A Distributed Network Security Management Scheme for Responding to DDoS Attacks

A Scheme of Distributed Network Security Management against DDoS Attacks

  • 김성기 (Dept. of Computer Science & Eng., Univ. of Incheon) ;
  • 유승환 (Dept. of Computer Science & Eng., Univ. of Incheon) ;
  • 김문찬 (Dept. of Computer Science & Eng., Univ. of Incheon) ;
  • 민병준 (Dept. of Computer Science & Eng., Univ. of Incheon) ;
  • Kim Sung-Ki (Dept. of Computer Science & Eng. Univ. of Incheon) ;
  • Yoo Seung-Hwan (Dept. of Computer Science & Eng. Univ. of Incheon) ;
  • Kim Moon-Chan (Dept. of Computer Science & Eng. Univ. of Incheon) ;
  • Min Byoung-Joon (Dept. of Computer Science & Eng. Univ. of Incheon)
  • Published: 2006.07.01

Abstract

Because DDoS (Distributed Denial of Service) attacks caused by worm propagation or automated attack tools cross domain boundaries and obstruct the access of legitimate users who share the communication path, defence and response at the level of an individual domain are not a realistic solution. Moreover, DDoS attacks that spoof the source IP address, or that send excessive bogus packets with a legitimate source IP address, make it impossible to identify the access of legitimate users. To solve these problems, this paper presents a distributed network security management scheme in which neighbouring domains identify DDoS attack flows and cooperate in attacker traceback and response. This paper assumes that the Internet consists of multiple domains and that each domain has one or more domain security managers. The distributed domain security managers share a physical line with their domain's border router, identify attack packets flowing into and out of the domain, and exchange messages with the neighbouring domain security managers for attack-source traceback and response. We implemented the domain security manager and ran experiments on a test-bed; compared with domain-level detection and response, detection accuracy (FPR: False Positive Rate, FNR: False Negative Rate) and response effectiveness (NPSR: Normal Packet Survival Rate) were superior.

Protecting against and responding to DDoS attacks or worm propagations within a single domain is not a practical solution, because such attacks clog the access of legitimate users who share communication lines beyond the boundary of a domain. In particular, DDoS attacks with spoofed source addresses, or with bogus packets whose destination addresses are changed randomly but which carry a valid source address, do not allow us to identify the access of legitimate users. We propose a scheme of distributed network security management to protect the access of legitimate users from DDoS attacks that exploit randomly spoofed source IP addresses or send bogus packets. We assume that the Internet is divided into multiple domains and that there exists one or more domain security managers in each domain, each responsible for identifying the hosts within its domain. The domain security manager forwards information regarding identified suspicious attack flows to neighboring managers and then verifies the attack upon receiving return messages from the neighboring managers. Through an experiment on a test-bed, the proposed scheme was verified to maintain high detection accuracy and to enhance the normal packet survival rate.
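A toy model of the neighbouring-manager verification and of the FPR/FNR/NPSR metrics, added here as an illustration; it is not the paper's implementation. The criteria the neighbouring manager applies when answering a query (source address not among the hosts it has identified, or one valid source spraying many destinations), the thresholds, and the traffic are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
@dataclass
class Flow:
    src: str
    dst: str
    pkts: int
    attack: bool  # ground truth, used only for scoring

@dataclass
class DomainManager:
    hosts: set                                  # hosts identified inside this domain
    neighbors: list = field(default_factory=list)
    pkts: dict = field(default_factory=lambda: defaultdict(int))  # src -> packets at border
    dsts: dict = field(default_factory=lambda: defaultdict(set))  # src -> destinations seen
    rate_thr: int = 100                         # constructed: too many packets from one src
    fanout_thr: int = 5                         # constructed: one src spraying random dsts

    def observe(self, flows):                   # watch packets crossing the border router
        for f in flows:
            self.pkts[f.src] += f.pkts
            self.dsts[f.src].add(f.dst)
    def local_suspects(self):                   # domain-level detection alone
        return {s for s, n in self.pkts.items() if n > self.rate_thr}
    def answer(self, src):                      # return message to a neighbour's query
        spoofed = src not in self.hosts                 # no identified host owns this address
        bogus = len(self.dsts[src]) > self.fanout_thr   # valid source, random destinations
        return spoofed or bogus
    def cooperative_suspects(self):             # keep only suspects a neighbour confirms
        return {s for s in self.local_suspects() if any(n.answer(s) for n in self.neighbors)}

def score(flows, blocked):  # FPR/FNR per flow, NPSR per normal packet, dropping blocked sources
    normal = [f for f in flows if not f.attack]
    attacks = [f for f in flows if f.attack]
    fpr = sum(f.src in blocked for f in normal) / len(normal)
    fnr = sum(f.src not in blocked for f in attacks) / len(attacks)
    npsr = sum(f.pkts for f in normal if f.src not in blocked) / sum(f.pkts for f in normal)
    return fpr, fnr, npsr

# Constructed traffic on the line between domain A (victim) and neighbouring domain B.
FLOWS = ([Flow("203.0.113.9", "192.0.2.10", 300, True)]                      # spoofed source
         + [Flow("10.1.1.5", f"192.0.2.{i}", 40, True) for i in range(1, 9)]  # bogus, valid src
         + [Flow("10.1.1.7", "192.0.2.10", 150, False),                      # heavy but legitimate
            Flow("10.1.1.8", "192.0.2.20", 20, False)])

def run():  # compare local-only and cooperative detection on the same test-bed traffic
    b = DomainManager({"10.1.1.5", "10.1.1.7", "10.1.1.8"})
    a = DomainManager({"192.0.2.10", "192.0.2.20"}, neighbors=[b])
    a.observe(FLOWS); b.observe(FLOWS)          # both managers share the inter-domain line
    return score(FLOWS, a.local_suspects()), score(FLOWS, a.cooperative_suspects())
```

With this traffic the local rate threshold alone blocks the heavy legitimate host (FPR 0.5, NPSR about 0.12), while asking the neighbour keeps both attack sources and spares it (FPR 0, NPSR 1.0).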
