A Distributed Denial of Service (DDoS) attack is a type of attack in which a plurality of computers are operated simultaneously to place an excessive load on a specific website. That is, a hacker inserts programs that serve as DDoS attack tools into a plurality of computers and has them simultaneously transmit to a target website more packets than the system of that website can process, resulting in the deterioration of network performance or the paralysis of the system due to overload. When a website is under a DDoS attack of this kind, it is difficult for users to access it normally. In serious cases, network equipment or the hardware of the server may be damaged. Recently, as DDoS attacks have spread and taken on a criminal character aimed at obtaining money, the damage attributable to them has increased.
Computer systems on which DDoS attack tools have been installed by some route are used as hosts of a DDoS attack without their owners being aware of it. Well-known DDoS attack tools include Trinoo, Tribe Flood Network (TFN), Stacheldraht, and the like. DDoS attack tools invade the computer systems of ordinary users by being embedded in malicious code (malware) such as worms or viruses, or by passing through various other routes. As the DDoS attack tools are distributed and propagated in various ways, hackers can attack a target website using stronger and more varied methods. Because the attack sources are numerous and distributed and the attack patterns are of various types, it is not easy to effectively predict or defend against DDoS attacks.
Conventional DDoS attack detection and prevention technology was implemented either by detecting and blocking the unique attack patterns of DDoS attacks, or by limiting traffic at the level of the network or the server and guaranteeing the validity of the server. Here, the term “unique attack pattern” denotes a pattern in which an excessive number of packets forged in a format specific to each DDoS attack are generated to impose a load on the server. Representative unique attack patterns include Synchronize Sequence Number (SYN) flood, Transmission Control Protocol (TCP) flag flood, Hypertext Transfer Protocol (HTTP) flood, User Datagram Protocol (UDP) flood, and the like.
However, as DDoS attacks increasingly use normal network packets rather than distinctive attack patterns, it is becoming more and more difficult to detect them on the basis of attack patterns. Further, DDoS attackers construct large-scale networks of attacking computers, such as botnets, which makes detection still more difficult. As the number of attacking computers grows, a DDoS attack can be carried out merely by having them attempt to access the server normally, which makes DDoS attacks even harder to detect and prevent.
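
The limitation described above can be seen in a small added illustration, which is not part of the original text: a conventional per-source traffic limit is applied to three constructed one-second request windows. The thresholds, function names and addresses are assumptions chosen for the example.

```python
from collections import Counter

PER_SOURCE_LIMIT = 20  # assumed: requests/second tolerated from one source
SERVER_CAPACITY = 300  # assumed: requests/second the server can process


def build_window(sources, requests_each):
    """Constructed one-second window: one list entry (source IP) per request."""
    return [src for src in sources for _ in range(requests_each)]


def per_source_offenders(window, limit=PER_SOURCE_LIMIT):
    """Conventional traffic limiting: flag sources exceeding the per-source rate."""
    counts = Counter(window)
    return sorted(src for src, n in counts.items() if n > limit)


def assess(window):
    """Compare what the per-source limit sees with the load the server receives."""
    return {
        "requests": len(window),
        "sources": len(set(window)),
        "flagged": per_source_offenders(window),
        "overloaded": len(window) > SERVER_CAPACITY,
    }


# Constructed sample data (documentation and private address ranges).
# 40 ordinary users at 2 requests/second each.
LEGIT = build_window([f"198.51.100.{i}" for i in range(1, 41)], 2)
# One host sending at an abnormal rate: the per-source limit identifies it.
SINGLE_FLOOD = LEGIT + build_window(["203.0.113.9"], 500)
# 400 hosts, each behaving exactly like an ordinary user (2 requests/second).
BOTNET = LEGIT + build_window(
    [f"10.{i // 250}.{i % 250}.7" for i in range(400)], 2
)

if __name__ == "__main__":
    for name, window in [("legit", LEGIT), ("single", SINGLE_FLOOD),
                         ("botnet", BOTNET)]:
        result = assess(window)
        print(name, result["requests"], "req from", result["sources"],
              "sources; flagged:", len(result["flagged"]),
              "overloaded:", result["overloaded"])
```

In the botnet window the server receives more requests than it can process, yet no individual source exceeds the limit, so nothing is flagged.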