Title of invention: Method and apparatus for defending distributed denial-of-service (DDoS) attack through abnormally terminated session
Abstract: There are provided a method and apparatus for defending a Distributed Denial-of-Service (DDoS) attack through abnormally terminated sessions. The DDoS attack defending apparatus includes: a session tracing unit configured to parse collected packets, to extract header information from the collected packets, to trace one or more abnormally terminated sessions corresponding to one of pre-defined abnormally terminated session cases, based on the header information, and then to count the number of the abnormally terminated sessions; and an attack detector configured to compare the number of the abnormally terminated sessions to a predetermined threshold value, and to determine whether a DDoS attack has occurred, according to the results of the comparison. Therefore, it is possible to significantly reduce a false-positive rate of detection of a DDoS attack and the amount of computation for detection of a DDoS attack.
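Publication number: US8966627(B2); Publication date: 2015.02.24
Application number: US201213612749; Application date: 2012.09.12
Applicant: Electronics and Telecommunications Research Institute; Inventor: Yoon Seung Yong
Classification: G06F21/00;H04L29/06; Main classification: G06F21/00
Agency: (blank); Agent: (blank)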
Independent claim: 1. A method for defending a Distributed Denial-of-Service (DDoS) attack, the method comprising: parsing packets collected during sessions between clients and a server to extract header information from the collected packets; tracing a session as an abnormally terminated session when the header information indicates the session corresponds to a pre-defined abnormally terminated session case, the pre-defined abnormally terminated session case including a case where a client transmits a FIN packet to the server and then transmits a Reset packet to the server to terminate a session after a TCP session connection between the client and the server is established and data is completely transmitted between the client and the server; counting a number of sessions traced as abnormally terminated sessions; comparing the number of sessions traced as abnormally terminated sessions to a predetermined threshold value; and determining whether a DDoS attack has occurred based on the comparison.
Address: Daejeon KR
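
The steps of claim 1 (parse headers, trace the FIN-then-Reset case, count, compare to a threshold) can be sketched as a small session tracer. This is an added example, not code from the patent or its applicant; the `Pkt` record, addresses, threshold value, the `>=` comparison, and treating "data completely transmitted" as "payload seen before the client's FIN" are all assumptions.

```python
from collections import namedtuple

# Constructed header record: only the fields the tracer needs.
Pkt = namedtuple("Pkt", "src sport dst dport flags payload_len")
SERVER = ("192.0.2.10", 80)  # assumed protected server (documentation address)
THRESHOLD = 3                # assumed; the claim only says "predetermined"

class SessionTracer:
    """Tracks each client session and counts FIN-then-RST terminations."""
    def __init__(self, server=SERVER):
        self.server, self.state, self.abnormal = server, {}, 0

    def feed(self, p):
        from_client = (p.dst, p.dport) == self.server
        from_server = (p.src, p.sport) == self.server
        if not (from_client or from_server):
            return
        key = (p.src, p.sport) if from_client else (p.dst, p.dport)
        st, f = self.state.get(key), set(p.flags)
        if "R" in f:
            # Client RST after its own FIN, on an established session with data.
            if from_client and st == "FIN":
                self.abnormal += 1
            self.state.pop(key, None)
        elif st is None and from_client and f == {"S"}:
            self.state[key] = "SYN"
        elif st == "SYN" and from_server and {"S", "A"} <= f:
            self.state[key] = "SYNACK"
        elif st == "SYNACK" and from_client and "A" in f:
            self.state[key] = "EST"
        elif st == "EST" and p.payload_len > 0:
            self.state[key] = "DATA"
        elif st == "DATA" and from_client and "F" in f:
            self.state[key] = "FIN"
        elif st == "FIN" and from_server and "F" in f:
            self.state.pop(key)  # orderly close: server answered with its FIN

def detect(packets, threshold=THRESHOLD):
    """Return (abnormal_count, attack_flag) for one batch of headers."""
    tracer = SessionTracer()
    for p in packets:
        tracer.feed(p)
    return tracer.abnormal, tracer.abnormal >= threshold

def session(cport, ending):
    """Build one constructed session ending in 'fin_rst' or 'normal'."""
    c = ("198.51.100.7", cport)
    up = lambda fl, n=0: Pkt(*c, *SERVER, fl, n)
    down = lambda fl, n=0: Pkt(*SERVER, *c, fl, n)
    body = [up("S"), down("SA"), up("A"), up("PA", 120), down("PA", 900), up("FA")]
    tail = [up("R")] if ending == "fin_rst" else [down("A"), down("FA"), up("A")]
    return body + tail
```

The claim does not state a counting window; this sketch counts over whatever batch of headers is passed to `detect`.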