KR20140028535A - Apparatus and method for providing distributed denial of service - Google Patents


Info

Publication number: KR20140028535A
Authority: KR (South Korea)
Prior art keywords: service, server, distributed denial, traffic, information
Application number: KR1020120095026A
Other languages: Korean (ko)
Inventor: 허영준
Original Assignee: 한국전자통신연구원
Application KR1020120095026A filed by 한국전자통신연구원 on 2012-08-29 (priority date 2012-08-29)
Publication of KR20140028535A on 2014-03-10


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/16 Threshold monitoring
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles

Abstract

The conventional static threshold method responds without regard to the user profile or the server state, and it acts on every packet that exceeds a fixed threshold without distinguishing attackers from normal users, so it can discard normal users' packets and fail to provide normal service. Accordingly, in an embodiment of the present invention, service request pattern information for each host, for example the service request time, the requested service and the service usage time, is collected on a time-series basis and stored in a traffic profile table, and a distributed denial of service (DDoS) attack countermeasure is proposed that uses this table to detect and respond to DDoS attacks efficiently. In addition, by estimating and adjusting the amount of traffic entering the server using the information in the traffic profile table together with a server state table, the server's service can be maintained continuously and normally while responding to a DDoS attack. The server state table stores and manages state information, such as CPU, memory and number of service requests, for the various servers located in a server farm.

Description

Distributed Denial of Service Attack Response Device {APPARATUS AND METHOD FOR PROVIDING DISTRIBUTED DENIAL OF SERVICE}

FIELD OF THE INVENTION

The present invention relates to distributed denial of service (DDoS) attack detection and response techniques, and in particular to a DDoS attack response device suited to efficient detection of and response to DDoS attacks by taking into account time-series based profiles of service request traffic and the server state (e.g. CPU, memory, service throughput).

A distributed denial of service (DDoS) attack is one in which a large number of unspecified attackers send large amounts of data for the purpose of disrupting the normal service of a system, sharply degrading the performance of the target network or server system and preventing ordinary users from using the service.

In the past, network service packet requests were handled within the processing capacity of the server, and packets above a certain threshold were simply discarded. When the servers that make up a server farm differ in performance or state, responding with a single fixed value without looking at the state of the servers raises the false positive rate, for example by discarding normal end-user packets, and is therefore not an effective response.

The static threshold method statically defines a single threshold for responding to DDoS attacks; it is a simple way to block a certain amount of traffic when the number of service requests suddenly increases. That is, when the traffic rises above a certain threshold, a blocking policy is applied to a certain amount of traffic.

However, because the static threshold method responds regardless of the user profile and the server state, and acts on packets exceeding a certain threshold without distinguishing between attackers and normal users, it can also fail to provide normal service by discarding the packets of normal users. In other words, it is difficult to distinguish normal users from abnormal users, so the traffic of normal users may be blocked, lowering the service efficiency.

Prior art documents:

Korean Patent Registration No. 0695489, Profiling-based web service security system and method, registration notice 2007-03-14.

Using Adaptive Bandwidth Allocation Approach to Defend DDoS Attacks, International Journal of Software Engineering and its Application, Vol. 2, No. 4, pp. 61-72, 2008-10-04.

Accordingly, in an embodiment of the present invention, service request pattern information for each host, for example the service request time, the requested service and the service usage time, is collected on a time-series basis and stored in a traffic profile table, and a DDoS attack countermeasure is proposed that uses this information to detect and respond to DDoS attacks efficiently.

By using the information in the traffic profile table and the server state table to predict and adjust the amount of traffic entering the server, the server's normal service can be maintained while responding to DDoS attacks.

The server state table may store and manage state information such as CPU, memory, and number of service requests of various servers located in a server farm.

A DDoS attack response device according to an embodiment of the present invention may include: a traffic profile information collection unit that collects, on a time-series basis through the network, service request pattern information for each host, including a traffic profile; a traffic profile table that stores the per-host service request pattern information collected by the traffic profile information collection unit; a server state information collection unit that collects server state information from a server farm; a server state table that stores the server state information collected by the server state information collection unit; and a DDoS attack response unit that estimates and adjusts the amount of traffic entering the server farm from the network using the per-host service request pattern information of the traffic profile table and the server state information of the server state table.

According to the present invention, by applying a dynamic threshold response technique that jointly considers the time-series based host service request pattern and the server state, illegal packets such as DDoS attack packets can be blocked efficiently and service to normal users can be guaranteed. For example, by applying the optimal dynamic response policy for the situation of a server or security zone, taking into account the number of service requests, incoming traffic, usage time and server status of the servers located in the server farm, DDoS attacks are countered efficiently and the quality of service provided to normal users is improved.

FIG. 1 is a block diagram illustrating a distributed denial of service attack response device according to an embodiment of the present invention.

Advantages and features of the present invention, and methods for achieving them, will become apparent with reference to the embodiments described below in detail with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art; the invention is defined only by the scope of the claims. Like numbers refer to like elements throughout.

In the following description of the present invention, detailed descriptions of known functions and configurations incorporated herein will be omitted where they would make the subject matter of the present invention unclear. The following terms are defined in consideration of the functions in the embodiments of the present invention and may vary according to the intention of a user or operator, or according to custom; therefore, the definitions should be based on the contents of this specification as a whole.

Each block of the accompanying block diagrams, and each combination of steps of the flowcharts, may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general purpose computer, special purpose computer or other programmable data processing apparatus, so that the instructions, when executed by the processor of the computer or other programmable data processing apparatus, create means for performing the functions described in each block of the block diagram or each step of the flowchart. These computer program instructions may also be stored in a computer usable or computer readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, so that the instructions stored in the computer usable or computer readable memory produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or each step of the flowchart. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operating steps is performed on the computer or other programmable data processing apparatus to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable data processing apparatus provide steps for executing the functions described in each block of the block diagram and each step of the flowchart.

Also, each block or each step may represent a module, segment or portion of code that includes one or more executable instructions for executing the specified logical function(s). It should also be noted that in some alternative embodiments the functions mentioned in the blocks or steps may occur out of order; for example, two blocks or steps shown in succession may in fact be performed substantially concurrently, or may sometimes be performed in reverse order, depending on the function involved.

Before describing the embodiments, note that the present invention provides a method that can effectively detect and respond to distributed denial of service (DDoS) attacks by considering time-series based profiles of service request traffic together with the server state (e.g. CPU, memory, service processing capability), and the object of the present invention is readily achieved from this technical idea.

The number of clients connecting to a server, and the service requests each client sends to the server, are highly periodic. Time-series based traffic control and server health checks based on an analysis of this periodicity make it possible to apply dynamic thresholds to DDoS attacks and thereby detect and respond to them efficiently.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a block diagram illustrating a DDoS attack response device according to an embodiment of the present invention. As shown in FIG. 1, it may include a traffic profile information collection unit 100, a traffic profile table 102, a server state information collection unit 104, a server state table 106, a DDoS attack response unit 108, a network 10, a server farm 12, and the like.

As shown in FIG. 1, the traffic profile information collection unit 100 collects, through the network 10, service request pattern information for each host including a traffic profile, for example the service request time, the requested service type and the service usage time. By analysing this information on a time-series basis and storing and managing the collected service request pattern information in the traffic profile table 102, a DDoS attack response technique capable of detecting and responding to DDoS attacks is provided.

The server state information collection unit 104 may collect server information from the server farm 12, for example CPU state information, memory state information and the number of service requests, and store and manage it in the server state table 106.

Using the information in the traffic profile table 102 and the server state table 106, the DDoS attack response unit 108 predicts and adjusts the amount of traffic entering the server farm 12 from the network 10, so that in addition to responding to a DDoS attack, the services provided by the server farm 12 can be maintained continuously and normally.

Here, the traffic profile table 102 and the server state table 106 may be implemented as databases managed by the traffic profile information collection unit 100 and the server state information collection unit 104, for example using a relational database management system (RDBMS) such as Oracle, Informix, Sybase or DB2, or an object-oriented database management system (OODBMS) such as GemStone, Orion or O2, according to the purpose, and may have the fields appropriate to their function.

The network 10 may include a broadband wireless communication network, a short-range wireless communication network, a broadband wired communication network or a short-range wired communication network.

Here, the broadband wireless communication network takes part in call setup and resource allocation for client terminal devices that may connect to the server farm 12, and serves to ensure the mobility of those client terminal devices; it can support both synchronous and asynchronous operation. The short-range wireless communication network in the network 10 may include a wireless communication environment such as Wi-Fi. The broadband wired communication network is, for example, the Internet: a worldwide open computer network architecture that provides the TCP/IP protocol and the various services in its upper layers, namely Hyper Text Transfer Protocol (HTTP), Telnet, File Transfer Protocol (FTP), Domain Name System (DNS), Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), Network File Service (NFS) and Network Information Service (NIS). The short-range wired communication network may include, for example, a local area network (LAN).

The server farm 12 is a group of servers accommodated and operated together. The server farm 12 may be connected to the network 10 and managed separately from the client network.

The conventional static threshold method statically defines a single threshold for DDoS attacks, blocking traffic above a certain amount when the number of service requests suddenly increases; but because it responds regardless of the user profile and the server state, acting on any packet that exceeds the threshold without distinguishing normal users, it may discard normal users' packets and fail to provide normal service.

By contrast, the DDoS attack response technique according to an embodiment of the present invention copes with DDoS attacks by considering the state of the server as well as the network traffic: an adaptive threshold algorithm applies a time-series based threshold and verifies it against the server state, detecting and blocking the packets of illegal attackers so as to guarantee service to normal users.

In addition, even if an attacker increases its traffic transmission rate slowly, the host-based service request profile kept for each host makes it possible to respond preferentially to packets that exceed the threshold for that host; and when analysis of the server's resource state shows that service is becoming difficult to provide, the DDoS attack can be countered by blocking these packets preferentially.

According to the embodiment of the present invention described above, continuous service can be provided to normal Internet users through efficient traffic management using a dynamic threshold method that improves on the disadvantages of the conventional static threshold based response. The static threshold method applies a blocking policy to a certain amount of traffic whenever the traffic rises above a certain threshold, so it is difficult to tell normal users from abnormal ones, and normal users may be blocked and left without service. In the DDoS attack response technique according to an embodiment of the present invention, by contrast, a dynamic threshold response technique that jointly considers the time-series based host service request pattern and the server state blocks illegal packets such as DDoS attack packets, so that service can be guaranteed to normal users.
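The dynamic-threshold response described above (a per-host time-series profile table, a server state table, a farm-level cap that shrinks with CPU and memory load, and a per-host pattern check that also catches a slowly ramping sender), as an added Python sketch that is not the patent's code; the daily slot period, the constants, the ServerState fields and the host addresses are assumptions.

```python
"""Dynamic-threshold DDoS responder sketch (constructed example, not the patent's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from statistics import mean, pstdev

PERIOD_SLOTS = 24     # assumed daily period, one profile slot per hour of day
HISTORY_DEPTH = 7     # past observations kept per (host, slot)
BASE_PER_HOST = 100   # requests per slot one host may send when the farm is idle
MIN_PER_HOST = 10     # floor for the farm-level cap under heavy load
SIGMA_K = 3.0         # deviation multiplier for the per-host pattern check
MARGIN = 5            # absolute slack added to the per-host pattern bound


@dataclass
class ServerState:
    """One row of the server state table (fields are assumptions)."""
    cpu: float       # fraction of CPU in use, 0.0 to 1.0
    mem: float       # fraction of memory in use, 0.0 to 1.0
    requests: int    # service requests currently being handled


class DdosResponder:
    def __init__(self):
        # traffic profile table: host -> slot -> recent per-slot request counts
        self.profiles = defaultdict(
            lambda: defaultdict(lambda: deque(maxlen=HISTORY_DEPTH)))
        # server state table: server name -> last reported state
        self.servers = {}

    def update_server(self, name, state):
        self.servers[name] = state

    def headroom(self):
        """Average fraction of capacity still free across the farm (1.0 if unknown)."""
        if not self.servers:
            return 1.0
        return mean(max(0.0, 1.0 - max(s.cpu, s.mem)) for s in self.servers.values())

    def dynamic_threshold(self):
        """Farm-level per-host cap: shrinks as CPU or memory fills, never below the floor."""
        return max(MIN_PER_HOST, BASE_PER_HOST * self.headroom())

    def expected(self, host, slot):
        """(mean, stdev) of this host's past counts in the same slot, once history exists."""
        hist = self.profiles[host][slot % PERIOD_SLOTS]
        if len(hist) < 3:
            return None
        return mean(hist), pstdev(hist)

    def decide(self, host, slot, count):
        """Classify one host's request count for a time slot as allow, limit or block."""
        cap = self.dynamic_threshold()
        profile = self.expected(host, slot)
        if profile is not None:
            # the host is judged first against its own time-series pattern, so a
            # slowly ramping sender stands out even while the farm is healthy
            within = count <= profile[0] + SIGMA_K * profile[1] + MARGIN
        else:
            within = count <= cap   # no history yet: only the farm-level cap applies
        if within:
            verdict = "allow"
        elif count > cap:
            verdict = "block"       # outside its pattern and above what the farm can absorb
        else:
            verdict = "limit"       # outside its pattern but the farm still has room
        if verdict == "allow":
            # only normal-looking observations feed the baseline, so attack traffic
            # cannot drag the host's pattern upward over time
            self.profiles[host][slot % PERIOD_SLOTS].append(count)
        return verdict
```

A host with an established pattern keeps its allowance when the farm is loaded, while an unprofiled host above the shrunken cap is blocked first, which is the priority order the description gives.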

100: traffic profile information collection unit
102: traffic profile table
104: server state information collection unit
106: server state table
108: distributed denial of service attack response unit

Claims (1)

1. A distributed denial of service attack response device comprising:
a traffic profile information collection unit collecting, on a time-series basis through a network, service request pattern information for each host including a traffic profile;
a traffic profile table storing the service request pattern information for each host collected by the traffic profile information collection unit;
a server state information collection unit collecting server state information from a server farm;
a server state table storing the server state information collected by the server state information collection unit; and
a distributed denial of service attack response unit configured to predict and adjust the amount of traffic entering the server farm from the network using the service request pattern information for each host of the traffic profile table and the server state information of the server state table.

Priority Applications (1)

Application number KR1020120095026A, priority date 2012-08-29, filing date 2012-08-29: Apparatus and method for providing distributed denial of service (KR20140028535A, en)

Publications (1)

Publication number KR20140028535A (en), publication date 2014-03-10

Family ID: 50641934

Country Status (1)

KR (1): KR20140028535A (en)


Legal Events

WITN: Withdrawal due to no request for examination