CN106656967A - UDP FLOOD attack cleaning method and system - Google Patents

UDP FLOOD attack cleaning method and system Download PDF

Info

Publication number
CN106656967A
CN106656967A CN201610885390.4A CN201610885390A CN106656967A CN 106656967 A CN106656967 A CN 106656967A CN 201610885390 A CN201610885390 A CN 201610885390A CN 106656967 A CN106656967 A CN 106656967A
Authority
CN
China
Prior art keywords
message
port
udp
load contents
conversely
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610885390.4A
Other languages
Chinese (zh)
Other versions
CN106656967B (en
Inventor
梁润强
史伟
黄劲聪
关志来
丘树杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Ruijiang Cloud Computing Co Ltd
Guangdong Eflycloud Computing Co Ltd
Original Assignee
Guangdong Ruijiang Cloud Computing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Ruijiang Cloud Computing Co Ltd filed Critical Guangdong Ruijiang Cloud Computing Co Ltd
Priority to CN201610885390.4A priority Critical patent/CN106656967B/en
Publication of CN106656967A publication Critical patent/CN106656967A/en
Application granted granted Critical
Publication of CN106656967B publication Critical patent/CN106656967B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a UDP FLOOD attack cleaning method and system. Novel reflective attack traffic can be accurately discovered and filtered by statistics of the port message frequency of a preset specific port, and the conventional UDP attack traffic can be accurately identified by statistics of the real check code frequency of the load content and taking features of the previous 16 bytes of the load content. Fragment traffic generated by the UDP attack can be further filtered on the basis of accurately identifying new and old UDP traffic. Compared with the conventional traffic limiting mode, the performance loss caused by statistics of a large number of message features can be eliminated, even tens of Gbps of traffic can still be easily handled and thus the eliminating effect can be greatly enhanced. The UDP FLOOD attack cleaning method and system can be widely applied to UDP attack defense.

