KR-20260062750-A - METHOD AND DEVICE FOR DETECTING AND DEFENDING AGAINST DDOS ATTACKS

Abstract

According to one embodiment of the present disclosure, a computer program stored on a computer-readable storage medium is disclosed. The computer program performs a method for responding to a DDoS attack, and the method may include: generating a flow group, from flow information collected from a backbone router, based on a 5-tuple comprising a source IP, a destination IP, a source port, a destination port, and a protocol; determining that the traffic of the flow group is a Distributed Denial of Service (DDoS) attack if the traffic of the flow group exceeds a preset threshold within a set time; diverting the traffic of the flow group determined to be a DDoS attack to a DDoS defense device through a configured path before it is delivered to a customer network; and filtering the DDoS attack traffic detected by the DDoS defense device so that only normal traffic is delivered to the customer network.

Inventors

  • 김성민

Assignees

  • (주) 케이티클라우드

Dates

Publication Date
2026-05-07
Application Date
2024-10-29

Claims (17)

  1. A computer program stored on a computer-readable storage medium, the computer program performing a method for responding to a DDoS attack, the method comprising: generating a flow group, from flow information collected from a backbone router, based on a 5-tuple comprising a source IP, a destination IP, a source port, a destination port, and a protocol; determining that the traffic of the flow group is a Distributed Denial of Service (DDoS) attack if the traffic of the flow group exceeds a preset threshold within a certain period of time; diverting the traffic of the flow group determined to be a DDoS attack to DDoS defense equipment through a configured path before it is delivered to the customer network; and filtering the DDoS attack traffic detected by the DDoS defense equipment and transmitting only normal traffic to the customer network.
  2. The computer program of claim 1, wherein generating the flow group comprises classifying traffic data based on a netmask and grouping it into 24-bit or 32-bit subnet units.
  3. The computer program of claim 1, wherein the threshold is configured based on the normal traffic pattern of the customer network and is adjusted according to normal traffic fluctuations of the customer network.
  4. The computer program of claim 1, wherein the traffic of the customer network is divided into predetermined time units and the threshold is configured independently for each time unit according to the traffic of that time unit.
  5. The computer program of claim 4, wherein, based on an analysis of traffic data over a predetermined period for each time slot of the customer network, the maximum traffic value recorded in each time slot is set as the threshold for that time slot.
  6. The computer program of claim 1, wherein the threshold is set differently depending on the nature of the customer network.
  7. The computer program of claim 1, wherein diverting the traffic of the flow group identified as a DDoS attack to DDoS defense equipment through a configured path before it is delivered to the customer network comprises diverting the traffic identified as a DDoS attack from the backbone router to the IDC provider's DDoS defense equipment, so that the diverted traffic passes through the DDoS defense equipment and is then transmitted to the customer network via the customer switch.
  8. The computer program of claim 7, wherein diverting the traffic of the flow group identified as a DDoS attack to DDoS defense equipment through a configured path before it is delivered to the customer network comprises diverting the traffic to a DDoS defense device selected according to the protocol or the volume of the traffic.
  9. The computer program of claim 7, wherein diverting the traffic of the flow group identified as a DDoS attack to DDoS defense equipment through a configured path before it is delivered to the customer network is performed according to routing control of the backbone router by the operations center.
  10. The computer program of claim 9, wherein the operations center controls the backbone router so that, after the DDoS attack has ended, traffic is transmitted to the customer network via the normal path.
  11. The computer program of claim 1, wherein the DDoS defense equipment compares traffic with preset DDoS attack patterns, blocks traffic matching the DDoS attack patterns, and forwards normal traffic to the customer network.
  12. The computer program of claim 1, wherein the DDoS defense equipment analyzes the traffic by protocol and filters it by applying different filtering rules for each protocol, so as to block DDoS attack traffic and deliver normal traffic to the customer network.
  13. The computer program of claim 1, wherein the DDoS defense equipment logs DDoS attack traffic to a security log and updates the filtering rules based on the logged DDoS attack traffic.
  14. The computer program of claim 1, wherein diverting the traffic of the flow group identified as a DDoS attack to DDoS defense equipment through a configured path before it is delivered to the customer network comprises controlling predetermined traffic so that it is delivered to the customer network without being diverted through the DDoS defense equipment.
  15. The computer program of claim 1, the method further comprising generating a traffic analysis report and providing real-time notifications to the customer in the event of a DDoS attack.
  16. A method for responding to a DDoS attack, comprising: generating a flow group, from flow information collected from a backbone router, based on a 5-tuple comprising a source IP, a destination IP, a source port, a destination port, and a protocol; determining that the traffic of the flow group is a Distributed Denial of Service (DDoS) attack if the traffic of the flow group exceeds a preset threshold within a certain period of time; diverting the traffic of the flow group determined to be a DDoS attack to DDoS defense equipment through a configured path before it is delivered to the customer network; and filtering the DDoS attack traffic detected by the DDoS defense equipment and transmitting only normal traffic to the customer network.
  17. A computer device comprising: one or more processors; and a memory storing instructions executable by the one or more processors, wherein the one or more processors: create a flow group, from flow information collected from a backbone router, based on a 5-tuple comprising a source IP, a destination IP, a source port, a destination port, and a protocol; determine that the traffic of the flow group is a Distributed Denial of Service (DDoS) attack if the traffic of the flow group exceeds a preset threshold within a certain period of time; divert the traffic of the flow group identified as a DDoS attack to DDoS defense equipment via a configured path before it is delivered to the customer network; and filter the DDoS attack traffic detected by the DDoS defense equipment and forward only normal traffic to the customer network.
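The detection pipeline described in claims 1, 2, 4, 5, 7, 10 and 14 (flow grouping by destination prefix, per-time-slot thresholds taken as the historical maximum, threshold comparison per detection window, and the divert/restore decision with an exemption list) can be sketched as follows. This is an added example written for this page, not code from the patent or from the assignee; it assumes a grouping key of destination /24 or /32 prefix plus protocol, hourly time slots, a 60-second detection window, and byte volume as the "traffic" measure, none of which the claims fix. The flow records are constructed inline rather than parsed from a real NetFlow export, and the controller only emits the divert/restore decisions that, in the claimed system, the operations center would apply as routing changes on the backbone router.

```python
"""Flow-group DDoS detection with per-slot thresholds (added example, assumptions noted)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

SLOT_SECONDS = 3600     # assumption: time-of-day slots are one hour wide (claim 4)
WINDOW_SECONDS = 60     # assumption: traffic is compared per 60 s window (claim 1)


@dataclass(frozen=True)
class FlowRecord:
    """One exported flow record (constructed shape, not a NetFlow/IPFIX parser)."""
    ts: int        # epoch seconds of the flow start
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    nbytes: int


def group_key(rec, prefix_len=24):
    """Claim 2: collapse the destination into a /24 or /32 and key on it plus protocol."""
    net = ipaddress.ip_network(f"{rec.dst_ip}/{prefix_len}", strict=False)
    return (str(net), rec.proto)


def window_volumes(records, prefix_len=24, window=WINDOW_SECONDS):
    """Sum bytes per (flow group, window start); one value per group per window."""
    vol = defaultdict(int)
    for r in records:
        vol[(group_key(r, prefix_len), r.ts - r.ts % window)] += r.nbytes
    return vol


def slot_of(ts):
    """Time-of-day slot index of a timestamp (0..23 with hourly slots)."""
    return (ts % 86400) // SLOT_SECONDS


def build_thresholds(history, prefix_len=24):
    """Claim 5: per (group, slot) threshold = maximum window volume seen in that slot."""
    thr = defaultdict(int)
    for (grp, wstart), b in window_volumes(history, prefix_len).items():
        slot = slot_of(wstart)
        thr[(grp, slot)] = max(thr[(grp, slot)], b)
    return dict(thr)


def detect(records, thresholds, prefix_len=24):
    """Claim 1: report windows whose group volume exceeds the threshold of their slot."""
    hits = {}
    for (grp, wstart), b in window_volumes(records, prefix_len).items():
        limit = thresholds.get((grp, slot_of(wstart)))
        if limit is not None and b > limit:
            hits[(grp, wstart)] = b
    return hits


class DivertController:
    """Claims 7/10/14: switch a group to the scrubbing path while it is attacking,
    restore the normal path once it is not, and never divert exempted groups."""

    def __init__(self, never_divert=()):
        self.diverted = set()
        self.never_divert = set(never_divert)

    def step(self, attacking_groups):
        actions = []
        for grp in sorted(attacking_groups - self.diverted - self.never_divert):
            self.diverted.add(grp)
            actions.append(("divert", grp))
        for grp in sorted(self.diverted - attacking_groups):   # attack ended (claim 10)
            self.diverted.discard(grp)
            actions.append(("restore", grp))
        return actions


def _mk(ts, dst, proto, nbytes, src="198.51.100.7", sport=40000, dport=53):
    return FlowRecord(ts, src, dst, sport, dport, proto, nbytes)


# Constructed baseline (day 0): hour 10 peaks at 500 kB/window, hour 14 at 2 MB/window.
HISTORY = [
    _mk(10 * 3600 + 5, "203.0.113.10", "udp", 300_000),
    _mk(10 * 3600 + 20, "203.0.113.11", "udp", 200_000),   # same /24, same window
    _mk(14 * 3600 + 5, "203.0.113.10", "udp", 2_000_000),
]
# Constructed live traffic (day 1): 800 kB in one window at hour 10 and at hour 14.
LIVE = [
    _mk(86400 + 10 * 3600 + 7, "203.0.113.12", "udp", 800_000),   # above the hour-10 maximum
    _mk(86400 + 14 * 3600 + 7, "203.0.113.12", "udp", 800_000),   # within the hour-14 maximum
]


def run():
    """Build thresholds from HISTORY, detect over LIVE, then divert and later restore."""
    thr = build_thresholds(HISTORY)
    hits = detect(LIVE, thr)
    ctl = DivertController()
    first = ctl.step({grp for grp, _ in hits})   # attack observed -> divert
    second = ctl.step(set())                      # next cycle, attack gone -> restore
    return thr, hits, first, second


if __name__ == "__main__":
    for item in run():
        print(item)
```

The same 800 kB window is an attack at hour 10 and normal at hour 14, which is the point of claims 4 and 5: a single global threshold would either miss the first or flag the second. In practice the baseline should be rebuilt periodically (claim 3) and the window volume fed by a real collector rather than the constructed `HISTORY` and `LIVE` lists.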

Description

Method and Device for Detecting and Defending Against DDoS Attacks

The present invention relates to the field of network security, and in particular to a method for detecting and responding to Distributed Denial of Service (DDoS) attacks.

In network environments such as the Internet, a DDoS attack is an attack in which multiple distributed systems simultaneously send excessive traffic to a target server or network, disrupting the provision of normal services. Such attacks generate massive traffic and exhaust the resources of the target network, causing a denial of service.

As illustrated in FIG. 1, the existing DDoS defense system is installed inside the customer network to monitor traffic and defend against attacks. In the example of FIG. 1, the customer network (300) may include DDoS defense equipment (200), a firewall (30), and customer network equipment (40). In the example illustrated in FIG. 1, the backbone router (10) of the IDC provider and the customer switch (20) may be equipment of the service provider. As illustrated in FIG. 1, since the DDoS defense equipment (200) is included in the customer network (300), DDoS detection required identifying attack patterns through TCP/IP Layer 7 traffic analysis, and large-scale traffic analysis required a large amount of resources. Building a system that analyzes large-scale traffic in real time and blocks attacks therefore requires significant cost and infrastructure, and in practice this structure is difficult to apply to all customers. Furthermore, depending on the network structure, DDoS attacks may go undetected, or efficient traffic diversion paths for defending against attack traffic may not be established. Existing systems concentrate their defense frameworks on specific equipment and are unable to adapt to traffic that fluctuates in real time.

These problems highlight the importance of defending against DDoS attacks from outside the customer network, and efficient traffic analysis and filtering technologies are required to address this. In this regard, Korean Registered Patent No. 10-2575526 discloses a method for detecting distributed denial-of-service attacks using learned historical data.

FIG. 1 is an example diagram of a network configuration for a conventional DDoS defense system. FIG. 2 is an example diagram of a network configuration for a DDoS defense system of one embodiment of the present disclosure. FIG. 3 is a flowchart illustrating a method for responding to a DDoS attack in one embodiment of the present disclosure. FIG. 4 illustrates a brief and general schematic diagram of an exemplary computing environment in which embodiments of the present disclosure may be implemented.

Various embodiments are now described with reference to the drawings. In this specification, various descriptions are provided to provide an understanding of the present disclosure. However, it is evident that these embodiments can be practiced without such specific descriptions.

As used herein, terms such as “component,” “module,” “system,” etc. refer to computer-related entities, hardware, firmware, software, combinations of software and hardware, or executions of software. For example, a component may be, but is not limited to, a procedure executed on a processor, a processor, an object, an execution thread, a program, and/or a computer. For example, both an application executed on a computer device and the computer device itself may be a component. One or more components may reside within a processor and/or an execution thread. A component may be localized within a single computer. A component may be distributed among two or more computers. Additionally, these components may be executed from various computer-readable media having various data structures stored therein. Components may communicate through local and/or remote processes, for example, according to signals having one or more data packets (e.g., data from a component interacting with another component in a local system or distributed system, and/or data transmitted through signals to other systems and networks such as the Internet).

Furthermore, the term "or" is intended to mean an inclusive "or" rather than an exclusive "or." That is, unless otherwise specified or evident from the context, "X uses A or B" is intended to mean any of the natural inclusive permutations. In other words, if X uses A, if X uses B, or if X uses both A and B, "X uses A or B" applies in any of these cases. Additionally, the term "and/or" as used herein should be understood to refer to and include all possible combinations of one or more of the enumerated related items. Additionally, the terms “comprises” and/or “comprising” should be understood to mean that such features and/or components are present. However, the terms “comprises” and/or “comprising” should be understood not to exclude the presence or addition of one or more