CN107770114A - An optimized flood attack detection method with distributed monitoring - Google Patents
- Publication number: CN107770114A (application CN201610668178.2A)
- Authority: CN (China)
- Prior art keywords: hash, monitoring, monitoring module, hash value, array
- Legal status: Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
            - H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an optimized flood attack detection method with distributed monitoring, comprising: S1: a monitoring module is set at the bottom layer of the network card driver of the server; S2: the monitoring module monitors data packets and forwards or blocks IP packets according to the monitoring result. S2 further comprises S21: the monitoring module creates a first hash array and a second hash array; S22: the monitoring module collects SYN packet information as a first hash value and stores it into the first hash array using the first hash value as the index; S23: the monitoring module collects ACK packet information as a second hash value and stores it into the second hash array using the second hash value as the index; S24: the monitoring module retrieves and compares the second hash values with the first hash values to determine the attack source. By comparing the first hash values with the second hash values, the present invention obtains the source address of the flood attack and blocks the attack source address extracted from the first hash array, effectively guaranteeing network security and the stability of the server.
Description
Technical field
The present invention relates to the field of flood attack detection, and in particular to an optimized flood attack detection method with distributed monitoring.
Background technology
A SYN flood attack (SYN_FLOOD) is one of the widely known forms of denial of service (DoS) and distributed denial of service (DDoS) attack. It exploits a defect of the TCP/IP v4 protocol by sending a large number of forged TCP connection requests, forcing the server to send a large number of SYN+ACK reply packets in a short time, so that server resources are exhausted (the CPU is fully loaded or memory runs out). Establishment of a TCP connection always begins with the three-way handshake: 1) the client sends a TCP message carrying the synchronize (Synchronize, SYN) flag; this sync message contains information such as the source address, source port, destination address, destination port and initial sequence number; 2) after receiving the client's sync message, the server returns a synchronize+acknowledge message (Acknowledgment, ACK) to the client, which likewise contains the source address, source port, destination address, destination port, initial sequence number and so on; 3) after the client receives the synchronize+acknowledge message, it returns an acknowledge message to the server, and the TCP connection is now complete. If, after sending the synchronize+acknowledge message, the server does not receive the corresponding acknowledge message from the client, it keeps retrying the synchronize+acknowledge message for 30s-2min; if no acknowledge message from the client arrives during this period, it abandons the unfinished connection and releases the corresponding system resources. A flood attack makes the server open a large number of half-open connection requests, so that normal client requests cannot be served. With the internet now widespread, detecting and responding to flood attacks in time so that networked servers keep running stably has become a basic requirement of enterprise network security. At present, the usual flood attack detection method simply counts the number of sync messages in the traffic; when the number of sync messages per unit time exceeds a preset threshold, the server is judged to be under flood attack. This monitoring mode, which only counts SYN quantities, has a very high false positive rate: it often counts normal business packets and so affects normal business.
Summary of the invention
The object of the present invention is to overcome the shortcomings and deficiencies of the prior art by providing an optimized flood attack detection method with distributed monitoring.
The present invention is achieved through the following technical solution: an optimized flood attack detection method with distributed monitoring, comprising the following steps:
S1: a monitoring module is set at the bottom layer of the network card driver of each server; the monitoring module comprises an IP packet forwarding module, a blocking module and a statistics module;
S2: the monitoring module unidirectionally monitors the data packets flowing into the server network card, and forwards or blocks IP packets according to the monitoring result; step S2 comprises the following steps:
S21: the monitoring module creates a first hash array and a second hash array;
S22: the monitoring module collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and hashes it into a first hash value, extracts the source address of the SYN packet and stores it into the first hash array using the first hash value as the index;
S23: the monitoring module collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and hashes it into a second hash value, extracts the source address of the ACK packet and stores it into the second hash array using the second hash value as the index;
S24: the monitoring module retrieves the second hash values used as indexes of the second hash array; if a second hash value identical to the first hash value exists, the packet is a normal packet; otherwise it is a flood attack packet, and the monitoring module extracts the corresponding attack source address from the first hash array entry indexed by the first hash value and blocks that attack source address from accessing the server.
Further, the hash conversion in step S22 uses the MD5 algorithm.
Further, in step S22, the IP five-tuple consists of the source address, source port, destination address, destination port and protocol identifier of the SYN packet.
Further, in step S23, the IP five-tuple consists of the source address, source port, destination address, destination port and protocol identifier of the ACK packet.
Compared with the prior art, the beneficial effects of the present invention are as follows:
The present invention sets a monitoring module at the bottom layer of the network card driver of each server; deploying the monitoring modules in a distributed way effectively relieves the gateway of the processing load of inbound and outbound traffic. The monitoring module collects SYN packets and ACK packets from the internet, constructs the IP five-tuple of each SYN packet into a unique first hash value and the IP five-tuple of each ACK packet into a unique second hash value, uses the first hash value as the index of the first hash array and the second hash value as the index of the second hash array, and stores the packet source address in the first and second hash arrays at the corresponding index. Once comparing the first and second hash values has revealed the signature of a flood attack, the flood attack source address can be extracted directly from the array, which shortens the reverse lookup time, improves the performance of the monitoring module, and allows the attack source to be quickly blocked from accessing the server, effectively guaranteeing network security and the stability of the server.
For a clearer understanding of the present invention, preferred embodiments of the present invention are described below with reference to the drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network topology of the monitoring module deployment in the present invention.
Fig. 2 is the flow chart of the present invention.
Fig. 3 is the flow chart of step S2 in Fig. 2.
Embodiment
Please refer to Fig. 1 to Fig. 3. Fig. 1 is a schematic diagram of the network topology of the monitoring module deployment in the present invention, Fig. 2 is the flow chart of the present invention, and Fig. 3 is the flow chart of step S2 in Fig. 2.
Referring to Fig. 1 and Fig. 2, an optimized flood attack detection method with distributed monitoring comprises the following steps:
S1: a monitoring module is set at the bottom layer of the network card driver of each server; the monitoring module comprises an IP packet forwarding module, a blocking module and a statistics module. The forwarding module forwards packets entering the monitoring module to the server, the blocking module blocks packets from flood attack clients, and the statistics module monitors and counts the various packets entering the monitoring module;
S2: the monitoring module unidirectionally monitors the data packets flowing into the server network card, and forwards or blocks IP packets according to the monitoring result; step S2 comprises the following steps (see Fig. 3):
S21: the monitoring module creates a first hash array and a second hash array;
S22: the monitoring module collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and hashes it into a first hash value, extracts the source address of the SYN packet and stores it into the first hash array using the first hash value as the index;
S23: the monitoring module collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and hashes it into a second hash value, extracts the source address of the ACK packet and stores it into the second hash array using the second hash value as the index;
S24: the monitoring module retrieves the second hash values used as indexes of the second hash array; if a second hash value identical to the first hash value exists, the packet is a normal packet; otherwise it is a flood attack packet, and the monitoring module extracts the corresponding attack source address from the first hash array entry indexed by the first hash value and blocks that attack source address from accessing the server.
The optimized flood attack detection method with distributed monitoring of the present invention relies on a feature of flood attacks: the client initiating the attack does not send an ACK packet back to the server in response. The flood attack source can therefore be identified and the packets from that source blocked, achieving the purpose of protection.
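The following Python model is an added illustration, not code from the patent: it implements steps S21 to S24 as described above, with both hash arrays keyed by the MD5 of the serialized IP five-tuple so that the SYN and the ACK of one connection attempt share an index, and any SYN index without a matching ACK index is reported as a flood source and blocked. The Packet class, the five-tuple serialization format, the use of a dict as a sparse hash array and the sample traffic are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # constructed minimal packet model: IP five-tuple plus the TCP flag acted on
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int   # 6 = TCP
    flag: str    # "SYN" or "ACK"

def five_tuple_hash(pkt: Packet) -> int:
    """Steps S22/S23: serialize the IP five-tuple and MD5 it into the array index.
    The flag is left out on purpose, so the SYN and the ACK of one connection attempt
    hash to the same index.  The '|'-separated serialization format is an assumption."""
    serialized = f"{pkt.src_ip}|{pkt.src_port}|{pkt.dst_ip}|{pkt.dst_port}|{pkt.proto}"
    return int.from_bytes(hashlib.md5(serialized.encode()).digest(), "big")

class Monitor:
    """Monitoring module of step S1: forwards, blocks, and keeps the two hash arrays."""

    def __init__(self):
        # Step S21: a dict keyed by the full digest stands in for each sparse hash
        # array indexed by the hash value; the stored value is the packet source address.
        self.first_hash_array = {}   # SYN packets  (index -> source address)
        self.second_hash_array = {}  # ACK packets  (index -> source address)
        self.blocked = set()         # attack source addresses denied access

    def observe(self, pkt: Packet) -> str:
        """Inline path for one inbound packet: record it, then forward or block it."""
        if pkt.src_ip in self.blocked:
            return "blocked"
        idx = five_tuple_hash(pkt)
        if pkt.flag == "SYN":
            self.first_hash_array[idx] = pkt.src_ip    # S22
        elif pkt.flag == "ACK":
            self.second_hash_array[idx] = pkt.src_ip   # S23
        return "forwarded"

    def detect(self) -> list:
        """Step S24: a SYN index with no ACK at the same index never completed the
        handshake; its source address is read straight from the first array and blocked."""
        attackers = []
        for idx, src_ip in self.first_hash_array.items():
            if idx in self.second_hash_array:
                continue                               # handshake completed: normal packet
            attackers.append(src_ip)
            self.blocked.add(src_ip)
        return attackers

def run_demo() -> tuple:
    """Constructed traffic: one client completes the handshake, three sources send SYN only."""
    mon = Monitor()
    srv = ("10.0.0.5", 443)
    mon.observe(Packet("198.51.100.7", 40001, *srv, 6, "SYN"))
    mon.observe(Packet("198.51.100.7", 40001, *srv, 6, "ACK"))
    for i, port in enumerate((51000, 51001, 51002), start=1):
        mon.observe(Packet(f"203.0.113.{i}", port, *srv, 6, "SYN"))
    attackers = sorted(mon.detect())
    verdict = mon.observe(Packet("203.0.113.1", 51003, *srv, 6, "SYN"))  # now denied
    return attackers, verdict, "198.51.100.7" in mon.blocked
```

In a real deployment detect() must run only after legitimate third-handshake ACKs have had time to arrive, and the two arrays need periodic clearing; the patent specifies neither the delay nor the clearing interval.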
The invention is not limited to the above embodiments. Any changes or variations of the present invention that do not depart from the spirit and scope of the present invention, and that fall within the scope of the claims and equivalent technologies of the present invention, are also intended to be covered by the present invention.
Claims (4)
1. An optimized flood attack detection method with distributed monitoring, characterized in that it comprises the following steps:
S1: a monitoring module is set at the bottom layer of the network card driver of each server; the monitoring module comprises an IP packet forwarding module, a blocking module and a statistics module;
S2: the monitoring module unidirectionally monitors the data packets flowing into the server network card, and forwards or blocks IP packets according to the monitoring result; step S2 comprises the following steps:
S21: the monitoring module creates a first hash array and a second hash array;
S22: the monitoring module collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and hashes it into a first hash value, extracts the source address of the SYN packet and stores it into the first hash array using the first hash value as the index;
S23: the monitoring module collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and hashes it into a second hash value, extracts the source address of the ACK packet and stores it into the second hash array using the second hash value as the index;
S24: the monitoring module retrieves the second hash values used as indexes of the second hash array; if a second hash value identical to the first hash value exists, the packet is a normal packet; otherwise it is a flood attack packet, and the monitoring module extracts the corresponding attack source address from the first hash array entry indexed by the first hash value and blocks that attack source address from accessing the server.
2. The optimized flood attack detection method with distributed monitoring according to claim 1, characterized in that the hash conversion in step S22 uses the MD5 algorithm.
3. The optimized flood attack detection method with distributed monitoring according to claim 2, characterized in that in step S22 the IP five-tuple consists of the source address, source port, destination address, destination port and protocol identifier of the SYN packet.
4. The optimized flood attack detection method with distributed monitoring according to claim 3, characterized in that in step S23 the IP five-tuple consists of the source address, source port, destination address, destination port and protocol identifier of the ACK packet.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610668178.2A CN107770114A (en) | 2016-08-15 | 2016-08-15 | An optimized flood attack detection method with distributed monitoring |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107770114A true CN107770114A (en) | 2018-03-06 |
Family
ID=61259787
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610668178.2A Pending CN107770114A (en) | 2016-08-15 | 2016-08-15 | An optimized flood attack detection method with distributed monitoring |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107770114A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101707598A (en) * | 2009-11-10 | 2010-05-12 | 成都市华为赛门铁克科技有限公司 | Method, device and system for identifying flood attack |
CN101895543A (en) * | 2010-07-12 | 2010-11-24 | 江苏华丽网络工程有限公司 | Method for effectively defending flood attack based on network switching equipment |
CN104363230A (en) * | 2014-11-14 | 2015-02-18 | 山东乾云启创信息科技有限公司 | Method for preventing flood attacks in desktop virtualization |
CN105119942A (en) * | 2015-09-16 | 2015-12-02 | 广东睿江科技有限公司 | Flood attack detection method |
CN105227348A (en) * | 2015-08-25 | 2016-01-06 | 广东睿江科技有限公司 | A kind of Hash storage means based on IP five-tuple |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180306 |