CN110213254A - Method and apparatus for identifying forged Internet Protocol (IP) packets - Google Patents


Info

Publication number: CN110213254A
Authority: CN (China)
Prior art keywords: packet, ttl, value, source address, standard value
Legal status: Pending
Application number: CN201910444380.0A
Other languages: Chinese (zh)
Inventor: 吴铁军
Current Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Original Assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

This application relates to the field of network security, and in particular to a method and apparatus for identifying forged Internet Protocol (IP) packets. The method comprises: determining the time-to-live (TTL) value of a received IP packet and the source address in the IP packet; comparing the determined TTL value with the TTL standard value corresponding to the source address, where the TTL standard value for the source address has been learned in advance under no-attack conditions; and judging from the comparison result whether the IP packet is forged. The application improves the recognition rate of forged IP packets and thereby the protective capability.

Description

Method and apparatus for identifying forged Internet Protocol (IP) packets
Technical field
This application relates to the field of network security, and in particular to a method and apparatus for identifying forged Internet Protocol (IP) packets.
Background
Network technology and network applications are developing rapidly, and network security has become increasingly important. A distributed denial-of-service (DDoS) attack uses client/server technology to combine many computers into one attack platform that launches DoS attacks against one or more targets, multiplying the power of a denial-of-service attack.
Under a DDoS attack the targeted server receives a large number of useless IP packets whose source address and time-to-live (TTL) value are false. The result is network congestion: the attacked server cannot handle normal requests in time and, in severe cases, crashes. The prior-art approach to DDoS is to actively send probe packets towards the attack source and determine the attack source's address from its response, so that packets sent from that address can be rejected. The problem with this approach is that reverse probing consumes network bandwidth and, more importantly, the probe packets are often dropped by intermediate gateways, and some devices do not respond at all, so the reverse probe fails. Once the probe fails, the source address of the attack cannot be determined, it cannot be determined which IP packets are forged attack packets, and the attack packets cannot be rejected.
In summary, the prior-art technique of countering DDoS attacks by first determining the attack source address has technical deficiencies and cannot resolve DDoS attacks effectively.
Summary of the invention
The embodiments of this application provide a method and apparatus for identifying forged IP packets, to solve the prior-art problem that attack packets cannot be identified when the attack source address cannot be determined.
In a first aspect, an embodiment of the present invention provides a method for identifying forged IP packets, the method comprising:
determining the time-to-live (TTL) value in a received IP packet and the source address in the IP packet;
comparing the determined TTL value with the TTL standard value corresponding to the source address, where the TTL standard value corresponding to the source address is obtained in advance by learning from normal IP packets;
judging from the comparison result whether the IP packet is a forged IP packet.
Because the method learns from normal IP packets in advance, it already knows the TTL standard value of packets from the source address to the destination address (the TTL value indicates the remaining lifetime of a packet). It verifies a received IP packet directly against the learned TTL standard value to judge whether the received packet is forged. This avoids the prior-art shortcoming that attack packets cannot be identified, and protection degrades, when the attack source address cannot be determined; it improves the recognition rate and greatly improves protective capability.
In one possible implementation, judging from the comparison result whether the IP packet is forged comprises:
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is greater than a predetermined threshold, the IP packet is a forged IP packet;
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is less than or equal to the predetermined threshold, the IP packet is not a forged IP packet.
The method verifies the IP packet against the TTL standard value by comparing the packet's TTL value with the standard value: if the error is small the packet is judged genuine, if the error is large it is judged forged. Only the magnitude of two TTL values is compared, so the implementation is simple.
In one possible implementation, before judging from the TTL value and the TTL standard value learned in advance from normal IP packets whether the IP packet is forged, the method comprises:
judging whether the TTL value of the IP packet lies within a preset interval range;
if the TTL value of the packet does not lie within the preset interval range, judging the IP packet to be a forged IP packet.
With this method certain forged packets are recognised from the TTL interval range alone, without verification against the TTL standard value, which improves recognition efficiency.
In one possible implementation, the TTL standard value corresponding to the source address is determined as follows:
using the source address as an index, looking up the TTL standard value corresponding to the source address in a preset binding table of source addresses and TTL standard values.
The method binds each source address to a TTL standard value, so the TTL standard value for a source address can be found from the binding relationship. Recording the correspondence between source address and TTL standard value in a binding table organises a large amount of complex data for easy lookup.
In one possible implementation, learning the TTL standard value of the source address in advance from normal IP packets comprises:
receiving multiple normal IP packets sent by the source address;
for each normal IP packet, obtaining its TTL value;
for each TTL value, counting the number of normal IP packets carrying that TTL value;
selecting the TTL value carried by the largest number of normal IP packets as the TTL standard value corresponding to the source address.
The method learns from normal IP packets under no-attack conditions and thereby learns the TTL standard value. The standard value is obtained by maximum-probability (mode) statistics, which is only a counting operation, so the technical solution is simple.
In a second aspect, an embodiment of this application further provides an apparatus for identifying forged IP packets, comprising: a determining module for determining the TTL value in a received IP packet and the source address in the IP packet;
a comparison module for comparing the determined TTL value with the TTL standard value corresponding to the source address, where the TTL standard value corresponding to the source address is obtained in advance by learning from normal IP packets;
and for judging from the comparison result whether the IP packet is a forged IP packet.
In one possible implementation, the comparison module is further configured to:
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is greater than a predetermined threshold, judge the IP packet to be a forged IP packet;
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is less than or equal to the predetermined threshold, judge the IP packet not to be a forged IP packet.
The comparison module is further configured to, before judging from the TTL value and the TTL standard value learned in advance from normal IP packets whether the IP packet is forged:
judge whether the TTL value of the IP packet lies within a preset interval range;
if the TTL value of the packet does not lie within the preset interval range, judge the IP packet to be a forged IP packet.
In one possible implementation, the comparison module is further configured to:
using the source address as an index, look up the TTL standard value corresponding to the source address in a preset binding table of source addresses and TTL standard values.
In one possible implementation, the comparison module is further configured to:
receive multiple normal IP packets sent by the source address;
for each normal IP packet, obtain its TTL value;
for each TTL value, count the number of normal IP packets carrying that TTL value;
select the TTL value carried by the largest number of normal IP packets as the TTL standard value corresponding to the source address.
In a third aspect, an embodiment of this application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any method of the first aspect.
For the technical effects of any implementation of the second and third aspects, see the corresponding implementation of the first aspect; they are not repeated here.
Detailed description of the invention
Fig. 1 is a schematic diagram of a DDoS attack scenario;
Fig. 2 is a flow chart of a method for identifying forged IP packets provided by an embodiment of this application;
Fig. 3 is a schematic diagram of how the TTL value of a packet changes in transit, provided by an embodiment of this application;
Fig. 4 is a schematic comparison of the TTL values of genuine and forged packets, provided by an embodiment of this application;
Fig. 5 is a schematic diagram of multiple paths from a source node to a destination node, provided by an embodiment of this application;
Fig. 6 is a flow chart of another method for identifying forged IP packets provided by an embodiment of this application;
Fig. 7 is a schematic diagram of an apparatus for identifying forged IP packets provided by an embodiment of this application.
Specific embodiment
To make the purposes, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of this application. The detailed description below is not intended to limit the claimed scope of this application; it merely represents selected embodiments. All other embodiments that a person skilled in the art obtains from these embodiments without inventive effort fall within the scope of protection of this application.
A DDoS attack uses client/server technology to combine many computers into one attack platform that attacks one or more targets, multiplying the power of a denial-of-service attack. Fig. 1 is a schematic diagram of a DDoS attack: the attacker controls multiple puppet machines (bots) that jointly attack one server, and every puppet machine sends forged IP packets to the attacked server. Because many puppet machines attack together, the number of forged IP packets is huge and the attack is very powerful.
If the attacked server is hit by a DDoS attack it receives a large number of forged IP packets and can no longer serve normal users. To reduce the damage of a DDoS attack, the method of this application is applied in a DDoS protection device; it improves the device's recognition rate for forged packets and thereby its protective capability.
An IP packet carries a time-to-live (TTL) value. The TTL field specifies the maximum number of network segments an IP packet may traverse before a router discards it, that is, the maximum number of hops over which the packet can be forwarded in a computer network. The TTL field is set by the sender of the IP packet; every router on the forwarding path from source to destination modifies it, specifically by decrementing the TTL by 1 before forwarding the packet. For a given packet, the difference between the initial TTL and the final TTL on arrival at the destination is therefore determined by the number of routers on the network path. A hacker mounting a DDoS attack cannot change the network topology, so whether or not an attack is in progress, a packet sent from a given source address arrives at the destination with essentially the same TTL value. This is why the TTL value can be used to identify forged packets.
On this basis, this application proposes a method for identifying forged IP packets, shown in Fig. 2, comprising:
Step S201: determine the TTL value in the received IP packet and the source address in the IP packet;
where the TTL value refers to the TTL value of the IP packet on arrival at the server at the destination address.
When a sending host at the source address sends an IP packet to a server at the destination address, it sets an initial TTL value; the packet is forwarded by multiple routers on the path before finally reaching the server. Each intermediate router decrements the TTL by 1 when forwarding the IP datagram, so the TTL value on arrival at the destination is smaller than the initial TTL value in the packet.
When the server at the destination address receives the IP packet, it extracts the TTL value carried in the packet and the packet's source IP address.
Step S202: compare the determined TTL value with the TTL standard value corresponding to the source address, where the TTL standard value corresponding to the source address is obtained in advance by learning from normal IP packets;
The TTL standard value corresponding to the source address is obtained by learning from normal IP packets in advance. Normal IP packets are packets sent normally while no attack is in progress. The no-attack state can be established by traffic monitoring: abnormal traffic indicates an attack, normal traffic indicates no attack. The TTL standard value can be stored on the server at the destination address or in the DDoS protection device.
Step S203: judge from the comparison result whether the IP packet is a forged IP packet.
If the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is greater than a predetermined threshold, the IP packet is a forged IP packet;
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is less than or equal to the predetermined threshold, the IP packet is not a forged IP packet.
Under normal, no-attack conditions each operating system has its own TTL initial value. When a host at a given address sends normal IP packets with its operating system, the TTL of every normal packet is filled with one fixed initial value. Extensive statistics show that the number of hops traversed by a normal IP packet is bounded and does not exceed its initial TTL; otherwise the packet would be dropped in transit.
When an attack is in progress, the TTL initial values of the forged attack packets sent by the hacker are random, not fixed and without pattern, so it is hard to judge from the initial TTL alone whether a packet is a forged attack packet. However, both normal packets under no attack and forged packets during a DDoS attack obey the same rule by which routers modify the TTL: each router the packet passes decrements the TTL by 1. Fig. 3 shows how the TTL value of a packet changes in transit: when the server at the source address sends an IP packet with an assumed initial TTL of 32, after the first router the TTL becomes 31 and after the second router it becomes 30.
For a given source address, if the source address sends a forged IP packet, the initial TTL is randomly generated and without pattern. Under normal conditions, however, the initial TTL of the packets sent from that source address is always the same. For the same path, the hop count from source address to destination address is fixed, so multiple IP packets sent from the same source address to the destination address have the same initial TTL and also the same TTL on arrival at the destination. Fig. 4 compares the TTL values of genuine and forged packets. Suppose the server at the source address is controlled by a hacker and the packets it sends are forged IP packets: their initial TTL is random, so their TTL on arrival at the destination node is also randomly distributed (for example 5, 6, 15, and so on), clearly far from the TTL standard value of 30 for normal packets. Forged packets can therefore be recognised from the TTL value of the IP packet. Applied in a DDoS protection device or a passive detection device, the method of this application lets the device easily identify IP packets with forged TTLs. The scheme is simple, has very little impact on the performance of the protection device, and raises the recognition rate of forged IP packets.
Whether the server is under attack can be judged from traffic: normal traffic means no attack, abnormal traffic means the server is under attack. While traffic is normal and there is no attack, the TTL standard value of the IP packets sent by each source address is learned in advance. When abnormal traffic is detected and a DDoS attack is determined, the IP packets from the source address are verified with the TTL standard value. In the comparison of Fig. 4, the TTL standard value of normal IP packets is 30, so an IP packet with TTL 5 is determined to be forged.
The method of this application is simple, has little impact on the performance of the protection device and easily identifies forged IP packets. Compared with the prior-art approach of first determining the attack source address and then treating the packets sent from that address as forged attack packets, this application does not need to determine the attack source address first and therefore does not need reverse probing; it significantly improves the recognition rate of forged IP packets and improves protective capability.
Because hop counts over multiple paths may differ, the TTL of some normal IP packets may differ slightly from the TTL standard value. Treating any packet whose TTL differs from the standard value as forged would therefore cause misjudgements. To avoid this, in one embodiment, judging from the comparison result whether the IP packet is forged is:
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is greater than a predetermined threshold, the IP packet is a forged IP packet;
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is less than or equal to the predetermined threshold, the IP packet is not a forged IP packet.
To balance recognition efficiency against misjudgement, in one possible embodiment the method comprises:
judging whether the TTL value of the IP packet lies within a preset interval range;
if the TTL value of the packet does not lie within the preset interval range, judging the IP packet to be a forged IP packet;
if the TTL value of the packet lies within the preset interval range, further judging from the packet's TTL value and the source address's TTL standard value whether the packet is forged:
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is greater than the predetermined threshold, the IP packet is a forged IP packet;
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is less than or equal to the predetermined threshold, the IP packet is not a forged IP packet.
The way the threshold is obtained and its size can be realised in many ways and designed flexibly: it can be set according to the actual network routing scenario, obtained by machine learning methods, or set manually. This application does not limit it.
The path from a given source address to the destination address is not unique; there may be several different paths whose hop counts differ, so the arrival TTL may show small differences.
Fig. 5 shows multiple paths from a source node to a destination node. Suppose an IP packet sent by the source node has an initial TTL of 32. Path 1 has 2 routers (2 hops), so the TTL on arrival at the destination node is 30;
path 2 has 3 routers (3 hops), so the TTL on arrival at the destination node is 29;
path 3 has 1 router (1 hop), so the TTL on arrival at the destination node is 31.
Therefore, when comparing the TTL standard value with the TTL value of a received IP packet, this application allows a certain margin: if the difference between the standard value and the received TTL lies within a predetermined range, the packet is considered not forged; if it exceeds the predetermined range, the packet is considered forged.
In a concrete implementation, suppose that under normal conditions normal IP packets are sent from the source node to the destination node with an initial TTL of 32 over 5 hops; then the TTL on arrival at the destination is 27, and 27 is the TTL standard value learned statistically for that source address.
If the destination node then receives an IP packet from that source node with TTL 5, the difference from the standard value 27 is 22. With a threshold of 5, the difference 22 is far greater than the threshold, so the packet is identified as forged and dropped.
Suppose instead that the TTL of an IP packet from the source node is 5, the TTL standard value from the source node to the destination node is 6 and the threshold is 3; then the packet is judged not forged and is let through.
Because verification against the TTL standard value is comparatively laborious (a subtraction, then a comparison of the difference with the threshold), recognition efficiency can be improved by first judging, on receipt of an IP packet, whether its TTL lies within a preset interval range. If it does, the packet needs further judgement; if not, the packet is judged forged. This works because initial TTL values are fixed and come from a few common values, such as 32, 64 and 128, and by the characteristics of the network the hop count from source node to destination node is generally not more than 16, so the TTL values of normal IP packets are distributed regularly within specific intervals rather than randomly dispersed, whereas one characteristic of forged packets is that their initial TTL is random and not fixed, so on arrival at the destination node their TTL rarely falls within the normal intervals.
If the TTL of a packet does not lie within the preset interval range, the packet is identified as forged, discarded directly, and an alarm is raised. In a concrete implementation other handling is also possible; for example the protection device may store the forged packet for analysis. This application does not limit this.
According to practical experience, the actual TTL interval of IP packets on the network should be TTL = {X | [1,32], [32,64], [96,128], [223,255]}. In engineering practice this reasonable interval can be narrower; for example, since most hop counts are 16 or below, the practical TTL interval becomes TTL = {X | [16,32], [(64-16),64], [(128-16),128], [(255-16),255]}. Suppose an IP packet has TTL 40: it lies in none of these intervals, so it is identified as a forged IP packet and discarded.
Forged IP packets with clearly abnormal TTL values can thus be distinguished using the legitimate intervals alone, without comparing against the TTL standard value, which markedly improves the efficiency of identifying forged IP packets.
This embodiment first judges whether the TTL value lies within the predetermined range; if not, the IP packet is identified as forged; if it does, a further judgement is made by verifying against the TTL standard value. An example follows.
Suppose that in the no-attack state the TTL standard value learned in advance for a source address is 27, the threshold is 5 and the preset interval is TTL = {X | [16,32], [(64-16),64], [(128-16),128], [(255-16),255]}, the interval based on practical experience described above. It should be emphasised that the design of the preset interval can also be adjusted flexibly to the actual network system. For a small network system, or for a single network server whose neighbouring nodes are at most 1 or 2 hops away, the interval lies close below the initial TTL values; if hop counts are larger, the interval extends further below them.
If a received IP packet has TTL 5, first judge whether the TTL lies within the preset interval: 5 is clearly not within [16,32], so the packet is identified as forged and dropped. If a received IP packet has TTL 23, which lies within [16,32], a further judgement against the standard value 27 is needed: the difference between 23 and 27 is 4, less than the threshold 5, so the packet is judged genuine. If a packet has TTL 17, it lies within [16,32] but differs from the standard value 27 by 10, greater than the threshold 5, so the packet is judged forged. The packet is dropped, or dropped with an alarm sent to the server; the alarm provides early warning, and dropping forged packets in time also improves protective capability.
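The two-stage check worked through above (interval range first, then comparison with the learned standard value), as an added Python example that is not part of the patent or of any NSFOCUS product. The intervals are built as [initial - max_hops, initial] for the initial TTLs 32, 64, 128 and 255 with max_hops = 16, as in the text; the binding table, the threshold of 5, the source addresses from the 203.0.113.0/24 documentation range and the handling of a source with no learned value are assumptions of this example.

```python
"""Two-stage TTL check for a received IP packet.

Example code added for this page; it is not the patent's own implementation.
Assumed: initial TTLs 32/64/128/255, a per-source binding table supplied by
the caller, and the 'unknown source' handling noted in classify().
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Common operating-system initial TTL values (the text names 32, 64, 128, 255).
INITIAL_TTLS = (32, 64, 128, 255)


def preset_intervals(max_hops: int = 16) -> List[Tuple[int, int]]:
    """The 'practical' intervals of the text: [initial - max_hops, initial]."""
    return [(init - max_hops, init) for init in INITIAL_TTLS]


def in_preset_interval(ttl: int, intervals: Iterable[Tuple[int, int]]) -> bool:
    """Stage 1: does the arrival TTL fall in any preset interval?"""
    return any(lo <= ttl <= hi for lo, hi in intervals)


def deviates_from_standard(ttl: int, standard: int, threshold: int) -> bool:
    """Stage 2: |ttl - standard| greater than the threshold means forged."""
    return abs(ttl - standard) > threshold


@dataclass(frozen=True)
class Verdict:
    forged: bool
    reason: str


def classify(ttl: int, src: str, standards: Dict[str, int], threshold: int,
             intervals: Iterable[Tuple[int, int]]) -> Verdict:
    """Stage 1, then stage 2 against the source's learned standard value.
    A source with no learned value is only interval-checked (assumption:
    the text does not define this case)."""
    if not 0 <= ttl <= 255:
        return Verdict(True, "TTL outside the 8-bit field range")
    if not in_preset_interval(ttl, intervals):
        return Verdict(True, f"TTL {ttl} outside preset intervals")
    standard = standards.get(src)
    if standard is None:
        return Verdict(False, "no learned standard value; interval check only")
    if deviates_from_standard(ttl, standard, threshold):
        return Verdict(True, f"|{ttl} - {standard}| > {threshold}")
    return Verdict(False, f"|{ttl} - {standard}| <= {threshold}")


def filter_packets(packets: Iterable[Tuple[str, int]], standards: Dict[str, int],
                   threshold: int = 5, max_hops: int = 16) -> Counter:
    """Run the check over (src, ttl) pairs and tally drop/pass decisions."""
    intervals = preset_intervals(max_hops)
    tally: Counter = Counter()
    for src, ttl in packets:
        verdict = classify(ttl, src, standards, threshold, intervals)
        tally["drop" if verdict.forged else "pass"] += 1
    return tally


# Constructed sample (not captured traffic): standard value 27 learned for
# 203.0.113.7, the worked numbers of the text, plus a source with no entry.
STANDARDS = {"203.0.113.7": 27}
SAMPLE = [("203.0.113.7", 5), ("203.0.113.7", 23), ("203.0.113.7", 17),
          ("203.0.113.7", 40), ("203.0.113.9", 27)]

if __name__ == "__main__":
    intervals = preset_intervals()
    for src, ttl in SAMPLE:
        v = classify(ttl, src, STANDARDS, 5, intervals)
        print(f"{src} ttl={ttl:3d} -> {'FORGED' if v.forged else 'ok    '} ({v.reason})")
    print(dict(filter_packets(SAMPLE, STANDARDS)))
```

The stage-1 interval test is a cheap filter that rejects TTL 5 and TTL 40 without a table lookup; only packets that pass it cost the per-source lookup and subtraction of stage 2, which is the efficiency argument the text makes. The 8-bit range guard is not in the text; it is the check a practitioner would add before trusting a decoded header field.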
The TTL standard value can be looked up in several ways.
One way is a table lookup: a binding relationship table of IP address to TTL standard value is established in advance, binding each IP address to its TTL standard value. When looking up, the source IP address is used as the index to find the TTL standard value corresponding to that source IP address. Besides a binding relationship table, the TTL standard value corresponding to an IP address can also be found using a lookup algorithm or similar means.
As to the learning process for the TTL standard value, in one embodiment the TTL standard value is determined from multiple IP packets, specifically: obtain the TTL value of each IP packet;
count the number of IP packets corresponding to each TTL value;
select the TTL value with the largest number of IP packets as the TTL standard value.
In a concrete implementation, in the absence of an attack, assume a source address has sent 1000 IP packets to a destination address. Statistics show that 950 packets have a TTL value of 16 and 50 packets have a TTL value of 32; the TTL standard value from this source address to this destination address is then determined to be 16.
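The two-stage check and the learning procedure described above, written out as an added Python example (not code from the patent or its assignee). The source addresses and packet samples are constructed for illustration, and the "unknown" verdict for a source that has no learned baseline is an assumption of this example, since the description only covers sources with a learned value. One caveat a deployer should keep in mind: a filter of this kind only catches spoofed packets whose real sender sits at a different hop distance from the protected host than the genuine source; a spoofer at the same distance lands inside the tolerance, and the threshold trades that miss rate against false alarms from legitimate route changes.

```python
"""Two-stage TTL check for forged IP packets: preset interval first, then
the per-source TTL standard value learned from attack-free traffic.
Added example; all addresses and samples below are constructed."""
from collections import Counter
from typing import Dict, Iterable, Tuple

# Preset interval from the description: the observed TTL may lie in
# [16,32], [64-16,64], [128-16,128] or [255-16,255].
PRESET_INTERVALS: Tuple[Tuple[int, int], ...] = (
    (16, 32), (48, 64), (112, 128), (239, 255))


def in_preset_interval(ttl: int,
                       intervals: Tuple[Tuple[int, int], ...] = PRESET_INTERVALS) -> bool:
    """Stage 1: is the observed TTL inside any plausible band?"""
    return any(lo <= ttl <= hi for lo, hi in intervals)


def learn_standard_values(samples: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Learning step: from (source address, observed TTL) pairs captured while
    no attack is under way, pick for each source the TTL value that occurs
    most often. The result is the binding table source -> TTL standard value
    that the lookup step indexes by source address."""
    per_source: Dict[str, Counter] = {}
    for src, ttl in samples:
        per_source.setdefault(src, Counter())[ttl] += 1
    return {src: counts.most_common(1)[0][0]
            for src, counts in per_source.items()}


def classify(src: str, ttl: int, table: Dict[str, int], threshold: int = 5,
             intervals: Tuple[Tuple[int, int], ...] = PRESET_INTERVALS) -> str:
    """Return 'forged', 'genuine' or 'unknown'.

    'unknown' (no baseline learned for this source) is an assumption of this
    example; the description only covers sources with a learned value."""
    if not in_preset_interval(ttl, intervals):
        return "forged"                       # stage 1 failed: drop
    standard = table.get(src)                 # table lookup by source address
    if standard is None:
        return "unknown"
    # Stage 2: |TTL - standard| > threshold means forged, <= threshold genuine.
    return "genuine" if abs(ttl - standard) <= threshold else "forged"


def run_demo() -> Dict[str, object]:
    """Reproduces the worked numbers from the description on constructed data."""
    # Learning: 1000 attack-free packets from one source, 950 with TTL 16
    # and 50 with TTL 32, so the standard value becomes 16.
    learning_samples = [("192.0.2.10", 16)] * 950 + [("192.0.2.10", 32)] * 50
    table = learn_standard_values(learning_samples)
    # Checking: a source whose learned standard value is 27, threshold 5.
    table["198.51.100.7"] = 27
    verdicts = {ttl: classify("198.51.100.7", ttl, table) for ttl in (5, 23, 17)}
    return {"learned": table["192.0.2.10"], "verdicts": verdicts}


if __name__ == "__main__":
    print(run_demo())
```

The learning table is rebuilt from attack-free captures, so in practice it needs to be refreshed when routing changes, otherwise a stable but stale standard value turns legitimate traffic into alarms.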
This application uses the TTL value to identify forged IP packets. The technical solution is simple and self-contained, and its consumption of protection-system resources is extremely low: only CPU read operations and numeric comparisons, with no time-consuming write operations. In the absence of attack, the TTL values of IP packets, the reasonable engineering interval of hop counts, and the standard values are all obtained by statistical clustering, so these values differ from one user scenario to another and change dynamically, and an attacker cannot guess them accurately. This raises the attacker's difficulty by hiding key information in the attack-defense game.
Furthermore, considering the characteristics of a DDoS attack, in which many puppet machines are concentrated yet distributed, their IP addresses tend to be regional and clustered. Therefore, once the IP address of a puppet machine is determined, IP addresses close to it can also be taken to be puppet machines. In a concrete implementation, a threshold is set: after the IP address of a puppet machine is determined, the K addresses adjacent to it are also deemed puppet machines, or the K adjacent addresses are subjected to focused monitoring and detection.
Considering the need for early warning, the anti-DDoS device of this application has already learned the TTL standard value in the absence of attack, so during routine use, once a forged packet is found, whether early in an attack or at its very start, the attack packets can be detected and an alarm raised promptly. This provides early warning, and dropping the attack packets improves protective capability and avoids being compromised.
The present invention also provides another method for identifying forged IP packets. Referring to the flowchart of a method for identifying forged IP packets shown in Fig. 6, the method includes:
Step S601: receive an IP packet and obtain its TTL value;
the received IP packet is parsed to obtain its source IP address and TTL value, and the TTL base value of the sending operating system and the actual hop count of the current IP packet are calculated.
Step S602: judge whether the TTL value of the packet lies in the preset interval; if it lies in the preset interval, execute step S603; if not, execute step S605;
here it is determined whether the TTL of the IP packet lies in a reasonable preset interval; if not, the packet is dropped, otherwise the next judgment is entered. Extensive statistics show that current operating systems use the initial TTL values 32, 64, 128 and 255, and that the number of routers between a source IP and a destination IP rarely exceeds 32, since otherwise packets from an operating system with initial TTL 32 could not reach the destination at all. The actual interval of IP packet TTL values on the network should therefore be TTL = {X | [1,32], [32,64], [96,128], [223,255]}. In practical engineering this reasonable interval can be smaller; for example, most hop counts are below 16, so the practical TTL interval becomes TTL = {X | [16,32], [(64-16),64], [(128-16),128], [(255-16),255]}. The preset interval can be adjusted according to the circumstances of the actual system.
Step S606: compare whether the error between the TTL value of the IP packet and the TTL standard value lies within a preset range;
a large proportion of IP packets have already been filtered out by step S602; the remaining IP packets enter step S606.
Here the TTL standard value can be obtained by querying the pre-stored binding relationship table of source address and TTL standard value, using the source address of the packet as the index.
The TTL value of the packet is compared with the TTL standard value; if the difference lies within the reasonable error interval the packet is passed, otherwise an alarm is raised and the packet is dropped.
It should be emphasized that the above TTL standard value is obtained by learning in advance. The learning process is as follows: in the absence of attack, TTL values are extracted from normal IP packets and subjected to statistical learning. The TTL value is the final TTL of a live-network IP packet when it reaches its destination, so from the statistical results the TTL values with which IP packets from different source addresses arrive at the destination address after traversing multiple routers can be derived. Besides the TTL value, the hop count from source address to destination address can also be learned: in a concrete implementation, the TTL base value of the operating system, obtained by analyzing the IP packet, is combined with the final TTL value, and a simple subtraction yields the hop count from source address to destination address. The hop count can also be stored as a spare parameter in the pre-existing relationship table of source address and TTL standard value. If the error is not within the preset range, execute step S605; if it is, execute step S604.
Step S604: pass the packet;
Step S605: drop the packet and raise an alarm.
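Hop-count estimation from the operating-system base TTL, and construction of the "reasonable interval" from a maximum hop count, as an added Python example (not the patent's code). The base-TTL inference assumes only the four initial values 32, 64, 128 and 255 named in the description and picks the smallest one not below the observed TTL, so an observed TTL of exactly 32 or 64 is attributed to the lower base with 0 hops rather than to the higher base with 32 or 64 hops; that is the ambiguity at the shared endpoints of [1,32] and [32,64] in the description's interval. The relation-table record layout is a constructed one.

```python
"""Hop-count and base-TTL estimation for the TTL-based spoof check.
Added example; the record layout and sample values are constructed."""
from typing import Dict, NamedTuple, Optional, Tuple

# Initial TTL values the description attributes to current operating systems.
INITIAL_TTLS: Tuple[int, ...] = (32, 64, 128, 255)


def infer_base_ttl(observed_ttl: int) -> Optional[int]:
    """Smallest common initial TTL that is >= the observed TTL.
    Returns None for values outside 1..255, which are not valid delivered TTLs."""
    if not 1 <= observed_ttl <= 255:
        return None
    for base in INITIAL_TTLS:
        if observed_ttl <= base:
            return base
    return None  # not reached: 255 is the largest base


def hop_count(observed_ttl: int) -> Optional[int]:
    """base TTL - final TTL = routers traversed (the 'simple subtraction')."""
    base = infer_base_ttl(observed_ttl)
    return None if base is None else base - observed_ttl


def build_intervals(max_hops: int) -> Tuple[Tuple[int, int], ...]:
    """[base - max_hops, base] for each initial TTL, clamped so the lower
    bound is at least 1 (a TTL of 0 is never delivered).
    max_hops=32 yields the description's {[1,32],[32,64],[96,128],[223,255]};
    max_hops=16 yields the tighter preset {[16,32],[48,64],[112,128],[239,255]}."""
    return tuple((max(1, base - max_hops), base) for base in INITIAL_TTLS)


class BaselineRecord(NamedTuple):
    """One row of the source-address relation table: the learned TTL standard
    value plus the derived base TTL and hop count kept as spare parameters.
    (Constructed layout; the description names the fields but not a format.)"""
    standard_ttl: int
    base_ttl: int
    hops: int


def make_record(standard_ttl: int) -> BaselineRecord:
    """Derive base TTL and hop count from a learned TTL standard value."""
    base = infer_base_ttl(standard_ttl)
    if base is None:
        raise ValueError(f"invalid TTL standard value {standard_ttl}")
    return BaselineRecord(standard_ttl, base, base - standard_ttl)


def build_relation_table(standard_values: Dict[str, int]) -> Dict[str, BaselineRecord]:
    """Extend a source -> TTL standard value binding table with hop counts."""
    return {src: make_record(std) for src, std in standard_values.items()}


if __name__ == "__main__":
    # Constructed sample: a source learned at standard TTL 27 (base 32, 5 hops).
    table = build_relation_table({"198.51.100.7": 27})
    print(table, build_intervals(16), hop_count(55))
```

In a deployment the base TTL would more reliably come from the same source's learned standard value than from a single observed packet, since a packet with TTL 61 could be a 64-base host 3 hops away or a 128-base host 67 hops away; the interval bands rule out the second reading only because the description assumes paths shorter than 32 hops.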
Based on the same inventive concept, an embodiment of the present invention further provides a device for identifying forged IP packets. Since this device is the device for identifying forged IP packets provided by the embodiment of the present invention, and the principle by which it solves the problem is similar to that of the method, the implementation of the device may refer to the implementation of the method, and repeated description is omitted.
Corresponding to the above method,
the present application also provides a device for identifying forged Internet Protocol IP packets. Referring to the schematic diagram of a device for identifying forged Internet Protocol IP packets shown in Fig. 7, the device includes:
a determining module 71, for determining the time-to-live TTL value in a received IP packet and the source address in the IP packet;
a comparison module 72, for comparing the determined TTL value with the TTL standard value corresponding to the source address, where the TTL standard value corresponding to the source address is learned in advance in the absence of attack;
a judgment module 73, for judging according to the comparison result whether the IP packet is a forged IP packet.
In one embodiment, judgment module 73 is further used to: if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is greater than a predetermined threshold, determine the IP packet to be a forged IP packet;
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is less than or equal to the predetermined threshold, determine the IP packet not to be a forged IP packet.
In one embodiment, before judging, according to the TTL value and the TTL standard value learned in advance in the absence of attack, whether the IP packet is a forged IP packet, judgment module 73 is further used to:
judge whether the TTL value of the IP packet lies within a preset interval range;
if the TTL value of the packet does not lie within the preset interval range, judge the IP packet to be a forged IP packet.
In one embodiment, the device further includes a lookup module for determining the TTL standard value corresponding to the source address in the following manner:
with the source address as the index, look up the TTL standard value corresponding to the source address in a preset binding relationship table of source address and TTL standard value.
In one embodiment, the device further includes a learning module for learning the TTL standard value of the source address in advance from normal IP packets, specifically used to:
receive multiple normal IP packets sent by the source address;
for each normal IP packet, obtain the TTL value of the normal IP packet;
for each TTL value, count the number of normal IP packets corresponding to that TTL value;
select the TTL value with the largest number of IP packets as the TTL standard value corresponding to the source address.
This application provides a device for identifying forged Internet Protocol IP packets. The application does not need to first determine the attacked source address, and therefore does not need reverse detection techniques; it can significantly improve the recognition rate of forged IP packets and improve protection capability.
An embodiment of the present invention further provides a computer-readable non-volatile storage medium including program code which, when run on a computing device, causes the computing device to execute the steps of the above method of the embodiment of the present invention.
Those skilled in the art will understand that embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various modifications and variations to this application without departing from its spirit and scope. Thus, if these modifications and variations of this application fall within the scope of the claims of this application and their equivalents, this application is also intended to include them.

Claims (10)

1. A method for identifying forged Internet Protocol IP packets, characterized in that the method includes:
determining the time-to-live TTL value in a received IP packet and the source address in the IP packet;
comparing the determined TTL value with the TTL standard value corresponding to the source address, wherein the TTL standard value corresponding to the source address is learned in advance from normal IP packets;
judging according to the comparison result whether the IP packet is a forged IP packet.
2. The method of claim 1, characterized in that judging according to the comparison result whether the IP packet is a forged IP packet includes:
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is greater than a predetermined threshold, the IP packet is a forged IP packet;
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is less than or equal to the predetermined threshold, the IP packet is not a forged IP packet.
3. The method of claim 1 or 2, characterized in that, before judging according to the TTL value and the TTL standard value learned in advance from normal IP packets whether the IP packet is a forged IP packet, the method includes:
judging whether the TTL value of the IP packet lies within a preset interval range;
if the TTL value of the packet does not lie within the preset interval range, judging the IP packet to be a forged IP packet.
4. The method of claim 2, characterized in that the TTL standard value corresponding to the source address is determined in the following manner:
with the source address as the index, looking up the TTL standard value corresponding to the source address in a preset binding relationship table of source address and TTL standard value.
5. The method of claim 1, characterized in that learning the TTL standard value of the source address in advance from normal IP packets includes:
receiving multiple normal IP packets sent by the source address;
for each normal IP packet, obtaining the TTL value of the normal IP packet;
for each TTL value, counting the number of normal IP packets corresponding to that TTL value;
selecting the TTL value with the largest number of IP packets as the TTL standard value corresponding to the source address.
6. A device for identifying forged Internet Protocol IP packets, characterized in that it includes: a determining module, for determining the time-to-live TTL value in a received IP packet and the source address in the IP packet;
a comparison module, for comparing the determined TTL value with the TTL standard value corresponding to the source address, wherein the TTL standard value corresponding to the source address is learned in advance from normal IP packets;
a judgment module, for judging according to the comparison result whether the IP packet is a forged IP packet.
7. The device of claim 6, characterized in that the comparison module is further used to:
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is greater than a predetermined threshold, determine the IP packet to be a forged IP packet;
if the absolute value of the difference between the TTL value and the TTL standard value corresponding to the source address is less than or equal to the predetermined threshold, determine the IP packet not to be a forged IP packet.
8. The device of claim 6 or 7, characterized in that, before judging according to the TTL value and the TTL standard value learned in advance from normal IP packets whether the IP packet is a forged IP packet, the comparison module is further used to:
before judging, according to the TTL value and the TTL standard value learned in advance in the absence of attack, whether the IP packet is a forged IP packet:
judge whether the TTL value of the IP packet lies within a preset interval range;
if the TTL value of the packet does not lie within the preset interval range, judge the IP packet to be a forged IP packet.
9. The device of claim 6, characterized in that it further includes a lookup module, used to:
with the source address as the index, look up the TTL standard value corresponding to the source address in a preset binding relationship table of source address and TTL standard value.
10. The device of claim 6, characterized in that the comparison module is further used to:
receive multiple normal IP packets sent by the source address;
for each normal IP packet, obtain the TTL value of the normal IP packet;
for each TTL value, count the number of normal IP packets corresponding to that TTL value;
select the TTL value with the largest number of IP packets as the TTL standard value corresponding to the source address.
CN201910444380.0A 2019-05-27 2019-05-27 A kind of method and apparatus that Internet protocol IP packet is forged in identification Pending CN110213254A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910444380.0A CN110213254A (en) 2019-05-27 2019-05-27 A kind of method and apparatus that Internet protocol IP packet is forged in identification

Publications (1)

Publication Number Publication Date
CN110213254A true CN110213254A (en) 2019-09-06

Family

ID=67788833

Country Status (1)

Country Link
CN (1) CN110213254A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111212096A (en) * 2020-01-02 2020-05-29 杭州圆石网络安全技术有限公司 Method, device, storage medium and computer for reducing IDC defense cost
CN112491651A (en) * 2020-11-17 2021-03-12 北京天融信网络安全技术有限公司 Message matching method and device
CN114531270A (en) * 2021-12-31 2022-05-24 网络通信与安全紫金山实验室 Defense method and device for segmented routing label detection
CN114785876A (en) * 2022-04-07 2022-07-22 湖北天融信网络安全技术有限公司 Message detection method and device
CN114826634A (en) * 2021-01-28 2022-07-29 深信服科技股份有限公司 Message detection method, electronic equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582833A (en) * 2008-05-15 2009-11-18 成都市华为赛门铁克科技有限公司 Method and device for processing spoofed IP data packet
KR20120015784A (en) * 2010-08-13 2012-02-22 한국전자통신연구원 Method and system against distributed denial of service attack
CN104125242A (en) * 2014-08-18 2014-10-29 北京阅联信息技术有限公司 Protection method and protection device capable of recognizing DDOS (distributed denial of service) attacks camouflaged as LDNS (local domain name server) requests
CN106357660A (en) * 2016-09-29 2017-01-25 广州华多网络科技有限公司 Method and device for detecting IP (internet protocol) of spoofing source in DDOS (distributed denial of service) defense system
CN106470187A (en) * 2015-08-17 2017-03-01 中兴通讯股份有限公司 Prevent dos attack methods, devices and systems
CN106534078A (en) * 2016-10-19 2017-03-22 北京神州绿盟信息安全科技股份有限公司 Method and device for establishing black list
CN106534068A (en) * 2016-09-29 2017-03-22 广州华多网络科技有限公司 Method and device for cleaning forged source IP in DDOS (Distributed Denial of Service) defense system
CN108551446A (en) * 2018-04-08 2018-09-18 东软集团股份有限公司 SYN message processing methods, device, fire wall and the storage medium of attack protection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190906