CN107395554A - Defense processing method and device for traffic attacks - Google Patents

Info

Publication number: CN107395554A (granted version: CN107395554B)
Application number: CN201610327224.2A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 李晗
Assignee (original and current): Alibaba Group Holding Ltd
Legal status: granted; active

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441  Countermeasures against malicious traffic
    • H04L 63/1458  Denial of Service

Abstract

This application discloses a defense processing method and device for traffic attacks. The method includes: obtaining the sum of the current data transfer rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group from the bandwidth allocated to the group and that sum; and adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger the issuing of a blackhole route for a designated terminal in the group.

Description

Defense processing method and device for traffic attacks
Technical field
The present invention relates to the field of network security, and in particular to a defense processing method and device for traffic attacks.
Background technology
At present, large-volume traffic attacks are increasingly common. For example, a distributed denial of service (DDoS) attack works by finding the attacked party's resource bottleneck and consuming that resource until the attacked party's service becomes unavailable. In Internet services, server CPU, memory, bandwidth and databases can all become the bottleneck. Because bandwidth is expensive, DDoS attacks against bandwidth are among the more serious attack patterns faced by a cloud computing service platform.
When attack traffic exceeds what the service owner can tolerate, the service owner sometimes shields the attacked IP address by issuing a blackhole route in the carrier's network, so that all DDoS traffic is discarded in the backbone and other services in the same group (for example the same machine room) are not affected. The blackhole policy in general use today is to set a fixed blackhole threshold for each IP address based on experience (for example 2 Gbps); when the attack traffic against an IP address exceeds the threshold, a blackhole route to that IP address is issued. A simple blackhole threshold set on a cloud machine room does not produce the expected DDoS protection.
The content of the invention
The embodiments of this application provide a defense processing method and device for traffic attacks, so as to at least solve the technical problem that resources cannot be used fully and reasonably.
According to one aspect of the embodiments of this application, a defense processing method for traffic attacks is provided, including: obtaining the sum of the data transfer rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group from the bandwidth allocated to the group and the sum; and adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
According to another aspect of the embodiments of this application, a defense processing device for traffic attacks is also provided, including: a processing module, for obtaining the sum of the current data transfer rates of a predetermined number of terminals in the same group and calculating the remaining bandwidth of the group from the bandwidth allocated to the group and the sum; and an adjusting module, for adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
In the embodiments of this application, the specified threshold is adjusted in real time according to the remaining bandwidth of the group. The blackhole threshold can therefore be adjusted flexibly and resources used fully and reasonably, which solves the technical problem that resources cannot be used fully and reasonably.
Brief description of the drawings
The accompanying drawings described here are provided for a further understanding of the invention and form part of this application; the schematic embodiments of the invention and their description explain the invention and do not limit it improperly. In the drawings:
Fig. 1 is a hardware block diagram of a computer terminal for the traffic-attack defense processing method of an embodiment of this application;
Fig. 2 is a flow chart of an optional traffic-attack defense processing method according to an embodiment of this application;
Fig. 3 is a schematic diagram of the relation between the blackhole threshold and the water line according to an optional embodiment of this application;
Fig. 4 is a structural block diagram of an optional traffic-attack defense processing device according to an embodiment of this application;
Fig. 5 is a structural block diagram of an optional computer terminal according to an embodiment of this application.
Embodiments
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are obviously only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and the like in the description, claims and drawings are used to distinguish similar objects and not to describe a particular order or sequence. Data used in this way may be interchanged where appropriate, so that the embodiments described here can be implemented in an order other than the one illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion: a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to that process, method, product or device.
For ease of understanding, the technical terms involved in the embodiments of this application are summarized as follows:
DDoS attack: an attack in which, using client/server technology, multiple computers are joined together as an attack platform and launch a denial-of-service attack against one or more targets, multiplying the power of the attack. Typically the attacker installs a DDoS master program on one computer; at a set time the master program communicates with a large number of agent programs that have been installed on many computers on the Internet, and the agents launch the attack when they receive the instruction. Using client/server technology, the master program can activate hundreds or thousands of agents within seconds.
Traffic cleaning: a DDoS traffic cleaning system consists of three parts: traffic detection, traffic cleaning, and monitoring and management. The traffic detection device detects malicious attack traffic hidden in network traffic and, when an attack is found, promptly notifies and activates the protection device to clean the traffic. The traffic cleaning device, a dedicated traffic purification product, redirects suspicious traffic from its original network path to the purification product, where malicious traffic is identified and stripped; the restored legitimate traffic is injected back into the original network and forwarded to the target system, while the forwarding path of other legitimate traffic is unaffected. The monitoring and management system centrally manages and configures the cleaning devices, displays real-time traffic, alarm events and status information, and produces traffic analysis and attack protection reports in a timely manner.
Blackhole route: a route that absorbs all matching traffic, with no return path; usually a static route entry created manually by the administrator. The administrator points the address concerned at the null0 interface, which has a very small effect on system load.
Cloud computing environment: an environment (or platform) for the addition, use and delivery of Internet-based services, usually involving the provision of dynamically scalable, often virtualized, resources over the Internet.
Water line of traffic: the current inbound traffic of the group (machine room), that is, the total traffic currently flowing into the group (the sum of the current data transfer rates of the terminals in the group);
Group: also called a network group; may be the group formed by the terminals accessing the same machine room, but is not limited to this.
Embodiment 1
According to the embodiments of this application, a method embodiment of the defense processing method for traffic attacks is also provided. It should be noted that the steps shown in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from the one here.
The method embodiment provided in Embodiment 1 may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking a computer terminal as an example, Fig. 1 is a hardware block diagram of a computer terminal for the traffic-attack defense processing method of an embodiment of this application. As shown in Fig. 1, computer terminal 10 may include one or more processors 102 (only one is shown; processor 102 may include, but is not limited to, a processing unit such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmitting device 106 for communication. Those skilled in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the electronic device; for example, computer terminal 10 may include more or fewer components than shown in Fig. 1, or a configuration different from the one shown.
Memory 104 may store software programs and modules of application software, such as the program instructions/modules corresponding to the traffic-attack defense processing method in the embodiments of this application; processor 102 runs the software programs and modules stored in memory 104 to perform various functional applications and data processing, that is, to implement the method above. Memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples memory 104 may further include memory located remotely from processor 102 and connected to computer terminal 10 over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations of these.
Transmitting device 106 receives or sends data over a network. A specific example of the network is a wireless network provided by the communication provider of computer terminal 10. In one example, transmitting device 106 includes a network interface controller (NIC), which can connect through a base station and other network equipment so as to communicate with the Internet. In another example, transmitting device 106 may be a radio frequency (RF) module used to communicate wirelessly with the Internet.
In the operating environment above, this application provides the traffic-attack defense processing method shown in Fig. 2. The method can be applied to traffic-attack scenarios such as a cloud machine room. Taking a cloud machine room as an example: the blackhole threshold is fixed, and the same blackhole threshold is allocated to different groups, so it cannot be adjusted flexibly to the actual situation of each machine room. For example, different cloud machine rooms have different bandwidth, and setting the same blackhole threshold for a machine room with large bandwidth and one with small bandwidth is unreasonable; the bandwidth allocated to a machine room may also change, so if the blackhole threshold stays constant, resources clearly cannot be used fully and reasonably. For these problems the embodiments of this application provide a corresponding solution, described further below.
Fig. 2 is a flow chart of an optional traffic-attack defense processing method according to an embodiment of this application. As shown in Fig. 2, the method includes steps S202 to S206:
Step S202: obtain the sum of the current data transfer rates of a predetermined number of terminals in the same group.
Optionally, the predetermined number can be set flexibly according to actual conditions; sometimes it is the number of all terminals in the group, and it may also be the number of some of the terminals in the group (for example the number of terminals in the group that satisfy a certain condition).
Step S204: calculate the remaining bandwidth of the group from the bandwidth allocated to the group and the sum above.
Optionally, the remaining bandwidth can be calculated in several ways, for example by taking the difference between the bandwidth allocated to the group and the sum above. Taking the remaining bandwidth (also called spare bandwidth) of a machine room as an example: the water line of traffic is the current inbound traffic x of the machine room and the bandwidth of the machine room is bandwidth, so the spare bandwidth of the machine room, that is, the total amount available to resist a traffic attack, is (bandwidth - x).
Step S206: adjust the specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a blackhole route for a designated terminal in the group.
To use resources reasonably, the relation between the remaining bandwidth and the specified threshold can be defined as a positive correlation when the specified threshold is adjusted: the specified threshold increases as the remaining bandwidth increases and decreases as the remaining bandwidth decreases. The specified threshold is then adjusted according to this relation: when the remaining bandwidth increases, the specified threshold is increased; when the remaining bandwidth decreases, the specified threshold is decreased.
It should be noted that the specified threshold can be the blackhole threshold.
Optionally, "issuing a blackhole route for a designated terminal in the group" can take the following form: the destination address or port that the designated terminal is connected to is pointed at the null0 interface.
Further, there are several ways to implement the adjustment of the specified threshold in accordance with this positive correlation. For example, a correspondence list of remaining bandwidth and specified threshold can be established, with the remaining bandwidth and the specified threshold arranged in descending order of value. A remaining-bandwidth element in the list can be a value range: when the current remaining bandwidth falls into a given range, the specified threshold is the one corresponding to that range, as shown in Table 1.
Table 1
Remaining bandwidth (Gbps)    Specified threshold (Gbps)
70-80                         3
50-60                         2
30-40                         1
The specified threshold can of course be determined in other ways, for example: obtain a target threshold from the remaining bandwidth and the predetermined number, then adjust the specified threshold according to the target threshold.
The target threshold can be obtained in several ways. In one alternative embodiment it is obtained as Threshold = (1/a) * (bandwidth - x) / IPnum, where Threshold is the target threshold, a is a constant greater than 0 and less than 1, bandwidth is the bandwidth allocated to the group, x is the sum above, (bandwidth - x) is the remaining bandwidth, and IPnum is the predetermined number (which may be the number of all terminals); the specified threshold is then adjusted according to the target threshold.
Optionally, a is a preset ratio representing the proportion of the predetermined number of terminals (which may be the total number of terminals in the group) that are under traffic attack. The value of a can be determined from experimental or statistical results.
The determination of the specified threshold is illustrated below with the traffic-attack scenario of a machine room:
The total number of IP addresses in the machine room is IPnum. According to statistics, in the attacks a cloud machine room frequently suffers, the proportion of IP addresses attacked is about 1/N. Assuming the extreme case in which all of these IP addresses are attacked at the same time, the total number of attacked IP addresses is IPnum/N.
Therefore the formula for the blackhole threshold can be derived as:
Threshold = N * (bandwidth - x) / IPnum, where the value of N is determined by actual conditions, for example 50, 100, 150, 200, 300 or 400, and x is the inbound traffic flowing into the machine room.
Further, the minimum blackhole threshold can be determined from the statistical peak of the normal inbound traffic of a certain number of users, for example:
According to the data statistics, the normal inbound traffic peak of 99.9% of users is below 1 Gbps, so 1 Gbps is taken as the minimum tolerable blackhole threshold, and the calculated blackhole threshold cannot be lower than 1 Gbps. Taking N = 300, the complete blackhole threshold formula is therefore:
Threshold = (300 * (bandwidth - x) / IPnum) > 1 ? (300 * (bandwidth - x) / IPnum) : 1, that is, blackhole thresholds below 1 Gbps are excluded.
To understand the relation between the blackhole threshold and the water line (the inbound traffic x flowing into the machine room, that is, the sum of the data transfer rates of the terminals in the machine room), take a machine room with 100 Gbps bandwidth and traffic to 10000 IP addresses as an example; the relation between different water lines and the blackhole threshold is then as shown in Fig. 3.
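The threshold rule above, as an added worked example in Python (not code from the patent or from Alibaba): it computes the remaining bandwidth (bandwidth - x), the target threshold N * (bandwidth - x) / IPnum with the 1 Gbps floor, and the table-driven alternative of Table 1. Function and field names are assumptions; the figures used are the worked case in the text (a 100 Gbps machine room, 10000 IP addresses, N = 300).

```python
"""Blackhole threshold driven by a group's remaining bandwidth.

Added example, not code from the patent or from Alibaba. Names are
assumptions; the sample figures match the worked case in the text
(a 100 Gbps machine room, 10000 IP addresses, N = 300, 1 Gbps floor).
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class GroupState:
    bandwidth_gbps: float  # bandwidth allocated to the group (e.g. one machine room)
    inbound_gbps: float    # water line x: sum of the terminals' current inbound rates
    ip_count: int          # IPnum: number of terminals counted in the group


def remaining_bandwidth(state: GroupState) -> float:
    """Spare bandwidth left to absorb an attack: bandwidth - x (never negative)."""
    return max(state.bandwidth_gbps - state.inbound_gbps, 0.0)


def blackhole_threshold(state: GroupState, n: int = 300, floor_gbps: float = 1.0) -> float:
    """Threshold = N * (bandwidth - x) / IPnum, but never below floor_gbps.

    N is 1/a, the inverse of the assumed fraction of terminals attacked at
    once. The floor is the largest normal per-terminal peak that must be
    tolerated (1 Gbps for 99.9% of users in the text), so a busy room does
    not drive the threshold down to where normal traffic gets black-holed.
    """
    if state.ip_count <= 0:
        raise ValueError("ip_count must be positive")
    raw = n * remaining_bandwidth(state) / state.ip_count
    return raw if raw > floor_gbps else floor_gbps


# Table-driven alternative (Table 1): (low, high, threshold) in Gbps,
# listed in descending order of remaining bandwidth as in the text.
THRESHOLD_TABLE: Sequence[Tuple[float, float, float]] = (
    (70.0, 80.0, 3.0),
    (50.0, 60.0, 2.0),
    (30.0, 40.0, 1.0),
)


def table_threshold(remaining_gbps: float,
                    table: Sequence[Tuple[float, float, float]] = THRESHOLD_TABLE) -> Optional[float]:
    """Threshold for the range containing remaining_gbps; None if no range matches."""
    for low, high, threshold in table:
        if low <= remaining_gbps <= high:
            return threshold
    return None


def should_blackhole(terminal_rate_gbps: float, state: GroupState, **kwargs) -> bool:
    """A terminal is black-holed when its own inbound rate exceeds the current threshold."""
    return terminal_rate_gbps > blackhole_threshold(state, **kwargs)


if __name__ == "__main__":
    # Sweep the water line of the 100 Gbps / 10000-address room of Fig. 3.
    for x in (0.0, 50.0, 70.0, 90.0):
        state = GroupState(bandwidth_gbps=100.0, inbound_gbps=x, ip_count=10000)
        print(f"water line {x:5.1f} Gbps -> threshold {blackhole_threshold(state):.2f} Gbps")
```

With the sweep in the block, the threshold falls linearly from 3 Gbps at an empty room to 0.9 Gbps at a 70 Gbps water line, where the floor takes over; without the floor, a room running near its allocated bandwidth would black-hole every address whose normal traffic is above a few hundred Mbps, which is why the minimum is a hard part of the rule rather than a tuning detail. Table 1 in the text leaves gaps between its ranges (40-50, 60-70); the lookup returns None there, and a deployment has to decide what that means rather than silently keeping the last value.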
In an alternative embodiment of this application, when the traffic flowing into the group (for example a machine room) is clearly higher than normal, merely lowering the blackhole threshold does not meet the requirement. To further ensure the stability of the group's services, the routes of the terminals (or IP addresses) accessing the group can also be turned into blackhole routes, that is, blackhole route processing is performed. Specifically, this can be achieved as follows, without limitation: obtain the bandwidth usage of the predetermined number of terminals in the group, where the bandwidth usage is the ratio of the sum of the current data transfer rates of the predetermined number of terminals in the group to the bandwidth allocated to the group; when the bandwidth usage exceeds a preset threshold, gradually increase the number of terminals for which the blackhole route is issued until the bandwidth usage is below the preset threshold.
There are several ways to implement "gradually increasing the number of terminals for which the blackhole route is issued until the bandwidth usage is below the preset threshold", such as increasing the number of terminals one by one, or first issuing blackhole routes for low-priority terminals according to a preset priority and then increasing step by step.
In an alternative embodiment of this application, this can also be achieved as follows: sort the predetermined number of terminals in descending order of current data transfer rate; issue the blackhole route for the routes of the top M terminals and detect the updated bandwidth usage, where the updated bandwidth usage is the ratio of the sum of the data transfer rates of the remaining terminals (the predetermined number of terminals excluding those M terminals) to the bandwidth; when the bandwidth usage is still greater than the preset threshold (the second threshold), issue the blackhole route for the top N terminals, where M < N. Because blackhole routes are issued for terminals in batches, the efficiency of traffic-attack defense can be improved.
Taking machine-room traffic as an example: when the machine-room traffic is clearly higher than normal, merely lowering the blackhole threshold clearly cannot meet the stability requirement of the machine room, so an emergency means is needed to ensure the stability of the cloud machine room. A traffic water-line danger value can be set, for example 80%. When the traffic water line exceeds this value, the IP addresses of the machine room's inbound traffic are ranked, the top 10 IP addresses are black-holed first, and whether the water line has dropped is checked; otherwise the top 20 IP addresses are black-holed, and so on, until the water line is below 80%.
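The ranking-based emergency procedure of the two paragraphs above, as an added worked example in Python (not code from the patent or from Alibaba): terminals are sorted by current inbound rate, the top M are black-holed, the water line is recomputed over the survivors, and the set grows to the top N (M < N) until the water line is below the danger value. The addresses and rates are constructed sample data; the batch size and the 80% danger value are the worked figures from the text, and all names are assumptions.

```python
"""Emergency black-holing by inbound-rate ranking when the water line is dangerous.

Added example, not code from the patent or from Alibaba. The addresses
and rates below are constructed sample data; the ranking step (top 10,
then top 20, ...) follows the worked description in the text.
"""
from typing import Dict, Iterable, List


def bandwidth_usage(rates_gbps: Iterable[float], bandwidth_gbps: float) -> float:
    """Water line as a fraction of the group's allocated bandwidth."""
    return sum(rates_gbps) / bandwidth_gbps


def emergency_blackhole(rates_by_ip: Dict[str, float], bandwidth_gbps: float,
                        danger: float = 0.8, step: int = 10) -> List[str]:
    """Return the addresses to black-hole, highest inbound rate first.

    Nothing is black-holed while usage is at or below `danger`. Otherwise
    terminals are ranked by current inbound rate; the top `step` are
    black-holed and usage is recomputed over the survivors. If it is still
    not below `danger`, the set grows to the top 2*step, 3*step, ... until
    the water line drops or every terminal is black-holed.
    """
    if bandwidth_usage(rates_by_ip.values(), bandwidth_gbps) <= danger:
        return []
    ranked = sorted(rates_by_ip, key=rates_by_ip.__getitem__, reverse=True)
    m = step
    while m < len(ranked):
        survivors = (rates_by_ip[ip] for ip in ranked[m:])
        if bandwidth_usage(survivors, bandwidth_gbps) < danger:
            break
        m += step
    return ranked[:m]


# Constructed sample: a 100 Gbps room, five addresses under attack at
# 15 Gbps each and 25 addresses at a normal 0.5 Gbps. Water line = 87.5%.
SAMPLE_BANDWIDTH_GBPS = 100.0
SAMPLE_RATES: Dict[str, float] = {f"198.51.100.{i}": 15.0 for i in range(1, 6)}
SAMPLE_RATES.update({f"203.0.113.{i}": 0.5 for i in range(1, 26)})


if __name__ == "__main__":
    before = bandwidth_usage(SAMPLE_RATES.values(), SAMPLE_BANDWIDTH_GBPS)
    victims = emergency_blackhole(SAMPLE_RATES, SAMPLE_BANDWIDTH_GBPS)
    after = bandwidth_usage((r for ip, r in SAMPLE_RATES.items() if ip not in victims),
                            SAMPLE_BANDWIDTH_GBPS)
    print(f"usage {before:.1%} -> black-hole {len(victims)} addresses -> usage {after:.1%}")
```

On the sample data the default batch of 10 black-holes the five attacked addresses and five normal ones alongside them, because the batch is larger than the number of attacked terminals; a batch of 5 removes exactly the attacked set. The batch size is therefore a trade-off between how quickly the water line is brought down and how many unattacked terminals are taken offline with it, which is the caveat to weigh before copying the text's top-10/top-20 figures into a deployment.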
In summary, the embodiments of this application achieve the following beneficial effects. Instead of setting a fixed threshold for each IP address, the blackhole threshold of the group is calculated and automatically adjusted from the bandwidth and the traffic water line; when the traffic reaches a certain water line, every IP address whose traffic exceeds this threshold is black-holed. The traffic water line is monitored, and the blackhole threshold is calculated and adjusted automatically according to the amount of spare bandwidth; when the machine-room traffic water line is at a relatively dangerous high level, blackhole route processing is performed according to the ranking of IP traffic.
It should be noted that, for brevity, each of the method embodiments above is described as a series of action combinations; those skilled in the art should know that this application is not limited by the order of the actions described, since according to this application some steps may be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and that the actions and modules involved are not necessarily required by this application.
From the description of the embodiments above, those skilled in the art can clearly understand that the method of the embodiments can be implemented by software plus the necessary general hardware platform, or by hardware, but in many cases the former is the better implementation. On this understanding, the technical solution of this application, or the part of it that contributes to the prior art, can be embodied as a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) that includes instructions causing a terminal device (which may be a mobile phone, computer, server or network device) to perform the method described in the embodiments of the invention.
Embodiment 2
According to the embodiment of the present application, a kind of device for being used to implement the defence processing method of above-mentioned flow attacking is additionally provided, As shown in figure 4, the device includes:
Processing module 40, for obtaining the summation of the current data transfer rate of predetermined quantity terminal in same group, with And according to the bandwidth for the group allocation and the summation, calculate the remaining bandwidth of the group;" group " herein Implication can be to access the group that the terminal of same computer room be formed, but not limited to this.
Adjusting module 42, for adjusting specified threshold according to above-mentioned remaining bandwidth, wherein, above-mentioned specified threshold is used to touch Send out and issue blackhole route for the designated terminal in above-mentioned group.
By taking the remaining bandwidth (bandwidth also known as more than needed) of computer floor as an example:The waterline of flow is currently entering for computer room Flow x, a width of bandwidth of computer room band, therefore, computer room is had more than needed bandwidth, you can for the total of resistance flow attacking Amount is (bandwidth-x).
Wherein,, can be by remaining bandwidth and black hole threshold value rationally to utilize resource when being adjusted to black hole threshold value Contextual definition be positive correlation, i.e. black hole threshold value increases with the increase of remaining bandwidth, with the reduction of remaining bandwidth And reduce.Based on above-mentioned principle, in the alternative embodiment of the application, adjusting module 42, it is additionally operable to above-mentioned When remaining bandwidth increases, increase above-mentioned black hole threshold value;When above-mentioned remaining bandwidth reduces, reduce above-mentioned black hole threshold value.
Alternatively, adjusting module 42, it is additionally operable to, according to above-mentioned remaining bandwidth and above-mentioned predetermined quantity, obtain targets threshold; And adjust above-mentioned specified threshold according to above-mentioned targets threshold.Alternatively, targets threshold is obtained in such a way; Threshold=(1/a) * (bandwidth-x)/IPnum, wherein, Threshold represents above-mentioned target threshold Value, a are the constant more than 0 and less than 1, and bandwidth is expressed as the bandwidth of above-mentioned group allocation, and x represents above-mentioned Summation, IPnum represent the number (can be the quantity of all terminals in group) of predetermined quantity terminal in group;And Above-mentioned black hole threshold value is adjusted according to above-mentioned targets threshold.Alternatively, a is ratio set in advance, and the ratio is used for table Show by shared by the terminal of flow attacking in group total number of terminals ratio.A value can according to experimental result or Statistical result determines.
Below in conjunction with the determination mode for illustrating black hole threshold value exemplified by the flow attacking scene of computer room:The IP sums of computer room are IPnum, it is about 1/N in the IP accountings for the attack that cloud computer room is frequently subjected to, it is assumed that extreme feelings according to statistics These IP are attacked simultaneously under condition, then the IP sums attacked are IPnum/N.Therefore, it can be deduced that black The calculation formula of hole threshold value:
Threshold=N* (bandwidth-x)/IPnum, wherein, N value determines according to actual conditions, Such as can be using value as 50,100,150,200,300,400 etc..
In the alternative embodiment of the application, adjusting module 42, it is additionally operable to obtain above-mentioned predetermined number in above-mentioned group The bandwidth usage of terminal is measured, wherein, above-mentioned bandwidth usage is the current of above-mentioned predetermined quantity terminal in above-mentioned group The ratio of the summation of message transmission rate and the bandwidth for above-mentioned group allocation;It is more than default threshold in above-mentioned bandwidth usage During value, the terminal quantity of above-mentioned blackhole route is issued in gradually increase, until above-mentioned bandwidth usage is less than above-mentioned default threshold Value.
There are several ways to implement the process of "progressively increasing the number of terminals for which the blackhole route is issued until the above ratio falls below the preset threshold", such as increasing the number of terminals for which a blackhole route is issued one at a time, or issuing a blackhole route first to the lowest-priority terminals according to a preset priority and then widening step by step. In one alternative embodiment of the application it is realised by the following functions of adjusting module 42:
Adjusting module 42 is further configured to sort the predetermined quantity of terminals by current data transfer rate in descending order; to issue the blackhole route for the routes of the top M terminals and detect the updated bandwidth usage, the updated bandwidth usage being the ratio of the summed data transfer rate of the terminals remaining after the M terminals are excluded to the bandwidth; and, when the bandwidth usage is still greater than the second threshold (the preset bandwidth-usage threshold), to issue the blackhole route for a further M top-ranked terminals, where M < N.
Optionally, the minimum value of the black hole threshold can be determined from statistics on the peak normal inbound traffic of a certain number of users. For example, if the data show that the peak normal inbound traffic of 99.9% of users is below 1 Gbps, 1 Gbps is taken as the smallest black hole threshold that can be tolerated, and the calculated black hole threshold may not fall below 1 Gbps. The complete black hole threshold formula is therefore:
Threshold = (300 * (bandwidth - x) / IPnum) > 1 ? (300 * (bandwidth - x) / IPnum) : 1 (in Gbps), i.e. black hole thresholds below 1 Gbps are eliminated.
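The threshold formula above, the remaining-bandwidth calculation, the bandwidth-usage escalation of the preceding paragraphs (sort by rate, black-hole the top M, re-measure) and the Null0 route of claim 6, worked through in Python as an added example that is not part of the patent or of any Alibaba implementation. The group of 3,000 IPs and their rates, N = 300, the 1 Gbps floor, the 80% usage limit and M = 2 are constructed assumptions, and the IOS-style `ip route ... Null0` text is only one way to render the blackhole route.

```python
"""Added example (not the patent's own code): the black-hole threshold
Threshold = N*(bandwidth - x)/IPnum with the 1 Gbps floor, the
per-terminal trigger, and the bandwidth-usage escalation that black-holes
the top-M senders in rounds. All rates are in bits per second."""
from dataclasses import dataclass

GBPS = 1_000_000_000


@dataclass(frozen=True)
class Terminal:
    ip: str        # the terminal's (destination) IP address
    rate_bps: int  # its current inbound data rate


def remaining_bandwidth(bandwidth_bps, terminals):
    """bandwidth - x, where x is the summed current rate of the group."""
    return bandwidth_bps - sum(t.rate_bps for t in terminals)


def blackhole_threshold(bandwidth_bps, terminals, n=300, floor_bps=GBPS):
    """Threshold = N*(bandwidth - x)/IPnum, never below floor_bps (1 Gbps in
    the text). N = 1/a, a being the assumed share of attacked IPs (1/300 here,
    a constructed assumption)."""
    ipnum = len(terminals)
    if ipnum == 0:
        raise ValueError("empty group")
    raw = n * remaining_bandwidth(bandwidth_bps, terminals) / ipnum
    return max(raw, floor_bps)


def terminals_over_threshold(bandwidth_bps, terminals, n=300, floor_bps=GBPS):
    """IPs whose inbound rate exceeds the current black-hole threshold."""
    thr = blackhole_threshold(bandwidth_bps, terminals, n, floor_bps)
    return [t.ip for t in terminals if t.rate_bps > thr]


def bandwidth_usage(bandwidth_bps, terminals):
    """Summed current rate of the group divided by its allocated bandwidth."""
    return sum(t.rate_bps for t in terminals) / bandwidth_bps


def escalate(bandwidth_bps, terminals, usage_limit, m):
    """Black-hole the M largest senders per round until usage < usage_limit.
    Returns the black-holed IPs in the order they were cut off."""
    if m < 1 or m >= len(terminals):
        raise ValueError("need 1 <= M < number of terminals")
    remaining = sorted(terminals, key=lambda t: t.rate_bps, reverse=True)
    blackholed = []
    # Re-measure usage over the terminals that are still routed normally.
    while remaining and bandwidth_usage(bandwidth_bps, remaining) > usage_limit:
        batch, remaining = remaining[:m], remaining[m:]
        blackholed.extend(t.ip for t in batch)
    return blackholed


def blackhole_routes(ips):
    """Claim 6 rendered as static host routes to Null0. The IOS-style syntax is
    an assumption; on Linux the equivalent is `ip route add blackhole IP/32`."""
    return [f"ip route {ip} 255.255.255.255 Null0" for ip in ips]


def make_group(normal_count, normal_rate_bps, targets):
    """Constructed sample: normal_count well-behaved IPs plus attacked targets."""
    group = [Terminal(f"10.0.{i // 256}.{i % 256}", normal_rate_bps)
             for i in range(normal_count)]
    group += [Terminal(ip, rate) for ip, rate in targets]
    return group


if __name__ == "__main__":
    bandwidth = 100 * GBPS
    # 3000 IPs: 2998 at 10 Mbps, two under attack at 8 and 3 Gbps (constructed).
    g = make_group(2998, 10_000_000,
                   [("198.51.100.10", 8 * GBPS), ("198.51.100.20", 3 * GBPS)])
    print("threshold:", blackhole_threshold(bandwidth, g) / GBPS, "Gbps")
    print("over threshold:", terminals_over_threshold(bandwidth, g))
    # Heavier attack: remaining bandwidth collapses, the floor applies, usage ~95%.
    h = make_group(2998, 10_000_000,
                   [("198.51.100.10", 40 * GBPS), ("198.51.100.20", 20 * GBPS),
                    ("198.51.100.30", 5 * GBPS)])
    print("threshold:", blackhole_threshold(bandwidth, h) / GBPS, "Gbps")
    print("\n".join(blackhole_routes(escalate(bandwidth, h, usage_limit=0.8, m=2))))
```

Two things the numbers show that the formulas alone do not: under the heavier attack the remaining bandwidth collapses, the computed threshold (0.502 Gbps) is pulled up to the 1 Gbps floor, and the escalation stops after a single round of M = 2 because the two largest targets carry almost all of the excess, so the 5 Gbps target keeps its normal route.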
It should be noted that the above modules can be realised in software or in hardware; in the latter case they can take, without limitation, the following form: processing module 40 and adjusting module 42 are located in a first processor and a second processor respectively, or processing module 40 and adjusting module 42 are located in the same processor.
It should be noted that the preferred implementations in this embodiment may refer to the related description in Embodiment 1, which is not repeated here.
Embodiment 3
An embodiment of the application may provide a terminal, which may be any computer terminal in a group of computer terminals. Optionally, in this embodiment the above computer terminal may also be replaced by a terminal device such as a mobile terminal.
Optionally, in this embodiment, the above computer terminal may be at least one of multiple network devices in a computer network.
In this embodiment, the above computer terminal can execute the program code of the following steps of the defence processing method for a traffic attack: obtaining the summation of the data transfer rates of a predetermined quantity of terminals in the same group; calculating the remaining bandwidth of the group from the bandwidth allocated to the group and the summation; and adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger the issuing of a blackhole route for a designated terminal in the group.
Optionally, Fig. 5 is a structural block diagram of an optional terminal according to an embodiment of the application. As shown in Fig. 5, terminal A may include one or more processors 51 (only one is shown in the figure), a memory 53, and a transmitting device 55 connected to a website server.
Memory 53 can be used to store software programs and modules, such as the program instructions/modules corresponding to the defence processing method and device for a traffic attack in the embodiments of the application. Processor 51 performs the various function applications and data processing, i.e. realises the above defence processing method for a traffic attack, by running the software programs and modules stored in memory 53. Memory 53 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, memory 53 may further include memory located remotely from processor 51, and these remote memories can be connected to terminal A over a network. Examples of such a network include, but are not limited to, the internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The above transmitting device 55 is used to receive or send data via a network. Specific examples of the above network may include wired and wireless networks. In one example, transmitting device 55 includes a network interface controller (NIC), which can be connected to other network devices and routers by network cable so as to communicate with the internet or a local area network. In one example, transmitting device 55 is a radio frequency (RF) module used to communicate wirelessly with the internet.
Specifically, memory 53 is used to store the preset action conditions, the information of preset permitted users, and the application program.
Processor 51 can call, through the transmitting device, the information and application program stored in memory 53 in order to perform the following steps: obtaining the summation of the data transfer rates of a predetermined quantity of terminals in the same group; calculating the remaining bandwidth of the group from the bandwidth allocated to the group and the summation; and adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger the issuing of a blackhole route for a designated terminal in the group.
Optionally, the above processor 51 can also execute the program code of the following steps: when the remaining bandwidth increases, increasing the black hole threshold; when the remaining bandwidth decreases, decreasing the black hole threshold.
Optionally, the above processor 51 can also execute the program code of the following steps: obtaining a target threshold from the remaining bandwidth and the predetermined quantity; adjusting the specified threshold according to the target threshold.
Optionally, the above processor 51 can also execute the program code of the following steps: obtaining the bandwidth usage of the predetermined quantity of terminals in the group, where the bandwidth usage is the ratio of the summed current data transfer rate of those terminals to the bandwidth allocated to the group; when the bandwidth usage exceeds a preset threshold, progressively increasing the number of terminals for which the blackhole route is issued until the bandwidth usage falls below the preset threshold.
Optionally, the above processor 51 can also execute the program code of the following steps: sorting the predetermined quantity of terminals by current data transfer rate in descending order; issuing the blackhole route for the routes of the top M terminals and detecting the updated bandwidth usage, the updated bandwidth usage being the ratio of the summed data transfer rate of the terminals remaining after the M terminals are excluded to the bandwidth; when the bandwidth usage is still greater than the second threshold, issuing the blackhole route for a further M top-ranked terminals, where M < N.
Those skilled in the art will appreciate that the structure shown in Fig. 5 is only illustrative; the terminal may also be a terminal device such as a smartphone (e.g. an Android phone or an iOS phone), a tablet computer, a palmtop computer, a mobile internet device (MID) or a PAD. Fig. 5 does not limit the structure of the above electronic device. For example, terminal A may include more or fewer components than shown in Fig. 5 (such as a network interface, a display device, etc.), or have a configuration different from that shown in Fig. 5.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware of a terminal device; the program can be stored in a computer-readable storage medium, which may include a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Embodiment 4
An embodiment of the application further provides a storage medium. Optionally, in this embodiment the above storage medium can be used to save the program code executed by the defence processing method for a traffic attack provided in Embodiment 1 above.
Optionally, in this embodiment, the above storage medium may be located in any terminal of a group of computer terminals in a computer network, or in any mobile terminal of a group of mobile terminals.
Optionally, in this embodiment, the storage medium is arranged to store program code for performing the following steps: obtaining the summation of the current data transfer rates of a predetermined quantity of terminals belonging to the same group; subtracting the summation from the bandwidth allocated to the group to obtain the remaining bandwidth of the group; and adjusting a black hole threshold according to the remaining bandwidth, where the black hole threshold is used to trigger the issuing of a blackhole route for a designated terminal in the above group.
It should be noted here that any terminal in the above group of computer terminals can establish a correspondence with a website server and a scanner, and the scanner can scan the value commands of the web applications executed by PHP in the computer terminal.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in a given embodiment, reference may be made to the related description of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed client can be realised in other ways. The device embodiments described above are only schematic; for example, the division of the units is only a division by logical function, and there can be other divisions in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The above integrated unit can be realised in the form of hardware or in the form of a software functional unit.
If the integrated unit is realised in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical scheme of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical scheme, can be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, server or network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
The above is only a preferred embodiment of the present invention. It should be pointed out that, for those of ordinary skill in the art, several improvements and modifications can also be made without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the scope of protection of the present invention.

Claims (11)

  1. A defence processing method for a traffic attack, characterised by including:
    obtaining the summation of the data transfer rates of a predetermined quantity of terminals in the same group;
    calculating the remaining bandwidth of the group from the bandwidth allocated to the group and the summation;
    adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger the issuing of a blackhole route for a designated terminal in the group.
  2. The method according to claim 1, characterised in that adjusting the specified threshold according to the remaining bandwidth includes:
    when the remaining bandwidth increases, increasing the specified threshold; when the remaining bandwidth decreases, decreasing the specified threshold.
  3. The method according to claim 1, characterised in that adjusting the specified threshold according to the remaining bandwidth includes:
    obtaining a target threshold from the remaining bandwidth and the predetermined quantity;
    adjusting the specified threshold according to the target threshold.
  4. The method according to any one of claims 1 to 3, characterised in that the method further includes:
    obtaining the bandwidth usage of the predetermined quantity of terminals in the group, where the bandwidth usage is the ratio of the summation of the current data transfer rates of the predetermined quantity of terminals in the group to the bandwidth allocated to the group;
    when the bandwidth usage is greater than a preset threshold, progressively increasing the number of terminals for which the blackhole route is issued until the bandwidth usage is less than the preset threshold.
  5. The method according to claim 4, characterised in that progressively increasing the number of terminals for which the blackhole route is issued until the bandwidth usage is less than the preset threshold includes:
    sorting the predetermined quantity of terminals by current data transfer rate in descending order;
    issuing the blackhole route for the routes of the top M terminals, and detecting the updated bandwidth usage, where the updated bandwidth usage is the ratio of the summed data transfer rate of the terminals in the predetermined quantity of terminals other than the M terminals to the bandwidth;
    when the bandwidth usage is still greater than the preset threshold, issuing the blackhole route for a further M top-ranked terminals, where M < N.
  6. The method according to claim 1, characterised in that issuing the blackhole route for the designated terminal in the group includes: pointing the destination address or port to which the designated terminal is connected at a Null0 interface.
  7. A defence processing device for a traffic attack, characterised by including:
    a processing module for obtaining the summation of the current data transfer rates of a predetermined quantity of terminals in the same group, and for calculating the remaining bandwidth of the group from the bandwidth allocated to the group and the summation;
    an adjusting module for adjusting a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger the issuing of a blackhole route for a designated terminal in the group.
  8. The device according to claim 7, characterised in that the adjusting module is further configured to increase the specified threshold when the remaining bandwidth increases, and to decrease the specified threshold when the remaining bandwidth decreases.
  9. The device according to claim 7, characterised in that the adjusting module is further configured to obtain a target threshold from the remaining bandwidth and the predetermined quantity, and to adjust the specified threshold according to the target threshold.
  10. The device according to any one of claims 7 to 9, characterised in that the adjusting module is further configured to obtain the bandwidth usage of the predetermined quantity of terminals in the group, where the bandwidth usage is the ratio of the summation of the current data transfer rates of the predetermined quantity of terminals in the group to the bandwidth allocated to the group; and, when the bandwidth usage is greater than a preset threshold, to progressively increase the number of terminals for which the blackhole route is issued until the bandwidth usage is less than the preset threshold.
  11. The device according to claim 10, characterised in that the adjusting module is further configured to sort the predetermined quantity of terminals by current data transfer rate in descending order; to issue the blackhole route for the routes of the top M terminals and detect the updated bandwidth usage, where the updated bandwidth usage is the ratio of the summed data transfer rate of the terminals in the predetermined quantity of terminals other than the M terminals to the bandwidth; and, when the bandwidth usage is still greater than the preset threshold, to issue the blackhole route for a further M top-ranked terminals, where M < N.
CN201610327224.2A 2016-05-17 2016-05-17 Method and device for defending and processing flow attack Active CN107395554B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610327224.2A CN107395554B (en) 2016-05-17 2016-05-17 Method and device for defending and processing flow attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610327224.2A CN107395554B (en) 2016-05-17 2016-05-17 Method and device for defending and processing flow attack

Publications (2)

Publication Number Publication Date
CN107395554A true CN107395554A (en) 2017-11-24
CN107395554B CN107395554B (en) 2021-03-09

Family

ID=60338795

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610327224.2A Active CN107395554B (en) 2016-05-17 2016-05-17 Method and device for defending and processing flow attack

Country Status (1)

Country Link
CN (1) CN107395554B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102244898A (en) * 2010-05-14 2011-11-16 华为技术有限公司 Group-based traffic control method, equipment and system
CN103685315A (en) * 2013-12-30 2014-03-26 曙光云计算技术有限公司 Method and device for defending denial of service attack
US20160036843A1 (en) * 2014-08-01 2016-02-04 Honeywell International Inc. Connected home system with cyber security monitoring

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965263A (en) * 2018-06-26 2018-12-07 新华三技术有限公司 Network attack defence method and device
CN108965263B (en) * 2018-06-26 2021-06-08 新华三技术有限公司 Network attack defense method and device
CN114124419A (en) * 2020-08-27 2022-03-01 北京秦淮数据有限公司 DDOS attack defense method and device
CN114338705A (en) * 2021-11-24 2022-04-12 阿里巴巴(中国)有限公司 Resource water level control method, device and medium for content delivery network CDN node
CN114338705B (en) * 2021-11-24 2023-12-01 阿里巴巴(中国)有限公司 Resource water level control method, equipment and medium for CDN node of content delivery network

Also Published As

Publication number Publication date
CN107395554B (en) 2021-03-09

Similar Documents

Publication Publication Date Title
US11153336B2 (en) Network security analysis for smart appliances
Dao et al. Securing heterogeneous IoT with intelligent DDoS attack behavior learning
CN104967588B (en) Protection method, apparatus and system for distributed denial of service DDoS (distributed denial of service) attack
CN106921666B (en) DDoS attack defense system and method based on cooperative theory
CN108234404B (en) Defense method, system and related equipment for DDoS attack
CN104219218B (en) A kind of method and device of active safety defence
CN107623663A (en) Handle the method and device of network traffics
CN105991637B (en) The means of defence and device of network attack
Baig et al. Controlled access to cloud resources for mitigating Economic Denial of Sustainability (EDoS) attacks
US20130283373A1 (en) Techniques for separating the processing of clients' traffic to different zones
CN107135187A (en) Preventing control method, the apparatus and system of network attack
US20140298399A1 (en) Apparatus and method for detecting anomality sign in controll system
CN103561011A (en) Method and system for preventing blind DDoS attacks on SDN controllers
CN106357685A (en) Method and device for defending distributed denial of service attack
CN101018156A (en) Method, device and system for preventing the broadband rejection service attack
CN101286996A (en) Storm attack resisting method and apparatus
CN107645478A (en) Network attack defending system, method and device
CN108183950A (en) A kind of network equipment establishes the method and device of connection
CN108092940B (en) DNS protection method and related equipment
CN107346259A (en) A kind of implementation method of Dynamical Deployment security capabilities
CN107395554A (en) The defence processing method and processing device of flow attacking
CN109587156A (en) Abnormal network access connection identification and blocking-up method, system, medium and equipment
CN107154915A (en) The method of defending distributed refusal service DDoS attack, apparatus and system
CN108028828A (en) A kind of distributed denial of service ddos attack detection method and relevant device
CN104160735B (en) Send out message processing method, transponder, message processor, message handling system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant