CN107241304A - A kind of detection method and device of DDos attacks - Google Patents


Info

Publication number: CN107241304A
Authority: CN (China)
Prior art keywords: server, traffic characteristic, description information, characteristic description, flow
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610189056.5A
Other languages: Chinese (zh)
Other versions: CN107241304B (en)
Inventors: 张钊, 胡闽, 程行峰
Current Assignee: Alibaba Group Holding Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Alibaba Group Holding Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Events:
Application filed by Alibaba Group Holding Ltd
Priority to CN201610189056.5A
Publication of CN107241304A
Application granted
Publication of CN107241304B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application relates to the field of cloud computing, and in particular to a method and device for detecting DDoS attacks, so that accurate DDoS detection can be carried out inside a cloud computing environment. The method is as follows: a server extracts, from its own total output traffic, the traffic characteristic description information for each destination IP; it then matches the traffic characteristic description information of each destination IP against a preset rule set to obtain a matching result, and determines from the matching result whether the server exhibits DDoS attack behaviour. In this way DDoS attacks can be detected accurately and promptly inside the cloud computing environment, making it easy to stop a server inside the environment in time from attacking other servers of the same cloud computing environment and other hosts outside it, which safeguards the overall security and operational reliability of the cloud computing environment. Furthermore, the up-front development cost and the later operations and maintenance cost are greatly reduced.

Description

A detection method and device for DDoS attacks
Technical field
The present invention relates to the field of cloud computing, and in particular to a method and device for detecting DDoS attacks.
Background technology
Cloud computing is an internet-based model of computation in which shared software and hardware resources and information are supplied on demand to computers and other devices.
In a cloud computing environment, one of the most common forms of attack is the distributed denial of service (DDoS) attack. A DDoS attack uses client/server technology to join multiple computers together as an attack platform and launch attacks against one or more targets, thereby multiplying the power of a denial-of-service attack.
As shown in Fig. 1, under normal circumstances a hacker installs a DDoS master control program on one computer, which acts as the attacker. At a set time, the attacker communicates through the master program with a large number of computers on which an agent program has been installed; these computers on the Internet are referred to as puppet machines. When they receive an attack instruction from the attacker, the puppet machines launch the attack. Using client/server technology, the attacker can activate hundreds or thousands of puppet machines within seconds.
The puppet machines are machines under the hacker's remote control. They have been broken into by the hacker or, through user carelessness, implanted with a trojan, so that the hacker can control them at will and use them for anything. A puppet machine can run any system, such as Windows, Linux or Unix, and may even be a server belonging to a company, enterprise, school or government body.
For current DDoS attacks, the detection scheme in use is as follows: the system obtains the network mirror traffic of the cloud computing environment by methods such as switch port mirroring or optical splitting; this mirror traffic covers the traffic of every host in the cloud computing environment. The system then judges whether the size of the mirror traffic exceeds an early-warning value and, if it does, determines that a host is under DDoS attack. For the IP of each host detected as being attacked, the traffic is steered to a DDoS scrubbing cluster for cleaning, and finally the clean traffic is re-injected.
However, in the prior art the traffic detection system that obtains the mirror traffic is generally located at the exit of the cloud machine room or at the exit connecting to the carrier. Current DDoS detection schemes can therefore only detect attacks from hosts outside the cloud computing environment against internal hosts; moreover, because mirroring this part of the traffic is highly complex, there is at present no effective solution.
Summary of the invention
The embodiments of this application provide a method and device for detecting DDoS attacks, so that accurate DDoS detection can be carried out inside a cloud computing environment.
The specific technical scheme provided by the embodiments of this application is as follows:
A method for detecting DDoS attacks, comprising:
the server extracting, based on the local total output traffic, the traffic characteristic description information of each destination IP that has a connection with the server, where the traffic characteristic description information of a destination IP characterizes the transmission state of the output traffic between that destination IP and the server;
the server matching the traffic characteristic description information of each destination IP against a preset rule set and obtaining a matching result;
the server determining, according to the matching result, whether the server exhibits DDoS attack behaviour.
Optionally, before the server extracts the traffic characteristic description information of each destination IP connected to it based on the local total output traffic, the method further comprises:
the server calculating the size of the local total output traffic and determining that it reaches a set threshold.
Optionally, the server determining that the size of the local total output traffic reaches the set threshold comprises:
the server determining that the size of the local total output traffic reaches the set threshold when any one of the following statistical parameters reaches its respective threshold:
the number of bits sent in the outbound direction per unit time;
the number of request packets sent in the outbound direction per unit time;
the number of HTTP requests sent in the outbound direction per unit time;
the number of new connections in the outbound direction per unit time.
Optionally, the server extracting, based on the total output traffic, the traffic characteristic description information of each destination IP connected to it comprises:
the server extracting, based on the total output traffic and for each destination IP, one or any combination of the following parameters as the corresponding traffic characteristic description information:
the output traffic rate from the server to the destination IP;
the types of output packets from the server to the destination IP;
the number of abnormal packets among the output packets from the server to the destination IP.
Optionally, the server determining from the matching result whether it exhibits DDoS attack behaviour comprises:
the server determining that, for at least one destination IP, the total number of rules in the rule set hit by the parameters contained in that destination IP's traffic characteristic description information reaches a preset hit threshold, and thereupon determining that the match succeeded and that the server exhibits DDoS attack behaviour.
Optionally, after determining that the server exhibits DDoS attack behaviour, the method further comprises:
the server determining the set of destination IPs targeted by its own DDoS attack behaviour;
the server dropping or rate-limiting the traffic in the outbound direction of each destination IP in the set.
Optionally, the method further comprises:
when the server detects that the size of the local total output traffic has fallen below the set threshold, stopping the dropping or rate-limiting in the outbound direction of each destination IP in the set.
Optionally, the method further comprises:
when the server determines that the traffic characteristic description information of any destination IP in the set no longer matches the preset rule set, stopping the dropping or rate-limiting in the outbound direction of that destination IP.
A device for detecting DDoS attacks, comprising:
an extraction unit for extracting, based on the local total output traffic, the traffic characteristic description information of each destination IP that has a connection with the device, where the traffic characteristic description information of a destination IP characterizes the transmission state of the output traffic between that destination IP and the device;
a matching unit for matching the traffic characteristic description information of each destination IP against a preset rule set and obtaining a matching result;
a processing unit for determining, according to the matching result, whether the device exhibits DDoS attack behaviour.
Optionally, before extracting the traffic characteristic description information of each destination IP connected to the device based on the local total output traffic, the extraction unit is further used for:
calculating the size of the local total output traffic and determining that it reaches a set threshold.
Optionally, when determining that the size of the local total output traffic reaches the set threshold, the extraction unit is used for:
determining that the size of the local total output traffic reaches the set threshold when any one of the following statistical parameters reaches its respective threshold:
the number of bits sent in the outbound direction per unit time;
the number of request packets sent in the outbound direction per unit time;
the number of HTTP requests sent in the outbound direction per unit time;
the number of new connections in the outbound direction per unit time.
Optionally, when extracting the traffic characteristic description information of each destination IP connected to the device based on the total output traffic, the extraction unit is used for:
extracting, based on the total output traffic and for each destination IP, one or any combination of the following parameters as the corresponding traffic characteristic description information:
the output traffic rate from the device to the destination IP;
the types of output packets from the device to the destination IP;
the number of abnormal packets among the output packets from the device to the destination IP.
Optionally, when determining from the matching result whether the device exhibits DDoS attack behaviour, the processing unit is used for:
determining that, for at least one destination IP, the total number of rules in the rule set hit by the parameters contained in that destination IP's traffic characteristic description information reaches a preset hit threshold, and thereupon determining that the device exhibits DDoS attack behaviour.
Optionally, after determining that the device exhibits DDoS attack behaviour, the processing unit is further used for:
determining the set of destination IPs targeted by the device's own DDoS attack behaviour;
dropping or rate-limiting the traffic in the outbound direction of each destination IP in the set.
Optionally, the processing unit is further used for:
when detecting that the size of the local total output traffic has fallen below the set threshold, stopping the dropping or rate-limiting in the outbound direction of each destination IP in the set.
Optionally, the processing unit is further used for:
when determining that the traffic characteristic description information of any destination IP in the set no longer matches the preset rule set, stopping the dropping or rate-limiting in the outbound direction of that destination IP.
The beneficial effects of this application are as follows:
In the embodiments of this application, a server extracts from its own total output traffic the traffic characteristic description information for each destination IP, matches the traffic characteristic description information of each destination IP against a preset rule set to obtain a matching result, and determines from the matching result whether the server exhibits DDoS attack behaviour. In this way DDoS attacks can be detected accurately and promptly inside the cloud computing environment, making it easy to stop a server inside the environment in time from attacking other servers of the same cloud computing environment and other hosts outside it, which safeguards the overall security and operational reliability of the cloud computing environment. Furthermore, the up-front development cost and the later operations and maintenance cost are greatly reduced.
Brief description of the drawings
Fig. 1 is a schematic diagram of an attacker launching a DDoS attack through puppet machines in the prior art;
Fig. 2 is a flowchart of DDoS attack detection inside a cloud computing environment in an embodiment of this application;
Fig. 3 is a schematic diagram of the functional structure of the server in an embodiment of this application.
Detailed description
To perform accurate DDoS detection inside a cloud computing environment, the embodiments of this application deploy a kernel module on each server inside the environment. Through the installed kernel module the server obtains all of its local traffic, so that by monitoring its own traffic the server can judge whether it is itself a host initiating DDoS attacks.
Preferred embodiments of this application are described further below with reference to the drawings.
After a server has been compromised and turned into a puppet machine it is often used for DDoS attacks; however, to make attacking easier, the server usually keeps providing its normal service and only launches attacks inside the cloud computing environment after receiving the attacker's instruction. Therefore, in the embodiments of this application a kernel module is installed on the server so that the server can independently discover its own DDoS attack behaviour and defend effectively, avoiding DDoS attacks on other servers in the same cloud computing environment and compensating for the shortcomings of existing detection methods based on network mirror traffic.
As shown in Fig. 2, in the embodiments of this application the detailed process by which a server inside the cloud computing environment detects DDoS attacks is as follows:
Step 200: the server obtains its local total output traffic.
In practice the server can obtain all of its output traffic through a locally deployed kernel module using filter or hook techniques.
Normally, once a server has been compromised and turned into a puppet machine, it attacks other servers belonging to the same cloud computing environment when it receives the attacker's instruction. The server therefore needs to monitor its own output traffic periodically to judge whether it exhibits DDoS attack behaviour. Preferably, the server's measurement period is set to 5 s or less.
Step 201: the server judges whether the size of the local total output traffic reaches the set threshold. If so, step 202 is performed; otherwise, return to step 200.
Step 201 is performed because calculating the size of the total output traffic is a light load for the server, whereas the subsequent traffic feature analysis is a heavy load; carrying out the feature analysis only after the total output traffic has reached the set threshold therefore reduces the server's load. Of course, if the server has ample computing capacity it can skip the judgement of whether the total output traffic reaches the set threshold and go directly to the traffic feature analysis; step 201 is only a preferred implementation in this embodiment and is not elaborated further.
Further, when performing step 201 the server can determine that the size of the local total output traffic reaches the set threshold when any one of the following statistical parameters reaches its respective threshold. The statistical parameters that can be used include, but are not limited to:
the number of bits transmitted in the outbound direction per unit time (e.g., per second) (BPS); the number of request packets transmitted in the outbound direction per unit time (e.g., per second) (PPS); the number of HTTP requests transmitted in the outbound direction per unit time (e.g., per second) (QPS); and the number of new connections in the outbound direction per unit time (e.g., per second).
When any one of these statistical parameters reaches its respective threshold, the server has experienced a surge of traffic in the outbound direction, which is a sign that DDoS attack behaviour may exist.
Step 202: the server counts the output traffic rate from itself to each destination IP.
Specifically, the server can separate the total output toward each destination IP within the total output traffic and then measure its rate to obtain the traffic rate of each destination IP.
Step 203: the server counts the types of output packets from itself to each destination IP.
A server may run multiple tasks in parallel, so the types of packets transmitted to different destination IPs can differ; for example, packets transmitted to destination IP 1 may be Transmission Control Protocol (TCP) packets while those transmitted to destination IP 2 are User Datagram Protocol (UDP) packets.
Step 204: the server counts the number of abnormal packets among the output packets to each destination IP.
Normally, the output packets to a destination IP may carry abnormal packets. A so-called abnormal packet usually complies with the corresponding protocol format but differs clearly from ordinary packets and seldom occurs in normal traffic.
In general there are four kinds of abnormal packets:
1. Internet Control Message Protocol (ICMP) messages whose length exceeds a set length threshold (e.g., 128 bit).
2. UDP messages whose payload content is repeated.
3. TCP SYN messages without OPTION fields, where SYN denotes the handshake (synchronous) message.
4. TCP SYN messages that carry a payload.
The presence of abnormal packets may be a sign of DDoS attack behaviour.
The output traffic rate to a destination IP counted in step 202, the output packet types counted in step 203 and the number of abnormal packets among the output packets counted in step 204 are collectively called the traffic characteristic description information; together they describe the transmission state of the output traffic between the server and the corresponding destination IP. In practice any one of these three classes of parameters may be counted, or any combination of them, and other parameters may be added; this embodiment is described using all three parameters as an example and does not elaborate further.
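The four abnormal packet kinds of step 204 as a classifier over raw IPv4 packets, an added example that is not the patent's code. The sample packets are constructed with struct; the ICMP threshold (stated on the page as 128 bit) is applied here to the IPv4 total length in bytes, which is an assumption of this example.

```python
"""Classify outbound packets into the abnormal kinds named in step 204 and count
them per destination IP. Packets are raw IPv4 frames without a link-layer header."""
import socket
import struct

# The page gives the threshold as 128 (bit); this example applies it to the
# packet's IPv4 total length in bytes, an assumption for the sake of the demo.
ICMP_LEN_THRESHOLD = 128
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_ipv4(proto, dst, transport, src="10.0.0.1"):
    """Minimal IPv4 header (IHL=5, no options) followed by a transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + transport


def build_tcp(flags, options=b"", payload=b"", sport=40000, dport=80):
    """TCP header; options are padded to 4 bytes and reflected in the data offset."""
    options += b"\x00" * (-len(options) % 4)
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, 65535, 0, 0)
    return hdr + options + payload


def build_udp(payload, sport=40000, dport=53):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_echo(payload):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload


def is_repeated_payload(payload, min_len=8):
    """True when the payload is one short pattern repeated end to end ('AAAA...')."""
    n = len(payload)
    if n < min_len:
        return False
    return any(n % p == 0 and payload[:p] * (n // p) == payload
               for p in range(1, n // 2 + 1))


def classify(packet):
    """Return (destination IP, abnormal kind) for one packet; kind is None if normal."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    dst = socket.inet_ntoa(packet[16:20])
    seg = packet[ihl:total_len]
    if proto == 1 and total_len > ICMP_LEN_THRESHOLD:          # kind 1: oversized ICMP
        return dst, "icmp_huge"
    if proto == 17 and is_repeated_payload(seg[8:]):           # kind 2: repeated UDP payload
        return dst, "udp_repeated_payload"
    if proto == 6:
        doff, flags = (seg[12] >> 4) * 4, seg[13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            if doff == 20:                                     # kind 3: SYN with no options
                return dst, "syn_without_options"
            if len(seg) > doff:                                # kind 4: SYN carrying data
                return dst, "syn_with_payload"
    return dst, None


def count_abnormal(packets):
    """Step 204: per destination IP, total packets and abnormal packets by kind."""
    counts = {}
    for pkt in packets:
        dst, kind = classify(pkt)
        per_dst = counts.setdefault(dst, {"total": 0})
        per_dst["total"] += 1
        if kind:
            per_dst[kind] = per_dst.get(kind, 0) + 1
            per_dst["abnormal"] = per_dst.get("abnormal", 0) + 1
    return counts


# Constructed sample packets (not captured traffic); 10.0.0.3 receives the abnormal ones.
MSS_OPTION = b"\x02\x04\x05\xb4"
SAMPLE_PACKETS = {
    "normal_syn": build_ipv4(6, "10.0.0.2", build_tcp(TCP_SYN, options=MSS_OPTION)),
    "syn_no_options": build_ipv4(6, "10.0.0.3", build_tcp(TCP_SYN)),
    "syn_with_payload": build_ipv4(6, "10.0.0.3", build_tcp(
        TCP_SYN, options=MSS_OPTION, payload=b"GET / HTTP/1.1\r\n")),
    "dns_query": build_ipv4(17, "10.0.0.2", build_udp(
        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")),
    "udp_flood": build_ipv4(17, "10.0.0.3", build_udp(b"A" * 32)),
    "ping": build_ipv4(1, "10.0.0.2", build_icmp_echo(b"\x00" * 56)),
    "icmp_huge": build_ipv4(1, "10.0.0.3", build_icmp_echo(b"\x00" * 200)),
}

if __name__ == "__main__":
    for dst, c in count_abnormal(SAMPLE_PACKETS.values()).items():
        print(dst, c)
```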
Step 205: the server matches the three classes of parameters obtained above against the preset rule set and judges whether the match succeeds. If so, step 206 is performed; otherwise, return to step 200.
Specifically, the server can keep a rule set preconfigured by administrators, or fetch the latest rule set in real time from a service endpoint. The rule set describes the features of DDoS attacks; each rule records the behaviour of any one parameter, or any combination of parameters, of the traffic characteristic description information during a DDoS attack.
Taking any destination IP as an example (hereafter destination IP X), when performing the matching the server matches each parameter recorded in the traffic characteristic description information of destination IP X against each rule in the preset rule set and records the total number of rules hit. When the total number of rules hit reaches the set hit threshold, the match for destination IP X succeeds, that is, the server exhibits DDoS attack behaviour toward destination IP X.
For example, suppose the rule set contains the following rules:
Rule 1: syn>0.5&&bps>1.
Rule 1 means that the BPS in the outbound direction of a destination IP is greater than 1 Mbps and the proportion of handshake (synchronous, SYN) messages that establish new connections is greater than 50%.
Rule 2: qps>1000 or pps>5000.
Rule 2 means that the QPS in the outbound direction of a destination IP is greater than 1000, or the PPS in the outbound direction is greater than 5000.
Rule 3: icmphuge/pps>0.3.
Rule 3 means that abnormal ICMP packets (message length greater than 128 bit) in the outbound direction of a destination IP make up more than 30% of all outgoing messages.
Suppose the traffic characteristic description information of destination IP X is QPS=2000, all of them HTTP request messages. This hits rule 2 above, which indicates that the server exhibits DDoS behaviour toward destination IP X.
Of course, a server may attack multiple destination IPs at the same time, so through the matching process the server can filter out the set of destination IPs that are targets of its own DDoS attacks (containing at least one attacked destination IP).
Step 206: the server determines that it exhibits DDoS attack behaviour.
In this way the server can monitor itself autonomously in real time, discover its own DDoS attack behaviour at any time, and intercept DDoS attacks promptly.
Specifically, when intercepting DDoS attacks, the server can determine the set of destination IPs targeted by its own DDoS attack behaviour and then drop or rate-limit the traffic in the outbound direction of each destination IP in that set. For other destination IPs not in the set, the server passes the corresponding output traffic normally, so service to those destination IPs is not affected.
Of course, when the server detects that the total output traffic has returned to a normal value, it can stop dropping or rate-limiting in the outbound direction of each destination IP in the set. Alternatively, when the server determines that the traffic characteristic description information of any destination IP in the set no longer matches the preset rule set, it stops dropping or rate-limiting in that destination IP's outbound direction.
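Steps 201 and 205 through 206, together with the two release conditions, as a detection cycle over per-destination counters. This is an added example and not the patent's implementation; the three rules are the page's own, while the total-traffic thresholds, the hit threshold of one rule, and the sample counters are assumptions constructed for the demo.

```python
"""Rule matching and outbound rate-limit bookkeeping for one measurement cycle.
Per-destination counters are assumed to come from the server's own traffic
extraction (steps 202-204); the values below are constructed, not measured."""
from dataclasses import dataclass


@dataclass
class DestStats:
    """Traffic characteristic description information for one destination IP."""
    bps_mbit: float   # outbound bits per second, in Mbit/s
    pps: int          # outbound packets per second
    qps: int          # outbound HTTP requests per second
    syn_ratio: float  # fraction of outbound packets that are TCP SYN
    icmp_huge: int    # abnormal (oversized) ICMP packets per second


# Step 201: total-traffic thresholds. Only the parameter names are on the page;
# the numbers are assumptions of this example.
TOTAL_THRESHOLDS = {"bps_mbit": 100.0, "pps": 50_000, "qps": 20_000, "new_conn": 5_000}

# Step 205: a destination counts as matched once this many rules hit (assumed value).
HIT_THRESHOLD = 1

# The three rules from the page's worked example, as predicates over DestStats.
RULES = {
    "rule1 syn>0.5&&bps>1": lambda s: s.syn_ratio > 0.5 and s.bps_mbit > 1,
    "rule2 qps>1000 or pps>5000": lambda s: s.qps > 1000 or s.pps > 5000,
    "rule3 icmphuge/pps>0.3": lambda s: s.pps > 0 and s.icmp_huge / s.pps > 0.3,
}


def total_traffic_reaches_threshold(totals):
    """Step 201: any one statistic at or above its threshold triggers feature analysis."""
    return any(totals.get(k, 0) >= v for k, v in TOTAL_THRESHOLDS.items())


def hit_rules(stats):
    """Names of the rules that a destination's counters satisfy."""
    return [name for name, pred in RULES.items() if pred(stats)]


class Detector:
    """Tracks which destination IPs are currently rate-limited across cycles."""

    def __init__(self):
        self.limited = set()

    def cycle(self, totals, per_dest):
        """Run one measurement cycle (the page suggests a period of 5 s or less).
        Returns (attacking, {ip: action}); action is 'rate_limit' for a newly
        matched IP and 'release' for one whose limiting is stopped."""
        if not total_traffic_reaches_threshold(totals):
            # Total output traffic is back to normal: stop limiting every IP.
            actions = {ip: "release" for ip in self.limited}
            self.limited.clear()
            return False, actions
        matched = {ip for ip, s in per_dest.items()
                   if len(hit_rules(s)) >= HIT_THRESHOLD}
        actions = {ip: "rate_limit" for ip in matched - self.limited}
        # Second release condition: features no longer match the rule set.
        actions.update({ip: "release" for ip in self.limited - matched})
        self.limited = matched
        return bool(matched), actions


# Constructed sample cycles (not measurements).
TOTALS_HIGH = {"bps_mbit": 250.0, "pps": 60_000, "qps": 2_100, "new_conn": 900}
TOTALS_NORMAL = {"bps_mbit": 20.0, "pps": 4_000, "qps": 300, "new_conn": 40}
NORMAL = DestStats(bps_mbit=12.0, pps=1_500, qps=300, syn_ratio=0.02, icmp_huge=0)
CYCLE1 = {
    "10.0.0.2": NORMAL,
    # The page's example: QPS=2000, all HTTP requests, hits rule 2.
    "10.0.0.3": DestStats(bps_mbit=8.0, pps=2_000, qps=2_000, syn_ratio=0.0, icmp_huge=0),
    # Mostly SYN packets at 40 Mbit/s: hits rule 1, and rule 2 on pps.
    "10.0.0.4": DestStats(bps_mbit=40.0, pps=50_000, qps=0, syn_ratio=0.9, icmp_huge=0),
}
CYCLE2 = {"10.0.0.2": NORMAL, "10.0.0.3": NORMAL, "10.0.0.4": CYCLE1["10.0.0.4"]}

if __name__ == "__main__":
    det = Detector()
    for totals, per_dest in ((TOTALS_HIGH, CYCLE1), (TOTALS_HIGH, CYCLE2),
                             (TOTALS_NORMAL, CYCLE2)):
        print(det.cycle(totals, per_dest))
```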
Based on the above embodiment, as shown in Fig. 3, in the embodiments of this application the device for detecting DDoS attacks (that is, the server) includes at least an extraction unit 31, a matching unit 32 and a processing unit 33, where:
the extraction unit 31 is used for extracting, based on the local total output traffic, the traffic characteristic description information of each destination IP that has a connection with the device, where the traffic characteristic description information of a destination IP characterizes the transmission state of the output traffic between that destination IP and the device;
the matching unit 32 is used for matching the traffic characteristic description information of each destination IP against a preset rule set and obtaining a matching result;
the processing unit 33 is used for determining, according to the matching result, whether the device exhibits DDoS attack behaviour.
Optionally, before extracting the traffic characteristic description information of each destination IP connected to the device based on the local total output traffic, the extraction unit 31 is further used for:
calculating the size of the local total output traffic and determining that it reaches a set threshold.
Optionally, when determining that the size of the local total output traffic reaches the set threshold, the extraction unit 31 is used for:
determining that the size of the local total output traffic reaches the set threshold when any one of the following statistical parameters reaches its respective threshold:
the number of bits sent in the outbound direction per unit time;
the number of request packets sent in the outbound direction per unit time;
the number of HTTP requests sent in the outbound direction per unit time;
the number of new connections in the outbound direction per unit time.
Optionally, when extracting the traffic characteristic description information of each destination IP connected to the device based on the total output traffic, the extraction unit 31 is used for:
extracting, based on the total output traffic and for each destination IP, one or any combination of the following parameters as the corresponding traffic characteristic description information:
the output traffic rate from the device to the destination IP;
the types of output packets from the device to the destination IP;
the number of abnormal packets among the output packets from the device to the destination IP.
Optionally, when determining from the matching result whether the server exhibits DDoS attack behaviour, the processing unit 33 is used for:
determining that, for at least one destination IP, the total number of rules in the rule set hit by the parameters contained in that destination IP's traffic characteristic description information reaches a preset hit threshold, and thereupon determining that the server exhibits DDoS attack behaviour.
Optionally, after determining that the device exhibits DDoS attack behaviour, the processing unit 33 is further used for:
determining the set of destination IPs targeted by the device's own DDoS attack behaviour;
dropping or rate-limiting the traffic in the outbound direction of each destination IP in the set.
Optionally, the processing unit 33 is further used for:
when detecting that the size of the local total output traffic has fallen below the set threshold, stopping the dropping or rate-limiting in the outbound direction of each destination IP in the set.
Optionally, the processing unit 33 is further used for:
when determining that the traffic characteristic description information of any destination IP in the set no longer matches the preset rule set, stopping the dropping or rate-limiting in the outbound direction of that destination IP.
In summary, in the embodiment of the present application, server is extracted and is directed to respectively from the output total flow of itself Each purpose IP traffic characteristic description information, then the traffic characteristic of each purpose IP is described Information is matched with default rule set, obtains matching result, and according to matching result, determine institute Server is stated with the presence or absence of DDos attacks.So, can be inside cloud computing environment, accurately and timely Ground detects DDos attacks, is easy to prevent the server inside cloud computing environment in time, to belonging to cloud together Other servers of computing environment and the DDos attacks to other main frames outside cloud computing environment, are ensured The overall security and operational reliability of cloud computing environment.Further, it has been greatly reduced opening for early stage Send out cost and the O&M cost in later stage.
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art, once aware of the basic inventive concept, may make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and modifications to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if these modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to encompass these changes and modifications.

Claims (16)

1. A method for detecting a distributed denial of service (DDoS) attack, characterized in that it comprises:
a server extracting, based on its local total outbound traffic, traffic characteristic description information for each destination IP that has a connection with the server, wherein the traffic characteristic description information of a destination IP is used to characterize the transmission state of the outbound traffic between that destination IP and the server;
the server matching the traffic characteristic description information of each destination IP against a preset rule set, respectively, to obtain a matching result; and
the server determining, according to the matching result, whether a DDoS attack is present on the server.
2. The method according to claim 1, characterized in that, before the server extracts, based on the local total outbound traffic, the traffic characteristic description information for each destination IP that has a connection with the server, the method further comprises:
the server calculating the size of the local total outbound traffic and determining that the size of the local total outbound traffic reaches a preset threshold.
3. The method according to claim 2, characterized in that the server determining that the size of the local total outbound traffic reaches the preset threshold comprises:
the server determining that the size of the local total outbound traffic reaches the preset threshold when it judges that any one of the following statistical parameters reaches its respective threshold:
the number of bits sent per unit time in the outbound direction;
the number of request packets sent per unit time in the outbound direction;
the number of HTTP requests sent per unit time in the outbound direction;
the number of new connections established per unit time in the outbound direction.
4. The method according to claim 1, characterized in that the server extracting, based on the total outbound traffic, the traffic characteristic description information for each destination IP that has a connection with the server comprises:
the server extracting, based on the total outbound traffic, for each destination IP respectively, one or any combination of the following parameters as the corresponding traffic characteristic description information:
the rate of outbound traffic from the server to the destination IP;
the type of outbound packets from the server to the destination IP;
the number of abnormal packets among the outbound packets from the server to the destination IP.
5. The method according to any one of claims 1 to 4, characterized in that the server determining, according to the matching result, whether a DDoS attack is present on the server comprises:
the server determining that a DDoS attack is present on the server when the total number of rules in the rule set hit by the parameters included in the traffic characteristic description information of at least one destination IP reaches a preset hit threshold.
6. The method according to any one of claims 1 to 4, characterized in that, after determining that a DDoS attack is present on the server, the method further comprises:
the server determining the set of destination IPs targeted by its own DDoS attack; and
the server dropping traffic or applying rate limiting in the outbound direction for each destination IP in the set of destination IPs.
7. The method according to claim 6, characterized in that it further comprises:
when the server detects that the size of the local total outbound traffic is below the preset threshold, stopping the traffic dropping or stopping the rate limiting in the outbound direction for each destination IP in the set of destination IPs.
8. The method according to claim 6, characterized in that it further comprises:
when the server determines that the traffic characteristic description information of any destination IP in the set of destination IPs no longer matches the preset rule set, stopping the traffic dropping or stopping the rate limiting in the outbound direction for that destination IP.
9. A device for detecting a distributed denial of service (DDoS) attack, characterized in that it comprises:
an extraction unit, configured to extract, based on local total outbound traffic, traffic characteristic description information for each destination IP that has a connection with the device, wherein the traffic characteristic description information of a destination IP is used to characterize the transmission state of the outbound traffic between that destination IP and the device;
a matching unit, configured to match the traffic characteristic description information of each destination IP against a preset rule set, respectively, to obtain a matching result; and
a processing unit, configured to determine, according to the matching result, whether a DDoS attack is present on the device.
10. The device according to claim 9, characterized in that, before extracting, based on the local total outbound traffic, the traffic characteristic description information for each destination IP that has a connection with the device, the extraction unit is further configured to:
calculate the size of the local total outbound traffic and determine that the size of the local total outbound traffic reaches a preset threshold.
11. The device according to claim 10, characterized in that, in determining that the size of the local total outbound traffic reaches the preset threshold, the extraction unit is configured to:
determine that the size of the local total outbound traffic reaches the preset threshold when it judges that any one of the following statistical parameters reaches its respective threshold:
the number of bits sent per unit time in the outbound direction;
the number of request packets sent per unit time in the outbound direction;
the number of HTTP requests sent per unit time in the outbound direction;
the number of new connections established per unit time in the outbound direction.
12. The device according to claim 9, characterized in that, in extracting, based on the total outbound traffic, the traffic characteristic description information for each destination IP that has a connection with the device, the extraction unit is configured to:
extract, based on the total outbound traffic, for each destination IP respectively, one or any combination of the following parameters as the corresponding traffic characteristic description information:
the rate of outbound traffic from the device to the destination IP;
the type of outbound packets from the device to the destination IP;
the number of abnormal packets among the outbound packets from the device to the destination IP.
13. The device according to any one of claims 9 to 12, characterized in that, in determining, according to the matching result, whether a DDoS attack is present on the device, the processing unit is configured to:
determine that a DDoS attack is present on the device when the total number of rules in the rule set hit by the parameters included in the traffic characteristic description information of at least one destination IP reaches a preset hit threshold.
14. The device according to any one of claims 9 to 12, characterized in that, after determining that a DDoS attack is present on the device, the processing unit is further configured to:
determine the set of destination IPs targeted by its own DDoS attack; and
drop traffic or apply rate limiting in the outbound direction for each destination IP in the set of destination IPs.
15. The device according to claim 14, characterized in that the processing unit is further configured to:
when it detects that the size of the local total outbound traffic is below the preset threshold, stop the traffic dropping or stop the rate limiting in the outbound direction for each destination IP in the set of destination IPs.
16. The device according to claim 14, characterized in that the processing unit is further configured to:
when it determines that the traffic characteristic description information of any destination IP in the set of destination IPs no longer matches the preset rule set, stop the traffic dropping or stop the rate limiting in the outbound direction for that destination IP.
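The detection and mitigation flow of claims 1 to 8 (outbound pre-check, per-destination feature extraction, rule matching with a hit threshold, targeted-IP set, and the two release conditions), as an added example that is not the patent's or its assignee's code; the thresholds, rule bodies and the sample statistics are assumptions constructed for illustration.

```python
# Added example, not the patent's code: claims 2 to 8 run over constructed statistics;
# thresholds, rule bodies and sample values are assumptions for illustration.
from dataclasses import dataclass

@dataclass
class DestStats:
    """Outbound statistics from this server to one destination IP (constructed)."""
    dst_ip: str
    bits_per_s: int
    pkts_per_s: int
    http_req_per_s: int
    new_conn_per_s: int
    pkt_types: dict     # packet type -> count, e.g. {"SYN": 89_000, "ACK": 1_000}
    abnormal_pkts: int

# Claim 3: the pre-check fires when ANY total-outbound statistic reaches its threshold.
TOTAL_THRESHOLDS = {"bits_per_s": 200_000_000, "pkts_per_s": 100_000,
                    "http_req_per_s": 5_000, "new_conn_per_s": 2_000}
# Claims 4/5: one rule per per-destination feature (assumed rule bodies).
RULES = {
    "high_rate": lambda f: f["rate_bps"] > 50_000_000,
    "syn_dominant": lambda f: f["pkt_type"] == "SYN",
    "many_abnormal": lambda f: f["abnormal"] > 100,
}
HIT_THRESHOLD = 2   # claim 5: rule hits a destination needs before it counts as a target

def total_outbound_exceeds(stats):
    """Claims 2/3: sum each statistic over all destinations and compare with its threshold."""
    return any(sum(getattr(s, k) for s in stats) >= t for k, t in TOTAL_THRESHOLDS.items())

def extract_features(s):
    """Claim 4: rate, dominant packet type and abnormal-packet count of one destination."""
    return {"rate_bps": s.bits_per_s,
            "pkt_type": max(s.pkt_types, key=s.pkt_types.get),
            "abnormal": s.abnormal_pkts}

def match_rules(features):
    """Claim 1: the matching result is the set of rule names the features hit."""
    return {name for name, pred in RULES.items() if pred(features)}

def detect(stats):
    """Claims 1-6: return (attack_present, targeted_ips, hits_per_ip)."""
    if not total_outbound_exceeds(stats):
        return False, set(), {}
    hits = {s.dst_ip: match_rules(extract_features(s)) for s in stats}
    targets = {ip for ip, h in hits.items() if len(h) >= HIT_THRESHOLD}
    return bool(targets), targets, hits

class OutboundLimiter:
    """Claims 6-8: destinations whose outbound traffic is being dropped or rate-limited."""
    def __init__(self):
        self.limited = set()
    def apply(self, targets):
        self.limited |= set(targets)
    def release(self, stats):
        """Claim 7: release all once total outbound is below threshold; otherwise
        claim 8: release a destination whose features no longer hit any rule."""
        if not total_outbound_exceeds(stats):
            self.limited.clear()
        else:
            for s in stats:
                if s.dst_ip in self.limited and not match_rules(extract_features(s)):
                    self.limited.discard(s.dst_ip)
        return set(self.limited)

SAMPLE = [  # constructed: one SYN-heavy destination, two ordinary ones
    DestStats("198.51.100.7", 120_000_000, 90_000, 0, 1_500, {"SYN": 89_000, "ACK": 1_000}, 400),
    DestStats("203.0.113.9", 30_000_000, 6_000, 4_000, 50, {"ACK": 5_500, "SYN": 500}, 3),
    DestStats("192.0.2.20", 60_000_000, 20_000, 0, 100, {"UDP": 20_000}, 2),
]
```

With `SAMPLE`, `detect` flags only 198.51.100.7 (three rule hits) while 192.0.2.20 stays below the hit threshold with one hit, and `OutboundLimiter.release` shows the claim 7 and claim 8 release paths separately.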

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610189056.5A CN107241304B (en) 2016-03-29 2016-03-29 Method and device for detecting DDoS attack

Publications (2)

Publication Number Publication Date
CN107241304A (en) 2017-10-10
CN107241304B CN107241304B (en) 2021-02-02

Family

ID=59983922

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610189056.5A Active CN107241304B (en) 2016-03-29 2016-03-29 Method and device for detecting DDoS attack

Country Status (1)

Country Link
CN (1) CN107241304B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant