CN102075535B - Distributed denial-of-service attack filter method and system for application layer


Info

Publication number
CN102075535B
Authority
CN
China
Prior art keywords
page
request
embedded object
ddos attack
time
Legal status
Expired - Fee Related
Application number
CN 201110005704
Other languages
Chinese (zh)
Other versions
CN102075535A (en)
Inventor
肖军
张永铮
云晓春
Current Assignee
Shanghai Yinglian Information Technology Co ltd
Original Assignee
Institute of Computing Technology of CAS

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention provides a distributed denial-of-service (DDoS) attack filtering method and a DDoS attack filtering system for the application layer. The method comprises the following steps: 100) receiving a service request; and 200) judging, from the embedded-object count and the think time of the page to which the requested object belongs, whether the service request is a DDoS attack, where a request whose page has an embedded-object count smaller than that page's maximum embedded-object count and a think time smaller than the minimum think time is not an attack, and the think time is the current time at judgement minus the page arrival time. While filtering DDoS attacks effectively, the invention has the following advantages: (1) its computational complexity is low and it is simple and fast; (2) the system can run independently of the server; and (3) users are not disturbed in any way.

Description

Application-layer distributed denial-of-service attack filtering method and system
Technical field
The present invention relates to the field of network security detection and control, and more specifically to the filtering of distributed denial-of-service attacks.
Background technology
Distributed denial-of-service (DDoS) attacks are one of the chief threats to Internet security; they are generally carried out at the network layer or at the application layer. Detection and filtering of network-layer DDoS attacks has already produced substantial research results: such attacks show up as anomalies in network-layer traffic, and security devices such as firewalls can detect and resist attacks like SYN Flood and ICMP Flood effectively. An application-layer DDoS attack first submits normal connection-establishment requests and, once the connection is established, submits service requests to the target server that consume its computing resources. Because an application-layer DDoS attack behaves normally at the network layer, it can evade network-layer detection and filtering; when a SYN Flood no longer achieves the desired effect, an attacker can turn to an application-layer DDoS attack to reach the same goal. Existing defences against application-layer DDoS attacks mainly comprise the Turing test and the speak-up method.
The Turing test distinguishes attackers from normal visitors effectively: a legitimate user can complete the test correctly, while an attacking host lacks the ability to do so, so the two can be told apart accurately. However, the Turing test tends to interfere with the visitor's normal access to the server.
The speak-up method resists application-layer DDoS in a way opposite to earlier filtering methods that slow down or weaken the attacker: it asks all clients to raise their sending rate. Because an attacker, to achieve the best attack effect, usually follows a best-effort principle and already sends at the maximum rate when the attack starts, the clients that can still increase their rate are the legitimate users, and legitimate traffic can thereby be identified. The drawback is that, while an attack is under way, the speak-up method further increases the volume of traffic reaching the attacked server.
Summary of the invention
The technical problems the present invention addresses are that existing application-layer distributed denial-of-service attack filtering methods are computationally complex, cannot run independently of the server, and add inconvenience to user access.
According to one aspect of the present invention, an application-layer distributed denial-of-service (DDoS) attack filtering method is provided, comprising the following steps:
100) receiving a service request;
200) judging, from the embedded-object count and the think time of the page to which the requested object belongs, whether the service request is a DDoS attack, where a request for which (embedded-object count of the page) < (maximum embedded-object count of the page) and (think time) < (minimum think time) is not an attack, and the think time is (current time at judgement minus page arrival time).
In the above method, step 200) comprises:
210) judging whether the requested object is an embedded object or a page;
220) judging whether the service request belongs to a new session;
230) for an embedded-object request that does not belong to a new session, making a preliminary DDoS judgement from the time interval to the previous embedded-object request and/or the number of consecutive embedded objects;
240) for an embedded-object request that may be a DDoS attack, determining from the embedded-object count and the think time of the page to which the requested object belongs whether the service request is a DDoS attack;
250) for a page request that does not belong to a new session, determining from the embedded-object count and the think time of the page to which the requested object belongs whether the service request is a DDoS attack.
In the above method, between step 230) and step 240) there is further:
Step 235) for an embedded-object request that may be a DDoS attack, making a first DDoS judgement from the page count of the session: if the page count of the session < (1 + afa) × MAX_MP_NUM, the requests belonging to this session may be a DDoS attack, where afa is an adjustment parameter greater than or equal to 0 and MAX_MP_NUM is the maximum page count;
and between step 230) and step 250) there is further:
Step 245) for a page request that may be a DDoS attack, making a first DDoS judgement from the page count of the session: if the page count of the session < (1 + afa) × MAX_MP_NUM, the requests belonging to this session may be a DDoS attack.
In the above method, the maximum embedded-object count, the minimum think time and/or the maximum page count are obtained by training.
According to another aspect of the present invention, an application-layer distributed denial-of-service attack filtering system is also provided, comprising:
a cache module, for receiving and storing service requests;
a filtering module, for judging, from the embedded-object count and the think time of the page to which the requested object belongs, whether the service request is a DDoS attack, where a request for which (embedded-object count of the page) < (maximum embedded-object count of the page) and (think time) < (minimum think time) is not an attack, and the think time is (current time at judgement minus page arrival time);
a forwarding module, for forwarding the requests that pass the filtering module.
Preferably, the system further comprises a study module for training the maximum embedded-object count and the minimum think time of the page.
Compared with existing methods, the application-layer DDoS filtering method disclosed in this invention filters DDoS attacks effectively and at the same time has the following advantages: (1) low computational complexity, simple and efficient; (2) it can run independently of the server; (3) it causes the user no interference at all.
Description of drawings
Fig. 1 is a flowchart of the filtering steps of the application-layer distributed denial-of-service attack filtering method according to a preferred embodiment of the present invention;
Fig. 2 is a flowchart of the training steps of the application-layer distributed denial-of-service attack filtering method according to a preferred embodiment of the present invention;
Fig. 3 is a schematic diagram of the network deployment according to an embodiment of the present invention;
Fig. 4 is a block diagram of the application-layer distributed denial-of-service attack filtering system according to an embodiment of the present invention.
Embodiment
To make the purpose, technical solution and advantages of the present invention clearer, the application-layer distributed denial-of-service attack filtering method and system according to an embodiment of the present invention are further described below with reference to the accompanying drawings. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
The present invention provides protection by filtering, in real time, all requests that access the protected system. Whether a service request is a DDoS attack can be judged from the embedded-object count and the think time of the page to which the requested object belongs: if the embedded-object count of the page is smaller than the maximum embedded-object count of the page and the think time is smaller than the minimum think time, the request is generally not an attack. Here the think time is the time the user spends browsing the page; in the present invention it equals the judgement time minus the page arrival time. Because a DDoS attack generally keeps sending a large number of requests, that is, a DDoS attack session generally contains many page requests, it is also preferable to judge first, from the page count of the session the request belongs to, whether the request is a DDoS attack.
As shown in the flowchart of Fig. 1, the filtering process comprises the following steps:
(1) First, initialise the parameters: set the page-anomaly count threshold Anom_thd to 4, and create an anomalous-session storage table, initially empty, for storing the session identifiers of anomalous sessions.
(2) Receive a request.
(3) From the contents of the anomalous-session storage table, judge whether this request comes from an anomalous session; if so, go to step (4), otherwise go to step (5).
(4) Discard the request.
(5) Judge whether the requested object is a page; if not, go to step (6), otherwise go to step (18).
(6) Judge whether the request comes from a new session; if so, go to step (7), otherwise go to step (8).
(7) Save the information of the new session: set its current page to NULL, the embedded-object count of this page to 1, and the arrival time of this page to the current time. Go to step (2).
(8) If the interval between this embedded object and the previous embedded object is greater than the embedded-object interval threshold EOBJ_INTV_THD, or the embedded-object count of the current page exceeds the page embedded-object count threshold EOBJ_NUM_THD, go to step (9); otherwise go to step (17).
(9) Find the session the current request belongs to and add 1 to its page count.
(10) If the page count ≥ (1 + afa) × MAX_MP_NUM, go to step (11); otherwise go to step (12). Here afa is an adjustment parameter in the range [0.1, 0.5], preferably 0.2 or 0.3, and MAX_MP_NUM is the maximum page count.
(11) Mark this session as an anomalous session, i.e. store its session identifier in the anomalous-session storage table. Go to step (2).
(12) Compute the embedded-object count and the think time of the page.
(13) If the embedded-object count of the current page is smaller than the maximum embedded-object count MAX_EOBJ of this page, and the think time is smaller than the minimum think time MIN_TT of this page, go to step (14); otherwise go to step (15).
(14) Set the current page of this session to NULL, the arrival time of this page to the current time, and the embedded-object count to 1. Go to step (2).
(15) Add 1 to the anomalous page count anom_mp of this session, and go to step (16).
(16) If anom_mp > Anom_thd, go to step (11); otherwise go to step (14).
(17) Add 1 to the embedded-object count of the current page, and go to step (2).
(18) Judge whether the request comes from a new session; if so, go to step (19), otherwise go to step (20).
(19) Save the information of this session: set its current page to the requested page, the embedded-object count of the page to 0, and the arrival time of the current page to the current time. Go to step (2).
(20) Find the session corresponding to this request, add 1 to its page count, and go to step (21).
(21) If the page count ≥ (1 + afa) × MAX_MP_NUM, go to step (11); otherwise go to step (22).
(22) Compute the embedded-object count and the think time of the current page, and go to step (23).
(23) Judge whether the embedded-object count of the current page is smaller than the maximum embedded-object count MAX_EOBJ of this page and whether the think time is smaller than the minimum think time MIN_TT of this page; if the embedded-object count of the current page is smaller than MAX_EOBJ and the think time < MIN_TT, go to step (24); otherwise go to step (25).
(24) Set the current page of this session to the page just requested, the embedded-object count of this page to 0, and the arrival time to the current time. Go to step (2).
(25) Add 1 to the anomalous page count anom_mp of this session, and go to step (26).
(26) Judge whether anom_mp < Anom_thd holds; if so, go to step (24); otherwise go to step (11).
The parameters the above filtering process needs, namely the maximum embedded-object count of a page, the maximum page count and the minimum think time, can be set from experience or obtained by other methods. In a preferred embodiment of the present invention they are obtained by training; the training process is described in detail below. Those skilled in the art will appreciate that this training process is preferred rather than necessary.
Fig. 2 shows the flowchart of the training steps of the application-layer distributed denial-of-service attack filtering method according to an embodiment of the present invention. As shown in Fig. 2, the training process of the filtering method of the present invention is similar to the filtering process above and comprises the following steps:
(1) Initialise the parameters: set the inactive-session eviction time threshold Remove_THD to 100 seconds and the embedded-object interval threshold EOBJ_INTV_THD to 5 seconds. Here a session is the information exchanged directly between the user and a website from the moment the user enters the website until the browser is closed or browsing stops.
(2) Receive a request. In addition, for every session, if the time since the session's last request exceeds Remove_THD, regard the session as inactive and evict it; count the page number of the active sessions.
(3) Judge whether the received request is a page request, i.e. whether the requested object is a page or an embedded object. If an embedded object, go to step (4); if a page, go to step (11).
(4) Find the session this request belongs to by its session identifier and judge whether it is a new session; if so, go to step (5), otherwise go to step (6).
(5) Create a data structure to hold the session information: the session identifier (session id), the session page count, the anomalous page count, the current page, the embedded-object count of the current page and the arrival time of the current page. Set the session page count to 1, the current page (which is also the first page) to NULL, and the embedded-object count of the current page to 1. Go to step (16).
(6) For the session this request belongs to, judge whether the interval between the requested embedded object and the session's previous embedded object is greater than EOBJ_INTV_THD; if so, go to step (7), otherwise go to step (10).
(7) Add 1 to the page count of this session.
(8) Compute the embedded-object count and the think time (Think time) of the current page, where Think time = current time minus arrival time of the current page.
(9) Set the current page of this session to NULL, its embedded-object count to 1 and its arrival time to the current time. Go to step (16).
(10) Add 1 to the embedded-object count of the current page. Go to step (16).
(11) Judge whether the received request comes from a new session. If so, go to step (12); otherwise go to step (13).
(12) Save the session information: set its first page as the current page, the embedded-object count of this page to 0, and the arrival time of this page to the current time. Go to step (16).
(13) Find the session corresponding to this request and add 1 to its page count.
(14) Compute the Think time and the embedded-object count of this page, where Think time = current time minus arrival time of this page. Go to step (15).
(15) Set the current page of this session to the page just requested, its arrival time to the current time and its embedded-object count to 0. Go to step (16).
(16) Judge whether training is finished; if so, go to step (17), otherwise go to step (2).
(17) Obtain the maximum page count MAX_MP_NUM of a session, the maximum embedded-object count MAX_EOBJ of each page and the minimum Think time MIN_TT, and finish training.
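The two flowcharts, the filtering process of Fig. 1 (steps (1) to (26)) and the training process of Fig. 2 (steps (1) to (17) just above), as one runnable Python sketch. This is an added example, not code from the patent or its inventors, and it settles a few points the patent leaves open, all of them assumptions: a requested object is classed as page or embedded object by its URL suffix; EOBJ_NUM_THD, which the patent names but never sets, is 50; a page not seen during training is judged against the largest MAX_EOBJ and smallest MIN_TT of any trained page; a freshly opened page uses its own arrival time as the time of its "previous embedded object"; and the request that causes a session to be marked anomalous is itself dropped. The per-page test in page_is_normal keeps the comparison directions exactly as claim 1 and steps (13)/(23) state them (an embedded-object count below MAX_EOBJ together with a think time below MIN_TT counts as normal); since the training stage takes MIN_TT as the smallest think time observed in legitimate traffic, a deployment should check that direction against its own training data before relying on it. The two traces at the bottom are constructed for the example.

```python
"""Session-profile filter for application-layer DDoS after Fig. 1 (filtering) and
Fig. 2 (training) of CN102075535B. Added example code, not the patent's own."""
from dataclasses import dataclass
from math import inf

# Assumption (the patent does not say how it tells them apart): these suffixes mark embedded objects.
EMBEDDED_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")

def is_page(url):
    return not url.lower().endswith(EMBEDDED_EXT)

@dataclass
class Session:
    cur_page: object      # None is the patent's NULL page (objects seen before any page)
    eobj: int             # embedded objects counted for cur_page so far
    arrival: float        # arrival time of cur_page; think time = now - arrival
    last_eobj: float      # arrival of the previous embedded object (page arrival if none yet)
    last_seen: float
    page_count: int = 1
    anom_mp: int = 0      # anomalous-page counter, used by the filter stage only

class Tracker:
    """Session bookkeeping shared by both flowcharts. update() returns (session, closed),
    closed being (page, eobj, think_time) if this request ended the current page, else None."""
    def __init__(self, eobj_intv_thd=5.0, eobj_num_thd=inf):
        self.eobj_intv_thd, self.eobj_num_thd, self.sessions = eobj_intv_thd, eobj_num_thd, {}
    def update(self, sid, url, now):
        s = self.sessions.get(sid)
        if s is None:                                  # new session: steps (5)/(12) and (7)/(19)
            s = self.sessions[sid] = Session(url, 0, now, now, now) if is_page(url) else Session(None, 1, now, now, now)
            return s, None
        s.last_seen = now
        if is_page(url):                               # a page request always ends the current page
            nxt = (url, 0)
        elif now - s.last_eobj > self.eobj_intv_thd or s.eobj > self.eobj_num_thd:   # steps (8) / (6)
            nxt = (None, 1)                            # long gap or too many objects: a NULL page begins
        else:                                          # steps (17) / (10): one more object of this page
            s.eobj, s.last_eobj = s.eobj + 1, now
            return s, None
        closed = (s.cur_page, s.eobj, now - s.arrival)
        s.page_count += 1
        s.cur_page, s.eobj, s.arrival, s.last_eobj = nxt[0], nxt[1], now, now
        return s, closed

class Profile:
    """Fig. 2 (study module): learn MAX_MP_NUM, MAX_EOBJ and MIN_TT from attack-free traffic."""
    def __init__(self, eobj_intv_thd=5.0, remove_thd=100.0):
        self.tracker, self.remove_thd = Tracker(eobj_intv_thd), remove_thd
        self.max_mp_num, self.max_eobj, self.min_tt = 0, {}, {}   # MAX_MP_NUM; page -> MAX_EOBJ; page -> MIN_TT
    def feed(self, sid, url, now):
        # step (2): evict sessions idle for longer than Remove_THD
        self.tracker.sessions = {k: v for k, v in self.tracker.sessions.items() if now - v.last_seen <= self.remove_thd}
        s, closed = self.tracker.update(sid, url, now)
        if closed is not None:                         # steps (8)/(14): statistics of the page that ended
            page, eobj, tt = closed
            self.max_eobj[page] = max(self.max_eobj.get(page, 0), eobj)
            self.min_tt[page] = min(self.min_tt.get(page, inf), tt)
        self.max_mp_num = max(self.max_mp_num, s.page_count)   # step (17)
    def page_is_normal(self, page, eobj, think_time):
        """Steps (13)/(23) with the comparison directions exactly as claim 1 states them.
        A page not seen in training falls back to the global bounds (assumption)."""
        max_eobj = self.max_eobj.get(page, max(self.max_eobj.values(), default=0))
        min_tt = self.min_tt.get(page, min(self.min_tt.values(), default=0.0))
        return eobj < max_eobj and think_time < min_tt

class Filter:
    """Fig. 1 (filtering module): per-request decision, True = forward, False = drop."""
    def __init__(self, profile, afa=0.2, anom_thd=4, eobj_intv_thd=5.0, eobj_num_thd=50):
        self.profile, self.afa, self.anom_thd = profile, afa, anom_thd   # EOBJ_NUM_THD=50 is an assumption
        self.tracker, self.anomalous = Tracker(eobj_intv_thd, eobj_num_thd), set()
    def check(self, sid, url, now):
        if sid in self.anomalous:                      # steps (3)/(4): anomalous-session storage table
            return False
        s, closed = self.tracker.update(sid, url, now)
        if closed is None:                             # new session, or one more object of the same page
            return True
        if s.page_count >= (1 + self.afa) * self.profile.max_mp_num:   # steps (10)/(21)
            return self._mark(sid)
        if not self.profile.page_is_normal(*closed):   # steps (13)/(23)
            s.anom_mp += 1                             # steps (15)/(25)
            if s.anom_mp > self.anom_thd:              # step (16); step (26) writes the same test as "< Anom_thd"
                return self._mark(sid)
        return True
    def _mark(self, sid):
        self.anomalous.add(sid)                        # step (11); the triggering request is dropped too
        return False

# Constructed traces (session id, URL, seconds), not captured from any real system.
TRAINING_TRACE = [("A", "/index.html", 0.0), ("A", "/a.css", 0.5), ("A", "/logo.png", 1.0), ("B", "/index.html", 5.0),
                  ("B", "/a.css", 5.4), ("A", "/news.html", 20.0), ("A", "/a.css", 20.3), ("B", "/news.html", 30.0),
                  ("A", "/about.html", 45.0), ("B", "/index.html", 90.0)]
FLOOD_TRACE = [("X", "/index.html", 100.0 + 0.1 * i) for i in range(6)]   # one bot fetching 10 pages/s

def demo():
    profile = Profile()
    for sid, url, t in TRAINING_TRACE:
        profile.feed(sid, url, t)
    f = Filter(profile)
    return profile, [f.check(sid, url, t) for sid, url, t in FLOOD_TRACE]
```

demo() trains on two short legitimate sessions, which yields MAX_MP_NUM = 3, MAX_EOBJ = 2 for /index.html and MIN_TT = 20 s, and then feeds a bot session that requests /index.html ten times a second. With afa = 0.2 the session cap is 3.6 pages, so the first three requests are forwarded, the fourth puts the session into the anomalous-session table and is dropped, and everything after it is dropped by the table lookup alone, without any further per-page analysis.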
The present invention also provides an application-layer DDoS filtering system. The system is deployed between the access router and the protected information system; the concrete deployment and connection are shown in Fig. 3.
The filtering system provided by the present invention comprises a cache module, a filtering module and a forwarding module. The cache module receives and stores requests, usually in the form of packets. The filtering module filters and intercepts attacks, i.e. it judges according to the filtering method above whether a request is a DDoS attack. The forwarding module forwards the requests that the filtering module allows through.
Preferably, the system further comprises a study module for training the parameters the filtering module needs, including the maximum embedded-object count of a page, the maximum page count and the minimum think time.
The application-layer DDoS attack filtering method and system above not only filter DDoS attacks effectively but also have low computational complexity, run independently of both server and client, and require no modification to existing servers or clients.
It should be noted and understood that various modifications and improvements can be made to the present invention as described in detail above without departing from the spirit and scope of the present invention as defined by the appended claims. Therefore the scope of the claimed technical solution is not limited by any specific exemplary teaching given here.

Claims (6)

1. An application-layer distributed denial-of-service (DDoS) attack filtering method, comprising the following steps:
100) receiving a service request;
200) judging, from the embedded-object count and the think time of the page to which the requested object belongs, whether the service request is a DDoS attack, wherein a request for which the embedded-object count of the page < the maximum embedded-object count of the page and the think time < the minimum think time is not an attack, and the think time equals the current time at judgement minus the page arrival time;
wherein step 200) comprises:
210) judging whether the requested object is an embedded object or a page;
220) judging whether the service request belongs to a new session;
230) for an embedded-object request that does not belong to a new session, making a preliminary DDoS judgement from the time interval to the previous embedded-object request and/or the number of consecutive embedded objects;
240) for an embedded-object request that may be a DDoS attack, determining from the embedded-object count and the think time of the page to which the requested object belongs whether the service request is a DDoS attack;
250) for a page request that does not belong to a new session, determining from the embedded-object count and the think time of the page to which the requested object belongs whether the service request is a DDoS attack.
2. The method according to claim 1, characterised in that
between step 230) and step 240) there is further:
Step 235) for an embedded-object request that may be a DDoS attack, making a first DDoS judgement from the page count of the session: if the page count of the session < (1 + afa) × MAX_MP_NUM, the requests belonging to this session may be a DDoS attack, wherein afa is an adjustment parameter greater than or equal to 0 and MAX_MP_NUM is the maximum page count;
and between step 230) and step 250) there is further:
Step 245) for a page request that may be a DDoS attack, making a first DDoS judgement from the page count of the session: if the page count of the session < (1 + afa) × MAX_MP_NUM, the requests belonging to this session may be a DDoS attack.
3. The method according to claim 2, characterised in that the maximum embedded-object count, the minimum think time and/or the maximum page count are obtained by training.
4. The method according to claim 2, characterised in that the range of afa is [0.1, 0.5].
5. An application-layer distributed denial-of-service attack filtering system, comprising:
a cache module for receiving and storing service requests;
a filtering module for judging, from the embedded-object count and the think time of the page to which the requested object belongs, whether the service request is a DDoS attack, wherein a request for which the embedded-object count of the page < the maximum embedded-object count of the page and the think time < the minimum think time is not an attack, and the think time equals the current time at judgement minus the page arrival time; wherein the filtering module is configured to:
judge whether the requested object is an embedded object or a page;
judge whether the service request belongs to a new session;
for an embedded-object request that does not belong to a new session, make a preliminary DDoS judgement from the time interval to the previous embedded-object request and/or the number of consecutive embedded objects;
for an embedded-object request that may be a DDoS attack, determine from the embedded-object count and the think time of the page to which the requested object belongs whether the service request is a DDoS attack;
for a page request that does not belong to a new session, determine from the embedded-object count and the think time of the page to which the requested object belongs whether the service request is a DDoS attack;
a forwarding module for forwarding the requests that pass the filtering module.
6. The system according to claim 5, characterised in that it further comprises:
a study module for training the maximum embedded-object count and the minimum think time of the page.
CN 201110005704 2011-01-12 2011-01-12 Distributed denial-of-service attack filter method and system for application layer Expired - Fee Related CN102075535B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110005704 CN102075535B (en) 2011-01-12 2011-01-12 Distributed denial-of-service attack filter method and system for application layer

Publications (2)

Publication Number Publication Date
CN102075535A CN102075535A (en) 2011-05-25
CN102075535B true CN102075535B (en) 2013-01-30

Family

ID=44033879

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110005704 Expired - Fee Related CN102075535B (en) 2011-01-12 2011-01-12 Distributed denial-of-service attack filter method and system for application layer

Country Status (1)

Country Link
CN (1) CN102075535B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103218361A (en) * 2012-01-19 2013-07-24 宇龙计算机通信科技(深圳)有限公司 Method and device for controlling browser window
CN102638474B (en) * 2012-05-08 2014-09-17 山东大学 Application layer DDOS (distributed denial of service) attack and defense method
CN103078856B (en) * 2012-12-29 2015-04-22 大连环宇移动科技有限公司 Method for detecting and filtering application layer DDoS (Distributed Denial of Service) attack on basis of access marking
CN104392175B (en) 2014-11-26 2018-05-29 华为技术有限公司 Cloud application attack processing method, apparatus and system in a kind of cloud computing system
CN105592070B (en) * 2015-11-16 2018-10-23 中国银联股份有限公司 Application layer DDoS defence methods and system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465855A (en) * 2008-12-31 2009-06-24 Institute of Computing Technology, Chinese Academy of Sciences Method and system for filtering SYN flood attacks
US20100212005A1 (en) * 2009-02-09 2010-08-19 Anand Eswaran Distributed denial-of-service signature transmission

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Application-Layer Distributed Denial-of-Service Attack Filtering Based on a Session Anomaly Degree Model" (基于会话异常度模型的应用层分布式拒绝服务攻击过滤); 肖军, 张永铮, 云晓春; Chinese Journal of Computers (计算机学报); 2010-09-30; vol. 33, no. 9; abstract, p. 1714 right column para. 1, p. 1718 left column section 4.3, Fig. 2, p. 1720 right column para. 4, p. 1722 right column para. 2, p. 1716 right column para. 2, p. 1717 left column para. 1, p. 1722 right column section 6.2.1, p. 1716 right column section 4.2 *

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
  Effective date of registration: 20190214
  Address after: Room 1103, Building B2, 700 Yishan Road, Xuhui District, Shanghai, 2003
  Patentee after: SHANGHAI YINGLIAN INFORMATION TECHNOLOGY CO.,LTD.
  Address before: 100190 South Road, Zhongguancun Science Academy, Haidian District, Beijing 6
  Patentee before: Institute of Computing Technology, Chinese Academy of Sciences
CF01 Termination of patent right due to non-payment of annual fee
  Granted publication date: 20130130
  Termination date: 20220112