CN115412300A - DDoS attack detection method based on edge firewall - Google Patents

Info

Publication number: CN115412300A
Authority: CN (China)
Application number: CN202210922135.8A
Original language: Chinese (zh)
Inventors: 温震宇, 洪榛, 雷自辉, 黄圣豪
Assignee (original and current): Zhejiang University of Technology ZJUT
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service


Abstract

A DDoS attack detection method that runs threshold-based detection on a soft router. First, a general typical DDoS attack model is established, covering four major categories: ICMP attacks, TCP attacks, UDP attacks and HTTP attacks. A router, hosts and a service environment are arranged; several attacking hosts attack the victim server while normally accessing users make the corresponding multiple accesses to the server. With the algorithm not started, the normal hosts access the server and the request response rate and access success rate of legitimate traffic are checked. With the algorithm started, different detection means are applied according to the type of traffic, malicious traffic is detected and then shielded or filtered, the normal hosts access the server again, and the request response rate and access success rate of legitimate traffic are checked. The invention is a lightweight edge firewall that saves cost and offers higher flexibility while achieving a defense effect similar to that of a traditional defense system.

Description

DDoS attack detection method based on edge firewall
Technical Field
The invention relates to the field of computer network security, in particular to a DDoS attack detection method based on an edge firewall.
Background
Distributed denial of service (DDoS) attacks have long been a standing threat and remain one of the attack types that has never been completely addressed. The situation becomes more severe as more and more low-level Internet of Things (IoT) devices with weak defense mechanisms are connected to networks. The size and diversity of DDoS attacks have increased dramatically over the past few years, and many attacks have become headline news. Recent survey reports show that in some modern wars an opponent's servers can be paralyzed by DDoS attacks; the attack means are complex and, because source IPs are easily changed, the attack effect is remarkable. These attacks also evolve rapidly, taking advantage of new or mixed attack vectors.
One of the most widely deployed DDoS defense systems today is the traffic cleaning center. However, most of the devices deployed in a traffic cleaning center, or as an edge firewall, are expensive proprietary hardware. While these middleboxes provide high performance, they tend to be inflexible in function, capacity and placement: whenever a new attack vector appears, the corresponding defense requires upgrading the middlebox. Beyond the lack of agility, hardware upgrades also bring significant economic cost.
DDoS attacks are common against small businesses and homes, most of which are forced to rely on a cleaning center to filter traffic because local devices have difficulty withstanding large-scale, high-volume distributed requests. However, when a traffic cleaning center is used, the traffic must pass through the center before returning to the local network, which some customers and enterprises are very reluctant to accept for privacy reasons: important enterprise data can easily be leaked to the cleaning center. Moreover, small enterprises have little bargaining power, so the service puts them under heavy economic pressure. Switches and routers inside the enterprise have no traffic filtering function, so a cleaning center has to be used when the enterprise is subjected to a large-scale attack. A local, low-power method for malicious traffic detection that lets developers change policies based on recent attacks is therefore highly desirable.
Disclosure of Invention
Aiming at the defects that the edge devices and routers of current small enterprises and homes cannot resist dynamic, variable DDoS attacks, and that some important confidential data should not pass through a traffic cleaning center, the invention provides a DDoS attack detection method based on an edge firewall with good local performance, low power consumption and flexible upgrading.
The technical scheme adopted by the invention to solve this problem is as follows.
The invention discloses a DDoS attack detection method based on an edge firewall, which comprises the following steps:
(1) Establishing a general typical DDoS attack model;
(2) Arranging an edge firewall system environment, and connecting a plurality of attacking hosts, victim servers and normally accessed user hosts;
(3) Arranging detection and filtering algorithms for the corresponding attacks in the edge firewall, with the algorithms flexibly switched on and off, wherein the detection and filtering algorithms cover four categories, ICMP (Internet Control Message Protocol) attacks, TCP (Transmission Control Protocol) attacks, UDP (User Datagram Protocol) attacks and HTTP (Hypertext Transfer Protocol) attacks, and the specific attack types under each category;
(4) Using a plurality of attack hosts to attack a victim server, and simultaneously carrying out corresponding multiple accesses on the server by a user who normally accesses;
(5) When the algorithm is not started, the normal host accesses the server, and the request response rate and the access success rate of legal flow are checked;
(6) After the algorithm is started, the algorithm can detect malicious traffic and then shield or filter the malicious traffic, and then a normal host accesses the server to check the request response rate and the access success rate of the legal traffic.
Further, step 1 specifically includes:
Step 11, acquiring the IP address of the victim server and the ports of its TCP, UDP and HTTP services; because the victim server must provide service, its IP address and the corresponding port numbers are necessarily public.
Step 12, arranging attack programs for ICMP Flood and Smurf Attack (the ICMP-type attacks) on the plurality of attack hosts. The Smurf Attack is a reflection attack: the source IP address must be forged as that of the victim host, and the more hosts connected in the same local area network, the stronger the attack effect. The IP address is set in the corresponding program, and the ICMP Flood or Smurf Attack is prepared.
Step 13, arranging attack programs for SYN Flood, ACK Flood, FIN/RST Flood and Elephant Flood (the TCP-type attacks) on the plurality of attack hosts. The Elephant Flood is simulated with iperf, which requires running the iperf service and setting its port on the server. The IP address and TCP service port are set in the corresponding program, and the SYN Flood, ACK Flood, FIN/RST Flood and Elephant Flood attacks are prepared.
Step 14, arranging attack programs for UDP Flood, DNS Amplification Attack, SNMP Amplification Attack, SSDP DDoS Attack and NTP Amplification Attack (the UDP-type attacks) on the plurality of attack hosts. Except for the UDP Flood, these are all reflection amplification attacks in which the source IP must be forged as the IP of the victim host; because UDP is unreliable transmission without a handshake, the UDP Flood can also be simulated with the iperf program. Finally, the IP address and the port of the TCP service are set in the corresponding program, and the UDP Flood, DNS Amplification Attack, SNMP Amplification Attack, SSDP DDoS Attack and NTP Amplification Attack are prepared.
Step 15, arranging the HTTP Flood attack program (the HTTP-type attack) on the plurality of attack hosts. The IP address is set in the corresponding program, and the HTTP Flood attack is prepared.
Further, the edge firewall system arrangement of step 2 proceeds as follows.
The routers in small enterprises and homes are mostly ordinary hardware routers, and the switches are large switches; the main functions of a large switch and an ordinary router are forwarding data and discovering links and networks. An algorithm placed on such a system therefore consumes considerable memory, CPU and power, yet in small scenarios such as small enterprises and homes the attacks are not as severe as those faced by a large company, so completing attack defense with routers and switches like those of a large company wastes resources. An edge server provides users with network access and communication with other server devices; it is typically a group of servers performing a single function, and here that function is an edge firewall.
Because of its single function, the edge firewall has relatively low power, performance and cost. Its performance is sufficient for the lightweight devices connected in small businesses and homes, such as cameras, voice assistants and smart-home equipment. If the traditional DDoS deployment and defense method were used, a large number of high-performance routers or switches would have to be arranged, which clearly does not match the defense requirements of lightweight edge equipment; for lightweight edge devices, an edge firewall is fully capable of defending against DDoS attacks of this level. The edge firewall uses the OpenWrt system. The OpenWrt project is a Linux operating system for embedded devices and is commonly used on routers. As an embedded Linux operating system, OpenWrt is highly modular and automated, occupies little space, and has powerful network components; it keeps a small footprint and strong extensibility while meeting the needs of traffic detection. After OpenWrt is configured on the edge firewall, all other routers, switches and similar equipment that need to connect to the edge devices are connected to the edge firewall, so that every packet is inspected by the firewall algorithm before it reaches an edge device.
Because the attack is in progress and the server's traffic is large, the router is connected to a gigabit optical port, and the remaining attack hosts are connected to gigabit network ports.
Further, step 3 specifically includes:
Step 31, deploying the TCP-related detection algorithms in the edge firewall.
Step 311, for SYN Flood the attack pattern is uniform, and a source that keeps sending the same SYN is easily judged abnormal even by a low-power edge firewall. This is done by first tracking the number of open TCP sessions per source IP in 5-second epochs, which is achieved by counting SYN and ACK packets. Based on the statistics of the previous epoch, if one source IP has sent many more SYNs than ACKs, its future packets are marked as an attack and can be dropped. If a source IP shows no asymmetry between SYN and ACK, it is marked as benign and its packets are let through. Otherwise it is flagged as an error condition and handed to the traditional SYN cookie mechanism.
Step 312, for ACK Flood, as above, if ACKs from multiple source IPs are received without the corresponding SYNs, the traffic is judged malicious. Because ACKs without a preceding SYN are easy to identify, this traffic can also be handled by the low-power edge device, and here the advantage of a single-function edge firewall is amplified.
Step 313, for FIN/RST Flood, if FIN or RST packets from multiple source IPs are received although no SYN was ever sent, the system judges the traffic malicious. The system merely sees more FIN or RST packets from the same source than expected, so it can easily judge the traffic malicious, and the performance requirement is low.
Step 314, for the Elephant Flood attack, the aim is to detect very large flows from some source IP addresses. Because the edge devices of small enterprises and homes are unlikely to face huge traffic, the required detection performance is not high, and the edge firewall is adequate. The number of bytes sent per flow is first counted in 5-second epochs. If the total byte count of a flow exceeded a threshold during the last epoch, the flow is provisionally marked suspicious; if it exceeds the threshold again during the next epoch, the flow is judged malicious.
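The SYN/ACK accounting of steps 311 to 313, as an added example that is not part of the patent: per-source-IP SYN and ACK counts are kept in 5-second epochs, the previous epoch decides whether a source's packets are dropped, passed or handed to SYN cookies, and ACK, FIN or RST packets from a source that never sent a SYN are dropped outright. The ratio, the minimum SYN count and the constructed traffic are assumptions, not values from the page.

```python
from collections import defaultdict

EPOCH_SECONDS = 5   # the page's 5-second statistics window
SYN_ACK_RATIO = 3   # assumed: more than 3 SYNs per ACK counts as "much more SYN than ACK"
MIN_SYN = 10        # assumed: fewer SYNs than this is not enough evidence to drop a source

ATTACK, BENIGN, SYN_COOKIE, NO_VERDICT = "attack", "benign", "syn_cookie", "no_verdict"


def _new_epoch():
    return defaultdict(lambda: {"syn": 0, "ack": 0})


class TcpFloodDetector:
    """Per-source-IP SYN/ACK accounting in fixed epochs (steps 311 to 313)."""

    def __init__(self, epoch_seconds=EPOCH_SECONDS):
        self.epoch_seconds = epoch_seconds
        self.epoch = None          # index of the epoch currently being accumulated
        self.current = _new_epoch()
        self.previous = {}         # statistics of the last completed epoch
        self.seen_syn = set()      # sources that have opened at least one handshake

    def _advance(self, epoch):
        """Roll the statistics window when a packet from a newer epoch arrives."""
        if self.epoch is None:
            self.epoch = epoch
        elif epoch != self.epoch:
            # a gap of more than one epoch leaves no usable previous statistics
            self.previous = dict(self.current) if epoch == self.epoch + 1 else {}
            self.current = _new_epoch()
            self.epoch = epoch

    def _verdict(self, src):
        """Decide from the previous epoch how to treat this source's packets now."""
        stats = self.previous.get(src)
        if stats is None:
            return NO_VERDICT
        syn, ack = stats["syn"], stats["ack"]
        if syn >= MIN_SYN and syn > SYN_ACK_RATIO * ack:
            return ATTACK       # step 311: far more SYN than ACK, drop future packets
        if syn <= ack:
            return BENIGN       # no asymmetry: every SYN was followed by ACKs
        return SYN_COOKIE       # mild asymmetry: hand the source to SYN cookies

    def observe(self, ts, src, flags):
        """Account one TCP packet (flags as a string of S/A/F/R) and return its treatment."""
        self._advance(int(ts) // self.epoch_seconds)
        if "S" in flags:
            self.current[src]["syn"] += 1
            self.seen_syn.add(src)
            return self._verdict(src)
        if src not in self.seen_syn:
            # steps 312 and 313: ACK, FIN or RST from a source that never sent a SYN
            return ATTACK
        if "A" in flags:
            self.current[src]["ack"] += 1
        return self._verdict(src)


def demo():
    """Constructed traffic: a SYN flooder, a normal client and a SYN-less ACK/FIN sender."""
    packets = [(t * 0.2, "10.0.0.9", "S") for t in range(20)]       # 20 SYNs, no ACKs
    packets += [(1.0, "10.0.0.2", "S"), (1.1, "10.0.0.2", "A"),
                (2.0, "10.0.0.2", "A")]                               # one normal handshake
    packets += [(5.5, "10.0.0.9", "S"), (6.0, "10.0.0.2", "A"),       # next epoch
                (7.0, "10.0.0.7", "A"), (8.0, "10.0.0.7", "FA")]      # no SYN ever seen
    packets.sort(key=lambda p: p[0])
    det = TcpFloodDetector()
    return {(src, ts): det.observe(ts, src, flags) for ts, src, flags in packets}
```

The first epoch yields no verdict for anyone; from the second epoch on, the flooder is dropped, the client is benign and the SYN-less sender is dropped on its first packet.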
Step 32, deploying the UDP-related detection algorithms in the edge firewall.
Step 321, an edge device rarely queries DNS servers actively, and its own performance is not high, so the performance demand on the router or edge firewall is low, and when a large number of DNS servers are accessed the system can handle it efficiently in the following way. In a DNS Amplification Attack, the attacking hosts send many DNS queries with the spoofed source IP of the protected server, producing a large volume of response traffic that overwhelms the victim server's bandwidth. To resist this attack, the DNS queries of all victim servers are tracked first; only responses that correspond to a query from the victim server within one hour are judged legitimate. If other DNS responses enter the network, the traffic is provisionally marked suspicious, and if they enter the network again within seconds, the traffic is judged malicious.
Step 322, for UDP Flood, the UDP traffic received by an edge device is very small under normal conditions, so abnormal access traffic can be detected with little effort by the edge firewall. The number of UDP packets per source IP is tracked in 5-second epochs as follows. If one source IP sent an abnormal number of UDP packets during the last epoch, it is marked suspicious; if it sends an abnormal number again during the next epoch, its traffic is judged malicious. Because a UDP Flood needs no prior connection, the attack appears able to send huge traffic and cause a large impact, but the edge equipment of small enterprises and homes cannot process a large amount of traffic anyway, so high-volume transfers between devices do not occur; the edge firewall's threshold can therefore be lowered accordingly, and defense is achieved with low power consumption.
Step 33, deploying the HTTP-related detection algorithm in the edge firewall. In an HTTP Flood, each attacking host generates a large number of well-formed HTTP requests and sends them to the victim server, which easily overloads the server and makes the service unavailable. One simple way to mitigate this attack is to track the number of HTTP requests per source IP. If the number of previous client sessions exceeds the threshold, the traffic is judged malicious and the sender may access the server only after entering a verification code; otherwise the traffic is judged legitimate. Since edge devices are rarely used as servers, a large volume of HTTP accesses is catastrophic for an edge device, but for the edge firewall only a lower threshold needs to be set, so that detection covers more traffic with a low misjudgment rate.
Step 34, deploying the ICMP-related detection algorithm in the edge firewall. For ICMP Flood and Smurf Attack, the number of ICMP packets per source IP is tracked in 5-second epochs. If one source IP sent an abnormally large number of ICMP packets during the last epoch, its traffic is directly marked malicious; because the legitimate number of ICMP packets is limited, it can be judged an attack immediately. If a large number of ICMP messages enter the intranet from outside, they can be detected with a lower threshold, within the performance and power budget of the edge firewall.
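Steps 314, 322, 33 and 34 share one mechanism: count per 5-second epoch, compare against a threshold, and escalate from suspicious to malicious after a set number of consecutive over-threshold epochs (one for ICMP and HTTP, two for elephant flows and UDP). The following added example, which is not the patent's own code, implements that shared mechanism with one policy per traffic class; the threshold values, the "challenge" action standing in for the verification-code step, and the constructed traffic are assumptions.

```python
from collections import defaultdict

EPOCH_SECONDS = 5  # the page's 5-second statistics window

# One policy per traffic class. Thresholds are assumed placeholders: the page
# only states that an edge firewall can afford lower thresholds than a core device.
POLICIES = {
    # step 314: bytes per flow, suspicious after one epoch, malicious after two
    "elephant": {"metric": "bytes",   "threshold": 5_000_000, "epochs": 2, "action": "drop"},
    # step 322: UDP packets per source IP, same two-epoch escalation
    "udp":      {"metric": "packets", "threshold": 500,       "epochs": 2, "action": "drop"},
    # step 34: ICMP packets per source IP, malicious after a single epoch
    "icmp":     {"metric": "packets", "threshold": 100,       "epochs": 1, "action": "drop"},
    # step 33: HTTP requests per source IP, over threshold -> verification code
    "http":     {"metric": "packets", "threshold": 200,       "epochs": 1, "action": "challenge"},
}

PASS, SUSPICIOUS = "pass", "suspicious"


class EpochThresholdDetector:
    """Counts traffic per (class, key) in fixed epochs and escalates over-threshold keys."""

    def __init__(self, epoch_seconds=EPOCH_SECONDS, policies=None):
        self.epoch_seconds = epoch_seconds
        self.policies = policies or POLICIES
        self.epoch = None
        self.counts = defaultdict(int)    # (cls, key) -> bytes or packets in this epoch
        self.streak = defaultdict(int)    # (cls, key) -> consecutive over-threshold epochs
        self.verdicts = {}                # (cls, key) -> verdict derived from closed epochs

    def _close_epoch(self):
        """Finish the current epoch: update streaks and the verdicts used in the next one."""
        for item in set(self.counts) | set(self.streak):
            pol = self.policies[item[0]]
            over = self.counts.get(item, 0) > pol["threshold"]
            self.streak[item] = self.streak[item] + 1 if over else 0
            if self.streak[item] >= pol["epochs"]:
                self.verdicts[item] = pol["action"]
            elif self.streak[item] > 0:
                self.verdicts[item] = SUSPICIOUS
            else:
                self.verdicts.pop(item, None)   # a clean epoch clears the mark
                self.streak.pop(item, None)
        self.counts = defaultdict(int)

    def _advance(self, epoch):
        if self.epoch is None:
            self.epoch = epoch
        elif epoch != self.epoch:
            self._close_epoch()
            if epoch > self.epoch + 1:    # idle gap: every key had a clean epoch
                self.streak.clear()
                self.verdicts.clear()
            self.epoch = epoch

    def observe(self, ts, cls, key, size=0):
        """Account one packet of class cls for key (source IP or flow tuple); return its verdict."""
        self._advance(int(ts) // self.epoch_seconds)
        metric = self.policies[cls]["metric"]
        self.counts[(cls, key)] += size if metric == "bytes" else 1
        return self.verdicts.get((cls, key), PASS)


def demo():
    """Constructed traffic for one flow and several source IPs across three epochs."""
    det = EpochThresholdDetector()
    flow = ("10.0.0.5", "192.0.2.10", 5201)   # constructed iperf-style elephant flow
    out = {}
    for epoch in range(3):
        t = epoch * EPOCH_SECONDS
        for _ in range(6):                     # 6 x 1 MB per epoch, above the 5 MB threshold
            out["elephant", epoch] = det.observe(t, "elephant", flow, size=1_000_000)
        burst = 600 if epoch == 0 else 1       # UDP burst in epoch 0 only, then quiet
        for _ in range(burst):
            out["udp", epoch] = det.observe(t, "udp", "10.0.0.8")
        for _ in range(150):                   # ICMP well above threshold every epoch
            out["icmp", epoch] = det.observe(t, "icmp", "10.0.0.6")
        for _ in range(250):                   # HTTP requester above threshold
            out["http", epoch] = det.observe(t, "http", "10.0.0.4")
        for _ in range(20):                    # normal HTTP client
            out["http_ok", epoch] = det.observe(t, "http", "10.0.0.2")
    return out
```

The elephant flow goes suspicious in the second epoch and is dropped in the third, the UDP burst is marked suspicious once and then cleared, while ICMP and HTTP offenders get their action after a single epoch.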
The working principle of the invention (the reason for its advantages) is as follows. The traditional defense against DDoS attacks is threshold-based dropping, but traditional defense deployments target devices that carry large traffic of their own. With the development of the Internet of Things, more and more lightweight edge devices are emerging, and these lightweight devices no longer require overly expensive traditional deployment means. In this method, the threshold-based algorithms are deployed on the lightweight soft routing of the edge firewall and tuned appropriately, so that they run well on the edge firewall.
The advantages of the invention are: the lightweight edge firewall saves cost, costs less, and is more flexible while achieving a defense effect similar to that of a traditional defense system. The patent lets more and more lightweight Internet devices really have their own independent defense system.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The invention will be further explained with reference to the drawings.
Referring to FIG. 1, a DDoS attack detection method based on an edge firewall includes the following steps:
(1) Establishing a general typical DDoS attack model;
(2) Arranging an edge firewall environment, and connecting a plurality of attacking hosts, victim servers and normally accessed user hosts;
(3) Arranging detection and filtering algorithms of corresponding attacks in the edge firewall, and flexibly setting opening and closing algorithms, wherein the detection and filtering algorithms comprise four categories of ICMP attack, TCP attack, UDP attack and HTTP attack and specifically subdivided attack types under the four categories;
(4) Using a plurality of attack hosts to attack a victim server, and simultaneously carrying out corresponding multiple accesses on the server by a user who normally accesses;
(5) When the algorithm is not started, the normal host accesses the server, and the request response rate and the access success rate of legal flow are checked;
(6) After the algorithm is started, the algorithm can detect malicious traffic and then carries out shielding or filtering, and then a normal host accesses the server to check the request response rate and the access success rate of the legal traffic.
The step (1) specifically comprises the following steps:
Step 11, acquiring the IP address of the victim server and the ports of its TCP, UDP and HTTP services; because the victim server must provide service, its IP address and the corresponding port numbers are necessarily public.
Step 12, arranging attack programs for ICMP Flood and Smurf Attack (the ICMP-type attacks) on the plurality of attack hosts. The Smurf Attack is a reflection attack: the source IP address must be forged as that of the victim host, and the more hosts connected in the same local area network, the stronger the attack effect. The IP address is set in the corresponding program, and the ICMP Flood or Smurf Attack is prepared.
Step 13, arranging attack programs for SYN Flood, ACK Flood, FIN/RST Flood and Elephant Flood (the TCP-type attacks) on the plurality of attack hosts. The Elephant Flood is simulated with iperf, which requires running the iperf service and setting its port on the server. The IP address and TCP service port are set in the corresponding program, and the SYN Flood, ACK Flood, FIN/RST Flood and Elephant Flood attacks are prepared.
Step 14, arranging attack programs for UDP Flood, DNS Amplification Attack, SNMP Amplification Attack, SSDP DDoS Attack and NTP Amplification Attack (the UDP-type attacks) on the plurality of attack hosts. Except for the UDP Flood, these are all reflection amplification attacks in which the source IP must be forged as the victim server's IP; because UDP Flood is unreliable transmission without a handshake, it can also be simulated with the iperf program. Finally, the IP address and the port of the TCP service are set in the corresponding program, and the UDP Flood, DNS Amplification Attack, SNMP Amplification Attack, SSDP DDoS Attack and NTP Amplification Attack are prepared.
Step 15, arranging the HTTP Flood attack program (the HTTP-type attack) on the plurality of attack hosts. The IP address is set in the corresponding program, and the HTTP Flood attack is prepared.
Still further, the process of step 2 is as follows.
The edge firewall uses the OpenWrt system. The OpenWrt project is a Linux operating system for embedded devices and is commonly used on routers. As an embedded Linux operating system, OpenWrt is highly modular and automated, occupies little space, and has powerful network components; it keeps a small footprint and strong extensibility while meeting the needs of traffic detection. Because the attack is in progress and the server's traffic is large, the router is connected to a gigabit optical port, and the remaining attack hosts are connected to gigabit network ports.
Further, the process of step 3 is as follows:
Step 31, deploying the TCP-related detection algorithms in the edge firewall.
Step 311, for SYN Flood the attack pattern is uniform, and a source that keeps sending the same SYN is easily judged abnormal even by a low-power edge firewall. This is done by first tracking the number of open TCP sessions per source IP in 5-second epochs, by counting SYN and ACK packets. Based on the statistics of the previous epoch, if one source IP has sent many more SYNs than ACKs, its future packets are marked as an attack and can be dropped. If a source IP shows no asymmetry between SYN and ACK, it is marked as benign and its packets are let through. Otherwise it is flagged as an error condition and handed to the traditional SYN cookie mechanism.
Step 312, for ACK Flood, as above, if ACKs from multiple source IPs are received without the corresponding SYNs, the traffic is judged malicious. Because ACKs without a preceding SYN are easy to identify, this traffic can also be handled by the low-power edge device, and here the advantage of a single-function edge firewall is amplified.
Step 313, for FIN/RST Flood, if FIN or RST packets from multiple source IPs are received although no SYN was ever sent, the system judges the traffic malicious. The system merely sees more FIN or RST packets from the same source than expected, so it can easily judge the traffic malicious, and the performance requirement is low.
Step 314, for the Elephant Flood attack, the aim is to detect very large flows from some source IP addresses. Because the edge devices of small enterprises and homes are unlikely to face huge traffic, the required detection performance is not high, and the edge firewall is adequate. The number of bytes sent per flow is first counted in 5-second epochs. If the total byte count of a flow exceeded a threshold during the last epoch, the flow is provisionally marked suspicious; if it exceeds the threshold again during the next epoch, the flow is judged malicious.
Step 32, deploying the UDP-related detection algorithms in the edge firewall.
Step 321, an edge device rarely queries DNS servers actively, and its own performance is not high, so the performance demand on the router or edge firewall is low, and when a large number of DNS servers are accessed the system can handle it efficiently in the following way. In a DNS Amplification Attack, the attacking hosts send many DNS queries with the spoofed source IP of the protected server, producing a large volume of response traffic that overwhelms the victim server's bandwidth. To resist this attack, the DNS queries of all victim servers are tracked first; only responses that correspond to a query from the victim server within one hour are judged legitimate. If other DNS responses enter the network, the traffic is provisionally marked suspicious, and if they enter the network again within seconds, the traffic is judged malicious.
Step 322, for UDP Flood, the UDP traffic received by an edge device is very small under normal conditions, so abnormal access traffic can be detected with little effort by the edge firewall. The number of UDP packets per source IP is tracked in 5-second epochs as follows. If one source IP sent an abnormal number of UDP packets during the last epoch, it is marked suspicious; if it sends an abnormal number again during the next epoch, its traffic is judged malicious. Because a UDP Flood needs no prior connection, the attack appears able to send huge traffic and cause a large impact, but the edge equipment of small enterprises and homes cannot process a large amount of traffic anyway, so high-volume transfers between devices do not occur; the edge firewall's threshold can therefore be lowered accordingly, and defense is achieved with low power consumption.
Step 33, deploying the HTTP-related detection algorithm in the edge firewall. In an HTTP Flood, each attacking host generates a large number of well-formed HTTP requests and sends them to the victim server, which easily overloads the server and makes the service unavailable. One simple way to mitigate this attack is to track the number of HTTP requests per source IP. If the number of previous client sessions exceeds the threshold, the traffic is judged malicious and the sender may access the server only after entering a verification code; otherwise the traffic is judged legitimate. Since edge devices are rarely used as servers, a large volume of HTTP accesses is catastrophic for an edge device, but for the edge firewall only a lower threshold needs to be set, so that detection covers more traffic with a low misjudgment rate.
Step 34, deploying the ICMP-related detection algorithm in the edge firewall. For ICMP Flood and Smurf Attack, the number of ICMP packets per source IP is tracked in 5-second epochs. If one source IP sent an abnormally large number of ICMP packets during the last epoch, its traffic is directly marked malicious; because the legitimate number of ICMP packets is limited, it can be judged an attack immediately. If a large number of ICMP messages from outside enter the intranet, they can be detected with a lower threshold, within the performance and power budget of the edge firewall.

Claims (5)

1. A DDoS attack detection method based on an edge firewall comprises the following steps:
(1) Establishing a general typical DDoS attack model;
(2) Arranging an edge firewall system environment, and connecting a plurality of attack hosts, victim servers and normally accessed user hosts;
(3) Arranging detection and filtering algorithms of corresponding attacks in the edge firewall, and flexibly setting opening and closing algorithms, wherein the detection and filtering algorithms comprise four categories of ICMP attack, TCP attack, UDP attack and HTTP attack and specific attack types under the four categories;
(4) Attacking the damaged server by using a plurality of attacking hosts, and simultaneously enabling users who normally access to the server to correspondingly access the server in various ways;
(5) When the algorithm is not started, the normal host accesses the server, and the request response rate and the access success rate of legal flow are checked;
(6) After the algorithm is started, the algorithm can detect malicious traffic and then shield or filter the malicious traffic, and then a normal host accesses the server to check the request response rate and the access success rate of the legal traffic.
2. The DDoS attack detection method based on an edge firewall according to claim 1, characterized in that step 1 specifically comprises the following steps:
step 11, acquiring the IP address of the victim server and the ports of its TCP, UDP and HTTP services; since the victim server must provide these services, its IP address and the corresponding port numbers are necessarily public;
step 12, deploying attack programs for ICMP Flood and Smurf attack, the attacks of ICMP type, on several attack hosts; the Smurf attack is a reflection attack in which the source IP address is forged as that of the victim host, and the more hosts are connected in the same local area network, the stronger the attack effect; finally, the IP address is set in the corresponding program and the ICMP Flood or Smurf attack is prepared;
step 13, deploying attack programs for SYN Flood, ACK Flood, FIN/RST Flood and Elephant Flow, the attacks of TCP type, on several attack hosts, wherein the Elephant Flow is simulated with iperf, so the iperf service must be started and a port set on the server; the IP address and port of the TCP service are set in the corresponding program, and the SYN Flood, ACK Flood, FIN/RST Flood and Elephant Flow attacks are prepared;
step 14, deploying attack programs for UDP Flood, DNS Amplification attack, SNMP Amplification attack, SSDP DDoS attack and NTP Amplification attack, the attacks of UDP type, on several attack hosts, wherein all of these except UDP Flood are reflection amplification attacks in which the source IP is forged as the IP of the victim host; because UDP is unreliable transport and needs no handshake, the UDP Flood can be simulated with the iperf program; finally, the IP address and port of the TCP service are set in the corresponding program, and the UDP Flood, DNS Amplification attack, SNMP Amplification attack, SSDP DDoS attack and NTP Amplification attack are prepared;
step 15, deploying HTTP Flood attack programs, the attack of HTTP type, on several attack hosts; the IP address is set in the corresponding program and the HTTP Flood attack is prepared.
3. The DDoS attack detection method based on the edge firewall according to claim 1, characterized in that the edge firewall system in step 2 is set up as follows:
the edge firewall runs the OpenWrt system; after OpenWrt has been configured on the edge firewall, all other routers, switches and similar devices that need to reach the edge equipment are connected to the edge firewall, so that every data packet is inspected by the firewall's algorithms before entering the edge device;
the victim host equipment is connected to a gigabit optical port, and the remaining attack hosts are connected to the gigabit optical port.
4. The DDoS attack detection method based on an edge firewall according to claim 1, characterized in that step 3 specifically comprises:
step 31, deploying the TCP-related detection algorithms in the edge firewall;
step 311, for SYN Flood, the attack pattern is simple, and repeated identical SYNs are easily judged abnormal even by a low-power edge firewall; the method first tracks the number of open TCP sessions of each source IP every 5 seconds by counting SYN and ACK segments; if, in the statistics of the last period, the SYNs of one source IP far outnumber its ACKs, its future data packets are marked as attack and discarded; if a source IP shows no asymmetry between SYN and ACK, it is marked benign and its packets are passed; otherwise it is marked as an error condition and handed over to the conventional SYN cookie mechanism;
step 312, for ACK Flood, likewise, if ACKs are received from multiple source IPs without the corresponding SYN, the traffic is judged malicious; because an ACK without a preceding SYN is easy to recognize as malicious, this can also be handled by the low-power edge device, and here the advantage of a single-purpose edge firewall is multiplied;
step 313, for FIN/RST Flood, if FIN or RST data packets are received from multiple source IPs without a corresponding SYN having been sent, the traffic is judged malicious; since this only requires noticing that more FIN or RST packets keep arriving from the same source IPs, the system can easily judge it malicious with low performance requirements;
step 314, for the Elephant Flow attack, the aim is to detect very large flows from certain source IP addresses; because the edge devices of small enterprises and homes are unlikely to receive a huge volume of traffic, the required detection performance is not high and the edge firewall is adequate; the number of bytes sent by each flow is first counted every 5 seconds; if, during the last period, the total byte count of a flow exceeded the threshold, the flow is provisionally judged suspicious, and if its total byte count exceeds the threshold again during the next period, it is judged to be malicious traffic;
step 32, deploying the UDP-related detection algorithms in the edge firewall;
step 321, an edge device rarely queries DNS servers on its own initiative and its own performance is not high, so the performance requirement on the router or edge firewall is relatively low, and when a large number of DNS servers are accessed the system handles it efficiently and conveniently as follows; in a DNS Amplification attack, the attacking host issues many DNS queries with the source address spoofed to the protected server's IP, producing a large volume of response traffic that overwhelms the victim server's bandwidth; to resist this attack, the DNS queries of all victim servers are first tracked, and only DNS traffic belonging to queries the victim servers issued within the last hour is judged legitimate; other DNS traffic entering the network is provisionally judged suspicious, and if it enters the network again within a few seconds after passing the DNS check it is judged malicious traffic;
step 322, for UDP Flood, the UDP traffic received by an edge device is very small under normal conditions, so abnormal access traffic can be detected at low cost by the edge firewall; the number of UDP packets per source IP is tracked every 5 seconds as follows: if, during the last period, one source IP sent an abnormally large number of UDP packets, it is marked suspicious, and if it again sends an abnormally large number of UDP packets during the next period, it is judged malicious; because a UDP flood needs no prior connection, it appears able to send huge traffic and cause greater damage, but the edge equipment of small enterprises and homes cannot process large volumes of traffic anyway, so large-volume transfers between devices do not normally occur and the threshold of the edge firewall can be lowered accordingly, allowing the defense to run at low power consumption;
step 33, deploying the HTTP-related detection algorithm in the edge firewall; in an HTTP Flood, each attacking host generates a large number of legitimate-looking HTTP requests and sends them to the victim server, which is easily overloaded, making the service unavailable; to mitigate this attack, one simple approach is to track the number of HTTP requests per source IP; if the number of sessions a client opened in the previous period exceeds the threshold, its traffic is judged malicious and the sender regains access only after entering a verification code; otherwise the traffic is judged legitimate; since edge devices are rarely used as servers, a large volume of HTTP requests is catastrophic for the edge device; for the edge firewall, however, only a low threshold needs to be set, which gives broad detection coverage with a low false-positive rate;
step 34, deploying the ICMP-related detection algorithm in the edge firewall, and tracking the number of ICMP packets of each source IP every 5 seconds for ICMP Flood and Smurf attacks; if, in the last period, one source IP sent an abnormally large number of ICMP packets, it is directly marked as malicious traffic, and because the volume of legitimate ICMP traffic is limited, this can be judged an attack directly; if a large number of ICMP-format messages enter the intranet from outside, they can be detected with a low threshold, within the performance and power budget of the edge firewall.
5. The DDoS attack detection method based on an edge firewall according to claim 1, characterized in that the OpenWrt system in step 2 uses Linux commands, and detection algorithms written in Python and C++ can be invoked through those commands to implement the detection.
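The TCP-side rules of claim 4 (steps 311 to 314), as an added worked example in Python; this is not code from the patent or its inventors. Once per 5-second period it compares each source's SYN and ACK counts, counts ACK and FIN/RST segments from sources that never sent a SYN, and applies the two-period byte threshold to each flow. The ratio that counts as "much more" SYN than ACK, the minimum packet count, the byte threshold and the addresses are assumptions, and the traffic trace in `run_demo()` is constructed.

```python
"""TCP-side heuristics of claim 4, steps 311-314, evaluated once per period.
Added example, not the patent's code; thresholds and the ratio are assumptions."""
from collections import defaultdict

PERIOD_SECONDS = 5  # the 5-second period of the claims; the caller invokes end_period() at that rate


class TcpDetector:
    def __init__(self, syn_ratio=3.0, min_packets=10, byte_threshold=1_000_000):
        self.syn_ratio = syn_ratio            # assumption: "SYN much more than ACK" means syn > ratio * ack
        self.min_packets = min_packets        # assumption: ignore sources below this volume per period
        self.byte_threshold = byte_threshold  # assumption: bytes per period that make a flow suspicious
        self.syn_sources = set()              # sources that opened a session with SYN at some point
        self.verdicts = {}                    # src -> attack | benign | syn_cookie | ack_flood | finrst_flood
        self.flow_state = {}                  # (src, dst) -> suspicious | malicious
        self._new_period()

    def _new_period(self):
        self.syn = defaultdict(int)
        self.ack = defaultdict(int)
        self.orphan_ack = defaultdict(int)     # ACK-only segments from a source that never sent SYN
        self.orphan_finrst = defaultdict(int)  # FIN/RST segments from a source that never sent SYN
        self.flow_bytes = defaultdict(int)

    def observe(self, src, dst, flags, length):
        """Account one segment; flags is a set drawn from {"SYN", "ACK", "FIN", "RST"}.
        Returns False when the segment is dropped because its source or flow was marked."""
        if self.verdicts.get(src) in ("attack", "ack_flood", "finrst_flood"):
            return False
        if self.flow_state.get((src, dst)) == "malicious":
            return False
        if "SYN" in flags and "ACK" not in flags:
            self.syn[src] += 1
            self.syn_sources.add(src)
        elif "ACK" in flags and not flags & {"SYN", "FIN", "RST"}:
            self.ack[src] += 1
            if src not in self.syn_sources:
                self.orphan_ack[src] += 1
        if flags & {"FIN", "RST"} and src not in self.syn_sources:
            self.orphan_finrst[src] += 1
        self.flow_bytes[(src, dst)] += length
        return True

    def end_period(self):
        """Evaluate the closing period and open the next; returns (source verdicts, flow states)."""
        for src, s in self.syn.items():                      # step 311
            a = self.ack[src]
            if s + a < self.min_packets:
                continue
            if s > self.syn_ratio * a:
                self.verdicts[src] = "attack"                # SYN >> ACK: drop its future packets
            elif a >= s:
                self.verdicts[src] = "benign"                # no asymmetry: every SYN was acknowledged
            else:
                self.verdicts[src] = "syn_cookie"            # unclear: hand over to SYN cookies
        for src, n in self.orphan_ack.items():               # step 312
            if n >= self.min_packets:
                self.verdicts[src] = "ack_flood"
        for src, n in self.orphan_finrst.items():            # step 313
            if n >= self.min_packets:
                self.verdicts[src] = "finrst_flood"
        for flow, nbytes in self.flow_bytes.items():         # step 314
            if nbytes > self.byte_threshold:
                if self.flow_state.get(flow) == "suspicious":
                    self.flow_state[flow] = "malicious"      # over the limit two periods in a row
                elif self.flow_state.get(flow) != "malicious":
                    self.flow_state[flow] = "suspicious"
        for flow in [f for f, st in self.flow_state.items()
                     if st == "suspicious" and self.flow_bytes[f] <= self.byte_threshold]:
            del self.flow_state[flow]                        # a quiet period clears suspicion
        self._new_period()
        return dict(self.verdicts), dict(self.flow_state)


def run_demo():
    """Constructed two-period trace (addresses are examples); returns what the detector decided."""
    det = TcpDetector()
    server = "192.0.2.10"
    for _ in range(50):
        det.observe("10.0.0.1", server, {"SYN"}, 60)        # SYN flood: nothing is ever acknowledged
    for _ in range(15):
        det.observe("10.0.0.2", server, {"SYN"}, 60)        # normal client: each SYN followed by an ACK
        det.observe("10.0.0.2", server, {"ACK"}, 52)
    for _ in range(10):
        det.observe("10.0.0.3", server, {"SYN"}, 60)        # lossy client: some handshakes unfinished
    for _ in range(6):
        det.observe("10.0.0.3", server, {"ACK"}, 52)
    for _ in range(40):
        det.observe("10.0.0.4", server, {"ACK"}, 52)        # ACK flood: this source never sent SYN
        det.observe("10.0.0.5", server, {"RST"}, 40)        # RST flood: this source never sent SYN
    det.observe("10.0.0.6", server, {"SYN"}, 60)            # elephant flow: 1.5 MB in one period
    det.observe("10.0.0.6", server, {"ACK"}, 1_500_000)
    det.end_period()
    det.observe("10.0.0.6", server, {"ACK"}, 1_500_000)     # and again in the next period
    verdicts, flows = det.end_period()
    return {
        "verdicts": verdicts,
        "flows": flows,
        "syn_flood_dropped": not det.observe("10.0.0.1", server, {"SYN"}, 60),
        "elephant_dropped": not det.observe("10.0.0.6", server, {"ACK"}, 100),
    }


if __name__ == "__main__":
    print(run_demo())
```

In a deployment on the OpenWrt box of claim 3, `observe()` would sit in the packet path and `end_period()` on a 5-second timer; the decisions are driven purely by per-period counts, which is what keeps the cost within reach of a low-power edge device as the claims argue.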
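The per-source counters of the description's steps 33 and 34 above and of claim 4 steps 322, 33 and 34, as one added example in Python that is not code from the patent or its inventors. The same counter serves all three protocols: ICMP and HTTP use the single-period rule, UDP the two-period suspicious-then-malicious rule, and the HTTP instance answers "challenge" instead of "drop" so the sender can be given the verification code the text mentions. The thresholds and addresses are assumptions and the traffic in `run_demo()` is constructed.

```python
"""Per-source rate detectors for UDP, HTTP and ICMP, modelled on claim 4 steps
322, 33 and 34.  Added example, not the patent's code; the 5-second period is
from the claims, every threshold and address is an assumption."""
from collections import defaultdict

PERIOD_SECONDS = 5  # call end_period() once per period; counts, not timestamps, drive the decision


class SourceRateDetector:
    """Count packets (or HTTP requests) per source IP within the current period.

    mode="immediate": over the threshold once -> malicious (ICMP, step 34; HTTP, step 33)
    mode="escalate":  over the threshold -> suspicious; over it again in the very next
                      period -> malicious; a quiet period clears suspicion (UDP, step 322)
    action: what observe() returns for a malicious source, "drop" or "challenge"
    """

    def __init__(self, threshold, mode="immediate", action="drop"):
        self.threshold = threshold
        self.mode = mode
        self.action = action
        self.counts = defaultdict(int)
        self.state = {}  # src -> "suspicious" | "malicious"

    def observe(self, src):
        """Account one packet from src and return the action to take for it now."""
        if self.state.get(src) == "malicious":
            return self.action
        self.counts[src] += 1
        return "pass"

    def end_period(self):
        """Evaluate the closing period, start a new one, return the current states."""
        over = {src for src, n in self.counts.items() if n > self.threshold}
        for src in over:
            if self.mode == "immediate" or self.state.get(src) == "suspicious":
                self.state[src] = "malicious"
            else:
                self.state[src] = "suspicious"
        for src in [s for s, st in self.state.items() if st == "suspicious" and s not in over]:
            del self.state[src]
        self.counts = defaultdict(int)
        return dict(self.state)

    def clear(self, src):
        """Step 33: an HTTP sender that entered the verification code regains access."""
        self.state.pop(src, None)


def run_demo():
    """Constructed two-period trace; returns the actions the detectors end up taking."""
    # Assumed thresholds per 5-second period, deliberately low: the claims argue an edge
    # device sees little ICMP/UDP/HTTP traffic of its own, so a low bar costs few false alarms.
    icmp = SourceRateDetector(threshold=50)
    udp = SourceRateDetector(threshold=200, mode="escalate")
    http = SourceRateDetector(threshold=100, action="challenge")
    for _ in range(500):
        icmp.observe("10.0.0.9")    # ICMP flood source
    for _ in range(5):
        icmp.observe("10.0.0.2")    # a few normal pings
    for _ in range(1000):
        udp.observe("10.0.0.7")     # UDP burst that lasts one period only
        udp.observe("10.0.0.8")     # UDP flood that will continue
    for _ in range(300):
        http.observe("10.0.0.5")    # HTTP flood
    icmp.end_period()
    udp.end_period()
    http.end_period()
    for _ in range(1000):
        udp.observe("10.0.0.8")     # second period: only the sustained flood continues
    udp_states = udp.end_period()
    results = {
        "icmp_attacker": icmp.observe("10.0.0.9"),   # "drop"
        "icmp_normal": icmp.observe("10.0.0.2"),     # "pass"
        "udp_burst": udp_states.get("10.0.0.7"),     # None: suspicion cleared by a quiet period
        "udp_flood": udp.observe("10.0.0.8"),        # "drop"
        "http_attacker": http.observe("10.0.0.5"),   # "challenge"
    }
    http.clear("10.0.0.5")                           # verification code entered
    results["http_after_code"] = http.observe("10.0.0.5")  # "pass"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The escalate mode is what makes the UDP rule tolerate a single burst (one period over the limit is only suspicious) while a flood that persists into the next period is blocked; the immediate mode reflects the claims' view that legitimate ICMP and HTTP volume at an edge device is small enough that one excess period is already conclusive.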
CN202210922135.8A 2022-08-02 2022-08-02 DDoS attack detection method based on edge firewall Pending CN115412300A (en)

Publications (1)

Publication Number Publication Date
CN115412300A true CN115412300A (en) 2022-11-29

Family

ID=84159820

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination