CN114124474B - DDOS attack source disposal method and device based on BGP flowspec - Google Patents


Info

Publication number: CN114124474B
Application number: CN202111293568.3A
Authority: CN (China)
Prior art keywords: bgpflowspec, flow, handling, rule template, ddos attack
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114124474A (en)
Inventor: 郭兆旭
Current Assignee: Unihub China Information Technology Co Ltd
Original Assignee: Unihub China Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a BGP flowspec based DDOS attack source handling method and device. The method comprises the following steps: building a BGP flowspec routing network; defining a BGP flowspec route matching rule template; defining a BGP flowspec route handling rule template; constructing a DDOS attack source handling model; task analysis, i.e. confirming the matching DDOS attack source handling model; task translation, i.e. generating control instructions; and entering different handling flows according to the handling mode. By defining BGP flowspec route matching rules and handling rules, the method and device construct a DDOS attack source handling model, and the adapted model issues BGP flowspec route policies as required to handle the DDOS attack source.

Description

DDOS attack source disposal method and device based on BGP flowspec
Technical Field
The invention relates to the field of DDOS attack disposal, in particular to a DDOS attack source disposal method and device based on BGP flowspec.
Background
At present, DDOS (distributed denial of service) attacks are handled in the network with destination-address-based traffic handling schemes. These are suitable for protecting specific network targets, but have the following problems in some DDOS attack scenarios:
1. A destination-address-based traffic handling scheme cannot be used to handle the attack source. Current DDOS attack handling, whether diversion or suppression, is realized by route redirection and can be applied to an attack target; applying the same kind of policy to an attack source only handles the traffic flowing towards the attack source, not the attack traffic flowing out of it, so the protection is ineffective.
2. If a high-threat attack source is found attacking multiple targets simultaneously, a destination-address-based traffic handling scheme must issue multiple handling tasks, which lowers efficiency, and the attack targets may also be hard to discover.
3. In real service scenarios the attack source itself needs to be blocked. A traffic handling scheme that can specify the source of the attack is therefore needed.
Disclosure of Invention
In order to solve the problems of these DDOS attack scenarios, the invention provides a BGP flowspec based DDOS attack source handling method and device, which construct a DDOS attack source handling model by defining matching rules and handling rules for BGP flowspec routes; the adapted model issues BGP flowspec route policies as required to apply handling such as suppression, speed limiting and cleaning to the DDOS attack source.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
In an embodiment of the present invention, a BGP flowspec based DDOS attack source handling method is provided, where the method includes:
constructing a BGP flowspec routing network;
defining a BGP flowspec route matching rule template;
defining a BGP flowspec route handling rule template;
constructing a DDOS attack source handling model;
task analysis, i.e. confirming the matching DDOS attack source handling model;
task translation, i.e. generating a control instruction;
entering different handling flows according to the handling mode.
Further, the BGP flowspec route matching rule template includes:
a matching rule template according to traffic characteristics, a matching rule template according to protocol type, and a matching rule template according to the total length of the IP packet.
Further, the BGP flowspec route handling rule template includes:
a handling rule template for traffic suppression, traffic speed limiting and traffic redirection according to the source address; traffic redirection diverts the traffic to the traffic cleaning device for global cleaning.
Further, constructing the DDOS attack source handling model includes:
combining at least one type of BGP flowspec route matching rule template with a BGP flowspec route handling rule template to construct the DDOS attack source handling model.
Further, task analysis, i.e. confirming the matching DDOS attack source handling model, includes:
based on the security level of the user, the threat information from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform, selecting a BGP flowspec route matching rule template to confirm the traffic to be handled, and selecting a BGP flowspec route handling rule template to determine the traffic handling mode.
Further, a reference system for the traffic handling mode is constructed according to the security level of the user, the threat information from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform.
Further, entering different handling flows according to the handling mode includes:
if the traffic handling mode is speed limiting or suppression, issuing a control instruction to the routing controller, which issues the routing policy to the BGP flowspec network;
if the traffic handling mode is cleaning, invoking the cleaning handling flow: first enabling the global cleaning capability of the traffic cleaning device, then issuing a control instruction to the routing controller, which issues the routing policy to the BGP flowspec network.
In an embodiment of the present invention, a BGP flowspec based DDOS attack source handling device is further provided, where the device includes:
a network building module, used for building the BGP flowspec routing network;
a model building module, used for defining the BGP flowspec route matching rule template and the BGP flowspec route handling rule template and building the DDOS attack source handling model;
a business handling module, used for task analysis, i.e. confirming the matching DDOS attack source handling model; task translation, i.e. generating a control instruction; and entering different handling flows according to the handling mode.
Further, the BGP flowspec route matching rule template includes:
a matching rule template according to traffic characteristics, a matching rule template according to protocol type, and a matching rule template according to the total length of the IP packet.
Further, the BGP flowspec route handling rule template includes:
a handling rule template for traffic suppression, traffic speed limiting and traffic redirection according to the source address; traffic redirection diverts the traffic to the traffic cleaning device for global cleaning.
Further, constructing the DDOS attack source handling model includes:
combining at least one type of BGP flowspec route matching rule template with a BGP flowspec route handling rule template to construct the DDOS attack source handling model.
Further, task analysis, i.e. confirming the matching DDOS attack source handling model, includes:
based on the security level of the user, the threat information from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform, selecting a BGP flowspec route matching rule template to confirm the traffic to be handled, and selecting a BGP flowspec route handling rule template to determine the traffic handling mode.
Further, a reference system for the traffic handling mode is constructed according to the security level of the user, the threat information from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform.
Further, entering different handling flows according to the handling mode includes:
if the traffic handling mode is speed limiting or suppression, issuing a control instruction to the routing controller, which issues the routing policy to the BGP flowspec network;
if the traffic handling mode is cleaning, invoking the cleaning handling flow: first enabling the global cleaning capability of the traffic cleaning device, then issuing a control instruction to the routing controller, which issues the routing policy to the BGP flowspec network.
In an embodiment of the present invention, a computer device is further provided, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the aforementioned BGP flowspec based DDOS attack source handling method when executing the computer program.
In an embodiment of the present invention, a computer readable storage medium is also provided, storing a computer program for executing the BGP flowspec based DDOS attack source handling method.
The beneficial effects are:
1. The invention realizes handling of a specified attack source of a DDOS attack based on basic network capability, can be combined with threat intelligence to suppress the DDOS attack at its network source, and realizes more efficient cyberspace security handling.
2. The invention provides richer handling means for DDOS attacks.
3. The method and system can be used by operators, in cooperation with the national network security improvement framework, to achieve effective management of botnets.
Drawings
FIG. 1 is a flow chart of a DDOS attack source handling method based on BGP flowspec of the present invention;
FIG. 2 is a preparation workflow diagram of the present invention;
FIG. 3 is a flow chart of the business process of the present invention;
FIG. 4 is a schematic diagram of the BGP flowspec routing network setup of the present invention;
FIG. 5 is a flow chart of the routing rule matching of the present invention;
FIG. 6 is a schematic view of a handling mode reference system according to the present invention;
FIG. 7 is a schematic diagram of a DDOS attack source handling device structure based on BGP flowspec of the present invention;
FIG. 8 is a schematic diagram of a computer device of the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, with the understanding that these embodiments are merely provided to enable those skilled in the art to better understand and practice the invention and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the invention may be implemented as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the following forms, namely: complete hardware, complete software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to an embodiment of the invention, a BGP flowspec based DDOS attack source handling method and device are provided: a BGP flowspec routing network is constructed, a BGP flowspec routing policy is issued through a route controller to the border routers at the BGP network entry, and traffic matching the attack source is handled at the BGP network entry by that routing policy. At the system layer, BGP flowspec route matching rules and handling rules must be defined and a DDOS attack source handling model built: a matching rule can specify traffic parameters such as source address, source port and protocol, and a handling rule is one of suppression, speed limiting, redirection and so on, where redirection diverts the traffic to the traffic cleaning device for global cleaning. The DDOS attack source handling model is a combination of matching rules and handling rules; one model may use several matching rules to match a complex traffic pattern precisely. At the business application layer, the task is analysed, a suitable handling model is selected, the task is combined with the handling model to generate a control instruction, and handling then proceeds according to a predefined business flow: the suppression and speed limiting flows issue a control instruction to the controller; the cleaning flow first enables the global cleaning function of the corresponding cleaning device and then issues a control instruction to the controller.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments thereof.
Fig. 1 is a flow chart of the BGP flowspec based DDOS attack source handling method of the present invention. As shown in fig. 1, the method includes:
1. Building the BGP (Border Gateway Protocol) flowspec network
As shown in fig. 4, the network comprises a route controller, a route reflector (RR) and border routers. The route controller is a BGP router in the BGP network that issues BGP flowspec routes to the BGP flowspec network. The route reflector RR sits between the route controller and the border routers; it receives the BGP flowspec routes issued by the route controller and synchronizes them to the border routers. A border router is a BGP router at a network entry point of the BGP network that receives the BGP flowspec routes synchronized by the route reflector RR. A BGP flowspec route consists of matching rules and handling rules and is used to match traffic and handle it according to the configured rules.
2. Constructing the attack source handling model
(1) As shown in fig. 2, BGP flowspec route matching rule templates are defined. By traffic characteristics, matching can be classified into matching by source address and matching by source port; matching by protocol type includes matching by TCP flag bits; and there is matching by total length of the IP packet, etc.
For example, for matching by source address the BGP flowspec route matching rule template is:
if-match source [IPv4_address] [mask]
where IPv4_address is an IPv4 address and mask is the network address mask.
(2) As shown in fig. 2, BGP flowspec route handling rule templates are defined: traffic suppression, traffic speed limiting and traffic redirection can be performed according to the source address, where redirection diverts the traffic to a traffic cleaning device for global cleaning.
Global cleaning by the cleaning device: an ordinary cleaning task is created for a target network address, whereas in global cleaning the cleaning device does not distinguish destination addresses, cleans any traffic that passes through it, and sends the cleaned traffic back towards its destination through the routing channel.
For example, for the suppression handling mode the BGP flowspec route handling rule template is:
apply deny
(3) As shown in fig. 2, the DDOS attack source handling model is constructed by combining the BGP flowspec route matching rule template and the BGP flowspec route handling rule template defined in steps (1) and (2).
For example, the model "specified source address suppression":
if-match source [ipv4_address] [mask]
apply deny
Different types of BGP flowspec route matching rule templates can also be combined to support more refined, complex models, for example "specified source address destination port suppression":
if-match source [ipv4_address] [mask]
if-match destination-port [port], indicating the destination port to match
apply deny
The examples here show only the control instructions that contain variable parts; the common (fixed) control instructions are not enumerated in the present invention.
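As an added example (not code from the patent), here is what one of these templates becomes on the wire once the route controller advertises it: an RFC 8955 (formerly RFC 5575) BGP flowspec NLRI carrying the matching components (the `if-match` lines) and an extended community carrying the action (the `apply` line). The component type numbers and extended-community type values are those of RFC 8955; the function names and the decoder are this example's own.

```python
# Added example: encode/decode BGP flowspec routes built from the patent's templates.
# Component types and extended-community types follow RFC 8955.
import ipaddress
import struct

# RFC 8955 component types (components must appear in ascending type order)
SRC_PREFIX = 2
IP_PROTO = 3
DST_PORT = 5
PKT_LEN = 10


def _prefix_component(ctype: int, cidr: str) -> bytes:
    """Prefix component: <type><prefix length in bits><minimal prefix bytes>."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype: int, value: int) -> bytes:
    """Numeric component with a single '== value' operator.
    Operator byte: e(end)=0x80, a(and)=0x40, len bits 0x30 (00=1,01=2 bytes), lt=0x04, gt=0x02, eq=0x01."""
    if 0 <= value < 256:
        return bytes([ctype, 0x80 | 0x01, value])
    if value < 65536:
        return bytes([ctype, 0x80 | 0x10 | 0x01]) + struct.pack("!H", value)
    raise ValueError("values above 16 bits are not needed for this example")


def encode_nlri(components: list) -> bytes:
    """Flowspec NLRI: one length byte (for bodies shorter than 240 octets) then the components."""
    body = b"".join(components)
    if len(body) >= 240:
        raise ValueError("two-byte NLRI length form is not covered here")
    return bytes([len(body)]) + body


def traffic_rate_community(bytes_per_second: float, asn: int = 0) -> bytes:
    """traffic-rate extended community (type 0x8006): 2-byte AS id + IEEE float rate.
    A rate of 0 discards all matching traffic, i.e. the template's 'apply deny'."""
    return b"\x80\x06" + struct.pack("!Hf", asn, bytes_per_second)


def redirect_community(asn: int, local_admin: int) -> bytes:
    """redirect extended community (type 0x8008): route target of the VRF that
    carries matched traffic towards the cleaning device."""
    return b"\x80\x08" + struct.pack("!HI", asn, local_admin)


def flowspec_route(source_cidr: str, action: str, *, protocol=None, dst_port=None,
                   rate=None, redirect_rt=None):
    """Return (NLRI, extended community) for a source-address based template.
    action: 'deny' (suppression), 'rate-limit' (rate in bytes/s) or 'redirect' (rt=(asn, value))."""
    comps = [_prefix_component(SRC_PREFIX, source_cidr)]
    if protocol is not None:
        comps.append(_numeric_component(IP_PROTO, protocol))
    if dst_port is not None:
        comps.append(_numeric_component(DST_PORT, dst_port))
    nlri = encode_nlri(comps)
    if action == "deny":
        return nlri, traffic_rate_community(0.0)
    if action == "rate-limit":
        return nlri, traffic_rate_community(float(rate))
    if action == "redirect":
        return nlri, redirect_community(*redirect_rt)
    raise ValueError(f"unknown action {action!r}")


def decode_nlri(nlri: bytes) -> list:
    """Inverse of encode_nlri for the component shapes produced above (what a border
    router has to parse before it can match traffic)."""
    end, pos, out = 1 + nlri[0], 1, []
    while pos < end:
        ctype = nlri[pos]
        pos += 1
        if ctype in (1, SRC_PREFIX):
            plen = nlri[pos]
            nbytes = (plen + 7) // 8
            raw = nlri[pos + 1:pos + 1 + nbytes] + b"\x00" * (4 - nbytes)
            pos += 1 + nbytes
            out.append((ctype, f"{ipaddress.IPv4Address(raw)}/{plen}"))
        else:
            op = nlri[pos]
            if not op & 0x80:
                raise ValueError("multi-operator components are not handled in this example")
            vlen = 1 << ((op >> 4) & 0x3)
            value = int.from_bytes(nlri[pos + 1:pos + 1 + vlen], "big")
            pos += 1 + vlen
            out.append((ctype, value))
    return out
```

`flowspec_route("192.168.10.0/24", "deny")` yields the NLRI `05 02 18 c0 a8 0a` (length 5, source prefix, /24, three prefix bytes) and the community `80 06 00 00 00 00 00 00` (traffic-rate 0). The decoder shows why the ascending-type rule and the `e` bit matter: a receiver walks the components sequentially and has no other framing to rely on.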
3. Task analysis and model selection
As shown in fig. 3, task analysis confirms the DDOS attack source handling model based on the security level of the user concerned, the threat information from traffic detection, and the attack threat level provided by the situation awareness platform. The route to be handled can be selected by source address, source port, attack protocol or other criteria, and the traffic handling mode can be suppression, speed limiting, cleaning or another mode.
Traffic from the border router into the backbone network must be matched against the border router's routing rules: traffic entering the network is matched against the BGP flowspec routes received through the BGP routing protocol, and if it hits, the corresponding traffic handling rule is executed. The routing rule matching flow is shown in fig. 5.
The handling mode can be selected by the following method:
confirm a reference system of handling modes according to the user level, the threat information from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform. Users can be classified, by their network security importance, into level-three, level-two, level-one users, etc., and the threat level of an attack on the network can be classified as general, serious or very serious; the specific classification must follow the service conditions. A reference frame is built from user level, threat level, handling mode, etc., as shown in fig. 6.
4. Task translation and generation of control instructions
As shown in fig. 3, the actual service parameters are combined with the model to generate the control instructions.
5. Handling according to the predefined handling flow
As shown in fig. 3, different handling flows are entered according to the handling mode. If the handling mode is speed limiting or suppression, a control instruction is issued to the route controller, which issues the routing policy to the BGP flowspec network. If the handling mode is cleaning, the cleaning handling flow is invoked: the global cleaning capability of the cleaning device is enabled first, then a control instruction is issued to the route controller, which issues the routing policy to the BGP flowspec network.
It should be noted that although the operations of the method of the present invention are described in a particular order in the above embodiments and the accompanying drawings, this does not require or imply that the operations must be performed in the particular order or that all of the illustrated operations be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
In order to explain the BGP flowspec based DDOS attack source handling method more clearly, a specific embodiment is described below; it serves only to explain the present invention better and does not constitute an undue limitation of it.
Scenario 1: according to threat intelligence requirements, source suppression is applied to the attack sources 192.168.10.0/24 and 192.168.101.0/24, so that traffic from the two network segments is forbidden from entering the backbone network. The specific steps are:
1. Build the BGP flowspec routing network.
2. Define the matching rule templates and handling rule templates and construct the DDOS attack source handling models, for example "specified source address suppression", "specified source port suppression", "specified source address source port suppression", "specified protocol suppression", "specified source address cleaning", "specified source address speed limit", etc.
3. Select the "specified source address suppression" model for this scenario.
4. Task translation, generating the control instructions (only the variable part is shown here; the common control instructions are not described in detail):
public instruction:
if-match source 192.168.10.0 255.255.255.0
if-match source 192.168.101.0 255.255.255.0
apply deny
5. The handling mode of this scenario is suppression, so the suppression handling flow is entered: the control instruction is issued to the route controller, which then issues the routing policy through the constructed BGP flowspec network to all border routers; traffic from the two network segments 192.168.10.0/24 and 192.168.101.0/24 is suppressed at the border routers and does not flow into the backbone network.
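Steps 2 to 5 of the method and scenario 1 above, implemented end to end as an added Python example that is not the patent's own code: rule templates are combined into named models, task analysis picks a handling mode from a (user level, threat level) reference table and then the model whose matching templates cover the task's parameters, task translation fills in the variable parts to produce the `if-match` / `apply` control instructions, and the dispatch step enables global cleaning before issuing to the route controller only for the cleaning mode. The reference table (the page leaves figure 6's contents to the operator), the list of models, the `apply rate-limit` and `apply redirect` syntax, and the controller and cleaning-device stubs are all assumptions of this example.

```python
# Added example: handling model -> task analysis -> translation -> dispatch,
# run on scenario 1 (192.168.10.0/24 and 192.168.101.0/24, suppression).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


# --- Step 2: matching rule templates, handling rule templates, models ----------
@dataclass(frozen=True)
class MatchTemplate:
    kind: str  # "source", "source-port", "destination-port" or "protocol"

    def render(self, value) -> str:
        if self.kind == "source":  # the page's 'if-match source [IPv4_address] [mask]'
            net = ipaddress.IPv4Network(value, strict=False)
            return f"if-match source {net.network_address} {net.netmask}"
        return f"if-match {self.kind} {value}"


@dataclass(frozen=True)
class HandleTemplate:
    mode: str  # "suppress", "rate-limit" or "clean"

    def render(self, rate=None) -> str:
        if self.mode == "suppress":
            return "apply deny"  # the page's suppression template
        if self.mode == "rate-limit":
            return f"apply rate-limit {rate}"  # assumed syntax, not from the page
        return "apply redirect cleaning-device"  # assumed syntax: divert to the scrubber


@dataclass(frozen=True)
class Model:
    name: str
    matches: Tuple[MatchTemplate, ...]
    handle: HandleTemplate


SRC, SPORT, DPORT, PROTO = (MatchTemplate(k) for k in
                            ("source", "source-port", "destination-port", "protocol"))
MODELS = [  # assumed model catalogue, built from the names the page lists
    Model("specified source address suppression", (SRC,), HandleTemplate("suppress")),
    Model("specified source address source port suppression", (SRC, SPORT), HandleTemplate("suppress")),
    Model("specified source address destination port suppression", (SRC, DPORT), HandleTemplate("suppress")),
    Model("specified source address protocol suppression", (SRC, PROTO), HandleTemplate("suppress")),
    Model("specified source address cleaning", (SRC,), HandleTemplate("clean")),
    Model("specified source address speed limit", (SRC,), HandleTemplate("rate-limit")),
]


# --- Step 3: task analysis -------------------------------------------------------
@dataclass
class Task:
    user_level: str             # "level-1" (assumed most important) .. "level-3"
    threat_level: str           # "general", "serious" or "very serious"
    sources: Tuple[str, ...]    # attack source prefixes from threat intelligence
    source_port: Optional[int] = None
    destination_port: Optional[int] = None
    protocol: Optional[str] = None
    rate: Optional[int] = None  # bytes/s, used only by the rate-limit mode


# Constructed reference system (user level, threat level) -> handling mode.
REFERENCE = {}
for level in ("level-1", "level-2", "level-3"):
    REFERENCE[(level, "very serious")] = "suppress"
    REFERENCE[(level, "serious")] = "clean" if level == "level-1" else "rate-limit"
    REFERENCE[(level, "general")] = "rate-limit"


def select_model(task: Task) -> Model:
    """Handling mode from the reference system, then the model whose matching
    templates cover exactly the traffic parameters present in the task."""
    mode = REFERENCE[(task.user_level, task.threat_level)]
    present = [SRC] + [t for t in (SPORT, DPORT, PROTO)
                       if getattr(task, t.kind.replace("-", "_")) is not None]
    for model in MODELS:
        if model.matches == tuple(present) and model.handle.mode == mode:
            return model
    raise LookupError(f"no model for {[t.kind for t in present]} with mode {mode}")


# --- Step 4: task translation -----------------------------------------------------
def translate(task: Task, model: Model) -> list:
    """Fill the model's variable parts with the task's parameters."""
    lines = []
    for tmpl in model.matches:
        if tmpl.kind == "source":
            lines.extend(tmpl.render(src) for src in task.sources)
        else:
            lines.append(tmpl.render(getattr(task, tmpl.kind.replace("-", "_"))))
    lines.append(model.handle.render(task.rate))
    return lines


# --- Step 5: predefined handling flows --------------------------------------------
class RouteController:
    """Stand-in for the route controller of fig. 4; records what was issued."""
    def __init__(self):
        self.issued = []

    def issue(self, instructions):
        self.issued.append(tuple(instructions))


class CleaningDevice:
    """Stand-in for the traffic cleaning device; global cleaning is off by default."""
    def __init__(self):
        self.global_cleaning = False

    def enable_global_cleaning(self):
        self.global_cleaning = True


def handle_task(task: Task, controller: RouteController, cleaner: CleaningDevice) -> list:
    model = select_model(task)
    instructions = translate(task, model)
    if model.handle.mode == "clean":
        cleaner.enable_global_cleaning()  # cleaning flow: scrubber first, then the route
    controller.issue(instructions)         # all modes end by issuing to the controller
    return instructions


if __name__ == "__main__":
    scenario = Task("level-1", "very serious", ("192.168.10.0/24", "192.168.101.0/24"))
    print("\n".join(handle_task(scenario, RouteController(), CleaningDevice())))
```

Running the block prints the three control-instruction lines of scenario 1. The ordering in `handle_task` is the point worth checking in a real deployment: if the redirect route reaches the border routers before the cleaning device's global mode is on, diverted traffic is forwarded unscrubbed or dropped, which is why the page's cleaning flow enables the device first.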
Based on the same inventive concept, the invention also provides a BGP flowspec based DDOS attack source handling device. For the implementation of the device, refer to the implementation of the above method; repeated details are omitted. The term "module" as used below may be a combination of software and/or hardware that implements the intended function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 7 is a schematic structural diagram of a BGP flowspec based DDOS attack source handling device according to an embodiment of the present invention. As shown in fig. 7, the device includes:
a network construction module 101, configured to construct the BGP flowspec routing network;
a model building module 102, used for defining the BGP flowspec route matching rule template and the BGP flowspec route handling rule template and building the DDOS attack source handling model;
the BGP flowspec route matching rule template including:
a matching rule template according to traffic characteristics, a matching rule template according to protocol type, and a matching rule template according to the total length of the IP packet;
the BGP flowspec route handling rule template including:
a handling rule template for traffic suppression, traffic speed limiting and traffic redirection according to the source address; traffic redirection diverts the traffic to the traffic cleaning device for global cleaning;
constructing the DDOS attack source handling model including:
combining at least one type of BGP flowspec route matching rule template with a BGP flowspec route handling rule template to construct the DDOS attack source handling model;
a business handling module 103, configured to perform task analysis and confirm the matching DDOS attack source handling model; task translation, i.e. generating a control instruction; and entering different handling flows according to the handling mode;
task analysis, i.e. confirming the matching DDOS attack source handling model, including:
based on the security level of the user, the threat information from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform, selecting a BGP flowspec route matching rule template to confirm the traffic to be handled, and selecting a BGP flowspec route handling rule template to determine the traffic handling mode; the handling mode can be selected by the following method:
constructing a reference system for the traffic handling mode according to the security level of the user, the threat information from traffic detection and attack analysis, and the attack threat level provided by the situation awareness platform;
entering different handling flows according to the handling mode, including:
if the traffic handling mode is speed limiting or suppression, issuing a control instruction to the routing controller, which issues the routing policy to the BGP flowspec network;
if the traffic handling mode is cleaning, invoking the cleaning handling flow: first enabling the global cleaning capability of the traffic cleaning device, then issuing a control instruction to the routing controller, which issues the routing policy to the BGP flowspec network.
It should be noted that although several modules of the BGP flowspec based DDOS attack source handling device are mentioned in the detailed description above, this partitioning is merely exemplary and not mandatory. Indeed, the features and functions of two or more modules described above may be embodied in one module in accordance with embodiments of the present invention. Conversely, the features and functions of one module described above may be further divided among a plurality of modules.
Based on the foregoing inventive concept, as shown in fig. 8, the present invention further proposes a computer device 200, including a memory 210, a processor 220, and a computer program 230 stored in the memory 210 and capable of running on the processor 220, where the processor 220 implements the aforementioned BGP flowspec based DDOS attack source handling method when executing the computer program 230.
Based on the foregoing inventive concept, the present invention further proposes a computer readable storage medium storing a computer program for executing the foregoing BGP flowspec based DDOS attack source handling method.
According to the BGP flowspec based DDOS attack source handling method and device of the invention, a DDOS attack source handling model is constructed by defining BGP flowspec route matching rules and handling rules, and the adapted model issues BGP flowspec route policies as required to handle the DDOS attack source.
While the spirit and principles of the present invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor does the division into aspects imply that features of the various aspects cannot be used in combination; the division is made merely for convenience of description. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
It should be apparent to those skilled in the art that various modifications or variations can be made to the present invention, based on its technical solutions, without requiring any inventive effort.

Claims (8)

1. A BGPflowspec-based DDOS attack source handling method, characterized in that it comprises the following steps:
building a BGPflowspec routing network;
defining BGPflowspec route matching rule templates, comprising:
a matching rule template by traffic characteristics, a matching rule template by protocol type and a matching rule template by total length of the IP packet;
defining BGPflowspec route handling rule templates, comprising:
handling rule templates for traffic suppression, traffic rate limiting and traffic redirection by source address, where traffic redirection diverts the traffic to a traffic scrubbing device for global scrubbing;
constructing a DDOS attack source handling model, comprising:
combining at least one BGPflowspec route matching rule template with a BGPflowspec route handling rule template to construct the DDOS attack source handling model;
performing task analysis to confirm the matching DDOS attack source handling model, comprising:
selecting, on the basis of the user's security level and of the threat intelligence, attack analysis and attack threat level provided by the traffic-detection situational awareness platform, a BGPflowspec route matching rule template to confirm the traffic to be handled, and a BGPflowspec route handling rule template to determine the traffic handling mode;
performing task translation to generate a control instruction;
entering a different handling flow according to the handling mode.
2. The BGPflowspec-based DDOS attack source handling method according to claim 1, wherein a reference framework for the traffic handling mode is constructed from the user's security level and from the threat intelligence, attack analysis and attack threat level provided by the traffic-detection situational awareness platform.
3. The BGPflowspec-based DDOS attack source handling method according to claim 1, wherein entering a different handling flow according to the handling mode comprises:
if the traffic handling mode is rate limiting or suppression, issuing a control instruction to a routing controller, which issues the routing policy to the BGPflowspec network;
if the traffic handling mode is scrubbing, invoking the scrubbing handling flow: first enabling the global scrubbing capability of the traffic scrubbing device, then issuing a control instruction to the routing controller, which issues the routing policy to the BGPflowspec network.
4. A BGPflowspec-based DDOS attack source handling device, characterized in that the device comprises:
a network building module, configured to build a BGPflowspec routing network;
a model construction module, configured to define BGPflowspec route matching rule templates and BGPflowspec route handling rule templates and to construct a DDOS attack source handling model;
the BGPflowspec route matching rule templates comprising: a matching rule template by traffic characteristics, a matching rule template by protocol type and a matching rule template by total length of the IP packet;
the BGPflowspec route handling rule templates comprising: handling rule templates for traffic suppression, traffic rate limiting and traffic redirection by source address, where traffic redirection diverts the traffic to a traffic scrubbing device for global scrubbing;
constructing the DDOS attack source handling model comprising: combining at least one BGPflowspec route matching rule template with a BGPflowspec route handling rule template to construct the DDOS attack source handling model;
a service handling module, configured to perform task analysis and confirm the matching DDOS attack source handling model, comprising: selecting, on the basis of the user's security level and of the threat intelligence, attack analysis and attack threat level provided by the traffic-detection situational awareness platform, a BGPflowspec route matching rule template to confirm the traffic to be handled, and a BGPflowspec route handling rule template to determine the traffic handling mode; performing task translation to generate a control instruction; and entering a different handling flow according to the handling mode.
5. The BGPflowspec-based DDOS attack source handling device according to claim 4, wherein a reference framework for the traffic handling mode is constructed from the user's security level and from the threat intelligence, attack analysis and attack threat level provided by the traffic-detection situational awareness platform.
6. The BGPflowspec-based DDOS attack source handling device according to claim 4, wherein entering a different handling flow according to the handling mode comprises:
if the traffic handling mode is rate limiting or suppression, issuing a control instruction to a routing controller, which issues the routing policy to the BGPflowspec network;
if the traffic handling mode is scrubbing, invoking the scrubbing handling flow: first enabling the global scrubbing capability of the traffic scrubbing device, then issuing a control instruction to the routing controller, which issues the routing policy to the BGPflowspec network.
7. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the method of any one of claims 1 to 3.
8. A computer-readable storage medium, characterized in that it stores a computer program for executing the method of any one of claims 1 to 3.
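Worked example, added here and not code from the patent or from Unihub: how the three matching rule templates (source address, protocol type, total IP packet length) and the three handling rule templates (suppress, rate-limit, redirect to a scrubbing device) of claims 1 and 3 would be carried on the wire as an RFC 8955 flowspec NLRI plus its traffic-filtering extended communities, and how the task-translation step could pick the action from the attack threat level. The mapping of templates onto flowspec components, the threat-level policy in `build_rule`, the /16 blast-radius check, the AS number 64496 and the prefix 203.0.113.0/24 (documentation ranges) are all assumptions of this example, not something the patent specifies.

```python
"""RFC 8955 flowspec match components and actions for the claims' rule templates.

Added example, not the patent's code. Assumed mapping: "matching rule templates"
-> flowspec components for source/destination prefix, IP protocol, packet length;
"handling rule templates" -> traffic-rate (discard / rate-limit) and redirect
extended communities. AS 64496 and 203.0.113.0/24 are constructed sample input.
"""
import ipaddress
import struct

# Component types, RFC 8955 section 4.2
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, PKT_LEN = 1, 2, 3, 5, 10
# Numeric operator octet: end-of-list bit, two value-length bits, lt/gt/eq bits
END, LT, GT, EQ = 0x80, 0x04, 0x02, 0x01
OPS = {"==": EQ, ">": GT, "<": LT, ">=": GT | EQ, "<=": LT | EQ, "!=": LT | GT}
UDP, TCP = 17, 6


def _numeric(op: str, value: int) -> bytes:
    """Single operator/value pair; the end-of-list bit closes the one-element list."""
    if value < 0x100:
        width_bits, fmt = 0x00, ">B"      # len=00 -> 1 octet
    elif value < 0x10000:
        width_bits, fmt = 0x10, ">H"      # len=01 -> 2 octets
    else:
        width_bits, fmt = 0x20, ">I"      # len=10 -> 4 octets
    return bytes([END | width_bits | OPS[op]]) + struct.pack(fmt, value)


def prefix_component(ctype: int, cidr: str) -> bytes:
    """Type 1/2: type, prefix length in bits, then only the octets that carry the prefix."""
    net = ipaddress.IPv4Network(cidr)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[: (net.prefixlen + 7) // 8]


def numeric_component(ctype: int, op: str, value: int) -> bytes:
    return bytes([ctype]) + _numeric(op, value)


def encode_nlri(components: list) -> bytes:
    """NLRI = length (1 octet below 240, else 0xFnnn) + components in ascending type order."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    hdr = bytes([len(body)]) if len(body) < 240 else struct.pack(">H", 0xF000 | len(body))
    return hdr + body


def traffic_rate(asn: int, bytes_per_sec: float) -> bytes:
    """traffic-rate extended community (0x8006): 2-octet AS, IEEE float rate; 0 means discard."""
    return bytes([0x80, 0x06]) + struct.pack(">Hf", asn, bytes_per_sec)


def redirect(asn: int, local_admin: int) -> bytes:
    """redirect extended community (0x8008, AS:value route target) into the scrubbing VRF."""
    return bytes([0x80, 0x08]) + struct.pack(">HI", asn, local_admin)


def decode_nlri(nlri: bytes) -> dict:
    """Parse a one-value-per-component NLRI back, so a generated rule can be checked before advertising."""
    n, pos = nlri[0], 1
    if n >= 0xF0:
        n, pos = struct.unpack(">H", nlri[:2])[0] & 0x0FFF, 2
    out, end = {}, pos + n
    while pos < end:
        ctype = nlri[pos]
        pos += 1
        if ctype in (DEST_PREFIX, SRC_PREFIX):
            plen = nlri[pos]
            nb = (plen + 7) // 8
            addr = ipaddress.IPv4Address(nlri[pos + 1 : pos + 1 + nb].ljust(4, b"\0"))
            out[ctype] = f"{addr}/{plen}"
            pos += 1 + nb
        else:
            op = nlri[pos]
            width = 1 << ((op >> 4) & 3)
            value = int.from_bytes(nlri[pos + 1 : pos + 1 + width], "big")
            out[ctype] = ({v: k for k, v in OPS.items()}[op & 0x07], value)
            pos += 1 + width
    return out


def build_rule(threat_level: str, src_cidr: str, asn: int = 64496) -> tuple:
    """Task translation in the style of claim 1 (the policy itself is an assumption):
    combine the three match templates with the action chosen from the threat level.
    A source prefix shorter than /16 is refused so a bad template cannot blackhole everyone."""
    if ipaddress.IPv4Network(src_cidr).prefixlen < 16:
        raise ValueError("source prefix too broad for an automated rule")
    match = [
        prefix_component(SRC_PREFIX, src_cidr),       # template: by source address
        numeric_component(IP_PROTO, "==", UDP),       # template: by protocol type
        numeric_component(PKT_LEN, ">", 1000),        # template: by total IP packet length
    ]
    action = {
        "low": traffic_rate(asn, 1_000_000.0),  # rate-limit to 1 MB/s
        "medium": redirect(asn, 100),           # divert to the scrubbing device
        "high": traffic_rate(asn, 0.0),         # suppress: discard
    }[threat_level]
    return encode_nlri(match), action


if __name__ == "__main__":
    nlri, action = build_rule("high", "203.0.113.0/24")
    print(nlri.hex(), action.hex(), decode_nlri(nlri))
```

The `redirect` action only works if the edge routers import the chosen route target into the VRF that leads to the scrubbing device, which is why claim 3 enables the scrubbing capability before the routing policy is pushed. A controller that can inject flowspec rules is itself a denial-of-service lever: the receiving routers should keep RFC 8955 validation on (a rule is only accepted when its originator also originates the best route for the destination prefix), and the controller should bound the blast radius of generated rules, as the prefix-length check above does.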
CN202111293568.3A 2021-11-03 2021-11-03 DDOS attack source disposal method and device based on BGP flowspec Active CN114124474B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111293568.3A CN114124474B (en) 2021-11-03 2021-11-03 DDOS attack source disposal method and device based on BGP flowspec

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111293568.3A CN114124474B (en) 2021-11-03 2021-11-03 DDOS attack source disposal method and device based on BGP flowspec

Publications (2)

Publication Number Publication Date
CN114124474A CN114124474A (en) 2022-03-01
CN114124474B true CN114124474B (en) 2023-06-23

Family

ID=80380403

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111293568.3A Active CN114124474B (en) 2021-11-03 2021-11-03 DDOS attack source disposal method and device based on BGP flowspec

Country Status (1)

Country Link
CN (1) CN114124474B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108566384A (en) * 2018-03-23 2018-09-21 Tencent Technology (Shenzhen) Co., Ltd. Traffic attack protection method, device, protection server and storage medium
CN111181910A (en) * 2019-08-12 2020-05-19 Tencent Technology (Shenzhen) Co., Ltd. Protection method and related device for distributed denial of service attack
CN111294365A (en) * 2020-05-12 2020-06-16 Tencent Technology (Shenzhen) Co., Ltd. Attack traffic protection system, method and device, electronic equipment and storage medium
CN113242210A (en) * 2021-04-09 2021-08-10 Hangzhou Shandianwan Network Technology Co., Ltd. DDoS (distributed denial of service) prevention method and system based on user grade distribution

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108289104B (en) * 2018-02-05 2020-07-17 Chongqing University of Posts and Telecommunications Industrial SDN network DDoS attack detection and mitigation method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on a DDoS attack defence system based on traffic-scrubbing measurement; Zhang Zhe; China Masters' Theses Full-text Database (electronic journal); full text *

Also Published As

Publication number Publication date
CN114124474A (en) 2022-03-01

Similar Documents

Publication Publication Date Title
US11349854B1 (en) Efficient threat context-aware packet filtering for network protection
Zou et al. The monitoring and early detection of internet worms
JP4690480B2 (en) How to provide firewall service
CN103650436B (en) Service path allocation method, router and service execution entity
US8495738B2 (en) Stealth network node
CN104954367B (en) Internet omnidirectional cross-domain DDoS attack protection method
CN108156079B (en) Data packet forwarding system and method based on cloud service platform
US20140068701A1 (en) Automatically Recommending Firewall Rules During Enterprise Information Technology Transformation
CN101447996B (en) Defending method for distributed service-refusing attack and system and device thereof
CN104580249A (en) Botnet, Trojan horse and worm network analysis method and system based on logs
CN107493272A (en) Traffic scrubbing method, device and system
Meena et al. HyPASS: Design of hybrid-SDN prevention of attacks of source spoofing with host discovery and address validation
CN114124474B (en) DDOS attack source disposal method and device based on BGP flowspec
Yu et al. TARN: A SDN-based traffic analysis resistant network architecture
US8788823B1 (en) System and method for filtering network traffic
CN114221815A (en) Intrusion detection method, storage medium and system based on a deployed honeynet
Cisco Working With Security Policies
Palmieri et al. Containing large-scale worm spreading in the Internet by cooperative distribution of traffic filtering policies
US7356027B1 (en) Application decoding engine for computer networks
EP4080822B1 (en) Methods and systems for efficient threat context-aware packet filtering for network protection
Kantola et al. White Paper on Cooperative Security for 5G and the Internet
CN112866031B (en) Route configuration method, device, equipment and computer readable storage medium
Kotenko et al. Packet level simulation of cooperative distributed defense against Internet attacks
Wang et al. Tracers placement for IP traceback against DDoS attacks
Andre et al. Open vSwitch Configuration for Separation of KVM/libvirt VMs

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant