CN102035850A - Defense method of distributed denial of service attack - Google Patents


Info

Publication number
CN102035850A
Authority
CN
China
Prior art keywords
user
packet
frequent
record
user record
Legal status
Pending
Application number
CN2010106058101A
Other languages
Chinese (zh)
Inventor
谢冬青
綦科
周再红
熊伟
Current Assignee
Guangzhou University
Original Assignee
Guangzhou University
Priority date
2010-12-26
Filing date
2010-12-26
Publication date
2011-04-27

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to communication control and processing in an Internet communication system, and in particular to a defense method against distributed denial-of-service attacks. The method is characterized in that a frequent-user record table and a waiting-user record table are established in each border router of a topologically structured autonomous-domain network. Once the packets forwarded for accessing users have filled the frequent-user part of the frequent-user record table, frequent users who have had two or more packets forwarded pass the border router of the autonomous domain unhindered, whereas random users who have had one packet forwarded and new users accessing for the first time can pass the border router only after requesting at least twice. Network attackers controlling multiple computers to send information to the autonomous domain's services can therefore be shut out entirely, and the network inside the autonomous domain is kept unobstructed.

Description

Defense method against distributed denial-of-service attacks
Technical field
The present invention relates to communication control and communication processing in Internet communication systems, specifically to network security, and more particularly to a method of defending against network attacks that use many computers to send information to a target.
Background art
A distributed denial-of-service (DDoS) attack uses client/server technology to join multiple computers together into an attack platform and launch a DoS attack against one or more targets, multiplying the power of the denial-of-service attack. Typically the attacker uses a stolen account to install a DDoS master program on one computer. At a set time the master program communicates with a large number of agent programs installed on many computers across the Internet, and client/server technology lets hundreds or thousands of agents be activated within seconds. When an agent receives the instruction it starts attacking, which makes the attack much harder for the victim to guard against. Defense methods against DDoS attacks have therefore become a research focus in this field.
Patent application publication CN 1972286A discloses a defense method against DDoS attacks, characterized in that when a network device receives a TCP connection message it performs the following steps:
1. Determine, according to detection rules, whether the network device is currently under attack. If any one of the detection rules holds, the network device is deemed under attack and step 2 is executed; otherwise step 3 is executed. The detection rules are:
a. the number of SYN messages in the system's first-handshake half-open connection queue exceeds a normal value;
b. the number of SYN messages in the system's first-handshake half-open connection queue has exceeded 95% of its maximum capacity;
c. the growth rate of SYN messages in the system's first-handshake half-open connection queue exceeds a limit value;
2. Discard the SYN messages whose residence time in the system exceeds 1 second;
3. Execute the system's normal TCP connection procedure.
The normal value of the SYN message count is the average daily processing volume of the network device;
the limit value of the SYN growth rate is the maximum number of new TCP connections per second when the network device handles normal burst traffic.
As the above description shows, the scheme of patent application publication CN 1972286A protects the server from network attack; however, the attack stream still occupies every link in the domain where the server sits before it reaches the server, so the problem of network congestion remains.
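To make the prior-art detection rules concrete, here is an added Python model of the half-open SYN queue and the three rules quoted above. It is an illustration written for this page, not code from CN 1972286A or from the present patent. The queue capacity, normal value, growth limit and the traffic it replays are constructed values, and the growth rate is estimated here as the number of SYNs seen in the last second, which the prior-art text does not specify.

```python
"""Half-open SYN queue with the three detection rules quoted from CN 1972286A.
Added illustration for this page; not code from either patent."""
from collections import deque
from typing import Deque, Dict, Tuple


class HalfOpenQueue:
    def __init__(self, capacity: int, normal_value: float, growth_limit: float,
                 max_residence: float = 1.0) -> None:
        self.capacity = capacity            # maximum capacity of the half-open queue
        self.normal_value = normal_value    # "normal value": average daily SYN volume
        self.growth_limit = growth_limit    # max new TCP connections/s under normal bursts
        self.max_residence = max_residence  # SYNs resident longer than this are discarded (1 s)
        self.queue: Deque[Tuple[float, str]] = deque()   # (arrival time, client)
        self.arrivals: Deque[float] = deque()            # SYN arrival times within the last second

    def growth_rate(self, now: float) -> int:
        """Assumed estimate of the growth rate: SYNs that arrived in the last second."""
        while self.arrivals and now - self.arrivals[0] > 1.0:
            self.arrivals.popleft()
        return len(self.arrivals)

    def under_attack(self, now: float) -> bool:
        """Step 1: any one of rules a, b, c holding means the device is under attack."""
        n = len(self.queue)
        rule_a = n > self.normal_value
        rule_b = n > 0.95 * self.capacity
        rule_c = self.growth_rate(now) > self.growth_limit
        return rule_a or rule_b or rule_c

    def discard_stale(self, now: float) -> int:
        """Step 2: drop half-open entries resident for more than max_residence seconds."""
        fresh = deque((t, c) for t, c in self.queue if now - t <= self.max_residence)
        dropped = len(self.queue) - len(fresh)
        self.queue = fresh
        return dropped

    def on_syn(self, client: str, now: float) -> Tuple[str, int]:
        """Handle one SYN; returns (verdict, number of stale entries discarded)."""
        self.arrivals.append(now)
        dropped = 0
        if self.under_attack(now):
            dropped = self.discard_stale(now)
            verdict = "attack"
        else:
            verdict = "normal"
        # Step 3: the normal TCP procedure, i.e. queue the half-open connection if room exists
        if len(self.queue) < self.capacity:
            self.queue.append((now, client))
        return verdict, dropped

    def on_ack(self, client: str) -> None:
        """The third handshake message completes the connection, which leaves the queue."""
        self.queue = deque((t, c) for t, c in self.queue if c != client)


def simulate_flood() -> Dict[str, int]:
    """Constructed traffic: five normal clients, three of which complete the handshake,
    followed by a burst of 60 SYNs within 0.6 s from distinct constructed sources."""
    q = HalfOpenQueue(capacity=100, normal_value=50, growth_limit=20)
    counts = {"normal": 0, "attack": 0, "stale_dropped": 0}
    for i in range(5):
        verdict, dropped = q.on_syn(f"client-{i}", now=i * 0.5)
        counts[verdict] += 1
        counts["stale_dropped"] += dropped
        if i < 3:
            q.on_ack(f"client-{i}")      # clients 0-2 finish; 3 and 4 stay half-open
    for i in range(60):
        verdict, dropped = q.on_syn(f"flood-{i}", now=3.0 + i * 0.01)
        counts[verdict] += 1
        counts["stale_dropped"] += dropped
    counts["queue_len"] = len(q.queue)
    return counts
```

In the replay rule c fires first: the burst crosses 20 new SYNs per second while the queue is still far below both the normal value and 95% of capacity, and only then are the two half-open entries older than one second discarded. The replay also exhibits the limitation the description points out above: the detection acts at the device that holds the queue, after the flood has already traversed the links in front of it.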
Patent application publication CN 101383812A discloses an IP-spoofing DDoS defense method based on active IP records. The method uses an active IP table at the autonomous system boundary to limit the network flows entering it: flows from active IPs are allowed through preferentially, while flows from non-active IPs are not discarded arbitrarily but are admitted with a reduced TTL value so that they are dropped before reaching the autonomous domain's server. Thus, although the method guarantees that clients with real IPs (active-IP clients) pass preferentially, and that clients whose identity still has to be established (non-active-IP clients) cannot connect to the server until they have retransmitted packets, which keeps the server safe, the method merely changes the TTL of non-active-IP packets to a smaller random value at the border router before letting them pass. Although such packets cannot reach the autonomous domain's server, the network congestion they cause inside the autonomous domain is obvious.
Summary of the invention
In view of the above deficiencies of the prior art, the technical problem solved by the present invention is to provide a network security scheme for defending against DDoS attacks that both protects the servers in the autonomous domain from attack and, under limited resources, keeps the autonomous domain's internal network unobstructed.
The technical scheme by which the present invention solves the above problem is as follows:
A defense method against distributed denial-of-service attacks, characterized in that:
In each border router of a topologically structured autonomous-domain network, a frequent-user record table and a waiting-user record table are established, wherein
the frequent-user record table is divided into a frequent-user part and a random-user part. The frequent-user part has N rows and 3 columns; the 3 columns of each row record the IP of a frequent user who has had 2 or more packets forwarded, the remaining time-to-live of the current packet, and the number of packets forwarded. The random-user part has N' rows and 3 columns; the 3 columns of each row record the IP of a random user who has had exactly 1 packet forwarded, the remaining time-to-live of the current packet, and the number of packets forwarded. N and N' are natural numbers greater than or equal to 1, and their ratio is 1;
the waiting-user record table has M rows and 3 columns; the 3 columns of each row record the IP of a random user arriving after the random-user part of the frequent-user record table has filled, the number of the current packet file, and the total number of packets stored. M is a natural number greater than or equal to 1;
Initially, every packet from outside the domain that arrives at the border router is forwarded directly to the servers of the autonomous-domain network, while the user's IP and forwarded-packet count are recorded in the frequent-user part of the frequent-user record table and the remaining time-to-live of the current packet is set to 7 days. Thereafter all records in the frequent-user record table are refreshed continuously, user records whose packet time-to-live has reached zero are deleted, and the waiting-user record table is updated once every 3 hours by deleting its last 500 user records. Once the frequent-user part of the frequent-user record table is full, the following operations are performed on each packet from outside the domain that arrives at the border router:
(1) Check whether the user's IP is already recorded in the frequent-user part of the frequent-user record table. If so, update that record: reset the packet's remaining time-to-live to 7 days, add 1 to the forwarded-packet count, and then forward the packet to the servers of the autonomous-domain network. If not,
(2) check whether the random-user part of the frequent-user record table is full. If not, add the user to the random-user part: record the user's IP, set the packet's remaining time-to-live to 7 days, set the forwarded-packet count to 1, and then forward the packet to the servers of the autonomous-domain network. If it is full,
(3) check whether the user's IP is already recorded in the waiting-user record table. If so, replace the packet file last stored for this user with the packet file the user has just sent, and refresh the user's record in the waiting-user record table by adding 1 to the user's stored-packet total. As soon as the user's stored-packet total is 2 or more, move the user to the frequent-user part of the frequent-user record table when a slot is free: record the user's IP, set the packet's remaining time-to-live to 7 days, and take the stored-packet total as the forwarded-packet count. If not,
(4) check whether the waiting-user record table is full. If not, store the packet the user has sent, give it a number, and add a new record to the waiting-user record table recording the user's IP and the number of the stored packet file, with the stored-packet total set to 1. If it is full, discard the packet the user has sent.
The row count N of the frequent-user record table, the row count N' and the ratio between them, and the row count M of the waiting-user record table are all set by the administrator according to the storage space of the border router and its average volume of visits, on the principle of raising the connection rate as far as possible.
With the method of the present invention, once the packets sent by accessing users have filled the frequent-user part of the frequent-user record table, only frequent users who have had 2 or more packets forwarded pass the border router of the autonomous domain unhindered; random users who have had 1 packet forwarded and new users visiting for the first time must request at least twice before they can pass the border router. Network attackers who control many computers to send information to the autonomous domain's services can therefore be kept entirely outside, and the autonomous domain's internal network stays unobstructed.
Description of drawings
Fig. 1 is a schematic diagram of a specific embodiment of the topologically structured autonomous-domain network of the present invention and of its anti-DDoS architecture.
Fig. 2 is a flowchart of the processing that the DDoS defense method of the present invention applies to each packet from outside the domain arriving at the border router, after the frequent-user part of the frequent-user record table has filled.
Embodiments
Referring to Fig. 1, the topologically structured autonomous-domain network of the present invention is a computer network consisting of a server and several workstations connected by cables. The network is connected to the Internet through several border routers, and there are one or more nodes between each border router and the server.
Referring to Fig. 1, to implement the method of the invention, a storage space for the packet files sent by accessing clients must first be set aside in each border router, and the frequent-user record table and waiting-user record table shown in Tables 1 and 2 below must be built. The upper half of the frequent-user record table is the frequent-user part, with N rows in total; the lower half is the random-user part, with N' rows in total. The waiting-user record table has M rows and can record M waiting users.
Table 1: frequent-user record table (table image not reproduced)
Table 2: waiting-user record table (table image not reproduced)
Referring to Fig. 1, suppose that at some time four clients send packets to the server through a certain border router of this autonomous domain: normal host 1 with IP address 210.43.109.101, normal host 2 with IP address 44.56.128.1, attacking host 1 with IP address 21.87.94.7, and attacking host 2 with IP address 77.69.5.2. Then:
1) If the autonomous domain is in its initial state, the frequent-user record table and the waiting-user record table in the border router are empty. The border router forwards the packets received from the four hosts directly to the server while recording each user's IP address in the frequent-user part of the frequent-user record table, setting the forwarded-packet count to 1 and the remaining time-to-live of the current packet to 7 days. The frequent-user record table then holds the records shown in Table 3:
Table 3 (table image not reproduced)
2) Thereafter the system continuously refreshes all records in the frequent-user record table, deletes user records whose packet time-to-live has reached zero, and updates the waiting-user record table once every 3 hours by deleting its last 500 user records. Referring to Fig. 2, once the frequent-user part of the frequent-user record table is full, the following operations are performed on each packet from outside the domain arriving at the border router:
1. Check whether the user's IP is already recorded in the frequent-user part of the frequent-user record table. For normal hosts 1 and 2, each packet they send is forwarded directly to the server, the forwarded-packet count is increased by 1 on every forwarding, and the remaining time-to-live is reset to 7 days. Suppose the frequent-user part of the frequent-user record table at some moment is as shown in Table 4 below. As Table 4 shows, attacking hosts 1 and 2 will be deleted when their remaining time-to-live reaches zero.
Table 4 (table image not reproduced)
2. If host 3, with IP address 102.34.56.45, sends a packet, then after the border router receives it, the router checks whether the random-user records of the frequent-user record table are full. If not, i.e. the random-user part holds fewer than N records, host 3 is added to the random-user part: its IP is recorded, the remaining time-to-live of its packet is set to 7 days, its forwarded-packet count is set to 1, and the packet is forwarded to the server (see Table 5). If it is full, i.e. the random-user part holds N records,
Table 5 (table image not reproduced)
3. then check whether host 3's IP is already recorded in the waiting-user record table. If so, replace the packet file last stored for host 3 (suppose the packet file last stored for host 3 is numbered 3) with the packet file host 3 has just sent, and refresh host 3's record in the waiting-user record table by adding 1 to its stored-packet total, which thus equals 2 (see Table 6).
Table 6 (table image not reproduced)
As Table 6 shows, host 3's stored-packet total equals 2, so host 3 is moved to the frequent-user part of the frequent-user record table when a slot is free: its IP is recorded, the remaining time-to-live of its packet is set to 7 days, and its stored-packet total of 2 is taken as the forwarded-packet count (see Table 7). If not,
4. check whether the waiting-user record table is full. If not, i.e. the number of user records in the waiting-user record table is less than M, store the packet host 3 has sent, give it a number, add a new record to the waiting-user record table recording host 3's IP and the number of the stored packet file, and set its stored-packet total to 1 (see Table 8). If it is full, i.e. the number of user records in the waiting-user record table equals M, discard the packet host 3 has sent.
Table 7 (table image not reproduced)
Table 8 (table image not reproduced)

Claims (1)

1. A defense method against distributed denial-of-service attacks, characterized in that:
in each border router of a topologically structured autonomous-domain network, a frequent-user record table and a waiting-user record table are established, wherein
the frequent-user record table is divided into a frequent-user part and a random-user part. The frequent-user part has N rows and 3 columns; the 3 columns of each row record the IP of a frequent user who has had 2 or more packets forwarded, the remaining time-to-live of the current packet, and the number of packets forwarded. The random-user part has N' rows and 3 columns; the 3 columns of each row record the IP of a random user who has had exactly 1 packet forwarded, the remaining time-to-live of the current packet, and the number of packets forwarded. N and N' are natural numbers greater than or equal to 1, and their ratio is 1;
the waiting-user record table has M rows and 3 columns; the 3 columns of each row record the IP of a random user arriving after the random-user part of the frequent-user record table has filled, the number of the current packet file, and the total number of packets stored. M is a natural number greater than or equal to 1;
initially, every packet from outside the domain that arrives at the border router is forwarded directly to the servers of the autonomous-domain network, while the user's IP and forwarded-packet count are recorded in the frequent-user part of the frequent-user record table and the remaining time-to-live of the current packet is set to 7 days. Thereafter all records in the frequent-user record table are refreshed continuously, user records whose packet time-to-live has reached zero are deleted, and the waiting-user record table is updated once every 3 hours by deleting its last 500 user records. Once the frequent-user part of the frequent-user record table is full, the following operations are performed on each packet from outside the domain that arrives at the border router:
(1) check whether the user's IP is already recorded in the frequent-user part of the frequent-user record table. If so, update that record: reset the packet's remaining time-to-live to 7 days, add 1 to the forwarded-packet count, and then forward the packet to the servers of the autonomous-domain network. If not,
(2) check whether the random-user part of the frequent-user record table is full. If not, add the user to the random-user part: record the user's IP, set the packet's remaining time-to-live to 7 days, set the forwarded-packet count to 1, and then forward the packet to the servers of the autonomous-domain network. If it is full,
(3) check whether the user's IP is already recorded in the waiting-user record table. If so, replace the packet file last stored for this user with the packet file the user has just sent, and refresh the user's record in the waiting-user record table by adding 1 to the user's stored-packet total. As soon as the user's stored-packet total is 2 or more, move the user to the frequent-user part of the frequent-user record table when a slot is free: record the user's IP, set the packet's remaining time-to-live to 7 days, and take the stored-packet total as the forwarded-packet count. If not,
(4) check whether the waiting-user record table is full. If not, store the packet the user has sent, give it a number, and add a new record to the waiting-user record table recording the user's IP and the number of the stored packet file, with the stored-packet total set to 1. If it is full, discard the packet the user has sent.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010106058101A CN102035850A (en) 2010-12-26 2010-12-26 Defense method of distributed denial of service attack

Publications (1)

Publication Number Publication Date
CN102035850A (en) 2011-04-27

Family

ID=43888173

Country Status (1)

Country Link
CN (1) CN102035850A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1972286A (en) * 2006-12-05 2007-05-30 苏州国华科技有限公司 A defense method aiming at DDoS attack
CN101383812A (en) * 2007-09-03 2009-03-11 电子科技大学 IP spoofing DDoS attack defense method based on active IP record

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谢冬青 et al.: "一种基于分组漏斗的DDoS防御机制" (A DDoS defense mechanism based on a packet funnel), 湖南大学学报(自然科学版) (Journal of Hunan University, Natural Sciences) *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110427