CN114205096A - DDOS attack defense method and device - Google Patents


Publication number
CN114205096A
Authority
CN
China
Prior art keywords
target
target source
source
ddos attack
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010880440.6A
Other languages
Chinese (zh)
Inventor
居静
宋婧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qinhuai Data Co ltd
Original Assignee
Beijing Qinhuai Data Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qinhuai Data Co ltd filed Critical Beijing Qinhuai Data Co ltd
Priority to CN202010880440.6A priority Critical patent/CN114205096A/en
Publication of CN114205096A publication Critical patent/CN114205096A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The application provides a DDOS attack defense method and a device, and the method comprises the following steps: acquiring network state data; the network state data comprises at least one target source IP, at least one target IP, flow between each target source IP and each target IP, total flow corresponding to each target source IP and total flow corresponding to each target IP; judging whether the total flow corresponding to each target source IP is in a preset safety interval or not; and when determining that the total flow corresponding to any target source IP is not in a preset safety interval, determining that the target source is a DDOS attack source, and establishing a black hole route according to the target source IP so as to block the target source IP. According to the DDOS attack defense method provided by the scheme, whether each target source is a DDOS attack source or not is detected in real time according to the total traffic corresponding to each target source IP, and the black hole route is established for the determined DDOS attack source so as to block the DDOS attack source in time, so that the DDOS attack defense efficiency is improved, and a foundation is laid for improving the security of a network environment.

Description

DDOS attack defense method and device
Technical Field
The invention relates to the field of network security, in particular to a DDOS attack defense method and device.
Background
With the development of internet technology, production and daily life depend increasingly on the internet, and the need for network security has become especially prominent. A Distributed Denial of Service (DDOS) attack is a malicious network behavior in which one or more attackers control a large number of computers as attack sources and send a large amount of data to a target, ultimately paralyzing the target.
In the prior art, DDOS attacks are generally defended against by adding an anti-DDOS firewall, increasing bandwidth, purchasing a network operator's traffic cleaning service, and the like.
However, when DDOS is defended against with the existing technology, once the current network is determined to be under DDOS attack, operating personnel must manually block the IP or apply to the network operator for blocking, so the processing efficiency is low. A DDOS attack defense method with high defense efficiency is therefore urgently needed and is of great significance for improving network security.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defect of low DDOS attack defense efficiency in the prior art, thereby providing a DDOS attack defense method and apparatus.
A first aspect of the present application provides a DDOS attack defense method, including:
acquiring network state data; the network state data comprises at least one target source IP, at least one target IP, flow between each target source IP and each target IP, total flow corresponding to each target source IP and total flow corresponding to each target IP;
judging whether the total flow corresponding to each target source IP is in a preset safety interval or not;
when the total flow corresponding to any target source IP is determined not to be in a preset safety interval, determining that the target source is a DDOS attack source, and establishing a black hole route according to the target source IP so as to block the target source IP.
Optionally, the method further includes:
determining the maximum destination IP corresponding to each target source IP according to the flow between each target source IP and each destination IP; wherein the maximum destination IP is a destination IP with the maximum traffic between the target source IP and the destination IP;
and determining the safety interval according to the total flow corresponding to the maximum destination IP.
Optionally, the determining the safety interval according to the total flow corresponding to the maximum destination IP includes:
determining the maximum value of the safety interval by calculating the product of the total flow corresponding to the maximum destination IP and a preset upper limit proportion;
determining the minimum value of the safety interval by calculating the product of the total flow corresponding to the maximum destination IP and a preset lower limit proportion;
and determining the safety interval according to the maximum value of the safety interval and the minimum value of the safety interval.
Optionally, the determining that the target source is a DDOS attack source includes:
counting the times that the total flow corresponding to each target source IP is not in a preset safety interval in a preset time period, and determining that the target source is a DDOS attack source when the times reach a preset threshold value.
Optionally, after determining that the target source is a DDOS attack source, the method further includes:
and generating alarm information according to the target source IP and the flow between the target source IP and each target IP.
Optionally, the method further includes:
and sending the alarm information to prompt an operator that the target source is a DDOS attack source.
A second aspect of the present application provides a DDOS attack defense apparatus, including: the system comprises an acquisition module, a judgment module and a defense module;
the acquisition module is used for acquiring network state data; the network state data comprises at least one target source IP, at least one target IP, flow between each target source IP and each target IP, total flow corresponding to each target source IP and total flow corresponding to each target IP;
the judging module is used for judging whether the total flow corresponding to each target source IP is in a preset safety interval or not;
the defense module is used for determining that the target source is a DDOS attack source when determining that the total flow corresponding to any target source IP is not in a preset safety interval, and establishing a black hole route according to the target source IP so as to block the target source IP.
Optionally, the determining module is further configured to:
determining the maximum destination IP corresponding to each target source IP according to the flow between each target source IP and each destination IP; wherein the maximum destination IP is a destination IP with the maximum traffic between the target source IP and the destination IP; and determining the safety interval according to the total flow corresponding to the maximum destination IP.
Optionally, the determining module is specifically configured to:
determining the maximum value of the safety interval by calculating the product of the total flow corresponding to the maximum destination IP and a preset upper limit proportion;
determining the minimum value of the safety interval by calculating the product of the total flow corresponding to the maximum destination IP and a preset lower limit proportion;
and determining the safety interval according to the maximum value of the safety interval and the minimum value of the safety interval.
Optionally, the defense module is specifically configured to: counting the times that the total flow corresponding to each target source IP is not in a preset safety interval in a preset time period, and determining that the target source is a DDOS attack source when the times reach a preset threshold value.
Optionally, the defense module is further configured to: and generating alarm information according to the target source IP and the flow between the target source IP and each target IP.
Optionally, the defense module is further configured to: and sending the alarm information to prompt an operator that the target source is a DDOS attack source.
A third aspect of the present application provides an electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes computer-executable instructions stored by the memory to cause the at least one processor to perform the method as set forth in the first aspect above and in various possible designs of the first aspect.
A fourth aspect of the present application provides a storage medium containing computer-executable instructions for performing a method as set forth in the first aspect above and in various possible designs of the first aspect when executed by a computer processor.
The technical solution of the present application has the following advantages:
according to the DDOS attack defense method and device, network state data are obtained; the network state data comprises at least one target source IP, at least one target IP, flow between each target source IP and each target IP, total flow corresponding to each target source IP and total flow corresponding to each target IP; judging whether the total flow corresponding to each target source IP is in a preset safety interval or not; and when determining that the total flow corresponding to any target source IP is not in a preset safety interval, determining that the target source is a DDOS attack source, and establishing a black hole route according to the target source IP so as to block the target source IP. According to the DDOS attack defense method provided by the scheme, whether each target source is a DDOS attack source or not is detected in real time according to the total traffic corresponding to each target source IP, and the black hole route is established for the determined DDOS attack source so as to block the DDOS attack source in time, so that the DDOS attack defense efficiency is improved, and a foundation is laid for improving the security of a network environment.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art according to the drawings.
Fig. 1 is a schematic structural diagram of a DDOS attack defense system based on an embodiment of the present application;
fig. 2 is a schematic flowchart of a DDOS attack defense method provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a DDOS attack defense apparatus provided in an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, DDOS attacks are generally defended against by adding an anti-DDOS firewall, increasing bandwidth, purchasing a network operator's traffic cleaning service, and the like. However, when DDOS is defended against with the existing technology, once the current network is determined to be under DDOS attack, operating personnel must manually block the IP or apply to the network operator for blocking, so the processing efficiency is low.
In order to solve the above problems, the DDOS attack defense method and apparatus provided in the embodiments of the present application obtain network state data; the network state data comprises at least one target source IP, at least one target IP, flow between each target source IP and each target IP, total flow corresponding to each target source IP and total flow corresponding to each target IP; judging whether the total flow corresponding to each target source IP is in a preset safety interval or not; and when determining that the total flow corresponding to any target source IP is not in a preset safety interval, determining that the target source is a DDOS attack source, and establishing a black hole route according to the target source IP so as to block the target source IP. According to the DDOS attack defense method provided by the scheme, whether each target source is a DDOS attack source or not is detected in real time according to the total traffic corresponding to each target source IP, and the black hole route is established for the determined DDOS attack source so as to block the DDOS attack source in time, so that the DDOS attack defense efficiency is improved, and a foundation is laid for improving the security of a network environment.
The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present invention will be described below with reference to the accompanying drawings.
First, the structure of the DDOS attack defense system based on the present application will be described:
The DDOS attack defense method and device provided by the embodiments of the present application are suitable for detecting and defending against DDOS attack sources in a network environment. Fig. 1 is a schematic structural diagram of the DDOS attack defense system on which the embodiments are based; it mainly includes at least one client, at least one server, and an electronic device for performing DDOS attack defense. Specifically, the electronic device obtains, from the at least one client, the target source IP corresponding to each client and the total traffic corresponding to each target source IP; obtains, from the at least one server, the destination IP corresponding to each server and the total traffic corresponding to each destination IP; and also obtains the traffic between each target source IP and each destination IP. It then detects DDOS attack sources from the acquired data and establishes a corresponding black hole route for each determined DDOS attack source so as to block the attack source in time.
The embodiment of the application provides a DDOS attack defense method, which is used for solving the technical problem of low DDOS attack defense efficiency in the prior art. The execution subject of the embodiment of the application is an electronic device, such as a server, a desktop computer, a notebook computer, a tablet computer, and other electronic devices that can be used for performing DDOS attack defense.
As shown in fig. 2, a schematic flow chart of a DDOS attack defense method provided in an embodiment of the present application is shown, where the method includes:
step 201, network state data is acquired.
The network state data comprises at least one target source IP, at least one destination IP, the traffic between each target source IP and each destination IP, the total traffic corresponding to each target source IP, and the total traffic corresponding to each destination IP.
Step 202, judging whether the total flow corresponding to each target source IP is in a preset safety interval.
It should be explained that the safety interval may be set by an operator according to related technical experience, and the embodiment of the present application is not limited.
Specifically, in an embodiment, because network environments are diverse, and in order to improve the universality of the DDOS attack defense method provided in the embodiment of the present application and the accuracy of the DDOS attack identification result, the maximum destination IP corresponding to each target source IP may be determined according to the traffic between each target source IP and each destination IP, where the maximum destination IP is the destination IP that has the largest traffic with the target source IP; the safety interval is then determined according to the total traffic corresponding to the maximum destination IP.
Further, the maximum value of the safety interval can be determined by calculating the product of the total traffic corresponding to the maximum destination IP and a preset upper limit proportion; the minimum value of the safety interval can be determined by calculating the product of the total traffic corresponding to the maximum destination IP and a preset lower limit proportion; and the safety interval is determined from this maximum value and minimum value.
The upper limit proportion and the lower limit proportion may be set according to actual conditions of each device in the current network environment, and the embodiment of the present application is not limited.
Step 203, when it is determined that the total traffic corresponding to any target source IP is not in the preset security interval, determining that the target source is a DDOS attack source, and establishing a black hole route according to the target source IP to block the target source IP.
Exemplarily, when a switch is arranged in the network environment, sFlow is configured on the switch and sFlow messages are sent to an sFlow-RT traction server (the electronic device). The switch establishes an EBGP neighbor relationship with sFlow-RT, and a static route to 192.0.2.1 with next hop null 0 is configured on the switch. A per-IP safety interval in bps and pps is configured on the sFlow-RT blackhole plug-in. When an IP is detected to exceed the preset safety interval, the blackhole plug-in generates on the server a black hole route corresponding to that IP, with the next hop forced to 192.0.2.1, and at the same time redistributes the black hole route into BGP. The switch learns from sFlow-RT that the next hop of the route for that IP is announced as 192.0.2.1, and this route recurses onto the black hole route for 192.0.2.1, so that the DDOS attack source is blocked in time.
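The next-hop recursion described above, modelled as an added example (not code from the patent or from sFlow-RT): a minimal routing table resolves the BGP-learned host route through the static 192.0.2.1 route to null 0. The default route, server subnet, interface names and sample addresses are constructed, and the optional loose source check is an assumption that goes beyond what the page describes.

```python
import ipaddress

NULL0 = "null0"


class Rib:
    """Minimal routing table: longest-prefix match plus recursive next-hop resolution."""

    def __init__(self):
        self.routes = {}  # ip_network -> (next hop, protocol)

    def add(self, prefix, next_hop, protocol):
        self.routes[ipaddress.ip_network(prefix)] = (next_hop, protocol)

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        return (best, *self.routes[best])

    def resolve(self, address, max_depth=8):
        """Follow next hops until an interface or null0 is reached."""
        path, target = [], address
        for _ in range(max_depth):
            hit = self.lookup(target)
            if hit is None:
                return "unreachable", path
            prefix, next_hop, protocol = hit
            path.append((str(prefix), next_hop, protocol))
            if next_hop == NULL0 or next_hop.startswith("if:"):
                return next_hop, path
            target = next_hop  # next hop is an address: resolve it recursively
        raise RuntimeError("next-hop recursion did not terminate")


def build_switch_rib():
    rib = Rib()
    rib.add("0.0.0.0/0", "if:uplink", "static")           # assumed default route
    rib.add("203.0.113.0/24", "if:servers", "connected")  # assumed server subnet
    rib.add("192.0.2.1/32", NULL0, "static")              # static route from the page
    return rib


def forward(rib, src, dst, source_check=False):
    """Forwarding decision for one packet.

    source_check models a loose reverse-path check (assumption, not on the page):
    the packet is dropped when its source address resolves to null0.
    """
    if source_check and rib.resolve(src)[0] in (NULL0, "unreachable"):
        return "drop (source check)"
    out, _ = rib.resolve(dst)
    return "drop" if out in (NULL0, "unreachable") else out


def demo():
    rib = build_switch_rib()
    before = rib.resolve("198.51.100.7")[0]
    # Host route announced over EBGP by the detector, next hop forced to 192.0.2.1
    rib.add("198.51.100.7/32", "192.0.2.1", "ebgp")
    after, path = rib.resolve("198.51.100.7")
    return before, after, path


if __name__ == "__main__":
    print(demo())
```

A route to null 0 matches on the destination address, so by itself it discards packets addressed to the blackholed IP; discarding packets sent from that IP additionally needs a source check such as loose-mode uRPF (RFC 5635), which the page does not mention.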
Specifically, in an embodiment, in order to further improve the accuracy of the DDOS attack source identification result, the number of times that the total traffic corresponding to each target source IP is not in the preset safety interval in the preset time period may be counted, and when the number of times reaches the preset threshold, the target source is determined to be the DDOS attack source.
Specifically, the DDOS attack defense method provided by the embodiment of the present application performs DDOS attack defense according to a preset defense period (preset time period). When the number of times that a certain target source is not in the preset safety interval in a defense period reaches a preset threshold value, the target source is determined to be a DDOS attack source, and the accuracy of the identification result of the DDOS attack source is improved. The preset threshold may be set according to an actual situation of the network environment, and the embodiment of the present application is not limited.
Specifically, in an embodiment, after determining that the target source is a DDOS attack source, alarm information may be generated according to the target source IP and traffic between the target source IP and each destination IP.
Further, alarm information is sent out for prompting the operator that the target source is a DDOS attack source.
The alarm information may be reported in a manner of instrument display, or may be reported in a manner of a warning light or a warning sound, an email, a short message, or the like, and the embodiment of the present application is not limited.
Specifically, in an embodiment, the DDOS attack type, the attack level, and the attack event may be detected according to the determined network state data corresponding to the DDOS attack source, and a corresponding detection result may be generated, and the corresponding detection result may be sent while sending the alarm information.
According to the DDOS attack defense method provided by the embodiment of the application, network state data is obtained; the network state data comprises at least one target source IP, at least one target IP, flow between each target source IP and each target IP, total flow corresponding to each target source IP and total flow corresponding to each target IP; judging whether the total flow corresponding to each target source IP is in a preset safety interval or not; and when determining that the total flow corresponding to any target source IP is not in a preset safety interval, determining that the target source is a DDOS attack source, and establishing a black hole route according to the target source IP so as to block the target source IP. According to the DDOS attack defense method provided by the scheme, whether each target source is a DDOS attack source or not is detected in real time according to the total traffic corresponding to each target source IP, and the black hole route is established for the determined DDOS attack source so as to block the DDOS attack source in time, so that the DDOS attack defense efficiency is improved, and a foundation is laid for improving the security of a network environment.
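The detection procedure of steps 201 to 203, with the maximum-destination safety interval and the per-period violation count, as an added example (not code from the patent). The ratios, threshold, sample traffic and the `never_block` safeguard are assumptions; only the next hop 192.0.2.1 comes from the page.

```python
import ipaddress
from collections import defaultdict

UPPER_RATIO = 0.8          # assumed; the page leaves both proportions to the operator
LOWER_RATIO = 0.0          # assumed
VIOLATION_THRESHOLD = 3    # assumed number of violations per defense period
BLACKHOLE_NEXT_HOP = "192.0.2.1"  # next hop used in the page's example

# Constructed sample of network state data: (source IP, destination IP) -> Mbit/s
SAMPLE = {
    ("198.51.100.7", "203.0.113.10"): 900,
    ("198.51.100.7", "203.0.113.11"): 50,
    ("198.51.100.20", "203.0.113.10"): 40,
    ("198.51.100.21", "203.0.113.10"): 60,
    ("198.51.100.21", "203.0.113.11"): 10,
}


def totals(flows):
    """Return total traffic per source IP and per destination IP."""
    src_total, dst_total = defaultdict(int), defaultdict(int)
    for (src, dst), rate in flows.items():
        src_total[src] += rate
        dst_total[dst] += rate
    return src_total, dst_total


def safety_interval(src, flows, dst_total):
    """Interval for src, scaled from the total traffic of its maximum destination IP."""
    per_dst = {d: r for (s, d), r in flows.items() if s == src}
    max_dst = max(per_dst, key=per_dst.get)
    base = dst_total[max_dst]
    return per_dst, (base * LOWER_RATIO, base * UPPER_RATIO)


class Detector:
    def __init__(self, threshold=VIOLATION_THRESHOLD, never_block=()):
        self.threshold = threshold
        # Added safeguard, not in the patent: addresses that are never blackholed
        self.never_block = {ipaddress.ip_address(a) for a in never_block}
        self.violations = defaultdict(int)
        self.blackholed = {}

    def observe(self, flows):
        """Evaluate one sample of network state data; return the alarms it raised."""
        src_total, dst_total = totals(flows)
        alarms = []
        for src, total in src_total.items():
            addr = ipaddress.ip_address(src)  # malformed input raises ValueError
            if src in self.blackholed or addr in self.never_block:
                continue
            per_dst, (low, high) = safety_interval(src, flows, dst_total)
            if low <= total <= high:
                continue
            self.violations[src] += 1
            if self.violations[src] < self.threshold:
                continue
            # Host route to hand to the routing layer (/32 for IPv4, /128 for IPv6)
            route = {"prefix": f"{addr}/{addr.max_prefixlen}",
                     "next_hop": BLACKHOLE_NEXT_HOP}
            self.blackholed[src] = route
            # Alarm built from the source IP and its traffic to each destination IP
            alarms.append({"source": src, "total": total, "interval": (low, high),
                           "per_destination": per_dst, "route": route})
        return alarms

    def end_period(self):
        """Start a new defense period: violation counts do not carry over."""
        self.violations.clear()


def run_demo():
    detector = Detector()
    return [detector.observe(SAMPLE) for _ in range(4)]


if __name__ == "__main__":
    for number, alarms in enumerate(run_demo(), 1):
        print(number, alarms)
```

Because the decision is keyed on the source address alone, the `never_block` set matters in practice: it keeps a source that should never be cut off out of the automatic blocking path.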
The embodiment of the application provides a DDOS attack defense device, which is used for solving the technical problem of low DDOS attack defense efficiency in the prior art. As shown in fig. 3, a schematic structural diagram of a DDOS attack defense apparatus provided in an embodiment of the present application is shown, where the apparatus 30 includes: the system comprises an acquisition module 301, a judgment module 302 and a defense module 303;
the acquiring module 301 is configured to acquire network state data; the network state data comprises at least one target source IP, at least one target IP, flow between each target source IP and each target IP, total flow corresponding to each target source IP and total flow corresponding to each target IP; a judging module 302, configured to judge whether a total traffic corresponding to each target source IP is in a preset safety interval; the defense module 303 is configured to determine that the target source is a DDOS attack source when it is determined that the total traffic corresponding to any target source IP is not in the preset security interval, and establish a black hole route according to the target source IP to block the target source IP.
Specifically, in an embodiment, the determining module 302 is further configured to:
determining the maximum destination IP corresponding to each target source IP according to the flow between each target source IP and each destination IP; the maximum destination IP is the destination IP with the maximum flow with the target source IP; and determining a safety interval according to the total flow corresponding to the maximum destination IP.
Specifically, in an embodiment, the determining module 302 is specifically configured to:
determining the maximum value of the safety interval by calculating the product of the total flow corresponding to the maximum destination IP and a preset upper limit proportion;
determining the minimum value of the safety interval by calculating the product of the total flow corresponding to the maximum destination IP and a preset lower limit proportion;
and determining the safety interval according to the maximum value of the safety interval and the minimum value of the safety interval.
Specifically, in an embodiment, the defense module 303 is specifically configured to: counting the times that the total flow corresponding to each target source IP is not in a preset safety interval in a preset time period, and determining that the target source is a DDOS attack source when the times reach a preset threshold value.
Specifically, in one embodiment, the defense module 303 is further configured to: and generating alarm information according to the target source IP and the flow between the target source IP and each target IP.
Specifically, in one embodiment, the defense module 303 is further configured to: and sending alarm information for prompting an operator that the target source is a DDOS attack source.
The DDOS attack defense device provided in the embodiment of the present application is configured to execute the DDOS attack defense method provided in the above embodiment; its implementation manner and principle are the same and are not described again.
The embodiment of the application also provides electronic equipment which is used for executing the method provided by the embodiment.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device 40 includes: at least one processor 41 and memory 42;
wherein execution of the memory-stored computer-executable instructions by the at least one processor causes the at least one processor to perform the instructions of the method as in any one of the preceding embodiments.
The electronic device provided in the embodiment of the present application is configured to execute the DDOS attack defense method provided in the above embodiment, and an implementation manner and a principle thereof are the same and are not described again.
The embodiment of the present application provides a storage medium containing computer executable instructions, where the storage medium stores computer processor execution instructions, and when the processor executes the computer execution instructions, the method provided in any one of the above embodiments is implemented.
The storage medium containing the computer executable instructions of the embodiment of the present application may be used to store the computer executable instructions of the DDOS attack defense method provided in the foregoing embodiment, and an implementation manner and a principle thereof are the same and are not described again.
It should be understood that the above examples are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. It is neither necessary nor possible to enumerate all embodiments here. Obvious variations or modifications derived therefrom remain within the scope of the invention.

Claims (10)

1. A DDOS attack defense method is characterized by comprising the following steps:
acquiring network state data; the network state data comprises at least one target source IP, at least one target IP, flow between each target source IP and each target IP, total flow corresponding to each target source IP and total flow corresponding to each target IP;
judging whether the total flow corresponding to each target source IP is in a preset safety interval or not;
when the total flow corresponding to any target source IP is determined not to be in a preset safety interval, determining that the target source is a DDOS attack source, and establishing a black hole route according to the target source IP so as to block the target source IP.
2. A DDOS attack defense method according to claim 1, further comprising:
determining the maximum destination IP corresponding to each target source IP according to the flow between each target source IP and each destination IP; wherein the maximum destination IP is a destination IP with the maximum traffic between the target source IP and the destination IP;
and determining the safety interval according to the total flow corresponding to the maximum destination IP.
3. A DDOS attack defense method according to claim 2, wherein said determining said security interval according to a total traffic corresponding to said maximum destination IP comprises:
determining the maximum value of the safety interval by calculating the product of the total flow corresponding to the maximum destination IP and a preset upper limit proportion;
determining the minimum value of the safety interval by calculating the product of the total flow corresponding to the maximum destination IP and a preset lower limit proportion;
and determining the safety interval according to the maximum value of the safety interval and the minimum value of the safety interval.
4. A DDOS attack defense method according to claim 1, wherein said determining that said target source is a DDOS attack source comprises:
counting the times that the total flow corresponding to each target source IP is not in a preset safety interval in a preset time period, and determining that the target source is a DDOS attack source when the times reach a preset threshold value.
5. A DDOS attack defense method according to claim 1, wherein after determining that the target source is a DDOS attack source, the method further comprises:
and generating alarm information according to the target source IP and the flow between the target source IP and each target IP.
6. A DDOS attack defense method according to claim 5, characterized in that the method further comprises:
and sending the alarm information to prompt an operator that the target source is a DDOS attack source.
7. A DDOS attack defense apparatus, comprising: an acquisition module, a judgment module and a defense module;
the acquisition module is configured to acquire network state data; the network state data comprises at least one target source IP, at least one destination IP, the traffic between each target source IP and each destination IP, the total traffic corresponding to each target source IP and the total traffic corresponding to each destination IP;
the judgment module is configured to judge whether the total traffic corresponding to each target source IP is within a preset safety interval;
the defense module is configured to determine that the target source is a DDOS attack source when the total traffic corresponding to any target source IP is not within the preset safety interval, and to establish a black hole route according to the target source IP so as to block the target source IP.
8. The DDOS attack defense apparatus according to claim 7, wherein the judgment module is further configured to:
determine the maximum destination IP corresponding to each target source IP according to the traffic between each target source IP and each destination IP, wherein the maximum destination IP is the destination IP having the maximum traffic between it and the target source IP; and determine the safety interval according to the total traffic corresponding to the maximum destination IP.
9. An electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored in the memory, causing the at least one processor to perform the method of any one of claims 1-6.
10. A storage medium containing computer-executable instructions for performing the method of any one of claims 1-6 when executed by a computer processor.
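The detection logic of claims 2 to 4 and the black hole step of claim 7, worked through as an added example that is not part of the patent text. The function names, the ratio and threshold values, the sample traffic and the Linux `ip route` syntax are all assumptions made for illustration.

```python
from collections import defaultdict

def totals(flows, index):
    """Sum traffic per source IP (index 0) or per destination IP (index 1)."""
    out = defaultdict(float)
    for pair, traffic in flows.items():
        out[pair[index]] += traffic
    return out

def safety_interval(flows, src, lower_ratio, upper_ratio):
    """Claims 2-3: scale the total traffic of src's maximum destination IP."""
    # Maximum destination IP: the destination with the most traffic from src.
    max_dst = max((d for s, d in flows if s == src), key=lambda d: flows[(src, d)])
    base = totals(flows, 1)[max_dst]
    return base * lower_ratio, base * upper_ratio

def out_of_interval(flows, lower_ratio, upper_ratio):
    """Source IPs whose total traffic is not in their safety interval."""
    flagged = set()
    for src, total in totals(flows, 0).items():
        low, high = safety_interval(flows, src, lower_ratio, upper_ratio)
        if not low <= total <= high:  # too little traffic is also "not in"
            flagged.add(src)
    return flagged

def detect(samples, lower_ratio, upper_ratio, threshold):
    """Claim 4: flag a source once its violation count reaches the threshold."""
    counts = defaultdict(int)
    for flows in samples:
        for src in out_of_interval(flows, lower_ratio, upper_ratio):
            counts[src] += 1
    return sorted(s for s, n in counts.items() if n >= threshold)

def blackhole_commands(sources):
    # Assumption: Linux iproute2 syntax; the claims name no router platform.
    return [f"ip route add blackhole {s}/32" for s in sources]

# Constructed samples, one dict per polling interval:
# {(source IP, destination IP): traffic in arbitrary units}
A, B, C = "203.0.113.7", "198.51.100.10", "198.51.100.11"
D1, D2 = "192.0.2.1", "192.0.2.2"
SAMPLES = [
    {(A, D1): 800, (B, D1): 150, (C, D1): 100, (B, D2): 40, (C, D2): 60},
    {(A, D1): 900, (B, D1): 120, (C, D1): 50, (B, D2): 40, (C, D2): 300},
    {(A, D1): 850, (B, D1): 140, (C, D1): 110, (B, D2): 30, (C, D2): 50},
]

if __name__ == "__main__":
    attackers = detect(SAMPLES, lower_ratio=0.05, upper_ratio=0.5, threshold=2)
    print(attackers, blackhole_commands(attackers))
```

In the second sample, source C leaves its interval once but stays below the threshold, which is the false-positive damping that claim 4 provides. A route matches on destination address, so dropping packets by source with a black hole route additionally relies on unicast reverse path forwarding checks at the ingress interface.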
CN202010880440.6A 2020-08-27 2020-08-27 DDOS attack defense method and device Pending CN114205096A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010880440.6A CN114205096A (en) 2020-08-27 2020-08-27 DDOS attack defense method and device


Publications (1)

Publication Number Publication Date
CN114205096A true CN114205096A (en) 2022-03-18

Family

ID=80644135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010880440.6A Pending CN114205096A (en) 2020-08-27 2020-08-27 DDOS attack defense method and device

Country Status (1)

Country Link
CN (1) CN114205096A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701795A (en) * 2013-12-20 2014-04-02 北京奇虎科技有限公司 Identification method and device for attack source of denial of service attack
CN103795590A (en) * 2013-12-30 2014-05-14 北京天融信软件有限公司 Calculation method of network traffic detection threshold
US20160337397A1 (en) * 2015-05-15 2016-11-17 Alibaba Group Holding Limited Method and device for defending against network attacks
CN108322417A (en) * 2017-01-16 2018-07-24 阿里巴巴集团控股有限公司 Processing method, device and system and the safety equipment of network attack
CN109495423A (en) * 2017-09-11 2019-03-19 网宿科技股份有限公司 A kind of method and system preventing network attack
CN110505249A (en) * 2019-09-30 2019-11-26 怀来斯达铭数据有限公司 The recognition methods of ddos attack and device



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination