
CN102457489B - Low-rate DoS (LDoS) attack, detection and defense module - Google Patents


Info

Publication number: CN102457489B
Authority: CN (China)
Application number: CN201010519862.7A
Other versions: CN102457489A
Other languages: Chinese (zh)
Inventor: 吴志军
Current assignee: Tianjin Lingzhi Haoyue Aviation Technology Co ltd
Original assignee: Civil Aviation University of China
Legal status: Active
Prior art keywords: attack, ldos, puppet, attacks, detection
History: application filed by Civil Aviation University of China; priority to CN201010519862.7A; publication of CN102457489A; application granted; publication of CN102457489B.


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a low-rate denial-of-service (LDoS) attack, detection and defense module. A low-rate denial-of-service (LDoS) attack is a new type of DoS attack that exploits TCP's congestion control mechanism. Because the average attack rate of LDoS is low, it can evade traditional detection methods. The invention first simulates the periodic traffic of an LDoS attack and tests the attack performance; experiments show that LDoS attacks are highly concealed and highly destructive. Second, a detection algorithm based on time-window statistics is proposed; test results show that it detects LDoS attacks efficiently. Finally, the invention adopts a "black and white list" defense method based on flow tables; results show that this defense method effectively defends against LDoS attacks. With the technical solution provided by the invention, an LDoS attack can be carried out, its effect tested, and the attack effectively detected and defended against.

Description

Low-rate DoS (LDoS) attack, detection and defense module

Technical field

The invention relates to a computer network security technology. The system simulates a new type of low-rate denial-of-service (LDoS) attack, tests the attack performance, and effectively detects and defends against this kind of attack.

Technical background

Denial-of-service (DoS) attacks are currently the biggest threat facing the Internet. A traditional DoS attack mainly sends massive numbers of packets from attacking machines to consume the network or computing resources of the target server, so that users cannot use the server's resources and service is denied. This kind of attack is called a flooding-based denial-of-service (FDoS) attack; typical examples are SYN/ACK floods, UDP floods and ICMP floods. Many detection and defense methods against FDoS attacks already exist. As attack techniques develop further, new denial-of-service attacks keep emerging, and LDoS is one of them. Research on LDoS attacks is still in its infancy, but the related work has appeared mainly at first-class international conferences in recent years, showing that it has received considerable attention. In 2003, at SIGCOMM, the top conference in computer networking, Aleksandar of Rice University first proposed a low-rate denial-of-service attack against TCP, targeting mainly the weaknesses of the TCP congestion control mechanism. The paper proposed a potential Low-Rate Denial of Service (LDoS) attack model: with accurate timing, only a small amount of attack data is needed to cause denial of service or a drop in service quality at the victim. At ICNP 2004 and INFOCOM 2005, Guirguis proposed the RoQ attack, which likewise exploits weaknesses in TCP congestion control and in router queue management to degrade the performance of a specific router. At NDSS 2005, Xiapu Luo proposed the pulsing attack, whose principle is very similar to the LDoS attack. In 2005 an LDoS attack was discovered on the Internet2 Abilene backbone, and LDoS attacks became a reality.

Principle of the LDoS attack: the timeout-retransmission and AIMD mechanisms of TCP congestion control are considered separately, and LDDoS attacks against TCP are divided into two categories: LDDoS attacks based on the timeout-retransmission mechanism and LDDoS attacks based on the AIMD mechanism.

1. LDoS attack based on the timeout-retransmission mechanism

Under the TCP timeout-retransmission mechanism, the sender sets a timer for each segment it sends. If the timer expires before an acknowledgement of that segment is received, the sender reduces its congestion window cwnd to 1, retransmits the segment, sets the RTO to q times its previous value according to the exponential back-off algorithm (q is usually 2), and waits for the acknowledgement. If the retransmitted packet also times out, it keeps retransmitting until the retransmission succeeds or is abandoned; once an acknowledgement of the retransmission arrives, the connection enters slow start. According to the TCP protocol, when the sender receives the ACK of a non-retransmitted segment it updates the RTO of the link from the measured round-trip time RTT; formula (2.1) gives the calculation:

RTO = min{RTO_max, max{RTO_min, SRTT + max(G, 4 × VRTT)}}    (2.1)

To bring the network close to optimal throughput, the recommended minimum retransmission timeout RTO_min is 1 s. RTO_max is the upper bound on the RTO. G is the clock granularity, and SRTT and VRTT denote the smoothed round-trip time and the round-trip time variation, respectively.

2. LDDoS attack based on the AIMD mechanism

According to the TCP protocol, when the TCP sender enters fast recovery it invokes the AIMD algorithm to adjust the congestion window. Define the generalized AIMD(a, b) with a > 0 and 0 < b < 1. The algorithm is as follows: when the sender enters fast recovery, the congestion window is reduced from W to b × W; then, every RTT, the congestion window is increased by a, and this continues until another congestion signal is received. TCP Tahoe, TCP Reno and others use AIMD(1, 0.5). Many TCP implementations do not send an ACK for every packet received, but only after d consecutive packets have arrived. The additive increase of the generalized AIMD(a, b) is therefore modified to: every d RTTs the congestion window increases by a, which can equivalently be stated as: every RTT the congestion window increases by a/d.

Unlike the LDDoS attack based on the timeout-retransmission mechanism, the attack pulses of the AIMD-based LDDoS attack are slightly weaker and cause only mild network congestion: the congestion signal the TCP sender receives is three duplicate ACK packets rather than a retransmission-timer expiry. Under the AIMD algorithm, on receiving three duplicate ACKs the TCP sender immediately retransmits the packet, reduces its congestion window cwnd to b × cwnd (the MD step), and then grows the window linearly according to the additive-increase (AI) step. Under an AIMD-based LDDoS attack the link stays in the AIMD state and never enters timeout retransmission or slow start, but its congestion window keeps shrinking and system performance degrades step by step, until the congestion window falls to a limit value and stays around it; system performance is then at its worst and cannot recover.
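To make the convergence claim in the paragraph above concrete, here is an added Python model (not code from the patent) of the generalized AIMD(a, b) rule when a congestion signal arrives every P RTTs: each signal multiplies the window by b, and between signals the window grows a/d per RTT. It goes one step beyond the text by giving the fixed point W* = (a/d)·P/(1 − b) that the window settles at; the values a = 1, b = 0.5, d = 1, P = 2 and the initial window of 64 segments are assumptions chosen for the demonstration.

```python
"""Congestion-window evolution under periodic three-duplicate-ACK signals.

Added example, not the patent's code.  The model applies the AIMD(a, b)
rule described in the text with a congestion signal every P RTTs; all
parameter values are assumed for the demonstration.
"""
from typing import List


def aimd_trace(w0: float, a: float, b: float, d: int, period_rtts: int,
               signals: int) -> List[float]:
    """Return the window reached just before each of `signals` congestion
    signals, starting from window w0, when signals arrive every P RTTs."""
    w = w0
    trace: List[float] = []
    for _ in range(signals):
        w = b * w                    # multiplicative decrease (MD) on 3 dup ACKs
        w += (a / d) * period_rtts   # additive increase (AI) of a/d per RTT until the next signal
        trace.append(w)
    return trace


def aimd_limit(a: float, b: float, d: int, period_rtts: int) -> float:
    """Fixed point W* of the map W -> b*W + (a/d)*P, i.e. the limit value the
    text says the window falls to and stays around: W* = (a/d)*P / (1 - b)."""
    return (a / d) * period_rtts / (1.0 - b)


if __name__ == "__main__":
    trace = aimd_trace(64.0, a=1.0, b=0.5, d=1, period_rtts=2, signals=12)
    print("window before each signal:", [round(w, 3) for w in trace])
    print("limit W* =", aimd_limit(1.0, 0.5, 1, 2))
```

The trace starts at 64 segments and halves the distance to W* on every signal; after a dozen signals the window is pinned a few hundredths above the limit, which is the "cannot recover" state the paragraph describes: the sender never sees a timeout, so it never leaves this regime on its own.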

Traditional DoS attacks usually aim at a particular target server or a particular application; for example, a SYN attack on a web server sends a large number of SYN packets to port 80 of the server. An LDoS attack can affect every TCP flow passing through the bottleneck link, so its impact is greater. According to related research, LDoS attacks are effective against many versions of TCP, including TCP Tahoe, TCP Reno, TCP NewReno and TCP SACK, because none of these versions was designed with security in mind and all are easily fooled by the short-term congestion the attack creates. At the same time, the queue management mechanism used on the bottleneck link, whether Droptail, RED, RED-PD or Choke, has little effect on the effectiveness of an LDoS attack. These queue management mechanisms perform statistical detection over longer time scales and can limit abnormal flows that send heavy traffic for a long time, but an LDoS attack sends heavy traffic only for a very short time and its average rate is small, so it easily escapes detection and filtering.

Compared with traditional flooding denial-of-service attacks, LDoS attacks are more covert. First, an LDoS attack congests the link only for short periods and can achieve a similar effect with much less traffic, meaning that an attacker does not need to control a large number of puppet machines to launch the attack, which makes its goal easier to reach. Second, an LDoS attack can take many forms: it can be launched from a single host or jointly from several hosts, and with several hosts the attack traffic of each host is reduced further, making detection even harder. Third, an LDoS attack only needs to congest the link to reach its goal, so it can use any kind of traffic, including TCP flows. Attack flows mixed into normal TCP flows are harder to filter, and the destination address of the traffic can also vary, as long as the traffic passes through the bottleneck link.

Traditional detection methods no longer apply to LDoS detection. Yu Chen, Kai Hwang et al. proposed a detection method based on digital signal processing that analyses the power spectral density, and since then signal-processing methods have become a research hotspot. Later, Kai Hwang and Yu-Kwong Kwok proposed a method called HAWK to identify malicious LDoS attack flows, but HAWK is only suitable for attacks from a single source address. More recently, Luo and Chang found that once an attack starts the incoming traffic and the outgoing ACK traffic change greatly, and based on this property they proposed a wavelet-analysis method: the first part uses the discrete wavelet transform (DWT) to detect abnormal traffic, and the second part uses a special CUSUM (cumulative sum) method to detect change points. Because the results of wavelet-based detection depend heavily on the choice of parameters, it is hard to choose a single optimal parameter that maintains a high detection rate together with very low false-positive and false-negative rates.

At present, both internationally and domestically, how to effectively defend against DoS attacks and protect the target (host or server) has become a research focus and a hard problem. Because LDoS differs from traditional flooding DoS attacks, with a small traffic volume that existing detection mechanisms find hard to detect, it is more threatening and destructive to the network. So far there has been relatively little domestic research on this kind of attack; the current detection methods all have certain shortcomings, and there is as yet no good defense method against LDoS attacks.

Contents of the invention

To study the effect of LDoS attacks and methods for detecting and defending against them, the invention first develops an LDoS attack tool, then uses a time-window-based detection method to improve detection efficiency, and finally uses a "black and white list" method based on Flowtables to filter LDoS attacks; experimental results show that the filtering method is effective. LDoS is expected to break out on a large scale in the future and become a powerful tool of the underground economy, so the invention has important economic value.

(1) LDoS attack and attack-effect test subsystem

The attack tool consists of an attack server and an attack client. The server program is first implanted on a compromised host and is mainly used to receive attack commands and send LDoS attack traffic to the target host. The client's main function is to configure the attack: the target, the attack duration, the hosts that launch the attack, and other settings. First, information about the target is collected, including its IP address, its open port number and the link bandwidth. Then attack traffic with the corresponding parameters is generated from the collected information. The test tool must simulate normal traffic, testing and comparing the page response time of the HTTP service and the traffic of the FTP service. The attack-effect test simulates normal users accessing the server and compares the page response time and the FTP traffic with and without the attack.

(2) LDoS detection subsystem

The detection sub-module is deployed at the victim end. Based on the fact that LDoS attacks are periodic pulses, the victim's traffic is sampled every t seconds; one time window is t' seconds and one judgment period is T seconds. Every t' seconds the number of burst pulses is checked: the samples taken at interval t within the t' seconds form a sequence

x(n) (n = 0, 1, 2, …, k−1), where k = t'/t.

Select the maximum value max = x(index) from x(n) and record the subscript index of the maximum. If index = 0, test whether

$$\max > \partial \left[ \sum_{i=1}^{2} x(i) / 2 \right], \quad \text{where } \partial \text{ is the threshold coefficient,}$$

holds; if it holds, a burst pulse exists. If index = n−1, test whether

$$\max > \beta \left[ \sum_{i=n-3}^{n-2} x(i) / 2 \right], \quad \text{where } \beta \text{ is the threshold coefficient,}$$

holds; if it holds, a burst pulse exists. Otherwise, test whether

$$\max > \lambda \left[ \left( \sum_{i=0}^{\mathrm{index}-1} x(i) + \sum_{i=\mathrm{index}+1}^{n-1} x(i) \right) / (n-1) \right], \quad \text{where } \lambda \text{ is the threshold coefficient,}$$

holds; if it holds, a burst pulse exists. Whenever a burst pulse exists, the decision counter C is incremented by 1 after that time window t'. When the judgment time T is reached, check whether the counter value accumulated within T seconds exceeds the threshold M; if C > M holds, an attack is declared.
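As an added illustration (not code from the patent), the following Python applies the three threshold tests and the C > M decision to a constructed packet-count series. The parameter values (t = 0.1 s, t' = 1.2 s so k = 12, T = 12 s giving ten windows, all three threshold coefficients 3, M = 6), the baseline counts and the pulse height are assumptions made for the demonstration; the page gives the rule, not these values.

```python
"""Time-window statistical LDoS detector.

Added example, not the patent's own program.  Parameter values (t, t', T,
thresholds, M) and the sample series are constructed for the demonstration.
"""
from typing import List, Sequence, Tuple


def window_has_burst(x: Sequence[float], alpha: float, beta: float, lam: float) -> bool:
    """Apply the three threshold tests of the patent to one time window.

    x holds the k = t'/t packet-count samples of one window.  The peak is
    compared with the mean of its neighbours: the two samples after it when
    it is the first sample, the two before it when it is the last, and all
    remaining samples otherwise.
    """
    n = len(x)
    if n < 3:
        raise ValueError("a window needs at least three samples")
    index = max(range(n), key=lambda i: x[i])
    peak = x[index]
    if index == 0:
        return peak > alpha * (x[1] + x[2]) / 2
    if index == n - 1:
        return peak > beta * (x[n - 3] + x[n - 2]) / 2
    rest = sum(x) - peak
    return peak > lam * rest / (n - 1)


def judge_period(samples: Sequence[float], k: int, alpha: float, beta: float,
                 lam: float, m: int) -> Tuple[bool, int]:
    """Split one judgment period into windows of k samples, count the windows
    containing a burst pulse (decision counter C) and declare an attack if C > M."""
    windows = [samples[i:i + k] for i in range(0, len(samples) - k + 1, k)]
    c = sum(1 for w in windows if window_has_burst(w, alpha, beta, lam))
    return c > m, c


# Constructed series: t = 0.1 s, t' = 1.2 s (k = 12), T = 12 s (10 windows).
K = 12
BASE = [100, 103, 98, 101, 99, 102, 100, 97, 104, 100, 99, 101]  # quiet window


def make_period(burst_positions: List[int], pulse: float = 900.0) -> List[float]:
    """Build ten windows; window w gets a single pulse of `pulse` packets at
    sample position burst_positions[w], or stays quiet when that entry is -1."""
    series: List[float] = []
    for w in range(10):
        win = list(BASE)
        if burst_positions[w] >= 0:
            win[burst_positions[w]] = pulse
        series.extend(win)
    return series


QUIET = make_period([-1] * 10)
# Eight of ten windows carry a pulse; positions 0 and 11 exercise the two
# edge tests, the others exercise the general test.
ATTACKED = make_period([0, 5, 11, 3, 7, -1, 6, 2, -1, 9])

if __name__ == "__main__":
    for label, series in (("quiet", QUIET), ("attacked", ATTACKED)):
        attack, c = judge_period(series, K, alpha=3.0, beta=3.0, lam=3.0, m=6)
        print(f"{label}: C={c}, attack={attack}")
```

The quiet period yields C = 0 and the attacked one C = 8 > M. Note that a pulse landing on the first or last sample of a window is judged against only two neighbours, so the edge thresholds ∂ and β are the ones to tune when the pulse period and window length are close, as they are in the embodiment (1150 ms versus 1.2 s).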

(3) LDoS defense subsystem

The defense sub-module consists of five modules: packet capture, packet analysis, statistics, storage and filtering. If a possible attack is detected in the network, the packets entering the victim end are analysed: the source and destination addresses, source and destination port numbers and protocol number of each packet are stored as flow information in the "white list" (normal flow table). When the judgment moment arrives, this information is compared with the "red list" (suspicious flow table) built up earlier by learning; if the suspicious information is not in the "red list", it is judged to be an attack and those flows are moved to the "black list" (attack flow table). Finally, the filtering module generates filtering rules with an iptables script generator, and the Netfilter kernel module then filters the corresponding attack flows in the kernel.

Description of the drawings

Figure 1 shows the LDoS attack model: (a) a single-source LDoS attack flow, (b) two half-rate LDoS attack flows.

Figure 2 shows the network topology in which the module is used. It contains 6 PCs, 1 server, 2 routers and 2 switches. The detection and defense system sits on the router one hop upstream of the victim. The routers in the figure are Cisco 2621 and the bottleneck bandwidth between them is 100 Mbps. The other devices are configured as in the following table:

| Machine | IP address | Operating system |
| Console | 10.1.20.8 | Red Hat 9.0 |
| Puppet machine 1 | 10.1.20.140 | Fedora Core 4 |
| Puppet machine 2 | 10.1.20.141 | Fedora Core 4 |
| Puppet machine 3 | 10.1.20.142 | Fedora Core 4 |
| Normal user 4 | 10.1.20.150 | Windows XP |
| Normal user 5 | 10.1.20.160 | Windows XP |
| Server | 10.1.10.12 | Fedora Core 4 |

Figure 3 is the workflow diagram of the whole LDoS attack, detection and defense system.

Figure 4 shows the actual measurement results of the link bandwidth.

Figure 5 is the curve of the page read response time of the HTTP service.

Figure 6 is the monitoring chart of the FTP service data traffic.

Figure 7 is the flowchart of the time-window-based detection method.

Figure 8 is the structure diagram of the defense subsystem.

Figure 9 shows the attack flow information collected after Flowtables processing.

Figure 10 is the statistics chart of FTP service traffic after the defense system is enabled.

Detailed description of the embodiments

1. Use Nmap to scan the ports of the attack target 10.1.20.100 and collect related information. The scan finds that port 7775 is open, so port 7775 is selected as the attack port.

2. Determination of the attack amplitude. The dedicated software IxChariot developed by NetIQ is used to test the maximum throughput of the target, to determine the size of the attack traffic each attacking zombie machine sends. Running the IxChariot test gives an average throughput of about 12.000 Mbytes/s (about 100 Mbps), as shown in Figure 4.

3. Three zombie machines are used for the attack, and the attack amplitude of each zombie is set to 40 Mbps. The specific LDoS attack parameters are: pulse amplitude 40 Mbps, pulse duration 150 ms, pulse period 1150 ms.

The commands used to generate the attack flow are as follows:

1) mk_dos_trace.out00100150115050file_name.txt

2) cd /usr/site/bin

3) matlab

4) a = load('file_name.txt')

where file_name.txt is obtained from the third step.

5) pswrite('test_file.bin', a)

This produces the binary file test_file.bin containing the attack flow parameters.

4. The console implants the generated attack flow parameter file on the puppet machines.

5. LoadRunner is used to simulate normal traffic. The test simulates 10 users visiting the web page of Civil Aviation University of China, whose size is 52 k. At the beginning no attack traffic is added and there is only normal HTTP traffic. At about 6:30 minutes the LDoS attack is launched; it lasts about three and a half minutes and ends at 10:00 minutes. The page response time is recorded, as shown in Figure 5. Looking at the page read response time: between 0:00 and 6:30 minutes it averages about 1.6 seconds; between 7:00 and 9:30 minutes it varies from 3.2 seconds to 23.8 seconds; at 10:00 minutes, once the LDoS attack stops, it gradually recovers from 4.2 seconds at 8:30 minutes back to an average of about 1.6 seconds. Statistically, the page read response time rose by 15.9 seconds on average. The result shows that the LDoS attack has a large impact on the normal HTTP service.

6. The victim provides an FTP service and a normal user downloads a file from the server. Traffic changes are monitored at the normal user end and at the victim end, as shown in Figure 6. At the start there is no LDoS attack and the server's upload traffic is high. Once the attack is added, the server's upload traffic drops noticeably while the download traffic increases.

Experimental results: 20 representative experiments were selected; the results are shown in the table below:

Statistically, without an LDoS attack the client's average normal download traffic is 5.473 M; with the LDoS attack the average download traffic is 2.63 M. The average traffic drop is 51.9%.

7. Launch the attack, sample at the victim end, and count the number of packets in a time window of 1.2 s. The time-window-based detection algorithm is used. If a time window contains no burst pulse, its traffic is treated as normal, the normal traffic information is recorded in the normal flow table and detection continues; if it contains a burst pulse, its traffic is treated as suspicious, the suspicious traffic information is recorded in the suspicious flow table, the counter is incremented by 1 and monitoring continues. When a judgment period ends and the counter value exceeds the threshold, an attack is confirmed: the information in the suspicious flow table is compared with the normal flow table, and flow information present in the suspicious flow table but absent from the normal flow table is recorded in the attack flow table.
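The flow-table bookkeeping of the defense subsystem described in section (3) and in step 7 above, as an added Python example that is not the patent's program: windows without a burst feed the normal flow table, windows with a burst feed the suspicious flow table and the counter, and once C > M the flows that are suspicious but never normal become the attack flow table, from which iptables DROP rules are rendered (the rule form is the standard `iptables -A INPUT ... -j DROP` syntax, not the page's generator). The window labels, the port numbers and the two user flows are constructed; the addresses reuse the page's test topology.

```python
"""Flow-table ("black and white list") bookkeeping for the LDoS defense.

Added example, not the patent's program.  The flow records, the window
labels and the form of the generated iptables commands are constructed for
the demonstration; the addresses reuse the page's test topology.
"""
from typing import Dict, List, NamedTuple, Sequence, Set, Tuple


class Flow(NamedTuple):
    """One entry of a flow table: the five-tuple the patent stores."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    proto: int  # IP protocol number


def build_flow_tables(windows: Sequence[Tuple[bool, Sequence[Flow]]]
                      ) -> Tuple[Set[Flow], Set[Flow], int]:
    """Sort the flows of one judgment period into the normal and suspicious
    flow tables and count the windows that contained a burst pulse (C)."""
    normal: Set[Flow] = set()
    suspicious: Set[Flow] = set()
    c = 0
    for has_burst, flows in windows:
        if has_burst:
            suspicious.update(flows)
            c += 1
        else:
            normal.update(flows)
    return normal, suspicious, c


def attack_flow_table(normal: Set[Flow], suspicious: Set[Flow],
                      c: int, m: int) -> Set[Flow]:
    """If C > M an attack is declared; the attack flow table holds every
    suspicious flow that never appeared in a quiet window."""
    if c <= m:
        return set()
    return suspicious - normal


PROTO_NAMES: Dict[int, str] = {6: "tcp", 17: "udp"}


def iptables_rules(attack: Set[Flow], chain: str = "INPUT") -> List[str]:
    """Render one DROP rule per attack flow.  Port matches are only valid
    for tcp/udp, so other protocols are matched on addresses alone."""
    rules: List[str] = []
    for f in sorted(attack):
        name = PROTO_NAMES.get(f.proto)
        if name is None:
            rules.append(f"iptables -A {chain} -p {f.proto} -s {f.saddr} "
                         f"-d {f.daddr} -j DROP")
        else:
            rules.append(f"iptables -A {chain} -p {name} -s {f.saddr} "
                         f"--sport {f.sport} -d {f.daddr} --dport {f.dport} -j DROP")
    return rules


def defend(windows: Sequence[Tuple[bool, Sequence[Flow]]], m: int) -> List[str]:
    """Full pipeline for one judgment period: tables -> attack table -> rules."""
    normal, suspicious, c = build_flow_tables(windows)
    return iptables_rules(attack_flow_table(normal, suspicious, c, m))


# Constructed judgment period of ten windows (decision threshold M = 6).  The
# two FTP users appear in every window; the three puppet machines from the
# topology table appear only in the eight windows flagged with a burst pulse.
ZOMBIES = [Flow(f"10.1.20.14{i}", 40140 + i, "10.1.20.100", 7775, 6) for i in range(3)]
FTP = Flow("10.1.20.150", 51234, "10.1.10.12", 21, 6)
USER2 = Flow("10.1.20.160", 52000, "10.1.10.12", 21, 6)
BURST = [True, True, True, True, True, False, True, True, False, True]
WINDOWS = [(b, [FTP, USER2] + (ZOMBIES if b else [])) for b in BURST]

if __name__ == "__main__":
    for rule in defend(WINDOWS, m=6):
        print(rule)
```

The two user flows are present in the burst windows too, so they land in the suspicious table, but because they also appear in the quiet windows the set difference keeps them out of the attack table; only the three puppet flows are dropped. That is the precedence the page gives the normal flow table, and it is worth keeping in mind when sizing T: a legitimate flow that happens to start during a burst-only period has no quiet window to be whitelisted in.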

Detection results: the test results obtained for the three sampling lengths of 200 ms, 250 ms and 300 ms are shown in the following table:

| Time-domain sampling length | 150 ms | 200 ms | 250 ms |
| Accuracy | 96.5% | 97.1% | 98.3% |
| False negative rate | 2.8% | 2.6% | 1.7% |
| False alarm rate | 2.5% | 2.3% | 1.2% |

The time-window statistical detection method is quite efficient: the accuracy reaches 96.5% or higher, while the false negative and false alarm rates stay below 2.8%. The length of the sampling time also correlates with the result: the longer the sampling time, the better the performance.

Main program used to count the number of packets:

tcpstat 0.2 -s 6 -o "%n\n" > temp.txt

Main program used for traffic information analysis:

Main functions for the traffic information stored in the database:

1) Table structure:

CREATE TABLE normalflows (
    Id INT,
    Saddr CHAR(20),
    Sport CHAR(10),
    Daddr CHAR(20),
    Dport CHAR(10),
    Protocol INT,
    PRIMARY KEY (Id)
);

2) MySQL database API:

mysql_init(&mysql);  // initialize the connection handle

mysql_real_connect(&mysql, "localhost", "root", "", NULL, 3306, "/var/lib/mysql/mysql.sock", 0);  // connect to the database server (no default database; a NULL db, not the string "NULL")

mysql_select_db(&mysql, "netflow");  // select the database netflow

mysql_num_rows()  // returns the number of rows in a result set

mysql_real_query()  // executes the SQL query given as a counted string

mysql_real_query(&mysql, str, strlen(str));  // execute an SQL statement

mysql_close(&mysql);  // close the database connection

Detection effect

8. After an LDoS attack is detected, the defense subsystem starts working. The information in the attack flow table is extracted and passed to the iptables script generator, which adds the corresponding filtering rules and drops the attack packets. iptables rule settings:

Defense effect: the comparison with and without the defense mechanism is shown in the table below:

Figure 10 is the monitoring chart of the normal user's FTP traffic after the defense is enabled. The results show that the LDDoS detection and defense mechanism can accurately detect and defend against LDDoS attacks while keeping low false-negative and false-positive rates, and that the defense mechanism ensures the server can continue to provide normal service to legitimate users stably.

Claims (2)

1. An LDoS attack, detection and defense module, characterized by the following three submodules:
(1) an LDoS attack submodule;
(2) an LDoS attack detection submodule;
(3) an LDoS attack defense submodule;
Each submodule is characterized as follows:
Submodule (1) is the LDoS attack tool. It comprises an attack server end and an attack client. The server program is first implanted on captured hosts and is mainly used to receive attack instructions and send LDoS attack traffic to the target host. The main functions of the client are selecting the target of attack and setting the attack pulse period, the attack pulse width and the attack pulse strength; the client installed on the console mainly performs the following: 1) scan the puppet network, view the puppet hosts currently online, and generate an IP list file of the currently available puppet hosts, saved as a text file for program calls; 2) upload the bin file containing the attack parameters to the puppet machines, and notify the puppet machines of the IP address and port number of the target host; 3) set the time and duration at which the puppet machines launch the attack, and issue the attack instruction. The main functions of the server-side attack traffic generation tool uploaded to the puppet machines are: 1) receive the bin file containing the attack parameters sent by the client; 2) receive the attack instruction and set the attack moment precisely; 3) generate the corresponding attack traffic according to the received bin file and launch the attack;
Submodule (2) is the LDoS attack detection module. It adopts a statistical decision method based on time windows, divided into the following steps: 1) monitor the traffic at the router one hop upstream of the victim, sampling the traffic every t seconds; one time window is t' seconds, and one decision period is T seconds; 2) every t' seconds, detect the number of sudden pulses: sampling at interval t within t' seconds yields a sequence denoted
$x(n),\ n = 0, 1, 2, \dots, k-1,\quad \text{where } k = t'/t;$
From x(n) select the maximum max = x(index) and record the subscript index of the maximum. If index = 0, judge whether
$\max > \alpha \left[ \sum_{i=1}^{2} x(i) / 2 \right],$ where α is a threshold coefficient,
holds; if it holds, a sudden pulse exists. If index = n-1, judge whether
$\max > \beta \left[ \sum_{i=n-3}^{n-2} x(i) / 2 \right],$ where β is a threshold coefficient,
holds; if it holds, a sudden pulse exists. Otherwise, judge whether
$\max > \lambda \left[ \left( \sum_{i=0}^{index-1} x(i) + \sum_{i=index+1}^{n-1} x(i) \right) / (n-1) \right],$ where λ is a threshold coefficient,
holds; if it holds, a sudden pulse exists; 3) if a sudden pulse exists, the value C of the decision counter is incremented by 1 after each time window t'; 4) when the decision time T arrives, judge whether the value of the decision counter within T seconds exceeds the threshold M; if C > M holds, an attack is judged to have occurred;
Submodule (3) is the LDoS attack defense module. The defense method filters attack packets using FlowTable-based filtering. The basic idea of FlowTable-based filtering is to build an identifier list of the connections that have been established; during packet filtering, the connection identifier of each processed packet is extracted, and if the identifier belongs to that list the packet is passed, otherwise it is discarded. A connection is uniquely determined by five values of the two communicating ends, the source and destination addresses, the source and destination ports and the protocol number, 104 bits in total, which can serve as the identifier; or these five values are concatenated and a short hash digest is generated as the identifier. The identifiers of the established connections are listed in the "red list", which represents the normal flow table. If an attack is then detected in the network, the attacking flows are first placed in the "white list", which represents the suspicious flow table, and a decision is made after the alarm time arrives: if at that point these suspicious connections are not in the "red list", they can be judged to be attack packets, and the flows are moved into the "blacklist", which represents the attack flow table.
2. The LDoS attack, detection and defense module according to claim 1, characterized in that: 1) in the attack submodule the settings are: the IP address of the target host is 10.1.10.100, the IP address of puppet machine 1 is 10.1.20.140, the IP address of puppet machine 2 is 10.1.20.150, the IP address of puppet machine 3 is 10.1.20.160, the target host port number is 7775, the LDoS attack pulse period is 1150 ms, the attack pulse width is 150 ms, and the strength of a single attack pulse is 33 Mbps;
In the detection submodule the settings are: t = 200 ms, t' = 1.2 s, T = 6 s, threshold C = 3, and the threshold coefficients set by learning are β = 1.6 and λ = 1.8;
In the defense submodule, the database netflow stores all flows; database netflow has three tables: normalflows stores normal flows, suspectflows stores suspicious flows, and attackflows stores attack flows. The defense submodule generates filtering rules mainly by writing an iptables script generator, and then filters the attack flows in the kernel through the kernel module Netfilter.
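The time-window statistical decision of claim 1, submodule (2), run over constructed traffic samples with the parameters of claim 2 (t = 200 ms, t' = 1.2 s, T = 6 s, decision threshold 3, β = 1.6, λ = 1.8), as an added example in Python that is not the patent's own code. Claim 2 gives no value for α, so α = β is an assumption here, and the "threshold C = 3" of claim 2 is read as the M of claim 1. The traffic is constructed: a 2 Mbps baseline with a small deterministic ripple, 33 Mbps pulses of 150 ms every 1150 ms for the attack case, and a single isolated burst for the case that shows why the counter threshold exists:

```python
# Added example (not the patent's own code): the time-window statistical
# decision of claim 1, submodule (2), with the parameters of claim 2.
# Assumption: alpha = beta, since claim 2 lists only beta and lambda.
from typing import Sequence


def has_sudden_pulse(x: Sequence[float], alpha: float, beta: float, lam: float) -> bool:
    """One time window of n = t'/t samples; True if the window's maximum exceeds
    the claim's threshold test against its neighbours."""
    n = len(x)
    if n < 4:
        raise ValueError("a window needs at least 4 samples")
    index = max(range(n), key=lambda i: x[i])
    peak = x[index]
    if index == 0:                       # peak at the window start: compare with x(1), x(2)
        return peak > alpha * (x[1] + x[2]) / 2
    if index == n - 1:                   # peak at the window end: compare with x(n-3), x(n-2)
        return peak > beta * (x[n - 3] + x[n - 2]) / 2
    others = (sum(x[:index]) + sum(x[index + 1:])) / (n - 1)  # mean of all other samples
    return peak > lam * others


def detect_attack(samples, t, t_win, T, M, alpha, beta, lam):
    """One decision period: count windows with a sudden pulse (C) and decide C > M.
    Returns (attack_detected, C)."""
    k = int(round(t_win / t))            # samples per window, k = t'/t
    windows = int(round(T / t_win))      # windows per decision period
    if len(samples) < k * windows:
        raise ValueError("not enough samples for one decision period")
    C = 0
    for w in range(windows):
        if has_sudden_pulse(samples[w * k:(w + 1) * k], alpha, beta, lam):
            C += 1
    return C > M, C


def constructed_samples(t_ms, total_ms, pulse_period_ms=None,
                        pulse_width_ms=0, pulse_rate=0.0):
    """Constructed traffic rate samples (Mbps): a 2 Mbps baseline with a small
    ripple, plus the average contribution of square attack pulses that overlap
    each sampling interval."""
    samples = []
    for i in range(total_ms // t_ms):
        start, end = i * t_ms, (i + 1) * t_ms
        baseline = 2.0 + 0.1 * (i % 4)
        overlap = 0
        if pulse_period_ms:
            for p_start in range(0, total_ms, pulse_period_ms):
                p_end = p_start + pulse_width_ms
                overlap += max(0, min(end, p_end) - max(start, p_start))
        samples.append(baseline + pulse_rate * overlap / t_ms)
    return samples


def run_demo():
    params = dict(t=0.2, t_win=1.2, T=6.0, M=3, alpha=1.6, beta=1.6, lam=1.8)
    attack = constructed_samples(200, 6000, 1150, 150, 33.0)   # claim 2 pulse shape
    normal = constructed_samples(200, 6000)
    burst = constructed_samples(200, 6000)
    burst[8] += 20.0                                            # one isolated legitimate burst
    return {
        "attack": detect_attack(attack, **params),
        "normal": detect_attack(normal, **params),
        "burst": detect_attack(burst, **params),
    }


if __name__ == "__main__":
    for name, (detected, C) in run_demo().items():
        print(f"{name}: C={C} attack={detected}")
```

With a 1150 ms period and 1.2 s windows, every one of the five windows in a 6 s decision period contains one pulse, so C reaches 5 and exceeds M = 3; the plain baseline never trips a window, and a single burst raises C only to 1, which the counter threshold correctly ignores.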
CN201010519862.7A 2010-10-26 2010-10-26 Low-rate DoS (LDoS) attack, detection and defense module Active CN102457489B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010519862.7A CN102457489B (en) 2010-10-26 2010-10-26 Low-rate DoS (LDoS) attack, detection and defense module

Publications (2)

Publication Number Publication Date
CN102457489A CN102457489A (en) 2012-05-16
CN102457489B true CN102457489B (en) 2015-11-25

Family

ID=46040155

Country Status (1)

Country Link
CN (1) CN102457489B (en)

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104125194A (en) * 2013-04-24 2014-10-29 中国民航大学 LDDoS attack time synchronization and flow convergence method based on cross correlation
CN104125193A (en) * 2013-04-24 2014-10-29 中国民航大学 LDDoS attack detection method based on chaotic Dufing oscillators
CN103281317B (en) * 2013-05-09 2016-06-08 浙江师范大学 A kind of attack testing method of software defined network
CN103546465B (en) * 2013-10-15 2016-10-19 北京交通大学长三角研究院 LDoS attack detection based on traffic period monitoring and defence method
CN103561025B (en) * 2013-11-01 2017-04-12 中国联合网络通信集团有限公司 Method, device and system for detecting DOS attack prevention capacity
CN103916222A (en) * 2014-03-14 2014-07-09 电信科学技术研究院 Method and device for adjusting uplink service transmitting mode
CN104158823B (en) * 2014-09-01 2017-05-10 江南大学 Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service)
CN104253817A (en) * 2014-09-25 2014-12-31 大连梯耐德网络技术有限公司 A FPGA-based network behavior attack method and device
CN105208037B (en) * 2015-10-10 2018-05-08 中国人民解放军信息工程大学 A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection
WO2017063198A1 (en) * 2015-10-16 2017-04-20 华为技术有限公司 Data transmission method, device and system
CN106789831B (en) * 2015-11-19 2020-10-23 阿里巴巴集团控股有限公司 Method and device for identifying network attack
CN105245412B (en) * 2015-11-20 2019-06-14 上海斐讯数据通信技术有限公司 A kind of port flow monitoring method and system, the network equipment
CN106411829A (en) * 2015-12-14 2017-02-15 中国民航大学 LDoS attack detection method based on wavelet energy spectrum and combined neural network
CN105554041B (en) * 2016-03-01 2018-05-25 江苏三棱智慧物联发展股份有限公司 A kind of method for detecting the distributed denial of service attack based on flow table timeout mechanism
CN105897609B (en) * 2016-04-01 2019-04-09 浙江宇视科技有限公司 A method and apparatus for supervising data flow transmission
CN107707513B (en) * 2017-01-10 2019-05-17 北京数安鑫云信息技术有限公司 A kind of method and device of defending against network attacks
CN108199898A (en) * 2018-01-12 2018-06-22 中国民航大学 A kind of method for enhancing LDoS attack efficiency
CN108551448B (en) * 2018-04-12 2020-09-15 盾盟(上海)信息技术有限公司 Distributed denial of service attack detection method
CN109040131B (en) * 2018-09-20 2021-04-27 天津大学 An LDoS attack detection method in SDN environment
CN110012006B (en) * 2019-04-01 2021-03-02 中国民航大学 Low-rate denial of service attack method for CUBIC
CN111769998B (en) * 2019-08-13 2022-07-05 北京京东尚科信息技术有限公司 Method and device for detecting network delay state
CN111444501B (en) * 2020-03-16 2023-04-18 湖南大学 LDoS attack detection method based on combination of Mel cepstrum and semi-space forest
CN111478893B (en) * 2020-04-02 2022-06-28 中核武汉核电运行技术股份有限公司 Detection method for slow HTTP attack
CN112073402B (en) * 2020-08-31 2022-05-27 新华三信息安全技术有限公司 Traffic attack detection method and device
CN112637202B (en) * 2020-12-22 2022-08-12 贵州大学 An LDoS attack detection method based on integrated wavelet transform in SDN environment
CN112788062B (en) * 2021-01-29 2022-03-01 湖南大学 ET-EDR-based LDoS attack detection and mitigation method in SDN
CN113890746B (en) * 2021-08-16 2024-05-07 曙光信息产业(北京)有限公司 Attack traffic identification method, device, equipment and storage medium
WO2025075558A1 (en) 2023-10-02 2025-04-10 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatuses for determining security attacks in core network
CN117097575B (en) * 2023-10-20 2024-01-02 中国民航大学 Low-rate denial of service attack defense method based on cross-layer cooperative strategy

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101459519A (en) * 2009-01-08 2009-06-17 西安交通大学 Defense method for flooding-based DoS attack based on network flow
CN101577642A (en) * 2008-05-08 2009-11-11 吴志军 Method for one-step forecasting Kalman filtering detection of LDoS attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008148106A1 (en) * 2007-05-25 2008-12-04 New Jersey Institute Of Technology Proactive test-based differentiation method and system to mitigate low rate dos attacks

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
《一种针对LDoS攻击的分布式协同检测方法》;何炎祥等;《小型微型计算机系统》;20090315;第30卷(第3期);第2页第3段-第4页第16段 *
《低速率拒绝服务LDoS攻击性能的研究》;吴志军等;《通信学报》;20080625;第29卷(第6期);第2页第2段-第7页第1段 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110233838A (en) * 2019-06-06 2019-09-13 东软集团股份有限公司 A kind of defence method, device and the equipment of pulsed attack
CN110233838B (en) * 2019-06-06 2021-12-17 东软集团股份有限公司 Pulse type attack defense method, device and equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231122

Address after: Room 602, Building C2, Civil Aviation University of China Science and Technology Park, Zone C, Guangxuan Road Aviation Business Center, Dongli District, Tianjin, 300300

Patentee after: TIANJIN LINGZHI HAOYUE AVIATION TECHNOLOGY Co.,Ltd.

Address before: 300300 Tianjin city Dongli District North Road No. 2898

Patentee before: CIVIL AVIATION University OF CHINA
