CN109120607B - DDoS attack identification method and system - Google Patents


Info

Publication number: CN109120607B
Authority: CN (China)
Prior art keywords: service, pool, user, service entrance, layer
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN201810859554.5A
Other languages: Chinese (zh)
Other versions: CN109120607A
Inventors: 周亚辉, 徐东, 张�杰
Current assignee: Beijing Xianlaihuyu Network Technology Co ltd
Original assignee: Beijing Xianlaihuyu Network Technology Co ltd
Events: application filed by Beijing Xianlaihuyu Network Technology Co ltd; priority to CN201810859554.5A; publication of CN109120607A; application granted; publication of CN109120607B; legal status active; anticipated expiration


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1458 Denial of Service
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Authentication of entities > H04L63/0807 Authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The application provides a DDoS attack identification method and system. The method comprises: starting from the first-layer service entrance pool, allocating to each user the service entrance in the current service entrance pool that corresponds to the user's token; judging whether the service entrance allocated to each user in the current-layer pool is available; if not, adding 1 to the layer number of the current pool; judging whether the incremented layer number has reached the preset maximum number of layers; if so, allocating, in the last-layer pool, the service entrance corresponding to the token to each user whose previous entrance was unavailable; judging whether the entrance allocated in the last-layer pool is available; and if not, determining that the users assigned to that unavailable entrance are malicious users. The method and system can identify malicious users accurately and quickly and improve the ability to protect against DDoS attacks.

Description

DDoS attack identification method and system
Technical Field
The application belongs to the technical field of internet, and particularly relates to a DDoS attack identification method and system.
Background
A traditional DoS (Denial of Service) attack is mainly one-to-one: in its most basic form, seemingly reasonable service requests are used to occupy so many service resources that the server can no longer process the requests of legitimate users. As computer and network technology developed, DDoS (Distributed Denial of Service) attacks emerged from traditional DoS attacks. A DDoS attack is many-to-one and is mainly aimed at servers or large websites. It overloads the server by submitting a large number of legitimate or forged requests; once the server's CPU reaches full load its resources are exhausted and it stops responding. Once the server goes down, normal user access is seriously affected, causing large economic losses to companies, enterprises and even countries.
In the prior art there are DDoS attack traceback techniques, which mainly mark packets passing through routers in order to infer the attack path (the links and routers an attack packet passes through) and the attack source (the border router through which the attack packets entered); there is no technique for identifying the malicious user who initiates the DDoS attack.
Disclosure of Invention
In order to overcome the problems in the related technology at least to a certain extent, the application provides a DDoS attack identification method and a DDoS attack identification system.
According to a first aspect of the embodiments of the present application, a DDoS attack identification method is provided, comprising the following steps:
obtaining a token of a user;
setting a plurality of layers of service entrance pools, each layer of service entrance pool containing service entrances;
starting from the first-layer service entrance pool, allocating to each user the service entrance in the pool that corresponds to the user's token;
judging whether the service entrance allocated to each user in the current-layer service entrance pool is available;
if the service entrance corresponding to a user in the current-layer pool is unavailable, adding 1 to the layer number of the current pool;
judging whether the layer number after adding 1 has reached the preset maximum number of layers of service entrance pools;
if it has, allocating, in the last-layer service entrance pool, the service entrance corresponding to the token to each user whose entrance in the previous layer was unavailable;
judging whether the service entrance allocated to the user in the last-layer pool is available;
and if the service entrance corresponding to the user in the last-layer pool is unavailable, judging that the user assigned to that unavailable entrance is a malicious user, completing the identification of the malicious user carrying out the DDoS attack.
Furthermore, the service entrance is an IP address, the service entrance pool is an IP address pool containing a plurality of IP addresses, and the IP addresses in each layer of the IP address pool carry numbers in one-to-one correspondence with the addresses.
Further, when the service entrance corresponding to the token is allocated to each user in the service entrance pool, the input token value is converted into a hash value with a hash algorithm, and the service entrance whose number equals the hash value is allocated to the user.
Furthermore, the hash algorithm used to allocate the service entrance corresponding to the user's token differs from one layer of service entrance pool to the next.
Further, when the service entrance is an IP address, the process of converting the input token value into a hash value is:
converting each of the last two characters of the token value into its ASCII code value;
summing the ASCII code values of the last two characters;
and taking the remainder of that sum divided by the number of IP addresses in the corresponding layer's IP address pool, then adding 1, to obtain the hash value.
Further, according to the maximum number of layers of the service entrance pool and the number of service entrances in each layer, the number of users affected by a single attack is estimated with the following formula:
[Formula image GDA0002756658800000031 not reproduced in this extraction]
In the formula, E is the number of users affected by a single attack, N is the total number of users that have obtained a service entrance, i is the layer number of a service entrance pool, x_i is the number of service entrances in the i-th layer service entrance pool, and m is the maximum number of layers of service entrance pools.
According to a second aspect of the embodiments of the present application, the present application further provides an identification system for DDoS attacks, which includes
The acquisition module is used for acquiring a token of a user;
a setting module, used for setting a plurality of layers of service entrance pools, each layer of service entrance pool containing service entrances;
the distribution module is used for distributing service entrances corresponding to tokens of the users in the service entrance pool from the first-layer service entrance pool;
the first judgment module is used for judging whether the service entrance distributed for each user in the service entrance pool of the current layer is available; if the service entrance corresponding to the user in the current layer service entrance pool is available, judging the user to be a normal user; if the service entrance corresponding to the user in the service entrance pool of the current layer is unavailable, adding 1 to the layer number of the service entrance pool of the current layer;
the second judgment module is used for judging whether the number of layers added by 1 reaches the preset maximum number of layers of the service inlet pool or not; if the number of layers after adding 1 reaches the preset maximum number of layers of the service entrance pool, continuously allocating a service entrance corresponding to the token for the user with the unavailable service entrance corresponding to the service entrance in the last layer of service entrance pool; if the number of layers after adding 1 does not reach the preset maximum number of layers of the service inlet pool, the number of layers is continuously increased, and service inlets are redistributed to users in the service inlet pool of the next layer;
the third judging module is used for judging whether the service entrance allocated for the user in the last-layer service entrance pool is available;
and the identification module is used for identifying malicious users for implementing DDoS attack according to the judgment result of the third judgment module.
Further, the service entrance is an IP address; the service entrance pool is an IP address pool; the IP address pool is provided with a plurality of IP addresses, and the IP addresses in each layer of the IP address pool are provided with numbers in one-to-one correspondence.
Further, the allocation module starts from the first-layer service entry pool, when a service entry corresponding to the token is allocated to each user in the service entry pool, the hash algorithm is adopted to convert the input token value into a hash value, and the service entry corresponding to the number identical to the hash value is used as the service entry of the token user.
Further, when the service entrance adopts an IP address, the first determining module determines whether the IP address is available by detecting whether the IP is connected.
The above embodiments of the present application have at least the following advantages. The method uses hierarchical filtering: while new service entrances are continually allocated to users, normal users and malicious users are gradually separated, so that normal users reach the service through an available entrance, while malicious users, who still cannot reach the service after several layers of screening, are finally identified. Because a multi-layer service entrance pool is provided, a user whose old entrance has been attacked and become unavailable is reallocated a new entrance, which ensures that users quickly reach an available entrance and reduces the number of users lost. The method and system also have a degree of fault tolerance and can prevent service fluctuation caused by a single IP failure or network jitter.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the scope of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of the specification of the application, illustrate exemplary embodiments of the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a flowchart of an identification method for DDoS attack according to an embodiment of the present application.
Fig. 2 is a second flowchart of a DDoS attack identification method according to the embodiment of the present application.
Fig. 3 is a block diagram of a structure of an identification system for DDoS attack according to an embodiment of the present application.
Fig. 4 is a schematic diagram illustrating an identification system for DDoS attack allocating an IP address to a user according to an embodiment of the present application.
Detailed Description
For the purpose of promoting a clear understanding of the objects, aspects and advantages of the embodiments of the present application, reference will now be made to the accompanying drawings and detailed description, wherein like reference numerals refer to like elements throughout.
The illustrative embodiments and descriptions of the present application are provided to explain the present application and not to limit the present application. Additionally, the same or similar numbered elements/components used in the drawings and the embodiments are used to represent the same or similar parts.
As used herein, "first," "second," …, etc., are not specifically intended to mean in a sequential or chronological order, nor are they intended to limit the application, but merely to distinguish between elements or operations described in the same technical language.
With respect to directional terminology used herein, for example: up, down, left, right, front or rear, etc., are simply directions with reference to the drawings. Accordingly, the directional terminology used is intended to be illustrative and is not intended to be limiting of the present teachings.
As used herein, the terms "comprising," "including," "having," "containing," and the like are open-ended terms that mean including, but not limited to.
As used herein, "and/or" includes any and all combinations of the described items.
References to "plurality" herein include "two" and "more than two"; reference to "multiple sets" herein includes "two sets" and "more than two sets".
As used herein, the terms "substantially", "about" and the like are used to modify any slight variation in quantity or error that does not alter the nature of the variation. Generally, the range of slight variations or errors modified by such terms may be 20% in some embodiments, 10% in some embodiments, 5% in some embodiments, or other values. It should be understood by those skilled in the art that the aforementioned values can be adjusted according to actual needs, and are not limited thereto.
Certain words used to describe the present application are discussed below or elsewhere in this specification to provide additional guidance to those skilled in the art in describing the present application.
As shown in fig. 1, the present application provides a DDoS attack identification method, which includes the following steps:
and S1, obtaining the token of the user.
The user requests to log in at the client using a username and password. And after receiving the request, the server side verifies the user name and the password. After the verification is successful, the server generates a token, and then sends the token to the client. This token is a unique identifier of the user's identity. This identifier typically has an expiration date, for example one day, after which the user needs to log in again to obtain a new token.
The token can be used for reducing the risk of leakage caused by the fact that the user name and the password are transmitted on the network, and can be used conveniently by the user.
And S2, setting a plurality of layers of service entrance pools, wherein each layer of service entrance pool is provided with a service entrance. Wherein, each service entrance is provided with a serial number corresponding to the service entrance one by one.
S3, starting from the first-layer service entry pool, assigning a service entry corresponding to the token to each user in the service entry pool.
And S4, judging whether the service entrance distributed for each user in the current layer service entrance pool is available.
And S5, if the service entrance corresponding to the user in the current layer service entrance pool is unavailable, adding 1 to the layer number of the current service entrance pool.
And S6, judging whether the layer number added by 1 reaches the preset maximum layer number of the service entrance pool.
And S7, if the number of layers after adding 1 reaches the preset maximum number of layers of the service entrance pool, continuously allocating the service entrance corresponding to the token for the user who is unavailable in the service entrance corresponding to the last layer of the service entrance pool in the last layer of the service entrance pool.
And S8, judging whether the service entrance allocated for the user in the last-layer service entrance pool is available.
S9, if the service entrance corresponding to the user in the last layer service entrance pool is unavailable, judging that the user distributed to the unavailable service entrance is a malicious user, and completing the identification of the malicious user for implementing DDoS attack.
In step S2, the service entry is used as an entry for the user to access the network service, and may specifically be an IP address. The service entrance pool is an IP address pool. A plurality of IP addresses are arranged in the IP address pool, and the IP addresses in each layer of IP address pool are provided with serial numbers which are in one-to-one correspondence with the IP addresses.
In step S3, when the service entrance corresponding to the token is allocated to each user in the service entrance pool, the input token value is converted into a hash value with a hash algorithm, and the service entrance whose number equals the hash value is the entrance allocated to the token's user. The hash algorithm may be MD5 (Message-Digest Algorithm 5), SHA-256 (Secure Hash Algorithm) or the like.
Since the token of the user is unique and stable, and the hash algorithm is also stable, the service entry acquired by the user in the service entry pool each time is also unique and stable. The hash algorithm adopted when the service entrance corresponding to the token of the user is allocated to the user in each layer of service entrance pool is different. And the service entries corresponding to the tokens and allocated to each user in the same layer of service entry pool can be the same or different. Different users cannot know the service entrance of each other.
Specifically, when the service entrance is an IP address, each IP address in each layer of the IP address pool carries a one-to-one number. For example, 50 IP addresses are set in the first-layer IP address pool, numbered 1, 2, 3, …, 49, 50. Let a user's token value be qxj8skd0. The token value is converted into a hash value as follows:
convert the last two characters of the token value to their ASCII code values: 'd' to 100 and '0' to 48;
sum the ASCII code values of the last two characters: 100 + 48 = 148;
take the remainder of the sum divided by the number of IP addresses in this layer's pool and add 1: 148 mod 50 + 1 = 49, so the hash value is 49.
The IP address numbered 49 in this layer's IP address pool is then taken as the user's entrance.
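The walk-through above, as an added example that is not part of the patent: a Python implementation of the two-character ASCII hash, plus a check a deployer would want before relying on it. Because the hash sees only the last two characters of the token, enumerating every two-character ending over a lowercase-alphanumeric token alphabet (an assumption of this example; the sample token qxj8skd0 uses that alphabet) enumerates every value the hash can produce, which shows how uneven the load per entrance is. The keyed SHA-256 variant, its secret and its per-layer input are this example's own assumptions, standing in for the MD5/SHA-256 option the description mentions; the patent only says the algorithm differs per layer and does not specify how.

```python
import hashlib
import itertools
import string

# Added example (not code from the patent). Implements the per-layer hash the
# description gives (ASCII sum of the token's last two characters, remainder
# modulo the layer's pool size, plus 1) and measures how unevenly it spreads
# token endings over a pool. The keyed SHA-256 variant is an assumption of this
# example, standing in for the MD5/SHA-256 option the text mentions.

TOKEN_ALPHABET = string.ascii_lowercase + string.digits   # assumption: tokens like qxj8skd0


def ascii_tail_hash(token: str, pool_size: int) -> int:
    """Entrance number (1..pool_size) exactly as in the patent's walk-through."""
    if len(token) < 2 or pool_size < 1:
        raise ValueError("token needs at least two characters and a non-empty pool")
    tail_sum = ord(token[-2]) + ord(token[-1])   # 'd' -> 100, '0' -> 48
    return tail_sum % pool_size + 1              # 148 % 50 + 1 == 49


def keyed_hash(token: str, pool_size: int, layer: int,
               secret: bytes = b"example-secret") -> int:
    """Per-layer entrance number from SHA-256 over (secret, layer, token).

    Assumption of this example: one hash with a per-layer input gives the
    "different algorithm per layer" the text asks for, and the secret keeps
    the token-to-entrance mapping unguessable without the server's key."""
    material = secret + layer.to_bytes(2, "big") + token.encode()
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:8], "big") % pool_size + 1


def bucket_loads(hash_fn, pool_size: int, alphabet: str = TOKEN_ALPHABET) -> dict:
    """Count how many two-character token endings land on each entrance.

    Only the last two characters matter to ascii_tail_hash, so enumerating
    every pair over the alphabet enumerates every value it can produce."""
    loads = {n: 0 for n in range(1, pool_size + 1)}
    for pair in itertools.product(alphabet, repeat=2):
        token = "xx" + "".join(pair)             # constructed token; prefix is irrelevant
        loads[hash_fn(token, pool_size)] += 1
    return loads


def distinct_tail_sums(alphabet: str = TOKEN_ALPHABET) -> int:
    """Number of distinct ASCII sums the hash can see before the modulo step."""
    return len({ord(a) + ord(b) for a in alphabet for b in alphabet})


if __name__ == "__main__":
    print("qxj8skd0 ->", ascii_tail_hash("qxj8skd0", 50))   # 49, as in the text
    loads = bucket_loads(ascii_tail_hash, 50)
    print("distinct sums before modulo:", distinct_tail_sums())
    print("ASCII hash load per entrance: min", min(loads.values()),
          "max", max(loads.values()), "mean", sum(loads.values()) / 50)
    print("SHA-256 entrances for qxj8skd0 in layers 1-3:",
          [keyed_hash("qxj8skd0", 50, layer) for layer in (1, 2, 3)])
```

For a 50-entrance pool the ASCII-sum hash puts the 1296 possible endings onto entrances with loads from 2 to 46 against a mean of about 26, and only 105 distinct sums exist before the modulo step, so a pool with more than 105 entrances necessarily leaves some of them unused. That unevenness matters for the 1/(x·y·z) loss estimate in the description, which assumes an even spread, and for Example 1, where four of five users share one entrance. Note also that this walk-through hash is not the MD5 or SHA-256 the text names as options; the keyed variant is the shape a deployer would use for those.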
In step S4, when the service entrance is an IP address, whether the IP address is available is determined by periodically detecting whether the IP address can be connected to.
In step S5, when the service entrance is an IP address, the address usually becomes unavailable because the network provider (such as Tencent or Alibaba) or the network operator (such as China Mobile, China Unicom or China Telecom) has actively stopped network service for that IP address. If the current IP address is detected to be unreachable, it is judged unavailable.
Specifically, if the service entrance allocated to a user in the first-layer pool is unavailable, the user proceeds to the second-layer pool; if the entrance allocated to the user in the second-layer pool is still unavailable, the user proceeds to the third-layer pool; and so on. As soon as the service entrance corresponding to a user in the current-layer pool is available, the user accesses the network service through that entrance and the layer number of that user's current pool is not incremented any further.
In step S6, the maximum number of layers of the service entrance pool may be set according to the protection effect desired, and that effect can be quantified as the user loss rate. Assuming three layers of IP address pools with x, y and z IP addresses respectively, the user loss rate can be reduced to 1/(x·y·z) with this DDoS attack identification method.
Specifically, the number of users affected by a single attack may be estimated from the maximum number of layers and the number of service entrances in each layer with the following formula:
[Formula image GDA0002756658800000081 not reproduced in this extraction]
where E is the number of users affected by a single attack, N is the total number of users that have obtained a service entrance, i is the layer number of a service entrance pool, x_i is the number of service entrances in the i-th layer service entrance pool, and m is the maximum number of layers.
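Added derivation (not text from the patent): the formula image is not reproduced here, but the statement above that the loss rate for three layers falls to 1/(x·y·z) fixes the relationship between the symbols just defined under two assumptions, namely that each layer's hash spreads the users arriving at that layer uniformly and independently over its $x_i$ entrances, and that a single attack takes down one entrance in each layer. Of the $N$ users, the fraction assigned to the attacked entrance in layer 1 is $1/x_1$; only those users are reassigned in layer 2, where a fraction $1/x_2$ of them land on the attacked entrance again, and so on through layer $m$:

$$E = N \prod_{i=1}^{m} \frac{1}{x_i} = \frac{N}{\prod_{i=1}^{m} x_i}, \qquad \frac{E}{N} = \frac{1}{x_1 x_2 \cdots x_m},$$

which for $m = 3$ and $x_1 = x$, $x_2 = y$, $x_3 = z$ is the $1/(x\,y\,z)$ loss rate stated above. If the attacker takes down $k_i$ entrances in layer $i$, the factor $1/x_i$ becomes $k_i/x_i$; and if the hash is not uniform, $1/x_i$ must be replaced by the actual fraction $p_i$ of that layer's pending users sitting on the attacked entrance, giving $E = N \prod_{i=1}^{m} p_i$. The $E$ users counted here are exactly those whose entrance is still unavailable in the last layer, i.e. the users step S9 labels malicious, so $E$ also bounds how many normal users one attack can cause to be misidentified.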
The DDoS attack identification method adopts a hierarchical filtering mode, and can gradually distinguish normal users from malicious users while continuously allocating new IP addresses to the users, so that the normal users can access services through available IP addresses. And finally, the malicious user cannot access the service after multi-layer screening, and cannot acquire the entrance of other users. According to the method and the device, malicious users can be identified while the service entrance is protected.
The method and the device immediately allocate a new IP address to the user under the condition that the old IP address is unavailable. Compared with the prior art, the user acquires the new IP address not by means of domain name resolution but by a separate network service. So that there is no time for the new record to take effect. And network services are not available to some users until the new record is in effect. By adopting the method and the device, the service entrance can still maintain the continuity of the service under the condition of suffering from larger attacks.
In a specific embodiment, as shown in fig. 2, when the service entrance is an IP address, the DDoS attack identification method of the present application comprises the following steps:
S11, obtaining the token of the user.
S12, setting the IP address pools, the maximum number of layers max-level of the IP address pools, and the layer number n of the current IP address pool, n = 1, 2, …, max-level. Each layer of the IP address pool contains IP addresses, numbered in one-to-one correspondence with the addresses.
S13, starting from the first-layer IP address pool, allocating to each user in the n-th layer IP address pool the IP address corresponding to the user's token.
S14, judging whether the IP address corresponding to each user in the current-layer IP address pool is available; if the IP address corresponding to a user is available, judging that user to be a normal user, who accesses the network service through that IP address; if the IP address corresponding to a user is unavailable, adding 1 to the layer number n of the current IP address pool.
S15, judging whether the layer number after adding 1 has reached the preset maximum number of layers max-level. If it has, the service entrance corresponding to the token is allocated in the last-layer pool to each user whose entrance was unavailable, and the process goes to step S16. If it has not, the process returns to step S13.
S16, judging whether the service entrance allocated to the user in the last-layer service entrance pool is available; if the service entrance corresponding to the user in the last-layer pool is unavailable, judging that the user assigned to that unavailable entrance is a malicious user, completing the identification of the malicious user carrying out the DDoS attack.
As shown in fig. 3, the present application further provides an identification system for DDoS attack, which includes an obtaining module 1, a setting module 2, a distributing module 3, a first determining module 4, a second determining module 5, a third determining module 6, and an identification module 7. The obtaining module 1 is configured to obtain a token of a user, where the token is a unique identifier of an identity of the user. The setting module 2 is used for setting a plurality of layers of service inlet pools, each layer of service inlet pool is provided with a service inlet, and each service inlet is provided with a serial number corresponding to the service inlet one by one. The allocating module 3 is configured to, starting from the first-layer service entry pool, allocate a service entry corresponding to the token of each user in the service entry pool. The first judging module 4 is configured to judge whether a service entry allocated to each user in the current-layer service entry pool is available, and if a service entry corresponding to a user in the current-layer service entry pool is available, determine that the user is a normal user; and if the service entrance corresponding to the user in the current layer service entrance pool is unavailable, adding 1 to the layer number of the current service entrance pool. 
The second judging module 5 is configured to judge whether the number of layers added by 1 reaches a preset maximum number of layers of the service entry pool, and if the number of layers added by 1 reaches the preset maximum number of layers of the service entry pool, continue to allocate a service entry corresponding to the token for the user with the unavailable service entry in the last-layer service entry pool; and if the number of layers after the 1 addition does not reach the preset maximum number of layers of the service entrance pool, continuously increasing the number of layers, and reallocating service entrances for the users in the service entrance pool of the next layer. The third judging module 6 is configured to judge whether a service portal allocated for the user in the last-layer service portal pool is available. The identification module 7 is configured to identify a malicious user who implements DDoS attack according to a determination result of the third determination module 6.
In this embodiment, the service entry may specifically be an IP address. The service entrance pool is an IP address pool. A plurality of IP addresses are arranged in the IP address pool, and the IP addresses in each layer of IP address pool are provided with numbers in one-to-one correspondence.
In this embodiment, the allocating module 3, starting from the first-layer service entry pool, when allocating a service entry corresponding to the token to each user in the service entry pool, converts the input token value into a hash value by using a hash algorithm, and takes the service entry corresponding to the same number as the hash value as the service entry of the token user.
In this embodiment, when the first determining module 4 determines whether the service entry allocated to each user in the current-layer service entry pool is available, it determines whether the IP address is available by periodically detecting whether the IP is connected. And if the current IP address is detected to be unavailable, judging that the IP address is unavailable.
In this embodiment, the maximum number of layers of the service entry pool may be set according to the protection effect that the user desires to achieve. Wherein the protection effect can be quantified as the loss rate of the user.
According to the method and the device, whether the service entrance allocated to each user in the current layer service entrance pool is available is judged through the first judging module 4, and a new service entrance is allocated to the user with the unavailable service entrance, so that the service entrance can still maintain the continuity of the service under the condition of large attack, and the number of lost users is reduced. In addition, the method and the device have certain disaster tolerance capability, and can prevent service fluctuation caused by single IP fault or network fluctuation.
Example 1
As shown in fig. 4, three layers of IP address pools are set: 6 IP addresses in the first-layer pool, 6 in the second-layer pool and 4 in the third-layer pool. Assume there are 5 users, among whom there are malicious users.
In the first-layer IP address pool the 5 users are allocated the IP addresses corresponding to their tokens: the first to fourth users receive the IP address numbered 3 and the fifth user the IP address numbered 5. The IP address numbered 3 is judged unavailable and the IP address numbered 5 available. Since malicious users exist among the first to fourth users, all four of them enter the second-layer IP address pool to wait for new IP addresses (which of the four is malicious cannot be told yet, because they share one entrance); the fifth user is a normal user and accesses the network service through the IP address numbered 5. The incremented layer number 2 is less than the preset maximum of 3 layers, so new IP addresses corresponding to the tokens of the first to fourth users are allocated in the second-layer IP address pool.
In the second-layer IP address pool the first user is allocated the IP address numbered 1, the second user the IP address numbered 2, and the third and fourth users both the IP address numbered 4. The IP addresses numbered 1 and 2 are available and the IP address numbered 4 is unavailable, so the first user is a normal user accessing the network service through the IP address numbered 1, the second user is a normal user accessing it through the IP address numbered 2, and malicious users exist among the third and fourth users, who enter the third-layer IP address pool to wait for new IP addresses. The incremented layer number 3 reaches the preset maximum of 3 layers, so new IP addresses corresponding to the tokens of the third and fourth users are allocated in the third (last) layer IP address pool.
In the third-layer IP address pool the third user is allocated the IP address numbered 2 and the fourth user the IP address numbered 4. The IP address numbered 2 is available and the IP address numbered 4 is unavailable, so the third user is a normal user accessing the network service through the IP address numbered 2, and the fourth user is identified as a malicious user.
Provided the number of layers of the IP address pool and the number of IP addresses are large enough, the method and device identify malicious users accurately and quickly and achieve a good protection effect. Specifically, malicious users are identified more accurately when the number of users accessing the network service is at most (number of IP addresses / number of layers of the IP address pool)^(number of layers of the IP address pool). A normal user is misjudged only if it shares an unavailable entrance with a malicious user in every layer, and enough layers and addresses make such repeated collisions rare.
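The procedure of the description and of claims 1 and 3 to 5, worked through on Example 1, as an added example (this is not code from the patent or its assignee). Beyond what the page states it assumes three things: the availability check of claim 10 is simulated by marking an entrance unavailable whenever at least one attacker is hashed to it; the per-layer hash variation of claim 4 is realised by letting layer k read a different two-character slice of the token; and the five tokens are constructed so that the claim-5 hash reproduces the assignments of fig. 4. The bound stated in the paragraph above is included as capacity_bound.

```python
"""Multi-layer service entrance (IP pool) identification of DDoS attackers.

Added example, not code from the patent or its assignee. Follows the
procedure of claims 1 and 3-5: a user's token is hashed to a numbered IP in
the current layer's pool; when that IP is unavailable every user hashed to
it moves to the next layer and is re-hashed; a user whose IP is still
unavailable in the last layer is judged malicious.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Example 1 of the description (fig. 4): three layers with 6, 6 and 4 IPs.
EXAMPLE_POOL_SIZES: List[int] = [6, 6, 4]

# Constructed tokens (assumption): the last six characters are chosen so that
# layer_hash() reproduces the fig. 4 assignments 3,3,3,3,5 / 1,2,4,4 / 2,4.
EXAMPLE_TOKENS: List[str] = [
    "u1-000002", "u2-000102", "u3-010302", "u4-030302", "u5-000004",
]
EXAMPLE_ATTACKERS: Set[str] = {"u4-030302"}  # the fourth user is the attacker


def token_slice(token: str, layer: int) -> str:
    """Two characters of the token read by the 1-based layer.

    Layer 1 reads the last two characters, as in claim 5. Layers 2, 3, ...
    read the preceding pairs (assumption standing in for the "different hash
    per layer" of claim 4). Reusing the same pair with another modulus would
    not do: tokens that collide in layer 1 would then collide in every layer
    and a normal user could never be separated from the attacker it shares
    an entrance with.
    """
    end = len(token) - 2 * (layer - 1)
    if end < 2:
        raise ValueError(f"token {token!r} is too short for layer {layer}")
    return token[end - 2:end]


def layer_hash(token: str, pool_size: int, layer: int) -> int:
    """Claim 5: sum the ASCII codes of two token characters, take the remainder
    modulo the pool size and add 1, giving an IP number in 1..pool_size."""
    pair = token_slice(token, layer)
    return (ord(pair[0]) + ord(pair[1])) % pool_size + 1


def unavailable_entrances(assigned: Dict[str, int], attackers: Set[str]) -> Set[int]:
    """Simulated availability probe (claim 10 periodically tests whether the
    IP can be connected to). Assumption: an entrance is flooded, hence
    unavailable, exactly when some attacker was hashed to it in this layer."""
    return {ip_no for token, ip_no in assigned.items() if token in attackers}


def identify(tokens: Iterable[str], attackers: Set[str],
             pool_sizes: List[int]) -> Tuple[Dict[str, Tuple[int, int]], Set[str]]:
    """Run the layered allocation of claim 1.

    Returns (served, malicious): served maps each token kept on an available
    entrance to (layer, IP number); malicious is the set of tokens still on an
    unavailable entrance after the last layer.
    """
    served: Dict[str, Tuple[int, int]] = {}
    pending = list(tokens)
    for layer, pool_size in enumerate(pool_sizes, start=1):
        assigned = {t: layer_hash(t, pool_size, layer) for t in pending}
        down = unavailable_entrances(assigned, attackers)
        pending = []
        for t, ip_no in assigned.items():
            if ip_no in down:
                pending.append(t)           # entrance down: layer number + 1
            else:
                served[t] = (layer, ip_no)  # normal user, keeps this entrance
        if not pending:
            break
    # Normal users that collided with an attacker in every layer end up here
    # too; the description bounds the user count to keep that rare.
    return served, set(pending)


def capacity_bound(pool_sizes: List[int]) -> float:
    """Bound from the description: identification is accurate when the number
    of users is at most (number of IPs / number of layers) ** number of layers."""
    layers = len(pool_sizes)
    return (sum(pool_sizes) / layers) ** layers


def run_example_1() -> Tuple[Dict[str, Tuple[int, int]], Set[str]]:
    """Example 1 end to end: u5 served in layer 1, u1/u2 in layer 2, u3 in
    layer 3, u4 flagged as malicious."""
    return identify(EXAMPLE_TOKENS, EXAMPLE_ATTACKERS, EXAMPLE_POOL_SIZES)


if __name__ == "__main__":
    served, malicious = run_example_1()
    for t in EXAMPLE_TOKENS:
        status = "MALICIOUS" if t in malicious else "layer %d, IP #%d" % served[t]
        print(f"{t}: {status}")
    print(f"user bound for pools {EXAMPLE_POOL_SIZES}: "
          f"{capacity_bound(EXAMPLE_POOL_SIZES):.1f}")
```

Running the module prints the entrance each user ends on and flags u4. Adding a normal user whose token tail equals the attacker's (for instance "u6-030302") makes it collide with u4 in every layer, so it is flagged as well; that false positive is what the bound on the number of users is meant to keep rare, and it is also why the per-layer hashes must read different parts of the token rather than reuse one sum with a different modulus.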
The foregoing is merely an illustrative embodiment of the present application, and any equivalent changes and modifications made by those skilled in the art without departing from the spirit and principles of the present application shall fall within the protection scope of the present application.

Claims (10)

1. A DDoS attack identification method, characterized by comprising the following steps:
obtaining a token of a user;
setting a plurality of layers of service entrance pools, each layer of service entrance pool being provided with service entrances;
starting from the first-layer service entrance pool, allocating to each user in the service entrance pool a service entrance corresponding to the user's token;
judging whether the service entrance allocated to each user in the current-layer service entrance pool is available;
if the service entrance corresponding to a user in the current-layer service entrance pool is unavailable, adding 1 to the layer number of the current-layer service entrance pool;
judging whether the layer number incremented by 1 reaches the preset maximum number of layers of the service entrance pool;
if the layer number incremented by 1 reaches the preset maximum number of layers of the service entrance pool, continuing to allocate, in the last-layer service entrance pool, a service entrance corresponding to the token to the user whose service entrance was unavailable;
judging whether the service entrance allocated to the user in the last-layer service entrance pool is available;
and if the service entrance corresponding to the user in the last-layer service entrance pool is unavailable, judging the user allocated to the unavailable service entrance to be a malicious user, thereby completing the identification of malicious users implementing the DDoS attack.
2. The identification method according to claim 1, wherein the service entry adopts an IP address, the service entry pool is an IP address pool, a plurality of IP addresses are set in the IP address pool, and the IP addresses in the IP address pool of each layer are provided with numbers corresponding to the IP addresses one to one.
3. The identification method of claim 1, wherein when each user is assigned a service entry corresponding to its token in the service entry pool, the input token value is converted into a hash value using a hash algorithm, and a service entry corresponding to the same number as the hash value is assigned to the user.
4. The identification method of claim 3, wherein the hashing algorithm used is different when assigning the service entry corresponding to the token to the user in each layer of service entry pool.
5. The identification method of claim 3, wherein, when the service entrance is an IP address, the process of converting the input token value into a hash value with the hash algorithm is:
converting the last two characters of the token value into their corresponding ASCII code values respectively;
summing the ASCII code values corresponding to the last two characters of the token value;
and taking the remainder of the sum divided by the number of IP addresses in the corresponding layer's IP address pool and adding 1 to obtain the hash value.
6. The identification method of claim 1, wherein the number of users affected by a single attack is estimated from the maximum number of layers of the service entrance pool and the number of service entrances in each layer of the service entrance pool by the following formula:
Figure FDA0002756658790000021
where E is the number of users affected by a single attack, N is the total number of users that have obtained a service entrance, i is the layer number of the service entrance pool, x_i is the number of service entrances in the i-th layer service entrance pool, and m is the maximum number of layers of the service entrance pool.
7. A DDoS attack identification system, characterized by comprising:
an acquisition module, used for obtaining a token of a user;
a setting module, used for setting a plurality of layers of service entrance pools, each layer of service entrance pool being provided with service entrances;
an allocation module, used for allocating, starting from the first-layer service entrance pool, to each user in the service entrance pool a service entrance corresponding to the user's token;
a first judging module, used for judging whether the service entrance allocated to each user in the current-layer service entrance pool is available; if the service entrance corresponding to a user in the current-layer service entrance pool is available, judging the user to be a normal user; if the service entrance corresponding to a user in the current-layer service entrance pool is unavailable, adding 1 to the layer number of the current-layer service entrance pool;
a second judging module, used for judging whether the layer number incremented by 1 reaches the preset maximum number of layers of the service entrance pool; if it does, continuing to allocate, in the last-layer service entrance pool, a service entrance corresponding to the token to the user whose service entrance was unavailable; if it does not, continuing to increase the layer number and reallocating service entrances to those users in the next-layer service entrance pool;
a third judging module, used for judging whether the service entrance allocated to the user in the last-layer service entrance pool is available;
and an identification module, used for identifying malicious users implementing the DDoS attack according to the judgment result of the third judging module.
8. The identification system of claim 7, wherein the service entrance is an IP address; the service entrance pool is an IP address pool; a plurality of IP addresses are set in the IP address pool, and the IP addresses in each layer's IP address pool carry numbers in one-to-one correspondence with the addresses.
9. The identification system of claim 7, wherein the allocation module, starting from the first-layer service entrance pool, when allocating to each user in the service entrance pool a service entrance corresponding to the user's token, converts the input token value into a hash value with a hash algorithm and takes the service entrance whose number equals the hash value as the service entrance of the token's user.
10. The identification system of claim 7, wherein, when the service entrance is an IP address, the first judging module judges whether the IP address is available by detecting whether the IP address can be connected to.
CN201810859554.5A 2018-08-01 2018-08-01 DDoS attack identification method and system Active CN109120607B (en)


Publications (2)

Publication Number Publication Date
CN109120607A CN109120607A (en) 2019-01-01
CN109120607B true CN109120607B (en) 2021-03-19

Family

ID=64862395

Country Status (1)

Country Link
CN (1) CN109120607B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729568A (en) * 2009-12-11 2010-06-09 北京交通大学 Safety access system and method for guaranteeing source address authenticity by using token mechanism
US8606898B1 (en) * 2007-03-23 2013-12-10 Dhananjay S. Phatak Spread identity communications architecture
CN106941505A (en) * 2017-05-16 2017-07-11 成都迈瑞科科技有限公司 A kind of method and its system of defence ddos attacks
CN107104921A (en) * 2016-02-19 2017-08-29 阿里巴巴集团控股有限公司 Ddos attack defence method and device
CN107277074A (en) * 2017-08-17 2017-10-20 无锡江南影视传播有限公司 A kind of method and apparatus for preventing network attack
CN107819727A (en) * 2016-09-13 2018-03-20 腾讯科技(深圳)有限公司 A kind of network safety protection method and system based on the safe credit worthiness of IP address
CN108063762A (en) * 2017-12-12 2018-05-22 蔡昌菊 A kind of method and system for protecting DDOS attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant