CN107395554B - Method and device for defending and processing flow attack - Google Patents

Info

Publication number
CN107395554B
Authority
CN
China
Prior art keywords
bandwidth
terminals
group
black hole
sum
Prior art date
Legal status
Active
Application number
CN201610327224.2A
Other languages
Chinese (zh)
Other versions
CN107395554A (en)
Inventor
李晗
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201610327224.2A
Publication of CN107395554A
Application granted
Publication of CN107395554B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method and a device for defending and processing flow attack. Wherein, the method comprises the following steps: acquiring the sum of the current data transmission rates of a preset number of terminals in the same group; calculating a remaining bandwidth of the group from the bandwidth allocated to the group and the sum; and adjusting a designated threshold according to the residual bandwidth, wherein the designated threshold is used for triggering the issuing of the black hole route for the designated terminal in the group.

Description

Method and device for defending and processing flow attack
Technical Field
The invention relates to the field of network security, in particular to a method and a device for defending and processing flow attack.
Background
At present, traffic attacks are becoming more frequent. For example, the principle of a Distributed Denial of Service (DDoS) attack is to find a resource bottleneck of the target and make the target's service unavailable by exhausting that resource. In current Internet services, server CPU, memory, bandwidth, databases and the like can all become resource bottlenecks. Because bandwidth is expensive, a DDoS attack on bandwidth is generally a relatively serious attack mode for a cloud computing service platform.
When the attack traffic exceeds what the service party can bear, in order not to affect other services in the same group (for example, the same computer room), the service party sometimes blocks access to the attacked IP by issuing a black hole route in the operator's network, so that all traffic to that IP, attack and legitimate alike, is discarded in the backbone. The black hole strategy commonly used at present is: each IP is empirically assigned a fixed black hole threshold (for example, 2 Gbps), and a black hole route for the IP is issued when the attack traffic towards that IP exceeds the threshold. Such a simple black hole threshold setting does not produce the expected DDoS protection effect in a cloud computer room.
Disclosure of Invention
The embodiment of the application provides a method and a device for defending and processing flow attack, which at least solve the technical problem that resources cannot be fully and reasonably utilized.
According to an aspect of the embodiments of the present application, a method for defending against traffic attacks is provided, including: acquiring the sum of the data transmission rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum; and adjusting a designated threshold according to the residual bandwidth, wherein the designated threshold is used for triggering the issuing of the black hole route for the designated terminal in the group.
According to another aspect of the embodiments of the present application, there is also provided a device for defending against traffic attacks, including: the processing module is used for obtaining the sum of the current data transmission rates of a preset number of terminals in the same group and calculating the residual bandwidth of the group according to the bandwidth allocated to the group and the sum; and the adjusting module is used for adjusting a specified threshold according to the residual bandwidth, wherein the specified threshold is used for triggering the release of the black hole route for the specified terminal in the group.
In the embodiment of the application, the method of adjusting the designated threshold in real time according to the residual bandwidth in the group is adopted, so that the flexible adjustment of the black hole threshold is realized, the resources can be fully and reasonably utilized, and the technical problem that the resources cannot be fully and reasonably utilized is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a block diagram of a hardware structure of a computer terminal of a method for defending against traffic attacks according to an embodiment of the present application;
fig. 2 is a schematic flowchart of an alternative method for defending against traffic attacks according to an embodiment of the present application;
FIG. 3 is a diagram illustrating an alternative relationship between a black hole threshold and a water line according to an embodiment of the present application;
fig. 4 is a block diagram of an alternative traffic attack defense processing apparatus according to an embodiment of the present application;
fig. 5 is a block diagram of an alternative computer terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For ease of understanding, the technical terms referred to in the embodiments of the present application will now be briefly described as follows:
DDoS attack: by means of client/server technology, a plurality of computers are combined to serve as an attack platform, DDoS attacks are launched on one or more targets, and accordingly the power of denial of service attacks is improved in a multiplied mode. Typically, an attacker installs a DDoS master on one computer, and at a set time the master will communicate with a number of agents that have been installed on multiple computers on the Internet (Internet). The agent, upon receiving the instruction, launches an attack. With client/server technology, the host can activate hundreds or thousands of runs of agents in a few seconds.
Flow cleaning, namely a DDoS flow cleaning system comprises three parts of flow detection, flow cleaning and monitoring management. The flow detection equipment detects the hidden illegal attack flow in the network flow, and timely informs and activates the protection equipment to clean the flow after the attack is found; the flow cleaning equipment redirects suspicious flow from an original network path to the cleaning product through a professional flow cleaning product to identify and strip malicious flow, the recovered legal flow is reinjected into the original network and forwarded to a target system, and forwarding paths of other legal flows are not affected; the monitoring management system performs centralized management configuration on the equipment of the flow cleaning system, displays real-time flow, alarms, monitors state information, and outputs reports such as flow analysis reports and attack protection reports in time.
Black hole routing: all the irrelevant routes are absorbed into it, and there are routes with loops, which are generally routing entries actively established by admin. admin diverts a source address received to the null0 interface, which has very little effect on system load.
Cloud computing (cloud computing) environment: is an environment (or platform) for the augmentation, usage, and delivery patterns of internet-based related services, and generally involves providing dynamically scalable and often virtualized resources over the internet.
Water line of flow: representing the current incoming flow of the group (machine room), i.e. the total current incoming flow into the group (the sum of the current data transmission rates of the terminals in the group);
group (2): also called network group, it can be a group of terminals accessing the same machine room, but is not limited thereto.
Example 1
There is also provided, in accordance with an embodiment of the present application, a method embodiment of a method for defending against a traffic attack, the steps illustrated in the flowchart of the figure being executable on a computer system, such as a set of computer executable instructions, and although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be executed in an order different than that illustrated or described herein.
The method provided by the embodiment 1 of the present application can be executed in a mobile terminal, a computer terminal or a similar computing device. Taking an example of running on a computer terminal, fig. 1 is a hardware structure block diagram of a computer terminal of a method for defending against a traffic attack according to an embodiment of the present application. As shown in fig. 1, the computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be configured to store software programs and modules of application software, such as program instructions/modules corresponding to the method for defending against traffic attacks in the embodiment of the present application, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
In this operating environment, the application provides a method for defending against traffic attacks as shown in fig. 2. The method can be applied to traffic attack scenarios such as a cloud computer room; taking the cloud computer room as an example: the black hole threshold is fixed and the same threshold is assigned to every group, so it cannot be adjusted to the actual conditions of different computer rooms. For instance, different cloud computer rooms have different bandwidths, and it is unreasonable to give a room with a large bandwidth and a room with a small bandwidth the same black hole threshold; moreover, the bandwidth allocated to a computer room may change, and if the black hole threshold stays the same the resources obviously cannot be used reasonably and fully. In view of these problems, the embodiments of the present application provide corresponding solutions, which are described in detail below.
Fig. 2 is a schematic flowchart of an optional defense processing method against traffic attacks according to an embodiment of the present application. As shown in fig. 2, the method comprises steps S202-S206, wherein:
step S202, obtain the sum of the current data transmission rates of the predetermined number of terminals in the same group.
Alternatively, the predetermined number may be flexibly set according to actual situations, and may sometimes be represented as the number of all terminals in the group, or may also be represented as the number of some terminals in the group (for example, the number of terminals meeting a certain condition in the group).
Step S204, calculating the residual bandwidth of the group according to the bandwidth allocated to the group and the sum.
Optionally, there are various ways to calculate the remaining bandwidth; for example, the remaining bandwidth of the group is the difference between the bandwidth allocated to the group and the sum. Taking the remaining bandwidth (also called spare bandwidth) of a computer room as an example: if the traffic water line, i.e. the current inflow into the machine room, is x and the room's bandwidth is bandwidth, then the spare bandwidth of the room, i.e. the total amount available for absorbing a traffic attack, is (bandwidth - x).
Step S206, adjusting the appointed threshold value according to the residual bandwidth, wherein the appointed threshold value is used for triggering the appointed terminals in the group to issue black hole routes.
When the designated threshold is adjusted, in order to reasonably utilize resources, the relationship between the remaining bandwidth and the designated threshold may be defined as a positive relationship, that is, the designated threshold increases with the increase of the remaining bandwidth and decreases with the decrease of the remaining bandwidth, and accordingly, when the designated threshold is adjusted, the adjustment is performed according to the relationship between the remaining bandwidth and the designated threshold: increasing the specified threshold when the remaining bandwidth increases; when the remaining bandwidth decreases, the prescribed threshold is decreased.
It should be noted that the specified threshold may be a black hole threshold.
Optionally, "issuing a black hole route for the specified terminal in the group" may take the following form: a route for the address (or the address and port) of the specified terminal is pointed at the null0 interface, so that traffic to it is discarded.
Further, there are various ways to adjust the specified threshold according to the positive correlation between the two. For example, a correspondence list of remaining bandwidth and specified threshold may be established, with the remaining bandwidth and the specified threshold arranged in decreasing order of value. The remaining-bandwidth entry in the list may be a value range, that is, when the current remaining bandwidth falls into a given range, the specified threshold is the one corresponding to that range. Specifically, see Table 1.
TABLE 1
Residual bandwidth (Gbps)    Specified threshold (Gbps)
70-80                        3
50-60                        2
30-40                        1
Of course, other ways of determining the specified threshold may be used, such as: and acquiring a target threshold according to the residual bandwidth and the preset quantity, and then adjusting the specified threshold according to the target threshold.
The target threshold may be obtained in a variety of manners; in an optional embodiment it is obtained as Threshold = (1/a) * (bandwidth - x) / IPnum, where Threshold represents the target threshold, a is a constant greater than 0 and less than 1, bandwidth represents the bandwidth allocated to the group, x represents the sum, (bandwidth - x) represents the remaining bandwidth, and IPnum represents the predetermined number (which may be the number of all terminals); the designated threshold is then adjusted according to the target threshold.
Optionally, a is a preset proportion, and the proportion is used to indicate the proportion of the terminal under traffic attack to the predetermined number of terminals (which may be the proportion of the total number of terminals in the group). The value of a can be determined according to experimental results or statistical results.
The determination mode of the specified threshold is described below by taking a traffic attack scene of a computer room as an example:
the total number of IPnum of the computer room is IPnum, according to statistical data, the ratio of the IP frequently attacked in the cloud computer room is about 1/N, and assuming that the IPs are attacked at the same time in extreme cases, the total number of the attacked IP is IPnum/N.
Therefore, a calculation formula of the black hole threshold value can be obtained:
the value of N is determined according to actual conditions, and may be, for example, 50, 100, 150, 200, 300, 400, and the like; x represents the incoming flow into the room.
Further, the minimum value of the black hole threshold may be determined according to the statistical result of the peak value of the normal inflow rates of a certain number of users, for example:
according to data statistics, the peak value of the normal incoming flow of 99.9% of users is smaller than 1Gbps, at the moment, 1Gbps is taken as the minimum tolerable black hole threshold value, and the calculated black hole threshold value cannot be smaller than 1 Gbps. Thus, the complete black hole threshold calculation formula is:
Threshold = (300 * (bandwidth - x) / IPnum > 1) ? 300 * (bandwidth - x) / IPnum : 1, i.e. Threshold = max(1 Gbps, 300 * (bandwidth - x) / IPnum), so black hole thresholds below 1 Gbps are excluded.
To facilitate understanding of the relationship between the black hole threshold and the water line (i.e. the inbound traffic x flowing into the room, the sum of the data transmission rates of the terminals in the room), take a room with a bandwidth of 100 Gbps that receives traffic for 10000 IP addresses as an example: the relationship between different water lines and the black hole threshold is shown in fig. 3.
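To make the threshold rule concrete, the following Python is an added illustration and not code from the patent or its applicant. It implements steps S202 to S206 with the formula above, Threshold = N * (bandwidth - x) / IPnum floored at 1 Gbps, using the fig. 3 parameters (100 Gbps, 10000 IP addresses, N = 300). The per-IP inbound rates are constructed sample data, and the function names are this example's own.

```python
"""Dynamic black-hole threshold of a group (machine room).

Added illustration of steps S202-S206 and of
Threshold = N * (bandwidth - x) / IPnum floored at the minimum tolerable
threshold; not code from the patent. Group parameters follow the text's
Fig. 3 example (100 Gbps, 10000 IPs, N = 300, 1 Gbps floor); the per-IP
rates below are constructed sample data.
"""
from typing import Dict, Iterable, List, Tuple


def water_line(rates_gbps: Dict[str, float]) -> float:
    """Step S202: the water line x, the sum of the current inbound rates of
    the measured terminals (IP addresses) in the group."""
    return sum(rates_gbps.values())


def remaining_bandwidth(bandwidth_gbps: float, x_gbps: float) -> float:
    """Step S204: spare bandwidth (bandwidth - x). An oversubscribed group
    has no spare bandwidth rather than a negative amount."""
    return max(0.0, bandwidth_gbps - x_gbps)


def black_hole_threshold(bandwidth_gbps: float, x_gbps: float, ip_num: int,
                         n: int = 300, min_threshold_gbps: float = 1.0) -> float:
    """Step S206: Threshold = N * (bandwidth - x) / IPnum, never below the
    minimum tolerable threshold. N = 1/a, where a is the share of the
    group's IPs expected to be attacked at once (1/300 in the text)."""
    if ip_num <= 0 or bandwidth_gbps <= 0 or n <= 0:
        raise ValueError("bandwidth, ip_num and n must be positive")
    spare = remaining_bandwidth(bandwidth_gbps, x_gbps)
    return max(min_threshold_gbps, n * spare / ip_num)


def ips_over_threshold(rates_gbps: Dict[str, float], threshold_gbps: float) -> List[str]:
    """IPs whose current inbound rate exceeds the threshold, highest first:
    the candidates for a black hole route."""
    over = [(ip, r) for ip, r in rates_gbps.items() if r > threshold_gbps]
    over.sort(key=lambda item: item[1], reverse=True)
    return [ip for ip, _ in over]


def threshold_curve(bandwidth_gbps: float, ip_num: int,
                    water_lines: Iterable[float]) -> Dict[float, float]:
    """The relationship plotted in Fig. 3: threshold as a function of the water line."""
    return {x: black_hole_threshold(bandwidth_gbps, x, ip_num) for x in water_lines}


def evaluate_group(rates_gbps: Dict[str, float], bandwidth_gbps: float,
                   ip_num: int) -> Tuple[float, float, List[str]]:
    """One control-loop pass: measure the water line, derive the threshold,
    and list the IPs that currently exceed it."""
    x = water_line(rates_gbps)
    threshold = black_hole_threshold(bandwidth_gbps, x, ip_num)
    return x, threshold, ips_over_threshold(rates_gbps, threshold)


# Constructed sample: 20 quiet IPs at 50 Mbps plus two IPs under attack.
# ip_num stays 10000 because the threshold divides by the group size, not
# by the number of IPs that happen to carry traffic right now.
SAMPLE_RATES = {f"192.0.2.{i}": 0.05 for i in range(1, 21)}
SAMPLE_RATES["203.0.113.7"] = 3.5
SAMPLE_RATES["203.0.113.9"] = 1.5

if __name__ == "__main__":
    for x, t in threshold_curve(100.0, 10000, [0, 25, 50, 70, 90]).items():
        print(f"water line {x:>3} Gbps -> black hole threshold {t:.2f} Gbps")
    x, t, victims = evaluate_group(SAMPLE_RATES, 100.0, 10000)
    print(f"x={x:.2f} Gbps, threshold={t:.3f} Gbps, black-hole candidates={victims}")
```

Note how the floor binds once the water line passes 70 Gbps in the 100 Gbps room: the formula alone would drop the threshold below 1 Gbps and start black-holing normal users, which is exactly why the text fixes 1 Gbps as the minimum tolerable value.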
In an optional embodiment of the present application, when the traffic flowing into the group (e.g. a machine room) is significantly higher than normal, lowering the black hole threshold alone does not meet the requirement. To further ensure the stability of the group's services, the routes of terminals (or IP addresses) accessing the group may also be turned into black hole routes, that is, black hole routing processing is performed. Specifically, this may be achieved by, but is not limited to: obtaining the bandwidth occupancy rate of the predetermined number of terminals in the group, where the bandwidth occupancy rate is the ratio of the sum of the current data transmission rates of the predetermined number of terminals in the group to the bandwidth allocated to the group; and, when the bandwidth occupancy rate is greater than a preset threshold, gradually increasing the number of terminals for which black hole routes are issued until the bandwidth occupancy rate is less than the preset threshold.
The number of terminals for which black hole routes are issued is increased gradually until the bandwidth occupancy rate is less than the preset threshold, for example one terminal at a time, or in order of a preset priority (terminals with low priority first), and then step by step.
In an alternative embodiment of the present application, the following may also be implemented: sorting the predetermined number of terminals in descending order of current data transmission rate; issuing black hole routes for the top-ranked M terminals and detecting the updated bandwidth occupancy rate, where the updated bandwidth occupancy rate is the ratio of the sum of the data transmission rates of the remaining terminals (the predetermined number of terminals excluding the M terminals) to the bandwidth; and, when the bandwidth occupancy rate is still greater than the second threshold, issuing black hole routes for the top-ranked N terminals, where M is less than N. In this way the black hole routes are issued to terminals in batches, which improves the efficiency of defending against the traffic attack.
Taking the traffic of a machine room as an example: when the traffic of the machine room is obviously higher than normal, lowering the black hole threshold alone clearly cannot keep the machine room stable, so an emergency measure is required to protect the cloud machine room. A hazard value for the traffic water line may be set, for example 80% of the bandwidth. When the water line exceeds the hazard value, the IP addresses flowing into the machine room are ranked by traffic: first the TOP10 IP addresses are black-holed and it is checked whether the water line drops below the hazard value; if not, the TOP20 IP addresses are black-holed, and so on, until the water line is below 80%.
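The emergency procedure above, written out as an added Python illustration (not code from the patent or its applicant). It ranks IPs by inbound rate, black-holes the top M, recomputes the occupancy without them, and widens the batch until the occupancy is below the hazard value. Assumptions not taken from the text: the batch grows by a fixed step of 10 (TOP10, TOP20, ...), the hazard value is 80%, and the route is rendered in Linux iproute2 form (`ip route add blackhole <addr>`), whereas the patent only says the route is pointed at a null0 interface. The rates are constructed sample data.

```python
"""Emergency black-holing by inbound-traffic ranking when the group's water
line is at a dangerous level.

Added illustration, not code from the patent. Assumed here: a fixed batch
step of 10 IPs, a hazard value of 80 % occupancy, and Linux iproute2 syntax
for the issued route. The sample rates are constructed.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple


def occupancy(rates_gbps: Dict[str, float], bandwidth_gbps: float,
              excluded: FrozenSet[str] = frozenset()) -> float:
    """Bandwidth occupancy: rates of the IPs that are not black-holed,
    summed and divided by the bandwidth allocated to the group."""
    if bandwidth_gbps <= 0:
        raise ValueError("bandwidth must be positive")
    total = sum(r for ip, r in rates_gbps.items() if ip not in excluded)
    return total / bandwidth_gbps


def rank_by_rate(rates_gbps: Dict[str, float]) -> List[str]:
    """IPs ordered from the largest current inbound rate to the smallest."""
    return [ip for ip, _ in sorted(rates_gbps.items(),
                                   key=lambda item: item[1], reverse=True)]


def emergency_black_hole(rates_gbps: Dict[str, float], bandwidth_gbps: float,
                         hazard: float = 0.8, step: int = 10) -> Tuple[List[str], float]:
    """Black-hole the top-M IPs, re-check the occupancy of the rest, and widen
    M by `step` until the occupancy is strictly below the hazard value.
    Returns the IPs to black-hole (in rank order) and the resulting occupancy."""
    if not 0.0 < hazard <= 1.0 or step <= 0:
        raise ValueError("hazard must be in (0, 1] and step positive")
    current = occupancy(rates_gbps, bandwidth_gbps)
    if current < hazard:
        return [], current          # no emergency: the threshold rule alone applies
    ranked = rank_by_rate(rates_gbps)
    m = step
    while True:
        chosen = ranked[:m]
        current = occupancy(rates_gbps, bandwidth_gbps, frozenset(chosen))
        # Once every IP is black-holed the occupancy is 0, so the loop ends.
        if current < hazard or m >= len(ranked):
            return chosen, current
        m += step


def blackhole_commands(ips: List[str]) -> List[str]:
    """Render one black hole route per address. Every entry is parsed as an
    IP literal first, so nothing but an address ever reaches a command line."""
    cmds = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)          # raises ValueError on junk
        cmds.append(f"ip route add blackhole {addr}/{addr.max_prefixlen}")
    return cmds


# Constructed sample: 60 attacked IPs at 1.25-2.0 Gbps and 10 quiet IPs at
# 0.25 Gbps exactly saturate a 100 Gbps group (occupancy 100 %).
SAMPLE_RATES = {f"203.0.113.{i}": 1.25 + 0.25 * (i % 4) for i in range(1, 61)}
SAMPLE_RATES.update({f"198.51.100.{i}": 0.25 for i in range(1, 11)})
SAMPLE_BANDWIDTH = 100.0

if __name__ == "__main__":
    chosen, occ = emergency_black_hole(SAMPLE_RATES, SAMPLE_BANDWIDTH)
    print(f"black-holed {len(chosen)} IPs, occupancy now {occ:.2%}")
    for cmd in blackhole_commands(chosen):
        print(cmd)
```

In the sample, black-holing the TOP10 brings the occupancy to exactly 80%, which is not below the hazard value, so the batch widens to the TOP20 and the occupancy falls to 61.25%. The strict comparison matters: a group sitting exactly at the hazard value is still at the edge of saturation.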
To sum up, the embodiment of the present application achieves the following beneficial effects: instead of setting a fixed threshold for each IP address, the black hole threshold of the group is automatically calculated and adjusted according to the bandwidth and the traffic water line, and when the traffic reaches a certain water line, every IP whose traffic exceeds the threshold is black-holed. The traffic water line is monitored and the black hole threshold is recalculated from the spare bandwidth; and when the machine room's water line is at a dangerously high level, black hole routing is applied according to the ranking of IP traffic.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to an embodiment of the present application, there is also provided an apparatus for implementing the method for defending against traffic attacks, as shown in fig. 4, the apparatus includes:
a processing module 40, configured to obtain a sum of current data transmission rates of a predetermined number of terminals in the same group, and calculate a remaining bandwidth of the group according to a bandwidth allocated to the group and the sum; the term "group" herein may mean a group of terminals accessing the same equipment room, but is not limited thereto.
And an adjusting module 42, configured to adjust a specified threshold according to the remaining bandwidth, where the specified threshold is used to trigger issuing a black hole route to a specified terminal in the group.
Taking the remaining bandwidth (also called spare bandwidth) of a computer room as an example: if the traffic water line, i.e. the current inflow into the machine room, is x and the room's bandwidth is bandwidth, then the spare bandwidth of the room, i.e. the total amount available for absorbing a traffic attack, is (bandwidth - x).
When the black hole threshold is adjusted, in order to reasonably utilize resources, the relationship between the remaining bandwidth and the black hole threshold may be defined as a positive correlation, that is, the black hole threshold increases with the increase of the remaining bandwidth and decreases with the decrease of the remaining bandwidth. Based on the foregoing principle, in an optional embodiment of the present application, the adjusting module 42 is further configured to increase the black hole threshold when the remaining bandwidth increases; decreasing the black hole threshold when the remaining bandwidth decreases.
Optionally, the adjusting module 42 is further configured to obtain a target threshold according to the remaining bandwidth and the predetermined number, and to adjust the specified threshold according to the target threshold. Optionally, the target threshold is obtained as Threshold = (1/a) * (bandwidth - x) / IPnum, where Threshold represents the target threshold, a is a constant greater than 0 and less than 1, bandwidth represents the bandwidth allocated to the group, x represents the sum, and IPnum represents the number of terminals in the group (which may be the number of all terminals in the group); the black hole threshold is then adjusted according to the target threshold. Optionally, a is a preset proportion indicating the share of the group's terminals that are under traffic attack. The value of a can be determined from experimental or statistical results.
The determination of the black hole threshold is described below taking a traffic attack scenario of a machine room as an example: the total number of IPs in the computer room is IPnum. According to statistical data, the proportion of IPs in a cloud computer room that are frequently attacked is about 1/N; assuming, in the extreme case, that all of them are attacked at the same time, the number of attacked IPs is IPnum/N. Substituting a = 1/N into the target threshold above gives the calculation formula of the black hole threshold:
Threshold = N * (bandwidth - x) / IPnum
The value of N is determined according to actual conditions and may be, for example, 50, 100, 150, 200, 300, 400 and the like.
In an optional embodiment of the present application, the adjusting module 42 is further configured to obtain a bandwidth occupancy rate of the predetermined number of terminals in the group, where the bandwidth occupancy rate is a ratio of a sum of current data transmission rates of the predetermined number of terminals in the group to a bandwidth allocated to the group; and gradually increasing the number of terminals issuing the black hole route when the bandwidth occupancy rate is greater than a preset threshold value until the bandwidth occupancy rate is less than the preset threshold value.
The number of the terminals issuing the black hole routes is gradually increased until the ratio is smaller than the preset threshold, and the number of the terminals issuing the black hole routes is gradually increased, for example, the number of the terminals issuing the black hole routes is increased one by one, or the black hole routes are issued by the terminals having a lower priority according to a preset priority, and then the black hole routes are increased step by step. In an alternative embodiment of the present application, the following functions of the adjustment module 42 may be implemented:
the adjusting module 42 is further configured to sort the predetermined number of terminals in order from the largest to the smallest current data transmission rate; issue black hole routes for the routes of the M terminals ranked at the top, and detect the updated bandwidth occupancy rate, where the updated bandwidth occupancy rate is the ratio of the sum of the data transmission rates of the terminals other than the M terminals among the predetermined number of terminals to the bandwidth; and, when the bandwidth occupancy rate is still larger than the second threshold value, issue black hole routes for the M terminals ranked at the top among the remaining terminals, wherein M is less than N.
Alternatively, the minimum value of the black hole threshold may be determined according to the statistical result of the peak value of the normal inflow rate of a certain number of users. For example: according to data statistics, the peak value of the normal incoming flow of 99.9% of users is smaller than 1 Gbps; in this case 1 Gbps is taken as the minimum tolerable black hole threshold value, and the calculated black hole threshold value cannot be smaller than 1 Gbps. Thus, the complete black hole threshold calculation formula is:
threshold = (300 * (bandwidth − x) / IPnum) > 1 ? (300 * (bandwidth − x) / IPnum) : 1, i.e., black hole thresholds less than 1 Gbps are excluded.
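As an added worked example (not code from the patent), the following Python implements the black hole threshold formula above with the 1 Gbps floor and the stepwise black hole route issuance described for the adjustment module (sort by rate, blackhole the top M, recheck occupancy). The terminal rates are constructed, and the function and class names are assumptions.

```python
"""Added example, not the patent's own code: black hole threshold
calculation (Threshold = N * (bandwidth - x) / IPnum, floored at 1 Gbps)
and stepwise black hole route issuance until occupancy drops below a limit.
All names and sample values below are constructed for illustration."""
from dataclasses import dataclass

MIN_THRESHOLD_GBPS = 1.0   # floor derived from the 99.9% normal-inflow peak statistic


@dataclass
class Terminal:
    ip: str
    rate_gbps: float       # current data transmission rate of this terminal


def rate_sum(terminals):
    """x: the sum of the current data transmission rates of the group."""
    return sum(t.rate_gbps for t in terminals)


def black_hole_threshold_gbps(bandwidth_gbps, terminals, n=300):
    """Threshold = N * (bandwidth - x) / IPnum, never below the 1 Gbps floor.
    n is 1/a: the assumed ratio of terminals under attack is 1/N."""
    ipnum = len(terminals)
    if ipnum == 0:
        raise ValueError("group has no terminals")
    remaining = bandwidth_gbps - rate_sum(terminals)
    raw = n * remaining / ipnum
    return max(raw, MIN_THRESHOLD_GBPS)


def bandwidth_occupancy(bandwidth_gbps, terminals):
    """Ratio of the group's current rate sum to its allocated bandwidth."""
    return rate_sum(terminals) / bandwidth_gbps


def blackhole_until_under(bandwidth_gbps, terminals, occupancy_limit, m=1):
    """Sort terminals by rate (largest first); issue black hole routes for the
    top M of the remaining terminals and recompute occupancy over the rest,
    repeating while occupancy is still above the limit. M must be smaller
    than the number of terminals. Returns (blackholed_ips, final_occupancy)."""
    if m < 1 or m >= len(terminals):
        raise ValueError("M must be between 1 and the number of terminals - 1")
    ordered = sorted(terminals, key=lambda t: t.rate_gbps, reverse=True)
    blackholed = []
    while ordered and bandwidth_occupancy(bandwidth_gbps, ordered) > occupancy_limit:
        batch, ordered = ordered[:m], ordered[m:]
        blackholed.extend(t.ip for t in batch)   # these routes go to null0
    final = bandwidth_occupancy(bandwidth_gbps, ordered) if ordered else 0.0
    return blackholed, final


def sample_group():
    """Constructed group: two hot terminals plus 1998 quiet ones at 0.01 Gbps."""
    group = [Terminal("hot-1", 8.0), Terminal("hot-2", 6.0)]
    group += [Terminal(f"quiet-{i}", 0.01) for i in range(1998)]
    return group


if __name__ == "__main__":
    group = sample_group()
    # 40 Gbps link: remaining 6.02 Gbps, raw threshold 0.903 Gbps -> floored to 1 Gbps
    print("threshold @40G :", black_hole_threshold_gbps(40.0, group))
    # 100 Gbps link: remaining 66.02 Gbps -> 9.903 Gbps
    print("threshold @100G:", black_hole_threshold_gbps(100.0, group))
    print("blackholed     :", blackhole_until_under(40.0, group, 0.8))
```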
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following forms may be presented, but are not limited to this: the processing module 40 and the adjustment module 42 are located in the first processor and the second processor, respectively; alternatively, the processing module 40 and the adjustment module 42 are located in the same processor.
It should be noted that, for a preferred embodiment in this embodiment, reference may be made to the relevant description in embodiment 1, and details are not described here again.
Example 3
The embodiment of the application can provide a computer terminal, and the computer terminal can be any one computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the method for defending against traffic attacks: acquiring the sum of the data transmission rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum; and adjusting a specified threshold value according to the remaining bandwidth, wherein the specified threshold value is used for triggering the specified terminals in the group to issue black hole routes.
Optionally, fig. 5 is a block diagram of an alternative computer terminal according to an embodiment of the present application. As shown in fig. 5, the computer terminal a may include: one or more processors 51 (only one shown), a memory 53, and a transmission device 55 connected to the web server.
The memory 53 may be configured to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for processing traffic attack defense in the embodiment of the present application, and the processor 51 executes various functional applications and data processing by running the software programs and modules stored in the memory 53, that is, implements the method for processing traffic attack defense. The memory 53 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 53 may further include memory located remotely from the processor 51, which may be connected to terminal a via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 55 is used for receiving or transmitting data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 55 includes a network adapter (NIC) that can be connected to a router and other network devices via a network cable to communicate with the internet or a local area network. In one example, the transmission device 55 is a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
Specifically, the memory 53 is used for storing preset action conditions, information of preset authorized users, and application programs.
The processor 51 may call the information and applications stored in the memory 53 through the transmission device to perform the following steps: acquiring the sum of the data transmission rates of a predetermined number of terminals in the same group; calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum; and adjusting a specified threshold value according to the remaining bandwidth, wherein the specified threshold value is used for triggering the specified terminals in the group to issue black hole routes.
Optionally, the processor 51 may further execute program codes of the following steps: increasing the black hole threshold when the residual bandwidth increases; decreasing the black hole threshold when the remaining bandwidth decreases.
Optionally, the processor 51 may further execute program codes of the following steps: acquiring a target threshold according to the residual bandwidth and the preset quantity; and adjusting the specified threshold value according to the target threshold value.
Optionally, the processor 51 may further execute program codes of the following steps: acquiring the bandwidth occupancy rate of the preset number of terminals in the group, wherein the bandwidth occupancy rate is the ratio of the sum of the current data transmission rates of the preset number of terminals in the group to the bandwidth allocated to the group; and when the bandwidth occupancy rate is greater than a preset threshold value, gradually increasing the number of terminals issuing the black hole route until the bandwidth occupancy rate is less than the preset threshold value.
Optionally, the processor 51 may further execute program codes of the following steps: sorting the predetermined number of terminals in order from the largest to the smallest current data transmission rate; issuing black hole routes for the routes of the M terminals ranked at the top, and detecting the updated bandwidth occupancy rate, where the updated bandwidth occupancy rate is the ratio of the sum of the data transmission rates of the terminals other than the M terminals among the predetermined number of terminals to the bandwidth; and, when the bandwidth occupancy rate is still larger than the second threshold value, issuing black hole routes for the M terminals ranked at the top among the remaining terminals, wherein M is less than N.
It can be understood by those skilled in the art that the structure shown in fig. 5 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 5 is a diagram illustrating a structure of the electronic device. For example, the computer terminal a may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 5, or have a different configuration than shown in fig. 5.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 4
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may be configured to store a program code executed by the method for defending against traffic attacks provided in embodiment 1.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring the sum of the current data transmission rates of a preset number of terminals belonging to the same group; performing difference operation on the bandwidth allocated to the group and the sum to obtain the residual bandwidth of the group; and adjusting a black hole threshold according to the residual bandwidth, wherein the black hole threshold is used for triggering the release of a black hole route for the appointed terminal in the group.
It should be noted here that any one of the computer terminal groups may establish a communication relationship with the web server and the scanner, and the scanner may scan the value commands of the web application executed by the php on the computer terminal.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (11)

1. A defense processing method for flow attack is characterized by comprising the following steps:
acquiring the sum of the data transmission rates of a predetermined number of terminals in the same group;
calculating the remaining bandwidth of the group according to the bandwidth allocated to the group and the sum;
and adjusting a designated threshold according to the residual bandwidth, wherein the designated threshold is used for triggering the issuing of the black hole route for the designated terminal in the group.
2. The method of claim 1, wherein adjusting the specified threshold according to the remaining bandwidth comprises:
increasing the specified threshold when the remaining bandwidth increases; decreasing the specified threshold when the remaining bandwidth decreases.
3. The method of claim 1, wherein adjusting the specified threshold according to the remaining bandwidth comprises:
acquiring a target threshold according to the residual bandwidth and the preset quantity;
and adjusting the specified threshold value according to the target threshold value.
4. The method according to any one of claims 1 to 3, further comprising:
acquiring the bandwidth occupancy rate of the preset number of terminals in the group, wherein the bandwidth occupancy rate is the ratio of the sum of the current data transmission rates of the preset number of terminals in the group to the bandwidth allocated to the group;
and when the bandwidth occupancy rate is greater than a preset threshold value, gradually increasing the number of terminals issuing the black hole route until the bandwidth occupancy rate is less than the preset threshold value.
5. The method of claim 4, wherein gradually increasing the number of terminals issuing the black hole route until the bandwidth occupancy is less than the preset threshold comprises:
sequencing the terminals with the preset number according to the sequence of the current data transmission rate from large to small;
issuing the black hole routes for routes of M terminals which are ranked at the top, and detecting the ratio of the updated bandwidth occupancy rate; wherein the updated bandwidth occupancy is: the ratio of the sum of the data transmission rates of the other terminals except the M terminals in the preset number of terminals to the bandwidth;
and when the bandwidth occupancy rate is still greater than the preset threshold value, issuing the black hole routes for M terminals which are ranked at the top in the rest terminals, wherein M is less than the preset number.
6. The method of claim 1, wherein issuing black hole routes for designated terminals in the group comprises: and directing the destination address or port connected by the specified terminal to a null0 interface.
7. A device for processing a defense against a traffic attack, comprising:
the processing module is used for obtaining the sum of the current data transmission rates of a preset number of terminals in the same group and calculating the residual bandwidth of the group according to the bandwidth allocated to the group and the sum;
and the adjusting module is used for adjusting a specified threshold according to the residual bandwidth, wherein the specified threshold is used for triggering the release of the black hole route for the specified terminal in the group.
8. The apparatus of claim 7, wherein the adjusting module is further configured to increase the specified threshold when the remaining bandwidth increases; decreasing the specified threshold when the remaining bandwidth decreases.
9. The apparatus of claim 7, wherein the adjusting module is further configured to obtain a target threshold according to the remaining bandwidth and the predetermined amount; and adjusting the specified threshold value according to the target threshold value.
10. The apparatus according to any one of claims 7 to 9, wherein the adjusting module is further configured to obtain a bandwidth occupancy of the predetermined number of terminals in the group, where the bandwidth occupancy is a ratio of a sum of current data transmission rates of the predetermined number of terminals in the group to a bandwidth allocated to the group; and when the bandwidth occupancy rate is greater than a preset threshold value, gradually increasing the number of terminals issuing the black hole route until the bandwidth occupancy rate is less than the preset threshold value.
11. The apparatus of claim 10, wherein the adjusting module is further configured to sort the predetermined number of terminals in order of the current data transmission rate from large to small; issuing the black hole routes for routes of M terminals which are ranked at the top, and detecting the ratio of the updated bandwidth occupancy rate; wherein the updated bandwidth occupancy is: the ratio of the sum of the data transmission rates of the other terminals except the M terminals in the preset number of terminals to the bandwidth; and when the bandwidth occupancy rate is still greater than the preset threshold value, issuing the black hole routes for M terminals which are ranked at the top in the rest terminals, wherein M is less than the preset number.
CN201610327224.2A 2016-05-17 2016-05-17 Method and device for defending and processing flow attack Active CN107395554B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610327224.2A CN107395554B (en) 2016-05-17 2016-05-17 Method and device for defending and processing flow attack

Publications (2)

Publication Number Publication Date
CN107395554A CN107395554A (en) 2017-11-24
CN107395554B true CN107395554B (en) 2021-03-09

Family

ID=60338795

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610327224.2A Active CN107395554B (en) 2016-05-17 2016-05-17 Method and device for defending and processing flow attack

Country Status (1)

Country Link
CN (1) CN107395554B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965263B (en) * 2018-06-26 2021-06-08 新华三技术有限公司 Network attack defense method and device
CN114124419A (en) * 2020-08-27 2022-03-01 北京秦淮数据有限公司 DDOS attack defense method and device
CN114338705B (en) * 2021-11-24 2023-12-01 阿里巴巴(中国)有限公司 Resource water level control method, equipment and medium for CDN node of content delivery network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102244898A (en) * 2010-05-14 2011-11-16 华为技术有限公司 Group-based traffic control method, equipment and system
CN103685315A (en) * 2013-12-30 2014-03-26 曙光云计算技术有限公司 Method and device for defending denial of service attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160036843A1 (en) * 2014-08-01 2016-02-04 Honeywell International Inc. Connected home system with cyber security monitoring

Also Published As

Publication number Publication date
CN107395554A (en) 2017-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant