CN111107069A - DoS attack protection method and device - Google Patents


Info

Publication number
CN111107069A
Authority
CN
China
Prior art keywords
dos
source
dos attack
address
address list
Legal status
Pending
Application number
CN201911252784.6A
Other languages
Chinese (zh)
Inventor
夏敏
黄小龙
强亮
郭小会
崔忠正
Current Assignee
Fiberhome Telecommunication Technologies Co Ltd
Original Assignee
Fiberhome Telecommunication Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a method and a device for protecting against DoS attacks, wherein the method comprises the following steps: extracting the source IP address of a received DoS attack feature packet; looking up the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of DoS attack feature packets received within a preset period duration; and, according to the DoS source IP address list type to which the source IP address belongs, determining the corresponding DoS attack protection mode and applying it. By dynamically updating the DoS source IP address list according to the periodic statistical characteristics of the DoS attack feature packets, the method and device can rapidly identify the DoS attack source, make the DoS attack judgment rapidly when a DoS attack occurs, and improve the speed of DoS attack prevention processing.

Description

DoS attack protection method and device
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a DoS attack protection method and apparatus.
Background
Denial of Service (DoS) refers to deliberately exploiting defects in network protocol implementations, or directly exhausting the resources of the attacked target by brute-force means. The aim is to prevent the computer or network from providing normal service, so that the target system stops responding or even crashes. Common DoS attacks include SYN (synchronization) Flood attacks, UDP (User Datagram Protocol) Flood attacks, and the like. DoS attacks have existed almost since the birth of the Internet, have developed and escalated along with it, and pose a great threat to the security of the rapidly growing Internet.
The premise of DoS attack prevention is to detect the DoS attack first and then adopt a certain method or strategy to perform DoS attack prevention processing, so as to prevent equipment from crashing or being unable to provide normal service because of the attack. In the prior art, network equipment generally adopts a single-threshold DoS attack detection method: when the rate at which DoS attack feature packets are received exceeds the DoS attack detection threshold, a DoS attack is considered to be under way, and all packets from that IP address are then discarded.
However, in the method provided by the prior art, whenever the DoS attack source IP address changes, the statistics must be gathered again from scratch for the new address until it in turn exceeds the threshold value, so the DoS attack judgment cannot be made quickly when a DoS attack occurs.
Therefore, there is a need for a DoS attack protection method to solve the above problems.
Disclosure of Invention
In order to solve the problem that the method provided by the prior art has to gather statistics on the DoS attack feature packets again each time the DoS attack source IP address changes, embodiments of the present invention provide a DoS attack protection method and apparatus that overcome the above problems or at least partially solve them.
In a first aspect, an embodiment of the present invention provides a DoS attack protection method, including:
extracting a source IP address of the received DoS attack feature packet;
searching the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of the received DoS attack feature packets within the preset period duration;
and determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs.
Wherein the method further comprises:
and comparing the quantity of the received DoS attack feature packets in a preset period duration with a preset threshold value to update the DoS source IP address list.
In the step of comparing the number of DoS attack feature packets received within the preset period duration with the preset threshold value to update the DoS source IP address list, the preset threshold value includes a first threshold value and a second threshold value, the first threshold value being smaller than the second threshold value, and accordingly the step specifically includes:
if the number of the received DoS attack feature packets in the preset period duration is larger than a second threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into denial-type DoS source IP addresses, and storing the denial-type DoS source IP addresses in the DoS source IP address list.
Wherein, the comparing the number of DoS attack feature packets received in the preset period duration with the preset threshold value to update the DoS source IP address list further comprises:
if the number of the received DoS attack feature packets in the preset period duration is not greater than a second threshold value and is greater than a first threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into the restricted DoS source IP addresses, and storing the restricted DoS source IP addresses in the DoS source IP address list.
Wherein, the comparing the number of DoS attack feature packets received in the preset period duration with the preset threshold value to update the DoS source IP address list further comprises:
if the number of the received DoS attack feature packets in the preset period duration is not more than a first threshold value, increasing the preset period duration;
and if the number of the received DoS attack feature packets in the preset period duration is still not greater than a first threshold value after the preset period duration is increased to a preset maximum value, deleting the source IP addresses corresponding to all the received DoS attack feature packets in the preset period from the DoS source IP address list.
Wherein, the determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs includes:
and if the DoS source IP address list type to which the source IP address belongs is a denial-type DoS source IP address, discarding the DoS attack feature packet to protect against the DoS attack.
Wherein, the determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs further includes:
if the DoS source IP address list type to which the source IP address belongs is a restricted address, detecting the DoS attack feature packet rate;
and if the rate of the DoS attack feature packets is greater than the rate-limiting threshold, discarding the DoS attack feature packet to protect against the DoS attack.
In a second aspect, an embodiment of the present invention further provides a DoS attack protecting apparatus, including:
the source IP address extraction module is used for extracting the source IP address of the received DoS attack feature packet;
the DoS source IP address query module is used for searching the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of DoS attack feature packets received within the preset period duration;
the DoS attack protection module is used for determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs;
and the IP address list updating module is used for comparing the number of the received DoS attack feature packets in the preset period duration with a preset threshold value so as to update the DoS source IP address list.
Wherein the preset threshold includes a first threshold and a second threshold, the first threshold is smaller than the second threshold, and the IP address list updating module is specifically configured to:
if the number of the received DoS attack feature packets in the preset period duration is greater than a second threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into denial-type DoS source IP addresses, and storing the denial-type DoS source IP addresses in the DoS source IP address list;
if the number of the received DoS attack feature packets in the preset period duration is not greater than a second threshold value and is greater than a first threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into limited DoS source IP addresses, and storing the limited DoS source IP addresses in the DoS source IP address list;
if the number of the received DoS attack feature packets in the preset period duration is not more than a first threshold value, increasing the preset period duration;
and if the number of the received DoS attack feature packets in the preset period duration is still not greater than a first threshold value after the preset period duration is increased to a preset maximum value, deleting the source IP addresses corresponding to all the received DoS attack feature packets in the preset period from the DoS source IP address list.
Wherein the DoS attack protection module is specifically configured to:
if the DoS source IP address list type to which the source IP address belongs is a denial-type DoS source IP address, discarding the DoS attack feature packet to protect against the DoS attack; if the DoS source IP address list type to which the source IP address belongs is a restricted address, detecting the DoS attack feature packet rate;
and if the rate of the DoS attack feature packets is greater than the rate-limiting threshold, discarding the DoS attack feature packet to protect against the DoS attack.
In a third aspect, an embodiment of the present invention provides an electronic device, including:
a processor, a memory, a communication interface, and a bus; the processor, the memory and the communication interface complete mutual communication through the bus; the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the DoS attack protection method.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute a DoS attack protection method as described above.
According to the method and the device for protecting the DoS attack, the IP address list is dynamically updated according to the periodic statistical characteristics of the DoS attack feature packet, the DoS attack source can be rapidly identified, the DoS attack judgment is rapidly made when the DoS attack occurs, and the DoS attack prevention processing speed is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a DoS attack protection method according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating a DoS source IP address list updating process provided in an embodiment of the present invention;
fig. 3 is a schematic diagram of a DoS attack protection flow provided by an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a DoS attack protection apparatus according to an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a DoS attack protection method provided by an embodiment of the present invention, as shown in fig. 1, including:
101. extracting a source IP address of the received DoS attack feature packet;
102. searching the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of the received DoS attack feature packets within the preset period duration;
103. and determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs.
As can be seen from the background, the prior art generally uses a single-threshold DoS attack detection method: when the rate at which DoS attack feature packets are received exceeds the DoS attack detection threshold, a DoS attack is considered to be under way and all packets from that IP address are discarded. But once the source IP address changes, the statistics have to be gathered again, so rapid protection cannot be achieved.
In view of the above problems, the method provided by the embodiment of the present invention can make a decision quickly when a DoS attack occurs, thereby improving the efficiency of DoS attack protection processing. Specifically, regarding step 101, a DoS attack is generally carried out by sending data packets carrying DoS attack features; in the embodiment of the present invention these are collectively referred to as DoS attack feature packets, so that whenever any DoS attack feature packet is received, the embodiment of the present invention can immediately extract the source IP address from which it was sent.
Further, in step 102, the embodiment of the present invention looks up the source IP address extracted in step 101 in the DoS source IP address list, so as to determine the DoS source IP address list type to which the DoS attack feature packet belongs. It should be noted that the DoS source IP address list is dynamically updated according to the number of DoS attack feature packets received within the preset period duration. The addresses in the DoS source IP address list are generally divided into denial-type DoS source IP addresses and restriction-type DoS source IP addresses. When the number of DoS attack feature packets received within the preset period duration satisfies the condition for adding a denial-type IP address, the source IP addresses corresponding to all DoS attack feature packets received within that period are classified as denial-type DoS source IP addresses and stored in the DoS source IP address list; similarly, when that number satisfies the condition for adding a restriction-type DoS source IP address, the source IP addresses corresponding to all DoS attack feature packets received within that period are classified as restriction-type DoS source IP addresses and stored in the DoS source IP address list. Thus, whenever a DoS attack feature packet is received, its source IP address can be extracted immediately and the DoS source IP address list type to which it belongs can be looked up in the list. It can be understood that if the source IP address is not found in the DoS source IP address list, the DoS attack feature packet is regarded as having no harmful influence and the data packet can be accepted directly.
Preferably, in the embodiment of the present invention, two sub-tables may also be set up within the DoS source IP address list: a restriction source IP address list and a rejection source IP address list. An IP address judged to be of the rejection class is stored directly in the rejection source IP address list, and an IP address judged to be of the restriction class is stored directly in the restriction source IP address list.
Finally, in step 103, a protection method corresponding to the DoS source IP address list type found in the DoS source IP address list is adopted. For example, when the source IP address is of the rejection type, the embodiment of the invention directly discards the DoS attack feature packet for protection; when the source IP address is of the restriction type, a judgment is made according to some additional conditions, and if those conditions are still not satisfied, the DoS attack feature packet is discarded.
According to the DoS attack protection method provided by the embodiment of the invention, the DoS attack source can be quickly identified by dynamically updating the DoS source IP address list according to the periodic statistical characteristics of the DoS attack feature packet, and when the DoS attack occurs, the DoS attack judgment is quickly made, so that the DoS attack prevention processing speed is improved.
On the basis of the above embodiment, the method further includes:
and comparing the quantity of the received DoS attack feature packets in a preset period duration with a preset threshold value to update the DoS source IP address list.
As can be seen from the content of the foregoing embodiment, in the embodiment of the present invention, the DoS source IP address list type to which the source IP address belongs is searched in the DoS source IP address list, so it can be understood that the embodiment of the present invention maintains the dynamic update of the DoS source IP address list.
Specifically, the embodiment of the present invention may count the number of received DoS attack feature packets per preset period duration, preferably implemented with a timer: each time a DoS attack feature packet is received, the packet count NUM is incremented by 1; when the timer expires, the value of NUM is read and compared with the preset threshold value to determine the type of the IP address, thereby updating the DoS source IP address list.
On the basis of the foregoing embodiment, the preset threshold includes a first threshold and a second threshold, where the first threshold is smaller than the second threshold, and correspondingly, the comparing the number of DoS attack feature packets received within the preset period duration with the preset threshold to update the DoS source IP address list specifically includes:
if the number of the received DoS attack feature packets in the preset period duration is larger than a second threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into denial-type DoS source IP addresses, and storing the denial-type DoS source IP addresses in the DoS source IP address list.
Preferably, the method provided by the embodiment of the present invention dynamically updates the DoS source IP address list by using a double-threshold detection method. Specifically, the preset threshold value is first set as a first threshold value C1 and a second threshold value C2, with C1 less than C2; then the number NUM of DoS attack feature packets received within the preset period duration is counted and compared with C2. If NUM is greater than C2, the DoS attack feature packets are arriving at a very high frequency and the corresponding source IP address poses a very high threat, so the source IP address is classified as a denial-type DoS source IP address and stored in the DoS source IP address list.
On the basis of the foregoing embodiment, the comparing the number of DoS attack feature packets received within a preset period duration with a preset threshold value to update the DoS source IP address list further includes:
if the number of the received DoS attack feature packets in the preset period duration is not greater than a second threshold value and is greater than a first threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into the restricted DoS source IP addresses, and storing the restricted DoS source IP addresses in the DoS source IP address list.
As can be seen from the foregoing embodiment, the first threshold C1 and the second threshold C2 are set, with C1 less than C2, and the number NUM of DoS attack feature packets received within the preset period duration is first compared with C2. If NUM is greater than C2, the corresponding source IP address is classified as a denial-type address. If NUM is less than or equal to C2, NUM is compared with C1; if NUM is greater than C1, the DoS attack feature packets arrive at a certain frequency and pose a certain threat that needs to be limited, so the corresponding source IP address is classified as a restriction-type address and stored in the DoS source IP address list.
On the basis of the foregoing embodiment, the comparing the number of DoS attack feature packets received within a preset period duration with a preset threshold value to update the DoS source IP address list further includes:
if the number of the received DoS attack feature packets in the preset period duration is not more than a first threshold value, increasing the preset period duration;
and if the number of the received DoS attack feature packets in the preset period duration is still not greater than a first threshold value after the preset period duration is increased to a preset maximum value, deleting the source IP addresses corresponding to all the received DoS attack feature packets in the preset period from the DoS source IP address list.
As can be seen from the foregoing embodiment, the first threshold C1 and the second threshold C2 are set, with C1 less than C2; the number NUM of DoS attack feature packets received within the preset period duration is compared with C2, and if NUM is greater than C2, the corresponding source IP address is classified as a denial-type address, while if NUM is greater than C1 and less than or equal to C2, the corresponding source IP address is classified as a restriction-type IP address. If NUM is less than or equal to C1, the DoS attack feature packets arrive at a low frequency within the period duration, and the embodiment of the present invention preferably increases the preset period duration so as to detect the source IP address more accurately. Preferably, the preset period duration T is initially set to T1, and when NUM is less than or equal to C1, T is extended to 2T and NUM is counted again; it can be understood that the specific way in which T is increased may be set according to the actual situation, which is not described again in the embodiments of the present invention.
Further, in the embodiment of the present invention, when NUM is less than or equal to C1, the preset period duration T is appropriately increased and the count is taken again. It can be understood that the preset period duration cannot be increased endlessly, so the embodiment of the present invention sets a preset maximum value for it; when the NUM counted on reaching the preset maximum value is still not greater than C1, the source IP address can be regarded as substantially threat-free and deleted from the DoS source IP address list. For example, when T > 40 seconds (40 being the preset maximum value set in this embodiment) and NUM is still not greater than C1, the source IP address of the DoS attack feature packets is deleted from the DoS source IP address list. It is understood that 40 is a preferred value provided by the embodiment of the present invention; the specific value may be set according to the actual situation and is not specifically limited by the embodiment of the present invention.
On the basis of the above embodiment, the determining, according to the DoS source IP address list type to which the source IP address belongs, a DoS attack protection manner corresponding to the DoS source IP address list type for protection includes:
and if the DoS source IP address list type to which the source IP address belongs is a denial-type DoS source IP address, discarding the DoS attack feature packet to protect against the DoS attack.
As can be seen from the content of the foregoing embodiment, the DoS source IP address list type is classified into the denial type address and the restriction type address in the embodiment of the present invention, and it can be understood that, for the denial type address, because the threat is high, once it is determined that the source IP address to which the current DoS attack feature packet belongs is the denial type DoS source IP address, the data packet is directly discarded, thereby effectively protecting against DoS attacks.
On the basis of the above embodiment, the determining, according to the DoS source IP address list type to which the source IP address belongs, a DoS attack protection manner corresponding to the DoS source IP address list type for protection further includes:
if the DoS source IP address list type to which the source IP address belongs is a restricted DoS source IP address, detecting the DoS attack feature packet rate;
and if the rate of the DoS attack feature packets is greater than the rate-limiting threshold, discarding the DoS attack feature packet to protect against the DoS attack.
As can be seen from the foregoing embodiment, the DoS source IP address list types are divided into rejection-class addresses and restriction-class addresses in the embodiment of the present invention, and it can be understood that, since a restriction-class address poses only a certain threat, a further determination is required to decide whether the packet can be accepted.
Specifically, the embodiment of the present invention may detect the sending rate of the DoS attack feature packets in real time and compare it with a preset rate-limiting threshold R1. If the sending rate is greater than R1, the threat is high and the data packet must be discarded, thereby protecting against the DoS attack. If the sending rate is less than R1, the threat is low and the packet can be accepted.
One exemplary embodiment is described below: fig. 2 is a schematic diagram of a DoS source IP address list update process provided in an embodiment of the present invention, and as shown in fig. 2, the process of performing update determination on the DoS source IP address list in the embodiment of the present invention includes:
S201, setting DoS attack detection thresholds C1 and C2, wherein C1 is less than C2;
S202, after the first DoS attack feature packet from a given source IP is received, starting a timer, setting the DoS attack detection period T to T1, and starting timing; it should be noted that each DoS attack source IP has its own one-to-one corresponding timer, so that a corresponding timer can be started for any source IP address; then jumping to S204;
S203, resetting the DoS attack detection period T to T1, and then jumping to S204;
S204, receiving a DoS attack feature packet;
S205, adding 1 to the DoS attack feature packet count NUM;
S206, judging whether the detection period T has expired; if so, executing step S207, otherwise executing step S204;
S207, judging whether NUM is larger than the DoS attack detection threshold C2; if so, executing step S208, otherwise executing step S209;
S208, adding the source IP address of the DoS attack feature packet to the DoS attack rejection IP address list, and executing step S203;
S209, judging whether NUM is larger than the DoS attack detection threshold C1; if so, executing step S210, otherwise executing step S211;
S210, adding the source IP address of the DoS attack feature packet to the DoS attack restriction IP address list, and executing step S203;
S211, judging whether the detection period T is greater than 4T1; if so, executing step S212, otherwise executing step S213;
S212, deleting the source IP address of the DoS attack feature packet from both the DoS attack rejection IP address list and the DoS attack restriction IP address list, releasing the timer resource corresponding to that IP address after deletion, and ending the process;
S213, doubling the DoS attack feature packet counting period, that is, setting T = 2T, and executing step S204.
Fig. 3 is a schematic diagram of a DoS attack protection process provided by an embodiment of the present invention, and as shown in fig. 3, the DoS attack protection process performed by the embodiment of the present invention is as follows:
S301, setting a DoS attack feature packet rate limiting threshold R1;
S302, receiving a DoS attack feature packet;
S303, judging whether the source IP address of the DoS attack feature packet exists in the DoS attack rejection IP address list; if so, executing step S304, otherwise executing step S305;
S304, discarding the DoS attack feature packet;
S305, judging whether the source IP address of the DoS attack feature packet exists in the DoS attack restriction IP address list; if so, executing step S306, otherwise executing step S307;
S306, judging whether the DoS attack feature packet rate is greater than the DoS rate limiting threshold R1; if so, executing step S304, otherwise executing step S307;
S307, receiving the DoS attack feature packet.
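Both procedures above, the list update of fig. 2 (S201 to S213) and the protection check of fig. 3 (S301 to S307), as an added Python model. This is not the patent's own code: the class and method names, the handling of the per-source timer as an event evaluated on packet arrival, the one-second sliding window used to measure the S306 packet rate, and the restart of NUM at each period boundary are assumptions made here, since the patent does not specify them. The traffic in `demo()` is constructed.

```python
from collections import deque
from dataclasses import dataclass, field

RATE_WINDOW = 1.0  # seconds over which the S306 packet rate is measured (assumption)


@dataclass
class SourceState:
    """Per-source timer state (S202: one timer per attacking source IP)."""
    period: float                    # current DoS attack detection period T
    period_start: float              # time at which the current period began
    count: int = 0                   # NUM: feature packets counted in this period
    arrivals: deque = field(default_factory=deque)  # recent arrival times for the rate check


class DosListManager:
    """Maintains the rejection and restriction lists of fig. 2 and applies fig. 3."""

    def __init__(self, c1, c2, t1, r1):
        if not c1 < c2:                      # S201: C1 must be smaller than C2
            raise ValueError("C1 must be smaller than C2")
        self.c1, self.c2, self.t1, self.r1 = c1, c2, t1, r1
        self.reject = set()                  # DoS attack rejection IP address list
        self.limit = set()                   # DoS attack restriction IP address list
        self.timers = {}                     # source IP -> SourceState

    def on_feature_packet(self, src, now):
        """Handle one feature packet from src at time now; returns 'accept' or 'drop'."""
        st = self.timers.get(src)
        if st is None:
            st = SourceState(period=self.t1, period_start=now)  # S202: start timer, T = T1
            self.timers[src] = st
        st.count += 1                                           # S205: NUM += 1
        st.arrivals.append(now)
        self.evaluate_period(src, now)                          # S206 onward
        # Protection process S303-S307: the rejection list is consulted first.
        if src in self.reject:
            return "drop"                                       # S304
        if src in self.limit and self.packet_rate(src, now) > self.r1:
            return "drop"                                       # S306 -> S304
        return "accept"                                         # S307

    def evaluate_period(self, src, now):
        """S206-S213. A real device would also run this from the per-source timer,
        so that a source which falls silent still ages out of the lists."""
        st = self.timers.get(src)
        if st is None or now - st.period_start < st.period:
            return                                              # S206: period not expired
        if st.count > self.c2:                                  # S207
            self.reject.add(src)                                # S208
            st.period = self.t1                                 # S203
        elif st.count > self.c1:                                # S209
            self.limit.add(src)                                 # S210
            st.period = self.t1                                 # S203
        elif st.period > 4 * self.t1:                           # S211
            self.reject.discard(src)                            # S212: remove from both lists
            self.limit.discard(src)
            del self.timers[src]                                # release the timer resource
            return
        else:
            st.period *= 2                                      # S213: T = 2T
        st.count = 0                                            # assumption: NUM restarts each period
        st.period_start = now

    def packet_rate(self, src, now):
        """Packets per second from src over the last RATE_WINDOW seconds (S306)."""
        arrivals = self.timers[src].arrivals
        while arrivals and arrivals[0] <= now - RATE_WINDOW:
            arrivals.popleft()
        return len(arrivals) / RATE_WINDOW


def demo():
    """Constructed traffic: a flood, a moderate source that later bursts, and a
    restricted source that goes quiet and ages out. Returns the observed decisions."""
    mgr = DosListManager(c1=10, c2=100, t1=1.0, r1=50.0)
    out = {}
    flood = "198.51.100.7"                                      # documentation address
    first = [mgr.on_feature_packet(flood, 0.001 * i) for i in range(120)]
    out["flood_before_period_end"] = first.count("accept")      # classification lags one period
    out["flood_after_period_end"] = mgr.on_feature_packet(flood, 1.0)
    out["flood_rejected"] = flood in mgr.reject

    mod = "203.0.113.9"
    for i in range(20):                                         # 20 packets: above C1, below C2
        mgr.on_feature_packet(mod, 0.01 * i)
    out["moderate_at_period_end"] = mgr.on_feature_packet(mod, 1.0)
    out["moderate_restricted"] = mod in mgr.limit
    burst = [mgr.on_feature_packet(mod, 5.0 + 0.001 * i) for i in range(80)]
    out["burst_accepted"] = burst.count("accept")               # until the rate passes R1
    out["burst_dropped"] = burst.count("drop")

    quiet = "192.0.2.33"
    for i in range(15):
        mgr.on_feature_packet(quiet, 0.01 * i)
    mgr.on_feature_packet(quiet, 1.0)                           # restricted at end of period 1
    out["quiet_restricted"] = quiet in mgr.limit
    periods = [mgr.timers[quiet].period]
    for t in (2.0, 4.0, 8.0):                                   # one packet per period: T doubles
        mgr.on_feature_packet(quiet, t)
        periods.append(mgr.timers[quiet].period)
    out["quiet_periods"] = periods
    out["quiet_final"] = mgr.on_feature_packet(quiet, 16.0)     # T = 8T1 > 4T1: deleted (S212)
    out["quiet_removed"] = quiet not in mgr.limit and quiet not in mgr.timers
    return out
```

Two properties of the flow as drawn in fig. 2 are visible in `demo()`: a source is classified only when its first detection period expires, so the feature packets of that first period are admitted; and, with the S211 test written as T > 4T1, a restricted or rejected source is removed only after periods of T1, 2T1, 4T1 and 8T1 have each passed with at most C1 packets, i.e. about 15 T1 of low activity. The S210 step adds to the restriction list without removing the address from the rejection list, so the model follows the figure literally and relies on S303 being checked before S305.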
Fig. 4 is a schematic structural diagram of a DoS attack protection device according to an embodiment of the present invention. As shown in fig. 4, the device includes a source IP address extraction module 401, a DoS source IP address query module 402, and a DoS attack protection module 403, where:
the source IP address extraction module 401 is configured to extract the source IP address of the received DoS attack feature packet;
the DoS source IP address query module 402 is configured to search for the DoS source IP address list type to which the source IP address belongs, where the DoS source IP address list is dynamically updated according to the number of DoS attack feature packets received within a preset period duration;
the DoS attack protection module 403 is configured to determine, according to the DoS source IP address list type to which the source IP address belongs, the DoS attack protection manner corresponding to that list type, and to apply it for protection.
The device further comprises an IP address list updating module, configured to compare the number of DoS attack feature packets received within the preset period duration with a preset threshold value so as to update the DoS source IP address list.
Specifically, the source IP address extraction module 401, the DoS source IP address query module 402, and the DoS attack protection module 403 execute the technical solution of the DoS attack protection method embodiment shown in fig. 1; their implementation principle and technical effect are similar to those described above and are not repeated here.
According to the DoS attack protection device provided by the embodiment of the invention, the DoS source IP address list is dynamically updated according to the periodic statistical characteristics of the DoS attack feature packets, so that a DoS attack source can be identified quickly, the DoS attack judgment is made quickly when a DoS attack occurs, and the DoS attack protection processing speed is improved.
The preset threshold includes a first threshold and a second threshold, where the first threshold is smaller than the second threshold, and correspondingly, the DoS source IP address list updating module is specifically configured to:
if the number of the received DoS attack feature packets in the preset period duration is greater than a second threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into denial-type DoS source IP addresses, and storing the denial-type DoS source IP addresses in the DoS source IP address list;
if the number of the received DoS attack feature packets in the preset period duration is not greater than a second threshold value and is greater than a first threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into limited DoS source IP addresses, and storing the limited DoS source IP addresses in the DoS source IP address list;
if the number of the received DoS attack feature packets in the preset period duration is not more than a first threshold value, increasing the preset period duration;
and if the number of the received DoS attack feature packets in the preset period duration is still not greater than a first threshold value after the preset period duration is increased to a preset maximum value, deleting the source IP addresses corresponding to all the received DoS attack feature packets in the preset period from the DoS source IP address list.
On the basis of the above embodiment, the DoS attack protection module is configured to:
if the DoS source IP address list type to which the source IP address belongs is a denial-type DoS source IP address, discard the DoS attack feature packet to protect against the DoS attack;
if the DoS source IP address list type to which the source IP address belongs is a restricted address, detect the DoS attack feature packet rate;
and if the rate of the DoS attack feature packets is greater than the rate limiting threshold, discard the DoS attack feature packet to protect against the DoS attack.
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention, and referring to fig. 5, the electronic device includes: a processor (processor)501, a communication Interface (Communications Interface)502, a memory (memory)503, and a bus 504, wherein the processor 501, the communication Interface 502, and the memory 503 are configured to communicate with each other via the bus 504. The processor 501 may call logic instructions in the memory 503 to perform the following method: extracting a source IP address of the received DoS attack feature packet; searching the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of the received DoS attack feature packets within the preset period duration; and determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs.
An embodiment of the present invention discloses a computer program product, which includes a computer program stored on a non-transitory computer readable storage medium, the computer program including program instructions, when the program instructions are executed by a computer, the computer can execute the methods provided by the above method embodiments, for example, the method includes: extracting a source IP address of the received DoS attack feature packet; searching the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of the received DoS attack feature packets within the preset period duration; and determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs.
Embodiments of the present invention provide a non-transitory computer-readable storage medium, which stores computer instructions, where the computer instructions cause the computer to perform the methods provided by the above method embodiments, for example, the methods include: extracting a source IP address of the received DoS attack feature packet; searching the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of the received DoS attack feature packets within the preset period duration; and determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to each embodiment or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A DoS attack protection method is characterized by comprising the following steps:
extracting a source IP address of the received DoS attack feature packet;
searching the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of the received DoS attack feature packets within the preset period duration;
and determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs.
2. The DoS attack protection method according to claim 1, wherein the method further comprises:
and comparing the quantity of the received DoS attack feature packets in a preset period duration with a preset threshold value to update the DoS source IP address list.
3. The DoS attack protection method according to claim 2, wherein the preset threshold includes a first threshold and a second threshold, the first threshold is smaller than the second threshold, and accordingly, the number of DoS attack feature packets received within a preset period duration is compared with the preset threshold to update the DoS source IP address list, which specifically includes:
if the number of the received DoS attack feature packets in the preset period duration is larger than a second threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into denial-type DoS source IP addresses, and storing the denial-type DoS source IP addresses in the DoS source IP address list.
4. The DoS attack protection method according to claim 3, wherein the comparing the number of DoS attack feature packets received within a preset period duration with a preset threshold to update the DoS source IP address list further comprises:
if the number of the received DoS attack feature packets in the preset period duration is not greater than a second threshold value and is greater than a first threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into the restricted DoS source IP addresses, and storing the restricted DoS source IP addresses in the DoS source IP address list.
5. The DoS attack protection method according to claim 4, wherein the comparing the number of DoS attack feature packets received within a preset period duration with a preset threshold to update the DoS source IP address list further comprises:
if the number of the received DoS attack feature packets in the preset period duration is not more than a first threshold value, increasing the preset period duration;
and if the number of the received DoS attack feature packets in the preset period duration is still not greater than a first threshold value after the preset period duration is increased to a preset maximum value, deleting the source IP addresses corresponding to all the received DoS attack feature packets in the preset period from the DoS source IP address list.
6. The DoS attack protection method according to claim 2, wherein the determining, according to the DoS source IP address list type to which the source IP address belongs, a DoS attack protection mode corresponding to the DoS source IP address list type for protection includes:
and if the DoS source IP address list type to which the source IP address belongs is a denial-type DoS source IP address, discarding the DoS attack feature packet to protect against the DoS attack.
7. The DoS attack protection method according to claim 2, wherein the determining, according to the DoS source IP address list type to which the source IP address belongs, a DoS attack protection mode corresponding to the DoS source IP address list type for protection further comprises:
if the DoS source IP address list type to which the source IP address belongs is a restricted address, detecting the DoS attack feature packet rate;
and if the rate of the DoS attack feature packets is greater than the rate limiting threshold, discarding the DoS attack feature packet to protect against the DoS attack.
8. A DoS attack protection device, comprising:
the source IP address extraction module is used for extracting the source IP address of the received DoS attack feature packet;
the DoS source IP address query module is used for searching the DoS source IP address list type to which the source IP address belongs, wherein the DoS source IP address list is dynamically updated according to the number of DoS attack feature packets received within the preset period duration;
the DoS attack protection module is used for determining a DoS attack protection mode corresponding to the DoS source IP address list type for protection according to the DoS source IP address list type to which the source IP address belongs;
and the IP address list updating module is used for comparing the number of the received DoS attack feature packets in the preset period duration with a preset threshold value so as to update the DoS source IP address list.
9. The DoS attack protection device according to claim 8, wherein the preset threshold includes a first threshold and a second threshold, the first threshold is smaller than the second threshold, and the IP address list updating module is specifically configured to:
if the number of the received DoS attack feature packets in the preset period duration is greater than a second threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into denial-type DoS source IP addresses, and storing the denial-type DoS source IP addresses in the DoS source IP address list;
if the number of the received DoS attack feature packets in the preset period duration is not greater than a second threshold value and is greater than a first threshold value, classifying the source IP addresses corresponding to all the received DoS attack feature packets in the preset period into limited DoS source IP addresses, and storing the limited DoS source IP addresses in the DoS source IP address list;
if the number of the received DoS attack feature packets in the preset period duration is not more than a first threshold value, increasing the preset period duration;
and if the number of the received DoS attack feature packets in the preset period duration is still not greater than a first threshold value after the preset period duration is increased to a preset maximum value, deleting the source IP addresses corresponding to all the received DoS attack feature packets in the preset period from the DoS source IP address list.
10. The DoS attack protection device according to claim 9, wherein the DoS attack protection module is specifically configured to:
if the DoS source IP address list type to which the source IP address belongs is a denial-type DoS source IP address, discarding the DoS attack feature packet to protect against the DoS attack; if the DoS source IP address list type to which the source IP address belongs is a restricted address, detecting the DoS attack feature packet rate;
and if the rate of the DoS attack feature packets is greater than the rate limiting threshold, discarding the DoS attack feature packet to protect against the DoS attack.
CN201911252784.6A 2019-12-09 2019-12-09 DoS attack protection method and device Pending CN111107069A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911252784.6A CN111107069A (en) 2019-12-09 2019-12-09 DoS attack protection method and device

Publications (1)

Publication Number Publication Date
CN111107069A true CN111107069A (en) 2020-05-05

Family

ID=70422648

Country Status (1)

Country Link
CN (1) CN111107069A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090300759A1 (en) * 2005-12-28 2009-12-03 Foundry Networks, Inc. Attack prevention techniques
CN101631026A (en) * 2008-07-18 2010-01-20 北京启明星辰信息技术股份有限公司 Method and device for defending against denial-of-service attacks
CN105610851A (en) * 2016-01-14 2016-05-25 北京乐动卓越科技有限公司 Method and system for defending distributed denial of service (DDoS) attack
CN108173812A (en) * 2017-12-07 2018-06-15 东软集团股份有限公司 Prevent method, apparatus, storage medium and the equipment of network attack
CN110113290A (en) * 2018-02-01 2019-08-09 华为技术有限公司 Detection method, device, host and the storage medium of network attack

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112019520A (en) * 2020-08-07 2020-12-01 广州华多网络科技有限公司 Request interception method, device, equipment and storage medium
CN112019520B (en) * 2020-08-07 2022-08-16 广州华多网络科技有限公司 Request interception method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200505