CN106254394B - A kind of recording method and device of attack traffic - Google Patents
A kind of recording method and device of attack traffic
- Publication number: CN106254394B
- Application number: CN201610867805.5A
- Authority: CN (China)
- Prior art keywords: flow, time, data packet, sequence, record
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1458: Denial of Service
- H04L43/02: Capturing of monitoring data
- H04L43/0876: Network utilisation, e.g. volume of load or congestion level
- H04L43/10: Active monitoring, e.g. heartbeat, ping or trace-route
- H04L43/16: Threshold monitoring
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Abstract
The invention discloses a recording method and device for attack traffic, to solve the problems in the prior art that DDoS attack records are redundant and that leaving manual packet capture enabled for a long time degrades the protective performance of the protection tool. The recording method for attack traffic comprises: receiving a first request to start recording traffic, sent by the traffic detection engine, where the first request carries the packet sequence to be recorded and the first time at which that packet sequence was obtained; determining the flow value corresponding to the packet sequence from the size of each packet in the sequence; determining a traffic recording frequency from the flow value and the first time; and recording and storing the server access traffic according to the determined traffic recording frequency.
Description
Technical field
The present invention relates to the field of computer network security technology, and in particular to a recording method and device for attack traffic.
Background technique
DDoS (Distributed Denial of Service): a DDoS attack is formed when many DoS attack sources attack a certain server together. Using client/server technology, a DDoS attack combines multiple computers into an attack platform and launches DoS attacks against one or more targets, multiplying the power of a denial of service attack. The DDoS attack strategy relies on a large number of "zombie hosts" (hosts the attacker has compromised or can use indirectly) sending large volumes of seemingly legitimate network packets to the victim host, causing network congestion or exhaustion of server resources and thereby denial of service. Once a DDoS attack is under way, attack packets flood into the victim host and drown the packets of legitimate users, so that legitimate users cannot normally access the server's network resources. Completely recording the course of a DDoS attack helps researchers analyze DDoS traffic attacks and promptly devise effective defensive strategies.
The existing method of recording DDoS attack traffic generally relies on manual detection and recording: when a DDoS attack is detected, traffic packet capture is started by hand. This method can record DDoS attack traffic, but the recorded result contains a large amount of redundant information and the capture consumes some of the protection tool's performance resources. The reason is that the DDoS attack server continually adjusts its attack pattern according to the attack's effect until the target server is paralysed: during the attack, a given attack pattern may persist for a long time because its effect is good, while other attack patterns may exist only briefly because their effect is unsatisfactory. Under these conditions, uninterrupted manual packet capture produces a large number of redundant records of the same attack, and the records of the other attacks are buried among them. At the same time, because the duration of an attack is uncertain (it may continue throughout, or it may be intermittent), keeping manual packet capture always on degrades the protective performance of the protection tool.
It can thus be seen that how to record DDoS attack traffic accurately and efficiently without affecting the protective performance of the traffic protection tool has become one of the technical problems urgently awaiting a solution in the prior art.
Summary of the invention
The embodiment of the present invention provides a recording method and device for attack traffic, to solve the problems in the prior art that DDoS attack records contain a large amount of redundant traffic information and that keeping packet capture enabled for a long time affects the protective performance of the protection tool.
The embodiment of the present invention provides a recording method for attack traffic, comprising:
receiving a first request to start recording traffic, sent by the traffic detection engine, where the first request carries the packet sequence to be recorded and the first time at which that packet sequence was obtained;
determining the flow value corresponding to the packet sequence from the size of each packet included in the sequence;
determining the traffic recording frequency from the flow value and the first time; and
recording and storing the server access traffic according to the determined traffic recording frequency.
The embodiment of the present invention provides a recording device for attack traffic, comprising:
a receiving unit, for receiving the first request to start recording traffic sent by the traffic detection engine, where the first request carries the packet sequence to be recorded and the first time at which that packet sequence was obtained;
a first determination unit, for determining the flow value corresponding to the packet sequence from the size of each packet included in the sequence;
a second determination unit, for determining the traffic recording frequency from the flow value and the first time; and
a recording unit, for recording and storing the server access traffic according to the determined traffic recording frequency.
Beneficial effects of the present invention:
The recording method and device for attack traffic provided in the embodiment of the present invention start recording traffic only after receiving the first request to start recording sent by the traffic detection engine, and during recording they do not record at every moment. Instead, the flow value corresponding to each packet is determined from the size of each packet in the packet sequence to be recorded that is carried in the first request; the traffic recording frequency is then determined from the determined flow value and the first time of the packet sequence carried in the first request; and the server access traffic is recorded and stored according to that frequency. On the one hand, the recording frequency can be determined flexibly according to the variation of the current traffic, so that redundant records are eliminated and the quality of the traffic record improves; on the other hand, because large amounts of redundant traffic information are not recorded repeatedly, the time spent on recording is reduced, which solves the problem that keeping manual packet capture enabled for a long time degrades the protective performance of the protection tool, and eliminating the redundancy also saves storage space for the traffic record.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the description or be learned by practising the invention. The objectives and other advantages of the invention may be realized and obtained by the structure particularly pointed out in the written description, the claims and the accompanying drawings.
Detailed description of the invention
The drawings described here serve to provide a further understanding of the present invention and constitute a part of it; the illustrative embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the implementation flow of traffic detection by the traffic detection engine provided in the embodiment of the present invention;
Fig. 2a is a schematic diagram of the implementation flow of the recording method for attack traffic provided in the embodiment of the present invention;
Fig. 2b is a schematic diagram of the implementation flow for determining the traffic recording frequency in the recording method for attack traffic provided in the embodiment of the present invention;
Fig. 3 shows the first method of deleting traffic records from the memory of the traffic recording engine in the recording method for attack traffic provided in the embodiment of the present invention;
Fig. 4 shows the second method of deleting traffic records from the memory of the traffic recording engine in the recording method for attack traffic provided in the embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the recording device for attack traffic provided in the embodiment of the present invention.
Specific embodiment
The embodiment of the invention provides a recording method and device for attack traffic, to solve the problems in the prior art that DDoS attack records are redundant and that leaving manual packet capture enabled for a long time degrades the protective performance of the protection tool, and to save the storage space occupied by traffic records.
Preferred embodiments of the present invention are described below with reference to the drawings of the specification. It should be understood that the preferred embodiments described here serve only to illustrate and explain the present invention and are not intended to limit it, and that, absent conflict, the embodiments of the invention and the features in the embodiments may be combined with each other.
In the embodiment of the present invention, traffic detection is performed by a traffic detection engine, which notifies the traffic recording engine to record when it detects that the server access traffic in the unit time exceeds a preset threshold. It should be noted that the traffic detection engine detects the server access traffic in a periodic, continuous manner: it detects the server access traffic according to a preset period, and when each detection period arrives it counts the server access traffic in the unit time at the current moment. Specifically, the traffic detection engine detects the flow value corresponding to the packet sequence the server received in the unit time of the current detection period (that is, the ratio of the total size of all packets in the packet sequence received by the server to the period). The traffic detection engine judges whether the flow value corresponding to the packet sequence received by the server in the unit time of the current detection period exceeds the preset threshold and, if so, notifies the traffic recording engine to record the server access traffic.
Because the traffic detection engine and the traffic recording engine run in parallel and independently, the detection engine's detection of packet traffic does not affect the recording engine's recording of the server access traffic. If in the current detection period the traffic detection engine judges that the flow value of the packet sequence received by the server in the unit time does not exceed the preset threshold, the server access traffic is within the preset threshold range; however, the traffic detection engine may in the previous detection period have judged that the server access traffic in the unit time exceeded the preset threshold and notified the traffic recording engine to start recording. Therefore, in a specific implementation, when the traffic detection engine judges that the flow value of the packet sequence received by the server in the unit time does not exceed the preset threshold, it must further judge whether the traffic recording engine has been started: if it has, the traffic detection engine notifies it to stop recording; if it has not, the traffic detection engine detects the server access traffic again when the next detection cycle arrives. This repeats, so that the traffic recording engine starts or stops recording the server access traffic according to the notifications of the traffic detection engine. For its part, the traffic recording engine starts recording the server access traffic when triggered by the traffic detection engine, until it receives the signal from the traffic detection engine to stop recording; when it again receives the signal to start recording the server access traffic it starts recording again, until it again receives the signal to stop, and so on.
Embodiment one
As shown in Fig. 1, the implementation flow of traffic detection by the traffic detection engine provided in the embodiment of the present invention may comprise the following steps:
S11: when a detection cycle arrives, the traffic detection engine determines the flow value corresponding to the packet sequence received by the server from the size of each packet in that sequence, and then calculates the flow value of access to the server in the unit time.
In a specific implementation, at the end of a detection cycle the traffic detection engine counts the size of all packets the server received from the start of the detection cycle to the end of the unit time of the detection cycle, as the flow value corresponding to the packet sequence received in the current detection period.
S12: judge whether the flow value corresponding to the packet sequence received by the server in the unit time of the current detection period exceeds the preset threshold; if so, execute step S13, otherwise execute step S14.
The traffic detection engine compares the flow value $f_n$ of the packet sequence received by the server in the unit time of the current detection period, determined in step S11, with the preset threshold: if $f_n$ exceeds the preset threshold, step S13 is executed; otherwise, step S14 is executed.
S13: send the packet sequence received by the server in the current detection cycle, together with the first time at which that packet sequence was received, to the traffic recording engine.
In step S13 the traffic detection engine sends the packet sequence received in the current detection period and the first time $t_n$ at which it was received to the traffic recording engine, which carries out the subsequent recording process.
It should be noted that if the packet sequence received in the current detection period is the packet sequence the server received at the start of the current detection period, then the first time $t_n$ is the start time of the current detection period; if it is all the packets received from the start of the current detection period to the end of the detection cycle, then the first time $t_n$ is the end time of the current detection period.
Preferably, the traffic detection engine may also send the flow value $f_n$ corresponding to the packet sequence received in the current detection period to the traffic recording engine together with it.
S14: the traffic detection engine judges whether the traffic recording engine has been started; if so, execute step S15; if not, execute step S16.
S15: the traffic detection engine sends a signal to stop recording traffic to the traffic recording engine.
When step S14 finds that the traffic recording engine is recording the server access traffic, the traffic detection engine has already determined at the current moment that the server access traffic in the unit time is within the preset threshold range, so the traffic recording engine no longer needs to record this traffic. A stop-recording signal is therefore sent to the traffic recording engine, which stops recording the server access traffic after receiving it.
S16: detect whether the next detection cycle has arrived; if so, execute step S11, otherwise continue executing step S16.
In a specific implementation, because DDoS attacks are intermittent, if the traffic detection engine continuously detected the server access traffic and sent it to the traffic recording engine for recording, some normal server access traffic might be stored in memory, which would both waste the memory of the traffic recording engine and affect the protective performance of the protection tool. The traffic detection engine in the embodiment of the present invention therefore detects the packet sequence received by the server at a certain period, for example detecting every 10 seconds whether the flow value corresponding to the packet sequence the server received in the unit time exceeds the preset threshold. This relieves storage pressure without affecting the protective performance of the protection tool.
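The detection loop of steps S11 to S16, written out as an added example (not code from the patent): the engine computes the flow value of each 10-second period, sends a start request carrying the packet sequence, its first time and its flow value when the threshold is exceeded, and sends a stop signal only when the recorder is already started. The recorder stub, the `threshold` value and the packet sizes are constructed for this illustration; the page does not specify the recorder's interface.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class StartRequest:
    """The 'first request' of step S13: the period's packet sequence, the first
    time t_n at which it was received, and (preferably) its flow value f_n."""
    packet_sizes: List[int]
    first_time: float
    flow_value: Optional[float] = None


@dataclass
class RecordingEngineStub:
    """Stand-in for the traffic recording engine (assumed interface): it only
    remembers whether it is started and which signals it has received."""
    started: bool = False
    start_requests: List[StartRequest] = field(default_factory=list)
    stop_signals: int = 0

    def start_recording(self, request: StartRequest) -> None:
        self.started = True
        self.start_requests.append(request)

    def stop_recording(self) -> None:
        self.started = False
        self.stop_signals += 1


class DetectionEngine:
    """Steps S11-S16: periodic threshold detection that starts or stops the recorder."""

    def __init__(self, recorder: RecordingEngineStub, threshold: float, period: float = 10.0):
        self.recorder = recorder
        self.threshold = threshold      # preset threshold, bytes per unit time
        self.period = period            # detection period in seconds (page example: 10 s)
        self.period_end = 0.0           # end time of the most recent detection cycle

    def flow_value(self, packet_sizes: List[int]) -> float:
        """S11: total size of the packets received in the period, divided by the period."""
        return sum(packet_sizes) / self.period

    def on_detection_cycle(self, packet_sizes: List[int]) -> str:
        """Run one detection cycle over the packets received in it; return the action taken."""
        self.period_end += self.period
        f_n = self.flow_value(packet_sizes)
        if f_n > self.threshold:
            # S12 -> S13: the sequence spans the whole period, so t_n is the period end.
            self.recorder.start_recording(StartRequest(list(packet_sizes), self.period_end, f_n))
            return "start"
        if self.recorder.started:
            # S14 -> S15: traffic is back within the threshold while the recorder runs.
            self.recorder.stop_recording()
            return "stop"
        return "idle"  # S16: nothing to do until the next detection cycle arrives


def run_detection(periods: List[List[int]], threshold: float, period: float = 10.0):
    """Drive the engine over consecutive detection cycles; returns (actions, recorder)."""
    recorder = RecordingEngineStub()
    engine = DetectionEngine(recorder, threshold, period)
    actions = [engine.on_detection_cycle(p) for p in periods]
    return actions, recorder


# Constructed sample input: packet sizes (bytes) seen in five consecutive 10 s cycles.
SAMPLE_PERIODS = [
    [400, 300, 200],            # 90 B/s: quiet, recorder idle -> nothing
    [1500, 1500, 1500, 1500],   # 600 B/s: above threshold -> start request
    [1400, 1400, 1400, 1200],   # 540 B/s: still above -> another start request
    [500, 200],                 # 70 B/s: back under threshold while started -> stop
    [100],                      # 10 B/s: quiet and recorder idle -> nothing
]

if __name__ == "__main__":
    acts, rec = run_detection(SAMPLE_PERIODS, threshold=100.0)
    print(acts, [r.first_time for r in rec.start_requests], rec.stop_signals)
```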
Embodiment two
As shown in Fig. 2a, the implementation flow of the recording method for attack traffic provided in the embodiment of the present invention may comprise the following steps:
S21: receive the first request to start recording traffic sent by the traffic detection engine.
It should be noted that the first request is sent when the traffic detection engine detects that the server access traffic exceeds the preset threshold.
The first request carries the packet sequence to be recorded and the first time at which that packet sequence was obtained.
S22: determine the flow value corresponding to the packet sequence from the size of each packet in the sequence.
In a specific implementation, after receiving the packet sequence to be recorded, the traffic recording engine can determine the total size of the packet sequence from the size of each packet it includes, and thereby the flow value corresponding to the received packet sequence.
Preferably, if the first request carries the flow value corresponding to the packet sequence, step S22 may be skipped and the flow value corresponding to the received packet sequence obtained directly from the first request.
S23: determine the traffic recording frequency from the flow value corresponding to the packet sequence and the first time at which the packet sequence was obtained.
S24: record and store the server access traffic according to the determined traffic recording frequency.
In a specific implementation, in step S24 the traffic detection engine can record the server access traffic in the format described in Table 1, which may include the following fields: the time the packet sequence was received (corresponding to the first time in the embodiment of the present invention), the packet sequence, and the flow value corresponding to the packet sequence.
Table 1
Time the packet sequence was received | Packet sequence | Corresponding flow value
T1 | B1, B2, B3 ... | 2M
... | ... | ...
In a specific implementation, the traffic recording frequency in step S23 can be determined by the method shown in Fig. 2b, which may comprise the following steps:
S231: determine, respectively, the rate of recording the server access traffic and the server access traffic in the unit time.
The rate at which the traffic recording engine records the server access traffic can be denoted $v_c$; it can be determined from the total number of bytes the traffic recording engine records within a preset duration.
In a specific implementation, the server access traffic in the unit time can be determined according to the following formula, where:
$\Delta B$ is the difference between the preset maximum flow threshold and the determined flow value;
$\Delta t$ is the difference between the second time, at which the maximum flow threshold is reached, and the first time, where the second time is measured in advance from the determined flow value and the first time at which the packet sequence was received.
The preset maximum flow threshold can be the maximum traffic or maximum bandwidth the server can bear, denoted $B_{max}$. Taking the flow value corresponding to the packet sequence received in the current detection period as $f_c$ and the first time at which that packet sequence was received as $t_c$, the embodiment of the present invention has $\Delta B = B_{max} - f_c$.
To determine $\Delta t$, the second time $t_{max}$ at which the maximum flow threshold is reached must first be determined. Preferably, in the embodiment of the present invention the second time can be determined according to the following formula, where:
$t_{max}$ is the second time;
$B_{max}$ is the preset maximum flow threshold;
$\sigma_c$ is the correction factor determined from the flow value corresponding to the packet sequence received in the current detection period and the first time at which that packet sequence was received.
In the formula for the second time, because the trend of a DDoS attack is unstable (it generally presents a normal distribution at the start, then tends toward a steady state over time until it occupies the bandwidth of the whole network and normal access can no longer be served), the model of DDoS attack traffic shown in the following formula is established:
From the flow value $f_c$ corresponding to the packet sequence received in the current detection period and the first time $t_c$ at which that packet sequence was received, the traffic recording engine can use the DDoS attack traffic model to derive the calculation formula for the correction factor:
From the determined correction factor $\sigma_c$ and the maximum flow threshold $B_{max}$, the second time $t_{max}$ at which the maximum flow threshold $B_{max}$ is reached can be determined using the calculation formula for $t_{max}$, and then $\Delta t$ is obtained: $\Delta t = t_{max} - t_c$.
At this point, from the determined $\Delta B$ and the determined $\Delta t$, the server access traffic in the unit time can be determined:
S232: the ratio of the rate of recording the server access traffic to the server access traffic is the traffic recording frequency.
From step S231, the traffic recording frequency of the traffic recording engine can be determined:
It should be noted that if the determined server access traffic in the unit time and/or the change in the server access flow value is zero, the traffic recording frequency is set to a preset fixed frequency, denoted $f_{const}$. A zero change in the server access flow value is understood as follows: while the traffic recording engine is recording at the frequency determined in step S231, if within the current detection period the flow value corresponding to the packet sequence recorded now is identical to the flow value corresponding to the packet sequence recorded at the previous moment, the traffic recording engine determines that the change in the server access flow value is zero and records the server access traffic at the preset fixed frequency. The preset fixed frequency can be set according to the current performance of the protection tool, the network environment and similar factors.
In a specific implementation, with the traffic recording frequency determined in step S232, the traffic recording engine can record and store the server access traffic at that frequency, so that the recording frequency changes dynamically with the trend of the current server access traffic.
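Steps S231 and S232 with the fixed-frequency fallback, as an added example that is not code from the patent: $\Delta B$ and $\Delta t$ follow the page, but since the formulas for the unit-time access traffic and for $t_{max}$ are not reproduced in the text, the example assumes the access traffic is $\Delta B / \Delta t$ and takes $t_{max}$ as an input; `RecorderParams`, the sample values and the handling of $f_c$ above $B_{max}$ are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RecorderParams:
    """Preset values of the traffic recording engine (symbols as on the page)."""
    v_c: float       # rate of recording: bytes the engine records within the preset duration
    b_max: float     # B_max, the maximum traffic (or bandwidth) the server can bear
    f_const: float   # f_const, the preset fixed recording frequency used as fallback


def unit_time_access_traffic(f_c: float, t_c: float, t_max: float, b_max: float) -> float:
    """Step S231: server access traffic in the unit time from ΔB and Δt.

    ΔB = B_max - f_c and Δt = t_max - t_c follow the page. That the access
    traffic is the quotient ΔB / Δt is an assumption: the page says only that
    it is computed from the two differences.
    """
    delta_b = b_max - f_c
    delta_t = t_max - t_c
    if delta_t <= 0:
        # Assumption: t_max is predicted to lie after t_c; anything else is a
        # modelling error rather than a traffic value, so refuse to divide.
        raise ValueError("second time t_max must be later than first time t_c")
    return delta_b / delta_t


def recording_frequency(params: RecorderParams, f_c: float, t_c: float, t_max: float,
                        prev_flow: Optional[float]) -> float:
    """Step S232 plus the fallback rule.

    The frequency is the ratio of the recording rate v_c to the unit-time
    access traffic. If that traffic is zero, or f_c equals the flow value of the
    previous record (zero change), the preset f_const is used instead.
    """
    if prev_flow is not None and f_c == prev_flow:
        return params.f_const
    access = unit_time_access_traffic(f_c, t_c, t_max, params.b_max)
    if access <= 0:
        # access == 0 is the page's rule; a negative value (f_c above B_max) is
        # not covered by the page and is treated the same way here (assumption).
        return params.f_const
    return params.v_c / access


def plan_frequencies(params: RecorderParams,
                     samples: List[Tuple[float, float, float]]) -> List[float]:
    """Recording frequency for each detection period, given (f_c, t_c, t_max) samples.

    t_max is an input because its formula (with the correction factor sigma_c)
    is not reproduced on the page.
    """
    out: List[float] = []
    prev: Optional[float] = None
    for f_c, t_c, t_max in samples:
        out.append(recording_frequency(params, f_c, t_c, t_max, prev))
        prev = f_c
    return out


# Constructed sample: B_max = 10 000 B/s, the engine writes 1 000 B per preset
# duration, fallback of 2 records per unit time; one (f_c, t_c, t_max) per period.
PARAMS = RecorderParams(v_c=1000.0, b_max=10_000.0, f_const=2.0)
SAMPLES = [
    (2000.0, 0.0, 4.0),     # ΔB = 8000, Δt = 4 -> access 2000 -> 0.5 records per unit time
    (2000.0, 10.0, 14.0),   # flow value unchanged from the previous record -> f_const
    (6000.0, 20.0, 22.0),   # ΔB = 4000, Δt = 2 -> access 2000 -> 0.5
    (10000.0, 30.0, 31.0),  # ΔB = 0 -> access 0 -> f_const
]

if __name__ == "__main__":
    print(plan_frequencies(PARAMS, SAMPLES))
```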
Preferably, in order to relieve memory pressure on the traffic recording engine, the recording method for attack traffic provided in the embodiment of the present invention further comprises the following step: on receiving a second request, to stop recording traffic, sent by the traffic detection engine, stop recording the server access traffic, where the second request is sent when the traffic detection engine detects that the server access traffic in the unit time does not exceed the preset threshold. On this basis the traffic recording engine need not record the server access traffic continuously, which saves its memory and so improves the protective performance of the protection tool.
In a specific implementation, because the memory of the traffic recording engine is limited, its recording of the server access traffic may bring its memory to the storage cap. To avoid memory overflow in the traffic detection engine, the embodiment of the present invention may also optimize the memory of the traffic recording engine; it provides two methods for deleting traffic records from the memory of the traffic recording engine, introduced separately below.
Method one
Fig. 3 shows the first method, provided in the embodiment of the present invention, for deleting traffic records from the memory of the traffic recording engine; it may comprise the following steps:
S31: count the number of recorded packet sequences.
In a specific implementation, because each row of the data recorded in Table 1 corresponds to one packet sequence, the number of recorded packet sequences can be counted as the number of data records contained in Table 1.
S32: if the count exceeds the preset count, delete the packet sequences within a preset time range, in the time order in which the packet sequences were obtained.
In a specific implementation, after the number of recorded packet sequences has been counted in step S31 it is compared with the preset count. If it exceeds the preset count, little or no memory space remains. A DDoS attack divides into three periods: the start of the attack, the attack itself and the end of the attack. In the start and end periods the attack traffic is relatively small; in the middle period attacks are more frequent, and the DDoS traffic does not vary especially much in that middle period. Storing all of the traffic of this DDoS attack in memory would occupy a large memory space, so the received packet sequences can be sorted in time order and the traffic records within a preset time range deleted, where the preset time range can be the middle period of this DDoS attack; the invention does not limit this. For example, if the traffic records in memory have the times $t_0, t_1, t_2, t_3, t_4, t_5$ and corresponding flow values $L_0, L_1, L_2, L_3, L_4, L_5$, with $t_0 < t_1 < t_2 < t_3 < t_4 < t_5$ and $L_0 < L_1 < L_2 < L_3 < L_4 < L_5$, then when the traffic management module judges that the number of packet sequences exceeds the preset count it finds the packet sequences received at $t_2$ and $t_3$, which lie in the middle time range, and deletes the packet sequences corresponding to those moments. Alternatively, when the flow values of traffic records in memory are identical, the traffic management engine deletes the packet sequences in the traffic record whose flow values are identical. Of course, other methods may also be used to delete traffic records from the memory of the traffic recording engine; the invention does not limit this.
Method two
Fig. 4 shows the second method, provided in the embodiment of the present invention, for deleting traffic records from the memory of the traffic recording engine; it may comprise the following steps:
S41: count the memory space occupied by the recorded packet sequences.
In a specific implementation, the memory space occupied by the recorded packet sequences can be obtained from the flow value corresponding to each packet sequence.
S42: if the memory space occupied by the recorded packet sequences exceeds the preset memory threshold, delete the packet sequences within a preset time range, in the time order in which the packet sequences were obtained.
In a specific implementation, step S42 can delete the traffic records in the memory of the traffic recording engine by a method similar to step S32, which is not repeated here.
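Method one (steps S31 and S32, including the page's $t_0 \dots t_5$ example and the identical-flow-value variant) and Method two (steps S41 and S42) over a Table 1 style record list, as an added example that is not code from the patent. `FlowRecord`, the sample rows and the thresholds are constructed; summing the flow values for the occupied space and keeping the earliest of identical-flow-value records are assumptions the page leaves open.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One row of Table 1: reception time, packet sequence, corresponding flow value."""
    received_at: float
    packet_sizes: Tuple[int, ...]
    flow_value: float


def by_time(records: List[FlowRecord]) -> List[FlowRecord]:
    """Sort records in the time order in which their packet sequences were obtained."""
    return sorted(records, key=lambda r: r.received_at)


def count_records(records: List[FlowRecord]) -> int:
    """S31: each Table 1 row is one packet sequence, so the count is the row count."""
    return len(records)


def occupied_space(records: List[FlowRecord]) -> float:
    """S41: the page derives the occupied memory from each sequence's flow value;
    summing the flow values is the concrete reading used here (assumption)."""
    return sum(r.flow_value for r in records)


def delete_in_time_range(records: List[FlowRecord],
                         time_range: Tuple[float, float]) -> List[FlowRecord]:
    """S32/S42: drop the sequences whose reception time lies in the preset range
    (typically the middle period of the attack); everything else is kept in order."""
    lo, hi = time_range
    return [r for r in by_time(records) if not (lo <= r.received_at <= hi)]


def delete_duplicate_flow_values(records: List[FlowRecord]) -> List[FlowRecord]:
    """The alternative rule of Method one: records with an identical flow value are
    collapsed; keeping the earliest record of each value is an assumption."""
    seen = set()
    kept: List[FlowRecord] = []
    for r in by_time(records):
        if r.flow_value in seen:
            continue
        seen.add(r.flow_value)
        kept.append(r)
    return kept


def prune_memory(records: List[FlowRecord], max_count: int, max_space: float,
                 time_range: Tuple[float, float]) -> List[FlowRecord]:
    """Apply Method one (preset count) or Method two (preset memory threshold)
    when either limit is exceeded; otherwise leave the records untouched."""
    if count_records(records) > max_count or occupied_space(records) > max_space:
        return delete_in_time_range(records, time_range)
    return list(records)


# Constructed sample following the page's example: times t0..t5 with rising flow
# values L0..L5. With a preset count of 4, the t2 and t3 records in the middle
# time range are the ones deleted.
SAMPLE = [
    FlowRecord(0.0, (100, 200), 300.0),      # t0, L0
    FlowRecord(10.0, (500, 500), 1000.0),    # t1, L1
    FlowRecord(20.0, (900, 900), 1800.0),    # t2, L2
    FlowRecord(30.0, (1000, 1100), 2100.0),  # t3, L3
    FlowRecord(40.0, (1200, 1300), 2500.0),  # t4, L4
    FlowRecord(50.0, (1500, 1500), 3000.0),  # t5, L5
]

if __name__ == "__main__":
    kept = prune_memory(SAMPLE, max_count=4, max_space=float("inf"), time_range=(20.0, 30.0))
    print([r.received_at for r in kept])
```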
The recording method for attack traffic provided in the embodiment of the present invention starts recording traffic only after receiving the first request to start recording sent by the traffic detection engine, and during recording it does not record at every moment. After receiving the first request to start recording sent by the traffic detection engine, it determines the flow value corresponding to each packet from the size of each packet in the packet sequence to be recorded that is carried in the first request, then determines the traffic recording frequency from the determined flow value and the first time of the packet sequence carried in the first request, and records and stores the server access traffic according to the determined frequency. On the one hand, the recording frequency can be changed flexibly according to the variation of the current traffic, which reduces repeated records of the same traffic; on the other hand, the starting and stopping of traffic recording is controlled according to the recording frequency, which reduces the influence of the traffic recording engine on protective performance, reduces the memory occupied by redundant traffic information, and improves the quality of the DDoS attack traffic record.
Embodiment three:
Based on the same inventive concept, an embodiment of the present invention also provides an attack traffic recording device. Since the principle by which the device solves the problem is similar to that of the attack traffic recording method, the implementation of the device may refer to the implementation of the method, and repeated details are omitted.
Fig. 5 is a schematic structural diagram of the attack traffic recording device provided in an embodiment of the present invention. It comprises a receiving unit 50, a first determination unit 51, a second determination unit 52 and a recording unit 53, wherein:
Receiving unit 50 is used to receive the first request, sent by the flow detection engine, to start recording traffic; the first request carries the packet sequence to be recorded and the first time at which the packet sequence was obtained.
In a specific implementation, the first request is sent by the flow detection engine when it detects that the server access traffic per unit time exceeds a preset threshold.
First determination unit 51 is used to determine the flow value corresponding to the packet sequence according to the size of each packet contained in the packet sequence.
Second determination unit 52 is used to determine the flow recording frequency according to the flow value and the first time.
Recording unit 53 is used to record and store server access traffic according to the determined flow recording frequency.
In a specific implementation, second determination unit 52 specifically includes a first determining module and a second determining module, wherein:
The first determining module is used to determine separately the rate of recording server access traffic and the server access traffic per unit time.
The second determining module is used to determine the ratio of the rate of recording server access traffic to the server access traffic as the flow recording frequency.
In a specific implementation, the first determining module is specifically used to determine the server access traffic per unit time according to the following formula, wherein:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between the second time, at which the maximum flow threshold is reached, and the first time, wherein the second time is predicted from the flow value and the first time.
The first determining module is specifically used to determine the second time according to the following formula, wherein:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined from the flow value and the first time.
The first determining module is specifically used to determine σ_c from the flow value and the first time according to the following formula, wherein:
Specifically, the second determining module is specifically used to determine that the flow recording frequency is a preset fixed frequency if the first determining module determines that the server access traffic per unit time and/or the change in server access traffic is zero.
In a specific implementation, the device further includes a control unit 54, wherein:
Control unit 54 is used to stop recording server access traffic when a second request, sent by the flow detection engine, to stop recording traffic is received, wherein the second request is sent by the flow detection engine when it detects that the server access traffic per unit time does not exceed the preset threshold.
In a specific implementation, the device further includes a first statistic unit 55 and a first deletion unit 56, wherein:
First statistic unit 55 is used to count the number of recorded packet sequences.
First deletion unit 56 is used to delete the packet sequences within a preset time range, in the chronological order in which the packet sequences were obtained, if the number of recorded packet sequences counted by first statistic unit 55 exceeds a preset quantity value.
In a specific implementation, the device further includes a second statistic unit 57 and a second deletion unit 58, wherein:
Second statistic unit 57 is used to count the memory space occupied by the recorded packet sequences.
Second deletion unit 58 is used to delete the packet sequences within a preset time range, in the chronological order in which the packet sequences were obtained, if the memory space occupied by the recorded packet sequences counted by second statistic unit 57 exceeds a preset memory threshold.
For convenience of description, the above sections describe each module (or unit) separately by function. Of course, when implementing the present invention, the functions of the modules (or units) may be realized in one or more pieces of software or hardware. For example, the attack traffic recording device provided in embodiment three of the present invention may be arranged in a flow record engine, and the flow record engine completes the recording of server access traffic.
With the attack traffic recording method, device and flow record engine provided in the embodiments of the present invention, after receiving the first request to start recording traffic sent by the flow detection engine, the flow record engine determines the flow value from the size of each packet in the packet sequence to be recorded that is carried in the first request, then determines the flow recording frequency from that flow value and the first time of the packet sequence carried in the first request, and records and stores server access traffic at the determined flow recording frequency. On the one hand, the flow recording frequency can be changed flexibly according to changes in the current traffic, which reduces repeated recording of the same traffic; on the other hand, the flow recording frequency controls when recording starts and stops, which reduces the impact of the flow record engine on protection performance, reduces the memory occupied by redundant traffic information, and improves the quality of DDoS attack traffic records.
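As an added example (not part of the patent or of any NSFOCUS implementation), the method steps and the device units described above as a hypothetical Python flow record engine: start and stop requests, the flow value derived from packet sizes, the recording frequency with its fixed-frequency fallback, and the two deletion methods (count threshold and memory threshold, oldest records in the preset time window first). Assumptions: the flow value is the sum of the packet sizes, the server access traffic per unit time is approximated as flow value divided by the unit time because the patent's formula is not reproduced in this text, the recording rate is a configured constant, and the scenario traffic is constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Sequence


@dataclass(frozen=True)
class FlowRecord:
    first_time: float    # t_c: time at which the packet sequence was obtained (s)
    flow_value: int      # f_c: flow value of the packet sequence (bytes)
    packet_sizes: tuple  # the packet sizes themselves, kept for later analysis


class FlowRecordEngine:
    """Hypothetical flow record engine; the detection engine's requests are
    modelled as plain method calls (assumption)."""

    def __init__(self, record_rate: float, fixed_freq: float, max_records: int,
                 max_memory: int, delete_window: float) -> None:
        self.record_rate = record_rate      # rate of recording traffic (bytes/s)
        self.fixed_freq = fixed_freq        # preset fixed frequency (records/s)
        self.max_records = max_records      # preset quantity value (method one)
        self.max_memory = max_memory        # preset memory threshold (method two)
        self.delete_window = delete_window  # preset time range for deletion (s)
        self.records: Deque[FlowRecord] = deque()  # kept in acquisition order
        self.recording = False
        self.freq = fixed_freq

    @staticmethod
    def flow_value(packet_sizes: Sequence[int]) -> int:
        # Assumption: the flow value of a sequence is the sum of its packet sizes.
        return sum(packet_sizes)

    def record_frequency(self, flow_value: int, prev_flow_value: int,
                         unit_time: float = 1.0) -> float:
        """Frequency = recording rate / server access traffic per unit time;
        falls back to the fixed frequency when the traffic or its change is zero."""
        access_flow = flow_value / unit_time  # assumption, see lead-in
        if access_flow == 0 or flow_value - prev_flow_value == 0:
            return self.fixed_freq
        return self.record_rate / access_flow

    def handle_start(self, packet_sizes: Sequence[int], first_time: float) -> float:
        """First request: start recording and (re)determine the frequency."""
        self.recording = True
        value = self.flow_value(packet_sizes)
        prev = self.records[-1].flow_value if self.records else 0
        self.freq = self.record_frequency(value, prev)
        self.records.append(FlowRecord(first_time, value, tuple(packet_sizes)))
        self.prune()
        return self.freq

    def handle_stop(self) -> None:
        """Second request: stop recording until the next start request."""
        self.recording = False

    def memory_used(self) -> int:
        # S41: memory occupied by the records, estimated from each flow value.
        return sum(r.flow_value for r in self.records)

    def prune(self) -> None:
        """S32 / S42: delete records whose first time lies inside the preset
        window, oldest first, until both thresholds hold again."""
        if not self.records:
            return
        cutoff = self.records[0].first_time + self.delete_window
        while self.records and (len(self.records) > self.max_records
                                or self.memory_used() > self.max_memory):
            if self.records[0].first_time > cutoff:
                break  # nothing left inside the preset time range
            self.records.popleft()


def simulate() -> dict:
    """Constructed scenario: traffic ramps up over four start requests, the
    thresholds force deletion of the oldest records, then a stop request arrives."""
    eng = FlowRecordEngine(record_rate=4000, fixed_freq=2.0, max_records=3,
                           max_memory=6000, delete_window=10.0)
    freqs = [eng.handle_start(sizes, t) for t, sizes in
             [(0.0, (500, 500)), (1.0, (1000, 1000)),
              (2.0, (1000, 1000)), (3.0, (2000, 2000))]]
    eng.handle_stop()
    return {"freqs": freqs, "remaining": len(eng.records),
            "memory": eng.memory_used(), "recording": eng.recording}
```

The third start request repeats the previous flow value, so its change is zero and the engine falls back to the fixed frequency; the fourth pushes memory past the threshold and the two oldest records are deleted.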
The attack traffic recording device provided by the embodiments of the present application can be realized by a computer program. Those skilled in the art should understand that the module division described above is only one of many possible divisions; as long as the attack traffic recording has the functions described above, division into other modules, or no division into modules at all, falls within the protection scope of the present application.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the methods, apparatus (systems) and computer program products according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these modifications and variations.
Claims (16)
1. An attack traffic recording method, characterized by comprising:
receiving a first request, sent by a flow detection engine, to start recording traffic, the first request carrying a packet sequence to be recorded and a first time at which the packet sequence was obtained;
determining, according to the size of each packet contained in the packet sequence, a flow value corresponding to the packet sequence;
determining a flow recording frequency according to the flow value and the first time, comprising: determining separately a rate of recording server access traffic and the server access traffic per unit time; determining the ratio of the rate of recording server access traffic to the server access traffic as the flow recording frequency; and, if the server access traffic per unit time and/or the change in server access traffic is zero, determining that the flow recording frequency is a preset fixed frequency;
recording and storing server access traffic according to the determined flow recording frequency.
2. The method according to claim 1, characterized in that the first request is sent by the flow detection engine when it detects that the server access traffic per unit time exceeds a preset threshold.
3. The method according to claim 1, characterized by further comprising:
when a second request, sent by the flow detection engine, to stop recording traffic is received, stopping recording server access traffic, wherein the second request is sent by the flow detection engine when it detects that the server access traffic per unit time does not exceed the preset threshold.
4. The method according to claim 1, characterized in that the server access traffic per unit time is determined according to the following formula, wherein:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between the second time, at which the maximum flow threshold is reached, and the first time, wherein the second time is predicted from the flow value and the first time.
5. The method according to claim 4, characterized in that the second time is determined according to the following formula, wherein:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined from the flow value and the first time.
6. The method according to claim 5, characterized in that σ_c is determined from the flow value and the first time according to the following formula, wherein:
t_c is the first time;
f_c is the flow value.
7. The method according to claim 1, characterized by further comprising:
counting the number of recorded packet sequences;
if the number exceeds a preset quantity value, deleting the packet sequences within a preset time range in the chronological order in which the packet sequences were obtained.
8. The method according to claim 1, characterized by further comprising:
counting the memory space occupied by the recorded packet sequences;
if the memory space occupied by the recorded packet sequences exceeds a preset memory threshold, deleting the packet sequences within a preset time range in the chronological order in which the packet sequences were obtained.
9. An attack traffic recording device, characterized by comprising:
a receiving unit, used to receive a first request, sent by a flow detection engine, to start recording traffic, the first request carrying a packet sequence to be recorded and a first time at which the packet sequence was obtained;
a first determination unit, used to determine, according to the size of each packet contained in the packet sequence, a flow value corresponding to the packet sequence;
a second determination unit, used to determine a flow recording frequency according to the flow value and the first time, the second determination unit specifically including: a first determining module, used to determine separately a rate of recording server access traffic and the server access traffic per unit time; and a second determining module, used to determine the ratio of the rate of recording server access traffic to the server access traffic as the flow recording frequency, and specifically used to determine that the flow recording frequency is a preset fixed frequency if the first determining module determines that the server access traffic per unit time and/or the change in server access traffic is zero;
a recording unit, used to record and store server access traffic according to the determined flow recording frequency.
10. The device according to claim 9, characterized in that the first request is sent by the flow detection engine when it detects that the server access traffic per unit time exceeds a preset threshold.
11. The device according to claim 9, characterized by further comprising:
a control unit, used to stop recording server access traffic when a second request, sent by the flow detection engine, to stop recording traffic is received, wherein the second request is sent by the flow detection engine when it detects that the server access traffic per unit time does not exceed the preset threshold.
12. The device according to claim 9, characterized in that the first determining module is specifically used to determine the server access traffic per unit time according to the following formula, wherein:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between the second time, at which the maximum flow threshold is reached, and the first time, wherein the second time is predicted from the flow value and the first time.
13. The device according to claim 12, characterized in that the first determining module is specifically used to determine the second time according to the following formula, wherein:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined from the flow value and the first time.
14. The device according to claim 13, characterized in that the first determining module is specifically used to determine σ_c from the flow value and the first time according to the following formula, wherein:
t_c is the first time;
f_c is the flow value.
15. The device according to claim 9, characterized by further comprising:
a first statistic unit, used to count the number of recorded packet sequences;
a first deletion unit, used to delete the packet sequences within a preset time range, in the chronological order in which the packet sequences were obtained, if the number of recorded packet sequences counted by the first statistic unit exceeds a preset quantity value.
16. The device according to claim 9, characterized by further comprising:
a second statistic unit, used to count the memory space occupied by the recorded packet sequences;
a second deletion unit, used to delete the packet sequences within a preset time range, in the chronological order in which the packet sequences were obtained, if the memory space occupied by the recorded packet sequences counted by the second statistic unit exceeds a preset memory threshold.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610867805.5A CN106254394B (en) | 2016-09-29 | 2016-09-29 | A kind of recording method and device of attack traffic |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106254394A CN106254394A (en) | 2016-12-21 |
CN106254394B true CN106254394B (en) | 2019-07-02 |
Family
ID=57611203
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610867805.5A Active CN106254394B (en) | 2016-09-29 | 2016-09-29 | A kind of recording method and device of attack traffic |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106254394B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108234516B (en) * | 2018-01-26 | 2021-01-26 | 北京安博通科技股份有限公司 | Method and device for detecting network flooding attack |
CN110213118B (en) * | 2018-02-28 | 2021-04-06 | 中航光电科技股份有限公司 | FC network system and flow control method thereof |
CN111510418A (en) * | 2019-01-31 | 2020-08-07 | 上海旺链信息科技有限公司 | Block chain link point structure safety guarantee method, guarantee system and storage medium |
CN113364752B (en) * | 2021-05-27 | 2023-04-18 | 鹏城实验室 | Flow abnormity detection method, detection equipment and computer readable storage medium |
CN115118529B (en) * | 2022-08-29 | 2022-11-29 | 广州弘日恒天光电技术有限公司 | Data transmission method based on block chain |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105681211A (en) * | 2015-12-31 | 2016-06-15 | 北京安天电子设备有限公司 | Traffic recording method and system based on information extraction |
CN105763561A (en) * | 2016-04-15 | 2016-07-13 | 杭州华三通信技术有限公司 | Attack defense method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050278779A1 (en) * | 2004-05-25 | 2005-12-15 | Lucent Technologies Inc. | System and method for identifying the source of a denial-of-service attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| GR01 | Patent grant | |
| CP01 | Change in the name or title of a patent holder | |
| CP01 | Change in the name or title of a patent holder | Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Co-patentee after: NSFOCUS TECHNOLOGIES Inc.; Patentee after: NSFOCUS Technologies Group Co.,Ltd.; Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Co-patentee before: NSFOCUS TECHNOLOGIES Inc.; Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd. |