CN106656967B - A kind of cleaning method and system of UDP FLOOD attack - Google Patents

Info

Publication number: CN106656967B
Application number: CN201610885390.4A
Other versions: CN106656967A
Original language: Chinese (zh)
Inventors: 梁润强, 史伟, 黄劲聪, 关志来, 丘树杰
Assignee: Guangdong Ruijiang Cloud Computing Co Ltd
Legal status: Active

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a cleaning method and system for UDP FLOOD attacks. By counting the message frequency of preset specific ports, the method can accurately identify and filter novel reflection-type attack traffic; by counting the frequency of the true check code of the load contents and taking the first 16 bytes of the load contents as a feature, it can accurately identify traditional UDP attack traffic. On the basis of accurately identifying both new and old UDP traffic, the invention further filters the fragment traffic generated by UDP attacks. Compared with the traditional rate-limiting approach, the invention avoids the performance loss caused by counting message features on a large scale, and copes easily even with traffic of tens of Gbps, greatly improving the cleaning effect. It can be widely applied in UDP attack defense.

Description

A kind of cleaning method and system of UDP FLOOD attack
Technical field
The present invention relates to the field of computer network technology, and in particular to a cleaning method and system for UDP FLOOD attacks.
Background art
A denial of service attack (DoS, Denial of Service) uses a variety of service requests to exhaust the system resources of the attacked network, so that the attacked network can no longer handle the requests of legitimate users. With the rise of botnets, and because the attack method is simple, has a large impact and is hard to trace, distributed denial of service attacks (DDoS, Distributed Denial of Service) have grown rapidly and spread increasingly unchecked. A botnet composed of thousands of hosts provides the bandwidth and hosts required for a DDoS attack, forming a huge attack and network flow that causes great harm to the attacked network.
With the continuous improvement and development of DDoS attack technology, the security and operational challenges faced by operators such as ISPs, ICPs and IDCs keep growing. Operators must detect and clean traffic before a DDoS threat affects key business and applications, to ensure the normal and stable operation of the network and the normal development of business. At the same time, detecting and cleaning DDoS attack traffic can also become a value-added service that operators provide to users, to achieve better user satisfaction.
Among the many DDoS attack modes, UDP_FLOOD causes the greatest harm. A UDP attack tends to produce huge attack traffic, which not only strongly affects the attacked server but may even paralyse the operator's transmission network and cause disastrous losses; UDP FLOOD attack traffic must therefore be cleaned effectively.
There are currently two common cleaning methods for UDP FLOOD attacks: the first limits the rate of UDP messages; the second counts message features and filters the large number of messages that share the same feature.
Both methods have obvious shortcomings. The first, rate limiting, also filters out normal UDP messages: because the attack traffic is huge and the normal traffic comparatively small, the normal traffic may not get through under rate limiting, so this approach only ensures that other adjacent servers are not affected by the attack traffic. The second, filtering messages by their features, first incurs a large performance cost for counting message features, and the accuracy of cleaning depends strongly on how many feature fields are extracted.
The most common UDP FLOOD attacks today are novel reflection-type attacks, whose carried contents are generally fairly random; to handle both new and old UDP FLOOD attacks, counting message features is no longer applicable.
Summary of the invention
To solve the above technical problem, the object of the present invention is to provide a cleaning method and system for UDP FLOOD attacks that can accurately identify and filter UDP attack traffic.
The technical solution adopted by the present invention is:
A cleaning method for UDP FLOOD attacks, comprising the following steps:
A. initializing the preset specific detection ports;
B. when a message is received, judging whether the message is a UDP message; if so, executing step C; otherwise letting the message pass;
C. obtaining the source address, source port, destination port and message check code of the message;
D. calculating the load contents check code of the message from its source address, source port, destination port and message check code;
E. performing traditional UDP attack detection according to the load contents check code of the message; for a message that passes the detection, executing step F; otherwise marking the load contents detection state and executing step G;
F. performing novel reflection-type UDP attack detection on the message according to the preset specific detection ports; for a message that passes the detection, executing step G; otherwise marking the port detection state and then executing step G;
G. judging whether the load contents detection state or the port detection state is marked as needing to filter; if so, discarding the message; otherwise performing mutation UDP attack detection, and executing step H for a message that passes the detection;
H. performing fragment detection on the message, and letting a message that passes the detection through.
As a further improvement of the cleaning method for UDP FLOOD attacks, step E comprises:
E1. performing frequency statistics on the load contents according to the load contents check code of the message, to obtain the load contents frequency;
E2. judging whether the load contents frequency is greater than the preset load contents frequency threshold; if so, marking the load contents detection state as needing to filter and executing step G; otherwise executing step F.
As a further improvement of the cleaning method for UDP FLOOD attacks, step F comprises:
F1. performing message frequency statistics on the preset specific detection ports, to obtain the port message frequency;
F2. judging whether the port message frequency is greater than the preset port frequency threshold; if so, marking the port detection state as needing to filter and executing step G; otherwise executing step G directly.
As a further improvement of the cleaning method for UDP FLOOD attacks, the mutation UDP attack detection specifically is:
judging, from the first 16 bytes of the load contents of the message, whether all of the following conditions hold:
byte 1 = byte 2;
bytes 1-2 = bytes 3-4;
bytes 1-4 = bytes 5-8;
bytes 1-8 = bytes 9-16;
if so, discarding the message; otherwise the message passes the mutation UDP attack detection.
As a further improvement of the cleaning method for UDP FLOOD attacks, step H comprises:
H1. judging whether the message is a fragment; if so, executing step H2; otherwise storing the source address of the message in the clearance record and letting the message pass;
H2. judging whether the source address of the message is in the clearance record; if so, letting the message pass; otherwise discarding the message.
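The following is an added example, not code from the patent, showing in C why the load contents check code of step D (computed as in formula S5 of the embodiment below) does not depend on the source address or the ports. It computes a real RFC 768 UDP checksum for a constructed datagram and then adds the source address, source port and destination port back into it in one's-complement arithmetic. Two datagrams with the same destination and load contents but different spoofed sources produce the same code, and a one-byte change in the load contents produces a different one. The addresses, ports and payloads are constructed sample values; the page's (~0 & 0xffff) terms are one's-complement zeros and are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One's-complement fold of a 32-bit accumulator to 16 bits (end-around carry). */
static uint16_t fold16(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Sum a buffer as big-endian 16-bit words; an odd trailing byte is padded with zero. */
static uint32_t sum_words(const uint8_t *p, size_t len) {
    uint32_t s = 0;
    for (; len > 1; p += 2, len -= 2) s += ((uint32_t)p[0] << 8) | p[1];
    if (len) s += (uint32_t)p[0] << 8;
    return s;
}

/* RFC 768 UDP checksum over the pseudo-header (src, dst, zero/protocol 17, UDP length),
   the UDP header with a zero checksum field, and the payload. Inputs are in host order. */
uint16_t udp_checksum(uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport,
                      const uint8_t *payload, size_t plen) {
    uint16_t ulen = (uint16_t)(8 + plen);
    uint32_t s = (sip >> 16) + (sip & 0xffff) + (dip >> 16) + (dip & 0xffff)
               + 17 + ulen                 /* pseudo-header: protocol and UDP length */
               + sport + dport + ulen      /* UDP header, checksum field taken as 0 */
               + sum_words(payload, plen);
    uint16_t c = (uint16_t)~fold16(s);
    return c ? c : 0xffff;                 /* a computed zero is transmitted as all ones */
}

/* Step S5 of the page: add the source address and both ports back into the check code.
   The checksum is ~(src + sport + dport + R) in one's-complement arithmetic, so adding
   src, sport and dport again leaves ~R, where R covers only the destination address,
   the protocol, the lengths and the load contents. */
uint16_t load_check_code(uint32_t sip, uint16_t sport, uint16_t dport, uint16_t check) {
    return fold16((sip >> 16) + (sip & 0xffff) + sport + dport + check);
}

/* Constructed sample: one target (10.0.0.5, port 53) and two payloads that differ in
   their last byte, as seen from two spoofed sources. */
const uint32_t kTargetIp = 0x0A000005u;                          /* 10.0.0.5 */
const uint8_t  kPayloadA[8] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'};
const uint8_t  kPayloadB[8] = {'A', 'B', 'C', 'D', 'E', 'F', 'G', 'I'};

/* Checksum the datagram as a sender would, then derive the load contents check code. */
uint16_t code_for_source(uint32_t sip, uint16_t sport, const uint8_t *payload, size_t plen) {
    uint16_t check = udp_checksum(sip, kTargetIp, sport, 53, payload, plen);
    return load_check_code(sip, sport, 53, check);
}

int main(void) {
    /* 198.51.100.7:40000 and 203.0.113.99:5123 both send kPayloadA to 10.0.0.5:53 */
    printf("source 1 code   0x%04x\n", code_for_source(0xC6336407u, 40000, kPayloadA, 8));
    printf("source 2 code   0x%04x\n", code_for_source(0xCB007163u, 5123, kPayloadA, 8));
    printf("other payload   0x%04x\n", code_for_source(0xC6336407u, 40000, kPayloadB, 8));
    return 0;
}
```

The two spoofed sources map to the same code even though their raw UDP checksums differ, which is what lets a per-code counter (step E) see one repeated payload behind many random source addresses; a single changed payload byte moves the datagram to a different counter.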
Another technical solution adopted by the present invention is:
A cleaning system for UDP FLOOD attacks, comprising:
a port initialization unit, for initializing the preset specific detection ports;
a UDP judging unit, for judging, when a message is received, whether the message is a UDP message; if so, executing the information acquisition unit; otherwise letting the message pass;
an information acquisition unit, for obtaining the source address, source port, destination port and message check code of the message;
a check code computing unit, for calculating the load contents check code of the message from its source address, source port, destination port and message check code;
a traditional attack detection unit, for performing traditional UDP attack detection according to the load contents check code of the message, executing the reflection-type attack detection unit for a message that passes the detection, and otherwise marking the load contents detection state and executing the filtering judging unit;
a reflection-type attack detection unit, for performing novel reflection-type UDP attack detection on the message according to the preset specific detection ports, executing the filtering judging unit for a message that passes the detection, and otherwise marking the port detection state and then executing the filtering judging unit;
a filtering judging unit, for judging whether the load contents detection state or the port detection state is marked as needing to filter; if so, discarding the message; otherwise performing mutation UDP attack detection and executing the fragment detection unit for a message that passes the detection;
a fragment detection unit, for performing fragment detection on the message and letting a message that passes the detection through.
As a further improvement of the cleaning system for UDP FLOOD attacks, the traditional attack detection unit comprises:
a load contents frequency statistics unit, for performing frequency statistics on the load contents according to the load contents check code of the message, to obtain the load contents frequency;
a load contents frequency judging unit, for judging whether the load contents frequency is greater than the preset load contents frequency threshold; if so, marking the load contents detection state as needing to filter and executing the filtering judging unit; otherwise executing the reflection-type attack detection unit.
As a further improvement of the cleaning system for UDP FLOOD attacks, the reflection-type attack detection unit comprises:
a port message frequency statistics unit, for performing message frequency statistics on the preset specific detection ports, to obtain the port message frequency;
a port message frequency judging unit, for judging whether the port message frequency is greater than the preset port frequency threshold; if so, marking the port detection state as needing to filter and executing the filtering judging unit; otherwise executing the filtering judging unit directly.
As a further improvement of the cleaning system for UDP FLOOD attacks, the mutation UDP attack detection specifically is:
judging, from the first 16 bytes of the load contents of the message, whether all of the following conditions hold:
byte 1 = byte 2;
bytes 1-2 = bytes 3-4;
bytes 1-4 = bytes 5-8;
bytes 1-8 = bytes 9-16;
if so, discarding the message; otherwise the message passes the mutation UDP attack detection.
As a further improvement of the cleaning system for UDP FLOOD attacks, the fragment detection unit comprises:
a fragment judging unit, for judging whether the message is a fragment; if so, executing step H2 (the source address judging unit); otherwise storing the source address of the message in the clearance record and letting the message pass;
a source address judging unit, for judging whether the source address of the message is in the clearance record; if so, letting the message pass; otherwise discarding the message.
The beneficial effects of the present invention are:
By counting the message frequency of preset specific ports, the cleaning method and system for UDP FLOOD attacks of the present invention can accurately identify and filter novel reflection-type attack traffic, and by counting the frequency of the true check code of the load contents and taking the first 16 bytes of the load contents as a feature, they can accurately identify traditional UDP attack traffic. On the basis of accurately identifying both new and old UDP traffic, the invention further filters the fragment traffic generated by UDP attacks. Compared with the traditional rate-limiting approach, the invention avoids the performance loss caused by counting message features on a large scale, and copes easily even with traffic of tens of Gbps, greatly improving the cleaning effect.
Description of the drawings
Specific embodiments of the present invention are further explained below with reference to the accompanying drawings:
Fig. 1 is a flow chart of the steps of the cleaning method for UDP FLOOD attacks of the present invention;
Fig. 2 is a flow chart of the steps of traditional attack detection in the cleaning method for UDP FLOOD attacks of the present invention;
Fig. 3 is a flow chart of the steps of reflection-type attack detection in the cleaning method for UDP FLOOD attacks of the present invention;
Fig. 4 is a flow chart of the steps of fragment detection in the cleaning method for UDP FLOOD attacks of the present invention;
Fig. 5 is a block diagram of the cleaning system for UDP FLOOD attacks of the present invention.
Specific embodiments
With reference to Fig. 1, the cleaning method for UDP FLOOD attacks of the present invention comprises the following steps:
A. initializing the preset specific detection ports;
B. when a message is received, judging whether the message is a UDP message; if so, executing step C; otherwise letting the message pass;
C. obtaining the source address, source port, destination port and message check code of the message;
D. calculating the load contents check code of the message from its source address, source port, destination port and message check code;
E. performing traditional UDP attack detection according to the load contents check code of the message; for a message that passes the detection, executing step F; otherwise marking the load contents detection state and executing step G;
F. performing novel reflection-type UDP attack detection on the message according to the preset specific detection ports; for a message that passes the detection, executing step G; otherwise marking the port detection state and then executing step G;
G. judging whether the load contents detection state or the port detection state is marked as needing to filter; if so, discarding the message; otherwise performing mutation UDP attack detection, and executing step H for a message that passes the detection;
H. performing fragment detection on the message, and letting a message that passes the detection through.
With reference to Fig. 2, as a further preferred embodiment, step E comprises:
E1. performing frequency statistics on the load contents according to the load contents check code of the message, to obtain the load contents frequency;
E2. judging whether the load contents frequency is greater than the preset load contents frequency threshold; if so, marking the load contents detection state as needing to filter and executing step G; otherwise executing step F.
With reference to Fig. 3, as a further preferred embodiment, step F comprises:
F1. performing message frequency statistics on the preset specific detection ports, to obtain the port message frequency;
F2. judging whether the port message frequency is greater than the preset port frequency threshold; if so, marking the port detection state as needing to filter and executing step G; otherwise executing step G directly.
As a further preferred embodiment, the mutation UDP attack detection specifically is:
judging, from the first 16 bytes of the load contents of the message, whether all of the following conditions hold:
byte 1 = byte 2;
bytes 1-2 = bytes 3-4;
bytes 1-4 = bytes 5-8;
bytes 1-8 = bytes 9-16;
if so, discarding the message; otherwise the message passes the mutation UDP attack detection.
With reference to Fig. 4, as a further preferred embodiment, step H comprises:
H1. judging whether the message is a fragment; if so, executing step H2; otherwise storing the source address of the message in the clearance record and letting the message pass;
H2. judging whether the source address of the message is in the clearance record; if so, letting the message pass; otherwise discarding the message.
Since some UDP FLOOD attacks readily produce IP fragments, and IP fragments carry no UDP header fields, the method records the normal source addresses it has let through and uses that record to decide whether to let a fragment message pass, so that UDP FLOOD attack traffic can be cleaned thoroughly.
In the embodiment of the present invention, the preset load contents frequency threshold is set to 100 and the preset port frequency threshold is set to 100; the specific embodiment is then as follows:
S1. establish a global array reply_sport, and initialize the preset specific detection ports by setting reply_sport[port] to 1 for each port in [53, 1900, 123, 19, 520, 5353, 17, 137, 138, 139, 111, 161, 69];
S2. establish the global arrays sport_count, check_count, accept_ip, drop_sport and drop_check;
S3. when a message is received, judge whether the message is a UDP message; if so, execute step S4; otherwise let the message pass;
S4. take out the source address sip, source port sport, destination port dport and check code check of the message;
S5. from the source address, source port, destination port and message check code of the message, calculate as follows the load contents check code of the message with the source address, source port and destination port masked out:

    sum = 0; o1 = sip >> 16; o2 = sip & 0xffff;
    sum += ntohs(o1) + ntohs(o2) + (~ntohs(0) & 0xffff) + (~ntohs(0) & 0xffff);
    sum += ntohs(sport) + (~(0) & 0xffff);
    sum += ntohs(dport) + (~(0) & 0xffff);
    sum += check;
    sum = (sum & 0xffff) + (sum >> 16);

sum is the resulting load contents check code. (The terms (~0 & 0xffff) equal 0xffff, which is zero in one's-complement arithmetic. Because the UDP check code is the one's-complement of a sum that includes the source address and both ports, adding those fields back cancels them, so the result depends only on the remaining fields, namely the destination address, the lengths and the load contents; messages carrying the same load contents from different spoofed source addresses therefore yield the same code.)
S6. according to the load contents check code of the message, perform frequency statistics on the load contents to obtain the load contents frequency check_count[sum], and judge whether check_count[sum] > 100 holds; if so, set the load contents detection state drop_check[check] = 1 and execute step S8; otherwise execute step S7;
S7. judge whether reply_sport[sport] = 1 holds; if so, sport is a preset specific detection port, so increment the port message frequency sport_count[sport]++; if the resulting port message frequency sport_count[sport] > 100, set the port detection state drop_sport[sport] = 1;
S8. if the port detection state drop_sport[sport] or the load contents detection state drop_check[check] is 1, discard the message; otherwise execute step S9;
S9. judge, from the first 16 bytes of the load contents of the message, whether all of the following conditions hold: byte 1 = byte 2, bytes 1-2 = bytes 3-4, bytes 1-4 = bytes 5-8, bytes 1-8 = bytes 9-16; if all four conditions hold, discard the message; otherwise execute step S10;
S10. judge whether the message is a fragment; if it is a fragment and its source address is not in the clearance record, i.e. the release state accept_ip[sip] of the source address is not 1, discard the message; otherwise set the release state accept_ip[sip] of the source address to 1 and let the message pass.
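The following is an added example, not the patent's own implementation, that puts steps S1 to S10 together in C with the thresholds (100) and the port list given above. Fragment handling follows the explanation that IP fragments carry no UDP header: a fragment is judged only against the clearance record. The hash-set size for the clearance record, the treatment of payloads shorter than 16 bytes (they pass the mutation check), indexing the load contents detection state by the load contents check code, and the sample traffic (which synthesises a check field consistent with a fixed load contents code instead of computing a full UDP checksum) are assumptions of this example, and the sample addresses, ports and payloads are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOAD_FREQ_THRESHOLD 100   /* preset load contents frequency threshold from the page */
#define PORT_FREQ_THRESHOLD 100   /* preset port frequency threshold from the page */
#define ACCEPT_SLOTS 4096         /* assumption: size of the clearance-record hash set */

typedef enum { PASS = 0, DROP_LOAD_FREQ, DROP_PORT_FREQ, DROP_MUTATION, DROP_FRAGMENT } verdict_t;

typedef struct {
    bool is_udp, is_fragment;      /* is_fragment: non-first IP fragment, no UDP header present */
    uint32_t sip;                  /* host byte order */
    uint16_t sport, dport, check;  /* host byte order; check = UDP checksum field */
    const uint8_t *payload; size_t plen;
} packet_t;

/* State mirroring the page's global arrays (S1, S2). */
static uint8_t  reply_sport[65536];
static uint32_t sport_count[65536], check_count[65536];
static uint8_t  drop_sport[65536], drop_check[65536];
static uint32_t accept_ip[ACCEPT_SLOTS];   /* open-addressing set of source addresses, 0 = empty */

void cleaner_init(void) {
    static const uint16_t ports[] = {53, 1900, 123, 19, 520, 5353, 17, 137, 138, 139, 111, 161, 69};
    memset(reply_sport, 0, sizeof reply_sport);
    memset(sport_count, 0, sizeof sport_count); memset(check_count, 0, sizeof check_count);
    memset(drop_sport, 0, sizeof drop_sport);   memset(drop_check, 0, sizeof drop_check);
    memset(accept_ip, 0, sizeof accept_ip);
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) reply_sport[ports[i]] = 1;
}

static uint16_t fold16(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }

/* Step S5: add source address and ports back into the UDP checksum so the result depends
   only on the destination address, lengths and load contents (one's-complement cancellation). */
uint16_t load_check_code(uint32_t sip, uint16_t sport, uint16_t dport, uint16_t check) {
    return fold16((sip >> 16) + (sip & 0xffff) + sport + dport + check);
}

/* Clearance record. Assumption: 0.0.0.0 marks an empty slot and the table never fills here. */
static size_t accept_slot(uint32_t sip) {
    size_t i = (sip * 2654435761u) % ACCEPT_SLOTS;
    while (accept_ip[i] != 0 && accept_ip[i] != sip) i = (i + 1) % ACCEPT_SLOTS;
    return i;
}
static bool accept_contains(uint32_t sip) { return accept_ip[accept_slot(sip)] == sip; }
static void accept_insert(uint32_t sip)   { accept_ip[accept_slot(sip)] = sip; }

/* Step S9: the first 16 load bytes are one byte repeated. Assumption: shorter loads pass. */
bool is_mutation_pattern(const uint8_t *p, size_t len) {
    return len >= 16 && p[0] == p[1] && memcmp(p, p + 2, 2) == 0
        && memcmp(p, p + 4, 4) == 0 && memcmp(p, p + 8, 8) == 0;
}

verdict_t clean(const packet_t *pk) {
    if (!pk->is_udp) return PASS;                                                  /* S3 */
    if (pk->is_fragment) return accept_contains(pk->sip) ? PASS : DROP_FRAGMENT;   /* S10 */
    uint16_t code = load_check_code(pk->sip, pk->sport, pk->dport, pk->check);     /* S4, S5 */
    if (++check_count[code] > LOAD_FREQ_THRESHOLD)                                 /* S6 */
        drop_check[code] = 1;
    else if (reply_sport[pk->sport] && ++sport_count[pk->sport] > PORT_FREQ_THRESHOLD)
        drop_sport[pk->sport] = 1;                                                 /* S7 */
    if (drop_check[code]) return DROP_LOAD_FREQ;                                   /* S8 */
    if (drop_sport[pk->sport]) return DROP_PORT_FREQ;
    if (is_mutation_pattern(pk->payload, pk->plen)) return DROP_MUTATION;          /* S9 */
    accept_insert(pk->sip);                                                        /* S10 */
    return PASS;
}

/* Constructed traffic. forge_check() synthesises a checksum field that yields a chosen
   load code for the given source, standing in for a real checksum over a fixed payload. */
static uint16_t forge_check(uint16_t code, uint32_t sip, uint16_t sport, uint16_t dport) {
    uint16_t s = fold16((sip >> 16) + (sip & 0xffff) + sport + dport);
    return fold16((uint32_t)code + (uint16_t)~s);
}

/* 150 datagrams with one load code from 150 spoofed sources; returns how many passed. */
int demo_payload_flood(void) {
    static const uint8_t body[8] = "abcdefgh";
    int passed = 0;
    cleaner_init();
    for (uint32_t i = 0; i < 150; i++) {
        packet_t pk = { true, false, 0xC0A80001u + i, (uint16_t)(20000 + i), 80, 0, body, sizeof body };
        pk.check = forge_check(0x1234, pk.sip, pk.sport, pk.dport);
        passed += clean(&pk) == PASS;
    }
    return passed;
}

/* 150 datagrams from source port 53 with varying contents; returns how many passed. */
int demo_reflection_flood(void) {
    static const uint8_t body[8] = "abcdefgh";
    int passed = 0;
    cleaner_init();
    for (uint32_t i = 0; i < 150; i++) {
        packet_t pk = { true, false, 0x0A000001u + i, 53, 33000, (uint16_t)(i * 7), body, sizeof body };
        passed += clean(&pk) == PASS;
    }
    return passed;
}

/* A repeated-byte load is dropped; a fragment passes only after a full datagram from its source. */
verdict_t demo_mutation(void) {
    static const uint8_t body[16] = "AAAAAAAAAAAAAAAA";
    packet_t pk = { true, false, 0x0A000001u, 40000, 80, 0x1111, body, sizeof body };
    cleaner_init();
    return clean(&pk);
}
int demo_fragment(void) {
    static const uint8_t body[8] = "abcdefgh";
    packet_t frag = { true, true, 0x0A000002u, 0, 0, 0, body, sizeof body };
    packet_t full = { true, false, 0x0A000002u, 40000, 80, 0x2222, body, sizeof body };
    cleaner_init();
    verdict_t before = clean(&frag);
    clean(&full);
    return before == DROP_FRAGMENT && clean(&frag) == PASS;
}

int main(void) {
    printf("payload flood: %d of 150 passed\n", demo_payload_flood());
    printf("reflection flood: %d of 150 passed\n", demo_reflection_flood());
    printf("repeated-byte load verdict: %d\n", (int)demo_mutation());
    printf("fragment gating works: %d\n", demo_fragment());
    return 0;
}
```

In both floods exactly the first 100 datagrams pass, because the counter that trips (check_count for the fixed load code, sport_count[53] for the reflection case) has to exceed the threshold before the corresponding drop state is set; once set, every later datagram hitting that code or port is discarded at S8 without further feature work, which is the cheap steady state the page contrasts with per-message feature counting.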
With reference to Fig. 5, the cleaning system for UDP FLOOD attacks of the present invention comprises:
a port initialization unit, for initializing the preset specific detection ports;
a UDP judging unit, for judging, when a message is received, whether the message is a UDP message; if so, executing the information acquisition unit; otherwise letting the message pass;
an information acquisition unit, for obtaining the source address, source port, destination port and message check code of the message;
a check code computing unit, for calculating the load contents check code of the message from its source address, source port, destination port and message check code;
a traditional attack detection unit, for performing traditional UDP attack detection according to the load contents check code of the message, executing the reflection-type attack detection unit for a message that passes the detection, and otherwise marking the load contents detection state and executing the filtering judging unit;
a reflection-type attack detection unit, for performing novel reflection-type UDP attack detection on the message according to the preset specific detection ports, executing the filtering judging unit for a message that passes the detection, and otherwise marking the port detection state and then executing the filtering judging unit;
a filtering judging unit, for judging whether the load contents detection state or the port detection state is marked as needing to filter; if so, discarding the message; otherwise performing mutation UDP attack detection and executing the fragment detection unit for a message that passes the detection;
a fragment detection unit, for performing fragment detection on the message and letting a message that passes the detection through.
As a further preferred embodiment, the traditional attack detection unit comprises:
a load contents frequency statistics unit, for performing frequency statistics on the load contents according to the load contents check code of the message, to obtain the load contents frequency;
a load contents frequency judging unit, for judging whether the load contents frequency is greater than the preset load contents frequency threshold; if so, marking the load contents detection state as needing to filter and executing the filtering judging unit; otherwise executing the reflection-type attack detection unit.
As a further preferred embodiment, the reflection-type attack detection unit comprises:
a port message frequency statistics unit, for performing message frequency statistics on the preset specific detection ports, to obtain the port message frequency;
a port message frequency judging unit, for judging whether the port message frequency is greater than the preset port frequency threshold; if so, marking the port detection state as needing to filter and executing the filtering judging unit; otherwise executing the filtering judging unit directly.
As a further preferred embodiment, the mutation UDP attack detection specifically is:
judging, from the first 16 bytes of the load contents of the message, whether all of the following conditions hold:
byte 1 = byte 2;
bytes 1-2 = bytes 3-4;
bytes 1-4 = bytes 5-8;
bytes 1-8 = bytes 9-16;
if so, discarding the message; otherwise the message passes the mutation UDP attack detection.
As a further preferred embodiment, the fragment detection unit comprises:
a fragment judging unit, for judging whether the message is a fragment; if so, executing step H2 (the source address judging unit); otherwise storing the source address of the message in the clearance record and letting the message pass;
a source address judging unit, for judging whether the source address of the message is in the clearance record; if so, letting the message pass; otherwise discarding the message.
From the above it can be seen that, by counting the message frequency of preset specific ports, the cleaning method and system for UDP FLOOD attacks of the present invention can accurately identify and filter novel reflection-type attack traffic, and by counting the frequency of the true check code of the load contents and taking the first 16 bytes of the load contents as a feature, they can accurately identify traditional UDP attack traffic. On the basis of accurately identifying both new and old UDP traffic, the invention further filters the fragment traffic generated by UDP attacks. Compared with the traditional rate-limiting approach, the invention avoids the performance loss caused by counting message features on a large scale, and copes easily even with traffic of tens of Gbps, greatly improving the cleaning effect.
The above is a description of preferred embodiments of the invention, but the invention is not limited to these embodiments; those skilled in the art can make various equivalent variations or substitutions without departing from the spirit of the invention, and such equivalent variations or substitutions are all included within the scope defined by the claims of this application.

Claims (4)

1. A cleaning method for UDP FLOOD attacks, characterized by comprising the following steps:
A. initializing the preset specific detection ports;
B. when a message is received, judging whether the message is a UDP message; if so, executing step C; otherwise letting the message pass;
C. obtaining the source address, source port, destination port and message check code of the message;
D. calculating the load contents check code of the message from its source address, source port, destination port and message check code;
E. performing traditional UDP attack detection according to the load contents check code of the message; for a message that passes the detection, executing step F; otherwise marking the load contents detection state and executing step G;
F. performing novel reflection-type UDP attack detection on the message according to the preset specific detection ports; for a message that passes the detection, executing step G; otherwise marking the port detection state and then executing step G;
G. judging whether the load contents detection state or the port detection state is marked as needing to filter; if so, discarding the message; otherwise performing mutation UDP attack detection, and executing step H for a message that passes the detection;
H. performing fragment detection on the message, and letting a message that passes the detection through;
step E comprises:
E1. performing frequency statistics on the load contents according to the load contents check code of the message, to obtain the load contents frequency;
E2. judging whether the load contents frequency is greater than the preset load contents frequency threshold; if so, marking the load contents detection state as needing to filter and executing step G; otherwise executing step F;
step F comprises:
F1. performing message frequency statistics on the preset specific detection ports, to obtain the port message frequency;
F2. judging whether the port message frequency is greater than the preset port frequency threshold; if so, marking the port detection state as needing to filter and executing step G; otherwise executing step G directly;
the mutation UDP attack detection specifically is:
judging, from the first 16 bytes of the load contents of the message, whether all of the following conditions hold:
byte 1 = byte 2;
bytes 1-2 = bytes 3-4;
bytes 1-4 = bytes 5-8;
bytes 1-8 = bytes 9-16;
if so, discarding the message; otherwise the message passes the mutation UDP attack detection.
2. The cleaning method for UDP FLOOD attacks according to claim 1, characterized in that step H comprises:
H1. judging whether the message is a fragment; if so, executing step H2; otherwise storing the source address of the message in the clearance record and letting the message pass;
H2. judging whether the source address of the message is in the clearance record; if so, letting the message pass; otherwise discarding the message.
3. A cleaning system for a UDP FLOOD attack, characterized by comprising: a port initialization unit, for initializing the preset particular detection ports;
a UDP judging unit, for judging, when a message is received, whether the type of the message is UDP; if so, executing the information acquisition unit; otherwise, letting the message pass; an information acquisition unit, for obtaining the source address, source port, target port and message checksum of the message;
a checksum computing unit, for computing the load contents checksum of the message from the source address, source port, target port and message checksum of the message;
a traditional attack detecting unit, for carrying out traditional UDP attack detection according to the load contents checksum of the message, and executing the reflection-type attack detecting unit on a message that passes the detection; otherwise, marking the load contents detecting state and executing the filtering judging unit;
a reflection-type attack detecting unit, for carrying out novel reflective UDP attack detection on the message according to the preset particular detection ports, and executing the filtering judging unit on a message that passes the detection; otherwise, marking the port detecting state and then executing the filtering judging unit; a filtering judging unit, for judging whether the load contents detecting state or the port detecting state is "needs filtering"; if so, discarding the message; otherwise, carrying out mutation UDP attack detection, and executing the fragment detection unit on a message that passes the detection;
a fragment detection unit, for carrying out fragment detection on the message, and letting pass a message that passes the detection;
the traditional attack detecting unit comprises:
a load contents frequency statistics unit, for carrying out frequency statistics on the load contents according to the load contents checksum of the message, obtaining a load contents frequency;
a load contents frequency judging unit, for judging whether the load contents frequency is greater than a preset load contents frequency threshold; if so, marking the load contents detecting state as "needs filtering" and executing the filtering judging unit; otherwise, executing the reflection-type attack detecting unit;
the reflection-type attack detecting unit comprises:
a port message frequency statistics unit, for carrying out message frequency statistics on the preset particular detection ports, obtaining a port message frequency;
a port message frequency judging unit, for judging whether the port message frequency is greater than a preset port frequency threshold; if so, marking the port detecting state as "needs filtering" and executing the filtering judging unit; otherwise, directly executing the filtering judging unit;
the mutation UDP attack detection specifically is:
according to the first 16 bytes of the load contents of the message, judging whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1~2 = bytes 3~4;
bytes 1~4 = bytes 5~8;
bytes 1~8 = bytes 9~16;
if so, discarding the message; otherwise, the message passes the mutation UDP attack detection.
4. The cleaning system for a UDP FLOOD attack according to claim 3, characterized in that the fragment detection unit comprises:
a fragment judging unit, for judging whether the type of the message is fragment; if so, executing step H2; otherwise, storing the source address of the message in the pass-through record and letting the message pass;
a source address judging unit, for judging whether the source address of the message is in the pass-through record;
if so, letting the message pass; otherwise, discarding the message.
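The mutation UDP attack test of claim 3 and the fragment test of claims 2 and 4, as an added example that is not code from the patent; the `UdpMessage` representation, the verdict strings and the handling of payloads shorter than 16 bytes are assumptions made for illustration.

```python
# Added example, not the patent's own code. Implements the per-message
# "mutation UDP attack" test (first 16 payload bytes) and the fragment test
# against a pass-through record. UdpMessage is an assumed representation.
from dataclasses import dataclass, field


@dataclass
class UdpMessage:
    src_addr: str
    is_fragment: bool   # True when the message is a fragment
    payload: bytes      # load contents of the message


def is_mutation_attack(payload: bytes) -> bool:
    """All four conditions of claim 3 on the first 16 load bytes:
    byte1 == byte2, bytes1-2 == bytes3-4, bytes1-4 == bytes5-8,
    bytes1-8 == bytes9-16. Together they mean one value repeated 16 times.
    A payload shorter than 16 bytes is treated as passing (assumption; the
    claim defines no shorter case)."""
    p = payload[:16]
    if len(p) < 16:
        return False
    return (p[0] == p[1] and p[0:2] == p[2:4]
            and p[0:4] == p[4:8] and p[0:8] == p[8:16])


@dataclass
class FragmentFilter:
    """Fragment detection of claims 2 and 4 (steps H1 and H2)."""
    passed: set = field(default_factory=set)   # the pass-through record

    def check(self, msg: UdpMessage) -> str:
        # H1: a non-fragment message is recorded by source address and passed.
        if not msg.is_fragment:
            self.passed.add(msg.src_addr)
            return "pass"
        # H2: a fragment passes only if its source is already in the record.
        return "pass" if msg.src_addr in self.passed else "drop"


def clean(messages, frag=None):
    """Apply the mutation test, then fragment detection on survivors,
    in the order claim 3 gives; returns one verdict per message."""
    frag = frag or FragmentFilter()
    verdicts = []
    for m in messages:
        if is_mutation_attack(m.payload):
            verdicts.append("drop")
        else:
            verdicts.append(frag.check(m))
    return verdicts
```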
CN201610885390.4A 2016-10-09 2016-10-09 A kind of cleaning method and system of UDP FLOOD attack Active CN106656967B (en)


Publications (2)

Publication Number Publication Date
CN106656967A CN106656967A (en) 2017-05-10
CN106656967B true CN106656967B (en) 2019-11-19

Family

ID=58853844


Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109194680B (en) * 2018-09-27 2021-02-12 腾讯科技(深圳)有限公司 Network attack identification method, device and equipment


Also Published As

Publication number Publication date
CN106656967A (en) 2017-05-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20170510

Assignee: Guangdong Yaoda Financial Leasing Co., Ltd

Assignor: GUANGDONG EFLYCLOUD COMPUTING Co.,Ltd.

Contract record no.: X2020980005383

Denomination of invention: A cleaning method and system of UDP flood attack

Granted publication date: 20191119

License type: Exclusive License

Record date: 20200826

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A cleaning method and system of UDP flood attack

Effective date of registration: 20200904

Granted publication date: 20191119

Pledgee: Guangdong Yaoda Financial Leasing Co., Ltd

Pledgor: GUANGDONG EFLYCLOUD COMPUTING Co.,Ltd.

Registration number: Y2020980005729