Distributed reflection denial of service (hereinafter referred to as DRDoS) is an attack type that evolved one step beyond DDoS. The Smurf attack is a representative DRDoS: the attacker sends ICMP echo request packets, whose source IP address is spoofed to the attack target's address, to a broadcast address, so that every host on that network returns an echo reply to the target, and the resulting flood of echo reply packets knocks the target down.
A DRDoS attack does not require installing a separate agent on the machines that carry it out: it exploits a structural vulnerability of a network communication protocol to make a system that is operating a normal service act as the agent of the attack.
Therefore, it is known that DRDoS attacks are easy for hackers to use and that an attacked site is difficult to recover. DRDoS attacks have appeared primarily abroad in recent years, and the largest DDoS attack traffic ever announced was also generated by a DRDoS attack.
The DRDoS attack exploits structural characteristics of services that run over the UDP protocol, such as DNS, NTP, SNMP and CHARGEN, and is generally divided into reflection and amplification attack patterns.
An attacker sends a large quantity of request messages, with the source IP falsified to the attack target's IP, to a server running a vulnerable service; the server then reflects its response messages to the attack target's IP. Because each response is much larger than the request that triggered it, the reflected traffic arrives at the attack target amplified into mass traffic.
The attacker can thus attack the target by using a server that is open to the outside as a relay, without needing zombie PCs or the like to generate the mass traffic, and the mass traffic flows into the victim from the server rather than from the attacker, causing denial of service.
For example, in recent years attackers have sent, with the source IP forged, ANY or TXT queries to DNS servers, or the MON_GETLIST (monlist) command to NTP servers, which requests the IP addresses of up to the last 600 hosts that communicated with that NTP server.
Detecting such attack symptoms requires traffic monitoring of servers that may be used as DRDoS relays, and an apparatus and a method need to be developed that can detect, from the monitored flow data, information on the relay, the attack source, and the like used in the DRDoS attack.
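The following is an added example, not code from the original text or from the apparatus it describes. It shows the flow-level symptom that the reflection mechanism above produces and that the monitoring described in the last paragraph would look for: for each (server, service port, client) pair, the bytes the server sends back are compared with the bytes it received, and a pair whose response volume is many times its request volume on a known reflector port is reported together with the relay, the service and the address the responses go to (the victim, whose address was forged into the requests). The flow record layout, the thresholds and the sample flows are assumptions constructed for this example.

```python
"""Flow-based DRDoS reflection detection over constructed flow records.

Added example, not part of the original text. The Flow record is a minimal
NetFlow-like tuple assumed here; thresholds and sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# UDP services named in the text as reflectors, keyed by service port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 19: "CHARGEN"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def detect_reflection(flows: Iterable[Flow], min_amplification: float = 5.0,
                      min_request_packets: int = 50) -> List[dict]:
    """Report (relay, service, victim) triples whose responses are amplified.

    Requests are flows into a reflector port from a non-service port; responses
    are flows out of a reflector port to a non-service port. Flows with service
    ports on both sides (e.g. symmetric NTP 123->123) are ambiguous from the
    5-tuple alone and are skipped; a real detector would resolve them from its
    server inventory. The request 'source' is the spoofed victim address: the
    true attacker is not in the flow key and can only be localised from the
    ingress interface on which the spoofed requests arrived.
    """
    req_bytes: Dict[tuple, int] = defaultdict(int)
    req_packets: Dict[tuple, int] = defaultdict(int)
    rsp_bytes: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dport in REFLECTOR_PORTS and f.sport not in REFLECTOR_PORTS:
            key = (f.dst, f.dport, f.src)          # request: client -> server
            req_bytes[key] += f.bytes
            req_packets[key] += f.packets
        elif f.sport in REFLECTOR_PORTS and f.dport not in REFLECTOR_PORTS:
            key = (f.src, f.sport, f.dst)          # response: server -> client
            rsp_bytes[key] += f.bytes
    findings = []
    for key, rb in rsp_bytes.items():
        server, port, client = key
        qb = req_bytes.get(key, 0)
        # Ignore low-volume pairs and pairs where we never saw the requests.
        if qb == 0 or req_packets.get(key, 0) < min_request_packets:
            continue
        amplification = rb / qb
        if amplification >= min_amplification:
            findings.append({
                "relay": server,
                "service": REFLECTOR_PORTS[port],
                "victim": client,
                "request_bytes": qb,
                "response_bytes": rb,
                "amplification": amplification,
            })
    findings.sort(key=lambda x: x["amplification"], reverse=True)
    return findings


def summarize_victims(findings: List[dict]) -> Dict[str, dict]:
    """Aggregate reflected volume per victim across all relays that hit it."""
    victims: Dict[str, dict] = defaultdict(lambda: {"response_bytes": 0, "relays": []})
    for fnd in findings:
        v = victims[fnd["victim"]]
        v["response_bytes"] += fnd["response_bytes"]
        v["relays"].append(fnd["relay"])
    for v in victims.values():
        v["relays"].sort()
    return dict(victims)


# Constructed sample flows (documentation/test-net addresses, not real traffic).
SAMPLE_FLOWS = [
    # Benign DNS lookups from an internal host: small volume, modest ratio.
    Flow("10.0.0.5", 40000, "192.0.2.53", 53, "UDP", 10, 700),
    Flow("192.0.2.53", 53, "10.0.0.5", 40000, "UDP", 10, 1500),
    # Spoofed DNS ANY queries carrying the victim's address, and the answers.
    Flow("203.0.113.7", 53123, "192.0.2.53", 53, "UDP", 2000, 128000),
    Flow("192.0.2.53", 53, "203.0.113.7", 53123, "UDP", 2000, 6000000),
    # Spoofed NTP monlist requests to a second relay, and its replies.
    Flow("203.0.113.7", 39000, "198.51.100.123", 123, "UDP", 500, 30000),
    Flow("198.51.100.123", 123, "203.0.113.7", 39000, "UDP", 50000, 24000000),
    # Unrelated TCP traffic, ignored by the UDP-only detector.
    Flow("10.0.0.9", 51000, "192.0.2.80", 80, "TCP", 30, 4000),
]


if __name__ == "__main__":
    for finding in detect_reflection(SAMPLE_FLOWS):
        print(finding)
    print(summarize_victims(detect_reflection(SAMPLE_FLOWS)))
```

On the sample data the detector reports the NTP relay at 800x and the DNS relay at about 47x, both aimed at 203.0.113.7, and the victim summary shows 30 MB of reflected traffic from two relays. If the monitoring point sees only one direction (responses leaving the server but not the requests entering it), the ratio cannot be formed, and the detector must fall back to absolute response volume per destination on the reflector ports.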