
WO2018130137A1 - Method and apparatus for defending against network attacks, medium and device - Google Patents

Info

Publication number: WO2018130137A1
Application number: PCT/CN2018/071892
Authority: WO (WIPO, PCT)
Prior art keywords: access request, service access, request message, packet, attack
Legal status: Ceased
Other languages: English (en), Chinese (zh)
Inventor: 丛磊
Current assignee: Guizhou Baishancloud Technology Co Ltd
Original assignee: Guizhou Baishancloud Technology Co Ltd
Priority date: 2017-01-10
Filing date: 2018-01-09
Publication date: 2018-07-19
Family has litigation: first worldwide family litigation filed (Darts-ip "Global patent litigation dataset", CC BY 4.0: https://patents.darts-ip.com/?family=61169428&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=WO2018130137(A1))

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416  Event detection, e.g. attack signature detection
    • H04L 63/1441  Countermeasures against malicious traffic

Definitions

  • The embodiments of the present invention relate to the field of Internet technologies, and in particular to a method, an apparatus, a medium and a device for defending against network attacks.
  • Traffic attacks generally refer to Layer 3 (network layer) or Layer 4 (transport layer) attacks. Their main purpose is to exploit flaws in the TCP/IP (Transmission Control Protocol / Internet Protocol) protocol suite itself, forging source IP addresses to generate attack packets that flood the target with traffic.
  • SYN flood is the most common denial-of-service attack of this kind: the attacker fakes the TCP handshake by sending large numbers of synchronize (SYN) packets, saturating the ingress capacity of the equipment room so that legitimate business packets can no longer be processed and the normal business is paralyzed.
  • A Layer 7 (application layer) attack generally refers to a CC (Challenge Collapsar) attack, which targets a specific actual service and can also be regarded as an HTTP (Hypertext Transfer Protocol) attack. The most common form is high-frequency access to a single interface, driving the application server into an abnormal state and affecting the business; constructing requests for bot ticket-grabbing or for mass-requesting verification codes also falls within the scope of CC attacks.
  • RST denotes the TCP reset flag: a packet with RST set tears the connection down.
  • RST bounce is a common defensive technique. Its principle: when a user initiates a TCP connection request, the connection request is first rejected by returning an RST packet. A real user (a browser) will retry, that is, initiate a second connection request, which the firewall then lets through; an attacker's program typically does not retry, so the interception goal is achieved.
  • RST bounce has many drawbacks. One of them is that it is implemented as Layer 7 interception in the traditional load balancing layer (that is, directly in the load balancing program or device), which requires complete HTTP protocol parsing and therefore consumes considerable CPU resources.
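The RST-bounce gate described above, written out as an added example in Python (this is not code from the patent or its assignee). State is keyed on the client IP address, the 30-second retry window and 10-minute trust period are assumed values, and the traffic is constructed.

```python
"""RST-bounce gate from the background section above: the first TCP connection
attempt from a source is answered with a TCP RST; a real client retries and the
retry is admitted, a one-shot attack script that never retries stays out.
Added example, not code from the patent or its assignee."""
from datetime import datetime, timedelta


class RstBounceGate:
    """State per client address (an assumption; the text does not fix the key)."""

    def __init__(self, retry_window=timedelta(seconds=30), trust_for=timedelta(minutes=10)):
        self.retry_window = retry_window  # how long a bounced client has to retry (assumed)
        self.trust_for = trust_for        # how long an admitted client stays admitted (assumed)
        self._refused = {}                # ip -> time of the RST we answered with
        self._trusted = {}                # ip -> time until which it passes straight through

    def decide(self, ip, now):
        """Return 'RST' (refuse with a reset) or 'PASS' (hand the SYN to the service)."""
        if self._trusted.get(ip, datetime.min) > now:
            return "PASS"
        refused_at = self._refused.pop(ip, None)
        if refused_at is not None and now - refused_at <= self.retry_window:
            self._trusted[ip] = now + self.trust_for  # the retry is what a real TCP client does
            return "PASS"
        self._refused[ip] = now                       # first sight, or a retry that came too late
        return "RST"


def simulate(events, gate=None):
    """events: (ip, arrival time) of SYNs in order -> [(ip, decision)]."""
    gate = gate or RstBounceGate()
    return [(ip, gate.decide(ip, t)) for ip, t in events]


T0 = datetime(2017, 1, 10, 10, 0, 0)
# Constructed traffic: a browser retries after the reset, a one-shot script does not.
EVENTS = [
    ("198.51.100.20", T0),                          # browser, first SYN -> RST
    ("203.0.113.7", T0 + timedelta(seconds=1)),     # script, first SYN -> RST, never retries
    ("198.51.100.20", T0 + timedelta(seconds=3)),   # browser retry inside the window -> PASS
    ("198.51.100.20", T0 + timedelta(seconds=40)),  # still trusted -> PASS
    ("203.0.113.7", T0 + timedelta(seconds=120)),   # script back long after the window -> RST
]

if __name__ == "__main__":
    print(simulate(EVENTS))
```

The gate is only as strong as the assumption that attack tools do not retry: any client library that reconnects after a RST is admitted on its second attempt, and all clients behind one NAT address share the same state, so a bounced or trusted entry applies to every one of them.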
  • The embodiment of the invention provides a method and a device for defending against network attacks. Because attack packets are intercepted at the kernel layer, complete HTTP protocol parsing is not required, and the CPU resources consumed can be effectively reduced.
  • The method obtains a service access request message, determines whether the service access request message is an attack message, and, if so, discards the service access request message at the kernel layer.
  • Discarding the service access request packet at the kernel layer includes discarding it at the kernel layer by operating iptables.
  • Optionally, the method further includes releasing the TCP connection corresponding to the service access request packet after the packet has been discarded at the kernel layer by operating iptables. The release is performed by using iptables to change the TCP packets of that connection into connection reset (RST) packets, so that the TCP connection corresponding to the service access request message is released.
  • Determining whether the service access request packet is an attack packet includes collecting a service access request log and determining, according to the feature information of the service access request log, whether the packet is an attack packet. Optionally, the determination is made according to the feature information of the log together with the currently accessed domain name. Specifically, if the historical access frequency of the service access request packet is greater than a preset value (and, in the domain-aware variant, the currently accessed domain name is a preset domain name), the service access request packet is determined to be an attack packet.
  • Optionally, after the service access request packet is determined to be an attack packet, its risk level is determined. When the risk level is the first risk level, the step of discarding the packet at the kernel layer is triggered; when the risk level is the second risk level, a warning indication is displayed, indicating that a network attack currently exists. The first risk level is higher than the second risk level.
  • The device comprises: an obtaining module configured to obtain a service access request message; a first determining module configured to determine whether the service access request packet obtained by the obtaining module is an attack packet; and a discarding module configured to discard the service access request packet at the kernel layer if the first determining module determines that it is an attack packet. The discarding module is specifically used to discard the service access request message at the kernel layer by operating iptables.
  • Optionally, the device further comprises a release module configured to release the TCP connection corresponding to the service access request message after the message has been discarded at the kernel layer by operating iptables. The release module is specifically used to change the TCP packets of that connection into connection reset (RST) packets by means of iptables, thereby releasing the TCP connection corresponding to the service access request packet.
  • The first determining module includes a collection unit configured to collect a service access request log, and a determining unit configured to determine, according to the feature information of the service access request log collected by the collection unit (optionally together with the currently accessed domain name), whether the service access request packet is an attack packet. The determining unit is specifically used to determine that the service access request packet is an attack packet when the conditions above are met.
  • Optionally, the device further comprises: a second determining module configured to determine the risk level of the service access request message after the first determining module has determined that it is an attack message; a triggering module configured to trigger the discarding module to discard the message at the kernel layer when the second determining module determines that the risk level is the first risk level; and a display module configured to display a warning indication, indicating that a network attack currently exists, when the second determining module determines that the risk level is the second risk level. The first risk level is higher than the second risk level.
  • A computer-readable storage medium provided by an embodiment of the present invention stores a computer program which, when executed by a processor, implements the steps of the foregoing method.
  • A computer device provided by an embodiment of the present invention includes a memory, a processor, and a computer program stored in the memory and operable on the processor; the processor implements the steps of the foregoing method when it executes the program.
  • In the embodiments of the present invention the attack packet is discarded at the kernel layer, so complete protocol parsing is not required and no large amount of CPU resources is consumed; the CPU resources consumed can therefore be effectively reduced.
  • FIG. 1 is a schematic flowchart diagram of a method for defending against network attacks according to an embodiment of the present invention
  • FIG. 2 is another schematic flowchart of a method for defending against network attacks according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a system for implementing a defense against a network attack according to an embodiment of the present invention
  • FIG. 4 is a schematic structural diagram of a Storm big data computing platform according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
  • FIG. 6 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
  • FIG. 7 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
  • FIG. 8 is another schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
  • FIG. 1 is a schematic flowchart of an embodiment of a method for defending against a network attack according to an embodiment of the present invention, including:
  • Step 101 Obtain a service access request message.
  • Step 102 Determine whether the service access request packet is an attack packet, and if yes, perform step 103.
  • Step 103 Discard the service access request message at the kernel layer.
  • In this embodiment, a service access request packet is obtained and it is determined whether that packet is an attack packet; if it is, the service access request message is discarded at the kernel layer. Because the attack packet is discarded at the kernel layer, complete protocol parsing is not required and no large amount of CPU resources is consumed, so the CPU resources consumed can be effectively reduced.
  • FIG. 2 is a schematic flowchart of another embodiment of a method for defending against network attacks according to an embodiment of the present invention, including:
  • Step 201 Collect a service access request log.
  • In this embodiment the service access request log may be collected through a Kafka (Apache Kafka) queue. Kafka is a high-throughput distributed message queue that can record all the activity stream data of a website, for example users' web browsing, searches and other user behaviour; it is a data processing framework well suited to handling massive volumes of service access request logs, user behaviour records and website operation statistics. Collecting service access request logs through Kafka queues has the following characteristics:
  • Kafka provides message persistence through a disk data structure with O(1) time complexity, so that even message volumes beyond the terabyte level can be stored stably over a long period.
  • Kafka queues can satisfy a variety of real-time online and offline processing needs, as well as low-latency and batch-throughput performance requirements.
  • Taking HTTP requests as an example, the HTTP access request log can be collected through the Kafka queue.
  • Step 202 Obtain a service access request message.
  • Step 203 Determine, according to the feature information of the service access request log, whether the service access request packet is an attack packet; if it is, perform step 204.
  • The service access request log is a file recording information related to the access process over a certain period of time, such as the access time and the source IP address of each service access request.
  • Taking HTTP as an example, whether the HTTP access request packet is an attack packet is determined according to the feature information of the HTTP access request log. That feature information includes, but is not limited to:
  • the HTTP access records in the request log, from which the access status of the currently acquired HTTP access request message within a certain period of time can be determined, for example its historical access frequency and its total number of accesses within a preset time period.
  • The preset time period may be set according to the actual application; for example, it may be one month. It is not limited herein.
  • Determining whether the service access request packet is an attack packet according to the feature information of the service access request log specifically means: the historical access frequency of the service access request message is determined from the request times recorded in the service access request log, and if that frequency is greater than a preset value, the service access request message is determined to be an attack message.
  • The preset value can be set according to actual needs and is not limited herein. It should be noted that this is only one way of determining whether the service access request packet is an attack packet; any determination of whether the currently obtained packet is an attack packet made according to the feature information of the service access request log is within scope, and the manner is not limited herein.
  • The load balancing server is a control server: all user service access requests are first sent to the load balancing server, which then assigns each service access request to one of the actual processing servers according to the status of those servers, where the request is actually processed.
  • The load balancing server generally only performs load balancing task allocation; it is not the server that actually processes the service access request.
  • Behind the same load balancing server there are generally multiple domain names.
  • Taking the load balancing server of Sohu as an example, behind one load balancing server there is both the domain name http://www.sohu.com, that is, Sohu's main site, and the domain name http://m.sohu.com, that is, Sohu's mobile site. The same message can be treated differently for different domain names: the same message may be allowed to access only certain of these domain names.
  • Therefore, the feature information of the service access request log together with the currently accessed domain name can be used to determine whether the service access request message is an attack message. Specifically, the historical access frequency of the service access request packet is determined from the service access request log, the domain name currently accessed by the request is determined, and if the historical access frequency is greater than a preset value and the currently accessed domain name is a preset domain name, the service access request packet is determined to be an attack packet.
  • For example, when the historical access frequency of packets from an IP address is higher than the preset value, that IP address is identified as one attacking Sohu's mobile site (http://m.sohu.com); the service access requests it generates towards the mobile site cannot pass the firewall, but its normal access to Sohu's main site (http://www.sohu.com) is not affected.
  • Thus, in the embodiment of the present invention, the behaviour of the same IP packet can differ across the domain names behind the load balancing server, that is, the domain name can be used to restrict the behaviour of the IP packet: the IP packet is forbidden to access certain domain names behind the same load balancer instead of being blocked entirely. This increases the flexibility of the solution and effectively reduces the situations in which the business corresponding to some domain names cannot proceed normally.
  • Step 204 Discard the service access request message at the kernel layer by operating iptables.
  • iptables is the administration interface to the packet processing (netfilter) framework inside the Linux kernel. It provides network address translation, packet mangling (modifying packet content) and packet filtering, that is, firewall functions.
  • In this embodiment, the service access request packet is discarded at the kernel layer by operating iptables.
  • Optionally, the method further includes: after the service access request message is determined to be an attack message, determining its risk level; when the risk level is the first risk level, triggering the step of discarding the service access request message at the kernel layer; when the risk level is the second risk level, displaying a warning indication, which indicates that a network attack currently exists. The first risk level is higher than the second risk level.
  • The risk level of an attack message may thus be classified into a first risk level and a second risk level. The level may be determined from access characteristics of the attack message such as its historical access frequency and the degree of repetition (looping) in its access paths; this is not limited herein.
  • By determining the risk level of the service access request packet, packets can be handled differently according to their risk level.
  • For example, each attack packet is scored. The scoring criteria may include historical access frequency, access request time differences, access path loop repetition, access path dispersion, access status code differences and the like, and the individual criterion scores are combined into an overall score.
  • The score range is [0, 99], where 0 is harmless and 99 is the most dangerous. The user can set the danger ranges, for example: below 60, no action; 60 to 80, the second risk level, at which only the alarm system is notified so that it displays an alarm indicating a current network attack; 80 and above, the first risk level, at which actual interception is performed.
  • Step 205 Release the TCP connection corresponding to the service access request message.
  • Optionally, after the service access request message has been discarded, the TCP connection corresponding to it is released.
  • Taking HTTP as an example, a TCP connection is established first, and the HTTP protocol layer session is carried out over the established TCP connection. After the HTTP access request packet is discarded, releasing the TCP connection corresponding to it can effectively reduce the number of TCP connections held on the server.
  • Specifically, the TCP connection corresponding to the service access request message is released in the following way: by means of iptables, the TCP packets belonging to that connection are changed into connection reset (RST) packets, which achieves the purpose of releasing the TCP connection corresponding to the service access request message.
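Steps 201 to 205 above, carried end to end as one added example in Python (not code from the patent or its assignee). The log layout, the time window, the frequency preset, the protected domain list, the scoring weights and the iptables chain and port are all assumptions, and the log lines are constructed. The iptables commands are returned as strings for the interceptor to run on a Linux host as root, not executed here; the "change the packet type to RST" step is rendered as the iptables REJECT target with --reject-with tcp-reset, which answers a matching packet with a TCP RST.

```python
"""Steps 201-205 of the FIG. 2 flow as one pipeline: collect access-log lines,
extract per-source features, decide whether a source is attacking a protected
domain, score its danger on [0, 99], and choose the action (none / alert /
kernel-layer interception via iptables plus TCP release).
Added example; not code from the patent or its assignee."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log. Assumed layout: "<iso-time> <src-ip> <host> <method> <path> <status>".
SAMPLE_LOG = """\
2017-01-10T10:00:00 203.0.113.7 m.sohu.com GET /api/ticket 200
2017-01-10T10:00:01 203.0.113.7 m.sohu.com GET /api/ticket 200
2017-01-10T10:00:02 203.0.113.7 m.sohu.com GET /api/ticket 429
2017-01-10T10:00:03 203.0.113.7 m.sohu.com GET /api/ticket 429
2017-01-10T10:00:00 192.0.2.9 m.sohu.com GET /news 200
2017-01-10T10:00:05 192.0.2.9 m.sohu.com GET /news 200
2017-01-10T10:00:10 192.0.2.9 m.sohu.com GET /news 200
2017-01-10T10:00:15 192.0.2.9 m.sohu.com GET /sports 200
2017-01-10T10:00:00 198.51.100.20 www.sohu.com GET / 200
2017-01-10T10:00:19 198.51.100.20 www.sohu.com GET /static/app.js 200
"""

# Tunables. All are assumed values; the patent leaves them to the operator.
WINDOW = timedelta(seconds=60)      # the "preset time period"
FREQ_PRESET = 3                     # requests per window above which a source is suspect
PROTECTED_DOMAINS = {"m.sohu.com"}  # the "preset domain name(s)" behind the load balancer
GAP_REF = 10.0                      # mean gap (s) at or above which timing looks human
WEIGHTS = {"freq": 0.40, "gap": 0.20, "repeat": 0.25, "error": 0.15}
ALERT_AT, INTERCEPT_AT = 60, 80     # second / first danger level thresholds from the text


def parse_log(text):
    """Steps 201/202: one record per request, restricted to the newest WINDOW."""
    recs = []
    for line in text.splitlines():
        ts, ip, host, _method, path, status = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "ip": ip, "host": host,
                     "path": path, "status": int(status)})
    newest = max(r["ts"] for r in recs)
    return [r for r in recs if r["ts"] >= newest - WINDOW]


def features(recs):
    """Per source IP: count, mean inter-request gap, most-repeated-path share, non-2xx share, hosts."""
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r)
    out = {}
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        n = len(rs)
        out[ip] = {
            "count": n,
            "mean_gap": sum(gaps) / len(gaps) if gaps else GAP_REF,  # lone request: no timing signal
            "repeat": Counter(r["path"] for r in rs).most_common(1)[0][1] / n,
            "error": sum(not 200 <= r["status"] < 300 for r in rs) / n,
            "hosts": {r["host"] for r in rs},
        }
    return out


def is_attack(feat, protected=PROTECTED_DOMAINS):
    """Step 203: frequency above the preset and (if a domain list is given) a protected host."""
    return feat["count"] > FREQ_PRESET and (protected is None or bool(feat["hosts"] & protected))


def danger_score(feat):
    """Weighted combination of the criteria named in the text, scaled to [0, 99]."""
    parts = {
        "freq": min(feat["count"] / FREQ_PRESET, 1.0),
        "gap": max(0.0, 1.0 - feat["mean_gap"] / GAP_REF),
        "repeat": feat["repeat"],
        "error": feat["error"],
    }
    return round(99 * sum(WEIGHTS[k] * v for k, v in parts.items()))


def action_for(score):
    """>= 80: first danger level (intercept); 60..79: second level (alarm only); else nothing."""
    return "intercept" if score >= INTERCEPT_AT else "alert" if score >= ALERT_AT else "none"


def iptables_rules(ip, port=80):
    """Steps 204/205 as commands for the interceptor (assumed: INPUT chain, HTTP on tcp/80).
    Both insert at position 1, so the rule issued last is evaluated first: established
    flows are answered with a TCP RST (release), every other packet from the source is dropped."""
    ipaddress.ip_address(ip)  # raises ValueError on anything but a literal address
    base = f"iptables -I INPUT 1 -s {ip} -p tcp --dport {port}"
    return [f"{base} -j DROP",
            f"{base} -m conntrack --ctstate ESTABLISHED -j REJECT --reject-with tcp-reset"]


def run(log_text=SAMPLE_LOG):
    """Returns {ip: (is_attack, score, action, iptables commands)}."""
    verdicts = {}
    for ip, feat in features(parse_log(log_text)).items():
        if not is_attack(feat):
            verdicts[ip] = (False, None, "none", [])
            continue
        score = danger_score(feat)
        act = action_for(score)
        verdicts[ip] = (True, score, act, iptables_rules(ip) if act == "intercept" else [])
    return verdicts


if __name__ == "__main__":
    print(run())
```

Two caveats a deployment needs. A REJECT in the INPUT chain resets the remote peer, but the load balancer's own socket for an already-established connection is not notified and stays open until the application closes it or TCP keepalive expires; releasing server-side connections therefore also needs the application to close them or an administrative kill such as ss -K dst <ip> (requires a kernel built with CONFIG_INET_DIAG_DESTROY). And the address in the rule must be the TCP peer the kernel sees: if the load balancer sits behind another proxy, the client address in the log comes from a header such as X-Forwarded-For and a DROP on it would hit the proxy instead. For large blocklists, one ipset referenced by a single rule (-m set --match-set) scales better than one rule per address.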
  • FIG. 3 is a schematic structural diagram of a system for implementing the method for defending against a network attack according to an embodiment of the present invention.
  • The interceptor mainly plays the role of intercepting the attack message at the kernel layer; it performs the interception in the kernel by means of iptables.
  • The interceptor sets the matching rule in the kernel by operating iptables; when a packet matches the rule, the interception action is triggered.
  • FIG. 4 shows a schematic diagram of the Storm big data computing platform, including a log input module (loginput), a filtering module (filter), an IP module (IP), a configuration module (Conf) and an alarm module (alert).
  • The log input module reads the collected HTTP access request log and passes it to the filtering module. The filtering module extracts the feature information of the valid HTTP access request log entries, such as the request time of each HTTP access request, and sends the feature information to the IP module.
  • The matching parameters are configured in the configuration file of the Storm big data computing platform. The configuration module computes the matching rules from that configuration file, and the matching rules are applied in the IP module.
  • The IP module receives the feature information from the filtering module. For each received HTTP access request message, the feature information is used to classify the message: for example, the historical access frequency of the HTTP access request message is queried by means of the feature information, and the domain name accessed by the HTTP access request packet is determined with the KMP (Knuth-Morris-Pratt) string matching algorithm.
  • If the HTTP access request packet is an attack packet, it is sent to the alert module.
  • The alert module performs different actions according to the risk level of the HTTP access request packet: when the risk level of the service access request packet is the first risk level, the step of discarding the service access request message at the kernel layer is triggered; when the risk level is the second risk level, a warning indication is displayed, indicating that a network attack currently exists. The first risk level is higher than the second risk level.
  • In summary, the embodiment of the present invention provides a method and a device for defending against a network attack: a service access request packet is obtained, it is determined whether the packet is an attack packet, and if it is, the packet is discarded at the kernel layer. Compared with discarding attack packets by Layer 7 interception in the traditional load balancing layer, discarding at the kernel layer does not require complete protocol parsing, so no large amount of CPU resources is consumed and the CPU resources consumed can be effectively reduced.
  • The foregoing embodiments describe the method for defending against network attacks. Based on this method, the embodiments of the present invention also provide an apparatus for defending against network attacks, which is described below.
  • FIG. 5 is a schematic structural diagram of an apparatus for defending against network attacks according to an embodiment of the present invention.
  • the apparatus includes an obtaining module 501, a first determining module 502, and a discarding module 503. Function description:
  • the obtaining module 501 is configured to obtain a service access request packet.
  • the first determining module 502 is configured to determine whether the service access request packet obtained by the obtaining module 501 is an attack packet.
  • the discarding module 503 is configured to discard the service access request message at the kernel layer if the first determining module 502 determines that the service access request message is an attack message.
  • The discarding module 503 is specifically configured to discard the service access request message at the kernel layer by operating iptables.
  • Optionally, the apparatus further includes a release module 504 configured to release the TCP connection corresponding to the service access request message after the message has been discarded at the kernel layer by operating iptables. The release module 504 is specifically configured to change the TCP packets of that connection into connection reset (RST) packets by means of iptables, thereby releasing the TCP connection corresponding to the service access request message.
  • The first determining module 502 includes a collecting unit 5021 configured to collect a service access request log, and a determining unit 5022 configured to determine, according to the feature information of the service access request log collected by the collecting unit 5021, whether the service access request message is an attack message.
  • The determining unit 5022 is further configured to determine whether the service access request packet is an attack packet according to the feature information of the service access request log together with the currently accessed domain name.
  • The determining unit 5022 is specifically configured to determine that the service access request packet is an attack packet when its historical access frequency is greater than the preset value (and, in the domain-aware variant, the currently accessed domain name is a preset domain name).
  • Optionally, the device further includes: a second determining module 505 configured to determine the risk level of the service access request message after the first determining module 502 has determined that it is an attack message; a triggering module 506 configured to trigger the discarding module 503 to discard the service access request message at the kernel layer when the second determining module 505 determines that the risk level is the first risk level; and a display module 507 configured to display a warning indication, indicating that a network attack currently exists, when the second determining module 505 determines that the risk level is the second risk level. The first risk level is higher than the second risk level.
  • The embodiment of the present invention thus provides a method and a device for defending against network attacks: a service access request packet is obtained, it is determined whether the packet is an attack packet, and if so the packet is discarded at the kernel layer. Because the attack packet is discarded at the kernel layer, complete protocol parsing is not required, no large amount of CPU resources is consumed, and the CPU resources consumed can be effectively reduced.
  • Computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
  • Communication media typically embody computer readable instructions, data structures, program modules or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and include any information delivery media.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a method and an apparatus for defending against network attacks, a medium and a device. The method consists of: acquiring a service access request message; determining whether the service access request message is an attack message; and, if so, discarding the service access request message at the kernel layer. In the embodiments of the present invention the attack message is discarded at the kernel layer without the need for complete protocol parsing, that is, without the need to consume a large amount of CPU resources, which effectively reduces CPU resource consumption.
PCT/CN2018/071892 2017-01-10 2018-01-09 Method and apparatus for defending against network attacks, medium and device Ceased WO2018130137A1 (fr)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201710018349.1A CN107707513B (zh) | 2017-01-10 | 2017-01-10 | 一种防御网络攻击的方法以及装置 (A method and apparatus for defending against network attacks)

Publications (1)

Publication Number Publication Date
WO2018130137A1 (fr) 2018-07-19

Family

ID=61169428

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/071892 Ceased WO2018130137A1 (fr) 2017-01-10 2018-01-09 Method and apparatus for defending against network attacks, medium and device

Country Status (2)

Country Link
CN (1) CN107707513B (fr)
WO (1) WO2018130137A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866003A (zh) * 2020-07-27 2020-10-30 中国联合网络通信集团有限公司 一种终端的风险评估方法和装置 (Risk assessment method and apparatus for a terminal)
CN112134838A (zh) * 2020-08-12 2020-12-25 新华三技术有限公司合肥分公司 防止网络攻击的方法及装置 (Method and apparatus for preventing network attacks)
CN114205116A (zh) * 2021-11-16 2022-03-18 广西中科曙光云计算有限公司 一种零信任无边界安全访问系统 (Zero-trust borderless secure access system)
CN115314297A (zh) * 2022-08-09 2022-11-08 深圳星云智联科技有限公司 一种doss攻击防御方法、装置、设备、存储介质 (DoS attack defense method, apparatus, device and storage medium)
CN115361179A (zh) * 2022-08-04 2022-11-18 四川启睿克科技有限公司 一种基于自定义拦截标识的cc攻击防护方法 (CC attack protection method based on a custom interception identifier)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114520766B (zh) * 2022-04-21 2022-08-30 博为科技有限公司 A networking control method for a router and related device
CN115801401A (zh) * 2022-11-15 2023-03-14 北京天融信网络安全技术有限公司 Method, apparatus, electronic device and storage medium for monitoring user access requests

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572701A (zh) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Anti-DDoS security gateway system for DNS services
CN101958883A (zh) * 2010-03-26 2011-01-26 湘潭大学 A method for defending against SYN Flood attacks based on a Bloom Filter and an open-source kernel
CN102833335A (zh) * 2012-08-29 2012-12-19 北京星网锐捷网络技术有限公司 Method, apparatus and client for controlling a proxy Internet access service
US20130212679A1 (en) * 2007-05-25 2013-08-15 New Jersey Institute Of Technology PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS
CN106209852A (zh) * 2016-07-13 2016-12-07 成都知道创宇信息技术有限公司 A DPDK-based DNS denial-of-service attack defense method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457489B (zh) * 2010-10-26 2015-11-25 中国民航大学 Low-rate DoS (LDoS) attack, detection and defense module
CN104468624B (zh) * 2014-12-22 2018-01-02 上海斐讯数据通信技术有限公司 SDN controller, routing/switching device and network defense method
CN105991628A (zh) * 2015-03-24 2016-10-05 杭州迪普科技有限公司 Network attack identification method and apparatus
CN104954188B (zh) * 2015-06-30 2018-05-01 北京奇安信科技有限公司 Cloud-based website log security analysis method, apparatus and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130212679A1 (en) * 2007-05-25 2013-08-15 New Jersey Institute Of Technology PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS
CN101572701A (zh) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Anti-DDoS security gateway system for DNS services
CN101958883A (zh) * 2010-03-26 2011-01-26 湘潭大学 A method for defending against SYN Flood attacks based on a Bloom Filter and an open-source kernel
CN102833335A (zh) * 2012-08-29 2012-12-19 北京星网锐捷网络技术有限公司 Method, apparatus and client for controlling a proxy Internet access service
CN106209852A (zh) * 2016-07-13 2016-12-07 成都知道创宇信息技术有限公司 A DPDK-based DNS denial-of-service attack defense method

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866003A (zh) * 2020-07-27 2020-10-30 中国联合网络通信集团有限公司 A terminal risk assessment method and apparatus
CN111866003B (zh) * 2020-07-27 2022-04-08 中国联合网络通信集团有限公司 A terminal risk assessment method and apparatus
CN112134838A (zh) * 2020-08-12 2020-12-25 新华三技术有限公司合肥分公司 Method and apparatus for preventing network attacks
CN112134838B (zh) * 2020-08-12 2022-05-27 新华三技术有限公司合肥分公司 Method and apparatus for preventing network attacks
CN114205116A (zh) * 2021-11-16 2022-03-18 广西中科曙光云计算有限公司 A zero-trust borderless secure access system
CN114205116B (zh) * 2021-11-16 2023-12-19 广西中科曙光云计算有限公司 A zero-trust borderless secure access system
CN115361179A (zh) * 2022-08-04 2022-11-18 四川启睿克科技有限公司 A CC attack protection method based on a custom interception identifier
CN115314297A (zh) * 2022-08-09 2022-11-08 深圳星云智联科技有限公司 A doss attack defense method, apparatus, device and storage medium

Also Published As

Publication number Publication date
CN107707513A (zh) 2018-02-16
CN107707513B (zh) 2019-05-17

Similar Documents

Publication Title
WO2018130137A1 (fr) Method and apparatus for defending against network attacks, medium and device
CN109829310B (zh) Defense method and apparatus, system, storage medium and electronic apparatus for similar attacks
US10608992B2 (en) Hybrid hardware-software distributed threat analysis
EP2289221B1 (fr) Protecting a network against intrusion
US9071576B1 (en) Application rate limiting without overhead
CN117321966A (zh) Methods and systems for efficient threat context-aware packet filtering for network protection
CN109194680B (zh) A network attack identification method, apparatus and device
WO2018095192A1 (fr) Method and system for detecting and preventing website attacks
US20180167361A1 (en) Network Attack Prevention Method, Apparatus and System
US20110083179A1 (en) System and method for mitigating a denial of service attack using cloud computing
US10298613B2 (en) Mitigation of distributed denial-of-service attacks
JP2019021294A (ja) DDoS attack determination system and method
CN110166480B (zh) A data packet analysis method and apparatus
CN108809749B (zh) Performing upper-layer inspection of flows based on a sampling rate
CN103428224A (zh) A method and apparatus for intelligently defending against DDoS attacks
CN110875907A (zh) An access request control method and apparatus
JP6548823B2 (ja) Real-time validation of JSON data applying tree graph properties
CN111565203B (zh) Service request protection method, apparatus, system and computer device
Arafat et al. A practical approach and mitigation techniques on application layer DDoS attack in web server
CN112434304A (zh) Method for defending against network attacks, server and computer-readable storage medium
CN111131309A (zh) Distributed denial-of-service detection method and apparatus, and model creation method and apparatus
CN118316656A (zh) Data packet processing method, apparatus, electronic device and storage medium
CN112202821B (zh) A CC attack identification and defense system and method
US20230056625A1 (en) Computing device and method of detecting compromised network devices
Aldaoud et al. Detecting and mitigating DHCP attacks in OpenFlow-based SDN networks: a comprehensive approach

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18738485

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18738485

Country of ref document: EP

Kind code of ref document: A1