CN113923027A - Traffic suppression method for reflective DDoS attack and related device - Google Patents


Info

Publication number
CN113923027A
Authority
CN
China
Prior art keywords
traffic
distributed
information
filtering rule
preset filtering
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111181763.7A
Other languages
Chinese (zh)
Inventor
张力
杨国艳
刘爱辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
Original Assignee
China Construction Bank Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Construction Bank Corp
Priority to CN202111181763.7A
Publication of CN113923027A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a traffic suppression method and a related device for reflection-type DDoS attacks. The method is applied in the backbone network or metropolitan area network on the operator (ISP) side and comprises the following steps: on receiving the information of traffic to be distributed sent by an open server, judging whether that information satisfies a preset filtering rule, where the information of the traffic to be distributed consists of the protocol, the source port information and the destination IP address; if the preset filtering rule is satisfied, determining the traffic to be distributed to be attack traffic and discarding it; if the preset filtering rule is not satisfied, determining the traffic to be distributed to be normal traffic and forwarding it to the destination IP address as normal. In this way the reflection-type DDoS attack is identified and filtered on the operator side, reducing the pressure on the enterprise's local network and protection equipment.

Description

Traffic suppression method for reflective DDoS attack and related device
Technical Field
The present application relates to the field of internet technologies, and in particular, to a traffic suppression method for reflective DDoS attacks and a related device.
Background
DDoS (Distributed Denial of Service) attacks use a sufficiently large number of compromised hosts (bots) to generate a huge volume of attack packets against one or more targets on a network, exhausting the victim's resources and leaving it unable to provide normal service. A reflection-type DDoS attack is a DDoS attack in which the attacker sends requests with a forged source address to open servers on the Internet that answer such requests; the servers' responses are thereby reflected to the victim address, and the attack source is hidden.
Existing defences against reflection-type DDoS attacks are generally reactive: the attack can only be detected after it has begun, and the protective action is applied afterwards, so attack traffic leaks through during the response delay and causes some impact on service.
Moreover, most defence equipment is deployed inside the enterprise network. When the attack traffic exceeds the bandwidth of the Internet access line, such equipment can only scrub the portion of the attack traffic that fits within that bandwidth; it does nothing about the Internet entrance being saturated by attack traffic. Normal client requests cannot reach the server, so the attack still achieves denial of service in practice.
Disclosure of Invention
In view of this, the present application provides a traffic suppression method and a related apparatus for reflection-type DDoS attacks, which identify and filter reflection-type DDoS attacks on the operator side and reduce the pressure on the enterprise's local network and protection equipment.
A first aspect of the present application provides a traffic suppression method for a reflection-type DDoS attack, applied to an operator-side backbone network or metropolitan area network, which includes:
receiving information of traffic to be distributed sent by an open server, where the information of the traffic to be distributed includes the protocol, the source port information and the destination IP address;
judging whether the information of the traffic to be distributed satisfies a preset filtering rule;
if the information of the traffic to be distributed satisfies the preset filtering rule, determining the traffic to be distributed to be attack traffic and discarding it;
if the information of the traffic to be distributed does not satisfy the preset filtering rule, determining the traffic to be distributed to be normal traffic and forwarding it to the destination IP address as normal.
Optionally, the preset filtering rule includes at least one protection information combination, each of which is a combination of a protocol, port information and a protected IP address, and judging whether the information of the traffic to be distributed satisfies the preset filtering rule includes:
judging whether the protocol, source port information and destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule;
if the protocol, source port information and destination IP address of the traffic to be distributed are judged to match a protection information combination in the preset filtering rule, determining the traffic to be distributed to be attack traffic;
if the protocol, source port information and destination IP address of the traffic to be distributed are judged to match none of the protection information combinations in the preset filtering rule, determining the traffic to be distributed to be normal traffic.
Optionally, in the traffic suppression method for the reflection-type DDoS attack, each protection information combination corresponds to one type of reflection attack.
Optionally, in the traffic suppression method for the reflection-type DDoS attack, an access control list is configured on a switch of the operator-side backbone network or metropolitan area network, and the preset filtering rule is added to that access control list.
A second aspect of the present application provides a traffic suppression device for a reflection-type DDoS attack, applied to an operator-side backbone network or metropolitan area network, which includes:
a receiving unit, configured to receive information of traffic to be distributed sent by an open server, where the information of the traffic to be distributed includes the protocol, the source port information and the destination IP address;
a judging unit, configured to judge whether the information of the traffic to be distributed satisfies a preset filtering rule;
a determining unit, configured to determine that the traffic to be distributed is attack traffic and discard it if the judging unit judges that the information of the traffic to be distributed satisfies the preset filtering rule;
the determining unit being further configured to determine that the traffic to be distributed is normal traffic and forward it to the destination IP address as normal if the judging unit judges that the information of the traffic to be distributed does not satisfy the preset filtering rule.
Optionally, the preset filtering rule includes at least one protection information combination, each of which is a combination of a protocol, port information and a protected IP address, and the judging unit includes:
a judging subunit, configured to judge whether the protocol, source port information and destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule;
wherein the determining unit is configured to:
determine that the traffic to be distributed is attack traffic if the judging subunit judges that the protocol, source port information and destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule;
and determine that the traffic to be distributed is normal traffic if the judging subunit judges that the protocol, source port information and destination IP address of the traffic to be distributed match none of the protection information combinations in the preset filtering rule.
Optionally, in the traffic suppression device for the reflection-type DDoS attack, each protection information combination corresponds to one type of reflection attack.
Optionally, in the traffic suppression device for the reflection-type DDoS attack, an access control list is configured on a switch of the operator-side backbone network or metropolitan area network, and the preset filtering rule is added to that access control list.
A third aspect of the present application provides a server comprising:
one or more processors;
a storage device having one or more programs stored thereon;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the traffic suppression method for a reflection-type DDoS attack described in any one of the first aspects.
A fourth aspect of the present application provides a computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements a method of traffic suppression for a reflection-type DDoS attack as set forth in any one of the first aspects.
In summary, the present application provides a traffic suppression method and a related device for reflection-type DDoS attacks. The method is applied to an operator-side backbone network or metropolitan area network and includes: on receiving the information of traffic to be distributed sent by an open server, judging whether that information, consisting of the protocol, the source port information and the destination IP address, satisfies a preset filtering rule; if it does, determining the traffic to be distributed to be attack traffic and discarding it; if it does not, determining the traffic to be distributed to be normal traffic and forwarding it to the destination IP address as normal. In this way the reflection-type DDoS attack is identified and filtered on the operator side, reducing the pressure on the enterprise's local network and protection equipment.
Drawings
To illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings required for describing them are briefly introduced below. The drawings described below show only embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a detailed flowchart of a traffic suppression method for a reflection-type DDoS attack according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of filtering traffic to be distributed according to another embodiment of the present application;
fig. 3 is a schematic diagram of a traffic suppression method for a reflective DDoS attack according to another embodiment of the present application;
fig. 4 is a schematic diagram of a traffic suppression apparatus for a reflective DDoS attack according to another embodiment of the present application;
fig. 5 is a schematic diagram of a server implementing a traffic suppression method for a reflective DDoS attack according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first", "second", and the like, referred to in this application, are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence of functions performed by these devices, modules or units, but the terms "include", or any other variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or apparatus that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or includes elements inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
In 2020 the frequency of DDoS attacks reached a new record, up 135% year over year, and attack volumes formally entered the terabit era. In terms of technique, however, UDP floods, which are mainly reflection attacks, remain dominant. A reflection-type DDoS attack does not depend on a large number of bots, its source is hard to trace, and traffic amplification lets it achieve a strong effect at low cost; UDP reflection-type DDoS attacks, being connectionless, without any handshake or flow control, and one-to-many, have become the most active type of high-volume DDoS attack.
For a large enterprise, locally deployed anti-DDoS equipment can only handle DDoS attacks whose volume stays within the Internet line bandwidth; attacks above that bandwidth can only be dealt with through the operator's traffic scrubbing service.
Therefore, an embodiment of the present application provides a traffic suppression method for a reflection-type DDoS attack, applied to an operator-side backbone network or metropolitan area network, which, as shown in Fig. 1, specifically includes the following steps:
S101, receiving information of traffic to be distributed sent by the open server.
The information of the traffic to be distributed comprises the protocol, the source port information and the destination IP address.
S102, judging whether the information of the traffic to be distributed satisfies a preset filtering rule.
Specifically, if the information of the traffic to be distributed satisfies the preset filtering rule, step S103 is executed; if it does not satisfy the preset filtering rule, step S104 is executed.
In one embodiment of the present application, the preset filtering rule includes at least one protection information combination, each of which is a combination of a protocol, port information and a protected IP address.
Optionally, in another embodiment of the present application, each protection information combination may also be assigned a reflection attack type, so that engineers can later quickly locate and analyse the cause of an event.
Since reflection-type DDoS attack traffic generally has a fixed protocol and a fixed source port, the common UDP reflection vectors and the source ports from which their reflected traffic arrives are listed in Table 1:
Reflection attack type   Protocol   Source port
NTP                      UDP        123
Memcached                UDP        11211
Chargen                  UDP        19
WS_DISCOVERY             UDP        3702
QOTD                     UDP        17
TFTP                     UDP        69
CLDAP                    UDP        389
SSDP                     UDP        1900
PORTMAP                  UDP        111
SNMP                     UDP        161
Table 1
Optionally, in another embodiment of the present application, the preset filtering rule may be implemented and applied by configuring an access control list on a switch of the operator-side backbone network or metropolitan area network and adding the preset filtering rule to that access control list, although the implementation is not limited to this.
Optionally, in another embodiment of the present application, based on the preset filtering rule, an implementation of step S102, as shown in Fig. 2, includes:
S201, judging whether the protocol, source port information and destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule.
Specifically, if the protocol, source port information and destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule, step S202 is executed; if they match none of the protection information combinations in the preset filtering rule, step S203 is executed.
S202, determining the traffic to be distributed to be attack traffic.
S203, determining the traffic to be distributed to be normal traffic.
For example, if the protocol, source port information and destination IP address of the traffic to be distributed successfully match the protocol, source port information and protected IP address of protection information combination X in the preset filtering rule, the traffic to be distributed is attack traffic.
Continuing the example, if the reflection attack type corresponding to protection information combination X is QOTD, the traffic to be distributed is tagged QOTD so that engineers can later quickly locate and analyse the cause.
S103, determining the traffic to be distributed to be attack traffic and discarding it.
S104, determining the traffic to be distributed to be normal traffic and forwarding it to the destination IP address as normal.
As shown in Fig. 3, the attacker sends requests to an open server with the source address forged as the victim's address. The open server's responses are addressed to the victim but must transit the operator's network to reach it. At that point the operator-side backbone network or metropolitan area network matches each response, i.e. the traffic to be distributed, against the preset filtering rule. If the match succeeds, the traffic is attack traffic and is filtered and discarded. If it does not match, the traffic is treated as normal and forwarded, according to the destination IP address in its header, to the enterprise's Internet entrance, where the enterprise's anti-DDoS equipment identifies and analyses it a second time; if nothing abnormal is found, it is delivered to the protected system.
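The filter of steps S101 to S104, with the rule matching of S201 to S203 and the access-control-list deployment on the operator switch, written out as an added Python example; this is not code from the patent or from China Construction Bank. The protected prefix 203.0.113.0/24, the sample packets and all function names are constructed for illustration, and the ACL rendering assumes IOS-style extended-ACL syntax on the operator's switch. The example also makes two limits of the three-tuple rule visible: a rule on (protocol, source port, destination IP) also matches legitimate replies from those ports, so a protected host that itself queries an external NTP or SNMP server will lose the answers; and a non-first IP fragment carries no UDP header, so a source-port rule cannot match it and fragmented amplified responses need separate handling (the sample labelled ntp-fragment is forwarded).

```python
import ipaddress
import struct

# Table 1 of the patent: reflection attack type -> (protocol, fixed source port).
REFLECTION_VECTORS = {
    "NTP": ("udp", 123), "Memcached": ("udp", 11211), "Chargen": ("udp", 19),
    "WS_DISCOVERY": ("udp", 3702), "QOTD": ("udp", 17), "TFTP": ("udp", 69),
    "CLDAP": ("udp", 389), "SSDP": ("udp", 1900), "PORTMAP": ("udp", 111),
    "SNMP": ("udp", 161),
}

# Constructed protected prefix (RFC 5737 documentation range) standing in for the
# enterprise's Internet entrance addresses; an assumption, not from the patent.
PROTECTED = [ipaddress.ip_network("203.0.113.0/24")]

PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_rules(vectors=REFLECTION_VECTORS, protected=PROTECTED):
    """One 'protection information combination' per (attack type, protected prefix):
    (type label, protocol, source port, protected network)."""
    return [(name, proto, sport, net)
            for name, (proto, sport) in vectors.items() for net in protected]


def parse_ipv4(pkt: bytes):
    """Extract (protocol, src, dst, sport) from a raw IPv4 packet.
    sport is None when no transport header is available: a non-first fragment,
    a truncated packet, or a protocol without ports."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = PROTO_NAMES.get(pkt[9], str(pkt[9]))
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    sport = None
    if proto in ("tcp", "udp") and frag_offset == 0 and len(pkt) >= ihl + 4:
        sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    return proto, src, dst, sport


def classify(pkt: bytes, rules):
    """Steps S102 / S201-S203: match (protocol, source port, destination IP) against
    the rule set. Returns ("drop", attack type) on a match, else ("forward", None)."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "forward", None
    proto, _src, dst, sport = hdr
    for name, r_proto, r_sport, net in rules:
        if proto == r_proto and sport == r_sport and dst in net:
            return "drop", name
    return "forward", None


def render_acl(rules, acl_name="ANTI-REFLECTION"):
    """Render the rule set as IOS-style extended ACL lines (the syntax is an
    assumption about the operator's switch). A trailing permit keeps everything
    else flowing; the implicit deny at the end of an ACL would otherwise blackhole it."""
    lines = [f"ip access-list extended {acl_name}"]
    for name, proto, sport, net in rules:
        lines.append(f" remark {name} reflection")
        lines.append(f" deny {proto} any eq {sport} {net.network_address} {net.hostmask}")
    lines.append(" permit ip any any")
    return lines


def make_packet(src, dst, sport, dport, payload=b"", proto=17, frag_offset=0):
    """Constructed IPv4 header plus a UDP-shaped L4 header for test input
    (checksums left zero; only the fields the filter reads matter here)."""
    l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_offset, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + l4


def run_demo():
    """Classify constructed samples: reflected responses aimed at a protected host,
    a legitimate DNS reply, traffic to an unprotected host, TCP, and a non-first fragment."""
    rules = build_rules()
    victim = "203.0.113.10"
    samples = {
        "ntp-reflection": make_packet("198.51.100.5", victim, 123, 40000, b"\x00" * 440),
        "memcached-reflection": make_packet("198.51.100.7", victim, 11211, 40001, b"\x00" * 1400),
        "dns-reply": make_packet("198.51.100.53", victim, 53, 40002, b"\x00" * 100),
        "ntp-to-unprotected": make_packet("198.51.100.5", "192.0.2.9", 123, 40003),
        "tcp-https": make_packet("198.51.100.8", victim, 443, 40004, proto=6),
        "ntp-fragment": make_packet("198.51.100.5", victim, 123, 40005, frag_offset=100),
    }
    return {label: classify(pkt, rules) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:22s} -> {verdict}")
    print("\n".join(render_acl(build_rules())))
```

Each deny line is one protection information combination, and the remark carries the attack-type tag of step S201 so that a hit on the counter for that entry already tells the operator which vector is in play. Before deploying such a rule set, confirm that no protected address legitimately receives replies from the listed ports.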
The method and device suit medium and large enterprises that subscribe to operator security services. They provide real-time defence with a zero-second response, intercept attack traffic outside the enterprise network so that the Internet entrance cannot be saturated by it, and require no manual intervention or protective action. For both the operator and the enterprise, the load on traffic scrubbing equipment is greatly reduced, and there is no need to worry about an attack volume exceeding the maximum scrubbing capacity of the hardware or the ceiling of a purchased third-party scrubbing service.
The application thus provides a traffic suppression method for reflection-type DDoS attacks, applied to the operator-side backbone network or metropolitan area network, which includes: on receiving the information of traffic to be distributed sent by an open server, judging whether that information, consisting of the protocol, the source port information and the destination IP address, satisfies a preset filtering rule; if it does, determining the traffic to be distributed to be attack traffic and discarding it; if it does not, determining the traffic to be distributed to be normal traffic and forwarding it to the destination IP address as normal. In this way the reflection-type DDoS attack is identified and filtered on the operator side, reducing the pressure on the enterprise's local network and protection equipment.
Another embodiment of the present application provides a traffic suppression apparatus for a reflection-type DDoS attack, applied to an operator-side backbone network or metropolitan area network, which, as shown in Fig. 4, specifically includes:
A receiving unit 401, configured to receive information of traffic to be distributed sent by an open server.
The information of the traffic to be distributed comprises the protocol, the source port information and the destination IP address.
A judging unit 402, configured to judge whether the information of the traffic to be distributed satisfies a preset filtering rule.
A determining unit 403, configured to determine that the traffic to be distributed is attack traffic and discard it if the judging unit 402 judges that the information of the traffic to be distributed satisfies the preset filtering rule.
The determining unit 403 is further configured to determine that the traffic to be distributed is normal traffic and forward it to the destination IP address as normal if the judging unit 402 judges that the information of the traffic to be distributed does not satisfy the preset filtering rule.
For a specific working process of the unit disclosed in the above embodiment of the present application, reference may be made to the content of the corresponding method embodiment, as shown in fig. 1, which is not described herein again.
Optionally, in another embodiment of the present application, the preset filtering rule includes at least one protection information combination, each of which is a combination of a protocol, port information and a protected IP address, and the judging unit 402 in one embodiment includes:
A judging subunit, configured to judge whether the protocol, source port information and destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule.
The determining unit 403 is then configured to:
determine that the traffic to be distributed is attack traffic if the judging subunit judges that the protocol, source port information and destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule;
and determine that the traffic to be distributed is normal traffic if the judging subunit judges that the protocol, source port information and destination IP address of the traffic to be distributed match none of the protection information combinations in the preset filtering rule.
For a specific working process of the unit disclosed in the above embodiment of the present application, reference may be made to the content of the corresponding method embodiment, as shown in fig. 2, which is not described herein again.
Optionally, in another embodiment of the present application, each protection information combination in the traffic suppression apparatus for the reflection-type DDoS attack corresponds to one reflection attack type.
Optionally, in another embodiment of the present application, in an implementation process of the traffic suppression device for the reflective DDoS attack, an access control list is set on a switch of the carrier-side backbone network or the metropolitan area network, and a preset filtering rule is added to the access control list.
The application thus provides a traffic suppression device for reflection-type DDoS attacks, applied to an operator-side backbone network or metropolitan area network, in which: the receiving unit 401 receives the information of traffic to be distributed sent by an open server, consisting of the protocol, the source port information and the destination IP address, and the judging unit 402 judges whether that information satisfies a preset filtering rule; if the judging unit 402 judges that the preset filtering rule is satisfied, the determining unit 403 determines the traffic to be distributed to be attack traffic and discards it; if the judging unit 402 judges that the preset filtering rule is not satisfied, the determining unit 403 determines the traffic to be distributed to be normal traffic and forwards it to the destination IP address as normal. In this way the reflection-type DDoS attack is identified and filtered on the operator side, reducing the pressure on the enterprise's local network and protection equipment.
Another embodiment of the present application provides a server, as shown in fig. 5, including:
one or more processors 501.
A storage device 502 on which one or more programs are stored.
The one or more programs, when executed by the one or more processors 501, cause the one or more processors 501 to implement the traffic suppression method for a reflection-type DDoS attack described in any of the above embodiments.
Another embodiment of the present application provides a computer storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements a traffic suppression method for a reflection-type DDoS attack as described in any one of the above embodiments.
In the above embodiments disclosed in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present disclosure may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part. The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a live broadcast device, or a network device) to execute all or part of the steps of the method according to the embodiments of the present disclosure. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A traffic suppression method for a reflection-type DDoS attack, characterized in that it is applied to an operator-side backbone network or metropolitan area network and comprises the following steps:
receiving information of traffic to be distributed sent by an open server, wherein the information of the traffic to be distributed includes a protocol, source port information and a destination IP address;
judging whether the information of the traffic to be distributed meets a preset filtering rule;
if the information of the traffic to be distributed meets the preset filtering rule, determining that the traffic to be distributed is attack traffic and discarding the traffic to be distributed;
if the information of the traffic to be distributed does not meet the preset filtering rule, determining that the traffic to be distributed is normal traffic and normally sending the traffic to be distributed to the destination IP address.
2. The traffic suppression method according to claim 1, wherein the preset filtering rule comprises at least one protection information combination, each protection information combination being a combination of a protocol, port information and a protected IP address, and wherein judging whether the information of the traffic to be distributed meets the preset filtering rule comprises:
judging whether the protocol, the source port information and the destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule;
if the protocol, the source port information and the destination IP address of the traffic to be distributed are judged to match a protection information combination in the preset filtering rule, determining that the traffic to be distributed is attack traffic;
and if the protocol, the source port information and the destination IP address of the traffic to be distributed are judged not to match any protection information combination in the preset filtering rule, determining that the traffic to be distributed is normal traffic.
3. The traffic suppression method according to claim 2, wherein each protection information combination corresponds to one type of reflection attack.
4. The traffic suppression method according to claim 1, wherein an access control list is configured on a switch of the operator-side backbone network or metropolitan area network, and the preset filtering rule is added to the access control list.
5. A traffic suppression device for a reflection-type DDoS attack, characterized in that it is applied to an operator-side backbone network or metropolitan area network and comprises:
a receiving unit, configured to receive information of traffic to be distributed sent by an open server, wherein the information of the traffic to be distributed includes a protocol, source port information and a destination IP address;
a judging unit, configured to judge whether the information of the traffic to be distributed meets a preset filtering rule;
a determining unit, configured to determine that the traffic to be distributed is attack traffic and discard the traffic to be distributed if the judging unit judges that the information of the traffic to be distributed meets the preset filtering rule;
the determining unit being further configured to determine that the traffic to be distributed is normal traffic and normally send the traffic to be distributed to the destination IP address if the judging unit judges that the information of the traffic to be distributed does not meet the preset filtering rule.
6. The traffic suppression device according to claim 5, wherein the preset filtering rule comprises at least one protection information combination, each protection information combination being a combination of a protocol, port information and a protected IP address, and wherein the judging unit comprises:
a judging subunit, configured to judge whether the protocol, the source port information and the destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule;
and wherein the determining unit is configured to:
determine that the traffic to be distributed is attack traffic if the judging subunit judges that the protocol, the source port information and the destination IP address of the traffic to be distributed match a protection information combination in the preset filtering rule;
and determine that the traffic to be distributed is normal traffic if the judging subunit judges that the protocol, the source port information and the destination IP address of the traffic to be distributed do not match any protection information combination in the preset filtering rule.
7. The traffic suppression device according to claim 6, wherein each protection information combination corresponds to one type of reflection attack.
8. The traffic suppression device according to claim 5, wherein an access control list is configured on a switch of the operator-side backbone network or metropolitan area network, and the preset filtering rule is added to the access control list.
9. A server, comprising:
one or more processors;
a storage device having one or more programs stored thereon;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the traffic suppression method for a reflection-type DDoS attack according to any one of claims 1 to 4.
10. A computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements a method of traffic suppression for a reflection-type DDoS attack as claimed in any one of claims 1 to 4.
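The decision procedure of claims 1 to 4, and its device-side mirror in claims 5 to 8, as an added Python example that is not part of the patent: the preset filtering rule is a set of protocol/source-port/protected-prefix combinations, one per reflection attack type, and traffic information matching any combination is discarded while everything else is sent on to its destination. The protected prefix 203.0.113.0/24, the four protocol/port pairs and the attack-type labels are constructed sample values, not taken from the patent.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Information of the traffic to be distributed (claim 1): protocol, source port, destination IP.
TrafficInfo = namedtuple("TrafficInfo", "protocol source_port dst_ip")

@dataclass(frozen=True)
class ProtectionRule:
    """Protection information combination (claims 2-3): protocol, reflector source port,
    protected destination prefix, and the reflection attack type it corresponds to."""
    protocol: str
    source_port: int
    protected: object  # an ipaddress network object
    attack_type: str

# Constructed preset filtering rule set: the protected prefix is the documentation range
# 203.0.113.0/24 and each protocol/port pair is a well-known UDP amplification vector.
PROTECTED = ip_network("203.0.113.0/24")
PRESET_FILTERING_RULES = (
    ProtectionRule("udp", 53, PROTECTED, "DNS amplification"),
    ProtectionRule("udp", 123, PROTECTED, "NTP amplification"),
    ProtectionRule("udp", 1900, PROTECTED, "SSDP amplification"),
    ProtectionRule("udp", 11211, PROTECTED, "memcached amplification"),
)

def match_rule(info, rules=PRESET_FILTERING_RULES):
    """First combination matching protocol, source port and destination prefix, else None."""
    dst = ip_address(info.dst_ip)
    for rule in rules:
        if (rule.protocol == info.protocol.lower()
                and rule.source_port == info.source_port and dst in rule.protected):
            return rule
    return None

def classify(info, rules=PRESET_FILTERING_RULES):
    """Claim 1 decision: 'drop' when the information meets the preset filtering rule, else 'forward'."""
    return "drop" if match_rule(info, rules) else "forward"

def filter_traffic(infos, rules=PRESET_FILTERING_RULES):
    """Split a batch into forwarded records and (record, attack type) pairs that were dropped."""
    forwarded, dropped = [], []
    for info in infos:
        rule = match_rule(info, rules)
        if rule is None:
            forwarded.append(info)
        else:
            dropped.append((info, rule.attack_type))
    return forwarded, dropped
```

Because the match keys only on protocol, source port and destination, a genuine DNS reply from a resolver to a host inside the protected prefix is dropped just like a reflected flood; the protected set should therefore cover only hosts that do not need to receive such responses.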

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111181763.7A CN113923027A (en) 2021-10-11 2021-10-11 Traffic suppression method for reflective DDoS attack and related device

Publications (1)

Publication Number Publication Date
CN113923027A true CN113923027A (en) 2022-01-11

Family

ID=79239013

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447996A (en) * 2008-12-31 2009-06-03 成都市华为赛门铁克科技有限公司 Defense method, system and device for distributed denial-of-service attacks
CN107241301A (en) * 2016-03-29 2017-10-10 阿里巴巴集团控股有限公司 Method, device and system for defending against reflection attacks
CN109194680A (en) * 2018-09-27 2019-01-11 腾讯科技(深圳)有限公司 Network attack identification method, device and equipment
US20190230116A1 (en) * 2018-01-25 2019-07-25 Charter Communications Operating, Llc Distributed denial-of-service attack mitigation with reduced latency

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination