CN103561025A - Method, device and system for detecting DOS attack prevention capacity - Google Patents


Publication number
CN103561025A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310536103.5A
Other languages
Chinese (zh)
Other versions
CN103561025B (en)
Inventor
韩卫平
王彬
冀哲
张恺
周广
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN201310536103.5A
Publication of CN103561025A
Application granted
Publication of CN103561025B
Legal status: Active
Anticipated expiration

Abstract

The invention provides a method, device and system for detecting DoS attack prevention capability. In the method, while a network attack tool sends a large number of malicious data packets to a gateway device under test whose anti-ping function is disabled, an intranet host connected to the gateway device under test periodically sends ping commands to a public network host through the gateway device under test, and the intranet host judges from the response information returned by the public network host whether the gateway device under test has DoS attack prevention capability. This solves the prior-art problem that it is difficult to judge whether a gateway device has DoS attack prevention capability.

Description

Method, device and system for detecting anti-DoS attack capability
Technical field
The present invention relates to the field of computer technology, and in particular to a method, device and system for detecting anti-DoS attack capability.
Background art
In the prior art, a denial of service (Denial of Service, DoS) attack mainly consists of a network attack tool continuously sending a large number of malicious data packets into a network in order to consume network resources such as router CPU time, system capacity or network bandwidth, thereby degrading network service performance. For example, a network attack tool continuously sends a large number of malicious data packets to a gateway device to consume the gateway device's bandwidth, so that the intranet hosts connected to the gateway device can hardly access the network normally.
At present, gateway devices that can defend against DoS attacks exist in the prior art. However, it is difficult in the prior art to detect whether a gateway device has anti-DoS attack capability, so a user selecting a gateway device can hardly tell whether the gateway device has that capability.
Summary of the invention
The invention provides a method, device and system for detecting anti-DoS attack capability, to solve the prior-art problem that it is difficult to judge whether a gateway device has anti-DoS attack capability.
A first aspect of the present invention provides a method for detecting anti-DoS attack capability, comprising:
while a network attack tool sends a large number of malicious data packets to a gateway device under test whose anti-ping function is disabled, an intranet host connected to the gateway device under test periodically sends ping commands to a public network host through the gateway device under test;
the intranet host judges, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability.
Another aspect of the present invention provides a device for detecting anti-DoS attack capability, comprising:
a sending module, configured to periodically send ping commands to a public network host through the gateway device under test while a network attack tool sends a large number of malicious data packets to the gateway device under test whose anti-ping function is disabled;
a judging module, configured to judge, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability.
Another aspect of the present invention provides a system for detecting anti-DoS attack capability, comprising: a network attack tool, a gateway device under test, a public network host, and the above device for detecting anti-DoS attack capability.
In the present invention, while a network attack tool sends a large number of malicious data packets to a gateway device under test whose anti-ping function is disabled, the intranet host connected to the gateway device under test periodically sends ping commands to a public network host through the gateway device under test and judges, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability. A user selecting a gateway device can therefore find out whether it has anti-DoS attack capability, which improves the user experience.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the method for detecting anti-DoS attack capability provided by the invention;
Fig. 2 is a structural diagram of an embodiment of the intranet host provided by the invention;
Fig. 3 is a structural diagram of an embodiment of the system for detecting anti-DoS attack capability provided by the invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of an embodiment of the method for detecting anti-DoS attack capability provided by the invention. As shown in Fig. 1, the method comprises:
101. While a network attack tool sends a large number of malicious data packets to a gateway device under test whose anti-ping function is disabled, the intranet host connected to the gateway device under test periodically sends ping commands to a public network host through the gateway device under test.
The method provided by the invention may be executed by the intranet host. The intranet host may be a terminal, such as a computer, that is connected to the gateway device and accesses the network through it.
Specifically, before the network attack tool sends a large number of malicious data packets to the gateway device under test whose anti-ping function is disabled, the network attack tool, the public network host and the gateway device under test may each first register with a public network server through a router and obtain a public IP address. The network attack tool sends a ping command to the gateway device under test through the router and, from the response returned by the gateway device under test, judges whether the router between the network attack tool and the gateway device under test is reachable, that is, whether the network attack tool can send data packets to the gateway device under test through this router. The network attack tool then uses a TCP tool to scan the public IP address of the gateway device under test and obtains the list of open ports on that address.
Correspondingly, the sending of a large number of malicious data packets by the network attack tool to the gateway device under test whose anti-ping function is disabled may specifically be: the network attack tool sends a large number of malicious data packets to the open ports of the gateway device under test whose anti-ping function is disabled, thereby attacking the gateway device under test.
102. The intranet host judges, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability.
Specifically, when the network attack tool sends a large number of malicious data packets to the gateway device under test whose anti-ping function is disabled, it consumes the bandwidth of the gateway device under test, so that the intranet host connected to it can hardly access the network normally. If the gateway device under test has anti-DoS capability, then after receiving the large number of malicious data packets it obtains the source IP address carried in the packets; when the number of packets from the same source IP address exceeds a preset quantity threshold, the gateway device under test adds that source IP address to a blacklist and no longer accepts packets from it, so that the intranet host connected to the gateway device under test can access the network normally again. Step 102 may therefore specifically be: when the intranet host does not receive the response information returned by the public network host within a preset first time threshold, the intranet host determines that the gateway device under test is under attack and that the intranet host can hardly access the network normally; after the gateway device under test has come under attack, if the response information returned by the public network host is received within a preset second time threshold, the intranet host can access the network normally, and the intranet host determines that the gateway device under test has anti-DoS attack capability.
After the gateway device under test has come under attack, if the intranet host still has not received the response information returned by the public network host within the preset second time threshold, the intranet host still can hardly access the network normally, and the intranet host determines that the gateway device under test does not have anti-DoS attack capability.
In addition, to rule out the case in which the intranet host fails to receive the response information from the public network host in time because of ordinary congestion, the method may further comprise, before step 101: the intranet host sends a ping command to the public network host; the intranet host determines, according to the response information returned by the public network host, that data can be transmitted between the intranet host and the public network host.
Specifically, the intranet host may periodically send ping commands to the public network host. If the intranet host periodically receives the response information returned by the public network host, data can be transmitted between the intranet host and the public network host, that is, the intranet host can access the network normally.
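The judgment of step 102, together with the connectivity check made before step 101, can be written as a verdict function over the intranet host's ping records. The following Python code is an added example, not code from the patent: the `Probe` and `Result` records, the function and verdict names, the three extra outcomes for invalid runs, and the way the two thresholds are measured (the first from the last reply, the second from the moment the outage is declared) are assumptions, and the timelines are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Verdict(Enum):
    CAPABLE = "gateway has anti-DoS capability"
    NOT_CAPABLE = "gateway lacks anti-DoS capability"
    # The next three outcomes are not in the patent text (assumption): they
    # keep an invalid run from being reported as a pass or a fail.
    BASELINE_FAILED = "no clean connectivity before the test"
    NO_OUTAGE = "replies never stopped for longer than the first threshold"
    INCONCLUSIVE = "observation ended before the second threshold elapsed"


@dataclass(frozen=True)
class Probe:
    sent_at: float             # seconds since the start of the run
    reply_at: Optional[float]  # None when no echo reply came back


@dataclass(frozen=True)
class Result:
    verdict: Verdict
    attack_detected_at: Optional[float] = None
    recovered_at: Optional[float] = None


def assess(baseline: Iterable[Probe], probes: Iterable[Probe],
           t1: float, t2: float, observed_until: float) -> Result:
    """Classify one test run from the intranet host's ping records.

    t1: first time threshold, silence longer than this means "under attack".
    t2: second time threshold, a reply within t2 of that point means the
        gateway recovered (for example by blacklisting the flooding source).
    """
    baseline = list(baseline)
    # Check before step 101: the path must work with no attack running,
    # otherwise ordinary congestion could be mistaken for the attack.
    if not baseline or any(p.reply_at is None for p in baseline):
        return Result(Verdict.BASELINE_FAILED)

    probes = sorted(probes, key=lambda p: p.sent_at)
    replies = sorted(p.reply_at for p in probes if p.reply_at is not None)
    last_ok = probes[0].sent_at if probes else 0.0

    for reply in replies:
        if reply - last_ok > t1:
            # Silence exceeded t1, so the outage was declared at last_ok + t1;
            # this reply is the first one seen after that point.
            detected = last_ok + t1
            if reply - detected <= t2:
                return Result(Verdict.CAPABLE, detected, reply)
            return Result(Verdict.NOT_CAPABLE, detected, reply)
        last_ok = reply

    # No further replies: decide from how long the silence has lasted.
    if observed_until - last_ok <= t1:
        return Result(Verdict.NO_OUTAGE)
    detected = last_ok + t1
    if observed_until - detected >= t2:
        return Result(Verdict.NOT_CAPABLE, detected)
    return Result(Verdict.INCONCLUSIVE, detected)


def timeline(count: int, lost: Iterable[int] = (), rtt: float = 0.5):
    """Constructed sample data: one probe per second, `lost` ones unanswered."""
    lost = set(lost)
    return [Probe(float(i), None if i in lost else i + rtt) for i in range(count)]


if __name__ == "__main__":
    base = timeline(5)
    runs = {
        "recovers after 15 s": timeline(60, lost=range(10, 25)),
        "never recovers": timeline(60, lost=range(10, 60)),
        "no visible impact": timeline(60),
    }
    for name, run in runs.items():
        print(name, "->", assess(base, run, t1=5, t2=30, observed_until=60))
```

Reporting `NO_OUTAGE` and `INCONCLUSIVE` separately matters in practice: a run in which the flood never saturated the gateway, or was stopped early, says nothing about the gateway's defences.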
In this embodiment, while a network attack tool sends a large number of malicious data packets to a gateway device under test whose anti-ping function is disabled, the intranet host connected to the gateway device under test periodically sends ping commands to a public network host through the gateway device under test and judges, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability. A user selecting a gateway device can therefore find out whether it has anti-DoS attack capability, which improves the user experience.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, magnetic disks or optical discs.
Fig. 2 is a structural diagram of an embodiment of the intranet host provided by the invention. The intranet host in this embodiment is the device for detecting anti-DoS attack capability and, as shown in Fig. 2, comprises:
a sending module 21, configured to periodically send ping commands to a public network host through the gateway device under test while a network attack tool sends a large number of malicious data packets to the gateway device under test whose anti-ping function is disabled;
a judging module 22, configured to judge, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability.
Specifically, when the network attack tool sends a large number of malicious data packets to the gateway device under test whose anti-ping function is disabled, it consumes the bandwidth of the gateway device under test, so that the intranet host connected to it can hardly access the network normally. If the gateway device under test has anti-DoS capability, then after receiving the large number of malicious data packets it obtains the source IP address carried in the packets; when the number of packets from the same source IP address exceeds a preset quantity threshold, the gateway device under test adds that source IP address to a blacklist and no longer accepts packets from it, so that the intranet host connected to the gateway device under test can access the network normally again.
Therefore, further, the judging module 22 is specifically configured to:
determine that the gateway device under test is under attack when the response information returned by the public network host is not received within a preset first time threshold;
after the gateway device under test has come under attack, determine that the gateway device under test has anti-DoS attack capability if the response information returned by the public network host is received within a preset second time threshold;
after the gateway device under test has come under attack, determine that the gateway device under test does not have anti-DoS attack capability if the response information returned by the public network host is not received within the preset second time threshold.
Still further, to rule out the case in which the intranet host fails to receive the response information from the public network host in time because of ordinary congestion, the sending module 21 is also configured to send a ping command to the public network host before the sending module 21 periodically sends ping commands to the public network host through the gateway device under test;
the judging module 22 is also configured to determine, according to the response information returned by the public network host, that data can be transmitted between the intranet host and the public network host.
In this embodiment, while a network attack tool sends a large number of malicious data packets to a gateway device under test whose anti-ping function is disabled, the intranet host connected to the gateway device under test periodically sends ping commands to a public network host through the gateway device under test and judges, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability. A user selecting a gateway device can therefore find out whether it has anti-DoS attack capability, which improves the user experience.
Fig. 3 is a structural diagram of an embodiment of the system for detecting anti-DoS attack capability provided by the invention. As shown in Fig. 3, the system comprises: a network attack tool 31, a gateway device under test 32, a public network host 33, and an intranet host 34. The intranet host 34 in this embodiment is the device for detecting anti-DoS attack capability.
The network attack tool 31 is configured to send a large number of malicious data packets to the gateway device under test 32 whose anti-ping function is disabled; the intranet host 34 connected to the gateway device under test 32 periodically sends ping commands to the public network host 33 through the gateway device under test 32; the intranet host 34 judges, according to the response information returned by the public network host 33, whether the gateway device under test 32 has anti-DoS attack capability.
Further, the intranet host 34 is specifically configured to determine that the gateway device under test 32 is under attack when the response information returned by the public network host 33 is not received within a preset first time threshold;
after the gateway device under test 32 has come under attack, determine that the gateway device under test 32 has anti-DoS attack capability if the response information returned by the public network host 33 is received within a preset second time threshold;
after the gateway device under test 32 has come under attack, determine that the gateway device under test 32 does not have anti-DoS attack capability if the response information returned by the public network host 33 is not received within the preset second time threshold.
Still further, to rule out the case in which the intranet host fails to receive the response information from the public network host in time because of ordinary congestion, the intranet host 34 is also configured to send a ping command to the public network host 33 before the intranet host 34 periodically sends ping commands to the public network host 33 through the gateway device under test 32, and to determine, according to the response information returned by the public network host 33, that data can be transmitted between the intranet host 34 and the public network host 33.
In this embodiment, while a network attack tool sends a large number of malicious data packets to a gateway device under test whose anti-ping function is disabled, the intranet host connected to the gateway device under test periodically sends ping commands to a public network host through the gateway device under test and judges, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability. A user selecting a gateway device can therefore find out whether it has anti-DoS attack capability, which improves the user experience.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A method for detecting anti-DoS attack capability, characterized by comprising:
while a network attack tool sends a large number of malicious data packets to a gateway device under test whose anti-ping function is disabled, an intranet host connected to the gateway device under test periodically sends ping commands to a public network host through the gateway device under test;
the intranet host judges, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability.
2. The method according to claim 1, characterized in that the intranet host judging, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability comprises:
when the response information returned by the public network host is not received within a preset first time threshold, the intranet host determines that the gateway device under test is under attack;
after the gateway device under test has come under attack, if the response information returned by the public network host is received within a preset second time threshold, the intranet host determines that the gateway device under test has anti-DoS attack capability.
3. The method according to claim 2, characterized in that, after the intranet host determines that the gateway device under test is under attack, the method further comprises:
if the response information returned by the public network host is not received within the preset second time threshold, the intranet host determines that the gateway device under test does not have anti-DoS attack capability.
4. The method according to any one of claims 1-3, characterized in that, before the intranet host connected to the gateway device under test periodically sends ping commands to the public network host through the gateway device under test, the method further comprises:
the intranet host sends a ping command to the public network host;
the intranet host determines, according to the response information returned by the public network host, that data can be transmitted between the intranet host and the public network host.
5. A device for detecting anti-DoS attack capability, characterized by comprising:
a sending module, configured to periodically send ping commands to a public network host through the gateway device under test while a network attack tool sends a large number of malicious data packets to the gateway device under test whose anti-ping function is disabled;
a judging module, configured to judge, according to the response information returned by the public network host, whether the gateway device under test has anti-DoS attack capability.
6. The device according to claim 5, characterized in that the judging module is specifically configured to:
determine that the gateway device under test is under attack when the response information returned by the public network host is not received within a preset first time threshold;
after the gateway device under test has come under attack, determine that the gateway device under test has anti-DoS attack capability if the response information returned by the public network host is received within a preset second time threshold.
7. The device according to claim 6, characterized in that, after the judging module determines that the gateway device under test is under attack, the judging module is also configured to:
determine that the gateway device under test does not have anti-DoS attack capability when the response information returned by the public network host is not received within the preset second time threshold.
8. The device according to any one of claims 5-7, characterized in that the sending module is also configured to send a ping command to the public network host before the sending module periodically sends ping commands to the public network host through the gateway device under test;
the judging module is also configured to determine, according to the response information returned by the public network host, that data can be transmitted between the intranet host and the public network host.
9. A system for detecting anti-DoS attack capability, comprising: a network attack tool, a gateway device under test, a public network host, and the device for detecting anti-DoS attack capability according to any one of claims 5-8.
CN201310536103.5A 2013-11-01 2013-11-01 Method, device and system for detecting DOS attack prevention capacity Active CN103561025B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310536103.5A CN103561025B (en) 2013-11-01 2013-11-01 Method, device and system for detecting DOS attack prevention capacity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310536103.5A CN103561025B (en) 2013-11-01 2013-11-01 Method, device and system for detecting DOS attack prevention capacity

Publications (2)

Publication Number Publication Date
CN103561025A (en) 2014-02-05
CN103561025B (en) 2017-04-12

Family

ID=50015175

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310536103.5A Active CN103561025B (en) 2013-11-01 2013-11-01 Method, device and system for detecting DOS attack prevention capacity

Country Status (1)

Country Link
CN (1) CN103561025B (en)

Also Published As

Publication number Publication date
CN103561025B (en) 2017-04-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant