CN1350231A - By-pass investigation and remisson method for rejecting service attack - Google Patents

Info

Publication number
CN1350231A
Authority
CN
China
Prior art keywords
record
network
destination
data
data communication
Prior art date
2001-12-04
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 01139036
Other languages
Chinese (zh)
Other versions
CN1156762C (en)
Inventor
杨明
何浩
杨矗松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI
Original Assignee
FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2001-12-04
Filing date
2001-12-04
Publication date
2002-05-22
Application filed by FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI
Priority to CNB011390360A (granted as CN1156762C)
Publication of CN1350231A
Application granted
Publication of CN1156762C
Anticipated expiration
Expired - Fee Related (current legal status)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The method for bypass-type detection and mitigation of denial-of-service attacks comprises the following steps: a. switching the network interface card from normal mode into listening (promiscuous) mode and reading, from the NIC device, the data traffic broadcast on the network; b. performing protocol analysis on the captured data and building a record table keyed by source address, destination address, source port and destination port; c. updating the record table from each captured network packet and accumulating counts; d. searching the record table for records whose count within a given time window exceeds the allowed maximum; e. for each record found, impersonating the host at the destination address and sending a packet that terminates the data communication to the host at the source address; f. at the same time, impersonating the host at the source address and sending a packet that terminates the data communication to the destination host; and g. removing the record from the record table.

Description

Method for bypass-type detection and mitigation of denial-of-service attacks
Technical field: The present invention relates to a method of network security protection, in particular to a method for bypass-type detection and mitigation of denial-of-service attacks, and belongs to the field of network technology.
Background: With the rapid development of the Internet the network economy has grown with it, and more and more e-commerce sites are appearing. The rapid development of the Internet has accelerated global technical exchange and the pace of human progress, but it has also accelerated the development, spread and diffusion of hacking techniques. Ever more hacking techniques and point-and-click attack tools are distributed freely on websites. The means of attack in use today are varied, and the most effective and hardest to defend against is the denial-of-service attack. In recent years famous websites around the world, including Yahoo and Amazon, have suffered denial-of-service attacks that halted their business for up to tens of hours, causing not only huge economic losses but also casting a serious shadow over confidence in e-commerce and seriously hindering the development of the network economy. More discouraging still, many professional security websites can only stand by helplessly when facing a denial-of-service attack, remaining paralysed for tens or even hundreds of hours. A literature search found that Valentin Razmov of the Department of Computer Engineering of the University of Washington describes the types of denial-of-service attack and the countermeasures in detail in his article "Denial of Service Attacks and How to Defend Against Them". That work is mainly oriented to passive defence, for example strengthening host security, building firewalls and applying appropriate firewall policies, and establishing authentication mechanisms for network hosts; it also lists some active defence methods that can be adopted when under attack, such as reverse lookup of the attacking host's address. Attacking a computer network service by consuming the limited resources of the computer system, so that the host service stops responding, is also one of the common means of attack today.
Summary of the invention: The object of the present invention is to remedy the deficiencies of the prior art against this common means of attack by providing an effective method for bypass-type detection and mitigation of denial-of-service attacks. This protection method is more proactive, is of real practical value when a host is under attack, and can win valuable time for network administrators by taking countermeasures before manual intervention is possible, so that the safe operation of the network is better guaranteed, the network is not paralysed by external attacks, the various services that depend on the network keep running normally, and losses are kept to a minimum. An attack on a computer network service that consumes the limited resources of the computer system and causes the host service to stop responding is difficult to detect and defend against mainly because, at the moment the attack is launched, the attacking traffic is essentially indistinguishable from legitimate behaviour. The reason is that the attacker impersonates a legitimate user and sends a large number of service requests ("I need service") to the host providing the network service. Because the initial phase of a service request does not require authentication, the host must set aside part of its limited system resources for each request, and a large number of junk service requests occupy most or all of those resources; constrained by its resources, the computer system can then no longer respond to normal, legitimate users, which finally results in denial of service.
The concrete method is:
a. Switch the network interface card from normal mode to listening (promiscuous) mode and read, from the NIC device, the data traffic broadcast on the network;
b. Perform protocol analysis on the data read and build a record table keyed by source address, destination address, source port and destination port;
c. Update the record table from each network packet read and accumulate counts;
d. Search the record table for records whose count within a given time window exceeds the allowed maximum;
e. For each record found, impersonate the host at the destination address and send a packet that terminates the data communication to the host at the source address;
f. At the same time, impersonate the host at the source address and send a packet that terminates the data communication to the destination host;
g. Remove the record from the record table.
The present invention has substantive distinguishing features and marked improvements: without affecting the normal operation of the computer network service, it fundamentally solves the most difficult problem in defending against denial-of-service attacks. The same idea can be applied to other fields with similar principles, allowing the technique to be transplanted across fields.
Brief description of the drawings: Fig. 1 is a flow chart of the present invention.
Fig. 2 is a schematic diagram of attack detection and mitigation according to the present invention.
Specific implementation: As shown in Fig. 1 and Fig. 2, the detection and mitigation process is described taking the representative SYN flooding attack as an example. SYN flooding is a typical means of attacking network services based on the TCP/IP protocol; its basic principle rests on the basic process of a TCP/IP network service:
1. The client sends a synchronization request packet (SYN) to the server;
2. The server returns a response packet (SYN-ACK) to this synchronization request, initializing the service request and reserving what is required to maintain the connection;
3. The client receives this packet and begins to send the real request packets carrying the actual request content;
4. The server provides the service for the concrete service request.
The above briefly describes a network server model based on TCP/IP. A SYN flooding attack takes place in the first phase: the attacker forges a large number of synchronization request packets, so that on receiving each one the server allocates the necessary share of its system resources to answer the service request. Once such junk requests exceed a certain limit, the relevant resources of the computer system, such as ports, threads and memory, are exhausted. By sniffing and reconstructing the network data, a visitor that does not send a real, valid service request within a specified time is identified as an attacker; once the attacker is identified, response packets carrying the RST flag are sent from D to B and from D to C respectively (see Fig. 2), ending the subsequent responses of both sides and stopping this service process. The data bypass sniffing technique intercepts the data streams transmitted over the network; according to the features of the attack, the network data streams are reconstructed and matched against those features to identify the attack; the attacker and the attacked host are recorded, and mitigation consists of deceiving the attacker into believing that the attack carried out against the attacked host has succeeded.

