1. Technical Field
Example embodiments of the present invention relate to methods of detecting a distributed denial of service (DDoS) or denial of service (DoS) attack that drops normal service connections, so that network and server resources are protected from the DDoS or DoS attack and smooth service is maintained, and more particularly to methods of detecting only the attack traffic of a malicious user.
2. Related Art
The domain name system (DNS), a representative open protocol of the transmission control protocol/Internet protocol (TCP/IP) suite, is open to anyone. Because of this openness, the original DNS service had no security concept. However, with increased commercial use of the Internet, the DNS has been exploited for query forgery and has become a vulnerable target of malicious DDoS or DoS attacks.
DNS failures caused by attacks occurred all over the world on Jan. 25, 2003. Representative examples of attacks that exploit security vulnerabilities of the DNS are a DNS cache poisoning attack, a DNS amplification attack, a malicious attack using a recursion query, an unauthorized zone transfer information disclosure, an unauthorized Berkeley Internet Name Domain (BIND) version information disclosure, and the like.
A representative DDoS or DoS attack is the DNS amplification attack, illustrated in FIG. 1, in which a caching DNS server is misused as a tool for DDoS or DoS attacks against other systems.
DDoS or DoS attacks that pose a significant threat to the availability of a network or server are developing globally while targeting nations or Internet-based systems, as in an attack against a root DNS server. Because attacks are launched from several tens of thousands to several hundreds of thousands of zombie personal computers (PCs), the damage is increasing day by day. A recent attack at a level of several to several tens of gigabits per second (Gbps) has completely disabled a network infrastructure.
Although hacking and DDoS or DoS attacks were previously regarded as specialized technology, a netbot attacker, the attack tool mainly used with a command and control (C&C) server (the server that delivers commands for DDoS or DoS attacks), can now be easily obtained on the Internet.
Because the attack tool can be obtained so easily, malicious attack traffic can be easily generated. However, existing attack detection and defense techniques have difficulty distinguishing normal users from malicious users. Also, a fixed dropping operation based on traffic measurement may drop traffic of normal users.
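As an added illustration of the two points above (the DNS amplification pattern of FIG. 1 and the weakness of a fixed, measurement-only drop), the following Python is example code written for this page, not code from the patent or its applicant. It contrasts a fixed per-source packet-rate drop with a per-source score that also uses the response/query byte ratio characteristic of amplification. The log records, IP addresses, window size and thresholds are constructed assumptions.

```python
"""Added example (not from the patent): rate-only dropping versus a
rate-plus-amplification score for DNS traffic seen at a caching resolver.
All records below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DnsRecord:
    ts_ms: int   # arrival time in milliseconds (constructed)
    src: str     # source IP as seen by the resolver (may be spoofed in an attack)
    qtype: str   # query type
    qlen: int    # query bytes on the wire
    rlen: int    # response bytes on the wire


# Constructed sample traffic:
#  - "10.0.0.5"    : a busy but normal client (many small A queries, small answers)
#  - "203.0.113.9" : the amplification pattern (fewer ANY queries, very large answers)
#  - "192.0.2.7"   : an idle normal client
SAMPLE = (
    [DnsRecord(t * 2, "10.0.0.5", "A", 60, 90) for t in range(500)]
    + [DnsRecord(t * 20, "203.0.113.9", "ANY", 64, 3200) for t in range(120)]
    + [DnsRecord(t * 500, "192.0.2.7", "A", 58, 85) for t in range(6)]
)

WINDOW_MS = 1000  # assumed measurement window


def peak_queries_per_window(records, window_ms=WINDOW_MS):
    """Per source, the maximum number of queries seen in any single window."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r.src][r.ts_ms // window_ms] += 1
    return {src: max(wins.values()) for src, wins in counts.items()}


def fixed_rate_drop(records, max_qps=200):
    """Fixed dropping based only on traffic measurement: a source is flagged
    purely because it exceeds max_qps in some window. This catches the busy
    normal client and misses the lower-rate amplification source."""
    return {src for src, peak in peak_queries_per_window(records).items()
            if peak > max_qps}


def amplification_score(records):
    """Per source: (peak queries per window, mean response/query byte ratio).
    The byte ratio is the amplification factor the resolver would provide
    toward whatever address the queries claim to come from."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)
    peaks = peak_queries_per_window(records)
    scores = {}
    for src, rs in by_src.items():
        amp = sum(r.rlen for r in rs) / sum(r.qlen for r in rs)
        scores[src] = (peaks[src], amp)
    return scores


def suspected_amplification(records, min_qps=50, min_amp=10.0):
    """Flag a source only when it is both sustained and highly amplifying,
    so a merely busy client with a low byte ratio is left alone."""
    return {src for src, (peak, amp) in amplification_score(records).items()
            if peak >= min_qps and amp >= min_amp}


if __name__ == "__main__":
    for src, (peak, amp) in sorted(amplification_score(SAMPLE).items()):
        print(f"{src:12s} peak={peak:4d} queries/window  amp={amp:5.1f}x")
    print("fixed-rate drop flags     :", sorted(fixed_rate_drop(SAMPLE)))
    print("amplification score flags :", sorted(suspected_amplification(SAMPLE)))
```

On the constructed sample the rate-only rule flags the busy normal client and lets the amplification source through, while the combined rule flags only the source whose traffic is both sustained and heavily amplified; in a real resolver the thresholds would be tuned to observed baselines rather than fixed.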