WO2015078388A1 - 针对拒绝服务攻击的处理方法及装置 - Google Patents

针对拒绝服务攻击的处理方法及装置 Download PDF

Info

Publication number
WO2015078388A1
WO2015078388A1 PCT/CN2014/092388 CN2014092388W WO2015078388A1 WO 2015078388 A1 WO2015078388 A1 WO 2015078388A1 CN 2014092388 W CN2014092388 W CN 2014092388W WO 2015078388 A1 WO2015078388 A1 WO 2015078388A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
website
attacked
denial
attack
Prior art date
Application number
PCT/CN2014/092388
Other languages
English (en)
French (fr)
Inventor
何振科
赵武
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司 filed Critical 北京奇虎科技有限公司
Publication of WO2015078388A1 publication Critical patent/WO2015078388A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Definitions

  • the present invention relates to the field of internet technologies, and in particular, to a processing method and apparatus for a denial of service attack.
  • DoS Denial Of Service
  • the present invention has been made in order to provide a processing method and corresponding apparatus for a denial of service attack that overcomes the above problems or at least partially solves or alleviates the above problems.
  • a processing method for a denial of service attack including: determining that a first server is subjected to a denial of service attack; acquiring a plurality of websites located on the first server, in the plurality of websites Determining the attacked website and/or the website that is not attacked separately; parsing the domain name of the attacked website to an IP (Internet Protocol) address corresponding to the second server, and the second server is anti-attack server.
  • IP Internet Protocol
  • a processing apparatus for a denial of service attack including:
  • a detecting module configured to determine that the first server is subjected to a denial of service attack
  • a determining module configured to acquire a plurality of websites located on the first server, and determine, in the plurality of websites, the attacked website and/or the website that is not attacked;
  • a modification module configured to resolve the domain name of the attacked website to an IP address corresponding to the second server, where the second server is an anti-attack server.
  • a computer program comprising computer readable code, when the computer readable code is run on a computing device, causing the computing device to perform according to any of the above Handling methods for denial of service attacks.
  • a computer readable medium wherein the computer program described above is stored.
  • the embodiment of the present invention acquires a plurality of websites located on the first server, and determines, in the plurality of websites, the attacked website and/or the website that is not attacked, Parsing the domain name of the attacked website to the IP address corresponding to the second server against the attack. Therefore, the present invention can transfer the access traffic when the first server initiates the denial of service attack to the anti-attack server, which not only ensures the legitimate user access to the website that has not been attacked, but also ensures that the legitimate user is affected. Access to the attacked website. Therefore, the present invention can solve the problem that a legitimate user request cannot be passed due to lack of network system resources caused by the DOS attack on the first server.
  • FIG. 1 is a schematic flowchart of a processing method for a denial of service attack according to an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a method for processing a denial of service attack according to another embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a processing method for a denial of service attack according to another embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a processing apparatus for a denial of service attack according to an embodiment of the present invention.
  • Figure 5 is a schematic block diagram of a computing device for performing a processing method for a denial of service attack in accordance with the present invention
  • Fig. 6 schematically shows a storage unit for holding or carrying program code implementing a processing method for a denial of service attack according to the present invention.
  • FIG. 1 is a schematic flowchart of a method for processing a denial of service attack according to an embodiment of the present invention. As shown in FIG. 1 , the method in this embodiment includes at least 101 to 103 below.
  • a service platform (such as a website protection server) that provides protection for a website may determine whether the first server is subjected to a denial of service attack, wherein the service provided by the service platform specifically includes a website firewall, DOS protection, and intelligence. Services such as the Domain Name System (DNS).
  • DNS Domain Name System
  • the step 101 may be implemented in multiple manners, such as detecting a system resource occupancy rate or a network bandwidth usage rate of the first server, and the following two methods are detailed. Introduction.
  • Method 1 The method for detecting the system resource occupancy rate of the first server.
  • the website protection server determines that the first server is subjected to a denial of service attack when the system resource occupancy rate of the first server exceeds a first predetermined threshold, wherein the first predetermined threshold may be that the first server is configured according to its own hardware. If the current system resource occupancy rate of the first server exceeds 80%, it can be determined that the first server is subjected to a denial of service attack.
  • Manner 2 The method for detecting the network bandwidth occupancy of the first server.
  • the website protection server determines that the first server is subjected to a denial of service attack when the network bandwidth usage of the first server exceeds a second predetermined threshold, wherein the second predetermined threshold may be the first server according to the network operator.
  • the ratio of the pre-set network bandwidth usage threshold (such as 100%) between the contracted network bandwidths. If the current network bandwidth usage of the first server exceeds 100% of the contracted network bandwidth, the first server may be determined to be subjected to a denial of service attack. .
  • the first server when the first server is subjected to a traffic attack, it may find that connecting to the first server by using a remote terminal may fail. Or, use the Netstat-na command on the first server, assuming there is A large number of SYN_RECEIVED, TIME_WAIT, FIN_WAIT_1 and other states exist, and ESTABLISHED is rare, it can be determined that the first server is suffering from a denial of service attack such as resource exhaustion. Alternatively, the first server may count whether the frequency of receiving a certain type of attack packet is greater than a preset threshold, and if it is greater, the attack occurs. Alternatively, the first server may analyze whether the received packet has the characteristics of the attack packet to determine whether an attack occurs. Alternatively, the first server may extract the traffic characteristics under normal conditions, and then detect the current traffic characteristics in real time, and compare them with the characteristics of the normal traffic. If there is a significant difference, it may indicate that the traffic may be attacked.
  • the first server stores a plurality of websites, wherein each website corresponds to a domain name.
  • the website protection server may parse the domain name of the website according to the domain name in the access request.
  • the website protection server is provided with a correspondence between the domain name of the plurality of websites and the IP address of the first server.
  • the website protection server may obtain the domain names of the multiple websites according to the preset correspondence between the domain name of the plurality of websites and the IP address of the first server, and The websites that are determined to be attacked and/or the websites that are not attacked are respectively determined in the plurality of websites, and the specific implementation includes:
  • Detecting the traffic of the packet initiated by each of the multiple websites determining whether the packet traffic exceeds the traffic threshold corresponding to the website, and if yes, determining that the website is attacked, otherwise determining the website Not attacked.
  • the website protection server can resolve the domain name of the attacked website to the anti-attack.
  • the IP address corresponding to the attacked second server that is, the correspondence between the domain name and the IP address of the website in the DNS is modified, and the correspondence between the original website domain name and the IP address of the first server is modified to the website domain name and the first The correspondence between the IP addresses of the two servers.
  • the first server is pre-configured in the website protection server. The correspondence between the IP address (such as 192.168.1.100) and the IP address of the second server against the attack (such as 192.168.1.200).
  • the second server against attacks for example, has sufficient network bandwidth guarantee, high-configuration hardware features, and enhances the operating system's TCP/IP stack to at least effectively combat 100,000 attack packets per second.
  • FIG. 2 is a schematic flowchart of a processing method for a denial of service attack according to another embodiment of the present invention. As shown in FIG. 2, after step 103, the following 104 is further included.
  • the access traffic in the first server cannot be immediately decreased, so that the legitimate user can be normal.