Claims (1)

1. A method for bypass-type detection and mitigation of denial-of-service attacks, characterized in that the concrete method is:
a. Switch the network interface card from normal mode to listening (promiscuous) mode and read, from the NIC device, the data traffic broadcast on the network;
b. Perform protocol analysis on the data read and build a record table keyed by source address, destination address, source port and destination port;
c. Update the record table from each network packet read and accumulate counts;
d. Search the record table for records whose count within a given time window exceeds the allowed maximum;
e. For each record found, impersonate the host at the destination address and send a packet that terminates the data communication to the host at the source address;
f. At the same time, impersonate the host at the source address and send a packet that terminates the data communication to the destination host;
g. Remove the record from the record table.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011390360A CN1156762C (en) 2001-12-04 2001-12-04 By-pass investigation and remisson method for rejecting service attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB011390360A CN1156762C (en) 2001-12-04 2001-12-04 By-pass investigation and remisson method for rejecting service attack

Publications (2)

Publication Number Publication Date
CN1350231A true CN1350231A (en) 2002-05-22
CN1156762C CN1156762C (en) 2004-07-07

Family

ID=4674967

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB011390360A Expired - Fee Related CN1156762C (en) 2001-12-04 2001-12-04 By-pass investigation and remisson method for rejecting service attack

Country Status (1)

Country Link
CN (1) CN1156762C (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100466510C (en) * 2003-04-30 2009-03-04 华为技术有限公司 A method for preventing network address translation (NAT) device from being attacked by network user
CN1297101C (en) * 2003-07-08 2007-01-24 国际商业机器公司 Technique of detecting denial of service attacks
CN100411344C (en) * 2004-01-19 2008-08-13 南京大学 Web server load control method for resisting rejection service attack
CN100361452C (en) * 2004-04-15 2008-01-09 国际商业机器公司 Method and device for server denial of service shield
CN100388667C (en) * 2004-08-27 2008-05-14 株式会社Ntt都科摩 Client terminal, service providing device, and service discovery method
CN100448203C (en) * 2005-06-24 2008-12-31 国际商业机器公司 System and method for identifying and preventing malicious intrusions
CN101184094B (en) * 2007-12-06 2011-07-27 北京启明星辰信息技术股份有限公司 Network node scanning detection method and system for LAN environment
CN101369897B (en) * 2008-07-31 2011-04-20 成都市华为赛门铁克科技有限公司 Method and equipment for detecting network attack
CN101667947B (en) * 2008-09-04 2011-11-30 鸿富锦精密工业(深圳)有限公司 Mobile station, basement station and attack detecting method
CN101741847B (en) * 2009-12-22 2012-11-07 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
CN102710663A (en) * 2012-06-21 2012-10-03 奇智软件(北京)有限公司 Method and device for obtaining cloud service
CN103150240A (en) * 2013-03-19 2013-06-12 天脉聚源(北京)传媒科技有限公司 Method and system for monitoring application process
CN103150240B (en) * 2013-03-19 2015-04-08 天脉聚源(北京)传媒科技有限公司 Method and system for monitoring application process

Also Published As

Publication number Publication date
CN1156762C (en) 2004-07-07

Similar Documents

Publication Publication Date Title
Prasad et al. An efficient detection of flooding attacks to Internet Threat Monitors (ITM) using entropy variations under low traffic
CN101018121B (en) Log convergence processing method and convergence processing device
EP1911243B1 (en) Method for defending against denial of service attacks in ip networks by target victim self-identification and control
CN1156762C (en) By-pass investigation and remisson method for rejecting service attack
Gavaskar et al. Three counter defense mechanism for TCP SYN flooding attacks
EP1911241B9 (en) Method for defending against denial of service attacks in ip networks by target victim self-identification and control
EP2731315A1 (en) Defense against dns dos attack
Alsafi et al. Idps: An integrated intrusion handling model for cloud
CN102291390A (en) Method for defending against denial of service attack based on cloud computation platform
Beslin Pajila et al. Detection of DDoS attack using SDN in IoT: A survey
CN101217547B (en) A flood request attaching filtering method based on the stateless open source core
US8201250B2 (en) System and method for controlling abnormal traffic based on fuzzy logic
EP2009864A1 (en) Method and apparatus for attack prevention
CN105610851A (en) Method and system for defending distributed denial of service (DDoS) attack
KR20110037645A (en) Apparatus and method for protecting ddos
CN101547187A (en) Network attack protection method for broadband access equipment
CN113572730A (en) Implementation method for actively and automatically trapping honeypots based on web
Yuvaraj et al. Some investigation on DDOS attack models in mobile networks
Haggerty et al. DiDDeM: a system for early detection of TCP SYN flood attacks
Haris et al. Anomaly detection of IP header threats
CN101453363A (en) Network intrusion detection system
Haris et al. TCP SYN flood detection based on payload analysis
KR20190007697A (en) System for detectig time-series improper action on the basis of network bandwidth
Zhang et al. Analysis of payload based application level network anomaly detection
Gairola et al. A review on dos and ddos attacks in cloud environment & security solutions

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 2004-07-07

Termination date: 2013-12-04