An Analysis of Network Traffic on DDoS Attacks against Web Servers

  • 이철호 (Ajou University, Graduate School of Information and Communication, Department of Information and Communication Engineering);
  • 최경희 (Ajou University, Graduate School of Information and Communication);
  • 정기현 (Ajou University, School of Electronics Engineering);
  • 노상욱 (The Catholic University of Korea, School of Computer Science and Information Engineering)
  • Published: 2003.06.01

Abstract

This paper presents an analytic model of Distributed Denial-of-Service (DDoS) attacks in two settings: a Web server under normal load with no attack, and the same Web server under DDoS attack. In both settings we measure the TCP flag rate, defined as the ratio of the number of TCP packets with a given flag (SYN, ACK, RST, etc.) set to the total number of TCP packets, and the protocol rate, defined as the ratio of the number of TCP (or UDP, or ICMP) packets to the total number of IP packets. The experimental results show a distinctive and predictive pattern for DDoS attacks. We expect that our approach can be used to detect and prevent DDoS attacks.

In this study, while various DDoS attacks against a Web service were in progress, we measured the ratio of the number of packets whose TCP header has a particular flag set (SYN, ACK, RST, etc.) to the total number of packets. We found that the ratio of packets carrying a specific flag has very distinctive characteristics for each type of DDoS attack. The features obtained in this study are expected to be of considerable help in research on techniques for the early detection of DDoS attacks and for protecting systems against them.
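The two metrics defined in the abstract, computed over raw IPv4 packets, as an added example that is not code from the paper: the packet builders, the 10.0.0.x addresses, and both traces (twenty HTTP exchanges with background UDP and ICMP, and the same traffic with a thousand bare SYNs added on top) are constructed here for illustration. The rates are computed exactly as the abstract defines them; on the constructed flood the SYN rate rises and the ACK rate falls, which is the kind of per-flag shift the paper reports, but no threshold from the paper is assumed.

```python
"""Added example: TCP flag rate and protocol rate, as defined in the abstract,
computed over raw IPv4 packets. The packet builders and the two traces below
are constructed for illustration, not data from the paper."""
import struct
from collections import Counter

# Low six bits of the TCP flags byte (offset 13 of the TCP header).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4(pkt: bytes):
    """Return (IP protocol number, TCP flags or None) for one raw IPv4 packet,
    or None if the bytes are not a well-formed IPv4 packet. Truncated packets
    are skipped rather than counted, so malformed junk cannot skew the rates."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    if proto != 6:
        return proto, None
    if len(pkt) < ihl + 14:           # need the TCP header through the flags byte
        return None
    return proto, pkt[ihl + 13] & 0x3F


def traffic_rates(packets):
    """Flag rate = TCP packets with a given flag set / all TCP packets.
    Protocol rate = packets of a given protocol / all IP packets."""
    n_ip = n_tcp = 0
    proto_count, flag_count = Counter(), Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        proto, flags = parsed
        n_ip += 1
        proto_count[PROTO_NAMES.get(proto, str(proto))] += 1
        if flags is not None:
            n_tcp += 1
            for name, bit in FLAG_BITS.items():
                if flags & bit:
                    flag_count[name] += 1
    flag_rate = {n: (flag_count[n] / n_tcp if n_tcp else 0.0) for n in FLAG_BITS}
    proto_rate = {n: c / n_ip for n, c in proto_count.items()}
    return flag_rate, proto_rate


# --- constructed packets (hypothetical addresses, checksums left zero) ------
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def tcp(flags: int) -> bytes:
    # src port, dst port, seq, ack, data offset (5 words), flags, window, csum, urg
    return ipv4(6, struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0))


# One complete HTTP/1.1 exchange: handshake, request, response, FIN teardown.
F = FLAG_BITS
HTTP_EXCHANGE = [F["SYN"], F["SYN"] | F["ACK"], F["ACK"], F["PSH"] | F["ACK"], F["ACK"],
                 F["PSH"] | F["ACK"], F["FIN"] | F["ACK"], F["ACK"], F["FIN"] | F["ACK"], F["ACK"]]
# Background: ten DNS-sized UDP datagrams and five ICMP echo requests.
BACKGROUND = [ipv4(17, b"\x00" * 8)] * 10 + [ipv4(1, b"\x08\x00" + b"\x00" * 6)] * 5


def normal_trace(connections=20):
    """Constructed: `connections` full HTTP exchanges plus the background packets."""
    return [tcp(f) for _ in range(connections) for f in HTTP_EXCHANGE] + BACKGROUND


def syn_flood_trace(flood_packets=1000, connections=20):
    """Constructed: the same normal traffic with `flood_packets` bare SYNs on top."""
    return normal_trace(connections) + [tcp(F["SYN"])] * flood_packets


if __name__ == "__main__":
    for label, trace in (("normal", normal_trace()), ("syn flood", syn_flood_trace())):
        flag_rate, proto_rate = traffic_rates(trace)
        print(f"{label:10s} SYN={flag_rate['SYN']:.2f} ACK={flag_rate['ACK']:.2f} "
              f"FIN={flag_rate['FIN']:.2f} TCP={proto_rate['TCP']:.2f}")
```

Run with `python3 flag_rates.py` to print one row per trace. Against real traffic, feed `traffic_rates` the packets of one capture window (for example from a libpcap reader) and compute the rates per window, since the useful signal is the shift relative to the server's own baseline rather than any fixed absolute value.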
