CN114124474A - DDOS attack source handling method and device based on BGP flowspec - Google Patents


Info

Publication number: CN114124474A
Authority: CN (China)
Prior art keywords: handling, flow, bgp flowspec, ddos attack, rule template
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202111293568.3A
Other languages: Chinese (zh)
Other versions: CN114124474B (en)
Inventor: 郭兆旭
Current assignee: Unihub China Information Technology Co Ltd (as listed by Google Patents)
Original assignee: Unihub China Information Technology Co Ltd
Priority application: CN202111293568.3A
Publications: CN114124474A (application), CN114124474B (granted patent)
Current legal status: Active

Classifications

    • H04L63/1458 Denial of Service (under H04L63/00 network architectures or network communication protocols for network security > H04L63/14 detecting or protecting against malicious traffic > H04L63/1441 countermeasures against malicious traffic)
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408)
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D30/00 reducing energy consumption in communication networks)

Abstract

The invention discloses a DDOS attack source handling method and device based on BGP flowspec. The method comprises the following steps: building a BGP flowspec routing network; defining a BGP flowspec route matching rule template; defining a BGP flowspec route handling rule template; constructing a DDOS attack source handling model; analysing the task and confirming the matching DDOS attack source handling model; translating the task and generating a control instruction; and entering different handling flows according to the handling mode. By defining BGP flowspec route matching rules and handling rules, the method and device construct a DDOS attack source handling model, and the matched model issues BGP flowspec routing policies on demand to handle the DDOS attack source.

Description

DDOS attack source handling method and device based on BGP flowspec
Technical Field
The invention relates to the field of DDOS attack handling, and in particular to a DDOS attack source handling method and device based on BGP flowspec.
Background
At present, DDOS (distributed denial of service) attack handling in network environments is a traffic handling scheme based on the destination address. It is suited to protecting a specific network target, but in some DDOS attack scenarios it has the following problems:
1. A destination-address-based traffic handling scheme cannot be used to handle an attack source. Current DDOS handling, whether traffic diversion or suppression (blackholing), is implemented through route redirection. That works for the attack target; applied to an attack source with the same kind of policy, it only affects traffic flowing towards the source and cannot act on the attack traffic flowing out of the source, so it gives no protection.
2. If a high-threat attack source attacks several targets at the same time, a destination-address-based scheme has to issue one handling task per target, which lowers efficiency, and the attack targets are hard to enumerate.
3. In real service scenarios an attack source needs to be blocked outright. A traffic handling scheme that can designate the attack source is therefore needed.
Disclosure of Invention
To solve these problems in some DDOS attack scenarios, the invention provides a DDOS attack source handling method and device based on BGP flowspec.
To that end, the invention adopts the following technical scheme:
In an embodiment of the invention, a DDOS attack source handling method based on BGP flowspec is provided, the method comprising:
building a BGP flowspec routing network;
defining a BGP flowspec route matching rule template;
defining a BGP flowspec route handling rule template;
constructing a DDOS attack source handling model;
analysing the task and confirming the matching DDOS attack source handling model;
translating the task and generating a control instruction;
and entering different handling flows according to the handling mode.
Further, the BGP flowspec route matching rule template includes:
a matching rule template by traffic characteristics, a matching rule template by protocol type, and a matching rule template by total length of the IP packet.
Further, the BGP flowspec route handling rule template includes:
handling rule templates for traffic suppression, traffic rate limiting and traffic redirection by source address; traffic redirection diverts the traffic to a traffic cleaning (scrubbing) device for global cleaning.
Further, constructing the DDOS attack source handling model comprises:
combining at least one type of BGP flowspec route matching rule template with a BGP flowspec route handling rule template to construct the DDOS attack source handling model.
Further, analysing the task and confirming the matching DDOS attack source handling model comprises:
the task analysis selects, based on the guarantee level of the user, on threat intelligence from traffic detection and attack analysis, and on the attack threat level provided by a situation awareness platform, a BGP flowspec route matching rule template to confirm the traffic to be handled, and a BGP flowspec route handling rule template to determine the traffic handling mode.
Further, a reference frame of traffic handling modes is constructed according to the guarantee level of the user, the threat intelligence from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform.
Further, entering different handling flows according to the handling mode includes:
if the traffic handling mode is rate limiting or suppression, issuing the control instruction to the routing controller, which issues the routing policy to the BGP flowspec network;
if the traffic handling mode is cleaning, invoking the cleaning handling flow: first enabling the global cleaning capability of the traffic cleaning device, then issuing the control instruction to the routing controller, which issues the routing policy to the BGP flowspec network.
In an embodiment of the invention, a DDOS attack source handling apparatus based on BGP flowspec is also provided, the apparatus comprising:
a network building module for building a BGP flowspec routing network;
a model building module for defining a BGP flowspec route matching rule template and a BGP flowspec route handling rule template and constructing a DDOS attack source handling model;
and a business processing module for analysing the task and confirming the matching DDOS attack source handling model, translating the task and generating a control instruction, and entering different handling flows according to the handling mode.
Further, in the apparatus the BGP flowspec route matching rule template, the BGP flowspec route handling rule template, the construction of the DDOS attack source handling model, the task analysis, the reference frame of traffic handling modes and the handling flows entered according to the handling mode are as described above for the method.
In an embodiment of the invention, a computer device is also provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the computer program it implements the above DDOS attack source handling method based on BGP flowspec.
In an embodiment of the invention, a computer-readable storage medium is also provided, storing a computer program for executing the above DDOS attack source handling method based on BGP flowspec.
The invention has the following advantages:
1. It handles a designated attack source of a DDOS attack using basic network capability, can be combined with threat intelligence to suppress the DDOS attack at its network source, and thus achieves more efficient cyberspace security management.
2. It provides richer handling means for DDOS attacks.
3. Operators can cooperate with the overall framework of national network security regulation to manage botnets effectively.
Drawings
FIG. 1 is a flow chart of a method for handling a source of a BGP flowspec-based DDOS attack according to the invention;
FIG. 2 is a flow chart of the preparation work of the present invention;
FIG. 3 is a business process flow diagram of the present invention;
FIG. 4 is a schematic diagram of BGP flowspec routing network setup according to the present invention;
FIG. 5 is a routing rule matching flow diagram of the present invention;
FIG. 6 is a schematic view of a handling reference frame of the present invention;
FIG. 7 is a schematic structural diagram of a DDOS attack source handling device based on BGP flowspec of the present invention;
FIG. 8 is a schematic diagram of the structure of the computer device of the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, which should be understood to be presented only to enable those skilled in the art to better understand and implement the present invention, and not to limit the scope of the present invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to an embodiment of the invention, a DDOS attack source handling method and device based on BGP flowspec are provided. A BGP flowspec routing network is built; a routing controller issues BGP flowspec routing policies to the border routers at the entrances of the BGP network; the attack source is matched by the routing policy and its traffic is handled at the BGP network entrance.

At the system layer, BGP flowspec route matching rules and handling rules are defined and a DDOS attack source handling model is constructed. A matching rule can specify network parameters of the traffic such as source address, source port and protocol; the handling rules include suppression, rate limiting and redirection, where redirection can divert the traffic to a traffic cleaning device for global cleaning. A DDOS attack source handling model is a combination of a matching rule and a handling rule, and one model may use several matching rules to match a complex traffic pattern precisely.

On the business application side, the task is analysed, a suitable handling model is selected, the task is combined with the model to generate a control instruction, and handling then follows a predefined business process: for suppression and rate limiting the control instruction is issued to the controller; for cleaning, the global cleaning function of the corresponding cleaning device is enabled first and the control instruction is then issued to the controller.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
FIG. 1 is a flow chart of the DDOS attack source handling method based on BGP flowspec. As shown in FIG. 1, the method includes:
1. Building the BGP flowspec network
As shown in FIG. 4, the network includes a routing controller, a route reflector (RR) and border routers. The routing controller is a BGP router in the BGP network and advertises BGP flowspec routes into the BGP flowspec network. The route reflector sits between the routing controller and the border routers; it receives the BGP flowspec routes issued by the routing controller and reflects them to the border routers. A border router is a BGP router at a network entrance of the BGP network and receives the BGP flowspec routes reflected by the RR. A BGP flowspec route consists of a matching rule and a handling rule: it matches traffic and handles the matched traffic according to the configured rule.
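What the routing controller actually advertises and what the border router evaluates is a BGP flowspec route as specified in RFC 8955: an NLRI made of ordered match components (the "matching rule") plus extended communities that carry the action (the "handling rule"). The following is an added example, not code from the patent, that encodes and decodes such NLRIs, evaluates a decoded rule against a packet the way the border router's matching flow in FIG. 5 does, and builds the traffic-rate and redirect communities used for suppression, rate limiting and redirection to the cleaning device. The component type numbers and community codes come from RFC 8955; ASN 65000 and every prefix, port and rate below are constructed, and the encoder emits only OR-ed operator lists (the AND bit is left clear). Two points the patent text glosses over are visible in the code: a single NLRI may carry each component type at most once, so the two-prefix instruction of scenario one becomes two routes on the wire; and because a source-only rule has no destination prefix, RFC 8955's default feasibility check (validating the route against the unicast best path for the destination prefix) cannot pass, so the border routers must be configured to accept the controller's flowspec routes without that check, which is vendor-specific and a deployment assumption here.

```python
"""RFC 8955 BGP flowspec IPv4 NLRI encoder/decoder, a rule matcher, and the extended
communities that carry the handling action. Added example, not the patent's code."""
import ipaddress
import operator
import struct

# RFC 8955 section 4.2 component types used here; ASN 65000 and all prefixes/ports are constructed
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT, PKT_LEN = 1, 2, 3, 5, 6, 10
PREFIX_TYPES = (DST_PREFIX, SRC_PREFIX)
PKT_FIELD = {1: "dst", 2: "src", 3: "proto", 5: "dport", 6: "sport", 10: "length"}
# Numeric operator byte: bit7 end-of-list, bit6 AND, bits5-4 value length code
# (1/2/4/8 bytes), bit2 lt, bit1 gt, bit0 eq. Terms here are OR-ed (AND bit clear).
OP_BITS = {"eq": 0b001, "gt": 0b010, "lt": 0b100, "ge": 0b011, "le": 0b101}
OPS_BY_BITS = {v: k for k, v in OP_BITS.items()}
LEN_CODE = {1: 0, 2: 1, 4: 2, 8: 3}
CMP = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt, "ge": operator.ge, "le": operator.le}


def encode_nlri(components):
    """components: {ctype: "a.b.c.d/n"} for prefix types, {ctype: [(op, value)]} for
    numeric types. Types go in ascending order, each at most once (RFC 8955 4.1)."""
    body = bytearray()
    for ctype in sorted(components):
        spec = components[ctype]
        if ctype in PREFIX_TYPES:
            net = ipaddress.IPv4Network(spec)
            nbytes = (net.prefixlen + 7) // 8
            body += bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]
        else:
            body.append(ctype)
            for i, (op, val) in enumerate(spec):
                size = 1 if val < 0x100 else 2 if val < 0x10000 else 4
                flags = OP_BITS[op] | (LEN_CODE[size] << 4) | (0x80 if i == len(spec) - 1 else 0)
                body += bytes([flags]) + val.to_bytes(size, "big")
    if len(body) < 240:
        return bytes([len(body)]) + bytes(body)
    return struct.pack(">H", 0xF000 | len(body)) + bytes(body)  # two-byte length form


def decode_nlri(data):
    """Parse one NLRI from the front of data -> (components, remaining bytes). Every
    read is bounded by the NLRI's own length, so a bad component cannot overrun it."""
    if data[0] >= 0xF0:
        length, pos = struct.unpack(">H", data[:2])[0] & 0x0FFF, 2
    else:
        length, pos = data[0], 1
    end = pos + length
    if end > len(data):
        raise ValueError("truncated NLRI")
    comps = {}
    while pos < end:
        ctype, pos = data[pos], pos + 1
        if ctype in PREFIX_TYPES:
            plen = data[pos]
            nbytes = (plen + 7) // 8
            raw = data[pos + 1:min(pos + 1 + nbytes, end)]
            if plen > 32 or len(raw) != nbytes:
                raise ValueError("bad prefix component")
            addr = int.from_bytes(raw + bytes(4 - nbytes), "big")
            comps[ctype] = str(ipaddress.IPv4Network((addr, plen)))  # rejects set host bits
            pos += 1 + nbytes
        else:
            terms = []
            while pos < end:
                flags = data[pos]
                size = 1 << ((flags >> 4) & 3)
                if pos + 1 + size > end or (flags & 7) not in OPS_BY_BITS:
                    raise ValueError("bad numeric operator")
                terms.append((OPS_BY_BITS[flags & 7], int.from_bytes(data[pos + 1:pos + 1 + size], "big")))
                pos += 1 + size
                if flags & 0x80:
                    break
            else:
                raise ValueError("operator list not terminated")
            comps[ctype] = terms
    return comps, data[end:]


def matches(comps, pkt):
    """Border-router side: does a packet (dict src/dst/proto/dport/sport/length) hit the
    decoded rule? All components must match; terms in one numeric component are OR-ed."""
    for ctype, spec in comps.items():
        value = pkt[PKT_FIELD[ctype]]
        if ctype in PREFIX_TYPES:
            if ipaddress.IPv4Address(value) not in ipaddress.IPv4Network(spec):
                return False
        elif not any(CMP[op](value, v) for op, v in spec):
            return False
    return True


def traffic_rate(asn, bytes_per_sec):
    """Traffic-rate extended community (0x80,0x06): rate 0 discards (suppression), >0 polices."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(bytes_per_sec))


def redirect(asn, value):
    """Redirect extended community (0x80,0x08): steer matched traffic into the VRF with
    route target asn:value, e.g. the one that leads to the cleaning device."""
    return struct.pack(">BBHI", 0x80, 0x08, asn, value)


def source_suppression_routes(prefixes, asn=65000):
    """The patent's "designated source address suppression" model on the wire: one
    (NLRI, action) pair per prefix, because an NLRI holds a single source prefix."""
    return [(encode_nlri({SRC_PREFIX: p}), traffic_rate(asn, 0)) for p in prefixes]
```

Feeding `encode_nlri({SRC_PREFIX: "192.168.10.0/24", DST_PORT: [("eq", 80), ("eq", 443)]})` to `decode_nlri` round-trips, and the decoder refuses a truncated NLRI or an operator list with no end-of-list bit instead of reading into the next route; a controller or collector that parses flowspec from peers should be at least this strict.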
2. Constructing the attack source handling model
(1) As shown in FIG. 2, BGP flowspec route matching rule templates are defined. By traffic characteristics they divide into matching by source address and matching by source port; matching by protocol type includes matching by TCP flag bits; and there is matching by total length of the IP packet, among others.
For example, for matching by source address the BGP flowspec route matching rule template is:
if-match source [IPv4_address] [mask]
where IPv4_address is an IPv4 address and mask is the network mask.
(2) As shown in FIG. 2, BGP flowspec route handling rule templates are defined: traffic suppression, traffic rate limiting and traffic redirection can be performed by source address, and redirection can point to a traffic cleaning device for global cleaning.
Global cleaning by the cleaning device: an ordinary cleaning task is created for a destination network address, whereas in global cleaning the cleaning device does not distinguish destination addresses; all traffic passing through it is cleaned, and the cleaned traffic is then returned to its destination through the routing channel.
For example, for the suppression handling mode the BGP flowspec route handling rule template is:
apply deny
(3) As shown in FIG. 2, the DDOS attack source handling model is constructed by combining the BGP flowspec route matching rule template and the BGP flowspec route handling rule template defined in steps (1) and (2).
For example, the model "designated source address suppression":
if-match source [ipv4_address] [mask]
apply deny
Different types of BGP flowspec route matching rule templates can also be combined to support more refined, complex models, for example "designated source address and destination port suppression":
if-match source [ipv4_address] [mask]
if-match destination-port [port]
apply deny
where destination-port [port] matches the destination port.
The examples here show only the variable part of the control instruction; the common (fixed) parts of the control instructions are not enumerated in this description.
3. Task analysis and model selection
As shown in FIG. 3, the task analysis confirms the DDOS attack source handling model based on the guarantee level of the user concerned, on threat intelligence from traffic detection and attack analysis, and on the attack threat level provided by the situation awareness platform. It may select among traffic handling modes such as suppression, rate limiting and cleaning, and it identifies the traffic to be handled by routing screening on source address, source port, attack protocol and so on.
Traffic flows from the border router into the backbone network and must pass the routing rules of the border router: BGP flowspec route matching is performed on traffic entering the network through the BGP routing protocol, and if the traffic hits a rule the corresponding traffic handling rule is executed. The routing rule matching flow is shown in FIG. 5.
The handling mode can be selected as follows: a reference frame of handling modes is confirmed according to the user level, the threat intelligence from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform. By importance of network guarantee, users can be classed as level-3, level-2 and level-1 users and so on, and the threat an attack poses to the network can be graded by severity, for example general, serious and particularly serious; the specific grading depends on service conditions. A reference frame is then built from user level, threat level, handling mode and so on, as shown in FIG. 6.
4. Translating the task to generate the control instruction
As shown in FIG. 3, the actual service parameters are matched against the model to generate the control instruction.
5. Handling according to the predefined handling flow
As shown in FIG. 3, different handling flows are entered according to the handling mode. If the handling mode is rate limiting or suppression, the control instruction is issued to the routing controller, which issues the routing policy to the BGP flowspec network. If the handling mode is cleaning, the cleaning handling flow is invoked: the global cleaning capability of the cleaning device is enabled first, then the control instruction is issued to the routing controller, which issues the routing policy to the BGP flowspec network.
It should be noted that although the operations of the method of the present invention have been described in the above embodiments and the accompanying drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the operations shown must be performed, to achieve the desired results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
For a clearer explanation of the method for handling the source of the DDOS attack based on BGP flowspec, a specific embodiment is described below, but it should be noted that the embodiment is only for better explaining the present invention and is not to be construed as an inappropriate limitation to the present invention.
Implementation scenario one: according to threat intelligence, source suppression is applied to the attack sources 192.168.10.0/24 and 192.168.101.0/24, forbidding traffic from these two network segments from entering the backbone network. The specific steps are:
1. Build the BGP flowspec routing network.
2. Define the matching rule templates and handling rule templates and construct the DDOS attack source handling models, such as designated source address suppression, designated source port suppression, designated source address and source port suppression, designated protocol suppression, designated source address cleaning and designated source address rate limiting.
3. Select the "designated source address suppression" model according to the scenario.
4. Translate the task and generate the control instruction (only the variable part is shown; the common control instructions are not described in detail):
if-match source 192.168.10.0 255.255.255.0
if-match source 192.168.101.0 255.255.255.0
apply deny
5. The handling mode of this scenario is suppression, so the suppression handling flow is started: the control instruction is sent to the routing controller, which issues the routing policy through the established BGP flowspec network to all border routers. Traffic from the two network segments 192.168.10.0/24 and 192.168.101.0/24 is then suppressed at the border routers and cannot enter the backbone network.
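Steps 3 to 5 of the method and scenario one together describe one procedure: look the handling mode up in the reference frame, translate the task into control instructions in the if-match/apply form shown above, and dispatch them in the right order. The following is an added example of that procedure, not the patent's code. The level names and the contents of the reference frame, the apply syntax for rate limiting and redirection, the minimum source prefix length and the interface of the routing controller and cleaning device are all assumed; only "if-match source", "if-match destination-port" and "apply deny" follow the patent's own examples. Two checks a practitioner would want are built in: the translator refuses a source prefix broader than an assumed policy threshold (an "apply deny" on a short source prefix is a self-inflicted outage across every border router), and the cleaning flow enables global cleaning on the device before the redirect route is announced, so matched traffic is never steered to a device that is not yet cleaning.

```python
"""Business-side steps of the patent's method for scenario one: reference-frame
lookup (FIG. 6), task translation into control instructions, and dispatch (FIG. 3).
Added example, not the patent's code. The level names and the reference frame, the
apply syntax for rate limiting and redirection, the minimum prefix length and the
controller / cleaning-device interface are all assumed."""
import ipaddress

# (user guarantee level, attack threat level) -> handling mode. Constructed mapping;
# a real deployment fills this from its own guarantee policy.
REFERENCE_FRAME = {
    ("level-1", "particularly-serious"): "suppress", ("level-1", "serious"): "clean",
    ("level-1", "general"): "rate-limit",
    ("level-2", "particularly-serious"): "suppress", ("level-2", "serious"): "rate-limit",
    ("level-2", "general"): "rate-limit",
    ("level-3", "particularly-serious"): "clean", ("level-3", "serious"): "rate-limit",
    ("level-3", "general"): "rate-limit",
}
# Matching templates: "source" and "destination-port" follow the patent's examples,
# the others are assumed in the same style.
MATCH_TEMPLATES = {
    "source": "if-match source {address} {mask}",
    "source-port": "if-match source-port {port}",
    "destination-port": "if-match destination-port {port}",
    "protocol": "if-match protocol {protocol}",
}
# Handling templates: "apply deny" is the patent's; the other two are assumed.
HANDLING_TEMPLATES = {
    "suppress": "apply deny",
    "rate-limit": "apply car cir {cir_kbps}",
    "clean": "apply redirect vpn-instance {cleaning_vrf}",
}
# A source "apply deny" on a short prefix is a self-inflicted outage; refuse anything
# broader than this (assumed local policy value).
MIN_SOURCE_PREFIXLEN = 16


def select_mode(user_level, threat_level):
    """Reference-frame lookup. An unknown pair is an error rather than a default,
    because a guessed mode blocks or unblocks real traffic."""
    try:
        return REFERENCE_FRAME[(user_level, threat_level)]
    except KeyError:
        raise ValueError(f"no handling mode for {user_level}/{threat_level}") from None


def translate(task):
    """Step 4: match the task's service parameters against the model and emit one
    control instruction (list of lines) per source prefix. One per prefix mirrors
    the wire format, where a flowspec NLRI carries at most one source prefix."""
    mode = select_mode(task["user_level"], task["threat_level"])
    instructions = []
    for cidr in task["sources"]:
        net = ipaddress.IPv4Network(cidr)  # strict: "192.168.10.5/24" raises ValueError
        if net.prefixlen < MIN_SOURCE_PREFIXLEN:
            raise ValueError(f"{cidr} is broader than /{MIN_SOURCE_PREFIXLEN}")
        lines = [MATCH_TEMPLATES["source"].format(address=net.network_address, mask=net.netmask)]
        for key, args in task.get("extra_match", {}).items():
            lines.append(MATCH_TEMPLATES[key].format(**args))
        lines.append(HANDLING_TEMPLATES[mode].format(**task.get("params", {})))
        instructions.append(lines)
    return mode, instructions


class CallLog:
    """Stands in for the routing controller and the cleaning device; records calls
    in order so the dispatch sequence can be checked."""
    def __init__(self):
        self.calls = []

    def enable_global_cleaning(self, device):
        self.calls.append(("cleaner", "enable_global", device))

    def announce(self, instruction):
        self.calls.append(("controller", "announce", tuple(instruction)))


def dispatch(task, endpoint):
    """Step 5: rate limiting and suppression go straight to the routing controller;
    cleaning first enables global cleaning on the device, then announces the route,
    so no traffic is redirected to a device that is not yet cleaning."""
    mode, instructions = translate(task)
    if mode == "clean":
        endpoint.enable_global_cleaning(task["params"]["cleaning_device"])
    for instruction in instructions:
        endpoint.announce(instruction)
    return mode, instructions


# Scenario one from the text: threat intelligence names two attack-source segments.
SCENARIO_ONE = {"user_level": "level-1", "threat_level": "particularly-serious",
                "sources": ["192.168.10.0/24", "192.168.101.0/24"]}

if __name__ == "__main__":
    log = CallLog()
    mode, instructions = dispatch(SCENARIO_ONE, log)
    for lines in instructions:
        print("\n".join(lines) + "\n")
```

Run stand-alone it prints the two control instructions of scenario one, one per segment, each ending in `apply deny`; the same task with a cleaning-mode user/threat pair makes the first recorded call the cleaning device's global-cleaning enable and only then the controller announcements.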
Based on the same inventive concept, the invention also provides a DDOS attack source handling device based on BGP flowspec. For its implementation, refer to the implementation of the method; repeated details are omitted. The term "module" as used below may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 7 is a schematic structural diagram of the DDOS attack source handling device based on BGP flowspec according to an embodiment of the invention. As shown in FIG. 7, the device includes:
a network building module 101 for building the BGP flowspec routing network;
a model building module 102 for defining the BGP flowspec route matching rule template and the BGP flowspec route handling rule template and constructing the DDOS attack source handling model, where:
the BGP flowspec route matching rule template comprises a matching rule template by traffic characteristics, a matching rule template by protocol type and a matching rule template by total length of the IP packet;
the BGP flowspec route handling rule template comprises handling rule templates for traffic suppression, traffic rate limiting and traffic redirection by source address, traffic redirection diverting the traffic to the traffic cleaning device for global cleaning;
and constructing the DDOS attack source handling model comprises combining at least one type of BGP flowspec route matching rule template with a BGP flowspec route handling rule template;
a business processing module 103 for analysing the task and confirming the matching DDOS attack source handling model, translating the task and generating a control instruction, and entering different handling flows according to the handling mode, where:
the task analysis selects, based on the guarantee level of the user, on threat intelligence from traffic detection and attack analysis, and on the attack threat level provided by the situation awareness platform, a BGP flowspec route matching rule template to confirm the traffic to be handled and a BGP flowspec route handling rule template to determine the traffic handling mode; the handling mode can be chosen by constructing a reference frame of traffic handling modes from the guarantee level of the user, the threat intelligence from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform;
entering different handling flows according to the handling mode comprises: if the traffic handling mode is rate limiting or suppression, issuing the control instruction to the routing controller, which issues the routing policy to the BGP flowspec network; if the traffic handling mode is cleaning, invoking the cleaning handling flow: first enabling the global cleaning capability of the traffic cleaning device, then issuing the control instruction to the routing controller, which issues the routing policy to the BGP flowspec network.
It should be noted that although several modules of the BGP flowspec based DDOS attack source handling apparatus are mentioned in the above detailed description, such partitioning is merely exemplary and not mandatory. Indeed, the features and functionality of two or more of the modules described above may be embodied in one module according to embodiments of the invention. Conversely, the features and functions of one module described above may be further divided into embodiments by a plurality of modules.
Based on the same inventive concept, as shown in FIG. 8, the invention also provides a computer device 200 comprising a memory 210, a processor 220 and a computer program 230 stored in the memory 210 and executable on the processor 220; when the processor 220 executes the computer program 230 it implements the above DDOS attack source handling method based on BGP flowspec.
Based on the same inventive concept, the invention also provides a computer-readable storage medium storing a computer program for executing the above DDOS attack source handling method based on BGP flowspec.
The DDOS attack source handling method and device based on BGP flowspec provided by the invention construct a DDOS attack source handling model by defining BGP flowspec route matching rules and handling rules, and the matched model issues BGP flowspec routing policies on demand to handle the DDOS attack source.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor to the division into aspects, which is for convenience only and does not mean that features of different aspects cannot be combined to advantage. The invention is intended to cover the various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
The scope of protection of the invention is understood by those skilled in the art; modifications or changes that a person skilled in the art can make without inventive effort on the basis of the technical solution of the invention remain within that scope.

Claims (16)

1. A DDOS attack source handling method based on BGP flowspec is characterized by comprising the following steps:
building a BGP flowspec routing network;
a BGP flowspec route matching rule template is defined;
defining a BGP flowspec route handling rule template;
constructing a DDOS attack source disposal model;
analyzing tasks, and confirming a matched DDOS attack source disposal model;
translating the task and generating a control instruction;
and entering different treatment flows according to the treatment modes.
2. The method of claim 1, wherein the BGP flowspec route matches a rule template, comprising:
a matching rule template according to the flow characteristics, a matching rule template according to the protocol type, and a matching rule template according to the total length of the IP data packet.
3. The BGP flowspec-based DDOS attack source handling method of claim 1, wherein the BGP flowspec route handling rule template comprises:
a disposal rule template for flow suppression according to a source address, flow speed limit and flow redirection; wherein, the flow redirection is to guide the flow to the flow cleaning equipment for global cleaning.
4. The method of claim 1, wherein constructing a DDOS attack source handling model comprises:
combining the BGP flowspec route matching rule template and the BGP flowspec route handling rule template of at least one type to construct a DDOS attack source handling model.
5. The method of claim 1, wherein analyzing a task and confirming a matching DDOS attack source handling model comprises:
based on the guarantee level of the user, threat intelligence from flow detection and attack analysis, and the attack threat level provided by a situation awareness platform, selecting a BGP flowspec route matching rule template to confirm the flow that needs to be handled, and selecting a BGP flowspec route handling rule template to determine the flow handling mode.
6. The BGP flowspec-based DDOS attack source handling method of claim 5, wherein a reference frame for the flow handling mode is constructed according to the guarantee level of the user, threat intelligence from flow detection and attack analysis, and the attack threat level provided by a situation awareness platform.
7. The BGP flowspec-based DDOS attack source handling method of claim 1, wherein entering different handling flows according to the handling mode comprises:
if the flow handling mode is speed limit or suppression, issuing a control instruction to the routing controller, which issues the routing strategy to the BGP flowspec network;
if the flow handling mode is cleaning, calling the cleaning handling flow: first starting the global cleaning capability of the flow cleaning equipment, then issuing a control instruction to the routing controller, which issues the routing strategy to the BGP flowspec network.
8. A BGP flowspec-based DDOS attack source handling apparatus, comprising:
a network building module for building a BGP flowspec routing network;
a model building module for defining a BGP flowspec route matching rule template and a BGP flowspec route handling rule template and constructing a DDOS attack source handling model;
a business processing module for analyzing a task and confirming a matching DDOS attack source handling model, translating the task and generating a control instruction, and entering different handling flows according to the handling mode.
9. The BGP flowspec-based DDOS attack source handling apparatus of claim 8, wherein the BGP flowspec route matching rule template comprises:
a matching rule template according to flow characteristics, a matching rule template according to protocol type, and a matching rule template according to the total length of the IP data packet.
10. The BGP flowspec-based DDOS attack source handling apparatus of claim 8, wherein the BGP flowspec route handling rule template comprises:
handling rule templates for flow suppression according to source address, flow speed limit, and flow redirection; wherein flow redirection guides the flow to the flow cleaning equipment for global cleaning.
11. The BGP flowspec-based DDOS attack source handling apparatus of claim 8, wherein constructing a DDOS attack source handling model comprises:
combining at least one type of BGP flowspec route matching rule template and BGP flowspec route handling rule template to construct a DDOS attack source handling model.
12. The BGP flowspec-based DDOS attack source handling apparatus of claim 8, wherein analyzing a task and confirming a matching DDOS attack source handling model comprises:
based on the guarantee level of the user, threat intelligence from flow detection and attack analysis, and the attack threat level provided by a situation awareness platform, selecting a BGP flowspec route matching rule template to confirm the flow that needs to be handled, and selecting a BGP flowspec route handling rule template to determine the flow handling mode.
13. The BGP flowspec-based DDOS attack source handling apparatus of claim 12, wherein a reference frame for the flow handling mode is constructed according to the guarantee level of the user, threat intelligence from flow detection and attack analysis, and the attack threat level provided by a situation awareness platform.
14. The BGP flowspec-based DDOS attack source handling apparatus of claim 8, wherein entering different handling flows according to the handling mode comprises:
if the flow handling mode is speed limit or suppression, issuing a control instruction to the routing controller, which issues the routing strategy to the BGP flowspec network;
if the flow handling mode is cleaning, calling the cleaning handling flow: first starting the global cleaning capability of the flow cleaning equipment, then issuing a control instruction to the routing controller, which issues the routing strategy to the BGP flowspec network.
15. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-7 when executing the computer program.
16. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for executing the method of any one of claims 1-7.
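The claims above describe one procedure (claims 1 to 7) and the matching apparatus (claims 8 to 14): matching rule templates that select traffic, handling rule templates that act on it, a model that combines the two, task analysis against a reference frame, translation into a control instruction, and dispatch to a routing controller (with the cleaning device enabled first when the mode is cleaning). The following Python is an added example written for this page to make that flow concrete; it is not the patent holder's code. The reference frame table, the module and function names, the `65000:100` redirect target, the sample task, and the ExaBGP-style text rendering of the flowspec route are all assumptions; the matching templates are expressed as BGP flowspec NLRI component names from RFC 8955.

```python
"""Toy model of the claimed workflow: matching templates, handling templates,
a handling model, task analysis against a reference frame, translation into a
control instruction, and dispatch to the routing controller / cleaning device.
Added example for this page, not the patent holder's code; the reference frame,
names and the ExaBGP-style rendering are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Claim 2: matching rule templates, expressed as BGP flowspec NLRI components
# (RFC 8955 component types noted in comments).
MATCH_TEMPLATES: Dict[str, tuple] = {
    "by_flow": ("source", "destination"),  # type 2 source / type 1 destination prefix
    "by_protocol": ("protocol",),          # type 3 IP protocol
    "by_length": ("packet-length",),       # type 10 packet length
}

# Claim 3: handling rule templates as flowspec actions (suppress = drop the
# source's traffic, rate limit = traffic-rate, clean = redirect to the scrubber VRF).
HANDLING_TEMPLATES: Dict[str, str] = {
    "suppress": "discard",
    "rate_limit": "rate-limit {bps}",
    "clean": "redirect {rt}",
}

# Claim 6: reference frame (user guarantee level, attack threat level) -> handling
# mode. Constructed for this example; a real deployment tunes it.
REFERENCE_FRAME: Dict[tuple, str] = {
    ("gold", "high"): "clean", ("gold", "medium"): "rate_limit", ("gold", "low"): "suppress",
    ("silver", "high"): "clean", ("silver", "medium"): "rate_limit", ("silver", "low"): "suppress",
    ("bronze", "high"): "rate_limit", ("bronze", "medium"): "suppress", ("bronze", "low"): "suppress",
}


@dataclass
class HandlingModel:
    match_kinds: List[str]   # at least one matching template
    handling: str            # exactly one handling template


def build_model(match_kinds: List[str], handling: str) -> HandlingModel:
    """Claim 4: combine at least one matching template with a handling template."""
    if not match_kinds or any(k not in MATCH_TEMPLATES for k in match_kinds):
        raise ValueError("at least one known matching rule template is required")
    if handling not in HANDLING_TEMPLATES:
        raise ValueError(f"unknown handling rule template: {handling}")
    return HandlingModel(list(match_kinds), handling)


def analyze_task(task: dict) -> HandlingModel:
    """Claim 5: pick matching templates from the threat-intelligence fields that are
    present and the handling mode from the reference frame."""
    intel = task["intel"]
    kinds = [kind for kind, keys in MATCH_TEMPLATES.items() if any(k in intel for k in keys)]
    mode = REFERENCE_FRAME[(task["guarantee"], task["threat_level"])]
    return build_model(kinds, mode)


def translate(task: dict, model: HandlingModel, rate_bps: int = 1_000_000,
              clean_rt: str = "65000:100") -> dict:
    """Turn the task plus model into a structured, transport-neutral control instruction."""
    match = {key: task["intel"][key]
             for kind in model.match_kinds
             for key in MATCH_TEMPLATES[kind] if key in task["intel"]}
    then = HANDLING_TEMPLATES[model.handling].format(bps=rate_bps, rt=clean_rt)
    return {"mode": model.handling, "match": match, "then": then}


def render_exabgp(instr: dict) -> str:
    """Render the instruction in ExaBGP's flowspec API syntax (assumed form)."""
    match = " ".join(f"{k} {v};" for k, v in instr["match"].items())
    return f"announce flow route {{ match {{ {match} }} then {{ {instr['then']}; }} }}"


def dispatch(instr: dict, controller: List[str], scrubber: List[str]) -> List[str]:
    """Claim 7: cleaning enables the scrubber first; every mode then goes through
    the routing controller, which pushes the flowspec route into the BGP network."""
    actions = []
    if instr["mode"] == "clean":
        scrubber.append("enable-global-cleaning")
        actions.append("scrubber:enable-global-cleaning")
    controller.append(render_exabgp(instr))
    actions.append("controller:announce")
    return actions


def run_pipeline(task: dict):
    """Analyze, translate and dispatch one task; returns what each component received."""
    controller, scrubber = [], []
    instr = translate(task, analyze_task(task))
    actions = dispatch(instr, controller, scrubber)
    return instr, actions, controller, scrubber


# Constructed sample task: a high-threat UDP flood of fixed-size packets at a gold user.
SAMPLE_TASK = {
    "guarantee": "gold",
    "threat_level": "high",
    "intel": {"source": "203.0.113.0/24", "protocol": "udp", "packet-length": "=1500"},
}

if __name__ == "__main__":
    instr, actions, controller, scrubber = run_pipeline(SAMPLE_TASK)
    print(actions)
    print(controller[0])
```

Running the sample task yields the cleaning path: the scrubber is enabled first and the controller then receives a redirect route matching the source prefix, protocol and packet length. A bronze user with low threat intelligence containing only a source prefix gets a `discard` route straight to the controller, and a task with no usable intelligence fields is rejected before any route is generated, which is the check a practitioner wants so that an empty match never turns into a network-wide rule.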

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111293568.3A CN114124474B (en) 2021-11-03 2021-11-03 DDOS attack source disposal method and device based on BGP flowspec

Publications (2)

Publication Number Publication Date
CN114124474A true CN114124474A (en) 2022-03-01
CN114124474B CN114124474B (en) 2023-06-23

Family

ID=80380403

Country Status (1)

Country Link
CN (1) CN114124474B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566384A (en) * 2018-03-23 2018-09-21 Tencent Technology (Shenzhen) Co., Ltd. Traffic attack defense method, device, protection server and storage medium
CN111181910A (en) * 2019-08-12 2020-05-19 Tencent Technology (Shenzhen) Co., Ltd. Protection method and related device for distributed denial of service attack
CN111294365A (en) * 2020-05-12 2020-06-16 Tencent Technology (Shenzhen) Co., Ltd. Attack flow protection system, method and device, electronic equipment and storage medium
US20210092153A1 (en) * 2018-02-05 2021-03-25 Chongqing University Of Posts And Telecommunications DDoS attack detection and mitigation method for industrial SDN network
CN113242210A (en) * 2021-04-09 2021-08-10 Hangzhou Shandianwan Network Technology Co., Ltd. DDoS (distributed denial of service) prevention method and system based on user grade distribution

Non-Patent Citations (1)

Title
Zhang Zhe (张哲): Research on a DDoS attack defense system based on traffic cleaning measurement, China Masters' Theses Full-text Database (Electronic Journal) *

Also Published As

Publication number Publication date
CN114124474B (en) 2023-06-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant