CN111641628B - Monitoring and early warning method for DDoS attack in subnet deception - Google Patents


Info

Publication number
CN111641628B
Authority
CN
China
Prior art keywords
tcp
subnet
alarm
state
data
Prior art date
Legal status
Active
Application number
CN202010456650.2A
Other languages
Chinese (zh)
Other versions
CN111641628A (en)
Inventor
冯钊
曹立
高才
郭晓冬
唐锡南
Current Assignee
Guangzhou Radio And Television Research Institute Co ltd
Original Assignee
Nanjing Clearcloud Software Technology Co ltd
Priority date
2020-05-26
Filing date
2020-05-26
Publication date
2020-09-08 (application CN111641628A); 2022-04-19 (granted patent CN111641628B)

Links

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 By monitoring network traffic)
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (H Electricity > H04 Electric communication technique > H04L Transmission of digital information > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications)
    • H04L63/1458 Denial of Service (H Electricity > H04 Electric communication technique > H04L Transmission of digital information > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic)

Abstract

The invention relates to a monitoring and early warning method for subnet-spoofing DDoS attacks. The method receives user network traffic through a bypass mirror port of a switch and separates out the TCP traffic; aggregates it by source address, destination port and TCP ending state; and extracts from the alarm information the number of alarm source addresses belonging to the same subnet. If the number of alarm source addresses in a subnet exceeds a threshold, an alarm is sent; otherwise the number of source addresses in that subnet whose TCP three-way handshake did not complete, and the corresponding total number of unsuccessful connections, are retrieved from the aggregated TCP data, and an alarm is sent if both exceed their thresholds. Multi-level rules are combined in a pipeline: the subnet number is extracted from the low-level alarm information and used to retrieve the DDoS attack traffic from the full TCP flow data, producing a higher-level subnet-spoofing DDoS alarm. This greatly reduces the amount of computation and the complexity of the rules, and improves identification accuracy.

Description

Monitoring and early warning method for DDoS attack in subnet deception
Technical Field
The invention relates to the technical field of network equipment security management, in particular to a monitoring and early warning method for DDoS attack in subnet deception.
Background
Distributed denial-of-service (DDoS) attacks are among the most important threats on the Internet today. In a DDoS attack, the attacker exhausts the computing resources of a target by issuing a mass of requests from controlled (zombie) hosts, so that the target can no longer serve legitimate users. Web servers and DNS servers are the most common targets, and the resources consumed may be CPU, memory, bandwidth and so on; websites at home and abroad such as Amazon, eBay, Yahoo, Sina and Baidu have all been hit by DDoS attacks. DDoS attacks can target not only a specific service, such as a web or DNS server, but also network infrastructure such as routers. With a large enough attack volume, the regional network infrastructure in front of the target can be overloaded, sharply degrading network performance and affecting the services the network carries.
IP spoofing, or source IP address spoofing, is the technique of forging the return address (source address) of a packet. Using IP spoofing, an attacker can gain unauthorized access to a computer or network by "spoofing" a computer's IP address so that traffic appears to come from a trusted computer. In subnet spoofing, the forged addresses are drawn from the address space of the subnet in which the agent computer is located. For example, a computer in the 143.89.124.0/24 network may spoof any address between 143.89.124.0 and 143.89.124.255. Strictly speaking, IP spoofing is not an attack in itself; it is merely a technique used in DDoS attacks.
TCP-based flooding attacks are a common form of DDoS attack that abuse network resources and can pose a serious threat to the Internet. Combining them with IP spoofing makes them harder to defend against. Of the IP spoofing techniques (random spoofing, subnet spoofing and fixed spoofing), subnet spoofing is the most problematic.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a subnet-spoofing DDoS attack monitoring and early warning method whose identification does not depend on manual registration, avoids the problem that servers set up privately inside a network are hard to find after a system is reinstalled or a new network address is allocated, identifies attacks rapidly, and has high accuracy.
The abbreviations used in the following text are explained as follows: DDoS refers to a distributed denial-of-service attack; TCP refers to Transmission Control Protocol messages; sip refers to the source address; dip refers to the destination address; timeout_state refers to the ending state of the current TCP connection; flow refers to the number of TCP streams; info refers to an informational message; war refers to a warning.
In order to achieve the purpose, the invention adopts the following technical scheme.
A monitoring and early warning method for DDoS attack in subnet deception specifically comprises the following steps:
step S1: capturing network traffic data from a switch mirror port through bypass monitoring equipment, separating the TCP traffic from the network traffic data, and then classifying and aggregating it by source address, destination port and TCP ending state;
step S2: cleaning the data aggregated in step S1 and collecting four features: the extracted source address (sip), the destination address (dip), the current ending state of the TCP connection (timeout_state), and the number of TCP flows (flow);
step S3: collecting the four feature values of step S2 for the communication data of each device, then judging, according to a set trigger condition, whether the source address is one that is initiating a DDoS attack, and generating an info alarm if the source address meets the trigger condition;
step S4: counting, from the info alarm information of step S3, the number of source addresses belonging to the same subnet and the corresponding subnet numbers, and if the number of info-alarm source addresses in a subnet exceeds a preset threshold, sending a war alarm; otherwise, performing the further judgment analysis below on that subnet;
step S5: the further judgment analysis of step S4 comprises retrieving, from the aggregated TCP data, the number of source addresses in the subnet with unsuccessful TCP connections and the corresponding total number of unsuccessful connections, and issuing a war alarm if both the number of source addresses and the total number of unsuccessful connections exceed a preset threshold, otherwise issuing no war alarm.
As a further improvement of the present invention, step S2 extracts the characteristic data of the TCP connection ending state (timeout_state) from the aggregated TCP data; this characteristic data covers the various state parameters occurring during TCP communication, including an unconnected state, a connected state, an unfinished state and an ended state.
As a further improvement of the present invention, the trigger condition in step S3 is specifically that the TCP traffic data contains records in which "the number of TCP flows is greater than or equal to 60 per minute and the ending state characteristic value of the current TCP connection is any one of 1, 2, 10 and 11". Such a record indicates that the source address is initiating a SYN flood attack; an info alarm is issued and a message prompts the administrator that a SYN flood attack is currently in progress.
As a further improvement of the present invention, the preset threshold and alarm feedback of step S5 specifically comprise retrieving, from the aggregated TCP data, the number of source addresses in the subnet whose TCP connection ending state feature timeout_state is any one of 1, 2, 10 and 11, together with the total number of their flows, and issuing a war alarm if both the number of source addresses and the total flow count exceed preset values.
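As an added example (not part of the patent or of any implementation by its assignee), the following Python sketch runs steps S3 to S5 of the pipeline over a constructed minute of aggregated TCP data. It assumes a /24 subnet number, and the subnet-level thresholds (3 info-alarm sources, 5 sources and 200 flows on recheck) are placeholders for the patent's unspecified presets.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set, Tuple

# Codes the patent lists as "TCP three-way handshake not completed". The patent's table of
# their individual meanings is an image not reproduced on the page, so only the codes are used.
UNSUCCESSFUL_STATES = {1, 2, 10, 11}
INFO_FLOW_THRESHOLD = 60  # flows per minute: the step-S3 trigger value stated in the patent
SUBNET_PREFIX = 24        # assumption: subnet number taken as a /24, as in the patent's example

@dataclass(frozen=True)
class TcpAggregate:
    """One row of the step-S2 aggregate: source, destination, end state, flows per minute."""
    sip: str
    dip: str
    timeout_state: int
    flow: int

def subnet_of(sip: str) -> str:
    """Subnet number of a source address, e.g. 10.1.1.7 -> 10.1.1.0/24."""
    return str(ip_network(f"{sip}/{SUBNET_PREFIX}", strict=False))

def step3_info_alarms(rows: List[TcpAggregate]) -> List[TcpAggregate]:
    """Step S3: a row raises an info alarm when flow >= 60/min and its end state is unsuccessful."""
    return [r for r in rows
            if r.flow >= INFO_FLOW_THRESHOLD and r.timeout_state in UNSUCCESSFUL_STATES]

def step4_alarm_sources_per_subnet(info_alarms: List[TcpAggregate]) -> Dict[str, int]:
    """Step S4: number of distinct info-alarm source addresses in each subnet."""
    sources: Dict[str, Set[str]] = defaultdict(set)
    for r in info_alarms:
        sources[subnet_of(r.sip)].add(r.sip)
    return {net: len(s) for net, s in sources.items()}

def step5_recheck(rows: List[TcpAggregate], subnet: str) -> Tuple[int, int]:
    """Step S5: from the full aggregate (not only rows that raised info alarms), the distinct
    sources in the subnet whose handshake did not complete and the total of their flows."""
    srcs: Set[str] = set()
    total = 0
    for r in rows:
        if r.timeout_state in UNSUCCESSFUL_STATES and subnet_of(r.sip) == subnet:
            srcs.add(r.sip)
            total += r.flow
    return len(srcs), total

def war_alarms(rows: List[TcpAggregate], info_src_threshold: int = 3,
               recheck_src_threshold: int = 5, recheck_flow_threshold: int = 200) -> Dict[str, str]:
    """Pipeline S3 -> S4 -> S5, returning {subnet: reason for the war alarm}.
    The three subnet-level thresholds are assumed values; the patent leaves them as presets."""
    result: Dict[str, str] = {}
    for net, n_alarm_srcs in step4_alarm_sources_per_subnet(step3_info_alarms(rows)).items():
        if n_alarm_srcs > info_src_threshold:
            result[net] = f"S4: {n_alarm_srcs} info-alarm sources in subnet"
            continue  # S4 decided; no recheck needed
        n_srcs, n_flows = step5_recheck(rows, net)
        if n_srcs > recheck_src_threshold and n_flows > recheck_flow_threshold:
            result[net] = f"S5: {n_srcs} unsuccessful sources, {n_flows} unsuccessful flows"
    return result

# Constructed sample aggregate for one minute of traffic; not data from the patent.
SAMPLE_ROWS = (
    # 10.1.1.0/24: four spoofed sources, each loud enough to raise an info alarm -> S4 fires
    [TcpAggregate(f"10.1.1.{i}", "192.0.2.10", 1, 80) for i in range(1, 5)]
    # 10.2.2.0/24: one loud source plus six quiet ones; only S5's recheck sees the whole subnet
    + [TcpAggregate("10.2.2.1", "192.0.2.10", 2, 90)]
    + [TcpAggregate(f"10.2.2.{i}", "192.0.2.10", 10, 30) for i in range(2, 8)]
    # 10.3.3.0/24: one loud unsuccessful source and one busy completed source -> no war alarm
    + [TcpAggregate("10.3.3.1", "192.0.2.10", 11, 70), TcpAggregate("10.3.3.2", "192.0.2.10", 0, 300)]
)

def run_sample() -> Dict[str, str]:
    """War alarms produced on the constructed sample."""
    return war_alarms(SAMPLE_ROWS)
```

The second subnet shows why the S5 recheck matters: a single loud source is not enough for S4, but the whole-subnet count of failed handshakes still exposes the spoofed range.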
Due to the application of the technical scheme, the invention has the following beneficial effects:
Network traffic is obtained through the switch mirror port, so detection is done on a bypass and the performance of the backbone network is not affected. The separated TCP traffic is aggregated by source address, destination port and TCP ending state and its state is judged; if the data meets the trigger condition, an info alarm is generated for later analysis, which acts as a primary screening.
The number of source addresses belonging to the same subnet, and the corresponding subnet numbers, are counted from the alarm information; if the number of alarm source addresses in a subnet exceeds a threshold, a war alarm is issued, which classifies the abnormal data.
The subnet number is extracted from the alarm information and used to judge whether a subnet-spoofing DDoS attack is present, which greatly reduces rule complexity and the amount of computation.
The subnet numbers counted from the alarm information are used to recheck the TCP data, which improves identification accuracy.
Only mirrored traffic needs to be acquired from the switch, so configuration is simple. Analysing the technical characteristics of the traffic speeds up identification and judgment; corresponding early warning information is issued immediately after identification, prompting managers to take technical measures, which greatly improves the working efficiency of system managers and communication security.
Detailed Description
The present invention will be described in further detail with reference to specific examples.
A monitoring and early warning method for DDoS attack in subnet deception specifically comprises the following steps:
step S1: capturing network traffic data from a switch mirror port through bypass monitoring equipment, separating the TCP traffic from the network traffic data, and then classifying and aggregating it by source address, destination port and TCP ending state;
step S2: cleaning the data aggregated in step S1 and collecting four features: the extracted source address (sip), the destination address (dip), the current ending state of the TCP connection (timeout_state), and the number of TCP flows (flow);
step S3: collecting the four feature values of step S2 for the communication data of each device, then judging, according to a set trigger condition, whether the source address is one that is initiating a DDoS attack, and generating an info alarm if the source address meets the trigger condition;
step S4: counting, from the info alarm information of step S3, the number of source addresses belonging to the same subnet and the corresponding subnet numbers, and if the number of info-alarm source addresses in a subnet exceeds a preset threshold, sending a war alarm; otherwise, performing the further judgment analysis below on that subnet;
step S5: the further judgment analysis of step S4 comprises retrieving, from the aggregated TCP data, the number of source addresses in the subnet with unsuccessful TCP connections and the corresponding total number of unsuccessful connections, and issuing a war alarm if both the number of source addresses and the total number of unsuccessful connections exceed a preset threshold, otherwise issuing no war alarm.
For the values of the data feature timeout_state and their meanings, see the table of timeout_state meanings:
[Table: meanings of the timeout_state values; the original is an image (DEST_PATH_IMAGE001) not reproduced on this page]
Step S2 extracts the characteristic data of the TCP connection ending state (timeout_state) from the aggregated TCP data; this characteristic data covers the various state parameters occurring during TCP communication, including an unconnected state, a connected state, an unfinished state and a finished state.
The trigger condition in step S3 is specifically that the TCP traffic data contains records in which "the number of TCP flows is greater than or equal to 60 per minute and the ending state characteristic value of the current TCP connection is any one of 1, 2, 10 and 11". Such a record indicates that the source address is initiating a SYN flood attack; an info alarm is issued and a message prompts the administrator that a SYN flood attack is currently in progress.
The preset threshold and alarm feedback of step S5 specifically comprise retrieving, from the aggregated TCP data, the number of source addresses in the subnet whose TCP connection ending state feature timeout_state is any one of 1, 2, 10 and 11, together with the total number of their flows, and sending a war alarm if both the number of source addresses and the total flow count exceed preset values.
The above is only a specific application example of the present invention, and the protection scope of the present invention is not limited in any way. All the technical solutions formed by equivalent transformation or equivalent replacement fall within the protection scope of the present invention.

Claims (4)

1. A monitoring and early warning method for DDoS attack in subnet deception is characterized by comprising the following steps:
step S1: capturing network flow data from a switch mirror image through bypass monitoring equipment, separating TCP flow from the network flow data, and then performing classification and aggregation according to a source address, a destination port and a TCP ending state;
step S2: cleaning the data aggregated in the step S1, and collecting four features including an extracted source address (sip), a destination address (dip), a current end state (timeout_state) of the TCP connection, and a TCP flow number (flow);
step S3: collecting four characteristic values of step S2 of each device communication data, then judging whether the source address belongs to an address for initiating DDoS attack according to a set trigger condition, and generating an info alarm if the source address accords with the trigger condition;
step S4: counting the number of source addresses belonging to the same subnet and corresponding subnet numbers according to the info alarm information of the step S3, and if the number of the info alarm source addresses of a certain subnet exceeds a preset threshold, sending a war alarm; otherwise, performing subsequent further judgment analysis on the subnet;
step S5: the further decision analysis in step S4 includes retrieving, from the TCP aggregate data, the number of source addresses of the TCP unsuccessful connections and the corresponding total number of unsuccessful connections existing in the subnet, and if both the number of source addresses and the total number of unsuccessful connections exceed a preset threshold, issuing a war alarm, otherwise, not issuing a war alarm.
2. The method for monitoring and warning the DDoS attack of subnet spoofing as recited in claim 1, wherein the method comprises the following steps: the step S2 extracts characteristic data of the ending state (timeout_state) of the TCP connection from the aggregated TCP data, which includes various state parameters occurring in the TCP communication process, including an unconnected state, a connected state, an unfinished state, and a finished state.
3. The method for monitoring and warning the DDoS attack of subnet spoofing as recited in claim 1, wherein the method comprises the following steps: the triggering condition in step S3 is specifically that data "the number of TCP flows is greater than or equal to 60 per minute and the end state characteristic value of the current TCP connection is any one of 1, 2, 10, and 11" exists in the TCP traffic data, which indicates that the source address is initiating a syn flood attack, and issues an info alarm and gives an administrator a message prompt that a syn flood attack currently exists.
4. The method for monitoring and warning the DDoS attack of subnet spoofing as recited in claim 1, wherein the method comprises the following steps: the step S5 of presetting the threshold and the alarm feedback specifically includes retrieving, from the TCP aggregate data, that the ending state feature data timeout_state of the TCP connection of the subnet is the source address number of any one of 1, 2, 10, and 11 and the total number of the corresponding flow, and if both the source address number and the total number of the flow exceed preset values, sending a war alarm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010456650.2A CN111641628B (en) 2020-05-26 2020-05-26 Monitoring and early warning method for DDoS attack in subnet deception

Publications (2)

Publication Number Publication Date
CN111641628A CN111641628A (en) 2020-09-08
CN111641628B true CN111641628B (en) 2022-04-19

Family

ID=72330969

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010456650.2A Active CN111641628B (en) 2020-05-26 2020-05-26 Monitoring and early warning method for DDoS attack in subnet deception

Country Status (1)

Country Link
CN (1) CN111641628B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112583850B (en) * 2020-12-27 2023-02-24 杭州迪普科技股份有限公司 Network attack protection method, device and system
CN113645256B (en) * 2021-10-13 2021-12-28 成都数默科技有限公司 Aggregation method without reducing TCP session data value density

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7743134B2 (en) * 2000-09-07 2010-06-22 Riverbed Technology, Inc. Thwarting source address spoofing-based denial of service attacks
CN101383812A (en) * 2007-09-03 2009-03-11 电子科技大学 IP spoofing DDoS attack defense method based on active IP record
CN107864155A (en) * 2017-12-12 2018-03-30 蔡昌菊 A kind of DDOS attack detection method of high-accuracy
CN109587179B (en) * 2019-01-28 2021-04-20 南京云利来软件科技有限公司 SSH (Single sign indicating) protocol behavior pattern recognition and alarm method based on bypass network full flow

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230328

Address after: Room 101, No. 163, Pingyun Road, Tianhe District, Guangzhou City, Guangdong Province 510000 Room 103, self-made

Patentee after: GUANGZHOU RADIO AND TELEVISION RESEARCH INSTITUTE Co.,Ltd.

Address before: 210000 room 1-2-1, No.1, Guanghua East Street, Qinhuai District, Nanjing City, Jiangsu Province

Patentee before: NANJING CLEARCLOUD SOFTWARE TECHNOLOGY CO.,LTD.