WO2011075922A1 - Method for detecting distributed denial of service attack - Google Patents

Method for detecting distributed denial of service attack

Info

Publication number: WO2011075922A1
Authority: WO (WIPO (PCT))
Prior art keywords: packet, data, network, attack, type
Application number: PCT/CN2010/000050
Other languages: French (fr), Chinese (zh)
Inventor: 安丙春
Original Assignee: 北京锐安科技有限公司
Application filed by 北京锐安科技有限公司
Publication of WO2011075922A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/16 Threshold monitoring

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Definitions

  • The invention belongs to the field of computer network security and in particular relates to a DDoS attack detection method.
  • Denial of service (DoS) attacks have a long history as a means of attack on the Internet. They mainly exploit defects in the TCP/IP protocol suite to exhaust the resources of the network providing a service, so that it can no longer provide normal service; they are malicious attacks that do great harm to networks.
  • Some denial of service attacks consume bandwidth, some consume the CPU and memory of network devices, and some crash the system.
  • Representative attacks include SYN flood, ICMP flood and UDP flood.
  • Initially, attacks were mostly launched against a target from a single computer, the DoS attack in the usual sense.
  • Attack technology has since progressed from the DoS mode to the DDoS mode, in which many computers under unified control use distributed technology to launch a denial of service attack against the target simultaneously; this is called a distributed denial of service attack.
  • The present invention aims to provide a DDoS attack detection method that can detect DDoS attacks in real time.
  • The invention combines multiple network features of DDoS attacks and detects them by comprehensive analysis.
  • A DDoS attack detection method, the steps of which are:
  • 1) A packet interception module parses the information of the incoming network packets;
  • the network packet information includes: packet type, IP address and port;
  • 2) A packet feature statistics module compiles statistics on the parsed network packet information and obtains the total number of packets intercepted per unit time, the number of packets of each type at the network layer, at the transport layer and at the application layer, the total number of IP addresses of the packets and the total number of ports;
  • 3) A statistical data processing module calculates the proportional distribution of each packet type among the total number of packets per unit time;
  • 4) A data analysis module calculates alarm thresholds for the network data from the stored historical data calculated in steps 2) and 3);
  • 5) The data analysis module determines whether the network data value in the current unit of time exceeds the alarm threshold of the corresponding network data, and if so submits that network data value to an attack analysis module;
  • 6) The attack analysis module generates a detection report from the network data values it receives.
  • The network packet information further includes the packet length of each packet type, and the packet feature statistics module also compiles statistics on the parsed packet lengths of each type.
  • The alarm threshold F of a packet type is calculated from the weighted averages F1 to Fn, where n is the number of time periods, kn is the weight corresponding to Fn, Q is a multiplicative factor, and Q > 1.
  • The packet types at the network layer include IP packets, ICMP packets and ARP packets;
  • the packet types at the transport layer include TCP packets, TCP SYN packets, TCP SYN-ACK packets and UDP packets;
  • the packet types at the application layer include DNS packets, RTP packets, QQ packets and HTTP packets.
  • The detection report is a network attack report that includes: attack type, attack target, attack source and attack scale.
  • The attack types include:
  • UDP flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, the UDP packet traffic exceeds the UDP packet traffic alarm threshold, the proportion of UDP packets among all network packets reaches the UDP packet share alarm threshold, and the average length of UDP packets falls to the set UDP packet length alarm threshold;
  • TCP SYN flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, the TCP SYN packet traffic exceeds the TCP SYN packet traffic alarm threshold, the ratio of TCP SYN packets to TCP SYN-ACK packets exceeds the TCP SYN-ACK packet ratio alarm threshold, the ratio of TCP SYN packets to all TCP packets exceeds the TCP SYN packet share alarm threshold, and the average length of TCP packets exceeds the TCP packet length alarm threshold;
  • TCP flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, the TCP network traffic exceeds the TCP packet traffic alarm threshold, and the proportion of TCP packets among all network packets exceeds the TCP packet share alarm threshold;
  • DNS attack type, identified as follows: the DNS packet traffic exceeds the DNS packet traffic alarm threshold, and the proportion of DNS packet traffic in the total traffic exceeds the DNS traffic share alarm threshold.
  • The attack scale is determined as follows: first, from the determined attack type, obtain the current attack traffic of the corresponding type; then compare it against both the traffic alarm threshold and the historical normal traffic of that packet type to estimate the scale of the current attack of that type.
  • The attack target is determined as follows: first count the number of packets sent to each destination IP address; then rank the destination IPs that receive a concentration of packets, and take the top-ranked IP as the target under attack.
  • The attack source IP is determined as follows: count packets by source IP address, order the source IPs from high to low by number of packets sent, and take the top-ranked IPs as the attack source IPs.
  • The detection report is a daily network monitoring report that includes: a line chart of network traffic at different times of the day; a line chart of the proportion of each packet type during the day; a pie chart of the average proportion of each packet type during the day; and a line chart of the average length of each packet type in the network at different times of the day.
  • The system of the present invention is divided into three subsystems: a network data detection subsystem, a network data display subsystem and an attack alarm subsystem.
  • The main function of the network data detection subsystem is to detect network data; it is divided into the following modules:
  • The device is connected to the monitored network and the network data is fed into the detection device.
  • The packet interception module parses the incoming packets. The parsing depth can be decided from the network traffic volume, the performance of the current device and the required detection security level: the deeper the parsing, the higher the device performance required, and the higher the security level, the deeper the detection needs to go. Depending on these factors, packet information can be parsed to the network layer, to the transport layer, or even to the application layer.
  • C. Count the number of packets of each type at the transport layer intercepted per unit time, including the number of TCP packets, TCP SYN packets, TCP SYN-ACK packets and UDP packets.
  • The data obtained is stored, keyed by time.
  • The alarm threshold for each time period is calculated from the historical data stored in (4) (history meaning the previous year, the previous months, the previous weeks and the previous days).
  • For example, the threshold for the proportion of UDP packets among all packets at a given moment t:
  • the average value F2 of the proportion of UDP packets among all packets is calculated for the same period on the days preceding the (t-a, t+a) period.
  • Q is a value greater than 1;
  • the threshold F is set to a multiple of the average calculated above.
  • Alarm thresholds for the other packet types are calculated in a similar way. These threshold data are updated in real time. Once a monitored value exceeds its set threshold, the information is submitted to the attack analysis module.
  • The attack analysis module mainly performs comprehensive analysis of the various types of alarm information obtained from the data analysis module and decides the type of attack, the attack target, the attack source and the scale of the attack.
  • UDP flood identification: the UDP packet traffic exceeds the UDP packet traffic threshold;
  • the proportion of UDP packets among all network packets rises to the UDP packet share threshold;
  • the average length of UDP packets falls to the UDP packet length threshold; this can be judged a UDP small-packet attack.
  • TCP SYN flood identification: the total network traffic exceeds the total traffic threshold;
  • the TCP SYN packet traffic exceeds the TCP SYN packet traffic threshold;
  • the ratio of TCP SYN packets to TCP SYN-ACK packets exceeds the TCP SYN-ACK packet ratio threshold;
  • the ratio of TCP SYN packets to all TCP packets exceeds the TCP SYN packet share threshold;
  • the average length of TCP packets exceeds the TCP packet length threshold.
  • TCP flood identification: the total network traffic exceeds the total traffic threshold;
  • the TCP network traffic exceeds the TCP packet traffic threshold;
  • the proportion of TCP packets among all network packets exceeds the TCP packet share threshold. The packet traffic of the many identifiable application protocols running over TCP does not exceed their thresholds.
  • DNS attack identification: the DNS packet traffic exceeds the DNS packet traffic threshold.
  • Attack scale: from the attack type determined in (a), obtain the current attack traffic of the corresponding type and compare it comprehensively with the threshold traffic and the historical normal traffic for that packet type to estimate the current scale of the attack of that type.
  • Attack target: the destination IPs of the abnormal packets are counted, the number of packets sent to each destination IP address is tallied, the destination IPs receiving a concentration of packets are ranked, and the top-ranked IP is determined to be the target of the attack.
  • Attack source: the source IP addresses of the abnormal packets are tallied, ordered from highest to lowest by number of packets sent, and the top-ranked IP is determined to be the attack source IP.
  • The main function of the detection report generation module is to generate an analysis report automatically from the data obtained by the modules above.
  • The first type of report mainly includes a line graph of network traffic at different times of the day; a line graph of the proportion of each packet type; a pie chart of the average proportion of each packet type during the day; and a line chart of the average number of packets of each type in the network at each time point.
  • The main data source for these charts is the network data monitoring module, which displays the day's data in real time. This is the routine detection report.
  • The network attack analysis report: once the system detects that the network is under attack, it generates this report by analysing the attack data at that moment.
  • Its main contents are: the scale of the attack;
  • the attack type, which may be a single attack type or a combination of several attack types;
  • attack target information, including IP address and physical location;
  • attack source information, including IP addresses and physical location. A distributed attack may have many source IPs; they are sorted by the attack volume from each IP address.
  • The network data display subsystem displays in real time the data statistically analysed and saved by the network data detection subsystem.
  • The display is mainly in the form of line graphs or pie charts.
  • The time granularity of the display can be adjusted to the circumstances: it can be shown in minutes, or in days and weeks.
  • The display range can also be adjusted to the situation: it can show the data for the current hour, or the data for the most recent week or month.
  • The main display contents are: (1) real-time display of the total network data traffic, as a line graph;
  • real-time display of the traffic of other application-layer data, as a line graph;
  • the system can select which application-layer protocols need focused monitoring according to the user's specific needs;
  • a pie chart of the share of TCP SYN and TCP SYN-ACK packets in the total TCP traffic.
  • When the network data detection subsystem detects that one or more of the network's data indicators exceed their thresholds, the alarm subsystem is activated and notifies the relevant personnel by on-screen display, sound and so on that the monitored network is under attack at that moment.
  • At the same time, the detection report generation module of the network data detection subsystem generates an attack report and submits it to the user.
  • FIG. 3 is a flow chart of the detection method of the present invention.
  • Detailed description: an out-of-line (bypass) detection device monitors the network traffic. Because the volume of network data is large, several detection devices can be used for distributed detection.
  • The network data stream flows into the network data detection subsystem.
  • The processing of the network data stream is shown in Figure 3.
  • The network data display subsystem shows in real time the various data obtained from the network data detection subsystem, so that the latest network conditions can be monitored.
  • The alarm subsystem sends out an alarm message and, at the same time, the detection report generation module generates a network attack analysis report.

Abstract

A method for detecting Distributed Denial of Service (DDoS) attacks is provided, in the field of computer network security. The method includes: 1) a packet interception module parses the information of the incoming network packets; 2) a packet feature statistics module compiles statistics on the parsed network packet information; 3) a statistical data processing module computes the proportion of each kind of packet among all packets within a unit time interval; 4) a data analysis module computes alarm thresholds for the network data from the stored historical data computed in steps 2) and 3); 5) the data analysis module determines whether the network data value within the current unit time interval exceeds the alarm threshold of the corresponding network data, and if it does, submits the network data value to an attack analysis module; 6) the attack analysis module generates a detection report based on the received network data value. Compared with the prior art, the present invention integrates the historical data of the network traffic, analyses the current network data in depth, and can recognise various kinds of DDoS attack.

Description

A DDoS attack detection method
Technical field
The invention belongs to the field of computer network security and in particular relates to a DDoS attack detection method.
Background art
Denial of service (DoS) attacks have a long history as a means of attack on the Internet. They mainly exploit defects in the TCP/IP protocol suite to exhaust the resources of the network providing a service, so that it can no longer provide normal service; they are malicious attacks that do great harm to networks. Some denial of service attacks consume bandwidth, some consume the CPU and memory of network devices, and some crash the system. Representative attack techniques include SYN flood, ICMP flood and UDP flood.
Initially, attacks were mostly launched against a target from a single computer, the DoS attack in the usual sense. As technology developed, attack techniques progressed from the DoS mode to the DDoS mode, in which many computers under unified control use distributed technology to launch a denial of service attack against the target simultaneously; this is called a distributed denial of service attack.
So far there is no good technique that can thoroughly detect and defend against denial of service attacks.
Summary of the invention
In view of the current threat that distributed denial of service attacks pose to the Internet, the object of the present invention is to propose a DDoS attack detection method that can detect DDoS attacks in real time. The invention combines multiple network features of DDoS attacks and completes the detection of DDoS attacks by comprehensive analysis.
The technical solution of the present invention is:
A DDoS attack detection method, the steps of which are:
1) A packet interception module parses the information of the incoming network packets; the network packet information includes: packet type, IP address and port;
2) A packet feature statistics module compiles statistics on the parsed network packet information and obtains the total number of packets intercepted per unit time, the number of packets of each type at the network layer, at the transport layer and at the application layer, the total number of IP addresses of the packets and the total number of ports;
3) A statistical data processing module calculates the proportional distribution of each packet type among the total number of packets per unit time;
4) A data analysis module calculates alarm thresholds for the network data from the stored historical data calculated in steps 2) and 3);
5) The data analysis module determines whether the network data value in the current unit of time exceeds the alarm threshold of the corresponding network data, and if so submits that network data value to an attack analysis module;
6) The attack analysis module generates a detection report from the network data values it receives.
Further, the network packet information also includes the packet length of each type of packet, and the packet feature statistics module also compiles statistics on the parsed packet lengths of each packet type.
Further, the statistical data processing module calculates the average length of each packet type per unit time.
Further, the data analysis module updates the alarm threshold of each packet type in real time. The alarm threshold is calculated as follows: first calculate the average value F1 of the proportion of this packet type among all packets over a period of time before and after a given moment; then calculate the average values up to Fn of the proportion of this packet type among all packets at the same moment several days, several weeks and several months earlier; finally, calculate the alarm threshold F of this packet type by the formula

$$F = \frac{k_1 F_1 + k_2 F_2 + \cdots + k_n F_n}{n} \times Q$$

where n is the number of time periods, kn is the weight corresponding to Fn, Q is a multiplicative factor, and Q > 1.
Further, the packet types at the network layer include IP packets, ICMP packets and ARP packets; the packet types at the transport layer include TCP packets, TCP SYN packets, TCP SYN-ACK packets and UDP packets; the packet types at the application layer include DNS packets, RTP packets, QQ packets and HTTP packets.
Further, the detection report is a network attack report that includes: attack type, attack target, attack source and attack scale.
Further, the attack types include:
1) UDP flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, the UDP packet traffic exceeds the UDP packet traffic alarm threshold, the proportion of UDP packets among all network packets reaches the UDP packet share alarm threshold, and the average length of UDP packets falls to the set UDP packet length alarm threshold;
2) TCP SYN flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, the TCP SYN packet traffic exceeds the TCP SYN packet traffic alarm threshold, the ratio of TCP SYN packets to TCP SYN-ACK packets exceeds the TCP SYN-ACK packet ratio alarm threshold, the ratio of TCP SYN packets to all TCP packets exceeds the TCP SYN packet share alarm threshold, and the average length of TCP packets exceeds the TCP packet length alarm threshold;
3) TCP flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, the TCP network traffic exceeds the TCP packet traffic alarm threshold, and the proportion of TCP packets among all network packets exceeds the TCP packet share alarm threshold;
4) DNS attack type, identified as follows: the DNS packet traffic exceeds the DNS packet traffic alarm threshold, and the proportion of DNS packet traffic in the total traffic exceeds the DNS traffic share alarm threshold.
Further, the attack scale is determined as follows: first, from the determined attack type, obtain the current attack traffic of the corresponding type; then compare it against both the traffic alarm threshold and the historical normal traffic of that packet type to estimate the scale of the current attack of that type.
Further, the attack target is determined as follows: first count the number of packets sent to each destination IP address; then rank the destination IPs that receive a concentration of packets, and take the top-ranked IP as the target under attack. The attack source IP is determined as follows: count packets by source IP address, order the source IPs from high to low by number of packets sent, and take the top-ranked IPs as the attack source IPs.
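As an added worked example (not code from the patent or its assignee), the following Python applies the four identification rules above, the attack scale comparison, and the destination and source IP ranking to one unit of time of statistics. The counters, threshold names, sample values and IP addresses are all constructed for illustration; "traffic" is taken to mean packets per unit time, which the patent leaves unspecified; and the same rules appear in the Definitions list at the top of the page.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class UnitStats:
    """Counters for one unit of time, as the packet feature statistics and
    statistical data processing modules would produce them. 'Traffic' is
    taken to be packets per unit time (an assumption of this example)."""
    total: int            # all packets intercepted in the unit of time
    udp: int
    tcp: int
    tcp_syn: int
    tcp_syn_ack: int
    dns: int
    udp_avg_len: float    # average UDP packet length, bytes
    tcp_avg_len: float    # average TCP packet length, bytes


# Threshold keys are this example's own names; each stands for one "alarm
# threshold" named in the claims. Values would normally come from the data
# analysis module; these are constructed sample values.
SAMPLE_THRESHOLDS: Dict[str, float] = {
    "total": 5000, "udp": 3000, "udp_share": 0.6, "udp_len": 100,
    "tcp_syn": 1000, "syn_to_syn_ack": 2.0, "syn_share_of_tcp": 0.5, "tcp_len": 400,
    "tcp": 4000, "tcp_share": 0.7,
    "dns": 500, "dns_share": 0.1,
}


def _ratio(num: int, den: int) -> float:
    """Ratio of two counters. An empty denominator counts as unbounded, so a
    SYN flood that draws no SYN-ACK replies at all still trips the ratio test."""
    return float("inf") if den == 0 else num / den


def classify_attack(s: UnitStats, th: Dict[str, float]) -> List[str]:
    """Apply the four identification rules. Every condition of a rule must
    hold, and several rules may fire in the same unit of time."""
    found: List[str] = []
    heavy = s.total > th["total"]
    if (heavy and s.udp > th["udp"]
            and _ratio(s.udp, s.total) >= th["udp_share"]
            and s.udp_avg_len <= th["udp_len"]):          # many small UDP packets
        found.append("UDP flood")
    if (heavy and s.tcp_syn > th["tcp_syn"]
            and _ratio(s.tcp_syn, s.tcp_syn_ack) > th["syn_to_syn_ack"]
            and _ratio(s.tcp_syn, s.tcp) > th["syn_share_of_tcp"]
            and s.tcp_avg_len > th["tcp_len"]):
        found.append("TCP SYN flood")
    if heavy and s.tcp > th["tcp"] and _ratio(s.tcp, s.total) > th["tcp_share"]:
        found.append("TCP flood")
    if s.dns > th["dns"] and _ratio(s.dns, s.total) > th["dns_share"]:   # no total-traffic condition
        found.append("DNS attack")
    return found


def attack_scale(current: int, threshold: float, historical_normal: float) -> Dict[str, float]:
    """Relate the current traffic of the attacked type to the alarm threshold
    and to the historical normal level. The patent asks for a 'comprehensive
    comparison' without fixing a formula, so both multiples are reported."""
    if threshold <= 0 or historical_normal <= 0:
        raise ValueError("threshold and historical normal traffic must be positive")
    return {"times_threshold": current / threshold, "times_normal": current / historical_normal}


Packet = Tuple[str, str]   # (source IP, destination IP) of one abnormal packet


def rank_ips(ips: Sequence[str], top: int) -> List[str]:
    """Addresses ordered by packet count, highest first; ties are broken by
    address so the ranking is deterministic."""
    counts = Counter(ips)
    return [ip for ip, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]]


def attack_targets(packets: Sequence[Packet], top: int = 1) -> List[str]:
    return rank_ips([dst for _, dst in packets], top)


def attack_sources(packets: Sequence[Packet], top: int = 3) -> List[str]:
    return rank_ips([src for src, _ in packets], top)


# Constructed unit-time statistics and abnormal packets for a UDP flood
# (private and RFC 5737 documentation addresses; not real traffic).
FLOOD_STATS = UnitStats(total=10000, udp=8000, tcp=1500, tcp_syn=200,
                        tcp_syn_ack=150, dns=100, udp_avg_len=60.0, tcp_avg_len=500.0)
FLOOD_PACKETS: List[Packet] = (
    [("198.51.100.1", "10.0.0.5")] * 3 + [("198.51.100.2", "10.0.0.5")] * 3
    + [("203.0.113.9", "10.0.0.5")] * 2 + [("203.0.113.9", "10.0.0.6")] * 2
    + [("192.0.2.7", "10.0.0.7")])


def demo() -> Dict[str, object]:
    """Assemble the attack report fields for the constructed UDP flood."""
    return {"types": classify_attack(FLOOD_STATS, SAMPLE_THRESHOLDS),
            "target": attack_targets(FLOOD_PACKETS)[0],
            "sources": attack_sources(FLOOD_PACKETS, top=2),
            "scale": attack_scale(FLOOD_STATS.udp, SAMPLE_THRESHOLDS["udp"], 1000)}


if __name__ == "__main__":
    print(demo())
```

Note that the DNS rule, as the claims state it, does not require the total traffic threshold to be crossed, so a DNS attack can be reported in an otherwise quiet unit of time; and because the rules are evaluated independently, a SYN flood large enough to dominate TCP traffic will usually also satisfy the TCP flood rule, which is the "combination of several attack types" the report format allows for.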
Further, the detection report is a daily network monitoring report that includes: a line chart of network traffic at different times of the day; a line chart of the proportion of each packet type during the day; a pie chart of the average proportion of each packet type during the day; and a line chart of the average length of each packet type in the network at different times of the day.
The system of the present invention is divided into three subsystems: a network data detection subsystem, a network data display subsystem and an attack alarm subsystem.
1. Network data detection subsystem
Its main function is to detect network data. It is divided into the following modules:
(1) Packet interception module.
The device is connected to the monitored network and the network data is fed into the detection device. This module parses the incoming packets. The parsing depth can be decided from the network traffic volume, the performance of the current device and the required detection security level: the deeper the parsing, the higher the device performance required, and the higher the security level, the deeper the detection needs to go. Depending on these factors, packet information can be parsed to the network layer, to the transport layer, or even to the application layer.
(2) Packet feature statistics module.
Compiles statistics on the parsed packet information; the specific work includes:
A. Count the total number of packets intercepted per unit time.
B. Count the number of packets of each type at the network layer intercepted per unit time, including the number of IP packets, ICMP packets, ARP packets and so on.
C. Count the number of packets of each type at the transport layer intercepted per unit time, including the number of TCP packets, TCP SYN packets, TCP SYN-ACK packets and UDP packets.
D. Count the number of packets of each type at the application layer intercepted per unit time, including DNS packets, RTP packets, QQ packets, HTTP packets and so on.
E. Count the IP addresses and ports of the packets intercepted per unit time.
F. Record the packet length of each type of packet.
(3) Statistical data processing module.
1) Calculate the proportional distribution of each packet type among the total number of packets per unit time.
2) Calculate the average length of each packet type per unit time.
(4) Data storage module
Store the data obtained in steps (2) and (3), keyed by time.
(5) Data analysis module.
From the historical data stored in (4) (history meaning the previous year, the previous months, the previous weeks and the previous days), calculate the alarm threshold for each time period.
For example, to calculate the threshold for the proportion of UDP packets among all packets at a given moment t:
First, look up in the database the period around that moment, (t-a, t+a), and take the average value F1 of the proportion of UDP packets among all packets in that period.
Then calculate the average value F2 of the proportion of UDP packets among all packets in the same period on the preceding days.
Calculate in the same way the average values up to Fn of the proportion at that moment in the preceding weeks and months.
Then assign a series of weights k1, k2, ..., kn to the respective averages.
阈值 Fudp的计算公式是:
Figure imgf000006_0001
The formula for calculating the threshold F udp is:
Figure imgf000006_0001
这里的 Q是一个大于 1的值, 是将阈值 F设为之前计算出来的平均值的一个倍数。 Here, Q is a value greater than 1, and the threshold F is set to a multiple of the previously calculated average.
使用类似的方法计算出其他数据包的报警阈值。 这些阈值数据是实时更新。 一旦某 个监控值超过了设定的阈值, 就会将该信息提交 "攻击分析模块"。  A similar method is used to calculate the alarm thresholds for other packets. These threshold data are updated in real time. Once a monitored value exceeds the set threshold, the information is submitted to the Attack Analysis Module.
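The threshold procedure just described, as an added worked example in Python (not code from the patent): the window half-width a, the reference-period offsets of one day, two days and one week, the constructed history samples and the rule of skipping reference periods with no stored data are all assumptions.

```python
DAY = 86_400  # seconds


def interval_average(history, center, half_width):
    """Mean of the stored samples whose timestamp falls in (center - a, center + a).

    history: list of (timestamp_seconds, value) as saved by the data storage
    module, keyed by time. Returns None when the interval holds no sample.
    """
    values = [v for ts, v in history
              if center - half_width < ts < center + half_width]
    return sum(values) / len(values) if values else None


def alarm_threshold(history, t, half_width, offsets, weights, q):
    """F = (k1*F1 + k2*F2 + ... + kn*Fn) / n * Q.

    F_i is the average of the monitored quantity in the window
    (t - offset_i - a, t - offset_i + a); offset_i says how far back the
    reference period lies (a day, a week, a month, ...) and k_i is its weight.
    Reference periods with no stored data are dropped from the sum and from n
    (assumption: the patent does not say how gaps in the history are treated).
    """
    if q <= 1:
        raise ValueError("Q must be greater than 1")
    if len(offsets) != len(weights):
        raise ValueError("one weight per reference period")
    terms = []
    for offset, k in zip(offsets, weights):
        f_i = interval_average(history, t - offset, half_width)
        if f_i is not None:
            terms.append(k * f_i)
    if not terms:
        raise ValueError("no historical data for any reference period")
    return sum(terms) / len(terms) * q


def exceeds_threshold(current_value, threshold):
    """True when the monitored value must be handed to the attack analysis module."""
    return current_value > threshold


def build_history(t, periods, step_s=300, span_s=600):
    """Constructed history: one UDP-share sample every step_s seconds within
    +/- span_s of the same time of day, for each (offset, share) in periods."""
    samples = []
    for offset, share in periods:
        for delta in range(-span_s, span_s + 1, step_s):
            samples.append((t - offset + delta, share))
    return samples


T = 100 * DAY          # constructed timestamp of the moment t under evaluation
A = 15 * 60            # half-width a of the (t-a, t+a) window: 15 minutes
HISTORY = build_history(T, [(DAY, 0.20), (2 * DAY, 0.24), (7 * DAY, 0.22)])

if __name__ == "__main__":
    thr = alarm_threshold(HISTORY, T, A, [DAY, 2 * DAY, 7 * DAY], [1.0, 1.0, 1.0], q=1.5)
    print(f"UDP share threshold at t: {thr:.3f}")                 # 0.330
    print("alarm for current share 0.45:", exceeds_threshold(0.45, thr))  # True
```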
(6) Attack analysis module
Its main task is to analyse together the various kinds of alarm information received from the "data analysis module" and to determine the attack type, the attack target, the attack source and the attack scale.
a. Determining the attack type.
(a) Identification of a UDP flood attack:
The total network traffic exceeds the total traffic threshold.
The UDP packet traffic exceeds the UDP packet traffic threshold.
The share of UDP packets among all network packets rises to the UDP packet share threshold.
The average UDP packet length falls to the configured UDP packet length threshold; this indicates a small-packet UDP attack.
(b) Identification of a TCP SYN flood attack
The total network traffic exceeds the total traffic threshold.
The TCP SYN packet traffic exceeds the TCP SYN packet traffic threshold.
The ratio of TCP SYN packets to TCP SYN-ACK packets exceeds the TCP SYN to SYN-ACK ratio threshold.
The ratio of TCP SYN packets to all TCP packets exceeds the TCP SYN share threshold.
The average TCP packet length exceeds the TCP packet length threshold.
(c) Identification of a TCP flood attack
The total network traffic exceeds the total traffic threshold.
The TCP traffic exceeds the TCP packet traffic threshold.
The share of TCP packets among all network packets exceeds the TCP packet share threshold, while the packet traffic of the many identifiable application protocols carried over TCP does not exceed their thresholds.
(d) DNS attack
The DNS packet traffic exceeds the DNS packet traffic threshold.
The share of DNS packet traffic in the total traffic exceeds the DNS traffic share threshold.
The total network traffic exceeds the total traffic threshold (this occurs when the attack is severe).
(e) Other newly emerging attack types can also be analysed by suitably combining the collected network traffic statistics. In a real environment an attack is often a combination of several attack types; in that case each is judged separately by the characteristics above.
b. Determining the attack scale
Based on the attack type determined in a, obtain the current attack traffic of that type and compare it against the threshold traffic for that packet type and the historical normal traffic to estimate the current scale of the attack of that type.
c. Attack target analysis
Count the destination IP addresses of the abnormal packets, that is, the number of packets sent to each destination IP address; rank the destination IPs on which traffic is concentrated and take the top-ranked IPs as the targets under attack.
d. Attack source IP analysis
Perform the same statistics on the source IP addresses of the abnormal packets, order them from high to low by the number of packets sent, and take the top-ranked IPs as the attack source IPs.
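Modules (2), (3) and (6) end to end, as an added Python example that is not the patent's code: it builds the window statistics from constructed packet records, applies the four rule sets above, ranks destination and source IPs of the abnormal packets, and relates the attack traffic to threshold and baseline. The packet record shape, the threshold values, the captured packets (documentation address ranges) and the scale metric are assumptions.

```python
from collections import Counter

def packet(src, dst, proto, length, flags=None, app=None):
    """One parsed packet record as handed on by the interception module
    (assumed shape; the patent fixes no record format)."""
    return {"src": src, "dst": dst, "proto": proto, "len": length,
            "flags": flags, "app": app}

def _avg_len(pkts):
    return sum(p["len"] for p in pkts) / len(pkts) if pkts else 0.0

def window_stats(pkts):
    """Packet feature statistics for one unit-time window: count per type,
    share of each type in the total, and average packet lengths."""
    total = len(pkts)
    if total == 0:
        raise ValueError("empty window")
    udp = [p for p in pkts if p["proto"] == "udp"]
    tcp = [p for p in pkts if p["proto"] == "tcp"]
    syn = [p for p in tcp if p["flags"] == "S"]
    synack = [p for p in tcp if p["flags"] == "SA"]
    dns = [p for p in pkts if p["app"] == "dns"]
    app_tcp = [p for p in tcp if p["app"] is not None]  # identifiable protocols over TCP
    return {
        "total": total,
        "udp": len(udp), "udp_ratio": len(udp) / total, "udp_avg_len": _avg_len(udp),
        "tcp": len(tcp), "tcp_ratio": len(tcp) / total, "tcp_avg_len": _avg_len(tcp),
        "syn": len(syn), "syn_ratio": len(syn) / len(tcp) if tcp else 0.0,
        "syn_to_synack": len(syn) / len(synack) if synack else float("inf"),
        "dns": len(dns), "dns_ratio": len(dns) / total,
        "app_tcp": len(app_tcp),
    }

def classify(s, th):
    """Apply the four rule sets of the description to window statistics s
    against alarm thresholds th; several types may match at once."""
    found = []
    if (s["total"] > th["total"] and s["udp"] > th["udp"]
            and s["udp_ratio"] >= th["udp_ratio"]
            and s["udp_avg_len"] <= th["udp_avg_len"]):
        found.append("UDP flood")            # small-packet UDP attack
    if (s["total"] > th["total"] and s["syn"] > th["syn"]
            and s["syn_to_synack"] > th["syn_to_synack"]
            and s["syn_ratio"] > th["syn_ratio"]
            and s["tcp_avg_len"] > th["tcp_avg_len"]):
        found.append("TCP SYN flood")
    if (s["total"] > th["total"] and s["tcp"] > th["tcp"]
            and s["tcp_ratio"] > th["tcp_ratio"]
            and s["app_tcp"] <= th["app_tcp"]):  # application traffic stays normal
        found.append("TCP flood")
    if s["dns"] > th["dns"] and s["dns_ratio"] > th["dns_ratio"]:
        found.append("DNS attack")
    return found

# Which packets count as abnormal for each attack type, and which statistic
# carries its traffic (assumptions; the description does not spell these out).
ABNORMAL = {
    "UDP flood": lambda p: p["proto"] == "udp",
    "TCP SYN flood": lambda p: p["proto"] == "tcp" and p["flags"] == "S",
    "TCP flood": lambda p: p["proto"] == "tcp",
    "DNS attack": lambda p: p["app"] == "dns",
}
TRAFFIC_KEY = {"UDP flood": "udp", "TCP SYN flood": "syn",
               "TCP flood": "tcp", "DNS attack": "dns"}

def rank_ips(pkts, attack_type, field, top=3):
    """Rank the destination ("dst") or source ("src") IPs of the abnormal
    packets by packet count, highest first: the top entries are the attack
    targets or the attack sources."""
    return Counter(p[field] for p in pkts if ABNORMAL[attack_type](p)).most_common(top)

def attack_scale(current, threshold, baseline):
    """Relate the current traffic of the attack type to its alarm threshold and
    to the historical normal traffic (the description names the three inputs
    but no metric; reporting both as multiples is an assumption)."""
    return {"times_threshold": current / threshold, "times_normal": current / baseline}

# Constructed capture of one unit-time window (documentation address ranges).
SAMPLE_WINDOW = (
    [packet("198.51.100.10", "203.0.113.5", "udp", 60) for _ in range(20)]
    + [packet("198.51.100.11", "203.0.113.5", "udp", 60) for _ in range(12)]
    + [packet("198.51.100.12", "203.0.113.5", "udp", 60) for _ in range(8)]
    + [packet("192.0.2.8", "203.0.113.7", "udp", 80, app="dns") for _ in range(2)]
    + [packet("192.0.2.9", "203.0.113.7", "tcp", 800, flags="A", app="http") for _ in range(6)]
    + [packet("192.0.2.9", "203.0.113.7", "tcp", 60, flags="S") for _ in range(2)]
    + [packet("203.0.113.7", "192.0.2.9", "tcp", 60, flags="SA") for _ in range(2)]
)
# Constructed alarm thresholds (in the patent these come from the data analysis module).
THRESHOLDS = {
    "total": 30, "udp": 20, "udp_ratio": 0.6, "udp_avg_len": 100,
    "syn": 50, "syn_to_synack": 3.0, "syn_ratio": 0.5, "tcp_avg_len": 500,
    "tcp": 40, "tcp_ratio": 0.7, "app_tcp": 30, "dns": 20, "dns_ratio": 0.3,
}

if __name__ == "__main__":
    stats = window_stats(SAMPLE_WINDOW)
    for kind in classify(stats, THRESHOLDS):          # ["UDP flood"]
        key = TRAFFIC_KEY[kind]
        print(kind, attack_scale(stats[key], THRESHOLDS[key], baseline=10))
        print("targets:", rank_ips(SAMPLE_WINDOW, kind, "dst"))
        print("sources:", rank_ips(SAMPLE_WINDOW, kind, "src"))
```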
(7) Detection report generation module
Its main function is to generate an analysis report automatically from the data obtained in the modules above.
Specifically, two kinds of report can be generated:
The first is the daily network monitoring report. It mainly contains a line chart of network traffic at different times of the day; line charts of the share of each packet type; a pie chart of the average share of each packet type for the day; and a line chart of the average number of packets of each type in the network at different times of the day. The main data source for these charts is the "network data monitoring module", which displays the data in real time during the day. This is a routine detection report.
The second is the network attack analysis report. Once the system detects that the network is under attack, it generates this report by analysing the attack data at that time.
Its main contents are: the scale of the attack;
the evolution of the attack (the rate of increase of the attack traffic, its duration and so on);
the attack type: a single attack type or a combination of several types;
attack target information: IP address, physical location information and so on;
attack source information: IP addresses, physical location information and so on. In a distributed attack there may be many source IPs; they are sorted here by the attack scale attributed to each IP address.
2. Network data display subsystem
Displays in real time the data statistically analysed and saved by the network data detection subsystem.
The display takes mainly the form of line charts and pie charts.
The time granularity of the display can be adjusted as needed: it may be minutes, or days or weeks. The display range can likewise be adjusted: it may show the data of the current hour, or of the most recent week or month.
The main contents displayed are: (1) real-time display of the total network traffic, as a line chart.
(2) Real-time display of the TCP traffic in the network data, as a line chart.
(3) Real-time display of the TCP SYN traffic in the network data, as a line chart.
(4) Real-time display of the TCP SYN-ACK traffic in the network data, as a line chart.
(5) Real-time display of the UDP traffic in the network data, as a line chart.
(6) Real-time display of the DNS traffic in the network data, as a line chart.
(7) Real-time display of the HTTP traffic in the network data, as a line chart.
(8) Real-time display of other application-layer traffic in the network data, as a line chart. The system lets the user select, according to their particular concerns, which application-layer protocols are to be monitored closely.
(9) Real-time line chart of the average UDP packet length.
(10) Real-time line chart of the average TCP packet length.
(11) Pie chart of the shares of UDP and TCP in the total network traffic.
(12) Pie chart of the shares of TCP SYN and TCP SYN-ACK packets in the total TCP traffic.
(13) Pie chart of the shares of the application-layer protocols of interest.
3. Attack alarm subsystem
When the network data detection subsystem detects that one or more of the network's data indicators exceeds its threshold, the alarm subsystem is started and reports to the responsible staff, by on-screen images, sound and similar means, that the monitored network is under attack at that moment. At the same time the detection report generation module of the network data detection subsystem generates an attack report and delivers it to the user.
Advantages and positive effects of the invention:
The distributed attack detection method of the invention is characterised in that:
1. It identifies DDoS attacks by considering the characteristics of many kinds of network data together.
2. It combines the historical data of network transmission with an in-depth analysis of the current network data to decide whether the network is under attack.
Brief description of the drawings
Figure 1: deployment location of the detection system;
Figure 2: device structure;
Figure 3: flow chart of the detection method of the invention.
Detailed description
The invention is described in further detail below with reference to the drawings and specific embodiments:
1. Connect the network traffic to the monitoring device in bypass mode.
Depending on the target to be protected, there are two choices for the access point.
(1) At the connection between the protected local area network and the external Internet, the network data is tapped in bypass mode.
(2) At an inter-provincial network egress, the bypass detection device inspects the network traffic; because the data volume there is very large, several detection devices can be used for distributed detection.
2. The network data stream first enters the "network data detection subsystem", which processes it as shown in Figure 3:
(1) The "packet interception module" of the "network data detection subsystem" parses the tapped packets.
(2) The "packet feature statistics module" computes statistics over the parsed data indicators of each protocol.
(3) The statistics are processed further.
(4) The resulting data is stored as the historical data of the network.
(5) On the basis of the accumulated historical data, the network data is analysed further and the thresholds of the various network data are computed.
(6) The various monitored network data are monitored against their thresholds.
(7) A network detection analysis report is generated from the monitored network data.
3. The "network data display subsystem" shows the various data obtained from the "network data detection subsystem" on screen in real time, so that operators can follow the current state of the network.
4. As soon as some network data is found to exceed the corresponding previously computed threshold, this message is passed to the "attack alarm subsystem",
which issues an alarm; at the same time the "detection report generation module" generates a network attack analysis report.

Claims

1. A DDoS attack detection method comprising the steps of:
1) a packet interception module parses the information of the incoming network packets, the network packet information comprising: packet type, IP address and port;
2) a packet feature statistics module computes statistics over the parsed network packet information, obtaining the total number of packets intercepted per unit time, the number of packets of each network-layer type, the number of packets of each transport-layer type, the number of packets of each application-layer type, and the total number of IP addresses and of ports of the packets;
3) a statistical data processing module computes, per unit time, the share of the total packet count accounted for by each packet type;
4) a data analysis module computes the alarm thresholds of the network data from the stored historical data computed in steps 2) and 3);
5) the data analysis module determines whether a network data value in the current unit time exceeds the alarm threshold of the corresponding network data and, if so, submits that network data value to an attack analysis module;
6) the attack analysis module generates a detection report from the received network data values.
2. The method of claim 1, wherein the network packet information further comprises the packet length of each type of packet, and the packet feature statistics module also computes statistics over the parsed packet lengths of each packet type.
3. The method of claim 2, wherein the statistical data processing module computes the average length of each packet type per unit time.
4. The method of claim 1, wherein the data analysis module updates the alarm threshold of each packet type in real time, and the alarm threshold is computed as follows: first compute the average share F1 of packets of a given type in the total packet count during a period around a given moment; then compute the average share of that packet type in the total packet count at the same moment on the preceding days, in the preceding weeks and in the preceding months, up to Fn; finally compute the alarm threshold F of that packet type by the formula
$$F = \frac{k_1 F_1 + k_2 F_2 + \cdots + k_n F_n}{n} \times Q$$
where n is the number of periods, kn is the weight corresponding to Fn, and Q is a multiplying factor with Q > 1.
5. The method of claim 4, wherein the network-layer packet types comprise IP packets, ICMP packets and ARP packets; the transport-layer packet types comprise TCP packets, TCP SYN packets, TCP SYN-ACK packets and UDP packets; and the application-layer packet types comprise DNS packets, RTP packets, QQ packets and HTTP packets.
6. The method of claim 1, wherein the detection report is a network attack report comprising the attack type, the attack target, the attack source and the attack scale.
7. The method of claim 6, wherein the attack types comprise:
1) the UDP flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, and the UDP packet traffic exceeds the UDP packet traffic alarm threshold, and the share of UDP packets in the total number of network packets reaches the UDP packet share alarm threshold, and the average UDP packet length falls to the configured UDP packet length alarm threshold;
2) the TCP SYN flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, and the TCP SYN packet traffic exceeds the TCP SYN packet traffic alarm threshold, and the ratio of TCP SYN packets to TCP SYN-ACK packets exceeds the TCP SYN to SYN-ACK ratio alarm threshold, and the ratio of TCP SYN packets to all TCP packets exceeds the TCP SYN share alarm threshold, and the average TCP packet length exceeds the TCP packet length alarm threshold;
3) the TCP flood attack type, identified as follows: the total network traffic exceeds the total traffic alarm threshold, and the TCP traffic exceeds the TCP packet traffic alarm threshold, and the share of TCP packets in the total number of network packets exceeds the TCP packet share alarm threshold;
4) the DNS attack type, identified as follows: the DNS packet traffic exceeds the DNS packet traffic alarm threshold, and the share of DNS packet traffic in the total traffic exceeds the DNS traffic share alarm threshold.
8. The method of claim 6, wherein the attack scale is determined as follows: first obtain, according to the determined attack type, the current attack traffic of the corresponding type; then compare it together with the traffic alarm threshold of that packet type and the historical normal traffic to estimate the current scale of the attack of that type.
9. The method of claim 6, wherein the attack target is determined as follows: first count the number of packets sent to each destination IP address; then rank the destination IPs on which traffic is concentrated and take the top-ranked IPs as the targets under attack; and the attack source IPs are determined as follows: count the packets by source IP address, order the source IPs from high to low by the number of packets sent, and take the top-ranked IPs as the attack source IPs.
10. The method of claim 1, wherein the detection report is a daily network monitoring report comprising: a line chart of network traffic at different times of the day; line charts of the share of each packet type during the day; a pie chart of the average share of each packet type for the day; and a line chart of the average length of each packet type in the network at different times of the day.
PCT/CN2010/000050 2009-12-22 2010-01-12 Method for detecting distributed denial of service attack WO2011075922A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2009102434413A CN101741847B (en) 2009-12-22 2009-12-22 Detecting method of DDOS (distributed denial of service) attacks
CN200910243441.3 2009-12-22

Publications (1)

Publication Number Publication Date
WO2011075922A1 true WO2011075922A1 (en) 2011-06-30

Also Published As

Publication number Publication date
CN101741847A (en) 2010-06-16
CN101741847B (en) 2012-11-07


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10838489

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 211112

122 Ep: pct application non-entry in european phase

Ref document number: 10838489

Country of ref document: EP

Kind code of ref document: A1