CN102882880A - Detection method and detection system of distributed denial of service (DDoS) attack aiming at domain name server (DNS) service - Google Patents


Info

Publication number: CN102882880A
Authority: CN (China)
Legal status: Pending
Application number: CN2012103810105A
Other languages: Chinese (zh)
Inventors: 顾晓清 (Gu Xiaoqing), 倪彤光 (Ni Tongguang), 李玉 (Li Yu)
Current assignee: Changzhou University
Original assignee: Changzhou University
Priority date: 2012-10-10
Filing date: 2012-10-10

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and a system for detecting distributed denial of service (DDoS) attacks against a domain name server (DNS) service. The detection method comprises: step 1, collecting the network data on the protected DNS server; step 2, calculating the total number of response packets returned from the external network and the total number of request packets sent to the external network; step 3, detecting a reflection DDoS attack with a non-parametric adaptive cumulative sum (CUSUM) method and proceeding to step 5 when one is detected; step 4, detecting a query DDoS attack with the same non-parametric adaptive CUSUM method and proceeding to step 5 when one is detected; and step 5, generating alarm information and raising an alarm when a reflection DDoS attack or a query DDoS attack has been detected. The method and system can quickly and efficiently determine whether a reflection DDoS attack or a query DDoS attack is currently taking place.

Description

Method and system for detecting DDoS attacks against a DNS service
Technical field
The present invention relates to the field of network security technology, and in particular to a method and system for detecting DDoS attacks against a DNS service.
Background technology
DNS (Domain Name System) is one of the most critical pieces of Internet infrastructure. Its main function is to translate between host names and IP addresses, on which the smooth operation of other network applications (web browsing, e-mail and so on) depends. Because of design flaws in the original DNS protocol and the limited query capacity of DNS servers themselves, DNS has in recent years repeatedly become the target of distributed denial of service attacks launched by attackers, both against the critical infrastructure of the Internet and against the authoritative name servers of large websites and companies. According to the annual network security report of the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), DDoS (Distributed Denial of Service) attacks have become one of the greatest security threats facing DNS.
DNS-based DDoS attacks take two forms: the query attack (also called the spoofing attack) and the reflection attack.
The principle and characteristics of the DNS query DDoS attack are as follows. The attacker sends attack commands through one or more control consoles to a large number of zombie hosts on the network. On receiving the command, the zombies construct DNS request packets with a large number of forged source IP addresses, as the attack requires, and send them to the target DNS server. When many domain names are mapped to the target DNS server, it receives a flood of query messages, which exhausts its resources or even crashes the system so that it can no longer answer legitimate requests. These forged-source packets converge in front of the target DNS server and form the DDoS attack stream. While the server is under attack, the overwhelming majority of these randomly forged attack packets produce a "resolution failed" result once the DNS server has processed them. Under normal query conditions, by contrast, most queried domain names come from names the user typed into the browser address bar or from links clicked on a web page, and the proportion of erroneous (nonexistent) domain names is very small.
The principle and characteristics of the DNS reflection DDoS attack are as follows. The attacker sends attack commands through one or more control consoles to a large number of zombie hosts on the network. On receiving the command, the zombies forge the IP address of the victim DNS server as the source address and send DNS query packets to a large number of open recursive DNS servers (open recursive resolvers) on the Internet. Because open recursive DNS servers do not verify the authenticity of the source address of a request, they all reply. All of these response packets converge at the victim DNS server, forming a DNS reflection denial-of-service stream that congests the victim's network and ultimately amounts to a DDoS attack. Because DNS request and response packets normally occur in pairs, the number of response packets clearly exceeds the number of request packets while a DNS reflection DDoS attack is in progress.
At present there is no effective solution for DDoS attacks against the DNS service, and existing DDoS detection and defence methods do not meet the requirements of DNS service protection. For example, H. Tsunoda et al. proposed extracting information from the packets sent toward the external network and verifying the returned packets against that information, which detects reflection DDoS attacks in general. The method is simple and effective, but it does not elaborate on which features should be chosen as that information when it is applied specifically to defending against DNS reflection DDoS attacks. Fanglu Guo et al. proposed placing a DNS proxy in front of the DNS server that communicates with the source using a cookie technique, in order to identify attack packets with forged addresses. The method identifies forged-address packets with high accuracy, but its drawback is equally clear: because it must perform a cookie computation for every packet received, it is itself easily subjected to a DDoS attack aimed at the cookie verification.
Summary of the invention
The technical problem solved by the invention is to provide a method and system for detecting DDoS attacks against a DNS service which, through data collection and analysis at the DNS server side and detection with a non-parametric adaptive CUSUM method, can quickly and efficiently detect whether a query DDoS attack or a reflection DDoS attack is currently taking place and raise an alarm in time.
The invention solves the above technical problem with the following technical scheme. A method for detecting DDoS attacks against a DNS service, characterised in that it comprises the following steps:
Step 1: collect the network data on the protected DNS server;
Step 2: from the collected network data, calculate the total number of response packets returned from the external network and the total number of request packets sent to the external network, and proceed to step 3; at the same time, among the response packets that the DNS server sends out to the external network after resolution, calculate the total number of packets whose resolution succeeded and the total number whose resolution failed, and proceed to step 4;
Step 3: apply the non-parametric adaptive CUSUM method to the results of step 2 to detect a reflection DDoS attack; if a reflection DDoS attack is detected, proceed to step 5;
Step 4: apply the non-parametric adaptive CUSUM method to the results of step 2 to detect a query DDoS attack; if a query DDoS attack is detected, proceed to step 5;
Step 5: if a reflection DDoS attack or a query DDoS attack has been detected, generate alarm information and raise an alarm; the alarm information includes the time at which the DDoS attack occurred and the type of the attack.
Preferably, step 3 comprises the following sub-steps:
Step 3.1: selection of the data-stream features of the reflection DDoS attack, namely the total number of response packets returned from the external network and the total number of request packets sent to the external network obtained in step 2;
Step 3.2: construction of the sequence model for the non-parametric adaptive CUSUM method;
Step 3.3: adaptive adjustment of the threshold;
Step 3.4: detection of the reflection DDoS attack.
Preferably, step 4 comprises the following sub-steps:
Step 4.1: selection of the data-stream features of the query DDoS attack, namely the total numbers of packets whose resolution succeeded and whose resolution failed among the response packets obtained in step 2;
Step 4.2: construction of the sequence model for the non-parametric adaptive CUSUM method;
Step 4.3: adaptive adjustment of the threshold;
Step 4.4: detection of the query DDoS attack.
Preferably, in step 5 the time at which the DDoS attack occurred is determined by analysing the alarm times against preset interval thresholds.
The invention also provides a system for detecting DDoS attacks against a DNS service, characterised in that it comprises a data processing module, an attack detection module and an alarm module, wherein:
the data processing module is connected to a switch port, is responsible for collecting and processing the data on the DNS server, and computes the traffic statistics within each time slice;
the attack detection module is connected to the data processing module and detects whether the DNS server is currently under a reflection DDoS attack or a query DDoS attack;
the alarm module is connected to the attack detection module and, if a reflection DDoS attack or a query DDoS attack is detected, raises an alarm and reports the time at which the attack occurred and the type of the attack.
Preferably, the data processing module comprises a data acquisition module and a data analysis module. The data acquisition module collects and obtains the data information on the DNS server; the data analysis module computes the overall access traffic on the DNS server within a time slice, calculates the total number of response packets returned from the external network and the total number of request packets sent to the external network, and, for the response packets sent to the external network, calculates the total number whose resolution succeeded and the total number whose resolution failed.
Preferably, the attack detection module comprises a first detection module and a second detection module; the first detection module tests whether the DNS server is currently under a reflection DDoS attack, and the second detection module tests whether it is currently under a query DDoS attack. Both detection modules use the non-parametric adaptive CUSUM method.
The positive effects of the invention are as follows. First, the network traffic features extracted by the invention are simple, and the data-processing overhead is small. Second, detection with the non-parametric adaptive CUSUM method gives good results: it achieves high detection accuracy, raises the alarm while the DDoS attack is in progress, keeps the false-alarm and miss rates of the system low, and identifies the specific type of DDoS attack, which provides technical support for choosing effective defensive measures. Third, the adaptive threshold adjustment allows the invention to cope with more complex network environments.
Description of drawings
Fig. 1 is the flow chart of the method of the invention for detecting DDoS attacks against a DNS service.
Fig. 2 is the block diagram of the system of the invention for detecting DDoS attacks against a DNS service.
Embodiment
A preferred embodiment of the invention is described in detail below with reference to the drawings.
The non-parametric adaptive CUSUM (Cumulative Sum) method is a sequential analysis technique, first proposed by E. S. Page of Cambridge University, that detects a change in the mean of a statistical process. It rests on the fact that, if a change occurs, the probability distribution of the random sequence changes. The classical CUSUM method needs a parametric model of the random sequence so that the sequence can be monitored through its probability density function. A network, however, is a dynamic and complex entity, and modelling its traffic as a random sequence is relatively difficult. The non-parametric adaptive CUSUM method needs no specific model: its main idea is to accumulate the amount by which the values exceed their average level under normal operation. This makes it better suited to analysing Internet traffic, and it can monitor a random variable continuously, achieving real-time detection.
As shown in Fig. 1, the method of the invention for detecting DDoS attacks against a DNS service comprises the following steps:
Step 1: collect the network data on the protected DNS server.
The network data stream of the server is obtained from the mirror port of the switch on the DNS server side and stored in a data file.
Step 2: the captured packet information is processed in units of time slices, and the packet traffic information within each time slice is analysed. This traffic information includes the number of query packets, statistics of source and destination IP addresses, statistics of packet type (request or response), and so on. The traffic of response packets and request packets within the time slice is measured; in addition, the response packets that the internal DNS server sends to the external network after resolution are examined. For each of these outbound response packets, the value of the low four bits (RCODE) of the flags field of the DNS header is checked: a value of 0 (NOERROR) indicates that the domain name resolution succeeded, and a value of 3 (NXDOMAIN) indicates that the domain name resolution failed.
The relevant calculations are then performed on these measurements: from the collected network data, the total number of response packets returned from the external network and the total number of request packets sent to the external network are calculated, and the method proceeds to step 3; at the same time, among the response packets that the DNS server sends to the external network after resolution, the total number of packets whose resolution succeeded and the total number whose resolution failed are calculated, and the method proceeds to step 4.
Specifically, in this embodiment the default time slice is 20 seconds, and the network data are processed in units of 20 seconds.
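The counting of step 2, as an added example that is not part of the patent: it decodes the QR bit and RCODE from the DNS header, decides direction from the IP addresses, and accumulates the four per-slice counters (ans, ask, tru, fla) that steps 3 and 4 consume. The server address, the packet tuple layout and the capture below are constructed for the example; it also goes slightly beyond the page by counting every non-NOERROR reply (SERVFAIL, REFUSED, ...) as a failure rather than only RCODE 3.

```python
"""Per-time-slice DNS counters for the detection method (added example)."""
import struct
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed values for this example (not from the patent).
SERVER_IP = "192.0.2.53"   # the protected DNS server, RFC 5737 documentation range
SLICE_SECONDS = 20         # time-slice length used in the page's embodiment

# DNS header flags field (RFC 1035, section 4.1.1).
QR_BIT = 0x8000            # bit 15: 0 = query, 1 = response
RCODE_MASK = 0x000F        # low four bits: response code
RCODE_NOERROR = 0          # resolution succeeded
RCODE_NXDOMAIN = 3         # name does not exist: the failure case the page names

Packet = Tuple[float, str, str, bytes]   # (timestamp, src_ip, dst_ip, DNS payload)


def parse_header(payload: bytes) -> Tuple[bool, int]:
    """Return (is_response, rcode) from the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", payload[:4])
    return bool(flags & QR_BIT), flags & RCODE_MASK


def count_slices(packets: Iterable[Packet],
                 server_ip: str = SERVER_IP,
                 slice_seconds: int = SLICE_SECONDS) -> Dict[int, Dict[str, int]]:
    """Per time slice: ans, ask (step 3 features) and tru, fla (step 4 features).

    Direction is taken from the IP addresses: traffic from server_ip goes to the
    external network, traffic to server_ip comes from it. That is an assumption of
    this example; the page only says the data come from the switch mirror port.
    """
    counters: Dict[int, Dict[str, int]] = defaultdict(
        lambda: {"ans": 0, "ask": 0, "tru": 0, "fla": 0})
    for ts, src, dst, payload in packets:
        try:
            is_response, rcode = parse_header(payload)
        except ValueError:
            continue   # malformed packet: none of the four features, skip it
        c = counters[int(ts // slice_seconds)]
        if src == server_ip:
            if not is_response:
                c["ask"] += 1          # request the server sends out (recursion)
            elif rcode == RCODE_NOERROR:
                c["tru"] += 1          # outbound reply, resolution succeeded
            else:
                c["fla"] += 1          # outbound reply, resolution failed (page: RCODE 3;
                                       # SERVFAIL and the like are counted here too)
        elif dst == server_ip and is_response:
            c["ans"] += 1              # reply returned from the external network
        # queries arriving from clients are not one of the four features
    return dict(counters)


def make_dns(is_response: bool, rcode: int = RCODE_NOERROR, txid: int = 0x1234) -> bytes:
    """Build a header-only DNS packet (constructed test input, no question section)."""
    flags = (QR_BIT if is_response else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


# Constructed capture: a few packets in slice 0 and one packet in slice 1.
SAMPLE_PACKETS = [
    (1.0, SERVER_IP, "198.51.100.7", make_dns(False)),                 # ask
    (2.0, SERVER_IP, "198.51.100.7", make_dns(False)),                 # ask
    (3.0, "198.51.100.7", SERVER_IP, make_dns(True)),                  # ans
    (4.0, "203.0.113.9", SERVER_IP, make_dns(False)),                  # client query: ignored
    (5.0, SERVER_IP, "203.0.113.9", make_dns(True)),                   # tru (NOERROR)
    (6.0, SERVER_IP, "203.0.113.9", make_dns(True, RCODE_NXDOMAIN)),   # fla
    (7.0, "198.51.100.8", SERVER_IP, b"\x00\x01"),                     # truncated: skipped
    (25.0, SERVER_IP, "203.0.113.9", make_dns(True, 2)),               # slice 1, SERVFAIL -> fla
]


def sample_counts() -> Dict[int, Dict[str, int]]:
    """Counters for the constructed capture above."""
    return count_slices(SAMPLE_PACKETS)


if __name__ == "__main__":
    for slot, c in sorted(sample_counts().items()):
        print(f"slice {slot}: {c}")
```

A real collector would read the mirror-port capture (pcap) instead of the constructed list, filter on UDP/TCP port 53, and keep a separate counter for malformed packets rather than silently dropping them, since a surge of undecodable packets is itself worth an alarm.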
Step 3: apply the non-parametric adaptive CUSUM method to the results of step 2 to detect a reflection DDoS attack; if a reflection DDoS attack is detected, proceed to step 5.
(1) Selection of the data-stream features of the reflection DDoS attack: the total number of response packets returned from the external network and the total number of request packets sent to the external network obtained in step 2.
Let ans be the total number of response packets returned from the external network counted on the DNS server, and ask the total number of request packets sent to the external network counted on the DNS server. The sequence $sk[n]$, $n = 0, 1, 2, \ldots$, is the ratio of ans to ask within one time slice: $sk[n] = ans[n] / ask[n]$, $n = 0, 1, 2, \ldots$
(2) Construction of the sequence model for the non-parametric adaptive CUSUM method.
First, the basic sequence model is established.
When a reflection DDoS attack occurs, not only does the value of $sk[n]$ increase, but the volume of data entering and leaving the DNS server also rises sharply, whereas an increase in the ratio $sk[n]$ caused by something other than an attack is not accompanied by a surge in traffic. $sk[n]$ is therefore weighted as follows: $ws[n] = sk[n] \cdot (ans[n] + ask[n])$, where $ws[n]$ is the weighted ratio of the response and request packet counts obtained in the time slice. The weighting amplifies the difference between the change in $sk[n]$ when an attack occurs and its change under normal conditions, which reduces or avoids false alarms.
Second, the dependence on network size is removed.
Because the sequence $ws[n]$ is closely related to the size of the network, the number of hosts and the sampling interval, the following transformation, formula (1), is applied to reduce the influence of these factors:
$$F[n] = (1-\alpha)\,F[n-1] + \alpha\,ws[n], \qquad E[n] = ws[n] / F[n] \qquad \text{(formula 1)}$$
with initialisation $F[0] = 0$. The parameter $\alpha$ is a user-defined value in the interval (0, 1); in practice it should be set according to the actual network conditions, for example from long-term traffic measurements. (Note that with $F[0] = 0$ the first ratio $E[0]$ is undefined, so an implementation must seed $F$ from the first slice before forming the ratio.) The sequence $E[n]$ then depends only on the transmission state of the current packets and is a stationary, independent random process. Under normal conditions $ws[n]$ and $F[n]$ do not differ much, so the expected value of $E[n]$ is greater than 0 and close to 1. When an attack occurs, the injection of a large number of attack packets makes $ws[n]$ rise sharply, the difference between $ws[n]$ and $F[n]$ becomes large, and the value of $E[n]$ keeps increasing.
Next, the model is transformed so that it suits the non-parametric adaptive CUSUM method.
One assumption of the non-parametric adaptive CUSUM method is that the expected value of the random sequence is below 0 under normal conditions and becomes positive when an anomaly occurs. A further transformation is therefore needed: let MAX be the maximum expected value of $E[n]$ under normal conditions and set $E_2[n] = E[n] - \mathrm{MAX}$. Then $\{E_2[n]\}$, $n = 0, 1, 2, \ldots$, is a random sequence with negative mean; when an attack occurs, $E_2[n]$ increases suddenly and becomes positive.
Finally, the sequence model is completed.
To judge whether a DNS reflection DDoS attack has occurred, the recursive function of formula (2) is defined:
$$y[n] = \big(y[n-1] + E_2[n]\big)^+, \qquad y[0] = 0 \qquad \text{(formula 2)}$$
where $(y)^+ = y$ when $y > 0$ and $(y)^+ = 0$ when $y \le 0$. $y[n]$ is the detection sequence for the reflection DDoS attack.
(3) Adaptive setting of the threshold.
For the detection sequence $y[n]$ at step $n$, the corresponding decision threshold is $N_n = (\beta + 1)\,\mu_{n-1}$, where $\beta$ is a user-defined parameter in [0, 1] and $\mu_{n-1}$ is the exponentially weighted average of the previous values of the detection sequence, $y[i]$, $i = 0, 1, \ldots, n-1$, computed with a smoothing parameter $\gamma$, also user-defined and in [0, 1]. In practice $\beta$ and $\gamma$ should likewise be set according to the actual network conditions.
(4) Detection of the reflection DDoS attack.
$\{y[n]\}$ is compared with the preset threshold $N_n$, which gives the discriminant function of formula (3) that defines a traffic anomaly on the DNS server:
$$d_N(y[n]) = \begin{cases} 1 & y[n] \ge N_n \\ 0 & y[n] < N_n \end{cases} \qquad \text{(formula 3)}$$
where $N_n$ is the attack-detection threshold and $d_N(y[n])$ is the decision at time $n$. If $y[n]$ is not less than $N_n$ the value is 1, indicating that a reflection DDoS attack is occurring, and the method proceeds to step 5; otherwise the value is 0, indicating that the network is normal and not under attack. Note that when the detection sequence has been 0 for some time, $\mu_{n-1}$ and hence $N_n$ are also 0, and $y[n] \ge 0$ holds on every slice; a practical implementation therefore needs a lower bound on $N_n$.
Step 4: apply the non-parametric adaptive CUSUM method to the results of step 2 to detect a query DDoS attack; if a query DDoS attack is detected, proceed to step 5.
(1) Selection of the data-stream features of the query DDoS attack: the total numbers of packets whose resolution succeeded and whose resolution failed among the response packets obtained in step 2.
Let tru be the total number of packets with a successful resolution among the outbound response packets on the DNS server, and fla the total number of packets with a failed resolution among the outbound response packets on the DNS server.
(2) Construction of the sequence model for the non-parametric adaptive CUSUM method.
First, the basic sequence model is established.
The sequence $ft[n]$, $n = 0, 1, 2, \ldots$, is the ratio of fla to tru within one time slice: $ft[n] = fla[n] / tru[n]$, $n = 0, 1, 2, \ldots$
Second, the dependence on network size is removed.
Because the sequence $ft[n]$ is closely related to the size of the network, the number of hosts and the sampling interval, the following transformation, formula (4), is applied to reduce the influence of these factors:
$$M[n] = (1-\alpha)\,M[n-1] + \alpha\,ft[n], \qquad W[n] = ft[n] / M[n] \qquad \text{(formula 4)}$$
with initialisation $M[0] = 0$. The parameter $\alpha$ is a user-defined value in the interval (0, 1); in practice it should be set according to the actual network conditions, for example from long-term traffic measurements. The sequence $W[n]$ is then no longer related to the specific size of the network, depends only on the transmission state of the current packets, and is a stationary, independent random process.
Next, the model is transformed so that it suits the non-parametric adaptive CUSUM method.
Let MAX be the maximum expected value of $W[n]$ under normal conditions and set $W_2[n] = W[n] - \mathrm{MAX}$. In this way $W[n]$, $n = 0, 1, 2, \ldots$, is converted, without losing its statistical properties, into a random sequence $\{W_2[n]\}$ with negative mean; when an attack occurs, $W_2[n]$ increases suddenly and becomes positive.
Finally, the sequence model is completed.
To judge whether a query DDoS attack has occurred, the recursive function of formula (5) is defined:
$$T[n] = \big(T[n-1] + W_2[n]\big)^+, \qquad T[0] = 0 \qquad \text{(formula 5)}$$
where $(T)^+ = T$ when $T > 0$ and $(T)^+ = 0$ when $T \le 0$. $T[n]$ is the detection sequence for the query DDoS attack.
(3) Adaptive setting of the threshold.
For the detection sequence $T[n]$ at step $n$, the corresponding decision threshold is, by analogy with the threshold of step 3, $S_n = (\beta + 1)\,\mu_{n-1}$, where $\beta$ is a user-defined parameter in [0, 1] and $\mu_{n-1}$ is the exponentially weighted average of the previous values of the detection sequence, $T[i]$, $i = 0, 1, \ldots, n-1$, computed with a smoothing parameter $\gamma$, also user-defined and in [0, 1]. In practice $\beta$ and $\gamma$ should likewise be set according to the actual network conditions, and $S_n$ needs the same lower bound as $N_n$.
(4) Detection of the query DDoS attack.
$\{T[n]\}$ is compared with the preset threshold $S_n$, which gives the discriminant function of formula (6) that defines a traffic anomaly on the DNS server:
$$d_N(T[n]) = \begin{cases} 1 & T[n] \ge S_n \\ 0 & T[n] < S_n \end{cases} \qquad \text{(formula 6)}$$
where $S_n$ is the attack-detection threshold and $d_N(T[n])$ is the decision at time $n$. If $T[n]$ is not less than $S_n$ the value is 1, indicating that a query DDoS attack is occurring, and the method proceeds to step 5; otherwise the value is 0, indicating that the network is normal and not under attack.
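Steps 3 and 4 use the same machinery on two different features, so one detector serves both. The following is an added example, not code from the patent: it implements formulas (1) to (6) with the weighted ratio $ws[n]$ for the reflection detector and the ratio $ft[n]$ for the query detector. The parameter values, the per-slice counters and three guards are assumptions of this example: the EWMA is seeded from the first slice (the page's $F[0] = 0$ leaves $E[0]$ undefined), a floor is placed under the threshold so a quiet history does not make $N_n = 0$, and the exponentially weighted mean $\mu$ uses the usual recurrence, which the page names but does not write out.

```python
"""Non-parametric adaptive CUSUM over per-slice DNS features (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def reflection_feature(ans: int, ask: int) -> float:
    """ws[n] = sk[n] * (ans[n] + ask[n]) with sk[n] = ans[n] / ask[n] (step 3)."""
    # ASSUMPTION: a slice with no outbound requests is treated as ask = 1 so sk stays finite.
    return ans / max(ask, 1) * (ans + ask)


def query_feature(tru: int, fla: int) -> float:
    """ft[n] = fla[n] / tru[n] (step 4), with the same guard for tru = 0."""
    return fla / max(tru, 1)


@dataclass
class AdaptiveCusum:
    """One detector; feed it one feature value per time slice."""
    alpha: float          # EWMA weight of formulas (1)/(4), in (0, 1)
    max_normal: float     # MAX: largest expected E[n] (or W[n]) under normal load
    beta: float           # threshold gain: N_n = (beta + 1) * mu_{n-1}, beta in [0, 1]
    gamma: float          # smoothing of mu, in [0, 1]
    floor: float = 0.5    # ASSUMPTION: minimum threshold, not in the page; without it
                          # mu_{n-1} = 0 gives N_n = 0 and y[n] >= N_n on every slice
    baseline: Optional[float] = None   # F[n] or M[n]
    mu: float = 0.0                    # exponentially weighted mean of y[0..n-1]
    y: float = 0.0                     # CUSUM statistic y[n] (or T[n])

    def update(self, x: float) -> Tuple[float, float, bool]:
        """Return (y[n], threshold N_n, decision d_N(y[n]))."""
        if self.baseline is None:
            self.baseline = x   # ASSUMPTION: seed with the first sample instead of F[0] = 0
        else:
            self.baseline = (1 - self.alpha) * self.baseline + self.alpha * x
        e = x / self.baseline if self.baseline > 0 else 0.0     # E[n] = ws[n] / F[n]
        e2 = e - self.max_normal                                 # E2[n] = E[n] - MAX
        threshold = max((self.beta + 1) * self.mu, self.floor)   # N_n from y[0..n-1]
        self.y = max(self.y + e2, 0.0)                           # y[n] = (y[n-1] + E2[n])^+
        alarm = self.y >= threshold                              # formula (3) / (6)
        # ASSUMPTION: mu_n = gamma * mu_{n-1} + (1 - gamma) * y[n]; the page only says
        # "exponentially weighted average with parameter gamma".
        self.mu = self.gamma * self.mu + (1 - self.gamma) * self.y
        return self.y, threshold, alarm


def run_detectors(slices: List[Dict[str, int]], alpha: float = 0.2, max_normal: float = 1.2,
                  beta: float = 0.5, gamma: float = 0.8) -> List[Tuple[int, str]]:
    """Steps 3 and 4 over per-slice counters; returns (slice index, attack type) hits."""
    reflection = AdaptiveCusum(alpha, max_normal, beta, gamma)
    query = AdaptiveCusum(alpha, max_normal, beta, gamma)
    hits: List[Tuple[int, str]] = []
    for n, s in enumerate(slices):
        if reflection.update(reflection_feature(s["ans"], s["ask"]))[2]:
            hits.append((n, "reflection"))
        if query.update(query_feature(s["tru"], s["fla"]))[2]:
            hits.append((n, "query"))
    return hits


# Constructed per-slice counters (20-second slices): six quiet slices, then two attack slices.
NORMAL = {"ans": 1000, "ask": 1000, "tru": 950, "fla": 50}
REFLECTION_SCENARIO = [dict(NORMAL) for _ in range(6)] + [
    {"ans": 9000, "ask": 1000, "tru": 950, "fla": 50},      # reflected replies: ans >> ask
    {"ans": 9500, "ask": 1000, "tru": 950, "fla": 50},
]
QUERY_SCENARIO = [dict(NORMAL) for _ in range(6)] + [
    {"ans": 1000, "ask": 1000, "tru": 1000, "fla": 20000},  # spoofed random names: fla >> tru
    {"ans": 1000, "ask": 1000, "tru": 1000, "fla": 20000},
]

if __name__ == "__main__":
    print("reflection scenario:", run_detectors(REFLECTION_SCENARIO))
    print("query scenario:     ", run_detectors(QUERY_SCENARIO))
```

Because $y[n]$ only decays by the negative $E_2[n]$ of each quiet slice, the statistic stays above the threshold for a few slices after an attack stops; that lingering is one reason step 5 correlates alarm times instead of reporting every positive decision as a separate attack. The parameters here are illustrative; MAX, $\alpha$, $\beta$ and $\gamma$ have to be fitted to the protected server's own traffic history, as the page says.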
Step 5: if a reflection DDoS attack or a query DDoS attack has been detected, generate alarm information and raise an alarm. The alarm information includes the time at which the DDoS attack occurred, the type of the attack, and similar details. The type of DDoS attack is known from the result of the attack detection in step 3 or step 4. The time at which the DDoS attack occurred is determined by analysing the alarm times against preset interval thresholds, using the following procedure:
(1) define two time-interval thresholds, TMAX (the maximum interval threshold) and TMIN (the minimum interval threshold), with TMAX > TMIN;
(2) if the interval T between two alarm times satisfies T > TMAX, the two alarms are considered unrelated, i.e. two separate DDoS attacks have occurred, and both alarm times are recorded;
(3) if T < TMIN, the two alarms are considered closely related and are treated as the same DDoS attack, and only the first alarm time is recorded;
(4) if TMIN ≤ T ≤ TMAX, the two alarms are considered loosely related; both alarm times are recorded and observed further before a decision is made.
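The interval rules of step 5 as an added example (not the patent's code): per-slice detector decisions are mapped to alarm times, and consecutive alarms are then attributed to attacks using TMIN and TMAX. The threshold values and the hit list are constructed; comparing alarms of the same attack type only is an assumption of this example, since the page compares alarm times without saying whether the two attack types are kept apart.

```python
"""Alarm attribution by alarm-interval thresholds, step 5 (added example)."""
from typing import Dict, List, Tuple

SLICE_SECONDS = 20      # slice length of the page's embodiment
TMIN = 60.0             # ASSUMPTION: illustrative minimum interval threshold (seconds)
TMAX = 600.0            # ASSUMPTION: illustrative maximum interval threshold (seconds)


def alarm_times(hits: List[Tuple[int, str]],
                slice_seconds: int = SLICE_SECONDS) -> List[Tuple[float, str]]:
    """Map (slice index, attack type) decisions to (alarm time in seconds, attack type).

    The alarm time is the start of the slice in which the decision fired."""
    return [(n * slice_seconds, kind) for n, kind in hits]


def attribute_alarms(alarms: List[Tuple[float, str]], tmin: float = TMIN,
                     tmax: float = TMAX) -> List[Tuple[float, str, str]]:
    """Apply rules (2) to (4) of step 5 to time-ordered alarms.

    Returns (time, attack type, status): "new" for a separately recorded attack
    (rule 2, and the first alarm of a type), "observe" for a loosely related alarm
    (rule 4). An alarm closer than tmin to the previous alarm of the same type is
    folded into that attack and not recorded (rule 3).
    """
    if tmax <= tmin:
        raise ValueError("TMAX must exceed TMIN")
    records: List[Tuple[float, str, str]] = []
    last_seen: Dict[str, float] = {}          # ASSUMPTION: intervals tracked per attack type
    for t, kind in alarms:
        prev = last_seen.get(kind)
        if prev is not None and t < prev:
            raise ValueError("alarms must be in time order")
        if prev is None or t - prev > tmax:
            records.append((t, kind, "new"))         # rule (2): unrelated, separate attack
        elif t - prev < tmin:
            pass                                     # rule (3): same attack, first time kept
        else:
            records.append((t, kind, "observe"))     # rule (4): loosely related, watch it
        last_seen[kind] = t                          # gaps are measured from the latest alarm
    return records


# Constructed detector output: a reflection alarm lingering over three slices, a
# loosely related one four minutes later, a fresh one after a long gap, then a
# query alarm that is a different attack type.
SAMPLE_HITS = [(6, "reflection"), (7, "reflection"), (8, "reflection"),
               (20, "reflection"), (60, "reflection"), (61, "query")]

if __name__ == "__main__":
    for t, kind, status in attribute_alarms(alarm_times(SAMPLE_HITS)):
        print(f"{t:7.0f}s  {kind:<10}  {status}")
```

Measuring each gap from the most recent alarm (rather than from the first recorded one) is what keeps a long attack that trips the detector on every slice as a single record; the "observe" records are the ones an operator still has to resolve by hand.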
To implement the above embodiment, the invention also proposes a system for detecting DDoS attacks against a DNS service, as shown in Fig. 2. Fig. 2 shows the structure of the detection system of the embodiment of the invention. The system comprises a data processing module, an attack detection module and an alarm module; the data processing module is connected to a switch port, the attack detection module is connected to the data processing module, and the alarm module is connected to the attack detection module. The data processing module is responsible for collecting and processing the data on the DNS server: it computes the traffic statistics within each time slice, obtains the data information on the DNS server and analyses it. The attack detection module detects whether the DNS server is currently under a reflection DDoS attack or a query DDoS attack. The alarm module analyses the output of the attack detection module and, if a reflection DDoS attack or a query DDoS attack is detected, raises an alarm and reports the time at which the attack occurred and the type of the attack, so that administrators can take appropriate measures to prevent the DDoS attack from damaging the DNS server.
The data processing module comprises a data acquisition module and a data analysis module. The data acquisition module collects and obtains the data information on the DNS server, such as the types and numbers of response and request packets, statistics of source and destination IP addresses, and the length of the queried domain name field. The data analysis module computes the overall access traffic on the DNS server within a time slice and calculates the total number of response packets returned from the external network and the total number of request packets sent to the external network; for the response packets sent to the external network, it calculates the total number whose resolution succeeded and the total number whose resolution failed.
The attack detection module takes as input the data processed by the data analysis module, performs the detection and outputs the detection result. It comprises a first detection module and a second detection module: the first detection module tests whether the DNS server is currently under a reflection DDoS attack, and the second detection module tests whether it is currently under a query DDoS attack. Both detection modules use the non-parametric adaptive CUSUM method.
In the embodiment of the invention, the functional units of the system may be integrated into one processing module, may exist physically as separate units, or two or more units may be integrated into one module. Such an integrated module may be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The above is only a preferred embodiment of the invention, and the invention is not limited to the above embodiment. It will be understood that other improvements and variations that a person skilled in the art derives directly from, or associates with, the invention without departing from its spirit and design are all considered to fall within the scope of protection of the invention.

Claims (7)

1. detection method for the ddos attack of DNS service is characterized in that it may further comprise the steps:
Step 1 gathers the network data on the protected dns server;
Step 2, to the network data that gathers, calculating is total and total to the request bag of outer net transmission from the response packet that outer net returns, and turns to step 3; Calculate simultaneously the sum of domain name mapping success packet the reply data stream that mails to outer net after the parsing that dns server flows out and the sum of parsing miss data bag, and turn to step 4;
Step 3: applying the nonparametric self-adaptive CUSUM method to the result calculated in step 2 in order to detect a bounce-back DDoS attack, and, if a bounce-back DDoS attack is detected, proceeding to step 5;
Step 4: applying the nonparametric self-adaptive CUSUM method to the result calculated in step 2 in order to detect a query DDoS attack, and, if a query DDoS attack is detected, proceeding to step 5;
Step 5: if a bounce-back DDoS attack or a query DDoS attack is detected, generating a warning message and raising an alarm, the warning message including the time of origin of the DDoS attack and the type of the attack.
2. The detection method of a DDoS attack aimed at a DNS service according to claim 1, characterized in that step 3 further comprises the following steps:
Step 3.1: selecting the data-flow features of a bounce-back DDoS attack, namely the total number of response packets returned from the outer net and the total number of request packets sent to the outer net, both obtained in step 2;
Step 3.2: establishing the sequence model of the nonparametric self-adaptive CUSUM method;
Step 3.3: adaptively adjusting the threshold;
Step 3.4: detecting the bounce-back DDoS attack.
3. The detection method of a DDoS attack aimed at a DNS service according to claim 1, characterized in that step 4 further comprises the following steps:
Step 4.1: selecting the data-flow features of a query DDoS attack, namely, among the response packets obtained in step 2, the total number of packets for which domain name resolution succeeded and the total number for which it failed;
Step 4.2: establishing the sequence model of the nonparametric self-adaptive CUSUM method;
Step 4.3: adaptively adjusting the threshold;
Step 4.4: detecting the query DDoS attack.
4. The detection method of a DDoS attack aimed at a DNS service according to claim 1, characterized in that, in step 5, the time of origin of the DDoS attack is obtained by analysis using a set threshold interval.
5. A detection system for a DDoS attack aimed at a DNS service, characterized in that it comprises a data processing module, an attack detection module and an alarm module, wherein:
the data processing module is connected to a switch port, is responsible for collecting and processing data on the DNS server, and counts the data traffic information within each timeslice;
the attack detection module is connected to the data processing module and detects whether the DNS server is currently subject to a bounce-back DDoS attack or a query DDoS attack;
the alarm module is connected to the attack detection module and, if a bounce-back DDoS attack or a query DDoS attack is detected, issues a warning reporting the time of origin of the attack and the type of the attack.
6. The detection system of a DDoS attack aimed at a DNS service according to claim 5, characterized in that the data processing module comprises a data acquisition module and a data analysis module; the data acquisition module is used to collect and obtain the data information on the DNS server; the data analysis module is used to compute, for the overall access traffic on the DNS server within a timeslice, the total number of response packets returned from the outer net and the total number of request packets sent to the outer net, and, for the traffic of response packets sent to the outer net, the total number of packets for which domain name resolution succeeded and the total number for which it failed.
7. The detection system of a DDoS attack aimed at a DNS service according to claim 5, characterized in that the attack detection module comprises a first detection module and a second detection module; the first detection module detects whether the DNS server is currently subject to a bounce-back DDoS attack, and the second detection module detects whether the DNS server is currently subject to a query DDoS attack; both the first detection module and the second detection module use the nonparametric self-adaptive CUSUM method for detection.
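The pipeline that claims 1 to 7 describe (a data processing module counting packets per timeslice, a first and a second detector running a nonparametric self-adaptive CUSUM on the bounce-back feature of claim 2 and the query feature of claim 3, and an alarm carrying attack type and time of origin), as an added worked example in Python. This is illustrative code written for this page, not the patent's implementation. The page does not give the CUSUM statistic, the threshold-adaptation rule or how the onset is derived from the threshold interval, so the choices below are assumptions: a sliding-window mean and mean absolute deviation (MAD) as the nonparametric baseline, a threshold scaled by the baseline's relative dispersion, and the start of the statistic's current excursion above zero as the onset estimate. The traffic counts are constructed, and "bounce-back" is read as a reflection pattern in which responses arrive from the outer net out of proportion to the requests the server sent.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Slice:
    """Counters for one timeslice, as the data-processing module would report them (assumed)."""
    t: int
    resp_in: int    # response packets returned from the outer net
    req_out: int    # request packets this server sent to the outer net
    ok_out: int     # responses sent to the outer net: resolution succeeded
    fail_out: int   # responses sent to the outer net: resolution failed


@dataclass
class Alarm:
    """Alarm-module output: attack type, estimated time of origin, detection time."""
    attack_type: str
    onset: int
    detected_at: int


class AdaptiveCusum:
    """One-sided CUSUM on a ratio series (assumed design, not the patent's text).
    Nonparametric: the baseline is the empirical mean and mean absolute deviation
    (MAD) of a sliding window of recent non-alarm slices, no distribution assumed.
    Self-adaptive: the window, and with it the alarm threshold, move with the baseline."""

    def __init__(self, window: int = 10, k: float = 0.5, h0: float = 4.0):
        self.window = deque(maxlen=window)
        self.k = k          # slack per step, in MAD units: absorbs normal wobble
        self.h0 = h0        # base alarm threshold, in MAD units
        self.s = 0.0        # cumulative-sum statistic
        self.onset: Optional[int] = None

    def baseline(self):
        n = len(self.window)
        mean = sum(self.window) / n
        return mean, sum(abs(x - mean) for x in self.window) / n

    def threshold(self) -> float:
        mean, mad = self.baseline()
        # a noisier baseline (larger relative MAD) raises the bar to limit false alarms
        return self.h0 * (1.0 + mad / max(abs(mean), 1e-9))

    def update(self, t: int, x: float) -> bool:
        """Feed one timeslice value; True while the statistic exceeds the threshold."""
        if len(self.window) < self.window.maxlen:   # still learning normal traffic
            self.window.append(x)
            return False
        mean, mad = self.baseline()
        scale = max(mad, 0.1 * abs(mean), 1e-9)      # floor keeps z finite on a flat baseline
        z = (x - mean) / scale
        if self.s == 0.0:
            self.onset = t   # a fresh excursion above zero starts here: time-of-origin estimate
        self.s = max(0.0, self.s + z - self.k)
        alarm = self.s > self.threshold()
        if not alarm:
            self.window.append(x)   # learn the baseline only from slices not judged anomalous
        return alarm


def bounce_back_ratio(s: Slice) -> float:
    """Claim 2 feature: responses returned from the outer net per request sent to it."""
    return s.resp_in / max(s.req_out, 1)


def failure_ratio(s: Slice) -> float:
    """Claim 3 feature: share of failed resolutions among responses sent to the outer net."""
    return s.fail_out / max(s.ok_out + s.fail_out, 1)


def detect(slices: List[Slice]) -> List[Alarm]:
    """Attack-detection module: first detector = bounce-back, second = query DDoS;
    one Alarm is raised per rising edge of each detector."""
    detectors = [("bounce-back DDoS", AdaptiveCusum(), bounce_back_ratio),
                 ("query DDoS", AdaptiveCusum(), failure_ratio)]
    active, alarms = set(), []
    for s in slices:
        for name, det, feature in detectors:
            alarm = det.update(s.t, feature(s))
            if alarm and name not in active:
                alarms.append(Alarm(name, det.onset, s.t))
            if alarm:
                active.add(name)
            else:
                active.discard(name)
    return alarms


def constructed_traffic() -> List[Slice]:
    """Constructed sample: 10 normal slices, then from t=10 a bounce-back flood
    (responses from outside up 40%, outbound requests flat) and a random-subdomain
    query flood (failed resolutions jump from about 5 to 60 per slice)."""
    resp_in = [100, 110, 90, 105, 95, 100, 110, 90, 100, 100]
    fail = [5, 6, 4, 5, 5, 6, 4, 5, 5, 5]
    normal = [Slice(t, resp_in[t], 100, 100 - fail[t], fail[t]) for t in range(10)]
    return normal + [Slice(t, 140, 100, 95, 60) for t in range(10, 16)]
```

Run on the constructed traffic, the query detector fires in the first attack slice (the failure share jumps by far more than the threshold), while the bounce-back detector needs two slices: a 40% rise is only four MAD units, below the 4.2 bar, and the cumulative sum crosses the threshold at t=11 with the onset still reported as t=10, which is what distinguishes CUSUM from a per-slice threshold. Two design points matter in practice: the baseline is learned only from slices that did not alarm, so an ongoing attack is not absorbed into "normal", but a slowly ramping attack can still drag the window upward before the statistic crosses (the mean already moved from 1.00 to 1.04 here), so bounding the growth of the baseline per slice or freezing it once the statistic is positive is a reasonable hardening; and the per-slice counters should come from a mirror of the switch port in front of the server, as claim 5 describes, so that the detector sees traffic the server may already be too busy to log.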
CN2012103810105A 2012-10-10 2012-10-10 Detection method and detection system of distributed denial of service (DDoS) attack aiming at domain name server (DNS) service Pending CN102882880A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012103810105A CN102882880A (en) 2012-10-10 2012-10-10 Detection method and detection system of distributed denial of service (DDoS) attack aiming at domain name server (DNS) service

Publications (1)

Publication Number Publication Date
CN102882880A true CN102882880A (en) 2013-01-16

Family

ID=47484023

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012103810105A Pending CN102882880A (en) 2012-10-10 2012-10-10 Detection method and detection system of distributed denial of service (DDoS) attack aiming at domain name server (DNS) service

Country Status (1)

Country Link
CN (1) CN102882880A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701794A (en) * 2013-12-20 2014-04-02 北京奇虎科技有限公司 Identification method and device for denial of service attack
CN104796405A (en) * 2015-03-18 2015-07-22 深信服网络科技(深圳)有限公司 Inverted connection detection method and device
CN107231339A (en) * 2016-03-25 2017-10-03 阿里巴巴集团控股有限公司 The detection method and device of a kind of ddos attack
CN107562982A (en) * 2017-07-17 2018-01-09 西安电子科技大学 Adaptive alarm gate method and SCADA applications based on CUSUM
CN108768942A (en) * 2018-04-20 2018-11-06 武汉绿色网络信息服务有限责任公司 A kind of ddos attack detection method and detection device based on adaptive threshold
CN105653928B (en) * 2016-02-03 2018-11-13 北京大学 A kind of refusal service detection method towards big data platform
CN109246157A (en) * 2018-11-16 2019-01-18 杭州安恒信息技术股份有限公司 A kind of HTTP requests at a slow speed the association detection method of dos attack
CN111510436A (en) * 2020-03-27 2020-08-07 黑龙江省网络空间研究中心 Network security system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101369897A (en) * 2008-07-31 2009-02-18 成都市华为赛门铁克科技有限公司 Method and equipment for detecting network attack
US7584507B1 (en) * 2005-07-29 2009-09-01 Narus, Inc. Architecture, systems and methods to detect efficiently DoS and DDoS attacks for large scale internet

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
YI ZHANG,等: "A Real-Time DDoS Attack Detection and Prevention System Based on per-IP Traffic Behavioral analysis", 《2010 3RD IEEE INTERNATIONAL CONFERENCE》 *
宗兆伟,等: "基于统计分析和流量控制的DNS分布式拒绝服务攻击的检测及防御", 《2009全国计算机网络与通信学术会议论文集》 *
宗兆伟: "基于流量控制及流重组技术的应用层DDos攻击的检测与防御", 《万方学位论文数据库》 *
康健,等: "CUSUM 算法在DDoS源端检测中的应用", 《计算机应用》 *
欧帅: "DNS拒绝服务攻击的防护系统的研究与设计", 《万方学位论文数据库》 *
步山岳,等: "基于改进CUSUM算法的网络异常流量检测", 《计算机应用研究》 *
步山岳,等: "自适应参数的网络异常流量检测方法", 《北京交通大学学报》 *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701794A (en) * 2013-12-20 2014-04-02 北京奇虎科技有限公司 Identification method and device for denial of service attack
CN104796405A (en) * 2015-03-18 2015-07-22 深信服网络科技(深圳)有限公司 Inverted connection detection method and device
CN104796405B (en) * 2015-03-18 2019-04-12 深信服网络科技(深圳)有限公司 Rebound connecting detection method and apparatus
CN105653928B (en) * 2016-02-03 2018-11-13 北京大学 A kind of refusal service detection method towards big data platform
CN107231339A (en) * 2016-03-25 2017-10-03 阿里巴巴集团控股有限公司 The detection method and device of a kind of ddos attack
CN107231339B (en) * 2016-03-25 2020-03-24 阿里巴巴集团控股有限公司 Method and device for detecting DDoS attack
CN107562982B (en) * 2017-07-17 2020-10-16 西安电子科技大学 CUSUM-based adaptive alarm threshold method and SCADA application
CN107562982A (en) * 2017-07-17 2018-01-09 西安电子科技大学 Adaptive alarm gate method and SCADA applications based on CUSUM
CN108768942A (en) * 2018-04-20 2018-11-06 武汉绿色网络信息服务有限责任公司 A kind of ddos attack detection method and detection device based on adaptive threshold
CN108768942B (en) * 2018-04-20 2020-10-30 武汉绿色网络信息服务有限责任公司 DDoS attack detection method and detection device based on self-adaptive threshold
CN109246157A (en) * 2018-11-16 2019-01-18 杭州安恒信息技术股份有限公司 A kind of HTTP requests at a slow speed the association detection method of dos attack
CN109246157B (en) * 2018-11-16 2021-03-02 杭州安恒信息技术股份有限公司 Correlation detection method for HTTP slow request DOS attack
CN111510436A (en) * 2020-03-27 2020-08-07 黑龙江省网络空间研究中心 Network security system
CN111510436B (en) * 2020-03-27 2021-08-10 黑龙江省网络空间研究中心 Network security system

Similar Documents

Publication Publication Date Title
CN102882880A (en) Detection method and detection system of distributed denial of service (DDoS) attack aiming at domain name server (DNS) service
CN102438025B (en) Indirect distributed denial of service attack defense method and system based on Web agency
CN102945340B (en) information object detection method and system
CN105141598B (en) APT attack detection method and device based on the detection of malice domain name
Hao et al. Understanding the domain registration behavior of spammers
US8844034B2 (en) Method and apparatus for detecting and defending against CC attack
CN109951500A (en) Network attack detecting method and device
CN105681133B (en) A method of the detection whether anti-network attack of dns server
CN104506538B (en) Machine learning type domain name system security defence method and device
CN106357685A (en) Method and device for defending distributed denial of service attack
CN105553974A (en) Prevention method of HTTP slow attack
CN101741847A (en) Detecting method of DDOS (distributed denial of service) attacks
CN104022999A (en) Network data processing method and system based on protocol analysis
CN108683686A (en) A kind of Stochastic subspace name ddos attack detection method
CN101702660A (en) Abnormal domain name detection method and system
CN105072119A (en) Domain name resolution conversation mode analysis-based method and device for detecting malicious domain name
CN105072120A (en) Method and device for malicious domain name detection based on domain name service state analysis
CN101184094A (en) Network node scanning detection method and system for LAN environment
Satam et al. Anomaly Behavior Analysis of DNS Protocol.
CN102984178B (en) The detection method of data message and device
CN103297433A (en) HTTP botnet detection method and system based on net data stream
CN101383832A (en) Challenging black hole attack defense method and device
Xing et al. Research on the defense against ARP spoofing attacks based on Winpcap
CN110602109A (en) Application layer DDoS attack detection and defense method based on multi-feature entropy
EP2230797A1 (en) Detecting network traffic anomalies in a communication network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20130116