This application claims the priority of Korean Patent Application Nos. 2003-92569, filed on Dec. 17, 2003 and 2004-26639, filed on Apr. 19, 2004 in the Korean Intellectual Property Office, the disclosures of which are incorporated herein in their entirety by reference.
1. Field of the Invention
The present invention relates to an apparatus and method for limiting bandwidths of burst aggregate flows which act to deteriorate network service quality by generating abnormal and excessive traffic, such as denial of service (DoS) attacks and worm scan attacks.
2. Description of the Related Art
Attacks that generate excessive traffic cause network congestion by concentrating a large amount of traffic in a short time. Therefore, the attacks degrade the service quality provided to authenticated users and may finally paralyze the attacked network. Conventional technologies for preventing network congestion are as follows.
(1) Queuing Technology
Queuing technology determines which packet is to be dropped when a network is congested, or in order to prevent network congestion. First-in first-out (FIFO), fair queuing (FQ), and random early detection (RED) have been suggested as methods of selecting the packet to be dropped. For traffic that responds to the network status, that is, traffic whose transmission rate decreases once it is detected that the network is in a congested state, conventional queuing technology is highly effective at relieving or preventing network congestion. However, the excessive traffic of DoS attacks, which keep generating traffic even in the congested state, and of many kinds of artificial flows cannot be controlled by those technologies.
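The contrast drawn above, as an added example that is not part of the patent application: a classic RED queue (EWMA of the queue length, drop probability rising linearly between min_th and max_th, forced drop above max_th) is driven first by a source that halves its window whenever a slot sees a drop, then by a source that sends at full rate regardless of drops. All parameters, the service rate and both source models are assumed toy values chosen only to make the difference visible.

```python
"""Random early detection (RED) on one interface queue, driven by a source that
backs off on drops and by one that keeps sending at full rate (DoS-like).
Added example, not code from the patent application; thresholds, w_q, service
rate and source behaviour are assumed toy values."""
import random


class RedQueue:
    """Classic RED drop decision: EWMA of the queue length, drop probability
    rising linearly from 0 at min_th to max_p at max_th, forced drop above max_th."""

    def __init__(self, min_th=5, max_th=15, max_p=0.1, w_q=0.2, capacity=30, seed=7):
        self.min_th, self.max_th, self.max_p, self.w_q = min_th, max_th, max_p, w_q
        self.capacity = capacity        # physical buffer size in packets
        self.length = 0                 # instantaneous queue length
        self.avg = 0.0                  # EWMA queue length
        self.count = -1                 # packets admitted since the last RED drop
        self.rng = random.Random(seed)  # seeded so runs are reproducible

    def base_probability(self):
        """p_b as a function of the current average queue length."""
        if self.avg < self.min_th:
            return 0.0
        if self.avg >= self.max_th:
            return 1.0
        return self.max_p * (self.avg - self.min_th) / (self.max_th - self.min_th)

    def arrive(self):
        """Decide on one arriving packet; return True if it was enqueued."""
        self.avg = (1 - self.w_q) * self.avg + self.w_q * self.length
        p_b = self.base_probability()
        if p_b == 0.0:
            self.count = -1
            drop = False
        elif p_b >= 1.0:
            self.count = 0
            drop = True
        else:
            self.count += 1
            denom = 1 - self.count * p_b        # spreads drops evenly over time
            p_a = 1.0 if denom <= 0 else min(1.0, p_b / denom)
            drop = self.rng.random() < p_a
            if drop:
                self.count = 0
        if not drop and self.length >= self.capacity:
            drop = True                          # buffer physically full: tail drop
        if not drop:
            self.length += 1
        return not drop

    def serve(self, n):
        """Transmit up to n packets."""
        self.length = max(0, self.length - n)


def simulate(responsive, rounds=60, service=10, peak=20):
    """Run `rounds` slots of arrivals, each followed by `service` transmissions.
    A responsive source grows its window by one per slot and halves it after a
    slot that saw a drop (TCP-like); a non-responsive source sends `peak`
    packets every slot no matter what.  Returns (total drops, mean standing
    queue left in the buffer after each service slot)."""
    q = RedQueue()
    window = 1 if responsive else peak
    drops, standing = 0, 0
    for _ in range(rounds):
        dropped_now = sum(0 if q.arrive() else 1 for _ in range(window))
        drops += dropped_now
        q.serve(service)
        standing += q.length
        if responsive:
            window = max(1, window // 2) if dropped_now else min(peak, window + 1)
    return drops, standing / rounds


if __name__ == "__main__":
    for label, resp in (("responsive source", True), ("non-responsive flood", False)):
        d, occ = simulate(resp)
        print(f"{label:22s} drops={d:4d} mean standing queue={occ:5.1f}")
```

With the responsive source, the early drops are a signal that the sender acts on, so the queue drains and few packets are lost. The flood ignores the signal, so RED can only keep dropping: the buffer stays congested and the loss rate is whatever the excess over the service rate dictates, which is the limitation the text describes.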
(2) Intrusion Detection and Prevention Technology
An intrusion detection system has been suggested to detect activities in a network such as scanning, hacking, or paralyzing a target system by generating abnormal packets or flows. The intrusion detection system drops traffic recognized as an attack either by being linked to a firewall or by its own ability. The latter is called an "intrusion prevention system", which detects intrusions and then drops them by itself. The intrusion prevention system protects a destination system and a network by detecting the attacking activities and dropping them early. However, the biggest problem of the intrusion prevention system is the false-positive problem of dropping normal traffic, which occurs when normal traffic is wrongly determined to be attack traffic. Due to this problem, most systems are operated such that attacks are detected automatically but dropped manually, at a manager's decision.
(3) Threshold-Based Rate Limit
This technology mitigates DoS attacks by comparing measured traffic volumes with threshold values and transmitting or discarding each packet accordingly. The threshold values are obtained from statistics gathered by directly measuring each subscriber's traffic. Since the amount of traffic cannot exceed the threshold values, this technology is effective against DoS attacks. However, the threshold values cannot be measured precisely, and inaccurately measured threshold values lead to the false-positive problem of dropping normal traffic.
(4) Aggregate Congestion Control (ACC)
ACC technology monitors the status of the packet transmission queue in each interface of a router. In the ACC technology, if the packet transmission queue is full for a predetermined time, the network is regarded as congested, and the congestion is relieved by classifying packets into aggregate flows according to their destination addresses and limiting the bandwidths of the aggregate flows that each have a relatively large bandwidth. Since this technology limits the bandwidths of aggregate flows according to destination address, a DoS attack on a specific destination address can be effectively dropped. However, this technology requires a new protocol for communication between routers, and since bandwidth is limited only by traffic volume, without checking whether a packet is abnormal, the false-positive problem cannot be completely solved.
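The false-positive problem shared by the threshold-based rate limit of (3) and the destination-address aggregate limiting of (4), as an added example that is not code from the patent application: aggregates are keyed by destination address, congestion is declared when the offered load over a measurement window exceeds the link capacity, and every aggregate above a share of capacity is put behind a token bucket at that rate. The trace, link capacity, share and burst values are constructed toy values; the `legit` flag on each packet is ground truth the simulation keeps only to count collateral damage, and a real router never sees it.

```python
"""Destination-address aggregate rate limiting in the style of the threshold-based
and ACC approaches: measure per-destination volume, declare congestion when the
offered load exceeds the link, and token-bucket the heaviest aggregates.
Added example, not code from the patent application; trace, link capacity,
share and burst are constructed toy values."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate: float     # packets per second refilled
    burst: float    # bucket depth in packets
    tokens: float   # current fill
    last: float     # timestamp of the last update

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AggregateLimiter:
    def __init__(self, link_pps, window=1.0, share=0.2, burst=20):
        self.link_pps = link_pps   # interface capacity, packets/s
        self.window = window       # measurement window, seconds
        self.share = share         # an aggregate above share*link_pps is "heavy"
        self.burst = burst
        self.buckets = {}

    def select_aggregates(self, packets):
        """Measurement phase.  Congestion is declared when the offered load over
        the window exceeds link capacity; every destination aggregate whose rate
        exceeds share*link_pps then gets a token bucket at exactly that rate.
        Only volume is examined, never whether the packets are abnormal."""
        offered = len(packets) / self.window
        self.buckets = {}
        if offered <= self.link_pps:
            return self.buckets
        limit = self.share * self.link_pps
        per_dst = Counter(dst for _, _, dst, _ in packets)
        t0 = packets[0][0]
        for dst, n in per_dst.items():
            if n / self.window > limit:
                self.buckets[dst] = TokenBucket(limit, self.burst, self.burst, t0)
        return self.buckets

    def forward(self, packets):
        """Enforcement phase: per-destination forwarded/dropped counts, plus how
        many of the dropped packets were legitimate (the false positives)."""
        stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0, "legit_dropped": 0})
        for ts, _src, dst, legit in packets:
            bucket = self.buckets.get(dst)
            if bucket is None or bucket.allow(ts):
                stats[dst]["forwarded"] += 1
            else:
                stats[dst]["dropped"] += 1
                stats[dst]["legit_dropped"] += int(legit)
        return dict(stats)


def constructed_traffic():
    """Constructed one-second trace of (timestamp, src, dst, legit) tuples."""
    pkts = []

    def stream(n, src_of, dst, legit):
        for i in range(n):
            pkts.append((i / n, src_of(i), dst, legit))

    stream(2000, lambda i: f"198.51.100.{i % 250}", "10.0.0.5", False)  # spoofed flood at the victim
    stream(50, lambda i: f"203.0.113.{i % 5}", "10.0.0.5", True)        # the victim's real clients
    stream(600, lambda i: f"192.0.2.{i % 200}", "10.0.0.9", True)       # flash crowd: heavy but legitimate
    stream(100, lambda i: "203.0.113.77", "10.0.0.7", True)             # ordinary background traffic
    pkts.sort(key=lambda p: p[0])  # stable sort keeps arrival order among ties
    return pkts


if __name__ == "__main__":
    limiter = AggregateLimiter(link_pps=1000)
    trace = constructed_traffic()
    print("rate-limited aggregates:", sorted(limiter.select_aggregates(trace)))
    for dst, s in sorted(limiter.forward(trace).items()):
        print(dst, s)
```

The flood to 10.0.0.5 is cut to the configured share, which is the intended effect. But the flash crowd to 10.0.0.9 exceeds the same volume threshold and is cut just as hard, and the victim's own legitimate clients share the victim's bucket with the spoofed packets: both are false positives that a purely volume-based limiter cannot distinguish, because no property of the packets other than their count is ever examined.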
As described above, the conventional technologies for countering abnormal burst traffic are only partially effective. They cannot fundamentally block the various attacks, such as DoS attacks and worm scan attacks, and they may also generate the false-positive problem.