CN105025028A - IP black hole discovering method based on flow analysis - Google Patents
- Publication number: CN105025028A (application number CN201510448680.8A)
- Authority: CN (China)
- Prior art keywords: address, black hole, record, target, field
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/10—Active monitoring, e.g. heartbeat, ping or trace-route
Abstract
The invention discloses an IP black hole discovery method based on traffic analysis and belongs to the technical field of IP network traffic analysis. An IP black hole detection system that analyses IP network traffic is deployed in the network. For every IP host it discovers, the system registers a state tracking record with three fields; on every IP packet received it updates the state tracking records of the source IP address and the destination IP address; and by analysing these continuously updated records it discovers the IP addresses or IP subnets in the network that do not respond. The method can detect in real time whether any host in the network is in the IP black hole state, greatly reduces the delay in discovering an IP black hole, and thereby provides a reference method for the timely discovery of network faults.
Description
Technical field
The present invention relates to the technical field of IP network traffic analysis, and more particularly to an IP black hole discovery method based on traffic analysis.
Background technology
At present a network commonly contains IP addresses or IP subnets that give no response: they only accept packets and never answer request packets. This not only makes the behaviour of the network uncertain but also seriously degrades its quality of service, so discovering these non-responding IP addresses or IP subnets (IP black holes) in time is very necessary. In the prior art the ping method is usually used to check whether such addresses respond. Although ping is simple and convenient to use, it has certain defects:
1. Ping uses ICMP packets; if a router in the network blocks ICMP packets, the ping may fail;
2. The destination host may, for security reasons, not respond to ICMP packets, in which case ping cannot succeed either;
3. When many non-responding IP addresses appear in the network, checking the response of each one with ping is a large amount of work and is not conducive to network management.
From the above analysis, ping is not an ideal scheme for discovering non-responding IP addresses and IP subnets in time.
Chinese patent publication CN101179515, published on 14 May 2008, discloses a method for suppressing black hole routes, comprising: a network device enables black hole routing and creates black hole route information that contains a destination IP address; when the network device receives a packet whose source IP address matches the destination IP address in that black hole route information, it deletes the black hole route information. In this method, after receiving a packet the network device looks up the black hole route table; if the table contains a black hole route corresponding to the packet's source IP address, the device can conclude that the IP address of the user terminal that sent the packet has come into effect, so it deletes the black hole route information at once, which lets packets sent to that user terminal trigger ARP detection immediately rather than only after the black hole route's ageing timer expires.
As another example, Chinese patent publication 102938769A, published on 20 February 2013, discloses a domain-flux botnet domain name detection method. Addressing the problem that botnets use domain-flux techniques to locate and hide themselves, it proposes a botnet domain name detection method based on the activity characteristics of domain names. Its steps are as follows: receive and parse DNS response packets, recording the IP addresses resolved for each domain name at fixed time intervals; group the domain names by second-level domain and resolved IP to obtain multiple domain name sets, each set containing one or more domain names; for each set, compute the interval from each domain name's first appearance to its last appearance as the effective duration of the domain name resolution; compute, within each set, the maximum proportion of all domain names that share each duration; and, according to a predefined threshold, output the list of domain names that use the domain-flux technique.
Neither of these schemes solves the three problems of the ping method described above.
Summary of the invention
The present invention addresses the defects and shortcomings of the above prior art by providing an IP black hole discovery method based on traffic analysis. The method can detect in real time whether any host in the network is in the IP black hole state, greatly reduces the delay in discovering IP black holes, and thereby provides a reference method for the timely discovery of network faults.
The present invention is realised by the following technical scheme:
An IP black hole discovery method based on traffic analysis, characterised in that an IP black hole detection system for analysing IP network traffic is deployed in the network. The IP black hole detection system specifically does the following: for every IP host it discovers it registers a state tracking record comprising three fields; on every IP packet received it updates the state tracking records of the source IP address and the destination IP address; and by analysing the continuously updated state tracking records it discovers the IP addresses or IP subnets in the network that do not respond.
The IP black hole detection system is deployed on a key node of the network; it can parse every traffic packet passing through that node, track the state information of every packet, and then forward the packet on.
The three fields of the state tracking record are the lastact field, the lastpeeract field and the syn_unhandled counter: lastact field: the time at which the IP host last sent an IP packet; lastpeeract field: the time at which the IP host last received an IP packet; syn_unhandled counter: the number of SYN requests the IP host has received without sending back a SYN segment containing an ACK as the response.
The concrete method is as follows:
1) track the source IP address and destination IP address inside every traffic packet received;
2) register one state tracking record for each IP address, comprising three fields: the lastact field, the lastpeeract field and the syn_unhandled counter;
3) on every IP packet received, look up the state tracking records corresponding to the source IP address and the destination IP address; if a record is not found, add it; if it is found, modify the record's three field values according to the rules of step 4);
4) for IP packets whose transport layer protocol is TCP, make the following judgements:
4-1 If the packet carries a TCP data payload, the source IP host and the destination IP host are communicating normally, and the state tracking records of the source IP address and the destination IP address are modified as follows: in the record corresponding to the source IP address, the lastact field is set to the current time; in the record corresponding to the destination IP address, the lastpeeract field is set to the current time and the syn_unhandled counter is cleared to 0;
4-2 If the packet is a SYN request, the source IP host has sent a SYN request to the destination IP host, and the state tracking records of the source IP address and the destination IP address are modified as follows: in the record corresponding to the source IP address, the lastact field is set to the current time; in the record corresponding to the destination IP address, the syn_unhandled counter is incremented, and it is then checked whether the syn_unhandled counter value is greater than 2; if so, the greater of the lastact and lastpeeract fields of the destination IP's tracking record is taken and compared with the current time, and if the difference exceeds 30 seconds the destination IP address is judged to be in the IP black hole state.
In this method, all other TCP and UDP packets received are not processed.
Compared with the prior art, the beneficial effects achieved by the present invention are as follows:
1. By deploying the IP black hole detection system in the network, the method continuously collects network traffic, analyses every IP packet collected, and maintains state tracking records for all source and destination IP addresses. It counts the SYN requests each destination IP host has received without responding and combines that count with an analysis of the state tracking records to judge whether the destination IP host is in the black hole state. Compared with the prior art, on the one hand the method is real-time: because traffic in the network is collected and analysed in real time, it finds the non-responding IP hosts or IP subnets in the network in real time; on the other hand its cost is low: only the IP black hole detection system needs to be deployed in the network, the traffic collected in real time is enough to identify the non-responding IP addresses, and no additional equipment or manpower is required, so the cost is much lower than that of other IP black hole discovery methods.
2. Through the concrete method of steps 1) to 4), in particular the registration of a state tracking record comprising the lastact field, the lastpeeract field and the syn_unhandled counter, and the detailed judgement that step 4) performs on IP packets whose transport layer protocol is TCP, the invention determines whether an IP address in the network is in the IP black hole state. Because the invention relies on TCP packets, it does not suffer from the defects of the ping method. Moreover, the invention only analyses and forwards traffic without altering its content, so it has no impact on normal network communication; in other words, the invention is transparent.
3. Step 2) uses three fields: the lastact and lastpeeract fields record how active an IP host is online, and the syn_unhandled counter records the number of SYN requests a destination IP host has received. These three fields build an IP black hole decision model whose workflow is set out in step 4): only when the syn_unhandled counter of a destination IP address exceeds 2 is the black hole judgement made for that address, by comparing the address's last activity time with the current time, and only when the difference exceeds 30 seconds is the destination IP address judged to be in the IP black hole state. It can be seen that this decision model determines IP black holes simply and effectively.
4. Since all other TCP and UDP packets received are not processed, the system itself is protected from attack.
Description of the drawings
The present invention is described in further detail below with reference to the accompanying drawing, in which:
Fig. 1 is a schematic diagram of the data transmission process collected by the IP black hole detection system; the transmission process is simplified for ease of analysis.
Embodiment
The main technical basis of the present invention: in a transport-layer communication that uses TCP, a connection must be established between the two parties before any data is transmitted: the requesting end first sends a SYN segment; the serving end sends back a SYN segment containing an ACK as the response; finally the requesting end must send an ACK packet confirming the server's SYN segment. The connection is established by these three segments, a process called the three-way handshake. By counting the SYN request packets that receive no response and analysing the IP state tracking records, the online activity of every IP host can be analysed accurately, hosts in the black hole state can be discovered in time, and the network administrator can be reminded to handle the network fault.
SYN (synchronous) is the handshake signal TCP/IP uses when establishing a connection. When a normal TCP connection is set up between a client and a server, the client first sends a SYN packet, the server replies with SYN+ACK to indicate that it has received the packet, and finally the client responds with an ACK packet. A reliable TCP connection is then established between client and server, and data can be transmitted between them. ACK (acknowledgement) is a transmission-control character that a receiving station sends to a transmitting station in data communication, indicating that the data sent has been received without error.
As a preferred embodiment of the present invention, the aim of this scheme is to find whether a destination IP is in the black hole state, and the method adopted is as follows:
An IP black hole detection system for analysing IP network traffic is deployed in the network. The IP black hole detection system specifically does the following: for every IP host it discovers it registers a state tracking record comprising three fields; on every IP packet received it updates the state tracking records of the source IP address and the destination IP address; and by analysing the continuously updated state tracking records it discovers the IP addresses or IP subnets in the network that do not respond. The IP black hole detection system is deployed on a key node of the network; it can parse every traffic packet passing through that node, track the state information of every packet, and then forward the packet on.
The concrete method is as follows:
1) track the source IP address and destination IP address inside every traffic packet received;
2) register one state tracking record for each IP address, comprising three fields: the lastact field, the lastpeeract field and the syn_unhandled counter;
3) on every IP traffic packet received, look up the state tracking records corresponding to the source IP address and the destination IP address; if a record is not found, add it; if it is found, modify the record's three field values according to the rules of step 4);
4) for IP packets whose transport layer protocol is TCP, make the following judgements:
4-1 If the packet carries a TCP data payload, the source IP host and the destination IP host are communicating normally, and the state tracking records of the source IP address and the destination IP address are modified as follows: in the record corresponding to the source IP address, the lastact field is set to the current time; in the record corresponding to the destination IP address, the lastpeeract field is set to the current time and the syn_unhandled counter is cleared to 0;
4-2 If the packet is a SYN request, the source IP host has sent a SYN request to the destination IP host, and the state tracking records of the source IP address and the destination IP address are modified as follows: in the record corresponding to the source IP address, the lastact field is set to the current time; in the record corresponding to the destination IP address, the syn_unhandled counter is incremented, and it is then checked whether the syn_unhandled counter value is greater than 2; if so, the greater of the lastact and lastpeeract fields of the destination IP's tracking record is taken and compared with the current time, and if the difference exceeds 30 seconds the destination IP address is judged to be in the IP black hole state.
In this method, to prevent the system itself from being attacked, all other TCP and UDP packets received are not processed.
Referring to Fig. 1 of the accompanying drawings: Fig. 1 is a schematic diagram of the data transmission process collected by the IP black hole detection system, simplified for ease of analysis. In Fig. 1 the IP black hole detection system collects IP packets 1, 2, 3 and 4 at times t1, t2, t3 and t4. The corresponding update process of the tracking records of the source IP address and the destination IP address is shown in Table 1:
It can thus be seen that, by continuously collecting traffic in the network, keeping tracking records of the state of every IP address that appears in the network's IP traffic packets, constantly monitoring the packets sent and received by every IP address, and judging each IP's online activity accordingly, the method can discover the non-responding IP addresses or IP subnets in the network in real time; moreover, the method is simple and its cost is low.
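The per-packet update rules of steps 1) to 4) above (stated in the Summary and repeated in this embodiment), run over a small constructed capture in the spirit of the Fig. 1 walk-through, as an added example. This is illustrative code written for this page, not the patent's own implementation or any product's code. It assumes the capture has already been reduced to per-packet summaries (time, source, destination, protocol, SYN/ACK flags, payload length); the packet times and addresses are constructed, the initial values of lastact and lastpeeract for a newly registered address are an assumption (the patent does not state them), and "SYN request" is taken to mean a SYN segment without the ACK flag.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds exactly as stated in step 4-2 of the patent.
SYN_UNHANDLED_THRESHOLD = 2        # counter must be greater than 2
BLACK_HOLE_SILENCE_SECONDS = 30    # last activity more than 30 s ago


@dataclass
class TrackRecord:
    """The three-field state tracking record registered for each IP host."""
    lastact: float          # time this host last sent an IP packet
    lastpeeract: float      # time this host last received an IP packet
    syn_unhandled: int = 0  # SYN requests received without a SYN+ACK reply


@dataclass
class Packet:
    """Constructed packet summary carrying only the fields the method inspects."""
    t: float                # capture time in seconds
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    syn: bool = False
    ack: bool = False
    payload_len: int = 0


class BlackHoleDetector:
    def __init__(self) -> None:
        self.records: Dict[str, TrackRecord] = {}   # step 2: one record per address
        self.alerts: List[Tuple[float, str]] = []

    def _record(self, ip: str, now: float) -> TrackRecord:
        # Step 3: look up the record, adding one if the address is new.
        # Assumption (the patent gives no initial values): both timestamps
        # start at first sighting, so a new host cannot be flagged before
        # 30 s of silence have actually elapsed.
        rec = self.records.get(ip)
        if rec is None:
            rec = TrackRecord(lastact=now, lastpeeract=now)
            self.records[ip] = rec
        return rec

    def process(self, pkt: Packet) -> Optional[str]:
        """Apply steps 3 and 4 to one packet; return the destination address
        judged to be in the black hole state, or None."""
        src = self._record(pkt.src, pkt.t)
        dst = self._record(pkt.dst, pkt.t)
        if pkt.proto != "tcp":
            return None  # step 4 covers TCP only; everything else is ignored
        if pkt.payload_len > 0:
            # 4-1: a data-bearing segment means the two hosts are talking.
            src.lastact = pkt.t
            dst.lastpeeract = pkt.t
            dst.syn_unhandled = 0
            return None
        if pkt.syn and not pkt.ack:
            # 4-2: a SYN request (assumption: SYN without ACK; the SYN+ACK
            # reply is not a request and, carrying no payload, is ignored).
            src.lastact = pkt.t
            dst.syn_unhandled += 1
            if dst.syn_unhandled > SYN_UNHANDLED_THRESHOLD:
                last_seen = max(dst.lastact, dst.lastpeeract)
                if pkt.t - last_seen > BLACK_HOLE_SILENCE_SECONDS:
                    self.alerts.append((pkt.t, pkt.dst))
                    return pkt.dst
        return None

    def run(self, packets: List[Packet]) -> List[str]:
        """Feed a capture through the detector; return every black hole verdict."""
        return [ip for ip in (self.process(p) for p in packets) if ip]


def sample_traffic() -> List[Packet]:
    """Constructed capture: 10.0.0.5 answers normally, 10.0.0.9 never answers."""
    tcp, udp = "tcp", "udp"
    return [
        # Healthy handshake and data exchange with 10.0.0.5.
        Packet(0.0, "10.0.0.1", "10.0.0.5", tcp, syn=True),
        Packet(0.1, "10.0.0.5", "10.0.0.1", tcp, syn=True, ack=True),
        Packet(0.2, "10.0.0.1", "10.0.0.5", tcp, ack=True, payload_len=80),
        Packet(0.3, "10.0.0.5", "10.0.0.1", tcp, ack=True, payload_len=512),
        # Repeated SYNs to 10.0.0.9 with nothing ever coming back.
        Packet(1.0, "10.0.0.1", "10.0.0.9", tcp, syn=True),
        Packet(4.0, "10.0.0.1", "10.0.0.9", tcp, syn=True),
        Packet(10.0, "10.0.0.2", "10.0.0.9", tcp, syn=True),  # 3rd SYN, only 9 s silent
        Packet(20.0, "10.0.0.1", "10.0.0.9", udp),            # not TCP: ignored
        Packet(40.0, "10.0.0.2", "10.0.0.9", tcp, syn=True),  # 4th SYN, 39 s silent
    ]


if __name__ == "__main__":
    detector = BlackHoleDetector()
    for ip in detector.run(sample_traffic()):
        print(f"IP black hole: {ip}")
    for ip, rec in detector.records.items():
        print(ip, rec)
```

Two properties of the rules are visible in the trace. First, the third SYN to 10.0.0.9 alone is not enough: the counter exceeds 2 at t=10, but the address has been silent for only 9 s, so the verdict is deferred until a later SYN arrives after more than 30 s of silence. Second, because step 4-1 is the only rule that clears syn_unhandled, a host whose SYN+ACK is seen but which never exchanges a data-bearing segment keeps accumulating; the detector therefore has to sit on the key node described above, where it sees both directions of the conversation, for the payload rule to reset the counter.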
Claims (5)
1. An IP black hole discovery method based on traffic analysis, characterised in that: an IP black hole detection system for analysing IP network traffic is deployed in the network, and the IP black hole detection system specifically: registers, for every IP host it discovers, a state tracking record comprising three fields; updates the state tracking records of the source IP address and the destination IP address on every IP packet received; and discovers the IP addresses or IP subnets in the network that do not respond by analysing the continuously updated state tracking records.
2. The IP black hole discovery method based on traffic analysis according to claim 1, characterised in that the IP black hole detection system is deployed on a key node of the network.
3. The IP black hole discovery method based on traffic analysis according to claim 1, characterised in that the three fields of the state tracking record are the lastact field, the lastpeeract field and the syn_unhandled counter respectively.
4. The IP black hole discovery method based on traffic analysis according to claim 3, characterised in that: lastact field: the time at which the IP host last sent an IP packet; lastpeeract field: the time at which the IP host last received an IP packet; syn_unhandled counter: the number of SYN requests the IP host has received without sending back a SYN segment containing an ACK as the response.
5. The IP black hole discovery method based on traffic analysis according to claim 1, characterised in that the concrete method is as follows:
1) track the source IP address and destination IP address inside every traffic packet received;
2) register one state tracking record for each IP address, comprising three fields: the lastact field, the lastpeeract field and the syn_unhandled counter;
3) on every IP packet received, look up the state tracking records corresponding to the source IP address and the destination IP address; if a record is not found, add it; if it is found, modify the record's three field values according to the rules of step 4);
4) for IP packets whose transport layer protocol is TCP, make the following judgements:
4-1 If the packet carries a TCP data payload, the source IP host and the destination IP host are communicating normally, and the state tracking records of the source IP address and the destination IP address are modified as follows: in the record corresponding to the source IP address, the lastact field is set to the current time; in the record corresponding to the destination IP address, the lastpeeract field is set to the current time and the syn_unhandled counter is cleared to 0;
4-2 If the packet is a SYN request, the source IP host has sent a SYN request to the destination IP host, and the state tracking records of the source IP address and the destination IP address are modified as follows: in the record corresponding to the source IP address, the lastact field is set to the current time; in the record corresponding to the destination IP address, the syn_unhandled counter is incremented, and it is then checked whether the syn_unhandled counter value is greater than 2; if so, the greater of the lastact and lastpeeract fields of the destination IP's tracking record is taken and compared with the current time, and if the difference exceeds 30 seconds the destination IP address is judged to be in the IP black hole state.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510448680.8A CN105025028B (en) | 2015-07-28 | 2015-07-28 | IP black hole discovery method based on traffic analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105025028A (en) | 2015-11-04 |
CN105025028B (en) | 2018-07-24 |
Family
ID=54414732
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510448680.8A Expired - Fee Related CN105025028B (en) | 2015-07-28 | 2015-07-28 | IP black hole discovery method based on traffic analysis |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101179515A (en) * | 2007-12-24 | 2008-05-14 | 杭州华三通信技术有限公司 | Method and device for inhibiting black hole routing |
CN101582833A (en) * | 2008-05-15 | 2009-11-18 | 成都市华为赛门铁克科技有限公司 | Method and device for processing spoofed IP data packet |
CN102045300A (en) * | 2009-10-16 | 2011-05-04 | 成都市华为赛门铁克科技有限公司 | Detecting method, device and system of botnet |
US20110196961A1 (en) * | 2010-02-08 | 2011-08-11 | University Of Electronic Science And Technology Of China | Method for network anomaly detection in a network architecture based on locator/identifier split |
CN102801719A (en) * | 2012-08-08 | 2012-11-28 | 中国人民解放军装备学院 | Method for detecting botnet based on similarity measurement of host flow power spectrum |
CN104348794A (en) * | 2013-07-30 | 2015-02-11 | 深圳市腾讯计算机系统有限公司 | Network layer DDOS (Distributed Denial of Service) attack source identification method, device and system |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106961414A (en) * | 2016-01-12 | 2017-07-18 | 阿里巴巴集团控股有限公司 | Honeypot-based data processing method, apparatus and system |
CN111835735A (en) * | 2020-06-29 | 2020-10-27 | 新华三信息安全技术有限公司 | Anti-attack method, device, equipment and machine-readable storage medium |
CN111835735B (en) * | 2020-06-29 | 2023-12-29 | 新华三信息安全技术有限公司 | Anti-attack method, device, equipment and machine-readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN105025028B (en) | 2018-07-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20180724; Termination date: 20210728 |