CN106921612A - Method and device for discovering DDoS attacks - Google Patents


Info

Publication number
CN106921612A
Authority
CN
China
Legal status
Pending
Application number
CN201510990022.1A
Other languages
Chinese (zh)
Inventor
李然
王海东
宋加生
崔山
崔一山
张建飞
梁永喜
周晓敏
叶根深
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201510990022.1A
Priority to PCT/CN2016/109604 (published as WO2017107804A1)
Publication of CN106921612A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

This application provides a method and device for discovering DDoS attacks. The method comprises: performing network protocol analysis on a DDoS attack program sample to extract the network protocol the sample uses; searching the network for hosts running a DDoS attack control program based on that protocol, and determining them to be the central control hosts (the command-and-control, or C2, hosts) that direct DDoS attacks; and, according to that protocol, emulating a puppet machine (bot) controlled by a central control host, so as to receive the attack instruction each central control host issues to its puppet machines and thereby discover the attack. With the technical scheme of this application, the central control host that directs the puppet machines to launch a DDoS attack can be identified, and from it the real attacker behind the attack can be traced.

Description

Method and device for discovering DDoS attacks
Technical field
This application relates to the field of DDoS attack defence, and in particular to a method and device for discovering DDoS attacks.
Background
A DDoS attack is one in which a hacker controls a large number of puppet machines (bots) to consume the computing resources of the attack target so that the target can no longer serve legitimate users. Existing DDoS defence systems mainly protect the target from the attack itself; since the hosts carrying out the attack are usually puppet machines under the hacker's control, these systems cannot determine who the real attacker behind them is. The most basic DDoS attack uses otherwise legitimate service requests to tie up an excessive share of the service's resources, so that legitimate users get no response. Existing defence systems judge whether a DDoS attack is under way mainly from traffic volume; but when an attacker has only just launched an attack the initial traffic is small, so the attack cannot be identified with certainty at the earliest moment.
Summary of the invention
One purpose of this application is to provide a method and device for discovering DDoS attacks that can identify the central control host directing the puppet machines to launch a DDoS attack, and the destination host it is attacking.
According to one aspect of this application, a method for discovering DDoS attacks is provided, comprising the following steps:
performing network protocol analysis on a DDoS attack program sample to extract the network protocol the sample uses;
searching the network for hosts running a DDoS attack control program based on that network protocol, and determining them to be central control hosts that control DDoS attacks;
emulating, according to the network protocol, a puppet machine controlled by a central control host, so as to receive the attack instruction each central control host issues to its puppet machines and thereby discover the attack.
Optionally, the step of performing network protocol analysis on the DDoS attack program sample to extract the network protocol it uses comprises:
disassembling the DDoS attack program sample and recovering, from the disassembly, the network protocol the sample uses.
Optionally, the same step comprises:
running the DDoS attack program sample and determining the network protocol it uses by capturing and analysing its packets.
Optionally, the step of searching the network for hosts running a DDoS attack control program based on the network protocol, and determining them to be central control hosts, comprises:
sending a packet of the network protocol to each host on the network;
checking whether the packet returned by each host matches a predetermined result;
determining the hosts whose returned packet matches the predetermined result to be central control hosts that control DDoS attacks.
Optionally, the step of emulating a puppet machine according to the network protocol, so as to receive the attack instruction each central control host issues and discover the attack, comprises:
sending the check-in (online) message of the network protocol to each central control host found by the scan, to emulate a puppet machine under its control;
receiving the attack instruction issued by at least one of the central control hosts found by the scan;
parsing the attack instruction to extract the IP address of the attack target, the IP address of the central control host and the attack type.
Optionally, that step further comprises:
sending the heartbeat packet of the network protocol to each central control host, to keep the communication connection with each of them alive.
Optionally, the method further comprises outputting and displaying the extracted IP address of the attack target, IP address of the central control host and attack type.
According to another aspect of this application, a device for discovering DDoS attacks is also provided, comprising:
an analysis unit, for performing network protocol analysis on a DDoS attack program sample to extract the network protocol the sample uses;
a search unit, for searching the network for hosts running a DDoS attack control program based on that network protocol and determining them to be central control hosts that control DDoS attacks;
a discovery unit, for emulating, according to the network protocol, a puppet machine controlled by a central control host, so as to receive the attack instruction each central control host issues to its puppet machines and thereby discover the attack.
Optionally, the analysis unit is further configured to disassemble the DDoS attack program sample and recover from the disassembly the network protocol the sample uses.
Optionally, the analysis unit is further configured to run the DDoS attack program sample and determine the network protocol it uses by capturing and analysing its packets.
Optionally, the search unit comprises:
a sending unit, for sending a packet of the network protocol to each host on the network;
a detection unit, for checking whether the packet returned by each host matches a predetermined result;
a determination unit, for determining the hosts whose returned packet matches the predetermined result to be central control hosts that control DDoS attacks.
Optionally, the discovery unit comprises:
an emulation unit, for sending the check-in (online) message of the network protocol to each central control host found by the scan, to emulate a puppet machine under its control;
a receiving unit, for receiving the attack instruction issued by at least one of the central control hosts found by the scan;
a parsing unit, for parsing the attack instruction to extract the IP address of the attack target, the IP address of the central control host and the attack type.
Optionally, the discovery unit further comprises:
a heartbeat sending unit, for sending the heartbeat packet of the network protocol to each central control host, to keep the communication connection with each of them alive.
Optionally, the device further comprises an output unit, for outputting and displaying the extracted IP address of the attack target, IP address of the central control host and attack type.
Compared with the prior art, the embodiments of this application have the following advantages:
1) Existing DDoS defence systems can only learn which puppet machines an attack came from; they cannot learn which central control host directed those puppet machines, and so can hardly trace the real attacker behind them. By contrast, this application identifies the central control host that directs the puppet machines to launch the DDoS attack, and from it the real attacker can be traced.
2) Because this application monitors the central control host that directs the puppet machines, it learns the destination host to be attacked and the attack method to be used at the very moment the attack is launched.
Brief description of the drawings
Other features, objects and advantages of this application will become more apparent from the following detailed description of non-limiting embodiments, read with reference to the drawings:
Fig. 1 is a flow chart of the method provided by one embodiment of this application;
Fig. 2 is a flow chart of step S120 in one embodiment of this application;
Fig. 3 is a flow chart of one implementation of step S130 in one embodiment of this application;
Fig. 4 is a flow chart of another implementation of step S130 in one embodiment of this application;
Fig. 5 is a schematic diagram of the device provided by one embodiment of this application;
Fig. 6 is a schematic diagram of the search unit 520 in the device provided by an embodiment of this application;
Fig. 7 is a schematic diagram of one implementation of the discovery unit 530 in the device provided by an embodiment of this application;
Fig. 8 is a schematic diagram of another implementation of the discovery unit 530 in the device provided by an embodiment of this application.
The same or similar reference numerals denote the same or similar parts throughout the drawings.
Detailed description
Before the exemplary embodiments are discussed in more detail, it should be noted that some of them are described as processes or methods depicted as flow charts. Although a flow chart describes the operations as a sequence, many of them may be performed in parallel, concurrently or simultaneously, and the order of the operations may be rearranged. A process may be terminated when its operations are completed, and may also have additional steps not shown in the drawings. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram and so on.
The term "computer equipment" (also "computer") used in this context refers to an intelligent electronic device that can carry out predetermined processing such as numerical computation and/or logical computation by running a predetermined program or instructions. It may comprise a processor and a memory, the processor executing instructions pre-stored in the memory to carry out the predetermined processing; the processing may instead be carried out by hardware such as an ASIC, an FPGA or a DSP, or by a combination of the two. Computer equipment includes, but is not limited to, servers, personal computers, notebook computers, tablet computers and smartphones.
Computer equipment includes user equipment and network equipment. User equipment includes, but is not limited to, computers, smartphones and PDAs; network equipment includes, but is not limited to, a single network server, a server group made up of multiple network servers, or a cloud made up of a large number of computers or network servers on the basis of cloud computing, where cloud computing is a form of distributed computing in which a super virtual computer is composed of a group of loosely coupled computers. The computer equipment may realise this application by running in isolation, or by accessing a network and interacting with other computer equipment in that network. The network in which the computer equipment resides includes, but is not limited to, the Internet, wide area networks, metropolitan area networks, local area networks and VPNs.
It should be noted that the user equipment, network equipment and networks above are only examples; other existing or future computer equipment or networks, if applicable to this application, are also within its scope of protection and are incorporated herein by reference.
The methods discussed below (some of them illustrated by flow charts) may be implemented in hardware, software, firmware, middleware, microcode, hardware description languages or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments that carry out the necessary tasks may be stored in a machine- or computer-readable medium such as a storage medium, and one or more processors may carry out those tasks.
The specific structural and functional details disclosed here are representative only and serve to describe exemplary embodiments of this application. The application may be embodied in many alternative forms and should not be construed as limited to the embodiments set forth here.
Although the terms "first", "second" and so on may be used here to describe units, the units are not limited by those terms, which serve only to distinguish one unit from another. For example, without departing from the scope of the exemplary embodiments, a first unit could be termed a second unit, and likewise a second unit could be termed a first unit. The term "and/or" as used here includes any and all combinations of one or more of the associated listed items.
The terminology used here is for describing particular embodiments only and is not intended to limit the exemplary embodiments. Unless the context clearly indicates otherwise, the singular forms "a" and "an" are intended to include the plural as well. It should further be understood that the terms "comprising" and/or "including" specify the presence of the stated features, integers, steps, operations, units and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, units, components and/or combinations thereof.
It should also be noted that in some alternative implementations the functions/actions mentioned may occur in an order different from that indicated in the drawings. For example, depending on the functions/actions involved, two figures shown in succession may in fact be executed substantially concurrently, or sometimes in the reverse order.
This application is described in further detail below with reference to the drawings.
Fig. 1 is a flow chart of the method for discovering DDoS attacks according to one embodiment of this application. Method 1 comprises at least step S110, step S120 and step S130. Starting from a DDoS attack program sample that is currently obtainable, the application searches for the central control hosts that direct DDoS attacks of that type and for the destination hosts they attack.
With reference to Fig. 1, in step S110, network protocol analysis is performed on the DDoS attack program sample to extract the network protocol the sample uses.
A hacker attacks hosts that have security vulnerabilities, takes control of them and installs a DDoS attack program on each compromised host; a host compromised and controlled by the hacker in this way is a puppet machine. To launch a DDoS attack, the hacker uses a central control host to direct these puppet machines against the destination host. The hacker installs a DDoS attack control program on the central control host in advance; this control program communicates with the DDoS attack program installed on the puppet machines and directs them to attack the destination host. The central control host (its DDoS attack control program) communicates with many puppet machines (their DDoS attack programs) over a pre-agreed network protocol, through which it issues DDoS attack instructions. The protocol the central control host uses to talk to the puppet machines can therefore be recovered from a sample of the DDoS attack program. That protocol includes, but is not limited to, the check-in (online) message, the heartbeat packet, the command that starts an attack and the command that stops it.
Step S110 can be implemented in the following two ways, among others:
(1) Disassemble the DDoS attack program sample and recover the network protocol it uses.
Specifically, the machine code of the sample is translated into assembly code, the assembly is analysed to understand the logic with which the sample handles the network protocol, and the protocol is reconstructed from that logic.
(2) Run the DDoS attack program sample and determine the network protocol it uses by capturing and analysing its packets.
Specifically, the sample is run on some host, the packets on that host are captured and analysed, and the network protocol the sample uses is read off from the capture. Existing packet-capture software can be used for this. The sample should be run in an isolated environment: a live attack program that reaches a real central control host will carry out whatever instruction it receives.
With reference to Fig. 1, in step S120, the network is searched for hosts running a DDoS attack control program based on the network protocol, and those hosts are determined to be central control hosts that control DDoS attacks.
The central control host communicates with many puppet machines over the pre-agreed protocol in order to issue DDoS attack instructions. Hence, by sending a packet of that protocol to each host on the network and checking whether the packet each host returns is the one the protocol expects, the hosts running a DDoS attack control program that speaks the protocol can be found and determined to be the central control hosts that control DDoS attacks.
Specifically, the network protocol can be fed into a scanner program that probes by protocol; the scanner performs a network-wide scan according to the protocol to find the central control hosts. By carrying out steps S121 to S123 below, the scanner locates the central control hosts and outputs a list of their IP addresses for use in the next step (step S130).
With reference to Fig. 2, step S120 specifically comprises the following steps:
Step S121: send a packet of the network protocol to each host on the network.
Step S122: check whether the packet returned by each host matches a predetermined result.
Step S123: determine the hosts whose returned packet matches the predetermined result to be central control hosts that control DDoS attacks.
The predetermined result is the response that a host using the protocol is expected to reply with when it receives the protocol packet. If the packet a host returns matches the predetermined result, that host is running a DDoS central control program that communicates by the protocol, and it can be determined to be a central control host. For example, the packet "aaabbbccc" is sent to each host and the expected reply is "haha"; a host that replies "haha" is taken to be a central control host running the DDoS attack control program, and a host that does not reply "haha" is not. A match on a single fixed reply is only as specific as that reply: the probe should exercise something peculiar to the protocol (a challenge, a length-prefixed frame, a checksum) rather than a generic banner, or unrelated services will be mis-identified as central control hosts.
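One way to implement steps S121 to S123, added here as an example and not code from the patent or from Alibaba: a Python scanner that sends the protocol packet to each candidate host and keeps those whose reply matches the predetermined result. The probe bytes and expected reply reuse the patent's "aaabbbccc"/"haha" illustration; the target list, the loopback stand-in servers and the closed port are constructed for the example, and the probe function is injectable so the matching logic can be exercised without a network.

```python
"""Added example: find hosts that answer the recovered C2 protocol (steps S121-S123).

The probe bytes and expected reply follow the patent's "aaabbbccc" / "haha"
illustration; hosts, ports and the loopback stand-in servers are constructed here.
"""
import socket
import threading
from typing import Callable, List, Tuple

PROBE = b"aaabbbccc"        # packet of the recovered protocol (step S121)
EXPECTED_REPLY = b"haha"    # the predetermined result (step S122)

Target = Tuple[str, int]


def reply_matches(reply: bytes, expected: bytes = EXPECTED_REPLY) -> bool:
    """Step S122: does the returned packet match the predetermined result?
    An empty reply (refused, timed out, closed) never matches."""
    return len(reply) >= len(expected) and reply[: len(expected)] == expected


def tcp_probe(host: str, port: int, probe: bytes = PROBE, timeout: float = 2.0) -> bytes:
    """Step S121: send the protocol packet to one host and return its reply.
    Connection errors and timeouts yield b"" so the caller treats the host as no match."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(probe)
            return s.recv(64)
    except OSError:
        return b""


def find_c2_hosts(targets: List[Target],
                  probe_fn: Callable[[str, int], bytes] = tcp_probe) -> List[Target]:
    """Steps S121-S123 over a target list: keep the hosts whose reply matches.
    probe_fn is injectable so the matching logic can be tested without a network."""
    return [t for t in targets if reply_matches(probe_fn(*t))]


def start_fake_server(reply: bytes) -> Target:
    """Loopback stand-in (constructed) for a host: answers every connection with `reply`.
    With reply == EXPECTED_REPLY it behaves like a C2 host; with anything else, like an
    unrelated service. Returns the (host, port) it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(64)          # consume the probe
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo() -> List[Target]:
    """Scan three constructed targets: a fake C2, an unrelated service and a closed port."""
    c2 = start_fake_server(EXPECTED_REPLY)
    web = start_fake_server(b"HTTP/1.0 400 Bad Request\r\n")
    closed = ("127.0.0.1", 1)          # assumed to have nothing listening
    return find_c2_hosts([c2, web, closed])


if __name__ == "__main__":
    for host, port in demo():
        print(f"central control host candidate: {host}:{port}")
```

Only the leading bytes of the reply are compared, so padding or a trailing newline does not hide a match; a real scanner would also rate-limit, randomise target order and record the full reply for later fingerprinting rather than a boolean.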
With reference to Fig. 1, in step S130, a puppet machine controlled by a central control host is emulated according to the network protocol, so as to receive the attack instruction each central control host issues to its puppet machines and thereby discover the attack.
With reference to Fig. 3, in one specific embodiment step S130 comprises the following steps:
Step S131: send the check-in (online) message of the network protocol to each central control host found by the scan, to emulate a puppet machine under its control.
When launching a DDoS attack, the central control host communicates over the pre-agreed protocol with the many puppet machines it controls. Communicating with each central control host found by the scan according to the protocol recovered from the DDoS attack program sample therefore emulates a puppet machine and makes it possible to monitor each central control host. Specifically, the check-in message of the protocol is sent to each central control host found by the scan, signalling that the sender can receive its instructions, so that the sender passes as a puppet machine. The emulated puppet machine must reproduce whatever the protocol demands at check-in (a bot identifier, a version field, a checksum), or the central control host may reject it or never send it an instruction; and it must only record instructions, never act on them.
Step S132: receive the attack instruction issued by at least one of the central control hosts found by the scan.
When a central control host is about to launch an attack, it issues an attack instruction to every puppet machine, so the emulated puppet machine receives the attack instruction issued by the central control host that is launching the attack.
Step S133: parse the attack instruction to extract the IP address of the attack target, the IP address of the central control host and the attack type.
After the attack instruction is received, the instruction data is parsed to extract the IP address of the attack target (the destination host), the IP address of the central control host that launched the attack, and the attack type, for example TCP SYN flood, UDP flood, CC attack (an HTTP request flood) or DNS reflection.
With reference to Fig. 4, on the basis of the specific embodiment above, step S130 further comprises step S134.
Step S134: send the heartbeat packet of the network protocol to each central control host, to keep the communication connection with each of them alive.
A heartbeat packet is a custom structure that a client and server send to each other at a fixed interval to report their own state. Some network protocols require heartbeat packets to be sent at a certain interval; if the recovered DDoS protocol includes a heartbeat packet, the heartbeat packet of the protocol must be sent to each central control host so that the connection with each of them is maintained while no DDoS attack is taking place. Step S134 can be performed whenever no attack instruction has been received from a central control host, in order to keep the connection with each of them.
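Steps S131 to S134 as an added example, not code from the patent or from Alibaba: a Python emulation of a puppet machine that checks in with a central control host, sends heartbeats while idle, and decodes the first attack instruction it receives into the target IP, the central control host's IP and the attack type. The wire format (a one-byte message type followed by fixed-width fields), the attack-type numbering and the loopback stand-in for the central control host are assumptions standing in for whatever protocol step S110 recovers from a real sample.

```python
"""Added example: emulate a puppet machine to capture and decode the attack
instruction a central control host issues (steps S131-S134).

The message framing, the attack-type numbering and the loopback stand-in C2
are constructed assumptions, not the protocol of any real sample.
"""
import socket
import struct
import threading
from typing import Dict, Optional, Tuple

MSG_ONLINE = 0x01      # puppet -> C2: check-in ("online" message, step S131)
MSG_HEARTBEAT = 0x02   # puppet -> C2: keepalive (step S134)
MSG_ATTACK = 0x10      # C2 -> puppet: start attack (step S132)
MSG_STOP = 0x11        # C2 -> puppet: stop attack

# Assumed type byte -> attack class, using the classes the patent names.
ATTACK_TYPES = {1: "TCP SYN flood", 2: "UDP flood", 3: "CC (HTTP) attack", 4: "DNS reflection"}

# Assumed MSG_ATTACK payload: type(1) | target IPv4(4) | target port(2) | duration s(4)
ATTACK_FMT = "!B4sHI"
ATTACK_LEN = 1 + struct.calcsize(ATTACK_FMT)

Record = Dict[str, object]


def build_attack_command(attack_type: int, target_ip: str, port: int, seconds: int) -> bytes:
    """Encode an attack instruction as the (assumed) C2 protocol would carry it."""
    return bytes([MSG_ATTACK]) + struct.pack(
        ATTACK_FMT, attack_type, socket.inet_aton(target_ip), port, seconds)


def parse_attack_command(c2_ip: str, frame: bytes) -> Optional[Record]:
    """Step S133: extract target IP, C2 IP and attack type from a received frame.
    Returns None for anything that is not a complete attack instruction."""
    if len(frame) != ATTACK_LEN or frame[0] != MSG_ATTACK:
        return None
    atype, ip_raw, port, seconds = struct.unpack(ATTACK_FMT, frame[1:])
    return {
        "c2_ip": c2_ip,
        "target_ip": socket.inet_ntoa(ip_raw),
        "target_port": port,
        "attack_type": ATTACK_TYPES.get(atype, f"unknown({atype})"),
        "duration_s": seconds,
    }


def emulate_puppet(c2: Tuple[str, int], heartbeat_interval: float = 1.0,
                   max_heartbeats: int = 5) -> Optional[Record]:
    """Steps S131, S132 and S134: check in, send heartbeats while idle, and return the
    first attack instruction received. The instruction is only recorded, never executed."""
    with socket.create_connection(c2, timeout=heartbeat_interval) as s:
        s.sendall(bytes([MSG_ONLINE]))                  # S131: pass as a puppet machine
        for _ in range(max_heartbeats):
            try:
                frame = s.recv(256)                     # S132: wait for an instruction
            except socket.timeout:
                s.sendall(bytes([MSG_HEARTBEAT]))       # S134: keep the connection alive
                continue
            if not frame:
                return None                             # C2 closed the connection
            record = parse_attack_command(c2[0], frame)
            if record is not None:
                return record
    return None


def start_fake_c2(command: bytes, idle_heartbeats: int = 2) -> Tuple[str, int]:
    """Loopback stand-in (constructed) for a central control host: accepts one puppet,
    absorbs a few heartbeats, then issues `command`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        try:
            conn, _ = srv.accept()
            with conn:
                if conn.recv(1) != bytes([MSG_ONLINE]):
                    return                              # not a puppet: ignore it
                for _ in range(idle_heartbeats):
                    conn.recv(1)                        # MSG_HEARTBEAT
                conn.sendall(command)
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo() -> Optional[Record]:
    """Check in with a fake C2 that orders a SYN flood after two heartbeats."""
    c2 = start_fake_c2(build_attack_command(1, "203.0.113.10", 80, 600))
    return emulate_puppet(c2, heartbeat_interval=0.2)


if __name__ == "__main__":
    print(demo())
```

The emulator keeps the connection open across heartbeats and only returns once a well-formed attack frame arrives, so a STOP command or a truncated frame is skipped rather than misreported; the record it returns is what the output step would display or forward to the target.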
It should be noted that steps S110, S120 and S130 can be performed on the same device or on different devices; for example, to improve the performance of each step, they can each be performed on a different computer.
On the basis of the embodiment above, the method of this application can further comprise outputting and displaying the extracted IP address of the attack target, IP address of the central control host and attack type. The extracted IP address of the attack target (the destination host), the IP address of the central control host and the attack type can also be sent to the attack target, so that the host under attack can take DDoS defensive measures.
Existing DDoS defence systems can only learn which puppet machines an attack came from; they cannot learn which central control host directed the puppet machines, and so can hardly trace the real attacker behind them. By contrast, this application identifies the central control host that directs the puppet machines, and from it the real attacker can be traced. By monitoring the central control host that directs the puppet machines, this application learns the destination host to be attacked and the attack method to be used at the very moment the attack is launched.
Based on the same inventive concept as the method, this application also provides a device for discovering DDoS attacks. Fig. 5 is a schematic diagram of the device 5 for discovering DDoS attacks, which comprises:
an analysis unit 510, for performing network protocol analysis on a DDoS attack program sample to extract the network protocol the sample uses;
a search unit 520, for searching the network for hosts running a DDoS attack control program based on that network protocol and determining them to be central control hosts that control DDoS attacks;
a discovery unit 530, for emulating, according to the network protocol, a puppet machine controlled by a central control host, so as to receive the attack instruction each central control host issues to its puppet machines and thereby discover the attack.
Optionally, the analysis unit 510 is further configured to disassemble the DDoS attack program sample and recover from the disassembly the network protocol the sample uses.
Optionally, the analysis unit 510 is further configured to run the DDoS attack program sample and determine the network protocol it uses by capturing and analysing its packets.
Fig. 6 is a schematic diagram of the structure of the search unit 520 according to one embodiment of this application. With reference to Fig. 6, the search unit 520 optionally comprises:
a sending unit 521, for sending a packet of the network protocol to each host on the network;
a detection unit 522, for checking whether the packet returned by each host matches a predetermined result;
a determination unit 523, for determining the hosts whose returned packet matches the predetermined result to be central control hosts that control DDoS attacks.
Fig. 7 is a schematic diagram of the structure of one specific embodiment of the discovery unit 530 according to an embodiment of this application. With reference to Fig. 7, the discovery unit 530 comprises:
an emulation unit 531, for sending the check-in (online) message of the network protocol to each central control host found by the scan, to emulate a puppet machine under its control;
a receiving unit 532, for receiving the attack instruction issued by at least one of the central control hosts found by the scan;
a parsing unit 533, for parsing the attack instruction to extract the IP address of the attack target, the IP address of the central control host and the attack type.
Fig. 8 is a schematic diagram of the structure of another embodiment of the discovery unit 530 according to an embodiment of this application. With reference to Fig. 8, on the basis of the implementation shown in Fig. 7, the discovery unit 530 further comprises:
a heartbeat sending unit 534, for sending the heartbeat packet of the network protocol to each central control host, to keep the communication connection with each of them alive.
Optionally, the device 5 further comprises an output unit, for outputting and displaying the extracted IP address of the attack target, IP address of the central control host and attack type.
It should be noted that the application can be carried out in the assembly of software and/or software with hardware, For example, each device of the application can be using application specific integrated circuit (ASIC) or any other is similar hard Part equipment is realized.In one embodiment, the software program of the application can be by computing device To realize steps described above or function.Similarly, software program (including the related number of the application According to structure) can be stored in computer readable recording medium storing program for performing, for example, RAM memory, magnetic Or CD-ROM driver or floppy disc and similar devices.In addition, some steps or function of the application can be used Hardware is realized, for example, coordinating so as to perform the circuit of each step or function as with processor.
It is obvious to a person skilled in the art that the application is not limited to the thin of above-mentioned one exemplary embodiment Section, and in the case of without departing substantially from spirit herein or essential characteristic, can be with other specific Form realizes the application.Therefore, no matter from the point of view of which point, embodiment all should be regarded as exemplary , and be nonrestrictive, scope of the present application is limited by appended claims rather than described above It is fixed, it is intended that all changes fallen in the implication and scope of the equivalency of claim are included In the application.The right that any reference in claim should not be considered as involved by limitation will Ask.Furthermore, it is to be understood that " including " word is not excluded for other units or step, odd number is not excluded for plural number.System The multiple units or device stated in system claim can also pass through software by a unit or device Or hardware is realized.The first, the second grade word is used for representing title, and is not offered as any specific Order.
Although above specifically shown and describe exemplary embodiment, those skilled in the art will Will be appreciated that, in the case of the spirit and scope without departing substantially from claims, in its form and carefully Section aspect can be varied from.

Claims (14)

1. A method for discovering a DDoS attack, characterized in that the method comprises the following steps:
performing network protocol analysis on a DDoS attack program sample to extract the network protocol used by the DDoS attack program sample;
searching the network for hosts running a DDoS attack control program based on the network protocol, to determine them as the control hosts controlling the DDoS attack;
simulating, according to the network protocol, a puppet machine controlled by the control hosts, so as to receive the attack instructions issued by each control host to the puppet machine and thereby discover the attack.
2. The method according to claim 1, characterized in that the step of performing network protocol analysis on the DDoS attack program sample to extract the network protocol used by the DDoS attack program sample comprises:
performing disassembly analysis on the DDoS attack program sample to recover the network protocol used by the DDoS attack program sample.
3. The method according to claim 1, characterized in that the step of performing network protocol analysis on the DDoS attack program sample to extract the network protocol used by the DDoS attack program sample comprises:
running the DDoS attack program sample and analyzing, by packet capture, the network protocol used by the DDoS attack program sample.
4. The method according to claim 1, characterized in that the step of searching the network for hosts running a DDoS attack control program based on the network protocol, to determine them as the control hosts controlling the DDoS attack, comprises:
sending a packet of the network protocol to each host in the network;
detecting whether the packet returned by each host matches a predetermined result;
determining the hosts whose returned packets match the predetermined result as the control hosts controlling the DDoS attack.
5. The method according to claim 1, characterized in that the step of simulating, according to the network protocol, a puppet machine controlled by the control hosts, so as to receive the attack instructions issued by each control host to the puppet machine and thereby discover the attack, comprises:
sending the on-line protocol of the network protocol to each scanned control host, to simulate a puppet machine controlled by that control host;
receiving at least one attack instruction issued by each scanned control host;
parsing the attack instruction to extract the IP address of the attack target, the IP address of the control host and the attack type.
6. The method according to claim 5, characterized in that the step of simulating, according to the network protocol, a puppet machine controlled by the control hosts, so as to receive the attack instructions issued by each control host to the puppet machine and thereby discover the attack, further comprises:
sending a heartbeat packet of the network protocol to each control host, to maintain the communication connection with each control host.
7. The method according to claim 5, characterized in that it further comprises: outputting and displaying the extracted IP address of the attack target, the IP address of the control host and the attack type.
8. A device for discovering a DDoS attack, characterized in that the device comprises:
an analysis unit, configured to perform network protocol analysis on a DDoS attack program sample to extract the network protocol used by the DDoS attack program sample;
a searching unit, configured to search the network for hosts running a DDoS attack control program based on the network protocol, to determine them as the control hosts controlling the DDoS attack;
a discovery unit, configured to simulate, according to the network protocol, a puppet machine controlled by the control hosts, so as to receive the attack instructions issued by each control host to the puppet machine and thereby discover the attack.
9. The device according to claim 8, characterized in that the analysis unit is further configured to:
perform disassembly analysis on the DDoS attack program sample to recover the network protocol used by the DDoS attack program sample.
10. The device according to claim 8, characterized in that the analysis unit is further configured to:
run the DDoS attack program sample and analyze, by packet capture, the network protocol used by the DDoS attack program sample.
11. The device according to claim 8, characterized in that the searching unit comprises:
a transmitting unit, configured to send a packet of the network protocol to each host in the network;
a detection unit, configured to detect whether the packet returned by each host matches a predetermined result;
a determining unit, configured to determine the hosts whose returned packets match the predetermined result as the control hosts controlling the DDoS attack.
12. The device according to claim 8, characterized in that the discovery unit comprises:
a simulation unit, configured to send the on-line protocol of the network protocol to each scanned control host, so as to simulate a puppet machine controlled by that control host;
a receiving unit, configured to receive at least one attack instruction issued by each scanned control host;
a resolution unit, configured to parse the attack instruction and extract the IP address of the attack target, the IP address of the control host and the attack type.
13. The device according to claim 12, characterized in that the discovery unit further comprises:
a heartbeat packet transmitting unit, configured to send a heartbeat packet of the network protocol to each control host, to maintain the communication connection with each control host.
14. The device according to claim 12, characterized in that it further comprises: an output unit, configured to output and display the extracted IP address of the attack target, the IP address of the control host and the attack type.
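The three checks of claims 4 to 7, and of the matching units 521 to 534 in the description, in working form. This is an added example and is not code from the patent or from Alibaba: the frame layout, the message types, the attack-type codes and the controller replies below are all constructed for illustration, standing in for whatever protocol the analysis of claims 2 and 3 would actually recover from a sample. Nothing here sends traffic; the controller side is emulated by building the same frames locally.

```python
"""Toy emulation of the control-host check and attack-instruction parsing in
CN106921612A.  The protocol below is CONSTRUCTED for this example and does not
describe any real DDoS family."""
import ipaddress
import struct

# Constructed frame layout: 4-byte magic, 1-byte message type,
# 2-byte big-endian payload length, then the payload.
MAGIC = b"XMPL"                     # hypothetical magic value
HEADER = struct.Struct(">4sBH")

MSG_ONLINE = 0x01        # bot -> controller: the "on-line" protocol of claim 5
MSG_ONLINE_ACK = 0x02    # controller -> bot: the "predetermined result" of claim 4
MSG_HEARTBEAT = 0x03     # bot -> controller: keep-alive of claim 6
MSG_ATTACK = 0x04        # controller -> bot: attack instruction of claim 5

# Hypothetical attack-type codes; the patent only says an attack type is extracted.
ATTACK_TYPES = {1: "SYN flood", 2: "UDP flood", 3: "HTTP flood"}

# Constructed attack-instruction payload: target IPv4 (4), port (2), type (1), seconds (4)
ATTACK_PAYLOAD = struct.Struct(">4sHBI")


def build_frame(msg_type: int, payload: bytes = b"") -> bytes:
    """Serialise one frame of the constructed protocol."""
    return HEADER.pack(MAGIC, msg_type, len(payload)) + payload


def parse_frame(data: bytes):
    """Return (msg_type, payload), or None if data is not one well-formed frame."""
    if len(data) < HEADER.size:
        return None
    magic, msg_type, length = HEADER.unpack_from(data)
    if magic != MAGIC or len(data) != HEADER.size + length:
        return None
    return msg_type, data[HEADER.size:]


def build_online_packet(bot_id: str) -> bytes:
    """The protocol packet sent to a candidate host (claim 4) and used to go on-line (claim 5)."""
    return build_frame(MSG_ONLINE, bot_id.encode())


def build_heartbeat() -> bytes:
    """Heartbeat frame that keeps the simulated puppet machine's session alive (claim 6)."""
    return build_frame(MSG_HEARTBEAT)


def is_control_host_reply(response: bytes) -> bool:
    """Claim 4's check: does the returned packet match the predetermined result?

    Only a correctly framed ONLINE_ACK carrying the expected payload counts; a
    service banner or a truncated frame does not, which keeps false positives down.
    """
    parsed = parse_frame(response)
    return parsed is not None and parsed == (MSG_ONLINE_ACK, b"OK")


def parse_attack_instruction(frame: bytes, control_host_ip: str):
    """Claim 5's last step: extract target IP, control-host IP and attack type."""
    parsed = parse_frame(frame)
    if parsed is None or parsed[0] != MSG_ATTACK:
        return None
    payload = parsed[1]
    if len(payload) != ATTACK_PAYLOAD.size:
        return None
    raw_ip, port, type_code, seconds = ATTACK_PAYLOAD.unpack(payload)
    return {
        "target_ip": str(ipaddress.IPv4Address(raw_ip)),
        "target_port": port,
        "attack_type": ATTACK_TYPES.get(type_code, f"unknown({type_code})"),
        "duration_s": seconds,
        "control_host_ip": control_host_ip,   # taken from the connection, not the payload
    }


def demo():
    """Constructed controller-side messages so the example runs offline."""
    ack = build_frame(MSG_ONLINE_ACK, b"OK")            # what a control host would answer
    order = build_frame(MSG_ATTACK, ATTACK_PAYLOAD.pack(  # constructed instruction:
        bytes([192, 0, 2, 10]), 80, 2, 600))             # 192.0.2.10:80, UDP flood, 600 s
    return {
        "c2_detected": is_control_host_reply(ack),
        "banner_rejected": not is_control_host_reply(b"HTTP/1.1 400 Bad Request\r\n"),
        "instruction": parse_attack_instruction(order, "198.51.100.7"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The control-host IP is recorded from the connection that delivered the instruction rather than from the payload, which is what the output unit of claim 7 needs to show alongside the target and attack type; `parse_frame` rejects anything that is not a complete, correctly framed message so that an unrelated service answering the probe is never counted as a control host.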
CN201510990022.1A 2015-12-24 2015-12-24 Method and device for discovering a DDoS attack Pending CN106921612A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510990022.1A CN106921612A (en) 2015-12-24 2015-12-24 Method and device for discovering a DDoS attack
PCT/CN2016/109604 WO2017107804A1 (en) 2015-12-24 2016-12-13 Method and device for ddos attack identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510990022.1A CN106921612A (en) 2015-12-24 2015-12-24 Method and device for discovering a DDoS attack

Publications (1)

Publication Number Publication Date
CN106921612A true CN106921612A (en) 2017-07-04

Family

ID=59089090

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510990022.1A Pending CN106921612A (en) 2015-12-24 2015-12-24 Method and device for discovering a DDoS attack

Country Status (2)

Country Link
CN (1) CN106921612A (en)
WO (1) WO2017107804A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108200041A (en) * 2017-12-28 2018-06-22 贵阳忆联网络有限公司 Method and system for protecting against DDoS attacks
CN112398781A (en) * 2019-08-14 2021-02-23 大唐移动通信设备有限公司 Attack testing method, host server and control server

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112261029B (en) * 2020-10-16 2023-05-02 北京锐驰信安技术有限公司 DDoS malicious code detection and tracing method based on cultivation
CN113515750B (en) * 2021-07-22 2022-06-28 苏州知微安全科技有限公司 Attack detection method and device under high-speed flow
CN114844666B (en) * 2022-03-16 2023-06-06 西安交通大学 Network traffic analysis and reconstruction method and device
CN114866347B (en) * 2022-07-06 2022-09-30 浙江御安信息技术有限公司 Network security early warning method for DDoS attack recognition based on artificial intelligence

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101321171A (en) * 2008-07-04 2008-12-10 北京锐安科技有限公司 Method and apparatus for detecting distributed denial of service attack
CN101360019A (en) * 2008-09-18 2009-02-04 华为技术有限公司 Detection method, system and apparatus of zombie network
CN102546298A (en) * 2012-01-06 2012-07-04 北京大学 Botnet family detection method based on active probing
US20130074183A1 (en) * 2011-09-16 2013-03-21 Electronics And Telecommunications Research Institute Method and apparatus for defending distributed denial-of-service (ddos) attack through abnormally terminated session
CN103997489A (en) * 2014-05-09 2014-08-20 北京神州绿盟信息安全科技股份有限公司 Method and device for recognizing DDoS bot network communication protocol


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108200041A (en) * 2017-12-28 2018-06-22 贵阳忆联网络有限公司 Method and system for protecting against DDoS attacks
CN112398781A (en) * 2019-08-14 2021-02-23 大唐移动通信设备有限公司 Attack testing method, host server and control server
CN112398781B (en) * 2019-08-14 2022-04-08 大唐移动通信设备有限公司 Attack testing method, host server and control server

Also Published As

Publication number Publication date
WO2017107804A1 (en) 2017-06-29

Similar Documents

Publication Publication Date Title
CN106921612A (en) Method and device for discovering a DDoS attack
CN109067815B (en) Attack event tracing analysis method, system, user equipment and storage medium
CN108629180B (en) Abnormal operation determination method and device, storage medium and electronic device
CN101582833B (en) Method and device for processing spoofed IP data packet
CN107612924B (en) Attacker positioning method and device based on wireless network intrusion
EP3068095B1 (en) Monitoring apparatus and method
CN107360162B (en) Network application protection method and device
US10282542B2 (en) Information processing apparatus, information processing method, and computer readable medium
CN107786564B (en) Attack detection method and system based on threat intelligence and electronic equipment
CN105991628A (en) Network attack identification method and network attack identification device
KR102271545B1 (en) Systems and Methods for Domain Generation Algorithm (DGA) Malware Detection
CN108400955B (en) Network attack protection method and system
US9866575B2 (en) Management and distribution of virtual cyber sensors
CN109639744A (en) A kind of detection method and relevant device in the tunnel DNS
CN107465702B (en) Early warning method and device based on wireless network intrusion
CN107566401B (en) Protection method and device for virtualized environment
CN103701816B (en) Perform the scan method and scanning means of the server of Denial of Service attack
JP6174520B2 (en) Malignant communication pattern detection device, malignant communication pattern detection method, and malignant communication pattern detection program
CN111385270A (en) WAF-based network attack detection method and device
CN106549980A (en) A kind of malice C&C server determines method and device
CN106789849A (en) CC attack recognitions method, node and system
CN113496033A (en) Access behavior recognition method and device and storage medium
CN111084988A (en) Virtual item generation method and device, storage medium and electronic device
CN113904820A (en) Network intrusion prevention method, system, computer and readable storage medium
CN109189972A (en) A kind of target whereabouts determine method, apparatus, equipment and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20170704)