CN102457489A - Attacking, detecting and defending module for LDoS (Low-rate Denial of Service) - Google Patents
- Publication number: CN102457489A
- Authority: CN (China)
- Prior art keywords: attack, ldos, puppet, flow, submodule
- Legal status: Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an attacking, detecting and defending module for LDoS (Low-rate Denial of Service). LDoS is a novel denial-of-service attack that exploits the TCP (Transmission Control Protocol) congestion control mechanism; its average attack rate is low, so it evades traditional detection methods. First, the periodic traffic that makes up an LDoS attack is simulated and its attack properties are tested; the tests show that the LDoS attack is highly concealed and highly damaging. Second, a detection algorithm based on time-window statistics is devised, and test results show that it detects LDoS attacks efficiently. Finally, a "black and white list" defence method based on Flow Tables is adopted, and the results show that it defends against LDoS attacks efficiently. With the technical scheme of the invention, the LDoS attack and attack-effect tests can be realised, and LDoS attacks can be efficiently detected and defended against.
Description
Technical field
The present invention relates to computer network security technology. The system simulates a novel low-rate denial of service (LDoS) attack, tests its attack performance, and effectively detects and defends against this kind of attack.
Technical background
Denial of service (DoS) attacks are among the biggest threats the Internet currently faces. Traditional DoS attacks mainly have attacking machines send enormous numbers of packets to consume the network or computational resources of the target server, so that users cannot use the server; attacks of this kind are called flooding-based denial of service (FDoS) attacks, typical examples being SYN/ACK floods, UDP floods and ICMP floods. Many detection and defence methods for FDoS attacks now exist, but as attack techniques develop further, new DoS attacks keep emerging, and LDoS is one of them. Research on LDoS attacks is still at an early stage, but related work has appeared at top international conferences in recent years, showing that it has received considerable attention. At SIGCOMM 2003, the top conference in computer networking, Aleksandar of Rice University first proposed the low-rate denial of service attack against TCP. Targeting a vulnerability in the TCP congestion control mechanism, the paper proposed a potential Low-Rate Denial of Service (LDoS) attack model in which, through precise timing, only a small amount of attack data is needed to cause denial of service or a drop in service quality at the victim. At ICNP 2004 and INFOCOM 2005, Guirguis proposed the RoQ attack, which in essence also targets vulnerabilities in TCP congestion control and in router queue management to degrade the performance of a particular router. At NDSS 2005, Xiapu Luo proposed the pulsing attack, whose principle is very similar to LDoS. In 2005 an LDoS attack was found on the Abilene backbone of Internet2, so the LDoS attack had become a reality.
Principle of the LDoS attack: considering the two mechanisms of TCP congestion control, timeout retransmission and AIMD, separately, LDDoS attacks against TCP can be divided into two types: LDDoS attacks based on the timeout retransmission mechanism and LDDoS attacks based on the AIMD mechanism.
1. LDoS attacks based on the timeout retransmission mechanism
According to TCP's timeout retransmission mechanism, the sender sets a timer for each segment it sends. If the timer expires before the acknowledgement for that segment is received, the sender reduces its send window Cwnd to 1, resends the segment, and by the exponential backoff algorithm sets RTO to q times its previous value (q is generally 2); it then waits for the acknowledgement. If the retransmitted segment also times out, it keeps retransmitting until the retransmission succeeds or is abandoned; once a response is received, the system enters slow start. According to TCP, for a segment that is not a retransmission, when the sender receives its ACK it must update the link's RTO from the measured round-trip time RTT; formula (2.1) gives the calculation:
RTO = min{RTO_max, max{RTO_min, SRTT + max(G, 4 × VRTT)}}    (2.1)
To bring the network close to optimal throughput, the recommended minimum retransmission time RTO_min is 1 s. RTO_max is the upper limit of RTO. G is the clock granularity; SRTT and VRTT are the smoothed round-trip time and the variation of the round-trip time respectively.
2. LDDoS attacks based on the AIMD mechanism
According to TCP, once the sender enters fast recovery, the AIMD algorithm is invoked to adjust the congestion window. Define generalised AIMD(a, b) with a > 0 and 0 < b < 1. The algorithm is as follows: when the sender enters fast recovery, the congestion window is reduced from W to b × W; thereafter the congestion window increases by a every RTT, and this continues until another congestion signal is received. TCP Tahoe, TCP Reno and others use AIMD(1, 0.5). Consider that many TCP receivers do not send an ACK for every packet received, but only after d consecutive packets. The additive increase of generalised AIMD(a, b) is then revised to: every d RTTs, the congestion window increases by a; equivalently, every RTT the congestion window increases by a/d.
Unlike LDDoS attacks based on the timeout retransmission mechanism, an LDDoS attack based on the AIMD mechanism sends somewhat weaker attack pulses that cause only slight congestion; the congestion signal the TCP sender receives is 3 duplicate ACKs rather than a retransmission timer expiry. According to the AIMD algorithm, after the TCP sender receives 3 duplicate ACKs it retransmits the packet immediately, its congestion window Cwnd is reduced to b × cwnd (the MD algorithm), and the window is then increased linearly according to the additive increase (AI) formula. Under an AIMD-based LDDoS attack the link stays in the AIMD state throughout and never enters timeout retransmission or slow start, but its congestion window keeps shrinking and system performance gradually degrades; finally the congestion window falls to a limiting value and stays roughly constant there, system performance is at its worst, and it cannot recover.
Traditional DoS attacks usually target a particular server or a specific application; for example, a SYN attack on a Web server sends large numbers of SYN packets to port 80 of the server. An LDoS attack, by contrast, affects every TCP flow that passes through the bottleneck link, so its impact is larger. According to related research, LDoS attacks work well against multiple versions of TCP, including TCP Tahoe, TCP Reno, TCP NewReno and TCP SACK, because none of these versions considered security in their design and all are easily deceived by short bursts of congestion. At the same time, the queue management mechanism used on the bottleneck link, whether Droptail, RED, RED-PD or Choke, has little influence on the effect of an LDoS attack. These queue management mechanisms examine traffic statistically over long time scales and can limit abnormal flows that carry a large volume for a long time, but an LDoS attack sends a large volume only for a very short time and its average rate is small, so it easily evades detection and filtering.
Compared with traditional flooding DoS attacks, LDoS attacks are more concealed. First, an LDoS attack congests the link only for short periods and can achieve a similar effect with less traffic, which means the attacker does not need to control a large number of puppet (zombie) machines and can mount the attack more easily. Second, an LDoS attack can be launched in various ways, from a single host or from several hosts jointly; an attack launched from multiple hosts further reduces the attack traffic of each host, so it escapes detection more easily. Third, an LDoS attack only needs to cause link congestion to achieve its purpose, so it can use any kind of traffic, including TCP flows. Attack flows mixed into normal TCP traffic are harder to filter, and the destination addresses of the traffic can vary as long as the traffic passes through the bottleneck link.
Traditional detection methods are no longer suitable for detecting LDoS. YU CHEN, KAI HWANG et al. proposed a detection method based on digital signal processing that uses power spectral density analysis; from then on, signal-processing methods became the focus of research. Later, Kai Hwang and Yu-Kwong Kwok proposed a method called HAWK to identify malicious LDoS attack flows, but HAWK only applies to attacks with a single source address. Not long ago, LUO and CHANG found that the incoming traffic and the outgoing ACK traffic change greatly after an attack is launched, and on this basis they proposed a wavelet-analysis method: the first part uses the Discrete Wavelet Transform (DWT) to detect abnormal traffic, and the second part uses a special CUSUM (Cumulative Sum) method to detect the change point. Because the detection result of the wavelet-based method depends heavily on the chosen parameters, it is difficult to select an optimal parameter set that keeps a high detection rate together with very low false-alarm and miss rates.
At present, both internationally and domestically, how to defend effectively against DoS attacks and protect the target (host or server) has become a research focus and a difficult problem. Because LDoS differs from traditional flooding DoS attacks, with characteristics such as a small traffic volume that make it hard for existing detection mechanisms to detect, it poses a greater threat and is more destructive to networks. So far, domestic research on this attack pattern is relatively scarce. At the same time, present detection methods all have certain deficiencies, and there is still no comparatively good method for defending against LDoS attacks.
Summary of the invention
To study the effect of LDoS attacks and the methods for detecting and defending against them, the present invention first developed an LDoS attack tool, then adopted a detection method based on time windows to improve detection efficiency, and finally adopted a "black and white list" method based on Flow Tables to filter the LDoS attack; experimental results show that this filtering method is effective. It is estimated that LDoS will break out on a large scale in the future and become a useful tool of the black industry chain, so the present invention has important economic value.
(1) LDoS attack and attack-effect test subsystem
The attack tool consists of an attack server side and an attack client. The server program is first implanted in captured hosts and is mainly used to receive attack instructions and send LDoS attack traffic to the target host; the client's main function is to configure the attack: the target, the attack duration, the hosts that launch the attack, and so on. First, information about the target is collected, including its IP address and open port numbers, and the link bandwidth is determined. From the collected information, attack traffic with the relevant parameters is generated. The test tool simulates normal traffic and tests and compares the web page response time of the HTTP service and the traffic of the FTP service. The attack-effect test simulates normal users accessing the server and compares the web page response time and the FTP traffic with and without the attack.
(2) LDoS detection subsystem
The detection subsystem is deployed at the victim end. Based on the fact that an LDoS attack is a periodic pulse, the victim-end traffic is sampled every t seconds, a time window is t' seconds and a judgement period is T seconds; every t' seconds the number of sudden-change pulses detected is counted as follows. Sampling within a window of t' seconds at interval t gives a sequence written as
x(n) (n = 0, 1, 2, ..., k-1), where k = t'/t;
From x(n) select the maximum max = x(index) and record the index of the maximum. If index = 0, test whether the condition for this case holds (the inequality itself is absent from the page); if it holds, a sudden-change pulse exists. If index = n-1, test whether the condition for this case holds; if it holds, a sudden-change pulse exists. Otherwise, test whether the condition for the interior case holds; if it holds, a sudden-change pulse exists. If a sudden-change pulse exists, the judgement counter value C is incremented by 1 after each time window t'. When the judgement period T is reached, test whether the counter value within T seconds exceeds the threshold M; if C > M holds, an attack is judged to have occurred.
(3) LDoS defence subsystem
The defence subsystem consists of five modules: packet capture, packet analysis, data statistics, storage and filtering. If an attack may exist in the network, analysis of the packets entering the victim end begins: each packet's source and destination addresses, source and destination port numbers and protocol number are stored as flow information in the "white list" (normal flow table). When the judgement time arrives, they are compared with the previously learned "Red List"; if this suspicious information is not in the "Red List" (suspicious flow table), it can be judged to be an attack, and these flows are moved to the "blacklist" (attack flow table). Finally, the filtering module generates filtering rules through an iptables script generator, and the corresponding attack flows are checked and filtered in the kernel by the Netfilter kernel module.
Description of drawings
Figure 1 is the LDoS attack model: (a) shows the LDoS attack stream from a single source, (b) shows two half-rate LDoS attack streams.
Figure 2 is the network topology used by the system. The system comprises 6 PCs, 1 server, 2 routers and 2 switches. The detection-defence system is located on the last-hop router before the victim end. The routers in the figure are Cisco 2621, and the bottleneck bandwidth between the routers is 100 Mbps. The other devices are configured as shown in the table:
Identification number | IP address | Operating system |
---|---|---|
Control desk | 10.1.20.8 | RedHat 9.0 |
Puppet's machine 1 | 10.1.20.140 | Fedora core 4 |
Puppet's machine 2 | 10.1.20.141 | Fedora core 4 |
Puppet's machine 3 | 10.1.20.142 | Fedora core 4 |
 | 10.1.20.150 | Windows XP |
Normal users 5 | 10.1.20.160 | Windows XP |
Server | 10.1.10.12 | Fedora core 4 |
Figure 3 is the workflow diagram of the whole LDoS attack, detection and defence system.
Figure 4 shows the actual measured link bandwidth.
Figure 5 is the curve of page-reading response time in the HTTP service.
Figure 6 is the FTP service traffic-change monitoring chart.
Figure 7 is the flow chart of the time-window-based detection method.
Figure 8 is the structure diagram of the defence subsystem.
Figure 9 shows the attack flow information counted after Flow Table processing.
Figure 10 is the statistical chart of FTP service traffic after the defence system is turned on.
Embodiment
1. Nmap is used to scan the ports of the target 10.1.20.100 and collect relevant information. The scan finds that its open port is 7775, so port 7775 is chosen as the attacked port.
2. Determining the attack amplitude. The dedicated IxChariot software developed by NetIQ is used to test the maximum throughput of the target, so as to determine the size of the attack traffic each zombie machine sends. The IxChariot test gives an average throughput of about 12.000 MByte/s (i.e. about 100 Mbps), as shown in Figure 4.
3. Three zombie machines are used to attack, with the attack amplitude of each zombie set to 40 Mbps. The specific LDoS attack parameters are: pulse amplitude 40 Mbps, pulse duration 150 ms, pulse period 1150 ms.
The commands that generate the attack stream are as follows:
1) mk_dos_trace.out 0 0 100 150 1150 50 file_name.txt
2) cd /usr/site/bin
3) matlab
4) a = load('file_name.txt')
where file_name.txt was obtained in step 3.
5) pswrite('test_file.bin', a)
This yields the binary file test_file.bin containing the attack stream parameters.
4. The console implants the generated attack-stream parameter file into the puppet machines.
5. LoadRunner is used to simulate the generation of normal traffic. The test simulates 10 users accessing the web page of "Civil Aviation University of China"; the page size is 52k. In the initial period no attack traffic is added and there is only normal HTTP traffic. At about 6:30 minutes the LDoS attack is launched; it lasts about three and a half minutes and ends at 10:00 minutes. The web page response time is recorded, as shown in Figure 5. From 0:00 to 6:30 minutes the page-reading response time averages about 1.6 seconds; between 7:00 and 9:30 minutes it changed from 3.2 seconds to 23.8 seconds; after the LDoS attack stops at 10:00 minutes, the page-reading response time gradually recovers from 4.2 seconds (the value recorded from 8:30 minutes) to an average of about 1.6 seconds. According to the statistics, the page-reading response time rose by 15.9 seconds on average. The result shows that the LDoS attack has a large impact on the normal HTTP service.
6. The victim provides an FTP service, and a normal user downloads a file from the server. Traffic changes are monitored at the normal user end and at the victim end respectively, as shown in Figure 6. In the initial stage there is no LDoS attack and the server's upload traffic is high. After the attack is added, the server's upload traffic drops significantly while its download traffic increases.
Experimental results: 20 representative experiments were chosen; the results are shown in the table:
According to the statistics, without the LDoS attack the client's normal average download traffic is 5.473M; after the LDoS attack is added, the average download traffic is 2.63M. The average drop in traffic is 51.9%.
7. After the attack is launched, sampling is performed at the victim end and packet counts are gathered with a time window of 1.2 s. The time-window detection algorithm is applied. If there is no sudden-change pulse in a time window, the traffic is regarded as normal, its information is recorded in the normal flow table, and detection continues; if there is a sudden-change pulse, the traffic is regarded as suspicious, its information is recorded in the suspicious flow table, the counter is incremented by 1, and monitoring continues; if a judgement period is reached and the counter value exceeds the threshold, an attack is confirmed: the information in the suspicious flow table is compared with that in the normal flow table, and flow information present in the suspicious flow table but absent from the normal flow table is recorded in the attack flow table.
Detection results: the test results obtained with sampling time lengths of 200 ms, 250 ms and 300 ms are shown in the table:
Time-domain sampling time span | 150ms | 200ms | 250ms |
---|---|---|---|
Accuracy rate | 96.5% | 97.1% | 98.3% |
Miss rate | 2.8% | 2.6% | 1.7% |
False-alarm rate | 2.5% | 2.3% | 1.2% |
The efficiency of the time-window statistical detection method is relatively high. Accuracy reaches 96.5% or more, and the miss rate and false-alarm rate are both below 2.8%. In addition, the length of the sampling time is related to the detection result: the larger the sampling time span, the better the performance.
The packet-count statistics are mainly produced by the program:
```sh
tcpstat 0.2 -s 6 -o "%n\n" > temp.txt
```
The flow information analysis is mainly implemented by the program (fragment; the elided parts are not reproduced on the page):
```c
#include <pcap.h>
#include <libnet.h>

char *device;               /* name of the network interface on which packets are captured */
pcap_t *p;                  /* capture handle, the most important data structure */
struct bpf_program fcode;   /* BPF filter code structure */

device = pcap_lookupdev(errbuf);                  /* look up a device that can capture packets */
p = pcap_open_live(device, 8000, 1, 500, errbuf); /* create the capture handle, ready to capture */
/* if the user set a filter condition, compile and install the filter code */
pcap_compile(p, &fcode, filter_string, 0, netmask);
pcap_setfilter(p, &fcode);
/* enter the loop and capture packets repeatedly */
for (;;) {
    if (t == time) {
        eth = (struct libnet_ethernet_hdr *)ptr;
        /* parse the Ethernet header and determine the type of the contained packet for further processing */
        if (eth->ether_type == ntohs(ETHERTYPE_IP))
            ............
        if (eth->ether_type == ntohs(ETHERTYPE_ARP))
            ............
    }
}
pcap_close(p);
```
The flow information is stored in a database; the main functions are:
1) Table structure:
```sql
CREATE TABLE normalflows (
    Id int,
    Saddr char(20),
    Sport char(10),
    Daddr char(20),
    Dport char(10),
    Protocol int,
    PRIMARY KEY (Id)
);
```
2) Relevant MySQL database API calls:
```c
mysql_init(&mysql);                                  /* initialise the database handle */
mysql_real_connect(&mysql, "localhost", "root", "", NULL, 3306,
                   "/var/lib/mysql/mysql.sock", 0);  /* connect to the database server */
mysql_select_db(&mysql, "netflow");                  /* select the database netflow */
mysql_num_rows(result);                              /* return the number of rows in a result set */
mysql_real_query(&mysql, str, strlen(str));          /* execute the SQL statement given as a counted string */
mysql_close(&mysql);                                 /* close the database connection */
```
Defence effect
8. After an LDoS attack is detected, the defence subsystem starts working. It extracts the information in the attack flow table, calls the iptables script generator, adds the corresponding filter rules, and drops the attack packets. The iptables rules are set as follows:
```sh
#!/bin/bash
# read -u is a bash feature, so the script needs bash rather than plain sh
echo "filter the attack flows"
# enable IP forwarding so the host acts as the last-hop router
echo "1" > /proc/sys/net/ipv4/ip_forward
# attackflows.txt: one attack flow per line, fields
#   t1 = source address, t2 = source port, t3 = destination address,
#   t4 = destination port, t5 = protocol number (17 UDP, 6 TCP, 1 ICMP)
exec 3< attackflows.txt
while read -u 3 t1 t2 t3 t4 t5
do
    echo "$t1" "$t4"
    if [ "$t5" -eq 17 ]
    then
        iptables -I INPUT   -p udp -s "$t1" -d "$t3" --dport "$t4" -j DROP
        iptables -I FORWARD -p udp -s "$t1" -d "$t3" --dport "$t4" -j DROP
        iptables -I OUTPUT  -p udp -s "$t1" -d "$t3" --dport "$t4" -j DROP
    elif [ "$t5" -eq 6 ]
    then
        iptables -I INPUT   -p tcp -s "$t1" --sport "$t2" -d "$t3" --dport "$t4" -j DROP
        iptables -I FORWARD -p tcp -s "$t1" --sport "$t2" -d "$t3" --dport "$t4" -j DROP
        iptables -I OUTPUT  -p tcp -s "$t1" --sport "$t2" -d "$t3" --dport "$t4" -j DROP
    elif [ "$t5" -eq 1 ]
    then
        iptables -I INPUT   -p icmp -s "$t1" -d "$t3" -j DROP
        iptables -I FORWARD -p icmp -s "$t1" -d "$t3" -j DROP
        iptables -I OUTPUT  -p icmp -s "$t1" -d "$t3" -j DROP
    fi
done
exec 3<&-
```
Protection effect: the comparison with and without the defence mechanism enabled is shown in the table:
Figure 10 is the monitoring chart of FTP traffic at the normal user end after the defence is turned on. The result shows that the LDDoS detection and defence mechanism can accurately detect and defend against LDDoS attacks while keeping low miss and false-alarm rates, and that the defence mechanism ensures the server can continuously and stably provide normal service to legitimate users.
Claims (3)
1. A low-rate denial of service (LDoS) attack, detection and defence module, characterised by the following three submodules:
(1) LDoS attack submodule;
(2) LDoS attack detection submodule;
(3) LDoS attack defence submodule.
2. The LDoS attack, detection and defence module according to claim 1, wherein each submodule is characterised as follows:
Submodule (1) is the LDoS attack tool. It consists of an attack server side and an attack client. The server program is first implanted in captured hosts and is mainly used to receive attack instructions and send LDoS attack traffic to the target host; the client's main functions are selecting the target and setting the attack pulse period, attack pulse width and attack pulse strength. The functions performed by the client installed on the console mainly include: 1) scanning the puppet network, viewing the puppet hosts currently online, generating an IP list file of the currently available puppet hosts and saving it as text for the program to call; 2) uploading the bin file containing the attack parameters to the puppet machines and announcing the IP address and port number of the target host to them; 3) setting the time and duration at which the puppet machines launch the attack and issuing the launch instruction. The main functions of the server-side attack traffic generation tool uploaded to the puppet machines include: 1) receiving the bin file containing the attack parameters sent by the client; 2) receiving the attack instruction and precisely setting the attack moment; 3) generating the corresponding attack traffic according to the received bin file and launching the attack.
Submodule (2) is the LDoS attack detection module. It adopts a statistical decision method based on time windows, divided into the following steps: 1) monitor the traffic on the router one hop before the victim end, sampling the traffic every t seconds, with a time window of t' seconds and a judgement period of T seconds; 2) every t' seconds count the sudden-change pulses detected: sampling within t' seconds at interval t yields a sequence written as
x(n) (n = 0, 1, 2, ..., k-1), where k = t'/t;
From x(n) select the maximum max = x(index) and record the index of the maximum. If index = 0, test whether the condition for this case holds (the inequality itself is absent from the page); if it holds, a sudden-change pulse exists. If index = n-1, test whether the condition for this case holds; if it holds, a sudden-change pulse exists. Otherwise, test whether the condition for the interior case holds; if it holds, a sudden-change pulse exists. 3) If a sudden-change pulse exists, the judgement counter value C is incremented by 1 after each time window t'. 4) When the judgement period T is reached, test whether the counter value within T seconds exceeds the threshold M; if C > M holds, an attack is judged to have occurred.
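As an added example (Python; not the patent's code) of the time-window decision described above, using the parameter values t = 200 ms, t' = 1.2 s, T = 6 s, M = 3 and λ = 1.8 given in claim 3 and constructed packet counts of the kind the tcpstat command in the embodiment produces. Because the three comparison inequalities are absent from the page, the spike test is an assumed neighbour-ratio test; parse_tcpstat_counts, has_spike, WindowDetector and constructed_samples are names introduced here.

```python
"""Time-window statistical detection of LDoS pulses (added example)."""
from dataclasses import dataclass


def parse_tcpstat_counts(text: str) -> list[int]:
    """Parse the output of `tcpstat 0.2 -s 6 -o "%n\\n"`: one packet count per line."""
    return [int(line) for line in text.split("\n") if line.strip()]


def has_spike(x: list[int], lam: float) -> bool:
    """ASSUMED spike test for one window x(0..k-1), mirroring the patent's three
    cases on the position of the maximum (first sample, last sample, interior):
    the maximum must exceed lam times its neighbouring sample(s)."""
    k = len(x)
    if k < 2:
        return False
    index = max(range(k), key=lambda i: x[i])   # first index of the maximum
    peak = x[index]
    if index == 0:
        reference = x[1]
    elif index == k - 1:
        reference = x[k - 2]
    else:
        reference = (x[index - 1] + x[index + 1]) / 2
    # max(reference, 1) avoids flagging a single packet on an otherwise idle link
    return peak > lam * max(reference, 1)


@dataclass
class WindowDetector:
    t: float = 0.2      # sampling interval t (s), claim 3
    t_win: float = 1.2  # time window t' (s), claim 3
    T: float = 6.0      # judgement period T (s), claim 3
    M: int = 3          # counter threshold M, claim 3
    lam: float = 1.8    # assumed spike-ratio coefficient (lambda = 1.8 in claim 3)

    def judge(self, samples: list[int]) -> tuple[bool, int]:
        """Run one judgement period over the samples.
        Returns (attack_detected, C), where C counts windows containing a spike."""
        k = round(self.t_win / self.t)                 # samples per window (6)
        windows_per_period = round(self.T / self.t_win)  # windows per period (5)
        C = 0
        for w in range(windows_per_period):
            window = samples[w * k:(w + 1) * k]
            if len(window) == k and has_spike(window, self.lam):
                C += 1
        return C > self.M, C


def constructed_samples(attack: bool, n: int = 30) -> list[int]:
    """Constructed per-200 ms packet counts (not measured data).
    Background of about 50 packets with a small deterministic ripple; under
    attack a pulse of 600 packets lands every 1150 ms, i.e. at sample (j*1150)//200."""
    counts = [50 + (i % 3) - 1 for i in range(n)]
    if attack:
        j = 0
        while (j * 1150) // 200 < n:
            counts[(j * 1150) // 200] += 600
            j += 1
    return counts


if __name__ == "__main__":
    det = WindowDetector()
    for label, data in (("normal", constructed_samples(False)),
                        ("attack", constructed_samples(True))):
        attacked, c = det.judge(data)
        print(f"{label}: C={c}, attack={attacked}")
```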
Submodule (3) is the LDoS attack defence module. The defence method filters attack packets by Flow-Table-based filtering. The basic idea of Flow-Table-based filtering is to build an identifier list of established connections; when filtering, the connection identifier is extracted from each passing packet, and if the identifier belongs to the list the packet is passed, otherwise it is discarded. A connection is uniquely determined by the source and destination addresses of the two sides, the source and destination ports, and the protocol number, 5 values totalling 104 bits, which can be used as the identifier; alternatively the 5 values can be concatenated and a short hash digest generated as the identifier. The present invention lists the identifiers of established connections in the "Red List" (normal flow table); if it is then detected that an attack may exist in the network, these attack flows are first placed in the "white list" (suspicious flow table), and a judgement is made when the judgement time arrives: if at that moment these suspicious flow connections are not in the "Red List", they can be judged to be attack packets and are moved to the "blacklist" (attack flow table).
3. The LDoS attack, detection and defense module according to claim 2, characterized in that: 1) the settings in the attack submodule are: the IP address of the destination host is 10.1.10.100; the IP address of puppet machine 1 is 10.1.20.140; the IP address of puppet machine 2 is 10.1.20.150, and the IP address of puppet machine 3 is 10.1.20.160. The destination host port number is 7775. The LDoS attack pulse period is 1150ms, the attack pulse width is 150ms, and the strength of a single attack pulse is 33Mbps. The settings in the detection submodule are: t=200ms; t'=1.2s; T=6s; threshold C=3; the threshold coefficients are set by learning to
, β=1.6 and λ=1.8. In the defense submodule the database netflow is used to store all flows; the database netflow has three tables: normalflows (storing normal flows), suspectflows (storing suspicious flows) and attackflows (storing attack flows). This module mainly generates filtering rules by writing an iptables script generator, and then filters the attack flows in the kernel through the kernel module Netfilter.
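As an added example (not the patent's own code), the following Python implements the flow-table filter of submodule (3) with the three tables of claim 3 (normalflows, suspectflows, attackflows): the 104-bit five-tuple identifier (32+32+16+16+8 bits for IPv4), the short hash alternative, the hold-time adjudication that moves unconfirmed suspects to the attack table, and a generator that renders the attack table as iptables DROP rules for Netfilter. The `hold_time` value, the `mark_established` hook (standing in for whatever connection tracking establishes a flow), the policy of dropping packets of flows that are not on the normal list while an attack is suspected, and the sample flows are assumptions; the address 10.1.10.100, the puppet address 10.1.20.140 and port 7775 come from claim 3, the remaining addresses and ports are constructed.

```python
"""Flow-table filtering with normal / suspect / attack tables.

Added example, not the patent's own code; FlowTables.hold_time,
mark_established(), the sample flows and the drop-while-suspected policy
are assumptions.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, int]   # src ip, dst ip, sport, dport, proto


def flow_id(src_ip: str, dst_ip: str, sport: int, dport: int, proto: int) -> int:
    """104-bit connection identifier: 32+32+16+16+8 bits, packed big-endian."""
    raw = struct.pack("!4s4sHHB",
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed,
                      sport, dport, proto)
    return int.from_bytes(raw, "big")


def short_digest(fid: int, nbytes: int = 8) -> str:
    """Alternative short identifier: truncated SHA-256 of the 104-bit value."""
    return hashlib.sha256(fid.to_bytes(13, "big")).hexdigest()[:2 * nbytes]


@dataclass
class FlowTables:
    hold_time: float                                     # assumed: seconds before adjudication
    normalflows: Set[int] = field(default_factory=set)   # "red list"
    # "white list": fid -> (first seen, five-tuple)
    suspectflows: Dict[int, Tuple[float, FiveTuple]] = field(default_factory=dict)
    attackflows: Dict[int, FiveTuple] = field(default_factory=dict)   # "blacklist"
    attack_suspected: bool = False                       # set by the detection submodule

    def mark_established(self, ft: FiveTuple) -> None:
        """Hook for connection tracking (assumed): record an established flow."""
        self.normalflows.add(flow_id(*ft))

    def filter_packet(self, ft: FiveTuple, now: float) -> str:
        """Per-packet verdict: ACCEPT or DROP."""
        fid = flow_id(*ft)
        if fid in self.attackflows:
            return "DROP"
        if fid in self.normalflows:
            return "ACCEPT"
        if self.attack_suspected:
            # Not on the normal list while an attack is suspected: park the
            # flow in suspectflows and drop until adjudication (assumption).
            self.suspectflows.setdefault(fid, (now, ft))
            return "DROP"
        return "ACCEPT"   # assumption: no alert, admit unknown flows

    def adjudicate(self, now: float) -> List[FiveTuple]:
        """After the hold time: suspects still absent from normalflows become attack flows."""
        newly_blacklisted: List[FiveTuple] = []
        for fid, (first_seen, ft) in list(self.suspectflows.items()):
            if now - first_seen < self.hold_time:
                continue
            del self.suspectflows[fid]
            if fid not in self.normalflows:
                self.attackflows[fid] = ft
                newly_blacklisted.append(ft)
        return newly_blacklisted


def iptables_rules(tables: FlowTables) -> List[str]:
    """Render attackflows as iptables DROP rules for a script generator."""
    names = {6: "tcp", 17: "udp"}
    rules = []
    for src, dst, sport, dport, proto in tables.attackflows.values():
        if proto in names:
            rules.append(f"iptables -A INPUT -p {names[proto]} -s {src} --sport {sport} "
                         f"-d {dst} --dport {dport} -j DROP")
        else:                       # protocols without ports: match by number
            rules.append(f"iptables -A INPUT -p {proto} -s {src} -d {dst} -j DROP")
    return sorted(rules)


def run_scenario() -> dict:
    """Walk one flow through the three tables (all flows constructed)."""
    tables = FlowTables(hold_time=6.0)
    legit = ("10.1.30.5", "10.1.10.100", 52000, 7775, 6)       # constructed client
    suspect = ("10.1.20.140", "10.1.10.100", 40000, 7775, 17)  # puppet 1 address from claim 3
    tables.mark_established(legit)
    out = {"before_alert": tables.filter_packet(suspect, now=0.0)}
    tables.attack_suspected = True                           # detection submodule fired
    out["during_alert"] = tables.filter_packet(suspect, now=1.0)
    out["legit"] = tables.filter_packet(legit, now=1.0)
    out["early"] = tables.adjudicate(now=3.0)                # hold time not yet elapsed
    out["late"] = tables.adjudicate(now=7.5)                 # hold time elapsed
    out["after"] = tables.filter_packet(suspect, now=8.0)
    out["rules"] = iptables_rules(tables)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The rules list is what an iptables script generator would write out; once the attack table is flushed to Netfilter, the per-packet check for blacklisted flows happens in the kernel rather than in this Python loop.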
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010519862.7A CN102457489B (en) | 2010-10-26 | 2010-10-26 | Low-rate DoS (LDoS) attack, detection and defense module |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102457489A true CN102457489A (en) | 2012-05-16 |
CN102457489B CN102457489B (en) | 2015-11-25 |
Family
ID=46040155
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010519862.7A Active CN102457489B (en) | 2010-10-26 | 2010-10-26 | Low-rate DoS (LDoS) attack, detection and defense module |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102457489B (en) |
Cited By (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103281317A (en) * | 2013-05-09 | 2013-09-04 | 浙江师范大学 | Attack testing method for SDN (software defined network) |
CN103546465A (en) * | 2013-10-15 | 2014-01-29 | 北京交通大学长三角研究院 | Data flow circle monitoring based LDoS (low-rate denial of service) attack detection and defense method |
CN103561025A (en) * | 2013-11-01 | 2014-02-05 | 中国联合网络通信集团有限公司 | Method, device and system for detecting DOS attack prevention capacity |
CN103916222A (en) * | 2014-03-14 | 2014-07-09 | 电信科学技术研究院 | Method and device for adjusting uplink service transmitting mode |
CN104125193A (en) * | 2013-04-24 | 2014-10-29 | 中国民航大学 | LDDoS attack detection method based on chaotic Dufing oscillators |
CN104125194A (en) * | 2013-04-24 | 2014-10-29 | 中国民航大学 | LDDoS attack time synchronization and flow convergence method based on cross correlation |
CN104158823A (en) * | 2014-09-01 | 2014-11-19 | 江南大学 | Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service) |
CN104253817A (en) * | 2014-09-25 | 2014-12-31 | 大连梯耐德网络技术有限公司 | FPGA (field programmable gate array)-based network behavior attack method and FPGA-based network behavior attack device |
CN105208037A (en) * | 2015-10-10 | 2015-12-30 | 中国人民解放军信息工程大学 | DoS/DDoS attack detecting and filtering method based on light-weight intrusion detection |
CN105245412A (en) * | 2015-11-20 | 2016-01-13 | 上海斐讯数据通信技术有限公司 | Port traffic monitoring method, system and network equipment |
CN105554041A (en) * | 2016-03-01 | 2016-05-04 | 江苏三棱智慧物联发展股份有限公司 | Method for detecting distributed denial-of-service attack based on flow table timeout mechanism |
CN105897609A (en) * | 2016-04-01 | 2016-08-24 | 浙江宇视科技有限公司 | Method and device for monitoring data flow transmission |
CN106411829A (en) * | 2015-12-14 | 2017-02-15 | 中国民航大学 | LDoS attack detection method based on wavelet energy spectrum and combined neural network |
CN106789831A (en) * | 2015-11-19 | 2017-05-31 | 阿里巴巴集团控股有限公司 | The method and apparatus for recognizing network attack |
CN107005538A (en) * | 2015-10-16 | 2017-08-01 | 华为技术有限公司 | The methods, devices and systems of data transfer |
CN107707513A (en) * | 2017-01-10 | 2018-02-16 | 贵州白山云科技有限公司 | The method and device of a kind of defending against network attacks |
CN108199898A (en) * | 2018-01-12 | 2018-06-22 | 中国民航大学 | A kind of method for enhancing LDoS attack efficiency |
CN108551448A (en) * | 2018-04-12 | 2018-09-18 | 盾盟(上海)信息技术有限公司 | A kind of detecting method of distributed denial of service attacking |
CN109040131A (en) * | 2018-09-20 | 2018-12-18 | 天津大学 | A kind of LDoS attack detection method under SDN environment |
CN110012006A (en) * | 2019-04-01 | 2019-07-12 | 中国民航大学 | A kind of low-speed denial of service attack method for CUBIC |
CN111444501A (en) * | 2020-03-16 | 2020-07-24 | 湖南大学 | L DoS attack detection method based on combination of Mel cepstrum and semi-space forest |
CN111478893A (en) * | 2020-04-02 | 2020-07-31 | 中核武汉核电运行技术股份有限公司 | Detection method for slow HTTP attack |
CN111769998A (en) * | 2019-08-13 | 2020-10-13 | 北京京东尚科信息技术有限公司 | Method and device for detecting network delay state |
CN112073402A (en) * | 2020-08-31 | 2020-12-11 | 新华三信息安全技术有限公司 | Traffic attack detection method and device |
CN112637202A (en) * | 2020-12-22 | 2021-04-09 | 贵州大学 | LDoS attack detection method based on integrated wavelet transform in SDN environment |
CN112788062A (en) * | 2021-01-29 | 2021-05-11 | 湖南大学 | ET-EDR-based LDoS attack detection and mitigation method in SDN |
CN113890746A (en) * | 2021-08-16 | 2022-01-04 | 曙光信息产业(北京)有限公司 | Attack traffic identification method, device, equipment and storage medium |
CN117097575A (en) * | 2023-10-20 | 2023-11-21 | 中国民航大学 | Low-rate denial of service attack defense method based on cross-layer cooperative strategy |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110233838B (en) * | 2019-06-06 | 2021-12-17 | 东软集团股份有限公司 | Pulse type attack defense method, device and equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080295175A1 (en) * | 2007-05-25 | 2008-11-27 | Nirwan Ansari | PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS |
CN101459519A (en) * | 2009-01-08 | 2009-06-17 | 西安交通大学 | Defense method for flooding-based DoS attack based on network flow |
CN101577642A (en) * | 2008-05-08 | 2009-11-11 | 吴志军 | Method for one-step forecasting Kalman filtering detection of LDoS attack |
- 2010-10-26 CN CN201010519862.7A patent/CN102457489B/en active Active
Non-Patent Citations (2)
Title |
---|
He Yanxiang et al.: "A distributed cooperative detection method for LDoS attacks", Journal of Chinese Computer Systems (小型微型计算机系统), vol. 30, no. 3, 15 March 2009 (2009-03-15) * |
Wu Zhijun et al.: "Research on the performance of low-rate denial of service (LDoS) attacks", Journal on Communications (通信学报), vol. 29, no. 6, 25 June 2008 (2008-06-25) * |
Cited By (46)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104125193A (en) * | 2013-04-24 | 2014-10-29 | 中国民航大学 | LDDoS attack detection method based on chaotic Dufing oscillators |
CN104125194A (en) * | 2013-04-24 | 2014-10-29 | 中国民航大学 | LDDoS attack time synchronization and flow convergence method based on cross correlation |
CN103281317A (en) * | 2013-05-09 | 2013-09-04 | 浙江师范大学 | Attack testing method for SDN (software defined network) |
CN103281317B (en) * | 2013-05-09 | 2016-06-08 | 浙江师范大学 | A kind of attack testing method of software defined network |
CN103546465A (en) * | 2013-10-15 | 2014-01-29 | 北京交通大学长三角研究院 | Data flow circle monitoring based LDoS (low-rate denial of service) attack detection and defense method |
CN103546465B (en) * | 2013-10-15 | 2016-10-19 | 北京交通大学长三角研究院 | LDoS attack detection based on traffic period monitoring and defence method |
CN103561025A (en) * | 2013-11-01 | 2014-02-05 | 中国联合网络通信集团有限公司 | Method, device and system for detecting DOS attack prevention capacity |
CN103561025B (en) * | 2013-11-01 | 2017-04-12 | 中国联合网络通信集团有限公司 | Method, device and system for detecting DOS attack prevention capacity |
CN103916222A (en) * | 2014-03-14 | 2014-07-09 | 电信科学技术研究院 | Method and device for adjusting uplink service transmitting mode |
CN104158823B (en) * | 2014-09-01 | 2017-05-10 | 江南大学 | Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service) |
CN104158823A (en) * | 2014-09-01 | 2014-11-19 | 江南大学 | Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service) |
CN104253817A (en) * | 2014-09-25 | 2014-12-31 | 大连梯耐德网络技术有限公司 | FPGA (field programmable gate array)-based network behavior attack method and FPGA-based network behavior attack device |
CN105208037A (en) * | 2015-10-10 | 2015-12-30 | 中国人民解放军信息工程大学 | DoS/DDoS attack detecting and filtering method based on light-weight intrusion detection |
CN105208037B (en) * | 2015-10-10 | 2018-05-08 | 中国人民解放军信息工程大学 | A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection |
CN107005538A (en) * | 2015-10-16 | 2017-08-01 | 华为技术有限公司 | The methods, devices and systems of data transfer |
CN107005538B (en) * | 2015-10-16 | 2020-06-30 | 德正远(青岛)新能源科技有限公司 | Data transmission method, device and system |
CN106789831A (en) * | 2015-11-19 | 2017-05-31 | 阿里巴巴集团控股有限公司 | The method and apparatus for recognizing network attack |
CN106789831B (en) * | 2015-11-19 | 2020-10-23 | 阿里巴巴集团控股有限公司 | Method and device for identifying network attack |
CN105245412B (en) * | 2015-11-20 | 2019-06-14 | 上海斐讯数据通信技术有限公司 | A kind of port flow monitoring method and system, the network equipment |
CN105245412A (en) * | 2015-11-20 | 2016-01-13 | 上海斐讯数据通信技术有限公司 | Port traffic monitoring method, system and network equipment |
CN106411829A (en) * | 2015-12-14 | 2017-02-15 | 中国民航大学 | LDoS attack detection method based on wavelet energy spectrum and combined neural network |
CN105554041A (en) * | 2016-03-01 | 2016-05-04 | 江苏三棱智慧物联发展股份有限公司 | Method for detecting distributed denial-of-service attack based on flow table timeout mechanism |
CN105554041B (en) * | 2016-03-01 | 2018-05-25 | 江苏三棱智慧物联发展股份有限公司 | A kind of method for detecting the distributed denial of service attack based on flow table timeout mechanism |
CN105897609A (en) * | 2016-04-01 | 2016-08-24 | 浙江宇视科技有限公司 | Method and device for monitoring data flow transmission |
CN105897609B (en) * | 2016-04-01 | 2019-04-09 | 浙江宇视科技有限公司 | A kind of method and apparatus for supervising data stream transmitting |
CN107707513A (en) * | 2017-01-10 | 2018-02-16 | 贵州白山云科技有限公司 | The method and device of a kind of defending against network attacks |
CN107707513B (en) * | 2017-01-10 | 2019-05-17 | 北京数安鑫云信息技术有限公司 | A kind of method and device of defending against network attacks |
CN108199898A (en) * | 2018-01-12 | 2018-06-22 | 中国民航大学 | A kind of method for enhancing LDoS attack efficiency |
CN108551448B (en) * | 2018-04-12 | 2020-09-15 | 盾盟(上海)信息技术有限公司 | Distributed denial of service attack detection method |
CN108551448A (en) * | 2018-04-12 | 2018-09-18 | 盾盟(上海)信息技术有限公司 | A kind of detecting method of distributed denial of service attacking |
CN109040131A (en) * | 2018-09-20 | 2018-12-18 | 天津大学 | A kind of LDoS attack detection method under SDN environment |
CN110012006A (en) * | 2019-04-01 | 2019-07-12 | 中国民航大学 | A kind of low-speed denial of service attack method for CUBIC |
CN111769998A (en) * | 2019-08-13 | 2020-10-13 | 北京京东尚科信息技术有限公司 | Method and device for detecting network delay state |
CN111444501A (en) * | 2020-03-16 | 2020-07-24 | 湖南大学 | L DoS attack detection method based on combination of Mel cepstrum and semi-space forest |
CN111444501B (en) * | 2020-03-16 | 2023-04-18 | 湖南大学 | LDoS attack detection method based on combination of Mel cepstrum and semi-space forest |
CN111478893B (en) * | 2020-04-02 | 2022-06-28 | 中核武汉核电运行技术股份有限公司 | Detection method for slow HTTP attack |
CN111478893A (en) * | 2020-04-02 | 2020-07-31 | 中核武汉核电运行技术股份有限公司 | Detection method for slow HTTP attack |
CN112073402B (en) * | 2020-08-31 | 2022-05-27 | 新华三信息安全技术有限公司 | Traffic attack detection method and device |
CN112073402A (en) * | 2020-08-31 | 2020-12-11 | 新华三信息安全技术有限公司 | Traffic attack detection method and device |
CN112637202A (en) * | 2020-12-22 | 2021-04-09 | 贵州大学 | LDoS attack detection method based on integrated wavelet transform in SDN environment |
CN112637202B (en) * | 2020-12-22 | 2022-08-12 | 贵州大学 | LDoS attack detection method based on integrated wavelet transform in SDN environment |
CN112788062A (en) * | 2021-01-29 | 2021-05-11 | 湖南大学 | ET-EDR-based LDoS attack detection and mitigation method in SDN |
CN113890746A (en) * | 2021-08-16 | 2022-01-04 | 曙光信息产业(北京)有限公司 | Attack traffic identification method, device, equipment and storage medium |
CN113890746B (en) * | 2021-08-16 | 2024-05-07 | 曙光信息产业(北京)有限公司 | Attack traffic identification method, device, equipment and storage medium |
CN117097575A (en) * | 2023-10-20 | 2023-11-21 | 中国民航大学 | Low-rate denial of service attack defense method based on cross-layer cooperative strategy |
CN117097575B (en) * | 2023-10-20 | 2024-01-02 | 中国民航大学 | Low-rate denial of service attack defense method based on cross-layer cooperative strategy |
Also Published As
Publication number | Publication date |
---|---|
CN102457489B (en) | 2015-11-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102457489B (en) | Low-rate DoS (LDoS) attack, detection and defense module | |
Zhijun et al. | Low-rate DoS attacks, detection, defense, and challenges: a survey | |
Luo et al. | On a new class of pulsing denial-of-service attacks and the defense. | |
Hu et al. | FADM: DDoS flooding attack detection and mitigation system in software-defined networking | |
Gogoi et al. | Packet and flow based network intrusion dataset | |
Wu et al. | DDoS detection and traceback with decision tree and grey relational analysis | |
Chen et al. | Power spectrum entropy based detection and mitigation of low-rate DoS attacks | |
CN103281293A (en) | Network flow rate abnormity detection method based on multi-dimension layering relative entropy | |
Khamaiseh et al. | Detecting saturation attacks in sdn via machine learning | |
Luo et al. | Detecting pulsing denial-of-service attacks with nondeterministic attack intervals | |
CN105100017A (en) | LDoS attack detection method based on signal cross correlation | |
CN104158823B (en) | Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service) | |
Zang et al. | Sdn-based in-band ddos detection using ensemble learning algorithm on iot edge | |
Wang et al. | DDoS attacks traffic and Flash Crowds traffic simulation with a hardware test center platform | |
Luo et al. | Optimizing the pulsing denial-of-service attacks | |
CN109995770A (en) | A kind of LDoS attack detection method based on queue distribution | |
Yi et al. | Performance analysis of mobile ad hoc networks under flooding attacks | |
CN104125194A (en) | LDDoS attack time synchronization and flow convergence method based on cross correlation | |
Baiamonte et al. | Detecting 802.11 wireless hosts from remote passive observations | |
Mergendahl et al. | FR-WARD: Fast retransmit as a wary but ample response to distributed denial-of-service attacks from the Internet of Things | |
Zhan et al. | Adaptive detection method for Packet-In message injection attack in SDN | |
Hussain et al. | Distinguishing between single and multi-source attacks using signal processing | |
Hussain | Measurement and spectral analysis of denial of service attacks | |
Jian et al. | Internet worm early detection and response mechanism | |
Lan et al. | A tool for rapid model parameterization and its applications |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20231122. Address after: Room 602, Building C2, Civil Aviation University of China Science and Technology Park, Zone C, Guangxuan Road Aviation Business Center, Dongli District, Tianjin, 300300. Patentee after: TIANJIN LINGZHI HAOYUE AVIATION TECHNOLOGY Co.,Ltd. Address before: 300300 Tianjin city Dongli District North Road No. 2898. Patentee before: CIVIL AVIATION University OF CHINA |