Design of Defence Mechanism against DDoS Attacks in NCP-based Broadband Convergence Networks

Design of a DDoS Attack Response Scheme in NCP-based Broadband Convergence Networks

  • 한경은 (Electronics and Telecommunications Research Institute)
  • 양원혁 (Center for Advanced Image and Information Technology, Department of Computer Engineering, Chonbuk National University)
  • 유경민 (Center for Advanced Image and Information Technology, Department of Computer Engineering, Chonbuk National University)
  • 유재영 (Center for Advanced Image and Information Technology, Department of Computer Engineering, Chonbuk National University)
  • 김영선 (Electronics and Telecommunications Research Institute)
  • 김영천 (Center for Advanced Image and Information Technology, Department of Computer Engineering, Chonbuk National University)
  • Published: 2010.01.31

Abstract

In this paper, we propose an NCP (Network Control Platform)-based defense mechanism against DDoS (Distributed Denial of Service) attacks that guarantees the transmission of normal traffic and prevents the flood of abnormal traffic. We also define the defense modules, the threshold and the packet drop rate used for the response against DDoS attacks. The NCP decides whether a DDoS attack is in progress based on the flow and queue information collected from the SR (Source Router) and the VR (Victim Router). Attack packets are dropped according to the drop rate decided by the NCP. The performance is simulated using OPNET and evaluated in terms of the queue sizes of both the SR and the VR and the transmitted volumes of legitimate and attack packets at the SR.

In this paper, we propose an NCP (Network Control Platform)-based DDoS (Distributed Denial of Service) attack response scheme that prevents the flood of abnormal traffic caused by DDoS attacks and guarantees the delivery of legitimate traffic. To this end, we define the functional modules of the NCP, the SR (Source Router) and the VR (Victim Router), and propose a threshold for high-flow detection and a formula for deciding the attack packet drop rate. In the proposed scheme, the NCP decides whether a DDoS attack is in progress based on the high-flow information and queue information collected from the SR and VR, and determines the packet drop rate accordingly. The SR and VR then drop packets belonging to the corresponding flows according to the drop rate decided by the NCP. For performance evaluation, we run simulations in OPNET and compare the results in terms of the queue sizes of the SR and VR and the transmitted volume of attack traffic.
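The control loop the abstract describes (SR reports high flows, VR reports queue state, NCP decides a per-flow drop rate, SR/VR enforce it), as an added toy model that is not the paper's code: the high-flow threshold, the queue-occupancy alarm level and the drop-rate rule are assumptions, since the paper's own threshold and formula are not given on this page, and the sample reports are constructed.

```python
from dataclasses import dataclass

@dataclass
class FlowReport:
    """High-flow information reported by the Source Router (SR) to the NCP."""
    flow_id: str
    rate_pps: float  # measured packet rate of the flow

@dataclass
class QueueReport:
    """Queue information reported by the Victim Router (VR) to the NCP."""
    queue_len: int
    queue_cap: int

def high_flows(reports, threshold_pps):
    """SR-side detection: flows whose rate exceeds the high-flow threshold."""
    return [r for r in reports if r.rate_pps > threshold_pps]

def decide_drop_rates(flow_reports, queue_report, threshold_pps, queue_alarm=0.8):
    """NCP decision: declare an attack only when VR queue occupancy reaches
    queue_alarm AND SR reports high flows. Drop rate = share of a flow above
    the threshold (assumed rule; the paper's formula is not on this page)."""
    if queue_report.queue_len / queue_report.queue_cap < queue_alarm:
        return {}
    return {r.flow_id: round(1.0 - threshold_pps / r.rate_pps, 3)
            for r in high_flows(flow_reports, threshold_pps)}

def apply_drop(packets, drop_rates):
    """SR/VR enforcement with an exact integer per-mille accumulator instead of
    a random draw. Returns {flow_id: (forwarded, dropped)}."""
    acc, stats = {}, {}
    for flow_id in packets:
        fwd, drop = stats.get(flow_id, (0, 0))
        acc[flow_id] = acc.get(flow_id, 0) + int(round(drop_rates.get(flow_id, 0.0) * 1000))
        if acc[flow_id] >= 1000:  # a whole packet's worth of drop accumulated
            acc[flow_id] -= 1000
            drop += 1
        else:
            fwd += 1
        stats[flow_id] = (fwd, drop)
    return stats

# Constructed sample reports, not values from the paper's OPNET simulation.
SR_REPORT = [FlowReport("attack", 500.0), FlowReport("legit", 40.0)]
VR_CONGESTED = QueueReport(queue_len=90, queue_cap=100)
THRESHOLD_PPS = 100.0

if __name__ == "__main__":
    rates = decide_drop_rates(SR_REPORT, VR_CONGESTED, THRESHOLD_PPS)  # {'attack': 0.8}
    print(rates, apply_drop(["attack"] * 10 + ["legit"] * 5, rates))
```

With the VR queue below the alarm level the NCP returns no drop rates, so a single busy flow on an uncongested link is left alone; only the combination of SR high-flow reports and VR congestion triggers dropping.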
