
CN101834761B - Degradation attack detection and defense method, detection equipment and access equipment - Google Patents


Info

Publication number: CN101834761B
Authority: CN (China)
Prior art keywords: suspicious, degraded, flow, attack flow, roq
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CN2010101792442A
Other languages: Chinese (zh)
Other versions: CN101834761A (en
Inventors: 张波, 胡新宇, 辛阳, 赵玉超, 王勇, 白媛, 覃健诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Zhang Qiaozhen
Original Assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN2010101792442A; publication of CN101834761A; application granted; publication of CN101834761B; current legal status Expired - Fee Related; anticipated expiration.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a degradation attack detection and defence method, a detection device and an access device. It relates to the defence against degradation attacks in a network and is intended to improve the accuracy of RoQ detection, prevent attack packets from entering the backbone network and reduce network congestion. The degradation attack detection method comprises: detecting a suspicious RoQ flow again at the server end; and, when the repeated detection confirms that the suspicious RoQ flow is a RoQ flow, notifying the source end to discard the RoQ flow. The degradation attack defence method comprises: the source end collecting statistics on the subsequent packets of the suspicious RoQ flow to obtain statistical information; sending the statistical information to the server end so that the suspicious RoQ flow can be confirmed; receiving information sent by the server end confirming that the suspicious RoQ flow is a RoQ flow; and the source end discarding the RoQ flow. The invention is suitable for detecting and defending against degradation attacks in a network.

Description

Degradation attack detection and defence method, detection device and access device
Technical field
The present invention relates to the defence against degradation attacks in a network, and in particular to a degradation attack detection and defence method, a detection device and an access device for a network.
Background technology
A RoQ (Reduction of Quality, i.e. degradation) attack, most commonly called a low-rate DoS (Denial of Service) or low-rate DDoS (Distributed Denial of Service) attack, is an attack directed at adaptive systems.
The most important instance is the attack on TCP (Transmission Control Protocol) congestion control. TCP congestion control was originally an effective way of avoiding link congestion: in essence, the sender dynamically adjusts the rate at which it sends packets according to the congestion state of the link. When the link is clear, the sender increases its sending rate; when the link is congested, the sender reduces its sending rate, which eases and relieves the congestion on the link. Congestion control is a very effective mechanism for improving system performance, but it also opens a possibility for attack. A RoQ attack exploits precisely the fact that the sender lowers its sending rate when the link is congested: it periodically sends instantaneous high-rate packet streams, repeatedly forcing the system into an unstable state while it is still recovering towards a steady state, which causes a sharp drop in system performance.
This attack can be launched by a single attack source or jointly by several attack sources (in which case it is called DDoS).
Fig. 1 shows the square-wave model of a RoQ attack. As shown in Fig. 1, the main parameters of a RoQ attack are the attack period T, the attack duration L and the attack amplitude R: once every period T, the attacker sends an attack packet stream at rate R for a duration of L.
It follows that the main characteristics of a RoQ attack are that the attack packet stream is periodic, high-rate and short-lived. The instantaneous high-rate packet stream causes link congestion, the system enters the congestion-control phase, and the sender adaptively lowers its sending rate. Because the attack is periodic, the system enters the congested state again before it has recovered to a steady state. A RoQ attack can use very little traffic, and even a single attack source can achieve the same effect as a flood attack, or close to it.
Existing denial-of-service detection methods essentially all detect anomalies by examining the average rate. Because a RoQ attack lasts too short a time and its average rate is too low, it successfully evades existing denial-of-service detection.
The prior art has proposed a method of detecting RoQ attacks by counting packets per flow, in which flows found to carry no RoQ attack are saved in a trusted-flow table.
In the course of making the present invention, the inventors found that the verification step that follows RoQ detection in this method does not reduce the flow's rate and relies on packet counting alone; the detection result is therefore inaccurate, and because it is inaccurate, it is hard to prevent attack packets from entering the backbone network and causing network congestion.
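The square-wave model above (period T, burst length L, rate R) and the claim that a mean-rate detector misses such a flow can be checked with a small simulation. The following is an added example, not code from the patent: it constructs one RoQ-style trace and one evenly spaced legitimate trace with the same average rate, shows that an average-rate threshold alarms on neither, and applies the kind of periodicity/high-rate/short-duration check the detection method's step S10 refers to. All traces, bin widths and thresholds are assumptions chosen for illustration.

```python
# Square-wave RoQ model (T, L, R) versus a mean-rate detector and a burst-feature check.
# Added example; all traces are constructed and all thresholds are assumptions.
from statistics import mean, pstdev


def square_wave_flow(period_ms, burst_ms, rate_pps, duration_ms):
    """Constructed RoQ trace: every period_ms, send at rate_pps for burst_ms.
    Returns integer packet timestamps in milliseconds."""
    gap_ms = 1000 // rate_pps            # spacing between packets inside a burst
    per_burst = burst_ms // gap_ms       # packets per burst (= R * L)
    return [t0 + i * gap_ms
            for t0 in range(0, duration_ms, period_ms)
            for i in range(per_burst)]


def constant_flow(rate_pps, duration_ms):
    """Constructed legitimate trace: evenly spaced packets at rate_pps."""
    return list(range(0, duration_ms, 1000 // rate_pps))


def mean_rate_pps(ts, duration_ms):
    return len(ts) * 1000 / duration_ms


def mean_rate_alarm(ts, duration_ms, threshold_pps):
    """Prior-art style check: alarm only when the average rate is high."""
    return mean_rate_pps(ts, duration_ms) >= threshold_pps


def bin_rates_pps(ts, duration_ms, bin_ms):
    """Instantaneous rate per fixed bin, in packets per second."""
    n = duration_ms // bin_ms
    counts = [0] * n
    for t in ts:
        counts[min(t // bin_ms, n - 1)] += 1
    return [c * 1000 / bin_ms for c in counts]


def burst_features(ts, duration_ms, bin_ms=50, high_rate_pps=300):
    """Group runs of high-rate bins into bursts and estimate L, T and R from them."""
    rates = bin_rates_pps(ts, duration_ms, bin_ms)
    bursts, i = [], 0
    while i < len(rates):
        if rates[i] < high_rate_pps:
            i += 1
            continue
        j = i
        while j < len(rates) and rates[j] >= high_rate_pps:
            j += 1
        bursts.append((i * bin_ms, (j - i) * bin_ms))   # (start, length) in ms
        i = j
    starts = [s for s, _ in bursts]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "bursts": len(bursts),
        "L_ms": mean(l for _, l in bursts) if bursts else 0.0,
        "T_ms": mean(gaps) if gaps else 0.0,
        "T_jitter_ms": pstdev(gaps) if len(gaps) > 1 else 0.0,
        "R_pps": max(rates),
    }


def is_suspicious_roq(feat, min_bursts=3, max_burst_ms=500, max_jitter_ms=100):
    """First-stage check in the spirit of step S10: periodic, high-rate, short bursts."""
    return (feat["bursts"] >= min_bursts
            and feat["L_ms"] <= max_burst_ms
            and feat["T_jitter_ms"] <= max_jitter_ms)


def demo():
    # T = 1 s, L = 100 ms, R = 500 pkt/s: average rate R*L/T = 50 pkt/s,
    # identical to the constructed legitimate flow.
    roq = square_wave_flow(period_ms=1000, burst_ms=100, rate_pps=500, duration_ms=10_000)
    legit = constant_flow(rate_pps=50, duration_ms=10_000)
    return {
        "roq_mean": mean_rate_pps(roq, 10_000),
        "legit_mean": mean_rate_pps(legit, 10_000),
        "mean_alarm_roq": mean_rate_alarm(roq, 10_000, threshold_pps=200),
        "roq_suspicious": is_suspicious_roq(burst_features(roq, 10_000)),
        "legit_suspicious": is_suspicious_roq(burst_features(legit, 10_000)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the background makes is visible in the returned dictionary: both flows average 50 packets per second, so the average-rate check cannot separate them, while the burst features (ten bursts of 100 ms spaced exactly 1 s apart at 500 packets per second) mark only the square-wave flow as suspicious. This is only the first stage; the patent then confirms the suspicion with a second count over a window supplied by the source end.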
Summary of the invention
Embodiments of the invention provide a degradation attack detection method that can improve the accuracy of RoQ detection and reduce network congestion.
To solve the above technical problem, in one aspect an embodiment of the invention provides a degradation attack detection method, comprising:
performing degradation attack flow detection on a packet flow at the server end and, when a suspicious RoQ flow is detected, sending to the source end the time period during which packet information statistics are to be collected on the subsequent packets of the suspicious RoQ flow;
receiving from the source end the statistics on the subsequent packets of the suspicious RoQ flow within that time period, and detecting the suspicious RoQ flow again according to those statistics;
when the repeated detection confirms that the suspicious RoQ flow is a RoQ flow, notifying the source end to discard the RoQ flow.
In another aspect an embodiment of the invention provides a degradation attack defence method, comprising:
the source end receiving from the server end the time period during which packet information statistics are to be collected on the subsequent packets of a suspicious RoQ flow;
the source end collecting statistics on the subsequent packets of the suspicious RoQ flow within that time period to obtain statistical information, and sending that information to the server end so that the suspicious RoQ flow can be confirmed;
receiving information sent by the server end confirming that the suspicious RoQ flow is a RoQ flow, and the source end discarding the RoQ flow.
In another aspect an embodiment of the invention provides a degradation attack detection device, comprising:
a receiving unit, for receiving the packet flow and the packet statistics sent by the source end;
a detecting unit, for performing degradation attack flow detection on the packet flow received by the receiving unit and, after a suspicious RoQ flow is detected, detecting and confirming the suspicious RoQ flow again according to the packet statistics;
a sending unit, for sending a processing message to the source end according to the detection result of the detecting unit.
In another aspect an embodiment of the invention provides an access device, comprising:
a sending unit, for sending the packet flow and the packet statistics for a predetermined time period to the server end;
a receiving unit, for receiving from the server end the time period during which packet information statistics are to be collected on the subsequent packets of a suspicious RoQ flow;
a processing unit, for collecting packet information statistics on the subsequent packets of the suspicious RoQ flow within that time period to obtain the packet statistics for the period and, when the server end has detected the suspicious RoQ flow again according to those statistics and confirmed that it is a RoQ flow, forwarding the RoQ flow for discarding.
With the access device of the embodiments of the invention, after the server end confirms that a suspicious RoQ flow is a RoQ flow, the RoQ flow is forwarded for discarding. The defence against the RoQ flow is thus realised at the source end, attack packets can be prevented from entering the backbone network, and network congestion is reduced.
Description of drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a sketch of the square-wave model of a RoQ attack in the prior art;
Fig. 2 is a flow chart of the degradation attack detection method of an embodiment of the invention;
Fig. 3 is a flow chart of the degradation attack defence method of an embodiment of the invention;
Fig. 4 shows the packet flow handling process when the server end detects and confirms that a suspicious RoQ flow is a RoQ flow;
Fig. 5 shows the packet flow handling process when the server end detects and confirms that a suspicious RoQ flow is a non-RoQ flow;
Fig. 6 is a block diagram of the degradation attack detection device of an embodiment of the invention;
Fig. 7 is a block diagram of another embodiment of the degradation attack detection device of the invention;
Fig. 8 is a block diagram of the access device of an embodiment of the invention;
Fig. 9 is a block diagram of another embodiment of the access device of the invention.
Embodiment
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the protection scope of the invention.
Fig. 2 is a flow chart of the degradation attack detection method of an embodiment of the invention. As shown in Fig. 2, the degradation attack detection method of the embodiment comprises:
S10: at the server end, performing degradation attack (RoQ) flow detection on a packet flow and, when a suspicious RoQ flow is detected, determining and sending to the source end the time period during which packet information statistics are to be collected on the subsequent packets of the suspicious RoQ flow;
S11: receiving from the source end the statistics on the subsequent packets of the suspicious RoQ flow within that time period, and detecting the suspicious RoQ flow again according to those statistics;
S12: when the repeated detection confirms that the suspicious RoQ flow is a RoQ flow, notifying the source end to discard the RoQ flow.
In the degradation attack detection method of the embodiment, after a suspicious RoQ flow is detected, the flow is detected again according to the statistics that the source end collected on its subsequent packets, and when the repeated detection confirms that the suspicious RoQ flow is a RoQ flow, the source end is notified to discard it. This improves the accuracy of RoQ detection.
Further, in step S10, when the server end performs degradation attack flow detection on the packet flow, it may detect the characteristics of the flow, such as its periodicity, high rate and short duration; when the detected characteristics match those of a RoQ flow, the packet flow under detection can be determined to be a suspicious RoQ flow. When a suspicious RoQ flow is detected, the time period during which packet information statistics are to be collected on its subsequent packets is sent to the source end, so that the source end collects statistics on the subsequent packets of the suspicious RoQ flow within that period, for example the number of subsequent packets of the suspicious RoQ flow within the period.
When the time period for collecting packet information statistics on the subsequent packets of the suspicious RoQ flow is sent to the source end, an instruction to apply a special tag to the suspicious RoQ flow may also be sent to the source end. The source end can then, according to this instruction, apply the special tag to the suspicious RoQ flow so that it is distinguished from normal packet flows and can be defended against in a targeted way.
In step S11, detecting the suspicious RoQ flow again according to the statistics on its subsequent packets may be carried out by the method disclosed in US patent application US20080320585. Specifically, in this embodiment the suspicious RoQ flow is detected again according to the number of its packets within the time period: when the number of packets reaches a predetermined threshold, the suspicious RoQ flow is determined to be a real RoQ flow. Of course, the suspicious RoQ flow may also be detected again according to the number of response packets to the suspicious RoQ flow within the time period.
In step S12, notifying the source end to discard the RoQ flow when the repeated detection confirms that the suspicious RoQ flow is a RoQ flow comprises: when the repeated detection confirms that the suspicious RoQ flow is a RoQ flow, notifying the source end to confirm the special tag applied to the suspicious RoQ flow and to discard the RoQ flow. By detecting the packet flow at the server end and defending effectively at the source end against the RoQ attack confirmed by detection, attack packets can be prevented from entering the backbone network, and network congestion is reduced.
When the repeated detection confirms that the suspicious RoQ flow is not a RoQ flow, the source end is notified to revoke the special tag applied to the suspicious RoQ flow.
Fig. 3 is a flow chart of the degradation attack defence method of an embodiment of the invention. As shown in Fig. 3, corresponding to the degradation attack detection method above, the embodiment of the invention provides a degradation attack defence method, comprising:
S21: the source end receiving from the server end the time period during which packet information statistics are to be collected on the subsequent packets of a suspicious RoQ flow;
S22: the source end collecting statistics on the subsequent packets of the suspicious RoQ flow within that time period to obtain statistical information, and sending that information to the server end so that the server can confirm the suspicious RoQ flow;
S23: the source end receiving information sent by the server end confirming that the suspicious RoQ flow is a RoQ flow, and discarding the RoQ flow.
In the degradation attack defence method of the embodiment, after the server end confirms that a suspicious RoQ flow is a RoQ flow, the source end discards the RoQ flow. The defence against the RoQ flow is thus realised at the source end, attack packets can be prevented from entering the backbone network, and network congestion is reduced.
In step S21, when receiving from the server end the time period for collecting packet information statistics on the subsequent packets of the suspicious RoQ flow, the method further comprises: receiving an instruction sent by the server end to apply a special tag to the suspicious RoQ flow;
applying the special tag to the suspicious RoQ flow, and smoothing the suspicious RoQ flow that carries the special tag. Smoothing the suspicious RoQ flow carrying the special tag, rather than dropping it, prevents the loss of legitimate packets if the RoQ judgement turns out to be wrong.
In step S22, collecting statistics on the subsequent packets of the suspicious RoQ flow within the time period to obtain statistical information comprises: counting the subsequent packets of the suspicious RoQ flow within the time period to obtain the number of packets within that period.
In step S23, receiving information sent by the server end confirming that the suspicious RoQ flow is a RoQ flow and the source end discarding the RoQ flow comprises: receiving information sent by the server end confirming the special tag applied to the suspicious RoQ flow; the source end confirming the special tag applied to the suspicious RoQ flow, and discarding the RoQ flow that carries the special tag. In this way the RoQ attack is defended against at the source end, attack packets can be prevented from entering the backbone network, and network congestion is reduced.
In another aspect of the degradation attack defence method of the embodiment, the method further comprises: receiving information sent by the server end to revoke the special tag applied to the suspicious RoQ flow; the source end revoking the special tag applied to the suspicious RoQ flow, applying a common label to the packet flow after the special tag is revoked, and forwarding it normally.
Below, the detection of and defence against a RoQ flow in a network made up of a source end and a server end is taken as an example to describe the degradation attack detection and defence method of the embodiments in detail. In the embodiments of the invention, the source end comprises a client, an access device and a flow management apparatus; the server end comprises a server device and a gateway device.
Fig. 4 shows the packet flow handling process when the server end detects and confirms that a suspicious RoQ flow is a RoQ flow. As shown in Fig. 4, the process comprises the steps:
31) the client sends a packet flow to the access device; the packet flow may be a RoQ flow;
32) the access device applies a common label to the packet flow and sends it to the flow management apparatus;
33) the flow management apparatus forwards the packet flow to the gateway device;
34) the gateway device detects the packet flow; when it detects that the packet flow is a suspicious RoQ flow, it sends to the access device an instruction to apply a special tag to the suspicious RoQ flow, together with the time period during which packet information statistics are to be collected on the subsequent packets of the suspicious RoQ flow;
when it detects that the packet flow is a non-RoQ flow, the gateway device forwards the packet flow to the server normally;
35) according to the instruction to apply a special tag, the access device applies the special tag to the suspicious RoQ flow and forwards the suspicious RoQ flow carrying the special tag to the flow management apparatus for smoothing;
36) the access device counts the subsequent packets of the suspicious RoQ flow during the time period and sends the number of packets counted in the period to the gateway device;
37) the gateway device detects the suspicious RoQ flow again according to the number of packets; when the repeated detection confirms that the suspicious RoQ flow is a RoQ flow, it notifies the access device to confirm the special tag of the RoQ flow;
38) the access device confirms the special tag of the RoQ flow and forwards the RoQ flow carrying the special tag to the flow management apparatus, which discards the RoQ flow.
Fig. 5 shows the packet flow handling process when the server end detects and confirms that a suspicious RoQ flow is a non-RoQ flow. As shown in Fig. 5, the process comprises the steps:
41) the client sends a packet flow to the access device; the packet flow may be a RoQ flow;
42) the access device applies a common label to the packet flow and sends it to the flow management apparatus;
43) the flow management apparatus forwards the packet flow to the gateway device;
44) the gateway device detects the packet flow; when it detects that the packet flow is a suspicious RoQ flow, it sends to the access device an instruction to apply a special tag to the suspicious RoQ flow, together with the time period during which packet information statistics are to be collected on the subsequent packets of the suspicious RoQ flow;
when it detects that the packet flow is a non-RoQ flow, the gateway device forwards the packet flow to the server normally;
45) according to the instruction to apply a special tag, the access device applies the special tag to the suspicious RoQ flow and forwards the suspicious RoQ flow carrying the special tag to the flow management apparatus for smoothing;
46) the access device counts the subsequent packets of the suspicious RoQ flow during the time period and sends the number of packets counted in the period to the gateway device;
47) the gateway device detects the suspicious RoQ flow again according to the number of packets; when the repeated detection confirms that the suspicious RoQ flow is a non-RoQ flow, it notifies the access device to revoke the special tag of the flow;
48) the access device revokes the special tag of the flow, applies a common label to the packet flow after the special tag is revoked and sends it to the flow management apparatus, which forwards the packet flow carrying the common label normally.
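The two processes of Figs. 4 and 5 (and steps S10 to S12 and S21 to S23 that they instantiate) share one message exchange between the gateway device at the server end and the access device at the source end: a suspicious-flow notice with a statistics window and a tag instruction, a packet count reported back, and a confirm or cancel decision. The following is an added example, not code from the patent, that drives both the confirm path and the cancel path through that exchange. The message names, the threshold, the window length and the two packet traces are constructed assumptions; the flow management apparatus is reduced to the disposition the access device would hand it.

```python
# Two-stage RoQ confirmation exchange between server end (gateway) and source end
# (access device), following the patent's Figs. 4 and 5. Added example; message
# names, thresholds and packet traces are constructed assumptions.
from dataclasses import dataclass, field

NORMAL_LABEL = "normal"
SPECIAL_LABEL = "special"


@dataclass
class AccessDevice:
    """Source end: tags flows, counts packets in the requested window, discards on confirm."""
    labels: dict = field(default_factory=dict)    # flow id -> current label
    windows: dict = field(default_factory=dict)   # flow id -> (start_ms, end_ms)
    confirmed: set = field(default_factory=set)   # flows whose special tag was confirmed

    def handle(self, msg):
        """Process one message from the gateway."""
        kind, flow = msg["type"], msg["flow"]
        if kind == "SUSPICIOUS":
            # Steps 34/35: apply the special tag and remember the statistics window.
            self.labels[flow] = SPECIAL_LABEL
            self.windows[flow] = msg["window"]
        elif kind == "CONFIRM":
            # Step 38: the special tag is confirmed; later packets are discarded.
            self.confirmed.add(flow)
        elif kind == "CANCEL":
            # Step 48: revoke the special tag and restore the common label.
            self.labels[flow] = NORMAL_LABEL
            self.windows.pop(flow, None)
        else:
            raise ValueError(f"unknown message type {kind!r}")

    def report_stats(self, flow, packet_ts):
        """Step 36: count this flow's packets inside the window and report the number."""
        start, end = self.windows[flow]
        count = sum(1 for t in packet_ts if start <= t < end)
        return {"type": "STATS", "flow": flow, "count": count}

    def dispose(self, flow):
        """What the source end does with the flow's next packet."""
        if flow in self.confirmed:
            return "discard"                       # confirmed RoQ flow
        if self.labels.get(flow) == SPECIAL_LABEL:
            return "smooth"                        # tagged but not yet confirmed
        return "forward"                           # common label, normal forwarding


@dataclass
class Gateway:
    """Server end: re-detects a suspicious flow from the reported packet count."""
    threshold: int          # assumed predetermined threshold on the count
    window_ms: int = 2000   # assumed length of the statistics window

    def flag_suspicious(self, flow, now_ms):
        """Step 34: send the tag instruction and the statistics window together."""
        return {"type": "SUSPICIOUS", "flow": flow,
                "window": (now_ms, now_ms + self.window_ms)}

    def recheck(self, stats):
        """Steps 37/47: a count reaching the threshold confirms a real RoQ flow."""
        kind = "CONFIRM" if stats["count"] >= self.threshold else "CANCEL"
        return {"type": kind, "flow": stats["flow"]}


def run_exchange(gateway, access, flow, packet_ts, now_ms):
    """Drive one suspicious flow through the exchange; return (verdict, disposition, transcript)."""
    transcript = []
    notice = gateway.flag_suspicious(flow, now_ms)
    transcript.append(notice["type"])
    access.handle(notice)
    stats = access.report_stats(flow, packet_ts)
    transcript.append(stats["type"])
    verdict = gateway.recheck(stats)
    transcript.append(verdict["type"])
    access.handle(verdict)
    return verdict["type"], access.dispose(flow), transcript


# Constructed packet timestamps (ms). Flow A keeps bursting after being flagged at
# t = 5000 (two bursts of 50 packets 2 ms apart); flow B was a false positive and
# only sends a trickle inside the window.
FLOW_A_TS = [5000 + p * 1000 + i * 2 for p in range(2) for i in range(50)]
FLOW_B_TS = [5000 + i * 100 for i in range(20)]


def demo():
    gw, ad = Gateway(threshold=60), AccessDevice()
    a = run_exchange(gw, ad, "flowA", FLOW_A_TS, now_ms=5000)
    b = run_exchange(gw, ad, "flowB", FLOW_B_TS, now_ms=5000)
    return a, b, ad.labels


if __name__ == "__main__":
    print(demo())
```

Flow A reports 100 packets in the 2 s window, reaches the threshold and ends up discarded while still carrying the special tag; flow B reports 20, is cancelled, and returns to normal forwarding under the common label. Between the SUSPICIOUS notice and the verdict a tagged flow is reported as "smooth", which is the property the defence method relies on so that a wrong first-stage judgement costs throughput rather than packets.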
Fig. 6 is a block diagram of the degradation attack detection device of an embodiment of the invention. As shown in Fig. 6, an embodiment of the invention also provides a degradation attack detection device 60 for implementing the method embodiments described above, comprising:
a receiving unit 61, for receiving the packet flow and the packet statistics sent by the source end;
a detecting unit 62, for performing degradation attack flow detection on the packet flow received by the receiving unit and confirming a suspicious RoQ flow according to the packet statistics;
a sending unit 63, for sending a processing message to the source end according to the detection result of the detecting unit.
The degradation attack detection device of the embodiment can perform degradation attack flow detection on a packet flow and, when a suspicious RoQ flow is detected, detect and confirm the suspicious RoQ flow again according to the packet statistics. This improves the accuracy of RoQ detection.
Fig. 7 is a block diagram of another embodiment of the degradation attack detection device of the invention. As shown in Fig. 7, on the basis of Fig. 6 the detecting unit 62 comprises:
a first detection module 621, for performing degradation attack flow detection on the packet flow received by the receiving unit, to determine whether the packet flow is a suspicious RoQ flow;
a second detection module 622, for detecting the suspicious RoQ flow again according to the packet statistics, to determine whether the suspicious RoQ flow is a RoQ flow.
Fig. 8 is a block diagram of the access device of an embodiment of the invention. As shown in Fig. 8, an embodiment of the invention also provides an access device 80 for implementing the method embodiments described above, comprising:
a sending unit 81, for sending the packet flow and the packet statistics for a predetermined time period to the server end;
a receiving unit 82, for receiving from the server end the time period during which packet information statistics are to be collected on the subsequent packets of a suspicious RoQ flow;
a processing unit 83, for collecting packet information statistics on the subsequent packets of the suspicious RoQ flow within that time period to obtain the packet statistics for the period and, when the server end has detected the suspicious RoQ flow again according to those statistics and confirmed that it is a RoQ flow, forwarding the RoQ flow for discarding.
With the access device of the embodiment, after the server end confirms that a suspicious RoQ flow is a RoQ flow, the RoQ flow is forwarded for discarding. The defence against the RoQ flow is thus realised at the source end, attack packets can be prevented from entering the backbone network, and network congestion is reduced.
Fig. 9 is a block diagram of another embodiment of the access device of the invention. As shown in Fig. 9, on the basis of Fig. 8, the receiving unit 82 is further used to receive the instruction sent by the server end to apply a special tag to the suspicious RoQ flow and the instruction sent by the server end to confirm the special tag.
The processing unit 83 further comprises:
a special tag processing module 831, for applying the special tag to the suspicious RoQ flow according to the instruction to apply a special tag sent by the server end, and for confirming the special tag according to the instruction to confirm the special tag received by the receiving unit;
a flow forwarding module 832, for forwarding the suspicious RoQ flow whose special tag has been confirmed for discarding.
Further, the flow forwarding module 832 is also used to forward the suspicious RoQ flow for smoothing.
The above is merely an embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any person skilled in the art could easily conceive of changes or substitutions within the technical scope disclosed by the present invention, and all of these should fall within the protection scope of the present invention. Therefore the protection scope of the present invention should be determined by the protection scope of the claims.

Claims (14)

1. A degradation attack detection method, characterized in that it comprises:
performing degradation attack flow detection on a packet flow at the server end and, when a suspicious degradation attack flow is detected, determining and sending to the source end the time period during which packet information statistics are to be collected on the subsequent packets of the suspicious degradation attack flow;
receiving from the source end the statistics on the subsequent packets of the suspicious degradation attack flow within the time period, and detecting the suspicious degradation attack flow again according to the statistics;
when the repeated detection confirms that the suspicious degradation attack flow is a degradation attack flow, notifying the source end to discard the degradation attack flow.
2. The degradation attack detection method according to claim 1, characterized in that, at the same time as the time period for collecting packet information statistics on the subsequent packets of the suspicious degradation attack flow is sent to the source end, the method further comprises:
sending to the source end an instruction to apply a special tag to the suspicious degradation attack flow.
3. The degradation attack detection method according to claim 2, characterized in that notifying the source end to discard the degradation attack flow when the repeated detection confirms that the suspicious degradation attack flow is a degradation attack flow comprises:
when the repeated detection confirms that the suspicious degradation attack flow is a degradation attack flow, notifying the source end to confirm the special tag applied to the suspicious degradation attack flow and to discard the degradation attack flow.
4. The degradation attack detection method according to claim 2, characterized in that the method further comprises:
when it is confirmed that the suspicious degradation attack flow is not a degradation attack flow, notifying the source end to revoke the special tag applied to the suspicious degradation attack flow.
5. A degradation attack defence method, characterized in that it comprises:
the source end receiving from the server end the time period during which packet information statistics are to be collected on the subsequent packets of a suspicious degradation attack flow;
the source end collecting statistics on the subsequent packet information of the suspicious degradation attack flow within the time period to obtain statistical information, and sending the statistical information to the server end so that the suspicious degradation attack flow is confirmed;
receiving information sent by the server end confirming that the suspicious degradation attack flow is a degradation attack flow, and the source end discarding the degradation attack flow.
6. The degradation attack defence method according to claim 5, characterized in that, at the same time as receiving from the server end the time period for collecting packet information statistics on the subsequent packets of the suspicious degradation attack flow, the method further comprises:
receiving an instruction sent by the server end to apply a special tag to the suspicious degradation attack flow;
applying the special tag to the suspicious degradation attack flow, and smoothing the suspicious degradation attack flow that carries the special tag.
7. The degradation attack defence method according to claim 5, characterized in that collecting statistics on the subsequent packet information of the suspicious degradation attack flow within the time period to obtain statistical information comprises:
counting the subsequent packets of the suspicious degradation attack flow within the time period to obtain the number of packets within the time period.
8. The degradation attack defence method according to claim 6, characterized in that receiving information sent by the server end confirming that the suspicious degradation attack flow is a degradation attack flow and the source end discarding the degradation attack flow comprises:
receiving information sent by the server end confirming the special tag applied to the suspicious degradation attack flow;
the source end confirming the special tag applied to the suspicious degradation attack flow, and discarding the degradation attack flow that carries the special tag.
9. The degradation attack defence method according to claim 6, characterized in that the method further comprises:
the source end receiving information sent by the server end to revoke the special tag applied to the suspicious degradation attack flow;
the source end revoking the special tag applied to the suspicious degradation attack flow, applying a common label to the packet flow after the special tag is revoked, and forwarding it normally.
10. A degradation attack detection device, characterized in that it comprises:
a receiving unit, for receiving the packet flow and the packet statistics sent by the source end;
a detecting unit, for performing degradation attack flow detection on the packet flow received by the receiving unit, when a suspicious degradation attack flow is detected, determining and sending to the source end the time period during which packet information statistics are to be collected on the subsequent packets of the suspicious degradation attack flow, receiving from the source end the statistics on the subsequent packets of the suspicious degradation attack flow within the time period, and detecting the suspicious degradation attack flow again according to the statistics;
a sending unit, for sending a processing message to the source end according to the detection result of the detecting unit.
11. The degradation attack detection device according to claim 10, characterized in that the detecting unit comprises:
The degradation attack detection device according to claim 10, wherein the detection unit comprises: 第一检测模块,用于对所述接收单元接收到的报文流进行降质攻击流检测,以确定所述报文流是否为可疑降质攻击流;A first detection module, configured to perform degraded attack flow detection on the message flow received by the receiving unit, so as to determine whether the message flow is a suspicious degraded attack flow; 第二检测模块,用于当检测出可疑降质攻击流时,确定并向源端发送对该可疑降质攻击流的后续报文进行报文信息统计的时间段,接收所述源端发送的在所述时间段内的该可疑降质攻击流的后续报文统计信息,根据所述报文统计信息对可疑降质攻击流进行再次检测,以确认所述可疑降质攻击流是否为降质攻击流。The second detection module is used to determine and send to the source end the time period for performing packet information statistics on subsequent packets of the suspicious degraded attack flow when a suspicious degraded attack flow is detected, and receive the time period sent by the source end Subsequent packet statistical information of the suspicious degraded attack flow within the time period, re-detecting the suspicious degraded attack flow according to the packet statistical information, to confirm whether the suspicious degraded attack flow is degraded attack flow. 12.一种接入设备,其特征在于,包括:12. 
An access device, characterized in that it comprises: 发送单元,用于向服务器端发送报文流及预定时间段内的报文统计信息;The sending unit is used to send the message stream and the message statistical information within a predetermined time period to the server; 接收单元,用于接收服务器端发送的对可疑降质攻击流的后续报文进行报文信息统计的时间段;The receiving unit is used to receive the time period for performing packet information statistics on subsequent packets of suspicious degraded attack flows sent by the server; 处理单元,用于在所述时间段内对可疑降质攻击流的后续报文进行报文信息统计,获得所述时间段内的报文统计信息,以及在所述服务器端根据所述时间段内的报文统计信息对可疑降质攻击流进行再次检测确定所述可疑降质攻击流为降质攻击流时,对所述降质攻击流进行转发以用于丢弃处理。A processing unit, configured to perform packet information statistics on subsequent packets of the suspicious degraded attack flow within the time period, obtain packet statistics within the time period, and When the packet statistical information in the packet checks again the suspicious degraded attack flow and determines that the suspected degraded attack flow is a degraded attack flow, the degraded attack flow is forwarded for discarding. 13.根据权利要求12所述的接入设备,其特征在于:13. The access device according to claim 12, characterized in that: 所述接收单元,还用于接收服务器端发送的对可疑降质攻击流打上特殊标签的指令,和接收服务器端发送的对所述特殊标签进行确认的指令;The receiving unit is also used to receive an instruction sent by the server to mark the suspicious degraded attack flow with a special label, and receive an instruction sent by the server to confirm the special label; 所述处理单元进一步包括:The processing unit further includes: 特殊标签处理模块,用于根据所述服务器端发送的对可疑降质攻击流打上特殊标签的指令,对所述可疑降质攻击流打上特殊标签,以及根据所述接收单元接收的对所述特殊标签进行确认的指令对所述特殊标签进行确认;A special label processing module, configured to add a special label to the suspicious degraded attack flow according to the instruction of putting a special label on the suspicious degraded attack flow sent by the server, and to add a special label to the suspicious degraded attack flow according to the instruction received by the receiving unit. 
The instruction to confirm the label confirms the special label; 流转发模块,用于对经过特殊标签确认的可疑降质攻击流进行转发以用于丢弃处理。The flow forwarding module is used to forward the suspicious degraded attack flow confirmed by the special label for discarding. 14.根据权利要求13所述的接入设备,其特征在于:所述流转发模块,还用于对可疑降质攻击流进行转发以用于平滑处理。14. The access device according to claim 13, wherein the flow forwarding module is further configured to forward the suspected degraded attack flow for smooth processing.
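As an added illustration, not code from the patent or from Huawei's implementation, the following Python models the exchange the claims describe: server-side first detection, a statistics time period sent to the source, source-side counting of subsequent packets under a special label (with the labelled flow smoothed while pending), server-side re-detection, and then either discard at the source or revocation of the label. The burst and count thresholds, the message type and the sample traffic are constructed assumptions; the claims themselves prescribe no particular detection criterion.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumptions: thresholds, message shape and traffic are illustrative only.
BURST_WIN, BURST_PKTS = 0.1, 20      # >= BURST_PKTS packets inside a 0.1 s window is a burst
STATS_PERIOD, CONFIRM_PKTS = 2.0, 60  # count for 2 s; confirm if at least 60 packets arrived

@dataclass
class StatsRequest:  # server -> source: count packets in [start, end) and label the flow
    flow_id: str
    start: float
    end: float

def first_detect(flow_id: str, times: List[float], now: float) -> Optional[StatsRequest]:
    """Server first stage: a sliding BURST_WIN window holding >= BURST_PKTS packets is suspicious."""
    times, j = sorted(times), 0
    for i in range(len(times)):
        while times[i] - times[j] > BURST_WIN:
            j += 1
        if i - j + 1 >= BURST_PKTS:
            return StatsRequest(flow_id, now, now + STATS_PERIOD)
    return None

def redetect(packets: int) -> bool:  # server second stage: confirm only if the bursts persisted
    return packets >= CONFIRM_PKTS

class Source:  # access device at the source end
    def __init__(self) -> None:
        self.labelled, self.dropped = set(), set()
    def handle_request(self, req: StatsRequest, later: List[float]) -> int:
        self.labelled.add(req.flow_id)   # specially labelled flows are smoothed while pending
        return sum(req.start <= t < req.end for t in later)   # statistic sent back to the server
    def apply_decision(self, flow_id: str, confirmed: bool) -> None:
        if confirmed:
            self.dropped.add(flow_id)    # label confirmed: discard at the source, before the core
        else:
            self.labelled.discard(flow_id)  # label revoked: ordinary label, normal forwarding

def run_exchange(flow_id: str, seen: List[float], later: List[float], now: float = 1.0) -> str:
    req = first_detect(flow_id, seen, now)      # `seen`: server-side timestamps, `later`: source-side
    if req is None:
        return "clean"
    src = Source()
    src.apply_decision(flow_id, redetect(src.handle_request(req, later)))
    return "discard" if flow_id in src.dropped else "revoked"

# Constructed traffic: a periodic-burst RoQ flow (25 packets every 0.5 s) and a steady benign flow.
ROQ_SEEN = [i * 0.002 for i in range(25)]
ROQ_LATER = [1.0 + b * 0.5 + i * 0.002 for b in range(4) for i in range(25)]
BENIGN_SEEN = [i * 0.01 for i in range(100)]
```

A flow that bursts once but then stays quiet through the counting period is reported below the confirmation threshold, so its label is revoked rather than the flow dropped, which is the false-positive path claims 4 and 9 provide for.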
CN2010101792442A 2010-05-21 2010-05-21 Degradation attack detection and defense method, detection equipment and access equipment Expired - Fee Related CN101834761B (en)

Publications (2)

Publication Number Publication Date
CN101834761A CN101834761A (en) 2010-09-15
CN101834761B true CN101834761B (en) 2012-02-22

Family

ID=42718697

Country Status (1)

Country Link
CN (1) CN101834761B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100369416C (en) * 2005-05-09 2008-02-13 杭州华三通信技术有限公司 Method for detecting flow attacking message characteristic of network equipment
WO2008148106A1 (en) * 2007-05-25 2008-12-04 New Jersey Institute Of Technology Proactive test-based differentiation method and system to mitigate low rate dos attacks
CN101640594B (en) * 2008-07-31 2013-01-23 北京启明星辰信息技术股份有限公司 Method and unit for extracting traffic attack message characteristics on network equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20170713

Address after: 510640 Guangdong City, Tianhe District Province, No. five, road, public education building, unit 371-1, unit 2401

Patentee after: Guangdong Gaohang Intellectual Property Operation Co., Ltd.

Address before: 518129 headquarters building of Bantian HUAWEI base, Longgang District, Guangdong, Shenzhen

Patentee before: Huawei Technologies Co., Ltd.

CB03 Change of inventor or designer information

Inventor after: Zhang Qiaozhen

Inventor before: Zhang Bo

Inventor before: Hu Xinyu

Inventor before: Xin Yang

Inventor before: Zhao Yuchao

Inventor before: Wang Yong

Inventor before: Bai Yuan

Inventor before: Qin Jiancheng

TR01 Transfer of patent right

Effective date of registration: 20170929

Address after: A group of Lankao County Nan Zhang Zhen Pei Zhai Cun, Henan city 475315

Patentee after: Zhang Qiaozhen

Address before: 510640 Guangdong City, Tianhe District Province, No. five, road, public education building, unit 371-1, unit 2401

Patentee before: Guangdong Gaohang Intellectual Property Operation Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120222

Termination date: 20180521