CN113783884A - Synflood attack protection method, device, equipment and storage medium - Google Patents


Publication number
CN113783884A
Authority
CN
China
Prior art keywords
attack
target
network
real
traffic data
Legal status
Withdrawn
Application number
CN202111087121.0A
Other languages
Chinese (zh)
Inventor
姚夏鲁
范渊
杨勃
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service


Abstract

The application discloses a synflood attack protection method, apparatus, device and storage medium, comprising the following steps: acquiring all real-time traffic data at a preset network position between an attack source and an attack target, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located; determining the target proportion of SYN-type traffic data in all the real-time traffic data, judging whether the target proportion exceeds a reference proportion, and if so, performing traffic control on all the real-time traffic data, where the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period. The method and apparatus detect the synflood attack and protect against it in a network segment that the attack traffic reaches before the attack target, avoiding network congestion at the attack target and providing a stable network environment.

Description

Synflood attack protection method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a synflood attack protection method, a device, equipment and a storage medium.
Background
Today, moving services to the cloud has become an inevitable trend with the rapid development of the Internet, and many service providers offer their services to customers in the form of web services so that customers can use them easily and conveniently. This carries the risk that a malicious commercial competitor or an extremist organization may launch a DDOS attack on the cloud service, paralysing or even crashing it. One such DDOS attack is the synflood attack, in which an attacker consumes all available server resources by repeatedly sending initial connection request (SYN) packets, so that the server stops responding to normal TCP connection requests.
Therefore, how to identify and protect against synflood attacks accurately and efficiently is a technical problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
In view of this, the present invention provides a synflood attack protection method, apparatus, device and storage medium, which can detect a synflood attack and protect against it in a network segment that the attack traffic reaches before the attack target, avoiding network congestion at the attack target and providing a robust network environment. The specific scheme is as follows:
A first aspect of the present application provides a synflood attack protection method, including:
acquiring all real-time traffic data at a preset network position between an attack source and an attack target, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located;
determining the target proportion of SYN-type traffic data in all the real-time traffic data, judging whether the target proportion exceeds a reference proportion, and if so, performing traffic control on all the real-time traffic data, where the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period.
Optionally, the preset network position is the network entrance of the network segment where the attack target is located, or a position in an Internet service provider network.
Optionally, when the preset network position is the network entrance of the network segment where the attack target is located, before acquiring all real-time traffic data at the preset network position between the attack source and the attack target, the method further includes:
acquiring all historical traffic data at the network entrance of the network segment where the attack target is located during a historical period;
performing DDOS cleaning on all the historical traffic data to obtain all the historical traffic data free of attack traffic;
and determining the proportion of SYN-type traffic data in all the attack-free historical traffic data to obtain the reference proportion.
Optionally, the traffic data volume in the historical period and the traffic data volume in the real-time period during which all the real-time traffic data are acquired are positively correlated.
Optionally, when the preset network position is the network entrance of the network segment where the attack target is located, acquiring all real-time traffic data at the preset network position between the attack source and the attack target includes:
deploying traffic monitoring equipment at the network entrance of the network segment where the attack target is located, and acquiring all real-time traffic data at the network entrance using the traffic monitoring equipment.
Optionally, determining the target proportion of SYN-type traffic data in all the real-time traffic data includes:
counting, using the traffic monitoring equipment, the target data volume of SYN-type traffic data in all the real-time traffic data;
and calculating the ratio of the target data volume to all the real-time traffic data to obtain the target proportion.
Optionally, performing traffic control on all the real-time traffic data includes:
if the target proportion exceeds the reference proportion, determining the synflood attack traffic within all the real-time traffic data and applying rate limiting or interception to the synflood attack traffic.
A second aspect of the present application provides a synflood attack protection apparatus, comprising:
a real-time traffic acquisition module for acquiring all real-time traffic data at a preset network position between an attack source and an attack target, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located;
and a protection module for determining the target proportion of SYN-type traffic data in all the real-time traffic data, judging whether the target proportion exceeds a reference proportion, and if so, performing traffic control on all the real-time traffic data, where the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period.
A third aspect of the present application provides an electronic device comprising a processor and a memory, wherein the memory stores a computer program which, when loaded and executed by the processor, implements the aforementioned synflood attack protection method.
A fourth aspect of the present application provides a computer-readable storage medium storing computer-executable instructions which, when loaded and executed by a processor, implement the aforementioned synflood attack protection method.
In the method, all real-time traffic data at a preset network position between an attack source and an attack target are first acquired, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located; then the target proportion of SYN-type traffic data in all the real-time traffic data is determined and compared with a reference proportion, and if the target proportion exceeds it, traffic control is performed on all the real-time traffic data, where the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period. The method and apparatus therefore monitor the real-time traffic flowing towards the attack target at a network position far from the attack target, i.e. close to the attack source, and detect the synflood attack in a network segment that the attack traffic reaches before the attack target, so that network congestion at the attack target is avoided. On this basis, the proportion of SYN-type traffic data in the real-time traffic data is compared with the proportion found in normal traffic to perform synflood attack protection, providing a stable network environment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a synflood attack protection method provided in the present application;
Fig. 2 is a schematic diagram of the network environment between an attack source and an attack target according to the present application;
Fig. 3 is an example of reference proportions for different time periods provided herein;
Fig. 4 is a schematic structural diagram of a synflood attack protection apparatus provided in the present application;
Fig. 5 is a structural diagram of an electronic device for synflood attack protection provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The synflood attack is ubiquitous among DDOS attacks: an attacker consumes all available server resources by repeatedly sending initial connection request (SYN) packets, so that the server stops responding to normal TCP connection requests and the service is paralysed or even crashes. To overcome this, the present application provides a synflood attack protection scheme in which the real-time traffic flowing towards the attack target is monitored at a network position far from the attack target, i.e. close to the attack source, and the synflood attack is detected in a network segment that the attack traffic reaches before the attack target, so that network congestion at the attack target is avoided. On this basis, the proportion of SYN-type traffic data in the real-time traffic data is compared with the proportion found in normal traffic to perform synflood attack protection, providing a stable network environment.
Fig. 1 is a flowchart of a synflood attack protection method according to an embodiment of the present disclosure. Referring to Fig. 1, the synflood attack protection method includes:
S11: acquiring all real-time traffic data at a preset network position between an attack source and an attack target, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located.
In this embodiment, all real-time traffic data at a preset network position between the attack source and the attack target are acquired, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located. Specifically, the preset network position is the network entrance of the network segment where the attack target is located or a position in an Internet Service Provider (ISP) network. In the former case, traffic monitoring equipment is deployed at the network entrance of the network segment where the attack target is located, and all real-time traffic data at that entrance are acquired using the traffic monitoring equipment.
As shown in Fig. 2, the path between the attack source and the attack target is divided into four network layers: the attack source network, the farther upstream ISP network, the target ISP network and the target network. In a real network environment a synflood attack is distributed in the shape of a funnel: the many puppet machines (attack sources) controlled by the attacker launch the attack from many different positions, which form the top of the funnel, while the attack traffic finally converges at the bottom of the funnel, i.e. the network segment of the target host (attack target). If traffic monitoring is performed in the target network and no suitable filtering is in place upstream, every attack packet eventually converges on the target network; installing traffic monitoring equipment there makes it easy and accurate to judge that the system is under a synflood attack. Protecting at this position, however, has obvious drawbacks: interception happens too late, because the attack traffic has already converged in the network segment where the protection equipment is located and congestion has already arisen; even if protection is applied promptly, processing still takes time; the upstream network environment is disrupted; and the forwarding capacity of many upstream networks is wasted.
Compared with protecting close to the protection equipment, where the attack traffic is easier to distinguish but has already entered the same network segment as the protection equipment and network congestion arises easily, the best position for traffic monitoring and for filtering attack packets or illegal packets is in the attack source network. Filtering there intercepts attack packets at the earliest point, reduces the impact on other networks to a minimum and best improves the efficiency of the whole path, whereas filtering later lets a large volume of useless attack packets flood the many downstream network environments for a longer time and wastes the networks' forwarding capacity. However, because the attack sources are unknown or distributed, it is difficult to monitor the attack in the attack source network unless the many puppet machines used for the attack all sit in the same network.
Taking these considerations together, it is more advantageous to discover and intercept the network attack as early as possible: since the attack launched from the attack sources becomes more concentrated the further downstream it travels towards the target host, monitoring equipment is placed at a network position as far from the target host, i.e. as close to the attack source end, as possible; that is, equipment capable of monitoring and counting packets is attached to the router at the network position as far from the target host as possible, so that the attack traffic is intercepted earlier and network congestion is avoided. Therefore, the embodiment of the present application protects the entrance of the farther upstream ISP network, the target ISP network or the target network, close to the attack source, and can process the attack traffic before it reaches the network segment where the protection equipment is located, which reduces network congestion and makes the operating environment of the equipment more stable. Furthermore, deploying the traffic monitoring equipment in the upstream ISP network or the target ISP network is even more effective, because these two networks are closer to the attack source network, the interception point is earlier and the range of network that can be protected is larger. The drawback is that the cost of deploying the equipment is correspondingly higher, but the benefit is also large: complex attack packets in the network environment are processed earlier, which produces a better protection effect on the downstream network environment.
S12: determining the target proportion of SYN-type traffic data in all the real-time traffic data, judging whether the target proportion exceeds a reference proportion, and if so, performing traffic control on all the real-time traffic data, where the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period.
In this embodiment, the target proportion of SYN-type traffic data in all the real-time traffic data is determined, it is judged whether the target proportion exceeds the reference proportion, and if so, traffic control is performed on all the real-time traffic data; the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period. On the basis of step S11, new equipment capable of monitoring and counting packets is added to the router as far from the protection equipment as possible, a threshold is set according to the proportion of SYN packets among all packets under normal conditions, and when the monitored traffic exceeds that threshold the attack traffic is processed. Specifically, the target proportion may be determined by counting, using the traffic monitoring equipment, the target data volume of SYN-type traffic data in all the real-time traffic data, and then calculating the ratio of the target data volume to all the real-time traffic data. The target proportion is then compared with the reference proportion; if the target proportion exceeds the reference proportion, a synflood attack is present in the real-time traffic data, so the synflood attack traffic within all the real-time traffic data is determined and rate limiting or interception is applied to it.
The traffic monitoring equipment can count, per second, the number of packets sent and received and the number of SYN packets on the network interface of a specified network card. When an attack occurs, as soon as the proportion of the corresponding packets exceeds the threshold set for normal conditions, the attack traffic is immediately rate limited or intercepted, and once intercepted, the attack traffic is effectively prevented from travelling further downstream and congesting the network segment of the protection equipment.
Based on the characteristics of a DDOS attack, a large volume of attack traffic converges on the final target host or target network segment, and each attack has obvious attack characteristics. In the case of a synflood attack, the number of half-open connections caused by the attack far exceeds the number in the network segment in its normal state: under normal conditions fewer than 200 packets with the SYN flag set to 1 are seen in one network segment within 1 second, whereas a dedicated attack tool can easily be set to 3000 such packets per second, far above the normal level, so that the target host or target network segment is flooded with a large number of attack packets in a short time, the server's resources are quickly exhausted and the purpose of the attack is achieved. Conversely, this same characteristic makes it easy to detect that a synflood attack has occurred in a network segment, or that a zombie machine has been taken over by the real attacker and is unknowingly attacking the target host or network segment. The attack achieves its purpose simply by increasing the rate at which attack packets are sent, but because this characteristic lies far above the normal state, an approximate threshold can be chosen from it for protection. It is therefore reasonable to set the reference proportion according to packet counts.
Based on this, in the embodiment of the present application, before acquiring the real-time traffic data, all historical traffic data at the network entrance of the network segment where the attack target is located during the historical period are acquired, DDOS cleaning is then performed on all the historical traffic data to obtain all the attack-free historical traffic data, and the proportion of SYN-type traffic data in all the attack-free historical traffic data is determined to obtain the reference proportion. To ensure that the comparison is accurate, the traffic data volume in the historical period and the traffic data volume in the real-time period during which all the real-time traffic data are acquired are positively correlated; for example, the proportion calculated from the traffic data of period A of the previous day is used as the reference proportion for period A of the current day. It is understood that the precondition for the reference proportion is that all traffic reaching the server is normal user traffic without any attack traffic (in this embodiment, traffic data after Layer-4 cleaning is regarded as containing no attack traffic), in which case the SYN proportion in each time slot is as shown in Fig. 3. In this embodiment, with source authentication enabled on the traffic monitoring equipment, all synflood attacks are intercepted by the DSLB device, so the traffic cleaned by the DSLB device is attack-free. Therefore, the SYN proportion measured on the output interface traffic after cleaning can be used as the reference proportion.
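The detection of step S12 and the reference-proportion construction described above, worked through as an added example that is not part of the patent or of any product it describes: a minimal IPv4/TCP flag decoder, a reference proportion computed per time slot from cleaned (attack-free) historical counts, a per-second target-proportion check, and rate limiting of SYN packets once the target proportion exceeds the reference. The slot labels, packet layouts and history counts are constructed for illustration, and since the page does not prescribe a rate-limiting algorithm, the SYN-budget policy in `enforce` is an assumption.

```python
"""Added example: SYN-proportion synflood check in the style of steps S11/S12.

Packets, slot labels and history counts below are constructed for illustration
and are not from the patent or from any product it describes.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SYN = 0x02  # TCP flag bits
ACK = 0x10


def is_syn_packet(frame: bytes) -> bool:
    """True for an IPv4/TCP packet with SYN set and ACK clear (a connection request).

    `frame` is a raw IPv4 packet without the Ethernet header. Non-IPv4, non-TCP
    or truncated packets return False, so they count only towards the total.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return False
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 6 or len(frame) < ihl + 14:
        return False                     # protocol 6 = TCP; need the flags byte
    flags = frame[ihl + 13]              # TCP flags byte sits at offset 13 of the TCP header
    return bool(flags & SYN) and not (flags & ACK)


def build_packet(flags: int) -> bytes:
    """Constructed minimal IPv4+TCP header (no payload, zero checksums) for testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # placeholder addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def reference_proportions(cleaned_history: Iterable[Tuple[str, int, int]]) -> Dict[str, float]:
    """Reference proportion per time slot from attack-free (DDOS-cleaned) history.

    Each record is (slot, total_packets, syn_packets) measured on the cleaned
    output interface, e.g. the same slot of the previous day. Slots with no
    traffic yield no reference.
    """
    sums = defaultdict(lambda: [0, 0])
    for slot, total, syn in cleaned_history:
        sums[slot][0] += total
        sums[slot][1] += syn
    return {slot: syn / total for slot, (total, syn) in sums.items() if total}


class SynFloodMonitor:
    """Per-second SYN-proportion check at the monitoring point."""

    def __init__(self, reference: Dict[str, float]):
        self.reference = reference

    def target_proportion(self, packets: List[bytes]) -> float:
        """Proportion of SYN packets among all packets seen in one second."""
        if not packets:
            return 0.0
        return sum(1 for p in packets if is_syn_packet(p)) / len(packets)

    def evaluate(self, slot: str, packets: List[bytes]) -> Tuple[float, str]:
        """Return (target proportion, action); action is 'pass' or 'rate_limit'.

        With no reference for the slot there is nothing to compare against,
        so the traffic passes.
        """
        ratio = self.target_proportion(packets)
        ref = self.reference.get(slot)
        if ref is None or ratio <= ref:
            return ratio, "pass"
        return ratio, "rate_limit"

    def enforce(self, slot: str, packets: List[bytes]) -> List[bytes]:
        """Rate-limit SYN packets down to the reference proportion (assumed policy).

        Non-SYN packets are always forwarded; SYN packets are forwarded only up
        to the number the reference proportion allows for this second's total.
        """
        ratio, action = self.evaluate(slot, packets)
        if action == "pass":
            return list(packets)
        budget = int(self.reference[slot] * len(packets))
        forwarded = []
        for p in packets:
            if is_syn_packet(p):
                if budget <= 0:
                    continue            # dropped: exceeds this second's SYN budget
                budget -= 1
            forwarded.append(p)
        return forwarded
```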
It can be seen that in the embodiment of the present application, all real-time traffic data at a preset network position between an attack source and an attack target are first acquired, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located; then the target proportion of SYN-type traffic data in all the real-time traffic data is determined and compared with a reference proportion, and if the target proportion exceeds it, traffic control is performed on all the real-time traffic data, where the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period. The method and apparatus monitor the real-time traffic flowing towards the attack target at a network position far from the attack target, i.e. close to the attack source, and detect the synflood attack in a network segment that the attack traffic reaches before the attack target, so that network congestion at the attack target is avoided. On this basis, the proportion of SYN-type traffic data in the real-time traffic data is compared with the proportion found in normal traffic to perform synflood attack protection, providing a stable network environment.
Referring to Fig. 4, an embodiment of the present application further discloses a synflood attack protection apparatus, which includes:
a real-time traffic acquisition module 11 configured to acquire all real-time traffic data at a preset network position between an attack source and an attack target, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located;
and a protection module 12 configured to determine the target proportion of SYN-type traffic data in all the real-time traffic data, judge whether the target proportion exceeds a reference proportion, and if so, perform traffic control on all the real-time traffic data, where the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period.
It can be seen that in the embodiment of the present application, all real-time traffic data at a preset network position between an attack source and an attack target are first acquired, the preset network position being any position between the attack source and the attack target other than a network link of the network segment where the attack target is located; then the target proportion of SYN-type traffic data in all the real-time traffic data is determined and compared with a reference proportion, and if the target proportion exceeds it, traffic control is performed on all the real-time traffic data, where the reference proportion is the proportion of SYN-type traffic data in all the attack-free historical traffic data at the preset network position during a historical period. The method and apparatus monitor the real-time traffic flowing towards the attack target at a network position far from the attack target, i.e. close to the attack source, and detect the synflood attack in a network segment that the attack traffic reaches before the attack target, so that network congestion at the attack target is avoided. On this basis, the proportion of SYN-type traffic data in the real-time traffic data is compared with the proportion found in normal traffic to perform synflood attack protection, providing a stable network environment.
In some specific embodiments, when the preset network position is the network entrance of the network segment where the attack target is located, the real-time traffic acquisition module 11 is specifically configured to deploy traffic monitoring equipment at that network entrance and to acquire all real-time traffic data there using the traffic monitoring equipment;
correspondingly, the protection module 12 specifically includes:
a statistics unit for counting, using the traffic monitoring equipment, the target data volume of SYN-type traffic data in all the real-time traffic data;
a calculation unit for calculating the ratio of the target data volume to all the real-time traffic data to obtain the target proportion;
and a processing unit for determining, if the target proportion exceeds the reference proportion, the synflood attack traffic within all the real-time traffic data and applying rate limiting or interception to it.
In some embodiments, when the preset network position is the network entrance of the network segment where the attack target is located, the synflood attack protection apparatus further includes:
a reference proportion determination module for acquiring all historical traffic data at the network entrance of the network segment where the attack target is located during the historical period, performing DDOS cleaning on all the historical traffic data to obtain all the attack-free historical traffic data, and determining the proportion of SYN-type traffic data in all the attack-free historical traffic data to obtain the reference proportion.
Further, the embodiment of the application also provides electronic equipment. FIG. 5 is a block diagram illustrating an electronic device 20 according to an exemplary embodiment, and the contents of the diagram should not be construed as limiting the scope of use of the present application in any way.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. The memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the synflood attack protection method disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the storage 22 is used as a carrier for resource storage, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon may include an operating system 221, a computer program 222, data 223, etc., and the storage may be a transient storage or a permanent storage.
The operating system 221 is used for managing and controlling each hardware device and the computer program 222 on the electronic device 20, so that the processor 21 can operate on and process the large volume of data 223 in the memory 22; it may be Windows Server, Netware, Unix, Linux, and the like. In addition to the computer program that performs the synflood attack protection method disclosed in any of the foregoing embodiments on the electronic device 20, the computer program 222 may further include a computer program for performing other specific tasks. The data 223 may include traffic data collected by the electronic device 20.
Further, an embodiment of the present application further discloses a storage medium, where a computer program is stored in the storage medium, and when the computer program is loaded and executed by a processor, the steps of the synflood attack protection method disclosed in any of the foregoing embodiments are implemented.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, the device, the equipment and the storage medium for protecting the synflood attack provided by the invention are described in detail, a specific example is applied in the description to explain the principle and the implementation mode of the invention, and the description of the embodiment is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A synflood attack protection method is characterized by comprising the following steps:
acquiring all real-time traffic data at a preset network position between an attack source and an attack target; the preset network position is any position between the attack source and the attack target except for a network link of a network segment where the attack target is located;
determining the target ratio of syn type traffic data in all real-time traffic data, judging whether the target ratio exceeds a reference ratio, and if so, performing flow control on all real-time traffic data; the reference ratio is the proportion of syn type traffic data in all historical traffic data without attack traffic at the preset network position in a historical period.
2. The synflood attack protection method according to claim 1, wherein the preset network location is the network entrance of the network segment where the attack target is located, or a location in an internet service provider network.
3. The synflood attack protection method according to claim 2, wherein before the obtaining of all real-time traffic data at the preset network location between the attack source and the attack target, when the preset network location is a network entry of the network segment where the attack target is located, further comprising:
acquiring all historical traffic data at the network entrance of the network segment where the attack target is located in a historical time period;
performing DDOS cleaning on all historical traffic data to obtain all historical traffic data without attack traffic;
and determining the proportion of syn type traffic data in all the historical traffic data without the attack traffic so as to obtain a reference proportion.
4. The synflood attack protection method according to claim 3, wherein the traffic data volume in the historical period is positively correlated with the traffic data volume in the real-time period in which all the real-time traffic data are obtained.
5. The synflood attack protection method according to claim 2, wherein when the preset network location is a network entry of a network segment where the attack target is located, the obtaining of all real-time traffic data at the preset network location between the attack source and the attack target comprises:
setting traffic monitoring equipment at the network entrance of the network segment where the attack target is located, and acquiring all real-time traffic data at the network entrance by using the traffic monitoring equipment.
6. The synflood attack protection method according to claim 5, wherein said determining the target ratio of syn type traffic data in all the real-time traffic data comprises:
counting the target data volume of syn type traffic data in all the real-time traffic data by using the traffic monitoring equipment;
and calculating the ratio of the target data volume to all the real-time traffic data to obtain the target ratio.
7. The synflood attack protection method according to any one of claims 1 to 6, wherein said performing flow control on all the real-time traffic data comprises:
if the target ratio exceeds the reference ratio, determining the synflood attack traffic in all the real-time traffic data and performing rate limiting or interception on the synflood attack traffic.
8. A synflood attack protection device, comprising:
the real-time traffic acquisition module is used for acquiring all real-time traffic data at a preset network position between an attack source and an attack target; the preset network position is any position between an attack source and an attack target except for a network link of a network segment where the attack target is located;
the protection module is used for determining the target ratio of syn type traffic data in all real-time traffic data, judging whether the target ratio exceeds a reference ratio, and if so, performing flow control on all real-time traffic data; the reference ratio is the proportion of syn type traffic data in all historical traffic data without attack traffic at the preset network position in a historical period.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing said computer program to implement a synflood attack protection method as claimed in any of claims 1 to 7.
10. A computer-readable storage medium storing computer-executable instructions which, when loaded and executed by a processor, implement a synflood attack protection method as claimed in any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111087121.0A CN113783884A (en) 2021-09-16 2021-09-16 Synflood attack protection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113783884A true CN113783884A (en) 2021-12-10

Family

ID=78851387

Country Status (1)

Country Link
CN (1) CN113783884A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107493276A (en) * 2017-08-08 2017-12-19 北京神州绿盟信息安全科技股份有限公司 A kind of method and device of network safety prevention
CN110445770A (en) * 2019-07-18 2019-11-12 平安科技(深圳)有限公司 Attack Source positioning and means of defence, electronic equipment and computer storage medium
CN111314328A (en) * 2020-02-03 2020-06-19 北京字节跳动网络技术有限公司 Network attack protection method and device, storage medium and electronic equipment
US10986129B1 (en) * 2019-03-28 2021-04-20 Rapid7, Inc. Live deployment of deception systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20211210