CN107770122A - A kind of flood attack detection method of the central monitoring of optimization - Google Patents

Info

Publication number
CN107770122A
Authority
CN
China
Prior art keywords
hash
monitoring device
cryptographic hash
monitoring
array
Prior art date
Legal status
Pending
Application number
CN201610670213.4A
Other languages
Chinese (zh)
Inventor
袁兴飚
Current Assignee
Taishan Gold Network Technology Co Ltd
Original Assignee
Taishan Gold Network Technology Co Ltd
Priority date
2016-08-15
Filing date
2016-08-15
Publication date
2018-03-06
Application filed by Taishan Gold Network Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an optimized flood attack detection method with centralized monitoring, comprising: S1: a monitoring device is set up at the network entry point; S2: the monitoring device monitors data packets and forwards or blocks IP packets according to the monitoring result. S2 further comprises S21: the monitoring device creates a first hash array and a second hash array; S22: the monitoring device collects SYN packet information as a first hash value and stores it in the first hash array indexed by that first hash value; S23: the monitoring device collects ACK packet information as a second hash value and stores it in the second hash array indexed by that second hash value; S24: the monitoring device retrieves the second hash values, compares them with the first hash values, and determines the attack source. By comparing the first hash values with the second hash values, the invention obtains the source address of the flood attack, extracts that attack source address from the first hash array and blocks it, effectively safeguarding network security and the stability of the server.

Description

A kind of flood attack detection method of the central monitoring of optimization
Technical field
The present invention relates to the field of flood attack detection, and in particular to an optimized flood attack detection method with centralized monitoring.
Background technology
A SYN flood attack (SYN_FLOOD) is one of the widely known forms of denial of service (DoS) and distributed denial of service (DDoS) attack. It exploits a weakness of the TCP/IPv4 protocol: a large number of forged TCP connection requests is sent, forcing the server to send a large number of SYN+ACK reply packets within a short time, so that server resources are exhausted (the CPU is fully loaded or memory runs out).
A TCP connection is always established by a three-way handshake: 1) the client sends a TCP segment carrying the synchronize (SYN) flag; this synchronization message contains the source address, source port, destination address, destination port, initial sequence number and similar information; 2) after receiving the client's synchronization message, the server returns a synchronize+acknowledge (ACK) message to the client, which likewise contains the source address, source port, destination address, destination port and initial sequence number; 3) after receiving the synchronize+acknowledge message, the client returns an acknowledgement message to the server, and at that point the TCP connection is complete. If the server has sent the synchronize+acknowledge message but does not receive the corresponding acknowledgement from the client, it keeps retrying the synchronize+acknowledge message for 30 s to 2 min; if no acknowledgement from the client arrives during this period, it abandons the unfinished connection and releases the corresponding system resources. A flood attack makes the server open a large number of half-open connection requests, so that the requests of normal clients are not served.
Now that the internet is so widespread, keeping networked servers running stably and carrying out flood attack detection in time has become a basic requirement of enterprise network security. At present, flood attack detection methods generally just count the synchronization messages: when the number of synchronization messages per unit time exceeds a preset threshold, the server is deemed to be under flood attack. This monitoring approach, which only counts SYN packets, has a very high false-positive rate; it often counts normal business packets and so affects normal business.
The content of the invention
The object of the present invention is to overcome the shortcomings and deficiencies of the prior art and to provide an optimized flood attack detection method with centralized monitoring.
The present invention is realized by the following technical solution: an optimized flood attack detection method with centralized monitoring, comprising the following steps:
S1: a monitoring device is set up at the network entry point; the monitoring device comprises an IP packet forwarding module, a blocking module and a statistics module;
S2: the monitoring device monitors the unidirectional data packets flowing into it and forwards or blocks IP packets according to the monitoring result; step S2 comprises the following steps:
S21: the monitoring device creates a first hash array and a second hash array;
S22: the monitoring device collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and hash-encrypts it into a first hash value, then extracts the source address of the SYN packet and stores it in the first hash array indexed by that first hash value;
S23: the monitoring device collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and hash-encrypts it into a second hash value, then extracts the source address of the ACK packet and stores it in the second hash array indexed by that second hash value;
S24: the monitoring device retrieves each second hash value as an index of the second hash array; if a second hash value is identical to a first hash value, the packet is a normal data packet rather than a flood attack packet; otherwise the monitoring device extracts the corresponding attack source address from the first hash array indexed by the first hash value and blocks that attack source address from accessing the server.
Further, the hash-encryption conversion in step S22 uses the MD5 algorithm.
Further, in step S22 the IP five-tuple consists of the source address, source port, destination address, destination port and protocol identifier of the SYN packet.
Further, in step S23 the IP five-tuple consists of the source address, source port, destination address, destination port and protocol identifier of the ACK packet.
Compared with the prior art, the beneficial effects of the invention are as follows:
The invention deploys the monitoring device centrally at the internet entry point, which is conducive to centralized collection and calculation of data. The monitoring device collects SYN packets and ACK packets from the internet, builds a unique first hash value from the IP five-tuple of each SYN packet and a unique second hash value from the IP five-tuple of each ACK packet, uses the first hash value as the index of the first hash array and the second hash value as the index of the second hash array, and stores the packet source address in the first and second hash arrays at the corresponding index. Once the characteristic of the flood attack has been obtained by comparing the first hash values with the second hash values, the flood attack source address can be extracted directly from the array, which shortens the reverse lookup time, improves the performance of the monitoring device, and allows the attack source to be quickly blocked from accessing the server, effectively safeguarding network security and the stability of the server.
In order to understand the present invention more clearly, preferred embodiments of the invention are described below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network topology of the monitoring device deployment in the present invention.
Fig. 2 is the flow chart of the present invention.
Fig. 3 is the flow chart of step S2 in Fig. 2.
Embodiment
Referring to Fig. 1 to Fig. 3: Fig. 1 is a schematic diagram of the network topology of the monitoring device deployment in the present invention, Fig. 2 is the flow chart of the present invention, and Fig. 3 is the flow chart of step S2 in Fig. 2.
Referring to Fig. 1 and Fig. 2, an optimized flood attack detection method with centralized monitoring comprises the following steps:
S1: a monitoring device is set up at the network entry point; the monitoring device comprises an IP packet forwarding module, a blocking module and a statistics module. The forwarding module forwards the data packets entering the monitoring device to the server, the blocking module blocks the data packets coming from flood-attack clients, and the statistics module monitors and counts the various data packets entering the monitoring device;
S2: the monitoring device monitors the unidirectional data packets flowing into it and forwards or blocks IP packets according to the monitoring result; step S2 comprises the following steps (see Fig. 3):
S21: the monitoring device creates a first hash array and a second hash array;
S22: the monitoring device collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and hash-encrypts it into a first hash value, then extracts the source address of the SYN packet and stores it in the first hash array indexed by that first hash value;
S23: the monitoring device collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and hash-encrypts it into a second hash value, then extracts the source address of the ACK packet and stores it in the second hash array indexed by that second hash value;
S24: the monitoring device retrieves each second hash value as an index of the second hash array; if a second hash value is identical to a first hash value, the packet is a normal data packet rather than a flood attack packet; otherwise the monitoring device extracts the corresponding attack source address from the first hash array indexed by the first hash value and blocks that attack source address from accessing the server.
The optimized centrally-monitored flood attack detection method of the present invention relies on the characteristic of a flood attack that the attacking client does not send an ACK packet to respond to the server; on this basis it determines the flood attack source and blocks the packets from that source, achieving the purpose of protection.
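The following is an added worked example of steps S21 to S24 as they appear in both the summary and the embodiment above; it is not code from the patent or its applicant. It assumes packets are plain dicts, that the two "hash arrays" are dicts keyed by the MD5 hex digest (the patent does not say how a 128-bit digest is reduced to an array index), and that the S24 comparison runs once a batch of inbound packets has been collected. The sample packets are constructed from documentation address ranges.

```python
import hashlib
from typing import Dict, List, Optional

# Five-tuple field order used for serialization (assumed; the patent names the
# fields but not the serialization layout): src addr, src port, dst addr, dst port, protocol id.
FIVE_TUPLE_FIELDS = ("src", "sport", "dst", "dport", "proto")


def five_tuple_hash(pkt: dict) -> str:
    """Serialize the IP five-tuple and hash it with MD5 (steps S22/S23).
    The SYN and the client's third-handshake ACK of one connection carry the
    same five-tuple, so they yield the same digest."""
    serialized = "|".join(str(pkt[f]) for f in FIVE_TUPLE_FIELDS)
    return hashlib.md5(serialized.encode("ascii")).hexdigest()


class FloodMonitor:
    """Monitoring device holding the two hash arrays of step S21 (dicts here)."""

    def __init__(self) -> None:
        self.first_array: Dict[str, str] = {}   # first hash value  -> SYN source address
        self.second_array: Dict[str, str] = {}  # second hash value -> ACK source address
        self.blocked: set = set()                # addresses the blocking module drops

    def observe(self, pkt: dict) -> None:
        """Statistics module: file inbound SYN and ACK packets (S22, S23)."""
        if pkt["flags"] == "SYN":
            self.first_array[five_tuple_hash(pkt)] = pkt["src"]
        elif pkt["flags"] == "ACK":
            self.second_array[five_tuple_hash(pkt)] = pkt["src"]

    def evaluate(self) -> List[str]:
        """Step S24: a first hash value that also appears among the second hash
        values belongs to a completed handshake; one with no match is a half-open
        connection, so its source address is read from the first array and blocked."""
        attackers: List[str] = []
        for h, src in self.first_array.items():
            if h not in self.second_array:
                attackers.append(src)
                self.blocked.add(src)
        return attackers

    def forward(self, pkt: dict) -> bool:
        """Forwarding/blocking module decision for one packet."""
        return pkt["src"] not in self.blocked


# Constructed sample traffic (documentation address ranges, not captured data):
# one client that completes the handshake and two sources that only send SYNs.
SERVER = "192.0.2.10"
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "sport": 40001, "dst": SERVER, "dport": 443, "proto": 6, "flags": "SYN"},
    {"src": "198.51.100.7", "sport": 1025, "dst": SERVER, "dport": 443, "proto": 6, "flags": "SYN"},
    {"src": "203.0.113.5", "sport": 40001, "dst": SERVER, "dport": 443, "proto": 6, "flags": "ACK"},
    {"src": "198.51.100.8", "sport": 1026, "dst": SERVER, "dport": 443, "proto": 6, "flags": "SYN"},
]


def run_demo(packets: Optional[List[dict]] = None) -> FloodMonitor:
    """Feed a batch of inbound packets, then run the S24 comparison."""
    monitor = FloodMonitor()
    for pkt in SAMPLE_PACKETS if packets is None else packets:
        monitor.observe(pkt)
    monitor.evaluate()
    return monitor


if __name__ == "__main__":
    m = run_demo()
    print("blocked attack sources:", sorted(m.blocked))
    for p in SAMPLE_PACKETS:
        print(p["src"], "forwarded" if m.forward(p) else "blocked")
```

The comparison is deliberately run only after the whole batch has been observed: the client's ACK can only arrive after its SYN, so a first hash value checked immediately would always look unmatched. The patent does not state how long the monitoring device waits before comparing; a deployment would have to choose that window.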
The invention is not limited to the above embodiment. Any changes or variations of the invention that do not depart from its spirit and scope, and that fall within the scope of the claims of the invention and their technical equivalents, are also intended to be covered by the invention.

Claims (4)

1. An optimized flood attack detection method with centralized monitoring, characterised in that it comprises the following steps:
S1: a monitoring device is set up at the network entry point; the monitoring device comprises an IP packet forwarding module, a blocking module and a statistics module;
S2: the monitoring device monitors the unidirectional data packets flowing into it and forwards or blocks IP packets according to the monitoring result; step S2 comprises the following steps:
S21: the monitoring device creates a first hash array and a second hash array;
S22: the monitoring device collects SYN packets from the internet and extracts the SYN packet information, serializes the IP five-tuple in the packet information and hash-encrypts it into a first hash value, then extracts the source address of the SYN packet and stores it in the first hash array indexed by that first hash value;
S23: the monitoring device collects ACK packets from the internet and extracts the ACK packet information, serializes the IP five-tuple in the packet and hash-encrypts it into a second hash value, then extracts the source address of the ACK packet and stores it in the second hash array indexed by that second hash value;
S24: the monitoring device retrieves each second hash value as an index of the second hash array; if a second hash value is identical to a first hash value, the packet is a normal data packet rather than a flood attack packet; otherwise the monitoring device extracts the corresponding attack source address from the first hash array indexed by the first hash value and blocks that attack source address from accessing the server.
2. The optimized flood attack detection method with centralized monitoring according to claim 1, characterised in that the hash-encryption conversion in step S22 uses the MD5 algorithm.
3. The optimized flood attack detection method with centralized monitoring according to claim 2, characterised in that, in step S22, the IP five-tuple consists of the source address, source port, destination address, destination port and protocol identifier of the SYN packet.
4. The optimized flood attack detection method with centralized monitoring according to claim 3, characterised in that, in step S23, the IP five-tuple consists of the source address, source port, destination address, destination port and protocol identifier of the ACK packet.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610670213.4A CN107770122A (en) 2016-08-15 2016-08-15 A kind of flood attack detection method of the central monitoring of optimization

Publications (1)

Publication Number Publication Date
CN107770122A true CN107770122A (en) 2018-03-06

Family

ID=61259876

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630248A (en) * 2003-12-19 2005-06-22 北京航空航天大学 SYN flooding attack defence method based on connection request authentication
US7058718B2 (en) * 2002-01-15 2006-06-06 International Business Machines Corporation Blended SYN cookies
CN101147376A (en) * 2005-02-04 2008-03-19 诺基亚公司 Apparatus, method and computer program product to reduce TCP flooding attacks while conserving wireless network bandwidth
CN105119942A (en) * 2015-09-16 2015-12-02 广东睿江科技有限公司 Flood attack detection method
CN106357666A (en) * 2016-10-09 2017-01-25 广东睿江云计算股份有限公司 Method and system for cleaning SYN FLOOD attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2018-03-06