1. Field of the Invention
The present invention relates to a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. More particularly, the present invention relates to a method of identifying a zombie host infected with a malicious bot and performing a malicious action, a virtual server for performing the method, a method of recognizing the scale and distribution of zombies by analyzing zombie information obtained from such a virtual server, and a sinkhole server for performing the method.
2. Discussion of Related Art
As Internet services have diversified lately, use of the Internet is increasing. Thus, malicious code, such as computer viruses and Internet worms, is widespread over the Internet and causes extensive damage to Internet users. In particular, distributed denial of service (DDoS) attacks are considered a serious problem. In such an attack, multiple computers infected with a bot, that is, malicious code (the infected computers being referred to as “botnets”), explosively increase traffic toward a specific web server and hinder the web server from operating normally.
A computer infected with a bot is controlled by a hacker to perform a malicious action regardless of the intention of the computer's user, and is thus referred to as a zombie host. A sinkhole server is used to prevent infection with such a bot and the resulting malicious action.
In a conventional method of preventing a malicious action using a sinkhole server, when a zombie host sends a query to a domain name service (DNS) server to obtain the Internet protocol (IP) address of the domain of a botnet control server, the IP address of a sinkhole server is returned in response to the query. This directs the traffic of the zombie host to the sinkhole server and prevents a malicious action thereafter. However, this method has a problem in that it can only handle zombie hosts querying the domains of known botnet control servers.
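The conventional DNS-based redirection described above can be sketched as follows. This is an added example, not code from the patent; the blocklist entry, the sinkhole address (taken from a documentation range) and all function names are assumptions made for illustration. Note that a query for a domain not on the list is passed through unchanged, which is the limitation the paragraph points out.

```python
import socket
import struct

SINKHOLE_IP = "192.0.2.53"      # assumption: documentation-range address
KNOWN_C2 = {"c2.example.net"}   # assumption: constructed blocklist entry

def build_query(name, qid=0x1234):
    """Construct a minimal DNS A-record query (sample input for the demo)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_question(packet):
    """Return (qname, qtype, offset just past the question section)."""
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compressed name in question not supported")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack_from("!HH", packet, pos + 1)
    return ".".join(labels), qtype, pos + 5

def is_known_c2(qname, blocklist):
    """Match the name itself or any subdomain of a listed domain."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))

def answer(packet, blocklist=KNOWN_C2, sinkhole_ip=SINKHOLE_IP):
    """Return a sinkhole response for listed names, or None to resolve normally."""
    qname, qtype, end = parse_question(packet)
    if qtype != 1 or not is_known_c2(qname, blocklist):
        return None  # unknown domain: not redirected (the stated limitation)
    qid = struct.unpack_from("!H", packet, 0)[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    # Answer RR: pointer to the question name, TYPE=A, CLASS=IN, TTL=60, 4-byte RDATA
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
    return header + packet[12:end] + rr

def answered_ip(response):
    """Extract the A-record address from a response built by answer()."""
    return socket.inet_ntoa(response[-4:])
```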