| 摘要 |
Disclosed are a method and an apparatus for detecting distributed denial of service (DDoS). The method includes the steps of: receiving a data packet; and determining if a packet transmission history for a payload of the data packet exists by comparing the payload of the data packet with information used to identify a payload contained in the packet transmission history, wherein the packet transmission history includes the information used to identify the payload and information of the number of times transmitting the payload. The determining step includes the steps of increasing the number of times transmitting the payload in the packet transmission history if the packet transmission history for the payload of the data packet exists; comparing the increased number of times transmitting the payload with a predetermined threshold value; and determining the data packet as being an abnormal packet if the increased number of times transmitting the payload exceeds the predetermined threshold value in the comparing step. According to the present invention, in DDoS attack, traffic by a normal packet is distinguished from traffic by an abnormal packet resulting from the DDoS attack by using the fact that the same payloads are repeated through a plurality of data packet, so that the reliability of the detection of the DDoS can be improved and the DDoS can be previously detected. [Reference numerals] (310) Receive data packet.; (320) Search for packet transmission history.; (330) Increase the number of times for transmission.; (340) Compare the number of times for transmission with threshold value.; (350) Determination as being abnormal packet.; (360,370) Determination as being normal packet.; (380) Store packet transmission history.; (AA) Start; (BB) Exist x; (CC) Exist o; (DD) The number of times for transmission <= threshold value.; (EE) The number of times for transmission > threshold value.; (FF) End |