Description

Cleaning method and system that a kind of UDP FLOOD are attacked
Technical field
The present invention relates to Computer network technical field, more particularly to a kind of cleaning methods attacked of UDP FLOOD and it is System.
Background technology
Denial of Service attack(DoS, Denial of Service)Refer to and exhausted by attack net using various service requests The system resource of network, so that the request of validated user cannot be processed by attacking network.And with the rise of Botnet, while Because attack method is simple, it is larger to affect, be difficult to the features such as tracing, distributed denial of service attack is caused again(DDoS, Distributed Denial of Service)Obtain quick growth and increasingly spread unchecked.The corpse net of thousands of main frame compositions Network is the bandwidth and main frame needed for ddos attack is provided, and huge attack and network traffics is defined, to by attack net Network causes greatly harm.
The safety faced with operators such as the continuous improvement and development of ddos attack technology, ISP, ICP, IDC and operation Challenge is also on the increase, and operator must be detected and added before DDoS threatens impact key business and application to flow To clean, it is ensured that the operation of network normal table and the normal development of business.Meanwhile, to the detection of ddos attack flow and clear Washing can also become a kind of value-added service that operator provides the user, to obtain more preferable user satisfaction.
And various ddos attack modes, and it is maximum with the harm of UDP_FLOOD, UDP is attacked and is tended to manufacture huge Attack traffic, the server that not only strong influence is attacked, in some instances it may even be possible to which the transmission network for making operator is paralysed, and causes disaster The loss of property, so must effectively cleaning treatment UDP FLOOD attack traffics.
Current UDP FLOOD attack cleaning method typically two kinds, and the first uses the mode of UDP message flow limitations;Its Two is, by accounting message feature, to filter big measure feature identical message.
Both the above method has obvious shortcoming, and the first uses the mode of current limliting, can be normal UDP messages Filter out, actually due to huge, the relatively small normal discharge of attack traffic, under current-limiting mode, may not quilt Normal through this kind of mode is only used for ensureing the not under fire impact of flow of other adjacent servers;And second utilizes report The means of literary feature carry out filtering packets, and first message characteristic is counted can greatly affect process performance, and what feature field was extracted More all can strong influence cleaning accuracy rate with less.
It is all new reflection-type attack traffic that UDP FLOOD commonplace at present are attacked, in the carrier of this flow Hold typically all than more random, to deal with new legacy UDP FLOOD and attack, the means of an accounting message feature are no longer suitable for.
The content of the invention
In order to solve above-mentioned technical problem, it is an object of the invention to provide one kind can accurately find and filter UDP attack streams Cleaning method and system that a kind of UDP FLOOD of amount are attacked.
The technical solution used in the present invention is:
The cleaning method that a kind of UDP FLOOD are attacked, comprises the following steps:
A, default particular detection port is initialized;
B, when message is received, whether the type for judging the message is UDP messages, if so, then execution step C;Conversely, then putting The capable message;
C, the source address for obtaining the message, source port, target port and message checking code;
D, the source address according to the message, source port, target port and message checking code, calculate the load contents of the message Check code;
E, according to the load contents check code of the message, so as to carry out traditional UDP attack detecting, and the message by detecting is held Row step F;Conversely, being then marked and execution step G to load contents detection state;
F, according to default particular detection port, carry out novel trans emitting UDP attack detecting to message, and to the report by detection Literary execution step G;Conversely, execution step G again after being then marked to Port detecting state;
G, judge that whether load contents detection state or Port detecting state are to need to filter, if so, then abandon the message;Conversely, Mutation UDP attack detectings are then carried out, and to message execution step H by detection;
H, burst detection is carried out to the message, and the message by detecting is let pass.
