Title of invention |
Method and apparatus for defending distributed denial-of-service (DDoS) attack through abnormally terminated session |
Abstract |
There are provided a method and apparatus for defending a Distributed Denial-of-Service (DDoS) attack through abnormally terminated sessions. The DDoS attack defending apparatus includes: a session tracing unit configured to parse collected packets, to extract header information from the collected packets, to trace one or more abnormally terminated sessions corresponding to one of pre-defined abnormally terminated session cases, based on the header information, and then to count the number of the abnormally terminated sessions; and an attack detector configured to compare the number of the abnormally terminated sessions to a predetermined threshold value, and to determine whether a DDoS attack has occurred, according to the results of the comparison. Therefore, it is possible to significantly reduce a false-positive rate of detection of a DDoS attack and the amount of computation for detection of a DDoS attack. |
Publication number |
US8966627(B2) |
Publication date |
2015.02.24 |
Application number |
US201213612749 |
Filing date |
2012.09.12 |
Applicant |
Electronics and Telecommunications Research Institute |
Inventor |
Yoon Seung Yong |
Classification |
G06F21/00;H04L29/06 |
Main classification |
G06F21/00 |
Agency |
|
Agent |
|
Principal claim |
1. A method for defending a Distributed Denial-of-Service (DDoS) attack, the method comprising:
parsing packets collected during sessions between clients and a server to extract header information from the collected packets; tracing a session as an abnormally terminated session when the header information indicates the session corresponds to a pre-defined abnormally terminated session case, the pre-defined abnormally terminated session case including a case where a client transmits a FIN packet to the server and then transmits a Reset packet to the server to terminate a session after a TCP session connection between the client and the server is established and data is completely transmitted between the client and the server; counting a number of sessions traced as abnormally terminated sessions; comparing the number of sessions traced as abnormally terminated sessions to a predetermined threshold value; and determining whether a DDoS attack has occurred based on the comparison. |
Address |
Daejeon KR |
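
The detection flow in claim 1, as an added example that is not taken from the patent or from any implementation by the applicant: a per-session tracer that counts sessions where the client sends FIN and then Reset after the connection was established and data was exchanged, then compares the count to a threshold. The `Pkt` record, the state names, the sample addresses and the "count greater than threshold" comparison are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed header record holding only the fields the tracer reads.
Pkt = namedtuple("Pkt", "src sport dst dport flags payload_len")
SERVER = ("192.0.2.10", 80)  # constructed server endpoint

def trace_abnormal_sessions(packets, server=SERVER):
    """Return client endpoints whose session ended FIN-then-RST after data."""
    state, abnormal = {}, set()
    for p in packets:
        from_client = (p.dst, p.dport) == server
        if not from_client and (p.src, p.sport) != server:
            continue  # not traffic between a client and the tracked server
        key = (p.src, p.sport) if from_client else (p.dst, p.dport)
        flags, st = set(p.flags.split("|")), state.get(key)
        if from_client and flags == {"SYN"}:
            state[key] = "SYN_SENT"
        elif from_client and "RST" in flags:
            if st == "FIN_SENT":      # the pre-defined case in claim 1
                abnormal.add(key)
            state.pop(key, None)      # any client reset ends tracking
        elif st == "SYN_SENT" and not from_client and flags == {"SYN", "ACK"}:
            state[key] = "SYN_ACKED"
        elif st == "SYN_ACKED" and from_client and "ACK" in flags:
            state[key] = "ESTABLISHED"
        elif st == "ESTABLISHED" and p.payload_len > 0:
            state[key] = "DATA_SEEN"  # assumption: any payload counts as data
        elif st == "DATA_SEEN" and from_client and "FIN" in flags:
            state[key] = "FIN_SENT"
    return abnormal

def detect_ddos(packets, threshold):
    """Return (abnormal session count, True if count exceeds threshold)."""
    count = len(trace_abnormal_sessions(packets))
    return count, count > threshold

def session(client_ip, sport, ending):
    """Build constructed header records for one client session."""
    c = (client_ip, sport)
    up = lambda fl, n=0: Pkt(*c, *SERVER, fl, n)
    down = lambda fl, n=0: Pkt(*SERVER, *c, fl, n)
    body = [up("SYN"), down("SYN|ACK"), up("ACK"),
            up("PSH|ACK", 120), down("PSH|ACK", 900)]
    tails = {"fin_rst": [up("FIN|ACK"), up("RST")],
             "normal": [up("FIN|ACK"), down("FIN|ACK"), up("ACK")],
             "rst_only": [up("RST")]}
    return body + tails[ending]

# Constructed sample: 5 FIN-then-RST sessions, 3 normal closes, 1 bare reset.
SAMPLE = [p for i in range(5) for p in session(f"198.51.100.{i+1}", 40000 + i, "fin_rst")]
SAMPLE += [p for i in range(3) for p in session(f"203.0.113.{i+1}", 50000 + i, "normal")]
SAMPLE += session("203.0.113.9", 50009, "rst_only")
```

Only the FIN-then-Reset case named in the claim is counted here; normal four-way closes and resets without a preceding FIN are tracked but not counted.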