UDP FLOOD attack cleaning method and system (CN106656967A)

Publication number: CN106656967A
Authority: CN (China)
Legal status: Granted
Application number: CN201610885390.4A
Original language: Chinese (zh)
Other versions: CN106656967B (en)
Inventors: 梁润强, 史伟, 黄劲聪, 关志来, 丘树杰
Current assignees: Guangdong Ruijiang Cloud Computing Co Ltd; Guangdong Eflycloud Computing Co Ltd
Original assignee: Guangdong Ruijiang Cloud Computing Co Ltd
Legal events: application filed by Guangdong Ruijiang Cloud Computing Co Ltd; priority to CN201610885390.4A; publication of CN106656967A; application granted; publication of CN106656967B; legal status active.

Classifications (CPC)

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

The invention discloses a UDP FLOOD attack cleaning method and system. By counting the packet frequency on preset specific ports, new reflection-type attack traffic can be accurately discovered and filtered; by counting the frequency of the true checksum of the payload and taking the first 16 bytes of the payload as a feature, conventional UDP attack traffic can be accurately identified. On the basis of accurately distinguishing new and old UDP traffic, the fragment traffic produced by a UDP attack can be filtered further. Compared with the conventional rate-limiting approach, the performance loss caused by counting large numbers of packet features is avoided, so that even tens of Gbps of traffic can be handled with ease and the cleaning effect is greatly improved. The UDP FLOOD attack cleaning method and system can be widely applied to UDP attack defence.

Description

UDP FLOOD attack cleaning method and system
Technical field
The present invention relates to the field of computer network technology, and in particular to a UDP FLOOD attack cleaning method and system.
Background art
A denial of service attack (DoS, Denial of Service) uses a large volume of service requests to exhaust the system resources of the attacked network, so that requests from legitimate users can no longer be processed by that network. With the rise of botnets, and because the attack method is simple, its impact is large and its source is hard to trace, distributed denial of service attacks (DDoS, Distributed Denial of Service) have grown rapidly and spread unchecked. A botnet composed of thousands of hosts provides the bandwidth and the hosts a DDoS attack needs, generating enormous attack and network traffic that does great harm to the attacked network.
As DDoS attack techniques keep improving and developing, the security challenges faced by operators such as ISPs, ICPs and IDCs keep growing. Operators must detect and clean DDoS traffic before it affects key services and applications, so as to guarantee normal and stable network operation and the normal development of their business. At the same time, detection and cleaning of DDoS attack traffic can become a value-added service that operators offer to their users, improving user satisfaction.
Among the various DDoS attack modes, UDP FLOOD does the most harm. A UDP attack tends to generate enormous attack traffic that not only seriously affects the attacked server but may even paralyse the operator's transmission network and cause disastrous losses, so UDP FLOOD attack traffic must be cleaned effectively.
Current UDP FLOOD attack cleaning methods are generally of two kinds: the first rate-limits UDP traffic; the second counts packet features and filters large numbers of packets with identical features.
Both methods have obvious shortcomings. The first, rate limiting, may filter out normal UDP packets: because the attack traffic is huge while normal traffic is relatively small, normal packets may fail to get through under rate limiting, and this approach can only ensure that the traffic of other neighbouring servers is not affected by the attack. The second filters packets by their features, but counting packet features first greatly reduces processing performance, and extracting more or fewer feature fields strongly affects cleaning accuracy.
The UDP FLOOD attacks commonly seen today are all new reflection-type attack traffic, whose payload contents are generally quite random; to deal with both new and old UDP FLOOD attacks, counting packet features alone is no longer adequate.
Summary of the invention
In order to solve the above technical problem, the object of the present invention is to provide a UDP FLOOD attack cleaning method and system that can accurately discover and filter UDP attack traffic.
The technical solution adopted by the present invention is:
A UDP FLOOD attack cleaning method, comprising the following steps:
A. initializing preset specific detection ports;
B. when a packet is received, judging whether the type of the packet is UDP; if so, executing step C; otherwise, passing the packet;
C. obtaining the source address, source port, destination port and checksum of the packet;
D. calculating the payload checksum of the packet from its source address, source port, destination port and checksum;
E. performing traditional UDP attack detection according to the payload checksum of the packet; for a packet that passes detection, executing step F; otherwise, marking the payload detection state and executing step G;
F. performing new reflection-type UDP attack detection on the packet according to the preset specific detection ports; for a packet that passes detection, executing step G; otherwise, marking the port detection state and then executing step G;
G. judging whether the payload detection state or the port detection state is marked as needing filtering; if so, discarding the packet; otherwise, performing variant UDP attack detection, and for a packet that passes detection, executing step H;
H. performing fragment detection on the packet, and passing a packet that passes detection.
As a further improvement of the UDP FLOOD attack cleaning method, step E comprises:
E1. performing frequency statistics on the payload according to the payload checksum of the packet, obtaining a payload frequency;
E2. judging whether the payload frequency exceeds a preset payload frequency threshold; if so, marking the payload detection state as needing filtering and executing step G; otherwise, executing step F.
As a further improvement of the UDP FLOOD attack cleaning method, step F comprises:
F1. performing packet frequency statistics on the preset specific detection ports, obtaining a port packet frequency;
F2. judging whether the port packet frequency exceeds a preset port frequency threshold; if so, marking the port detection state as needing filtering and executing step G; otherwise, executing step G directly.
As a further improvement of the UDP FLOOD attack cleaning method, the variant UDP attack detection is specifically:
according to the first 16 bytes of the payload of the packet, judging whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1 to 2 = bytes 3 to 4;
bytes 1 to 4 = bytes 5 to 8;
bytes 1 to 8 = bytes 9 to 16;
if so, discarding the packet; otherwise, the packet passes variant UDP attack detection.
As a further improvement of the UDP FLOOD attack cleaning method, step H comprises:
H1. judging whether the type of the packet is a fragment; if so, executing step H2; otherwise, storing the source address of the packet in a clearance record and passing the packet;
H2. judging whether the source address of the packet is in the clearance record; if so, passing the packet; otherwise, discarding the packet.
Another technical solution of the present invention is:
A UDP FLOOD attack cleaning system, comprising:
a port initialization unit, for initializing preset specific detection ports;
a UDP judging unit, for judging, when a packet is received, whether the type of the packet is UDP; if so, executing the information acquisition unit; otherwise, passing the packet;
an information acquisition unit, for obtaining the source address, source port, destination port and checksum of the packet;
a checksum computing unit, for calculating the payload checksum of the packet from its source address, source port, destination port and checksum;
a traditional attack detection unit, for performing traditional UDP attack detection according to the payload checksum of the packet, and executing the reflection-type attack detection unit for a packet that passes detection; otherwise, marking the payload detection state and executing the filter judging unit;
a reflection-type attack detection unit, for performing new reflection-type UDP attack detection on the packet according to the preset specific detection ports, and executing the filter judging unit for a packet that passes detection; otherwise, marking the port detection state and then executing the filter judging unit;
a filter judging unit, for judging whether the payload detection state or the port detection state is marked as needing filtering; if so, discarding the packet; otherwise, performing variant UDP attack detection, and executing the fragment detection unit for a packet that passes detection;
a fragment detection unit, for performing fragment detection on the packet, and passing a packet that passes detection.
As a further improvement of the UDP FLOOD attack cleaning system, the traditional attack detection unit comprises:
a payload frequency statistics unit, for performing frequency statistics on the payload according to the payload checksum of the packet, obtaining a payload frequency;
a payload frequency judging unit, for judging whether the payload frequency exceeds a preset payload frequency threshold; if so, marking the payload detection state as needing filtering and executing the filter judging unit; otherwise, executing the reflection-type attack detection unit.
As a further improvement of the UDP FLOOD attack cleaning system, the reflection-type attack detection unit comprises:
a port packet frequency statistics unit, for performing packet frequency statistics on the preset specific detection ports, obtaining a port packet frequency;
a port packet frequency judging unit, for judging whether the port packet frequency exceeds a preset port frequency threshold; if so, marking the port detection state as needing filtering and executing the filter judging unit; otherwise, executing the filter judging unit directly.
As a further improvement of the UDP FLOOD attack cleaning system, the variant UDP attack detection is specifically:
according to the first 16 bytes of the payload of the packet, judging whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1 to 2 = bytes 3 to 4;
bytes 1 to 4 = bytes 5 to 8;
bytes 1 to 8 = bytes 9 to 16;
if so, discarding the packet; otherwise, the packet passes variant UDP attack detection.
As a further improvement of the UDP FLOOD attack cleaning system, the fragment detection unit comprises:
a fragment judging unit, for judging whether the type of the packet is a fragment; if so, executing the source address judging unit (step H2); otherwise, storing the source address of the packet in the clearance record and passing the packet;
a source address judging unit, for judging whether the source address of the packet is in the clearance record; if so, passing the packet; otherwise, discarding the packet.
The beneficial effects of the invention are:
By counting the packet frequency on preset specific ports, the UDP FLOOD attack cleaning method and system of the present invention can accurately discover and filter new reflection-type attack traffic, and by counting the frequency of the true checksum of the payload and taking the first 16 bytes of the payload as a feature, they can accurately identify traditional UDP attack traffic. On the basis of accurately distinguishing new and old UDP traffic, the present invention further filters the fragment traffic produced by a UDP attack. Compared with the traditional rate-limiting approach, the present invention avoids the performance loss caused by counting large numbers of packet features, so that even traffic of tens of Gbps can be handled with ease and the cleaning effect is greatly improved.
Description of the drawings
The specific embodiments of the present invention are further described below with reference to the accompanying drawings:
Fig. 1 is a step flow chart of the UDP FLOOD attack cleaning method of the present invention;
Fig. 2 is a step flow chart of the traditional attack detection in the UDP FLOOD attack cleaning method of the present invention;
Fig. 3 is a step flow chart of the reflection-type attack detection in the UDP FLOOD attack cleaning method of the present invention;
Fig. 4 is a step flow chart of the fragment detection in the UDP FLOOD attack cleaning method of the present invention;
Fig. 5 is a block diagram of the UDP FLOOD attack cleaning system of the present invention.
Specific embodiments
With reference to Fig. 1, the UDP FLOOD attack cleaning method of the present invention comprises the following steps:
A. initializing preset specific detection ports;
B. when a packet is received, judging whether the type of the packet is UDP; if so, executing step C; otherwise, passing the packet;
C. obtaining the source address, source port, destination port and checksum of the packet;
D. calculating the payload checksum of the packet from its source address, source port, destination port and checksum;
E. performing traditional UDP attack detection according to the payload checksum of the packet; for a packet that passes detection, executing step F; otherwise, marking the payload detection state and executing step G;
F. performing new reflection-type UDP attack detection on the packet according to the preset specific detection ports; for a packet that passes detection, executing step G; otherwise, marking the port detection state and then executing step G;
G. judging whether the payload detection state or the port detection state is marked as needing filtering; if so, discarding the packet; otherwise, performing variant UDP attack detection, and for a packet that passes detection, executing step H;
H. performing fragment detection on the packet, and passing a packet that passes detection.
With reference to Fig. 2, as a further preferred embodiment, step E comprises:
E1. performing frequency statistics on the payload according to the payload checksum of the packet, obtaining a payload frequency;
E2. judging whether the payload frequency exceeds a preset payload frequency threshold; if so, marking the payload detection state as needing filtering and executing step G; otherwise, executing step F.
With reference to Fig. 3, as a further preferred embodiment, step F comprises:
F1. performing packet frequency statistics on the preset specific detection ports, obtaining a port packet frequency;
F2. judging whether the port packet frequency exceeds a preset port frequency threshold; if so, marking the port detection state as needing filtering and executing step G; otherwise, executing step G directly.
As a further preferred embodiment, the variant UDP attack detection is specifically:
according to the first 16 bytes of the payload of the packet, judging whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1 to 2 = bytes 3 to 4;
bytes 1 to 4 = bytes 5 to 8;
bytes 1 to 8 = bytes 9 to 16;
if so, discarding the packet; otherwise, the packet passes variant UDP attack detection.
With reference to Fig. 4, as a further preferred embodiment, step H comprises:
H1. judging whether the type of the packet is a fragment; if so, executing step H2; otherwise, storing the source address of the packet in a clearance record and passing the packet;
H2. judging whether the source address of the packet is in the clearance record; if so, passing the packet; otherwise, discarding the packet.
Since some UDP FLOOD attacks readily produce IP fragments, and an IP fragment carries no UDP header fields, the method records the source addresses of the normal packets it has passed and uses that record to decide which fragment packets to pass, so that UDP FLOOD attack traffic can be cleaned thoroughly.
In an embodiment of the present invention, the preset payload frequency threshold is set to 100 and the preset port frequency threshold is set to 100; the specific embodiment is then as follows:
S1. create the global array reply_sport and initialize the preset specific detection ports by setting reply_sport[53, 1900, 123, 19, 520, 5353, 17, 137, 138, 139, 111, 161, 69] to 1;
S2. create the global arrays sport_count, check_count, accept_ip, drop_sport and drop_check;
S3. when a packet is received, judge whether the type of the packet is UDP; if so, execute step S4; otherwise, pass the packet;
S4. take the packet's source address sip, source port sport, destination port dport and checksum check;
S5. from the source address, source port, destination port and checksum of the packet, calculate as follows the payload checksum with the source address, source port and destination port masked out (C-style, as given in the patent; ntohs converts a 16-bit field from network byte order):
    sum = 0, o1 = sip >> 16, o2 = sip & 0xffff;                                    /* split the source address into two 16-bit words */
    sum += (ntohs(o1) + ntohs(o2) + (~ntohs(0) & 0xffff) + (~ntohs(0) & 0xffff));  /* add the source address back; ~0 & 0xffff is 0xffff, the ones-complement zero */
    sum += (ntohs(sport) + (~(0) & 0xffff));                                       /* add the source port back */
    sum += (ntohs(dport) + (~(0) & 0xffff));                                       /* add the destination port back */
    sum += check;                                                                  /* the checksum carried by the packet */
    sum = (sum & 0xffff) + (sum >> 16);                                            /* fold the carry into 16 bits */
sum is the payload checksum finally obtained. Because the received checksum is the ones-complement of the sum of all covered 16-bit words, adding a field's words back to it yields the checksum the packet would carry with that field zeroed, so the result no longer depends on the masked fields, and packets with identical payloads give identical values whatever their source address and ports.
S6. according to the payload checksum of the packet, perform frequency statistics on the payload, obtaining the payload frequency check_count[sum]; if check_count[sum] > 100, set the payload detection state drop_check[check] = 1 and execute step S8;
S7. judge whether reply_sport[sport] = 1; if so, the source port is a preset specific detection port, so increment the port packet frequency sport_count[sport]++; if the resulting port packet frequency sport_count[sport] > 100, set the port detection state drop_sport[sport] = 1;
S8. if the port detection state drop_sport[sport] or the payload detection state drop_check[check] is 1, discard the packet; otherwise, execute step S9;
S9. according to the first 16 bytes of the payload of the packet, judge whether all of the following conditions are satisfied: byte 1 = byte 2, bytes 1 to 2 = bytes 3 to 4, bytes 1 to 4 = bytes 5 to 8, bytes 1 to 8 = bytes 9 to 16; if all four conditions are met, discard the packet; otherwise, execute step S10;
S10. judge whether the type of the packet is a fragment and its source address is not in the clearance record, i.e. the release state accept_ip[sip] of the source address is not 1; if so, discard the packet; otherwise, set the release state accept_ip[sip] of the source address to 1 and pass the packet.
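The embodiment steps S1 to S10 above, as an added worked example in Python (not the patent's own code): it computes the masked payload checksum of step S5 with real RFC 768 checksum arithmetic, keeps the counters and states of step S2, and applies the traditional, reflection-type, variant and fragment checks in order. Assumptions beyond what the patent states: packets are handled as Python dicts rather than wire-format bytes; the drop_check state is keyed by the masked checksum sum rather than by the raw check value used in steps S6 and S8; a payload shorter than 16 bytes is treated as not matching the variant conditions; the port list and both thresholds of 100 are the embodiment's values. The four variant conditions of step S9 together hold exactly when the first 16 payload bytes are all the same byte, which is how the helper tests them.

```python
"""Added example (not the patent's code): a UDP FLOOD cleaner following steps S1-S10
of the embodiment on constructed packets.  Packets are plain dicts, the checksum
arithmetic is the real RFC 768 ones-complement sum."""
import struct
from collections import Counter

# S1: reflection source ports from the patent's embodiment (reply_sport)
REFLECT_PORTS = {53, 1900, 123, 19, 520, 5353, 17, 137, 138, 139, 111, 161, 69}
PAYLOAD_FREQ_THRESHOLD = 100   # embodiment value for check_count
PORT_FREQ_THRESHOLD = 100      # embodiment value for sport_count


def fold16(n):
    """Fold carries until the value fits 16 bits (ones-complement sum)."""
    while n >> 16:
        n = (n & 0xFFFF) + (n >> 16)
    return n


def udp_checksum(src_ip, dst_ip, sport, dport, payload):
    """Standard UDP checksum over pseudo-header + UDP header (checksum 0) + payload."""
    length = 8 + len(payload)
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 17, length)
    data += struct.pack("!HHHH", sport, dport, length, 0) + payload
    if len(data) % 2:
        data += b"\x00"
    return (~fold16(sum(struct.unpack("!%dH" % (len(data) // 2), data)))) & 0xFFFF


def masked_checksum(src_ip, sport, dport, check):
    """Step S5: add source address and both ports back into the received checksum.
    check is ~sum(all words), so the result is ~sum(remaining words): the checksum
    the packet would carry with those fields zeroed.  '% 0xFFFF' maps the
    alternate ones-complement zero 0xFFFF onto 0 so equal payloads compare equal."""
    o1, o2 = struct.unpack("!HH", src_ip)
    return fold16(check + o1 + o2 + sport + dport) % 0xFFFF


def is_self_similar(payload):
    """Step S9: all four conditions hold iff the first 16 bytes are one repeated byte.
    Shorter payloads are treated as not matching (assumption; the patent is silent)."""
    p = payload[:16]
    return (len(p) == 16 and p[0] == p[1] and p[:2] == p[2:4]
            and p[:4] == p[4:8] and p[:8] == p[8:16])


class UdpCleaner:
    def __init__(self):
        self.check_count = Counter()   # S2: check_count, keyed by masked checksum
        self.sport_count = Counter()   # S2: sport_count
        self.drop_check = set()        # S2: drop_check (keyed by masked checksum here)
        self.drop_sport = set()        # S2: drop_sport
        self.accept_ip = set()         # S2: accept_ip, the clearance record

    def process(self, pkt):
        """Return 'pass' or 'drop' for one packet dict."""
        if pkt["proto"] != 17:                         # S3: non-UDP is passed through
            return "pass"
        if pkt.get("fragment"):                        # S10: a fragment has no UDP header
            return "pass" if pkt["sip"] in self.accept_ip else "drop"
        sport = pkt["sport"]
        code = masked_checksum(pkt["sip"], sport, pkt["dport"], pkt["check"])   # S5
        self.check_count[code] += 1                    # S6: same payload repeated
        if self.check_count[code] > PAYLOAD_FREQ_THRESHOLD:
            self.drop_check.add(code)
        elif sport in REFLECT_PORTS:                   # S7: replies from a reflector port
            self.sport_count[sport] += 1
            if self.sport_count[sport] > PORT_FREQ_THRESHOLD:
                self.drop_sport.add(sport)
        if code in self.drop_check or sport in self.drop_sport:   # S8
            return "drop"
        if is_self_similar(pkt["payload"]):            # S9: variant flood
            return "drop"
        self.accept_ip.add(pkt["sip"])                 # S10: remember a good source
        return "pass"


def make_packet(sip, sport, dport, payload, dst_ip=bytes([10, 0, 0, 1])):
    """Constructed UDP packet with a correct checksum; dst_ip is the protected host."""
    return {"proto": 17, "sip": sip, "sport": sport, "dport": dport, "payload": payload,
            "check": udp_checksum(sip, dst_ip, sport, dport, payload)}


def run_demo():
    """Drive the cleaner with constructed traffic and return the verdicts."""
    r, good, other = {}, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])
    c = UdpCleaner()                                   # normal packet, then two fragments
    r["normal"] = c.process(make_packet(good, 40000, 8080, b"hello game server"))
    r["frag_known"] = c.process({"proto": 17, "sip": good, "fragment": True})
    r["frag_unknown"] = c.process({"proto": 17, "sip": other, "fragment": True})
    c = UdpCleaner()                                   # traditional flood: one payload, spoofed sources
    flood = [c.process(make_packet(bytes([192, 0, 2, i]), 1024 + i, 8080, b"flood payload xyz"))
             for i in range(105)]
    r["flood_drops"] = flood.count("drop")
    c = UdpCleaner()                                   # reflection flood: varied 'DNS replies' from port 53
    refl = [c.process(make_packet(bytes([198, 51, 100, i]), 53, 33000 + i, b"dns answer %d" % i))
            for i in range(105)]
    r["reflect_drops"] = refl.count("drop")
    r["variant"] = UdpCleaner().process(make_packet(other, 50000, 9000, b"\x00" * 32))
    return r


if __name__ == "__main__":
    print(run_demo())
```

In run_demo() the normal packet passes and its source is recorded, so a later fragment from that source passes while one from an unknown source is dropped; in each flood the 101st and following packets are dropped once the respective counter exceeds 100, giving 5 drops out of 105; and the all-zero payload is dropped by the variant check. The masked checksum is what makes the counter key independent of spoofed source addresses and ports without reading the payload bytes, which is where the method's saving over per-packet feature extraction comes from.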
With reference to Fig. 5, the UDP FLOOD attack cleaning system of the present invention comprises:
a port initialization unit, for initializing preset specific detection ports;
a UDP judging unit, for judging, when a packet is received, whether the type of the packet is UDP; if so, executing the information acquisition unit; otherwise, passing the packet;
an information acquisition unit, for obtaining the source address, source port, destination port and checksum of the packet;
a checksum computing unit, for calculating the payload checksum of the packet from its source address, source port, destination port and checksum;
a traditional attack detection unit, for performing traditional UDP attack detection according to the payload checksum of the packet, and executing the reflection-type attack detection unit for a packet that passes detection; otherwise, marking the payload detection state and executing the filter judging unit;
a reflection-type attack detection unit, for performing new reflection-type UDP attack detection on the packet according to the preset specific detection ports, and executing the filter judging unit for a packet that passes detection; otherwise, marking the port detection state and then executing the filter judging unit;
a filter judging unit, for judging whether the payload detection state or the port detection state is marked as needing filtering; if so, discarding the packet; otherwise, performing variant UDP attack detection, and executing the fragment detection unit for a packet that passes detection;
a fragment detection unit, for performing fragment detection on the packet, and passing a packet that passes detection.
As a further preferred embodiment, the traditional attack detection unit comprises:
a payload frequency statistics unit, for performing frequency statistics on the payload according to the payload checksum of the packet, obtaining a payload frequency;
a payload frequency judging unit, for judging whether the payload frequency exceeds a preset payload frequency threshold; if so, marking the payload detection state as needing filtering and executing the filter judging unit; otherwise, executing the reflection-type attack detection unit.
As a further preferred embodiment, the reflection-type attack detection unit comprises:
a port packet frequency statistics unit, for performing packet frequency statistics on the preset specific detection ports, obtaining a port packet frequency;
a port packet frequency judging unit, for judging whether the port packet frequency exceeds a preset port frequency threshold; if so, marking the port detection state as needing filtering and executing the filter judging unit; otherwise, executing the filter judging unit directly.
As a further preferred embodiment, the variant UDP attack detection is specifically:
according to the first 16 bytes of the payload of the packet, judging whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1 to 2 = bytes 3 to 4;
bytes 1 to 4 = bytes 5 to 8;
bytes 1 to 8 = bytes 9 to 16;
if so, discarding the packet; otherwise, the packet passes variant UDP attack detection.
As a further preferred embodiment, the fragment detection unit comprises:
a fragment judging unit, for judging whether the type of the packet is a fragment; if so, executing the source address judging unit (step H2); otherwise, storing the source address of the packet in the clearance record and passing the packet;
a source address judging unit, for judging whether the source address of the packet is in the clearance record; if so, passing the packet; otherwise, discarding the packet.
It can be seen from the above that, by counting the packet frequency on preset specific ports, the UDP FLOOD attack cleaning method and system of the present invention can accurately discover and filter new reflection-type attack traffic, and by counting the frequency of the true checksum of the payload and taking the first 16 bytes of the payload as a feature, they can accurately identify traditional UDP attack traffic. On the basis of accurately distinguishing new and old UDP traffic, the present invention further filters the fragment traffic produced by a UDP attack. Compared with the traditional rate-limiting approach, the present invention avoids the performance loss caused by counting large numbers of packet features, so that even traffic of tens of Gbps can be handled with ease and the cleaning effect is greatly improved.
The above describes the preferred embodiments of the present invention, but the invention is not limited to these embodiments; those of ordinary skill in the art may make various equivalent variations or substitutions without departing from the spirit of the invention, and all such equivalent variations or substitutions fall within the scope defined by the claims of this application.

Claims (10)

1. the cleaning method that a kind of UDP FLOOD are attacked, it is characterised in that comprise the following steps:
A, default particular detection port is initialized;
B, when message is received, whether the type for judging the message is UDP messages, if so, then execution step C;Conversely, then putting The capable message;
C, the source address for obtaining the message, source port, target port and message checking code;
D, the source address according to the message, source port, target port and message checking code, calculate the load contents of the message Check code;
E, according to the load contents check code of the message, so as to carry out traditional UDP attack detecting, and the message by detecting is held Row step F;Conversely, being then marked and execution step G to load contents detection state;
F, according to default particular detection port, carry out novel trans emitting UDP attack detecting to message, and to the report by detection Literary execution step G;Conversely, execution step G again after being then marked to Port detecting state;
G, judge that whether load contents detection state or Port detecting state are to need to filter, if so, then abandon the message;Conversely, Mutation UDP attack detectings are then carried out, and to message execution step H by detection;
H, burst detection is carried out to the message, and the message by detecting is let pass.
2. the cleaning method that a kind of UDP FLOOD according to claim 1 are attacked, it is characterised in that:The step E bag Include:
E1, according to the load contents check code of the message, frequency statistics is carried out to load contents, obtain load contents frequency;
E2, the load contents frequency is judged whether more than default load contents frequency threshold, if so, then detect load contents Status indication is to need to filter, and execution step G;Conversely, then execution step F.
3. the cleaning method that a kind of UDP FLOOD according to claim 1 are attacked, it is characterised in that:The step F bag Include:
F1, message frequencies statistics is carried out to default particular detection port, obtain port message frequencies;
F2, port message frequencies are judged whether more than default port frequency threshold value, if so, then by Port detecting status indication be Need to filter, and execution step G;Conversely, then direct execution step G.
4. the cleaning method that a kind of UDP FLOOD according to claim 1 are attacked, it is characterised in that:Described mutation UDP Attack detecting, it is specially:
According to 16 bytes before the load contents of the message, judge whether to be satisfied by following all conditions:
1st byte=the 2nd byte;
1st~2 byte=the 3rd~4 byte;
1st~4 byte=the 5th~8 byte;
1st~8 byte=the 9th~16 byte;
If so, the message is then abandoned;Conversely, then the message passes through mutation UDP attack detectings.
5. the cleaning method that a kind of UDP FLOOD according to claim 1 are attacked, it is characterised in that:The step H bag Include:
Whether H1, the type for judging the message are burst, if so, then execution step H2;Conversely, then the source address of the message is deposited Enter and let pass in record and the message of letting pass;
H2, judge the source address of the message whether in record of letting pass, the message of if so, letting pass;Conversely, then abandoning the message.
6. A UDP FLOOD attack cleaning system, characterized in that it comprises:
a port initialization unit, for initializing the default particular detection port;
a UDP judging unit, for judging, when a message is received, whether the type of the message is a UDP message; if so, executing the information acquisition unit; otherwise, letting the message pass;
an information acquisition unit, for obtaining the source address, source port, target port and message check code of the message;
a check code computing unit, for computing the load contents check code of the message from its source address, source port, target port and message check code;
a traditional attack detection unit, for carrying out traditional UDP attack detection according to the load contents check code of the message, and executing the reflection-type attack detection unit on a message that passes the detection; otherwise, marking the load contents detection state and executing the filter judging unit;
a reflection-type attack detection unit, for carrying out novel reflection-type UDP attack detection on the message according to the default particular detection port, and executing the filter judging unit on a message that passes the detection; otherwise, marking the port detection state and then executing the filter judging unit;
a filter judging unit, for judging whether the load contents detection state or the port detection state is "needs filtering"; if so, discarding the message; otherwise, carrying out mutation UDP attack detection and executing the burst detection unit on a message that passes the detection;
a burst detection unit, for carrying out burst detection on the message and letting a message that passes the detection pass.
7. The UDP FLOOD attack cleaning system according to claim 6, characterized in that the traditional attack detection unit comprises:
a load contents frequency statistics unit, for carrying out frequency statistics on the load contents according to the load contents check code of the message, to obtain a load contents frequency;
a load contents frequency judging unit, for judging whether the load contents frequency exceeds the default load contents frequency threshold; if so, marking the load contents detection state as "needs filtering" and executing the filter judging unit; otherwise, executing the reflection-type attack detection unit.
8. The UDP FLOOD attack cleaning system according to claim 6, characterized in that the reflection-type attack detection unit comprises:
a port message frequency statistics unit, for carrying out message frequency statistics on the default particular detection port, to obtain a port message frequency;
a port message frequency judging unit, for judging whether the port message frequency exceeds the default port frequency threshold; if so, marking the port detection state as "needs filtering" and executing the filter judging unit; otherwise, executing the filter judging unit directly.
9. The UDP FLOOD attack cleaning system according to claim 6, characterized in that the mutation UDP attack detection specifically comprises:
judging, from the first 16 bytes of the load contents of the message, whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1~2 = bytes 3~4;
bytes 1~4 = bytes 5~8;
bytes 1~8 = bytes 9~16;
if so, discarding the message; otherwise, the message passes the mutation UDP attack detection.
10. The UDP FLOOD attack cleaning system according to claim 6, characterized in that the burst detection unit comprises:
a burst judging unit, for judging whether the type of the message is burst; if so, executing step H2; otherwise, storing the source address of the message in the clearance record and letting the message pass;
a source address judging unit, for judging whether the source address of the message is in the clearance record; if so, letting the message pass; otherwise, discarding the message.
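The cleaning pipeline of claims 6 to 10, run over constructed traffic, as an added example written for this page; it is not code from the patent or its assignee. The claims name the inputs of the load contents check code but give no formula, do not define the "burst" message type, and say nothing about payloads shorter than 16 bytes, so this example hashes the (source address, source port, target port, UDP checksum) tuple, treats "burst" as an IP fragment, and lets payloads shorter than 16 bytes through the mutation check; the thresholds, detection ports, class and field names and sample datagrams are all assumptions.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str              # transport protocol, "udp" or anything else
    src: str                # source address
    sport: int              # source port
    dport: int              # target port
    checksum: int           # UDP header checksum, the claims' "message check code"
    payload: bytes          # UDP payload, the claims' "load contents"
    fragment: bool = False  # the claims' "burst" type, assumed here to mean an IP fragment


class UdpFloodCleaner:
    """Model of the cleaning system in claims 6 to 10 (added example, not the patent's code)."""

    def __init__(self, payload_threshold, port_threshold, detection_ports):
        self.payload_threshold = payload_threshold   # default load contents frequency threshold
        self.port_threshold = port_threshold         # default port frequency threshold
        self.detection_ports = set(detection_ports)  # port initialization unit
        self.payload_counts = Counter()              # load contents frequency per check code
        self.port_counts = Counter()                 # message frequency per detection port
        self.cleared_sources = set()                 # the "clearance record" of claims 5 and 10

    @staticmethod
    def payload_check_code(pkt):
        # Check code computing unit. The claims name the inputs but give no formula;
        # hashing the tuple is an assumption of this example.
        key = f"{pkt.src}|{pkt.sport}|{pkt.dport}|{pkt.checksum:04x}".encode()
        return hashlib.sha256(key).hexdigest()

    def traditional_detect(self, pkt):
        # Claim 7: count messages per load contents check code; True means "passes".
        code = self.payload_check_code(pkt)
        self.payload_counts[code] += 1
        return self.payload_counts[code] <= self.payload_threshold

    def reflection_detect(self, pkt):
        # Claim 8: count messages per detection port. Reflected replies carry the abused
        # service's port as *source* port, so both ports are matched (an assumption).
        hits = [p for p in (pkt.sport, pkt.dport) if p in self.detection_ports]
        for port in hits:
            self.port_counts[port] += 1
        return all(self.port_counts[p] <= self.port_threshold for p in hits)

    @staticmethod
    def is_mutation_payload(payload):
        # Claim 9: the four equalities over the first 16 bytes, which together hold exactly
        # when all 16 bytes are identical. Shorter payloads pass (assumption; claims are silent).
        if len(payload) < 16:
            return False
        b = payload[:16]
        return b[0] == b[1] and b[0:2] == b[2:4] and b[0:4] == b[4:8] and b[0:8] == b[8:16]

    def burst_detect(self, pkt):
        # Claim 10: a non-burst message records its source and passes; a burst message
        # passes only if its source was recorded earlier.
        if not pkt.fragment:
            self.cleared_sources.add(pkt.src)
            return True
        return pkt.src in self.cleared_sources

    def process(self, pkt):
        """Run one message through the pipeline of claim 6; returns (verdict, deciding stage)."""
        if pkt.proto != "udp":                        # UDP judging unit: non-UDP is let pass
            return ("pass", "non-udp")
        if not self.traditional_detect(pkt):          # load contents state marked -> filter judging
            return ("drop", "payload-frequency")
        if not self.reflection_detect(pkt):           # port state marked -> filter judging
            return ("drop", "port-frequency")
        if self.is_mutation_payload(pkt.payload):     # filter judging unit, mutation check
            return ("drop", "mutation")
        if self.burst_detect(pkt):                    # burst detection unit
            return ("pass", "clean")
        return ("drop", "burst")


def demo():
    """Constructed traffic: benign messages plus one flood of each kind the claims detect."""
    c = UdpFloodCleaner(payload_threshold=3, port_threshold=2, detection_ports={53, 123})
    traffic = [
        Packet("tcp", "10.0.0.1", 40000, 80, 0, b"GET / HTTP/1.1"),
        Packet("udp", "10.0.0.2", 50000, 5000, 0x1234, b"hello, a normal datagram"),
        Packet("udp", "10.0.0.3", 50001, 5000, 0x0001, b"\x41" * 20),   # 16 identical bytes
        Packet("udp", "10.0.0.4", 50002, 5000, 0x0002, b"fragment-body-data", fragment=True),
        Packet("udp", "10.0.0.2", 50000, 5000, 0x5678, b"second-fragment!!", fragment=True),
    ]
    # three replies from distinct reflectors, all with source port 53 (constructed addresses)
    traffic += [Packet("udp", f"198.51.100.{i}", 53, 33333, 0xAAA0 + i, b"dns-answer-data")
                for i in range(1, 4)]
    # four identical datagrams from one source: the same check code every time
    traffic += [Packet("udp", "203.0.113.7", 60000, 7, 0xBEEF, b"flood-flood-flood")] * 4
    return [c.process(p) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two properties of the claimed checks are worth noting when reading the output. The four equalities of claims 4 and 9 are satisfied if and only if the first 16 payload bytes are all the same byte, so the check is a constant-fill detector rather than a general pattern matcher. And because the load contents check code of claim 1 is derived from the source address as well as the payload checksum, the payload frequency counter aggregates per source; a flood that varies its source address reaches, at most, the port frequency and mutation checks, which is why the pipeline layers all three before the burst stage.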
CN201610885390.4A 2016-10-09 2016-10-09 A kind of cleaning method and system of UDP FLOOD attack Active CN106656967B (en)

Publications (2)

Publication Number Publication Date
CN106656967A true CN106656967A (en) 2017-05-10
CN106656967B CN106656967B (en) 2019-11-19

Family

ID=58853844

Country Status (1)

Country Link
CN (1) CN106656967B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101505218A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Detection method and apparatus for attack packet
CN101505219A (en) * 2009-03-18 2009-08-12 杭州华三通信技术有限公司 Method and protecting apparatus for defending denial of service attack
US20120254977A1 (en) * 2009-12-28 2012-10-04 Chengdu Huawei Symantec Technologies Co., Ltd. Method, device, and system for network attack protection

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194680A (en) * 2018-09-27 2019-01-11 腾讯科技(深圳)有限公司 A kind of network attack identification method, device and equipment
CN109194680B (en) * 2018-09-27 2021-02-12 腾讯科技(深圳)有限公司 Network attack identification method, device and equipment

Also Published As

Publication number Publication date
CN106656967B (en) 2019-11-19

Similar Documents

Publication Publication Date Title
US8634717B2 (en) DDoS attack detection and defense apparatus and method using packet data
CN108282497B (en) DDoS attack detection method for SDN control plane
CN103795709B (en) Network security detection method and system
CN105141604B (en) A kind of network security threats detection method and system based on trusted service stream
CN108040057B (en) Working method of SDN system suitable for guaranteeing network security and network communication quality
US9130982B2 (en) System and method for real-time reporting of anomalous internet protocol attacks
KR101519623B1 (en) DDoS detection apparatus and method, DDoS detection and prevention apparatus for reducing positive false
CN101505219B (en) Method and protecting apparatus for defending denial of service attack
JP2006279930A (en) Method and device for detecting and blocking unauthorized access
KR20100069410A (en) Sip intrusion detection and response architecture for protecting sip-based services
CN106850637A (en) A kind of anomalous traffic detection method based on flow white list
CN105282152B (en) A kind of method of abnormal traffic detection
US11128670B2 (en) Methods, systems, and computer readable media for dynamically remediating a security system entity
US11190543B2 (en) Method and system for detecting and mitigating a denial of service attack
CN106471778A (en) Attack detecting device, attack detection method and attack detecting program
Udhayan et al. Statistical segregation method to minimize the false detections during ddos attacks.
JP2007179131A (en) Event detection system, management terminal and program, and event detection method
CN108737447A (en) User Datagram Protocol traffic filtering method, apparatus, server and storage medium
CN113810362A (en) Safety risk detection and disposal system and method thereof
CN107864155A (en) A kind of DDOS attack detection method of high-accuracy
CN104021348B (en) Real-time detection method and system of dormant P2P (Peer to Peer) programs
CN107864110A (en) Botnet main control end detection method and device
CN113765849B (en) Abnormal network flow detection method and device
JP2005210601A (en) Intrusion detector
CN106656967A (en) UDP FLOOD attack cleaning method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20170510

Assignee: Guangdong Yaoda Financial Leasing Co., Ltd

Assignor: GUANGDONG EFLYCLOUD COMPUTING Co.,Ltd.

Contract record no.: X2020980005383

Denomination of invention: A cleaning method and system of UDP flood attack

Granted publication date: 20191119

License type: Exclusive License

Record date: 20200826

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A cleaning method and system of UDP flood attack

Effective date of registration: 20200904

Granted publication date: 20191119

Pledgee: Guangdong Yaoda Financial Leasing Co., Ltd

Pledgor: GUANGDONG EFLYCLOUD COMPUTING Co.,Ltd.

Registration number: Y2020980005729
