Data structure and algorithm of destination ip address monitoring for detecting ddos attack

A structure for detecting DDoS(Distributed Denial of Service) attack based on improved Bloom filter and a detection algorithm using the same are provided to detect the DDoS attack effectively by measuring traffic quantity based on a table including relation among detail IP(Internet Protocol) addresses while keeping a real-time traffic detection function. A destination IP address is read by separating an IP header value of a packet when the packet is generated(301). Each detail address divided by dots is converted into an index by a basic hash function(302). One is added to a space value by indexing an index value to four basic tables(303), and a common index value among the detail addresses is generated by using a second algorithm and an additional hash function at the same time(304). One is added to the space value of an additional table by corresponding to the common index value(305). The packet is determined as abnormal traffic when five space values exceed a threshold value by comparing the space values corresponding to five indexes of four basic tables and one additional table with the threshold value(307).