Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
In order to enable those skilled in the art to better understand the embodiments of the present invention, the following description is given of technical terms related to the embodiments of the present invention.
An elastic IP (EIP) is a public network IP address that can be flexibly allocated and managed. It is an independent IP resource that can be bound to different cloud servers and rebound at any time.
The honeypot mechanism is an active defense technology in the field of network security. It works like a decoy trap set specifically to attract network attackers: the trap typically appears as one or more disguised systems or network services, enticing an attacker to intrude and thereby expose their attack methods and intent.
A DDoS attack (distributed denial-of-service attack) is a common form of network attack in which an attacker controls a large number of computers and makes them attack cooperatively, so that the target server or network is overloaded and its service is interrupted, causing heavy losses to enterprises and individuals. Protection against DDoS attacks is therefore particularly important. A DDoS attack can make websites, applications and similar services inaccessible, degrading the user experience and causing economic loss; an enterprise that suffers frequent DDoS attacks also damages its brand image and loses user trust. During a DDoS attack, other kinds of attack such as intrusion and data theft may be carried out under its cover and may leak sensitive data, and for an enterprise that depends on network services the resulting service interruption is a direct economic loss. The asymmetry is that an attacker only needs to rent or control a large botnet to launch a large-scale DDoS attack, whereas the defender must invest substantial resources and technology to withstand it.
Referring to fig. 1, a step flowchart of a method for protecting against DDoS attacks provided in an embodiment of the present invention may specifically include the following steps:
Step 101, determining a target client and acquiring a client IP (Internet Protocol address) for the target client, wherein the client IP has corresponding first gateway information;
Step 102, when a DDoS attack is detected, determining an attacker IP from the client IPs based on the DDoS attack;
Step 103, generating second gateway information;
Step 104, determining the client IPs other than the attacker IP as a first target IP, and sending the second gateway information to the first target IP so that the clients corresponding to the first target IP perform business service pushing based on the second gateway information.
Referring to fig. 2, fig. 2 is a schematic flow chart of a service push provided in an embodiment of the present invention;
The Internet back-end platform of the embodiment of the invention is a micro-service architecture built on cloud technology; the gateway is one of the core components of the micro-service architecture, and in practical application push service has become one of the key service capabilities of Internet services.
In a specific implementation, the embodiment of the invention can determine the target client and acquire the client IP for the target client, wherein the client IP has corresponding first gateway information.
According to the embodiment of the invention, all the clients that access the first gateway based on the first gateway information can be determined as target clients.
The purpose is as follows:
Clearly defining the protected object, namely confining the protection scope to a specific group of clients, which makes the protection more targeted.
Establishing basic information, namely acquiring the client IPs and the first gateway information, which provides the basic data for the subsequent traffic analysis and route switching.
The beneficial effects are that:
Protection efficiency is improved, since narrowing the protection scope lets the target clients be protected more intensively.
The rate of accidental blocking of legitimate users is reduced, since traffic analysis is only performed on the target clients, so interference with other normal users is reduced.
In a specific implementation, when a DDoS attack is detected, the embodiment of the present invention may determine an attacker IP from the client IPs based on the DDoS attack.
The purpose is as follows:
Identifying the attack source, namely accurately locating the IP addresses from which the DDoS attack is launched, which provides the basis for subsequent isolation and blocking.
The beneficial effects are that:
Attack traceability is improved: the attack source can be traced, and evidence can be provided for subsequent forensics and legal accountability.
A basis is provided for subsequent protection: once the attacker IPs are accurately identified, protective measures can be taken in a targeted manner.
In a specific implementation, the embodiment of the invention can be provided with a first gateway and can also be configured with a second gateway in addition to the first gateway, serving as a standby gateway, and the embodiment of the invention can generate second gateway information.
The purpose is as follows:
Providing a standby access path, namely generating new gateway information that serves as a backup for the original gateway.
The beneficial effects are that:
The fault tolerance of the system is enhanced: when the original gateway is attacked, traffic can be switched quickly to the standby gateway, ensuring service continuity.
In a specific implementation, the embodiment of the invention can determine the client IPs other than the attacker IP as the first target IP and send the second gateway information to the first target IP, so that the clients corresponding to the first target IP perform service pushing based on the second gateway information.
The purpose is as follows:
Isolating the attack traffic, namely separating the attacking client IPs from the normal traffic.
Steering the normal traffic, namely directing the traffic of normal clients to the standby gateway, ensuring that the service keeps running.
The beneficial effects are that:
Normal users are protected, namely clients that are not attacking can still access the service normally.
The impact of the attack is mitigated, namely the pressure on the server is relieved by isolating the attack traffic.
Regarding the problem of low DDoS protection efficiency, the embodiment of the invention can quickly lock onto the attack source by quickly identifying the attacker IPs, reducing the time spent on misjudgment and improving protection efficiency. By steering normal traffic to the standby gateway, attack traffic can be isolated rapidly, server pressure is reduced and service response speed is improved.
Regarding the problem of an overlong RTO (recovery time objective), a standby access path is provided for normal users by generating the second gateway information. By rapidly switching normal traffic to the standby gateway, the service recovery time is shortened.
Regarding the problem of attack traffic occupying a large amount of bandwidth, isolating the attack traffic reduces its occupation of network bandwidth, leaving sufficient bandwidth for normal services.
Regarding the problem of high cost, the scheme of the embodiment of the invention is implemented in software and needs no additional hardware investment, so its cost is lower than that of solutions such as traditional hardware firewalls.
The embodiment of the invention determines a target client and acquires a client IP for the target client, wherein the client IP has corresponding first gateway information; when a DDoS attack is detected, determines an attacker IP from the client IPs based on the DDoS attack; generates second gateway information; determines the client IPs other than the attacker IP as a first target IP; and sends the second gateway information to the first target IP so that the clients corresponding to the first target IP perform service pushing based on the second gateway information. Together these steps form a complete DDoS protection flow. Through accurate identification of the target clients, quick location of the attack source, generation of a standby gateway and dynamic switching of traffic, the DDoS resistance of the system is effectively improved and the continuity and stability of the service are guaranteed.
The advantages of this solution are mainly the following:
Strong targeting: specific clients are protected, which improves protection efficiency.
Rapid response: once a DDoS attack is detected, traffic can be switched quickly, reducing the service interruption time.
Flexibility and extensibility: the scheme can be adjusted to different service requirements and attack scenarios.
Optionally, in order to further improve the security of the system, the embodiment of the invention can also introduce behavior analysis when detecting DDoS attacks: besides the IP address, information such as user behavior and traffic characteristics can be combined into a comprehensive judgment, improving the accuracy of attack-source identification.
Protective equipment can also be deployed at multiple layers, such as the network edge and the server side, building a multi-layer defense system.
The system can also be continuously monitored and optimized, with periodic security assessments so that vulnerabilities are discovered and fixed in time.
On the basis of the above embodiments, modified embodiments of the above embodiments are proposed, and it is to be noted here that only the differences from the above embodiments are described in the modified embodiments for the sake of brevity of description.
In an optional embodiment of the invention, the step of determining an attacker IP from the client IPs based on the DDoS attack comprises:
determining a time node after the DDoS attack is detected;
determining an attacker information collection time according to a preset time period based on the time node;
recording abnormal request IPs among the client IPs during the attacker information collection time;
and determining the abnormal request IPs as attacker IPs.
The embodiment of the invention can determine the time node after the DDoS attack is detected.
The purpose is to determine the precise time at which the attack began and to provide a time reference for subsequent analysis.
The beneficial effect is that the attack duration and the various subsequent time windows can be calculated more accurately.
The embodiment of the invention can determine the attacker information collection time according to the preset time period based on the time node.
The purpose is to set a reasonable time window for collecting attacker information.
The beneficial effect is a window of appropriate length: too short a window may miss some attackers, while too long a window introduces too much normal traffic. The preset time period needs to be adjusted according to the attack type and the network environment.
The embodiment of the invention can record the abnormal request IPs among the client IPs during the attacker information collection time.
The purpose is to record all abnormal request IPs within the set time window.
The beneficial effect is that the abnormal IPs are likely to be attacker IPs, providing the basis for subsequent isolation and blocking.
The embodiment of the invention can determine the abnormal request IPs as attacker IPs.
The purpose is to directly identify the collected abnormal IPs as the attacker IPs.
The beneficial effect is that the process of locating the attack source is simplified and protection efficiency is improved.
The embodiment of the invention determines the time node after the DDoS attack is detected, determines the attacker information collection time according to the preset time period based on the time node, records the abnormal request IPs among the client IPs during the attacker information collection time, and determines the abnormal request IPs as attacker IPs, so that the attack source can be locked onto quickly after a DDoS attack is detected and an accurate basis is provided for subsequent safeguards. The whole process can be regarded as abnormal-traffic analysis over a time window.
Furthermore, the embodiment of the invention can define the criterion for an abnormal request; this criterion needs to take several factors into account, such as request frequency, request content and source IP address. The false-positive rate can also be determined: because of the complexity of the network environment, some false positives are inevitable, so the algorithm and rules need to be continuously optimized.
In practical application, in order to respond to an attack in time, the whole process needs to operate with low latency.
The embodiment of the invention can also introduce machine learning: using a machine-learning model trained on historical attack data, a more accurate model of attack characteristics is built, improving the accuracy of attack identification. Combined with behavior analysis, information such as user behavior and traffic characteristics can be used together with the IP address for a comprehensive judgment, improving the accuracy of attack-source identification. The time window can also be adjusted dynamically, namely the attacker information collection time is adapted to the attack type and the network environment, improving the adaptability of the system.
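As an added example (not part of the original description and not the applicant's code), the following Python implements the time-window attacker identification described above over a constructed request log: the time node is the first one-second bucket whose total request count reaches a global threshold, and the attacker IPs are those whose request count inside the collection window reaches a per-IP threshold. The thresholds, the bucket size, the IP addresses and the log itself are assumptions chosen for illustration; the second run in the usage shows how a collection window that is too short misses a bot that joined the attack a few seconds late.

```python
from collections import Counter


def build_sample_log():
    """Constructed request log of (timestamp_seconds, client_ip) tuples.
    Four normal clients send one request every 2 s; three bots start
    flooding at t=20 s and a fourth bot joins at t=23 s (50 req/s each)."""
    log = []
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"):
        for t in range(0, 40, 2):
            log.append((float(t), ip))
    bots = {"198.51.100.1": 20, "198.51.100.2": 20,
            "198.51.100.3": 20, "198.51.100.4": 23}
    for ip, start in bots.items():
        for t in range(start, 40):
            for k in range(50):
                log.append((t + k / 50.0, ip))
    log.sort()
    return log


def detect_time_node(log, global_rate_threshold):
    """Step 'determine the time node': return the start of the first 1 s
    bucket whose total request count reaches the global threshold, or None."""
    per_second = Counter(int(t) for t, _ in log)
    for second in sorted(per_second):
        if per_second[second] >= global_rate_threshold:
            return float(second)
    return None


def identify_attacker_ips(log, time_node, window_s, per_ip_threshold):
    """Steps 'collect attacker information' and 'record abnormal request IPs':
    count requests per IP inside [time_node, time_node + window_s) and flag
    every IP whose count reaches the per-IP threshold as an attacker IP."""
    per_ip = Counter(ip for t, ip in log if time_node <= t < time_node + window_s)
    return {ip for ip, n in per_ip.items() if n >= per_ip_threshold}


def locate_attack_source(log, global_rate_threshold=100, window_s=5.0, per_ip_threshold=50):
    """Whole optional embodiment: time node first, then attacker IPs from the window."""
    time_node = detect_time_node(log, global_rate_threshold)
    if time_node is None:
        return None, set()
    return time_node, identify_attacker_ips(log, time_node, window_s, per_ip_threshold)


if __name__ == "__main__":
    sample = build_sample_log()
    node, attackers = locate_attack_source(sample)
    print("time node:", node, "attackers:", sorted(attackers))
    # A 2 s collection window misses the late-joining bot 198.51.100.4
    print("short window:", sorted(identify_attacker_ips(sample, node, 2.0, 50)))
```

With the constructed log the time node is 20.0 s; a 5 s window flags all four bots, while a 2 s window flags only the three that started at the time node, which is the "too short a window misses attackers" case from the description.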
In an alternative embodiment of the present invention, further comprising:
Determining the number of service requests corresponding to the second gateway information;
And when the service request quantity reaches a preset threshold value, reducing the bandwidth corresponding to the first gateway information and improving the bandwidth corresponding to the second gateway information.
In a specific implementation, the embodiment of the invention can determine the number of service requests corresponding to the second gateway information.
The purpose is to monitor the traffic that has switched to the new gateway and learn the actual load of service requests on it.
The beneficial effect is that, by monitoring the service request volume in real time, bandwidth allocation can be adjusted dynamically, avoiding both waste and shortage of bandwidth resources.
When the service request volume reaches a preset threshold, the bandwidth corresponding to the first gateway information is reduced and the bandwidth corresponding to the second gateway information is increased.
This sets a trigger condition: bandwidth adjustment is triggered once a certain volume of service requests is reached, and the bandwidth allocation of the two gateways is adjusted dynamically as the request volume changes.
The beneficial effects are that:
The preset threshold ensures that service traffic transitions smoothly to the new gateway while bursts of traffic are responded to in time.
Resource utilization is improved, namely more bandwidth is allocated to the gateway with the heavier load, avoiding resource waste.
Service quality is guaranteed, namely by adjusting bandwidth dynamically, normal services still obtain sufficient bandwidth while a DDoS attack is in progress.
The adjustment of the first and second gateways can be understood as dynamic bandwidth allocation based on load balancing. After a DDoS attack is detected and the gateway switch is completed, the system continuously monitors the service request volume on the new gateway. Once the request volume reaches the preset threshold, most traffic has transitioned to the new gateway; the system then automatically reduces the bandwidth of the original gateway and allocates more bandwidth to the new gateway to cope with a possible traffic peak.
The mechanism of dynamically adjusting bandwidth has the following advantages:
Flexible adaptation to change, namely bandwidth allocation can be adjusted in real time as service traffic changes, improving the adaptability of the system to emergencies.
Optimized resource utilization, namely allocating bandwidth where it is needed improves resource utilization and reduces cost.
Improved system stability, namely service continuity is ensured when a DDoS attack occurs.
The relation to the overall scheme is as follows:
This step is tightly coupled with gateway drift and DDoS awareness in the overall scheme. Gateway drift gives the system the capability of switching gateways dynamically; this step further improves the protective effect by monitoring the service request volume and managing gateway bandwidth in a fine-grained way.
Further optimization can be achieved in the following respects:
Threshold for the number of service requests: the preset threshold needs to be tuned to the specific service scenario and network environment, since a threshold that is too high or too low affects system performance.
Bandwidth adjustment granularity: the granularity affects the response speed of the system, and too fine a granularity may lead to frequent bandwidth adjustments and increase system overhead.
Algorithm optimization: more sophisticated algorithms, such as machine-learning-based ones, can be used to predict changes in traffic and achieve more accurate bandwidth allocation.
By dynamically adjusting gateway bandwidth, the flexibility and adaptability of the system are further improved and DDoS attacks are handled better. The approach also serves as a reference for other scenarios that require dynamic resource adjustment.
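The threshold-triggered bandwidth shift described above, as an added Python example (not from the original description): a controller observes the request count on the second gateway at each monitoring tick and, once the count reaches the preset threshold, moves a fixed share of bandwidth from the first gateway to the second. The minimum interval between adjustments addresses the granularity caveat (it prevents frequent back-to-back adjustments), and the floor on the first gateway's bandwidth keeps it reachable for clients that have not switched yet. The figures, the step size and the interval are assumptions.

```python
class GatewayBandwidthController:
    """Dynamic bandwidth allocation between the first (original) gateway and
    the second (standby) gateway after gateway drift."""

    def __init__(self, first_mbps, second_mbps, request_threshold,
                 step_mbps, first_floor_mbps, min_interval_s):
        self.first_mbps = first_mbps
        self.second_mbps = second_mbps
        self.request_threshold = request_threshold   # preset threshold on the second gateway's request count
        self.step_mbps = step_mbps                   # adjustment granularity
        self.first_floor_mbps = first_floor_mbps     # never starve the original gateway completely
        self.min_interval_s = min_interval_s         # damping against overly frequent adjustments
        self._last_adjust_at = None

    def observe(self, now_s, requests_on_second):
        """One monitoring tick. Returns True if bandwidth was shifted."""
        if requests_on_second < self.request_threshold:
            return False
        if (self._last_adjust_at is not None
                and now_s - self._last_adjust_at < self.min_interval_s):
            return False
        # Clip the step so the first gateway keeps at least its floor
        shift = min(self.step_mbps, self.first_mbps - self.first_floor_mbps)
        if shift <= 0:
            return False
        self.first_mbps -= shift
        self.second_mbps += shift
        self._last_adjust_at = now_s
        return True

    def allocation(self):
        return (self.first_mbps, self.second_mbps)


def run_monitoring(controller, samples):
    """Feed (time_s, request_count) samples; return (time, adjusted?, allocation) per sample."""
    return [(t, controller.observe(t, n), controller.allocation()) for t, n in samples]


if __name__ == "__main__":
    ctl = GatewayBandwidthController(800, 200, request_threshold=500,
                                     step_mbps=200, first_floor_mbps=100, min_interval_s=10)
    # Constructed monitoring samples: (seconds since the switch, requests seen on the second gateway)
    samples = [(0, 100), (1, 600), (2, 700), (12, 700), (25, 700), (40, 700), (55, 700)]
    for row in run_monitoring(ctl, samples):
        print(row)
```

In the constructed run the sample at t=2 s is above the threshold but is ignored because an adjustment happened 1 s earlier; the last shift is clipped to 100 Mbps by the floor, and the total of 1000 Mbps is preserved throughout.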
In an alternative embodiment of the present invention, further comprising:
constructing a honeypot system, wherein the honeypot system comprises a plurality of false business data;
and sending the false service data to the attacker IP.
In a specific implementation, in order to defend against DDoS attacks more actively, the embodiment of the invention introduces a honeypot mechanism. Specifically, a complete mirror system containing false data is deployed as a honeypot in the business back end. Thanks to the load-balancing nature of the micro-service architecture, this deployment is straightforward. Once gateway drift has occurred, the attack traffic is directed to the honeypot, which returns false responses to the attacker. This 'deep trapping' strategy keeps the attacker's attention focused on the honeypot, and it also buys the defender more time to analyze the attack behavior and take more effective defensive measures.
Specifically, the honeypot type and scale may be determined as follows:
Type: a suitable honeypot type is selected according to the attacker's target and attack mode. For example, a false Web server may be deployed against Web application attacks, and a database containing false data may be deployed against database attacks.
Scale: the size of the honeypot should match that of the real system to increase its appeal, while also taking the resource consumption of the honeypot system into account.
Preparing false data:
Data type: corresponding dummy data is prepared according to the honeypot type. For example, false Web pages, files and the like may be prepared for a Web server, and false tables and records for a database.
Data volume: the volume should be large enough to attract the attacker's interest, while avoiding the performance degradation that an excessive data volume would cause.
Deploying the honeypot system:
Independent environment: the honeypot system is deployed in an isolated network environment, so that an attacker cannot reach the real system through the honeypot.
Load balancing: the load-balancing characteristics of the micro-service architecture are used to isolate the honeypot system from the real system.
Monitoring: the honeypot system is monitored in real time, and all access logs and attack behavior are recorded.
Sending false service data to the attacker IP:
Traffic forwarding: when attack traffic reaches the gateway, it is forwarded to the honeypot system according to a preset rule.
Response generation: after the honeypot system receives a request, it generates a corresponding false response according to the content of the request.
Response return: the generated false response is returned to the attacker.
The overall process can be characterized figuratively as setting up bait, luring the attacker into a safe area, and then observing and analyzing their behavior.
Characteristics of the false service data:
Authenticity: the false data should simulate the behavior of the real system as closely as possible to increase its appeal.
Diversity: multiple types of false data are provided to attract different types of attackers.
Dynamism: the false data is updated periodically to prevent the attacker from recognizing it.
The reasons for sending false service data are as follows:
Attracting the attacker: the false data draws the attacker's attention and shifts the focus of the attack to the honeypot, thereby protecting the real system.
Consuming the attacker's resources: attacking the honeypot consumes a large amount of the attacker's computing resources and network bandwidth, slowing the attack.
Collecting attack information: analyzing the attacker's behavior on the honeypot reveals their methods, tools and targets, providing valuable information for subsequent defense.
Constructing a honeypot system and sending false data to the attacker is an effective means of actively defending against DDoS attacks. In this way the attacker is directed to a safe area and the real system is protected, and the defense system can be continuously improved by analyzing the attacker's behavior.
In an alternative embodiment of the present invention, further comprising:
obtaining the attack traffic corresponding to the attacker IP;
sending mirrored traffic of the attack traffic to the honeypot system;
analyzing the mirrored traffic based on the honeypot system, and determining a second target IP that was accidentally blocked;
and sending the second gateway information to the second target IP so that the client corresponding to the second target IP performs business service pushing based on the second gateway information.
The purpose of obtaining the attack traffic corresponding to the attacker IP is to separate the attack traffic accurately, so that it can be mirrored and analyzed subsequently.
In a specific implementation, this may be achieved as follows.
IP filtering: the network traffic is filtered according to the determined attacker IPs, extracting all traffic whose source IP is an attacker IP.
Feature matching: in addition to the IP, other features (such as port, protocol and packet content) can be combined for more precise traffic selection.
Traffic analysis: a traffic analysis tool is used to analyze the network traffic in depth and identify abnormal traffic patterns, thereby determining the attack traffic.
The purpose of sending the mirrored attack traffic to the honeypot system is to copy the attack traffic to the honeypot for further analysis while protecting the real business system.
In a specific implementation, this may be achieved as follows.
Traffic mirroring: network equipment or software copies the network traffic and sends one copy to the honeypot system.
Mirroring ratio: the proportion of traffic mirrored can be adjusted according to the processing capacity of the honeypot system and the depth of analysis required.
The purpose of analyzing the mirrored traffic based on the honeypot system and determining the accidentally blocked second target IP is to identify normal users that were wrongly caught up in the attack response.
In a specific implementation, this may be achieved as follows.
Behavior analysis: by analyzing the traffic received by the honeypot system, traffic that is inconsistent with normal user behavior is identified.
Feature matching: the data collected by the honeypot system is matched against known normal user behavior features to find anomalies.
Machine learning: a machine-learning algorithm models the traffic data and identifies abnormal behavior automatically.
Sending the second gateway information to the second target IP, so that the client corresponding to the second target IP performs business service pushing based on the second gateway information, serves to steer the accidentally blocked normal user to the standby gateway and restore its normal service.
In a specific implementation, this may be achieved as follows.
Protocol encapsulation: the second gateway information is encapsulated in a specific protocol format.
Push means: the information can be pushed to the client in a number of ways, such as HTTP, DNS or UDP.
Client processing: after receiving the new gateway information, the client updates its configuration and sends subsequent requests to the new gateway.
Through these steps, attack traffic can be monitored, analyzed and responded to in real time. The honeypot system serves as bait that attracts the attacker's attention while providing an opportunity for in-depth analysis of the attack behavior. By identifying accidentally blocked normal users and steering them to the standby gateway, their normal access is effectively protected.
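Added example (Python, not from the original description) covering two of the optional embodiments above: the honeypot that serves false business data to attacker IPs, and the analysis of mirrored attack traffic on the honeypot to find accidentally blocked normal users (the second target IPs), who are then routed back to the second gateway. The behavioral profile of a normal user is an assumption (at most a few requests per second, nearly all of them to routes that really exist); the IP addresses, routes, false records and mirrored traffic are constructed.

```python
from collections import defaultdict

# Constructed false business data served by the honeypot, keyed by request path
FAKE_RECORDS = {
    "/login": {"status": 200, "session": "fake-session-0001"},
    "/api/orders": {"status": 200, "orders": [{"id": 9001, "total": "13.37"}]},
    "/api/items": {"status": 200, "items": ["decoy-sku-1", "decoy-sku-2"]},
}
KNOWN_ROUTES = frozenset(FAKE_RECORDS)


class HoneypotSystem:
    """Serves false responses and records every request for later analysis."""

    def __init__(self, fake_records, known_routes):
        self.fake_records = fake_records
        self.known_routes = known_routes
        self.access_log = []          # (timestamp_s, source_ip, path)

    def handle(self, t, ip, path):
        """Generate a false response for the request and log the access."""
        self.access_log.append((t, ip, path))
        return self.fake_records.get(path, {"status": 404, "error": "not found"})

    def find_misclassified(self, window_s, max_rate, min_known_share):
        """Behavior analysis over the mirrored traffic: an IP whose request
        rate and route usage match the normal-user profile is returned as an
        accidentally blocked second target IP."""
        counts = defaultdict(lambda: [0, 0])      # ip -> [total, hits on known routes]
        for _, ip, path in self.access_log:
            counts[ip][0] += 1
            if path in self.known_routes:
                counts[ip][1] += 1
        return {ip for ip, (total, known) in counts.items()
                if total / window_s <= max_rate and known / total >= min_known_share}


def route_request(src_ip, attacker_ips, cleared_ips):
    """Gateway forwarding rule after drift: attacker IPs go to the honeypot,
    everyone else (including cleared second target IPs) to the second gateway."""
    if src_ip in attacker_ips and src_ip not in cleared_ips:
        return "honeypot"
    return "second_gateway"


def build_mirror_sample():
    """Constructed mirror of 10 s of traffic from three flagged IPs."""
    mirror = []
    for i in range(300):                       # bot: 30 req/s, mostly probing non-existent paths
        mirror.append((i / 30.0, "198.51.100.1", "/login" if i % 3 == 0 else f"/probe/{i}"))
    for i in range(200):                       # bot: 20 req/s hammering the login route
        mirror.append((i / 20.0, "198.51.100.2", "/login"))
    routes = ["/api/orders", "/api/items", "/login"]
    for i in range(30):                        # office NAT address wrongly flagged: 3 req/s, real routes
        mirror.append((i / 3.0, "203.0.113.50", routes[i % 3]))
    return mirror


def analyse_mirror(attacker_ips, mirror, window_s=10.0, max_rate=5.0, min_known_share=0.8):
    """Replay mirrored attack traffic into the honeypot and return the cleared IPs."""
    honeypot = HoneypotSystem(FAKE_RECORDS, KNOWN_ROUTES)
    for t, ip, path in mirror:
        if ip in attacker_ips:
            honeypot.handle(t, ip, path)
    return honeypot.find_misclassified(window_s, max_rate, min_known_share)


if __name__ == "__main__":
    attackers = {"198.51.100.1", "198.51.100.2", "203.0.113.50"}
    cleared = analyse_mirror(attackers, build_mirror_sample())
    print("second target IPs:", sorted(cleared))
    for ip in sorted(attackers):
        print(ip, "->", route_request(ip, attackers, cleared))
```

The cleared set here is the second target IP list to which the second gateway information is pushed; the two bots keep receiving false data from the honeypot. A real deployment would add more features to the profile (session presence, request ordering, payload content) and, as the description notes, a learned model, but the decision structure stays the same.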
In an alternative embodiment of the present invention, the step of determining the target client includes:
when an access request from an access client is acquired, verifying the identity of the access client based on a verification public key for the access client;
when the identity of the access client is judged to be legitimate through the verification public key, generating a server verification token for the access client and sending the server verification token to the access client;
and determining the access client holding the verification token as a target client.
The embodiment of the invention can execute a user authentication and authorization flow when determining the target client; such a flow is generally used to protect system resources and prevent unauthorized access. It mainly involves three parts: the client (user side), the network and the authentication server.
The detailed steps are as follows:
1. The client initiates a request:
1.1 The client (user) sends a request to the authentication server indicating that it wishes to obtain a certain resource or service.
2. The authentication server checks the client:
2.1 After receiving the request, the authentication server verifies the identity of the client. This verification generally includes:
2.1.1 Verifying the public key: the server verifies whether the public key provided by the client is legitimate, ensuring that the public key is trusted.
2.1.2 Protecting the unique user identifier: the server applies its private key to the unique identifier provided by the client to produce a unique server verification token. Note that applying the server's private key yields a signature, not confidentiality: anyone holding the server's public key can read the identifier back, but only the server can produce a valid token. If the identifier must also stay confidential, it has to be encrypted separately, or the token built with an authenticated scheme whose key only the server holds.
3. The server returns the token:
3.1 The authentication server returns the generated token to the client. The token contains important information about the user's identity and is the credential for subsequent requests.
4. Client-side subsequent requests:
4.1 The client sends the token along with each subsequent request.
5. The server checks the token:
5.1 After receiving the request, the server verifies the validity of the token, including:
5.1.1 Recovering the unique user identifier from the token with the server's key; for a token produced with the server's private key, the signature is verified with the corresponding public key before the identifier is trusted.
5.1.2 Checking the unique user identifier: the server compares the recovered unique user identifier with the information in its database to confirm the user's identity.
5.1.3 Checking the token validity period: the server checks the expiry of the token to ensure it has not expired.
6. Server authorization:
6.1 If the token check passes, the server authorizes the client to access the requested resource or service.
Description of each part:
Client: typically a device used by the user, such as a computer or mobile phone.
Network: used for communication between client and server.
Authentication server: responsible for verifying user identity and issuing tokens.
The purpose of this flow is to ensure that only authenticated users can access the system's resources. Using the token as a credential effectively prevents unauthorized access, and the limited validity period of the token further improves the security of the system.
Related concepts:
Public key and private key: a key pair in an asymmetric cryptographic algorithm. For encryption, the public key encrypts and the private key decrypts; for signing, as used for the token here, the private key signs and the public key verifies.
Token: the server verification token, which contains information such as the user's identity and is used for authentication and authorization.
The method for determining the target client has the following beneficial effects:
High security: a public-key algorithm is used to protect the data.
The token can be stored on the client, which makes it convenient for the user across several applications.
Strong extensibility: the token content can be customized to different requirements.
In an optional embodiment of the invention, the second gateway information includes gateway IP information and gateway port information for the second gateway, and the step of determining the client IPs other than the attacker IP as a first target IP and transmitting the second gateway information to the first target IP includes:
constructing an attacker IP list recording the attacker IPs;
determining, based on the attacker IP list, the verification tokens and first target IPs of the other clients that are not in the attacker IP list;
and when the identity of an other client is verified as legitimate through that client's verification token, sending the gateway IP information and the gateway port information to that client via the first target IP.
In practical application, the gateway drift service is a dynamic load-balancing mechanism whose aim is to intelligently adjust the allocation of system resources according to real-time traffic conditions and security threats. Its main functions are as follows:
Attack detection and IP blocking, namely monitoring system traffic in real time and identifying and recording attacker IP addresses.
User token management, namely maintaining a database of all user tokens that records the user identity corresponding to each token and the gateway currently allocated to it.
Dynamic route configuration, namely dynamically adjusting the routing of user requests according to the attack situation and system load, distributing user requests to different gateways.
Bandwidth adjustment, namely achieving load balancing by adjusting the bandwidth of the different gateways and distributing more traffic to the gateway with the lighter load.
In a specific implementation, determining the client IPs other than the aggressor IP as the first target IP and sending the second gateway information to the first target IP may be implemented as follows.
1. An attacker IP list for recording the attacker IPs is constructed; the aim is to create a list that clearly records all IP addresses participating in the attack.
The specific implementation method is to extract all source IP addresses of the attack requests by analyzing the network traffic, and to record these IP addresses in the list.
2. Based on the attacker IP list, the verification tokens and the first target IPs of the other clients that are not in the attacker IP list are determined; the aim is to screen out the normal clients which did not participate in the attack and to acquire their authentication information and IP addresses.
The specific implementation method comprises the following steps:
Traversing all clients: traversing all clients in the system.
Comparing with the IP list: comparing the IP address of each client with the attacker IP list; if the client is not in the attacker IP list, it is considered a normal client.
Acquiring the verification token and the IP: acquiring the corresponding verification token and IP address (namely the first target IP) of each normal client so determined. The verification token is used to verify the legitimacy of the client identity, and the first target IP is the destination for sending the new gateway information.
3. When the identity of the other client is verified to be legitimate through its verification token, the gateway IP information and the gateway port information are sent to that client through the first target IP; the aim is to push the new gateway information to the normal clients so that they can switch to the new gateway.
The specific implementation method comprises the following steps:
Verifying the identity: verifying the identity of the client using the obtained verification token, so as to ensure the security of the operation.
Constructing the push message: constructing a push message containing the new gateway IP and port information.
Sending the message: sending the message to the client through the first target IP.
Client processing: after receiving the message, the client updates its configuration and sends subsequent requests to the new gateway.
Logic of the whole flow
Identifying the attacker: determining the IP addresses of the attackers by analyzing the network traffic.
Screening normal users: comparing all users with the attacker list and screening out the normal users.
Verifying the identity: verifying the identity of each normal user using the verification token.
Pushing the new gateway information: sending the new gateway information to the normal users that pass verification.
Key points and notes
Security of the verification token: the design and use of the verification token must ensure its security and prevent it from being forged by an attacker.
Reliability of message transmission: the reliability of message transmission must be ensured, avoiding message loss or tampering.
Updating the client configuration: after the client receives the new gateway information, it updates its configuration in time to ensure the continuity of the service.
Performance optimization: for a large number of clients, consideration must be given to how to perform authentication and message pushing efficiently.
Through the above steps, normal clients can be switched rapidly, the continuity of the service is ensured, and the security of the system is improved at the same time. The process involves multiple aspects such as network traffic analysis, identity authentication and message pushing, and the factors of all aspects need to be considered comprehensively in order to design an efficient and reliable solution.
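The three steps above (building the attacker IP list, screening the clients not on it, verifying each remaining client's token and pushing the new gateway IP and port), together with the client-side configuration update, as an added worked example. This is illustrative code written for this page, not the patent's own implementation; the traffic rows, client table, token TTLs and gateway addresses are all constructed sample data, and the token check is realised here as "issued by the authentication server and still inside its validity window", which is one reading of the token security and timeliness notes above.

```python
# Constructed sample data (not from the patent). Each traffic row is
# (source IP, abnormal flag set by the network monitoring component).
SAMPLE_TRAFFIC = [
    ("203.0.113.5", True), ("203.0.113.5", True), ("198.51.100.7", False),
    ("203.0.113.9", True), ("198.51.100.8", False), ("198.51.100.7", False),
]

NOW = 1_700_000_000  # constructed clock value (seconds)

# Constructed client table: client IP -> verification token and its validity window.
CLIENTS = {
    "198.51.100.7": {"token": "tok-7", "issued": NOW - 60, "ttl": 3600},
    "198.51.100.8": {"token": "tok-8", "issued": NOW - 7200, "ttl": 3600},  # expired
    "203.0.113.5": {"token": "tok-5", "issued": NOW - 10, "ttl": 3600},
}

# What the authentication server itself remembers issuing.
ISSUED_TOKENS = {"tok-7", "tok-8", "tok-5"}


def build_attacker_ip_list(traffic):
    """Step 1: every source IP of an abnormal request, once each."""
    return sorted({ip for ip, abnormal in traffic if abnormal})


def screen_normal_clients(clients, attacker_ips):
    """Step 2: clients not on the attacker list, with their token and first target IP."""
    attackers = set(attacker_ips)
    return [(rec["token"], ip, rec) for ip, rec in clients.items() if ip not in attackers]


def token_is_valid(token, rec, now, issued_tokens):
    """Step 3a: the token must be one the authentication server issued and still within its TTL."""
    return token in issued_tokens and now < rec["issued"] + rec["ttl"]


def build_push_message(gateway_ip, gateway_port):
    """Step 3b: the message carrying the second gateway information."""
    return {"type": "gateway_drift", "gateway_ip": gateway_ip, "gateway_port": gateway_port}


def drift_normal_clients(traffic, clients, gateway_ip, gateway_port,
                         now=NOW, issued_tokens=ISSUED_TOKENS):
    """Run steps 1-3; returns (attacker list, messages keyed by first target IP, rejected IPs)."""
    attacker_ips = build_attacker_ip_list(traffic)
    pushed, rejected = {}, []
    for token, ip, rec in screen_normal_clients(clients, attacker_ips):
        if token_is_valid(token, rec, now, issued_tokens):
            # step 3c: the message is sent to the client via the first target IP
            pushed[ip] = build_push_message(gateway_ip, gateway_port)
        else:
            rejected.append(ip)  # no push without a legitimate identity
    return attacker_ips, pushed, rejected


class ClientConfig:
    """Client side: apply a pushed message so later requests go to the new gateway."""

    def __init__(self, gateway_ip, gateway_port):
        self.gateway_ip, self.gateway_port = gateway_ip, gateway_port

    def apply_push(self, message):
        if message.get("type") != "gateway_drift":
            return False
        self.gateway_ip, self.gateway_port = message["gateway_ip"], message["gateway_port"]
        return True
```

Running `drift_normal_clients(SAMPLE_TRAFFIC, CLIENTS, "192.0.2.20", 8443)` lists the two abnormal source IPs, pushes the new gateway only to 198.51.100.7, and rejects 198.51.100.8 because its token has expired; a client whose token cannot be verified is deliberately left without the new gateway information, which is the conservative choice the token security note calls for.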
In order that those skilled in the art will better understand the embodiments of the present invention, an example will be described below.
Referring to fig. 2, fig. 2 is a schematic flow chart of a service push provided in an embodiment of the present invention;
The common internet back-office platform is a micro-service architecture based on cloud technology; the gateway is one of the core components of the micro-service architecture, and with the rapid development of mobile terminals, push service has become one of the key service capabilities of internet services.
Based on this, the solution mainly involves the following core designs:
Referring to fig. 3, fig. 3 is a flowchart of a method for determining a target client according to an embodiment of the present invention;
1. User identity identification:
Mature third-party push services, such as Apple's APNs, can push messages at the granularity of the user device. The identifier of the user device is usually a token; the token and the message to be pushed are sent to the push service, and the push service completes the message push. (Industry push service solutions are well established and are not described in detail here.)
When the client device accesses the network, the token of the client device is sent to the registration login service; after the service receives the request, it generates a unique identifier for the client, encrypts the identifier and returns it to the client. Every request from the client thereafter carries this encrypted information. The gateway caches the public key for decryption and decrypts the information after receiving a request.
The registration login service stores the unique user identifier, the token and the client IP in a database. Thus, after any request carrying the encrypted information enters the gateway, the gateway can decrypt it and, with the help of the database, know which device the request comes from.
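The identity identification flow just described, as an added example written for this page rather than code from the patent: the registration login service issues a unique identifier per device, records (identifier, push token, client IP) in its database, and returns a sealed credential; the gateway opens the credential with the key it caches and resolves the device through the database. One assumption is made explicit in the code: the page's encrypt/decrypt key pair is stood in for by a shared HMAC key, so "opening" the credential means checking its integrity tag, which also catches a forged or altered identifier. The key and addresses are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed demonstration key. Assumption: a shared HMAC key stands in for the
# page's encrypt/decrypt key pair; the registration login service seals the
# identifier with it and every gateway caches the same key to open it.
SERVICE_KEY = b"constructed-demo-registration-key"


def _tag(key, unique_id):
    """Integrity tag over the identifier so the gateway can detect forgery."""
    return hmac.new(key, unique_id.encode(), hashlib.sha256).hexdigest()


class RegistrationLoginService:
    """Generates a unique identifier per device and records (id, push token, IP)."""

    def __init__(self, key):
        self._key = key
        self.db = {}  # unique_id -> {"push_token": ..., "ip": ...}

    def register(self, push_token, client_ip):
        unique_id = secrets.token_hex(8)
        self.db[unique_id] = {"push_token": push_token, "ip": client_ip}
        # The sealed credential the client attaches to every later request.
        return f"{unique_id}.{_tag(self._key, unique_id)}"


class Gateway:
    """Opens the credential with the cached key and resolves the device via the database."""

    def __init__(self, key, db):
        self._key = key
        self._db = db

    def identify(self, credential):
        if "." not in credential:
            return None
        unique_id, tag = credential.split(".", 1)
        # Constant-time comparison: a forged or altered identifier is rejected.
        if not hmac.compare_digest(tag, _tag(self._key, unique_id)):
            return None
        record = self._db.get(unique_id)
        if record is None:
            return None
        return {"unique_id": unique_id, **record}


def demo():
    """Register one device, then identify a genuine and a tampered credential."""
    service = RegistrationLoginService(SERVICE_KEY)
    gateway = Gateway(SERVICE_KEY, service.db)
    cred = service.register(push_token="apns-token-constructed", client_ip="198.51.100.7")
    genuine = gateway.identify(cred)
    # Same tag, different identifier: the integrity check must fail.
    forged = gateway.identify("0000000000000000." + cred.split(".", 1)[1])
    return genuine, forged
```

`demo()` returns the resolved record for the genuine credential and `None` for the tampered one; in a deployment the lookup in `identify` is what lets the gateway drift service later find the push token and IP of each device that is not on the attacker list.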
Referring to fig. 4, fig. 4 is a schematic diagram showing an aggressor IP period and a gateway drift period provided in an embodiment of the present invention;
2. DDoS perception:
The industry has a number of network monitoring components which can monitor the usage of the system's network resources and judge whether the system is currently under a DDoS attack caused by a protocol attack, a flood attack or the like. After the network monitoring component judges that the system is under DDoS attack, a period of time follows which is the attacker information collection time. During this time, the network monitoring component records the IPs of the abnormal requests. When the attacker information collection time is over, the network monitoring component sends a request to the gateway drift service to complete the gateway drift.
Referring to fig. 5 and 6, fig. 5 is a schematic flow chart of a gateway drifting method according to an embodiment of the present invention, and fig. 6 is a schematic flow chart of another gateway drifting method according to an embodiment of the present invention;
3. Gateway drift:
The client is designed with the service capability of receiving pushed information, parsing information such as the IP and port of the background gateway from the pushed information, and then making service requests, so that the client has the capability of dynamically accessing the service background gateway.
The gateway drift service is deployed in the background:
When the attacker information collection time of the network monitoring component is over, the network monitoring component sends a request carrying the attacker IP list to the gateway drift service. The service mainly has two functions:
One is to dynamically adjust the bandwidth resources of the different gateways; for example, gateway 1 and gateway 2 in fig. 5 share bandwidth resources, and when the gateway carrying the traffic is switched (e.g. a is switched to b), the bandwidth resources are adjusted dynamically;
The other is to send push requests to the third-party push service. Specifically, when the gateway drift service receives the request from the gateway, it first parses the attacker IP list, then finds in the database the tokens of all users not in the attacker IP list, and sends the IP and port information of the new gateway (such as gateway 2) to those tokens. As gateway 2 receives more and more service requests, the gateway drift service reduces the bandwidth of gateway 1 and allocates the main bandwidth resources to gateway 2.
Dynamic adjustment of bandwidth resources between different gateways is one of the core capabilities of cloud technology; it is realized through the elastic IP (EIP) technology of cloud platforms, which is supported by underlying technologies such as NAT translation. Generally, cloud vendors provide operation and maintenance consoles, API interfaces and other means to adjust elastic IP bandwidth resources. This method adopts the API interface mode: the gateway drift service adjusts bandwidth resources in real time by remotely calling the cloud platform's API interface for adjusting elastic IP bandwidth resources.
It should be noted that determining the attacker by IP carries a possibility of collateral damage (a normal client being mistaken for an attacker). This is determined by the flexible and changeable characteristics of DDoS attacks. The aim here is only to guarantee normal service requests as far as possible.
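The bandwidth side of the gateway drift service, as an added example written for this page (not the patent's code and not any cloud vendor's API): a shared bandwidth budget is re-divided between gateway 1 and gateway 2 in proportion to the service requests each one saw in the last sampling window, so that as traffic moves to gateway 2 after the push, the main bandwidth follows it. `CloudEipApi` is a hypothetical stand-in for the vendor's elastic IP bandwidth adjustment call; the budget, floors and request counts are constructed values. Two practical details the paragraph does not spell out are included: every gateway keeps a floor of bandwidth (gateway 1 must still answer the traffic it keeps), and allocations that barely change are not pushed to the cloud API, to avoid a burst of API calls on every sampling window.

```python
class CloudEipApi:
    """Stand-in for the cloud platform's elastic IP bandwidth API (hypothetical; the
    real call name and parameters depend on the vendor)."""

    def __init__(self):
        self.calls = []  # (eip_id, mbps) in the order they were issued

    def set_bandwidth(self, eip_id, mbps):
        self.calls.append((eip_id, mbps))


class GatewayDriftService:
    """Re-divides a shared bandwidth budget between gateways by their request share."""

    def __init__(self, api, gateway_eips, total_mbps, floor_mbps=50, min_delta_mbps=20):
        self.api = api
        self.gateway_eips = gateway_eips      # gateway name -> EIP id bound to it
        self.total_mbps = total_mbps          # budget shared by the gateways
        self.floor_mbps = floor_mbps          # every gateway keeps at least this much
        self.min_delta_mbps = min_delta_mbps  # ignore tiny changes: no API thrashing
        self.current = {}                     # gateway name -> last applied mbps

    def rebalance(self, request_counts):
        """request_counts: gateway name -> service requests seen in the last window."""
        distributable = self.total_mbps - self.floor_mbps * len(self.gateway_eips)
        total_requests = sum(request_counts.get(gw, 0) for gw in self.gateway_eips)
        for gw, eip in self.gateway_eips.items():
            if total_requests:
                # integer arithmetic keeps the sum of allocations exact
                share = distributable * request_counts.get(gw, 0) // total_requests
            else:
                share = distributable // len(self.gateway_eips)  # idle: split evenly
            mbps = self.floor_mbps + share
            if abs(mbps - self.current.get(gw, -10**9)) >= self.min_delta_mbps:
                self.api.set_bandwidth(eip, mbps)
                self.current[gw] = mbps
        return dict(self.current)


def simulate_drift():
    """Constructed sampling windows: traffic moves from gateway 1 to gateway 2 after the push."""
    api = CloudEipApi()
    svc = GatewayDriftService(api, {"gateway1": "eip-1", "gateway2": "eip-2"}, total_mbps=1000)
    windows = [
        {"gateway1": 900, "gateway2": 100},  # before the push
        {"gateway1": 100, "gateway2": 900},  # clients have switched to gateway 2
        {"gateway1": 105, "gateway2": 895},  # small jitter: below min_delta, no API call
    ]
    return [svc.rebalance(w) for w in windows], api.calls
```

`simulate_drift()` shows the allocation moving from 860/140 Mbps to 140/860 Mbps after the clients switch, and the third window producing no further API calls because the change is within the configured tolerance.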
Referring to fig. 7, fig. 7 is a schematic flow chart of a method for constructing a honeypot mechanism according to an embodiment of the present invention;
4. The honeypot mechanism:
A security policy that simply intercepts the attacker's requests is too passive. Therefore a honeypot mechanism is introduced.
In particular, the business background should deploy a complete background service and the necessary databases containing false business data as a honeypot system; since the micro-service architecture naturally has the capability of load balancing and multi-instance deployment, this is very easy to achieve. After the gateway drift occurs, false service response packets are returned to the attacker through gateway 1, so that the attacker believes the attack is still effective and continues attacking, and a copy of the attack traffic is made (modern gateways support traffic mirroring) and routed to the honeypot system. The honeypot system can perform security-related automatic analysis and manual analysis, and if a normal client that suffered collateral damage is found, the system can also send a request to the gateway drift service and push a message to that client so as to complete the gateway drift for it.
Embodiments of the present solution:
1. Developing the registration login service, and deploying three instances;
2. Developing the gateway drift service, and deploying three instances;
3. Deploying a plurality of gateways (some of which exist in a hot-standby role, processing no traffic at ordinary times, with traffic drifted to them after a DDoS attack occurs), binding an elastic IP to each gateway, configuring functions such as rate limiting, and developing a gateway plug-in using plug-in technology so that the gateway can send the related requests to the gateway drift service;
4. Client development, supporting service requests by IP, and supporting message push and parsing;
5. Deploying the honeypot service instances and the honeypot system.
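The honeypot step, as an added example written for this page rather than code from the patent: after the drift, gateway 1 answers requests from listed IPs with a decoy response and mirrors a copy to the honeypot, and the honeypot's automatic analysis looks for collateral damage among the mirrored traffic. The criterion used here is an assumption for the example: a listed IP whose requests all carry a credential the registration login service actually issued and that stays under a request-rate threshold is reported back, so the gateway drift service can push the new gateway to it. The attacker list, credentials, request counts and the forwarding behaviour for unlisted clients are all constructed.

```python
from collections import defaultdict

# Constructed data (not from the patent). Credentials the registration login service
# issued, and the attacker list received from the network monitoring component;
# 198.51.100.20 is a normal client that landed on the list by mistake.
REGISTERED_CREDENTIALS = {"cred-20", "cred-7"}
ATTACKER_IPS = {"203.0.113.5", "203.0.113.9", "198.51.100.20"}


def decoy_response(request):
    """Shaped like a normal business reply but carrying only false data."""
    return {"status": 200, "body": {"balance": 0, "orders": []}}


class DriftedGateway:
    """Gateway 1 after drift: listed IPs get decoys and their traffic is mirrored."""

    def __init__(self, attacker_ips):
        self.attacker_ips = set(attacker_ips)
        self.mirror = []  # copies routed to the honeypot system

    def handle(self, request):
        if request["ip"] in self.attacker_ips:
            self.mirror.append(dict(request))
            return decoy_response(request)
        # Assumption: unlisted clients are still forwarded to the real backend.
        return {"status": 200, "body": "forwarded"}


def review_mirror(mirrored, registered, rate_threshold):
    """Honeypot-side automatic analysis: a listed IP whose requests all carry a
    registered credential and that stays under the rate threshold is reported as
    probable collateral damage, for the gateway drift service to re-push."""
    per_ip = defaultdict(list)
    for req in mirrored:
        per_ip[req["ip"]].append(req.get("credential"))
    flagged = []
    for ip, creds in per_ip.items():
        if len(creds) <= rate_threshold and all(c in registered for c in creds):
            flagged.append(ip)
    return sorted(flagged)


def constructed_mirror_window():
    """One sampling window of requests arriving at gateway 1 (constructed)."""
    reqs = [{"ip": "203.0.113.5", "credential": "junk"}] * 50       # flood, bogus credential
    reqs += [{"ip": "203.0.113.9", "credential": None}] * 30         # flood, no credential
    reqs += [{"ip": "198.51.100.20", "credential": "cred-20"}] * 3   # quiet, genuine client
    reqs += [{"ip": "198.51.100.7", "credential": "cred-7"}] * 5     # not listed, served normally
    return reqs


def run_honeypot_review(rate_threshold=10):
    """Replay the window through gateway 1 and analyse what reached the honeypot."""
    gw = DriftedGateway(ATTACKER_IPS)
    for req in constructed_mirror_window():
        gw.handle(req)
    return gw, review_mirror(gw.mirror, REGISTERED_CREDENTIALS, rate_threshold)
```

`run_honeypot_review()` mirrors the 83 requests from listed IPs and reports only 198.51.100.20; the two flooding sources fail both the credential and the rate test. In practice the threshold would be tuned against the normal request rate of real clients, and the manual analysis mentioned above would review what the automatic pass flags before the re-push is issued.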
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the invention.
Referring to fig. 8, a structural block diagram of a protection device for DDoS attack provided in an embodiment of the present invention may specifically include the following modules:
a target client determining module 801, configured to determine a target client, and obtain a client IP for the target client, where the client IP has corresponding first gateway information;
an aggressor IP determination module 802, configured to determine, when the DDOS attack is detected, an aggressor IP from the client IP based on the DDOS attack;
a second gateway information generating module 803, configured to generate second gateway information;
the service pushing module 804 is configured to determine other client IPs except for the aggressor IP as a first target IP, and send the second gateway information to the first target IP, so that other clients corresponding to the first target IP perform service pushing based on the second gateway information.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
In addition, the embodiment of the invention also provides an electronic device, as shown in fig. 9, which comprises a processor 901, a communication interface 902, a memory 903 and a communication bus 904, wherein the processor 901, the communication interface 902 and the memory 903 communicate with each other through the communication bus 904;
the memory 903 is configured to store a computer program;
the processor 901 is configured to implement the protection method for DDoS attack according to any one of the above embodiments when executing the program stored in the memory 903.
The communication bus mentioned for the above terminal may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, the figures show only one bold line, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the terminal and other devices.
The memory may include random access memory (Random Access Memory, RAM) or may include non-volatile memory (non-volatile memory), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components.
In yet another embodiment provided by the present invention, as shown in fig. 10, there is further provided a computer readable storage medium 1001, in which instructions are stored, which when executed on a computer, cause the computer to perform the protection method for DDoS attack described in the above embodiment.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present invention and the scope of the claims, which are to be protected by the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art or in part, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.