CN110213214B - Attack protection method, system, device and storage medium - Google Patents

Info

Publication number
CN110213214B
Authority
CN
China
Prior art keywords
target
protection module
protection
service
attack
Legal status
Active
Application number
CN201810572199.3A
Other languages
Chinese (zh)
Other versions
CN110213214A (en)
Inventor
金帅
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201810572199.3A
Publication of CN110213214A
Application granted
Publication of CN110213214B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the invention disclose a distributed denial of service (DDoS) attack protection method, system, device and storage medium. The embodiments can receive a target route issued by a target protection module, where the target route is generated by the target protection module from the target address of the DDoS attack; acquire priority information of the protection modules that have currently issued routes; generate a traction path according to the priority information, with the target protection module as the path end point; and, according to the traction path, pull the service traffic pointing to the target route to the corresponding protection modules for cleaning. The scheme therefore uses the traction path to connect multiple layers of protection modules in series: it provides multi-layer defense against DDoS attacks and, through the series connection, filters the service traffic, which ensures the completeness of function and the performance balance of the DDoS protection system as a whole and improves the overall protection effect against DDoS attacks.

Description

Attack protection method, system, device and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular to a method, system, apparatus and storage medium for protecting against distributed denial of service attacks.
Background
As network bandwidth has grown, the traffic volume of DDoS (Distributed Denial of Service) attacks has grown explosively. To achieve its purpose, a large attack stream often combines several attack methods at once, for example reflection attacks, connection-exhaustion attacks and CC (Challenge Collapsar) attacks. The traditional protection scheme mainly deploys a DDoS defense device at the entrance of the machine room and provides layer-4 and layer-7 protection functions at the network layer.
In the course of research and practice on the prior art, the inventors of the present invention found that layer-7 DDoS defense generally requires deep packet analysis and detection, such as feature filtering and regular-expression matching, and therefore consumes more power and occupies more resources than layer-4 DDoS defense. When a mixed layer-4 and layer-7 DDoS attack occurs and the same device performs both layer-4 and layer-7 defense at the same time, the layer-7 defense consumes a large share of the device's performance, few resources remain for the layer-4 defense, the performance of the layer-4 defense is seriously affected, and the overall DDoS defense effect is poor.
Disclosure of Invention
The embodiments of the invention provide a method, system, device and storage medium for protecting against distributed denial of service attacks, aiming to improve the protection effect against such attacks.
An embodiment of the invention provides a distributed denial of service attack protection method comprising the following steps:
receiving a target route issued by a target protection module, wherein the target route is generated by the target protection module according to the target address of the distributed denial of service attack;
acquiring priority information of the protection modules that have currently issued routes;
generating a traction path according to the priority information, with the target protection module as the path end point;
and, according to the traction path, pulling the service traffic pointing to the target route to the corresponding protection modules for cleaning.
In some embodiments, generating the traction path with the target protection module as the path end point according to the priority information includes:
according to the priority information, acquiring the protection modules whose priority is higher than that of the target protection module as preceding protection modules;
and generating the traction path with the target protection module as the path end point according to the priorities of the preceding protection modules and the target protection module.
In some embodiments, generating the traction path with the target protection module as the path end point according to the priorities of the preceding protection modules and the target protection module includes:
sorting the preceding protection modules and the target protection module from high priority to low according to the priority information;
and, according to that order, generating the traction path with the highest-priority preceding protection module as the path starting point and the target protection module as the path end point.
In some embodiments, pulling the service traffic pointing to the target route to the corresponding protection modules for cleaning according to the traction path includes:
according to the traction path, pulling the service traffic pointing to the target route to a preceding protection module so that the preceding protection module performs attack detection;
and, if the preceding protection module determines the service traffic to be safe traffic, pulling the service traffic, according to the traction path, to the next preceding protection module or to the target protection module for attack detection.
In some embodiments, pulling the service traffic to the target protection module for attack detection further includes:
if the target protection module determines the service traffic to be safe traffic, returning the service traffic to the target address.
In some embodiments, the method further comprises:
if reinjected traffic returned by the preceding protection module and/or the target protection module is received during attack detection, returning the reinjected traffic to the client corresponding to the service traffic.
In some embodiments, the method further comprises:
acquiring the attack detection results of the preceding protection module and/or the target protection module;
and analyzing the attack detection results to obtain attack information, and sharing the attack information with the protection modules in the traction path.
An embodiment of the present invention further provides a distributed denial of service attack protection system, including:
a detection device, configured to trigger the target protection cluster to issue a target route to the cleaning switch when a distributed denial of service attack is detected, wherein the target route is generated by the target protection cluster according to the target address of the distributed denial of service attack;
a cleaning switch, configured to receive the target route issued by the target protection cluster, wherein the target route is generated by the target protection cluster according to the target address of the distributed denial of service attack; acquire priority information of the protection clusters that have currently issued routes; generate a traction path according to the priority information, with the target protection cluster as the path end point; and, according to the traction path, pull the service traffic pointing to the target route to the corresponding protection clusters for cleaning;
and protection clusters, comprising at least the target protection cluster, configured to issue routes to the cleaning switch and to clean the service traffic pulled by the cleaning switch.
In some embodiments, the detection device is specifically configured to:
when a distributed denial of service attack is detected, acquire the attacked target address;
determine the layer of the target address according to a preset network communication model and take that layer as the target layer;
and take the protection cluster corresponding to the target layer as the target protection cluster, and issue a route traction instruction to the target protection cluster to trigger it to issue a target route to the cleaning switch according to the target address.
In some embodiments, the protection clusters further comprise one or more preceding protection clusters whose priority is higher than that of the target protection cluster:
the preceding protection cluster is configured to perform attack detection on the service traffic pulled by the cleaning switch and, if the service traffic is determined to be safe traffic, to return it to the cleaning switch;
and the cleaning switch is further configured to pull the service traffic, according to the traction path, to the next preceding protection cluster or to the target protection cluster for attack detection.
In some embodiments, the preceding protection cluster is further configured to:
during attack detection, if reinjected traffic is generated according to a preset protection policy, return the reinjected traffic to the cleaning switch;
and the cleaning switch is further configured to receive the reinjected traffic and return it to the client corresponding to the service traffic.
In some embodiments, the target protection cluster is specifically configured to:
clean the service traffic pulled by the cleaning switch and, if the service traffic is determined to be safe traffic, return it to the cleaning switch;
and the cleaning switch is further configured to receive the service traffic returned by the target protection cluster and return it to the source of the target address.
An embodiment of the present invention further provides a distributed denial of service attack protection device, including:
a receiving unit, configured to receive a target route issued by a target protection module, wherein the target route is generated by the target protection module according to the target address of the distributed denial of service attack;
a priority unit, configured to acquire priority information of the protection modules that have currently issued routes;
a path unit, configured to generate a traction path according to the priority information, with the target protection module as the path end point;
and a traction unit, configured to pull the service traffic pointing to the target route to the corresponding protection modules for cleaning according to the traction path.
An embodiment of the present invention further provides a storage medium storing multiple instructions suitable for being loaded by a processor to execute the steps of any distributed denial of service attack protection method provided by the embodiments of the present invention.
The embodiments of the invention determine the service traffic that needs to be pulled for cleaning by receiving the target route issued by the target protection module, i.e. the host route that needs protection; they then acquire the priority information of the protection modules that have currently issued routes, which yields the currently running protection modules and their priorities; they generate a traction path according to the priority information, with the target protection module as the path end point; and they pull the service traffic pointing to the target route to the corresponding protection modules for cleaning according to the traction path. Because the traction path is determined from the priorities of the routes issued by the mounted protection modules, the protection modules currently performing distributed denial of service attack protection are invoked and the running modules are used reasonably: service traffic pointing to the target address is cleaned before it reaches the target protection module, which filters attack traffic on the target protection module's behalf, reduces its workload and reduces the performance it occupies. The protection modules can defend effectively whether a single-layer attack or a mixed attack occurs. The scheme therefore uses the traction path to connect multiple layers of protection modules in series: it provides multi-layer defense against distributed denial of service attacks and, through the series connection, filters the service traffic, thereby reducing the workload of the high-cost protection module, ensuring the completeness of function and the performance balance of the distributed denial of service attack protection system as a whole, and improving the overall protection effect.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed to describe the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without creative effort.
FIG. 1a is a schematic diagram of a scene of an information interaction system according to an embodiment of the present invention;
FIG. 1b is a schematic flowchart of a distributed denial of service attack protection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an application scenario for distributed denial of service attack protection according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a distributed denial of service attack protection system according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a distributed denial of service attack protection apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a network device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
The embodiments of the invention provide a distributed denial of service attack protection method, system, device and storage medium.
The embodiments of the invention provide an information interaction system that includes any of the distributed denial of service attack protection devices provided by the embodiments; the protection device may be integrated in equipment such as a server. The system may also include other devices, such as clients and protection modules. A client may be a terminal, a Personal Computer (PC) or the like.
Referring to FIG. 1a, an embodiment of the present invention provides an information interaction system including a distributed denial of service attack protection device, a client and protection modules. The protection device is connected with the client through a network or a core router, and the core router forwards the service traffic sent by the client to the protection device. The protection modules are mounted under the protection device and include at least a target protection module.
When a distributed denial of service attack occurs, the target protection module generates a target route according to the target address of the attack and issues it to the protection device. The protection device receives the target route issued by the target protection module and acquires the priority information of the protection modules that have currently issued routes; it then generates a traction path according to the priority information, with the target protection module as the path end point; and when it receives service traffic sent by the client, it pulls the service traffic pointing to the target route to the corresponding protection modules for cleaning according to the traction path.
The traction path is thus determined from the priorities of the routes issued by the mounted protection modules, so that the protection modules currently performing distributed denial of service attack protection are invoked and the running modules are used reasonably: service traffic pointing to the target address is cleaned before it reaches the target protection module, which filters attack traffic on the target protection module's behalf, reduces its workload and reduces the performance it occupies. The protection modules can defend effectively whether a single-layer attack or a mixed attack occurs. The scheme therefore uses the traction path to connect multiple layers of protection modules in series: it provides multi-layer defense against distributed denial of service attacks and, through the series connection, filters the service traffic, thereby reducing the workload of the high-cost protection module, ensuring the completeness of function and the performance balance of the distributed denial of service attack protection system as a whole, and improving the overall protection effect.
The example of FIG. 1a is only one system architecture for implementing the embodiments of the present invention; the embodiments are not limited to the architecture shown in FIG. 1a, and the various embodiments of the present invention are proposed on the basis of this architecture.
In this embodiment, the description is given from the perspective of the distributed denial of service attack protection device, which may be integrated in a network device such as a switch or a server.
An embodiment of the invention provides a distributed denial of service attack protection method comprising the following steps: receiving a target route issued by a target protection module, wherein the target route is generated by the target protection module according to the target address of the distributed denial of service attack; acquiring priority information of the protection modules that have currently issued routes; generating a traction path according to the priority information, with the target protection module as the path end point; and, according to the traction path, pulling the service traffic pointing to the target route to the corresponding protection modules for cleaning.
As shown in FIG. 1b, the specific flow of the distributed denial of service attack protection method may be as follows:
101. Receive the target route issued by the target protection module, wherein the target route is generated by the target protection module according to the target address of the distributed denial of service attack.
When a Distributed Denial of Service (DDoS) attack occurs, the detection device obtains the IP (Internet Protocol) address of the attacked service host and uses it as the target address to be protected.
The detection device then determines the target protection module according to the target address, issues a route traction command to the target protection module, and triggers it to issue the target route to the cleaning switch. The detection device can determine the layer of the target address according to a preset network communication model, take that layer as the target layer, and then take the protection module corresponding to the target layer as the target protection module.
It should be noted that the preset network communication model may be the TCP/IP (Transmission Control Protocol/Internet Protocol) model, which from the lowest layer to the highest comprises the network interface layer, the network layer, the transport layer and the application layer. It may also be the Open System Interconnection (OSI) model, which from the lowest layer to the highest comprises the physical, data link, network, transport, session, presentation and application layers. Of course, the preset network communication model may also be a user-defined network communication model, configured flexibly according to actual needs. In the network communication model a corresponding protection module is preset for each layer; each layer may correspond to a different protection module, or several layers may correspond to one protection module, again configured flexibly according to actual needs.
The detection device determines, according to the target address, the layer of the attacked service host in the preset network communication model to obtain the target layer; the protection module corresponding to the target layer is the target protection module. In one implementation, if the attacked service host is located at or below the network layer, the detection device determines that the target protection module is the layer-4 protection module; if the attacked service host is located above the network layer, for example at the application layer, the detection device determines that the target protection module is the layer-7 protection module, which generally needs to perform deep packet analysis and detection and therefore occupies relatively more performance. For example, if the service host at the target address handles HTTP (HyperText Transfer Protocol) service and is located at the application layer, the target protection module is determined to be the layer-7 protection module; if the service host at the target address handles TCP connection service and is located at the network layer, the target protection module is determined to be the layer-4 protection module.
After receiving the route traction command, the target protection module acquires the target address, determines the host route that needs protection according to the target address, and generates the target route. The target route may be a network segment containing the target address or may point only to the target address, configured flexibly according to actual needs. The target protection module then issues the target route to the distributed denial of service attack protection device.
Protection modules of multiple layers are mounted under the distributed denial of service attack protection device, which establishes BGP (Border Gateway Protocol) connections with the protection modules of each layer for communication. When the protection device receives the target route issued by the target protection module, it learns that service traffic pointing to the target route may be attack traffic that needs to be pulled to the target protection module for cleaning.
102. Acquire the priority information of the protection modules that have currently issued routes.
The priority information may be configured when the BGP connections are established between the distributed denial of service attack protection device and the protection modules of each layer, with the protection module of a lower layer given a higher priority than the protection module of a higher layer. For example, because the layer-7 protection module occupies more resources and performance, the layer-4 protection module is preset with a higher priority than the layer-7 protection module so that the layer-4 protection module cleans the traffic first, which reduces the workload of the layer-7 protection module and its resource and performance consumption.
The distributed denial of service attack protection device needs to determine, from the routes it has currently received, which protection modules have issued routes, so as to know which protection modules are currently cleaning traffic and resisting the distributed denial of service attack. It then acquires the priority information of the protection modules of these issued routes.
The priority information may include information such as the specific priority level of each protection module.
For example, the protection modules with currently issued routes include a layer-4 protection module and a layer-7 protection module. The distributed denial of service attack protection device acquires the priority information of the layer-4 and layer-7 protection modules and thereby obtains their priorities.
103. Generate a traction path according to the priority information, with the target protection module as the path end point.
The traction path is the path along which the service traffic is cleaned; it comprises the protection modules the service traffic must flow through and the order in which it flows through them.
The distributed denial of service attack protection device generates the traction path with the target protection module as the path end point according to the priority information and priority order of the protection modules that have issued routes. In some embodiments, step 103 may comprise:
according to the priority information, acquiring the protection modules whose priority is higher than that of the target protection module as preceding protection modules;
and generating the traction path with the target protection module as the path end point according to the priorities of the preceding protection modules and the target protection module.
The priority information comprises the priorities of the protection modules that have currently issued routes. According to the priority information, the distributed denial of service attack protection device screens out the protection modules whose priority is higher than that of the target protection module as preceding protection modules. For example, if the protection modules with currently issued routes include a layer-4 protection module and a layer-7 protection module, the target protection module is the layer-7 protection module, and the priority of the layer-4 protection module is higher than that of the layer-7 protection module, the protection device takes the layer-4 protection module as the preceding protection module.
The distributed denial of service attack protection device then generates the traction path with the target protection module as the path end point according to the priorities of the preceding protection modules and the target protection module. For example, this may specifically be:
sorting the preceding protection modules and the target protection module from high priority to low according to the priority information;
and, according to that order, generating the traction path with the highest-priority preceding protection module as the path starting point and the target protection module as the path end point.
There may be one or more preceding protection modules.
If there is only one preceding protection module, after the distributed denial of service attack protection device sorts the preceding protection module and the target protection module according to the priority information, the preceding protection module has the highest priority and the target protection module the lowest. The preceding protection module is then taken as the path starting point and the target protection module as the path end point to generate the traction path.
If there are two or more preceding protection modules, the distributed denial of service attack protection device sorts all preceding protection modules and the target protection module according to the priority information, takes the highest-priority preceding protection module as the path starting point, the second-highest-priority preceding protection module as the second node in the path, and so on, and takes the lowest-priority target protection module as the path end point to generate the traction path.
It should be noted that if a preceding protection module and/or the target protection module includes several protection sub-modules, each sub-module is placed in the traction path according to the preset priority of each sub-module and the position of the preceding or target protection module in the traction path. For example, if the target protection module is a layer-7 protection module comprising a WAP (Wireless Application Protocol) protection sub-module, a CC (Challenge Collapsar) protection sub-module and so on, the layer-7 protection module is configured as the path end point, and that end point contains the WAP protection sub-module, the CC protection sub-module and so on arranged in priority order.
In some embodiments, if no protection module with a priority higher than that of the target protection module is acquired, the traction path is configured as the target protection module alone.
The distributed denial of service attack protection device thus configures and obtains the traction path.
104. And according to the traction path, the service flow pointing to the target route is drawn to the corresponding protection module for cleaning.
The service flow pointing to the target route is the service flow with the same target address as the target route, or the service flow with the target address located in the network segment of the target route.
The distributed denial of service attack protection device acquires a target address of flow access after receiving flow forwarded by the core router, and if the target address is the same as the target route or is positioned in a network segment of the target route, the flow is determined to be the flow pointing to the target route.
Then, the distributed denial of service attack protection device pulls the traffic flow to the starting point of the path according to the pulling path, and the traffic flow is cleaned.
In some embodiments, the pull path includes one or more preamble protection modules ordered before the target protection module, and step 104 may specifically be as follows:
(1) and according to the traction path, the service flow pointing to the target route is pulled to the preamble protection module so that the preamble protection module can carry out attack detection.
The distributed denial of service attack protection device draws the service flow to the starting point of the path according to the traction path, namely to the protection module with the highest priority, for cleaning.
The preamble protection module performs attack detection to determine whether the service flow is attack traffic. For example, the attack detection may be performed by using a protection policy such as the SYN cookie algorithm, the SYN Reset algorithm, or TCP message state detection.
For example, the preamble protection module is a four-layer protection module and triggers the SYN cookie algorithm to perform the attack detection. For the negotiation SYN message of a newly-established TCP connection, the preamble protection module calculates a cookie value from the connection information and returns the cookie value to the client as the initial sequence number (seq number) of the SYN + ACK message. If the sender is a normal user, it responds to the SYN + ACK message at this moment and returns an ACK confirmation message. The preamble protection module verifies the validity of the message using the cookie information carried in the ACK message returned by the client, and judges whether the message is attack traffic. When an attacker launches a SYN Flood attack, the client cannot send valid cookie information and therefore cannot establish a connection with the preamble protection module, so the preamble protection module can judge whether the service flow is attack traffic.
(2) And if receiving the reinjection flow returned by the preamble protection module in the process of detecting the aggressiveness, returning the reinjection flow to the client corresponding to the service flow.
For example, taking a SYN Flood attack as an illustration, the preamble protection module is a four-layer protection module and triggers the SYN cookie algorithm to perform attack detection. The preamble protection module intercepts the negotiation SYN message of a newly-established TCP connection, calculates a cookie value from the connection information, and returns the cookie value to the client as the initial sequence number (seq number) of the SYN + ACK message. The message that the preamble protection module needs to return to the client includes the SYN + ACK message, the SYN + ACK message carries the cookie value, and the SYN + ACK message returned to the client is the reinjection flow.
When receiving the reinjection flow returned by the preamble protection module for the service flow, the distributed denial of service attack protection device returns the reinjection flow to the client corresponding to the service flow, and pulls the service flow returned by the client according to the reinjection flow to the preamble protection module, so that the preamble protection module performs attack detection.
(3) And if the service flow is determined to be safe flow by the preamble protection module, the service flow is dragged to the next preamble protection module or the target protection module according to the traction path to carry out attack detection.
If the preamble protection module detects that the service flow is safe, the target route pointed by the service flow corresponds to a higher-level protection module, and the higher-level protection module is required to perform further detection, so that the preamble protection module returns the service flow to the distributed denial of service attack protection device.
The distributed denial of service attack protection device receives the service flow returned by the preamble protection module, and draws the service flow to the next node in the traction path, that is, the next preamble protection module or the target protection module, for attack detection.
For example, a client is already detected by the preamble protection module and determined as a secure client, and if the client sends a traffic, such as an HTTP request, and the preamble protection module determines that the traffic of the client is secure traffic according to information, such as an identifier of the client, the traffic is returned to the distributed denial of service attack protection device.
The distributed denial of service attack protection device receives the service flow returned by the preamble protection module, and then draws the service flow to the next node in the traction path, that is, the next preamble protection module or the target protection module, so that the cleaning work is completed step by step from the low-level protection module to the high-level protection module.
If the preamble protection module detects that the service traffic is attack traffic, the traffic is directly discarded.
(4) And if receiving the reinjection flow returned by the target protection module in the process of the offensiveness detection, returning the reinjection flow to the client corresponding to the service flow.
Taking the target protection module as a seven-layer protection module, it carries out attack detection through protection strategies such as verification codes and JavaScript verification algorithms, so that the target protection module modifies the packets of the service flow to generate reinjection flow and returns the reinjection flow to the distributed denial of service attack protection device.
When receiving the reinjection flow returned by the target protection module aiming at the service flow, the distributed denial of service attack protection device returns the reinjection flow to the client corresponding to the service flow, and pulls the service flow returned by the client according to the reinjection flow to the target protection module, so that the target protection module can carry out attack detection.
(5) And if the service flow is determined to be safe flow by the target protection module, returning the service flow to the target address.
If the target protection module at the path end point performs attack detection and determines that the service flow is safe flow, the target protection module returns the service flow to the distributed denial of service attack protection device.
The distributed denial of service attack protection device receives the service flow returned by the target protection module, and returns the service flow to the target address pointed to by the service flow to carry out normal service communication.
For example, a client is detected by the target protection module and determined as a secure client, and if the client sends a traffic flow, such as an HTTP request, and the target protection module determines that the traffic flow of the client is a secure traffic flow according to information such as an identifier of the client, the traffic flow is returned to the distributed denial of service attack protection device.
The distributed denial of service attack protection device receives the service flow returned by the target protection module, returns the service flow to the accessed target address, and normal service communication is performed.
And if the target protection module detects that the service flow is attack flow, directly discarding the flow.
In some embodiments, the traction path includes only the target protection module, and step 104 may specifically be as follows:
the service flow pointing to the target route is pulled to a target protection module for cleaning;
if receiving the reinjection flow returned by the target protection module in the process of attack detection, returning the reinjection flow to the client corresponding to the service flow;
if the service flow is determined to be safe flow by the target protection module, returning the service flow to the target address;
and if the target protection module detects that the service flow is attack flow, directly discarding the flow.
In some embodiments, in order to improve the detection efficiency of the protection modules, in the process of attack detection by the preamble protection module and/or the target protection module, the distributed denial of service attack protection method further includes:
acquiring an attack detection result of the preamble protection module and/or the target protection module;
and analyzing according to the result of the attack detection to obtain attack information, and sharing the attack information to a protection module in the traction path.
Specifically, as one implementation manner, after performing attack detection on the service flow, the preamble protection module and/or the target protection module obtains an attack detection result, and the attack detection result indicates whether the service flow is attack traffic. The preamble protection module and/or the target protection module returns the attack detection result to the distributed denial of service attack protection device.
In another embodiment, the distributed denial of service attack protection device may determine the attack detection result according to the traffic returned by the preamble protection module and/or the target protection module. For example, if a service flow returned by the target protection module is received, the attack detection result is that the service flow is safe flow; if neither the service flow nor the reinjection flow returned by the target protection module or the preamble protection module is received within a preset time, the attack detection result is that the service flow is attack traffic; and if a service flow discarding notification message returned by the preamble protection module or the target protection module is received, the attack detection result is that the service flow is attack traffic.
The distributed denial of service attack protection device judges, according to the attack detection result, whether the client sending the service flow is trusted; if the client sending the service flow is trusted, the trust level of the client can also be judged. The distributed denial of service attack protection device can share information such as whether the client is trusted and its trust level, as attack information, with the other protection modules in the traction path.
For example, the preamble protection module is a four-layer protection module and the target protection module is a seven-layer protection module. If the four-layer protection module determines that the service flow is safe flow, the distributed denial of service attack protection device determines, according to the attack detection result, that the client sending the service flow is a high-level trusted client, and shares the fact that this client is a high-level trusted client with the seven-layer protection module as attack information. After receiving the service flow drawn by the distributed denial of service attack protection device, the seven-layer protection module learns from the attack information that the corresponding client is a high-level trusted client, judges that the service flow is safe, and returns the service flow to the distributed denial of service attack protection device, which returns the service flow to the target address pointed to by the service flow for normal service communication.
Therefore, the repeated work of the protection module can be reduced, and the occupation of resources and performance is reduced.
As can be seen from the above, in the embodiment of the present invention, the service flow that needs to be drawn for cleaning is determined by receiving the target route issued by the target protection module, that is, the host route that needs to be protected; then the priority information of the protection modules that have currently issued routes is acquired, so as to obtain the currently running protection modules and their corresponding priorities; and according to the priority information, the target protection module is used as the path end point to generate a traction path, and according to the traction path, the service flow pointing to the target route is drawn to the corresponding protection module for cleaning. The scheme can determine the traction path according to the priorities of the routes issued by the mounted protection modules, so that the protection modules currently performing distributed denial of service attack protection are invoked, the running protection modules are reasonably utilized, and the service flow pointing to the target address is cleaned before reaching the target protection module. This filters attack traffic on behalf of the target protection module, reduces the workload of the target protection module, and reduces the performance it occupies. Whether a single-layer attack or a mixed attack occurs, the protection modules can defend against it effectively.
Therefore, the scheme adopts the traction path to connect the multiple layers of protection modules in series, not only can realize the multiple layers of defense of the distributed denial of service attack, but also can realize the filtering of service flow through the series connection, thereby reducing the workload of the high-loss protection module, ensuring the perfection of the overall function and the performance balance of the distributed denial of service attack protection system, and improving the overall protection effect of the distributed denial of service attack.
The method according to the preceding embodiment is illustrated in further detail below by way of example.
For example, referring to fig. 2, in the present embodiment, the distributed denial of service attack prevention apparatus will be specifically integrated in a cleaning switch.
In this embodiment, the user machine serves as a client that sends service traffic to access the service machine for service communication. The core router is located at the core of the network and is mainly used for routing and forwarding data packets; it forwards the service traffic sent by the user machine, that is, the client, to the corresponding service machine. The protection modules comprise a four-layer DDoS protection cluster and a seven-layer DDoS protection cluster. The service machine is used for service communication with the client.
The core router is interconnected with the cleaning switch, forwards the full volume of the client's service traffic to the cleaning switch, forwards the service traffic returned by the cleaning switch to the target address of that traffic, and forwards the reinjection traffic returned by the cleaning switch to the corresponding user machine, namely the client. The cleaning switch is interconnected with the four-layer DDoS protection cluster and the seven-layer DDoS protection cluster, and a BGP connection relationship is established, so that the cleaning switch can draw service traffic to the four-layer DDoS protection cluster and/or the seven-layer DDoS protection cluster and receive the service traffic and the reinjection traffic returned by the four-layer DDoS protection cluster and/or the seven-layer DDoS protection cluster.
(I) Attack traffic
And if the user machine is controlled by the attack server, the user machine is controlled to send attack traffic to the service machine.
The detection device is connected between the user machine and the core router, copies the service traffic sent to the core router, and detects the service traffic by means of mirroring, optical splitting, or NetFlow/NetStream/nFlow flow logs. When detecting that a distributed denial of service attack occurs, the detection device acquires the attacked target address; then it determines the layer of the target address according to a preset network communication model and takes that layer as the target layer; and then it takes the protection module corresponding to the target layer as the target protection module.
In this embodiment, a hybrid attack of distributed denial of service is taken as an example, and when detecting that a distributed denial of service attack occurs, the detection device obtains addresses of a plurality of attacked service hosts as target addresses, and determines that the attacked service hosts are located in a network layer and an application layer respectively according to the target addresses.
Then, the detection device determines that the distributed denial of service four-layer attack and seven-layer attack are mixed, then sends a route traction command to the four-layer DDoS protection cluster and the seven-layer DDoS protection cluster, after receiving the route traction command, the four-layer DDoS protection cluster and the seven-layer DDoS protection cluster respectively configure four-layer target routes and seven-layer target routes according to the attacked target addresses, and respectively issue the four-layer target routes and seven-layer target routes to the cleaning switch. The network segment of the four-layer target route at least comprises the address of the attacked service host of the network layer, and the network segment of the seven-layer target route at least comprises the address of the attacked service host of the application layer.
The cleaning switch receives a target route issued by the target protection module, and the target route is generated by the target protection module according to a target address of the distributed denial of service attack. The target protection module is respectively a four-layer DDoS protection cluster and a seven-layer DDoS protection cluster, and the target route comprises a four-layer target route issued by the four-layer DDoS protection cluster and a seven-layer target route issued by the seven-layer DDoS protection cluster.
Then, the cleaning switch acquires the priority information of the protection module of the current issued route, namely, the priority information of the four-layer DDoS protection cluster and the seven-layer DDoS protection cluster. The priority of the four-layer DDoS protection cluster is higher than that of the seven-layer DDoS protection cluster.
And then, the cleaning switch generates a traction path by taking the target protection module as a path end point according to the priority information.
If the service traffic accesses a service machine attacked at the network layer, that is, it points to the four-layer target route, the target protection module is the four-layer DDoS protection cluster, and the cleaning switch takes the four-layer DDoS protection cluster as the path end point. Because there is no protection module that has a higher priority than the four-layer DDoS protection cluster and has issued a route, the traction path for service traffic pointing to the four-layer target route includes only one node, the four-layer DDoS protection cluster.
If the service traffic accesses a service machine attacked at the application layer, that is, it points to the seven-layer target route, the target protection module is the seven-layer DDoS protection cluster, and the cleaning switch takes the seven-layer DDoS protection cluster as the path end point. Because the four-layer DDoS protection cluster has a higher priority than the seven-layer DDoS protection cluster and has issued a route, it is a preamble protection module, and the cleaning switch configures the traction path for service traffic pointing to the seven-layer target route as "four-layer DDoS protection cluster - seven-layer DDoS protection cluster".
It should be noted that, if a plurality of protection devices of different types are mounted in parallel on the cleaning switch within the four-layer DDoS protection cluster or the seven-layer DDoS protection cluster, each protection device is configured in the traction path according to its own priority and the position in the traction path of the protection module to which it belongs. For example, the seven-layer DDoS protection cluster includes a WAP protection device and a CC protection device mounted in parallel on the cleaning switch, where the priority of the WAP protection device is higher than that of the CC protection device, and the traction path for service traffic pointing to the seven-layer target route is "four-layer DDoS protection cluster - WAP protection device - CC protection device". In this way the traffic cleaning work is further subdivided, the load on the high-layer cleaning equipment is reduced, the load is more balanced, and the cleaning efficiency is improved.
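As an added illustration of the traction path generation described above (priority ordering, the target module as path end point, devices mounted in parallel ordered by their own priority, and the single-node path when no higher-priority module has issued a route), the following Python model is not code from the patent; the module names, priorities and route prefixes are constructed.

```python
"""Traction-path generation of the cleaning switch (added illustration, not the
patent's code).  Modules that have issued a target route are registered with
a priority; traffic pointing at a target route gets a path from the
highest-priority preamble module down to the target module as the end point,
with devices mounted in parallel inside a module ordered by their own
priority.  Names, priorities and route prefixes below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class ProtectionModule:
    name: str
    priority: int                      # larger value = higher priority = earlier in the path
    routes: List[str] = field(default_factory=list)               # issued target routes (CIDR)
    devices: List[Tuple[str, int]] = field(default_factory=list)  # (device, priority), in parallel

    def covers(self, dst: str) -> bool:
        """True if dst equals an issued route or lies inside its network segment."""
        addr = ip_address(dst)
        return any(addr in ip_network(r, strict=False) for r in self.routes)

    def path_nodes(self) -> List[str]:
        """Expand into path nodes: parallel devices by priority, else the module itself."""
        if not self.devices:
            return [self.name]
        ordered = sorted(self.devices, key=lambda d: d[1], reverse=True)
        return [f"{self.name}/{dev}" for dev, _ in ordered]


class CleaningSwitch:
    def __init__(self, modules: List[ProtectionModule]):
        self.modules = list(modules)

    def target_module_for(self, dst: str) -> Optional[ProtectionModule]:
        """The module whose issued route the traffic points to (None: not a target route)."""
        hits = [m for m in self.modules if m.covers(dst)]
        if not hits:
            return None
        # Assumption for overlapping routes: the lowest-priority (highest-layer)
        # issuer is the end point; higher-priority issuers become preamble modules.
        return min(hits, key=lambda m: m.priority)

    def traction_path(self, target: ProtectionModule) -> List[str]:
        """Preamble modules (higher priority, route issued) in priority order, then the target."""
        preamble = [m for m in self.modules if m.priority > target.priority and m.routes]
        ordered = sorted(preamble, key=lambda m: m.priority, reverse=True)
        nodes: List[str] = []
        for m in ordered + [target]:
            nodes.extend(m.path_nodes())
        return nodes

    def handle(self, dst: str) -> Optional[List[str]]:
        """Path for traffic to dst, or None when it is simply forwarded as safe traffic."""
        target = self.target_module_for(dst)
        return None if target is None else self.traction_path(target)


def build_demo_switch(l4_issued: bool = True) -> CleaningSwitch:
    """Constructed topology: L4 cluster (priority 20), L7 cluster (10) with WAP and CC devices."""
    l4 = ProtectionModule("L4-cluster", 20, ["10.0.1.0/24"] if l4_issued else [])
    l7 = ProtectionModule("L7-cluster", 10, ["10.0.2.10/32"], [("CC", 1), ("WAP", 2)])
    return CleaningSwitch([l4, l7])


if __name__ == "__main__":
    sw = build_demo_switch()
    for dst in ("10.0.1.7", "10.0.2.10", "10.0.3.1"):
        print(dst, "->", sw.handle(dst))
    print("L7 only:", build_demo_switch(l4_issued=False).handle("10.0.2.10"))
```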
(II) full traffic forwarding
The core router forwards the full volume of service traffic received from the user machine to the cleaning switch, so that the cleaning switch can draw the service traffic pointing to the target route to the protection module for cleaning.
(III) Traction of traffic pointing to the four-layer and/or seven-layer target route
And the cleaning switch acquires a target address accessed by the service flow after receiving the full flow forwarded by the core router. If the target address of the service flow is a four-layer target route or is positioned in a network segment of the four-layer target route, determining that the service flow points to the four-layer target route; and if the target address of the service flow is the seven-layer target route or is positioned in the network segment of the seven-layer target route, determining that the service flow points to the seven-layer target route.
And then, the cleaning switch pulls the service flow pointing to the four-layer target route and/or the seven-layer target route to the four-layer DDoS protection cluster for cleaning.
(IV) Return-to-reinjection traffic and secure traffic
The four-layer DDoS protection cluster receives the service traffic drawn by the cleaning switch and can carry out attack detection according to a preset four-layer protection strategy. The four-layer protection strategy includes, but is not limited to, the SYN cookie algorithm, the SYN Reset algorithm, TCP message state detection, and the like.
For example, for a negotiation SYN message of a newly-established connection of TCP, the four-layer DDoS protection cluster calculates a cookie value through connection information, and returns the cookie value as an initial sequence number (seq number) of a SYN + ACK message to the user machine, and if the user is a normal user, the user responds to the SYN + ACK and returns an ACK confirmation message. The four-layer DDoS protection cluster confirms the message validity by cookie information carried in an ACK message responded by a user machine and judges whether the message is attack traffic or not. When an attacker launches a SYN Flood attack, the user machine cannot send effective cookie information, so that connection with the four-layer DDoS protection cluster cannot be established, and the four-layer DDoS protection cluster can judge whether the service flow is the attack flow. The SYN + ACK message returned by the four-layer DDoS protection cluster is the reinjection flow and is forwarded to the user machine through the cleaning switch.
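The SYN cookie exchange described above and in the four-layer example earlier, as an added illustration in Python that is not the patent's code: the cookie is derived from the connection information, returned as the SYN+ACK sequence number, and only an ACK carrying it back passes. The secret, time slot layout, addresses and timestamps are constructed assumptions.

```python
"""SYN-cookie attack detection of the four-layer module (added illustration,
not the patent's code).  The cookie is computed from the connection
information plus a device secret, returned as the initial sequence number of
the SYN+ACK (the reinjection traffic), and checked against the ACK that only a
real client can send back.  The key, addresses and timestamps are constructed."""
import hashlib
import hmac
import time
from typing import Optional, Tuple

SECRET = b"constructed-demo-device-secret"   # assumption: secret held only by the module
WINDOW = 64                                  # seconds covered by one time slot
Conn = Tuple[str, int, str, int]             # (src_ip, src_port, dst_ip, dst_port)


def _slot(now: Optional[float]) -> int:
    t = time.time() if now is None else now
    return int(t // WINDOW) & 0xFF


def _mac24(conn: Conn, slot: int) -> bytes:
    """24-bit MAC over the connection information and the time slot."""
    msg = f"{conn[0]}:{conn[1]}>{conn[2]}:{conn[3]}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(conn: Conn, now: Optional[float] = None) -> int:
    """ISN of the SYN+ACK: time slot in the top byte, MAC in the low 24 bits."""
    slot = _slot(now)
    return (slot << 24) | int.from_bytes(_mac24(conn, slot), "big")


def check_ack(conn: Conn, ack_number: int, now: Optional[float] = None) -> bool:
    """A valid ACK acknowledges cookie+1 and was issued in the current or previous slot."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    if (_slot(now) - slot) & 0xFF > 1:
        return False                                  # stale cookie: cannot be replayed later
    given = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(given, _mac24(conn, slot))


class FourLayerModule:
    """Keeps no per-connection state: everything needed lives inside the cookie."""

    def on_syn(self, conn: Conn, now: Optional[float] = None) -> dict:
        # Reinjection traffic: the SYN+ACK whose seq number is the cookie.
        return {"flags": "SYN+ACK", "seq": make_cookie(conn, now)}

    def on_ack(self, conn: Conn, ack_number: int, now: Optional[float] = None) -> str:
        return "safe" if check_ack(conn, ack_number, now) else "attack"


def simulate(now: float = 1_700_000_000) -> Tuple[str, str, str]:
    """Constructed exchange: a normal client, a forged ACK, and a late replay."""
    mod = FourLayerModule()
    conn = ("198.51.100.7", 40000, "10.0.2.10", 80)
    synack = mod.on_syn(conn, now)
    normal = mod.on_ack(conn, synack["seq"] + 1, now + 5)             # real client completes handshake
    forged = mod.on_ack(conn, 12345, now + 5)                         # flood source without the cookie
    replay = mod.on_ack(conn, synack["seq"] + 1, now + 3 * WINDOW)    # cookie too old
    return normal, forged, replay


if __name__ == "__main__":
    print(simulate())   # ('safe', 'attack', 'attack')
```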
If the four-layer DDoS protection cluster judges that the service traffic is safe, it returns the service traffic to the cleaning switch. For example, when the four-layer DDoS protection cluster performs attack detection on the service traffic, if the user machine completes the TCP three-way handshake and is determined to be safe, the connection with the user machine may be disconnected, or the cluster may wait for the user machine to initiate a connection again. When the four-layer DDoS protection cluster again receives a new TCP connection negotiation SYN message sent by the user machine, it judges that the service traffic is safe traffic and returns the safe traffic to the cleaning switch.
If the four-layer DDoS protection cluster judges that the service traffic is attack traffic, the traffic is directly discarded.
(V) Traction of traffic pointing to the seven-layer target route
The service traffic pointing to the seven-layer target route is the service traffic returned by the four-layer DDoS protection cluster, detected as safe traffic by the four-layer DDoS protection cluster, and pointing to the seven-layer target route.
After the cleaning switch receives the service traffic returned by the four-layer DDoS protection cluster, because the four-layer DDoS protection cluster is only a preamble protection module for service traffic pointing to the seven-layer target route and has performed preliminary attack detection, even if the four-layer DDoS protection cluster judges that the service traffic is safe, the seven-layer DDoS protection cluster still needs to perform further attack detection. The cleaning switch draws the service traffic pointing to the seven-layer target route to the seven-layer DDoS protection cluster for attack detection.
(VI) Return-to-reinjection traffic and secure traffic
The seven-layer DDoS protection cluster receives the service traffic drawn by the cleaning switch and can carry out attack detection according to a preset seven-layer protection strategy. The seven-layer protection strategy includes, but is not limited to, verification codes, JavaScript verification algorithms, and the like.
For example, the main principle of the HTTP Cookie technique is to authenticate HTTP request packets from legitimate clients according to the specification of the HTTP protocol. If the service traffic is a GET request sent by the user machine to a URL of the service machine, the seven-layer DDoS protection cluster constructs a redirection message as reinjection traffic, returns it to the user machine, and requires the user machine to re-request the redirected target address. In this redirection message, the seven-layer DDoS protection cluster adds a cookie field to be verified, and there are two general methods of adding this cookie: one sets it through the Set-Cookie field of the HTTP header and requires that the next HTTP request carry the specified cookie field; the other appends a cookie parameter to the redirected URL and requires the user to access the URL address carrying that cookie parameter. After a normal user machine receives the redirection message, it sends the service traffic again carrying the cookie field as required and accesses the specified URL address. If the traffic is attack traffic, the user machine cannot add the specified cookie field to its access, and the traffic can therefore be determined to be attack traffic. The redirection message returned by the seven-layer DDoS protection cluster is the reinjection traffic and is forwarded to the user machine through the cleaning switch.
If the seven-layer DDoS protection cluster judges that the service traffic is safe traffic, it returns the service traffic to the cleaning switch. For example, when the seven-layer DDoS protection cluster performs attack detection on the service traffic, if the user machine, after receiving the redirection message, resends the service traffic carrying the cookie field as required and accesses the specified URL address, the seven-layer DDoS protection cluster determines that the service traffic resent by the user machine is safe traffic, removes the added cookie field, and returns the safe traffic to the cleaning switch.
If the seven-layer DDoS protection cluster judges that the service traffic is attack traffic, the traffic is directly discarded.
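The HTTP cookie redirection challenge just described (both the Set-Cookie and the URL-parameter variant, with the added cookie stripped from safe traffic), combined with the sharing of attack information from the four-layer module to the seven-layer module described earlier, as an added Python illustration that is not the patent's code. The secret, cookie name, trust levels, addresses and URLs are constructed assumptions.

```python
"""Seven-layer HTTP-cookie challenge with shared attack information (added
illustration, not the patent's code).  A request without a valid cookie is
answered with a redirect carrying the cookie (the reinjection traffic, via a
Set-Cookie header or a URL parameter); a repeated request that carries it is
judged safe and the cookie is stripped before the traffic is returned.  A
client the four-layer module already reported as high-level trusted skips the
challenge.  Key, cookie name, addresses and URLs are constructed."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

SECRET = b"constructed-demo-cluster-secret"   # assumption: secret held by the cluster
COOKIE = "ddos_chk"                           # assumption: name of the verification cookie


def share_attack_info(shared: Dict[str, str], client_ip: str, l4_verdict: str) -> None:
    """Cleaning-switch side: record the preamble module's verdict as a trust level."""
    if l4_verdict == "safe":
        shared[client_ip] = "high"


def _token(client_ip: str) -> str:
    return hmac.new(SECRET, client_ip.encode(), hashlib.sha256).hexdigest()[:16]


def parse_cookies(header: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def _strip_param(url: str) -> str:
    parts = urlsplit(url)
    kept = [kv for kv in parts.query.split("&") if kv and not kv.startswith(COOKIE + "=")]
    return urlunsplit(parts._replace(query="&".join(kept)))


class SevenLayerModule:
    def __init__(self, shared: Dict[str, str], mode: str = "set-cookie"):
        self.trust = shared        # attack information written by the cleaning switch
        self.mode = mode           # "set-cookie" (header) or "url" (parameter)

    def inspect(self, client_ip: str, req: dict) -> Tuple[str, Optional[dict]]:
        """(verdict, message): 'safe' + cleaned request, 'reinject' + redirect, or 'attack'."""
        if self.trust.get(client_ip) == "high":
            return "safe", req                         # verified upstream, no repeated check
        expected = _token(client_ip)
        if self.mode == "set-cookie":
            got = parse_cookies(req["headers"].get("Cookie", "")).get(COOKIE, "")
        else:
            got = parse_qs(urlsplit(req["url"]).query).get(COOKIE, [""])[0]
        if got and hmac.compare_digest(got, expected):
            return "safe", self._strip(req)
        if got or req["method"] != "GET":
            # Assumption: a wrong token, or a non-GET that cannot be redirected, is attack traffic.
            return "attack", None
        return "reinject", self._challenge(req, expected)

    def _challenge(self, req: dict, token: str) -> dict:
        if self.mode == "set-cookie":
            headers = {"Location": req["url"], "Set-Cookie": f"{COOKIE}={token}; Path=/"}
        else:
            sep = "&" if urlsplit(req["url"]).query else "?"
            headers = {"Location": f"{req['url']}{sep}{COOKIE}={token}"}
        return {"status": 302, "headers": headers}

    def _strip(self, req: dict) -> dict:
        """Remove the added cookie so the service machine sees the original request."""
        clean = {"method": req["method"], "url": req["url"], "headers": dict(req["headers"])}
        if self.mode == "set-cookie":
            cookies = parse_cookies(clean["headers"].pop("Cookie", ""))
            cookies.pop(COOKIE, None)
            if cookies:
                clean["headers"]["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
        else:
            clean["url"] = _strip_param(clean["url"])
        return clean


def simulate() -> Tuple[str, str, str, str]:
    """Constructed exchange: challenge, valid re-request, forged cookie, trusted client."""
    shared: Dict[str, str] = {}
    mod = SevenLayerModule(shared)
    req = {"method": "GET", "url": "http://svc.example/index.html", "headers": {}}
    v1, redirect = mod.inspect("203.0.113.5", req)
    cookie = redirect["headers"]["Set-Cookie"].split(";")[0]          # "ddos_chk=<token>"
    again = {"method": "GET", "url": req["url"], "headers": {"Cookie": cookie + "; sid=abc"}}
    v2, _ = mod.inspect("203.0.113.5", again)
    v3, _ = mod.inspect("203.0.113.9", again)                         # token replayed by another source
    share_attack_info(shared, "203.0.113.7", "safe")                  # L4 verdict shared by the switch
    v4, _ = mod.inspect("203.0.113.7", req)
    return v1, v2, v3, v4


if __name__ == "__main__":
    print(simulate())   # ('reinject', 'safe', 'attack', 'safe')
```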
(VII) Reinjection traffic return and safe traffic back-to-source
After receiving the reinjection traffic returned by the four-layer DDoS protection cluster and the seven-layer DDoS protection cluster, the cleaning switch returns the reinjection traffic to the core router, and the core router returns the reinjection traffic to the corresponding user machine.
After the cleaning switch receives the service traffic returned by the four-layer DDoS protection cluster, because the four-layer DDoS protection cluster is the path end point for service traffic pointing to the four-layer target route, if the four-layer DDoS protection cluster judges that the service traffic is safe traffic, the attack detection is complete, the detection result is safe traffic, and it can be forwarded to the corresponding service machine for service communication. The cleaning switch returns the service traffic pointing to the four-layer target route to the core router, and the core router forwards the service traffic to the corresponding service machine, so that back-to-source of the service traffic is achieved.
After the cleaning switch receives the service traffic returned by the seven-layer DDoS protection cluster, because the seven-layer DDoS protection cluster is the path end point for service traffic pointing to the seven-layer target route, if the seven-layer DDoS protection cluster judges that the service traffic is safe traffic, the attack detection is complete, the detection result is safe traffic, and it can be forwarded to the corresponding service machine for service communication. The cleaning switch returns the service traffic pointing to the seven-layer target route to the core router, and the core router forwards the service traffic to the corresponding service machine, so that back-to-source of the service traffic is achieved.
(eight) traffic forwarding
When receiving the service flows which are forwarded by the core router and do not point to the four-layer target route and the seven-layer target route, the cleaning switch forwards the service flows serving as safe flows to the core router for normal service communication.
(nine) flow reinjection
And after receiving the reinjection flow returned by the cleaning switch, the core router returns the reinjection flow to the corresponding service machine.
(ten) secure traffic flow
And after receiving the safety service flow returned by the cleaning switch, the core router respectively forwards the service flow to the corresponding service machines for service communication.
(eleven) traffic outgoing flow
After receiving the service flow, the service machine inputs corresponding flow to the corresponding service machine according to the requirement of the service flow.
As can be seen from the above, in the embodiment of the present invention, when a distributed denial of service hybrid attack is received, a pull path is determined according to the priorities of the routes issued by the mounted protection modules, so that multiple layers of protection modules are connected in series and the hybrid attack traffic is processed serially, layer by layer. Decoupling the multi-layer protection modules lets each of them run at full performance and saves machine cost, while keeping the functionality complete. The scheme applies to both single-attack and hybrid-attack scenarios and improves the overall protection effect against distributed denial of service attacks. For the user, multi-level protection is obtained without deploying any functional module, so the protection is imperceptible to the user.
An embodiment of the present invention further provides a distributed denial of service attack protection system. For example, as shown in fig. 3, the distributed denial of service attack protection system may include a detection device 301, a cleaning switch 302, and a protection cluster 303, as follows:
(I) Detection device 301:
The detection device 301 is configured to trigger the target protection cluster to issue a target route to the cleaning switch when a distributed denial of service attack is detected, where the target route is generated by the target protection cluster according to the target address of the distributed denial of service attack.
The detection device 301 is connected between the client and the core router; it copies the traffic sent to the core router and inspects it by means of port mirroring, optical splitting, or NetFlow/NetStream/nFlow flow logs.
When detecting that a distributed denial of service attack occurs, the detection device 301 may specifically be configured to:
when the distributed denial of service attack is detected, acquire the attacked target address;
determine the level of the target address according to a preset network communication model, and take that level as the target layer;
and take the protection cluster corresponding to the target layer as the target protection cluster, and issue a route pull instruction to the target protection cluster, so as to trigger the target protection cluster to issue a target route to the cleaning switch according to the target address.
For example, if the detection device 301 detects that a distributed denial of service attack occurs, it obtains the address of the attacked service host as the target address. If the attacked target address is located at the network layer, the network layer is taken as the target layer, and the seven-layer protection cluster corresponding to the network layer is taken as the target protection cluster.
Then the detection device 301 issues a route pull command to the seven-layer protection cluster, triggering the target protection cluster to issue the target route. The target route is generated by the seven-layer protection cluster according to the attacked target address, and contains at least the target address of the attacked service host at the network layer.
(II) Cleaning switch 302:
The cleaning switch 302 is configured to receive a target route issued by the target protection cluster, the target route being generated by the target protection cluster according to the target address of the distributed denial of service attack; acquire priority information of the protection clusters that currently have issued routes; generate, according to the priority information, a pull path with the target protection cluster as the path end point; and, according to the pull path, pull the service traffic pointing to the target route to the corresponding protection clusters for cleaning.
For the specific implementation of the cleaning switch 302, reference may be made to the above embodiment of the distributed denial of service attack protection method, which is not described herein again.
(III) Protection cluster 303:
The protection cluster 303, which includes at least the target protection cluster, is configured to issue routes to the cleaning switch 302 and to clean the traffic pulled by the cleaning switch 302.
The protection cluster 303 is hung under the cleaning switch 302 and may include protection clusters of multiple levels, such as a seven-layer protection cluster and a four-layer protection cluster. The protection cluster of each level may in turn include multiple protection devices of different protection types. Of course, when the protection scale is small, the protection cluster 303 may also be deployed as individual protection devices, for example a seven-layer protection device and a four-layer protection device, and may be flexibly configured according to actual needs.
When receiving a route issuing instruction from the detection device 301, the protection cluster 303 obtains the attacked target address, generates a target route according to a preset protection policy and the target address, and issues the target route to the cleaning switch 302.
In some embodiments, if the preset protection policy is one-to-one protection, the protection cluster 303 issues the target address itself to the cleaning switch 302 as the target route. For example, if the target address is a 32-bit host route, the protection cluster 303 issues that 32-bit host route as the target route to the cleaning switch 302.
In other embodiments, if the preset protection policy is one-to-many protection, the protection cluster 303 issues the upper-level route of the target address to the cleaning switch 302 as the target route. For example, if the target address is a 32-bit host route, the protection cluster 303 issues the 24-bit network segment containing that 32-bit host route as the target route to the cleaning switch 302.
When receiving the service traffic pulled by the cleaning switch 302, the protection cluster 303 cleans the service traffic, thereby defending against the distributed denial of service attack.
For example, in some embodiments where a hybrid attack occurs, the protection cluster 303 further includes one or more preamble protection clusters having a higher priority than the target protection cluster, and the pull path starts with the preamble protection cluster having the highest priority and ends with the target protection cluster:
(1) The preamble protection cluster is configured to perform attack detection on the service traffic pulled by the cleaning switch 302, and to return the service traffic to the cleaning switch 302 if it is determined to be safe traffic;
the cleaning switch 302 is further configured to pull the service traffic to the next preamble protection cluster or to the target protection cluster for attack detection according to the pull path.
The pull path comprises the preamble protection cluster(s) and the target protection cluster. The cleaning switch 302 first pulls the service traffic pointing to the target route to the path starting point for cleaning. The preamble protection cluster that receives the service traffic performs attack detection on it; for the specific detection method, reference may be made to the above embodiment of the distributed denial of service attack protection method, which is not described herein again.
If the preamble protection cluster determines that the service traffic is safe traffic, it returns the service traffic to the cleaning switch 302. After receiving the traffic, the cleaning switch 302 pulls it to the next node of the pull path: a further preamble protection cluster or the target protection cluster.
If the preamble protection cluster determines that the service traffic is attack traffic, it discards the service traffic.
In some embodiments, the preamble protection cluster is further configured to obtain attack information derived from analysis of the attack detection result and to share the attack information with the other protection modules in the pull path. For example, if after detection by the preamble protection cluster a client is determined to be a high-level trusted client, the trust information of that client is used as attack information and shared with the other preamble protection clusters and/or the target protection cluster in the pull path, which reduces the workload of the other protection clusters in the pull path and thereby reduces resource occupation and performance loss.
(2) The preamble protection cluster is further configured to return reinjection traffic to the cleaning switch 302 if, during attack detection, reinjection traffic is generated according to the preset protection policy;
the cleaning switch 302 is further configured to receive the reinjection traffic and return it to the client corresponding to the service traffic.
For example, the preamble protection cluster is a four-layer protection cluster, and the four-layer protection policy includes, but is not limited to, the SYN cookie algorithm, the SYN Reset algorithm, TCP packet state detection, and the like.
For example, the preamble protection cluster is a four-layer protection cluster and triggers the SYN cookie algorithm for attack detection. For the negotiation SYN packet of a newly established TCP connection, the preamble protection cluster computes a cookie value from the connection information and returns the cookie value to the client as the initial sequence number (seq number) of the SYN+ACK packet. If the sender is a normal user, it responds to the SYN+ACK packet at this point and returns an ACK confirmation packet. The preamble protection module checks the validity of the cookie information carried in the ACK packet returned by the client and judges whether the packet is attack traffic. The SYN+ACK packet generated by the preamble protection cluster is the reinjection traffic.
(3) The target protection cluster is specifically configured to clean the service traffic pulled by the cleaning switch 302, and to return the service traffic to the cleaning switch 302 if it is determined to be safe traffic;
the cleaning switch 302 is further configured to receive the service traffic returned by the target protection cluster and return it to its source, the target address.
The target protection cluster that receives the service traffic performs attack detection on it; for the specific detection method, reference may be made to the above embodiment of the distributed denial of service attack protection method, which is not described herein again.
If the target protection cluster determines that the service traffic is safe traffic, it returns the service traffic to the cleaning switch 302. After receiving the service traffic, the cleaning switch 302 returns it to the target address, so that the service host and the client carry out normal service communication.
If the target protection cluster determines that the service traffic is attack traffic, it discards the service traffic.
In some embodiments, the target protection cluster is further configured to obtain attack information derived from analysis of the attack detection result and to share it with the other protection modules in the pull path. For example, if after detection by the target protection cluster a client is judged to be a high-level trusted client, the trust information of that client is used as attack information and shared with the preamble protection cluster in the pull path, reducing the workload of the preamble protection cluster.
(4) The target protection cluster is further configured to return reinjection traffic to the cleaning switch 302 if, during attack detection, reinjection traffic is generated according to the preset protection policy.
For example, the target protection cluster is a seven-layer protection cluster, and the seven-layer protection policy includes, but is not limited to, verification codes, JavaScript algorithms, and the like.
If the service traffic is a GET request sent by the client to a URL of the service machine, the target protection cluster constructs a redirection packet as reinjection traffic and returns it to the service machine, causing the service machine to request the redirected target address again. In this redirection packet, the target protection cluster adds a cookie field that must be verified. After a normal client receives the redirection packet, it re-sends the service traffic carrying the cookie field as required and accesses the specified URL address. The redirection packet returned by the target protection cluster is the reinjection traffic, and it is forwarded to the client via the cleaning switch 302.
As can be seen from the above, in the embodiment of the present invention, the detection device 301 detects attacks, and when a distributed denial of service attack is detected it triggers the target protection module to issue a target route, thereby informing the cleaning switch 302 which service traffic needs to be cleaned. The cleaning switch 302 receives the target route issued by the target protection module and thereby determines the host route that needs protection and the service traffic that needs to be pulled for cleaning; it then acquires the priority information of the protection modules that currently have issued routes, so as to learn which protection modules are currently running and their priorities, and generates, according to that priority information, a pull path with the target protection module as the path end point; and according to the pull path it pulls the service traffic pointing to the target route to the corresponding protection modules for cleaning. The protection cluster 303 issues the target route to the cleaning switch 302, receives the service traffic pulled by the cleaning switch 302 for cleaning, and returns the cleaned safe traffic to the service machine, completing the defense against the distributed denial of service attack. The scheme uses the pull path to connect the multi-layer protection clusters in series, which not only achieves multi-layer defense against distributed denial of service attacks but also filters the service traffic through the serial connection, so that the protection clusters can defend effectively whether a single-layer attack or a hybrid attack occurs. The scheme therefore reduces the workload of the high-cost protection module, balances the completeness of the overall functionality of the distributed denial of service attack protection system against its performance, and improves the overall protection effect against distributed denial of service attacks.
In order to better implement the above method, an embodiment of the present invention further provides a distributed denial of service attack protection apparatus, which may be specifically integrated in a network device such as a cleaning switch or a server.
For example, as shown in fig. 4, the distributed denial of service attack protection apparatus may include a receiving unit 401, a priority unit 402, a path unit 403, and a pulling unit 404, as follows:
(I) Receiving unit 401:
The receiving unit 401 is configured to receive a target route issued by a target protection module, where the target route is generated by the target protection module according to the target address of a distributed denial of service attack.
When a Distributed Denial of Service (DDoS) attack occurs, the detection device obtains the IP (Internet Protocol) address of the attacked service host and uses it as the target address to be protected.
Then the detection device determines the target protection module according to the target address, issues a route pull command to the target protection module, and triggers it to issue the target route to the cleaning switch. The detection device may determine the level of the target address according to a preset network communication model, take that level as the target layer, and then take the protection module corresponding to the target layer as the target protection module.
It should be noted that the preset network communication model may be the TCP/IP (Transmission Control Protocol/Internet Protocol) model, which from the lower layers to the higher layers comprises in turn the network interface layer, the network layer, the transport layer, and the application layer. The preset network communication model may also be the Open System Interconnection (OSI) model, which from the lower layers to the higher layers comprises the physical layer, the data link layer, the network layer, the transport layer, the session layer, the presentation layer, and the application layer. Of course, the preset network communication model may also be a user-defined network communication model and may be flexibly configured according to actual needs. In the network communication model a corresponding protection module is preset for each level: different levels may correspond to different protection modules, or several levels may correspond to one protection module, as flexibly configured according to actual needs.
The detection device determines, according to the target address, the level of the accessed service host in the preset network communication model to obtain the target layer, and the protection module corresponding to the target layer is the target protection module. As one implementation, if the accessed service host is located at or below the network layer, the detection device determines that the target protection module is the four-layer protection module; if the accessed service host is located above the network layer, for example at the application layer, the detection device determines that the target protection module is the seven-layer protection module. The seven-layer protection module generally has to perform deep packet parsing and detection, so its performance cost is relatively high. For example, if the service host corresponding to the target address handles HTTP (Hypertext Transfer Protocol) services and the target address is located at the application layer, the target protection module is determined to be the seven-layer protection module; if the service host corresponding to the target address handles TCP connection services and the target address is located at the network layer, the target protection module is determined to be the four-layer protection module.
After receiving the route pull command, the target protection module obtains the target address, determines the host route that needs protection according to the target address, and generates the target route. The target route may be a network segment that includes the target address, or it may point only to the target address, as flexibly configured according to actual needs. The target protection module then issues the target route to the distributed denial of service attack protection apparatus.
Protection modules of multiple levels are hung under the distributed denial of service attack protection apparatus, which establishes BGP (Border Gateway Protocol) connections with the protection modules of each level for communication. The receiving unit 401 receives the target route issued by the target protection module and thereby learns that service traffic pointing to the target route may be attack traffic and needs to be pulled to the target protection module for cleaning.
(II) Priority unit 402:
The priority unit 402 is configured to obtain priority information of the protection modules that currently have issued routes.
The priority information may be configured when the BGP connections are established between the distributed denial of service attack protection apparatus and the protection modules of each level, where a protection module of a lower level has a higher priority than a protection module of a higher level. For example, because the seven-layer protection module consumes more resources and performance, the four-layer protection module is preset with a higher priority than the seven-layer protection module so that it cleans the traffic first; this reduces the workload of the seven-layer protection module and reduces resource and performance loss.
The priority unit 402 determines, from the currently received routes, which protection modules have issued routes, so as to learn which protection modules are currently cleaning traffic and defending against the distributed denial of service attack. It then obtains the priority information of those protection modules.
The priority information may include information such as the specific priority level of each protection module.
For example, the protection modules with currently issued routes include the four-layer protection module and the seven-layer protection module. The priority unit 402 obtains the priority information of the four-layer protection module and the seven-layer protection module and thereby learns their priorities.
(III) Path unit 403:
The path unit 403 is configured to generate, according to the priority information, a pull path with the target protection module as the path end point.
The pull path is the path along which the service traffic is cleaned; it comprises the protection modules through which the service traffic must flow and the order in which it flows through them.
The path unit 403 generates the pull path with the target protection module as the path end point according to the priority information and priority order of the protection modules with issued routes. In some embodiments, the path unit 403 may include a screening subunit and a configuration subunit:
the screening subunit is configured to obtain, according to the priority information, the protection modules whose priority is higher than that of the target protection module as preamble protection modules;
and the configuration subunit is configured to generate a pull path with the target protection module as the path end point according to the priorities of the preamble protection modules and the target protection module.
The priority information comprises the priorities of the protection modules that currently have issued routes. The screening subunit screens out, according to the priority information, the protection modules with a higher priority than the target protection module as preamble protection modules. For example, the protection modules with currently issued routes include the four-layer protection module and the seven-layer protection module, the target protection module is the seven-layer protection module, and the priority of the four-layer protection module is higher than that of the seven-layer protection module; the screening subunit then takes the four-layer protection module as the preamble protection module.
Then the configuration subunit generates the pull path with the target protection module as the path end point according to the priorities of the preamble protection modules and the target protection module. Specifically, for example:
sort the preamble protection modules and the target protection module by priority from high to low according to the priority information;
and according to the sorted order, generate the pull path with the preamble protection module of highest priority as the path starting point and the target protection module as the path end point.
There may be one or more preamble protection modules.
If there is only one preamble protection module, the configuration subunit sorts it together with the target protection module according to the priority information; the preamble protection module has the highest priority and the target protection module the lowest. The pull path is then generated with the preamble protection module as the path starting point and the target protection module as the path end point.
If there are two or more preamble protection modules, the configuration subunit sorts the preamble protection modules and the target protection module according to the priority information, takes the preamble protection module with the highest priority as the path starting point and the one with the second-highest priority as the second node of the path, and so on, and takes the target protection module with the lowest priority as the path end point to generate the pull path.
It should be noted that if the preamble protection module and/or the target protection module includes multiple protection sub-modules, the configuration subunit places each protection sub-module into the pull path according to the preset priority of each protection sub-module and the position of the preamble protection module or target protection module in the pull path. For example, the target protection module is a seven-layer protection module that includes a WAP (Wireless Application Protocol) protection sub-module, a CC (Challenge Collapsar) protection sub-module, and so on; the seven-layer protection module is configured as the path end point, and that end point contains the WAP protection sub-module, the CC protection sub-module, etc. arranged in priority order.
In some embodiments, if no protection module with a higher priority than the target protection module is obtained, the configuration subunit configures the pull path to consist of the target protection module alone.
In this way the path unit 403 obtains the pull path.
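The following is an added example, not code from the patent, that models two pieces of the scheme described above: the target route a protection cluster issues under the one-to-one (32-bit host route) and one-to-many (24-bit segment) policies, and the screening and configuration subunits of the path unit, including expansion of protection sub-modules and the fallback to a path made of the target module alone. The module names, the "priority = 8 minus layer" rule (a lower level gets a higher priority, as the priority unit requires) and the sub-module priorities are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProtectionModule:
    name: str
    layer: int                      # level in the network communication model
    submodules: list = field(default_factory=list)  # (name, priority) pairs

    @property
    def priority(self) -> int:
        # assumption for this example: a lower-level module gets a higher
        # priority, so the four-layer module cleans before the seven-layer one
        return 8 - self.layer


def issue_target_route(target_address: str, policy: str) -> ipaddress.IPv4Network:
    """Route a protection module issues to the cleaning switch for an attacked host.

    one-to-one  -> the 32-bit host route itself
    one-to-many -> the 24-bit network segment containing the host route
    """
    host = ipaddress.ip_address(target_address)
    if policy == "one-to-one":
        return ipaddress.ip_network(f"{host}/32")
    if policy == "one-to-many":
        return ipaddress.ip_network(f"{host}/24", strict=False)
    raise ValueError(f"unknown protection policy: {policy}")


def generate_pull_path(issued: dict, target: str) -> list:
    """Screening and configuration subunits of the path unit.

    issued: modules that currently have an issued route, name -> ProtectionModule
    target: name of the target protection module (the path end point)
    Returns the ordered node names of the pull path; a module that has protection
    sub-modules is expanded into its sub-modules in their own priority order.
    """
    target_mod = issued[target]
    # screening subunit: only modules with a priority above the target's qualify
    preamble = [m for m in issued.values() if m.priority > target_mod.priority]
    # configuration subunit: sort high -> low, the target module is always last;
    # if no preamble module was obtained the path is the target module alone
    ordered = sorted(preamble, key=lambda m: m.priority, reverse=True) + [target_mod]
    path = []
    for mod in ordered:
        if mod.submodules:
            for sub_name, _ in sorted(mod.submodules, key=lambda s: s[1], reverse=True):
                path.append(f"{mod.name}/{sub_name}")
        else:
            path.append(mod.name)
    return path


if __name__ == "__main__":
    # constructed sample: four-layer and seven-layer modules both have routes issued,
    # the seven-layer module has a CC and a WAP protection sub-module
    issued = {
        "L4": ProtectionModule("L4", layer=4),
        "L7": ProtectionModule("L7", layer=7, submodules=[("WAP", 1), ("CC", 2)]),
    }
    print(issue_target_route("192.0.2.10", "one-to-many"))  # 192.0.2.0/24
    print(generate_pull_path(issued, "L7"))                # ['L4', 'L7/CC', 'L7/WAP']
    print(generate_pull_path(issued, "L4"))                # ['L4']
```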
(IV) Pulling unit 404:
The pulling unit 404 is configured to pull the service traffic pointing to the target route to the corresponding protection modules for cleaning according to the pull path.
Service traffic pointing to the target route is service traffic whose target address is the same as the target route, or whose target address lies within the network segment of the target route.
After receiving the service traffic forwarded by the core router, the pulling unit 404 obtains the target address the traffic accesses; if that address is the same as the target route or lies within the network segment of the target route, it determines that the traffic is service traffic pointing to the target route.
Then, according to the pull path, the pulling unit 404 pulls the service traffic to the path starting point for cleaning.
In some embodiments, the pull path includes one or more preamble protection modules sequenced before the target protection module, and the pulling unit may include a first pulling subunit, a second pulling subunit, a source return subunit, and a sharing subunit:
(1) The first pulling subunit is configured to pull the service traffic pointing to the target route to the preamble protection module according to the pull path, so that the preamble protection module performs attack detection.
The first pulling subunit pulls the service traffic to the path starting point according to the pull path, i.e. to the protection module with the highest priority, for cleaning.
The preamble protection module performs attack detection to detect whether the service traffic is attack traffic; for example, attack detection may use protection policies such as the SYN cookie algorithm, the SYN Reset algorithm, and TCP packet state detection. For the specific implementation, reference may be made to the embodiment of the distributed denial of service attack protection method or the embodiment of the distributed denial of service attack protection system, which is not described herein again.
(2) The reinjection subunit is configured to return reinjection traffic to the client corresponding to the service traffic if reinjection traffic returned by the preamble protection module during attack detection is received.
For example, taking a current SYN Flood attack as illustration, the preamble protection module is the four-layer protection module and triggers the SYN cookie algorithm for attack detection. The preamble protection module intercepts the negotiation SYN packet of the newly established TCP connection, computes a cookie value from the connection information, and returns the cookie value to the client as the initial sequence number (seq number) of the SYN+ACK packet. The packet the preamble protection module needs to return to the client is thus a SYN+ACK packet carrying the cookie value, and that SYN+ACK packet returned to the client is the reinjection traffic.
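The SYN cookie exchange described here and in the system embodiment above, as an added example that is not the patent's own code: the four-layer module derives the cookie from the connection information and a coarse timestamp, uses it as the SYN+ACK sequence number (the reinjection traffic), and later validates the client's ACK without having stored any state. The keyed-hash construction, the secret, the packet dictionaries and the addresses are constructed assumptions for the example.

```python
import hashlib
import hmac

# per-cluster secret, constructed for this example; a deployment would rotate it
SECRET = b"constructed-demo-secret"


def syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
               ts: int, secret: bytes = SECRET) -> int:
    """32-bit cookie derived from the connection information (4-tuple) and a
    coarse timestamp; it becomes the initial sequence number of the SYN+ACK."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{ts}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def build_syn_ack(syn: dict, ts: int) -> dict:
    """Reinjection traffic: the SYN+ACK the preamble module returns to the
    client instead of letting the protected host allocate connection state."""
    cookie = syn_cookie(syn["src"], syn["sport"], syn["dst"], syn["dport"], ts)
    return {
        "flags": "SA",
        "src": syn["dst"], "sport": syn["dport"],
        "dst": syn["src"], "dport": syn["sport"],
        "seq": cookie,
        "ack": (syn["seq"] + 1) & 0xFFFFFFFF,
    }


def ack_is_valid(ack: dict, now_ts: int, window: int = 1) -> bool:
    """Check the client's final ACK: its acknowledgement number minus one must
    equal a cookie computed for the same 4-tuple within the timestamp window.
    Only a client that really received the SYN+ACK knows the cookie, so the
    spoofed SYNs of a SYN Flood never complete and are judged attack traffic."""
    claimed = ((ack["ack"] - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    for ts in range(now_ts, now_ts - window - 1, -1):
        expected = syn_cookie(ack["src"], ack["sport"], ack["dst"], ack["dport"], ts)
        if hmac.compare_digest(claimed, expected.to_bytes(4, "big")):
            return True
    return False


if __name__ == "__main__":
    # constructed handshake: client 203.0.113.5 opens a connection to 192.0.2.10:80
    syn = {"flags": "S", "src": "203.0.113.5", "sport": 40000,
           "dst": "192.0.2.10", "dport": 80, "seq": 1000}
    syn_ack = build_syn_ack(syn, ts=100)
    ack = {"flags": "A", "src": "203.0.113.5", "sport": 40000,
           "dst": "192.0.2.10", "dport": 80, "ack": syn_ack["seq"] + 1}
    print(ack_is_valid(ack, now_ts=100))  # True
```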
When it receives the reinjection traffic returned by the preamble protection module for the service traffic, the reinjection subunit returns the reinjection traffic to the client corresponding to that service traffic.
(3) The second pulling subunit is configured to pull the service traffic to the next preamble protection module or to the target protection module for attack detection according to the pull path, if the preamble protection module determines the service traffic to be safe traffic.
If the preamble protection module detects that the service traffic is safe, the target route to which the service traffic points still corresponds to a higher-level protection module that must perform further detection, so the preamble protection module returns the service traffic to the distributed denial of service attack protection apparatus.
The second pulling subunit receives the service traffic returned by the preamble protection module and pulls it to the next node in the pull path, the next preamble protection module or the target protection module, for attack detection.
For example, a client has already been detected by the preamble protection module and determined to be a safe client. If that client sends service traffic, such as an HTTP request, and the preamble protection module determines from information such as the client's identifier that the client's traffic is safe traffic, the traffic is returned to the distributed denial of service attack protection apparatus.
The second pulling subunit receives the service traffic returned by the preamble protection module and then guides it to the next node in the pull path, the next preamble protection module or the target protection module, so that the cleaning work is completed step by step from the low-level protection module to the high-level protection module.
If the preamble protection module detects that the service traffic is attack traffic, the traffic is discarded directly.
(4) The reinjection subunit is further configured to return reinjection traffic to the client corresponding to the service traffic if reinjection traffic returned by the target protection module during attack detection is received.
Taking the target protection module to be the seven-layer protection module, it performs attack detection through protection policies such as verification codes and JavaScript algorithms, so the target protection module modifies the packets of the service traffic to generate reinjection traffic and returns it to the distributed denial of service attack protection apparatus.
When it receives the reinjection traffic returned by the target protection module for the service traffic, the reinjection subunit returns the reinjection traffic to the client corresponding to that service traffic.
(5) The source-return subunit is configured to return the service traffic to the target address if the target protection module determines that the service traffic is secure traffic.
After the target protection module at the end of the path performs attack detection, if it determines that the service traffic is secure traffic, the target protection module returns the service traffic to the distributed denial of service attack protection device.
The source-return subunit receives the service traffic returned by the target protection module and returns it to its source, the target address protected by the target protection module, so that normal service communication proceeds.
For example, suppose a client has been checked by the target protection module and determined to be a secure client. When that client sends traffic such as an HTTP request, the target protection module determines from information such as the client identifier that the traffic is secure traffic and returns it to the distributed denial of service attack protection device.
The source-return subunit receives the service traffic returned by the target protection module and returns it to the accessed target address so that normal service communication proceeds.
If the target protection module detects that the service traffic is attack traffic, the traffic is discarded directly.
In some embodiments, the first traction subunit is configured to pull the service traffic pointing to the target route to the target protection module for cleaning; the reinjection subunit is configured to return reinjection traffic to the client corresponding to the service traffic if reinjection traffic returned by the target protection module during attack detection is received; the source-return subunit is configured to return the service traffic to the target address if the target protection module determines that the service traffic is secure traffic; and if the target protection module detects that the service traffic is attack traffic, the traffic is discarded directly.
(6) The sharing subunit is configured to acquire the attack detection result of the preceding protection module and/or the target protection module, analyze that result to obtain attack information, and share the attack information with the protection modules in the traction path.
Specifically, in one implementation, after performing attack detection on the service traffic, the preceding protection module and/or the target protection module obtains an attack detection result indicating whether the service traffic is attack traffic, and returns that result to the sharing subunit.
In another embodiment, the sharing subunit may determine the attack detection result from the traffic returned by the preceding protection module and/or the target protection module. For example, if service traffic returned by the target protection module is received, the attack detection result records the service traffic as secure traffic; if neither service traffic nor reinjection traffic returned by the target protection module or the preceding protection module is received within a preset time, the attack detection result records the service traffic as attack traffic; and if a service traffic discard notification message returned by the preceding protection module or the target protection module is received, the attack detection result records the service traffic as attack traffic.
The sharing subunit judges from the attack detection result whether the client that sent the service traffic is trustworthy and, if it is, may further judge the trust level of the client. The sharing subunit can share information such as whether the client is trusted and its trust level, as attack information, with the other protection modules in the traction path.
For example, let the preceding protection module be a four-layer protection module and the target protection module a seven-layer protection module. If the four-layer protection module determines that the service traffic is secure traffic, and the sharing subunit determines from the attack detection result that the client sending the service traffic is a highly trusted client, the fact that the client is a highly trusted client is sent to the seven-layer protection module as attack information. After receiving the service traffic pulled by the second traction subunit, the seven-layer protection module looks up the attack information, finds that the client is a highly trusted client, judges the service traffic to be secure traffic and returns it to the source-return subunit, which returns it to the target address the service traffic points to so that normal service communication proceeds.
In this way, repeated work across the protection modules of different levels is reduced, and so is the consumption of resources and performance.
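The timeout-based inference of the alternative sharing-subunit embodiment above, as an added example that is not code from the patent or its applicant: the subunit receives no explicit result and classifies each flow from what the protection module sends back within the preset time (returned service traffic is secure, a discard notification is attack traffic, returned reinjection traffic means the client was challenged, and silence past the deadline counts as attack traffic). The event kinds, the timeout value, the trust-level policy and the sample events are constructed assumptions.

```python
"""Sharing subunit inferring attack detection results from module responses.
Added illustration; event kinds, timeout and trust policy are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRESET_TIMEOUT_S = 2.0   # constructed "preset time"


@dataclass(frozen=True)
class ModuleEvent:
    t: float        # seconds on the switch clock
    flow_id: str
    kind: str       # "returned" | "reinjected" | "discard_notice"
    module: str     # which protection module answered


class SharingSubunit:
    def __init__(self, timeout_s: float = PRESET_TIMEOUT_S) -> None:
        self.timeout_s = timeout_s
        self.pulled: Dict[str, float] = {}    # flow_id -> time it was pulled
        self.client: Dict[str, str] = {}      # flow_id -> client id
        self.results: Dict[str, str] = {}     # flow_id -> secure/attack/challenged

    def pulled_to_module(self, flow_id: str, client_id: str, t: float) -> None:
        """Record that the traction unit handed a flow to a protection module."""
        self.pulled[flow_id] = t
        self.client[flow_id] = client_id

    def on_event(self, ev: ModuleEvent) -> Optional[str]:
        """Classify one response; the first definitive result for a flow wins."""
        if ev.flow_id not in self.pulled:
            return None                       # unknown flow: ignore
        if self.results.get(ev.flow_id) in ("secure", "attack"):
            return self.results[ev.flow_id]   # late reply after a verdict
        if ev.kind == "returned":
            self.results[ev.flow_id] = "secure"
        elif ev.kind == "discard_notice":
            self.results[ev.flow_id] = "attack"
        elif ev.kind == "reinjected":
            self.results[ev.flow_id] = "challenged"   # client must answer first
        return self.results.get(ev.flow_id)

    def expire(self, now: float) -> List[str]:
        """Flows with nothing back within the preset time are attack traffic."""
        expired = [f for f, t0 in self.pulled.items()
                   if f not in self.results and now - t0 > self.timeout_s]
        for f in expired:
            self.results[f] = "attack"
        return expired

    def attack_info(self) -> Dict[str, str]:
        """Per-client trust level to share with the modules in the traction path
        (constructed policy: any attack result = untrusted; otherwise three or
        more secure flows = high, one or two = medium)."""
        secure: Dict[str, int] = {}
        attacked = set()
        for flow_id, res in self.results.items():
            cid = self.client[flow_id]
            if res == "attack":
                attacked.add(cid)
            elif res == "secure":
                secure[cid] = secure.get(cid, 0) + 1
        info = {cid: "untrusted" for cid in attacked}
        for cid, n in secure.items():
            if cid not in info:
                info[cid] = "high" if n >= 3 else "medium"
        return info


def demo() -> Dict[str, object]:
    """Constructed trace of one preset-time window."""
    sub = SharingSubunit()
    for fid, cid in [("f1", "a"), ("f2", "b"), ("f3", "c"), ("f4", "d"),
                     ("f5", "a"), ("f6", "a"), ("f7", "e")]:
        sub.pulled_to_module(fid, cid, t=0.0)
    events = [
        ModuleEvent(0.5, "f1", "returned", "l4_conn"),
        ModuleEvent(0.3, "f2", "discard_notice", "l4_conn"),
        ModuleEvent(0.4, "f4", "reinjected", "l7_http"),
        ModuleEvent(0.6, "f5", "returned", "l7_http"),
        ModuleEvent(0.7, "f6", "returned", "l7_http"),
        ModuleEvent(0.8, "f7", "returned", "l7_http"),
        ModuleEvent(0.9, "f7", "discard_notice", "l7_http"),  # late, ignored
        ModuleEvent(1.0, "zz", "returned", "l7_http"),        # unknown flow
    ]
    for ev in events:
        sub.on_event(ev)
    expired = sub.expire(now=3.0)   # f3 never came back
    return {"results": dict(sub.results), "expired": expired,
            "attack_info": sub.attack_info()}
```

Flow f3 is the silent case: nothing returns, so it is recorded as attack traffic only when `expire` runs past the deadline, and its client is shared as untrusted; the challenged flow f4 stays pending rather than being counted either way.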
As can be seen from the above, in the embodiment of the present invention the receiving unit 401 receives the target route issued by the target protection module, thereby determining the host route that needs to be protected and the service traffic that needs to be pulled for cleaning; the priority unit 402 then acquires the priority information of the protection modules that have currently issued routes, obtaining the currently running protection modules and their priorities; the path unit 403 generates a traction path with the target protection module as the path end point according to the priority information; and the traction unit 404 pulls the service traffic pointing to the target route to the corresponding protection modules for cleaning according to the traction path. The scheme determines the traction path from the priorities of the routes issued by the mounted protection modules, so that the protection modules currently performing distributed denial of service attack protection are brought in, the running protection modules are used sensibly, and the service traffic pointing to the target address is cleaned before it reaches the target protection module. This filters attack traffic on behalf of the target protection module, reducing its workload and the performance it consumes. The protection modules can defend effectively whether a single-layer attack or a mixed attack occurs.
Therefore, by connecting the multiple layers of protection modules in series along the traction path, the scheme not only provides multi-layer defence against distributed denial of service attacks but also filters the service traffic through that series connection, which reduces the workload of the high-cost protection module, keeps the overall function complete and the performance of the distributed denial of service attack protection system balanced, and improves the overall protection effect against distributed denial of service attacks.
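A runnable model of the units described above (receiving, priority, path and traction units, with the traction, reinjection, source-return and sharing subunits), written as an added example rather than code from the patent or its applicant. The module names and priorities, the RFC 5737 documentation addresses, the detection thresholds and the trust policy (cleared by two distinct modules means "high") are assumptions made for this illustration.

```python
"""Cleaning switch building a traction path and pulling traffic through it.
Added illustration; module names, priorities, thresholds and the trust
policy are constructed, not taken from the patent."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Verdict(Enum):
    SAFE = "safe"          # module returns the service traffic to the switch
    ATTACK = "attack"      # module discards the traffic
    REINJECT = "reinject"  # module answers the client itself (challenge)


@dataclass
class Flow:
    client_id: str
    dst: str                      # target address the traffic points to
    pps: int = 1                  # constructed volumetric indicator
    new_conns: int = 0            # constructed connection-rate indicator
    token: Optional[str] = None   # proof of an earlier JS/captcha challenge


@dataclass
class ProtectionModule:
    name: str
    priority: int                 # higher value = earlier in the traction path
    check: Callable[[Flow], Verdict]
    trust: Dict[str, str] = field(default_factory=dict)  # shared attack info

    def detect(self, flow: Flow) -> Verdict:
        # a client the sharing subunit rated "high" is passed through without
        # repeating this module's own (possibly expensive) check
        if self.trust.get(flow.client_id) == "high":
            return Verdict.SAFE
        return self.check(flow)


class CleaningSwitch:
    def __init__(self, modules: List[ProtectionModule]) -> None:
        self.modules = {m.name: m for m in modules}
        self.routes: Dict[str, str] = {}           # address -> issuing module
        self.cleared: Dict[str, Set[str]] = {}     # client -> modules that cleared it
        self.log: List[Tuple[str, str, str]] = []  # (module, client, verdict)

    # receiving unit: a module issues a host route for an address it protects
    def receive_route(self, dst: str, module_name: str) -> None:
        self.routes[dst] = module_name

    # priority unit + path unit: every module that currently has a route issued
    # and outranks the target module precedes it, highest priority first
    def traction_path(self, dst: str) -> List[str]:
        target = self.modules[self.routes[dst]]
        running = [self.modules[n] for n in set(self.routes.values())]
        preceding = sorted((m for m in running if m.priority > target.priority),
                           key=lambda m: m.priority, reverse=True)
        return [m.name for m in preceding] + [target.name]

    # sharing subunit: turn detection results into a trust level for the nodes
    # still ahead in the path (constructed policy: one module = "medium",
    # two or more distinct modules = "high")
    def share(self, client_id: str, cleared_by: str, later_nodes: List[str]) -> None:
        self.cleared.setdefault(client_id, set()).add(cleared_by)
        level = "high" if len(self.cleared[client_id]) >= 2 else "medium"
        for name in later_nodes:
            self.modules[name].trust[client_id] = level

    # traction unit: first/second traction, reinjection and source-return subunits
    def pull(self, flow: Flow) -> str:
        path = self.traction_path(flow.dst)
        for i, name in enumerate(path):
            verdict = self.modules[name].detect(flow)
            self.log.append((name, flow.client_id, verdict.value))
            if verdict is Verdict.ATTACK:
                return "discarded"                        # dropped by the module
            if verdict is Verdict.REINJECT:
                return "reinjected to " + flow.client_id  # challenge sent back
            self.share(flow.client_id, name, path[i + 1:])
        return "returned to " + flow.dst                  # back to the origin


def demo() -> Dict[str, object]:
    """Run constructed flows through a three-module deployment."""
    l3 = ProtectionModule("l3_volume", 3,
                          lambda f: Verdict.ATTACK if f.pps > 10_000 else Verdict.SAFE)
    l4 = ProtectionModule("l4_conn", 2,
                          lambda f: Verdict.ATTACK if f.new_conns > 500 else Verdict.SAFE)
    l7 = ProtectionModule("l7_http", 1,
                          lambda f: Verdict.SAFE if f.token == "ok" else Verdict.REINJECT)
    switch = CleaningSwitch([l3, l4, l7])
    out: Dict[str, object] = {}
    # only the L4 and L7 modules have issued routes so far (constructed addresses)
    switch.receive_route("198.51.100.7", "l4_conn")
    switch.receive_route("203.0.113.10", "l7_http")   # the attacked target address
    out["path_two"] = switch.traction_path("203.0.113.10")
    out["c3_first"] = switch.pull(Flow("c3", "203.0.113.10"))             # challenged
    out["c3_retry"] = switch.pull(Flow("c3", "203.0.113.10", token="ok"))  # passes
    # the L3 module comes online and issues a route: the path grows in front
    switch.receive_route("192.0.2.5", "l3_volume")
    out["path_three"] = switch.traction_path("203.0.113.10")
    out["c1"] = switch.pull(Flow("c1", "203.0.113.10", pps=50_000))       # dropped at L3
    out["c4"] = switch.pull(Flow("c4", "203.0.113.10", new_conns=5_000))  # dropped at L4
    out["c2"] = switch.pull(Flow("c2", "203.0.113.10"))  # no token, cleared by L3 and L4
    out["c2_trust_at_l7"] = l7.trust.get("c2")
    out["l7_log"] = [e for e in switch.log if e[0] == "l7_http"]
    return out
```

The last flow (`c2`) shows the sharing effect: it carries no challenge token, yet the seven-layer module never runs its check because the three-layer and four-layer modules both cleared the client and the shared trust level is "high"; the earlier `c3` flow, cleared by only one preceding module, still receives the challenge.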
An embodiment of the present invention further provides a network device, as shown in fig. 5, which shows a schematic structural diagram of the network device according to the embodiment of the present invention, specifically:
the network device may include components such as a processor 501 having one or more processing cores, a memory 502 of one or more computer-readable storage media, a power supply 503, and an input unit 505. Those skilled in the art will appreciate that the network device architecture shown in fig. 5 does not limit the network device, which may include more or fewer components than shown, combine some components, or arrange the components differently. Wherein:
the processor 501 is a control center of the network device, connects various parts of the entire network device by using various interfaces and lines, and performs various functions of the network device and processes data by running or executing software programs and/or modules stored in the memory 502 and calling data stored in the memory 502, thereby performing overall monitoring of the network device. Optionally, processor 501 may include one or more processing cores; preferably, the processor 501 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 501.
The memory 502 may be used to store software programs and modules, and the processor 501 executes various functional applications and data processing by operating the software programs and modules stored in the memory 502. The memory 502 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to use of the network device, and the like. Further, the memory 502 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 502 may also include a memory controller to provide the processor 501 with access to the memory 502.
The network device further comprises a power supply 503 for supplying power to each component, and preferably, the power supply 503 may be logically connected to the processor 501 through a power management system, so that functions of managing charging, discharging, power consumption, and the like are realized through the power management system. The power supply 503 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The network device may further include an input unit 505, and the input unit 505 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the network device may further include a display unit and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 501 in the network device loads the executable file corresponding to the process of one or more application programs into the memory 502 according to the following instructions, and the processor 501 runs the application program stored in the memory 502, so as to implement various functions as follows:
receiving a target route issued by a target protection module, wherein the target route is generated by the target protection module according to a target address of the distributed denial of service attack;
acquiring priority information of the protection modules that have currently issued routes;
generating a traction path with the target protection module as the path end point according to the priority information; and
pulling, according to the traction path, the service traffic pointing to the target route to the corresponding protection module for cleaning.
In the foregoing embodiments, the descriptions of the embodiments have respective emphasis, and a part that is not described in detail in a certain embodiment may refer to the above detailed description of the distributed denial of service attack protection method, which is not described herein again.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, the embodiment of the present invention provides a storage medium, in which a plurality of instructions are stored, where the instructions can be loaded by a processor to execute the steps in any one of the distributed denial of service attack protection methods provided by the embodiments of the present invention. For example, the instructions may perform the steps of:
receiving a target route issued by a target protection module, wherein the target route is generated by the target protection module according to a target address of the distributed denial of service attack;
acquiring priority information of the protection modules that have currently issued routes;
generating a traction path with the target protection module as the path end point according to the priority information; and
pulling, according to the traction path, the service traffic pointing to the target route to the corresponding protection module for cleaning.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
Wherein the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium can execute the steps of any distributed denial of service attack protection method provided by the embodiments of the present invention, they can achieve the beneficial effects achievable by any such method, which are described in detail in the foregoing embodiments and are not repeated here.
The distributed denial of service attack protection method, system, apparatus and storage medium provided by the embodiments of the present invention are described in detail above. Specific examples are used in this document to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help understand the method and core ideas of the present invention. At the same time, those skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (15)

1. A distributed denial of service attack protection method, comprising:
receiving a target route issued by a target protection module, wherein the target route is generated by the target protection module according to a target address of the distributed denial of service attack, the target protection module is the protection module corresponding to the layer at which the target address is located in a preset network communication model, and the target route is issued to a cleaning switch by the target protection module, which is triggered when the distributed denial of service attack is detected;
acquiring priority information of the protection modules that have currently issued routes;
generating a traction path with the target protection module as the path end point according to the priority information; and
pulling, according to the traction path, the service traffic pointing to the target route to the corresponding protection module for cleaning.
2. The method of claim 1, wherein generating a traction path with the target protection module as the path end point according to the priority information comprises:
acquiring, according to the priority information, the protection modules whose priority is higher than that of the target protection module as preceding protection modules; and
generating the traction path with the target protection module as the path end point according to the priorities of the preceding protection modules and the target protection module.
3. The method of claim 2, wherein generating the traction path with the target protection module as the path end point according to the priorities of the preceding protection modules and the target protection module comprises:
sorting the preceding protection modules and the target protection module from high priority to low priority according to the priority information; and
generating the traction path according to that order, with the preceding protection module of highest priority as the path start point and the target protection module as the path end point.
4. The method of claim 1, wherein the traction path includes one or more preceding protection modules ordered before the target protection module, and wherein pulling the service traffic pointing to the target route to the corresponding protection module for cleaning according to the traction path comprises:
pulling, according to the traction path, the service traffic pointing to the target route to a preceding protection module so that the preceding protection module performs attack detection; and
if the preceding protection module determines that the service traffic is secure traffic, pulling the service traffic, according to the traction path, to the next preceding protection module or to the target protection module for attack detection.
5. The method of claim 4, further comprising, after the service traffic is pulled to the target protection module for attack detection:
if the target protection module determines that the service traffic is secure traffic, returning the service traffic to the target address.
6. The method of claim 4, further comprising:
if reinjection traffic returned by the preceding protection module and/or the target protection module during attack detection is received, returning the reinjection traffic to the client corresponding to the service traffic.
7. The method of claim 4, further comprising:
acquiring an attack detection result of the preceding protection module and/or the target protection module; and
analyzing the attack detection result to obtain attack information, and sharing the attack information with the protection modules in the traction path.
8. A distributed denial of service attack protection system, comprising:
a detection device configured to trigger a target protection cluster to issue a target route to a cleaning switch when a distributed denial of service attack is detected, wherein the target route is generated by the target protection cluster according to a target address of the distributed denial of service attack, and the target protection cluster is the protection module corresponding to the layer at which the target address is located in a preset network communication model;
the cleaning switch, configured to receive the target route issued by the target protection cluster, the target route being generated by the target protection cluster according to the target address of the distributed denial of service attack; acquire priority information of the protection clusters that have currently issued routes; generate a traction path with the target protection cluster as the path end point according to the priority information; and pull, according to the traction path, the service traffic pointing to the target route to the corresponding protection cluster for cleaning; and
protection clusters, including at least the target protection cluster, configured to issue routes to the cleaning switch and to clean the service traffic pulled by the cleaning switch.
9. The system of claim 8, wherein the detection device is specifically configured to:
acquire the attacked target address when the distributed denial of service attack is detected;
determine the layer of the target address according to the preset network communication model and take that layer as the target layer; and
take the protection cluster corresponding to the target layer as the target protection cluster, and issue a route traction instruction to the target protection cluster to trigger it to issue the target route to the cleaning switch according to the target address.
10. The system of claim 8, wherein the protection clusters further comprise one or more preceding protection clusters whose priority is higher than that of the target protection cluster:
the preceding protection cluster is configured to perform attack detection on the service traffic pulled by the cleaning switch and, if the service traffic is determined to be secure traffic, return it to the cleaning switch; and
the cleaning switch is further configured to pull the service traffic, according to the traction path, to the next preceding protection cluster or to the target protection cluster for attack detection.
11. The system of any one of claims 8 to 10, wherein the target protection module is specifically configured to:
clean the service traffic pulled by the cleaning switch and, if the service traffic is determined to be secure traffic, return it to the cleaning switch; and
the cleaning switch is further configured to receive the service traffic returned by the target protection module and return the service traffic to its source at the target address.
12. A distributed denial of service attack protection apparatus, comprising:
a receiving unit configured to receive a target route issued by a target protection module, wherein the target route is generated by the target protection module according to a target address of the distributed denial of service attack, the target protection module is the protection module corresponding to the layer at which the target address is located in a preset network communication model, and the target route is issued to a cleaning switch by the target protection module, which is triggered when the distributed denial of service attack is detected;
a priority unit configured to acquire priority information of the protection modules that have currently issued routes;
a path unit configured to generate a traction path with the target protection module as the path end point according to the priority information; and
a traction unit configured to pull, according to the traction path, the service traffic pointing to the target route to the corresponding protection module for cleaning.
13. The apparatus of claim 12, wherein the path unit comprises a screening subunit and a configuration subunit:
the screening subunit is configured to acquire, according to the priority information, the protection modules whose priority is higher than that of the target protection module as preceding protection modules; and
the configuration subunit is configured to generate the traction path with the target protection module as the path end point according to the priorities of the preceding protection modules and the target protection module.
14. The apparatus of claim 12, wherein the traction path includes one or more preceding protection modules ordered before the target protection module, and the traction unit comprises a first traction subunit and a second traction subunit:
the first traction subunit is configured to pull, according to the traction path, the service traffic pointing to the target route to a preceding protection module so that the preceding protection module performs attack detection; and
the second traction subunit is configured to, if the preceding protection module determines that the service traffic is secure traffic, pull the service traffic, according to the traction path, to the next preceding protection module or to the target protection module for attack detection.
15. A storage medium storing instructions adapted to be loaded by a processor to perform the steps of the distributed denial of service attack protection method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810572199.3A CN110213214B (en) 2018-06-06 2018-06-06 Attack protection method, system, device and storage medium

Publications (2)

Publication Number Publication Date
CN110213214A CN110213214A (en) 2019-09-06
CN110213214B true CN110213214B (en) 2021-08-31

Family

ID=67779017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810572199.3A Active CN110213214B (en) 2018-06-06 2018-06-06 Attack protection method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN110213214B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110768975B (en) * 2019-10-21 2022-05-31 杭州迪普科技股份有限公司 Flow cleaning method and device, electronic equipment and machine readable storage medium
CN110830474B (en) * 2019-11-08 2021-04-06 中盈优创资讯科技有限公司 Network attack protection system and method, and flow control device
CN110809004A (en) * 2019-11-12 2020-02-18 成都知道创宇信息技术有限公司 Safety protection method and device, electronic equipment and storage medium
CN111741021B (en) * 2020-08-03 2020-11-24 北京翼鸥教育科技有限公司 Detection and protection system for CC attack access service cluster
CN114338066A (en) * 2020-09-30 2022-04-12 中移(苏州)软件技术有限公司 Defense method, system, equipment and storage medium for denial of service attack

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7707305B2 (en) * 2000-10-17 2010-04-27 Cisco Technology, Inc. Methods and apparatus for protecting against overload conditions on nodes of a distributed network
CN101616129B (en) * 2008-06-27 2012-11-21 成都市华为赛门铁克科技有限公司 Method, device and system for network attack defense and traffic overload protection
CN101447996B (en) * 2008-12-31 2012-08-29 成都市华为赛门铁克科技有限公司 Defending method for distributed service-refusing attack and system and device thereof
CN102143143B (en) * 2010-10-15 2014-11-05 北京华为数字技术有限公司 Method and device for defending network attack, and router
CN102263788B (en) * 2011-07-14 2014-06-04 百度在线网络技术(北京)有限公司 Method and equipment for defending against denial of service (DDoS) attack to multi-service system
CN108063765B (en) * 2014-12-17 2021-07-16 南昌理工学院 SDN system suitable for solving network security
CN106411910B (en) * 2016-10-18 2019-04-05 优刻得科技股份有限公司 A kind of defence method and system of distributed denial of service attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant