• Proceedings of the KAIS Fall Conference
• /
• 2011.05a
• /
• pp.53-56
• /
• 2011

지난 7.7 DDoS(Distributed Denial of Service), 3.3 DDoS 대란을 통해서 보여주듯 DDoS 공격이 네트워크 주요 위협요소로 매우 부각되고 있으나, 공격에 대해서 실시간으로 감지하고 대응하기에 어렵다. 그리고 현재 여러 분야에서 매우 많은 용도로 사용되는 SMS(Short Message Service)도 DDoS 공격 수단으로 사용되어 이동전화 시스템에 큰 혼란을 야기할 수 있다. 기존의 Bloom Filter 탐지 기법은 구조가 간단하고 실시간 탐지가 가능한 장점을 갖지만 오탐지율에 대한 문제점을 가진다. 본 논문에서는 목적지 기반의 다중의 해시함수를 사용한 Counting Bloom Filter 기법을 이용하여 임계치 이상 카운트된 동일한 목적지로 발송되는 SMS에 대하여 공격으로 탐지하고 SMSC에 통보하여 차단시키는 시스템을 제안한다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.5
• /
• pp.1726-1743
• /
• 2014

DDoS (Distributed Denial of Service) has been a continuous threat to the cyber world with the growth in cyber technology. This technical evolution has given rise to a number of ultra-sophisticated ways for the attackers to perform their DDoS attack. In general, the attackers who generate the denial of service, use the vulnerabilities of the TCP. Some of the vulnerabilities like SYN (synchronization) flooding, and IP spoofing are used by the attacker to create these Distributed Reflected Denial of Service (DrDoS) attacks. An attacker, with the assistance of IP spoofing creates a number of attack packets, which reflects the flooded packets to an attacker's intended victim system, known as the primary target. The proposed scheme, Efficient Spoofed Flooding Defense (ESFD) provides two level checks which, consist of probing and non-repudiation, before allocating a service to the clients. The probing is used to determine the availability of the requested client. Non-repudiation is taken care of by the timestamp enabled in the packet, which is our major contribution. The real time experimental results showed the efficiency of our proposed ESFD scheme, by increasing the performance of the CPU up to 40%, the memory up to 52% and the network bandwidth up to 67%. This proves the fact that the proposed ESFD scheme is fast and efficient, negating the impact on the network, victim and primary target.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.1
• /
• pp.147-153
• /
• 2015

Since the DoS(Denial of Service) attack is still an important vulnerable element in many web service sites, sites including public institution should try their best in constructing defensive systems. Recently, DDoS(Distributed Denial of Service) has been raised by prompting mass network traffic that uses NTP's monlist function or DoS attack has been made related to the DNS infrastructure which is impossible for direct defense. For instance, in June 2013, there has been an outbreak of an infringement accident where Computing and Information Agency was the target. There was a DNS application DoS attack which made the public institution's Information System impossible to run its normal services. Like this, since there is a high possibility in having an extensive damage due to the characteristics of DDoS in attacking unspecific information service and not being limited to a particular information system, efforts have to be made in order to minimize cyber threats. This thesis proposes a method for using TTL (Time To Live) value in IP header to detect DDoS attack with IP spoofing, which occurs when data is transmitted under the agreed regulation between the international and domestic information system.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.7
• /
• pp.3671-3689
• /
• 2019

Software defined networking brings unique security risks such as control plane saturation attack while enhancing the performance of wireless sensor networks. The attack is a new type of distributed denial of service (DDoS) attack, which is easy to launch. However, it is difficult to detect and hard to defend. In response to this, the attack threat model is discussed firstly, and then a DDoS attack prevention extension, called FuzzyGuard, is proposed. In FuzzyGuard, a control network with both the protection of data flow and the convergence of attack flow is constructed in the data plane by using the idea of independent routing control flow. Then, the attack detection is implemented by fuzzy inference method to output the current security state of the network. Different probabilistic suppression modes are adopted subsequently to deal with the attack flow to cost-effectively reduce the impact of the attack on the network. The prototype is implemented on SDN-WISE and the simulation experiment is carried out. The evaluation results show that FuzzyGuard could effectively protect the normal forwarding of data flow in the attacked state and has a good defensive effect on the control plane saturation attack with lower resource requirements.

• Proceedings of the Korean Information Science Society Conference
• /
• 2011.06d
• /
• pp.215-218
• /
• 2011

VoIP(Voice over Internet Protocol) 서비스는 기존의 음성전화 서비스(Public Switched Telephone Network, PSTN)와 달리 IP 프로토콜을 이용한 저렴한 통신비용 등의 장점이 있는 음성통신 기술로써, 기존의 아날로그 음성전화 서비스를 대신하는 서비스이며, 새로운 인터넷 융합서비스로 많은 사용자가 이용하고 있다. 하지만 VoIP 서비스가 인터넷망을 이용함으로 IP Spoofing, DoS (Denial of Server) / DDoS(Distributed Denial of Service), 등의 여러 가지 보안의 문제점을 가지고 있다. VoIP 서비스에서 DDoS 공격은 Proxy 서버 등에 대량의 공격 메시지를 보냄으로써 서버의 자원을 고갈시켜 정상적인 서비스를 하지 못하게 한다. DoS, DDoS 공격 중 Invite Flooding 공격은 1분에 수천 개의 Invite 메시지를 보내 회선의 자원을 고갈시키는 공격이다. 특히 IP/Port 위조하여 공격 경우 공격 패킷 탐지하기 어려우므로 차단할 수 없다. 따라서 본 논문에서는 VoIP의 DoS/DDoS 중 하나인 Invite Flooding 공격 시 SIP Proxy Server에서 메시지 분산시키는 방법과 MAC Address와 사용자 번호 등 IP 이외의 고정적인 사용자 정보를 확인하여 공격을 탐지하고, 공격 Agent에 감염된 Phone을 공격차단서비스로 보내 복구시키는 방법을 제안한다.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.7
• /
• pp.2512-2531
• /
• 2014

We propose a new Distributed Denial of Service (DDoS) defense mechanism that protects http web servers from application-level DDoS attacks based on the two methodologies: whitelist-based admission control and busy period-based attack flow detection. The attack flow detection mechanism detects attach flows based on the symptom or stress at the server, since it is getting more difficult to identify bad flows only based on the incoming traffic patterns. The stress is measured by the time interval during which a given client makes the server busy, referred to as a client-induced server busy period (CSBP). We also need to protect the servers from a sudden surge of attack flows even before the malicious flows are identified by the attack flow detection mechanism. Thus, we use whitelist-based admission control mechanism additionally to control the load on the servers. We evaluate the performance of the proposed scheme via simulation and experiment. The simulation results show that our defense system can mitigate DDoS attacks effectively even under a large number of attack flows, on the order of thousands, and the experiment results show that our defense system deployed on a linux machine is sufficiently lightweight to handle packets arriving at a rate close to the link rate.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.7 no.4
• /
• pp.895-909
• /
• 2013

Distributed Denial-of-Service (DDoS) attacks towards name servers of the Domain Name System (DNS) have threaten to disrupt this critical service. This paper studies the vulnerability of the cache server to the flooding DNS query traffic. As the resolution service provided by cache server, the incoming DNS requests, even the massive attacking traffic, are maintained in the waiting queue. The sojourn of requests lasts until the corresponding responses are returned from the authoritative server or time out. The victim cache server is thus overloaded by the pounding traffic and thereafter goes down. The impact of such attacks is analyzed via the model of queuing process in both cache server and authoritative server. Some specific limits hold for this practical dual queuing process, such as the limited sojourn time in the queue of cache server and the independence of the two queuing processes. The analytical results are presented to evaluate the impact of DDoS attacks on cache server. Finally, numerical results are provided for further analysis.

• The KIPS Transactions:PartC
• /
• v.12C no.6 s.102
• /
• pp.827-838
• /
• 2005

DDoS (Distributed Denial of Service) attack is a critical threat to current Internet. To solve the detection and response of DDoS attack on BcN, we have investigated detection algorithms of DDoS and Implemented anomaly detection modules. Recently too many technologies of the detection and prevention have developed, but it is difficult that the IDS distinguishes normal traffic from the DDoS attack Therefore, when the DDoS attack is detected by the IDS, the firewall just discards all over-bounded traffic for a victim or absolutely decreases the threshold of the router. That is just only a method for preventing the DDoS attack. This paper proposed the mechanism of response for the legitimated clients to be protected Then, we have designed and implemented the statistic based system that has the automated detection and response functionality against DDoS on Linux Zebra router environment.

• Proceedings of the Korea Multimedia Society Conference
• /
• 2004.05a
• /
• pp.25-28
• /
• 2004

DDoS(Distributed Denial-of-Service) 공격은 인터넷을 통한 보안 위협 중 대표적인 분산 서비스 거부 공격이다. DDoS은 해킹 공격자가 공격 근원지 IP 주소를 스누핑하여 공격목표로 하는 시스템의 가용자원을 고갈시키거나 과도한 부하를 유발시커 서비스를 중단시킨다. 이러한 공격에 대한 대응 기술로 제시된 IP 역추적 기술은 DDoS 공격의 근원지를 판별하고 전달된 공격 패킷을 통하여 네트워크상에서 공격 패킷 전달 경로를 재구성한다. 기존의 역추적 기술인 패킷 마킹 기법에서 DDoS 공격에 대한 판별 과정 없이 임의의 패킷에 대해 역추적 정보를 생성 즉 DDoS 공격에 능동적으로 대응하고 있지 못하는 단점에 착안하여 본 연구에서는 SVM 모듈을 적용한 라우터에서 DDoS 트래픽에 대한 판별 기능을 제공하고 또한 DDoS 공격 패킷에 대해 개선된 마킹 기법을 제시하였다. 연구 실험 결과 네트워크 부하를 줄이면서도 역추적 성능을 향상시킬 수 있었다.

• Journal of the Institute of Electronics and Information Engineers
• /
• v.51 no.5
• /
• pp.127-134
• /
• 2014

In DRDoS(Distributed Reflective Denial of Service) attacks, the victim is bombarded by packets from legitimate reflector unlike DDoS(Distributed Denial of Service) attacks through zombie, which is more dangerous than DDoS attack because it is in stronger disguise. Therefore, the method of filtering packet method on router are useless. Moreover SCTP(Stream Control Transmission Protocol) multi-homing feature, such as with an improved transmission protocol allows detecting attacks is more difficult and the effect of the attack can be maximized. In this paper we propose a DRDoS detection mechanism based on DRDoS utilizing attention to the characteristics of stateful protocols. The proposed scheme is backed by stateful firewall, and detect DRDoS attacks through a rules table and perform a defense treatment against DRDoS attack. Rules table with a simple structure is possible to easily adapt for any kind of stateful protocol can used by DRDoS attack. The experimental result confirm that our proposed scheme well detect DRDoS attacks using SCTP, the next-generation transmission protocol which not known by victim, and reduce the attacking packets rapidly.