CN106899608A - A kind of method and device of the attack purpose IP for determining DDOS attack - Google Patents

Method and device for determining the attack destination IPs of a DDoS attack

Info

Publication number: CN106899608A
Application number: CN201710170344.0A
Authority: CN (China)
Prior art keywords: flow, attack, abnormal, sorted lists, ddos
Prior art date:
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventor: 佟立超
Current Assignee: Hangzhou DPTech Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date:
Publication date:
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201710170344.0A
Publication of CN106899608A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application provides a method and device for determining the attack destination IPs of a DDoS attack. The method includes: obtaining a flow sorted list, which includes a target source IP, several destination IPs and the flows between the target source IP and each destination IP, with the flows sorted by size; multiplying the total flow size by a preset coefficient to obtain an abnormal-flow threshold; judging whether the maximum flow in the flow sorted list is less than the abnormal-flow threshold; and if so, accumulating the maximum flow with the next flow in the flow sorted list in turn and comparing whether the accumulated result is less than the abnormal-flow threshold, and when the accumulated result is not less than the abnormal-flow threshold, determining the destination IPs corresponding to the accumulated result as attack destination IPs. The present application solves the problem in the related art that, because the attack destination IPs of a DDoS attack are difficult to determine, attack traffic is not diverted or normal business is affected.

Description

Method and device for determining the attack destination IPs of a DDoS attack
Technical field
The present application relates to the field of security protection, and in particular to a method and device for determining the attack destination IPs of a DDoS attack.
Background technology
In a DDoS (Distributed Denial of Service) attack, both the attack source and the attack target are uncertain. When a server is controlled by a hacker and turned into a puppet machine that launches attacks against multiple IPs, an abnormal-traffic cleaning device generally diverts attack traffic based on the attack destination IPs. If the attack destination IPs diverted by the abnormal-traffic cleaning device are more than the IPs actually under attack, mis-diversion occurs and normal traffic is wrongly dropped. Determining the attack destination IPs of a DDoS attack is therefore essential to protecting against it.
In the related art, when a DDoS attack from some attack source IP may exist in the network, the flows from that attack source IP are listed and sorted by size to generate a flow sorted list; then, according to a preset fixed quantity, the first several destination IPs in the flow sorted list are determined to be attack destination IPs, and the traffic accessing those attack destination IPs is diverted.
However, the preset fixed quantity may differ from the actual number of IPs under attack. If the fixed quantity is less than the number of IPs under attack, some attack traffic is not diverted; if the fixed quantity is greater than the number of IPs under attack, mis-diversion occurs and normal business is affected.
The content of the invention
In view of this, the present application provides a method and device for determining the attack destination IPs of a DDoS attack, to solve the problem in the related art that, because the attack destination IPs of a DDoS attack are difficult to determine, attack traffic is not diverted or normal business is affected.
Specifically, the present application is achieved through the following technical solution:
A method for determining the attack destination IPs of a DDoS attack, applied to a DDoS protection device, including:
Obtaining a flow sorted list; the flow sorted list includes a target source IP, several destination IPs and the flows between the target source IP and each destination IP, with the flows sorted by size; the flow sorted list also includes the total flow size corresponding to the target source IP;
Multiplying the total flow size by a preset coefficient to obtain an abnormal-flow threshold;
Judging whether the maximum flow in the flow sorted list is less than the abnormal-flow threshold; if so, accumulating the maximum flow with the next flow in the flow sorted list in turn and comparing whether the accumulated result is less than the abnormal-flow threshold, and when the accumulated result is not less than the abnormal-flow threshold, determining the destination IPs corresponding to the accumulated result as attack destination IPs.
In the method for the attack purpose IP of the determination DDOS attack, the DDOS safeguards are cleaned with abnormal flow Equipment interconnection;
Methods described also includes:
When it is determined that DDOS attack attack purpose IP after, the attack purpose IP is forwarded to abnormal flow cleaning and is set It is standby, carry out security protection to accessing the flow for attacking purpose IP with by the abnormal flow cleaning equipment.
In the method for the attack purpose IP of the determination DDOS attack, the DDOS safeguards and abnormal traffic detection Equipment interconnection;
The acquisition flow sorted lists, including:
Obtain the flow sorted lists that the abnormal traffic detection equipment is uploaded;The flow sorted lists, including it is described Abnormal traffic detection equipment detect the flow from any IP more than default normal discharge threshold value when, generation comprising with The IP is the list of whole flows of target source IP.
It is described to obtain in the abnormal traffic detection equipment in the method for the attack purpose IP of the determination DDOS attack The flow sorted lists of biography, including:
Receive the flow sorted lists that the abnormal traffic detection device periodically is generated and uploaded.
A device for determining the attack destination IPs of a DDoS attack, applied to a DDoS protection device, including:
An acquiring unit, for obtaining a flow sorted list; the flow sorted list includes a target source IP, several destination IPs and the flows between the target source IP and each destination IP, with the flows sorted by size; the flow sorted list also includes the total flow size corresponding to the target source IP;
A computing unit, for multiplying the total flow size by a preset coefficient to obtain an abnormal-flow threshold;
A determining unit, for judging whether the maximum flow in the flow sorted list is less than the abnormal-flow threshold; if so, accumulating the maximum flow with the next flow in the flow sorted list in turn and comparing whether the accumulated result is less than the abnormal-flow threshold, and when the accumulated result is not less than the abnormal-flow threshold, determining the destination IPs corresponding to the accumulated result as attack destination IPs.
In the device for determining the attack destination IPs of a DDoS attack, the DDoS protection device interconnects with an abnormal-traffic cleaning device;
The device further includes:
A forwarding unit, for forwarding the attack destination IPs to the abnormal-traffic cleaning device after the attack destination IPs of the DDoS attack are determined, so that the abnormal-traffic cleaning device performs security protection on the traffic accessing the attack destination IPs.
In the device for determining the attack destination IPs of a DDoS attack, the DDoS protection device interconnects with an abnormal-traffic detection device;
The acquiring unit is further used for:
Obtaining the flow sorted list uploaded by the abnormal-traffic detection device; the flow sorted list is the list of all flows with a given IP as target source IP, generated by the abnormal-traffic detection device when it detects that the flow from that IP exceeds a preset normal flow threshold.
In the device for determining the attack destination IPs of a DDoS attack, the acquiring unit is further used for:
Receiving the flow sorted list periodically generated and uploaded by the abnormal-traffic detection device.
In the embodiments of the present application, when protecting against a DDoS attack, the DDoS protection device first obtains a flow sorted list, which includes a target source IP, several destination IPs and the flows between the target source IP and each destination IP, with the flows sorted by size; the DDoS protection device can compute the total flow size corresponding to the target source IP in the flow sorted list, multiply the total flow size by a preset coefficient to obtain an abnormal-flow threshold, and then judge whether the maximum flow in the flow sorted list is less than the abnormal-flow threshold; if so, it accumulates the maximum flow with the next flow in the flow sorted list in turn and compares whether the accumulated result is less than the abnormal-flow threshold, and when the accumulated result is not less than the abnormal-flow threshold it determines the destination IPs corresponding to the accumulated result as attack destination IPs.
The DDoS protection device determines the abnormal-flow threshold from the preset coefficient and the total flow corresponding to the target source IP. Because DDoS attack traffic is very large relative to normal business traffic, the DDoS protection device can accumulate the largest several flows in the flow sorted list in turn and take the destination IPs whose flows make up the accumulated result at the point where it roughly equals the abnormal-flow threshold; those destination IPs can be determined to be the attack destination IPs. Compared with the related art, which determines attack destination IPs from the flow sorted list by a preset fixed quantity, the technical solution of the embodiments is more flexible: it determines attack destination IPs to the greatest extent while affecting normal business as little as possible. It solves the problem in the related art that, because the attack destination IPs of a DDoS attack are difficult to determine, attack traffic is not diverted or normal business is affected.
Brief description of the drawings
Fig. 1 is an architecture diagram of a DDoS attack shown in the present application;
Fig. 2 is a flow chart of a method for determining the attack destination IPs of a DDoS attack shown in the present application;
Fig. 3 is a block diagram of an embodiment of a device for determining the attack destination IPs of a DDoS attack shown in the present application;
Fig. 4 is a hardware structure diagram of a device for determining the attack destination IPs of a DDoS attack shown in the present application.
Specific embodiment
To help those skilled in the art better understand the technical solution in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments clearer, the prior art and the technical solution in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
In a DDoS attack, both the attack source and the attack target are uncertain. When a server (or server group) is controlled by a hacker and turned into a puppet machine that launches DDoS attacks against multiple IPs in the external network, an abnormal-traffic cleaning device generally diverts attack traffic based on the attack destination IPs.
Referring to Fig. 1, an architecture diagram of a DDoS attack shown in the present application: a server (or server group) in the IDC (Internet Data Center) of province A, with external IP address 1.1.1.1, has communication interaction with client B in city 1 of province B. Client A in city 1 of province A, with external IP address 1.2.3.4, likewise has communication interaction with client B.
After the server with external IP address 1.1.1.1 in the IDC of province A is controlled by a hacker and becomes a puppet server, it is used to launch a DDoS attack on the business server group with external IP addresses 5.5.5.1-5.5.5.5 in the IDC of province B.
The core router of province A deploys an abnormal-traffic detection device, an abnormal-traffic cleaning device and a protection server. When the abnormal-traffic detection device, which detects traffic on a per-source-IP basis, finds that the traffic with source IP 1.1.1.1 is suspected of launching an outward attack, it generates a flow sorted list; the flow sorted list contains the flows with 1.1.1.1 as source IP, arranged from largest to smallest, and also includes the total flow size corresponding to that source IP. The flow sorted list is shown in Table 1 below:
Table 1
Because attack traffic is larger than normal business traffic, the protection server interconnected with the abnormal-traffic detection device can select, from the destination IPs at the top of the flow sorted list, the attack destination IPs subjected to the DDoS attack.
In the related art, the protection server selects several destination IPs from the above flow sorted list as attack destination IPs based on a preset fixed quantity. For example, if the preset fixed quantity is 5, the protection server determines the 5 destination IPs TOP1, TOP2, TOP3, TOP4 and TOP5 to be attack destination IPs.
After determining the attack destination IPs, the protection server can forward them to the above abnormal-traffic cleaning device, so that the cleaning device diverts the traffic accessing those attack destination IPs.
However, the preset fixed quantity may differ from the number of IPs actually attacked. If the preset fixed quantity is greater than the number of IPs actually attacked, the above abnormal-traffic cleaning device diverts normal business traffic and normal business is affected.
For example, if the preset fixed quantity is 6, the protection server determines the 6 destination IPs TOP1, TOP2, TOP3, TOP4, TOP5 and TOP6 to be attack destination IPs. Once the above abnormal-traffic cleaning device protects the traffic accessing the destination IP TOP6, the normal business traffic between client A and client B is diverted, and the business between client A and client B is affected.
On the other hand, if the preset fixed quantity is less than the number of IPs actually attacked, a large amount of attack traffic is not diverted by the above abnormal-traffic cleaning device.
For example, if the preset fixed quantity is 3, the protection server determines the 3 destination IPs TOP1, TOP2 and TOP3 to be attack destination IPs. The above abnormal-traffic cleaning device protects only the traffic accessing TOP1, TOP2 and TOP3, and misses the attack traffic whose destination IPs are TOP4 and TOP5.
Moreover, because the number of attack destination IPs may differ from one DDoS attack to another, the attacked destination IPs clearly cannot be determined dynamically from a preset fixed quantity.
It can be seen that attack destination IPs cannot be accurately determined from the flow sorted list based on a preset fixed quantity: if the fixed quantity is less than the number of IPs under attack, some attack traffic is not diverted; if the fixed quantity is greater than the number of IPs under attack, mis-diversion occurs and normal business is affected.
In view of this, in the technical solution of the present application, an abnormal-flow threshold is calculated from the total flow size in the above flow sorted list; the flows in the flow sorted list are then accumulated from largest to smallest, and when the accumulated result is not less than the abnormal-flow threshold, the destination IPs corresponding to the accumulated result are determined to be attack destination IPs.
Referring to Fig. 2, a flow chart of a method for determining the attack destination IPs of a DDoS attack shown in the present application; the method is applied to a DDoS protection device and includes the following steps:
Step 201: Obtain a flow sorted list; the flow sorted list includes a target source IP, several destination IPs and the flows between the target source IP and each destination IP, with the flows sorted by size; the flow sorted list also includes the total flow size corresponding to the target source IP.
Step 202: Multiply the total flow size by a preset coefficient to obtain an abnormal-flow threshold.
Step 203: Judge whether the maximum flow in the flow sorted list is less than the abnormal-flow threshold; if so, accumulate the maximum flow with the next flow in the flow sorted list in turn and compare whether the accumulated result is less than the abnormal-flow threshold, and when the accumulated result is not less than the abnormal-flow threshold, determine the destination IPs corresponding to the accumulated result as attack destination IPs.
The above DDoS protection device includes the protection server shown in Fig. 1, or a router device that integrates the protection server function; it determines the destination IPs subjected to a DDoS attack according to the flow sorted list. The DDoS protection device interconnects with the abnormal-traffic detection device and receives the flow sorted lists that the abnormal-traffic detection device periodically uploads; it also interconnects with the abnormal-traffic cleaning device, and when the DDoS protection device forwards the determined attack destination IPs to the abnormal-traffic cleaning device, the cleaning device can protect the traffic accessing those attack destination IPs.
In the embodiments of the present application, when the above abnormal-traffic detection device detects that the flow from some IP exceeds a preset normal flow threshold, it can generate a flow sorted list containing all flows with that IP as target source IP; the flow sorted list includes the above target source IP, several destination IPs and the flows between the target source IP and each destination IP, with the flows sorted by size; it also includes the total flow size corresponding to the target source IP, as calculated by the abnormal-traffic detection device.
The above normal flow threshold can be a preset flow value, or the product of a preset coefficient and a normal flow value. For example, if the normal flow value for source IP 1.1.1.1 is 10Gbps, the normal flow threshold can be a preset flow value of 15Gbps, or the product of a preset coefficient 2 and the normal flow value, 20Gbps. The above normal flow threshold is configured according to the real network environment.
Still taking the architecture of Fig. 1 as an example, the above flow sorted list is shown in Table 2 below:
Table 2
After generating the above flow sorted list, the above abnormal-traffic detection device can upload it to the above DDoS protection device, so that the DDoS protection device determines the attacked attack destination IPs according to the flow sorted list.
In one implementation shown, the above abnormal-traffic detection device can periodically generate and upload flow sorted lists to the above DDoS protection device, so that the DDoS protection device can determine in time, according to the flow sorted list, the attack destination IPs under attack in the current network conditions.
For example, the above abnormal-traffic detection device can upload the flow sorted list generated for the detected target source IP to the DDoS protection device every 5 minutes. The DDoS protection device can then determine, according to that flow sorted list, the attack destination IPs that were attacked in the network environment during the preceding 5 minutes.
In a DDoS attack, the attack target may change; by receiving the flow sorted lists periodically uploaded by the abnormal-traffic detection device, the DDoS protection device can determine the currently attacked attack destination IPs in time and forward them to the abnormal-traffic cleaning device. After the abnormal-traffic cleaning device receives the currently attacked attack destination IPs, it can protect the traffic accessing those attack destination IPs. The above measures therefore effectively improve the timeliness and accuracy of DDoS protection.
The present application provides an algorithm: first calculate the abnormal-flow threshold within the total flow sent by the target source IP, then accumulate the flows sent by the target source IP to each destination IP from largest to smallest, matching the accumulated flow size against the abnormal-flow threshold. When the accumulated flow size is close enough to the abnormal-flow threshold, the destination IPs corresponding to the accumulated result can be determined as the destination IPs under attack. This is described in detail below.
In the embodiments of the present application, after the above DDoS protection device obtains the above flow sorted list uploaded by the above abnormal-traffic detection device, it can multiply the total flow size corresponding to the target source IP in the flow sorted list by a preset coefficient to obtain an abnormal-flow threshold; the abnormal-flow threshold is used to determine the size of the DDoS attack traffic sent by the target source IP. The above preset coefficient can be the proportion of total flow taken up by DDoS attack traffic, as determined by the administrator from historical records; the administrator configures this proportion on the DDoS protection device, which calculates the abnormal-flow threshold from the proportion and the total flow size corresponding to the target source IP.
For example, if the coefficient preconfigured by the administrator is 0.8, the DDoS protection device multiplies 0.8 by the total flow size in Table 2 and obtains an abnormal-flow threshold of 14.8Gbps.
In the embodiments of the present application, after obtaining the above abnormal-flow threshold, the above DDoS protection device can determine the attacked attack destination IPs in the above flow sorted list according to the abnormal-flow threshold.
Specifically, the above DDoS protection device can judge whether the maximum flow in the above flow sorted list is less than the above abnormal-flow threshold; if the maximum flow is not less than the abnormal-flow threshold, the destination IP corresponding to the maximum flow can be determined to be the attack destination IP.
If the maximum flow is less than the above abnormal-flow threshold, the above DDoS protection device can accumulate the maximum flow with the next flow in the above flow sorted list in turn and compare whether the accumulated result is less than the abnormal-flow threshold; when the accumulated result is not less than the abnormal-flow threshold, the destination IPs corresponding to the accumulated result are determined as attack destination IPs.
For example, still taking Table 2 as the flow sorted list, with a preset coefficient of 0.8 the abnormal-flow threshold is 14.8Gbps. The above DDoS protection device judges whether the maximum flow is less than the abnormal-flow threshold;
Because 5Gbps is less than 14.8Gbps, the maximum flow is accumulated with the next flow: 5Gbps plus 4Gbps gives 9Gbps, and the device compares whether the accumulated result is less than the abnormal-flow threshold;
Because 9Gbps is less than 14.8Gbps, the next flow is accumulated again: 9Gbps plus 3Gbps gives 12Gbps, and the device compares whether the accumulated result is less than the abnormal-flow threshold;
Because 12Gbps is less than 14.8Gbps, the next flow is accumulated again: 12Gbps plus 2Gbps gives 14Gbps, and the device compares whether the accumulated result is less than the abnormal-flow threshold;
Because 14Gbps is less than 14.8Gbps, the next flow is accumulated again: 14Gbps plus 1Gbps gives 15Gbps, and the device compares whether the accumulated result is less than the abnormal-flow threshold;
Because 15Gbps is greater than 14.8Gbps, the above DDoS protection device can determine the destination IPs corresponding to the accumulated result as attack destination IPs, namely the 5 destination IPs TOP1, TOP2, TOP3, TOP4 and TOP5.
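The following Python model is an added example, not code from the application or from Hangzhou DPTech. It models both sides of the procedure: the detection device's generation of the flow sorted list once a source's total traffic exceeds the normal flow threshold (a preset value or a coefficient times the normal flow value), and the protection device's Steps 201 to 203, the abnormal-flow threshold and the cumulative walk down the sorted list; the related art's fixed-quantity selection is included so the over- and under-selection described for quantities 6 and 3 can be reproduced. The five attack flows (5, 4, 3, 2, 1 Gbps to 5.5.5.1-5.5.5.5), the 18.5Gbps total implied by the 14.8Gbps threshold, the 0.8 coefficient and the 15Gbps and 20Gbps normal thresholds come from the page; the normal business destinations (203.0.113.x) and their sizes are constructed for this example, and flows are expressed in integer Mbps so the arithmetic is exact.

```python
from dataclasses import dataclass


@dataclass
class FlowSortedList:
    """The list the abnormal-traffic detection device uploads for one source IP."""
    source_ip: str
    flows: list       # (destination IP, Mbps) pairs, largest flow first
    total_mbps: int   # total flow sent by source_ip


def normal_flow_threshold(fixed_mbps=None, coefficient=None, baseline_mbps=None):
    """Normal flow threshold: either a preset flow value, or coefficient * normal value."""
    if fixed_mbps is not None:
        return fixed_mbps
    if coefficient is None or baseline_mbps is None:
        raise ValueError("give fixed_mbps, or both coefficient and baseline_mbps")
    return coefficient * baseline_mbps


def build_flow_sorted_list(source_ip, per_destination_mbps, normal_threshold_mbps):
    """Detection-device side: only when the source's total traffic exceeds the
    normal flow threshold is a flow sorted list generated; otherwise None."""
    total = sum(per_destination_mbps.values())
    if total <= normal_threshold_mbps:
        return None
    flows = sorted(per_destination_mbps.items(), key=lambda kv: kv[1], reverse=True)
    return FlowSortedList(source_ip, flows, total)


def select_attack_destinations(fsl, coefficient):
    """Protection-device side (Steps 202 and 203): abnormal threshold = coefficient *
    total flow; accumulate the sorted flows until the sum is not less than the
    threshold. Returns (threshold_mbps, [attack destination IPs]).
    If the largest flow alone reaches the threshold, only its destination is returned."""
    if not 0 < coefficient <= 1:
        raise ValueError("coefficient is the attack share of total flow; expected 0 < c <= 1")
    threshold = coefficient * fsl.total_mbps
    selected, accumulated = [], 0
    for destination, mbps in fsl.flows:
        accumulated += mbps
        selected.append(destination)
        if accumulated >= threshold:   # accumulated result "not less than" the threshold
            break
    return threshold, selected


def select_fixed_count(fsl, count):
    """Related-art approach: the first `count` destinations, whatever their sizes."""
    return [destination for destination, _ in fsl.flows[:count]]


# Constructed sample modelled on Fig. 1 / Table 2 (values from the page, in Mbps):
# 1.1.1.1 attacks 5.5.5.1-5.5.5.5 with 5, 4, 3, 2 and 1 Gbps.  The remaining
# 3.5 Gbps of the 18.5 Gbps total are normal business flows; their destinations
# (documentation range) and sizes are constructed for this example.
SAMPLE_FLOWS = {
    "5.5.5.1": 5000, "5.5.5.2": 4000, "5.5.5.3": 3000, "5.5.5.4": 2000, "5.5.5.5": 1000,
    "203.0.113.10": 900, "203.0.113.11": 800, "203.0.113.12": 700,
    "203.0.113.13": 600, "203.0.113.14": 500,
}


def run_example():
    """18.5 Gbps exceeds the preset 15 Gbps normal threshold, so the list is
    generated; with coefficient 0.8 the abnormal threshold is 14.8 Gbps and the
    cumulative walk stops after TOP5, exactly as in the page's example."""
    fsl = build_flow_sorted_list("1.1.1.1", SAMPLE_FLOWS,
                                 normal_flow_threshold(fixed_mbps=15000))
    threshold, attacked = select_attack_destinations(fsl, 0.8)
    return {
        "abnormal_threshold_mbps": threshold,
        "attack_destinations": attacked,
        "fixed_count_6": select_fixed_count(fsl, 6),   # over-selects 203.0.113.10
        "fixed_count_3": select_fixed_count(fsl, 3),   # misses 5.5.5.4 and 5.5.5.5
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two behaviours worth noting: the detection device's normal threshold gates list generation, so with the page's alternative threshold of 2 x 10Gbps = 20Gbps the same 18.5Gbps source would not produce a list at all, and the protection device's walk terminates at the first destination whose cumulative flow reaches the abnormal threshold, so a sufficiently small coefficient returns only the largest flow's destination.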
In the embodiments of the present application, after determining the attack destination IPs, the above DDoS protection device can forward them to the above abnormal-traffic cleaning device. After the abnormal-traffic cleaning device receives the attack destination IPs, it can perform security protection on the traffic accessing those attack destination IPs, where security protection includes diverting the attack traffic.
In one implementation shown, the DDoS protection device can integrate the functions of the abnormal-traffic detection device and the abnormal-traffic cleaning device; as shown in Fig. 2, the functions of the protection server, the abnormal-traffic detection device and the abnormal-traffic cleaning device can all be integrated on the core router of province A. In this case the DDoS protection device can independently detect abnormal traffic, determine the attack destination IPs and protect the traffic accessing those attack destination IPs.
The present application generates the flow sorted list based on the target source IP, then determines the attacked attack destination IPs in that flow sorted list and protects the traffic accessing those attack destination IPs. In practice it is also possible, when detecting traffic accessing some destination IP, to generate a flow sorted list for that destination IP, then determine the attack source IPs that launch the attack in that flow sorted list, and protect against the traffic sent by those attack source IPs. Such a scheme can be realized in the same way as in the present application and is not repeated here.
In summary, in the embodiments of the present application, when protecting against a DDoS attack the DDoS protection device first obtains a flow sorted list; the flow sorted list includes a target source IP, several destination IPs and the flows between the target source IP and each destination IP, with the flows sorted by size, and also includes the total flow size corresponding to the target source IP; it then multiplies the total flow size by a preset coefficient to obtain an abnormal-flow threshold, and judges whether the maximum flow in the flow sorted list is less than the abnormal-flow threshold; if so, it accumulates the maximum flow with the next flow in the flow sorted list in turn and compares whether the accumulated result is less than the abnormal-flow threshold, until the accumulated result is not less than the abnormal-flow threshold, at which point the destination IPs corresponding to the accumulated result are determined as attack destination IPs.
The present application multiplies the total flow size by a preset coefficient to obtain an abnormal-flow threshold approximating the size of the abnormal flow within the total flow; because abnormal flow is larger than normal business flow, the flows in the flow sorted list are accumulated in turn from largest to smallest, and when the accumulated result first becomes not less than the abnormal-flow threshold, it can be determined that the flows in the accumulated result include all attack traffic and that the corresponding destination IPs are the attack destination IPs. Because the present application determines attack destination IPs by comparing the abnormal-flow threshold with the accumulated flows of the destination IPs, it is more accurate than the related art, which determines attack destination IPs in the flow sorted list by a preset fixed quantity; at the same time, when the DDoS attack changes and the number of attack destination IPs changes, it can still dynamically determine the attack destination IPs subjected to the DDoS attack. It solves the problem in the related art that, because the attack destination IPs of a DDoS attack are difficult to determine, attack traffic is not diverted or normal business is affected.
Corresponding to the embodiment of the method for determining the attack destination IP of a DDoS attack, the present application also provides an embodiment of a device for performing the above method embodiment.
Referring to Fig. 3, which is a block diagram of an embodiment of a device for determining the attack destination IP of a DDoS attack according to the application:
As shown in Fig. 3, the device 30 for determining the attack destination IP of a DDoS attack includes:
An acquiring unit 310 for obtaining a traffic sorted list; the traffic sorted list includes a target source IP, several destination IPs and the traffic between the target source IP and each destination IP, each flow being sorted by traffic size; the traffic sorted list also includes the total traffic size corresponding to the target source IP.
A computing unit 320 for multiplying the total traffic size by a preset coefficient to obtain an abnormal traffic threshold.
A determining unit 330 for judging whether the largest flow in the traffic sorted list is less than the abnormal traffic threshold; if so, accumulating the largest flow successively with the next flow in the traffic sorted list and comparing whether the accumulated result is less than the abnormal traffic threshold, and when the accumulated result is not less than the abnormal traffic threshold, determining the destination IPs corresponding to the accumulated result as the attack destination IPs.
In this example, the device 30 also includes:
A forwarding unit 340 for, after the attack destination IP of the DDoS attack is determined, forwarding the attack destination IP to the abnormal traffic cleaning device, so that the abnormal traffic cleaning device performs security protection on the traffic accessing the attack destination IP.
In this example, the acquiring unit 310 is further used for:
obtaining the traffic sorted list uploaded by the abnormal traffic detection device; the traffic sorted list is a list, generated by the abnormal traffic detection device when it detects that the traffic from any IP exceeds a preset normal traffic threshold, containing all flows with that IP as the target source IP.
In this example, the acquiring unit 310 is further used for:
receiving the traffic sorted list periodically generated and uploaded by the abnormal traffic detection device.
The embodiment of the device for determining the attack destination IP of a DDoS attack of the application can be applied to a DDoS protection device. The device embodiment can be implemented in software, or in hardware, or in a combination of software and hardware. Taking software implementation as an example, the device in a logical sense is formed by the processor of the DDoS protection device on which it resides reading the corresponding computer program instructions from a non-volatile memory into internal memory and running them. From the hardware perspective, Fig. 4 is a hardware structure diagram of the DDoS protection device on which the device for determining the attack destination IP of a DDoS attack of the application resides; besides the processor, internal memory, network interface and non-volatile memory shown in Fig. 4, the DDoS protection device on which the device in the embodiment resides may also include other hardware according to the actual function of the device for determining the attack destination IP of a DDoS attack, which is not described further here.
The implementation process of the functions and effects of each unit in the above device corresponds to the implementation process of the corresponding steps in the above method, and is not repeated here.
Since the device embodiment basically corresponds to the method embodiment, for related parts refer to the partial description of the method embodiment. The device embodiment described above is merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing describes only preferred embodiments of the application and is not intended to limit the application; any modification, equivalent substitution or improvement made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (8)

1. A method for determining the attack destination IP of a DDoS attack, applied to a DDoS protection device, characterized in that it includes:
obtaining a traffic sorted list; the traffic sorted list includes a target source IP, several destination IPs and the traffic between the target source IP and each destination IP, each flow being sorted by traffic size; the traffic sorted list also includes the total traffic size corresponding to the target source IP;
multiplying the total traffic size by a preset coefficient to obtain an abnormal traffic threshold;
judging whether the largest flow in the traffic sorted list is less than the abnormal traffic threshold; if so, accumulating the largest flow successively with the next flow in the traffic sorted list and comparing whether the accumulated result is less than the abnormal traffic threshold, and when the accumulated result is not less than the abnormal traffic threshold, determining the destination IPs corresponding to the accumulated result as attack destination IPs.
2. The method according to claim 1, characterized in that the DDoS protection device is connected to an abnormal traffic cleaning device;
the method further includes:
after the attack destination IP of the DDoS attack is determined, forwarding the attack destination IP to the abnormal traffic cleaning device, so that the abnormal traffic cleaning device performs security protection on the traffic accessing the attack destination IP.
3. The method according to claim 1, characterized in that the DDoS protection device is connected to an abnormal traffic detection device;
the obtaining a traffic sorted list includes:
obtaining the traffic sorted list uploaded by the abnormal traffic detection device; the traffic sorted list is a list, generated by the abnormal traffic detection device when it detects that the traffic from any IP exceeds a preset normal traffic threshold, containing all flows with that IP as the target source IP.
4. The method according to claim 3, characterized in that the obtaining the traffic sorted list uploaded by the abnormal traffic detection device includes:
receiving the traffic sorted list periodically generated and uploaded by the abnormal traffic detection device.
5. A device for determining the attack destination IP of a DDoS attack, applied to a DDoS protection device, characterized in that it includes:
an acquiring unit for obtaining a traffic sorted list; the traffic sorted list includes a target source IP, several destination IPs and the traffic between the target source IP and each destination IP, each flow being sorted by traffic size; the traffic sorted list also includes the total traffic size corresponding to the target source IP;
a computing unit for multiplying the total traffic size by a preset coefficient to obtain an abnormal traffic threshold;
a determining unit for judging whether the largest flow in the traffic sorted list is less than the abnormal traffic threshold; if so, accumulating the largest flow successively with the next flow in the traffic sorted list and comparing whether the accumulated result is less than the abnormal traffic threshold, and when the accumulated result is not less than the abnormal traffic threshold, determining the destination IPs corresponding to the accumulated result as attack destination IPs.
6. The device according to claim 5, characterized in that the DDoS protection device is connected to an abnormal traffic cleaning device;
the device further includes:
a forwarding unit for, after the attack destination IP of the DDoS attack is determined, forwarding the attack destination IP to the abnormal traffic cleaning device, so that the abnormal traffic cleaning device performs security protection on the traffic accessing the attack destination IP.
7. The device according to claim 5, characterized in that the DDoS protection device is connected to an abnormal traffic detection device;
the acquiring unit is further used for:
obtaining the traffic sorted list uploaded by the abnormal traffic detection device; the traffic sorted list is a list, generated by the abnormal traffic detection device when it detects that the traffic from any IP exceeds a preset normal traffic threshold, containing all flows with that IP as the target source IP.
8. The device according to claim 7, characterized in that the acquiring unit is further used for:
receiving the traffic sorted list periodically generated and uploaded by the abnormal traffic detection device.
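As an added worked example (not code from the patent or from the applicant), the following Python models both roles of the procedure described in the summary above and in claims 1, 3 and 4: the abnormal traffic detection device builds a per-source traffic sorted list once a source's total traffic exceeds a normal-traffic threshold, and the DDoS protection device multiplies the total by a preset coefficient and accumulates flows from largest to smallest until the accumulated result is not less than the abnormal traffic threshold. All IP addresses, byte counts, the normal-traffic threshold and the coefficient value are constructed assumptions. Where the largest flow alone already meets the threshold, a case the text does not spell out, the example treats that single destination IP as the attack destination IP; that too is an assumption.

```python
"""Cumulative-threshold selection of DDoS attack destination IPs.

Added example, not the patent's own code. Flow size is modelled as a byte
count; the coefficient is assumed to lie in (0, 1], which guarantees that the
sum of all flows (the total) always reaches coefficient * total.
"""
from collections import defaultdict

# Constructed flow records: (source_ip, destination_ip, bytes). Values are made up.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 800_000),
    ("10.0.0.5", "192.0.2.11", 150_000),
    ("10.0.0.5", "192.0.2.12", 30_000),
    ("10.0.0.5", "192.0.2.13", 20_000),
    ("10.0.0.7", "192.0.2.10", 5_000),   # a quiet source that must be ignored
]

NORMAL_TRAFFIC_THRESHOLD = 500_000  # detection device's per-source limit (assumed value)
DEFAULT_COEFFICIENT = 0.9           # the patent's "preset coefficient" (assumed value)


def build_traffic_sorted_lists(flows, normal_threshold=NORMAL_TRAFFIC_THRESHOLD):
    """Detection-device role (claims 3 and 4).

    Aggregates bytes per (source, destination). For every source whose total
    exceeds normal_threshold, returns a traffic sorted list: the source IP,
    its flows sorted by size descending, and the total traffic of that source.
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        per_src[src][dst] += nbytes

    lists = {}
    for src, dsts in per_src.items():
        total = sum(dsts.values())
        if total <= normal_threshold:
            continue  # within normal traffic: no list is generated for this source
        ranked = sorted(dsts.items(), key=lambda kv: kv[1], reverse=True)
        lists[src] = {"source_ip": src, "flows": ranked, "total": total}
    return lists


def determine_attack_destinations(sorted_list, coefficient=DEFAULT_COEFFICIENT):
    """Protection-device role (claim 1).

    Returns (attack_destination_ips, abnormal_traffic_threshold). Flows are
    accumulated from largest to smallest; the destinations consumed up to and
    including the flow at which the accumulated result first becomes not less
    than the threshold are the attack destination IPs.
    """
    if not 0 < coefficient <= 1:
        raise ValueError("coefficient must be in (0, 1] so the threshold is reachable")

    # Defensive re-sort: the list is specified as sorted, but do not trust the uploader.
    flows = sorted(sorted_list["flows"], key=lambda kv: kv[1], reverse=True)
    if not flows:
        return [], 0.0

    threshold = coefficient * sorted_list["total"]
    accumulated = 0
    selected = []
    for dst, nbytes in flows:
        accumulated += nbytes        # "accumulate successively with the next flow"
        selected.append(dst)
        if accumulated >= threshold:  # "not less than the abnormal traffic threshold"
            break
    return selected, threshold


def run_example(flows=SAMPLE_FLOWS, coefficient=DEFAULT_COEFFICIENT):
    """Runs both roles over the constructed flows; returns {source_ip: attack_dsts}."""
    result = {}
    for src, sorted_list in build_traffic_sorted_lists(flows).items():
        attack_dsts, _ = determine_attack_destinations(sorted_list, coefficient)
        result[src] = attack_dsts  # in the patent these IPs go to the cleaning device
    return result


if __name__ == "__main__":
    print(run_example())
```

With the constructed data, source 10.0.0.5 carries 1,000,000 bytes, so the threshold is 900,000; the largest flow (800,000) is below it, adding the next (150,000) gives 950,000, and the two destinations 192.0.2.10 and 192.0.2.11 are selected, while 10.0.0.7 never produces a list. Lowering the coefficient to 0.8 selects only the top destination, and a coefficient of 1.0 selects all four, which illustrates that the coefficient, not a fixed count, sets how many destinations are flagged.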
CN201710170344.0A 2017-03-21 2017-03-21 A kind of method and device of the attack purpose IP for determining DDOS attack Pending CN106899608A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710170344.0A CN106899608A (en) 2017-03-21 2017-03-21 A kind of method and device of the attack purpose IP for determining DDOS attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710170344.0A CN106899608A (en) 2017-03-21 2017-03-21 A kind of method and device of the attack purpose IP for determining DDOS attack

Publications (1)

Publication Number Publication Date
CN106899608A true CN106899608A (en) 2017-06-27

Family

ID=59193014

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710170344.0A Pending CN106899608A (en) 2017-03-21 2017-03-21 A kind of method and device of the attack purpose IP for determining DDOS attack

Country Status (1)

Country Link
CN (1) CN106899608A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108063764A (en) * 2017-12-13 2018-05-22 北京搜狐新媒体信息技术有限公司 A kind of network traffics treating method and apparatus
CN110505249A (en) * 2019-09-30 2019-11-26 怀来斯达铭数据有限公司 The recognition methods of ddos attack and device
CN111092849A (en) * 2018-10-24 2020-05-01 中移(杭州)信息技术有限公司 Traffic-based detection method and device for distributed denial of service
CN111224924A (en) * 2018-11-27 2020-06-02 北京金山云网络技术有限公司 Traffic processing method and device, electronic equipment and storage medium
CN111314328A (en) * 2020-02-03 2020-06-19 北京字节跳动网络技术有限公司 Network attack protection method and device, storage medium and electronic equipment
CN111541655A (en) * 2020-04-08 2020-08-14 国家计算机网络与信息安全管理中心 Network abnormal flow detection method, controller and medium
CN112583850A (en) * 2020-12-27 2021-03-30 杭州迪普科技股份有限公司 Network attack protection method, device and system
CN113225340A (en) * 2021-05-07 2021-08-06 北京华云安信息技术有限公司 Attack IP address judgment method, device, equipment and computer readable storage medium
CN113259304A (en) * 2020-02-12 2021-08-13 上海云盾信息技术有限公司 Attack protection method and device based on dynamic adjustment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729389A (en) * 2008-10-21 2010-06-09 北京启明星辰信息技术股份有限公司 Flow control device and method based on flow prediction and trusted network address learning
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
CN102271068A (en) * 2011-09-06 2011-12-07 电子科技大学 Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
US20160205134A1 (en) * 2015-01-13 2016-07-14 Level 3 Communications, Llc Isp blacklist feed

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108063764B (en) * 2017-12-13 2021-03-23 北京搜狐新媒体信息技术有限公司 Network traffic processing method and device
CN108063764A (en) * 2017-12-13 2018-05-22 北京搜狐新媒体信息技术有限公司 A kind of network traffics treating method and apparatus
CN111092849B (en) * 2018-10-24 2022-01-25 中移(杭州)信息技术有限公司 Traffic-based detection method and device for distributed denial of service
CN111092849A (en) * 2018-10-24 2020-05-01 中移(杭州)信息技术有限公司 Traffic-based detection method and device for distributed denial of service
CN111224924A (en) * 2018-11-27 2020-06-02 北京金山云网络技术有限公司 Traffic processing method and device, electronic equipment and storage medium
CN111224924B (en) * 2018-11-27 2022-08-05 北京金山云网络技术有限公司 Traffic processing method and device, electronic equipment and storage medium
CN110505249A (en) * 2019-09-30 2019-11-26 怀来斯达铭数据有限公司 The recognition methods of ddos attack and device
CN111314328A (en) * 2020-02-03 2020-06-19 北京字节跳动网络技术有限公司 Network attack protection method and device, storage medium and electronic equipment
CN113259304A (en) * 2020-02-12 2021-08-13 上海云盾信息技术有限公司 Attack protection method and device based on dynamic adjustment
CN113259304B (en) * 2020-02-12 2022-06-03 上海云盾信息技术有限公司 Attack protection method and equipment based on dynamic adjustment
CN111541655A (en) * 2020-04-08 2020-08-14 国家计算机网络与信息安全管理中心 Network abnormal flow detection method, controller and medium
CN112583850A (en) * 2020-12-27 2021-03-30 杭州迪普科技股份有限公司 Network attack protection method, device and system
CN112583850B (en) * 2020-12-27 2023-02-24 杭州迪普科技股份有限公司 Network attack protection method, device and system
CN113225340A (en) * 2021-05-07 2021-08-06 北京华云安信息技术有限公司 Attack IP address judgment method, device, equipment and computer readable storage medium

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20170627)