CN107634971B - Method and device for detecting flood attack - Google Patents

Method and device for detecting flood attack

Info

Publication number: CN107634971B
Application number: CN201711021069.2A
Authority: CN (China)
Other versions: CN107634971A (application publication)
Original language: Chinese (zh)
Inventor: 杜剑锋
Assignee (original and current): Hangzhou DPTech Technologies Co Ltd
Legal status: Active (Google's assumption, not a legal conclusion)
Prior art keywords: session, table entry, user table, state, user

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and a device for detecting a flood attack, applied to an access switch of a local area network. The method comprises: updating the number of initiated sessions in a user table entry of a user table according to the source IP of a session table entry of a session table; updating the number of abnormal sessions in the user table entry according to the session state and the session establishment time of the session table entry; periodically traversing the user table and determining whether the number of initiated sessions of each user table entry reaches a preset first threshold and whether the number of abnormal sessions of each user table entry reaches a preset second threshold; and, if the number of initiated sessions of a user table entry reaches the first threshold or its number of abnormal sessions reaches the second threshold, determining that the IP address in that user table entry is the IP address of the attack source. Because the access switch itself identifies the source of the flood attack, the security and reliability of the network are improved without increasing the cost of the local area network.

Description

Method and device for detecting flood attack
Technical Field
The present application relates to the field of security protection, and in particular, to a method and an apparatus for detecting a flood attack.
Background
After a virus infects a device such as a computer or server in the LAN, that device often becomes an attack source within the LAN and sends a large volume of attack packets to other computers or servers in the LAN, producing a flood attack. Common attack packets are TCP SYN Flood (Transmission Control Protocol synchronization flood), UDP Flood (User Datagram Protocol flood) and ICMP Flood (Internet Control Message Protocol flood) packets. These attack packets reduce communication efficiency in the LAN, can bring the network down entirely, and can leave an Internet-facing server in the LAN unable to provide service. It is therefore important, once a flood attack occurs, to identify the attack source promptly and block it.
In the prior art, the attack source is usually detected by a network device at the aggregation layer or core layer: that device captures packets, extracts packet characteristics (for example the source IP), analyses the attack packets according to those characteristics and determines the attack source. However, when the attack packets are forwarded only within the Layer 2 network, the aggregation-layer or core-layer device never sees them and cannot detect them. To solve this, a security device connected to the access switch is generally deployed to inspect the packets forwarded by the access switch and determine the attack source, which increases the cost of the local area network.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for detecting a flood attack, intended to improve the security and reliability of a network without increasing the cost of the local area network.
Specifically, the method is realized through the following technical scheme:
A method for detecting a flood attack, applied to an access switch of a local area network, comprises the following steps:
updating the number of initiated sessions in a user table entry of a preset user table according to the source IP in the 5-tuple of a session table entry of a preset session table, where the session table holds the mapping of 5-tuple, session state and session establishment time, and the user table holds the mapping of IP address, number of initiated sessions and number of abnormal sessions;
updating the number of abnormal sessions in the user table entry according to the session state and the session establishment time of the session table entry;
periodically traversing the user table, determining whether the number of initiated sessions of each user table entry reaches a preset first threshold, and determining whether the number of abnormal sessions of each user table entry reaches a preset second threshold;
and if the number of initiated sessions of a user table entry reaches the first threshold or the number of abnormal sessions of the user table entry reaches the second threshold, determining that the IP address in that user table entry is the IP address of the attack source.
In the method for detecting a flood attack, updating the number of initiated sessions in the user table entry according to the source IP in the 5-tuple of the session table entry comprises:
creating a new session table entry, or updating an existing session table entry of the session table;
looking up the user table by the source IP in the 5-tuple of the session table entry and determining whether a corresponding user table entry is found;
if so, adding 1 to the number of initiated sessions in the user table entry found;
if not, creating a new user table entry from the source IP in the 5-tuple of the session table entry and setting its number of initiated sessions to 1.
In the method for detecting a flood attack, creating a session table entry or updating a session table entry of the session table comprises:
receiving a packet and extracting its 5-tuple;
looking up the session table by the 5-tuple and determining whether a corresponding session table entry is found;
if so, updating the session state in the session table entry, where the session state is either incomplete or complete: incomplete means the two parties of the session have not yet communicated with each other (no traffic in both directions), and complete means they have;
if not, creating a session table entry from the 5-tuple and setting its session state to incomplete.
In the method for detecting a flood attack, updating the number of abnormal sessions in the user table entry according to the session state and the session establishment time of the session table entry comprises:
periodically traversing the session table and taking each session table entry in turn as the target session table entry;
determining, from the current time and the session establishment time in the target session table entry, whether the entry has existed for a preset state update duration;
if the target session table entry has existed for the state update duration, determining whether its session state is complete;
if so, moving on to the next session table entry as the target;
if not, looking up the user table by the source IP in the 5-tuple of the target session table entry and adding 1 to the number of abnormal sessions in the user table entry found.
In the method for detecting a flood attack, the method further comprises:
after the IP address of the attack source is determined, discarding the packets sent by the attack source.
In the method for detecting a flood attack, the access switch is connected to a management server, and the method further comprises:
after the IP address of the attack source is determined, reporting the user table entry of the attack source to the management server, so that the management server further confirms that the IP address in the user table entry is the IP address of the flood attack source and issues a blocking command;
and receiving the blocking command and discarding the packets sent by the attack source.
An apparatus for detecting a flood attack, applied to an access switch of a local area network, comprises:
a first updating unit, configured to update the number of initiated sessions in a user table entry of a preset user table according to the source IP in the 5-tuple of a session table entry of a preset session table, where the session table holds the mapping of 5-tuple, session state and session establishment time, and the user table holds the mapping of IP address, number of initiated sessions and number of abnormal sessions;
a second updating unit, configured to update the number of abnormal sessions in the user table entry according to the session state and the session establishment time of the session table entry;
a detection unit, configured to periodically traverse the user table, determine whether the number of initiated sessions of each user table entry reaches a preset first threshold, and determine whether the number of abnormal sessions of each user table entry reaches a preset second threshold;
and a determining unit, configured to determine that the IP address in a user table entry is the IP address of the attack source if the number of initiated sessions of that entry reaches the first threshold or its number of abnormal sessions reaches the second threshold.
In the apparatus for detecting a flood attack, the first updating unit is further configured to:
create a new session table entry, or update an existing session table entry of the session table;
look up the user table by the source IP in the 5-tuple of the session table entry and determine whether a corresponding user table entry is found;
if so, add 1 to the number of initiated sessions in the user table entry found;
if not, create a new user table entry from the source IP in the 5-tuple of the session table entry and set its number of initiated sessions to 1.
In the apparatus for detecting a flood attack, the first updating unit is further configured to:
receive a packet and extract its 5-tuple;
look up the session table by the 5-tuple and determine whether a corresponding session table entry is found;
if so, update the session state in the session table entry, where the session state is either incomplete or complete: incomplete means the two parties of the session have not yet communicated with each other, and complete means they have;
if not, create a session table entry from the 5-tuple and set its session state to incomplete.
In the apparatus for detecting a flood attack, the second updating unit is further configured to:
periodically traverse the session table and take each session table entry in turn as the target session table entry;
determine, from the current time and the session establishment time in the target session table entry, whether the entry has existed for a preset state update duration;
if the target session table entry has existed for the state update duration, determine whether its session state is complete;
if so, move on to the next session table entry as the target;
if not, look up the user table by the source IP in the 5-tuple of the target session table entry and add 1 to the number of abnormal sessions in the user table entry found.
In the apparatus for detecting a flood attack, the apparatus further comprises:
a discarding unit, configured to discard the packets sent by the attack source after the IP address of the attack source is determined.
In the apparatus for detecting a flood attack, the access switch is connected to a management server, and the apparatus further comprises:
a reporting unit, configured to report the user table entry of the attack source to the management server after the IP address of the attack source is determined, so that the management server further confirms that the IP address in the user table entry is the IP address of the flood attack source and issues a blocking command;
and a receiving unit, configured to receive the blocking command and discard the packets sent by the attack source.
In the technical scheme of the application, under normal conditions a single terminal device actively initiates only a small number of sessions, and few of the sessions it initiates are abnormal; the access switch of the local area network therefore decides, from the number of initiated sessions and the number of abnormal sessions in each user table entry, whether the terminal device corresponding to that entry is the source of a flood attack.
Compared with having an aggregation-layer or core-layer network device identify the attack source, this lets the access switches detect packets that are forwarded only within the Layer 2 network without adding any security device, so the security and reliability of the network are improved without increasing the cost of the local area network.
Drawings
FIG. 1 is a network architecture diagram of a local area network shown in the present application;
FIG. 2 is a flow chart of a method for detecting a flood attack shown in the present application;
FIG. 3 is a flow chart of updating a session table and a user table as disclosed herein;
FIG. 4 is a flow chart of updating the number of abnormal sessions in a user table;
FIG. 5 is a flow chart of determining the source of a flood attack;
FIG. 6 is a block diagram of an embodiment of an apparatus for detecting a flood attack shown in the present application;
FIG. 7 is a hardware configuration diagram of an apparatus for detecting a flood attack according to the present application.
Detailed Description
To make the technical solutions in the embodiments of the present invention better understood, and the above objects, features and advantages clearer, the prior art and the technical solutions in the embodiments are described below with reference to the accompanying drawings.
The prior art generally detects the source of a flood attack in a local area network with a network device at the aggregation layer or core layer. FIG. 1 is a network architecture diagram of a local area network. As shown in FIG. 1, once a computer in the LAN is infected with a virus it becomes an attack source and sends a large volume of attack packets to other computers or servers. In this case the core device of the LAN (the gateway device in FIG. 1) can capture the packets forwarded by all the access switches and extract their packet characteristics, for example the source IP.
The gateway device can count how often each source IP occurs and treat a source IP whose count exceeds a preset threshold as the IP address of the flood-attacking computer. After the IP address of the attack source is determined, the gateway device can issue a blocking command to the access switch that forwards the attack packets, so that the access switch blocks the packets sent by the attack source.
However, if the attack packets are not forwarded at Layer 3, the core-layer network device cannot detect them. For example, when computer A in FIG. 1 sends attack packets only to computer B, the gateway device never sees them and cannot determine the attack source.
In that case a security device connected to the access switch is generally deployed to inspect the packets the access switch forwards and so find the source of the flood attack. This, however, raises the deployment cost of the local area network.
In short, in the prior art, identifying the attack source with a core-layer or aggregation-layer device has the defect that attack packets not forwarded at Layer 3 cannot be detected, while identifying it with a security device attached to the access switch raises the deployment and maintenance cost of the local area network.
In view of this, the present application provides a method for detecting a flood attack in which each access switch updates the user table entries of a user table from the session table entries of a preset session table, periodically determines whether the number of sessions actively initiated by each computer or server reaches a preset first threshold and whether the number of abnormal sessions it initiated reaches a preset second threshold, and treats the session initiator as an attack source as soon as either index reaches its threshold. Because every access switch actively detects flood-attack sources, the security and reliability of the network are improved without increasing the deployment or maintenance cost of the local area network.
Referring to FIG. 2, a flow chart of a method for detecting a flood attack, applied to an access switch of a local area network, the method includes:
Step 201: updating the number of initiated sessions in a user table entry of a preset user table according to the source IP in the 5-tuple of a session table entry of a preset session table; the session table holds the mapping of 5-tuple, session state and session establishment time, and the user table holds the mapping of IP address, number of initiated sessions and number of abnormal sessions.
Step 202: updating the number of abnormal sessions in the user table entry according to the session state and the session establishment time of the session table entry.
Step 203: periodically traversing the user table, determining whether the number of initiated sessions of each user table entry reaches a preset first threshold, and determining whether the number of abnormal sessions of each user table entry reaches a preset second threshold.
Step 204: if the number of initiated sessions of a user table entry reaches the first threshold or its number of abnormal sessions reaches the second threshold, determining that the IP address in that user table entry is the IP address of the attack source.
In this embodiment each access switch is preconfigured with a session table and a user table. The session table records the sessions to which locally processed packets belong; each session table entry maps a 5-tuple to a session state, a session establishment time and a session aging time. The user table records, for each computer or server in the LAN, the number of sessions it actively initiated and the number of those that are abnormal; each user table entry maps an IP address to a number of initiated sessions and a number of abnormal sessions.
Note that the 5-tuple consists of source IP, destination IP, protocol number, source port and destination port, and that a session table entry may hold two 5-tuples, the source IP and source port of one being the destination IP and destination port of the other. The session state is either incomplete or complete, and the rule for deciding it differs by protocol.
For example, for a TCP session, when the access switch receives a packet carrying SYN it sets the session state to incomplete; on receiving a packet carrying SYN and ACK it leaves the state unchanged; and only on receiving a packet carrying ACK alone (that is, once the two parties are determined to have completed the three-way handshake) does it update the state to complete.
For a UDP session, the access switch sets the state to incomplete when it creates the session table entry and updates it to complete after receiving a packet carrying the session's other 5-tuple (that is, once bidirectional traffic has been observed).
In addition, each access switch may be preconfigured with a state update duration. Once a session table entry has existed for that duration, the switch checks whether its session state is complete; if it is not, the session corresponding to that entry is deemed abnormal. The state update duration is configured to suit the actual network, for example 120 seconds.
In this embodiment the access switch updates the number of initiated sessions in the user table entry according to the source IP of the 5-tuple of the session table entry.
Specifically, when the access switch receives a packet exchanged between terminal devices (computers and servers) in the LAN, it creates or updates a session table entry from the packet and then updates the user table.
Referring to FIG. 3, a flow chart of updating the session table and the user table, the access switch first extracts the 5-tuple of a received packet; the packet may have been sent by a terminal device attached to the access switch or forwarded to it by an aggregation-layer or core-layer network device.
The access switch looks up the session table by the extracted 5-tuple and determines whether a corresponding session table entry exists. Note that in this lookup source IP and destination IP are not distinguished, nor are source port and destination port, so two 5-tuples with reversed IPs and reversed ports find the same session table entry.
If a session table entry for the 5-tuple is found, the access switch has already seen packets of this session and updates the entry found.
Specifically, if the 5-tuple belongs to a TCP session, the access switch updates the session state from the SYN and ACK flags carried in the packet, and records the 5-tuple in the session table entry if it is not recorded there yet.
If the 5-tuple belongs to a UDP session, the access switch checks whether the entry already holds both 5-tuples (with reversed IPs and reversed ports); when the extracted 5-tuple is not yet recorded, it records it, concludes that the session has bidirectional traffic, and updates the session state to complete.
Likewise, if the 5-tuple belongs to an ICMP session, the access switch checks whether both 5-tuples with reversed IPs and reversed ports are already recorded; when the extracted 5-tuple is not yet recorded, it records it, concludes that bidirectional traffic exists, and updates the session state to complete.
If no session table entry for the 5-tuple is found, the access switch has not seen this session before and creates a new session table entry.
Specifically, the access switch creates the session table entry from the 5-tuple, fills in the current time as the session establishment time, and sets the session state to incomplete.
In practice the session state field holds a state identifier, for example 0 for incomplete and 1 for complete.
After a session table entry has been created or its session state updated, the access switch looks up the preconfigured user table by the source IP in the 5-tuple and determines whether a corresponding user table entry exists.
If no corresponding user table entry is found, the access switch creates one from the source IP in the 5-tuple and sets its number of initiated sessions to 1;
if one is found, the access switch adds 1 to its number of initiated sessions.
In this embodiment the access switch updates the number of abnormal sessions in the user table entry according to the session state and the session establishment time of the session table entry.
Specifically, the access switch periodically checks the state of the sessions initiated by each terminal device and decides whether each session table entry corresponds to an abnormal session.
Referring to FIG. 4, a flow chart of updating the number of abnormal sessions of a user, the access switch periodically traverses the session table, takes each session table entry in turn as the target, computes the difference between the current time and the entry's session establishment time, and checks whether that difference has reached the state update duration; if it has, the switch further checks whether the session state in the target entry is complete.
If the session state in the target entry is complete, the switch moves on to the next session table entry;
if it is not complete, the switch looks up the user table by the source IP in the 5-tuple of the target entry and adds 1 to the number of abnormal sessions in the user table entry found.
In this way the access switch keeps the number of abnormal sessions among the sessions actively initiated by each terminal device current, so that the source of a flood attack can later be determined from the number of abnormal sessions in each user table entry.
In this embodiment the access switch periodically traverses the user table to determine the source of a flood attack.
Referring to FIG. 5, a flow chart of determining the source of a flood attack, the access switch periodically traverses the user table, takes each user table entry in turn as the target, and checks whether its number of initiated sessions reaches the preset first threshold and whether its number of abnormal sessions reaches the preset second threshold.
If either the number of initiated sessions or the number of abnormal sessions of the target entry reaches its threshold, the terminal device corresponding to that entry is determined to be an attack source;
if neither reaches its threshold, the switch moves on to the next user table entry.
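The FIG. 3, FIG. 4 and FIG. 5 procedures above (and the corresponding method steps in the Disclosure) end to end, as an added example in Python that is not part of the patent or of DPTech's implementation. It models the session table with a direction-agnostic 5-tuple key, applies the TCP, UDP and ICMP session-state rules as the description gives them, and runs the periodic abnormal-session scan and the threshold check over constructed traffic. Two points are this example's own choices rather than the patent's text: the initiated-session counter is incremented once, when the session table entry is created, against the initiator's IP (the text says the user table lookup happens after an entry is created or updated, which read literally would count packets rather than sessions); and a `counted_abnormal` flag keeps one session from being charged as abnormal on every traversal, since the description does not say how that is avoided before the entry ages out. The `Packet` class, the treatment of the port fields for ICMP, all names and all sample addresses are assumptions.

```python
from dataclasses import dataclass, field

INCOMPLETE, COMPLETE = 0, 1   # state identifiers, as the description suggests

@dataclass
class Packet:
    # Constructed input: header fields of one forwarded frame. For ICMP the port
    # fields are assumed to hold whatever the switch keys ICMP sessions on.
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags, ignored for other protocols
    ack: bool = False

@dataclass
class SessionEntry:
    initiator_ip: str       # source IP of the packet that created the entry
    state: int
    established_at: float   # session establishment time, seconds
    tuples: set = field(default_factory=set)   # the 5-tuples seen (at most two)
    counted_abnormal: bool = False             # added here to avoid double counting

@dataclass
class UserEntry:
    ip: str
    initiated: int = 0
    abnormal: int = 0

def session_key(p: Packet) -> tuple:
    # Direction-agnostic key: IPs and ports are not distinguished, so both
    # directions of a flow resolve to the same session table entry.
    ends = sorted([(p.src_ip, p.sport), (p.dst_ip, p.dport)])
    return (p.proto, ends[0], ends[1])

class AccessSwitch:
    def __init__(self, state_update_duration: float = 120.0):
        self.sessions = {}                  # session table
        self.users = {}                     # user table, keyed by IP
        self.state_update_duration = state_update_duration

    def on_packet(self, p: Packet, now: float) -> SessionEntry:
        # FIG. 3: look up or create the session entry, then update the user table.
        key = session_key(p)
        tup = (p.src_ip, p.sport, p.dst_ip, p.dport)
        entry = self.sessions.get(key)
        if entry is None:
            entry = SessionEntry(p.src_ip, INCOMPLETE, now, {tup})
            self.sessions[key] = entry
            # Count the new session once, against its initiator (example's choice).
            self.users.setdefault(p.src_ip, UserEntry(p.src_ip)).initiated += 1
        else:
            self._update_state(entry, p, tup)
        return entry

    @staticmethod
    def _update_state(e: SessionEntry, p: Packet, tup: tuple) -> None:
        if p.proto == "tcp":
            # SYN and SYN+ACK leave the state alone; an ACK-only packet means the
            # three-way handshake finished, so the session becomes complete.
            if p.ack and not p.syn:
                e.state = COMPLETE
        elif tup not in e.tuples:
            # UDP/ICMP: a packet on the reverse 5-tuple proves bidirectional traffic.
            e.state = COMPLETE
        e.tuples.add(tup)

    def scan_sessions(self, now: float) -> None:
        # FIG. 4: a session still incomplete after the state update duration is
        # abnormal and is charged to its initiator's user table entry.
        for e in self.sessions.values():
            if now - e.established_at < self.state_update_duration:
                continue
            if e.state == COMPLETE or e.counted_abnormal:
                continue
            e.counted_abnormal = True
            self.users.setdefault(e.initiator_ip, UserEntry(e.initiator_ip)).abnormal += 1

    def detect(self, first_threshold: int, second_threshold: int) -> list:
        # FIG. 5: either counter reaching its threshold marks the IP as an attack source.
        return sorted(u.ip for u in self.users.values()
                      if u.initiated >= first_threshold or u.abnormal >= second_threshold)

def demo() -> dict:
    # Constructed traffic: 10.0.0.5 completes a TCP handshake and a DNS exchange;
    # 10.0.0.66 sends 50 SYNs to 10.0.0.9 and never gets past the first packet.
    sw = AccessSwitch(state_update_duration=120)
    sw.on_packet(Packet("10.0.0.5", "10.0.0.9", "tcp", 40000, 80, syn=True), now=0)
    sw.on_packet(Packet("10.0.0.9", "10.0.0.5", "tcp", 80, 40000, syn=True, ack=True), now=0.1)
    sw.on_packet(Packet("10.0.0.5", "10.0.0.9", "tcp", 40000, 80, ack=True), now=0.2)
    sw.on_packet(Packet("10.0.0.5", "10.0.0.53", "udp", 51000, 53), now=1)
    sw.on_packet(Packet("10.0.0.53", "10.0.0.5", "udp", 53, 51000), now=1.1)
    for port in range(1000, 1050):
        sw.on_packet(Packet("10.0.0.66", "10.0.0.9", "tcp", port, 80, syn=True), now=2)
    sw.scan_sessions(now=130)   # 120 s on: the unanswered SYNs become abnormal sessions
    return {"users": {ip: (u.initiated, u.abnormal) for ip, u in sw.users.items()},
            "attack_sources": sw.detect(first_threshold=40, second_threshold=10)}
```

`demo()` leaves 10.0.0.5 at (2, 0) and 10.0.0.66 at (50, 50), so the flooding host trips both counters. One consequence of the TCP rule as the description states it: the switch marks a session complete on the first ACK-only packet it sees, whichever side sends it, so a sender that emits SYN and then ACK without waiting for SYN+ACK accumulates no abnormal sessions; for that case the initiated-session threshold is the backstop, which is why the method checks both counters.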
In this embodiment, after determining the source of a flood attack the access switch discards the packets sent by the attack source, so that it can no longer attack other terminal devices in the LAN.
In another embodiment the access switch is connected to a management server. After determining the source of a flood attack, the access switch reports the attack source's user table entry to the management server, which then further confirms that the IP address in that entry is the IP address of the flood attack source.
On receiving the user table entries reported by the access switch, the management server analyses their numbers of initiated sessions and abnormal sessions against a preconfigured screening policy and so determines the attack source more accurately. For example, from the numbers of initiated sessions in the entries the access switch reports for the same IP over several rounds, the management server can compute how fast the count grows per unit time, and confirms that the corresponding terminal device really is an attack source when the number of initiated sessions reaches a preset threshold.
Having confirmed the attack source, the management server issues a blocking command, carrying the IP address of the attack source, to the access switch that reported the user table entry. On receiving the blocking command, the access switch discards the packets sent by the attack source.
These measures determine the attack source more accurately and prevent the access switch from blocking normal communication after a misjudgement.
In summary, in the technical solution of the present application, the access switch of the local area network, rather than a network device in the aggregation layer or core layer, checks for the attack source of a flood attack. Because the access switch can inspect layer-2 traffic, attack packets confined to the layer-2 network are not missed as they would be by an aggregation-layer or core-layer device, and no separate security device needs to be deployed at the access switch. The security and reliability of the network are therefore improved without increasing the deployment or maintenance cost of the local area network.
Corresponding to the embodiment of the method for detecting flood attack, the application also provides an embodiment of a device for detecting flood attack.
Fig. 6 is a block diagram of an embodiment of an apparatus for detecting a flood attack according to the present application. As shown in fig. 6, the apparatus 60 for detecting a flood attack includes:
a first updating unit 610, configured to update the number of initiated sessions in the user table entry of the preset user table according to the source IP in the quintuple of the session table entry of the preset session table; the session table comprises a mapping relation of five tuples, session states and session establishment time, and the user table comprises a mapping relation of IP addresses, session initiation numbers and abnormal session numbers.
A second updating unit 620, configured to update the number of abnormal sessions in the user table entry of the user table according to the session state and the session establishment time of the session table entry.
The detecting unit 630 is configured to periodically traverse the user table, determine whether the number of initiated sessions of each user table entry reaches a preset first threshold, and determine whether the number of abnormal sessions of each user table entry reaches a preset second threshold.
A determining unit 640, configured to determine that the IP address in the user table entry is the IP address of the attack source if the number of initiated sessions of the user table entry reaches the first threshold or the number of abnormal sessions of the user table entry reaches the second threshold.
In this example, the first updating unit 610 is further configured to:
newly establishing a session table item, or updating the session table item of the session table;
searching the user table according to a source IP in the quintuple of the session table item, and determining whether a corresponding user table item is searched;
if yes, adding 1 to the number of the initiating sessions in the searched user table entry;
if not, a user table entry is newly established according to the source IP in the quintuple of the session table entry, and the number of the initiated sessions is set to 1.
In this example, the first updating unit 610 is further configured to:
receiving a message and extracting a quintuple of the message;
searching the session table according to the quintuple, and determining whether a corresponding session table item is searched;
if yes, updating the session state in the session table entry; the session state comprises an incomplete state and a complete state, wherein the incomplete state means that the two parties of the session do not communicate with each other, and the complete state means that the two parties of the session communicate with each other;
if not, a session table entry is created based on the quintuple, and the session state in the session table entry is set to be an incomplete state.
In this example, the second updating unit 620 is further configured to:
periodically traversing the session table, and sequentially selecting each session table item as a target session table item;
determining whether the target session table item is established to reach a preset state updating duration or not based on the current time and the session establishment time in the target session table item;
if the target session table entry is established to reach the state updating duration, determining whether the session state in the target session table entry is a complete state;
if so, selecting the next session table item as a target session table item;
if not, searching the user table by the source IP in the quintuple of the target session table item, and adding 1 to the number of abnormal sessions in the searched user table item.
In this example, the apparatus further comprises:
a discarding unit 650, configured to discard the packet sent by the attack source after determining the IP address of the attack source.
In this example, the access switch interfaces with a management server, the apparatus further comprising:
a reporting unit 660, configured to report the user table entry of the attack source to the management server after determining the IP address of the attack source, so that the management server further confirms that the IP address in the user table entry is the IP address of the attack source of the flood attack and issues a blocking command.
A receiving unit 670, configured to receive the blocking command, and discard the packet sent by the attack source.
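The units 610 to 670 above, and the fig. 5 traversal, describe one pipeline: a session table keyed by five-tuple with an incomplete/complete state and an establishment time, a user table keyed by source IP with an initiated-session count and an abnormal-session count, a periodic session sweep that counts sessions still incomplete after the state-update duration, and a periodic user-table check against the two thresholds. The following simulation of that pipeline is an added example, not code from the patent or from the applicant; it assumes that a reply is matched to its session by the reversed five-tuple, that the initiated count is credited once per newly created session, that each session adds at most 1 to the abnormal count, and that the constructed traffic (hosts 10.0.0.5, 10.0.0.7 and 10.0.0.9, thresholds 100 and 20, state-update duration 5) is illustrative only.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A session is keyed by its five-tuple: (src_ip, src_port, dst_ip, dst_port, proto).
FiveTuple = Tuple[str, int, str, int, str]

INCOMPLETE = "incomplete"   # only the initiator has sent packets
COMPLETE = "complete"       # both parties have sent packets


@dataclass
class SessionEntry:
    five_tuple: FiveTuple
    state: str
    established_at: float
    counted_abnormal: bool = False  # assumption: a session adds at most 1 to the abnormal count


@dataclass
class UserEntry:
    ip: str
    initiated: int = 0   # sessions initiated by this IP
    abnormal: int = 0    # sessions still incomplete after the state-update duration


class FloodDetector:
    def __init__(self, state_update_duration: float, first_threshold: int, second_threshold: int):
        self.state_update_duration = state_update_duration
        self.first_threshold = first_threshold      # on the initiated-session count
        self.second_threshold = second_threshold    # on the abnormal-session count
        self.session_table: Dict[FiveTuple, SessionEntry] = {}
        self.user_table: Dict[str, UserEntry] = {}
        self.blocked: Set[str] = set()              # IPs whose packets are discarded

    def receive_packet(self, src_ip, src_port, dst_ip, dst_port, proto, now) -> bool:
        """First updating unit (610). Returns False if the packet was discarded."""
        if src_ip in self.blocked:
            return False
        key: FiveTuple = (src_ip, src_port, dst_ip, dst_port, proto)
        reverse: FiveTuple = (dst_ip, dst_port, src_ip, src_port, proto)
        if key in self.session_table:
            return True                 # another packet from the initiator: state unchanged
        if reverse in self.session_table:
            # assumption: a reply is matched to its session by the reversed five-tuple
            self.session_table[reverse].state = COMPLETE
            return True
        # No matching session: create one in the incomplete state and credit the initiator.
        self.session_table[key] = SessionEntry(key, INCOMPLETE, now)
        user = self.user_table.get(src_ip)
        if user is None:
            self.user_table[src_ip] = UserEntry(src_ip, initiated=1)
        else:
            user.initiated += 1
        return True

    def sweep_sessions(self, now: float) -> None:
        """Second updating unit (620): periodic traversal of the session table."""
        for entry in self.session_table.values():
            if now - entry.established_at < self.state_update_duration:
                continue                # too young to judge
            if entry.state == COMPLETE or entry.counted_abnormal:
                continue
            entry.counted_abnormal = True
            user = self.user_table.get(entry.five_tuple[0])
            if user is not None:
                user.abnormal += 1

    def find_attack_sources(self) -> List[str]:
        """Detecting and determining units (630, 640): periodic traversal of the user table."""
        return [u.ip for u in self.user_table.values()
                if u.initiated >= self.first_threshold or u.abnormal >= self.second_threshold]

    def block(self, ip: str) -> None:
        """Discarding unit (650), or receipt of a management-server blocking command (670)."""
        self.blocked.add(ip)


def run_demo() -> FloodDetector:
    """Constructed traffic: 10.0.0.7 opens two sessions that are answered;
    10.0.0.5 opens 50 sessions that never receive a reply."""
    det = FloodDetector(state_update_duration=5.0, first_threshold=100, second_threshold=20)
    for i in range(2):
        det.receive_packet("10.0.0.7", 40000 + i, "10.0.0.9", 80, "tcp", now=0.0)
        det.receive_packet("10.0.0.9", 80, "10.0.0.7", 40000 + i, "tcp", now=0.1)
    for i in range(50):
        det.receive_packet("10.0.0.5", 50000 + i, "10.0.0.9", 80, "tcp", now=1.0)
    det.sweep_sessions(now=3.0)    # nothing has aged past the state-update duration yet
    det.sweep_sessions(now=10.0)   # the 50 unanswered sessions are now counted as abnormal
    for ip in det.find_attack_sources():
        det.block(ip)
    return det


if __name__ == "__main__":
    d = run_demo()
    for u in d.user_table.values():
        print(u.ip, "initiated", u.initiated, "abnormal", u.abnormal)
    print("attack sources:", sorted(d.blocked))
```

The two sweeps show why the state-update duration matters: at `now=3.0` no session is old enough to judge, so a host that simply has slow responders is not penalised; only sessions still incomplete after the full duration are counted, and only once each, so the abnormal count grows with the number of unanswered sessions rather than with the number of sweeps.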
The embodiment of the device for detecting the flood attack can be applied to the access switch. The device embodiments may be implemented by software, by hardware, or by a combination of the two. Taking a software implementation as an example, the device, as a logical device, is formed by the processor of the access switch where the device is located reading the corresponding computer program instructions from nonvolatile memory into memory and running them. In terms of hardware, fig. 7 shows a hardware structure diagram of an access switch where the apparatus for detecting a flood attack is located according to the present application. Besides the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 7, the access switch where the apparatus is located in this embodiment may further include other hardware according to the actual function of the apparatus for detecting a flood attack, which is not described again.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A method for detecting flood attack is applied to an access switch of a local area network, and is characterized by comprising the following steps:
updating the number of initiated sessions in the user table entry of the preset user table according to the source IP in the quintuple of the session table entry of the preset session table; the session table comprises a mapping relation of a quintuple, a session state and session establishment time, and the user table comprises a mapping relation of an IP address, an initiation session number and an abnormal session number;
updating the abnormal session number in the user table entry of the user table according to the session state and the session establishment time of the session table entry;
periodically traversing the user table, determining whether the number of initiated sessions of each user table entry reaches a preset first threshold value, and determining whether the number of abnormal sessions of each user table entry reaches a preset second threshold value;
if the number of the initiated sessions of the user table entry reaches the first threshold value or the number of the abnormal sessions of the user table entry reaches the second threshold value, determining that the IP address in the user table entry is the IP address of an attack source;
the updating the abnormal session number in the user table entry of the user table according to the session state and the session establishment time of the session table entry comprises:
periodically traversing the session table, and sequentially selecting each session table item as a target session table item;
determining whether the target session table item is established to reach a preset state updating duration or not based on the current time and the session establishment time in the target session table item;
if the target session table entry is established to reach the state updating duration, determining whether the session state in the target session table entry is a complete state;
if so, selecting the next session table item as a target session table item;
if not, searching the user table by the source IP in the quintuple of the target session table item, and adding 1 to the number of abnormal sessions in the searched user table item.
2. The method of claim 1, wherein updating the number of originating sessions in the user table entry of the user table according to the source IP in the five-tuple of the session table entry of the session table comprises:
newly establishing a session table item, or updating the session table item of the session table;
searching the user table according to a source IP in the quintuple of the session table item, and determining whether a corresponding user table item is searched;
if yes, adding 1 to the number of the initiating sessions in the searched user table entry;
if not, a user table entry is newly established according to the source IP in the quintuple of the session table entry, and the number of the initiated sessions is set to 1.
3. The method of claim 2, wherein the creating the new session entry or updating the session entry of the session table comprises:
receiving a message and extracting a quintuple of the message;
searching the session table according to the quintuple, and determining whether a corresponding session table item is searched;
if yes, updating the session state in the session table entry; the session state comprises an incomplete state and a complete state, wherein the incomplete state means that the two parties of the session do not communicate with each other, and the complete state means that the two parties of the session communicate with each other;
if not, a session table entry is created based on the quintuple, and the session state in the session table entry is set to be an incomplete state.
4. The method of claim 1, further comprising:
and after the IP address of the attack source is determined, discarding the message sent by the attack source.
5. The method of claim 1, wherein the access switch interfaces with a management server, the method further comprising:
after the IP address of the attack source is determined, reporting the user table entry of the attack source to the management server, further confirming that the IP address in the user table entry is the IP address of the attack source of the flood attack by the management server, and issuing a blocking command;
and receiving the blocking command, and discarding the message sent by the attack source.
6. A device for detecting flood attack, applied to an access switch of a local area network, characterized by comprising:
a first updating unit, configured to update the number of initiated sessions in the user table entry of the preset user table according to a source IP in a quintuple of the session table entry of the preset session table; the session table comprises a mapping relation of a quintuple, a session state and session establishment time, and the user table comprises a mapping relation of an IP address, an initiation session number and an abnormal session number;
a second updating unit, configured to update the number of abnormal sessions in the user table entry of the user table according to the session state and the session establishment time of the session table entry;
the detection unit is used for periodically traversing the user table, determining whether the number of the initiated sessions of each user table entry reaches a preset first threshold value, and determining whether the number of the abnormal sessions of each user table entry reaches a preset second threshold value;
a determining unit, configured to determine that an IP address in the user table entry is an IP address of an attack source if the number of initiated sessions of the user table entry reaches the first threshold or the number of abnormal sessions of the user table entry reaches the second threshold;
the second updating unit is further configured to:
periodically traversing the session table, and sequentially selecting each session table item as a target session table item;
determining whether the target session table item is established to reach a preset state updating duration or not based on the current time and the session establishment time in the target session table item;
if the target session table entry is established to reach the state updating duration, determining whether the session state in the target session table entry is a complete state;
if so, selecting the next session table item as a target session table item;
if not, searching the user table by the source IP in the quintuple of the target session table item, and adding 1 to the number of abnormal sessions in the searched user table item.
7. The apparatus of claim 6, wherein the first updating unit is further configured to:
newly establishing a session table item, or updating the session table item of the session table;
searching the user table according to a source IP in the quintuple of the session table item, and determining whether a corresponding user table item is searched;
if yes, adding 1 to the number of the initiating sessions in the searched user table entry;
if not, a user table entry is newly established according to the source IP in the quintuple of the session table entry, and the number of the initiated sessions is set to 1.
8. The apparatus of claim 7, wherein the first updating unit is further configured to:
receiving a message and extracting a quintuple of the message;
searching the session table according to the quintuple, and determining whether a corresponding session table item is searched;
if yes, updating the session state in the session table entry; the session state comprises an incomplete state and a complete state, wherein the incomplete state means that the two parties of the session do not communicate with each other, and the complete state means that the two parties of the session communicate with each other;
if not, a session table entry is created based on the quintuple, and the session state in the session table entry is set to be an incomplete state.
9. The apparatus of claim 6, further comprising:
and the discarding unit is used for discarding the message sent by the attack source after the IP address of the attack source is determined.
10. The apparatus of claim 6, wherein the access switch interfaces with a management server, the apparatus further comprising:
a reporting unit, configured to report the user table entry of the attack source to the management server after determining the IP address of the attack source, so that the management server further determines that the IP address in the user table entry is the IP address of the attack source of the flood attack and issues a blocking command;
and the receiving unit is used for receiving the blocking command and discarding the message sent by the attack source.
CN201711021069.2A 2017-10-26 2017-10-26 Method and device for detecting flood attack Active CN107634971B (en)

Publications (2)

Publication Number Publication Date
CN107634971A CN107634971A (en) 2018-01-26
CN107634971B true CN107634971B (en) 2020-07-07



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant