CN104348794A - Network layer DDOS (Distributed Denial of Service) attack source identification method, device and system - Google Patents


Info

Publication number: CN104348794A
Application number: CN201310325923.XA
Authority: CN (China)
Prior art keywords: address, server, attack, source, ddos attack
Legal status: Granted (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN104348794B (en)
Inventors: 罗喜军, 陈勇
Current assignee: Shenzhen Tencent Computer Systems Co Ltd
Original assignee: Shenzhen Tencent Computer Systems Co Ltd

Events
Application filed by Shenzhen Tencent Computer Systems Co Ltd
Priority to CN201310325923.XA
Publication of CN104348794A
Application granted
Publication of CN104348794B
Current legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network layer DDOS (Distributed Denial of Service) attack source identification method. The method comprises the following steps: when a detection server monitors that a first server is under DDOS attack, acquiring a DDOS attack packet from the first server, and extracting the attack source IP (Internet Protocol) address in the DDOS attack packet and the TTL (Time to Live) value of the attack source IP address; sending a probe instruction comprising the attack source IP address to a second server; receiving a probe response packet returned by the second server according to the probe instruction, and extracting the probe source IP address in the probe response packet and the TTL value of the probe source IP address; and judging whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, otherwise determining that the attack source IP address is a real IP address. The invention further provides a network layer DDOS attack source identification device and system. By adopting the network layer DDOS attack source identification method, device and system, a network layer DDOS attack source can be identified rapidly and effectively.

Description

Network layer DDOS attack source identification method, apparatus and system
Technical field
The present invention relates to the field of computer communication technology, and in particular to a network layer DDOS attack source identification method, apparatus and system.
Background
A DOS (Denial of Service) attack is an attack that causes a server to be unable to provide normal service. The most common DOS attacks are network bandwidth attacks and connectivity attacks. A bandwidth attack floods the network with an enormous volume of traffic so that all available network resources are exhausted and requests from legitimate users can no longer get through. A connectivity attack floods the server with a large number of connection requests so that all available operating system resources are exhausted and the server can no longer process requests from legitimate users.
A DDOS (Distributed Denial of Service) attack uses client/server technology to combine multiple clients into an attack platform and launch a DOS attack against one or more targets. Typically, the attacker uses a stolen account to install a DDOS master program on one client; at a preset time the master program communicates with a large number of agent programs installed on many clients across the Internet, and by means of client/server technology the master program can activate hundreds or thousands of agents within seconds and direct them to attack, thereby multiplying the power of the DOS attack exponentially.
According to the layer targeted by the attack, DDOS attacks can be divided into network layer DDOS (Net-DDOS) attacks and App-DDOS attacks. Net-DDOS attacks mainly exploit vulnerabilities in existing low-layer protocols (including the IP layer and the TCP layer). A typical attack pattern is that attack nodes using spoofed IP addresses send a large number of attack packets to the target host, such as TCP (Transmission Control Protocol) packets, ICMP (Internet Control Message Protocol) packets and UDP (User Datagram Protocol) packets, exploiting the TCP three-way handshake mechanism so that the target server has to maintain a very large list of half-open connections, which consumes a great deal of CPU (Central Processing Unit) and memory resources and finally crashes the system through stack overflow so that it can no longer serve normal users. Because of the characteristics of these protocols, a network layer DDOS attack can send a large number of packets without establishing a reliable connection with the server, which makes tracing the attack back to its source rather difficult. The method currently common in the industry is to cooperate with the network operator and trace the source of the traffic at the egress routers of the metropolitan area network and the backbone network in order to determine whether the attack source is real or forged. However, the operator's routing devices generally use flow-based statistical counting; this is effective for gathering statistics on high-volume DDOS attacks but ineffective for distributed low-volume DDOS attacks, so the true source of a low-volume DDOS attack cannot be tracked effectively.
Summary of the invention
In view of this, the invention provides a network layer DDOS attack source identification method, apparatus and system that can quickly and effectively identify whether a network layer DDOS attack source is real or forged.
A network layer DDOS attack source identification method comprises: when a detection server monitors that a first server is under DDOS attack, acquiring a DDOS attack packet from the first server and extracting the attack source IP address in the DDOS attack packet and the TTL value of the attack source IP address; sending a probe instruction comprising the attack source IP address to a second server, where the second server and the first server are in the same network topology and the probe instruction instructs the second server to probe the attack source IP address; receiving a probe response packet returned by the second server according to the probe instruction, and extracting the probe source IP address in the probe response packet and the TTL value of the probe source IP address; and judging whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a real IP address.
A network layer DDOS attack source identification method comprises: when a detection server monitors that a first server is under DDOS attack, acquiring a DDOS attack packet from the first server and extracting the attack source IP address in the DDOS attack packet and the TTL value of the attack source IP address; the detection server sending a probe instruction comprising the attack source IP address to a second server, where the second server and the first server are in the same network topology and the probe instruction instructs the second server to probe the attack source IP address; the second server probing the attack source IP address according to the probe instruction, obtaining a probe response packet from the terminal corresponding to the attack source IP address, and sending the probe response packet to the detection server; and the detection server extracting the probe source IP address in the probe response packet and the TTL value of the probe source IP address, and judging whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a real IP address.
A network layer DDOS attack source identification apparatus, applied to a detection server, comprises: a DDOS attack packet acquisition and analysis module, for acquiring a DDOS attack packet from a first server when it is monitored that the first server is under DDOS attack, and extracting the attack source IP address in the DDOS attack packet and the TTL value of the attack source IP address; a probe instruction sending module, for sending to a second server a probe instruction comprising the attack source IP address obtained by the DDOS attack packet acquisition and analysis module, where the second server and the first server are in the same network topology and the probe instruction instructs the second server to probe the attack source IP address; a probe response packet analysis module, for receiving the probe response packet returned by the second server according to the probe instruction sent by the probe instruction sending module, and extracting the probe source IP address in the probe response packet and the TTL value of the probe source IP address; and a judging module, for judging whether the difference between the TTL value of the attack source IP address obtained by the DDOS attack packet acquisition and analysis module and the TTL value of the probe source IP address obtained by the probe response packet analysis module is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a real IP address.
A network layer DDOS attack source identification system comprises: a detection server as described in any one of claims 6 to 9, a first server and a second server. The first server is used for sending DDOS attack packets to the detection server according to a request to acquire DDOS attack packets sent by the detection server. The second server is used for probing the attack source IP address according to the probe instruction sent by the detection server, obtaining a probe response packet from the terminal corresponding to the attack source IP address, and sending the probe response packet to the detection server. The second server and the first server are in the same network topology.
In the above network layer DDOS attack source identification method, apparatus and system, when the detection server monitors that the first server is under DDOS attack, it uses a second server in the same network topology as the first server to probe the DDOS attack source in the reverse direction and, making use of the characteristics of the TTL value, compares the TTL value of the source IP address of the DDOS attack with the TTL value of the probe source IP address, so that it can quickly and effectively identify whether the network layer DDOS attack source IP address is real or forged.
In order to make the above and other objects, features and advantages of the present invention more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is a diagram of the application environment of the network layer DDOS attack source identification method provided by the invention.
Fig. 2 is a flow chart of the network layer DDOS attack source identification method provided by the first embodiment of the invention.
Fig. 3 is a flow chart of the network layer DDOS attack source identification method provided by the second embodiment of the invention.
Fig. 4 is a flow chart of the network layer DDOS attack source identification method provided by the third embodiment of the invention.
Fig. 5 is a structural diagram of the detection server provided by the fourth embodiment of the invention.
Fig. 6 is a structural diagram of the detection server provided by the fifth embodiment of the invention.
Fig. 7 is a schematic diagram of the network layer DDOS attack source identification system provided by the sixth embodiment of the invention.
Detailed description of the embodiments
To further explain the technical means adopted by the present invention to achieve its intended objects and the effects obtained, specific embodiments, structures, features and effects of the invention are described in detail below with reference to the accompanying drawings and preferred embodiments.
Refer to Fig. 1, which shows the application environment of the network layer DDOS attack source identification method provided by the invention. As shown in Fig. 1, a first server 101, a second server 102 and a detection server 103 are located in a wireless or wired network, over which the first server 101 and the second server 102 each communicate with the detection server 103; together, the first server 101, the second server 102 and the detection server 103 form a network layer DDOS attack source identification system 100. It will be understood that the first server 101 may also be a personal computer acting as a client. An attacker device cluster 200 is a cluster made up of multiple computers; it is also located in a wireless or wired network, through which it launches a DDOS attack on the first server 101.
First embodiment
Refer to Fig. 2, which shows the flow chart of the network layer DDOS attack source identification method provided by the first embodiment of the invention. As shown in Fig. 2, this embodiment describes the processing flow of the detection server. With reference to Fig. 1, the network layer DDOS attack source identification method provided by this embodiment comprises the following steps:
Step 21: when the detection server monitors that the first server is under DDOS attack, it acquires DDOS attack packets from the first server and extracts the attack source IP address in the DDOS attack packets and the TTL value of the attack source IP address.
Specifically, the detection server 103 monitors in real time whether the first server 101 is under DDOS (Distributed Denial of Service) attack by monitoring the data traffic information of the first server 101. When it detects that the first server 101 is under DDOS attack, that is, when it detects that the data traffic of the first server 101 is abnormal, for example an abnormally high traffic volume or a large number of TCP (Transmission Control Protocol) connections waiting on the first server 101, it acquires DDOS attack packets from the first server 101, analyzes the acquired packets, and extracts the attack source IP (Internet Protocol) address in the DDOS attack packets and the TTL (Time To Live) value of the attack source IP address.
TTL is a field in the IP packet header, set by the sending host, whose purpose is to prevent a packet from circulating endlessly on the IP Internet. The original idea was to define a time limit after which the packet is discarded; since every router must decrement the TTL field by at least one, in practice TTL represents the maximum number of routers a packet can pass through before being dropped. When the count reaches 0, the router discards the packet and sends an ICMP (Internet Control Message Protocol) message to the original sender. The initial TTL value is normally the operating system's default value; the field is 8 bits wide in the packet header.
Step 22: send a probe instruction comprising the attack source IP address to a second server, where the second server and the first server are in the same network topology.
Specifically, the detection server 103 selects any server in the same network topology as the first server 101 as the second server 102 and sends a probe instruction to this second server 102. The probe instruction comprises the attack source IP address contained in the DDOS attack packets acquired in step 21 and instructs the second server 102 to probe the attack source IP address.
It will be understood that, because of the characteristics of TTL, the first server 101 and the second server 102 must be in the same network topology, that is, the first server 101 and the second server 102 are under the same switch or have adjacent IP addresses. This ensures that the result of the second server 102 probing the attack source IP address is comparable with the attack packets, and in turn ensures the accuracy of the DDOS attack source identification.
Step 23: receive the probe response packet returned by the second server according to the probe instruction, and extract the probe source IP address in the probe response packet and the TTL value of the probe source IP address.
Specifically, the detection server receives the probe response packet returned by the second server 102 according to the probe instruction, and analyzes it to obtain the probe source IP address in the probe response packet and the TTL value of the probe source IP address.
Step 24: judge whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value.
Specifically, taking into account the TTL characteristics of operating systems (for example, the initial TTL value of the Windows operating system is generally 128 and the initial TTL value of the Linux operating system is generally 64), the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is compared with the preset value to judge whether the difference is greater than the preset value. Preferably, the preset value is 5.
Because the TTL value effectively marks the transmission path of a packet, when an attacker launches a DDOS attack from random sources, although forged source addresses are used, the attacker cannot forge the positional relationship between the attacking host and the target host: no matter how the attacker forges the source IP address, attack packets from the same attack source will reach the victim by the same routing path. Identifying whether the DDOS attack source is real or forged by comparing the TTL value of the attack source IP address with the TTL value of the probe source IP address is therefore more efficient than the prior art, which traces back layer by layer through the relevant information tables on the operator's routers.
If so, step 25 is performed: determine that the attack source IP address is a forged IP address.
It will be understood that, because the probe response packet is obtained by the second server 102 from the terminal corresponding to the attack source IP address, the probe source IP address is the same as the attack source IP address, and the TTL value of the probe source IP address is the true TTL value of the attack source IP. If the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than the preset value, it can be confirmed that the DDOS attack packet was not sent by the terminal corresponding to the attack source IP address, and the attack source IP address is a forged IP address.
If not, step 26 is performed: determine that the attack source IP address is a real IP address.
In the network layer DDOS attack source identification method provided by this embodiment of the invention, when the detection server monitors that the first server is under DDOS attack, it uses a second server in the same network topology as the first server to probe the DDOS attack source in the reverse direction and, making use of the characteristics of the TTL value, compares the TTL value of the source IP address of the DDOS attack with the TTL value of the probe source IP address, so that it can quickly and effectively identify whether the network layer DDOS attack source IP address is real or forged.
Second embodiment
Refer to Fig. 3, which shows the flow chart of the network layer DDOS attack source identification method provided by the second embodiment of the invention. As shown in Fig. 3, this embodiment describes the processing flow of the first server. With reference to Fig. 1, the network layer DDOS attack source identification method provided by this embodiment comprises the following steps:
Step 31: when the detection server monitors that the first server is under DDOS attack, it sends a request to acquire all DDOS attack packets to the first server.
For step 31, refer to the corresponding content of the first embodiment, which is not repeated here.
Step 32: receive all the DDOS attack packets returned by the first server according to the request.
Specifically, according to the request to acquire all DDOS attack packets sent by the detection server 103, the first server 101 starts full packet capture, captures all current DDOS attack packets, and sends all the captured DDOS attack packets to the detection server 103.
Step 33: perform DPI analysis on all the DDOS attack packets to obtain the attack source IP address in each of the DDOS attack packets and the TTL value of each attack source IP address.
DPI (Deep Packet Inspection) is a traffic detection and control technique based on the application layer; in short, it analyzes and inspects traffic packet by packet. DPI is prior art and is not described further here.
Specifically, because the first server 101 is under DDOS attack, the detection server 103 uses DPI to analyze all the DDOS attack packets returned by the first server 101, obtains the attack source IP address in each DDOS attack packet and the TTL value of each attack source IP address, and extracts the distribution of the attack sources and of their attack TTL values.
Step 34: send a probe instruction comprising all the attack source IP addresses to the second server.
Specifically, the detection server 103 selects any server in the same network topology as the first server 101 as the second server 102 and sends a probe instruction to this second server 102. The probe instruction comprises the IP addresses of all the DDOS attack sources extracted in step 33 and instructs the second server 102 to probe the IP addresses of all the DDOS attack sources in turn with PING.
Step 35: receive all the probe response packets returned by the second server according to the probe instruction.
Specifically, the probe response packets are obtained by the second server 102 from the terminals corresponding to the attack source IP addresses when it probes those addresses with the PING command according to the probe instruction; the second server 102 returns all the probe response packets obtained by the PING probes to the detection server 103.
Step 36: perform DPI analysis on all the probe response packets to extract the attack source IP address in each of the probe response packets and the TTL value of each attack source IP address.
Specifically, the detection server 103 performs DPI analysis on all the probe response packets returned by the second server 102 and extracts the attack source IP addresses in all the probe response packets and their TTL distribution.
Step 37: judge whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value.
Specifically, because a single DDOS attack may have multiple attack source IP addresses, there are correspondingly multiple probe source IP addresses. The detection server 103 compares, one by one, the TTL value of each attack source IP address with the TTL value of its corresponding probe source IP address, and judges for each whether the difference between the TTL value of the attack source IP address and the TTL value of its corresponding probe source IP address is greater than the preset value. Preferably, the preset value may be 5.
If so, step 38 is performed: determine that the attack source IP address is a forged IP address.
For step 38, refer to the corresponding content of the first embodiment, which is not repeated here.
If not, step 39 is performed: determine that the attack source IP address is a real IP address.
In the network layer DDOS attack source identification method provided by this embodiment of the invention, when the detection server monitors that the first server is under DDOS attack, it uses a second server in the same network topology as the first server to probe the DDOS attack source in the reverse direction and, making use of the characteristics of the TTL value, compares the TTL value of the source IP address of the DDOS attack with the TTL value of the probe source IP address, so that it can quickly and effectively identify whether the network layer DDOS attack source IP address is real or forged.
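The following is an added worked example, not code from the patent or from the assignee, showing the detection server's side of the first and second embodiments: a minimal IPv4 header parser standing in for the DPI step, the per-source TTL distribution built from the captured attack packets, the comparison of each source's TTL with the TTL of the second server's probe reply against the preferred preset value of 5, and a helper that infers the likely initial TTL and hop count from an observed TTL using the operating-system defaults the text mentions. All packets are constructed inline. The function names, the use of the absolute TTL difference, the choice of the modal TTL per source, the treatment of the ICMP reply's IP-header TTL as the probe TTL, and the "undetermined" result for a source that returns no probe response are assumptions of this example, not details given by the patent.

```python
# Added example (not the patent's own code): TTL comparison for DDOS attack source
# identification, following the first and second embodiments. Packets are constructed.
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

PRESET = 5                               # the patent's preferred preset value
COMMON_INITIAL_TTLS = (64, 128, 255)     # usual OS defaults (Linux 64, Windows 128)


def build_ipv4(src, dst, ttl, proto=6, payload=b""):
    """Construct a minimal IPv4 packet (header checksum left at 0) for the samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(packet):
    """The DPI step of the example: return (source IP, TTL, protocol) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return str(IPv4Address(packet[12:16])), packet[8], packet[9]


def infer_origin(observed_ttl):
    """Estimate (initial TTL, hop count) by assuming the smallest common default >= observed.
    This heuristic is an assumption of the example; the patent only states the 64/128 defaults."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL exceeds 255")


def attack_ttl_profile(capture):
    """Per-source TTL distribution of the captured attack packets. Packets from one real
    source share a path and hence a TTL, so the modal TTL per source is kept for comparison."""
    dist = defaultdict(Counter)
    for pkt in capture:
        src, ttl, _ = parse_ipv4(pkt)
        dist[src][ttl] += 1
    return {src: c.most_common(1)[0][0] for src, c in dist.items()}


def classify(attack_ttl, probe_ttl, preset=PRESET):
    """Steps 24-26 / 37-39: |attack TTL - probe TTL| > preset means the source was forged."""
    if probe_ttl is None:
        return "undetermined"   # no probe reply: the patent gives no verdict, so none is made
    return "forged" if abs(attack_ttl - probe_ttl) > preset else "real"


def identify_sources(capture, probe_replies, preset=PRESET):
    """Correlate each attack source's modal TTL with the TTL in the second server's probe reply."""
    modal = attack_ttl_profile(capture)
    reply_ttl = {}
    for pkt in probe_replies:
        src, ttl, proto = parse_ipv4(pkt)
        if proto == 1:          # ICMP echo replies carry the probed host's real TTL
            reply_ttl[src] = ttl
    return {src: classify(ttl, reply_ttl.get(src), preset) for src, ttl in modal.items()}


def run_example():
    """Constructed scenario: first server 192.0.2.10 attacked from three claimed sources."""
    victim, second_server = "192.0.2.10", "192.0.2.11"
    capture = (
        [build_ipv4("203.0.113.7", victim, 54)] * 3      # real Linux host about 10 hops away
        + [build_ipv4("198.51.100.9", victim, 49)] * 3   # spoofed: the attacker is 15 hops away
        + [build_ipv4("192.0.2.33", victim, 120)] * 2    # spoofed address that never replies
    )
    probe_replies = [
        build_ipv4("203.0.113.7", second_server, 53, proto=1),    # within the preset of 5
        build_ipv4("198.51.100.9", second_server, 115, proto=1),  # real owner: Windows, 13 hops
    ]
    return identify_sources(capture, probe_replies)


if __name__ == "__main__":
    print(run_example())   # {'203.0.113.7': 'real', '198.51.100.9': 'forged', '192.0.2.33': 'undetermined'}
```

The second source illustrates the reasoning of the first embodiment: the attacker's packets carry the attacker's own initial TTL minus the attacker's path length, while the probe reply carries the real owner's initial TTL minus the owner's path length, so a spoofed source is exposed even though the address in both packets is identical. A source that never answers the probe is reported separately rather than guessed, because the method has no TTL to compare in that case.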
3rd embodiment
Refer to Fig. 4, be depicted as the flow chart of the network layer DDOS attack source discrimination that third embodiment of the invention provides.As shown in Figure 4, what this embodiment described is the handling process of user terminal, composition graphs 1, and the network layer DDOS attack source discrimination that the present embodiment provides comprises the following steps:
Step 41, detects server when monitoring first server and being subject to DDOS attack, sends DDOS attack bag obtain request to first server.
Particularly, detect server 103 and whether be subject to DDOS(Distributed Denial of Service by the data traffic information monitoring first server monitoring first server 101 in real time, distributed denial of service) attack, when monitoring first server 101 and being subject to DDOS attack, when also namely monitoring first server 101 data traffic exception, such as: occur large discharge hash or first server 101 there are a large amount of TCP(Transmission Control Protocol waited for, transmission control protocol) situation such as connection time, send DDOS attack bag to first server and obtain request, request first server 101 full dose captures DDOS attack bag, and all DDOS attack bags captured are returned to detection server 103.
Step 42, DDOS attack bag according to acquisition acquisition request DDOS attack bag, and is returned to detection server by first server.
Particularly, first server 101 is according to the acquisition request detecting server 103 transmission, and full dose captures the current all DDOS attack bags be subject to, and all DDOS attack bags captured are returned to detection server 103.
Step 43, detects the ttl value that server analysis obtains the attack source IP address in DDOS attack bag and attacks source IP address.
Particularly, all DDOS attack bags that detection server 103 pairs of first servers 101 return carry out DPI(Deep Packet Inspection, deep packet inspection technical) analyze, extract attack source IP address in all DDOS attack bags and the distribution of ttl value of attacking source IP address.
Step 44, detects server and sends the probe instructions comprising and attack source IP address to second server.
Specifically, the detection server 103 selects any server that is in the same network topology as the first server 101 as the second server 102 and sends it a probe instruction. The probe instruction contains the IP addresses of all DDOS attack sources and instructs the second server 102 to probe each of those IP addresses in turn.
Step 45: according to the probe instruction, the second server probes the attack source IP addresses, obtains probe response packets from the terminals corresponding to those addresses, and sends the probe response packets to the detection server.
In one embodiment of the present embodiment, the second server 102 carries out PING probes against the IP addresses of all DDOS attack sources in turn to obtain the probe response packets. PING is a common communication protocol that belongs to the TCP/IP protocol suite (Transmission Control Protocol/Internet Protocol) and is generally used to check whether a network path is reachable: PING sends an ICMP (Internet Control Message Protocol) echo request message to the destination and reports whether the expected ICMP echo reply is received. Probing with PING is a simple and effective way to obtain probe response packets from the attack source IP addresses, which improves the efficiency of DDOS attack source identification.
In other embodiments of the present embodiment, the second server 102 may also probe the IP addresses of all DDOS attack sources in turn using other common Internet protocols such as Telnet or Traceroute.
Step 46: the detection server extracts the probe source IP address and the TTL value of the probe source IP address from the probe response packets and judges whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value; if so, it determines that the attack source IP address is a forged IP address, and if not, it determines that the attack source IP address is a real IP address.
Specifically, the detection server 103 first performs DPI analysis on all probe response packets returned by the second server 102 and extracts the attack source IP addresses in all probe response packets together with their TTL distribution. It then compares, one by one, the TTL value of each attack source IP address with the TTL value of its corresponding probe source IP address, and judges for each pair whether the difference is greater than the preset value. This relies on the behaviour of the TTL value: it is decremented by one at each hop, so packets from the same real host to two servers in the same network topology arrive with nearly equal TTL values. When the difference between the TTL value of the attack source IP address and the TTL value of its corresponding probe source IP address is greater than the preset value (for example, 5), the discrepancy between the two TTL values is large, and the attack source IP address can be determined to be a forged IP address. When the difference is less than or equal to the preset value, the attack source IP address can be determined to be a real IP address.
The network layer DDOS attack source identification method provided by the embodiment of the present invention uses, when the detection server detects that the first server is under DDOS attack, a second server in the same network topology as the first server to probe the DDOS attack sources in reverse, and at the same time exploits the behaviour of TTL values: by comparing the TTL value of the source IP address of the DDOS attack source with the TTL value of the probe source IP address, it can quickly and effectively identify whether a network layer DDOS attack source IP address is real or forged.
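As an added illustration of steps 45 and 46 (example code, not code from the patent), the following Python sketch carries out the detection server's comparison: the TTL values seen per attack source IP are grouped as they would be extracted from the attack packets, compared with the TTL of the echo reply the second server obtained when probing that address, and judged against the preset value of 5. The sample packets, the probe replies, the use of the absolute difference, and the "no_response" verdict for a source that does not answer are assumptions.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Preset value from the description: a TTL difference greater than 5
# marks the attack source IP address as forged.
TTL_DIFF_THRESHOLD = 5

# Constructed sample: (attack source IP, TTL) pairs as the detection server
# would extract them from the DDOS attack packets obtained from the first server.
ATTACK_PACKETS: List[Tuple[str, int]] = [
    ("203.0.113.10", 52), ("203.0.113.10", 52), ("203.0.113.10", 51),
    ("198.51.100.7", 240), ("198.51.100.7", 240),
    ("192.0.2.99", 117),
    ("192.0.2.5", 60),
]

# Constructed sample: TTL of the ICMP echo reply the second server received
# when it probed each attack source IP. None means no reply was received
# (an assumption; the description does not cover unreachable sources).
PROBE_RESPONSES: Dict[str, Optional[int]] = {
    "203.0.113.10": 53,   # close to the attack TTL: real source
    "198.51.100.7": 112,  # far from the attack TTL: forged source
    "192.0.2.99": 118,    # close to the attack TTL: real source
    "192.0.2.5": None,    # terminal did not answer the probe
}


def ttl_distribution(packets: List[Tuple[str, int]]) -> Dict[str, Counter]:
    """Group the TTL values observed per attack source IP address (the
    'TTL distribution' the detection server extracts from all attack packets)."""
    dist: Dict[str, Counter] = {}
    for ip, ttl in packets:
        dist.setdefault(ip, Counter())[ttl] += 1
    return dist


def representative_ttl(ttls: Counter) -> int:
    """Use the most frequent TTL of a source IP as its attack TTL value.
    Assumption: the description speaks of 'the TTL value' of the source IP;
    when several values were seen, the mode is taken as the representative."""
    return ttls.most_common(1)[0][0]


def classify_source(attack_ttl: int, probe_ttl: Optional[int],
                    threshold: int = TTL_DIFF_THRESHOLD) -> str:
    """Step 46: if |attack TTL - probe TTL| > threshold the attack source IP is
    forged, otherwise it is real. A source that returned no probe response
    cannot be judged and is reported as 'no_response' (assumption)."""
    if probe_ttl is None:
        return "no_response"
    return "forged" if abs(attack_ttl - probe_ttl) > threshold else "real"


def identify_sources(packets: List[Tuple[str, int]],
                     responses: Dict[str, Optional[int]],
                     threshold: int = TTL_DIFF_THRESHOLD) -> Dict[str, str]:
    """Judge every attack source IP seen in the attack packets against the
    TTL the second server observed when probing it."""
    verdicts: Dict[str, str] = {}
    for ip, ttls in ttl_distribution(packets).items():
        verdicts[ip] = classify_source(representative_ttl(ttls),
                                       responses.get(ip), threshold)
    return verdicts


if __name__ == "__main__":
    for ip, verdict in identify_sources(ATTACK_PACKETS, PROBE_RESPONSES).items():
        print(f"{ip:15} {verdict}")
```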
Fourth embodiment
Fig. 5 is a schematic structural diagram of the detection server provided by the fourth embodiment of the invention. The detection server provided by this embodiment may be used to implement the network layer DDOS attack source identification method of the first embodiment. As shown in Fig. 5, the detection server 50 comprises: a DDOS attack packet acquisition and analysis module 51, a probe instruction sending module 52, a probe response packet analysis module 53, and a judgment module 54.
The DDOS attack packet acquisition and analysis module 51 is used, when it detects that the first server is under DDOS attack, to obtain DDOS attack packets from the first server and extract the attack source IP address in the DDOS attack packets and the TTL value of the attack source IP address.
The probe instruction sending module 52 is used to send to the second server a probe instruction containing the attack source IP address obtained by the DDOS attack packet acquisition and analysis module 51; the second server and the first server are in the same network topology, and the probe instruction instructs the second server to probe the attack source IP address.
The probe response packet analysis module 53 is used to receive the probe response packets returned by the second server according to the probe instruction sent by the probe instruction sending module 52, and to extract the probe source IP address in the probe response packets and the TTL value of the probe source IP address.
The judgment module 54 is used to judge whether the difference between the TTL value of the attack source IP address obtained by the DDOS attack packet acquisition and analysis module 51 and the TTL value of the probe source IP address obtained by the probe response packet analysis module 53 is greater than the preset value; if so, it determines that the attack source IP address is a forged IP address, and if not, it determines that the attack source IP address is a real IP address.
For the detailed process by which each functional module of the detection server 50 of this embodiment implements its function, refer to the description of the embodiments shown in Fig. 1 to Fig. 4 above; it is not repeated here.
The network layer DDOS attack source identification device provided by the embodiment of the present invention uses, when it detects that the first server is under DDOS attack, a second server in the same network topology as the first server to probe the DDOS attack sources in reverse, and at the same time exploits the behaviour of TTL values: by comparing the TTL value of the source IP address of the DDOS attack source with the TTL value of the probe source IP address, it can quickly and effectively identify whether a network layer DDOS attack source IP address is real or forged.
Fifth embodiment
Fig. 6 is a schematic structural diagram of the detection server provided by the fifth embodiment of the invention. The detection server provided by this embodiment may be used to implement the network layer DDOS attack source identification methods of the second and third embodiments. As shown in Fig. 6, the detection server 60 comprises: a DDOS attack packet acquisition and analysis module 61, a probe instruction sending module 62, a probe response packet analysis module 63, and a judgment module 64.
The DDOS attack packet acquisition and analysis module 61 is used, when it detects that the first server is under DDOS attack, to obtain DDOS attack packets from the first server and extract the attack source IP address in the DDOS attack packets and the TTL value of the attack source IP address. The DDOS attack packet acquisition and analysis module 61 comprises: a DDOS attack packet acquisition request sending unit 611, a DDOS attack packet receiving unit 612, and a DDOS attack packet analysis unit 613. The DDOS attack packet acquisition request sending unit 611 is used, when it detects that the first server is under DDOS attack, to send the first server a request to obtain all DDOS attack packets; the DDOS attack packet receiving unit 612 is used to receive all the DDOS attack packets that the first server sends according to the request sent by the DDOS attack packet acquisition request sending unit 611; and the DDOS attack packet analysis unit 613 is used to perform DPI analysis on all the DDOS attack packets received by the DDOS attack packet receiving unit 612 and to obtain, for each of them, the attack source IP address in the DDOS attack packets and the TTL value of the attack source IP address.
The probe instruction sending module 62 is used to send to the second server a probe instruction containing the attack source IP address obtained by the DDOS attack packet acquisition and analysis module 61; the second server and the first server are in the same network topology, and the probe instruction instructs the second server to probe the attack source IP address. It is also used to send to the second server a probe instruction containing all of the attack source IP addresses, which instructs the second server to use the PING command to probe, in turn, the attack source IP addresses in all the DDOS attack packets.
The probe response packet analysis module 63 is used to receive the probe response packets returned by the second server according to the probe instruction sent by the probe instruction sending module 62, and to extract the probe source IP address in the probe response packets and the TTL value of the probe source IP address. The probe response packet analysis module comprises: a probe response packet receiving unit 631 and a probe response packet analysis unit 632. The probe response packet receiving unit 631 is used to receive all the probe response packets returned by the second server according to the probe instruction sent by the probe instruction sending module; these probe response packets are obtained by the second server, according to the probe instruction, from the terminals corresponding to the attack source IP addresses when it uses the PING command to probe those addresses. The probe response packet analysis unit 632 is used to perform DPI analysis on all the probe response packets received by the probe response packet receiving unit 631 and to extract, for each of them, the attack source IP address in the probe response packets and the TTL value of the attack source IP address.
The judgment module 64 is used to judge whether the difference between the TTL value of the attack source IP address obtained by the DDOS attack packet acquisition and analysis module 61 and the TTL value of the probe source IP address obtained by the probe response packet analysis module 63 is greater than the preset value; if so, it determines that the attack source IP address is a forged IP address, and if not, it determines that the attack source IP address is a real IP address.
For the detailed process by which each functional module of the detection server 60 of this embodiment implements its function, refer to the description of the embodiments shown in Fig. 1 to Fig. 4 above; it is not repeated here.
The network layer DDOS attack source identification device provided by the embodiment of the present invention uses, when it detects that the first server is under DDOS attack, a second server in the same network topology as the first server to probe the DDOS attack sources in reverse, and at the same time exploits the behaviour of TTL values: by comparing the TTL value of the source IP address of the DDOS attack source with the TTL value of the probe source IP address, it can quickly and effectively identify whether a network layer DDOS attack source IP address is real or forged.
Sixth embodiment
Fig. 7 is a schematic structural diagram of the network layer DDOS attack source identification system provided by the sixth embodiment of the invention. As shown in Fig. 7, the network layer DDOS attack source identification system 70 provided by this embodiment comprises: a first server 71, a detection server 72 and a second server 73.
The first server 71 is used to send DDOS attack packets to the detection server 72 according to the request to obtain DDOS attack packets sent by the detection server 72.
For the specific structure of the detection server 72, refer to the devices of the embodiments corresponding to Fig. 5 and Fig. 6; it is not repeated here.
The second server 73 is used to probe the attack source IP addresses according to the probe instruction sent by the detection server 72, obtain probe response packets from the terminals corresponding to the attack source IP addresses, and send the probe response packets to the detection server 72. The second server 73 and the first server 71 are in the same network topology.
For the detailed process by which each device in the network layer DDOS attack source identification system of this embodiment implements its function, refer to the methods of the embodiments corresponding to Fig. 1 to Fig. 4 and the devices of the embodiments corresponding to Fig. 5 and Fig. 6; it is not repeated here.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. Since the device embodiments are essentially similar to the method embodiments, their description is relatively brief, and the relevant parts may be found in the description of the method embodiments.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element defined by the statement "comprising a ..." does not exclude the existence of other identical elements in the process, method, article or device that comprises it.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by hardware, or by a program that instructs the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, or the like.
The above is only a preferred embodiment of the present invention and does not limit the present invention in any form. Although the present invention has been disclosed above by way of preferred embodiments, these are not intended to limit it. Any person skilled in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make minor changes or modifications that yield equivalent embodiments of equivalent variation; any simple modification, equivalent variation or alteration made to the above embodiments according to the technical spirit of the present invention, as long as it does not depart from the content of the technical solution of the present invention, still falls within the scope of the technical solution of the present invention.

Claims (10)

1. A network layer DDOS attack source identification method, characterized in that it comprises:
a detection server, when it detects that a first server is under DDOS attack, obtaining DDOS attack packets from the first server and extracting an attack source IP address in the DDOS attack packets and a TTL value of the attack source IP address;
sending to a second server a probe instruction containing the attack source IP address, the second server and the first server being in the same network topology, and the probe instruction instructing the second server to probe the attack source IP address;
receiving probe response packets returned by the second server according to the probe instruction, and extracting a probe source IP address in the probe response packets and a TTL value of the probe source IP address; and
judging whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a real IP address.
2. The method according to claim 1, characterized in that the step in which the detection server, when it detects that the first server is under DDOS attack, obtains DDOS attack packets from the first server and extracts the attack source IP address in the DDOS attack packets and the TTL value of the attack source IP address comprises:
the detection server, when it detects that the first server is under DDOS attack, sending the first server a request to obtain all DDOS attack packets;
receiving all the DDOS attack packets returned by the first server according to the request;
performing DPI analysis on all the DDOS attack packets; and
obtaining, for each of them, the attack source IP address in all the DDOS attack packets and the TTL value of the attack source IP address.
3. The method according to claim 2, characterized in that the step of sending to the second server the probe instruction containing the attack source IP address comprises:
sending to the second server a probe instruction containing all of the attack source IP addresses, the probe instruction instructing the second server to use the PING command to probe, in turn, the attack source IP addresses in all the DDOS attack packets.
4. The method according to claim 3, characterized in that the step of receiving the probe response packets returned by the second server according to the probe instruction and extracting the probe source IP address in the probe response packets and the TTL value of the probe source IP address comprises:
receiving all the probe response packets returned by the second server according to the probe instruction, the probe response packets being obtained by the second server, according to the probe instruction, from the terminals corresponding to the attack source IP addresses when it uses the PING command to probe the attack source IP addresses;
performing DPI analysis on all the probe response packets; and
extracting, for each of them, the attack source IP address in all the probe response packets and the TTL value of the attack source IP address.
5. A network layer DDOS attack source identification method, characterized in that it comprises:
a detection server, when it detects that a first server is under DDOS attack, obtaining DDOS attack packets from the first server and extracting an attack source IP address in the DDOS attack packets and a TTL value of the attack source IP address;
the detection server sending to a second server a probe instruction containing the attack source IP address, the second server and the first server being in the same network topology, and the probe instruction instructing the second server to probe the attack source IP address;
the second server, according to the probe instruction, probing the attack source IP address, obtaining probe response packets from the terminal corresponding to the attack source IP address, and sending the probe response packets to the detection server; and
the detection server extracting a probe source IP address in the probe response packets and a TTL value of the probe source IP address, and judging whether the difference between the TTL value of the attack source IP address and the TTL value of the probe source IP address is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a real IP address.
6. A network layer DDOS attack source identification device, applied to a detection server, characterized in that it comprises:
a DDOS attack packet acquisition and analysis module, for, when it detects that a first server is under DDOS attack, obtaining DDOS attack packets from the first server and extracting an attack source IP address in the DDOS attack packets and a TTL value of the attack source IP address;
a probe instruction sending module, for sending to a second server a probe instruction containing the attack source IP address obtained by the DDOS attack packet acquisition and analysis module, the second server and the first server being in the same network topology, and the probe instruction instructing the second server to probe the attack source IP address;
a probe response packet analysis module, for receiving probe response packets returned by the second server according to the probe instruction sent by the probe instruction sending module, and extracting a probe source IP address in the probe response packets and a TTL value of the probe source IP address; and
a judgment module, for judging whether the difference between the TTL value of the attack source IP address obtained by the DDOS attack packet acquisition and analysis module and the TTL value of the probe source IP address obtained by the probe response packet analysis module is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, and if not, determining that the attack source IP address is a real IP address.
7. The device according to claim 6, wherein the DDOS attack packet acquisition and analysis module comprises:
a DDOS attack packet acquisition request sending unit, for, when it detects that the first server is under DDOS attack, sending the first server a request to obtain all DDOS attack packets;
a DDOS attack packet receiving unit, for receiving all the DDOS attack packets that the first server sends according to the request to obtain all DDOS attack packets sent by the DDOS attack packet acquisition request sending unit; and
a DDOS attack packet analysis unit, for performing DPI analysis on all the DDOS attack packets received by the DDOS attack packet receiving unit and obtaining, for each of them, the attack source IP address in all the DDOS attack packets and the TTL value of the attack source IP address.
8. The device according to claim 7, characterized in that the probe instruction sending module is used to send to the second server a probe instruction containing all of the attack source IP addresses, the probe instruction instructing the second server to use the PING command to probe, in turn, the attack source IP addresses in all the DDOS attack packets.
9. The device according to claim 8, characterized in that the probe response packet analysis module comprises:
a probe response packet receiving unit, for receiving all the probe response packets returned by the second server according to the probe instruction sent by the probe instruction sending module, the probe response packets being obtained by the second server, according to the probe instruction, from the terminals corresponding to the attack source IP addresses when it uses the PING command to probe the attack source IP addresses; and
a probe response packet analysis unit, for performing DPI analysis on all the probe response packets received by the probe response packet receiving unit and extracting, for each of them, the attack source IP address in all the probe response packets and the TTL value of the attack source IP address.
10. A network layer DDOS attack source identification system, characterized in that it comprises: a detection server according to any one of claims 6 to 9, a first server and a second server;
the first server being used to send DDOS attack packets to the detection server according to the request to obtain DDOS attack packets sent by the detection server;
the second server being used to probe the attack source IP address according to the probe instruction sent by the detection server, obtain probe response packets from the terminal corresponding to the attack source IP address, and send the probe response packets to the detection server;
wherein the second server and the first server are in the same network topology.
CN201310325923.XA 2013-07-30 Network layer DDOS attack source identification method, apparatus and system Active CN104348794B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310325923.XA CN104348794B (en) 2013-07-30 Network layer DDOS attack source identification method, apparatus and system

Publications (2)

Publication Number Publication Date
CN104348794A true CN104348794A (en) 2015-02-11
CN104348794B CN104348794B (en) 2019-07-16
