A Detect and Defense Mechanism of Stateful DRDoS Attacks

Korean title: 상태기반 DRDoS 공격에 대한 탐지 및 방어기법 (Detection and Defense Technique for Stateful DRDoS Attacks)

  • Kim, Minjun (김민준), Dept. of Computer Engineering, Pukyong National University (부경대학교 컴퓨터공학과)
  • Seo, Kyungryong (서경룡), Dept. of Computer Engineering, Pukyong National University (부경대학교 컴퓨터공학과)
  • Received: 2014.02.06
  • Accepted: 2014.04.28
  • Published: 2014.05.25

Abstract

In DRDoS (Distributed Reflective Denial of Service) attacks the victim is bombarded by packets from legitimate reflectors, unlike DDoS (Distributed Denial of Service) attacks, which are launched through zombies. This makes DRDoS more dangerous than DDoS because the attack is better disguised, and packet-filtering methods on routers are therefore useless against it. Moreover, transport protocols with improved features, such as the multi-homing of SCTP (Stream Control Transmission Protocol), make attacks harder to detect and can maximize their effect. In this paper we propose a DRDoS detection mechanism that builds on the very characteristics of stateful protocols that DRDoS attacks exploit. The proposed scheme is backed by a stateful firewall, detects DRDoS attacks through a rules table, and performs a defense treatment against the attack. The rules table has a simple structure and can easily be adapted to any kind of stateful protocol that a DRDoS attack can use. The experimental results confirm that the proposed scheme detects DRDoS attacks that use SCTP, a next-generation transport protocol unknown to the victim, and rapidly reduces the number of attacking packets.

A DRDoS (Distributed Reflective Denial of Service) attack is carried out through reflector servers that are operating normally, and it is far more lethal than a DDoS (Distributed Denial of Service) attack, which needs host machines (zombies) to mount the attack. Because the incoming attack packets come from reflector servers performing normal activity, detecting or blocking DRDoS with the traditional approach of source-packet analysis is very difficult. Moreover, if the attack uses a transport protocol with improved features, such as the multihoming of SCTP (Stream Control Transmission Protocol), which has recently attracted attention, countering it becomes even harder and the effect of the attack can be maximized. In this paper, noting that DRDoS exploits the characteristics of stateful protocols, we propose a stateful detection method that counters it. The proposed method works together with a stateful firewall and, through a rules table organized according to the transport protocol, detects DRDoS attacks and performs the defense against them. The rules table has a simple structure, can easily be updated, is not restricted to a particular protocol, and can respond to DRDoS attacks on any kind of stateful protocol. Through experiments we confirmed that, even for attacks using a next-generation transport protocol such as SCTP that the target does not know, the SCTP DRDoS attack packets were detected well, and that the proposed defense method sharply reduced the number of attack packets.
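The abstract describes the idea in general terms: a stateful firewall records the requests the protected host sends, a per-protocol rules table says which inbound message types are only legitimate as replies to such requests, and a reply with no matching state is a reflected packet to be dropped. The following Python block is an added illustration of that idea, written for this page; it is not the paper's implementation and its rules table, class and function names, threshold and sample packets are all constructed. The protocol facts it relies on are real (an SCTP INIT-ACK answers an INIT, a COOKIE-ACK answers a COOKIE-ECHO, a TCP SYN-ACK answers a SYN), and the addresses come from the documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed rules table: for each stateful protocol, an inbound message
# type that is only legitimate when it answers a request we sent first.
# Adding a protocol means adding one more entry, which is the point the
# abstract makes about the table being easy to adapt.
RULES: Dict[str, Dict[str, str]] = {
    "sctp": {"INIT-ACK": "INIT", "COOKIE-ACK": "COOKIE-ECHO"},
    "tcp": {"SYN-ACK": "SYN"},
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    kind: str  # message type, e.g. INIT, INIT-ACK, SYN, SYN-ACK, DATA


class StatefulDRDoSDetector:
    """Hypothetical stateful detector: tracks requests the protected host
    sends and drops reply-type packets that answer nothing we asked for."""

    def __init__(self, rules: Dict[str, Dict[str, str]], threshold: int = 3) -> None:
        self.rules = rules
        self.threshold = threshold  # unsolicited replies before a source is blocked
        self.pending: Set[Tuple[str, str, int, int, str]] = set()  # state table
        self.reflected: Dict[str, int] = {}  # unsolicited replies per source
        self.blocked: Set[str] = set()

    def outbound(self, pkt: Packet) -> None:
        # Record our own request keyed by (proto, peer, peer port, our port, kind).
        self.pending.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport, pkt.kind))

    def inbound(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop' for an inbound packet."""
        if pkt.src in self.blocked:
            return "drop"
        expected_request = self.rules.get(pkt.proto, {}).get(pkt.kind)
        if expected_request is None:
            return "pass"  # not a reply type the rules table governs
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport, expected_request)
        if key in self.pending:
            self.pending.discard(key)  # the reply we were waiting for
            return "pass"
        # A reply with no matching state is a reflected packet: drop it,
        # and block the reflector once it exceeds the threshold.
        count = self.reflected.get(pkt.src, 0) + 1
        self.reflected[pkt.src] = count
        if count >= self.threshold:
            self.blocked.add(pkt.src)
        return "drop"


def run_example():
    """Replay a constructed trace: one legitimate SCTP handshake reply and
    several reflected replies that answer requests the host never sent."""
    local = "10.0.0.5"
    det = StatefulDRDoSDetector(RULES, threshold=3)
    trace = [
        ("out", Packet("sctp", local, 40000, "203.0.113.10", 5000, "INIT")),
        ("in", Packet("sctp", "203.0.113.10", 5000, local, 40000, "INIT-ACK")),  # matches state
        ("in", Packet("sctp", "198.51.100.7", 5000, local, 41000, "INIT-ACK")),  # unsolicited
        ("in", Packet("sctp", "198.51.100.7", 5000, local, 41001, "INIT-ACK")),  # unsolicited
        ("in", Packet("sctp", "198.51.100.7", 5000, local, 41002, "INIT-ACK")),  # third: blocked
        ("in", Packet("sctp", "198.51.100.7", 5000, local, 41003, "DATA")),      # source blocked
        ("in", Packet("tcp", "192.0.2.9", 80, local, 42000, "SYN-ACK")),         # no SYN sent
    ]
    verdicts = []
    for direction, pkt in trace:
        if direction == "out":
            det.outbound(pkt)
            verdicts.append("sent")
        else:
            verdicts.append(det.inbound(pkt))
    return verdicts, det


if __name__ == "__main__":
    v, d = run_example()
    print(v)             # ['sent', 'pass', 'drop', 'drop', 'drop', 'drop', 'drop']
    print(d.blocked)     # {'198.51.100.7'}
```

Two caveats a deployment would have to address. The state table needs expiry of pending entries, otherwise a host that sends many requests that are never answered accumulates state indefinitely. And the key used here includes the peer address, which is a simplification: a multi-homed SCTP peer may be reachable on several addresses, so matching on the association's full address list rather than a single address may be needed, which is exactly why the abstract singles out multi-homing as making detection harder.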

Cited by

  1. A Response System for DRDoS Amplification Attacks (DRDoS 증폭 공격 대응 시스템), vol. 10, pp. 12, 2014, https://doi.org/10.22156/cs4smb.2020.10.12.022