Journal of the Korea Institute of Information and Communication Engineering (한국정보통신학회논문지)

The Korea Institute of Information and Commucation Engineering (한국정보통신학회)
권호 표지
DOI QR코드

DOI QR Code

Multi-level detection method for DRDoS attack

DRDoS 공격에 대한 다단계 탐지 기법

  • Baik, Nam-Kyun (Department of Information Security, Busan University of Foreign Studies)
  • Received : 2020.09.10
  • Accepted : 2020.09.18
  • Published : 2020.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

In this study, to provide the basis for establishing effective network based countermeasures against DRDoS(Distributed Reflection Denial of Service) attacks, we propose a new 'DRDoS attack multi-level detection method' that identifies the network based characteristics of DRDoS and applies probability and statistical techniques. The proposed method removes the limit to which normal traffic can be indiscriminately blocked by unlimited competition in network bandwidth by amplification of reflectors, which is characteristic of DRDoS. This means that by comparing 'Server to Server' and 'Outbound Session Incremental' for it, accurate DRDoS identification and detection is possible and only statistical and probabilistic thresholds are applied to traffic. Thus, network-based information security systems can take advantage of this to completely eliminate DRDoS attack frames. Therefore, it is expected that this study will contribute greatly to identifying and responding to DRDoS attacks.

본 연구에서는 DRDoS 공격에 대한 효과적인 네트워크 기반 대응책을 수립하는데 필요한 기초 자료를 제공하고자, DRDoS의 네트워크 기반 특징을 식별하고 이에 대한 확률 및 통계 기법을 적용한 새로운 'DRDoS 공격 다단계 탐지기법'을 제안하고자 한다. 제안된 기법은 DRDoS의 특징인 반사 서버의 증폭에 의한 네트워크 대역폭에서 무제한 경쟁으로 정상적인 트래픽이 무분별하게 차단될 수 있는 한계를 제거하고자 'Server to Server' 및 이에 대한 'Outbound 세션 증적' 여부를 비교하여 정확한 DRDoS 식별 및 탐지가 가능하고 이에 대한 트래픽에 대해서만 통계 및 확률적 임계값을 적용하기에, 네트워크 기반 정보보호 제품은 이를 활용하여 완벽하게 DRDoS 공격 프레임을 제거가 가능하다. 시험을 통해 제안한 기법이 DRDoS 공격에 대한 식별 및 탐지 정확성을 높이고 희생자 서버의 서비스 가용성을 확보함을 확인하였다. 따라서 본 연구결과는 DRDoS 공격 식별 및 대응에 크게 기여할 수 있을 것으로 기대한다.

Keywords

References

  1. DDoS Attack Response Guide for Small and Medium Businesses: [Internet]. Available: https://www.boho.or.kr/data/guideView.do?bulletin_writing_sequence =35135, 2019.
  2. Kaspersky DDOS attacks in Q1 2017: [Internet]. Available: https://securelist.com/ddos-attacks-in-q1-2017/78285/, 2017.
  3. TCP: [Internet]. Available: https://www.rfc-editor.org, 1981.
  4. M. Kuhrer, T. Hupperich, C. Rossow and T. Holz, "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks," USENIX Workshop on Offensive Technologies, 2014.
  5. H. Huang, L. Hu, J. Chu, and X. Cheng, "An Authentication Scheme to Defend Against UDP DrDoS Attacks in 5G Networks," Institute of Electrical and Electronics Engineers, vol. 7, 2019
  6. NTP Amplification DDoS Attack: [Internet]. Available: http://cve.mitre.org, 2013.
  7. CVE-2006-0987 Learn more at National Vulnerability Database (NVD): [Internet]. Available: https://cve.mitre.org, 2006.
  8. R.g Xu, J. Cheng, F. Wang, X. Tang, and J. Xu, "A DRDoS Detection and Defense Method Based on Deep Forest in the Big Data Environment," Symmetry, vol. 11, no. 1, Nov. 2019.
  9. Web Server Traffic in Crisis Conditions: [Internet]. Available: https://lup.lub.lu.se/search/ws/files/6029596/625288.pdf, 2005.
  10. N. Baik and N. Kang, "Multi-Phase Detection of Spoofed SYN Flooding attacks," International journal of Grid and Distributed Computing, vol. 11, no. 3, Mar. 2018.