CN109218250A - DDoS defense method and system based on an automatic failover system - Google Patents
- Publication number: CN109218250A
- Application number: CN201710514072.1A
- Authority: CN (China)
- Prior art keywords: vip, ddos, cluster, address, failure
- Legal status: Pending (the status listed by Google Patents is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
      - H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        - H04L41/06—Management of faults, events, alarms or notifications
          - H04L41/0654—Management of faults, events, alarms or notifications using network fault recovery
            - H04L41/0663—Performing the actions predefined by failover planning, e.g. switching to standby network elements
      - H04L61/00—Network arrangements, protocols or services for addressing or naming
        - H04L61/45—Network directories; Name-to-address mapping
          - H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
            - H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to the field of network security, and in particular to a DDoS defense method and system based on an automatic failover system. The DDoS defense method comprises: during domain name resolution, determining whether each VIP address in a VIP cluster is under DDoS attack; if the determination result is yes, abandoning the VIP address under DDoS attack and directing traffic to the VIP addresses that are not under attack; if the determination result is no, directing traffic evenly across all VIP addresses in the VIP cluster. The technical solution of the present invention uses automatic failover to steer clear of attack traffic: attackers generally target a VIP, so a VIP under DDoS attack is automatically abandoned and normal traffic is directed to the other VIPs that are not under attack. The servers are thus kept out of the attack, the DDoS attack problem is effectively addressed, and cost and difficulty of use are greatly reduced at the same time.
Description
Technical field
The present invention relates to the field of network security, and in particular to a DDoS defense method and system based on an automatic failover system.
Background art
With the popularization and development of Internet applications, user experience receives more and more attention, so many DDoS (distributed denial of service attack) products have appeared on the market. Currently, the usual approach is a high-defense IP with a powerful processing cluster behind it. The cluster analyzes the traffic and uses techniques such as human/machine identification and anomaly detection to clean and filter it, passing legitimate traffic and blocking or discarding malicious traffic, thereby providing DDoS protection. The disadvantages of the existing DDoS protection methods are obvious:
High cost: purchasing a professional DDoS protection service costs tens of thousands of yuan per month and easily several hundred thousand yuan per year, which small and medium-sized businesses and start-ups cannot bear.
Low performance: the common industry practice is traffic cleaning and filtering; every additional layer of processing adds a layer of latency, which ultimately lengthens the service response time and hurts user experience.
False positives: DDoS protection generally relies on techniques such as human/machine identification and anomaly detection. Although these techniques are relatively mature, they still misjudge and block the access of some real users, so some real users are hurt as collateral damage, which degrades user experience.
Summary of the invention
In view of the shortcomings of the above problems, the present invention provides a DDoS defense method and system based on an automatic failover system.
To achieve the above object, the present invention provides a DDoS defense method based on an automatic failover system, comprising:
during domain name resolution, determining whether each VIP (Virtual IP) address in a VIP cluster is under DDoS attack;
if the determination result is yes, abandoning the VIP address under DDoS attack and directing traffic to the VIP addresses that are not under attack;
if the determination result is no, directing traffic evenly across all VIP addresses in the VIP cluster.
In the above DDoS defense method, before domain name resolution, the method further comprises:
a user requesting access to a Web (World Wide Web) site or an API (Application Programming Interface) site.
The technical solution provided by the disclosed embodiments may have the following beneficial effects: automatic failover is used to steer clear of attack traffic. Attackers generally target a VIP, so a VIP under DDoS attack is automatically abandoned and normal traffic is directed to the other VIPs that are not under attack. The servers are thus kept out of the attack, the DDoS attack problem is effectively addressed, and cost and difficulty of use are greatly reduced at the same time.
In the above DDoS defense method based on an automatic failover system, determining whether each VIP address in the VIP cluster is under DDoS attack specifically comprises:
using a health check module to detect each VIP address in the VIP cluster in real time.
The above DDoS defense method based on an automatic failover system further comprises a plurality of host servers, and each request forwarded by a VIP address lands on one of the host servers.
According to a second aspect of the present invention, a DDoS defense system is proposed, comprising:
a determination unit, for determining, during domain name resolution, whether each VIP address in a VIP cluster is under DDoS attack;
a first output unit, for abandoning the VIP address under DDoS attack and directing traffic to the VIP addresses not under attack when the determination result of the determination unit is yes;
a second output unit, for directing traffic evenly across all VIP addresses in the VIP cluster when the determination result of the determination unit is no.
The technical solution provided by the disclosed embodiments may have the same beneficial effects described above for the method: automatic failover steers clear of attack traffic, the attacked VIP is abandoned automatically, normal traffic goes to the VIPs not under attack, the servers are kept out of the attack, and cost and difficulty of use are greatly reduced.
The above DDoS defense system further comprises:
a request unit, for a user to request access to a Web site or an API site.
The above DDoS defense system further comprises:
a health check unit, for detecting each VIP address in the VIP cluster in real time.
The above DDoS defense system further comprises:
a forwarding unit, for forwarding the user's request via the VIP cluster to one host server in a cluster formed by a plurality of host servers.
Brief description of the drawings
Fig. 1 is a first flowchart of the DDoS defense method based on an automatic failover system in one embodiment of the present invention.
Fig. 2 is a first structural block diagram of the DDoS defense system in one embodiment of the present invention.
Fig. 3 is a second flowchart of the DDoS defense method based on an automatic failover system in one embodiment of the present invention.
Fig. 4 is a second structural block diagram of the DDoS defense system in one embodiment of the present invention.
Detailed description of embodiments
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
As shown in Fig. 1, the DDoS defense method based on an automatic failover system comprises:
Step S1: during domain name resolution, determining whether each VIP address in the VIP cluster is under DDoS attack;
Step S2: if the determination result is yes, abandoning the VIP address under DDoS attack and directing traffic to the VIP addresses not under attack;
Step S3: if the determination result is no, directing traffic evenly across all VIP addresses in the VIP cluster.
The DDoS defense method based on an automatic failover system according to the embodiment of the present invention uses automatic failover to steer clear of attack traffic: attackers generally target a VIP, so the VIP under DDoS attack is automatically abandoned and normal traffic is directed to the other VIPs not under attack. The servers are thus kept out of the attack, the DDoS attack problem is effectively addressed, and cost and difficulty of use are greatly reduced at the same time.
In addition, the DDoS defense method based on an automatic failover system provided by the above embodiment of the present invention has the following technical features:
In the above technical solution, before domain name resolution, the method further comprises: a user requesting access to a Web site or an API site.
In this technical solution, the user accesses the Web site or API site and sends an access request, which prepares for the next step.
In the above technical solution, preferably, determining whether each VIP address in the VIP cluster is under DDoS attack specifically comprises: using a health check module to detect each VIP address in the VIP cluster in real time.
In this technical solution, the health check module detects each VIP address in the VIP cluster in real time, probing whether each VIP address is able to serve; as soon as a failed VIP is found, the attacked VIP address is masked so that traffic is no longer directed to the failed VIP.
Further, a detection module with the same function as the health check module may also be used to detect each VIP address in the VIP cluster in real time.
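The health check module is described above only by its function (probe each VIP in real time, mask a VIP as soon as it fails), not by how it decides that a VIP has failed. The following is an added example, not code from the patent or from any product, of one way to implement such a probe: a TCP connect with a timeout, plus a consecutive-failure threshold so that a single dropped packet does not trigger a failover. The threshold, the timeout, the loopback endpoints that stand in for VIPs, and the names `VipHealth`, `run_check`, `tcp_probe` and `demo` are assumptions of this example.

```python
"""Availability detection for a VIP cluster (added example, not the patent's code).

Assumptions not stated in the patent: a VIP is "up" when a TCP handshake to its
service port completes within a timeout, and it is marked failed only after
`threshold` consecutive failed probes.  The two endpoints probed by demo() are
constructed loopback listeners so the example runs offline.
"""
from __future__ import annotations

import socket
import threading
from dataclasses import dataclass


@dataclass
class VipHealth:
    name: str
    host: str
    port: int
    failures: int = 0      # consecutive failed probes
    healthy: bool = True   # False => intelligent DNS must stop handing out this VIP


def tcp_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connection to host:port is accepted within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, unreachable, or timed out
        return False


def run_check(state: VipHealth, threshold: int = 3, probe=tcp_probe) -> bool:
    """One health-check round for a VIP; returns the updated healthy flag."""
    if probe(state.host, state.port):
        state.failures = 0
        state.healthy = True
    else:
        state.failures += 1
        if state.failures >= threshold:
            state.healthy = False
    return state.healthy


def start_stub_service() -> tuple[socket.socket, int]:
    """Loopback listener standing in for the service behind a healthy VIP."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:    # listener closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Reserve and release a loopback port so nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(rounds: int = 3, threshold: int = 3) -> dict[str, bool]:
    """Probe one live and one dead constructed 'VIP' for `rounds` rounds."""
    srv, up_port = start_stub_service()
    vips = [VipHealth("vip-a", "127.0.0.1", up_port),
            VipHealth("vip-b", "127.0.0.1", closed_port())]
    try:
        for _ in range(rounds):
            for v in vips:
                run_check(v, threshold)
    finally:
        srv.close()
    return {v.name: v.healthy for v in vips}


if __name__ == "__main__":
    print(demo())   # vip-a stays healthy, vip-b is masked after 3 failed probes
```

A VIP saturated by a volumetric attack typically fails this kind of probe (the SYN is never answered, or answered too late), which is how "under attack" and "failed" coincide in the patent's scheme; any other cause of failure, such as a crash or misconfiguration, triggers the same failover. Recovery in this example is immediate on one successful probe; requiring several consecutive successes before re-adding a VIP would avoid flapping during an intermittent attack.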
In this technical solution, IP is the protocol for interconnection between networks, that is, the protocol designed for communication between interconnected computer networks. On the Internet it is the set of rules that lets all connected computer networks communicate with one another, specifying the rules a computer must follow when communicating on the Internet. A computer system from any manufacturer can interconnect with the Internet as long as it follows the IP protocol. IP addresses are unique and can be divided into several classes according to the nature of the user. In addition, IP also has other meanings, such as ingress protection, intellectual property, and the instruction pointer register.
The above technical solution further comprises a plurality of host servers, and each request forwarded by a VIP address lands on one host server.
In this technical solution, the host servers are the cluster of machines that actually provide service to users; every request forwarded via a VIP eventually lands on one host server, and the above operations rely on the host servers.
As shown in Fig. 3:
101: the user requests access to the Web site / API.
102: the intelligent DNS, according to the availability detection results, directs traffic evenly across the VIP (Virtual IP) cluster.
102-1: availability detection requires a health check module so that failover can be performed promptly. It detects in real time the availability of the service on each VIP in the VIP cluster; a failed VIP is masked at once so that traffic is no longer directed to it.
103: the VIP cluster is the core of the scheme. A VIP cluster is used in order to spread attack traffic, so that even if some VIPs are attacked, the other VIPs remain available and service can still be provided to users. Each DNS (Domain Name System) resolution request from a user is eventually resolved to one VIP.
104: the RealServer (host) cluster is the cluster of machines that actually provide service to users; every request distributed via a VIP eventually lands on one RealServer.
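Steps S1 to S3 above and items 101 to 104 of the Fig. 3 flow describe the resolution-time decision but not how the intelligent DNS combines the health-check results with balancing. The block below is an added example (not the patent's or any product's code) of that decision: the health-check results arrive as a mapping of VIP to up/down, balancing is round-robin over the healthy VIPs, an attacked VIP is abandoned and replaced by a pre-configured spare VIP as the Fig. 4 description mentions, and the answer carries a shorter TTL after a failover. The class and method names, the TTL values, the number of answers returned, the treatment of a not-yet-probed VIP as up, and the 203.0.113.0/24 documentation addresses are all assumptions constructed for this example.

```python
"""Resolution-time decision of the intelligent DNS (added example, not the patent's code).

Assumptions not stated in the patent: health results arrive as {vip: is_up};
a VIP missing from the map has not been probed yet and is treated as up;
balancing is round-robin; an abandoned VIP is replaced by a pre-configured
spare; the TTL is shortened after a failover.  Addresses are RFC 5737
documentation addresses constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class IntelligentDns:
    active: list[str]                                    # VIPs currently being handed out
    spares: list[str] = field(default_factory=list)      # pre-configured backup VIPs
    ttl_normal: int = 60
    ttl_failover: int = 10
    abandoned: list[str] = field(default_factory=list)   # VIPs dropped because they were attacked
    _rr: int = 0                                         # round-robin cursor

    def resolve(self, health: dict[str, bool], answers: int = 2) -> tuple[list[str], int]:
        """Answer one DNS query: (VIPs to return, TTL)."""
        # S1: is any active VIP failing its health check?
        attacked = [v for v in self.active if not health.get(v, True)]
        if attacked:
            # S2: abandon each attacked VIP and promote a spare if one is configured
            for v in attacked:
                self.active.remove(v)
                self.abandoned.append(v)
                if self.spares:
                    self.active.append(self.spares.pop(0))
            ttl = self.ttl_failover
        else:
            ttl = self.ttl_normal
        # S3 (and the healthy remainder after S2): balance over the healthy VIPs
        healthy = [v for v in self.active if health.get(v, True)]
        if not healthy:
            # Not covered by the patent: nothing is left to hand out, so answer
            # empty with the short TTL rather than steer users onto an attacked VIP.
            return [], self.ttl_failover
        start = self._rr % len(healthy)
        self._rr += 1
        rotated = healthy[start:] + healthy[:start]
        return rotated[:answers], ttl


if __name__ == "__main__":
    dns = IntelligentDns(active=["203.0.113.10", "203.0.113.11", "203.0.113.12"],
                         spares=["203.0.113.20"])
    up = {v: True for v in dns.active + dns.spares}
    print(dns.resolve(up))                               # balanced answer, TTL 60
    print(dns.resolve({**up, "203.0.113.10": False}))    # .10 abandoned, .20 promoted, TTL 10
    print(dns.abandoned, dns.active)
```

The decision is made only when a resolver asks; clients that cached an earlier answer keep sending to the abandoned VIP until that answer's TTL expires, so the failover TTL bounds how long normal users stay on the attacked address. The empty answer in the all-failed case is this example's choice; the patent does not say what happens when every VIP in the cluster is attacked.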
As shown in Fig. 2, according to an embodiment of the second aspect of the present invention, a DDoS defense system is proposed, comprising: a determination unit, for determining, during domain name resolution, whether each VIP address in the VIP cluster is under DDoS attack; a first output unit, for abandoning the VIP address under DDoS attack and directing traffic to the VIP addresses not under attack when the determination result of the determination unit is yes; and a second output unit, for directing traffic evenly across all VIP addresses in the VIP cluster when the determination result of the determination unit is no.
The DDoS defense system according to the embodiment of the present invention uses automatic failover to steer clear of attack traffic: attackers generally target a VIP, so the VIP under DDoS attack is automatically abandoned and normal traffic is directed to the other VIPs not under attack. The servers are thus kept out of the attack, the DDoS attack problem is effectively addressed, and cost and difficulty of use are greatly reduced at the same time.
In addition, the DDoS defense system provided by the above embodiment of the present invention has the following technical features:
In the above embodiment, the system further comprises a request unit, for a user to request access to a Web site or an API site.
In this technical solution, the user accesses the Web site or API site and sends an access request, which prepares for the next step.
In the above technical solution, a health check unit detects each VIP address in the VIP cluster in real time.
In this technical solution, the health check module detects each VIP address in the VIP cluster in real time, probing whether each VIP address is able to serve; as soon as a failed VIP is found, the attacked VIP address is masked so that traffic is no longer directed to the failed VIP.
Further, a detection module with the same function as the health check module may also be used to detect each VIP address in the VIP cluster in real time.
In the above technical solution, a forwarding unit forwards the user's request via the VIP cluster to the plurality of host servers.
In the above technical solution, the system further comprises a plurality of host servers, and each request forwarded by a VIP address lands on one host server.
In this technical solution, the host servers are the cluster of machines that actually provide service to users; every request forwarded via a VIP eventually lands on one host server, and the above operations rely on the host servers.
As shown in Fig. 4, the product mainly consists of three parts.
Intelligent DNS resolution: two submodules, load balancing and availability detection. The former spreads traffic evenly across the VIPs below it; the latter detects VIP service failures caused by attacks or other reasons and promptly notifies load balancing, which then directs traffic only to the VIPs whose service is normal and automatically ignores the VIPs whose service is abnormal.
VIP cluster: the core of the scheme, used to spread traffic so that a large-scale service outage is avoided when under attack and the traffic affected by an attack is minimized. Backup VIPs can be pre-configured: when attack traffic arrives, the attacked VIP is abandoned and a spare VIP is enabled, so that the attacker comes away empty-handed. To improve availability, the scheme implements load balancing and availability detection as two submodules, one for availability checks of the RealServers and one for traffic balancing, while automatically masking failed RealServers.
RealServer cluster: the basic guarantee module. Without a RealServer cluster, not only a DDoS attack but even slightly larger normal traffic could paralyze the RealServer, and DDoS protection would have nothing to build on. This module raises the throughput of the service itself and makes DDoS protection possible.
The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims (8)
1. A DDoS defense method based on an automatic failover system, characterized by comprising:
during domain name resolution, determining whether each VIP address in a VIP cluster is under DDoS attack;
if the determination result is yes, abandoning the VIP address under DDoS attack and directing traffic to the VIP addresses that are not under attack;
if the determination result is no, directing traffic evenly across all VIP addresses in the VIP cluster.
2. The DDoS defense method based on an automatic failover system according to claim 1, characterized in that, before the domain name resolution, the method further comprises:
a user requesting access to a Web site or an API site.
3. The DDoS defense method based on an automatic failover system according to claim 1, characterized in that determining whether each VIP address in the VIP cluster is under DDoS attack specifically comprises:
using a health check module to detect each VIP address in the VIP cluster in real time.
4. The DDoS defense method based on an automatic failover system according to any one of claims 1 to 3, characterized in that:
the method further comprises a plurality of host servers, and each request forwarded by a VIP address lands on one of the host servers.
5. A DDoS defense system, characterized by comprising:
a determination unit, for determining, during domain name resolution, whether each VIP address in a VIP cluster is under DDoS attack;
a first output unit, for abandoning the VIP address under DDoS attack and directing traffic to the VIP addresses not under attack when the determination result of the determination unit is yes;
a second output unit, for directing traffic evenly across all VIP addresses in the VIP cluster when the determination result of the determination unit is no.
6. The DDoS defense system according to claim 5, characterized by further comprising:
a request unit, for a user to request access to a Web site or an API site.
7. The DDoS defense system according to claim 5, characterized in that it comprises:
a health check unit, for detecting each VIP address in the VIP cluster in real time.
8. The DDoS defense system according to any one of claims 5 to 7, characterized in that it comprises:
a forwarding unit, for forwarding the user's request via the VIP cluster to one host server in a cluster formed by a plurality of host servers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710514072.1A (CN109218250A) | 2017-06-29 | 2017-06-29 | DDoS defense method and system based on an automatic failover system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109218250A | 2019-01-15 |
Family ID: 64976455
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710514072.1A (CN109218250A, pending) | DDoS defense method and system based on an automatic failover system | 2017-06-29 | 2017-06-29 |
Country Status (1)
Country | Link |
---|---|
CN | CN109218250A (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1812344A (en) * | 2006-03-09 | 2006-08-02 | 杭州华为三康技术有限公司 | Method and system for realizing load balancing |
CN101640620A (en) * | 2009-09-01 | 2010-02-03 | 杭州华三通信技术有限公司 | Method and device for health detection for equalized equipment |
WO2012011070A1 (en) * | 2010-07-21 | 2012-01-26 | Seculert Ltd. | Network protection system and method |
CN106302313A (en) * | 2015-05-14 | 2017-01-04 | 阿里巴巴集团控股有限公司 | DDoS defence method based on dispatching patcher and DDoS system of defense |
US20170111389A1 (en) * | 2015-10-18 | 2017-04-20 | NxLabs Limited | Method and system for protecting domain name system servers against distributed denial of service attacks |
CN106210147A (en) * | 2016-09-13 | 2016-12-07 | 郑州云海信息技术有限公司 | A kind of load-balancing method based on poll and device |
CN106411910A (en) * | 2016-10-18 | 2017-02-15 | 上海优刻得信息科技有限公司 | Defense method and system for distributed denial of service (DDoS) attacks |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110012038A (en) * | 2019-05-29 | 2019-07-12 | 中国人民解放军战略支援部队信息工程大学 | A kind of network attack defence method and system |
CN112165495A (en) * | 2020-10-13 | 2021-01-01 | 北京计算机技术及应用研究所 | DDoS attack prevention method and device based on super-fusion architecture and super-fusion cluster |
CN113037716A (en) * | 2021-02-07 | 2021-06-25 | 杭州又拍云科技有限公司 | Attack defense method based on content distribution network |
CN113037716B (en) * | 2021-02-07 | 2021-12-21 | 杭州又拍云科技有限公司 | Attack defense method based on content distribution network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190115 |