DDoS attack detection method and equipment

Abstract

The invention discloses a distributed denial of service DDoS attack detection method and equipment. The method comprises the following steps: acquiring a data stream sent to protection object equipment in each detection period and acquiring total duration of various data streams; dividing various data streams into long data streams or short data streams according to the total duration of various data streams; according to the passed detection period of the long data streams, numbering the total data traffic of the long data streams into the statistical traffic of various passed detection periods of the long data streams; stacking the data traffic of the short data streams occurring in various detection periods and the data traffic of the long data streams numbered into the corresponding detection period so as to determine the statistical traffic in each detection period; and determining a fact that the protection object equipment is under the DDoS attack in the detection period if thestatistical traffic exceeds the detection period of the preset traffic threshold. By adopting the detection method disclosed by the invention, the DDoS attack detection precision is improved, and a false alarm rate of the DDoS attack detection is reduced.

Description

technical field [0001] The present application relates to the technical field of the Internet, in particular to a distributed denial of service (Distributed Denial of Service, DDoS) attack detection method and device. Background technique [0002] DDoS attack refers to the combination of multiple computers as an attack platform, using reasonable service requests to occupy a large number of service resources of one or more target servers, so that legitimate users cannot get the service response of the server. [0003] As an intrusion detection mechanism, sampling devices (such as routers, switches, etc.) collect the information arriving at the protected device and send it to the sampling and analysis server, and the sampling and analyzing server regularly aggregates the statistical data of different data flows arriving at the same protected device. According to the statistical results of each detection cycle, it can be judged whether the protected device is attacked by DDoS. ...

AI Technical Summary

Problems solved by technology

However, in the attack detection mechanism of the prior art, the data flow reported to the sampling analysis server in a certain detection cycle may be the sum of the traffic in multiple detection cycles, and the sampling analysis server records the data flow to the corresponding In the traffic statistics data in the detection cycle, the data traffic that does not belong to the detection cycle is counted into the traffic statistics data of the detection cycle, so that the traffic in the detection cycle is too large, resulting in the following figure 1 The statistical results shown, but in fact, the detection period (such as 15, 33, 171) with a large statistical traffic value may not be attacked by DDoS. Therefore, the accuracy of attack detection is reduced due to inaccurate statistical data

Images