CN111225002B - Network attack tracing method and device, electronic equipment and storage medium - Google Patents

Network attack tracing method and device, electronic equipment and storage medium

Info

Publication number
CN111225002B
Authority
CN
China
Prior art keywords
network
network server
identification information
address information
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010192665.2A
Other languages
Chinese (zh)
Other versions
CN111225002A (en)
Inventor
陈发贵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Tencent Computer Systems Co Ltd
Original Assignee
Shenzhen Tencent Computer Systems Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Tencent Computer Systems Co Ltd
Priority to CN202010192665.2A
Publication of CN111225002A
Application granted
Publication of CN111225002B
Legal status: Active
Anticipated expiration: (not stated on the page)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The application relates to the technical field of computer network security, and in particular to a network attack tracing method, a network attack tracing device, electronic equipment and a storage medium, which are used to improve the security of network data transmission and storage. The method comprises the following steps: determining the correspondence between the network address of a scan request sender and an identification information set of network servers, according to the response of each network server in a network server set to the scan request; when a network attack launched by an attacker through target network servers in the network server set is received, acquiring the identification information of each target network server; and determining the network address corresponding to the identification information set formed by the identification information of the target network servers as the network address of the attacker. The method and system establish the correspondence between the identification information set of the network servers and the network address on the basis of the network servers' responses to scan requests, so that the attacker's network address can be traced.

Description

Network attack tracing method and device, electronic equipment and storage medium
Technical Field
The application relates to the technical field of computer network security, and provides a network attack tracing method and device, electronic equipment and a storage medium.
Background
In a reflective DDoS (Distributed Denial of Service) attack, the attacker does not attack the target service IP (Internet Protocol) address directly. Instead, it uses Internet servers with open services as reflection sources: the attacker forges the IP address of the attacked party as the source address and sends constructed request messages to the reflection sources, so that each reflection source, on receiving a request, sends reply data several times the size of the request to the IP address of the attacked party.
In a reflective DDoS attack, the address seen by the reflection source is the forged IP address of the attacked party, and the address seen by the attacked party is the address of the reflection source, so the IP address of the party that really launched the attack cannot be learned from either side, and tracing a reflective DDoS attack is extremely difficult. At present there is no good attack tracing method for reflective DDoS attacks.
Disclosure of Invention
The embodiments of the application provide a network attack tracing method, a network attack tracing device, electronic equipment and a storage medium, which are used to locate the IP address of a reflective DDoS attacker and to improve the security of network data transmission and storage.
The first network attack tracing method provided by the embodiment of the application comprises the following steps:
determining the correspondence between the network address of a scan request sender and an identification information set of network servers, according to the response of each network server in at least one network server set to the scan request, wherein each identification information set comprises the identification information of the network servers that responded to scan requests from the same network address, and each network server responds only to those scan requests whose source network address and the server's own identification information satisfy a set matching relation;
when a network attack launched by an attacker through target network servers in the network server set is received, acquiring the identification information of each target network server;
and, according to the correspondence, determining the network address corresponding to the identification information set formed by the identification information of the target network servers as the network address of the attacker.
The second network attack tracing method provided by the embodiment of the application comprises the following steps:
receiving a scan request sent by a sender, and acquiring the network address of the sender;
when the network address of the sender and the server's own identification information satisfy the set matching relation, responding to the scan request;
after receiving an attack request sent by the same sender acting as an attacker, sending a large volume of reply data to the attacked party, i.e. to the address given as the sender network address in the attack request, which is how the attacker's network attack on the attacked party is carried out.
The first network attack tracing device provided by the embodiment of the application comprises:
a relation establishing unit, configured to determine the correspondence between the network address of a scan request sender and an identification information set of network servers, according to the response of each network server in at least one network server set to the scan request, wherein each identification information set comprises the identification information of the network servers that responded to scan requests from the same network address, and each network server responds only to those scan requests whose source network address and the server's own identification information satisfy a set matching relation;
an identification determining unit, configured to acquire the identification information of each target network server when a network attack launched by an attacker through target network servers in the network server set is received;
and an attack tracing unit, configured to determine, according to the correspondence, the network address corresponding to the identification information set formed by the identification information of the target network servers as the network address of the attacker.
Optionally, in the at least one network server set, the number of network servers in each set equals the number of bits in the binary encoding of the network address, and the identification information of each network server is a serial number; and
each network server selecting the scan requests whose source network address and own identification information satisfy the set matching relation comprises: each network server responding to a scan request when the bit at the position given by the server's serial number is 1 in the binary encoding of the request's source network address; or
each network server responding to a scan request when the bit at the position given by the server's serial number is 0 in the binary encoding of the request's source network address.
The second network attack tracing device provided by the embodiment of the application comprises:
a receiving unit, configured to receive a scan request sent by a sender and acquire the network address of the sender;
a response unit, configured to respond to the scan request when the network address of the sender and the server's own identification information satisfy the set matching relation;
and a reply unit, configured to send, after receiving an attack request from the same sender acting as an attacker, a large volume of reply data to the attacked party whose address is given as the sender network address in the attack request, which is how the attacker's network attack on the attacked party is carried out.
Optionally, the apparatus further comprises:
a recording unit, configured to generate a network flow log recording the scan request, based on the response result of the scan request.
Optionally, the number of bits in the binary encoding of the network address equals the number of network servers in the network server set to which the server belongs, the identification information of each network server in the set is a serial number, and the set matching relation comprises:
the position of any bit with value 1 in the binary encoding of the sender's network address corresponds to the server's own serial number; or
the position of any bit with value 0 in the binary encoding of the sender's network address corresponds to the server's own serial number.
An electronic device provided in an embodiment of the present application includes a processor and a memory, where the memory stores a program code, and when the program code is executed by the processor, the processor is enabled to execute any one of the steps of the above-mentioned cyber attack tracing method.
An embodiment of the present application provides a computer-readable storage medium comprising program code which, when run on an electronic device, causes the electronic device to execute any of the steps of the foregoing network attack tracing method.
The beneficial effect of this application is as follows:
In the network attack tracing method, device, electronic equipment and storage medium provided by the embodiments of the application, a network server set is deployed as a honeypot that replies to both the attack requests and the scan requests of an attacker, and the requests sent by the attacker are recorded. When a network server acting as a honeypot receives a scan request from an attacker, it decides whether to respond on the basis of the set matching relation, i.e. whether the attacker's network address and the server's own identification information match. Different attackers have different network addresses, so different subsets of network servers respond, and the correspondence between the network address of the scan request sender and the identification information set of the responding network servers can be established from the responses to scan requests. When the attacked party is later attacked, the identification information of each target network server is obtained from the reply messages the target network servers send, the identification information set formed by these identifications is determined, and the network address corresponding to that set, i.e. the network address of the current attacker, is looked up in the previously established correspondence. The attacker's network address is thus located accurately at the cost of the network servers generating response data, which helps secure network data transmission and storage.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of a reflective DDoS attack in an embodiment of the present application;
fig. 2 is an alternative schematic diagram of an application scenario in an embodiment of the present application;
fig. 3 is a flowchart of a network attack tracing method in an embodiment of the present application;
fig. 4 is a flowchart of another network attack tracing method in the embodiment of the present application;
fig. 5 is an alternative schematic diagram of a correspondence relationship in an embodiment of the present application;
fig. 6 is an alternative schematic diagram of another correspondence in the embodiment of the present application;
fig. 7 is a timing diagram of a complete method for tracing a network attack in an embodiment of the present application;
fig. 8 is a schematic structural diagram of a network attack tracing apparatus in an embodiment of the present application;
fig. 9 is a schematic structural diagram of a second gateway device in an embodiment of the present application;
fig. 10 is a schematic structural diagram of an electronic device in an embodiment of the present application;
fig. 11 is a schematic diagram of a hardware component of a computing apparatus to which the embodiment of the present application is applied.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the technical solutions of the present application. All other embodiments obtained by a person skilled in the art without any inventive step based on the embodiments described in the present application are within the scope of the protection of the present application.
Some concepts related to the embodiments of the present application are described below.
DDoS: using client/server technology, many computers are combined into an attack platform that launches denial of service attacks on one or more targets, multiplying the power of the denial of service attack.
Reflective DDoS attack: a kind of DDoS attack. The attacker does not attack the target service IP directly, but uses Internet servers on which particular services are open: the attacker forges the IP address of the attacked party and sends constructed request messages to the servers with open services, and those servers send reply data several times the size of the request to the attacked IP, which indirectly forms a DDoS attack on the latter. In a reflective attack the attacker performs IP spoofing by exploiting weaknesses of network protocols, mainly the fact that many protocols (typically DNS (Domain Name System), NTP (Network Time Protocol) and SSDP (Simple Service Discovery Protocol)) do not authenticate the source IP. To achieve a stronger attack, an attacker generally selects a protocol service with an amplification effect (the response message is far longer than the request message). By the class of protocol used, such attacks are classified into UDP (User Datagram Protocol) reflection attacks (for example over DNS, NTP and SSDP) and TCP (Transmission Control Protocol) reflection attacks.
Honeypot technology: essentially a technique for deceiving attackers. Hosts, network services or information are deployed as decoys to induce attackers to attack them, so that the attack behaviour can be captured and analysed, the tools and methods used by attackers can be learned, and their intentions and motives can be inferred. This lets defenders understand the security threats they face and strengthen the protection of real systems through technical and management measures.
Network server: a generic term for a server deployed on the Internet to perform data processing. In the embodiments of the present application, the network server may be a honeypot server, which is a computer system that simulates a real computing environment in order to detect real intrusion events and record information about attackers.
Sender: the party that sends a request. In the embodiments of the application the sender mainly refers to the server that launches a reflective DDoS attack. The requests sent by such a server to a network server are of two kinds: attack requests and scan requests. When a scan request is sent to a network server, its source network address is the real IP address of the server launching the reflective DDoS attack; when an attack request is sent, the source network address is not that server's real IP address but the forged network address of the attacked party. The server launching the reflective DDoS attack may also be called the attacker. After receiving an attack request from the attacker, the network server itself becomes a sender when it replies to the attacked party.
Receiver: the party that receives a request. In the embodiments of the application both the network server and the attacked party can be receivers. When the server launching the reflective DDoS attack sends an attack request or a scan request to a network server, the network server is the receiver. When the network server receives an attack request from the attacker and replies to the attacked party, the attacked party is the receiver.
NTP: the protocol is used for synchronizing the time of the computer, can synchronize the computer to a server or a clock source (such as a quartz clock, a Global Positioning System (GPS) and the like), can provide high-precision time correction (the difference between the standard and the Local Area Network (LAN) is less than 1 millisecond, and the difference between the standard and the Local Area Network (WAN) is tens of milliseconds), and can prevent malicious protocol attack through a mode of encryption confirmation. Time is propagated on the level of the NTP server. All servers are classified into different stratums by distance from an external UTC (Coordinated Universal Time) source.
DNS: a distributed database on the Internet as a mutual mapping between domain names and IP addresses enables users to access the Internet more conveniently without remembering IP strings that can be read directly by machines.
SNMP (Simple Network Management Protocol) is composed of a set of standards for Network Management, including an application layer Protocol (application layer Protocol), a database model (database schema), and a set of resource objects.
Broiler chicken: the puppet device is a device that can be remotely controlled by a hacker. Inducing a customer click, such as with a "gray pigeon" or the like, or a computer hacked by a hacker, or a user computer with a hole planted with a trojan horse, the hacker can manipulate it at will and use it to do anything, commonly used as a DDoS attack. In short, the remote computer with the highest management authority may be various systems such as win, Unix/Linux, etc., a server of a company, a server of a website, etc. In the embodiment of the application, the attacker selects the broilers from the network server replying the scanning request through scanning, and then attacks the attacked party through the broilers to realize the reflective DDoS attack, so that in the reflective DDoS attack, the broilers can also be called as the reflection source of the attacker.
Network address: the node is a logical address which the node on the internet has in the network and can be addressed. The IP address is a mode of addressing the host computer on the Internet, and a logical address is allocated to each computer, so that the computers can be identified, and information sharing can be carried out. Common IP addresses are divided into two categories, namely IPv4 and IPv 6. IPv4 employs a 32-bit address length, whereas IPv6 employs a 128-bit address length. The IPV4 has 4 segments of numbers, each segment not exceeding 255 at the maximum. The network address in the embodiment of the present application is described by taking a 32-bit IP address as an example, and the IP address is a 32-bit binary number, which is generally divided into 4 "8-bit binary numbers" (i.e. 4 bytes). IP addresses are typically expressed in the form of (a.b.c.d) "dotted decimal", where a, b, c, d are all decimal integers between 0 and 255. Example (c): the dotted decimal IP address (100.4.5.6), is actually a 32-bit binary number (01100100.00000100.00000101.00000110).
IoT (The Internet of Things): the real-time collection, through information sensors, radio frequency identification, global positioning systems, infrared sensors, laser scanners and other devices and technologies, of information (sound, light, heat, electricity, mechanical, chemical, biological, positional and so on) about any object or process that needs to be monitored, connected to or interacted with, together with ubiquitous connectivity between objects and between objects and people over any available network access, so that objects and processes can be sensed, identified and managed intelligently. The Internet of Things is an information carrier built on the Internet, traditional telecommunication networks and the like; it is the interconnected network formed by all ordinary physical objects that can be independently addressed.
Cloud technology: a management technology that unifies hardware, software, network and other resources in a wide area network or local area network to compute, store, process and share data. Cloud technology is the general term for the network, information, integration, management platform and application technologies used in the cloud computing business model; it can form a resource pool that is used on demand, flexibly and conveniently. Cloud computing technology is an important support for it. The background services of networked technical systems, such as video websites, picture websites and more web portals, require large amounts of computing and storage resources. As the Internet industry develops, each item may carry its own identifier that must be transmitted to a background system for logical processing, data at different levels is processed separately, and industrial data of all kinds needs strong background system support, which can only be provided through cloud computing.
The embodiments of the application mainly involve the Cloud IoT field of cloud technology. Cloud IoT aims to connect the information sensed by the sensing devices of the traditional Internet of Things, and the instructions they receive, to the Internet, so as to achieve true networking, and to store and process the resulting mass data with cloud computing technology. Because objects are connected to objects, the current operating state of each "thing" is sensed in real time, which generates a large amount of data; this information is gathered and useful information is filtered from it as decision support for subsequent development. This solves the key problems affecting the development of the Internet of Things, and the Internet of Things cloud, based on cloud computing and cloud storage technology, becomes a strong support for Internet of Things technology and applications.
With the growth of the Internet of Things, IoT devices have become a common target in large-scale DDoS attacks; the proliferation of IoT devices gives attackers an excellent opportunity to compromise poorly protected networked devices, in particular to build botnets (networks of devices infected by malicious software, which can be used to send large numbers of requests to a target server). The embodiments of the application provide a method for tracing reflective DDoS attacks, which locates the IP address of the attacker in a reflective DDoS attack and thereby improves the security of network data transmission and storage.
The following briefly introduces the design concept of the embodiments of the present application:
In a reflective DDoS attack the attacker does not attack the target service IP directly. It uses Internet servers on which particular services are open as reflection sources: by forging the IP address of the attacked party and sending constructed request messages to the servers with open services, it causes those servers to send reply data several times the size of the request to the attacked IP.
For example, fig. 1 is a schematic diagram of a reflective DDoS attack provided in an embodiment of the present application. The IP address of the hacker (the attacker) is 9.9.9.9. When the hacker attacks a server, it forges the IP address of the attacked party, i.e. uses 3.3.3.3 as the source address, and sends constructed request messages to servers with open services, the reflection sources in fig. 1. Each reflection source sends a response message with its own address (1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4) as the source address and the IP address of the attacked party (the attack target) as the destination address. The attack target receives response messages returned by a large number of reflection sources, which congests its bandwidth.
In the related art, forensics and tracing of a DDoS attack proceed after obtaining the real IP address of the hacker-controlled broiler that launched the attack, i.e. the reflection source IP, and obtaining control of that broiler. In a reflective DDoS attack, however, the address seen by the reflection source is the forged IP of the attacked party, and the address seen by the attacked party is the address of the reflection source, so the IP that really launched the attack cannot be learned; there is no foothold for forensics and tracing, which makes tracing reflective DDoS attacks extremely difficult.
The inventors have realised that before launching a reflective DDoS attack, an attacker needs to know the list of reflection sources with the relevant service port open, and typically obtains it by scanning. For example, before launching an NTP reflection attack, a hacker needs to know which servers on the Internet have the NTP service open. The attacker sends an NTP request to the NTP service port of each IP, and if the server replies with a response packet, the attacker knows that the server can be used to launch an NTP reflection attack.
Since the attacker must receive the real response packets during scanning, the scan has to be sent from the attacker's real server address. That real address is the only clue that can be traced, and subsequent tracing activities can be carried out from it.
In view of this, embodiments of the present application provide a network attack tracing method, apparatus, electronic device and storage medium. On the basis of honeypot technology, the server that launches a reflective DDoS attack is identified and marked, and the DDoS attacks it subsequently launches are recognised, so that reflective DDoS attacks can be traced. Specifically, honeypots are deployed that reply to both the attack requests and the scan requests of the attacker; attack requests and scan requests are distinguished; the correspondence between the attacker's network address and the identification information set of the network servers is established from the network servers' responses to scan requests; and when an attack is received, the identification information of the target network servers is analysed and the correspondence is consulted to determine the IP of the real server owned by the attacker, which then serves as the foothold for tracing the attack.
In the embodiments of the application, the basic unit of the honeypot can be a cluster of network servers, the number of network servers in the cluster is determined by the set matching relation, and the hardware configuration and software version of every server in the cluster are identical. The matching relation serves to trace the attacker's network address. Under current network technology a network address is 32 binary bits, so 32 honeypot servers are used, numbered 0 to 31, each honeypot server having a serial number that may also be called its identification information. Using the matching relation between the bits that are 0 or 1 in the 32-bit address and the identification information, each honeypot server autonomously decides whether to respond to a scan request from a given network address and records the request. The correspondence between the network address and the identification information set of the honeypot servers can thus be established, and in a subsequent attack that correspondence is used to locate the attacker's network address, which realises network attack tracing.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it should be understood that the preferred embodiments described herein are merely for illustrating and explaining the present application, and are not intended to limit the present application, and that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Fig. 2 is a schematic view of an application scenario according to an embodiment of the present application. The application scenario diagram includes an attacker 210, a network server 220 and an attacked party 230, the attacker 210 and the network server 220 can communicate with each other through a communication network, and the network server 220 and the attacked party 230 can communicate with each other through the communication network.
In an alternative embodiment, the communication network is a wired network or a wireless network.
In the embodiment of the present application, the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud functions, cloud storage, network service, cloud communication, middleware service, domain name service, security service, CDN, big data, and an artificial intelligence platform. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
In the embodiment of the present application, the attacker 210 may scan the network server 220 before an attack, add every network server that responds to the scanning request to a reflection source list according to the scanning result, and then attack the attacked party 230 through the network servers in the reflection source list. Each network server sends the attacked party 230 response data several times larger than the attack request that triggered it, causing bandwidth congestion.
Referring to fig. 3, an implementation flow chart of a network attack tracing method provided in the embodiment of the present application is applied to a network server, and a specific implementation flow of the method is as follows:
s31: receiving a scanning request sent by a sender, and acquiring network address information of the sender;
s32: when the network address information of the sender and the self identification information meet the set matching relationship, responding to the scanning request;
in the embodiment of the present application, any network server may be designated as a honeypot server, and the network server designated as the honeypot server needs to select to respond to a specific scan request and record the scan request and the response result according to the technical solution provided in the embodiment of the present application in addition to completing its own service processing, so as to generate a network traffic log. And then the attacked party acquires the network flow log, and establishes the corresponding relation between the network address information of the scanning request sender and the identification information set of the network server based on the response result of the network server to the scanning request recorded in the log so as to realize the positioning of the network address information of the attacking party in the subsequent attacking process. In the following description, the honeypot server is mainly used as an example for description, and a plurality of honeypot servers form a set of honeypot. Wherein, can dispose a set of honeypot or a plurality of sets of mutually independent honeypots according to different geographical position or different internet environment in advance to the threat of perception reflection-type DDoS more accurately and comprehensively.
The basic unit of a set of honeypots is a plurality of honeypot servers, namely network servers, with the hardware configuration and the software version completely consistent. The detailed description is mainly given by taking an example that a set of honeypots includes 32 network servers, and the network servers are numbered according to 0-31, so that each network server corresponds to a sequence number, which can also be called identification information.
It should be noted that a honeypot consisting of 32 network servers with identical hardware configurations and software versions is only an example. In fact, the number of network servers in the honeypot may match the number of bits in the binary code of the network address information; if the IP address 1.1.1.1 were represented as a 64-bit binary code, the honeypot could likewise consist of 64 network servers with identical hardware configurations and software versions, which is not limited herein.
The network server deployed as the honeypot server in the embodiment of the application is mainly used for replying attack requests and scanning requests of attackers. Therefore, after the network server receives the scanning request sent by the attacker, the network address information of the sender is obtained, and whether to respond or not is determined according to the network address information of the sender.
Specifically, whether the network address information of the sender and the self identification information meet a set matching relationship is judged, and if yes, a scanning request sent by the sender is responded; otherwise, the scanning request sent by the sender is ignored.
In an optional implementation manner, the binary encoding number of the network address information is the same as the number of the network servers in the network server set where the network address information is located, the identification information of each network server in the network server set is a sequence number, and the set matching relationship may be any one of the following:
Set matching relation one: the network server whose sequence number equals the position of any bit with value 1 in the binary code of the sender's network address information responds.
That is, for the network server with sequence number i, when a request with source address a.a.a.a is received, the server responds if (2^i) & inet_aton('a.a.a.a') is non-zero, i.e. bit i of the address is 1; otherwise it ignores the request.
Here inet_aton() is the socket-library function that converts a dotted-decimal address string such as 'a.a.a.a' into its 32-bit integer form (the reverse conversion, from integer to dotted string, is inet_ntoa()), and 2^i is the mask with only bit i set. Because inet_aton() returns the value in network byte order, it must be converted to host byte order with ntohl() before the bit test so that bit 0 is the least significant bit of the last octet.
Suppose that there are 32 network servers in the network server set to which the network server belongs, that they are numbered 0 to 31, and that the sequence number i of the network server under consideration is 26. Several IP addresses are enumerated below for further detail:
1) when the IP address of the sender is 1.1.1.1, the binary code converted into 32 bits is:
00000001000000010000000100000001。
assuming that the bits are counted from right to left, the order of the positions of the 32-bit bits is 0 th bit to 31 th bit, wherein the bits with a bit value of 1 are: the 0 th, 8 th, 16 th and 24 th bits from right to left, the corresponding network server sequencing sequence numbers are: network server No. 0, network server No. 8, network server No. 16, network server No. 24.
Since the sequence number of the network server is 26, and the sequence of the position of the bit with the bit value of 1 in the binary code of the network address information of the sender is 0, 8, 16, 24, respectively, which is not corresponding to 26, the network server does not respond to the scanning request sent by the sender with the network address information of 1.1.1.1, and ignores the scanning request.
2) When the sender's IP address is 23.9.7.1, the binary code converted to 32 bits is:
00010111000010010000011100000001。
the bit with a bit value of 1 is: the 0 th, 8 ~ 10 th, 16 th, 19 th, 24 ~ 26 th and 28 th bits from right to left, the corresponding network server sequence number is: no. 0 network server, No. 8 network server, No. 9 network server, No. 10 network server, No. 16 network server, No. 19 network server, No. 24 network server, No. 25 network server, No. 26 network server, No. 28 network server.
Since the network server has a sequence number of 26 and the bit value of the 26 th bit in the binary code of the network address information of the sender is 1, the network server responds to the scan request sent by the sender with network address information of 23.9.7.1.
3) When the sender's IP address is 49.235.7.84, the binary code converted to 32 bits is:
00110001111010110000011101010100。
the bit with a bit value of 1 is: the 2 nd, 4 th, 6 th, 8 th to 10 th, 16 th, 17 th, 19 th, 21 th to 24 th, 28 th and 29 th bits from right to left, the corresponding network server sequencing sequence number is: no. 2 network server, No. 4 network server, No. 6 network server, No. 8 network server, No. 9 network server, No. 10 network server, No. 16 network server, No. 17 network server, No. 19 network server, No. 21 network server, No. 22 network server, No. 23 network server, No. 24 network server, No. 28 network server and No. 29 network server.
Since the network server has a sequence number of 26 and the sequences of the positions of the bits having a bit value of 1 in the binary code of the network address information of the sender are respectively 2, 4, 6, 8, 9, 10, 16, 17, 19, 21, 22, 23, 24, 28, 29, and 26 do not correspond to each other, the network server does not respond to the scan request sent by the sender having network address information of 49.235.7.84 and ignores the scan request.
4) When the sender's IP address is 119.159.246.244, the binary code converted to 32 bits is:
01110111100111111111011011110100。
the bit with a bit value of 1 is: the 2 nd, 4 th to 7 th, 9 th, 10 th, 12 th to 20 th, 23 th to 26 th and 28 th to 30 th bits from right to left, the corresponding network server sequencing sequence number is: no. 2 network server, No. 4 network server, No. 5 network server, No. 6 network server, No. 7 network server, No. 9 network server, No. 10 network server, No. 12 network server, No. 13 network server, No. 14 network server, No. 15 network server, No. 16 network server, No. 17 network server, No. 18 network server, No. 19 network server, No. 20 network server, No. 23 network server, No. 24 network server, No. 25 network server, No. 26 network server, No. 28 network server, No. 29 network server, No. 30 network server.
Since the network server has a sequence number of 26 and the bit value of the 26th bit in the binary code of the network address information of the sender is 1, the network server responds to the scan request sent by the sender with network address information of 119.159.246.244.
Set matching relation two: the network server whose sequence number equals the position of any bit with value 0 in the binary code of the sender's network address information responds.
That is, for the network server with sequence number i, when a request with source address a.a.a.a is received, the server responds if (2^i) & inet_aton('a.a.a.a') equals 0, i.e. bit i of the address is 0; otherwise it ignores the request.
Assuming that the network server has the sequence number i equal to 26, the above embodiments are also exemplified by several IP addresses:
1) when the IP address of the sender is 1.1.1.1, the binary code converted into 32 bits is:
00000001000000010000000100000001。
since the bit value of the 26 th bit in the binary code of the network address information of the sender is 0 and corresponds to the sequencing serial number, the network server responds to the scanning request sent by the sender with the network address information of 1.1.1.1.
2) When the sender's IP address is 23.9.7.1, the binary code converted to 32 bits is:
00010111000010010000011100000001。
since the bit with the bit value of 0 in the binary code of the network address information of the sender does not include the 26 th bit, that is, the binary code of the network address information does not have the bit corresponding to the sorting sequence number, the network server does not respond to the scan request sent by the sender with the network address information of 23.9.7.1, and ignores the scan request.
3) When the sender's IP address is 49.235.7.84, the binary code converted to 32 bits is:
00110001111010110000011101010100。
since the bit value of the 26 th bit in the binary code of the network address information of the sender is 0 and corresponds to the sorting number, the network server responds to the scan request sent by the sender whose network address information is 49.235.7.84.
4) When the IP address of the sender is 119.159.246.244, the binary code converted into 32 bits is:
01110111100111111111011011110100。
since the bit with the bit value of 0 in the binary code of the network address information of the sender does not include the 26 th bit, that is, the binary code of the network address information does not have the bit corresponding to the sorting sequence number, the network server does not respond to the scan request sent by the sender with the network address information of 119.159.246.244, and ignores the scan request.
In the above embodiment, based on the set matching relationship between the network address information and the identification information of the network server, the effect that different sets of identification information correspond to different sets of network address information can be achieved, so that the network address information can be marked, so as to identify the network address information of an attacker at a later stage.
It should be noted that the set matching relationship listed in the foregoing embodiment is only an example, and in the embodiment of the present application, any matching relationship between the sender network address information and the identification information is applicable to the embodiment of the present application.
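The following is an added worked example and not part of the patent specification. It implements the two set matching relationships above in Python for a 32-server honeypot set, reproduces the four IP addresses worked through in the text, and adds the inverse mapping (from a set of responding sequence numbers back to the sender address) that the attacked party relies on later. The function names and the use of Python's standard ipaddress module are choices made here, not the patent's.

```python
import ipaddress
from typing import Set

NUM_SERVERS = 32  # one honeypot set: one network server per bit of a 32-bit IPv4 address


def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer in host order, e.g. '1.1.1.1' -> 0x01010101."""
    return int(ipaddress.IPv4Address(ip))


def should_respond(sender_ip: str, server_id: int, relation: int = 1) -> bool:
    """Decision taken by honeypot server `server_id` (0..31) for a scan request from `sender_ip`.

    relation 1: respond iff bit `server_id` of the sender address is 1 (bits counted from the
                right, bit 0 = least significant), i.e. (1 << server_id) & address != 0.
    relation 2: respond iff that bit is 0.
    """
    if not 0 <= server_id < NUM_SERVERS:
        raise ValueError("server_id must be in 0..31")
    if relation not in (1, 2):
        raise ValueError("relation must be 1 or 2")
    bit = (ip_to_int(sender_ip) >> server_id) & 1
    return bit == 1 if relation == 1 else bit == 0


def responder_ids(sender_ip: str, relation: int = 1) -> Set[int]:
    """Identification information set: the sequence numbers of all servers that answer `sender_ip`."""
    return {i for i in range(NUM_SERVERS) if should_respond(sender_ip, i, relation)}


def ip_from_responder_ids(ids: Set[int], relation: int = 1) -> str:
    """Inverse of responder_ids: rebuild the sender address from the set of responding IDs.

    Under relation 2 the responding IDs mark the zero bits, so the value is complemented.
    A missing ID (for example a lost capture) flips one bit and yields a wrong address.
    """
    value = 0
    for i in ids:
        if not 0 <= i < NUM_SERVERS:
            raise ValueError("server id out of range")
        value |= 1 << i
    if relation == 2:
        value ^= (1 << NUM_SERVERS) - 1
    return str(ipaddress.IPv4Address(value))


if __name__ == "__main__":
    # The four addresses used in the specification, as seen by server number 26.
    for ip in ("1.1.1.1", "23.9.7.1", "49.235.7.84", "119.159.246.244"):
        print(f"{ip:>16} {ip_to_int(ip):032b} responds(26)={should_respond(ip, 26)} "
              f"ids={sorted(responder_ids(ip))}")
```

Running the block prints, for each address, its 32-bit code, whether server 26 answers under relation one, and the full identification information set; the last function shows why a single lost response changes the recovered address by exactly one bit.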
In an alternative embodiment, the network server also generates a network traffic log that records the scan request together with its response result; this log may also be called a scan log. That is, for every scan request received within the preset statistical time period the network server records the source IP, the destination IP, the sending time of the request and whether a response message was sent, i.e. the log records the sender's network address information, the receiver's network address information, the request time and the response result. The response result indicates whether the scan request was responded to, in other words whether a response message was sent.
For example, if the sender with network address information 1.1.1.1 sends a scan request at time t1 to the network server with network address information 6.6.6.6, and that network server has sequence number 0, the network server responds to the scan request according to the set matching relationship (bit 0 of 1.1.1.1 is 1). The resulting network traffic log entry has sender network address information 1.1.1.1, receiver network address information 6.6.6.6, request time t1, and response result "yes", indicating that a response was made.
In the above embodiment, the network server responds to the scan request sent by the attacker based on the set matching relationship, that is, the network server responds only after determining according to the network address information for sending the scan request, instead of responding to the scan requests sent by all senders, the network addresses of different attackers are different, and the corresponding network servers making responses are also different, so that the server initiating the reflective DDoS attack can be identified and marked by recording the response result of the scan request, so that the subsequent DDoS attack initiated by the server is identified, and the tracing of the reflective DDoS attack is realized.
S33: after receiving an attack request sent by a sender as an attacker, sending back complex data to an attacked party corresponding to the sender network address information in the attack request so as to realize the network attack of the attacker on the attacked party.
In an alternative embodiment, the network server further needs to generate a network traffic log for recording the attack request based on the attack request, which may also be referred to as an attack log, and the log also records the network address information of the sender, the network address information of the receiver, the time of sending the request, and the like.
For example, when an attacker whose real network address information is 1.1.1.1 attacks a target whose network address information is 3.3.3.3, the attacker forges its own network address information as 3.3.3.3 and sends an attack request at time t2 to the network server with network address information 6.6.6.6. The corresponding network traffic log entry therefore has sender network address information 3.3.3.3, receiver network address information 6.6.6.6, and request time t2.
After the network server with network address information of 6.6.6.6 receives the attack request, it sends a lot of response messages to the attacked party with network address information of 3.3.3.3, resulting in bandwidth congestion.
In the above embodiment, the attack request and the scanning request of the attacker are replied by deploying the honeypots, so that the network address information of the attacker can be traced back according to the scanning request at a later stage.
Referring to fig. 4, an implementation flow chart of a network attack tracing method provided in the embodiment of the present application is applied to an attacked party, and a specific implementation flow of the method is as follows:
s41: according to the response result of each network server in at least one network server set to the scanning request, determining the corresponding relation between the network address information of a scanning request sender and the identification information sets of the network servers, wherein each identification information set comprises the identification information of the network servers responding to the scanning request of the same network address information, and each network server selects the scanning request which meets the set matching relation between the response network address information and the identification information of the network server.
In the embodiment of the application, when the network server receives the scanning request or the attack request sent by the attacker within the preset statistical time period, a network traffic log is generated, so that when the response result of each network server to the scanning request is obtained, the network traffic log can be obtained through the network traffic log recorded by each network server, wherein the network traffic log is used for recording the request and the response result sent by each sender to the network server within the preset statistical time period, and the request comprises the scanning request and the attack request. From the previous analysis, it can be seen that as long as the attacker server (sender) initiates scanning, the true source address is used, and the source address when initiating a reflection-type DDoS attack is a fake source address. The honeypot can receive the scanning request and the DDoS attack request, so that the scanning request of the attacker server needs to be identified to obtain the real IP of the attacker server, a corresponding relation between the network address information of a sender and the identification information set of the network server is further established, a DDoS attack event is associated with the real IP of the server owned by a hacker, and the tracing evidence obtaining of the reflection-type DDoS attack can be realized.
The specific implementation mode is as follows: acquiring network flow logs recorded by each network server within a preset statistical time period; and screening out a scanning log used for recording the scanning request in the network flow log based on the sending frequency of the request recorded in the network flow log, and further acquiring a response result of the network server recorded in the scanning log to the scanning request.
When the scan logs are screened out of the network traffic logs, the screening is mainly done by the frequency of requests, that is, the sending rate of requests from a given sender. A scan needs only a small number of requests to determine whether a service is open, whereas a DDoS attack must be sustained, so the network servers are requested continuously; packet-capture analysis of actual DDoS attacks shows that the request rate easily exceeds 50 requests per minute (written in the embodiments as 50 QPS/min, where QPS, queries per second, is a measure of how much traffic a particular query server handles in a specified time).
Therefore, when screening out the scan log for recording the scan request in the network traffic log based on the sending frequency of the request recorded in the network traffic log, an optional implementation manner is as follows:
and obtaining the network flow logs to be analyzed with the same network address information of the sender, and if the sending frequency of the request recorded in the network flow logs to be analyzed is smaller than a preset frequency threshold, determining the network flow logs to be analyzed as scanning logs for recording scanning requests. Otherwise, determining the network flow log to be analyzed as an attack log for recording the attack request.
Assume a total of 218 network traffic logs within the preset statistical period (1 minute) and a preset frequency threshold of 50 qps/min. First, among the 218 network traffic logs, those with the same sender network address information are grouped together as the traffic logs to be analyzed. Then it is judged whether the sending frequency of the requests recorded in each group of traffic logs to be analyzed is less than the preset frequency threshold.
For example, there are 32 network traffic logs with IP1 as the sender network address information, the sending frequency of the requests recorded in the 32 to-be-analyzed network traffic logs is 32 qps/min, which is lower than the preset frequency threshold, i.e., the number of requests in 1 minute by IP1 does not exceed 50, so the 32 to-be-analyzed network traffic logs can be regarded as the scan logs recording the scan requests.
If there are likewise 32 network traffic logs each with sender network address information IP2, IP3 and IP4, those network traffic logs to be analyzed are also scan logs recording scan requests. The sender network address information of the remaining 90 network traffic logs is IP5, and the sending frequency of the requests recorded in those 90 logs is 90 qps/min, which is higher than the preset frequency threshold, that is, IP5 sent more than 50 requests in 1 minute, so those 90 network traffic logs can be regarded as attack logs recording attack requests.
Therefore, the identification set of the network server corresponding to the network address information IP1 can be determined according to the response result of the scanning request recorded in the 32 network traffic logs of which the network address information of the sender is IP 1; the identification sets of the network servers corresponding to the network address information IP2, IP3 and IP4 are determined.
Assume that the network servers corresponding to the network address information of the receiving party in the 32 network traffic logs with the network address information of the sending party being IP1, IP2, IP3 and IP4 are 32 network servers in the same network server set.
When each network server selects to respond to a scanning request with the network address information and the identification information thereof meeting the set matching relationship, the following two selection modes can be specifically adopted, and the two selection modes respectively correspond to the set matching relationship I and the set matching relationship II described above. The mode when the network server selects the response is different, and the corresponding determined identification information sets of the network server are also different, and the two cases are introduced respectively as follows:
and in the first selection mode, each network server selects the scanning request corresponding to the sequencing sequence number of the position of the bit with the bit value of 1 in the binary code of the response network address information. The selection mode corresponds to the set matching relationship.
Assuming that IP1 is 1.1.1.1, the answer result is yes in the 32 scan logs with the sender network address information of 1.1.1.1, that is, there are 4 network servers answering the sender's scan request, and the identification information is 0, 8, 16, and 24, respectively, so that the identification information set corresponding to 1.1.1.1 is {0, 8, 16, 24 }.
Assuming that IP2 is 23.9.7.1, in the 32 network traffic logs with the sender network address information of 23.9.7.1, 10 network servers with yes response result, and the identification information is 0, 8, 9, 10, 16, 19, 24, 25, 26, and 28, respectively, then the identification information set corresponding to 23.9.7.1 is {0, 8, 9, 10, 16, 19, 24, 25, 26, and 28 }.
Assuming that IP3 is 49.235.7.84, if 15 network servers are found as a result of response in the 32 network traffic logs with the sender network address information of 49.235.7.84, and the identification information is 2, 4, 6, 8, 9, 10, 16, 17, 19, 21, 22, 23, 24, 28, and 29, respectively, the identification information set corresponding to 49.235.7.84 is {2, 4, 6, 8, 9, 10, 16, 17, 19, 21, 22, 23, 24, 28, and 29 }.
Assuming that IP4 is 119.159.246.244, if there are 23 network servers with response result "yes" in the 32 network traffic logs with sender network address information 119.159.246.244 and their identification information is 2, 4, 5, 6, 7, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 28, 29 and 30 respectively, the identification information set corresponding to 119.159.246.244 is {2, 4, 5, 6, 7, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 24, 25, 26, 28, 29, 30}.
Finally, for the 4 IP addresses, the established correspondence between network address information and identification information sets is shown in the table in fig. 5, where ID refers to the identification information of the network servers, 0 to 31, and IP refers to the sender network address information, the 4 IP addresses listed above. A network server whose entry in the row of an IP address is 1 responds to that sender; an entry of 0 means it does not.
And selecting a second selection mode, wherein each network server selects the scanning request corresponding to the sequencing sequence number of the position of the bit with the bit value of 0 in the binary codes of the response network address information, and the selection mode corresponds to the set matching relationship two.
Also taking the four IP addresses listed above as an example, assume that IP1 is 1.1.1.1 and that in the 32 scan logs with sender network address information 1.1.1.1 there are 28 network servers that responded to the sender's scan request, i.e. with response result "yes", with identification information 1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 28, 29, 30 and 31 respectively; the identification information set corresponding to 1.1.1.1 is then {1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 28, 29, 30, 31}.
Assuming that IP2 is 23.9.7.1, if 22 network servers are found as a result of response in the 32 network traffic logs with the sender network address information of 23.9.7.1 and the identification information is 1, 2, 3, 4, 5, 6, 7, 11, 12, 13, 14, 15, 17, 18, 20, 21, 22, 23, 27, 29, 30, 31, respectively, the set of identification information corresponding to 23.9.7.1 is {1, 2, 3, 4, 5, 6, 7, 11, 12, 13, 14, 15, 17, 18, 20, 21, 22, 23, 27, 29, 30, 31 }.
Assuming that IP3 is 49.235.7.84, if 17 network servers are found as a result of response in the 32 network traffic logs with the sender network address information of 49.235.7.84, and the identification information is 0, 1, 3, 5, 7, 11, 12, 13, 14, 15, 18, 20, 25, 26, 27, 30, and 31, respectively, the set of identification information corresponding to 49.235.7.84 is {0, 1, 3, 5, 7, 11, 12, 13, 14, 15, 18, 20, 25, 26, 27, 30, 31 }.
Assuming that IP4 is 119.159.246.244, in the 32 network traffic logs with sender network address information 119.159.246.244 there are 9 network servers with response result "yes", with identification information 0, 1, 3, 8, 11, 21, 22, 27 and 31 respectively, so the identification information set corresponding to 119.159.246.244 is {0, 1, 3, 8, 11, 21, 22, 27, 31}.
Finally, for the 4 IP addresses, the established correspondence between network address information and identification information sets is shown in the table in fig. 6, where ID refers to the identification information of the network servers, 0 to 31, and IP refers to the sender network address information, the 4 IP addresses listed above. A network server whose entry in the row of an IP address is 0 responds to that sender; an entry of 1 means it does not.
It should be noted that fig. 5 and fig. 6 are merely examples of correspondence between a few IP addresses and identification information sets of the network server, and when the IP addresses are other IP addresses than the tables shown in the figures, the correspondence between enough IP addresses and identification information sets can be established based on the above manner, which is only an example.
In an alternative embodiment, since packets may be lost during packet capture or the capture frequency may be too low, deploying a single set of honeypots may fail to identify the attacker IP accurately. For example, when the attacker IP is 255.255.255.255, all 32 network servers in a set of honeypots should respond to the attacker IP and be added to the honeypots' reflection source list; if packet loss or the like occurs and statistics show that only 31 honeypots responded, the attacker IP determined from the honeypots may be 255.255.255.254 (the network server sequence numbers corresponding to this IP address are 1 to 31) or another IP instead of 255.255.255.255, and the attacker IP obtained by tracing is then wrong.
Based on this situation, the embodiment of the application considers deploying multiple sets of honeypots and cross-comparing the distribution of each set's honeypots among the attack sources, so that identification accuracy is improved and false alarms caused by packet capture loss and the like are eliminated.
When a plurality of sets of honeypots are deployed, a plurality of network server sets are correspondingly arranged, identification information in the network server sets corresponds to one another one by one, namely the sequence number of each network server in each network server set is 0-31. When the corresponding relationship between each network address information and the identification information set of the network server is established, firstly, the corresponding relationship is acquired according to each network server set; and then combining the identification information sets corresponding to the same network address information in each corresponding relation to remove repeated identification information.
For example, there are 3 sets of network servers, where the set of network identifiers corresponding to IP1 obtained by the first set of network servers is {0, 8, 16}, the set of network identifiers corresponding to IP1 obtained by the second set of network servers is {0, 8, 16, 24}, and the set of network identifiers corresponding to IP1 obtained by the third set of network servers is {8, 16, 24}, based on the above three correspondence relationships, when determining the set of network identifiers corresponding to IP1, merging and deduplication are needed, first merging to obtain the set of identifiers {0, 0, 8, 8, 8, 16, 16, 16, 24, 24}, and the set of network identifiers obtained after deduplication is {0, 8, 16, 24}, and finally obtaining the set of network identifiers corresponding to IP1 {0, 8, 16, 24 }.
In the above embodiment, the accuracy of the corresponding relationship can be improved by deploying a plurality of network server sets, so that the accuracy of network address positioning is improved, and false alarms caused by packet capturing and packet loss are reduced.
S42: when receiving a network attack initiated by an attacker through target network servers in the network server set, acquiring the identification information of each target network server;
S43: determining, according to the corresponding relation, the network address information corresponding to the identification information set composed of the identification information of each target network server as the network address information of the attacker.
Specifically, in the attack process, the source IP in the reply data sent by each target network server, that is, the network address information of each target network server is captured, and the identification information of each target network server is further determined. And then, according to the corresponding relation, determining the network address information corresponding to the identification information set formed by the identification information of each target network server as the network address information of the attacker.
In the embodiment of the present application, the scanning initiated by an attacker before an attack causes each network server that responded to a scanning request from the attacker's server to be added to the reflection source list, so that when the attacker initiates an attack through the reflection source list, the responding network servers appear among the attack sources. Therefore, the network address information of the target network servers can be captured to determine the identification information of each target network server; for example, if the identification information of the target network servers is 0, 8, 16, 24, respectively, then by looking up the table shown in fig. 5 it can be inferred that the hacker initiated the DDoS attack from the server with IP address 1.1.1.1.
In the above embodiment, the network address information corresponding to the identification information set composed of the identification information of each target network server is used as the network address information of the attacker, and the tracing of the attacker can be quickly realized through a simple manner.
In the embodiment of the present application, it is considered that a plurality of attackers may attack through the target network servers at the same time. For example, if the identification information of the target network servers is 0, 8, 9, 10, 16, 19, 24, 25, 26, 28, a plurality of possible identification information sets can be formed from the identifications of some or all of the target network servers; assuming there are two, {0, 8, 9, 10, 16, 19, 24, 25, 26, 28} and {0, 8, 16, 24} respectively, then by looking up the table shown in fig. 5 it can be inferred that hackers initiated DDoS attacks from the servers with IP addresses 1.1.1.1 and 23.9.7.1.
In this embodiment a rapid conversion algorithm is adopted that depends on no other data, so positioning is efficient, and the problem that a reflective DDoS attack otherwise offers no point of entry, with the server under the hacker's control unavailable for evidence collection and tracing, is solved.
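Steps S42 and S43, including the multiple-attacker case just described, as an added Python example that is not the patent's own code. The honeypot addresses 192.0.2.0 to 192.0.2.31 (documentation range), the helper names, and the non-honeypot source 203.0.113.5 are constructed for the example. The correspondence rows for 1.1.1.1 and 23.9.7.1 are the values given in the text (fig. 5 convention, response when the bit is 1); the row for 49.235.7.84 is derived from the same bit rule and is an assumption.

```python
from collections.abc import Iterable, Mapping

# Assumed addresses of the 32 honeypots in one network server set; the host
# part is the honeypot's sequence number, i.e. its identification information.
HONEYPOT_ADDRESSES: dict[str, int] = {f"192.0.2.{i}": i for i in range(32)}

# Correspondence table in the style of fig. 5 (response when the bit is 1).
# 1.1.1.1 and 23.9.7.1 are the rows given in the text; 49.235.7.84 is derived
# from the same bit rule for this example.
CORRESPONDENCE: dict[str, frozenset[int]] = {
    "1.1.1.1": frozenset({0, 8, 16, 24}),
    "23.9.7.1": frozenset({0, 8, 9, 10, 16, 19, 24, 25, 26, 28}),
    "49.235.7.84": frozenset({2, 4, 6, 8, 9, 10, 16, 17, 19, 21, 22, 23, 24, 28, 29}),
}


def ids_from_reply_sources(source_ips: Iterable[str]) -> frozenset[int]:
    """Step S42: map the source IPs of the reply data captured during the attack
    to honeypot identification information; sources that are not honeypots are
    ignored, since only honeypots carry a sequence number."""
    return frozenset(HONEYPOT_ADDRESSES[ip] for ip in source_ips if ip in HONEYPOT_ADDRESSES)


def trace_attackers(observed_ids: Iterable[int],
                    table: Mapping[str, frozenset[int]]) -> dict[str, frozenset[int]]:
    """Step S43: every scanner IP whose recorded identification set is contained
    in the set of honeypots observed as reflection sources.  More than one IP
    matches when several attackers use overlapping reflectors at the same time."""
    observed = frozenset(observed_ids)
    return {ip: ids for ip, ids in table.items() if ids and ids <= observed}


def unexplained_ids(observed_ids: Iterable[int],
                    matches: Mapping[str, frozenset[int]]) -> frozenset[int]:
    """Reflection sources not covered by any matched scanner: a sign that the
    correspondence table is incomplete or that a scan record was lost."""
    covered = frozenset().union(*matches.values()) if matches else frozenset()
    return frozenset(observed_ids) - covered


if __name__ == "__main__":
    # constructed capture: reply data reaching the attacked party from these sources
    reply_sources = [f"192.0.2.{i}" for i in (0, 8, 9, 10, 16, 19, 24, 25, 26, 28)]
    reply_sources.append("203.0.113.5")
    observed = ids_from_reply_sources(reply_sources)
    found = trace_attackers(observed, CORRESPONDENCE)
    print("attackers:", sorted(found))                               # ['1.1.1.1', '23.9.7.1']
    print("unexplained:", sorted(unexplained_ids(observed, found)))  # []
```

The subset test is what lets the table resolve two simultaneous attackers: {0, 8, 16, 24} is contained in the observed set even though every one of its members is also used by 23.9.7.1. Restricting candidates to rows actually present in the table (addresses that scanned the honeypots) is what keeps a coincidental subset such as 1.1.1.0 from being reported.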
In addition, it should be noted that the honeypot server recited in the embodiment of the present application supports reflection scenarios of various types of protocols, and can be specifically divided into a UDP reflection scenario and a TCP reflection scenario according to the types of protocols, so that the honeypot server has extensibility.
Fig. 7 is a timing chart of a complete method for tracing a network attack in the embodiment of the present application.
The specific implementation flow of the method is as follows:
S71: an attacker sends a scanning request to each network server in a network server set within a preset statistical time period;
S72: the network servers in the network server set respond to the attacker;
S73: the network servers in the network server set generate network flow logs recording the scanning request according to the response result;
S74: the attacker forges the network address of the attacked party and sends attack requests to the network servers in the network server set within the preset statistical time period;
S75: the network servers in the network server set respond to the attacked party according to the attack requests;
S76: the network servers in the network server set generate network flow logs recording the attack requests;
S77: the attacked party obtains the network flow logs recorded by each network server in the network server set, identifies the scanning logs that record scanning requests, and establishes the corresponding relation between the network address information of the attacking party and the identification information sets of the network servers according to the response results of the scanning requests recorded in the scanning logs;
S78: the attacker sends attack requests to the target network servers in the network server set;
S79: the target network servers in the network server set respond to the attacked party according to the attack requests;
S710: the attacked party obtains the network address information of the target network servers, obtains the identification information of each target network server, and determines, according to the corresponding relation, the network address information corresponding to the identification information set composed of the identification information of the target network servers as the network address information of the attacking party.
It should be noted that fig. 7 does not necessarily show only one attacker and one attacked party; there are also a plurality of network servers in the network server set, and the target network servers are those network servers in the network server set that can serve as reflection sources for the attacker.
As shown in fig. 8, a schematic structural diagram of a network attack tracing apparatus 800 according to an embodiment of the present application may include:
a relationship establishing unit 801, configured to determine, according to the response result of each network server in at least one network server set to a scanning request, the corresponding relation between the network address information of the scanning request sender and the identification information sets of the network servers, where each identification information set comprises the identification information of the network servers responding to scanning requests from the same network address information, and each network server responds only to scanning requests whose sender network address information and the server's own identification information satisfy a set matching relationship;
an identifier determining unit 802, configured to obtain identifier information of each target network server when receiving a network attack initiated by an attacker through the target network servers in the network server set;
the attack tracing unit 803 is configured to determine, according to the correspondence, network address information corresponding to an identification information set composed of identification information of each target network server as network address information of an attacker.
Optionally, the network server sets include at least two, the identification information in each network server set corresponds to one another, and the relationship establishing unit 801 is specifically configured to:
respectively acquiring corresponding relations according to each network server set;
and combining the identification information sets corresponding to the same network address information in the corresponding relations to remove repeated identification information.
Optionally, the relationship establishing unit 801 is further configured to obtain a response result of each network server to the scanning request in the following manner:
acquiring network flow logs recorded by each network server within a preset statistical time period, wherein the network flow logs are used for recording requests and response results sent by each sender to the network servers within the preset statistical time period, and the requests at least comprise scanning requests;
screening out a scanning log used for recording a scanning request in the network flow log based on the sending frequency of the request recorded in the network flow log;
and acquiring a response result of the network server to the scanning request recorded in the scanning log.
Optionally, the relationship establishing unit 801 is specifically configured to:
acquiring a network flow log to be analyzed, wherein the network address information of a sender is the same;
and if the sending frequency of the request recorded in the network flow log to be analyzed is less than a preset frequency threshold, determining the network flow log to be analyzed as a scanning log for recording the scanning request.
Optionally, in the at least one network server set, the number of network servers included in each network server set is the same as the number of binary coding bits of the network address information, and the identification information of each network server is a sorting sequence number; and
each network server selecting the scanning request to respond to, whose network address information and the server's own identification information satisfy the set matching relationship, comprises: each network server responds to the scanning request whose network address information, in binary coding, has a bit value of 1 at the bit position corresponding to the server's sequence number; or
each network server responds to the scanning request whose network address information, in binary coding, has a bit value of 0 at the bit position corresponding to the server's sequence number.
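The scanning-log screening by sending frequency performed by the relationship establishing unit 801, and the merging of identification information sets across several network server sets described earlier in this section with the three-set example, as one added Python example that is not the patent's own code. The key=value log format, the statistical period of 600 seconds, the frequency threshold of 1 request per second, the two honeypot sets A and B, and the forged sender address 198.51.100.7 are all constructed for the example; the scan responses are generated with the bit rule of fig. 5 and one scan record in set A is deliberately dropped to stand in for capture loss.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

PERIOD_SECONDS = 600         # preset statistical time period (assumed value)
FREQUENCY_THRESHOLD = 1.0    # requests per second; senders below it are scanners (assumed value)


@dataclass(frozen=True)
class Record:
    t: int            # capture time in seconds from the start of the period
    hp_set: str       # honeypot set the record came from ("A", "B", ...)
    hp_id: int        # sequence number 0..31 of the honeypot inside its set
    sender: str       # sender network address information
    responded: bool   # response result recorded by the honeypot


def parse_log(text: str) -> list[Record]:
    """Parse the constructed key=value log format (an assumption for this example)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        records.append(Record(int(kv["t"]), kv["set"], int(kv["id"]),
                              kv["sender"], kv["responded"] == "1"))
    return records


def build_sample_log() -> str:
    """Constructed traffic log: two honeypot sets A and B, two scanners, and one
    flood of attack requests carrying a forged (attacked party) sender address."""
    lines = []
    for hp_set in ("A", "B"):
        for scanner in ("1.1.1.1", "23.9.7.1"):
            value = int(ipaddress.IPv4Address(scanner))
            for i in range(32):
                if hp_set == "A" and scanner == "1.1.1.1" and i == 24:
                    continue  # simulate one scan record lost during capture in set A
                lines.append(f"t={100 + i} set={hp_set} id={i} sender={scanner} "
                             f"responded={(value >> i) & 1}")
    for n in range(1500):  # high-rate attack requests, far above the threshold
        lines.append(f"t={500 + n // 100} set=A id={n % 32} sender=198.51.100.7 responded=1")
    return "\n".join(lines)


def screen_scan_logs(records: list[Record]) -> dict[str, list[Record]]:
    """Group logs by sender and keep the senders whose request frequency over the
    statistical period is below the threshold; those are the scanning logs."""
    by_sender: dict[str, list[Record]] = defaultdict(list)
    for r in records:
        by_sender[r.sender].append(r)
    return {s: rs for s, rs in by_sender.items()
            if len(rs) / PERIOD_SECONDS < FREQUENCY_THRESHOLD}


def correspondence_per_set(scan_logs):
    """Per honeypot set: sender IP -> IDs of the honeypots that responded to its scan."""
    table = defaultdict(lambda: defaultdict(set))
    for sender, rs in scan_logs.items():
        for r in rs:
            if r.responded:
                table[r.hp_set][sender].add(r.hp_id)
    return table


def merged_correspondence(per_set) -> dict[str, frozenset[int]]:
    """Combine the identification sets of the same sender across all sets and
    drop duplicates, i.e. take the set union."""
    merged: dict[str, set[int]] = defaultdict(set)
    for one_set in per_set.values():
        for sender, ids in one_set.items():
            merged[sender] |= ids
    return {s: frozenset(ids) for s, ids in merged.items()}


def establish_correspondence(log_text: str):
    per_set = correspondence_per_set(screen_scan_logs(parse_log(log_text)))
    return per_set, merged_correspondence(per_set)


if __name__ == "__main__":
    per_set, merged = establish_correspondence(build_sample_log())
    print("set A, 1.1.1.1:", sorted(per_set["A"]["1.1.1.1"]))   # [0, 8, 16]
    print("merged, 1.1.1.1:", sorted(merged["1.1.1.1"]))        # [0, 8, 16, 24]
```

Set A alone would record {0, 8, 16} for 1.1.1.1 because of the dropped record and would therefore decode to the wrong address; the union with set B restores {0, 8, 16, 24}. The flood from 198.51.100.7 never reaches the correspondence table because its frequency exceeds the threshold, which is the screening step of claim 4.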
As shown in fig. 9, a schematic structural diagram of another network attack tracing apparatus 900 according to an embodiment of the present application may include:
a receiving unit 901, configured to receive a scanning request sent by a sender, and acquire network address information of the sender;
a response unit 902, configured to respond to the scanning request when the network address information of the sender and the apparatus's own identification information satisfy the set matching relationship;
a replying unit 903, configured to send reply data back to the attacked party corresponding to the sender network address information in the attack request after receiving the attack request sent when the sender acts as an attacker, thereby carrying out the attacker's network attack on the attacked party.
Optionally, the apparatus further comprises:
a recording unit 904, configured to generate a network traffic log for recording the scan request based on a response result of the scan request.
Optionally, the set matching relationship comprises:
the position sequence of any bit with bit value 1 in the binary code of the sender network address information corresponds to the apparatus's own sequence number; or
the position sequence of any bit with bit value 0 in the binary code of the sender network address information corresponds to the apparatus's own sequence number.
For convenience of description, the above parts are separately described as modules (or units) according to functional division. Of course, the functionality of the various modules (or units) may be implemented in the same one or more pieces of software or hardware when implementing the present application.
After introducing the cyber attack tracing method and apparatus according to an exemplary embodiment of the present application, an electronic device according to another exemplary embodiment of the present application is introduced next.
As will be appreciated by one skilled in the art, each aspect of the present application may be embodied as a system, method or program product. Accordingly, each aspect of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
In some possible implementations, embodiments of the present application further provide an electronic device, and referring to fig. 10, the electronic device 1000 may include at least one processor 1001 and at least one memory 1002. The memory 1002 stores program codes, and when the program codes are executed by the processor 1001, the processor 1001 is enabled to execute the steps of the network attack tracing method according to the various exemplary embodiments of the present application described above in this specification. For example, the processor 1001 may perform the steps as shown in fig. 3 or the steps shown in fig. 4.
In some possible implementations, the present application further provides a computing device, which may include at least one processing unit and at least one storage unit. Wherein the storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps of the service invocation method according to various exemplary embodiments of the present application described above in the present specification. For example, the processing unit may perform the steps as shown in fig. 3 or the steps as shown in fig. 4.
The computing device 110 according to this embodiment of the present application is described below with reference to FIG. 11. The computing device 110 of FIG. 11 is only one example and should not be taken to limit the scope of use or functionality of embodiments of the present application.
As shown in FIG. 11, computing device 110 is in the form of a general purpose computing device. Components of computing device 110 may include, but are not limited to: the at least one processing unit 111, the at least one memory unit 112, and a bus 113 connecting various system components (including the memory unit 112 and the processing unit 111).
Bus 113 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures.
The storage unit 112 may include readable media in the form of volatile memory, such as Random Access Memory (RAM)1121 and/or cache storage unit 1122, and may further include Read Only Memory (ROM) 1123.
The storage unit 112 may also include a program/utility 1125 having a set (at least one) of program modules 1124, such program modules 1124 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The computing device 110 may also communicate with one or more external devices 114 (e.g., keyboard, pointing device, etc.), with one or more devices that enable a user to interact with the computing device 110, and/or with any devices (e.g., router, modem, etc.) that enable the computing device 110 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 115. Also, the computing device 110 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) through the network adapter 116. As shown, the network adapter 116 communicates with other modules for the computing device 110 over the bus 113. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the computing device 110, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, to name a few.
In some possible embodiments, each aspect of the cyber attack tracing method provided by the present application may also be implemented in the form of a program product including program code for causing a computer device to perform the steps in the cyber attack tracing method according to various exemplary embodiments of the present application described above in this specification when the program product runs on the computer device, for example, the computer device may perform the steps as shown in fig. 3 or the steps shown in fig. 4.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product of embodiments of the present application may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a computing device. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with a command execution system, apparatus, or device.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (15)

1. A network attack tracing method is characterized by comprising the following steps:
determining a corresponding relation between network address information of a scanning request sender and an identification information set of a network server according to a response result of each network server in at least one network server set to a scanning request, wherein each identification information set comprises identification information of the network server responding to the scanning request of the same network address information, and each network server selects the scanning request of which the response network address information and the identification information of the network server meet a set matching relation;
when receiving a network attack initiated by an attacker through a target network server in the network server set, acquiring identification information of each target network server;
and determining, according to the corresponding relation, the network address information corresponding to the identification information set composed of the identification information of the target network servers as the network address information of the attacker.
2. The method according to claim 1, wherein the network server sets include at least two network server sets, identification information in each network server set corresponds to one another, and the determining a correspondence between network address information of a sender of the scan request and the identification information sets of the network servers specifically includes:
respectively acquiring corresponding relations according to each network server set;
and combining the identification information sets corresponding to the same network address information in the corresponding relations to remove repeated identification information.
3. The method of claim 1, wherein the response result of each network server to the scan request is obtained by:
acquiring network flow logs recorded by each network server in a preset statistical time period, wherein the network flow logs are used for recording requests and response results sent by each sender to the network servers in the preset statistical time period, and the requests at least comprise scanning requests;
screening out a scanning log used for recording a scanning request in the network flow log based on the sending frequency of the request recorded in the network flow log;
and acquiring a response result of the network server to the scanning request recorded in the scanning log.
4. The method as claimed in claim 3, wherein the screening out the scan log for recording the scan request from the network traffic log based on the sending frequency of the request recorded in the network traffic log comprises:
acquiring a network flow log to be analyzed, wherein the network address information of a sender is the same;
and if the sending frequency of the request recorded in the network flow log to be analyzed is less than a preset frequency threshold, determining that the network flow log to be analyzed is a scanning log for recording a scanning request.
5. The method according to any one of claims 1 to 4, wherein in the at least one network server set, each network server set comprises the same number of network servers as the binary coding bit number of the network address information, and the identification information of each network server is a sorting serial number; and
each network server selecting the scanning request to respond to, whose network address information and the server's own identification information satisfy the set matching relationship, comprises: each network server responds to the scanning request whose network address information, in binary coding, has a bit value of 1 at the bit position corresponding to the server's sequence number; or
each network server responds to the scanning request whose network address information, in binary coding, has a bit value of 0 at the bit position corresponding to the server's sequence number.
6. A network attack tracing method is characterized by comprising the following steps:
receiving a scanning request sent by a sender, and acquiring network address information of the sender;
when the network address information of the sender and the self identification information meet the set matching relationship, responding to the scanning request;
after receiving an attack request sent when the sender serves as an attacker, sending reply data back to the attacked party corresponding to the sender network address information in the attack request, so that when the attacked party receives a network attack initiated by the attacker through target network servers in at least one network server set, the attacked party obtains the identification information of each target network server based on the reply data and, according to the corresponding relation between the network address information of the scanning request sender and the identification information sets of the network servers, determines the network address information corresponding to the identification information set composed of the identification information of the target network servers as the network address information of the attacker;
the corresponding relation is determined according to the response result of each network server in the at least one network server set to the received scanning request, and each identification information set comprises the identification information of the network server responding to the scanning request of the same network address information.
7. The method of claim 6, wherein the method further comprises:
and generating a network flow log for recording the scanning request based on a response result of the scanning request.
8. The method according to claim 6 or 7, wherein the number of binary coded bits of the network address information is the same as the number of network servers in a network server set where the network address information is located, the identification information of each network server in the network server set is a sequence number, and the setting of the matching relationship includes:
the position sequence of any bit with bit value 1 in the binary code of the sender network address information corresponds to the network server's own sequence number; or
the position sequence of any bit with bit value 0 in the binary code of the sender network address information corresponds to the network server's own sequence number.
9. A cyber attack tracing apparatus, comprising:
the system comprises a relation establishing unit, a scanning request sending unit and a scanning request receiving unit, wherein the relation establishing unit is used for determining the corresponding relation between the network address information of a scanning request sending party and the identification information sets of the network servers according to the response result of each network server in at least one network server set to the scanning request, each identification information set comprises the identification information of the network server responding to the scanning request of the same network address information, and each network server selects the scanning request which meets the set matching relation between the response network address information and the identification information of the network server;
the identification determining unit is used for acquiring identification information of each target network server when receiving a network attack initiated by an attacker through the target network servers in the network server set;
and an attack tracing unit, configured to determine, according to the corresponding relation, the network address information corresponding to the identification information set composed of the identification information of the target network servers as the network address information of the attacker.
10. The apparatus according to claim 9, wherein the network server sets include at least two sets, identification information in each network server set corresponds to one another, and the relationship establishing unit is specifically configured to:
respectively acquiring corresponding relations according to each network server set;
and combining the identification information sets corresponding to the same network address information in the corresponding relations to remove repeated identification information.
11. The apparatus as claimed in claim 9, wherein the relationship establishing unit is further configured to obtain the response result of the respective network server to the scanning request by:
acquiring network flow logs recorded by each network server within a preset statistical time period, wherein the network flow logs are used for recording requests and response results sent by each sender to the network servers within the preset statistical time period, and the requests at least comprise scanning requests;
screening out a scanning log used for recording a scanning request in the network flow log based on the sending frequency of the request recorded in the network flow log;
and acquiring a response result of the network server to the scanning request recorded in the scanning log.
12. The apparatus according to claim 11, wherein the relationship establishing unit is specifically configured to:
acquiring a network flow log to be analyzed, wherein the network address information of a sender is the same;
and if the sending frequency of the request recorded in the network flow log to be analyzed is less than a preset frequency threshold, determining that the network flow log to be analyzed is a scanning log for recording a scanning request.
13. A cyber attack tracing apparatus, comprising:
a receiving unit, configured to receive a scanning request sent by a sender, and acquire network address information of the sender;
the response unit is used for responding to the scanning request when the network address information of the sender and the self identification information meet the set matching relationship;
a reply unit, configured to send reply data back to the attacked party corresponding to the sender network address information in the attack request after receiving the attack request sent when the sender serves as an attacker, so that when the attacked party receives a network attack initiated by the attacker through target network servers in at least one network server set, the attacked party obtains the identification information of each target network server based on the reply data and, according to the corresponding relation between the network address information of the scanning request sender and the identification information sets of the network servers, determines the network address information corresponding to the identification information set composed of the identification information of the target network servers as the network address information of the attacker;
the corresponding relation is determined according to the response result of each network server in the at least one network server set to the received scanning request, and each identification information set comprises the identification information of the network server responding to the scanning request of the same network address information.
14. An electronic device, comprising a processor and a memory, wherein the memory stores program code which, when executed by the processor, causes the processor to perform the steps of the method of any of claims 1 to 5 or to perform the steps of the method of any of claims 6 to 8.
15. A computer-readable storage medium, characterized in that it comprises program code which, when run on an electronic device, causes the electronic device to carry out the steps of the method of any one of claims 1 to 5 or the steps of the method of any one of claims 6 to 8.
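As an added illustration of claims 11 to 13 (example code, not the patent's or the assignee's own implementation): a toy model in which network servers answer a scan only when the scanner's address matches their identification, scanning logs are screened by request frequency, and the attacked party recovers the attacker's address from the identification set carried in reply data. The matching rule (server k answers when bit k of the scanner's IPv4 address is set), the flow logs, the RFC 5737 example addresses and the function names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SERVER_IDS = range(32)  # identification information of the 32 servers in the set

# Constructed matching relationship (an assumption, not the patent's own rule):
# server k answers a scan only when bit k of the scanner's IPv4 address is set,
# so the set of answering servers encodes the scanner's address.
def matches(sender_ip, server_id):
    return bool((int(ipaddress.IPv4Address(sender_ip)) >> server_id) & 1)

def screen_scan_logs(flow_logs, freq_threshold):
    """Claim 12: group entries by sender; a sender with fewer requests than the
    threshold in the statistical window is a scanner, a burst is not."""
    per_sender = defaultdict(list)
    for entry in flow_logs:
        per_sender[entry["sender"]].append(entry)
    return [e for entries in per_sender.values()
            if len(entries) < freq_threshold for e in entries]

def build_correspondence(scan_logs):
    """Scanner address -> identification set of the servers that responded."""
    corr = defaultdict(set)
    for e in scan_logs:
        if e["responded"]:
            corr[e["sender"]].add(e["server"])
    return {ip: frozenset(ids) for ip, ids in corr.items()}

def trace_attacker(correspondence, reply_server_ids):
    """Attacked party: combine the IDs carried in reply data and look the set
    up in the correspondence; None when no scanner produced that set."""
    inverse = {ids: ip for ip, ids in correspondence.items()}
    return inverse.get(frozenset(reply_server_ids))

def simulate(scanners, attacker, victim, flood_size=200, freq_threshold=64):
    # Constructed flow logs: every scanner probes each server once; the attack
    # is a flood of requests whose source is spoofed to the victim's address.
    logs = [{"sender": ip, "server": sid, "responded": matches(ip, sid)}
            for ip in scanners for sid in SERVER_IDS]
    reflectors = [sid for sid in SERVER_IDS if matches(attacker, sid)]
    logs += [{"sender": victim, "server": reflectors[i % len(reflectors)],
              "responded": True} for i in range(flood_size)]
    correspondence = build_correspondence(screen_scan_logs(logs, freq_threshold))
    # Reply data reaching the victim names the reflectors that answered the flood.
    replies_seen = {e["server"] for e in logs if e["sender"] == victim}
    return trace_attacker(correspondence, replies_seen)

if __name__ == "__main__":
    print(simulate(["203.0.113.7", "198.51.100.42"], "203.0.113.7", "192.0.2.10"))
```

The spoofed flood exceeds the frequency threshold and is excluded from the scanning logs, so only genuine scanners enter the correspondence that the victim consults.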

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010192665.2A CN111225002B (en) 2020-03-18 2020-03-18 Network attack tracing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111225002A CN111225002A (en) 2020-06-02
CN111225002B true CN111225002B (en) 2022-05-27

Family

ID=70832627

Country Status (1)

Country Link
CN (1) CN111225002B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111885007B (en) * 2020-06-30 2023-03-24 北京长亭未来科技有限公司 Information tracing method, device, system and storage medium
CN111935192B (en) * 2020-10-12 2021-03-23 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN112966166B (en) * 2021-02-07 2023-09-05 白腊梅 Method and device for generating and matching indexes of request sentences and answer sentences
CN113347186B (en) * 2021-06-01 2022-05-06 百度在线网络技术(北京)有限公司 Reflection attack detection method and device and electronic equipment
CN113904853A (en) * 2021-10-13 2022-01-07 百度在线网络技术(北京)有限公司 Intrusion detection method and device for network system, electronic equipment and medium
CN114338593B (en) * 2021-12-23 2023-07-04 上海观安信息技术股份有限公司 Behavior detection method and device for network scanning by using address resolution protocol

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103916406A (en) * 2014-04-25 2014-07-09 上海交通大学 System and method for detecting APT attacks based on DNS log analysis
CN108183916A (en) * 2018-01-15 2018-06-19 华北电力科学研究院有限责任公司 A kind of network attack detecting method and device based on log analysis
CN110149350A (en) * 2019-06-24 2019-08-20 国网安徽省电力有限公司信息通信分公司 A kind of associated assault analysis method of alarm log and device
CN110445770A (en) * 2019-07-18 2019-11-12 平安科技(深圳)有限公司 Attack Source positioning and means of defence, electronic equipment and computer storage medium

Also Published As

Publication number Publication date
CN111225002A (en) 2020-06-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40024072; Country of ref document: HK)
GR01 Patent grant