Method and protecting apparatus for defending denial of service attack

A denial-of-service protection method and device, applied in the field of network communication, which addresses the difficulty of protecting diverse servers, the impracticality of scanning for every known vulnerability attack and the high processing cost of doing so, and achieves the effect of defending against denial of service attacks.

Inactive Publication Date: 2009-08-12
NEW H3C TECH CO LTD

AI Technical Summary

Problems solved by technology

[0009] Although the defense method based on known defect (vulnerability) attacks can precisely block known attacks, it requires dedicated processing for each kind of defect attack; the more types of defect attack there are, the higher the processing cost. When attack traffic is large, it is unrealistic to scan every packet for every vulnerability attack, so this approach is only used as a secondary means.
The defense method based on statistics of fixed features, by contrast, can derive a suitable threshold from historical data as long as the type and characteristics of the protected service are known, and can screen out illegal traffic to a certain extent. It is simple to implement and efficient to process, and is the main method used by current DDoS protection devices. Its drawback is that there are now many kinds of servers, among which game servers account for a large proportion; the protocol characteristics of each game server differ, and it is difficult to protect this kind of server well by analysing service type and characteristics alone.


Examples


Embodiment 1

[0037] Embodiment one: for a given service port (referred to here as port A) of the protected host or server, count the service flows (a service flow being the set of packets whose five-tuple, i.e. protocol number, source IP, source port, destination IP and destination port, is identical) and record the statistical distribution of the value of each of the first 16 bytes of the first packet of each flow. If the probability that a given byte among these 16 takes the same value is greater than a preset threshold, for example 80%, that byte is regarded as a feature byte.

[0038] For example, the statistical distribution of the values of the first 16 bytes of the first packets of 1237 HTTP service flows on port A is counted. Here the threshold is set to 90%, and the first 5 bytes are each found to take the same value with a probability of more than 90%, as follows:

[0039] Byte[i]--->>>
[0040] count / total:value (number of flows whose Byte[i] took the given value, out of all flows counted)
[0041] Byte[0]--->>>
[0042]
  1173 / 1237:71
    29 / 1237:80
    18 / 1237:60
     2 / 1237:0
     2 / 1237:112
     2 / 1237:115
[0043] 2 / ...

Embodiment 2

[0066] Embodiment two: for a service port of the protected host or server, count all packets of the service flow (here the set of packets whose protocol number, destination IP address and destination port are identical) and record the statistical distribution of the value of each of the first 16 bytes of every packet. If the probability that a given byte among these 16 takes the same value is greater than the preset threshold, that byte is regarded as a feature byte.

[0067] For example, the statistical distribution of the values of the first 16 bytes of packets whose destination port is server port 8000 is found to be concentrated in the first 4 bytes, as shown below:

[0068] FlowNum=329, PacketNum=1502 (329 service flows were counted, containing a total of 1502 packets.)

[0069] Byte[i]--->>>
[0070] count / total:value (number of packets whose Byte[i] took the given value, out of all packets counted)
[0071] Byte[0]--->>>
[0072]
  1202 / 1502:2
   169 / 1502:3
    49 / 1502:56
    36 / 1502:254
    21 / 1502:0
    21 / 1502:4
     4 / 1502:1
[0073] Byte[3]--->>>
[0074] 118...
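As an added illustration (not code from the patent), the statistics and classification steps of both embodiments in Python: a per-position value histogram over the first 16 bytes, feature-byte selection against a threshold, and the attack/service decision for a new packet. The same functions serve embodiment one (pass the first packet of each flow) and embodiment two (pass every packet of the flow); the training packets are constructed and the function names are my own.

```python
from collections import Counter

HEADER_LEN = 16   # the patent inspects the first 16 bytes of each packet

def byte_distributions(packets, n=HEADER_LEN):
    """Per-position histogram of byte values over the first n bytes of every packet."""
    dists = [Counter() for _ in range(n)]
    for pkt in packets:
        for i, b in enumerate(pkt[:n]):
            dists[i][b] += 1
    return dists

def feature_bytes(dists, total, threshold=0.9):
    """Positions whose most frequent value occurs in more than `threshold` of the
    packets become feature bytes; returns {position: expected_value}."""
    feats = {}
    for i, c in enumerate(dists):
        if c:
            value, count = c.most_common(1)[0]
            if count / total > threshold:
                feats[i] = value
    return feats

def report(dists, total):
    """Render each position's histogram in the 'count / total:value' layout of the listing."""
    return [f"Byte[{i}]--->>> " + " ".join(f"{n} / {total}:{v}" for v, n in c.most_common())
            for i, c in enumerate(dists)]

def is_attack(pkt, feats):
    """A packet whose feature bytes deviate from the learned values, or which is too
    short to carry them, is classified as an attack packet; otherwise as service."""
    return any(i >= len(pkt) or pkt[i] != v for i, v in feats.items())

# Constructed training sample (not from the patent): first packets of 95 GET and
# 5 POST flows on one port, with varying path lengths so that only "GET /"
# (bytes 0-4) is stable enough to exceed the 90 % threshold.
TRAIN = [f"GET /{'a' * (i % 8)} HTTP/1.1\r\n".encode() for i in range(95)] + \
        [f"POST /{'b' * (i % 4)} HTTP/1.1\r\n".encode() for i in range(5)]
DISTS = byte_distributions(TRAIN)
FEATS = feature_bytes(DISTS, len(TRAIN), threshold=0.9)   # -> {0: 71, 1: 69, 2: 84, 3: 32, 4: 47}

if __name__ == "__main__":
    print("\n".join(report(DISTS, len(TRAIN))[:5]))
    print("features:", FEATS)
    print("flood packet  :", is_attack(bytes(16), FEATS))                # True
    print("service packet:", is_attack(b"GET /x HTTP/1.1\r\n", FEATS))  # False
    # Minority traffic below the threshold (the POST flows) is also flagged, which
    # is why the threshold must be chosen from historical data of the service.
    print("minority POST :", is_attack(b"POST / HTTP/1.1\r\n", FEATS))  # True
```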


Abstract

The invention discloses a method for defending against a denial of service attack. The method comprises the following steps: acquiring the statistical distribution of the values of a designated field of the packets received on a designated port of a host or server; taking the designated field as a feature field if the probability that the designated field takes the same value is higher than a preset threshold; and, for a packet received on the designated port, determining whether it is an attack packet or a service packet according to the value of its feature field and the statistical distribution of the values of that feature field. The invention also discloses a device for defending against the denial of service attack. The technical proposal can effectively identify attack packets in high-volume traffic and thereby achieves the aim of defending against the denial of service attack.

Description

Technical field

[0001] The invention relates to the technical field of network communication, in particular to a method and protection device for defending against denial of service attacks.

Background technique

[0002] A Distributed Denial of Service (DDoS) attack is an attack method in which multiple attackers (hosts) attack the same victim (including hosts, servers and network devices), rendering the victim unable to work normally. The typical feature of DDoS is to launch an attack on the victim by "many hitting one", achieving the denial of service by consuming the victim's bandwidth, CPU processing power and memory; bandwidth consumption in particular is the most common and most effective form.

[0003] Figure 1 is a schematic diagram of the existing DDoS attack architecture. As shown in figure 1, the attacker sends attack packets by controlling tens of thousands of ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L9/00; H04L29/06
Inventor: 陈光辉
Owner: NEW H3C TECH CO LTD