  • Access to all sites on the first server can be done by means of an alternate server.
  • the website protection server is pre-configured with an alternate server, and the priority of each of the backup servers may be different.
  • the domain name of the website that is not attacked may be resolved to the IP address corresponding to the third server of the high priority.
  • the website protection server is pre-configured with a correspondence between the IP address of the first server and the IP address of the standby server, wherein there may be multiple standby servers, and the priority of each standby server may be different.
  • the high-priority third server in this embodiment may be a first standby server with high priority, with sufficient network bandwidth guarantee, high configuration hardware features, and enhanced operating system TCP. /IP stack.
  • FIG. 3 is a needle according to still another embodiment of the present invention.
  • a schematic flowchart of a processing method for a denial of service attack, as shown in FIG. 3, further includes the following 105 after step 103.
  • attack source tracking technology can be used to quickly find the real location of the attacker (such as the attacker's IP address).
  • the attacker usually forges the source IP address, and the routing of the data packet has strong disorder.
  • each data packet must pass through the attacker to the target device (the first server in this embodiment). Route forwarding between the two. Therefore, the attack path can be reconstructed by marking or recording the forwarded data packet through the router.
  • a log-based tracking technique Hash-based
  • edge-based probability can be used.
  • PPM Packet Marking Technology
  • the tracking technology for the log recording and the probabilistic packet marking technology based on the edge can be the prior art, which is not limited by the present invention.
  • the IP address of the attacker is added to the blacklist to be blocked. Therefore, when the access request initiated by the IP address in the blacklist is detected to the first server, the access request may be restricted, and the DOS attack on the first server may be prevented.
  • the method further includes: when it is determined that the first server is no longer subject to a denial of service attack, and determining that the attacked website is no longer attacked, The domain name resolution of the attacked website is re-parsed from the IP address corresponding to the second server to the IP address corresponding to the first server.
  • the website protection server may modify the correspondence between the website domain name and the IP address in the DNS. Re-parse the domain name of the attacked website to the IP address corresponding to the first server.
  • the method further includes: when it is determined that the first server is not subjected to a denial of service attack, the domain name resolution of the website that is not attacked is corresponding to the third server.
  • the IP address is re-parsed to the IP address corresponding to the first server.
  • the embodiment of the present invention acquires a plurality of websites located on the first server, and determines, in the plurality of websites, the attacked website and/or the website that is not attacked, Parsing the domain name of the attacked website to the IP address corresponding to the second server against the attack.
  • the invention can transfer the access traffic when the first server initiates the denial of service attack to the anti-attack server, and not only ensures the legitimate user to the website that has not been attacked. Access, but also to ensure that legitimate users have access to the attacked website. Therefore, the present invention can solve the problem that a legitimate user request cannot be passed due to lack of network system resources caused by the DOS attack on the first server.
  • the IP address of the attacker that initiates the denial of service attack on the first server is obtained, and the IP address of the attacker is added to the blacklist to be masked, so that the IP address pair in the blacklist is subsequently detected.
  • the access request may be restricted, and the DOS attack on the first server may be prevented.
  • FIG. 4 is a schematic structural diagram of a processing apparatus for a denial of service attack according to an embodiment of the present invention. As shown in FIG. 4, the method includes:
  • the detecting module 41 is configured to determine that the first server is subjected to a denial of service attack
  • a determining module 42 configured to acquire a plurality of websites located on the first server, and determine, in the plurality of websites, the attacked website and/or the website that is not attacked;
  • the modification module 43 is configured to resolve the domain name of the attacked website to an IP address corresponding to the second server, where the second server is an anti-attack server.
  • the modifying module 43 is further configured to parse the domain name of the website that is not attacked to an IP address corresponding to the third server, where the third server is a high priority server.
  • the detecting module 41 is configured to determine that the first server is determined when the system resource occupancy rate of the first server exceeds a first predetermined threshold or the network bandwidth occupancy of the first server exceeds a second predetermined threshold. A denial of service attack.
  • the determining module 42 is configured to detect, respectively, the packet traffic initiated by each of the multiple websites, and determine whether the packet traffic exceeds a traffic threshold corresponding to the website, and if yes, determine The website is attacked, otherwise it is determined that the website is not attacked.
  • the modification module 43 is further configured to obtain an IP address of an attacker that initiates a denial of service attack on the first server, and add the IP address of the attacker to the blacklist for screening.
  • the modifying module 43 is further configured to: when determining that the first server is not subjected to a denial of service attack, and determining that the attacked website is no longer attacked, parsing the domain name of the attacked website from the Resolving the IP address corresponding to the second server to the IP address corresponding to the first server;
  • the modifying module 43 is further configured to: when it is determined that the first server is not subjected to a denial of service attack, re-parse the domain name resolution of the website that is not attacked from the IP address corresponding to the third server to the first The IP address corresponding to the server.
  • the embodiment of the present invention acquires a plurality of websites located on the first server, and determines, in the plurality of websites, the attacked website and/or the website that is not attacked, Parsing the domain name of the attacked website to the IP address corresponding to the second server against the attack.
  • the invention can transfer the access traffic when the first server initiates the denial of service attack to the anti-attack server, which not only ensures the legitimate user access to the website that has not been attacked, but also ensures the legitimate user to the attacked website. access. Therefore, the present invention can solve the problem that a legitimate user request cannot be passed due to lack of network system resources caused by the DOS attack on the first server.
  • the IP address of the attacker that initiates the denial of service attack on the first server is obtained, and the IP address of the attacker is added to the blacklist to be masked, so that the IP address pair in the blacklist is subsequently detected.
  • the access request may be restricted, and the DOS attack on the first server may be prevented.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • any combination of the instructions including companion All of the features disclosed in the claims, the abstract and the drawings, and all processes or units of any of the methods or devices disclosed herein are combined.
  • Each feature disclosed in this specification including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor may be used in practice to implement some or all of the functionality of some or all of the components of the processing device for denial of service attacks in accordance with embodiments of the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 5 illustrates a computing device that can implement a processing method for a denial of service attack in accordance with the present invention.
  • the computing device conventionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520.
  • the memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 520 has a memory space 530 for program code 531 for performing any of the method steps described above.
  • storage space 530 for program code may include various program code 531 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such computer program products are typically portable or fixed storage units as described with reference to FIG.
  • the storage unit may have storage segments, storage spaces, and the like that are similarly arranged to memory 520 in the computing device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 531', i.e., may be processor by, for example, 510 Read code that, when executed by a computing device, causes the computing device to perform various steps in the methods described above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种针对拒绝服务攻击的处理方法及装置,该方法包括:确定第一服务器受到拒绝服务攻击;获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站;将所述受到攻击的网站的域名解析至第二服务器对应的IP地址,所述第二服务器为抗攻击的服务器。本发明能够解决由于DOS攻击造成的网络系统资源的匮乏而导致的合法的用户请求无法通过的问题。

Description

针对拒绝服务攻击的处理方法及装置 技术领域
本发明涉及互联网络技术领域,尤其涉及一种针对拒绝服务攻击的处理方法及装置。
背景技术
拒绝服务(Denial Of Service,DoS)攻击几乎是从互联网络的诞生以来,就伴随着互联网络的发展而一直存在也不断发展和升级。DoS是指故意的攻击网络协议实现的缺陷或直接通过野蛮手段残忍地耗尽被攻击对象的资源,目的是让目标计算机或网络无法提供正常的服务或资源访问,使目标系统服务资源停止响应甚至崩溃,这些服务资源包括网络带宽、文件系统空间容量、开放的进程或者允许的连接。这种DoS攻击会导致网络系统资源的匮乏,无论计算机的处理速度多快、内存容量多大、网络带宽的速度多快都无法避免这种攻击带来的后果,最终导致合法的用户请求无法通过。
发明内容
鉴于上述问题,提出了本发明以便提供一种克服上述问题或者至少部分地解决或者减缓上述问题的针对拒绝服务攻击的处理方法和相应的装置。
根据本发明的一个方面,提供了一种针对拒绝服务攻击的处理方法,包括:确定第一服务器受到拒绝服务攻击;获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站;将所述受到攻击的网站的域名解析至第二服务器对应的IP(Internet Protocol,网际协议)地址,所述第二服务器为抗攻击的服务器。
根据本发明的另一个方面,提供了一种针对拒绝服务攻击的处理装置,包括:
检测模块,用于确定第一服务器受到拒绝服务攻击;
确定模块,用于获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站;
修改模块,用于将所述受到攻击的网站的域名解析至第二服务器对应的IP地址,所述第二服务器为抗攻击的服务器。
根据本发明的又一个方面,提供了一种计算机程序,其包括计算机可读代码,当所述计算机可读代码在计算设备上运行时,导致所述计算设备执行根据上文任一个所述的针对拒绝服务攻击的处理方法。
根据本发明的再一个方面,提供了一种计算机可读介质,其中存储了上述的计算机程序。
本发明的有益效果为:
本发明实施例在确定第一服务器受到拒绝服务攻击时,获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站,将所述受到攻击的网站的域名解析至抗攻击的第二服务器对应的IP地址。由此可知,本发明可以将对第一服务器发起拒绝服务攻击时的访问流量转移到抗攻击的服务器上,不仅保证了合法用户对没有受到攻击的网站的访问,而且也保证了合法用户对受到攻击的网站的访问。因此,本发明能够解决在第一服务器遭受DOS攻击时造成的网络系统资源的匮乏而导致的合法的用户请求无法通过的问题。
上述说明仅是本发明技术方案的概述,为了能够更清楚了解本发明的技术手段,而可依照说明书的内容予以实施,并且为了让本发明的上述和其它目的、特征和优点能够更明显易懂,以下特举本发明的具体实施方式。
附图说明
通过阅读下文优选实施方式的详细描述,各种其他的优点和益处对于本领域普通技术人员将变得清楚明了。附图仅用于示出优选实施方式的目的,而并不认为是对本发明的限制。而且在整个附图中,用相同的参考符号表示相同的部件。在附图中:
图1为本发明一实施例提供的针对拒绝服务攻击的处理方法的流程示意图;
图2为本发明另一实施例提供的针对拒绝服务攻击的处理方法的流程示意图;
图3为本发明又一实施例提供的针对拒绝服务攻击的处理方法的流程示意图;
图4为本发明一实施例提供的针对拒绝服务攻击的处理装置的结构示意图;
图5示意性地示出了用于执行根据本发明的针对拒绝服务攻击的处理方法的计算设备的框图;以及
图6示意性地示出了用于保持或者携带实现根据本发明的针对拒绝服务攻击的处理方法的程序代码的存储单元。
具体实施方式
下面结合附图和具体的实施方式对本发明作进一步的描述。
图1为本发明一实施例提供的针对拒绝服务攻击的处理方法的流程示意图,如图1所述,本实施例的方法包括以下至少101至103。
101、确定第一服务器受到拒绝服务攻击。
举例来说,本发明实施例中,为网站提供保护的服务平台(如网站保护服务器)可以确定第一服务器是否受到拒绝服务攻击,其中,服务平台提供的服务具体包括网站防火墙、DOS保护、智能域名解析系统(Domain Name System,DNS)等服务。
在本发明的一种可选的实施方式中,步骤101可以采用多种方式来实现,如检测第一服务器的系统资源占用率或网络带宽占用率的方式,下面对这两种方式进行详细介绍。
方式一、检测第一服务器的系统资源占用率的方式。在该方式中,网站保护服务器检测到第一服务器的系统资源占用率超过第一预定阈值时,确定第一服务器受到拒绝服务攻击,其中,第一预定阈值可以是第一服务器根据自身的硬件配置参数预先设置的系统资源占用率的比例阈值(如80%),假设第一服务器当前的系统资源占用率超过80%,则可以确定第一服务器受到拒绝服务攻击。
方式二、检测第一服务器的网络带宽占用率的方式。在该方式中,网站保护服务器检测到第一服务器的网络带宽占用率超过第二预定阈值时,确定第一服务器受到拒绝服务攻击,其中,第二预定阈值可以是第一服务器根据与网络运营商之间的签约网络带宽预先设置的网络带宽占用率的比例阈值(如100%),假设第一服务器当前的网络带宽占用率超过签约网络带宽的100%,则可以确定第一服务器受到拒绝服务攻击。
在实际应用中,当第一服务器遭受流量攻击时,会发现利用远程终端连接第一服务器会失败。或者,在第一服务器上使用Netstat-na命令,假设有 大量的SYN_RECEIVED、TIME_WAIT、FIN_WAIT_1等状态存在,而ESTABLISHED很少,则可判定第一服务器是遭受了资源耗尽等拒绝服务攻击。或者,第一服务器可以统计接收的某一类攻击报文的频度是否大于预先设置的阀值,若大于则表示攻击发生。又或者,第一服务器可以分析接收的报文是否具有攻击报文的特征,来判断是否有攻击发生。或者,第一服务器可以对正常情况下的流量特征进行提取,然后实时检测当前的流量特征,与正常流量的特征进行对比,若有明显差异,则表明可能受到了攻击。
102、获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站。
举例来说,第一服务器中存放有多个网站,其中,每个网站对应一个域名,当用户对网站发起访问请求时,网站保护服务器可以根据访问请求中的域名,将该网站的域名解析到第一服务器对应的IP地址,为此,网站保护服务器中设置有上述多个网站的域名与第一服务器的IP地址之间的对应关系。
在本发明的一种可选的实施方式中,网站保护服务器根据预设的多个网站的域名与第一服务器的IP地址之间的对应关系,可以分别获取多个网站的域名,并在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站,具体实现时包括:
分别检测对所述多个网站中的每一个网站发起的报文流量,判断所述报文流量是否超过所述网站对应的流量阈值,若是,则确定所述网站受到攻击,否则确定所述网站没有受到攻击。
在实际应用中,也可以通过Ping命令来测试网站是否遭受攻击,假设发现Ping超时或丢包严重,则该网站可能遭受了流量攻击。
103、将所述受到攻击的网站的域名解析至第二服务器对应的IP地址,所述第二服务器为抗攻击的服务器。
当第一服务器遭受攻击时,为了保证合法用户可以正常访问位于第一服务器上的所有网站(包括受到攻击的网站),本实施例中,网站保护服务器可以将受到攻击的网站的域名解析到抗攻击的第二服务器对应的IP地址,也就是说,修改DNS中网站域名和IP地址之间的对应关系,将原先网站域名和第一服务器的IP地址之间的对应关系修改为网站域名和第二服务器的IP地址之间的对应关系。为此,网站保护服务器中预先设置有第一服务器的 IP地址(如192.168.1.100)与抗攻击的第二服务器的IP地址之间的对应关系(如192.168.1.200)。
这里抗攻击的第二服务器例如具有充足的网络带宽保证,高配置的硬件特征的,增强操作系统的TCP/IP栈,至少能够有效对抗每秒10万个攻击包。
在本发明的一种可选的实施方式中,图2为本发明另一实施例提供的针对拒绝服务攻击的处理方法的流程示意图,如图2所示,步骤103之后还包括以下104。
104、将所述没有受到攻击的网站的域名解析至第三服务器对应的IP地址,所述第三服务器为高优先级服务器。
在实际应用中,当第一服务器受到攻击时,尽管将受到攻击的网站的域名解析至第二服务器对应的IP地址,然而第一服务器中的访问流量不能立即得到下降,为了保证合法用户可以正常访问位于第一服务器上的所有网站(包括没有受到攻击的网站),可以采用备用服务器的方式。例如网站保护服务器预先设置有备用的服务器,每个备用服务器的优先级可以不相同,优选的,可以将没有受到攻击的网站的域名解析至高优先级的第三服务器对应的IP地址。
为此,网站保护服务器中预先设置有第一服务器的IP地址与备用的服务器的IP地址之间的对应关系,其中,备用的服务器可以有多个,每个备用的服务器的优先级可以是不同的,如表1所示的第一服务器与备用的服务器之间的对应关系:
Figure PCTCN2014092388-appb-000001
其中,如表1所示,本实施例高优先级的第三服务器可以是具有高优先级的第一备用服务器,具有充足的网络带宽保证,高配置的硬件特征的,增强的操作系统的TCP/IP栈。
在本发明的一种可选的实施方式中,图3为本发明又一实施例提供的针 对拒绝服务攻击的处理方法的流程示意图,如图3所示,步骤103之后还包括以下105。
105、获取对第一服务器发起拒绝服务攻击的攻击方的IP地址,将所述攻击方的IP地址加入黑名单进行屏蔽。
举例来说,可以使用攻击源追踪定位技术快速找出攻击方真实位置(如攻击方的IP地址)。在实际应用中,攻击方通常伪造源IP地址,且数据包的路由既有很强的无序性,但是,每个数据包都必须经过从攻击方到目标机(本实施例的第一服务器)之间的路由转发,因此,通过路由器对转发数据包进行标记或记录,即可实现攻击路径的重构,具体例如可以采用基于日志记录的追踪技术(Hash-based)和基于边采用的概率包标记技术(PPM)。关于日志记录的追踪技术和基于边采用的概率包标记技术可以是现有技术,本发明对此不作限定。
之后,将攻击方的IP地址加入黑名单进行屏蔽。以便后续在检测到黑名单中的IP地址对第一服务器发起的访问请求时可以对该该访问请求进行限制,可以预防对第一服务器的DOS攻击。
在本发明的一种可选的实施方式中,步骤103之后还包括:当确定所述第一服务器不再受到拒绝服务攻击,且确定所述受到攻击的网站不再被攻击时,将所述受到攻击的网站的域名解析从所述第二服务器对应的IP地址重新解析至所述第一服务器对应的IP地址。
举例来说,当确定所述第一服务器不再受到拒绝服务攻击,且确定所述受到攻击的网站不再被攻击时,网站保护服务器可以修改DNS中网站域名和IP地址之间的对应关系,将受到攻击的网站的域名重新解析到第一服务器对应的IP地址。
在本发明的一种可选的实施方式中,步骤104之后还包括:当确定所述第一服务器没有受到拒绝服务攻击,将所述没有受到攻击的网站的域名解析从所述第三服务器对应的IP地址重新解析至所述第一服务器对应的IP地址。
本发明实施例在确定第一服务器受到拒绝服务攻击时,获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站,将所述受到攻击的网站的域名解析至抗攻击的第二服务器对应的IP地址。本发明可以将对第一服务器发起拒绝服务攻击时的访问流量转移到抗攻击的服务器上,不仅保证了合法用户对没有受到攻击的网站 的访问,而且也保证了合法用户对受到攻击的网站的访问。因此,本发明能够解决在第一服务器遭受DOS攻击时造成的网络系统资源的匮乏而导致的合法的用户请求无法通过的问题。
进一步地,本发明实施例通过获取对第一服务器发起拒绝服务攻击的攻击方的IP地址,将所述攻击方的IP地址加入黑名单进行屏蔽,以便后续在检测到黑名单中的IP地址对第一服务器发起的访问请求时可以对该访问请求进行限制,可以预防对第一服务器的DOS攻击。
图4为本发明一实施例提供的针对拒绝服务攻击的处理装置的结构示意图,如图4所示,包括:
检测模块41,用于确定第一服务器受到拒绝服务攻击;
确定模块42,用于获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站;
修改模块43,用于将所述受到攻击的网站的域名解析至第二服务器对应的IP地址,所述第二服务器为抗攻击的服务器。
其中:所述修改模块43,还用于将所述没有受到攻击的网站的域名解析至第三服务器对应的IP地址,所述第三服务器为高优先级服务器。
其中:所述检测模块41,具体用于检测到所述第一服务器的系统资源占用率超过第一预定阈值或所述第一服务器的网络带宽占用率超过第二预定阈值时,确定第一服务器受到拒绝服务攻击。
其中:所述确定模块42,具体用于分别检测对所述多个网站中的每一个网站发起的报文流量,判断所述报文流量是否超过所述网站对应的流量阈值,若是,则确定所述网站受到攻击,否则确定所述网站没有受到攻击。
其中:所述修改模块43,还用于获取对第一服务器发起拒绝服务攻击的攻击方的IP地址,将所述攻击方的IP地址加入黑名单进行屏蔽。
其中:所述修改模块43,还用于在确定所述第一服务器没有受到拒绝服务攻击,且确定所述受到攻击的网站不再被攻击时,将所述受到攻击的网站的域名解析从所述第二服务器对应的IP地址重新解析至所述第一服务器对应的IP地址;
所述修改模块43,还用于当确定所述第一服务器没有受到拒绝服务攻击,将所述没有受到攻击的网站的域名解析从所述第三服务器对应的IP地址重新解析至所述第一服务器对应的IP地址。
本发明实施例在确定第一服务器受到拒绝服务攻击时,获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站,将所述受到攻击的网站的域名解析至抗攻击的第二服务器对应的IP地址。本发明可以将对第一服务器发起拒绝服务攻击时的访问流量转移到抗攻击的服务器上,不仅保证了合法用户对没有受到攻击的网站的访问,而且也保证了合法用户对受到攻击的网站的访问。因此,本发明能够解决在第一服务器遭受DOS攻击时造成的网络系统资源的匮乏而导致的合法的用户请求无法通过的问题。
进一步地,本发明实施例通过获取对第一服务器发起拒绝服务攻击的攻击方的IP地址,将所述攻击方的IP地址加入黑名单进行屏蔽,以便后续在检测到黑名单中的IP地址对第一服务器发起的访问请求时可以对该访问请求进行限制,可以预防对第一服务器的DOS攻击。
本领域的技术人员应当理解,本发明的方案同样适用于处理分布式拒绝服务(DDoS,Distributed Denial of Service)攻击,其原理和步骤与针对拒绝服务攻击的处理相同,在此不再赘述。
在此处所提供的说明书中,说明了大量具体细节。然而,能够理解,本发明的实施例可以在没有这些具体细节的情况下实践。在一些实例中,并未详细示出公知的方法、结构和技术,以便不模糊对本说明书的理解。
类似地,应当理解,为了精简本公开并帮助理解各个发明方面中的一个或多个,在上面对本发明的示例性实施例的描述中,本发明的各个特征有时被一起分组到单个实施例、图、或者对其的描述中。然而,并不应将该公开的方法解释成反映如下意图:即所要求保护的本发明要求比在每个权利要求中所明确记载的特征更多的特征。更确切地说,如下面的权利要求书所反映的那样,发明方面在于少于前面公开的单个实施例的所有特征。因此,遵循具体实施方式的权利要求书由此明确地并入该具体实施方式,其中每个权利要求本身都作为本发明的单独实施例。
本领域那些技术人员可以理解,可以对实施例中的设备中的模块进行自适应性地改变并且把它们设置在与该实施例不同的一个或多个设备中。可以把实施例中的模块或单元或组件组合成一个模块或单元或组件,以及此外可以把它们分成多个子模块或子单元或子组件。除了这样的特征和/或过程或者单元中的至少一些是相互排斥之外,可以采用任何组合对本说明书(包括伴 随的权利要求、摘要和附图)中公开的所有特征以及如此公开的任何方法或者设备的所有过程或单元进行组合。除非另外明确陈述,本说明书(包括伴随的权利要求、摘要和附图)中公开的每个特征可以由提供相同、等同或相似目的的替代特征来代替。
此外,本领域的技术人员能够理解,尽管在此所述的一些实施例包括其它实施例中所包括的某些特征而不是其它特征,但是不同实施例的特征的组合意味着处于本发明的范围之内并且形成不同的实施例。例如,在下面的权利要求书中,所要求保护的实施例的任意之一都可以以任意的组合方式来使用。
本发明的各个部件实施例可以以硬件实现,或者以在一个或者多个处理器上运行的软件模块实现,或者以它们的组合实现。本领域的技术人员应当理解,可以在实践中使用微处理器或者数字信号处理器(DSP)来实现根据本发明实施例的针对拒绝服务攻击的处理装置中的一些或者全部部件的一些或者全部功能。本发明还可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者装置程序(例如,计算机程序和计算机程序产品)。这样的实现本发明的程序可以存储在计算机可读介质上,或者可以具有一个或者多个信号的形式。这样的信号可以从因特网网站上下载得到,或者在载体信号上提供,或者以任何其他形式提供。
例如,图5示出了可以实现根据本发明的针对拒绝服务攻击的处理方法的计算设备。该计算设备传统上包括处理器510和以存储器520形式的计算机程序产品或者计算机可读介质。存储器520可以是诸如闪存、EEPROM(电可擦除可编程只读存储器)、EPROM、硬盘或者ROM之类的电子存储器。存储器520具有用于执行上述方法中的任何方法步骤的程序代码531的存储空间530。例如,用于程序代码的存储空间530可以包括分别用于实现上面的方法中的各种步骤的各个程序代码531。这些程序代码可以从一个或者多个计算机程序产品中读出或者写入到这一个或者多个计算机程序产品中。这些计算机程序产品包括诸如硬盘,紧致盘(CD)、存储卡或者软盘之类的程序代码载体。这样的计算机程序产品通常为如参考图6所述的便携式或者固定存储单元。该存储单元可以具有与图5的计算设备中的存储器520类似布置的存储段、存储空间等。程序代码可以例如以适当形式进行压缩。通常,存储单元包括计算机可读代码531’,即可以由例如诸如510之类的处理器 读取的代码,这些代码当由计算设备运行时,导致该计算设备执行上面所描述的方法中的各个步骤。
本文中所称的“一个实施例”、“实施例”或者“一个或者多个实施例”意味着,结合实施例描述的特定特征、结构或者特性包括在本发明的至少一个实施例中。此外,请注意,这里“在一个实施例中”的词语例子不一定全指同一个实施例。
应该注意的是上述实施例对本发明进行说明而不是对本发明进行限制,并且本领域技术人员在不脱离所附权利要求的范围的情况下可设计出替换实施例。在权利要求中,不应将位于括号之间的任何参考符号构造成对权利要求的限制。单词“包含”不排除存在未列在权利要求中的元件或步骤。位于元件之前的单词“一”或“一个”不排除存在多个这样的元件。本发明可以借助于包括有若干不同元件的硬件以及借助于适当编程的计算机来实现。在列举了若干装置的单元权利要求中,这些装置中的若干个可以是通过同一个硬件项来具体体现。单词第一、第二、以及第三等的使用不表示任何顺序。可将这些单词解释为名称。
此外,还应当注意,本说明书中使用的语言主要是为了可读性和教导的目的而选择的,而不是为了解释或者限定本发明的主题而选择的。因此,在不偏离所附权利要求书的范围和精神的情况下,对于本技术领域的普通技术人员来说许多修改和变更都是显而易见的。对于本发明的范围,对本发明所做的公开是说明性的,而非限制性的,本发明的范围由所附权利要求书限定。

Claims (14)

  1. 一种针对拒绝服务攻击的处理方法,其包括:
    确定第一服务器受到拒绝服务攻击;
    获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站;
    将所述受到攻击的网站的域名解析至第二服务器对应的IP地址,所述第二服务器为抗攻击的服务器。
  2. 根据权利要求1所述的方法,其中,还包括:
    将所述没有受到攻击的网站的域名解析至第三服务器对应的IP地址,所述第三服务器为高优先级服务器。
  3. 根据权利要求1所述的方法,其中,所述确定第一服务器受到拒绝服务攻击,包括:
    检测到所述第一服务器的系统资源占用率超过第一预定阈值或所述第一服务器的网络带宽占用率超过第二预定阈值时,确定第一服务器受到拒绝服务攻击。
  4. 根据权利要求1所述的方法,其中,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站,包括:
    分别检测对所述多个网站中的每一个网站发起的报文流量,判断所述报文流量是否超过所述网站对应的流量阈值,若是,则确定所述网站受到攻击,否则确定所述网站没有受到攻击。
  5. 根据权利要求1-4任一项所述的方法,其中,还包括:
    获取对第一服务器发起拒绝服务攻击的攻击方的IP地址,将所述攻击方的IP地址加入黑名单进行屏蔽。
  6. 根据权利要求1或2所述的方法,其中,还包括:
    当确定所述第一服务器不再受到拒绝服务攻击,且确定所述受到攻击的网站不再被攻击时,将所述受到攻击的网站的域名解析从所述第二服务器对应的IP地址重新解析至所述第一服务器对应的IP地址;
    当确定所述第一服务器没有受到拒绝服务攻击,将所述没有受到攻击的网站的域名解析从所述第三服务器对应的IP地址重新解析至所述第一服务器对应的IP地址。
  7. 一种针对拒绝服务攻击的处理装置,其包括:
    检测模块,用于确定第一服务器受到拒绝服务攻击;
    确定模块,用于获取位于所述第一服务器上的多个网站,在所述多个网站中分别确定受到攻击的网站和/或没有受到攻击的网站;
    修改模块,用于将所述受到攻击的网站的域名解析至第二服务器对应的IP地址,所述第二服务器为抗攻击的服务器。
  8. 根据权利要求7所述的装置,其中:
    所述修改模块,还用于将所述没有受到攻击的网站的域名解析至第三服务器对应的IP地址,所述第三服务器为高优先级服务器。
  9. 根据权利要求7所述的装置,其中:
    所述检测模块,具体用于检测到所述第一服务器的系统资源占用率超过第一预定阈值或所述第一服务器的网络带宽占用率超过第二预定阈值时,确定第一服务器受到拒绝服务攻击。
  10. 根据权利要求7所述的装置,其中:
    所述确定模块,具体用于分别检测对所述多个网站中的每一个网站发起的报文流量,判断所述报文流量是否超过所述网站对应的流量阈值,若是,则确定所述网站受到攻击,否则确定所述网站没有受到攻击。
  11. 根据权利要求7-10任一项所述的装置,其中:
    所述修改模块,还用于获取对第一服务器发起拒绝服务攻击的攻击方的IP地址,将所述攻击方的IP地址加入黑名单进行屏蔽。
  12. 根据权利要求7或8所述的装置,其中:
    所述修改模块,还用于在确定所述第一服务器没有受到拒绝服务攻击,且确定所述受到攻击的网站不再被攻击时,将所述受到攻击的网站的域名解析从所述第二服务器对应的IP地址重新解析至所述第一服务器对应的IP地址;
    所述修改模块,还用于当确定所述第一服务器没有受到拒绝服务攻击,将所述没有受到攻击的网站的域名解析从所述第三服务器对应的IP地址重新解析至所述第一服务器对应的IP地址。
  13. 一种计算机程序,包括计算机可读代码,当所述计算机可读代码在计算设备上运行时,导致所述计算设备执行根据权利要求1至6中的任一项所述的针对拒绝服务攻击的处理方法。
  14. 一种计算机可读介质,其中存储了如权利要求13所述的计算机程序。
PCT/CN2014/092388 2013-11-29 2014-11-27 针对拒绝服务攻击的处理方法及装置 WO2015078388A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310631219.7 2013-11-29
CN201310631219.7A CN103618718B (zh) 2013-11-29 2013-11-29 针对拒绝服务攻击的处理方法及装置

Publications (1)

Publication Number Publication Date
WO2015078388A1 true WO2015078388A1 (zh) 2015-06-04

Family

ID=50169422

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/092388 WO2015078388A1 (zh) 2013-11-29 2014-11-27 针对拒绝服务攻击的处理方法及装置

Country Status (2)

Country Link
CN (1) CN103618718B (zh)
WO (1) WO2015078388A1 (zh)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789882A (zh) * 2016-11-18 2017-05-31 汉柏科技有限公司 一种域名请求攻击的防御方法及系统
CN111510459A (zh) * 2020-04-24 2020-08-07 太仓红码软件技术有限公司 一种基于时钟信号的网络攻击防御系统
CN113301001A (zh) * 2020-04-07 2021-08-24 阿里巴巴集团控股有限公司 攻击者确定方法、装置、计算设备和介质
CN113573317A (zh) * 2021-07-29 2021-10-29 咪咕文化科技有限公司 网络奇异系统在卫星系统中的滤波器设计方法及装置
CN113660214A (zh) * 2021-07-26 2021-11-16 杭州安恒信息技术股份有限公司 一种Web服务器的防护方法
CN114584491A (zh) * 2022-04-21 2022-06-03 腾讯科技(深圳)有限公司 检测方法、装置、存储介质、设备及程序产品
CN114785876A (zh) * 2022-04-07 2022-07-22 湖北天融信网络安全技术有限公司 报文检测方法及装置

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618718B (zh) * 2013-11-29 2016-09-21 北京奇虎科技有限公司 针对拒绝服务攻击的处理方法及装置
CN106302313B (zh) * 2015-05-14 2019-10-08 阿里巴巴集团控股有限公司 基于调度系统的DDoS防御方法和DDoS防御系统
CN107154915A (zh) * 2016-03-02 2017-09-12 阿里巴巴集团控股有限公司 防御分布式拒绝服务DDoS攻击的方法、装置及系统
CN106411934B (zh) * 2016-11-15 2017-11-21 平安科技(深圳)有限公司 DoS/DDoS攻击检测方法和装置
CN108092940B (zh) * 2016-11-23 2020-04-17 贵州白山云科技股份有限公司 一种dns的防护方法及相关设备
CN107734080B (zh) * 2017-10-09 2020-09-04 厦门二五八网络科技集团股份有限公司 多用户域名解析及域名服务器迁移的方法

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1669009A (zh) * 2002-07-29 2005-09-14 国际商业机器公司 用于改善内容分发网络对分布式拒绝服务攻击的适应力的方法和设备
CN101127649A (zh) * 2007-09-30 2008-02-20 华为技术有限公司 一种防御网络攻击的方法和系统
CN101394285A (zh) * 2007-09-17 2009-03-25 国际商业机器公司 用于服务器在广播风暴或拒绝服务攻击期间切换到备用服务器的设备、系统和方法
CN103618718A (zh) * 2013-11-29 2014-03-05 北京奇虎科技有限公司 针对拒绝服务攻击的处理方法及装置

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2520496C (en) * 2003-04-09 2010-01-19 Riverhead Networks, Inc. Selective diversion and injection of communication traffic
KR100900491B1 (ko) * 2008-12-02 2009-06-03 (주)씨디네트웍스 분산 서비스 거부 공격의 차단 방법 및 장치
CN101572701B (zh) * 2009-02-10 2013-11-20 中科信息安全共性技术国家工程研究中心有限公司 针对DNS服务器的抗DDoS安全网关系统
CN102655493A (zh) * 2011-03-01 2012-09-05 国基电子(上海)有限公司 用户端设备及其防止攻击的方法
CN102291390B (zh) * 2011-07-14 2014-06-04 南京邮电大学 一种基于云计算平台的防御拒绝服务攻击的方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1669009A (zh) * 2002-07-29 2005-09-14 国际商业机器公司 用于改善内容分发网络对分布式拒绝服务攻击的适应力的方法和设备
CN101394285A (zh) * 2007-09-17 2009-03-25 国际商业机器公司 用于服务器在广播风暴或拒绝服务攻击期间切换到备用服务器的设备、系统和方法
CN101127649A (zh) * 2007-09-30 2008-02-20 华为技术有限公司 一种防御网络攻击的方法和系统
CN103618718A (zh) * 2013-11-29 2014-03-05 北京奇虎科技有限公司 针对拒绝服务攻击的处理方法及装置

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789882A (zh) * 2016-11-18 2017-05-31 汉柏科技有限公司 一种域名请求攻击的防御方法及系统
CN113301001A (zh) * 2020-04-07 2021-08-24 阿里巴巴集团控股有限公司 攻击者确定方法、装置、计算设备和介质
CN113301001B (zh) * 2020-04-07 2023-05-23 阿里巴巴集团控股有限公司 攻击者确定方法、装置、计算设备和介质
CN111510459A (zh) * 2020-04-24 2020-08-07 太仓红码软件技术有限公司 一种基于时钟信号的网络攻击防御系统
CN113660214A (zh) * 2021-07-26 2021-11-16 杭州安恒信息技术股份有限公司 一种Web服务器的防护方法
CN113660214B (zh) * 2021-07-26 2023-02-28 杭州安恒信息技术股份有限公司 一种Web服务器的防护方法
CN113573317A (zh) * 2021-07-29 2021-10-29 咪咕文化科技有限公司 网络奇异系统在卫星系统中的滤波器设计方法及装置
CN114785876A (zh) * 2022-04-07 2022-07-22 湖北天融信网络安全技术有限公司 报文检测方法及装置
CN114785876B (zh) * 2022-04-07 2024-06-11 湖北天融信网络安全技术有限公司 报文检测方法及装置
CN114584491A (zh) * 2022-04-21 2022-06-03 腾讯科技(深圳)有限公司 检测方法、装置、存储介质、设备及程序产品
CN114584491B (zh) * 2022-04-21 2023-09-08 腾讯科技(深圳)有限公司 检测方法、装置、存储介质及设备

Also Published As

Publication number Publication date
CN103618718B (zh) 2016-09-21
CN103618718A (zh) 2014-03-05

Similar Documents

Publication Publication Date Title
WO2015078388A1 (zh) 针对拒绝服务攻击的处理方法及装置
US8661522B2 (en) Method and apparatus for probabilistic matching to authenticate hosts during distributed denial of service attack
US10038715B1 (en) Identifying and mitigating denial of service (DoS) attacks
US9843590B1 (en) Method and apparatus for causing a delay in processing requests for internet resources received from client devices
US10097520B2 (en) Method and apparatus for causing delay in processing requests for internet resources received from client devices
US9813451B2 (en) Apparatus and method for detecting cyber attacks from communication sources
US9912678B2 (en) Techniques for automatically mitigating denial of service attacks via attack pattern matching
US10270792B1 (en) Methods for detecting malicious smart bots to improve network security and devices thereof
CN106534051B (zh) 一种针对访问请求的处理方法和装置
US9398027B2 (en) Data detecting method and apparatus for firewall
CN109194680B (zh) 一种网络攻击识别方法、装置及设备
US10547636B2 (en) Method and system for detecting and mitigating denial-of-service attacks
US11165817B2 (en) Mitigation of network denial of service attacks using IP location services
US9350754B2 (en) Mitigating a cyber-security attack by changing a network address of a system under attack
KR20130014226A (ko) 공격 트래픽 형태별 특성에 따른 dns 플러딩 공격 탐지 방법
US20170111390A1 (en) Method circuits devices systems and functionally associated computer executable code for detecting and mitigating denial of service attack directed on or through a radio access network
JP5980968B2 (ja) 情報処理装置、情報処理方法及びプログラム
WO2020037781A1 (zh) 一种实现服务器防攻击方法及装置
US12041079B2 (en) Detecting patterns in network traffic responses for mitigating DDOS attacks
US10142360B2 (en) System and method for iteratively updating network attack mitigation countermeasures
US9680950B1 (en) Method and apparatus for causing delay in processing requests for internet resources received from client devices
CN105634660A (zh) 数据包检测方法及系统
KR101593897B1 (ko) 방화벽, ids 또는 ips를 우회하는 네트워크 스캔 방법
CN113765849B (zh) 一种异常网络流量检测方法和装置
JP6497782B2 (ja) 試験装置、試験方法および試験プログラム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14866320

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14866320

Country of ref document: EP

Kind code of ref document: A1