CN106254394B - Method and device for recording attack traffic - Google Patents

Method and device for recording attack traffic

Info

Publication number
CN106254394B
CN106254394B
Authority
CN
China
Prior art keywords
flow
time
data packet
sequence
record
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610867805.5A
Other languages
Chinese (zh)
Other versions
CN106254394A (en)
Inventor
刘文辉
樊宇
张磊
何坤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events
    • Application CN201610867805.5A filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
    • Publication of CN106254394A
    • Application granted
    • Publication of CN106254394B
    • Legal status: Active
    • Anticipated expiration

Classifications

All entries fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L 63/1458 Denial of Service (under H04L 63/1441 Countermeasures against malicious traffic; H04L 63/14 Detecting or protecting against malicious traffic; H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic (under H04L 63/14; H04L 63/00)
    • H04L 43/02 Capturing of monitoring data (under H04L 43/00 Arrangements for monitoring or testing data switching networks)
    • H04L 43/0876 Network utilisation, e.g. volume of load or congestion level (under H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters; H04L 43/00)
    • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route (under H04L 43/00)
    • H04L 43/16 Threshold monitoring (under H04L 43/00)

Abstract

The invention discloses a method and device for recording attack traffic, intended to solve two problems of the prior art: redundancy in DDoS attack records, and the decline in the protective performance of the protection device caused by leaving manual packet capture switched on for a long time. The method comprises: receiving a first request, sent by a traffic detection engine, to start recording traffic, the first request carrying the packet sequence to be recorded and the first time at which that packet sequence was obtained; determining the traffic value corresponding to the packet sequence from the size of each packet in the sequence; determining a traffic recording frequency from the traffic value and the first time; and recording and storing the server access traffic according to the determined traffic recording frequency.

Description

Method and device for recording attack traffic
Technical field
The present invention relates to the field of computer network security, and in particular to a method and device for recording attack traffic.
Background technique
DDoS (Distributed Denial of Service): a DDoS attack is formed when many DoS attack sources attack a server together. Using client/server technology, a DDoS attack joins multiple computers into an attack platform and launches DoS attacks against one or more targets, multiplying the power of a denial-of-service attack. The DDoS strategy relies on a large number of "zombie hosts" (hosts the attacker has compromised or can use indirectly) sending the victim host a large volume of network packets that appear legitimate, causing network congestion or exhaustion of server resources and thus denial of service. Once a DDoS attack is under way, attack packets flood into the victim host and drown out the packets of legitimate users, who can then no longer access the server's network resources normally. Completely recording the course of a DDoS attack helps researchers analyse the attack traffic and devise effective defence strategies in time.
Existing methods of recording DDoS attack traffic generally rely on manual detection and recording: when a DDoS attack is detected, traffic packet capture is switched on manually. This does record the attack traffic, but the result contains a large amount of redundant information, and the capture occupies part of the protection device's performance resources. The reason is that the DDoS attack server keeps adjusting its attack mode according to the attack's effect until the server is paralysed: during an attack, one attack mode may persist for a long time because it works well, while other, less effective modes may exist only briefly. Uninterrupted manual capture therefore produces a large number of redundant records of the same attack, in which the records of the other attacks are buried. At the same time, because the duration of an attack is uncertain (it may continue without pause or be intermittent), manual capture that is always on degrades the protective performance of the protection device.
How to record DDoS attack traffic accurately and efficiently without affecting the protective performance of the traffic protection device has therefore become one of the technical problems urgently requiring a solution in the prior art.
Summary of the invention
Embodiments of the present invention provide a method and device for recording attack traffic, to solve the problems that DDoS attack records in the prior art contain a large amount of redundant traffic information and that keeping packet capture switched on for a long time affects the protective performance of the protection device.
An embodiment of the present invention provides a method for recording attack traffic, comprising:
receiving a first request, sent by a traffic detection engine, to start recording traffic, the first request carrying the packet sequence to be recorded and the first time at which the packet sequence was obtained;
determining the traffic value corresponding to the packet sequence according to the size of each packet contained in the packet sequence;
determining a traffic recording frequency according to the traffic value and the first time;
recording and storing the server access traffic according to the determined traffic recording frequency.
An embodiment of the present invention provides a device for recording attack traffic, comprising:
a receiving unit, for receiving the first request, sent by the traffic detection engine, to start recording traffic, the first request carrying the packet sequence to be recorded and the first time at which the packet sequence was obtained;
a first determination unit, for determining the traffic value corresponding to the packet sequence according to the size of each packet contained in the packet sequence;
a second determination unit, for determining the traffic recording frequency according to the traffic value and the first time;
a recording unit, for recording and storing the server access traffic according to the determined traffic recording frequency.
Beneficial effects of the invention:
The method and device for recording attack traffic provided by the embodiments start recording traffic only after receiving the first request, sent by the traffic detection engine, to start recording, and do not record at every moment while recording. Instead, the traffic value corresponding to the packet sequence is determined from the size of each packet in the packet sequence to be recorded that is carried in the first request; a traffic recording frequency is then determined from that traffic value and the first time of the packet sequence carried in the first request; and the server access traffic is recorded and stored at that frequency. On the one hand, the recording frequency can be adapted flexibly to the change in current traffic, which removes redundant records and improves the quality of the traffic record; on the other hand, because large amounts of redundant traffic information are not recorded repeatedly, the time spent on recording operations is reduced, which solves the decline in protective performance caused by leaving manual packet capture switched on for a long time, and the removal of redundancy also saves storage space for the traffic record.
Other features and advantages of the invention will be set out in the following description and will in part be apparent from the description or be understood by practising the invention. The objectives and other advantages of the invention may be realised and obtained by the structure particularly pointed out in the written description, claims and drawings.
Brief description of the drawings
The drawings described here are provided for further understanding of the invention and form part of it; the illustrative embodiments and their description explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a schematic flowchart of traffic detection by the traffic detection engine provided in an embodiment of the invention;
Fig. 2a is a schematic flowchart of the method for recording attack traffic provided in an embodiment of the invention;
Fig. 2b is a schematic flowchart of determining the traffic recording frequency in the method for recording attack traffic provided in an embodiment of the invention;
Fig. 3 is the first method of deleting traffic records from the memory of the traffic recording engine in the method for recording attack traffic provided in an embodiment of the invention;
Fig. 4 is the second method of deleting traffic records from the memory of the traffic recording engine in the method for recording attack traffic provided in an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the device for recording attack traffic provided in an embodiment of the invention.
Detailed description
Embodiments of the present invention provide a method and device for recording attack traffic, to solve the redundancy in DDoS attack records in the prior art and the decline in protective performance of the protection device caused by leaving manual packet capture switched on for a long time, and to save the storage space occupied by traffic records.
Preferred embodiments of the invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here only illustrate and explain the invention and do not limit it, and that, in the absence of conflict, the embodiments and the features in them may be combined with one another.
In the embodiments, traffic detection is performed by a traffic detection engine, which notifies the traffic recording engine to record when it detects that the server access traffic per unit time exceeds a preset threshold. Note that the traffic detection engine detects server access traffic in a periodic, continuous manner: it checks the server access traffic once per preset period, and when each detection period arrives it counts the server access traffic per unit time at the current moment. Specifically, the traffic detection engine determines the traffic value corresponding to the packet sequence the server received per unit time in the current detection period (that is, the sum of the sizes of all packets in the sequence the server received, divided by the period). It then judges whether that traffic value exceeds the preset threshold and, if so, notifies the traffic recording engine to record the server access traffic.
Because the traffic detection engine and the traffic recording engine run in parallel and independently, the detection engine's measurement of packet traffic does not affect the recording engine's recording of server access traffic. If, in the current detection period, the detection engine judges that the traffic value of the packet sequence received per unit time does not exceed the preset threshold, the server access traffic is within the threshold range; however, the detection engine may already have judged in the previous detection period that the traffic exceeded the threshold and notified the recording engine to start recording. In practice, therefore, when the detection engine judges that the traffic value per unit time does not exceed the threshold, it must also judge whether the recording engine has been started: if it has, the detection engine notifies the recording engine to stop recording; if not, the detection engine detects the server access traffic again when the next detection period arrives. This cycle repeats, so that the recording engine starts or stops recording server access traffic according to the detection engine's notifications. For its part, the recording engine starts recording server access traffic when triggered by the detection engine and continues until it receives the detection engine's signal to stop recording; when it again receives a signal to start recording, it starts again until it again receives a stop signal, and so on.
Embodiment one
Fig. 1 is a schematic flowchart of traffic detection by the traffic detection engine provided in an embodiment of the invention; it may comprise the following steps:
S11: when the detection period arrives, the traffic detection engine determines the traffic value corresponding to the packet sequence the server received according to the size of each packet in the sequence, and then computes the traffic value of server access per unit time.
In practice, at the end of the detection period the traffic detection engine sums the sizes of all packets the server received from the start of the detection period to the end of the period's unit time, and takes the result as the traffic value corresponding to the packet sequence received in the current detection period.
S12: judge whether the traffic value corresponding to the packet sequence the server received per unit time in the current detection period exceeds the preset threshold; if so, execute step S13, otherwise execute step S14.
The traffic detection engine compares the traffic value f_n determined in step S11 (the traffic value corresponding to the packet sequence the server received per unit time in the current detection period) with the preset threshold; if f_n exceeds the threshold, step S13 is executed, otherwise step S14 is executed.
S13: send the packet sequence the server received in the current detection period, and the first time at which that packet sequence was received, to the traffic recording engine.
In step S13 the traffic detection engine sends the packet sequence received in the current detection period and the first time t_n at which it was received to the traffic recording engine, which performs the subsequent recording process.
Note that if the packet sequence received in the current detection period is the packet sequence the server received at the start of the current detection period, the first time t_n is the start of the current detection period; if it is all the packets received from the start to the end of the current detection period, t_n is the end of the current detection period.
Preferably, the traffic detection engine may also send the traffic value f_n corresponding to the packet sequence received in the current detection period to the traffic recording engine together with the sequence.
S14: the traffic detection engine judges whether the traffic recording engine has been started; if so, execute step S15, otherwise execute step S16.
S15: the traffic detection engine sends the traffic recording engine a signal to stop recording traffic.
When step S14 finds that the recording engine is recording server access traffic, the detection engine has already determined at the current moment that the server access traffic per unit time is within the preset threshold range, so the recording engine no longer needs to record this traffic. A stop-recording signal is therefore sent to the recording engine, which stops recording server access traffic after receiving it.
S16: detect whether the next detection period has arrived; if so, execute step S11, otherwise continue executing step S16.
In practice, because DDoS attacks are intermittent, if the detection engine detected server access traffic continuously and sent it to the recording engine for recording, some normal server access traffic might be stored in memory, which would waste the recording engine's memory and also affect the protective performance of the protection device. The detection engine in the embodiments therefore detects the packet sequence the server received at a certain period, for example checking every 10 seconds whether the traffic value corresponding to the packet sequence the server received per unit time exceeds the preset threshold. This relieves storage pressure without affecting the protective performance of the protection device.
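The detection loop of steps S11 to S16, written out as an added example in Python. This is not code from the patent or from NSFOCUS; the threshold, the packet sizes and the per-period input shape are constructed assumptions, and only the 10-second detection period comes from the text. It shows the one point a practitioner tends to get wrong when reimplementing the figure: the stop signal is sent only once, on the first below-threshold period after recording started, while every above-threshold period sends a fresh first request.

```python
"""Simulation of the traffic detection engine of Embodiment one (added example,
not the patent's code). Units and numbers below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DetectionEngine:
    threshold: float            # preset threshold, assumed in bytes per second
    period: float = 10.0        # detection period in seconds (the patent's example value)
    recording: bool = False     # whether the recording engine has been started (checked in S14)
    signals: List[tuple] = field(default_factory=list)   # everything sent to the recording engine

    def traffic_value(self, packet_sizes: List[int]) -> float:
        """S11: sum of the packet sizes received in the period, divided by the period."""
        return sum(packet_sizes) / self.period

    def on_period(self, t_n: float, packet_sizes: List[int]) -> Optional[tuple]:
        """Run one detection period ending at time t_n (the first time t_n is the
        period end, as the patent allows). Returns the signal sent to the recording
        engine, or None when the engine simply waits for the next period (S16)."""
        f_n = self.traffic_value(packet_sizes)
        if f_n > self.threshold:                      # S12 -> S13: first request
            self.recording = True
            sig = ("start", t_n, list(packet_sizes), f_n)   # f_n included, as in the preferred variant
            self.signals.append(sig)
            return sig
        if self.recording:                            # S14 -> S15: stop signal, sent once
            self.recording = False
            sig = ("stop", t_n)
            self.signals.append(sig)
            return sig
        return None                                   # S14 -> S16: nothing to send


def run_detection(periods, threshold: float = 1000.0, period: float = 10.0) -> List[tuple]:
    """Feed consecutive detection periods as (t_n, packet sizes) and return the
    ordered list of signals the recording engine would receive."""
    eng = DetectionEngine(threshold=threshold, period=period)
    for t_n, sizes in periods:
        eng.on_period(t_n, sizes)
    return eng.signals


# Constructed input: a quiet period, two above-threshold periods, then quiet again.
SAMPLE_PERIODS = [
    (10.0, [500] * 10),     # 5000 B / 10 s = 500 B/s   -> below threshold, no signal
    (20.0, [1500] * 10),    # 1500 B/s                 -> first request
    (30.0, [1500] * 12),    # 1800 B/s                 -> another first request
    (40.0, [200] * 10),     # 200 B/s, engine started  -> stop signal
    (50.0, [100] * 5),      # 50 B/s, engine stopped   -> no signal
]

if __name__ == "__main__":
    for sig in run_detection(SAMPLE_PERIODS):
        print(sig)
```

Because the detection engine only ever knows its own `recording` flag, a lost stop signal leaves the recording engine running until the next above-threshold period; a real deployment would want the recording engine to age out a recording session on its own, which the patent's second request does not cover.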
Embodiment two
Fig. 2a is a schematic flowchart of the method for recording attack traffic provided in an embodiment of the invention; it may comprise the following steps:
S21: receive the first request, sent by the traffic detection engine, to start recording traffic.
Note that the first request is sent when the traffic detection engine detects that the server access traffic exceeds the preset threshold.
The first request carries the packet sequence to be recorded and the first time at which that packet sequence was obtained.
S22: determine the traffic value corresponding to the packet sequence according to the size of each packet in the packet sequence.
In practice, after receiving the packet sequence to be recorded, the traffic recording engine can determine the total size of the sequence from the size of each packet it contains; this total is the traffic value corresponding to the received packet sequence.
Preferably, if the traffic value corresponding to the packet sequence is carried in the first request, step S22 may be skipped and the traffic value obtained directly from the first request.
S23: determine the traffic recording frequency according to the traffic value corresponding to the packet sequence and the first time at which the packet sequence was obtained.
S24: record and store the server access traffic according to the determined traffic recording frequency.
In practice, in step S24 the traffic recording engine may record server access traffic in the format shown in Table 1, which may contain the following fields: the time at which the packet sequence was received (the first time in the embodiments), the packet sequence, and the traffic value corresponding to the packet sequence.
Table 1
Time packet sequence received    Packet sequence       Corresponding traffic value
T1                               B1, B2, B3, ...       2M
...                              ...                   ...
In practice, in step S23 the traffic recording frequency may be determined by the method shown in Fig. 2b, which may comprise the following steps:
S231: determine, respectively, the rate at which server access traffic is recorded and the server access traffic per unit time.
The rate at which the traffic recording engine records server access traffic may be denoted v_c and may be determined from the total number of bytes the recording engine records within a preset duration.
In practice, the server access traffic per unit time may be determined by the following formula, in which:
ΔB is the difference between the preset maximum traffic threshold and the determined traffic value;
Δt is the difference between the second time, at which the maximum traffic threshold is reached, and the first time, where the second time is predicted from the determined traffic value and the first time at which the packet sequence was received.
The preset maximum traffic threshold may be the maximum traffic or maximum bandwidth the server can bear, denoted B_max. Taking as an example a traffic value f_c corresponding to the packet sequence received in the current detection period and a first time t_c at which that sequence was received, ΔB = B_max - f_c.
To determine Δt, the second time t_max at which the maximum traffic threshold is reached must first be determined. Preferably, in the embodiments, the second time may be determined by the following formula, in which:
t_max is the second time;
B_max is the preset maximum traffic threshold;
σ_c is a correction factor determined from the traffic value corresponding to the packet sequence received in the current detection period and the first time at which that sequence was received.
In practice, regarding the formula for the second time: because the trend of a DDoS attack is unstable, generally showing a normal distribution at the start and levelling off over time until it occupies the bandwidth of the whole network and normal access can no longer be served, a model of DDoS attack traffic is established as shown in the following formula:
From the traffic value f_c corresponding to the packet sequence received in the current detection period and the first time t_c at which it was received, the traffic recording engine can use the DDoS attack traffic model to derive the formula for the correction factor as:
Using the determined correction factor σ_c and the maximum traffic threshold B_max, the second time t_max at which B_max is reached can be determined from the formula for t_max, and then Δt is obtained as Δt = t_max - t_c.
With ΔB and Δt determined, the server access traffic per unit time can be determined:
S232: the ratio of the rate at which server access traffic is recorded to the server access traffic is the traffic recording frequency.
From step S231 the traffic recording frequency of the traffic recording engine can be determined: Note that if the determined server access traffic per unit time and/or the change in the server access traffic value is zero, the traffic recording frequency is set to a preset fixed frequency, denoted f_const. A change of zero in the server access traffic value is understood as follows: while the recording engine is recording at the frequency determined in step S231, if within the current detection period it finds that the traffic value of the packet sequence received in the current record is identical to that of the packet sequence received in the previous record, the recording engine determines that the change in the server access traffic value is zero and records server access traffic at the preset fixed frequency, which may be set according to the current performance of the protection device, the network environment, and so on.
In practice, according to the traffic recording frequency determined in step S232, the traffic recording engine can record and store server access traffic at that frequency, so that the recording frequency changes dynamically with the trend of the current server access traffic.
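Steps S22, S231 and S232 as an added Python example; this is not the patent's code. The page does not reproduce the formulas for t_max, the correction factor σ_c or the DDoS traffic model, so the example takes the predicted second time t_max as an input instead of computing it, and it assumes that "server access traffic per unit time" is ΔB/Δt, which the page defines only through its two terms. The fallback to f_const for zero traffic and for an unchanged traffic value is the patent's; the guards for ΔB ≤ 0 and Δt ≤ 0, and all numbers, are constructed assumptions.

```python
"""Recording-frequency computation of Embodiment two (added example, not the patent's code).
t_max is supplied by the caller because its formula is not reproduced on the page."""
from typing import Optional, Sequence


def traffic_value(packet_sizes: Sequence[int]) -> float:
    """S22: total size in bytes of the packet sequence carried in the first request."""
    return float(sum(packet_sizes))


def record_rate(bytes_recorded: int, duration: float) -> float:
    """v_c: bytes the recording engine wrote within a preset duration, per second."""
    return bytes_recorded / duration


def access_traffic_per_unit_time(b_max: float, f_c: float, t_max: float, t_c: float) -> float:
    """S231, under the assumption that the page's formula is delta_B / delta_t, with
    delta_B = B_max - f_c and delta_t = t_max - t_c.
    Returns 0.0 when the server is already at or above B_max (delta_B <= 0) or when
    the predicted second time is not after the first time (delta_t <= 0); the caller
    then falls back to f_const, which also avoids dividing by zero."""
    delta_b = b_max - f_c
    delta_t = t_max - t_c
    if delta_b <= 0 or delta_t <= 0:
        return 0.0
    return delta_b / delta_t


def record_frequency(v_c: float, b_max: float, f_c: float, t_c: float, t_max: float,
                     f_const: float, prev_f_c: Optional[float] = None) -> float:
    """S232: the ratio of the recording rate v_c to the server access traffic per unit
    time. Uses the preset fixed frequency f_const when that traffic is zero or when
    the traffic value equals the previous record's value (change of zero)."""
    if prev_f_c is not None and prev_f_c == f_c:
        return f_const
    traffic = access_traffic_per_unit_time(b_max, f_c, t_max, t_c)
    if traffic == 0.0:
        return f_const
    return v_c / traffic


# Constructed sample: B_max = 1 MB/s, the first request arrives at t_c = 20 s with a
# 250 kB packet sequence, and the (externally predicted) second time is t_max = 80 s.
SAMPLE = dict(b_max=1_000_000.0, f_c=250_000.0, t_c=20.0, t_max=80.0, f_const=0.5)
SAMPLE_V_C = record_rate(500_000, 10.0)     # 50 kB/s written during a 10 s preset duration

if __name__ == "__main__":
    print("traffic value of [1500, 1500, 500]:", traffic_value([1500, 1500, 500]))
    print("frequency:", record_frequency(SAMPLE_V_C, **SAMPLE))
    print("frequency, unchanged value:", record_frequency(SAMPLE_V_C, prev_f_c=250_000.0, **SAMPLE))
```

With the sample numbers, ΔB = 750 000 B and Δt = 60 s give 12 500 B/s of server access traffic, and v_c = 50 000 B/s yields a frequency of 4.0. Note that, as the patent defines it, the frequency falls as the predicted rise in traffic steepens; whether that is the intended behaviour depends on the missing t_max formula, so treat the ratio as the patent's definition rather than a tuning recommendation.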
Preferably, when it is implemented, in order to alleviate the memory pressure of discharge record engine, it is provided in an embodiment of the present invention to attack It hits in the recording method of flow, it is further comprising the steps of: in stop recording flow for receiving the transmission of flow detection engine When two requests, server access flow is stopped recording, wherein the second request is that flow detection engine detects that the unit time for oral administration It is sent when business device flowing of access is no more than preset threshold.Based on this, discharge record engine is not necessarily to always to server access stream Amount is recorded, and the memory of discharge record engine is saved, to improve the protective performance of protection tool.
When it is implemented, since the memory of discharge record engine is limited, as discharge record engine visits server The record for asking flow causes the memory of discharge record engine to reach its storage cap, in order to avoid flow detection engine memory overflows Out, in the embodiment of the present invention, the memory of discharge record engine can also be optimized, the embodiment of the invention provides two kinds of sides Method deletes discharge record in discharge record engine memory, introduces it individually below.
Method one,
Fig. 3 is the first method of discharge record in deletion discharge record engine memory provided in an embodiment of the present invention, can With the following steps are included:
S31, statistic record data packet sequence number of columns.
When it is implemented, according to the data recorded in table 1 therefore the corresponding sequence of data packet of every a line can count The data recording number that table 1 includes measures the data packet sequence number of columns of record.
S32, if it exceeds present count magnitude, then delete preset time range according to the time sequencing for obtaining sequence of data packet Interior sequence of data packet.
When it is implemented, after the quantity of the sequence of data packet of step S31 statistics overwriting, by its with present count magnitude into Row compares, if it exceeds present count magnitude, illustrates that current memory headroom residue is smaller or has expired, due to ddos attack point attack Among starting, attacking and attack terminates three periods, in attack beginning and connects two period of beam, and attack traffic is respectively compared less, Interlude is attacked, attack is more frequent, and ddos attack is not especially big in attack interim changes in flow rate, if by This time the flow of ddos attack is all stored into memory, can occupy biggish memory headroom, therefore, the data that can will be received Packet sequence is ranked up sequentially in time, deletes the discharge record in preset time range, this preset time range can be This time interlude range of ddos attack, the invention does not limit this.For example, the discharge record time recorded in memory It is divided into for t0、t1、t2、t3、t4And t5, corresponding flow value is L0、L1、L2、L3、L4And L5, and meet t0< t1< t2< t3< t4 < t5And L0< L1< L2< L3< L4< L5, traffic management module judge data packet number be more than present count magnitude when, look for To the t for being in interlude range2、t3The sequence of data packet that reception arrives, and the moment corresponding sequence of data packet is deleted, Or when the corresponding flow value of the discharge record recorded in memory is identical, then traffic management engine is deleted corresponding in discharge record The identical sequence of data packet of flow value, it is of course also possible to use other method deletes the stream in discharge record engine memory Amount record, the invention does not limit this.
Method two:
Fig. 4 shows the second method, provided in an embodiment of the present invention, of deleting flow records from the memory of the flow recording engine; it may comprise the following steps:
S41, count the memory space occupied by the recorded packet sequences.
In implementation, the memory space occupied by the recorded packet sequences can be obtained from the flow value corresponding to each packet sequence.
S42, if the memory space occupied by the recorded packet sequences exceeds a preset memory threshold, delete the packet sequences within the preset time range according to the time order in which the packet sequences were obtained.
In implementation, step S42 can delete the flow records from the memory of the flow recording engine in a manner similar to step S32; the details are not repeated here.
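As an added illustration of methods one and two above (example code, not the patent's own), the following Python models the flow records held by the flow recording engine and applies the pruning rules described: delete the records in a preset middle time range when the record count or the occupied memory exceeds its threshold, and delete records carrying identical flow values. The occupied-memory estimate (sum of flow values), the interpretation of "identical flow values" as keeping only the earliest duplicate, and the t0..t5 sample data are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FlowRecord:
    """One recorded packet sequence: the time it was received (t_i) and its flow value (L_i)."""
    time: float
    flow: int


def occupied_memory(records: Iterable[FlowRecord]) -> int:
    # Step S41: memory occupied by the recorded sequences, derived from their flow values.
    # Assumption: the flow value is taken as the bytes each sequence occupies in memory.
    return sum(r.flow for r in records)


def delete_in_time_range(records: Iterable[FlowRecord],
                         t_start: float, t_end: float) -> List[FlowRecord]:
    """Steps S32/S42: sort the records by time and drop those inside [t_start, t_end]
    (the preset time range, e.g. the middle period of the attack)."""
    ordered = sorted(records, key=lambda r: r.time)
    return [r for r in ordered if not (t_start <= r.time <= t_end)]


def delete_identical_flow(records: Iterable[FlowRecord]) -> List[FlowRecord]:
    """Alternative rule from method one: when several records carry the same flow
    value, keep only the earliest of them (an interpretation of the patent text)."""
    seen = set()
    kept = []
    for r in sorted(records, key=lambda r: r.time):
        if r.flow in seen:
            continue
        seen.add(r.flow)
        kept.append(r)
    return kept


def prune_by_count(records: Iterable[FlowRecord], max_count: int,
                   t_start: float, t_end: float) -> List[FlowRecord]:
    """Method one: prune only when the number of recorded sequences exceeds the preset count."""
    records = list(records)
    if len(records) <= max_count:
        return sorted(records, key=lambda r: r.time)
    return delete_in_time_range(records, t_start, t_end)


def prune_by_memory(records: Iterable[FlowRecord], mem_threshold: int,
                    t_start: float, t_end: float) -> List[FlowRecord]:
    """Method two: prune only when the occupied memory exceeds the preset memory threshold."""
    records = list(records)
    if occupied_memory(records) <= mem_threshold:
        return sorted(records, key=lambda r: r.time)
    return delete_in_time_range(records, t_start, t_end)


# Constructed sample matching the patent's worked example: t0 < ... < t5 and L0 < ... < L5.
SAMPLE_RECORDS = [FlowRecord(t, 10 * (t + 1)) for t in range(6)]   # L = 10, 20, ..., 60
MIDDLE_PERIOD = (2.0, 3.0)   # preset time range covering t2 and t3


def times(records: Iterable[FlowRecord]) -> List[float]:
    return [r.time for r in records]


if __name__ == "__main__":
    kept = prune_by_count(SAMPLE_RECORDS, 4, *MIDDLE_PERIOD)
    print("after count-based pruning:", times(kept))     # [0, 1, 4, 5]
    kept = prune_by_memory(SAMPLE_RECORDS, 150, *MIDDLE_PERIOD)
    print("after memory-based pruning:", times(kept))    # [0, 1, 4, 5]
```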
The attack traffic recording method provided in the embodiments of the present invention starts recording traffic only after receiving the first request, sent by the flow detection engine, to start recording traffic, and while recording it does not record at every moment. After receiving the first request, it determines the flow value corresponding to each packet from the size of each packet in the packet sequence, carried in the first request, that needs to be recorded; it then determines the flow recording frequency from the determined flow value and the first time, also carried in the first request, at which the packet sequence was obtained, and records and stores server access traffic at the determined flow recording frequency. On the one hand, the flow recording frequency can be changed flexibly according to changes in the current traffic, reducing repeated recording of the same traffic; on the other hand, the starting and stopping of flow recording is controlled according to the flow recording frequency, reducing the impact of the flow recording engine on protection performance while also reducing the memory occupied by redundant traffic information, which improves the quality of the DDoS attack traffic record.
Embodiment three:
Based on the same inventive concept, an embodiment of the present invention further provides an attack traffic recording device. Since the principle by which this device solves the problem is similar to that of the attack traffic recording method, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
Fig. 5 is a structural schematic diagram of the attack traffic recording device provided in an embodiment of the present invention, comprising a receiving unit 50, a first determination unit 51, a second determination unit 52 and a recording unit 53, in which:
the receiving unit 50 is configured to receive the first request, sent by the flow detection engine, to start recording traffic, the first request carrying the packet sequence to be recorded and the first time at which the packet sequence was obtained;
In implementation, the first request is sent when the flow detection engine detects that the server access traffic per unit time exceeds a preset threshold.
the first determination unit 51 is configured to determine the flow value corresponding to the packet sequence from the size of each packet contained in the packet sequence;
the second determination unit 52 is configured to determine the flow recording frequency from the flow value and the first time;
the recording unit 53 is configured to record and store server access traffic at the determined flow recording frequency.
In implementation, the second determination unit 52 specifically comprises a first determining module and a second determining module, in which:
the first determining module is configured to determine, respectively, the rate at which server access traffic is recorded and the server access traffic per unit time;
the second determining module is configured to determine the ratio of the rate at which server access traffic is recorded to the server access traffic as the flow recording frequency.
In implementation, the first determining module is specifically configured to determine the server access traffic per unit time according to the following formula, where:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between the second time, at which the maximum flow threshold is reached, and the first time, where the second time is predicted from the flow value and the first time.
The first determining module is specifically configured to determine the second time according to the following formula, where:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined from the flow value and the first time.
The first determining module is specifically configured to determine σ_c from the flow value and the first time according to the following formula, where:
Specifically, the second determining module is configured to determine that the flow recording frequency is a preset fixed frequency if the first determining module determines that the server access traffic per unit time and/or the change in server access traffic is zero.
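As an added example (not the patent's own code), the following Python models the second determination unit and the control unit described above: it computes the flow recording frequency as the ratio of the recording rate to the server access traffic per unit time, falls back to the preset fixed frequency when that traffic or its change is zero, and starts and stops recording on the first and second requests. The page's formulas for the unit-time traffic, t_max and σ_c are not reproduced on this page, so combining ΔB and Δt as ΔB/Δt is an assumption, t_max is supplied by the caller, and all sample numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def unit_time_access_flow(b_max: float, f_c: float, t_c: float, t_max: float) -> float:
    """Server access traffic per unit time from the quantities the patent defines:
    ΔB = B_max - f_c and Δt = t_max - t_c. Combining them as ΔB/Δt is an assumption
    (the patent's own formula is not on this page); t_max, the predicted time at which
    B_max is reached, is supplied by the caller."""
    delta_b = b_max - f_c
    delta_t = t_max - t_c
    if delta_t <= 0:
        return 0.0
    return delta_b / delta_t


def recording_frequency(record_rate: float, unit_flow: float,
                        flow_change: float, fixed_frequency: float) -> float:
    """Second determining module: frequency = recording rate / server access traffic,
    or the preset fixed frequency when the unit-time traffic or its change is zero."""
    if unit_flow == 0 or flow_change == 0:
        return fixed_frequency
    return record_rate / unit_flow


@dataclass
class FlowRecorder:
    """Recording unit plus control unit: samples are recorded only between the first
    request (start) and the second request (stop), spaced at least 1/frequency apart."""
    fixed_frequency: float
    record_rate: float
    frequency: float = 0.0
    recording: bool = False
    last_record_time: Optional[float] = None
    records: List[Tuple[float, float]] = field(default_factory=list)

    def on_first_request(self, t_c: float, f_c: float,
                         unit_flow: float, flow_change: float) -> None:
        """First request from the flow detection engine: flow value f_c at first time t_c."""
        self.frequency = recording_frequency(self.record_rate, unit_flow,
                                             flow_change, self.fixed_frequency)
        self.recording = True
        self.last_record_time = None
        self.on_sample(t_c, f_c)

    def on_second_request(self) -> None:
        """Second request: traffic per unit time no longer exceeds the threshold."""
        self.recording = False

    def on_sample(self, t: float, flow: float) -> bool:
        """Record a traffic sample only while recording and only once per 1/frequency."""
        if not self.recording or self.frequency <= 0:
            return False
        if self.last_record_time is not None and t - self.last_record_time < 1.0 / self.frequency:
            return False
        self.records.append((t, flow))
        self.last_record_time = t
        return True


def run_constructed_scenario() -> List[Tuple[float, float]]:
    """Constructed scenario: B_max = 1000, f_c = 200 at t_c = 0, t_max predicted at 4."""
    unit_flow = unit_time_access_flow(b_max=1000, f_c=200, t_c=0.0, t_max=4.0)  # 200.0
    rec = FlowRecorder(fixed_frequency=1.0, record_rate=100.0)   # frequency 0.5: one record per 2 s
    rec.on_first_request(t_c=0.0, f_c=200, unit_flow=unit_flow, flow_change=50)
    for t, flow in [(1.0, 250), (2.0, 300), (3.0, 320), (4.0, 330)]:
        rec.on_sample(t, flow)
    rec.on_second_request()
    rec.on_sample(6.0, 100)   # ignored: recording has been stopped
    return rec.records        # [(0.0, 200), (2.0, 300), (4.0, 330)]
```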
In implementation, the device further comprises a control unit 54, in which:
the control unit 54 is configured to stop recording server access traffic when a second request, sent by the flow detection engine, to stop recording traffic is received, the second request being sent when the flow detection engine detects that the server access traffic per unit time does not exceed the preset threshold.
In implementation, the device further comprises a first statistics unit 55 and a first deletion unit 56, in which:
the first statistics unit 55 is configured to count the number of recorded packet sequences;
the first deletion unit 56 is configured to delete, if the number of recorded packet sequences counted by the first statistics unit 55 exceeds the preset count value, the packet sequences within the preset time range according to the time order in which the packet sequences were obtained.
In implementation, the device further comprises a second statistics unit 57 and a second deletion unit 58, in which:
the second statistics unit 57 is configured to count the memory space occupied by the recorded packet sequences;
the second deletion unit 58 is configured to delete, if the memory space occupied by the packet sequences recorded by the second statistics unit 57 exceeds the preset memory threshold, the packet sequences within the preset time range according to the time order in which the packet sequences were obtained.
For convenience of description, the parts above are divided by function into modules (or units) and described separately. Of course, when the present invention is implemented, the functions of the modules (or units) may be realized in one or more pieces of software or hardware. For example, the attack traffic recording device provided in embodiment three may be placed in the flow recording engine, which then records the server access traffic.
With the attack traffic recording method, device and flow recording engine provided in the embodiments of the present invention, after receiving the first request, sent by the flow detection engine, to start recording traffic, the flow recording engine determines the flow value corresponding to each packet from the size of each packet in the packet sequence, carried in the first request, that needs to be recorded; it then determines the flow recording frequency from the determined flow value and the first time, also carried in the first request, at which the packet sequence was obtained, and records and stores server access traffic at the determined flow recording frequency. On the one hand, the flow recording frequency can be changed flexibly according to changes in the current traffic, reducing repeated recording of the same traffic; on the other hand, the starting and stopping of flow recording is controlled according to the flow recording frequency, reducing the impact of the flow recording engine on protection performance while also reducing the memory occupied by redundant traffic information, which improves the quality of the DDoS attack traffic record.
The attack traffic recording device provided by the embodiments of the present application may be realized by a computer program. Those skilled in the art should understand that the module division described above is only one of many possible divisions; other divisions, or no division at all, fall within the scope of protection of the present application as long as the attack traffic recording has the functions described above.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, apparatus (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that realizes the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (16)

1. An attack traffic recording method, characterized by comprising:
receiving a first request, sent by a flow detection engine, to start recording traffic, the first request carrying the packet sequence to be recorded and the first time at which the packet sequence was obtained;
determining the flow value corresponding to the packet sequence from the size of each packet contained in the packet sequence;
determining a flow recording frequency from the flow value and the first time, comprising: determining, respectively, the rate at which server access traffic is recorded and the server access traffic per unit time; determining the ratio of the rate at which server access traffic is recorded to the server access traffic as the flow recording frequency; and, if the server access traffic per unit time and/or the change in server access traffic is zero, determining that the flow recording frequency is a preset fixed frequency;
recording and storing server access traffic at the determined flow recording frequency.
2. The method according to claim 1, characterized in that the first request is sent when the flow detection engine detects that the server access traffic per unit time exceeds a preset threshold.
3. The method according to claim 1, characterized by further comprising:
stopping recording server access traffic when a second request, sent by the flow detection engine, to stop recording traffic is received, the second request being sent when the flow detection engine detects that the server access traffic per unit time does not exceed the preset threshold.
4. The method according to claim 1, characterized in that the server access traffic per unit time is determined according to the following formula, where:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between the second time, at which the maximum flow threshold is reached, and the first time, where the second time is predicted from the flow value and the first time.
5. The method according to claim 4, characterized in that the second time is determined according to the following formula, where:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined from the flow value and the first time.
6. The method according to claim 5, characterized in that σ_c is determined from the flow value and the first time according to the following formula, where:
t_c is the first time;
f_c is the flow value.
7. The method according to claim 1, characterized by further comprising:
counting the number of recorded packet sequences;
if it exceeds a preset count value, deleting the packet sequences within a preset time range according to the time order in which the packet sequences were obtained.
8. The method according to claim 1, characterized by further comprising:
counting the memory space occupied by the recorded packet sequences;
if the memory space occupied by the recorded packet sequences exceeds a preset memory threshold, deleting the packet sequences within a preset time range according to the time order in which the packet sequences were obtained.
9. An attack traffic recording device, characterized by comprising:
a receiving unit configured to receive a first request, sent by a flow detection engine, to start recording traffic, the first request carrying the packet sequence to be recorded and the first time at which the packet sequence was obtained;
a first determination unit configured to determine the flow value corresponding to the packet sequence from the size of each packet contained in the packet sequence;
a second determination unit configured to determine a flow recording frequency from the flow value and the first time, the second determination unit specifically comprising: a first determining module configured to determine, respectively, the rate at which server access traffic is recorded and the server access traffic per unit time; and a second determining module configured to determine the ratio of the rate at which server access traffic is recorded to the server access traffic as the flow recording frequency, and, if the first determining module determines that the server access traffic per unit time and/or the change in server access traffic is zero, to determine that the flow recording frequency is a preset fixed frequency;
a recording unit configured to record and store server access traffic at the determined flow recording frequency.
10. The device according to claim 9, characterized in that the first request is sent when the flow detection engine detects that the server access traffic per unit time exceeds a preset threshold.
11. The device according to claim 9, characterized by further comprising:
a control unit configured to stop recording server access traffic when a second request, sent by the flow detection engine, to stop recording traffic is received, the second request being sent when the flow detection engine detects that the server access traffic per unit time does not exceed the preset threshold.
12. The device according to claim 9, characterized in that the first determining module is specifically configured to determine the server access traffic per unit time according to the following formula, where:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between the second time, at which the maximum flow threshold is reached, and the first time, where the second time is predicted from the flow value and the first time.
13. The device according to claim 12, characterized in that the first determining module is specifically configured to determine the second time according to the following formula, where:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined from the flow value and the first time.
14. The device according to claim 13, characterized in that the first determining module is specifically configured to determine σ_c from the flow value and the first time according to the following formula, where:
t_c is the first time;
f_c is the flow value.
15. The device according to claim 9, characterized by further comprising:
a first statistics unit configured to count the number of recorded packet sequences;
a first deletion unit configured to delete, if the number of recorded packet sequences counted by the first statistics unit exceeds a preset count value, the packet sequences within a preset time range according to the time order in which the packet sequences were obtained.
16. The device according to claim 9, characterized by further comprising:
a second statistics unit configured to count the memory space occupied by the recorded packet sequences;
a second deletion unit configured to delete, if the memory space occupied by the packet sequences recorded by the second statistics unit exceeds a preset memory threshold, the packet sequences within a preset time range according to the time order in which the packet sequences were obtained.
CN201610867805.5A 2016-09-29 2016-09-29 A kind of recording method and device of attack traffic Active CN106254394B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610867805.5A CN106254394B (en) 2016-09-29 2016-09-29 A kind of recording method and device of attack traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610867805.5A CN106254394B (en) 2016-09-29 2016-09-29 A kind of recording method and device of attack traffic

Publications (2)

Publication Number Publication Date
CN106254394A CN106254394A (en) 2016-12-21
CN106254394B true CN106254394B (en) 2019-07-02

Family

ID=57611203

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610867805.5A Active CN106254394B (en) 2016-09-29 2016-09-29 A kind of recording method and device of attack traffic

Country Status (1)

Country Link
CN (1) CN106254394B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234516B (en) * 2018-01-26 2021-01-26 北京安博通科技股份有限公司 Method and device for detecting network flooding attack
CN110213118B (en) * 2018-02-28 2021-04-06 中航光电科技股份有限公司 FC network system and flow control method thereof
CN111510418A (en) * 2019-01-31 2020-08-07 上海旺链信息科技有限公司 Block chain link point structure safety guarantee method, guarantee system and storage medium
CN113364752B (en) * 2021-05-27 2023-04-18 鹏城实验室 Flow abnormity detection method, detection equipment and computer readable storage medium
CN115118529B (en) * 2022-08-29 2022-11-29 广州弘日恒天光电技术有限公司 Data transmission method based on block chain

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105681211A (en) * 2015-12-31 2016-06-15 北京安天电子设备有限公司 Traffic recording method and system based on information extraction
CN105763561A (en) * 2016-04-15 2016-07-13 杭州华三通信技术有限公司 Attack defense method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050278779A1 (en) * 2004-05-25 2005-12-15 Lucent Technologies Inc. System and method for identifying the source of a denial-of-service attack

Also Published As

Publication number Publication date
CN106254394A (en) 2016-12-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Co-patentee after: NSFOCUS TECHNOLOGIES Inc.

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Co-patentee before: NSFOCUS TECHNOLOGIES Inc.

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.