KR20040105355A - Network interface card with function for protecting denial of service attack and distributed denial of service attack and method for protecting denial of service attack and distributed denial of service attack using thereof - Google Patents

Abstract

PURPOSE: A network interface card having DoS(Denial of Service) attack and DDoS(Distributed Denial of Service) attack functions and a method for intercepting DoS and DDoS attacks by using the network interface card are provided to intercept the DoS and DDoS attacks incoming and outgoing outside from a network interface card level, thereby reducing an amount of traffic. CONSTITUTION: A packet processor(33) comprises as follows. A program memory(36) preserves an operating program and attack detecting/preventing programs. An RAM(34) loads various programs from the program memory(36), and stores data. A data processor(35) is mounted with an RTOS(Real Time Operating System) to control the program memory(36) and the RAM(34), and processes the data according to the programs to sense and intercept attacks.

Description

NETWORK INTERFACE CARD WITH FUNCTION FOR PROTECTING DENIAL OF SERVICE ATTACK AND DISTRIBUTED DENIAL OF SERVICE ATTACK AND METHOD FOR PROTECTING DENIAL OF SERVICE ATTACK AND DISTRIBUTED DENIAL OF SERVICE ATTACK USING THEREOF}

The present invention relates to a network interface card having a function of blocking a denial of service attack and a distributed denial of service attack, and a method of preventing a denial of service attack and a distributed denial of service attack using the same, and more particularly, a network interface for connecting a computer system to the Internet network. At the card level, blocking incoming and outgoing Denial of Service (DOS) attacks and Distributed Denial of Service (DDoS) attacks reduces traffic throughout the network without overloading computer systems. The present invention relates to a network interface card having a denial of service attack and a distributed denial of service attack function that can block attacks in the local area as well as a method for preventing a denial of service attack and distributed denial of service attacks using the same.

Denial of Service Attack (“DoS Attack”) is an external attacker who sends excessive data to a specific computer system and the network to which it belongs. An example of a denial of service attack by causing the computer system to refuse to provide a service to a user is to allow one user to monopolize or destroy the resources of a particular system so that other users cannot receive the service of the system. Used.

In addition, a distributed denial of service attack (hereinafter referred to as a "DDoS attack") is a program in which denial-of-service programs that can flood packets to a large number of hosts are distributed to each other to form a target. Degrading the performance of your computer system or network or paralyzing your system.

These DoS and DDoS attacks come in the form of TCP SYN floating attacks, UDP floating attacks, Internet Control Message Protocol (ICMP) echo requesting attacks, and ICMP broadcasting attacks.

This can be further broken down into flooding attacks, attacks based on improper fragmentation of IP packets, and attacks based on inappropriate packet header formats.

1 is a conceptual diagram illustrating a service network in which a DoS attack is generally performed.

As shown here, the DoS agent generates a large amount of packets at the planted computer (attack) 11 to attack the host computer 12, thereby allowing the host computer 12 to properly serve other legitimate users. Denial of service attacks are made by not providing it.

In other words, the equipment connecting the attacker computer 11, to which the DoS agent is planted, to the Internet 13 is called a subscriber access point 14, which is a device for connecting a server not intended for individual users or services to the Internet 13; to be. In addition, a device for connecting the host computer 12 to be attacked to the Internet 13 is called a host connection end 15, which is a device for connecting a server for the purpose of providing a service to the Internet (13).

In general, the subscriber access point 14 and the host access point 15 are edge routers having a routing function, and have information on a group of IP addresses under their control. ), NAS (Network Access System), RAS (Remote Access System).

Such a denial of service attack in the service network is performed by repeatedly sending a synchronization signal for TCP connection to the attack target host computer 12 indefinitely while the attacker computer 11 disguises the IP address. 12) responds to the spoofed IP address for the connection and repeatedly announces that it is ready for access. Therefore, the host computer is overloaded and cannot provide service to the party user.

Thus, in order to prevent such DoS or DDoS attacks, as shown in FIG. 2, a firewall 24 and a network intrusion prevention system (IPS; 25) are installed in the local network 27 where the host computer 22 is located. The attack on the target host computer 22 to be attacked is prevented from the attacker computer 21 connected to (23).

In other words, when an attack occurs from the attacker computer 21, the traffic in the local network 27 is rapidly increased. At this time, the intrusion prevention system 25 blocks the attack by detecting the attack and discarding the attack packets.

However, since the intrusion prevention system 25 is located in the middle of the network, all data transmitted to all the host computers 22 connected to the local network 27 must be processed at the same time. Due to the processing of the packets, there is a problem of deteriorating the network's passability.

In addition, not only the attack by packets moving in the local network 27 is detected but also the master and daemon for the DDoS attack to attack other host computers 22 outside the local network 27. There is a problem in that it does not detect outgoing packets.

On the other hand, the intrusion prevention system 25 may be installed in the host computer 22 so as to process only the traffic delivered to each of them.

However, in order to prevent the intrusion in the host computer as described above, the packet processing from the network is performed by the operating system to detect an attack of the DoS or the DDoS, thereby preventing the intrusion by discarding the abnormal packet. However, there is a problem that the function of the application program of the host computer is significantly degraded as the processing time and operator resources required for the processing of the packet coming from the network in order to prevent intrusion in the operating system of the host computer.

To protect the server from DoS or DDoS attacks like this, it is necessary to solve the problem of processing a large amount of information quickly. However, while network-based intrusion prevention systems (IPSs) partially protect the network, some specific host computers do not protect against DoS or DDoS attacks, and outgoing attacks from host computers inside the network or host computers located within the local network. The host-based intrusion prevention system requires a lot of computing power of the host as a software solution, which significantly degrades the host's original functions such as the server, thus effectively attacking hackers. There is a problem that can not be prevented.

SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and an object of the present invention is to provide a denial of service (DoS) attack that enters or exits from the outside at a network interface card level for connecting a computer system to an Internet network. By denying Distributed Denial of Service (DDoS) attacks, you can reduce the amount of traffic in the entire network without putting a load on the computer system, as well as to prevent attacks in the local area. The present invention provides a network interface card having a denial of service attack blocking function and a method for preventing a denial of service attack and a distributed denial of service attack using the same.

1 is a conceptual diagram illustrating a service network in which a DoS attack is generally performed.

2 is a diagram illustrating a network in which a conventional network intrusion prevention system is installed.

Figure 3 is a block diagram showing a network interface card having a function of denial of service attack and distributed denial of service attacks according to the present invention.

4 is a flowchart illustrating a method of denial of service attack and distributed denial of service attack using a network interface card according to the present invention.

5 is a view for explaining the index matrix array method applied in the present invention.

6 is a view for explaining a memory area preallocation method applied in the present invention.

7 is a flowchart illustrating a method of removing a dormant session applied in the present invention.

-Explanation of symbols for the main parts of the drawings-

30: network 31: network interface card

32: network connection unit 33: packet processing unit

34: RAM 35: data processing unit

36: program memory 37: host computer

A network interface card having a service denial attack and a distributed service denial attack prevention function according to the present invention for realizing the above object includes a network connection unit for receiving a packet from a network or delivering a packet to a network. In the network interface card to be connected, it further comprises a packet processing unit for detecting and blocking DoS and DDoS attacks while interacting with the host computer and the network connection.

From the above, the packet processing unit is equipped with a program memory for storing an operating program and an attack detection and prevention program, a RAM storing data for loading and processing various programs from the program memory, and controlling a program memory and RAM with a real-time operating system. The data processing unit detects and blocks an attack by processing data according to a program.

At this time, the program memory is preferably made of a flash memory.

Therefore, when the power is applied, the operating program and the packet processing and filtering program are loaded into the RAM from the program memory, and the packets received through the network connection are received by the packet processing unit, and the packets are processed by the data processing unit to detect the attack and discard the attack. If not, it not only forwards the received packet to the server, but also receives the packet from the server and discards it when it detects an attack.

In addition, according to the present invention, the method of denial-of-service attack and distributed denial-of-service attack using the network interface card according to the present invention corresponds to the average packet transmission amount from the initial to the predetermined time point of each packet type and the same during the control value period at a certain time point for the input packet. Analyzing the traffic change by analyzing the rate of the type packet transmission; analyzing the traffic change and checking whether the header format of the packet matches the header format according to the denial of service attack and the distributed denial of service attack type; In case of an attack by checking the format, discarding the corresponding packet and receiving a new packet. If the header format is not an attack, a packet whose traffic is rapidly increased according to the analysis result of the traffic change is checked in the current session within the control time range. Flooding by analyzing the ratio between total packet volume and specific type of packet volume It discards the packet when the step and, as a result attack upon detection of a flooding attack to detect and is characterized in that comprising the step of outputting the packet if it is not receiving a new packet attack.

In the step of analyzing the traffic change, if the incoming packet is fragmented after analyzing the traffic change, assembling the fragmented packet, checking the capacity of the packet and the location of the fragmented packet with respect to the assembled packet; The method may further include discarding the packet in which the abnormality occurred and accepting a new packet after performing the inspection.

In addition, in the step of checking the header format, if the incoming packet is a TCP packet and the incoming packet is a TCP packet, the server checks whether the incoming port is allowed, and if the incoming port is not allowed, And discarding the incoming packet and accepting a new packet.

In addition, in the step of analyzing traffic changes, the index is searched and counted by the index matrix array for fast retrieval of the session.

In this case, the index of the index matrix array is characterized in that the index is arranged by dividing the IP address, the server port number, and the client port number in byte units.

In addition, the memory allocated by the index matrix array in the step of analyzing the traffic change is characterized in that the size of the memory area in advance to allocate, delete and reuse in a ring shape.

In addition, in the step of analyzing traffic changes, it is characterized by analyzing the statistics of the flooding attack only for packets that are continuously input in the session refreshed within the control time range by removing the dormant session.

According to the present invention, the network interface card searches for fast sessions through the index matrix arrangement and the memory area pre-allocation method for the packets continuously input in the session refreshed within the control time range for the packets coming in through the network. In addition to analyzing changes and detecting hackers' intrusions during fragmentation of fragmented packets, packet header analysis primarily blocks denial of service attacks and distributed denial of service attacks, prevents unauthorized access to ports, By detecting flooding attacks only for changed sessions, it is possible to prevent denial of service attacks and distributed service denial attacks in a short time.

Hereinafter, exemplary embodiments of the present invention will be described with reference to the accompanying drawings. In addition, the present embodiment is not intended to limit the scope of the present invention, but is presented by way of example only and the same parts as in the conventional configuration using the same reference numerals and names.

Figure 3 is a block diagram showing a network interface card having a function of denial of service attack and distributed denial of service attacks according to the present invention.

As shown here, a network connection part applied to a standard network interface card 31 to be connected to each other between the host computer 37 and the network 30 so as to receive packets from the network 30 or deliver them to the network 30 ( 32 and a packet processor 33 for detecting and blocking DoS and DDoS attacks while interacting with the host computer 37 and the network connection 32.

At this time, the packet processor 33 includes a program memory 36 for storing an operating program and an attack detection and prevention program, a RAM 34 storing various data loaded and processed from the program memory 36, and a real time; An operating system (RTOS; Real Time Operating System) is mounted to control the program memory 36 and the RAM 34 and process the data according to the program consists of a data processor 35 for detecting and blocking an attack.

The program memory 36 is composed of a flash memory so that the stored contents are not erased even when the power is turned off.

Therefore, when the power is applied, the operating program and the packet processing and filtering program are loaded into the RAM from the program memory 36 and the packets received through the network connection unit 32 are received from the packet processing unit 33 to receive the packets from the data processing unit 35. If the attack is detected, it discards it. If the attack is not detected, it not only passes the packet received to the host computer, but also receives the packet from the host computer 37 and discards it if it detects the attack. Transfer to network 30 via 32.

Denial of service attack and distributed service denial using a network interface card according to the present invention shown in Figure 4 a method for blocking DoS attack and DDoS attack using a network interface card having a DoS attack and a DDoS attack blocking function made in this way Referring to the flow chart for sequentially explaining the attack blocking method as follows.

First, a packet entering the host computer 37 from the network 30 or out of the host computer 37 to the network 30 is input through the network connection unit 32 and delivered to the packet processing unit 33. Then, the packet processing unit 33 first obtains statistical values for detecting a sudden increase in network traffic by packet type, i.e., UDP, ICMP, TCP SYN, or the like (S20).

To this end, the average transmission rate As of the TCP SYN packet As and the transmission amount Cs of the same packet during the control value time are extracted from the time when the system starts to run. Then, the traffic variation of TCP SYN packet is analyzed by comparing the Cs value and the As value within a certain error range. As a result, the packet increase amount of the type is determined.

At this time, the control value time and the size of the traffic change allowance value of each packet are automatically determined according to the network type and the packet type.

When analyzing statistical values on these incoming packets, Indexed Matrixes Array is applied to quickly search the entered sessions to count incoming packets according to the sessions. The pre-allocated memory pool is applied to quickly allocate and delete the necessary memory.

In addition, Dormant Session Deleting, which eliminates dormant sessions to reduce throughput and memory allocation, is applied.

First, the above-described index matrix array method (IMA) will be described in detail with reference to FIG. 5 as follows.

The search key for searching the input session is an 8 byte value consisting of an IP address, a server port number, and a client port number. That is, "211.145.233.12:80:20" means that this value is limited to all protocols including the ICMP protocol and the port value is 0 for the ICMP protocol.

In the present invention, the information is searched by the index matrix array method, which is an information index search method that does not require data sorting by key values.

The structure of the search key is broken into 8 bytes each. Each byte is then mapped into a subset of 256 bytes in size with a subset. Each component of the mass consists of a pointer to the next subset. If there is no next subset, it consists of a pointer to "NULL". The subsets form levels, Level 4 points to data 1, and Level 2, the second last, refers to data 2.

In order to detect an attack, for example, the session "211.145.233.12:80:257" would require a new subset Level 8 with a numeric value of 1 at Level 7, which would be a Level with an existing numeric value of 1 It will point to a subset of 7 and data 2.

Therefore, each time a packet is input, the byte array of the key is allocated for each level by the index matrix method, and the session can be quickly searched by directly accessing the data 1 and the data 2 and collecting statistical data.

In addition, a memory area pre-allocation method (Reallocated Memory Pool) that reuses a memory previously allocated for fast allocation and deletion of memory required for data storage will be described with reference to FIG. 6.

This method fixes the size of the used memory to a predetermined size. Pools are indexed subsets whose elements are pointers to fixed-size parts of memory.

For example, if the number of elements in a subset is 6, in Step 1, there is a pool of a fixed size previously defined for the elements. The starting and ending pointers of the blocks being used are zero. In Step 2, a request was made for an unused portion of memory, with an end pointer of 1 and a start pointer of 0. In step 3, memory allocation is done four times, so the end pointer changes from 1 to 5 and the start pointer changes to 1. In Step 4, memory requests and requests are made, the end pointer is 6, and the start pointer is 2. In step 5 the request and release are made, the end pointer is 1 and the start pointer is 3. In Step 6, the memory is released three times, with the end pointer equal to 1 and the start pointer equal to 6. In step 7, the memory allocation is done four times, the end pointer is five, and the start pointer is six.

In this way, the size of the memory area is allocated in advance, and the ring area is allocated, deleted, and reused.

In addition, the method of removing the dormant session will be described with reference to FIG. 7.

There is usually a session start time and end time when the client and host computer communicate. When the first packet is received, the start time of the session is determined. However, the end time of the session may not always be determined. In the case of a TCP connection, the session end time may be determined by the time when the packet containing the FIN or RST flag is received. However, if the connection itself is disconnected, the session end time cannot be determined. For other protocols, there is no way to set a session end time.

Thus, Dormant Session Deleting is based on an analysis of the time of receipt of the last packet of the session, and if the session end time is greater than the predetermined timeout time, the session is removed from the index matrix array. The timeout value is automatically determined by the network type and packet type.

The main part of the present invention is an ordered set of Dormant Sessions Arrays that hold a session pointer of an index matrix array and a data pointer of an index array session. The sort key is determined by the time of receiving the last packet in the session, and is arranged in increasing order so that the oldest session is located at the top of the dormant session array.

Therefore, when packet P ₁ ¹ is received as in (a), a new session is created and the time S _L1 ¹ is received in data 1 ₁ . The structure with key S _L1 ¹ is added to the dormant session array.

And, as shown in (b), when a packet P ₂ ¹ is received, a new session is created, and a structure with a key S _L2 ¹ is added to the dormant session array, storing the time S _L2 ¹ received the packet in data 1 ₂ .

If the packet P ₁ ² is received again as shown in (C), the session already exists, so the time S _L1 ¹ of the data 1 ₁ is changed to the time S _L1 ² of the packet P ₁ ² while S _L1 ¹ remains in the dormant session array. It remains and becomes the first component of the dormant session array as before.

In this way, each time a packet is received, the dormant session array is reviewed once. Then, the difference between the current time and the time of receiving the last packet of the session is calculated and the value is compared with the timeout time.

When the packet P ₁ ² is received, if the session has not been refreshed, it is compared with S _L1 ² of the data 1 ₁ and the first component of the dormant session array as shown in (c). As a result, since the two elements are different, the key of data 1 ₁ changes to S _L1 ² , the time S _L1 ^{1, which} is the first component of the dormant session array, is removed and S _L2 ¹ becomes the first component. As the structure with the key S _L1 ² is added, a new sort is performed on the dormant session array.

However, if the session has not been refreshed during the timeout period, the pointer removes the first component of the session and dormant session arrays in the index matrix that point to the first component of the dormant session array, and the second component sorts new with the first component. This is done.

In other words, a session that is not refreshed during the timeout period cannot be determined to be an attack as a dormant session, and the session is removed from the index matrix array because the packet processing for attack detection is not necessary.

By using the dormant session elimination method, statistics for flooding attacks are collected only for packets that are continuously input in the session refreshed within the timeout time range, thereby reducing the time and memory for attack detection.

After collecting the statistical value in the above manner, if the input packet is a fragmented IP packet (S30), the packet is stored in the RAM 34 for the packet and the assembly process is performed to perform fragmented packet processing (S40). At this time, if an inappropriately fragmented IP packet is found after assembling the packet or the capacity of the packet is different or the fragmented packet is different (S50), the packet is discarded (S110). That is, the packet is discarded because the server can be paralyzed by changing the location of the fragmented packet or a change in capacity due to a hacker attack. In addition, a new packet is input and the packet processing is repeated (S10).

In this case, after assembling the fragmented IP packet, if no abnormality is found or the received packet is a packet that is not fragmented, the header is analyzed (S60).

That is, when an attack is detected by comparing with a list of headers according to the attack type of DoS or DDoS, the corresponding packet is discarded (S110) and a new packet is input to repeat the packet processing (S10).

However, if an attack is not detected, it checks whether the packet is a TCP packet, and, in the case of the TCP packet, monitors attempts to accept the packet to an illegal port (S70). That is, the host computer 37 receives the ports allowed by the server administrator and the ports in the standby mode (Listen mode) to make a list.

Therefore, when a packet coming into the host computer 37 is denied to the port, the packet is discarded (S110) and a new packet is input to repeat the packet processing (S10).

In this way, it not only prevents the flow of data by "Trojan" virus or "backdoor", but also protects the server and ultimately protects the server from DoS and DDoS attacks such as flooding attacks.

Then, as a result of analyzing the traffic variation, in the case of the packet whose traffic variation is more than the allowable value, the ratio of the packet amount of the type currently being processed and the total packet quantity in the session in which the traffic variation has rapidly increased is analyzed (S80). At this time, the packet of the type being processed is analyzed only for the packet amount continuously coming in within a predetermined time interval value. The ratio of the amount of the packet currently being processed and the total amount of time in the associated session and the size of the time interval value are automatically determined according to the network type and the packet type.

At this time, if an attack is detected (S90), the related packet is discarded (S110) and a new packet is received and the packet processing is repeated (S10).

If the attack is not detected through the packet analysis as described above, the packet is passed to the host computer 37, and a new packet is received and the packet processing is repeated (S10).

On the other hand, if an attack is not detected through the same process for the packet going from the host computer 37 to the network 30, the packet is passed to the network 30, and a new packet is input and the packet processing is repeated. .

As described above, the present invention puts a heavy load on the computer system by blocking a denial of service (DoS) attack and a distributed denial of service (DDoS) attack at the network interface card level for connecting the computer system to the Internet. There is an advantage that can reduce the amount of traffic throughout the network without having to.

It also has the advantage that it can also block attacks from host computers in the local network area.

On the other hand, since most host computers that are serviced on the Internet are serviced at the end of the network, in addition to blocking attacks in the network-based intrusion prevention system, the attacks are blocked at the network interface card level of the host computer. As a result, there is an advantage that can further increase the effect of blocking the attack.

Claims (10)

A network interface card having a denial of service attack and a distributed denial of service attack blocking function includes a network interface for receiving a packet from a network or forwarding a packet to a network. Packet processing unit for detecting and blocking DoS and DDoS attacks while interacting with the host computer and the network connection unit Network interface card having a denial of service attack and distributed denial of service attacks, characterized in that further comprises a. The method of claim 1, wherein the packet processing unit Program memory for storing operating programs and attack detection and prevention programs; RAM in which various programs are loaded and processed from the program memory; Data processing unit equipped with a real-time operating system to control the program memory and the RAM and to process the data according to the program to detect and block the attack Network interface card having a denial of service attack and distributed denial of service attacks, characterized in that consisting of. 3. The network interface card of claim 2, wherein the program memory comprises a flash memory. Analyzing the traffic change by the ratio analysis of the average packet transmission amount from the initial packet type by packet type to the predetermined time point and the same type packet transmission amount during the control value time interval at a certain time point, Analyzing the traffic change and checking whether the header format of the packet matches the header format according to the denial of service attack and the distributed denial of service attack type; Inspecting the header format and discarding the corresponding packet in case of an attack and receiving a new packet; If the header format is not an attack, the flooding attack is detected by analyzing the ratio of the total packet amount and the specific type of packet amount in the current session within the control time range for the packet whose traffic increased rapidly according to the analysis result of the traffic change. To do that, Discarding the packet in case of an attack as a result of detecting the flooding attack and receiving a new packet and outputting the packet if the attack is not an attack Method for blocking service denial attack and distributed service denial attack using a network interface card, characterized in that consisting of. The method of claim 4, further comprising: assembling the fragmented packet when the incoming packet is fragmented after analyzing the traffic change in analyzing the traffic change; Checking the capacity of the packet and the location of the fragmented packet with respect to the assembled packet; A method for preventing a denial of service attack and a distributed denial of service attack using a network interface card, characterized in that the method further comprises the step of discarding a packet in which an abnormality occurs after the inspection and accepting a new packet. The method as claimed in claim 4, further comprising: checking whether the incoming packet is a TCP packet when the incoming packet is a TCP packet after checking the header format; Checking the port and discarding the incoming packet and accepting a new packet when the port is entered. Service denial attack and distributed service denial attack blocking method using a network interface card, characterized in that further comprising. 5. The denial of service attack and distributed denial of service attack using a network interface card according to claim 4, wherein in the step of analyzing the traffic change, the index is searched and counted by the index matrix array for fast retrieval of the session. How to block. 8. The denial of service attack using a network interface card according to claim 7, wherein the index of the index matrix array is indexed by dividing the IP address, the server port number, and the client port number in byte units. How to block distributed denial of service attacks. 5. The network interface card according to claim 4, wherein the memory allocated by the index matrix array in the analyzing of the traffic change is allocated in advance by allocating the size of the memory area, and allocating and deleting the network interface card. How to block denial of service attacks and distributed denial of service attacks. 5. The network interface of claim 4, wherein, in the analyzing of the traffic change, the statistics of flooding attacks are analyzed only for packets continuously input in a session refreshed within a control time range by removing a dormant session. How to block denial of service attacks and distributed denial of service attacks using cards.