A Survey on Defense Mechanism against Distributed Denial of Service (DDoS) Attacks in Control System

Kwon, YooJin Korea Electric Power Corporation 2015 KEPCO Journal on electric power and energy Vol.1 No.1

Denial of Service (DoS) attack is to interfere the normal user from using the information technology services. With a rapid technology improvements in computer and internet environment, small sized DoS attacks targeted to server or network infrastructure have been disabled. Thus, Distributed Denial of Service (DDoS) attacks that utilizes from tens to several thousands of distributed computers as zombie PC appear to have as one of the most challenging threat. In this paper, we categorize the DDoS attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS attacks. Then we propose a comprehensive defense mechanism against DDoS attacks in Control System to detect attacks efficiently.

SSL 디도스 공격 대응 방안에 대한 연구

이상근,김도형,정순기 한국융합보안학회 2021 융합보안 논문지 Vol.21 No.5

디도스 공격은 예전부터 있어 왔었던 고전적인 공격방법으로 기업 인터넷서비스를 마비시키는 가장 쉬운 방법 중에 하나 로 오늘날까지도 지속적으로 이용되어 지고 있다. 지금까지 디도스 공격에 대해서는 많은 분석이 이루어 졌으며 다양한 디도 스 대응 장비들이 출시되어 기업의 인터넷서비스를 디도스로 부터 보호하고 있다. 하지만 데이터 보안의 이유로 인터넷서비스 에 SSL 통신 사용이 대중화되고 있으며 이를 이용한 디도스 공격에 대한 우려도 증가하고 있다. 본 논문에서는 SSL 디도스 공격 사례를 분석하고 이를 기 운영중이었던 디도스 대응 시스템 및 SSL 가속기에서 효과적으로 대응할 수 있는 방안에 대해 제시한다. DDoS attacks are one of the easiest ways to paralyze corporate Internet services as a classic attack method that has existed for a long time, and are still being used today. So far, many analyses have been conducted on DDoS attacks, and various DDoS defense system has been released to protect corporate Internet services from DDoS. However, the use of SSL communication in Internet services is becoming popular for data security reasons, and concerns about DDoS attacks using it are also increasing. In the paper, we analyze cases of SSL DDoS attacks and defense ways to effectively defense to DDoS defense system and SSL accelerator that were previously in operation.

제한된 트래픽 영역에서의 분산 서비스 거부(DDoS) 방어 방법

김홍일(Hong-Il Kim) 한국엔터테인먼트산업학회 2010 한국엔터테인먼트산업학회논문지 Vol.4 No.1

본 논문에서는 중소기업이나 작은 규모의 사이트를 운영하는 단체가 받는 DDoS에 대하여 각 유형별로 구분하였다. 작은 규모의 서버 운영체제로 주로 이용되는 Linux 시스템과 네트워크 장비에서 실질적으로 수행할 수 있는 적절한 DDoS 방어 용 보안 설정을 제시한다. 또한, 거의 대부분의 DDoS 공격이 웹서버를 중심으로 이루어지며, 입력되는 트래픽 량의 증가에 의하여 서비스가 마비되는 것 보다는, 불순한 의도를 가지는 다량의 웹페이지 호출에 웹서버가 여과 없이 응답함에 따라 출력 트래픽의 증가에 의한 서비스 마비되는 것을 방지하기 위하여. 홈페이지 접근 구성을 변경하여 정상적인 사용자가 사용하는 웹서버와는 별개의 외부의 방어용 서버로 트래픽을 유도하는 방법을 제시한다. This paper classified each type of DDoS which is attacked in the small companies or small scale groups. l propose defense security configuration for apposite DDoS in Linux system which usually operate as server operation system in the small groups ,and actually can accomplish in the network device. Also most of DDoS attank consists of certering around web server,for prevention which service is paralyzed by an output traffic increase than servie is paralyzed by increased a rate of inputed traffic as a result of web server respond without filtering web pages callings with interested motives. l advance leading method traffics as another external prevention server differ from webserver which normal users use by changing homepage acess constitution.

DDoS 공격에 대한 분석 및 대응방안

홍성혁 한국디지털정책학회 2014 디지털융복합연구 Vol.12 No.1

정보통신망장애죄에서 장애의 의미 및 예비,음모에 대한 입법론

최호진 ( Ho Jin Choi ),백소연 ( So Yeon Baek ) 단국대학교 법학연구소 2015 법학논총 Vol.39 No.3

In information society where information technology is networked throughout society, the act of causing damage to computer system is a criminal act that can bring about a severe threat on information communication network, not simply a problem of the use of software function. In order to cause interference on the targeting system, attackers go through the structures of many stages from preparing attacks to implementing them, which involves various illegal acts. However, the existing criminal punishments do not reflect the structural characteristics of information communications network interference crime, and merely stipulate the behavior methods and results as elements of a crime; thus they are unable to appropriately regulate the actual criminal acts of information communications network interference. Therefore, by focusing on Distributed Denial of Service (DDoS), one of the most common attack techniques of information communications network interference crime, this research aims to present an analysis of the current criminal rules and problems of applicability, and a plan to increase the efficiency of regulation. To begin with, this research first divided the behavioral forms according to each stage of DDoS process in regards to when criminal standards intervene. Then it discussed the time at which the direct risk of infringement on information communications network-the benefit and protection of this crime? is admitted. Furthermore, in order to clarify the range of actual information communications network interference crime within the scope of criminal protection, this research reviews the meaning of ‘interference,’ which is the standard for classifying the actual and attempted crime. Next, the research discussed the applicability of information communications network interference crime (Information Network Law §48 ③), computer interference with business crime (Criminal Law §314 ②), and property damage crime (Criminal Law §366). Information communications network interference is a concept that includes damage on software and hardware, and it also refers to the cases of being unable to practically use information communications network, using it for other purposes, or deteriorated information processing function. However, when information communications network interference is interpreted by including the use of its function for other purposes and deteriorated function to expand the concept of interference, a problem that the punishment rules of this crime can be applied to a general and legal use of information network is raised. Therefore, in order to maintain the legitimacy of criminal intervention, this paper suggests an interpretation that the concept of interference should be limited to cases in which the integrity and availability of information communications network have been clearly infringed, considering the benefit and protection of this crime. The flaws of punishment for this crime appear when the characteristics of attack technique according to technological development are not considered. Recently, many information and communications network crimes occur in the form of DDoS, which attackers carry out by using remote-control botnets above a certain scale to attack. A botnet is an element that determines interference, the component result of this crime. Considering its development process and completed development, it is necessary to punish a botnet as its illegal purpose and the risk of infringement on information communications network can be admitted. This research presented a criminal legislative theory on botnet, by reviewing whether the components of botnet development fulfills the preparation·conspiracy crime.

인터넷 AS 레벨 토폴로지에서 분산서비스거부 공격 징후 탐지

강구홍(Koohong Kang),이희만(Heeman Lee),김익균(Ikkyun Kim),오진태(Jintae Oh),장종수(Jong Soo Jang) 한국정보과학회 2010 정보과학회논문지 : 정보통신 Vol.37 No.5

각각의 AS 레벨에서 정확한 연결구조를 얻기 위해 들이는 노력에도 불구하고 이들 AS 레벨 인터넷 토폴로지를 이용한 응용 연구들이 매우 드물다. 본 논문에서는 UCLA IRL 연구실이 제공하는 데이터를 이용해 AS 노드의 하위 스트림 AS 분포의 power-laws 특징과 인터넷 라우팅 패스 구조에 가장 중요한 역할을 하는 AS 링크 분포를 살펴 보았다. 또한, 한국과 미국 사이트를 중심으로 (발신지-목적지) 라우팅 홉 수 분포를 조사하고 이들 분포와 BGP 밸리-프리 라우팅 정책 특징을 이용하여 분산서비스거부(DDoS) 공격 시 예상되는 인터넷 트래픽 임의성(randomness)을 근거로 DDoS 공격 징후를 인터넷 AS 레벨에서 발견하는 방법을 제시하였다. Despite lots of efforts to obtain an accurate picture of structure at the level of individual ASes, there is a few application works using the AS-level Internet topology. In this paper, we show that the power-law fits the number of down-stream customer ASes very well and also present the distributions of AS links with the “public view” from UCLA IRL laboratory. Moreover, we obtain the distributions of source-destination pairs of routing hops for two sites in Korea and the United States, and then we propose a new method to decide the randomness of Internet traffic using the obtained distributions and the BGP valley-free routing policy. The randomness of traffic must be a portent of outbreak of the distributed denial-of-service attacks.

DDoS 공격에 대한 효과적인 보안 관제 방안

정일권,김귀남,김점구,하옥현 한국융합보안학회 2009 융합보안 논문지 Vol.9 No.4

DDoS 공격은 외부의 공격자가 일반 사용자들의 PC를 감염시킨 후 감염된 PC에서 특정 웹 사이트 나 서버에 대량의 트래픽을 전송하여 리소스를 고갈시키거나 네트워크 대역폭을 점유함으로써 서비스 를 마비시키는 공격으로, 완벽하게 막는 것이 대단히 어렵다. IDS(Intrusion Detection System:침입 탐지 시스템), IPS(Intrusion Prevention System:침입 방지 시스템), ITS(Intrusion Tolerance System), FW(Firewall) 또는 DDoS 전용 보안 장비 등을 이용하여 DDoS 공격을 막아내거나, 감내하려고 한다. 여러 종류의 보안 장비 비용 문제가 발생하기도 하고, 각 시스템 간의 연계성을 고려하지 않은 설치 로 제 기능을 발휘하지 못하기도 한다. 본 논문에서는 DDoS 공격에 대한 보안 장비의 효과적인 연계 와 대응 방법론을 제시한다. 설계된 방법론을 적용할 경우 기존의 네트워크 구조상에서보다 DDoS 공 격에 대한 차단 및 감내 효율이 실험을 통해 입증되었다. 따라서 차별화된 DDoS 공격을 대응 및 감 내하는 관제 방안을 본 연구를 통해 제시하고자 한다. It is very difficult to completely block the DDoS attack, which paralyzes services by depleting resources or occupying the network bandwidth by transmitting a vast amount of traffic to the specific website or server from normal users' PCs that have been already infected by an outside attacker. In order to defense or endure the DDoS attack, we usually use various solutions such as IDS (Intrusion Detection System), IPS (Intrusion Prevention System), ITS (Intrusion Tolerance System), FW (Firewall), and the dedicated security equipment against DDoS attack. However, diverse types of security appliances cause the cost problem, besides, the full function of the equipments are not performed well owing to the unproper setting without considering connectivity among systems. In this paer, we present the effective connectivity of security equipments and countermeasure methodology against DDoS attack. In practice, it is approved by experimentation that this designed methdology is better than existing network structure in the efficiency of block and endurance. Therefore, we would like to propose the effective security control measures responding and enduring against discriminated DDoS attacks through this research.

정량적인 DDoS 공격 위험도 산출을 위한 연구

백남균 보안공학연구지원센터 2017 보안공학연구논문지 Vol.14 No.6

위험이란 원하지 않은 사건이 발생하여 손실 또는 부정적인 영향을 미칠 가능성을 말하며 DDoS 공격에서는 서비스 지연, 중단 등이 위험에 속할 수 있다. 이러한 위험을 확인하기 위해서는 관련된 모든 요소들이 어떻게 위험도에 영향을 주는지를 분석해야 한다. 이를 통해 보호대상 자산에 비용대비 효과적인 정보보호 대책을 선택하게 함으로써 제공 서비스를 더욱 효과적으로 보호할 수 있다. 이에 본 연구에서는 DDoS 공격에 대한 위험도를 측정하고자 정성적인 방법인 아닌 정량적인 새로운 사항(DDoS 공격에 의한 손실 정도 및 발생 확률)들을 도출하고 이를 위험도 산정에 적용하고자 한다. Risk is the likelihood that an unwanted event will occur, causing loss or adverse effects. Therefore, in a DDoS attack, service delays and interruptions can be at risk. To identify these risks, you need to analyze how all the relevant factors affect the risk. This will enable us to protect our offerings more effectively by selecting cost-effective information protection measures for protected assets. In this paper, to measure the risk of DDoS attack, new quantitative items(Degree of loss due to DDoS attack and probability of occurrence) other than qualitative methods are derived and applied to the risk assessment.

NS-3와 이산 사건 시뮬레이터를 이용한 유연한 DDoS 시뮬레이션에 관한 연구

윤승현,최창범 대한산업공학회 2015 대한산업공학회 춘계학술대회논문집 Vol.2015 No.4

In recent days, the DDoS (Distributed Denial of Service) attack is one of the popular electronic attack method involving multiple computers in order to achieve malicious objectives. In DDoS attack method, distributed computers send repeated HTTP requests or pings to server, so that the server cannot respond to normal requests. In order to predict the DDoS attack or handle the attack, the modeling DDoS attack, and the simulation of the attack is important. In this study, we model the behavior of the slow HTTP Read DoS attack, which is one of the DDoS attack method, by utilizing various simulators. Especially, we use ns-3 network simulator to organize the network topology and discrete event simulator to model the malicious bot and services protocol.

NS-3와 이산 사건 시뮬레이터를 이용한 유연한 DDoS 시뮬레이션에 관한 연구

윤승현,최창범 한국경영과학회 2015 한국경영과학회 학술대회논문집 Vol.2015 No.4

In recent days, the DDoS (Distributed Denial of Service) attack is one of the popular electronic attack method involving multiple computers in order to achieve malicious objectives. In DDoS attack method, distributed computers send repeated HTTP requests or pings to server, so that the server cannot respond to normal requests. In order to predict the DDoS attack or handle the attack, the modeling DDoS attack, and the simulation of the attack is important. In this study, we model the behavior of the slow HTTP Read DoS attack, which is one of the DDoS attack method, by utilizing various simulators. Especially, we use ns-3 network simulator to organize the network topology and discrete event simulator to model the malicious bot and services protocol.