Title of invention: System and method for determining application layer-based slow distributed denial of service (DDoS) attack
Abstract: A technology for defending a Distributed Denial-of-Service (DDoS) attack is provided. A system for determining an application layer-based slow DDoS attack may include a packet collecting unit to collect a packet in a network, a packet parsing unit to extract at least one header field from the collected packet, and a DDoS attack determining unit to determine whether a DDoS attack against the packet is detected, using a session table and a flow table.
Publication number: US8800039(B2) Publication date: 2014.08.05
Application number: US201213572230 Filing date: 2012.08.10
Applicant: Electronics and Telecommunications Research Institute Inventor: Yoon Seung Yong
Classification: G06F21/00 Main classification: G06F21/00
Agency: Agent:
Main claim: 1. A system for determining an application layer-based slow Distributed Denial-of-Service (DDoS) attack, the system comprising: a packet collecting unit to collect a packet in a network; a packet parsing unit to extract at least one header field from the collected packet; and a DDoS attack determining unit to generate a flow table including a plurality of entries, track and manage session information for each entry in the flow table, and determine, using an active session count for an entry, whether an application layer-based slow DDoS attack is detected, the session information for each entry including the active session count, wherein the session information includes an established session count, the session information includes a session trial count, and the DDoS attack determining unit determines whether the application layer-based slow DDoS attack is detected based on variations in a time interval of the session trial count, the established session count, a terminated session count, and the active session count of the entry and based on a comparison of the active session count of the entry to a constant.
Address: Daejeon KR