CN109218265B - Four-layer distributed denial of service attack detection method and device - Google Patents


Publication number: CN109218265B
Authority: CN (China)
Prior art keywords: public network, target, site, domain name, layer
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CN201710538834.1A
Other languages: Chinese (zh)
Other versions: CN109218265A
Inventors: 梁昊驰, 汤志敏, 邓隽, 安龙送
Current assignee: Alibaba Group Holding Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Alibaba Group Holding Ltd
Events: application filed by Alibaba Group Holding Ltd; priority to CN201710538834.1A; publication of CN109218265A; application granted; publication of CN109218265B; current legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; name-to-address mapping
    • H04L 61/4505 Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/0218 Distributed architectures, e.g. distributed firewalls
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application disclose a four-layer distributed denial of service attack detection method and device. The method comprises: performing four-layer distributed denial of service (DDoS) attack detection on a first public network IP; when a four-layer DDoS attack is detected, determining the target first public network IP suffering from the attack and each site domain name corresponding to it; allocating second public network IPs to those site domain names in a one-to-one manner and updating the mapping information in the Domain Name System (DNS), so that each site domain name is served by its own second public network IP; performing four-layer DDoS detection on the second public network IPs; and when a four-layer DDoS attack is detected, determining the target second public network IP suffering from the attack and, from the site domain name corresponding to it, the target site actually under attack. With this method and device, when a shared public network IP is hit by a four-layer DDoS attack, the site actually being attacked can be located.

Description

Four-layer distributed denial of service attack detection method and device
Technical Field
The application relates to the technical field of four-layer distributed denial of service attack detection, in particular to a four-layer distributed denial of service attack detection method and device.
Background
There are many kinds of DoS (Denial of Service) attacks; the most basic one uses seemingly reasonable service requests to occupy so many server resources that the server can no longer serve legitimate users. A single-source DoS attack is generally one-to-one, and as processor speed, memory size and gigabit-class networks have grown, such attacks have become harder to carry out. Distributed denial of service (DDoS) attacks were derived from them: they use many compromised "puppet machines" (bots) to attack at a far larger scale than a single-source DoS attack.
According to the attack mode, DDoS attacks can be divided into four-layer (transport-layer) attacks, which target IP addresses, and seven-layer (application-layer) attacks, which target domain names. That is, once a site has been chosen as the target, a four-layer DDoS attacker resolves the site's domain name to an IP address and sends the attack traffic directly to the back-end server at that address.
To reduce the impact of a DDoS attack, once an IP address is found to be under attack, various measures can be taken, including network protection such as rate limiting or traffic scrubbing for that IP address. In practice, however, because public network IP resources are limited, traditional virtual machine or PaaS (Platform-as-a-Service) products generally let many sites share the same public network IP or a small number of them, i.e. one public network IP corresponds to many sites. When one of those sites is hit by a four-layer DDoS attack on the shared public network IP, it is impossible to tell which site is actually the target. As a result, the site really under attack cannot be given targeted protection, and because protection is applied at the granularity of the public network IP, the other sites sharing that IP are affected as well.
How to locate the site actually under attack when a shared public network IP is hit by a four-layer DDoS attack, so that targeted protection can be applied to that site and the impact on the other sites sharing the IP reduced, is therefore the technical problem to be solved.
Disclosure of Invention
The application provides a four-layer distributed denial of service attack detection method and device, which can be used for positioning a site which is actually attacked when a certain public network IP is attacked by four-layer DDoS so as to carry out targeted network protection on the site and reduce the influence on other sites sharing the same public network IP.
The application provides the following scheme:
A four-layer distributed denial of service attack detection method, wherein a plurality of public network IPs are mounted under a server cluster, including a plurality of first public network IPs and a plurality of second public network IPs; in a default state, the first public network IPs provide services externally for the corresponding site domain names, and the same first public network IP corresponds to a plurality of site domain names;
the method comprises the following steps:
carrying out four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
when detecting a four-layer DDoS attack, determining a target first public network IP suffering from the four-layer DDoS attack and each site domain name corresponding to the target first public network IP;
respectively allocating the second public network IP to the site domain names in a one-to-one corresponding mode, and updating mapping relation information in a Domain Name System (DNS) so as to provide services for the corresponding site domain names by using the second public network IP;
performing four-layer DDoS detection on the second public network IP;
when detecting a four-layer DDoS attack, determining a target second public network IP suffering from the four-layer DDoS attack, and determining a target site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
A four-layer distributed denial of service attack detection device, wherein a plurality of public network IPs are mounted under a server cluster, including a plurality of first public network IPs and a plurality of second public network IPs; in a default state, the first public network IPs provide services for the corresponding site domain names, and the same first public network IP corresponds to a plurality of site domain names;
the device comprises:
a first detection unit, configured to perform four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
a site domain name determining unit, configured to determine, when detecting a four-layer DDoS attack, a target first public network IP that is subject to the four-layer DDoS attack, and each site domain name corresponding to the target first public network IP;
the first mapping relation updating unit is used for respectively allocating the second public network IP to the site domain names in a one-to-one corresponding mode and updating mapping relation information in a Domain Name System (DNS) so as to provide services for the corresponding site domain names by using the second public network IP;
the second detection unit is used for carrying out four-layer DDoS detection on the second public network IP;
and the target site determining unit is used for determining a target second public network IP suffering from the four-layer DDoS attack when the four-layer DDoS attack is detected, and determining a target site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
A computer system applied to a server cluster, wherein a plurality of public network IPs are mounted on the server cluster, including a plurality of first public network IPs and a plurality of second public network IPs; in a default state, the first public network IPs provide services for the corresponding site domain names, and the same first public network IP corresponds to a plurality of site domain names;
the computer system includes:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
carrying out four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
when detecting a four-layer DDoS attack, determining a target first public network IP suffering from the four-layer DDoS attack and each site domain name corresponding to the target first public network IP;
respectively allocating the second public network IP to the site domain names in a one-to-one corresponding mode, and updating mapping relation information in a Domain Name System (DNS) so as to provide services for the corresponding site domain names by using the second public network IP;
performing four-layer DDoS detection on the second public network IP;
when detecting a four-layer DDoS attack, determining a target second public network IP suffering from the four-layer DDoS attack, and determining a site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
A method of detection, comprising:
determining that a first IP is in a preset network state, wherein the first IP corresponds to at least one domain name;
acquiring a domain name corresponding to the first IP, wherein the domain name corresponds to a preset application;
allocating a second IP for the domain name;
and determining that the second IP is in a preset network state, so as to determine that the preset application is the target application.
A detection device, comprising:
a first network status determining unit, configured to determine that a first IP is in a preset network status, where the first IP corresponds to at least one domain name;
a domain name obtaining unit, configured to obtain a domain name corresponding to the first IP, where the domain name corresponds to a preset application;
the IP allocation unit is used for allocating a second IP for the domain name;
and the second network state determining unit is used for determining that the second IP is in a preset network state, so that the preset application is determined to be the target application.
According to the specific embodiments provided herein, the present application discloses the following technical effects:
According to the embodiments of the application, a plurality of public network IPs can be mounted on the server cluster and divided into first public network IPs and second public network IPs. In the normal default state the first public network IPs serve specific sites and the second public network IPs are idle. Once one of the first public network IPs is detected to be under a four-layer DDoS attack, a second public network IP is allocated to each site domain name corresponding to that first public network IP, and the new mapping between each site domain name and its second public network IP is written to the DNS. If the attacker then launches the four-layer DDoS attack on a site again, the IP the attacker obtains for the site is the reallocated second public network IP, and because each second public network IP corresponds to exactly one site domain name, four-layer DDoS detection on the second public network IPs alone suffices: once a particular second public network IP is found to be under attack, the target site actually being attacked is known. Network protection can then be applied to that site only, leaving the other, unattacked sites unaffected.
Of course, it is not necessary for any product to achieve all of the above-described advantages at the same time for the practice of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
FIG. 1 is a schematic diagram of a DDoS attack mode;
fig. 2 is a schematic diagram of a public network IP scheme provided in an embodiment of the present application;
FIG. 3 is a flow chart of a method provided by an embodiment of the present application;
FIG. 4 is a schematic view of an apparatus provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of a computer system provided by an embodiment of the present application;
FIG. 6 is a flow chart of another method provided by embodiments of the present application;
fig. 7 is a schematic diagram of another apparatus provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments that can be derived from the embodiments given herein by a person of ordinary skill in the art are intended to be within the scope of the present disclosure.
For ease of understanding, a brief description of the four-layer DDoS attack follows. An attacker who wants to attack a site on the Internet (e.g. http://www.abc.com) mainly has two preparation tasks:
The first is to determine the target hosts and their addresses, i.e. which host or hosts serve the site. For example, using ping or similar tools, the attacker can determine the IP addresses serving http://www.abc.com, which might include 122.226.199.3, 122.226.167.4, 122.226.167.5 and so on.
The second is to acquire "puppet machines" from the network. For example, the attacker can use a scanner, randomly or selectively, to find vulnerable machines on the Internet and then try to break into them to obtain the highest administrative privilege, or at least an account with enough privilege to carry out the DDoS task, turning them into puppet machines. The number of puppet machines is usually very large, or is chosen according to information such as the number of hosts to be attacked.
After both preparations are complete, referring to fig. 1, hacker 101 sends attack commands through console 102 to puppet machines 103(1) to 103(n); the DDoS attack program planted on each puppet machine responds to the console's commands and sends a large number of packets at high speed to victim host 104, so that the host cannot respond to normal requests or even crashes.
In other words, each time an attacker organizes a four-layer DDoS attack, the attacker first determines the IP address of the host serving the targeted site and then attacks the victim host at that IP address. Hence, when public network IPs are shared, an attacker who intends a four-layer DDoS attack on a particular site actually attacks the public network IP corresponding to that site. Because the host behind that public network IP serves several sites at once, even if it is detected which public network IP is under four-layer DDoS attack, the prior art cannot determine which site specifically is being attacked.
In the embodiments of the application, in order to locate the site actually under attack when a public network IP is hit by a four-layer DDoS attack, so that targeted protection can be applied to that site and the impact on the other sites sharing the IP mitigated, a plurality of public network IP addresses are mounted on a server cluster and divided into two groups: first public network IPs (several) and second public network IPs (also several). In the default state, sites are served through the first public network IPs. When a first public network IP is found to be under attack, the site domain names corresponding to it are determined first, and each of them is then allocated a second public network IP in a one-to-one manner, i.e. one site domain name per second public network IP. If the attacker then launches the four-layer DDoS attack again on one of those sites, the attacker must re-acquire the server IP serving it; since the mapping between the site's domain name and its public network IP has changed, re-resolving the domain name with ping or a similar tool returns the reallocated second public network IP, and the attacker directs the puppet machines at that second public network IP. Detecting which second public network IP is under four-layer DDoS attack then tells which site the attacker is targeting.
Specific implementations are described in detail below.
As described above, in the embodiment of the present application, a plurality of public network IPs can be mounted in a server cluster, where the public network IPs include a plurality of first public network IPs and a plurality of second public network IPs, and in a default state, the first public network IP is used to provide services for a corresponding site domain name, and the same public network IP corresponds to a plurality of site domain names.
Mounting a plurality of public network IPs under a server cluster means that all of those public network IP addresses are routed to the cluster: any packet whose destination IP falls within the range of mounted public network IPs is delivered to the server cluster. In the embodiments of the application the public network IPs mounted on one server cluster are divided into two groups, first public network IPs (several) and second public network IPs (also several). For example, if 20 public network IPs, IP1 to IP20, are mounted under a server cluster, IP1 to IP10 may serve as the first public network IPs and IP11 to IP20 as the second public network IPs.
In the default state, the first public network IPs serve the corresponding site domain names: when a site is created, its domain name is mapped to one of the first public network IPs by calling an interface of the Domain Name System (DNS), and as the number of sites grows, the same first public network IP is shared by multiple sites. For example, referring to fig. 2, as sites are added there may be m sites with domain names test1.aliapp.com, test2.aliapp.com, ..., testm.aliapp.com all mapped to the same first public network IP A1, and likewise for the other first public network IPs. Once the mapping between site domain names and first public network IPs has been established in this way and configured in the DNS, each site can be served externally through its first public network IP.
That is, in the default state, the mapping maintained by the DNS may be as shown in table 1 below:
TABLE 1
Site domain name    First public network IP
Site 1              First public network IP A1
Site 2              First public network IP A1
……                  ……
Site m              First public network IP A1
The mappings between other site domain names and the other first public network IPs are not shown in Table 1. With this mapping saved, when a user accesses the site test1.aliapp.com the DNS resolves the domain name to first public network IP A1; since A1 is within the range of public network IPs mounted under the server cluster, the packets generated by the access end up at the server cluster for processing.
When an attacker organizes a four-layer DDoS attack and has decided to attack site 1, the attacker first collects, in some way, the public network IP of the server serving site 1; given the mapping of Table 1 the attacker learns that it is first public network IP A1, and then directs the puppet machines to attack first public network IP A1.
Example one
On the basis of the above preparation work, referring to fig. 3, the four-layer DDoS detection method provided in the embodiment of the present application may specifically include:
s301: carrying out four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
after the configuration is performed, the server cluster may perform four-layer DDoS detection on the first public network IP through a special detection program, and a specific detection mode is not described in detail in this embodiment of the application. The next task to be done is to find out a target site actually suffering from four-layer DDoS from a plurality of site domain names corresponding to the first public network IP.
S302: when detecting a four-layer DDoS attack, determining a target second public network IP suffering from the four-layer DDoS attack and each site domain name corresponding to the target first public network IP;
specifically, in the embodiment of the present application, after finding that a target first public network IP suffers from four-layer DDoS, each site domain name corresponding to the target first public network IP may be determined first, and specifically, the determination may be performed by means of querying table 1 and the like.
S303: respectively allocating the second public network IP to the site domain names in a one-to-one corresponding mode, and updating mapping relation information in a Domain Name System (DNS) so as to provide services for the corresponding site domain names by using the second public network IP;
After determining the site domain names corresponding to the target first public network IP under four-layer DDoS attack, a second public network IP is allocated to each of those site domain names in a one-to-one manner, and the mapping recorded in the DNS is updated by calling the relevant DNS interfaces. When a user then requests one of those site domain names, the DNS resolves it to the corresponding second public network IP; since the second public network IPs are also mounted under the same server cluster, the packets generated by the access still end up at the server cluster for processing.
For example, as shown in fig. 2, assume the target first public network IP under four-layer DDoS attack is first public network IP A1, and the query shows that the corresponding site domain names are site 1, site 2, site 3, .... A second public network IP is then newly allocated to each of those sites, with a result such as that shown in Table 2 below:
TABLE 2 (rendered as an image in the original and not reproduced here)
That is, after a target first public network IP is found to be under four-layer DDoS attack, each site domain name corresponding to it is reassigned a public network IP in a one-to-one manner, so that each second public network IP corresponds to exactly one site domain name.
Because an attacker usually determines the IP address corresponding to the target site's domain name with ping or a similar tool while carrying out the attack, after the mapping has been updated as above the IP address the attacker obtains for the target site's domain name is the reallocated second public network IP, and the attacker then directs the puppet machines through the console to attack that second public network IP.
S304: performing four-layer DDoS detection on the second public network IP;
after the mapping relation between the site domain name and the public network IP is modified, four-layer DDoS detection can be carried out on the second public network IP, and the specific detection mode can be the same as that of the first public network IP.
S305: when detecting a four-layer DDoS attack, determining a target second public network IP suffering from the four-layer DDoS attack, and determining a target site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
If it is detected that the target second public network IP is attacked by the four-layer DDoS attack, in the embodiment of the present application, the second public network IP only uniquely corresponds to one site domain name, and therefore, the target site actually attacked by the four-layer DDoS attack can be determined according to the site domain name uniquely corresponding to the target second public network IP.
Therefore, according to the embodiment of the application, a plurality of public network IPs can be mounted in the server cluster and divided into a first public network IP and a second public network IP, and under a normal default state, the first public network IP can be used for providing service for a specific site, and the second public network IP is in an idle state. And once detecting that one of the first public network IPs suffers from the four-layer DDoS, a second public network IP may be respectively allocated to each site domain name corresponding to the first public network IP, and the mapping relationship between each site domain name and the second public network IP is updated to the DNS. Therefore, if a hacker reorganizes the four-layer DDoS for a certain site, the IP corresponding to the site acquired by the hacker is the redistributed second public network IP, and the second public network IP only uniquely corresponds to one site domain name, so that only four-layer DDoS detection is performed on the second public network IP, and after a certain second public network IP is detected to suffer from DDoS, the target site actually attacked by the hacker can be determined. Furthermore, the network protection can be performed only for the station, and other stations which are not attacked are not affected.
In addition, in specific implementation, after detecting that the target second public network IP is attacked by the four-layer DDoS attack, the second public network IP resources occupied by other site domain names not attacked by the four-layer DDoS can be released, mapping is established between the other site domain names not attacked by the four-layer DDoS and the target first public network IP again, and mapping relationship information stored in the DNS is updated, so that the first public network IP is used for providing services to the outside. Therefore, the released second public network IP resources can provide services for other sites suffering from the four-layer DDoS, and meanwhile, other sites not suffering from the four-layer DDoS attack can be prevented from being involved.
For the site determined to be actually under four-layer DDoS attack, network protection processing can be applied to it. The protection measures may vary: for example, traffic to the target second public network IP may be rate-limited, abnormal traffic filtered, and/or the target second public network IP placed in security isolation. When the target second public network IP is detected to no longer be under four-layer DDoS attack, its resource can be released: the target site's domain name is mapped back to the target first public network IP and the mapping information stored in the DNS is updated, so that the first public network IP serves the target site again and public network IP resources are conserved.
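The control loop described above (detect on the shared first IP, split its sites one per spare second IP, detect again, keep only the hit site on its spare, hand the rest back, and release the spare when the attack ends) is simulated below. This is an added example, not the patent's own code: the `Cluster` class, the IP addresses, the site names and the stand-in detector `attacked()` are all assumptions made for illustration. The detector is deliberately modelled as seeing only IPs, never site names, because that is the ambiguity the procedure resolves; the `attacker_reresolves` switch shows what happens when the attacker keeps hitting the old first IP instead of following the DNS change.

```python
"""Added example, not the patent's own code: a simulation of the control
loop of embodiment one. All names, IPs and the stand-in detector below are
assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Cluster:
    first_ips: List[str]        # shared by default: several site domain names per IP
    second_ips: List[str]       # idle spares: handed out one per site on demand
    dns: Dict[str, str] = field(default_factory=dict)         # site domain name -> IP
    default_ip: Dict[str, str] = field(default_factory=dict)  # site -> its first IP
    free_second: List[str] = field(init=False)

    def __post_init__(self) -> None:
        self.free_second = list(self.second_ips)

    def host(self, site: str, first_ip: str) -> None:
        assert first_ip in self.first_ips
        self.default_ip[site] = first_ip
        self.dns[site] = first_ip

    def sites_on(self, ip: str) -> List[str]:
        return sorted(s for s, i in self.dns.items() if i == ip)

    def isolate(self, first_ip: str) -> Dict[str, str]:
        """Give every site behind `first_ip` its own second IP and update the DNS map."""
        moved: Dict[str, str] = {}
        for site in self.sites_on(first_ip):
            if not self.free_second:
                raise RuntimeError("second public network IP pool exhausted")
            ip = self.free_second.pop(0)
            self.dns[site] = ip          # one-to-one: exactly one site per second IP
            moved[site] = ip
        return moved

    def restore(self, site: str) -> None:
        """Release the site's second IP and map the name back to its first IP."""
        ip = self.dns[site]
        if ip in self.second_ips:
            self.free_second.append(ip)
        self.dns[site] = self.default_ip[site]


Detector = Callable[[Dict[str, str]], Set[str]]  # current DNS map -> IPs under attack


def locate_target(c: Cluster, attacked: Detector) -> Optional[str]:
    """Two-stage procedure: detect on the first IPs, split the hit IP one site
    per second IP, detect again on the second IPs, keep only the hit site on
    its second IP. Returns the target site, or None if not attributable."""
    hit_first = [ip for ip in c.first_ips if ip in attacked(c.dns)]
    if not hit_first:
        return None
    target_first = hit_first[0]
    if len(c.sites_on(target_first)) == 1:
        return c.sites_on(target_first)[0]        # nothing to disambiguate
    moved = c.isolate(target_first)               # one second IP per site, DNS updated
    hit_second = [ip for ip in moved.values() if ip in attacked(c.dns)]
    if not hit_second:
        # Attacker kept hitting the old IP (pinned address or TTL not yet expired):
        # nothing attributable, hand every spare back.
        for site in moved:
            c.restore(site)
        return None
    target_site = next(s for s, ip in moved.items() if ip == hit_second[0])
    for site in moved:                            # release the spares of sites not hit
        if site != target_site:
            c.restore(site)
    return target_site


def demo(attacker_reresolves: bool = True):
    """Constructed scenario: three sites share one first IP, one of them is the victim."""
    c = Cluster(first_ips=["203.0.113.10", "203.0.113.11"],
                second_ips=["203.0.113.20", "203.0.113.21", "203.0.113.22"])
    for site in ("a.example", "b.example", "c.example"):
        c.host(site, "203.0.113.10")
    c.host("d.example", "203.0.113.11")
    victim, pinned = "b.example", c.dns["b.example"]

    # Stand-in for the L4 detector: it only sees IPs, never site names. The
    # attacker either re-resolves the victim's name or keeps using the old IP.
    def attacked(dns: Dict[str, str]) -> Set[str]:
        return {dns[victim] if attacker_reresolves else pinned}

    return locate_target(c, attacked), c


if __name__ == "__main__":
    for follows_dns in (True, False):
        target, c = demo(follows_dns)
        print(f"attacker re-resolves={follows_dns}: target={target}, dns={c.dns}")
        if target:
            c.restore(target)   # attack over: release the second IP and fall back to the first IP
            print("after attack ends:", c.dns, "free spares:", c.free_second)
```

With a re-resolving attacker the victim `b.example` is identified and ends up alone on `203.0.113.21` while `a.example` and `c.example` are back on the shared first IP; with an attacker pinned to the old address the second stage sees no hit, every spare is returned and the procedure reports nothing, which is the case the text's caveat about re-resolution and TTL refers to.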
It should be noted that, in this embodiment, the execution subject of each step may be a four-layer DDoS protection program or device within the server cluster, or the like.
Corresponding to the four-layer distributed denial of service attack detection method, the embodiment of the present application further provides a four-layer distributed denial of service attack detection apparatus, which may be applied to a server cluster that mounts a plurality of public network IPs, where the public network IPs include a plurality of first public network IPs and a plurality of second public network IPs, and in the default state a first public network IP is used to provide services for its corresponding site domain names, the same first public network IP corresponding to a plurality of site domain names;
specifically, referring to fig. 4, the apparatus may include:
a first detecting unit 401, configured to perform four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
a site domain name determining unit 402, configured to determine, when detecting a four-layer DDoS attack, a target first public network IP that is subject to the four-layer DDoS attack, and each site domain name corresponding to the target first public network IP;
a first mapping relationship updating unit 403, configured to allocate a second public network IP to each of the site domain names in a one-to-one correspondence, and update the mapping relationship information in the domain name system (DNS), so that the corresponding site domain names are served externally by the second public network IPs;
a second detecting unit 404, configured to perform four-layer DDoS detection on the second public network IP;
a target site determining unit 405, configured to determine a target second public network IP suffering from a four-layer DDoS attack when the four-layer DDoS attack is detected, and determine a target site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
Specifically, the apparatus may further include:
the first resource releasing unit is used for releasing second public network IP resources occupied by other site domain names not subjected to the four-layer DDoS attack after detecting the four-layer DDoS attack and determining a target second public network IP subjected to the four-layer DDoS attack;
and the second mapping relation updating unit is used for reestablishing mapping between the other site domain names which are not attacked by the four-layer DDoS and the target first public network IP, and updating the mapping relation information stored in the DNS so as to provide services for the outside by using the first public network IP.
In addition, the apparatus may further include:
and the network protection unit is used for performing network protection processing on the target site after the target site is determined.
Specifically, the network protection unit may be configured to:
rate-limit traffic to the target second public network IP, filter abnormal traffic, and/or perform security isolation processing.
Furthermore, the apparatus may further include:
a second resource releasing unit, configured to release the target second public network IP resource when detecting that the target second public network IP is no longer under a four-layer DDoS attack;
and the third mapping relation updating unit is used for reestablishing mapping between the domain name of the target site and the target first public network IP and updating the mapping relation information stored in the DNS so as to provide external services for the target site by using the first public network IP.
Corresponding to the four-layer distributed denial of service attack detection method and apparatus, the embodiment of the present application further provides a computer system, which is applied to a server cluster that mounts a plurality of public network IPs, where the public network IPs include a plurality of first public network IPs and a plurality of second public network IPs, and in the default state a first public network IP is used to provide services for its corresponding site domain names, the same first public network IP corresponding to a plurality of site domain names;
referring to fig. 5, the computer system may include:
one or more processors 501; and
a memory 502 associated with the one or more processors 501, the memory 502 storing program instructions that, when read and executed by the one or more processors 501, perform the following:
carrying out four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
when detecting a four-layer DDoS attack, determining a target first public network IP suffering from the four-layer DDoS attack and each site domain name corresponding to the target first public network IP;
respectively allocating the second public network IP to the site domain names in a one-to-one corresponding mode, and updating mapping relation information in a Domain Name System (DNS) so as to provide services for the corresponding site domain names by using the second public network IP;
performing four-layer DDoS detection on the second public network IP;
when detecting a four-layer DDoS attack, determining a target second public network IP suffering from the four-layer DDoS attack, and determining a site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
In addition to the processor 501 and the memory 502, the system may further include an input/output interface 503, a communication interface 504, and a bus 505. Wherein the processor 501, the memory 502, the input/output interface 503 and the communication interface 504 are communicatively connected to each other within the device via a bus 505.
The processor 501 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute the related programs to implement the technical solution provided in the present application.
The memory 502 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 502 may store an operating system and other application programs; when the technical solution provided by the present application is implemented in software or firmware, the relevant program code is stored in the memory 502 and called for execution by the processor 501.
The input/output interface 503 is used for connecting an input/output module to realize information input and output. The input/output module may be configured as a component of the device (not shown) or may be external to the device and provide the corresponding function. Input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 504 is used for connecting a communication module (not shown in the figure) to realize communication between the device and other devices. The communication module may communicate in a wired manner (such as USB or an Ethernet cable) or in a wireless manner (such as a mobile network, Wi-Fi or Bluetooth).
Bus 505 comprises a path that transfers information between the various components of the device, such as processor 501, memory 502, input/output interface 503, and communication interface 504.
It should be noted that although the above-mentioned device only shows the processor 501, the memory 502, the input/output interface 503, the communication interface 504 and the bus 505, in a specific implementation, the device may also include other components necessary for normal operation. Furthermore, it will be understood by those skilled in the art that the apparatus described above may also include only the components necessary to implement the solution of the present application, and not necessarily all of the components shown in the figures.
Example two
The second embodiment further provides a detection method, which may specifically include, referring to fig. 6:
s601: determining that a first IP is in a preset network state, wherein the first IP corresponds to at least one domain name;
The preset network state may be an attacked network state, and the specific attack type may vary; for example, it may be the DDoS attack described in the foregoing embodiment.
S602: acquiring a domain name corresponding to the first IP, wherein the domain name corresponds to a preset application;
under the condition that the first IP is in a preset network state, each domain name having a corresponding relationship with the first IP may be acquired.
S603: allocating a second IP for the domain name;
As in the first embodiment, an IP is reassigned to each domain name corresponding to the first IP, so that each second IP corresponds to only one domain name. After the reassignment, the correspondence between domain names and IPs in the domain name system (DNS) can be updated.
S604: and determining that the second IP is in a preset network state, so as to determine that the preset application is the target application.
In this way, the network state of each second IP is detected again; if one of them is found to be in the preset network state, the target domain name corresponding to that second IP is determined, and the application corresponding to the target domain name is the target application. When the preset network state is an attacked state, the target application is the attacked application. The application in the preset network state is thereby located more precisely.
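Neither embodiment says how "in a preset network state" (S601, S604) or "four-layer DDoS detection on the public network IP" is actually decided; both only require a verdict per IP. The following is an added example, not the patent's code, of one such per-IP layer-4 verdict computed from aggregated flow records: a SYN flood is flagged when SYN-only packets to an IP exceed a packet-rate threshold, dominate that IP's TCP traffic and come from many distinct sources, and a UDP flood when UDP packets exceed the rate threshold from many sources. The `Flow` record layout, every threshold and the constructed one-second traffic sample are assumptions; the output is keyed by destination IP only, which is exactly the ambiguity the remapping procedure above exists to resolve.

```python
"""Added example, not the patent's code: one way to decide that a public IP
is 'in the attacked network state' at layer 4, from aggregated flow records.
The record layout, the thresholds and the constructed traffic are assumptions;
the patent does not specify a detector."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str        # the public network IP being evaluated
    proto: str      # "tcp" or "udp"
    flags: str      # TCP flags seen on the flow, "" for UDP
    packets: int


def classify(flows: List[Flow], window_s: float = 1.0, pps_limit: float = 5000.0,
             syn_ratio: float = 0.8, min_srcs: int = 50) -> Dict[str, str]:
    """Return {dst_ip: verdict} for IPs that look flooded within one window.
    SYN flood: SYN-only packets above pps_limit, dominating the TCP traffic,
    from at least min_srcs distinct sources. UDP flood: UDP packets above
    pps_limit from at least min_srcs sources. Everything else is normal."""
    agg = defaultdict(lambda: {"tcp": 0, "syn": 0, "udp": 0, "srcs": set()})
    for f in flows:
        a = agg[f.dst]
        a["srcs"].add(f.src)
        if f.proto == "tcp":
            a["tcp"] += f.packets
            if "S" in f.flags and "A" not in f.flags:   # SYN without ACK
                a["syn"] += f.packets
        elif f.proto == "udp":
            a["udp"] += f.packets
    verdict: Dict[str, str] = {}
    for dst, a in agg.items():
        many_sources = len(a["srcs"]) >= min_srcs
        if (a["tcp"] and a["syn"] / window_s >= pps_limit
                and a["syn"] / a["tcp"] >= syn_ratio and many_sources):
            verdict[dst] = "syn-flood"
        elif a["udp"] / window_s >= pps_limit and many_sources:
            verdict[dst] = "udp-flood"
    return verdict


def synth_traffic() -> List[Flow]:
    """Constructed one-second sample: a SYN flood, a UDP flood and normal traffic."""
    flows: List[Flow] = []
    for i in range(200):   # 200 spoofed sources x 40 SYNs -> 8000 SYN/s at .10
        flows.append(Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", "S", 40))
    for i in range(100):   # 100 sources x 80 UDP packets -> 8000 pkt/s at .12
        flows.append(Flow(f"192.0.2.{i}", "203.0.113.12", "udp", "", 80))
    for i in range(30):    # 30 real clients: one SYN, then an established flow at .11
        flows.append(Flow(f"172.16.0.{i}", "203.0.113.11", "tcp", "S", 1))
        flows.append(Flow(f"172.16.0.{i}", "203.0.113.11", "tcp", "A", 30))
    return flows


if __name__ == "__main__":
    # prints {'203.0.113.10': 'syn-flood', '203.0.113.12': 'udp-flood'}
    print(classify(synth_traffic()))
```

The `min_srcs` floor is what keeps a single busy client from being classed as a flood; raising `pps_limit` above the sample's 8000 packets per second makes both verdicts disappear, which is the knob to tune against the cluster's normal peak rather than against an absolute number.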
Corresponding to the second embodiment, the embodiment of the present application further provides a detection apparatus, referring to fig. 7, where the apparatus may specifically include:
a first network status determining unit 701, configured to determine that a first IP is in a preset network status, where the first IP corresponds to at least one domain name;
a domain name obtaining unit 702, configured to obtain a domain name corresponding to the first IP, where the domain name corresponds to a preset application;
an IP allocating unit 703, configured to allocate a second IP for the domain name;
a second network status determining unit 704, configured to determine that the second IP is in a preset network status, so as to determine that the preset application is a target application.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, the system or system embodiments are substantially similar to the method embodiments and therefore are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described system and system embodiments are only illustrative, wherein the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The four-layer distributed denial of service attack detection method and device provided by the present application have been described in detail above, with a specific example used to explain the principle and implementation of the present application; the description of the above embodiments is intended only to help understand the method and its core idea. A person skilled in the art may, following the idea of the present application, change the specific embodiments and the scope of application. In view of the above, the description should not be taken as limiting the application.

Claims (13)

1. A four-layer distributed denial of service attack detection method, characterized in that a plurality of public network IPs are mounted under a server cluster, the public network IPs comprising a plurality of first public network IPs and a plurality of second public network IPs; in a default state the first public network IPs are used for providing services for corresponding site domain names, and the same first public network IP corresponds to a plurality of site domain names;
the method comprises the following steps:
carrying out four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
when detecting a four-layer DDoS attack, determining a target first public network IP suffering from the four-layer DDoS attack and each site domain name corresponding to the target first public network IP;
respectively allocating the second public network IP to the site domain names in a one-to-one corresponding mode, and updating mapping relation information in a Domain Name System (DNS) so as to provide services for the corresponding site domain names by using the second public network IP;
performing four-layer DDoS detection on the second public network IP;
when detecting a four-layer DDoS attack, determining a target second public network IP suffering from the four-layer DDoS attack, and determining a target site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
2. The method of claim 1, wherein after detecting a four-layer DDoS attack and determining a target second public network IP suffering from the four-layer DDoS attack, further comprising:
releasing second public network IP resources occupied by other site domain names not subjected to the four-layer DDoS attack;
and re-establishing mapping between the other site domain names which are not attacked by the four-layer DDoS and the target first public network IP, and updating the mapping relation information stored in the DNS so as to provide services for the outside by using the first public network IP.
3. The method of claim 1, after determining the target site, further comprising:
and carrying out network protection processing on the target station.
4. The method of claim 3, wherein the performing network defense processing on the target station comprises:
rate-limiting traffic to the target second public network IP, filtering abnormal traffic, and/or performing security isolation processing.
5. The method of claim 3, further comprising:
when detecting that the target second public network IP is not attacked by the four-layer DDoS, releasing the target second public network IP resources;
and reestablishing mapping between the domain name of the target site and the target first public network IP, and updating the mapping relation information stored in the DNS so as to provide external services for the target site by using the first public network IP.
6. A four-layer distributed denial of service attack detection device, characterized in that a plurality of public network IPs are mounted under a server cluster, the public network IPs comprising a plurality of first public network IPs and a plurality of second public network IPs; in a default state the first public network IPs are used for providing services for corresponding site domain names, and the same first public network IP corresponds to a plurality of site domain names;
the device comprises:
a first detection unit, configured to perform four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
a site domain name determining unit, configured to determine, when detecting a four-layer DDoS attack, a target first public network IP that is subject to the four-layer DDoS attack, and each site domain name corresponding to the target first public network IP;
the first mapping relation updating unit is used for respectively allocating the second public network IP to the site domain names in a one-to-one corresponding mode and updating mapping relation information in a Domain Name System (DNS) so as to provide services for the corresponding site domain names by using the second public network IP;
the second detection unit is used for carrying out four-layer DDoS detection on the second public network IP;
and the target site determining unit is used for determining a target second public network IP suffering from the four-layer DDoS attack when the four-layer DDoS attack is detected, and determining a target site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
7. The apparatus of claim 6, further comprising:
the first resource releasing unit is used for releasing second public network IP resources occupied by other site domain names not subjected to the four-layer DDoS attack after detecting the four-layer DDoS attack and determining a target second public network IP subjected to the four-layer DDoS attack;
and the second mapping relation updating unit is used for reestablishing mapping between the other site domain names which are not attacked by the four-layer DDoS and the target first public network IP, and updating the mapping relation information stored in the DNS so as to provide services for the outside by using the first public network IP.
8. The apparatus of claim 6, further comprising:
and the network protection unit is used for performing network protection processing on the target site after the target site is determined.
9. The apparatus according to claim 8, wherein the network guard unit is specifically configured to:
rate-limit traffic to the target second public network IP, filter abnormal traffic, and/or perform security isolation processing.
10. The apparatus of claim 8, further comprising:
a second resource releasing unit, configured to release the target second public network IP resource when detecting that the target second public network IP is no longer under a four-layer DDoS attack;
and the third mapping relation updating unit is used for reestablishing mapping between the domain name of the target site and the target first public network IP and updating the mapping relation information stored in the DNS so as to provide external services for the target site by using the first public network IP.
11. A computer system, characterized in that the computer system is applied to a server cluster on which a plurality of public network IPs are mounted, the public network IPs comprising a plurality of first public network IPs and a plurality of second public network IPs; in a default state the first public network IPs are used for providing services for corresponding site domain names, and the same first public network IP corresponds to a plurality of site domain names;
the computer system includes:
one or more processors; and
a memory associated with the one or more processors for storing program instructions that, when read and executed by the one or more processors, perform operations comprising:
carrying out four-layer distributed denial of service attack (DDoS) detection on the first public network IP;
when detecting a four-layer DDoS attack, determining a target first public network IP suffering from the four-layer DDoS attack and each site domain name corresponding to the target first public network IP;
respectively allocating the second public network IP to the site domain names in a one-to-one corresponding mode, and updating mapping relation information in a Domain Name System (DNS) so as to provide services for the corresponding site domain names by using the second public network IP;
performing four-layer DDoS detection on the second public network IP;
when detecting a four-layer DDoS attack, determining a target second public network IP suffering from the four-layer DDoS attack, and determining a site actually suffering from the four-layer DDoS attack according to a site domain name corresponding to the target second public network IP.
12. A method of detection, comprising:
determining that a first IP is in a preset network state, wherein the first IP corresponds to at least one domain name;
acquiring a domain name corresponding to the first IP, wherein the domain name corresponds to a preset application;
allocating a second IP for the domain name;
determining that the second IP is in a preset network state, and accordingly determining that the preset application is a target application; wherein the network state is an attacked network state, and the target application is an attacked application;
the allocating a second IP to the domain name includes:
respectively allocating second IPs for the domain names corresponding to the first IPs in a one-to-one corresponding mode;
the allocating the second IP to the domain name further comprises:
and updating the corresponding relation between the domain name and the IP in the domain name system DNS.
13. A detection device, comprising:
a first network status determining unit, configured to determine that a first IP is in a preset network status, where the first IP corresponds to at least one domain name;
a domain name obtaining unit, configured to obtain a domain name corresponding to the first IP, where the domain name corresponds to a preset application;
the IP allocation unit is used for allocating a second IP for the domain name;
a second network state determining unit, configured to determine that a second IP is in a preset network state, so as to determine that the preset application is a target application; wherein the network state is an attacked network state, and the target application is an attacked application;
the IP allocation unit is specifically used for respectively allocating second IPs to the domain names corresponding to the first IP in a one-to-one correspondence, and for updating the correspondence between the domain names and the IPs in the domain name system DNS.
CN201710538834.1A 2017-07-04 2017-07-04 Four-layer distributed denial of service attack detection method and device Active CN109218265B (en)

Publications (2)

Publication Number Publication Date
CN109218265A CN109218265A (en) 2019-01-15
CN109218265B true CN109218265B (en) 2021-05-28

Family

ID=64993133

Country Status (1)

Country Link
CN (1) CN109218265B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110012123B (en) * 2019-03-22 2022-05-10 新华三技术有限公司 Network address translation method, device and access equipment
CN110636072B (en) * 2019-09-26 2021-05-14 腾讯科技(深圳)有限公司 Target domain name scheduling method, device, equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7797738B1 (en) * 2005-12-14 2010-09-14 At&T Corp. System and method for avoiding and mitigating a DDoS attack
CN103209192B (en) * 2013-05-10 2016-03-23 张昱 For domain name state purging system during ddos attack and detection method
CN106713220A (en) * 2015-07-24 2017-05-24 中兴通讯股份有限公司 DDOS-attack-based prevention method and device
CN105681133B (en) * 2016-03-14 2018-09-07 中国科学院计算技术研究所 A method of the detection whether anti-network attack of dns server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant