Network layer DDOS (Distributed Denial of Service) attack source identification method, device and system

A network layer DDOS attack source identification technology, applied in the field of computer communication, that addresses the problem that the real attack source of a small-traffic DDOS attack cannot be effectively traced.

Active Publication Date: 2015-02-11
SHENZHEN TENCENT COMP SYST CO LTD

AI Technical Summary

Problems solved by technology

However, the routing devices of operators generally use flow-based statistical counting methods, which are effective for large-traffic DDOS statist

Examples

Example 1

[0022] See Figure 2, which is a flow chart of the method for identifying the source of a network layer DDOS attack provided by the first embodiment of the present invention. As shown in Figure 2, this embodiment describes the processing flow of the detection server. With reference to Figure 1, the network layer DDOS attack source identification method provided by this embodiment includes the following steps:

[0023] Step 21: When the detection server detects that the first server is under DDOS attack, it obtains the DDOS attack packet from the first server and extracts the attack source IP address and the TTL value of the attack source IP address from the DDOS attack packet.

[0024] Specifically, the detection server 103 determines whether the first server 101 is under a DDOS (Distributed Denial of Service) attack by monitoring the data flow information of the first server 101 in real time. When it is detected that the first server 101 is under DDOS attack, that is...

Example 2

[0039] See Figure 3, which is a flowchart of the method for identifying the source of a network layer DDOS attack provided by the second embodiment of the present invention. As shown in Figure 3, this embodiment describes the processing flow of the first server. With reference to Figure 1, the network layer DDOS attack source identification method provided by this embodiment includes the following steps:

[0040] Step 31: When the detection server detects that the first server is under DDOS attack, it sends the first server a request for obtaining all DDOS attack packets.

[0041] For details of step 31, please refer to the corresponding content of the first embodiment, which will not be repeated here.

[0042] Step 32: Receive all DDOS attack packets returned by the first server in response to the request.

[0043] Specifically, the first server 101 starts a full packet capture according to the request for obtaining all DDOS attack packets sent by the detection ser...

Example 3

[0060] See Figure 4, which is a flowchart of the method for identifying the source of a network layer DDOS attack provided by the third embodiment of the present invention. As shown in Figure 4, this embodiment describes the processing flow of the user terminal. With reference to Figure 1, the network layer DDOS attack source identification method provided by this embodiment includes the following steps:

[0061] Step 41: When the detection server detects that the first server is under DDOS attack, it sends a DDOS attack packet acquisition request to the first server.

[0062] Specifically, the detection server 103 determines whether the first server 101 is under a DDOS (Distributed Denial of Service) attack by monitoring the data flow information of the first server 101 in real time. When it is detected that the first server 101 is under DDOS attack, that is, when the data traffic of the first server 101 is detected to be abnormal, for example, when there is a large flow...


Abstract

The invention provides a network layer DDOS (Distributed Denial of Service) attack source identification method. The method comprises the following steps: when a detection server detects that a first server is under DDOS attack, acquiring a DDOS attack packet from the first server, and extracting the attack source IP (Internet Protocol) address in the DDOS attack packet and the TTL (Time to Live) value of the attack source IP address; sending a detection command comprising the attack source IP address to a second server; receiving a detection response packet returned by the second server according to the detection command, and extracting the detection source IP address in the detection response packet and the TTL value of the detection source IP address; and judging whether the difference between the TTL value of the attack source IP address and the TTL value of the detection source IP address is greater than a preset value; if so, determining that the attack source IP address is a forged IP address, otherwise determining that the attack source IP address is a real IP address. The invention further provides a network layer DDOS attack source identification device and system. By adopting the network layer DDOS attack source identification method, device and system, a network layer DDOS attack source can be identified rapidly and effectively.
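
The TTL comparison described in the abstract, as an added example that is not code from the patent: it parses the source IP address and TTL out of raw IPv4 headers for both the attack packets and the detection response packets, then applies the preset-value test. The threshold of 5, the "unverified" verdict for sources with no detection response, the rule that one mismatching packet marks a source as forged, and the sample packets are assumptions.

```python
import socket
import struct

PRESET_DIFF = 5  # assumed threshold; the page only says "a preset value"

def build_ipv4_header(src, dst, ttl):
    """Construct a minimal 20-byte IPv4 header (sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_src_and_ttl(packet):
    """Return (source IP, TTL) from a raw IPv4 packet, or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    return socket.inet_ntoa(packet[12:16]), packet[8]

def classify_sources(attack_packets, probe_responses, preset=PRESET_DIFF):
    """Map each attack source IP to 'forged', 'real' or 'unverified'."""
    probe_ttl = dict(parse_src_and_ttl(p) for p in probe_responses)
    verdicts = {}
    for pkt in attack_packets:
        try:
            src, ttl = parse_src_and_ttl(pkt)
        except ValueError:
            continue  # skip malformed captures
        if src not in probe_ttl:
            # No detection response for this source: assumed handling, not on the page.
            verdicts.setdefault(src, "unverified")
        elif abs(ttl - probe_ttl[src]) > preset:
            verdicts[src] = "forged"   # TTL difference exceeds the preset value
        elif verdicts.get(src) != "forged":
            verdicts[src] = "real"     # assumed: an earlier 'forged' verdict sticks
    return verdicts

# Constructed sample packets using documentation address ranges.
ATTACK = [build_ipv4_header("198.51.100.7", "192.0.2.10", 52),
          build_ipv4_header("203.0.113.9", "192.0.2.10", 113),
          build_ipv4_header("198.51.100.44", "192.0.2.10", 240)]
PROBE = [build_ipv4_header("198.51.100.7", "192.0.2.20", 54),
         build_ipv4_header("203.0.113.9", "192.0.2.20", 49)]

if __name__ == "__main__":
    print(classify_sources(ATTACK, PROBE))
```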

Description

Technical field

[0001] The invention relates to the technical field of computer communication, in particular to a network layer DDOS attack source identification method, device and system.

Background technique

[0002] A DOS (Denial of Service) attack refers to an attack that can cause the server to fail to provide normal services. The most common DOS attacks are network bandwidth attacks and connectivity attacks. A bandwidth attack floods the network with a huge amount of traffic, so that all available network resources are exhausted and legitimate user requests can no longer get through. A connectivity attack hits the server with a large number of connection requests, so that all available operating system resources are exhausted and the server can no longer process legitimate user requests.

[0003] DDOS (Distributed Denial of Service) attack refers to the use of client / se...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1416
Inventor: 罗喜军陈勇
Owner: SHENZHEN TENCENT COMP SYST CO LTD