CN110213214A - A kind of attack guarding method, system, device and storage medium


Info

Publication number: CN110213214A
Authority: CN (China)
Prior art keywords: protection module, target, attack, service, protection
Legal status: Granted
Application number: CN201810572199.3A
Other languages: Chinese (zh)
Other versions: CN110213214B (en)
Inventor: 金帅
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201810572199.3A
Publication of CN110213214A
Application granted
Publication of CN110213214B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service


Abstract

Embodiments of the invention disclose a distributed denial of service (DDoS) attack protection method, system, device and storage medium. An embodiment receives a target route published by a target protection module, the target route being generated by the target protection module from the destination address of the DDoS attack; obtains the priority information of the protection modules that have currently published routes; generates a traction path according to that priority information, with the target protection module as the path endpoint; and, according to the traction path, draws the service traffic directed at the target route to the corresponding protection modules for cleaning. The scheme thus uses the traction path to connect multiple layers of protection modules in series, which both achieves layered defence against DDoS attacks and filters service traffic through the series connection, ensuring the completeness and performance balance of the DDoS protection system as a whole and improving the overall DDoS protection effect.

Description

A kind of attack guarding method, system, device and storage medium
Technical field
The present invention relates to the field of communication technology, and in particular to a distributed denial of service attack protection method, system, device and storage medium.
Background technique
As network bandwidth has grown, DDoS (Distributed Denial of Service) attack traffic has grown explosively. To achieve its purpose, a large volume of attack traffic may combine several attack techniques at the same time, such as conventional reflection attacks, connection exhaustion attacks and CC (Challenge Collapsar) attacks. The traditional protection scheme deploys a single DDoS defence device at the machine-room entry point, which provides both layer-4 and layer-7 protection at the network level.
In researching and practising the prior art, the inventors found that layer-7 DDoS defence usually requires deep packet analysis and detection, such as signature filtering and regular-expression matching, and therefore consumes more power and occupies more resources than layer-4 DDoS defence. When a mixed layer-4 and layer-7 DDoS attack occurs and the same device performs both layer-4 and layer-7 defence, the layer-7 defence consumes a large share of the device's performance and leaves fewer resources for layer-4 defence; this seriously degrades layer-4 defence performance and results in poor DDoS protection.
Summary of the invention
The embodiments of the present invention provide a distributed denial of service attack protection method, system, device and storage medium, intended to improve the effect of DDoS attack protection.
An embodiment of the present invention provides a distributed denial of service attack protection method, comprising:
receiving a target route published by a target protection module, the target route being generated by the target protection module according to the destination address of the distributed denial of service attack;
obtaining the priority information of the protection modules that have currently published routes;
generating a traction path according to the priority information, with the target protection module as the path endpoint;
drawing, according to the traction path, the service traffic directed at the target route to the corresponding protection module for cleaning.
In some embodiments, generating the traction path according to the priority information with the target protection module as the path endpoint comprises:
obtaining, according to the priority information, the protection modules whose priority is higher than that of the target protection module as preamble protection modules;
generating the traction path according to the priorities of the preamble protection modules and the target protection module, with the target protection module as the path endpoint.
In some embodiments, generating the traction path according to the priorities of the preamble protection modules and the target protection module, with the target protection module as the path endpoint, comprises:
sorting the preamble protection modules and the target protection module in order of priority from high to low, according to the priority information;
generating the traction path according to that order, with the highest-priority preamble protection module as the path start point and the target protection module as the path endpoint.
In some embodiments, the traction path includes one or more preamble protection modules ordered before the target protection module, and drawing the service traffic directed at the target route to the corresponding protection module for cleaning according to the traction path comprises:
drawing, according to the traction path, the service traffic directed at the target route to a preamble protection module, so that the preamble protection module performs attack detection on it;
if the preamble protection module determines that the service traffic is safe traffic, drawing the service traffic, according to the traction path, to the next preamble protection module or to the target protection module for attack detection.
In some embodiments, after the service traffic is drawn to the target protection module for attack detection, the method further comprises:
if the target protection module determines that the service traffic is safe traffic, returning the service traffic to its source, that is, to the destination address.
In some embodiments, the method further comprises:
if re-injected traffic returned by a preamble protection module and/or the target protection module during attack detection is received, returning the re-injected traffic to the client corresponding to the service traffic.
In some embodiments, the method further comprises:
obtaining the attack detection results of the preamble protection modules and/or the target protection module;
obtaining attack information by analysing the attack detection results, and sharing the attack information with the protection modules in the traction path.
An embodiment of the present invention also provides a distributed denial of service attack protection system, comprising:
a detection device, for triggering the target protection cluster to publish a target route to the cleaning switch when a distributed denial of service attack is detected, the target route being generated by the target protection cluster according to the destination address of the attack;
a cleaning switch, for receiving the target route published by the target protection cluster, the target route being generated by the target protection cluster according to the destination address of the distributed denial of service attack; obtaining the priority information of the protection clusters that have currently published routes; generating a traction path according to the priority information with the target protection cluster as the path endpoint; and drawing, according to the traction path, the service traffic directed at the target route to the corresponding protection cluster for cleaning;
protection clusters, including at least the target protection cluster, for publishing routes to the cleaning switch and cleaning the service traffic drawn to them by the cleaning switch.
In some embodiments, the detection device is specifically configured to:
obtain the attacked destination address when a distributed denial of service attack is detected;
determine the layer at which the destination address is located according to a preset network communication model, and take that layer as the target layer;
take the protection cluster corresponding to the target layer as the target protection cluster, and send a route traction instruction to the target protection cluster to trigger it to publish a target route to the cleaning switch according to the destination address.
In some embodiments, the protection clusters further include one or more preamble protection clusters whose priority is higher than that of the target protection cluster:
the preamble protection cluster performs attack detection on the service traffic drawn to it by the cleaning switch; if the service traffic is confirmed as safe traffic, it returns the service traffic to the cleaning switch;
the cleaning switch is further configured to draw the service traffic, according to the traction path, to the next preamble protection cluster or to the target protection cluster for attack detection.
In some embodiments, the preamble protection cluster is further configured to:
return re-injected traffic to the cleaning switch if such traffic is generated according to a preset protection policy during attack detection;
the cleaning switch is further configured to receive the re-injected traffic and return it to the client corresponding to the service traffic.
In some embodiments, the Target Protection cluster is specifically used for:
The service traffics of the cleaning exchange machine travel are cleaned;If the service traffics are confirmed as secure flows The service traffics are then returned to the cleaning interchanger by amount;
The cleaning interchanger is also used to receive the service traffics that the Target Protection cluster returns, by the Business Stream Hui Yuan is measured to the destination address.
An embodiment of the present invention also provides a distributed denial of service attack protection device, comprising:
a receiving unit, for receiving the target route published by the target protection module, the target route being generated by the target protection module according to the destination address of the distributed denial of service attack;
a priority unit, for obtaining the priority information of the protection modules that have currently published routes;
a path unit, for generating a traction path according to the priority information, with the target protection module as the path endpoint;
a traction unit, for drawing, according to the traction path, the service traffic directed at the target route to the corresponding protection module for cleaning.
An embodiment of the present invention also provides a storage medium storing a plurality of instructions, the instructions being suitable for loading by a processor to execute the steps of any distributed denial of service attack protection method provided by the embodiments of the present invention.
By receiving the target route published by the target protection module, an embodiment of the present invention determines the host route that needs protection, that is, the service traffic that needs to be drawn and cleaned. It then obtains the priority information of the protection modules that have currently published routes, so that it knows which protection modules are currently running and their priorities; generates a traction path according to that priority information, with the target protection module as the path endpoint; and, according to the traction path, draws the service traffic directed at the target route to the corresponding protection modules for cleaning. The scheme can determine the traction path from the priorities of the routes published by the mounted protection modules, thereby enlisting the protection modules that are currently performing DDoS protection: the running protection modules ahead of the target protection module are used to clean the service traffic directed at the destination address, which filters attack traffic for the target protection module, lightens its workload and reduces the performance it occupies. Whether a single-layer attack or a mixed attack occurs, the protection modules can defend effectively. The scheme therefore uses the traction path to connect multiple layers of protection modules in series, which both achieves layered defence against DDoS attacks and filters service traffic through the series connection, reduces the workload of the high-cost protection module, ensures the completeness and performance balance of the DDoS protection system as a whole, and improves the overall DDoS protection effect.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1a is a schematic diagram of a scenario of the information interaction system provided by an embodiment of the present invention;
Fig. 1b is a flow diagram of the distributed denial of service attack protection method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of an application scenario of distributed denial of service attack protection provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of the distributed denial of service attack protection system provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of the distributed denial of service attack protection device provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of the network device provided by an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The embodiment of the present invention provides a kind of distributed denial of service attack means of defence, system, device and storage medium.
An embodiment of the present invention provides an information interaction system that includes the distributed denial of service attack protection device of any embodiment of the present invention; the DDoS protection device can be integrated into a device such as a server. The system can also include other devices, for example clients and protection modules. A client can be a device such as a terminal or a personal computer (PC, Personal Computer).
With reference to Fig. 1a, an embodiment of the present invention provides an information interaction system including a distributed denial of service attack protection device, clients and protection modules. The DDoS protection device and the clients are connected through a network, or through a core router, which forwards the service traffic sent by the clients to the DDoS protection device. The protection modules mounted under the DDoS protection device include at least the target protection module.
When a distributed denial of service attack occurs, the target protection module generates a target route according to the destination address of the attack and publishes it to the DDoS protection device. The DDoS protection device receives the target route published by the target protection module and obtains the priority information of the protection modules that have currently published routes; it then generates a traction path according to the priority information, with the target protection module as the path endpoint; and when it receives service traffic sent by a client, it draws the service traffic directed at the target route to the corresponding protection modules for cleaning according to the traction path.
The scheme thus determines the traction path from the priorities of the routes published by the mounted protection modules, thereby enlisting the protection modules that are currently performing DDoS protection: the running protection modules ahead of the target protection module are used to clean the service traffic directed at the destination address, which filters attack traffic for the target protection module, lightens its workload and reduces the performance it occupies. Whether a single-layer attack or a mixed attack occurs, the protection modules can defend effectively. The scheme therefore uses the traction path to connect multiple layers of protection modules in series, which both achieves layered defence against DDoS attacks and filters service traffic through the series connection, reduces the workload of the high-cost protection module, ensures the completeness and performance balance of the DDoS protection system as a whole, and improves the overall DDoS protection effect.
The example of Fig. 1a above is one system architecture example for implementing the embodiments of the present invention; the embodiments are not limited to the system structure shown in Fig. 1a, and the following embodiments are proposed on the basis of this system architecture.
In this embodiment, the description is given from the perspective of the distributed denial of service attack protection device, which can be integrated into a network device such as a switch or a server.
An embodiment of the present invention provides a distributed denial of service attack protection method comprising: receiving the target route published by the target protection module, the target route being generated by the target protection module according to the destination address of the DDoS attack; obtaining the priority information of the protection modules that have currently published routes; generating a traction path according to the priority information, with the target protection module as the path endpoint; and, according to the traction path, drawing the service traffic directed at the target route to the corresponding protection modules for cleaning.
As shown in Fig. 1b, the detailed flow of the distributed denial of service attack protection method can be as follows:
101. Receive the target route published by the target protection module, the target route being generated by the target protection module according to the destination address of the distributed denial of service attack.
When a distributed denial of service (DDoS) attack occurs, the detection device obtains the IP (Internet Protocol) address of the attacked service host as the destination address that needs protection.
The detection device then determines the target protection module according to the destination address and sends a route traction command to the target protection module, triggering it to publish a target route to the cleaning switch. The detection device can determine the layer at which the destination address is located according to a preset network communication model and take that layer as the target layer; the protection module corresponding to the target layer is then taken as the target protection module.
It should be noted that the preset network communication model can be the TCP/IP (Transmission Control Protocol/Internet Protocol) model, which from low to high consists of the network interface layer, network layer, transport layer and application layer. The preset network communication model can also be the OSI (Open System Interconnection) reference model, which from low to high consists of the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. The preset network communication model can of course also be a custom model, configured flexibly according to actual needs. Each layer of the preset network communication model has a corresponding protection module; each layer can correspond to a different protection module, or several layers can correspond to one protection module, as configured according to actual needs.
According to the destination address, the detection device determines the layer of the attacked service host in the preset network communication model and obtains the target layer; the protection module corresponding to the target layer is the target protection module. In one implementation, if the attacked service host is located at the network layer or below, the detection device determines that the target protection module is the layer-4 protection module; if the attacked service host is located above the network layer, for example at the application layer, the detection device determines that the target protection module is the layer-7 protection module, which usually performs deep packet analysis and detection and occupies relatively more performance. For example, if the destination address corresponds to a service host handling HTTP (HyperText Transfer Protocol) services, which sit at the application layer, the target protection module is determined to be the layer-7 protection module; if the destination address corresponds to a service host handling TCP connection services, which sit at the network layer, the target protection module is determined to be the layer-4 protection module.
After receiving the route traction command, the target protection module obtains the destination address, determines the host route that needs protection according to the destination address, and generates the target route. The target route can be a network segment containing the destination address, or can point only to the destination address, as configured according to actual needs. The target protection module then publishes the target route to the DDoS protection device.
Protection modules of multiple layers are mounted under the DDoS protection device, which establishes a BGP (Border Gateway Protocol) connection with the protection module of each layer for communication. On receiving the target route published by the target protection module, the DDoS protection device learns that the service traffic directed at the target route may be attack traffic and needs to be drawn to the target protection module for cleaning.
102. Obtain the priority information of the protection modules that have currently published routes.
The priority information can be configured when the DDoS protection device establishes its BGP connection with the protection module of each layer; the priority of a lower-layer protection module is higher than that of a higher-layer protection module. For example, because the layer-7 protection module occupies more resources and performance, the layer-4 protection module is preset with a higher priority than the layer-7 protection module, so that the layer-4 protection module cleans the traffic first, which reduces the workload of the layer-7 protection module and reduces resource and performance loss.
The DDoS protection device needs to determine, from the routes currently received, which protection modules have published routes, so as to learn which protection modules are currently performing traffic cleaning and resisting the distributed denial of service attack. It then obtains the priority information of these protection modules that have published routes.
The priority information can include information such as the specific priority level of each protection module.
For example, the protection modules that have currently published routes include the layer-4 protection module and the layer-7 protection module. The DDoS protection device obtains the priority information of the layer-4 and layer-7 protection modules, and thereby obtains their priorities.
103. Generate a traction path according to the priority information, with the target protection module as the path endpoint.
The traction path is the path along which service traffic is cleaned; it includes the protection modules that the service traffic needs to flow through and the order in which it flows through them.
The DDoS protection device generates the traction path in priority order according to the priority information of the protection modules that have published routes, with the target protection module as the path endpoint. In some embodiments, step 103 can include:
obtaining, according to the priority information, the protection modules whose priority is higher than that of the target protection module as preamble protection modules;
generating the traction path according to the priorities of the preamble protection modules and the target protection module, with the target protection module as the path endpoint.
The priority information includes the priorities of the protection modules that have currently published routes. According to the priority information, the DDoS protection device filters out the protection modules whose priority is higher than that of the target protection module as preamble protection modules. For example, if the protection modules that have currently published routes include the layer-4 and layer-7 protection modules, the target protection module is the layer-7 protection module, and the priority of the layer-4 protection module is higher than that of the layer-7 protection module, then the DDoS protection device takes the layer-4 protection module as the preamble protection module.
The DDoS protection device then generates the traction path according to the priorities of the preamble protection modules and the target protection module, with the target protection module as the path endpoint. For example, this can be done as follows:
sorting the preamble protection modules and the target protection module in order of priority from high to low, according to the priority information;
generating the traction path according to that order, with the highest-priority preamble protection module as the path start point and the target protection module as the path endpoint.
Wherein, preamble protection module can have multiple or one.
If preamble protection module only has one, distributed denial of service attack protective device is according to precedence information to preceding After sequence protection module and Target Protection module are ranked up, preamble protection module highest priority, Target Protection module priority It is minimum.Then, using preamble protection module as path starting point and Target Protection module as path termination generates traction path.
If there are two preamble protection modules or more, distributed denial of service attack protective device is according to precedence information Each preamble protection module and Target Protection module are ranked up, risen the preamble protection module of highest priority as path The preamble protection module that point, priority are taken second place as second node in path, and so on, by the target that priority is minimum Protection module generates traction path as path termination.
It should be noted that if including multiple protection submodules, then root in preamble protection module/or Target Protection module The position in path is being drawn according to the preset priority of each protection submodule and preamble protection module and Target Protection module, Each protection submodule is configured in traction path.For example, Target Protection module is seven layers of protection module, including WAP (Wireless Application Protocol, wireless application communication protocol) protects submodule, CC (Challenge Collapsar, Challenging black hole) protection submodule etc., then path termination is configured by seven layers of protection module, path termination includes pressing Submodule etc. is protected according to WAP protection submodule, the CC of priority orders arrangement.
It in some embodiments, will traction if obtaining the protection module that priority is higher than Target Protection module not successfully Path is configured to Target Protection module.
Distributed denial of service attack protective device configures to obtain traction path as a result,.
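As an added illustration of step 103, and not code from the patent or its assignee, the following Python block builds a traction path from the protection modules that have published routes: modules with a priority higher than the target's become preamble modules, they are sorted from high to low priority, the target is appended as the path end point, and a module with submodules contributes them in their preset order at its own position. The module names, priority values, route prefixes and the WAP/CC submodule split are constructed sample values.

```python
# Added example, not code from the patent: build a traction path from the
# protection modules that have published routes, ordered by priority, with the
# target protection module as the path end point. Module names, priorities and
# the route prefixes are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProtectionModule:
    name: str
    priority: int                      # higher value = higher priority (assumption)
    published_route: str               # target route this module published (CIDR)
    # Submodules / devices attached in parallel, listed highest priority first.
    submodules: List[str] = field(default_factory=list)


def build_traction_path(published: List[ProtectionModule],
                        target: ProtectionModule) -> List[str]:
    """Return the traction path as an ordered list of node names.

    Preamble modules are the published modules whose priority is strictly
    higher than the target's; they are sorted from high to low priority and
    the target is appended as the path end point. A module that has
    submodules contributes them, in their preset order, at its own position.
    If no higher-priority module exists the path is the target alone.
    """
    preamble = [m for m in published
                if m is not target and m.priority > target.priority]
    preamble.sort(key=lambda m: m.priority, reverse=True)
    path: List[str] = []
    for module in preamble + [target]:
        path.extend(module.submodules or [module.name])
    return path


def traction_paths_for_all(published: List[ProtectionModule]) -> Dict[str, List[str]]:
    """One traction path per published target route."""
    return {m.published_route: build_traction_path(published, m) for m in published}


# Constructed sample: a layer-4 cluster outranks a layer-7 cluster whose
# WAP and CC devices hang in parallel off the cleaning switch.
LAYER4 = ProtectionModule("layer-4 DDoS cluster", 20, "203.0.113.0/24")
LAYER7 = ProtectionModule("layer-7 DDoS cluster", 10, "198.51.100.0/24",
                          ["WAP protection device", "CC protection device"])

if __name__ == "__main__":
    for route, path in traction_paths_for_all([LAYER4, LAYER7]).items():
        print(route, "->", " - ".join(path))
```

With the constructed modules, the layer-4 route yields a one-node path and the layer-7 route yields "layer-4 DDoS cluster - WAP protection device - CC protection device", the two shapes the description above distinguishes.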
104. According to the traction path, the service traffic directed to the target route is pulled to the corresponding protection module for cleaning.
The service traffic directed to the target route is service traffic whose destination address is identical to the target route, or whose destination address lies within the network segment of the target route.
After receiving the traffic forwarded by the core router, the distributed denial of service attack protection device obtains the destination address of the traffic; if the destination address is identical to the target route or lies within the network segment of the target route, the traffic is determined to be traffic directed to the target route.
The distributed denial of service attack protection device then pulls this service traffic to the path start point according to the traction path, where it is cleaned.
In some embodiments, the traction path includes one or more preamble protection modules ordered before the target protection module, and step 104 may specifically be as follows:
(1) According to the traction path, the service traffic directed to the target route is pulled to a preamble protection module, so that the preamble protection module performs attack detection.
According to the traction path, the distributed denial of service attack protection device pulls the service traffic to the path start point, that is, to the protection module of highest priority, for cleaning.
The preamble protection module performs attack detection to determine whether the service traffic is attack traffic; for example, protection policies such as the SYN cookie algorithm, the SYN reset algorithm and TCP message state detection may be used for attack detection.
Taking a SYN flood attack as the example, the preamble protection module is a layer-4 protection module, which triggers the SYN cookie algorithm to perform attack detection. For the negotiation SYN message of a new TCP connection, the preamble protection module computes a cookie value from the connection information and returns it to the client as the initial sequence number (seq number) of the SYN+ACK message. A normal user responds to this SYN+ACK and returns an ACK confirmation message. The preamble protection module validates the cookie information carried in the ACK message returned by the client and judges whether the traffic is attack traffic. When an attacker launches a SYN flood attack, the client cannot send valid cookie information and therefore cannot establish a connection with the preamble protection module; from this the preamble protection module can determine whether the service traffic is attack traffic.
(2) If re-injection traffic returned by the preamble protection module is received during attack detection, the re-injection traffic is returned to the client corresponding to the service traffic.
For example, again taking a SYN flood attack, the preamble protection module is a layer-4 protection module, which triggers the SYN cookie algorithm to perform attack detection. The preamble protection module intercepts the negotiation SYN message of the new TCP connection, computes a cookie value from the connection information and returns it to the client as the initial sequence number (seq number) of the SYN+ACK message. The message that the preamble protection module needs to return to the client therefore includes the SYN+ACK message, which carries this cookie value; this SYN+ACK message returned to the client is the re-injection traffic.
When the distributed denial of service attack protection device receives the re-injection traffic returned by the preamble protection module for this service traffic, it returns the re-injection traffic to the client corresponding to the service traffic, and pulls the service traffic that the client sends in response to the re-injection traffic to the preamble protection module, so that the preamble protection module performs attack detection.
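As an added illustration of the SYN cookie check described for the layer-4 preamble module (the same mechanism the layer-4 DDoS protection cluster applies in the embodiment below), and not code from the patent, the following Python block computes the cookie from the connection information and a coarse time slice, places it in the SYN+ACK sequence number that becomes the re-injection traffic, and validates the client's ACK without keeping any per-connection state. The secret key, the slice length and the sample flow are constructed values.

```python
# Added example, not the patent's code: a stateless SYN cookie check as a
# layer-4 preamble module would run it. The cookie is an HMAC over the
# connection 4-tuple and a coarse time slice, placed in the initial sequence
# number of the SYN+ACK (the re-injection traffic). Secret and slice length
# are constructed values.
import hashlib
import hmac
import struct

SECRET = b"constructed-example-secret"   # assumption: rotated out of band in practice
SLICE_SECONDS = 64                        # assumption: cookie validity granularity
SEQ_MASK = 0xFFFFFFFF


def syn_cookie(flow, now, secret=SECRET):
    """32-bit cookie used as the ISN. `flow` is (src_ip, src_port, dst_ip, dst_port)."""
    src_ip, src_port, dst_ip, dst_port = flow
    time_slice = int(now) // SLICE_SECONDS
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{time_slice}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def handle_syn(flow, now):
    """New-connection SYN: answer with a SYN+ACK whose seq carries the cookie.
    No per-flow state is kept, which is what keeps a SYN flood from exhausting
    the module's connection table."""
    return {"flags": "SYN+ACK", "seq": syn_cookie(flow, now)}


def handle_ack(flow, ack_number, now):
    """Third handshake packet: the ACK must acknowledge cookie+1 for this flow.
    The current and the previous time slice are accepted so a client that
    answers near a slice boundary is not rejected."""
    for back in (0, SLICE_SECONDS):
        expected = (syn_cookie(flow, now - back) + 1) & SEQ_MASK
        if ack_number == expected:
            return "safe"
    # A flood source never sees the SYN+ACK, so it cannot produce this value.
    return "attack"


if __name__ == "__main__":
    flow = ("192.0.2.10", 40000, "203.0.113.5", 80)   # constructed sample flow
    synack = handle_syn(flow, 1_000_000)
    print(handle_ack(flow, (synack["seq"] + 1) & SEQ_MASK, 1_000_005))  # safe
```

Binding the cookie to the 4-tuple means an ACK replayed from another source address fails, and the two-slice window bounds how long a captured SYN+ACK remains useful.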
(3) If the preamble protection module determines the service traffic to be safe traffic, the service traffic is pulled, according to the traction path, to the next preamble protection module or to the target protection module for attack detection.
If the preamble protection module detects that the service traffic is safe traffic, then because the target route to which the service traffic is directed corresponds to a protection module of a higher level, the higher-level protection module still has to perform further detection; the preamble protection module therefore returns the service traffic to the distributed denial of service attack protection device.
The distributed denial of service attack protection device receives the pulled traffic returned by the preamble protection module and pulls the service traffic to the next node in the traction path, namely the next preamble protection module or the target protection module, for attack detection.
For example, a client is determined to be a safe client by the detection of the preamble protection module. If this client sends service traffic such as an HTTP request, the preamble protection module determines, from information such as the client's identifier, that the service traffic of this client is safe traffic, and returns the service traffic to the distributed denial of service attack protection device.
The distributed denial of service attack protection device receives the service traffic returned by the preamble protection module and pulls it to the next node in the traction path, namely the next preamble protection module or the target protection module, so that cleaning is completed progressively from the lower-level protection module to the higher-level protection module.
If the preamble protection module detects that the service traffic is attack traffic, the traffic is discarded directly.
(4) If re-injection traffic returned by the target protection module is received during attack detection, the re-injection traffic is returned to the client corresponding to the service traffic.
Taking as the example a target protection module that is a layer-7 protection module performing attack detection by protection policies such as a verification code or a JavaScript (scripting language) algorithm, the target protection module modifies the packets of the service traffic, generates re-injection traffic and returns it to the distributed denial of service attack protection device.
When the distributed denial of service attack protection device receives the re-injection traffic returned by the target protection module for this service traffic, it returns the re-injection traffic to the client corresponding to the service traffic, and pulls the service traffic that the client sends in response to the re-injection traffic to the target protection module, so that the target protection module performs attack detection.
(5) If the target protection module determines the service traffic to be safe traffic, the service traffic is returned to its origin, that is, to its destination address.
If the target protection module, which is the path end point, determines the service traffic to be safe traffic after attack detection, it returns the service traffic to the distributed denial of service attack protection device.
The distributed denial of service attack protection device receives the service traffic returned by the target protection module and returns it to its destination address, so that normal service communication takes place.
For example, a client is determined to be a safe client by the detection of the target protection module. If this client sends service traffic such as an HTTP request, the target protection module determines, from information such as the client's identifier, that the service traffic of this client is safe traffic, and returns the service traffic to the distributed denial of service attack protection device.
The distributed denial of service attack protection device receives the service traffic returned by the target protection module and returns it to the destination address it accesses for normal service communication.
If the target protection module detects that the service traffic is attack traffic, the traffic is discarded directly.
In some embodiments, the traction path includes only the target protection module, and step 104 may specifically be as follows:
the service traffic directed to the target route is pulled to the target protection module for cleaning;
if re-injection traffic returned by the target protection module is received during attack detection, the re-injection traffic is returned to the client corresponding to the service traffic;
if the target protection module determines the service traffic to be safe traffic, the service traffic is returned to its destination address;
if the target protection module detects that the service traffic is attack traffic, the traffic is discarded directly.
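As an added illustration of step 104 in both of its variants (a path with preamble modules and a path consisting of the target module alone), and not code from the patent, the following Python block matches a packet to a target route by destination address, walks the route's traction path, and returns the device's action: forward unchanged when no target route matches, drop when any node reports attack traffic, hand a re-injection message back toward the client, or return the traffic to its origin once the path end point reports it safe. The routes, paths and the toy module verdicts are constructed sample values; the longest-prefix tie-break is an assumption the patent does not specify.

```python
# Added example, not the patent's code: the cleaning device's per-packet
# decision in step 104. A packet is matched to a target route by destination
# address, then walked along that route's traction path; each node returns
# "safe", "attack" or a re-injection message. Routes, paths and the toy
# module verdicts are constructed sample values.
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed traction paths keyed by the target route they serve.
TRACTION_PATHS: Dict[str, List[str]] = {
    "203.0.113.0/24": ["layer-4 cluster"],                      # target is layer-4 alone
    "198.51.100.0/24": ["layer-4 cluster", "layer-7 cluster"],  # layer-4 is the preamble
}


def target_route_for(dst_ip: str, routes) -> Optional[str]:
    """Traffic is 'directed to' a target route when its destination equals the
    route or lies in the route's network segment. Longest prefix wins
    (assumption; the patent does not specify tie-breaking)."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [n for n in (ipaddress.ip_network(r) for r in routes) if addr in n]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


def clean(packet: dict, modules: Dict[str, Callable[[dict], object]],
          paths=TRACTION_PATHS) -> tuple:
    """Walk the traction path for `packet`.

    Returns one of:
      ("forward", packet)              not directed to any target route
      ("drop", node)                   a node classified it as attack traffic
      ("reinject", node, message)      send `message` back to the client, wait
      ("return_to_origin", packet)     the path end point classified it safe
    """
    route = target_route_for(packet["dst"], paths)
    if route is None:
        return ("forward", packet)
    for node in paths[route]:
        verdict = modules[node](packet)
        if verdict == "attack":
            return ("drop", node)
        if isinstance(verdict, tuple) and verdict[0] == "reinject":
            return ("reinject", node, verdict[1])
        # "safe": the next node in the path still has to check it
    return ("return_to_origin", packet)


# Toy module behaviours standing in for the real clusters (constructed).
def layer4_module(packet):
    if not packet.get("handshake_ok"):        # e.g. failed the SYN cookie check
        return "attack"
    return "safe"


def layer7_module(packet):
    if packet.get("bot"):
        return "attack"
    if not packet.get("cookie_ok"):           # issue the HTTP cookie challenge
        return ("reinject", {"status": 302, "to": packet["src"]})
    return "safe"


MODULES = {"layer-4 cluster": layer4_module, "layer-7 cluster": layer7_module}

if __name__ == "__main__":
    pkt = {"src": "192.0.2.10", "dst": "198.51.100.9", "handshake_ok": True}
    print(clean(pkt, MODULES))   # ('reinject', 'layer-7 cluster', {...})
```

The walk stops at the first node that drops or re-injects; a "safe" verdict from a preamble node only advances the packet, which is the series filtering the description relies on.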
In some embodiments, in order to improve the detection efficiency of the protection modules, while the preamble protection module and/or the target protection module perform attack detection, the distributed denial of service attack protection method further includes:
obtaining the attack detection result of the preamble protection module and/or the target protection module;
obtaining attack information by analysing the attack detection result, and sharing the attack information with the protection modules in the traction path.
Specifically, in one implementation, after the preamble protection module and/or the target protection module perform attack detection on the service traffic, the attack detection result is obtained; the attack detection result indicates whether the service traffic is attack traffic. The preamble protection module and/or the target protection module return the attack detection result to the distributed denial of service attack protection device.
In another implementation, the distributed denial of service attack protection device may determine the attack detection result from the traffic returned by the preamble protection module and/or the target protection module. For example, if service traffic returned by the target protection module is received, the attack detection result is that the service traffic is safe traffic; if neither service traffic nor re-injection traffic returned by the target protection module or the preamble protection module is received within a preset time, the attack detection result is that the service traffic is attack traffic; and if a service traffic discard notification message returned by the preamble protection module or the target protection module is received, the attack detection result is that the service traffic is attack traffic.
According to the attack detection result, the distributed denial of service attack protection device judges whether the client that sent the service traffic is trusted; if the client that sent the service traffic is trusted, it may further judge the trust level of the client. The distributed denial of service attack protection device may take information such as whether the client is trusted and its trust level as attack information, and share it with the other protection modules in the traction path.
For example, the preamble protection module is a layer-4 protection module and the target protection module is a layer-7 protection module. If the layer-4 protection module determines the service traffic to be safe traffic, and the distributed denial of service attack protection device determines from the attack detection result that the client that sent the service traffic is a highly trusted client, it sends the information that this client is a highly trusted client to the layer-7 protection module as attack information. After receiving the service traffic pulled by the distributed denial of service attack protection device, the layer-7 protection module learns from the attack information that the corresponding client is a highly trusted client, determines that the service traffic is safe traffic, and returns it to the distributed denial of service attack protection device, which returns it to the destination address the service traffic is directed to for normal service communication.
This reduces the duplicated work of the protection modules and lowers resource and performance consumption.
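As an added illustration of the attack-information sharing just described, and not code from the patent, the following Python block infers the attack detection result from what a module sends back (returned service traffic, a discard notice, or nothing within the preset time), turns it into per-client attack information (trusted or not, and a trust level), and lets a later module consult that information so a highly trusted client skips its check. The timeout, the number of safe verdicts that raise a client to "high" trust and the entry lifetime are constructed values; the patent does not specify how the trust level is graded.

```python
# Added example, not the patent's code: deriving the attack detection result
# from what a protection module returns, turning it into per-client attack
# information (trusted / trust level) and sharing it along the traction path so
# a later module can skip its own check for a highly trusted client. The
# timeout, trust threshold and TTL are constructed values.
from dataclasses import dataclass
from typing import Dict, Optional

PRESET_TIMEOUT = 5.0          # seconds to wait for a module to return traffic (assumption)
HIGH_TRUST_AFTER = 3          # safe verdicts before a client is "high" trust (assumption)
INFO_TTL = 600.0              # seconds an entry stays valid (assumption)


def infer_detection_result(event: Optional[str], elapsed: float) -> str:
    """Detection result inferred from the traffic a module sent back.

    event is "service_returned" (module passed the traffic on),
    "reinjection_returned" (a challenge is in progress), "discard_notice",
    or None when nothing has come back after `elapsed` seconds.
    """
    if event == "service_returned":
        return "safe"
    if event == "discard_notice":
        return "attack"
    if event is None and elapsed >= PRESET_TIMEOUT:
        return "attack"
    return "pending"


@dataclass
class AttackInfo:
    trusted: bool
    level: str          # "none", "low" or "high"
    safe_count: int
    expires_at: float


class SharedAttackInfo:
    """Attack information the cleaning device shares with the path modules."""

    def __init__(self):
        self._clients: Dict[str, AttackInfo] = {}

    def record(self, client: str, result: str, now: float) -> Optional[AttackInfo]:
        """Fold one detection result into the client's entry."""
        if result == "pending":
            return self.lookup(client, now)
        if result == "attack":
            info = AttackInfo(False, "none", 0, now + INFO_TTL)
        else:
            prev = self.lookup(client, now)
            count = (prev.safe_count if prev else 0) + 1
            level = "high" if count >= HIGH_TRUST_AFTER else "low"
            info = AttackInfo(True, level, count, now + INFO_TTL)
        self._clients[client] = info
        return info

    def lookup(self, client: str, now: float) -> Optional[AttackInfo]:
        info = self._clients.get(client)
        if info is None or info.expires_at <= now:
            self._clients.pop(client, None)   # expired entries are forgotten
            return None
        return info


def layer7_needs_check(shared: SharedAttackInfo, client: str, now: float) -> bool:
    """A later (layer-7) module consults the shared info: a highly trusted
    client skips the expensive check, everyone else is still inspected."""
    info = shared.lookup(client, now)
    return not (info and info.trusted and info.level == "high")
```

An "attack" result resets the client's entry rather than merely lowering it, so one failed check after a run of passes removes the shortcut until trust is re-earned.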
It can be seen from the above that the embodiment of the present invention receives the target route published by the target protection module, that is, the host route that needs protection, and thereby determines the service traffic that needs to be pulled for cleaning; then obtains the priority information of the protection modules that have currently published routes, which records the protection modules currently running and their priorities, and generates a traction path with the target protection module as the path end point according to the priority information; and, according to the traction path, pulls the service traffic directed to the target route to the corresponding protection module for cleaning. The scheme can determine the traction path according to the priorities of the routes published by the attached protection modules, so that the protection modules currently performing distributed denial of service attack protection are invoked and the running protection modules are put to reasonable use to clean the service traffic directed to the destination address before it reaches the target protection module. This filters attack traffic for the target protection module, lightens its workload and reduces the performance it consumes. Whether a single-layer attack or a hybrid attack occurs, the protection modules can defend effectively. The scheme thus connects multiple layers of protection modules in series by means of the traction path, achieving layered defense against distributed denial of service attacks while using the series connection to filter service traffic, which reduces the workload of the high-cost protection modules, ensures both the completeness of function and the performance balance of the distributed denial of service attack protection system as a whole, and improves the overall protection effect against distributed denial of service attacks.
The method described in the preceding embodiment is described in further detail below by way of example.
For example, referring to Fig. 2, this embodiment is described with the distributed denial of service attack protection device specifically integrated in a cleaning switch.
In this embodiment, a user machine, acting as the client, sends service traffic to access a service machine for service communication. The core router is located at the network core and is mainly used for routing and forwarding data packets; it forwards the service traffic that the user machine, that is, the client, sends to each service machine on to the corresponding service machine. The protection modules include a layer-4 DDoS protection cluster and a layer-7 DDoS protection cluster. The service machines carry out service communication with the clients.
The core router is interconnected with the cleaning switch. The core router forwards the full volume of client service traffic to the cleaning switch, forwards the service traffic returned by the cleaning switch to its destination address, and forwards the re-injection traffic returned by the cleaning switch to the corresponding user machine, that is, the client. The cleaning switch is interconnected with the layer-4 DDoS protection cluster and the layer-7 DDoS protection cluster and establishes BGP connection relationships with them, so that the cleaning switch can pull service traffic to the layer-4 DDoS protection cluster and/or the layer-7 DDoS protection cluster and receive the service traffic and re-injection traffic returned by the layer-4 DDoS protection cluster and/or the layer-7 DDoS protection cluster.
(1) Attack traffic
After a user machine is taken over by an attack server, it is controlled to send attack traffic to a service machine.
The detection device is connected between the user machines and the core router. It copies the service traffic sent to the core router and detects the service traffic by means such as mirroring, optical splitting, or NetFlow/NetStream/nFlow flow logs. When a distributed denial of service attack is detected, the detection device obtains the attacked destination address; then, according to a preset network communication model, it determines the layer at which the destination address is located and takes that layer as the target layer; then it takes the protection module corresponding to the target layer as the target protection module.
This embodiment takes a hybrid distributed denial of service attack as the example. When the detection device detects that a distributed denial of service attack is occurring, it obtains the addresses of the multiple attacked service hosts as the destination addresses, and determines from the destination addresses that the attacked service hosts are located at the network layer and at the application layer.
The detection device then determines that a mix of a layer-4 and a layer-7 distributed denial of service attack is occurring, and issues a route traction command to the layer-4 DDoS protection cluster and the layer-7 DDoS protection cluster. After receiving the route traction command, the layer-4 DDoS protection cluster and the layer-7 DDoS protection cluster respectively configure a layer-4 target route and a layer-7 target route according to the corresponding attacked destination addresses, and each publishes its target route to the cleaning switch. The network segment of the layer-4 target route includes at least the addresses of the service hosts attacked at the network layer, and the network segment of the layer-7 target route includes at least the addresses of the service hosts attacked at the application layer.
The cleaning switch receives the target routes published by the target protection modules; each target route is generated by its target protection module according to the destination address of the distributed denial of service attack. Here the target protection modules are the layer-4 DDoS protection cluster and the layer-7 DDoS protection cluster respectively, and the target routes include the layer-4 target route published by the layer-4 DDoS protection cluster and the layer-7 target route published by the layer-7 DDoS protection cluster.
The cleaning switch then obtains the priority information of the protection modules that have currently published routes, that is, the priority information of the layer-4 DDoS protection cluster and the layer-7 DDoS protection cluster. The priority of the layer-4 DDoS protection cluster is higher than that of the layer-7 DDoS protection cluster.
The cleaning switch then generates the traction path according to the priority information, with the target protection module as the path end point.
If the service traffic accesses a service machine attacked at the network layer, that is, if it is directed to the layer-4 target route, the target protection module is the layer-4 DDoS protection cluster, and the cleaning switch takes the layer-4 DDoS protection cluster as the path end point. Since there is no protection module that has published a route and has a higher priority than the layer-4 DDoS protection cluster, the traction path corresponding to service traffic directed to the layer-4 target route includes only one node, the layer-4 DDoS protection cluster.
If the service traffic accesses a service machine attacked at the application layer, that is, if it is directed to the layer-7 target route, the target protection module is the layer-7 DDoS protection cluster, and the cleaning switch takes the layer-7 DDoS protection cluster as the path end point. Since the layer-4 DDoS protection cluster has published a route and has a higher priority than the layer-7 DDoS protection cluster, it is a preamble protection module, and the cleaning switch configures the traction path corresponding to service traffic directed to the layer-7 target route as "layer-4 DDoS protection cluster - layer-7 DDoS protection cluster".
It should be noted that if the layer-4 DDoS protection cluster or the layer-7 DDoS protection cluster includes multiple protection devices of different types attached in parallel to the cleaning switch, each protection device is configured into the traction path according to its priority and the position of the protection module it belongs to in the traction path. For example, if the layer-7 DDoS protection cluster includes a WAP protection device and a CC protection device attached in parallel to the cleaning switch, and the priority of the WAP protection device is higher than that of the CC protection device, the traction path corresponding to service traffic directed to the layer-7 target route is "layer-4 DDoS protection cluster - WAP protection device - CC protection device". This further subdivides the work of traffic cleaning and reduces the load on the high-layer cleaning equipment, so that the load is more balanced and cleaning efficiency improves.
(2) Full-volume traffic forwarding
The core router forwards the full volume of received traffic sent to the service machines to the cleaning switch, so that the cleaning switch pulls the service traffic directed to the target routes to the protection modules for cleaning.
(3) Pulling the service traffic directed to the layer-4 target route and/or the layer-7 target route
After receiving the full-volume traffic forwarded by the core router, the cleaning switch obtains the destination address accessed by the service traffic. If the destination address of the service traffic is the layer-4 target route or lies within the network segment of the layer-4 target route, the service traffic is determined to be directed to the layer-4 target route; if the destination address of the service traffic is the layer-7 target route or lies within the network segment of the layer-7 target route, the service traffic is determined to be directed to the layer-7 target route.
The cleaning switch then pulls the service traffic directed to the layer-4 target route and/or the layer-7 target route to the layer-4 DDoS protection cluster for cleaning.
(4) Return of re-injection traffic and safe service traffic
The layer-4 DDoS protection cluster receives the service traffic pulled by the cleaning switch and can perform attack detection according to preset layer-4 protection policies. The layer-4 protection policies include, but are not limited to, the SYN cookie algorithm, the SYN reset algorithm and TCP message state detection.
For example, for the negotiation SYN message of a new TCP connection, the layer-4 DDoS protection cluster computes a cookie value from the connection information and returns it to the user machine as the initial sequence number (seq number) of the SYN+ACK message. A normal user responds to this SYN+ACK and returns an ACK confirmation message. The layer-4 DDoS protection cluster validates the cookie information carried in the ACK message returned by the user machine and judges whether the traffic is attack traffic. When an attacker launches a SYN flood attack, the user machine cannot send valid cookie information and therefore cannot establish a connection with the layer-4 DDoS protection cluster; from this the layer-4 DDoS protection cluster can determine whether the service traffic is attack traffic. The SYN+ACK message returned by the layer-4 DDoS protection cluster is re-injection traffic and is forwarded to the user machine via the cleaning switch.
If the layer-4 DDoS protection cluster judges the service traffic to be safe traffic, it returns the service traffic to the cleaning switch. For example, when the layer-4 DDoS protection cluster performs attack detection on service traffic and determines through the TCP three-way handshake that a sending machine is safe, it may disconnect the connection with that machine and wait for it to initiate the connection again. When the layer-4 DDoS protection cluster again receives the TCP connection negotiation SYN message sent by that machine, it determines that the service traffic is safe traffic and returns it to the cleaning switch.
If the layer-4 DDoS protection cluster judges the service traffic to be attack traffic, it discards the traffic directly.
(5) Pulling the service traffic directed to the layer-7 target route
Here the service traffic directed to the layer-7 target route is service traffic returned by the layer-4 DDoS protection cluster, that is, traffic that the layer-4 DDoS protection cluster has detected as safe traffic and that is directed to the layer-7 target route.
After receiving the service traffic returned by the layer-4 DDoS protection cluster, the cleaning switch proceeds as follows: for service traffic directed to the layer-7 target route, the layer-4 DDoS protection cluster is a preamble protection module that has only performed preliminary attack detection, so even if the layer-4 DDoS protection cluster judged it to be safe traffic, the layer-7 DDoS protection cluster still has to perform further attack detection. The cleaning switch therefore pulls the service traffic directed to the layer-7 target route to the layer-7 DDoS protection cluster for attack detection.
(6) Return of re-injection traffic and safe service traffic
The layer-7 DDoS protection cluster receives the service traffic pulled by the cleaning switch and can perform attack detection according to preset layer-7 protection policies. The layer-7 protection policies include, but are not limited to, verification codes and JavaScript (scripting language) algorithms.
For example, the basic principle of the HTTP cookie technique is to authenticate, according to the HTTP protocol specification, whether an HTTP request packet comes from a legitimate client. If the service traffic is a GET request sent by the user machine for a URL of the service machine, the layer-7 DDoS protection cluster generates a redirect message as re-injection traffic and returns it to the user machine, so that the user machine re-requests the redirected destination address. In this redirect message, the layer-7 DDoS protection cluster adds a cookie field that needs to be verified. There are usually two ways of adding this cookie: one is to set it through the HTTP Set-Cookie field, which requires the next HTTP request to carry the specified cookie field; the other is to append a cookie parameter to the end of the redirect URL, which requires the user to access that URL with the cookie parameter. After a normal user machine receives the redirect message, it carries the cookie field as required, sends the service traffic again and accesses the specified URL. Attack traffic, which cannot add the specified cookie field to its access, can thereby be judged to be attack traffic. The redirect message returned by the layer-7 DDoS protection cluster is re-injection traffic and is forwarded to the user machine via the cleaning switch.
If the layer-7 DDoS protection cluster judges the service traffic to be safe traffic, it returns the service traffic to the cleaning switch. For example, when the layer-7 DDoS protection cluster performs attack detection on service traffic and the user machine, after receiving the redirect message, carries the cookie field as required, sends the service traffic again and accesses the specified URL, the layer-7 DDoS protection cluster determines that the service traffic sent again by this machine is safe traffic, removes the added cookie field and returns the traffic to the cleaning switch.
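As an added illustration of the HTTP cookie challenge described in (6), and not code from the patent, the following Python block issues the redirect that serves as re-injection traffic for a GET without a valid token, supporting both ways of adding the cookie (the Set-Cookie header and a parameter appended to the redirect URL), verifies the token on the repeated request, and strips the added field before the request is returned toward the origin. The secret key, the cookie/parameter name, the validity window and the sample request are constructed values; binding the token to the client address is a design choice made here, not something the patent specifies.

```python
# Added example, not the patent's code: the HTTP cookie challenge a layer-7
# module issues as re-injection traffic. A GET without a valid token gets a
# redirect that carries the token either in Set-Cookie or as a URL parameter;
# the repeated request is verified, the added field is stripped, and only then
# is the request returned toward the origin. Secret, cookie name and window
# length are constructed values.
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-l7-secret"    # assumption
TOKEN_NAME = "l7chk"                  # assumption: cookie / parameter name
WINDOW = 300                          # seconds a token remains valid (assumption)


def make_token(client_ip: str, now: float) -> str:
    """Token bound to the client address and a time window, so a harvested
    value is useless from another address or after the window."""
    slot = int(now) // WINDOW
    return hmac.new(SECRET, f"{client_ip}|{slot}".encode(), hashlib.sha256).hexdigest()[:32]


def token_valid(client_ip: str, token: str, now: float) -> bool:
    return any(hmac.compare_digest(make_token(client_ip, now - back), token)
               for back in (0, WINDOW))


def _parse_cookies(header: str) -> dict:
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)


def challenge(request: dict, now: float, method: str = "set-cookie") -> tuple:
    """request: {"method", "url", "headers", "client_ip"}; method is
    "set-cookie" or "url-param". Returns ("reinject", redirect),
    ("safe", cleaned_request) or ("unverified", None)."""
    ip = request["client_ip"]
    headers = dict(request["headers"])
    parts = urlsplit(request["url"])
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    cookies = _parse_cookies(headers.get("Cookie", ""))
    token = cookies.get(TOKEN_NAME) or query.get(TOKEN_NAME)

    if token and token_valid(ip, token, now):
        # Verified: remove the field we added before returning to origin.
        cookies.pop(TOKEN_NAME, None)
        query.pop(TOKEN_NAME, None)
        if cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
        else:
            headers.pop("Cookie", None)
        cleaned = dict(request, headers=headers,
                       url=urlunsplit(parts._replace(query=urlencode(query))))
        return ("safe", cleaned)

    if request["method"] != "GET":
        # A redirect challenge only fits GET; other methods need another
        # policy (assumption, outside this example).
        return ("unverified", None)

    new_token = make_token(ip, now)
    if method == "url-param":
        query[TOKEN_NAME] = new_token
        location = urlunsplit(parts._replace(query=urlencode(query)))
        redirect = {"status": 302, "headers": {"Location": location}}
    else:
        redirect = {"status": 302, "headers": {
            "Location": request["url"],
            "Set-Cookie": f"{TOKEN_NAME}={new_token}; Path=/; HttpOnly"}}
    return ("reinject", redirect)
```

A request that presents a token minted for a different address, or one older than two windows, is simply challenged again; the cleaned request that reaches the origin carries neither the cookie nor the URL parameter, matching the removal step described above.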
If seven layers of DDoS protection cluster judge that service traffics for attack traffic, directly abandon this flow.
(7) re-injection flow and safe traffic Hui Yuan
Cleaning interchanger, will after receiving the re-injection flow that four layers of DDoS protection cluster and seven layers of DDoS protection cluster return Re-injection flow returns to core router, returns to corresponding business machine by core router.
Cleaning interchanger is after receiving the service traffics that four layers of DDoS protection cluster return, due to for being directed toward four layers of target For the service traffics of routing, four layers of DDoS protection cluster are path termination, therefore, if four layers of DDoS protection cluster judge it Detection by the method for attack therefore is completed for safe traffic, testing result is safe traffic, can be transmitted to corresponding business machine Carry out service communication.The service traffics for being directed toward the routing of four layers of target are returned to core router by cleaning interchanger, by core road Corresponding business machine is transmitted to by device, realizes the Hui Yuan of service traffics.
Cleaning interchanger is after receiving the service traffics that seven layers of DDoS protection cluster return, due to for being directed toward seven layers of target For the service traffics of routing, seven layers of DDoS protection cluster are path termination, therefore, if seven layers of DDoS protection cluster judge it Detection by the method for attack therefore is completed for safe traffic, testing result is safe traffic, can be transmitted to corresponding business machine Carry out service communication.The service traffics for being directed toward the routing of seven layers of target are returned to core router by cleaning interchanger, by core road Corresponding business machine is transmitted to by device, realizes the Hui Yuan of service traffics.
(8) Traffic forwarding
When the cleaning switch receives service traffic forwarded by the core router that is directed at neither the four-layer target route nor the seven-layer target route, it forwards this service traffic to the core router as safe traffic for normal service communication.
(9) Traffic re-injection
After receiving the re-injected traffic returned by the cleaning switch, the core router returns it to the corresponding business machine.
(10) Safe service traffic
After receiving the safe service traffic returned by the cleaning switch, the core router forwards this service traffic to the corresponding business machines for service communication.
(11) Business output traffic
After receiving the service traffic, the business machine outputs the corresponding traffic according to what the service traffic requests.
It can be seen from the above that, in the embodiment of the present invention, when a distributed denial-of-service hybrid attack occurs, the traction path is determined according to the priorities of the mounted protection modules that have published routes, so that the multi-layer protection modules are connected in series and the hybrid attack traffic is processed layer by layer in series. Decoupling the multi-layer protection modules ensures that performance is fully exploited and saves machine cost, while also ensuring functional completeness. The scheme applies both to single-attack and to hybrid-attack scenarios and improves the overall protection effect against distributed denial-of-service attacks. The user does not need to deploy any functional module to solve the problem of multi-level protection, so the protection is transparent to the user.
The embodiment of the present invention also provides a distributed denial-of-service attack protection system. For example, as shown in Figure 3, this distributed denial-of-service attack protection system may include a detection device 301, a cleaning switch 302 and a protection cluster 303, as follows:
(1) Detection device 301:
The detection device 301 is configured, when a distributed denial-of-service attack is detected, to trigger the target protection cluster to publish a target route to the cleaning switch, the target route being generated by the target protection cluster according to the destination address of the distributed denial-of-service attack.
The detection device 301 is connected between the client and the core router; it replicates the service traffic sent to the core router by means of mirroring, optical splitting or NetFlow/NetStream/nFlow logs, and detects the service traffic.
When a distributed denial-of-service attack is detected, the detection device 301 may specifically be configured to:
when a distributed denial-of-service attack is detected, obtain the attacked destination address;
determine, according to a preset network communication model, the layer at which the destination address is located, and take that layer as the target layer;
take the protection cluster corresponding to the target layer as the target protection cluster, and issue a routing traction instruction to the target protection cluster so as to trigger the target protection cluster to publish the target route to the cleaning switch according to the destination address.
For example, if the detection device 301 detects that a distributed denial-of-service attack has occurred, it obtains the address of the attacked business host as the destination address. If the attacked destination address is located at the network layer, the network layer is taken as the target layer, and the seven-layer protection cluster corresponding to the network layer is taken as the target protection cluster.
The detection device 301 then issues a routing traction command to the seven-layer protection cluster, triggering the target protection cluster to publish the target route. The target route is generated by the seven-layer protection cluster according to the attacked destination address and includes at least the address of the attacked business host at the network layer.
(2) Cleaning switch 302:
The cleaning switch 302 is configured to receive the target route published by the target protection cluster, the target route being generated by the target protection cluster according to the destination address of the distributed denial-of-service attack; obtain the priority information of the protection clusters that have currently published routes; generate a traction path according to the priority information with the target protection cluster as the path end; and, according to the traction path, draw the service traffic directed at the target route to the corresponding protection clusters for cleaning.
For the specific implementation of the cleaning switch 302, reference may be made to the above embodiment of the distributed denial-of-service attack protection method, which is not repeated here.
(3) Protection cluster 303:
The protection cluster 303 includes at least the target protection cluster and is configured to publish routes to the cleaning switch 302 and to clean the service traffic drawn by the cleaning switch 302.
The protection cluster 303 is mounted under the cleaning switch 302 and may include protection clusters of multiple layers, for example a seven-layer protection cluster and a four-layer protection cluster. Each layer's protection cluster may also include protection devices of several different protection types. Of course, when the protection scale is small, the protection cluster 303 may also be deployed as protection devices, such as a seven-layer protection device and a four-layer protection device, which can be flexibly configured according to actual needs.
When receiving the route publication instruction issued by the detection device 301, the protection cluster 303 obtains the attacked destination address, generates the target route according to the preset protection policy and the destination address, and publishes the target route to the cleaning switch 302.
In some embodiments, the preset protection policy is one-to-one protection, in which case the protection cluster 303 publishes the destination address itself to the cleaning switch 302 as the target route. For example, if the destination address is a /32 host route, the protection cluster 303 publishes this /32 host route to the cleaning switch 302 as the target route.
In other embodiments, the preset protection policy is one-to-many protection, in which case the protection cluster 303 publishes a higher-level route containing the destination address to the cleaning switch 302 as the target route. For example, if the destination address is a /32 host route, the protection cluster 303 publishes the /24 network segment containing this /32 host route to the cleaning switch 302.
When receiving the service traffic drawn by the cleaning switch 302, the protection cluster 303 cleans the service traffic, thereby defending against the distributed denial-of-service attack.
For example, in some embodiments a hybrid attack has occurred, the protection cluster 303 further includes one or more preamble protection clusters whose priority is higher than that of the target protection cluster, and the traction path takes the preamble protection cluster with the highest priority as the path start and the target protection cluster as the path end:
(1) The preamble protection cluster is configured to perform attack detection on the service traffic drawn by the cleaning switch 302 and, if the service traffic is confirmed to be safe traffic, to return it to the cleaning switch 302;
The cleaning switch 302 is further configured to draw the service traffic, according to the traction path, to the next preamble protection cluster or to the target protection cluster for attack detection.
The traction path includes the preamble protection clusters and the target protection cluster. The cleaning switch 302 first draws the service traffic directed at the target route to the path start for cleaning. The preamble protection cluster receiving the service traffic performs attack detection on it; for the specific detection manner, reference may be made to the above embodiment of the distributed denial-of-service attack protection method, which is not repeated here.
If the preamble protection cluster determines that the service traffic is safe traffic, it returns the service traffic to the cleaning switch 302. After receiving it, the cleaning switch 302 draws the service traffic to the next node in the traction path: a preamble protection cluster or the target protection cluster.
If the preamble protection cluster determines that the service traffic is attack traffic, it discards the service traffic.
In some embodiments, the preamble protection cluster is further configured to obtain attack information according to the attack detection result and share the attack information with the other protection modules in the traction path. For example, if the preamble protection cluster judges after detection that a client is a high-level trusted client, it takes this client's trust information as attack information and shares it with the other preamble protection clusters and/or the target protection cluster in the traction path, reducing the workload of the other protection clusters in the path and thus reducing resource occupation and performance loss.
(2) The preamble protection cluster is further configured, during attack detection, to return re-injected traffic to the cleaning switch 302 if re-injected traffic is generated according to the preset protection policy;
The cleaning switch 302 is further configured to receive the re-injected traffic and return it to the client corresponding to the service traffic.
For example, the preamble protection cluster is a four-layer protection cluster, and the four-layer protection policies include but are not limited to the SYN cookie algorithm, the SYN Reset algorithm, TCP packet state detection and the like.
Taking a SYN Flood attack as an example, the preamble protection cluster is a four-layer protection cluster and triggers the SYN cookie algorithm to perform attack detection. For the SYN packet negotiating a new TCP connection, the preamble protection cluster computes a cookie value from the connection information and returns it to the client as the initial sequence number (seq number) of the SYN+ACK packet. A normal user responds to this SYN+ACK and returns an ACK confirmation packet. The preamble protection module then verifies the cookie information carried in the client's ACK packet to judge whether the traffic is attack traffic. The SYN+ACK packet generated by the preamble protection cluster is re-injected traffic.
(3) The target protection cluster is specifically configured to clean the service traffic drawn by the cleaning switch 302 and, if the service traffic is confirmed to be safe traffic, to return it to the cleaning switch 302;
The cleaning switch 302 is further configured to receive the service traffic returned by the target protection cluster and return it to its source, the destination address.
The target protection cluster receiving the service traffic performs attack detection on it; for the specific detection manner, reference may be made to the above embodiment of the distributed denial-of-service attack protection method, which is not repeated here.
If the target protection cluster determines that the service traffic is safe traffic, it returns the service traffic to the cleaning switch 302. After receiving it, the cleaning switch 302 returns the service traffic to the destination address so that the business host and the client can carry out normal service communication.
If the target protection cluster determines that the service traffic is attack traffic, it discards the service traffic.
In some embodiments, the target protection cluster is further configured to obtain attack information according to the attack detection result and share it with the other protection modules in the traction path. For example, if the target protection cluster judges after detection that a client is a high-level trusted client, it takes this client's trust information as attack information and shares it with the preamble protection clusters in the traction path, reducing their workload.
(4) The target protection cluster is further configured, during attack detection, to return re-injected traffic to the cleaning switch 302 if re-injected traffic is generated according to the preset protection policy.
For example, the target protection cluster is a seven-layer protection cluster, and the seven-layer protection policies include but are not limited to verification codes, JavaScript algorithms and the like.
If the service traffic is a GET request sent by the client to the business machine's URL, the target protection cluster generates a redirect message as re-injected traffic, returns it on behalf of the business machine, and makes the client device request the redirected destination address again. In this redirect message, the target protection cluster adds a cookie field that needs to be verified. After a normal client receives the redirect message, it carries the cookie field as requested, sends the service traffic again and accesses the specified URL address. The redirect message returned by the target protection cluster is re-injected traffic and is forwarded to the client via the cleaning switch 302.
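The two challenge-response checks described above (the four-layer SYN cookie carried as the SYN+ACK sequence number, and the seven-layer redirect with a cookie that the client must echo), as an added illustration that is not the patent's own code. The key, addresses, URL and cookie name are constructed sample values, and deriving both cookies with a keyed HMAC is this example's choice; the text does not specify the cookie algorithm.

```python
"""Stateless challenges that produce re-injected traffic: a four-layer
SYN-cookie check on the TCP handshake and a seven-layer redirect-with-cookie
check on an HTTP GET.  Added example, not the patent's code; all values are
constructed and the HMAC construction is an assumption."""
import hashlib
import hmac
import time
from typing import Optional, Tuple

SECRET = b"constructed-demo-key"   # per-cluster secret (rotated in practice)
COOKIE_NAME = "ddos_chk"           # constructed name of the verification cookie


def _minute(now: Optional[float]) -> int:
    """Coarse time slot so that a cookie expires instead of being replayable forever."""
    return int((time.time() if now is None else now) // 60)


def _mac(*parts: str, length: int) -> int:
    """Keyed MAC over the given fields, truncated to `length` bytes."""
    digest = hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:length], "big")


# ---- four-layer preamble module: SYN cookie ---------------------------------
def syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int, minute: int) -> int:
    """Cookie computed from the connection information; it becomes the SYN+ACK ISN."""
    return _mac(src_ip, str(src_port), dst_ip, str(dst_port), str(minute), length=4)


def make_syn_ack(src_ip, src_port, dst_ip, dst_port, now=None) -> dict:
    """Re-injected SYN+ACK carrying the cookie as initial sequence number; no state is kept."""
    return {"flags": "SYN+ACK",
            "seq": syn_cookie(src_ip, src_port, dst_ip, dst_port, _minute(now))}


def verify_ack(src_ip, src_port, dst_ip, dst_port, ack: int, now=None) -> bool:
    """A real client acknowledges ISN+1; accept the current or the previous minute's cookie."""
    m = _minute(now)
    for minute in (m, m - 1):
        expected = (syn_cookie(src_ip, src_port, dst_ip, dst_port, minute) + 1) & 0xFFFFFFFF
        if ack == expected:
            return True
    return False


# ---- seven-layer target module: redirect with cookie ------------------------
def make_redirect(client_ip: str, url: str, now=None) -> dict:
    """Re-injected redirect to the same URL, with a cookie bound to client, URL and time."""
    m = _minute(now)
    token = f"{m}-{_mac(client_ip, url, str(m), length=8):016x}"
    return {"status": 302, "headers": {"Location": url,
                                       "Set-Cookie": f"{COOKIE_NAME}={token}"}}


def _parse_cookies(header: Optional[str]) -> dict:
    if not header:
        return {}
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)


def verify_request(client_ip: str, url: str, cookie_header: Optional[str], now=None) -> bool:
    """The repeated request is safe only if the cookie is present, fresh and bound to this client/URL."""
    token = _parse_cookies(cookie_header).get(COOKIE_NAME, "")
    minute_s, _, mac_s = token.partition("-")
    if not minute_s.isdigit() or not (0 <= _minute(now) - int(minute_s) <= 1):
        return False
    expected = f"{_mac(client_ip, url, minute_s, length=8):016x}"
    return hmac.compare_digest(expected, mac_s)


def handle_get(client_ip: str, url: str, cookie_header: Optional[str], now=None) -> Tuple[str, object]:
    """Target-module decision for a GET: ('redirect', message) on the first request,
    ('forward', cookie header with the added field removed) once the client has answered."""
    if verify_request(client_ip, url, cookie_header, now):
        remaining = {k: v for k, v in _parse_cookies(cookie_header).items() if k != COOKIE_NAME}
        return "forward", "; ".join(f"{k}={v}" for k, v in remaining.items())
    return "redirect", make_redirect(client_ip, url, now)
```

Traffic judged "forward" is what the text calls safe traffic returned to the cleaning switch with the added cookie field stripped; a spoofed-source SYN never produces a matching ACK, so it never passes the four-layer check.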
It can be seen from the above that, in the embodiment of the present invention, the detection device 301 detects attacks and, when a distributed denial-of-service attack is detected, triggers the target protection module to publish the target route, informing the cleaning switch 302 which service traffic needs cleaning. The cleaning switch 302 receives the target route published by the target protection module and determines the host routes to be protected and the service traffic that needs to be drawn and cleaned; it then obtains the priority information of the protection modules that have currently published routes, i.e. the protection modules currently running and their corresponding priorities, and generates a traction path according to the priority information with the target protection module as the path end; according to the traction path, it draws the service traffic directed at the target route to the corresponding protection modules for cleaning. The protection cluster 303 publishes the target route to the cleaning switch 302, receives and cleans the service traffic drawn by the cleaning switch 302, and returns the cleaned safe traffic to the business machine, completing the defence against the distributed denial-of-service attack. This scheme connects the multi-layer protection clusters in series through the traction path, which both achieves multi-layer defence against distributed denial-of-service attacks and filters the service traffic through the series connection, so that whether a single-layer attack or a hybrid attack occurs, the protection clusters can defend effectively. The scheme thus reduces the workload of the high-cost protection modules, ensures both the functional completeness and the performance balance of the distributed denial-of-service attack protection system as a whole, and improves the overall protection effect against distributed denial-of-service attacks.
In order to better implement the above method, the embodiment of the present invention also provides a distributed denial-of-service attack protection apparatus, which may be integrated in a network device such as a cleaning switch or in a server device.
For example, as shown in Figure 4, the distributed denial-of-service attack protection apparatus may include a receiving unit 401, a priority unit 402, a path unit 403 and a traction unit 404, as follows:
(1) Receiving unit 401:
The receiving unit 401 is configured to receive the target route published by the target protection module, the target route being generated by the target protection module according to the destination address of the distributed denial-of-service attack;
When a distributed denial-of-service (DDoS) attack occurs, the detection device obtains the IP (Internet Protocol) address of the attacked business host as the destination address to be protected.
The detection device then determines the target protection module according to the destination address, issues a routing traction command to the target protection module, and triggers the target protection module to publish the target route to the cleaning switch. The detection device may determine the layer at which the destination address is located according to a preset network communication model, take that layer as the target layer, and then take the protection module corresponding to the target layer as the target protection module.
It should be noted that the preset network communication model may be the TCP/IP (Transmission Control Protocol/Internet Protocol) model, which from the lowest layer to the highest consists of the network interface layer, network layer, transport layer and application layer. The preset network communication model may also be the OSI (Open System Interconnection) reference model, which from the lowest layer to the highest consists of the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. Of course, the preset network communication model may also be a custom network communication model, flexibly configured according to actual needs. Each layer of the preset network communication model is preset with a corresponding protection module; each layer may correspond to a different protection module, or several layers may correspond to the same protection module, as flexibly configured according to actual needs.
According to the destination address, the detection device determines the layer of the attacked business host in the preset network communication model, obtaining the target layer; the protection module corresponding to the target layer is the target protection module. In one implementation, if the attacked business host is located at the network layer or below, the detection device determines that the target protection module is the four-layer protection module; if the attacked business host is located above the network layer, for example at the application layer, the detection device determines that the target protection module is the seven-layer protection module. The seven-layer protection module usually performs deep packet analysis and detection and occupies relatively more performance. For example, if the destination address corresponds to a business host handling HTTP (HyperText Transfer Protocol) services, which are located at the application layer, the target protection module is determined to be the seven-layer protection module; if the destination address corresponds to a business host handling TCP connection services, located at the network layer, the target protection module is determined to be the four-layer protection module.
After receiving the routing traction command, the target protection module obtains the destination address, determines the host route to be protected according to the destination address, and generates the target route. The target route may be a network segment containing the destination address or may point only to the destination address, as flexibly configured according to actual needs. The target protection module then publishes the target route to the distributed denial-of-service attack protection apparatus.
Protection modules of multiple layers are mounted under the distributed denial-of-service attack protection apparatus, which establishes a BGP (Border Gateway Protocol) connection with the protection module of each layer for communication. The receiving unit 401 receives the target route published by the target protection module and thereby learns that the service traffic directed at the target route is attack traffic and needs to be drawn to the target protection module for cleaning.
(2) Priority unit 402:
The priority unit 402 is configured to obtain the priority information of the protection modules that have currently published routes.
The priority information may be configured when the distributed denial-of-service attack protection apparatus establishes the BGP connection with the protection module of each layer, with the priority of a lower-layer protection module higher than that of a higher-layer protection module. For example, since the seven-layer protection module occupies more resources and performance, in order to reduce its workload and reduce resource and performance loss, the four-layer protection module is preset with a higher priority than the seven-layer protection module, so that the four-layer protection module cleans the traffic first.
The priority unit 402 needs to determine, according to the routes currently received, which protection modules have published routes, so as to learn which protection modules are currently cleaning traffic and resisting the distributed denial-of-service attack. It then obtains the priority information of these protection modules that have published routes.
The priority information may include information such as the specific priority level of each protection module.
For example, the protection modules that have currently published routes include the four-layer protection module and the seven-layer protection module. The priority unit 402 obtains the priority information of the four-layer protection module and the seven-layer protection module, and thereby their priorities.
(3) Path unit 403:
The path unit 403 is configured to generate a traction path according to the priority information, with the target protection module as the path end.
The traction path is the path along which the service traffic is cleaned; it includes the protection modules the service traffic needs to flow through and the order in which it flows through each protection module.
According to the priority information of the protection modules that have published routes, the path unit 403 sorts them by priority and generates a traction path with the target protection module as the path end. In some embodiments, the path unit 403 may include a screening subunit and a configuration subunit:
The screening subunit is configured to obtain, according to the priority information, the protection modules whose priority is higher than that of the target protection module, as preamble protection modules;
The configuration subunit is configured to generate the traction path according to the priorities of the preamble protection modules and the target protection module, with the target protection module as the path end.
The priority information includes the priorities of the protection modules that have currently published routes. The screening subunit filters out, according to the priority information, the protection modules whose priority is higher than that of the target protection module, as preamble protection modules. For example, the protection modules that have currently published routes include the four-layer protection module and the seven-layer protection module, the target protection module is the seven-layer protection module, and the priority of the four-layer protection module is higher than that of the seven-layer protection module; the screening subunit then takes the four-layer protection module as a preamble protection module.
Then the configuration subunit generates the traction path according to the priorities of the preamble protection modules and the target protection module, with the target protection module as the path end. For example, this may specifically be as follows:
according to the priority information, sort the preamble protection modules and the target protection module in order of priority from high to low;
according to the sorting, generate the traction path with the preamble protection module of the highest priority as the path start and the target protection module as the path end.
There may be one or several preamble protection modules.
If there is only one preamble protection module, after the configuration subunit sorts the preamble protection module and the target protection module according to the priority information, the preamble protection module has the highest priority and the target protection module the lowest. The traction path is then generated with the preamble protection module as the path start and the target protection module as the path end.
If there are two or more preamble protection modules, the configuration subunit sorts the preamble protection modules and the target protection module according to the priority information, takes the preamble protection module with the highest priority as the path start, the preamble protection module with the next highest priority as the second node in the path, and so on, and takes the target protection module with the lowest priority as the path end, generating the traction path.
It should be noted that if a preamble protection module and/or the target protection module includes several protection submodules, the configuration subunit configures each protection submodule into the traction path according to the preset priority of each protection submodule and the position of the preamble protection module or target protection module in the traction path. For example, the target protection module is the seven-layer protection module, which includes a WAP (Wireless Application Protocol) protection submodule, a CC (Challenge Collapsar) protection submodule and so on; the seven-layer protection module is then configured as the path end, and the path end includes the WAP protection submodule, the CC protection submodule and so on, arranged in order of priority.
In some embodiments, if no protection module with a priority higher than that of the target protection module is obtained, the configuration subunit configures the traction path to consist of the target protection module alone.
The path unit 403 thus obtains the traction path.
(4) Traction unit 404:
The traction unit 404 is configured to draw, according to the traction path, the service traffic directed at the target route to the corresponding protection modules for cleaning.
The service traffic directed at the target route is service traffic whose destination address is identical to the target route, or whose destination address lies within the network segment of the target route.
After receiving the traffic forwarded by the core router, the traction unit 404 obtains the destination address the traffic accesses; if the destination address is identical to the target route or lies within the network segment of the target route, it determines that this traffic is directed at the target route.
The traction unit 404 then draws this service traffic to the path start according to the traction path for cleaning.
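The cleaning-switch logic described above (target-route generation under the one-to-one and one-to-many policies, the path unit's screening and configuration of the traction path with submodule expansion, and the traction unit's test of which traffic is directed at the target route), as an added illustration that is not the patent's own code. Module names, priority values, submodule names and addresses are constructed sample values.

```python
"""Traction-path construction and traffic matching for the cleaning switch.
Added example, not the patent's code; all names, priorities and addresses are
constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProtectionModule:
    name: str                              # e.g. "L4" (four-layer) or "L7" (seven-layer)
    priority: int                          # set at BGP setup; the lower layer gets the higher value
    published_route: Optional[str] = None  # route currently issued to the cleaning switch, if any
    submodules: Tuple[str, ...] = ()       # protection submodules in their preset priority order


def generate_target_route(dst_ip: str, policy: str) -> str:
    """Target route a protection module publishes for the attacked destination address.

    'one-to-one' publishes the /32 host route itself; 'one-to-many' publishes
    the /24 segment containing it (the two policies named in the text)."""
    addr = ipaddress.ip_address(dst_ip)
    if policy == "one-to-one":
        return f"{addr}/32"
    if policy == "one-to-many":
        return str(ipaddress.ip_network(f"{addr}/24", strict=False))
    raise ValueError(f"unknown policy {policy!r}")


Hop = Tuple[str, Optional[str]]   # (module name, submodule name or None)


def build_traction_path(modules: List[ProtectionModule],
                        target: ProtectionModule) -> List[Hop]:
    """Ordered hops ending at the target protection module.

    Only modules that currently publish a route count (the switch learns them
    from the routes it receives).  Those with priority above the target's are
    the preamble modules, ordered from highest priority down; a module with
    submodules expands into one hop per submodule in preset order.  With no
    higher-priority module the path is the target alone."""
    published = [m for m in modules if m.published_route is not None]
    if target not in published:
        raise ValueError("target module has not published a route")
    preamble = sorted((m for m in published if m.priority > target.priority),
                      key=lambda m: m.priority, reverse=True)
    path: List[Hop] = []
    for m in preamble + [target]:
        for sub in (m.submodules or (None,)):
            path.append((m.name, sub))
    return path


def points_to_target_route(dst_ip: str, target_route: str) -> bool:
    """Traction-unit check: destination equals the target route or lies in its segment."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(target_route, strict=False)


def next_hop(path: List[Hop], current: Hop) -> Optional[Hop]:
    """Where traffic judged safe by `current` goes next: the following hop, or
    None when `current` is the path end (the traffic is returned to source)."""
    idx = path.index(current)
    return path[idx + 1] if idx + 1 < len(path) else None


if __name__ == "__main__":
    l4 = ProtectionModule("L4", priority=20, published_route="203.0.113.10/32")
    l7 = ProtectionModule("L7", priority=10, published_route="203.0.113.0/24",
                          submodules=("WAP", "CC"))
    print(build_traction_path([l4, l7], target=l7))  # [('L4', None), ('L7', 'WAP'), ('L7', 'CC')]
```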
In some embodiments, the traction path includes one or more preamble protection modules ordered before the target protection module, and the traction unit may include a first traction subunit, a second traction subunit, a return-to-source subunit, a re-injection subunit and a sharing subunit:
(1) The first traction subunit is configured to draw, according to the traction path, the service traffic directed at the target route to a preamble protection module so that the preamble protection module performs attack detection.
According to the traction path, the first traction subunit draws the service traffic to the path start, i.e. the protection module with the highest priority, for cleaning.
The preamble protection module performs attack detection to detect whether the service traffic is attack traffic; for example, protection policies such as the SYN cookie algorithm, the SYN Reset algorithm and TCP packet state detection may be used. For the specific implementation, reference may be made to the above embodiments of the distributed denial-of-service attack protection method or protection system, which are not repeated here.
(2) The re-injection subunit is configured, if re-injected traffic returned by the preamble protection module during attack detection is received, to return the re-injected traffic to the client corresponding to the service traffic.
For example, taking a SYN Flood attack, the preamble protection module is a four-layer protection module and triggers the SYN cookie algorithm to perform attack detection. The preamble protection module intercepts the SYN packet negotiating a new TCP connection, computes a cookie value from the connection information, and returns it to the client as the initial sequence number (seq number) of the SYN+ACK packet. The packet the preamble protection module needs to return to the client is thus a SYN+ACK packet containing this cookie value, and this SYN+ACK packet returned to the client is re-injected traffic.
When the re-injection subunit receives the re-injected traffic returned by the preamble protection module for this service traffic, it returns the re-injected traffic to the client corresponding to this service traffic.
(3) second traction subelements, if being determined as safe traffic by preamble protection module for service traffics, basis is led It leads the way diameter, service traffics is drawn to next preamble protection module or Target Protection module carries out Detection by the method for attack.
If preamble protection module detects to obtain this service traffics to be safe traffic, the target routing being directed toward due to service traffics Corresponding to the protection module of more high-level, it is also necessary to the protection module of more high-level is further detected, therefore, preamble protection This service traffics is returned to distributed denial of service attack protective device by module.
Second traction subelement receives this traction flow that preamble protection module returns, this service traffics is drawn to traction Next node in path: next preamble protection module or Target Protection module carry out Detection by the method for attack.
For example, a client is determined as security client by the detection of preamble protection module, if this client sends industry It is engaged in flow such as HTTP request, preamble protection module determines that the service traffics of this client are according to information such as the marks of client This service traffics is then returned to distributed denial of service attack protective device by safe traffic.
Second traction subelement receives this service traffics that preamble protection module returns and then draws this service traffics To the next node in traction path: next preamble protection module or Target Protection module realize the protection module from low-level Cleaning is gradually completing to high-level protection module.
If preamble protection module detects that service traffics are attack traffic, this flow is directly abandoned.
(4) Re-injection subunit: if re-injection traffic returned by the target protection module during attack detection is received, return the re-injection traffic to the client corresponding to the service traffic.
Take a layer-7 protection module as the target protection module: it performs attack detection with protection strategies such as verification codes (captchas) and JavaScript (scripting-language) algorithms. After the target protection module modifies the packets of the service traffic, it generates re-injection traffic and returns it to the distributed denial-of-service attack protection device.
When the re-injection subunit receives the re-injection traffic that the target protection module returned for this service traffic, it returns that re-injection traffic to the client corresponding to the service traffic.
(5) Source-return subunit: if the target protection module determines that the service traffic is safe traffic, return the service traffic to its source, that is, forward it to the destination address.
If the target protection module, the endpoint of the path, determines after attack detection that the service traffic is safe traffic, it returns the traffic to the distributed denial-of-service attack protection device.
The source-return subunit receives the service traffic returned by the target protection module and forwards it to its destination address so that normal service communication can proceed.
For example, suppose a client has been judged a secure client by the detection of the target protection module. When this client sends service traffic such as an HTTP request, the target protection module determines from information such as the client's identifier that the traffic is safe traffic and returns it to the distributed denial-of-service attack protection device.
The source-return subunit receives the service traffic returned by the target protection module and forwards it to the destination address the client is accessing, so that normal service communication proceeds.
If the target protection module detects that the service traffic is attack traffic, the traffic is discarded directly.
In some embodiments the traction path contains only the target protection module. In that case the first traction subunit draws the service traffic that points to the target route to the target protection module for cleaning; the re-injection subunit returns any re-injection traffic that the target protection module sends back during attack detection to the client corresponding to the service traffic; the source-return subunit forwards the service traffic to its destination address if the target protection module determines it to be safe traffic; and if the target protection module detects that the service traffic is attack traffic, the traffic is discarded directly.
(6) Sharing subunit: obtain the attack detection results of the preamble protection modules and/or the target protection module; derive attack information by analysing those results, and share the attack information with the protection modules in the traction path.
Specifically, in one implementation, after a preamble protection module and/or the target protection module performs attack detection on the service traffic, an attack detection result is obtained that indicates whether the service traffic is attack traffic. The preamble protection module and/or the target protection module return the attack detection result to the sharing subunit.
In another embodiment, the sharing subunit determines the attack detection result from the traffic that the preamble protection module and/or the target protection module return. For example: if the service traffic returned by the target protection module is received, the attack detection result is that the traffic is safe traffic; if neither returned service traffic nor re-injection traffic is received from the target protection module or a preamble protection module within a preset time, the attack detection result is that the traffic is attack traffic; and if a service-traffic discard notification message is received from a preamble protection module or the target protection module, the attack detection result is that the traffic is attack traffic.
From the attack detection result, the sharing subunit judges whether the client that sent the service traffic is trusted; if the client is trusted, the sharing subunit can also judge the client's trust level. The sharing subunit can then share information such as whether the client is trusted and its trust level, as attack information, with the other protection modules in the traction path.
For example, let the preamble protection module be a layer-4 protection module and the target protection module a layer-7 protection module. If the layer-4 protection module determines that the service traffic is safe traffic, the sharing subunit determines from the attack detection result that the client that sent the traffic is a high-level trusted client and sends this fact, as attack information, to the layer-7 protection module. When the layer-7 protection module receives the service traffic drawn to it by the second traction subunit, it learns from the attack information that the corresponding client is a high-level trusted client, determines that the traffic is safe traffic, and returns it to the source-return subunit, which forwards it to the destination address the service traffic points to for normal service communication.
This reduces repeated work among the protection modules of different levels and lowers resource and performance consumption.
In summary, in the embodiment of the present invention the receiving unit 401 receives the target route published by the target protection module, which determines the host route to be protected and the service traffic that needs to be drawn for cleaning; the priority unit 402 obtains the priority information of the protection modules that have currently published routes, that is, which protection modules are currently running and what their priorities are; the path unit 403 generates a traction path from the priority information with the target protection module as the path endpoint; and the traction unit 404 draws the service traffic that points to the target route to the corresponding protection modules along the traction path for cleaning. This scheme determines the traction path from the priorities of the routes published by the mounted protection modules, so that the protection modules currently performing distributed denial-of-service protection are called upon and the running protection modules are used rationally: the service traffic pointing to the destination address is cleaned before it reaches the target protection module, which filters attack traffic on behalf of the target protection module, relieves its workload and reduces the performance it consumes. Whether a single-layer attack or a mixed attack occurs, the protection modules can defend effectively. By connecting multi-layer protection modules in series through the traction path, the scheme achieves layered defence against distributed denial-of-service attacks, filters the service traffic through the series connection and reduces the workload of the high-cost protection modules, thereby balancing the overall functionality and performance of the distributed denial-of-service attack protection system and improving the overall protection effect against distributed denial-of-service attacks.
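As an added example (not code from the patent or its assignee), the following Python simulation models the cleaning-switch logic described in this section: build_traction_path implements the priority ordering of claims 2-3, draw_traffic the traction, re-injection and source-return subunits, and detection_result the sharing subunit's inference of the attack detection result from returned traffic, re-injection traffic, a discard notification or a timeout. Module names, priorities, client identifiers and the layer-4/layer-7 checks are constructed sample values.

```python
"""Added illustration (not the patent's own code) of the cleaning-switch logic
described above: traction-path generation by priority, drawing traffic through
the path, and handling discard, re-injection and source return.  All module
names, priorities, client ids and checks are constructed sample values."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# What the cleaning switch observes coming back from a protection module:
#   ("return", flow)    safe traffic handed back for the next node
#   ("reinject", flow)  target module changed the packet (JS / captcha challenge)
#   ("discard",)        discard notification: the module dropped attack traffic
#   None                nothing returned within the preset time
Response = Optional[Tuple]


@dataclass
class ProtectionModule:
    name: str
    priority: int                              # higher value cleans earlier
    detect: Callable[[dict, Dict[str, str]], Response]


def build_traction_path(published: List[ProtectionModule],
                        target: ProtectionModule) -> List[str]:
    """Claims 2-3: preamble modules are the published modules whose priority
    is higher than the target's, sorted high to low; the target is the endpoint."""
    preamble = sorted((m for m in published if m.priority > target.priority),
                      key=lambda m: m.priority, reverse=True)
    return [m.name for m in preamble] + [target.name]


def detection_result(resp: Response) -> str:
    """Sharing subunit: derive the attack detection result from what came back.
    A timeout and a discard notification both mean attack traffic."""
    if resp is None or resp[0] == "discard":
        return "attack"
    return "safe"


def draw_traffic(path: List[str], modules: Dict[str, ProtectionModule],
                 flow: dict, attack_info: Dict[str, str]) -> Tuple[str, List[str]]:
    """Traction unit: walk one flow along the path.  Returns (outcome, trace);
    outcome is 'dropped', 'reinjected' or 'source-return'."""
    trace: List[str] = []
    for name in path:
        resp = modules[name].detect(flow, attack_info)
        if detection_result(resp) == "attack":
            trace.append(f"{name}:attack")
            return "dropped", trace            # the module already discarded it
        if resp[0] == "reinject":
            trace.append(f"{name}:reinject")
            return "reinjected", trace         # re-injection subunit -> client
        trace.append(f"{name}:safe")
        flow = resp[1]
        # sharing subunit: a client cleared here is marked trusted for later nodes
        attack_info[flow["client"]] = "high"
    return "source-return", trace              # endpoint cleared it -> destination


def l4_detect(flow: dict, info: Dict[str, str]) -> Response:
    """Constructed layer-4 check: flows flagged as SYN floods are discarded."""
    if flow.get("syn_flood"):
        return ("discard",)
    return ("return", flow)


def l7_detect(flow: dict, info: Dict[str, str]) -> Response:
    """Constructed layer-7 check: trusted or already-challenged clients pass;
    a flagged bad client is silently dropped (times out); others get a challenge."""
    client = flow["client"]
    if info.get(client) == "high" or flow.get("challenge_passed"):
        return ("return", flow)
    if flow.get("bad_client"):
        return None
    return ("reinject", dict(flow, challenge="js"))


def simulate() -> Dict[str, Tuple[str, List[str]]]:
    l4 = ProtectionModule("l4_cluster", 20, l4_detect)
    l7 = ProtectionModule("l7_cluster", 10, l7_detect)
    modules = {m.name: m for m in (l4, l7)}
    full_path = build_traction_path([l7, l4], target=l7)   # l4 first, l7 endpoint
    l7_only = build_traction_path([l7], target=l7)         # path with target only
    shared: Dict[str, str] = {}
    return {
        "syn_flood": draw_traffic(full_path, modules,
                                  {"client": "client_a", "syn_flood": True}, shared),
        "normal_http": draw_traffic(full_path, modules, {"client": "client_b"}, shared),
        "l7_only_challenge": draw_traffic(l7_only, modules, {"client": "client_c"}, {}),
        "l7_only_timeout": draw_traffic(l7_only, modules,
                                        {"client": "client_d", "bad_client": True}, {}),
    }


if __name__ == "__main__":
    for case, (outcome, trace) in simulate().items():
        print(f"{case:18} {outcome:14} {' -> '.join(trace)}")
```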
An embodiment of the present invention also provides a network device. Fig. 5 shows a schematic structural diagram of the network device involved in the embodiment of the present invention, specifically:
The network device may include a processor 501 with one or more processing cores, a memory 502 with one or more computer-readable storage media, a power supply 503, an input unit 505 and other components. Those skilled in the art will understand that the network device structure shown in Fig. 5 does not limit the network device, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently. In particular:
The processor 501 is the control centre of the network device. It connects all parts of the whole device through various interfaces and lines, and performs the device's functions and processes its data by running or executing the software programs and/or modules stored in the memory 502 and calling the data stored in the memory 502, thereby monitoring the network device as a whole. Optionally, the processor 501 may include one or more processing cores; preferably, the processor 501 integrates an application processor, which mainly handles the operating system, user interface and application programs, and a modem processor, which mainly handles wireless communication. It is understood that the modem processor need not be integrated into the processor 501.
The memory 502 can be used to store software programs and modules; the processor 501 performs various functional applications and data processing by running the software programs and modules stored in the memory 502. The memory 502 may mainly include a program storage area and a data storage area. The program storage area can store the operating system and the application programs required by at least one function (such as a sound-playing function or an image-playing function); the data storage area can store data created according to the use of the network device. In addition, the memory 502 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other volatile solid-state storage device. Correspondingly, the memory 502 may also include a memory controller to provide the processor 501 with access to the memory 502.
The network device further includes a power supply 503 that supplies power to all the components. Preferably, the power supply 503 is logically connected to the processor 501 through a power management system, so that charging, discharging and power consumption management are handled by the power management system. The power supply 503 may also include one or more DC or AC power sources, a recharging system, a power-failure detection circuit, a power converter or inverter, a power status indicator and any other such components.
The network device may also include an input unit 505, which can be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal input related to user settings and function control.
Although not shown, the network device may also include a display unit and the like, which are not described here. Specifically, in this embodiment the processor 501 in the network device loads the executable files corresponding to the processes of one or more application programs into the memory 502 according to the following instructions, and the processor 501 runs the application programs stored in the memory 502 to implement the following functions:
receiving the target route published by the target protection module, the target route being generated by the target protection module according to the destination address of the distributed denial-of-service attack;
obtaining the priority information of the protection modules that have currently published routes;
generating a traction path according to the priority information, with the target protection module as the path endpoint;
drawing the service traffic that points to the target route to the corresponding protection modules according to the traction path for cleaning.
In the above embodiments, the description of each embodiment has its own emphasis; for parts that are not described in detail in one embodiment, refer to the detailed description of the distributed denial-of-service attack protection method above, which is not repeated here.
Those skilled in the art will understand that all or part of the steps of the methods in the above embodiments can be completed by instructions, or by controlling the relevant hardware with instructions; the instructions can be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present invention provides a storage medium in which a plurality of instructions are stored; the instructions can be loaded by a processor to execute the steps of any of the distributed denial-of-service attack protection methods provided by the embodiments of the present invention. For example, the instructions can execute the following steps:
receiving the target route published by the target protection module, the target route being generated by the target protection module according to the destination address of the distributed denial-of-service attack;
obtaining the priority information of the protection modules that have currently published routes;
generating a traction path according to the priority information, with the target protection module as the path endpoint;
drawing the service traffic that points to the target route to the corresponding protection modules according to the traction path for cleaning.
The specific implementation of each of the above operations can be found in the preceding embodiments and is not repeated here.
The storage medium may include read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, and the like.
Because the instructions stored in the storage medium can execute the steps of any distributed denial-of-service attack protection method provided by the embodiments of the present invention, they can achieve the beneficial effects of any such method; see the preceding embodiments for details, which are not repeated here.
The distributed denial-of-service attack protection method, system, device and storage medium provided by the embodiments of the present invention have been described in detail above. Specific examples have been used to explain the principle and implementation of the present invention; the description of the embodiments above is only intended to help understand the method of the present invention and its core idea. At the same time, those skilled in the art will, following the idea of the present invention, make changes in the specific implementation and scope of application. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims (15)

1. A distributed denial-of-service attack protection method, characterised by comprising:
receiving a target route published by a target protection module, the target route being generated by the target protection module according to the destination address of a distributed denial-of-service attack;
obtaining priority information of the protection modules that have currently published routes;
generating a traction path according to the priority information, with the target protection module as the path endpoint;
drawing the service traffic that points to the target route to the corresponding protection modules according to the traction path for cleaning.
2. The method of claim 1, characterised in that generating a traction path according to the priority information with the target protection module as the path endpoint comprises:
obtaining, according to the priority information, the protection modules whose priority is higher than that of the target protection module as preamble protection modules;
generating a traction path with the target protection module as the path endpoint according to the priorities of the preamble protection modules and the target protection module.
3. The method of claim 2, characterised in that generating a traction path with the target protection module as the path endpoint according to the priorities of the preamble protection modules and the target protection module comprises:
sorting the preamble protection modules and the target protection module in order of priority from high to low according to the priority information;
generating the traction path according to the sorted order, with the preamble protection module of highest priority as the path start point and the target protection module as the path endpoint.
4. The method of claim 1, characterised in that the traction path includes one or more preamble protection modules ordered before the target protection module, and drawing the service traffic that points to the target route to the corresponding protection modules according to the traction path for cleaning comprises:
drawing, according to the traction path, the service traffic that points to the target route to the preamble protection module, so that the preamble protection module performs attack detection;
if the preamble protection module determines that the service traffic is safe traffic, drawing the service traffic according to the traction path to the next preamble protection module or to the target protection module for attack detection.
5. The method of claim 4, characterised in that, after drawing the service traffic to the target protection module for attack detection, the method further comprises:
if the target protection module determines that the service traffic is safe traffic, returning the service traffic to the destination address (source return).
6. The method of claim 4, characterised by further comprising:
if re-injection traffic returned by the preamble protection module and/or the target protection module during attack detection is received, returning the re-injection traffic to the client corresponding to the service traffic.
7. The method of claim 4, characterised by further comprising:
obtaining the attack detection results of the preamble protection module and/or the target protection module;
obtaining attack information by analysing the attack detection results, and sharing the attack information with the protection modules in the traction path.
8. A distributed denial-of-service attack protection system, characterised by comprising:
a detection device, for triggering, when a distributed denial-of-service attack is detected, a target protection cluster to publish a target route to a cleaning switch, the target route being generated by the target protection cluster according to the destination address of the distributed denial-of-service attack;
a cleaning switch, for receiving the target route published by the target protection cluster, the target route being generated by the target protection cluster according to the destination address of the distributed denial-of-service attack; obtaining priority information of the protection clusters that have currently published routes; generating a traction path according to the priority information, with the target protection cluster as the path endpoint; and drawing the service traffic that points to the target route to the corresponding protection clusters according to the traction path for cleaning;
protection clusters, including at least the target protection cluster, for publishing routes to the cleaning switch and for cleaning the service traffic drawn by the cleaning switch.
9. The system of claim 8, characterised in that the detection device is specifically used for:
when a distributed denial-of-service attack is detected, obtaining the attacked destination address;
determining, according to a preset network communication model, the layer at which the destination address is located, and taking the layer at which the destination address is located as the target layer;
taking the protection cluster corresponding to the target layer as the target protection cluster, and issuing a route traction instruction to the target protection cluster to trigger the target protection cluster to publish a target route to the cleaning switch according to the destination address.
10. The system of claim 8, characterised in that the protection clusters further include one or more preamble protection clusters whose priority is higher than that of the target protection cluster:
the preamble protection cluster is used for performing attack detection on the service traffic drawn by the cleaning switch, and, if the service traffic is confirmed as safe traffic, returning the service traffic to the cleaning switch;
the cleaning switch is further used for drawing the service traffic, according to the traction path, to the next preamble protection cluster or to the target protection cluster for attack detection.
11. The system of any one of claims 8 to 10, characterised in that the target protection module is specifically used for:
cleaning the service traffic drawn by the cleaning switch, and, if the service traffic is confirmed as safe traffic, returning the service traffic to the cleaning switch;
the cleaning switch is further used for receiving the service traffic returned by the target protection module and returning the service traffic to the destination address (source return).
12. A distributed denial-of-service attack protection device, characterised by comprising:
a receiving unit, for receiving a target route published by a target protection module, the target route being generated by the target protection module according to the destination address of a distributed denial-of-service attack;
a priority unit, for obtaining priority information of the protection modules that have currently published routes;
a path unit, for generating a traction path according to the priority information, with the target protection module as the path endpoint;
a traction unit, for drawing the service traffic that points to the target route to the corresponding protection modules according to the traction path for cleaning.
13. The device of claim 12, characterised in that the path unit includes a screening subunit and a configuration subunit:
the screening subunit, for obtaining, according to the priority information, the protection modules whose priority is higher than that of the target protection module as preamble protection modules;
the configuration subunit, for generating a traction path with the target protection module as the path endpoint according to the priorities of the preamble protection modules and the target protection module.
14. The device of claim 12, characterised in that the traction path includes one or more preamble protection modules ordered before the target protection module, and the traction unit includes a first traction subunit and a second traction subunit:
the first traction subunit, for drawing, according to the traction path, the service traffic that points to the target route to the preamble protection module, so that the preamble protection module performs attack detection;
the second traction subunit, for drawing the service traffic, according to the traction path, to the next preamble protection module or to the target protection module for attack detection if the preamble protection module determines that the service traffic is safe traffic.
15. A storage medium, characterised in that the storage medium stores a plurality of instructions, the instructions being suitable for loading by a processor to execute the steps of the distributed denial-of-service attack protection method of any one of claims 1 to 7.
CN201810572199.3A 2018-06-06 2018-06-06 Attack protection method, system, device and storage medium Active CN110213214B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810572199.3A CN110213214B (en) 2018-06-06 2018-06-06 Attack protection method, system, device and storage medium

Publications (2)

Publication Number Publication Date
CN110213214A true CN110213214A (en) 2019-09-06
CN110213214B CN110213214B (en) 2021-08-31

Family

ID=67779017

Country Status (1)

Country Link
CN (1) CN110213214B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110768975A (en) * 2019-10-21 2020-02-07 杭州迪普科技股份有限公司 Flow cleaning method and device, electronic equipment and machine readable storage medium
CN110809004A (en) * 2019-11-12 2020-02-18 成都知道创宇信息技术有限公司 Safety protection method and device, electronic equipment and storage medium
CN110830474A (en) * 2019-11-08 2020-02-21 中盈优创资讯科技有限公司 Network attack protection system and method, and flow control device
CN111741021A (en) * 2020-08-03 2020-10-02 北京翼鸥教育科技有限公司 Detection and protection system for CC attack access service cluster
CN114338066A (en) * 2020-09-30 2022-04-12 中移(苏州)软件技术有限公司 Defense method, system, equipment and storage medium for denial of service attack

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020083175A1 (en) * 2000-10-17 2002-06-27 Wanwall, Inc. (A Delaware Corporation) Methods and apparatus for protecting against overload conditions on nodes of a distributed network
CN101447996A (en) * 2008-12-31 2009-06-03 成都市华为赛门铁克科技有限公司 Defending method for distributed service-refusing attack and system and device thereof
CN101616129A (en) * 2008-06-27 2009-12-30 成都市华为赛门铁克科技有限公司 The methods, devices and systems of anti-network attack flow overload protection
CN102143143A (en) * 2010-10-15 2011-08-03 华为数字技术有限公司 Method and device for defending network attack, and router
CN102263788A (en) * 2011-07-14 2011-11-30 百度在线网络技术(北京)有限公司 Method and equipment for defending against denial of service (DDoS) attack to multi-service system
CN104539594A (en) * 2014-12-17 2015-04-22 南京晓庄学院 SDN (software defined network) framework, system and working method combining DDoS (distributed denial of service) threat filtering and routing optimization
CN106411910A (en) * 2016-10-18 2017-02-15 上海优刻得信息科技有限公司 Defense method and system for distributed denial of service (DDoS) attacks

Also Published As

Publication number Publication date
CN110213214B (en) 2021-08-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant