CN105577669B - A method and device for identifying false-source attacks - Google Patents


Info

Publication number
CN105577669B
Authority
CN
China
Prior art keywords
message
ttl
geographic area
source
protection server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510998006.7A
Other languages
Chinese (zh)
Other versions
CN105577669A (en
Inventor
彭武杰
魏勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201510998006.7A
Publication of CN105577669A
Application granted
Publication of CN105577669B


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1483: Countermeasures against malicious traffic; service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The invention discloses a method and device for identifying false-source attacks. When an attack is triggered on a server, the source IP address and current TTL of each packet reaching the server are extracted. Based on the source IP address, the correspondence between source IP addresses and geographic areas, and the correspondence between geographic areas and the TTL threshold ranges of packets reaching the server, the TTL threshold range for packets from the packet's geographic area to reach the server is determined. It is then judged whether the current TTL of the packet lies within the determined TTL threshold range; if not, the client corresponding to the packet is determined to be a false source. All packets can be identified without first-packet dropping or redirection for each packet reaching the server, which avoids affecting the server's normal services, saves network resources, and improves the efficiency of false-source identification.

Description

A method and device for identifying false-source attacks
Technical field
The present invention relates to the technical field of network security, and in particular to a method and device for identifying false-source attacks.
Background
DDOS (Distributed Denial of Service) refers to an attack in which, by means of client/server technology, multiple computers are combined into an attack platform to launch attacks against one or more targets, thereby multiplying the power of a denial-of-service attack. This kind of attack can exploit functional defects of the target server, or directly consume the system resources of the target server, so that the target server cannot provide normal service to users.
Currently, for false-source DDOS attacks, protocol stack behaviour verification is generally used to distinguish normal clients from attackers. For example, for TCP (Transmission Control Protocol) attacks, the target server usually identifies false sources by dropping the first packet: a normal source, following protocol stack behaviour, retransmits the dropped packet, whereas a false source does not retransmit, which distinguishes normal clients from attackers. As another example, for HTTP (Hyper Text Transfer Protocol) attacks, the target server usually responds to an HTTP GET request with a 302 redirect; following protocol stack behaviour, a normal client issues the HTTP GET request again, whereas an attacker using a false source cannot, which likewise distinguishes normal clients from attackers.
That is, protocol stack behaviour verification can identify attackers effectively to a certain extent. However, because it may need to drop the first packet received, it may break normal network connections and so interrupt normal services. In addition, because it may need to respond to the client with a 302 redirect so that the client issues the HTTP GET request again, it may add extra traffic, wasting network resources and reducing interaction efficiency.
Therefore, a new method for identifying false-source attacks is urgently needed, to solve the problems of the existing approaches: they affect the operation of normal services, or they occupy substantial resources and lower interaction efficiency.
Summary of the invention
Embodiments of the present invention provide a method and device for identifying false-source attacks, to solve the problems of the existing approaches: they affect the operation of normal services, or they occupy substantial resources and lower interaction efficiency.
An embodiment of the present invention provides a method for identifying false-source attacks, the method comprising:
If it is determined that an attack has been triggered on a protected server, then for each packet reaching the protected server, extracting the source IP (Internet Protocol) address and the current TTL (Time To Live) of the packet;
Determining the geographic area to which the packet belongs, according to the source IP address of the packet and a set correspondence between source IP addresses and geographic areas;
Determining, according to the determined geographic area and a set correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server, the TTL threshold range for packets in the determined geographic area to reach the protected server;
Judging whether the current TTL of the packet lies within the determined TTL threshold range, and if not, determining that the client corresponding to the packet is a false source.
Optionally, the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server is obtained in the following manner:
For any geographic area, within any set learning period in which no attack is triggered on the protected server, obtaining each packet sample that normally reaches the protected server and whose source IP address belongs to that geographic area, together with the current TTL of each packet sample;
Determining, from the current TTLs of the obtained packet samples that normally reach the protected server and whose source IP addresses belong to that geographic area, the maximum and minimum TTL for packets in that geographic area to reach the protected server, and determining from these maximum and minimum values the TTL threshold range for packets in that geographic area to reach the protected server;
Establishing, from the TTL threshold ranges determined for packets in each geographic area to reach the protected server, the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server.
Optionally, determining the maximum and minimum TTL for packets in the geographic area to reach the protected server, from the current TTLs of the obtained packet samples that normally reach the protected server and whose source IP addresses belong to that geographic area, comprises:
Taking the current TTL of the first packet sample that normally reaches the protected server, among the obtained packet samples whose source IP addresses belong to that geographic area, as the TTL reference value for packets in that geographic area to reach the protected server;
From the current TTLs of the obtained packet samples whose source IP addresses belong to that geographic area, determining the TTLs whose value is not greater than the TTL reference value and the TTLs whose value is not less than the TTL reference value; taking the smallest of the TTLs not greater than the TTL reference value as the minimum TTL for packets in that geographic area to reach the protected server, and taking the largest of the TTLs not less than the TTL reference value as the maximum TTL for packets in that geographic area to reach the protected server.
Further optionally, the correspondence between source IP addresses and geographic areas is obtained in the following manner:
For any source IP address, determining the geographic area to which that source IP address belongs according to the data provided by an IP address information database;
Establishing the correspondence between source IP addresses and geographic areas from the geographic areas determined for each source IP address.
Optionally, the obtained packet samples that normally reach the protected server and whose source IP addresses belong to the geographic area comprise:
Packet samples reported to the protected server by clients in that geographic area; and/or
Packet samples reported to the protected server by software probes deployed in that geographic area.
Optionally, the method further comprises:
Sharing the TTL threshold ranges determined for packets in each geographic area to reach the protected server with other protected servers, so that the other protected servers can obtain, through sharing, the TTL threshold data for packets in each geographic area to reach other protected servers.
Further optionally, at the same time as or after determining that the client corresponding to the packet is a false source, the method further comprises: discarding the packet.
Based on the same inventive concept, an embodiment of the present invention provides a device for identifying false-source attacks, the device comprising:
An information acquisition unit, configured to, if it is determined that an attack has been triggered on a protected server, extract the source IP address and the current TTL of each packet reaching the protected server;
An area locating unit, configured to determine the geographic area to which the packet belongs, according to the source IP address of the packet and a set correspondence between source IP addresses and geographic areas;
A false source judging unit, configured to determine, according to the determined geographic area and a set correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server, the TTL threshold range for packets in the determined geographic area to reach the protected server; and to judge whether the current TTL of the packet lies within the determined TTL threshold range, and if not, determine that the client corresponding to the packet is a false source.
Optionally, the device further comprises a first unit, configured to establish the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server, the first unit comprising:
A sample acquisition module, configured to, for any geographic area, within any set learning period in which no attack is triggered on the protected server, obtain each packet sample that normally reaches the protected server and whose source IP address belongs to that geographic area, together with the current TTL of each packet sample;
A threshold determination module, configured to determine, from the current TTLs of the obtained packet samples that normally reach the protected server and whose source IP addresses belong to that geographic area, the maximum and minimum TTL for packets in that geographic area to reach the protected server, and to determine from these maximum and minimum values the TTL threshold range for packets in that geographic area to reach the protected server;
A relationship establishing module, configured to establish, from the TTL threshold ranges determined for packets in each geographic area to reach the protected server, the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server.
Optionally, the threshold determination module is specifically configured to take the current TTL of the first packet sample that normally reaches the protected server, among the obtained packet samples whose source IP addresses belong to that geographic area, as the TTL reference value for packets in that geographic area to reach the protected server;
And, from the current TTLs of the obtained packet samples whose source IP addresses belong to that geographic area, to determine the TTLs whose value is not greater than the TTL reference value and the TTLs whose value is not less than the TTL reference value; to take the smallest of the TTLs not greater than the TTL reference value as the minimum TTL for packets in that geographic area to reach the protected server, and to take the largest of the TTLs not less than the TTL reference value as the maximum TTL for packets in that geographic area to reach the protected server.
Further optionally, the device further comprises a second unit, configured to, for any source IP address, determine the geographic area to which that source IP address belongs according to the data provided by an IP address information database, and to establish the correspondence between source IP addresses and geographic areas from the geographic areas determined for each source IP address.
Optionally, the obtained packet samples that normally reach the protected server and whose source IP addresses belong to the geographic area comprise:
Packet samples reported to the protected server by clients in that geographic area; and/or
Packet samples reported to the protected server by software probes deployed in that geographic area.
Optionally, the device further comprises a sharing unit, configured to share the TTL threshold ranges determined for packets in each geographic area to reach the protected server with other protected servers, so that the other protected servers can obtain, through sharing, the TTL threshold data for packets in each geographic area to reach other protected servers.
Further optionally, the false source judging unit is further configured to discard the packet at the same time as or after determining that the client corresponding to the packet is a false source.
The beneficial effects of the present invention are as follows:
Embodiments of the present invention provide a method and device for identifying false-source attacks. When it is determined that an attack has been triggered on a protected server, the source IP address and current TTL of each packet reaching the protected server are extracted. Based on the source IP address of the packet, the correspondence between source IP addresses and geographic areas, and the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server, the TTL threshold range for packets in the packet's geographic area to reach the protected server is determined, and it is judged whether the current TTL of the packet lies within the determined TTL threshold range; if not, the client corresponding to the packet is determined to be a false source. That is, all packets can be identified without first-packet dropping or redirection for each packet reaching the protected server, which avoids affecting the server's normal services, saves network resources, and improves the efficiency of false-source identification.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for identifying false-source attacks described in embodiment one of the present invention;
Fig. 2 is a flow chart of the steps, described in embodiment one of the present invention, for establishing the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server;
Fig. 3 is a structural diagram of the device for identifying false-source attacks described in embodiment two of the present invention;
Fig. 4 is a structural diagram of the first unit described in embodiment two of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment one:
Embodiment one of the present invention provides a method for identifying false-source attacks. As shown in Fig. 1, the flow diagram of the method described in embodiment one, the method may comprise the following steps:
Step 101: If it is determined that an attack has been triggered on the protected server, then for each packet reaching the protected server, extract the source IP address and the current TTL of the packet;
Step 102: Determine the geographic area to which the packet belongs, according to the source IP address of the packet and the set correspondence between source IP addresses and geographic areas;
Step 103: According to the determined geographic area and the set correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server, determine the TTL threshold range for packets in the determined geographic area to reach the protected server;
Step 104: Judge whether the current TTL of the packet lies within the determined TTL threshold range; if not, determine that the client corresponding to the packet is a false source.
It should be noted that when the protected server receives more than a set threshold number of packets within a set length of time, it can be determined that an attack has been triggered on the protected server. The set length of time and the set threshold number can be configured flexibly according to actual conditions. Other ways of monitoring whether an attack has been triggered on the protected server can also be used; this embodiment places no limitation on this.
It should also be noted that if the initial values of the TTL field of any two packets differ, then even if the two packets belong to the same geographic area and travel the same path to the protected server, the final values of their TTL fields may differ greatly. Because the TTL field is set by the sender of the packet and is not controlled by the protected server, each TTL mentioned in this embodiment (such as the current TTL, or the TTLs in a TTL threshold range) usually refers to the TTL decrement, which identifies the number of nodes traversed, or the path length, when a packet reaches the protected server.
Further, in this embodiment geographic areas can be divided by city or by operator. That is, for any packet, the geographic area to which the packet belongs can be the city to which its source IP address belongs, or the operator to which its source IP address belongs.
In addition, to make the identification result more accurate, the geographic area to which a packet belongs can be determined jointly by the city and the operator to which its source IP address belongs. Correspondingly, the correspondence between source IP addresses and geographic areas can be expressed as a correspondence between source IP addresses and city-and-operator pairs, and the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server can be expressed as a correspondence between city-and-operator pairs and the TTL threshold ranges of packets reaching the protected server.
Below, the identification process of this embodiment is briefly described for the case where the established correspondence between source IP addresses and geographic areas is expressed as a correspondence between source IP addresses and city-and-operator pairs, and the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server is expressed as a correspondence between city-and-operator pairs and those TTL threshold ranges:
Suppose an attack has been triggered on a protected server located in Australia whose IP address is 129.78.5.11. Then, for any packet reaching the protected server, its source IP address and current TTL (that is, the actual TTL decrement) can be extracted;
Suppose the source IP address of the packet is 222.211.139.7 and its current TTL is 17 (that is, the actual TTL decrement is 17). The pre-established correspondence between source IP addresses and geographic areas can then be queried with this source IP address to learn the city and operator to which it belongs;
Suppose the source IP address belongs to Chengdu Telecom in China, and that querying the pre-established correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server shows that the TTL threshold range for packets from Chengdu Telecom in China to reach the protected server is 20~22 (that is, under normal circumstances the theoretical TTL decrement should be 20~22). It can then be determined that the current TTL of the packet with source IP address 222.211.139.7 is not within this TTL threshold range, so the IP address of the packet is identified as a forged source IP address, i.e. the client corresponding to the packet is a false source.
That is, when it is determined that an attack has been triggered on the protected server, the geographic area of each packet reaching the protected server is determined from its source IP address, and the current TTL of each such packet is compared with the set TTL threshold range corresponding to its geographic area. If the current TTL is not within the TTL threshold range, the IP address of the packet can be determined to be a false IP address. All packets can thus be identified without first-packet dropping or redirection for each packet reaching the protected server, which avoids affecting the server's normal services, saves network resources, and improves the efficiency of false-source attack identification.
Further, for any packet, the packet can also be discarded at the same time as or after determining that the client corresponding to the packet is a false source.
It should also be noted that, in this embodiment, besides dividing geographic areas by city and/or operator, different geographic areas can also be divided by IP address. In that case, for any packet, the geographic area to which the packet belongs can be the source IP address of the packet itself.
Below, the process of establishing the correspondence between source IP addresses and geographic areas, and the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server, is described in detail.
Optionally, the correspondence between source IP addresses and geographic areas can be obtained in the following manner:
For any source IP address, determine the geographic area to which that source IP address belongs according to the data provided by an IP address information database, which stores data such as the city and operator corresponding to each IP address;
Establish the correspondence between source IP addresses and geographic areas from the geographic areas determined for each source IP address.
Of course, the correspondence between source IP addresses and geographic areas can also be obtained in other ways; this embodiment places no limitation on this.
Further, for any protected server, the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server can be obtained in the following manner (as shown in Fig. 2):
Step 201: For any geographic area, within any set learning period in which no attack is triggered on the protected server, obtain each packet sample that normally reaches the protected server and whose source IP address belongs to that geographic area, together with the current TTL of each packet sample;
Step 202: From the current TTLs of the obtained packet samples that normally reach the protected server and whose source IP addresses belong to that geographic area, determine the maximum and minimum TTL for packets in that geographic area to reach the protected server, and from these maximum and minimum values determine the TTL threshold range for packets in that geographic area to reach the protected server;
Step 203: From the TTL threshold ranges determined for packets in each geographic area to reach the protected server, establish the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server.
It should be noted that no attack being triggered on the protected server can mean that, within the set length of time, the number of packets received by the protected server is less than the set threshold number.
It should also be noted that the start time and duration of the set learning period can be configured flexibly according to actual needs. For example, for the first round of learning a longer learning period (such as 10 hours) can be set, so as to determine the TTL threshold ranges for packets to reach the protected server for as many geographic areas as possible. During subsequent operation, learning mode can be switched on for a set period (such as 2 hours) at set intervals (such as every week), to update and refine the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server.
It should further be noted that, while the correspondence between geographic areas and the TTL threshold ranges of packets reaching the protected server is being established within a set learning period in which no attack is triggered on the protected server, learning mode can be switched off as soon as an attack is detected on the protected server. That is, establishing or updating the correspondence stops, to preserve the accuracy of the existing data.
In addition, for any geographic area, within any set learning period in which no attack is triggered on the protected server, the obtained packet samples that normally reach the protected server and whose source IP addresses belong to that geographic area can be all of the packets that normally reach the protected server and whose source IP addresses belong to that geographic area, or only a portion of those packets; no limitation is placed on this.
Optionally, determining the maximum and minimum TTL for packets in the geographic area to reach the protected server, from the current TTLs of the obtained packet samples that normally reach the protected server and whose source IP addresses belong to that geographic area, may comprise:
Taking the current TTL of the first packet sample that normally reaches the protected server, among the obtained packet samples whose source IP addresses belong to that geographic area, as the TTL reference value for packets in that geographic area to reach the protected server;
From the current TTLs of the obtained packet samples whose source IP addresses belong to that geographic area, determining the TTLs whose value is not greater than the TTL reference value and the TTLs whose value is not less than the TTL reference value; taking the smallest of the TTLs not greater than the TTL reference value as the minimum TTL for packets in that geographic area to reach the protected server, and taking the largest of the TTLs not less than the TTL reference value as the maximum TTL for packets in that geographic area to reach the protected server.
For example, a protected server is located in Beijing, China. Within the set learning period, the 1st obtained message sample that normally reaches the protected server and whose source IP address belongs to Shanghai, China with China Unicom as the operator has a current TTL of 17, so 17 is taken as the TTL reference value with which messages from Shanghai, China with China Unicom as the operator reach the protected server;
The 2nd obtained message sample that normally reaches the protected server and whose source IP address belongs to Shanghai, China with China Unicom as the operator has a current TTL of 19; since 19 > 17, 19 is taken as the maximum TTL with which messages from Shanghai, China with China Unicom as the operator reach the protected server;
The 3rd obtained message sample that normally reaches the protected server and whose source IP address belongs to Shanghai, China with China Unicom as the operator has a current TTL of 16; since 17 > 16, 16 is taken as the minimum TTL with which messages from Shanghai, China with China Unicom as the operator reach the protected server;
And so on: if the current TTL of the N-th (N is a positive integer) obtained message sample that normally reaches the protected server and whose source IP address belongs to Shanghai, China with China Unicom as the operator is greater than 19 (the existing maximum TTL), it is taken as the new maximum TTL; if that current TTL is less than 16 (the existing minimum TTL), it is taken as the new minimum TTL. This continues until the set learning period ends, so that the TTL threshold range with which messages from Shanghai, China with China Unicom as the operator reach the protected server is determined according to the finally determined maximum and minimum TTL.
That is, the method for identifying false source attacks provided by this embodiment can, when it is determined that no attack is triggered on the protected server, learn the TTL threshold ranges with which messages in each geographic area reach the protected server, and accordingly establish the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server. Because the correspondence is obtained by sampling a large amount of data while no attack is triggered on the protected server, it is relatively accurate and can provide a reliable reference for identifying false source attacks. In addition, it should be noted that the learning process of the correspondence described in this embodiment can be carried out in real time or periodically; that is, once the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server has been established, it can still be updated in real time or at scheduled times afterwards, to ensure the accuracy of the data. Details are not repeated here.
Optionally, for any protected server, the obtained message samples whose source IP addresses belong to any geographic area and which normally reach the protected server may include:
Message samples reported to the protected server by each client in the geographic area; and/or,
Message samples reported to the protected server by a software probe deployed in the geographic area (for example, an Amazon cloud host located in the geographic area may be used).
That is, in any set learning period, besides using normal service messages as message samples to learn the TTL threshold ranges with which messages in each geographic area reach the protected server, a software probe deployed in any geographic area can also actively report messages to the protected server, so as to learn the TTL threshold range with which messages in that geographic area reach the protected server and thereby improve the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server (this learning mode is especially suitable for scenarios in which the target server handles relatively little traffic, that is, where some geographic areas may have no traffic reaching the target server, so that TTL data for them cannot be learned).
For example, a protected server located in Beijing, China receives no message whose source IP address belongs to Xi'an, China during a certain set learning period, and therefore cannot learn the TTL threshold range with which messages from Xi'an, China reach the protected server. An Amazon cloud host located in Xi'an, China may then be used to actively report messages to the protected server, so as to determine the TTL threshold range with which messages from Xi'an, China reach the protected server and thereby improve the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server.
Optionally, at the same time as or after determining the TTL threshold ranges with which messages in each geographic area reach any protected server, the method may further include:
Sharing the determined TTL threshold ranges with which messages in each geographic area reach the protected server with other protected servers, so that the other protected servers (specifically, other protected servers that have not yet learned TTL data) can obtain, by way of sharing, the TTL threshold data with which messages in each geographic area reach those other protected servers.
That is, the TTL distribution data learned by a single target server can be shared. For example, multiple target servers can each share the TTLs they have learned individually, thereby building a cloud TTL shared library, so that more single target servers that have not learned TTLs can also obtain TTL data by way of sharing.
In addition, it should be noted that the protected server and the other protected servers may be located in the same geographic area geographically, or may be located in the same network segment logically, so as to ensure that messages from any two source IP addresses belonging to the same geographic area traverse similar paths to reach the protected server and the other protected servers, which in turn ensures the reliability of the shared data.
As can be seen from the above, reporting message samples to the protected server through a software probe deployed in any geographic area, and sharing the determined TTL threshold ranges with which messages in each geographic area reach the protected server with other protected servers, both serve to improve the established correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server, and can therefore provide a more comprehensive reference for identifying false source attacks.
An embodiment of the present invention provides a method for identifying false source attacks. When it is determined that an attack is triggered on the protected server, for each message reaching the protected server, the source IP address and current TTL of the message are extracted; according to the source IP address of the message, the correspondence between source IP addresses and geographic areas, and the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server, the TTL threshold range with which messages in the geographic area to which the message belongs reach the protected server is determined; it is then judged whether the current TTL of the message lies within the determined TTL threshold range, and if not, the client corresponding to the message is determined to be a false source. That is, without performing first-packet discarding or redirection on each message reaching the protected server, all messages can be identified, which not only avoids affecting the normal service operation of the server but also saves network resources and improves the efficiency of false source identification.
In addition, the method for identifying false source attacks provided by the embodiment of the present invention can also, when it is determined that no attack is triggered on the protected server, learn the TTL threshold ranges with which messages in each geographic area reach the protected server, and accordingly establish the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server. Because the correspondence is obtained by sampling a large amount of data while no attack is triggered on the protected server, it can provide a reliable reference for identifying false source attacks. Moreover, the established correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server can be improved by having a software probe deployed in any geographic area report message samples to the protected server, and by sharing the determined TTL threshold ranges with which messages in each geographic area reach the protected server with other protected servers; this provides a more comprehensive reference for identifying false source attacks and thereby improves the accuracy of false source identification.
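The learning and identification steps of this embodiment, as an added Python example that is not part of the patent text: it learns a per-region minimum and maximum TTL from the worked values 17, 19 and 16, stops learning once an attack is triggered, and then checks each message's TTL against the range for its source region. The names `TtlProfile`, `region_of` and `GEO_TABLE`, the constructed IP-to-region table, the shared range for Xi'an, and the `unknown` verdict for a region with no learned range are assumptions of this example.

```python
import ipaddress

# Constructed IP-to-region table using documentation prefixes (assumption:
# a real deployment would query an IP address information library instead).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "Shanghai/China Unicom",
    ipaddress.ip_network("203.0.113.0/24"): "Xi'an",
}


def region_of(src_ip):
    """Return the geographic area a source IP belongs to, or None."""
    addr = ipaddress.ip_address(src_ip)
    for net, region in GEO_TABLE.items():
        if addr in net:
            return region
    return None


class TtlProfile:
    """Per-region TTL threshold ranges for one protected server."""

    def __init__(self):
        self.ranges = {}       # region -> (min_ttl, max_ttl)
        self.learning = True   # learning runs only while no attack is triggered

    def learn(self, src_ip, ttl):
        """Feed one normally arriving message sample; return True if it was used."""
        region = region_of(src_ip)
        if not self.learning or region is None:
            return False
        if region not in self.ranges:
            # The first sample for a region becomes the TTL reference value.
            self.ranges[region] = (ttl, ttl)
        else:
            lo, hi = self.ranges[region]
            self.ranges[region] = (min(lo, ttl), max(hi, ttl))
        return True

    def attack_triggered(self):
        """Turn learning off so the existing data stays accurate."""
        self.learning = False

    def import_shared(self, shared_ranges):
        """Fill in regions this server never learned from a shared TTL library."""
        for region, rng in shared_ranges.items():
            self.ranges.setdefault(region, tuple(rng))

    def classify(self, src_ip, ttl):
        """Return 'normal', 'false_source', or 'unknown' (no learned range;
        the 'unknown' verdict is an assumption of this example)."""
        rng = self.ranges.get(region_of(src_ip))
        if rng is None:
            return "unknown"
        return "normal" if rng[0] <= ttl <= rng[1] else "false_source"


def demo():
    profile = TtlProfile()
    # Learning period: the three samples from the worked example (17, 19, 16).
    for ttl in (17, 19, 16):
        profile.learn("198.51.100.7", ttl)
    profile.attack_triggered()
    # A sample seen after the attack starts must not widen the range.
    profile.learn("198.51.100.7", 250)
    verdicts = [
        profile.classify("198.51.100.9", 18),   # inside [16, 19]
        profile.classify("198.51.100.9", 250),  # outside the learned range
        profile.classify("203.0.113.5", 21),    # region never learned locally
    ]
    # Another server's learned range for Xi'an (constructed value).
    profile.import_shared({"Xi'an": (20, 23)})
    verdicts.append(profile.classify("203.0.113.5", 21))
    return profile.ranges["Shanghai/China Unicom"], verdicts


if __name__ == "__main__":
    print(demo())
```

A region with no learned range cannot be judged either way, which is the gap the software probe and the shared TTL library are meant to close.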
Embodiment two:
Based on the same inventive concept, Embodiment two of the present invention provides a device for identifying false source attacks. The device may be a server, a functional sub-module of a server, or a piece of equipment independent of the server; this embodiment imposes no limitation here. Specifically, FIG. 3 is a schematic structural diagram of the device for identifying false source attacks described in Embodiment two of the present invention, and the device may include:
An information acquisition unit 301, used to, if it is determined that an attack is triggered on the protected server, extract, for each message reaching the protected server, the source IP address and current TTL of the message;
A region positioning unit 302, used to determine the geographic area to which the message belongs according to the source IP address of the message obtained by the information acquisition unit 301 and the set correspondence between source IP addresses and geographic areas;
A false source judging unit 303, used to determine, according to the geographic area determined by the region positioning unit 302 and the set correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server, the TTL threshold range with which messages in the determined geographic area reach the protected server; and to judge whether the current TTL of the message lies within the determined TTL threshold range, and if not, determine that the client corresponding to the message is a false source.
That is, when it is determined that an attack is triggered on the protected server, the device can determine the geographic area to which each message reaching the protected server belongs according to its source IP address, and compare the current TTL of each message reaching the protected server with the set TTL threshold range corresponding to that geographic area; if the current TTL is not within the TTL threshold range, the IP address of the message can be determined to be a false IP address. That is, without performing first-packet discarding or redirection on each message reaching the protected server, all messages can be identified, which not only avoids affecting the normal service operation of the server but also saves network resources and improves the efficiency of false source attack identification.
The functions of each unit described in this embodiment of the present invention are described in detail below.
Optionally, for any message, the false source judging unit 303 may further be used to discard the message at the same time as or after determining that the client corresponding to the message is a false source.
Optionally, the device may further include a second unit (not shown in FIG. 3), used to determine, for any source IP address, the geographic area to which that source IP address belongs according to data provided by an IP address information library, and to establish the correspondence between source IP addresses and geographic areas according to the determined geographic area to which each source IP address belongs.
Of course, the second unit may also obtain the correspondence between source IP addresses and geographic areas in other ways; this embodiment imposes no limitation here.
Further, the device may also include a first unit (not shown in FIG. 3), used to establish the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server. Specifically, FIG. 4 is a schematic structural diagram of the first unit, which includes:
A sample acquisition module 401, used to obtain, for any geographic area and in any set learning period in which no attack is triggered on the protected server, each message sample whose source IP address belongs to the geographic area and which normally reaches the protected server, together with the current TTL of each message sample;
A threshold determination module 402, used to determine, according to the current TTL of each obtained message sample whose source IP address belongs to the geographic area and which normally reaches the protected server, the maximum and minimum TTL with which messages in the geographic area reach the protected server, and to determine, according to the determined maximum and minimum TTL, the TTL threshold range with which messages in the geographic area reach the protected server;
A relationship establishing module 403, used to establish the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server according to the determined TTL threshold ranges with which messages in each geographic area reach the protected server.
Optionally, the threshold determination module 402 is specifically used to take the current TTL of the first message sample that normally reaches the protected server, among the obtained message samples whose source IP addresses belong to the geographic area, as the TTL reference value with which messages in the geographic area reach the protected server; and
According to the current TTLs of the obtained message samples whose source IP addresses belong to the geographic area, to determine the TTLs whose value is not greater than the TTL reference value and the TTLs whose value is not less than the TTL reference value; to take the smallest of the TTLs not greater than the TTL reference value as the minimum TTL with which messages in the geographic area reach the protected server, and to take the largest of the TTLs not less than the TTL reference value as the maximum TTL with which messages in the geographic area reach the protected server.
That is, the device for identifying false source attacks provided by this embodiment can, when it is determined that no attack is triggered on the protected server, learn the TTL threshold ranges with which messages in each geographic area reach the protected server, and accordingly establish the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server. Because the correspondence is obtained by sampling a large amount of data while no attack is triggered on the protected server, it is relatively accurate and can provide a reliable reference for identifying false source attacks. In addition, it should be noted that the learning process of the correspondence described in this embodiment can be carried out in real time or periodically; that is, once the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server has been established, it can still be updated in real time or at scheduled times afterwards, to ensure the accuracy of the data. Details are not repeated here.
Optionally, for any protected server, the obtained message samples whose source IP addresses belong to any geographic area and which normally reach the protected server may include:
Message samples reported to the protected server by each client in the geographic area; and/or,
Message samples reported to the protected server by a software probe deployed in the geographic area (for example, an Amazon cloud host located in the geographic area may be used).
That is, in any set learning period, besides using normal service messages as message samples to learn the TTL threshold ranges with which messages in each geographic area reach the protected server, the first unit can also learn the TTL threshold range with which messages in any geographic area reach the protected server from messages actively reported to the protected server by a software probe deployed in that geographic area, thereby improving the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server (this learning mode is especially suitable for scenarios in which the target server handles relatively little traffic, that is, where some geographic areas may have no traffic reaching the target server, so that TTL data for them cannot be learned).
Optionally, the device further includes a sharing unit (not shown in FIG. 3), used to, at the same time as or after the first unit determines the TTL threshold ranges with which messages in each geographic area reach any protected server, share the determined TTL threshold ranges with which messages in each geographic area reach the protected server with other protected servers, so that the other protected servers can obtain, by way of sharing, the TTL threshold data with which messages in each geographic area reach those other protected servers.
That is, the TTL distribution data learned by a single target server can be shared through the sharing unit. For example, multiple target servers can each share the TTLs they have learned individually, thereby building a cloud TTL shared library, so that more single target servers that have not learned TTLs can also obtain TTL data by way of sharing.
As can be seen from the above, reporting message samples to the protected server through a software probe deployed in any geographic area, and sharing the determined TTL threshold ranges with which messages in each geographic area reach the protected server with other protected servers, both serve to improve the established correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server, and can therefore provide a more comprehensive reference for identifying false source attacks.
An embodiment of the present invention provides a device for identifying false source attacks. When it is determined that an attack is triggered on the protected server, for each message reaching the protected server, the source IP address and current TTL of the message are extracted; according to the source IP address of the message, the correspondence between source IP addresses and geographic areas, and the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server, the TTL threshold range with which messages in the geographic area to which the message belongs reach the protected server is determined; it is then judged whether the current TTL of the message lies within the determined TTL threshold range, and if not, the client corresponding to the message is determined to be a false source. That is, without performing first-packet discarding or redirection on each message reaching the protected server, all messages can be identified, which not only avoids affecting the normal service operation of the server but also saves network resources and improves the efficiency of false source identification.
In addition, the device for identifying false source attacks provided by the embodiment of the present invention can also, when it is determined that no attack is triggered on the protected server, learn the TTL threshold ranges with which messages in each geographic area reach the protected server, and accordingly establish the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server. Because the correspondence is obtained by sampling a large amount of data while no attack is triggered on the protected server, it can provide a reliable reference for identifying false source attacks. Moreover, the established correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server can be improved by having a software probe deployed in any geographic area report message samples to the protected server, and by sharing the determined TTL threshold ranges with which messages in each geographic area reach the protected server with other protected servers; this provides a more comprehensive reference for identifying false source attacks and thereby improves the accuracy of false source identification.
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, an apparatus (device), or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, apparatus (device), and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing equipment to work in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, such that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment thus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims (12)

1. A method for identifying false source attacks, characterized in that the method includes:
If it is determined that an attack is triggered on a protected server, extracting, for each message reaching the protected server, the source IP address and current TTL of the message;
Determining the geographic area to which the message belongs according to the source IP address of the message and the set correspondence between source IP addresses and geographic areas;
Determining, according to the determined geographic area and the set correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server, the TTL threshold range with which messages in the determined geographic area reach the protected server;
Judging whether the current TTL of the message lies within the determined TTL threshold range, and if not, determining that the client corresponding to the message is a false source;
The correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server is obtained in the following way:
For any geographic area, in any set learning period in which no attack is triggered on the protected server, obtaining each message sample whose source IP address belongs to the geographic area and which normally reaches the protected server, together with the current TTL of each message sample;
Determining, according to the current TTL of each obtained message sample whose source IP address belongs to the geographic area and which normally reaches the protected server, the maximum and minimum TTL with which messages in the geographic area reach the protected server, and determining, according to the determined maximum and minimum TTL, the TTL threshold range with which messages in the geographic area reach the protected server;
Establishing the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server according to the determined TTL threshold ranges with which messages in each geographic area reach the protected server.
2. The method according to claim 1, characterized in that determining, according to the current TTL of each obtained message sample whose source IP address belongs to the geographic area and which normally reaches the protected server, the maximum and minimum TTL with which messages in the geographic area reach the protected server includes:
Taking the current TTL of the first message sample that normally reaches the protected server, among the obtained message samples whose source IP addresses belong to the geographic area, as the TTL reference value with which messages in the geographic area reach the protected server;
According to the current TTLs of the obtained message samples whose source IP addresses belong to the geographic area, determining the TTLs whose value is not greater than the TTL reference value and the TTLs whose value is not less than the TTL reference value; taking the smallest of the TTLs not greater than the TTL reference value as the minimum TTL with which messages in the geographic area reach the protected server, and taking the largest of the TTLs not less than the TTL reference value as the maximum TTL with which messages in the geographic area reach the protected server.
3. The method according to claim 1, characterized in that the correspondence between source IP addresses and geographic areas is obtained in the following way:
For any source IP address, determining the geographic area to which that source IP address belongs according to data provided by an IP address information library;
Establishing the correspondence between source IP addresses and geographic areas according to the determined geographic area to which each source IP address belongs.
4. The method according to claim 1, characterized in that the obtained message samples whose source IP addresses belong to the geographic area and which normally reach the protected server include:
Message samples reported to the protected server by each client in the geographic area; and/or
Message samples reported to the protected server by a software probe deployed in the geographic area.
5. The method according to claim 1, characterized in that the method further includes:
Sharing the determined TTL threshold ranges with which messages in each geographic area reach the protected server with other protected servers, so that the other protected servers can obtain, by way of sharing, the TTL threshold data with which messages in each geographic area reach those other protected servers.
6. The method as described in claim 1, characterized in that, at the same time as or after determining that the client corresponding to the message is a false source, the method further includes:
Discarding the message.
7. A device for identifying false source attacks, characterized in that the device includes:
An information acquisition unit, configured to, if it is determined that an attack on the protected server has been triggered, extract, for each message reaching the protected server, the source IP address and current TTL of the message;
A region positioning unit, configured to determine the geographic area to which the message belongs according to the source IP address of the message and the set correspondence between source IP addresses and geographic areas;
A false source judging unit, configured to determine, according to the determined geographic area and the set correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server, the TTL threshold range with which messages in the determined geographic area reach the protected server; and to judge whether the current TTL of the message lies within the determined TTL threshold range, and if not, to determine that the client corresponding to the message is a false source;
The device further includes a first unit, configured to establish the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server; the first unit includes:
A sample acquisition module, configured to, for any geographic area, within any set learning period during which no attack on the protected server is triggered, acquire each message sample whose source IP address belongs to that geographic area and which normally reaches the protected server, together with the current TTL of each message sample;
A threshold determination module, configured to determine, according to the current TTL of each acquired message sample whose source IP address belongs to that geographic area and which normally reaches the protected server, the maximum and minimum TTL with which messages in that geographic area reach the protected server, and to determine, according to the determined maximum and minimum TTL, the TTL threshold range with which messages in that geographic area reach the protected server;
A relationship establishing module, configured to establish, according to the determined TTL threshold range with which messages in each geographic area reach the protected server, the correspondence between geographic areas and the TTL threshold ranges of messages reaching the protected server.
8. The device as claimed in claim 7, characterized in that the threshold determination module is specifically configured to:
Take the current TTL of the first message sample that normally reaches the protected server, among the acquired message samples whose source IP addresses belong to that geographic area, as the TTL reference value with which messages in that geographic area reach the protected server;
According to the current TTL of each acquired message sample whose source IP address belongs to that geographic area, determine the TTLs whose value is not greater than the TTL reference value and the TTLs whose value is not less than the TTL reference value; take the minimum of the TTLs not greater than the TTL reference value as the minimum TTL with which messages in that geographic area reach the protected server, and take the maximum of the TTLs not less than the TTL reference value as the maximum TTL with which messages in that geographic area reach the protected server.
9. The device as claimed in claim 7, characterized in that the device further includes a second unit;
The second unit is configured to, for any source IP address, determine the geographic area to which that source IP address belongs according to the data provided by an IP address information library; and to establish the correspondence between source IP addresses and geographic areas according to the geographic area to which each source IP address is determined to belong.
10. The device as claimed in claim 7, characterized in that the acquired message samples whose source IP addresses belong to that geographic area and which normally reach the protected server include:
Message samples reported to the protected server by each client in that geographic area; and/or
Message samples reported to the protected server by software probes deployed in that geographic area.
11. The device as claimed in claim 7, characterized in that the device further includes a sharing unit, configured to:
Share the determined TTL threshold ranges with which messages in each geographic area reach the protected server with other protected servers, so that the other protected servers can obtain, by way of sharing, the TTL threshold data with which messages in each geographic area reach the other protected servers.
12. The device as claimed in claim 7, characterized in that the false source judging unit is further configured to discard the message at the same time as or after determining that the client corresponding to the message is a false source.
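The learning and judging steps of the claims above, as an added Python example that is not part of the patent text. The prefix table standing in for the IP address information library, the sample packets, the function names, the use of [minimum TTL, maximum TTL] directly as the threshold range, and the `None` verdict for a region with no learned range are assumptions.

```python
import ipaddress

# Constructed stand-in for the IP address information library (documentation prefixes).
REGION_PREFIXES = {
    "region-A": ipaddress.ip_network("192.0.2.0/24"),
    "region-B": ipaddress.ip_network("198.51.100.0/24"),
}

def region_of(src_ip):
    """Map a source IP to its geographic area, or None if the library has no entry."""
    addr = ipaddress.ip_address(src_ip)
    for region, net in REGION_PREFIXES.items():
        if addr in net:
            return region
    return None

def learn_ttl_ranges(samples):
    """Learning period (no attack triggered): build region -> (min_ttl, max_ttl).

    The first sample seen for a region is the TTL reference value and seeds both
    bounds, so the lower bound ends up as the smallest TTL <= reference and the
    upper bound as the largest TTL >= reference.
    """
    ranges = {}
    for src_ip, ttl in samples:
        region = region_of(src_ip)
        if region is None:
            continue
        lo, hi = ranges.get(region, (ttl, ttl))
        ranges[region] = (min(lo, ttl), max(hi, ttl))
    return ranges

def is_false_source(src_ip, ttl, ranges):
    """Attack period: True if the TTL lies outside the learned range of its region.

    Returns None when the region or its range is unknown (assumption: no verdict,
    since the claims do not cover that case).
    """
    region = region_of(src_ip)
    if region is None or region not in ranges:
        return None
    lo, hi = ranges[region]
    return not (lo <= ttl <= hi)

# Constructed learning samples (src_ip, TTL seen at the protected server), in arrival order.
LEARNING = [("192.0.2.10", 52), ("192.0.2.77", 50), ("192.0.2.31", 54),
            ("198.51.100.5", 113), ("198.51.100.9", 115)]
RANGES = learn_ttl_ranges(LEARNING)
```

A legitimate client whose initial TTL or route differs from every learning sample also falls outside the range, so the coverage of the learning period determines the false-positive rate.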
CN201510998006.7A 2015-12-25 2015-12-25 A kind of method and device of the false source attack of identification Active CN105577669B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510998006.7A CN105577669B (en) 2015-12-25 2015-12-25 A kind of method and device of the false source attack of identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510998006.7A CN105577669B (en) 2015-12-25 2015-12-25 A kind of method and device of the false source attack of identification

Publications (2)

Publication Number Publication Date
CN105577669A CN105577669A (en) 2016-05-11
CN105577669B true CN105577669B (en) 2018-09-21

Family

ID=55887326

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510998006.7A Active CN105577669B (en) 2015-12-25 2015-12-25 A kind of method and device of the false source attack of identification

Country Status (1)

Country Link
CN (1) CN105577669B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106375207A (en) * 2016-09-05 2017-02-01 上海斐讯数据通信技术有限公司 Time exceeded message control method and system based on SDN (Software Defined Network)
WO2019021402A1 (en) * 2017-07-26 2019-01-31 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Communication device, communication method, and communication system
CN112398741B (en) * 2019-08-15 2023-09-05 华为技术有限公司 Method for learning routing, method for forwarding message, equipment and storage medium
EP4016941A4 (en) 2019-08-15 2022-11-23 Huawei Technologies Co., Ltd. Method for learning routing, method for forwarding report, device, and storage medium
CN111200611B (en) * 2020-01-06 2021-02-23 清华大学 Method and device for verifying intra-domain source address based on boundary interface equivalence class
CN114785876A (en) * 2022-04-07 2022-07-22 湖北天融信网络安全技术有限公司 Message detection method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582833A (en) * 2008-05-15 2009-11-18 成都市华为赛门铁克科技有限公司 Method and device for processing spoofed IP data packet
US7673032B1 (en) * 2000-06-09 2010-03-02 Resource Consortium Limited Determining the geographic location of a network device
CN101674312A (en) * 2009-10-19 2010-03-17 中兴通讯股份有限公司 Method for preventing source address spoofing in network transmission and device thereof
CN102281295A (en) * 2011-08-06 2011-12-14 黑龙江大学 Method for easing distributed denial of service attacks
CN104125242A (en) * 2014-08-18 2014-10-29 北京阅联信息技术有限公司 Protection method and protection device capable of recognizing DDOS (distributed denial of service) attacks camouflaged as LDNS (local domain name server) requests
CN104348794A (en) * 2013-07-30 2015-02-11 深圳市腾讯计算机系统有限公司 Network layer DDOS (Distributed Denial of Service) attack source identification method, device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100925176B1 (en) * 2007-09-21 2009-11-05 한국전자통신연구원 Apparatus and method for visualizing network state by using geographic information

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7673032B1 (en) * 2000-06-09 2010-03-02 Resource Consortium Limited Determining the geographic location of a network device
CN101582833A (en) * 2008-05-15 2009-11-18 成都市华为赛门铁克科技有限公司 Method and device for processing spoofed IP data packet
CN101674312A (en) * 2009-10-19 2010-03-17 中兴通讯股份有限公司 Method for preventing source address spoofing in network transmission and device thereof
CN102281295A (en) * 2011-08-06 2011-12-14 黑龙江大学 Method for easing distributed denial of service attacks
CN104348794A (en) * 2013-07-30 2015-02-11 深圳市腾讯计算机系统有限公司 Network layer DDOS (Distributed Denial of Service) attack source identification method, device and system
CN104125242A (en) * 2014-08-18 2014-10-29 北京阅联信息技术有限公司 Protection method and protection device capable of recognizing DDOS (distributed denial of service) attacks camouflaged as LDNS (local domain name server) requests

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
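Measurements of the Internet Topology in the Asia-Pacific Region; Bradley Huffaker et al.; 《http://www.isoc.org/inet2000/cdproceedings/8e/8e_3.htm》; 20000721; full text *
Research on DDoS Attack Defense Methods Based on IP Address Detection; 陈曦; 《中国优秀硕士学位论文全文数据库 信息科技辑》; 20090115; full text *
A Method for Detecting Source-Address-Spoofed Packets Based on TTL Value Anomalies; 荀宝铖 et al.; 《计算机应用研究》; 20061231 (No. 12); full text *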

Also Published As

Publication number Publication date
CN105577669A (en) 2016-05-11

Similar Documents

Publication Publication Date Title
CN105577669B (en) A kind of method and device of the false source attack of identification
US10673874B2 (en) Method, apparatus, and device for detecting e-mail attack
CN108551446B (en) Anti-attack SYN message processing method and device, firewall and storage medium
US8881281B1 (en) Application and network abuse detection with adaptive mitigation utilizing multi-modal intelligence data
CN109194680B (en) Network attack identification method, device and equipment
JP6026789B2 (en) Node device for preventing overflow of pending table in name-based network system, and device and method for preventing overflow
US20140189867A1 (en) DDoS ATTACK PROCESSING APPARATUS AND METHOD IN OPENFLOW SWITCH
CN109922072B (en) Distributed denial of service attack detection method and device
CN106657126B (en) The device and method of detection and defending DDoS (Distributed Denial of Service) attacks
CN110166480B (en) Data packet analysis method and device
CN110266650B (en) Identification method of Conpot industrial control honeypot
CN111212096B (en) Method, device, storage medium and computer for reducing IDC defense cost
CN106357660B (en) Method and device for detecting forged source IP in DDOS defense system
CN105812318B (en) For preventing method, controller and the system of attack in a network
CN103051605A (en) Data packet processing method, device and system
CN106534068A (en) Method and device for cleaning forged source IP in DDOS (Distributed Denial of Service) defense system
CN110213254A (en) A kind of method and apparatus that Internet protocol IP packet is forged in identification
CN107241304A (en) A kind of detection method and device of DDos attacks
CN110365658A (en) A kind of protection of reflection attack and flow cleaning method, apparatus, equipment and medium
CN114338120B (en) Method, device, medium and electronic equipment for detecting sweep attack
Darwish et al. Vulnerability Assessment and Experimentation of Smart Grid DNP3.
CN107454065A (en) A kind of means of defence and device of UDP Flood attacks
KR20110140063A (en) Method for detecting ip shared router and system thereof
CN102932373A (en) Zombie network detection method and device
CN108769055A (en) A kind of falseness source IP detection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.

CP01 Change in the name or title of a patent holder