CN110519248A - Method, apparatus and electronic device for DDoS attack determination and traffic cleaning - Google Patents


Info

Publication number
CN110519248A
Authority
CN
China
Prior art keywords
ddos attack
syn
server
time
session
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910763609.7A
Other languages
Chinese (zh)
Other versions
CN110519248B (en)
Inventor
段吉瑞
徐文强
吴沛钊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangtong World Network Technology Co Ltd
Original Assignee
Guangtong World Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangtong World Network Technology Co Ltd filed Critical Guangtong World Network Technology Co Ltd
Priority to CN201910763609.7A priority Critical patent/CN110519248B/en
Publication of CN110519248A publication Critical patent/CN110519248A/en
Application granted granted Critical
Publication of CN110519248B publication Critical patent/CN110519248B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides a method, apparatus and electronic device for DDoS attack determination and traffic cleaning. The method comprises: determining the DDoS attack start time; and, when a DDoS attack is determined, performing traffic differentiation and traffic cleaning. The technical solution uses the server's threshold on new session connections per second together with the session connection threshold as the detection criteria for DDoS attack traffic; when a value exceeds its set value, that point is judged to be the attack start and the defence policy is triggered. Compared with the traditional threshold detection method, this detection method determines the start time of a DDoS attack more accurately. The cleaning strategy of the invention acts continuously and coherently: by controlling the connection curve it keeps the server continuously available, rather than discarding all new connections once the maximum number of connections is reached.

Description

Method, apparatus and electronic device for DDoS attack determination and traffic cleaning
Technical field
The present invention relates to the field of network security, and in particular to a method, apparatus and electronic device for DDoS attack determination and traffic cleaning.
Background art
A DDoS attack is a special form of denial-of-service attack based on the DoS attack; it is a distributed, large-scale attack mode. By sending a large number of network requests to a server, it consumes the server's network bandwidth and system resources, causing the server to stop providing normal network service or even to go down. At present, most detection methods for DDoS attacks are threshold-based.
Existing methods for judging the start time of a DDoS attack are often based solely on a threshold on the number of session connections: when the number of session connections reaches the threshold, the attack is judged to have started and the defence rules are triggered. This approach judges the attack start time with a certain lag, so the defence policy is usually triggered only some time after the DDoS attack has been launched. Moreover, the defence policy does not divide traffic by reputation; all traffic is cleaned uniformly, which gives a high false-positive rate and easily affects normal business use.
Explanation of terms:
DDoS attack: a DDoS attack is a large-scale, distributed and coordinated denial-of-service attack against a service or business, carried out by means of a botnet formed from a large number of compromised hosts ("zombie" or puppet machines). It prevents the target from providing normal service, affects its users, and causes huge economic losses. A DDoS attack exploits defects in network protocols and operating systems and achieves its goal by consuming the target's network bandwidth or system resources, so that its service is blocked.
As shown in Fig. 1, a TCP connection proceeds as follows.
TCP connection establishment (three-way handshake):
1. client: SYN
2. server: SYN+ACK
3. client: ACK
TCP connection teardown (four-way handshake):
1. client: FIN
2. server: ACK
3. server: FIN
4. client: ACK
SYN flood: a SYN flood is an attack that exploits a defect of the TCP protocol itself: by sending a large number of TCP connection requests it exhausts the target's resources so that normal service cannot be provided. The attacker sends a large number of SYN request packets to the server but does not respond to the SYN+ACK messages the server sends back. A large amount of server resources is thereby tied up, the server cannot respond to normal packets, and its network service breaks down.
Summary of the invention
In view of the deficiencies of the prior art, the present invention provides a method, apparatus and electronic device for DDoS attack determination and traffic cleaning, wherein the method for DDoS attack determination and traffic cleaning comprises:
determining the DDoS attack start time;
when a DDoS attack is determined, performing traffic differentiation and traffic cleaning.
Determining the DDoS attack start time comprises:
Step a1: at moment $T_1$ the number of session connections of the server is $S_1$; the moment one second later is denoted $T_2$, and the number of session connections of the server at $T_2$ is $S_2$;
Step a2: the DDoS attack start time is determined using the number of new session connections per second or the session connection count threshold as the criterion; once the DDoS attack start moment is obtained, the corresponding defence policy is triggered.
In step a2, determining the DDoS attack start time based on the number of new session connections per second comprises: let the threshold on the number of new session connections per second be $U_T$; when $S_2 - S_1 > U_T$, moment $T_1$ is judged to be the DDoS attack start moment, and the corresponding defence policy, i.e. traffic differentiation and traffic cleaning, is triggered at time $T_2$.
In step a2, the threshold $U_T$ on the number of new session connections per second is calculated as follows:
The number of new session connections per second of the customer's business is collected under normal conditions, giving the set $U = \{U_i \mid i = 1, 2, 3, \ldots\}$, where $U_i$ is the number of new sessions in the $i$-th second. The maximum value in $U$ is denoted $U_{max}$, and the threshold is $U_T = \alpha U_{max}$, where $\alpha$ is the policy strictness. Its value is defined by the customer (the typical value is 1, i.e. the historical maximum increase is taken as the trigger threshold, and an attack is judged to have started when the increase exceeds the historical maximum), and its range is $(0.1, \infty)$.
In step a2, determining the DDoS attack start time based on the session connection count threshold comprises: if $S_2 - S_1 > U_T$ is not satisfied, determine whether the server's session connection count is greater than the threshold $S_v$; if it is, the corresponding defence policy, i.e. traffic differentiation and traffic cleaning, is triggered. Here $S_v = q \cdot S_{limit}$, where $S_{limit}$ is the maximum number of connections the server can bear and $q$ is a weight parameter whose typical value is 0.8.
When a DDoS attack is determined, traffic differentiation and traffic cleaning are performed. Traffic differentiation comprises: obtain the set of IPs connected to the server at moment $T_1$, $IP_{list1} = \{IP_i \mid i = 1, 2, 3, \ldots\}$, where $IP_i$ is the $i$-th IP address connected to the server at $T_1$. When the DDoS attack starts, the server has new session connections, and the set of IPs connected to the server is then $IP_{list2} = \{IP_n \mid n = 1, 2, 3, \ldots\}$, where $IP_n$ is the $n$-th IP address connected to the server at the DDoS attack start moment. Removing from $IP_{list2}$ the IPs contained in $IP_{list1}$ gives a new IP set, denoted $IP_A$. $IP_{list1}$ is the set of normal user IP addresses before the DDoS attack occurred, and $IP_A$ is the set of suspicious user IP addresses after the attack occurred. After the defence policy is triggered, traffic cleaning is applied preferentially to the IP addresses in $IP_A$.
Traffic cleaning comprises:
Step b1: set a reasonable value $S_p$ satisfying $S_{limit} \geq S_p > S_v$;
Step b2: for any moment $t_n$, with the session connection count denoted $S_n$, the redundancy value $C_n$ at $t_n$ is:
$C_n = S_{limit} - S_n$
Step b3: the tolerated session growth factor is $\mu$, with value range (0, 1); the tolerated session increase $P_n^{max}$ at any moment $t_n$ is then:
If $C_n > S_{limit} \cdot f$:
$P_n^{max} = \mu C_n + S_{limit} \cdot f$,
Otherwise:
$P_n^{max} = \mu C_n$,
The value of the parameter $f$ is set by the user. The session count at the moment after $t_n$ is denoted $S_{n+1}$; then, if $S_{n+1} > S_n$, $\mu_n > \mu_{n+1}$, where $\mu_n$ is the tolerated session growth factor at the $n$-th second;
A suitable value is selected within the range according to the actual situation (in a typical scenario $f$ is 0.001; when an attack is judged at the $n$-th second, the policy is normally set so that $S_{limit}$ is reached in no less than 5 seconds, to avoid reaching it instantaneously, so $C_n / 5 = P_n$ and $\mu$ is therefore 0.2 at the starting point, and can afterwards increase as $C_n$ becomes smaller (in some of the later derivations $\mu$ is set as a fixed value, but in practice $\mu$ becomes smaller as $C_n$ becomes smaller). The derivation gives:
$((t-1)/t^{(j+1)}) \cdot C_n + S_{limit} \cdot f = P_{n+j}$,
that is, setting the expected time $t$ to reach the maximum point gives $\mu = 1/t$), then:
$S_{n+1}^{max} = S_n + \mu C_n + S_{limit} \cdot f \geq S_p$
$S_{n+1}^{max}$ denotes the maximum number of connections tolerated at the next moment;
Step b4: count the number $Z$ of SYN packets sent by all IPs in the set $IP_{list1}$, and divide $Z$ by $i$ to obtain the average value SYN_Mode; the SYN count SYN_Number during normal use of the server is then:
SYN_Number = SYN_Mode ± Q,
where Q is the strictness, set by the user, with value range (0, 10);
Step b5: the server preferentially connects IPs whose SYN packet count equals SYN_Mode. After the server has established connections with the IPs whose SYN packet count equals SYN_Mode, it next preferentially establishes connections with the IPs whose SYN packet count equals SYN_Mode-Q. If the server's session connection count after these connections is still below the maximum number of connections tolerated at the next moment, $S_{n+1}^{max}$, it then establishes connections with IPs whose SYN packet count lies between SYN_Mode and SYN_Mode+Q, until the count approaches $S_{n+1}^{max}$; other SYN packets are then discarded;
Step b6: when $S_n < S_v$ and $P_n^{max} < U_T$, the defence policy ends.
The present invention also provides an apparatus for DDoS attack determination and traffic cleaning, comprising a DDoS attack determination module and a defence policy module;
wherein the DDoS attack determination module is configured to determine the DDoS attack start time;
the defence policy module is configured to perform traffic differentiation and traffic cleaning when the DDoS attack determination module determines a DDoS attack.
In the apparatus of the present invention, further, the DDoS attack determination module is configured to determine the DDoS attack start time, comprising: Step a1: at moment $T_1$ the number of session connections of the server is $S_1$; the moment one second later is denoted $T_2$, and the number of session connections of the server at $T_2$ is $S_2$;
Step a2: the DDoS attack start time is determined using the number of new session connections per second or the session connection count threshold as the criterion; once the DDoS attack start moment is obtained, the corresponding defence policy is triggered.
In the apparatus of the present invention, further, in step a2, determining the DDoS attack start time based on the number of new session connections per second comprises: let the threshold on the number of new session connections per second be $U_T$; when $S_2 - S_1 > U_T$, moment $T_1$ is judged to be the DDoS attack start moment, and the corresponding defence policy, i.e. traffic differentiation and traffic cleaning, is triggered at time $T_2$.
In the apparatus of the present invention, further, in step a2, the threshold $U_T$ on the number of new session connections per second is calculated as follows:
The number of new session connections per second of the customer's business is collected under normal conditions, giving the set $U = \{U_i \mid i = 1, 2, 3, \ldots\}$, where $U_i$ is the number of new sessions in the $i$-th second. The maximum value in $U$ is denoted $U_{max}$, and the threshold is $U_T = \alpha U_{max}$, where $\alpha$ is the policy strictness. Its value is defined by the customer (the typical value is 1, i.e. the historical maximum increase is taken as the trigger threshold, and an attack is judged to have started when the increase exceeds the historical maximum), and its range is $(0.1, \infty)$.
In the apparatus of the present invention, further, in step a2, determining the DDoS attack start time based on the session connection count threshold comprises: if $S_2 - S_1 > U_T$ is not satisfied, determine whether the server's session connection count is greater than the threshold $S_v$; if it is, the corresponding defence policy, i.e. traffic differentiation and traffic cleaning, is triggered. Here $S_v = q \cdot S_{limit}$, where $S_{limit}$ is the maximum number of connections the server can bear and $q$ is a weight parameter whose typical value is 0.8.
In the apparatus of the present invention, further, the defence policy module is configured to perform traffic differentiation and traffic cleaning when the DDoS attack determination module determines a DDoS attack. Traffic differentiation comprises: obtain the set of IPs connected to the server at moment $T_1$, $IP_{list1} = \{IP_i \mid i = 1, 2, 3, \ldots\}$, where $IP_i$ is the $i$-th IP address connected to the server at $T_1$. When the DDoS attack starts, the server has new session connections, and the set of IPs connected to the server is then $IP_{list2} = \{IP_n \mid n = 1, 2, 3, \ldots\}$, where $IP_n$ is the $n$-th IP address connected to the server at the DDoS attack start moment. Removing from $IP_{list2}$ the IPs contained in $IP_{list1}$ gives a new IP set, denoted $IP_A$. $IP_{list1}$ is the set of normal user IP addresses before the DDoS attack occurred, and $IP_A$ is the set of suspicious user IP addresses after the attack occurred. After the defence policy is triggered, traffic cleaning is applied preferentially to the IP addresses in $IP_A$.
In the apparatus of the present invention, further, traffic cleaning comprises:
Step b1: set a reasonable value $S_p$ satisfying $S_{limit} > S_p > S_v$;
Step b2: for any moment $t_n$, with the session connection count denoted $S_n$, the redundancy value $C_n$ at $t_n$ is:
$C_n = S_{limit} - S_n$
Step b3: the tolerated session growth factor is $\mu$, with value range (0, 1); the tolerated session increase $P_n^{max}$ at any moment $t_n$ is then:
If $C_n > S_{limit} \cdot f$:
$P_n^{max} = \mu C_n + S_{limit} \cdot f$,
Otherwise:
$P_n^{max} = \mu C_n$,
The value of the parameter $f$ is set by the user. The session count at the moment after $t_n$ is denoted $S_{n+1}$; then, if $S_{n+1} > S_n$, $\mu_n > \mu_{n+1}$, where $\mu_n$ is the tolerated session growth factor at the $n$-th second;
A suitable value is selected within the range according to the actual situation, then:
$S_{n+1}^{max} = S_n + \mu C_n + S_{limit} \cdot f \geq S_p$
$S_{n+1}^{max}$ denotes the maximum number of connections tolerated at the next moment;
Step b4: count the number $Z$ of SYN packets sent by all IPs in the set $IP_{list1}$, and divide $Z$ by $i$ to obtain the average value SYN_Mode; the SYN count SYN_Number during normal use of the server is then:
SYN_Number = SYN_Mode ± Q,
where Q is the strictness, set by the user, with value range (0, 10);
Step b5: the server preferentially connects IPs whose SYN packet count equals SYN_Mode. After the server has established connections with the IPs whose SYN packet count equals SYN_Mode, it next preferentially establishes connections with the IPs whose SYN packet count equals SYN_Mode-Q. If the server's session connection count after these connections is still below the maximum number of connections tolerated at the next moment, $S_{n+1}^{max}$, it then establishes connections with IPs whose SYN packet count lies between SYN_Mode and SYN_Mode+Q, until the count approaches $S_{n+1}^{max}$; other SYN packets are then discarded;
Step b6: when $S_n < S_v$ and $P_n^{max} < U_T$, the defence policy ends.
The present invention also provides an electronic device comprising a processor and a memory, the memory storing computer program instructions which cause the processor to execute the method for DDoS attack determination and traffic cleaning described above.
The method of the present invention can accurately determine the attack start time and ensures that, after the attack begins, users from before the attack are not affected (the attacker's purpose is often to affect the users from before the attack); for the mixed traffic after the attack, it retains normal traffic and cleans malicious traffic to the greatest possible extent.
Beneficial effects: for the scenario in which traffic is normal but the number of server connections gradually reaches the load limit, the method and apparatus of the present invention keep the server continuously available and, on a first-come, first-served principle, weed out the excess connections that arrive later; the customer can expand server-side capacity in response to this scenario.
For attack scenarios, the method and apparatus of the present invention accurately determine the start of the attack and dynamically adjust, in real time, the number of connections allowed in. Mixed traffic is separated from normal traffic and policy actions are applied only to the mixed traffic, which ensures both that clients from before the attack moment are not affected and that the server side remains continuously available. Because the approach is not based on a blacklist and takes values near the connection median, it ensures a low misjudgement rate.
Brief description of the drawings
The present invention is further described below with reference to the accompanying drawings and specific embodiments, from which the above and/or other advantages of the invention will become more apparent.
Fig. 1 is a diagram of the TCP three-way handshake and four-way teardown.
Fig. 2 is a schematic diagram of the relationship between the growth rate of the tolerated number of session connections and the redundancy value.
Fig. 3 is the tolerance growth response curve.
Fig. 4 is a schematic diagram of the preferential connection process.
Fig. 5 is the architecture diagram of the electronic device provided by the invention.
Fig. 6 is the architecture diagram of the apparatus for DDoS attack determination and traffic cleaning provided by the invention.
Specific embodiments
For detecting DDoS attacks, traditional detection is based solely on a session connection count threshold: once the server's session connection count reaches a specific threshold, the defence device's policy is triggered and all network traffic is cleaned, and so on. In this technical solution, DDoS attack traffic is detected using the server's threshold on new session connections per second together with the session connection threshold as the criteria; when a value exceeds its set value, that point is judged to be the attack start and the defence policy is triggered. Compared with the traditional threshold detection method, this detection method determines the start time of a DDoS attack more accurately.
After a DDoS attack is judged to have started, traffic is differentiated by reputation. Sessions from before the attack moment are all marked as benign, with higher reputation; sessions from after the attack moment are all marked as suspicious, with lower reputation. After the defence policy is triggered, lower-reputation traffic is cleaned according to reputation. The cleaning strategy is based on behaviour and its characteristics, so that when DDoS attack traffic is cleaned, users who have already established connections with the server are unaffected.
The technical solution consists mainly of three parts: accurately determining the attack start time, traffic differentiation, and traffic cleaning. Through these three steps, the impact of a DDoS attack on the business can be better mitigated and the stability of the business maintained.
To determine the start of a DDoS attack, the technical solution uses the number of new session connections per second and the session connection count threshold as criteria. For the number of new session connections per second: let some moment be $T_1$, with $S_1$ session connections held at that moment; the moment one second later is denoted $T_2$, with $S_2$ session connections at that moment. Let the threshold on the number of new session connections per second be $U_T$; when $S_2 - S_1 > U_T$, moment $T_1$ is judged to be the DDoS attack start moment, and the corresponding defence policy is triggered at time $T_2$. The number of new session connections per second of the customer's business is collected under normal conditions, giving the set $U = \{U_i \mid i = 1, 2, 3, \ldots\}$, whose maximum value is denoted $U_{max}$. The threshold is $U_T = \alpha U_{max}$, where $\alpha$ is the policy strictness, with value defined by the customer and range $(1, \infty)$.
Determining the DDoS attack start time based on the session connection count threshold comprises: if $S_2 - S_1 > U_T$ is not satisfied, determine whether the server's session connection count is greater than the threshold $S_v$; if it is, the corresponding defence policy, i.e. traffic differentiation and traffic cleaning, is triggered. Here $S_v = q \cdot S_{limit}$, where $S_{limit}$ is the maximum number of connections the server can bear and $q$ is a weight parameter whose typical value is 0.8.
By combining the session connection count and its increment in the judgement, the defence rules and policy can be triggered at a more reasonable time.
Obtain the set of IPs connected to the server at moment $T_1$, $IP_{list1} = \{IP_i \mid i = 1, 2, 3, \ldots\}$, where $IP_i$ is the $i$-th IP address connected to the server at $T_1$. When the DDoS attack starts, the server has new session connections, and the set of IPs connected to the server is then $IP_{list2} = \{IP_n \mid n = 1, 2, 3, \ldots\}$, where $IP_n$ is the $n$-th IP address connected to the server at the DDoS attack start moment. Removing from $IP_{list2}$ the IPs contained in $IP_{list1}$ gives a new IP set, denoted $IP_A$. $IP_{list1}$ is the set of normal user IP addresses before the DDoS attack occurred, and $IP_A$ is the set of suspicious user IP addresses after the attack occurred. After the defence policy is triggered, traffic identification and cleaning are applied preferentially to the IP addresses in $IP_A$.
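The two-criterion start-time decision and the IP set difference described above can be written out as follows. This is an added example, not code from the patent; the function names, the sample counts and the documentation-range IP addresses are constructed, and applying the $S_v$ check to the sample taken at $T_2$ is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Set


@dataclass(frozen=True)
class Verdict:
    trigger_time: int             # T2: second at which the defence policy fires
    attack_start: Optional[int]   # T1 for the rate rule; None for the S_v rule
    reason: str                   # "new_sessions_per_second" or "total_sessions"


def new_session_threshold(baseline: Sequence[int], alpha: float = 1.0) -> float:
    """U_T = alpha * U_max over per-second new-session counts of normal traffic."""
    if not baseline:
        raise ValueError("baseline of normal traffic must not be empty")
    return alpha * max(baseline)


def detect_attack_start(session_counts: Sequence[int], u_t: float,
                        s_limit: int, q: float = 0.8) -> Optional[Verdict]:
    """Apply step a2 to consecutive one-second samples of the session count."""
    s_v = q * s_limit                                  # S_v = q * S_limit
    for t1 in range(len(session_counts) - 1):
        t2 = t1 + 1
        s1, s2 = session_counts[t1], session_counts[t2]
        if s2 - s1 > u_t:                              # rate rule: S2 - S1 > U_T
            return Verdict(t2, t1, "new_sessions_per_second")
        if s2 > s_v:                                   # fallback rule (assumed on S2)
            return Verdict(t2, None, "total_sessions")
    return None


def suspicious_ips(ip_list1: Iterable[str], ip_list2: Iterable[str]) -> Set[str]:
    """IP_A: addresses in IP_list2 that were not already connected in IP_list1."""
    return set(ip_list2) - set(ip_list1)


# Constructed sample data, not real traffic.
BASELINE_NEW_PER_SEC = [40, 55, 62, 48]           # normal traffic, U_max = 62
BURST = [900, 950, 1000, 1040, 1900, 3500]        # sudden jump between t=3 and t=4
SLOW_RAMP = [3900, 3950, 4010]                    # never jumps, but crosses S_v
IP_LIST1 = {"192.0.2.10", "192.0.2.11"}
IP_LIST2 = {"192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.9"}

if __name__ == "__main__":
    u_t = new_session_threshold(BASELINE_NEW_PER_SEC)
    print(detect_attack_start(BURST, u_t, s_limit=5000))
    print(detect_attack_start(SLOW_RAMP, u_t, s_limit=5000))
    print(sorted(suspicious_ips(IP_LIST1, IP_LIST2)))
```

The slow-ramp series shows why the second criterion exists: no single second exceeds $U_T$, yet the total still crosses $S_v$.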
After the defence policy is triggered, let the session connection count at that point be $S_3$ and the time be $t_1$. Traffic is cleaned according to IP reputation and its behaviour and characteristics. To keep the server side available, the number of session connections to the server should always be kept below the maximum number of session connections it can bear. Let the maximum number of session connections it can bear be $S_{limit}$; to keep the session connection count from reaching the critical point, a reasonable value $S_p$ is taken with $S_{limit} > S_p > S_v$. For any moment $t_n$ with session connection count $S_n$, the redundancy value is $C_n = S_{limit} - S_n$. The tolerated session growth factor is $\mu$, with value range (0, 1) and typical value 0.3; the tolerated session increase $P_n^{max}$ at any moment $t_n$ is then:
If $C_n > S_{limit} \cdot f$:
$P_n^{max} = \mu C_n + S_{limit} \cdot f$,
Otherwise:
$P_n^{max} = \mu C_n$,
The growth rate of the tolerated number of session connections should be positively correlated with the redundancy value; this is shown schematically in Fig. 2. The value of the parameter $f$ is set by the user and is usually 0.001. The session count at the moment after $t_n$ is denoted $S_{n+1}$; then, if $S_{n+1} > S_n$, $\mu_n > \mu_{n+1}$, where $\mu_n$ is the tolerated session growth factor at the $n$-th second;
A suitable value is selected within the range according to the actual situation, then:
$S_{n+1}^{max} = S_n + \mu C_n + S_{limit} \cdot f \geq S_p$
$S_{n+1}^{max}$ denotes the maximum number of connections tolerated at the next moment; the resulting response curve is shown in Fig. 3, where $t$ is time and $S$ is the total number of connections at the server side. The relationship between $S$ and $t$ is derived here:
$\mu_1 = 1/t_1$, $\mu_2 = 1/t_2$,
$S_{n+1} = S_n + P_n + S_{limit} \cdot f$;
$S_{n+j} = S_{n+j-1} + P_{n+j-1} = S_n + P_n + P_{n+1} + \ldots + P_{n+j-1} + S_{limit} \cdot f \cdot j = S_n + \mu C_n \left(1 + (1-\mu) + \ldots + (1-\mu)^{j-1}\right) + S_{limit} \cdot f \cdot j = S_n + \mu C_n \sum_{i=0}^{j-1} (1-\mu)^i + S_{limit} \cdot f \cdot j$,
where $t_1$ is the time allowed for connections to reach the maximum under the first policy, i.e. with tolerance $\mu_1$, and $t_2$ is the time allowed for connections to reach the maximum under the second policy, i.e. with tolerance $\mu_2$;
Let $S_n = 0$ when $n = 0$, so that $C_n = S_{limit}$; this gives:
$y = S_{limit} \left(f \cdot x + \mu \sum_{i=0}^{x-1} (1-\mu)^i\right)$, i.e. $y$ is the number of connections at moment $x$ under policy control;
Verifying the accuracy of the formula: let $S_{limit} = 5000$, $f = 0.001$ and $\mu = 1/t$, where $t$ is the time allowed to reach the maximum. The larger $t$ is, the smaller the tolerance and the more strictly incoming traffic is controlled, so the maximum is reached later.
Under the first policy with tolerance $\mu_1$, the server-side connection function is $y_1$; under the second policy with tolerance $\mu_2$, the server-side connection function is $y_2$;
With $t = 5$ and $t = 10$, and ignoring the effect of $f \cdot x$ (this term is not affected by the policy and so is of no use for the comparison), we obtain $y_1 = 5000 \cdot \left(0.2 \cdot \sum_{i=0}^{x} 0.8^i\right)$,
$y_2 = 5000 \cdot \left(0.1 \cdot \sum_{i=0}^{x} 0.9^i\right)$,
At $x = 1$, $y_1 = 1800$ and $y_2 = 950$,
At $x = 3$, $y_1 = 2952$ and $y_2 = 1719$,
At $x = 6$, $y_1 = 3951$ and $y_2 = 2608$,
It can be seen that the smaller the tolerance $\mu$, the smaller the increment;
It can also be seen that the increment becomes smaller as the number of connections increases.
Here $\mu_1 > \mu_2$: the smaller the tolerated growth factor, the more stable the growth of the session connection count; the user can select a suitable value within the range according to the actual situation.
For the traffic cleaning rules, the SYN behaviour of users during normal use is learned from the business. The number of SYN packets sent by all IPs in $IP_{list1} = \{IP_i \mid i = 1, 2, 3, \ldots\}$ is counted, and the mode is taken and set as SYN_Mode. The SYN count during normal use is then SYN_Number = SYN_Mode ± Q, where Q is the strictness, set by the user, with value range (0, 10).
As shown in Fig. 4, the principle of preferential connection is as follows: the average value SYN_Mode is obtained from business statistics, and IPs whose SYN packet count equals SYN_Mode are connected preferentially. After connections are established with the IPs having SYN_Number = SYN_Mode, connections are preferentially established with the IPs having SYN_Number = SYN_Mode-Q; if the session connection count after these connections is still below the tolerated growth value $S_{n+1}$, connections are then established with IPs from SYN_Mode to SYN_Mode+Q, until the count approaches the tolerated growth value $S_{n+1}$, at which point other SYN packets are discarded. With this cleaning rule, user traffic and machine traffic can be better distinguished by their traffic behaviour, ensuring normal use for users as far as possible.
Controlling the new connection sessions of each second in this way ensures that, at any moment after the defence policy is triggered, the connection session count satisfies $S_n < S_p$ while $S_n$ continues to grow. Thus, when the server is under DDoS attack, it can still provide service to normal users who have already established sessions, which ensures the availability of the server. After the defence policy is triggered, when $S_n < S_v$ the defence policy ends; otherwise the defence policy continues.
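The per-second admission control (redundancy value, tolerated increase, SYN-count priority) and the formula check with $S_{limit} = 5000$ can be reproduced with the following added example, which is not code from the patent. Function names and the sample SYN counts are constructed; SYN_Mode is computed as $Z$ divided by the number of IPs and rounded to an integer, and the second priority tier is taken as the whole band from SYN_Mode-Q up to SYN_Mode, both of which are assumptions.

```python
from typing import Dict, List, Optional, Tuple


def tolerated_growth(s_n: int, s_limit: int, mu: float, f: float = 0.001) -> float:
    """P_n max: mu*C_n, plus S_limit*f while the headroom C_n exceeds S_limit*f."""
    c_n = s_limit - s_n                     # redundancy value C_n = S_limit - S_n
    floor = s_limit * f
    return mu * c_n + floor if c_n > floor else mu * c_n


def policy_curve(s_limit: int, mu: float, x: int) -> float:
    """y = S_limit * mu * sum_{i=0..x} (1-mu)^i, the page's check with f*x ignored."""
    return s_limit * mu * sum((1 - mu) ** i for i in range(x + 1))


def syn_baseline(syn_counts_list1: Dict[str, int]) -> int:
    """SYN_Mode: total SYN packets Z from IP_list1 divided by the number of IPs."""
    z = sum(syn_counts_list1.values())
    return round(z / len(syn_counts_list1))  # rounding is an assumption


def admit(pending: Dict[str, int], syn_mode: int, q: int,
          budget: int) -> Tuple[List[str], List[str]]:
    """Order pending IPs by SYN-count tier, admit up to budget, drop the rest."""
    def tier(count: int) -> Optional[int]:
        if count == syn_mode:
            return 0                         # exactly SYN_Mode: first priority
        if syn_mode - q <= count < syn_mode:
            return 1                         # down to SYN_Mode-Q (assumed band)
        if syn_mode < count <= syn_mode + q:
            return 2                         # SYN_Mode .. SYN_Mode+Q
        return None                          # outside SYN_Mode +/- Q: never admitted

    ranked = sorted((t, ip) for ip, c in pending.items()
                    if (t := tier(c)) is not None)
    admitted = [ip for _, ip in ranked[:max(budget, 0)]]
    dropped = sorted(set(pending) - set(admitted))
    return admitted, dropped


# Constructed sample data, not real traffic.
LIST1_SYN = {"192.0.2.10": 3, "192.0.2.11": 3, "192.0.2.12": 4, "192.0.2.13": 2}
PENDING_SYN = {
    "198.51.100.1": 3, "198.51.100.2": 2, "198.51.100.3": 4,
    "198.51.100.4": 40, "198.51.100.5": 3, "198.51.100.6": 1,
}

if __name__ == "__main__":
    mode = syn_baseline(LIST1_SYN)
    print("budget at S_n=4200:", tolerated_growth(4200, 5000, mu=0.3))
    print(admit(PENDING_SYN, mode, q=1, budget=3))
    for x in (1, 3, 6):
        print(x, policy_curve(5000, 0.2, x), policy_curve(5000, 0.1, x))
```

In a running defence loop the budget passed to `admit` would be the integer part of `tolerated_growth` for the current second, recomputed every second as $S_n$ changes.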
The present invention also provides an apparatus 100 for DDoS attack determination and traffic cleaning which, as shown in Fig. 6, comprises a DDoS attack determination module 101 and a defence policy module 102;
wherein the DDoS attack determination module 101 is configured to determine the DDoS attack start time;
the defence policy module 102 is configured to perform traffic differentiation and traffic cleaning when the DDoS attack determination module determines a DDoS attack.
In device of the present invention, further, the ddos attack judgment module is used for, judges that ddos attack starts Time, comprising: step a1 sets moment T1When, the session connection number of server is S1, next second at the time of is denoted as T2, moment T2 The session connection number of server is S2
Step a2 is sentenced based on newly-increased session connection quantity or session connection amount threshold per second as judgment basis The disconnected ddos attack time started triggers corresponding defence policies after obtaining ddos attack start time.
It is further, described based on newly-increased session connection quantity conduct per second in step a2 in device of the present invention Judgment basis judges the ddos attack time started, comprising: sets the threshold value of newly-increased session connection number per second as UT, work as S2-S1> UTWhen, judge moment T1For ddos attack start time, and in time point T2Corresponding defence policies are triggered, i.e. progress flow area Divide processing and flow cleaning.
In the device of the present invention, further, in step a2, the threshold U_T for new session connections per second is calculated as follows:
Collect the number of new session connections per second for the customer's service under normal conditions to obtain the set U = {U_i | i = 1, 2, 3, ...}, where U_i is the number of new sessions in the i-th second. The maximum value in U is denoted U_max, and the threshold is U_T = α*U_max, where α is the policy strictness. Its value is defined by the customer (typically 1, meaning that the largest increase seen historically is used as the trigger threshold, and an increase above that historical maximum is judged to be the start of an attack) and its range is (0.1, ∞).
In the device of the present invention, further, in step a2, determining the DDoS attack start time using the session connection count threshold as the criterion comprises: if S_2 - S_1 > U_T is not satisfied, determine whether the server's session connection count is greater than the threshold S_v; if it is, trigger the corresponding defence policy, i.e. traffic differentiation and traffic cleaning. Here S_v = q*S_limit, where S_limit is the maximum number of connections the server can bear and q is a weight parameter, typically 0.8.
In the device of the present invention, further, the defence policy module is used to perform traffic differentiation and traffic cleaning when the DDoS attack judgment module determines that the server is under DDoS attack, wherein the traffic differentiation comprises: obtain the set of IPs connected to the server at moment T_1, IP_list1 = {IP_i | i = 1, 2, 3, ...}, where IP_i is the i-th IP address connected to the server at T_1. When the DDoS attack starts, the server has new session connections, and the set of IPs connected to the server at that point is IP_list2 = {IP_n | n = 1, 2, 3, ...}, where IP_n is the n-th IP address connected to the server at the DDoS attack start time. Remove from IP_list2 the IPs that also appear in IP_list1 to obtain a new IP set, denoted IP_A. IP_list1 is the set of normal-user IP addresses from before the DDoS attack, and IP_A is the set of suspicious-user IP addresses after the attack begins; once the defence policy is triggered, traffic cleaning is applied to the IP addresses in IP_A first.
In the device of the present invention, further, the traffic cleaning comprises:
Step b1, set a reasonable value S_p, where S_p satisfies: S_limit > S_p > S_v;
Step b2, denote the session connection count at any moment t_n as S_n; the redundancy value C_n at moment t_n is:
C_n = S_limit - S_n;
Step b3, let the tolerated session growth factor be μ, with value range (0, 1); the tolerated session increase P_n^max at any moment t_n is then:
If C_n > S_limit*f:
P_n^max = μ*C_n + S_limit*f,
Otherwise:
P_n^max = μ*C_n,
The value of the parameter f is set by the user. The session count at the moment after t_n is denoted S_{n+1}, then if S_{n+1} > S_n, then μ_n > μ_{n+1}, where μ_n is the tolerated session growth factor at the n-th second;
Suitable values are selected within these ranges according to the actual situation, so that:
S_{n+1}^max = S_n + μ*C_n + S_limit*f ≥ S_p
S_{n+1}^max is the maximum number of connections tolerated at the next moment;
Step b4, count the number Z of SYN packets sent by all IPs in the set IP_list1 and divide Z by i to obtain the average SYN_Mode; the SYN count SYN_Number during normal use of the server is then:
SYN_Number = SYN_Mode ± Q,
where Q is the strictness, set by the user, with value range (0, 10);
Step b5, the server first connects the IPs whose SYN packet count equals SYN_Mode. Once it has established connections with those IPs, it next gives priority to IPs whose SYN packet count equals SYN_Mode - Q. If the server's session connection count is still below the maximum number of connections tolerated at the next moment, S_{n+1}^max, it then establishes connections with IPs whose SYN packet count lies between SYN_Mode and SYN_Mode + Q, until the count approaches S_{n+1}^max, at which point all other SYN packets are dropped;
Step b6, when S_n < S_v and P_n^max < U_T, terminate the defence policy.
As described above, the device for DDoS attack determination and traffic cleaning according to the embodiments of the present application may be implemented in various terminal devices, such as a server of a distributed computing system. In one example, the device may be integrated into the terminal device as a software module and/or a hardware module. For example, it may be a software module in the operating system of the terminal device, or an application developed for the terminal device; of course, it may equally be one of the many hardware modules of the terminal device.
Alternatively, in another example, the device for DDoS attack determination and traffic cleaning may be a device separate from the terminal device, connected to the terminal device through a wired and/or wireless network and exchanging interactive information in an agreed data format.
As shown in Fig. 5, the present application also provides an electronic device 10, comprising:
One or more processors 11 and a memory 12. The processor 11 may be a central processing unit (CPU) or another form of processing unit with data processing capability and/or instruction execution capability, and may control the other components of the electronic device 10 to perform the desired functions.
The memory 12 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, random access memory (RAM) and/or cache memory. The non-volatile memory may include, for example, read-only memory (ROM), a hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium, and the processor 11 may run these instructions to implement the DDoS attack determination and traffic cleaning method of the embodiments of the present application described above and/or other desired functions.
In one example, the electronic device 10 may also include an input device 13 and an output device 14, interconnected through a bus system and/or another form of connection mechanism (not shown).
For example, the input device 13 may be a keyboard, a mouse, etc.
The output device 14 may output various information externally, including the results of the DDoS attack determination and traffic cleaning method. The output device 14 may include, for example, a display, a loudspeaker, a printer, and a communication network together with the remote output devices connected to it.
Of course, for simplicity, Fig. 3 shows only some of the components of the electronic device 10 that are relevant to the present application; components such as buses and input/output interfaces are omitted.
According to another aspect of the present application, a computer-readable storage medium is also provided, on which computer program instructions are stored; when executed by a computing device, the instructions are operable to perform the DDoS attack determination and traffic cleaning method described above.
Embodiment
In this embodiment, the following scenario is set: there is a server A whose maximum connection load is 5000 (S_limit = 5000), and S_v = 0.9*S_limit = 4500;
After the server is connected to the protection of the device of the present invention, the device learns for 1 hour under normal conditions. (For an IP that has just been connected, an initial rule is used: assuming the count goes from 0 to 5000 in 10 seconds, the per-second increase is 500, so 500 is used as the initial criterion and an increase of no more than 500 is judged to be normal. Once values have been learned, this rule is discarded; it applies only to the first hour after the IP is connected.) Learning yields the average number of SYN packets sent by all IPs, SYN_Mode = 50, together with S_max = 2500 and U_max = 400. S_max is the maximum number of server-side connections during learning, and U_max is the maximum number of new connections during learning;
In the attack scenario:
The session connection count in the second second is S_2 = 4000 and in the first second is S_1 = 3000. U_T = α*U_max, with α usually taken as 1, so S_2 - S_1 > 1*U_max, i.e. 4000 - 3000 > 400 (P_n > U_max), where P_n is the number of new connections in the n-th second;
The attack starts at this point. Connections from before S_1 are labelled normal traffic; traffic from S_2 onwards is labelled mixed traffic;
The mixed traffic is cleaned. The number of new connections allowed in the third second is P_3^max = 0.3*1000 + 0.001*5000 = 305, and the SYN count SYN_Number during normal use of the server is:
SYN_Number = SYN_Mode ± Q = 50,
Suppose that, in the mixed traffic of the third second, the connection counts of each IP from the 2nd second to the n-th (current) second are:
IP1 = 1, IP2 = 1, IP3 = 1, IP4 = 10,
IP5 = 40, IP6 = 30, IP7 = 60, IP8 = 70, IP9 = 200, IP10 = 500, IP11 = 1000,
Then P3 = IP5 = 40; P3 = IP5 + IP7 = 100; P3 = IP5 + IP7 + IP6 = 130; P3 = 130 + IP8 = 200; P3 = 200 + IP1 + IP2 + IP3 + IP4 = 213.
IP1 denotes a single source IP of a client, for example the address 1.1.1.1;
IP2 likewise denotes a single source IP, for example the address 1.1.1.2;
The connection count P3 for the third second is 213, which is less than P_3^max, the maximum number of new connections allowed in the third second;
The expected connection count for the third second is IP1 + ... + IP11 = 1913, which is greater than U_max, so the fourth second is in the attack stage. The conditions for stopping the defence policy are:
1. S_n < 4500;
2. The expected connection count P_n < U_max;
Under normal conditions, if S_n > S_v is triggered, the above policy is applied until S_n < S_v.
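The embodiment's numbers can be reproduced with a short program. The following Python is an added example, not code from the patent: the names Policy, attack_trigger, suspicious_ips, tolerated_increase and admit are chosen here, and the admission order (closest to SYN_Mode first, the lower count winning a tie, stopping at the first IP that would exceed the budget) is an assumption inferred from the order in which the embodiment adds IP5, IP7, IP6 and IP8.

```python
"""Added illustration of steps a2 and b2-b5; not code from the patent."""
from dataclasses import dataclass


@dataclass
class Policy:
    s_limit: int        # S_limit: most connections the server can bear
    q: float            # weight parameter, S_v = q * S_limit
    u_max: int          # U_max: largest per-second increase seen while learning
    syn_mode: int       # SYN_Mode: per-IP average learned from IP_list1
    alpha: float = 1.0  # policy strictness, U_T = alpha * U_max
    mu: float = 0.3     # tolerated session growth factor, range (0, 1)
    f: float = 0.001    # user-set parameter f

    @property
    def s_v(self) -> float:
        return self.q * self.s_limit

    @property
    def u_t(self) -> float:
        return self.alpha * self.u_max


def attack_trigger(p: Policy, s1: int, s2: int):
    """Step a2: test the one-second increase first, then the absolute count."""
    if s2 - s1 > p.u_t:
        return "rate"        # T_1 is taken as the attack start time
    if s2 > p.s_v:
        return "capacity"    # session count above S_v
    return None


def suspicious_ips(ip_list1, ip_list2):
    """IP_A: addresses in IP_list2 that were not already connected at T_1."""
    known = set(ip_list1)
    return [ip for ip in ip_list2 if ip not in known]


def tolerated_increase(p: Policy, s_n: int) -> float:
    """Steps b2-b3: P_n^max from the redundancy C_n = S_limit - S_n."""
    c_n = p.s_limit - s_n
    extra = p.s_limit * p.f
    return p.mu * c_n + extra if c_n > extra else p.mu * c_n


def admit(p: Policy, per_ip: dict, budget: float):
    """Step b5 as exercised in the embodiment.

    Assumed ordering: smallest distance from SYN_Mode first, counts at or
    below SYN_Mode before counts above it. Admission stops at the first IP
    whose connections would push the total past the budget.
    """
    ranked = sorted(per_ip, key=lambda ip: (abs(per_ip[ip] - p.syn_mode),
                                            per_ip[ip] > p.syn_mode))
    admitted, total = [], 0
    for ip in ranked:
        if total + per_ip[ip] > budget:
            break            # everything ranked after this point is dropped
        admitted.append(ip)
        total += per_ip[ip]
    return admitted, total


# Values taken from the embodiment: S_limit = 5000, S_v = 0.9 * S_limit,
# U_max = 400, SYN_Mode = 50, and the per-IP counts of the third second.
EMBODIMENT = Policy(s_limit=5000, q=0.9, u_max=400, syn_mode=50)
MIXED = {"IP1": 1, "IP2": 1, "IP3": 1, "IP4": 10, "IP5": 40, "IP6": 30,
         "IP7": 60, "IP8": 70, "IP9": 200, "IP10": 500, "IP11": 1000}

if __name__ == "__main__":
    print("trigger:", attack_trigger(EMBODIMENT, 3000, 4000))
    budget = tolerated_increase(EMBODIMENT, 4000)
    print("P_3^max:", budget)
    admitted, total = admit(EMBODIMENT, MIXED, budget)
    print("admitted:", admitted, "total:", total)
    dropped = [ip for ip in MIXED if ip not in admitted]
    print("dropped:", dropped)
```

With the embodiment's values the trigger is the per-second increase, the budget is 305, and the admitted total is 213, leaving IP9, IP10 and IP11 dropped.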
The present invention provides a method, a device and electronic equipment for DDoS attack determination and traffic cleaning. There are many methods and ways of implementing this technical solution, and the above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention. Any component not made explicit in this embodiment can be implemented with existing technology.

Claims (15)

  1. A method for DDoS attack determination and traffic cleaning, characterized by comprising:
    determining the DDoS attack start time;
    when it is determined that the server is under DDoS attack, performing traffic differentiation and traffic cleaning.
  2. The method according to claim 1, characterized in that determining the DDoS attack start time comprises:
    Step a1, at moment T_1 the number of session connections on the server is S_1; the moment one second later is denoted T_2, and the number of session connections on the server at moment T_2 is S_2;
    Step a2, determining the DDoS attack start time using either the number of new session connections per second or a session connection count threshold as the criterion, and triggering the corresponding defence policy once the DDoS attack start time is obtained.
  3. The method according to claim 2, characterized in that, in step a2, determining the DDoS attack start time using the number of new session connections per second as the criterion comprises: setting the threshold for new session connections per second to U_T; when S_2 - S_1 > U_T, judging moment T_1 to be the DDoS attack start time, and triggering the corresponding defence policy, i.e. traffic differentiation and traffic cleaning, at time T_2.
  4. The method according to claim 3, characterized in that, in step a2, the threshold U_T for new session connections per second is calculated as follows:
    collecting the number of new session connections per second for the customer's service under normal conditions to obtain the set U = {U_i | i = 1, 2, 3, ...}, where U_i is the number of new sessions in the i-th second; the maximum value in U is denoted U_max, and the threshold is U_T = α*U_max, where α is the policy strictness, whose value is defined by the customer and whose range is (0.1, ∞).
  5. The method according to claim 4, characterized in that, in step a2, determining the DDoS attack start time using the session connection count threshold as the criterion comprises: if S_2 - S_1 > U_T is not satisfied, determining whether the server's session connection count is greater than the threshold S_v; if it is, triggering the corresponding defence policy, i.e. traffic differentiation and traffic cleaning; S_v = q*S_limit, where S_limit is the maximum number of connections the server can bear and q is a weight parameter.
  6. The method according to claim 5, characterized in that, when it is determined that the server is under DDoS attack, traffic differentiation and traffic cleaning are performed, wherein the traffic differentiation comprises: obtaining the set of IPs connected to the server at moment T_1, IP_list1 = {IP_i | i = 1, 2, 3, ...}, where IP_i is the i-th IP address connected to the server at T_1; when the DDoS attack starts, the server has new session connections, and the set of IPs connected to the server at that point is IP_list2 = {IP_n | n = 1, 2, 3, ...}, where IP_n is the n-th IP address connected to the server at the DDoS attack start time; removing from IP_list2 the IPs that also appear in IP_list1 to obtain a new IP set, denoted IP_A, where IP_list1 is the set of normal-user IP addresses from before the DDoS attack and IP_A is the set of suspicious-user IP addresses after the attack begins; once the defence policy is triggered, applying traffic cleaning to the IP addresses in IP_A first.
  7. The method according to claim 6, characterized in that the traffic cleaning comprises:
    Step b1, setting a reasonable value S_p, where S_p satisfies: S_limit ≥ S_p > S_v;
    Step b2, denoting the session connection count at any moment t_n as S_n; the redundancy value C_n at moment t_n is:
    C_n = S_limit - S_n;
    Step b3, letting the tolerated session growth factor be μ, with value range (0, 1); the tolerated session increase P_n^max at any moment t_n is then:
    If C_n > S_limit*f:
    P_n^max = μ*C_n + S_limit*f,
    Otherwise:
    P_n^max = μ*C_n,
    The value of the parameter f is set by the user. The session count at the moment after t_n is denoted S_{n+1}, then if S_{n+1} > S_n, then μ_n > μ_{n+1}, where μ_n is the tolerated session growth factor at the n-th second;
    Suitable values are selected within these ranges according to the actual situation, so that:
    S_{n+1}^max = S_n + μ*C_n + S_limit*f ≥ S_p
    S_{n+1}^max is the maximum number of connections tolerated at the next moment;
    Step b4, counting the number Z of SYN packets sent by all IPs in the set IP_list1 and dividing Z by i to obtain the average SYN_Mode; the SYN count SYN_Number during normal use of the server is then:
    SYN_Number = SYN_Mode ± Q,
    where Q is the strictness, set by the user, with value range (0, 10);
    Step b5, the server first connects the IPs whose SYN packet count equals SYN_Mode; once it has established connections with those IPs, it next gives priority to IPs whose SYN packet count equals SYN_Mode - Q; if the server's session connection count is still below the maximum number of connections tolerated at the next moment, S_{n+1}^max, it then establishes connections with IPs whose SYN packet count lies between SYN_Mode and SYN_Mode + Q, until the count approaches S_{n+1}^max, at which point all other SYN packets are dropped;
    Step b6, when S_n < S_v and P_n^max < U_T, terminating the defence policy.
  8. A device for DDoS attack determination and traffic cleaning, characterized by including a DDoS attack judgment module and a defence policy module;
    wherein the DDoS attack judgment module is used to determine the DDoS attack start time;
    the defence policy module is used to perform traffic differentiation and traffic cleaning when the DDoS attack judgment module determines that the server is under DDoS attack.
  9. The device according to claim 8, characterized in that the DDoS attack judgment module is used to determine the DDoS attack start time, comprising: step a1, at moment T_1 the number of session connections on the server is S_1; the moment one second later is denoted T_2, and the number of session connections on the server at moment T_2 is S_2;
    Step a2, determining the DDoS attack start time using either the number of new session connections per second or a session connection count threshold as the criterion, and triggering the corresponding defence policy once the DDoS attack start time is obtained.
  10. The device according to claim 9, characterized in that, in step a2, determining the DDoS attack start time using the number of new session connections per second as the criterion comprises: setting the threshold for new session connections per second to U_T; when S_2 - S_1 > U_T, judging moment T_1 to be the DDoS attack start time, and triggering the corresponding defence policy, i.e. traffic differentiation and traffic cleaning, at time T_2.
  11. The device according to claim 10, characterized in that, in step a2, the threshold U_T for new session connections per second is calculated as follows:
    collecting the number of new session connections per second for the customer's service under normal conditions to obtain the set U = {U_i | i = 1, 2, 3, ...}, where U_i is the number of new sessions in the i-th second; the maximum value in U is denoted U_max, and the threshold is U_T = α*U_max, where α is the policy strictness, whose value is defined by the customer and whose range is (0.1, ∞).
  12. The device according to claim 11, characterized in that, in step a2, determining the DDoS attack start time using the session connection count threshold as the criterion comprises: if S_2 - S_1 > U_T is not satisfied, determining whether the server's session connection count is greater than the threshold S_v; if it is, triggering the corresponding defence policy, i.e. traffic differentiation and traffic cleaning; S_v = q*S_limit, where S_limit is the maximum number of connections the server can bear and q is a weight parameter.
  13. The device according to claim 12, characterized in that the defence policy module is used to perform traffic differentiation and traffic cleaning when the DDoS attack judgment module determines that the server is under DDoS attack, wherein the traffic differentiation comprises: obtaining the set of IPs connected to the server at moment T_1, IP_list1 = {IP_i | i = 1, 2, 3, ...}, where IP_i is the i-th IP address connected to the server at T_1; when the DDoS attack starts, the server has new session connections, and the set of IPs connected to the server at that point is IP_list2 = {IP_n | n = 1, 2, 3, ...}, where IP_n is the n-th IP address connected to the server at the DDoS attack start time; removing from IP_list2 the IPs that also appear in IP_list1 to obtain a new IP set, denoted IP_A, where IP_list1 is the set of normal-user IP addresses from before the DDoS attack and IP_A is the set of suspicious-user IP addresses after the attack begins; once the defence policy is triggered, applying traffic cleaning to the IP addresses in IP_A first.
  14. The device according to claim 13, characterized in that the traffic cleaning comprises:
    Step b1, setting a reasonable value S_p, where S_p satisfies: S_limit > S_p > S_v;
    Step b2, denoting the session connection count at any moment t_n as S_n; the redundancy value C_n at moment t_n is:
    C_n = S_limit - S_n;
    Step b3, letting the tolerated session growth factor be μ, with value range (0, 1); the tolerated session increase P_n^max at any moment t_n is then:
    If C_n > S_limit*f:
    P_n^max = μ*C_n + S_limit*f,
    Otherwise:
    P_n^max = μ*C_n,
    The value of the parameter f is set by the user. The session count at the moment after t_n is denoted S_{n+1}, then if S_{n+1} > S_n, then μ_n > μ_{n+1}, where μ_n is the tolerated session growth factor at the n-th second;
    Suitable values are selected within these ranges according to the actual situation, so that:
    S_{n+1}^max = S_n + μ*C_n + S_limit*f ≥ S_p
    S_{n+1}^max is the maximum number of connections tolerated at the next moment;
    Step b4, counting the number Z of SYN packets sent by all IPs in the set IP_list1 and dividing Z by i to obtain the average SYN_Mode; the SYN count SYN_Number during normal use of the server is then:
    SYN_Number = SYN_Mode ± Q,
    where Q is the strictness, set by the user, with value range (0, 10);
    Step b5, the server first connects the IPs whose SYN packet count equals SYN_Mode; once it has established connections with those IPs, it next gives priority to IPs whose SYN packet count equals SYN_Mode - Q; if the server's session connection count is still below the maximum number of connections tolerated at the next moment, S_{n+1}^max, it then establishes connections with IPs whose SYN packet count lies between SYN_Mode and SYN_Mode + Q, until the count approaches S_{n+1}^max, at which point all other SYN packets are dropped;
    Step b6, when S_n < S_v and P_n^max < U_T, terminating the defence policy.
  15. An electronic device, characterized by comprising: a processor and a memory, the memory storing computer program instructions which, when run by the processor, cause the processor to execute the method for DDoS attack determination and traffic cleaning according to any one of claims 1-8.
CN201910763609.7A 2019-08-19 2019-08-19 Method and device for DDoS attack judgment and flow cleaning and electronic equipment Expired - Fee Related CN110519248B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910763609.7A CN110519248B (en) 2019-08-19 2019-08-19 Method and device for DDoS attack judgment and flow cleaning and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910763609.7A CN110519248B (en) 2019-08-19 2019-08-19 Method and device for DDoS attack judgment and flow cleaning and electronic equipment

Publications (2)

Publication Number Publication Date
CN110519248A true CN110519248A (en) 2019-11-29
CN110519248B CN110519248B (en) 2020-11-24

Family

ID=68625732

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910763609.7A Expired - Fee Related CN110519248B (en) 2019-08-19 2019-08-19 Method and device for DDoS attack judgment and flow cleaning and electronic equipment

Country Status (1)

Country Link
CN (1) CN110519248B (en)

Also Published As

Publication number Publication date
CN110519248B (en) 2020-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20201124
