
KR20110027386A - Apparatus, system and method for protecting malicious packets transmitted outside from user terminal - Google Patents


Info

Publication number
KR20110027386A
Authority
KR
South Korea
Prior art keywords
packet
threshold
harmful
tcp
fragment
Application number
KR1020090085455A
Other languages
Korean (ko)
Inventor
노철희
Original Assignee
모젠소프트 (주)
Application filed by 모젠소프트 (주)
Priority to KR1020090085455A
Publication of KR20110027386A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An apparatus, system, and method are provided for blocking harmful packets outgoing from a user terminal.

An apparatus for blocking harmful packets outgoing from a user terminal according to an embodiment of the present invention comprises: modulation determination means for determining whether the source Internet protocol address of a packet outgoing from the user terminal has been forged; and packet blocking means for blocking the packet when the modulation determination means determines that the source Internet protocol address has been forged.

Description

Apparatus, system and method for protecting malicious packets transmitted outside from user terminal

The present invention relates to an apparatus, a system, and a method for blocking harmful packets outgoing from a user terminal. More particularly, it relates to an apparatus, system and method that determine whether the source IP address of a packet outgoing from the user terminal has been forged, block the packet if it has, and otherwise check the protocol of the unforged packet to determine, per protocol, whether the packet is harmful.

A denial of service attack (DoS attack) is an attack in which an external attacker sends excessive data to a specific computer system and the network to which it belongs, causing the system to refuse service to its users.

A distributed denial of service attack (DDoS attack) uses a distributed DoS program to flood the target with packets from a large number of hosts, degrading the performance of, or paralyzing, the target computer system or network.

DoS and DDoS attacks are divided into TCP SYN flooding attacks, UDP flooding attacks, Internet Control Message Protocol (ICMP) echo request attacks and ICMP broadcast attacks. They can be further divided into flooding attacks, attacks based on improper fragmentation of IP packets, and attacks based on malformed packet headers.

In general, in a DoS attack a DoS agent planted by the attacker generates a large volume of packets against the target host, so that the host can no longer provide its services to legitimate users; this is how the denial of service is produced.

In one form of such an attack, the attacker's computer spoofs its IP address and repeatedly sends an unlimited number of TCP connection synchronization requests to the target host. The host, repeatedly answering that a connection is ready, becomes overloaded and can no longer provide service to its users.

However, existing DoS and DDoS defense technology was developed to block attacks coming from outside into an internal server or the victim network, and IPS systems likewise defend at the network boundary to block worm traffic. Such systems cannot deal effectively with the situation in which a large number of zombies are mass-produced by worm or bot program infection through various paths and an attack is launched from each zombie PC.

From the gateway security standpoint, DoS or DDoS attacks and worm propagation by internal users using forged IP addresses cannot be detected and blocked, which makes it difficult to secure the stability of the internal network. It is likewise difficult to stop a zombie PC on the internal network from operating with a forged IP address.

From the standpoint of the security of the user's PC, first, an existing anti-virus (vaccine) program is developed by analyzing the activity history after a DDoS or worm attack; it is a remedy applied after the attack has occurred and does not limit or prevent DoS/DDoS or worm activity in advance. Second, an existing PC firewall allows unlimited outbound access to web services from the user PC, so it cannot distinguish a zombie PC participating in a DoS/DDoS attack.

Therefore, one problem to be solved by the present invention is to provide an apparatus, system and method for blocking harmful packets outgoing from a user terminal, which overcome the limitations of existing anti-virus programs and gateway-level defense by blocking, at the user PC itself, the packets with which the PC would join a DoS/DDoS or worm attack.

Another problem to be solved by the present invention is to provide an apparatus, system and method for blocking harmful packets outgoing from a user terminal that can detect and block the spread of harmful traffic by which an already infected PC, through its self-replicating function, infects other computers or computer systems on the internal network.

Problems to be solved by the present invention are not limited to the above-mentioned problems, and other problems not mentioned will be clearly understood by those skilled in the art from the following description.

An apparatus for blocking harmful packets outgoing from a user terminal according to an embodiment of the present invention comprises: modulation determination means for determining whether the source Internet protocol address of a packet outgoing from the user terminal has been forged; and packet blocking means for blocking the packet when the modulation determination means determines that the source Internet protocol address has been forged.

A system for blocking harmful packets outgoing from a user terminal according to another embodiment of the present invention comprises: a user terminal provided with a harmful packet blocking device that determines whether the source Internet protocol address of an outgoing packet has been forged, blocks the packet if so, and blocks harmful packets according to a comparison of the number of unforged packets transmitted with a threshold; a central management server that manages the harmful packet blocking devices installed in a plurality of user terminals, sets the security policy of each user terminal and collects its log information; and a log storage database that stores the collected log information and calculates statistics from it.

A method for blocking harmful packets outgoing from a user terminal according to another embodiment of the present invention comprises: determining whether the source Internet protocol address of a packet outgoing from the user terminal has been forged; and blocking the packet if the determination finds that the source Internet protocol address has been forged.

Specific details of other embodiments are included in the detailed description and the drawings.

The apparatus, system and method for blocking harmful packets outgoing from a user terminal according to the embodiments of the present invention have one or more of the following effects.

First, by overcoming the limitations of existing anti-virus programs and gateway-level defense, DoS/DDoS or worm attacks can be blocked at the user's PC.

Second, the spread of harmful traffic by which an already infected PC uses its self-replicating function to infect other computers or computer systems on the internal network can be detected and blocked.

The effects of the present invention are not limited to the above-mentioned effects, and other effects not mentioned will be clearly understood by those skilled in the art from the description of the claims.

Advantages and features of the present invention, and methods for achieving them, will become apparent from the embodiments described below in detail with reference to the accompanying drawings. However, the present invention is not limited to the embodiments disclosed below and may be implemented in various different forms; the embodiments are provided only so that this disclosure is complete and fully informs those of ordinary skill in the art of the scope of the invention, which is defined only by the claims. Like reference numerals refer to like elements throughout.

The terminology used herein is for describing particular embodiments only and is not intended to limit the invention. In this specification the singular includes the plural unless otherwise specified. As used herein, "comprises" and/or "comprising" do not exclude the presence or addition of one or more other components, steps, operations and/or elements. Unless otherwise defined, all terms (including technical and scientific terms) used in this specification have the meaning commonly understood by those skilled in the art, and terms defined in commonly used dictionaries are not to be interpreted ideally or excessively unless expressly so defined.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings in order to describe the present invention in more detail.

FIG. 1 is a view showing the overall configuration of a system for blocking harmful packets outgoing from the user terminal according to an embodiment of the present invention.

Referring to FIG. 1, the system includes a user terminal 100, a central management server 200, a management console 300, and a log storage database 400.

The user terminal 100 is a terminal equipped with a harmful packet blocking device according to an embodiment of the present invention. It may be any computer device connected to a network, such as a personal computer at the edge of the network or a server inside the network, and it does not matter whether the connection is wired or wireless.

In the present invention, the user terminal 100 equipped with the harmful packet blocking device detects whether the source IP (Internet Protocol) address of each packet leaving for the outside has been forged, blocks a forged packet without sending it out, and, when the number of unforged packets transmitted exceeds a predetermined threshold, treats the unforged packets as harmful traffic and blocks them. The configuration and role of the harmful packet blocking device in the user terminal 100 are described with reference to FIG. 2.

In addition, the user terminal 100 monitors its own network activity and reports it to the central management server 200, guarantees normal connections for the transmission of unforged packets, and can send its security audit records to the central management server 200.

The central management server 200 manages the harmful packet blocking apparatus installed in the user terminal 100 described above, sets and controls the security policy of the user terminal 100, and can generate statistics by collecting the log information of each user terminal 100. It can also monitor the security status of each user terminal 100 in real time to generate a per-terminal report, and analyze the activity of harmful traffic such as DDoS or worm viruses by period to generate periodic reports.

In addition, the central management server 200 calculates activity statistics for packets whose source IP address was forged and for packets determined to be harmful, and, if analysis of those statistics indicates a dangerous condition, can notify the user terminal 100 in real time.

The management console 300 is a device for accessing the central management server 200 and serves to establish the policy of the harmful packet blocking device installed in the user terminal 100.

The log storage database 400 stores log information of the user terminal 100 collected by the central management server 200 and calculates statistics using the stored log information.

FIG. 2 is a view showing the configuration of a device for blocking harmful packets outgoing from the user terminal according to an embodiment of the present invention.

Referring to FIG. 2, the apparatus for blocking harmful packets comprises modulation determining means 110, protocol checking means 120, harmfulness determining means 130, packet blocking means 140, packet transmitting means 150 and control means 160.

The modulation determining means 110 determines whether the source IP address of a packet leaving the user terminal 100 has been forged. How this is determined is described with reference to FIG. 5.

FIG. 5 is a diagram illustrating the principle of determining whether the source IP address of a packet sent from the user terminal has been forged, according to an embodiment of the present invention. As shown in FIG. 5, the header area of a packet outgoing from the user terminal carries the source IP address, source port number, destination IP address and destination port number. The source IP address is compared with the IP address configured on the user terminal (192.168.2.7 in FIG. 5), and if the two differ the address is judged to have been forged.

Since most harmful traffic generated during a DDoS attack or worm propagation forges the source IP address, detecting and blocking packets whose source IP address has been tampered with is very important in the initial response to a DDoS attack or worm outbreak.
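The comparison that FIG. 5 describes, written out as an added example (not code from the patent or its assignee): the IPv4 header of an outgoing packet is parsed according to RFC 791 and its source address is checked against the set of addresses configured on the terminal. The packet builder, the 203.0.113.10 destination and the 10.99.0.1 forged source are constructed sample values; 192.168.2.7 is the terminal address from FIG. 5. A set of local addresses is used rather than a single one so that a multi-homed host does not block its own legitimate traffic.

```python
import ipaddress
import struct

# Added example: egress source-IP consistency check (the "modulation
# determination" of FIG. 5). Header layout per RFC 791; names are assumptions.

def parse_ipv4_header(packet: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header and return the fields used here."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return {
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "proto": proto,                              # 1 ICMP, 6 TCP, 17 UDP
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),  # MF flag
        "frag_offset": flags_frag & 0x1FFF,           # in 8-byte units
        "header_len": ihl,
    }

def source_is_forged(packet: bytes, local_addrs) -> bool:
    """True when the packet's source address is not one configured on this host."""
    hdr = parse_ipv4_header(packet)
    return hdr["src"] not in {ipaddress.IPv4Address(a) for a in local_addrs}

def build_ipv4(src: str, dst: str, proto: int = 17,
               payload: bytes = b"", flags_frag: int = 0) -> bytes:
    """Construct a minimal IPv4 packet for the samples (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

TERMINAL_ADDRS = ["192.168.2.7"]   # address configured on the terminal (FIG. 5)

# Constructed sample packets: one with the terminal's own address, one forged.
LEGIT = build_ipv4("192.168.2.7", "203.0.113.10")
SPOOFED = build_ipv4("10.99.0.1", "203.0.113.10")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("spoofed", SPOOFED)):
        verdict = "BLOCK" if source_is_forged(pkt, TERMINAL_ADDRS) else "PASS"
        print(f"{name}: src={parse_ipv4_header(pkt)['src']} -> {verdict}")
```

Packets with a version other than 4 or a truncated header are rejected by the parser rather than silently passed, so a malformed packet never reaches the comparison with an undefined source field.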

Referring back to FIG. 2, if the modulation determining means 110 finds that the source IP address has not been forged, the protocol checking means 120 checks the protocol of the packet.

The harmfulness determining means 130 determines, for each protocol identified by the protocol checking means 120, whether the packet is harmful.

Referring to FIG. 3, which shows the configuration of the harmfulness determining means, the harmfulness determining means 130 comprises threshold-exceeding determination means 131 and fragment inspection means 132.

The threshold-exceeding determination means 131 determines whether the number of packets transmitted per minute from the user terminal exceeds a threshold; if it does, the packet is judged harmful, and if the count is at or below the threshold the packet is not judged harmful on this criterion. The threshold may be set from a policy downloaded from the central management server 200 for communication in the protocol identified by the protocol checking means 120.

When the threshold-exceeding determination means 131 finds the count at or below the threshold, the fragment inspection means 132 inspects the fragmentation of the packet to detect a fragment attack. If a fragment attack is present the packet is judged harmful; otherwise the packet is judged not harmful.

The determination made by the harmfulness determining means 130 is now described in more detail for each protocol.

First, when the protocol checking means 120 finds that the packet outgoing from the user terminal 100 is a UDP (User Datagram Protocol) packet, the threshold-exceeding determination means 131 determines whether the number of UDP packets transmitted per minute exceeds the UDP threshold, and judges the UDP packet harmful if it does. The UDP threshold may be set from a policy for UDP communication downloaded from the central management server 200.

When the threshold-exceeding determination means 131 finds the count at or below the UDP threshold, the fragment inspection means 132 inspects the fragmentation of the UDP packet and judges the UDP packet harmful if a fragment attack is present and not harmful otherwise.

Second, when the protocol checking means 120 finds that the packet outgoing from the user terminal 100 is a TCP packet, the threshold-exceeding determination means 131 determines whether the number of TCP Syn/Ack packets transmitted per minute exceeds the TCP Syn/Ack threshold, and judges the TCP Syn/Ack packet harmful if it does. If the count is at or below the TCP Syn/Ack threshold, it determines whether the number of TCP Get packets transmitted per minute exceeds the TCP Get threshold, and judges the TCP Get packet harmful if it does. If the count is at or below the TCP Get threshold, it determines whether the number of TCP RST/FIN packets transmitted per minute exceeds the TCP RST/FIN threshold, and judges the TCP RST/FIN packet harmful if it does.

When the threshold-exceeding determination means 131 finds the count at or below the TCP RST/FIN threshold, the fragment inspection means 132 inspects the fragmentation of the TCP RST/FIN packet and judges the packet harmful if a fragment attack is present and not harmful otherwise.

Third, when the protocol checking means 120 finds that the packet outgoing from the user terminal 100 is an ICMP (Internet Control Message Protocol) packet, the threshold-exceeding determination means 131 determines whether the number of ICMP packets transmitted per minute exceeds the ICMP threshold, and judges the ICMP packet harmful if it does. The ICMP threshold may be set from a policy for ICMP communication downloaded from the central management server 200.

When the threshold-exceeding determination means 131 finds the count at or below the ICMP threshold, the fragment inspection means 132 inspects the fragmentation of the ICMP packet and judges the ICMP packet harmful if a fragment attack is present and not harmful otherwise.

Referring back to FIG. 2, the packet blocking means 140 blocks the packet when the modulation determining means 110 finds that the source IP address has been forged, or when the harmfulness determining means 130 judges the packet harmful.

If the harmfulness determining means 130 judges the packet not harmful, the packet transmitting means 150 transmits the packet to the outside.

The control means 160 controls each of the above means and relays signals so that they interact with one another.

FIG. 4 is a view showing the overall flow of a method for blocking harmful packets outgoing from the user terminal according to an embodiment of the present invention.

First, it is determined whether the source IP address of the packet outgoing from the user terminal 100 has been forged (S110).

If it has been forged, the packet is blocked (S170). If it has not, the protocol of the packet is checked so that harmfulness can be determined per protocol (S120).

The packet protocols are broadly classified into three types: UDP, TCP and ICMP.

First, when the packet is a UDP (User Datagram Protocol) packet, it is determined whether the number of UDP packets transmitted per minute exceeds the UDP threshold (S132). If it does, the UDP packet is judged harmful and blocked (S170). If the count is at or below the UDP threshold, the fragmentation of the UDP packet is inspected to detect a fragment attack (S134). If a fragment attack is present, the UDP packet is judged harmful and blocked (S170); if not, it is judged not harmful and transmitted to the outside (S160).

Second, if the packet is a TCP packet, it is determined whether the number of TCP Syn/Ack packets transmitted per minute exceeds the TCP Syn/Ack threshold (S142). In the normal TCP Syn/Ack exchange shown in FIG. 6A, the user PC and the server confirm each other's response to establish a TCP connection and then communicate safely through the subsequent connection steps. In the abnormal exchange shown in FIG. 6B, connection attempts are repeated against the victim server in large volume, exhausting its connection queue.

Such a Syn/Ack attack, a large number of one-directional connection attempts, can be blocked on the basis of the threshold policy downloaded from the central management server 200. That is, if the TCP Syn/Ack threshold is exceeded, the TCP Syn/Ack packet is judged harmful and blocked (S170). If the count is at or below the TCP Syn/Ack threshold, it is determined whether the number of TCP Get packets transmitted per minute exceeds the TCP Get threshold (S144).

In the normal TCP Get exchange shown in FIG. 7A, the user PC and the server confirm each other's response and then communicate safely through the subsequent connection steps. In the abnormal exchange shown in FIG. 7B, the victim's resources are depleted by data requests issued repeatedly after the connection attempt, without going through the response confirmation process.

The Get flooding attack, a large-volume data request attack that loads the server, can be blocked on the basis of the threshold policy for Get packets downloaded from the central management server 200. That is, if the TCP Get threshold is exceeded, the TCP Get packet is judged harmful and blocked (S170). If the count is at or below the TCP Get threshold, it is determined whether the number of TCP RST/FIN packets transmitted per minute exceeds the TCP RST/FIN threshold (S146).

If the TCP RST/FIN threshold is exceeded, the TCP RST/FIN packet is judged harmful and blocked (S170). If the count is at or below the TCP RST/FIN threshold, the fragmentation of the TCP RST/FIN packet is inspected to detect a fragment attack (S148). If a fragment attack is present, the TCP RST/FIN packet is judged harmful and blocked (S170); if not, it is judged not harmful and transmitted to the outside (S160).

Third, if the packet is an Internet Control Message Protocol (ICMP) packet, it is determined whether the number of ICMP packets transmitted per minute exceeds the ICMP threshold (S152). If it does, the ICMP packet is judged harmful and blocked (S170). If the count is at or below the ICMP threshold, the fragmentation of the ICMP packet is inspected to detect a fragment attack (S154). If a fragment attack is present, the ICMP packet is judged harmful and blocked (S170); if not, it is judged not harmful and transmitted to the outside (S160).
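The per-protocol decision of steps S120 to S160, as well as the description of the threshold-exceeding determination means 131 and fragment inspection means 132 above, written out as an added example (not code from the patent or its assignee). It keeps the patent's order of checks: per-minute counts for UDP, TCP Syn/Ack, TCP Get, TCP RST/FIN and ICMP against thresholds from a policy, then a fragment inspection for packets that stayed under the thresholds. The threshold values, the field names and the `PacketInfo` record (assumed to be filled in by a header parser) are assumptions. The patent does not define what a "fragment attack" is, so the heuristic here is also an assumption: a first fragment too small to hold a transport header, or a fragment whose offset plus length would reassemble past the 64 KiB IPv4 limit.

```python
from collections import deque
from dataclasses import dataclass

# Added example: harmfulness determination per protocol after the source-IP
# check has passed. All names and threshold values are assumptions.

@dataclass
class PacketInfo:
    proto: str                 # "UDP", "TCP" or "ICMP"
    tcp_kind: str = ""         # for TCP: "SYNACK", "GET" or "RSTFIN"; "" otherwise
    fragmented: bool = False
    more_fragments: bool = False
    frag_offset: int = 0       # in 8-byte units, as carried in the IPv4 header
    ip_total_len: int = 0      # IPv4 total length in bytes

@dataclass
class Policy:
    """Packets per minute; values assumed for illustration (downloaded from the server in the patent)."""
    udp: int = 1000
    tcp_synack: int = 200
    tcp_get: int = 300
    tcp_rstfin: int = 200
    icmp: int = 100

class MinuteCounter:
    """Sliding 60-second packet counts, one queue of timestamps per category."""
    def __init__(self, window: float = 60.0):
        self.window = window
        self.events: dict[str, deque] = {}

    def add(self, key: str, now: float) -> int:
        q = self.events.setdefault(key, deque())
        q.append(now)
        self._expire(q, now)
        return len(q)

    def count(self, key: str, now: float) -> int:
        q = self.events.get(key)
        if q is None:
            return 0
        self._expire(q, now)
        return len(q)

    def _expire(self, q: deque, now: float) -> None:
        while q and now - q[0] > self.window:
            q.popleft()

def fragment_attack(p: PacketInfo) -> bool:
    """Assumed heuristic: tiny first fragment, or a fragment reassembling beyond 65535 bytes."""
    if not p.fragmented:
        return False
    if p.frag_offset == 0 and p.more_fragments and p.ip_total_len < 28:
        return True                      # cannot even carry a full UDP/ICMP/TCP header
    return p.frag_offset * 8 + (p.ip_total_len - 20) > 65535

def classify(p: PacketInfo, counter: MinuteCounter, policy: Policy, now: float):
    """Return ("BLOCK", reason) or ("PASS", "") following S120..S160."""
    if p.proto == "UDP":
        if counter.add("UDP", now) > policy.udp:
            return ("BLOCK", "udp threshold")                      # S132 -> S170
    elif p.proto == "TCP":
        if p.tcp_kind:
            counter.add(p.tcp_kind, now)
        if counter.count("SYNACK", now) > policy.tcp_synack:
            return ("BLOCK", "tcp syn/ack threshold")              # S142 -> S170
        if counter.count("GET", now) > policy.tcp_get:
            return ("BLOCK", "tcp get threshold")                  # S144 -> S170
        if counter.count("RSTFIN", now) > policy.tcp_rstfin:
            return ("BLOCK", "tcp rst/fin threshold")              # S146 -> S170
    elif p.proto == "ICMP":
        if counter.add("ICMP", now) > policy.icmp:
            return ("BLOCK", "icmp threshold")                     # S152 -> S170
    else:
        return ("PASS", "")          # other protocols are outside the three classes
    if fragment_attack(p):
        return ("BLOCK", "fragment attack")                        # S134/S148/S154 -> S170
    return ("PASS", "")                                            # S160

def simulate() -> list:
    """Constructed traffic: a SYN/ACK burst over a low threshold, a tiny fragment, then a quiet minute."""
    policy = Policy(tcp_synack=5)
    counter = MinuteCounter()
    t = 1000.0
    results = [classify(PacketInfo("TCP", "SYNACK"), counter, policy, t + i * 0.1)[0]
               for i in range(7)]
    tiny = PacketInfo("UDP", fragmented=True, more_fragments=True, frag_offset=0, ip_total_len=24)
    results.append(classify(tiny, counter, policy, t + 1)[0])
    # 62 s later the window has drained, so a fresh SYN/ACK passes again
    results.append(classify(PacketInfo("TCP", "SYNACK"), counter, policy, t + 62)[0])
    return results

if __name__ == "__main__":
    print(simulate())
```

The counters are keyed by category rather than by destination, matching the patent's per-terminal per-minute counts; a deployment that wanted to avoid blocking a busy but legitimate client would key them per destination as well, at the cost of more state.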

The method for blocking harmful packets outgoing from a user terminal according to an embodiment of the present invention may also be implemented as a program recorded on a computer-readable recording medium.

The present invention has been described above with reference to the embodiments shown in the drawings, but these serve only to illustrate the invention; those skilled in the art will appreciate that other embodiments are possible. Accordingly, the true scope of the present invention should be determined by the technical idea of the claims.

FIG. 1 is a view showing the overall configuration of a system for blocking harmful packets outgoing from the user terminal according to an embodiment of the present invention.

FIG. 2 is a view showing the configuration of a device for blocking harmful packets outgoing from the user terminal according to an embodiment of the present invention.

FIG. 3 is a diagram showing the configuration of the harmfulness determining means shown in FIG.

FIG. 4 is a view showing the overall flow of a method for blocking harmful packets outgoing from the user terminal according to an embodiment of the present invention.

FIG. 5 is a diagram illustrating the principle of determining whether the source IP address of a packet sent from the user terminal has been forged, according to an embodiment of the present invention.

FIG. 6A is a diagram illustrating a normal communication process of a TCP Syn/Ack packet.

FIG. 6B is a diagram illustrating an attack process of a TCP Syn/Ack packet.

FIG. 7A is a diagram illustrating a normal communication process of a TCP Get packet.

FIG. 7B is a diagram illustrating an attack process of a TCP Get packet.

Claims (17)

1. An apparatus for blocking harmful packets outgoing from a user terminal, comprising: modulation determination means for determining whether the source Internet protocol address of a packet outgoing from the user terminal has been forged; and packet blocking means for blocking the packet when the modulation determination means determines that the source Internet protocol address has been forged.

2. The apparatus of claim 1, further comprising: protocol confirmation means for confirming the protocol of the packet when the modulation determination means determines that the source Internet protocol address has not been forged; harmfulness determination means for determining harmfulness for each confirmed protocol; and packet transmitting means for transmitting the packet to the outside when the harmfulness determination means determines that the packet is not harmful, wherein the packet blocking means blocks the packet outgoing from the user terminal when the harmfulness determination means determines that the packet is harmful.

3. The apparatus of claim 2, wherein the modulation determination means determines whether the packet has been tampered with by comparing the Internet protocol address in the header area of the packet outgoing from the user terminal with the Internet protocol address set in the user terminal.

4. The apparatus of claim 2 or 3, wherein the harmfulness determination means comprises: threshold-exceeding determination means for determining whether the number of packets transmitted per minute from the user terminal exceeds a threshold, determining the packet to be harmful if the threshold is exceeded and not harmful if it is not; and fragment inspection means for, when the threshold-exceeding determination means finds the count at or below the threshold, inspecting the fragmentation of the packet to detect a fragment attack, determining the packet to be harmful if a fragment attack is present and not harmful if it is not.

5. The apparatus of claim 4, wherein, when the protocol confirmation means finds that the packet is a UDP (User Datagram Protocol) packet, the threshold-exceeding determination means determines whether the number of UDP packets transmitted per minute exceeds a UDP threshold and determines the UDP packet to be harmful when the UDP threshold is exceeded, and the fragment inspection means, when the threshold-exceeding determination means finds the count at or below the UDP threshold, inspects the fragmentation of the UDP packet and determines the UDP packet to be harmful when a fragment attack is present and not harmful when it is not.

6. The apparatus of claim 4, wherein, when the protocol confirmation means finds that the packet is a TCP packet, the threshold-exceeding determination means determines whether the number of TCP Syn/Ack packets transmitted per minute exceeds a TCP Syn/Ack threshold and determines the TCP Syn/Ack packet to be harmful when the TCP Syn/Ack threshold is exceeded; when the count is at or below the TCP Syn/Ack threshold, determines whether the number of TCP Get packets transmitted per minute exceeds a TCP Get threshold and determines the TCP Get packet to be harmful when the TCP Get threshold is exceeded; and when the count is at or below the TCP Get threshold, determines whether the number of TCP RST/FIN packets transmitted per minute exceeds a TCP RST/FIN threshold and determines the TCP RST/FIN packet to be harmful when the TCP RST/FIN threshold is exceeded, and wherein the fragment inspection means, when the threshold-exceeding determination means finds the count at or below the TCP RST/FIN threshold, inspects the fragmentation of the TCP RST/FIN packet and determines the TCP RST/FIN packet to be harmful when a fragment attack is present and not harmful when it is not.

7. The apparatus of claim 4, wherein, when the protocol confirmation means finds that the packet is an Internet Control Message Protocol (ICMP) packet, the threshold-exceeding determination means determines whether the number of ICMP packets transmitted per minute exceeds an ICMP threshold and determines the ICMP packet to be harmful when the ICMP threshold is exceeded, and the fragment inspection means, when the threshold-exceeding determination means finds the count at or below the ICMP threshold, inspects the fragmentation of the ICMP packet and determines the ICMP packet to be harmful when a fragment attack is present and not harmful when it is not.

8. A system for blocking harmful packets outgoing from a user terminal, comprising: a user terminal provided with a harmful packet blocking device that determines whether the source Internet protocol address of an outgoing packet has been tampered with, blocks the packet if so, and blocks harmful packets according to the result of comparing the number of unforged packets transmitted with a threshold; a central management server that manages the harmful packet blocking devices installed in a plurality of user terminals, sets the security policy of each user terminal and collects its log information; and a log storage database that stores the collected log information and calculates statistics using the stored log information.

9. The system of claim 8, wherein the harmful packet blocking device comprises: modulation determination means for determining whether the source Internet protocol address of a packet outgoing from the user terminal has been forged; protocol confirmation means for confirming the protocol of the packet when the determination finds that the source Internet protocol address has not been forged; harmfulness determination means for determining harmfulness for each confirmed protocol; packet blocking means for blocking the packet when the modulation determination means determines that the source Internet protocol address has been forged or when the harmfulness determination means determines that the packet is harmful; and packet transmitting means for transmitting the packet to the outside when the harmfulness determination means determines that the packet is not harmful.

10. The system of claim 8, wherein the modulation determination means determines whether the packet has been tampered with by comparing the Internet protocol address in the header area of the packet outgoing from the user terminal with the Internet protocol address set in the user terminal.

11. The system of claim 8, wherein the central management server calculates activity statistics of packets whose source Internet protocol address has been forged and of packets determined to be harmful by the harmfulness determination means, and notifies the user terminal in real time when analysis of the calculated activity statistics indicates a dangerous condition.

12. A method for blocking harmful packets outgoing from a user terminal, comprising: determining whether the source Internet protocol address of a packet outgoing from the user terminal has been tampered with; and blocking the packet when the determination finds that the source Internet protocol address has been forged.

13.
The method of claim 12, Confirming a protocol of the packet when the source internet protocol address is not modified as a result of the determination; Determining whether harmfulness is determined for each of the identified protocols; And blocking the packet if it is harmful as a result of the determination of the harmfulness, and transmitting the packet to the outside if it is not harmful. The method according to claim 12 or 13, Determining whether or not the source Internet Protocol address has been modified, And determining whether the packet has been tampered with by comparing the Internet protocol address of the header area of the packet outgoing from the user terminal with the Internet protocol address set in the user terminal. The method of claim 13, Determining whether the hazard is, After checking the protocol of the packet, if the packet is a UDP (User Datagram Protocol) packet, Determining whether the number of UDP packets transmitted per minute exceeds a UDP threshold; Determining that the UDP packet is harmful when the UDP threshold is exceeded, and detecting a fragment attack by inspecting a fragment of the UDP packet when the UDP packet is less than the UDP threshold; And determining that the UDP packet is harmful when there is the fragment attack, and determining that the UDP packet is not harmful when there is no fragment attack. . The method of claim 13, Determining whether the hazard is, If the packet is a TCP packet as a result of checking the protocol of the packet, Determining whether the number of TCP Syn / Ack packets transmitted per minute exceeds a TCP Syn / Ack threshold; When the TCP Syn / Ack threshold is exceeded, it is determined that the TCP Syn / Ack packet is harmful. When the TCP Syn / Ack threshold is less than the TCP Syn / Ack threshold, it is determined whether the number of TCP Get packets transmitted per minute exceeds the TCP Get threshold. 
step; Determining that the TCP Get packet is harmful when the TCP Get threshold is exceeded, and determining whether the number of TCP RST / FIN packets transmitted per minute exceeds the TCP RST / FIN threshold when the TCP Get threshold is less than the TCP Get threshold; When the TCP RST / FIN threshold is exceeded, it is determined that the TCP RST / FIN packet is harmful, and when the TCP RST / FIN threshold is lower than the TCP RST / FIN threshold, the fragment of the TCP RST / FIN packet is examined to detect whether there is a fragment attack. step; Determining that the TCP RST / FIN packet is harmful when there is the fragment attack, and determining that the TCP RST / FIN packet is not harmful when there is no fragment attack. How to block harmful packets. The method of claim 13, Determining whether the hazard is, Checking the protocol of the packet, if the packet is an Internet Control Message Protocol (ICMP) packet, Determining whether the number of ICMP packets transmitted per minute exceeds an ICMP threshold; Determining that the ICMP packet is harmful when the ICMP threshold is exceeded, and detecting a fragment attack by inspecting a fragment of the ICMP packet when the ICMP packet is less than the ICMP threshold; And determining that the ICMP packet is harmful when there is the fragment attack, and determining that the ICMP packet is not harmful when the fragment attack is not present. .
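The decision flow the claims describe (source-address tamper check, then per-minute thresholds evaluated in the claimed order per protocol, then fragment inspection) as an added Python illustration; this is not the patent's or the applicant's code. The threshold values, the field names, the `synack`/`get`/`rstfin` labels and the `fragment_attack` flag standing in for the result of a separate fragment inspection are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed per-minute thresholds; the claims name the thresholds but fix no values.
DEFAULT_THRESHOLDS = {"udp": 500, "synack": 200, "get": 300, "rstfin": 200, "icmp": 100}
TCP_ORDER = ["synack", "get", "rstfin"]  # check order the claims state for TCP packets


@dataclass
class Packet:
    src_ip: str
    proto: str                     # "udp", "tcp" or "icmp"
    tcp_kind: str = ""             # for TCP: "synack", "get" or "rstfin" (assumed labels)
    fragment_attack: bool = False  # assumed result of a separate fragment inspection


@dataclass
class EgressFilter:
    host_ip: str                   # Internet protocol address set in the user terminal
    thresholds: dict = field(default_factory=lambda: dict(DEFAULT_THRESHOLDS))
    counts: dict = field(default_factory=lambda: defaultdict(int))  # (minute, kind) -> n

    def decide(self, pkt: Packet, minute: int) -> tuple:
        """Return ("block" | "forward", reason) for one outgoing packet."""
        # Step 1: tamper check, header source address against the configured address.
        if pkt.src_ip != self.host_ip:
            return ("block", "source address tampered")
        # Step 2: pick the counter this packet contributes to and the cascade to check.
        if pkt.proto == "tcp":
            cascade = TCP_ORDER
            key = pkt.tcp_kind if pkt.tcp_kind in TCP_ORDER else None
        elif pkt.proto in ("udp", "icmp"):
            cascade, key = [pkt.proto], pkt.proto
        else:
            return ("forward", "protocol not covered")
        if key is not None:
            self.counts[(minute, key)] += 1
        # Step 3: thresholds are evaluated in the claimed order; the first one
        # exceeded marks the packet harmful (TCP: Syn/Ack, then Get, then RST/FIN).
        for kind in cascade:
            if self.counts[(minute, kind)] > self.thresholds[kind]:
                return ("block", f"{kind} rate over threshold")
        # Step 4: below every threshold, fragment inspection decides; for TCP the
        # claims apply it to the RST/FIN packet.
        if pkt.fragment_attack and key in ("udp", "icmp", "rstfin"):
            return ("block", "fragment attack")
        return ("forward", "not harmful")
```

Because the TCP counters are checked as a cascade, a Get packet sent while the Syn/Ack counter is already over its threshold is blocked for the Syn/Ack reason, which is what the claim order implies.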
KR1020090085455A 2009-09-10 2009-09-10 Apparatus, system and method for protecting malicious packets transmitted outside from user terminal KR20110027386A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020090085455A KR20110027386A (en) 2009-09-10 2009-09-10 Apparatus, system and method for protecting malicious packets transmitted outside from user terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020090085455A KR20110027386A (en) 2009-09-10 2009-09-10 Apparatus, system and method for protecting malicious packets transmitted outside from user terminal

Publications (1)

Publication Number Publication Date
KR20110027386A true KR20110027386A (en) 2011-03-16

Family

ID=43934208

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020090085455A KR20110027386A (en) 2009-09-10 2009-09-10 Apparatus, system and method for protecting malicious packets transmitted outside from user terminal

Country Status (1)

Country Link
KR (1) KR20110027386A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013166126A1 (en) * 2012-05-01 2013-11-07 Taasera, Inc. Systems and methods for providing mobile security based on dynamic attestation
WO2014038737A1 (en) * 2012-09-07 2014-03-13 에스케이텔레콤 주식회사 Network traffic management system using monitoring policy and filtering policy, and method thereof
US9467360B2 (en) 2011-06-27 2016-10-11 Sk Telecom Co., Ltd. System, device and method for managing network traffic by using monitoring and filtering policies
KR101910496B1 (en) * 2018-01-19 2018-10-26 주식회사 애니아이티 Network based proxy setting detection system through wide area network internet protocol(IP) validation and method of blocking harmful site access using the same

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9467360B2 (en) 2011-06-27 2016-10-11 Sk Telecom Co., Ltd. System, device and method for managing network traffic by using monitoring and filtering policies
WO2013166126A1 (en) * 2012-05-01 2013-11-07 Taasera, Inc. Systems and methods for providing mobile security based on dynamic attestation
US8776180B2 (en) 2012-05-01 2014-07-08 Taasera, Inc. Systems and methods for using reputation scores in network services and transactions to calculate security risks to computer systems and platforms
US8850588B2 (en) 2012-05-01 2014-09-30 Taasera, Inc. Systems and methods for providing mobile security based on dynamic attestation
US8990948B2 (en) 2012-05-01 2015-03-24 Taasera, Inc. Systems and methods for orchestrating runtime operational integrity
US9027125B2 (en) 2012-05-01 2015-05-05 Taasera, Inc. Systems and methods for network flow remediation based on risk correlation
US9092616B2 (en) 2012-05-01 2015-07-28 Taasera, Inc. Systems and methods for threat identification and remediation
WO2014038737A1 (en) * 2012-09-07 2014-03-13 에스케이텔레콤 주식회사 Network traffic management system using monitoring policy and filtering policy, and method thereof
KR101910496B1 (en) * 2018-01-19 2018-10-26 주식회사 애니아이티 Network based proxy setting detection system through wide area network internet protocol(IP) validation and method of blocking harmful site access using the same

Similar Documents

Publication Publication Date Title
US8423645B2 (en) Detection of grid participation in a DDoS attack
TWI294726B (en)
US7478429B2 (en) Network overload detection and mitigation system and method
US7356689B2 (en) Method and apparatus for tracing packets in a communications network
US7984493B2 (en) DNS based enforcement for confinement and detection of network malicious activities
US8117657B1 (en) Detection and mitigation of rapidly propagating threats from P2P, IRC and gaming
TW201738796A (en) Prevention and control method, apparatus and system for network attack
Haris et al. Detecting TCP SYN flood attack based on anomaly detection
KR101219796B1 (en) Apparatus and Method for protecting DDoS
KR102088299B1 (en) Apparatus and method for detecting drdos
CN101631026A (en) Method and device for defending against denial-of-service attacks
JP2006512856A (en) System and method for detecting and tracking DoS attacks
KR101042291B1 (en) System and method for detecting and blocking to distributed denial of service attack
US20040250158A1 (en) System and method for protecting an IP transmission network against the denial of service attacks
Xiao et al. A novel approach to detecting DDoS attacks at an early stage
JP2004140524A (en) Method and apparatus for detecting dos attack, and program
Singh et al. Analysis of Botnet behavior using Queuing theory
KR20110027386A (en) Apparatus, system and method for protecting malicious packets transmitted outside from user terminal
Prabha et al. A survey on IPS methods and techniques
Keshariya et al. DDoS defense mechanisms: A new taxonomy
KR20130009130A (en) Apparatus and method for dealing with zombie pc and ddos
CN104348785B (en) The method, apparatus and system for preventing host PMTU from attacking in IPv6 nets
Selvaraj Distributed Denial of Service Attack Detection, Prevention and Mitigation Service on Cloud Environment
GB2418563A (en) Monitoring for malicious attacks in a communications network
TWI258286B (en) Methods for intrusion detection system (IDS) thwarting and mitigating network attacks

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application