CN106506527B - A method of defending against connectionless UDP flood attacks - Google Patents


Info

Publication number: CN106506527B
Authority: CN (China)
Prior art keywords: firewall, log, white list, udp, address
Legal status: Active
Application number: CN201611102791.4A
Other languages: Chinese (zh)
Other versions: CN106506527A (en)
Inventors: 刘勇彬, 杨松, 季统凯
Current assignee: G Cloud Technology Co Ltd
Original assignee: G Cloud Technology Co Ltd
Priority date: 2016-12-05
Filing date: 2016-12-05
Publication date: 2019-06-21

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/164 Adaptation or special uses of UDP protocol

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to the field of cloud computing management technology, and in particular to a method of defending against connectionless UDP flood attacks. The invention first sets a log detection cycle and a defence network packet count; when a UDP flood attack tool is used to attack the target server address, the target server detects the access volume through a software firewall and records the access information in a log; the log is analysed and the number of packets sent by each IP in the same detection cycle is listed in descending order; if that number exceeds the defence packet count limit, the IP is compared against the IP white list; if the IP is in the white list, no action is taken; if the IP is not in the white list, an automation script calls the software firewall to block the IP; finally, if the defence packet count is not exceeded, no action is taken. The method of the invention is low in cost, highly automated and versatile, and does not depend on a single software firewall.

Description

A method of defending against connectionless UDP flood attacks
Technical field
The present invention relates to the field of cloud computing management technology, and in particular to a method of defending against connectionless UDP flood attacks.
Background technique
With the development of cloud computing, its influence on the IT industry has spread from IT infrastructure to hardware and device manufacturing, software development platforms, software deployment, software marketing and IT services, covering almost every IT hardware, software and service field. As more and more companies begin to use virtualized data centres and cloud services, new weaknesses appear in cloud infrastructure platforms. Denial-of-service attacks on cloud computing are also shifting from brute-force attacks that rely on massive data streams to technical attacks on the underlying applications. In recent years DDoS techniques and patterns have become more and more varied; among them, connectionless UDP flood attacks are comparatively hard to defend against, and the following approaches are generally used:
1. Purchase an expensive advanced firewall and rely on it to defend against UDP flood attacks.
2. Block the UDP attack source with a software firewall such as iptables or APF.
Both approaches have the following drawbacks:
1. High cost: small and medium-sized enterprises will not readily purchase an advanced firewall.
2. Low degree of automation: iptables or APF rules can only be applied manually by operations staff after a traffic anomaly has been noticed, and connectionless attacks cannot be monitored automatically.
UDP is the abbreviation of User Datagram Protocol (Chinese name: 用户数据报协议). It is a connectionless transport-layer protocol in the OSI reference model that provides a simple, unreliable, transaction-oriented message delivery service; IETF RFC 768 is the formal specification of UDP. A UDP flood attack (English: UDP Flood Attack) is one kind of host-based denial-of-service attack. UDP is a connectionless protocol: it does not need to establish a connection with any program in order to transmit data. When an attacker sends UDP packets at random to ports of the victim system, a UDP flood attack may be taking place.
Summary of the invention
The technical problem solved by the present invention is to provide a method of defending against connectionless UDP flood attacks that remedies the deficiencies of existing defence methods and gives infrastructure cloud platforms in a cloud computing environment an effective solution to connectionless UDP flood attacks that also saves hardware cost.
The basic scheme by which the present invention solves the above problem is as follows:
The method comprises the following steps:
Step 1: set the log detection cycle and the defence network packet count;
Step 2: when a UDP flood attack tool is used to attack the target server address, the target server detects the access volume through the software firewall and records the access information in a log;
Step 3: analyse the log and list the number of packets sent by each IP in the same detection cycle in descending order;
Step 4: if the count exceeds the defence network packet count limit, compare the IP against the IP white list;
Step 5: if the IP is in the white list, take no action;
Step 6: if the IP is not in the white list, the automation script calls the software firewall to block the IP;
Step 7: if the count does not exceed the defence packet count, take no action.
The log detection cycle refers to how often the network packet log is checked;
The network packet is the data unit in TCP/IP protocol communication.
The target server address refers to the address at which the infrastructure cloud platform provides services externally;
The IP white list refers to the list of IP addresses regarded as legitimate by the cloud platform, entered in advance by operations staff.
The software firewall includes iptables, IPCop Firewall and the APF software firewall;
iptables is the IP packet filtering system integrated with the Linux kernel. If a Linux system is connected to the Internet or a LAN, or is a server or proxy server connecting a LAN to the Internet, this system lets the Linux system control IP packet filtering and firewall configuration more effectively;
IPCop Firewall is a firewall suite for Linux aimed mainly at home and SOHO (Small Office/Home Office) users; its interface is very friendly and task-based. It sits between the user's working area and the Internet connection, and monitors and manages various information according to a set of TCP/IP business rules;
APF refers to Advanced Policy Firewall, a software firewall for the Linux environment; it uses the iptables rules that the Linux system provides by default.
The method of the invention is low in cost: a single configuration on an ordinary security proxy server, without high-end hardware, is enough to filter UDP flood attacks. The method is highly automated: by means of log detection, an automation script completes the detection of and defence against UDP attacks. The method is versatile and does not depend on a single software firewall.
Detailed description of the invention
The present invention is further described below with reference to the drawings:
Fig. 1 is the flow chart of the invention;
Fig. 2 is the technical schematic diagram of the invention.
Specific embodiment
There are many embodiments of the present invention; the embodiment based on the iptables firewall under Linux is described here as follows:
As shown in Figure 1, the process is as follows:
Step 1: set the log detection cycle and the defence network packet count.
# vi /usr/local/udpflood.conf
NO_OF_CONNECTIONS=600    # defence network packet count
CHECK_CYCLE=60           # detection cycle, in seconds
Step 2: a UDP flood attack tool is used to attack the target server address.
The tool used here is LOIC, a flooding tool that can generate a large volume of traffic.
Step 3: the target server detects the access volume through the software firewall and records the access information in a log.
A rule is added to the iptables firewall to record the access log of all UDP traffic:
# iptables -A INPUT -p udp -j LOG --log-prefix 'UDP-DDOS: ' --log-ip-options
Step 4: analyse the log and list, in descending order, the number of packets sent by each IP in the same detection cycle.
The core of the analysis script is as follows:
Each line of its output gives the packet count first, followed by the IP address that sent the packets.
Step 5: if the count exceeds the defence network packet count limit, compare the IP against the IP white list.
Step 6: if the IP is in the white list, take no action.
The core function is as follows:
Step 7: if the IP is not in the white list, the automation script calls the software firewall to block the IP.
Step 8: if the count does not exceed the defence packet count, take no action.
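The detection and response loop of steps 3 to 8, as an added example that is not the patent's own script: it counts packets per source address in constructed iptables LOG lines, applies the NO_OF_CONNECTIONS threshold and the white list, and returns the firewall command for an address to be blocked instead of executing it. The log line layout, the WHITELIST variable, the sample addresses and the low threshold are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not the patent's own script: one detection cycle of the method
# above, run offline over constructed iptables LOG lines (documentation-range IPs).
# Assumptions: log lines carry the "UDP-DDOS:" prefix written by the rule
# "iptables -A INPUT -p udp -j LOG --log-prefix 'UDP-DDOS: '" plus a SRC=<ip>
# field, as the kernel logs them; the white list is one IP per line; the
# threshold mirrors NO_OF_CONNECTIONS in udpflood.conf but is set low for the demo.

NO_OF_CONNECTIONS=2   # defence packet count per detection cycle (600 in the patent's example)

# Constructed sample log for one detection cycle; the last line is non-UDP noise
# that the prefix filter must ignore even though it carries a SRC= field.
SAMPLE_LOG='Dec  5 10:00:01 host kernel: UDP-DDOS: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53000 DPT=80 LEN=1200
Dec  5 10:00:01 host kernel: UDP-DDOS: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53001 DPT=80 LEN=1200
Dec  5 10:00:01 host kernel: UDP-DDOS: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53002 DPT=80 LEN=1200
Dec  5 10:00:01 host kernel: UDP-DDOS: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=53003 DPT=80 LEN=1200
Dec  5 10:00:02 host kernel: UDP-DDOS: IN=eth0 OUT= SRC=192.0.2.25 DST=203.0.113.10 PROTO=UDP SPT=40000 DPT=53 LEN=80
Dec  5 10:00:02 host kernel: UDP-DDOS: IN=eth0 OUT= SRC=192.0.2.25 DST=203.0.113.10 PROTO=UDP SPT=40001 DPT=53 LEN=80
Dec  5 10:00:02 host kernel: UDP-DDOS: IN=eth0 OUT= SRC=192.0.2.25 DST=203.0.113.10 PROTO=UDP SPT=40002 DPT=53 LEN=80
Dec  5 10:00:03 host kernel: UDP-DDOS: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=UDP SPT=5060 DPT=5060 LEN=300
Dec  5 10:00:03 host kernel: TCP-LOG: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44000 DPT=22 LEN=60'

# Constructed white list: 192.0.2.25 stands in for a known-good host (e.g. a monitor).
WHITELIST='192.0.2.25'

# Step 4: count packets per source IP and list them in descending order.
# Reads log lines on stdin, prints "<count> <ip>" per line.
count_udp_sources() {
    grep 'UDP-DDOS:' \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Steps 5-8: decide what to do with one source. Arguments: count, ip.
# Prints "ignore" (limit not exceeded), "whitelisted" or "block".
decide() {
    count=$1; ip=$2
    if [ "$count" -le "$NO_OF_CONNECTIONS" ]; then
        echo ignore; return
    fi
    if printf '%s\n' "$WHITELIST" | grep -qxF "$ip"; then
        echo whitelisted; return
    fi
    echo block
}

# The command the automation script hands to the software firewall for a blocked
# address; returned as a string so the demo never touches the live ruleset.
block_command() {
    echo "iptables -I INPUT -s $1 -p udp -j DROP"
}

# One detection cycle over the sample log: prints "<ip> <decision>" per source.
run_cycle() {
    printf '%s\n' "$SAMPLE_LOG" | count_udp_sources | while read -r count ip; do
        echo "$ip $(decide "$count" "$ip")"
    done
}

run_cycle
```

On a live host the sample text would be replaced by reading the kernel log (e.g. /var/log/messages) for the last CHECK_CYCLE seconds, and the output of block_command would be executed by the automation script.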

Claims (5)

1. A method of defending against connectionless UDP flood attacks, characterized in that the method comprises the following steps:
Step 1: set the log detection cycle and the defence network packet count;
Step 2: when a UDP flood attack tool is used to attack the target server address, the target server detects the access volume through a software firewall and records the access information in a log;
Step 3: analyse the log and list the number of packets sent by each IP in the same detection cycle in descending order;
Step 4: if the count exceeds the defence network packet count limit, compare the IP against the IP white list;
Step 5: if the IP is in the white list, take no action;
Step 6: if the IP is not in the white list, the automation script calls the software firewall to block the IP;
Step 7: if the count does not exceed the defence network packet count, take no action.
2. The method according to claim 1, characterized in that:
the log detection cycle refers to how often the network packet log is checked;
the network packet is the data unit in TCP/IP protocol communication.
3. The method according to claim 1, characterized in that: the target server address refers to the address at which the infrastructure cloud platform provides services externally;
the IP white list refers to the list of IP addresses regarded as legitimate by the cloud platform, entered in advance by operations staff.
4. The method according to claim 2, characterized in that: the target server address refers to the address at which the infrastructure cloud platform provides services externally;
the IP white list refers to the list of IP addresses regarded as legitimate by the cloud platform, entered in advance by operations staff.
5. The method according to any one of claims 1 to 4, characterized in that:
the software firewall includes iptables, IPCop Firewall and the APF software firewall;
iptables is the IP packet filtering system integrated with the Linux kernel; if a Linux system is connected to the Internet or a LAN, or is a server or proxy server connecting a LAN to the Internet, this system lets the Linux system control IP packet filtering and firewall configuration more effectively;
IPCop Firewall is a firewall suite for Linux aimed mainly at home and SOHO users; its interface is very friendly and task-based, it sits between the user's working area and the Internet connection, and it monitors and manages various information according to a set of TCP/IP business rules;
APF is a software firewall for the Linux environment; it uses the iptables rules that the Linux system provides by default.

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201611102791.4A | CN106506527B (en) | 2016-12-05 | 2016-12-05 | A method of defending against connectionless UDP flood attacks

Publications (2)

Publication Number | Publication Date
CN106506527A (en) | 2017-03-15
CN106506527B (en) | 2019-06-21

Family

ID=58330453

Country Status (1)

Country | Link
CN | CN106506527B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107171867A (en) * 2017-06-30 2017-09-15 环球智达科技(北京)有限公司 The guard system of ddos attack
CN107454065B (en) * 2017-07-12 2020-07-10 北京神州绿盟信息安全科技股份有限公司 Method and device for protecting UDP Flood attack
CN109831465B (en) * 2019-04-12 2020-07-10 重庆天蓬网络有限公司 Website intrusion detection method based on big data log analysis
CN109962927B (en) * 2019-04-17 2022-01-04 杭州安恒信息技术股份有限公司 Anti-attack method based on threat intelligence
CN111669371B (en) * 2020-05-18 2022-09-30 深圳供电局有限公司 Network attack restoration system and method suitable for power network
CN113852640B (en) * 2021-09-29 2023-06-09 上海市大数据股份有限公司 Network security automatic defense system based on RPA
CN114760152B (en) * 2022-06-14 2022-08-19 湖南警察学院 Cloud data center virtualization node network security early warning method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729389A (en) * 2008-10-21 2010-06-09 北京启明星辰信息技术股份有限公司 Flow control device and method based on flow prediction and trusted network address learning
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
CN103957205A (en) * 2014-04-25 2014-07-30 国家电网公司 Trojan horse detection method based on terminal traffic
CN104363230A (en) * 2014-11-14 2015-02-18 山东乾云启创信息科技有限公司 Method for preventing flood attacks in desktop virtualization
CN106161333A (en) * 2015-03-24 2016-11-23 华为技术有限公司 DDOS attack means of defence based on SDN, Apparatus and system

Also Published As

Publication number Publication date
CN106506527A (en) 2017-03-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Address after: 523808 19th Floor, Cloud Computing Center, Chinese Academy of Sciences, No. 1 Kehui Road, Songshan Lake Hi-tech Industrial Development Zone, Dongguan City, Guangdong Province
    Applicant after: G-Cloud Technology Co., Ltd.
    Address before: 523808 No. 14 Building, Songke Garden, Songshan Lake Science and Technology Industrial Park, Dongguan City, Guangdong Province
    Applicant before: G-Cloud Technology Co., Ltd.
GR01 Patent grant