CN108234516B - Method and device for detecting network flooding attack - Google Patents


Info

Publication number: CN108234516B
Authority: CN (China)
Prior art keywords: server, detected, value, tcp connection, maximum frequency
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201810075474.0A
Other languages: Chinese (zh)
Other versions: CN108234516A
Inventor: 曾祥禄
Current Assignee: Beijing Abt Networks Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Abt Networks Co ltd
Application filed by Beijing Abt Networks Co ltd; priority to CN201810075474.0A; published as CN108234516A and subsequently granted as CN108234516B.

Classifications

    • H04L Transmission of digital information, e.g. telegraphic communication (H Electricity; H04 Electric communication technique)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408 detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00 network architectures or network communication protocols for network security)
    • H04L2463/146 Tracing the source of attacks (under H04L2463/00 additional details relating to network security covered by H04L63/00)
    • H04L63/1458 Denial of Service (under H04L63/1441 countermeasures against malicious traffic)
    • H04L69/163 In-band adaptation of TCP data exchange; in-band control procedures (under H04L69/16 implementation or adaptation of IP, TCP or UDP; H04L69/00)


Abstract

The application discloses a method and a device for detecting network flooding attacks. It relates to the technical field of computer networks and aims to solve the problem of inaccurate threshold configuration in prior-art flooding attack detection. The method comprises the following steps: setting detection start parameters, which comprise the Internet Protocol (IP) address of the server to be detected and a preset protection threshold; according to the IP address, counting the maximum frequency value of TCP connections established by the server to be detected within a preset learning time, where the maximum frequency value is the largest number of TCP connections established within any one preset period; calculating a detection threshold for the server to be detected from the maximum frequency value; counting, per preset period, the real-time frequency of TCP connections established by the server to be detected; judging whether the real-time frequency is greater than the detection threshold; and if so, determining that the server to be detected is under a flooding attack. The method and device are mainly applied to preventing network flooding attacks.

Description

Method and device for detecting network flooding attack
Technical Field
The present application relates to the field of computer network technologies, and in particular, to a method and an apparatus for detecting a network flooding attack.
Background
Computer networks typically include a collection of interconnected computing devices that exchange data and share resources, including web servers, database servers, file servers, routers, printers, end-user computers, and other devices. In order to provide a common foundation and standard framework for heterogeneous computer interconnections and to provide a common reference for maintaining the consistency and compatibility of the relevant standards, an Open Systems Interconnection (OSI) reference model has been devised. The OSI model is a communication function layered model established for realizing open system interconnection, and comprises from low to high: a physical layer, a data link layer, a network layer, a transport layer, a session layer, a presentation layer, and an application layer. The various devices may execute a number of different services and communication protocols to enable communication between different network devices. Each service and communication protocol exposes the network to different security vulnerabilities.
Malicious users mount network attacks at various layers of the OSI reference model. Attacks common at the fourth (transport) layer include the SYN flood, the ACK flood and the RST flood. A SYN flood exploits the TCP three-way handshake: the attacker sends a TCP SYN, the first packet of the handshake, and after the server answers with its acknowledgement (SYN-ACK) the attacker never sends the final confirmation, leaving the connection in a suspended, so-called half-open state; the server, receiving no confirmation, retransmits its acknowledgement repeatedly, which wastes further server resources. The attacker opens a very large number of such connections, and since none of them completes the three-way handshake, the half-open connections consume CPU and memory on the server until it can no longer serve normal users and may eventually crash.
To defend against malicious users, a Web firewall is the first line of defense for information security. As network technology evolves rapidly, new hacking techniques keep emerging and challenge traditional rule-based firewalls. Traditional web intrusion detection intercepts intrusive access by maintaining a set of rules. On one hand, rigid rules are easily bypassed by adaptable attackers; on the other hand, attack and defense escalate in lockstep, so building and maintaining defensive rules demands a high level of expertise and is costly. The traditional way of detecting a network flooding attack is for the administrator to configure a threshold from experience and to treat the traffic as an attack whenever the number of connections in the network exceeds it. This requires the administrator to be experienced and to know the current network traffic, and once the network topology changes, whether the configured threshold is still accurate becomes questionable.
Disclosure of Invention
The application provides a method and a device for detecting a network flooding attack, which aim to solve the problem that threshold configuration is inaccurate in the detection process of the flooding attack in the prior art.
In a first aspect, the present application provides a method for detecting a network flooding attack, where the method includes: setting detection start parameters, which comprise the Internet Protocol (IP) address of a server to be detected and a preset protection threshold; according to the IP address, counting the maximum frequency value of TCP connections established by the server to be detected within a preset learning time, where the maximum frequency value is the largest number of TCP connections established within any one preset period; calculating a detection threshold for the server to be detected from the maximum frequency value; counting, per preset period, the real-time frequency of TCP connections established by the server to be detected; judging whether the real-time frequency is greater than the detection threshold; and if so, determining that the server to be detected is under a flooding attack.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the calculating a detection threshold of the server to be detected according to the maximum frequency value includes: determining the detection threshold as the maximum frequency value.
With reference to the first aspect, in a second possible implementation manner of the first aspect, calculating the detection threshold of the server to be detected from the maximum frequency value includes: judging whether the preset protection threshold is smaller than the maximum frequency value; if so, determining the maximum frequency value as the detection threshold; if not, calculating the flow deviation between the preset protection threshold and the maximum frequency value, and determining the detection threshold as the sum of the maximum frequency value and a preset proportion of the flow deviation.
With reference to the first aspect, in a third possible implementation manner of the first aspect, after determining that the server to be detected has a flooding attack, the method further includes: and generating alarm information.
With reference to the second aspect, in a fourth possible implementation manner of the second aspect, after determining that the server to be detected has a flooding attack, the method further includes: acquiring a TCP connection corresponding to the real-time frequency; starting a cookie checking mechanism, and checking the TCP connection corresponding to the real-time frequency; if the verification is successful, determining that the TCP connection corresponding to the real-time frequency is normal connection; if the check fails, determining the TCP connection corresponding to the real-time frequency as an attack source; and freezing the attack source, and forbidding the attack source to access the Internet.
In a second aspect, the present application further provides a device for detecting a network flooding attack, where the device includes a module configured to perform the method steps in various implementations of the first aspect.
In a third aspect, the present application further provides an apparatus, comprising: a processor and a memory; the processor may execute the programs or instructions stored in the memory to implement the method for detecting a network flooding attack in various implementations of the first aspect.
In a fourth aspect, the present application further provides a storage medium, where the computer storage medium may store a program, and when the program is executed, the program may implement some or all of the steps in the embodiments of the network flooding attack detection method provided in the present application.
According to the method and device for detecting a network flooding attack, detection start parameters are first set; the maximum frequency value of TCP connections established by the server to be detected during the preset learning time is then counted; the detection threshold is calculated from that maximum frequency value; the real-time frequency of TCP connections is counted; and if the real-time frequency exceeds the detection threshold, the server to be detected is determined to be under a flooding attack. Compared with the prior art, the detection threshold set by this method tracks the maximum frequency of TCP connection establishment observed during the preset learning time, so it can adapt to different network topologies, respond intelligently to changes in the network environment, improve the accuracy of sharing detection, and reduce customer complaints caused by mistakenly freezing users' internet access. Meanwhile, the number of terminals can be identified accurately, giving greater flexibility for managing and controlling shared internet users.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without any creative effort.
Fig. 1 is a flowchart of a method for detecting a network flooding attack according to the present application;
Fig. 2 is a flowchart of a method for calculating the detection threshold of a server to be detected according to the present application;
Fig. 3 is a flowchart of another method for detecting a network flooding attack provided by the present application;
Fig. 4 is a block diagram of a detection apparatus for a network flooding attack according to the present application;
Fig. 5 is a block diagram of a calculating unit according to the present application;
Fig. 6 is a block diagram of another apparatus for detecting a network flooding attack provided by the present application.
Detailed Description
To detect a network flooding attack against a server, the detection device must be connected to the network to be detected, either in bypass mode (off the traffic path) or in serial mode (inline on the traffic path).
Referring to fig. 1, a flowchart of a method for detecting a network flooding attack is provided. As shown in fig. 1, the method includes:
101. Set the detection start parameters.
The detection start parameters comprise the Internet Protocol (IP) address of the server to be detected and a preset protection threshold. The IP address selects the server to be detected, and detection of network flooding attacks is targeted at that server. The preset protection threshold is chosen before detection starts; it is an empirical, generic value rather than a threshold specific to the server to be detected, so it is not necessarily suited to the current network environment.
102. And counting the maximum frequency value of the TCP connection established by the server to be detected within the preset learning time according to the IP address.
In order to enable the detection of the network flooding attack to be adjusted along with the change of a network environment, the maximum frequency value of the TCP connection established by a server to be detected is counted in preset learning time, and the maximum frequency value is used as a basis for judging the flooding attack, wherein the maximum frequency value is the maximum value of the TCP connection established in a preset period. The learning process of the maximum frequency value is actually a self-learning process, and self-adaptive adjustment is carried out according to the result of the self-learning process.
The preset learning time is a certain selected fixed value, and can be started for timing when the computer is started for the first time, or started for timing every time when the computer is started, or continuously and repeatedly timed by taking the preset learning time as a period. In the embodiment of the present application, the time for starting the timing of the preset learning time is not limited. The preset learning time can also be manually stopped and manually started by the user. Illustratively, the preset learning time is selected to be 8 hours.
In the statistical process, if the maximum frequency value is greater than the preset protection threshold value, alarm information is generated to prompt a user to reset the preset protection threshold value, or the connection between the server and the internet is directly stopped. By the scheme, the server to be detected always detects the network flooding attack after being started, and the phenomenon of missing detection caused by determining a proper detection threshold value is avoided.
103. And calculating a detection threshold value of the server to be detected according to the maximum frequency value.
And the detection threshold is a basis for judging whether the server to be detected is attacked by flooding. The size of the detection threshold is calculated according to the maximum frequency value, that is, the detection threshold is changed along with the change of the number of the TCP connections established by the server to be detected. The calculation formula can be preset to calculate the detection threshold, and the preset calculation formula can be related to the topology structure of the network where the server to be detected is located, the service object of the server to be detected, and the number of terminals in connection with the server to be detected. Illustratively, a simple computational method determines the detection threshold as the maximum frequency value.
104. And according to a preset period, counting the real-time frequency of the TCP connection established by the server to be detected.
The real-time frequency is the frequency of the TCP connection established by the server to be detected according to the statistics of the preset period. The statistical period of the real-time frequency is the same as the statistical period corresponding to the maximum frequency value. This step is similar to the method described in step 102 of fig. 1.
105. And judging whether the real-time frequency is greater than a detection threshold value.
The real-time frequency is compared with a detection threshold value, and the measurement units of the real-time frequency and the detection threshold value need to be unified before comparison.
106. And if so, determining that the server to be detected has flooding attack.
Referring to fig. 2, a flowchart of a method for calculating a detection threshold of a server to be detected is provided. On the basis of the method shown in fig. 1, the method shown in fig. 2 comprises:
201. Judge whether the preset protection threshold is smaller than the maximum frequency value.
The preset protection threshold is set from experience; it is a reference for judging whether the server to be detected is under a flooding attack, but it is not necessarily applicable to the network where the server is located. To obtain a judgment reference that better matches the actual network, the preset protection threshold and the maximum frequency value are compared for further calculation.
202. If so, determine the maximum frequency value as the detection threshold.
203. If not, calculate the flow deviation between the preset protection threshold and the maximum frequency value.
204. Determine the detection threshold as the sum of the maximum frequency value and the preset proportion of the flow deviation.
That is, the detection threshold is obtained by adding the preset proportion of the flow deviation to the maximum frequency value. Illustratively, if the maximum frequency value is 100, the flow deviation is 50 and the preset proportion is 0.2, the detection threshold is 100 + 50 × 0.2 = 110.
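The learning phase of step 102, the threshold of step 103 and the comparison of step 105, together with the two-branch threshold calculation of steps 201 to 204 and the numeric example just given, are carried out end to end in the following Python program. It is an added illustration and not code from the patent or from Beijing Abt Networks; the connection events, the server address 198.51.100.10, the 10-second period, the 60-second learning time (the patent's own illustrative value is 8 hours), the protection threshold of 150 and the proportion of 0.2 are all constructed values, and the function names are the example's own.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample parameters (the patent's illustrative learning time is 8 hours;
# it is scaled down here so the example runs instantly).
SERVER_IP = "198.51.100.10"   # the "server to be detected" (documentation address)
PERIOD_S = 10.0               # the preset period over which connections are counted
LEARNING_TIME_S = 60.0        # the preset learning time
PRESET_PROTECTION = 150       # the administrator's empirical protection threshold
PRESET_RATIO = 0.2            # the preset proportion applied to the flow deviation


@dataclass(frozen=True)
class ConnEvent:
    """One TCP connection established with the monitored server (constructed data)."""
    ts: float      # seconds since the detector started
    client: str    # peer address
    server: str    # address the connection was made to


def count_per_period(events, server_ip, period):
    """Bucket connections to server_ip by period index (steps 102 and 104)."""
    counts = Counter()
    for ev in events:
        if ev.server == server_ip:
            counts[int(ev.ts // period)] += 1
    return counts


def learn_max_frequency(events, server_ip, period, learning_time):
    """Step 102: largest per-period connection count seen during the learning time."""
    learning = [ev for ev in events if ev.ts < learning_time]
    return max(count_per_period(learning, server_ip, period).values(), default=0)


def detection_threshold(max_freq, preset_protection, ratio):
    """Steps 201-204 (fig. 2): if the preset protection threshold is below the learned
    maximum, the maximum itself is the threshold; otherwise the preset proportion of the
    flow deviation (preset minus maximum) is added to the maximum."""
    if preset_protection < max_freq:
        return float(max_freq)
    deviation = preset_protection - max_freq
    return max_freq + ratio * deviation


def run_detection(events, server_ip=SERVER_IP, period=PERIOD_S,
                  learning_time=LEARNING_TIME_S,
                  preset_protection=PRESET_PROTECTION, ratio=PRESET_RATIO):
    """Steps 101-106 end to end: the learned maximum, the derived threshold, whether
    the learning phase itself exceeded the preset protection threshold (the alarm
    described under step 102), and the periods whose real-time frequency is judged
    to be a flooding attack."""
    max_freq = learn_max_frequency(events, server_ip, period, learning_time)
    threshold = detection_threshold(max_freq, preset_protection, ratio)
    counts = count_per_period(events, server_ip, period)
    first_live = int(learning_time // period)   # periods after learning are "real-time"
    attack_periods = sorted(idx for idx, n in counts.items()
                            if idx >= first_live and n > threshold)
    return {
        "max_frequency": max_freq,
        "threshold": threshold,
        "learning_alarm": max_freq > preset_protection,
        "attack_periods": attack_periods,
    }


def build_sample_events():
    """Constructed traffic: six quiet learning periods, then a burst in period 8."""
    events = []
    for idx, n in enumerate([3, 5, 4, 6, 2, 5]):
        for k in range(n):
            events.append(ConnEvent(idx * PERIOD_S + 0.5 * k, f"10.0.0.{k + 1}", SERVER_IP))
    for k in range(40):
        events.append(ConnEvent(80.0 + 0.2 * k, f"192.0.2.{k + 1}", SERVER_IP))
    return events


if __name__ == "__main__":
    print(run_detection(build_sample_events()))
```

Running the block reports a learned maximum of 6, a threshold of 6 + 0.2 × 144 = 34.8, and period 8 (40 connections) as the only flooding period. Note that the preset protection threshold shapes the detection threshold only through the deviation term: an administrator's guess far above the learned maximum raises the threshold in proportion to the preset ratio, which is worth checking against real learning-window data before trusting the alarms.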
On the basis of the method shown in fig. 1, as shown in fig. 3, after determining that the server to be detected is under a flooding attack, the method further includes generating alarm information. The alarm information prompts the user of the server to be detected that a flooding attack has occurred, so that emergency measures can be taken to keep hackers from damaging the server and the terminals connected to it.
Referring to fig. 3, a flowchart of another method for detecting a network flooding attack is provided. On the basis of the method shown in fig. 1, as shown in fig. 3, after determining that the flooding attack occurs to the server to be detected, the method further includes:
301. Acquire the TCP connections corresponding to the real-time frequency.
Because the flooding attack is detected from the establishment frequency of TCP connections, an excessive frequency alone does not identify the offending connections; the TCP connections corresponding to the real-time frequency must be determined again. They comprise all TCP connections established in the period to which the real-time frequency belongs.
302. Start a cookie checking mechanism to check the TCP connections corresponding to the real-time frequency.
A cookie is a technique that lets a web server store a small amount of data on, or read data from, a client's hard disk or memory. Cookies are very small text files placed on your hard disk by a Web server when you browse a Web site; they can record your user ID, password, pages browsed, dwell time and so on. When you return to the site, it can read the cookies, obtain your information and act accordingly, for example by showing a welcome banner or letting you log in without entering an ID or password. The cookie checking mechanism checks whether each TCP connection corresponding to the real-time frequency is present in the cookie record.
303. If the check succeeds, determine that the TCP connection corresponding to the real-time frequency is a normal connection.
A connection that is present in the cookie record was established before the real-time frequency was counted, at a time when no flooding attack had occurred; it is therefore a normal connection.
304. If the check fails, determine that the TCP connection corresponding to the real-time frequency is an attack source.
A connection that is absent from the cookie record was not established before the real-time frequency was counted, so it can be determined to be an attack source.
305. Freeze the attack source and forbid it from accessing the Internet.
To stop the attack source's impact on the server to be detected from spreading further, the attack source is frozen, that is, it is forbidden from accessing the Internet.
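Steps 301 to 305 as an added Python example, not the patent's code. It assumes the cookie record is a table of the client addresses whose connections were established in periods before the alarm, represents connections as (timestamp, client) tuples, and uses constructed sample events and a 10-second period; the names CookieRecord, Freezer and respond_to_alarm are the example's own.

```python
PERIOD_S = 10.0   # same preset period as the counting step (assumed value)


class CookieRecord:
    """Cookie record: clients whose connections were established while the server
    was not under attack, with the time each was first recorded."""
    def __init__(self):
        self._seen = {}

    def record(self, client, ts):
        self._seen.setdefault(client, ts)

    def contains(self, client):
        return client in self._seen


def connections_in_period(events, period_idx, period):
    """Step 301: the TCP connections belonging to the period whose real-time
    frequency exceeded the threshold. events are (ts, client) tuples."""
    return [(ts, c) for ts, c in events if int(ts // period) == period_idx]


def verify_connections(conns, record):
    """Steps 302-304: connections present in the cookie record are normal, the rest
    are attack sources. Returns (normal_clients, attack_sources), both sorted."""
    normal, attackers = set(), set()
    for _, client in conns:
        (normal if record.contains(client) else attackers).add(client)
    return sorted(normal), sorted(attackers)


class Freezer:
    """Step 305: frozen attack sources are forbidden from accessing the internet."""
    def __init__(self):
        self.frozen = set()

    def freeze(self, sources):
        self.frozen.update(sources)

    def allows(self, client):
        return client not in self.frozen


def respond_to_alarm(events, alarm_period, period=PERIOD_S):
    """Full fig. 3 response for one alarmed period. The cookie record is filled from
    every connection established in earlier periods (an assumption about how the
    record is maintained)."""
    record = CookieRecord()
    for ts, client in events:
        if int(ts // period) < alarm_period:
            record.record(client, ts)
    conns = connections_in_period(events, alarm_period, period)
    normal, attackers = verify_connections(conns, record)
    freezer = Freezer()
    freezer.freeze(attackers)
    return {"normal": normal, "attack_sources": attackers,
            "admitted": [c for _, c in conns if freezer.allows(c)]}


SAMPLE_EVENTS = [  # constructed (ts_seconds, client); period 8 is the alarmed one
    (1.0, "10.0.0.1"), (12.5, "10.0.0.2"), (23.0, "10.0.0.1"), (31.0, "10.0.0.3"),
    (80.2, "10.0.0.2"), (80.4, "192.0.2.7"), (80.6, "192.0.2.8"), (81.0, "10.0.0.3"),
    (81.2, "192.0.2.7"),
]

if __name__ == "__main__":
    print(respond_to_alarm(SAMPLE_EVENTS, 8))
```

The record lookup alone decides the outcome, so a legitimate client whose very first connection falls in the alarmed period is classed as an attack source and frozen just like a flood source; that is the false-positive case the fig. 3 procedure accepts, and it is the first thing to measure when choosing the learning time.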
Referring to fig. 4, a block diagram of a detection apparatus for network flooding attack is provided in the present application; referring to fig. 5, a block diagram of a computing unit provided in the present application is shown; referring to fig. 6, a block diagram of another apparatus for detecting a network flooding attack is provided. As a specific implementation of the method shown in fig. 1-3, as shown in fig. 4, the apparatus comprises:
a setting unit 41, configured to set detection start parameters, where the detection start parameters include the Internet Protocol (IP) address of a server to be detected and a preset protection threshold;
the first counting unit 42 is configured to count a maximum frequency value of the TCP connection established by the server to be detected within a preset learning time according to the IP address, where the maximum frequency value is a maximum value of the TCP connection established within a preset period;
a calculating unit 43, configured to calculate a detection threshold of the server to be detected according to the maximum frequency value;
the second counting unit 44 is configured to count a real-time frequency of the TCP connection established by the server to be detected according to a preset period;
a judging unit 45, configured to judge whether the real-time frequency is greater than a detection threshold;
and the determining unit 46 is configured to determine that the server to be detected has a flooding attack if the determination result is yes.
Further, the calculating unit 43 is configured to determine the detection threshold as the maximum frequency value.
Further, as shown in fig. 5, the calculating unit 43 includes:
a judging module 431, configured to judge whether the preset protection threshold is smaller than the maximum frequency value;
a determining module 432, configured to determine the maximum frequency value as the detection threshold if the determination result is yes;
a calculating module 433, configured to calculate a flow deviation between a preset protection threshold and a maximum frequency value if the determination result is negative;
the determining module 432 is further configured to determine the detection threshold as a sum of the maximum frequency value and a preset proportional flow deviation.
Further, as shown in fig. 6, the apparatus further includes:
and the generating unit 47 is configured to generate warning information after determining that the server to be detected has a flooding attack.
Further, as shown in fig. 6, the apparatus further includes:
the acquiring unit 48 is configured to acquire a TCP connection corresponding to a real-time frequency after determining that a flooding attack occurs to the server to be detected;
the starting unit 49 is used for starting a cookie checking mechanism and checking the TCP connection corresponding to the real-time frequency;
a determining unit 410, configured to determine that a TCP connection corresponding to the real-time frequency is a normal connection if the verification is successful;
the determining unit 410 is further configured to determine, if the checking fails, that the TCP connection corresponding to the real-time frequency is an attack source;
and the freezing unit 411 is used for freezing the attack source and forbidding the attack source to access the internet.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and when the program is executed, the program may include some or all of the steps in each embodiment of the network flooding attack detection method provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments in this specification may be referred to each other. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is simple, and the relevant points can be referred to the description in the method embodiment.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (4)

1. A method for detecting a network flooding attack, the method comprising:
setting detection starting parameters, wherein the detection starting parameters comprise an Internet Protocol (IP) address of a server to be detected and a preset protection threshold value;
according to the IP address, counting the maximum frequency value of the TCP connection established by the server to be detected within preset learning time, wherein the maximum frequency value is the maximum value of the TCP connection established within a preset period;
calculating a detection threshold value of the server to be detected according to the maximum frequency value;
the calculating the detection threshold value of the server to be detected according to the maximum frequency value includes:
judging whether the preset protection threshold value is smaller than the maximum frequency value;
if the judgment result is yes, determining the maximum frequency value as the detection threshold value;
if the judgment result is negative, calculating the flow deviation between the preset protection threshold value and the maximum frequency value;
determining the detection threshold value as the sum of the maximum frequency value and the flow deviation of a preset proportion;
according to the preset period, counting the real-time frequency of the TCP connection established by the server to be detected;
judging whether the real-time frequency is greater than the detection threshold value;
if the judgment result is yes, determining that the server to be detected has flooding attack;
the method further comprises the following steps:
generating alarm information;
acquiring a TCP connection corresponding to the real-time frequency;
starting a cookie checking mechanism, and checking the TCP connection corresponding to the real-time frequency;
if the verification is successful, determining that the TCP connection corresponding to the real-time frequency is normal connection;
if the check fails, determining the TCP connection corresponding to the real-time frequency as an attack source;
and freezing the attack source, and prohibiting the attack source from accessing the Internet.
2. The method of claim 1, wherein the calculating the detection threshold of the server to be detected according to the maximum frequency value comprises:
determining the detection threshold as the maximum frequency value.
3. An apparatus for detecting a network flooding attack, the apparatus comprising:
the device comprises a setting unit, a detection starting unit and a processing unit, wherein the setting unit is used for setting detection starting parameters which comprise the Internet Protocol (IP) address of a server to be detected and a preset protection threshold value;
the first counting unit is used for counting the maximum frequency value of the TCP connection established by the server to be detected within the preset learning time according to the IP address, wherein the maximum frequency value is the maximum value of the TCP connection established within the preset period;
the calculating unit is used for calculating a detection threshold value of the server to be detected according to the maximum frequency value;
the calculation unit includes:
the judging module is used for judging whether the preset protection threshold value is smaller than the maximum frequency value;
a determining module, configured to determine, if the determination result is yes, that the maximum frequency value is the detection threshold;
the calculation module is used for calculating the flow deviation between the preset protection threshold value and the maximum frequency value if the judgment result is negative;
the determining module is further configured to determine that the detection threshold is a sum of the maximum frequency value and the flow deviation of a preset proportion;
the second statistical unit is used for counting the real-time frequency of the TCP connection established by the server to be detected according to the preset period;
the judging unit is used for judging whether the real-time frequency is greater than the detection threshold value;
the determining unit is used for determining that the server to be detected has flooding attack if the judging result is yes;
the device further comprises:
the generating unit is used for generating alarm information after the server to be detected is determined to have flood attack;
the acquiring unit is used for acquiring the TCP connection corresponding to the real-time frequency after the server to be detected is determined to be subjected to flooding attack;
the starting unit is used for starting a cookie checking mechanism and checking the TCP connection corresponding to the real-time frequency;
a determining unit, configured to determine that the TCP connection corresponding to the real-time frequency is a normal connection if the verification is successful;
the determining unit is further configured to determine, if the checking fails, that the TCP connection corresponding to the real-time frequency is an attack source;
and the freezing unit is used for freezing the attack source and prohibiting the attack source from accessing the Internet.
4. The apparatus of claim 3, wherein the calculation unit is configured to:
determining the detection threshold as the maximum frequency value.
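The following Python program is an added worked example and is not code from the patent or from Beijing Abt Networks. It implements the steps of claim 1 and the corresponding units of claim 3: bucketing TCP connection-establishment events per preset period, learning the maximum per-period frequency during the learning time, deriving the detection threshold from the preset protection threshold with the two-branch rule, comparing the real-time frequency against it, and, once an alarm is raised, sorting the connections behind that frequency into normal connections and attack sources. The patent does not specify the preset proportion or the details of the cookie checking mechanism; the 0.5 proportion, the HMAC-keyed SYN-cookie-style check, the key, and all IP addresses and timestamps are assumptions constructed for the example.

```python
"""Adaptive TCP connection-rate flooding detector (added example, not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class DetectionParams:
    """Detection starting parameters of claim 1 (values are constructed)."""
    server_ip: str              # IP address of the server to be detected
    protection_threshold: int   # preset protection threshold, connections per period
    ratio: float = 0.5          # preset proportion of the deviation (assumed value)


def count_per_period(events, server_ip, period, start, end):
    """Bucket connection-establishment events (timestamp, dst_ip) aimed at
    server_ip into fixed periods of `period` seconds within [start, end).
    Returns one count per period, i.e. the 'frequency' of the claims."""
    n = int((end - start) // period)
    counts = [0] * n
    for ts, dst in events:
        if dst != server_ip or ts < start or ts >= end:
            continue
        counts[int((ts - start) // period)] += 1
    return counts


def learn_max_frequency(per_period_counts):
    """Learning phase: the maximum per-period count seen during the learning time."""
    if not per_period_counts:
        raise ValueError("learning window contained no complete period")
    return max(per_period_counts)


def compute_detection_threshold(max_frequency, protection_threshold, ratio):
    """Threshold rule of claim 1: if the preset protection threshold is below the
    learned maximum, the maximum itself is the threshold; otherwise the threshold
    is the maximum plus a preset proportion of the deviation between the two."""
    if protection_threshold < max_frequency:
        return max_frequency
    deviation = protection_threshold - max_frequency
    return max_frequency + ratio * deviation


def is_flooding(real_time_frequency, detection_threshold):
    """Claim 1's decision: strictly greater than the threshold means attack."""
    return real_time_frequency > detection_threshold


def detect(events, params, period, learn_start, learn_end, now):
    """Learn on [learn_start, learn_end), then judge the most recent period."""
    learned = count_per_period(events, params.server_ip, period, learn_start, learn_end)
    fmax = learn_max_frequency(learned)
    threshold = compute_detection_threshold(fmax, params.protection_threshold, params.ratio)
    current = count_per_period(events, params.server_ip, period, now - period, now)[0]
    return fmax, threshold, current, is_flooding(current, threshold)


# Cookie check after an alarm. The patent only says "start a cookie checking
# mechanism"; an HMAC-keyed SYN-cookie-style check is assumed here.
COOKIE_SECRET = b"constructed-secret-rotate-me"   # constructed key


def make_cookie(src_ip, src_port, dst_ip, dst_port):
    """Cookie the server would place in its SYN-ACK sequence number (assumed design)."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def verify_connection(conn):
    """A real client acknowledges cookie+1; a spoofed source never receives the
    SYN-ACK and cannot. conn['ack'] is the value echoed back, or None."""
    expected = (make_cookie(conn["src_ip"], conn["src_port"],
                            conn["dst_ip"], conn["dst_port"]) + 1) & 0xFFFFFFFF
    return conn.get("ack") == expected


def classify_connections(conns):
    """Split the connections behind the alarming frequency into normal ones and
    attack sources (the latter are what the freezing unit would act on)."""
    normal, attack_sources = [], []
    for c in conns:
        (normal if verify_connection(c) else attack_sources).append(c["src_ip"])
    return normal, attack_sources


def constructed_events():
    """Constructed sample: six 10 s learning periods, then a burst in [90, 100)."""
    events = []
    for i, n in enumerate([3, 5, 4, 6, 2, 5]):
        events += [(i * 10 + k * 0.5, "10.0.0.5") for k in range(n)]
    events.append((12.0, "10.0.0.9"))          # other server, must be ignored
    events += [(90 + k * 0.4, "10.0.0.5") for k in range(20)]
    return events


def constructed_connections():
    """Constructed handshake outcomes for three sources during the burst."""
    legit = {"src_ip": "192.0.2.10", "src_port": 40001, "dst_ip": "10.0.0.5", "dst_port": 443}
    legit["ack"] = (make_cookie(**legit) + 1) & 0xFFFFFFFF
    return [
        legit,
        {"src_ip": "203.0.113.7", "src_port": 40002, "dst_ip": "10.0.0.5", "dst_port": 443, "ack": None},
        {"src_ip": "198.51.100.3", "src_port": 40003, "dst_ip": "10.0.0.5", "dst_port": 443, "ack": 12345},
    ]


if __name__ == "__main__":
    params = DetectionParams(server_ip="10.0.0.5", protection_threshold=20)
    print(detect(constructed_events(), params, period=10, learn_start=0, learn_end=60, now=100))
    print(classify_connections(constructed_connections()))
```

With the constructed data the learned maximum is 6 connections per period; because the protection threshold (20) is not smaller than that, the threshold becomes 6 + 0.5 × (20 − 6) = 13, and the 20 connections in the current period trigger the alarm, after which only the source that completed the cookie exchange is kept as a normal connection. Two points a deployer should keep in mind: the learned maximum is only as trustworthy as the learning window, so the window must be taken from a period known to be free of attack traffic, and the decision is "strictly greater than", so a real-time frequency exactly equal to the threshold is not reported.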
CN201810075474.0A 2018-01-26 2018-01-26 Method and device for detecting network flooding attack Active CN108234516B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810075474.0A CN108234516B (en) 2018-01-26 2018-01-26 Method and device for detecting network flooding attack

Publications (2)

Publication Number Publication Date
CN108234516A CN108234516A (en) 2018-06-29
CN108234516B true CN108234516B (en) 2021-01-26

Family

ID=62668942

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810075474.0A Active CN108234516B (en) 2018-01-26 2018-01-26 Method and device for detecting network flooding attack

Country Status (1)

Country Link
CN (1) CN108234516B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109302378B (en) * 2018-07-13 2021-01-05 哈尔滨工程大学 SDN network DDoS attack detection method
CN110912904B (en) * 2019-11-27 2021-07-02 腾讯科技(深圳)有限公司 Malicious device identification method and device, storage medium and computer device
US11444961B2 (en) * 2019-12-20 2022-09-13 Intel Corporation Active attack detection in autonomous vehicle networks
CN113890746B (en) * 2021-08-16 2024-05-07 曙光信息产业(北京)有限公司 Attack traffic identification method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101013973A (en) * 2007-02-09 2007-08-08 华为技术有限公司 Network element state detecting method and network management equipment
CN101282209A (en) * 2008-05-13 2008-10-08 杭州华三通信技术有限公司 Method and apparatus for preventing DNS request message from flooding attack
CN106254394A (en) * 2016-09-29 2016-12-21 北京神州绿盟信息安全科技股份有限公司 A kind of recording method and device of attack traffic

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594269B (en) * 2009-06-29 2012-05-02 成都市华为赛门铁克科技有限公司 Method, device and gateway device for detecting abnormal connection
EP2790382B1 (en) * 2012-09-17 2017-05-03 Huawei Technologies Co., Ltd. Protection method and device against attacks
CN102882895A (en) * 2012-10-31 2013-01-16 杭州迪普科技有限公司 Method and device for identifying message attack
CN103546486A (en) * 2013-11-04 2014-01-29 北京荣之联科技股份有限公司 SYN Cookie source authentication method and device for preventing DDOS attack
CN105577608B (en) * 2014-10-08 2020-02-07 腾讯科技(深圳)有限公司 Network attack behavior detection method and device
CN105591832B (en) * 2014-11-13 2019-12-10 腾讯数码(天津)有限公司 application layer slow attack detection method and related device
CN105939361B (en) * 2016-06-23 2019-06-07 杭州迪普科技股份有限公司 Defend the method and device of CC attack
CN106685930B (en) * 2016-12-06 2020-03-31 深信服科技股份有限公司 Method and device for processing transmission control protocol options
CN107612937B (en) * 2017-10-26 2019-11-26 武汉理工大学 Detection and defence method under a kind of SDN network to DHCP extensive aggression

Also Published As

Publication number Publication date
CN108234516A (en) 2018-06-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant