CN105119942B - A kind of flood attack detection method - Google Patents


Info

Publication number: CN105119942B
Authority: CN (China)
Prior art keywords: message, sync message, count value, hash, sync
Legal status: Active
Application number: CN201510590034.5A
Other languages: Chinese (zh)
Other versions: CN105119942A (en)
Inventors: 梁润强, 麦剑, 闵宇, 曾宪力, 黄劲聪, 欧吉增
Current Assignee: Guangdong Ruijiang Cloud Computing Co Ltd
Original Assignee: Guangdong Ruijiang Cloud Computing Co Ltd

Application filed by Guangdong Ruijiang Cloud Computing Co Ltd; priority to CN201510590034.5A; published as CN105119942A; application granted and published as CN105119942B; legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a flood attack detection method. The method includes: when a sync (SYN) message is received, extracting the message characteristic of the sync message; counting sync messages with identical message characteristics cumulatively to obtain a count value; when the confirmation (ACK) message for the sync message is received, decrementing the count value by 1; and when the count value exceeds a preset threshold, judging that a flood attack is in progress. By this scheme the embodiments of the invention improve the accuracy of flood attack detection, reduce the administrator's workload and improve the stability of the protected server.

Description

A kind of flood attack detection method
Technical field
The present invention relates to the field of flood attack detection, and in particular to a flood attack detection method.
Background technology
A SYN flood (SYN_FLOOD) is one of the well-known forms of denial-of-service (DoS) and distributed denial-of-service (DDoS) attack. It exploits a weakness of the TCP protocol by sending a large number of forged TCP connection requests, so that the attacked host's resources are exhausted (CPU fully loaded or memory depleted). When a TCP connection is established, the client sends a TCP message carrying the synchronize (SYN) flag; this sync message indicates the port used by the client and the initial sequence number of the TCP connection. After receiving the client's sync message and accepting the request, the server returns a synchronize+acknowledge (SYN+ACK) message, where acknowledge (ACK) means the TCP sequence number is advanced by one at this point. When the client receives the SYN+ACK message it returns a confirmation (ACK) message to the server, again advancing the TCP sequence number by one, and the TCP connection is complete. If the server has sent a SYN+ACK message but does not receive the corresponding confirmation from the client, it retransmits the SYN+ACK and waits for a period (roughly 30 s to 2 min) before discarding the unfinished connection. A flood attack consists of the server receiving a large number of such unfinished connection requests, so that legitimate client requests cannot be served. For the server to run stably, detecting flood attacks in time becomes the first priority.
At present, flood attack detection generally just counts the number of sync messages received; when that number exceeds a preset threshold, the server is judged to be under flood attack. The false-alarm rate of such a statistic is very high, and a high false-alarm rate tends to make administrators ignore the attack warnings the detection produces, which gives real attacks an opportunity to succeed.
Invention content
In view of this, the embodiments of the present invention provide a flood attack detection method, to solve the technical problem in the prior art that flood attack detection has a very high false-alarm rate.
An embodiment of the present invention provides a flood attack detection method, including:
when a sync message is received, extracting the message characteristic of the sync message;
counting sync messages with identical message characteristics cumulatively, as a count value;
when the confirmation message for the sync message is received, decrementing the count value by 1;
when the count value exceeds a preset threshold, judging that a flood attack is in progress.
The flood attack detection method provided by the embodiments extracts the message characteristic of each received sync message and counts sync messages with identical characteristics cumulatively; when the confirmation message corresponding to a sync message is received, the connection has been established, and the count value is decremented by 1 at that point. When the count value exceeds the preset threshold, a flood attack is judged to be in progress. Using this method improves the accuracy of flood attack detection, which reduces the administrator's workload and can greatly improve the stability of the protected server.
Description of the drawings
Other features, objects and advantages of the invention will become more apparent from reading the following detailed description of non-limiting embodiments with reference to the accompanying drawings:
Fig. 1 is a flow chart of a flood attack detection method provided by embodiment one of the present invention;
Fig. 2 is a flow chart of a flood attack detection method provided by embodiment two of the present invention.
Specific implementation mode
The invention is described in further detail below with reference to the drawings and embodiments. It is to be understood that the specific embodiments described here serve only to explain the invention and not to limit it. Note also that, for convenience of description, the drawings show only those parts related to the invention and not all of them.
Embodiment one
Fig. 1 is a flow chart of the flood attack detection method provided by embodiment one of the present invention. The method of this embodiment is intended for a server that detects flood attacks. It may be executed by a server-side flood attack detection device, which may be implemented in software and/or hardware and integrated in a server capable of detecting flood attacks. As shown in Fig. 1, the method includes:
S101: when a sync message is received, extract the message characteristic of the sync message.
In this embodiment, a sync message is a message sent by a user to the server, indicating that the user is initiating a data connection to the server. The message characteristic may be the source port, destination port, source address, destination address or protocol type of the message.
For example, when the server receives a sync message sent by a user, it extracts the message characteristic of that sync message. The extraction may use a single characteristic or a combination of several. Preferably the destination address of the sync message is extracted.
S102: count sync messages with identical message characteristics cumulatively, as the count value.
For example, the server counts sync messages with the same characteristic cumulatively to obtain the count value; preferably, sync messages with the same destination address are counted together. Counting may be done with a hash array or with a dedicated counting module; a hash array is preferred. Counting sync messages with identical characteristics may also include first judging whether the message characteristic of the sync message already exists in the server: if it exists, the count for sync messages with that characteristic is incremented; if not, the characteristic is first obtained and stored in the server. Preferably, it is first judged whether the message characteristic already exists in the first hash array: if so, the count for sync messages with that characteristic is incremented; if not, the characteristic is obtained and stored in the first hash array.
S103: when the confirmation message for the sync message is received, decrement the count value by 1.
For example, the confirmation message is the message a user sends to the server, after having sent the sync message requesting a connection and having received the server's reply, to confirm the connection. After receiving the confirmation message, the server establishes the service connection with that user.
For example, when the server receives the confirmation message corresponding to a sync message, a normal connection has been established between the server and the user, and the count value recorded for that sync message characteristic can be decremented by 1. The server may judge which confirmation message corresponds to a sync message by one message characteristic of the two messages or by a combination of several. Preferably, the source port, destination port, source address, destination address and protocol type (the IP five-tuple) of both the sync message and the confirmation message are extracted and combined. Concretely, the combination may be either of the following: compute a hash over the source port, destination port, source address, destination address and protocol type of each message and judge by the hash values; or compare the source port, destination port, source address, destination address and protocol type of the sync message, in a prescribed manner, against the destination port, source port, destination address, source address and protocol type of the confirmation message, field by field. Preferably, the five-tuples of the sync message and of the confirmation message are each hashed; when the two hash values are identical, the received confirmation message corresponds to that sync message, i.e. the user and the server have established a normal connection, and the count value for that sync message characteristic is decremented by 1.
For example, the preferred way for the server to compare the hash value of a received sync message with that of a confirmation message is as follows. A second hash array is created and its identification values are initialised to a first preset value, which may be chosen according to actual conditions. After the hash value of a sync message is obtained, the corresponding entry is looked up in the second hash array and its identification value is set to a second preset value, also chosen according to actual conditions. After the hash value of a confirmation message is obtained, the corresponding entry is looked up in the second hash array and its identification value is checked: if it is the second preset value, a sync message is waiting for this confirmation message, so the connection between the user and the server is established, the sync message count value is decremented by 1 and the identification value in the second hash array is reset to the first preset value. If the identification value found for the confirmation message's hash is still the first preset value, no sync message is waiting for this confirmation, and no connection between the user and the server is established.
S104: when the count value exceeds the preset threshold, judge that a flood attack is in progress.
For example, when the count value for a given sync message characteristic exceeds the preset threshold, the server is judged to be under flood attack. The threshold may be set according to actual conditions.
The flood attack detection method provided by embodiment one extracts the message characteristic of each received sync message and counts sync messages with identical characteristics cumulatively; when the confirmation message corresponding to a sync message is received, the server has established a connection with the user and the count value is decremented by 1; when the count value exceeds the preset threshold, a flood attack is judged to be in progress. Using this detection technique improves the accuracy of flood attack detection, which reduces the administrator's workload and can greatly improve the stability of the protected server.
Embodiment two
Fig. 2 is a flow chart of a flood attack detection method; this embodiment is a preferred example and specifically includes:
S201: create the first hash array and the second hash array.
For example, the first hash array, named H, is created to record the number of sync messages with the same destination address. The second hash array, named S, is created to store the connection state of sync messages; its identification values are initialised to 0.
S202: judge whether the message type is a sync message.
For example, judge whether the received message is a sync message; if so, execute S203, otherwise execute S208.
S203: extract the destination address of the sync message and store it in the first hash array; once the destination address is in the first hash array, increment its count value by 1.
S204: extract the source port, destination port, source address, destination address and protocol type of the sync message and hash them to obtain the sync message hash value.
S205: look up the sync message hash value in the second hash array and set the corresponding identification value to 1.
For example, the entry corresponding to the sync message hash value is looked up in the second hash array and its identification value is set to 1, indicating that the user that sent the sync message has initiated a connection to the server.
S206: judge whether the count value in the first hash array exceeds the preset value.
For example, the preset value is set according to actual conditions. If the count value in the first hash array exceeds the preset value, execute S207; otherwise the server is operating normally, and execution continues at S202.
S207: raise an alarm that the destination address is under flood attack.
For example, when the count value in the first hash array exceeds the preset value, a large number of sync messages with the same destination address have been sent to the server without establishing connections, and the server is judged to be under flood attack.
S208: judge whether the current message type is a confirmation message.
For example, if the received message is a confirmation message, execute S209; otherwise execute S202.
S209: extract the source port, destination port, source address, destination address and protocol type of the confirmation message and hash them to obtain the confirmation message hash value.
S210: look up the confirmation message hash value in the second hash array and judge whether the corresponding identification value is 1.
For example, the entry corresponding to the confirmation message hash value is looked up in the second hash array and its identification value is checked. If it is 1, a sync message is waiting for this confirmation message to complete the connection, and step S211 is executed; if it is 0, no sync message is waiting for this confirmation message, and execution returns to S202.
S211: decrement the count value in the first hash array by 1 and set the identification value in the second hash array to 0.
For example, decrementing the count value in the first hash array by 1 indicates that one sync message to that destination address has established a normal connection. Setting the identification value in the second hash array to 0 indicates that the confirmation message corresponding to the sync message has been received and the server has established a normal connection. After this step, execution loops back to S202.
Embodiment two of the present invention provides a specific implementation of the flood attack detection method: it records the destination address of sync messages, and confirms established connections by computing the five-tuple hash values of sync messages and confirmation messages, in order to detect whether a flood attack is in progress. Using this detection technique improves the accuracy of flood attack detection, which reduces the administrator's workload and can greatly improve the stability of the protected server.
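The following is an added example, written for this page and not code from the patent or its assignee, that implements the two hash arrays H and S of embodiments one and two (steps S101 to S104 and S201 to S211) in Python, next to the SYN-only counter the background section describes as prior art, and runs both over constructed traffic. The class and function names (FloodDetector, Packet, five_tuple, naive_alarms), the threshold and the addresses are assumptions; the traffic is constructed, not captured. A plain dict keyed by the five-tuple stands in for the patent's hash arrays, so collisions between distinct five-tuples do not arise here.

```python
"""Two-table SYN-flood detector from the patent text, beside the prior-art
SYN-only counter, run over constructed traffic. Added example, not patent code.

Table H: per destination address, SYNs seen minus SYNs later acknowledged.
Table S: per five-tuple, 1 while a SYN awaits its confirmation (ACK), else 0.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flag: str  # "SYN" or "ACK"; anything else is ignored by the detector


FiveTuple = Tuple[str, int, str, int, str]


def five_tuple(pkt: Packet) -> FiveTuple:
    """Key for table S: the five fields the patent hashes (S204/S209)."""
    return (pkt.proto, pkt.sport, pkt.src, pkt.dport, pkt.dst)


class FloodDetector:
    """Steps S201-S211 of embodiment two (hypothetical class name)."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.H: Dict[str, int] = defaultdict(int)        # first hash array
        self.S: Dict[FiveTuple, int] = defaultdict(int)  # second hash array, ident 0/1
        self.alarms: List[str] = []                      # destinations alarmed, in order

    def handle(self, pkt: Packet) -> bool:
        """Process one packet; return True if this packet raised an alarm (S207)."""
        if pkt.flag == "SYN":
            self.H[pkt.dst] += 1                   # S203: count per destination address
            self.S[five_tuple(pkt)] = 1            # S204/S205: SYN now awaits its ACK
            if self.H[pkt.dst] > self.threshold:   # S206
                self.alarms.append(pkt.dst)        # S207
                return True
        elif pkt.flag == "ACK":
            key = five_tuple(pkt)                  # S209
            if self.S.get(key) == 1:               # S210: a SYN is waiting for this ACK
                self.H[pkt.dst] -= 1               # S211: handshake completed
                self.S[key] = 0
            # ACK with no pending SYN (ident 0): nothing changes, back to S202
        return False


def naive_alarms(packets: List[Packet], threshold: int) -> Set[str]:
    """Prior-art baseline from the background section: count SYNs only."""
    counts: Dict[str, int] = defaultdict(int)
    alarmed: Set[str] = set()
    for p in packets:
        if p.flag == "SYN":
            counts[p.dst] += 1
            if counts[p.dst] > threshold:
                alarmed.add(p.dst)
    return alarmed


def run(packets: List[Packet], threshold: int) -> FloodDetector:
    det = FloodDetector(threshold)
    for p in packets:
        det.handle(p)
    return det


# Constructed traffic (assumed, not captured); RFC 5737 documentation addresses.
SERVER = "192.0.2.10"


def legitimate_burst(n: int, batch: int = 10) -> List[Packet]:
    """n clients complete the handshake: SYNs arrive in batches, then their ACKs."""
    pkts: List[Packet] = []
    for start in range(0, n, batch):
        group = [(f"198.51.100.{i % 250 + 1}", 40000 + i)
                 for i in range(start, min(start + batch, n))]
        pkts += [Packet(c, p, SERVER, 80, "tcp", "SYN") for c, p in group]
        pkts += [Packet(c, p, SERVER, 80, "tcp", "ACK") for c, p in group]
    return pkts


def spoofed_flood(n: int) -> List[Packet]:
    """n SYNs from spoofed sources that never confirm the connection."""
    return [Packet(f"203.0.113.{i % 250 + 1}", 1024 + i, SERVER, 80, "tcp", "SYN")
            for i in range(n)]


if __name__ == "__main__":
    threshold = 50
    good, bad = legitimate_burst(200), spoofed_flood(200)
    print("legitimate: naive", naive_alarms(good, threshold),
          "two-table", run(good, threshold).alarms[:1])
    print("flood:      naive", naive_alarms(bad, threshold),
          "two-table", run(bad, threshold).alarms[:1])
```

Running the module shows the difference the page claims: 200 legitimate connections trip the SYN-only counter at a threshold of 50, but H for the server never rises above the batch size because each confirmation decrements it; 200 spoofed SYNs that are never confirmed drive H to 200 and raise the alarm on the 51st. Two behaviours follow the text rather than improving on it: a retransmitted SYN with the same five-tuple is counted again in H while S stays at 1, so the single later ACK decrements H only once; and every distinct spoofed five-tuple leaves an entry in S, so a real deployment needs an eviction policy for the second array that the page does not describe.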
Note that the above are only preferred embodiments of the invention and the technical principles applied. Those skilled in the art will understand that the invention is not limited to the specific embodiments described here; various obvious changes, readjustments and substitutions can be made without departing from the scope of protection of the invention. Therefore, although the invention has been described in further detail by the above embodiments, it is not limited to them, and without departing from the inventive concept it may include other equivalent embodiments; the scope of the invention is determined by the appended claims.

Claims (4)

1. A flood attack detection method, characterised in that it includes:
when a sync message is received, extracting the message characteristic of the sync message;
counting sync messages with identical message characteristics cumulatively, as a count value, wherein the message characteristic is the source port, destination port, source address, destination address and protocol type of the message;
when the confirmation message of the sync message is received, decrementing the count value by 1, wherein the confirmation message corresponding to the sync message is judged by one message characteristic of the sync message and the confirmation message, or by a combination of several characteristics;
when the count value exceeds a preset threshold, judging that a flood attack is in progress.
2. The method according to claim 1, characterised in that counting sync messages with identical message characteristics cumulatively, as a count value, includes:
counting sync messages with the same destination address cumulatively, as the count value.
3. The method according to claim 2, characterised in that counting sync messages with identical message characteristics cumulatively, as a count value, includes:
judging whether the message characteristic already exists in a first hash array; if not, storing the message characteristic in the first hash array; if so, incrementing by 1 the count value corresponding to the message characteristic in the first hash array.
4. The method according to claim 3, characterised in that
it further includes:
extracting the protocol type, source port, source address, destination port and destination address of the sync message and hashing them to obtain a first hash value of the sync message;
looking up the first hash value in a second hash array and changing the identification value corresponding to the first hash value from an initial first preset value to a second preset value;
and correspondingly, decrementing the count value by 1 when the confirmation message of the sync message is received specifically includes:
when a confirmation message is received, extracting the protocol type, source port, source address, destination port and destination address of the confirmation message and hashing them to obtain a second hash value of the confirmation message;
looking up the second hash value in the second hash array and judging whether the identification value corresponding to the second hash value found is the second preset value; if so, decrementing the count value by 1 and changing the identification value to the first preset value.
Priority Applications (1)

Application Number: CN201510590034.5A
Priority Date: 2015-09-16
Filing Date: 2015-09-16
Title: A kind of flood attack detection method

Publications (2)

Publication Number: CN105119942A (en), Publication Date: 2015-12-02
Publication Number: CN105119942B (en), Publication Date: 2018-11-06

Family

ID=54667830

Family Applications (1)

Application Number: CN201510590034.5A
Title: A kind of flood attack detection method
Priority Date: 2015-09-16
Filing Date: 2015-09-16
Status: Active, CN105119942B (en)

Country Status (1)

Country: CN, Link: CN105119942B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number, Priority date, Publication date, Assignee, Title
CN107770113A * 2016-08-15 2018-03-06 台山市金讯互联网络科技有限公司 A kind of accurate flood attack detection method for determining attack signature
CN107770123A * 2016-08-15 2018-03-06 台山市金讯互联网络科技有限公司 A kind of flood attack detection method of central monitoring
CN107770122A * 2016-08-15 2018-03-06 台山市金讯互联网络科技有限公司 A kind of flood attack detection method of the central monitoring of optimization
CN107770114A * 2016-08-15 2018-03-06 台山市金讯互联网络科技有限公司 A kind of flood attack detection method of the distributed monitoring of optimization
CN107770120A * 2016-08-15 2018-03-06 台山市金讯互联网络科技有限公司 A kind of flood attack detection method of distributed monitoring
CN106357641B * 2016-09-18 2019-10-22 中国科学院信息工程研究所 Defence method and device for interest packet flood attacks in a content-centric network
CN107864156B * 2017-12-18 2020-06-23 东软集团股份有限公司 SYN attack defense method and device and storage medium
CN110166408B * 2018-02-13 2022-09-06 北京京东尚科信息技术有限公司 Method, device and system for defending flood attack
CN108471427B * 2018-06-27 2021-03-19 新华三信息安全技术有限公司 Method and device for defending attack
CN108810008B * 2018-06-28 2020-06-30 腾讯科技(深圳)有限公司 Transmission control protocol flow filtering method, device, server and storage medium
CN111756713B * 2020-06-15 2022-12-27 Oppo广东移动通信有限公司 Network attack identification method and device, computer equipment and medium
CN113709105B * 2021-07-20 2023-08-29 深圳市风云实业有限公司 SYN Flood attack detection method based on counting type bloom filter

Patent Citations (2)

Publication number, Priority date, Publication date, Assignee, Title
CN104811420A * 2014-01-23 2015-07-29 腾讯数码(天津)有限公司 Method and apparatus for preventing distributed denial of service (DDoS) attacks
CN104601591A * 2015-02-02 2015-05-06 中国人民解放军国防科学技术大学 Detection method of network attack source organization

Family Cites Families (5)

Publication number, Priority date, Publication date, Assignee, Title
CN101175013B * 2006-11-03 2012-07-04 飞塔公司 Denial of service attack protection method, network system and proxy server
CN101267313B * 2008-04-23 2010-10-27 成都市华为赛门铁克科技有限公司 Flooding attack detection method and detection device
CN101572609A * 2008-04-29 2009-11-04 成都市华为赛门铁克科技有限公司 Method and device for detecting denial of service attack
KR101574193B1 * 2010-12-13 2015-12-11 한국电子通信研究院 Apparatus and method for defending DDoS attack
CN104378369A * 2014-11-11 2015-02-25 上海斐讯数据通信技术有限公司 Wireless flooding attack prevention method


Legal Events

Code: Title / Description
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
CB02: Change of applicant information
    Address after: Rooms 705-708, Building 2, No. 121 Lingnan Avenue North, Chancheng District, Foshan, Guangdong, 528000
    Applicant after: GUANGDONG RUIJIANG CLOUD COMPUTING CO., LTD.
    Address before: Office 7-8, Zone A, East International, No. 121 Lingnan Avenue North, Chancheng District, Foshan, Guangdong, 528000
    Applicant before: Guangdong Efly Network Co., Ltd.
COR: Change of bibliographic data
GR01: Patent grant
EE01: Entry into force of recordation of patent licensing contract
    Application publication date: 20151202
    Assignee: Guangdong Yaoda Financial Leasing Co., Ltd
    Assignor: GUANGDONG EFLYCLOUD COMPUTING Co.,Ltd.
    Contract record no.: X2020980005383
    Denomination of invention: A flood attack detection method
    Granted publication date: 20181106
    License type: Exclusive License
    Record date: 20200826
PE01: Entry into force of the registration of the contract for pledge of patent right
    Denomination of invention: A flood attack detection method
    Effective date of registration: 20200904
    Granted publication date: 20181106
    Pledgee: Guangdong Yaoda Financial Leasing Co., Ltd
    Pledgor: GUANGDONG EFLYCLOUD COMPUTING Co.,Ltd.
    Registration number: Y2020980005729