KR20140028535A - Apparatus and method for providing distributed denial of service - Google Patents
- Publication number: KR20140028535A (application KR1020120095026A)
- Authority: KR (South Korea)
- Prior art keywords: service, server, distributed denial, traffic, information
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/16—Threshold monitoring
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/2866—Architectures; Arrangements
        - H04L67/30—Profiles
Abstract
The existing static threshold method responds regardless of user profile and server state, and reacts to packets exceeding a fixed threshold without distinguishing attackers from normal users, so it may discard normal users' packets and fail to provide normal service. Accordingly, in an embodiment of the present invention, service request pattern information for each host (for example, service request time, requested service and service usage time) is collected on a time series basis and stored in a traffic profile table. This gives a distributed denial of service attack countermeasure that can efficiently detect and respond to distributed denial of service attacks. In addition, by estimating and adjusting the amount of traffic entering the server using the information in the traffic profile table and the server state table, the server's service can be maintained continuously and normally while responding to a distributed denial of service attack. The server state table can store and manage state information such as CPU, memory and number of service requests of the various servers located in a server farm.
Description
FIELD OF THE INVENTION The present invention relates to distributed denial of service (DDoS) attack detection and response techniques, and in particular to a distributed denial of service attack response device suited to efficient detection of and response to distributed denial of service attacks by taking into account time series based profiles of service request traffic and server state (e.g., CPU, memory, service throughput, etc.).
A distributed denial of service (DDoS) attack is one in which a large number of unspecified attackers send large amounts of data for the purpose of disrupting a system's normal service, causing a drastic deterioration in the performance of the target network or server system and preventing general users from using the service.
In the past, network service packet requests were handled within the processing capacity of the server, and packets above a certain threshold were simply discarded. When the servers constituting a server farm differ in performance or state, responding with a specific fixed value without looking at the servers' state increases the false positive rate (for example, normal end-user packets are discarded), so this is not an effective response.
The static threshold method statically defines a single threshold for responding to distributed denial of service attacks; it is a simple way to block a certain amount of traffic when a large number of service requests suddenly arrive. That is, when the traffic increases above a certain threshold, a blocking policy may be applied to a certain amount of the traffic.
However, since the static threshold method responds regardless of the user profile and the server state, and reacts to packets exceeding a certain threshold without distinguishing between attackers and normal users, it may discard normal users' packets and fail to provide normal service. In other words, it is difficult to distinguish normal from abnormal users, so normal users' traffic may be blocked, lowering service efficiency.
Accordingly, in an embodiment of the present invention, service request pattern information for each host (for example, service request time, requested service and service usage time) is collected on a time series basis, and the collected information is stored in a traffic profile table. On this basis, a distributed denial of service attack countermeasure is proposed that can efficiently detect and respond to distributed denial of service attacks.
By using the information in the traffic profile table and the server state table to predict and adjust the amount of traffic entering the server, the server's normal service can be maintained while also responding to distributed denial of service attacks.
The server state table may store and manage state information such as CPU, memory, and number of service requests of various servers located in a server farm.
A distributed denial of service attack response device according to an embodiment of the present invention may include: a traffic profile information collection unit that collects, on a time series basis, service request pattern information for each host through the network, including a traffic profile; a traffic profile table storing the service request pattern information for each host collected through the traffic profile information collection unit; a server state information collecting unit that collects server state information from a server farm; a server state table storing the server state information collected through the server state information collecting unit; and a distributed denial of service attack response unit that estimates and adjusts the amount of traffic entering the server farm from the network using the per-host service request pattern information of the traffic profile table and the server state information of the server state table.
According to the present invention, by applying a dynamic threshold response technique that comprehensively considers the time series based host service request pattern and the server state, illegal user packets such as distributed denial of service attack packets can be efficiently blocked so that service to normal users is ensured. For example, by applying optimal dynamic response policies according to the situation of a server or security area, considering the number of service requests, incoming traffic, usage time, server status, etc. for the servers located in the server farm area, distributed denial of service attacks can be responded to efficiently and the quality of service provided to normal users can be improved.
FIG. 1 is a block diagram illustrating a distributed denial of service attack response device according to an embodiment of the present invention.
Advantages and features of the present invention and methods for achieving them will be apparent with reference to the embodiments described below in detail with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art, and the invention is defined only by the scope of the claims. Like numbers refer to like elements throughout.
In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention unclear. The following terms are defined in consideration of the functions in the embodiments of the present invention and may vary depending on the intention or custom of the user or operator. Therefore, the definitions should be based on the contents of this specification as a whole.
Each block of the accompanying block diagrams and each combination of steps of the flowchart may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, so that the instructions, executed by the processor of the computer or other programmable data processing apparatus, create means for performing the functions described in each block or step. These computer program instructions may also be stored in a computer usable or computer readable memory that can direct a computer or other programmable data processing apparatus to implement the functionality in a particular manner, so that the instructions stored in the computer usable or computer readable memory produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or step of the flowchart. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operating steps is performed on the computer or other programmable data processing apparatus to produce a computer-implemented process, such that the instructions executed on the computer or other programmable data processing apparatus provide steps for executing the functions described in each block of the block diagram and each step of the flowchart.
Also, each block or each step may represent a module, segment, or portion of code that includes one or more executable instructions for executing the specified logical function(s). It should also be noted that in some alternative embodiments, the functions mentioned in the blocks or steps may occur out of order. For example, two blocks or steps shown in succession may in fact be performed substantially concurrently, or the blocks or steps may sometimes be performed in reverse order according to the corresponding function.
Before describing the embodiments: the present invention provides a method that can effectively detect and respond to distributed denial of service (DDoS) attacks by considering time series based profiles of service request traffic and server state (e.g., CPU, memory, service processing capability, etc.), and the object of the present invention can easily be achieved from this technical idea.
The number of clients connecting to a server, and the service requests each client sends to the server, are highly periodic. Time series based traffic control and server health checks based on periodicity analysis can therefore provide efficient detection and response by applying dynamic thresholds to distributed denial of service attacks.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a block diagram illustrating a distributed denial of service attack response device according to an embodiment of the present invention. The traffic profile
As shown in FIG. 1, the traffic profile
The server state
By using the information in the traffic profile table 102 and the server state table 106, the distributed denial of
Here, the traffic profile table 102 and the server state table 106 may be databaseized and managed by the traffic profile
The
Here, the broadband wireless communication network is involved in call setup and resource allocation of client terminal devices that may be connected to the
The
The traditional static threshold method statically defines a single threshold for distributed denial of service attacks, blocking traffic above a certain amount when a large number of service requests suddenly arrive, but it responds regardless of user profile and server state. Since it reacts to packets exceeding a certain threshold without distinguishing normal users, it may discard normal users' packets and fail to provide normal service.
On the other hand, the distributed denial of service attack response technique according to an embodiment of the present invention copes with distributed denial of service attacks by considering the state of the server as well as network traffic: the adaptive threshold algorithm applies a time series based threshold and verifies it against the server state, detecting and blocking the packets of illegal attackers so that service to normal users is ensured.
In addition, if an attacker slowly increases the traffic transmission rate, the host-based service request profile held for each host allows packets that exceed a certain threshold to be handled preferentially; and if analysis of the server's resource state shows that it is difficult to provide service, distributed denial of service attacks can be responded to by preferentially blocking these packets.
According to the embodiment of the present invention described above, continuous service can be provided to normal Internet users through efficient traffic management using a dynamic threshold application method that improves on the disadvantages of the conventional static threshold based response method. The existing static threshold method applies a blocking policy to a certain amount of traffic when the traffic increases above a certain threshold, so it is difficult to distinguish normal and abnormal users, and normal users may be blocked and their traffic not served. In the distributed denial of service attack response technique according to an embodiment of the present invention, however, a dynamic threshold response technique that comprehensively considers the time series based host service request pattern and the server state blocks illegal packets such as distributed denial of service attack packets, so that service can be guaranteed to normal users.
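The following is an added illustration of the dynamic-threshold scheme described above, not code from the patent or its applicant. It keeps a per-host time series of request counts (the traffic profile table) and a server state table, derives each host's threshold from its own baseline, and tightens that threshold as farm headroom shrinks; all hosts, server names, utilisation figures and request counts are constructed, and the mean-plus-sigma baseline and the 25% headroom reserve are assumptions.

```python
"""Dynamic-threshold DDoS response: per-host time-series traffic profile table
plus a server state table. Constructed example; parameters are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
import statistics


@dataclass
class ServerState:
    """One row of the server state table (utilisation as fractions 0..1)."""
    cpu: float
    mem: float
    active_requests: int
    capacity: int  # requests the server can serve per interval


class DdosResponder:
    def __init__(self, history=8, sigma=3.0, floor=5, reserve=0.25):
        self.sigma = sigma      # std devs above a host's mean still counted as normal
        self.floor = floor      # never throttle a host below this many requests/interval
        self.reserve = reserve  # headroom fraction below which thresholds tighten
        # traffic profile table: host -> recent per-interval request counts (time series)
        self.profile = defaultdict(lambda: deque(maxlen=history))
        self.servers = {}       # server state table: server name -> ServerState

    def update_server(self, name, state):
        self.servers[name] = state

    def headroom(self):
        """Spare capacity of the farm, bounded by its most loaded server."""
        if not self.servers:
            return 1.0
        return max(0.0, min(1.0 - max(s.cpu, s.mem, s.active_requests / s.capacity)
                            for s in self.servers.values()))

    def threshold(self, host):
        """Dynamic threshold: the host's own baseline (mean + sigma*std), scaled
        down proportionally once farm headroom drops below the reserve."""
        vals = list(self.profile[host])
        if len(vals) < 2:
            base = 4 * self.floor  # no profile yet: permissive default
        else:
            base = statistics.mean(vals) + self.sigma * statistics.pstdev(vals)
        scale = min(1.0, self.headroom() / self.reserve)
        return max(self.floor, base * scale)

    def observe(self, host, requests):
        """Judge one interval's request count. Only allowed intervals feed the
        baseline, so a burst cannot teach the profile that bursts are normal."""
        thr = self.threshold(host)
        if requests > thr:
            return "block", thr
        self.profile[host].append(requests)
        return "allow", thr


if __name__ == "__main__":
    r = DdosResponder()
    r.update_server("web1", ServerState(cpu=0.2, mem=0.3, active_requests=20, capacity=100))
    for n in [10, 12, 9, 11, 10, 12, 9, 11]:   # constructed steady traffic
        r.observe("10.0.0.5", n)
    print(r.observe("10.0.0.5", 40))             # burst far above the host's baseline
    r.update_server("web1", ServerState(cpu=0.95, mem=0.3, active_requests=20, capacity=100))
    print(r.observe("10.0.0.5", 8))              # modest excess, but farm is saturated
```

With the farm healthy the 40-request burst is blocked while normal 9 to 12 request intervals pass; once the server's CPU reaches 95% the same host is held to the floor of 5 requests, which is the server-state check the text describes.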
100: traffic profile information collection unit
102: Traffic profile table
104: server status information collecting unit
106: server status table
108: Distributed Denial of Service Attack Response
Claims (1)
A traffic profile table storing the service request pattern information for each host collected through the traffic profile information collecting unit;
A server status information collecting unit which collects server status information from a server farm,
A server state table for storing the server state information collected through the server state information collecting unit;
A distributed denial of service attack response unit configured to predict and adjust the amount of traffic entering the server farm from the network using the service request pattern information for each host of the traffic profile table and the server state information of the server state table;
Distributed Denial of Service Attack Response Device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
KR1020120095026A KR20140028535A (en) | 2012-08-29 | 2012-08-29 | Apparatus and method for providing distributed denial of service
Publications (1)
Publication Number | Publication Date
---|---
KR20140028535A true KR20140028535A (en) | 2014-03-10
Family ID: 50641934
Country Status (1)
Country | Link
---|---
KR (1) | KR20140028535A (en)
- 2012-08-29: KR KR1020120095026A patent/KR20140028535A/en not_active Application Discontinuation
Similar Documents
Publication | Title
---|---
US11431550B2 (en) | System and method for network incident remediation recommendations
US10630547B2 (en) | System and method for automatic closed loop control
US8438639B2 (en) | Apparatus for detecting and filtering application layer DDoS attack of web service
Buragohain et al. | FlowTrApp: An SDN based architecture for DDoS attack detection and mitigation in data centers
US9781157B1 (en) | Mitigating denial of service attacks
KR101900154B1 (en) | SDN capable of detection DDoS attacks and switch including the same
US8881281B1 (en) | Application and network abuse detection with adaptive mitigation utilizing multi-modal intelligence data
Phan et al. | OpenFlowSIA: An optimized protection scheme for software-defined networks from flooding attacks
US9584531B2 (en) | Out-of band IP traceback using IP packets
KR101747079B1 (en) | Methods and systems for detecting and mitigating a high-rate distributed denial of service (ddos) attack
US11005865B2 (en) | Distributed denial-of-service attack detection and mitigation based on autonomous system number
US10911473B2 (en) | Distributed denial-of-service attack detection and mitigation based on autonomous system number
CN106713216B (en) | Flow processing method, device and system
Manavi | Defense mechanisms against distributed denial of service attacks: A survey
CN106790193B (en) | The method for detecting abnormality and device of Intrusion Detection based on host network behavior
RU2480937C2 (en) | System and method of reducing false responses when detecting network attack
KR101812403B1 (en) | Mitigating System for DoS Attacks in SDN
Aggarwal et al. | Securing IoT devices using SDN and edge computing
Dang et al. | Sdn-based syn proxy—a solution to enhance performance of attack mitigation under tcp syn flood
Giotis et al. | A scalable anomaly detection and mitigation architecture for legacy networks via an OpenFlow middlebox
KR20110022141A (en) | Apparatus for detecting and preventing application layer distribute denial of service attack and method
Priyadharshini et al. | Prevention of DDOS attacks using new cracking algorithm
Sanjeetha et al. | Mitigating HTTP GET FLOOD DDoS attack using an SDN controller
US10834110B1 (en) | Methods for preventing DDoS attack based on adaptive self learning of session and transport layers and devices thereof
US10296744B1 (en) | Escalated inspection of traffic via SDN
Legal Events
Code | Title
---|---
WITN | Withdrawal due to no request for examination