CN113037716A - Attack defense method based on content distribution network - Google Patents

Attack defense method based on content distribution network

Info

Publication number
CN113037716A
Authority
CN
China
Prior art keywords
link
protection
threshold value
standby
distribution network
Prior art date
Legal status
Granted
Application number
CN202110178012.3A
Other languages
Chinese (zh)
Other versions
CN113037716B (en)
Inventor
郑珺怡
Current Assignee
Hangzhou Upyun Technology Co ltd
Original Assignee
Hangzhou Upyun Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Upyun Technology Co ltd
Priority to CN202110178012.3A
Publication of CN113037716A
Application granted
Publication of CN113037716B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses an attack defense method based on a content distribution network (CDN), comprising the following steps: deploying n edge nodes in the CDN; determining the number of high-protection (anti-DDoS scrubbing) groups from the number of links and building a high-protection cluster in which each high-protection group contains n high-protection IPs; after a domain name is resolved to the CDN, setting a request-count threshold and a bandwidth threshold on every edge node and every link of the CDN, and performing exception handling when at least one of the request count and the traffic of an edge node exceeds its threshold; and, after resolution has been switched to the high-protection cluster, monitoring separately the request count and traffic of each high-protection IP of the cluster while at the same time monitoring the request count and traffic of the affected edge nodes, links and IPs in the CDN. The invention addresses the excessive resource consumption, and in the worst case large-scale outage, that attacks cause in a CDN, as well as the long latency and network congestion of a conventional high-protection system.

Description

Attack defense method based on content distribution network
Technical Field
The invention relates to the field of network security, in particular to an attack defense method based on a content distribution network.
Background
CDN (Content Delivery Network). Through a CDN platform, the content of an origin server can be distributed quickly and stably to the node closest to the user, which improves response time and access success rate and mitigates the access latency caused by geographic distribution, server performance, bandwidth limits and similar factors. A CDN hides the real location of the customer's origin server from the outside, but a conventional CDN has no capability to defend against high-volume attacks and commonly runs into problems such as being unable to locate the attack, or being able only to shut down the attacked node, which affects platform stability.
DDoS (Distributed Denial of Service) attack: a distributed, coordinated, large-scale attack in which the attacker uses a large number of proxy hosts to send large volumes of forged service-request packets to a target host, consuming the target's system resources so that it can no longer provide service normally. The main target is the web server, and it is a network-layer denial of service against the web service.
CC attack (Challenge Collapsar attack), a form of the DDoS attack above, in which the attacker controls a number of proxy hosts that continuously send large numbers of forged service-request packets, exhausting the target's system resources and crashing the system. It is aimed mainly at web pages and is an application-layer denial of service against the web application.
Against DDoS and CC attacks, the high-protection IP (anti-DDoS IP) is currently the more effective defense: all public-network traffic passes through the high-protection data center, attack traffic is scrubbed and filtered at the high-protection IP, and the normal traffic is forwarded to the origin IP by port/protocol forwarding. But because high-protection resources are expensive and provide almost no content acceleration, access latency and instability are worse. Research on a security protection system built on content acceleration is therefore of greater significance at present.
Disclosure of Invention
The invention provides an attack defense method based on a content delivery network (CDN) that addresses the excessive resource consumption, and in the worst case large-scale outage, that attacks cause in a CDN, as well as the long latency and network congestion of a conventional high-protection system.
An attack defense method based on a content distribution network comprises the following steps:
1) deploying n edge nodes in the content distribution network;
2) determining the number of high-protection groups from the number of links and building a high-protection cluster, each high-protection group containing n high-protection IPs;
3) after a domain name is resolved to the content distribution network, setting a request-count (QPS) threshold and a bandwidth threshold on every edge node and every link of the content distribution network, and performing exception handling when at least one of the request count and the traffic of an edge node exceeds its threshold;
4) after resolution has been switched to the high-protection cluster, monitoring separately the request count and traffic of each high-protection IP of the high-protection cluster, and at the same time monitoring the request count and traffic of the affected edge nodes, links and IPs in the content distribution network;
In step 1), each edge node has m IPs, where m is chosen according to the number and type of customers, and the m IPs correspond to m links.
In step 2), high protection means a single high-protection server with a mitigation capacity above 50 Gbps.
In step 3), the exception handling specifically comprises:
when at least one of the request count and the traffic of an edge node exceeds its threshold, replacing the edge node with a standby node that has the same number of IPs and continuing to monitor the request count and traffic of the standby node; if the request count of the standby node still exceeds the threshold, switching DNS resolution to the high-protection cluster; if it does not, the standby node and its IPs formally replace the original edge node and its IPs, and the original edge node is blackholed (null-routed) and then returned to the pool as a standby resource;
when at least one of the request count and the traffic of a single IP exceeds its threshold, replacing the whole link that the IP belongs to with a standby link and continuing to monitor the request count and traffic of the standby link; if the request count of the standby link still exceeds the threshold, switching DNS resolution to the high-protection cluster; if it does not, the standby link and its IPs formally take over, and the link the original IP belonged to is blackholed and then returned to the pool as a standby resource;
when at least one of the request count and the traffic of a link exceeds its threshold, replacing the whole link with a standby link and continuing to monitor the request count and traffic of the standby link; if the request count of the standby link still exceeds the threshold, switching DNS resolution to the high-protection cluster; if it does not, the standby link and its IPs formally take over, and the original link is blackholed and then returned to the pool as a standby resource;
In step 3), switching DNS resolution to the high-protection cluster specifically comprises:
one link corresponds to one high-protection group, so the domain names resolved on one link are switched to the IPs of that link's high-protection group; all the domain names that resolved to one IP in the content distribution network are resolved to one high-protection IP in the high-protection cluster.
In step 4), when the request count and traffic of the high-protection IP are below threshold and the request count and traffic of the affected edge node, link and IP are also below threshold, the resolution on the high-protection IP is switched back to the link it was on before the attack on the content distribution network; when the request count and traffic of the high-protection IP are below threshold but the request count and traffic of the affected edge node, link and IP are still at or above threshold, the resolution on the high-protection IP is switched to a standby link in the content distribution network;
and when the request count and traffic of the high-protection IP are still at or above threshold, resolution stays on the current high-protection IP and attack traffic continues to be scrubbed.
An attack defense method based on a content distribution network, described from the operational side, comprises the following steps:
1) Connecting the customer's service to the CDN cluster and allocating high-protection IPs for the CDN cluster at the scrubbing center.
2) Each edge node of the CDN cluster is equipped with detection and scrubbing equipment. Traffic is first detected and scrubbed at the edge, then returned to the origin through the CDN system; before reaching the origin it passes a cloud WAF node that filters application-layer attacks, and finally it reaches the customer's origin server.
3) While the service is resolved to the CDN cluster, after the first access the origin's data is cached on the corresponding edge node; subsequent users obtain the origin data from the cache of the nearest edge node in the CDN cluster, which is how the CDN cluster accelerates content.
4) When an edge node detects an attack, the affected service and the other services on the same link are automatically resolved and switched, each to its corresponding high-protection IP, for scrubbing and filtering, while the edge node continues to monitor the attack.
5) After the traffic and request count of the edge nodes and of the high-protection IPs have all returned to the normal range and the attack has stopped, resolution is automatically switched back to the corresponding edge nodes of the CDN cluster.
The domain names connected to the CDN cluster are grouped by service type to form several links; when a large-scale DDoS attack occurs, the domain names and the services on the link are scheduled to the dedicated scrubbing node.
High-protection IPs are allocated to the domain names at the scrubbing center, and the high-protection IPs of the dedicated scrubbing node are grouped by service type, the number of IPs in each group matching the number of domain names connected on a single CDN link.
After the CDN edge node detects an attack, it resolves and schedules the affected service and the other services on the same link to high-protection IPs. The specific scheduling method is chosen according to the range and characteristics of the attack: if the attack affects only a single node or IP, that node is scheduled to a standby node or standby link and then observed. If the attack continues to affect the domain names on the standby resource, the domain names of the affected link are resolved and scheduled to the corresponding high-protection IPs for scrubbing, according to service type and the high-protection IP grouping rule.
After the attack stops, resolution is automatically switched back to the corresponding edge node of the CDN cluster: if the attack on the high-protection IP, the original CDN link and the node has stopped and the data has returned to normal, resolution can be scheduled back automatically to the original link and edge node; if the high-protection IP's data has fallen back into the normal range, i.e. the attack on it has stopped, but the original link or edge node is still under attack, the domain names on the high-protection IP are scheduled to standby resources until the original link returns to normal.
A security attack prevention system (SCDN) based on intelligent scheduling and a content distribution network comprises:
1) CDN nodes, which mainly provide acceleration and data monitoring. The IPs of the edge CDN nodes are grouped to form several links; each link is configured with its own set of default protection rules according to the customers' service type, similar customers are placed on the same link and share those default rules. While a customer's service is resolved on the CDN cluster, the CDN functions such as acceleration, caching and access control remain fully usable.
2) Dedicated scrubbing nodes, which provide the main attack defense capability and the high-protection IPs; the dedicated scrubbing nodes are grouped and configured with different default protection rules according to the customers' service type (as above) and service scale.
3) The CDN edge nodes monitor traffic, bandwidth, request counts and similar data in real time during normal operation, and are also configured with small-scale local scrubbing capability.
4) A CDN edge node triggers the defense mechanism from the monitoring data and judges the attacked range from the behaviour of each domain name, each link and each node.
5) If the attacked object is a single node or IP, it is replaced by a standby node and IP group (i.e. a new link).
6) If the traffic, request count or similar data of a link is abnormal and exceeds the threshold set in the default protection rule, the DNS resolution of the link's customers is automatically scheduled from the edge node to the large-scale dedicated scrubbing node closest to the origin, and the customers are resolved by type to the different high-protection IPs of the corresponding group, where detection, scrubbing and filtering are performed separately, while the original CDN cluster link continues to be monitored.
7) When the data of the dedicated scrubbing node and of the original CDN cluster link fall back into the normal range, customer resolution is automatically scheduled back to the original link.
8) If the data of the original CDN cluster link is still abnormal after the dedicated scrubbing node has scrubbed the traffic, customer resolution is automatically scheduled to a standby link of the CDN cluster and automatically restored to the original link once the data is normal.
Compared with the prior art, the invention has the following advantages:
With no attack in progress, the invention provides full content acceleration and real-time monitoring; during a small-scale attack it triggers the defense mechanism quickly and performs CDN acceleration and scrubbing at the same time, without any manual switching of resolution.
Under a large-scale attack, the method identifies the attacked object or range in time, automatically isolates it from normal services and schedules it to the dedicated scrubbing center for effective defense, and automatically restores the normal CDN cluster as soon as the attack ends.
Drawings
Fig. 1 is a flow chart of the method for security protection based on a content distribution network according to the invention.
Fig. 2 is a schematic diagram of a CDN cluster node according to the invention: the cluster has n nodes and each node has m IPs.
Fig. 3 is a schematic diagram of the CDN cluster links according to the invention; the IP numbers correspond to those in Fig. 2. Each node contributes one of its IPs to a link, so with m IPs per node, m links can be formed.
Fig. 4 is a schematic diagram of the high-protection IP grouping of the dedicated scrubbing cluster according to the invention; its IPs correspond one-to-one to those of Fig. 3. When an attack occurs, the DNS resolution of the IPs of one link is switched to the same group of high-protection IPs, and the several domain names that originally resolved to one IP now resolve to the same high-protection IP.
Fig. 5 is a schematic diagram of the security system against attacks (SCDN) of the content distribution network of the invention.
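Figs. 2 to 4 (and steps 1 and 2 of the method) fix one structure: n nodes with m IPs each, link i made of IP number i of every node, and high-protection group i made of n IPs that correspond one-to-one to the IPs of link i, so that all domain names on a given edge IP move together to one high-protection IP when the link is switched. The following Python model is an added example written for this page, not code from the patent or from Upyun; the documentation address blocks, the `ScdnTopology` class and its method names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class ScdnTopology:
    """n edge nodes with m IPs each (Fig. 2), m links (Fig. 3) and m
    high-protection groups of n IPs (Fig. 4), with link i <-> group i.
    Added example; the address blocks are assumptions (documentation ranges)."""
    n_nodes: int
    m_ips: int
    edge_base: IPv4Address = IPv4Address("203.0.113.0")
    hp_base: IPv4Address = IPv4Address("198.51.100.0")
    dns: dict = field(default_factory=dict)    # domain -> current address
    home: dict = field(default_factory=dict)   # domain -> (node, link) it was placed on

    def __post_init__(self):
        # Fig. 2: node j owns edge_ip[j][0..m-1]
        self.edge_ip = [[self.edge_base + j * self.m_ips + i for i in range(self.m_ips)]
                        for j in range(self.n_nodes)]
        # Fig. 4: group i owns hp_ip[i][0..n-1]
        self.hp_ip = [[self.hp_base + i * self.n_nodes + j for j in range(self.n_nodes)]
                      for i in range(self.m_ips)]

    def link(self, i):
        """Fig. 3: link i is IP number i of every node."""
        return [self.edge_ip[j][i] for j in range(self.n_nodes)]

    def group(self, i):
        """High-protection group i, the one-to-one counterpart of link i."""
        return self.hp_ip[i]

    def scrub_ip(self, node, link):
        """Edge IP (node j, link i) maps to high-protection IP (group i, member j)."""
        return self.hp_ip[link][node]

    def place(self, domain, node, link):
        """Normal operation: resolve the domain to one edge IP of the cluster."""
        self.home[domain] = (node, link)
        self.dns[domain] = self.edge_ip[node][link]

    def resolve(self, domain):
        return str(self.dns[domain])

    def domains_on_link(self, link):
        return sorted(d for d, (_, lk) in self.home.items() if lk == link)

    def switch_link_to_scrubbing(self, link):
        """Step 3 cut-in: every domain on the link moves to group `link`;
        domains that shared one edge IP end up on one high-protection IP."""
        for d in self.domains_on_link(link):
            node, _ = self.home[d]
            self.dns[d] = self.scrub_ip(node, link)

    def switch_link_back(self, link):
        """Step 4 recovery: resolution returns to the pre-attack edge IPs."""
        for d in self.domains_on_link(link):
            node, _ = self.home[d]
            self.dns[d] = self.edge_ip[node][link]


def demo():
    """Constructed scenario: three domains, link 0 is cut in and then restored."""
    t = ScdnTopology(n_nodes=3, m_ips=2)
    t.place("shop.example", node=1, link=0)
    t.place("api.example", node=1, link=0)    # same edge IP as shop.example
    t.place("blog.example", node=0, link=1)   # different link, must be unaffected
    before = {d: t.resolve(d) for d in t.dns}
    t.switch_link_to_scrubbing(0)
    during = {d: t.resolve(d) for d in t.dns}
    t.switch_link_back(0)
    after = {d: t.resolve(d) for d in t.dns}
    return t, before, during, after


if __name__ == "__main__":
    _, before, during, after = demo()
    for d in before:
        print(f"{d:14} {before[d]:>14} -> {during[d]:>14} -> {after[d]}")
```

Because `scrub_ip(node, link)` is a pure function of the two indices, the cut-in and the switch-back need no per-domain table beyond each domain's home position, which is what makes the resolution change atomic per link: the whole link moves to its group, or none of it does, and domains on other links keep their edge IPs.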
Detailed Description
As shown in Figs. 1 to 4, an attack defense method based on a content distribution network comprises the following steps:
1) deploying n edge nodes in the content distribution network;
each edge node has m IPs, where m is chosen according to the number and type of customers, and the m IPs correspond to m links;
2) determining the number of high-protection groups from the number of links and building a high-protection cluster, each high-protection group containing n high-protection IPs;
high protection means a single server with a mitigation capacity above 50 Gbps.
3) After a domain name is resolved to the content distribution network, setting a request-count (QPS) threshold and a bandwidth threshold on every edge node and every link of the content distribution network, and performing exception handling when at least one of the request count and the traffic of an edge node exceeds its threshold;
the exception handling specifically comprises:
when at least one of the request count and the traffic of an edge node exceeds its threshold, replacing the edge node with a standby node that has the same number of IPs and continuing to monitor the request count and traffic of the standby node; if the request count of the standby node still exceeds the threshold, switching DNS resolution to the high-protection cluster; if it does not, the standby node and its IPs formally replace the original edge node and its IPs, and the original edge node is blackholed (null-routed) and then returned to the pool as a standby resource;
when at least one of the request count and the traffic of a single IP exceeds its threshold, replacing the whole link that the IP belongs to with a standby link and continuing to monitor the request count and traffic of the standby link; if the request count of the standby link still exceeds the threshold, switching DNS resolution to the high-protection cluster; if it does not, the standby link and its IPs formally take over, and the link the original IP belonged to is blackholed and then returned to the pool as a standby resource;
when at least one of the request count and the traffic of a link exceeds its threshold, replacing the whole link with a standby link and continuing to monitor the request count and traffic of the standby link; if the request count of the standby link still exceeds the threshold, switching DNS resolution to the high-protection cluster; if it does not, the standby link and its IPs formally take over, and the original link is blackholed and then returned to the pool as a standby resource;
switching DNS resolution to the high-protection cluster specifically comprises:
one link corresponds to one high-protection group, so the domain names resolved on one link are switched to the IPs of that link's high-protection group; all the domain names that resolved to one IP in the content distribution network are resolved to one high-protection IP in the high-protection cluster.
4) After resolution has been switched to the high-protection cluster, monitoring separately the request count and traffic of each high-protection IP of the high-protection cluster, and at the same time monitoring the request count and traffic of the affected edge nodes, links and IPs in the content distribution network;
when the request count and traffic of the high-protection IP are below threshold and the request count and traffic of the affected edge node, link and IP are also below threshold, the resolution on the high-protection IP is switched back to the link it was on before the attack on the content distribution network; when the request count and traffic of the high-protection IP are below threshold but the request count and traffic of the affected edge node, link and IP are still at or above threshold, the resolution on the high-protection IP is switched to a standby link in the content distribution network;
and when the request count and traffic of the high-protection IP are still at or above threshold, resolution stays on the current high-protection IP and attack traffic continues to be scrubbed.
As shown in Fig. 1, the method for security protection based on a content distribution network of the invention, i.e. the security attack prevention system (SCDN) based on intelligent scheduling and a content distribution network, comprises the following steps:
A) As shown in Figs. 2 and 3, one IP is taken from each node of the CDN cluster to form a link. The IPs in each link use one set of default protection rules, including the request-count and traffic thresholds.
B) As shown in Fig. 4, the high-protection IPs of the dedicated scrubbing cluster are grouped, each group corresponding to one link of Fig. 3; the protection rules are set according to the attack characteristics, with reference to the thresholds configured on the original link.
C) Users reach the SCDN cluster through DNS resolution. Under normal, non-attack conditions, domain names resolve to the different links of the edge nodes of the front-end CDN cluster. Link assignment is differentiated by the domain name's service type and protocol type.
D) The CDN cluster provides CDN services such as nearest-node acceleration for the domain name while monitoring traffic, bandwidth, request counts and similar data in real time.
E) When an attack occurs, the defense mechanism is triggered from the monitoring data, and the attacked domain names and IP range are judged from the data of each domain name, each link and each node.
F) The scheduling mode is determined by the scale and range of the attack.
G) If the attacked object is a single node or IP of the CDN cluster, it is replaced by the standby node or IP group (i.e. the attacked link) and monitoring continues; if the attack scale is within the defense capability of the CDN node and the attack does not follow to the standby node, the original node and link are blackholed and, after a period of time, converted into the standby node and link.
H) If the attack scale in G) exceeds the node's capability, or the attack follows the standby node and link, all domain name resolutions on the affected link must be scheduled to the dedicated scrubbing cluster. The specific procedure is the one described in I) to L) for a link attack.
I) If a link is attacked and all the IPs on the link are abnormal, the DNS resolution of that link is scheduled in full to the high-protection IP group of the large-scale dedicated scrubbing node whose protection rules correspond to the link, and, according to the customer's service type, domain names belonging to the same customer or to similar service types are resolved to the same high-protection IP for protection.
J) During the defense, the CDN cluster link keeps being monitored. When the defense by the dedicated scrubbing cluster has finished and the attack has stopped, whether DNS resolution is restored to the pre-attack state is decided from the condition of the original link.
K) If the attack on the original link has stopped, resolution is scheduled back to the original link and normal content acceleration resumes.
L) If the attack on the original link has not stopped, resolution is scheduled to the standby link until the original link returns to normal.
As shown in Fig. 5, a security system against attacks (SCDN) based on intelligent scheduling and a content distribution network comprises the following:
n edge nodes are deployed in the content distribution network; the number of high-protection groups is determined from the number of links and a high-protection cluster is built in which each high-protection group contains n high-protection IPs; each edge node has m IPs, where m is chosen according to the number and type of customers, and the m IPs correspond to m links;
a) CDN nodes, which mainly provide acceleration and data monitoring. The IPs of the edge CDN nodes are grouped to form several links; each link is configured with its own set of default protection rules according to the customers' service type, similar customers are placed on the same link and share those default rules. While a customer's service is resolved on the CDN cluster, the CDN functions such as acceleration, caching and access control remain fully usable.
b) Dedicated scrubbing nodes, which provide the main attack defense capability and the high-protection IPs; the dedicated scrubbing nodes are grouped and configured with different default protection rules according to the customers' service type (as above) and service scale.
c) The CDN edge nodes monitor traffic, bandwidth, request counts and similar data in real time during normal operation, and are also configured with small-scale local scrubbing capability.
d) A CDN edge node triggers the defense mechanism from the monitoring data and judges the attacked range from the behaviour of each domain name, each link and each node.
e) If the attacked object is a single node or IP, it is replaced by a standby node and IP group (i.e. a new link).
f) If the traffic, request count or similar data of a link is abnormal and exceeds the threshold set in the default protection rule, the DNS resolution of the link's customers is automatically scheduled from the edge node to the large-scale dedicated scrubbing node closest to the origin, and the customers are resolved by type to the different high-protection IPs of the corresponding group, where detection, scrubbing and filtering are performed separately, while the original CDN cluster link continues to be monitored.
g) When the data of the dedicated scrubbing node and of the original CDN cluster link fall back into the normal range, customer resolution is automatically scheduled back to the original link.
h) If the data of the original CDN cluster link is still abnormal after the dedicated scrubbing node has scrubbed the traffic, customer resolution is automatically scheduled to a standby link of the CDN cluster and automatically restored to the original link once the data is normal.

Claims (5)

1. An attack defense method based on a content distribution network, characterized by comprising the following steps:
1) setting n edge nodes in the content distribution network;
2) determining the number of high-protection groups according to the number of links and establishing a high-protection cluster, wherein each high-protection group comprises n high-protection IPs;
3) after a domain name is resolved to the content distribution network, setting a request-count threshold and a bandwidth threshold at each edge node and each link of the content distribution network, and performing exception handling when at least one of the request count and the traffic of an edge node exceeds its threshold;
4) after the high-protection cluster is switched in, monitoring the request count and traffic of each high-protection IP of the high-protection cluster separately, and at the same time monitoring the request count and traffic of the affected edge nodes, links and IPs in the content distribution network.
2. The attack defense method based on a content distribution network according to claim 1, characterized in that in step 1), each edge node comprises m IPs, and the m IPs correspond to m links.
3. The attack defense method based on a content distribution network according to claim 1, wherein in step 3), the exception handling specifically comprises:
when at least one of the request count and the traffic of an edge node exceeds the threshold, the edge node is replaced by a standby node having the same number of IPs, and the request count and traffic of the standby node are monitored continuously; if the request count of the standby node still exceeds the threshold, domain name resolution is switched into the high-protection cluster; if the request count of the standby node does not exceed the threshold, the standby node and its IPs formally replace the original edge node and its IPs, and the original edge node is black-hole blocked and then converted into a standby resource;
when at least one of the request count and the traffic of an IP exceeds the threshold, the entire link on which the IP is located is replaced by a standby link, and the request count and traffic of the standby link are monitored continuously; if the request count of the standby link still exceeds the threshold, domain name resolution is switched into the high-protection cluster; if the request count of the standby link does not exceed the threshold, the standby link and its IPs formally replace the link on which the original IP is located, and that link is black-hole blocked and then converted into a standby resource;
when at least one of the request count and the traffic of a link exceeds the threshold, the entire link is replaced by a standby link, and the request count and traffic of the standby link are monitored continuously; if the request count of the standby link still exceeds the threshold, domain name resolution is switched into the high-protection cluster; if the request count of the standby link does not exceed the threshold, the standby link and its IPs formally replace the original link, and the original link is black-hole blocked and then converted into a standby resource.
4. The attack defense method based on a content distribution network according to claim 3, wherein switching domain name resolution into the high-protection cluster specifically comprises:
one link corresponds to one high-protection group, and the domain name resolution of the same link is switched to the IPs of the same high-protection group; the plurality of domain names that are resolved to one IP in the content distribution network are resolved to one high-protection IP in the high-protection cluster.
5. The attack defense method based on a content distribution network according to claim 1, wherein in step 4), when the request count and traffic of a high-protection IP are lower than the threshold and the request count and traffic of the affected edge nodes, links and IPs are lower than the threshold, the resolution of that high-protection IP is switched back to the link on which the resolution was located before the attack on the content distribution network occurred; when the request count and traffic of the high-protection IP are lower than the threshold and the request count and traffic of the affected edge nodes, links and IPs are higher than or equal to the threshold, the resolution of the high-protection IP is switched back to the standby link in the content distribution network;
and when the request count and traffic of the high-protection IP are higher than or equal to the threshold, the resolution is kept on the current high-protection IP and attack traffic scrubbing is performed.
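The escalation and fallback described in claims 3 to 5 (and in steps 6) to 8) of the description) is a small state machine per link: original link, standby link under observation, standby link made permanent, or high-protection group. The simulation below is an added illustration written for this page; it is not code from the patent or from Hangzhou Upyun. The class and function names, the metric units (requests and Mbit/s per sampling window), the threshold values and the sample timeline are all assumptions. It follows the claim text literally: the trigger fires when either metric is strictly above its threshold, restoration needs both metrics strictly below it, and the standby check is read conservatively as "either metric still over threshold".

```python
"""Simulation of the threshold-driven failover in claims 3 to 5 of CN113037716A.

Added illustration, not code from the patent or the assignee. Units, names,
thresholds and the sample timeline are assumptions made for this example."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    """One monitoring sample for a node, IP, link or high-protection IP."""
    requests: int  # request count in the sampling window (assumed unit)
    traffic: int   # traffic in the window, e.g. Mbit/s (assumed unit)


@dataclass(frozen=True)
class Threshold:
    max_requests: int
    max_traffic: int

    def exceeded(self, s: Sample) -> bool:
        # Claim 3: exception handling when "at least one of" the two metrics exceeds.
        return s.requests > self.max_requests or s.traffic > self.max_traffic

    def below(self, s: Sample) -> bool:
        # Claim 5: restoration only when both metrics are lower than the threshold.
        return s.requests < self.max_requests and s.traffic < self.max_traffic


class Target(Enum):
    ORIGINAL = auto()         # resolution points at the original CDN link
    STANDBY_TRIAL = auto()    # standby link swapped in, still under observation
    STANDBY = auto()          # standby link has formally replaced the original
    HIGH_PROTECTION = auto()  # resolution switched into the high-protection group


@dataclass
class LinkState:
    name: str          # original link, e.g. "link-1" (assumed naming)
    standby: str       # standby link reserved for it
    hp_group: str      # high-protection group assigned to this link (claim 4)
    threshold: Threshold
    target: Target = Target.ORIGINAL
    blackholed: List[str] = field(default_factory=list)  # links black-hole blocked
    spare_pool: List[str] = field(default_factory=list)  # links recycled as standby resources


def cdn_round(st: LinkState, original: Sample, standby: Optional[Sample] = None) -> Target:
    """One monitoring round while resolution is still inside the CDN (claim 3)."""
    if st.target is Target.ORIGINAL:
        if st.threshold.exceeded(original):
            st.target = Target.STANDBY_TRIAL      # replace the whole link by its standby
    elif st.target is Target.STANDBY_TRIAL:
        if standby is None:
            raise ValueError("standby link sample required while it is under observation")
        if st.threshold.exceeded(standby):
            st.target = Target.HIGH_PROTECTION    # standby saturated too: into the HP group
        else:
            # Standby absorbed the load: make the replacement permanent, black-hole
            # the original link and return it to the pool of standby resources.
            st.blackholed.append(st.name)
            st.spare_pool.append(st.name)
            st.target = Target.STANDBY
    # In STANDBY the standby link is now the serving link; a fresh LinkState would
    # be created for it, so nothing changes here.
    return st.target


def hp_round(st: LinkState, hp: Sample, affected: Sample) -> Target:
    """One monitoring round after resolution moved to a high-protection IP (claim 5).

    `hp` is the high-protection IP's sample, `affected` the sample of the CDN
    nodes/links/IPs that were hit by the attack."""
    if st.target is not Target.HIGH_PROTECTION:
        raise ValueError("link is not being served by the high-protection cluster")
    if not st.threshold.below(hp):
        return st.target                          # attack still arriving: keep scrubbing
    st.target = Target.ORIGINAL if st.threshold.below(affected) else Target.STANDBY
    return st.target


def high_protection_ip(link_ips: List[str], group_ips: List[str], cdn_ip: str) -> str:
    """Claim 4: one link maps to one group, and every domain that resolved to one CDN IP
    of that link is resolved to one high-protection IP of the group (n IPs each)."""
    if len(link_ips) != len(group_ips):
        raise ValueError("a high-protection group holds one IP per edge node")
    return group_ips[link_ips.index(cdn_ip)]


def demo() -> List[Target]:
    """Constructed attack timeline; returns the sequence of resolution targets."""
    th = Threshold(max_requests=10_000, max_traffic=800)
    st = LinkState("link-1", "link-1-standby", "hp-group-1", th)
    return [
        cdn_round(st, Sample(1_200, 90)),                             # quiet
        cdn_round(st, Sample(48_000, 1_900)),                         # flood: standby swapped in
        cdn_round(st, Sample(47_500, 1_850), Sample(46_000, 1_700)),  # standby saturated as well
        hp_round(st, Sample(45_000, 1_600), Sample(300, 40)),         # HP IP absorbing, keep scrubbing
        hp_round(st, Sample(2_000, 150), Sample(15_000, 900)),        # attack fading, CDN side still hot
    ]


if __name__ == "__main__":
    for step, target in enumerate(demo(), 1):
        print(step, target.name)
```

One caveat the claims do not spell out: every switch here is a DNS resolution change, so it reaches clients only after their resolvers' cached records expire. The standby or high-protection sample should therefore be taken after at least one record TTL has elapsed; sampled earlier, the standby link looks healthy simply because the attack traffic has not moved to it yet, and the method would wrongly make the replacement permanent and black-hole the original link.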

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110178012.3A CN113037716B (en) 2021-02-07 2021-02-07 Attack defense method based on content distribution network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110178012.3A CN113037716B (en) 2021-02-07 2021-02-07 Attack defense method based on content distribution network

Publications (2)

Publication Number Publication Date
CN113037716A true CN113037716A (en) 2021-06-25
CN113037716B CN113037716B (en) 2021-12-21

Family

ID=76460839

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110178012.3A Active CN113037716B (en) 2021-02-07 2021-02-07 Attack defense method based on content distribution network

Country Status (1)

Country Link
CN (1) CN113037716B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137111A (en) * 2011-04-20 2011-07-27 北京蓝汛通信技术有限责任公司 Method and device for preventing CC (Challenge Collapsar) attack and content delivery network server
CN103023924A (en) * 2012-12-31 2013-04-03 网宿科技股份有限公司 Content distribution network based DDoS (distributed denial of service) attack protecting method and content distribution network based DDoS attack protecting system for cloud distribution platform
CN104079557A (en) * 2014-05-22 2014-10-01 汉柏科技有限公司 CC attack protection method and device
US20150326602A1 (en) * 2014-05-09 2015-11-12 Unisys Corporation Clean-up of un-reassembled data fragments
CN107517195A (en) * 2016-06-17 2017-12-26 阿里巴巴集团控股有限公司 Method and apparatus for locating an attacked domain name in a content distribution network
CN109218250A (en) * 2017-06-29 2019-01-15 北京多点在线科技有限公司 DDOS defence method and system based on failure Autonomic Migration Framework system
CN110753022A (en) * 2018-07-24 2020-02-04 上海来三网络科技有限公司 DDOS large-traffic defense architecture
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113489739A (en) * 2021-07-16 2021-10-08 北京顶象技术有限公司 Service stability method and device for resisting DDoS attack based on CDN
CN113489739B (en) * 2021-07-16 2024-03-08 北京顶象技术有限公司 CDN-based service stability method and device for resisting DDoS attack
CN113905058A (en) * 2021-10-18 2022-01-07 杭州安恒信息技术股份有限公司 WAF and DDoS high-protection-based protection method, device and medium

Also Published As

Publication number Publication date
CN113037716B (en) 2021-12-21

Similar Documents

Publication Publication Date Title
CN108040057B (en) Working method of SDN system suitable for guaranteeing network security and network communication quality
CN111385235B (en) DDoS attack defense system and method based on dynamic transformation
US20160182542A1 (en) Denial of service and other resource exhaustion defense and mitigation using transition tracking
Kalkan et al. SDNScore: A statistical defense mechanism against DDoS attacks in SDN environment
US20130254872A1 (en) System and method for mitigating a denial of service attack using cloud computing
RU2480937C2 (en) System and method of reducing false responses when detecting network attack
CN113037716B (en) Attack defense method based on content distribution network
WO2017088397A1 (en) Ddos attack protection method and system for cdn server group
Schaelicke et al. SPANIDS: a scalable network intrusion detection loadbalancer
Bailey et al. Data reduction for the scalable automated analysis of distributed darknet traffic
CN108092940B (en) DNS protection method and related equipment
CN101616131A Method for defending against ARP virus attacks
EP1595193B1 (en) Detecting and protecting against worm traffic on a network
Abaid et al. MalwareMonitor: An SDN-based framework for securing large networks
CN102882894A (en) Method and device for identifying attack
KR20120072992A (en) System and method for botnet detection using traffic analysis of non-ideal domain name system
TWI657681B (en) Analysis method of network flow and system
Geneiatakis et al. A multilayer overlay network architecture for enhancing IP services availability against DoS
RU2576488C1 (en) METHOD OF CONSTRUCTING DATA NETWORKS WITH HIGH LEVEL OF SECURITY FROM DDoS ATTACKS
CN114172881A (en) Network security verification method, device and system based on prediction
Lee et al. Duo: software defined intrusion tolerant system using dual cluster
Perlegos DoS defense in structured peer-to-peer networks
KR101224994B1 (en) System for analyzing of botnet detection information and method thereof
KR101025502B1 (en) Network based detection and response system and method of irc and http botnet
KR20110074028A (en) Apparatus for preventing distributed denial of service attack creation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant