Summary of the invention
To solve the technical problem described above, the object of the present invention is to provide a cleaning method and system for UDP FLOOD attacks that can accurately find and filter UDP attack traffic.
The technical solution adopted by the present invention is:
A cleaning method for UDP FLOOD attacks, comprising the following steps:
A. Initialize the preset specific detection ports;
B. When a packet is received, judge whether the packet type is UDP; if so, perform step C; otherwise, let the packet through;
C. Obtain the source address, source port, destination port and checksum of the packet;
D. From the source address, source port, destination port and checksum of the packet, calculate the payload check code of the packet;
E. Perform traditional UDP attack detection according to the payload check code of the packet; for a packet that passes detection, perform step F; otherwise, mark the payload detection state and perform step G;
F. Perform new-type reflection UDP attack detection on the packet according to the preset specific detection ports; for a packet that passes detection, perform step G; otherwise, mark the port detection state and then perform step G;
G. Judge whether the payload detection state or the port detection state is "needs filtering"; if so, discard the packet; otherwise, perform variant UDP attack detection, and for a packet that passes detection perform step H;
H. Perform fragment detection on the packet, and let a packet that passes detection through.
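Step D relies on the fact that the UDP checksum is a one's-complement sum that already covers the source address, both ports and the payload, so adding those header fields back in cancels them. The following C program is an added example, not code from the patent: it builds a standard RFC 768 UDP checksum (which the patent does not show), applies the step-D cancellation, and shows that two constructed packets carrying the same payload from different sources yield the same payload check code while a different payload yields a different one. All inputs are host byte order, and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>

/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is
 * padded with a zero byte, as the checksum specification requires. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; len -= 2, p += 2) sum += (uint32_t)p[0] << 8 | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold all carries back into 16 bits (a single fold is not always enough). */
static uint16_t fold16(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* RFC 768 UDP checksum: pseudo-header (addresses, protocol 17, UDP length),
 * UDP header with the checksum field taken as zero, then the payload.
 * All inputs are host byte order, so the patent's ntohs() calls are not needed. */
uint16_t udp_checksum(uint32_t sip, uint32_t dip, uint16_t sport, uint16_t dport,
                      const uint8_t *payload, size_t len) {
    uint32_t udplen = 8 + (uint32_t)len;
    uint32_t sum = (sip >> 16) + (sip & 0xffff) + (dip >> 16) + (dip & 0xffff)
                 + 17 + udplen                 /* pseudo-header */
                 + sport + dport + udplen;     /* UDP header, checksum field = 0 */
    uint16_t c = (uint16_t)~fold16(ones_sum(payload, len, sum));
    return c ? c : 0xffff;                     /* a zero result is sent as 0xffff */
}

/* Step D (S5) of the patent: add the source address and both ports back into
 * the checksum. Because check = ~(sip + sport + dport + rest) in one's
 * complement arithmetic, the folded sum equals ~rest, so the result depends
 * only on the destination address, UDP length and payload. The 0xffff terms
 * of the patent's formula are one's-complement zeros and are omitted here. */
uint16_t payload_check_code(uint32_t sip, uint16_t sport, uint16_t dport, uint16_t check) {
    return fold16((sip >> 16) + (sip & 0xffff) + sport + dport + check);
}
```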
As a further improvement of the cleaning method for UDP FLOOD attacks, step E comprises:
E1. According to the payload check code of the packet, perform frequency statistics on the payload content to obtain the payload frequency;
E2. Judge whether the payload frequency is greater than the preset payload frequency threshold; if so, mark the payload detection state as "needs filtering" and perform step G; otherwise, perform step F.
As a further improvement of the cleaning method for UDP FLOOD attacks, step F comprises:
F1. Perform packet frequency statistics on the preset specific detection ports to obtain the port packet frequency;
F2. Judge whether the port packet frequency is greater than the preset port frequency threshold; if so, mark the port detection state as "needs filtering" and perform step G; otherwise, perform step G directly.
As a further improvement of the cleaning method for UDP FLOOD attacks, the variant UDP attack detection is specifically:
According to the first 16 bytes of the payload of the packet, judge whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1 to 2 = bytes 3 to 4;
bytes 1 to 4 = bytes 5 to 8;
bytes 1 to 8 = bytes 9 to 16;
If so, discard the packet; otherwise, the packet passes variant UDP attack detection.
As a further improvement of the cleaning method for UDP FLOOD attacks, step H comprises:
H1. Judge whether the packet type is fragment; if so, perform step H2; otherwise, store the source address of the packet in the pass record and let the packet through;
H2. Judge whether the source address of the packet is in the pass record; if so, let the packet through; otherwise, discard the packet.
Another technical solution of the present invention is:
A cleaning system for UDP FLOOD attacks, comprising:
a port initialization unit, for initializing the preset specific detection ports;
a UDP judging unit, for judging, when a packet is received, whether the packet type is UDP; if so, the information acquisition unit is executed; otherwise, the packet is let through;
an information acquisition unit, for obtaining the source address, source port, destination port and checksum of the packet;
a check code computing unit, for calculating the payload check code of the packet from its source address, source port, destination port and checksum;
a traditional attack detection unit, for performing traditional UDP attack detection according to the payload check code of the packet; for a packet that passes detection the reflection attack detection unit is executed; otherwise, the payload detection state is marked and the filtering judging unit is executed;
a reflection attack detection unit, for performing new-type reflection UDP attack detection on the packet according to the preset specific detection ports; for a packet that passes detection the filtering judging unit is executed; otherwise, the port detection state is marked and then the filtering judging unit is executed;
a filtering judging unit, for judging whether the payload detection state or the port detection state is "needs filtering"; if so, the packet is discarded; otherwise, variant UDP attack detection is performed, and for a packet that passes detection the fragment detection unit is executed;
a fragment detection unit, for performing fragment detection on the packet and letting a packet that passes detection through.
As a further improvement of the cleaning system for UDP FLOOD attacks, the traditional attack detection unit comprises:
a payload frequency statistics unit, for performing frequency statistics on the payload content according to the payload check code of the packet, to obtain the payload frequency;
a payload frequency judging unit, for judging whether the payload frequency is greater than the preset payload frequency threshold; if so, the payload detection state is marked as "needs filtering" and the filtering judging unit is executed; otherwise, the reflection attack detection unit is executed.
As a further improvement of the cleaning system for UDP FLOOD attacks, the reflection attack detection unit comprises:
a port packet frequency statistics unit, for performing packet frequency statistics on the preset specific detection ports to obtain the port packet frequency;
a port packet frequency judging unit, for judging whether the port packet frequency is greater than the preset port frequency threshold; if so, the port detection state is marked as "needs filtering" and the filtering judging unit is executed; otherwise, the filtering judging unit is executed directly.
As a further improvement of the cleaning system for UDP FLOOD attacks, the variant UDP attack detection is specifically:
According to the first 16 bytes of the payload of the packet, judge whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1 to 2 = bytes 3 to 4;
bytes 1 to 4 = bytes 5 to 8;
bytes 1 to 8 = bytes 9 to 16;
If so, discard the packet; otherwise, the packet passes variant UDP attack detection.
As a further improvement of the cleaning system for UDP FLOOD attacks, the fragment detection unit comprises:
a fragment judging unit, for judging whether the packet type is fragment; if so, step H2 is performed; otherwise, the source address of the packet is stored in the pass record and the packet is let through;
a source address judging unit, for judging whether the source address of the packet is in the pass record; if so, the packet is let through; otherwise, the packet is discarded.
The beneficial effects of the present invention are:
The cleaning method and system for UDP FLOOD attacks of the present invention, by counting the port packet frequency of the preset specific ports, can accurately find and filter new-type reflection attack traffic, and, by counting the frequency of the true check code of the payload content and taking the first 16 bytes of the payload as a feature, can accurately identify traditional UDP attack traffic. On the basis of accurately identifying both new and old UDP attack traffic, the present invention further filters the fragment traffic generated by UDP attacks. Compared with the traditional rate-limiting approach, the present invention avoids the performance loss caused by computing packet features in large quantities, and can cope easily even with traffic of tens of Gbps, greatly improving the cleaning effect.
Specific embodiment
With reference to Fig. 1, a cleaning method for UDP FLOOD attacks of the present invention comprises the following steps:
A. Initialize the preset specific detection ports;
B. When a packet is received, judge whether the packet type is UDP; if so, perform step C; otherwise, let the packet through;
C. Obtain the source address, source port, destination port and checksum of the packet;
D. From the source address, source port, destination port and checksum of the packet, calculate the payload check code of the packet;
E. Perform traditional UDP attack detection according to the payload check code of the packet; for a packet that passes detection, perform step F; otherwise, mark the payload detection state and perform step G;
F. Perform new-type reflection UDP attack detection on the packet according to the preset specific detection ports; for a packet that passes detection, perform step G; otherwise, mark the port detection state and then perform step G;
G. Judge whether the payload detection state or the port detection state is "needs filtering"; if so, discard the packet; otherwise, perform variant UDP attack detection, and for a packet that passes detection perform step H;
H. Perform fragment detection on the packet, and let a packet that passes detection through.
With reference to Fig. 2, as a further preferred embodiment, step E comprises:
E1. According to the payload check code of the packet, perform frequency statistics on the payload content to obtain the payload frequency;
E2. Judge whether the payload frequency is greater than the preset payload frequency threshold; if so, mark the payload detection state as "needs filtering" and perform step G; otherwise, perform step F.
With reference to Fig. 3, as a further preferred embodiment, step F comprises:
F1. Perform packet frequency statistics on the preset specific detection ports to obtain the port packet frequency;
F2. Judge whether the port packet frequency is greater than the preset port frequency threshold; if so, mark the port detection state as "needs filtering" and perform step G; otherwise, perform step G directly.
As a further preferred embodiment, the variant UDP attack detection is specifically:
According to the first 16 bytes of the payload of the packet, judge whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1 to 2 = bytes 3 to 4;
bytes 1 to 4 = bytes 5 to 8;
bytes 1 to 8 = bytes 9 to 16;
If so, discard the packet; otherwise, the packet passes variant UDP attack detection.
With reference to Fig. 4, as a further preferred embodiment, step H comprises:
H1. Judge whether the packet type is fragment; if so, perform step H2; otherwise, store the source address of the packet in the pass record and let the packet through;
H2. Judge whether the source address of the packet is in the pass record; if so, let the packet through; otherwise, discard the packet.
Here, because some UDP FLOOD attacks readily produce IP fragments, and an IP fragment carries no UDP header fields, this method records the source addresses of the normal packets it lets through and uses that record to decide whether a fragment packet may pass, so as to achieve the purpose of thoroughly cleaning UDP FLOOD attack traffic.
In the embodiment of the present invention, the preset payload frequency threshold is set to 100 and the preset port frequency threshold is set to 100; the specific embodiment is then as follows:
S1. Create the global array reply_sport, and initialize the preset specific detection ports by setting reply_sport[53, 1900, 123, 19, 520, 5353, 17, 137, 138, 139, 111, 161, 69] to the value 1;
S2. Create the global arrays sport_count, check_count, accept_ip, drop_sport and drop_check;
S3. When a packet is received, judge whether the packet type is UDP; if so, perform step S4; otherwise, let the packet through;
S4. Extract the source address sip, source port sport, destination port dport and checksum check of the packet;
S5. From the source address, source port, destination port and checksum of the packet, calculate as follows the payload check code of the packet with the source address, source port and destination port masked out:
    sum = 0; o1 = sip >> 16; o2 = sip & 0xffff;                        /* split the 32-bit source address into two 16-bit words */
    sum += (ntohs(o1) + ntohs(o2) + (~ntohs(0) & 0xffff) + (~ntohs(0) & 0xffff));  /* each (~0 & 0xffff) term equals 0xffff, a one's-complement zero */
    sum += (ntohs(sport) + (~(0) & 0xffff));
    sum += (ntohs(dport) + (~(0) & 0xffff));
    sum += check;                                                      /* the checksum already contains ~(sip + sport + dport + payload ...) */
    sum = (sum & 0xffff) + (sum >> 16);                                /* fold the carry back into 16 bits */
    sum = (sum & 0xffff) + (sum >> 16);                                /* second fold: the first fold can itself produce a carry */
sum is the payload check code finally obtained;
S6. According to the payload check code of the packet, perform frequency statistics on the payload content to obtain the payload frequency check_count[sum], and judge whether check_count[sum] > 100 holds; if so, set the payload detection state drop_check[check] = 1 and perform step S8; otherwise, perform step S7;
S7. Judge whether reply_sport[sport] = 1 holds; if so, the source port is a preset specific detection port, so increment the port packet frequency sport_count[sport]++; if the resulting port packet frequency sport_count[sport] > 100, set the port detection state drop_sport[sport] = 1;
S8. If the port detection state drop_sport[sport] or the payload detection state drop_check[check] is 1, discard the packet; otherwise, perform step S9;
S9. According to the first 16 bytes of the payload of the packet, judge whether all of the following conditions are satisfied: byte 1 = byte 2, bytes 1 to 2 = bytes 3 to 4, bytes 1 to 4 = bytes 5 to 8, bytes 1 to 8 = bytes 9 to 16; if all four conditions are satisfied, discard the packet; otherwise, perform step S10;
S10. Judge whether the packet type is fragment and the source address of the packet is not in the pass record, i.e. the release status accept_ip[sip] of the source address is not 1; if so, discard the packet; otherwise, set the release status accept_ip[sip] of the source address to 1 and let the packet through.
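The S1 to S10 procedure above, including the four variant-detection conditions of step S9 and the fragment pass record of step S10, written as one C classifier. This is an added example rather than the patent's code: both thresholds are the embodiment's 100, reply_sport is initialised with the embodiment's port list, the pass record accept_ip is modelled as a small direct-mapped table keyed by source address (an assumption, since a full per-address array is impractical), and the payload detection flag is keyed by the payload check code sum, as step E2 describes, rather than by the raw checksum check as step S6 literally writes. All inputs are host byte order; the caller has already done step S3 and passes zeros for the UDP header fields of a fragment that carries none. Function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define THRESHOLD  100     /* payload and port frequency thresholds of the embodiment */
#define IP_BUCKETS 4096    /* assumption: pass record as a small direct-mapped table */
enum verdict { PASS = 0, DROP = 1 };

static uint8_t  reply_sport[65536];     /* S1: 1 marks a preset detection port */
static uint32_t sport_count[65536];     /* S7: packets seen per detection port */
static uint32_t check_count[65536];     /* S6: packets seen per payload check code */
static uint8_t  drop_sport[65536];      /* port detection state */
static uint8_t  drop_check[65536];      /* payload detection state (keyed by sum) */
static uint32_t accept_ip[IP_BUCKETS];  /* S10 pass record: source IP let through */

/* S1 and S2: create the global state and mark the preset detection ports. */
void udp_clean_init(void) {
    static const uint16_t ports[] = {53, 1900, 123, 19, 520, 5353, 17,
                                     137, 138, 139, 111, 161, 69};
    memset(reply_sport, 0, sizeof reply_sport); memset(sport_count, 0, sizeof sport_count);
    memset(check_count, 0, sizeof check_count); memset(drop_sport, 0, sizeof drop_sport);
    memset(drop_check, 0, sizeof drop_check);   memset(accept_ip, 0, sizeof accept_ip);
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) reply_sport[ports[i]] = 1;
}

/* S5: add the source address and both ports back into the UDP checksum so that
 * their contribution cancels, leaving a value that depends only on the rest of
 * the packet (destination, length, payload). Carries are folded until none remain. */
uint16_t payload_check_code(uint32_t sip, uint16_t sport, uint16_t dport, uint16_t check) {
    uint32_t sum = (sip >> 16) + (sip & 0xffff) + sport + dport + check;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* S9: the four doubling conditions on the first 16 payload bytes; a payload
 * shorter than 16 bytes cannot satisfy them and is therefore not a variant. */
static int is_variant_payload(const uint8_t *p, size_t len) {
    return len >= 16 && p[0] == p[1] && memcmp(p, p + 2, 2) == 0 &&
           memcmp(p, p + 4, 4) == 0 && memcmp(p, p + 8, 8) == 0;
}

/* S4 to S10 for one packet already known to be UDP (S3 is the caller's job). */
enum verdict udp_clean(uint32_t sip, uint16_t sport, uint16_t dport, uint16_t check,
                       int is_fragment, const uint8_t *payload, size_t len) {
    uint16_t sum = payload_check_code(sip, sport, dport, check);           /* S5 */
    if (++check_count[sum] > THRESHOLD)                                    /* S6 */
        drop_check[sum] = 1;
    else if (reply_sport[sport] && ++sport_count[sport] > THRESHOLD)       /* S7 */
        drop_sport[sport] = 1;
    if (drop_sport[sport] || drop_check[sum]) return DROP;                 /* S8 */
    if (is_variant_payload(payload, len)) return DROP;                     /* S9 */
    uint32_t *slot = &accept_ip[(sip * 2654435761u) >> 20];                /* S10 */
    if (is_fragment) return *slot == sip ? PASS : DROP;  /* fragment: known sources only */
    *slot = sip;                                         /* normal packet: record and pass */
    return PASS;
}
```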
With reference to Fig. 5, a cleaning system for UDP FLOOD attacks of the present invention comprises:
a port initialization unit, for initializing the preset specific detection ports;
a UDP judging unit, for judging, when a packet is received, whether the packet type is UDP; if so, the information acquisition unit is executed; otherwise, the packet is let through;
an information acquisition unit, for obtaining the source address, source port, destination port and checksum of the packet;
a check code computing unit, for calculating the payload check code of the packet from its source address, source port, destination port and checksum;
a traditional attack detection unit, for performing traditional UDP attack detection according to the payload check code of the packet; for a packet that passes detection the reflection attack detection unit is executed; otherwise, the payload detection state is marked and the filtering judging unit is executed;
a reflection attack detection unit, for performing new-type reflection UDP attack detection on the packet according to the preset specific detection ports; for a packet that passes detection the filtering judging unit is executed; otherwise, the port detection state is marked and then the filtering judging unit is executed;
a filtering judging unit, for judging whether the payload detection state or the port detection state is "needs filtering"; if so, the packet is discarded; otherwise, variant UDP attack detection is performed, and for a packet that passes detection the fragment detection unit is executed;
a fragment detection unit, for performing fragment detection on the packet and letting a packet that passes detection through.
As a further preferred embodiment, the traditional attack detection unit comprises:
a payload frequency statistics unit, for performing frequency statistics on the payload content according to the payload check code of the packet, to obtain the payload frequency;
a payload frequency judging unit, for judging whether the payload frequency is greater than the preset payload frequency threshold; if so, the payload detection state is marked as "needs filtering" and the filtering judging unit is executed; otherwise, the reflection attack detection unit is executed.
As a further preferred embodiment, the reflection attack detection unit comprises:
a port packet frequency statistics unit, for performing packet frequency statistics on the preset specific detection ports to obtain the port packet frequency;
a port packet frequency judging unit, for judging whether the port packet frequency is greater than the preset port frequency threshold; if so, the port detection state is marked as "needs filtering" and the filtering judging unit is executed; otherwise, the filtering judging unit is executed directly.
As a further preferred embodiment, the variant UDP attack detection is specifically:
According to the first 16 bytes of the payload of the packet, judge whether all of the following conditions are satisfied:
byte 1 = byte 2;
bytes 1 to 2 = bytes 3 to 4;
bytes 1 to 4 = bytes 5 to 8;
bytes 1 to 8 = bytes 9 to 16;
If so, discard the packet; otherwise, the packet passes variant UDP attack detection.
As a further preferred embodiment, the fragment detection unit comprises:
a fragment judging unit, for judging whether the packet type is fragment; if so, step H2 is performed; otherwise, the source address of the packet is stored in the pass record and the packet is let through;
a source address judging unit, for judging whether the source address of the packet is in the pass record; if so, the packet is let through; otherwise, the packet is discarded.
From the foregoing it can be seen that the cleaning method and system for UDP FLOOD attacks of the present invention, by counting the port packet frequency of the preset specific ports, can accurately find and filter new-type reflection attack traffic, and, by counting the frequency of the true check code of the payload content and taking the first 16 bytes of the payload as a feature, can accurately identify traditional UDP attack traffic. On the basis of accurately identifying both new and old UDP attack traffic, the present invention further filters the fragment traffic generated by UDP attacks. Compared with the traditional rate-limiting approach, the present invention avoids the performance loss caused by computing packet features in large quantities, and can cope easily even with traffic of tens of Gbps, greatly improving the cleaning effect.
The above is a description of the preferred embodiments of the present invention, but the invention is not limited to the embodiments above; those skilled in the art can also make various equivalent variations or replacements without departing from the spirit of the invention, and these equivalent variations or replacements are all included within the scope defined by the claims of the present application.