CN102457489A - Attacking, detecting and defending module for LDoS (Low-rate Denial of Service) - Google Patents

Publication number: CN102457489A (granted as CN102457489B)
Application number: CN201010519862.7
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 吴志军
Original assignee: Civil Aviation University of China
Current assignee: Tianjin Lingzhi Haoyue Aviation Technology Co ltd
Legal status: granted, active
Prior art keywords: attack, ldos, puppet, flow, submodule
Classification: Data Exchanges in Wide-Area Networks; Computer and Data Communications
Abstract

The invention discloses an attack, detection and defense module for low-rate denial of service (LDoS). LDoS is a novel denial-of-service attack that exploits the TCP congestion-control mechanism: its average attack rate is low, so it evades traditional detection methods. First, the periodic flow that makes up an LDoS attack is simulated and the attack's properties are tested; the test shows that an LDoS attack is both highly covert and highly damaging. Second, a detection algorithm based on time-window statistics is devised, and test results show that it detects LDoS attacks effectively. Finally, a "black and white list" defense method based on flow tables is adopted, and the results show that it defends against LDoS attacks effectively. The technical scheme of the invention thus provides an LDoS attack generator with an attack-effect test, together with effective detection and defense of LDoS attacks.

Description

Low rate denial of service LDoS attack, detection and defense module
Technical field
The present invention relates to computer network security technology. The system simulates a novel low-rate denial of service (LDoS) attack, tests its attack performance, and effectively detects and defends against this kind of attack.
Technical background
Denial of service (DoS) attacks are the biggest threat facing the Internet today. A traditional denial-of-service attack has the attacking machines send a massive number of packets that consume the network or computational resources of the target server, so that users cannot use the server and service is denied; attacks of this kind are called flooding-based denial of service (FDoS) attacks, and typical examples are SYN/ACK floods, UDP floods and ICMP floods. Many detection and defense methods for FDoS attacks now exist, but as attack techniques develop further, new denial-of-service attacks keep emerging, and LDoS is one of them. Research on LDoS attacks is still at an early stage, but related work has appeared at first-tier international conferences in recent years, which shows that it has received considerable attention. At SIGCOMM 2003, the top conference in computer networking, Aleksandar Kuzmanovic of Rice University first proposed a low-rate denial of service attack against TCP. Aimed at a weakness of the TCP congestion-control mechanism, the paper proposed a potential Low-Rate Denial of Service (LDoS) model: with precise timing, only a small volume of attack data is needed to cause denial of service or a drop in service quality at the victim. At ICNP 2004 and INFOCOM 2005, Guirguis proposed the RoQ (Reduction of Quality) attack, which in essence also targets weaknesses in TCP congestion control and in router queue management to degrade the performance of a particular router. At NDSS 2005, Xiapu Luo proposed the pulsing attack, whose principle is very similar to LDoS. In 2005 an LDoS attack was observed on the Abilene backbone of Internet2, so LDoS attacks had become a reality.
Principle of the LDoS attack: considering separately the two mechanisms of TCP congestion control, timeout retransmission and AIMD, LDDoS (low-rate distributed denial of service) attacks on TCP are divided into two types: LDDoS attacks based on the timeout-retransmission mechanism and LDDoS attacks based on the AIMD mechanism.
1. LDoS attack based on the timeout-retransmission mechanism
Under TCP's timeout-retransmission mechanism the sender sets a timer for every segment it sends. If the timer expires before the acknowledgement of that segment arrives, the sender reduces its send window cwnd to 1, retransmits the segment and, following the exponential back-off algorithm, sets RTO to q times its previous value (q is usually 2); it then waits for the acknowledgement. If the retransmitted packet also times out, the sender keeps retransmitting until a retransmission succeeds or it gives up; once a retransmission is acknowledged, the sender enters slow start. Per the TCP protocol, for a segment that was not retransmitted, when the sender receives its ACK it updates the RTO of the connection from the measured round-trip time RTT; formula (2.1) gives the computation:

$$\mathrm{RTO} = \min\{\mathrm{RTO}_{max},\ \max\{\mathrm{RTO}_{min},\ \mathrm{SRTT} + \max(G,\ 4 \times \mathrm{VRTT})\}\} \qquad (2.1)$$

To bring the network close to optimal throughput, the recommended minimum retransmission timeout RTO_min is 1 s. RTO_max is the upper limit of RTO, G is the clock granularity, and SRTT and VRTT are the smoothed round-trip time and the smoothed variation of the round-trip time respectively.
2. LDDoS attack based on the AIMD mechanism
Per the TCP protocol, if the TCP sender enters fast recovery it adjusts the congestion window with the AIMD algorithm. Define generalized AIMD(a, b) with a > 0 and 0 < b < 1. The algorithm is as follows: when the sender enters fast recovery, the congestion window is reduced from W to b × W; afterwards the congestion window increases by a every RTT, and this continues until another congestion signal is received. TCP Tahoe, TCP Reno and others use AIMD(1, 0.5). Considering that many TCP implementations do not send an ACK for every received packet but only after d consecutive packets, the additive increase of generalized AIMD(a, b) is revised to: the congestion window increases by a every d RTTs, which can be restated as an increase of a/d every RTT.
Unlike the LDDoS attack based on timeout retransmission, the attack pulses sent by an AIMD-based LDDoS attack are somewhat weaker and cause only slight congestion of the network; the congestion signal the TCP sender receives is three duplicate ACKs rather than a retransmission-timer expiry. Under the AIMD algorithm, after receiving three duplicate ACKs the TCP sender retransmits the packet immediately, its congestion window cwnd is reduced to b × cwnd (the multiplicative decrease, MD), and the window then grows linearly again according to the additive increase (AI) rule. Under an AIMD-based LDDoS attack the connection stays in the AIMD state throughout and never enters timeout retransmission or slow start, but its congestion window keeps shrinking and system performance degrades step by step; finally the congestion window falls to a limiting value and stays around it, performance reaches its worst, and it cannot recover.
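The limiting window that the paragraph above describes can be derived from the generalized AIMD(a, b) rule just given. This derivation is added here as an illustration and is not part of the patent text; it assumes attack pulses with a constant period $P$, a constant round-trip time $\mathrm{RTT}$, and that each pulse produces exactly one triple-duplicate-ACK congestion signal.

Let $W_k$ be the congestion window just before the $k$-th pulse. The pulse multiplies it by $b$, and in the $P$ seconds until the next pulse the sender adds $a/d$ per RTT:

$$W_{k+1} = b\,W_k + \frac{a}{d}\cdot\frac{P}{\mathrm{RTT}}$$

Unrolling the recurrence gives a geometric series in $b$:

$$W_k = b^{k} W_0 + \frac{a}{d}\cdot\frac{P}{\mathrm{RTT}}\cdot\frac{1-b^{k}}{1-b}
\ \xrightarrow{\ k\to\infty\ }\ W^{*} = \frac{a\,P}{d\,(1-b)\,\mathrm{RTT}}$$

which converges because $0 < b < 1$; when $W_0 > W^{*}$ the window decreases monotonically towards $W^{*}$, which is the behaviour the paragraph describes. For AIMD(1, 0.5) without delayed ACKs ($d = 1$), $W^{*} = 2P/\mathrm{RTT}$, so the attacked flow's throughput is capped at about $W^{*}\cdot\mathrm{MSS}/\mathrm{RTT} = 2P\cdot\mathrm{MSS}/\mathrm{RTT}^{2}$, independent of the link capacity. With the pulse period used later in the embodiment, $P = 1150$ ms, and an assumed $\mathrm{RTT} = 100$ ms and $\mathrm{MSS} = 1460$ bytes, $W^{*} = 23$ segments and the cap is roughly $2.7$ Mbit/s on a 100 Mbit/s bottleneck.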
Traditional DoS attacks usually target a particular server or a specific application; a SYN flood against a web server, for example, sends a large number of SYN packets to port 80 of the server. An LDoS attack can affect every TCP flow that passes through the bottleneck link, so its impact is wider. According to related research, LDoS attacks work well against multiple versions of TCP, including TCP Tahoe, TCP Reno, TCP NewReno and TCP SACK, because none of these versions considered security in its design and all are easily deceived by short bursts of congestion. Likewise, the queue management mechanism used on the bottleneck link, whether Droptail, RED, RED-PD or CHOKe, has little effect on the result of an LDoS attack. These queue management mechanisms gather traffic statistics over a long time scale and can limit flows that remain abnormally large for a long time, but an LDoS attack sends a large volume of traffic only for a very short time and its average rate is small, so it easily evades such detection and filtering.
Compared with traditional flooding denial-of-service attacks, LDoS attacks are more covert. First, an LDoS attack congests the link only for short periods, so it can achieve a comparable effect with less traffic, which means the attacker need not control a large number of puppet machines (zombies) to attack and reaches the goal more easily. Second, an LDoS attack can be launched in various ways: from a single host, or jointly from multiple hosts; an attack launched from multiple hosts further reduces the attack traffic of each attacking host, so it evades detection more easily. Third, an LDoS attack only needs to cause link congestion to achieve its purpose, so it can use any kind of traffic, including TCP flows. Attack flows mixed into normal TCP flows are harder to filter, and the destination addresses of the attack traffic can also vary, as long as the traffic passes through the bottleneck link.
For detecting LDoS, traditional detection methods are no longer suitable. Yu Chen, Kai Hwang and others proposed a detection method based on digital signal processing that uses power spectral density analysis, and signal-processing methods then became a research focus. Later, Kai Hwang and Yu-Kwong Kwok proposed a method called HAWK to identify malicious LDoS attack flows, but HAWK only applies to attacks from a single source address. More recently, Luo and Chang found that the inbound traffic and the outbound ACK traffic change markedly once an attack is launched and proposed a wavelet-analysis method based on this property: the first part uses the discrete wavelet transform (DWT) to detect abnormal traffic, and the second part uses a special CUSUM (cumulative sum) method to detect the change point. Because the detection result of a wavelet-based method depends heavily on the parameters chosen, it is difficult to select one optimal set of parameters that keeps a high detection rate together with very low false-alarm and miss rates.
At present, both internationally and domestically, how to defend effectively against DoS attacks so that the target (a host or server) is not attacked has become a research focus and a difficult problem. Because LDoS differs from traditional flooding DoS attacks, with small traffic volume and characteristics that existing detection mechanisms find hard to detect, it poses a larger threat to the network and is more destructive. So far, domestic research on this attack pattern is relatively scarce. At the same time, the existing detection methods all have certain shortcomings, and there is still no comparatively good defense method against LDoS attacks.
Summary of the invention
To study LDoS attack effects, detection and defense, the present invention first developed an LDoS attack tool, then adopted a time-window-based detection method to improve detection efficiency, and finally adopted a "black and white list" method based on flow tables to filter LDoS attacks; experimental results show that this filtering method is effective. LDoS is expected to break out on a large scale in the future and become a useful tool of the underground economy, so the invention has important economic value.
(1) LDoS attack and attack-effect test subsystem.
The attack tool consists of an attack server side and an attack client side. The server program is first implanted into the captured hosts and is mainly used to receive attack instructions and launch LDoS attack traffic against the target host. The main function of the client is to set the attack target, the attack duration, the hosts that launch the attack and other attack settings. First, target information is collected, which includes confirming the IP address and open port numbers of the attack target and the link bandwidth; attack traffic with the corresponding parameters is then generated from the collected information. The test tool simulates normal traffic and tests and compares the web page response time of the HTTP service and the traffic of the FTP service. The attack-effect test requires simulating normal users accessing the server and comparing the web page response time and FTP traffic with and without the attack.
(2) LDoS detection subsystem
The detection subsystem is deployed at the victim end. Because an LDoS attack is made up of periodic pulses, the victim-end traffic is sampled every t seconds; a time window is t' seconds and a decision period is T seconds. Every t' seconds the number of sudden pulses is counted once: sampling at interval t within a window of t' seconds yields a sequence

$x(i),\ i = 0, 1, 2, \ldots, n-1$, where $n = t'/t$ is the number of samples in the window.

From x(i) select the maximum, max = x(index), and record the index of the maximum. If index = 0, test whether

$$\max > \alpha \left[ \sum_{i=1}^{2} x(i) \Big/ 2 \right], \quad \text{where } \alpha \text{ is a threshold coefficient,}$$

holds; if it holds, a sudden pulse is present. If index = n − 1, test whether

$$\max > \beta \left[ \sum_{i=n-3}^{n-2} x(i) \Big/ 2 \right], \quad \text{where } \beta \text{ is a threshold coefficient,}$$

holds; if it holds, a sudden pulse is present. Otherwise, test whether

$$\max > \lambda \left[ \left( \sum_{i=0}^{\mathrm{index}-1} x(i) + \sum_{i=\mathrm{index}+1}^{n-1} x(i) \right) \Big/ (n-1) \right], \quad \text{where } \lambda \text{ is a threshold coefficient,}$$

holds; if it holds, a sudden pulse is present. In other words, a peak at either edge of the window is compared with the mean of its two nearest samples, and an interior peak with the mean of the other n − 1 samples. Whenever a sudden pulse is present, the decision counter C is incremented by 1 after that time window t'. When the decision time T is reached, the counter value accumulated within those T seconds is compared with the threshold M; if C > M holds, an attack is judged to have occurred.
(3) LDoS defense subsystem
The defense subsystem comprises five modules: packet capture, packet analysis, data statistics, storage and filtering. The source and destination addresses, source and destination port numbers and protocol number of packets entering the victim end are extracted as flow information; flows seen while no attack is indicated are stored in the "white list" (normal flow table). If detection indicates that an attack may be present in the network, the packets entering the victim end are analyzed in the same way and their flow information is put into the "red list" (suspicious flow table). When the decision time arrives, the suspicious entries are compared with the previously learned white list: suspicious entries that are not in the white list are judged to be attacks and are moved into the "black list" (attack flow table). Finally the filtering module generates filtering rules through an iptables script generator, and the kernel module Netfilter checks and filters the corresponding attack flows in the kernel.
Description of drawings
Fig. 1 is the LDoS attack model: (a) an LDoS attack stream from a single source; (b) LDoS attack streams from two sources at half rate each.
Fig. 2 is the network topology used by the system. The system comprises 6 PCs, 1 server, 2 routers and 2 switches. The detection and defense system sits on the last-hop router before the victim end. The routers in the figure are Cisco 2621, and the bottleneck bandwidth between the routers is 100 Mbps. The other devices are configured as shown in the table:

Identifier          IP address     Operating system
Console             10.1.20.8      Red Hat 9.0
Puppet machine 1    10.1.20.140    Fedora Core 4
Puppet machine 2    10.1.20.141    Fedora Core 4
Puppet machine 3    10.1.20.142    Fedora Core 4
Normal user 4       10.1.20.150    Windows XP
Normal user 5       10.1.20.160    Windows XP
Server              10.1.10.12     Fedora Core 4
Fig. 3 is the workflow of the whole LDoS attack, detection and defense system.
Fig. 4 shows the measured link bandwidth.
Fig. 5 shows the change in page response time of the HTTP service.
Fig. 6 is a monitoring chart of the FTP service traffic.
Fig. 7 is the flow chart of the time-window detection method.
Fig. 8 is the structure of the defense subsystem.
Fig. 9 shows the attack flow information counted after Flow Table processing.
Fig. 10 is a statistical chart of FTP service traffic after the defense system is enabled.
Embodiment
1. Nmap is used to scan the ports of the attack target 10.1.20.100 and collect information. The scan finds that port 7775 is open, so port 7775 is chosen as the attacked port.
2. Determining the attack amplitude. IxChariot, the tool developed by NetIQ, is used to test the maximum throughput of the target, so that the size of the attack traffic each zombie machine sends can be set. The IxChariot test gives an average throughput of about 12.000 MByte/s (roughly 100 Mbps), as shown in Fig. 4.
3. Three zombie machines are used, and the attack amplitude of each zombie is set to 40 Mbps. The concrete LDoS attack parameters are: pulse amplitude 40 Mbps, pulse width 150 ms, pulse period 1150 ms.
The commands that generate the attack stream are:
1) mk_dos_trace.out 0 0 100 150 1150 50 file_name.txt
2) cd /usr/site/bin
3) matlab
4) a=load('file_name.txt')
   where file_name.txt is the trace file produced in step 3 by command 1).
5) pswrite('test_file.bin',a)
This yields the binary file test_file.bin containing the attack stream parameters.
4. The console implants the generated attack-parameter file into the puppet machines.
5. LoadRunner is used to simulate normal traffic. The test simulates 10 users accessing the "Civil Aviation University of China" web page, whose size is 52 kB. At the start no attack traffic is added and only normal HTTP traffic is present. At about 6:30 the LDoS attack is launched; it lasts about 3.5 minutes and ends at 10:00. The page response time is recorded, as shown in Fig. 5. From 0:00 to 6:30 the average response time for reading the page is about 1.6 s; between 7:00 and 9:30 it rose from 3.2 s to 23.8 s; at 10:00, when the LDoS attack stops, the page response time recovers gradually from the 4.2 s seen at 8:30 to an average of about 1.6 s. Statistically, the page response time rose by 15.9 s on average. The result shows that the LDoS attack has a large effect on normal HTTP service.
6. The victim provides an FTP service and a normal user downloads a file from the server. Traffic changes are monitored at the normal user end and at the victim end respectively, as shown in Fig. 6. In the initial phase without an LDoS attack, the server's upload traffic is high. After the attack is added, the server's upload traffic drops markedly and its download traffic increases.
Experimental results: 20 representative experiments were chosen; their results are tabulated in Figure BSA00000318619600061 (table not reproduced here).
Statistically, without an LDoS attack the client's normal average download rate is 5.473 M; with the LDoS attack added it is 2.63 M on average, an average decrease of 51.9%.
7. The attack is launched and the victim end samples traffic, counting packets with a time window of 1.2 s, using the time-window detection algorithm. If a window contains no sudden pulse, the traffic is regarded as normal, its flow information is recorded in the normal flow table, and detection continues. If a window contains a sudden pulse, the traffic is regarded as suspicious, its flow information is recorded in the suspicious flow table, the counter is incremented by 1, and monitoring continues. When a decision period ends and the counter value exceeds the threshold, an attack is confirmed; the suspicious flow table is then compared with the normal flow table, and the flow entries present in the suspicious flow table but absent from the normal flow table are recorded in the attack flow table.
Detection results: the test results obtained with sampling lengths of 200 ms, 250 ms and 300 ms are shown in the table below:

Sampling length       150 ms    200 ms    250 ms
Accuracy              96.5%     97.1%     98.3%
Miss rate             2.8%      2.6%      1.7%
False-alarm rate      2.5%      2.3%      1.2%

The time-window statistical detection method is quite efficient: accuracy is above 96.5%, and the miss rate and false-alarm rate are below 2.8%. The sampling length is also related to the detection result: the longer the sampling length, the better the performance.
Main command for counting packets (one count per 0.2 s sampling interval, run for one 6 s decision period):
tcpstat 0.2 -s 6 -o "%n\n" > temp.txt
Main program for flow information analysis (libpcap capture loop; the elided parts are elided in the original):
#include <pcap.h>
#include <libnet.h>                 /* struct libnet_ethernet_hdr */

char *device;                       /* name of the interface to capture on */
pcap_t *p;                          /* capture handle, the central pcap data structure */
struct bpf_program fcode;           /* compiled BPF filter code */
char errbuf[PCAP_ERRBUF_SIZE];
struct pcap_pkthdr hdr;
const u_char *ptr;
struct libnet_ethernet_hdr *eth;

device = pcap_lookupdev(errbuf);                    /* find a device that can capture packets */
p = pcap_open_live(device, 8000, 1, 500, errbuf);   /* open it: snaplen 8000, promiscuous, 500 ms read timeout */
/* if the user supplied a filter condition, compile and install the filter code */
pcap_compile(p, &fcode, filter_string, 0, netmask);
pcap_setfilter(p, &fcode);
for (;;) {                                          /* capture packets repeatedly */
    ptr = pcap_next(p, &hdr);
    if (ptr == NULL)
        continue;                                   /* read timeout, nothing captured */
    if (t == time) {                                /* sampling instant t reached */
        eth = (struct libnet_ethernet_hdr *)ptr;
        /* parse the Ethernet header to decide the packet type for further processing */
        if (eth->ether_type == ntohs(ETHERTYPE_IP)) {
            ............                            /* IP packet: extract addresses, ports and protocol */
        }
        if (eth->ether_type == ntohs(ETHERTYPE_ARP)) {
            ............
        }
    }
}
pcap_close(p);
Flow information stored in the database, main functions:
1) Table structure (the same layout is used for the suspectflows and attackflows tables):
CREATE TABLE normalflows (
    Id       int,
    Saddr    char(20),
    Sport    char(10),
    Daddr    char(20),
    Dport    char(10),
    Protocol int,
    PRIMARY KEY (Id)
);
2) MySQL C API calls used:
MYSQL mysql;
mysql_init(&mysql);                                     /* initialise the connection handle */
mysql_real_connect(&mysql, "localhost", "root", "", "netflow",
                   3306, "/var/lib/mysql/mysql.sock", 0); /* connect to the database server */
mysql_select_db(&mysql, "netflow");                     /* select the database netflow */
mysql_real_query(&mysql, str, strlen(str));             /* execute the SQL statement in str (length-counted string) */
mysql_num_rows(result);                                 /* number of rows in a result set */
mysql_close(&mysql);                                    /* close the database connection */
Defense effect
8. Once an LDoS attack is detected, the defense subsystem starts working. It extracts the attack flow table, calls the iptables script generator, adds the corresponding filtering rules and drops the attack packets. The iptables rules are set as follows:
#!/bin/bash
# attackflows.txt: one attack flow per line, "saddr sport daddr dport proto"
echo "filter the attack flows"
echo "1" > /proc/sys/net/ipv4/ip_forward
exec 3< attackflows.txt
while read -u3 t1 t2 t3 t4 t5
do
    echo "$t1 $t4"
    if [ "$t5" -eq 17 ]; then
        iptables -I INPUT   -p udp -s "$t1" -d "$t3" --dport "$t4" -j DROP
        iptables -I FORWARD -p udp -s "$t1" -d "$t3" --dport "$t4" -j DROP
        iptables -I OUTPUT  -p udp -s "$t1" -d "$t3" --dport "$t4" -j DROP
    elif [ "$t5" -eq 6 ]; then
        iptables -I INPUT   -p tcp -s "$t1" --sport "$t2" -d "$t3" --dport "$t4" -j DROP
        iptables -I FORWARD -p tcp -s "$t1" --sport "$t2" -d "$t3" --dport "$t4" -j DROP
        iptables -I OUTPUT  -p tcp -s "$t1" --sport "$t2" -d "$t3" --dport "$t4" -j DROP
    elif [ "$t5" -eq 1 ]; then
        iptables -I INPUT   -p icmp -s "$t1" -d "$t3" -j DROP
        iptables -I FORWARD -p icmp -s "$t1" -d "$t3" -j DROP
        iptables -I OUTPUT  -p icmp -s "$t1" -d "$t3" -j DROP
    fi
done
exec 3<&-
Protection effect: the comparison between the defense mechanism enabled and disabled is tabulated in Figure BSA00000318619600091 (table not reproduced here).
Fig. 10 is the monitoring chart of FTP traffic at the normal user end after the defense is enabled. The results show that the LDDoS detection and defense mechanism detects and defends against LDDoS attacks accurately while keeping low miss and false-alarm rates, and that the defense mechanism ensures the server can continuously and stably provide normal service to legitimate users.
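The flow-table decision of the defense subsystem, carried through in code: the 104-bit 5-tuple connection identifier, the optional short hash digest, the black list as the suspicious flows absent from the white list, and the attackflows.txt records and iptables DROP rules that the script in step 8 reads and emits. This is an added example, not the patent's own code; the sample flows are constructed from the addresses in the Fig. 2 table, and the use of UDP for the attack flows to port 7775 is an assumption (the text does not state the attack protocol).

```python
"""Flow-table black/white/red list filtering (added example, not the patent's code)."""
from dataclasses import dataclass
import hashlib
import socket
import struct
from typing import Iterable, List, Set

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass(frozen=True)
class Flow:
    """One connection identified by the 5-tuple (saddr, sport, daddr, dport, proto)."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: int

    def identifier(self) -> bytes:
        """The 104-bit connection identifier: 32 + 16 + 32 + 16 + 8 bits, network order."""
        return (socket.inet_aton(self.saddr) + struct.pack("!H", self.sport)
                + socket.inet_aton(self.daddr) + struct.pack("!H", self.dport)
                + struct.pack("!B", self.proto))

    def digest(self) -> str:
        """Short hash digest usable instead of the raw 5-tuple (SHA-256 truncated to 64 bits)."""
        return hashlib.sha256(self.identifier()).hexdigest()[:16]

    def line(self) -> str:
        """Record format of attackflows.txt as read by the iptables script: t1 t2 t3 t4 t5."""
        return f"{self.saddr} {self.sport} {self.daddr} {self.dport} {self.proto}"


def classify(white: Set[Flow], red: Set[Flow]) -> Set[Flow]:
    """Black list = flows seen in windows with pulses (red) that were never in the white list."""
    return {f for f in red if f not in white}


def iptables_rules(black: Iterable[Flow]) -> List[str]:
    """Emit the DROP rules the patent's script installs: one per chain, matched as the script does."""
    rules: List[str] = []
    for f in sorted(black, key=lambda fl: fl.identifier()):
        if f.proto == PROTO_UDP:
            match = f"-p udp -s {f.saddr} -d {f.daddr} --dport {f.dport}"
        elif f.proto == PROTO_TCP:
            match = f"-p tcp -s {f.saddr} --sport {f.sport} -d {f.daddr} --dport {f.dport}"
        elif f.proto == PROTO_ICMP:
            match = f"-p icmp -s {f.saddr} -d {f.daddr}"
        else:
            continue  # the script has no branch for other protocols
        for chain in ("INPUT", "FORWARD", "OUTPUT"):
            rules.append(f"iptables -I {chain} {match} -j DROP")
    return rules


# Constructed sample (assumption, not measured data): the white list is learned from
# windows without pulses and holds the legitimate HTTP and FTP clients of Fig. 2; the
# red list is what was seen in windows with a pulse, which still includes those clients.
SERVER = "10.1.10.12"
WHITE: Set[Flow] = {
    Flow("10.1.20.150", 51234, SERVER, 80, PROTO_TCP),
    Flow("10.1.20.160", 40022, SERVER, 21, PROTO_TCP),
}
RED: Set[Flow] = WHITE | {
    Flow("10.1.20.140", 5000, SERVER, 7775, PROTO_UDP),   # UDP assumed for the attack flows
    Flow("10.1.20.141", 5000, SERVER, 7775, PROTO_UDP),
    Flow("10.1.20.142", 5000, SERVER, 7775, PROTO_UDP),
}
BLACK: Set[Flow] = classify(WHITE, RED)

if __name__ == "__main__":
    for flow in sorted(BLACK, key=lambda fl: fl.saddr):
        print(flow.line(), flow.digest())          # lines for attackflows.txt, plus digest
    print("\n".join(iptables_rules(BLACK)))
```

Because the white list is keyed on the full 5-tuple, a legitimate client that happens to open a new connection during a pulsed window lands in the red list and, if the decision fires before that connection is ever seen in a quiet window, is blocked along with the attack flows; the patent's own tables carry this same risk, which is why the decision is only taken after C exceeds M over a whole period rather than per window.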

Claims (3)

1. A low-rate denial of service (LDoS) attack, detection and defense module, characterized by the following three submodules:
(1) an LDoS attack submodule;
(2) an LDoS attack detection submodule;
(3) an LDoS attack defense submodule.
2. The LDoS attack, detection and defense module according to claim 1, in which each submodule is characterized as follows:
Submodule (1) is the LDoS attack tool. It comprises an attack server side and an attack client side. The server program is first implanted into the captured hosts and is mainly used to receive attack instructions and launch LDoS attack traffic against the target host; the client's main functions are to select the attack target and to set the attack pulse period, attack pulse width and attack pulse strength. The client, installed on the console, mainly performs the following: 1) scanning the puppet network, viewing the puppet hosts currently online, and generating a list file of the IP addresses of the currently available puppet hosts, saved as text for the program to use; 2) uploading the bin file containing the attack parameters to the puppet machines and announcing the IP address and port number of the target host to them; 3) setting the time at which the puppet machines launch the attack and its duration, and issuing the attack instruction. The attack traffic generator on the server side, uploaded to the puppet machines, mainly: 1) receives the bin file containing the attack parameters sent by the client; 2) receives the attack instruction and sets the attack time precisely; 3) generates the corresponding attack traffic from the received bin file and launches the attack.
Submodule (2) is the LDoS attack detection module. It uses a statistical decision method based on time windows, in the following steps: 1) traffic is monitored on the router one hop before the victim end; traffic is sampled every t seconds, a time window is t' seconds and a decision period is T seconds; 2) every t' seconds the number of sudden pulses is counted once: sampling at interval t within a window of t' seconds yields a sequence

$x(i),\ i = 0, 1, 2, \ldots, n-1$, where $n = t'/t$ is the number of samples in the window.

From x(i) select the maximum, max = x(index), and record the index of the maximum. If index = 0, test whether

$$\max > \alpha \left[ \sum_{i=1}^{2} x(i) \Big/ 2 \right], \quad \text{where } \alpha \text{ is a threshold coefficient,}$$

holds; if it holds, a sudden pulse is present. If index = n − 1, test whether

$$\max > \beta \left[ \sum_{i=n-3}^{n-2} x(i) \Big/ 2 \right], \quad \text{where } \beta \text{ is a threshold coefficient,}$$

holds; if it holds, a sudden pulse is present. Otherwise, test whether

$$\max > \lambda \left[ \left( \sum_{i=0}^{\mathrm{index}-1} x(i) + \sum_{i=\mathrm{index}+1}^{n-1} x(i) \right) \Big/ (n-1) \right], \quad \text{where } \lambda \text{ is a threshold coefficient,}$$

holds; if it holds, a sudden pulse is present. 3) If a sudden pulse is present, the decision counter C is incremented by 1 after that time window t'. 4) When the decision time T is reached, the counter value accumulated within those T seconds is compared with the threshold M; if C > M holds, an attack is judged to have occurred.
Submodule (3) is the LDoS attack defense module. The defense method filters attack packets using Flow-Table-based filtering. The basic idea of Flow Table filtering is to build an identifier list of established connections; during packet filtering, the connection identifier is extracted from each passing packet, and if that identifier belongs to the list the packet is passed, otherwise it is dropped. A connection is uniquely determined by five values, the source and destination addresses of the two endpoints, the source and destination ports, and the protocol number, 104 bits in total, which can serve as the identifier; alternatively the five values can be concatenated and a short hash digest generated as the identifier. The invention lists the identifiers of established connections in the "white list" (normal flow table). If detection indicates that an attack may be present in the network, the suspected attack flows are first put into the "red list" (suspicious flow table); when the decision time arrives a decision is made, and if these suspicious flows are not in the white list they are judged to be attack packets and are moved into the "black list" (attack flow table).
3. The LDoS attack, detection and defense module according to claim 2, characterized in that: 1) the attack submodule is set as follows: the IP address of the target host is 10.1.10.100; the IP addresses of puppet machines 1, 2 and 3 are 10.1.20.140, 10.1.20.150 and 10.1.20.160 respectively; the target host port number is 7775; the LDoS attack pulse period is 1150 ms, the attack pulse width is 150 ms and the strength of a single attack pulse is 33 Mbps. 2) The detection submodule is set with t = 200 ms, t' = 1.2 s, T = 6 s and decision threshold M = 3, and the threshold coefficients are set by training: α (value given in Figure FSA00000318619500021, not reproduced here), β = 1.6 and λ = 1.8. 3) The defense submodule stores all flows in the database netflow, which has three tables: normalflows (normal flows), suspectflows (suspicious flows) and attackflows (attack flows). This module mainly generates filtering rules by means of the iptables script generator and then filters the attack flows in the kernel through the kernel module Netfilter.
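The time-window statistical detection described in the detection subsystem, in embodiment step 7 and in claim 2 (submodule (2)), with the parameters of claim 3, as a runnable added example that is not the patent's own code: t = 200 ms, t' = 1.2 s and T = 6 s give n = 6 samples per window and 5 windows per decision period, with M = 3, β = 1.6 and λ = 1.8. The value of α is given only in a figure not reproduced on this page, so α = 1.6 is assumed here, and the per-interval packet counts are constructed rather than measured. The interior-peak test compares the maximum with the mean of the other n − 1 samples in the window.

```python
"""Time-window statistical LDoS detector (added example, not the patent's code)."""
from typing import List, Sequence, Tuple

T_SAMPLE = 0.2                            # t: sampling interval (s), claim 3
T_WINDOW = 1.2                            # t': time window (s), claim 3
T_DECIDE = 6.0                            # T: decision period (s), claim 3
N = round(T_WINDOW / T_SAMPLE)            # n = t'/t = 6 samples per window
WINDOWS = round(T_DECIDE / T_WINDOW)      # 5 windows per decision period
M = 3                                     # decision threshold on the counter C
ALPHA, BETA, LAMBDA = 1.6, 1.6, 1.8       # ALPHA is an assumption; BETA, LAMBDA from claim 3


def has_pulse(x: Sequence[float], alpha: float = ALPHA, beta: float = BETA,
              lam: float = LAMBDA) -> bool:
    """Apply the patent's three-case peak test to one window of n samples."""
    n = len(x)
    if n < 4:
        raise ValueError("a window needs at least 4 samples for the edge tests")
    index = max(range(n), key=x.__getitem__)   # first index of the maximum
    peak = x[index]
    if index == 0:                              # peak at the left edge: compare with x(1), x(2)
        return peak > alpha * (x[1] + x[2]) / 2
    if index == n - 1:                          # peak at the right edge: compare with x(n-3), x(n-2)
        return peak > beta * (x[n - 3] + x[n - 2]) / 2
    return peak > lam * (sum(x) - peak) / (n - 1)   # interior: mean of the other n-1 samples


def decide(samples: Sequence[float], n: int = N, windows: int = WINDOWS,
           m: int = M) -> Tuple[bool, int]:
    """One decision period: count the windows with a pulse (C); attack if C > M."""
    if len(samples) < n * windows:
        raise ValueError(f"need {n * windows} samples for one decision period")
    counter = 0
    for w in range(windows):
        if has_pulse(samples[w * n:(w + 1) * n]):
            counter += 1
    return counter > m, counter


def parse_tcpstat(text: str) -> List[int]:
    """Packet counts per interval, one per line, as written by tcpstat 0.2 -s 6 -o "%n\\n"."""
    return [int(line) for line in text.split() if line.strip()]


# Constructed packet counts per 200 ms interval; 30 samples make one 6 s decision period.
NORMAL = [50, 48, 52, 49, 51, 50] * 5
ATTACK = [
    50, 400, 51, 49, 52, 50,    # pulse inside the window (lambda test)
    50, 48, 52, 420, 51, 49,
    380, 50, 48, 52, 49, 51,    # pulse at index 0 (alpha test)
    50, 48, 52, 49, 51, 410,    # pulse at index n-1 (beta test)
    50, 48, 395, 52, 49, 51,
]
MIXED = ATTACK[:12] + NORMAL[12:]   # only two pulsed windows: C = 2, not > M

if __name__ == "__main__":
    for name, series in (("normal", NORMAL), ("attack", ATTACK), ("mixed", MIXED)):
        print(name, decide(series))
```

Feeding parse_tcpstat the temp.txt produced by the tcpstat command of step 7 gives one decision per 6 s capture. With a 1150 ms pulse period and a 1200 ms window a pulse drifts towards the window boundary over successive windows, so the α and β edge tests are what keep the counter climbing there; the threshold M = 3 over 5 windows tolerates one window in which the pulse is missed.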
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010519862.7A CN102457489B (en) 2010-10-26 2010-10-26 Low-rate DoS (LDoS) attack, detection and defense module

Publications (2)

Publication Number Publication Date
CN102457489A true CN102457489A (en) 2012-05-16
CN102457489B CN102457489B (en) 2015-11-25

Family

ID=46040155

Country Status (1)

Country Link
CN (1) CN102457489B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231122

Address after: Room 602, Building C2, Civil Aviation University of China Science and Technology Park, Zone C, Guangxuan Road Aviation Business Center, Dongli District, Tianjin, 300300

Patentee after: TIANJIN LINGZHI HAOYUE AVIATION TECHNOLOGY Co.,Ltd.

Address before: 300300 Tianjin city Dongli District North Road No. 2898

Patentee before: CIVIL AVIATION University OF CHINA
