CN107241304B - Method and device for detecting DDoS attack - Google Patents

Method and device for detecting DDoS attack

Info

Publication number
CN107241304B
Authority
CN
China
Prior art keywords
destination
server
traffic
flow
ddos attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610189056.5A
Other languages
Chinese (zh)
Other versions
CN107241304A (en)
Inventor
张钊
胡闽
程行峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201610189056.5A
Publication of CN107241304A
Application granted
Publication of CN107241304B
Legal status: Active (current)
Anticipated expiration


Classifications

    • H04L63/1458 Denial of Service (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/14 > H04L63/1408 by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (H04L63/14 > H04L63/1408 by monitoring network traffic)
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP] (H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols)
    • H04L67/10 Protocols in which an application is distributed across nodes in the network (H04L67/00 > H04L67/01 Protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to the field of cloud computing, and in particular to a method and an apparatus for detecting a DDoS attack, used for performing accurate DDoS detection in a cloud computing environment. The method comprises the following steps: a server extracts traffic feature description information for each destination IP from its own total output traffic, matches the traffic feature description information of each destination IP against a preset rule set to obtain a matching result, and determines from the matching result whether the server itself exhibits DDoS attack behavior. DDoS attack behavior can therefore be detected accurately and promptly inside the cloud computing environment, servers in the environment can defend conveniently and in time, DDoS attacks from a compromised server on other servers in the same cloud computing environment and on hosts outside it are avoided, and the overall security and operational reliability of the cloud computing environment are guaranteed. Furthermore, early-stage development cost and later-stage operation and maintenance cost are greatly reduced.

Description

Method and device for detecting DDoS attack
Technical Field
The invention relates to the field of cloud computing, in particular to a DDoS attack detection method and device.
Background
Cloud computing is an internet-based computing approach by which shared software and hardware resources and information can be provided to computers and other devices on demand.
In a cloud computing environment, one of the most common forms of attack is the Distributed Denial of Service (DDoS) attack. A DDoS attack combines a plurality of computers into an attack platform by means of client/server technology and launches an attack on one or more targets, thereby exponentially increasing the power of the denial of service attack.
Referring to fig. 1, a hacker typically installs a DDoS master program on one computer, which acts as the attacker. At a given time, the attacker uses the master program to communicate with a large number of computers on the Internet, called puppet computers, on which agent programs have already been installed. When the puppet computer cluster receives the attack instruction, it launches the attack against the target. With client/server technology, an attacker can activate hundreds of puppet machines within a few seconds.
A puppet machine is a device remotely controlled by the hacker. It has either been broken into by the hacker or had a trojan implanted without the user noticing, so that the hacker can manipulate the puppet machine at will and do anything with it. Puppet machines may run a variety of systems, such as Windows, Linux or Unix, and may even be servers of a company, an enterprise, a school, or a government or military body.
The detection scheme currently adopted against DDoS attacks is as follows: the system acquires the network mirror traffic of the cloud computing environment through switch port mirroring or optical splitting and shunting, so that the traffic of every host in the cloud computing environment is aggregated in real time in the network mirror traffic; the system then judges whether the size of the network mirror traffic exceeds an early-warning value, and when it does, determines that the host is under DDoS attack. The traffic for the IP of a host detected as under DDoS attack is then diverted to a DDoS scrubbing cluster for cleaning, and finally the normal traffic is re-injected.
However, in the prior art, the traffic detection system that acquires the network mirror traffic is generally placed at the exit of the cloud data center or at the exit connecting to the operator, so the existing DDoS detection scheme can only detect attacks launched by hosts outside the cloud computing environment on internal hosts.
Disclosure of Invention
The embodiment of the application provides a DDoS attack detection method and device, which are used for carrying out accurate DDoS detection in a cloud computing environment.
The embodiment of the application provides the following specific technical scheme:
A DDoS attack detection method comprises the following steps:
the server extracts, on the basis of its local total output traffic, traffic feature description information for each destination IP connected to the server, where the traffic feature description information of one destination IP represents the transmission state of the output traffic between that destination IP and the server;
the server matches the traffic feature description information of each destination IP against a preset rule set to obtain a matching result;
and the server determines from the matching result whether it exhibits DDoS attack behavior.
Optionally, before the server extracts the traffic feature description information of each destination IP connected to it based on the local total output traffic, the method further includes:
the server calculates the size of the local total output traffic and determines that it reaches a set threshold.
Optionally, the server determining that the size of the local total output traffic reaches the set threshold includes:
when the server judges that any one of the following statistical parameters reaches its corresponding threshold, the server determines that the size of the local total output traffic reaches the set threshold:
the number of bits sent in the output direction per unit time;
the number of request packets sent in the output direction per unit time;
the number of HTTP requests sent in the output direction per unit time;
and the number of newly established connections in the output direction per unit time.
Optionally, the server extracting the traffic feature description information of each destination IP connected to it based on the total output traffic includes:
the server extracts, for each destination IP based on the total output traffic, one or any combination of the following parameters as that destination IP's traffic feature description information:
the output traffic rate from the server to the destination IP;
the type of the packets output from the server to the destination IP;
the number of abnormal packets among the packets output from the server to the destination IP.
Optionally, the server determining from the matching result whether it exhibits DDoS attack behavior includes:
for any one destination IP, the server matches each parameter contained in that destination IP's traffic feature description information against the rule set, and when the total number of hit rules reaches a preset hit threshold, determines that the match succeeded and that the server exhibits DDoS attack behavior.
Optionally, after determining that the server exhibits DDoS attack behavior, the method further includes:
the server determines the destination IP set at which its DDoS attack behavior is directed;
and the server discards or rate-limits the traffic in the output direction of each destination IP in the destination IP set.
Optionally, the method further includes:
when the server detects that the size of the local total output traffic has fallen below the set threshold, it stops discarding or rate-limiting the traffic in the output direction of each destination IP in the destination IP set.
Optionally, the method further includes:
when the server determines that the traffic feature description information of any one destination IP in the destination IP set no longer matches the preset rule set, it stops discarding or rate-limiting the traffic in the output direction of that destination IP.
A detection apparatus for DDoS attacks, comprising:
an extracting unit, configured to extract traffic feature description information of each destination IP connected to the device based on a local total output traffic, where the traffic feature description information of one destination IP is used to represent a transmission state of output traffic between the one destination IP and the device;
the matching unit is used for respectively matching the traffic characteristic description information of each target IP with a preset rule set to obtain a matching result;
and the processing unit is used for determining whether the DDoS attack behavior exists in the device according to the matching result.
Optionally, before extracting the traffic feature description information of each destination IP connected to the device based on the local total output traffic, the extracting unit is further configured to:
calculate the size of the local total output traffic and determine that it reaches a set threshold.
Optionally, when determining that the size of the local total output traffic reaches the set threshold, the extracting unit is configured to:
determine that the size of the local total output traffic reaches the set threshold when any one of the following statistical parameters is judged to reach its corresponding threshold:
the number of bits sent in the output direction per unit time;
the number of request packets sent in the output direction per unit time;
the number of HTTP requests sent in the output direction per unit time;
and the number of newly established connections in the output direction per unit time.
Optionally, when extracting the traffic feature description information of each destination IP connected to the device based on the total output traffic, the extracting unit is configured to:
extract, for each destination IP based on the total output traffic, one or any combination of the following parameters as that destination IP's traffic feature description information:
the output traffic rate from the device to the destination IP;
the type of the packets output from the device to the destination IP;
the number of abnormal packets among the packets output from the device to the destination IP.
Optionally, when determining from the matching result whether the device exhibits DDoS attack behavior, the processing unit is configured to:
match each parameter contained in the traffic feature description information of at least one destination IP against the rule set, and determine that the device exhibits DDoS attack behavior when the total number of hit rules reaches a preset hit threshold.
Optionally, after determining that the device exhibits DDoS attack behavior, the processing unit is further configured to:
determine the destination IP set at which the device's DDoS attack behavior is directed;
and discard or rate-limit the traffic in the output direction of each destination IP in the destination IP set.
Optionally, the processing unit is further configured to:
stop discarding or rate-limiting the traffic in the output direction of each destination IP in the destination IP set when the size of the local total output traffic is detected to have fallen below the set threshold.
Optionally, the processing unit is further configured to:
stop discarding or rate-limiting the traffic in the output direction of any one destination IP in the destination IP set when the traffic feature description information of that destination IP is determined to no longer match the preset rule set.
The beneficial effect of this application is as follows:
In the embodiment of the application, the server extracts traffic feature description information for each destination IP from its own total output traffic, matches the traffic feature description information of each destination IP against a preset rule set to obtain a matching result, and determines from the matching result whether the server itself exhibits DDoS attack behavior. DDoS attack behavior can therefore be detected accurately and promptly inside the cloud computing environment, servers in the environment can defend conveniently and in time, DDoS attacks from a compromised server on other servers in the same cloud computing environment and on hosts outside it are avoided, and the overall security and operational reliability of the cloud computing environment are guaranteed. Furthermore, early-stage development cost and later-stage operation and maintenance cost are greatly reduced.
Drawings
FIG. 1 is a diagram illustrating an attacker launching a DDoS attack through a puppet in the prior art;
fig. 2 is a flowchart illustrating a process of detecting a DDoS attack inside a cloud computing environment according to an embodiment of the present application;
fig. 3 is a schematic diagram of a functional structure of a server in the embodiment of the present application.
Detailed Description
In order to perform accurate DDoS detection in a cloud computing environment, in the embodiment of the application a kernel module is deployed on each server in the cloud computing environment. Through the kernel module installed on it, a server can capture all of its local traffic, and by monitoring its own traffic it can judge whether it is itself a host initiating a DDoS attack.
Preferred embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Once a server has been compromised into a puppet computer it is often used for DDoS attacks; however, to keep the attack easy to launch, the server usually retains its normal service functions and only launches an attack inside the cloud computing environment after receiving an instruction from the attacker. Therefore, in the embodiment of the application, the kernel module installed on the server lets the server autonomously discover its own DDoS attack behavior and defend effectively, avoiding DDoS attacks on other servers in the same cloud computing environment and making up for the shortcomings of the existing detection method based on network mirror traffic.
Referring to fig. 2, in the embodiment of the present application, a detailed flow of detecting a DDoS attack by a server in a cloud computing environment is as follows:
Step 200: the server obtains the local total output traffic.
In practical application, the server can obtain all of its local output traffic through the deployed kernel module, using a filter or hook technique.
In general, once a server has been compromised into a puppet computer, it will attack other servers in the same cloud computing environment when it receives the attacker's instruction, so the server needs to monitor its output traffic periodically to determine whether it exhibits DDoS attack behavior. Preferably, the statistical period of the server is set to 5 s or less.
Step 201: the server determines whether the size of the local total output traffic reaches a set threshold. If yes, go to step 202; otherwise, return to step 200.
Step 201 is executed because calculating the total output traffic places a small computational load on the server, whereas the subsequent traffic feature analysis places a large one; performing the feature analysis only after the total output traffic has been found to reach the set threshold therefore reduces the server's load. Of course, if the server itself has strong computing capability, the traffic feature analysis may also be performed directly without first checking whether the total output traffic reaches the set threshold; step 201 in this embodiment is only a preferred implementation.
Further, in step 201, the server may determine that the size of the local total output traffic reaches the set threshold when any one of the following statistical parameters reaches its corresponding threshold; the statistical parameters that may be used include, but are not limited to:
the number of bits sent in the output direction per unit time (e.g., per second), BPS;
the number of request packets sent in the output direction per unit time (e.g., per second), PPS;
the number of HTTP requests sent in the output direction per unit time (e.g., per second), QPS;
and the number of new connections in the output direction per unit time (e.g., per second).
When any one of these statistical parameters reaches its corresponding threshold, the server's output direction is experiencing a traffic surge, which is a precursor of DDoS attack behavior.
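As an added illustration of the step 201 gate (example code written for this page, not code from the patent or from Alibaba), the following Python keeps the four output-direction counters the page names for one statistical period and reports which of them has reached its threshold. The counters are assumed to be incremented by a hypothetical per-packet hook, the threshold values are assumptions chosen for the example, the sample period is constructed, every outgoing packet is counted towards PPS, and a fresh TCP connection stands in for a newly established connection.

```python
from dataclasses import dataclass

# Hypothetical thresholds; the page gives no values. Any single statistic
# reaching its threshold is enough to trigger the per-destination analysis.
THRESHOLDS = {"bps": 1_000_000, "pps": 5_000, "qps": 1_000, "cps": 500}


@dataclass
class OutputCounters:
    """Per-host output-direction counters for one statistical period, of the
    kind a kernel hook would increment once per outgoing packet."""
    bits: int = 0           # bits sent (BPS numerator)
    packets: int = 0        # packets sent (PPS numerator; assumption: every packet counts)
    http_requests: int = 0  # HTTP requests sent (QPS numerator)
    new_conns: int = 0      # new connections opened (assumption: one per fresh TCP connection)

    def observe(self, length_bytes, is_http=False, is_new_conn=False):
        self.bits += length_bytes * 8
        self.packets += 1
        self.http_requests += int(is_http)
        self.new_conns += int(is_new_conn)

    def rates(self, window_s):
        """Normalise the counters to per-second rates over a window of window_s seconds."""
        return {
            "bps": self.bits / window_s,
            "pps": self.packets / window_s,
            "qps": self.http_requests / window_s,
            "cps": self.new_conns / window_s,
        }


def exceeded(rates, thresholds=THRESHOLDS):
    """Names of the statistics at or above their threshold, in threshold order."""
    return [name for name, limit in thresholds.items() if rates[name] >= limit]


def should_analyse(counters, window_s, thresholds=THRESHOLDS):
    """Step 201 decision: proceed to per-destination feature analysis only on a surge."""
    return bool(exceeded(counters.rates(window_s), thresholds))


def constructed_window(n_udp, n_http):
    """Constructed sample period: n_udp UDP packets of 1400 bytes plus n_http
    HTTP requests of 200 bytes, each opening a fresh TCP connection."""
    c = OutputCounters()
    for _ in range(n_udp):
        c.observe(1400)
    for _ in range(n_http):
        c.observe(200, is_http=True, is_new_conn=True)
    return c


if __name__ == "__main__":
    # Evaluate three constructed 5-second periods: quiet, bulk UDP, HTTP flood.
    for n_udp, n_http in ((10, 5), (1000, 0), (0, 6000)):
        w = constructed_window(n_udp, n_http)
        print(n_udp, n_http, exceeded(w.rates(5.0)), should_analyse(w, 5.0))
```

Keeping the gate to plain counters is what makes it cheap enough to run inside the kernel hook every period; the ratios are only computed when the period closes, and the expensive per-destination analysis runs only when `should_analyse` is true.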
Step 202: the server counts the output traffic rate from the local IP to each destination IP.
Specifically, the server may separate out of the total output traffic the output volume in the direction of each destination IP, and then obtain the traffic rate of each destination IP by rate measurement.
Step 203: the server counts the types of the output packets from the local IP to each destination IP.
The server may run several tasks in parallel, so the types of packets exchanged with different destination IPs may differ; for example, Transmission Control Protocol (TCP) packets may be exchanged with destination IP 1 while User Datagram Protocol (UDP) packets are exchanged with destination IP 2.
Step 204: the server counts the number of abnormal packets among the output packets from the local IP to each destination IP.
In general, abnormal packets may be carried in the output packets to each destination IP. An abnormal packet usually conforms to the corresponding protocol format but differs obviously from a normal packet and rarely appears in normal traffic.
In general, abnormal packets are classified into four types:
1. an Internet Control Message Protocol (ICMP) message whose length exceeds a set length threshold (e.g., 128 bits);
2. UDP messages with repeated payload content;
3. a TCP SYN message without OPTIONs, where SYN denotes the handshake signal (synchronous);
4. a TCP SYN message carrying a payload.
Abnormal packets are a possible precursor of a DDoS attack.
The server-to-destination-IP output traffic rate counted in step 202, the server-to-destination-IP output packet types counted in step 203, and the number of abnormal packets among the server-to-destination-IP output packets counted in step 204 are collectively referred to as traffic feature description information; each of them describes the transmission state of the output traffic between the server and the corresponding destination IP. In practical applications, any one or any combination of these three types of parameters may be selected for statistics, and further parameters may also be added.
Step 205: the server matches the three types of parameters obtained with a preset rule set and determines whether the match succeeds. If yes, go to step 206; otherwise, return to step 200.
Specifically, the server may store a rule set preset and configured by an administrator, or may obtain the latest rule set from the server in real time. The rule set describes the characteristics of DDoS attack behavior: each rule records the behavior characteristics, during a DDoS attack, of any one parameter or any combination of parameters in the traffic feature description information.
Then, taking any one destination IP as an example (hereinafter destination IP X), when the matching operation is executed the server matches each parameter recorded in the traffic feature description information of destination IP X against each rule in the preset rule set and records the total number of hit rules; when it determines that the total number of hit rules reaches the set hit threshold, it determines that destination IP X is successfully matched, that is, that the server exhibits DDoS attack behavior towards destination IP X.
For example, assume the rule set includes:
Rule 1: syn > 0.5 && bps > 1
The meaning of rule 1 is: the BPS in the output direction of a destination IP is greater than 1 Mbps, and the proportion of handshake signal (SYN) messages, which characterize newly established connections, is greater than 50%.
Rule 2: qps > 1000 or pps > 5000
The meaning of rule 2 is: the QPS in the output direction of a destination IP is greater than 1000, or the PPS in the output direction is greater than 5000.
Rule 3: icmphuge / pps > 0.3
The meaning of rule 3 is: abnormal ICMP messages (message length greater than 128 bits) account for more than 30 percent of all messages in the output direction of a destination IP.
Assume that the traffic feature description information of destination IP X is: QPS is 2000, and all of the output messages are HTTP request messages. This hits rule 2, which indicates that the server exhibits DDoS behavior towards destination IP X.
Certainly, the server may be performing DDoS attacks on multiple destination IPs at the same time; therefore, through the matching process the server can screen out a destination IP set (containing at least one attacked destination IP) that is the object of its DDoS attack.
Step 206: the server determines that DDoS attack behaviors exist in the server.
In this way, the server can monitor for DDoS automatically and in real time, discover its own DDoS attack behavior at any time, and intercept the DDoS attack conveniently and promptly.
Specifically, when performing DDoS interception, the server determines the destination IP set at which its DDoS attack behavior is directed, and then discards or rate-limits the traffic in the output direction of each destination IP in that set. For other destination IPs not in the destination IP set, the server forwards the corresponding output traffic normally, so the service provided to those destination IPs is unaffected.
Of course, when the server detects that the total output traffic has returned to a normal value, it may stop discarding or rate-limiting the traffic in the output direction of each destination IP in the destination IP set. Alternatively, the server may stop discarding or rate-limiting the traffic in the output direction of any one destination IP when it determines that the traffic feature description information of that destination IP in the destination IP set no longer matches the preset rule set.
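As an added worked example of steps 202 through 206 (written for this page; not the patent's or Alibaba's code), the following Python extracts per-destination traffic feature description information from a constructed one-second window of output packets, classifies abnormal packets into the four types listed above, evaluates the three example rules against each destination with a hit threshold, and derives the destination IP set to mitigate together with the previously mitigated destinations to release. The `OutPacket` record, the hit threshold of 1, the UDP payload and the sample traffic are assumptions constructed for the example; the SYN share used by rule 1 is computed over all output packets to the destination, and rule 3's `icmphuge / pps` is computed from per-second counts over the same window.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-packet record; assumption: a kernel hook hands the detector
# one such record for every packet leaving the host.
@dataclass(frozen=True)
class OutPacket:
    dst: str                    # destination IP
    proto: str                  # "tcp", "udp" or "icmp"
    length: int                 # bytes on the wire
    syn: bool = False           # TCP SYN flag set
    tcp_options: bool = True    # TCP options present in the SYN
    http_request: bool = False  # packet carries an HTTP request
    payload: bytes = b""        # transport payload

ICMP_MAX_BITS = 128   # abnormal-ICMP length threshold stated on the page
HIT_THRESHOLD = 1     # hypothetical preset hit threshold

def classify_abnormal(p, seen_udp):
    """Return which of the page's four abnormal types p belongs to, or None."""
    if p.proto == "icmp" and p.length * 8 > ICMP_MAX_BITS:
        return "icmp_huge"
    if p.proto == "udp":
        if p.payload in seen_udp[p.dst]:
            return "udp_repeat"      # same payload already sent to this destination
        seen_udp[p.dst].add(p.payload)
    if p.proto == "tcp" and p.syn:
        if not p.tcp_options:
            return "syn_no_options"
        if p.payload:
            return "syn_payload"
    return None

def extract_features(packets, window_s):
    """Steps 202-204: per-destination rate, packet types and abnormal-packet counts."""
    seen_udp = defaultdict(set)
    acc = defaultdict(lambda: {"pkts": 0, "bits": 0, "syn": 0, "http": 0,
                               "types": set(), "abnormal": defaultdict(int)})
    for p in packets:
        a = acc[p.dst]
        a["pkts"] += 1
        a["bits"] += p.length * 8
        a["syn"] += int(p.syn)
        a["http"] += int(p.http_request)
        a["types"].add(p.proto)
        kind = classify_abnormal(p, seen_udp)
        if kind:
            a["abnormal"][kind] += 1
    return {
        dst: {
            "bps_mbps": a["bits"] / window_s / 1e6,
            "pps": a["pkts"] / window_s,
            "qps": a["http"] / window_s,
            "syn": a["syn"] / a["pkts"],   # SYN share of all output packets
            "icmphuge": a["abnormal"].get("icmp_huge", 0) / window_s,
            "types": sorted(a["types"]),
            "abnormal": dict(a["abnormal"]),
        }
        for dst, a in acc.items()
    }

# The three example rules from the page, as predicates over one destination's features.
RULES = {
    "rule1": lambda f: f["syn"] > 0.5 and f["bps_mbps"] > 1,
    "rule2": lambda f: f["qps"] > 1000 or f["pps"] > 5000,
    "rule3": lambda f: f["icmphuge"] / f["pps"] > 0.3,
}

def match_rules(features, rules=RULES, hit_threshold=HIT_THRESHOLD):
    """Step 205: hit rules per destination, and the destination IP set whose hit
    count reaches the threshold (the set the server is attacking)."""
    hits = {dst: sorted(n for n, rule in rules.items() if rule(f)) for dst, f in features.items()}
    attacked = sorted(dst for dst, h in hits.items() if len(h) >= hit_threshold)
    return hits, attacked

def update_mitigation(active, features, rules=RULES, hit_threshold=HIT_THRESHOLD):
    """Step 206 follow-up: destinations to keep dropping or rate-limiting, and
    previously mitigated destinations whose features no longer match the rules."""
    _, attacked = match_rules(features, rules, hit_threshold)
    return attacked, sorted(set(active) - set(attacked))

WINDOW_S = 1.0
# Constructed one-second window of output traffic from the monitored host.
SAMPLE = (
    # 10.0.0.9: 2000 HTTP requests in one second, the page's QPS example
    [OutPacket("10.0.0.9", "tcp", 200, http_request=True) for _ in range(2000)]
    # 10.0.0.20: ordinary service traffic with a few well-formed SYNs
    + [OutPacket("10.0.0.20", "tcp", 500, syn=i < 5, http_request=i < 10) for i in range(50)]
    # 10.0.0.33: oversized ICMP mixed with UDP repeating the same payload
    + [OutPacket("10.0.0.33", "icmp", 1400) for _ in range(40)]
    + [OutPacket("10.0.0.33", "udp", 100, payload=b"A" * 64) for _ in range(60)]
)

if __name__ == "__main__":
    feats = extract_features(SAMPLE, WINDOW_S)
    hits, attacked = match_rules(feats)
    print(hits, attacked, update_mitigation(["10.0.0.44", "10.0.0.9"], feats))
```

Because the rules are plain predicates over the feature dictionary, an administrator-supplied rule set can be swapped in without touching the extraction code. The release path in `update_mitigation` implements the second of the two stop conditions the page gives (the destination's features no longer match the rule set); the first condition, total output traffic falling back below the step 201 threshold, is simply the step 201 check applied again on the next period.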
Based on the above embodiments, referring to fig. 3, in the embodiment of the present application, the detection apparatus (i.e. server) for DDoS attack at least includes an extracting unit 31, a matching unit 32 and a processing unit 33, wherein,
an extracting unit 31, configured to extract traffic feature description information of each destination IP connected to the device based on a local total outgoing traffic, where the traffic feature description information of one destination IP is used to represent a transmission state of the outgoing traffic between the one destination IP and the device;
a matching unit 32, configured to match the traffic feature description information of each destination IP with a preset rule set, respectively, to obtain a matching result;
and the processing unit 33 is configured to determine whether the DDoS attack behavior exists in the apparatus according to the matching result.
Optionally, before extracting the traffic feature description information of each destination IP connected to the device based on the local total output traffic, the extracting unit 31 is further configured to:
calculate the size of the local total output traffic and determine that it reaches a set threshold.
Optionally, when determining that the size of the local total output traffic reaches the set threshold, the extracting unit 31 is configured to:
determine that the size of the local total output traffic reaches the set threshold when any one of the following statistical parameters is judged to reach its corresponding threshold:
the number of bits sent in the output direction per unit time;
the number of request packets sent in the output direction per unit time;
the number of HTTP requests sent in the output direction per unit time;
and the number of newly established connections in the output direction per unit time.
Optionally, when extracting the traffic feature description information of each destination IP connected to the device based on the total output traffic, the extracting unit 31 is configured to:
extract, for each destination IP based on the total output traffic, one or any combination of the following parameters as that destination IP's traffic feature description information:
the output traffic rate from the device to the destination IP;
the type of the packets output from the device to the destination IP;
the number of abnormal packets among the packets output from the device to the destination IP.
Optionally, when determining from the matching result whether the device exhibits DDoS attack behavior, the processing unit 33 is configured to:
match each parameter contained in the traffic feature description information of at least one destination IP against the rule set, and determine that the device exhibits DDoS attack behavior when the total number of hit rules reaches a preset hit threshold.
Optionally, after determining that the device exhibits DDoS attack behavior, the processing unit 33 is further configured to:
determine the destination IP set at which the device's DDoS attack behavior is directed;
and discard or rate-limit the traffic in the output direction of each destination IP in the destination IP set.
Optionally, the processing unit 33 is further configured to:
stop discarding or rate-limiting the traffic in the output direction of each destination IP in the destination IP set when the size of the local total output traffic is detected to have fallen below the set threshold.
Optionally, the processing unit 33 is further configured to:
stop discarding or rate-limiting the traffic in the output direction of any one destination IP in the destination IP set when the traffic feature description information of that destination IP is determined to no longer match the preset rule set.
In summary, in the embodiment of the present application, the server extracts traffic feature description information for each destination IP from its own total output traffic, matches the traffic feature description information of each destination IP against a preset rule set to obtain a matching result, and determines from the matching result whether the server itself exhibits DDoS attack behavior. DDoS attack behavior can therefore be detected accurately and promptly inside the cloud computing environment, servers in the environment can defend conveniently and in time, DDoS attacks from a compromised server on other servers in the same cloud computing environment and on hosts outside it are avoided, and the overall security and operational reliability of the cloud computing environment are guaranteed. Furthermore, early-stage development cost and later-stage operation and maintenance cost are greatly reduced.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.

Claims (16)

1. A distributed denial of service (DDoS) attack detection method, applied within a cloud computing environment, comprising the following steps:
a server extracts, based on its local total output traffic, traffic characteristic description information for each destination IP that has a connection with the server, where the traffic characteristic description information of one destination IP is used to represent the transmission state of the output traffic between that destination IP and the server;
the server matches the traffic characteristic description information of each destination IP against a preset rule set to obtain a matching result;
the server determines, according to the matching result, whether the server has DDoS attack launching behavior;
and when the server determines that the DDoS attack behavior exists, the server determines the destination IP set at which the DDoS attack behavior is aimed, and discards traffic or rate-limits traffic in the output direction of each destination IP in the destination IP set.
2. The method of claim 1, wherein before the server extracts the traffic characteristic description information of each destination IP having a connection with the server based on the local total output traffic, the method further comprises:
the server calculates the size of the local total output traffic and determines that the size of the local total output traffic reaches a set threshold value.
3. The method of claim 2, wherein the server determining that the size of the local total output traffic reaches a set threshold value comprises:
when the server judges that any one of the following statistical parameters reaches its corresponding threshold value, the server determines that the size of the local total output traffic reaches the set threshold value:
the number of bits sent in the output direction per unit time;
the number of request packets sent in the output direction per unit time;
the number of HTTP requests sent in the output direction per unit time;
and the number of newly established connections in the output direction per unit time.
4. The method of claim 1, wherein the server extracting, based on the local total output traffic, traffic characteristic description information for each destination IP having a connection with the server comprises:
the server extracts, based on the local total output traffic and separately for each destination IP, one or any combination of the following parameters as the corresponding traffic characteristic description information:
the output traffic rate of the server to the destination IP;
the type of packets output by the server to the destination IP;
the number of abnormal packets among the packets output by the server to the destination IP.
5. The method according to any one of claims 1-4, wherein the server determining, according to the matching result, whether the server has DDoS attack behavior comprises:
the server determines, over the parameters contained in the traffic characteristic description information of at least one destination IP, the total number of rules in the rule set that are hit, and determines that the server has DDoS attack behavior when that total number reaches a preset hit threshold.
6. The method of any one of claims 1-4, further comprising, upon determining that the DDoS attack behavior exists at the server:
the server determines the destination IP set at which the DDoS attack behavior of the server is aimed;
and the server discards traffic or rate-limits traffic in the output direction of each destination IP in the destination IP set.
7. The method of claim 6, further comprising:
when the server detects that the size of the local total output traffic has fallen below a set threshold value, stopping traffic discarding or traffic rate limiting in the output direction of each destination IP in the destination IP set.
8. The method of claim 6, further comprising:
when the server determines that the traffic characteristic description information of any one destination IP in the destination IP set no longer matches the preset rule set, stopping traffic discarding or traffic rate limiting in the output direction of that destination IP.
9. A distributed denial of service (DDoS) attack detection apparatus, applied within a cloud computing environment, comprising:
an extracting unit, configured to extract, based on a local total output traffic, traffic characteristic description information for each destination IP that has a connection with the apparatus, where the traffic characteristic description information of one destination IP is used to represent the transmission state of the output traffic between that destination IP and the apparatus;
a matching unit, configured to match the traffic characteristic description information of each destination IP against a preset rule set to obtain a matching result;
and a processing unit, configured to determine, according to the matching result, whether the apparatus has DDoS attack launching behavior, and, when it is determined that the DDoS attack behavior exists, to determine the destination IP set at which the DDoS attack behavior of the apparatus is aimed and to discard traffic or rate-limit traffic in the output direction of each destination IP in the destination IP set.
10. The apparatus of claim 9, wherein before extracting the traffic characteristic description information of each destination IP having a connection with the apparatus based on the local total output traffic, the extracting unit is further configured to:
calculate the size of the local total output traffic and determine that the size of the local total output traffic reaches a set threshold value.
11. The apparatus of claim 10, wherein, when determining that the size of the local total output traffic reaches a set threshold value, the extracting unit is configured to:
determine that the size of the local total output traffic reaches the set threshold value when any one of the following statistical parameters is judged to reach its corresponding threshold value:
the number of bits sent in the output direction per unit time;
the number of request packets sent in the output direction per unit time;
the number of HTTP requests sent in the output direction per unit time;
and the number of newly established connections in the output direction per unit time.
12. The apparatus according to claim 9, wherein, when extracting the traffic characteristic description information of each destination IP having a connection with the apparatus based on the local total output traffic, the extracting unit is configured to:
extract, based on the local total output traffic and separately for each destination IP, one or any combination of the following parameters as the corresponding traffic characteristic description information:
the output traffic rate of the apparatus to the destination IP;
the type of packets output by the apparatus to the destination IP;
the number of abnormal packets among the packets output by the apparatus to the destination IP.
13. The apparatus according to any one of claims 9-12, wherein, when determining according to the matching result whether the apparatus has DDoS attack behavior, the processing unit is configured to:
determine, over the parameters contained in the traffic characteristic description information of at least one destination IP, the total number of rules in the rule set that are hit, and determine that the DDoS attack behavior exists in the apparatus when that total number reaches a preset hit threshold.
14. The apparatus of any one of claims 9-12, wherein, upon determining that the apparatus has DDoS attack behavior, the processing unit is further configured to:
determine the destination IP set at which the DDoS attack behavior of the apparatus is aimed;
and discard traffic or rate-limit traffic in the output direction of each destination IP in the destination IP set.
15. The apparatus of claim 14, wherein the processing unit is further configured to:
when the size of the local total output traffic is detected to have fallen below a set threshold value, stop traffic discarding or traffic rate limiting in the output direction of each destination IP in the destination IP set.
16. The apparatus of claim 14, wherein the processing unit is further configured to:
when it is determined that the traffic characteristic description information of any one destination IP in the destination IP set no longer matches the preset rule set, stop traffic discarding or traffic rate limiting in the output direction of that destination IP.
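The following Python sketch is an added illustration of the detection and release logic of claims 1 to 8 (and their apparatus counterparts in claims 9 to 16); it is not code from the patent. It gates per-destination work on the total output in bits per unit time (one of the four statistical parameters of claim 3), extracts the three per-destination parameters of claim 4, counts rule hits against a preset hit threshold as in claim 5, returns the destination IP set to drop or rate-limit as in claim 6, and checks the release conditions of claims 7 and 8. The packet records, the rule thresholds, the SYN-share rule and the "abnormal" flag are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    dst: str        # destination IP
    ptype: str      # e.g. "SYN", "UDP", "HTTP", "ACK"
    size: int       # bytes on the wire
    abnormal: bool  # constructed flag standing in for the claims' "abnormal packets"

WINDOW_S = 1.0  # statistics window (the claims' "unit time") in seconds
# Constructed sample: one window of outbound packets. 198.51.100.7 receives a SYN
# flood plus malformed UDP; 203.0.113.9 sees ordinary web traffic.
SAMPLE = (
    [Packet("198.51.100.7", "SYN", 60, False) for _ in range(4000)]
    + [Packet("198.51.100.7", "UDP", 1400, True) for _ in range(500)]
    + [Packet("203.0.113.9", "HTTP", 800, False) for _ in range(30)]
    + [Packet("203.0.113.9", "ACK", 60, False) for _ in range(30)]
)

# Preset rule set (assumed values): each rule is a predicate over one destination's features.
RULES = {
    "high_rate": lambda f: f["rate_bps"] > 1_000_000,
    "syn_dominant": lambda f: f["syn_share"] > 0.8,
    "abnormal_packets": lambda f: f["abnormal"] > 100,
}
GATE_BPS = 2_000_000   # claims 2/3: set threshold on total output, bits per unit time
HIT_THRESHOLD = 2      # claim 5: preset hit threshold

def total_output_bps(packets, window_s=WINDOW_S):
    """Claims 2/3: bits sent in the output direction per unit time."""
    return sum(p.size for p in packets) * 8 / window_s

def extract_features(packets, window_s=WINDOW_S):
    """Claim 4: per-destination output rate, packet-type mix and abnormal packet count."""
    feats = {}
    for p in packets:
        f = feats.setdefault(p.dst, {"bits": 0, "types": Counter(), "abnormal": 0})
        f["bits"] += p.size * 8
        f["types"][p.ptype] += 1
        f["abnormal"] += int(p.abnormal)
    for f in feats.values():
        f["rate_bps"] = f["bits"] / window_s
        f["syn_share"] = f["types"]["SYN"] / sum(f["types"].values())
    return feats

def rule_hits(features, rules=RULES):
    """Claim 5: number of rules in the set hit by one destination's features."""
    return sum(1 for rule in rules.values() if rule(features))

def detect(packets, rules=RULES, gate_bps=GATE_BPS, hit_threshold=HIT_THRESHOLD):
    """Claims 1-6: (attack_detected, destination IP set to drop or rate-limit)."""
    if total_output_bps(packets) < gate_bps:   # gate: no per-IP work below the threshold
        return False, set()
    targets = {dst for dst, f in extract_features(packets).items()
               if rule_hits(f, rules) >= hit_threshold}
    return bool(targets), targets

def should_release(packets, dst, rules=RULES, gate_bps=GATE_BPS, hit_threshold=HIT_THRESHOLD):
    """Claims 7/8: release dst when total output is below the gate or dst no longer matches."""
    if total_output_bps(packets) < gate_bps:
        return True
    f = extract_features(packets).get(dst)
    return f is None or rule_hits(f, rules) < hit_threshold
```

In a real deployment the window statistics would come from the host's outbound packet counters and the returned destination set would be handed to the local drop or rate-limit mechanism, which the sketch leaves out.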
CN201610189056.5A 2016-03-29 2016-03-29 Method and device for detecting DDoS attack Active CN107241304B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610189056.5A CN107241304B (en) 2016-03-29 2016-03-29 Method and device for detecting DDoS attack

Publications (2)

Publication Number Publication Date
CN107241304A CN107241304A (en) 2017-10-10
CN107241304B true CN107241304B (en) 2021-02-02

Family

ID=59983922

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant