate traffic, and the illegitimate traffic is restricted.
[4] The protection method of claim 2, wherein, in performing the filtering, the traffic toward the attack target server is classified into legitimate traffic and illegitimate traffic, and the illegitimate traffic is restricted.
[5] The protection method of claim 1, wherein the specific threshold value is derived based on normal status of the network before the distributed denial of service attack occurs.
[6] The protection method of claim 2, wherein the specific threshold value is derived based on normal status of the network before the distributed denial of service attack occurs.
[7] A protection system for a distributed denial of service attack, the system comprising: an attack detecting unit for monitoring traffic to detect occurrence of the distributed denial of service attack and find an attack target server; and a traffic restriction unit for performing filtering to restrict traffic having source addresses belonging to IP areas in which traffic toward the attack target server exceeds a specific threshold value.
[8] The protection system of claim 7, further comprising a traffic blocking unit for classifying the traffic toward the attack target server into legitimate traffic and illegitimate traffic and restricting the illegitimate traffic.
PCT/KR2008/006673 2007-11-12 2008-11-12 Protection method and system for distributed denial of service attack Ceased WO2009064114A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2007-0114875 2007-11-12
KR1020070114875A KR100950900B1 (en) 2007-11-12 2007-11-12 Distributed service denial attack defense method and defense system

Publications (2)

Publication Number Publication Date
WO2009064114A2 true WO2009064114A2 (en) 2009-05-22
WO2009064114A3 WO2009064114A3 (en) 2009-07-02

Family

ID=40639310

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2008/006673 Ceased WO2009064114A2 (en) 2007-11-12 2008-11-12 Protection method and system for distributed denial of service attack

Country Status (2)

Country Link
KR (1) KR100950900B1 (en)
WO (1) WO2009064114A2 (en)

Also Published As

Publication number Publication date
WO2009064114A3 (en) 2009-07-02
KR20090048819A (en) 2009-05-15
KR100950900B1 (en) 2010-04-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08850658

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08850658

Country of ref document: EP

Kind code of ref document: A2