The further improvement of the cleaning method attacked as a kind of described UDP FLOOD, step E includes:
E1, according to the load contents check code of the message, frequency statistics is carried out to load contents, obtain load contents frequency;
E2, the load contents frequency is judged whether more than default load contents frequency threshold, if so, then detect load contents Status indication is to need to filter, and execution step G;Conversely, then execution step F.
The further improvement of the cleaning method attacked as a kind of described UDP FLOOD, step F includes:
F1, message frequencies statistics is carried out to default particular detection port, obtain port message frequencies;
F2, port message frequencies are judged whether more than default port frequency threshold value, if so, then by Port detecting status indication be Need to filter, and execution step G;Conversely, then direct execution step G.
The further improvement of the cleaning method attacked as a kind of described UDP FLOOD, described mutation UDP attacks inspection Survey, it is specially:
According to 16 bytes before the load contents of the message, judge whether to be satisfied by following all conditions:
1st byte=the 2nd byte;
1st~2 byte=the 3rd~4 byte;
1st~4 byte=the 5th~8 byte;
1st~8 byte=the 9th~16 byte;
If so, the message is then abandoned;Conversely, then the message passes through mutation UDP attack detectings.
The further improvement of the cleaning method attacked as a kind of described UDP FLOOD, step H includes:
Whether H1, the type for judging the message are burst, if so, then execution step H2;Conversely, then the source address of the message is deposited Enter and let pass in record and the message of letting pass;
H2, judge the source address of the message whether in record of letting pass, the message of if so, letting pass;Conversely, then abandoning the message.
Another technical scheme of the present invention is:
The purging system that a kind of UDP FLOOD are attacked, including:
Port initialization unit, for initializing to default particular detection port;
UDP judging units, for when message is received, judging whether the type of the message is UDP messages, is if so, then performed Information acquisition unit;Conversely, the message of then letting pass;
Information acquisition unit, for obtaining source address, source port, target port and the message checking code of the message;
Check code computing unit, for according to the source address of the message, source port, target port and message checking code, calculating Go out the load contents check code of the message;
Traditional attack detecting unit, for according to the load contents check code of the message, so as to carry out traditional UDP attack detecting, And reflection-type attack detecting unit is performed to the message by detection;Conversely, being then marked simultaneously to load contents detection state Perform and filter judging unit;
Reflection-type attack detecting unit, attacks for according to default particular detection port, carrying out novel trans emitting UDP to message Detection, and filtration judging unit is performed to the message by detection;Conversely, performing again after being then marked to Port detecting state Filter judging unit;
Judging unit is filtered, for judging whether load contents detection state or Port detecting state are to need to filter, and are if so, then lost Abandon the message;Conversely, then carrying out mutation UDP attack detectings, and burst detector unit is performed to the message by detection;
Burst detector unit, for carrying out burst detection to the message, and lets pass to the message by detecting.
The further improvement of the purging system attacked as a kind of described UDP FLOOD, traditional attack detecting list Unit includes:
Load contents frequency statistics unit, for according to the load contents check code of the message, load contents to be entered with line frequency system Meter, obtains load contents frequency;
Load contents frequency judging unit, for judging the load contents frequency whether more than default load contents frequency threshold Value, if so, then by load contents detection status indication to need to filter, and performs filtration judging unit;Conversely, then performing reflection-type Attack detecting unit.
The further improvement of the purging system attacked as a kind of described UDP FLOOD, the reflection-type attack detecting Unit includes:
Port message frequencies statistic unit, for carrying out message frequencies statistics to default particular detection port, obtains port report Literary frequency;
Port message frequencies judging unit, for judging whether port message frequencies are more than default port frequency threshold value, if so, Then by Port detecting status indication to need to filter, and perform filtration judging unit;Conversely, then directly perform filtering judging unit.
The further improvement of the purging system attacked as a kind of described UDP FLOOD, described mutation UDP attacks inspection Survey, it is specially:
According to 16 bytes before the load contents of the message, judge whether to be satisfied by following all conditions:
1st byte=the 2nd byte;
1st~2 byte=the 3rd~4 byte;
1st~4 byte=the 5th~8 byte;
1st~8 byte=the 9th~16 byte;
If so, the message is then abandoned;Conversely, then the message passes through mutation UDP attack detectings.
The further improvement of the purging system attacked as a kind of described UDP FLOOD, the burst detector unit bag Include:
Burst judging unit, for judging whether the type of the message is burst, if so, then execution step H2;Conversely, then should The source address of message is stored in clearance record and the message of letting pass;
Source address judging unit, for judging the source address of the message whether in record of letting pass, the message of if so, letting pass;Instead It, then abandon the message.
The invention has the beneficial effects as follows:
The port message frequency that the cleaning method and system that a kind of UDP FLOOD of the present invention are attacked passes through the default particular port of statistics Rate, can accurately find and filter novel trans emitting attack traffic, and by count load contents true verification code frequency and Feature 16 byte before load contents is taken, traditional UDP attack traffics can be accurately identified.The present invention is accurately differentiating new On the basis of old UDP flow amount, further filter UDP and attack produced burst flow, compare traditional current-limiting mode, the present invention The performance loss for going that in large quantities accounting message characteristic strip comes can be exempted, even if in the face of the flow of tens of Gbps, similarly can be light Pine reply, greatly improves elimination effect.
Description of the drawings
The specific embodiment of the present invention is described further below in conjunction with the accompanying drawings:
The step of Fig. 1 is a kind of cleaning method of UDP FLOOD attacks of the invention flow chart;
The step of Fig. 2 is traditional attack detecting in the cleaning method that a kind of UDP FLOOD of the invention are attacked flow chart;
The step of Fig. 3 is reflection-type attack detecting in the cleaning method that a kind of UDP FLOOD of the invention are attacked flow chart;
Fig. 4 is the step of burst is detected in the cleaning method that a kind of UDP FLOOD of the invention are attacked flow chart;
Fig. 5 is the block diagram of the purging system that a kind of UDP FLOOD of the invention are attacked.
Specific embodiment
With reference to Fig. 1, the cleaning method that a kind of UDP FLOOD of the invention are attacked is comprised the following steps:
A, default particular detection port is initialized;
B, when message is received, whether the type for judging the message is UDP messages, if so, then execution step C;Conversely, then putting The capable message;
C, the source address for obtaining the message, source port, target port and message checking code;
D, the source address according to the message, source port, target port and message checking code, calculate the load contents of the message Check code;
E, according to the load contents check code of the message, so as to carry out traditional UDP attack detecting, and the message by detecting is held Row step F;Conversely, being then marked and execution step G to load contents detection state;
F, according to default particular detection port, carry out novel trans emitting UDP attack detecting to message, and to the report by detection Literary execution step G;Conversely, execution step G again after being then marked to Port detecting state;
G, judge that whether load contents detection state or Port detecting state are to need to filter, if so, then abandon the message;Conversely, Mutation UDP attack detectings are then carried out, and to message execution step H by detection;
H, burst detection is carried out to the message, and the message by detecting is let pass.
With reference to Fig. 2, it is further used as preferred embodiment, step E includes:
E1, according to the load contents check code of the message, frequency statistics is carried out to load contents, obtain load contents frequency;
E2, the load contents frequency is judged whether more than default load contents frequency threshold, if so, then detect load contents Status indication is to need to filter, and execution step G;Conversely, then execution step F.
With reference to Fig. 3, it is further used as preferred embodiment, step F includes:
F1, message frequencies statistics is carried out to default particular detection port, obtain port message frequencies;
F2, port message frequencies are judged whether more than default port frequency threshold value, if so, then by Port detecting status indication be Need to filter, and execution step G;Conversely, then direct execution step G.
It is further used as preferred embodiment, described mutation UDP attack detectings, it is specially:
According to 16 bytes before the load contents of the message, judge whether to be satisfied by following all conditions:
1st byte=the 2nd byte;
1st~2 byte=the 3rd~4 byte;
1st~4 byte=the 5th~8 byte;
1st~8 byte=the 9th~16 byte;
If so, the message is then abandoned;Conversely, then the message passes through mutation UDP attack detectings.
With reference to Fig. 4, it is further used as preferred embodiment, step H includes:
Whether H1, the type for judging the message are burst, if so, then execution step H2;Conversely, then the source address of the message is deposited Enter and let pass in record and the message of letting pass;
H2, judge the source address of the message whether in record of letting pass, the message of if so, letting pass;Conversely, then abandoning the message.
Wherein, easily produce IP fragmentation because some UDP FLOOD are attacked, because IP fragmentation does not have UDP heading words Section, the normal source address that this method is let pass by record, clearance fragment message is selected with this, and reaching being capable of thoroughly cleaning UDP The purpose of FLOOD attack traffics.
In the embodiment of the present invention, default load contents frequency threshold is set to 100, and default port frequency threshold value is set to 100, then specific embodiment is as follows:
S1, set up global array reply_sport, and initialize default particular detection port reply_sport [53, 1900,123,19,520,5353,17,137,138,139,111,161,69] value is 1;
S2, global array sport_count, check_count of foundation, accept_ip, drop_sport, drop_check;
S3, when message is received, whether the type for judging the message is UDP messages, if so, then execution step S4;Conversely, then Let pass the message;
S4, taking-up message source address sip, source port sport, target port dport, check code check;
S5, the source address according to the message, source port, target port and message checking code, calculate as follows message screen Cover the load contents check code after source address, source port and target port:
sum=0, o1=sip>>16, o2=sip&0xffff;
sum += (ntohs(o1) + ntohs(o2) + (~ntohs(0) & 0xffff) + (~ntohs(0) & 0xffff));
sum += (ntohs(sport) + (~(0) & 0xffff));
sum += (ntohs(dport) + (~(0) & 0xffff));
sum += check;
sum = (sum & 0xffff) + (sum >> 16);
Sum is the load contents check code for finally obtaining;
S6, according to the load contents check code of the message, frequency statistics is carried out to load contents, obtain load contents frequency Check_count [sum], and judge whether to meet check_count [sum]>100, then load contents detection state drop_ Check [check]=1, and execution step S8;
S7, judge whether to meet reply_sport [sport]=1, if then showing that it is default particular detection port, then hold Mouth message frequencies sport_count [sport] ++, if port message frequencies sport_count [sport] for finally obtaining> 100, then Port detecting state drop_sport [sport]=1;
If S8, Port detecting state drop_sport [sport] or load contents detection state drop_check [check] are 1, Then abandon the message;Conversely, then execution step S9
S9, according to 16 bytes before the load contents of the message, judge whether to be satisfied by following all conditions:1st byte=2nd Byte, the 1st~2 byte=the 3rd~4 byte, the 1st~4 byte=the 5th~8 byte, the 1st~8 byte=the 9th~16 byte, meet Four conditions of the above, then abandon the message;Conversely, then execution step S10;
Whether S10, the type for judging the message are burst, and the source address of the message is not in record of letting pass, i.e. the source address Release status accept_ip [sip] not be 1, then abandon the message;Conversely, then by the release status accept_ of the source address Ip [sip] is set to 1, and the message of letting pass.
With reference to Fig. 5, the purging system that a kind of UDP FLOOD of the invention are attacked, including:
Port initialization unit, for initializing to default particular detection port;
UDP judging units, for when message is received, judging whether the type of the message is UDP messages, is if so, then performed Information acquisition unit;Conversely, the message of then letting pass;
