A Method to Mitigate Distributed Denial of Service Attack

A method for mitigating distributed denial-of-service attacks, applied in the field of network security. It addresses problems of existing defenses such as extensive modification of the operating-system kernel, inability to record IP packet options and TCP packet options, and consumption of server-side CPU and memory resources, and has the effect of alleviating distributed denial-of-service attacks.

Status: Inactive; Publication Date: 2011-12-14
HEILONGJIANG UNIV

AI Technical Summary

Problems solved by technology

Among existing technologies for detecting or defending against DDoS attacks, methods based on traffic detection, such as load prediction, suffer from inaccurate prediction and at the same time cannot effectively resist low-rate denial-of-service (LDoS) attacks, which evade traditional detection. Methods that verify the legitimacy of the data source in reverse, by generating related parameters or signature information, involve complex computation and so cannot cope with high-volume, highly concurrent floods of illegal packets; the server is paralysed and the denial-of-service effect is achieved.
[0003] A TCP SYN flooding DDoS attack targets the half-open connection table (syn_table) of the TCP protocol stack. One defense against this flood controls syn_table as a whole according to its total capacity, that is, it allows half-open entries to occupy at most x% of the total number of table cells. This still cannot deal effectively with high-volume, highly concurrent floods of illegal packets: highly concurrent attack traffic from some areas impairs normal access from areas that contain no attack sources, and the overall service efficiency, that is, the success rate of establishing connections for normal users, is low. Another defense discards and ignores the first SYN connection request from a given source and processes the request normally only when a second SYN from the same source arrives. On the one hand, this requires recording and looking up the source information of every connection request and requires the user to send the connection request twice, which lengthens connection establishment and is likely to harm user experience; on the other hand, it works only when each attack source sends a single SYN per attack, and fails as soon as each attack source sends at least two SYN packets.
[0004] The SYN Cookie method is another defense against SYN flooding. It effectively resists floods composed of false connection requests, but it also has the following shortcomings and potential security hazards: (1) its implementation does not follow the finite-state-machine rules of the TCP protocol, and the half-open connection table of the TCP protocol is abandoned; (2) its implementation requires modifying the TCP protocol and making extensive modifications to the operating-system kernel; (3) because the half-open table is discarded, the server cannot record the IP packet options and TCP packet options carried in the SYN connection request, so some extended functions of the protocol cannot be used; (4) if the attacker learns how the server generates the initial sequence number (ISN) in the SYN Cookie method, the attacker can directly generate and send ACK messages whose sequence number is ISN+1, causing the server's ehash table to establish a large number of abnormal TCP connections. This not only consumes server-side CPU and memory resources but also degrades the performance of the service process, and once the total number of connections in the ehash table exceeds the upper limit set by the system at kernel initialization, all subsequent legitimate connection requests are discarded as well.
Usually, the computation that generates the server-side ISN is relatively complicated, for example using the MD5 algorithm or the RSA algorithm.
When the network carries a large number of false SYN connection requests and false ACK messages, the server must generate an ISN through complex computation for every SYN request and must also verify every ACK through complex computation before deciding whether a legitimate connection can be established. Computing and verifying ISNs therefore consumes a great deal of CPU time and significantly reduces server-side service performance.
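The following is an added illustration of drawbacks (4) and the per-ACK verification cost described above; it is not the patent's code and not the Linux SYN-cookie layout. The cookie format (an 8-bit counter in the top byte, a 24-bit keyed hash below it), the server secret SECRET, the address and port tuples, and the helper names make_isn, check_ack, legit_handshake, forged_ack and hash_call_count are all assumptions of this example. It shows that, with no half-open table, the server accepts any ACK whose sequence number verifies, so a party holding the secret completes handshakes without ever sending a SYN, and that every ACK, genuine or forged, costs one keyed-hash computation.

```python
# Added example: simplified stateless SYN cookie (not the patent's code, not
# Linux's format).  SECRET, the 8-bit counter scheme and all addresses/ports
# below are constructed for this illustration.
import hashlib
import hmac

SECRET = b"example-server-secret"   # assumption: a per-server secret key
_STATS = {"hash_calls": 0}          # counts the expensive step per SYN and per ACK


def hash_call_count():
    """How many keyed-hash computations the 'server' has performed so far."""
    return _STATS["hash_calls"]


def make_isn(src, sport, dst, dport, counter):
    """Stateless server ISN: 8-bit time counter in the top byte, 24-bit keyed
    hash of the 4-tuple and counter in the low bytes.  Nothing is stored on
    the server, which is exactly why the half-open table can be dropped."""
    _STATS["hash_calls"] += 1
    counter &= 0xFF
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    tag = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (counter << 24) | tag


def check_ack(src, sport, dst, dport, ack, now_counter, window=2):
    """Server side of the third handshake packet: recover the counter byte from
    ack-1, recompute the cookie for this 4-tuple and accept if it matches and is
    at most `window` counter ticks old.  No table lookup, one hash per ACK."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter = isn >> 24
    if (now_counter - counter) & 0xFF > window:
        return False                      # cookie too old (or from the future)
    return make_isn(src, sport, dst, dport, counter) == isn


def legit_handshake(src, sport, dst, dport, counter):
    """Normal client: sends SYN, receives SYN-ACK carrying the ISN, ACKs ISN+1."""
    isn = make_isn(src, sport, dst, dport, counter)      # server builds SYN-ACK
    return check_ack(src, sport, dst, dport, isn + 1, counter)


def forged_ack(src, sport, dst, dport, counter):
    """Attacker who knows SECRET and the formula: compute the ISN locally and
    send only the ACK, skipping the SYN.  The server cannot tell it apart from
    a completed handshake because it kept no half-open state to compare against."""
    return make_isn(src, sport, dst, dport, counter) + 1
```

Because check_ack has nothing to consult but the cookie itself, the only defenses left are keeping the secret unpredictable and rotating it; neither removes the per-ACK hash cost that the passage above identifies.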

Examples


Embodiment 1

[0029] A method for mitigating distributed denial-of-service attacks. The method of the invention is deployed either on the protected server or on a gateway device located between the clients and the protected server. This embodiment is aimed at mitigating TCP SYN flooding DDoS attacks. Given a set of area ranges area_blocks represented by IP address blocks, for example m+1 sub-areas (sub-area 0, sub-area 1, sub-area 2, ..., sub-area m), and, for each sub-area within the given area range, a positive-integer threshold on the number of packets of the given protocol type or message nature that the sub-area is allowed. For a sub-area such as sub-area 0, the positive-integer threshold for TCP SYN messages is the number of semi-connection table (syn_table) cells that this sub-area may use; the threshold is set according to experience. For each remaini...

Embodiment 2

[0034] A method for mitigating distributed denial-of-service attacks. The method of the invention is deployed either on the protected server or on a gateway device or router located between the clients and the protected server. This embodiment is aimed at mitigating TCP FIN flooding DDoS attacks. Given a set of area ranges area_blocks represented by IP address blocks, for example m+1 sub-areas (sub-area 0, sub-area 1, sub-area 2, ..., sub-area m), and, for each sub-area within the given area range, a positive-integer threshold on the number of TCP FIN packets allowed. For a sub-area such as sub-area 0, the positive-integer threshold for TCP FIN messages is the number of semi-connection table (syn_table) cells that this sub-area may use. The threshold is set according to expe...

Embodiment 3

[0039] A method for mitigating distributed denial-of-service attacks. The method of the invention is deployed either on the protected server or on a gateway device or router located between the clients and the protected server. This embodiment is aimed at alleviating UDP packet flooding DDoS attacks. Given a set of area ranges area_blocks represented by IP address blocks; for each sub-area within the given area range, a positive-integer threshold on the number of UDP packets allowed, determined from analysis of the number of UDP packets in actual normal access traffic; and the current value of the number of UDP packets allowed in each sub-area, whose initial value is that positive-integer threshold. The given area_blocks is derived either from IP address allocation information and whois information, or from the analysis results of actual normal ac...

Abstract

The invention discloses a method for mitigating distributed denial-of-service attacks that addresses the defects of prior detection or defense technologies. The method comprises the following steps: presetting a group of area ranges represented by IP address blocks and, for each sub-area within the range, a threshold on the number of messages of a given protocol type or message property that the sub-area is allowed; on receiving a message of the corresponding protocol type or message property, looking up the sub-area to which the message belongs according to its source IP address; if the current value (cv) of the message count for that protocol type or message property in that sub-area is greater than 0, subtracting 1 from the cv and then processing the received message normally according to its protocol type or message property; if the cv equals 0, either discarding the message directly or discarding it after recording related information about it; and, according to the requirements for mitigating different types of distributed denial-of-service attacks, concurrently executing different recovery processing on the cv of the message count for the corresponding protocol type or message property in each sub-area within the given range. The method is used in IP networks.
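The following is an added worked example of the counter scheme described in the abstract and in Embodiments 1 to 3; it is not the patent's own code. The sub-area address blocks (documentation ranges), the thresholds, the catch-all sub-area for sources outside every listed block, the choice of which recovery rule pairs with which message type (returning a cell when a half-open entry is freed for SYN, a periodic reset to the threshold for UDP), and the names SubArea, AreaBlocks, admit, release, refill and simulate are all assumptions of this example. What it shows beyond the prose is the longest-prefix lookup, the per-sub-area isolation (a flood from one block leaves another block's budget untouched) and the two recovery paths running independently.

```python
# Added example of the area-block counter scheme; not the patent's code.
# Blocks, thresholds, recovery rules and traffic below are constructed.
import ipaddress


class SubArea:
    """An IP address block with, per message type, a positive-integer
    threshold and a current value cv that starts at the threshold."""

    def __init__(self, cidr, thresholds):
        self.block = ipaddress.ip_network(cidr)
        self.threshold = dict(thresholds)    # e.g. {"SYN": 3, "UDP": 4}
        self.cv = dict(thresholds)


class AreaBlocks:
    """area_blocks: the preset sub-areas plus a catch-all sub-area for sources
    outside every listed block (the catch-all is this example's assumption)."""

    def __init__(self, sub_areas, default_thresholds):
        # most specific block first, so lookup() is a longest-prefix match
        self.sub_areas = sorted(sub_areas, key=lambda a: a.block.prefixlen, reverse=True)
        self.default = SubArea("0.0.0.0/0", default_thresholds)
        self.dropped = []        # "related information" recorded before discarding

    def lookup(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        for area in self.sub_areas:
            if addr in area.block:
                return area
        return self.default

    def admit(self, src_ip, kind):
        """Per-packet decision: cv > 0 -> decrement and process normally (True);
        cv == 0 -> record the packet and discard it (False)."""
        area = self.lookup(src_ip)
        if area.cv.get(kind, 0) > 0:
            area.cv[kind] -= 1
            return True
        self.dropped.append((src_ip, kind))
        return False

    def release(self, src_ip, kind):
        """Recovery used here for SYN: hand a cell back to the source's sub-area
        when its half-open entry is freed (handshake completed or timed out)."""
        area = self.lookup(src_ip)
        if area.cv.get(kind, 0) < area.threshold.get(kind, 0):
            area.cv[kind] += 1

    def refill(self, kind):
        """Recovery used here for UDP: on a timer, reset cv to the threshold in
        every sub-area, so the threshold acts as a per-interval budget."""
        for area in self.sub_areas + [self.default]:
            if kind in area.threshold:
                area.cv[kind] = area.threshold[kind]


def simulate():
    """Constructed traffic: a flood from one /24 beside normal requests from
    another.  Returns the admit/drop outcomes so they can be checked."""
    blocks = AreaBlocks(
        [SubArea("203.0.113.0/24", {"SYN": 3, "UDP": 4}),    # sub-area 0
         SubArea("198.51.100.0/24", {"SYN": 5, "UDP": 4})],  # sub-area 1
        default_thresholds={"SYN": 2, "UDP": 2},
    )
    flood = [f"203.0.113.{i}" for i in range(1, 11)]    # 10 SYNs from 10 hosts
    normal = ["198.51.100.7", "198.51.100.7"]           # 2 SYNs from 1 host

    flood_ok = sum(blocks.admit(ip, "SYN") for ip in flood)
    normal_ok = sum(blocks.admit(ip, "SYN") for ip in normal)

    # one flood handshake completes or times out: its cell returns to sub-area 0
    blocks.release("203.0.113.1", "SYN")
    after_release = blocks.admit("203.0.113.200", "SYN")

    # UDP: exhaust sub-area 0's budget, then the periodic refill restores it
    udp_first = sum(blocks.admit(ip, "UDP") for ip in flood)
    blocks.refill("UDP")
    udp_after_refill = blocks.admit("203.0.113.5", "UDP")

    return {
        "flood_admitted": flood_ok,               # sub-area 0's SYN threshold
        "flood_dropped": len(flood) - flood_ok,
        "normal_admitted": normal_ok,             # sub-area 1 unaffected by the flood
        "after_release": after_release,
        "udp_first": udp_first,
        "udp_after_refill": udp_after_refill,
        "dropped_records": len(blocks.dropped),
    }
```

On a gateway the admit() call sits on the inbound packet path and release() would be driven by the half-open table's own completion and timeout events; the mapping from address block to threshold is the configuration input the embodiments derive from allocation data, whois information, or measured normal traffic.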

Description

Technical field [0001] The invention belongs to the technical field of network security and relates to a method for mitigating distributed denial-of-service (DDoS) attacks in an IP network. Background technique [0002] Large-scale, highly concurrent distributed denial-of-service (DDoS) attacks are difficult to defend against completely on the attacked side, and the emergence and growth of botnets have made the defense harder still. Effectively mitigating large-scale, highly concurrent DDoS attacks, so that the attacked party can to some extent continue to serve some normal users for the duration of the attack, is therefore important and valuable. One characteristic of large botnets is that, viewed by IP address block, the distribution of bot hosts shows a degree of regional concentration. Among the existing technologies for d...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/08
Inventors: 姜誉, 任健, 方滨兴, 周黎明
Owner: HEILONGJIANG UNIV