Detecting a client that causes a network problem by using a client route control system, for example identifying the Internet Protocol (IP) address of a distributed denial-of-service (DDoS) attack orderer, may refer to detecting and identifying a DDoS attack by controlling the client route: a domain name server (DNS), a client route control server, and several edge servers are used to designate the edge server that a user accesses.
DDoS attacks may generally be classified into two types. The first type may paralyze the server by burdening it with an excessive load. When such an attack occurs, the server may fail to process other jobs because of the load placed on it.
The second type may disable a network line by flooding it with traffic. When such an attack occurs, the server itself may have no problem, but because the network line connected to the server is disabled, the server and the client may be unable to communicate with each other. That is, the service may become difficult to maintain because of a problem in the network rather than in the server. Although many DDoS security technologies have been developed in preparation for this situation, they have not become fundamental solutions to it.
For example, the Honeynet is one of the DDoS defense technologies that have been widely used recently. A Honeynet may refer to a network including a plurality of honey pots. Here, honey pots may refer to virtual networks implemented to attract various external attacks in order to observe hacking trends. The technology intentionally exposes a virtual service with service components to a DDoS attack orderer to induce hacking. It has drawn attention because it may detect a hacker without affecting the server used in the actual service.
However, the honey pots constituting the Honeynet may have several problems. First, once a DDoS attack orderer identifies a honey pot, the attack orderer may attack again while avoiding that honey pot. That is, a honey pot that has been used once may be difficult to reuse. Also, when a honey pot is used to detect the IP of the DDoS attack orderer, the attack orderer may have to be kept on the honey pot until sufficient evidence has been left there. Thus, it may be difficult to respond quickly to the DDoS attack. The biggest problem is that the honey pot may become useless when the attack is of the type, among the DDoS attack types above, that causes excessive traffic in the network line.
Another defense method is Null Routing. Null Routing may refer to a technology that discards packets by forwarding the packets for a particular destination to the virtual interface “Null 0”. This technology may block DDoS packets directed toward the server without causing an overload in the network equipment, but it may provide only IP-based filtering and may not provide filtering based on service ports or contents.
There are various other defense technologies, but these conventional technologies share a common problem. Conventional DDoS defense technology may block a DDoS attack, but may not find and identify the IP of the attack orderer, that is, of the attacker.
Also, when an attacked line or IP range is blocked in order to block a DDoS attack, even normal users belonging to that line or range may be unable to use the service. This may cause lost time and excessive cost for service providers (e.g., financial institutions, public institutions, and games) that must maintain a service continuously, 24 hours a day.
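The two limitations described above (Null Routing filters on IP only, and blocking a range also cuts off normal users) can be seen in a small simulation. This is an added example, not part of the original text: the route table model, the interface name "edge0", the function names, and the sample packets are all assumptions constructed for illustration, using RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    legitimate: bool  # ground truth, known only because the sample is constructed

class RouteTable:
    """Longest-prefix-match table; next hop "Null0" means discard."""
    def __init__(self):
        self.routes = []  # list of (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, hop in self.routes:  # most specific prefix first
            if addr in net:
                return hop
        return None  # no matching route

def forward(table, packets):
    """Split packets into (delivered, dropped). Only p.dst is consulted."""
    delivered, dropped = [], []
    for p in packets:
        hop = table.lookup(p.dst)
        (dropped if hop in (None, "Null0") else delivered).append(p)
    return delivered, dropped

def collateral(dropped):
    """Legitimate packets discarded together with the attack traffic."""
    return [p for p in dropped if p.legitimate]

# Constructed sample traffic (hypothetical clients and servers).
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", 443, True),   # normal user
    Packet("198.51.100.8", "203.0.113.10", 443, False),  # flood, same port
    Packet("198.51.100.9", "203.0.113.10", 53, False),   # flood, other port
    Packet("198.51.100.7", "203.0.113.20", 443, True),   # unaffected server
]

def demo():
    table = RouteTable()
    table.add("203.0.113.0/24", "edge0")     # normal path (assumed name)
    table.add("203.0.113.10/32", "Null0")    # null route for the attacked IP
    return forward(table, SAMPLE)
```

The drop decision never reads the port or the sender, so the normal user's packet to the attacked address is discarded along with the flood, and nothing in the result identifies which sender was the attack orderer.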