CN108769055A - A false source IP detection method and device - Google Patents

Publication number: CN108769055A
Authority: CN (China)
Application number: CN201810615608.3A
Priority: CN201810615608.3A
Other languages: Chinese (zh)
Inventors: 苗宇, 陈景妹, 陈鑫, 杨海, 任佳
Current and original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Legal status: Pending
Prior art keywords: source, netflow, target source, routing device, flow

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1458 Denial of Service
    • H04L2463/146 Tracing the source of attacks


Abstract

The invention discloses a false source IP detection method and device. The method includes: obtaining the Netflow transmitted through a routing device and identifying the target source IP corresponding to the Netflow; for the identified target source IP, judging whether the routing table contains a reverse route with the target source IP as its destination IP; and if not, determining that the target source IP is a false source IP. In embodiments of the invention, the target source IP is identified from the Netflow transmitted by the routing device, and when the routing table is found to contain no reverse route with the target source IP as destination IP, the target source IP is determined to be a false source IP. This achieves detection of false source IPs and provides a false source IP detection scheme.

Description

A false source IP detection method and device
Technical field
The present invention relates to the technical field of network security, and in particular to a false source IP detection method and device.
Background
A distributed denial of service (DDoS) attack joins multiple terminal devices together as an attack platform to launch an attack on one or more target devices, multiplying the power of the denial-of-service attack. The terminal devices can be devices such as PCs, and the target devices can be devices such as servers. The most basic DDoS attack method is to use multiple terminal devices to send a large number of legitimate service requests at the same time, occupying a large share of the target device's resources so that the target device cannot provide normal service.
A botnet is a common means of carrying out DDoS attacks. Using one or more communication means, a large number of terminal devices are infected with a bot program, forming a network between the controller and the infected terminal devices that allows one-to-many control. The controller sends control instructions to the infected terminal devices to make them launch a DDoS attack on the target device. Terminal devices in existing networks are easily infected by bot programs and thereby controlled into launching DDoS attacks on target devices. When launching a DDoS attack, terminal devices mostly use a false source IP to evade tracing; for example, where the real source IP is in Beijing, an infected terminal device may launch the attack using a false source IP in Shanghai. Detecting whether a source IP is a false source IP is therefore of great importance to the protection against and tracing of DDoS attacks.
In the prior art, however, it is difficult to detect whether a source IP is a false source IP, so a false source IP detection scheme is urgently needed.
Summary of the invention
The present invention provides a false source IP detection method and device to achieve detection of false source IPs.
In a first aspect, the invention discloses a false source IP detection method, the method including:
obtaining the Netflow transmitted through a routing device, and identifying the target source IP corresponding to the Netflow;
for the identified target source IP, judging whether the routing table contains a reverse route with the target source IP as its destination IP;
if not, determining that the target source IP is a false source IP.
Further, identifying the target source IP corresponding to the Netflow includes:
identifying the destination IP corresponding to the Netflow, obtaining the current traffic that passes through the routing device for that destination IP, and judging whether the current traffic exceeds a set traffic threshold;
if so, taking the source IP corresponding to the destination IP as the target source IP.
Further, if the routing table contains a reverse route with the target source IP as destination IP, the method also includes:
identifying, from the Netflow corresponding to the target source IP, the input interface corresponding to the target source IP;
looking up, in the routing table, the previous-hop interface corresponding to the input interface, and the next-hop interface corresponding to the input interface when the target source IP is the destination IP; and judging whether the previous-hop interface corresponding to the input interface is the same as the next-hop interface corresponding to the input interface when the target source IP is the destination IP;
if not, determining that the target source IP is a false IP.
Further, before judging whether the routing table contains a reverse route with the target source IP as destination IP, the method also includes:
obtaining the routing table of the routing device through the Simple Network Management Protocol (SNMP).
Further, the method also includes:
identifying and displaying, from the Netflow corresponding to the false source IP, the transmission information corresponding to the false source IP.
Further, obtaining the Netflow transmitted through the routing device means obtaining the uplink Netflow transmitted through the routing device.
Further, the method also includes:
sending to the routing device a rate-limit instruction containing the information of the false source IP, instructing the routing device to limit the traffic corresponding to the false source IP; or,
sending to the routing device a discard instruction containing the information of the false source IP, instructing the routing device to discard the traffic corresponding to the false source IP; or,
diverting the traffic transmitted through the routing device, cleaning the traffic corresponding to the false source IP out of that traffic, and re-injecting the cleaned traffic into the routing device.
In a second aspect, the invention discloses a false source IP detection device, the device including:
an obtaining and identification module, for obtaining the Netflow transmitted through a routing device and identifying the target source IP corresponding to the Netflow;
a first judgment module, for judging, for the identified target source IP, whether the routing table contains a reverse route with the target source IP as destination IP, and triggering the determining module when the judgment result is no;
a determining module, for determining that the target source IP is a false source IP.
Further, the obtaining and identification module is specifically used for identifying the destination IP corresponding to the Netflow, obtaining through the routing device the current traffic corresponding to the destination IP, and judging whether the current traffic exceeds the set traffic threshold; and if so, taking the source IP corresponding to the destination IP as the target source IP.
Further, the device also includes:
a second judgment module, for, if the judgment result of the first judgment module is yes, identifying the input interface corresponding to the target source IP from the Netflow corresponding to the target source IP; looking up, in the routing table, the previous-hop interface corresponding to the input interface, and the next-hop interface corresponding to the input interface when the target source IP is the destination IP; judging whether the previous-hop interface corresponding to the input interface is the same as the next-hop interface corresponding to the input interface when the target source IP is the destination IP; and if not, determining that the target source IP is a false IP.
Further, the device also includes:
an acquisition module, for obtaining the routing table of the routing device through the Simple Network Management Protocol (SNMP).
Further, the device also includes:
an obtaining and display module, for identifying and displaying, from the Netflow corresponding to the false source IP, the transmission information corresponding to the false source IP.
Further, obtaining the Netflow transmitted through the routing device means obtaining the uplink Netflow transmitted through the routing device.
Further, the device also includes:
a processing module, for sending to the routing device a rate-limit instruction containing the information of the false source IP, instructing the routing device to limit the traffic corresponding to the false source IP; or sending to the routing device a discard instruction containing the information of the false source IP, instructing the routing device to discard the traffic corresponding to the false source IP; or diverting the traffic transmitted through the routing device, cleaning the traffic corresponding to the false source IP out of that traffic, and re-injecting the cleaned traffic into the routing device.
The beneficial effects of the present invention are as follows:
In embodiments of the invention, the target source IP corresponding to a Netflow is identified from the Netflow transmitted by the routing device, and when the routing table is found to contain no reverse route with the identified target source IP as destination IP, the target source IP is determined to be a false source IP. This achieves detection of false source IPs and provides a false source IP detection scheme.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a deployment schematic of an electronic device applying the false source IP detection method provided by the invention;
Fig. 2 is a schematic of a false source IP detection process provided by an embodiment of the invention;
Fig. 3 is a schematic of a false source IP detection process provided by an embodiment of the invention;
Fig. 4 is an architecture schematic of an electronic device applying the false source IP detection method provided by an embodiment of the invention;
Fig. 5 is a structural schematic of a false source IP detection device provided by an embodiment of the invention.
Detailed description
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
Fig. 1 is a deployment schematic of an electronic device applying the false source IP detection method provided by the invention. The electronic device is connected to the routing device through which the intranet accesses the external network. It obtains the Netflow transmitted through the routing device, obtains the routing information in the routing device through the Simple Network Management Protocol (SNMP), and detects whether the source IP used by a terminal device in the network is a false source IP. The specific detection process is described in the following embodiments.
Embodiment 1:
Fig. 2 is a schematic of a false source IP detection process provided by an embodiment of the invention. The process includes:
S201: Obtain the Netflow transmitted through the routing device, and identify the target source IP corresponding to the Netflow.
The false source IP detection method provided by this embodiment is applied to an electronic device, which can be a device such as a personal computer (PC) or a server, or a device such as a gateway with a detection function.
A Netflow is a unidirectional stream of data packets transmitted between a source IP and a destination IP. Parsing a Netflow yields its corresponding information, which includes the packet count, byte count, source port, destination port, packet control flags, protocol, source IP, destination IP, packet receive time, input interface, output interface, traffic size and other information.
Specifically, the electronic device obtains the Netflow transmitted through the routing device and identifies the target source IP corresponding to the Netflow. In this embodiment, the electronic device can directly take the source IP corresponding to the Netflow as the target source IP.
S202: For the identified target source IP, judge whether the routing table contains a reverse route with the target source IP as destination IP; if so, go to S203; if not, go to S204.
S203: Determine that the target source IP is a real source IP.
S204: Determine that the target source IP is a false source IP.
Specifically, if the target source IP is a real source IP, the device at the destination IP that receives the data sent from the target source IP can send response data to the device corresponding to the target source IP, so the routing device will contain a reverse route with the target source IP as destination IP. If the target source IP is a false source IP, the target source IP is invalid or is a wrong IP; the device at the destination IP that receives the data sent from the target source IP cannot send response data to the device corresponding to the target source IP, or cannot get the response data delivered to that device, and the routing device contains no reverse route with the target source IP as destination IP.
In this embodiment, the routing table that the routing device uses for routing is saved in the electronic device in advance. For the identified target source IP, the electronic device judges whether the routing table contains a reverse route with the target source IP as destination IP; if so, the identified target source IP is determined to be a real source IP, and if not, it is determined to be a false source IP. When making this judgment, the electronic device can use a mask-length-priority matching algorithm to search the routing table for a reverse route with the target source IP as destination IP.
In this embodiment, the target source IP corresponding to a Netflow is identified from the Netflow transmitted by the routing device, and when the routing table is found to contain no reverse route with the identified target source IP as destination IP, it is determined that the target source IP only sends data and does not receive data, and is therefore a false source IP. This achieves detection of false source IPs and provides a false source IP detection scheme.
Embodiment 2:
To improve the efficiency of false source IP detection, on the basis of the above embodiment, in this embodiment identifying the target source IP corresponding to the Netflow includes:
identifying the destination IP corresponding to the Netflow, obtaining the current traffic that passes through the routing device for that destination IP, and judging whether the current traffic exceeds the set traffic threshold;
if so, taking the source IP corresponding to the destination IP as the target source IP.
When a DDoS attack is carried out on a target device, the terminal devices send a large number of messages to the target device and make it respond to them, occupying a large share of the target device's resources so that it cannot provide normal service to legitimate terminal devices. When a DDoS attack is under way, therefore, the traffic sent through the routing device to the attacked target device rises markedly.
In this embodiment, a single traffic threshold can be set uniformly for all destination IPs, or a threshold can be set for each destination IP separately, according to the maximum traffic carried through the routing device for each destination IP when there is no DDoS attack. Specifically, the electronic device identifies the destination IP corresponding to the Netflow, obtains through the routing device the current traffic corresponding to that destination IP, and judges whether the current traffic exceeds the set traffic threshold. If so, the device corresponding to the destination IP may be under DDoS attack, and the source IP of the Netflow corresponding to that destination IP is taken as the target source IP.
Preferably, in this embodiment the electronic device can also record, from the Netflow it obtains, the source IP and destination IP corresponding to each Netflow. If the current traffic corresponding to a destination IP is determined to exceed the set traffic threshold, the electronic device can take all source IPs corresponding to that destination IP as target source IPs. In addition, in this embodiment separate traffic thresholds can be set for the SYN message traffic (SYN FLOOD), ACK message traffic (ACK FLOOD) and so on received by the destination IP; when the SYN FLOOD and/or ACK FLOOD received by the destination IP exceeds the corresponding traffic threshold, all source IPs corresponding to that destination IP are likewise taken as target source IPs.
Preferably, to reduce the use of the electronic device's processing resources, in this embodiment the electronic device can obtain only the uplink Netflow transmitted through the routing device and, when obtaining through the routing device the current traffic corresponding to a destination IP, obtain only the current uplink traffic transmitted to the destination IP through the routing device.
Embodiment 3:
To improve the accuracy of false source IP detection, on the basis of the above embodiments, in this embodiment, if the routing table contains a reverse route with the target source IP as destination IP, the method also includes:
identifying, from the Netflow corresponding to the target source IP, the input interface corresponding to the target source IP;
looking up, in the routing table, the previous-hop interface corresponding to the input interface, and the next-hop interface corresponding to the input interface when the target source IP is the destination IP; and judging whether the previous-hop interface corresponding to the input interface is the same as the next-hop interface corresponding to the input interface when the target source IP is the destination IP;
if not, determining that the target source IP is a false IP.
In this embodiment, the electronic device can obtain the routing table of the routing device through SNMP and save it in its own database. Preferably, to reduce the use of resources in the electronic device, the electronic device can use the SNMP get method to obtain the route selection (ipCidrRouteTable) information in the routing device, and combine only the obtained destination IP, mask and next-hop interface into the routing table that it saves in its own database.
Specifically, if the routing table contains a reverse route with the target source IP as destination IP, data is being both sent and received for the target source IP. The electronic device obtains the input interface corresponding to the target source IP from the Netflow corresponding to the target source IP, and by searching the routing table obtains the previous-hop interface corresponding to the input interface and the next-hop interface corresponding to the input interface when the target source IP is the destination IP. It then judges whether the two are the same. If they are the same, data is sent and received between the target source IP and its corresponding destination IP. If they differ, then between the target source IP and its corresponding destination IP only the sending of data from the target source IP to the destination IP exists: the data received by the target source IP is not sent by its corresponding destination IP, and that destination IP cannot send data to the target source IP, so the target source IP is determined to be a false IP.
Embodiment 4:
On the basis of the above embodiments, to make it easier to trace the device corresponding to a false source IP, in this embodiment the method also includes:
identifying and displaying, from the Netflow corresponding to the false source IP, the transmission information corresponding to the false source IP.
Specifically, the electronic device identifies, from the Netflow corresponding to the false source IP, transmission information such as the input interface, destination interface and traffic size corresponding to the false source IP. This makes it easier to identify the device corresponding to the false source IP; for example, the device corresponding to the false source IP can be located through the input interface.
Fig. 3 is a schematic of a false source IP detection process provided by an embodiment of the invention. The process includes:
S301: Obtain the Netflow transmitted through the routing device.
S302: Identify the destination IP corresponding to the Netflow, obtain through the routing device the current traffic corresponding to the destination IP, and judge whether the current traffic exceeds the set traffic threshold; if so, go to S303; if not, end.
S303: Take the source IP corresponding to the destination IP as the target source IP, and judge whether the routing table contains a reverse route with the target source IP as destination IP; if so, go to S304; if not, go to S307.
S304: From the Netflow corresponding to the target source IP, identify the input interface corresponding to the target source IP; in the routing table, look up the previous-hop interface corresponding to the input interface, and the next-hop interface corresponding to the input interface when the target source IP is the destination IP.
S305: Judge whether the previous-hop interface corresponding to the input interface is the same as the next-hop interface corresponding to the input interface when the target source IP is the destination IP; if so, go to S306; if not, go to S307.
S306: Determine that the target source IP is a real source IP.
S307: Determine that the target source IP is a false IP, and identify and display, from the Netflow corresponding to the false source IP, the transmission information corresponding to the false source IP.
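The detection flow S301 to S307, written out as an added Python example (not code from the patent or from NSFOCUS). The flow records, routing table, interface names and threshold are constructed, and the interface comparison of S304 to S305 is simplified to one assumption: the flow's input interface must equal the next-hop interface of the reverse route.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table in the (destination prefix, next-hop interface)
# form the description stores. Assumption of this example: no default route
# is loaded, because 0.0.0.0/0 would match every source address.
ROUTES = [
    ("10.1.0.0/16", "ge-0/0/1"),
    ("10.1.2.0/24", "ge-0/0/2"),
    ("192.0.2.0/24", "ge-0/0/3"),
]

# Constructed uplink flow records (a subset of the Netflow fields).
FLOWS = [
    {"src": "10.1.2.5", "dst": "203.0.113.10", "in_if": "ge-0/0/2", "bytes": 400_000},
    {"src": "10.1.9.9", "dst": "203.0.113.10", "in_if": "ge-0/0/3", "bytes": 500_000},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "in_if": "ge-0/0/1", "bytes": 600_000},
    {"src": "198.51.100.8", "dst": "203.0.113.20", "in_if": "ge-0/0/1", "bytes": 1_000},
]

REAL = "real"
FALSE_NO_ROUTE = "false: no reverse route"
FALSE_IFACE = "false: interface mismatch"


def build_table(routes):
    """Parse the prefixes and sort them longest mask first."""
    table = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def reverse_route(table, ip):
    """Mask-length-priority lookup of a route whose destination covers ip."""
    addr = ipaddress.ip_address(ip)
    for network, iface in table:  # table is already longest-mask-first
        if addr in network:
            return network, iface
    return None


def detect(flows, table, threshold_bytes):
    """Return {source IP: verdict} for sources sending to busy destinations."""
    # S302: current traffic per destination IP.
    per_dst = defaultdict(int)
    for flow in flows:
        per_dst[flow["dst"]] += flow["bytes"]

    verdicts = {}
    for flow in flows:
        if per_dst[flow["dst"]] <= threshold_bytes:
            continue  # destination below threshold: source is not examined
        route = reverse_route(table, flow["src"])  # S303
        if route is None:
            verdicts[flow["src"]] = FALSE_NO_ROUTE  # S307
        elif route[1] != flow["in_if"]:  # S304/S305, simplified as stated
            verdicts[flow["src"]] = FALSE_IFACE  # S307
        else:
            verdicts.setdefault(flow["src"], REAL)  # S306, never overrides a false verdict
    return verdicts


TABLE = build_table(ROUTES)

if __name__ == "__main__":
    for source, verdict in detect(FLOWS, TABLE, threshold_bytes=1_000_000).items():
        print(source, "->", verdict)
```

The source 10.1.2.5 matches both the /16 and the /24 route, so the result depends on the longest mask being tried first.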
In addition, to prevent false IPs from carrying out DDoS attacks, on the basis of the above embodiments, in this embodiment the method also includes:
sending to the routing device a rate-limit instruction containing the information of the false source IP, instructing the routing device to limit the traffic corresponding to the false source IP; or,
sending to the routing device a discard instruction containing the information of the false source IP, instructing the routing device to discard the traffic corresponding to the false source IP; or,
diverting the traffic transmitted through the routing device, cleaning the traffic corresponding to the false source IP out of that traffic, and re-injecting the cleaned traffic into the routing device.
Specifically, after detecting a false source IP, the electronic device can send to the routing device a rate-limit instruction containing the information of the false source IP, instructing the routing device to limit the traffic corresponding to the false source IP, for example limiting it to 0.5m/s, to prevent the DDoS attack. Preferably, the electronic device can also send to the routing device a discard instruction containing the information of the false source IP, instructing the routing device to discard the traffic corresponding to the false source IP, to prevent the DDoS attack. In addition, the electronic device can divert the traffic transmitted through the routing device to itself, clean the traffic corresponding to the false source IP out of that traffic, and re-inject the cleaned traffic into the routing device, to prevent the DDoS attack.
Fig. 4 is an architecture schematic of an electronic device applying the false source IP detection method provided by an embodiment of the invention. As shown in Fig. 4, the hardware abstraction layer provides the connection interface between the hardware and the operating system, connecting the operating system to the hardware to provide a running environment for the data services of the electronic device. In the data service layer, the electronic device provides functions such as attack detection, traffic statistics, Netflow data acquisition, routing management, SNMP data acquisition, data service, data storage and configuration management; the user can manage the configuration of the electronic device by adjusting its configuration. Specifically, the electronic device can obtain the routing table of the routing device through SNMP and store it, acquire the uplink Netflow sent by the routing device, identify the destination IP corresponding to the Netflow, and obtain through the routing device the current traffic corresponding to the destination IP. When the current traffic corresponding to the destination IP exceeds the set traffic threshold, it determines that a DDoS attack exists, takes the source IP corresponding to the destination IP as the target source IP, detects whether the target source IP is a false source IP, and identifies and displays, from the Netflow corresponding to the false source IP, the transmission information corresponding to the false source IP. In addition, the electronic device can provide data services through a management interface: through a Web Services platform, the information about false source IPs stored in the electronic device, such as the transmission information corresponding to a false source IP, can be called up to generate and display a false source IP report.
Embodiment 5:
Fig. 5 is a schematic structural diagram of a false source IP detection device provided in an embodiment of the present invention. The device includes:
An acquisition and identification module 51, configured to obtain the Netflow transmitted in the routing device and identify the target source IP corresponding to the Netflow;
A first judgment module 52, configured to judge, for the identified target source IP, whether the routing table contains a reverse route with the target source IP as the destination IP, and, when the judgment result is no, trigger the determining module;
A determining module 53, configured to determine that the target source IP is a false source IP.
The acquisition and identification module 51 is specifically configured to identify the destination IP corresponding to the Netflow, obtain the current traffic corresponding to the destination IP through the routing device, and judge whether the current traffic exceeds the set traffic threshold; if so, take the source IP corresponding to the destination IP as the target source IP.
The device further includes:
A second judgment module 54, configured to, if the judgment result of the first judgment module is yes, identify the input interface corresponding to the target source IP according to the Netflow corresponding to the target source IP; look up, according to the routing table, the next-hop interface corresponding to the input interface and, with the target source IP as the destination IP, the target interface that has the input interface as its next-hop interface; judge whether the next-hop interface corresponding to the input interface and the target interface are the same; and, if the judgment result is no, trigger the determining module.
The device further includes:
An acquisition module 55, configured to obtain the routing table in the routing device through the Simple Network Management Protocol (SNMP).
The device further includes:
An acquisition and display module 56, configured to identify and display, through the Netflow corresponding to the false source IP, the transmission information corresponding to the false source IP.
Wherein, obtaining the Netflow transmitted in the routing device is obtaining the uplink Netflow transmitted in the routing device.
The device further includes:
A processing module 57, configured to send the routing device a rate-limit instruction containing the information of the false source IP, instructing the routing device to limit the traffic corresponding to the false source IP; or, send the routing device a discard instruction containing the information of the false source IP, instructing the routing device to discard the traffic corresponding to the false source IP; or, divert the traffic transmitted in the routing device, clean the traffic corresponding to the false source IP out of that traffic, and reinject the cleaned traffic into the routing device.
The invention discloses a false source IP detection method and device. The method includes: obtaining the Netflow transmitted in a routing device and identifying the target source IP corresponding to the Netflow; for the identified target source IP, judging whether the routing table contains a reverse route with the target source IP as the destination IP; if not, determining that the target source IP is a false source IP. In the embodiments of the present invention, the target source IP corresponding to the Netflow is identified from the Netflow transmitted by the routing device, and, for the identified target source IP, when it is judged that the routing table contains no reverse route with the target source IP as the destination IP, the target source IP is determined to be a false source IP. This realizes the detection of false source IPs and provides a detection scheme for false source IPs.
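The detection flow summarized above (traffic threshold on the destination IP, reverse-route lookup, then interface comparison), as an added example that is not part of the patent. The routing table, flow records, field names, interface names and byte threshold are constructed, and the second check is simplified here to comparing the flow's input interface with the outgoing interface of the longest-prefix reverse route.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table (prefix -> outgoing interface), standing in for the
# table the device would fetch over SNMP. It has no default route: a 0.0.0.0/0
# entry would give every source a reverse route and disable the first check.
ROUTES = [
    ("10.1.0.0/16", "ge-0/0/1"),
    ("10.1.2.0/24", "ge-0/0/2"),
    ("192.0.2.0/24", "ge-0/0/3"),
]

# Constructed uplink flow records; the field names are assumptions of this example.
FLOWS = [
    {"src": "10.1.2.7", "dst": "192.0.2.10", "input_if": "ge-0/0/2", "bytes": 400_000},
    {"src": "10.1.9.9", "dst": "192.0.2.10", "input_if": "ge-0/0/2", "bytes": 300_000},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "input_if": "ge-0/0/1", "bytes": 500_000},
    {"src": "198.51.100.8", "dst": "192.0.2.20", "input_if": "ge-0/0/1", "bytes": 1_000},
]


def reverse_route(ip, routes):
    """Longest-prefix match with ip as destination; returns the interface or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def target_flows(flows, threshold):
    """Flows towards any destination whose summed traffic exceeds the threshold.

    Assumption: per-destination traffic is summed from the flow records instead
    of being queried from the routing device.
    """
    per_dst = defaultdict(int)
    for f in flows:
        per_dst[f["dst"]] += f["bytes"]
    return [f for f in flows if per_dst[f["dst"]] > threshold]


def detect_false_sources(flows, routes, threshold):
    """Return {source IP: reason} for target source IPs judged false."""
    verdicts = {}
    for f in target_flows(flows, threshold):
        iface = reverse_route(f["src"], routes)
        if iface is None:
            # First check: no route back to the claimed source at all.
            verdicts[f["src"]] = "no reverse route"
        elif iface != f["input_if"]:
            # Second check (simplified): the flow entered on an interface the
            # routing table would not use to reach that source.
            verdicts[f["src"]] = f"arrived on {f['input_if']}, route points to {iface}"
    return verdicts


if __name__ == "__main__":
    for src, reason in detect_false_sources(FLOWS, ROUTES, 1_000_000).items():
        print(src, "->", reason)
```

With strict interface matching, legitimately asymmetric paths are flagged as well, so the second verdict is better treated as a signal for the rate-limit or cleaning step than as proof of spoofing.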
For the system/device embodiments, since they are substantially similar to the method embodiments, the description is relatively brief; for the relevant parts, refer to the corresponding explanation of the method embodiments.
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims (14)

1. A false source IP detection method, characterized in that the method includes:
Obtaining the Netflow transmitted in a routing device, and identifying the target source IP corresponding to the Netflow;
For the identified target source IP, judging whether the routing table contains a reverse route with the target source IP as the destination IP;
If not, determining that the target source IP is a false source IP.
2. The method according to claim 1, characterized in that identifying the target source IP corresponding to the Netflow includes:
Identifying the destination IP corresponding to the Netflow, obtaining the current traffic corresponding to the destination IP through the routing device, and judging whether the current traffic exceeds the set traffic threshold;
If so, taking the source IP corresponding to the destination IP as the target source IP.
3. The method according to claim 1, characterized in that, if the routing table contains a reverse route with the target source IP as the destination IP, the method further includes:
Identifying, according to the Netflow corresponding to the target source IP, the input interface corresponding to the target source IP;
Looking up, according to the routing table, the previous-hop interface corresponding to the input interface and, with the target source IP as the destination IP, the next-hop interface corresponding to the input interface; and judging whether the previous-hop interface corresponding to the input interface is the same as the next-hop interface corresponding to the input interface when the target source IP is the destination IP;
If not, determining that the target source IP is a false IP.
4. The method according to claim 1, characterized in that, before judging whether the routing table contains a reverse route with the target source IP as the destination IP, the method further includes:
Obtaining the routing table in the routing device through the Simple Network Management Protocol (SNMP).
5. The method according to claim 1 or 3, characterized in that the method further includes:
Identifying and displaying, through the Netflow corresponding to the false source IP, the transmission information corresponding to the false source IP.
6. The method according to claim 1, characterized in that obtaining the Netflow transmitted in the routing device is obtaining the uplink Netflow transmitted in the routing device.
7. The method according to claim 1, characterized in that the method further includes:
Sending the routing device a rate-limit instruction containing the information of the false source IP, instructing the routing device to limit the traffic corresponding to the false source IP; or,
Sending the routing device a discard instruction containing the information of the false source IP, instructing the routing device to discard the traffic corresponding to the false source IP; or,
Diverting the traffic transmitted in the routing device, cleaning the traffic corresponding to the false source IP out of that traffic, and reinjecting the cleaned traffic into the routing device.
8. A false source IP detection device, characterized in that the device includes:
An acquisition and identification module, configured to obtain the Netflow transmitted in a routing device and identify the target source IP corresponding to the Netflow;
A first judgment module, configured to judge, for the identified target source IP, whether the routing table contains a reverse route with the target source IP as the destination IP, and, when the judgment result is no, trigger the determining module;
A determining module, configured to determine that the target source IP is a false source IP.
9. The device according to claim 8, characterized in that the acquisition and identification module is specifically configured to identify the destination IP corresponding to the Netflow, obtain the current traffic corresponding to the destination IP through the routing device, and judge whether the current traffic exceeds the set traffic threshold; if so, take the source IP corresponding to the destination IP as the target source IP.
10. The device according to claim 8, characterized in that the device further includes:
A second judgment module, configured to, if the judgment result of the first judgment module is yes, identify the input interface corresponding to the target source IP according to the Netflow corresponding to the target source IP; look up, according to the routing table, the previous-hop interface corresponding to the input interface and, with the target source IP as the destination IP, the next-hop interface corresponding to the input interface; and judge whether the previous-hop interface corresponding to the input interface is the same as the next-hop interface corresponding to the input interface when the target source IP is the destination IP; if not, determine that the target source IP is a false IP.
11. The device according to claim 8, characterized in that the device further includes:
An acquisition module, configured to obtain the routing table in the routing device through the Simple Network Management Protocol (SNMP).
12. The device according to claim 8 or 10, characterized in that the device further includes:
An acquisition and display module, configured to identify and display, through the Netflow corresponding to the false source IP, the transmission information corresponding to the false source IP.
13. The device according to claim 8, characterized in that obtaining the Netflow transmitted in the routing device is obtaining the uplink Netflow transmitted in the routing device.
14. The device according to claim 8, characterized in that the device further includes:
A processing module, configured to send the routing device a rate-limit instruction containing the information of the false source IP, instructing the routing device to limit the traffic corresponding to the false source IP; or, send the routing device a discard instruction containing the information of the false source IP, instructing the routing device to discard the traffic corresponding to the false source IP; or, divert the traffic transmitted in the routing device, clean the traffic corresponding to the false source IP out of that traffic, and reinject the cleaned traffic into the routing device.
CN201810615608.3A 2018-06-14 2018-06-14 A kind of falseness source IP detection method and device Pending CN108769055A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810615608.3A CN108769055A (en) 2018-06-14 2018-06-14 A kind of falseness source IP detection method and device

Publications (1)

Publication Number Publication Date
CN108769055A true CN108769055A (en) 2018-11-06

Family

ID=64022432

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810615608.3A Pending CN108769055A (en) 2018-06-14 2018-06-14 A kind of falseness source IP detection method and device

Country Status (1)

Country Link
CN (1) CN108769055A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020166063A1 (en) * 2001-03-01 2002-11-07 Cyber Operations, Llc System and method for anti-network terrorism
CN1567900A (en) * 2003-07-06 2005-01-19 华为技术有限公司 A method for implementing message forwarding control in routing equipment
CN101110668A (en) * 2006-07-21 2008-01-23 中国移动通信集团公司 Method for tracing to secondary layer switch port
CN101340293A (en) * 2008-08-12 2009-01-07 杭州华三通信技术有限公司 Packet safety detection method and device
CN101753637A (en) * 2009-12-17 2010-06-23 北京星网锐捷网络技术有限公司 Method and network address translation device preventing network attacks
CN103873441A (en) * 2012-12-12 2014-06-18 中国电信股份有限公司 Firewall safety rule optimization method and device thereof
CN106534068A (en) * 2016-09-29 2017-03-22 广州华多网络科技有限公司 Method and device for cleaning forged source IP in DDOS (Distributed Denial of Service) defense system
CN107864110A (en) * 2016-09-22 2018-03-30 中国电信股份有限公司 Botnet main control end detection method and device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109951445A (en) * 2019-01-29 2019-06-28 上海嘉韦思信息技术有限公司 Network security settlement of insurance claim appraisal procedure and system
CN114006734A (en) * 2021-10-11 2022-02-01 中盈优创资讯科技有限公司 Method and device for analyzing false source address of flow in metropolitan area network
CN114006734B (en) * 2021-10-11 2023-07-25 中盈优创资讯科技有限公司 Method and device for analyzing false source address of routing flow of metropolitan area network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181106