CN104348794B - Network layer DDOS attack source discrimination, apparatus and system - Google Patents


Info

Publication number
CN104348794B
Authority
CN (China)
Prior art keywords
address, source, attack, server, detection
Legal status
Active
Application number
CN201310325923.XA
Other languages
Chinese (zh)
Other versions
CN104348794A
Inventor
罗喜军, 陈勇
Current Assignee
Shenzhen Tencent Computer Systems Co Ltd
Original Assignee
Shenzhen Tencent Computer Systems Co Ltd
Application filed by Shenzhen Tencent Computer Systems Co Ltd
Priority to CN201310325923.XA
Publication of CN104348794A
Application granted
Publication of CN104348794B
Current legal status: Active


Abstract

The present invention provides a network-layer DDoS attack source identification method. When a detection server detects that a first server is under DDoS attack, it obtains DDoS attack packets from the first server and extracts the attack source IP address and the TTL value of that address from the packets; it sends a probe instruction containing the attack source IP address to a second server; it receives the probe response packet that the second server returns in reply to the probe instruction and extracts the probe source IP address and its TTL value from the response packet; and it judges whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value. If so, the attack source IP address is determined to be forged; if not, it is determined to be genuine. The invention further provides a network-layer DDoS attack source identification apparatus and system. The method, apparatus and system identify the source of a network-layer DDoS attack quickly and efficiently.

Description

Network layer DDOS attack source discrimination, apparatus and system
Technical field
The present invention relates to the field of computer communication technology, and in particular to a network-layer DDoS attack source identification method, apparatus and system.
Background
A DoS (Denial of Service) attack is an attack that prevents a server from providing its normal service. The most common DoS attacks are network bandwidth attacks and connectivity attacks. A bandwidth attack floods the network with a very large volume of traffic so that all available network resources are consumed and legitimate users' requests can no longer get through. A connectivity attack floods a server with a large number of connection requests so that all available operating-system resources are exhausted and the server can no longer process legitimate users' requests.
A DDoS (Distributed Denial of Service) attack uses client/server techniques to join multiple clients together into an attack platform and launch DoS attacks against one or more targets. Typically the attacker installs a DDoS master program on a client using a stolen account; at a preset time the master program communicates with a large number of agent programs installed on many clients across the Internet and, using the client/server technique, activates hundreds or thousands of agent programs within seconds, multiplying the power of the DoS attack.
By the network layer they target, DDoS attacks divide into network-layer DDoS (Net-DDoS) attacks and App-DDoS attacks. Net-DDoS attacks mainly exploit vulnerabilities in existing lower-layer protocols (the IP and TCP layers). A typical pattern is for attack nodes with forged IP addresses to send large numbers of attack packets to the target host, such as TCP (Transmission Control Protocol) packets, ICMP (Internet Control Message Protocol) packets or UDP (User Datagram Protocol) packets, exploiting the TCP three-way handshake so that the target server maintains a very large list of half-open connections, consumes a great deal of CPU (Central Processing Unit) and memory resources, and finally crashes from stack overflow and cannot serve normal users. Because of their protocol characteristics, network-layer DDoS attacks send massive numbers of packets without needing to establish a reliable connection with the server, which makes tracing the attack back to its source very difficult. The industry's usual method is to cooperate with the network operator and trace the traffic on the egress routers of the metropolitan area network or the backbone network to determine whether an attack source is genuine. However, operators' routing devices generally use flow-based statistical counting, which works for high-volume DDoS attacks but is ineffective for distributed, low-volume DDoS attacks, whose true attack sources therefore cannot be tracked effectively.
Summary of the invention
In view of this, the present invention provides a network-layer DDoS attack source identification method, apparatus and system that can quickly and effectively identify whether the source of a network-layer DDoS attack is genuine or forged.
A network-layer DDoS attack source identification method comprises: when a detection server detects that a first server is under DDoS attack, obtaining DDoS attack packets from the first server and extracting the attack source IP address and the TTL value of the attack source IP address from the DDoS attack packets; sending a probe instruction containing the attack source IP address to a second server, the second server being in the same network topology as the first server and the probe instruction instructing the second server to probe the attack source IP address; receiving the probe response packet that the second server returns in reply to the probe instruction and extracting the probe source IP address and the TTL value of the probe source IP address from the probe response packet; and judging whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value, and if so, determining that the attack source IP address is a forged IP address, otherwise determining that the attack source IP address is a genuine IP address.
A network-layer DDoS attack source identification method comprises: when a detection server detects that a first server is under DDoS attack, obtaining DDoS attack packets from the first server and extracting the attack source IP address and the TTL value of the attack source IP address from the DDoS attack packets; the detection server sending a probe instruction containing the attack source IP address to a second server, the second server being in the same network topology as the first server and the probe instruction instructing the second server to probe the attack source IP address; the second server probing the attack source IP address according to the probe instruction, obtaining a probe response packet from the terminal corresponding to the attack source IP address, and sending the probe response packet to the detection server; and the detection server extracting the probe source IP address and the TTL value of the probe source IP address from the probe response packet and judging whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value, and if so, determining that the attack source IP address is a forged IP address, otherwise determining that the attack source IP address is a genuine IP address.
A network-layer DDoS attack source identification apparatus, applied to a detection server, comprises: a DDoS attack packet acquisition and analysis module, for obtaining DDoS attack packets from a first server when the first server is detected to be under DDoS attack and extracting the attack source IP address and the TTL value of the attack source IP address from the DDoS attack packets; a probe instruction sending module, for sending to a second server a probe instruction containing the attack source IP address obtained by the DDoS attack packet acquisition and analysis module, the second server being in the same network topology as the first server and the probe instruction instructing the second server to probe the attack source IP address; a probe response packet analysis module, for receiving the probe response packet that the second server returns in reply to the probe instruction sent by the probe instruction sending module and extracting the probe source IP address and the TTL value of the probe source IP address from the probe response packet; and a judgment module, for judging whether the difference between the TTL value of the attack source IP address obtained by the DDoS attack packet acquisition and analysis module and the TTL value of the probe source IP address obtained by the probe response packet analysis module is greater than a preset value, and if so, determining that the attack source IP address is a forged IP address, otherwise determining that the attack source IP address is a genuine IP address.
A network-layer DDoS attack source identification system comprises: the detection server of any one of claims 6 to 9, a first server and a second server. The first server sends DDoS attack packets to the detection server in response to the detection server's request to obtain DDoS attack packets. The second server probes the attack source IP address according to the probe instruction sent by the detection server, obtains a probe response packet from the terminal corresponding to the attack source IP address, and sends the probe response packet to the detection server. The second server and the first server are in the same network topology.
In the above network-layer DDoS attack source identification method, apparatus and system, when the detection server detects that the first server is under DDoS attack, a second server in the same network topology as the first server is used to probe the DDoS attack source in reverse, and at the same time the characteristics of the TTL value are exploited: by comparing the TTL value of the DDoS attack source IP address with the TTL value of the probe source IP address, the method can quickly and efficiently identify whether a network-layer DDoS attack source IP address is genuine or forged.
In order that the above and other objects, features and advantages of the invention may be more readily understood, preferred embodiments are described in detail below with reference to the accompanying drawings.
Description of the drawings
Fig. 1 is a diagram of the application environment of the network-layer DDoS attack source identification method provided by the invention.
Fig. 2 is a flow chart of the network-layer DDoS attack source identification method provided by the first embodiment of the invention.
Fig. 3 is a flow chart of the network-layer DDoS attack source identification method provided by the second embodiment of the invention.
Fig. 4 is a flow chart of the network-layer DDoS attack source identification method provided by the third embodiment of the invention.
Fig. 5 is a schematic structural diagram of the detection server provided by the fourth embodiment of the invention.
Fig. 6 is a schematic structural diagram of the detection server provided by the fifth embodiment of the invention.
Fig. 7 is a schematic diagram of the network-layer DDoS attack source identification system provided by the sixth embodiment of the invention.
Specific embodiments
To further explain the technical means and effects adopted by the present invention to achieve its intended objects, specific embodiments, structures, features and effects according to the invention are described in detail below with reference to the accompanying drawings and preferred embodiments.
Referring to Fig. 1, which shows the application environment of the network-layer DDoS attack source identification method provided by the invention. As shown in Fig. 1, a first server 101, a second server 102 and a detection server 103 are located in a wireless or wired network, through which the first server 101 and the second server 102 each communicate with the detection server 103; together, the first server 101, the second server 102 and the detection server 103 form a network-layer DDoS attack source identification system 100. It should be understood that the first server 101 may also be a personal computer acting as a client. An attacker device cluster 200 is a cluster made up of multiple computers; it is also located in a wireless or wired network and launches DDoS attacks against the first server 101 through that network.
First embodiment
Referring to Fig. 2, which shows the flow chart of the network-layer DDoS attack source identification method provided by the first embodiment of the invention. As shown in Fig. 2, this embodiment describes the processing flow of the detection server. With reference to Fig. 1, the network-layer DDoS attack source identification method of this embodiment comprises the following steps:
Step 21: when the detection server detects that the first server is under DDoS attack, it obtains DDoS attack packets from the first server and extracts the attack source IP address and the TTL value of the attack source IP address from the DDoS attack packets.
Specifically, the detection server 103 monitors the data traffic of the first server 101 in real time to determine whether the first server is under DDoS (Distributed Denial of Service) attack. When it detects that the first server 101 is under DDoS attack, that is, when the data traffic of the first server 101 is abnormal, for example a large volume of scattered traffic or a large number of waiting TCP (Transmission Control Protocol) connections on the first server 101, it obtains DDoS attack packets from the first server 101, analyses them, and extracts the attack source IP (Internet Protocol) address and the TTL (Time To Live) value of the attack source IP address from the DDoS attack packets.
TTL is a field in the IP packet header, set by the sending host, that prevents a packet from circulating endlessly on the Internet. The original idea was to set a time limit beyond which the packet is discarded; since every router decrements the TTL field by at least one, TTL in practice indicates the maximum number of routers a packet can pass through before it is dropped. When the count reaches 0, the router discards the packet and sends an ICMP (Internet Control Message Protocol) message to the original sender. The initial TTL is usually an operating-system default value; the field occupies 8 bits in the packet header.
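The extraction in step 21 (and the per-packet DPI analysis of steps 33 and 43 below) boils down to reading the source address and TTL byte out of each packet's IPv4 header. The following Python is an added example, not code from the patent: it decodes the fixed IPv4 header, tallies the TTL values observed per source IP, and skips malformed packets. The capture is constructed inline and the helper names are my own.

```python
"""Extract source IP and TTL from raw IPv4 packets (added example; constructed data)."""
import ipaddress
import struct
from collections import Counter, defaultdict

# Fixed 20-byte IPv4 header: ver/IHL, TOS, total length, ident, flags/frag,
# TTL, protocol, checksum, source address, destination address.
IPV4_FIXED_HEADER = struct.Struct("!BBHHHBBH4s4s")


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed IPv4 header and return src, dst, TTL and protocol.

    IPv4 options (IHL > 5) are not decoded; a packet that is too short,
    not IPv4, or truncated before the end of its header raises ValueError.
    """
    if len(packet) < IPV4_FIXED_HEADER.size:
        raise ValueError("packet shorter than the 20-byte IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = IPV4_FIXED_HEADER.unpack_from(packet)
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid IHL or truncated header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,
        "header_len": ihl,
        "total_len": total_len,
    }


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Build a minimal IPv4 header for constructed test traffic (checksum left 0)."""
    return IPV4_FIXED_HEADER.pack(
        0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ttl_distribution(packets) -> dict:
    """Tally observed TTL values per source IP: {src: Counter({ttl: count})}.

    Malformed packets are skipped rather than aborting the whole capture,
    since a flood may well contain junk that never parses.
    """
    dist = defaultdict(Counter)
    for pkt in packets:
        try:
            hdr = parse_ipv4_header(pkt)
        except ValueError:
            continue
        dist[hdr["src"]][hdr["ttl"]] += 1
    return dict(dist)


# Constructed capture: two sources, one of which shows two different TTLs,
# plus a truncated fragment that must be skipped.
VICTIM = "192.0.2.10"
SAMPLE_CAPTURE = (
    [build_ipv4_header("198.51.100.7", VICTIM, 116)] * 3
    + [build_ipv4_header("203.0.113.9", VICTIM, 52)] * 2
    + [build_ipv4_header("203.0.113.9", VICTIM, 113)]
    + [b"\x45\x00"]
)

if __name__ == "__main__":
    for src, counts in ttl_distribution(SAMPLE_CAPTURE).items():
        print(src, dict(counts))
```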
Step 22: send a probe instruction containing the attack source IP address to a second server, the second server being in the same network topology as the first server.
Specifically, the detection server 103 selects any server in the same network topology as the first server 101 as the second server 102 and sends a probe instruction to the second server 102. The probe instruction contains the attack source IP address included in the DDoS attack packets obtained in step 21 and instructs the second server 102 to probe the attack source IP address.
It should be understood that, because of the characteristics of TTL, the first server 101 and the second server 102 must be in the same network topology, that is, the first server 101 and the second server 102 are behind the same switch or have adjacent IP addresses. Only then are the second server 102's probe results for the attack source IP address comparable, which in turn ensures the accuracy of DDoS attack source identification.
Step 23: receive the probe response packet that the second server returns in reply to the probe instruction, and extract the probe source IP address and the TTL value of the probe source IP address from the probe response packet.
Specifically, the detection server receives the probe response packet returned by the second server 102 in reply to the probe instruction, analyses it, and obtains the probe source IP address and the TTL value of the probe source IP address from the probe response packet.
Step 24: judge whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value.
Specifically, the comparison relies on the TTL characteristics of operating systems, for example the initial TTL value of Windows operating systems is generally 128 and that of Linux operating systems is generally 64. The difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is compared with the preset value to judge whether it is greater than the preset value. Preferably, the preset value is 5.
Because the TTL value effectively marks the transmission path of a packet, when an attacker launches a DDoS attack from random sources, although forged source addresses are used, the attacker cannot forge the positional relationship between the attacking host and the target host: whatever source IP address the attacker forges, attack packets from the same attack source reach the victim by the same routing path. Identifying whether a DDoS attack source is genuine by comparing the TTL value of the attack source IP address with the TTL value of the probe source IP address is therefore more efficient than the prior art of tracing layer by layer through the relevant information tables on the operator's routers.
If so, step 25 is performed: the attack source IP address is determined to be a forged IP address.
It should be understood that, since the probe response packet is obtained by the second server 102 from the terminal corresponding to the attack source IP address, the probe source IP address is the same as the attack source IP address, and the TTL value of the probe source IP address is the true TTL value of the attack source IP. If the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than the preset value, it can be confirmed that the DDoS attack packets were not sent by the terminal corresponding to the attack source IP address, and the attack source IP address is a forged IP address.
If not, step 26 is performed: the attack source IP address is determined to be a genuine IP address.
In the network-layer DDoS attack source identification method provided by this embodiment of the invention, when the detection server detects that the first server is under DDoS attack, it uses a second server in the same network topology as the first server to probe the DDoS attack source in reverse, and at the same time exploits the characteristics of the TTL value: by comparing the TTL value of the DDoS attack source IP address with the TTL value of the probe source IP address, it can quickly and efficiently identify whether a network-layer DDoS attack source IP address is genuine or forged.
Second embodiment
Referring to Fig. 3, which shows the flow chart of the network-layer DDoS attack source identification method provided by the second embodiment of the invention. As shown in Fig. 3, this embodiment describes the processing flow of the first server. With reference to Fig. 1, the network-layer DDoS attack source identification method of this embodiment comprises the following steps:
Step 31: when the detection server detects that the first server is under DDoS attack, it sends the first server a request to obtain all DDoS attack packets.
For the details of step 31, refer to the corresponding content of the first embodiment, which is not repeated here.
Step 32: receive all the DDoS attack packets that the first server returns in reply to the request.
Specifically, on receiving the request from the detection server 103 to obtain all DDoS attack packets, the first server 101 starts full packet capture, captures all current DDoS attack packets, and sends all the captured DDoS attack packets to the detection server 103.
Step 33: perform DPI analysis on all the DDoS attack packets, and obtain from each DDoS attack packet the attack source IP address and the TTL value of the attack source IP address.
DPI (Deep Packet Inspection) is an application-layer traffic inspection and control technique; put simply, it analyses and inspects traffic packet by packet. DPI is prior art and is not described further here.
Specifically, the detection server 103 uses DPI to analyse all the DDoS attack packets returned by the first server 101, obtains the attack source IP address and the TTL value of the attack source IP address from each DDoS attack packet, and thus extracts the attack sources and the distribution of their TTL values.
Step 34: send a probe instruction containing all the attack source IP addresses to the second server.
Specifically, the detection server 103 selects any server in the same network topology as the first server 101 as the second server 102 and sends a probe instruction to the second server 102. The probe instruction contains the IP addresses of all the DDoS attack sources extracted in step 33 and instructs the second server 102 to PING-probe the IP addresses of all the DDoS attack sources in turn.
Step 35: receive all the probe response packets that the second server returns in reply to the probe instruction.
Specifically, the probe response packets are obtained from the terminals corresponding to the attack source IP addresses when the second server 102, following the probe instruction, probes the attack source IP addresses with the PING command; the second server 102 returns all the probe response packets obtained by the PING probes to the detection server 103.
Step 36: perform DPI analysis on all the probe response packets, and extract from each probe response packet the attack source IP address and the TTL value of the attack source IP address.
Specifically, the detection server 103 performs DPI analysis on all the probe response packets returned by the second server 102 and extracts the attack source IP addresses in the probe response packets and their TTL distribution.
Step 37: judge whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than the preset value.
Specifically, since one DDoS attack may have multiple attack source IP addresses and correspondingly multiple probe source IP addresses, the detection server 103 compares, one by one, the TTL value of each attack source IP address with the TTL value of its corresponding probe source IP address, and judges for each attack source IP address whether the difference between its TTL value and the TTL value of its corresponding probe source IP address is greater than the preset value. Preferably, the preset value can be 5.
If so, step 38 is performed: the attack source IP address is determined to be a forged IP address.
For the details of step 38, refer to the corresponding content of the first embodiment, which is not repeated here.
If not, step 39 is performed: the attack source IP address is determined to be a genuine IP address.
In the network-layer DDoS attack source identification method provided by this embodiment of the invention, when the detection server detects that the first server is under DDoS attack, it uses a second server in the same network topology as the first server to probe the DDoS attack source in reverse, and at the same time exploits the characteristics of the TTL value: by comparing the TTL value of the DDoS attack source IP address with the TTL value of the probe source IP address, it can quickly and efficiently identify whether a network-layer DDoS attack source IP address is genuine or forged.
Third embodiment
Referring to Fig. 4, which shows the flow chart of the network-layer DDoS attack source identification method provided by the third embodiment of the invention. As shown in Fig. 4, this embodiment describes the processing flow of the user terminal. With reference to Fig. 1, the network-layer DDoS attack source identification method of this embodiment comprises the following steps:
Step 41: when the detection server detects that the first server is under DDoS attack, it sends a DDoS attack packet acquisition request to the first server.
Specifically, the detection server 103 monitors the data traffic of the first server 101 in real time to determine whether the first server is under DDoS (Distributed Denial of Service) attack. When it detects that the first server 101 is under DDoS attack, that is, when the data traffic of the first server 101 is abnormal, for example a large volume of scattered traffic or a large number of waiting TCP (Transmission Control Protocol) connections on the first server 101, it sends a DDoS attack packet acquisition request to the first server, requesting that the first server 101 capture all DDoS attack packets and return all the captured DDoS attack packets to the detection server 103.
Step 42: the first server obtains DDoS attack packets according to the acquisition request and returns the DDoS attack packets to the detection server.
Specifically, according to the acquisition request sent by the detection server 103, the first server 101 captures all the DDoS attack packets it is currently receiving and returns all the captured DDoS attack packets to the detection server 103.
Step 43: the detection server analyses the DDoS attack packets and obtains the attack source IP address and the TTL value of the attack source IP address.
Specifically, the detection server 103 performs DPI (Deep Packet Inspection) analysis on all the DDoS attack packets returned by the first server 101 and extracts the attack source IP addresses in the DDoS attack packets and the distribution of the TTL values of the attack source IP addresses.
Step 44: the detection server sends a probe instruction containing the attack source IP address to the second server.
Specifically, the detection server 103 selects any server in the same network topology as the first server 101 as the second server 102 and sends a probe instruction to the second server 102. The probe instruction contains the IP addresses of all the DDoS attack sources and instructs the second server 102 to probe the IP addresses of all the DDoS attack sources in turn.
Step 45: the second server probes the attack source IP address according to the probe instruction, obtains a probe response packet from the terminal corresponding to the attack source IP address, and sends the probe response packet to the detection server.
In one specific implementation of this embodiment, the second server 102 PING-probes the IP addresses of all the DDoS attack sources in turn to obtain the probe response packets. PING is a common communication protocol that belongs to the TCP/IP (Transmission Control Protocol/Internet Protocol) suite and is generally used to test whether a network path is reachable: PING sends an ICMP (Internet Control Message Protocol) echo request message to the destination and reports whether the expected ICMP echo reply is received. PING probing is a simple and effective way of obtaining the probe response packet from the attack source IP address, which improves the efficiency of DDoS attack source identification.
In other implementations of this embodiment, the second server 102 may also use other common Internet protocols such as Telnet or Traceroute to probe the IP addresses of all the DDoS attack sources in turn.
Step 46: the detection server extracts the probe source IP address and the TTL value of the probe source IP address from the probe response packet, and judges whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than the preset value; if so, the attack source IP address is determined to be a forged IP address, and if not, the attack source IP address is determined to be a genuine IP address.
Specifically, the detection server 103 first performs DPI analysis on all the probe response packets returned by the second server 102 and extracts the attack source IP addresses in the probe response packets and their TTL distribution. It then compares, one by one, the TTL value of each attack source IP address with the TTL value of its corresponding probe source IP address, and judges for each attack source IP address whether the difference between its TTL value and the TTL value of its corresponding probe source IP address is greater than the preset value. Based on the characteristics of TTL, when the difference between the TTL value of an attack source IP address and the TTL value of the corresponding probe source IP address is greater than the preset value (for example 5), the deviation between the two TTL values is large and the attack source IP address can be determined to be a forged IP address. When the difference between the TTL value of an attack source IP address and the TTL value of the corresponding probe source IP address is less than or equal to the preset value, the attack source IP address can be determined to be a genuine IP address.
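The judgment of step 24 in the first embodiment, and its per-source form in step 37 of the second and step 46 of the third, is the following comparison. This Python is an added example, not the patent's own code: it takes the per-source TTL tallies from the attack capture and the TTLs seen in the probe replies, applies the preset threshold of 5, and also reports an estimated hop count from the 64/128 initial values the text cites. Treating the difference as an absolute value, adding 255 as a third initial TTL, and the "unknown" verdict for a source that never answered the probe are my assumptions; the input data is constructed.

```python
"""Classify DDoS attack sources as forged or genuine by TTL difference (added example)."""
from collections import Counter
from typing import Optional

PRESET_VALUE = 5  # threshold the patent prefers in steps 24, 37 and 46
# Common initial TTLs: 64 (Linux) and 128 (Windows) are cited by the patent;
# 255 is added here as an assumption for routers and other stacks.
INITIAL_TTLS = (64, 128, 255)


def dominant_ttl(ttl_counts: Counter) -> int:
    """TTL seen most often for one attack source in the captured attack packets."""
    return ttl_counts.most_common(1)[0][0]


def estimate_hops(ttl: int) -> int:
    """Assumed heuristic: smallest common initial TTL not below the observed
    TTL, minus the observed TTL, gives the number of routers traversed."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} out of range")


def classify_source(attack_ttl: int, probe_ttl: Optional[int],
                    preset: int = PRESET_VALUE) -> str:
    """Patent rule: |attack TTL - probe TTL| > preset -> 'forged', else 'genuine'.

    Absolute difference is an assumption (the patent just says 'difference').
    A source that never answered the probe cannot be compared: 'unknown'.
    """
    if probe_ttl is None:
        return "unknown"
    return "forged" if abs(attack_ttl - probe_ttl) > preset else "genuine"


def classify_sources(attack_dist: dict, probe_ttls: dict,
                     preset: int = PRESET_VALUE) -> dict:
    """Apply classify_source to every attack source.

    attack_dist: {ip: Counter({ttl: count})} from the attack capture (steps 33/43).
    probe_ttls:  {ip: ttl} taken from the probe replies (steps 35/45); an IP
                 missing here got no reply from the probed terminal.
    Returns {ip: {"attack_ttl", "probe_ttl", "hops", "verdict"}}.
    """
    report = {}
    for ip, counts in attack_dist.items():
        a_ttl = dominant_ttl(counts)
        p_ttl = probe_ttls.get(ip)
        report[ip] = {
            "attack_ttl": a_ttl,
            "probe_ttl": p_ttl,
            "hops": estimate_hops(a_ttl),
            "verdict": classify_source(a_ttl, p_ttl, preset),
        }
    return report


# Constructed input: per-source TTL tallies from the attack packets, and the
# TTLs observed in the second server's probe replies.
ATTACK_DIST = {
    "198.51.100.7": Counter({116: 40, 115: 2}),  # probe reply agrees: genuine
    "203.0.113.9": Counter({52: 30}),            # probe reply disagrees: forged
    "192.0.2.77": Counter({240: 10}),            # never answers the probe
}
PROBE_TTLS = {"198.51.100.7": 117, "203.0.113.9": 119}

if __name__ == "__main__":
    for ip, row in classify_sources(ATTACK_DIST, PROBE_TTLS).items():
        print(ip, row)
```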
The network layer DDOS attack source identification method provided by this embodiment of the present invention, when the detection server monitors that the first server is under DDOS attack, uses a second server located in the same network topology as the first server to reverse-probe the DDOS attack source and, exploiting the characteristics of the TTL value, compares the TTL value of the source IP address of the DDOS attack source with the TTL value of the detection source IP address, so that it can rapidly and efficiently identify whether the source IP address of a network layer DDOS attack is true or forged.
Fourth embodiment
Fig. 5 is a structural schematic diagram of the detection server provided by the fourth embodiment of the present invention. The detection server provided in this embodiment can be used to implement the network layer DDOS attack source identification method of the first embodiment. As shown in Fig. 5, the detection server 50 includes: a DDOS attack packet acquisition and analysis module 51, a probe instruction sending module 52, a probe response packet analysis module 53 and a judgment module 54.
The DDOS attack packet acquisition and analysis module 51 is used to, when it is monitored that the first server is under DDOS attack, obtain DDOS attack packets from the first server and extract the attack source IP address in the DDOS attack packet and the TTL value of the attack source IP address.
The probe instruction sending module 52 is used to send to the second server a probe instruction containing the attack source IP address obtained by the analysis of the DDOS attack packet acquisition and analysis module 51; the second server is located in the same network topology as the first server, and the probe instruction is used to instruct the second server to probe the attack source IP address.
The probe response packet analysis module 53 is used to receive the probe response packet returned by the second server according to the probe instruction sent by the probe instruction sending module, and to extract the detection source IP address in the probe response packet and the TTL value of the detection source IP address.
The judgment module 54 is used to judge whether the difference between the TTL value of the attack source IP address obtained by the analysis of the DDOS attack packet acquisition and analysis module 51 and the TTL value of the detection source IP address obtained by the analysis of the probe response packet analysis module 52 is greater than the preset value; if so, it determines that the attack source IP address is a forged IP address, and if not, it determines that the attack source IP address is a true IP address.
For the detailed process by which each functional module of the detection server 50 of this embodiment implements its function, refer to the specific content described in the embodiments shown in Figs. 1 to 4; it is not repeated here.
The network layer DDOS attack source identification device provided by this embodiment of the present invention, when it monitors that the first server is under DDOS attack, uses a second server located in the same network topology as the first server to reverse-probe the DDOS attack source and, exploiting the characteristics of the TTL value, compares the TTL value of the source IP address of the DDOS attack source with the TTL value of the detection source IP address, so that it can rapidly and efficiently identify whether the source IP address of a network layer DDOS attack is true or forged.
5th embodiment
Fig. 6 is a structural schematic diagram of the detection server provided by the fifth embodiment of the present invention. The detection server provided in this embodiment can be used to implement the network layer DDOS attack source identification methods of the second and third embodiments. As shown in Fig. 6, the detection server 60 includes: a DDOS attack packet acquisition and analysis module 61, a probe instruction sending module 62, a probe response packet analysis module 63 and a judgment module 64.
The DDOS attack packet acquisition and analysis module 61 is used to, when it is monitored that the first server is under DDOS attack, obtain DDOS attack packets from the first server and extract the attack source IP address in the DDOS attack packet and the TTL value of the attack source IP address. The DDOS attack packet acquisition and analysis module 61 includes: a DDOS attack packet acquisition request sending unit 611, a DDOS attack packet receiving unit 612 and a DDOS attack packet analysis unit 613. The DDOS attack packet acquisition request sending unit 611 is used to, when it is monitored that the first server is under DDOS attack, send to the first server a request to obtain all DDOS attack packets; the DDOS attack packet receiving unit 612 is used to receive all the DDOS attack packets sent by the first server in response to the request to obtain all DDOS attack packets sent by the DDOS attack packet acquisition request sending unit 611. The DDOS attack packet analysis unit 613 is used to perform DPI analysis on all DDOS attack packets received by the DDOS attack packet receiving unit 612, obtaining respectively the attack source IP address and the TTL value of the attack source IP address in each DDOS attack packet.
The probe instruction sending module 62 is used to send to the second server a probe instruction containing the attack source IP address obtained by the analysis of the DDOS attack packet acquisition and analysis module 61; the second server is located in the same network topology as the first server, and the probe instruction is used to instruct the second server to probe the attack source IP address. It is also used to send to the second server a probe instruction containing all the attack source IP addresses, the probe instruction being used to instruct the second server to probe the attack source IP addresses in all DDOS attack packets in turn using the PING command.
The probe response packet analysis module 63 is used to receive the probe response packets returned by the second server according to the probe instruction sent by the probe instruction sending module 62, and to extract the detection source IP address in the probe response packet and the TTL value of the detection source IP address. The probe response packet analysis module includes: a probe response packet receiving unit 631 and a probe response packet analysis unit 632. The probe response packet receiving unit 631 is used to receive all probe response packets returned by the second server according to the probe instruction sent by the probe instruction sending module; the probe response packets are obtained by the second server from the terminals corresponding to the attack source IP addresses when it probes the attack source IP addresses with the PING command according to the probe instruction. The probe response packet analysis unit 632 is used to perform DPI analysis on all probe response packets received by the probe response packet receiving unit 631, extracting respectively the attack source IP address and the TTL value of the attack source IP address in each probe response packet.
The judgment module 64 is used to judge whether the difference between the TTL value of the attack source IP address obtained by the analysis of the DDOS attack packet acquisition and analysis module 62 and the TTL value of the detection source IP address obtained by the analysis of the probe response packet analysis module 63 is greater than the preset value; if so, it determines that the attack source IP address is a forged IP address, and if not, it determines that the attack source IP address is a true IP address.
For the detailed process by which each functional module of the detection server 60 of this embodiment implements its function, refer to the specific content described in the embodiments shown in Figs. 1 to 4; it is not repeated here.
The network layer DDOS attack source identification device provided by this embodiment of the present invention, when it monitors that the first server is under DDOS attack, uses a second server located in the same network topology as the first server to reverse-probe the DDOS attack source and, exploiting the characteristics of the TTL value, compares the TTL value of the source IP address of the DDOS attack source with the TTL value of the detection source IP address, so that it can rapidly and efficiently identify whether the source IP address of a network layer DDOS attack is true or forged.
Sixth embodiment
Referring to Fig. 7, which shows a structural schematic diagram of the network layer DDOS attack source identification system provided by the sixth embodiment of the present invention. As shown in Fig. 7, the network layer DDOS attack source identification system 70 provided in this embodiment includes: a first server 71, a detection server 72 and a second server 73.
The first server 71 is used to send the DDOS attack packets to the detection server 72 according to the request to obtain DDOS attack packets sent by the detection server 72.
For the specific structure of the detection server 72, refer to the devices of the embodiments corresponding to Figs. 5 and 6; it is not repeated here.
The second server 73 is used to probe the attack source IP address according to the probe instruction sent by the detection server 72, obtain the probe response packet from the terminal corresponding to the attack source IP address, and send the probe response packet to the detection server 72. The second server 73 and the first server 71 are located in the same network topology.
For the detailed process by which each device in the network layer DDOS attack source identification system of this embodiment implements its function, refer to the methods of the embodiments corresponding to Figs. 1 to 4 and the devices of the embodiments corresponding to Figs. 5 and 6; it is not repeated here.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to each other. Since the device embodiments are basically similar to the method embodiments, they are described relatively briefly; for relevant details, refer to the description of the method embodiments.
It should also be noted that, in this document, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk, an optical disc or the like.
The above is only a preferred embodiment of the present invention and is not intended to limit the present invention in any form. Although the present invention has been disclosed by way of a preferred embodiment, this is not intended to limit it; any person skilled in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make changes or modifications yielding equivalent embodiments with equivalent variations. Any simple modification, equivalent change or adaptation made to the above embodiments according to the technical essence of the present invention, without departing from the content of the technical solution of the present invention, still falls within the scope of the technical solution of the present invention.

Claims (8)

1. A network layer DDOS attack source identification method, characterized by comprising:
a detection server, when monitoring that a first server is under DDOS attack, obtaining DDOS attack packets from the first server and extracting an attack source IP address in the DDOS attack packet and a TTL value of the attack source IP address;
sending a probe instruction containing the attack source IP address to a second server, the second server being any server selected by the detection server that is located in the same network topology as the first server, the probe instruction being used to instruct the second server to probe, in turn, the attack source IP addresses in all DDOS attack packets using the PING command;
receiving a probe response packet returned by the second server according to the probe instruction, and extracting a detection source IP address in the probe response packet and a TTL value of the detection source IP address, the probe response packet being obtained by the second server from the terminal corresponding to the attack source IP address when it probes the attack source IP address with the PING command according to the probe instruction; the detection source IP address being consistent with the attack source IP address, and the TTL value of the detection source IP address being the true TTL value of the attack source IP; and
judging whether the difference between the TTL value of the attack source IP address and the TTL value of the detection source IP address is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a true IP address.
2. The method according to claim 1, characterized in that the step of the detection server, when monitoring that the first server is under DDOS attack, obtaining DDOS attack packets from the first server and extracting the attack source IP address in the DDOS attack packet and the TTL value of the attack source IP address comprises:
the detection server, when monitoring that the first server is under DDOS attack, sending to the first server a request to obtain all DDOS attack packets;
receiving all DDOS attack packets returned by the first server according to the request;
performing DPI analysis on all DDOS attack packets;
obtaining respectively the attack source IP address and the TTL value of the attack source IP address in each DDOS attack packet.
3. The method according to claim 2, characterized in that the step of receiving the probe response packet returned by the second server according to the probe instruction and extracting the detection source IP address in the probe response packet and the TTL value of the detection source IP address comprises:
receiving all probe response packets returned by the second server according to the probe instruction;
performing DPI analysis on all probe response packets;
extracting respectively the attack source IP address and the TTL value of the attack source IP address in each probe response packet.
4. A network layer DDOS attack source identification method, characterized by comprising:
a detection server, when monitoring that a first server is under DDOS attack, obtaining DDOS attack packets from the first server and extracting an attack source IP address in the DDOS attack packet and a TTL value of the attack source IP address;
the detection server sending a probe instruction containing the attack source IP address to a second server, the second server being any server selected by the detection server that is located in the same network topology as the first server, the probe instruction being used to instruct the second server to probe, in turn, the attack source IP addresses in all DDOS attack packets using the PING command;
the second server probing the attack source IP address according to the probe instruction, obtaining a probe response packet from the terminal corresponding to the attack source IP address, and sending the probe response packet to the detection server, the probe response packet being obtained by the second server from the terminal corresponding to the attack source IP address when it probes the attack source IP address with the PING command according to the probe instruction; the detection source IP address being consistent with the attack source IP address, and the TTL value of the detection source IP address being the true TTL value of the attack source IP; and
the detection server extracting the detection source IP address in the probe response packet and the TTL value of the detection source IP address, and judging whether the difference between the TTL value of the attack source IP address and the TTL value of the detection source IP address is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a true IP address.
5. A network layer DDOS attack source identification device, applied to a detection server, characterized by comprising:
a DDOS attack packet acquisition and analysis module, for, when monitoring that a first server is under DDOS attack, obtaining DDOS attack packets from the first server and extracting an attack source IP address in the DDOS attack packet and a TTL value of the attack source IP address;
a probe instruction sending module, for sending to a second server a probe instruction containing the attack source IP address obtained by the analysis of the DDOS attack packet acquisition and analysis module, the second server being any server selected by the detection server that is located in the same network topology as the first server, the probe instruction being used to instruct the second server to probe, in turn, the attack source IP addresses in all DDOS attack packets using the PING command;
a probe response packet analysis module, for receiving the probe response packet returned by the second server according to the probe instruction sent by the probe instruction sending module, and extracting a detection source IP address in the probe response packet and a TTL value of the detection source IP address, the probe response packet being obtained by the second server from the terminal corresponding to the attack source IP address when it probes the attack source IP address with the PING command according to the probe instruction; the detection source IP address being consistent with the attack source IP address, and the TTL value of the detection source IP address being the true TTL value of the attack source IP;
a judgment module, for judging whether the difference between the TTL value of the attack source IP address obtained by the analysis of the DDOS attack packet acquisition and analysis module and the TTL value of the detection source IP address obtained by the analysis of the probe response packet analysis module is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a true IP address.
6. The device according to claim 5, wherein the DDOS attack packet acquisition and analysis module comprises:
a DDOS attack packet acquisition request sending unit, for, when monitoring that the first server is under DDOS attack, sending to the first server a request to obtain all DDOS attack packets;
a DDOS attack packet receiving unit, for receiving all DDOS attack packets sent by the first server according to the request to obtain all DDOS attack packets sent by the DDOS attack packet acquisition request sending unit;
a DDOS attack packet analysis unit, for performing DPI analysis on all DDOS attack packets received by the DDOS attack packet receiving unit, obtaining respectively the attack source IP address and the TTL value of the attack source IP address in each DDOS attack packet.
7. The device according to claim 6, characterized in that the probe response packet analysis module comprises:
a probe response packet receiving unit, for receiving all probe response packets returned by the second server according to the probe instruction sent by the probe instruction sending module;
a probe response packet analysis unit, for performing DPI analysis on all probe response packets received by the probe response packet receiving unit, extracting respectively the attack source IP address and the TTL value of the attack source IP address in each probe response packet.
8. A network layer DDOS attack source identification system, characterized by comprising: the detection server according to any one of claims 5 to 7, a first server and a second server;
the first server being used to send DDOS attack packets to the detection server according to the request to obtain DDOS attack packets sent by the detection server;
the second server being used to probe the attack source IP address according to the probe instruction sent by the detection server, obtain a probe response packet from the terminal corresponding to the attack source IP address, and send the probe response packet to the detection server;
wherein the second server and the first server are located in the same network topology.
CN201310325923.XA 2013-07-30 Network layer DDOS attack source discrimination, apparatus and system Active CN104348794B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310325923.XA CN104348794B (en) 2013-07-30 Network layer DDOS attack source discrimination, apparatus and system

Publications (2)

Publication Number Publication Date
CN104348794A CN104348794A (en) 2015-02-11
CN104348794B true CN104348794B (en) 2019-07-16

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1954545A (en) * 2003-03-03 2007-04-25 Cisco Technology, Inc. Using TCP to authenticate IP source addresses
CN101383812A (en) * 2007-09-03 2009-03-11 University of Electronic Science and Technology of China IP spoofing DDoS attack defense method based on active IP record
CN101582833A (en) * 2008-05-15 2009-11-18 Chengdu Huawei Symantec Technologies Co., Ltd. Method and device for processing spoofed IP data packet

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Hop-count filtering: an effective defense against spoofed DDoS traffic"; Cheng Jin et al.; CCS '03 Proceedings of the 10th ACM conference on Computer and communications security; 2003-10-30; Sections 1-2, Fig. 1

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant