CN105610851A - Method and system for defending distributed denial of service (DDoS) attack - Google Patents

Info

Publication number: CN105610851A
Authority: CN (China)
Prior art keywords: denial, speed, attack, ddos, service attack
Legal status: Granted
Application number: CN201610024274.3A
Other languages: Chinese (zh)
Other versions: CN105610851B (en)
Inventor: 马思玄
Current assignee: BEIJING LOCOJOY TECHNOLOGY Co Ltd
Original assignee: BEIJING LOCOJOY TECHNOLOGY Co Ltd
Application filed by BEIJING LOCOJOY TECHNOLOGY Co Ltd; priority to CN201610024274.3A; published as CN105610851A; granted and published as CN105610851B; legal status: active.

Classifications (CPC)

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Abstract

The invention discloses a method and system for defending against distributed denial of service attacks. The method comprises: detecting the IP addresses accessing the network within a set time slice, comparing the detected IP addresses with the legal IP addresses permitted to access, which are stored in a legal IP record set in a database, and determining the rate of increase of the number of new IP addresses per unit time; then, according to that rate, executing the no-attack processing mode and providing service normally, executing the processing mode for a probing (feeler) flooding DDoS attack, or executing the processing mode for a formal flooding DDoS attack. With the method and system, defensive strength can be adjusted dynamically to the attacker's attack type, so that the attacker's attack sources are directly rejected.

Description

Method and system for defending against distributed denial of service attacks
Technical field
The present application relates to the field of network security, and specifically to a method and system for defending against distributed denial of service attacks.
Background technology
Distributed denial of service (DDoS) attacks are one of the major threats to network security. Such attacks have paralysed the websites of several well-known e-commerce providers (Yahoo, eBay, Amazon and others) for hours or even days, causing huge economic losses. A denial of service attack is very easy to launch and, unlike other attacks, requires little technical skill.
The fundamental reason denial of service attacks are easy to carry out is the fragility of the TCP/IP protocol suite. TCP/IP is the foundation of the Internet; it was designed for an open community whose members trust each other, its implementations strive for efficiency, and security factors (data authentication, integrity, security services and so on) were not considered. For example, network congestion control is implemented at the TCP layer and can only be enforced at the end nodes, so large volumes of packets can reach an end node unhindered. Routers determine routes solely from the destination address, and a user can set the source IP address arbitrarily, so source address spoofing (IP spoofing) is easy to carry out. Denial of service attacks exploit exactly this weakness, which makes the true source of an attack hard to trace and attack packets very hard to identify.
A traditional denial of service attack strikes a target from a single attack source and can easily be recognised from the traffic volume. In recent years, however, denial of service attacks have evolved into a form in which many attack sources strike one target simultaneously, that is, the distributed denial of service attack. The characteristics of a DDoS attack closely resemble a normal peak in network access; in particular, attackers forge and randomly vary the source IP address and randomly vary the content of attack packets, so that the attack signature of a DDoS attack is hard to extract and the location of the attack sources is hard to determine.
Patent CN102891829A discloses a method and system for detecting and defending against distributed denial of service attacks that judges the number of packets and the IP addresses accessing the network within a set time, and blocks the illegal IP addresses when a flooding DDoS attack is detected. This prior-art scheme has the following shortcomings:
First, after recognising an attack the scheme only blocks the illegal IP addresses and takes no further action. If an attacker probes the target server with a test attack, works out its defence mode and then adjusts the attack pattern to the defence mechanism discovered, the defence of that scheme fails.
Second, when illegal IP addresses appear faster than the server can block them, the server can still crash.
Third, the server in that scheme rejects illegal IP addresses while still accepting new IP connections. Because the access volume is large, when a large wave of attack sources strikes the server it may crash before it has had time to reject them.
Summary of the invention
In view of this, the technical problem to be solved by the present application is to provide a method and system for defending against distributed denial of service attacks that can dynamically adjust defensive strength according to the attacker's attack type and thereby directly reject the attacker's attack sources.
To solve the above technical problem, the application provides the following technical scheme:
A method for defending against distributed denial of service attacks, characterised in that it comprises:
detecting the IP addresses accessing the network within a set time slice, comparing the detected IP addresses with the legal IP addresses permitted to access, which are stored in a legal IP record set in a database, and determining the rate of increase of the number of new IP addresses per unit time;
performing further operations according to the rate of increase of the number of new IP addresses per unit time:
when the rate of increase of the number of new IP addresses per unit time is less than a set first speed threshold, judging that no attack is under way, executing the no-attack processing mode and providing service normally;
when the rate of increase of the number of new IP addresses per unit time is greater than the set first speed threshold and less than a set second speed threshold, judging that a probing flooding DDoS attack is under way and executing the processing mode for a probing flooding DDoS attack;
when the rate of increase of the number of new IP addresses per unit time is greater than the set second speed threshold, judging that a formal flooding DDoS attack is under way and executing the processing mode for a formal flooding DDoS attack.
Preferably, wherein:
The processing mode for a probing flooding DDoS attack further comprises:
recording the addresses of the new IPs, and shielding the recorded new IP addresses once the rate of increase of the number of new IP addresses falls below the set first speed threshold.
Preferably, wherein:
The processing mode for a formal flooding DDoS attack further comprises:
suspending all external services, and recording and shielding the new IP addresses.
Preferably, wherein:
When the rate of increase of the number of new IP addresses falls below the set second speed threshold, all external services are resumed.
Preferably, wherein:
If the rate of increase of the number of new IP addresses per unit time drops below the set first speed threshold, the number of new IP addresses no longer increases, and the volume of special access also no longer increases, external service continues to be provided.
Preferably, wherein:
The first speed threshold and the second speed threshold are dynamic values.
Preferably, wherein:
While a probing flooding DDoS attack is under way, the first speed threshold is dynamically adjusted according to the volume of special access during the probing flooding DDoS attack;
while a formal flooding DDoS attack is under way, the volumes of special access during the probing flooding DDoS attack and during the formal flooding DDoS attack are counted separately, and the second speed threshold is dynamically adjusted according to the comparison of the special-access volumes in the two processes.
Preferably, wherein:
After all probing flooding DDoS attacks and formal flooding DDoS attacks have ended, the list of shielded IP addresses is emptied.
A system implementing the above method for defending against distributed denial of service attacks, characterised in that it comprises:
a detection module, for detecting the IP addresses accessing the network within a set time slice, comparing the detected IP addresses with the legal IP addresses permitted to access that are stored in the legal IP record set of the database, and determining the rate of increase of the number of new IP addresses per unit time;
an attack processing module, for performing further operations according to the rate of increase of the number of new IP addresses per unit time:
when the rate of increase of the number of new IP addresses per unit time is less than the set first speed threshold, judging that no attack is under way, executing the no-attack processing mode and providing service normally;
when the rate of increase of the number of new IP addresses per unit time is greater than the set first speed threshold and less than the set second speed threshold, judging that a probing flooding DDoS attack is under way and executing the processing mode for a probing flooding DDoS attack;
when the rate of increase of the number of new IP addresses per unit time is greater than the set second speed threshold, judging that a formal flooding DDoS attack is under way and executing the processing mode for a formal flooding DDoS attack.
Preferably, wherein:
The processing mode for a probing flooding DDoS attack further comprises: recording the addresses of the new IPs, and shielding the recorded new IPs once the rate of increase of the number of new IP addresses falls below the set first speed threshold;
the processing mode for a formal flooding DDoS attack further comprises: suspending all external services, and recording and shielding the new IP addresses.
Compared with the prior art, the method and system described in the application achieve the following effects:
First, the method and system can selectively stop service according to the rate of increase of new IP addresses per unit time. The server appears to crash frequently, but in fact it uses the downtime to work through the accessing IPs and shield them, so that it does not really crash because the shielding speed lags behind the rate at which malicious IPs are added.
Second, even while service is stopped, the method and system can still record malicious IPs and shield them, so the server does not crash because the attack arrives too fast to shield in time.
Third, the method and system can distinguish a probing flood attack from a formal flood attack by the rate of increase of new IP addresses per unit time, and then take different countermeasures.
Fourth, the method and system can dynamically adjust the first and second speed thresholds according to the attack situation; service is actively stopped when the rate of increase of new IP addresses per unit time exceeds the second speed threshold and resumed when it falls below it, so the response can be adapted flexibly to the attack type.
Fifth, the method and system can empty the list of shielded IP addresses at any time without pressure, so that computers that were controlled and made to take part in the attack can still connect to the server normally afterwards.
Brief description of the drawings
The accompanying drawings described here are provided for further understanding of the application and form part of it; the schematic embodiments of the application and their description serve to explain the application and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flow chart of the method for defending against distributed denial of service attacks according to the present invention;
Fig. 2 is a schematic structural diagram of the system for defending against distributed denial of service attacks according to the present invention.
Detailed description of the invention
Certain terms are used throughout the description and claims to refer to particular components. Those skilled in the art will appreciate that hardware manufacturers may refer to the same component by different names. This description and the claims do not distinguish components by differences in name but by differences in function. "Comprising", as used throughout the description and claims, is an open term and should be construed as "including but not limited to". "Roughly" means within an acceptable error range, within which a person skilled in the art can solve the technical problem and substantially achieve the described technical effect. In addition, "coupled" here includes any direct or indirect electrical coupling; if a first device is described as coupled to a second device, the first device may be electrically coupled to the second device directly, or indirectly through other devices or coupling means. The following description sets out preferred embodiments of the application in order to illustrate its principles, not to limit its scope. The scope of protection of the application is defined by the appended claims.
Embodiment 1
Figure 1 shows a specific embodiment of the method for defending against distributed denial of service attacks described in the application, comprising:
Step 101: detect the IP addresses accessing the network within a set time slice, compare the detected IP addresses with the legal IP addresses permitted to access that are stored in the legal IP record set of the database, and determine the rate of increase of the number of new IP addresses per unit time;
Step 102: perform further operations according to the rate of increase of the number of new IP addresses per unit time:
when the rate of increase of the number of new IP addresses per unit time is less than the set first speed threshold, judge that no attack is under way, execute the no-attack processing mode and provide service normally;
when the rate of increase of the number of new IP addresses per unit time is greater than the set first speed threshold and less than the set second speed threshold, judge that a probing flooding DDoS attack is under way and execute the processing mode for a probing flooding DDoS attack;
when the rate of increase of the number of new IP addresses per unit time is greater than the set second speed threshold, judge that a formal flooding DDoS attack is under way and execute the processing mode for a formal flooding DDoS attack.
In step 102, the processing mode for a probing flooding DDoS attack is further: record the addresses of the new IPs, and shield the recorded new IPs once the rate of increase of the number of new IP addresses falls below the set first speed threshold.
Before a formal flood attack an attacker generally probes first, and the probing does not usually crash the server. This is because the attacker's attack sources are not unlimited: if a large number of attack sources were used already during probing, many of them would be shielded by the server, an unnecessary loss for the attacker. The invention therefore sets a first speed threshold; when the rate of increase of new IP addresses exceeds the set first speed threshold, a probing flood attack is judged to be under way. During a probing flood attack no active defence is taken; instead the attack-source detection function is switched on, the IP addresses taking part in the probing are recorded, and they are shielded when the probing ends, which relieves part of the pressure when the formal attack arrives. In addition, the first speed threshold is a dynamic value: during a probing flood attack the attack type is analysed and the threshold is set accordingly; if there is more special access the first speed threshold is set to a higher value, and if there is less it is set to a smaller value.
In step 102, the processing mode for a formal flooding DDoS attack is further: suspend all external services, and record and shield the new IP addresses. Further, when the rate of increase of the number of new IP addresses falls below the set second speed threshold, all external services are resumed.
The invention also sets a second speed threshold, used to shut down service briefly during a formal flood attack. When the rate of increase in the number of attacking IPs exceeds the second speed threshold, all services are stopped briefly. After service is suspended, the attacking IPs recorded in the log are shielded immediately and with full effort. Although service is suspended, newly added attacking IP addresses can still be recorded: connections are accepted but no service is provided, and the newly added attacking IPs are added to the shielding list at the same time. When the attack volume is very large, too many attacking IPs are added and the speed at which the server writes the log, reads the log and shields lags behind the attack, so this takes some time. During this period, because service is suspended, the server can still record and shield these attack sources, so the attacker wastes a large number of attack sources without bringing the server down, gaining only a brief suspension of service. While attacking IP addresses are being shielded, the second speed threshold is dynamically adjusted according to a comparison of the special-access volume in the probing flood attack and in the formal flood attack. If the special-access volume is the same in both, the second speed threshold is left unchanged; if the special-access volume during the formal flood attack is greater than during the probing flood attack, the second speed threshold is turned down; otherwise it is turned up.
While IPs are being shielded, the number of attacking IPs also changes. When the rate of increase in the number of attacking IPs falls below the second speed threshold, the server resumes service, providing normal service while withstanding the attack. If the number of attacking IPs falls below the first speed threshold and no longer increases, and the special-access volume also no longer increases, service continues to be provided; if the attacking IPs increase again, the processing mode for a probing flooding DDoS attack or for a formal flooding DDoS attack is executed according to the assessed situation.
In this way the server establishes a rhythm of intermittently and briefly stopping service as the cost of continuously working through and shielding attacking IPs; in the end, because the attack sources available to the attacker are limited, all attacking IPs are shielded.
After all probing flooding DDoS attacks and formal flooding DDoS attacks have ended, the list of shielded IP addresses is emptied, so that the former attack sources can access the server normally again.
Special access in the present invention includes at least ARP attacks, ICMP attacks and attacks based on application layer protocols. Network access requires knowing the IP address and MAC address of both the visitor and the visited party; in an ARP attack the visitor uses a false IP and MAC address, so the visited party cannot find the visitor when replying and is kept busy handling this anomaly instead of responding to new external requests, which makes the target server lose network communication capacity. In an ICMP attack the attacker accesses a huge number of targets while disguising the source address as the server to be attacked, so that all of those targets reply to that server and paralyse it; this can be regarded as a reflection attack, weak in strength but highly covert. An attack based on an application layer protocol can be, for example, exploiting the e-mail transport protocol's permission to relay in order to send large volumes of spam.
Considering that the attack sources of a flood attack are limited and that a flood attack wins by volume, the attack sources do not possess advanced hacking skills; they can only accept the attacker's control and take uniform, generic actions. The invention therefore stops the attack from the attack sources by rejecting their source addresses, shrinking the flood attack until the server can bear it.
In the method of the present invention, a threshold range is established in advance according to the server's capacity to cope with each type of attack, so that while under attack the server can dynamically adjust the thresholds according to the analysed attack type. When the server is attacked and the rate of increase in the number of attack-source IP addresses exceeds the second speed threshold, service is actively cut off; the attacking IP addresses are only recorded and no service is provided, the attack sources are shielded with full effort, and the thresholds can be adjusted continuously throughout the attack. When the rate of increase in attack-source IP addresses falls below the defined threshold, service is resumed, and the server stands ready at any time to stop service again and shield attacking IPs, thus working through the attack-source IPs.
Embodiment 2
Building on Embodiment 1, the invention also provides a system for defending against distributed denial of service attacks that can implement the method of Embodiment 1. The system comprises:
Detection module 10: for detecting the IP addresses accessing the network within a set time slice, comparing the detected IP addresses with the legal IP addresses permitted to access that are stored in the legal IP record set of the database, and determining the rate of increase of the number of new IP addresses per unit time;
Attack processing module 20: for performing further operations according to the rate of increase of the number of new IP addresses per unit time:
when the rate of increase of the number of new IP addresses per unit time is less than the set first speed threshold, judging that no attack is under way, executing the no-attack processing mode and providing service normally;
when the rate of increase of the number of new IP addresses per unit time is greater than the set first speed threshold and less than the set second speed threshold, judging that a probing flooding DDoS attack is under way and executing the processing mode for a probing flooding DDoS attack;
when the rate of increase of the number of new IP addresses per unit time is greater than the set second speed threshold, judging that a formal flooding DDoS attack is under way and executing the processing mode for a formal flooding DDoS attack.
In the above system, the processing mode for a probing flooding DDoS attack is further: record the addresses of the new IPs, and shield the recorded new IPs once the rate of increase of the number of new IP addresses falls below the set first speed threshold; the processing mode for a formal flooding DDoS attack is further: suspend all external services, and record and shield the new IP addresses.
As the embodiments above show, the application achieves the five beneficial effects already listed in the Summary of the invention: intermittent suspension of service that lets the server work through and shield attacking IPs, recording and shielding of malicious IPs even while service is stopped, distinguishing probing floods from formal floods by the rate of increase of new IP addresses, dynamic adjustment of the first and second speed thresholds, and emptying the shielded IP list once the attack has ended.
Those skilled in the art will appreciate that embodiments of the application may be provided as a method, a device or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory and the like) containing computer-usable program code.
The above description illustrates and describes some preferred embodiments of the application, but as noted earlier it should be understood that the application is not limited to the forms disclosed here, which should not be regarded as excluding other embodiments; it may be used in various other combinations, modifications and environments, and may be changed within the scope of the inventive concept described here by the above teaching or by the skill or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the application fall within the scope of protection of the appended claims.

Claims (10)

1. A method for defending against a distributed denial-of-service attack, characterized in that it comprises:
detecting the IP addresses that access the network within a set time slice, comparing the detected IP addresses with the legitimately permitted access IP addresses saved in a legal IP record set in a database, and determining the growth rate of the number of new IP addresses per unit time;
performing further operations according to the growth rate of the number of new IP addresses per unit time:
when the growth rate of the number of new IP addresses per unit time is less than a set first rate threshold, judging that no attack is under way, and executing the processing mode for the non-attacked case, namely providing service normally;
when the growth rate of the number of new IP addresses per unit time is greater than the set first rate threshold and less than a set second rate threshold, judging that an exploratory DDoS flood attack is under way, and executing the processing mode for an exploratory DDoS flood attack;
when the growth rate of the number of new IP addresses per unit time is greater than the set second rate threshold, judging that a full-scale (formal) DDoS flood attack is under way, and executing the processing mode for a full-scale DDoS flood attack.
2. The method for defending against a distributed denial-of-service attack according to claim 1, characterized in that
the processing mode for an exploratory DDoS flood attack further comprises:
recording the new IP addresses, and, when the growth rate of the number of new IP addresses falls below the set first rate threshold, shielding the recorded new IP addresses.
3. The method for defending against a distributed denial-of-service attack according to claim 1, characterized in that
the processing mode for a full-scale DDoS flood attack further comprises:
suspending all external services, and recording and shielding the new IP addresses.
4. The method for defending against a distributed denial-of-service attack according to claim 3, characterized in that it further comprises:
when the growth rate of the number of new IP addresses falls below the set second rate threshold, resuming all external services.
5. The method for defending against a distributed denial-of-service attack according to claim 4, characterized in that it further comprises:
if the growth rate of the number of new IP addresses per unit time drops below the set first rate threshold, the number of new IP addresses no longer increases, and the volume of special accesses also no longer increases, continuing to provide external services.
6. The method for defending against a distributed denial-of-service attack according to any one of claims 1 to 5, characterized in that
the first rate threshold and the second rate threshold are dynamic values.
7. The method for defending against a distributed denial-of-service attack according to claim 6, characterized in that
when an exploratory DDoS flood attack is under way, the first rate threshold is dynamically adjusted according to the volume of special accesses during the exploratory DDoS flood attack;
when a full-scale DDoS flood attack is under way, the volumes of special accesses during the exploratory DDoS flood attack and during the full-scale DDoS flood attack are counted separately, and the second rate threshold is dynamically adjusted according to the comparison of the special access volumes of the two phases.
8. The method for defending against a distributed denial-of-service attack according to any one of claims 1 to 5, characterized in that it further comprises:
after all exploratory and full-scale DDoS flood attacks have ended, emptying the list of shielded IP addresses.
9. A system for defending against a distributed denial-of-service attack that implements the method of any one of claims 1 to 8, characterized in that it comprises:
a detection module, for detecting the IP addresses that access the network within a set time slice, comparing the detected IP addresses with the legitimately permitted access IP addresses saved in a legal IP record set in a database, and determining the growth rate of the number of new IP addresses per unit time;
an attack processing module, for performing further operations according to the growth rate of the number of new IP addresses per unit time:
when the growth rate of the number of new IP addresses per unit time is less than a set first rate threshold, judging that no attack is under way, and executing the processing mode for the non-attacked case, namely providing service normally;
when the growth rate of the number of new IP addresses per unit time is greater than the set first rate threshold and less than a set second rate threshold, judging that an exploratory DDoS flood attack is under way, and executing the processing mode for an exploratory DDoS flood attack;
when the growth rate of the number of new IP addresses per unit time is greater than the set second rate threshold, judging that a full-scale DDoS flood attack is under way, and executing the processing mode for a full-scale DDoS flood attack.
10. The system for defending against a distributed denial-of-service attack according to claim 9, characterized in that
the processing mode for an exploratory DDoS flood attack further comprises: recording the new IP addresses, and, when the growth rate of the number of new IP addresses falls below the set first rate threshold, shielding the recorded new IP addresses;
the processing mode for a full-scale DDoS flood attack further comprises: suspending all external services, and recording and shielding the new IP addresses.
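The claims above define a three-state controller driven by one signal, the number of previously unseen, non-allowlisted source addresses per time slice. The following is an added example written for this page, not code from the patent or its assignee, that models claims 1 to 5 and 8 as a small state machine over constructed traffic. The allowlist stands in for the "legal IP record set" kept in the database; the thresholds are fixed numbers (the dynamic adjustment of claims 6 and 7 depends on a "special access volume" the page does not define, so it is left as plain attributes an operator can change); equality with a threshold is treated as crossing it, which the claims leave unspecified; and the address ranges are documentation prefixes, not captured traffic.

```python
"""Three-tier new-IP growth-rate detector modelled on claims 1 to 5 and 8 (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, Iterable, List, Set, Tuple


class State(Enum):
    NORMAL = "normal"            # rate < t1: serve normally
    EXPLORATORY = "exploratory"  # t1 <= rate < t2: keep serving, record new sources
    FORMAL = "formal"            # rate >= t2: suspend service, record and shield


@dataclass
class Detector:
    t1: int                                           # first rate threshold (new IPs per slice)
    t2: int                                           # second rate threshold
    allowlist: Set[str] = field(default_factory=set)  # stands in for the "legal IP record set"
    seen: Set[str] = field(default_factory=set)       # non-allowlisted sources already counted
    recorded: Set[str] = field(default_factory=set)   # sources logged during an exploratory flood
    shielded: Set[str] = field(default_factory=set)   # sources currently blocked
    state: State = State.NORMAL
    serving: bool = True

    def observe(self, slice_ips: Iterable[str]) -> Dict[str, Any]:
        """Consume the source IPs seen in one time slice and apply the claimed handling."""
        # Shielded sources are dropped before they reach the counter.
        ips = {ip for ip in slice_ips if ip not in self.shielded}
        # "New" means not in the legal record set and not counted in an earlier slice.
        new = {ip for ip in ips if ip not in self.allowlist and ip not in self.seen}
        rate = len(new)          # growth of the new-IP count within this slice
        self.seen.update(new)
        actions: List[str] = []

        if rate >= self.t2:
            # Claim 3: full-scale flood; suspend all external services, record and shield at once.
            if self.serving:
                self.serving = False
                actions.append("suspend_service")
            self.shielded.update(new)
            actions.append(f"shield:{len(new)}")
            self.state = State.FORMAL
        elif rate >= self.t1:
            # Claim 2: exploratory flood; keep serving and only record the new sources.
            if not self.serving:
                self.serving = True          # claim 4: resume once the rate is below t2
                actions.append("resume_service")
            self.recorded.update(new)
            actions.append(f"record:{len(new)}")
            self.state = State.EXPLORATORY
        else:
            if not self.serving:
                self.serving = True          # claim 5: rate fell below t1, keep serving
                actions.append("resume_service")
            if self.state is State.EXPLORATORY and self.recorded:
                # Claim 2: shield the recorded sources once the rate drops below t1.
                self.shielded.update(self.recorded)
                actions.append(f"shield:{len(self.recorded)}")
                self.recorded.clear()
            self.state = State.NORMAL

        return {"rate": rate, "state": self.state, "serving": self.serving, "actions": actions}

    def clear_shield(self) -> int:
        """Claim 8: empty the shielded list after the attacks have ended; returns how many were freed."""
        freed = len(self.shielded)
        self.shielded.clear()
        return freed


LEGIT = {"10.0.0.1", "10.0.0.2"}   # constructed allowlist, not real data


def make_slices() -> List[Set[str]]:
    """Constructed per-slice source sets (documentation ranges, not captured traffic)."""
    return [
        LEGIT | {"198.51.100.1"},                            # 1 new source: normal
        LEGIT | {f"203.0.113.{i}" for i in range(1, 6)},     # 5 new: exploratory
        LEGIT | {f"203.0.113.{i}" for i in range(6, 26)},    # 20 new: full-scale
        LEGIT | {f"203.0.113.{i}" for i in range(26, 30)},   # 4 new: back to exploratory
        LEGIT | {"203.0.113.3"},                             # repeat source only: 0 new
    ]


def run(slices: List[Set[str]], t1: int = 3, t2: int = 10) -> Tuple[Detector, List[Dict[str, Any]]]:
    """Feed the slices through one detector and return it with the per-slice decisions."""
    det = Detector(t1=t1, t2=t2, allowlist=set(LEGIT))
    return det, [det.observe(s) for s in slices]


if __name__ == "__main__":
    det, results = run(make_slices())
    for i, r in enumerate(results, 1):
        print(f"slice {i}: rate={r['rate']:2d} state={r['state'].value:11s} "
              f"serving={r['serving']} {r['actions']}")
    print("shielded:", len(det.shielded), "freed:", det.clear_shield())
```

Two points the walk-through makes visible: a source that appears during the exploratory phase (203.0.113.3 above) keeps being served until the rate falls back under the first threshold, at which point the whole recorded batch is shielded together, so a probing bot that stays quiet is still caught; and because the signal is the count of never-before-seen sources, a flood from a fixed set of already-counted addresses contributes zero to the rate after its first slice, which is exactly the "number of new IP addresses no longer increases" condition of claim 5 and is also the reason spoofed-source floods are what this signal responds to.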
CN201610024274.3A 2016-01-14 2016-01-14 The method and system of defending distributed denial of service attack Active CN105610851B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610024274.3A CN105610851B (en) 2016-01-14 2016-01-14 The method and system of defending distributed denial of service attack

Publications (2)

Publication Number Publication Date
CN105610851A true CN105610851A (en) 2016-05-25
CN105610851B CN105610851B (en) 2018-11-09

Family

ID=55990389

Country Status (1)

Country Link
CN (1) CN105610851B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106357692A (en) * 2016-11-08 2017-01-25 广州华多网络科技有限公司 IP address access method and forged-source attack resistance method, device and server
CN107493282A (en) * 2017-08-16 2017-12-19 北京新网数码信息技术有限公司 Distributed attack processing method and device
CN107612937A (en) * 2017-10-26 2018-01-19 武汉理工大学 DHCP flood attack detection and defense method in an SDN
CN108390870A (en) * 2018-02-09 2018-08-10 北京天融信网络安全技术有限公司 Network attack defense method, apparatus, storage medium and device
CN110858831A (en) * 2018-08-22 2020-03-03 阿里巴巴集团控股有限公司 Security protection method, device and security protection equipment
CN111107069A (en) * 2019-12-09 2020-05-05 烽火通信科技股份有限公司 DoS attack protection method and device
CN112261019A (en) * 2020-10-13 2021-01-22 中移(杭州)信息技术有限公司 Distributed denial of service attack detection method, device and storage medium
CN112367311A (en) * 2020-10-30 2021-02-12 中移(杭州)信息技术有限公司 DDoS attack detection method, device, equipment and storage medium
CN114326382A (en) * 2021-11-16 2022-04-12 山东师范大学 Adaptive elastic tracking control method and system under spoofing attack

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060229022A1 (en) * 2005-03-30 2006-10-12 Tian Bu Detection of power-drain denial-of-service attacks in wireless networks
CN101505219A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Method and protection apparatus for defending against denial of service attacks
CN101980506A (en) * 2010-10-29 2011-02-23 北京航空航天大学 Flow-characteristic-analysis-based distributed intrusion detection method
CN102281295A (en) * 2011-08-06 2011-12-14 黑龙江大学 Method for mitigating distributed denial of service attacks
CN102801738A (en) * 2012-08-30 2012-11-28 中国人民解放军国防科学技术大学 Distributed DoS (Denial of Service) detection method and system based on summary matrices
CN102891829A (en) * 2011-07-18 2013-01-23 航天信息股份有限公司 Method and system for detecting and defending against distributed denial of service attacks
CN103916387A (en) * 2014-03-18 2014-07-09 汉柏科技有限公司 DDoS attack protection method and system
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device against DNS attacks
CN104065644A (en) * 2014-05-28 2014-09-24 北京知道创宇信息技术有限公司 Method and apparatus for recognizing CC attacks based on log analysis

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
严有日: "Analysis and prevention based on DDoS attack mechanisms", Journal of Langfang Teachers College (Natural Science Edition), Vol. 9, No. 6, December 2009 *
倪晓霞, 刘嘉勇, 吴少华: "Research on a detection and defense model for UDP-Flood attacks", Journal of Chengdu University of Information Technology, Vol. 24, No. 1, February 2009 *
卫瑜, 曾凡平, 蒋凡: "A distributed denial-of-service attack detection system based on similarity analysis", Computer Aided Engineering, Vol. 14, No. 2, June 2005 *

Also Published As

Publication number Publication date
CN105610851B (en) 2018-11-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant