1. Field of the Invention
The present invention relates to an electronic apparatus, especially to an application layer DDoS attack detecting and responding apparatus.
2. Description of the Related Art
Distributed Denial of Service (DDoS) attacks have long caused great damage, and recent botnet-based attacks such as Netbot Attacker, Blackenergy and the 7.7 DDoS have made them more difficult to respond to. Earlier DDoS attacks such as SYN, UDP, SYN+ACK and ICMP Flooding tended to consume bandwidth at the network layer. More recently, application-layer DDoS attacks that exhaust the victim's CPU, memory, DB server resources and the like have emerged, including HTTP GET Flooding and the Cache Control (CC) attack.
Most existing DDoS defense tools are, however, designed to cope mainly with network-layer DDoS attacks, not with application-layer DDoS attacks such as those of Netbot Attacker and Blackenergy, which generate only a small amount of HTTP traffic yet render victim hosts unavailable. Such botnets can carry out various types of attack, including HTTP GET Flooding and the CC attack as well as the network-layer DDoS attacks.
In recent years, several studies have been reported that deal with application-layer DDoS attacks. For example, given that the IP addresses of clients of a Web service are not uniformly distributed and that users are likely to revisit the web site, traffic analysis can measure the proportion of regular (returning) users in the current traffic, and that proportion can be utilized to detect a DDoS attack. Using Web service usage pattern analysis, suspicious IP addresses can be classified into a 'Greylist' to which fewer resources are allocated. Statistical approaches can be applied to the URL page-hit distribution in an attempt to distinguish a legitimate sudden spike in requests (a flash crowd) from a DDoS attack. Other defense methods have also been proposed, including web usage path analysis and Admission Control for abnormal users.
Under the conventional technology, however, the URL page-hit distribution requires heavy computation and varies widely with time and with the content being delivered, which makes threshold configuration difficult. The Admission Control method is deployed in an in-line configuration rather than an out-of-path configuration, and therefore requires session management.
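As an added illustration of the two heuristics cited above, returning-user proportion and URL page-hit distribution, the following Python script is example code written for this page; it is not the apparatus of this application nor the implementation of any of the cited studies. The learning-phase log, the three traffic windows, the thresholds (spike factor, minimum returning-user ratio, maximum distribution shift) and the choice of total variation distance as the statistic are all assumptions; the text names none of them.

```python
"""Illustrative window-based detector combining two of the heuristics cited
above: the share of requests from returning (previously seen) client IPs, and
the drift of a window's per-URL page-hit distribution from a learned baseline.
Added example; not the apparatus described in this application."""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Request = Tuple[str, str]  # (client IP, requested URL path)

# --- Constructed learning-phase log: one window of normal traffic ------------
LEARNING_LOG: List[Request] = [
    ("10.0.0.1", "/"), ("10.0.0.1", "/news"),
    ("10.0.0.2", "/"), ("10.0.0.2", "/login"),
    ("10.0.0.3", "/"), ("10.0.0.3", "/news"),
    ("10.0.0.4", "/"), ("10.0.0.4", "/search"),
    ("10.0.0.5", "/"), ("10.0.0.5", "/news"),
]


def page_hit_distribution(requests: Iterable[Request]) -> Dict[str, float]:
    """Fraction of the window's requests that hit each URL path."""
    counts = Counter(url for _ip, url in requests)
    total = sum(counts.values())
    return {url: n / total for url, n in counts.items()} if total else {}


def returning_user_ratio(requests: List[Request], known_ips: Set[str]) -> float:
    """Share of requests whose source IP was already seen during learning.
    Botnet traffic comes almost entirely from never-seen addresses."""
    if not requests:
        return 0.0
    return sum(1 for ip, _url in requests if ip in known_ips) / len(requests)


def total_variation(p: Dict[str, float], q: Dict[str, float]) -> float:
    """Total variation distance between two page-hit distributions
    (0 = identical, 1 = no URL in common). Assumed statistic; the cited
    studies are not described in enough detail to name one."""
    return 0.5 * sum(abs(p.get(u, 0.0) - q.get(u, 0.0)) for u in set(p) | set(q))


KNOWN_IPS: Set[str] = {ip for ip, _url in LEARNING_LOG}
BASELINE: Dict[str, float] = page_hit_distribution(LEARNING_LOG)
BASELINE_RATE: int = len(LEARNING_LOG)  # requests per window seen in learning


def classify_window(requests: List[Request], known_ips: Set[str],
                    baseline: Dict[str, float], baseline_rate: int,
                    spike_factor: float = 3.0, min_return_ratio: float = 0.5,
                    max_shift: float = 0.3) -> str:
    """Return "normal", "flash_crowd" or "ddos" for one time window.

    A window is only examined if its request count is a spike over the
    baseline rate. A spike whose traffic still follows the learned page-hit
    distribution is treated as a flash crowd, even if most clients are new;
    a spike that is both dominated by unknown IPs and concentrated away from
    the usual pages is flagged as an attack. Thresholds are assumed values."""
    if len(requests) < spike_factor * baseline_rate:
        return "normal"
    ratio = returning_user_ratio(requests, known_ips)
    shift = total_variation(page_hit_distribution(requests), baseline)
    if ratio < min_return_ratio and shift > max_shift:
        return "ddos"
    return "flash_crowd"


# --- Constructed windows ------------------------------------------------------
# Flash crowd: 4x the usual volume, three quarters of it from new IPs, but the
# pages requested follow the same 50/30/10/10 split as the baseline.
FLASH_CROWD_WINDOW: List[Request] = [
    (f"10.0.0.{i % 5 + 1}" if i < 10 else f"192.0.2.{i}", url)
    for i, url in enumerate(["/"] * 20 + ["/news"] * 12 + ["/login"] * 4 + ["/search"] * 4)
]
# HTTP GET flood: 20 never-seen bots, each hammering the expensive /search page.
ATTACK_WINDOW: List[Request] = [(f"198.51.100.{i % 20 + 1}", "/search") for i in range(60)]
NORMAL_WINDOW: List[Request] = LEARNING_LOG[:8]


def classify_all() -> Dict[str, str]:
    """Classify the three constructed windows against the learned baseline."""
    return {name: classify_window(win, KNOWN_IPS, BASELINE, BASELINE_RATE)
            for name, win in (("normal", NORMAL_WINDOW),
                              ("flash_crowd", FLASH_CROWD_WINDOW),
                              ("attack", ATTACK_WINDOW))}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:12s} -> {verdict}")
```

The flash-crowd window is deliberately built so that the returning-user ratio alone (0.25) would misclassify it; only the unchanged page-hit distribution separates it from the attack window, whose distribution sits 0.9 away from the baseline. Note that in a real deployment the baseline distribution and the thresholds drift with time and content, which is the configuration problem the paragraph on the conventional technology raises.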
The above-mentioned background art was possessed or acquired by the inventor in the course of conceiving the invention. Therefore it is not conclusive that it constitutes prior art disclosed to the public.