Information acquisition unit, for obtaining source address, source port, target port and the message checking code of the message;
Check code computing unit, for according to the source address of the message, source port, target port and message checking code, calculating Go out the load contents check code of the message;
Traditional attack detecting unit, for according to the load contents check code of the message, so as to carry out traditional UDP attack detecting, And reflection-type attack detecting unit is performed to the message by detection;Conversely, being then marked simultaneously to load contents detection state Perform and filter judging unit;
Reflection-type attack detecting unit, attacks for according to default particular detection port, carrying out novel trans emitting UDP to message Detection, and filtration judging unit is performed to the message by detection;Conversely, performing again after being then marked to Port detecting state Filter judging unit;
Judging unit is filtered, for judging whether load contents detection state or Port detecting state are to need to filter, and are if so, then lost Abandon the message;Conversely, then carrying out mutation UDP attack detectings, and burst detector unit is performed to the message by detection;
Burst detector unit, for carrying out burst detection to the message, and lets pass to the message by detecting.
It is further used as preferred embodiment, traditional attack detecting unit includes:
Load contents frequency statistics unit, for according to the load contents check code of the message, load contents to be entered with line frequency system Meter, obtains load contents frequency;
Load contents frequency judging unit, for judging the load contents frequency whether more than default load contents frequency threshold Value, if so, then by load contents detection status indication to need to filter, and performs filtration judging unit;Conversely, then performing reflection-type Attack detecting unit.
It is further used as preferred embodiment, the reflection-type attack detecting unit includes:
Port message frequencies statistic unit, for carrying out message frequencies statistics to default particular detection port, obtains port report Literary frequency;
Port message frequencies judging unit, for judging whether port message frequencies are more than default port frequency threshold value, if so, Then by Port detecting status indication to need to filter, and perform filtration judging unit;Conversely, then directly perform filtering judging unit.
It is further used as preferred embodiment, described mutation UDP attack detectings, it is specially:
According to 16 bytes before the load contents of the message, judge whether to be satisfied by following all conditions:
1st byte=the 2nd byte;
1st~2 byte=the 3rd~4 byte;
1st~4 byte=the 5th~8 byte;
1st~8 byte=the 9th~16 byte;
If so, the message is then abandoned;Conversely, then the message passes through mutation UDP attack detectings.
It is further used as preferred embodiment, the burst detector unit includes:
Burst judging unit, for judging whether the type of the message is burst, if so, then execution step H2;Conversely, then should The source address of message is stored in clearance record and the message of letting pass;
Source address judging unit, for judging the source address of the message whether in record of letting pass, the message of if so, letting pass;Instead It, then abandon the message.
From the foregoing it can be that the cleaning method and system of a kind of UDP FLOOD attacks of the invention are by counting default The port message frequencies of particular port, can accurately find and filter novel trans emitting attack traffic, and by statistics load Hold true verification code frequency and take feature 16 byte before load contents, traditional UDP attack traffics can be accurately identified. The present invention filters UDP and attacks produced burst flow on the basis of new and old UDP flow amount is accurately differentiated, further, compares Traditional current-limiting mode, the present invention can exempt the performance loss for going that in large quantities accounting message characteristic strip comes, even if in the face of tens of The flow of Gbps, similarly can easily tackle, and greatly improve elimination effect.
It is more than that the preferable enforcement to the present invention is illustrated, but the invention is not limited to the enforcement Example, those of ordinary skill in the art can also make a variety of equivalent variations on the premise of without prejudice to spirit of the invention or replace Change, the deformation or replacement of these equivalents are all contained in the application claim limited range.

