CN106506527A - A method of defending against UDP connectionless flood attacks - Google Patents

Info

Publication number: CN106506527A (granted as CN106506527B)
Authority: CN (China)
Prior art keywords: log, UDP, firewall, defence, address
Legal status: granted, active
Application number: CN201611102791.4A
Original language: Chinese (zh)
Inventors: 刘勇彬, 杨松, 季统凯
Assignee (original and current): G Cloud Technology Co Ltd
Priority date and filing date: 2016-12-05
Publication date: 2017-03-15 (CN106506527A); grant published 2019-06-21 (CN106506527B)

Classifications

All within CPC section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 ... for detecting or protecting against malicious traffic
            • H04L63/1408 ... by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
        • H04L63/10 ... for controlling access to devices or network resources
            • H04L63/101 Access control lists [ACL]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
        • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
            • H04L69/164 Adaptation or special uses of UDP protocol

Abstract

The present invention relates to the field of cloud computing management technology, and in particular to a method of defending against UDP connectionless flood attacks. The method first sets a log detection cycle and a defence packet count. When a UDP flood attack tool is used against the target server address, the target server detects the volume of access through a software firewall and records the access information to a log. The log is analysed and the number of packets sent by each IP within the same detection cycle is listed in descending order. If a count exceeds the defence packet count limit, the IP is compared against an IP whitelist: if the IP is in the whitelist, no action is taken; if it is not, an automated script calls the software firewall to block the IP. If the count does not exceed the defence packet count, no action is taken. The method is low cost, highly automated and highly general, and does not depend on any single software firewall.

Description

A method of defending against UDP connectionless flood attacks
Technical field
The present invention relates to the field of cloud computing management technology, and in particular to a method of defending against UDP connectionless flood attacks.
Background technology
With the development of cloud computing, its impact on the IT industry has extended from IT infrastructure to hardware and device manufacturing, software development platforms, software deployment, software marketing and IT services, covering almost every IT hardware, software and service field. As more and more companies begin to use virtualised data centres and cloud services, new weaknesses have appeared in cloud infrastructure platforms. Denial-of-service attacks on cloud computing have also shifted from brute-force attacks using massive data streams to technical attacks on the underlying applications. In recent years DDoS techniques and patterns have become more and more varied; among them, UDP connectionless flood attacks are comparatively hard to defend against, and the following approaches are generally used:
1. Purchase an expensive advanced firewall and defend against UDP flood attacks with that firewall.
2. Block the UDP attack sources with a software firewall such as iptables or APF.
Both approaches have the following drawbacks:
1. High cost: small and medium-sized enterprises generally will not purchase an advanced firewall lightly.
2. Low automation: with iptables or APF, operations staff can only block addresses manually after noticing abnormal traffic, and connectionless attacks cannot be monitored automatically.
UDP is the abbreviation of User Datagram Protocol, a connectionless transport-layer protocol in the OSI reference model that provides a simple, unreliable, transaction-oriented message delivery service; IETF RFC 768 is the formal specification of UDP. A UDP flood attack (English: UDP Flood Attack) is a form of denial-of-service attack against a host. Because UDP is a connectionless protocol, it does not need to establish a connection with any program before transmitting data; when an attacker sends UDP packets to random ports of the victim system, a UDP flood attack is taking place.
Content of the invention
The technical problem solved by the present invention is to provide a method of defending against UDP connectionless flood attacks that remedies the deficiencies of existing defence methods and gives infrastructure cloud platforms in a cloud computing environment a solution that both saves hardware cost and effectively defends against UDP connectionless flood attacks.
The basic scheme by which the present invention solves the above problem is:
The method comprises the following steps:
Step 1: set the log detection cycle and the defence packet count;
Step 2: when a UDP flood attack tool is used against the target server address, the target server detects the volume of access through a software firewall and records the access information to a log;
Step 3: analyse the log and list, in descending order, the number of packets sent by each IP within the same detection cycle;
Step 4: if a count exceeds the defence packet count limit, compare the IP against the IP whitelist;
Step 5: if the IP is in the whitelist, take no action;
Step 6: if it is not in the whitelist, an automated script calls the software firewall to block the IP;
Step 7: if the count does not exceed the defence packet count, take no action.
The log detection cycle is how often the network packet log is checked.
A network packet is the unit of data in TCP/IP protocol communication.
The target server address is the address at which the infrastructure cloud platform provides services externally.
The IP whitelist is the list of IP addresses the cloud platform regards as legitimate, entered in advance by operations staff.
The software firewall includes the iptables, IPCop Firewall and APF software firewalls.
iptables is the administration tool for the IP packet filtering system integrated into the Linux kernel (netfilter); whether the Linux system is connected to the Internet or a LAN, acts as a server, or is a proxy server joining a LAN to the Internet, it gives fine control of IP packet filtering and firewall configuration on the Linux system.
IPCop Firewall is a Linux firewall distribution aimed mainly at home and SOHO (Small Office/Home Office) users; its interface is friendly and task-based, it sits between the user's working area and the Internet connection, and it monitors and manages traffic through a set of TCP/IP rules.
APF (Advanced Policy Firewall) is a software firewall for the Linux environment that uses the iptables rules of the Linux system.
The method is low cost: a single security proxy server of modest specification is enough to filter UDP flood attacks. The method is highly automated: through log detection, an automated script carries out both the detection of and the defence against UDP attacks. The method is highly general: it does not depend on any single software firewall.
Description of the drawings
The present invention is further described below in conjunction with the accompanying drawings:
Fig. 1 is the flow chart of the present invention;
Fig. 2 is the technical schematic diagram of the present invention.
Specific embodiment
There are several embodiments of the present invention; here the implementation based on the iptables firewall under Linux is given as follows:
As shown in Fig. 1, the process is as follows:
Step 1: set the log detection cycle and the defence packet count.
# vi /usr/local/udpflood.conf
NO_OF_CONNECTIONS=600    # defence packet count (packets per source IP per cycle)
CHECK_CYCLE=60           # detection cycle, in seconds
Step 2: attack the target server address with a UDP flood attack tool.
The tool used here is LOIC (Low Orbit Ion Cannon), a flooding tool that can generate a large amount of traffic.
Step 3: the target server detects the volume of access through the software firewall and records the access information to a log.
Add a rule to the iptables firewall that logs every UDP packet received:
# iptables -A INPUT -p udp -j LOG --log-prefix 'UDP-DDOS:' --log-ip-options
Each matched packet produces one kernel log line (delivered through syslog or the journal) that carries the source address in its SRC= field, which is what the analysis step parses. Note that a LOG target with no rate limiter in front of it (iptables -m limit) writes one line per packet, so a high-rate flood also floods the kernel log; in practice the rule is given a limit or replaced by NFLOG sampling, after which the counted number underestimates the true rate and the defence packet count must be chosen with that in mind.
Step 4: analyse the log and list, in descending order, the number of packets sent by each IP within the same detection cycle.
The core analysis script is as follows:
The first field is the packet count, followed by the IP that sent the packets.
Step 5: if a count exceeds the defence packet count limit, compare the IP against the IP whitelist.
Step 6: if the IP is in the whitelist, take no action.
The core function is as follows:
Step 7: if it is not in the whitelist, the automated script calls the software firewall to block the IP.
Step 8: if the count does not exceed the defence packet count, take no action.
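The shell script below is an added worked example of one detection cycle covering Steps 1 to 8 (and the identical Steps 1 to 7 of the Content of the invention); it is not the patent's own analysis script or core function, which this page does not reproduce. It assumes the iptables LOG rule above with the 'UDP-DDOS:' prefix, kernel log lines in the standard iptables LOG format (a SRC= field per packet), the configuration names NO_OF_CONNECTIONS and CHECK_CYCLE from udpflood.conf, a whitelist file with one address per line, and a per-source UDP DROP rule as the blocking action (the patent does not specify the rule form). The log and whitelist paths and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not the patent's own script): one detection cycle of the
# method, Steps 1-8, driven by the iptables LOG lines with prefix 'UDP-DDOS:'.
# Assumptions: kernel log lines carry the standard LOG fields (SRC=, PROTO=UDP),
# the whitelist file holds one address per line, and a source is blocked with
# a per-source UDP DROP rule (the patent does not specify the rule form).

# Step 1: defence packet count and detection cycle, named as in udpflood.conf.
NO_OF_CONNECTIONS=${NO_OF_CONNECTIONS:-600}   # packets per source IP per cycle
CHECK_CYCLE=${CHECK_CYCLE:-60}                # seconds between log checks
DRY_RUN=${DRY_RUN:-1}                         # 1: print iptables commands only

# Steps 3/4: count logged UDP packets per source address, highest first.
# Output lines are "<count> <ip>".
count_per_ip() {
    grep 'UDP-DDOS:' "$1" |
        sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Steps 5-8: emit the addresses over the threshold that are not whitelisted.
# $1 = log file, $2 = whitelist file, $3 = threshold (defence packet count)
offenders() {
    count_per_ip "$1" | while read -r n ip; do
        [ "$n" -gt "$3" ] || continue        # under the limit: do nothing
        grep -Fxq "$ip" "$2" && continue     # whitelisted: do nothing
        echo "$ip"                           # not whitelisted: block candidate
    done
}

# Step 7: block through the software firewall. The -C check keeps the same
# rule from being inserted again on the next cycle.
block_ip() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I INPUT -s $1 -p udp -j DROP"
    else
        iptables -C INPUT -s "$1" -p udp -j DROP 2>/dev/null ||
            iptables -I INPUT -s "$1" -p udp -j DROP
    fi
}

# One pass of the automated script. Run it every CHECK_CYCLE seconds, e.g.
#   while :; do run_cycle /var/log/messages /usr/local/udpflood.whitelist; sleep "$CHECK_CYCLE"; done
run_cycle() {
    offenders "$1" "$2" "$NO_OF_CONNECTIONS" | while read -r ip; do
        block_ip "$ip"
    done
}

# Constructed sample log (not captured traffic) in the iptables LOG line format:
# 700 packets from 203.0.113.7, 650 from 192.0.2.5 (to be whitelisted) and
# 3 from 198.51.100.22, written to the file named in $1.
make_sample() {
    awk -v out="$1" 'BEGIN {
        fmt = "Dec  5 10:00:%02d srv kernel: UDP-DDOS:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=%s DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=%d DPT=53 LEN=40\n"
        for (i = 0; i < 700; i++) printf(fmt, i % 60, "203.0.113.7", 40000 + i) > out
        for (i = 0; i < 650; i++) printf(fmt, i % 60, "192.0.2.5", 50000 + i) > out
        for (i = 0; i < 3; i++)   printf(fmt, i % 60, "198.51.100.22", 60000 + i) > out
        close(out)
    }'
}
```

Run with DRY_RUN=0 as root to actually insert rules; the default only prints them. Two caveats a practitioner should keep in mind with this scheme: UDP source addresses are unauthenticated, so a flood sent with spoofed sources spreads its packets below the per-source threshold and evades the count, while a flood spoofing a single third-party address gets that address blocked (the whitelist protects only the addresses listed in it); and the DROP rules accumulate across cycles unless something expires them, so a long-running deployment needs an ageing step or an ipset with a timeout rather than an ever-growing INPUT chain.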

Claims (5)

1. A method of defending against UDP connectionless flood attacks, characterised in that the method comprises the following steps:
Step 1: set the log detection cycle and the defence packet count;
Step 2: when a UDP flood attack tool is used against the target server address, the target server detects the volume of access through a software firewall and records the access information to a log;
Step 3: analyse the log and list, in descending order, the number of packets sent by each IP within the same detection cycle;
Step 4: if a count exceeds the defence packet count limit, compare the IP against the IP whitelist;
Step 5: if the IP is in the whitelist, take no action;
Step 6: if it is not in the whitelist, an automated script calls the software firewall to block the IP;
Step 7: if the count does not exceed the defence packet count, take no action.
2. The method according to claim 1, characterised in that:
the log detection cycle is how often the network packet log is checked;
a network packet is the unit of data in TCP/IP protocol communication.
3. The method according to claim 1, characterised in that: the target server address is the address at which the infrastructure cloud platform provides services externally;
the IP whitelist is the list of IP addresses the cloud platform regards as legitimate, entered in advance by operations staff.
4. The method according to claim 2, characterised in that: the target server address is the address at which the infrastructure cloud platform provides services externally;
the IP whitelist is the list of IP addresses the cloud platform regards as legitimate, entered in advance by operations staff.
5. The method according to any one of claims 1 to 4, characterised in that:
the software firewall includes the iptables, IPCop Firewall and APF software firewalls;
iptables is the IP packet filtering system integrated with the Linux kernel; whether the Linux system is connected to the Internet or a LAN, acts as a server, or is a proxy server joining a LAN to the Internet, it gives better control of IP packet filtering and firewall configuration on the Linux system;
IPCop Firewall is a Linux firewall suite aimed mainly at home and SOHO users; its interface is friendly and task-based, it sits between the user's working area and the Internet connection, and it monitors and manages traffic through a set of TCP/IP rules;
APF is a software firewall for the Linux environment that uses the iptables rules of the Linux system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611102791.4A CN106506527B (en) 2016-12-05 2016-12-05 A method of defending against UDP connectionless flood attacks


Publications (2)

Publication Number Publication Date
CN106506527A true CN106506527A (en) 2017-03-15
CN106506527B CN106506527B (en) 2019-06-21

Family

ID=58330453

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729389A (en) * 2008-10-21 2010-06-09 北京启明星辰信息技术股份有限公司 Flow control device and method based on flow prediction and trusted network address learning
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
CN103957205A (en) * 2014-04-25 2014-07-30 国家电网公司 Trojan horse detection method based on terminal traffic
CN104363230A (en) * 2014-11-14 2015-02-18 山东乾云启创信息科技有限公司 Method for preventing flood attacks in desktop virtualization
CN106161333A (en) * 2015-03-24 2016-11-23 华为技术有限公司 SDN-based DDoS attack defence method, apparatus and system

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107171867A (en) * 2017-06-30 2017-09-15 环球智达科技(北京)有限公司 DDoS attack protection system
CN107454065A (en) * 2017-07-12 2017-12-08 北京神州绿盟信息安全科技股份有限公司 UDP Flood attack protection method and device
CN107454065B (en) * 2017-07-12 2020-07-10 北京神州绿盟信息安全科技股份有限公司 Method and device for protecting against UDP Flood attacks
CN109831465A (en) * 2019-04-12 2019-05-31 重庆天蓬网络有限公司 An intrusion detection method based on big data log analysis
CN109962927A (en) * 2019-04-17 2019-07-02 杭州安恒信息技术股份有限公司 Anti-attack method based on threat intelligence
CN109962927B (en) * 2019-04-17 2022-01-04 杭州安恒信息技术股份有限公司 Anti-attack method based on threat intelligence
CN111669371A (en) * 2020-05-18 2020-09-15 深圳供电局有限公司 Network attack restoration system and method suitable for power network
CN111669371B (en) * 2020-05-18 2022-09-30 深圳供电局有限公司 Network attack restoration system and method suitable for power network
CN113852640A (en) * 2021-09-29 2021-12-28 上海市大数据股份有限公司 Network security automatic defense system based on RPA
CN113852640B (en) * 2021-09-29 2023-06-09 上海市大数据股份有限公司 Network security automatic defense system based on RPA
CN114760152A (en) * 2022-06-14 2022-07-15 湖南警察学院 Cloud data center virtualization node network security early warning method
CN114760152B (en) * 2022-06-14 2022-08-19 湖南警察学院 Cloud data center virtualization node network security early warning method

Legal Events

Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: 523808 19th Floor, Cloud Computing Center, Chinese Academy of Sciences, No. 1 Kehui Road, Songshan Lake Hi-tech Industrial Development Zone, Dongguan City, Guangdong Province
    Applicant after: G-Cloud Technology Co., Ltd.
    Address before: 523808 No. 14 Building, Songke Garden, Songshan Lake Science and Technology Industrial Park, Dongguan City, Guangdong Province
    Applicant before: G-Cloud Technology Co., Ltd.
GR01 Patent grant