CN106534068A - Method and device for cleaning forged source IP in DDOS (Distributed Denial of Service) defense system - Google Patents


Info

Publication number: CN106534068A
Authority: CN (China)
Prior art keywords: message, jumping, source, address, detected
Legal status: Granted (currently active)
Application number: CN201610867555.5A
Other languages: Chinese (zh)
Other versions: CN106534068B (en)
Inventor: 王辉
Current assignee: Guangzhou Huaduo Network Technology Co Ltd
Original assignee: Guangzhou Huaduo Network Technology Co Ltd
Application filed by Guangzhou Huaduo Network Technology Co Ltd
Priority to CN201610867555.5A
Publication of CN106534068A
Application granted; publication of CN106534068B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Abstract

The invention discloses a method and a device for cleaning forged source IPs in a DDOS (Distributed Denial of Service) defense system. The method comprises the following steps: the packet flow whose destination address is a target server is detected; when the packet flow exceeds a set threshold, a preset number of packets are intercepted from the flow as packets to be detected; the source IP address and the time-to-live (TTL) value of one packet to be detected are acquired, and the number of hops the packet has traversed through network nodes is calculated from the TTL value; a local data table is queried for the hop set corresponding to the source IP address, and when the hop count does not belong to that hop set the packet is discarded, so that it never reaches the target server. In this way forged traffic can be cleaned effectively and accurately.

Description

Method and apparatus for cleaning forged source IPs in a DDoS defense system
Technical field
The present invention relates to the field of network security, and in particular to a method and apparatus for cleaning forged source IPs in a DDoS defense system.
Background technology
A distributed denial of service (DDoS) attack is one in which an attacker causes a large volume of network traffic to pour into the target simultaneously, producing network congestion, resource exhaustion or even a crash on the target host, so that the target host can no longer provide service.
DDoS attacks are typically carried out by generating large volumes of traffic with attack software or application software running on botnets and proxy servers. Forging the source IP is a commonly used technique in such attacks, for several reasons: (1) it evades monitoring and tracing; (2) it prevents the target host's responses to the attack data from putting pressure on the attacking host; (3) it also makes reflection attacks possible, which are extremely powerful.
A DDoS defense system exists precisely to detect and clean this abnormal traffic so that the attacked host can keep providing service. In such a system, source IP identification and the associated statistics are the usual basis for traffic cleaning. For example: (1) whether a source IP matches a whitelist or a malicious list decides whether it is passed; (2) to defend against SYN flood attacks, SYN cookies must be computed, or first-SYN-drop / SYN proxy techniques applied, and a large session table maintained; (3) in HTTP applications, a source IP that accesses too frequently, generates excessive traffic or behaves maliciously is blocked or rate limited; (4) reverse DNS lookups on crawler source IPs distinguish genuine search-engine crawlers (Google, Baidu, etc.) from fake ones, avoiding crawler DDoS attacks.
In the course of such DDoS defense, a large number of forged source IPs can cause attack traffic to bypass the defense system, or put immense pressure on it:
(1) a forged source IP that happens to hit the whitelist may pass straight through the DDoS defense system without being blocked;
(2) the signature of forged-source-IP attack traffic is many attack packets but very few packets belonging to the same source IP or the same flow; in most cases a source IP has only one packet, so cleaning algorithms based on statistics or flow analysis cannot work effectively and the cleaning result is poor;
(3) the enormous number of forged source IPs appearing in a short time means that maintaining source IP statistics tables and session tables and computing SYN cookies consumes a great deal of the defense system's resources, which in itself is a challenge for the defense system.
Summary of the invention
In view of the above problems, the present invention proposes a method and system for cleaning forged source IPs in a DDoS defense system, which helps to clean forged traffic effectively and accurately.
An embodiment of the present invention provides a method for cleaning forged source IPs in a DDoS defense system, comprising:
detecting the packet flow whose destination address is the target server;
when the packet flow exceeds a set threshold, intercepting a predetermined number of packets from the flow as packets to be detected;
obtaining the source IP address and TTL value of one of the packets to be detected, and calculating from the TTL value the number of hops the packet has traversed through network nodes;
querying a local data table for the hop set corresponding to the source IP address, and when the hop count does not belong to that hop set, discarding the packet so that it does not reach the target server.
Preferably, the step of calculating from the TTL value the hop count of the packet to be detected comprises:
from among the system initial settings of packet TTL, choosing the one that is greater than and closest to the TTL value as the initial value of the packet to be detected;
subtracting the TTL value from that initial value to obtain the number of hops the packet has traversed through network nodes.
Preferably, the local data table contains at least IP address ranges made up of contiguous IP addresses and the hop set corresponding to each range, and the step of querying the local data table for the hop set corresponding to the source IP address comprises:
arranging the IP address ranges in ascending or descending order in the local data table;
obtaining the corresponding hop set according to the IP address range to which the source IP address belongs.
Preferably, after the step of querying the local data table for the hop set corresponding to the source IP address, the method further comprises:
when the hop count belongs to the hop set and the packet to be detected is judged to satisfy the target server's preset screening conditions, forwarding the packet to the target server.
Preferably, after the step of querying the local data table for the hop set corresponding to the source IP address, the method further comprises:
when the source IP address is not found in the local data table, or the hop set found is empty, sending a reverse probe packet to the source IP address;
if a response from the source IP address to the reverse probe packet is received, calculating the hop count from the TTL value of the response packet and adding that hop count to the hop set corresponding to the source IP address, for the query of the next packet to be detected;
if no response from the source IP address to the reverse probe packet is received, adding the hop count calculated for the packet to be detected to the hop set corresponding to the source IP address, for the query of the next packet to be detected.
Correspondingly, an embodiment of the present invention provides a device for cleaning forged source IPs in a DDoS defense system, comprising:
a traffic monitoring unit, for detecting the packet flow whose destination address is the target server;
a traffic diversion unit, for intercepting a predetermined number of packets from the flow as packets to be detected when the packet flow exceeds a set threshold;
a hop count calculation unit, for obtaining the source IP address and TTL value of one of the packets to be detected and calculating from the TTL value the number of hops the packet has traversed through network nodes;
a judging and cleaning unit, for querying the local data table for the hop set corresponding to the source IP address and, when the hop count does not belong to that hop set, discarding the packet so that it does not reach the target server.
Preferably, the hop count calculation unit comprises:
an initial value estimation unit, for choosing, from among the system initial settings of packet TTL, the one that is greater than and closest to the TTL value as the initial value of the packet to be detected;
a hop count estimation unit, for subtracting the TTL value from that initial value to obtain the number of hops the packet has traversed through network nodes.
Preferably, the local data table contains at least IP address ranges made up of contiguous IP addresses and the hop set corresponding to each range, and the judging and cleaning unit comprises:
an IP range arrangement unit, for arranging the IP address ranges in ascending or descending order in the local data table;
an ownership query unit, for obtaining the corresponding hop set according to the IP address range to which the source IP address belongs.
Preferably, the device further comprises a judging and forwarding unit and/or a reverse probe unit:
the judging and forwarding unit forwards the packet to be detected to the target server when the hop count belongs to the hop set and the packet is judged to satisfy the target server's preset screening conditions;
the reverse probe unit sends a reverse probe packet to the source IP address when the source IP address is not found in the local data table or the hop set found is empty;
the reverse probe unit is also connected to the local data table: if a response from the source IP address to the reverse probe packet is received, it calculates the hop count from the TTL value of the response packet and adds that hop count to the hop set corresponding to the source IP address, for the query of the next packet to be detected; if no response is received, it adds the hop count calculated for the packet to be detected to the hop set corresponding to the source IP address, for the query of the next packet to be detected.
Correspondingly, an embodiment of the present invention further provides a DDoS defense system comprising a switch, a cleaning device and a detection device. The cleaning device includes the device for cleaning forged source IPs described above, and the detection device includes the local data table. The switch is connected to the target server and forwards packets whose destination address is the target server; the cleaning device is connected in parallel with the switch and diverts packets whose destination address is the target server; the detection device is connected between the switch and the cleaning device, detects packets whose destination address is the target server, and generates the local data table used by the cleaning device for cleaning.
Compared with the prior art, the solution provided by the present invention detects the packet flow whose destination address is the target server and, when that flow exceeds a set threshold, intercepts a predetermined number of packets from the flow as packets to be detected. Traffic detection can be performed by analysing, detecting and counting the ingress traffic mirrored from the core switch, to judge whether the protected server is under attack; if an attack is found, a predetermined portion of the traffic destined for the target server is intercepted by traffic diversion. The traffic is then counted, analysed and identified: the source IP address and TTL value of one of the packets to be detected are obtained, and the number of hops the packet has traversed through network nodes is calculated from the TTL value; the local data table is queried for the hop set corresponding to the source IP address, and when the hop count does not belong to that hop set the packet is discarded so that it does not reach the target server. The abnormal traffic is thereby cleaned, and the normal traffic can finally be re-injected into the core switch so that it reaches the server over the normal path. This scheme detects forged source IPs on the basis of the TTL value in the IP header. Its principle is that the wired network topology, the core network nodes and the host locations are relatively stable, so the number of hops a packet passes through (embodied in the TTL value) reflects the relative logical position of each node of the network service: the hop count, the node of the source IP address and the node of the target server are strongly correlated, and within a given period the hop count of packets tends to be stable and does not follow a simple linear rule. It is easy for an attacker to forge a source IP, but it is difficult to obtain the network topology between the forged attack source IP and the target server, and practically impossible to obtain the network topology between a large number of attack source IPs and the target server. Therefore the present invention recognises whether a source IP is forged on the basis of the source IP address together with its hop set, rather than simply on the basis of source IP and TTL, and so cleans forged traffic effectively and accurately.
Additional aspects and advantages of the present invention will be set forth in part in the description that follows, will become apparent from that description, or will be learned through practice of the invention.
Description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for cleaning forged source IPs in a DDoS defense system according to the present invention.
Fig. 2 is a flow chart of an embodiment of the method for cleaning forged source IPs in a DDoS defense system according to the present invention.
Fig. 3 is a schematic diagram of a device for cleaning forged source IPs in a DDoS defense system according to the present invention.
Fig. 4 is a schematic diagram of an embodiment of the device for cleaning forged source IPs in a DDoS defense system according to the present invention.
Fig. 5 is a schematic diagram of a DDoS defense system according to the present invention.
Detailed description
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings.
Some of the flows described in the specification, the claims and the drawings above contain a number of operations that occur in a particular order, but it should be clearly understood that these operations need not be performed in the order in which they appear here and may be executed in parallel. Sequence numbers of operations such as 101 and 102 serve only to distinguish the different operations; the numbering itself does not imply any order of execution. These flows may also contain more or fewer operations, and these operations may be executed in sequence or in parallel. It should be noted that terms such as "first" and "second" are used here to distinguish different packets, devices, modules and so on; they do not imply an order, and do not require "first" and "second" to be of different types.
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the invention.
Fig. 1 is a flow chart of a method for cleaning forged source IPs in a DDoS defense system according to the present invention, comprising:
S101: detecting the packet flow whose destination address is the target server;
S102: when the packet flow exceeds a set threshold, intercepting a predetermined number of packets from the flow as packets to be detected;
S103: obtaining the source IP address and TTL value of one of the packets to be detected, and calculating from the TTL value the number of hops the packet has traversed through network nodes;
S104: querying the local data table for the hop set corresponding to the source IP address and, when the hop count does not belong to that hop set, discarding the packet so that it does not reach the target server.
Compared with the prior art, the solution provided by the present invention detects the packet flow whose destination address is the target server and, when that flow exceeds a set threshold, intercepts a predetermined number of packets from the flow as packets to be detected. Traffic detection can be performed by analysing, detecting and counting the ingress traffic mirrored from the core switch, to judge whether the protected server is under attack; if an attack is found, a predetermined portion of the traffic destined for the target server is intercepted by traffic diversion. The number of packets intercepted can be chosen according to the cleaning efficiency, or it can be the portion exceeding the predetermined threshold. The traffic is then counted, analysed and identified: the source IP address and TTL value of one of the packets to be detected are obtained, and the number of hops the packet has traversed through network nodes is calculated from the TTL value; the local data table is queried for the hop set corresponding to the source IP address, and when the hop count does not belong to that hop set the packet is discarded so that it does not reach the target server. The abnormal traffic is thereby cleaned, and the normal traffic can finally be re-injected into the core switch so that it reaches the server over the normal path.
For example, in IPv4 the TTL (Time To Live) is an 8-bit field in the IP protocol header. Its value is regarded as the upper limit on the number of hops a packet may make through the Internet. The TTL initial values of mainstream operating systems are 32, 64, 128 and 255, and the hop count of a typical communication is less than 30. The TTL is set by the sender of the packet; on the way to the destination, the value is decreased by one at every host or device passed. If the TTL value reaches 0 before the packet arrives at its destination, the packet is discarded and an ICMP error is returned.
This scheme detects forged source IPs on the basis of the TTL value in the IP header. Its principle is that the wired network topology, the core network nodes and the host locations are relatively stable, so the number of hops a packet passes through (embodied in the TTL value) largely reflects the relative logical position of each node of the network service: the hop count, the node of the source IP address and the node of the target server are strongly correlated, and within a given period the hop count of packets tends to be stable and does not follow a simple linear rule. It is easy for an attacker to forge a source IP, but it is difficult to obtain the network topology between the forged attack source IP and the target server, and practically impossible to obtain the network topology between a large number of attack source IPs and the target server.
Because the attacker does not know the exact hop count from the real location of the randomly chosen attack source IP to the target server, whereas this scheme can learn the real hop count between the two by reverse probing or active learning, a packet whose calculated hop count is inconsistent with the learned hop count is judged to be an attack packet and is discarded.
Therefore the present invention recognises whether a source IP is forged on the basis of the source IP address together with its hop set, rather than by simple matching on source IP and TTL, and so cleans forged traffic effectively and accurately.
To obtain the packet hop count more accurately, the step of calculating from the TTL value the number of hops the packet to be detected has traversed through network nodes comprises:
from among the system initial settings of packet TTL, choosing the one that is greater than and closest to the TTL value as the initial value of the packet to be detected;
subtracting the TTL value from that initial value to obtain the number of hops the packet has traversed through network nodes.
It should be added that, in general, the hop set for a source IP address in the local data table contains hop counts between the source IP and the target server, whereas the preferred hop calculation above only yields the hop count between the source IP address and the network node that intercepts the packet, because, to avoid affecting the target server, the calculation must take place before the packet reaches the target server. The hop count between the intercepting network node and the target server must therefore also be taken into account: for example, if the packet is intercepted at the access switch level in front of the target server, there is a one-hop difference between the access switch level and the target server.
To look up the source IP address more quickly, the local data table contains at least IP address ranges made up of contiguous IP addresses and the hop set corresponding to each range, and the step of querying the local data table for the hop set corresponding to the source IP address comprises:
arranging the IP address ranges in ascending or descending order in the local data table;
obtaining the corresponding hop set according to the IP address range to which the source IP address belongs.
In theory there are about 4 billion source IPs. Recording the relation between individual source IPs and hop counts, or between IPs and TTLs, directly would produce an enormous data volume that cannot be loaded into memory; lookups and comparisons would be slow, and a great many source IPs would need reverse probing, which is impractical in engineering. Analysis of source IPs in IP databases and probing of their hop counts shows that the IPs belonging to the same region and operator are usually contiguous, and that the hop counts from these contiguous source IPs to the same target server are usually relatively fixed. Therefore the present invention records neither the relation between source IP and hop count nor the relation between IP and TTL directly, but the relation between source IP ranges and hop counts. An IP range is the aggregation of the IPs in the IP database that share the same region and operator; during subsequent learning and probing, a range can also be split according to the actual probe information, to describe the hop count of particular IP addresses or sub-ranges. For example, suppose the operator's IP address range 119.33.110.01 to 119.33.180.33 is known to have a hop count of 18, but reverse probing shows that the sub-range 119.33.180.5 to 119.33.180.12 within it has a hop count of 20. The hop set entry (119.33.110.01-119.33.180.33, 18) in the local data table can then be split into three entries: (119.33.110.01-119.33.180.4, 18), (119.33.180.5-119.33.180.12, 20) and (119.33.180.13-119.33.180.33, 18). When the source IP is 119.33.120.11, a comparison of address values quickly finds that the range it belongs to is 119.33.110.01-119.33.180.4, and the hop count in the corresponding hop set is 18.
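The range-keyed local data table described above, as an added example that is not part of the patent: ranges are kept sorted by start address so that a source IP is located by binary search, and a reverse-probe finding for a sub-range splits the enclosing entry exactly as in the 119.33.x.x example (the page writes 119.33.110.01; the code uses the equivalent 119.33.110.1, since leading zeros are not valid in dotted-quad parsing).

```python
import bisect
import ipaddress


class HopRangeTable:
    """Local data table: contiguous IPv4 ranges, each mapped to the set of hop
    counts observed from that range toward one target server. Entries are held
    in ascending order of range start so lookups are O(log n) comparisons."""

    def __init__(self):
        self.starts = []   # integer start address of each range, ascending
        self.rows = []     # (start, end, set_of_hops), parallel to `starts`

    @staticmethod
    def _ip(addr):
        return int(ipaddress.IPv4Address(addr))

    def _insert(self, start, end, hops):
        i = bisect.bisect_left(self.starts, start)
        self.starts.insert(i, start)
        self.rows.insert(i, (start, end, set(hops)))

    def add(self, first, last, hops):
        """Record that addresses first..last (inclusive) reach the target in `hops`."""
        self._insert(self._ip(first), self._ip(last), hops)

    def lookup(self, addr):
        """Hop set of the range containing `addr`, or None if the address is unknown."""
        x = self._ip(addr)
        i = bisect.bisect_right(self.starts, x) - 1
        if i < 0:
            return None
        start, end, hops = self.rows[i]
        return hops if start <= x <= end else None

    def refine(self, first, last, hops):
        """Apply a probe result for a sub-range: split the enclosing entry so the
        sub-range carries its own hop set while the remainder keeps the old one.
        A sub-range with no enclosing entry is simply added as a new range."""
        start, end = self._ip(first), self._ip(last)
        i = bisect.bisect_right(self.starts, start) - 1
        if i < 0 or not (self.rows[i][0] <= start and end <= self.rows[i][1]):
            self._insert(start, end, hops)
            return
        old_start, old_end, old_hops = self.rows[i]
        del self.starts[i]
        del self.rows[i]
        if old_start < start:                       # piece before the sub-range
            self._insert(old_start, start - 1, old_hops)
        self._insert(start, end, hops)              # the probed sub-range itself
        if end < old_end:                           # piece after the sub-range
            self._insert(end + 1, old_end, old_hops)

    def ranges(self):
        """Readable view of the table: [(first, last, sorted hop list), ...]."""
        return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e)), sorted(h))
                for s, e, h in self.rows]


def page_example():
    """Constructed reproduction of the text's walk-through: one operator range at
    18 hops, a probed sub-range at 20 hops, then a lookup of 119.33.120.11."""
    table = HopRangeTable()
    table.add("119.33.110.1", "119.33.180.33", {18})
    table.refine("119.33.180.5", "119.33.180.12", {20})
    return table
```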
Fig. 2 is a flow chart of an embodiment of the method for cleaning forged source IPs in a DDoS defense system according to the present invention:
S201: detecting the packet flow whose destination address is the target server;
S202: when the packet flow exceeds a set threshold, intercepting a predetermined number of packets from the flow as packets to be detected;
S203: obtaining the source IP address and TTL value of one of the packets to be detected, and calculating from the TTL value the number of hops the packet has traversed through network nodes;
querying the local data table for the hop set corresponding to the source IP address;
S204: when the hop count does not belong to that hop set, discarding the packet to be detected so that it does not reach the target server;
S205: when the hop count belongs to the hop set and the packet to be detected is judged to satisfy the target server's preset screening conditions, forwarding the packet to the target server;
S206: when the source IP address is not found in the local data table, or the hop set found is empty, sending a reverse probe packet to the source IP address.
If a response from the source IP address to the reverse probe packet is received, the hop count is calculated from the TTL value of the response packet and added to the hop set corresponding to the source IP address, for the query of the next packet to be detected;
if no response from the source IP address to the reverse probe packet is received, the hop count calculated for the packet to be detected is added to the hop set corresponding to the source IP address, for the query of the next packet to be detected.
Through the reverse probing described above, the hop sets can be trained continuously, further improving the accuracy with which packets to be detected are screened. Preferably, the hop sets stored in the local data table are as shown in the following table:
For example, when the source IP of the packet to be detected is IP1 and its hop count, say 14, belongs to the hop set, and the packet is judged to satisfy the target server's preset screening conditions (for example, the source IP is not in the target server's own screening blacklist), the packet can be forwarded to the target server.
For example, when the source IP of the packet to be detected is IP5 and it is not found in the local data table, or the hop set found is empty, a reverse probe packet is sent to the source IP address.
For example, when the source IP of the packet to be detected is IP1, a reverse probe packet is sent to the source IP address. If a response to the reverse probe packet is received from the source IP address, the hop count is calculated from the TTL value of the response packet, say 13, and added to the hop set corresponding to the source IP address for the query of the next packet to be detected. Learning from the calculation over 1000 packets to be detected shows that among these 1000 packets the hop counts and their probability distribution are (15, 80%), (14, 5%) and (13, 5%), and sending 10 reverse probe packets likewise yields hop counts of 15 and 14. The hop set of IP1 is therefore known to be fairly accurate, and its credibility is set to 1. Credibility can also serve as one of the target server's preset screening conditions: when the traffic approaches the limit the target server can bear, the screening condition can be set so that only packets to be detected whose source has credibility 1 are admitted to the target server.
For example, when the source IP of the packet to be detected is IP2, a reverse probe packet is sent to the source IP address. If no response to the reverse probe packet is received from the source IP address, the hop count calculated for the packet to be detected is added to the hop set corresponding to the source IP address for the query of the next packet. Learning from 17 packets to be detected gives the hop set (17, 80%), (18, 20%); but after one reverse probe packet is sent and no response at all is received, the credibility of this hop set is set to 0.5.
Fig. 3 is a schematic diagram of a device for cleaning forged source IPs in a DDOS defense system according to the invention, comprising:
a traffic monitoring unit, for monitoring the packet traffic whose destination address is the destination server;
a traffic diversion unit, for intercepting a preset number of packets from the traffic as packets to be detected when the packet traffic exceeds a set threshold;
a hop count computing unit, for obtaining the source IP address and TTL value of one of the packets to be detected and calculating from that TTL value the hop count of the network nodes traversed by the packet;
a judgement-and-cleaning unit, for looking up the hop count set corresponding to the source IP address in the local data table and, when the hop count does not belong to the hop count set, discarding the packet to be detected so that it does not reach the destination server.
Fig. 3 corresponds to Fig. 1; the embodiments of the units in the figure are the same as in the method.
Preferably, the hop count computing unit comprises:
an initial value estimation unit, for choosing, from among the system initial settings of packet time to live, the one that is greater than and closest to the TTL value as the packet initial value of the packet to be detected;
a hop count estimation unit, for subtracting the TTL value from the packet initial value to obtain the hop count of the network nodes traversed by the packet to be detected.
Preferably, the local data table contains at least IP address ranges made up of consecutive IP addresses and the hop count set corresponding to each IP address range, and the judgement-and-cleaning unit comprises:
an IP range sorting unit, for arranging the IP address ranges in ascending or descending order in the local data table;
an ownership query unit, for obtaining the corresponding hop count set according to the IP address range to which the source IP address belongs.
Fig. 4 is a schematic diagram of an embodiment of the device for cleaning forged source IPs in a DDOS defense system according to the invention.
As shown in Fig. 4, the device further comprises a judgement-and-forwarding unit and/or a reverse probe unit;
the judgement-and-forwarding unit, for forwarding the packet to be detected to the destination server when the hop count belongs to the hop count set and the packet to be detected is judged to meet the preset screening condition of the destination server;
the reverse probe unit, for sending a reverse probe packet to the source IP address when the source IP address is not found in the local data table or the hop count set found is empty;
the reverse probe unit is also connected to the local data table: if a response from the source IP address to the reverse probe packet is received, the hop count is calculated from the TTL value of the response and added to the hop count set corresponding to the source IP address for the lookup of the next packet to be detected; if no response from the source IP address to the reverse probe packet is received, the hop count of the network nodes traversed by the packet to be detected is added to the hop count set corresponding to the source IP address for the lookup of the next packet to be detected.
Fig. 4 corresponds to Fig. 2; the embodiments of the units in the figure are the same as in the method.
Fig. 5 is a schematic diagram of a DDOS defense system according to the invention, comprising a switch, a cleaning device and a detection device, wherein the cleaning device comprises the device for cleaning forged source IPs in a DDOS defense system described above, and the detection device comprises the local data table. The switch is connected to the destination server and forwards packets whose destination address is the destination server; the cleaning device is connected in parallel with the switch and diverts packets whose destination address is the destination server; the detection device is connected between the switch and the cleaning device, monitors packets whose destination address is the destination server, and generates the local data table for the cleaning device to clean with.
The concrete processing procedure is:
<1> When the detection device judges that no attack is taking place, it starts the learning and probing logic for (IP range, hop count);
<2> Each mirrored packet is analysed; if the packet shows nothing abnormal, it enters the learning process, and if the packet carries a specific protocol fingerprint, the confidence of this learning step can be higher. A specific protocol fingerprint means a packet sent by the software vendor's server of a copyrighted piece of software;
<3> The learning process first extracts the source IP and TTL of each packet, then estimates the hop count from the TTL. Mainstream operating systems use initial TTL values of 32, 64, 128 and 255, and an ordinary communication path traverses fewer than 30 hops, so the initial TTL is deduced as the closest initial value above the current TTL; subtracting the current TTL from the initial TTL gives the hop count D1 from the source IP to the destination server A;
<4> The local data table is queried with the source IP to obtain the IP range it belongs to, its hop count set, its learning and probing information, its confidence and so on, and the hop count D1 is compared with the hop count set in the local data table. If no learning or probing has been done before, this record is empty;
<5> According to the number of times learned and probed, the confidence, the result of the hop count comparison and the pre-configured policy, it is decided whether probing needs to continue. If this sample can be determined to be obviously wrong, it is discarded; if it is determined to be valid, jump to <10> and update the local data table; if probing needs to continue, a probe task is submitted to the probing module;
<6> The probing module sends ping or TCP SYN reverse probe packets to the source IP according to the submitted source IP, port and other information;
<7> If the source IP responds to the reverse probe packet, a response packet is received, and the hop count D2 from the source IP to the detection device is calculated;
<8> D1 and D2 are compared; if they deviate by 1, D1 is considered valid. If the error between D1 and D2 is larger, the network difference between the IP of the detection device and destination server A (for example, whether they are on different operators) must be consulted for correction, and whether D1 is valid is judged from the corrected result. If D1 is judged valid, jump to <10> and update the local data table; otherwise discard it;
<9> If the source IP does not respond to the probe traffic, it is also possible to jump to <10> and update the local data table; the difference is that the confidence is relatively low, and only repeated valid learning (for example, with a specific protocol fingerprint) gradually raises its confidence;
<10> The record in the local data table is updated: the learning and probing counts are modified, the confidence is changed, and the hop count set and its probability distribution are optimised. If this IP is clearly different from the other IPs in its IP range, it is split out and recorded individually;
<11> During probing, whether or not the source IP returns a response packet, some IPs adjacent to the source IP may be selected as probe targets according to the learning situation recorded in the local data table, the configured policy and the load of the probing module, repeating the process of <6>;
<12> In short, learning and probing form an artificial-intelligence-like process of prioritising, verifying and iterating; as the program runs, the recorded results become ever more accurate.
The cleaning process is:
<1> During cleaning, the hop count is first deduced from the TTL value carried in the packet;
<2> then the local data table is queried with the source IP to obtain the IP range it belongs to, the distribution of its hop count set, its confidence and other information;
<3> whether the source IP is a definitely forged source IP or a real source IP is judged from the information looked up.
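The hop-count estimation of learning step <3>, the lookup table of sorted IP ranges, the learning update of steps <5> to <10> and the cleaning decision of steps <1> to <3> above (including the IP1, IP2 and IP5 cases in the earlier examples), as an added Python example that is not part of the patent or of any product of the applicant; the IP ranges, TTL values, hop counts and confidence values are constructed, and the cross-operator correction of step <8> is left out.

```python
import bisect
import ipaddress
from collections import Counter

# Initial TTL values of mainstream operating systems, as listed in learning step <3>.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(ttl):
    """Hops traversed: the closest initial TTL not below the observed TTL, minus the observed TTL."""
    for init in INITIAL_TTLS:
        if init >= ttl:
            return init - ttl
    raise ValueError("a TTL above 255 is not a valid IPv4 TTL")


class LocalDataTable:
    """Non-overlapping IP ranges kept in ascending order; each range carries a hop-count
    multiset (the basis of the probability distribution), a confidence, and learning
    and probing counters. Constructed for this example, not the patent's data layout."""

    def __init__(self):
        self._starts = []    # integer first address of each range, ascending
        self._records = []   # record stored at the same index as its first address

    def add_range(self, cidr, hops=(), confidence=0.0):
        net = ipaddress.ip_network(cidr, strict=False)
        rec = {"net": net, "hops": Counter(hops), "confidence": confidence,
               "learned": 0, "probed": 0}
        i = bisect.bisect_left(self._starts, int(net.network_address))
        self._starts.insert(i, int(net.network_address))
        self._records.insert(i, rec)
        return rec

    def lookup(self, ip):
        """Binary search for the range whose first address is the largest one <= ip."""
        addr = ipaddress.ip_address(ip)
        i = bisect.bisect_right(self._starts, int(addr)) - 1
        if i >= 0 and addr in self._records[i]["net"]:
            return self._records[i]
        return None


def distribution(rec):
    """Hop-count probability distribution of a record, e.g. {15: 0.8, 14: 0.1, 13: 0.1}."""
    total = sum(rec["hops"].values())
    return {h: n / total for h, n in rec["hops"].items()} if total else {}


def clean(table, src_ip, ttl, min_confidence=0.0):
    """Cleaning steps <1>-<3>: return 'drop', 'forward' or 'probe' for one packet.
    min_confidence is the optional screening condition; set it to 1.0 when the
    destination server is close to the load it can bear."""
    hops = hop_count(ttl)
    rec = table.lookup(src_ip)
    if rec is None or not rec["hops"]:
        return "probe"       # unknown source or empty hop set: hand over to reverse probing
    if hops not in rec["hops"]:
        return "drop"        # hop count contradicts what was learned: treated as forged
    if rec["confidence"] < min_confidence:
        return "drop"        # hop count fits, but the record is not trusted enough
    return "forward"


def learn(table, src_ip, ttl, probe_reply_ttl=None, protocol_fingerprint=False):
    """Learning steps <3>-<10>. D1 comes from the observed packet, D2 from the TTL of a
    reverse-probe reply if one arrived. Returns the updated record, or None when the
    sample is discarded because D1 and D2 differ by more than one hop (step <8>; the
    cross-operator correction mentioned there is not modelled)."""
    d1 = hop_count(ttl)
    rec = table.lookup(src_ip) or table.add_range(src_ip + "/32")  # unseen IP: own record
    rec["learned"] += 1
    if probe_reply_ttl is not None:
        rec["probed"] += 1
        d2 = hop_count(probe_reply_ttl)
        if abs(d1 - d2) > 1:
            return None
        rec["hops"][d2] += 1        # the hop count from the reply is what gets recorded
        rec["confidence"] = 1.0     # confirmed by a live reply, as in the IP1 example
    else:
        rec["hops"][d1] += 1        # no reply: fall back to the packet's own hop count
        rec["confidence"] = max(rec["confidence"], 0.5)   # unconfirmed record, as for IP2
        if protocol_fingerprint:    # step <9>: repeated fingerprinted learning raises trust
            rec["confidence"] = min(1.0, rec["confidence"] + 0.1)
    return rec
```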
The beneficial effect of this technical solution is that DDOS attacks using forged source IPs are effectively prevented, and the situation in which DDOS defence may fail to work when a forged-source attack occurs is avoided.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the system, device and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but they must not therefore be interpreted as limiting the scope of the patent claims. It should be noted that those of ordinary skill in the art may also make certain variations and improvements without departing from the concept of the invention, and these fall within the protection scope of the invention. Therefore, the protection scope of this patent shall be defined by the appended claims.

Claims (10)

1. A method for cleaning forged source IPs in a DDOS defense system, characterised by comprising:
monitoring the packet traffic whose destination address is the destination server;
when the packet traffic exceeds a set threshold, intercepting a preset number of packets from the traffic as packets to be detected;
obtaining the source IP address and TTL value of one of the packets to be detected, and calculating from the TTL value the hop count of the network nodes traversed by the packet;
looking up the hop count set corresponding to the source IP address in a local data table and, when the hop count does not belong to the hop count set, discarding the packet to be detected so that it does not reach the destination server.
2. The method for cleaning forged source IPs in a DDOS defense system according to claim 1, characterised in that the step of calculating from the TTL value the hop count of the network nodes traversed by the packet to be detected comprises:
choosing, from among the system initial settings of packet time to live, the one that is greater than and closest to the TTL value as the packet initial value of the packet to be detected;
subtracting the TTL value from the packet initial value to obtain the hop count of the network nodes traversed by the packet to be detected.
3. The method for cleaning forged source IPs in a DDOS defense system according to claim 1, characterised in that the local data table contains at least IP address ranges made up of consecutive IP addresses and the hop count set corresponding to each IP address range, and the step of looking up the hop count set corresponding to the source IP address in the local data table comprises:
arranging the IP address ranges in ascending or descending order in the local data table;
obtaining the corresponding hop count set according to the IP address range to which the source IP address belongs.
4. The method for cleaning forged source IPs in a DDOS defense system according to claim 1, characterised in that, after the step of looking up the hop count set corresponding to the source IP address in the local data table, the method further comprises:
when the hop count belongs to the hop count set and the packet to be detected is judged to meet the preset screening condition of the destination server, forwarding the packet to be detected to the destination server.
5. The method for cleaning forged source IPs in a DDOS defense system according to claim 1, characterised in that, after the step of looking up the hop count set corresponding to the source IP address in the local data table, the method further comprises:
when the source IP address is not found in the local data table, or the hop count set found is empty, sending a reverse probe packet to the source IP address;
if a response from the source IP address to the reverse probe packet is received, calculating the hop count from the TTL value of the response and adding that hop count to the hop count set corresponding to the source IP address for the lookup of the next packet to be detected;
if no response from the source IP address to the reverse probe packet is received, adding the hop count of the network nodes traversed by the packet to be detected to the hop count set corresponding to the source IP address for the lookup of the next packet to be detected.
6. A device for cleaning forged source IPs in a DDOS defense system, characterised by comprising:
a traffic monitoring unit, for monitoring the packet traffic whose destination address is the destination server;
a traffic diversion unit, for intercepting a preset number of packets from the traffic as packets to be detected when the packet traffic exceeds a set threshold;
a hop count computing unit, for obtaining the source IP address and TTL value of one of the packets to be detected and calculating from that TTL value the hop count of the network nodes traversed by the packet;
a judgement-and-cleaning unit, for looking up the hop count set corresponding to the source IP address in a local data table and, when the hop count does not belong to the hop count set, discarding the packet to be detected so that it does not reach the destination server.
7. The device for cleaning forged source IPs in a DDOS defense system according to claim 6, characterised in that the hop count computing unit comprises:
an initial value estimation unit, for choosing, from among the system initial settings of packet time to live, the one that is greater than and closest to the TTL value as the packet initial value of the packet to be detected;
a hop count estimation unit, for subtracting the TTL value from the packet initial value to obtain the hop count of the network nodes traversed by the packet to be detected.
8. The device for cleaning forged source IPs in a DDOS defense system according to claim 6, characterised in that the local data table contains at least IP address ranges made up of consecutive IP addresses and the hop count set corresponding to each IP address range, and the judgement-and-cleaning unit comprises:
an IP range sorting unit, for arranging the IP address ranges in ascending or descending order in the local data table;
an ownership query unit, for obtaining the corresponding hop count set according to the IP address range to which the source IP address belongs.
9. The device for cleaning forged source IPs in a DDOS defense system according to claim 6, characterised by further comprising a judgement-and-forwarding unit and/or a reverse probe unit;
the judgement-and-forwarding unit, for forwarding the packet to be detected to the destination server when the hop count belongs to the hop count set and the packet to be detected is judged to meet the preset screening condition of the destination server;
the reverse probe unit, for sending a reverse probe packet to the source IP address when the source IP address is not found in the local data table or the hop count set found is empty;
the reverse probe unit is also connected to the local data table: if a response from the source IP address to the reverse probe packet is received, the hop count is calculated from the TTL value of the response and added to the hop count set corresponding to the source IP address for the lookup of the next packet to be detected; if no response from the source IP address to the reverse probe packet is received, the hop count of the network nodes traversed by the packet to be detected is added to the hop count set corresponding to the source IP address for the lookup of the next packet to be detected.
10. A DDOS defense system, characterised by comprising a switch, a cleaning device and a detection device, wherein the cleaning device comprises the device for cleaning forged source IPs in a DDOS defense system according to any one of claims 6 to 9, and the detection device comprises a local data table; wherein the switch is connected to the destination server and forwards packets whose destination address is the destination server; the cleaning device is connected in parallel with the switch and diverts packets whose destination address is the destination server; the detection device is connected between the switch and the cleaning device, monitors packets whose destination address is the destination server, and generates the local data table for the cleaning device to clean with.
CN201610867555.5A 2016-09-29 2016-09-29 Method and device for cleaning counterfeit source IP in DDOS defense system Active CN106534068B (en)


Publications (2)

Publication Number Publication Date
CN106534068A true CN106534068A (en) 2017-03-22
CN106534068B CN106534068B (en) 2023-12-22
