CN107547561B - Method and device for carrying out DDOS attack protection processing - Google Patents
Method and device for carrying out DDOS attack protection processing Download PDFInfo
- Publication number
- CN107547561B CN107547561B CN201710874985.4A CN201710874985A CN107547561B CN 107547561 B CN107547561 B CN 107547561B CN 201710874985 A CN201710874985 A CN 201710874985A CN 107547561 B CN107547561 B CN 107547561B
- Authority
- CN
- China
- Prior art keywords
- parameter
- threshold
- connection number
- value
- current
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention provides a method and a device for DDOS attack protection processing, belonging to the technical field of communication. The method comprises the following steps: acquiring a parameter value of an operating parameter of target equipment; adjusting the current connection number new rate threshold of the target device according to the parameter values of the operation parameters, the preset first operation parameter threshold and the preset adjustment strategy of the connection number new rate threshold; and establishing a rate threshold value according to the adjusted connection number, and performing distributed denial of service (DDOS) attack protection processing on the target equipment. By adopting the invention, the accuracy of setting the new rate threshold of the connection number can be improved.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for performing DDOS attack protection processing.
Background
In a communication network, a DDoS (Distributed Denial of Service) attack is a common attack mode. In DDoS attack, a plurality of computers are combined to serve as an attack platform and continuously send a connection request to target equipment, so that bandwidth resources or system resources of the target equipment are exhausted, and great harm is brought to the target equipment.
At present, the main means for implementing DDoS attack prevention is to set a connection number new rate threshold in a security device (such as a firewall device) of a network to limit a new connection speed with a target device. The connection types to be limited are UDP (User Datagram Protocol), ICMP (Internet Control message Protocol), TCP (Transmission Control Protocol), and the like. The specific protection process is as follows: in unit time, after the security device receives a connection request with a destination address as a target device, determining the number of the connection requests with the destination address as the target device received in the unit time, and judging whether the number is greater than a preset connection number to establish a rate threshold, if so, discarding the connection request; if not, the connection request is forwarded. However, the rate threshold is established by the number of connections based on experience of technicians, and the accuracy of establishing the rate threshold is low.
Disclosure of Invention
The embodiment of the invention aims to provide a method and a device for carrying out DDOS attack protection processing, so as to improve the accuracy of setting a new rate threshold of a connection number. The specific technical scheme is as follows:
in a first aspect, a method for performing DDOS attack protection processing is provided, where the method includes:
acquiring a parameter value of an operating parameter of target equipment;
adjusting the current connection number new rate threshold of the target device according to the parameter values of the operation parameters, the preset first operation parameter threshold and the preset adjustment strategy of the connection number new rate threshold;
and establishing a rate threshold value according to the adjusted connection number, and performing distributed denial of service (DDOS) attack protection processing on the target equipment.
In a second aspect, an apparatus for performing DDOS attack protection processing is provided, the apparatus comprising:
the acquisition module is used for acquiring the parameter value of the operating parameter of the target equipment;
the adjusting module is used for adjusting the current connection number new rate threshold of the target device according to the parameter value of the operating parameter, the preset first operating parameter threshold and the preset adjusting strategy of the connection number new rate threshold;
and the protection module is used for establishing a rate threshold according to the adjusted connection number and carrying out distributed denial of service (DDOS) attack protection processing on the target equipment.
In a third aspect, a security device is provided, which comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete communication with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any one of claims 1 to 5 when executing a program stored in the memory.
In the embodiment of the invention, the parameter value of the operation parameter of the target device is obtained, the new speed threshold value of the current connection number of the target device is adjusted according to the parameter value of the operation parameter, the preset first operation parameter threshold value and the preset adjustment strategy of the new speed threshold value of the connection number, and the distributed denial of service DDOS attack protection processing is carried out on the target device according to the adjusted new speed threshold value of the connection number. Based on the scheme, the new speed threshold of the connection number of the target equipment can be adjusted according to the load capacity of the target equipment, and different new speed thresholds of the connection number can be set for different target equipment, so that the accuracy of setting the new speed threshold of the connection number is improved.
Of course, it is not necessary for any product or method of practicing the invention to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a system framework diagram provided by an embodiment of the present invention;
fig. 2 is a flowchart of a method for performing DDOS attack protection processing according to an embodiment of the present invention;
fig. 3 is a flowchart of a method for performing DDOS attack protection processing according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an apparatus for performing DDOS attack protection processing according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a security device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a method for carrying out DDOS attack protection processing, which can be applied to security equipment, such as firewall equipment. The security device can establish connection with a plurality of devices (which can be called target devices) needing security protection, and the target devices can be servers; the security device may also establish a connection with a user device that needs to access the target device. As shown in fig. 1, a system framework diagram provided for this embodiment includes a security device FireWall, a Server1 (Server 1), a Server2 (Server 2), a PC (personal computer1, PC 1)1, and a PC2, where the PC1 and the PC2 may be user devices accessing the Server1 and the Server2, and the accessed traffic is forwarded to the Server after being subjected to FireWall security filtering, so that the FireWall can continuously perform security protection on the Server1 and the Server 2.
As shown in fig. 2, the method for performing DDOS attack protection processing may include:
In implementation, the secure device may store an identifier of a target device that needs to be secured, such as an IP (Internet Protocol) address of the target device, in advance, and the identifier of the target device may be configured by a technician. The safety device can periodically acquire the parameter values of the operating parameters of the target device in the operating process. The operation parameter may be a parameter for reflecting an operation state of the target device, such as a bandwidth utilization rate, a Central Processing Unit (CPU) utilization rate, or a memory utilization rate. The manner in which the safety device obtains the parameter value of the operating parameter may be various, and this embodiment provides two feasible manners, specifically as follows:
in the first mode, when the preset period is reached, the security device may send an operation state acquisition request to the target device, and then receive a parameter value of an operation parameter sent by the target device.
In implementation, the security device may store a sending period (i.e., a preset period) of the operation status obtaining request in advance, where the preset period is also an adjustment period of the connection number new rate threshold. The security device may send an operation state acquisition request to the target device when the preset period is reached. A designated plug-in (which may be referred to as a health detection plug-in) may be installed in the target device, and the health detection plug-in may be used to obtain a parameter value of an operating parameter of the device, such as a bandwidth utilization rate, a CPU utilization rate, or a memory utilization rate of the target device. The health detection plug-in can also monitor a running state acquisition request sent by the security device. Therefore, after the target device receives the operation state acquisition request, the target device can acquire the parameter value of the local current operation parameter through the health detection plug-in, and then send the acquired parameter value of the operation parameter to the safety device, and the safety device can receive the parameter value of the operation parameter sent by the target device.
And in the second mode, the safety equipment can receive the parameter values of the operating parameters periodically reported by the target equipment.
In implementation, the target device may store a transmission period (i.e., a preset period) of a parameter value of the operating parameter, where the preset period is also an adjustment period of the connection number new rate threshold. When the preset period is reached, the target device may obtain a parameter value of the current operating parameter through the locally installed health detection plug-in, and then may send the obtained parameter value of the operating parameter to the security device, and the security device may receive the parameter value of the operating parameter sent by the target device.
In implementation, a threshold corresponding to an operating parameter (i.e., a first operating parameter threshold) may be pre-stored in the safety device, where the first operating parameter threshold may reflect an upper usage limit of a bandwidth resource and/or a system resource of the target device, and the first operating parameter threshold may be set by a technician, and the first operating parameter threshold may be a percentage. After the security device obtains the parameter value of the operating parameter of the target device, the new speed threshold of the current connection number of the target device can be adjusted according to the parameter value of the operating parameter, the first operating parameter threshold and an adjustment strategy of the new speed threshold of the preset connection number. It should be noted that the security device may store an initial value of the new rate threshold of the connection number, and the initial value may be set by a technician according to experience. The target device may continuously adjust the initial value according to the method provided by the embodiment of the present invention during the operation process. Correspondingly, the new speed threshold of the current connection number may be an initial value, or may be a new speed threshold of the connection number adjusted last time. The security device can establish a rate threshold value according to the current connection number and perform DDOS attack protection processing on the target device.
Optionally, the policy for adjusting the new rate threshold for the connection number may be as follows: if the parameter value of the operation parameter is larger than a preset first operation parameter threshold value, reducing a new speed threshold value of the current connection number of the target equipment; and if the parameter value of the operation parameter is smaller than the pre-stored first operation parameter threshold value, increasing a new speed threshold value of the connection number according to the current protection state of the DDOS attack of the target equipment and the parameter value of the operation parameter.
In implementation, after the security device obtains a parameter value of an operating parameter of the target device, the parameter value of the operating parameter may be compared with a preset first operating parameter threshold, if the parameter value of the operating parameter is greater than the preset first operating parameter threshold, it indicates that the current access pressure of the target device is too large, the current connection number new rate threshold is set to be higher, and the security device may reduce the current connection number new rate threshold of the target device according to a reduction strategy of the preset connection number new rate threshold; if the parameter value of the operation parameter is smaller than the prestored first operation parameter threshold, it indicates that the current access pressure of the target device is not too large, and the current connection number new rate threshold is not set to be too high, the security device can further determine whether to increase the connection number new rate threshold according to the current protection state of DDOS attack of the target device and the parameter value of the operation parameter, if so, the current connection number new rate threshold of the target device can be increased according to the preset strategy for increasing the connection number new rate threshold, and the specific determination process will be described in detail later.
It should be noted that the policy for decreasing the connection number new rate threshold and the policy for increasing the connection number new rate threshold may be set by a technician, and this embodiment is not limited. For example, an adjustment coefficient of the new rate threshold of the connection number may be set, for example, 10%, and when the new rate threshold of the connection number needs to be increased, the new rate threshold of the current connection number may be increased by 10%; when the new rate threshold of the number of connections needs to be reduced, the current new rate threshold of the number of connections can be reduced by 10%. For another example, the adjustment coefficient may be determined according to an absolute value of a difference between the parameter value of the operating parameter and the first operating parameter threshold, and the corresponding relationship between the absolute value of the difference and the adjustment coefficient may be stored in the safety device, where the larger the absolute value is, the larger the adjustment coefficient is. Therefore, when the access pressure of the target equipment is higher, the newly established speed threshold value of the connection number can be greatly reduced, so that the target equipment is prevented from being overloaded; when the access pressure of the target device is low, the connection number can be greatly increased, and a new speed threshold value is established, so that the resource utilization rate of the target device is increased.
Optionally, the number of the operation parameters may be multiple, and if an operation parameter of which a parameter value is greater than a corresponding first operation parameter threshold exists in the multiple operation parameters, the new rate threshold of the current connection number of the target device is reduced; and if the parameter values of the plurality of operation parameters are all smaller than the corresponding first operation parameter threshold, increasing the new speed threshold of the current connection number of the target equipment according to the protection state of the current DDOS attack of the target equipment and the parameter values of the operation parameters.
In an implementation, the number of the operating parameters may be multiple, and accordingly, a technician may set different thresholds (i.e., the first operating parameter threshold) for the same operating parameter, that is, the first operating parameter threshold may also be multiple. In this embodiment, the operation parameters including bandwidth utilization, CPU utilization, and memory utilization are taken as examples for description, and other cases are similar to the above. The security device may store a threshold of bandwidth utilization, a threshold of CPU utilization, and a threshold of memory utilization, respectively. These thresholds may be set by a technician. The security device can obtain the bandwidth utilization rate, the CPU utilization rate and the memory utilization rate of the target device, then the obtained bandwidth utilization rate, the CPU utilization rate and the memory utilization rate are respectively compared with corresponding threshold values, if any one of the bandwidth utilization rate, the CPU utilization rate and the memory utilization rate of the target device exceeds the corresponding threshold value, the current access pressure of the target device is too large, the current connection number new rate threshold value is set to be higher, and the security device can reduce the current connection number new rate threshold value according to a reduction strategy of a preset connection number new rate threshold value. If the bandwidth utilization rate, the CPU utilization rate and the memory utilization rate of the target device are all smaller than the corresponding threshold values, it is indicated that the current access pressure of the target device is not too large, the current connection number new rate threshold value is not set to be higher, and the security device can further judge whether the connection number new rate threshold value needs to be increased according to the current protection state of the DDOS attack of the target device and the parameter values of the operation parameters.
In addition, for the case that the number of the operation parameters may be multiple, the manner of determining whether the access pressure of the target device is too high may be various, for example, it may be determined whether multiple operation parameters exist, and whether a preset number of operation parameters are greater than the corresponding first operation parameter threshold; or, it may be determined whether an average value of parameter values of the multiple operating parameters is greater than a corresponding first operating parameter threshold, which is not limited in this embodiment.
Optionally, if the parameter value of the operating parameter is smaller than the first operating parameter threshold stored in advance, the security device may further determine whether to increase the connection number to establish the rate threshold, and the corresponding processing procedure may be as follows: and if the current DDOS attack protection state is open and the parameter value of the operation parameter is smaller than a preset second operation parameter threshold, increasing the connection number new rate threshold, wherein the second operation parameter threshold is smaller than the first operation parameter threshold.
Wherein the second operating parameter threshold is less than the first operating parameter threshold, for example, the second operating parameter threshold may be 90% of the first operating parameter threshold.
In implementation, if the security device determines that the parameter value of the operating parameter is smaller than the first operating parameter threshold stored in advance, the security device may obtain the protection state of the current DDOS attack of the target device, where the protection state of the DDOS attack may be on or off. When the protection state of DDOS attack is open, the number of connection requests with the destination address as the target equipment received in unit time is explained, and is larger than the current connection number to establish a rate threshold; when the protection state of DDOS attack is closed, the number of the connection requests with the destination address as the target equipment received in unit time is explained to be smaller than the current number of the connection requests and a new speed threshold is established. If the protection state of the current DDOS attack is on, the security device may further determine whether a parameter value of the operating parameter is smaller than a preset second operating parameter threshold, and if so, it indicates that the security device has discarded the connection request exceeding the new rate threshold of the connection number in the unit time, but the current access pressure of the target device is not very large, that is, the current rate threshold of the connection number is low, and the security device may increase the new rate threshold of the current connection number of the target device according to an increase policy of the new rate threshold of the preset connection number.
If the protection state of the current DDOS attack is closed, or if the protection state of the current DDOS attack is open, but the parameter value of the operation parameter is greater than the preset second operation parameter threshold value, the current connection number newly-built rate threshold value is appropriate, and the safety equipment keeps the current connection number newly-built rate threshold value unchanged without processing.
And step 203, establishing a rate threshold according to the adjusted connection number, and performing DDOS attack protection processing on the target device.
In implementation, the security device may store the adjusted new rate threshold for the number of connections. After receiving a connection request (which may be referred to as a target connection request) with a destination address as a target device, determining the number of received target connection requests in a unit time to which a current time point belongs, and determining whether the number is greater than a new rate threshold of the connection number, if so, discarding the currently received target connection request; if not, the target connection request is forwarded to the target equipment according to the destination address in the target connection request.
An embodiment of the present invention further provides an example of a method for performing DDOS attack protection processing, and as shown in fig. 3, the example may include:
If so, step 304 is performed, and if not, step 305 is performed.
And step 304, reducing the current connection number new rate threshold of the target equipment according to a reduction strategy of the preset connection number new rate threshold.
If so, step 306 is performed, and if not, the process ends.
If so, it ends, and if not, step 307 is performed.
And 307, increasing the current connection number new rate threshold of the target device according to a preset strategy for increasing the connection number new rate threshold.
In the embodiment of the invention, the parameter value of the operation parameter of the target device is obtained, the new speed threshold value of the current connection number of the target device is adjusted according to the parameter value of the operation parameter, the preset first operation parameter threshold value and the preset adjustment strategy of the new speed threshold value of the connection number, and the distributed denial of service DDOS attack protection processing is carried out on the target device according to the adjusted new speed threshold value of the connection number. Based on the scheme, the new speed threshold of the connection number of the target equipment can be adjusted according to the load capacity of the target equipment, and different new speed thresholds of the connection number can be set for different target equipment, so that the accuracy of setting the new speed threshold of the connection number is improved.
Based on the same technical concept, an embodiment of the present invention further provides an apparatus for performing DDOS attack protection processing, as shown in fig. 4, the apparatus includes:
an obtaining module 410, configured to obtain a parameter value of an operating parameter of a target device;
an adjusting module 420, configured to adjust a new rate threshold of the current connection number of the target device according to an adjustment policy of the parameter value of the operating parameter, a preset first operating parameter threshold, and a preset new rate threshold of the connection number;
and the protection module 430 is configured to establish a rate threshold according to the adjusted connection number, and perform distributed denial of service (DDOS) attack protection processing on the target device.
Optionally, the adjusting module 420 is specifically configured to:
if the parameter value of the operating parameter is larger than a preset first operating parameter threshold, reducing a new speed threshold of the current connection number of the target equipment;
and if the parameter value of the operation parameter is smaller than a first operation parameter threshold value which is stored in advance, increasing the new speed threshold value of the connection number according to the current protection state of the DDOS attack of the target equipment and the parameter value of the operation parameter.
Optionally, the adjusting module 420 is specifically configured to:
and if the protection state of the current DDOS attack is started and the parameter value of the operation parameter is smaller than a preset second operation parameter threshold value, increasing the new speed threshold value of the connection number, wherein the second operation parameter threshold value is smaller than the first operation parameter threshold value.
Optionally, the number of the operating parameters is multiple, and the adjusting module 420 is specifically configured to:
and if the operating parameters with the parameter values larger than the corresponding first operating parameter threshold exist in the plurality of operating parameters, reducing the new speed threshold of the current connection number of the target equipment.
The adjusting module 420 is specifically configured to:
and if the parameter values of the plurality of operation parameters are all smaller than the corresponding first operation parameter threshold, increasing the current connection number of the target equipment to establish a new speed threshold according to the current DDOS attack protection state of the target equipment and the parameter values of the operation parameters.
Optionally, the obtaining module 410 is specifically configured to:
when a preset period is reached, sending an operation state acquisition request to target equipment;
and receiving the parameter value of the operating parameter sent by the target equipment.
In the embodiment of the invention, the parameter value of the operation parameter of the target device is obtained, the new speed threshold value of the current connection number of the target device is adjusted according to the parameter value of the operation parameter, the preset first operation parameter threshold value and the preset adjustment strategy of the new speed threshold value of the connection number, and the distributed denial of service DDOS attack protection processing is carried out on the target device according to the adjusted new speed threshold value of the connection number. Based on the scheme, the new speed threshold of the connection number of the target equipment can be adjusted according to the load capacity of the target equipment, and different new speed thresholds of the connection number can be set for different target equipment, so that the accuracy of setting the new speed threshold of the connection number is improved.
The embodiment of the present invention further provides a security device, as shown in fig. 5, which includes a processor 501, a communication interface 502, a memory 503 and a communication bus 504, wherein the processor 501, the communication interface 502 and the memory 503 complete mutual communication through the communication bus 504,
a memory 503 for storing a computer program;
a processor 501, configured to execute the program stored in the memory 503, so that the security device performs the following steps, including:
acquiring a parameter value of an operating parameter of target equipment;
adjusting the current connection number new rate threshold of the target device according to the parameter values of the operation parameters, the preset first operation parameter threshold and the preset adjustment strategy of the connection number new rate threshold;
and establishing a rate threshold value according to the adjusted connection number, and performing distributed denial of service (DDOS) attack protection processing on the target equipment.
Optionally, the adjusting the current connection number new rate threshold of the target device according to the parameter value of the operating parameter, the preset first operating parameter threshold, and the preset adjustment policy of the connection number new rate threshold includes:
if the parameter value of the operating parameter is larger than a preset first operating parameter threshold, reducing a new speed threshold of the current connection number of the target equipment;
and if the parameter value of the operation parameter is smaller than a first operation parameter threshold value which is stored in advance, increasing the new speed threshold value of the connection number according to the current protection state of the DDOS attack of the target equipment and the parameter value of the operation parameter.
Optionally, the increasing the new connection rate threshold according to the current protection state of the DDOS attack of the target device and the parameter value of the operation parameter includes:
and if the protection state of the current DDOS attack is started and the parameter value of the operation parameter is smaller than a preset second operation parameter threshold value, increasing the new speed threshold value of the connection number, wherein the second operation parameter threshold value is smaller than the first operation parameter threshold value.
Optionally, the number of the operating parameters is multiple, and if the parameter value of the operating parameter is greater than a preset first operating parameter threshold, reducing a new rate threshold of the current connection number of the target device includes:
and if the operating parameters with the parameter values larger than the corresponding first operating parameter threshold exist in the plurality of operating parameters, reducing the new speed threshold of the current connection number of the target equipment.
If the parameter value of the operating parameter is smaller than a first operating parameter threshold value stored in advance, increasing the connection number new rate threshold value according to the current protection state of the DDOS attack of the target device and the parameter value of the operating parameter, including:
and if the parameter values of the plurality of operation parameters are all smaller than the corresponding first operation parameter threshold, increasing the current connection number of the target equipment to establish a new speed threshold according to the current DDOS attack protection state of the target equipment and the parameter values of the operation parameters.
Optionally, the obtaining of the parameter value of the operating parameter of the target device includes:
when a preset period is reached, sending an operation state acquisition request to target equipment;
and receiving the parameter value of the operating parameter sent by the target equipment.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a network Processor (Ne word Processor, NP), and the like; the integrated Circuit may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.
In the embodiment of the invention, the parameter value of the operation parameter of the target device is obtained, the new speed threshold value of the current connection number of the target device is adjusted according to the parameter value of the operation parameter, the preset first operation parameter threshold value and the preset adjustment strategy of the new speed threshold value of the connection number, and the distributed denial of service DDOS attack protection processing is carried out on the target device according to the adjusted new speed threshold value of the connection number. Based on the scheme, the new speed threshold of the connection number of the target equipment can be adjusted according to the load capacity of the target equipment, and different new speed thresholds of the connection number can be set for different target equipment, so that the accuracy of setting the new speed threshold of the connection number is improved.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (9)
1. A method for performing DDOS attack protection processing, the method comprising:
acquiring a parameter value of an operating parameter of target equipment;
adjusting the current connection number new rate threshold of the target device according to the parameter values of the operation parameters, the preset first operation parameter threshold and the preset adjustment strategy of the connection number new rate threshold;
establishing a rate threshold value according to the adjusted connection number, and performing distributed denial of service (DDOS) attack protection processing on the target equipment;
the adjusting the current connection number new rate threshold of the target device according to the parameter value of the operating parameter, the preset first operating parameter threshold and the preset adjustment strategy of the connection number new rate threshold includes:
if the parameter value of the operating parameter is larger than a preset first operating parameter threshold, reducing a new speed threshold of the current connection number of the target equipment;
and if the parameter value of the operation parameter is smaller than a first operation parameter threshold value which is stored in advance, increasing the new speed threshold value of the connection number according to the current protection state of the DDOS attack of the target equipment and the parameter value of the operation parameter.
2. The method of claim 1, wherein the increasing the connection number new rate threshold according to the protection state of the current DDOS attack of the target device and the parameter value of the operation parameter comprises:
and if the protection state of the current DDOS attack is started and the parameter value of the operation parameter is smaller than a preset second operation parameter threshold value, increasing the new speed threshold value of the connection number, wherein the second operation parameter threshold value is smaller than the first operation parameter threshold value.
3. The method of claim 1, wherein the number of the operating parameters is plural, and the step of decreasing the new rate threshold of the current number of connections of the target device if the parameter value of the operating parameter is greater than the preset first operating parameter threshold comprises:
if the operating parameters with the parameter values larger than the corresponding first operating parameter threshold exist in the plurality of operating parameters, reducing a new speed threshold of the current connection number of the target equipment;
if the parameter value of the operating parameter is smaller than a first operating parameter threshold value stored in advance, increasing the connection number new rate threshold value according to the current protection state of the DDOS attack of the target device and the parameter value of the operating parameter, including:
and if the parameter values of the plurality of operation parameters are all smaller than the corresponding first operation parameter threshold, increasing the current connection number of the target equipment to establish a new speed threshold according to the current DDOS attack protection state of the target equipment and the parameter values of the operation parameters.
4. The method of claim 1, wherein the obtaining parameter values for the operating parameters of the target device comprises:
when a preset period is reached, sending an operation state acquisition request to target equipment;
and receiving the parameter value of the operating parameter sent by the target equipment.
5. An apparatus for performing DDOS attack protection processing, the apparatus comprising:
the acquisition module is used for acquiring the parameter value of the operating parameter of the target equipment;
the adjusting module is used for adjusting the current connection number new rate threshold of the target device according to the parameter value of the operating parameter, the preset first operating parameter threshold and the preset adjusting strategy of the connection number new rate threshold;
the protection module is used for establishing a rate threshold value according to the adjusted connection number and carrying out distributed denial of service (DDOS) attack protection processing on the target equipment;
the adjusting module is specifically configured to:
if the parameter value of the operating parameter is larger than a preset first operating parameter threshold, reducing a new speed threshold of the current connection number of the target equipment;
and if the parameter value of the operation parameter is smaller than a first operation parameter threshold value which is stored in advance, increasing the new speed threshold value of the connection number according to the current protection state of the DDOS attack of the target equipment and the parameter value of the operation parameter.
6. The apparatus of claim 5, wherein the adjustment module is specifically configured to:
and if the protection state of the current DDOS attack is started and the parameter value of the operation parameter is smaller than a preset second operation parameter threshold value, increasing the new speed threshold value of the connection number, wherein the second operation parameter threshold value is smaller than the first operation parameter threshold value.
7. The apparatus according to claim 5, wherein the number of operating parameters is plural, and the adjusting module is specifically configured to:
if the operating parameters with the parameter values larger than the corresponding first operating parameter threshold exist in the plurality of operating parameters, reducing a new speed threshold of the current connection number of the target equipment;
the adjusting module is specifically configured to:
and if the parameter values of the plurality of operation parameters are all smaller than the corresponding first operation parameter threshold, increasing the current connection number of the target equipment to establish a new speed threshold according to the current DDOS attack protection state of the target equipment and the parameter values of the operation parameters.
8. The apparatus of claim 5, wherein the obtaining module is specifically configured to:
when a preset period is reached, sending an operation state acquisition request to target equipment;
and receiving the parameter value of the operating parameter sent by the target equipment.
9. The safety equipment is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing mutual communication by the memory through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1 to 4 when executing a program stored in the memory.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710874985.4A CN107547561B (en) | 2017-09-25 | 2017-09-25 | Method and device for carrying out DDOS attack protection processing |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710874985.4A CN107547561B (en) | 2017-09-25 | 2017-09-25 | Method and device for carrying out DDOS attack protection processing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107547561A CN107547561A (en) | 2018-01-05 |
CN107547561B true CN107547561B (en) | 2020-10-30 |
Family
ID=60963350
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710874985.4A Active CN107547561B (en) | 2017-09-25 | 2017-09-25 | Method and device for carrying out DDOS attack protection processing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107547561B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108282492B (en) * | 2018-02-28 | 2021-02-23 | 新华三信息安全技术有限公司 | Threshold determination method, device, equipment and storage medium |
CN109150890A (en) * | 2018-09-05 | 2019-01-04 | 杭州迪普科技股份有限公司 | The means of defence and relevant device of newly-built connection attack |
CN110519248B (en) * | 2019-08-19 | 2020-11-24 | 光通天下网络科技股份有限公司 | Method and device for DDoS attack judgment and flow cleaning and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101060531A (en) * | 2007-05-17 | 2007-10-24 | 华为技术有限公司 | A method and device for avoiding the attack of network equipment |
CN104125213A (en) * | 2014-06-18 | 2014-10-29 | 汉柏科技有限公司 | Distributed denial of service DDOS attack resisting method and device for firewall |
WO2017131975A1 (en) * | 2016-01-25 | 2017-08-03 | Acalvio Technologies, Inc. | Detecting security threats by combining deception mechanisms and data science |
CN107196820A (en) * | 2017-05-24 | 2017-09-22 | 上海海斯科网络科技有限公司 | A kind of switch performance method of testing, apparatus and system |
-
2017
- 2017-09-25 CN CN201710874985.4A patent/CN107547561B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101060531A (en) * | 2007-05-17 | 2007-10-24 | 华为技术有限公司 | A method and device for avoiding the attack of network equipment |
CN104125213A (en) * | 2014-06-18 | 2014-10-29 | 汉柏科技有限公司 | Distributed denial of service DDOS attack resisting method and device for firewall |
WO2017131975A1 (en) * | 2016-01-25 | 2017-08-03 | Acalvio Technologies, Inc. | Detecting security threats by combining deception mechanisms and data science |
CN107196820A (en) * | 2017-05-24 | 2017-09-22 | 上海海斯科网络科技有限公司 | A kind of switch performance method of testing, apparatus and system |
Also Published As
Publication number | Publication date |
---|---|
CN107547561A (en) | 2018-01-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9288218B2 (en) | Securing an accessible computer system | |
US10771501B2 (en) | DDoS attack defense method, system, and related device | |
CN108173812B (en) | Method, device, storage medium and equipment for preventing network attack | |
CN108768942B (en) | DDoS attack detection method and detection device based on self-adaptive threshold | |
CN107547561B (en) | Method and device for carrying out DDOS attack protection processing | |
JP2004507978A (en) | System and method for countering denial of service attacks on network nodes | |
CN108183950A (en) | A kind of network equipment establishes the method and device of connection | |
US20210185083A1 (en) | Packet fingerprinting for enhanced distributed denial of service protection | |
WO2020199686A1 (en) | Method and system for providing edge service, and computing device | |
US20220329609A1 (en) | Network Security Protection Method and Protection Device | |
CN110191104A (en) | A kind of method and device of security protection | |
CN104967632B (en) | Webpage abnormal data processing method, data server and system | |
CN106230741A (en) | A kind of method and apparatus that message is carried out speed limit | |
CN107454065B (en) | Method and device for protecting UDP Flood attack | |
EP2109282B1 (en) | Method and system for mitigation of distributed denial of service attacks based on IP neighbourhood density estimation | |
CN109462586A (en) | Flow monitoring method, device and execute server | |
US20090164659A1 (en) | Communication system allowing reduction in congestion by restricting communication | |
CN109889470B (en) | Method and system for defending DDoS attack based on router | |
CN105848149B (en) | Security authentication method for wireless local area network | |
EP3139568B1 (en) | Access control device and authentication control method | |
CN110661722B (en) | Flow control method and device | |
CN110417615B (en) | Check switch control method, device and equipment and computer readable storage medium | |
CN101854333B (en) | Method and device for detecting incomplete session attack | |
CN108471427B (en) | Method and device for defending attack | |
CN113872949B (en) | Address resolution protocol response method and related device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |