Recent years most of enterprises use IPS(Intrusion Prevention System) or IDS(Intrusion Detection System) including firewalls in order to protect their own important information and to improve service availabilities for customers. Although these systems are able to react to various attacks effectively, it is very difficult to respond DDoS (Distributed Denial of Service) attacks, which damages the service availability. The conventional defense systems implement detections of attacking traffics for such DDoS attacks and respond to the attacks. However, many cases of the systems attacked by DDoS have already got out of providing customer services any more because the DDoS attacks generate attacking traffics for dozens of Gbps.
That is, it is not possible to ensure enough times to defense such attacks because the conventional systems respond to attacks after detecting corresponding attacks as DDoS attacks occur.
Thus, the objective of this study is to solve the issue of responding time in the conventional systems through bringing the detection time of attacks forward as the time of prediction. The method proposed in this study implements a user authentication process using trace route information in order to control user accesses. Then, a DDoS attack detection model is designed by analyzing instantaneous and mean rate of changes in user traffics in which the analysis result is applied to a prediction method. In addition, this model is to consider a packet analysis process in order to implement possible responses for different situations under DDoS attacks while detections are applied using such a prediction method. Then, a design is proposed to response to the results through identifying normal and general overload traffics, and warm/virus data. Moreover, the service stability and availability in normally accessed users are improved by designing a responding method for the warm/virus data detected during a packet analysis process.
The simulation and experiment implemented in this study are verified before applying the design to practical uses. The simulation is performed by considering a general case that the design is applied to an ethernet environment. The performance of the proposed model is examined and verified. Also, the simulation and experiment results are compared and analyzed. The results reveal that the proposed model in this study is superior to DDoS attacks under the conventional firewalls and IDS/IPS. In addition, it is recognized that the proposed model can easily be used to the conventional defense system based on the simulation results.