CN107395554A - The defence processing method and processing device of flow attacking - Google Patents
Publication number: CN107395554A (application CN201610327224.2A)
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
This application discloses a defence processing method and device for traffic attacks. The method includes: obtaining the sum of the current data transfer rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and that sum; and adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
Description
Technical field
The present invention relates to the field of network security, and in particular to a defence processing method and device for traffic attacks.
Background technology
At present, volumetric traffic attacks are becoming more and more common. For example, the principle of a distributed denial of service (DDoS) attack is to find the resource bottleneck of the attacked party and to consume that resource until the attacked party's service becomes unavailable. In current Internet services, server CPU, memory, bandwidth and databases can all become resource bottlenecks. Because bandwidth cost is very high, a DDoS attack on bandwidth is typically one of the more serious attack patterns faced by a cloud computing service platform.
When attack traffic exceeds the tolerance of the service side, in order not to affect other services in the same group (for example, the same computer room), the service side sometimes shields access to the attacked IP by issuing a blackhole route in the operator's network, so that all DDoS traffic is discarded in the backbone network. The blackhole strategy generally used at present is: a fixed blackhole threshold (for example, 2 Gbps) is set for each IP based on experience, and when the attack traffic towards an IP exceeds the threshold, a blackhole route for that IP is issued. A simple blackhole threshold set in a cloud computer room does not produce the expected DDoS protection effect.
The content of the invention
The embodiments of the present application provide a defence processing method and device for traffic attacks, so as to at least solve the technical problem that resources cannot be fully and reasonably utilized.
According to one aspect of the embodiments of the present application, a defence processing method for traffic attacks is provided, including: obtaining the sum of the data transfer rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and that sum; and adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
According to another aspect of the embodiments of the present application, a defence processing device for traffic attacks is also provided, including: a processing module, for obtaining the sum of the current data transfer rates of a predetermined number of terminals in the same group and calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and that sum; and an adjusting module, for adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
In the embodiments of the present application, the specified threshold is adjusted in real time according to the remaining bandwidth of the group. The blackhole threshold can therefore be adjusted flexibly and resources can be used fully and reasonably, which solves the technical problem that resources cannot be fully and reasonably utilized.
Brief description of the drawings
The accompanying drawings described herein provide a further understanding of the present invention and form part of this application; the schematic embodiments of the present invention and their description explain the present invention and do not unduly limit it. In the drawings:
Fig. 1 is a hardware block diagram of a computer terminal for a defence processing method for traffic attacks according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of an optional defence processing method for traffic attacks according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the relation between an optional blackhole threshold and the waterline according to an embodiment of the present application;
Fig. 4 is a structural block diagram of an optional defence processing device for traffic attacks according to an embodiment of the present application;
Fig. 5 is a structural block diagram of an optional computer terminal according to an embodiment of the present application.
Embodiment
In order that those skilled in the art may better understand the solution of the present invention, the technical solution in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, rather than all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and the like in the description, claims and accompanying drawings are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described here. In addition, the terms "comprising" and "having" and any variations of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
For ease of understanding, the technical terms involved in the embodiments of the present application are summarized as follows:
DDoS attack: refers to using client/server technology to join multiple computers together as an attack platform and launch a DDoS attack against one or more targets, thereby multiplying the power of a denial of service attack. Usually, the attacker installs a DDoS master program on one computer; at a set time the master program communicates with a large number of agent programs that have already been installed on many computers on the Internet. The agents launch the attack as soon as they receive the instruction. Using client/server technology, the master program can activate the operation of hundreds or thousands of agents within seconds.
Traffic cleaning: a DDoS traffic cleaning system consists of three parts: traffic detection, traffic cleaning and monitoring management. The traffic detection equipment detects malicious attack traffic hidden in the network traffic and, when an attack is found, promptly notifies and activates the protection equipment to clean the traffic. The traffic cleaning equipment, a dedicated traffic purification product, redirects suspicious traffic from the original network path to the purification product, where malicious traffic is identified and stripped out, and re-injects the restored legitimate traffic into the original network for delivery to the target system, leaving the forwarding path of other legitimate traffic unaffected. The monitoring management system provides centralized management and configuration of the traffic cleaning equipment, displays real-time traffic, alarm events and status information, and promptly outputs traffic analysis reports and attack protection reports.
Blackhole route: a route that absorbs all unrelated routes into it, so that traffic goes in but never returns; it is usually a static route entry established by the administrator. The administrator points a received source address to the null0 interface, which has very little impact on the system load.
Cloud computing environment: an environment (or platform) for the addition, use and delivery of Internet-based services, usually involving the provision over the Internet of dynamically scalable and often virtualized resources.
The waterline of traffic: represents the current inbound traffic of the group (computer room), i.e. the total traffic currently flowing into the group (the sum of the current data transfer rates of the terminals in the group);
Group: also known as a network group; may be the group formed by the terminals accessing the same computer room, but is not limited to this.
Embodiment 1
According to the embodiments of the present application, a method embodiment of the defence processing method for traffic attacks is also provided. It should be noted that the steps illustrated in the flowchart of the accompanying drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in a different order.
The method embodiment provided in Embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, Fig. 1 is a hardware block diagram of a computer terminal for the defence processing method for traffic attacks of an embodiment of the present application. As shown in Fig. 1, computer terminal 10 may include one or more processors 102 (only one is shown in the figure; processor 102 may include, but is not limited to, a processing unit such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmitting device 106 for communication. Those of ordinary skill in the art will appreciate that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the electronic device described above. For example, computer terminal 10 may include more or fewer components than shown in Fig. 1, or have a configuration different from that shown in Fig. 1.
Memory 104 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the defence processing method for traffic attacks in the embodiments of the present application. Processor 102 runs the software programs and modules stored in memory 104 to perform various functional applications and data processing, that is, to implement the method described above. Memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102; such remote memory may be connected to computer terminal 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
Transmitting device 106 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of computer terminal 10. In one example, transmitting device 106 includes a network interface controller (NIC), which can be connected to other network equipment through a base station so as to communicate with the Internet. In another example, transmitting device 106 may be a radio frequency (RF) module used to communicate wirelessly with the Internet.
In the above running environment, the present application provides the defence processing method for traffic attacks shown in Fig. 2. The method can be applied to traffic attack scenarios such as a cloud computer room. Taking a cloud computer room as an example: because the blackhole threshold is fixed, and the blackhole threshold allocated to different groups is the same, it cannot be adjusted flexibly according to the actual situation of different computer rooms. For example, the bandwidth of different cloud computer rooms differs, and setting the same blackhole threshold for a computer room with large bandwidth and one with small bandwidth is unreasonable; the bandwidth allocated to a computer room is also likely to change, and if the blackhole threshold stays constant, resources clearly cannot be fully and reasonably utilized. In view of these problems, the embodiments of the present application provide a corresponding solution, described further below.
Fig. 2 is a schematic flowchart of an optional defence processing method for traffic attacks according to an embodiment of the present application. As shown in Fig. 2, the method includes steps S202 to S206, where:
Step S202: obtain the sum of the current data transfer rates of a predetermined number of terminals in the same group.
Alternatively, the predetermined number can be set flexibly according to actual conditions: it may be the number of all terminals in the group, or the number of some of the terminals in the group (for example, the number of terminals in the group that meet a certain condition).
Step S204: calculate the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum.
Alternatively, the remaining bandwidth can be calculated in several ways, for example by taking the difference between the bandwidth allocated to the group and the sum, which gives the remaining bandwidth of the group. Taking the remaining bandwidth (also known as the spare bandwidth) of a computer room as an example: the waterline of traffic is the current inbound traffic x of the computer room and the bandwidth of the computer room is bandwidth, so the spare bandwidth of the computer room, i.e. the total amount available for resisting a traffic attack, is (bandwidth-x).
Step S206: adjust a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
When adjusting the specified threshold, in order to use resources reasonably, the relation between the remaining bandwidth and the specified threshold can be defined as a positive correlation, i.e. the specified threshold increases as the remaining bandwidth increases and decreases as the remaining bandwidth decreases. Accordingly, the specified threshold is adjusted according to this relation: when the remaining bandwidth increases, the specified threshold is increased; when the remaining bandwidth decreases, the specified threshold is decreased. It should be noted that the specified threshold may be a blackhole threshold.
Alternatively, "issuing a blackhole route for the designated terminal in the group" may take the following form: the destination address or port reached by the designated terminal is pointed to the null0 interface.
Further, there are several ways to adjust the specified threshold according to the positive correlation between the two. For example, a correspondence list of remaining bandwidth and specified threshold can be established, with the remaining bandwidth and specified threshold arranged in descending order of value. A remaining-bandwidth element in the list can be a value span, i.e. when the current remaining bandwidth falls into a specified span, the specified threshold is the one corresponding to that span, as shown in Table 1.
Table 1
| Remaining bandwidth (Gbps) | Specified threshold (Gbps) |
| --- | --- |
| 70-80 | 3 |
| 60-50 | 2 |
| 40-30 | 1 |
The specified threshold can of course be determined in other ways, for example: a target threshold is obtained according to the remaining bandwidth and the predetermined number, and the specified threshold is then adjusted according to the target threshold.
The target threshold can be obtained in several ways. In one alternative embodiment, it is obtained as follows: Threshold=(1/a)*(bandwidth-x)/IPnum, where Threshold represents the target threshold, a is a constant greater than 0 and less than 1, bandwidth represents the bandwidth allocated to the group, x represents the sum, (bandwidth-x) represents the remaining bandwidth, and IPnum represents the predetermined number (which may be the number of all terminals); the specified threshold is then adjusted according to the target threshold.
Alternatively, a is a preset ratio representing the proportion of the predetermined number of terminals (which may be the total number of terminals in the group) that are under traffic attack. The value of a can be determined from experimental or statistical results.
The way the specified threshold is determined is illustrated below with the traffic attack scenario of a computer room:
The total number of IPs in the computer room is IPnum. According to statistics, the proportion of IPs under attack in a cloud computer room is about 1/N at most. Assuming that in the extreme case these IPs are attacked simultaneously, the total number of attacked IPs is IPnum/N. The calculation formula of the blackhole threshold can therefore be derived:
Threshold=N*(bandwidth-x)/IPnum, where the value of N is determined according to actual conditions and can for example be 50, 100, 150, 200, 300, 400, etc.; x represents the inbound traffic flowing into the computer room.
Further, the minimum value of the blackhole threshold can be determined from the statistics of the peak normal inbound traffic of a certain number of users, for example:
According to data statistics, the peak normal inbound traffic of 99.9% of users is less than 1 Gbps. Taking 1 Gbps as the minimum tolerable blackhole threshold, the calculated blackhole threshold cannot be lower than 1 Gbps. Therefore, the complete blackhole threshold calculation formula is:
Threshold=(300*(bandwidth-x)/IPnum)>1 ? (300*(bandwidth-x)/IPnum) : 1, that is, blackhole thresholds lower than 1 Gbps are eliminated.
To help understand the relation between the blackhole threshold and the waterline (the inbound traffic x flowing into the computer room, i.e. the sum of the data transfer rates of the terminals in the computer room), take as an example a computer room with 100 Gbps of bandwidth and inbound traffic from 10000 IP addresses; the relation between different waterlines and the blackhole threshold is then as shown in Fig. 3.
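As an added example (not code from the patent), the threshold computation of steps S202 to S206 in Python: the remaining bandwidth, the Table 1 lookup, and the formula Threshold=N*(bandwidth-x)/IPnum with the 1 Gbps minimum, evaluated for the Fig. 3 setting (100 Gbps, 10000 IPs). Function names, the sample terminal rates and the generalized span table are assumptions.

```python
# Added example: dynamic blackhole threshold per the patent's formulas.
#   remaining = bandwidth - x              (x = sum of current terminal rates)
#   Threshold = N * (bandwidth - x) / IPnum, floored at a 1 Gbps minimum
# plus the Table 1 lookup variant. All quantities are in Gbps.

MIN_THRESHOLD_GBPS = 1.0   # 99.9% of users peak below 1 Gbps (statistic cited on the page)
DEFAULT_N = 300            # N = 1/a, the value used in the page's final formula

# Table 1 from the page as (low, high) remaining-bandwidth spans -> threshold.
# The page lists spans in descending order (60-50, 40-30); bounds are normalized here.
TABLE_1 = [
    ((70.0, 80.0), 3.0),
    ((50.0, 60.0), 2.0),
    ((30.0, 40.0), 1.0),
]


def remaining_bandwidth(bandwidth_gbps, terminal_rates_gbps):
    """Steps S202/S204: sum the current rates of the group's terminals and
    subtract from the bandwidth allocated to the group."""
    x = sum(terminal_rates_gbps)
    return bandwidth_gbps - x


def threshold_from_table(remaining_gbps, table=TABLE_1):
    """Table-lookup variant: the threshold whose span contains the remaining
    bandwidth, or None when the value falls between spans (Table 1 has gaps)."""
    for (low, high), threshold in table:
        if low <= remaining_gbps <= high:
            return threshold
    return None


def threshold_from_formula(bandwidth_gbps, x_gbps, ip_num,
                           n=DEFAULT_N, minimum=MIN_THRESHOLD_GBPS):
    """Formula variant: Threshold = N*(bandwidth - x)/IPnum, never below the
    minimum tolerable blackhole threshold (the page's ternary expression)."""
    if ip_num <= 0:
        raise ValueError("IPnum must be positive")
    raw = n * (bandwidth_gbps - x_gbps) / ip_num
    return raw if raw > minimum else minimum


def threshold_curve(bandwidth_gbps, ip_num, waterlines):
    """Fig. 3 style relation: (waterline, threshold) for each inbound-traffic level."""
    return [(x, threshold_from_formula(bandwidth_gbps, x, ip_num)) for x in waterlines]


if __name__ == "__main__":
    # Constructed scenario: 100 Gbps computer room with 10000 IPs (the Fig. 3 setting).
    for x, t in threshold_curve(100.0, 10000, [0, 20, 50, 66, 70, 90]):
        print(f"waterline {x:>3} Gbps -> blackhole threshold {t:.2f} Gbps")
```

Once the waterline passes about 66.7 Gbps the raw formula drops below 1 Gbps and the minimum takes over, which is the flat tail of the Fig. 3 curve.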
In an alternative embodiment of the application, when the traffic flowing into the group (for example, the computer room) is clearly higher than the normal value, merely lowering the blackhole threshold does not meet the requirement. Therefore, to further ensure the stability of the group's services, the routes of terminals (or IP addresses) accessing the group can also be classified as blackhole routes, that is, blackhole route processing is carried out. Specifically, this can be achieved in the following way, but is not limited to it: obtain the bandwidth usage of the predetermined number of terminals in the group, where the bandwidth usage is the ratio of the sum of the current data transfer rates of the predetermined number of terminals in the group to the bandwidth allocated to the group; when the bandwidth usage exceeds a preset threshold, gradually increase the number of terminals for which the blackhole route is issued until the bandwidth usage is below the preset threshold.
The process of "gradually increasing the number of terminals for which the blackhole route is issued until the bandwidth usage is below the preset threshold" can be implemented in several ways, for example by increasing the number of terminals for which a blackhole route is issued one by one, or by issuing blackhole routes for low-priority terminals according to a preset priority and then increasing step by step.
In an alternative embodiment of the application, this can also be achieved as follows: sort the predetermined number of terminals in descending order of current data transfer rate; issue the blackhole route for the routes of the top M terminals and detect the updated bandwidth usage ratio, where the updated bandwidth usage is the ratio of the sum of the data transfer rates of the remaining terminals (the predetermined number of terminals excluding the M terminals) to the bandwidth; when the bandwidth usage is still greater than the second threshold, issue the blackhole route for the top M terminals, where M<N. Because blackhole routes are issued for terminals in batches, the efficiency of traffic attack defence can be improved.
Taking computer room traffic as an example, when the computer room traffic is clearly higher than the normal value, merely lowering the blackhole threshold clearly cannot meet the requirement of computer room stability, so an emergency means is needed to ensure the stability of the cloud computer room. A traffic waterline dangerous value can be set, for example 80%. When the traffic waterline exceeds 70%, the IP addresses of the computer room's inbound traffic are ranked; the TOP10 IP addresses are blackholed first and the waterline is checked for a decrease, otherwise the TOP20 IP addresses are blackholed, and so on, until the waterline is below 80%.
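As an added example (not the patent's code), the emergency blackholing loop described above in Python: terminals are ranked by current inbound rate, the top M are blackholed, the bandwidth usage is recomputed over the remaining terminals, and M grows in steps (TOP10, TOP20, ...) until the usage is below the danger value. Function names, the step size and the constructed group of terminals are assumptions.

```python
# Added example: batch blackholing by traffic ranking, following the page's
# description (rank IPs, blackhole TOP10, re-check usage, then TOP20, ...).
# Rates are in Gbps; usage is the ratio of summed rates to allocated bandwidth.

DANGER_RATIO = 0.80   # traffic waterline dangerous value from the page (80%)


def bandwidth_usage(rates_gbps, bandwidth_gbps):
    """Ratio of the sum of current terminal rates to the group's allocated bandwidth."""
    return sum(rates_gbps) / bandwidth_gbps


def emergency_blackhole(terminals, bandwidth_gbps, danger_ratio=DANGER_RATIO, step=10):
    """terminals: dict mapping IP -> current inbound rate (Gbps).

    Returns (blackholed_ips, final_usage, rounds). Each round blackholes the
    top M terminals by rate, with M growing by `step`, and recomputes usage over
    the terminals that are not blackholed. Stops when usage is at or below the
    danger ratio, or when every terminal has been blackholed (then usage is 0).
    """
    ranked = sorted(terminals.items(), key=lambda kv: kv[1], reverse=True)
    usage = bandwidth_usage(terminals.values(), bandwidth_gbps)
    blackholed = []
    m = 0
    rounds = 0
    while usage > danger_ratio and m < len(ranked):
        m = min(m + step, len(ranked))
        blackholed = [ip for ip, _ in ranked[:m]]
        remaining_rates = [rate for _, rate in ranked[m:]]
        usage = bandwidth_usage(remaining_rates, bandwidth_gbps)
        rounds += 1
    return blackholed, usage, rounds


def constructed_group(n_normal, normal_rate, n_attacked, attacked_rate):
    """Constructed sample data (not measurements): n_normal quiet terminals in
    10.0.0.0/24 and n_attacked terminals under attack in 10.0.1.0/24."""
    group = {f"10.0.0.{i}": normal_rate for i in range(n_normal)}
    group.update({f"10.0.1.{i}": attacked_rate for i in range(n_attacked)})
    return group


if __name__ == "__main__":
    # 100 Gbps computer room: 25 quiet terminals at 0.5 Gbps, 5 attacked at 15 Gbps.
    group = constructed_group(25, 0.5, 5, 15.0)
    print(f"initial usage: {bandwidth_usage(group.values(), 100.0):.0%}")
    ips, usage, rounds = emergency_blackhole(group, 100.0)
    print(f"blackholed {len(ips)} IPs in {rounds} round(s), usage now {usage:.0%}")
```

The second constructed case in the test needs two rounds (TOP10 then TOP20) before usage falls below the danger value, which is the "by analogy" step the text describes.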
In summary, the embodiments of the present application achieve the following beneficial effects: instead of setting a fixed threshold for each IP address, the blackhole threshold of a group is calculated and automatically adjusted according to the bandwidth and the traffic waterline, and when the traffic reaches a certain waterline, every IP whose traffic exceeds this threshold is blackholed. The traffic waterline is monitored and the blackhole threshold is calculated and adjusted automatically according to the amount of spare bandwidth; when the computer room traffic waterline is at a relatively dangerous high level, blackhole route processing is carried out according to the ranking of IP traffic.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of action combinations, but those skilled in the art should know that the application is not limited by the described sequence of actions, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this description are preferred embodiments, and the actions and modules involved are not necessarily required by the application.
From the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus the necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disk), including instructions that cause a terminal device (which may be a mobile phone, computer, server, network device, etc.) to perform the method described in each embodiment of the present invention.
Embodiment 2
According to the embodiments of the present application, a device for implementing the above defence processing method for traffic attacks is also provided. As shown in Fig. 4, the device includes:
Processing module 40, for obtaining the sum of the current data transfer rates of a predetermined number of terminals in the same group, and calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and that sum; "group" here may be the group formed by the terminals accessing the same computer room, but is not limited to this.
Adjusting module 42, for adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
Taking the remaining bandwidth (also known as the spare bandwidth) of a computer room as an example: the waterline of traffic is the current inbound traffic x of the computer room and the bandwidth of the computer room is bandwidth, so the spare bandwidth of the computer room, i.e. the total amount available for resisting a traffic attack, is (bandwidth-x).
When adjusting the blackhole threshold, in order to use resources reasonably, the relation between the remaining bandwidth and the blackhole threshold can be defined as a positive correlation, i.e. the blackhole threshold increases as the remaining bandwidth increases and decreases as the remaining bandwidth decreases. Based on this principle, in an alternative embodiment of the application, adjusting module 42 is further used to increase the blackhole threshold when the remaining bandwidth increases and to decrease the blackhole threshold when the remaining bandwidth decreases.
Alternatively, adjusting module 42 is further used to obtain a target threshold according to the remaining bandwidth and the predetermined number, and to adjust the specified threshold according to the target threshold. Alternatively, the target threshold is obtained as follows: Threshold=(1/a)*(bandwidth-x)/IPnum, where Threshold represents the target threshold, a is a constant greater than 0 and less than 1, bandwidth represents the bandwidth allocated to the group, x represents the sum, and IPnum represents the predetermined number of terminals in the group (which may be the number of all terminals in the group); the blackhole threshold is then adjusted according to the target threshold. Alternatively, a is a preset ratio representing the proportion of the total number of terminals in the group that are under traffic attack. The value of a can be determined from experimental or statistical results.
The way the blackhole threshold is determined is illustrated below with the traffic attack scenario of a computer room: the total number of IPs in the computer room is IPnum; according to statistics, the proportion of IPs under attack in a cloud computer room is about 1/N. Assuming that in the extreme case these IPs are attacked simultaneously, the total number of attacked IPs is IPnum/N. The calculation formula of the blackhole threshold can therefore be derived:
Threshold=N*(bandwidth-x)/IPnum, where the value of N is determined according to actual conditions and can for example be 50, 100, 150, 200, 300, 400, etc.
In an alternative embodiment of the application, adjusting module 42 is further used to obtain the bandwidth usage of the predetermined number of terminals in the group, where the bandwidth usage is the ratio of the sum of the current data transfer rates of the predetermined number of terminals in the group to the bandwidth allocated to the group, and, when the bandwidth usage exceeds a preset threshold, to gradually increase the number of terminals for which the blackhole route is issued until the bandwidth usage is below the preset threshold.
The process of "gradually increasing the number of terminals for which the blackhole route is issued until the ratio is below the preset threshold" can be implemented in several ways, for example by increasing the number of terminals for which a blackhole route is issued one by one, or by issuing blackhole routes for low-priority terminals according to a preset priority and then increasing step by step. In an alternative embodiment of the application, it can be realized by the following function of adjusting module 42:
Adjusting module 42, it is additionally operable to the predetermined quantity terminal according to the current data transfer rate from greatly to small
Order is ranked up;The blackhole route is issued for the route of M terminal in the top, and detects the band after renewal
The ratio of wide occupancy;Wherein, the bandwidth usage after the renewal is:The M is removed in the predetermined quantity terminal
The message transmission rate sum of remaining terminal outside individual terminal and the ratio of the bandwidth;In the bandwidth usage still
During more than the Second Threshold, the blackhole route is issued for M terminal in the top, wherein, M<N.
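The sort-and-blackhole loop of the adjusting module 42, written out as an added Python example; this is not code from the patent. The terminal names, the per-terminal rates (in Mbps), the group bandwidth and the IOS-style Null0 static-route line (an illustration of the Null0 interface mentioned in claim 6) are assumptions made for the example.

```python
"""Added example (not the patent's code): the iterative blackholing loop of the
adjusting module, run on constructed sample data.  Units: Mbps."""
from typing import Dict, List, Tuple

# Constructed sample: current data rate per terminal (Mbps) in one group.
SAMPLE_RATES: Dict[str, int] = {
    "t1": 5000, "t2": 4000, "t3": 500, "t4": 300, "t5": 200,
}
GROUP_BANDWIDTH_MBPS = 10_000   # bandwidth allocated to the group (assumed value)


def bandwidth_usage(rates: Dict[str, int], bandwidth: int) -> float:
    """Ratio of the group's summed current data rate to its allocated bandwidth."""
    if bandwidth <= 0:
        raise ValueError("group bandwidth must be positive")
    return sum(rates.values()) / bandwidth


def select_blackhole_terminals(
    rates: Dict[str, int], bandwidth: int, preset_threshold: float, m: int
) -> Tuple[List[str], float]:
    """Rank terminals by rate (descending) and blackhole M at a time until the
    usage of the terminals still routed normally drops to the preset threshold.

    Returns the blackholed terminals, in issue order, and the final usage ratio.
    """
    n = len(rates)
    if not 1 <= m < n:            # the text requires M < N
        raise ValueError("M must be at least 1 and smaller than the group size")
    ranked = sorted(rates, key=rates.__getitem__, reverse=True)
    still_routed = dict(rates)
    blackholed: List[str] = []
    usage = bandwidth_usage(still_routed, bandwidth)
    while usage > preset_threshold and ranked:
        batch, ranked = ranked[:m], ranked[m:]
        for terminal in batch:
            still_routed.pop(terminal)
        blackholed.extend(batch)
        # re-detect usage with the blackholed terminals removed from the sum
        usage = bandwidth_usage(still_routed, bandwidth)
    return blackholed, usage


def null_route_lines(addresses: List[str]) -> List[str]:
    """Illustrative IOS-style static routes pointing each address at Null0;
    the exact command syntax depends on the router vendor (assumption)."""
    return [f"ip route {addr} 255.255.255.255 Null0" for addr in addresses]


if __name__ == "__main__":
    victims, final_usage = select_blackhole_terminals(
        SAMPLE_RATES, GROUP_BANDWIDTH_MBPS, preset_threshold=0.8, m=2)
    print(victims, f"usage after blackholing: {final_usage:.2f}")
    print("\n".join(null_route_lines(["192.0.2.10"])))   # constructed address
```

With the sample data the group is at 100% of its bandwidth; blackholing the two highest-rate terminals brings the usage of the remaining terminals to 10%, so the loop stops after one round. Setting M to 1 stops after the first terminal, at 50%.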
Optionally, the minimum value of the black hole threshold may be determined from statistics on the peak normal inbound traffic of a certain number of users. For example, according to the statistics, the peak normal inbound traffic of 99.9% of users is below 1Gbps; 1Gbps is then taken as the minimum tolerable black hole threshold, and the calculated black hole threshold may not be lower than 1Gbps. Therefore the complete black hole threshold formula is:
Threshold = (300*(bandwidth - x)/IPnum) > 1 ? (300*(bandwidth - x)/IPnum) : 1, that is, black hole thresholds below 1Gbps are eliminated.
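The two threshold formulas above (Threshold = N*(bandwidth - x)/IPnum, and the version floored at 1Gbps) as an added Python example; it is not code from the patent. The data-center figures used, the reading of x as the group's summed current data rate (so that bandwidth - x is the remaining bandwidth), and the per-terminal trigger "own rate above the threshold" are assumptions made for the example.

```python
"""Added example (not the patent's code): the black hole threshold formula with
its 1 Gbps floor, and the per-terminal check it drives.  Units: Gbps."""
from typing import Dict, List


def black_hole_threshold(bandwidth: float, x: float, ip_num: int,
                         n: int = 300, min_threshold: float = 1.0) -> float:
    """Threshold = N*(bandwidth - x)/IPnum, never below min_threshold.

    bandwidth:     bandwidth allocated to the group (Gbps)
    x:             summed current data rate of the group's terminals (assumed meaning)
    ip_num:        total number of IPs (terminals) in the data center
    n:             1/N is the statistical share of IPs under attack (50..400 in the text)
    min_threshold: minimum tolerable threshold, 1 Gbps in the text
    """
    if ip_num <= 0 or n <= 0:
        raise ValueError("IPnum and N must be positive")
    remaining = max(bandwidth - x, 0.0)   # remaining bandwidth; clamp at 0 (assumption)
    raw = n * remaining / ip_num
    # eliminate thresholds below the minimum tolerable value
    return raw if raw > min_threshold else min_threshold


def thresholds_over_time(bandwidth: float, samples: List[float], ip_num: int) -> List[float]:
    """Re-adjust the threshold as x changes: it rises when the remaining
    bandwidth rises and falls when it falls, but never below the floor."""
    return [black_hole_threshold(bandwidth, x, ip_num) for x in samples]


def terminals_to_blackhole(rates: Dict[str, float], threshold: float) -> List[str]:
    """Terminals whose own inbound rate exceeds the threshold are the designated
    terminals for which a blackhole route is issued (assumed trigger)."""
    return [terminal for terminal, rate in rates.items() if rate > threshold]


if __name__ == "__main__":
    # Constructed sample: 100 Gbps group, 3000 IPs, summed rate rising 40 -> 70 -> 95 Gbps
    print(thresholds_over_time(100.0, [40.0, 70.0, 95.0], 3000))
    print(terminals_to_blackhole({"a": 7.5, "b": 2.0}, black_hole_threshold(100.0, 40.0, 3000)))
```

As the group's summed rate climbs, the remaining bandwidth shrinks and the threshold falls from 6 Gbps to 3 Gbps; at 95 Gbps the raw value would be 0.5 Gbps, which the floor raises back to 1 Gbps.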
It should be noted that the above modules can be realised by software or hardware; in the latter case they can take the following form, but are not limited to it: the processing module 40 and the adjusting module 42 are located in a first processor and a second processor respectively; or the processing module 40 and the adjusting module 42 are located in the same processor.
It should be noted that the preferred implementation of this embodiment may refer to the corresponding description in Embodiment 1, which is not repeated here.
Embodiment 3
Embodiments of the application may provide a terminal, which may be any computer terminal in a terminal group. Optionally, in this embodiment, the above computer terminal may also be replaced by a terminal device such as a mobile terminal.
Optionally, in this embodiment, the above computer terminal may be located in at least one of a plurality of network devices of a computer network.
In this embodiment, the above computer terminal may execute the program code of the following steps of the defence processing method for traffic attacks: obtaining the sum of the data transfer rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum; and adjusting a specified threshold according to the remaining bandwidth, wherein the threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
Optionally, Fig. 5 is a structural block diagram of an optional terminal according to an embodiment of the application. As shown in Fig. 5, terminal A may include one or more processors 51 (only one is shown in the figure), a memory 53, and a transmitting device 55 connected to a website server.
The memory 53 may be used to store software programs and modules, such as the program instructions/modules corresponding to the defence processing method and device for traffic attacks in the embodiments of the application. By running the software programs and modules stored in the memory 53, the processor 51 executes various functional applications and data processing, that is, realises the above defence processing method for traffic attacks. The memory 53 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 53 may further include memory located remotely from the processor 51; such remote memory may be connected to terminal A through a network. Examples of the above network include, but are not limited to, the internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The above transmitting device 55 is used to receive or send data via a network. Specific examples of the above network may include wired and wireless networks. In one example, the transmitting device 55 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices and a router through a network cable so as to communicate with the internet or a local area network. In another example, the transmitting device 55 is a radio frequency (RF) module used to communicate wirelessly with the internet.
Specifically, the memory 53 is used to store information on preset action conditions and preset permitted users, as well as the application program.
The processor 51 may call, through the transmitting device, the information and application program stored in the memory 53 to execute the following steps: obtaining the sum of the data transfer rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum; and adjusting a specified threshold according to the remaining bandwidth, wherein the threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
Optionally, the above processor 51 may also execute the program code of the following steps: increasing the black hole threshold when the remaining bandwidth increases; and decreasing the black hole threshold when the remaining bandwidth decreases.
Optionally, the above processor 51 may also execute the program code of the following steps: obtaining a target threshold according to the remaining bandwidth and the predetermined number; and adjusting the specified threshold according to the target threshold.
Optionally, the above processor 51 may also execute the program code of the following steps: obtaining the bandwidth usage of the predetermined number of terminals in the group, wherein the bandwidth usage is the ratio of the sum of the current data transfer rates of the predetermined number of terminals in the group to the bandwidth allocated to the group; and, when the bandwidth usage is greater than a preset threshold, gradually increasing the number of terminals for which the blackhole route is issued until the bandwidth usage is less than the preset threshold.
Optionally, the above processor 51 may also execute the program code of the following steps: sorting the predetermined number of terminals in descending order of current data transfer rate; issuing the blackhole route for the routes of the top M terminals and detecting the updated bandwidth usage ratio, wherein the updated bandwidth usage is the ratio of the sum of the data transfer rates of the remaining terminals among the predetermined number of terminals, excluding those M terminals, to the bandwidth; and, when the bandwidth usage is still greater than the second threshold, issuing the blackhole route for a further M terminals at the top of the ranking, wherein M<N.
Those skilled in the art will understand that the structure shown in Fig. 5 is only illustrative; the terminal may also be a terminal device such as a smartphone (e.g. an Android phone or iOS phone), tablet computer, palmtop computer, mobile internet device (Mobile Internet Device, MID) or PAD. Fig. 5 does not limit the structure of the above electronic device. For example, terminal A may include more or fewer components than shown in Fig. 5 (such as a network interface, display device, etc.), or have a configuration different from that shown in Fig. 5.
Those of ordinary skill in the art will understand that all or part of the steps in the methods of the above embodiments can be completed by a program instructing the hardware associated with a terminal device; the program can be stored in a computer-readable storage medium, which may include a flash disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk, optical disc, etc.
Embodiment 4
Embodiments of the application further provide a storage medium. Optionally, in this embodiment, the above storage medium may be used to store the program code executed by the defence processing method for traffic attacks provided in Embodiment 1 above.
Optionally, in this embodiment, the above storage medium may be located in any one computer terminal of a computer terminal group in a computer network, or in any one mobile terminal of a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for executing the following steps: obtaining the sum of the current data transfer rates of a predetermined number of terminals belonging to the same group; subtracting the sum from the bandwidth allocated to the group to obtain the remaining bandwidth of the group; and adjusting a black hole threshold according to the remaining bandwidth, wherein the black hole threshold is used to trigger issuing a blackhole route for a designated terminal in the above group.
It should be noted here that any one of the computer terminals in the above computer terminal group may establish a correspondence with a website server and a scanner, and the scanner may scan the value commands of the PHP web applications executed on the computer terminal.
The above embodiment numbers are for description only and do not represent the relative merits of the embodiments.
In the above embodiments of the invention, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed client may be realised in other ways. The device embodiments described above are only illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or in other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be realised in the form of hardware or in the form of a software functional unit.
If the integrated unit is realised in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the essence of the technical solution of the invention, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions for causing a computer device (which may be a personal computer, server, network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), removable hard disk, magnetic disk or optical disc.
The above are only preferred embodiments of the invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention.
Claims (11)
- 1. A defence processing method for traffic attacks, characterised by comprising: obtaining the sum of the data transfer rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum; and adjusting a specified threshold according to the remaining bandwidth, wherein the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
- 2. The method according to claim 1, characterised in that adjusting the specified threshold according to the remaining bandwidth comprises: increasing the specified threshold when the remaining bandwidth increases; and decreasing the specified threshold when the remaining bandwidth decreases.
- 3. The method according to claim 1, characterised in that adjusting the specified threshold according to the remaining bandwidth comprises: obtaining a target threshold according to the remaining bandwidth and the predetermined number; and adjusting the specified threshold according to the target threshold.
- 4. The method according to any one of claims 1 to 3, characterised in that the method further comprises: obtaining the bandwidth usage of the predetermined number of terminals in the group, wherein the bandwidth usage is the ratio of the sum of the current data transfer rates of the predetermined number of terminals in the group to the bandwidth allocated to the group; and, when the bandwidth usage is greater than a preset threshold, gradually increasing the number of terminals for which the blackhole route is issued until the bandwidth usage is less than the preset threshold.
- 5. The method according to claim 4, characterised in that gradually increasing the number of terminals for which the blackhole route is issued until the bandwidth usage is less than the preset threshold comprises: sorting the predetermined number of terminals in descending order of the current data transfer rate; issuing the blackhole route for the routes of the top M terminals and detecting the updated bandwidth usage ratio, wherein the updated bandwidth usage is the ratio of the sum of the data transfer rates of the remaining terminals among the predetermined number of terminals, excluding those M terminals, to the bandwidth; and, when the bandwidth usage is still greater than the preset threshold, issuing the blackhole route for a further M terminals at the top of the ranking, wherein M<N.
- 6. The method according to claim 1, characterised in that issuing the blackhole route for the designated terminal in the group comprises: pointing the destination address or port to which the designated terminal is connected to a Null0 interface.
- 7. A defence processing device for traffic attacks, characterised by comprising: a processing module for obtaining the sum of the current data transfer rates of a predetermined number of terminals in the same group and calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum; and an adjusting module for adjusting a specified threshold according to the remaining bandwidth, wherein the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
- 8. The device according to claim 7, characterised in that the adjusting module is further configured to increase the specified threshold when the remaining bandwidth increases, and to decrease the specified threshold when the remaining bandwidth decreases.
- 9. The device according to claim 7, characterised in that the adjusting module is further configured to obtain a target threshold according to the remaining bandwidth and the predetermined number, and to adjust the specified threshold according to the target threshold.
- 10. The device according to any one of claims 7 to 9, characterised in that the adjusting module is further configured to obtain the bandwidth usage of the predetermined number of terminals in the group, wherein the bandwidth usage is the ratio of the sum of the current data transfer rates of the predetermined number of terminals in the group to the bandwidth allocated to the group; and, when the bandwidth usage is greater than a preset threshold, to gradually increase the number of terminals for which the blackhole route is issued until the bandwidth usage is less than the preset threshold.
- 11. The device according to claim 10, characterised in that the adjusting module is further configured to sort the predetermined number of terminals in descending order of the current data transfer rate; to issue the blackhole route for the routes of the top M terminals and detect the updated bandwidth usage ratio, wherein the updated bandwidth usage is the ratio of the sum of the data transfer rates of the remaining terminals among the predetermined number of terminals, excluding those M terminals, to the bandwidth; and, when the bandwidth usage is still greater than the preset threshold, to issue the blackhole route for a further M terminals at the top of the ranking, wherein M<N.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610327224.2A CN107395554B (en) | 2016-05-17 | 2016-05-17 | Method and device for defending and processing flow attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107395554A true CN107395554A (en) | 2017-11-24 |
CN107395554B CN107395554B (en) | 2021-03-09 |
Family
ID=60338795
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610327224.2A Active CN107395554B (en) | 2016-05-17 | 2016-05-17 | Method and device for defending and processing flow attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107395554B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108965263A (en) * | 2018-06-26 | 2018-12-07 | 新华三技术有限公司 | Network attack defence method and device |
CN114124419A (en) * | 2020-08-27 | 2022-03-01 | 北京秦淮数据有限公司 | DDOS attack defense method and device |
CN114338705A (en) * | 2021-11-24 | 2022-04-12 | 阿里巴巴(中国)有限公司 | Resource water level control method, device and medium for content delivery network CDN node |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102244898A (en) * | 2010-05-14 | 2011-11-16 | 华为技术有限公司 | Group-based traffic control method, equipment and system |
CN103685315A (en) * | 2013-12-30 | 2014-03-26 | 曙光云计算技术有限公司 | Method and device for defending denial of service attack |
US20160036843A1 (en) * | 2014-08-01 | 2016-02-04 | Honeywell International Inc. | Connected home system with cyber security monitoring |
- 2016-05-17: CN201610327224.2A, patent CN107395554B (CN), status: Active
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108965263A (en) * | 2018-06-26 | 2018-12-07 | 新华三技术有限公司 | Network attack defence method and device |
CN108965263B (en) * | 2018-06-26 | 2021-06-08 | 新华三技术有限公司 | Network attack defense method and device |
CN114124419A (en) * | 2020-08-27 | 2022-03-01 | 北京秦淮数据有限公司 | DDOS attack defense method and device |
CN114338705A (en) * | 2021-11-24 | 2022-04-12 | 阿里巴巴(中国)有限公司 | Resource water level control method, device and medium for content delivery network CDN node |
CN114338705B (en) * | 2021-11-24 | 2023-12-01 | 阿里巴巴(中国)有限公司 | Resource water level control method, equipment and medium for CDN node of content delivery network |
Also Published As
Publication number | Publication date |
---|---|
CN107395554B (en) | 2021-03-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11153336B2 (en) | Network security analysis for smart appliances | |
Dao et al. | Securing heterogeneous IoT with intelligent DDoS attack behavior learning | |
CN104967588B (en) | Protection method, apparatus and system for distributed denial of service DDoS (distributed denial of service) attack | |
CN106921666B (en) | DDoS attack defense system and method based on cooperative theory | |
CN108234404B (en) | Defense method, system and related equipment for DDoS attack | |
CN104219218B (en) | A kind of method and device of active safety defence | |
CN107623663A (en) | Handle the method and device of network traffics | |
CN105991637B (en) | The means of defence and device of network attack | |
Baig et al. | Controlled access to cloud resources for mitigating Economic Denial of Sustainability (EDoS) attacks | |
US20130283373A1 (en) | Techniques for separating the processing of clients' traffic to different zones | |
CN107135187A (en) | Preventing control method, the apparatus and system of network attack | |
US20140298399A1 (en) | Apparatus and method for detecting anomality sign in controll system | |
CN103561011A (en) | Method and system for preventing blind DDoS attacks on SDN controllers | |
CN106357685A (en) | Method and device for defending distributed denial of service attack | |
CN101018156A (en) | Method, device and system for preventing the broadband rejection service attack | |
CN101286996A (en) | Storm attack resisting method and apparatus | |
CN107645478A (en) | Network attack defending system, method and device | |
CN108183950A (en) | A kind of network equipment establishes the method and device of connection | |
CN108092940B (en) | DNS protection method and related equipment | |
CN107346259A (en) | A kind of implementation method of Dynamical Deployment security capabilities | |
CN107395554A (en) | The defence processing method and processing device of flow attacking | |
CN109587156A (en) | Abnormal network access connection identification and blocking-up method, system, medium and equipment | |
CN107154915A (en) | The method of defending distributed refusal service DDoS attack, apparatus and system | |
CN108028828A (en) | A kind of distributed denial of service ddos attack detection method and relevant device | |
CN104160735B (en) | Send out message processing method, transponder, message processor, message handling system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||