Apparatus and method of detecting distributed reflection denial of service attack based on flow information
Abstract
Disclosed is an apparatus of detecting a distributed reflection denial of service attack, including: a monitoring unit obtaining flow information including an IP and a port number of a source, an IP and a port number of a destination of data, and the number and the sizes of packets; a memory unit storing a flow table in which the flow information of the data, the packet number and the packet size are input; and a control unit detecting the DRDoS attack by using at least one of the number and the size of packets of the first entry and the flow information of the first entry.
19 Claims
1. An apparatus for detecting a distributed reflection denial of service (DRDoS) attack, the apparatus comprising:
a monitoring unit obtaining flow information and the number and the sizes of packets of data which flows at one point of a communication network, the flow information including an IP of a source, a port number of the source, an IP of a destination, and a port number of the destination of the data;
a memory unit storing a flow table in which the flow information of the data, the packet number, and the packet size are input; and
a control unit inputting the number and the sizes of packets of data obtained by the monitoring unit for a predetermined time as a first entry for the flow information in the flow table when at least one of the port number of the source and the port number of the destination of the data is a predetermined port number, detecting the DRDoS attack by using
1) at least one of the number of packets and the size of packet of the first entry, and
2) the flow information of the first entry, and determining, using the first entry, a victim of the DRDoS attack, an IP which an attacker of the DRDoS attack spoofs, or both.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method of detecting a distributed reflection denial of service (DRDoS) attack, the method comprising:
obtaining flow information and the number and the sizes of packets of data which flows at one point of a communication network, the flow information including an IP of a source, a port number of the source, an IP of a destination, and a port number of the destination of the data;
inputting the number and the sizes of packets of data obtained for a predetermined time as a first entry for the flow information in the flow table when at least one of the port number of the source and the port number of the destination of the data is a predetermined port number;
detecting the DRDoS attack by using
1) at least one of the number of packets and the size of packet of the first entry, and
2) the flow information of the first entry, and determining, using the first entry, a victim of the DRDoS attack, an IP which an attacker of the DRDoS attack spoofs, or both.
Dependent claims: 12, 13, 14, 15, 18, 19.
16. A method of detecting a distributed reflection denial of service (DRDoS) attack, the method comprising:
obtaining flow information including an IP of a source, a port number of the source, an IP of a destination, and a port number of the destination of data which flows at one point of a communication network, and the number and the sizes of packets;
inputting the number and the sizes of packets of data obtained for a predetermined time as a first entry for each flow information in the flow table when at least one of the port number of the source and the port number of the destination of the data is a predetermined port number;
detecting the DRDoS attack by using
1) at least one of the number of packets and the size of packet of the first entry, and
2) the flow information of the first entry;
newly generating the flow table every predetermined time to input the number and the sizes of packets of the data obtained by the monitoring unit for a predetermined time in the flow table generated as the first entry for each flow information;
generating F1, F2, F3, F4, and F5 items in the first entry and
granting 1 to the F1 value of the first entry when the source port number item value of the first entry is the predetermined port number and the packet number item value of the first entry is larger than a predetermined 6-th value,
granting 1 to the F2 value of the first entry when the source port number item value of the first entry is the predetermined port number and the packet size item value of the first entry is larger than a predetermined 7-th value,
granting 1 to the F3 value of the first entry when the destination port number item value of the first entry is the predetermined port number and the packet number item value of the first entry is larger than a predetermined 8-th value,
calculating the number of first entries in which the destination IP item value is the same and the source port number item value is the same among the first entries input in the flow table, and granting 1 to the F4 value of the first entry in which the destination IP item value is the same and the source port number item value is the same when the calculated number of first entries is larger than a predetermined 9-th value, and
calculating the number of first entries in which the source IP item value is the same and the destination port number item value is the same among the first entries input in the flow table, and granting 1 to the F5 value of the first entry in which the source IP item value is the same and the destination port number item value is the same when the calculated number of first entries is larger than a predetermined 10-th value;
generating an Acc flow table;
inputting F1 to F5 of the first entry of the flow table in the Acc flow table as the second entry for each flow information and aggregating and inputting the F1 to F5 values of the second entry having the same flow information; and
determining that the DRDoS attack occurs when at least one of F1 to F5 of the second entry in the Acc flow table is larger than a predetermined 11-th value whenever all of the first entries of the respective generated flow tables are input every predetermined time.
Dependent claims: 17.
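The scoring scheme of claim 16 (per-window flow table of first entries keyed by the 4-tuple, F1 to F5 granted per entry, an Acc flow table that sums the flags over successive windows, and an alarm when any accumulated value exceeds the 11-th value), run over constructed sample traffic. This is an added Python example written for this page, not the patent's own implementation. The reflector port set {53, 123, 1900}, every threshold value, the sample packets, and the rule used to name the victim and the spoofed IP (replies leaving a reflector port point at the victim; requests toward a reflector port carry the forged source) are assumptions; the claims only speak of "a predetermined port number" and "predetermined" values.

```python
"""Flow-table scoring for DRDoS detection in the style of claim 16.

Added example for this page, not the patent's implementation. Reflector ports,
all thresholds, the sample traffic and the victim/spoofed-IP rule are assumed.
"""
from collections import defaultdict

# Assumed reflector ports (DNS, NTP, SSDP); the claims say "a predetermined port number".
REFLECTOR_PORTS = {53, 123, 1900}

# Assumed values for the 6-th to 11-th predetermined values of claim 16.
TH_PKTS_SRC = 50       # 6-th: packets in a flow whose source port is a reflector port
TH_BYTES_SRC = 40_000  # 7-th: bytes in a flow whose source port is a reflector port
TH_PKTS_DST = 50       # 8-th: packets in a flow whose destination port is a reflector port
TH_FANIN = 3           # 9-th: first entries sharing (destination IP, source port)
TH_FANOUT = 3          # 10-th: first entries sharing (source IP, destination port)
TH_ACC = 2             # 11-th: accumulated F value in the Acc flow table


def build_flow_table(packets):
    """One window: first entries keyed by (src IP, src port, dst IP, dst port),
    holding (packet number, packet size). Only flows with a reflector port on
    either side are entered, as the claim requires."""
    table = {}
    for src_ip, sport, dst_ip, dport, size in packets:
        if sport in REFLECTOR_PORTS or dport in REFLECTOR_PORTS:
            n, b = table.get((src_ip, sport, dst_ip, dport), (0, 0))
            table[(src_ip, sport, dst_ip, dport)] = (n + 1, b + size)
    return table


def score_flow_table(table):
    """Grant F1..F5 to every first entry of one flow table."""
    fanin = defaultdict(int)   # (dst IP, src port) -> number of first entries
    fanout = defaultdict(int)  # (src IP, dst port) -> number of first entries
    for src_ip, sport, dst_ip, dport in table:
        fanin[(dst_ip, sport)] += 1
        fanout[(src_ip, dport)] += 1
    flags = {}
    for key, (n, b) in table.items():
        src_ip, sport, dst_ip, dport = key
        f1 = int(sport in REFLECTOR_PORTS and n > TH_PKTS_SRC)
        f2 = int(sport in REFLECTOR_PORTS and b > TH_BYTES_SRC)
        f3 = int(dport in REFLECTOR_PORTS and n > TH_PKTS_DST)
        f4 = int(fanin[(dst_ip, sport)] > TH_FANIN)    # many reflectors -> one target
        f5 = int(fanout[(src_ip, dport)] > TH_FANOUT)  # one forged source -> many reflectors
        flags[key] = (f1, f2, f3, f4, f5)
    return flags


class AccFlowTable:
    """Second entries: F1..F5 summed over successive flow tables per flow."""
    def __init__(self):
        self.acc = defaultdict(lambda: [0] * 5)

    def add_window(self, flags):
        for key, fs in flags.items():
            self.acc[key] = [a + f for a, f in zip(self.acc[key], fs)]

    def detect(self):
        """Flows whose accumulated F1..F5 has any value above the 11-th value."""
        return {k: tuple(v) for k, v in self.acc.items() if max(v) > TH_ACC}


def classify(alerts):
    """Assumed rule: flows leaving a reflector port point at the victim;
    flows toward a reflector port carry the source IP the attacker spoofs."""
    victims, spoofed = set(), set()
    for (src_ip, sport, dst_ip, dport), (f1, f2, f3, f4, f5) in alerts.items():
        if sport in REFLECTOR_PORTS and (f1 or f2 or f4):
            victims.add(dst_ip)
        if dport in REFLECTOR_PORTS and (f3 or f5):
            spoofed.add(src_ip)
    return victims, spoofed


def run(windows):
    """Feed successive windows; return (window of first alarm, number of
    alerting flows, victims, spoofed IPs) or (None, 0, set(), set())."""
    acc = AccFlowTable()
    for i, packets in enumerate(windows, 1):
        acc.add_window(score_flow_table(build_flow_table(packets)))
        alerts = acc.detect()
        if alerts:
            return (i, len(alerts)) + classify(alerts)
    return None, 0, set(), set()


def make_window(victim, reflectors, port, client):
    """Constructed sample traffic for one window (not captured data)."""
    pkts = []
    for r in reflectors:
        pkts += [(victim, 40000, r, port, 64)] * 60    # request, source forged as victim
        pkts += [(r, port, victim, 40000, 1200)] * 60  # reflector's amplified reply
    pkts += [(client, 51515, reflectors[0], port, 64)] * 2   # benign lookup
    pkts += [(reflectors[0], port, client, 51515, 300)] * 2  # and its reply
    return pkts


if __name__ == "__main__":
    refls = ["203.0.113.%d" % i for i in range(1, 6)]
    print(run([make_window("198.51.100.7", refls, 53, "192.0.2.10") for _ in range(3)]))
```

With the assumed thresholds, each attack flow is flagged in every window (replies get F1, F2, F4; forged requests get F3, F5) while the benign lookup gets no flag, and the alarm fires on the third window, when the accumulated values first exceed the 11-th value. Because the forged requests carry the victim's address as their source, the "spoofed IP" and the "victim" resolve to the same host, which is the normal DRDoS case.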
Specification