Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Network layer ddos ​​attack source identification method, device and system

A DDOS and identification method technology, applied in the field of computer communication, can solve the problem that the real attack source of small traffic DDOS attack cannot be effectively traced.

Active Publication Date: 2019-07-16
SHENZHEN TENCENT COMP SYST CO LTD
View PDF4 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, the routing devices of operators generally use flow-based statistical counting methods, which are effective for large-traffic DDOS statistics, but are ineffective for distributed small-traffic DDOS attacks, and cannot effectively track small-traffic DDOS attacks. real source of attack

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Network layer ddos ​​attack source identification method, device and system
  • Network layer ddos ​​attack source identification method, device and system
  • Network layer ddos ​​attack source identification method, device and system

Examples

Experimental program
Comparison scheme
Effect test

no. 1 example

[0022] see figure 2 , which is a flow chart of the method for identifying a source of a network layer DDOS attack provided by the first embodiment of the present invention. Such as figure 2 As shown, this embodiment describes the processing flow of the detection server, combined with figure 1 The network layer DDOS attack source identification method provided by the present embodiment includes the following steps:

[0023] Step 21: When the detection server detects that the first server is attacked by DDOS, it obtains the DDOS attack packet from the first server, and extracts the attack source IP address and the TTL value of the attack source IP address in the DDOS attack packet.

[0024]Specifically, the detection server 103 monitors whether the first server is attacked by a DDOS (Distributed Denial of Service) by monitoring the data flow information of the first server 101 in real time. When it is detected that the first server 101 is attacked by a DDOS, it also That is...

no. 2 example

[0039] see image 3 , which is a flowchart of a method for identifying a source of a network layer DDOS attack provided by the second embodiment of the present invention. Such as image 3 As shown, this embodiment describes the processing flow of the first server, combined with figure 1 The network layer DDOS attack source identification method provided by the present embodiment includes the following steps:

[0040] Step 31 , when the detection server detects that the first server is attacked by DDOS, it sends a request for obtaining all DOOS attack packets to the first server.

[0041] For details of step 31, please refer to the corresponding content of the first embodiment, which will not be repeated here.

[0042] Step 32, receiving all DDOS attack packets returned by the first server according to the request.

[0043] Specifically, the first server 101 starts a full packet capture according to the request for obtaining all DOOS attack packets sent by the detection ser...

no. 3 example

[0060] see Figure 4 , is a flowchart of a method for identifying a source of a network layer DDOS attack provided by the third embodiment of the present invention. Such as Figure 4 As shown, this embodiment describes the processing flow of the user terminal, combined with figure 1 The network layer DDOS attack source identification method provided by the present embodiment includes the following steps:

[0061] Step 41 , when the detection server detects that the first server is under DDOS attack, it sends a DDOS attack packet acquisition request to the first server.

[0062]Specifically, the detection server 103 monitors whether the first server is attacked by a DDOS (Distributed Denial of Service) by monitoring the data flow information of the first server 101 in real time. When it is detected that the first server 101 is attacked by a DDOS, it also That is, when the data traffic of the first server 101 is detected to be abnormal, for example, when there is a large flow...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides a network layer DDOS attack source identification method, comprising: when the detection server detects that the first server is attacked by DDOS, obtains the DDOS attack packet from the first server, and extracts the attack source IP address and the attack source in the DDOS attack packet The TTL value of the IP address; send a probe command containing the attack source IP address to the second server; receive the probe response packet returned by the second server according to the probe command, and extract the probe source IP address and the TTL of the probe source IP address in the probe response packet and determine whether the difference between the TTL value of the attack source IP address and the TTL value of the detection source IP address is greater than the preset value, if so, then determine that the attack source IP address is a forged IP address, if not, then determine the attack source IP The address is a real IP address. In addition, the present invention also provides a network layer DDOS attack source identification device and system. The above-mentioned network layer DDOS attack source identification method, device and system can quickly and effectively identify the network layer DDOS attack source.

Description

technical field [0001] The invention relates to the technical field of computer communication, in particular to a network layer DDOS attack source identification method, device and system. Background technique [0002] DOS (Denial of Service, denial of service) attack refers to an attack that can cause the server to fail to provide normal services. The most common DOS attacks are network bandwidth attacks and connectivity attacks. Among them, the bandwidth attack refers to impacting the network with a huge amount of traffic, so that all available network resources are exhausted, and finally legitimate user requests cannot be passed. Connectivity attack refers to the impact of a large number of connection requests on the server, so that all available operating system resources are exhausted, and finally the server can no longer process legitimate user requests. [0003] DDOS (Distributed Denial of Service, Distributed Denial of Service) attack refers to the use of client / se...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Patents(China)
IPC IPC(8): H04L29/06
Inventor 罗喜军陈勇
Owner SHENZHEN TENCENT COMP SYST CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products