CN102882894A - Method and device for identifying attack - Google Patents


Info

Publication number: CN102882894A
Authority: CN (China)
Prior art keywords: session, server, client, attack, entry
Legal status: Pending
Application number: CN2012104242778A
Other languages: Chinese (zh)
Inventor: 滕晓燕
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Priority date: 2012-10-30
Filing date: 2012-10-30
Publication date: 2013-01-16

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for identifying an attack, belonging to the technical field of network security. The method comprises the following steps: establishing a session table from the messages exchanged between a client and a server; obtaining the number of one-way sessions in the session table; and determining that the server is under attack when the number of one-way sessions exceeds a preset attack threshold. The method and device improve the efficiency of identifying message attacks.

Description

Method and device for identifying an attack
Technical field
The present invention relates to the field of network security technology, and in particular to a method and device for identifying an attack.
Background technology
With the progress of network communication technology, the network security problems caused by various network attacks are receiving increasing attention. Among these, the distributed denial of service attack (Distributed Denial of Service, DDOS), commonly known as a flood attack, is a common type of network attack. A denial of service attack is one in which the attacker, by some means, deliberately causes a computer or network to stop functioning normally, so that it cannot provide the required service to legitimate users or provides it at degraded quality. "Distributed" means that multiple attackers in different locations launch the attack against one or several targets at the same time.
Fig. 1 is a schematic diagram of a DDOS attack in the prior art. As shown in Fig. 1, in a DDOS attack one or more attackers control a large number of computers as attack sources and make them send large volumes of data to a server simultaneously, eventually bringing the server down. A DDOS attack wastes network resources, congests link bandwidth, exhausts server resources and interrupts service.
Because network-layer denial of service attacks either exploit vulnerabilities in network protocols or seize the limited processing capacity of the network or its devices, controlling them has become a major headache for administrators. This is especially true for the firewalls, load balancers and similar devices commonly deployed on the key links of most network environments today: when a DDOS attack occurs, they often become the bottleneck of the whole network and cause the whole network to be paralysed.
DDOS attacks fall into the following two types:
Fixed-source attacks: a malicious attacker constructs one class of message and sends it to the server in large volume. Certain header fields of the packets of such an attack are identical, that is, the attack stream directed at the server has very similar characteristics and a very high degree of sameness; for example, the attacker uses a certain fixed source IP to construct SYN request messages and sends them to the server in large volume.
Discrete-source attacks: because the messages of a fixed-source attack have a high degree of sameness, they are easy to identify and defend against, so the malicious attacks flooding networks today are mainly discrete-source attacks, in which the source IP of the attack traffic is a randomly changing forged IP. Because the attack stream is highly dispersed, it is difficult to identify and defend against with conventional methods.
Existing DDOS attack identification schemes mainly count, per protocol type, the message traffic accessing the IP of the defended target, and consider that an attack is occurring when the message traffic exceeds a normal value. Similarly, in the more specialised case of DNS protection, the count is made not against the specific defended target but according to the source IP or the domain name field of DNS request packets, and an attack is assumed when the count exceeds a normal value.
Existing DDOS attack identification schemes therefore simply analyse statistically, by protocol type or by some class of message feature, the message traffic accessing the server, and consider an attack to be occurring when that traffic exceeds a normal value. For fixed-source attacks, this analysis of attack stream characteristics can find the attack source and targeted protection can then be applied, because the traffic of a fixed attack source is easy to identify. However, the malicious attacks currently injected into networks are mainly discrete-source attacks, in which the source IP of the attack traffic is a randomly changing forged IP, and for these the existing identification schemes have difficulty identifying the attack quickly and effectively.
Summary of the invention
In view of this, the purpose of the present invention is to provide a method and device for identifying an attack, so as to improve the efficiency with which message attacks are identified.
To achieve the above purpose, the invention provides the following technical solution:
A method for identifying an attack, applied in a network security device located in front of a server, the method comprising:
establishing a session table according to the messages exchanged between the client and the server;
obtaining the number of sessions in the session table that are one-way sessions;
determining that the server is under attack when the number of one-way sessions is greater than a preset attack threshold.
A device for identifying an attack, applied in a network security device located in front of a server, the device comprising:
a session table establishing unit, for establishing a session table according to the messages exchanged between the client and the server;
a session statistics unit, for obtaining the number of sessions in the session table that are one-way sessions;
an attack identification unit, for determining that the server is under attack when the number of one-way sessions is greater than a preset attack threshold.
Compared with the prior art, which identifies message attacks by a traffic threshold, the present invention identifies message attacks by session state: by counting the one-way sessions that have not formed a two-way interaction, it can identify message attacks quickly and effectively.
Description of drawings
Fig. 1 is a schematic diagram of a DDOS attack in the prior art;
Fig. 2 is a flow chart of the attack identification method of an embodiment of the invention;
Fig. 3 is a structural diagram of the attack identification device of an embodiment of the invention.
Embodiment
To address the problem that prior-art methods identifying message attacks by a traffic threshold cannot easily identify discrete-source attacks, the embodiment of the invention provides a scheme that identifies attacks by session state. Since an attacker generally attacks the target server using forged IPs or other means, it cannot establish a normal session with the target server and form a service interaction; by counting the one-way sessions that have not formed a two-way interaction, an attack can be identified quickly and effectively.
The invention is described below with reference to the accompanying drawings.
Fig. 2 is a flow chart of the attack identification method of an embodiment of the invention. The method is applied in a network security device located in front of a server. The network security device may be a firewall, a load balancer or similar equipment. "Located in front of the server" means that the network security device can obtain the messages exchanged between the client and the server; it will be understood that the network security device may also be a logical device arranged on the server itself.
With reference to Fig. 2, the attack identification method may comprise the following steps:
Step 201: establish a session table according to the messages exchanged between the client and the server.
The network security device can obtain the messages exchanged between the client and the server, and then establishes the session table from those messages. The session table contains a plurality of session entries, each of which can be identified by the five-tuple of the message, where the five-tuple is the source IP, destination IP, source port, destination port and protocol number.
A session here means the following: the client accesses an open destination port dport of the server from its source port sport; after the server accepts the request, it responds to the client with dport as source port and sport as destination port; and client and server then continue to interact back and forth in this way. A session can be established from the five-tuple; the session is the unique identifier of a connection's interaction and is a connection-oriented, reliable mode of communication.
Step 202: obtain the number of sessions in the session table that are one-way sessions.
First, for each session entry in the session table, obtain the session state corresponding to that entry; then, when the session state is an unsteady state, determine that the session corresponding to that entry is a one-way session; finally, count the session entries in all unsteady states to obtain the number of one-way sessions.
For example, for a TCP session, obtaining the session state corresponding to a session entry may comprise:
when the session entry indicates that the client has initiated a connection request to the server, determining that the client's session is in the newly built state;
when the session entry indicates that the server has responded to the client's connection request, determining that the client's session is in the reverse response state;
when the session entry indicates that the client and the server are performing service interaction, determining that the client's session is in the stable state.
As another example, for a DNS session, obtaining the session state corresponding to a session entry may comprise:
when the session entry indicates that the client has sent a DNS response message to the server, determining that the client's session is in an unsteady state.
Step 203: when the number of one-way sessions is greater than the preset attack threshold, determine that the server is under attack.
Here, the attack threshold can be determined empirically or by simulation.
The above scheme of identifying attacks by session state exploits the fact that a malicious client cannot form normal service interaction with the server: using the five-tuple of the connection established between client and server as a token, it tracks the flow state to decide the session state, and then counts the one-way sessions that have not formed an interaction to decide whether an attack is in progress.
Specifically, when the client initiates a connection request to the server, the session is in the newly built state; when the server responds to the client, the session state is the reverse response state; and after client and server have completed normal service interaction, the session enters the stable state. A malicious client cannot form an interactive session with the server and so cannot enter the stable state; its connection state is that of an incomplete connection. Identifying attacks by session state thus means counting the sessions that have not formed a two-way interaction and deciding that an attack is occurring when that number exceeds a normal value.
For example, when a malicious client attacks the server with SYN messages, it does not interact with the server again after the server responds, so the session cannot enter the stable state. As another example, when a malicious client attacks the server by sending DNS response messages, the server does not respond to the client, so a one-way session is formed and the client cannot establish a complete connection with the server and enter the stable state.
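The method of steps 201 to 203, worked through as an added Python example that is not the patent's own code: a session table keyed on the client-oriented five-tuple, the TCP states (newly built, reverse response, stable) and the DNS unsteady state, and the threshold check of step 203. The server address, the packet records and the threshold of 4 are constructed for the example; how a legitimate DNS query and its answer are tracked is an assumption, since the patent only defines the unsteady case.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Session states, named after the patent's TCP embodiment; UNSTEADY is the
# state its DNS embodiment assigns. Everything except STABLE is one-way.
NEW = "newly_built"                    # client sent a connection request
REVERSE_RESPONSE = "reverse_response"  # server answered, client went silent
STABLE = "stable"                      # client and server exchange service data
UNSTEADY = "unsteady"                  # e.g. client sent a DNS response to the server
ONE_WAY_STATES = {NEW, REVERSE_RESPONSE, UNSTEADY}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str                  # "tcp" or "udp"
    tcp_flags: str = ""         # "SYN", "SYN-ACK" or "ACK" (ACK also covers data)
    dns_response: bool = False  # udp/53 only: packet carries a DNS answer


# Five-tuple (src IP, dst IP, src port, dst port, protocol), always written in
# the client->server orientation so both directions map to one entry.
Key = Tuple[str, str, int, int, str]


class SessionTable:
    """Per-five-tuple session state as seen by a device in front of one server."""

    def __init__(self, server_ip: str) -> None:
        self.server_ip = server_ip
        self.entries: Dict[Key, str] = {}

    def _key(self, p: Packet) -> Tuple[Key, bool]:
        """Return the client-oriented five-tuple and whether p came from the client."""
        if p.src_ip == self.server_ip:
            return (p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.proto), False
        return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto), True

    def observe(self, p: Packet) -> None:
        """Steps 201/202: update the entry's state from one observed message."""
        key, from_client = self._key(p)
        state = self.entries.get(key)
        if p.proto == "tcp":
            if from_client and p.tcp_flags == "SYN" and state is None:
                self.entries[key] = NEW
            elif not from_client and p.tcp_flags == "SYN-ACK" and state == NEW:
                self.entries[key] = REVERSE_RESPONSE
            elif from_client and p.tcp_flags == "ACK" and state == REVERSE_RESPONSE:
                self.entries[key] = STABLE
        elif p.proto == "udp" and 53 in (p.src_port, p.dst_port):
            if from_client and p.dns_response:
                # The patent's DNS rule: a client pushing a DNS *response* at
                # the server never gets an answer back, so the entry is unsteady.
                self.entries[key] = UNSTEADY
            elif from_client and state is None:
                self.entries[key] = NEW     # assumption: a query opens the entry
            elif not from_client and state == NEW:
                self.entries[key] = STABLE  # assumption: an answered query is two-way

    def one_way_count(self) -> int:
        """Step 202: number of entries whose state is not stable."""
        return sum(1 for s in self.entries.values() if s in ONE_WAY_STATES)

    def under_attack(self, threshold: int) -> bool:
        """Step 203: the server is under attack when one-way sessions exceed the threshold."""
        return self.one_way_count() > threshold


def run_demo(threshold: int = 4) -> Tuple[int, bool]:
    """Run constructed traffic through the table; returns (one-way count, verdict)."""
    srv = "10.0.0.10"  # constructed server address
    table = SessionTable(srv)
    # Two legitimate clients complete the handshake and reach the stable state.
    for cip, sport in (("192.0.2.1", 40001), ("192.0.2.2", 40002)):
        table.observe(Packet(cip, srv, sport, 80, "tcp", "SYN"))
        table.observe(Packet(srv, cip, 80, sport, "tcp", "SYN-ACK"))
        table.observe(Packet(cip, srv, sport, 80, "tcp", "ACK"))
    # One legitimate DNS query that the server answers.
    table.observe(Packet("192.0.2.3", srv, 5353, 53, "udp"))
    table.observe(Packet(srv, "192.0.2.3", 53, 5353, "udp", dns_response=True))
    # Five connection requests from changing forged sources: the server answers,
    # but no client ever completes the handshake (reverse response state).
    for i in range(5):
        forged = f"203.0.113.{i + 1}"
        table.observe(Packet(forged, srv, 50000 + i, 80, "tcp", "SYN"))
        table.observe(Packet(srv, forged, 80, 50000 + i, "tcp", "SYN-ACK"))
    # One unsolicited DNS response aimed at the server (unsteady state).
    table.observe(Packet("203.0.113.99", srv, 60000, 53, "udp", dns_response=True))
    return table.one_way_count(), table.under_attack(threshold)
```

Entries never age out here, so the one-way count only grows; a real device expires idle entries, and the threshold of step 203 has to be chosen against that expiry window.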
Corresponding to the above method, the embodiment of the invention also provides a device for identifying an attack, applied in a network security device located in front of a server. The network security device may be a firewall, a load balancer or similar equipment. "Located in front of the server" means that the network security device can obtain the messages exchanged between the client and the server; it will be understood that the network security device may also be a logical device arranged on the server itself.
With reference to Fig. 3, the attack identification device may comprise a session table establishing unit 10, a session statistics unit 20 and an attack identification unit 30.
The session table establishing unit 10 is used for establishing a session table according to the messages exchanged between the client and the server. The network security device can obtain the messages exchanged between the client and the server, and the session table establishing unit 10 then establishes the session table from those messages. The session table contains a plurality of session entries, each of which can be identified by the five-tuple of the message, namely the source IP, destination IP, source port, destination port and protocol number.
The session statistics unit 20 is used for obtaining the number of one-way sessions in the session table. Specifically, the session statistics unit 20 may obtain the number of one-way sessions as follows: first, for each session entry in the session table, obtain the session state corresponding to that entry; then, when the session state is an unsteady state, determine that the session corresponding to that entry is a one-way session; finally, count the session entries in all unsteady states to obtain the number of one-way sessions.
For example, for a TCP session, obtaining the session state corresponding to a session entry comprises:
when the session entry indicates that the client has initiated a connection request to the server, determining that the client's session is in the newly built state;
when the session entry indicates that the server has responded to the client's connection request, determining that the client's session is in the reverse response state;
when the session entry indicates that the client and the server are performing service interaction, determining that the client's session is in the stable state.
As another example, for a DNS session, obtaining the session state corresponding to a session entry comprises: when the session entry indicates that the client has sent a DNS response message to the server, determining that the client's session is in an unsteady state.
The attack identification unit 30 is used for determining that the server is under attack when the number of one-way sessions is greater than the preset attack threshold.
Here, the attack threshold can be determined empirically or by simulation.
In summary, the scheme of identifying attacks by session state provided by the embodiment of the invention can judge message attacks quickly and effectively, and is more efficient and more sensitive than the prior-art method of judging message attacks by traffic exceeding a threshold.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the invention.

Claims (10)

1. A method for identifying an attack, applied in a network security device located in front of a server, characterised in that the method comprises:
establishing a session table according to the messages exchanged between the client and the server;
obtaining the number of sessions in the session table that are one-way sessions;
determining that the server is under attack when the number of one-way sessions is greater than a preset attack threshold.
2. The method of claim 1, characterised in that obtaining the number of one-way sessions in the session table comprises:
for each session entry in the session table, obtaining the session state corresponding to that entry;
when the session state is an unsteady state, determining that the session corresponding to that entry is a one-way session;
counting the session entries in all unsteady states to obtain the number of one-way sessions.
3. The method of claim 2, characterised in that, for a TCP session, obtaining the session state corresponding to a session entry comprises:
when the session entry indicates that the client has initiated a connection request to the server, determining that the client's session is in the newly built state;
when the session entry indicates that the server has responded to the client's connection request, determining that the client's session is in the reverse response state;
when the session entry indicates that the client and the server are performing service interaction, determining that the client's session is in the stable state.
4. The method of claim 2, characterised in that, for a DNS session, obtaining the session state corresponding to a session entry comprises:
when the session entry indicates that the client has sent a DNS response message to the server, determining that the client's session is in an unsteady state.
5. The method of claim 1, characterised in that:
the session entries in the session table are identified by five-tuple information.
6. A device for identifying an attack, applied in a network security device located in front of a server, characterised in that the device comprises:
a session table establishing unit, for establishing a session table according to the messages exchanged between the client and the server;
a session statistics unit, for obtaining the number of sessions in the session table that are one-way sessions;
an attack identification unit, for determining that the server is under attack when the number of one-way sessions is greater than a preset attack threshold.
7. The device of claim 6, characterised in that the session statistics unit is specifically used for:
for each session entry in the session table, obtaining the session state corresponding to that entry;
when the session state is an unsteady state, determining that the session corresponding to that entry is a one-way session;
counting the session entries in all unsteady states to obtain the number of one-way sessions.
8. The device of claim 7, characterised in that, for a TCP session, obtaining the session state corresponding to a session entry comprises:
when the session entry indicates that the client has initiated a connection request to the server, determining that the client's session is in the newly built state;
when the session entry indicates that the server has responded to the client's connection request, determining that the client's session is in the reverse response state;
when the session entry indicates that the client and the server are performing service interaction, determining that the client's session is in the stable state.
9. The device of claim 7, characterised in that, for a DNS session, obtaining the session state corresponding to a session entry comprises:
when the session entry indicates that the client has sent a DNS response message to the server, determining that the client's session is in an unsteady state.
10. The device of claim 6, characterised in that:
the session entries in the session table are identified by five-tuple information.

Priority Applications (1)

Application number: CN2012104242778A (publication CN102882894A)
Priority date: 2012-10-30
Filing date: 2012-10-30
Title: Method and device for identifying attack

Publications (1)

Publication number: CN102882894A
Publication date: 2013-01-16

Family ID: 47484037
Country status: CN, pending

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104202297A (en) * 2014-07-30 2014-12-10 杭州华三通信技术有限公司 Anti-attack method and device dynamically adapting to server performance
CN105592050A (en) * 2015-09-07 2016-05-18 杭州华三通信技术有限公司 Method and firewall for preventing attacks
WO2016106592A1 (en) * 2014-12-30 2016-07-07 华为技术有限公司 Method and device for feature information analysis
CN106453350A (en) * 2016-10-31 2017-02-22 杭州华三通信技术有限公司 Anti-attack method and apparatus
CN106850511A (en) * 2015-12-07 2017-06-13 阿里巴巴集团控股有限公司 Identification accesses the method and device attacked
WO2017193271A1 (en) * 2016-05-10 2017-11-16 华为技术有限公司 Method and device for detecting network attack
CN107517195A (en) * 2016-06-17 2017-12-26 阿里巴巴集团控股有限公司 A kind of method and apparatus of content distributing network seat offence domain name
CN107547503A (en) * 2017-06-12 2018-01-05 新华三信息安全技术有限公司 A kind of session entry processing method and processing device
CN114666398A (en) * 2020-12-07 2022-06-24 深信服科技股份有限公司 Application classification method, device, equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697397A (en) * 2004-05-13 2005-11-16 华为技术有限公司 Method for guarding against attack realized for networked devices
JP2006191433A (en) * 2005-01-07 2006-07-20 Nippon Telegr & Teleph Corp <Ntt> Step packet approaching repeater specifying device
CN1972286A (en) * 2006-12-05 2007-05-30 苏州国华科技有限公司 A defense method aiming at DDoS attack
CN101022384A (en) * 2007-03-12 2007-08-22 杭州华为三康技术有限公司 Method for determining out interface and multi-switch-in wideband router
CN101197858A (en) * 2008-01-07 2008-06-11 杭州华三通信技术有限公司 Address translation method, device and router with the same
CN101257454A (en) * 2008-03-21 2008-09-03 北京星网锐捷网络技术有限公司 Apparatus and method for managing band width
CN101854333A (en) * 2009-03-30 2010-10-06 华为技术有限公司 Method and device for detecting incomplete session attack
US20110131646A1 (en) * 2009-12-02 2011-06-02 Electronics And Telecommunications Research Institute Apparatus and method for preventing network attacks, and packet transmission and reception processing apparatus and method using the same

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 2013-01-16