A DoS (denial-of-service) attack concentrates a large volume of traffic on a target network or server within a short time, so that the target system can no longer provide its services. A DDoS (distributed denial-of-service) attack, which is one type of DoS attack, concentrates the traffic of a multitude of attacking sites on the target network or server at once, and is therefore more difficult to detect and cut off.
According to the attacking method, DoS attacks are categorized into attacks that exploit characteristics of the TCP protocol and attacks that simply congest traffic.
Attacks exploiting the characteristics of the TCP protocol abuse the three-step operation (the three-way handshake) by which a connection is set up between a TCP client and a TCP server. First, the client sends a synchronize (SYN) packet to the server. Second, the server sends a synchronize-acknowledge (SYN-ACK) packet to the client and keeps state for the half-open connection until the handshake completes. Finally, the client sends an ACK packet to the server, completing the connection. A TCP SYN flooding attack is an example of such an attack: the attacker keeps sending SYN packets to the server but ignores the SYN-ACK packets transmitted by the server, so that the server's table of half-open connections fills up and SYN packets from legitimate clients are dropped.
Attacks that simply congest traffic are divided into UDP packet flooding attacks, ping (ICMP echo) flooding attacks and HTTP flooding attacks.
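The following model of the three-step handshake and of a server's half-open connection table is an added illustration; it is not part of the text above nor of any technique described in it. The backlog size, the client names and the order of events are assumed for the example. It shows why a flood of unanswered SYN packets denies service to a legitimate client that arrives later.

```python
"""Model of a TCP listener's half-open (SYN-received) backlog under a SYN
flooding attack.  Added illustration only; the backlog size, client names and
event order are assumed for the example, not taken from the text above."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                                   # max half-open connections (assumed)
    half_open: set = field(default_factory=set)    # SYN received, final ACK pending
    established: set = field(default_factory=set)
    dropped: list = field(default_factory=list)    # SYNs refused for lack of room

    def on_syn(self, client):
        """Steps 1 and 2: a client SYN arrives; the server replies SYN-ACK and
        must keep state until the final ACK arrives (or the entry times out)."""
        if client in self.half_open:
            return ("SYN-ACK", client)             # retransmitted SYN, same slot
        if len(self.half_open) >= self.backlog:
            self.dropped.append(client)            # backlog full: SYN is discarded
            return None
        self.half_open.add(client)
        return ("SYN-ACK", client)

    def on_ack(self, client):
        """Step 3: the client ACK completes the handshake and frees the slot."""
        if client not in self.half_open:
            return False
        self.half_open.remove(client)
        self.established.add(client)
        return True


def honest_handshake(client="legit", backlog=4):
    """A well-behaved client: SYN, SYN-ACK, ACK.  Returns True when established."""
    srv = Listener(backlog)
    reply = srv.on_syn(client)
    return reply is not None and srv.on_ack(client)


def syn_flood(backlog=4, attacker_syns=10):
    """The attacker sends many SYNs (typically from spoofed sources) and never
    ACKs the SYN-ACKs; a legitimate client arriving afterwards finds no room."""
    srv = Listener(backlog)
    for i in range(attacker_syns):
        srv.on_syn(f"spoofed-{i}")                 # SYN-ACK goes unanswered
    reply = srv.on_syn("legit")
    legit_ok = reply is not None and srv.on_ack("legit")
    return {
        "half_open": len(srv.half_open),           # every slot held by the attacker
        "dropped_syns": len(srv.dropped),          # surplus attack SYNs plus the legit one
        "legit_established": legit_ok,
    }


if __name__ == "__main__":
    print("honest client:", honest_handshake())
    print("under SYN flood:", syn_flood())
```

With a backlog of four and ten attack SYNs, the attacker holds all four slots, six of its own SYNs and the legitimate client's SYN are discarded, and the legitimate connection is never established. Real stacks time out half-open entries, but an attacker that keeps sending SYNs refills the slots as fast as they expire.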
Conventional techniques for cutting off such DoS attacks are described as follows:
(1) a technique for improving an algorithm of a TCP protocol server
(2) a fair-queuing technique
(3) a rate-limit technique
The technique for improving the algorithm of the TCP protocol server is applicable only to cutting off conventional SYN packet flooding attacks, so it cannot prevent traffic congestion attacks.
The fair-queuing technique is used for controlling congestion and fairly distributing resources (bandwidth) in a router.
FIG. 1 shows the basic algorithm of conventional fair queuing. Each transmitted packet is classified on a flow basis and forwarded to the next node through the corresponding queue. The queues are served fairly by round-robin, so that with n active queues each queue is provided with 1/n of the total link bandwidth. While the technique effectively cuts off DoS attacks from a single source, it cannot completely avoid DDoS attacks: the more the total number of malicious flows increases, the smaller the bandwidth share allocated to each legitimate flow becomes.
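The following simulation of round-robin fair queuing beside a single FIFO queue is an added illustration and not part of the text above; the offered loads, flow names and link capacity (packets per interval) are assumed values. It reproduces the point of FIG. 1: one heavy flow is held to its 1/n share, but the same attack volume spread over many sources shrinks the legitimate flow's share to 1/n as well.

```python
"""Round-robin fair queuing versus a single FIFO queue, as an added
illustration.  Offered loads, flow names and the link capacity are assumed."""


def fifo_shares(offered, capacity):
    """Single shared queue: when the link is oversubscribed each flow gets a
    share proportional to what it offers, so the heaviest sender wins.
    Integer division, so uneven splits may come up a packet short."""
    total = sum(offered.values())
    if total <= capacity:
        return dict(offered)
    return {flow: pkts * capacity // total for flow, pkts in offered.items()}


def round_robin_shares(offered, capacity):
    """Per-flow queues served round-robin (FIG. 1): every backlogged flow gets
    one packet per round, i.e. 1/n of the link for n active flows."""
    remaining = dict(offered)
    served = {flow: 0 for flow in offered}
    while capacity > 0 and any(remaining.values()):
        for flow in remaining:
            if remaining[flow] > 0 and capacity > 0:
                remaining[flow] -= 1
                served[flow] += 1
                capacity -= 1
    return served


def legit_share_under_attack(n_attackers, attacker_pkts, capacity=100, legit_pkts=100):
    """Packets per interval that the one legitimate flow gets through the link
    under FIFO and under round-robin fair queuing."""
    offered = {"legit": legit_pkts}
    for i in range(n_attackers):
        offered[f"attacker-{i}"] = attacker_pkts
    return {
        "fifo": fifo_shares(offered, capacity)["legit"],
        "fair_queuing": round_robin_shares(offered, capacity)["legit"],
    }


if __name__ == "__main__":
    # DoS: one source flooding at nine times the legitimate load
    print("DoS :", legit_share_under_attack(1, 900))
    # DDoS: the same attack volume spread over nine sources
    print("DDoS:", legit_share_under_attack(9, 100))
```

Against the single-source flood, FIFO leaves the legitimate flow 10 of 100 packets while fair queuing restores it to 50; against nine sources offering the same total, fair queuing gives every flow 10 packets, no better than FIFO.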
The rate-limit technique cuts off not only TCP SYN flooding attacks but also traffic congestion attacks.
FIG. 2 illustrates the basic algorithm of a conventional rate limit. The rate-limit technique measures the bandwidth of specific flows; if the measured value exceeds a maximum allowable bandwidth determined by an administrator, the surplus packets are dropped. The technique has two drawbacks. First, the administrator must observe the traffic of the network for a certain time in order to determine the maximum allowable bandwidth. Second, it is difficult to effectively cut off DDoS attacks. The power of a DDoS attack comes from the enormous aggregate traffic generated by concentrating a multitude of attacking sites on one target network or server, so the volume of traffic generated by each individual attacking site is not large. In other words, since there is only a small difference between the volume of traffic generated by an attacking site and that generated by a legitimate site in a DDoS attack, it is very difficult to choose the maximum allowable bandwidth. For example, if the maximum allowable bandwidth is set low enough to cut off the DDoS traffic, legitimate traffic is cut off as well, and if it is set high enough to pass the legitimate traffic, most of the DDoS traffic passes too.
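The following per-flow rate limiter run over constructed traffic is an added illustration and not part of the text above; the flow rates, packet size, measurement window and limit values are assumed. It shows the algorithm of FIG. 2 cutting a single-source flood cleanly, and then the dilemma described above when fifty sources each send only slightly more than a legitimate client.

```python
"""Per-flow rate limiting (FIG. 2) applied to constructed traffic, as an added
illustration.  Flow rates, packet size, window and limits are assumed values."""
from collections import defaultdict


def constant_rate_flow(name, packets, size, duration=1.0):
    """Constructed traffic: `packets` packets of `size` bytes spread evenly
    over `duration` seconds, as (time, flow, size) tuples."""
    return [(i * duration / packets, name, size) for i in range(packets)]


def rate_limit(packets, max_bytes_per_window, window=1.0):
    """Measure each flow's bytes per window and drop whatever exceeds the
    administrator-set maximum.  Returns (passed, dropped) byte counts per flow."""
    admitted = defaultdict(int)             # (flow, window index) -> bytes admitted
    passed, dropped = defaultdict(int), defaultdict(int)
    for t, flow, size in sorted(packets):
        key = (flow, int(t // window))
        if admitted[key] + size <= max_bytes_per_window:
            admitted[key] += size
            passed[flow] += size
        else:
            dropped[flow] += size           # surplus packet is dropped
    return passed, dropped


def attack_scenario(n_attackers, attacker_pps, limit, legit_pps=100, size=1000):
    """One legitimate flow plus n attacking flows, each at `attacker_pps`
    packets/s.  Returns the percentage of legitimate bytes and of attack
    bytes that the rate limiter lets through in the first window."""
    traffic = constant_rate_flow("legit", legit_pps, size)
    for i in range(n_attackers):
        traffic += constant_rate_flow(f"bot-{i}", attacker_pps, size)
    passed, _ = rate_limit(traffic, limit)
    attack_passed = sum(b for f, b in passed.items() if f != "legit")
    return {
        "legit_passed_pct": 100 * passed["legit"] // (legit_pps * size),
        "attack_passed_pct": 100 * attack_passed // (n_attackers * attacker_pps * size),
    }


if __name__ == "__main__":
    # DoS: a single source at ten times the legitimate rate.  A limit of
    # 150 kB/s sits between the two rates: the flood is cut, the client passes.
    print("DoS,  limit 150k:", attack_scenario(1, 1000, 150_000))
    # DDoS: fifty sources, each at only 1.2x the legitimate rate.
    print("DDoS, limit 150k:", attack_scenario(50, 120, 150_000))   # attack passes
    print("DDoS, limit  90k:", attack_scenario(50, 120, 90_000))    # client cut too
```

With the limit at 150 kB/s the single attacker is held to 15 percent of its traffic while the legitimate client loses nothing, but the fifty-source attack passes in full. Lowering the limit to 90 kB/s drops 10 percent of the legitimate traffic and still lets 75 percent of the attack through, which is the trade-off the administrator cannot escape by choosing a threshold.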
As described above, the conventional techniques can effectively cut off DoS attacks but not DDoS attacks. Further, even where DDoS attacks can be cut off, the legitimate traffic cannot be protected.