1. Technical Field
The present invention relates generally to a Transmission Control Protocol (TCP) flooding attack prevention method and apparatus, and, more particularly, to a TCP flooding attack prevention method and apparatus which defines a plurality of session states based on the kind and direction of a packet, tracks the session states for each flow, and detects and responds to a flooding attack, thereby rapidly and accurately detecting and preventing TCP flooding attacks.
2. Description of the Related Art
In a Distributed Denial-of-Service (DDoS) attack, a large and typically unidentified set of hosts transmits a high volume of traffic for the purpose of disrupting the normal service of a system, so that the performance of the target network or system degrades sharply and the service provided by that system can no longer be used.
A DDoS attack is classified as either a network-level attack or an application-level attack. A network-level attack is an attack on the network or transport layer, such as TCP flooding, User Datagram Protocol (UDP) flooding, and Internet Control Message Protocol (ICMP) flooding. An application-level attack is an attack on the application layer, such as Hypertext Transfer Protocol (HTTP) flooding, Session Initiation Protocol (SIP) flooding, and Domain Name System (DNS) flooding. Since the two types of attack have different properties, the methods used to detect and respond to them also differ.
Most existing DDoS prevention techniques use a simple method of measuring the volume of traffic, in bits per second (BPS) or packets per second (PPS), and blocking packets for a predetermined time if the volume exceeds a predetermined threshold. Intrusion Detection System/Intrusion Prevention System (IDS/IPS) products use a method of encoding string patterns that are characteristic of known DDoS attack tools as detection rules, performing pattern matching, and immediately blocking a packet in which a pattern is detected. Because simple pattern matching has limits, more recent attempts at an effective response combine priority queues with Quality of Service (QoS) or apply rate limiting.
However, these existing DDoS prevention techniques perform detection and response on the basis of raw traffic volume and string patterns alone. A volume threshold cannot distinguish an attack from a legitimate surge of connections, and a string pattern only catches tools whose signatures are already known, so there are limits on achieving rapid and accurate prevention in an actual DDoS attack situation.
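The following added example (not code from the patent) contrasts the two approaches described above: a raw packets-per-second threshold of the kind the related art relies on, and a per-flow tracker that assigns a session state based on the type (TCP flags) and direction of each packet and counts handshakes that never complete. The state names, thresholds, server address and packet traces are this example's assumptions, not the patent's definitions. It runs the two detectors over a constructed "flash crowd" of legitimate clients that all complete the handshake and over a constructed SYN flood of the same magnitude; the volume threshold fires on both, the session-state tracker fires only on the flood.

```python
"""Packets-per-second threshold versus per-flow TCP session-state tracking.

Illustrative code written for this page; the states, thresholds and traces
are assumptions, not the patent's definitions.
"""
from collections import Counter
from dataclasses import dataclass

SERVER = "10.0.0.1"   # assumed address of the protected host


@dataclass(frozen=True)
class Packet:
    t: float      # timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # TCP flags as a string, e.g. "S", "SA", "A", "F", "R"


def flow_key(p: Packet):
    """Canonical 4-tuple (client, client port, server, server port) so that
    packets in both directions map onto the same flow."""
    if p.dst == SERVER:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


def direction(p: Packet) -> str:
    return "to_server" if p.dst == SERVER else "from_server"


# Assumed session states for this example (not the patent's state set).
NEW, SYN_SEEN, SYNACK_SEEN, ESTABLISHED, CLOSED = range(5)


def next_state(state: int, direction: str, flags: str) -> int:
    """Transition table keyed on packet kind (flags) and direction."""
    if "R" in flags:
        return CLOSED
    if state == NEW and direction == "to_server" and flags == "S":
        return SYN_SEEN
    if state == SYN_SEEN and direction == "from_server" and flags == "SA":
        return SYNACK_SEEN
    if (state == SYNACK_SEEN and direction == "to_server"
            and "A" in flags and "S" not in flags):
        return ESTABLISHED
    if state == ESTABLISHED and "F" in flags:
        return CLOSED
    return state  # duplicate, out-of-order or irrelevant packet: keep state


def pps_alarm(packets, window=1.0, threshold=50) -> bool:
    """Related-art baseline: count packets per window, alarm if any window
    exceeds the threshold, regardless of what the packets are."""
    buckets = Counter(int(p.t // window) for p in packets)
    return any(count > threshold for count in buckets.values())


def half_open_flows(packets, window=1.0) -> int:
    """Track each flow's state; return the largest number of flows, opened
    within one window, that never reached ESTABLISHED (half-open)."""
    state, syn_time = {}, {}
    for p in packets:
        key = flow_key(p)
        prev = state.get(key, NEW)
        new = next_state(prev, direction(p), p.flags)
        if prev == NEW and new == SYN_SEEN:
            syn_time[key] = p.t
        state[key] = new
    per_window = Counter(int(syn_time[k] // window)
                         for k, s in state.items()
                         if s in (SYN_SEEN, SYNACK_SEEN) and k in syn_time)
    return max(per_window.values(), default=0)


def session_state_alarm(packets, half_open_threshold=20) -> bool:
    return half_open_flows(packets) > half_open_threshold


def make_trace(n_clients, prefix, complete=True):
    """Constructed trace: n clients each open a connection within one second.
    complete=False models a SYN flood whose handshakes are never finished."""
    pkts = []
    for i in range(n_clients):
        t, src, sport = i / n_clients, f"{prefix}.{i + 1}", 40000 + i
        pkts.append(Packet(t, src, SERVER, sport, 80, "S"))
        pkts.append(Packet(t + 0.001, SERVER, src, 80, sport, "SA"))
        if complete:
            pkts.append(Packet(t + 0.002, src, SERVER, sport, 80, "A"))
    return sorted(pkts, key=lambda p: p.t)


def classify(packets) -> dict:
    return {"pps_alarm": pps_alarm(packets),
            "half_open_flows": half_open_flows(packets),
            "session_state_alarm": session_state_alarm(packets)}


FLASH_CROWD = make_trace(60, "192.0.2", complete=True)    # 180 pkts, all complete
SYN_FLOOD = make_trace(60, "203.0.113", complete=False)   # 120 pkts, none complete
QUIET = make_trace(10, "198.51.100", complete=True)       # 30 pkts, all complete

if __name__ == "__main__":
    for name, trace in [("flash crowd", FLASH_CROWD), ("SYN flood", SYN_FLOOD), ("quiet", QUIET)]:
        print(name, classify(trace))
```

The design point is that the state tracker keys its alarm on flows stuck between SYN and the final ACK, so a burst of well-formed connections does not trip it, whereas the PPS counter sees only a number. A production version would age out half-open entries and evaluate the count continuously rather than at the end of a trace, and would bound the state table so the detector itself cannot be exhausted by spoofed flows.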