1. Technical Field
An example embodiment of the present invention relates in general to technology for defending against Distributed Denial-of-Service (DDoS) attacks, and more specifically, to a method and apparatus for defending against DDoS attacks by means of abnormally terminated sessions, capable of detecting and responding to TCP-based DDoS attacks.
2. Related Art
A Distributed Denial of Service (“DDoS”) attack is a DoS attack in which a plurality of unspecified attackers transmit a large amount of data to a target server in order to disrupt the service provided by the server, sharply degrading the performance of the corresponding network or server and thereby preventing users from using the service.
DDoS attacks are broadly classified into network layer attacks and application layer attacks. Network layer attacks include TCP Flooding, UDP Flooding, ICMP Flooding, etc., and application layer attacks include HTTP Get Flooding, SIP Flooding, DNS Flooding, etc.
Conventional DDoS attacks could be easily detected and defended against by a statistical method based on traffic volume, since they generated a large amount of abnormal traffic using spoofed IP addresses, thereby exhausting the available bandwidth of a network or the resources of a server.
However, DDoS attacks have evolved into attacks that first establish a TCP connection using a genuine (non-spoofed) IP address and then attack over that connection. Because each such connection completes the normal TCP handshake, attack traffic is difficult to distinguish from normal traffic, and such attacks cannot be reliably detected by either a behavior-based method or a statistical method. A representative example of these attacks is TCP Connection Flooding.
TCP Connection Flooding is an attack that adds load to a server by establishing a TCP session and then immediately transmitting a FIN (finish) packet or a Reset (RST) packet to terminate the session without transmitting any data packets. That is, in normal operation a TCP session is established, data is transmitted, and then the session is terminated, whereas in TCP Connection Flooding a TCP session is established and immediately terminated without any data transfer. TCP Connection Flooding may also be called CPS Flooding, since it drives up the number of connections per second (CPS) that a server must handle.
Most DDoS attack detectors for detecting TCP Connection Flooding have a high false-positive rate, since they count the number of SYN packets that request session connections and determine that a DDoS attack has occurred when the SYN count exceeds a predetermined threshold value; a legitimate surge of new connections raises the SYN count in exactly the same way.
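To make the distinction between the two patterns concrete, the following Python script is an illustrative example added to this description (it is not code from the present application or from any cited detector). It walks a constructed client-to-server packet trace, tracks each flow through the three-way handshake, and counts per source address both SYN packets (what a SYN-count detector measures) and sessions that were established and then closed by FIN or RST without carrying any payload (the TCP Connection Flooding pattern). The addresses, port ranges and thresholds are assumed values chosen for the illustration. Both decision rules are then applied side by side, so that a busy but legitimate client, which opens many sessions that all carry data, trips the SYN-count rule but not the no-data-termination rule.

```python
"""Added example: classify TCP sessions by how they terminate.

Each packet in the constructed trace is a client-to-server packet
(src_ip, src_port, tcp_flags, payload_len).  Server-side packets are
omitted; the third packet of the handshake (a client ACK) marks the
session as established.  Addresses, ports and thresholds are assumed.
"""
from collections import defaultdict

SYN, ACK, FIN, RST = "S", "A", "F", "R"


def classify_flows(packets):
    """Run a small per-flow state machine and return, per source IP:
    syn       - SYN packets seen (what a SYN-count detector measures)
    normal    - sessions that carried payload before FIN/RST
    abnormal  - sessions established and then closed by FIN/RST with
                no payload at all (TCP Connection Flooding pattern)
    half_open - sessions closed before the handshake completed
    """
    flows = {}  # (src_ip, src_port) -> [state, payload_bytes]
    counts = defaultdict(lambda: {"syn": 0, "normal": 0, "abnormal": 0, "half_open": 0})
    for src_ip, src_port, flags, payload_len in packets:
        key = (src_ip, src_port)
        per_src = counts[src_ip]
        if SYN in flags:
            flows[key] = ["syn_sent", 0]
            per_src["syn"] += 1
            continue
        flow = flows.get(key)
        if flow is None:
            continue  # no SYN seen for this flow; not a session we track
        if flow[0] == "syn_sent" and ACK in flags and FIN not in flags and RST not in flags:
            flow[0] = "established"  # client ACK completing the 3-way handshake
        if flow[0] == "established":
            flow[1] += payload_len
        if FIN in flags or RST in flags:
            if flow[0] != "established":
                per_src["half_open"] += 1
            elif flow[1] > 0:
                per_src["normal"] += 1
            else:
                per_src["abnormal"] += 1
            del flows[key]
    return dict(counts)


def detect(counts, syn_threshold, abnormal_threshold):
    """Apply the two decision rules and return the sources each one flags."""
    by_syn = {ip for ip, c in counts.items() if c["syn"] > syn_threshold}
    by_abnormal = {ip for ip, c in counts.items() if c["abnormal"] > abnormal_threshold}
    return by_syn, by_abnormal


def session(src_ip, src_port, payload_len, close_flags):
    """Constructed client-side packets of one session."""
    pkts = [(src_ip, src_port, "S", 0), (src_ip, src_port, "A", 0)]
    if payload_len:
        pkts.append((src_ip, src_port, "PA", payload_len))
    pkts.append((src_ip, src_port, close_flags, 0))
    return pkts


def build_trace():
    """Constructed trace: one quiet client, one busy but legitimate client,
    and one source that opens sessions and resets them without any data."""
    trace = []
    for port in range(40000, 40003):
        trace += session("10.0.0.5", port, 300, "FA")     # normal close after data
    for port in range(50000, 50006):
        trace += session("203.0.113.9", port, 150, "FA")  # many sessions, all with data
    for port in range(1024, 1030):
        trace += session("198.51.100.7", port, 0, "RA")   # established, then RST, no data
    return trace


if __name__ == "__main__":
    counts = classify_flows(build_trace())
    by_syn, by_abnormal = detect(counts, syn_threshold=5, abnormal_threshold=5)
    for ip, c in counts.items():
        print(ip, c)
    print("flagged by SYN count:", sorted(by_syn))
    print("flagged by abnormal terminations:", sorted(by_abnormal))
```

With the assumed thresholds the SYN-count rule flags both the busy legitimate client and the attacking source, while the abnormal-termination rule flags only the source whose sessions never carry data; a flow that is reset before its handshake completes is counted separately as half-open rather than as an abnormally terminated session.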
The TCP Connection Flooding described above is a representative TCP-based DDoS attack of the network layer, and HTTP Get Flooding is a representative DDoS attack of the application layer. HTTP Get Flooding establishes a TCP session and then transmits a large number of HTTP Get Request messages to a server in order to load the server's resources, thereby disabling the server from providing service.
A conventional method of detecting HTTP Get Flooding is to count the number of HTTP Get Request packets and determine, if the count value exceeds a predetermined threshold value, that a DDoS attack has occurred. However, this method also has a high false-positive rate. Besides this method, many other methods for detecting HTTP Get Flooding have been proposed, for example: a method of tracing the history of source IPs transmitting HTTP Get Request messages to a specific Uniform Resource Identifier (URI); a method of analyzing the distribution of hits to each URI page of a server; a method in which a server analyzes the distribution of the times at which HTTP Get Request messages are received; a method of tracing the state of the application layer; and so on.
However, the above-described methods require a large amount of computation, since they analyze application layer data (that is, packet payloads) to find Get strings, trace connection states in the application layer, or perform analysis per flow (for example, per URI) in the application layer.
Korean Laid-open Patent Application No. 2011-0054537 (entitled “Apparatus for Detecting and Filtering DDoS Attack Based on Distribution”) discloses a technique for defending against HTTP Get Flooding among application layer DDoS attacks, in which the reception times of HTTP requests are measured for a predetermined time period, a distribution of the differences between the reception times is produced, and that distribution is compared with pre-stored normal traffic distribution information, a DDoS attack being detected according to the result of the comparison.
However, because Korean Laid-open Patent Application No. 2011-0054537 decides on a DDoS attack based on the reception times of HTTP requests, it may classify a case in which a large number of HTTP requests are legitimately generated at a server due to a specific event (a flash crowd) as a DDoS attack. Also, it can detect only application layer attacks.
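The following Python script is an illustrative example added to this description (it is not code from the cited application) of the distribution comparison as the two paragraphs above describe it, together with the flash-crowd problem. The histogram bin edges, the normal profile, the distance measure (total variation distance between histograms) and the decision threshold are all assumed here, and the three windows of request reception times are constructed rather than captured.

```python
"""Added example: detect HTTP Get Flooding by comparing the distribution
of inter-arrival times of HTTP requests with a stored normal profile.
Bin edges, the normal profile, the distance measure and the threshold
are assumed, and all request reception times are constructed."""

BINS = (0.01, 0.05, 0.25, 1.0)  # upper edges in seconds; a final bin catches the rest
THRESHOLD = 0.3                 # assumed maximum tolerated distance from the profile


def interarrival_histogram(times, bins=BINS):
    """Normalised histogram of differences between consecutive reception times."""
    times = sorted(times)
    diffs = [round(b - a, 6) for a, b in zip(times, times[1:])]
    hist = [0] * (len(bins) + 1)
    for d in diffs:
        i = 0
        while i < len(bins) and d > bins[i]:
            i += 1
        hist[i] += 1
    total = len(diffs) or 1
    return [h / total for h in hist]


def distribution_distance(p, q):
    """Total variation distance between two histograms (half the L1 norm), in [0, 1]."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def is_attack(times, normal_profile, threshold=THRESHOLD):
    """Decision rule: the observed window is an attack if its inter-arrival
    distribution is further than `threshold` from the stored normal profile."""
    return distribution_distance(interarrival_histogram(times), normal_profile) > threshold


def times_from_gaps(gaps, count, start=0.0):
    """Constructed reception times: `count` requests whose gaps cycle through `gaps`."""
    t, times = start, [start]
    for i in range(count):
        t += gaps[i % len(gaps)]
        times.append(t)
    return times


# Normal profile learned from a constructed quiet period: a mix of gaps
# from 20 ms to 2 s, as individual users browsing a site would produce.
NORMAL_GAPS = (0.02, 0.1, 0.3, 0.8, 2.0)
NORMAL_PROFILE = interarrival_histogram(times_from_gaps(NORMAL_GAPS, 100))


def evaluate():
    """Three constructed observation windows:
    normal      - same behaviour as the profile period
    get_flood   - a bot issuing a GET every 5 ms
    flash_crowd - many legitimate users arriving after an event, so
                  their requests are also packed closely together
    """
    windows = {
        "normal": times_from_gaps(NORMAL_GAPS, 100),
        "get_flood": times_from_gaps((0.005,), 100),
        "flash_crowd": times_from_gaps((0.004, 0.008, 0.02, 0.04), 100),
    }
    return {name: is_attack(t, NORMAL_PROFILE) for name, t in windows.items()}


if __name__ == "__main__":
    for name, flagged in evaluate().items():
        print(f"{name:12s} -> {'ATTACK' if flagged else 'normal'}")
```

Run on these inputs, the quiet window is at distance 0 from the profile and passes, the GET flood is at distance 1.0 and is flagged, but the flash crowd is at distance 0.8 and is flagged as well: because the rule looks only at when requests arrive, it cannot tell a burst of legitimate users from a flood, which is the false positive noted above.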