WO2018108052A1 - A DDoS attack defense method, system and related device - Google Patents

A DDoS attack defense method, system and related device

Info

Publication number
WO2018108052A1
Authority
WO
WIPO (PCT)
Prior art keywords
ddos
blocking
alarm data
ddos attack
service traffic
Prior art date
Application number
PCT/CN2017/115494
Other languages
English (en)
French (fr)
Inventor
陈虎
Original Assignee
腾讯科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 腾讯科技(深圳)有限公司
Publication of WO2018108052A1
Priority to US16/372,113 (US10771501B2)

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present invention relates to the field of Internet technologies, and in particular, to a DDoS attack defense method, system, related device, and computer storage medium.
  • DDoS: Distributed Denial of Service
  • the most basic DDoS attack methods include: using seemingly legitimate service requests to occupy too many service resources, so that legitimate users cannot get a response from the service; or sending a large number of packets in a short time to congest the upstream communication link of the Internet Data Center (IDC), which greatly reduces the available bandwidth and causes normal traffic to drop sharply, thereby achieving the goal of denial of service. Therefore, how to defend against DDoS attacks in a timely manner has become an urgent problem to be solved.
  • the embodiment of the invention provides a defense method and system for a DDoS attack, a related device, and a computer storage medium, which can improve the timeliness and flexibility of defending against DDoS attacks.
  • a first aspect of the embodiments of the present invention provides a defense method for a DDoS attack, including:
  • the distributed denial of service DDoS blocking device receives the DDoS attack alarm data sent by the DDoS detection device, and the DDoS attack alarm data is obtained by parsing the service traffic flowing into the equipment room by the DDoS detecting device.
  • the DDoS blocking device matches the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking strategy for the service traffic corresponding to the DDoS attack alarm data.
  • the DDoS blocking device blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • a second aspect of the embodiments of the present invention provides a defense method for a DDoS attack, including:
  • the DDoS detection device obtains the traffic flowing into the equipment room.
  • the DDoS detection device parses the service traffic to obtain DDoS attack alarm data.
  • the DDoS detection device sends the DDoS attack alarm data to the DDoS blocking device, so that the DDoS blocking device determines a blocking policy for the service traffic corresponding to the DDoS attack alarm data according to the DDoS blocking rule, and blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • a third aspect of the embodiments of the present invention provides a DDoS blocking device, including:
  • the receiving module is configured to receive the DDoS attack alarm data sent by the DDoS detection device, where the DDoS attack alarm data is obtained by parsing the service traffic flowing into the equipment room by the DDoS detection device.
  • the obtaining module is configured to match the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking strategy for the service traffic corresponding to the DDoS attack alarm data.
  • the blocking module is configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • a fourth aspect of the embodiments of the present invention provides a DDoS detection device, including:
  • the acquisition module is used to obtain the traffic flowing into the equipment room.
  • the parsing module is configured to parse the service traffic to obtain DDoS attack alarm data.
  • a sending module configured to send the DDoS attack alarm data to the DDoS blocking device, so that the DDoS blocking device determines a blocking policy for the service traffic corresponding to the DDoS attack alarm data according to the DDoS blocking rule, and blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • a fifth aspect of the embodiments of the present invention provides a defense system for a DDoS attack, comprising: the DDoS blocking device according to the above third aspect, and the DDoS detecting device according to the fourth aspect.
  • a sixth aspect of the embodiments of the present invention provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute the defense method of the DDoS attack.
  • the DDoS blocking device receives the DDoS attack alarm data sent by the DDoS detection device, where the DDoS attack alarm data is obtained by the DDoS detection device by parsing the service traffic flowing into the equipment room; the DDoS blocking device matches the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data, and then blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy, thereby improving the timeliness and flexibility of the defense against DDoS attacks.
  • FIG. 1 is a schematic structural diagram of a defense system for a DDoS attack according to an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for defending against a DDoS attack according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a DDoS blocking device according to an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of another DDoS blocking device according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of a DDoS detecting apparatus according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of another DDoS detecting apparatus according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of a defense system for a DDoS attack according to an embodiment of the present invention.
  • FIG. 1 is a schematic structural diagram of a defense system for a DDoS attack according to an embodiment of the present invention.
  • the architecture of the defense system for the DDoS attack described in this embodiment includes: a client, an operator, a computer room, a DDoS detection cluster, and a DDoS blocking system, where:
  • the operator may specifically be an Internet Service Provider (ISP).
  • the equipment room includes at least a router/switch and a service server.
  • the router may be an ingress router of the equipment room, such as a Tencent Internet Exchange (TIX).
  • the switch may be a core switch of the equipment room, such as an external network core (Wan Core, WC).
  • the DDoS detection cluster can be deployed at the entrance of the equipment room to perform out-of-band (bypass) real-time analysis on a mirror of the traffic flowing into the equipment room.
  • the DDoS blocking system is used to implement the blocking of service traffic according to the monitoring and analysis result of the DDoS detection cluster for service traffic.
  • the service traffic from the client reaches the entrance of the equipment room through the carrier network, and is forwarded to the service server by the network equipment such as the ingress router or the core switch of the equipment room.
  • the service traffic can pass through an optical splitter, which mirrors the service traffic in real time and sends the mirrored copy to the DDoS detection cluster.
  • the DDoS detection cluster parses the service traffic packet by packet according to the specification of the network protocol stack, extracts the DDoS attack packets from it, generates DDoS attack alarm data, and sends the DDoS attack alarm data to the DDoS blocking system for processing.
  • the DDoS blocking system applies the DDoS blocking rule to the DDoS attack alarm data to block the corresponding service traffic. This includes notifying the ingress router or core switch of the equipment room to discard the service traffic corresponding to the DDoS attack alarm data instead of forwarding it to the other network equipment or service servers in the equipment room, or working jointly with the operator so that the service traffic corresponding to the DDoS attack alarm data is discarded before it reaches the equipment room, for example on a router of the backbone network (such as the provincial backbone network).
  • FIG. 2 is a schematic flowchart of a method for defending a DDoS attack according to an embodiment of the present invention.
  • the defense method of the DDoS attack described in this embodiment includes:
  • the DDoS detection device obtains service traffic flowing into the equipment room.
  • the DDoS detection device can be deployed at the entrance of the equipment room, and multiple DDoS detection devices can be deployed to form a DDoS detection cluster.
  • when the service traffic reaches the equipment room, it can be mirrored to the DDoS detection device in real time through the optical splitter.
  • the DDoS detection device parses the service traffic to obtain DDoS attack alarm data.
  • the DDoS detection device parses the service traffic packet by packet according to the specification of the network protocol stack, extracts the DDoS attack packets, and aggregates them into DDoS attack alarm data.
  • the DDoS attack alarm data may include: attack time, attack type, destination Internet Protocol (IP) address, attack location (such as the attacked equipment room or carrier), and the corresponding traffic volume.
  • the network protocol stack may include: Transmission Control Protocol (TCP)/IP, User Datagram Protocol (UDP), and the like.
  • the DDoS detection device sends the DDoS attack alarm data to a DDoS blocking device.
  • the DDoS blocking device receives the DDoS attack alarm data.
  • the DDoS blocking device corresponds to the DDoS blocking system.
  • the DDoS detection device and the DDoS blocking device may also be integrated into the same device, so that DDoS detection and DDoS blocking are implemented together.
  • the DDoS blocking device matches the DDoS attack alarm data with the DDoS blocking rule, and obtains a blocking policy for the service traffic corresponding to the DDoS attack alarm data.
  • a corresponding blocking threshold can be set according to the type of the customer. If the traffic of the DDoS attack reaches or exceeds the blocking threshold, the customer's ongoing service is seriously threatened.
  • the blocking threshold can be expressed as a bandwidth, for example in megabits per second (Mbps). Ordinary customers can use a default blocking threshold; ordinary customers can also be divided into large customers and small customers according to their scale, with large customers and small customers each having their own default blocking threshold.
  • special customers (such as VIP customers or Border Gateway Protocol (BGP) customers) can have their blocking threshold set separately, which allows the blocking threshold to be customized, for example according to the bandwidth purchased by the customer. It is of course also possible to allow an ordinary customer to apply for a separately set blocking threshold, or to obtain a separately set blocking threshold by paying for it.
  • the equipment room can set a security threshold according to its bandwidth usage. If the service traffic of the DDoS attack reaches or exceeds the security threshold, the stability of the cloud platform corresponding to the equipment room is seriously threatened.
  • the blocking strategy may include blocking type, blocking position, destination IP, etc.
  • the blocking type includes notifying the equipment room to perform the blocking, or performing the blocking jointly with the operator; the blocking position is the equipment room to be blocked, or the operator's exit.
  • the DDoS blocking device may perform the blocking determination based on the destination IP corresponding to the DDoS attack alarm data. Specifically, the DDoS blocking device determines the customer type corresponding to the destination IP of the DDoS attack alarm data and obtains the blocking threshold corresponding to that customer type; if the customer is a special customer, the corresponding blocking threshold is obtained from the cloud platform.
  • the DDoS blocking device compares the service traffic of the destination IP with the blocking threshold and with the security threshold of the equipment room. If the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the security threshold of the equipment room, the customer's ongoing service is seriously threatened, and the DDoS blocking device determines that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the traffic of the destination IP.
  • if the service traffic of the destination IP is greater than or equal to the security threshold of the equipment room, the attack on the current customer has a serious impact on the services of other customers, that is, the stability of the cloud platform corresponding to the equipment room is seriously threatened. In this case the DDoS blocking device determines that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is for the joint operator to block the service traffic of the destination IP, that is, the service traffic of the destination IP is discarded before it reaches the equipment room.
  • in other cases, the DDoS blocking device does not process the DDoS attack alarm data received this time. This avoids abnormal behaviour of the DDoS blocking system caused by blocking traffic that is not a DDoS attack, and so ensures the stability and reliability of the DDoS blocking system.
  • the DDoS blocking device can also perform the blocking determination based on the operator exits of the equipment room. For each operator connected to the equipment room, a corresponding blocking threshold is set according to bandwidth utilization; if the DDoS attack traffic flowing through an operator's exit reaches or exceeds that operator's blocking threshold, the stability of the cloud platform corresponding to the equipment room is seriously threatened. Specifically, for any operator exit of the equipment room (referred to as the target operator exit), the DDoS blocking device obtains the multiple destination IPs corresponding to the DDoS attack alarm data with the same alarm time and compares the sum of the service traffic of those destination IPs with the blocking threshold of the target operator.
  • if the sum reaches or exceeds the blocking threshold, the DDoS blocking device obtains the customer type and the service traffic size corresponding to each of the multiple destination IPs, where the customer type includes the customer priority, payment status, and so on; it then ranks the destination IPs by blocking priority according to factors such as customer priority, payment status, and service traffic size, and selects a preset number of destination IPs with the highest blocking priority as the destination IPs to be blocked.
  • the blocking policy for the service traffic corresponding to the DDoS attack alarm data is then for the joint operator to block the service traffic of the destination IPs to be blocked, that is, the traffic of the destination IPs to be blocked is discarded before it reaches the equipment room.
  • the DDoS blocking device blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • the DDoS blocking device performs the blocking operation according to the blocking type, blocking position, destination IP and other information included in the blocking policy. When the blocking type is to notify the equipment room to perform the blocking, the DDoS blocking device sends, through the blocking interface, a blocking command carrying information such as the blocking position and the destination IP to the ingress router or core switch of the equipment room, so that the ingress router or core switch discards the service traffic of the destination IP at the blocking position. When the blocking type is joint blocking with the operator, the DDoS blocking device invokes the blocking interface provided by the operator so that, according to the blocking position, the traffic of the destination IP or of the destination IPs to be blocked is discarded before it reaches the equipment room, for example on a router of the provincial backbone network.
  • the DDoS blocking device can push the blocking result (including the blocking time, the type of traffic, the size of the traffic, etc.) to the customer, so that the customer learns of the blocking in time and can promptly adjust the affected services.
  • the customer can also choose whether to enable the blocking result push service, and whether to receive only the blocking results of a specified blocking type.
  • the DDoS blocking device can also push blocking abnormalities (such as blocking failures) to the operation and maintenance platform, so that operation and maintenance personnel learn of the abnormality in time and follow up promptly, further ensuring the reliability and stability of the DDoS blocking system.
  • the DDoS detection device parses the service traffic flowing into the equipment room to obtain the DDoS attack alarm data and sends the DDoS attack alarm data to the DDoS blocking device; the DDoS blocking device matches the DDoS attack alarm data with the DDoS blocking rule to obtain the blocking policy for the service traffic corresponding to the DDoS attack alarm data, and then blocks the traffic corresponding to the DDoS attack alarm data according to the blocking policy, thereby improving the timeliness and flexibility of the defense against DDoS attacks and increasing the robustness of the cloud platform.
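The two blocking determinations described above, as an added example written for this page rather than code from the patent or from the assignee: the per-destination-IP decision against the customer's blocking threshold and the equipment room's security threshold, and the per-operator-exit decision that sums the alarms sharing an alarm time, compares the sum with the operator's threshold and selects a preset number of destination IPs by blocking priority. The thresholds, customer and alarm records, and the blocking-priority ordering (unpaid before paid, lower customer priority before higher, larger attack traffic before smaller) are all assumptions, since the patent leaves them to the operator of the system.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Thresholds in Mbps; all values are constructed for this example.
DEFAULT_THRESHOLDS = {"small": 500, "large": 2000}    # default per ordinary-customer type
SPECIAL_THRESHOLDS = {"203.0.113.10": 5000}           # stands in for the cloud-platform lookup
ROOM_SECURITY_THRESHOLDS = {"room-1": 8000}           # security threshold per equipment room
OPERATOR_THRESHOLDS = {"ISP-A": 6000, "ISP-B": 4000}  # blocking threshold per operator exit


@dataclass(frozen=True)
class Alarm:
    """One DDoS attack alarm record with the fields the detection device reports."""
    time: str        # attack time; alarms sharing a time are judged together per operator exit
    attack_type: str
    dst_ip: str      # destination IP under attack
    room: str        # attacked equipment room
    operator: str    # operator exit the traffic arrives through
    mbps: float      # attack traffic volume


@dataclass(frozen=True)
class Customer:
    ctype: str       # "small", "large" or "special"
    priority: int    # higher value = more important customer (assumed scale)
    paid: bool       # payment status


# Constructed customer records keyed by destination IP.
CUSTOMERS: Dict[str, Customer] = {
    "203.0.113.10": Customer("special", priority=3, paid=True),
    "198.51.100.5": Customer("small", priority=1, paid=False),
    "198.51.100.7": Customer("large", priority=2, paid=True),
    "198.51.100.9": Customer("small", priority=1, paid=True),
}


def blocking_threshold(dst_ip: str) -> float:
    """Threshold for the customer type; special customers use their separately set value."""
    customer = CUSTOMERS[dst_ip]
    if customer.ctype == "special":
        return SPECIAL_THRESHOLDS[dst_ip]
    return DEFAULT_THRESHOLDS[customer.ctype]


def per_ip_policy(alarm: Alarm) -> Optional[dict]:
    """Destination-IP determination. Returns a blocking policy, or None when the
    alarm is below the customer's threshold and must not be acted on."""
    if alarm.mbps >= ROOM_SECURITY_THRESHOLDS[alarm.room]:
        # Whole cloud platform threatened: drop the traffic before it reaches the room.
        return {"type": "joint_operator", "position": alarm.operator, "dst_ip": alarm.dst_ip}
    if alarm.mbps >= blocking_threshold(alarm.dst_ip):
        # Only this customer threatened: the room's ingress router/core switch drops it.
        return {"type": "notify_room", "position": alarm.room, "dst_ip": alarm.dst_ip}
    return None


def blocking_rank(alarm: Alarm):
    """Assumed blocking-priority order: unpaid before paid, lower customer priority
    before higher, larger attack traffic before smaller (sort ascending on this key)."""
    customer = CUSTOMERS[alarm.dst_ip]
    return (customer.paid, customer.priority, -alarm.mbps)


def operator_exit_policies(alarms: List[Alarm], preset_count: int = 2) -> List[dict]:
    """Operator-exit determination: group alarms by (alarm time, operator exit), compare
    the summed traffic with the operator's threshold and, when reached, pick the preset
    number of destination IPs with the highest blocking priority for joint blocking."""
    groups: Dict[tuple, List[Alarm]] = defaultdict(list)
    for alarm in alarms:
        groups[(alarm.time, alarm.operator)].append(alarm)
    policies = []
    for (_, operator), group in groups.items():
        if sum(a.mbps for a in group) < OPERATOR_THRESHOLDS[operator]:
            continue
        for alarm in sorted(group, key=blocking_rank)[:preset_count]:
            policies.append({"type": "joint_operator", "position": operator, "dst_ip": alarm.dst_ip})
    return policies


def decide(alarms: List[Alarm]) -> List[dict]:
    """Run both determinations and return every policy the blocking device would execute."""
    policies = [p for p in (per_ip_policy(a) for a in alarms) if p is not None]
    return policies + operator_exit_policies(alarms)


# Constructed alarm batch: four alarms sharing one attack time, three via ISP-A, one via ISP-B.
SAMPLE_ALARMS = [
    Alarm("t1", "syn_flood", "203.0.113.10", "room-1", "ISP-A", 5500),
    Alarm("t1", "udp_flood", "198.51.100.5", "room-1", "ISP-A", 300),
    Alarm("t1", "syn_flood", "198.51.100.7", "room-1", "ISP-A", 9000),
    Alarm("t1", "udp_flood", "198.51.100.9", "room-1", "ISP-B", 1000),
]

if __name__ == "__main__":
    for policy in decide(SAMPLE_ALARMS):
        print(policy)
```

In the sample batch the 300 Mbps alarm is ignored by the per-IP check but is still selected by the operator-exit check, because the ISP-A exit as a whole is over its threshold and that customer ranks first in blocking priority.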
  • FIG. 3 is a schematic structural diagram of a DDoS blocking device according to an embodiment of the present invention.
  • the DDoS blocking device described in this embodiment includes:
  • the receiving module 301 is configured to receive DDoS attack alarm data sent by the DDoS detection device, where the DDoS attack alarm data is obtained by parsing the service traffic flowing into the equipment room by the DDoS detection device.
  • the obtaining module 302 is configured to match the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data.
  • the blocking module 303 is configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • the obtaining module 302 includes:
  • the obtaining unit 3020 is configured to determine the customer type corresponding to the destination IP of the DDoS attack alarm data and to obtain the blocking threshold corresponding to that customer type.
  • the comparing unit 3021 is configured to compare the service traffic of the destination IP with the blocking threshold and the security threshold of the equipment room.
  • the determining unit 3022 is configured to: if the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the security threshold, determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the traffic of the destination IP.
  • the determining unit 3022 is further configured to: if the service traffic of the destination IP is greater than or equal to the security threshold, determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is for the joint operator to block the traffic of the destination IP.
  • the acquiring unit 3020 is configured to obtain, for the target operator exit of the equipment room, multiple destination IPs corresponding to the DDoS attack alarm data with the same alarm time, where the target operator exit is any one of the operator exits of the equipment room.
  • the comparing unit 3021 is configured to compare a sum of service flows of the plurality of destination IPs with a blocking threshold corresponding to the target operator.
  • the determining unit 3022 is configured to: if the sum of the service traffic of the multiple destination IPs is greater than or equal to the blocking threshold, determine the destination IP to be blocked among the multiple destination IPs according to the customer type and the service traffic size corresponding to the multiple destination IPs.
  • the determining unit 3022 is further configured to determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is that the joint operator blocks the service traffic of the destination IP to be blocked.
  • the DDoS blocking device receives the DDoS attack alarm data sent by the DDoS detection device, where the DDoS attack alarm data is obtained by the DDoS detection device by parsing the service traffic flowing into the equipment room; the DDoS blocking device matches the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data, and then blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy, which improves the timeliness and flexibility of the defense against DDoS attacks and thereby the robustness of the cloud platform.
  • FIG. 4 is a schematic structural diagram of another DDoS blocking device according to an embodiment of the present invention.
  • the DDoS blocking device described in this embodiment includes: a processor 401, a network interface 402, and a memory 403.
  • the processor 401, the network interface 402, and the memory 403 can be connected through a bus or other manners.
  • the embodiment of the present invention takes a bus connection as an example.
  • the processor 401 (or Central Processing Unit (CPU)) is a computing core and a control core of the DDoS blocking device.
  • the network interface 402 can optionally include a standard wired interface, a wireless interface (such as WI-FI, a mobile communication interface, etc.), and is controlled by the processor 401 for transmitting and receiving data.
  • the memory 403 is the storage device of the DDoS blocking device for storing programs and data. It can be understood that the memory 403 may be a high-speed RAM, or a non-volatile memory such as at least one disk memory; optionally, it may also include at least one storage device located away from the processor 401.
  • the memory 403 provides a storage space that stores the operating system and executable program code of the DDoS blocking device; the operating system may include, but is not limited to, Windows, Linux, and the like, and the invention is not limited in this respect.
  • the processor 401 performs the following operations by running the executable program code in the memory 403:
  • the network interface 402 is configured to receive the DDoS attack alarm data sent by the DDoS detection device, where the DDoS attack alarm data is obtained by parsing the service traffic flowing into the equipment room by the DDoS detection device.
  • the processor 401 is configured to match the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data.
  • the processor 401 is further configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • the processor 401 is specifically configured to:
  • if the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the security threshold, determining that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the traffic of the destination IP.
  • the processor 401 is further configured to: if the service traffic of the destination IP is greater than or equal to the security threshold, determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is for the joint operator to block the traffic of the destination IP.
  • the processor 401 is specifically configured to:
  • obtaining, for the target operator exit of the equipment room, a plurality of destination IPs corresponding to the DDoS attack alarm data with the same alarm time, where the target operator exit is any one of the operator exits of the equipment room.
  • determining the destination IP to be blocked among the multiple destination IPs according to the customer type and the service traffic size corresponding to the multiple destination IPs.
  • determining that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is for the joint operator to block the service traffic of the destination IP to be blocked.
  • the processor 401, the network interface 402, and the memory 403 described in this embodiment of the present invention may implement the DDoS attack defense method provided by the embodiments of the present invention, and may also implement the DDoS blocking device described in the embodiments of the present invention; details are not described here again.
  • the DDoS blocking device receives the DDoS attack alarm data sent by the DDoS detection device, where the DDoS attack alarm data is obtained by the DDoS detection device by parsing the service traffic flowing into the equipment room; the DDoS blocking device matches the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data, and then blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy, which improves the timeliness and flexibility of the defense against DDoS attacks and thereby the robustness of the cloud platform.
  • FIG. 5 is a schematic structural diagram of a DDoS detecting apparatus according to an embodiment of the present invention.
  • the DDoS detection device described in this embodiment includes:
  • the obtaining module 501 is configured to obtain service traffic flowing into the equipment room.
  • the parsing module 502 is configured to parse the service traffic to obtain DDoS attack alarm data.
  • the sending module 503 is configured to send the DDoS attack alarm data to the DDoS blocking device, so that the DDoS blocking device determines a blocking strategy for the service traffic corresponding to the DDoS attack alarm data according to the DDoS blocking rule, and The service traffic corresponding to the DDoS attack alarm data is blocked according to the blocking policy.
  • the parsing module 502 is specifically configured to:
  • the DDoS detection device parses the service traffic flowing into the equipment room to obtain the DDoS attack alarm data and sends the DDoS attack alarm data to the DDoS blocking device, so that the DDoS blocking device determines the blocking policy for the service traffic corresponding to the DDoS attack alarm data according to the DDoS blocking rule and blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy, thereby improving the timeliness and flexibility of the defense against DDoS attacks and the robustness of the cloud platform.
  • FIG. 6 is a schematic structural diagram of another DDoS detecting apparatus according to an embodiment of the present invention.
  • the DDoS detection device described in this embodiment includes: a processor 601, a network interface 602, and a memory 603.
  • the processor 601, the network interface 602, and the memory 603 can be connected by using a bus or other manners.
  • the processor 601 (or Central Processing Unit (CPU) It is the computing core and control core of DDoS detection equipment.
  • the network interface 602 can optionally include a standard wired interface, a wireless interface (such as WI-FI, a mobile communication interface, etc.), and is controlled by the processor 601 for transmitting and receiving data.
  • the memory 603 (Memory) is a memory device of the DDoS detecting device for storing programs and data. It can be understood that the memory 603 herein may be a high-speed RAM memory, or may be a non-volatile memory, such as at least one disk memory; optionally, at least one of the processors 601 located away from the foregoing processor 601. Storage device.
  • the memory 603 provides a storage space, which stores an operating system and executable program code of the DDoS detecting device, and may include, but is not limited to, a Windows system (an operating system), a Linux (an operating system) system, and the like. The invention is not limited thereto.
  • the processor 601 performs the following operations by running the executable program code in the memory 603:
  • the network interface 602 is configured to obtain service traffic flowing into the equipment room.
  • the processor 601 is configured to parse the service traffic to obtain DDoS attack alarm data.
  • the network interface 602 is further configured to send the DDoS attack alarm data to the DDoS blocking device, so that the DDoS blocking device determines the blocking of the service traffic corresponding to the DDoS attack alarm data according to the DDoS blocking rule.
  • the policy is to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • the processor 601 is specifically configured to:
  • the processor 601, the network interface 602, and the memory 603, which are described in the embodiments of the present invention, may be implemented in the defense method of the DDoS attack provided by the embodiment of the present invention, and may also be implemented in the embodiment of the present invention.
  • An implementation manner described in a DDoS detection device is provided, and details are not described herein again.
  • the DDoS detection device parses the service traffic flowing into the equipment room to obtain the DDoS attack alarm data, and sends the DDoS attack alarm data to the DDoS blocking device, so that the DDoS blocking device determines the DDoS attack according to the DDoS blocking rule.
  • the blocking policy of the service traffic corresponding to the alarm data, and blocking the service traffic corresponding to the DDoS attack alarm data according to the blocking policy thereby improving the timeliness and flexibility of defending against DDoS attacks. Thereby improving the robustness of the cloud platform.
  • FIG. 7 is a schematic structural diagram of a defense system for a DDoS attack according to an embodiment of the present invention.
  • the defense system for the DDoS attack described in this embodiment includes: a DDoS detection device 701 and a DDoS blocking device 702, where:
  • the DDoS detection device 701 is configured to obtain service traffic flowing into the equipment room.
  • the DDoS detection device 701 is further configured to parse the service traffic to obtain DDoS attack alarm data.
  • the DDoS detection device 701 is further configured to send the DDoS attack alarm data to the DDoS blocking device 702.
  • the DDoS blocking device 702 is configured to receive the DDoS attack alarm data.
  • the DDoS blocking device 702 is further configured to match the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data.
  • the DDoS blocking device 702 is further configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • DDoS detection device 701 and the DDoS blocking device 702 of the present embodiment may be specifically implemented according to the method in the foregoing method embodiment.
  • specific implementation process reference may be made to the related description of the foregoing method embodiment, where Let me repeat.
  • the DDoS detection device parses the service traffic flowing into the equipment room to obtain the DDoS attack alarm data, and sends the DDoS attack alarm data to the DDoS blocking device, and the DDoS blocking device binds the DDoS attack alarm data and the DDoS blocking rule.
  • the matching is performed to obtain the blocking policy for the service traffic corresponding to the DDoS attack alarm data, and then the traffic corresponding to the DDoS attack alarm data is blocked according to the blocking policy, thereby improving the timeliness of defending the DDoS attack. And flexibility to increase the robustness of the cloud platform.
  • a computer storage medium of an embodiment of the invention may be a memory comprising a computer program executable by a processor of the data processing apparatus to perform the steps of the method of the previous embodiments.
  • the computer storage medium may be FRAM, ROM, PROM, EPROM, A memory such as an EEPROM, a Flash Memory, a magnetic surface memory, an optical disk, or a CD-ROM; or a device including one or any combination of the above memories, such as a mobile phone, a computer, a tablet device, a personal digital assistant, or the like.
  • the computer readable storage medium having stored thereon a computer program that, when executed by the processor, performs the steps of a defense method of a DDoS attack as follows.
  • the computer program is located on the side of the DDoS blocking device and, when executed by the processor, executes:
  • the distributed denial of service DDoS blocking device receives the DDoS attack alarm data sent by the DDoS detection device, and the DDoS attack alarm data is obtained by parsing the service traffic flowing into the equipment room by the DDoS detecting device;
  • the DDoS blocking device matches the DDoS attack alarm data with the DDoS blocking rule to obtain a blocking strategy for the service traffic corresponding to the DDoS attack alarm data;
  • the DDoS blocking device blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  • the computer program is located on the DDoS blocking device side, and when executed by the processor, further executes:
  • the DDoS blocking device compares the service traffic of the destination IP with the blocking threshold and the security threshold of the equipment room;
  • the DDoS blocking device determines that the blocking policy for the traffic corresponding to the DDoS attack alarm data is a notification station.
  • the equipment room blocks the traffic of the destination IP.
  • the computer program is located on the DDoS blocking device side, and when executed by the processor, further executes:
  • the DDoS blocking device determines that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is the service of the joint operator to the destination IP. The flow is blocked.
  • the computer program is located on the DDoS blocking device side, and when executed by the processor, further executes:
  • the DDoS blocking device obtains a plurality of destination IPs corresponding to the DDoS attack alarm data with the same alarm time for the target carrier exit of the equipment room, and the sum of the service flows of the multiple destination IPs and the target operator Comparing the corresponding blocking thresholds, where the target operator outlet is any one of the operator outlets included in the equipment room;
  • the DDoS blocking device if the sum of the traffic flows of the multiple destination IPs is greater than or equal to the blocking threshold, the DDoS blocking device according to the customer type and service traffic size corresponding to the multiple destination IPs, from the multiple Determining the destination IP to be blocked in the destination IP;
  • the blocking policy of the DDoS blocking device for determining the service traffic corresponding to the DDoS attack alarm data is that the joint operator blocks the service traffic of the destination IP to be blocked.
  • the computer program is located on the DDoS detection device side and, when executed by the processor, executes:
  • the DDoS detection device obtains the traffic flow into the equipment room
  • the DDoS detection device parses the service traffic to obtain DDoS attack alarm data
  • the DDoS detection device sends the DDoS attack alarm data to the DDoS blocking device, so that the DDoS blocking device determines a blocking strategy for the traffic flow corresponding to the DDoS attack alarm data according to the DDoS blocking rule, and according to The blocking strategy is as described
  • the service traffic corresponding to the DDoS attack alarm data is blocked.
  • the computer program is located on the DDoS detection device side, and when executed by the processor, further executes:
  • the DDoS detection device parses the service packet according to the specification of the network protocol stack, and generates DDoS attack alarm data.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
  • the DDoS blocking device receives the DDoS attack alarm data sent by the DDoS detecting device, and the DDoS attacking alarm data is obtained by the DDoS detecting device by parsing the service traffic flowing into the equipment room, and the DDoS blocking device alarms the DDoS attack.
  • the data is matched with the DDoS blocking rule to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data, and then the service traffic corresponding to the DDoS attack alarm data is blocked according to the blocking policy, thereby improving the DDoS attack. Timeliness and flexibility in defense.

Abstract

Embodiments of the present invention provide a DDoS attack defense method, system, related device and computer storage medium. One DDoS attack defense method includes: a DDoS blocking device receives DDoS attack alarm data sent by a DDoS detection device, matches the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data, and blocks the service traffic corresponding to the DDoS attack alarm data according to that blocking policy.

Description

A DDoS attack defense method, system and related device
Cross-reference to related applications
This application is based on and claims priority from Chinese patent application No. 201611159749.6 filed on 15 December 2016, the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to the field of Internet technology, and in particular to a DDoS attack defense method, system, related device and computer storage medium.
Background
Distributed Denial of Service (DDoS) means using distributed clients to send a large number of seemingly legitimate requests to a service provider, consuming or occupying a large amount of resources for a long time, so as to deny service. There are many kinds of DDoS attacks. The most basic ones include: using reasonable service requests to occupy excessive service resources so that legitimate users cannot get a service response, or sending a huge volume of packets in a short time to congest the upstream communication links of an Internet Data Center (IDC), sharply reducing the available bandwidth and causing normal service traffic to plummet, thereby achieving denial of service. How to defend against DDoS attacks in a timely manner has therefore become an urgent problem.
Summary
Embodiments of the present invention provide a DDoS attack defense method, system, related device and computer storage medium that can improve the timeliness and flexibility of defense against DDoS attacks.
A first aspect of the embodiments of the present invention provides a DDoS attack defense method, including:
A distributed denial of service (DDoS) blocking device receives DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room.
The DDoS blocking device matches the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data.
The DDoS blocking device blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
A second aspect of the embodiments of the present invention provides a DDoS attack defense method, including:
A DDoS detection device obtains the service traffic flowing into an equipment room.
The DDoS detection device parses the service traffic to obtain DDoS attack alarm data.
The DDoS detection device sends the DDoS attack alarm data to a DDoS blocking device, so that the DDoS blocking device determines, according to DDoS blocking rules, a blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
A third aspect of the embodiments of the present invention provides a DDoS blocking device, including:
a receiving module, configured to receive DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room;
an obtaining module, configured to match the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data;
a blocking module, configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
A fourth aspect of the embodiments of the present invention provides a DDoS detection device, including:
an obtaining module, configured to obtain the service traffic flowing into an equipment room;
a parsing module, configured to parse the service traffic to obtain DDoS attack alarm data;
a sending module, configured to send the DDoS attack alarm data to a DDoS blocking device, so that the DDoS blocking device determines, according to DDoS blocking rules, a blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks that service traffic according to the blocking policy.
A fifth aspect of the embodiments of the present invention provides a DDoS attack defense system, including the DDoS blocking device of the third aspect and the DDoS detection device of the fourth aspect.
A sixth aspect of the embodiments of the present invention provides a computer storage medium storing computer-executable instructions for performing the DDoS attack defense method above.
In the embodiments of the present invention, a DDoS blocking device receives DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room; the DDoS blocking device matches the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the corresponding service traffic, and then blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy, which improves the timeliness and flexibility of defense against DDoS attacks.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art could obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic architecture diagram of a DDoS attack defense system according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a DDoS attack defense method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a DDoS blocking device according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of another DDoS blocking device according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a DDoS detection device according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of another DDoS detection device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a DDoS attack defense system according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to FIG. 1, which is a schematic architecture diagram of a DDoS attack defense system according to an embodiment of the present invention, the architecture of the DDoS attack defense system described in this embodiment includes clients, carriers, an equipment room, a DDoS detection cluster and a DDoS blocking system, where:
A carrier can specifically be an Internet Service Provider (ISP).
The equipment room includes at least a router/switch and service servers. The router can specifically be the entry router of the equipment room, for example the Tencent Internet Exchange (TIX) platform, and the switch can specifically be the core switch of the equipment room, for example the Wan Core (WC).
The DDoS detection cluster can specifically be deployed at the entrance of the equipment room and is used for out-of-path real-time mirrored analysis of the service traffic flowing into the equipment room.
The DDoS blocking system is used to block service traffic according to the monitoring and analysis results of the DDoS detection cluster.
In specific implementation, service traffic from clients reaches the entrance of the equipment room through the carrier network and is forwarded to the service servers by network devices such as the entry router or core switch. At the same time, when the service traffic reaches the entry router or core switch, a copy of it can be mirrored in real time by a device such as an optical splitter and sent to the DDoS detection cluster. The DDoS detection cluster parses the service traffic packet by packet according to the specification of the network protocol stack, extracts the packets belonging to the DDoS attack, aggregates them into DDoS attack alarm data, and sends the DDoS attack alarm data to the DDoS blocking system for processing. The DDoS blocking system uses the formulated DDoS blocking rules to make a blocking decision on the DDoS attack alarm data, which includes notifying the entry router or core switch in the equipment room to discard the service traffic corresponding to the DDoS attack alarm data instead of forwarding it to other network devices or service servers in the equipment room, or, jointly with the carrier, discarding the service traffic corresponding to the DDoS attack alarm data before it reaches the equipment room, for example on routers of the backbone network (such as the provincial backbone).
Referring to FIG. 2, which is a schematic flowchart of a DDoS attack defense method according to an embodiment of the present invention, the DDoS attack defense method described in this embodiment includes:
201. A DDoS detection device obtains the service traffic flowing into an equipment room.
The DDoS detection device can generally be deployed at the entrance of the equipment room, and multiple DDoS detection devices can be deployed to form a DDoS detection cluster.
In specific implementation, as the service traffic reaches the equipment room, a copy of it can be mirrored in real time by an optical splitter and delivered to the DDoS detection device.
202. The DDoS detection device parses the service traffic to obtain DDoS attack alarm data.
In specific implementation, the DDoS detection device parses the service traffic packet by packet according to the specification of the network protocol stack, extracts the packets belonging to the DDoS attack, and aggregates them into DDoS attack alarm data. The DDoS attack alarm data can include: attack time, attack type, destination Internet Protocol (IP) address, attack location (such as the attacked equipment room and carrier), and the corresponding service traffic size. The network protocol stack can include Transmission Control Protocol (TCP)/IP, User Datagram Protocol (UDP), and so on.
203. The DDoS detection device sends the DDoS attack alarm data to a DDoS blocking device.
204. The DDoS blocking device receives the DDoS attack alarm data.
The DDoS blocking devices together form the DDoS blocking system.
In some feasible implementations, the DDoS detection device and the DDoS blocking device can also be deployed in an integrated manner, that is, DDoS detection and DDoS blocking are implemented on the same device.
205. The DDoS blocking device matches the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data.
Here, a corresponding blocking threshold can be set according to customer type; if the service traffic carrying the DDoS attack reaches or exceeds that blocking threshold, the customer's ongoing business is seriously threatened. The blocking threshold can be expressed as bandwidth, for example in megabits per second (Mbps). Ordinary customers can have a default blocking threshold; among ordinary customers, large and small customers can further be distinguished by their number of users, each with its own default blocking threshold. For special customers (such as VIP customers and Border Gateway Protocol (BGP) high-defense customers) the blocking threshold can be set individually, allowing customised thresholds, for example set according to the bandwidth the customer has purchased. Ordinary customers may of course also be allowed to apply for an individually set blocking threshold, or to obtain one by paying. In addition, the equipment room can set a safety threshold according to its bandwidth utilisation; if the service traffic carrying the DDoS attack reaches or exceeds that safety threshold, the stability of the cloud platform corresponding to the equipment room is seriously threatened. The blocking policy can include the blocking type, the blocking location, the destination IP and so on; blocking types include notifying the equipment room to perform the blocking and performing the blocking jointly with the carrier; the blocking location is the equipment room or carrier exit to be blocked.
In specific implementation, the DDoS blocking device can make the blocking decision based on the destination IP of the DDoS attack alarm data, specifically: the DDoS blocking device determines the customer type corresponding to the destination IP of the DDoS attack alarm data and obtains the blocking threshold for that customer type; for a special customer, the corresponding blocking threshold is obtained from the cloud platform. The DDoS blocking device compares the service traffic of the destination IP with the blocking threshold and with the safety threshold of the equipment room. If the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the safety threshold of the equipment room, the customer's ongoing business is seriously threatened, and the DDoS blocking device determines that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the service traffic of the destination IP.
In one implementation of the embodiment of the present invention, if the service traffic of the destination IP is greater than or equal to the safety threshold of the equipment room, the customer currently under attack would seriously affect the business of other customers, that is, the stability of the cloud platform corresponding to the equipment room is seriously threatened. In this case the DDoS blocking device determines that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IP jointly with the carrier, that is, to drop the service traffic of the destination IP before it reaches the equipment room.
In some feasible implementations, for a customer whose blocking threshold must be set individually, if the DDoS blocking device cannot obtain the corresponding blocking threshold from the cloud platform, the DDoS blocking device does not process the DDoS attack alarm data received this time, so as to avoid blocking service traffic that is not a DDoS attack and causing the DDoS blocking system to run abnormally, thereby ensuring the stability and reliability of the DDoS blocking system.
At the same time, the DDoS blocking device can make the blocking decision based on the carrier exits of the equipment room. For each carrier connected to the equipment room, a corresponding blocking threshold is set according to its bandwidth utilisation; if the service traffic carrying the DDoS attack that flows through a carrier exit reaches or exceeds the blocking threshold corresponding to that carrier, the business passing through that carrier is seriously affected, and the stability of the cloud platform corresponding to the equipment room is considered seriously threatened. Specifically: for any carrier exit of the equipment room, taking a target carrier exit as an example, the DDoS blocking device obtains the multiple destination IPs corresponding to DDoS attack alarm data with the same alarm time, and compares the sum of the service traffic of those destination IPs with the blocking threshold corresponding to the target carrier. If that sum is greater than or equal to the blocking threshold, the stability of the cloud platform corresponding to the equipment room is seriously threatened; the DDoS blocking device then obtains the customer type and service traffic size corresponding to each of the multiple destination IPs (customer type including customer priority, payment status and so on), ranks them by blocking priority according to factors such as customer priority, payment status and service traffic size, and selects a preset number of destination IPs with higher blocking priority for blocking. In this way the destination IPs to be blocked are determined from among the multiple destination IPs, and the blocking policy for the service traffic corresponding to the DDoS attack alarm data is determined to be blocking the service traffic of the destination IPs to be blocked jointly with the carrier, that is, dropping the service traffic of the destination IPs to be blocked before it reaches the equipment room.
206. The DDoS blocking device blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
In specific implementation, the DDoS blocking device performs the blocking operation according to the blocking type, blocking location, destination IP and other information contained in the blocking policy, including: when the blocking type is notifying the equipment room to perform the blocking, the DDoS blocking device issues, through a blocking interface, a blocking instruction carrying the blocking location, destination IP and other information to the entry router or core switch of the equipment room, so that the entry router or core switch drops the service traffic of the destination IP at that blocking location; when the blocking type is joint blocking with the carrier, the DDoS blocking device calls the blocking interface provided by the carrier so that, according to the blocking location, the service traffic of the destination IP or of the destination IPs to be blocked is dropped before reaching the equipment room, for example on routers of the provincial backbone network.
In some feasible implementations, the DDoS blocking device can push the blocking result (including blocking time, blocked service type, traffic size and so on) to the customer, so that the customer learns of the blocking promptly and can adjust affected business in time. The customer can of course choose whether to enable the blocking-result push service and can receive results only for specified blocking types. In addition, the DDoS blocking device can push blocking anomalies (such as blocking failures) to the operations platform, so that operations staff learn of the anomaly promptly and follow it up, further ensuring the reliability and stability of the DDoS blocking system.
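The two blocking decisions of step 205, carried through on constructed alarm data, as an added example that is not the patent's own code: `per_ip_policy` compares one destination IP against its customer's blocking threshold and the room's safety threshold (and leaves the alarm unprocessed when no threshold could be obtained), and `per_carrier_policy` sums the same-time alarms of one carrier exit against the carrier threshold and ranks the destination IPs. The threshold values, customer records, sample alarms and the ranking order are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alarm:
    """One DDoS attack alarm record with the fields named in step 202."""
    time: str          # attack (alarm) time
    attack_type: str   # e.g. SYN flood
    dst_ip: str        # destination IP under attack
    room: str          # attacked equipment room
    carrier: str       # carrier exit the traffic arrived through
    mbps: float        # corresponding service traffic size in Mbps


@dataclass(frozen=True)
class Customer:
    kind: str                                 # "small", "large" or "special"
    priority: int                             # assumed: larger = more important
    paid: bool                                # payment status
    custom_threshold: Optional[float] = None  # special customers only, from the cloud platform


@dataclass(frozen=True)
class Policy:
    kind: str                 # "notify_room" or "joint_carrier"
    location: str             # blocking location: the room or the carrier exit
    dst_ips: Tuple[str, ...]  # destination IP(s) whose traffic is to be blocked


# Constructed default blocking thresholds (Mbps) for ordinary customers.
DEFAULT_THRESHOLDS = {"small": 1000.0, "large": 5000.0}


def blocking_threshold(customer: Customer) -> Optional[float]:
    """Threshold per customer type; None when a special customer has no value yet."""
    if customer.kind == "special":
        return customer.custom_threshold
    return DEFAULT_THRESHOLDS.get(customer.kind)


def per_ip_policy(alarm: Alarm, customer: Customer,
                  room_safety_mbps: float) -> Optional[Policy]:
    """Destination-IP based decision (step 205, first branch)."""
    threshold = blocking_threshold(customer)
    if threshold is None:
        # No threshold obtainable: leave the alarm unprocessed rather than
        # risk blocking traffic that is not a DDoS attack.
        return None
    if alarm.mbps >= room_safety_mbps:
        # Platform stability threatened: drop jointly with the carrier,
        # before the traffic reaches the equipment room.
        return Policy("joint_carrier", alarm.carrier, (alarm.dst_ip,))
    if alarm.mbps >= threshold:
        # Customer's own business threatened: have the room drop the traffic.
        return Policy("notify_room", alarm.room, (alarm.dst_ip,))
    return None


def per_carrier_policy(alarms: List[Alarm], customers: Dict[str, Customer],
                       carrier: str, carrier_threshold_mbps: float,
                       max_block: int) -> Optional[Policy]:
    """Carrier-exit based decision (step 205, second branch).

    The alarms for the carrier must share one alarm time; max_block is the
    preset number of destination IPs to block.
    """
    group = [a for a in alarms if a.carrier == carrier]
    if not group:
        return None
    if len({a.time for a in group}) != 1:
        raise ValueError("alarms for a carrier decision must share one alarm time")
    if sum(a.mbps for a in group) < carrier_threshold_mbps:
        return None

    def block_rank(a: Alarm):
        # Assumed ordering: less important, unpaid and larger-traffic
        # destination IPs are blocked first.
        c = customers[a.dst_ip]
        return (c.priority, c.paid, -a.mbps)

    ranked = sorted(group, key=block_rank)
    return Policy("joint_carrier", carrier,
                  tuple(a.dst_ip for a in ranked[:max_block]))


# Constructed sample data (hypothetical addresses and values).
ROOM_SAFETY_MBPS = 20000.0
CUSTOMERS = {
    "10.0.0.1": Customer("small", 1, False),
    "10.0.0.2": Customer("large", 2, True),
    "10.0.0.3": Customer("special", 1, True, custom_threshold=8000.0),
    "10.0.0.4": Customer("special", 3, True),   # threshold not yet obtained
}
T = "2016-12-15T10:00:00"
ALARMS = [
    Alarm(T, "SYN flood", "10.0.0.1", "room1", "ISP-A", 6000.0),
    Alarm(T, "UDP flood", "10.0.0.2", "room1", "ISP-A", 3000.0),
    Alarm(T, "SYN flood", "10.0.0.3", "room1", "ISP-A", 2000.0),
]

if __name__ == "__main__":
    for a in ALARMS:
        print(a.dst_ip, per_ip_policy(a, CUSTOMERS[a.dst_ip], ROOM_SAFETY_MBPS))
    print(per_carrier_policy(ALARMS, CUSTOMERS, "ISP-A", 10000.0, 2))
```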
In the embodiment of the present invention, the DDoS detection device parses the service traffic flowing into the equipment room to obtain DDoS attack alarm data and sends it to the DDoS blocking device; the DDoS blocking device matches the DDoS attack alarm data against the DDoS blocking rules to obtain the blocking policy for the corresponding service traffic, and then blocks the service traffic corresponding to the DDoS attack alarm data according to that blocking policy, which improves the timeliness and flexibility of defense against DDoS attacks and thereby the robustness of the cloud platform.
Referring to FIG. 3, which is a schematic structural diagram of a DDoS blocking device according to an embodiment of the present invention, the DDoS blocking device described in this embodiment includes:
a receiving module 301, configured to receive DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room;
an obtaining module 302, configured to match the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data;
a blocking module 303, configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
In some feasible implementations, the obtaining module 302 includes:
an obtaining unit 3020, configured to determine the customer type corresponding to the destination IP of the DDoS attack alarm data and obtain the blocking threshold corresponding to that customer type;
a comparison unit 3021, configured to compare the service traffic of the destination IP with the blocking threshold and with the safety threshold of the equipment room;
a determining unit 3022, configured to determine, if the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the safety threshold, that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the service traffic of the destination IP.
In some feasible implementations, the determining unit 3022 is further configured to determine, if the service traffic of the destination IP is greater than or equal to the safety threshold, that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IP jointly with the carrier.
In some feasible implementations, the obtaining unit 3020 is configured to obtain, for a target carrier exit of the equipment room, the multiple destination IPs corresponding to DDoS attack alarm data with the same alarm time, where the target carrier exit is any one of the carrier exits included in the equipment room.
The comparison unit 3021 is configured to compare the sum of the service traffic of the multiple destination IPs with the blocking threshold corresponding to the target carrier.
The determining unit 3022 is configured to determine, if the sum of the service traffic of the multiple destination IPs is greater than or equal to the blocking threshold, the destination IPs to be blocked from among the multiple destination IPs according to the customer type and service traffic size corresponding to each of them.
The determining unit 3022 is further configured to determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IPs to be blocked jointly with the carrier.
It can be understood that the functions of the functional modules and units of the DDoS blocking device of this embodiment can be implemented according to the method in the foregoing method embodiment; for the specific implementation process, reference may be made to the related description of the foregoing method embodiment, which is not repeated here.
In the embodiment of the present invention, the DDoS blocking device receives the DDoS attack alarm data sent by the DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into the equipment room; the DDoS blocking device matches the DDoS attack alarm data against the DDoS blocking rules to obtain the blocking policy for the corresponding service traffic, and then blocks the service traffic corresponding to the DDoS attack alarm data according to that blocking policy, which improves the timeliness and flexibility of defense against DDoS attacks and thereby the robustness of the cloud platform.
Referring to FIG. 4, which is a schematic structural diagram of another DDoS blocking device according to an embodiment of the present invention, the DDoS blocking device described in this embodiment includes a processor 401, a network interface 402 and a memory 403. The processor 401, the network interface 402 and the memory 403 can be connected by a bus or in other ways; the embodiment takes connection by a bus as an example.
The processor 401 (or Central Processing Unit, CPU) is the computing core and control core of the DDoS blocking device. The network interface 402 can optionally include a standard wired interface or a wireless interface (such as WI-FI or a mobile communication interface), and is controlled by the processor 401 for transmitting and receiving data. The memory 403 (Memory) is the storage device of the DDoS blocking device, used for storing programs and data. It can be understood that the memory 403 here may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory; optionally, it may also be at least one storage device located remotely from the processor 401. The memory 403 provides a storage space that stores the operating system and executable program code of the DDoS blocking device, which may include, but is not limited to, a Windows system (an operating system), a Linux system (an operating system), and so on; the invention is not limited in this respect.
In the embodiment of the present invention, the processor 401 performs the following operations by running the executable program code in the memory 403:
the network interface 402 is configured to receive DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room;
the processor 401 is configured to match the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data;
the processor 401 is further configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
In some feasible implementations, the processor 401 is specifically configured to:
determine the customer type corresponding to the destination IP of the DDoS attack alarm data and obtain the blocking threshold corresponding to that customer type;
compare the service traffic of the destination IP with the blocking threshold and with the safety threshold of the equipment room;
if the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the safety threshold, determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the service traffic of the destination IP.
In some feasible implementations, the processor 401 is further specifically configured to: if the service traffic of the destination IP is greater than or equal to the safety threshold, determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IP jointly with the carrier.
In some feasible implementations, the processor 401 is specifically configured to:
obtain, for a target carrier exit of the equipment room, the multiple destination IPs corresponding to DDoS attack alarm data with the same alarm time, where the target carrier exit is any one of the carrier exits included in the equipment room;
compare the sum of the service traffic of the multiple destination IPs with the blocking threshold corresponding to the target carrier;
if the sum of the service traffic of the multiple destination IPs is greater than or equal to the blocking threshold, determine the destination IPs to be blocked from among the multiple destination IPs according to the customer type and service traffic size corresponding to each of them;
determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IPs to be blocked jointly with the carrier.
In specific implementation, the processor 401, the network interface 402 and the memory 403 described in the embodiment of the present invention can perform the implementation described in the DDoS attack defense method provided by the embodiment of the present invention, and can also perform the implementation described in the DDoS blocking device provided by the embodiment of the present invention; details are not repeated here.
In the embodiment of the present invention, the DDoS blocking device receives the DDoS attack alarm data sent by the DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into the equipment room; the DDoS blocking device matches the DDoS attack alarm data against the DDoS blocking rules to obtain the blocking policy for the corresponding service traffic, and then blocks the service traffic corresponding to the DDoS attack alarm data according to that blocking policy, which improves the timeliness and flexibility of defense against DDoS attacks and thereby the robustness of the cloud platform.
Referring to FIG. 5, which is a schematic structural diagram of a DDoS detection device according to an embodiment of the present invention, the DDoS detection device described in this embodiment includes:
an obtaining module 501, configured to obtain the service traffic flowing into an equipment room;
a parsing module 502, configured to parse the service traffic to obtain DDoS attack alarm data;
a sending module 503, configured to send the DDoS attack alarm data to a DDoS blocking device, so that the DDoS blocking device determines, according to DDoS blocking rules, a blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks that service traffic according to the blocking policy.
In some feasible implementations, the parsing module 502 is specifically configured to:
parse the packets of the service traffic according to the specification of the network protocol stack and generate DDoS attack alarm data.
It can be understood that the functions of the functional modules and units of the DDoS detection device of this embodiment can be implemented according to the method in the foregoing method embodiment; for the specific implementation process, reference may be made to the related description of the foregoing method embodiment, which is not repeated here.
In the embodiment of the present invention, the DDoS detection device parses the service traffic flowing into the equipment room to obtain DDoS attack alarm data and sends it to the DDoS blocking device, so that the DDoS blocking device determines, according to the DDoS blocking rules, the blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks that service traffic according to the blocking policy, which improves the timeliness and flexibility of defense against DDoS attacks and thereby the robustness of the cloud platform.
Referring to FIG. 6, which is a schematic structural diagram of another DDoS detection device according to an embodiment of the present invention, the DDoS detection device described in this embodiment includes a processor 601, a network interface 602 and a memory 603. The processor 601, the network interface 602 and the memory 603 can be connected by a bus or in other ways; the embodiment takes connection by a bus as an example.
The processor 601 (or Central Processing Unit, CPU) is the computing core and control core of the DDoS detection device. The network interface 602 can optionally include a standard wired interface or a wireless interface (such as WI-FI or a mobile communication interface), and is controlled by the processor 601 for transmitting and receiving data. The memory 603 (Memory) is the storage device of the DDoS detection device, used for storing programs and data. It can be understood that the memory 603 here may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory; optionally, it may also be at least one storage device located remotely from the processor 601. The memory 603 provides a storage space that stores the operating system and executable program code of the DDoS detection device, which may include, but is not limited to, a Windows system (an operating system), a Linux system (an operating system), and so on; the invention is not limited in this respect.
In the embodiment of the present invention, the processor 601 performs the following operations by running the executable program code in the memory 603:
the network interface 602 is configured to obtain the service traffic flowing into an equipment room;
the processor 601 is configured to parse the service traffic to obtain DDoS attack alarm data;
the network interface 602 is further configured to send the DDoS attack alarm data to a DDoS blocking device, so that the DDoS blocking device determines, according to DDoS blocking rules, a blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks that service traffic according to the blocking policy.
In some feasible implementations, the processor 601 is specifically configured to:
parse the packets of the service traffic according to the specification of the network protocol stack and generate DDoS attack alarm data.
In specific implementation, the processor 601, the network interface 602 and the memory 603 described in the embodiment of the present invention can perform the implementation described in the DDoS attack defense method provided by the embodiment of the present invention, and can also perform the implementation described in the DDoS detection device provided by the embodiment of the present invention; details are not repeated here.
In the embodiment of the present invention, the DDoS detection device parses the service traffic flowing into the equipment room to obtain DDoS attack alarm data and sends it to the DDoS blocking device, so that the DDoS blocking device determines, according to the DDoS blocking rules, the blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks that service traffic according to the blocking policy, which improves the timeliness and flexibility of defense against DDoS attacks and thereby the robustness of the cloud platform.
Referring to FIG. 7, which is a schematic structural diagram of a DDoS attack defense system according to an embodiment of the present invention, the DDoS attack defense system described in this embodiment includes a DDoS detection device 701 and a DDoS blocking device 702, where:
the DDoS detection device 701 is configured to obtain the service traffic flowing into an equipment room;
the DDoS detection device 701 is further configured to parse the service traffic to obtain DDoS attack alarm data;
the DDoS detection device 701 is further configured to send the DDoS attack alarm data to the DDoS blocking device 702;
the DDoS blocking device 702 is configured to receive the DDoS attack alarm data;
the DDoS blocking device 702 is further configured to match the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data;
the DDoS blocking device 702 is further configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
It can be understood that the functions of the DDoS detection device 701 and the DDoS blocking device 702 of this embodiment can be implemented according to the method in the foregoing method embodiment; for the specific implementation process, reference may be made to the related description of the foregoing method embodiment, which is not repeated here.
In the embodiment of the present invention, the DDoS detection device parses the service traffic flowing into the equipment room to obtain DDoS attack alarm data and sends it to the DDoS blocking device; the DDoS blocking device matches the DDoS attack alarm data against the DDoS blocking rules to obtain the blocking policy for the corresponding service traffic, and then blocks the service traffic corresponding to the DDoS attack alarm data according to that blocking policy, which improves the timeliness and flexibility of defense against DDoS attacks and thereby the robustness of the cloud platform.
A computer storage medium of an embodiment of the invention may be a memory comprising a computer program executable by a processor of a data processing apparatus to perform the steps of the method of the foregoing embodiments. The computer storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk or CD-ROM; it may also be any device including one or any combination of the above memories, such as a mobile phone, a computer, a tablet device, a personal digital assistant, and so on.
The computer readable storage medium has stored thereon a computer program that, when executed by the processor, performs the steps of the DDoS attack defense method as follows.
In one embodiment, the computer program is located on the DDoS blocking device side and, when executed by the processor, executes:
a distributed denial of service (DDoS) blocking device receives DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room;
the DDoS blocking device matches the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data;
the DDoS blocking device blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
In one embodiment, the computer program is located on the DDoS blocking device side and, when executed by the processor, further executes:
the DDoS blocking device determines the customer type corresponding to the destination Internet Protocol (IP) address of the DDoS attack alarm data and obtains the blocking threshold corresponding to that customer type;
the DDoS blocking device compares the service traffic of the destination IP with the blocking threshold and with the safety threshold of the equipment room;
if the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the safety threshold, the DDoS blocking device determines that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the service traffic of the destination IP.
In one embodiment, the computer program is located on the DDoS blocking device side and, when executed by the processor, further executes:
if the service traffic of the destination IP is greater than or equal to the safety threshold, the DDoS blocking device determines that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IP jointly with the carrier.
In one embodiment, the computer program is located on the DDoS blocking device side and, when executed by the processor, further executes:
for a target carrier exit of the equipment room, the DDoS blocking device obtains the multiple destination IPs corresponding to DDoS attack alarm data with the same alarm time and compares the sum of the service traffic of the multiple destination IPs with the blocking threshold corresponding to the target carrier, where the target carrier exit is any one of the carrier exits included in the equipment room;
if the sum of the service traffic of the multiple destination IPs is greater than or equal to the blocking threshold, the DDoS blocking device determines the destination IPs to be blocked from among the multiple destination IPs according to the customer type and service traffic size corresponding to each of them;
the DDoS blocking device determines that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IPs to be blocked jointly with the carrier.
In one embodiment, the computer program is located on the DDoS detection device side and, when executed by the processor, executes:
a DDoS detection device obtains the service traffic flowing into an equipment room;
the DDoS detection device parses the service traffic to obtain DDoS attack alarm data;
the DDoS detection device sends the DDoS attack alarm data to a DDoS blocking device, so that the DDoS blocking device determines, according to DDoS blocking rules, a blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks that service traffic according to the blocking policy.
In one embodiment, the computer program is located on the DDoS detection device side and, when executed by the processor, further executes:
the DDoS detection device parses the packets of the service traffic according to the specification of the network protocol stack and generates DDoS attack alarm data.
A person of ordinary skill in the art can understand that all or part of the processes of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program can be stored in a computer readable storage medium and, when executed, can include the processes of the embodiments of the above methods. The storage medium can be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), and so on.
What is disclosed above is only a preferred embodiment of the present invention and certainly cannot be used to limit the scope of rights of the present invention. A person of ordinary skill in the art can understand all or part of the processes for implementing the above embodiments, and equivalent changes made according to the claims of the present invention still fall within the scope covered by the invention.
Industrial applicability
With the embodiments of the present invention, a DDoS blocking device receives DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room; the DDoS blocking device matches the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the corresponding service traffic, and then blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy, which improves the timeliness and flexibility of defense against DDoS attacks.

Claims (14)

  1. A DDoS attack defense method, comprising:
    a distributed denial of service (DDoS) blocking device receiving DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room;
    the DDoS blocking device matching the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data;
    the DDoS blocking device blocking the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  2. The method according to claim 1, wherein the DDoS blocking device matching the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data comprises:
    the DDoS blocking device determining the customer type corresponding to the destination Internet Protocol (IP) address of the DDoS attack alarm data and obtaining the blocking threshold corresponding to the customer type;
    the DDoS blocking device comparing the service traffic of the destination IP with the blocking threshold and with the safety threshold of the equipment room;
    if the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the safety threshold, the DDoS blocking device determining that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the service traffic of the destination IP.
  3. The method according to claim 2, wherein the method further comprises:
    if the service traffic of the destination IP is greater than or equal to the safety threshold, the DDoS blocking device determining that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IP jointly with the carrier.
  4. The method according to claim 1, wherein the DDoS blocking device matching the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data comprises:
    for a target carrier exit of the equipment room, the DDoS blocking device obtaining the multiple destination IPs corresponding to DDoS attack alarm data with the same alarm time and comparing the sum of the service traffic of the multiple destination IPs with the blocking threshold corresponding to the target carrier, the target carrier exit being any one of the carrier exits included in the equipment room;
    if the sum of the service traffic of the multiple destination IPs is greater than or equal to the blocking threshold, the DDoS blocking device determining the destination IPs to be blocked from among the multiple destination IPs according to the customer type and service traffic size corresponding to each of the multiple destination IPs;
    the DDoS blocking device determining that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IPs to be blocked jointly with the carrier.
  5. A DDoS attack defense method, comprising:
    a DDoS detection device obtaining the service traffic flowing into an equipment room;
    the DDoS detection device parsing the service traffic to obtain DDoS attack alarm data;
    the DDoS detection device sending the DDoS attack alarm data to a DDoS blocking device, so that the DDoS blocking device determines, according to DDoS blocking rules, a blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  6. The method according to claim 5, wherein the DDoS detection device parsing the service traffic to obtain DDoS attack alarm data comprises:
    the DDoS detection device parsing the packets of the service traffic according to the specification of the network protocol stack and generating DDoS attack alarm data.
  7. A DDoS blocking device, comprising:
    a receiving module, configured to receive DDoS attack alarm data sent by a DDoS detection device, the DDoS attack alarm data being obtained by the DDoS detection device by parsing the service traffic flowing into an equipment room;
    an obtaining module, configured to match the DDoS attack alarm data against DDoS blocking rules to obtain a blocking policy for the service traffic corresponding to the DDoS attack alarm data;
    a blocking module, configured to block the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  8. The DDoS blocking device according to claim 7, wherein the obtaining module comprises:
    an obtaining unit, configured to determine the customer type corresponding to the destination IP of the DDoS attack alarm data and obtain the blocking threshold corresponding to the customer type;
    a comparison unit, configured to compare the service traffic of the destination IP with the blocking threshold and with the safety threshold of the equipment room;
    a determining unit, configured to determine, if the service traffic of the destination IP is greater than or equal to the blocking threshold and less than the safety threshold, that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to notify the equipment room to block the service traffic of the destination IP.
  9. The DDoS blocking device according to claim 8, wherein
    the determining unit is further configured to determine, if the service traffic of the destination IP is greater than or equal to the safety threshold, that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IP jointly with the carrier.
  10. The DDoS blocking device according to claim 7, wherein the obtaining module comprises:
    an obtaining unit, configured to obtain, for a target carrier exit of the equipment room, the multiple destination IPs corresponding to DDoS attack alarm data with the same alarm time, the target carrier exit being any one of the carrier exits included in the equipment room;
    a comparison unit, configured to compare the sum of the service traffic of the multiple destination IPs with the blocking threshold corresponding to the target carrier;
    a determining unit, configured to determine, if the sum of the service traffic of the multiple destination IPs is greater than or equal to the blocking threshold, the destination IPs to be blocked from among the multiple destination IPs according to the customer type and service traffic size corresponding to each of the multiple destination IPs;
    the determining unit being further configured to determine that the blocking policy for the service traffic corresponding to the DDoS attack alarm data is to block the service traffic of the destination IPs to be blocked jointly with the carrier.
  11. A DDoS detection device, comprising:
    an obtaining module, configured to obtain the service traffic flowing into an equipment room;
    a parsing module, configured to parse the service traffic to obtain DDoS attack alarm data;
    a sending module, configured to send the DDoS attack alarm data to a DDoS blocking device, so that the DDoS blocking device determines, according to DDoS blocking rules, a blocking policy for the service traffic corresponding to the DDoS attack alarm data and blocks the service traffic corresponding to the DDoS attack alarm data according to the blocking policy.
  12. The DDoS detection device according to claim 11, wherein the parsing module is specifically configured to:
    parse the packets of the service traffic according to the specification of the network protocol stack and generate DDoS attack alarm data.
  13. A DDoS attack defense system, comprising the DDoS blocking device according to any one of claims 7 to 10 and the DDoS detection device according to claim 11 or 12.
  14. A computer storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the DDoS attack defense method according to any one of claims 1 to 4 and claims 5 to 6.
PCT/CN2017/115494 2016-12-15 2017-12-11 A DDoS attack defense method, system and related device WO2018108052A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/372,113 US10771501B2 (en) 2016-12-15 2019-04-01 DDoS attack defense method, system, and related device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611159749.6 2016-12-15
CN201611159749.6A CN108234404B (zh) 2016-12-15 2016-12-15 A DDoS attack defense method, system and related device

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/372,113 Continuation US10771501B2 (en) 2016-12-15 2019-04-01 DDoS attack defense method, system, and related device

Publications (1)

Publication Number Publication Date
WO2018108052A1 true WO2018108052A1 (zh) 2018-06-21

Family

ID=62557944

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/115494 WO2018108052A1 (zh) 2016-12-15 2017-12-11 A DDoS attack defense method, system and related device

Country Status (3)

Country Link
US (1) US10771501B2 (zh)
CN (1) CN108234404B (zh)
WO (1) WO2018108052A1 (zh)

Also Published As

Publication number Publication date
US10771501B2 (en) 2020-09-08
CN108234404B (zh) 2020-08-25
CN108234404A (zh) 2018-06-29
US20190230118A1 (en) 2019-07-25

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17880311

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17880311

Country of ref document: EP

Kind code of ref document: A1