CN107634971A - A method and device for detecting flood attacks - Google Patents

Publication number: CN107634971A
Application number: CN201711021069.2A
Authority: CN (China)
Legal status: Granted (Active)
Other versions: CN107634971B
Other languages: Chinese (zh)
Inventor: 杜剑锋
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Prior art keywords: session, user, list item, entry, tuple
Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201711021069.2A; publication of CN107634971A; application granted; publication of CN107634971B

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and device for detecting flood attacks, applied to an access switch of a LAN. The method includes: updating the initiated-session count in the user entries of a user table according to the source IP of the session entries of a session table; updating the abnormal-session count in the user entries of the user table according to the session state and session establishment time of the session entries of the session table; periodically traversing the user table to determine whether the initiated-session count of each user entry reaches a preset first threshold and whether the abnormal-session count of each user entry reaches a preset second threshold; and, if the initiated-session count of a user entry reaches the first threshold or the abnormal-session count of the user entry reaches the second threshold, determining that the IP address in that user entry is the IP address of an attack source. In the application the access switch identifies the attack source of the flood attack, which improves the security and reliability of the network without increasing the cost of the LAN.

Description

A method and device for detecting flood attacks
Technical field
The application relates to the field of security protection, and in particular to a method and device for detecting flood attacks.
Background technology
When a computer, server or similar device in a LAN is infected by a virus, it often becomes an attack source inside the LAN and sends large numbers of attack packets to the other computers or servers of the LAN, causing a flood attack. Common examples are TCP SYN Flood (Transmission Control Protocol Synchronize Flood) packets, UDP Flood (User Datagram Protocol Flood) packets and ICMP Flood (Internet Control Message Protocol Flood) packets. These attack packets reduce the communication efficiency of the LAN or even interrupt communication, and may also paralyse servers inside and outside the LAN so that they can no longer provide service. Therefore, once a flood attack occurs, it is very important to identify the attack source in time and block it.
In the prior art, the attack source is generally detected by the network devices of the aggregation layer or core layer. These devices capture packets, extract packet features (for example the source IP), analyse the features to identify attack packets, and thereby determine the attack source. However, when the attack packets are forwarded only within the Layer 2 network, the aggregation-layer or core-layer devices cannot detect them. To solve this problem, a security device connected to the access switch is usually deployed, and the packets forwarded by the access switch are inspected by the security device to determine the attack source; this, however, increases the cost of the LAN.
Summary of the invention
In view of this, the application provides a method and device for detecting flood attacks that improve the security and reliability of the network without increasing the cost of the LAN.
Specifically, the application is achieved by the following technical solution:
A method for detecting flood attacks, applied to an access switch of a LAN, including:
updating the initiated-session count in a user entry of a preset user table according to the source IP in the five-tuple of a session entry of a preset session table; wherein the session table holds the mapping between five-tuple, session state and session establishment time, and the user table holds the mapping between IP address, initiated-session count and abnormal-session count;
updating the abnormal-session count in the user entry of the user table according to the session state and session establishment time of the session entry of the session table;
periodically traversing the user table, determining whether the initiated-session count of each user entry reaches a preset first threshold, and determining whether the abnormal-session count of each user entry reaches a preset second threshold;
if the initiated-session count of a user entry reaches the first threshold, or the abnormal-session count of the user entry reaches the second threshold, determining that the IP address in the user entry is the IP address of an attack source.
In the method for detecting flood attacks, updating the initiated-session count in the user entry of the user table according to the source IP in the five-tuple of the session entry of the session table includes:
creating a new session entry, or updating a session entry of the session table;
searching the user table by the source IP in the five-tuple of the session entry and determining whether a corresponding user entry is found;
if so, adding 1 to the initiated-session count in the user entry found;
if not, creating a new user entry by the source IP in the five-tuple of the session entry and setting its initiated-session count to 1.
In the method for detecting flood attacks, creating a new session entry or updating a session entry of the session table includes:
receiving a packet and extracting the five-tuple of the packet;
searching the session table by the five-tuple and determining whether a corresponding session entry is found;
if so, updating the session state in the session entry; wherein the session state includes an incomplete state and a complete state, the incomplete state meaning that the two parties of the session have not yet communicated with each other and the complete state meaning that the two parties have communicated with each other;
if not, creating a new session entry based on the five-tuple and setting the session state in the session entry to the incomplete state.
In the method for detecting flood attacks, updating the abnormal-session count in the user entry of the user table according to the session state and session establishment time of the session entry of the session table includes:
periodically traversing the session table and selecting each session entry in turn as the target session entry;
determining, based on the current time and the session establishment time in the target session entry, whether the target session entry has existed for a preset state update duration;
if the target session entry has existed for the state update duration, determining whether the session state in the target session entry is the complete state;
if so, selecting the next session entry as the target session entry;
if not, searching the user table by the source IP in the five-tuple of the target session entry and adding 1 to the abnormal-session count in the user entry found.
In the method for detecting flood attacks, the method further includes:
after the IP address of the attack source is determined, discarding the packets sent by the attack source.
In the method for detecting flood attacks, the access switch is connected to a management server, and the method further includes:
after the IP address of the attack source is determined, reporting the user entry of the attack source to the management server, so that the management server further confirms that the IP address in the user entry is the IP address of the attack source of the flood attack and issues a blocking command;
receiving the blocking command and discarding the packets sent by the attack source.
A device for detecting flood attacks, applied to an access switch of a LAN, including:
a first updating unit, for updating the initiated-session count in a user entry of a preset user table according to the source IP in the five-tuple of a session entry of a preset session table; wherein the session table holds the mapping between five-tuple, session state and session establishment time, and the user table holds the mapping between IP address, initiated-session count and abnormal-session count;
a second updating unit, for updating the abnormal-session count in the user entry of the user table according to the session state and session establishment time of the session entry of the session table;
a detection unit, for periodically traversing the user table, determining whether the initiated-session count of each user entry reaches a preset first threshold, and determining whether the abnormal-session count of each user entry reaches a preset second threshold;
a determining unit, for determining that the IP address in a user entry is the IP address of an attack source if the initiated-session count of the user entry reaches the first threshold or the abnormal-session count of the user entry reaches the second threshold.
In the device for detecting flood attacks, the first updating unit is further used for:
creating a new session entry, or updating a session entry of the session table;
searching the user table by the source IP in the five-tuple of the session entry and determining whether a corresponding user entry is found;
if so, adding 1 to the initiated-session count in the user entry found;
if not, creating a new user entry by the source IP in the five-tuple of the session entry and setting its initiated-session count to 1.
In the device for detecting flood attacks, the first updating unit is further used for:
receiving a packet and extracting the five-tuple of the packet;
searching the session table by the five-tuple and determining whether a corresponding session entry is found;
if so, updating the session state in the session entry; wherein the session state includes an incomplete state and a complete state, the incomplete state meaning that the two parties of the session have not yet communicated with each other and the complete state meaning that the two parties have communicated with each other;
if not, creating a new session entry based on the five-tuple and setting the session state in the session entry to the incomplete state.
In the device for detecting flood attacks, the second updating unit is further used for:
periodically traversing the session table and selecting each session entry in turn as the target session entry;
determining, based on the current time and the session establishment time in the target session entry, whether the target session entry has existed for a preset state update duration;
if the target session entry has existed for the state update duration, determining whether the session state in the target session entry is the complete state;
if so, selecting the next session entry as the target session entry;
if not, searching the user table by the source IP in the five-tuple of the target session entry and adding 1 to the abnormal-session count in the user entry found.
In the device for detecting flood attacks, the device further includes:
a discarding unit, for discarding the packets sent by the attack source after the IP address of the attack source is determined.
In the device for detecting flood attacks, the access switch is connected to a management server, and the device further includes:
a reporting unit, for reporting the user entry of the attack source to the management server after the IP address of the attack source is determined, so that the management server further confirms that the IP address in the user entry is the IP address of the attack source of the flood attack and issues a blocking command;
a receiving unit, for receiving the blocking command and discarding the packets sent by the attack source.
In the technical solution of the application, because under normal circumstances the number of sessions actively initiated by a single terminal device is small, and the number of abnormal sessions among the sessions it initiates is also small, the access switch of the LAN uses the initiated-session count and abnormal-session count in the user table as the basis for determining whether the terminal device corresponding to each user entry is the attack source of a flood attack;
the application transfers the work of identifying the attack source of a flood attack to the access switches of the LAN. Compared with identifying the attack source by the network devices of the aggregation layer or core layer, each access switch can detect packets that are forwarded only within the Layer 2 network, and no security device needs to be added, so the security and reliability of the network are improved without increasing the cost of the LAN.
Brief description of the drawings
Fig. 1 is a network architecture diagram of a LAN shown in the application;
Fig. 2 is a flow chart of a method for detecting flood attacks shown in the application;
Fig. 3 is a flow chart of updating the session table and user table shown in the application;
Fig. 4 is a flow chart of updating the abnormal-session count of the user table shown in the application;
Fig. 5 is a flow chart of determining the attack source of a flood attack shown in the application;
Fig. 6 is a block diagram of an embodiment of a device for detecting flood attacks shown in the application;
Fig. 7 is a hardware structure diagram of a device for detecting flood attacks shown in the application.
Embodiments
In order that those skilled in the art may better understand the technical solution in the embodiments of the present invention, and to make the above purposes, features and advantages of the embodiments more obvious and understandable, the prior art and the technical solution in the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
In the prior art, the attack source of a flood attack in a LAN is generally detected by the network devices of the aggregation layer or core layer. Referring to Fig. 1, which is a network architecture diagram of a LAN shown in the application, when a computer in the LAN is infected by a virus it becomes an attack source and sends large numbers of attack packets to other computers or servers. In this case, the core device of the LAN (the gateway device in Fig. 1) can capture the packets forwarded by all access switches and extract their packet features, where the packet feature can be the source IP of the packet.
The gateway device can count how many times each source IP occurs and treat a source IP whose count exceeds a preset threshold as the IP address of the computer carrying out the flood attack. After determining the IP address of the attack source, the gateway device can issue a blocking command to the access switch that forwards the attack packets, so that the access switch blocks the packets sent by the attack source.
However, if the attack packets are not forwarded at Layer 3, the core-layer network device cannot detect them. For example, when computer A in Fig. 1 sends attack packets only to computer B, the gateway device cannot detect the attack packets and therefore cannot determine the attack source.
In this case, a security device connected to the access switch is usually deployed, and the packets forwarded by the access switch are inspected by the security device to identify the attack source of the flood attack. However, this increases the deployment cost of the LAN.
It can be seen that in the prior art, identifying the attack source by the network devices of the core layer or aggregation layer has the defect that attack packets not forwarded at Layer 3 cannot be detected, while identifying the attack source by deploying a security device connected to the access switch increases the deployment and maintenance cost of the LAN.
In view of this, the application provides a method for detecting flood attacks in which each access switch updates the user entries of a user table based on the session entries of a preset session table, then periodically judges whether the number of sessions actively initiated by each computer or server reaches a preset first threshold and whether the number of abnormal sessions of each computer or server reaches a preset second threshold, and determines the session initiator to be the attack source when either indicator reaches its threshold. Because each access switch actively detects the attack source of a flood attack, the application improves the security and reliability of the network without increasing the deployment and maintenance cost of the LAN.
Referring to Fig. 2, which is a flow chart of a method for detecting flood attacks shown in the application, the method is applied to an access switch of a LAN and includes:
Step 201: updating the initiated-session count in a user entry of a preset user table according to the source IP in the five-tuple of a session entry of a preset session table; wherein the session table holds the mapping between five-tuple, session state and session establishment time, and the user table holds the mapping between IP address, initiated-session count and abnormal-session count.
Step 202: updating the abnormal-session count in the user entry of the user table according to the session state and session establishment time of the session entry of the session table.
Step 203: periodically traversing the user table, determining whether the initiated-session count of each user entry reaches a preset first threshold, and determining whether the abnormal-session count of each user entry reaches a preset second threshold.
Step 204: if the initiated-session count of a user entry reaches the first threshold, or the abnormal-session count of the user entry reaches the second threshold, determining that the IP address in the user entry is the IP address of an attack source.
In the embodiments of the application, each access switch can be pre-configured with a session table and a user table. The session table records the sessions to which locally processed packets belong; each session entry holds the mapping between five-tuple, session state, session establishment time and session aging time. The user table records the number of sessions actively initiated by each computer or server in the LAN and the number of abnormal sessions among them; each user entry holds the mapping between IP address, initiated-session count and abnormal-session count.
It should be noted that a five-tuple consists of source IP, destination IP, protocol number, source port and destination port, and that each session entry can hold two five-tuples, where the source IP and source port of one five-tuple are respectively the destination IP and destination port of the other. The session state can be an incomplete state or a complete state, and the strategy for determining the session state differs between protocol types.
For example, for a TCP session, when the access switch receives a packet carrying SYN it fills in the session state as incomplete; after receiving a packet carrying SYN and ACK the session state is kept unchanged; and only after receiving a packet carrying ACK alone (that is, after determining that the two parties have completed the three-way handshake) is the session state updated to complete.
For a UDP session, the access switch fills in the session state as incomplete when creating the session entry, and updates it to complete after receiving a packet carrying the other five-tuple of the session (that is, after determining that the session has bidirectional traffic).
In addition, a state update duration can be pre-configured on each access switch. After a session entry has existed for this state update duration, the switch judges whether the session state in the entry is complete, and if it is not, the session corresponding to the entry is determined to be an abnormal session. The state update duration can be configured according to the actual network environment; for example, it can be set to 120 seconds.
In the embodiments of the application, the access switch can update the initiated-session count in the user entries of the user table according to the source IP in the five-tuple of the session entries of the session table.
Specifically, when the access switch receives a packet exchanged between terminal devices (including computers and servers) in the LAN, it can create or update a session entry based on the packet and update the user table.
Referring to Fig. 3, which is a flow chart of updating the session table and user table shown in the application, after receiving a packet the access switch first extracts the five-tuple of the packet; the packet may have been sent by a terminal device attached to the access switch, or forwarded to the access switch by a network device of the aggregation layer or core layer.
The access switch can search the session table by the extracted five-tuple and determine whether a corresponding session entry is found. It should be noted that when searching the session table by the extracted five-tuple, the access switch does not distinguish source IP from destination IP, nor source port from destination port; therefore two five-tuples whose source and destination IPs are swapped and whose source and destination ports are swapped find the same session entry.
On the one hand, if the access switch finds the session entry corresponding to the five-tuple, it has previously received packets of this session and can update the session entry found.
Specifically, if the five-tuple corresponds to a TCP session, the access switch can update the session state based on the contents of the packet, such as its SYN and ACK fields. In addition, if the five-tuple is not yet recorded in the session entry, it can be recorded there.
If the five-tuple corresponds to a UDP session, the access switch can determine whether two five-tuples with opposite source and destination IPs and opposite source and destination ports have already been recorded in the session entry; if the extracted five-tuple has not yet been recorded, it can be recorded in the session entry, the session is determined to have bidirectional traffic, and the session state in the entry is updated to complete.
Similarly, if the five-tuple corresponds to an ICMP session, the access switch can likewise determine whether two opposite five-tuples have already been recorded in the session entry; if the extracted five-tuple has not yet been recorded, it can be recorded in the session entry, the session is determined to have bidirectional traffic, and the session state in the entry is updated to complete.
On the other hand, if the access switch cannot find the session entry corresponding to the five-tuple, it has not previously received packets of this session and can create a new session entry.
Specifically, the access switch can create a new session entry based on the five-tuple, fill the current time into the session establishment time, and set the session state to incomplete.
In practice, the value stored in the session state can be a complete-state mark or an incomplete-state mark; for example, the incomplete-state mark can be 0 and the complete-state mark can be 1.
Further, after creating a new session entry or updating the session state, the access switch can search the pre-configured user table by the source IP in the five-tuple and determine whether a corresponding user entry is found.
On the one hand, if no corresponding user entry is found, the access switch can create a new user entry by the source IP in the five-tuple and set the initiated-session count in that user entry to 1;
On the other hand, if a corresponding user entry is found, the access switch can add 1 to the initiated-session count in the user entry.
In the embodiments of the application, the access switch can update the abnormal-session count in the user entries of the user table according to the session state and session establishment time of the session entries of the session table.
Specifically, the access switch can periodically check the session state of the sessions initiated by each terminal device and then determine whether the session corresponding to each session entry is an abnormal session.
Referring to Fig. 4, which is a flow chart of updating the abnormal-session count of the user table shown in the application, the access switch can periodically traverse the session table, taking each session entry in turn as the target session entry, then compute the time difference between the current time and the session establishment time of the target session entry and judge whether the difference reaches the state update duration. If it does, the switch can determine whether the session state in the target session entry is complete.
On the one hand, if the session state in the target session entry is complete, the switch can continue by checking the next session entry as the target session entry;
On the other hand, if the session state in the target session entry is not complete, the switch can search the user table by the source IP in the five-tuple of the target session entry and add 1 to the abnormal-session count in the user entry found.
By this measure, the access switch can keep the number of abnormal sessions among the sessions actively initiated by each terminal device up to date, so that the attack source of a flood attack can subsequently be determined based on the abnormal-session count in each user entry.
In the embodiments of the application, the access switch can periodically traverse the user table to determine the attack source of a flood attack.
Referring to Fig. 5, which is a flow chart of determining the attack source of a flood attack shown in the application, the access switch can periodically traverse the user table, taking each user entry in turn as the target user entry, then determine whether the initiated-session count in the target user entry reaches the preset first threshold and whether the abnormal-session count in the target user entry reaches the preset second threshold.
On the one hand, if either the initiated-session count or the abnormal-session count of the target user entry reaches its threshold, the terminal device corresponding to the target user entry can be determined to be an attack source;
On the other hand, if neither the initiated-session count nor the abnormal-session count of the target user entry reaches its threshold, the switch can continue by checking the next user entry as the target user entry.
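The following Python model is an added illustration of the state rules and of the Fig. 3 to Fig. 5 procedures described above; it is not code from the patent or from Hangzhou DPTech. It assumes a (src_ip, dst_ip, proto, src_port, dst_port) tuple layout with IANA protocol numbers, increments the initiated-session count once per newly created session, and adds a counted_abnormal flag (my addition) so that a session that stays incomplete is counted as abnormal only once across repeated traversals.

```python
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1     # IANA protocol numbers (assumed; the page only names the protocols)
INCOMPLETE, COMPLETE = 0, 1   # state marks, 0 = incomplete and 1 = complete as the page suggests
# Five-tuple layout assumed here: (src_ip, dst_ip, proto, src_port, dst_port).


def session_key(ft):
    """Direction-insensitive key: a five-tuple and its reverse find the same session entry."""
    src_ip, dst_ip, proto, sport, dport = ft
    return (proto,) + tuple(sorted([(src_ip, sport), (dst_ip, dport)]))


@dataclass
class SessionEntry:
    initiator_ip: str               # source IP of the packet that created the entry
    proto: int
    state: int
    created: float                  # session establishment time
    counted_abnormal: bool = False  # assumption: an incomplete session is counted once


@dataclass
class UserEntry:
    initiated: int = 0              # initiated-session count
    abnormal: int = 0               # abnormal-session count


class FloodDetector:
    def __init__(self, first_threshold, second_threshold, state_update_duration=120.0):
        self.t1, self.t2 = first_threshold, second_threshold
        self.state_update_duration = state_update_duration
        self.sessions = {}      # the session table, keyed by session_key()
        self.users = {}         # the user table, keyed by IP address
        self.blocked = set()    # attack sources whose packets are discarded

    def on_packet(self, ft, now, syn=False, ack=False):
        """Fig. 3: create or update the session entry, then update the user table."""
        src_ip, proto = ft[0], ft[2]
        entry = self.sessions.get(session_key(ft))
        if entry is None:
            # New session: incomplete state, establishment time = now, initiator = src_ip.
            entry = SessionEntry(src_ip, proto, INCOMPLETE, now)
            self.sessions[session_key(ft)] = entry
            # Assumption: the initiated-session count is incremented once per new session.
            self.users.setdefault(src_ip, UserEntry()).initiated += 1
        elif proto == TCP:
            # SYN leaves it incomplete, SYN+ACK leaves it unchanged, a bare ACK completes it.
            if ack and not syn:
                entry.state = COMPLETE
        elif src_ip != entry.initiator_ip:
            # UDP / ICMP: a packet in the reverse direction means bidirectional traffic.
            entry.state = COMPLETE
        return entry

    def update_abnormal_counts(self, now):
        """Fig. 4: a session still incomplete after the state update duration is abnormal."""
        for entry in self.sessions.values():
            if entry.counted_abnormal or now - entry.created < self.state_update_duration:
                continue
            if entry.state != COMPLETE:
                self.users.setdefault(entry.initiator_ip, UserEntry()).abnormal += 1
                entry.counted_abnormal = True

    def detect_attack_sources(self):
        """Fig. 5: either counter reaching its threshold marks the IP as an attack source."""
        found = sorted(ip for ip, u in self.users.items()
                       if u.initiated >= self.t1 or u.abnormal >= self.t2)
        self.blocked.update(found)
        return found

    def should_drop(self, ft):
        """Packets sent by a detected attack source are discarded."""
        return ft[0] in self.blocked


def demo():
    """Constructed traffic: 10.0.0.5 half-opens 30 TCP sessions, 10.0.0.7 behaves normally."""
    det = FloodDetector(first_threshold=50, second_threshold=20)
    for i in range(30):   # 30 SYNs to 10.0.0.9:80 that are never completed
        det.on_packet(("10.0.0.5", "10.0.0.9", TCP, 40000 + i, 80), 0.0, syn=True)
    for sport in (51000, 51001):   # two full three-way handshakes
        det.on_packet(("10.0.0.7", "10.0.0.9", TCP, sport, 443), 1.0, syn=True)
        det.on_packet(("10.0.0.9", "10.0.0.7", TCP, 443, sport), 1.1, syn=True, ack=True)
        det.on_packet(("10.0.0.7", "10.0.0.9", TCP, sport, 443), 1.2, ack=True)
    det.on_packet(("10.0.0.7", "10.0.0.1", UDP, 5353, 53), 2.0)   # UDP query ...
    det.on_packet(("10.0.0.1", "10.0.0.7", UDP, 53, 5353), 2.1)   # ... and its reply
    det.update_abnormal_counts(60.0)    # nothing has aged 120 s yet
    early = det.detect_attack_sources()
    det.update_abnormal_counts(130.0)   # the 30 half-open sessions are now abnormal
    det.update_abnormal_counts(200.0)   # a second pass must not count them again
    late = det.detect_attack_sources()
    return early, late, det


if __name__ == "__main__":
    early, late, det = demo()
    print("before aging:", early, "after aging:", late)
    print({ip: (u.initiated, u.abnormal) for ip, u in det.users.items()})
```

Note that the replying hosts (10.0.0.9 and 10.0.0.1) never get a user entry, because only the initiator of a session is counted; the first threshold alone would not have caught the 30 half-open sessions, the second threshold does.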
In the embodiments of the application, after determining the attack source of a flood attack, the access switch can discard the packets sent by the attack source, so that the attack source cannot continue to attack the other terminal devices in the LAN.
In another embodiment of the application, the access switch can be connected to a management server. After determining the attack source of a flood attack, the access switch can report the user entry of the attack source to the management server, so that the management server further confirms that the IP address in the user entry is the IP address of the attack source of the flood attack.
After receiving the user entry reported by the access switch, the management server can analyse the initiated-session count and abnormal-session count in the user entry based on a pre-configured screening policy, so as to determine the attack source of the flood attack more accurately. For example, the management server can compute the growth rate per unit time of the initiated-session count from the user entries reported by the access switch several times, and confirm that the terminal device corresponding to the user entry is indeed an attack source when the growth rate reaches a preset threshold.
After determining the attack source, the management server can issue a blocking command to the access switch that reported the user entry; the blocking command can carry the IP address of the attack source. After receiving the blocking command, the access switch can discard the packets sent by the attack source.
By the measures in the above embodiment, the attack source can be determined more accurately, which avoids the access switch blocking normal communication after a misjudgement.
In summary, in technical scheme, the access switch of LAN replaces the net of convergence-level or core layer Network equipment investigates the attack source of flood attack, because access switch can detect the flow of double layer network, avoids and passes through remittance The omission of poly layer or core layer network device to the attack message of double layer network, and be connected without deployment with access switch Safety means, so as in the case where not increasing LAN lower deployment cost and maintenance cost, improve the security of network and reliable Property.
Corresponding to the foregoing embodiments of the method for detecting a flood attack, this application also provides embodiments of a device for detecting a flood attack.
Fig. 6 is a block diagram of an embodiment of the device for detecting a flood attack according to this application:
As shown in Fig. 6, the device 60 for detecting a flood attack includes:
A first updating unit 610, configured to update the initiated-session count in a user entry of a preset user table according to the source IP in the five-tuple of a session entry of a preset session table; the session table holds the mapping between five-tuple, session state and session establishment time, and the user table holds the mapping between IP address, initiated-session count and abnormal-session count.
A second updating unit 620, configured to update the abnormal-session count in the user entry of the user table according to the session state and the session establishment time of the session entry of the session table.
A detection unit 630, configured to periodically traverse the user table, determine whether the initiated-session count of each user entry reaches a preset first threshold, and determine whether the abnormal-session count of each user entry reaches a preset second threshold.
A determining unit 640, configured to determine that the IP address in a user entry is the IP address of an attack source if the initiated-session count of that user entry reaches the first threshold or the abnormal-session count of that user entry reaches the second threshold.
In this example, the first updating unit 610 is further configured to:
create a new session entry, or update a session entry of the session table;
look up the user table by the source IP in the five-tuple of the session entry and determine whether a corresponding user entry is found;
if so, add 1 to the initiated-session count in the user entry found;
if not, create a new user entry for the source IP in the five-tuple of the session entry and set its initiated-session count to 1.
In this example, the first updating unit 610 is further configured to:
receive a packet and extract its five-tuple;
look up the session table by the five-tuple and determine whether a corresponding session entry is found;
if so, update the session state in the session entry; the session state is either the incomplete state or the complete state, where the incomplete state means that the two parties of the session have not yet communicated with each other and the complete state means that they have;
if not, create a new session entry based on the five-tuple and set the session state in that entry to the incomplete state.
In this example, the second updating unit 620 is further configured to:
periodically traverse the session table, taking each session entry in turn as the target session entry;
determine, from the current time and the session establishment time in the target session entry, whether the target session entry has existed for a preset state-update duration;
if the target session entry has existed for the state-update duration, determine whether the session state in the target session entry is the complete state;
if so, take the next session entry as the target session entry;
if not, look up the user table by the source IP in the five-tuple of the target session entry and add 1 to the abnormal-session count in the user entry found.
In this example, the device also includes:
A discarding unit 650, configured to discard the packets sent by the attack source after the IP address of the attack source has been determined.
In this example, the access switch is connected to a management server, and the device also includes:
A reporting unit 660, configured to report the user entry of the attack source to the management server after the IP address of the attack source has been determined, so that the management server further confirms that the IP address in the user entry is the IP address of the source of the flood attack and issues a blocking command.
A receiving unit 670, configured to receive the blocking command and discard the packets sent by the attack source.
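The session-table and user-table bookkeeping of units 610 to 640 above, together with the management server's growth check described earlier, as an added Python example (this is not the patent's code; the class and function names, the rule of crediting an initiated session only when a session entry is created, the once-only counting of a stale session, the treatment of a reverse-direction packet as the peer's reply, and the growth-rate formula are assumptions made here, and the traffic is constructed):

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# (src_ip, src_port, dst_ip, dst_port, protocol)
FiveTuple = Tuple[str, int, str, int, str]

INCOMPLETE = "incomplete"  # only the initiator has sent traffic so far
COMPLETE = "complete"      # both sides of the session have sent traffic


@dataclass
class SessionEntry:
    five_tuple: FiveTuple
    state: str
    established_at: float           # session establishment time, seconds
    abnormal_counted: bool = False  # assumption: count a stale session once only


@dataclass
class UserEntry:
    ip: str
    initiated: int = 0  # initiated-session count
    abnormal: int = 0   # abnormal-session count


class FloodDetector:
    """Session-table / user-table bookkeeping as done on the access switch (assumed names)."""

    def __init__(self, first_threshold: int, second_threshold: int,
                 state_update_duration: float) -> None:
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.state_update_duration = state_update_duration
        self.session_table: Dict[FiveTuple, SessionEntry] = {}
        self.user_table: Dict[str, UserEntry] = {}

    @staticmethod
    def _reverse(ft: FiveTuple) -> FiveTuple:
        src_ip, src_port, dst_ip, dst_port, proto = ft
        return (dst_ip, dst_port, src_ip, src_port, proto)

    def on_packet(self, ft: FiveTuple, now: float) -> None:
        """Unit 610: maintain the session table, then the user table, for one packet."""
        if ft in self.session_table:
            return  # same direction as an existing session: nothing changes
        reverse = self.session_table.get(self._reverse(ft))
        if reverse is not None:
            reverse.state = COMPLETE  # the peer answered: both sides have communicated
            return
        # No matching session: create one in the incomplete state ...
        self.session_table[ft] = SessionEntry(ft, INCOMPLETE, now)
        # ... and credit the initiator (source IP) with one more initiated session.
        self.user_table.setdefault(ft[0], UserEntry(ft[0])).initiated += 1

    def sweep_sessions(self, now: float) -> None:
        """Unit 620: sessions still incomplete after state_update_duration are abnormal."""
        for entry in self.session_table.values():
            if entry.abnormal_counted or entry.state == COMPLETE:
                continue
            if now - entry.established_at < self.state_update_duration:
                continue
            entry.abnormal_counted = True
            src_ip = entry.five_tuple[0]
            self.user_table.setdefault(src_ip, UserEntry(src_ip)).abnormal += 1

    def sweep_users(self) -> List[str]:
        """Units 630/640: IPs whose counters reach the first or the second threshold."""
        return sorted(
            u.ip for u in self.user_table.values()
            if u.initiated >= self.first_threshold or u.abnormal >= self.second_threshold
        )


def confirm_by_growth(reported_initiated: Sequence[int], report_interval: float,
                      growth_threshold: float) -> bool:
    """Management-server side check (assumed form): initiated-session counts taken from
    successive reports of the same user entry must have grown by at least
    growth_threshold per second over the reporting window."""
    if len(reported_initiated) < 2:
        return False
    window = (len(reported_initiated) - 1) * report_interval
    rate = (reported_initiated[-1] - reported_initiated[0]) / window
    return rate >= growth_threshold


def demo() -> List[str]:
    """Constructed traffic: 10.0.0.2 opens one session that the server answers;
    10.0.0.9 opens six sessions that never get a reply."""
    det = FloodDetector(first_threshold=5, second_threshold=3, state_update_duration=10.0)
    det.on_packet(("10.0.0.2", 40000, "10.0.0.50", 80, "tcp"), now=0.0)
    det.on_packet(("10.0.0.50", 80, "10.0.0.2", 40000, "tcp"), now=0.1)  # reply
    for port in range(50000, 50006):
        det.on_packet(("10.0.0.9", port, "10.0.0.50", 80, "tcp"), now=1.0)
    det.sweep_sessions(now=12.0)   # periodic session-table traversal
    return det.sweep_users()       # periodic user-table traversal -> ["10.0.0.9"]


if __name__ == "__main__":
    print("attack sources:", demo())
```

In this example 10.0.0.9 is reported on both criteria (six initiated sessions against a first threshold of 5, and six sessions still incomplete after the 10-second state-update duration against a second threshold of 3), while 10.0.0.2 stays below both because its single session reached the complete state. The `abnormal_counted` flag is not in the patent text; without it a stale session would be counted again on every sweep, which would inflate the abnormal-session count of a host that merely left a connection half-open.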
The embodiments of the device for detecting a flood attack of this application can be applied on an access switch. The device embodiments can be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, the device, as a logical device, is formed by the processor of the access switch on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 7 is a hardware architecture diagram of an access switch on which the device for detecting a flood attack of this application resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 7, the access switch on which the device resides may also include other hardware according to its actual function, which is not described further here.
For the functions of the units in the above device and the process by which they take effect, refer to the implementation process of the corresponding steps in the above method, which is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, refer to the description of the method embodiments for the related parts. The device embodiments described above are only illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this application. A person of ordinary skill in the art can understand and implement them without creative effort.
The foregoing are only preferred embodiments of this application and are not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of this application shall fall within the scope of protection of this application.

Claims (12)

1. A method for detecting a flood attack, applied to an access switch of a LAN, characterised in that it includes:
updating the initiated-session count in a user entry of a preset user table according to the source IP in the five-tuple of a session entry of a preset session table; wherein the session table holds the mapping between five-tuple, session state and session establishment time, and the user table holds the mapping between IP address, initiated-session count and abnormal-session count;
updating the abnormal-session count in the user entry of the user table according to the session state and the session establishment time of the session entry of the session table;
periodically traversing the user table, determining whether the initiated-session count of each user entry reaches a preset first threshold, and determining whether the abnormal-session count of each user entry reaches a preset second threshold;
if the initiated-session count of a user entry reaches the first threshold or the abnormal-session count of the user entry reaches the second threshold, determining that the IP address in the user entry is the IP address of an attack source.
2. The method according to claim 1, characterised in that updating the initiated-session count in the user entry of the user table according to the source IP in the five-tuple of the session entry of the session table includes:
creating a new session entry, or updating a session entry of the session table;
looking up the user table by the source IP in the five-tuple of the session entry and determining whether a corresponding user entry is found;
if so, adding 1 to the initiated-session count in the user entry found;
if not, creating a new user entry for the source IP in the five-tuple of the session entry and setting its initiated-session count to 1.
3. The method according to claim 2, characterised in that creating a new session entry, or updating a session entry of the session table, includes:
receiving a packet and extracting its five-tuple;
looking up the session table by the five-tuple and determining whether a corresponding session entry is found;
if so, updating the session state in the session entry; wherein the session state is either the incomplete state or the complete state, the incomplete state meaning that the two parties of the session have not yet communicated with each other and the complete state meaning that they have;
if not, creating a new session entry based on the five-tuple and setting the session state in that entry to the incomplete state.
4. The method according to claim 3, characterised in that updating the abnormal-session count in the user entry of the user table according to the session state and the session establishment time of the session entry of the session table includes:
periodically traversing the session table, taking each session entry in turn as the target session entry;
determining, from the current time and the session establishment time in the target session entry, whether the target session entry has existed for a preset state-update duration;
if the target session entry has existed for the state-update duration, determining whether the session state in the target session entry is the complete state;
if so, taking the next session entry as the target session entry;
if not, looking up the user table by the source IP in the five-tuple of the target session entry and adding 1 to the abnormal-session count in the user entry found.
5. The method according to claim 1, characterised in that the method further includes:
after determining the IP address of the attack source, discarding the packets sent by the attack source.
6. The method according to claim 1, characterised in that the access switch is connected to a management server, and the method further includes:
after determining the IP address of the attack source, reporting the user entry of the attack source to the management server, so that the management server further confirms that the IP address in the user entry is the IP address of the source of the flood attack and issues a blocking command;
receiving the blocking command and discarding the packets sent by the attack source.
7. A device for detecting a flood attack, applied to an access switch of a LAN, characterised in that it includes:
a first updating unit, configured to update the initiated-session count in a user entry of a preset user table according to the source IP in the five-tuple of a session entry of a preset session table; wherein the session table holds the mapping between five-tuple, session state and session establishment time, and the user table holds the mapping between IP address, initiated-session count and abnormal-session count;
a second updating unit, configured to update the abnormal-session count in the user entry of the user table according to the session state and the session establishment time of the session entry of the session table;
a detection unit, configured to periodically traverse the user table, determine whether the initiated-session count of each user entry reaches a preset first threshold, and determine whether the abnormal-session count of each user entry reaches a preset second threshold;
a determining unit, configured to determine that the IP address in a user entry is the IP address of an attack source if the initiated-session count of the user entry reaches the first threshold or the abnormal-session count of the user entry reaches the second threshold.
8. The device according to claim 7, characterised in that the first updating unit is further configured to:
create a new session entry, or update a session entry of the session table;
look up the user table by the source IP in the five-tuple of the session entry and determine whether a corresponding user entry is found;
if so, add 1 to the initiated-session count in the user entry found;
if not, create a new user entry for the source IP in the five-tuple of the session entry and set its initiated-session count to 1.
9. The device according to claim 8, characterised in that the first updating unit is further configured to:
receive a packet and extract its five-tuple;
look up the session table by the five-tuple and determine whether a corresponding session entry is found;
if so, update the session state in the session entry; wherein the session state is either the incomplete state or the complete state, the incomplete state meaning that the two parties of the session have not yet communicated with each other and the complete state meaning that they have;
if not, create a new session entry based on the five-tuple and set the session state in that entry to the incomplete state.
10. The device according to claim 9, characterised in that the second updating unit is further configured to:
periodically traverse the session table, taking each session entry in turn as the target session entry;
determine, from the current time and the session establishment time in the target session entry, whether the target session entry has existed for a preset state-update duration;
if the target session entry has existed for the state-update duration, determine whether the session state in the target session entry is the complete state;
if so, take the next session entry as the target session entry;
if not, look up the user table by the source IP in the five-tuple of the target session entry and add 1 to the abnormal-session count in the user entry found.
11. The device according to claim 7, characterised in that the device further includes:
a discarding unit, configured to discard the packets sent by the attack source after the IP address of the attack source has been determined.
12. The device according to claim 7, characterised in that the access switch is connected to a management server, and the device further includes:
a reporting unit, configured to report the user entry of the attack source to the management server after the IP address of the attack source has been determined, so that the management server further confirms that the IP address in the user entry is the IP address of the source of the flood attack and issues a blocking command;
a receiving unit, configured to receive the blocking command and discard the packets sent by the attack source.
CN201711021069.2A 2017-10-26 2017-10-26 Method and device for detecting flood attack Active CN107634971B (en)

Publications (2)

Publication Number Publication Date
CN107634971A true CN107634971A (en) 2018-01-26
CN107634971B CN107634971B (en) 2020-07-07

Family

ID=61106080

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant