CN102394868B - Detection method for DDoS attacked address of dynamic threshold - Google Patents
Authority: CN (China)
Legal status: Expired - Fee Related
Abstract
The invention belongs to the field of communication technology and relates to a method for detecting DDoS-attacked addresses using a dynamic threshold. The method collects the addresses of the data flows seen within a collection period and calculates an overflow accumulation variable. When the real-time data flow is greater than the threshold, the increments of the overflow accumulation variable are added up until its value becomes less than or equal to zero; when the real-time data flow is less than the threshold, the overflow accumulation variable is set to zero. Whether an IP address is under attack is decided from the value of the overflow accumulation variable, the threshold is updated in real time, the data tables are refreshed, and the attack situation of the attacked network IP address is monitored in real time.
Description
Technical field
The present invention relates to a dynamic threshold DDoS-attacked address detection method and belongs to the field of communication technology.
Background technology
Defending against a possible DDoS attack means monitoring data traffic. In the prior art there are static fixed-threshold DDoS-attacked address detection techniques and dynamic threshold DDoS detection techniques.
The static fixed-threshold technique is simple to operate, easy to deploy and algorithmically efficient, but it is unsuitable for network environments with large traffic and lacks flexibility; a static threshold is also difficult to determine, and an improper setting lowers both detection efficiency and detection effect.
In dynamic threshold DDoS detection there are two ways of calculating the threshold: the regional average threshold algorithm and the EWMA algorithm. The regional average threshold algorithm treats the influence of all flow values on the threshold equally, assigning them identical weights; in reality their influence differs, and recent values generally have a larger effect than older ones. In a network environment where traffic changes violently, the threshold produced this way can be very far from the actual flow and often has no detection effect at all.
The shortcoming of the existing EWMA-based threshold generation algorithm is that the threshold calculated over a long period of low load is small, so if the load suddenly becomes large the low threshold produces false alarms.
In addition, both the regional average threshold algorithm and the EWMA algorithm set the threshold solely from the current network traffic: they leave no buffer between the threshold and the traffic to absorb the burstiness of legitimate communication when it increases, and they set no upper limit on the threshold.
Summary of the invention
The technical problem solved by the invention is the deficiency of the background art described above, for which a dynamic threshold DDoS-attacked address detection method is provided.
To achieve the above object, the invention adopts the following technical scheme:
A dynamic threshold DDoS-attacked address detection method comprises the following steps:
When TF_n > TH_n, go to step 3-1;
When TF_n ≤ TH_n, go to step 3-2;
Step 3-1: calculate the value of the overflow accumulation variable S_n at the n-th update using the formula S_n = S_{n-1} + TF_n - TH_n;
Step 3-2: when S_{n-1} > 0, calculate the value of the overflow accumulation variable S_n at the n-th update using the following formula;
where S_1 = 0;
when S_{n-1} ≤ 0, S_n = 0;
Step 4: set the maximum of the overflow accumulation variable to S_max; at the n-th update, compare the overflow accumulation variable S_n with the maximum S_max, and only when S_n > S_max set S_n = S_max;
Step 5: check whether the value of the overflow accumulation variable S_n of each IP address at the n-th update is 0:
when S_n < 0, the attack on this IP address has ended;
when S_n > 0, classify this IP address as a destination address suffering a DDoS attack;
when S_n = 0, calculate the threshold of this IP address using the following formula, update the threshold data table, and overwrite the historical data table with the traffic data of the IP addresses that were not attacked:
where α is the data update coefficient, BT is the buffer traffic, 0 ≤ α ≤ 1, m ∈ n;
Step 6: enter the next data collection cycle and return to step 2.
In the dynamic threshold DDoS-attacked address detection method described above, the sign in the formula of step 5 is selected according to the following principle:
when calculating the n-th threshold, if the data traffic of the (n-1)-th time is greater than the data traffic of the (n-2)-th time, take the positive sign; otherwise take the negative sign.
With the above technical scheme, the invention has the following beneficial effects: the threshold is updated dynamically, and the attack situation of network IP addresses is monitored in real time.
Accompanying drawing explanation
Fig. 1 is the flow chart of the dynamic threshold DDoS-attacked address detection method.
Fig. 2 is a schematic diagram of the address mapping of the Bloom Filter algorithm.
Embodiment
The technical scheme of the invention is described in detail below with reference to the accompanying drawings:
As shown in Figure 1, a dynamic threshold DDoS-attacked address detection method comprises the following steps:
As shown in Figure 2, the Bloom Filter algorithm is used to map addresses. In the IPv4 address system an IP address is divided into 4 segments, each taking a decimal value from 1 to 255. According to the Bloom Filter algorithm, a 4 × 256 table structure made up of 4 independent hash functions is set up to track the number of IP packets arriving at the router for the different destination addresses within the time period t. When an IP packet enters the router, its destination address is mapped by 4 independent hash functions (one for each of the 4 segments of the IP address) to one of 256 different domains each (the value of each segment is mapped), and the variable a_ij (1 ≤ i ≤ 256, 1 ≤ j ≤ 4) stored in the mapped domain (4 in total, one per hash) is incremented by 1.
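The 4 × 256 counter table of Fig. 2, as an added example that is not code from the patent: each IPv4 octet acts as the hash for its column, and the lookup shows why a Bloom-style table can overcount an address. The function and variable names are my own.

```python
# Added example (not code from the patent): the 4 x 256 counter table of
# Fig. 2. Each IPv4 octet acts as the hash for its column, so table[j][v]
# counts packets in the window whose j-th octet equals v. Names are my own.
from typing import Dict, List

def new_table() -> List[List[int]]:
    """4 columns (one per octet) x 256 counters, zeroed at window start."""
    return [[0] * 256 for _ in range(4)]

def octets(addr: str) -> List[int]:
    """Split a dotted quad into its 4 segment values (0..255 accepted here;
    the page describes values 1 to 255)."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr}")
    return parts

def record_packet(table: List[List[int]], dst: str) -> None:
    """Map the destination through the 4 per-octet hash functions and add 1
    to the selected counter a_ij in each column."""
    for j, v in enumerate(octets(dst)):
        table[j][v] += 1

def estimate_count(table: List[List[int]], dst: str) -> int:
    """Bloom-style lookup: packets to dst are at most the smallest of its 4
    counters. Other addresses sharing an octet value in every column inflate
    the estimate (a false-positive risk for TF_n), but it never undercounts."""
    return min(table[j][v] for j, v in enumerate(octets(dst)))

# Constructed window: 3 packets to 10.0.0.5, 2 to 10.0.0.9, 1 to 192.168.1.5.
SAMPLE_PACKETS = ["10.0.0.5"] * 3 + ["10.0.0.9"] * 2 + ["192.168.1.5"]

def run_bloom_sample() -> Dict[str, int]:
    """Estimated counts for the three seen addresses and one unseen address."""
    t = new_table()
    for dst in SAMPLE_PACKETS:
        record_packet(t, dst)
    return {d: estimate_count(t, d)
            for d in ("10.0.0.5", "10.0.0.9", "192.168.1.5", "10.0.0.1")}
```

In the sample, 10.0.0.5 is reported as 4 although only 3 packets went to it, because 192.168.1.5 shares its last octet and the first three columns are dominated by the 10.0.0.x traffic; that overcount is the price of the fixed 4 × 256 memory.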
When TF_n > TH_n, go to step 3-1;
When TF_n ≤ TH_n, go to step 3-2;
Step 3-1: calculate the value of the overflow accumulation variable S_n at the n-th update using the formula S_n = S_{n-1} + TF_n - TH_n;
Step 3-2: when S_{n-1} > 0, calculate the value of the overflow accumulation variable S_n at the n-th update using the following formula;
where S_1 = 0;
when S_{n-1} ≤ 0, S_n = 0;
Step 4: set the maximum of the overflow accumulation variable to S_max; at the n-th update, compare the overflow accumulation variable S_n with the maximum S_max, and only when S_n > S_max set S_n = S_max;
Step 5: check whether the value of the overflow accumulation variable S_n of each IP address at the n-th update is 0:
when S_n < 0, the attack on this IP address has ended;
when S_n > 0, classify this IP address as a destination address suffering a DDoS attack;
when S_n = 0, calculate, using the following formula, the threshold of the IP address whose S_n value equals 0, update the threshold data table, and overwrite the historical data table with the traffic data of the IP addresses that were not attacked:
where α is the data update coefficient and BT is the buffer traffic; the sign in the formula is selected according to the following principle: when calculating the n-th threshold, if the data traffic of the (n-1)-th time is greater than the data traffic of the (n-2)-th time, take the positive sign; otherwise take the negative sign.
Step 6: enter the next data collection cycle and return to step 2.
Claims (2)
1. A dynamic threshold DDoS-attacked address detection method, characterized by comprising the following steps:
Step 1: analyze the historical data table to obtain the threshold TH_n and the threshold data table, where TH_n is the threshold predicted at the n-th update and n is a natural number greater than or equal to 1;
Step 2: collect data packets within the data collection cycle, extract the IP addresses from the collected packets, and count the real-time data flow TF_n, where TF_n is the real-time data flow at the n-th update;
Step 3: compare the real-time data flow TF_n with the threshold TH_n, calculate the value of the overflow accumulation variable S_n of each data item at the n-th update, and update the storage table of S_n values; the specific algorithm for the overflow accumulation variable S_n is as follows:
When TF_n > TH_n, go to step 3-1;
When TF_n ≤ TH_n, go to step 3-2;
Step 3-1: calculate the value of the overflow accumulation variable S_n at the n-th update using the formula S_n = S_{n-1} + TF_n - TH_n;
Step 3-2: when S_{n-1} > 0, calculate the value of the overflow accumulation variable S_n at the n-th update using the following formula;
where S_1 = 0;
when S_{n-1} ≤ 0, S_n = 0;
Step 4: set the maximum of the overflow accumulation variable to S_max; at the n-th update, compare the overflow accumulation variable S_n with the maximum S_max, and only when S_n > S_max set S_n = S_max;
Step 5: check whether the value of the overflow accumulation variable S_n of each IP address at the n-th update is 0:
when S_n < 0, the attack on this IP address has ended;
when S_n > 0, classify this IP address as a destination address suffering a DDoS attack;
when S_n = 0, calculate the threshold of this IP address using the following formula, update the threshold data table, and overwrite the historical data table with the traffic data of the IP addresses that were not attacked:
where α is the data update coefficient, BT is the buffer traffic, 0 ≤ α ≤ 1, m ∈ n;
Step 6: enter the next data collection cycle and return to step 2.
2. The dynamic threshold DDoS-attacked address detection method according to claim 1, characterized in that the sign in the formula described in step 5 is selected according to the following principle:
when calculating the n-th threshold, if the data traffic of the (n-1)-th time is greater than the data traffic of the (n-2)-th time, take the positive sign; otherwise take the negative sign.
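Steps 3 to 5 of claim 1 and the sign rule of claim 2, as an added example that is not code from the patent. TH_n is supplied per cycle because the page does not reproduce the step-5 threshold formula, and the block assumes that step 3-2 reuses the step 3-1 recurrence S_n = S_{n-1} + TF_n - TH_n (the page shows that formula only for step 3-1); all names are my own.

```python
# Added example (not code from the patent): steps 3 to 5 of the method for one
# IP address over successive collection cycles. TH_n is supplied per cycle
# because the page does not reproduce the step-5 threshold formula; the
# assumption here is that step 3-2 reuses S_n = S_{n-1} + TF_n - TH_n, which
# only lowers S when TF_n <= TH_n (the page shows that formula only for 3-1).
from typing import List, Tuple

def update_overflow(s_prev: float, tf: float, th: float, s_max: float) -> float:
    """Steps 3 and 4: overflow accumulation variable S_n for the n-th update."""
    if tf > th:                   # step 3-1: excess traffic is accumulated
        s = s_prev + tf - th
    elif s_prev > 0:              # step 3-2: below threshold, backlog drains
        s = s_prev + tf - th      # assumed recurrence; may drop below 0
    else:                         # step 3-2: S_{n-1} <= 0, so S_n = 0
        s = 0.0
    return min(s, s_max)          # step 4: clamp at S_max

def classify(s: float) -> str:
    """Step 5: meaning of the sign of S_n for this address."""
    if s > 0:
        return "under_attack"     # destination address of a DDoS attack
    if s < 0:
        return "attack_ended"     # backlog drained past zero this cycle
    return "normal"               # S_n == 0: threshold table may be updated

def threshold_sign(tf_n1: float, tf_n2: float) -> int:
    """Claim 2: sign in the step-5 threshold formula for the n-th threshold:
    positive if traffic at n-1 exceeds traffic at n-2, negative otherwise."""
    return 1 if tf_n1 > tf_n2 else -1

def run_cycles(tf_series: List[float], th_series: List[float],
               s_max: float) -> List[Tuple[float, str]]:
    """Feed TF_n and TH_n cycle by cycle starting from S = 0 (S_1 = 0 in the
    patent) and return (S_n, verdict) for each cycle."""
    out, s = [], 0.0
    for tf, th in zip(tf_series, th_series):
        s = update_overflow(s, tf, th, s_max)
        out.append((s, classify(s)))
    return out

# Constructed sample: packets per cycle to one address, a fixed threshold of
# 100 in every cycle, and S_max = 150 so that a long flood cannot keep the
# address flagged indefinitely once the traffic drops back below threshold.
SAMPLE_TF = [80, 90, 160, 220, 300, 50, 50, 30, 40]
SAMPLE_TH = [100] * len(SAMPLE_TF)

def run_sample() -> List[Tuple[float, str]]:
    return run_cycles(SAMPLE_TF, SAMPLE_TH, s_max=150)

if __name__ == "__main__":
    for n, (s, verdict) in enumerate(run_sample(), start=1):
        print(f"cycle {n}: S_n={s:6.1f} {verdict}")
```

Without the S_max clamp of step 4, cycle 5 would leave S at 350 and the address would stay flagged for several more cycles after the flood stopped; with the clamp it drains to "attack_ended" in cycle 8 and returns to "normal" in cycle 9.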
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110309008.2A (CN102394868B, en) | 2011-10-12 | 2011-10-12 | Detection method for DDoS attacked address of dynamic threshold |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102394868A (en) | 2012-03-28 |
CN102394868B (en) | 2014-05-07 |
Family ID: 45862077
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20140507; Termination date: 20171012 |