TWI711284B - Method for processing a distributed denial-of-service attack - Google Patents
Publication number: TWI711284B (Taiwan)
Description
The present invention relates to a method for processing network attacks, and in particular to a method for processing a distributed denial-of-service attack.
With the rapid development of computer networks, website platforms have become an important channel for companies to manage their brands and to profit from e-commerce. If a network platform is attacked by hackers so that it can no longer provide service, the resulting losses are hard to estimate.
A distributed denial-of-service attack (DDoS attack for short) is currently one of the most prevalent network attacks against network platforms. In a DDoS attack, one or more computers on the network simultaneously send many packets to the network platform host, so that the packet traffic the host receives at one time far exceeds its bandwidth, thereby blocking the services the platform provides. At present, the main defense of a website platform host against DDoS attacks is to monitor packet traffic: when the traffic of the packets sent by an external requester to the host exceeds the host's bandwidth, the external requester is treated as carrying out a DDoS attack and is blocked. However, judging whether an external requester is carrying out a DDoS attack solely from packet traffic still leaves many gaps; not only does it fail to block malicious users effectively, it also blocks well-intentioned users.
In view of this, there is a practical need for an improved method for processing distributed denial-of-service attacks that at least resolves the above shortcomings.
The present invention provides a method for processing a distributed denial-of-service attack that ensures the network platform can continue to provide network services and improves the accuracy of judging whether the network platform is under a distributed denial-of-service attack.
According to one embodiment of the present invention, a method for processing a distributed denial-of-service attack includes: receiving, through a network interface, a number of packets sent by an external requester within a time interval; detecting, with a processor, multiple processing times of the website platform host for those packets; inputting the processing times respectively into a machine learning model to produce multiple model output times; calculating, with the processor, multiple time error percentages between the model output times and the processing times, the time error percentages having a time error trend within the time interval; determining, with the processor, whether the time error trend is continuously rising, and if it is, further determining with the processor whether the time error percentage corresponding to the latest packet in the time interval is greater than a threshold interval; and, when the time error percentage corresponding to the latest packet is greater than the threshold interval, the processor determines that the external requester is carrying out a distributed denial-of-service attack on the website platform host, and after the time interval the processor executes a defense procedure against the external requester.
According to another embodiment of the present invention, a method for processing a distributed denial-of-service attack includes: receiving, through a network interface, a number of packets sent by an external requester within a time interval; detecting, with a processor, multiple processing times of the website platform host for those packets; inputting the processing times of the packets respectively into a machine learning model to produce multiple model output times; inputting multiple actual traffic values of the packets respectively into the machine learning model to produce multiple model output traffic values; calculating, with the processor, multiple time error percentages between the model output times and the processing times, the time error percentages having a time error trend within the time interval; calculating, with the processor, multiple traffic error percentages between the model output traffic values and the actual traffic values, the traffic error percentages having a traffic error trend within the time interval; determining, with the processor, whether the time error trend and the traffic error trend are both continuously rising, and if both are, further determining with the processor whether the time error percentage and the traffic error percentage corresponding to the latest packet in the time interval are both greater than a threshold interval; and, when the time error percentage and the traffic error percentage corresponding to the latest packet are both greater than the threshold interval, the processor determines that the external requester is carrying out a distributed denial-of-service attack on the website platform host and executes a defense procedure against the external requester after the time interval.
Since a malicious external requester may make many failed logins to the website platform host from multiple virtual IPs, it can paralyze the host's website even though the traffic of each failed login is small. According to the embodiments of distributed denial-of-service attack processing disclosed above, the basis for judging whether a network platform is under a distributed denial-of-service attack is not only the network traffic but also the website platform host's processing time for each packet, so the attack described above can be blocked effectively. In addition, before certain holidays there is often heavy network traffic that is not a malicious attack. Using processing time together with network traffic as the basis for judging a distributed denial-of-service attack avoids blocking well-intentioned external requesters. In this way the network platform can continue to provide network services, and the accuracy of judging whether the website platform host is under a distributed denial-of-service attack is improved.
The above description of the invention and the following description of the embodiments serve to demonstrate and explain the spirit and principle of the invention and to provide a further explanation of the scope of the claims.
100: distributed denial-of-service attack processing system
10: network interface
12: processor
14: memory
16: machine learning model
E: external requester
S: website platform host
FIG. 1 is a functional block diagram of the distributed denial-of-service attack processing system according to the first embodiment of the present invention.
FIG. 2 is a flowchart of the method for processing a distributed denial-of-service attack according to the first embodiment of the present invention.
FIG. 3 is a flowchart of the method for processing a distributed denial-of-service attack according to the second embodiment of the present invention.
FIG. 4 is a flowchart of the method for processing a distributed denial-of-service attack according to the third embodiment of the present invention.
FIG. 5A and FIG. 5B are flowcharts of the method for processing a distributed denial-of-service attack according to the fourth embodiment of the present invention.
FIG. 6A and FIG. 6B are flowcharts of the method for processing a distributed denial-of-service attack according to the fifth embodiment of the present invention.
FIG. 7A and FIG. 7B are flowcharts of the method for processing a distributed denial-of-service attack according to the sixth embodiment of the present invention.
The detailed features and advantages of the present invention are described in the following embodiments in enough detail for anyone skilled in the relevant art to understand the technical content of the invention and implement it accordingly; from the content disclosed in this specification, the claims and the drawings, anyone skilled in the relevant art can readily understand the related objects and advantages of the invention. The following embodiments further illustrate the invention in detail, but do not limit its scope in any respect.
FIG. 1 is a functional block diagram of the distributed denial-of-service attack processing system according to the first embodiment of the present invention. As shown in FIG. 1, the distributed denial-of-service (hereinafter DDoS) attack processing system 100 is placed on the connecting network between the external requester E and the network platform host S, and the DDoS attack processing system 100 is a dedicated device for judging whether the website platform host S that manages a website is under a DDoS attack. The DDoS attack processing system 100 includes a network interface 10, a processor 12 and a memory 14, and the processor 12 is electrically connected to the network interface 10 and the memory 14. When the external requester E continuously sends packets to the network platform host S over the network, the packets are first received and analyzed by the DDoS attack processing system 100, and then forwarded by the DDoS attack processing system 100 to the website platform host S. The description below uses one external requester E and one website platform host S as an example; it will be understood that the DDoS attack processing system and method of the present invention also apply to multiple external requesters E and multiple website platform hosts S.
As shown in FIG. 1, the network interface 10 includes, for example, an interconnection point between a user terminal and a private or public network, a network card on a computer host, an interconnection point between the Public Switched Telephone Network and a private terminal, or an interconnection point between two networks. The processor 12 includes, for example, a general-purpose processor, a digital signal processor (DSP), multiple microprocessors, one or more microprocessors associated with a DSP core, a controller, a microcontroller, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) circuit or a complex programmable logic device (CPLD). The memory 14 includes, for example, random access memory (RAM), read-only memory (ROM) or a hard disk. In this embodiment, the network interface 10 is a network card, the processor 12 is a general-purpose processor, and the memory 14 is RAM. The network interface receives the multiple packets sent by the external requester E. The processor 12 detects the website platform host S's processing time for each packet and the actual traffic of each packet, and stores the processing times and actual traffic data in the memory 14. The memory 14 stores a machine learning model 16, which receives the processing time and actual traffic data of each packet. The machine learning model 16 includes, for example, an auto-encoder neural network, Neuro-Linguistic Programming, a fuzzy logic model, a hidden Markov model, a decision tree, a Bayesian algorithm, a conditional random field or a support vector machine. In this embodiment, the machine learning model 16 is an auto-encoder neural network.
Before actual use, the auto-encoder neural network must first be trained on many training records collected over a predetermined period, and the collected training records must have been verified to be packets sent by normal network behaviour. In addition, the attributes of the selected training data must be sufficiently representative and interrelated to build an accurate model of the packets sent by normal network behaviour; these attributes include, for example, packets sent in the week before a long holiday, packets sent in the first week of each month, packets sent in the last week of each month, and packets sent on Fridays. After the auto-encoder has been trained on the selected training data, it is tested with new data of normal network behaviour that differs from the training data; if the error percentage between the auto-encoder's output and its input is less than a preset threshold interval (for example 1%~2%), the auto-encoder has been trained successfully.
FIG. 2 is a flowchart of the method for processing a DDoS attack according to the first embodiment of the present invention. As shown in FIG. 2, in step S201, the network interface 10 receives multiple packets sent continuously by the external requester E to the website platform host S within a time interval; the time interval may be adjusted according to the performance of the network interface 10. In step S202, the processor 12 detects multiple processing times (request times) of the website platform host S for those packets. In step S203, the processor 12 inputs the processing times respectively into the machine learning model 18 to produce multiple model output times; in this embodiment the machine learning model 18 is an auto-encoder neural network. In step S204, the processor 12 calculates multiple time errors between the model output times and the processing times. In step S205, the processor 12 divides each time error by the corresponding processing time to obtain multiple time error percentages, which have a time error trend within the time interval. In step S206, the processor 12 determines whether the time error trend is continuously rising; if it is not, the method proceeds to step S207, and if it is, to step S208. In step S207, the processor 12 determines that the external requester E is performing normal network behaviour toward the website platform host S and allows the external requester E to send packets to the website platform host S. In step S208, it is further determined whether the time error percentage corresponding to the latest packet in the time interval is greater than a threshold interval, where the threshold interval is for example between 1% and 2%; if the time error percentage of the latest packet is not greater than the threshold interval, the method proceeds to step S209, and if it is greater, to step S210. In step S209, the processor 12 determines that the external requester E is performing normal network behaviour toward the website platform host S and allows the external requester E to send packets to the website platform host S. In step S210, the processor 12 determines that the external requester E is carrying out a DDoS attack on the website platform host S, and the method proceeds to step S211. In step S211, the processor 12 executes a defense procedure against the external requester E after the time interval, where the defense procedure delays the response time of the website platform host S to the external requester E.
FIG. 3 is a flowchart of the method for processing a DDoS attack according to the second embodiment of the present invention. As shown in FIG. 3, the DDoS attack processing method of the second embodiment includes steps S301 to S311, where steps S301~S310 are the same as steps S201~S210 of the first embodiment. The difference is that in step S311, the defense procedure the processor 12 executes against the external requester E is replaced by placing the website platform host S's handling of the external requester E after the other external requesters. Specifically, if the website platform host S can tolerate at most 1000 external requesters logged in at the same time, an external requester that the processor 12 has judged to be carrying out a DDoS attack is queued so that it is handled only after the website platform host S has finished handling 1000 external requesters. If multiple external requesters are judged to be carrying out DDoS attacks, they are queued in the order in which they sent packets to the website platform host S.
FIG. 4 is a flowchart of the method for processing a DDoS attack according to the third embodiment of the present invention. As shown in FIG. 4, the DDoS attack processing method of the third embodiment includes steps S401 to S411, where steps S401~S410 are the same as steps S201~S210 of the first embodiment. The difference is that in step S411, the defense procedure the processor 12 executes against the external requester E is replaced by blocking the packets the external requester E sends to the website platform host S after the time interval.
FIG. 5A and FIG. 5B are flowcharts of the method for processing a DDoS attack according to the fourth embodiment of the present invention. As shown in FIG. 5A, in step S501, the network interface 10 receives multiple packets sent continuously by the external requester E to the website platform host S within a time interval, and then steps S502 and S503 are executed respectively. In step S502, the processor 12 detects multiple processing times of the website platform host S for those packets, and then step S504 is executed. In step S503, the processor 12 detects multiple actual traffic values of those packets, and then step S505 is executed. In step S504, the processor 12 inputs the processing times respectively into the machine learning model 18 to produce multiple model output times; in this embodiment the machine learning model 18 is an auto-encoder neural network; then step S506 is executed. In step S505, the processor 12 inputs the actual traffic values respectively into the machine learning model 18 to produce multiple model output traffic values, and then step S507 is executed. In step S506, the processor 12 calculates multiple time errors between the model output times and the processing times, and then step S508 is executed. In step S507, the processor 12 calculates multiple traffic errors between the model output traffic values and the actual traffic values, and then step S509 is executed. In step S508, the processor 12 divides each time error by the corresponding processing time to obtain multiple time error percentages, which have a time error trend within the time interval, and then step S510 is executed. In step S509, the processor 12 divides each traffic error by the corresponding actual traffic value to obtain multiple traffic error percentages, which have a traffic error trend within the time interval, and then step S510 is executed.
As shown in FIG. 5B, in step S510, the processor 12 determines whether the time error trend and the traffic error trend are both continuously rising. If they are not both continuously rising (one of them is not, or neither is), the method proceeds to step S511; if both are continuously rising, it proceeds to step S512. In step S511, the processor 12 determines that the external requester E is performing normal network behaviour toward the website platform host S and allows the external requester E to continue sending packets to the website platform host S.
In step S512, it is further determined whether the time error percentage and the traffic error percentage corresponding to the latest packet in the time interval are both greater than a threshold interval, where the threshold interval is for example between 1% and 2%. If the time error percentage and the traffic error percentage of the latest packet are not both greater than the threshold interval (only one of them is, or neither is), the method proceeds to step S513; if both are greater than the threshold interval, it proceeds to step S514. In step S513, the processor 12 determines that the external requester E is performing normal network behaviour toward the website platform host S and allows the external requester E to continue sending packets to the website platform host S. In step S514, the processor 12 determines that the external requester E is carrying out a DDoS attack on the website platform host S, and the method proceeds to step S516. In step S516, the processor 12 executes a defense procedure against the external requester E after the time interval, where the defense procedure delays the response time of the website platform host S to the external requester E.
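The decision logic of the first embodiment (steps S203 to S210, processing time only) and the fourth embodiment (steps S504 to S514, processing time and traffic together), written out as an added example that is not the patent's own code. The trained auto-encoder is replaced by a stand-in baseline model, the threshold interval "1%~2%" is applied as a 2% upper bound, "continuously rising" is taken to mean strictly increasing across the interval, and all packet values are constructed sample data; each of these is an assumption.

```python
"""Added example of the patent's detection decision; not the patent's own code.
Assumptions: a stand-in baseline model instead of the trained auto-encoder,
a 2% threshold, 'continuously rising' = strictly increasing, constructed data."""
from dataclasses import dataclass
from typing import List, Sequence

# Assumption: the threshold interval "1%~2%" is applied as an upper bound of 2%.
THRESHOLD = 0.02


@dataclass(frozen=True)
class Packet:
    """One packet observed in the time interval (constructed sample data)."""
    seq: int              # arrival order; the highest seq is the "latest" packet
    proc_time_ms: float   # host processing time detected by the processor
    traffic_bytes: float  # actual traffic of the packet


def baseline_model(values: Sequence[float], baseline: float) -> List[float]:
    """Stand-in for the trained auto-encoder (assumption, not the patent's model):
    a model trained only on normal behaviour reconstructs roughly the normal
    baseline, so every output is the learned baseline value."""
    return [baseline for _ in values]


def error_percentages(model_out: Sequence[float], actual: Sequence[float]) -> List[float]:
    """Steps S204/S205 and S506 to S509: |model output - actual| divided by actual."""
    return [abs(m - a) / a for m, a in zip(model_out, actual)]


def is_continuously_rising(errors: Sequence[float]) -> bool:
    """Assumption: 'continuously rising' means every error percentage exceeds the
    previous one across the whole interval (strictly monotonic)."""
    return len(errors) >= 2 and all(b > a for a, b in zip(errors, errors[1:]))


def judge_by_time(packets: Sequence[Packet], baseline_ms: float) -> bool:
    """First embodiment (steps S203 to S210): attack only if the time-error trend
    rises continuously AND the latest packet's time error exceeds the threshold."""
    ordered = sorted(packets, key=lambda p: p.seq)
    times = [p.proc_time_ms for p in ordered]
    errs = error_percentages(baseline_model(times, baseline_ms), times)
    return is_continuously_rising(errs) and errs[-1] > THRESHOLD


def judge_by_time_and_traffic(packets: Sequence[Packet], baseline_ms: float,
                              baseline_bytes: float) -> bool:
    """Fourth embodiment (steps S504 to S514): both the time-error trend and the
    traffic-error trend must rise continuously, and both latest-packet errors
    must exceed the threshold. A holiday flash crowd (traffic up, processing
    time flat) therefore does not trigger."""
    ordered = sorted(packets, key=lambda p: p.seq)
    times = [p.proc_time_ms for p in ordered]
    traffic = [p.traffic_bytes for p in ordered]
    t_errs = error_percentages(baseline_model(times, baseline_ms), times)
    f_errs = error_percentages(baseline_model(traffic, baseline_bytes), traffic)
    both_rising = is_continuously_rising(t_errs) and is_continuously_rising(f_errs)
    return both_rising and t_errs[-1] > THRESHOLD and f_errs[-1] > THRESHOLD


# Constructed sample windows (not measurements from the patent).
NORMAL = [Packet(i, 10.0 + (i % 2) * 0.05, 500.0) for i in range(5)]
FLASH_CROWD = [Packet(i, 10.0 + 0.01 * i, 500.0 * (1.0 + 0.2 * i)) for i in range(5)]
ATTACK_WINDOW = [Packet(i, 10.0 * (1.0 + 0.03 * i), 500.0 * (1.0 + 0.03 * i))
                 for i in range(5)]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("flash crowd", FLASH_CROWD),
                         ("attack", ATTACK_WINDOW)):
        print(name, judge_by_time(window, 10.0),
              judge_by_time_and_traffic(window, 10.0, 500.0))
```

The flash-crowd window shows why the fourth embodiment checks both signals: its traffic error rises well past the threshold, but its processing-time error stays under 2%, so it is not flagged.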
FIG. 6A and FIG. 6B are flowcharts of the method for processing a DDoS attack according to the fifth embodiment of the present invention. As shown in FIG. 6A and FIG. 6B, the DDoS attack processing method of the fifth embodiment includes steps S601 to S616, where steps S601~S615 are the same as steps S501~S515 of the fourth embodiment. The difference is that in step S616, the defense procedure the processor 12 executes against the external requester E is replaced by placing the website platform host S's handling of the external requester after the other external requesters. Specifically, if the website platform host S can tolerate at most 1000 external requesters logged in at the same time, an external requester E that the processor 12 has judged to be carrying out a DDoS attack is queued so that it is handled only after the website platform host S has finished handling 1000 external requesters. If multiple external requesters are judged to be carrying out DDoS attacks, they are queued in the order in which they sent packets to the website platform host S.
FIG. 7A and FIG. 7B are flowcharts of the method for processing a DDoS attack according to the sixth embodiment of the present invention. As shown in FIG. 7A and FIG. 7B, the DDoS attack processing method of the sixth embodiment includes steps S701 to S716, where steps S701~S715 are the same as steps S501~S515 of the fifth embodiment. The difference is that in step S716, the defense procedure the processor 12 executes against the external requester E is replaced by blocking the packets the external requester E sends to the website platform host S after the time interval.
In addition, in any of the above embodiments, after the processor 12 determines that the external requester E is carrying out a DDoS attack, the network address of the external requester E may further be entered into a blacklist database stored in the memory 14, to facilitate subsequent tracking and analysis.
In summary, since a malicious external requester may make many failed logins to the website platform host from multiple virtual IPs, it can paralyze the website platform host even though the traffic of each failed login is small. According to the embodiments of DDoS attack processing disclosed above, the basis for judging whether a network platform is under a DDoS attack is not only the network traffic but also the website platform host's processing time for each packet, so the DDoS attack described above can be blocked effectively. In addition, before certain holidays there is often heavy network traffic that is not a malicious attack. Using processing time together with network traffic as the basis for judging a DDoS attack avoids blocking well-intentioned external requesters. In this way the network platform can continue to provide network services, and the accuracy of judging whether the website platform host is under a DDoS attack is improved.
Although the present invention is disclosed in the foregoing embodiments, they are not intended to limit the invention. All changes and modifications made without departing from the spirit and scope of the invention fall within the scope of its patent protection. For the scope of protection defined by the invention, refer to the appended claims.
Claims (15)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108123845A TWI711284B (en) | 2019-07-05 | 2019-07-05 | Method for processing a distributed denial-of-service attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108123845A TWI711284B (en) | 2019-07-05 | 2019-07-05 | Method for processing a distributed denial-of-service attack |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI711284B true TWI711284B (en) | 2020-11-21 |
TW202103476A TW202103476A (en) | 2021-01-16 |
Family
ID=74202155
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW108123845A TWI711284B (en) | 2019-07-05 | 2019-07-05 | Method for processing a distributed denial-of-service attack |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI711284B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100370757C (en) * | 2004-07-09 | 2008-02-20 | 国际商业机器公司 | Method and system for dentifying a distributed denial of service (DDOS) attack within a network and defending against such an attack |
CN107800727A (en) * | 2017-12-12 | 2018-03-13 | 蔡昌菊 | A kind of DDoS detection methods |
Legal events
- 2019-07-05 TW TW108123845A patent TWI711284B active
Also Published As
Publication number | Publication date |
---|---|
TW202103476A (en) | 2021-01-16 |