CN112804200B - Reflection attack defense method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN112804200B
Authority: CN (China)
Prior art keywords: network communication, session, flow, equipment, traffic
Legal status: Active
Application number: CN202011610721.6A
Other languages: Chinese (zh)
Other versions: CN112804200A (en)
Inventors: 邹浩, 邝必权
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202011610721.6A
Publication of CN112804200A
Application granted
Publication of CN112804200B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management


Abstract

The application provides a reflection attack defense method and device, an electronic device and a storage medium, in the technical field of network security. The method, applied to a cleaning device, comprises the following steps: mirroring the upstream traffic that the network communication device sends to the remote network to the cleaning device; when linkage information from the detection device is received and the pull IP address in it hits the source IP address of the protected object, pulling the downstream traffic to the cleaning device based on that pull IP; establishing sessions from the request messages in the mirrored upstream traffic; performing a session check on each packet of the downstream traffic against those sessions; and sending the packets whose session check result is normal on to the network communication device. Because the upstream traffic is mirrored to the cleaning device, which creates the session information directly once the pull IP has hit the source IP and a reflection attack has been determined to be occurring, the method does not depend on synchronisation from other devices; it realises session-check-based reflection defense, reduces the resources consumed by session creation, and avoids false cleaning.

Description

Reflection attack defense method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a reflection attack defense method, an apparatus, an electronic device, and a storage medium.
Background
A reflection attack, also called a reflection amplification attack, exploits the fact that a server's responses are far larger, in length or in number, than the requests that trigger them. The attacker sends a large volume of requests to servers that already exist in the network, with the source address of each request set to the address of the attack target, so that the target receives a large volume of response messages; the aim is to congest the network or exhaust the target's resources.
At present the most effective defense against reflection attacks is session checking: the time and state of each request message are recorded first, and when a response message arrives the corresponding session state is checked to decide whether to block it. This defense presupposes that legitimate service requests pass through the DDoS (Distributed Denial of Service) cleaning device while the attacker's requests do not, which in turn requires that the protected target sit as close as possible to the cleaning device, so that attack requests cannot pass through it and create sessions.
When an anti-DDoS cleaning device is deployed in bypass mode, by default no traffic passes through it; only when the detection device detects an attack is the cleaning device notified, and the downstream traffic is pulled to it for cleaning (in this document, upstream traffic is the traffic the protected target sends and downstream traffic is the traffic it receives). In that situation the defense can generally rely only on simple port identification, or on service-model-based defenses (i.e. the rule that normal service cannot produce such a large volume of response traffic). Neither can distinguish normal responses from abnormal ones, so both tend to cause false cleaning of normal traffic.
Disclosure of Invention
In view of this, the embodiments of the present application aim to provide a reflection attack defense method and apparatus, an electronic device and a storage medium that solve the prior-art problem of normal traffic being easily cleaned by mistake.
An embodiment of the present application provides a reflection attack defense method applied to a cleaning device. The cleaning device is connected to a detection device and to a network communication device, the detection device is also connected to the network communication device, a protected object sends upstream traffic containing request messages to a remote network through the network communication device, and the remote network sends downstream traffic containing response messages to the protected object through the network communication device. The method comprises: mirroring the upstream traffic that the network communication device sends to the remote network to the cleaning device; when linkage information, sent by the detection device when it determines that a reflection attack exists, is received and the pull Internet Protocol (IP) address in the linkage information hits a source IP address of the protected object, pulling the downstream traffic from the network communication device to the cleaning device based on the pull IP; establishing a session based on a request message in the mirrored upstream traffic; performing, based on the session, a session check on each traffic packet of the downstream traffic; and sending the normal traffic packets, those whose session check result is normal, to the network communication device so that they reach the protected object through it.
In this implementation the upstream traffic is mirrored to the cleaning device, which creates the session information directly; no synchronisation from other devices is needed and no network resources are spent synchronising session information, so session-check-based reflection defense is realised in a simple way. Because sessions are created from the mirrored upstream traffic only after the pull IP has hit a source IP and a reflection attack has been determined to be occurring, attack traffic and normal traffic are effectively distinguished, false cleaning is avoided, and the method's use of network and computing resources is reduced.
Optionally, establishing a session based on the request message in the upstream traffic comprises establishing the session based on the five-tuple information of the request message.
In this implementation the session is established from the five-tuple of the request message, so that when the cleaning device later performs the session check and cleans abnormal traffic it can identify abnormal packets precisely from the session's five-tuple, which improves cleaning accuracy.
Optionally, pulling the downstream traffic from the network communication device to the cleaning device upon receiving the linkage information sent by the detection device when it determines that a reflection attack exists comprises: receiving the linkage information sent by the detection device when it determines that a reflection attack exists; parsing the linkage information to obtain the pull IP address; and, when the pull IP address hits the source address of the protected object, advertising a dynamic route to the network communication device based on the pull IP address and the attack type so as to pull the downstream traffic to the cleaning device.
In this implementation the cleaning device pulls downstream traffic based on the pull IP address and attack type carried in the linkage information sent by the detection device, which ensures that attack traffic is detected accurately.
Optionally, performing the session check on each traffic packet of the downstream traffic based on the session comprises: matching the five-tuple information of each packet in the downstream traffic against the session; and, when five-tuple information matching the current packet exists in the session, determining that the current packet is a normal traffic packet.
In this implementation the downstream traffic is matched on five-tuple information, so abnormal packets whose five-tuple data does not match any session are cleaned, and abnormal traffic is identified more accurately.
An embodiment of the present application further provides a reflection attack defense method applied to a detection device. The detection device is connected to a cleaning device and to a network communication device, a protected object sends upstream traffic containing request messages to a remote network through the network communication device, and the remote network sends downstream traffic containing response messages to the protected object through the network communication device. The method comprises: mirroring the downstream traffic that the network communication device sends to the protected object to the detection device; and, when it is determined from the mirrored downstream traffic that a reflection attack exists, sending linkage information to the cleaning device, so that when the cleaning device receives the linkage information and the pull IP address in it hits a source IP address of the protected object, the cleaning device pulls the downstream traffic to itself based on the pull IP, establishes a session based on a request message in the mirrored upstream traffic, performs a session check on each packet of the downstream traffic based on the session, and sends the normal packets, those whose session check result is normal, to the network communication device, which forwards them to the protected object.
In this implementation the detection device performs attack detection on the downstream traffic and, when it finds a reflection attack, notifies the cleaning device through the linkage information, so that the cleaning device establishes sessions and cleans traffic based on five-tuple information. Session-check-based reflection defense is thus realised simply: sessions are not established for safe traffic that does not need them, attack traffic is detected effectively, resource usage is reduced, and the accuracy of reflection attack detection, and so of the defense as a whole, is improved.
Optionally, before sending the linkage information to the cleaning device when it is determined from the mirrored downstream traffic that a reflection attack exists, the method further comprises determining, based on traffic anomaly detection, whether a reflection attack exists in the downstream traffic.
In this implementation whether the downstream traffic carries a reflection attack is determined against a traffic threshold, which ensures detection accuracy simply and effectively and improves detection efficiency.
An embodiment of the present application further provides a reflection attack defense device applied to a cleaning device. The cleaning device is connected to a detection device and to a network communication device, the detection device is also connected to the network communication device, a protected object sends upstream traffic containing request messages to a remote network through the network communication device, and the remote network sends downstream traffic containing response messages to the protected object through the network communication device. The device comprises: an upstream traffic mirroring device, configured to mirror the upstream traffic that the network communication device sends to the remote network to the cleaning device; a pull module, configured to pull the downstream traffic from the network communication device to the cleaning device based on the pull IP when linkage information sent by the detection device upon determining that a reflection attack exists is received and the pull Internet Protocol (IP) address in it hits a source IP address of the protected object; a session establishing module, configured to establish a session based on the request message in the mirrored upstream traffic; a session check module, configured to perform a session check on each traffic packet of the downstream traffic based on the session; and a traffic reinjection module, configured to send the normal traffic packets, those whose session check result is normal, to the network communication device so that they reach the protected object through it.
In this implementation the upstream traffic is mirrored to the cleaning device, which creates the session information directly; no synchronisation from other devices is required and no network resources are spent synchronising session information, so session-check-based reflection defense is realised in a simple way.
Optionally, the session establishing module is specifically configured to establish the session based on the five-tuple information of the request message.
In this implementation the session is established from the five-tuple of the request message, so that when the cleaning device later performs the session check and cleans abnormal traffic it can identify abnormal packets precisely from the session's five-tuple, which improves cleaning accuracy.
Optionally, the linkage information comprises the pull IP address and an attack type, and the pull module is specifically configured to: receive the linkage information sent by the detection device when it determines that a reflection attack exists; parse the linkage information to obtain the pull IP address; and, when the pull IP address hits the source address of the protected object, advertise a dynamic route to the network communication device based on the pull IP address and the attack type so as to pull the downstream traffic to the cleaning device.
In this implementation the cleaning device pulls downstream traffic based on the pull IP address and attack type carried in the linkage information sent by the detection device, which ensures that attack traffic is detected accurately.
Optionally, the session check module is specifically configured to: match the five-tuple information of each packet in the downstream traffic against the session; and, when five-tuple information matching the current packet exists in the session, determine that the current packet is a normal traffic packet.
In this implementation the downstream traffic is matched on five-tuple information, so abnormal packets whose five-tuple data does not match any session are cleaned, and abnormal traffic is identified more accurately.
An embodiment of the present application further provides a reflection attack defense apparatus applied to a detection device. The detection device is connected to a cleaning device and to a network communication device, a protected object sends upstream traffic containing request messages to a remote network through the network communication device, and the remote network sends downstream traffic containing response messages to the protected object through the network communication device. The apparatus comprises: a downstream traffic mirroring module, configured to mirror the downstream traffic that the network communication device sends to the protected object to the detection device; and a linkage information sending module, configured to send linkage information to the cleaning device when it is determined from the mirrored downstream traffic that a reflection attack exists, so that when the cleaning device receives the linkage information and the pull IP address in it hits the source IP address of the protected object, the cleaning device pulls the downstream traffic to itself based on the pull IP, establishes a session based on a request message in the mirrored upstream traffic, performs a session check on each packet of the downstream traffic based on the session, and sends the normal packets, those whose session check result is normal, to the network communication device, which forwards them to the protected object.
In this implementation the detection device performs attack detection on the downstream traffic and, when it finds a reflection attack, notifies the cleaning device through the linkage information, so that the cleaning device establishes sessions and cleans traffic based on five-tuple information. Session-check-based reflection defense is thus realised simply: sessions are not established for safe traffic that does not need them, attack traffic is detected effectively, resource usage is reduced, and the accuracy of reflection attack detection, and so of the defense as a whole, is improved.
Optionally, the reflection attack defense apparatus further comprises a reflection attack judging module, configured to determine, based on traffic anomaly detection, whether a reflection attack exists in the downstream traffic.
In this implementation whether the downstream traffic carries a reflection attack is determined against a traffic threshold, which ensures detection accuracy simply and effectively and improves detection efficiency.
An embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores program instructions, and the processor executes steps in any one of the above implementation manners when reading and executing the program instructions.
The embodiment of the present application further provides a readable storage medium, in which computer program instructions are stored, and the computer program instructions are read by a processor and executed to perform the steps in any of the above implementation manners.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be regarded as limiting its scope; those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic structural diagram of a reflection attack defense system according to an embodiment of the present disclosure.
Fig. 2 is a schematic flow chart of a method for defending against a reflection attack according to an embodiment of the present disclosure.
Fig. 3 is a schematic flowchart of a session recording step for monitoring traffic according to an embodiment of the present application.
Fig. 4 is a schematic block diagram of a reflection attack defense device applied to a cleaning apparatus according to an embodiment of the present disclosure.
Fig. 5 is a schematic block diagram of a reflection attack defense apparatus applied to a detection device according to an embodiment of the present application.
Icon: 10-reflection attack defense system; 11-a protected object; 12-a switch; 13-a router; 14-a remote network; 15-cleaning the equipment; 16-a detection device; 20-reflection attack defense devices; 21-an upstream traffic mirroring device; 22-a traction module; 23-session establishment module; 24-a session check module; 25-flow reinjection module; 30-reflection attack defense devices; 31-downlink traffic mirror module; 32-linkage information sending module.
Detailed Description
The technical solution in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
The applicant's research finds that existing reflection attack defense techniques based on a DDoS cleaning device are difficult to implement: session information generally has to be established on the detection device first and then synchronised to the cleaning device, which places high demands on the timeliness, accuracy and stability of that synchronisation.
To address these shortcomings of the prior art, namely high implementation difficulty, extra load on the network, and a tendency to cause false cleaning, a reflection attack defense method is provided that effectively resolves them. The method sets up a network connection mode (port mirroring) that mirrors the upstream traffic to the cleaning device, so that session information is created directly on the cleaning device without depending on any other device for synchronisation. Session-check-based reflection defense is thus achieved without synchronising session information, so no resource load is placed on the network, while attack traffic and normal traffic are effectively distinguished and false cleaning is avoided.
First, the present embodiment provides a reflection attack defense system 10 for executing the reflection attack defense method; refer to fig. 1, which is a schematic structural diagram of a reflection attack defense system according to an embodiment of the present disclosure.
The reflection attack defense system 10 is deployed in bypass mode and comprises a protected object 11, a network communication device, a remote network 14, a cleaning device 15 and a detection device 16. The protected object 11 is connected over the network to the remote network 14 through the network communication device; traffic sent by the protected object 11 is upstream traffic and traffic it receives is downstream traffic. The cleaning device 15 is connected to the detection device 16 and to the network communication device, and the detection device 16 is also connected to the network communication device.
Optionally, the network communication device in this implementation may comprise a switch 12 and a router 13: the protected object 11, switch 12, router 13 and remote network 14 are connected in sequence, the cleaning device 15 is connected to both the switch 12 and the router 13, and the detection device 16 is connected to the router 13.
Referring to fig. 2, a schematic flow chart of the reflection attack defense method according to an embodiment of the present application, the specific steps of the method may be as follows:
The protected object 11 sends request messages to the remote network 14 along the path S1 → S2 → S3; this is the upstream traffic. When it passes through the router 13 it is mirrored to the cleaning device 15; the mirrored upstream traffic is shown as P0 in fig. 2.
Mirroring here means copying the packets that pass through a specified port (the source port, or mirror port) to another specified port (the destination port, or observation port). Mirroring copies the packets of the mirror port to the observation port without affecting the device's normal processing of those packets.
The response messages the remote network 14 returns for those requests travel along C1 → C2 → C3; this is the downstream traffic, and it is sent to the detection device 16 as it passes through the router 13.
Alternatively, the detection device 16 may obtain the downstream traffic (P1 in fig. 2) from the router 13 either by mirroring or by NetFlow-based monitoring.
The detection device 16 inspects the downstream traffic to determine whether it contains a reflection attack and, if so, sends linkage information to the cleaning device 15 (P2 in fig. 2).
Alternatively, the linkage information may comprise a pull IP (Internet Protocol) address and an attack type. The pull IP address is the IP address under attack; attack types typically include memcached reflection, NTP (Network Time Protocol) reflection and SSDP (Simple Service Discovery Protocol) reflection attacks.
In this embodiment the reflection attack may be detected by attack detection methods that apply machine learning principles, such as deep packet inspection (DPI) and deep/dynamic flow inspection (DFI), or by building a traffic model and setting a security threshold or security baseline.
Optionally, in this embodiment a traffic model is built and a security threshold set to detect reflection attacks. This statistical anomaly detection assumes that the current network environment is in a quasi-steady state. The algorithm collects and organises a large body of normal traffic data from a preceding period, derives an initial threshold by statistical analysis or data transformation of that historical traffic, then computes the downstream traffic statistics of the current network and compares them with the initial threshold to judge whether the network is abnormal. If some statistic of the current downstream traffic exceeds its corresponding threshold, the traffic is abnormal, i.e. a reflection attack exists.
Network traffic features commonly used in anomaly detection include byte counts, packet counts, flow counts, audit record data, the number of audit events, interval events, five-tuples, resource-consumption events, and the like.
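The threshold-based detection described above can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the patent or from the assignee: a baseline is derived from constructed historical byte and packet counts per interval, the threshold is the mean plus three standard deviations (the multiplier is an assumption), the current downstream window is aggregated per destination address, and any destination over threshold yields linkage information of the form the text describes (pull IP plus attack type). Attributing the attack type to the source port that carries most bytes, and the port-to-type mapping, are also this example's assumptions.

```python
"""Threshold-based reflection-attack detection, following the detection-device
steps of CN112804200B.  Added example: history, window, the 3-sigma rule and the
port-to-attack-type mapping are constructed/assumed, not taken from the patent."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Attack types the patent names, keyed by the UDP port the amplifier answers from
# (mapping assumed for this example).
REFLECTOR_PORTS = {11211: "memcached", 123: "ntp", 1900: "ssdp"}


def build_threshold(history: List[Tuple[int, int]], k: float = 3.0) -> Tuple[float, float]:
    """history: (bytes, packets) per interval measured during normal operation.
    Returns (byte_threshold, packet_threshold) = mean + k * population stddev."""
    byte_counts = [b for b, _ in history]
    pkt_counts = [p for _, p in history]
    return (mean(byte_counts) + k * pstdev(byte_counts),
            mean(pkt_counts) + k * pstdev(pkt_counts))


def summarise_window(packets: List[dict]) -> Dict[str, dict]:
    """Aggregate downstream packets per destination (protected) IP:
    total bytes, packet count and bytes by source port."""
    per_dst: Dict[str, dict] = {}
    for pkt in packets:
        st = per_dst.setdefault(pkt["dst_ip"], {"bytes": 0, "packets": 0, "by_sport": {}})
        st["bytes"] += pkt["length"]
        st["packets"] += 1
        st["by_sport"][pkt["src_port"]] = st["by_sport"].get(pkt["src_port"], 0) + pkt["length"]
    return per_dst


def detect(packets: List[dict], thresholds: Tuple[float, float]) -> List[dict]:
    """Return one linkage record {pull_ip, attack_type} per destination whose
    current-window statistics exceed the baseline thresholds."""
    byte_thr, pkt_thr = thresholds
    linkage = []
    for dst_ip, st in summarise_window(packets).items():
        if st["bytes"] > byte_thr or st["packets"] > pkt_thr:
            # Attribute the attack type to the source port carrying most bytes.
            top_port = max(st["by_sport"], key=st["by_sport"].get)
            linkage.append({"pull_ip": dst_ip,
                            "attack_type": REFLECTOR_PORTS.get(top_port, "unknown") + "-reflection"})
    return linkage


def run_demo() -> List[dict]:
    # Constructed baseline: 60 quiet intervals of roughly 50 kB / 40 packets each.
    history = [(50_000 + 200 * (i % 7), 40 + (i % 5)) for i in range(60)]
    thresholds = build_threshold(history)
    # Constructed current window: a burst of 1400-byte NTP replies at one
    # protected host, and ordinary traffic at another.
    window = [{"dst_ip": "203.0.113.10", "src_port": 123, "length": 1400} for _ in range(100)]
    window += [{"dst_ip": "203.0.113.11", "src_port": 443, "length": 500} for _ in range(5)]
    return detect(window, thresholds)


if __name__ == "__main__":
    print(run_demo())  # [{'pull_ip': '203.0.113.10', 'attack_type': 'ntp-reflection'}]
```

With the constructed baseline the byte threshold lands near 51,800 bytes per interval, so the 140,000-byte burst at 203.0.113.10 is flagged while the 2,500 bytes at 203.0.113.11 are not. The example keeps one global baseline for brevity; in a deployment each protected object gets its own, since the "quasi-steady state" the text assumes differs per host, and the per-port breakdown is what lets the linkage record name a specific reflection type rather than just "abnormal".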
The cleaning device 15 may listen for linkage information from the detection device 16, parse out the pull IP and the attack type, determine from the pull IP the device it belongs to, i.e. the protected object 11, and the corresponding network communication device, i.e. the router 13; it then generates a dynamic route based on the pull IP and attack type, advertises it to the router 13, and thereby pulls the downstream traffic containing the reflection attack (P3 in fig. 2) to the cleaning device 15.
Optionally, in this embodiment the cleaning device 15 records sessions for the downstream traffic containing the reflection attack, i.e. the monitored traffic; the specific manner is shown in fig. 3, a schematic flow diagram of the session recording step for monitored traffic according to an embodiment of the present application.
When the source IP of the protected object 11 hits the pull IP and the attack type associated with that pull IP includes a reflection attack (that is, the attack type carried in the linkage message includes a reflection attack), or when the cleaning device already has reflection-defense packet-drop statistics, a corresponding session is recorded based on the pull IP; otherwise the monitored traffic is discarded directly.
The cleaning device 15 continuously mirrors the traffic containing the reflection attack from the uplink traffic of the router 13 to the local cleaning device 15, and establishes sessions based on the request packets in it.
Optionally, in this embodiment, the corresponding session information is recorded based on the five-tuple information of the request packet, and a session is established. The five-tuple is the set of five values: source IP address, source port, destination IP address, destination port and transport-layer protocol.
It should be appreciated that the traffic mirrored by the cleaning device 15 from the router 13 is ultimately discarded and is never forwarded.
The cleaning device 15 performs a session check on each traffic packet (the response traffic, including response packets) of the pulled downlink traffic. When the session check determines that the packet is a normal traffic packet (P4 in fig. 2), the packet is reinjected to the switch 12 and reaches the protected object 11 through C3, where the response packet received by the protected object 11 is the response to a request packet it sent earlier; when the session check determines that the packet is an abnormal traffic packet, the packet is discarded directly.
Optionally, in this embodiment, the session check performed by the cleaning device 15 may proceed as follows: for each traffic packet in the downlink traffic, match its five-tuple information against the sessions; when a session whose five-tuple information matches the current traffic packet exists, the current traffic packet is determined to be a normal traffic packet.
When the detection device 16 determines that the downlink traffic contains no reflection attack, the detection device 16 may send that traffic to the protected object 11 directly through the router 13 and the switch 12.
In addition, when the detection device 16 determines that the downlink traffic contains a reflection attack, the normal uplink traffic sent before or at that moment has no corresponding session on the cleaning device 15, because the cleaning device 15 did not establish sessions for that part of the normal uplink traffic; its corresponding downlink traffic therefore cannot be sent to the protected object 11. Following the normal request-response rule, the protected object 11 resends the request packets of the unanswered normal uplink traffic to the remote network; this resent uplink traffic is recorded by the cleaning device 15, so that in subsequent traffic cleaning the protected object 11 receives the response packets normally through reinjection by the cleaning device 15.
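The session recording rule, the five-tuple session check and the retransmission case described above, as an added Python model that is not the patent's code: sessions are recorded only for mirrored uplink requests whose source IP is a pulled traction IP, a downlink packet passes when its reversed five-tuple matches a recorded request, and the `scenario` function walks through a reply lost before the session existed and the resent request that is then recorded. The class and field names, the packet layout and the sample addresses are constructed.

```python
"""Session-check cleaning of pulled downlink traffic (added model, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # src_ip, sport, dst_ip, dport, proto


@dataclass(frozen=True)
class Packet:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.sport, self.dst_ip, self.dport, self.proto)

    def reverse_tuple(self) -> FiveTuple:
        # A response swaps the endpoints of the request it answers; protocol unchanged.
        return (self.dst_ip, self.dport, self.src_ip, self.sport, self.proto)


@dataclass(frozen=True)
class LinkageInfo:
    traction_ip: str   # protected IP under attack, to be pulled to the cleaner
    attack_type: str   # e.g. "reflection"


class CleaningDevice:
    """Bypass-deployed cleaner: sees mirrored uplink, pulls attacked downlink."""

    def __init__(self, protected_ips: Set[str]) -> None:
        self.protected_ips = protected_ips
        self.pulled_ips: Set[str] = set()      # traction IPs with a dynamic route advertised
        self.sessions: Set[FiveTuple] = set()  # five-tuples of recorded request packets
        self.dropped = 0

    def on_linkage(self, info: LinkageInfo) -> bool:
        """Pull downlink traffic only when the traction IP hits a protected object
        and the attack type includes a reflection attack."""
        if info.traction_ip in self.protected_ips and "reflection" in info.attack_type:
            self.pulled_ips.add(info.traction_ip)  # stands in for the dynamic route advertisement
            return True
        return False

    def mirror_uplink(self, pkt: Packet) -> bool:
        """A mirrored uplink request is recorded as a session only while its source
        IP is a pulled traction IP; otherwise the mirrored copy is discarded.
        Mirrored copies are never forwarded either way."""
        if pkt.src_ip in self.pulled_ips:
            self.sessions.add(pkt.five_tuple())
            return True
        return False

    def session_check(self, pkt: Packet) -> bool:
        """Five-tuple match: normal when a recorded request's reverse tuple equals the packet."""
        return pkt.reverse_tuple() in self.sessions

    def clean_downlink(self, pkts: List[Packet]) -> List[Packet]:
        """Check each pulled downlink packet; return the packets to reinject, count the drops."""
        reinjected = []
        for pkt in pkts:
            if self.session_check(pkt):
                reinjected.append(pkt)
            else:
                self.dropped += 1
        return reinjected


def scenario() -> Dict[str, object]:
    """Constructed walk-through, including the retransmission case described above."""
    host, dns, reflector = "198.51.100.10", "203.0.113.53", "203.0.113.77"
    cleaner = CleaningDevice({host})
    # 1. A normal DNS query before any attack: mirrored but not recorded.
    early_recorded = cleaner.mirror_uplink(Packet(host, 40001, dns, 53, "udp"))
    # 2. The detection device reports a reflection attack against the host.
    pulled = cleaner.on_linkage(LinkageInfo(host, "reflection"))
    # 3. Pulled downlink: the reply to the early query (no session, so it is lost)
    #    plus 50 unsolicited reflected responses that no session explains.
    batch = [Packet(dns, 53, host, 40001, "udp")]
    batch += [Packet(reflector, 123, host, p, "udp") for p in range(1000, 1050)]
    passed_first = len(cleaner.clean_downlink(batch))
    # 4. The host got no reply and resends the query; this time it is recorded,
    #    so the corresponding response passes the session check and is reinjected.
    retry_recorded = cleaner.mirror_uplink(Packet(host, 40002, dns, 53, "udp"))
    passed_second = len(cleaner.clean_downlink([Packet(dns, 53, host, 40002, "udp")]))
    return {"early_recorded": early_recorded, "pulled": pulled, "passed_first": passed_first,
            "retry_recorded": retry_recorded, "passed_second": passed_second,
            "dropped": cleaner.dropped}
```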
In the reflection attack defense method provided by this embodiment, under bypass deployment only the networking mode (port mirroring) needs to be modified: the traffic whose reflection attack is hit by the linkage information is mirrored directly to the cleaning device to create session information. A session-check-based reflection defense is thus realized in a very simple way, without the extra network communication and resource overhead of session establishment, so that attack traffic and normal traffic can be accurately distinguished and mistaken cleaning avoided.
To cooperate with the reflection attack defense method provided by this embodiment, an embodiment of the present application further provides a reflection attack defense device 20 applied to the cleaning device 15; see fig. 4, a schematic block diagram of the reflection attack defense device applied to the cleaning device provided in this embodiment of the present application.
The reflection attack defense apparatus 20 includes:
an uplink traffic mirroring device 21, configured to mirror the uplink traffic sent to the remote network through the network communication device to the cleaning device;
a traction module 22, configured to pull the downlink traffic from the network communication device to the cleaning device based on the traction IP when linkage information, sent by the detection device upon determining that a reflection attack exists, is received and the traction IP address in the linkage information hits the source IP address of the protected object;
a session establishing module 23, configured to establish a session based on the request packets in the mirrored uplink traffic;
a session check module 24, configured to perform a session check on each traffic packet of the downlink traffic based on the session;
and a traffic reinjection module 25, configured to send the normal traffic packets whose session check result is normal to the network communication device, so that they reach the protected object through the network communication device.
Optionally, the session establishing module 23 is specifically configured to: and establishing the session based on the quintuple information of the request message.
Optionally, the linkage information includes a traction Internet Protocol (IP) address and an attack type, and the traction module 22 is specifically configured to: receive the linkage information sent by the detection device upon determining that a reflection attack exists; parse the linkage information to obtain the traction IP address and the attack type; and advertise a dynamic route to the network communication device based on the traction IP address and the attack type, so as to pull the downlink traffic to the cleaning device.
Optionally, the session check module 24 is specifically configured to: for each traffic packet in the downlink traffic, match its five-tuple information against the sessions; and when a session whose five-tuple information matches the current traffic packet exists, determine the current traffic packet to be a normal traffic packet.
To cooperate with the reflection attack defense method provided in this embodiment, an embodiment of the present application further provides a reflection attack defense device 30 applied to the detection device 16; see fig. 5, a schematic block diagram of the reflection attack defense device applied to the detection device provided in this embodiment of the present application.
The reflection attack defense apparatus 30 includes:
a downlink traffic mirroring module 31, configured to mirror downlink traffic sent to the protected object through the network communication device to the detection device;
a linkage information sending module 32, configured to send linkage information to the cleaning device when it is determined, based on the mirrored downlink traffic, that a reflection attack exists. On receiving the linkage information, when the traction IP address in it hits the source IP address of the protected object, the cleaning device pulls the downlink traffic from the network communication device to itself based on the traction IP, establishes sessions based on the request packets in the mirrored uplink traffic, performs a session check on each traffic packet of the downlink traffic based on those sessions, and sends the normal traffic packets whose session check result is normal to the network communication device, which forwards them to the protected object.
Optionally, the reflection attack defense device 30 further includes a reflection attack judgment module, configured to determine whether a reflection attack exists in the downlink traffic based on traffic anomaly detection.
The embodiment of the present application further provides an electronic device, which includes a memory and a processor, where the memory stores program instructions, and when the processor reads and runs the program instructions, the electronic device executes the steps of any one of the reflection attack defense methods provided by the present embodiment.
It should be understood that the electronic device may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or other electronic device having a logical computing function.
The embodiment of the application also provides a readable storage medium, wherein the readable storage medium stores computer program instructions, and the computer program instructions are read by a processor and run to execute the steps in the reflection attack defense method.
To sum up, the embodiment of the present application provides a reflection attack defense method, apparatus, electronic device and storage medium. The method applied to the cleaning device, where the cleaning device is connected to a detection device and to a network communication device, the detection device is also connected to the network communication device, a protected object sends uplink traffic containing request packets to a remote network through the network communication device, and the remote network sends downlink traffic containing response packets to the protected object through the network communication device, includes: mirroring the uplink traffic sent to the remote network through the network communication device to the cleaning device; when linkage information sent by the detection device upon determining that a reflection attack exists is received and the traction Internet Protocol (IP) address in the linkage information hits the source IP address of the protected object, pulling the downlink traffic from the network communication device to the cleaning device based on the traction IP; establishing a session based on the request packets in the mirrored uplink traffic; performing a session check on each traffic packet of the downlink traffic based on the session; and sending the normal traffic packets whose session check result is normal to the network communication device, so that they reach the protected object through the network communication device.
In this implementation, session information is created directly by mirroring the uplink traffic to the cleaning device; it does not depend on synchronization from other devices and does not consume network resources synchronizing session information, so the session-check-based reflection defense is realized in a simple way.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices according to various embodiments of the present application. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Therefore, the present embodiment further provides a readable storage medium, in which computer program instructions are stored, and when the computer program instructions are read and executed by a processor, the computer program instructions perform the steps of any of the block data storage methods. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A reflection attack defense method is applied to a cleaning device, the cleaning device is respectively connected with a detection device and a network communication device, the detection device is also connected with the network communication device, a protection object sends uplink flow containing a request message to a far-end network through the network communication device, the far-end network sends downlink flow containing a response message to the protection object through the network communication device, and the method comprises the following steps:
mirroring the upstream traffic sent to the remote network by the network communication device to the cleaning device;
when linkage information sent by the detection equipment when the detection equipment determines that a reflection attack exists is received and a traction Internet Protocol (IP) address in the linkage information hits a source IP address of the protection object, the downlink traffic is pulled from the network communication equipment to the cleaning equipment based on the traction IP;
establishing a session based on a request message in the uplink flow of the mirror image;
based on the session, performing session check for each traffic packet of the downstream traffic;
and sending the normal traffic packet with the normal session check result to the network communication equipment so as to enable the normal traffic packet to reach the protection object through the network communication equipment.
2. The method according to claim 1, wherein the establishing a session based on the request message in the uplink traffic includes:
and establishing a session based on the five-tuple information of the request message.
3. The method of claim 1, wherein the linkage information comprises the traction IP address and an attack type, and wherein pulling the downlink traffic from the network communication device to the cleaning device when the linkage information sent by the detection device upon determining that a reflection attack exists is received and the traction Internet Protocol (IP) address hits the source IP address of the protected object comprises:
receiving the linkage information sent by the detection equipment when the reflection attack is determined to exist;
analyzing the linkage information to obtain the traction IP address;
and when the traction IP address hits the source address of the protection object, performing dynamic route notification to the network communication equipment based on the traction IP address and the attack type so as to draw the downlink traffic to the cleaning equipment.
4. The method of claim 1, wherein performing a session check for each traffic packet of the downstream traffic on a session basis comprises:
aiming at each flow packet in the downlink flow, carrying out five-tuple information matching with the session;
and when the quintuple information matched with the current flow packet exists in the session, determining the current flow packet as the normal flow packet.
5. A reflection attack defense method is applied to a detection device, the detection device is respectively connected with a cleaning device and a network communication device, the detection device is also connected with the network communication device, a protection object sends uplink flow containing a request message to a far-end network through the network communication device, the far-end network sends downlink flow containing a response message to the protection object through the network communication device, and the method comprises the following steps:
mirroring the downlink traffic sent to the protected object by the network communication equipment to the detection equipment;
when it is determined, based on the mirrored downlink traffic, that a reflection attack exists, sending linkage information to the cleaning device, so that the cleaning device, on receiving the linkage information and when a traction IP address in the linkage information hits a source IP address of the protected object, pulls the downlink traffic to the cleaning device based on the traction IP, establishes a session based on the request message in the mirrored uplink traffic, performs a session check on each traffic packet of the downlink traffic based on the session, sends a normal traffic packet with a normal session check result to the network communication device, and sends the normal traffic packet to the protected object through the network communication device.
6. The method of claim 5, wherein, before sending the linkage information to the cleaning device when it is determined based on the mirrored downlink traffic that a reflection attack exists, the method further comprises:
determining whether a reflection attack exists in the downlink traffic based on traffic anomaly detection.
7. A reflection attack defense device is applied to a cleaning device, the cleaning device is respectively connected with a detection device and a network communication device, the detection device is also connected with the network communication device, a protection object sends uplink flow containing a request message to a far-end network through the network communication device, the far-end network sends downlink flow containing a response message to the protection object through the network communication device, and the device comprises:
the upstream flow mirroring device is used for mirroring the upstream flow which is sent to the remote network through the network communication equipment to the cleaning equipment;
a traction module, configured to, when linkage information sent by the detection device when it is determined that a reflection attack exists is received and a traction internet protocol IP address in the linkage information hits a source IP address of the protection object, pull the downlink traffic from the network communication device to the cleaning device based on the traction IP;
a session establishing module, configured to establish a session based on the request packet in the mirrored uplink traffic;
a session check module, configured to perform session check on each traffic packet of the downlink traffic based on the session;
and the flow reinjection module is used for sending a normal flow packet with a normal session check result to the network communication equipment so as to enable the normal flow packet to reach the protection object through the network communication equipment.
8. A reflection attack defense device is applied to a detection device, the detection device is respectively connected with a cleaning device and a network communication device, the detection device is also connected with the network communication device, a protection object sends uplink flow containing a request message to a far-end network through the network communication device, the far-end network sends downlink flow containing a response message to the protection object through the network communication device, and the device comprises:
the downlink flow mirror module is used for mirroring the downlink flow sent to the protected object by the network communication equipment to the detection equipment;
a linkage information sending module, configured to send linkage information to the cleaning device when it is determined, based on the mirrored downlink traffic, that a reflection attack exists, so that the cleaning device, on receiving the linkage information and when the traction IP address in the linkage information hits the source IP address of the protected object, pulls the downlink traffic to the cleaning device based on the traction IP, establishes a session based on a request message in the mirrored uplink traffic, performs a session check on each traffic packet of the downlink traffic based on the session, sends a normal traffic packet with a normal session check result to the network communication device, and sends the normal traffic packet to the protected object through the network communication device.
9. An electronic device, comprising a memory having program instructions stored therein and a processor which, when the program instructions are executed, performs the steps of the method of any one of claims 1-6.
10. A storage medium having stored thereon computer program instructions for executing the steps of the method according to any one of claims 1 to 6 when executed by a processor.
CN202011610721.6A 2020-12-30 2020-12-30 Reflection attack defense method and device, electronic equipment and storage medium Active CN112804200B (en)

Publications (2)

Publication Number Publication Date
CN112804200A CN112804200A (en) 2021-05-14
CN112804200B true CN112804200B (en) 2022-06-24



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant