In general, the Internet, which is based on the current transmission control protocol/Internet protocol (TCP/IP), is highly vulnerable when a malicious user arbitrarily alters the source and destination addresses of packets. In particular, a basic cause of a distributed denial of service (DDoS) attack lies in the distribution of packets whose source address has been changed.
Thus, various countermeasure methods for detecting source address spoofing packets have been proposed. Representative countermeasure methods include a detection method using a statistical technique, a filtering method in a router, and the like. An attack detection technique using a statistical technique calculates the frequency of each source IP address, generates a distribution model of source addresses based on those frequencies, and determines, from the generated distribution model, whether the source IP address of a packet has been selected randomly by an attack tool.
This technique detects an attack by using the fact that the distribution of source addresses in actual normal traffic differs from that of attack traffic. Finally, there is a method in which a network input/output terminal of a router filters packets having an invalid source address, or filters packets received on an erroneous interface, based on a routing table.
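The two countermeasures described above, worked through as an added illustration that is not part of the original text: a statistical detector that builds a source-address frequency model from normal traffic and flags a window whose sources look randomly chosen, and a router-side ingress filter that checks each packet's source against a routing table. The traffic samples, the routing table and the thresholds are all constructed for the example.

```python
import math
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample traffic as (source IP, ingress interface) pairs. Normal
# traffic repeats a few real clients; the attack window uses a fresh source
# address for every packet, as a spoofing tool picking addresses at random would.
NORMAL = [("10.1.1.5", "eth0")] * 6 + [("10.1.1.9", "eth0")] * 3 + [("10.2.0.7", "eth1")]
ATTACK = [(f"198.51.100.{i}", "eth0") for i in range(1, 11)]

# Constructed routing table: prefix -> interface through which it is reached.
ROUTES = {ip_network("10.1.0.0/16"): "eth0", ip_network("10.2.0.0/16"): "eth1"}

def source_entropy(packets):
    """Shannon entropy of the source-address frequencies, normalised by the
    maximum possible for this many packets (every source distinct), so the
    result lies in [0, 1]. Repeat clients keep it low; random spoofing -> 1."""
    total = len(packets)
    if total < 2:
        return 0.0
    counts = Counter(src for src, _ in packets)
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(total)

def looks_randomly_spoofed(window, baseline, entropy_threshold=0.8):
    """Statistical detector: build the distribution model from baseline
    traffic, then flag a window whose sources are both unseen in the model
    and spread almost uniformly (high entropy). Thresholds are illustrative."""
    model = Counter(src for src, _ in baseline)
    unseen = sum(1 for src, _ in window if src not in model) / max(len(window), 1)
    return source_entropy(window) >= entropy_threshold and unseen >= 0.9

def expected_interface(src):
    """Longest-prefix match of the source address against the routing table."""
    addr = ip_address(src)
    matches = [n for n in ROUTES if addr in n]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None

def ingress_filter(packets):
    """Router-side filter: keep only packets whose source has a route and
    whose route points at the interface the packet actually arrived on."""
    return [(s, i) for s, i in packets if expected_interface(s) == i]

if __name__ == "__main__":
    print("normal entropy", round(source_entropy(NORMAL), 3))
    print("attack window flagged", looks_randomly_spoofed(ATTACK, NORMAL))
    print("kept after ingress filter", len(ingress_filter(NORMAL)), len(ingress_filter(ATTACK)))
```

The entropy detector needs a representative baseline window; the ingress filter needs an accurate, symmetric routing table, which is why the text notes it is applied at the router's network input/output terminal.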
However, in spite of these various conventional methods for detecting source address spoofing packets, DDoS attacks using source address spoofing packets still occur. A basic reason is that the IP layer handles only the forwarding of packets and has no function for verifying the source address of a transferred packet.