CN117375942A - Method and device for preventing DDoS attack based on node cleaning - Google Patents


Info

Publication number: CN117375942A
Application number: CN202311386905.2A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Prior art keywords: network, flow, cleaning, traffic, information
Other languages: Chinese (zh)
Inventors: 李俊杰, 叶胤, 姚巧兰, 陈春平
Current assignee: Guangdong Planning and Designing Institute of Telecommunications Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Guangdong Planning and Designing Institute of Telecommunications Co Ltd
Application filed by Guangdong Planning and Designing Institute of Telecommunications Co Ltd
Priority to CN202311386905.2A (the priority date is an assumption and not a legal conclusion)
Publication of CN117375942A

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425  Traffic logging, e.g. anomaly detection
    • H04L 63/1441  Countermeasures against malicious traffic (under H04L 63/14)
    • H04L 63/1458  Denial of Service (under H04L 63/1441)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network security and discloses a method and a device for preventing DDoS attacks based on node cleaning. The method comprises: monitoring the network traffic information of a protected server and analysing it to obtain network abnormal traffic; when the magnitude of the network abnormal traffic exceeds the defense threshold corresponding to the protected server, acquiring a preset traffic cleaning node set; diverting the network abnormal traffic to the traffic cleaning node set and cleaning it in a preset traffic cleaning mode to obtain a network traffic cleaning result, which comprises a first target network abnormal traffic and a first normal access traffic; and reinjecting the first normal access traffic to the protected server over a preset traffic reinjection route. The invention can therefore prevent DDoS attacks effectively, improve the accuracy and efficiency of DDoS prevention, and further improve the running stability and network security of the protected server.

Description

Method and device for preventing DDoS attack based on node cleaning
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for preventing DDoS attacks based on node cleaning.
Background
As the global digitisation process continues to accelerate, China has also seized the opportunity of digital development, advancing rapid digitisation in all areas of society while extending network security protection into every industry sector.
A DDoS (Distributed Denial of Service) attack is a widely distributed, large-scale network attack that overloads online services, websites and web applications with malicious traffic from many sources until they are paralysed. The main current means of preventing DDoS attacks is to monitor the attack traffic with hardware equipment and filter it out. The protective capability of that means, however, depends on the hardware configuration; DDoS attack volumes keep growing, and the accuracy of preventing DDoS attacks by relying solely on hardware equipment is low, so the requirements cannot be met. It is therefore important to provide a technical scheme that can improve the accuracy of DDoS attack prevention and improve network security.
Disclosure of Invention
The invention provides a method and a device for preventing DDoS attacks based on node cleaning, which help to improve the accuracy of DDoS attack prevention and improve network security.
To solve the technical problem, the first aspect of the present invention discloses a method for preventing DDoS attacks based on node cleaning, comprising the following steps:
monitoring the network traffic information of a protected server, and analysing the network traffic information to obtain network abnormal traffic;
when the magnitude of the network abnormal traffic exceeds the defense threshold corresponding to the protected server, acquiring a preset traffic cleaning node set;
diverting the network abnormal traffic to the traffic cleaning node set and performing node cleaning on it in a preset traffic cleaning mode to obtain a network traffic cleaning result, wherein the network traffic cleaning result comprises a first target network abnormal traffic and a first normal access traffic;
and reinjecting the first normal access traffic to the protected server over a preset traffic reinjection route.
As an optional implementation of the first aspect of the present invention, after node cleaning of the network abnormal traffic in the preset traffic cleaning mode, the method further comprises:
analysing the network traffic cleaning result and judging whether the first target network abnormal traffic reaches the cleaning capacity threshold corresponding to the traffic cleaning node set;
when the first target network abnormal traffic is judged to reach the cleaning capacity threshold corresponding to the traffic cleaning node set, diverting the first normal access traffic to a high-defense IP data center (an anti-DDoS IP facility) and performing IP filtering on the first normal access traffic there to obtain an IP filtering result, wherein the IP filtering result comprises a second target network abnormal traffic and a second normal access traffic;
and forwarding the second normal access traffic from the high-defense IP data center to the protected server by port/protocol forwarding.
As an optional implementation of the first aspect of the present invention, before diverting the first normal access traffic to the high-defense IP data center, the method further comprises:
acquiring a preset domain name configuration rule, wherein the domain name configuration rule comprises a configuration rule between the high-defense IP corresponding to the high-defense IP data center and the server IP corresponding to the protected server;
establishing a link between the high-defense IP data center and the protected server according to that configuration rule, and configuring the port protocol between the high-defense IP data center and the protected server;
and diverting the first normal access traffic to the high-defense IP data center comprises:
analysing the service type corresponding to the first normal access traffic, wherein the service type is either a network service type or a non-network service type;
when the service type of the first normal access traffic is the network service type, resolving the domain name of the first normal access traffic to the high-defense IP corresponding to the high-defense IP data center through the link;
and when the service type of the first normal access traffic is the non-network service type, replacing the domain name of the first normal access traffic with the high-defense IP corresponding to the high-defense IP data center through the link.
As an optional implementation of the first aspect of the present invention, the method further comprises:
deploying an optical splitter (tap) and traffic detection equipment on a preset egress link, wherein the preset egress link comprises a cloud resource pool egress link and/or an Internet data center (IDC) node egress link, and the traffic detection equipment comprises anti-DDoS hardware and/or a server cluster;
and analysing the network traffic information to obtain the network abnormal traffic comprises:
copying the network traffic information to the traffic detection equipment through the optical splitter, and inspecting the network traffic information packet by packet with the traffic detection equipment to obtain a network traffic detection result;
and determining the network abnormal traffic according to the network traffic detection result and marking it to obtain marking information corresponding to the network abnormal traffic, wherein the marking information comprises the source address information and destination address information of the network abnormal traffic.
As an optional implementation of the first aspect of the present invention, the traffic cleaning node set comprises an external traffic cleaning node and an internal traffic cleaning node, the source address information of the network abnormal traffic comprises a source address reputation, and the destination address information of the network abnormal traffic comprises a destination address security level;
and diverting the network abnormal traffic to the traffic cleaning node set and performing node cleaning on it in the preset traffic cleaning mode to obtain the network traffic cleaning result comprises:
analysing the source address information of the network abnormal traffic and, when its source address reputation is lower than a preset address reputation threshold, diverting the network abnormal traffic to the external traffic cleaning node and performing node cleaning on it there to obtain a first sub-network traffic cleaning result;
and analysing the destination address information of the first sub-network traffic cleaning result and, when its destination address security level is higher than a preset destination address security level threshold, diverting the first sub-network traffic cleaning result to the internal traffic cleaning node and performing node cleaning on it there to obtain the network traffic cleaning result.
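The two-stage node cleaning just described (external node selected by source reputation, internal node by destination security level), together with the earlier cleaning-capacity check and the overflow path through a high-defense IP data center with port/protocol forwarding, as an added simulation. This is not code from the patent; every field name, threshold, cleaning rule and sample flow is a constructed assumption, and the domain-name redirection step is not modelled.

```python
"""Added example, not code from the patent: two-stage node cleaning, the
cleaning-capacity check, and the overflow path via a high-defense IP data
center. All thresholds, rules, field names and sample flows are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    src_reputation: int       # 0..100, lower means worse reputation (assumed scale)
    dst_security_level: int   # 0..5, higher means more sensitive destination (assumed scale)
    pps: int                  # observed packets per second for this flow
    syn_only: bool = False    # half-open connections only (constructed marker)


@dataclass
class CleaningResult:
    abnormal: List[Flow] = field(default_factory=list)   # "target network abnormal traffic"
    normal: List[Flow] = field(default_factory=list)     # "normal access traffic"


REPUTATION_THRESHOLD = 40        # below this, the source is diverted to the external node
DST_SECURITY_THRESHOLD = 3       # above this, traffic is diverted to the internal node
EXTERNAL_PPS_LIMIT = 5000        # per-flow rate the external node tolerates
INTERNAL_PPS_LIMIT = 2000        # stricter per-flow rate for sensitive destinations
CAPACITY_THRESHOLD_PPS = 50_000  # assumed cleaning capacity of the node set


def clean_at_node(flows: List[Flow], is_abnormal: Callable[[Flow], bool]) -> CleaningResult:
    """One cleaning node: split flows into abnormal (dropped) and normal (kept)."""
    result = CleaningResult()
    for f in flows:
        (result.abnormal if is_abnormal(f) else result.normal).append(f)
    return result


def external_rule(f: Flow) -> bool:
    return f.syn_only or f.pps > EXTERNAL_PPS_LIMIT


def internal_rule(f: Flow) -> bool:
    return f.pps > INTERNAL_PPS_LIMIT


def two_stage_clean(flows: List[Flow]) -> CleaningResult:
    """Stage 1 by source reputation, stage 2 by destination security level.
    Flows that do not meet a stage's diversion condition skip that node (assumption)."""
    to_external = [f for f in flows if f.src_reputation < REPUTATION_THRESHOLD]
    skip_external = [f for f in flows if f.src_reputation >= REPUTATION_THRESHOLD]
    ext = clean_at_node(to_external, external_rule)
    first_sub_result = ext.normal + skip_external          # "first sub-network cleaning result"
    to_internal = [f for f in first_sub_result if f.dst_security_level > DST_SECURITY_THRESHOLD]
    skip_internal = [f for f in first_sub_result if f.dst_security_level <= DST_SECURITY_THRESHOLD]
    inner = clean_at_node(to_internal, internal_rule)
    return CleaningResult(abnormal=ext.abnormal + inner.abnormal,
                          normal=inner.normal + skip_internal)


def capacity_reached(result: CleaningResult) -> bool:
    """Cleaning-capacity threshold: total rate of abnormal traffic the node set absorbed."""
    return sum(f.pps for f in result.abnormal) >= CAPACITY_THRESHOLD_PPS


def high_defense_ip_filter(flows: List[Flow], blocked_sources: set) -> CleaningResult:
    """IP filtering at the high-defense IP data center (a plain source blocklist here)."""
    return clean_at_node(flows, lambda f: f.src in blocked_sources)


def port_protocol_forward(flows: List[Flow],
                          port_map: Dict[Tuple[str, int], str]) -> List[Tuple[str, str]]:
    """Forward only the configured (protocol, port) pairs to the protected server."""
    return [(f.src, port_map[(f.proto, f.dport)]) for f in flows if (f.proto, f.dport) in port_map]


def mitigate(flows: List[Flow], blocked_sources: set, port_map: Dict[Tuple[str, int], str]) -> dict:
    """Full path: node cleaning, capacity check, optional high-defense overflow, forwarding."""
    result = two_stage_clean(flows)
    if not capacity_reached(result):
        return {"overflow": False, "dropped": len(result.abnormal),
                "delivered": [(f.src, f.dst) for f in result.normal]}
    filtered = high_defense_ip_filter(result.normal, blocked_sources)
    return {"overflow": True, "dropped": len(result.abnormal) + len(filtered.abnormal),
            "delivered": port_protocol_forward(filtered.normal, port_map)}


# Constructed sample flows (documentation-range addresses).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", "tcp", 443, 10, 4, 60_000, syn_only=True),
    Flow("198.51.100.8", "203.0.113.10", "tcp", 443, 20, 4, 300),
    Flow("192.0.2.5", "203.0.113.10", "tcp", 443, 90, 4, 4_000),
    Flow("192.0.2.6", "203.0.113.20", "udp", 53, 85, 1, 800),
    Flow("198.51.100.9", "203.0.113.20", "udp", 53, 30, 1, 9_000),
]
PORT_MAP = {("tcp", 443): "203.0.113.10:443", ("udp", 53): "203.0.113.20:53"}

if __name__ == "__main__":
    print(mitigate(SAMPLE_FLOWS, blocked_sources={"192.0.2.6"}, port_map=PORT_MAP))
```

With the sample flows the external node drops the half-open flood and the 9 000 pps flow, the internal node drops the 4 000 pps flow aimed at a sensitive destination, and the 73 000 pps of absorbed abnormal traffic exceeds the assumed capacity, so the surviving normal traffic takes the overflow path and only the configured port/protocol pair reaches the server.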
As an optional implementation of the first aspect of the present invention, the method further comprises:
acquiring historical network traffic information for the protected server and determining the information features of the historical network traffic information, wherein the information features comprise packet features and/or flow features;
inputting the historical network traffic information into a preset traffic model for training, and determining DDoS attack information for the protected server, wherein the DDoS attack information comprises attack position information and/or attack intensity information;
and determining the traffic model baseline corresponding to the protected server according to the DDoS attack information, and determining the defense threshold corresponding to the protected server according to the traffic model baseline.
As an optional implementation of the first aspect of the present invention, inspecting the network traffic information packet by packet with the traffic detection equipment to obtain a network traffic detection result comprises:
inspecting the network traffic information packet by packet with the traffic detection equipment and judging whether the network traffic information meets a preset DDoS attack judgment rule;
when the network traffic information meets the DDoS attack judgment rule, determining the network traffic anomaly type corresponding to the network traffic information according to the DDoS attack judgment rule;
and determining the network traffic detection result from the network traffic information and its corresponding network traffic anomaly type;
wherein the network traffic anomaly type comprises at least one of a packet anomaly type, a browser fingerprint anomaly type and a Challenge Collapsar (CC, "challenge black hole") attack type.
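Packet-by-packet inspection with one judgment rule per anomaly type named above, followed by the marking step that records source and destination addresses of the abnormal traffic, as an added example. It is not code from the patent: the patent does not publish its judgment rules, so the rules, the request-count threshold and the sample packets here are constructed assumptions.

```python
"""Added example, not code from the patent: packet-by-packet inspection with one
rule per anomaly type (packet anomaly, browser fingerprint anomaly, CC attack)
and the marking step. Rules, thresholds and sample packets are assumptions."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

CC_REQUESTS_PER_SOURCE = 5  # assumed: more HTTP requests than this from one source per window
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/")


def packet_anomaly(pkt: dict) -> bool:
    """Malformed transport header: SYN combined with FIN or RST, or PSH with an empty payload."""
    flags = set(pkt.get("flags", ""))
    if "S" in flags and (flags & {"F", "R"}):
        return True
    return "P" in flags and pkt.get("len", 0) == 0


def fingerprint_anomaly(pkt: dict) -> bool:
    """HTTP request whose User-Agent claims a browser but lacks headers browsers always send."""
    req = pkt.get("http")
    if not req:
        return False
    claims_browser = any(m in req.get("User-Agent", "") for m in BROWSER_MARKERS)
    return claims_browser and not ("Accept" in req and "Accept-Language" in req)


def detect(packets: List[dict]) -> List[dict]:
    """Network traffic detection result: each packet with the anomaly types it matched.
    CC detection needs the per-source request count over the whole window, so it is
    computed once before the per-packet pass."""
    requests_per_source = Counter(p["src"] for p in packets if p.get("http"))
    results = []
    for i, p in enumerate(packets):
        types = []
        if packet_anomaly(p):
            types.append("packet")
        if fingerprint_anomaly(p):
            types.append("fingerprint")
        if p.get("http") and requests_per_source[p["src"]] > CC_REQUESTS_PER_SOURCE:
            types.append("cc")
        results.append({"index": i, "src": p["src"], "dst": p["dst"], "types": types})
    return results


def mark_abnormal(results: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Marking information: (source, destination) of abnormal traffic with the types seen."""
    marks = defaultdict(lambda: {"types": set(), "packets": 0})
    for r in results:
        if r["types"]:
            marks[(r["src"], r["dst"])]["types"].update(r["types"])
            marks[(r["src"], r["dst"])]["packets"] += 1
    return {k: {"types": sorted(v["types"]), "packets": v["packets"]} for k, v in marks.items()}


def http_request(ua: str, path: str, browser_headers: bool = True) -> dict:
    """Constructed HTTP request summary; real browsers send Accept and Accept-Language."""
    req = {"User-Agent": ua, "path": path}
    if browser_headers:
        req.update({"Accept": "text/html", "Accept-Language": "en"})
    return req


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
SERVER = "203.0.113.10"
# Constructed sample window (documentation-range addresses).
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": SERVER, "flags": "PA", "len": 420,
     "http": http_request(BROWSER_UA, "/")},                            # ordinary browser request
    {"src": "198.51.100.5", "dst": SERVER, "flags": "SF", "len": 0},       # SYN+FIN: malformed
    {"src": "198.51.100.6", "dst": SERVER, "flags": "PA", "len": 300,
     "http": http_request(BROWSER_UA, "/login", browser_headers=False)},  # claims browser, no headers
] + [
    {"src": "198.51.100.7", "dst": SERVER, "flags": "PA", "len": 380,
     "http": http_request(BROWSER_UA, "/search?q=" + str(n))}           # 6 expensive requests
    for n in range(6)
]

if __name__ == "__main__":
    for key, mark in mark_abnormal(detect(SAMPLE_PACKETS)).items():
        print(key, mark)
```

The marking output is what the cleaning stage consumes: the source address carries the reputation lookup and the destination address carries the security level, so each (source, destination) pair with its anomaly types is enough to choose the cleaning node.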
The second aspect of the invention discloses a device for preventing DDoS attacks based on node cleaning, comprising:
a monitoring module for monitoring the network traffic information of the protected server and analysing it to obtain network abnormal traffic;
a first acquisition module for acquiring a preset traffic cleaning node set when the magnitude of the network abnormal traffic exceeds the defense threshold corresponding to the protected server;
a cleaning module for diverting the network abnormal traffic to the traffic cleaning node set and performing node cleaning on it in a preset traffic cleaning mode to obtain a network traffic cleaning result, wherein the network traffic cleaning result comprises a first target network abnormal traffic and a first normal access traffic;
and a reinjection module for reinjecting the first normal access traffic to the protected server over a preset traffic reinjection route.
As an optional implementation of the second aspect of the present invention, the device further comprises:
an analysis module for analysing the network traffic cleaning result, after the cleaning module has obtained it by node cleaning of the network abnormal traffic in the preset traffic cleaning mode, and judging whether the first target network abnormal traffic reaches the cleaning capacity threshold corresponding to the traffic cleaning node set;
a filtering module for diverting the first normal access traffic to a high-defense IP data center when the first target network abnormal traffic is judged to reach the cleaning capacity threshold corresponding to the traffic cleaning node set, and performing IP filtering on the first normal access traffic there to obtain an IP filtering result, wherein the IP filtering result comprises a second target network abnormal traffic and a second normal access traffic;
and a forwarding module for forwarding the second normal access traffic from the high-defense IP data center to the protected server by port/protocol forwarding.
As an optional implementation of the second aspect of the present invention, the device further comprises:
a second acquisition module for acquiring a preset domain name configuration rule before the filtering module diverts the first normal access traffic to the high-defense IP data center, wherein the domain name configuration rule comprises a configuration rule between the high-defense IP corresponding to the high-defense IP data center and the server IP corresponding to the protected server;
an establishing module for establishing a link between the high-defense IP data center and the protected server according to that configuration rule, and configuring the port protocol between the high-defense IP data center and the protected server;
wherein the filtering module diverts the first normal access traffic to the high-defense IP data center specifically by:
analysing the service type corresponding to the first normal access traffic, wherein the service type is either a network service type or a non-network service type;
when the service type of the first normal access traffic is the network service type, resolving the domain name of the first normal access traffic to the high-defense IP corresponding to the high-defense IP data center through the link;
and when the service type of the first normal access traffic is the non-network service type, replacing the domain name of the first normal access traffic with the high-defense IP corresponding to the high-defense IP data center through the link.
As an optional implementation of the second aspect of the present invention, the device further comprises:
a deployment module for deploying an optical splitter (tap) and traffic detection equipment on a preset egress link, wherein the preset egress link comprises a cloud resource pool egress link and/or an Internet data center (IDC) node egress link, and the traffic detection equipment comprises anti-DDoS hardware and/or a server cluster;
wherein the monitoring module analyses the network traffic information to obtain the network abnormal traffic specifically by:
copying the network traffic information to the traffic detection equipment through the optical splitter, and inspecting the network traffic information packet by packet with the traffic detection equipment to obtain a network traffic detection result;
and determining the network abnormal traffic according to the network traffic detection result and marking it to obtain marking information corresponding to the network abnormal traffic, wherein the marking information comprises the source address information and destination address information of the network abnormal traffic.
As an optional implementation of the second aspect of the present invention, the traffic cleaning node set comprises an external traffic cleaning node and an internal traffic cleaning node, the source address information of the network abnormal traffic comprises a source address reputation, and the destination address information of the network abnormal traffic comprises a destination address security level;
wherein the cleaning module diverts the network abnormal traffic to the traffic cleaning node set and performs node cleaning on it in the preset traffic cleaning mode to obtain the network traffic cleaning result specifically by:
analysing the source address information of the network abnormal traffic and, when its source address reputation is lower than a preset address reputation threshold, diverting the network abnormal traffic to the external traffic cleaning node and performing node cleaning on it there to obtain a first sub-network traffic cleaning result;
and analysing the destination address information of the first sub-network traffic cleaning result and, when its destination address security level is higher than a preset destination address security level threshold, diverting the first sub-network traffic cleaning result to the internal traffic cleaning node and performing node cleaning on it there to obtain the network traffic cleaning result.
As an optional implementation of the second aspect of the present invention, the first acquisition module is further configured to acquire historical network traffic information for the protected server and determine the information features of the historical network traffic information, wherein the information features comprise packet features and/or flow features;
and the device further comprises:
a training module for inputting the historical network traffic information into a preset traffic model for training and determining DDoS attack information for the protected server, wherein the DDoS attack information comprises attack position information and/or attack intensity information;
and a determining module for determining the traffic model baseline corresponding to the protected server according to the DDoS attack information, and determining the defense threshold corresponding to the protected server according to the traffic model baseline.
As an optional implementation of the second aspect of the present invention, the monitoring module inspects the network traffic information packet by packet with the traffic detection equipment to obtain the network traffic detection result specifically by:
inspecting the network traffic information packet by packet with the traffic detection equipment and judging whether the network traffic information meets a preset DDoS attack judgment rule;
when the network traffic information meets the DDoS attack judgment rule, determining the network traffic anomaly type corresponding to the network traffic information according to the DDoS attack judgment rule;
and determining the network traffic detection result from the network traffic information and its corresponding network traffic anomaly type;
wherein the network traffic anomaly type comprises at least one of a packet anomaly type, a browser fingerprint anomaly type and a Challenge Collapsar (CC, "challenge black hole") attack type.
The third aspect of the invention discloses another device for preventing DDoS attacks based on node cleaning, comprising:
a memory storing executable program code;
a processor coupled to the memory;
wherein the processor invokes the executable program code stored in the memory to execute the method for preventing DDoS attacks based on node cleaning disclosed in the first aspect of the present invention.
A fourth aspect of the present invention discloses a computer storage medium storing computer instructions which, when invoked, perform the method for preventing DDoS attacks based on node cleaning disclosed in the first aspect of the present invention.
Compared with the prior art, the embodiments of the invention have the following beneficial effects:
In the embodiments of the invention, the network traffic information of the protected server is monitored and analysed to obtain network abnormal traffic; when the magnitude of the network abnormal traffic exceeds the defense threshold corresponding to the protected server, a preset traffic cleaning node set is acquired; the network abnormal traffic is diverted to the traffic cleaning node set and node-cleaned in a preset traffic cleaning mode to obtain a network traffic cleaning result comprising a first target network abnormal traffic and a first normal access traffic; and the first normal access traffic is reinjected to the protected server over a preset traffic reinjection route. Implementing the method and device therefore makes it possible to decide on the basis of the defense threshold whether traffic cleaning is needed at all, which improves the accuracy of cleaning the network abnormal traffic and reduces resource waste; node cleaning at the preset traffic cleaning nodes improves the accuracy and reliability of cleaning the network abnormal traffic, so DDoS attacks are prevented effectively, the accuracy and efficiency of DDoS prevention are improved, and the running stability and network security of the protected server are further improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a method for preventing DDoS attacks based on node cleaning according to an embodiment of the present invention;
Fig. 2 is a flow chart of another method for preventing DDoS attacks based on node cleaning according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for preventing DDoS attacks based on node cleaning according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of another device for preventing DDoS attacks based on node cleaning according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another device for preventing DDoS attacks based on node cleaning according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms "first", "second" and the like in the description, the claims and the above figures are used to distinguish between different objects and not necessarily to describe a sequential or chronological order. Furthermore, the terms "comprise" and "have", and any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus or article that comprises a list of steps or elements is not limited to those listed but may optionally include other steps or elements not listed or inherent to such process, method, apparatus or article.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The invention discloses a method and a device for preventing DDoS attacks based on node cleaning, which can decide on the basis of a defense threshold whether traffic cleaning is needed, improve the accuracy of cleaning network abnormal traffic while reducing resource waste, perform node cleaning at the preset traffic cleaning nodes, improve the accuracy and reliability of cleaning network abnormal traffic, prevent DDoS attacks effectively, improve the accuracy and efficiency of DDoS prevention, and further improve the running stability and network security of a protected server. This is described in detail below.
Example 1
Referring to Fig. 1, Fig. 1 is a flow chart of a method for preventing DDoS attacks based on node cleaning according to an embodiment of the present invention. The method described in Fig. 1 may be applied to a device for preventing DDoS attacks based on node cleaning, which may include a traffic regulating device that intelligently regulates network traffic and intelligently distributes the cleaning policy; the traffic regulating device may include an intelligent server or an intelligent platform, and the intelligent server may include a local server or a cloud server, the embodiments of the present invention being not limited in this respect. As shown in Fig. 1, the method for preventing DDoS attacks based on node cleaning may include the following operations:
101. Monitoring the network traffic information of the protected server, and analysing the network traffic information to obtain the network abnormal traffic.
In the embodiment of the present invention, optionally, the protected server may be a network server used for one or more of financial services, medical information, news organisations, education systems, online shopping and the like. The basic information of the protected server may include one or more of the number of hosts, host configuration, performance, network bandwidth, IP address, whether load balancing is used, and the like; the network traffic information may include at least one of network traffic intensity information, network traffic type information, address information corresponding to the network traffic, and the like; and the network abnormal traffic may include at least one of the type of network abnormal traffic, its source IP address, its destination IP address, its magnitude, and the like.
102. When the magnitude of the network abnormal traffic exceeds the defense threshold corresponding to the protected server, acquiring a preset traffic cleaning node set.
In an embodiment of the present invention, optionally, judging that the magnitude of the network abnormal traffic exceeds the defense threshold corresponding to the protected server may take one of several forms: judging that the average magnitude of the network abnormal traffic over a preset time period exceeds the defense threshold; judging that the magnitude of the network abnormal traffic at a given moment exceeds the defense threshold; or judging that the number of times the magnitude of the network abnormal traffic exceeds the defense threshold within a preset time period is greater than a preset number of times, for example that it exceeds the defense threshold 6 times within ten minutes, or more than 3 times within ten minutes. When the condition holds, the preset traffic cleaning node set is acquired, where the traffic cleaning node set may include an external traffic cleaning node and an internal traffic cleaning node, and the external traffic cleaning node comprises at least one cleaning node.
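An added example, not code from the patent, that joins two passages: the derivation of a traffic model baseline and defense threshold from historical traffic (the optional implementation in the first aspect), and the three alternative trigger conditions of step 102 above. The patent names no particular traffic model, so the median/MAD baseline used here is an assumption, as are the factor k, the sample history and the live window.

```python
"""Added example, not code from the patent: derive the defense threshold for a
protected server from historical traffic (median/MAD baseline, an assumption;
the patent names no model) and apply the three trigger conditions of step 102
to a live monitoring window. All sample numbers are constructed."""
from statistics import median
from typing import Dict, List, Tuple

# Constructed history: one sample per minute as (packets per second, mean packet bytes).
# The two samples near 10k pps with tiny packets stand in for a past flood.
HISTORY: List[Tuple[int, int]] = [
    (1200, 610), (1300, 600), (1250, 620), (1100, 590), (1350, 605), (1280, 615),
    (9800, 64), (12400, 60), (1220, 600), (1180, 610), (1300, 598), (1260, 612),
]


def flow_feature(history: List[Tuple[int, int]]) -> List[int]:
    """Flow-level feature: packets per second per sample."""
    return [pps for pps, _ in history]


def robust_baseline(values: List[float]) -> Tuple[float, float]:
    """Median and median absolute deviation; a flood in the history barely moves them."""
    m = median(values)
    return m, median(abs(v - m) for v in values)


def find_attacks(history, k: float = 5.0) -> List[Dict[str, float]]:
    """DDoS attack information: position (sample index) and intensity (pps above baseline)."""
    pps = flow_feature(history)
    base, mad = robust_baseline(pps)
    limit = base + k * mad
    return [{"position": i, "intensity": v - base} for i, v in enumerate(pps) if v > limit]


def traffic_model_baseline(history, k: float = 5.0) -> Tuple[float, float]:
    """Baseline recomputed on the history with the identified attack samples removed."""
    attacked = {a["position"] for a in find_attacks(history, k)}
    clean = [v for i, v in enumerate(flow_feature(history)) if i not in attacked]
    return robust_baseline(clean)


def defense_threshold(history, k: float = 5.0) -> float:
    """Defense threshold = baseline + k * MAD. A zero MAD falls back to 5% of the
    baseline so that a perfectly flat history does not turn every packet into a
    trigger (assumption)."""
    base, mad = traffic_model_baseline(history, k)
    if mad == 0:
        mad = 0.05 * base
    return base + k * mad


def should_divert(window: List[float], threshold: float, mode: str = "count",
                  min_count: int = 3) -> bool:
    """The three alternative trigger conditions of step 102 over one monitoring window."""
    if not window:
        return False
    if mode == "average":
        return sum(window) / len(window) > threshold
    if mode == "instant":
        return window[-1] > threshold
    if mode == "count":
        return sum(1 for v in window if v > threshold) > min_count
    raise ValueError(f"unknown mode {mode!r}")


# Constructed live window: abnormal-traffic pps for the last ten minutes, one sample per minute.
LIVE_WINDOW = [900, 1600, 1100, 1700, 1200, 1550, 1000, 1650, 950, 1300]

if __name__ == "__main__":
    t = defense_threshold(HISTORY)
    print("attacks in history:", find_attacks(HISTORY))
    print("baseline (median, MAD):", traffic_model_baseline(HISTORY))
    print("defense threshold:", t)
    for mode in ("average", "instant", "count"):
        print(mode, "->", should_divert(LIVE_WINDOW, t, mode=mode))
```

The live window exceeds the threshold four times in ten minutes, so the "more than 3 times" count condition triggers diversion while the average and instantaneous conditions do not; which condition is configured decides how early a pulsed attack is caught and how many false diversions a single spike causes.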
103. The network abnormal flow is pulled to a flow cleaning node set, node cleaning is carried out on the network abnormal flow through a preset flow cleaning mode, and a network flow cleaning result is obtained, wherein the network flow cleaning result comprises a first target network abnormal flow and a first normal access flow.
In the embodiment of the present invention, optionally, the network abnormal traffic is pulled (diverted) to the traffic cleaning node set, and a network traffic cleaning result is then obtained by identifying the malicious attack traffic in the network abnormal traffic, where the network traffic cleaning result includes a first target network abnormal traffic and a first normal access traffic. The malicious attack traffic may be determined by identifying one or more of a source IP address, a destination IP address, a source port number, a destination port number, a protocol type, data packet information, a browser fingerprint, etc. of the network abnormal traffic, so as to obtain the first target network abnormal traffic.
104. And reinjecting the first normal access traffic to the protected server according to a preset traffic reinjection route.
In the embodiment of the present invention, optionally, the traffic reinjection route may include one or more of a dedicated routing channel, a network routing channel, a local protocol routing channel, and the like, where the local protocol routing channel may include a label switching virtual dedicated network or a label distribution protocol tunnel, and the present invention is not limited thereto.
As can be seen, implementing the method for preventing DDoS attack based on node cleaning described in fig. 1 can monitor network traffic information of a protected server, analyze the network traffic information to obtain network abnormal traffic, obtain a preset traffic cleaning node set when the size of the network abnormal traffic exceeds a defense threshold corresponding to the protected server, pull the network abnormal traffic to the traffic cleaning node set, and perform node cleaning on the network abnormal traffic in a preset traffic cleaning manner to obtain a network traffic cleaning result, where the network traffic cleaning result includes a first target network abnormal traffic and a first normal access traffic, and reinject the first normal access traffic to the protected server according to a preset traffic reinjection route. Whether traffic cleaning is needed can thus be determined based on the defense threshold, which improves the accuracy of cleaning the network abnormal traffic and reduces resource waste; performing node cleaning at the preset traffic cleaning nodes improves the accuracy and reliability of cleaning the network abnormal traffic, effectively prevents DDoS attack, improves the prevention accuracy and prevention efficiency against DDoS attack, and further improves the operation stability and security of the protected network.
In an alternative embodiment, the method for protecting against DDoS attacks based on node cleaning may further comprise the following operations:
deploying an optical splitting device and a traffic detection device on a preset egress link, where the preset egress link includes a cloud resource pool egress link and/or an Internet data center node egress link, and the traffic detection device includes a DDoS-resistant hardware device and/or a server cluster;
analyzing the network traffic information to obtain the network abnormal traffic may include the following operations:
copying the network traffic information to the traffic detection device through the optical splitting device, and detecting the network traffic information packet by packet through the traffic detection device to obtain a network traffic detection result;
and determining the network abnormal flow according to the network flow detection result, and marking the network abnormal flow to obtain marking information corresponding to the network abnormal flow, wherein the marking information comprises source address information and target address information of the network abnormal flow.
In this alternative embodiment, optionally, the preset egress link may include a cloud resource pool egress link and/or an internet data center node (Internet Data Center, IDC) egress link, and the traffic detection device may include a DDoS-resistant hardware device and/or a server cluster, where the server cluster may include an X86 server cluster, and the embodiment is not limited.
In this optional embodiment, optionally, the optical splitting device may be used to copy the network traffic information to the traffic detection device, and the traffic detection device may be used to detect the network traffic information transmitted by the optical splitting device; specifically, the traffic detection device performs packet-by-packet detection on the data of each optical splitting link of the optical splitting device to obtain a network traffic detection result, where the network traffic detection result may include anomaly type information of the network abnormal traffic. The marking information used to mark the network abnormal traffic may include source address information and target address information of the network abnormal traffic, where the source address information may include source address reputation information, that is, whether the source address is a trusted address or an untrusted address, and the target address information may include security level information of the target address; this embodiment is not limited thereto.
Therefore, by implementing this optional embodiment, the optical splitting device and the traffic detection device can be deployed on the preset egress link, the network traffic information is copied to the traffic detection device through the optical splitting device, the network traffic information is detected packet by packet through the traffic detection device to obtain the network traffic detection result, the network abnormal traffic is determined according to the network traffic detection result, and the network abnormal traffic is marked to obtain the marking information corresponding to it, where the marking information includes the source address information and the target address information of the network abnormal traffic. The optical splitting device and the traffic detection device improve the analysis efficiency of the network traffic information and the reliability, accuracy and determination efficiency of the determined network abnormal traffic, and further improve the efficiency of DDoS attack prevention.
In another optional embodiment, the traffic cleaning node set includes an external traffic cleaning node and an internal traffic cleaning node, the source address information of the network abnormal traffic includes a source address reputation of the network abnormal traffic, and the destination address information of the network abnormal traffic includes a destination address security level of the network abnormal traffic;
pulling the network abnormal traffic to the traffic cleaning node set and performing node cleaning on the network abnormal traffic by a preset traffic cleaning manner to obtain the network traffic cleaning result may include the following operations:
analyzing the source address information of the network abnormal traffic, and when the source address reputation of the network abnormal traffic is lower than a preset address reputation threshold, pulling the network abnormal traffic to the external traffic cleaning node, and performing node cleaning on the network abnormal traffic through the external traffic cleaning node to obtain a first sub-network traffic cleaning result;
analyzing the target address information of the first sub-network traffic cleaning result, and when the target address security level of the first sub-network traffic cleaning result is higher than a preset target address security level threshold, pulling the first sub-network traffic cleaning result to the internal traffic cleaning node, and performing node cleaning on the first sub-network traffic cleaning result through the internal traffic cleaning node to obtain the network traffic cleaning result.
In this optional embodiment, optionally, the set of traffic cleaning nodes may include an external traffic cleaning node and an internal traffic cleaning node, where the external traffic cleaning node includes at least one cleaning node and the internal traffic cleaning node includes at least one cleaning node. The source address information of the network abnormal traffic may include a source IP address and a source address reputation of the network abnormal traffic, and the source address reputation may be used to indicate the security or trust degree of the source address: when the source address reputation of the network abnormal traffic is higher than the preset address reputation threshold, the security or trust degree of its source address is higher; when the source address reputation is lower than the preset address reputation threshold, the security or trust degree of its source address is lower, and at this time the network abnormal traffic is pulled to the external traffic cleaning node, which cleans the traffic whose source address reputation is lower than the preset address reputation threshold. The specific cleaning manner is not limited in this embodiment.
In this optional embodiment, optionally, the target address security level may be used to indicate a security importance level of a server or a network corresponding to the target address, or may be used to indicate a frequency of receiving a DDoS attack by the server or the network corresponding to the target address, and when the target address security level of the first sub-network traffic cleaning result is higher than a preset target address security level threshold, the first sub-network traffic cleaning result is pulled to an internal traffic cleaning node, and node cleaning is performed on the first sub-network traffic cleaning result.
Therefore, when the source address reputation of the network abnormal traffic is lower than the preset address reputation threshold, the network abnormal traffic is pulled to the external traffic cleaning node and node-cleaned there to obtain the first sub-network traffic cleaning result; the target address information of the first sub-network traffic cleaning result is then analyzed, and when its target address security level is higher than the preset target address security level threshold, the first sub-network traffic cleaning result is pulled to the internal traffic cleaning node and node-cleaned there to obtain the network traffic cleaning result. The network abnormal traffic can thus be cleaned in a targeted way according to its source address information and target address information, which improves the accuracy and reliability of cleaning the network abnormal traffic, further improves the prevention accuracy and prevention efficiency against DDoS attack, and improves the running stability and network security of the protected server.
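The two-stage dispatch above (source reputation decides whether traffic is pulled to the external node, target security level decides whether the first sub-result is pulled to the internal node) can be shown end to end. The following is an added example, not the patent's own code. The stage order and both thresholds follow the text; what each cleaning node actually drops is not specified there, so the two node filters (a near-zero reputation block score and per-flow packet-rate limits), the `Flow` fields, the assumption that trusted sources skip the external node, and the sample flows are constructed.

```python
"""Two-stage node cleaning by source reputation and target security level (added example).

Node filter rules, flow fields and sample flows are constructed assumptions;
only the stage structure and the two thresholds come from the description.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_reputation: float      # 0.0 = untrusted ... 1.0 = trusted (assumed scale)
    dst_security_level: int    # higher = more important target (assumed scale)
    pps: int                   # packets per second observed for this flow


@dataclass
class CleaningResult:
    abnormal: List[Flow]       # first target network abnormal traffic (dropped)
    normal: List[Flow]         # first normal access traffic (to be reinjected)
    path: List[str]            # cleaning nodes the traffic was pulled through


CleaningNode = Callable[[List[Flow]], Tuple[List[Flow], List[Flow]]]  # -> (dropped, passed)


def external_cleaning_node(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Assumed external-node rule: drop near-zero-reputation sources and very high-rate flows."""
    dropped = [f for f in flows if f.src_reputation < 0.2 or f.pps > 20000]
    passed = [f for f in flows if f not in dropped]
    return dropped, passed


def internal_cleaning_node(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Assumed internal-node rule: stricter per-flow rate limit for high-security targets."""
    dropped = [f for f in flows if f.pps > 5000]
    passed = [f for f in flows if f not in dropped]
    return dropped, passed


def clean_abnormal_traffic(flows: List[Flow],
                           reputation_threshold: float,
                           level_threshold: int,
                           external: CleaningNode = external_cleaning_node,
                           internal: CleaningNode = internal_cleaning_node) -> CleaningResult:
    result = CleaningResult(abnormal=[], normal=[], path=[])

    # Stage 1: analyse source address information; low-reputation sources are pulled
    # to the external node. Trusted sources bypass it (assumption).
    to_external = [f for f in flows if f.src_reputation < reputation_threshold]
    not_pulled = [f for f in flows if f.src_reputation >= reputation_threshold]
    first_sub_result = not_pulled
    if to_external:
        result.path.append("external_cleaning_node")
        dropped, passed = external(to_external)
        result.abnormal.extend(dropped)
        first_sub_result = passed + not_pulled

    # Stage 2: analyse target address information of the first sub-result; traffic
    # towards targets above the security level threshold is pulled to the internal node.
    to_internal = [f for f in first_sub_result if f.dst_security_level > level_threshold]
    result.normal.extend(f for f in first_sub_result if f.dst_security_level <= level_threshold)
    if to_internal:
        result.path.append("internal_cleaning_node")
        dropped, passed = internal(to_internal)
        result.abnormal.extend(dropped)
        result.normal.extend(passed)
    return result


SAMPLE_FLOWS = [  # constructed sample flows (documentation address ranges)
    Flow("198.51.100.7", "192.0.2.10", 0.10, 5, 50000),
    Flow("198.51.100.8", "192.0.2.10", 0.40, 5, 12000),
    Flow("203.0.113.5", "192.0.2.10", 0.90, 5, 200),
    Flow("203.0.113.6", "192.0.2.20", 0.95, 1, 9000),
    Flow("198.51.100.9", "192.0.2.20", 0.30, 1, 300),
]

if __name__ == "__main__":
    r = clean_abnormal_traffic(SAMPLE_FLOWS, reputation_threshold=0.5, level_threshold=3)
    print("path:", r.path)
    print("abnormal:", [f.src_ip for f in r.abnormal])
    print("normal:", [f.src_ip for f in r.normal])
```

With the sample flows, the 0.10-reputation source is dropped at the external node, the 0.40-reputation source survives the external node but is dropped at the internal node because it targets a level-5 address at 12000 pps, and the 9000 pps flow towards the level-1 address is never pulled to the internal node, so it is passed as normal access traffic.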
In yet another alternative embodiment, the packet-by-packet detection of the network traffic information by the traffic detection device, to obtain the network traffic detection result may include the following operations:
detecting network flow information packet by packet through flow detection equipment, and judging whether the network flow information meets preset DDoS attack judgment rules or not;
when the network traffic information meets the DDoS attack judgment rule, determining a network traffic abnormality type corresponding to the network traffic information according to the DDoS attack judgment rule;
determining a network flow detection result according to the network flow information and the network flow abnormality type corresponding to the network flow information;
the network traffic anomaly type comprises at least one of a data packet anomaly type, a browser fingerprint anomaly type and a challenge black hole attack type.
In this alternative embodiment, optionally, the DDoS attack judgment rule may include one or more of a packet rule, a data flow fingerprint rule, a browser fingerprint rule, an IP address library verification rule, and the like; specifically, it may include verifying the data packets and data flows of the network traffic, verifying whether an access of the network traffic is a request forged to appear to come from a browser, and verifying whether an IP address of the network traffic is in an IP address white list or an IP address black list. The network traffic anomaly type may include at least one of a packet anomaly type, a browser fingerprint anomaly type, a challenge black hole attack type, an IP address anomaly type, and the like, where the challenge black hole attack type includes, but is not limited to, behaviors such as null connections, long connections, slow connections, intentional splitting into small packets, intentional retransmission, replay attacks, and idle (no-load) connections.
It can be seen that implementing this alternative embodiment can detect the network traffic information packet by packet through the traffic detection device, judge whether the network traffic information satisfies the preset DDoS attack judgment rule, determine, when it does, the network traffic anomaly type corresponding to the network traffic information according to the DDoS attack judgment rule, and determine the network traffic detection result according to the network traffic information and its corresponding network traffic anomaly type. Determining the detection result from the anomaly type of the network traffic information improves the accuracy and reliability of the network traffic detection result and how well that result reflects the network abnormal traffic, which improves the accuracy of cleaning the network abnormal traffic, improves the prevention accuracy and prevention efficiency against DDoS attack, and further improves the running stability and network security of the protected server.
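The rule classes named above can be run packet by packet over constructed sample traffic to see how each maps to an anomaly type. The following is an added example, not the patent's own code: the rule families (IP address library verification, packet rule, browser fingerprint rule, and a challenge-black-hole rule for null connections) and the anomaly type names come from the description; the concrete check inside each rule, the packet dictionary layout, the black/white list entries, the null-connection limit and the sample packets are constructed assumptions.

```python
"""Packet-by-packet DDoS attack judgment rules mapping hits to anomaly types (added example).

Rule internals, packet layout, address lists and sample packets are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional

PACKET_ANOMALY = "packet_anomaly"
BROWSER_FINGERPRINT_ANOMALY = "browser_fingerprint_anomaly"
CHALLENGE_BLACK_HOLE = "challenge_black_hole"
IP_ADDRESS_ANOMALY = "ip_address_anomaly"

IP_BLACKLIST = {"198.51.100.23"}   # constructed IP address library entries
IP_WHITELIST = {"203.0.113.1"}


def packet_rule(pkt: Dict) -> bool:
    """Packet rule: truncated IP header or an impossible TCP flag combination."""
    if pkt["length"] < 20:
        return True
    if pkt["proto"] == "tcp":
        flags = set(pkt.get("flags", ()))
        if not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
            return True
    return False


def browser_fingerprint_rule(pkt: Dict) -> bool:
    """Browser fingerprint rule (assumed heuristic): the request claims a browser
    User-Agent but lacks headers that real browsers always send."""
    http = pkt.get("http")
    if not http:
        return False
    ua = http.get("User-Agent", "")
    claims_browser = any(tok in ua for tok in ("Mozilla", "Chrome", "Firefox", "Safari"))
    required = ("Accept", "Accept-Language", "Accept-Encoding")
    return claims_browser and not all(h in http for h in required)


class NullConnectionTracker:
    """Challenge-black-hole rule for null connections: a source that repeatedly opens
    TCP connections and closes them without ever sending payload."""

    def __init__(self, null_conn_limit: int = 3):
        self.limit = null_conn_limit
        self.conn_bytes: Dict[tuple, int] = {}            # (src, sport, dst, dport) -> payload bytes
        self.null_conns: Dict[str, int] = defaultdict(int)

    def observe(self, pkt: Dict) -> bool:
        if pkt["proto"] != "tcp":
            return False
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = set(pkt.get("flags", ()))
        if "SYN" in flags and "ACK" not in flags:        # new connection from the client
            self.conn_bytes[key] = 0
        if key in self.conn_bytes:
            self.conn_bytes[key] += pkt.get("payload_len", 0)
        if "FIN" in flags and key in self.conn_bytes:    # connection closed
            if self.conn_bytes.pop(key) == 0:
                self.null_conns[pkt["src"]] += 1
        return self.null_conns[pkt["src"]] > self.limit


def detect(packets: List[Dict], tracker: Optional[NullConnectionTracker] = None) -> List[Optional[str]]:
    """Return one anomaly type (or None for normal) per packet, in input order."""
    tracker = tracker or NullConnectionTracker()
    results: List[Optional[str]] = []
    for pkt in packets:
        cc_hit = tracker.observe(pkt)                    # behaviour state updated for every packet
        if pkt["src"] in IP_WHITELIST:
            results.append(None)
        elif pkt["src"] in IP_BLACKLIST:
            results.append(IP_ADDRESS_ANOMALY)
        elif packet_rule(pkt):
            results.append(PACKET_ANOMALY)
        elif browser_fingerprint_rule(pkt):
            results.append(BROWSER_FINGERPRINT_ANOMALY)
        elif cc_hit:
            results.append(CHALLENGE_BLACK_HOLE)
        else:
            results.append(None)
    return results


def _tcp(src, dst, sport, dport, flags, payload_len=0, length=60, http=None) -> Dict:
    pkt = {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": "tcp",
           "flags": tuple(flags), "payload_len": payload_len, "length": length}
    if http:
        pkt["http"] = http
    return pkt


SAMPLE_PACKETS = [  # constructed sample packets
    _tcp("203.0.113.1", "192.0.2.10", 40000, 80, ["SYN", "FIN"]),         # whitelisted source
    _tcp("198.51.100.23", "192.0.2.10", 40001, 80, ["SYN"]),              # blacklisted source
    _tcp("192.0.2.77", "192.0.2.10", 40002, 80, ["SYN", "FIN"]),          # impossible flag combination
    _tcp("192.0.2.78", "192.0.2.10", 40003, 80, ["PSH", "ACK"], 180, 240,
         {"User-Agent": "Mozilla/5.0", "Host": "www.example.com"}),       # forged browser request
    _tcp("192.0.2.79", "192.0.2.10", 40004, 80, ["PSH", "ACK"], 300, 360,
         {"User-Agent": "Mozilla/5.0", "Host": "www.example.com", "Accept": "text/html",
          "Accept-Language": "en", "Accept-Encoding": "gzip"}),           # complete browser headers
]
for i in range(4):  # one source opening and closing four connections without payload
    SAMPLE_PACKETS.append(_tcp("192.0.2.80", "192.0.2.10", 41000 + i, 80, ["SYN"]))
    SAMPLE_PACKETS.append(_tcp("192.0.2.80", "192.0.2.10", 41000 + i, 80, ["FIN", "ACK"]))
```

The whitelist is checked first so that a trusted source is never classified even if its packets trip a later rule; the null-connection tracker is fed every packet regardless of which rule fires, because the challenge-black-hole type depends on behaviour accumulated across many individually unremarkable packets, and in the sample it fires only on the fourth empty connection.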
Example two
Referring to fig. 2, fig. 2 is a flow chart of a method for preventing DDoS attack based on node cleaning according to an embodiment of the present invention. The method for preventing DDoS attack based on node cleaning described in fig. 2 may be applied to a device for preventing DDoS attack based on node cleaning, where the device for preventing DDoS attack based on node cleaning may include a flow regulating device for intelligently regulating network flow and intelligently distributing a cleaning policy, the flow regulating device may include an intelligent server or an intelligent platform, and the intelligent server may include a local server or a cloud server, where embodiments of the present invention are not limited. As shown in fig. 2, the method for protecting against DDoS attack based on node cleaning may include the following operations:
201. And monitoring the network traffic information of the protected server, and analyzing the network traffic information to obtain the network abnormal traffic.
202. When the magnitude of the abnormal traffic of the network exceeds the corresponding defense threshold value of the protected server, a preset traffic cleaning node set is obtained.
203. The network abnormal flow is pulled to a flow cleaning node set, node cleaning is carried out on the network abnormal flow through a preset flow cleaning mode, and a network flow cleaning result is obtained, wherein the network flow cleaning result comprises a first target network abnormal flow and a first normal access flow.
In the embodiment of the present invention, for other descriptions of step 201 to step 203, please refer to the detailed descriptions of step 101 to step 103 in the first embodiment, which are not repeated here.
204. And analyzing the network flow cleaning result, and judging whether the abnormal flow of the first target network reaches a cleaning capacity threshold corresponding to the flow cleaning node set.
In the embodiment of the present invention, optionally, when the abnormal traffic of the first target network does not reach the cleaning capability threshold corresponding to the traffic cleaning node set, the traffic cleaning node set may complete the cleaning of the abnormal traffic of the network, and when the abnormal traffic of the first target network reaches the cleaning capability threshold corresponding to the traffic cleaning node set, the traffic cleaning node set may just complete the cleaning of the abnormal traffic of the network, or may not complete the cleaning of the abnormal traffic of the network.
205. When judging that the abnormal flow of the first target network reaches the cleaning capacity threshold corresponding to the flow cleaning node set, the first normal access flow is pulled to the high-security IP machine room, and the first normal access flow is subjected to IP filtering through the high-security IP machine room, so that an IP filtering result is obtained, wherein the IP filtering result comprises the abnormal flow of the second target network and the second normal access flow.
In the embodiment of the present invention, optionally, when it is determined that the abnormal traffic of the first target network reaches the cleaning capability threshold corresponding to the traffic cleaning node set, malicious attack traffic that cannot be cleaned by the traffic cleaning node set may exist in the first normal access traffic, and the first normal access traffic may be pulled to the high-security IP machine room by switching the service link of the first normal access traffic to the high-security IP machine room, and IP filtering is performed on the first normal access traffic by the high-security IP machine room.
206. And forwarding the second normal access traffic from the high-security IP machine room to the protected server in a port protocol forwarding mode.
In the embodiment of the invention, optionally, the high-security IP machine room cleans and filters the malicious attack traffic in the first normal access traffic, and then forwards the second normal access traffic from the high-security IP machine room to the protected server in a port protocol forwarding manner.
It can be seen that implementing the method for preventing DDoS attack based on node cleaning described in fig. 2 can monitor the network traffic information of the protected server, analyze the network traffic information to obtain the network abnormal traffic, obtain a preset traffic cleaning node set when the size of the network abnormal traffic exceeds the defense threshold corresponding to the protected server, pull the network abnormal traffic to the traffic cleaning node set, and perform node cleaning on the network abnormal traffic in a preset traffic cleaning manner to obtain a network traffic cleaning result, where the network traffic cleaning result includes a first target network abnormal traffic and a first normal access traffic; this can effectively prevent DDoS attack, improve the prevention accuracy and prevention efficiency against DDoS attack, and further improve the running stability of the protected server. It can further analyze the network traffic cleaning result, judge whether the first target network abnormal traffic reaches the cleaning capability threshold corresponding to the traffic cleaning node set, pull the first normal access traffic to the high-security IP machine room when it does, perform IP filtering on the first normal access traffic through the high-security IP machine room to obtain an IP filtering result, where the IP filtering result includes a second target network abnormal traffic and a second normal access traffic, and forward the second normal access traffic from the high-security IP machine room to the protected server in a port protocol forwarding manner. The traffic can thus be filtered a second time through the high-security IP machine room, which improves the reliability and accuracy of the obtained normal access traffic, improves the accuracy and reliability of malicious traffic filtering, and further improves the accuracy and reliability of DDoS attack prevention.
In an alternative embodiment, the method for protecting against DDoS attacks based on node cleaning may further comprise the following operations before the first normal access traffic is pulled to the high-security IP machine room:
acquiring a preset domain name configuration rule, where the domain name configuration rule includes a configuration rule between a high-security IP corresponding to the high-security IP machine room and a server IP corresponding to the protected server;
establishing, according to the configuration rule between the high-security IP corresponding to the high-security IP machine room and the server IP corresponding to the protected server, a link connection between the high-security IP machine room and the protected server, and configuring a port protocol between the high-security IP machine room and the protected server;
pulling the first normal access traffic to the high-security IP machine room may include the following operations:
analyzing a service type corresponding to the first normal access traffic, where the service type includes a network service type or a non-network service type;
when the service type of the first normal access traffic is the network service type, resolving the domain name of the first normal access traffic to the high-security IP corresponding to the high-security IP machine room through the link connection;
when the service type of the first normal access traffic is the non-network service type, replacing the domain name of the first normal access traffic with the high-security IP corresponding to the high-security IP machine room through the link connection.
In this optional embodiment, optionally, the domain name configuration rule includes a configuration rule between the high-security IP corresponding to the high-security IP machine room and the server IP corresponding to the protected server, which may be used to establish a link connection between the high-security IP corresponding to the high-security IP machine room and the server IP corresponding to the protected server, and may also be used to configure the port protocol between the high-security IP machine room and the protected server; this embodiment is not limited thereto.
In this optional embodiment, optionally, pulling the first normal access traffic to the high-security IP machine room means directing the domain name of the first normal access traffic to the high-security IP of the high-security IP machine room. The service type corresponding to the first normal access traffic may include a network service type or a non-network service type: when the service type is the network service type, the domain name of the first normal access traffic is resolved to the high-security IP corresponding to the high-security IP machine room through the link connection, and when the service type is the non-network service type, the domain name of the first normal access traffic is replaced with the high-security IP corresponding to the high-security IP machine room through the link connection; this embodiment is not limited thereto.
It can be seen that implementing this optional embodiment can obtain the configuration rule between the high-security IP corresponding to the high-security IP machine room and the server IP corresponding to the protected server, establish the link connection between the high-security IP machine room and the protected server according to that rule, configure the port protocol between the high-security IP machine room and the protected server, and analyze the service type corresponding to the first normal access traffic, where the service type includes a network service type or a non-network service type; when the service type is the network service type, the domain name of the first normal access traffic is resolved to the high-security IP corresponding to the high-security IP machine room through the link connection, and when the service type is the non-network service type, the domain name is replaced with the high-security IP through the link connection. The link connection and port protocol between the high-security IP and the server IP can thus be configured, and traffic of each service type can be pulled in the manner appropriate to it, which improves the accuracy and reliability of subsequently pulling access traffic of different service types.
In another alternative embodiment, the node-based cleaning method for protecting against DDoS attacks may further include the operations of:
acquiring historical network traffic information for the protected server, and determining information characteristics of the historical network traffic information, where the information characteristics include data packet characteristics and/or flow characteristics;
inputting the historical network traffic information into a preset traffic model for training, and determining DDoS attack information for the protected server, where the DDoS attack information includes attack position information and/or attack intensity information;
and determining a flow model baseline corresponding to the protected server according to the DDoS attack information, and determining a defense threshold corresponding to the protected server according to the flow model baseline.
In this optional embodiment, optionally, the historical network traffic information for the protected server may include one or more of a historical traffic type, a historical traffic intensity, a type of an abnormal traffic in the historical traffic, an intensity of an abnormal traffic in the historical traffic, and the like, and the information feature of the historical network traffic information may include a data packet feature and/or a flow feature of the historical network traffic information, where the data packet feature may include one or more of a data packet length, a data packet number, a source address and destination address distribution, a data packet arrival rate, and the like, and the flow feature may include one or more of a traffic, a flow velocity, an average flow velocity, a service duration, and the like, and the embodiment is not limited.
In this optional embodiment, optionally, the DDoS attack information for the protected server may include attack location information and/or attack intensity information, and may further include DDoS attack type information. The traffic model baseline corresponding to the protected server may be used to reflect large-scale normal traffic and malicious attack traffic at the protected server. For example, during a peak access period of the website or server, such as when a user product is released or the website is updated, a large number of new legitimate users may flood in; the baseline is then updated upward so that fewer of the new legitimate users are filtered out, reducing cases where new legitimate users are prevented from accessing the website. During a valley access period of the website or server, the baseline is updated downward, increasing the DDoS protection capability of the website. The defense threshold corresponding to the protected server is used to determine whether DDoS protection needs to be enabled for the protected server.
Therefore, by implementing this optional embodiment, the historical network traffic information for the protected server can be obtained, the information characteristics of the historical network traffic information determined, the historical network traffic information input into a preset traffic model for training, the DDoS attack information for the protected server determined, the traffic model baseline corresponding to the protected server determined according to the DDoS attack information, and the defense threshold corresponding to the protected server determined according to the traffic model baseline. The defense threshold can thus be determined based on the historical network traffic information, which improves the rationality and reliability of the determined defense threshold, improves the accuracy of cleaning the network abnormal traffic based on that threshold, improves the prevention accuracy and prevention efficiency against DDoS attack, and further improves the running stability and network security of the protected server.
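The relationship between historical traffic, the traffic model baseline and the defense threshold, including the peak/valley behaviour described above, can be made concrete with a small model. This is an added example, not the patent's own code: the text does not specify the preset traffic model, so a per-hour statistical baseline (mean plus three standard deviations of historical normal traffic) stands in for it, and the headroom factor, the hour-of-day grouping, the Mbps unit and the sample history are constructed assumptions. Historical attack intensities are used here only to check that the derived threshold would still have caught the attacks present in the history.

```python
"""Traffic model baseline and defense threshold from historical traffic (added example).

The statistical baseline is a stand-in for the unspecified preset traffic
model; sigma, headroom, the hourly grouping and the sample history are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class HistoricalSample:
    hour: int          # hour of day the sample was taken (0-23)
    mbps: float        # observed traffic intensity
    is_attack: bool    # labelled as DDoS attack traffic in the history


@dataclass
class FlowModel:
    baseline: Dict[int, float]              # traffic model baseline per hour
    defense_threshold: Dict[int, float]     # defense threshold per hour
    min_attack_intensity: Dict[int, float]  # weakest historical attack per hour


def build_flow_model(history: List[HistoricalSample],
                     sigma: float = 3.0, headroom: float = 1.2) -> FlowModel:
    """Derive per-hour baseline and threshold; peak hours get a higher baseline, valley hours a lower one."""
    normal: Dict[int, List[float]] = defaultdict(list)
    attacks: Dict[int, List[float]] = defaultdict(list)
    for s in history:
        (attacks if s.is_attack else normal)[s.hour].append(s.mbps)

    baseline, threshold, min_attack = {}, {}, {}
    for hour, values in normal.items():
        baseline[hour] = mean(values) + sigma * pstdev(values)   # assumed model
        threshold[hour] = baseline[hour] * headroom              # assumed headroom
        if attacks[hour]:
            min_attack[hour] = min(attacks[hour])
    return FlowModel(baseline, threshold, min_attack)


def threshold_misses_known_attacks(model: FlowModel) -> List[int]:
    """Hours whose defense threshold sits at or above the weakest attack seen in the history."""
    return [h for h, a in model.min_attack_intensity.items() if model.defense_threshold[h] >= a]


def needs_protection(model: FlowModel, hour: int, observed_mbps: float) -> bool:
    """Decision in the style of step 102: observed traffic above this hour's defense threshold."""
    return observed_mbps > model.defense_threshold[hour]


SAMPLE_HISTORY = (  # constructed history: a peak hour (20) and a valley hour (3), in Mbps
    [HistoricalSample(20, v, False) for v in (800, 850, 900, 820, 880)]
    + [HistoricalSample(3, v, False) for v in (100, 120, 90, 110, 130)]
    + [HistoricalSample(20, 5000, True), HistoricalSample(3, 2000, True)]
)

if __name__ == "__main__":
    m = build_flow_model(SAMPLE_HISTORY)
    for h in sorted(m.defense_threshold):
        print(f"hour {h:2d}: baseline {m.baseline[h]:.1f} Mbps, threshold {m.defense_threshold[h]:.1f} Mbps")
    print("hours where threshold would miss known attacks:", threshold_misses_known_attacks(m))
```

With the sample history the peak-hour threshold is about 1153 Mbps and the valley-hour threshold about 183 Mbps, so the same 1100 Mbps observation is treated as normal at hour 20 but triggers protection at hour 3, which is the peak/valley behaviour the text describes; both thresholds stay well below the weakest attack in the history for their hour.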
Example III
Referring to fig. 3, fig. 3 is a schematic structural diagram of a device for preventing DDoS attack based on node cleaning according to an embodiment of the present invention. The device for preventing DDoS attack based on node cleaning described in fig. 3 may include a flow control device for intelligently controlling network flow and intelligently distributing a cleaning policy, where the flow control device may include an intelligent server or an intelligent platform, and the intelligent server may include a local server or a cloud server, and embodiments of the present invention are not limited. As shown in fig. 3, the node cleaning-based DDoS attack prevention apparatus may include:
the monitoring module 301 is configured to monitor network traffic information of a protected server, and analyze the network traffic information to obtain abnormal network traffic;
the first obtaining module 302 is configured to obtain a preset traffic cleaning node set when the magnitude of the network abnormal traffic exceeds a defense threshold corresponding to the protected server;
the cleaning module 303 is configured to pull the abnormal network traffic to a traffic cleaning node set, and perform node cleaning on the abnormal network traffic by using a preset traffic cleaning manner to obtain a network traffic cleaning result, where the network traffic cleaning result includes a first target abnormal network traffic and a first normal access traffic;
and the reinjection module 304 is configured to reinject the first normal access traffic to the protected server according to a preset traffic reinjection route.
As can be seen, implementing the DDoS attack prevention device based on node cleaning described in fig. 3 can monitor network traffic information of a protected server, analyze the network traffic information to obtain network abnormal traffic, obtain a preset traffic cleaning node set when the size of the network abnormal traffic exceeds a defense threshold corresponding to the protected server, pull the network abnormal traffic to the traffic cleaning node set, and perform node cleaning on the network abnormal traffic in a preset traffic cleaning manner to obtain a network traffic cleaning result, where the network traffic cleaning result includes a first target network abnormal traffic and a first normal access traffic, and reinject the first normal access traffic to the protected server according to a preset traffic reinjection route. Whether traffic cleaning is needed can thus be determined based on the defense threshold, which improves the accuracy of cleaning the network abnormal traffic and reduces resource waste; performing node cleaning at the preset traffic cleaning nodes improves the accuracy and reliability of cleaning the network abnormal traffic, effectively prevents DDoS attack, improves the prevention accuracy and prevention efficiency against DDoS attack, and further improves the operation stability and security of the protected network.
In an alternative embodiment, as shown in fig. 4, the apparatus for protecting against DDoS attack based on node cleaning may further include:
the analysis module 305 is configured to, after the cleaning module 303 performs node cleaning on the network abnormal traffic in the preset traffic cleaning manner, analyze the network traffic cleaning result to determine whether the first target network abnormal traffic reaches a cleaning capability threshold corresponding to the traffic cleaning node set;
the filtering module 306 is configured to, when it is determined that the first target network abnormal traffic reaches the cleaning capability threshold corresponding to the traffic cleaning node set, pull the first normal access traffic to a high-protection IP machine room, and perform IP filtering on the first normal access traffic through the high-protection IP machine room to obtain an IP filtering result, where the IP filtering result includes a second target network abnormal traffic and a second normal access traffic;
and the forwarding module 307 is configured to forward the second normal access traffic from the high-protection IP machine room to the protected server in a port protocol forwarding manner.
It can be seen that the DDoS attack prevention device based on node cleaning described in fig. 4 can monitor the network traffic information of the protected server, analyze the network traffic information to obtain the network abnormal traffic, obtain a preset traffic cleaning node set when the magnitude of the network abnormal traffic exceeds the defense threshold corresponding to the protected server, pull the network abnormal traffic to the traffic cleaning node set, and perform node cleaning on the network abnormal traffic in a preset traffic cleaning manner to obtain a network traffic cleaning result, where the network traffic cleaning result includes a first target network abnormal traffic and a first normal access traffic, so that DDoS attacks can be effectively prevented, the prevention accuracy and prevention efficiency against DDoS attacks are improved, and the running stability of the protected server is further improved. It can further analyze the network traffic cleaning result, determine whether the first target network abnormal traffic reaches the cleaning capability threshold corresponding to the traffic cleaning node set, and, when it does, pull the first normal access traffic to the high-protection IP machine room and perform IP filtering on the first normal access traffic through the high-protection IP machine room to obtain an IP filtering result, where the IP filtering result includes a second target network abnormal traffic and a second normal access traffic, and forward the second normal access traffic from the high-protection IP machine room to the protected server in a port protocol forwarding manner. The traffic is thus filtered a second time through the high-protection IP machine room, which improves the reliability and accuracy of the obtained normal access traffic and the accuracy and reliability of malicious traffic filtering, and further improves the accuracy and reliability of DDoS attack prevention.
In another alternative embodiment, as shown in fig. 4, the apparatus for protecting against DDoS attack based on node cleaning may further include:
the second obtaining module 308 is configured to obtain a preset domain name configuration rule before the filtering module 306 pulls the first normal access traffic to the high-protection IP machine room, where the domain name configuration rule includes a configuration rule between the high-protection IP corresponding to the high-protection IP machine room and the server IP corresponding to the protected server;
the establishing module 309 is configured to establish a link connection between the high-protection IP machine room and the protected server according to a configuration rule between the high-protection IP corresponding to the high-protection IP machine room and the server IP corresponding to the protected server, and configure a port protocol between the high-protection IP machine room and the protected server;
the specific way in which the filtering module 306 pulls the first normal access traffic to the high-protection IP machine room includes:
analyzing a service type corresponding to the first normal access traffic, where the service type includes a network service type or a non-network service type;
when the service type of the first normal access traffic is the network service type, resolving the domain name of the first normal access traffic to the high-protection IP corresponding to the high-protection IP machine room through the link connection;
when the service type of the first normal access traffic is the non-network service type, replacing the domain name of the first normal access traffic with the high-protection IP corresponding to the high-protection IP machine room through the link connection.
As can be seen, implementing the DDoS attack prevention device based on node cleaning described in fig. 4 can obtain a configuration rule between a high-protection IP corresponding to a high-protection IP machine room and a server IP corresponding to a protected server, establish a link connection between the high-protection IP machine room and the protected server according to that configuration rule, and configure a port protocol between the high-protection IP machine room and the protected server; it can analyze a service type corresponding to the first normal access traffic, where the service type includes a network service type or a non-network service type, resolve the domain name of the first normal access traffic to the high-protection IP corresponding to the high-protection IP machine room through the link connection when the service type is the network service type, and replace the domain name of the first normal access traffic with the high-protection IP corresponding to the high-protection IP machine room through the link connection when the service type is the non-network service type. The link connection and port protocol between the high-protection IP machine room and the server IP are thus configured, and the access traffic is pulled according to its service type, which improves the accuracy of the pulled traffic and further improves the accuracy of DDoS attack prevention.
In yet another alternative embodiment, as shown in fig. 4, the node-based cleaning apparatus for protecting against DDoS attack may further include:
a deployment module 310, configured to deploy, on a preset egress link, an optical splitter and a traffic detection device, where the preset egress link includes a cloud resource pool egress link and/or an Internet data center node egress link, and the traffic detection device includes an anti-DDoS hardware device and/or a server cluster;
the specific ways of analyzing the network traffic information by the monitoring module 301 to obtain the network abnormal traffic include:
copying the network traffic information to the traffic detection device through the optical splitter, and detecting the network traffic information packet by packet through the traffic detection device to obtain a network traffic detection result;
and determining the network abnormal traffic according to the network traffic detection result, and marking the network abnormal traffic to obtain marking information corresponding to the network abnormal traffic, where the marking information includes source address information and destination address information of the network abnormal traffic.
As can be seen, implementing the DDoS attack prevention device based on node cleaning described in fig. 4 can deploy an optical splitter and a traffic detection device on a preset egress link, copy the network traffic information to the traffic detection device through the optical splitter, detect the network traffic information packet by packet through the traffic detection device to obtain a network traffic detection result, determine the network abnormal traffic according to the network traffic detection result, and mark the network abnormal traffic to obtain marking information corresponding to the network abnormal traffic, where the marking information includes source address information and destination address information of the network abnormal traffic. The optical splitter and the traffic detection device improve the analysis efficiency of the network traffic information, and at the same time improve the reliability, accuracy and determination efficiency of the determined network abnormal traffic, thereby improving the efficiency of preventing DDoS attacks.
In yet another alternative embodiment, as shown in fig. 4, the traffic cleaning node set includes an external traffic cleaning node and an internal traffic cleaning node, the source address information of the network abnormal traffic includes a source address reputation of the network abnormal traffic, and the destination address information of the network abnormal traffic includes a destination address security level of the network abnormal traffic;
the specific way in which the cleaning module 303 pulls the network abnormal traffic to the traffic cleaning node set and performs node cleaning on the network abnormal traffic in the preset traffic cleaning manner to obtain the network traffic cleaning result includes:
analyzing the source address information of the network abnormal traffic, and, when the source address reputation of the network abnormal traffic is lower than a preset address reputation threshold, pulling the network abnormal traffic to the external traffic cleaning node and performing node cleaning on the network abnormal traffic through the external traffic cleaning node to obtain a first sub-network traffic cleaning result;
analyzing the destination address information of the first sub-network traffic cleaning result, and, when the destination address security level of the first sub-network traffic cleaning result is higher than a preset destination address security level threshold, pulling the first sub-network traffic cleaning result to the internal traffic cleaning node and performing node cleaning on the first sub-network traffic cleaning result through the internal traffic cleaning node to obtain the network traffic cleaning result.
As can be seen, implementing the DDoS attack prevention device based on node cleaning described in fig. 4 can analyze the source address information of the network abnormal traffic, pull the network abnormal traffic to the external traffic cleaning node when its source address reputation is lower than the preset address reputation threshold, clean it through the external traffic cleaning node to obtain a first sub-network traffic cleaning result, analyze the destination address information of the first sub-network traffic cleaning result, pull the first sub-network traffic cleaning result to the internal traffic cleaning node when its destination address security level is higher than the preset destination address security level threshold, and clean it through the internal traffic cleaning node to obtain the network traffic cleaning result. The network abnormal traffic is thus cleaned according to its source address information and destination address information, which improves the accuracy and reliability of cleaning the network abnormal traffic, further improves the DDoS attack prevention accuracy and prevention efficiency, and improves the running stability and network security of the protected server.
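The two-stage routing just described, together with the cleaning capability check of the analysis and filtering modules above, as an added Python illustration that is not code from the patent. The thresholds, the drop rule each cleaning node applies, and the sample flows are constructed assumptions, and flows that meet neither pulling condition are assumed to pass through to the next stage unchanged.

```python
from dataclasses import dataclass

# Constructed thresholds standing in for the patent's "preset" values.
ADDR_REPUTATION_THRESHOLD = 40       # preset address reputation threshold (0 worst .. 100 best)
DEST_SECURITY_THRESHOLD = 3          # preset destination address security level threshold (0 .. 5)
CLEANING_CAPABILITY_PPS = 400_000    # cleaning capability threshold of the node set, in packets/s


@dataclass(frozen=True)
class Flow:
    """One marked abnormal flow; reputation and security level come from the marking stage."""
    src: str
    dst: str
    src_reputation: int
    dst_security_level: int
    pps: int
    syn_only: bool = False            # constructed signal: the source only ever sends SYNs
    completed_handshake: bool = True  # constructed signal: the source finished a TCP handshake


def external_node_clean(flows):
    """External cleaning node (assumed rule): discard SYN-only flows from low-reputation sources."""
    dropped = [f for f in flows if f.syn_only]
    kept = [f for f in flows if not f.syn_only]
    return dropped, kept


def internal_node_clean(flows):
    """Internal cleaning node (assumed rule): discard flows to sensitive destinations whose
    source never completed a handshake, i.e. spoofed or half-open sources."""
    dropped = [f for f in flows if not f.completed_handshake]
    kept = [f for f in flows if f.completed_handshake]
    return dropped, kept


def node_clean(abnormal_traffic):
    """Two-stage node cleaning. Returns (first target abnormal traffic, first normal access traffic)."""
    # Stage 1: source address analysis. Sources below the reputation threshold go to the
    # external cleaning node; the rest are assumed to pass straight into the first sub-result.
    to_external = [f for f in abnormal_traffic if f.src_reputation < ADDR_REPUTATION_THRESHOLD]
    skipped = [f for f in abnormal_traffic if f.src_reputation >= ADDR_REPUTATION_THRESHOLD]
    dropped_ext, kept_ext = external_node_clean(to_external)
    first_sub_result = kept_ext + skipped

    # Stage 2: destination address analysis of the first sub-result. Flows toward destinations
    # above the security level threshold go to the internal cleaning node.
    to_internal = [f for f in first_sub_result if f.dst_security_level > DEST_SECURITY_THRESHOLD]
    skipped2 = [f for f in first_sub_result if f.dst_security_level <= DEST_SECURITY_THRESHOLD]
    dropped_int, kept_int = internal_node_clean(to_internal)

    return dropped_ext + dropped_int, kept_int + skipped2


def reaches_capability_threshold(target_abnormal):
    """True when the discarded volume reaches the node set's cleaning capability: the attack is
    then large enough that the normal traffic gets a second IP filtering pass in the
    high-protection IP machine room instead of being reinjected directly."""
    return sum(f.pps for f in target_abnormal) >= CLEANING_CAPABILITY_PPS


def dispatch(abnormal_traffic):
    """Run node cleaning and decide where the first normal access traffic goes next."""
    target_abnormal, first_normal = node_clean(abnormal_traffic)
    route = "high_protection_ip_room" if reaches_capability_threshold(target_abnormal) else "reinject"
    return {"dropped": target_abnormal, "normal": first_normal, "route": route}


# Constructed sample of marked abnormal traffic (documentation address ranges).
SAMPLE = [
    Flow("198.51.100.7", "203.0.113.10", src_reputation=10, dst_security_level=1, pps=300_000, syn_only=True),
    Flow("198.51.100.8", "203.0.113.10", src_reputation=15, dst_security_level=1, pps=20_000),
    Flow("192.0.2.20", "203.0.113.50", src_reputation=80, dst_security_level=5, pps=150_000,
         completed_handshake=False),
    Flow("192.0.2.21", "203.0.113.50", src_reputation=90, dst_security_level=5, pps=1_000),
    Flow("192.0.2.30", "203.0.113.10", src_reputation=70, dst_security_level=1, pps=500),
]

if __name__ == "__main__":
    out = dispatch(SAMPLE)
    print("dropped:", [f.src for f in out["dropped"]])
    print("normal: ", [f.src for f in out["normal"]], "->", out["route"])
```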
In yet another alternative embodiment, as shown in fig. 4, the first obtaining module 302 is further configured to obtain historical network traffic information for the protected server, and determine information features of the historical network traffic information, where the information features include packet features and/or flow features;
the node cleaning-based DDoS attack prevention device can further comprise:
the training module 311 is configured to input historical network traffic information into a preset traffic model for training, and determine DDoS attack information for the protected server, where the DDoS attack information includes attack location information and/or attack intensity information;
the determining module 312 is configured to determine a traffic model baseline corresponding to the protected server according to the DDoS attack information, and determine a defense threshold corresponding to the protected server according to the traffic model baseline.
As can be seen, implementing the DDoS attack prevention device based on node cleaning described in fig. 4 can obtain historical network traffic information for a protected server, determine information features of the historical network traffic information, input the historical network traffic information into a preset traffic model for training, determine DDoS attack information for the protected server, determine a traffic model baseline corresponding to the protected server according to the DDoS attack information, and determine a defense threshold corresponding to the protected server according to the traffic model baseline. Deriving the defense threshold from the historical network traffic information improves the rationality and reliability of the determined defense threshold, and at the same time improves the accuracy and efficiency of preventing DDoS attacks from network abnormal traffic based on that threshold, thereby improving the running stability and network security of the protected server.
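An added Python example of the threshold derivation above; it is not the patent's code. The patent does not specify the "preset traffic model", so the model is assumed here: per hour of day, historical samples that sit far above the median (robust MAD cutoff) are taken as the DDoS attack information (location and intensity), the baseline is mean + 3 standard deviations of the remaining attack-free samples, and the defense threshold is the baseline scaled by a headroom factor. The history, feature names and constants are constructed.

```python
import statistics
from collections import defaultdict

FEATURES = ("pps", "new_flows_per_s")   # one packet feature, one flow feature
MAD_K = 5.0      # constructed: robust cutoff for locating attacks inside the history
SIGMA_K = 3.0    # constructed: baseline = mean + SIGMA_K * stddev of attack-free samples
HEADROOM = 1.5   # constructed: defense threshold = baseline * HEADROOM

# Constructed history: (hour_of_day, features) for five days at three hours of the day.
# Day 3 at 14:00 (index 8) carries a volumetric attack.
HISTORY = [
    (2, {"pps": 1000, "new_flows_per_s": 50}), (2, {"pps": 1100, "new_flows_per_s": 55}),
    (2, {"pps": 950, "new_flows_per_s": 48}), (2, {"pps": 1050, "new_flows_per_s": 52}),
    (2, {"pps": 1020, "new_flows_per_s": 51}),
    (14, {"pps": 8000, "new_flows_per_s": 400}), (14, {"pps": 8200, "new_flows_per_s": 410}),
    (14, {"pps": 7900, "new_flows_per_s": 395}), (14, {"pps": 60000, "new_flows_per_s": 3000}),
    (14, {"pps": 8100, "new_flows_per_s": 405}),
    (20, {"pps": 12000, "new_flows_per_s": 600}), (20, {"pps": 12500, "new_flows_per_s": 620}),
    (20, {"pps": 11800, "new_flows_per_s": 590}), (20, {"pps": 12200, "new_flows_per_s": 610}),
    (20, {"pps": 12100, "new_flows_per_s": 605}),
]


def _by_hour(history):
    buckets = defaultdict(list)
    for idx, (hour, values) in enumerate(history):
        buckets[hour].append((idx, values))
    return buckets


def detect_attack_info(history):
    """The 'training' step: per hour of day and feature, flag samples lying more than MAD_K
    median absolute deviations above the median. Each attacked sample yields one record with
    its location (index, hour) and intensity (ratio of the worst feature to its median)."""
    attacks = {}
    for hour, samples in _by_hour(history).items():
        for feat in FEATURES:
            xs = [v[feat] for _, v in samples]
            med = statistics.median(xs)
            mad = statistics.median([abs(x - med) for x in xs])
            mad = max(mad, 0.01 * med)   # a perfectly flat history must not yield a zero cutoff
            for idx, values in samples:
                if values[feat] > med + MAD_K * mad:
                    rec = attacks.setdefault(idx, {"index": idx, "hour": hour, "intensity": 0.0})
                    rec["intensity"] = max(rec["intensity"], values[feat] / med)
    return sorted(attacks.values(), key=lambda r: r["index"])


def traffic_model_baseline(history, attack_info):
    """Per-hour, per-feature baseline from the samples that were not attacked. Leaving the attack
    in would inflate the 14:00 baseline several-fold and blind the threshold to a repeat."""
    attacked = {rec["index"] for rec in attack_info}
    baseline = {}
    for hour, samples in _by_hour(history).items():
        clean = [v for idx, v in samples if idx not in attacked] or [v for _, v in samples]
        baseline[hour] = {}
        for feat in FEATURES:
            xs = [v[feat] for v in clean]
            sd = statistics.pstdev(xs) if len(xs) > 1 else 0.0
            baseline[hour][feat] = statistics.fmean(xs) + SIGMA_K * sd
    return baseline


def defense_threshold(baseline):
    return {h: {f: v * HEADROOM for f, v in feats.items()} for h, feats in baseline.items()}


def exceeded_features(threshold, hour, observed):
    """Features of the current observation above the defense threshold for this hour; a non-empty
    list is the trigger for fetching the cleaning node set."""
    return [f for f in FEATURES if observed[f] > threshold[hour][f]]


def build_threshold(history=HISTORY):
    attacks = detect_attack_info(history)
    return defense_threshold(traffic_model_baseline(history, attacks)), attacks


if __name__ == "__main__":
    thr, attacks = build_threshold()
    print("attack info:", attacks)
    print("defense threshold:", {h: {f: round(v) for f, v in x.items()} for h, x in thr.items()})
```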
In yet another alternative embodiment, as shown in fig. 4, the specific manner in which the monitoring module 301 performs packet-by-packet detection on the network traffic information through the traffic detection device to obtain the network traffic detection result includes:
detecting the network traffic information packet by packet through the traffic detection device, and judging whether the network traffic information meets a preset DDoS attack judgment rule;
when the network traffic information meets the DDoS attack judgment rule, determining a network traffic abnormality type corresponding to the network traffic information according to the DDoS attack judgment rule;
determining a network traffic detection result according to the network traffic information and the network traffic anomaly type corresponding to the network traffic information;
the network traffic anomaly type includes at least one of a data packet anomaly type, a browser fingerprint anomaly type and a challenge collapsar (CC) attack type.
As can be seen, the DDoS attack prevention device based on node cleaning described in fig. 4 can detect the network traffic information packet by packet through the traffic detection device, determine whether the network traffic information meets a preset DDoS attack judgment rule, determine, when it does, the network traffic anomaly type corresponding to the network traffic information according to that rule, and determine the network traffic detection result according to the network traffic information and its network traffic anomaly type. Deriving the detection result from the anomaly type of the network traffic information improves the accuracy and reliability of the determined network traffic detection result and its ability to reflect the network abnormal traffic, improves the accuracy of cleaning the network abnormal traffic, improves the prevention accuracy and prevention efficiency against DDoS attacks, and further improves the running stability and network security of the protected server.
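The packet-by-packet judgment step above, as an added Python example that is not the patent's code. The patent names the three anomaly types but not the rules behind them, so the rules are assumptions: contradictory or null TCP flag sets and truncated packets count as data packet anomalies, a browser User-Agent without the header set browsers always send counts as a browser fingerprint anomaly, and more than a fixed number of HTTP requests per source within a one-second window counts as a CC attack. The capture is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Anomaly types named by the patent; the rule behind each is a constructed assumption.
PACKET_ANOMALY = "packet_anomaly"
BROWSER_FINGERPRINT_ANOMALY = "browser_fingerprint_anomaly"
CC_ATTACK = "challenge_collapsar_attack"

CC_WINDOW_S = 1.0            # constructed: sliding window for per-source request counting
CC_REQUESTS_PER_WINDOW = 5   # constructed: requests per source per window that count as CC
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding")


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    length: int                      # bytes on the wire
    tcp_flags: frozenset = frozenset()
    http: Optional[dict] = None      # parsed request headers when the payload is an HTTP request


def packet_anomaly(pkt):
    """Malformed or impossible packets: contradictory TCP flag sets, null flags, truncated headers."""
    if pkt.proto == "tcp":
        flags = pkt.tcp_flags
        if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags or not flags:
            return True
    return pkt.length < 20


def browser_fingerprint_anomaly(headers):
    """A User-Agent that claims to be a browser but lacks the header set every browser sends."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not lowered.get("user-agent", "").startswith("Mozilla/"):
        return False
    return any(h not in lowered for h in BROWSER_HEADERS)


class Detector:
    """Stateful packet-by-packet inspector; keeps per-source request timestamps for CC detection."""

    def __init__(self):
        self._requests = defaultdict(deque)

    def _cc_hit(self, pkt):
        window = self._requests[pkt.src]
        window.append(pkt.ts)
        while window and pkt.ts - window[0] > CC_WINDOW_S:
            window.popleft()
        return len(window) >= CC_REQUESTS_PER_WINDOW

    def inspect(self, pkt):
        """Apply the judgment rules to one packet and return its anomaly types (empty = normal)."""
        types = []
        if packet_anomaly(pkt):
            types.append(PACKET_ANOMALY)
        if pkt.http is not None:
            if browser_fingerprint_anomaly(pkt.http):
                types.append(BROWSER_FINGERPRINT_ANOMALY)
            if self._cc_hit(pkt):
                types.append(CC_ATTACK)
        return types


def detect(packets):
    """Detection result: (packet, anomaly types) per packet, plus marking information for the
    abnormal traffic keyed by (source address, destination address)."""
    det = Detector()
    result = []
    marking = defaultdict(set)
    for pkt in packets:
        types = det.inspect(pkt)
        result.append((pkt, types))
        if types:
            marking[(pkt.src, pkt.dst)].update(types)
    return result, dict(marking)


FULL = {"User-Agent": "Mozilla/5.0", "Accept": "text/html", "Accept-Language": "en", "Accept-Encoding": "gzip"}
SYN = frozenset({"SYN"})
ACK = frozenset({"ACK"})

# Constructed capture: one SYN+FIN probe, one real browser request, one fake-browser request,
# and six requests within one second from a single source (a CC pattern).
SAMPLE = [
    Packet(1.0, "198.51.100.5", "203.0.113.10", "tcp", 60, frozenset({"SYN", "FIN"})),
    Packet(1.1, "192.0.2.10", "203.0.113.10", "tcp", 420, ACK, http=dict(FULL, Path="/index.html")),
    Packet(1.2, "198.51.100.6", "203.0.113.10", "tcp", 180, ACK,
           http={"User-Agent": "Mozilla/5.0", "Path": "/login"}),
] + [
    Packet(10.0 + i / 10, "198.51.100.9", "203.0.113.10", "tcp", 400, ACK, http=dict(FULL, Path="/search?q=x"))
    for i in range(6)
]

if __name__ == "__main__":
    _, marks = detect(SAMPLE)
    for (src, dst), types in marks.items():
        print(f"{src} -> {dst}: {sorted(types)}")
```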
Example four
Referring to fig. 5, fig. 5 is a schematic structural diagram of another apparatus for preventing DDoS attack based on node cleaning according to an embodiment of the present invention. As shown in fig. 5, the node cleaning-based DDoS attack prevention apparatus may include:
a memory 401 storing executable program codes;
a processor 402 coupled with the memory 401;
the processor 402 invokes executable program code stored in the memory 401 to perform the steps in the method for protecting against DDoS attacks based on node cleaning described in the first or second embodiment of the present invention.
Example five
The embodiment of the invention discloses a computer storage medium which stores computer instructions for executing the steps in the method for preventing DDoS attack based on node cleaning described in the first embodiment or the second embodiment of the invention when the computer instructions are called.
Example six
An embodiment of the present invention discloses a computer program product comprising a non-transitory computer readable storage medium storing a computer program, and the computer program is operable to cause a computer to perform the steps of the method for protecting against DDoS attacks based on node cleaning described in embodiment one or embodiment two.
The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above detailed description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus the necessary general hardware platform, or of course by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially, or in the part that contributes to the prior art, in the form of a software product stored in a computer-readable storage medium, including read-only memory (ROM), random access memory (RAM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), one-time programmable read-only memory (OTPROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, magnetic disc storage, tape storage, or any other computer-readable medium that can carry or store data.
Finally, it should be noted that the method and device for preventing DDoS attack based on node cleaning disclosed in the embodiments of the invention are disclosed as preferred embodiments, and are only used to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the various embodiments can still be modified, or some of their technical features replaced equivalently, and such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A method for protecting against DDoS attacks based on node cleaning, the method comprising:
monitoring network traffic information of a protected server, and analyzing the network traffic information to obtain network abnormal traffic;
when the magnitude of the abnormal network traffic exceeds a defense threshold corresponding to the protected server, acquiring a preset traffic cleaning node set;
pulling the network abnormal traffic to the traffic cleaning node set, and performing node cleaning on the network abnormal traffic in a preset traffic cleaning manner to obtain a network traffic cleaning result, wherein the network traffic cleaning result comprises a first target network abnormal traffic and a first normal access traffic;
and reinjecting the first normal access traffic to the protected server according to a preset traffic reinjection route.
2. The method for preventing DDoS attack based on node cleaning according to claim 1, wherein after the node cleaning is performed on the network abnormal traffic by a preset traffic cleaning manner, the method further comprises:
analyzing the network flow cleaning result, and judging whether the first target network abnormal flow reaches a cleaning capacity threshold corresponding to the flow cleaning node set;
when it is determined that the first target network abnormal traffic reaches the cleaning capability threshold corresponding to the traffic cleaning node set, pulling the first normal access traffic to a high-protection IP machine room, and performing IP filtering on the first normal access traffic through the high-protection IP machine room to obtain an IP filtering result, wherein the IP filtering result comprises a second target network abnormal traffic and a second normal access traffic;
and forwarding the second normal access traffic from the high-protection IP machine room to the protected server in a port protocol forwarding manner.
3. The method for preventing DDoS attack based on node cleaning according to claim 2, further comprising, before said pulling the first normal access traffic to a high-protection IP machine room:
acquiring a preset domain name configuration rule, wherein the domain name configuration rule comprises a configuration rule between a high-protection IP corresponding to the high-protection IP machine room and a server IP corresponding to the protected server;
establishing a link connection between the high-protection IP machine room and the protected server according to a configuration rule between the high-protection IP corresponding to the high-protection IP machine room and the server IP corresponding to the protected server, and configuring a port protocol between the high-protection IP machine room and the protected server;
the pulling the first normal access traffic to a high-protection IP machine room comprises:
analyzing a service type corresponding to the first normal access traffic, wherein the service type comprises a network service type or a non-network service type;
when the service type of the first normal access traffic is the network service type, resolving the domain name of the first normal access traffic to the high-protection IP corresponding to the high-protection IP machine room through the link connection;
and when the service type of the first normal access traffic is the non-network service type, replacing the domain name of the first normal access traffic with the high-protection IP corresponding to the high-protection IP machine room through the link connection.
4. A method of protecting against DDoS attacks based on node cleaning according to any one of claims 1-3, characterized in that the method further comprises:
deploying an optical splitter and a traffic detection device on a preset egress link, wherein the preset egress link comprises a cloud resource pool egress link and/or an Internet data center node egress link, and the traffic detection device comprises an anti-DDoS hardware device and/or a server cluster;
the analyzing the network traffic information to obtain the network abnormal traffic comprises the following steps:
copying the network traffic information to the traffic detection device through the optical splitter, and detecting the network traffic information packet by packet through the traffic detection device to obtain a network traffic detection result;
and determining the network abnormal traffic according to the network traffic detection result, and marking the network abnormal traffic to obtain marking information corresponding to the network abnormal traffic, wherein the marking information comprises source address information and destination address information of the network abnormal traffic.
5. The method for preventing DDoS attack based on node cleaning of claim 4, wherein the set of traffic cleaning nodes comprises an external traffic cleaning node and an internal traffic cleaning node, the source address information of the network anomaly traffic comprises a source address reputation of the network anomaly traffic, and the destination address information of the network anomaly traffic comprises a destination address security level of the network anomaly traffic;
the pulling the network abnormal traffic to the traffic cleaning node set and performing node cleaning on the network abnormal traffic in a preset traffic cleaning manner to obtain a network traffic cleaning result comprises:
analyzing the source address information of the network abnormal traffic, and when the source address reputation of the network abnormal traffic is lower than a preset address reputation threshold, pulling the network abnormal traffic to the external traffic cleaning node, and performing node cleaning on the network abnormal traffic through the external traffic cleaning node to obtain a first sub-network traffic cleaning result;
analyzing the destination address information of the first sub-network traffic cleaning result, and when the destination address security level of the first sub-network traffic cleaning result is higher than a preset destination address security level threshold, pulling the first sub-network traffic cleaning result to the internal traffic cleaning node, and performing node cleaning on the first sub-network traffic cleaning result through the internal traffic cleaning node to obtain the network traffic cleaning result.
6. A method of protecting against DDoS attacks based on node cleaning according to any one of claims 1-3, characterized in that the method further comprises:
acquiring historical network traffic information for the protected server, and determining information features of the historical network traffic information, wherein the information features comprise packet features and/or flow features;
inputting the historical network traffic information into a preset traffic model for training, and determining DDoS attack information for the protected server, wherein the DDoS attack information comprises attack location information and/or attack intensity information;
and determining a traffic model baseline corresponding to the protected server according to the DDoS attack information, and determining a defense threshold corresponding to the protected server according to the traffic model baseline.
7. The method for preventing DDoS attack based on node cleaning according to claim 4, wherein the step of performing packet-by-packet detection on the network traffic information by the traffic detection device to obtain a network traffic detection result includes:
detecting the network traffic information packet by packet through the traffic detection device, and judging whether the network traffic information meets a preset DDoS attack judgment rule;
when the network traffic information meets the DDoS attack judgment rule, determining a network traffic abnormality type corresponding to the network traffic information according to the DDoS attack judgment rule;
determining a network traffic detection result according to the network traffic information and the network traffic anomaly type corresponding to the network traffic information;
the network traffic anomaly type comprises at least one of a data packet anomaly type, a browser fingerprint anomaly type and a challenge collapsar (CC) attack type.
8. An apparatus for protecting against DDoS attacks based on node cleaning, the apparatus comprising:
a monitoring module, configured to monitor network traffic information of a protected server and analyze the network traffic information to obtain network abnormal traffic;
a first obtaining module, configured to obtain a preset traffic cleaning node set when the magnitude of the network abnormal traffic exceeds a defense threshold corresponding to the protected server;
a cleaning module, configured to pull the network abnormal traffic to the traffic cleaning node set and perform node cleaning on the network abnormal traffic in a preset traffic cleaning manner to obtain a network traffic cleaning result, wherein the network traffic cleaning result comprises a first target network abnormal traffic and a first normal access traffic;
and a reinjection module, configured to reinject the normal access traffic to the protected server according to a preset traffic reinjection route.
9. An apparatus for protecting against DDoS attacks based on node cleaning, the apparatus comprising:
a memory storing executable program code;
a processor coupled to the memory;
the processor invokes the executable program code stored in the memory to perform the node-based cleaning method of protecting against DDoS attacks as claimed in any one of claims 1-7.
10. A computer storage medium storing computer instructions which, when invoked, are operable to perform the method of node-based cleaning against DDoS attacks of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311386905.2A CN117375942A (en) 2023-10-24 2023-10-24 Method and device for preventing DDoS attack based on node cleaning

Publications (1)

Publication Number Publication Date
CN117375942A true CN117375942A (en) 2024-01-09

Family

ID=89405537

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117857222A (en) * 2024-03-07 2024-04-09 国网江西省电力有限公司电力科学研究院 Dynamic IP-based network dynamic defense system and method for new energy centralized control station

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination