CN102137075A - System and method for preventing DDoS (Distributed Denial of Service) attack - Google Patents

Publication number: CN102137075A
Application number: CN2010101042056A
Authority: CN (China)
Prior art keywords: package, filtering, distributed denial, flow, service attack
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 蔡建岗, 邱永兴, 游峰鹏
Original and current assignee: Chunghwa Telecom Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Application filed by Chunghwa Telecom Co Ltd; priority to CN2010101042056A; published as CN102137075A
Abstract

The invention relates to a system and method for preventing DDoS (Distributed Denial of Service) attacks, applied to sensing and defending against DDoS attacks. The system comprises a sensing device and a protecting device. The sensing device senses the DDoS attack and diverts its traffic, and the protecting device receives the traffic packets diverted by the sensing device and filters them; the protecting device comprises a filtering module, a routing device and a regulating module. The filtering module filters abnormal packets according to a preset filtering rule, the routing device forwards the filtered traffic packets, and the regulating module analyses the filtered traffic packets so as to regulate the filtering rule and provide alarm information. In addition, the invention provides a method for preventing DDoS attacks, comprising the steps of sensing abnormal traffic at the main network nodes, executing multilayer filtration after diverting the traffic, and regulating the filtering rule according to the analysis to strengthen the filtration results, so that network service interruption caused by the DDoS attack is avoided.

Description

Distributed denial of service attack protection system and method
Technical field
The present invention relates to a distributed denial of service (DDoS) attack protection system and method, and more particularly to a system and method for detecting a DDoS attack on a network, diverting its traffic packets, and filtering them.
Background technology
With the rapid development of the Internet, people rely on the network ever more heavily, and network security problems follow; in particular, attacks on servers and hosts emerge endlessly, so a secure network environment receives growing attention.
A distributed denial of service attack (DDoS) is a common example of attacking a computer with a large volume of network packets: a large number of service requests are sent to a host in order to disrupt the normal operation of the host providing the service, consuming bandwidth and host resources and even paralysing the operating system. Present countermeasures against such large-scale DDoS attacks are imperfect. For example, when the customer builds its own protection equipment, the protective effect is bounded by the bandwidth subscribed to, and an attack exceeding that bandwidth cannot be stopped effectively. Increasing bandwidth or upgrading server performance does not help either, because attack scales are easily measured in hundreds of MB or even in GB, far beyond the bandwidth and host performance an ordinary enterprise can bear. Asking the Internet service provider (ISP) to block the attacked IP leaves that IP unable to provide service. Blocking the attack source IPs cannot be done completely, because the source IPs are mostly widely dispersed. Blocking external attack traffic, for attacks originating outside, cannot stop the attack completely and also blocks legitimate external traffic. Changing the attacked IP to evade the attack requires updating the enterprise's DNS host settings, and external DNS hosts take time to learn the new IP, so normal users may be unable to reach the site during that period; moreover, the attacker can still find the new IP and continue the attack.
Taking the above problems together, protection against this class of DDoS attack is clearly insufficient, whether at the user end, the enterprise host, the service-providing server or even the ISP. Normally the attack is only noticed once the attacked host has failed, and the only responses are to block the attack source passively or to block or change the attacked IP, which may block normal packets that share a route with the attack source or interrupt the provided service. Defence against this type of DDoS attack therefore still needs to be strengthened.
How to let network users quickly and effectively mitigate the attack or restore network service when suffering a DDoS attack, so as to avoid the customer's operations halting or being unable to provide network services because of the attack, has therefore become a problem urgently needing a solution.
Summary of the invention
In view of the above shortcomings of the prior art, the present invention proposes a DDoS attack protection system and method for detecting and defending against DDoS attacks on a network: abnormal network traffic is detected and analysed, the DDoS traffic is diverted and its abnormal packets are filtered, so that the normal operation of the customer is not affected.
To achieve this, the invention provides a DDoS attack protection system for detecting and defending against DDoS attacks on a network, comprising: a detection device, for detecting the DDoS attack and diverting the traffic packets of the detected attack; and a protection device, for receiving the traffic packets diverted by the detection device and filtering them. The protection device comprises: a filtering module, which filters the abnormal packets in the traffic according to a preset filtering rule; a router, which receives the traffic packets filtered by the filtering module and forwards them to the customer; and an adjusting module, which samples and analyses the filtered traffic packets in order to adjust the filtering rule in the filtering module and to provide alarm information.
In one embodiment, the filtering module further comprises a fragment packet processing unit, which filters the fragmented packets in the traffic and prevents the traffic packets from being fragmented again, and an attack packet processing unit, which filters attack packets out of the traffic passed by the fragment packet processing unit.
In another embodiment, the protection device comprises a plurality of filtering modules that filter the traffic packets in a distributed fashion. A front-end packet switch and a rear-end packet switch are connected before and after the filtering modules respectively; both switches decide, by a hash computation, which filtering module a traffic packet is sent to, so that connectionless packets (for example UDP, ICMP) and connection-oriented packets (for example TCP) can be filtered at the same time.
In another embodiment, the system further comprises an analysis module, which receives a mirrored copy of the traffic packets before they pass through the filtering module and analyses them; the analysis module is connected to a packet information database that records the information obtained from the analysis.
In addition, the present invention provides a DDoS attack protection method for detecting a DDoS attack and diverting and filtering its packets, comprising the following steps: 1) detect the traffic packets at the backbone routing nodes of the network, so that traffic packets showing a traffic anomaly are analysed; 2) divert the traffic packets into a protection zone for packet filtering; 3) filter the traffic packets according to a preset filtering rule, so that the abnormal packets in the traffic are removed; and 4) analyse the filtered traffic packets as the basis for adjusting the filtering rule.
The filtering rule uses the customer's connection count threshold as a protection parameter; the protection parameter comprises the allowed number of connections, the URL access frequency and/or the number of access requests.
In one embodiment, step 3) further comprises: 3-1) filtering the fragmented packets in the traffic and preventing the traffic packets from being fragmented again; and 3-2) after the fragment filtering, filtering the attack packets out of the remaining traffic again.
The method may further comprise step 5): routing the filtered traffic packets back to the customer so as to provide the customer's network service.
Compared with the prior art, the DDoS attack protection system and method of the present invention detect attacks at the main network nodes, divert the DDoS traffic packets into a protection zone for filtering, and filter the abnormal packets by a preset filtering rule, so that the impact on the customer's network service is mitigated or reduced; in addition, the filtered packets are likewise sampled and analysed, and the filtering rule is adjusted according to the analysis result to improve the filtering effect. The system therefore not only detects DDoS attacks proactively but also provides a fast and effective defence mechanism, lowering the degree to which the customer base is affected by the network attack.
Description of drawings
Fig. 1 is a packet routing diagram of the DDoS attack protection system of the present invention;
Fig. 2 is a system architecture diagram of the first embodiment of the DDoS attack protection system of the present invention;
Fig. 3 is a partial system architecture diagram of the second embodiment of the DDoS attack protection system of the present invention;
Fig. 4 is a partial system architecture diagram of the third and fourth embodiments of the DDoS attack protection system of the present invention;
Fig. 5 is a partial system architecture diagram of the fifth embodiment of the DDoS attack protection system of the present invention;
Fig. 6 is a flow chart of the DDoS attack protection method of the present invention; and
Fig. 7 is a detailed flow chart of the DDoS attack protection method of the present invention.
[Description of the main component symbols]
1 protection zone
10, 11 routing nodes
12 attacking network
13 customer network
2 DDoS attack protection system
21 detection device
22, 32, 42, 62 protection devices
221, 321, 421, 421', 421'', 621 filtering modules
222, 322, 422, 622 routers
223, 323, 623 adjusting modules
3211 fragment packet processing unit
3212 attack packet processing unit
30, 40, 60 front-end routers
411 front-end packet switch
412 rear-end packet switch
624 analysis module
625 packet information database
S701~S704 steps
S7031~S7032 steps
Embodiments
The technical content of the present invention is described below by way of specific examples; those skilled in the art can readily understand the other advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other specific examples, and the details in this specification may be modified and changed in various ways from different viewpoints and for different applications without departing from the spirit of the present invention.
Referring to Fig. 1, the packet routing diagram of the DDoS attack protection system of the present invention, which mainly shows the movement of attack packets across the Internet. In general, a backbone network has backbone routing nodes that connect numerous networks, such as routing nodes 10 and 11 in the figure. When the attacking network 12 starts an attack, a large number of attack packets are passed from backbone routing node 10 to routing node 11 along path a and then on to the customer network 13, and it is difficult to provide a protection function during this transmission. The DDoS attack protection system of the present invention provides detection equipment at routing node 10; when an attack occurs, the whole traffic is diverted to the protection zone 1 (path b) for filtering, and finally the traffic remaining after filtering is sent back to the customer network 13, thereby reducing the damage caused by the DDoS attack.
First embodiment:
Referring to Fig. 2, the system architecture diagram of the first embodiment: the DDoS attack protection system 2 of the present invention, used for detecting and defending against a DDoS attack on a network, comprises a detection device 21 and a protection device 22.
The detection device 21 detects DDoS attacks and diverts the traffic packets of a detected attack. Specifically, detection device 21 is located at each backbone routing node, such as routing nodes 10 and 11 of Fig. 1, and mainly monitors the traffic packets at the routing node. Because a DDoS attack is not a virus attack but paralyses the host server by sheer volume of packets, detection device 21 primarily judges abnormal network traffic and, on finding a traffic anomaly, diverts the packets of that abnormal traffic to protection device 22. Detection device 21 has a number of parameter settings that can be fine-tuned as required, such as setting a flow of 10M as abnormal and 50M as an attack.
Protection device 22 receives the traffic packets diverted by detection device 21 and filters them. Protection device 22 comprises a filtering module 221, a router 222 and an adjusting module 223. Filtering module 221 filters abnormal packets out of the traffic according to a preset filtering rule. Router 222 receives the traffic packets filtered by filtering module 221 and forwards them to the customer. Adjusting module 223 samples and analyses the filtered traffic packets in order to adjust the filtering rule of filtering module 221 and to provide alarm information.
In other words, the traffic packets filtered by filtering module 221 are sent to router 222 and are also sampled and analysed by adjusting module 223, which obtains the number of abnormal packets remaining after filtering and provides alarm information when necessary. If the filtered traffic still leaves the DDoS attack at a high-risk level, adjusting module 223, besides providing alarm information, immediately adjusts the filtering rule to strengthen the packet-filtering procedure; at the same time the traffic packets filtered by filtering module 221 are forwarded to the customer via router 222.
Second embodiment:
Referring to Fig. 3, the partial system architecture diagram of the second embodiment: the main components are identical to those of the first embodiment, the difference being that filtering module 321 in protection device 32 further comprises a fragment packet processing unit 3211 and an attack packet processing unit 3212.
Fragment packet processing unit 3211 filters the fragmented packets in the traffic and prevents the traffic packets from being fragmented again. In this embodiment the traffic diverted by detection device 21 is received by front-end router 30 and sent to filtering module 321 for processing. The diverted traffic may contain fragmented packets (IP fragments), which not only cannot be filtered directly but can easily paralyse the whole protection device 32 through a fragment attack. The reason is that when an ordinary protection device handles a large number of fragments it must reassemble them before it can make a protection judgement, so it must reserve system resources to store fragments that have not yet been reassembled; the characteristic of a fragment attack is precisely to send a large number of fragments that can never be reassembled successfully, occupying the protection device's resources instantly, so that when the device tries to inspect or reassemble so many fragments its resources are easily exhausted and the device stops operating. This embodiment therefore divides filtering module 321 into two parts. First, fragment packet processing unit 3211 filters the fragmented packets, mainly by blocking them, and at the same time restricts the traffic passing through it from being fragmented again, so that subsequent filtering is not affected. In one embodiment, fragment packet processing unit 3211 may be a packet switch with a fragment-blocking function, i.e. the switch's own function is used to forbid packet fragmentation: every fragment after the first fragment with the same sequence number can be discarded directly, which effectively reduces the overall load of protection device 32, and the first fragment is then judged and filtered by attack packet processing unit 3212. Compared with existing large firewalls that have a fragment-blocking function, implementing fragment packet processing unit 3211 with a packet switch requires no complicated steps and reduces the difficulty and cost of operation and maintenance.
Attack packet processing unit 3212 filters attack packets out of the traffic passed by fragment packet processing unit 3211. Specifically, after the fragments have been filtered by fragment packet processing unit 3211, attack packet processing unit 3212 filters the attack packets out of the traffic by the preset filtering rule, so that only normal packets remain. Finally, the filtered traffic is sent by attack packet processing unit 3212 to router 322 for forwarding, while adjusting module 323 samples and analyses it to judge whether the preset filtering rule needs to be adjusted, and provides alarm information.
The filtering rule uses the customer's connection count threshold as a protection parameter, and this protection parameter comprises the allowed number of connections, the URL access frequency and/or the number of access requests. In other words, the threshold of connection requests (TCP/UDP/ICMP) that the customer can bear is used, and alarm information is provided to the network administrator in good time. Specifically, the filtering rule judges whether the quantities of connection requests, accesses and so on in the traffic are within the normal range: parameters such as the number of connections allowed for a source, the frequency with which a source may access a particular website, or the number of URL access requests help decide whether the traffic constitutes abnormal network service requests. Traffic judged abnormal is filtered, and the packets after filtering are sampled and analysed again; if the DDoS attack still cannot be reduced to a safe range, adjusting module 323 automatically adjusts the filtering rule according to the post-filtering analysis data, strengthening the subsequent filtering effect.
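The two-stage filter and the rule adjustment loop of this embodiment, as an added illustration that is not the patent's own code: the fragment unit passes only first fragments, the attack unit drops sources that exceed the connection, access-frequency and request-count parameters, and the adjusting module tightens the rule when the filtered flow still exceeds what the customer can bear. The packet fields, thresholds and sample window are all constructed.

```python
"""Multi-layer filter in the style of the patent's second embodiment: fragment
packet processing unit, attack packet processing unit and adjusting module.
Added illustration, not the patent's own code; packet fields, thresholds and
the sample window are all constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "TCP", "UDP" or "ICMP"
    frag_offset: int = 0   # 0 = first or only fragment of an IP datagram
    request: bool = False  # carries an application-level request (e.g. HTTP GET)


@dataclass(frozen=True)
class FilterRule:
    """Protection parameters named in the patent, all counted per source
    address within one observation window."""
    max_connections: int    # allowed connection count
    max_site_accesses: int  # access frequency toward one destination
    max_requests: int       # number of access requests


def fragment_unit(packets):
    """Fragment packet processing unit: pass only first fragments. Later pieces
    of a split datagram are dropped, so no reassembly state is ever held."""
    return [p for p in packets if p.frag_offset == 0]


def attack_unit(packets, rule):
    """Attack packet processing unit: drop every packet from a source whose
    connection, access or request count in this window exceeds the rule.
    Simplification: each TCP packet is counted as one connection attempt."""
    conns = Counter(p.src for p in packets if p.proto == "TCP")
    accesses = Counter((p.src, p.dst) for p in packets)
    requests = Counter(p.src for p in packets if p.request)
    passed, dropped = [], []
    for p in packets:
        abnormal = (conns[p.src] > rule.max_connections
                    or accesses[(p.src, p.dst)] > rule.max_site_accesses
                    or requests[p.src] > rule.max_requests)
        (dropped if abnormal else passed).append(p)
    return passed, dropped


def adjusting_module(passed, rule, safe_volume):
    """Analyse the filtered traffic; if it still exceeds the volume the customer
    can bear, halve every threshold and raise an alarm. Returns (rule, alarm)."""
    if len(passed) <= safe_volume:
        return rule, None
    tighter = FilterRule(max(1, rule.max_connections // 2),
                         max(1, rule.max_site_accesses // 2),
                         max(1, rule.max_requests // 2))
    alarm = f"{len(passed)} packets after filtering exceed safe volume {safe_volume}; rule tightened"
    return tighter, alarm


def protect(packets, rule, safe_volume, max_rounds=3):
    """Protection device pipeline: fragment unit -> attack unit -> adjusting
    module, re-filtering the window with the tightened rule until the remaining
    flow is within the safe range. Returns (passed, final_rule, alarms)."""
    alarms = []
    first_fragments = fragment_unit(packets)
    passed = first_fragments
    for _ in range(max_rounds):
        passed, _ = attack_unit(first_fragments, rule)
        rule, alarm = adjusting_module(passed, rule, safe_volume)
        if alarm is None:
            break
        alarms.append(alarm)
    return passed, rule, alarms


def sample_window():
    """Constructed one-second window: one normal client, one flooding source
    that also sends a stream of non-first fragments."""
    normal = [Packet("10.0.0.5", "203.0.113.10", "TCP", request=True)
              for _ in range(3)]
    flood = [Packet("198.51.100.7", "203.0.113.10", "TCP", request=True)
             for _ in range(40)]
    fragments = [Packet("198.51.100.7", "203.0.113.10", "UDP", frag_offset=1480 * i)
                 for i in range(1, 6)]
    return normal + flood + fragments


if __name__ == "__main__":
    out, rule, alarms = protect(sample_window(), FilterRule(50, 50, 50), safe_volume=10)
    print(len(out), "packets forwarded to customer; final rule:", rule, alarms)
```

With the loose starting rule the first pass lets the flood through; the adjusting module halves the thresholds and the second pass leaves only the normal client's packets.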
Third embodiment:
Referring to Fig. 4, the partial system architecture diagram of the third embodiment. For simplicity of illustration only the components relevant to this embodiment are shown. This embodiment differs from the second embodiment of Fig. 3 in that protection device 42 comprises a plurality of filtering modules 421, 421', 421'' to filter the traffic packets in a distributed fashion. Specifically, after the abnormal traffic is diverted to protection device 42, it is received by front-end router 40 and distributed by front-end packet switch 411 to one of the filtering modules 421, 421', 421'' for filtering, and the filtered traffic is likewise sent to the customer via rear-end packet switch 412 and router 422.
The use of multiple filtering modules makes the whole DDoS attack protection system more scalable, so that the protection device can be expanded to carry the attack volume as the attack scale grows. Preferably, each filtering module can filter a different packet type, which not only spreads the load of the filtering modules but also lets the processing equipment speed up processing according to packet characteristics. The number of filtering modules can be adjusted to actual demand.
Fourth embodiment:
Referring again to Fig. 4, which also serves as the partial system architecture diagram of the fourth embodiment. For simplicity of illustration only the components relevant to this embodiment are shown. The fourth embodiment shares the system architecture of the third; the difference is that connectionless packets, for example User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) packets, and connection-oriented packets, for example Transmission Control Protocol (TCP) packets, can be filtered at the same time, by having front-end packet switch 411 and rear-end packet switch 412 perform a hash computation to decide the direction in which each traffic packet flows.
Without the front-end packet switch 411 and rear-end packet switch 412 of this embodiment, traffic received by front-end router 40 could be sent to any one of the filtering modules 421, 421', 421'' for filtering and then forwarded by router 422. Such a packet transport architecture is problematic for connection-oriented packets, mainly because they are more complex and require two-way communication before the packet information can be known; if the packets of one connection travel back and forth through different filtering modules, for example sent out after filtering by module 421 but returned through another filtering module 421', the packet content cannot be judged.
Therefore, in this embodiment front-end packet switch 411 and rear-end packet switch 412 perform a hash computation to decide which filtering module a traffic packet is sent through, so that connectionless and connection-oriented packets can be filtered at the same time. Specifically, front-end packet switch 411 hashes the source IP to determine through which port the packet flows downstream to a particular filtering module, and rear-end packet switch 412 hashes the destination IP with the same algorithm to determine through which port the packet flows back upstream to the filtering module it originally passed through; that is, the two switches run the same hash computation to assign the forwarding positions of the traffic packets, so that connection-oriented packets are handled correctly. Front-end packet switch 411 and rear-end packet switch 412 of this embodiment can be implemented with packet switches; in other words, front-end packet switch 411 can at the same time handle the fragment-blocking function and the distribution of traffic packets, balancing the load over the filtering modules 421, 421', 421'' it connects to. From the system architecture of the third and fourth embodiments it can be seen that multiple filtering modules achieve load balancing and can filter connectionless and connection-oriented packets at the same time, achieving packet filtering and load balancing while also providing system scalability.
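The symmetric hashing of the fourth embodiment, as an added illustration that is not the patent's own code: the front-end switch hashes the source IP, the rear-end switch hashes the destination IP of the reply with the same function, so both directions of a connection reach the same filtering module, and a round-robin distribution is run beside it to show the failure the embodiment avoids. The hash function, the stateful stand-in module and the sample connections are all assumptions.

```python
"""Symmetric hashing in the style of the patent's fourth embodiment: the
front-end switch hashes the source IP, the rear-end switch hashes the
destination IP with the same algorithm, so both directions of a connection
reach the same filtering module. Added illustration, not the patent's own
code; the hash, the stateful module and the sample connections are constructed."""
import hashlib
import itertools


def port_for(address, n_ports):
    """The one hash both switches run: maps an IP address to a port number,
    each port leading to one filtering module. sha256 is used so the mapping is
    stable across processes (Python's hash() of a str is randomised)."""
    digest = hashlib.sha256(address.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_ports


def front_switch(pkt, n_ports):
    """Front-end packet switch (downstream, toward the customer): hash on source IP."""
    return port_for(pkt["src"], n_ports)


def rear_switch(pkt, n_ports):
    """Rear-end packet switch (upstream, replies leaving the customer): hash on
    destination IP, which for a reply equals the original source IP."""
    return port_for(pkt["dst"], n_ports)


class StatefulModule:
    """Stand-in for a filtering module inspecting connection-oriented traffic:
    a reply is only accepted if this module saw the request that opened the
    connection. A module that never saw the request cannot judge the reply,
    which is the failure the patent describes for unpinned forwarding."""

    def __init__(self):
        self.open_connections = set()

    def downstream(self, pkt):
        self.open_connections.add((pkt["src"], pkt["dst"]))

    def upstream(self, pkt):
        return (pkt["dst"], pkt["src"]) in self.open_connections


def reply_to(pkt):
    """Constructed reply: addresses swapped, same protocol."""
    return {"src": pkt["dst"], "dst": pkt["src"], "proto": pkt["proto"]}


def run_exchange(requests, n_ports, pinned=True):
    """Send each request downstream and its reply upstream through n_ports
    modules. pinned=True uses the two hashing switches; pinned=False uses
    round-robin distribution as a contrast. Returns one verdict per reply."""
    modules = [StatefulModule() for _ in range(n_ports)]
    round_robin = itertools.count()
    verdicts = []
    for req in requests:
        rep = reply_to(req)
        if pinned:
            down, up = front_switch(req, n_ports), rear_switch(rep, n_ports)
        else:
            down, up = next(round_robin) % n_ports, next(round_robin) % n_ports
        modules[down].downstream(req)
        verdicts.append(modules[up].upstream(rep))
    return verdicts


def sample_connections():
    """Constructed: four clients opening TCP connections to one server."""
    return [{"src": f"192.0.2.{i}", "dst": "203.0.113.10", "proto": "TCP"}
            for i in (11, 12, 13, 14)]


if __name__ == "__main__":
    print("pinned:     ", run_exchange(sample_connections(), 3))
    print("round-robin:", run_exchange(sample_connections(), 3, pinned=False))
```

Connectionless packets need no such pinning, since each can be judged on its own; the same switch hash simply spreads them across the modules.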
The 5th embodiment:
As shown in Figure 5, it is the local system Organization Chart of the 5th embodiment of explanation distributed denial of service attack guard system of the present invention.Be simplicity of illustration and explanation, system architecture herein only shows the member relevant with present embodiment, as shown in the figure, present embodiment and aforesaid described these embodiment different be in, the safeguard 62 of present embodiment also comprises an analysis module 624, after will flow package mirror, to carry out the analysis of this flow package by filtering module 621.That is before front end route device 60 is delivered to filtering module 621 and is filtered, the flow package that imports is transmitted portion to analysis module 624 by the mirror mode to be analyzed, use and understand the package state of this abnormal flow at present, flow package as for former importing is unaffected, continuation is delivered to route device 622 after filtering via filtering module 621, simultaneously adjusting module 623 is taked to analyze, with as the filtering rule adjustment and warning information is provided.
In addition, analysis module 624 connects a packet information database 625, mainly in order to note down the information after described these flow packages are analyzed, checks its state of unusual package that imports safeguard 62 so that network manager to be provided.
In sum, by distributed denial of service attack guard system of the present invention, can on the network main node, detect, import in the protection prefecture so that unusual filtering packets is fallen with flow package distributed denial of service attack, in addition, judge as threshold value by can bear online quantity etc., adjust filtering rule thus, form and protect to stop the attack of single or mixed species at many levels with the intensive filtration effect.
See also Fig. 6, it is the process step figure of distributed denial of service attack means of defence of the present invention.As shown in the figure, in step S701, flow package to network primary circuit routing node is detected, so that the flow package of Traffic Anomaly is analyzed, just detect network traffics when producing unusual package situation, monitoring is provided immediately and analyzes, take a decision as to whether distributed denial of service attack thus and subsequent treatment is provided in case of necessity to judge whether these network traffics reach preset critical.Then proceed to step S702.
In step S702, this flow package is imported the protection prefecture carry out filtering packets, if detect the situation that the flow package belongs to abnormal flow, then this flow package is imported a protection prefecture and carry out filtration treatment.In one embodiment, after this step S702 also comprises the flow package mirror that will be imported, so that the analysis before the filtering packets to be provided, obtain thus filter before flow package state.Then proceed to step S703.
In step S703, carry out the flow filtering packets according to default filtering rule, so that the unusual filtering packets in this flow package is removed.Particularly, promptly filter judgement by predetermined filtering rule, mainly be as the protection parameter with the online quantity threshold value of client, with the foundation of this protection parameter as filtering rule, for example can allow online quantity or network address frequency of access, and website access requested number etc., filter as the judgement of abnormal flow and then with its unusual package thus.
In another embodiment, this step S703 also can comprise the flow direction distribution of carrying out this flow package by the hash computing, to provide filtration treatment to non-on-line and on-line package simultaneously, specifically, only need can know whether be to attack package for non-on-line package through unidirectional processing, review the on-line package and need just can know the package content through two-way communication, therefore, at on-line package characteristic, before and after handling the equipment of attacking package, the packet-switched device is set and carries out identical hash algorithm, by source IP and purpose IP are carried out the hash computing, determining this flow package to transmit in the past, and then reach the filtration that to handle all types of packages simultaneously via which port.Then proceed to step S704.
In step S704, the filtered traffic packets are analyzed to serve as the basis for adjusting the filtering rule. The main purpose of this step is to capture and analyze the post-filter traffic in order to judge the current protection effect; specifically, the filtered traffic packets are mirrored and sent for analysis, which provides the basis for adjusting the filtering rule, so that if the filtering effect is poor the filtering rule is adjusted to strengthen it.
Referring to Fig. 7, a detailed block diagram of the distributed denial of service attack protection method of the present invention is shown. Preferably, step S703 further comprises steps S7031 and S7032. In step S7031, the fragmented packets in the traffic are filtered and the traffic packets are prevented from being fragmented. The method then proceeds to step S7032.
In step S7032, after the fragmented packets have been filtered, the attack packets in the remaining traffic are filtered again.
Specifically, fragmented packets are handled first in step S7031, which not only prevents fragmented packets from paralysing the protection zone but also limits fragmentation of the traffic packets; afterwards, the traffic packets that passed step S7031 are filtered for attack packets, thereby providing a multi-level protection effect.
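The full loop of steps S701 to S704, with S703 split into the fragment stage and the attack stage, as an added example that is not part of the patent: a protection zone applies per-source fragment, connection-count and request-rate thresholds in that order, the post-filter traffic is then measured against the capacity of the protected service, and if too much still gets through the thresholds are tightened and an alarm is raised. The threshold values, the service capacity, the halving rule and the sample traffic are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ts: float               # arrival time in seconds
    fragment: bool = False  # IP fragment (more-fragments set or non-zero offset)
    new_conn: bool = False  # opens a connection (TCP SYN)
    request: bool = False   # carries an application-level access request


@dataclass(frozen=True)
class FilterRules:
    """Protection parameters; the numbers are assumed starting values."""
    max_fragments_per_sec: int = 5   # per source, enforced in the S7031 stage
    max_conns_per_source: int = 3    # allowed connection count
    max_requests_per_sec: int = 10   # access frequency per network address


def tightened(rules: FilterRules) -> FilterRules:
    """Strengthen every threshold (halve, never below 1) when S704 finds the
    filter effect insufficient. The halving rule is an assumption."""
    return FilterRules(max(1, rules.max_fragments_per_sec // 2),
                       max(1, rules.max_conns_per_source // 2),
                       max(1, rules.max_requests_per_sec // 2))


class ProtectionZone:
    """S7031 (fragment filter) followed by S7032 (attack filter)."""

    def __init__(self, rules: FilterRules) -> None:
        self.rules = rules
        self.stats = {"fragment_dropped": 0, "attack_dropped": 0, "passed": 0}

    def filter_packets(self, packets):
        frag = defaultdict(int)   # (src, second) -> fragments seen
        conns = defaultdict(int)  # src -> connections opened
        reqs = defaultdict(int)   # (src, second) -> requests seen
        passed = []
        for p in packets:
            sec = int(p.ts)
            if p.fragment:  # S7031: cap fragments so reassembly cannot exhaust the zone
                frag[(p.src, sec)] += 1
                if frag[(p.src, sec)] > self.rules.max_fragments_per_sec:
                    self.stats["fragment_dropped"] += 1
                    continue
            if p.new_conn:  # S7032: connection-count threshold on what survived
                conns[p.src] += 1
                if conns[p.src] > self.rules.max_conns_per_source:
                    self.stats["attack_dropped"] += 1
                    continue
            if p.request:   # S7032: access-frequency threshold
                reqs[(p.src, sec)] += 1
                if reqs[(p.src, sec)] > self.rules.max_requests_per_sec:
                    self.stats["attack_dropped"] += 1
                    continue
            passed.append(p)
        self.stats["passed"] = len(passed)
        return passed


def analyze_and_adjust(passed, rules, service_capacity_pps):
    """S704: mirror the post-filter traffic, measure what still reaches the
    service, and tighten the rules with an alarm if it exceeds capacity."""
    per_dst_sec = defaultdict(int)
    for p in passed:
        per_dst_sec[(p.dst, int(p.ts))] += 1
    worst = max(per_dst_sec.values(), default=0)
    if worst > service_capacity_pps:
        return tightened(rules), f"ALARM: {worst} pps still reach the service (capacity {service_capacity_pps})"
    return rules, None


def defend(packets, rules, service_capacity_pps, max_rounds=3):
    """Filter -> analyze -> adjust, repeated until the residual load is acceptable."""
    rounds = []
    for _ in range(max_rounds):
        zone = ProtectionZone(rules)
        passed = zone.filter_packets(packets)
        new_rules, alarm = analyze_and_adjust(passed, rules, service_capacity_pps)
        rounds.append({"rules": rules, "stats": zone.stats, "alarm": alarm})
        if alarm is None:
            break
        rules = new_rules
    return rules, rounds


def sample_traffic():
    """Constructed one-second sample: a normal client beside a source that
    floods fragments, connection openings and requests (documentation addresses)."""
    pkts = [Packet("198.51.100.7", "203.0.113.5", 0.00, new_conn=True)]
    pkts += [Packet("198.51.100.7", "203.0.113.5", 0.01 * i, request=True) for i in range(1, 4)]
    pkts += [Packet("198.51.100.200", "203.0.113.5", 0.10 + 0.01 * i, fragment=True) for i in range(8)]
    pkts += [Packet("198.51.100.200", "203.0.113.5", 0.20 + 0.01 * i, new_conn=True) for i in range(5)]
    pkts += [Packet("198.51.100.200", "203.0.113.5", 0.30 + 0.01 * i, request=True) for i in range(25)]
    return pkts


if __name__ == "__main__":
    final_rules, rounds = defend(sample_traffic(), FilterRules(), service_capacity_pps=15)
    for r in rounds:
        print(r["stats"], r["alarm"])
    print(final_rules)
```

With the sample above the first pass still lets 22 packets per second through to a service assumed to handle 15, so the rules are halved and the second pass lets 12 through, at which point the loop stops; the normal client's four packets survive both rounds because its counts stay under every threshold.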
In addition, the distributed denial of service attack protection method of the present invention can further be combined with the backbone network of a specific ISP so that attacks are stopped comprehensively at a particular network: for example, if the attack comes from an external network it can be stopped at the routing node where the external attack enters, or, to protect a specific user, the packets of traffic that does not belong to this ISP can be stopped. In this way several measures cooperate to provide a better protection effect.
In summary, the present invention proposes a distributed denial of service attack protection system and method for detecting and defending against distributed denial of service attacks. Compared with the shortcomings of the prior art, the invention actively detects abnormal network traffic, diverts the packets of the abnormal traffic to a protection zone and filters out the abnormal packets by a filtering rule; in addition to handling packets of different kinds, such as fragmented packets and connection-oriented packets, the filtering results are analyzed as a basis for adjusting the filtering rule, thereby strengthening the overall filtering effect and achieving multi-level protection, so as to reduce and mitigate the network service interruptions caused by distributed denial of service attacks.
The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Any person skilled in the art may modify and change the above embodiments without departing from the spirit and scope of the present invention. Therefore, the scope of protection of the present invention should be as set forth in the claims.

Claims (19)

1. A distributed denial of service attack protection system for detecting and defending against a distributed denial of service attack in a network, comprising:
a detection device for detecting the distributed denial of service attack and diverting the traffic packets of the detected distributed denial of service attack; and
a protection device for receiving the traffic packets diverted by the detection device and filtering the traffic packets, comprising:
a filtering module for filtering the abnormal packets in the traffic according to a preset filtering rule;
a routing device for receiving the traffic packets filtered by the filtering module and transmitting the filtered traffic packets to the client; and
an adjusting module for capturing and analyzing the filtered traffic packets, adjusting the preset filtering rule in the filtering module, and providing alarm information.
2. The distributed denial of service attack protection system according to claim 1, wherein the detection device is arranged at each backbone routing node of the network so as to monitor the traffic packets of that routing node.
3. The distributed denial of service attack protection system according to claim 1, wherein the detection device judges abnormal network traffic and diverts the packets of the abnormal network traffic to the protection device.
4. The distributed denial of service attack protection system according to claim 1, wherein the adjusting module analyzes the traffic packets passing through the routing device to obtain the number of abnormal packets in the traffic, which serves as the basis for adjusting the filtering rule.
5. The distributed denial of service attack protection system according to claim 1, wherein the filtering rule is a connection-count threshold of the client.
6. The distributed denial of service attack protection system according to claim 5, wherein the filtering rule comprises an allowed number of connections, an access frequency per network address and/or a number of access requests.
7. The distributed denial of service attack protection system according to claim 1, wherein the filtering module further comprises:
a fragmented-packet processing unit for filtering the fragmented packets in the traffic and preventing the traffic packets from being fragmented; and
an attack-packet processing unit for filtering the attack packets in the traffic that has passed the fragmented-packet processing unit.
8. The distributed denial of service attack protection system according to claim 1, further comprising an analysis module for mirroring the traffic packets passing through the filtering module and analyzing the mirrored traffic packets.
9. The distributed denial of service attack protection system according to claim 8, wherein the analysis module is connected to a packet information database for recording the information obtained from analyzing the traffic packets.
10. The distributed denial of service attack protection system according to claim 1, wherein the protection device comprises a plurality of filtering modules for distributed filtering of the traffic packets.
11. The distributed denial of service attack protection system according to claim 10, wherein a front-end packet switch and a rear-end packet switch are connected to the front end and the rear end of the plurality of filtering modules respectively, and the front-end packet switch and the rear-end packet switch determine by a hash computation which filtering module the traffic packets are directed to, so that connectionless and connection-oriented packets are filtered at the same time.
12. A distributed denial of service attack protection method for detecting and defending against a distributed denial of service attack in a network, comprising the following steps:
1) detecting the traffic packets at the backbone routing nodes of the network and analyzing the packets of abnormal traffic;
2) diverting the traffic packets to a protection zone for packet filtering;
3) filtering the traffic packets according to a preset filtering rule so as to remove the abnormal packets from the traffic; and
4) analyzing the filtered traffic packets as a basis for adjusting the filtering rule.
13. The distributed denial of service attack protection method according to claim 12, wherein step 2) further comprises mirroring the traffic packets and analyzing the mirrored traffic packets.
14. The distributed denial of service attack protection method according to claim 12, wherein step 3) further comprises the following steps:
3-1) filtering the fragmented packets in the traffic and preventing the traffic packets from being fragmented; and
3-2) after the fragmented packets have been filtered, filtering the attack packets in the remaining traffic.
15. The distributed denial of service attack protection method according to claim 12, wherein step 3) further comprises distributing the flow of the traffic packets by a hash computation so that connectionless and connection-oriented packets are filtered at the same time.
16. The distributed denial of service attack protection method according to claim 12, wherein step 4) further comprises capturing and analyzing the traffic packets so as to provide alarm information and a basis for adjusting the preset filtering rule.
17. The distributed denial of service attack protection method according to claim 12, wherein the filtering rule is a connection-count threshold of the client.
18. The distributed denial of service attack protection method according to claim 17, wherein the filtering rule comprises an allowed number of connections, an access frequency per network address and/or a number of access requests.
19. The distributed denial of service attack protection method according to claim 18, further comprising step 5): directing the filtered traffic packets back to the client so as to provide the network service of the client.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101042056A CN102137075A (en) 2010-01-27 2010-01-27 System and method for preventing DDoS (Distributed Denial of Service) attack

Publications (1)

Publication Number Publication Date
CN102137075A true CN102137075A (en) 2011-07-27

Family

ID=44296733

Country Status (1)

Country Link
CN (1) CN102137075A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030014665A1 (en) * 2001-07-03 2003-01-16 Anderson Todd A. Apparatus and method for secure, automated response to distributed denial of service attacks
CN101111053A (en) * 2006-07-18 2008-01-23 中兴通讯股份有限公司 System and method for defending network attack in mobile network
CN101447996A (en) * 2008-12-31 2009-06-03 成都市华为赛门铁克科技有限公司 Defending method for distributed service-refusing attack and system and device thereof

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110290156A (en) * 2019-07-26 2019-09-27 太仓红码软件技术有限公司 A kind of defence for Scattered Attack and network security device based on big data
CN110290156B (en) * 2019-07-26 2021-09-24 济南法诺商贸有限公司 Big data-based defense and network security device for distributed attack
CN112437035A (en) * 2019-08-26 2021-03-02 南宁富桂精密工业有限公司 Distributed denial of service attack protection method and related equipment
US11522909B2 (en) 2019-08-26 2022-12-06 Nanning Fulian Fugui Precision Industrial Co., Ltd. Method for preventing distributed denial of service attack and related equipment
CN114338067A (en) * 2020-10-09 2022-04-12 中国移动通信有限公司研究院 DDoS detection method, device and detection node

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code: ref country code HK; ref legal event code DE; ref document number 1154724; country of ref document HK
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication; application publication date 20110727
REG Reference to a national code: ref country code HK; ref legal event code WD; ref document number 1154724; country of ref document HK