CN102457489B - Low-rate DoS (LDoS) attack, detection and defense module - Google Patents


Info

Publication number: CN102457489B
Authority: CN (China)
Prior art keywords: attack, ldos, puppet, submodule, flow
Legal status: Active
Application number: CN201010519862.7A
Other languages: Chinese (zh)
Other versions: CN102457489A (en)
Inventor: 吴志军
Current assignee: Tianjin Lingzhi Haoyue Aviation Technology Co ltd
Original assignee: Civil Aviation University of China
Events: application filed by Civil Aviation University of China; priority to CN201010519862.7A; publication of CN102457489A; application granted; publication of CN102457489B; current legal status active.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a low-rate denial of service (LDoS) attack, detection and defense module. Low-rate denial of service (LDoS) is a new kind of DoS attack that exploits the TCP congestion control mechanism. Because its average attack rate is low, it can evade traditional detection methods. The invention first simulates the periodic traffic that produces an LDoS attack and tests its attack performance; the tests show that an LDoS attack is both highly concealed and highly destructive. Second, a detection algorithm based on time-window statistics is devised, and test results show that this method detects LDoS attacks efficiently. Finally, a "black and white list" defense method based on flow tables is adopted, and the results show that this defense method defends effectively against LDoS attacks. With the technical scheme provided by the invention, an LDoS attack can be realized and its effect tested, and LDoS attacks can be effectively detected and defended against.

Description

Low-rate DoS (LDoS) attack, detection and defense module
Technical field
The present invention relates to computer network security technology: the system simulates a novel low-rate denial of service (LDoS) attack, tests its attack performance, and effectively detects and defends against this kind of attack.
Technical background
Denial of service (DoS) attacks are the greatest threat the Internet currently faces. A traditional denial of service attack mainly has the attacking machines send a huge volume of packets to consume the network resources or computing resources of the target server, so that users cannot use the server's resources and denial of service is achieved; attacks of this kind are called flooding-based denial of service (FDoS) attacks, typical examples being SYN/ACK floods, UDP floods and ICMP floods. Many detection and defense methods for FDoS attacks now exist, but as attack techniques have developed, new denial of service attacks have emerged in an endless stream, and LDoS is one of them. Research on LDoS attacks is still in its initial stage, but in recent years the related work has appeared mainly at first-class international conferences, which shows that it has received considerable attention. At SIGCOMM 2003, the top conference in computer networking, Aleksandar of Rice University was the first to propose a low-rate denial of service attack against the TCP protocol: targeting a weakness of the TCP congestion control mechanism, the paper proposed a potential Low-Rate Denial of Service (LDoS) attack model in which, through precise calculation, only a small amount of attack data is needed to cause denial of service or a decline in service quality at the victim. At ICNP 2004 and INFOCOM 2005, Guirguis proposed the RoQ attack, which in essence also targets weaknesses in TCP congestion control and in router queue management mechanisms so that the performance of specific routers declines. At NDSS 2005, Xiapu Luo also proposed the pulsing attack, whose principle is very similar to that of the LDoS attack. In 2005 an LDoS attack was found on the Abilene backbone network of Internet2, and LDoS attacks became a reality.
The principle of the LDoS attack: the retransmission timeout (RTO) mechanism and the AIMD mechanism of TCP congestion control are considered separately, and LDDoS attacks against the TCP protocol are divided into two classes: LDDoS attacks based on the retransmission timeout mechanism and LDDoS attacks based on the AIMD mechanism.
1. LDoS attack based on the retransmission timeout mechanism
According to the TCP retransmission timeout mechanism, the sender sets a timer for each segment it sends. If the timer expires before the acknowledgement for that segment is received, the sender reduces its send window Cwnd to 1, resends the segment and, following the exponential backoff algorithm, sets RTO to q times its original value (q is usually 2), then waits for the acknowledgement; if the retransmitted segment also times out, it keeps retransmitting until the retransmission succeeds or is abandoned. If the retransmission is acknowledged, the system enters the slow-start state. Under the TCP protocol, for a segment that is not a retransmission, the sender uses the round-trip time RTT measured when it receives that segment's ACK to update the RTO of the link; formula (2.1) gives the calculation:
$$\mathrm{RTO} = \min\{\mathrm{RTO}_{\max},\ \max\{\mathrm{RTO}_{\min},\ \mathrm{SRTT} + \max(G,\ 4 \times \mathrm{VRTT})\}\} \qquad (2.1)$$
To bring the network close to its optimum throughput, the recommended minimum retransmission time $\mathrm{RTO}_{\min}$ is 1 s. $\mathrm{RTO}_{\max}$ is the upper limit of RTO. $G$ is the clock granularity, and SRTT and VRTT denote the smoothed round-trip time and the variation of the round-trip time, respectively.
2. LDDoS attack based on the AIMD mechanism
According to the TCP protocol, when a TCP sender enters fast recovery it calls the AIMD algorithm to adjust the congestion window. Define generalized AIMD(a, b) with a > 0 and 0 < b < 1. The algorithm is as follows: when the sender enters fast recovery, the congestion window is reduced from W to b × W; then every RTT the congestion window increases by a, and this continues until another congestion signal is received. TCP Tahoe, TCP Reno and others use AIMD(1, 0.5). Consider that many TCP implementations do not send an ACK for every packet received, but only after d consecutive packets have been received. The additive increase of generalized AIMD(a, b) is then modified to: every d RTT the congestion window increases by a. This can be expressed further as: every RTT the congestion window increases by a/d.
Unlike the LDDoS attack based on the retransmission timeout mechanism, the attack pulses sent by the LDDoS attack based on the AIMD mechanism are somewhat weaker: they cause network congestion in which the congestion signal received by the TCP sender is 3 duplicate ACK packets rather than a retransmission timer timeout. According to the AIMD algorithm, after the TCP sender receives 3 duplicate ACKs it immediately retransmits the packet and reduces its congestion window Cwnd to b × cwnd (the multiplicative decrease, MD), then grows the window linearly according to the additive increase (AI) algorithm. Under an LDDoS attack based on the AIMD mechanism the link stays in the AIMD state throughout and never enters the retransmission timeout or slow-start state, but its congestion window keeps shrinking and system performance declines step by step; finally the congestion window falls to a limiting value and stays near that value, system performance reaches its worst, and it cannot recover.
A traditional DoS attack is usually aimed at a particular target server or a particular application; for example, a SYN attack on a web server sends a large number of SYN packets to port 80 of the server. An LDoS attack, by contrast, affects all TCP flows passing through the bottleneck link, so its impact is larger. According to the relevant research, an LDoS attack has a good attack effect on the TCP protocol of various versions, including TCP Tahoe, TCP Reno, TCP NewReno and TCP SACK, because none of these TCP versions considered security in their design and they are easily deceived by the short-term congestion the attack manufactures. Meanwhile, the different queue management mechanisms adopted on the bottleneck link, including DropTail, RED, RED-PD and CHOKe, have little influence on the effect of an LDoS attack. These queue management mechanisms perform statistical detection on traffic over long time scales and can limit abnormal flows that carry a large volume for a long time, but an LDoS attack sends a large volume only within a very short time and its average volume is small, so it easily evades detection and filtering.
Compared with the traditional flooding denial of service attack, the LDoS attack is more hidden. First, an LDoS attack congests the link only for a short period and can achieve its goal with less traffic, which means the attacker does not need to control a large number of puppet machines to launch the attack, so the goal of the attack is reached more easily. Second, an LDoS attack can be carried out in various ways: it can be launched from a single host, or several hosts can launch it together, and an attack launched by several hosts further reduces the attack traffic each attacking host must send, so it evades detection more easily. Third, an LDoS attack only needs to cause link congestion to achieve its goal, so it can use any kind of traffic, including TCP traffic. Attack flows mixed into normal TCP traffic are more difficult to filter, and the destination address of the traffic can also vary to some extent, as long as the traffic passes through the bottleneck link.
For the detection of LDoS, traditional detection methods are no longer applicable. Yu Chen, Kai Hwang and others proposed a detection method based on digital signal processing that analyzes the power spectral density; from then on the focus of research shifted to methods based on signal processing. Later, Kai Hwang and Yu-Kwong Kwok proposed a method called HAWK to identify malicious LDoS attack flows, but HAWK applies only to attacks from a single source address. More recently, Luo and Chang found that after an attack is launched the incoming traffic and the outgoing ACK traffic change greatly; based on this characteristic they proposed a method based on wavelet analysis, in which the first part uses the discrete wavelet transform (DWT) to detect abnormal traffic and the second part uses a special CUSUM (cumulative sum) method to detect the change point. Because a detection result based on the wavelet transform depends heavily on the choice of parameters, it is difficult to select one optimal parameter that keeps a high detection rate together with very low false alarm and miss rates.
At present, both internationally and domestically, how to defend effectively against DoS attacks so that the target (host or server) is not attacked has become a research hotspot and a difficult problem. Because LDoS differs from the traditional flooding DoS attack, having low traffic and being difficult to detect with existing detection mechanisms, it poses a larger threat and is more destructive to the network. Up to now, domestic research on this attack pattern has been relatively scarce. Meanwhile, current detection methods have certain deficiencies, and for defense against LDoS attacks there is as yet no good defense method.
Summary of the invention
To study the effect of LDoS attacks and methods of detecting and defending against them, the present invention first develops an LDoS attack tool, then adopts a detection method based on time windows to improve detection efficiency, and finally adopts a "black and white list" method based on flow tables to filter the LDoS attack; experimental results show that this filtering method is effective. It is expected that LDoS will break out on a large scale in the future and become a useful tool of the underground industry chain, so the present invention has important economic value.
(1) LDoS attack and attack-effect test subsystem
The attack tool consists of an attack server and an attack client. The server program is first implanted on captured hosts and is mainly used to receive attack instructions and launch LDoS attack traffic against the target host; the main functions of the client are to set the attack target, the attack duration, which hosts launch the attack, and similar attack settings. First, information about the attack target is collected, including determining the IP address and open port number of the target and determining the link bandwidth; then the attack traffic with the corresponding parameters is generated from the collected information. The test tool simulates normal traffic and measures and compares the web page response time of the HTTP service and the traffic of the FTP service. The attack-effect test needs to simulate normal users accessing the server and compare the difference in page response time and in FTP traffic with and without the attack.
(2) LDoS detection subsystem
The detection submodule is deployed at the victim end. Based on the fact that an LDoS attack is a periodic pulse, the victim-end traffic is sampled at intervals of t seconds; one time window is t' seconds and one decision cycle is T seconds. Every t' seconds it is detected whether a sudden pulse has occurred: sampling at interval t within t' seconds yields a sequence denoted
$x(n)$, $n = 0, 1, 2, \ldots, k-1$, where $k = t'/t$;
From $x(n)$ select the maximum $\mathit{max} = x(\mathit{index})$ and record the subscript $\mathit{index}$ of the maximum. If $\mathit{index} = 0$, judge whether
$$\mathit{max} > \alpha \left[ \sum_{i=1}^{2} x(i) \big/ 2 \right], \quad \text{where } \alpha \text{ is a threshold coefficient,}$$
holds. If it holds, a sudden pulse exists. If $\mathit{index} = n-1$, judge whether
$$\mathit{max} > \beta \left[ \sum_{i=n-3}^{n-2} x(i) \big/ 2 \right], \quad \text{where } \beta \text{ is a threshold coefficient,}$$
holds. If it holds, a sudden pulse exists. Otherwise, judge whether
$$\mathit{max} > \lambda \left[ \left( \sum_{i=0}^{\mathit{index}-1} x(i) + \sum_{i=\mathit{index}+1}^{n-1} x(i) \right) \big/ (n-1) \right], \quad \text{where } \lambda \text{ is a threshold coefficient,}$$
holds. If it holds, a sudden pulse exists. If a sudden pulse exists, the value C of the decision counter is incremented by 1 after each such time window t'; when the decision time T arrives, it is judged whether the value of the decision counter within the T seconds exceeds the threshold M: if C > M holds, an attack is judged to have occurred.
(3) LDoS defense subsystem
The defense submodule comprises 5 modules: packet capture, packet analysis, data statistics, storage and filtering. If an attack is detected in the network, the packets entering the victim end are analyzed, and the source and destination addresses, source and destination port numbers and protocol number of each packet are stored as flow information in the "white list" (normal flow table); when the decision moment arrives, this is compared with the "red list" established earlier through learning, and if the suspicious information is not in the "red list" (suspicious flow table) it is judged to be an attack and these flows are entered in the "blacklist" (attack flow table). Finally, the filtering module generates filtering rules with an iptables script generator, and the corresponding attack flows are then filtered inside the kernel by the kernel module Netfilter.
Description of the drawings
Fig. 1 is the LDoS attack model: (a) shows the LDoS attack stream from a single source, and (b) shows the LDoS attack streams of two half-rate sources.
Fig. 2 is the network topology used by this module. The module comprises 6 PCs, 1 server, 2 routers and 2 switches in total. The detection and defense system is located at the upstream hop of the victim end. The routers in the figure are Cisco 2621, and the bottleneck bandwidth between the routers is 100 Mbps. The configuration of the other devices is shown in the table:

| Identifier | IP address | Operating system |
|---|---|---|
| Console | 10.1.20.8 | RedHat 9.0 |
| Puppet machine 1 | 10.1.20.140 | Fedora Core 4 |
| Puppet machine 2 | 10.1.20.141 | Fedora Core 4 |
| Puppet machine 3 | 10.1.20.142 | Fedora Core 4 |
| Normal user 4 | 10.1.20.150 | Windows XP |
| Normal user 5 | 10.1.20.160 | Windows XP |
| Server | 10.1.10.12 | Fedora Core 4 |
Fig. 3 is the workflow diagram of the whole LDoS attack, detection and defense system.
Fig. 4 shows the actual measurement results of the link bandwidth.
Fig. 5 is the curve of the page-read response time of the HTTP service.
Fig. 6 is the monitoring chart of FTP service traffic changes.
Fig. 7 is the flow chart of the time-window-based detection method.
Fig. 8 is the structure diagram of the defense subsystem.
Fig. 9 shows the attack flow information counted after flow-table processing.
Fig. 10 is the statistical chart of FTP service traffic after the defense system is enabled.
Embodiment
1. Use Nmap to scan the ports of the attack target 10.1.20.100 and collect the relevant information. The scan finds that its open port is 7775, so port 7775 is chosen as the attacked port.
2. Determination of the attack amplitude. The dedicated software IxChariot developed by NetIQ is used to test the maximum throughput of the target, in order to determine the size of the attack traffic each attacking zombie machine sends. Running the IxChariot test gives an average throughput of about 12.000 MByte/s (i.e. about 100 Mbps), as shown in Fig. 4.
3. Three zombie machines are used to attack, and the attack amplitude of each zombie is set to 40 Mbps. The specific parameters of the LDoS attack are: pulse amplitude 40 Mbps, pulse width 150 ms, pulse period 1150 ms.
The commands that generate the attack stream are as follows:

```
1) mk_dos_trace.out00100150115050file_name.txt
2) cd /usr/site/bin
3) matlab
4) a=load('file_name.txt')
```

where file_name.txt is obtained from step 3.

```
5) pswrite('test_file.bin',a)
```

This yields the binary file test_file.bin containing the attack stream parameters.
4. The generated attack-stream parameter file is implanted on the puppet machines by the console.
5. LoadRunner software is used to simulate the generation of normal traffic. The test simulates 10 users accessing the web page of the "Civil Aviation University of China"; the page size is 52k. At the beginning no attack traffic is added and there is only normal HTTP traffic. At 6:30 the LDoS attack is launched; it lasts about 3.5 minutes and ends at 10:00. The recorded page response time is shown in Fig. 5. Regarding the page-read response time: during 0:00-6:30 the response time for reading the page averaged about 1.6 seconds; between 7:00 and 9:30 the page-read response time changed from 3.2 seconds to 23.8 seconds; from 8:30 it gradually recovered from 4.2 seconds, and at 10:00, after the LDoS attack stopped, the page-read response time again averaged about 1.6 seconds. According to the statistics, the page-read response time rose by 15.9 seconds on average. The result proves that the LDoS attack has a large impact on the normal HTTP service.
6. The victim provides an FTP service, and a normal user downloads a file from the server. Traffic changes are monitored at the normal user end and at the victim end respectively, as shown in Fig. 6. In the initial stage, without the LDoS attack, the server's upload traffic is higher; after the attack is added, the server's upload traffic drops significantly and the download traffic increases.
Experimental results: 20 representative experiments were selected; the results are shown in the table:
According to the statistics, without the LDoS attack the average traffic of a normal client download is 5.473M; after the LDoS attack is added, the average download traffic is 2.63M. The average decline in traffic is 51.9%.
7. The attack is launched, and sampling at the victim end counts packet numbers with a time window of 1.2 s, using the time-window-based detection algorithm. If there is no sudden pulse in a time window, the traffic is regarded as normal, its information is recorded in the normal flow table, and detection continues; if there is a sudden pulse, the traffic is regarded as suspicious, its information is recorded in the suspicious flow table, the counter is incremented by 1, and monitoring continues; if a decision cycle has arrived and the value of the counter exceeds the threshold, an attack is determined, the information in the suspicious flow table is compared with the information in the normal flow table, and the flow information that is in the suspicious flow table but not in the normal flow table is recorded in the attack flow table.
Detection results: the test results obtained with sampling time lengths of 200 ms, 250 ms and 300 ms are shown in the table:

| Time-domain sampling time span | 150 ms | 200 ms | 250 ms |
|---|---|---|---|
| Accuracy rate | 96.5% | 97.1% | 98.3% |
| Miss rate | 2.8% | 2.6% | 1.7% |
| False alarm rate | 2.5% | 2.3% | 1.2% |
The time-window statistical detection method is highly efficient: the accuracy rate reaches 96.5% or more, and the miss rate and false alarm rate are below 2.8%. In addition, the sampling time length is correlated with the detection result: the longer the sampling time span, the better the performance.
The packet-count statistics are mainly implemented by the program:

```
tcpstat 0.2 -s 6 -o "%n\n" > temp.txt
```
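The time-window decision described for the detection subsystem above (and restated in step 7 and in submodule (2) of claim 1), implemented as an added example over a constructed per-200 ms packet-count series of the kind tcpstat writes to temp.txt. This is not the patent's own code; the coefficient alpha used when the maximum is the first sample is assumed, since the page gives values only for β and λ.

```python
"""Time-window pulse detection for LDoS (added example, not the patent's code).

Parameters follow claim 2: t = 200 ms sampling interval, t' = 1.2 s window
(k = 6 samples), T = 6 s decision cycle (5 windows), counter threshold 3,
beta = 1.6, lambda = 1.8. Alpha (first-sample case) is not on the page and
is assumed to be 1.6.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class WindowDetector:
    samples_per_window: int = 6   # k = t'/t = 1.2 s / 200 ms
    windows_per_cycle: int = 5    # T/t' = 6 s / 1.2 s
    threshold_m: int = 3          # an attack is declared when C > M
    alpha: float = 1.6            # assumed: not given on the page
    beta: float = 1.6             # claim 2
    lam: float = 1.8              # claim 2

    def window_has_pulse(self, x: Sequence[int]) -> bool:
        """Apply the three-case maximum test to one window x(0..n-1)."""
        n = len(x)
        if n < 3:
            raise ValueError("a window needs at least three samples")
        index = max(range(n), key=x.__getitem__)   # first maximum wins ties
        peak = x[index]
        if index == 0:
            # maximum is the first sample: compare with the next two samples
            baseline = (x[1] + x[2]) / 2
            return peak > self.alpha * baseline
        if index == n - 1:
            # maximum is the last sample: compare with the previous two samples
            baseline = (x[n - 3] + x[n - 2]) / 2
            return peak > self.beta * baseline
        # interior maximum: compare with the mean of all n-1 other samples
        baseline = (sum(x) - peak) / (n - 1)
        return peak > self.lam * baseline

    def decide_cycle(self, windows: Sequence[Sequence[int]]) -> Tuple[int, bool]:
        """Count the windows that contain a pulse (C); the cycle is an attack iff C > M."""
        c = sum(1 for w in windows if self.window_has_pulse(w))
        return c, c > self.threshold_m

    def run(self, counts: Sequence[int]) -> List[Tuple[int, bool]]:
        """Split a packet-count series into windows and cycles; one verdict per full cycle."""
        k, m = self.samples_per_window, self.windows_per_cycle
        per_cycle = k * m
        verdicts = []
        for start in range(0, len(counts) - per_cycle + 1, per_cycle):
            cycle = counts[start:start + per_cycle]
            windows = [cycle[i:i + k] for i in range(0, per_cycle, k)]
            verdicts.append(self.decide_cycle(windows))
        return verdicts


# Constructed packet counts per 200 ms interval, one 6 s decision cycle each.
NORMAL_SERIES = ([48, 52, 50, 49, 51, 50] + [47, 53, 50, 51, 49, 50]) * 2 + [48, 52, 50, 49, 51, 50]
# A ~150 ms pulse every 1150 ms lands in four of the five windows here:
# interior maximum, first-sample maximum, last-sample maximum, no pulse, interior.
ATTACK_SERIES = (
    [50, 420, 49, 51, 50, 48]
    + [430, 50, 49, 52, 51, 50]
    + [50, 49, 51, 50, 48, 440]
    + [49, 51, 50, 52, 48, 50]
    + [51, 48, 50, 410, 49, 52]
)

if __name__ == "__main__":
    det = WindowDetector()
    print("normal:", det.run(NORMAL_SERIES))   # [(0, False)]
    print("attack:", det.run(ATTACK_SERIES))   # [(4, True)]
```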
The flow information analysis is mainly implemented by the program:
The storage of flow information in the database is mainly implemented as follows:
1) Table structure:
```sql
CREATE TABLE normalflows (
  Id INT,
  Saddr CHAR(20),
  Sport CHAR(10),
  Daddr CHAR(20),
  Dport CHAR(10),
  Protocol INT,
  PRIMARY KEY (Id)
);
```
2) Relevant MySQL database API:

```c
#include <mysql/mysql.h>
#include <string.h>

MYSQL mysql;                                 /* connection handle */
mysql_init(&mysql);                          /* initialize the database handle */
/* connect to the database server (host, user, password, no default database,
   port 3306, UNIX socket, no client flags) */
mysql_real_connect(&mysql, "localhost", "root", "", NULL, 3306,
                   "/var/lib/mysql/mysql.sock", 0);
mysql_select_db(&mysql, "netflow");          /* select the database netflow */
mysql_num_rows(res);                         /* returns the number of rows in the result set res */
mysql_real_query(&mysql, str, strlen(str));  /* executes the SQL statement str, given as a counted string */
mysql_close(&mysql);                         /* close the database connection */
```
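The flow-table "black and white list" decision of the defense submodule (and of submodule (3) of claim 1), together with the rule generation of step 8, as an added example that is not the patent's code: it packs the 5-tuple into the 104-bit identifier the claims describe, compares the suspicious flows against the learned normal table, and emits one iptables DROP rule per blacklisted flow. The rule format, the UDP protocol and the client ports are assumptions of this example; the addresses and port 7775 come from the page.

```python
"""Flow-table decision for the defence submodule (added example, not the patent's code).

The normal, suspect and attack sets stand in for the normalflows, suspectflows
and attackflows tables of the netflow database. The iptables rule text is this
example's own format; the patent's script generator is not shown on the page.
"""
import hashlib
import ipaddress
import struct
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    saddr: str
    daddr: str
    sport: int
    dport: int
    proto: int


def flow_id(f: Flow) -> int:
    """Pack (saddr, daddr, sport, dport, proto) into 32+32+16+16+8 = 104 bits."""
    packed = struct.pack(
        "!4s4sHHB",
        ipaddress.IPv4Address(f.saddr).packed,
        ipaddress.IPv4Address(f.daddr).packed,
        f.sport, f.dport, f.proto,
    )
    return int.from_bytes(packed, "big")


def flow_digest(f: Flow) -> str:
    """Alternative identifier from the claims: a short hash of the concatenated 5-tuple."""
    return hashlib.sha256(flow_id(f).to_bytes(13, "big")).hexdigest()[:16]


class FlowTables:
    def __init__(self) -> None:
        self.normal: Set[int] = set()        # learned before any alarm (normalflows)
        self.suspect: Dict[int, Flow] = {}   # recorded while an alarm is raised (suspectflows)
        self.attack: Dict[int, Flow] = {}    # decided at the decision moment (attackflows)

    def learn_normal(self, flows: Iterable[Flow]) -> None:
        for f in flows:
            self.normal.add(flow_id(f))

    def record_suspect(self, flows: Iterable[Flow]) -> None:
        for f in flows:
            self.suspect.setdefault(flow_id(f), f)

    def decide(self) -> List[Flow]:
        """Suspicious flows absent from the normal table become attack flows."""
        new_attack = []
        for fid, f in self.suspect.items():
            if fid not in self.normal and fid not in self.attack:
                self.attack[fid] = f
                new_attack.append(f)
        self.suspect.clear()
        return new_attack


def iptables_rules(flows: Iterable[Flow], chain: str = "FORWARD") -> List[str]:
    """One DROP rule per attack flow (FORWARD on the upstream-hop router, INPUT on the victim host)."""
    names = {1: "icmp", 6: "tcp", 17: "udp"}
    rules = []
    for f in flows:
        proto = names.get(f.proto, str(f.proto))
        rule = f"iptables -A {chain} -p {proto} -s {f.saddr} -d {f.daddr}"
        if f.proto in (6, 17):
            rule += f" --sport {f.sport} --dport {f.dport}"
        rules.append(rule + " -j DROP")
    return rules


# Constructed flows: the normal users (10.1.20.150/160) use FTP and HTTP on the
# server 10.1.10.12; during the alarm the puppet machines hit port 7775 (UDP assumed).
NORMAL_FLOWS = [
    Flow("10.1.20.150", "10.1.10.12", 51234, 21, 6),
    Flow("10.1.20.160", "10.1.10.12", 51500, 80, 6),
]
SUSPECT_FLOWS = [
    Flow("10.1.20.140", "10.1.10.12", 40000, 7775, 17),
    Flow("10.1.20.141", "10.1.10.12", 40000, 7775, 17),
    Flow("10.1.20.142", "10.1.10.12", 40000, 7775, 17),
    Flow("10.1.20.150", "10.1.10.12", 51234, 21, 6),   # legitimate flow seen during the alarm
]


def demo():
    """Learn the normal table, record the alarm-time flows, decide, and build the rules."""
    tables = FlowTables()
    tables.learn_normal(NORMAL_FLOWS)
    tables.record_suspect(SUSPECT_FLOWS)
    blacklisted = tables.decide()
    return blacklisted, iptables_rules(blacklisted)


if __name__ == "__main__":
    for rule in demo()[1]:
        print(rule)
```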
Detection results
8. After an LDoS attack is detected, the defense subsystem starts working. The information in the attack flow table is extracted and the iptables script generator is called to add the corresponding filtering rules and drop the attack packets. The iptables rules are set as follows:
Protection effect: the contrast between enabling and not enabling the defense mechanism is shown in the table:
Fig. 10 is the monitoring chart of FTP traffic at the normal user end after the defense is enabled. The result shows that the LDDoS detection and defense mechanism can detect and defend against LDDoS attacks very accurately while maintaining low miss and false alarm rates; the defense mechanism ensures that the server can continuously and stably provide normal service to legitimate users.

Claims (2)

1. An LDoS attack, detection and defense module, characterized by the following three submodules:
(1) LDoS attack submodule;
(2) LDoS attack detection sub-module;
(3) LDoS attack defence submodule;
The features of each submodule are:
Submodule (1) is the LDoS attack tool, comprising an attack server and an attack client. The server program is first implanted on captured hosts and is mainly used to receive attack instructions and launch LDoS attack traffic against the target host. The main functions of the client are to select the attack target and to set the attack pulse period, the attack pulse width and the attack pulse strength; the functions performed by the client installed on the console mainly comprise: 1) scanning the puppet network, viewing the puppet hosts currently online, and generating an IP list file of the currently available puppet hosts, saved as a text file for program use; 2) uploading the bin file containing the attack parameters to the puppet machines and notifying the puppet machines of the IP address and port number of the attack target host; 3) setting the time at which the puppet machines launch the attack and its duration, and issuing the attack instruction. The main functions of the server-side attack traffic generation tool uploaded to the puppet machines comprise: 1) receiving the bin file containing the attack parameters sent by the client; 2) receiving the attack instruction and precisely setting the attack moment; 3) generating the corresponding attack traffic according to the received bin file and launching the attack;
Submodule (2) is the LDoS attack detection module, which adopts a statistical decision method based on time windows, divided into the following steps: 1) monitoring traffic at the upstream hop of the victim end and sampling the traffic every t seconds, one time window being t' seconds and one decision cycle T seconds; 2) every t' seconds detecting whether a sudden pulse has occurred: sampling at interval t within t' seconds yields a sequence denoted
$x(n)$, $n = 0, 1, 2, \ldots, k-1$, where $k = t'/t$;
From $x(n)$ select the maximum $\mathit{max} = x(\mathit{index})$ and record the subscript $\mathit{index}$ of the maximum; if $\mathit{index} = 0$, judge whether
$$\mathit{max} > \alpha \left[ \sum_{i=1}^{2} x(i) \big/ 2 \right], \quad \text{where } \alpha \text{ is a threshold coefficient,}$$
holds; if it holds, a sudden pulse exists; if $\mathit{index} = n-1$, judge whether
$$\mathit{max} > \beta \left[ \sum_{i=n-3}^{n-2} x(i) \big/ 2 \right], \quad \text{where } \beta \text{ is a threshold coefficient,}$$
holds; if it holds, a sudden pulse exists; otherwise, judge whether
$$\mathit{max} > \lambda \left[ \left( \sum_{i=0}^{\mathit{index}-1} x(i) + \sum_{i=\mathit{index}+1}^{n-1} x(i) \right) \big/ (n-1) \right], \quad \text{where } \lambda \text{ is a threshold coefficient,}$$
holds; if it holds, a sudden pulse exists; 3) if a sudden pulse exists, the value C of the decision counter is incremented by 1 after each such time window t'; 4) when the decision time T arrives, it is judged whether the value of the decision counter within the T seconds exceeds the threshold M; if C > M holds, an attack is judged to have occurred;
Submodule (3) is the LDoS attack defense module. The defense method filters attack packets with flow-table-based filtering. The basic idea of flow-table-based filtering is to build an identification list of the established connections; during packet filtering, the connection identifier of each passing packet is extracted, and if the identifier belongs to the list the packet is passed, otherwise it is dropped. A connection is uniquely determined by the source and destination addresses, the source and destination ports and the protocol number of the two communicating sides, 5 values totalling 104 bits, which are used as the identifier; alternatively, the 5 values are concatenated and a short hash digest is generated as the identifier. The identifiers of the established connections are listed in the "red list", which represents the normal flow table; if an attack is then detected in the network, these attack flows are first put into the "white list", which represents the suspicious flow table, and a decision is made after the decision time arrives: if these suspicious flow connections are not in the "red list", they are judged to be attack packets and entered in the "blacklist", which represents the attack flow table.
2. The LDoS attack, detection and defense module according to claim 1, characterized in that: 1) in the attack submodule the settings are: the IP address of the target host is 10.1.10.100, the IP address of puppet machine 1 is 10.1.20.140, the IP address of puppet machine 2 is 10.1.20.150, the IP address of puppet machine 3 is 10.1.20.160, the target host port number is 7775, the LDoS attack pulse period is 1150 ms, the attack pulse width is 150 ms, and the strength of a single attack pulse is 33 Mbps;
in the detection submodule the settings are: t = 200 ms, t' = 1.2 s, T = 6 s, threshold C = 3, and the threshold coefficients set by learning are β = 1.6 and λ = 1.8;
in the defense submodule the database netflow stores all flows, and the database netflow has three tables: normalflows stores normal flows, suspectflows stores suspicious flows and attackflows stores attack flows; the defense submodule mainly generates filtering rules by writing an iptables script generator and then filters the attack flows in the kernel through the kernel module Netfilter.
CN201010519862.7A, priority date 2010-10-26, filing date 2010-10-26: Low-rate DoS (LDoS) attack, detection and defense module. Status: Active. CN102457489B (en)


Publications (2)

| Publication number | Publication date |
|---|---|
| CN102457489A (en) | 2012-05-16 |
| CN102457489B (en) | 2015-11-25 |


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110233838A (en) * 2019-06-06 2019-09-13 东软集团股份有限公司 A kind of defence method, device and the equipment of pulsed attack

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104125193A (en) * 2013-04-24 2014-10-29 中国民航大学 LDDoS attack detection method based on chaotic Dufing oscillators
CN104125194A (en) * 2013-04-24 2014-10-29 中国民航大学 LDDoS attack time synchronization and flow convergence method based on cross correlation
CN103281317B (en) * 2013-05-09 2016-06-08 浙江师范大学 A kind of attack testing method of software defined network
CN103546465B (en) * 2013-10-15 2016-10-19 北京交通大学长三角研究院 LDoS attack detection based on traffic period monitoring and defence method
CN103561025B (en) * 2013-11-01 2017-04-12 中国联合网络通信集团有限公司 Method, device and system for detecting DOS attack prevention capacity
CN103916222A (en) * 2014-03-14 2014-07-09 电信科学技术研究院 Method and device for adjusting uplink service transmitting mode
CN104158823B (en) * 2014-09-01 2017-05-10 江南大学 Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service)
CN104253817A (en) * 2014-09-25 2014-12-31 大连梯耐德网络技术有限公司 FPGA (field programmable gate array)-based network behavior attack method and FPGA-based network behavior attack device
CN105208037B (en) * 2015-10-10 2018-05-08 中国人民解放军信息工程大学 A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection
CN107005538B (en) * 2015-10-16 2020-06-30 德正远(青岛)新能源科技有限公司 Data transmission method, device and system
CN106789831B (en) * 2015-11-19 2020-10-23 阿里巴巴集团控股有限公司 Method and device for identifying network attack
CN105245412B (en) * 2015-11-20 2019-06-14 上海斐讯数据通信技术有限公司 Port traffic monitoring method and system, and network device
CN106411829A (en) * 2015-12-14 2017-02-15 中国民航大学 LDoS attack detection method based on wavelet energy spectrum and combined neural network
CN105554041B (en) * 2016-03-01 2018-05-25 江苏三棱智慧物联发展股份有限公司 Method for detecting distributed denial of service attacks based on a flow-table timeout mechanism
CN105897609B (en) * 2016-04-01 2019-04-09 浙江宇视科技有限公司 Method and apparatus for supervising data stream transmission
CN107707513B (en) * 2017-01-10 2019-05-17 北京数安鑫云信息技术有限公司 Method and device for defending against network attacks
CN108199898A (en) * 2018-01-12 2018-06-22 中国民航大学 Method for enhancing LDoS attack efficiency
CN108551448B (en) * 2018-04-12 2020-09-15 盾盟(上海)信息技术有限公司 Distributed denial of service attack detection method
CN109040131B (en) * 2018-09-20 2021-04-27 天津大学 LDoS attack detection method in SDN environment
CN110012006B (en) * 2019-04-01 2021-03-02 中国民航大学 Low-rate denial of service attack method for CUBIC
CN111769998B (en) * 2019-08-13 2022-07-05 北京京东尚科信息技术有限公司 Method and device for detecting network delay state
CN111444501B (en) * 2020-03-16 2023-04-18 湖南大学 LDoS attack detection method based on combination of Mel cepstrum and semi-space forest
CN111478893B (en) * 2020-04-02 2022-06-28 中核武汉核电运行技术股份有限公司 Detection method for slow HTTP attack
CN112073402B (en) * 2020-08-31 2022-05-27 新华三信息安全技术有限公司 Traffic attack detection method and device
CN112637202B (en) * 2020-12-22 2022-08-12 贵州大学 LDoS attack detection method based on integrated wavelet transform in SDN environment
CN112788062B (en) * 2021-01-29 2022-03-01 湖南大学 ET-EDR-based LDoS attack detection and mitigation method in SDN
CN113890746B (en) * 2021-08-16 2024-05-07 曙光信息产业(北京)有限公司 Attack traffic identification method, device, equipment and storage medium
CN117097575B (en) * 2023-10-20 2024-01-02 中国民航大学 Low-rate denial of service attack defense method based on cross-layer cooperative strategy

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101459519A (en) * 2009-01-08 2009-06-17 西安交通大学 Defense method for flooding-based DoS attack based on network flow
CN101577642A (en) * 2008-05-08 2009-11-11 吴志军 Method for one-step forecasting Kalman filtering detection of LDoS attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008148099A1 (en) * 2007-05-25 2008-12-04 New Jersey Institute Of Technology Method and system to mitigate low rate denial of service (dos) attacks

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101577642A (en) * 2008-05-08 2009-11-11 吴志军 Method for one-step forecasting Kalman filtering detection of LDoS attack
CN101459519A (en) * 2009-01-08 2009-06-17 西安交通大学 Defense method for flooding-based DoS attack based on network flow

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"A Distributed Cooperative Detection Method for LDoS Attacks"; He Yanxiang et al.; Journal of Chinese Computer Systems (小型微型计算机系统); 2009-03-15; Vol. 30, No. 3; page 2, paragraph 3 to page 4, paragraph 16 *
"Research on the Performance of Low-rate Denial of Service (LDoS) Attacks"; Wu Zhijun et al.; Journal on Communications (通信学报); 2008-06-25; Vol. 29, No. 6; page 2, paragraph 2 to page 7, paragraph 1 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110233838A (en) * 2019-06-06 2019-09-13 东软集团股份有限公司 Pulsed attack defense method, device and equipment
CN110233838B (en) * 2019-06-06 2021-12-17 东软集团股份有限公司 Pulse type attack defense method, device and equipment

Also Published As

Publication number Publication date
CN102457489A (en) 2012-05-16

Similar Documents

Publication Publication Date Title
CN102457489B (en) Low-rate DoS (LDoS) attack, detection and defense module
US11700275B2 (en) Detection of malware and malicious applications
Cui et al. SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks
Wu et al. DDoS detection and traceback with decision tree and grey relational analysis
AU2003229456B2 (en) Network bandwidth anomaly detector apparatus and method for detecting network attacks using correlation function
Sharma et al. Simulating attacks for RPL and generating multi-class dataset for supervised machine learning
CN104618377A (en) NetFlow based botnet network detection system and detection method
CN110166480A (en) Method and device for analyzing data packets
Luo et al. Detecting pulsing denial-of-service attacks with nondeterministic attack intervals
Lin et al. MECPASS: Distributed denial of service defense architecture for mobile networks
CN104158823B (en) Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service)
Şimşek A new metric for flow‐level filtering of low‐rate DDoS attacks
Rajakumaran et al. Early detection of LDoS attack using SNMP MIBs
US20080046549A1 (en) Methods and systems for passive information discovery using lomb periodogram processing
Ioulianou et al. Ml-based detection of rank and blackhole attacks in RPL networks
Bala et al. Quality based Bottom-up-Detection and Prevention Techniques for DDOS in MANET
Yi et al. Performance analysis of mobile ad hoc networks under flooding attacks
Zhan et al. Adaptive detection method for Packet-In message injection attack in SDN
Kaur et al. A novel multi scale approach for detecting high bandwidth aggregates in network traffic
Mergendahl et al. FR-WARD: Fast retransmit as a wary but ample response to distributed denial-of-service attacks from the Internet of Things
Nashat et al. Router based detection for low-rate agents of DDoS attack
Salami et al. Development of Internet Protocol Traceback Scheme for Detection of Denial-of-Service Attack
Tseung et al. Forensic-Aware Anti-DDoS Device
Zhanikeev et al. Anomaly identification based on flow analysis
TW201828147A (en) Telegram clearing method and apparatus solving the technical problem of lower clearing efficiency of a clearing device due to a pre-configured policy

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231122

Address after: Room 602, Building C2, Civil Aviation University of China Science and Technology Park, Zone C, Guangxuan Road Aviation Business Center, Dongli District, Tianjin, 300300

Patentee after: TIANJIN LINGZHI HAOYUE AVIATION TECHNOLOGY Co.,Ltd.

Address before: 300300 Tianjin city Dongli District North Road No. 2898

Patentee before: CIVIL AVIATION UNIVERSITY OF CHINA