201223214

VI. Description of the Invention

[Technical Field]

The present invention relates to network security protection, and more particularly to a network hacker attack avoidance method for blocking distributed denial of service (DDoS) attacks.

[Prior Art]

With the rapid growth of the Internet, network use has become increasingly widespread. Many tasks no longer require leaving home and can be handled easily online; document workflows and procedures that once had to be completed in person can now be carried out over the network, and buying and selling stocks, booking flights and train tickets, and ordering goods online are all common uses today.

Security on the network has always been an important issue. Besides the interception of transmitted data, a network can be paralyzed so that its services are interrupted; network users are then unable to use the service, and the provider of the service suffers losses. For example, if the order-matching host of a stock market cannot serve during trading hours because the network has been paralyzed, tens of thousands of stock transactions are interrupted in an instant, and the loss is hard to estimate. The commonly known way of paralyzing a network is the distributed denial of service (DDoS) attack, which can roughly be divided into three phases:

The first phase is selecting the target of the attack: fixing the target's Internet address (IP) or URL and confirming the type of network service the target IP provides, for example a web server, a file server (FTP server) or a mail server (email server).

The second phase is preparation before the attack. Because the attack is to be launched from many places, a Trojan program is written in advance and implanted on the computers that will launch the attack; when the attack is launched, these Trojan-implanted computers send a large volume of packets to the target IP.

The third phase is the actual attack. The Trojan-implanted computers begin sending a massive volume of packets to the target, and this huge traffic and packet count instantly saturates the target's bandwidth, paralyzing the service host's services and achieving the purpose of the attack.

The conventional method of countering a distributed denial of service (DDoS) attack is mainly to find the computers (Internet addresses, IP) attacking the service host and block them with the firewall until network traffic returns to normal. On close examination, however, this conventional approach still has shortcomings. By the time the service host discovers it is under attack, its network is already paralyzed, and the period of paralysis is as long as the time needed to eliminate the attack, so the service host cannot provide network service for an extended period and suffers serious losses. Moreover, only a single IPS line connects the service host to the external network; when an attack occurs, this IPS line is the main point of congestion, so the service host cannot control the firewall at the other end of the IPS line to perform blocking. This makes blocking more difficult and prolongs the duration of the distributed denial of service (DDoS) attack.

In view of this, the inventor, drawing on many years of experience in the manufacture, development and design of related products, and with the above objectives in mind, after careful design and deliberation finally arrived at the present invention, which is truly practical.
[Summary of the Invention]

The technical problem addressed by the present invention is to provide a network hacker attack avoidance method that remedies the above shortcomings of the prior art.

The primary object of the present invention is that the service host records packet contents and determines, from the changes in the packet variation ΔP and the traffic variation ΔM, whether it is under a distributed denial of service (DDoS) attack, and then performs conditional blocking according to connection levels, so that the service host is not completely paralyzed at the instant it comes under attack, thereby reducing the losses the service host suffers from paralysis.

A secondary object of the present invention is that the service host makes an advance judgment based on packet contents, packet variation ΔP and traffic variation ΔM, so that it can learn early whether to control traffic and start the defence mechanism. This prevents the situation in which, after a sudden network attack, the firewall cannot be controlled to perform blocking because the network is already paralyzed, and thereby effectively blocks distributed denial of service (DDoS) attacks.

Another object of the present invention is that a front-end firewall is additionally installed in the original network equipment between the Internet and the router, and the front-end firewall is connected to the service host by an independent line that is used only by the service host to control the front-end firewall. The independent line is therefore unaffected by the distributed denial of service (DDoS) attack, and the service host can directly control the front-end firewall to block the attack, achieving effective blocking.

A further object of the present invention is that collecting and recording packet contents helps speed up the search for the offending Internet addresses (IP) that launch the distributed denial of service (DDoS) attack, so that the network attack can be eliminated early and the paralysis time of the service host effectively shortened.

Other objects, advantages and novel features of the present invention will become more apparent from the following detailed description and the accompanying drawings.

[Embodiments]

So that the examiner may better understand the objects, features and effects of the present invention, a preferred embodiment is described below with reference to the drawings.

Referring first to Figures 1 and 2, a network hacker attack avoidance method, directed mainly at distributed denial of service (DDoS) attacks, protects original network equipment (10) comprising the Internet (11), a router (12), a firewall (13) and a service host (14). The firewall (13) is placed between the service host (14) and the router (12), and the router (12) side connects to the Internet (11). A front-end firewall (20), an independent line (21) and an internal line (22) are added to the original network equipment (10). The front-end firewall (20) is placed between the router (12) of the original network equipment (10) and the Internet (11); the independent line (21) connects the front-end firewall (20) to the service host (14); and the internal line (22) connects the service host (14) to the firewall (13). When attacked, the service host (14) sends, over the independent line (21), commands to the front-end firewall (20) to block the lower connection levels, thereby shortening the time for which the service host (14) is paralyzed, and at the same time controls the firewall (13) over the internal line (22) to block attacks that may come from the internal network (15), thereby reducing the losses caused by the distributed denial of service (DDoS) attack. The implementation steps are as follows:

Step 1: The service host (14) collects connection data from the Internet (11) side and analyzes the packet contents, which include the source Internet address (IP), source port (PORT), destination Internet address (IP) and destination port (PORT). The data collection software is the MGTP monitoring tool, and the packet contents further include the network protocol (Protocol).

Step 2: Check whether the source Internet address (IP), source port (PORT), destination Internet address (IP) and destination port (PORT) constitute a normal connection, and record the source Internet address (IP).

Step 3: Distinguish connection levels according to the connection frequency of the Internet address (IP) and the user's permissions. The connection levels are divided into five: the first level is addresses that always connect (Always), the second level is Internet addresses (IP) that usually connect (Usually), the third level is Internet addresses (IP) that often connect (Often), the fourth level is Internet addresses (IP) that sometimes connect (Sometimes), and the fifth level is Internet addresses (IP) that never connect (Never). The level distinction may also be set according to the user's needs; the above is one preferred way of distinguishing connection levels in the present invention.

Step 4: Periodically update the Internet address (IP) data in each connection level.

Step 5: Analyze the packet contents to judge whether a distributed denial of service (DDoS) attack is under way, thereby achieving the effect of advance judgment.

Step 6: When there are too many similar abnormal packets, filter the traffic and start the defence mechanism. The traffic calculation mainly uses the packet variation ΔP and the traffic variation ΔM, where ΔP = P(T) − P(T−1) and ΔM = M(T) − M(T−1), T denoting time. Under normal network traffic both the packet variation ΔP and the traffic variation ΔM are below 10%; when the packet variation ΔP and the traffic variation ΔM exceed 11%, the host is regarded as being under network attack, thereby achieving the detection function. Both the packet variation ΔP and the traffic variation ΔM thresholds can be changed as variable settings.

Step 7: According to the traffic condition, progressively block the Internet addresses (IP) of lower connection levels so that Internet addresses (IP) of higher connection levels can still be used normally, thereby shortening the service interruption time for the higher-level Internet addresses (IP). The blocking rules by connection level are: the fifth level is refused connection when traffic exceeds 60%, the fourth level is refused connection when traffic exceeds 70%, the third level is refused connection when traffic exceeds 80%, the second level is refused connection when traffic exceeds 90%, and the first level is never disconnected regardless of the traffic volume, thereby postponing the time at which the network is paralyzed by the attack. The traffic ratios of these connection levels are default values; the user can adjust the traffic ratio at which service is interrupted according to need, improving the effectiveness of network protection.

Step 8: Find and eliminate the offending Internet addresses (IP) with abnormal packets, which removes the distributed denial of service (DDoS) attack.

The defence mechanism for the internal network (15) is further explained. Since a distributed denial of service (DDoS) attack may also be launched from the internal network (15), the present invention can also apply a tiered approach internally: the internal network (15) can be divided into three levels, VIP, user (USER) and guest (GUEST), likewise detected by the packet variation ΔP and the traffic variation ΔM. When traffic exceeds the preset value, the service host (14) disconnects connections level by level over the internal line (22) according to the connection levels set on the firewall (13), thereby postponing the time at which the network is paralyzed by the attack.

Referring also to Figure 3, the present invention places a control host (30) between the front-end firewall (20) and the service host (14). The control host (30) connects to the firewall (13) and the service host (14) by the internal line (22), and to the front-end firewall (20) by the independent line (21). Since most service hosts (14) lack the ability to change settings, a separate control host (30) is provided to perform traffic detection and preset-value changes and to control blocking by the firewall (13) and the front-end firewall (20). This improves the speed of detection, statistics and protection, and allows the defence mechanism to proceed unaffected when the service host (14) is delayed by the network attack.

With the structure of the above embodiment, the following benefits are obtained: (1) The service host (14) records packet contents and learns from the changes in the packet variation ΔP and the traffic variation ΔM whether it is under distributed denial of service (DDoS) attack, then performs conditional blocking by connection level, so that the service host (14) is not completely paralyzed at the instant of attack, reducing the losses caused by paralysis. (2) The service host (14) makes an advance judgment from the packet contents, the packet variation ΔP and the traffic variation ΔM, so it learns early whether to control traffic and start the defence mechanism, preventing the inability to control the firewall (13) after a sudden network attack paralyzes the network, and thereby effectively blocking distributed denial of service (DDoS) attacks. (3) A front-end firewall (20) is additionally installed in the original network equipment (10) between the Internet (11) and the router (12) and connected to the service host (14) by an independent line (21) used only by the service host (14) to control the front-end firewall (20); it is therefore unaffected by the distributed denial of service (DDoS) attack and lets the service host (14) directly control the front-end firewall (20) to block the attack, achieving effective blocking. (4) Collecting and recording packet contents helps speed up the search for the offending Internet addresses (IP) that launch the distributed denial of service (DDoS) attack, so that the attack can be eliminated early and the paralysis time of the service host (14) effectively shortened.

In summary, the present invention achieves a breakthrough structural design with improved inventive content; it has industrial applicability and inventive step, has not appeared in any publication and is therefore novel, and complies with the relevant provisions of the Patent Act. This application for an invention patent is accordingly filed, and the grant of a lawful patent right by the examiners would be deeply appreciated.

The foregoing is only a preferred embodiment of the present invention and is not to be taken as limiting its scope; all equivalent changes and modifications made in accordance with the claims of the present invention shall remain within the scope covered by the claims.

[Brief Description of the Drawings]

Figure 1 is a schematic structural diagram of the network hacker attack avoidance method of the present invention.
Figure 2 is a flow chart of the steps of the network hacker attack avoidance method of the present invention.
Figure 3 is another schematic structural diagram of the network hacker attack avoidance method of the present invention.

[Description of Main Reference Numerals]

Part of the present invention:
Original network equipment (10)    Internet (11)
Router (12)                        Firewall (13)
Service host (14)                  Internal network (15)
Front-end firewall (20)            Independent line (21)
Internal line (22)                 Control host (30)
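Worked example, added here as an illustration and not part of the applicant's text or any implementation of the patent: the following Python code applies the rules of Step 3 (five connection levels), Step 6 (ΔP and ΔM detection with the 10% / 11% thresholds) and Step 7 (graduated refusal at 60/70/80/90% traffic, first level never refused), and the same rule shape for the internal VIP / USER / GUEST tiers. Everything the patent leaves open is an assumption and is marked ASSUMED in the code: ΔP and ΔM are taken as percentage changes relative to the previous interval (the patent writes them as differences but states thresholds in percent), "traffic" in Step 7 is taken as percent of link capacity, the frequency bands that map an address to a level, the internal-tier thresholds, and all sample data (IP addresses, packet and byte counts) are constructed.

```python
# Added illustration of TW 201223214 steps 3, 6 and 7 and the internal tiers.
# Not the applicant's code. Values marked ASSUMED are not given by the patent.

# Step 3 connection levels: 1 = Always, 2 = Usually, 3 = Often,
# 4 = Sometimes, 5 = Never.
ALWAYS, USUALLY, OFTEN, SOMETIMES, NEVER = 1, 2, 3, 4, 5

# Step 7 rule: a level is refused once link utilisation (percent of capacity,
# ASSUMED reading of "traffic") exceeds its threshold. Level 1 has no entry
# because it is never refused.
BLOCK_THRESHOLDS = {NEVER: 60, SOMETIMES: 70, OFTEN: 80, USUALLY: 90}

# Step 6 thresholds (percent): below 10% is normal, above 11% is an attack.
NORMAL_MAX = 10.0
ATTACK_MIN = 11.0

# Internal-network tiers use the same rule shape. These utilisation thresholds
# are ASSUMED; the patent only says "preset value". VIP is never disconnected.
INTERNAL_THRESHOLDS = {"GUEST": 60, "USER": 80}


def relative_change(current, previous):
    """Percent change between consecutive intervals. The patent writes
    dP = P(T) - P(T-1) and dM = M(T) - M(T-1) but states the thresholds in
    percent, so the difference is normalised by the previous value (ASSUMED)."""
    if previous == 0:
        return 100.0 if current > 0 else 0.0
    return (current - previous) / previous * 100.0


def traffic_state(packets, traffic):
    """Step 6 on the latest interval: 'attack' when both dP and dM exceed
    ATTACK_MIN, 'normal' when both are below NORMAL_MAX, otherwise 'elevated'
    (the 10%-11% gap, which the patent does not assign; watch, do not block).
    packets: per-interval packet counts; traffic: per-interval byte counts."""
    dp = relative_change(packets[-1], packets[-2])
    dm = relative_change(traffic[-1], traffic[-2])
    if dp > ATTACK_MIN and dm > ATTACK_MIN:
        return "attack"
    if dp < NORMAL_MAX and dm < NORMAL_MAX:
        return "normal"
    return "elevated"


def classify(ip, history):
    """Step 3 by connection frequency. history is a list of sets, one per past
    interval, holding the source IPs seen in that interval. The frequency
    bands are ASSUMED; the patent names the levels but leaves the bands open."""
    if not history:
        return NEVER
    ratio = sum(ip in interval for interval in history) / len(history)
    if ratio == 1.0:
        return ALWAYS
    if ratio >= 0.75:
        return USUALLY
    if ratio >= 0.5:
        return OFTEN
    if ratio > 0:
        return SOMETIMES
    return NEVER


def blocked_levels(utilisation_pct):
    """Step 7: the connection levels refused at the given link utilisation."""
    return sorted(lvl for lvl, thr in BLOCK_THRESHOLDS.items()
                  if utilisation_pct > thr)


def refuse_external(ip, history, utilisation_pct):
    """True when an Internet-side source should be refused right now."""
    return classify(ip, history) in blocked_levels(utilisation_pct)


def refuse_internal(tier, utilisation_pct):
    """Internal-network rule: GUEST is cut first, then USER; VIP is kept."""
    thr = INTERNAL_THRESHOLDS.get(tier)
    return thr is not None and utilisation_pct > thr


# Constructed sample data (not captured from any real network).
HISTORY = [
    {"10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9"},
    {"10.0.0.5", "10.0.0.6", "10.0.0.7"},
    {"10.0.0.5", "10.0.0.8"},
    {"10.0.0.5", "10.0.0.6", "10.0.0.7"},
]
PACKETS = [1000, 1050, 1080, 2500]                 # packets per interval
TRAFFIC = [800_000, 820_000, 830_000, 2_100_000]   # bytes per interval


def demo():
    """Run the rules over the constructed data and return the decisions."""
    state = traffic_state(PACKETS, TRAFFIC)
    # ASSUMED: the attack interval drives utilisation to 85% of link capacity.
    utilisation = 85 if state == "attack" else 40
    candidates = HISTORY[0] | {"203.0.113.9"}      # one never-seen source
    return {
        "state": state,
        "blocked_levels": blocked_levels(utilisation),
        "refused": sorted(ip for ip in candidates
                          if refuse_external(ip, HISTORY, utilisation)),
        "guest_refused": refuse_internal("GUEST", utilisation),
        "vip_refused": refuse_internal("VIP", utilisation),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the intended effect of Step 7: at 85% utilisation only the Often, Sometimes and Never levels are refused, so the always-connecting address 10.0.0.5 and the usually-connecting 10.0.0.6 and 10.0.0.7 keep service while the rarely seen 10.0.0.8 and 10.0.0.9 and the never-seen 203.0.113.9 are cut, and on the internal side GUEST is refused while VIP is not.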