CN114124419A - DDOS attack defense method and device - Google Patents

Info

Publication number: CN114124419A
Application number: CN202010880461.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 居静, 宋婧
Assignee: Beijing Qinhuai Data Co ltd

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1458 Denial of Service (under H04L63/1441, countermeasures against malicious traffic)
Abstract

The application provides a DDOS attack defense method and device. The method comprises the following steps: acquiring the total ingress bandwidth of each target source IP and the total egress bandwidth corresponding to each target source IP; judging whether the total ingress bandwidth of each target source IP is larger than its corresponding total egress bandwidth; when the total ingress bandwidth of at least one target source IP is larger than its corresponding total egress bandwidth, calculating the exceeding proportion of the total bandwidth for each such target source IP; obtaining a corresponding risk target source IP set from the result of sorting the exceeding proportions from large to small; judging whether the exceeding proportion corresponding to each risk target source IP in the risk target source IP set is larger than a preset threshold; and when the exceeding proportion corresponding to a risk target source IP is larger than the preset threshold, determining that risk target source IP to be a DDOS attack source IP and establishing a black hole route according to it so as to block it. DDOS attack defense efficiency is thereby improved.

Description

DDOS attack defense method and device
Technical Field
The invention relates to the field of network security, in particular to a DDOS attack defense method and device.
Background
At present, with the development of internet technology, production and daily life depend ever more heavily on the internet, and the requirement for network security has become especially prominent. A Distributed Denial of Service (DDOS) attack is a malicious network behavior in which one or more attackers control a large number of computers as attack sources and send a large amount of data to a target, eventually paralyzing the target.
In the prior art, DDOS attacks are generally defended against by adding an anti-DDOS firewall, increasing bandwidth, purchasing the traffic-cleaning service of a carrier, and the like.
However, when the existing technology is used to defend against DDOS and it is determined that the current network is under DDOS attack, an operator needs to manually block the IP or apply to the carrier for blocking, so the processing efficiency is low. Therefore, a DDOS attack defense method with high defense efficiency is urgently needed and is of great significance for improving network security.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defect of low DDOS attack defense efficiency in the prior art, thereby providing a DDOS attack defense method and apparatus.
A first aspect of the present application provides a DDOS attack defense method, including: acquiring the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP;
judging whether the total bandwidth of the inlet direction of each target source IP is larger than the total bandwidth of the outlet direction corresponding to the target source IP;
when the total bandwidth of the entrance direction of at least one target source IP is larger than the total bandwidth of the exit direction corresponding to the target source IP, respectively calculating the exceeding proportion of the total bandwidth of the at least one target source IP; determining a preset number of risk target source IPs according to the sequencing result of the exceeding proportion from large to small so as to obtain a corresponding risk target source IP set;
judging whether the exceeding proportion corresponding to each risk target source IP in the risk target source IP set is larger than a preset threshold value or not;
and when the exceeding proportion corresponding to the risk target source IP is larger than the preset threshold value, determining that the risk target source IP is a DDOS attack source IP, and establishing a black hole route according to the risk target source IP so as to block the risk target source IP.
Optionally, the method further includes:
and when determining that the total bandwidth of the inlet direction of each target source IP is less than or equal to the total bandwidth of the outlet direction corresponding to the target source IP, or that the exceeding proportion corresponding to the risk target source IP is less than or equal to a preset threshold, returning to the step of obtaining the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP.
Optionally, after obtaining the corresponding risk target source IP set, the method further includes:
judging whether the risk target source IP set comprises a preset safe target source IP or not;
and when the risk target source IP set comprises a preset safe target source IP, removing the preset safe target source IP from the risk target source IP set.
Optionally, after determining that the risk target source IP is a DDOS attack source IP, the method further includes:
and generating alarm information according to the total bandwidth of the risk target source IP in the inlet direction and the total bandwidth of the risk target source IP in the outlet direction.
Optionally, the method further includes:
and sending the alarm information for prompting an operator that the risk target source IP is a DDOS attack source IP.
A second aspect of the present application provides a DDOS attack defense apparatus, including: the defense system comprises an acquisition module, a first judgment module, a detection module, a second judgment module and a defense module;
the acquisition module is used for acquiring the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP;
the first judging module is used for judging whether the total bandwidth of the inlet direction of each target source IP is larger than the total bandwidth of the outlet direction corresponding to the target source IP;
the detection module is used for respectively calculating the exceeding proportion of the total bandwidth of at least one target source IP when the total bandwidth of the inlet direction of the at least one target source IP is larger than the total bandwidth of the outlet direction corresponding to the target source IP, and determining a preset number of risk target source IPs according to the sequencing result of the exceeding proportion from large to small so as to obtain a corresponding risk target source IP set;
the second judging module is used for judging whether the exceeding proportion corresponding to each risk target source IP in the risk target source IP set is larger than a preset threshold value or not;
the defense module is used for determining that the risk target source IP is a DDOS attack source IP when the corresponding exceeding proportion of the risk target source IP is larger than the preset threshold value, and establishing a black hole route according to the risk target source IP so as to block the risk target source IP.
Optionally, the apparatus further comprises a supervision module;
and the supervision module is used for returning to the step of acquiring the total bandwidth of the inlet directions of the target source IPs and the total bandwidth of the outlet directions corresponding to the target source IPs when determining that the total bandwidth of the inlet directions of the target source IPs is smaller than or equal to the total bandwidth of the outlet directions corresponding to the target source IPs or the exceeding proportion corresponding to the risk target source IPs is smaller than or equal to a preset threshold value.
Optionally, the detection module is further configured to:
judging whether the risk target source IP set comprises a preset safe target source IP or not;
and when the risk target source IP set comprises a preset safe target source IP, removing the preset safe target source IP from the risk target source IP set.
Optionally, the defense module is further configured to, after determining that the risk target source IP is a DDOS attack source IP, generate alarm information according to a total bandwidth in an entry direction of the risk target source IP and a total bandwidth in an exit direction corresponding to the risk target source IP.
Optionally, the defense module is further configured to send the alarm information to prompt an operator that the risk target source IP is a DDOS attack source IP.
A third aspect of the present application provides an electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes computer-executable instructions stored by the memory to cause the at least one processor to perform the method as set forth in the first aspect above and in various possible designs of the first aspect.
A fourth aspect of the present application provides a storage medium containing computer-executable instructions for performing a method as set forth in the first aspect above and in various possible designs of the first aspect when executed by a computer processor.
This application technical scheme has following advantage:
according to the DDOS attack defense method and device, the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP are obtained; judging whether the total bandwidth of the inlet direction of each target source IP is larger than the total bandwidth of the outlet direction corresponding to the target source IP; when the total bandwidth of the entrance direction of at least one target source IP is larger than the total bandwidth of the exit direction corresponding to the target source IP, respectively calculating the exceeding proportion of the total bandwidth of the at least one target source IP; determining a preset number of risk target source IPs according to the sequencing result of the exceeding proportion from large to small so as to obtain a corresponding risk target source IP set; judging whether the exceeding proportion corresponding to each risk target source IP in the risk target source IP set is larger than a preset threshold value or not; and when the exceeding proportion corresponding to the risk target source IP is larger than the preset threshold value, determining the risk target source IP as a DDOS attack source IP, and establishing a black hole route according to the risk target source IP so as to block the risk target source IP. According to the DDOS attack defense method provided by the scheme, whether each target source is a DDOS attack source or not is detected according to the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP, which are obtained in real time, and the black hole route is established for the determined DDOS attack source so as to block the DDOS attack source in time, so that the DDOS attack defense efficiency is improved, and a foundation is laid for improving the safety of a network environment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art according to the drawings.
Fig. 1 is a schematic structural diagram of a DDOS attack defense system based on an embodiment of the present application;
fig. 2 is a schematic flowchart of a DDOS attack defense method provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a DDOS attack defense apparatus provided in an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. In the description of the following examples, "plurality" means two or more unless specifically limited otherwise.
In the prior art, DDOS attacks are generally defended against by adding anti-DDOS firewalls, increasing bandwidth, purchasing the traffic-cleaning services of carriers, and the like. However, when the existing technology is used to defend against DDOS and it is determined that the current network is under DDOS attack, an operator needs to manually block the IP or apply to the carrier for blocking, so the processing efficiency is low.
In order to solve the above problems, the DDOS attack defense method and apparatus provided in the embodiments of the present application obtain a total bandwidth in an entry direction of each target source IP and a total bandwidth in an exit direction corresponding to each target source IP; judging whether the total bandwidth of the inlet direction of each target source IP is larger than the total bandwidth of the outlet direction corresponding to the target source IP; when the total bandwidth of the entrance direction of at least one target source IP is larger than the total bandwidth of the exit direction corresponding to the target source IP, respectively calculating the exceeding proportion of the total bandwidth of the at least one target source IP; determining a preset number of risk target source IPs according to the sequencing result of the exceeding proportion from large to small so as to obtain a corresponding risk target source IP set; judging whether the exceeding proportion corresponding to each risk target source IP in the risk target source IP set is larger than a preset threshold value or not; and when the exceeding proportion corresponding to the risk target source IP is larger than the preset threshold value, determining the risk target source IP as a DDOS attack source IP, and establishing a black hole route according to the risk target source IP so as to block the risk target source IP. 
According to the DDOS attack defense method provided by the scheme, whether each target source is a DDOS attack source or not is detected according to the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP, which are obtained in real time, and the black hole route is established for the determined DDOS attack source so as to block the DDOS attack source in time, so that the DDOS attack defense efficiency is improved, and a foundation is laid for improving the safety of a network environment.
The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
First, the structure of the DDOS attack defense system based on the present application will be described:
the DDOS attack defense method and device provided by the embodiment of the application are suitable for detecting and defending against DDOS attack sources in a network environment. As shown in fig. 1, the DDOS attack defense system of the embodiment mainly includes at least one client and an electronic device that performs the DDOS attack defense. Specifically, the electronic device obtains from the at least one client the total ingress bandwidth of each target source IP corresponding to each client and the total egress bandwidth corresponding to that target source IP; it detects DDOS attack sources from the acquired data and establishes a corresponding black hole route for each determined DDOS attack source so as to block the attack source in time.
The embodiment of the application provides a DDOS attack defense method, which is used for solving the technical problem of low DDOS attack defense efficiency in the prior art. The execution subject of the embodiment of the application is an electronic device, such as a server, a desktop computer, a notebook computer, a tablet computer, and other electronic devices that can be used for performing DDOS attack defense.
As shown in fig. 2, a schematic flow chart of a DDOS attack defense method provided in an embodiment of the present application is shown, where the method includes:
step 201, obtaining the total bandwidth of the entry direction of each target source IP and the total bandwidth of the exit direction corresponding to each target source IP.
It should be explained that the total bandwidth of the ingress direction of the target source IP is equivalent to the input bandwidth of the client corresponding to the target source IP, and correspondingly, the total bandwidth of the egress direction corresponding to the target source IP is equivalent to the output bandwidth of the client corresponding to the target source IP.
Step 202, determine whether the total bandwidth of the ingress direction of each target source IP is greater than the total bandwidth of the egress direction corresponding to the target source IP.
Specifically, when the total ingress bandwidth of a target source IP is greater than its corresponding total egress bandwidth, it may be determined that network congestion is occurring at the client corresponding to that target source IP; such congestion is a concrete manifestation of a network environment under DDOS attack.
Step 203, when the total bandwidth of the entrance direction of at least one target source IP is larger than the total bandwidth of the exit direction corresponding to the target source IP, respectively calculating the excess proportion of the total bandwidth of the at least one target source IP; and determining a preset number of risk target source IPs according to the sequencing result of the exceeding proportion from large to small so as to obtain a corresponding risk target source IP set.
The preset number may be determined according to the number of the secure target source IPs in the VIP group in the network environment, and specifically, the preset number may be greater than or equal to the number of the secure target source IPs in the VIP group. In order to further improve the DDOS attack defense efficiency, the preset number may be set to 1.
Step 204, judging whether the exceeding proportion corresponding to each risk target source IP in the risk target source IP set is larger than a preset threshold value.
The preset threshold may be set according to actual conditions of each device in the current network environment, and the embodiment of the present application is not limited.
Step 205, when the exceeding proportion corresponding to the risk target source IP is larger than the preset threshold, determining the risk target source IP as a DDOS attack source IP, and establishing a black hole route according to the risk target source IP so as to block the risk target source IP.
For example, when a switch is deployed in the network environment, sFlow is configured on the switch and sFlow messages are sent to an sFlow-RT traffic-diversion server (the electronic device); the switch establishes an EBGP neighbor relationship with sFlow-RT, and a static route to 192.0.2.1 with next hop null0 is configured on the switch. When the exceeding proportion corresponding to a risk target source IP is larger than the preset threshold, the blackhole plug-in on the server generates a black hole route for that IP with its next hop forced to 192.0.2.1 and redistributes it into BGP at the same time; the switch learns from sFlow-RT that the next hop of the route to that IP is 192.0.2.1, which in turn resolves over the existing null0 static route to 192.0.2.1, so that the DDOS attack source is blocked in time.
Correspondingly, when the total bandwidth of the inlet direction of each target source IP is determined to be smaller than or equal to the total bandwidth of the outlet direction corresponding to the target source IP, or the exceeding proportion corresponding to the risk target source IP is determined to be smaller than or equal to the preset threshold value, the step of obtaining the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP is returned.
Specifically, in an embodiment, after obtaining the corresponding risk target source IP set, the method further includes: judging whether the risk target source IP set comprises a preset safe target source IP or not; and when the risk target source IP set comprises the preset safe target source IP, removing the preset safe target source IP from the risk target source IP set.
It should be explained that the security target source IP is set by an operator according to actual conditions, and the security target source IP does not have a risk of being attacked by DDOS, so in order to further improve the DDOS attack defense efficiency and save related defense resources, before further defense detection is performed on each risk target source IP, a preset security target source IP is removed from a risk target source IP set.
If the risk target source IP set is an empty set after the preset safe target source IP is removed from the risk target source IP set, returning to the step of acquiring the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP.
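As an added illustration that is not part of the patent, the following Python carries steps 201 to 205 and the safe-IP filter through over constructed per-IP bandwidth counters, and also handles the case of a target IP with zero egress, which the text does not discuss. The formula for the exceeding proportion, the generic `ip route` rendering of the black hole route, and all addresses are assumptions, since the text defines none of them.

```python
"""Added example (not the patent's own code): steps 201-205 of the described
method, run over constructed per-IP ingress/egress bandwidth counters."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    ip: str
    ingress_bps: float
    egress_bps: float
    excess: float  # exceeding proportion, see excess_ratio()


def excess_ratio(ingress_bps: float, egress_bps: float) -> float:
    """Exceeding proportion of ingress over egress.

    The patent does not define the formula; assumed here as
    (ingress - egress) / egress, with egress == 0 treated as infinite.
    Returns 0.0 when ingress does not exceed egress (steps 202/203).
    """
    if ingress_bps <= egress_bps:
        return 0.0
    if egress_bps == 0:
        return math.inf
    return (ingress_bps - egress_bps) / egress_bps


def detect_attack_targets(counters, preset_number, threshold, safe_ips=frozenset()):
    """Steps 201-205 plus the optional preset-safe-IP filter.

    counters: {ip: (ingress_bps, egress_bps)} as step 201 would collect them
    preset_number: size of the risk set taken from the descending sort (step 203)
    threshold: preset threshold on the exceeding proportion (step 204)
    safe_ips: preset safe target source IPs removed from the risk set
    Returns (attack_sources, alarms): the Verdicts to blackhole (step 205),
    ordered by excess from large to small, and the alarm text generated from
    each one's ingress and egress bandwidth.
    """
    # Steps 202/203: keep only IPs whose ingress exceeds egress, with excess.
    candidates = [
        Verdict(ip, inb, outb, excess_ratio(inb, outb))
        for ip, (inb, outb) in counters.items()
        if inb > outb
    ]
    # Step 203: sort from large to small and take the preset number.
    candidates.sort(key=lambda v: v.excess, reverse=True)
    risk_set = candidates[:preset_number]
    # Optional step: drop preset safe target source IPs from the risk set.
    risk_set = [v for v in risk_set if v.ip not in safe_ips]
    # Empty set: nothing to block, the caller returns to step 201.
    if not risk_set:
        return [], []
    # Steps 204/205: those above the threshold are DDOS attack source IPs.
    attack_sources = [v for v in risk_set if v.excess > threshold]
    alarms = [
        f"DDOS attack source IP {v.ip}: ingress {v.ingress_bps:.0f} bps, "
        f"egress {v.egress_bps:.0f} bps, excess {v.excess:.2f}"
        for v in attack_sources
    ]
    return attack_sources, alarms


def blackhole_route(ip: str, next_hop: str = "192.0.2.1") -> str:
    """Black hole route for an attack source IP as in the sFlow-RT setup
    described in the text: a host route whose next hop is the address the
    switch already resolves to null0. Rendered as a generic 'ip route' line
    (constructed format, not any particular vendor's syntax)."""
    return f"ip route {ip}/32 {next_hop}"


# Constructed sample counters in bits per second, not real measurements.
SAMPLE_COUNTERS = {
    "198.51.100.10": (9_500_000_000, 200_000_000),    # flooded: excess 46.5
    "198.51.100.20": (1_200_000_000, 1_000_000_000),  # mildly asymmetric: 0.2
    "198.51.100.30": (300_000_000, 800_000_000),      # normal: egress higher
    "198.51.100.40": (5_000_000_000, 0),              # no egress at all: inf
    "198.51.100.50": (2_000_000_000, 500_000_000),    # preset safe (VIP) IP: 3.0
}

if __name__ == "__main__":
    sources, alarms = detect_attack_targets(
        SAMPLE_COUNTERS, preset_number=3, threshold=2.0,
        safe_ips=frozenset({"198.51.100.50"}))
    for v, msg in zip(sources, alarms):
        print(msg)
        print("  ->", blackhole_route(v.ip))
```

Note that the route blocks the protected target IP itself, so the host under attack becomes unreachable in order to keep the rest of the network up; the preset safe list is what keeps critical IPs out of that outcome.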
Specifically, in an embodiment, after determining that the risk target source IP is a DDOS attack source IP, the method further includes: and generating alarm information according to the total bandwidth of the risk target source IP in the inlet direction and the total bandwidth of the risk target source IP in the outlet direction.
Further, the alarm information is sent out to notify the operator that the risk target source IP is a DDOS attack source IP.
The alarm information may be reported in a manner of instrument display, or may be reported in a manner of a warning light or a warning sound, an email, a short message, or the like, and the embodiment of the present application is not limited.
Specifically, in an embodiment, the DDOS attack type, the attack level, and the attack event may be detected according to the determined relevant data corresponding to the DDOS attack source, and a corresponding detection result may be generated, and the corresponding detection result may be sent while sending the alarm information.
According to the DDOS attack defense method provided by the embodiment of the application, the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP are obtained; judging whether the total bandwidth of the inlet direction of each target source IP is larger than the total bandwidth of the outlet direction corresponding to the target source IP; when the total bandwidth of the entrance direction of at least one target source IP is larger than the total bandwidth of the exit direction corresponding to the target source IP, respectively calculating the exceeding proportion of the total bandwidth of the at least one target source IP; determining a preset number of risk target source IPs according to the sequencing result of the exceeding proportion from large to small so as to obtain a corresponding risk target source IP set; judging whether the exceeding proportion corresponding to each risk target source IP in the risk target source IP set is larger than a preset threshold value or not; and when the exceeding proportion corresponding to the risk target source IP is larger than the preset threshold value, determining the risk target source IP as a DDOS attack source IP, and establishing a black hole route according to the risk target source IP so as to block the risk target source IP. According to the DDOS attack defense method provided by the scheme, whether each target source is a DDOS attack source or not is detected according to the total bandwidth of the inlet direction of each target source IP and the total bandwidth of the outlet direction corresponding to each target source IP, which are obtained in real time, and the black hole route is established for the determined DDOS attack source so as to block the DDOS attack source in time, so that the DDOS attack defense efficiency is improved, and a foundation is laid for improving the safety of a network environment.
The embodiment of the application provides a DDOS attack defense device, which is used for solving the technical problem of low DDOS attack defense efficiency in the prior art. As shown in fig. 3, a schematic structural diagram of a DDOS attack defense apparatus provided in an embodiment of the present application is shown, where the apparatus 30 includes: the defense system comprises an acquisition module 301, a first judgment module 302, a detection module 303, a second judgment module 304 and a defense module 305.
The acquiring module 301 is configured to acquire a total bandwidth in an entry direction of each target source IP and a total bandwidth in an exit direction corresponding to each target source IP; the first determining module 302 is configured to determine whether a total bandwidth in an ingress direction of each target source IP is greater than a total bandwidth in an egress direction corresponding to the target source IP; the detection module 303 is configured to, when the total bandwidth in the inlet direction of at least one target source IP is greater than the total bandwidth in the outlet direction corresponding to the target source IP, calculate an excess proportion of the total bandwidth of the at least one target source IP, and determine a preset number of risk target source IPs according to a sorting result of the excess proportion from large to small to obtain a corresponding risk target source IP set; the second determining module 304 is configured to determine whether an exceeding proportion corresponding to each risk target source IP in the risk target source IP set is greater than a preset threshold; the defense module 305 is configured to determine that the risk target source IP is a DDOS attack source IP when the corresponding excess proportion of the risk target source IP is greater than a preset threshold, and establish a black hole route according to the risk target source IP to block the risk target source IP.
Specifically, in one embodiment, the apparatus further comprises a supervision module 306;
the supervision module 306 is configured to, when it is determined that the total bandwidth of the entry direction of each target source IP is smaller than or equal to the total bandwidth of the exit direction corresponding to the target source IP, or the exceeding proportion corresponding to the risk target source IP is smaller than or equal to the preset threshold, return to the step of obtaining the total bandwidth of the entry direction of each target source IP and the total bandwidth of the exit direction corresponding to each target source IP.
Specifically, in an embodiment, the detecting module 303 is further configured to:
judging whether the risk target source IP set comprises a preset safe target source IP or not;
and when the risk target source IP set comprises the preset safe target source IP, removing the preset safe target source IP from the risk target source IP set.
Specifically, in an embodiment, the defense module 305 is further configured to, after determining that the risk target source IP is a DDOS attack source IP, generate alarm information according to a total bandwidth in an ingress direction of the risk target source IP and a total bandwidth in an egress direction corresponding to the risk target source IP.
Specifically, in an embodiment, the defense module 305 is further configured to send an alarm message for prompting the operator that the risk target source IP is the DDOS attack source IP.
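The detection pipeline above (modules 301 to 306, restated in claims 1 to 5 below) can be followed end to end in the following example. It is an editor-supplied illustration, not code from the patent or its applicant. The page does not define how the excess proportion is computed or what unit the bandwidth is in; the example assumes the proportion is (ingress - egress) / egress measured in bits per second over one sampling window, assumes an IP with ingress traffic but zero egress ranks as infinitely asymmetric, and represents the black hole route as a host (/32) route with a discard next hop, which on a real router would be a static route to Null0 or an equivalent blackhole interface. The sample measurements and the safe-listed IP are constructed.

```python
"""Ingress/egress bandwidth-asymmetry DDoS detector (editor-supplied example).

Assumptions not stated on the page: bandwidth is in bits per second over one
sampling window, excess proportion = (ingress - egress) / egress, and a black
hole route is a /32 route with a discard next hop.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class BandwidthSample:
    """Total bandwidth measured for one target source IP in one window (bit/s)."""
    ip: str
    ingress_bps: float  # entry direction: traffic flowing toward the IP
    egress_bps: float   # exit direction: traffic flowing from the IP


@dataclass
class CycleResult:
    risk_set: list          # IPs left after top-N ranking and safe-list removal
    attack_ips: list        # risk IPs whose excess proportion is above the threshold
    blackhole_routes: list  # one discard route per attack IP
    alarms: list            # one alarm string per attack IP
    next_action: str        # "blackhole" if anything was blocked, else "resample"


def excess_proportion(ingress_bps, egress_bps):
    """(ingress - egress) / egress (assumed formula). An IP that receives
    traffic but sends none is treated as infinitely asymmetric."""
    if egress_bps <= 0:
        return math.inf if ingress_bps > 0 else 0.0
    return (ingress_bps - egress_bps) / egress_bps


def blackhole_route(ip):
    """Host route discarding all traffic to ip (Null0 / blackhole next hop on a router)."""
    return {"prefix": f"{ip}/32", "next_hop": "discard"}


def detect_cycle(samples, top_n, threshold, safe_ips=frozenset()):
    """One pass of the method: the steps of claim 1 plus the safe-list check of claim 3."""
    # Steps 1-2: only IPs receiving more than they send are candidates.
    candidates = [s for s in samples if s.ingress_bps > s.egress_bps]
    # Step 3: rank candidates by excess proportion, largest first, keep the top N.
    ranked = sorted(
        candidates,
        key=lambda s: excess_proportion(s.ingress_bps, s.egress_bps),
        reverse=True,
    )[:top_n]
    # Claim 3: remove pre-registered safe IPs from the risk set (after the cut, as the text orders it).
    risk = [s for s in ranked if s.ip not in safe_ips]
    # Steps 4-5: strictly above the threshold means attack source -> discard route + alarm.
    attackers = [s for s in risk if excess_proportion(s.ingress_bps, s.egress_bps) > threshold]
    alarms = [
        f"DDOS attack source {s.ip}: ingress {s.ingress_bps / 1e6:.0f} Mbit/s, "
        f"egress {s.egress_bps / 1e6:.0f} Mbit/s"
        for s in attackers
    ]
    return CycleResult(
        risk_set=[s.ip for s in risk],
        attack_ips=[s.ip for s in attackers],
        blackhole_routes=[blackhole_route(s.ip) for s in attackers],
        alarms=alarms,
        next_action="blackhole" if attackers else "resample",
    )


# Constructed sample window (RFC 5737 documentation addresses), not measured data.
SAMPLE_WINDOW = [
    BandwidthSample("203.0.113.10", ingress_bps=950e6, egress_bps=5e6),    # proportion 189
    BandwidthSample("203.0.113.11", ingress_bps=120e6, egress_bps=100e6),  # proportion 0.2
    BandwidthSample("198.51.100.20", ingress_bps=400e6, egress_bps=20e6),  # proportion 19, safe-listed
    BandwidthSample("192.0.2.5", ingress_bps=10e6, egress_bps=50e6),       # ingress < egress, not a candidate
    BandwidthSample("192.0.2.6", ingress_bps=300e6, egress_bps=10e6),      # proportion 29
]
SAFE_IPS = frozenset({"198.51.100.20"})  # e.g. a backup target that legitimately only receives


if __name__ == "__main__":
    result = detect_cycle(SAMPLE_WINDOW, top_n=3, threshold=10.0, safe_ips=SAFE_IPS)
    for line in result.alarms:
        print(line)
    print(result.blackhole_routes)
```

Three behaviours are worth noticing when adapting this. The threshold comparison is strict, so an IP exactly at the threshold stays in the risk set but is not blocked. Because the safe list is applied after the top-N cut, as claim 3 orders it, a safe-listed IP in the top N consumes a slot that is not refilled; filtering before ranking would avoid that. And a static discard route matches on destination address, so dropping packets by source address with it requires loose-mode uRPF (source-based remote-triggered black hole filtering), which the page does not describe. When no IP qualifies, next_action is "resample", corresponding to the supervision module 306 returning to the acquisition step.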
The DDOS attack defense apparatus provided in the embodiment of the present application is configured to execute the DDOS attack defense method provided in the above embodiment; its implementation and principle are the same as those of the method and are not described again.
The embodiment of the present application further provides an electronic device for executing the method provided in the above embodiment.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device 40 includes at least one processor 41 and a memory 42;
the memory stores computer-executable instructions, and execution of those instructions by the at least one processor causes the at least one processor to perform the method of any one of the preceding embodiments.
The electronic device provided in the embodiment of the present application is configured to execute the DDOS attack defense method provided in the above embodiment; its implementation and principle are the same and are not described again.
The embodiment of the present application further provides a storage medium containing computer-executable instructions; when a computer processor executes these instructions, the method provided in any one of the above embodiments is implemented.
The storage medium containing the computer-executable instructions of the embodiment of the present application may be used to store the computer-executable instructions of the DDOS attack defense method provided in the foregoing embodiment; its implementation and principle are the same and are not described again.
It should be understood that the above examples are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to enumerate all embodiments, and obvious variations or modifications derived therefrom are within the scope of the invention.

Claims (10)

1. A DDOS attack defense method, comprising the following steps:
acquiring, for each target source IP, the total bandwidth in the ingress direction and the corresponding total bandwidth in the egress direction;
determining, for each target source IP, whether the total ingress bandwidth is greater than the corresponding total egress bandwidth;
when the total ingress bandwidth of at least one target source IP is greater than its corresponding total egress bandwidth, calculating the excess proportion of the total bandwidth for each such target source IP, and determining a preset number of risk target source IPs according to the ranking of the excess proportions from largest to smallest, so as to obtain a corresponding risk target source IP set;
determining whether the excess proportion corresponding to each risk target source IP in the risk target source IP set is greater than a preset threshold; and
when the excess proportion corresponding to a risk target source IP is greater than the preset threshold, determining that the risk target source IP is a DDOS attack source IP, and establishing a black hole route according to the risk target source IP so as to block it.
2. The DDOS attack defense method according to claim 1, further comprising:
when it is determined that the total ingress bandwidth of each target source IP is less than or equal to its corresponding total egress bandwidth, or that the excess proportion corresponding to the risk target source IP is less than or equal to the preset threshold, returning to the step of acquiring, for each target source IP, the total ingress bandwidth and the corresponding total egress bandwidth.
3. The DDOS attack defense method according to claim 1, wherein, after obtaining the corresponding risk target source IP set, the method further comprises:
determining whether the risk target source IP set contains a preset safe target source IP; and
when the risk target source IP set contains a preset safe target source IP, removing the preset safe target source IP from the risk target source IP set.
4. The DDOS attack defense method according to claim 1, wherein, after determining that the risk target source IP is a DDOS attack source IP, the method further comprises:
generating alarm information according to the total ingress bandwidth of the risk target source IP and the corresponding total egress bandwidth of the risk target source IP.
5. The DDOS attack defense method according to claim 4, further comprising:
sending the alarm information to prompt an operator that the risk target source IP is a DDOS attack source IP.
6. A DDOS attack defense apparatus, comprising an acquisition module, a first determining module, a detection module, a second determining module and a defense module;
the acquisition module is configured to acquire, for each target source IP, the total bandwidth in the ingress direction and the corresponding total bandwidth in the egress direction;
the first determining module is configured to determine, for each target source IP, whether the total ingress bandwidth is greater than the corresponding total egress bandwidth;
the detection module is configured to, when the total ingress bandwidth of at least one target source IP is greater than its corresponding total egress bandwidth, calculate the excess proportion of the total bandwidth for each such target source IP, and to determine a preset number of risk target source IPs according to the ranking of the excess proportions from largest to smallest, so as to obtain a corresponding risk target source IP set;
the second determining module is configured to determine whether the excess proportion corresponding to each risk target source IP in the risk target source IP set is greater than a preset threshold; and
the defense module is configured to determine that a risk target source IP is a DDOS attack source IP when its corresponding excess proportion is greater than the preset threshold, and to establish a black hole route according to the risk target source IP so as to block it.
7. The DDOS attack defense apparatus according to claim 6, further comprising a supervision module;
the supervision module is configured to, when it is determined that the total ingress bandwidth of each target source IP is less than or equal to its corresponding total egress bandwidth, or that the excess proportion corresponding to the risk target source IP is less than or equal to the preset threshold, return to the step of acquiring, for each target source IP, the total ingress bandwidth and the corresponding total egress bandwidth.
8. The DDOS attack defense apparatus according to claim 6, wherein the detection module is further configured to:
determine whether the risk target source IP set contains a preset safe target source IP; and
when the risk target source IP set contains a preset safe target source IP, remove the preset safe target source IP from the risk target source IP set.
9. An electronic device, comprising at least one processor and a memory;
the memory stores computer-executable instructions; and
the at least one processor executes the computer-executable instructions stored in the memory, causing the at least one processor to perform the method of any one of claims 1 to 5.
10. A storage medium containing computer-executable instructions which, when executed by a computer processor, perform the method of any one of claims 1 to 5.
CN202010880461.8A 2020-08-27 2020-08-27 DDOS attack defense method and device Pending CN114124419A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010880461.8A CN114124419A (en) 2020-08-27 2020-08-27 DDOS attack defense method and device

Publications (1)

Publication Number Publication Date
CN114124419A true CN114124419A (en) 2022-03-01

Family

ID=80374622

Country Status (1)

Country Link
CN (1) CN114124419A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7797738B1 (en) * 2005-12-14 2010-09-14 At&T Corp. System and method for avoiding and mitigating a DDoS attack
KR20110049282A (en) * 2009-11-04 2011-05-12 주식회사 컴트루테크놀로지 System and method for detecting and blocking to distributed denial of service attack
CN106302318A (en) * 2015-05-15 2017-01-04 阿里巴巴集团控股有限公司 A kind of website attack defense method and device
CN107104921A (en) * 2016-02-19 2017-08-29 阿里巴巴集团控股有限公司 Ddos attack defence method and device
CN107395554A (en) * 2016-05-17 2017-11-24 阿里巴巴集团控股有限公司 The defence processing method and processing device of flow attacking
US20180013787A1 (en) * 2015-03-24 2018-01-11 Huawei Technologies Co., Ltd. SDN-Based DDOS Attack Prevention Method, Apparatus, and System
US20190068626A1 (en) * 2017-08-31 2019-02-28 Charter Communications Operating, Llc Distributed denial-of-service attack detection and mitigation based on autonomous system number
US20190068624A1 (en) * 2017-08-31 2019-02-28 Charter Communications Operating, Llc Distributed denial-of-service attack detection and mitigation based on autonomous system number
CN110505249A (en) * 2019-09-30 2019-11-26 怀来斯达铭数据有限公司 The recognition methods of ddos attack and device
CN110620787A (en) * 2019-09-30 2019-12-27 怀来斯达铭数据有限公司 Method and system for preventing DDoS attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination