CN114039763A - Distributed denial of service attack defense method and device and server - Google Patents

Publication number: CN114039763A
Authority: CN (China)
Prior art keywords: type; data packet; storage module; abnormal data; prestored
Legal status: Withdrawn (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202111300246.7A
Other languages: Chinese (zh)
Inventors: 徐顺格, 范渊, 黄进
Current Assignee: DBAPPSecurity Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202111300246.7A
Publication of CN114039763A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The scheme first obtains the network traffic of a target host in the current period. After the network traffic reaches the corresponding threshold, it judges whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in a storage module. If so, the data packet is intercepted; if not, it further judges whether the type of the data packet is a newly added abnormal data packet type, and if so, the data packet is intercepted. The scheme thus makes a preliminary judgment using the network traffic threshold, directly intercepts data packets in the current period whose type matches an abnormal data packet that has appeared before once the threshold is reached, and performs the subsequent judgment on data packets of other types. This judgment process improves the efficiency and accuracy with which distributed denial of service attacks on the target host are identified, and also improves the security of the target host.

Description

Distributed denial of service attack defense method and device and server
Technical Field
The invention relates to the defense field, in particular to a defense method, a defense device and a server for distributed denial of service attacks.
Background
The basic principle of a distributed denial of service attack is to send a large number of invalid data packets to a target host, so that a large share of the target host's network resources is occupied and the target host cannot respond to legitimate requests from legitimate users or provide normal service. At present, the prior art has no mature defense scheme for distributed denial of service attacks; how to provide an efficient and accurate defense scheme that keeps the target host working normally is therefore a problem that those skilled in the art need to solve.
Disclosure of Invention
The invention aims to provide a defense method, a defense device and a defense server for distributed denial of service attack.
In order to solve the technical problem, the invention provides a defense method for a distributed denial of service attack, which comprises the following steps:
acquiring the network traffic of a target host in the current period;
if the network traffic reaches the network traffic threshold of the target host, judging whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in the storage module;
if a data packet in the current period has the same type as an abnormal data packet prestored in the storage module, intercepting the data packets whose type is the same as the type of the abnormal data packets prestored in the storage module;
if a data packet in the current period has a type different from the types of the abnormal data packets prestored in the storage module, judging whether the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is a newly added abnormal data packet type;
and if it is a newly added abnormal data packet type, intercepting the data packets whose type differs from the types of the abnormal data packets prestored in the storage module.
Preferably, acquiring the network traffic of the target host in the current period includes:
capturing the data packets of the target host in the current period with a network packet capture tool;
and calculating the sum of the sizes of the data packets in the current period to obtain the network traffic in the current period.
Preferably, judging whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in the storage module includes:
extracting the header characteristic information of the data packets in the current period;
judging whether the header characteristic information of the abnormal data packets prestored in the storage module includes the header characteristic information of a data packet in the current period;
if so, judging that the type of that data packet is the same as the type of an abnormal data packet prestored in the storage module;
if not, judging that the type of that data packet is different from the types of the abnormal data packets prestored in the storage module.
Preferably, judging whether the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is a newly added abnormal data packet type includes:
judging whether a preset number of small packets exist among the data packets whose type differs from the types of the abnormal data packets prestored in the storage module, where a small packet is a data packet whose size is smaller than a preset value;
if so, judging that the types of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module are all newly added abnormal data packet types;
if not, judging that the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is not a newly added abnormal data packet type.
Preferably, before judging that the types of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module are all newly added abnormal data packet types, the method further includes:
sending an identification question to the user;
if no reply is received within a preset time period, or an incorrect reply from the user to the identification question is received, proceeding to the step of judging that the types of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module are all newly added abnormal data packet types;
and if a correct reply from the user to the identification question is received within the preset time period, judging that the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is not a newly added abnormal data packet type.
Preferably, before sending the identification question to the user, the method further includes:
sending attack prompt information to a prompt module.
Preferably, sending the identification question to the user includes:
sending a graphical verification code to the user.
Preferably, after intercepting, when the type is judged to be a newly added abnormal data packet type, the data packets whose type differs from the types of the abnormal data packets prestored in the storage module, the method further includes:
storing the intercepted data packets in the storage module.
In order to solve the above technical problem, the present invention further provides a defense apparatus for distributed denial of service attacks, including:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the method for defending against a distributed denial of service attack described above.
In order to solve the technical problem, the invention also provides a server which comprises the defense device for the distributed denial of service attack.
The scheme first obtains the network traffic of a target host in the current period. After the network traffic reaches the corresponding threshold, it judges whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in a storage module. If so, the data packet is intercepted; if not, it further judges whether the type of the data packet is a newly added abnormal data packet type, and if so, the data packet is intercepted. The scheme thus makes a preliminary judgment using the network traffic threshold, directly intercepts data packets in the current period whose type matches an abnormal data packet that has appeared before once the threshold is reached, and performs the subsequent judgment on data packets of other types. This judgment process improves the efficiency and accuracy with which distributed denial of service attacks on the target host are identified, and also improves the security of the target host.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the prior art and the embodiments are briefly described below. The drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of a defense method for a distributed denial of service attack according to the present invention;
FIG. 2 is a schematic structural diagram of a distributed denial of service attack defense apparatus provided in the present invention.
Detailed Description
The core of the invention is to provide a defense method, device and server for distributed denial of service attacks. The scheme improves the efficiency and accuracy with which distributed denial of service attacks on the target host are identified, and also improves the security of the target host.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of the defense method for a distributed denial of service attack provided by the present invention. The method includes:
S11: acquiring the network traffic of a target host in the current period;
S12: if the network traffic reaches the network traffic threshold of the target host, judging whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in the storage module; if so, entering S13, and if not, entering S14;
S13: intercepting the data packets whose type is the same as the type of the abnormal data packets prestored in the storage module;
S14: judging whether the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is a newly added abnormal data packet type; if so, entering S15;
S15: intercepting the data packets whose type differs from the types of the abnormal data packets prestored in the storage module.
Considering that in the prior art the efficiency and accuracy with which distributed denial of service attacks on the target host are identified are low, the present application makes a preliminary judgment using the threshold on the network traffic of the target host in the current period, directly intercepts data packets in the current period whose type matches an abnormal data packet that has appeared before once the threshold is reached, and performs the subsequent judgment on data packets of other types. This judgment process improves the efficiency and accuracy with which distributed denial of service attacks on the target host are identified.
Specifically, the network traffic of the target host is acquired periodically so that the network traffic is monitored in real time; the length of the period is determined according to the actual situation and is not particularly limited here.
It should be noted that there are three cases for the types of the data packets in the current period. Case one: all of them are of the same type as the abnormal data packets prestored in the storage module. Case two: some of them are of the same type as the abnormal data packets prestored in the storage module. Case three: all of them differ in type from the abnormal data packets prestored in the storage module. In the judgment of step S12, as long as there are data packets of the same type as the abnormal data packets prestored in the storage module, those data packets are intercepted; this covers cases one and two. If there are data packets whose type differs from the types of the abnormal data packets prestored in the storage module, the subsequent judgment is performed on those data packets; this covers cases two and three.
In summary, the present application provides a defense method for distributed denial of service attacks. The method first obtains the network traffic of a target host in the current period. After the network traffic reaches the corresponding threshold, it judges whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in a storage module. If so, the data packet is intercepted; if not, it further judges whether the type of the data packet is a newly added abnormal data packet type, and if so, the data packet is intercepted. The scheme thus makes a preliminary judgment using the network traffic threshold, directly intercepts data packets in the current period whose type matches an abnormal data packet that has appeared before once the threshold is reached, and performs the subsequent judgment on data packets of other types. This judgment process improves the efficiency and accuracy with which distributed denial of service attacks on the target host are identified, and also improves the security of the target host.
On the basis of the above-described embodiment:
As a preferred embodiment, acquiring the network traffic of the target host in the current period includes:
capturing the data packets of the target host in the current period with a network packet capture tool;
and calculating the sum of the sizes of the data packets in the current period to obtain the network traffic in the current period.
In this embodiment, the network traffic of the target host in the current period is calculated from the data packets. Specifically, the network packet capture tool may be network packet analysis software, which is not particularly limited here. The data packets captured by the tool can be converted into log files and stored in the Hadoop Distributed File System (HDFS), which solves the storage problem ahead of computation on large traffic volumes and makes such computation easier to handle.
Meanwhile, the sum of the sizes of the data packets in the current period can be calculated by the Flink big data analysis and computing engine, which executes arbitrary stream data programs in a data-parallel and pipelined manner and can therefore improve computational efficiency.
In sum, the data packets in the current period are captured first, and the traffic in the current period is then calculated as the sum of their sizes, which makes extracting and calculating the traffic more convenient.
As a preferred embodiment, judging whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in the storage module includes:
extracting the header characteristic information of the data packets in the current period;
judging whether the header characteristic information of the abnormal data packets prestored in the storage module includes the header characteristic information of a data packet in the current period;
if so, judging that the type of that data packet is the same as the type of an abnormal data packet prestored in the storage module;
if not, judging that the type of that data packet is different from the types of the abnormal data packets prestored in the storage module.
In this embodiment, by judging whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in the storage module, data packets of the same type as the prestored abnormal data packets are intercepted directly, which improves the efficiency of identifying distributed denial of service attacks.
Specifically, the types of data packets are distinguished by their header characteristic information, and each data packet is judged in turn; the abnormal data packet types prestored in the storage module can be the data packet types of existing distributed denial of service attacks.
In summary, with the judgment of this embodiment, data packets of the same type as those of existing distributed denial of service attacks are intercepted quickly, which improves the efficiency and accuracy of identifying distributed denial of service attacks.
As a preferred embodiment, judging whether the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is a newly added abnormal data packet type includes:
judging whether a preset number of small packets exist among the data packets whose type differs from the types of the abnormal data packets prestored in the storage module, where a small packet is a data packet whose size is smaller than a preset value;
if so, judging that the types of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module are all newly added abnormal data packet types;
if not, judging that the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is not a newly added abnormal data packet type.
In this embodiment, by judging whether the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is a newly added abnormal data packet type, the data packets judged to be of a newly added abnormal data packet type are intercepted, which improves the security of the target host.
Specifically, according to the pattern of change of network traffic, when traffic increases sharply it can be judged that a preset number of small packets is relatively likely to be present; the preset value for the size of a small packet is determined according to the actual situation and is not particularly limited here. When the preset number of small packets is present, the data packets whose type differs from the types of the abnormal data packets prestored in the storage module are intercepted and their types are judged to be newly added abnormal data packet types, because a distributed denial of service attack takes the form of a large number of small packets.
In conclusion, the presence of the preset number of small packets is used to judge that a type is an abnormal data packet type newly added by a distributed denial of service attack, which improves the security of the target host.
As a preferred embodiment, before judging that the types of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module are all newly added abnormal data packet types, the method further includes:
sending an identification question to the user;
if no reply is received within a preset time period, or an incorrect reply from the user to the identification question is received, proceeding to the step of judging that the types of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module are all newly added abnormal data packet types;
and if a correct reply from the user to the identification question is received within the preset time period, judging that the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is not a newly added abnormal data packet type.
In this embodiment, before the types are all judged to be newly added abnormal data packet types, an identification question is sent to the user so that the judgment is made again, which prevents misjudgment.
Specifically, when the target host is under a distributed denial of service attack: if no reply to the identification question is received, the data packets are judged to be newly added abnormal data packets and are intercepted; if a legitimate user sends an incorrect reply, the data packets are likewise judged to be newly added abnormal data packets and are intercepted; only when a correct reply is received are the data packets not judged to be newly added abnormal data packets, and access is allowed. The preset time period is determined according to the actual situation and is not particularly limited.
In conclusion, making the judgment again by sending the identification question reduces the probability of misjudgment and safeguards access for legitimate users.
As a preferred embodiment, before sending the identification question to the user, the method further includes:
sending attack prompt information to a prompt module.
In this embodiment, before the identification question is sent to the user, attack prompt information is also sent to the prompt module as an early warning, which improves the security of the target host.
As a preferred embodiment, sending the identification question to the user includes:
sending a graphical verification code to the user.
In this embodiment, the identification question sent to the user is a graphical verification code, and the judgment is made again through the graphical verification code to prevent misjudgment. Identification questions here include, but are not limited to, graphical verification codes.
As a preferred embodiment, after intercepting, when the type is judged to be a newly added abnormal data packet type, the data packets whose type differs from the types of the abnormal data packets prestored in the storage module, the method further includes:
storing the intercepted data packets in the storage module.
In this embodiment, all intercepted data packets, both those judged to be of a newly added abnormal data packet type and those whose type is the same as an abnormal data packet type prestored in the storage module, are stored in the storage module, so that when the target host is attacked again, data packets of the same type as the abnormal data packets already in the storage module can be removed quickly, which improves the efficiency and accuracy of identifying distributed denial of service attacks.
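The flow S11 to S15 together with the preferred embodiments above (traffic as the sum of packet sizes, header-feature matching, the small-packet count, the identification question, and storing intercepted types), as an added Python example that is not part of the patent. The `Packet` fields, the use of (protocol, destination port, flags) as header characteristic information, the per-source `challenge` callback and every threshold value are assumptions; the sample traffic is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Signature = Tuple[str, int, str]


@dataclass(frozen=True)
class Packet:
    src: str     # source address
    proto: str   # "tcp", "udp", ...
    dport: int   # destination port
    flags: str   # TCP flags, "" for other protocols
    size: int    # packet size in bytes


def header_signature(pkt: Packet) -> Signature:
    """Assumed header characteristic information: protocol, port, flags."""
    return (pkt.proto, pkt.dport, pkt.flags)


@dataclass
class PeriodResult:
    traffic: int
    blocked: List[Packet]
    allowed: List[Packet]
    new_signatures: Set[Signature]


@dataclass
class Defender:
    traffic_threshold: int    # bytes per period that trigger inspection
    small_packet_size: int    # packets below this size are small packets
    small_packet_count: int   # preset number of small packets
    # Identification question: True = correct reply, False = wrong reply,
    # None = no reply within the preset time period.
    challenge: Callable[[str], Optional[bool]]
    known_abnormal: Set[Signature] = field(default_factory=set)  # storage module
    alerts: List[str] = field(default_factory=list)              # prompt module

    def process_period(self, packets: Iterable[Packet]) -> PeriodResult:
        packets = list(packets)
        traffic = sum(p.size for p in packets)                   # S11
        if traffic < self.traffic_threshold:
            return PeriodResult(traffic, [], packets, set())
        # S12/S13: intercept packets whose type is already stored.
        blocked = [p for p in packets if header_signature(p) in self.known_abnormal]
        unknown = [p for p in packets if header_signature(p) not in self.known_abnormal]
        # S14: a preset number of small packets among the unknown types?
        small = sum(1 for p in unknown if p.size < self.small_packet_size)
        if small < self.small_packet_count:
            return PeriodResult(traffic, blocked, unknown, set())
        self.alerts.append(f"possible DDoS: {small} small packets of unknown type")
        passed: Dict[str, bool] = {}
        allowed: List[Packet] = []
        new_sigs: Set[Signature] = set()
        for p in unknown:
            if p.src not in passed:                 # ask each source once
                passed[p.src] = self.challenge(p.src) is True
            if passed[p.src]:
                allowed.append(p)
            else:
                blocked.append(p)                                # S15
                new_sigs.add(header_signature(p))
        self.known_abnormal |= new_sigs             # store intercepted types
        return PeriodResult(traffic, blocked, allowed, new_sigs)


def demo():
    """Two attack periods and one quiet period over constructed traffic."""
    legit = "198.51.100.7"
    asked: List[str] = []

    def challenge(src: str) -> Optional[bool]:
        asked.append(src)
        return True if src == legit else None       # flood sources never reply

    d = Defender(traffic_threshold=10_000, small_packet_size=64,
                 small_packet_count=100, challenge=challenge)
    flood = [Packet(f"203.0.113.{i % 50}", "udp", 53, "", 40) for i in range(300)]
    web = [Packet(legit, "tcp", 443, "PA", 1200) for _ in range(5)]
    first = d.process_period(flood + web)    # new type learned via challenge
    second = d.process_period(flood + web)   # stored type blocked directly
    quiet = d.process_period(flood[:10])     # below threshold: not inspected
    return d, first, second, quiet, asked


if __name__ == "__main__":
    d, first, second, quiet, asked = demo()
    print(len(first.blocked), len(second.blocked), len(quiet.blocked), len(asked))
```

As in the described method, nothing is inspected below the traffic threshold, so the `quiet` period passes packets whose type is already in the storage module.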
Referring to fig. 2, fig. 2 is a schematic structural diagram of a distributed denial of service attack defense apparatus provided in the present invention, the distributed denial of service attack defense apparatus includes:
a memory 1 for storing a computer program;
a processor 2 for executing a computer program for implementing the steps of the above-described method of defending against a distributed denial of service attack.
For an introduction of the distributed denial of service attack defense apparatus provided in the present application, please refer to the above embodiments, which are not described herein again.
The application also provides a server which comprises a defense device for the distributed denial of service attack.
For the introduction of a server provided in the present application, please refer to the above embodiments, which are not described herein again.
It should be noted that, in the present specification, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for defending against a distributed denial of service attack, comprising:
acquiring the network traffic of a target host in the current period;
if the network traffic reaches the network traffic threshold of the target host, judging whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in the storage module;
if a data packet in the current period has the same type as an abnormal data packet prestored in the storage module, intercepting the data packets whose type is the same as the type of the abnormal data packets prestored in the storage module;
if a data packet in the current period has a type different from the types of the abnormal data packets prestored in the storage module, judging whether the type of the data packets whose type differs from the types of the abnormal data packets prestored in the storage module is a newly added abnormal data packet type;
and if it is a newly added abnormal data packet type, intercepting the data packets whose type differs from the types of the abnormal data packets prestored in the storage module.
2. The method for defending against a distributed denial of service attack as set forth in claim 1, wherein acquiring the network traffic of the target host in the current period comprises:
capturing the data packets of the target host in the current period with a network packet capture tool;
and calculating the sum of the sizes of the data packets in the current period to obtain the network traffic in the current period.
3. The method for defending against a distributed denial of service attack as set forth in claim 1, wherein judging whether the type of a data packet in the current period is the same as the type of an abnormal data packet prestored in the storage module comprises:
extracting the header characteristic information of the data packets in the current period;
judging whether the header characteristic information of the abnormal data packets prestored in the storage module includes the header characteristic information of a data packet in the current period;
if so, judging that the type of that data packet is the same as the type of an abnormal data packet prestored in the storage module;
if not, judging that the type of that data packet is different from the types of the abnormal data packets prestored in the storage module.
4. The method for defending against a distributed denial of service attack according to claim 1, wherein judging whether the type of the data packet whose type is different from the type of the abnormal data packet prestored in the storage module is the type of a newly added abnormal data packet comprises:
judging whether a preset number of small packets exist among the data packets whose types are different from the type of the abnormal data packet prestored in the storage module, wherein a small packet is a data packet whose size is smaller than a preset value;
if so, judging that the types of the data packets whose types are different from the type of the abnormal data packet prestored in the storage module are all types of newly added abnormal data packets;
if not, judging that the type of the data packet whose type is different from the type of the abnormal data packet prestored in the storage module is not the type of a newly added abnormal data packet.
5. The method for defending against a distributed denial of service attack according to claim 4, wherein, before judging that the types of the data packets whose types are different from the type of the abnormal data packet prestored in the storage module are all types of newly added abnormal data packets, the method further comprises:
sending an identification question to the user;
if no reply is received within a preset time period, or an incorrect reply from the user to the identification question is received, proceeding to the step of judging that the types of the data packets whose types are different from the type of the abnormal data packet prestored in the storage module are all types of newly added abnormal data packets;
and if a correct reply from the user to the identification question is received within the preset time period, judging that the type of the data packet whose type is different from the type of the abnormal data packet prestored in the storage module is not the type of a newly added abnormal data packet.
6. The method for defending against a distributed denial of service attack according to claim 5, wherein, before sending the identification question to the user, the method further comprises:
sending attack prompt information to a prompt module.
7. The method for defending against a distributed denial of service attack according to claim 5, wherein sending the identification question to the user comprises:
sending a graphical passcode to the user.
8. The method for defending against a distributed denial of service attack according to any one of claims 1 to 7, wherein, if it is the type of a newly added abnormal data packet, after intercepting the data packet whose type is different from the type of the abnormal data packet prestored in the storage module, the method further comprises:
storing the intercepted data packet in the storage module.
9. A distributed denial of service attack defense apparatus, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the method for defending against a distributed denial of service attack according to any one of claims 1 to 8.
10. A server, characterized in that it comprises the distributed denial of service attack defense apparatus according to claim 9.
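
The decision flow of claims 1 to 4 and 8, as an added Python example that is not part of the patent text. The Packet record, the choice of header fields, the per-type reading of the "preset number" in claim 4, and all sample values are assumptions; the identification-question step of claim 5 is left out.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # header fields used as the packet "type" (assumed choice)
    dport: int
    flags: str
    size: int    # bytes

def header_features(p):
    """Claim 3: header characteristic information that identifies a type."""
    return (p.proto, p.dport, p.flags)

def defend_period(packets, traffic_threshold, known_abnormal,
                  small_size, small_count):
    """Return (passed, intercepted) for one period; updates known_abnormal."""
    # Claim 2: period traffic is the sum of the captured packet sizes.
    if sum(p.size for p in packets) < traffic_threshold:
        return list(packets), []          # threshold not reached: no filtering
    # Claim 4: among packets of unknown type, count the small ones.
    # Assumption: the preset number is applied per header type.
    small = Counter(header_features(p) for p in packets
                    if p.size < small_size
                    and header_features(p) not in known_abnormal)
    new_abnormal = {t for t, n in small.items() if n >= small_count}
    passed, intercepted = [], []
    for p in packets:
        t = header_features(p)
        # Claim 1: intercept prestored types and newly added abnormal types.
        (intercepted if t in known_abnormal or t in new_abnormal
         else passed).append(p)
    # Claim 8: remember what was intercepted (here: its header features).
    known_abnormal |= new_abnormal
    return passed, intercepted

# Constructed sample period: 200 small SYNs, 5 packets of a prestored
# abnormal type, 3 ordinary large packets.
SAMPLE = ([Packet("TCP", 80, "S", 60)] * 200
          + [Packet("UDP", 53, "", 512)] * 5
          + [Packet("TCP", 443, "A", 1400)] * 3)

if __name__ == "__main__":
    store = {("UDP", 53, "")}             # constructed prestored type
    ok, dropped = defend_period(SAMPLE, 10_000, store, 100, 100)
    print(len(ok), "passed;", len(dropped), "intercepted;", sorted(store))
```

Because the small-packet test only runs once the period threshold is reached, the same packets below the threshold pass untouched, including those of a prestored abnormal type.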
CN202111300246.7A 2021-11-04 2021-11-04 Distributed denial of service attack defense method and device and server Withdrawn CN114039763A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111300246.7A CN114039763A (en) 2021-11-04 2021-11-04 Distributed denial of service attack defense method and device and server

Publications (1)

Publication Number Publication Date
CN114039763A true CN114039763A (en) 2022-02-11

Family

ID=80142809

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111300246.7A Withdrawn CN114039763A (en) 2021-11-04 2021-11-04 Distributed denial of service attack defense method and device and server

Country Status (1)

Country Link
CN (1) CN114039763A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101001242A (en) * 2006-01-10 2007-07-18 中兴通讯股份有限公司 Method of network equipment invaded detection
CN107302534A (en) * 2017-06-21 2017-10-27 广东工业大学 A kind of DDoS network attack detecting methods and device based on big data platform
WO2021088372A1 (en) * 2019-11-04 2021-05-14 重庆邮电大学 Neural network-based ddos detection method and system in sdn network
CN113037687A (en) * 2019-12-24 2021-06-25 中移物联网有限公司 Flow identification method and electronic equipment

Similar Documents

Publication Publication Date Title
CN109951500B (en) Network attack detection method and device
CN109194680B (en) Network attack identification method, device and equipment
KR100862187B1 (en) A Method and a Device for Network-Based Internet Worm Detection With The Vulnerability Analysis and Attack Modeling
CN109922072B (en) Distributed denial of service attack detection method and device
CN110417778B (en) Access request processing method and device
CN110730195B (en) Data processing method and device and computer readable storage medium
CN109768992B (en) Webpage malicious scanning processing method and device, terminal device and readable storage medium
CN111641658A (en) Request intercepting method, device, equipment and readable storage medium
CN106330944B (en) Malicious system vulnerability scanner identification method and device
CN112291258B (en) Gateway risk control method and device
CN111726364B (en) Host intrusion prevention method, system and related device
CN112953917B (en) Network attack source identification method and device, computer equipment and storage medium
CN111835737B (en) WEB attack protection method based on automatic learning and related equipment thereof
CN111327615A (en) CC attack protection method and system
CN110858831B (en) Safety protection method and device and safety protection equipment
JP2018073140A (en) Network monitoring device, program and method
CN111953635B (en) Interface request processing method and computer-readable storage medium
CN113660216B (en) Password attack detection method, device, electronic device and storage medium
RU2647616C1 (en) Method of detecting brute force attack on web service
CN111740999A (en) DDOS attack identification method, system and related device
CN108833410B (en) Protection method and system for HTTP Flood attack
CN111949363A (en) Service access management method, computer equipment, storage medium and system
CN114039763A (en) Distributed denial of service attack defense method and device and server
CN114928452B (en) Access request verification method, device, storage medium and server
CN113765914B (en) CC attack protection method, system, computer equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220211