CN114157460A - SMG-VME-aDDoS anti-DDoS attack defense system based on VME-TCP-IP - Google Patents

SMG-VME-aDDoS anti-DDoS attack defense system based on VME-TCP-IP

Info

Publication number
CN114157460A
Authority
CN
China
Prior art keywords
vme
socket
addos
input
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111381353.7A
Other languages
English (en)
Inventor
Inventor not disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Daohebang Guangzhou Electronic Information Technology Co ltd
Original Assignee
Daohebang Guangzhou Electronic Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-11-15
Filing date
2021-11-22
Publication date
2022-03-08
Application filed by Daohebang Guangzhou Electronic Information Technology Co ltd
Publication of CN114157460A
Legal status: Pending

Classifications

    All G06F9 entries below sit under G06F9/00 Arrangements for program control, e.g. control units (G Physics; G06 Computing, calculating or counting; G06F Electric digital data processing).
    • G06F9/4881 Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues (G06F9/46 Multiprogramming arrangements; G06F9/48 Program initiating, program switching, e.g. by interrupt; G06F9/4806 Task transfer initiation or dispatching; G06F9/4843 by program, e.g. task dispatcher, supervisor, operating system)
    • G06F9/4418 Suspend and resume; Hibernate and awake (G06F9/44 Arrangements for executing specific programs; G06F9/4401 Bootstrapping)
    • G06F9/4484 Executing subprograms (G06F9/44 Arrangements for executing specific programs; G06F9/448 Execution paradigms, e.g. implementations of programming paradigms; G06F9/4482 Procedural)
    • G06F9/5016 Allocation of resources to service a request, the resource being the memory (G06F9/46 Multiprogramming arrangements; G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]; G06F9/5005 to service a request; G06F9/5011 the resources being hardware resources other than CPUs, Servers and Terminals)
    • G06F9/5022 Mechanisms to release resources (same parents as G06F9/5016)
    • G06F9/5027 Allocation of resources to service a request, the resource being a machine, e.g. CPUs, Servers, Terminals (G06F9/50; G06F9/5005)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (Y General tagging of new technological developments; Y02 Technologies or applications for mitigation or adaptation against climate change; Y02D Climate change mitigation technologies in information and communication technologies [ICT])


Abstract

SMG-VME-aDDoS is a reverse defense against DDoS (DDoS attack, i.e. distributed denial of service). Generally this refers to an attacker using "zombie hosts" (compromised machines) to issue a large number of requests to a target website in a short time, consuming the target's host resources on a large scale so that it can no longer serve normally. The present invention analyzes and intercepts illegal requests at the TCP protocol parsing layer by requiring a legitimate request instruction to be entered on login; the interception rate reaches 95%, CPU utilization is improved, and network bandwidth is used more efficiently. The invention is based on interface identification and data formatting for the smart internet, so vmeserver applies a default feature-input passphrase check to legitimate connections that can recognize legitimate requests, in order to achieve shared computing power and shared security services.

Description

SMG-VME-aDDoS anti-DDoS attack defense system based on VME-TCP-IP
Technical field
The present invention intercepts DDoS attacks launched against a server over the TCP/IP protocol and automatically intercepts illegal requests. Requests are intercepted intelligently and the IP is written into iptables, so that a single identification yields intelligent interception. The interception takes place before the application layer, which protects both system and application security.
Most existing techniques detect on the basis of log behaviour analysis, by which time the DDoS attack has already happened; large enterprises generally deploy IDS hardware in front of the router, which is expensive and generally unaffordable for small and medium-sized enterprises.
This invention relies on the SMG-VME iterable distributed operating system (see national patent application number 2021113373306, electronic application file number 364636644) and is implemented by inheriting from it. It can also be customized separately as a core product service module for computing-power output, and can serve as a core component of a security cloud service.
The component of this invention is compact and performs traffic intrusion cleaning on the VME iterable operating system. It supports socket intrusion detection for the asynchronous non-blocking IoSession and the synchronous blocking BioSession.
In actual testing it can easily identify and intercept 98% of DDoS attack requests.
Patent examination:
As of 2021-11-06, a web search found no identical prior case.
Background
With the development of the industrial internet, intelligent interconnection of all things, distributed computing and big data, the computation and storage of ultra-large-scale data is now at hand. This invention mainly studies parallel computing engines and ultra-large-scale data storage and computation, and designs a feasible framework-level system security protection for them. Computing power is output externally to build IaaS and SaaS systems, and enterprise groups share computing power and storage. With data formatting and interface standardization for very large enterprises as the goal, big-data traffic requires identifying illegal intrusion requests and network snooping, automatically refusing service, reducing CPU energy consumption, reducing network bandwidth occupation, and automatically intercepting intrusive junk traffic.
Summary of the invention
Description of the drawings:
Figure 1 is the functional diagram of the aDDoS anti-DDoS attack defense;
Reference numerals:
1 VMEServer (NIO asynchronous non-blocking server)
101 mainJobTimeOnce socket stream (BioSession/IoSession) stream processor (intrusion detection)
102 socketServer
103 server.onMsgReceive asynchronous message receiver; this method listens for message data
10301 time-limited check of the specific instruction code input; on passing, Msession.set(sid,"dkey","1") is written to the session
10302 timeout: no feature instruction entered; Msession.set(sid,"isEND","1")
104 IoSession (non-blocking session)
2 PPGServer (BIO synchronous blocking server)
201 BioSession blocking session
3 socket user
301 normal user request
302 DDoS attack request (illegal request)
4 HandlerSHStreamPlayer Shell stream processor
401 setSocket
402 exec() Shell handler executor (calls the shell port protocol handler to execute shell instruction operations)
403 close
5 IPHole.saveOnce(): when 402 detects the 10302 DDoS attack signature code, the IP is added to the operating system's iptables black hole
After a successful write, iptables is restarted
1. A DDoS attack intrusion detection technique, characterized as follows:
As in Figure 1
Operating example:
1.1 VMEServer (Figure 1, 2) starts and enters the run state; the aDDoS thread (Figure 1, 101) starts; the server (102) listens on port 9xxx, waits for socket connections, and waits in a time-limited loop for socket clients to submit data;
1.2 PPGServer (Figure 1, 2) starts at the same time and listens on port 8xxx; PPGServer, as a blocking connection, shares the VMEServer.aDDoS service;
1.3 Socket user (Figure 1, 3): a normal user (Figure 1, 301) initiates a connection request (Figure 1, 104); in vmeserver.onMsgRecv (Figure 1, 103)
1.4 Based on 1.3, the vmeserver connection-registration interface saves the socket object and its control object; when the connection closes, the q queue is cleaned up automatically. A response timeout is set: the correct input must be made within 30 seconds, otherwise the system intercepts the connection; for a normal user this time is quite ample.
1.5 onMsgRecv checks the input feature instruction (Figure 1, 30101); for a legitimate user who passes the check, dkey is set to a non-empty hash string, marking the check as passed
1.6 Per 1.4 and 1.5, if the check fails or times out (Figure 1, 30102), isEND=1 is written to the variable;
The system actively closes the client socket and ends the session; if the failed input is a DoS intrusion signature string, the IP is collected automatically, the IP black hole is saved in the firewall, and the firewall is restarted for it to take effect; the next time, an illegal intruder from the same IP will not be able to enter the system;
1.7 Per 1.4, the socket of a user who passed enters the socket executor polling loop (Figure 1, 4, network dispatch executor): setSocket (Figure 1, 401), exec (Figure 1, 402), and after execution close (Figure 1, 403) is called to close the socket, clean up the q queue and free the session memory;
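The connection check of steps 1.1 to 1.7, modelled as an added example that is not the patent's own code: a small asyncio server waits a bounded time for the feature instruction, sets dkey on success or isEND=1 on a wrong or missing input, closes the client socket itself, and records an iptables rule when the input carries the DoS signature. The passphrase value, the DoS signature string, the OK reply and the rule text are assumptions; the rule is only collected, never applied.

```python
import asyncio, hashlib

PASSPHRASE = b"VME-HELLO"  # assumed unified connection passphrase (item 3.1)
DOS_SIGNATURE = b"FLOOD"   # assumed DoS intrusion signature string (step 1.6)
INPUT_TIMEOUT = 30.0       # seconds allowed for the correct input (step 1.4)
blackhole = set()          # collected rule text, standing in for IPHole.saveOnce()

def check_input(sid, data):  # steps 1.5/1.6: dkey on pass, isEND=1 otherwise
    if data == PASSPHRASE:
        return {"dkey": hashlib.sha256(sid.encode()).hexdigest(), "isEND": "0", "dos": False}
    return {"dkey": "", "isEND": "1", "dos": data.startswith(DOS_SIGNATURE)}

async def handle_client(reader, writer, timeout=INPUT_TIMEOUT):
    ip, port = writer.get_extra_info("peername")[:2]
    sid = f"{ip}:{port}"
    try:  # 10301: time-limited wait for the feature instruction
        line = (await asyncio.wait_for(reader.readline(), timeout)).rstrip(b"\r\n")
    except asyncio.TimeoutError:
        line = b""  # 10302: nothing entered before the deadline
    state = check_input(sid, line)
    if state["dos"]:  # numeral 5: the rule is only recorded here, never applied
        blackhole.add(f"iptables -A INPUT -s {ip} -j DROP")
    elif state["isEND"] == "0":
        writer.write(b"OK\n")  # assumed reply; the patent hands the socket to exec()
        await writer.drain()
    writer.close()  # step 1.6: the server closes the client socket itself
    await writer.wait_closed()
    return state

async def _run(timeout):
    q = asyncio.Queue()  # hands each connection's final state back to the driver
    async def on_conn(r, w):
        await q.put(await handle_client(r, w, timeout))
    server = await asyncio.start_server(on_conn, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    states, replies = [], []
    for payload in (PASSPHRASE, DOS_SIGNATURE + b" x", None):  # constructed clients
        r, w = await asyncio.open_connection("127.0.0.1", port)
        if payload is not None:  # None models a client that never sends the passphrase
            w.write(payload + b"\n")
        replies.append(await asyncio.wait_for(r.read(), timeout * 10))  # until EOF
        w.close()
        states.append(await q.get())
    server.close()
    await server.wait_closed()
    return states, replies, sorted(blackhole)

def run_demo(timeout=0.2):  # short timeout so the silent client times out quickly
    return asyncio.run(_run(timeout))
```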
Summary of features:
1.1 Waits for socket connections, and waits in a time-limited loop for socket clients to submit data;
1.2 Correct input: set dkey to a non-empty string; incorrect input or timeout: set isEND=1 and exit the loop on the state change;
1.3 Supports monitoring the state of multiple sockets;
1.4 Determines whether a socket has timed out and closes it;
1.5 Removes the currently timed-out socket, q dst;
1.6 The server actively closes the client connection;
1.7 No tcp:timeout zombie connection problem;
1.8 Improves server utilization;
1.9 Active defense: illegal connections are automatically blacklisted;
1.10 Cross-process and cross-thread shared signal communication;
1.11 Supports blocking BIO and asynchronous non-blocking AIO service communication;
1.12 Message identification and interception at connection time on the message protocol;
1.13 DDoS signature instruction characters are recognized automatically and added to the operating system's iptables firewall.
2. An intelligent stream-cleaning program based on the VME(n) iterable distributed operating system, characterized by:
2.1 vme(n) is iterable; SMG-VME-aDDoS is a security plugin of vme, so the latter is also iterable; taken together, every child node has the aDDoS anti-DoS security protection module.
3. A data-formatting and interface-standardization security service based on the VME(n) iterable distributed operating system, characterized by:
3.1 Because vme(n) is iterable, its input and output data follow a unified model, i.e. identified input and output. The basic point of data formatting: a unified passphrase must be spoken when the connection is established and a unified passphrase when it ends, otherwise the connection is intercepted. Input requests have no regularity, so we constrain ourselves strictly: whatever carries the legitimate passphrase is normal, and everything else is illegal; valid information is identified on this principle;
3.2 Because SMG-VME-aDDoS is a built-in vme core security module;
3.3 Per 3.1, with formatted input the legitimate request feature instruction, a light-password-mode passphrase, can be found;
3.4 Per 3.3, legitimate user socket requests can be identified;
3.5 Per 3.3 and 3.4, illegal requests can be identified by elimination, because illegal request instructions are unformatted and vary widely; this invention is a new security module born on the assumption that all systems are built on the formatted input instructions of the vme-based iterable distributed operating system;
3.6 Per 3.5, this amounts to rewriting TCP/IP to add security authentication on receipt.
Practical significance:
SMG-VME-aDDoS is a reverse defense against DDoS (DDoS attack, i.e. distributed denial of service). Generally this refers to an attacker using "zombie hosts" (compromised machines) to issue a large number of requests to a target website in a short time, consuming the target's host resources on a large scale so that it can no longer serve normally. The present invention analyzes and intercepts illegal requests at the TCP protocol parsing layer by requiring a legitimate request instruction to be entered on login; the interception rate reaches 95%, CPU utilization is improved, and network bandwidth is used more efficiently. The invention is based on interface identification and data formatting for the smart internet, so vmeserver applies a default feature-input passphrase check to legitimate connections that can recognize legitimate requests, in order to achieve shared computing power and shared security services.

Claims (3)

1. A DDoS attack intrusion detection technique based on VME(n), characterized as follows:
1.1 Socket connection; wait in a time-limited loop for socket clients to submit data;
1.2 Correct input: set dkey to a non-empty string; incorrect input or timeout: set isEND=1 and exit the loop on the state change;
1.3 Supports monitoring the state of multiple sockets;
1.4 Determines whether a socket has timed out and closes it;
1.5 Removes the currently timed-out socket, q.destroy(sockid);
1.6 The server actively closes the client connection;
1.7 No tcp:timeout zombie connection problem;
1.8 Improves server utilization;
1.9 Active defense: illegal connections are automatically blacklisted;
1.10 Cross-process and cross-thread shared signal communication;
1.11 Supports blocking and non-blocking service communication;
1.12 Message identification and interception at connection time on the message protocol;
1.13 DDoS signature instruction characters are recognized automatically and added to the operating system's iptables firewall.
2. An intelligent stream-cleaning program based on the VME(n) iterable distributed operating system, characterized by:
2.1 vme(n) is iterable; SMG-VME-aDDoS is a security plugin of vme, so the latter is also iterable; taken together, every child node has the aDDoS anti-DoS security protection module.
3. A data-formatting and interface-standardization security service based on the VME(n) iterable distributed operating system, characterized by:
3.1 Because vme(n) is iterable, its input and output data follow a unified model, i.e. identified input and output;
3.2 Because SMG-VME-aDDoS is a built-in vme core security module;
3.3 Per 3.1, with formatted input the legitimate request feature instruction, a light-password-mode passphrase, can be found;
3.4 Per 3.3, legitimate user socket requests can be identified;
3.5 Per 3.3 and 3.4, illegal requests can be identified by elimination, because illegal request instructions are unformatted and vary widely; this invention is a new security module born on the basis that all systems are built on the formatted input instructions of the vme-based iterable distributed operating system;
3.6 Per 3.5, this amounts to rewriting TCP/IP to add security authentication on receipt.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2021113373306 2021-11-15
CN202111337330 2021-11-15

Publications (1)

Publication Number Publication Date
CN114157460A (zh) 2022-03-08

Family

ID=80390145

Family Applications (5)

Application Number Title Priority Date Filing Date
CN202111375039.8A Pending CN114138898A (zh) 2021-11-15 2021-11-20 Smg-vme-afs iterable distributed storage system
CN202111381552.8A Pending CN114138410A (zh) 2021-11-15 2021-11-21 SMG-vmecloneVMOS iterable virtual machine clone operating system
CN202111381353.7A Pending CN114157460A (zh) 2021-11-15 2021-11-22 SMG-VME-aDDoS anti-DDoS attack defense system based on VME-TCP-IP
CN202111392114.1A Pending CN114281889A (zh) 2021-11-15 2021-11-23 Smg-vme-dsss data sharing slice service
CN202210154742.4A Pending CN114510335A (zh) 2021-11-15 2022-02-21 Smg-vme iterable distributed operating system

Country Status (1)

Country Link
CN (5) CN114138898A (zh)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040187032A1 (en) * 2001-08-07 2004-09-23 Christoph Gels Method, data carrier, computer system and computer progamme for the identification and defence of attacks in server of network service providers and operators
CN102291390A (zh) * 2011-07-14 2011-12-21 Nanjing University of Posts and Telecommunications A method for defending against denial-of-service attacks based on a cloud computing platform
US20140040627A1 (en) * 2012-07-31 2014-02-06 Thomas C. Logan Process and system for strengthening password security
CN109327426A (zh) * 2018-01-11 2019-02-12 Bai Linghai A firewall attack defense method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094769A (zh) * 2022-12-22 2023-05-09 Yanshan University A port microgrid control method for resisting false data injection attacks
CN116094769B (zh) * 2022-12-22 2024-03-01 Yanshan University A port microgrid control method for resisting false data injection attacks

Also Published As

Publication number Publication date
CN114138410A (zh) 2022-03-04
CN114281889A (zh) 2022-04-05
CN114510335A (zh) 2022-05-17
CN114138898A (zh) 2022-03-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination