CN114629694A - Detection method and related device for distributed denial of service (DDoS) - Google Patents


Info

Publication number: CN114629694A
Authority: CN (China)
Application number: CN202210187749.6A
Other languages: Chinese (zh)
Other versions: CN114629694B (en)
Legal status: Granted
Prior art keywords: ddos, central processing, processing unit, traffic, flow
Inventors: 刘紫千, 常力元, 孙福兴, 李金伟, 刘长波, 陈林
Current assignee: Tianyi Safety Technology Co Ltd
Original assignee: Tianyi Safety Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Abstract

The application discloses a method and a related device for detecting distributed denial of service (DDoS). The method is applied to DDoS defense equipment which comprises a first central processing unit and at least one second central processing unit, and comprises the following steps: at each first preset time interval, the first central processing unit receives the service traffic reported by each second central processing unit, and performs DDoS detection on the summarized service traffic according to a preset DDoS detection mode; the service traffic reported by a second central processing unit is the service traffic passing through that second central processing unit; the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units. The above process collects the service traffic of every central processing unit and performs DDoS detection on it in a unified way. When a DDoS attack is detected, DDoS defense is started for each central processing unit in the equipment so as to reduce the risk of suffering a DDoS attack.

Description

Detection method and related device for distributed denial of service (DDoS)
Technical Field
The invention relates to the technical field of information security, in particular to a method and a related device for detecting distributed denial of service (DDoS).
Background
A plurality of Central Processing Units (CPUs) exist in a distributed system, and service traffic entering the system is shunted to each CPU based on a preset rule. In the related art, each central processing unit in such a multi-CPU system performs threshold detection on the traffic flowing through it, determines whether it is under Distributed Denial of Service (DDoS) attack by comparing that traffic with a preset threshold, and after detection, DDoS defense is started only for the central processing unit that detected a DDoS attack.
Because service traffic in the distributed system is shunted, the shunted traffic may carry DDoS attack traffic without exceeding the threshold. Since this detection mode can only start DDoS defense for a central processing unit that itself detects a DDoS attack, if service traffic that carries a DDoS attack but does not exceed the threshold passes through a CPU, DDoS defense is not started for it, which leaves a potential security hazard.
Disclosure of Invention
The invention provides a method and a related device for detecting distributed denial of service (DDoS), which are used for collecting service flow of each central processing unit and then uniformly detecting the DDoS, and starting DDoS defense for all the central processing units when detecting that DDoS attack exists so as to reduce the risk of the DDoS attack.
In a first aspect, an embodiment of the present invention provides a method for detecting a distributed denial of service DDoS, where the method is applied to a DDoS defense device, where the DDoS defense device includes at least one first central processing unit and at least one second central processing unit, and the method includes:
at each first preset time interval, the first central processing unit receives the service traffic reported by each second central processing unit, and performs DDoS detection on the summarized service traffic according to a preset DDoS detection mode; the service traffic reported by a second central processing unit is the service traffic passing through that second central processing unit; the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units;
and if DDoS attack exists in the summarized service flow, starting DDoS defense for the first central processing unit and each second central processing unit.
The DDoS defense device comprises a first central processing unit and at least one second central processing unit. At each first preset time interval, the first central processing unit receives the service traffic reported by the second central processing units and performs DDoS detection on the summarized service traffic according to a preset DDoS detection mode, wherein the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units. If a DDoS attack exists in the summarized service traffic, DDoS defense is started for the first central processing unit and each second central processing unit. In the above flow, the service traffic of the central processing units is collected and DDoS detection is performed in a unified manner. When a DDoS attack is detected, DDoS defense is started for each central processing unit in the equipment so as to reduce the risk of DDoS attack.
In some possible embodiments, the first central processor and the second central processor are determined based on identification information of the central processors.
The embodiment of the application specifies the first central processing unit and the second central processing unit based on the identification information of the central processing units so as to clearly summarize the service flow of each second central processing unit to the first central processing unit.
In some possible embodiments, performing DDoS detection on the summarized service traffic according to a preset DDoS detection method includes:
determining the data volume of each target flow in the summarized service flow;
and aiming at the data volume of each target flow, determining whether the summarized service flow has DDoS attack or not according to the comparison result of the data volume and the flow threshold value.
According to the embodiment of the application, whether DDoS attack exists in the summarized service flow is determined according to the data volume of each target flow in the summarized service flow, so that the DDoS detection precision is improved.
In some possible embodiments, the target traffic includes at least traffic of a transmission control protocol, a user datagram protocol, a hypertext transfer protocol, and a domain name system packet;
the determining whether the summarized service traffic has DDoS attack according to the comparison result between the data volume and the traffic threshold includes:
if the data volume of the transmission control protocol is larger than a first traffic threshold value, determining that the summarized service traffic has DDoS attack;
if the data volume of the user datagram protocol is larger than a second traffic threshold value, determining that the summarized service traffic has DDoS attack;
if the data volume of the hypertext transfer protocol is larger than a third flow threshold value, determining that the summarized service flow has DDoS attack;
and if the data volume of the domain name system message is larger than a fourth flow threshold value, determining that the summarized service flow has DDoS attack.
The target flow of the embodiment of the application at least comprises flows of a transmission control protocol, a user datagram protocol, a hypertext transmission protocol and a domain name system message, and a corresponding threshold value is set for each target flow, and when DDoS detection is executed, whether DDoS attack exists in summary service flow is determined by detecting whether the data volume of each target flow meets the corresponding flow threshold value, so that the DDoS detection precision is improved.
In some possible embodiments, the method further comprises:
when DDoS detection is carried out on the target traffic, if the target traffic is determined to be a transmission control protocol, the data volume of each target message in the target traffic is respectively detected; the target message comprises at least a SYN, an ACK and a SYN-ACK;
if the data volume of the SYN is larger than a fifth flow threshold value, determining that the summary service flow has DDoS attack;
if the data volume of the ACK is larger than a sixth traffic threshold value, determining that the summarized service traffic has DDoS attack;
and if the data volume of the SYN-ACK is larger than a seventh threshold value, determining that the DDoS attack exists in the summarized service flow.
When the embodiment of the application performs DDoS detection on the transmission control protocol, threshold detection needs to be performed on the data volume of each target message in the transmission control information so as to improve the DDoS detection precision.
In some possible embodiments, if it is detected that a DDoS attack exists in the aggregated service traffic, initiating a DDoS defense for the first central processing unit and each of the second central processing units, including:
determining the flow to be processed in the summarized service flow; the flow to be processed is the target flow of which the data volume is greater than the flow threshold value corresponding to the target flow in all the target flows;
and starting DDoS defense corresponding to the target flow for the first central processing unit and each second central processing unit.
When detecting that a DDoS attack exists in the summarized service traffic, the embodiment of the application starts the DDoS defense corresponding to the target traffic for the first central processing unit and each second central processing unit so as to reduce the risk of the DDoS attack.
In a second aspect, an embodiment of the present application provides a DDoS defense apparatus, where the apparatus includes:
the DDoS detection module is configured to control the first central processing unit to receive, at each first preset time interval, the service traffic reported by each second central processing unit, and to perform DDoS detection on the summarized service traffic according to a preset DDoS detection mode; the service traffic reported by a second central processing unit is the service traffic flowing through that second central processing unit; the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units;
and the DDoS defense module is configured to execute DDoS defense for the first central processing unit and each second central processing unit if the DDoS attack is detected in the summarized service flow.
In some possible embodiments, the first central processor and the second central processor are determined based on identification information of the central processors.
In some possible embodiments, when performing DDoS detection on the aggregated service traffic according to the preset DDoS detection manner, the DDoS detection module is configured to:
determining the data volume of each target flow in the summarized service flow;
and aiming at the data volume of each target flow, determining whether the summarized service flow has DDoS attack or not according to the comparison result of the data volume and the flow threshold value.
In some possible embodiments, the target traffic includes at least traffic of a transmission control protocol, a user datagram protocol, a hypertext transfer protocol, and a domain name system packet;
and when determining, according to the comparison result between the data volume and the traffic threshold, whether the summarized service traffic has a DDoS attack, the DDoS detection module is configured to:
if the data volume of the transmission control protocol is larger than a first traffic threshold value, determining that the summarized service traffic has DDoS attack;
if the data volume of the user datagram protocol is larger than a second traffic threshold value, determining that the summarized service traffic has DDoS attack;
if the data volume of the hypertext transfer protocol is larger than a third flow threshold value, determining that the summarized service flow has DDoS attack;
and if the data volume of the domain name system message is greater than a fourth flow threshold value, determining that the summarized service flow has DDoS attack.
In some possible embodiments, the DDoS detection module is further configured to:
when DDoS detection is carried out on the target traffic, if the target traffic is determined to be a transmission control protocol, the data volume of each target message in the target traffic is respectively detected; the target message comprises at least a SYN, an ACK and a SYN-ACK;
if the data volume of the SYN is larger than a fifth flow threshold value, determining that the summary service flow has DDoS attack;
if the data volume of the ACK is larger than a sixth flow threshold value, determining that DDoS attack exists in the summarized service flow;
and if the data volume of the SYN-ACK is larger than a seventh threshold value, determining that the DDoS attack exists in the summarized service flow.
In some possible embodiments, when a DDoS attack is detected in the aggregated traffic, the step of enabling DDoS defense for the first central processing unit and each of the second central processing units includes:
determining the flow to be processed in the summarized service flow; the flow to be processed is the target flow of which the data volume is greater than the flow threshold value corresponding to the target flow in all the target flows;
and starting DDoS defense corresponding to the target flow for the first central processing unit and each second central processing unit.
In a third aspect, an embodiment of the present application further provides a DDoS defense apparatus, including:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement any of the methods as provided in the first aspect of the application.
In a fourth aspect, embodiments of the present application further provide a storage medium, where instructions that when executed by a processor of an electronic device enable the electronic device to perform any one of the methods as provided in the first aspect of the present application.
In a fifth aspect, an embodiment of the present application provides a computer program product comprising a computer program that, when executed by a processor, performs any of the methods as provided in the first aspect of the present application.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the embodiments of the present application will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic diagram illustrating a DDoS detection method in the related art according to an embodiment of the present application;
Fig. 2a is a flowchart of a detection method for distributed denial of service (DDoS) according to an embodiment of the present application;
Fig. 2b is a schematic diagram of summarized traffic according to an embodiment of the present application;
Fig. 2c is a schematic diagram illustrating DDoS detection on target traffic according to an embodiment of the present application;
Fig. 2d is a schematic diagram illustrating DDoS detection performed on transmission control protocol traffic according to an embodiment of the present application;
Fig. 3 is a block diagram of a DDoS defense apparatus 300 according to an embodiment of the present application;
Fig. 4 is a structural diagram of a DDoS defense device 130 according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described in detail and clearly with reference to the accompanying drawings. In the description of the embodiments of the present application, unless otherwise specified, "/" means "or"; for example, A/B may mean A or B. "And/or" in the text only describes an association relationship between associated objects and means that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. In addition, "a plurality" means two or more in the description of the embodiments of the present application.
In the description of the embodiments of the present application, the term "plurality" means two or more unless otherwise specified, and other such terms should be understood similarly. The preferred embodiments described herein are only for the purpose of illustrating and explaining the present application and are not intended to limit it, and features in the embodiments and examples of the present application may be combined with each other where they do not conflict.
To further illustrate the technical solutions provided by the embodiments of the present application, the following detailed description is made with reference to the accompanying drawings and the detailed description. Although the embodiments of the present application provide method operation steps as shown in the following embodiments or figures, more or fewer operation steps may be included in the method based on conventional or non-inventive labor. In steps where no necessary causal relationship exists logically, the order of execution of the steps is not limited to that provided by the embodiments of the present application. The method can be executed in the order of the embodiments or the method shown in the drawings or in parallel in the actual process or the control device.
In the related art, the DDoS detection method is specifically shown in fig. 1, and for example, there are 3 CPUs, namely CPU1, CPU2, and CPU 3. The distributed system firstly shunts the service traffic to each CPU, i.e. the service traffic 1-3 shown in fig. 1. And then each CPU carries out DDoS detection on the service flow passing through the CPU in a threshold value comparison mode. For example, if only a DDoS attack is detected on traffic flowing through the CPU2, only DDoS defense is enabled for the CPU2, but defense is not enabled for the CPU1 and the CPU 3.
Since the traffic in the distributed system is shunted, there are cases in which the shunted traffic carries a DDoS attack but does not exceed the threshold. Still taking fig. 1 as an example, assume that DDoS attack traffic exists in the traffic before shunting, and that the traffic before shunting is 3000 pps (packets per second). Suppose the traffic flowing to CPU1 is 1000 pps, the traffic flowing to CPU2 is 1500 pps, and the traffic flowing to CPU3 is 500 pps. Assuming that the detection threshold of each CPU is 1500 pps, only the DDoS attack in the traffic flowing through CPU2 will be detected. That is, DDoS defense will only be enabled for CPU2. At this time, the traffic flowing through CPU1 and CPU3 may also carry DDoS attack traffic, but it is not detected because that traffic is below the detection threshold, which causes a security risk.
In order to solve the above problems, the inventive concept of the present application is: at each first preset time interval, the first central processing unit receives the service traffic reported by the second central processing units and performs DDoS detection on the summarized service traffic according to a preset DDoS detection mode, wherein the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units. If a DDoS attack is detected in the collected service traffic, DDoS defense is started for the first central processing unit and each second central processing unit in the equipment. In the above flow, the service traffic of the central processing units is collected and DDoS detection is performed in a unified manner. When a DDoS attack is detected, DDoS defense is started for each central processing unit in the equipment so as to reduce the risk of DDoS attack.
A distributed denial of service DDoS method provided in an embodiment of the present application is described in detail below with reference to the accompanying drawings, which are specifically shown in fig. 2a and include the following steps:
step 201: at each first preset time interval, the first central processing unit receives the service traffic reported by each second central processing unit, and performs DDoS detection on the summarized service traffic according to a preset DDoS detection mode; the service traffic reported by a second central processing unit is the service traffic flowing through that second central processing unit; the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units;
In the embodiment of the application, one of the plurality of central processing units in the DDoS defense equipment is preset as the first central processing unit, and the remaining central processing units serve as second central processing units. In implementation, the first central processing unit and the second central processing units can be determined according to the identification information of the central processing units.
After the first central processing unit and the second central processing units are determined, as shown in fig. 2b specifically, every first preset time period, each second central processing unit is controlled to send the traffic flowing through itself to the first central processing unit, and at this time, the first central processing unit obtains the summarized traffic including the traffic 1 of itself and the traffic (i.e., the traffic 2 and the traffic 3) of each second central processing unit. And then, the first central processing unit carries out DDoS detection on the summarized service flow.
When the method is implemented, the data volume of each target flow in the summarized service flow is determined firstly, and then whether the summarized service flow has DDoS attack or not is determined according to the comparison result of the data volume and the flow threshold value aiming at the data volume of each target flow. Specifically, each central processing unit can perform target traffic statistics on the traffic flowing through the central processing unit, then the second central processing unit sends the statistical result of the central processing unit to the first central processing unit, and the first central processing unit performs classification statistics on the statistical result of the central processing unit and the statistical result of each second central processing unit according to the target traffic.
Specifically, as shown in fig. 2c, the target traffic at least includes traffic of a Transmission Control Protocol (TCP), a User Datagram Protocol (UDP), a HyperText Transfer Protocol (HTTP), and a Domain Name System (DNS).
If the data volume of the transmission control protocol is larger than a first traffic threshold value, determining that the summarized service traffic has DDoS attack; if the data volume of the user datagram protocol is larger than the second traffic threshold, determining that the DDoS attack exists in the summarized service traffic; if the data volume of the hypertext transfer protocol is larger than a third flow threshold value, determining that the summarized service flow has DDoS attack; and if the data volume of the domain name system message is larger than the fourth flow threshold value, determining that the DDoS attack exists in the summarized service flow.
In some possible embodiments, in order to improve the accuracy of DDoS detection, when performing DDoS detection on a target traffic of a transmission control protocol, data volumes of target messages in the transmission control protocol need to be detected respectively. Specifically, as shown in fig. 2d, the target message is a message name in the transmission control protocol, and includes SYN, ACK, and SYN-ACK. When DDoS detection is carried out on the transmission control protocol, if the data volume of SYN in the transmission control protocol is larger than a fifth flow threshold value, DDoS attack exists in the summarized service flow; if the data volume of the ACK is larger than the sixth flow threshold value, determining that the collected service flow has DDoS attack; and if the data volume of the SYN-ACK is larger than a seventh threshold value, determining that the DDoS attack exists in the summarized service flow.
Step 202: and if DDoS attack exists in the summarized service flow, starting DDoS defense for the first central processing unit and each second central processing unit.
During implementation, the traffic to be processed in the summarized service traffic is determined; the traffic to be processed is the target traffic whose data volume is greater than the traffic threshold corresponding to that target traffic, among all target traffic. Then the first central processing unit and each second central processing unit are controlled to start the DDoS defense corresponding to that target traffic. For example, if there are CPU Nos. 1, 2 and 3, the amounts of SYN data flowing through each CPU per unit time are 300 pps, 600 pps and 600 pps respectively, and CPU No. 3 is the first CPU, then CPU Nos. 1 and 2 send their traffic data to CPU No. 3 for aggregation, which obtains aggregated SYN traffic of 1500 pps. After CPU No. 3 has collected the traffic, it needs to judge whether each type of target traffic exceeds its detection threshold, and if a type of target traffic does, the defense processing flow for traffic of that type is triggered. For example, the fifth traffic threshold for SYN is 1000 pps. Assuming that after aggregation the amount of SYN data in the aggregated traffic is 1500 pps, CPU No. 3 determines that the device is under SYN attack, and the DDoS device enables the defense against SYN for each CPU.
In the above process, the service flows of the central processing units are collected, and DDoS detection is performed in a unified manner. And when detecting that DDoS attack exists, starting DDoS defense for each central processing unit in the equipment so as to reduce the risk of suffering DDoS attack.
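As an added example (not code from the patent), the related-art per-CPU check beside the patent's aggregate-then-defend-everywhere check from steps 201 and 202, run on the page's SYN example: 300, 600 and 600 pps on CPUs 1, 2 and 3, CPU 3 as the first CPU, and a 1000 pps SYN threshold. The traffic-class names, the non-SYN thresholds and the UDP/DNS counts are constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Traffic thresholds per target-traffic class, in packets per second (pps).
# Class names follow the patent (TCP split into SYN / ACK / SYN-ACK, plus UDP,
# HTTP and DNS). The SYN threshold of 1000 pps is the page's example; the other
# values are constructed for this illustration.
THRESHOLDS_PPS: Dict[str, int] = {
    "tcp_syn": 1000,
    "tcp_ack": 2000,
    "tcp_synack": 1000,
    "udp": 5000,
    "http": 3000,
    "dns": 2000,
}


@dataclass(frozen=True)
class CpuReport:
    """Per-CPU statistics for one preset time period. cpu_id stands in for the
    identification information that also selects which CPU is the first CPU."""
    cpu_id: int
    counts_pps: Dict[str, int]


def exceeded_classes(counts: Dict[str, int], thresholds: Dict[str, int]) -> Set[str]:
    """Target-traffic classes whose data volume is larger than their threshold.
    A class with no configured threshold is never flagged."""
    return {cls for cls, pps in counts.items()
            if cls in thresholds and pps > thresholds[cls]}


def per_cpu_detection(reports: Iterable[CpuReport],
                      thresholds: Dict[str, int]) -> Dict[int, Set[str]]:
    """Related-art scheme: each CPU compares only its own share of the traffic,
    so defense is enabled only on the CPUs whose own share exceeds a threshold."""
    return {r.cpu_id: exceeded_classes(r.counts_pps, thresholds) for r in reports}


def aggregate(reports: Iterable[CpuReport]) -> Dict[str, int]:
    """Summarized service traffic: per-class sum over the first CPU's own
    statistics and every second CPU's report."""
    total: Counter = Counter()
    for r in reports:
        total.update(r.counts_pps)
    return dict(total)


def unified_detection(reports: Iterable[CpuReport], first_cpu_id: int,
                      thresholds: Dict[str, int]) -> Dict[int, Set[str]]:
    """Patent scheme (steps 201 and 202): the second CPUs report to the first
    CPU, which aggregates and detects; every class over its threshold (the
    'traffic to be processed') has its defense enabled on all CPUs alike."""
    reports = list(reports)
    if not any(r.cpu_id == first_cpu_id for r in reports):
        raise ValueError(f"first CPU {first_cpu_id} contributed no statistics")
    to_process = exceeded_classes(aggregate(reports), thresholds)
    return {r.cpu_id: set(to_process) for r in reports}


def page_example() -> Dict[str, Dict[int, Set[str]]]:
    """The page's worked example: SYN volumes of 300, 600 and 600 pps on CPUs
    1, 2 and 3 with CPU 3 as the first CPU. UDP and DNS counts are constructed."""
    reports = [
        CpuReport(1, {"tcp_syn": 300, "udp": 800, "dns": 100}),
        CpuReport(2, {"tcp_syn": 600, "udp": 900, "dns": 150}),
        CpuReport(3, {"tcp_syn": 600, "udp": 700, "dns": 120}),
    ]
    return {
        "per_cpu": per_cpu_detection(reports, THRESHOLDS_PPS),
        "unified": unified_detection(reports, first_cpu_id=3,
                                     thresholds=THRESHOLDS_PPS),
    }


if __name__ == "__main__":
    for scheme, defenses in page_example().items():
        print(scheme, {cpu: sorted(d) for cpu, d in defenses.items()})
```

Per-CPU detection flags nothing, because no single CPU sees more than 600 pps of SYN; the aggregate of 1500 pps crosses the 1000 pps threshold, so the SYN defense is switched on for all three CPUs.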
Based on the same inventive concept, an embodiment of the present application further provides a DDoS defense apparatus 300, specifically as shown in fig. 3, the apparatus includes:
the DDoS detection module 301 is configured to control the first central processing unit to receive, at each first preset time interval, the service traffic reported by each second central processing unit, and to perform DDoS detection on the summarized service traffic according to a preset DDoS detection mode; the service traffic reported by a second central processing unit is the service traffic passing through that second central processing unit; the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units;
a DDoS defense module 302 configured to perform DDoS defense for the first central processing unit and each of the second central processing units if it is detected that the summarized service traffic has a DDoS attack.
In some possible embodiments, the first central processor and the second central processor are determined based on identification information of the central processors.
In some possible embodiments, when performing DDoS detection on the aggregated service traffic according to the preset DDoS detection manner, the DDoS detection module 301 is configured to:
determining the data volume of each target flow in the summarized service flow;
and aiming at the data volume of each target flow, determining whether the summarized service flow has DDoS attack or not according to the comparison result of the data volume and the flow threshold value.
In some possible embodiments, the target traffic includes at least transmission control protocol traffic, user datagram protocol traffic, hypertext transfer protocol traffic and domain name system packets;
when determining, according to the comparison result between the data volume and the traffic threshold, whether a DDoS attack exists in the summarized service traffic, the DDoS detection module 301 is configured to:
if the data volume of the transmission control protocol is larger than a first traffic threshold, determine that a DDoS attack exists in the summarized service traffic;
if the data volume of the user datagram protocol is larger than a second traffic threshold, determine that a DDoS attack exists in the summarized service traffic;
if the data volume of the hypertext transfer protocol is larger than a third traffic threshold, determine that a DDoS attack exists in the summarized service traffic;
and if the data volume of the domain name system packets is larger than a fourth traffic threshold, determine that a DDoS attack exists in the summarized service traffic.
In some possible embodiments, the DDoS detection module 301 is further configured to:
when performing DDoS detection on the target traffic, if the target traffic is determined to be transmission control protocol traffic, detect the data volume of each target message in that target traffic separately, where the target messages include at least SYN, ACK and SYN-ACK;
if the data volume of SYN is larger than a fifth traffic threshold, determine that a DDoS attack exists in the summarized service traffic;
if the data volume of ACK is larger than a sixth traffic threshold, determine that a DDoS attack exists in the summarized service traffic;
and if the data volume of SYN-ACK is larger than a seventh traffic threshold, determine that a DDoS attack exists in the summarized service traffic.
In some possible embodiments, when enabling DDoS defense for the first central processing unit and each second central processing unit upon detecting a DDoS attack in the summarized service traffic, the DDoS defense module 302 is configured to:
determine the traffic to be processed in the summarized service traffic, the traffic to be processed being the target traffic whose data volume is greater than the traffic threshold corresponding to that target traffic, among all the target traffic types;
and enable the DDoS defense corresponding to that target traffic for the first central processing unit and each second central processing unit.
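As an added example (not the patent's own code), the following Python models the aggregate-then-compare procedure described above, covering both the worked SYN example in the description and the detection module 301 / defense module 302 behaviour: each second CPU reports its per-type packet rates, the first CPU sums them into the summarized traffic, compares each type against the first to seventh thresholds, and defense is enabled on every CPU. The choice of the highest-numbered CPU as first CPU, all thresholds other than the 1000 pps SYN threshold, and the sample rates are assumptions.

```python
"""Multi-CPU DDoS detection by aggregation at a first CPU (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Any

# Target traffic types (claim 4) and TCP message types examined separately (claim 5).
PROTOCOLS = ("tcp", "udp", "http", "dns")
TCP_MESSAGES = ("syn", "ack", "syn_ack")

# The first to seventh traffic thresholds, in packets per second. Only the SYN value
# (1000 pps) comes from the description; the others are constructed for this example.
DEFAULT_THRESHOLDS: Dict[str, int] = {
    "tcp": 5000, "udp": 4000, "http": 2000, "dns": 2000,   # first .. fourth
    "syn": 1000, "ack": 3000, "syn_ack": 1000,             # fifth .. seventh
}


@dataclass
class CpuTrafficReport:
    """Traffic seen by one CPU during one reporting period (pps per traffic type).

    cpu_id is the identification information used to decide which CPU is the first CPU.
    """
    cpu_id: int
    counts: Dict[str, int] = field(default_factory=dict)


def select_first_cpu(reports: List[CpuTrafficReport]) -> int:
    """Choose the aggregating (first) CPU from the CPUs' identification information.

    Assumption: the highest-numbered CPU aggregates, matching the description in
    which CPU No. 3 of CPUs 1-3 is the first CPU.
    """
    return max(r.cpu_id for r in reports)


def aggregate(reports: List[CpuTrafficReport]) -> Dict[str, int]:
    """Sum the per-CPU counts reported to the first CPU into the summarized traffic."""
    total: Dict[str, int] = {}
    for r in reports:
        for key, value in r.counts.items():
            total[key] = total.get(key, 0) + value
    return total


def detect(summarized: Dict[str, int],
           thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> Set[str]:
    """Return the traffic types whose data volume exceeds their threshold.

    The returned set is the 'traffic to be processed'; an empty set means no attack.
    """
    hits: Set[str] = set()
    for proto in PROTOCOLS:
        if summarized.get(proto, 0) > thresholds[proto]:
            hits.add(proto)
    # TCP is additionally broken down into SYN, ACK and SYN-ACK, each with its own threshold.
    if summarized.get("tcp", 0) > 0:
        for msg in TCP_MESSAGES:
            if summarized.get(msg, 0) > thresholds[msg]:
                hits.add(msg)
    return hits


def run_detection_cycle(reports: List[CpuTrafficReport],
                        thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> Dict[str, Any]:
    """One 'first preset time period' cycle: aggregate at the first CPU, detect,
    and derive the defenses to enable on every CPU (first and second CPUs alike)."""
    first_cpu = select_first_cpu(reports)
    summarized = aggregate(reports)
    to_process = detect(summarized, thresholds)
    # Defense is enabled on all CPUs, not only on those whose own share exceeded a threshold.
    defense = {r.cpu_id: set(to_process) for r in reports}
    return {"first_cpu": first_cpu, "summarized": summarized,
            "to_process": to_process, "defense": defense}


def example_from_description() -> Dict[str, Any]:
    """Constructed scenario from the description: SYN rates of 300/600/600 pps on CPUs 1-3.
    No single CPU exceeds the 1000 pps SYN threshold, but the aggregate (1500 pps) does."""
    reports = [
        CpuTrafficReport(1, {"tcp": 300, "syn": 300}),
        CpuTrafficReport(2, {"tcp": 600, "syn": 600}),
        CpuTrafficReport(3, {"tcp": 600, "syn": 600}),
    ]
    return run_detection_cycle(reports)


if __name__ == "__main__":
    result = example_from_description()
    print("first CPU:", result["first_cpu"])
    print("summarized SYN pps:", result["summarized"]["syn"])
    print("defenses enabled per CPU:", result["defense"])
```

The per-CPU check `detect(report.counts)` stays empty for each of the three reports, which is exactly the blind spot the unified detection on the first CPU closes.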
A DDoS defense apparatus 130 according to this embodiment of the present application is described below with reference to fig. 4. The DDoS defense apparatus 130 shown in fig. 4 is merely an example, and should not bring any limitations to the function and scope of use of the embodiments of the present application.
As shown in fig. 4, the DDoS defense apparatus 130 is embodied in the form of a general-purpose DDoS defense apparatus. Its components may include, but are not limited to, at least one processor 131, at least one memory 132, and a bus 133 connecting the various system components (including the memory 132 and the processor 131).
Bus 133 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures.
The memory 132 may include readable media in the form of volatile memory, such as Random Access Memory (RAM)1321 and/or cache memory 1322, and may further include Read Only Memory (ROM) 1323.
Memory 132 may also include a program/utility 1325 having a set (at least one) of program modules 1324, such program modules 1324 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
The DDoS defense device 130 may also communicate with one or more external devices 134 (e.g., keyboard, pointing device, etc.), with one or more devices that enable a user to interact with the DDoS defense device 130, and/or with any device (e.g., router, modem, etc.) that enables the DDoS defense device 130 to communicate with one or more other DDoS defense devices. Such communication may occur via input/output (I/O) interfaces 135. Also, the DDoS defense device 130 may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via a network adapter 136. As shown, the network adapter 136 communicates with other modules for the DDoS defense device 130 over a bus 133. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the DDoS defense device 130, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In an exemplary embodiment, a computer-readable storage medium comprising instructions, such as the memory 132 comprising instructions, executable by the processor 131 of the apparatus 400 to perform the above-described method is also provided. Alternatively, the computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a computer program product is also provided, which comprises computer programs/instructions, which when executed by the processor 131, implement a method of detecting a distributed denial of service, DDoS, as provided herein.
In an exemplary embodiment, the various aspects of the method for detecting a distributed denial of service (DDoS) provided by the present application may also be implemented as a program product including program code which, when the program product is run on a computer device, causes the computer device to perform the steps of the DDoS detection method according to the various exemplary embodiments described above in this specification.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A program product for detection of a distributed denial of service DDoS of embodiments of the present application may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a DDoS defense device. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user DDoS defense device, partly on the user device, as a stand-alone software package, partly on the user DDoS defense device and partly on a remote DDoS defense device, or entirely on the remote DDoS defense device or server. In scenarios involving remote DDoS defense devices, the remote DDoS defense devices may be connected to the user DDoS defense device via any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to external DDoS defense devices (e.g., via an internet connection using an internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, the features and functions of two or more units described above may be embodied in one unit, according to embodiments of the application. Conversely, the features and functions of one unit described above may be further divided so as to be embodied by a plurality of units.
Further, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A detection method of a distributed denial of service (DDoS), applied to DDoS defense equipment, wherein the DDoS defense equipment comprises at least a first central processing unit and at least one second central processing unit, and the method comprises the following steps:
at intervals of a first preset time period, the first central processing unit receives the service traffic reported by each second central processing unit, and performs DDoS detection on the summarized service traffic according to a preset DDoS detection mode; the service traffic reported by a second central processing unit is the service traffic passing through that second central processing unit; the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units;
and if a DDoS attack exists in the summarized service traffic, enabling DDoS defense for the first central processing unit and each second central processing unit.
2. The method of claim 1, wherein the first central processor and the second central processor are determined based on identification information of the central processors.
3. The method of claim 1, wherein performing DDoS detection on the aggregated service traffic according to a preset DDoS detection manner comprises:
determining the data volume of each target flow in the summarized service flow;
and aiming at the data volume of each target flow, determining whether the summarized service flow has DDoS attack or not according to the comparison result of the data volume and the flow threshold value.
4. The method of claim 3, wherein the target traffic comprises at least traffic of a transmission control protocol, a user datagram protocol, a hypertext transfer protocol, and a domain name system packet;
the determining whether the summarized service traffic has DDoS attack according to the comparison result between the data volume and the traffic threshold includes:
if the data volume of the transmission control protocol is larger than a first traffic threshold value, determining that the summarized service traffic has DDoS attack;
if the data volume of the user datagram protocol is larger than a second traffic threshold value, determining that the summarized service traffic has DDoS attack;
if the data volume of the hypertext transfer protocol is larger than a third flow threshold value, determining that the summarized service flow has DDoS attack;
and if the data volume of the domain name system message is greater than a fourth flow threshold value, determining that the summarized service flow has DDoS attack.
5. The method of claim 4, further comprising:
when DDoS detection is carried out on the target traffic, if the target traffic is determined to be a transmission control protocol, the data volume of each target message in the target traffic is respectively detected; the target message comprises at least a SYN, an ACK and a SYN-ACK;
if the data volume of the SYN is larger than a fifth flow threshold value, determining that the summary service flow has DDoS attack;
if the data volume of the ACK is larger than a sixth traffic threshold value, determining that the summarized service traffic has DDoS attack;
and if the data volume of the SYN-ACK is larger than a seventh threshold value, determining that the DDoS attack exists in the summarized service flow.
6. The method according to any of claims 1-5, wherein the enabling DDoS defense for the first central processing unit and each of the second central processing units if detecting that a DDoS attack exists on the aggregated traffic comprises:
determining the flow to be processed in the summarized service flow; the flow to be processed is the target flow of which the data volume is greater than the flow threshold value corresponding to the target flow in all the target flows;
and starting DDoS defense corresponding to the target flow for the first central processing unit and each second central processing unit.
7. A DDoS defense apparatus, characterized in that the apparatus comprises:
a DDoS detection module, configured to control the first central processing unit to receive, at intervals of a first preset time period, the service traffic reported by each second central processing unit, and to perform DDoS detection on the summarized service traffic according to a preset DDoS detection mode; the service traffic reported by a second central processing unit is the service traffic passing through that second central processing unit; the summarized service traffic is the service traffic flowing through the first central processing unit and the second central processing units;
and a DDoS defense module, configured to enable DDoS defense for the first central processing unit and each second central processing unit if a DDoS attack is detected in the summarized service traffic.
8. A DDoS defense apparatus, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory and for executing the steps comprised in the method of any one of claims 1 to 6 in accordance with the obtained program instructions.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a computer, cause the computer to perform the method according to any one of claims 1-6.
10. A computer program product, the computer program product comprising: computer program code which, when run on a computer, causes the computer to perform the method according to any of the preceding claims 1-6.
CN202210187749.6A 2022-02-28 2022-02-28 Distributed denial of service (DDoS) detection method and related device Active CN114629694B (en)
Publications (2)

Publication Number Publication Date
CN114629694A true CN114629694A (en) 2022-06-14
CN114629694B CN114629694B (en) 2024-01-19

Family

ID=81900843


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant