CN107948175A - A method of identifying DDoS reflection amplification attacks - Google Patents

Info

Publication number: CN107948175A
Authority: CN (China)
Prior art keywords: address, request, message, ttl, extracted
Legal status: Pending (as listed by Google; not a legal conclusion)
Application number: CN201711249037.8A
Other languages: Chinese (zh)
Inventors: 陈海洋, 叶兴, 张文宇, 郑斌, 王猛, 刘东凯
Current assignee: Chengdu Zhidaochuangyu Information Technology Co Ltd
Original assignee: Chengdu Zhidaochuangyu Information Technology Co Ltd
Priority date: 2017-11-24
Filing date: 2017-12-01
Publication date: 2018-04-20

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method of identifying DDoS reflection amplification attacks, comprising: after the amplifier receives a request message, extracting the source IP address and the TTL value from the IP header of the message; checking the extracted IP address and, if it is in the blacklist, directly discarding the request; if it is not in the blacklist, saving the TTL and the request content in a cache as a hash entry keyed by the extracted IP address; using the extracted IP address as the destination address, sending a TCP connection request message to any port of that address; waiting for the reply message and, according to the reply, performing the corresponding handling and comparison to identify DDoS reflection amplification attacks. The invention verifies request messages at the amplifier, identifying and filtering abnormal requests and thereby protecting the victim.

Description

A method of identifying DDoS reflection amplification attacks
Technical field
The present invention relates to the field of DDoS attack protection, and in particular to a method of identifying DDoS reflection amplification attacks.
Background technology
A reflection attack is a type of DDoS attack in which the attacker (using compromised hosts, "broilers") does not attack the victim (the target host) directly. Instead, it sends request messages with a forged source IP (forged to be the victim's IP) to openly reachable servers (amplifiers), which then reflect their responses to the victim. Usually the volume of the request is much smaller than the volume of the amplifier's response, which produces the amplification effect.
Existing techniques against reflection attacks mainly rely on limiting the number of requests per unit time. They have the following shortcomings: 1. identification is inaccurate, since normal requests cannot be distinguished from illegal ones; 2. defence is costly, since by the time the attack is identified at the victim's end the traffic has already reached the victim and consumed bandwidth, so sufficient bandwidth resources are needed to withstand it.
Amplifier: a host on the public network that provides a public service on an open port, where the request traffic is usually much smaller than the response traffic, for example DNS, NTP, etc.
Reflection attack: the attacker (who in practice may use puppet machines to carry out the attack) does not send attack packets to the victim directly, but sends packets to amplifiers while impersonating the victim; the amplifiers then reflect their responses to the victim.
DDoS: a distributed denial of service attack is one in which, by means of client/server technology, multiple computers are joined together as an attack platform to launch a denial of service attack against one or more targets, multiplying the power of the attack.
Content of the invention
The technical problem to be solved by the invention is to provide a method of identifying DDoS reflection amplification attacks in which the amplifier verifies request messages, identifying and filtering abnormal requests and thereby protecting the victim.
To solve the above technical problem, the technical solution adopted by the invention is as follows:
A method of identifying DDoS reflection amplification attacks comprises the following steps:
Step 1: after the amplifier receives a request message, extract the source IP address and the TTL value (Time To Live, the number of hops a packet is allowed to pass through before a router discards it) from the IP header of the message;
Step 2: check the IP address extracted in step 1; if the IP address is in the blacklist, directly discard the request;
Step 3: if the IP address from step 1 is not in the blacklist, save the TTL and the request content in a cache as a hash entry keyed by that IP address;
Step 4: using the IP address extracted in step 1 as the destination address, send a TCP connection request message to any port of that address;
Step 5: wait for the reply message to step 4, and after receiving it perform the following steps:
1) extract the IP and TTL from the IP header of the reply message;
2) if the reply message is a SYN+ACK message, send an RST message to close the TCP connection initiated in step 4; if the reply message is an RST message, directly close the local connection;
3) using the IP extracted in step 1), look up the corresponding TTL and request content in the cache of step 3;
4) compare the TTL value obtained in step 1) with the one obtained in step 3); if they are equal, the request is normal and is answered normally according to the request content from step 3); if they are unequal, the request is illegal: ignore the request, add the IP to a temporary blacklist, and refuse subsequent requests with that IP as source address;
5) delete the key for that IP together with its TTL and request content from the cache of step 3.
Compared with the prior art, the beneficial effect of the invention is that abnormal requests are caught at the amplifier and the reflection amplification attack is blocked in advance, so that the effect on the victim (the target host of the attack) is minimised.
Embodiment
The invention is described in further detail below by way of an embodiment. The invention checks the TTL of the request message at the amplifier to judge whether the request message is a forged illegal packet; if so, the request message is discarded and no reply message is sent to the victim. The details are as follows:
1. After the amplifier receives a request message, extract the source IP address and the TTL value from the IP header of the message.
2. Check the IP address extracted in step 1; if the IP address is in the blacklist, directly discard the request.
3. If the IP address from step 1 is not in the blacklist, save the TTL and the request content in a cache as a hash entry keyed by that IP address;
4. Using the IP address extracted in step 1 as the destination address, send a TCP connection request message to any port of that address;
5. Wait for the reply message to step 4, and after receiving it perform the following steps:
a. extract the IP and TTL from the IP header of the reply message;
b. if the reply message is a SYN+ACK message, send an RST message to close the TCP connection initiated in step 4;
c. if the reply message is an RST message, directly close the local connection;
d. using the IP extracted in step a, look up the corresponding TTL and request content in the cache of step 3;
e. compare the TTL value obtained in step a with the one obtained in step d; if they are equal, the request is normal and is answered normally according to the request content from step d;
f. if they are unequal, the request is illegal: ignore the request, add the IP to a temporary blacklist, and refuse subsequent requests with that IP as source address;
g. delete the key for that IP together with its TTL and request content from the cache of step 3.
In the invention, once an illegal request has been identified, the source IP address of the request is in fact the IP address of the victim, so adding it to a blacklist at this point would have a certain effect on the victim; the blacklist can therefore be replaced by limiting the access frequency of that IP.
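The procedure above, as an added Python simulation that is not the patent's own code: the in-memory FakeNetwork stands in for the real TCP probe of step 4, and every address, TTL value and the 60-second blacklist lifetime are constructed for the example. It also handles a case the patent leaves open, a probe that gets no reply at all, and lets temporary blacklist entries lapse so that the blacklist really is temporary.

```python
"""Offline simulation of the amplifier-side TTL consistency check.

Added example, not the patent's code. FakeNetwork is a constructed stand-in
for the real TCP probe; all addresses and TTL values below are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    src_ip: str      # claimed source address (the victim's address if spoofed)
    ttl: int         # TTL read from the IP header of the request
    payload: bytes   # the service request itself (e.g. a DNS or NTP query)


@dataclass
class TcpReply:
    ttl: int         # TTL read from the IP header of the probe reply
    flags: str       # "SA" = SYN+ACK (port open), "R" = RST (port closed)


class FakeNetwork:
    """Constructed stand-in for step 4: probe any port of the claimed source.
    Maps each address to the (ttl, flags) its genuine replies would carry;
    None means the host never answers."""
    def __init__(self, hosts: Dict[str, Optional[Tuple[int, str]]]):
        self.hosts = hosts

    def tcp_probe(self, dst_ip: str, port: int) -> Optional[TcpReply]:
        entry = self.hosts.get(dst_ip)
        return None if entry is None else TcpReply(*entry)


class Amplifier:
    def __init__(self, net: FakeNetwork, blacklist_seconds: float = 60.0):
        self.net = net
        self.cache: Dict[str, Tuple[int, bytes]] = {}   # step 3: IP -> (TTL, request)
        self.blacklist: Dict[str, float] = {}           # IP -> expiry time (temporary)
        self.blacklist_seconds = blacklist_seconds      # constructed lifetime
        self.rst_sent = 0                               # RSTs sent in step 5.2

    def _blacklisted(self, ip: str, now: float) -> bool:
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:               # temporary entry has lapsed
            del self.blacklist[ip]
            return False
        return True

    def handle(self, req: Request, now: float) -> Tuple[str, str]:
        """Returns (action, reason): ('respond', ...) or ('drop', ...)."""
        # Step 2: requests from blacklisted addresses are dropped at once.
        if self._blacklisted(req.src_ip, now):
            return ("drop", "blacklisted")
        # Step 3: cache the TTL and request content keyed by source IP.
        self.cache[req.src_ip] = (req.ttl, req.payload)
        try:
            # Step 4: send a TCP connection request to any port of the claimed source.
            reply = self.net.tcp_probe(req.src_ip, port=80)
            # Not specified by the patent: no reply at all. This example drops the
            # request without blacklisting, since nothing could be verified.
            if reply is None:
                return ("drop", "no-reply")
            # Step 5.2: on SYN+ACK, send RST to close the probe connection;
            # on RST there is nothing to send, just close locally.
            if reply.flags == "SA":
                self.rst_sent += 1
            # Steps 5.3 and 5.4: compare the reply TTL with the cached request TTL.
            cached_ttl, payload = self.cache[req.src_ip]
            if reply.ttl == cached_ttl:
                return ("respond", f"reply to {payload!r}")
            self.blacklist[req.src_ip] = now + self.blacklist_seconds
            return ("drop", "ttl-mismatch")
        finally:
            # Step 5.5: the cache entry is removed whatever the outcome.
            self.cache.pop(req.src_ip, None)


def run_demo() -> List[Tuple[str, str]]:
    # Constructed hosts: 203.0.113.10 answers SYN+ACK with TTL 52,
    # 198.51.100.7 answers RST with TTL 118, 192.0.2.9 never answers.
    net = FakeNetwork({"203.0.113.10": (52, "SA"),
                       "198.51.100.7": (118, "R"),
                       "192.0.2.9": None})
    amp = Amplifier(net, blacklist_seconds=60.0)
    results = []
    # Genuine request: TTL in the request matches the TTL of the probe reply.
    results.append(amp.handle(Request("203.0.113.10", 52, b"dns-query"), now=0.0))
    # Request claiming 198.51.100.7 but arriving with TTL 240: mismatch with 118.
    results.append(amp.handle(Request("198.51.100.7", 240, b"ntp-query"), now=1.0))
    # The next request with that source is dropped by the temporary blacklist...
    results.append(amp.handle(Request("198.51.100.7", 118, b"ntp-query"), now=2.0))
    # ...until the entry lapses; a consistent request then passes again.
    results.append(amp.handle(Request("198.51.100.7", 118, b"ntp-query"), now=70.0))
    # Claimed source that never answers the probe.
    results.append(amp.handle(Request("192.0.2.9", 64, b"dns-query"), now=3.0))
    return results


if __name__ == "__main__":
    for action, reason in run_demo():
        print(action, reason)
```

The decision rests on the probe reply arriving with the same TTL as the original request, which holds when both genuinely left the claimed host with the same initial TTL and travelled the same path back to the amplifier; a request that was actually emitted elsewhere tends to arrive with a different remaining TTL, which is what the comparison catches. The `blacklist_seconds` parameter is the natural place to substitute the access-frequency limit suggested in the last paragraph, since the address being blacklisted is the victim's own.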

Claims (1)

  1. A method of identifying DDoS reflection amplification attacks, characterised in that it comprises the following steps:
    Step 1: after the amplifier receives a request message, extract the source IP address and the TTL value from the IP header of the message;
    Step 2: check the IP address extracted in step 1; if the IP address is in the blacklist, directly discard the request;
    Step 3: if the IP address from step 1 is not in the blacklist, save the TTL and the request content in a cache as a hash entry keyed by that IP address;
    Step 4: using the IP address extracted in step 1 as the destination address, send a TCP connection request message to any port of that address;
    Step 5: wait for the reply message to step 4, and after receiving it perform the following steps:
    1) extract the IP and TTL from the IP header of the reply message;
    2) if the reply message is a SYN+ACK message, send an RST message to close the TCP connection initiated in step 4; if the reply message is an RST message, directly close the local connection;
    3) using the IP extracted in step 1), look up the corresponding TTL and request content in the cache of step 3;
    4) compare the TTL value obtained in step 1) with the one obtained in step 3); if they are equal, the request is normal and is answered normally according to the request content from step 3); if they are unequal, the request is illegal: ignore the request, add the IP to a temporary blacklist, and refuse subsequent requests with that IP as source address;
    5) delete the key for that IP together with its TTL and request content from the cache of step 3.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711190524 2017-11-24
CN2017111905241 2017-11-24

Publications (1)

Publication Number Publication Date
CN107948175A true CN107948175A (en) 2018-04-20

Family

ID=61948271

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711249037.8A Pending CN107948175A (en) 2017-11-24 2017-12-01 A method of identifying DDoS reflection amplification attacks

Country Status (1)

Country Link
CN (1) CN107948175A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101136917A (en) * 2007-07-12 2008-03-05 中兴通讯股份有限公司 Transmission control protocol blocking module and soft switch method
CN101582833A (en) * 2008-05-15 2009-11-18 成都市华为赛门铁克科技有限公司 Method and device for processing spoofed IP data packet
CN101958883A (en) * 2010-03-26 2011-01-26 湘潭大学 Bloom Filter and open-source kernel-based method for defensing SYN Flood attack
CN104348794A (en) * 2013-07-30 2015-02-11 深圳市腾讯计算机系统有限公司 Network layer DDOS (Distributed Denial of Service) attack source identification method, device and system
CN104184749A (en) * 2014-09-15 2014-12-03 上海斐讯数据通信技术有限公司 SDN network access method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
曹玥 et al.: "TCP_SYN attack and defence based on DDOS", 《电子科技》 (Electronic Science and Technology) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737447A (en) * 2018-06-22 2018-11-02 腾讯科技(深圳)有限公司 User Datagram Protocol traffic filtering method, apparatus, server and storage medium
CN108737447B (en) * 2018-06-22 2020-07-17 腾讯科技(深圳)有限公司 User datagram protocol flow filtering method, device, server and storage medium
CN110365658A (en) * 2019-06-25 2019-10-22 深圳市腾讯计算机系统有限公司 A kind of protection of reflection attack and flow cleaning method, apparatus, equipment and medium
CN110365658B (en) * 2019-06-25 2022-04-19 深圳市腾讯计算机系统有限公司 Reflection attack protection and flow cleaning method, device, equipment and medium

Similar Documents

Publication Publication Date Title
US9123027B2 (en) Social engineering protection appliance
KR101219796B1 (en) Apparatus and Method for protecting DDoS
WO2006039529A2 (en) Network overload detection and mitigation system and method
CN103916389A (en) Method for preventing HttpFlood attack and firewall
CN109587167B (en) Message processing method and device
CN101180826A (en) Upper-level protocol authentication
CN113179280B (en) Deception defense method and device based on malicious code external connection behaviors and electronic equipment
CN105939337A (en) DNS cache poisoning protection method and device
CN110266650B (en) Identification method of Conpot industrial control honeypot
CN106487807A (en) A kind of means of defence of domain name mapping and device
CN108270722A (en) A kind of attack detection method and device
Gao et al. A machine learning based approach for detecting DRDoS attacks and its performance evaluation
CN108881233A (en) anti-attack processing method, device, equipment and storage medium
US20210099468A1 (en) Inception of suspicious network traffic for enhanced network security
CN107911219A (en) A kind of anti-CC methods of API based on key signature
CN107948175A (en) A method of identifying DDoS reflection amplification attacks
Devi et al. Detection of DDoS attack using optimized hop count filtering technique
Xiao et al. A novel approach to detecting DDoS attacks at an early stage
Singh et al. Present Status of Distributed Denial of service (DDoS) attacks in internet world
Goutam The problem of attribution in cyber security
Safa et al. A collaborative defense mechanism against SYN flooding attacks in IP networks
JP2006331015A (en) Server device protection system
CN105491179A (en) Solution for coping with reflection amplification attacks of domain name system (DNS) server
CN110831009B (en) Wireless AP test method and test system for preventing wireless DOS attack
CN112235329A (en) Method, device and network equipment for identifying authenticity of SYN message

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180420