HTTP Get Flooding 기술을 이용한 APT(지능적 지속 위협)공격 도구의 설계와 구현

정태명,천우봉,박원형 한국컴퓨터교육학회 2011 컴퓨터교육학회 논문지 Vol.14 No.6

최근 사이버공격을 보면 전세계 해킹공격 트랜드로 APT 공격이 지속 발생하고 있다. 특히, HTTP Get Flooding 공격은 사이버공격기법 중 가장 효과적인 공격 중 하나이다. 기존의 HTTP Get Flooding 공격 기술에 대해 알아보고 ATP 공격 특성을 결합한 새로운 공격 기술을 제안한다. 본 논문은 HTTP Get Flooding 기술을 이용하여 효과적인 APT 공격 도구 제작 관한 내용이다. 이 공격도구를 통해 지속적인 DDoS 공격에 대한 적극적 방어 대책이 필요하다. As we can see from the recent cyber attack, APT(Advanced Persistent Threat) is trend of hacking attack in the World. Thus, HTTP Get Flooding attack is considered to be one of the most successful attacks in cyber attack method. In this paper, designs and implements new technique for the cyber attack using HTTP get flooding technology. also, I need a defence about DDoS attack through APT Tools.

한(韓),대(臺) 홍수남매혼신화(洪水男妹婚神話)의 서사구조(敍事構造) 고찰(考察)

림추행 ( Chiu Hsing Lin ) 한국비교문학회 2011 比較文學 Vol.55 No.-

This study was conducted in order to: (i) comparison of myth of brother-sister got married in flood myth between Korea and Taiwan for sketching the reason of a human universality origins in flood myth; (ii) we talked about the origin of flood myth of brother-sister who got married were belonged to continental type and island type. Flood myth of in Korea formed reputation to speak under the influence of China, and this study discoursed the process of myth of brother-sister got married which in flowed from China and received by Korea. The myth date back to the minority nationality regions of south west China, and appeared largely in literature from the late Warring States period to the tang dynasty, and then in flowed to Korea during the China-Korea dense exchange. Comparision of myth between in Korea afferented from china and Tang dynasty "YiZhi alone" Since `` myth putted into writing in Japanese colonial era, therefore, the study of aborigins myth became a popular subject and published numerous related literature. Moreover, aborigins showed very high similarity of the content in common subject, but affiliated content showed all ethnic group`s characteristics. In narrative form of flood myth of brother-sister got married, the first half was nearly same between Korea and Taiwan which told about flooding and destroying the world completely. Finally, the only both brother and sister escaped to the high mountain for prolonging human being`s life and they planed to marry. However, the content of last half was entirely different. In Korea, the story content was examined in order to break the taboo against marriage between brother and sister and obtain the proof which agreed by Destiny. However, in Taiwan, brother and sister`s marriage gave birth to unhealthy progeny, and sometimes produced nonhuman animals. Marriage between brother and sister was considered as the consequences of violation of taboo, and had to go through the god of gods help and guidance before healthy children was produced. In summary, this study was conducted to discuss three important parts. First, the function of flooding was the relationship of destruction and regeneration and common elements; however, there was more punishment element in the reason of flooding in aborigins of Taiwan. Second, when flooding came, brother and sister`s survival means was all refuging mountains; however, there was more escape element using mortar on wood in aborigins of Taiwan. Third, according to the matter of brother and sister`s marriage, Korea conducted the experiment for asking godsend using positive attitude, however, Taiwan waited and hoped the conditions which got better under the attitude of believing god-help.

韓ㆍ臺 洪水男妹婚神話의 敍事構造 考察

임추행 한국비교문학회 2011 比較文學 Vol.0 No.55

This study was conducted in order to: (i) comparison of myth of brother-sister got married in flood myth between Korea and Taiwan for sketching the reason of a human universality origins in flood myth; (ii) we talked about the origin of flood myth of brother-sister who got married were belonged to continental type and island type. Flood myth of in Korea formed reputation to speak under the influence of China, and this study discoursed the process of myth of brother-sister got married which in flowed from China and received by Korea. The myth date back to the minority nationality regions of south west China, and appeared largely in literature from the late Warring States period to the tang dynasty, and then in flowed to Korea during the China-Korea dense exchange. Comparision of myth between in Korea afferented from china and Tang dynasty “YiZhi alone” Since ’ myth putted into writing in Japanese colonial era, therefore, the study of aborigins myth became a popular subject and published numerous related literature. Moreover, aborigins showed very high similarity of the content in common subject, but affiliated content showed all ethnic group’s characteristics. In narrative form of flood myth of brother-sister got married, the first half was nearly same between Korea and Taiwan which told about flooding and destroying the world completely. Finally, the only both brother and sister escaped to the high mountain for prolonging human being’s life and they planed to marry. However, the content of last half was entirely different. In Korea, the story content was examined in order to break the taboo against marriage between brother and sister and obtain the proof which agreed by Destiny. However, in Taiwan, brother and sister’s marriage gave birth to unhealthy progeny, and sometimes produced nonhuman animals. Marriage between brother and sister was considered as the consequences of violation of taboo, and had to go through the god of gods help and guidance before healthy children was produced. In summary, this study was conducted to discuss three important parts. First, the function of flooding was the relationship of destruction and regeneration and common elements; however, there was more punishment element in the reason of flooding in aborigins of Taiwan. Second, when flooding came, brother and sister’s survival means was all refuging mountains; however, there was more escape element using mortar on wood in aborigins of Taiwan. Third, according to the matter of brother and sister’s marriage, Korea conducted the experiment for asking godsend using positive attitude, however, Taiwan waited and hoped the conditions which got better under the attitude of believing god-help.

웹페이지 내 인라인 오브젝트 액세스 행위 및 NetFlow 정보를 활용한 HTTP-GET Flood 공격 검출

강구홍(Koo-Hong Kang) 한국컴퓨터정보학회 2016 韓國컴퓨터情報學會論文誌 Vol.21 No.7

Nowadays, distributed denial of service (DDoS) attacks on web sites reward attackers financially or politically because our daily lifes tightly depends on web services such as on-line banking, e-mail, and e-commerce. One of DDoS attacks to web servers is called HTTP-GET flood attack which is becoming more serious. Most existing techniques are running on the application layer because these attack packets use legitimate network protocols and HTTP payloads; that is, network-level intrusion detection systems cannot distinguish legitimate HTTP-GET requests and malicious requests. In this paper, we propose a practical detection technique against HTTP-GET flood attacks, based on the access behavior of inline objects in a webpage using NetFlow data. In particular, our proposed scheme is working on the network layer without any application-specific deep packet inspections. We implement the proposed detection technique and evaluate the ability of attack detection on a simple test environment using NetBot attacker. Moreover, we also show that our approach must be applicable to real field by showing the test profile captured on a well-known e-commerce site. The results show that our technique can detect the HTTP-GET flood attack effectively.

이상 접근 분석을 이용한 GET Flooding DDoS 공격 탐지

김진(Jin Kim),오창석(Chang-Suk Oh) 한국엔터테인먼트산업학회 2013 한국엔터테인먼트산업학회논문지 Vol.7 No.2

최근 나타나고 있는 DDoS 공격의 특징을 보면 소량의 트래픽을 이용하여 특정한 응용 계층 서비스를 마비시키는 형태로 진화하고 있다. 정상적인 TCP 세션 수립 후 DB와 연동되는 웹서버의 dynamic 콘텐츠에 대한 대량의 GET request를 발생시켜 웹서버와 DB서버 간 connection full 및 서버 부하를 유발함으로써 웹서비스를 중단시킨다. 이에 본 논문에서는, 공격 시간 전 후에 수집된 각 IP 탐색트리의 cost 정보를 추출하여 정렬하고, 각 IP별 cost 크기를 비교하여 정상과 공격 모집단으로 구분한다. 각 모집단에서 표본조사를 실시하여 모평균의 신뢰구간을 계산하며 각 신뢰구간에서 임의추출을 통한 상대 도수 분포를 작성한다. 이를 통하여 정상 집단과 이상 집단의 각 IP별로 값을 비교하여 최종 공격을 판단한 후 해당 IP를 차단한다. 제안 시스템은 평균 92.51%로 높은 탐지 성능을 보였으며 GET flooding 형태의 DDoS 공격 탐지에 특화된 것임을 알 수 있다. The characteristic trend of DDoS attacks appeared recently, has evolved into a form paralyzing specific application layer services using small amount of traffic. After establishing a normal TCP session, the attacks cause suspension of the web services by exhaustion of connection resources and maximum load between the web server and DB server occurring a large numner of GET request for the dynamic contents of the web server that interworks with DB server. In the study, cost information in each IP navigation tree is collected and sorted before and after the attack and traffics are divide into normal and attack population by comparing the total cost per each IP address. Calculation of the confidence interval of the mean is performed from a population sample and relative frequency distribution is constructed by randomization in confidence interval. Upon the distribution, the cost of each IP in normal and abnormal group is compared and it is determined whether or not the attack finally. The proposed system showed high detection performance with an average of 92.51%, and verified that it was specialized to DDoS attack detection of GET flooding type.

IP Session Tree를 이용한 GET Flooding 형태의 DDoS 공격 탐지

김진(Jin Kim),오창석(Chang-Suk Oh) 한국정보기술학회 2012 한국정보기술학회논문지 Vol.10 No.8

With the recent advances in web-related technologies, a wide variety of services and business areas are concentrating onto the web and there have been a rapidly increasing number of attacks that use the vulnerabilities of web applications. This results from the openness of web-based services and their complicated systems with a hierarchical structure. Therefore, for effective detection of Get Flooding, a type of DDoS attack, the present paper, attempts to normalize the search rule into a tree structure by tracking links between web pages in a website and collects normal search rule tables by learning to search normal web pages based on the search rule for fast detection. Rule table based on information collected in the normal navigation tools, the pattern of recent attacks were analyzed, and by learning the normal behavior of the system anomaly detection technique is proposed. The proposed system against GET Flooding attacks showed specific detection performance based on accurate and reliable detection was possible to ensure the availability of the target system.

HTTP Cache Control 공격에 대한 고찰

백남균 보안공학연구지원센터(JSE) 2016 보안공학연구논문지 Vol.13 No.6

불특정 다수가 대상인 웹서비스의 경우, 침입 대응을 위한 접근통제 방식의 보안정책 적용의 어려움이 있어, DDoS 공격은 침해영향력에 있어 가장 위협적인 공격방식으로 생각되어 지고 있다. HTTP Cache Control 공격은 Get Flooding 시, HTTP 헤더옵션의 cache control 필드 값 조작으로 웹클라이 언트 cache에 저장된 정보를 사용하지 못하게 하여 웹서버의 불필요한 리소스 소모를 유발하고 궁극적으로 서비스 장애를 일으키는 공격이다. 하지만, 지금까지 알려진 공격논리는 ‘no cache(또는 no store)’ 필드값으로만 개념적으로 설명될 뿐 다른 필드 값 그리고 기술적인 해석 등은 설명되고 있지 않고 있다. 본 논문에서는 HTTP 프로토콜을 준수 여부, 웹서버의 구현 취약점, 공격 영향 정도 다중프로토콜 Flooding 공격 등을 통하여 몇 가지 새로운 사항들을 도출하고 이를 실험을 통하여 검증하고자 한다. 이를 통해, 향후 동일하거나 유사한 공격 발생 시 조금 더 정확하고 효율적인 예방 및 대응에 적극 활용할 수 있기를 기대한다. In the case of web services targeted at an unspecified number of users, it is difficult to apply the security policy of the access control method for the intrusion countermeasure. Therefore, DDoS attacks are considered to be the most threatening attack method in infringement influence. The HTTP Cache Control attack prevents the information stored in the Web client cache from being used by manipulating the value of the cache control field of the HTTP header option, thereby causing unnecessary resource consumption of the Web server. However, the attack logic which has been known so far is conceptually explained only by the ‘no cache(or ’no store’)’ field value, but the other field value and the technical interpretation are not explained. In this study, some new issues are derived through experiments such as compliance with HTTP protocol, implementation vulnerability of web server, and attacks of multiprotocol flooding attacks.

A Novel Application-Layer DDoS Attack Detection A1gorithm based on Client Intention

오진태,박동규,장종수,류재철,Oh, Jin-Tae,Park, Dong-Gue,Jang, Jong-Soo,Ryou, Jea-Cheol Korea Institute of Information Security and Crypto 2011 정보보호학회논문지 Vol.21 No.1

서버의 응용계층에 대한 DDoS 공격은 매우 적은 량의 패킷으로 효과적인 공격이 가능하며, 공격 트래픽이 정상 트래픽과 유사하여 탐지가 매우 어렵다. 하지만 HTTP 응용계층 공격 트래픽에는 사용자 의도에 의한 특성이 있음을 찾았다. 정상 사용자와 DDoS 공격자는 동일하게 TCP 계층에서 세션을 맺는다. 이후 최소 한번의 HTTP Get 요구 패킷을 발생한다. 정상적인 HTTP 요구는 서버의 응답을 기다리지만 공격자는 Get 요청 직후 세션을 종료한다. 이러한 행위는 사용자 의도에 의한 차이로 해석할 수 있다. 본 논문에서는 이러한 차이를 기반으로 응용계층 분산서비스 거부 공격 탐지 알고리즘을 제안하였다. 제안된 알고리즘은 정상 네트워크와 봇 기반 분산서비스거부 공격 툴에서 발생한 트래픽으로 실험되었으며, 거의 오탐 없이 HTTP-Get 공격을 탐지함을 보여 주였다. An application-layer attack can effectively achieve its objective with a small amount of traffic, and detection is difficult because the traffic type is very similar to that of legitimate users. We have discovered a unique characteristic that is produced by a difference in client intention: Both a legitimate user and DDoS attacker establish a session through a 3-way handshake over the TCP/IP layer. After a connection is established, they request at least one HTTP service by a Get request packet. The legitimate HTTP user waits for the server's response. However, an attacker tries to terminate the existing session right after the Get request. These different actions can be interpreted as a difference in client intention. In this paper, we propose a detection algorithm for application layer DDoS attacks based on this difference. The proposed algorithm was simulated using traffic dump files that were taken from normal user networks and Botnet-based attack tools. The test results showed that the algorithm can detect an HTTP-Get flooding attack with almost zero false alarms.

사용자 의도 기반 응용계층 DDoS 공격 탐지 알고리즘

오진태(Jin-tae Oh),박동규(Dong-gue Park),장종수(Jong-soo Jang),류재철(Jeacheol Ryou) 한국정보보호학회 2011 정보보호학회논문지 Vol.21 No.1

서버의 응용계층애 대한 DDoS 공격은 매우 적은 량의 패킷으로 효과적인 공격이 가능하며, 공격 트래픽이 정상 트래픽과 유사하여 탐지가 매우 어렵다. 하지만 HTTP 응용계층 공격 트래픽에는 사용자 의도에 의한 특성이 있음을 찾았다. 정상 사용자와 DDoS 공격자는 동일하게 TCP 계층에서 세션을 맺는다. 이후 최소 한번의 HTTP Get 요구 패킷을 발생한다. 정상적인 HTTP 요구는 서버의 응답을 기다리지만 공격자는 Get 요청 직후 세션을 종료한다. 이러한 행위는 사용자 의도에 의한 차이로 해석할 수 있다. 본 논문에서는 이러한 차이를 기반으로 응용계층 분산서비스 거부 공격 탐지 알고리즘을 재안하였다. 제안된 알고리즘은 정상 네트워크와 봇 기반 분산서비스거부 공격 툴에서 발생한 트래픽으로 실험되었으며, 거의 오탐 없이 HTTP-Get 공격을 탐지함을 보여 주었다. An application-layer attack can effectively achieve its objective with a small amount of traffic, and detection is difficult because the traffic type is very similar to that of legitimate users. We have discovered a unique characteristic that is produced by a difference in client intention: Both a legitimate user and DDoS attacker establish a session through a 3-way handshake over the TCP/IP layer. After a connection is established, they request at least one HTTP service by a Get request packet. The legitimate HlTP user waits for the server's response. However, an attacker tries to terminate the existing session right after the Get request. Thcse different actions can be interpreted as a diffcrence in client intention. In this paper, we propose a detection algorithm for application layer DDoS attacks based on this difference. The proposed algorithm was simulated using traffic dump files that were taken from normal user networks and Botnet-based attack tools. Thc test results showed that the algorithm can detect an HTTP-Get flooding attack with almost zero false alarms.

Content-Length 통제기반 HTTP POST DDoS 공격 대응 방법 분석

이대섭(Dae-seob Lee),원동호(Dong-ho Won) 한국정보보호학회 2012 정보보호학회논문지 Vol.22 No.4

OSI 7계층 DDoS 공격 기법중 하나인 HTTP POST DDoS 공격은 서버의 자원을 고갈시켜 정상적인 서비스를 방해하는 서비스 거부 공격 기법이다. 이 공격은 적은 양의 공격 트래픽만으로도 효과적인 공격이 가능하며 정상적인 TCP 연결을 이용하고 있어 정상적인 사용자 트래픽과 공격 트래픽을 구분하는 것이 어렵다. 본 논문에서는 HTTP POST DDoS 공격에 대한 대응 방안으로 비정상 HTTP POST 트래픽 탐지 알고리즘과 HTTP POST 페이지별 Content-Length 제한기법을 제안한다. 제안한 방안은 HTTP POST 공격도구인 r-u-dead-yet과 자체 개발한 공격 도구를 이용하여 HTTP POST DDoS 공격을 오탐 없이 탐지 대응하였음을 보여주었다. One of the OSI 7 Layer DDoS Attack, HTTP POST DDoS can deny legitimate service by web server resource depletion. This Attack can be executed with less network traffic and legitimate TCP connections. Therefore, It is difficult to distinguish DDoS traffic from legitimate users. In this paper, I propose an anomaly HTTP POST traffic detection algorithm and http each page Content-Length field size limit with defense method for HTTP POST DDoS attack. Proposed method showed the result of detection and countermeasure without false negative and positive to use the r-u-dead-yet of HTTP POST DDoS attack tool and the self-developed attack tool.