Journal of the Korea Institute of Information Security & Cryptology (정보보호학회논문지)

Korea Institute of Information Security and Cryptology (한국정보보호학회)
권호 표지
DOI QR코드

DOI QR Code

A Novel Application-Layer DDoS Attack Detection A1gorithm based on Client Intention

사용자 의도 기반 응용계층 DDoS 공격 탐지 알고리즘

  • Received : 2010.08.26
  • Accepted : 2010.09.27
  • Published : 2011.02.28
Download PDF
⟨ Previous Next ⟩

Abstract

An application-layer attack can effectively achieve its objective with a small amount of traffic, and detection is difficult because the traffic type is very similar to that of legitimate users. We have discovered a unique characteristic that is produced by a difference in client intention: Both a legitimate user and DDoS attacker establish a session through a 3-way handshake over the TCP/IP layer. After a connection is established, they request at least one HTTP service by a Get request packet. The legitimate HTTP user waits for the server's response. However, an attacker tries to terminate the existing session right after the Get request. These different actions can be interpreted as a difference in client intention. In this paper, we propose a detection algorithm for application layer DDoS attacks based on this difference. The proposed algorithm was simulated using traffic dump files that were taken from normal user networks and Botnet-based attack tools. The test results showed that the algorithm can detect an HTTP-Get flooding attack with almost zero false alarms.

서버의 응용계층에 대한 DDoS 공격은 매우 적은 량의 패킷으로 효과적인 공격이 가능하며, 공격 트래픽이 정상 트래픽과 유사하여 탐지가 매우 어렵다. 하지만 HTTP 응용계층 공격 트래픽에는 사용자 의도에 의한 특성이 있음을 찾았다. 정상 사용자와 DDoS 공격자는 동일하게 TCP 계층에서 세션을 맺는다. 이후 최소 한번의 HTTP Get 요구 패킷을 발생한다. 정상적인 HTTP 요구는 서버의 응답을 기다리지만 공격자는 Get 요청 직후 세션을 종료한다. 이러한 행위는 사용자 의도에 의한 차이로 해석할 수 있다. 본 논문에서는 이러한 차이를 기반으로 응용계층 분산서비스 거부 공격 탐지 알고리즘을 제안하였다. 제안된 알고리즘은 정상 네트워크와 봇 기반 분산서비스거부 공격 툴에서 발생한 트래픽으로 실험되었으며, 거의 오탐 없이 HTTP-Get 공격을 탐지함을 보여 주였다.

Keywords

References

  1. Kargl, F., Maier, J., and Weber, M. "Protecting web servers from distributed denial of service attacks," In Proceedings of the 10th International World Wide Web Conference. pp. 130-143, 2001.
  2. Honeynet "Know your enemy:tracking botnets," Whitepaper. The Honeynet Project & Research Alliance. Feb. 2005. www.honeynet.org/index.html.
  3. Wang, H., Zhang, D., and Shin, K. G. "Detecting SYN flooding attacks," In Proceedings of IEEE Infocom 2002, pp. 1530-1539, 2002.
  4. Tuncer, T. and Tatar,Y. "Detection SYN Flooding Attacks Using Fuzzy Logic." Proc. Int. Conf. Information Security and Assurance (ISA'08), Washington, DC, USA, pp. 321-325. Apr. 24-26, 2008.
  5. http://www.topology.org/src/bwshare/README.html
  6. http://www.sakura.ad.jp/tanaka/apache/module/mod access limit.tar.gz
  7. Abdelsayed, S., Glimsholt, D., Leckie, C., Ryan, S., and Shami, S. "An efficient filter for denial of service bandwidth attacks," In Proceedings of the 46th IEEE Global Telecommunications Conference (Globecom'03). pp. 1353-1357, 2003.
  8. Gil, T. M. and Poletto, M. "MULTOPS: A data-structure for bandwidth attack detection," In Proceedings of the 10th Usenix Security Symposium. 2001.
  9. http://www.zdziarski.com/projects/mod evasive/
  10. Jun Lv, Xing Li, and Tong Li, "Web based Application for Traffic Anomaly Detection Algorithm," Second International Conference on Internet and Web Applications and Services (ICIW'07), pp. 44-49, 2007.
  11. Takeshi Yatagai, Takamasa Isohara, and Iwao Sasase, "Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior," Communications, Computers and Signal Processing, pp. 232-235, 2007.
  12. Wei Zhou Lu and Shun Zheng Yu, "A HTTP Flooding Detection Method Based on Browser Behavior," IEEE Computational Intelligence and Security, 2006 International Conference on, vol. 2, pp. 1151-1154, Nov. 2006.
  13. Supranamaya Ranjan, Ram Swaminathan, Mustafa Uysl, Antonio Nucci, and Edward Knightly, "DDoS-Shield: DDoS-Resilient Scheduling to Counter Application Layer Attacks," IEEE/ACM Transactions on networking, vol. 17, no. 1, pp. 26-39, Feb. 2009. https://doi.org/10.1109/TNET.2008.926503
  14. Fiona Fui-Hoon Nah, "A study on tolerable waiting time: how long are Web users willing to wait?," http://sigs.aisnet.org/sighci/bit04/BIT_Nah.pdf