A distributed denial of service attack defense method, device and system

Abstract

Embodiments of the invention disclose a method, a device and a system defending an attack of distributed denial-of-service (DDoS). The method comprises the steps of receiving, by a controller, first characteristic information attack information sent by an attack detection device and comprising a detected attack packet; acquiring, from each network node, second characteristic information node information comprising a packet forwarded by a corresponding network node; matching the first characteristic information and the second characteristic information so as to determine a network node, among reference network nodes, forwarding the attack packet and being closest to the source of the attack packet as an attack defend device; and finally, controlling the attack defend device to filter attackpackets. In the process, the controller executes a defending operation on a network node at an operator network edge, and blocks the attack packet at the operator network entrance, thereby effectively reducing attack packets entering the operator network, saving bandwidth resources, and keeping the internal network of the operator network smooth.

Description

technical field [0001] The present invention relates to the field of communication technology, in particular to a distributed denial-of-service (English: distributed denial-of-service, DDoS for short) attack defense method, device and system. Background technique [0002] DDoS is an attack behavior that uses multiple hosts to send attack packets to a target host, causing the target host to deny service to normal service requests. DDoS creates a high flow of useless data, flooding the network where the target host is located with a large number of useless data packets, causing network congestion and making the target host unable to communicate with the outside world normally. [0003] Such as figure 1 The shown operator network includes network nodes C1 to C4 located inside the operator network, and network nodes E1 to E5 located at the edge of the operator network. Among them, network node C1 is located at the core layer of the operator's network and is used to undertake c...

AI Technical Summary

Problems solved by technology

[0004] However, the inventor found through research that during the DDoS attack process, the attack message sent by the attacking host connected to the network node E5 attacks the target host through the network node C4, the network node C1, the network node C2 and the network node E1. ; The attack message sent by the attacking host connected to the network node E2 passes through the network node E2, the network node C2 and the network node E1 to attack the target host; if traffic cleaning is performed, the cleaning device will divert the attack message to itself , then when the traffic of the attack packets is large, it is easy to cause a large amount of bandwidth resources between the network node C1 and the network node C4, and the network node C1 and the network node C2 to be consumed, thereby causing the network near the network node C1 to Congestion, difficult to meet DDoS defense requirements

Images