CN114157460A - SMG-VME-aDDoS anti-DDoS attack defense system based on VME-TCP-IP - Google Patents
SMG-VME-aDDoS anti-DDoS attack defense system based on VME-TCP-IP
- Publication number: CN114157460A (application number CN202111381353.7A)
- Authority: CN (China)
- Prior art keywords: vme, socket, addos, input, request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F9/00—Arrangements for program control, e.g. control units
        - G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
          - G06F9/44—Arrangements for executing specific programs
            - G06F9/4401—Bootstrapping
              - G06F9/4418—Suspend and resume; Hibernate and awake
            - G06F9/448—Execution paradigms, e.g. implementations of programming paradigms
              - G06F9/4482—Procedural
                - G06F9/4484—Executing subprograms
          - G06F9/46—Multiprogramming arrangements
            - G06F9/48—Program initiating; Program switching, e.g. by interrupt
              - G06F9/4806—Task transfer initiation or dispatching
                - G06F9/4843—Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
                  - G06F9/4881—Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
            - G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
              - G06F9/5005—Allocation of resources, e.g. of the central processing unit [CPU] to service a request
                - G06F9/5011—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
                  - G06F9/5016—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory
                  - G06F9/5022—Mechanisms to release resources
                - G06F9/5027—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    - Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
      - Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
SMG-VME-aDDoS is a reverse defense against DDoS (distributed denial-of-service) attacks. In general, a DDoS attack means an attacker uses compromised "zombie" hosts to send a very large number of requests to a target website in a short time, consuming the target's host resources on a massive scale so that it can no longer serve normally. This invention analyzes and blocks illegal requests at the TCP protocol parsing layer by requiring a legitimate request command to be entered at login; the blocking rate reaches 95%, CPU utilization is improved, and network bandwidth is used more efficiently. The invention is based on interface identification and data formatting for the smart Internet, so the vmeserver applies a default feature input password check to every legitimate connection, by which legitimate requests are recognized, achieving shared computing power and shared security services.
Description
Technical field
This invention blocks DDoS attacks launched against a server over the TCP/IP protocol and automatically blocks illegal requests. It blocks requests intelligently and stores the offending IP in iptables, so that a single identification yields lasting intelligent blocking. Blocking takes place before the application layer, which protects the system and the application well.
Most existing techniques detect attacks by analyzing log behavior, by which time the DDoS attack has already taken place; large enterprises generally deploy IDS hardware in front of the router, which is expensive and generally unaffordable for small and medium-sized enterprises.
This invention is implemented by inheritance from the SMG-VME iterable distributed operating system (see national patent application no. 2021113373306, electronic application file no. 364636644). It can also be customized on its own as a core product service module providing computing-power output, and can serve as a core component of a security cloud service.
The component of this invention is compact; it performs traffic intrusion cleaning on the VME iterable operating system. It supports socket intrusion detection for asynchronous non-blocking IoSession and synchronous blocking BioSession connections.
Measured in practice, it can easily identify and block 98% of DDoS attack requests.
Patent examination:
As of 2021-11-06, a web search found no identical case.
Background art
With the industrial Internet, the intelligent interconnection of all things, distributed computing and the growth of big data, the computation and storage of very large-scale data are at hand. This invention mainly studies parallel computing engines and very large-scale data storage and computation, and designs a feasible framework for system security protection. It provides computing-power output externally to build IaaS and SaaS systems, so that enterprise groups share computing power and storage. With data formatting and interface standardization for very large enterprises as its goal, under big-data traffic it identifies illegal intrusion requests and network probing, automatically refuses service, reduces CPU energy consumption and network bandwidth usage, and automatically blocks intrusive junk traffic.
Summary of the invention
Brief description of the drawings:
Figure 1 is the functional diagram of the aDDoS anti-DDoS attack defense;
Reference numerals:
1 VMEServer (NIO asynchronous non-blocking server)
101 mainJobTimeOnce socket stream (BioSession/IoSession) stream processor (intrusion detection)
102 socketServer server
103 server.onMsgReceive asynchronous message receiver; message data is listened for in this method
10301 Time-limited check of the feature command code input; on success, Msession.set(sid,"dkey","1") writes it to the session
10302 Timeout: no feature command received, Msession.set(sid,"isEND","1")
104 IoSession (non-blocking session)
2 PPGServer (BIO synchronous blocking server)
201 BioSession blocking session
3 socket user
301 normal user request
302 DDoS attack request (illegal request)
4 HandlerSHStreamPlayer shell stream handler
401 setSocket
402 exec() shell handler executor (calls the shell port protocol handler to execute shell commands)
403 close
5 IPHole.saveOnce(): when 402 detects the 10302 DDoS attack signature, the IP is added to the operating system's iptables blackhole;
after a successful write, iptables is restarted
1. A DDoS attack intrusion detection technique, characterized as follows:
As shown in Figure 1
Operating example:
1.1 VMEServer (Fig. 1, 2) starts and enters the run state; the aDDoS thread (Fig. 1, 101) starts; the server (102) listens on port 9xxx waiting for socket connections and loops, with a time limit, waiting for the socket client to submit data;
1.2 PPGServer (Fig. 1, 2) starts synchronously and listens on port 8xxx; PPGServer is a blocking-connection server that shares the VMEServer.aDDoS service;
1.3 Socket user (Fig. 1, 3): a normal user (Fig. 1, 301) initiates a connection request (Fig. 1, 104), which arrives at vmeserver.onMsgRecv (Fig. 1, 103);
1.4 Based on 1.3, the vmeserver connection registration interface saves the socket object and its controlling object; when the connection closes, the q queue cleans up automatically. A response timeout is set: the correct input must be made within 30 seconds, otherwise the system blocks the connection; for a normal user this time is ample.
1.5 onMsgRecv checks the input feature command (Fig. 1, 30101); a legitimate user who passes the check has dkey set to a non-empty hash string, marking the check as passed;
1.6 Following 1.4 and 1.5, if the check fails or times out (Fig. 1, 30102), isEND=1 is written to the variable;
the system actively closes the client socket and ends the session; if the failure is a DoS intrusion signature string, the IP is collected automatically and saved to the IP blackhole in the firewall, and the firewall is restarted for the change to take effect; the next time the same IP attempts an illegal intrusion it will not be able to enter the system;
1.7 A user socket that passed 1.4 enters the socket executor for polled execution (Fig. 1, 4, the network dispatch executor): setSocket (Fig. 1, 401), exec (Fig. 1, 402), and on completion close (Fig. 1, 403) closes the socket, clears the q queue and frees the session memory;
Feature summary:
1.1 Waits for socket connections and loops, with a time limit, waiting for the socket client to submit data;
1.2 Correct input: dkey is set to a non-empty string; incorrect input or timeout: isEND=1 is set, and the loop exits on this state change;
1.3 Supports monitoring the state of multiple sockets;
1.4 Determines whether a socket has timed out and closes it;
1.5 Removes the currently timed-out socket (q dst);
1.6 The server actively closes the client connection;
1.7 No tcp:timeout zombie connection problem;
1.8 Improves server utilization;
1.9 Active defense: illegal connections are automatically blacklisted;
1.10 Cross-process and cross-thread shared signal communication;
1.11 Supports blocking BIO and asynchronous non-blocking AIO service communication;
1.12 Message identification and blocking at connection time, based on the message protocol;
1.13 DDoS feature command characters are automatically identified and added to the operating system's iptables firewall.
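The handshake gate described in operating example 1.1 to 1.7 and in feature summary 1.1 to 1.13, written out as an added example; this is not the patent's code (the patent publishes no source for VMEServer, PPGServer or IPHole). It assumes a constructed feature input password b"VME-HELLO", a 0.5 s timeout in place of the patent's 30 s so the demo finishes quickly, a SHA-256 hash of the session id as the non-empty dkey value, and an in-memory blackhole set that only returns the iptables DROP rule as a string rather than running iptables. The names AddosGate, _client and run_demo are hypothetical.

```python
import asyncio
import hashlib
import secrets

# Constructed values (assumptions): the patent names a "default feature input
# password" but not its value, and uses a 30 s timeout; shortened here.
HANDSHAKE_TOKEN = b"VME-HELLO"
HANDSHAKE_TIMEOUT = 0.5


class AddosGate:
    """Hypothetical model of the gate at labels 101/103/10301/10302/5.

    The first line a new connection sends must equal HANDSHAKE_TOKEN within
    HANDSHAKE_TIMEOUT.  Valid -> dkey set to a non-empty hash string.
    Silent (timeout) -> isEND=1 and the socket is closed.  Wrong first line
    (the patent's attack signature string) -> isEND=1, socket closed and the
    source IP added to the blackhole that would feed iptables.
    """

    def __init__(self, token=HANDSHAKE_TOKEN, timeout=HANDSHAKE_TIMEOUT):
        self.token = token
        self.timeout = timeout
        self.blackhole = set()   # models IPHole.saveOnce(); in-memory here
        self.sessions = {}       # sid -> {"dkey": ..., "isEND": ...}

    def iptables_rule(self, ip):
        """The DROP rule an operator would apply (returned as text, never run)."""
        return f"iptables -I INPUT -s {ip} -j DROP"

    async def handle(self, reader, writer):
        peer_ip = writer.get_extra_info("peername")[0]
        sid = secrets.token_hex(8)
        session = {"dkey": "", "isEND": "0"}
        self.sessions[sid] = session
        try:
            if peer_ip in self.blackhole:
                session["isEND"] = "1"          # already blackholed: refuse without reading
                return
            try:
                first = await asyncio.wait_for(reader.readline(), self.timeout)
            except asyncio.TimeoutError:
                session["isEND"] = "1"          # 10302: no feature command in time
                return
            if first.strip() == self.token:
                # 10301: feature command accepted; dkey non-empty, session continues
                session["dkey"] = hashlib.sha256(sid.encode()).hexdigest()
                writer.write(b"OK\n")
                await writer.drain()
            else:
                session["isEND"] = "1"          # attack signature: blackhole the source
                self.blackhole.add(peer_ip)
        finally:
            writer.close()                      # 1.6: server always closes, no zombies
            try:
                await writer.wait_closed()
            except OSError:
                pass


async def _client(port, payload):
    """Constructed client: optionally send payload, return the reply (b"" if closed)."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        if payload is not None:
            writer.write(payload)
            await writer.drain()
        return await reader.read(64)
    except OSError:
        return b""
    finally:
        writer.close()
        try:
            await writer.wait_closed()
        except OSError:
            pass


async def _demo():
    gate = AddosGate()
    server = await asyncio.start_server(gate.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    r = {}
    async with server:
        r["valid"] = await _client(port, HANDSHAKE_TOKEN + b"\n")
        r["silent"] = await _client(port, None)            # times out, closed, not blackholed
        r["blackholed_after_silent"] = "127.0.0.1" in gate.blackhole
        r["bogus"] = await _client(port, b"GET / HTTP/1.1\r\n")  # wrong first line
        r["blackholed_after_bogus"] = "127.0.0.1" in gate.blackhole
        r["repeat"] = await _client(port, HANDSHAKE_TOKEN + b"\n")  # same IP, now refused
        r["rule"] = gate.iptables_rule("127.0.0.1")
        r["accepted"] = sum(1 for s in gate.sessions.values() if s["dkey"])
        r["ended"] = sum(1 for s in gate.sessions.values() if s["isEND"] == "1")
    return r


def run_demo():
    """Run the four-connection scenario on an ephemeral localhost port."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

The last connection in the demo shows a limit the patent text leaves open: the blackhole is keyed on source IP, so once one client behind an address fails the check, every later client from that address (including a legitimate one) is refused until the entry is removed, which matters for clients behind shared NAT.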
2. An intelligent stream cleaning program based on the VME(n) iterable distributed operating system, characterized by:
2.1 vme(n) is iterable; SMG-VME-aDDoS is a security plugin of vme, so the latter is also iterable. In summary, every child node carries the aDDoS anti-DoS security protection module.
3. A data formatting and interface standardization security service based on the VME(n) iterable distributed operating system, characterized by:
3.1 Because vme(n) is iterable, its input and output data follow a unified model, i.e. identified input and output. The basic points of data formatting: a unified password must be spoken to establish a connection and a unified password must be spoken to end it, otherwise the connection is blocked. Input requests follow no pattern, so we constrain ourselves strictly: whatever carries the legitimate password is normal, and whatever does not is illegal. Valid information is identified on this principle;
3.2 Because SMG-VME-aDDoS is a built-in vme core security module;
3.3 Following 3.1, formatted input lets the feature command of a legitimate request be found, a light-password-mode passphrase;
3.4 Following 3.3, legitimate user socket requests can be identified;
3.5 Following 3.3 and 3.4, illegal requests can be identified by exclusion, because illegal request commands are unformatted and vary enormously. This invention assumes that all systems are built on the formatted input commands of a vme-based iterable distributed operating system, and is a new security module born on that basis;
3.6 Following 3.5, this amounts to rewriting TCP/IP so that security authentication is added at reception.
Practical significance:
SMG-VME-aDDoS is a reverse defense against DDoS (distributed denial-of-service) attacks. In general, a DDoS attack means an attacker uses compromised "zombie" hosts to send a very large number of requests to a target website in a short time, consuming the target's host resources on a massive scale so that it can no longer serve normally. This invention analyzes and blocks illegal requests at the TCP protocol parsing layer by requiring a legitimate request command to be entered at login; the blocking rate reaches 95%, CPU utilization is improved, and network bandwidth is used more efficiently. The invention is based on interface identification and data formatting for the smart Internet, so the vmeserver applies a default feature input password check to every legitimate connection, by which legitimate requests are recognized, achieving shared computing power and shared security services.
Claims (3)
1. A DDoS attack intrusion detection technique based on VME(n), characterized as follows:
1.1 Socket connection; loops, with a time limit, waiting for the socket client to submit data;
1.2 Correct input: dkey is set to a non-empty string; incorrect input or timeout: isEND=1 is set, and the loop exits on this state change;
1.3 Supports monitoring the state of multiple sockets;
1.4 Determines whether a socket has timed out and closes it;
1.5 Removes the currently timed-out socket, q.destroy(sockid);
1.6 The server actively closes the client connection;
1.7 No tcp:timeout zombie connection problem;
1.8 Improves server utilization;
1.9 Active defense: illegal connections are automatically blacklisted;
1.10 Cross-process and cross-thread shared signal communication;
1.11 Supports blocking and non-blocking service communication;
1.12 Message identification and blocking at connection time, based on the message protocol;
1.13 DDoS feature command characters are automatically identified and added to the operating system's iptables firewall.
2. An intelligent stream cleaning program based on the VME(n) iterable distributed operating system, characterized by:
2.1 vme(n) is iterable; SMG-VME-aDDoS is a security plugin of vme, so the latter is also iterable. In summary, every child node carries the aDDoS anti-DoS security protection module.
3. A data formatting and interface standardization security service based on the VME(n) iterable distributed operating system, characterized by:
3.1 Because vme(n) is iterable, its input and output data follow a unified model, i.e. identified input and output;
3.2 Because SMG-VME-aDDoS is a built-in vme core security module;
3.3 Following 3.1, formatted input lets the feature command of a legitimate request be found, a light-password-mode passphrase;
3.4 Following 3.3, legitimate user socket requests can be identified;
3.5 Following 3.3 and 3.4, illegal requests can be identified by exclusion, because illegal request commands are unformatted and vary enormously. This invention is a new security module born on the basis that all systems are built on the formatted input commands of a vme-based iterable distributed operating system;
3.6 Following 3.5, this amounts to rewriting TCP/IP so that security authentication is added at reception.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN2021113373306 | 2021-11-15 | |
CN202111337330 | 2021-11-15 | |
Publications (1)
Publication Number | Publication Date
---|---
CN114157460A (zh) | 2022-03-08
Family
ID=80390145
Family Applications (5)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
CN202111375039.8A Pending CN114138898A (zh) | 2021-11-15 | 2021-11-20 | Smg-vme-afs iterable distributed storage system
CN202111381552.8A Pending CN114138410A (zh) | 2021-11-15 | 2021-11-21 | SMG-vmecloneVMOS iterable virtual machine clone operating system
CN202111381353.7A Pending CN114157460A (zh) | 2021-11-15 | 2021-11-22 | SMG-VME-aDDoS anti-DDoS attack defense system based on VME-TCP-IP
CN202111392114.1A Pending CN114281889A (zh) | 2021-11-15 | 2021-11-23 | Smg-vme-dsss data sharing slice service
CN202210154742.4A Pending CN114510335A (zh) | 2021-11-15 | 2022-02-21 | Smg-vme iterable distributed operating system
Country Status (1)
Country | Link |
---|---|
CN (5) | CN114138898A (zh) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
US20040187032A1 (en) * | 2001-08-07 | 2004-09-23 | Christoph Gels | Method, data carrier, computer system and computer progamme for the identification and defence of attacks in server of network service providers and operators
CN102291390A (zh) * | 2011-07-14 | 2011-12-21 | Nanjing University of Posts and Telecommunications | Method for defending against denial-of-service attacks based on a cloud computing platform
US20140040627A1 (en) * | 2012-07-31 | 2014-02-06 | Thomas C. Logan | Process and system for strengthening password security
CN109327426A (zh) * | 2018-01-11 | 2019-02-12 | 白令海 | Firewall attack defense method
2021
- 2021-11-20 CN CN202111375039.8A patent/CN114138898A/zh active Pending
- 2021-11-21 CN CN202111381552.8A patent/CN114138410A/zh active Pending
- 2021-11-22 CN CN202111381353.7A patent/CN114157460A/zh active Pending
- 2021-11-23 CN CN202111392114.1A patent/CN114281889A/zh active Pending
2022
- 2022-02-21 CN CN202210154742.4A patent/CN114510335A/zh active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN116094769A (zh) * | 2022-12-22 | 2023-05-09 | Yanshan University | Port microgrid control method resisting false data injection attacks
CN116094769B (zh) * | 2022-12-22 | 2024-03-01 | Yanshan University | Port microgrid control method resisting false data injection attacks
Also Published As
Publication number | Publication date
---|---
CN114138410A (zh) | 2022-03-04
CN114281889A (zh) | 2022-04-05
CN114510335A (zh) | 2022-05-17
CN114138898A (zh) | 2022-03-04
Similar Documents
Publication | Title
---|---
WO2021196911A1 (zh) | Artificial-intelligence-based network security protection method, apparatus and electronic device
Lohachab et al. | Critical analysis of DDoS—An emerging security threat over IoT networks
EP3111330B1 (en) | System and method for verifying and detecting malware
Modi et al. | A survey of intrusion detection techniques in cloud
JP6714314B2 (ja) | Detection of infected network devices via analysis of unanswered outgoing network traffic
EP3108401B1 (en) | System and method for detection of malicious hypertext transfer protocol chains
Tushir et al. | The impact of DoS attacks on resource-constrained IoT devices: A study on the Mirai attack
CN111565203B (zh) | Service request protection method, apparatus, system and computer device
US8392993B1 (en) | Systems and methods for delaying termination of a process to capture data relating to a potential threat
US11349866B2 (en) | Hardware acceleration device for denial-of-service attack identification and mitigation
CN111800401B (zh) | Service message protection method, apparatus, system and computer device
CN105959313A (zh) | Method and apparatus for preventing HTTP proxy attacks
CN111327615A (zh) | CC attack protection method and system
CN111314381A (zh) | Security isolation gateway
Huang et al. | An authentication scheme to defend against UDP DrDoS attacks in 5G networks
CN112165445B (zh) | Method, apparatus, storage medium and computer device for detecting network attacks
CN113518064A (zh) | Defense method, apparatus, computer device and storage medium against challenge collapsar attacks
CN114157460A (zh) | SMG-VME-aDDoS anti-DDoS attack defense system based on VME-TCP-IP
US10721148B2 (en) | System and method for botnet identification
CN111131309A (zh) | Distributed denial-of-service detection method and apparatus, and model creation method and apparatus
WO2020057156A1 (zh) | Security management method and security management apparatus
WO2013168158A1 (en) | Centralized device reputation center
CN107231365B (zh) | Forensics method, server and firewall
Modi et al. | Design and implementation of RESTFUL API based model for vulnerability detection and mitigation
CN114726579A (zh) | Method, apparatus, device, storage medium and program product for defending against network attacks
Legal Events
Date | Code | Title | Description
---|---|---|---
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |