CN107770114A - An optimized distributed-monitoring flood attack detection method - Google Patents

An optimized distributed-monitoring flood attack detection method

Info

Publication number
CN107770114A
Authority
CN
China
Prior art keywords
hash
monitoring
monitoring module
hash value
array
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610668178.2A
Other languages
Chinese (zh)
Inventor
袁兴飚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Taishan Gold Network Technology Co Ltd
Original Assignee
Taishan Gold Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Taishan Gold Network Technology Co Ltd
Priority to CN201610668178.2A
Publication of CN107770114A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an optimized distributed-monitoring flood attack detection method, comprising: S1: a monitoring module is set at the bottom layer of the server's network card driver; S2: the monitoring module monitors data messages and forwards or blocks IP packets according to the monitoring result. S2 further comprises S21: the monitoring module creates a first hash array and a second hash array; S22: the monitoring module collects SYN packet information as a first hash value and stores the packet's source address in the first hash array with the first hash value as the index; S23: the monitoring module collects ACK packet information as a second hash value and stores the packet's source address in the second hash array with the second hash value as the index; S24: the monitoring module retrieves and compares the second hash value with the first hash value to determine the attack source. By comparing the first hash value with the second hash value, the invention obtains the source address of the flood attack and blocks the attack source address extracted from the first hash array, effectively guaranteeing network security and the stability of the server.

Description

An optimized distributed-monitoring flood attack detection method
Technical field
The present invention relates to the field of flood attack detection, and in particular to an optimized distributed-monitoring flood attack detection method.
Background technology
A SYN flood attack (SYN_FLOOD) is a well-known form of Denial of Service (DoS) attack and one of the modes of Distributed Denial of Service (DDoS) attack. It exploits a defect of the TCP/IP v4 protocol: a large number of forged TCP connection requests are sent, forcing the server to send a large number of SYN+ACK reply packets within a short time, so that server resources are exhausted (CPU fully loaded or memory insufficient). Establishment of a TCP connection always begins with the three-way handshake: 1) the client sends a TCP message carrying the synchronize (Synchronize, SYN) flag; this synchronization message contains information such as source address, source port, destination address, destination port and initial sequence number; 2) after receiving the client's synchronization message, the server returns a synchronization + acknowledgment message (Acknowledgment, ACK) to the client, which likewise contains source address, source port, destination address, destination port, initial sequence number and so on; 3) after the client receives the synchronization + acknowledgment message, it returns one more acknowledgment message to the server, and at this point a TCP connection is complete. If, after sending the synchronization + acknowledgment message, the server does not receive the corresponding acknowledgment message from the client, it keeps retrying to send the synchronization + acknowledgment message for 30s-2min; if during this period it never receives the client's acknowledgment message, it abandons the unfinished connection and releases the corresponding system resources. A flood attack makes the server open a large number of half-open connection requests, so that normal client requests are not served. Today, with the internet so widespread, keeping networked servers running stably and detecting and responding to flood attacks in time has become a basic requirement of enterprise network security.
At present, the usual flood attack detection method simply counts synchronization messages: when the number of synchronization messages within a unit of time exceeds a preset threshold, the server is judged to be under flood attack. This monitoring mode, which only counts the number of SYN messages, has a very high false positive rate; it often counts normal business packets and thus affects normal business.
The content of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing an optimized distributed-monitoring flood attack detection method.
The invention is achieved by the following technical solution: an optimized distributed-monitoring flood attack detection method, comprising the following steps:
S1: a monitoring module is set at the bottom layer of the network card driver of each server; the monitoring module includes an IP packet forwarding module, a blocking module and a statistics module;
S2: the monitoring module unidirectionally monitors the data messages flowing into the server network card, and forwards or blocks IP packets according to the monitoring result; step S2 comprises the following steps:
S21: the monitoring module creates a first hash array and a second hash array;
S22: the monitoring module collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and converts it by hash encryption into a first hash value, then extracts the source address in the SYN packet and stores it in the first hash array with the first hash value as the index;
S23: the monitoring module collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and converts it by hash encryption into a second hash value, then extracts the source address in the ACK packet and stores it in the second hash array with the second hash value as the index;
S24: the monitoring module retrieves the second hash value as the index of the second hash array; if a second hash value exists that is identical to the first hash value, the packet is a normal packet; otherwise it is a flood attack packet, and the monitoring module extracts the corresponding attack source address from the first hash array with the first hash value as the index, and blocks the access of that attack source address to the server.
Further, the hash encryption conversion in step S22 uses the MD5 algorithm.
Further, in step S22, the IP five-tuple is the source address, source port, destination address, destination port and protocol identifier of the SYN packet.
Further, in step S23, the IP five-tuple is the source address, source port, destination address, destination port and protocol identifier of the ACK packet.
Compared with the prior art, the beneficial effects of the invention are as follows:
The invention sets a monitoring module at the bottom layer of the network card driver of each server; deploying the monitoring module in a distributed manner effectively relieves the gateway of the processing load for ingress and egress traffic. The monitoring module collects SYN packets and ACK packets from the internet, constructs the IP five-tuple in the SYN packet into a unique first hash value and the IP five-tuple in the ACK packet into a unique second hash value, uses the first hash value as the index of the first hash array and the second hash value as the index of the second hash array, and stores the packet source addresses in the first hash array and the second hash array at the corresponding indices. Once the characteristic of a flood attack has been derived by comparing the first hash value with the second hash value, the flood attack source address can be extracted directly from the array, which reduces reverse lookup time, improves the performance of the monitoring module, and allows the attack source to be blocked from accessing the server quickly, effectively guaranteeing network security and the stability of the server.
For a clearer understanding of the invention, preferred embodiments of the invention are described below with reference to the drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network topology of the monitoring module deployment in the invention.
Fig. 2 is the flow chart of the invention.
Fig. 3 is the flow chart of step S2 in Fig. 2.
Embodiment
Referring to Fig. 1 to Fig. 3: Fig. 1 is a schematic diagram of the network topology of the monitoring module deployment in the invention, Fig. 2 is the flow chart of the invention, and Fig. 3 is the flow chart of step S2 in Fig. 2.
Referring to Fig. 1 and Fig. 2, an optimized distributed-monitoring flood attack detection method comprises the following steps:
S1: a monitoring module is set at the bottom layer of the network card driver of each server; the monitoring module includes an IP packet forwarding module, a blocking module and a statistics module. The forwarding module forwards packets entering the monitoring module to the server, the blocking module blocks packets from flood attack clients, and the statistics module monitors and counts the various packets entering the monitoring module;
S2: the monitoring module unidirectionally monitors the data messages flowing into the server network card, and forwards or blocks IP packets according to the monitoring result; step S2 comprises the following steps (see Fig. 3):
S21: the monitoring module creates a first hash array and a second hash array;
S22: the monitoring module collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and converts it by hash encryption into a first hash value, then extracts the source address in the SYN packet and stores it in the first hash array with the first hash value as the index;
S23: the monitoring module collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and converts it by hash encryption into a second hash value, then extracts the source address in the ACK packet and stores it in the second hash array with the second hash value as the index;
S24: the monitoring module retrieves the second hash value as the index of the second hash array; if a second hash value exists that is identical to the first hash value, the packet is a normal packet; otherwise it is a flood attack packet, and the monitoring module extracts the corresponding attack source address from the first hash array with the first hash value as the index, and blocks the access of that attack source address to the server.
The optimized distributed-monitoring flood attack detection method of the invention relies on a characteristic of flood attacks: the client initiating the attack does not send an ACK packet in response to the server. The flood attack source can therefore be identified and the packets from that source blocked, achieving the purpose of protection.
The invention is not limited to the above embodiments. Provided that changes or variations to the invention do not depart from the spirit and scope of the invention, and fall within the scope of the claims and equivalent technologies of the invention, the invention is also intended to encompass those changes and variations.
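The following Python script is an added illustration of steps S21-S24 and of the threshold-counting baseline criticised in the background section; it is not code from the patent or its applicant. It assumes a small constructed packet stream (RFC 5737 documentation addresses, port 80, TCP) and uses a Python dict keyed by the MD5 digest of the serialized five-tuple in place of the patent's hash-indexed array, so the stored value at each "index" is the packet's source address exactly as S22/S23 describe. A legitimate client's SYN and its final ACK share one five-tuple and therefore one digest; a source that never answers the server's SYN+ACK leaves an entry in the first array with no counterpart in the second, and its address is read off the first array directly.

```python
import hashlib
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges; the server,
# clients and port numbers below are assumptions for this example.
SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    """The fields of an ingress IP packet that the monitoring module inspects."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int   # 6 = TCP
    flags: str   # "SYN" for the first handshake message, "ACK" for the third


def five_tuple_hash(pkt: Packet) -> str:
    """S22/S23: serialize the IP five-tuple and convert it with MD5 (the patent's named algorithm)."""
    serialized = f"{pkt.src}|{pkt.sport}|{pkt.dst}|{pkt.dport}|{pkt.proto}".encode()
    return hashlib.md5(serialized).hexdigest()


def build_hash_arrays(packets):
    """S21-S23: fill the first array from SYN packets and the second from ACK packets.

    A dict keyed by the digest stands in for the patent's array indexed by the
    hash value; the stored value is the packet's source address, as in S22/S23.
    """
    first, second = {}, {}
    for p in packets:
        h = five_tuple_hash(p)
        if p.flags == "SYN":
            first[h] = p.src
        elif p.flags == "ACK":
            second[h] = p.src
    return first, second


def detect_attack_sources(first, second):
    """S24: a SYN hash that also appears in the ACK array is a normal connection;
    one without a matching ACK hash is treated as a flood packet, and its source
    address is read directly from the first array (no reverse lookup needed)."""
    return sorted({src for h, src in first.items() if h not in second})


def naive_syn_counter(packets, threshold: int) -> bool:
    """The prior-art baseline from the background section: count SYNs in the
    window and compare with a threshold. It can only answer 'attack or not'."""
    syn_count = sum(1 for p in packets if p.flags == "SYN")
    return syn_count > threshold


def handshake_pair(src: str, sport: int):
    """A well-behaved client: its SYN and its final ACK share one five-tuple."""
    return [Packet(src, sport, SERVER, 80, 6, "SYN"),
            Packet(src, sport, SERVER, 80, 6, "ACK")]


# Constructed traffic: six legitimate clients that complete the handshake, and
# four sources that send a SYN and never answer the server's SYN+ACK.
LEGIT_BURST = [p for i in range(6) for p in handshake_pair(f"198.51.100.{i + 1}", 40000 + i)]
SYN_ONLY = [Packet(f"203.0.113.{i + 1}", 50000 + i, SERVER, 80, 6, "SYN") for i in range(4)]
MIXED = LEGIT_BURST + SYN_ONLY


def run_demo():
    """Run both detectors on the constructed traffic and return the results."""
    results = {}
    # Six SYNs exceed a threshold of five, so the counter raises an alarm on a
    # burst of entirely legitimate connections (the false positive the text describes).
    results["naive_on_legit_burst"] = naive_syn_counter(LEGIT_BURST, threshold=5)
    first, second = build_hash_arrays(LEGIT_BURST)
    results["two_array_on_legit_burst"] = detect_attack_sources(first, second)
    first, second = build_hash_arrays(MIXED)
    results["two_array_on_mixed"] = detect_attack_sources(first, second)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The patent does not say when the comparison in S24 runs relative to the server's own 30s-2min SYN+ACK retry window. In a deployment the check has to wait at least until a legitimate but slow client has had time to deliver its ACK, and entries in both arrays need to be aged out, otherwise a delayed handshake is indistinguishable from a SYN-only source and the arrays grow without bound.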

Claims (4)

1. An optimized distributed-monitoring flood attack detection method, characterized in that it comprises the following steps:
S1: a monitoring module is set at the bottom layer of the network card driver of each server, the monitoring module including an IP packet forwarding module, a blocking module and a statistics module;
S2: the monitoring module unidirectionally monitors the data messages flowing into the server network card, and forwards or blocks IP packets according to the monitoring result, step S2 comprising the following steps:
S21: the monitoring module creates a first hash array and a second hash array;
S22: the monitoring module collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and converts it by hash encryption into a first hash value, then extracts the source address in the SYN packet and stores it in the first hash array with the first hash value as the index;
S23: the monitoring module collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and converts it by hash encryption into a second hash value, then extracts the source address in the ACK packet and stores it in the second hash array with the second hash value as the index;
S24: the monitoring module retrieves the second hash value as the index of the second hash array; if a second hash value exists that is identical to the first hash value, the packet is a normal packet; otherwise it is a flood attack packet, and the monitoring module extracts the corresponding attack source address from the first hash array with the first hash value as the index, and blocks the access of that attack source address to the server.
2. The optimized distributed-monitoring flood attack detection method according to claim 1, characterized in that the hash encryption conversion in step S22 uses the MD5 algorithm.
3. The optimized distributed-monitoring flood attack detection method according to claim 2, characterized in that in step S22 the IP five-tuple is the source address, source port, destination address, destination port and protocol identifier of the SYN packet.
4. The optimized distributed-monitoring flood attack detection method according to claim 3, characterized in that in step S23 the IP five-tuple is the source address, source port, destination address, destination port and protocol identifier of the ACK packet.
Application CN201610668178.2A, priority date 2016-08-15, filing date 2016-08-15: An optimized distributed-monitoring flood attack detection method, published as CN107770114A (pending)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610668178.2A CN107770114A (en) 2016-08-15 2016-08-15 An optimized distributed-monitoring flood attack detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610668178.2A CN107770114A (en) 2016-08-15 2016-08-15 An optimized distributed-monitoring flood attack detection method

Publications (1)

Publication Number Publication Date
CN107770114A true CN107770114A (en) 2018-03-06

Family

ID=61259787

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610668178.2A Pending CN107770114A (en) 2016-08-15 2016-08-15 An optimized distributed-monitoring flood attack detection method

Country Status (1)

Country Link
CN (1) CN107770114A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707598A (en) * 2009-11-10 2010-05-12 成都市华为赛门铁克科技有限公司 Method, device and system for identifying flood attack
CN101895543A (en) * 2010-07-12 2010-11-24 江苏华丽网络工程有限公司 Method for effectively defending flood attack based on network switching equipment
CN104363230A (en) * 2014-11-14 2015-02-18 山东乾云启创信息科技有限公司 Method for preventing flood attacks in desktop virtualization
CN105119942A (en) * 2015-09-16 2015-12-02 广东睿江科技有限公司 Flood attack detection method
CN105227348A (en) * 2015-08-25 2016-01-06 广东睿江科技有限公司 A kind of Hash storage means based on IP five-tuple

Similar Documents

Publication Publication Date Title
US6816910B1 (en) Method and apparatus for limiting network connection resources
US8499146B2 (en) Method and device for preventing network attacks
CN1316369C (en) Secret hashing for SYN/FIN correspondence
US7711790B1 (en) Securing an accessible computer system
US7636305B1 (en) Method and apparatus for monitoring network traffic
CN101800707B (en) Method for establishing stream forwarding list item and data communication equipment
WO2019178966A1 (en) Network attack defense method and apparatus, and computer device and storage medium
CN107770113A (en) A kind of accurate flood attack detection method for determining attack signature
CN110266678B (en) Security attack detection method and device, computer equipment and storage medium
Kavisankar et al. A mitigation model for TCP SYN flooding with IP spoofing
CN106487807A (en) A kind of means of defence of domain name mapping and device
CN113347155A (en) Method, system and device for defending ARP spoofing
US7552206B2 (en) Throttling service connections based on network paths
EP1154610A2 (en) Methods and system for defeating TCP Syn flooding attacks
Patil et al. A rate limiting mechanism for defending against flooding based distributed denial of service attack
CN112235329A (en) Method, device and network equipment for identifying authenticity of SYN message
Bala et al. Quality based Bottom-up-Detection and Prevention Techniques for DDOS in MANET
Farhat Protecting TCP services from denial of service attacks
CN107770120A (en) A kind of flood attack detection method of distributed monitoring
CN107770123A (en) A kind of flood attack detection method of central monitoring
CN109729098A (en) Automatically the method for malice port scan is blocked in dns server
CN107770114A (en) A kind of flood attack detection method of the distributed monitoring of optimization
Al-Duwairi et al. Distributed packet pairing for reflector based DDoS attack mitigation
CN107770122A (en) A kind of flood attack detection method of the central monitoring of optimization
Kavisankar et al. CNoA: Challenging Number Approach for uncovering TCP SYN flooding using SYN spoofing attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180306