Claims (10)

1. the cleaning method that a kind of UDP FLOOD are attacked, it is characterised in that comprise the following steps:
A, default particular detection port is initialized;
B, when message is received, whether the type for judging the message is UDP messages, if so, then execution step C;Conversely, then putting The capable message;
C, the source address for obtaining the message, source port, target port and message checking code;
D, the source address according to the message, source port, target port and message checking code, calculate the load contents of the message Check code;
E, according to the load contents check code of the message, so as to carry out traditional UDP attack detecting, and the message by detecting is held Row step F;Conversely, being then marked and execution step G to load contents detection state;
F, according to default particular detection port, carry out novel trans emitting UDP attack detecting to message, and to the report by detection Literary execution step G;Conversely, execution step G again after being then marked to Port detecting state;
G, judge that whether load contents detection state or Port detecting state are to need to filter, if so, then abandon the message;Conversely, Mutation UDP attack detectings are then carried out, and to message execution step H by detection;
H, burst detection is carried out to the message, and the message by detecting is let pass.
2. the cleaning method that a kind of UDP FLOOD according to claim 1 are attacked, it is characterised in that:The step E bag Include:
E1, according to the load contents check code of the message, frequency statistics is carried out to load contents, obtain load contents frequency;
E2, the load contents frequency is judged whether more than default load contents frequency threshold, if so, then detect load contents Status indication is to need to filter, and execution step G;Conversely, then execution step F.
3. the cleaning method that a kind of UDP FLOOD according to claim 1 are attacked, it is characterised in that:The step F bag Include:
F1, message frequencies statistics is carried out to default particular detection port, obtain port message frequencies;
F2, port message frequencies are judged whether more than default port frequency threshold value, if so, then by Port detecting status indication be Need to filter, and execution step G;Conversely, then direct execution step G.
4. the cleaning method that a kind of UDP FLOOD according to claim 1 are attacked, it is characterised in that:Described mutation UDP Attack detecting, it is specially:
According to 16 bytes before the load contents of the message, judge whether to be satisfied by following all conditions:
1st byte=the 2nd byte;
1st~2 byte=the 3rd~4 byte;
1st~4 byte=the 5th~8 byte;
1st~8 byte=the 9th~16 byte;
If so, the message is then abandoned;Conversely, then the message passes through mutation UDP attack detectings.
5. the cleaning method that a kind of UDP FLOOD according to claim 1 are attacked, it is characterised in that:The step H bag Include:
Whether H1, the type for judging the message are burst, if so, then execution step H2;Conversely, then the source address of the message is deposited Enter and let pass in record and the message of letting pass;
H2, judge the source address of the message whether in record of letting pass, the message of if so, letting pass;Conversely, then abandoning the message.
6. the purging system that a kind of UDP FLOOD are attacked, it is characterised in that include:
Port initialization unit, for initializing to default particular detection port;
UDP judging units, for when message is received, judging whether the type of the message is UDP messages, is if so, then performed Information acquisition unit;Conversely, the message of then letting pass;
Information acquisition unit, for obtaining source address, source port, target port and the message checking code of the message;
Check code computing unit, for according to the source address of the message, source port, target port and message checking code, calculating Go out the load contents check code of the message;
Traditional attack detecting unit, for according to the load contents check code of the message, so as to carry out traditional UDP attack detecting, And reflection-type attack detecting unit is performed to the message by detection;Conversely, being then marked simultaneously to load contents detection state Perform and filter judging unit;
Reflection-type attack detecting unit, attacks for according to default particular detection port, carrying out novel trans emitting UDP to message Detection, and filtration judging unit is performed to the message by detection;Conversely, performing again after being then marked to Port detecting state Filter judging unit;
Judging unit is filtered, for judging whether load contents detection state or Port detecting state are to need to filter, and are if so, then lost Abandon the message;Conversely, then carrying out mutation UDP attack detectings, and burst detector unit is performed to the message by detection;
Burst detector unit, for carrying out burst detection to the message, and lets pass to the message by detecting.
7. the purging system that a kind of UDP FLOOD according to claim 6 are attacked, it is characterised in that:The tradition is attacked Detector unit includes:
Load contents frequency statistics unit, for according to the load contents check code of the message, load contents to be entered with line frequency system Meter, obtains load contents frequency;
Load contents frequency judging unit, for judging the load contents frequency whether more than default load contents frequency threshold Value, if so, then by load contents detection status indication to need to filter, and performs filtration judging unit;Conversely, then performing reflection-type Attack detecting unit.
8. the purging system that a kind of UDP FLOOD according to claim 6 are attacked, it is characterised in that:The reflection-type is attacked Hitting detector unit includes:
Port message frequencies statistic unit, for carrying out message frequencies statistics to default particular detection port, obtains port report Literary frequency;
Port message frequencies judging unit, for judging whether port message frequencies are more than default port frequency threshold value, if so, Then by Port detecting status indication to need to filter, and perform filtration judging unit;Conversely, then directly perform filtering judging unit.
9. the purging system that a kind of UDP FLOOD according to claim 6 are attacked, it is characterised in that:Described mutation UDP Attack detecting, it is specially:
According to 16 bytes before the load contents of the message, judge whether to be satisfied by following all conditions:
1st byte=the 2nd byte;
1st~2 byte=the 3rd~4 byte;
1st~4 byte=the 5th~8 byte;
1st~8 byte=the 9th~16 byte;
If so, the message is then abandoned;Conversely, then the message passes through mutation UDP attack detectings.
10. the purging system that a kind of UDP FLOOD according to claim 6 are attacked, it is characterised in that:The burst detection Unit includes:
Burst judging unit, for judging whether the type of the message is burst, if so, then execution step H2;Conversely, then should The source address of message is stored in clearance record and the message of letting pass;
Source address judging unit, for judging the source address of the message whether in record of letting pass, the message of if so, letting pass;Instead It, then abandon the message.
CN201610885390.4A 2016-10-09 2016-10-09 A kind of cleaning method and system of UDP FLOOD attack Active CN106656967B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610885390.4A CN106656967B (en) 2016-10-09 2016-10-09 A kind of cleaning method and system of UDP FLOOD attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610885390.4A CN106656967B (en) 2016-10-09 2016-10-09 A kind of cleaning method and system of UDP FLOOD attack

Publications (2)

Publication Number Publication Date
CN106656967A true CN106656967A (en) 2017-05-10
CN106656967B CN106656967B (en) 2019-11-19

Family

ID=58853844

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610885390.4A Active CN106656967B (en) 2016-10-09 2016-10-09 A kind of cleaning method and system of UDP FLOOD attack

Country Status (1)

Country Link
CN (1) CN106656967B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194680A (en) * 2018-09-27 2019-01-11 腾讯科技(深圳)有限公司 A kind of network attack identification method, device and equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101505218A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Detection method and apparatus for attack packet
CN101505219A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Method and protecting apparatus for defending denial of service attack
US20120254977A1 (en) * 2009-12-28 2012-10-04 Chengdu Huawei Symantec Technologies Co., Ltd. Method, device, and system for network attack protection

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101505218A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Detection method and apparatus for attack packet
CN101505219A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Method and protecting apparatus for defending denial of service attack
US20120254977A1 (en) * 2009-12-28 2012-10-04 Chengdu Huawei Symantec Technologies Co., Ltd. Method, device, and system for network attack protection

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194680A (en) * 2018-09-27 2019-01-11 腾讯科技(深圳)有限公司 A kind of network attack identification method, device and equipment
CN109194680B (en) * 2018-09-27 2021-02-12 腾讯科技(深圳)有限公司 Network attack identification method, device and equipment

Also Published As

Publication number Publication date
CN106656967B (en) 2019-11-19

Similar Documents

Publication Publication Date Title
US8634717B2 (en) DDoS attack detection and defense apparatus and method using packet data
CN108282497B (en) DDoS attack detection method for SDN control plane
CN103795709B (en) Network security detection method and system
CN105141604B (en) A kind of network security threats detection method and system based on trusted service stream
CN108040057B (en) Working method of SDN system suitable for guaranteeing network security and network communication quality
CN101505218B (en) Detection method and apparatus for attack packet
KR101107742B1 (en) SIP Intrusion Detection and Response System for Protecting SIP-based Services
KR101519623B1 (en) DDoS detection apparatus and method, DDoS detection and prevention apparatus for reducing positive false
CN101631026A (en) Method and device for defending against denial-of-service attacks
CN101505219B (en) Method and protecting apparatus for defending denial of service attack
JP2006279930A (en) Method and device for detecting and blocking unauthorized access
CN106850637A (en) A kind of anomalous traffic detection method based on flow white list
CN105282152B (en) A kind of method of abnormal traffic detection
CN106471778A (en) Attack detecting device, attack detection method and attack detecting program
CN108737447A (en) User Datagram Protocol traffic filtering method, apparatus, server and storage medium
JP2007179131A (en) Event detection system, management terminal and program, and event detection method
US20200274902A1 (en) Methods, systems, and computer readable media for dynamically remediating a security system entity
CN113810362A (en) Safety risk detection and disposal system and method thereof
US20200128040A1 (en) Method and system for detecting and mitigating a denial of service attack
CN107864110A (en) Botnet main control end detection method and device
CN107864155A (en) A kind of DDOS attack detection method of high-accuracy
CN104021348B (en) Real-time detection method and system of dormant P2P (Peer to Peer) programs
CN113765849B (en) Abnormal network flow detection method and device
JP2005210601A (en) Intrusion detector
CN106656967A (en) UDP FLOOD attack cleaning method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20170510

Assignee: Guangdong Yaoda Financial Leasing Co., Ltd

Assignor: GUANGDONG EFLYCLOUD COMPUTING Co.,Ltd.

Contract record no.: X2020980005383

Denomination of invention: A cleaning method and system of UDP flood attack

Granted publication date: 20191119

License type: Exclusive License

Record date: 20200826

EE01 Entry into force of recordation of patent licensing contract
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A cleaning method and system of UDP flood attack

Effective date of registration: 20200904

Granted publication date: 20191119

Pledgee: Guangdong Yaoda Financial Leasing Co., Ltd

Pledgor: GUANGDONG EFLYCLOUD COMPUTING Co.,Ltd.

Registration number: Y2020980005729

PE01 Entry into force of the registration of the contract for pledge of patent right