CN102420825B - Network attack defense and detection method and system thereof - Google Patents


Info

Publication number: CN102420825B
Application number: CN201110391968.8A
Authority: CN (China)
Prior art keywords: flow, host apparatus, abnormal flow, networking system, subject
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102420825A
Inventor: 陈佑建
Current Assignee: Beijing Star Net Ruijie Networks Co Ltd
Original Assignee: Beijing Star Net Ruijie Networks Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a network attack defense and detection method and a system thereof. The method comprises the following steps: a first master device determines its own first present abnormal traffic; when the first present abnormal traffic is greater than or equal to a first traffic threshold and less than a second traffic threshold, the first master device transfers to a second master device the abnormal traffic obtained by deducting a third traffic threshold from the first present abnormal traffic; the second master device determines its own second present abnormal traffic, which includes the abnormal traffic transferred by the first master device; when the second present abnormal traffic is greater than a fourth traffic threshold, the dual-machine hot standby networking system is determined to be under a traffic attack, and when the second present abnormal traffic is less than the fourth traffic threshold, the system is determined not to be under a traffic attack. The scheme provided in an embodiment of the invention raises the accuracy with which the master devices perform network attack defense and detection.

Description

Network attack defense detection method and system
Technical field
The present invention relates to information security technology within the field of computer technology, and in particular to a network attack defense detection method and system.
Background art
Network security threats are growing more serious by the day. The firewall, as the first line of defense in network security protection, can effectively resist attacks such as scanning and probing and denial of service, and protect the normal operation of the internal network and its systems. To avoid the risk that a single point of failure in the firewall interrupts the network, dual-machine hot standby networking is commonly used to raise network reliability. The two firewall devices in a dual-machine hot standby deployment are interconnected over a dedicated link, which is used to synchronize session entries: each device backs up its own session entries to the other. When one device fails, traffic can be switched quickly to the other device, and because that device holds the backed-up session entries, the switched traffic continues to be processed and service is not interrupted.
Dual-machine hot standby networking can be further divided into active-standby mode (Active-Standby) and active-active mode (Active-Active). In active-standby mode the master device processes all of the traffic and the standby device only backs it up. In active-active mode both devices are master devices that process traffic and back each other up; when one master device fails, the other continues to process all of the traffic. Active-active mode is therefore in essence a networking application that adds traffic load sharing on top of active-standby mode in order to raise device utilization.
Figure 1 shows two master firewall devices deployed in active-active dual-machine hot standby networking. Processing of the service traffic exchanged between user terminals and servers is load-balanced between the first master firewall device and the second master firewall device; each master firewall device processes its own share of the service traffic, and the two back up session entries to each other.
In the prior art, in order to process the service traffic passing through it stably and efficiently, a firewall device performs network attack defense detection, for example against scanning and probing, SYN FLOOD attacks, FLOW FLOOD attacks and other traffic-attack patterns. Specifically, a traffic threshold is preset: when the abnormal traffic reaches this traffic threshold, the device is considered to be under a traffic attack, and when the abnormal traffic does not reach it, the device is considered not to be under a traffic attack.
At present, in a dual-machine hot standby networking system the two master devices each perform network attack defense detection independently, for example against the same traffic threshold on both devices, where that threshold may be half of the default traffic threshold a single master device would use when processing all of the service traffic. When abnormal network traffic is load-balanced across the two master devices and each performs attack defense detection independently, uneven load balancing can cause the first master device to receive far more abnormal traffic than the second master device. The first master device then determines from the traffic threshold that it is under attack, while the second master device determines that it is not, even though the sum of the abnormal traffic received by the two master devices may not reach that traffic threshold, that is, the system is in fact not under a traffic attack. The detection result does not match the actual situation, so the detection result is inaccurate.
Moreover, when one of the two master devices fails and the other master device takes over the entire load, detection against that same traffic threshold also produces an inaccurate detection result.
Summary of the invention
The embodiments of the present invention provide a network attack defense detection method and system, in order to solve the prior-art problem that master devices in an active-active dual-machine hot standby networking system perform network attack defense detection inaccurately.
An embodiment of the present invention provides a network attack defense detection method, comprising:
a first master device determines its own first current abnormal traffic; and
when the first current abnormal traffic is greater than or equal to a first traffic threshold and less than a second traffic threshold, the first master device transfers the portion of the first current abnormal traffic that exceeds a third traffic threshold to a second master device, where the second traffic threshold is greater than the first traffic threshold, the third traffic threshold is the first traffic threshold minus an adjustment threshold, and the second master device and the first master device are the two master devices of a dual-machine hot standby networking system;
the second master device determines its own second current abnormal traffic, which includes the abnormal traffic transferred by the first master device; and
when the second current abnormal traffic is greater than or equal to a fourth traffic threshold, the dual-machine hot standby networking system is determined to be under a traffic attack, and when the second current abnormal traffic is less than the fourth traffic threshold, the dual-machine hot standby networking system is determined not to be under a traffic attack, where the fourth traffic threshold is the first traffic threshold plus the adjustment threshold.
An embodiment of the present invention also provides a network attack defense detection system, comprising a first master device and a second master device in a dual-machine hot standby networking system, wherein:
the first master device is configured to determine its own first current abnormal traffic, and, when the first current abnormal traffic is greater than or equal to a first traffic threshold and less than a second traffic threshold, to transfer the portion of the first current abnormal traffic that exceeds a third traffic threshold to the second master device, where the second traffic threshold is greater than the first traffic threshold and the third traffic threshold is the first traffic threshold minus an adjustment threshold;
the second master device is configured to determine its own second current abnormal traffic, which includes the abnormal traffic transferred by the first master device, and, when the second current abnormal traffic is greater than or equal to a fourth traffic threshold, to determine that the dual-machine hot standby networking system is under a traffic attack, and when the second current abnormal traffic is less than the fourth traffic threshold, to determine that the dual-machine hot standby networking system is not under a traffic attack, where the fourth traffic threshold is the first traffic threshold plus the adjustment threshold.
Beneficial effects of the present invention include:
In the method provided by the embodiments of the present invention, when the first current abnormal traffic of the first master device is greater than or equal to the first traffic threshold and less than the second traffic threshold, the portion of the first current abnormal traffic exceeding the third traffic threshold is transferred to the second master device, and the second master device then determines whether its own second current abnormal traffic is greater than or equal to the fourth traffic threshold: if so, it determines that the dual-machine hot standby networking system is under a traffic attack; if not, it determines that the dual-machine hot standby networking system is not under a traffic attack. Since the third traffic threshold and the fourth traffic threshold sum to twice the first traffic threshold, whenever a traffic attack is determined the abnormal traffic of the two master devices sums to at least twice the first traffic threshold; attack defense detection is therefore in essence performed on the sum of the abnormal traffic of both master devices. Compared with the prior-art scheme in which each master device independently performs attack defense detection on its own abnormal traffic alone, the accuracy of the detection result is improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of two master firewall devices deployed in active-active dual-machine hot standby networking;
Fig. 2 is a flow chart of the network attack defense detection method provided by an embodiment of the present invention;
Fig. 3 is a flow chart of the network attack defense detection method provided in Embodiment 1 of the present invention;
Fig. 4 is a schematic structural diagram of the network attack defense detection system provided in Embodiment 2 of the present invention.
Detailed description of the embodiments
In order to provide an implementation that improves the accuracy with which master devices in an active-active dual-machine hot standby networking system perform network attack defense detection, the embodiments of the present invention provide a network attack defense detection method and system. Preferred embodiments of the present invention are described below in conjunction with the drawings. It should be understood that the preferred embodiments described here serve only to describe and explain the present invention and are not intended to limit it. Where no conflict arises, the embodiments of this application and the features of those embodiments may be combined with one another.
An embodiment of the present invention provides a network attack defense detection method which, as shown in Fig. 2, comprises:
Step S201: the first master device determines its own first current abnormal traffic.
Step S202: when the first current abnormal traffic is greater than or equal to the first traffic threshold and less than the second traffic threshold, the first master device transfers the portion of the first current abnormal traffic that exceeds the third traffic threshold to the second master device, where the second traffic threshold is greater than the first traffic threshold, the third traffic threshold is the first traffic threshold minus the adjustment threshold, and the second master device and the first master device are the two master devices of the dual-machine hot standby networking system.
Step S203: the second master device determines its own second current abnormal traffic, which includes the abnormal traffic transferred by the first master device.
Step S204: when the second current abnormal traffic is greater than or equal to the fourth traffic threshold, the dual-machine hot standby networking system is determined to be under a traffic attack, and when the second current abnormal traffic is less than the fourth traffic threshold, the dual-machine hot standby networking system is determined not to be under a traffic attack, where the fourth traffic threshold is the first traffic threshold plus the adjustment threshold.
Preferably, before the first master device determines whether the first current abnormal traffic is greater than or equal to the first traffic threshold, the method further comprises: the first master device determines that the second master device is in a normal state. That is, the attack defense detection method of steps S201 to S204 above is carried out while the second master device is operating normally. Correspondingly, if the second master device is in an abnormal state, attack defense detection is carried out with the following steps:
the first master device determines whether the first current abnormal traffic is greater than or equal to the second traffic threshold;
if so, the first master device determines that the dual-machine hot standby networking system is under a traffic attack;
if it is less, the first master device determines that the dual-machine hot standby networking system is not under a traffic attack.
The method provided by the invention and the corresponding system are described in detail below with specific embodiments, in conjunction with the drawings.
Embodiment 1:
Figure 3 is a flow chart of the network attack defense detection method provided in Embodiment 1 of the present invention, which comprises the following processing steps:
Step S301: the first master device in the dual-machine hot standby networking system determines, based on a preset state detection mechanism, whether the second master device in the system is in a normal state, for example by heartbeat detection.
If the second master device is in a normal state, proceed to step S302; if it is in an abnormal state, proceed to step S312.
Step S302: having detected that the second master device is in a normal state, the first master device decides to enter the first attack defense detection mechanism, which is carried out by steps S303 to S307 below.
Step S303: the first master device determines its own current abnormal traffic (for ease of distinction, the current abnormal traffic of the first master device is hereinafter called the first current abnormal traffic) and judges whether the first current abnormal traffic is greater than or equal to the first traffic threshold. If it is less than the first traffic threshold, proceed to step S304; if it is greater than or equal to the first traffic threshold, proceed to step S305.
In this step, deciding which part of the traffic received by the device is abnormal traffic may use any of the various abnormal-traffic decision mechanisms of the prior art, which are not described further here.
In the embodiments of the present invention, a detection period may be preset, and this step is triggered when the detection period arrives.
Step S304: the first master device determines that the dual-machine hot standby networking system is not under a traffic attack.
Step S305: the first master device judges whether the first current abnormal traffic is greater than or equal to the second traffic threshold. If so, proceed to step S306; if it is less than the second traffic threshold, proceed to step S307.
The second traffic threshold is greater than the first traffic threshold; preferably, the second traffic threshold may be set to twice the first traffic threshold.
Step S306: the first master device determines that the dual-machine hot standby networking system is under a traffic attack.
Step S307: the first master device transfers the portion of the first current abnormal traffic that exceeds the third traffic threshold to the second master device, where the third traffic threshold is the first traffic threshold minus the adjustment threshold.
The adjustment threshold may be set to 0, in which case what is transferred to the second master device is in essence the portion of the first current abnormal traffic that exceeds the first traffic threshold.
Preferably, the adjustment threshold is set to a non-zero value. For example, when traffic is characterized by the number of packets transmitted per second, the adjustment threshold may be set to 1, so that when the first current abnormal traffic exactly equals the first traffic threshold, the subsequent processing flow of joint attack defense detection with the second master device is still triggered.
Step S308: on receiving the abnormal traffic transferred by the first master device, the second master device decides to enter the second attack defense detection mechanism, which is carried out by steps S309 to S311 below.
Step S309: the second master device determines its own current abnormal traffic (for ease of distinction, the current abnormal traffic of the second master device is hereinafter called the second current abnormal traffic), which at this point includes the abnormal traffic transferred by the first master device, and judges whether the second current abnormal traffic is greater than or equal to the fourth traffic threshold. If it is less than the fourth traffic threshold, proceed to step S310; if it is greater than or equal to the fourth traffic threshold, proceed to step S311.
The fourth traffic threshold is the first traffic threshold plus the above adjustment threshold.
Step S310: the second master device determines that the dual-machine hot standby networking system is not under a traffic attack.
Preferably, in this step the second master device may also inform the first master device of the attack defense detection result. Specifically, the second master device returns all of the abnormal traffic transferred by the first master device back to the first master device; correspondingly, the first master device, on finding that the abnormal traffic returned by the second master device is the entirety of the abnormal traffic it previously transferred to the second master device, determines that the dual-machine hot standby networking system is not under a traffic attack.
Step S311: the second master device determines that the dual-machine hot standby networking system is under a traffic attack.
Preferably, in this step the second master device may also inform the first master device of the attack defense detection result, specifically as follows:
the second master device returns only part of the abnormal traffic transferred by the first master device back to the first master device; correspondingly, the first master device, on finding that the abnormal traffic returned by the second master device is only part, rather than all, of the abnormal traffic it previously transferred to the second master device, determines that the dual-machine hot standby networking system is under a traffic attack;
or, alternatively:
the second master device cancels returning abnormal traffic to the first master device; correspondingly, the first master device, on receiving no abnormal traffic returned by the second master device, determines that the dual-machine hot standby networking system is under a traffic attack.
Step S312: having detected that the second master device is in an abnormal state, the first master device decides to enter the third attack defense detection mechanism, which is carried out by steps S313 to S315 below.
Step S313: the first master device determines its own first current abnormal traffic and judges whether it is greater than or equal to the second traffic threshold. If it is less than the second traffic threshold, proceed to step S314; if it is greater than or equal to the second traffic threshold, proceed to step S315.
In the third attack defense detection mechanism, because the second master device is in an abnormal state, all service traffic is processed by the first master device, so the first master device now performs attack defense detection independently against the second traffic threshold.
Step S314: the first master device determines that the dual-machine hot standby networking system is not under a traffic attack.
Step S315: the first master device determines that the dual-machine hot standby networking system is under a traffic attack.
In the embodiments of the present invention, the first master device and the second master device may be firewall devices, or other network devices that process the service traffic they receive.
Steps S301 to S315 above complete the processing flow of the network attack defense detection method proposed by the embodiments of the present invention. In this flow, both master devices in the dual-machine hot standby networking system may carry out all three attack defense detection mechanisms described above: when the peer master device is normal, the device starts the processing flow of the first attack defense detection mechanism, and when it receives abnormal traffic transferred by the peer master device, it starts the processing flow of the second attack defense detection mechanism. Through the first and second attack defense detection mechanisms, whenever a traffic attack is determined the abnormal traffic of the two master devices sums to at least twice the first traffic threshold; attack defense detection is therefore in essence performed on the sum of the abnormal traffic of both master devices, which improves the accuracy of the detection result compared with the prior-art scheme in which each master device independently performs attack defense detection on its own abnormal traffic alone.
Furthermore, when the peer master device is abnormal, the device starts the processing flow of the third attack defense detection mechanism and performs attack defense detection against the second traffic threshold only, which also improves the accuracy of the detection result.
Taking the dual-machine hot standby networking system of firewall devices shown in Fig. 1 as an example, the attack defense detection method above is illustrated as follows:
Assume that, when performing attack defense detection, the first master firewall device and the second master firewall device use a first traffic threshold of 500 fps (fps denotes the number of packets transmitted per second), a second traffic threshold of 1000 fps and an adjustment threshold of 1 fps, so that correspondingly the third traffic threshold is 499 fps and the fourth traffic threshold is 501 fps. Taking a SYN FLOOD attack as an example, assume that SYN FLOOD attack packets are sent from the terminal side towards the server side at a rate of 1500 fps.
When one of the master firewall devices fails and becomes abnormal, all SYN FLOOD attack packets are processed by the other master firewall device. The attack packet rate of 1500 fps exceeds the second traffic threshold of 1000 fps for attack detection, so this master firewall device can judge that an attack has occurred;
When both master firewall devices are normal, load balancing of the attack packet traffic may be either balanced or unbalanced, and the specific implementation steps are as follows:
Case where the network attack packet load is relatively balanced: say that after load balancing the attack packet rates at the first master firewall device and the second master firewall device are 700 fps and 800 fps respectively;
the first master firewall device detects that the attack packet rate has reached the first traffic threshold of 500 fps, and transfers the packet traffic exceeding the third traffic threshold of 499 fps to the second master firewall device, at a rate of 201 fps;
after receiving the abnormal traffic transferred by the first master firewall device, the second master firewall device's share of abnormal traffic comprises 800 fps plus 201 fps, 1001 fps in total, which reaches the first traffic threshold of 500 fps, so the second master firewall device can now judge that an attack has occurred. It may also simply discard all of the abnormal traffic transferred from the first master device and cancel returning abnormal traffic to the first master firewall device; the first master firewall device, having received no returned abnormal traffic, therefore also judges that an attack has occurred.
Case where the network attack packet load is unbalanced: say that after load balancing the attack packet rates at the first master firewall device and the second master firewall device are 1100 fps and 400 fps respectively;
the first master firewall device detects that the attack packet rate has reached the second traffic threshold of 1000 fps, so it can directly judge that an attack has occurred. At the same time, the first master firewall device may also promptly synchronize the attack detection result to the second master firewall device through the existing dual-machine hot standby networking technology.
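The three detection mechanisms of steps S301 to S315 and the fps walk-through above, as an added example that is not code from the patent or from Ruijie. It uses the patent's threshold values (500, 1000 and 1 fps) and its three scenarios, and additionally runs the background section's uneven-split case with constructed figures (600 and 300 fps) through both the prior-art independent check and the joint scheme; the handling of a zero forwarded amount is my reading of step S307, not something the patent states.

```python
"""Joint traffic-attack detection across two active-active master devices
(the S301-S315 flow of CN102420825B).

Added example, not code from the patent or from Ruijie. Thresholds are the
patent's worked values: T1 = 500 fps, T2 = 1000 fps, adjustment 1 fps,
hence T3 = 499 fps and T4 = 501 fps. All traffic figures are abnormal
packets per second.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    t1: int          # first traffic threshold: one device's share of the attack threshold
    t2: int          # second traffic threshold, > t1 (the patent prefers 2 * t1)
    adjust: int = 1  # adjustment threshold; 1 fps makes the handoff fire at exactly t1

    @property
    def t3(self) -> int:  # third threshold: t1 minus adjustment (handoff baseline)
        return self.t1 - self.adjust

    @property
    def t4(self) -> int:  # fourth threshold: t1 plus adjustment (peer's decision point)
        return self.t1 + self.adjust


def first_mechanism(own_abnormal: int, th: Thresholds) -> tuple[str, int]:
    """Steps S303-S307 on the device that starts detection while its peer is up.

    Returns (verdict, forwarded). The verdict "defer" means: hand the traffic
    above t3 to the peer and let the peer decide (second mechanism).
    """
    if own_abnormal < th.t1:
        return "no_attack", 0
    if own_abnormal >= th.t2:
        return "attack", 0
    return "defer", own_abnormal - th.t3


def second_mechanism(own_abnormal: int, forwarded: int, th: Thresholds) -> str:
    """Steps S309-S311 on the peer: its own abnormal traffic plus what it received."""
    return "attack" if own_abnormal + forwarded >= th.t4 else "no_attack"


def third_mechanism(own_abnormal: int, th: Thresholds) -> str:
    """Steps S313-S315: the peer is down, so one device carries all traffic and
    compares against the full threshold t2 on its own."""
    return "attack" if own_abnormal >= th.t2 else "no_attack"


def returned_to_first(peer_verdict: str, forwarded: int) -> int:
    """S310/S311 feedback: the peer returns all forwarded traffic when it sees
    no attack and, in the variant the patent's example uses, nothing when it
    does. The first device reads "everything came back" as no attack."""
    return forwarded if peer_verdict == "no_attack" else 0


def detect(a_abnormal: int, b_abnormal: int, peer_up: bool, th: Thresholds) -> str:
    """Whole S301-S315 flow as seen from device A, with device B as its peer."""
    if not peer_up:
        return third_mechanism(a_abnormal, th)
    verdict, forwarded = first_mechanism(a_abnormal, th)
    if verdict != "defer":
        return verdict
    if forwarded <= 0:
        # Nothing crosses the link, so the peer's mechanism never starts; this is
        # why S307 prefers a non-zero adjustment (assumed reading of the patent).
        return "no_attack"
    peer_verdict = second_mechanism(b_abnormal, forwarded, th)
    returned = returned_to_first(peer_verdict, forwarded)
    return "no_attack" if returned == forwarded else "attack"


def prior_art_independent(a_abnormal: int, b_abnormal: int, per_device: int) -> tuple[str, str]:
    """Background-art scheme: each device compares its own share with half of
    the full threshold, without consulting the peer."""
    def flag(x: int) -> str:
        return "attack" if x >= per_device else "no_attack"
    return flag(a_abnormal), flag(b_abnormal)


TH = Thresholds(t1=500, t2=1000, adjust=1)

if __name__ == "__main__":
    # The patent's three scenarios for a 1500 fps SYN flood.
    print("peer down, 1500 fps:     ", detect(1500, 0, peer_up=False, th=TH))
    print("balanced 700/800 fps:    ", detect(700, 800, peer_up=True, th=TH))
    print("unbalanced 1100/400 fps: ", detect(1100, 400, peer_up=True, th=TH))
    # Background-art false positive with constructed figures: 600 + 300 = 900 fps
    # is below the 1000 fps system threshold, yet an independent per-device
    # check against 500 fps flags device A. The joint scheme does not.
    print("prior art 600/300 fps:   ", prior_art_independent(600, 300, 500))
    print("joint     600/300 fps:   ", detect(600, 300, peer_up=True, th=TH))
```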
Embodiment 2:
Based on same inventive concept, the network attack defence detection method providing according to the above embodiment of the present invention, correspondingly, the embodiment of the present invention 2 also provides a kind of network attack defense detection system, its structural representation as shown in Figure 4, specifically comprise: the first host apparatus 401 in two-node cluster hot backup networking system and the second host apparatus 402, wherein:
The first host apparatus 401, for determining the first current abnormal flow of self; And in the time that described the first current abnormal flow is more than or equal to first flow threshold value and is less than the second flow threshold, the abnormal flow of described the 3rd flow threshold will be exceeded in described the first current abnormal flow, be transferred to the second host apparatus 402, described the second flow threshold is greater than described first flow threshold value, and described the 3rd flow threshold is that described first flow threshold value deducts the difference of adjusting threshold value;
The second host apparatus 402, for determining the second current abnormal flow of self, described the second current abnormal flow comprises the abnormal flow that described the first host apparatus 401 transmits; And in the time that described the second current abnormal flow is more than or equal to described the 4th flow threshold, determine that described two-node cluster hot backup networking system is subject to flow attacking, and in the time that described the second current abnormal flow is less than described the 4th flow threshold, determine that described two-node cluster hot backup networking system is not subject to flow attacking, described the 4th flow threshold be described first flow threshold value add the above adjust threshold value and value.
Preferably, the second host apparatus 402, also for being subject to after flow attacking in definite described two-node cluster hot backup networking system, part abnormal flow in the abnormal flow that described the first host apparatus 401 is transmitted returns to described the first host apparatus 401, or cancellation returns abnormal flow to described the first host apparatus 401; And be not subject to after flow attacking in definite described two-node networking system, the abnormal flow that described the first host apparatus 401 is transmitted all returns to described the first host apparatus 401;
The first host apparatus 401, also in the time receiving the described part abnormal flow that described the second host apparatus 402 returns, or while not receiving the flow that described the second host apparatus 402 returns, determines that described two-node cluster hot backup networking system is subject to flow attacking; And in the time receiving whole abnormal flow that described the second host apparatus 402 returns, determine that described two-node cluster hot backup networking system is not subject to flow attacking.
Preferably, the first host apparatus 401 is further configured to determine that the two-node hot-standby networking system is not under a flow attack when the first current abnormal flow is less than the first flow threshold.
Preferably, the first host apparatus 401 is further configured to determine that the two-node hot-standby networking system is under a flow attack when the first current abnormal flow is greater than or equal to the second flow threshold.
Preferably, the first host apparatus 401 is further configured, before determining whether the first current abnormal flow is greater than or equal to the first flow threshold, to determine whether the second host apparatus 402 is in a normal state, and to proceed with the first-threshold comparison only when it is.
Preferably, the first host apparatus 401 is further configured, when it determines that the second host apparatus 402 is in an abnormal state, to determine whether the first current abnormal flow is greater than or equal to the second flow threshold; if it is, to determine that the two-node hot-standby networking system is under a flow attack; if it is less, to determine that the two-node hot-standby networking system is not under a flow attack.
In summary, the scheme provided by the embodiments of the invention comprises: a first host apparatus determines its own first current abnormal flow; and when the first current abnormal flow is greater than or equal to a first flow threshold and less than a second flow threshold, the first host apparatus forwards to a second host apparatus the portion of the first current abnormal flow that exceeds a third flow threshold, the second flow threshold being greater than the first flow threshold, the third flow threshold being the first flow threshold minus an adjustment threshold, and the second host apparatus and the first host apparatus being the two host apparatuses of a two-node hot-standby networking system; the second host apparatus determines its own second current abnormal flow, which includes the abnormal flow forwarded by the first host apparatus; and when the second current abnormal flow is greater than or equal to a fourth flow threshold, it determines that the two-node hot-standby networking system is under a flow attack, and when the second current abnormal flow is less than the fourth flow threshold, it determines that the two-node hot-standby networking system is not under a flow attack, the fourth flow threshold being the first flow threshold plus the adjustment threshold. By adopting the scheme provided by the embodiments of the invention, the accuracy with which host apparatuses detect and defend against network attacks is improved.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.
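The decision logic summarized above (claims 1 through 6 restate it) as a small simulation of the two hosts. This is an added example, not code from the patent or from its assignee's products. It assumes the threshold relations the description states (T3 = T1 - adj, T4 = T1 + adj, T1 < T2) plus one extra constraint, 0 <= adj < T1, so that T3 stays positive; the class and function names, the numeric thresholds, and the choice to return nothing (rather than a part) of the forwarded flow in the attack case are this example's own assumptions.

```python
"""Two-host flow-attack detection as described in CN102420825B, simulated.

Added example, not code from the patent or its assignee. Assumed threshold
relations (from the description):
    T3 = T1 - adj   (the first host keeps flow up to T3, forwards the rest)
    T4 = T1 + adj   (the second host's decision threshold)
with T1 < T2 and, additionally assumed here, 0 <= adj < T1 so that T3 > 0.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):
    NO_ATTACK = "system not under flow attack"
    ATTACK = "system under flow attack"


@dataclass(frozen=True)
class Thresholds:
    t1: float   # first flow threshold
    t2: float   # second flow threshold, greater than t1
    adj: float  # adjustment threshold

    def __post_init__(self) -> None:
        if not (0 <= self.adj < self.t1 < self.t2):
            raise ValueError("require 0 <= adj < t1 < t2")

    @property
    def t3(self) -> float:
        return self.t1 - self.adj

    @property
    def t4(self) -> float:
        return self.t1 + self.adj


@dataclass
class SecondHost:
    """Host apparatus 402: adds the forwarded flow to its own and applies T4."""
    own_abnormal_flow: float
    th: Thresholds

    def receive(self, forwarded: float) -> Tuple[Verdict, float]:
        """Return the verdict and the amount of flow sent back to host 401.

        Claim 2: everything comes back when there is no attack; only part,
        or nothing, comes back when there is one. Returning nothing in the
        attack case is this example's choice; the patent also allows a part.
        """
        f2 = self.own_abnormal_flow + forwarded   # second current abnormal flow
        if f2 >= self.th.t4:
            return Verdict.ATTACK, 0.0
        return Verdict.NO_ATTACK, forwarded


def first_host_decide(f1: float, th: Thresholds, peer: Optional[SecondHost]) -> Verdict:
    """Host apparatus 401's verdict for its first current abnormal flow f1.

    peer is None when host 402 is in an abnormal state (claims 5 and 6):
    401 then decides alone against the second threshold only.
    """
    if peer is None:
        return Verdict.ATTACK if f1 >= th.t2 else Verdict.NO_ATTACK
    if f1 < th.t1:
        return Verdict.NO_ATTACK          # claim 3: below T1, no attack
    if f1 >= th.t2:
        return Verdict.ATTACK             # claim 4: at or above T2, attack
    forwarded = f1 - th.t3                # claim 1: T1 <= f1 < T2, forward the share above T3
    _, returned = peer.receive(forwarded)
    # Claim 2: 401 reads the verdict off how much flow comes back, not off a message.
    return Verdict.NO_ATTACK if returned == forwarded else Verdict.ATTACK


if __name__ == "__main__":
    th = Thresholds(t1=100, t2=200, adj=20)   # constructed values: T3 = 80, T4 = 120
    for f1, peer_own in [(50, 0), (150, 0), (150, 60), (250, 0)]:
        verdict = first_host_decide(f1, th, SecondHost(peer_own, th))
        print(f"f1={f1:>3} peer_own={peer_own:>2}: {verdict.value}")
    print(f"f1=150, peer abnormal: {first_host_decide(150, th, None).value}")
```

The two middle scenarios are the point of the scheme: the same first-host reading of 150 is judged benign when the second host is idle and hostile when the second host already carries 60 units of abnormal flow, because the forwarded share (150 - 80 = 70) only crosses T4 = 120 in the second case. Two things a practitioner should weigh when setting the values: the claim 2 return channel carries the verdict as a volume of flow, so it is only as reliable as the link between the hosts; and under claim 6 a host whose peer is in an abnormal state falls back to T2 alone, so T2 must be a defensible stand-alone limit, not just an upper bound for the split-decision band.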

Claims (12)

1. A network attack defense detection method, characterized in that it comprises:
A first host apparatus determines its own first current abnormal flow; and
When the first current abnormal flow is greater than or equal to a first flow threshold and less than a second flow threshold, the first host apparatus forwards to a second host apparatus the portion of the first current abnormal flow that exceeds a third flow threshold, the second flow threshold being greater than the first flow threshold, the third flow threshold being the first flow threshold minus an adjustment threshold, and the second host apparatus and the first host apparatus being the two host apparatuses of a two-node hot-standby networking system;
The second host apparatus determines its own second current abnormal flow, which includes the abnormal flow forwarded by the first host apparatus; and
When the second current abnormal flow is greater than or equal to a fourth flow threshold, it is determined that the two-node hot-standby networking system is under a flow attack, and when the second current abnormal flow is less than the fourth flow threshold, it is determined that the two-node hot-standby networking system is not under a flow attack, the fourth flow threshold being the first flow threshold plus the adjustment threshold.
2. the method for claim 1, is characterized in that, also comprises:
Described the second host apparatus is subject to after flow attacking in definite described two-node cluster hot backup networking system, part abnormal flow in the abnormal flow of described the first host apparatus transmission is returned to described the first host apparatus, or cancel to described the first host apparatus passback abnormal flow;
Described the second host apparatus is not subject to after flow attacking in definite described two-node cluster hot backup networking system, and the abnormal flow of described the first host apparatus transmission is all returned to described the first host apparatus;
Described the first host apparatus, in the time receiving the described part abnormal flow of described the second host apparatus passback, or while not receiving the flow of described the second host apparatus passback, determines that described two-node cluster hot backup networking system is subject to flow attacking;
Described the first host apparatus, in the time receiving whole abnormal flow of described the second host apparatus passback, determines that described two-node cluster hot backup networking system is not subject to flow attacking.
3. the method for claim 1, is characterized in that, also comprises:
In the time that described the first current abnormal flow is less than described first flow threshold value, described the first host apparatus determines that described two-node cluster hot backup networking system is not subject to flow attacking.
4. method as claimed in claim 3, is characterized in that, also comprises:
In the time that described the first current abnormal flow is more than or equal to described the second flow threshold, described the first host apparatus determines that described two-node cluster hot backup networking system is subject to flow attacking.
5. the method for claim 1, is characterized in that, before definite described the first current abnormal flow is more than or equal to first flow threshold value, also comprises:
Described the first host apparatus determines that whether described the second host apparatus is in normal condition, and when definite result be during in normal condition, determine whether described the first current abnormal flow is more than or equal to first flow threshold value.
6. method as claimed in claim 5, is characterized in that, also comprises:
In the time that described the first host apparatus is determined described the second host apparatus in abnormality, described the first host apparatus determines whether described the first current abnormal flow is more than or equal to described the second flow threshold;
If be more than or equal to, described the first host apparatus determines that described two-node cluster hot backup networking system is subject to flow attacking;
If be less than, described the first host apparatus determines that described two-node cluster hot backup networking system is not subject to flow attacking.
7. A network attack defense detection system, characterized in that it comprises a first host apparatus and a second host apparatus in a two-node hot-standby networking system, wherein:
The first host apparatus is configured to determine its own first current abnormal flow; and, when the first current abnormal flow is greater than or equal to a first flow threshold and less than a second flow threshold, to forward to the second host apparatus the portion of the first current abnormal flow that exceeds a third flow threshold, the second flow threshold being greater than the first flow threshold and the third flow threshold being the first flow threshold minus an adjustment threshold;
The second host apparatus is configured to determine its own second current abnormal flow, which includes the abnormal flow forwarded by the first host apparatus; and, when the second current abnormal flow is greater than or equal to a fourth flow threshold, to determine that the two-node hot-standby networking system is under a flow attack, and when the second current abnormal flow is less than the fourth flow threshold, to determine that the two-node hot-standby networking system is not under a flow attack, the fourth flow threshold being the first flow threshold plus the adjustment threshold.
8. The system of claim 7, characterized in that the second host apparatus is further configured, after determining that the two-node hot-standby networking system is under a flow attack, to return to the first host apparatus only part of the abnormal flow forwarded by the first host apparatus, or to return no abnormal flow to the first host apparatus; and, after determining that the two-node hot-standby networking system is not under a flow attack, to return all of the abnormal flow forwarded by the first host apparatus to the first host apparatus;
The first host apparatus is further configured to determine that the two-node hot-standby networking system is under a flow attack when it receives only the part of the abnormal flow returned by the second host apparatus, or receives no flow returned by the second host apparatus; and to determine that the two-node hot-standby networking system is not under a flow attack when it receives all of the abnormal flow returned by the second host apparatus.
9. The system of claim 7, characterized in that the first host apparatus is further configured to determine that the two-node hot-standby networking system is not under a flow attack when the first current abnormal flow is less than the first flow threshold.
10. The system of claim 9, characterized in that the first host apparatus is further configured to determine that the two-node hot-standby networking system is under a flow attack when the first current abnormal flow is greater than or equal to the second flow threshold.
11. The system of claim 7, characterized in that the first host apparatus is further configured, before determining that the first current abnormal flow is greater than or equal to the first flow threshold, to determine whether the second host apparatus is in a normal state, and only when the result is that it is in a normal state to determine whether the first current abnormal flow is greater than or equal to the first flow threshold.
12. The system of claim 11, characterized in that the first host apparatus is further configured, when it determines that the second host apparatus is in an abnormal state, to determine whether the first current abnormal flow is greater than or equal to the second flow threshold; if it is greater than or equal to the second flow threshold, to determine that the two-node hot-standby networking system is under a flow attack; if it is less than the second flow threshold, to determine that the two-node hot-standby networking system is not under a flow attack.
CN201110391968.8A 2011-11-30 2011-11-30 Network attack defense and detection method and system thereof Active CN102420825B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110391968.8A CN102420825B (en) 2011-11-30 2011-11-30 Network attack defense and detection method and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110391968.8A CN102420825B (en) 2011-11-30 2011-11-30 Network attack defense and detection method and system thereof

Publications (2)

Publication Number Publication Date
CN102420825A CN102420825A (en) 2012-04-18
CN102420825B true CN102420825B (en) 2014-07-02

Family

ID=45945060

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110391968.8A Active CN102420825B (en) 2011-11-30 2011-11-30 Network attack defense and detection method and system thereof

Country Status (1)

Country Link
CN (1) CN102420825B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2863583A4 (en) * 2012-08-31 2015-07-29 Huawei Tech Co Ltd Method and device for defending bearer attack
CN103560907A (en) * 2013-10-23 2014-02-05 曙光信息产业(北京)有限公司 Management method and device for double machine load balancing devices
CN106534346B (en) * 2016-12-07 2019-12-10 北京奇虎科技有限公司 Flow control method, device and system based on virtual WAF
CN107682341A (en) * 2017-10-17 2018-02-09 北京奇安信科技有限公司 The means of defence and device of CC attacks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1946077A (en) * 2005-07-08 2007-04-11 阿尔卡特公司 System and method for detecting abnormal traffic based on early notification
CN101102323A (en) * 2007-08-09 2008-01-09 华为技术有限公司 Method and device for preventing DOS attack
CN101369897A (en) * 2008-07-31 2009-02-18 成都市华为赛门铁克科技有限公司 Method and equipment for detecting network attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101219538B1 (en) * 2009-07-29 2013-01-08 한국전자통신연구원 Apparatus for detecting network attack based on visual data analysis and its method thereof

Also Published As

Publication number Publication date
CN102420825A (en) 2012-04-18

Similar Documents

Publication Publication Date Title
CN102420825B (en) Network attack defense and detection method and system thereof
Sanjab et al. Smart grid security: Threats, challenges, and solutions
US8233254B2 (en) Method of ensuring the coordinated arc fault protection in a heirarchial power distribution system
CN106603427A (en) Method and device for realizing software bypass in firewall
CN110808873B (en) Method and device for detecting link failure
US20140215609A1 (en) Monitoring control system
US8880703B2 (en) Address distribution method, device and system thereof
KR20070036034A (en) Load interrupter upon lowering of frequency
US20090262790A1 (en) Method of recovery from active port tx failure in y-cable protected pair
CN103347016A (en) Attack defense method
CN108092940B (en) DNS protection method and related equipment
EP2824876A1 (en) Network system, controller, and load distribution method
JP2007122330A (en) Cluster fault estimation system
CN105791027B (en) A kind of detection method of industrial network abnormal interrupt
CN104125213A (en) Distributed denial of service DDOS attack resisting method and device for firewall
CN102902597A (en) Chip and method for improving safety of chip
CN105897766A (en) Virtual network flow security control method and device
US20200136912A1 (en) Method, Device, and System for Implementing MUX Machine
JP6007988B2 (en) Standby system apparatus, operational system apparatus, redundant configuration system, and load distribution method
CN101340339A (en) Wideband access server cluster system and apparatus
CN104394012B (en) Cluster routers, MPU and its failure determination method, sensing controller
WO2016108627A1 (en) Dual controller system
CN108667826B (en) Scheduling device and scheduling method based on four-mode heterogeneous redundant processor
CN109787860A (en) Two-way conversion link detection method and device
CN107026432B (en) A kind of method and apparatus inhibiting influence of the compensator to route distance protection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant