Defence method and device for flood attack, storage medium and electronic equipment
By sampling the real-time network interface card traffic of the network server and dynamically updating the blacklist, the problems of low accuracy and latency in flood attack defense in existing technologies are solved, and efficient flood attack defense is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM CORP LTD
- Filing Date
- 2021-12-09
- Publication Date
- 2026-06-23
AI Technical Summary
Existing flood attack defense methods fail to update IP blacklists in real time, allowing attackers to bypass detection by changing IP addresses. This results in low defense accuracy and significant issues with latency and resource waste in the defense strategies.
By sampling the real-time network interface card traffic of the network server based on a preset frequency, data flow characteristics are extracted, access control list rules are generated, the blacklist is dynamically updated, and the target blacklist is used to filter flood attacks.
It improves the accuracy of flood attack defense, reduces resource waste, reduces defense latency, and enables timely response to real-time traffic.
Description
Technical Field
[0001] This disclosure relates to the fields of network technology and security technology, and more specifically to a method for defending against flood attacks, a device for defending against flood attacks, a computer-readable storage medium, and an electronic device.
Background
[0002] With the rapid development of artificial intelligence, big data, and 5G technologies, cybersecurity has become an indispensable safeguard for the internet industry. Among the many types of cyberattacks, DDoS (Distributed Denial of Service) attacks are the most common. Attackers send a large number of forged packets to the target server, thereby consuming the network server's CPU (Central Processing Unit) resources and occupying network bandwidth.
[0003] When a network server is under a DDoS attack, the most prominent characteristic is the proliferation of useless data packets from fake sources, causing network congestion and preventing users from communicating normally with the outside world. To counter this type of attack, the industry has proposed numerous countermeasures, such as three-level TM (Traffic Manager) scheduling, attack attribution, and dynamic link protection. Among these defensive measures, IP (Internet Protocol) blacklists demonstrate unique value in the field of network security due to their ability to filter attack sources.
[0004] Specifically, IP blacklists record the IP information of historical attackers and are an important component of threat intelligence. By applying IP blacklists appropriately, enterprises can filter out the vast majority of known attack sources. However, since a blacklist is merely a snapshot of historical attack sources, if it is not updated in real time, attackers can exploit this snapshot characteristic by simply changing their IP address to evade detection, thus reducing the accuracy of defenses.
[0005] Therefore, there is a need to provide a new method and device for defending against flood attacks.
[0006] It should be noted that the information in the background section above is only intended to aid understanding of the background of this disclosure, and may therefore include information that does not constitute prior art known to those skilled in the art.
Summary of the Invention
[0007] The purpose of this disclosure is to provide a method for defending against flood attacks, a device for defending against flood attacks, a computer-readable storage medium, and an electronic device, thereby overcoming, at least to some extent, the problem of low accuracy in defense due to limitations and defects in related technologies.
[0008] According to one aspect of this disclosure, a method for defending against flood attacks is provided, comprising:
[0009] Based on a preset sampling frequency, the real-time network card traffic of the network server is sampled to obtain a sampled packet to be processed. The current data stream included in the sampled packet to be processed is extracted, together with the first number of bytes and the first flow time of the current data stream flowing through the network card of the network server within a first time interval corresponding to the sampling frequency.
[0010] Based on the first number of bytes and the first flow time, the real-time flow rate of the current data stream is calculated, and when it is determined that the real-time flow rate of the current data stream is greater than the preset flow threshold, the current data stream is determined as the target data stream.
[0011] The target flow features of the target data stream are extracted from the sampled packet to be processed, and access control list rules corresponding to the target data stream are generated based on the target flow features;
[0012] The access control list rules are used to update the current blacklist to obtain the target blacklist, and the uploaded packets are filtered based on the target blacklist to defend against flooding attacks included in the uploaded packets.
[0013] In one exemplary embodiment of this disclosure, after sampling the real-time network interface card traffic of the network server based on a preset sampling frequency to obtain the sampled packets to be processed, the flood attack defense method further includes:
[0014] The sampled packet to be processed is sent to the Netflow process in user space via a socket channel;
[0015] The user-space Netflow process generates a hash queue corresponding to the sampled packet to be processed, and stores the sampled packet to be processed in the hash queue.
[0016] In one exemplary embodiment of this disclosure, extracting target flow features of the target data stream from the sampled packet to be processed, and generating access control list rules corresponding to the target data stream based on the target flow features, includes:
[0017] The user-space Netflow process extracts the target flow features of the target data stream from the sampled packets to be processed stored in the hash queue; wherein the target flow features include several features, such as the target source IP address, the target destination IP address, the target communication protocol, and the target port number;
[0018] Based on the target source IP address, target destination IP address, target communication protocol, and target port number, generate an access control list rule corresponding to the target data stream.
[0019] In one exemplary embodiment of this disclosure, updating the current blacklist using the access control list rules to obtain the target blacklist includes:
[0020] The user-space Netflow process sends the access control list rules to the Redis database. The blacklist processing unit subscribes to the Redis database, and when it detects that access control list rules are present there, it adds the access control list rules to the current blacklist to obtain the target blacklist.
[0021] In one exemplary embodiment of this disclosure, filtering the uploaded packets based on the target blacklist to defend against flooding attacks included in the uploaded packets includes:
[0022] The Netflow chip extracts the traffic features to be identified from the uploaded packets; wherein the traffic features to be identified include the source IP address to be identified, the destination IP address to be identified, the communication protocol to be identified, and the port number to be identified;
[0023] Determine whether any one of the source IP address to be identified, the destination IP address to be identified, the communication protocol to be identified, and the port number to be identified exists in the target blacklist;
[0024] If any one of the source IP address, destination IP address, communication protocol, or port number to be identified is found in the target blacklist, the uploaded packet is discarded to defend against flooding attacks included in the uploaded packet.
[0025] In one exemplary embodiment of this disclosure, the method for defending against flooding attacks further includes:
[0026] If it is determined that none of the source IP address, destination IP address, communication protocol, and port number to be identified exist in the target blacklist, the uploaded packet is reported upward and the traffic sampling step is performed.
[0027] In one exemplary embodiment of this disclosure, the method for defending against flooding attacks further includes:
[0028] Acquire historical data streams of multiple historical flooding attacks, and acquire the second number of bytes and the second flow time of each historical data stream within a first time interval corresponding to the sampling frequency, which flows through the network interface card of the network server.
[0029] Calculate the average number of bytes for each of the second byte counts and the average time for the second flow time, and calculate the byte count variance and the time variance based on the average number of bytes and the average time.
[0030] The number of bytes in the flood attack is calculated based on the average number of bytes and the variance of the number of bytes, and the flood attack time is calculated based on the average time and the variance of the time.
[0031] The preset traffic threshold is calculated based on the number of bytes in the flood attack and the duration of the flood attack.
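The threshold calibration of paragraphs [0028] to [0031], as an added Python example that is not the patent's code. The page states only that the flood attack byte count and time are derived from the averages and variances; the specific combination used here (mean minus k standard deviations for bytes, mean plus k for time, giving a lower bound on past attack rates) and the history values are assumptions.

```python
from math import sqrt
from statistics import mean, pvariance
from typing import List, Tuple


def attack_profile(history: List[Tuple[int, float]]) -> Tuple[float, float, float, float]:
    """Steps [0028]-[0029]: from (second number of bytes, second flow time) pairs, one per
    historical flood attack stream within the first time interval, return the average
    byte count, the byte-count variance, the average time and the time variance."""
    if len(history) < 2:
        raise ValueError("need at least two historical attack streams")
    byte_counts = [float(b) for b, _ in history]
    times = [float(t) for _, t in history]
    avg_bytes, avg_time = mean(byte_counts), mean(times)
    return avg_bytes, pvariance(byte_counts, avg_bytes), avg_time, pvariance(times, avg_time)


def preset_traffic_threshold(history: List[Tuple[int, float]], k: float = 1.0) -> float:
    """Steps [0030]-[0031].  Assumption (the page does not fix the formula): the flood
    attack byte count is the mean minus k standard deviations and the flood attack time
    is the mean plus k standard deviations, so the threshold is a lower bound on the rate
    of past attacks and a stream at the weak end of that range is still caught."""
    avg_bytes, var_bytes, avg_time, var_time = attack_profile(history)
    attack_bytes = max(avg_bytes - k * sqrt(var_bytes), 0.0)
    attack_time = avg_time + k * sqrt(var_time)
    return attack_bytes / attack_time


# Constructed history (not real measurements): bytes and flow time per past attack stream.
HISTORY = [(120_000, 1.0), (100_000, 1.0), (80_000, 1.0)]
```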
[0032] According to one aspect of this disclosure, a flood attack defense device is provided, comprising:
[0033] The first sampling module is used to sample the real-time network card traffic of the network server based on a preset sampling frequency, obtain the sampled packet to be processed, and extract the current data stream included in the sampled packet to be processed, as well as the first number of bytes and the first time of the current data stream flowing through the network card of the network server within a first time interval corresponding to the sampling frequency.
[0034] The flow rate calculation module is used to calculate the real-time flow rate of the current data stream based on the first number of bytes and the first flow time, and to determine the current data stream as the target data stream when it is determined that the real-time flow rate of the current data stream is greater than the preset flow threshold.
[0035] The access control list rule generation module is used to extract the target flow features of the target data stream from the sampled packet to be processed, and to generate access control list rules corresponding to the target data stream based on the target flow features;
[0036] The flood attack defense module is used to update the current blacklist using the access control list rules to obtain the target blacklist, and to filter the uploaded packets based on the target blacklist in order to defend against flood attacks included in the uploaded packets.
[0037] According to one aspect of this disclosure, a computer-readable storage medium is provided having a computer program stored thereon which, when executed by a processor, implements the flood attack defense method described in any of the above embodiments.
[0038] According to one aspect of this disclosure, an electronic device is provided, comprising:
[0039] a processor; and
[0040] a memory for storing executable instructions of the processor;
[0041] wherein the processor is configured to perform the flood attack defense method described above by executing the executable instructions.
[0042] This disclosure provides a method for defending against flooding attacks. First, the real-time network interface card (NIC) traffic of a network server is sampled based on a preset sampling frequency to obtain a sampled packet to be processed. Then the current data stream included in the sampled packet is extracted, together with the first number of bytes and the first flow time of that stream through the NIC of the network server within a first time interval corresponding to the sampling frequency. Next, the real-time traffic rate of the current data stream is calculated from the first number of bytes and the first flow time, and when that rate is greater than a preset traffic threshold, the current data stream is identified as the target data stream. The target flow characteristics of the target data stream are then extracted from the sampled packet to be processed, and an access control list (ACL) rule corresponding to the target data stream is generated from them. Finally, the current blacklist is updated with the ACL rule to obtain a target blacklist, and the uploaded packets are filtered based on the target blacklist to defend against flooding attacks included in them. On the one hand, this method builds its defense on the real-time data stream traffic: the real-time traffic rate of the current data stream is derived from the sampled packets obtained by sampling NIC traffic, the current blacklist is updated in real time, and the uploaded packets are filtered against the updated target blacklist. This solves the problem in the prior art where an IP blacklist that is not updated in real time lets attackers exploit its snapshot nature and bypass blacklist detection by changing their IP, resulting in low defense accuracy, and thereby improves the accuracy of flood attack defense.
On the other hand, since the real-time NIC traffic of the network server is sampled at a preset sampling frequency and the real-time traffic rate of the current data stream is calculated from the sampled byte count and the first flow time, the current data stream is identified as a flood attack as soon as its real-time traffic rate exceeds the preset traffic threshold, and the corresponding defense is applied. This avoids the delay caused by manually issuing defense policies, improves the timeliness of flood attack defense, and reduces the waste of network server resources.
[0043] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure.
Description of the Drawings
[0044] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure. It is obvious that the drawings described below are merely some embodiments of this disclosure, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.
[0045] Figure 1 schematically illustrates an example of a defense scenario against a flood attack.
[0046] Figure 2 is a flowchart schematically illustrating a method for defending against flood attacks according to an exemplary embodiment of the present disclosure.
[0047] Figure 3 schematically illustrates an example application environment of a flood attack defense method according to an exemplary embodiment of the present disclosure.
[0048] Figure 4 schematically illustrates an example structure of a network server according to an exemplary embodiment of the present disclosure.
[0049] Figure 5 is a flowchart illustrating a method for filtering uploaded packets based on a target blacklist to defend against flooding attacks included in the uploaded packets, according to an exemplary embodiment of the present disclosure.
[0050] Figure 6 is a flowchart illustrating a method for calculating a preset traffic threshold according to an exemplary embodiment of the present disclosure.
[0051] Figure 7 is a flowchart illustrating another method for defending against flood attacks according to an exemplary embodiment of this disclosure.
[0052] Figure 8 schematically illustrates a block diagram of a flood attack defense device according to an exemplary embodiment of the present disclosure.
[0053] Figure 9 schematically illustrates an electronic device for implementing the above flood attack defense method according to an exemplary embodiment of this disclosure.
Detailed Description
[0054] Example embodiments will now be described more fully with reference to the accompanying drawings. However, example embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided to make this disclosure more comprehensive and complete, and to fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics can be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a full understanding of embodiments of this disclosure. However, those skilled in the art will recognize that the technical solutions of this disclosure can be practiced with one or more of the specific details omitted, or other methods, components, apparatus, steps, etc., can be employed. In other instances, well-known technical solutions are not shown or described in detail to avoid obscuring various aspects of this disclosure.
[0055] Furthermore, the accompanying drawings are merely illustrative of this disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and therefore repeated descriptions of them will be omitted. Some block diagrams shown in the drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.
[0056] Currently, DDoS attacks can be categorized into three types: IP spoofing attacks, slow connection attacks, and flood attacks. Among them:
[0057] IP spoofing attacks are a widely used DDoS attack method employed by many attack types, such as SYN flood attacks, ICMP flood attacks, UDP flood attacks, amplification attacks, and reflection attacks. The principle behind IP spoofing attacks is that when an attacker sends IP packets to a victim, they modify the source IP field of the packets. This misleads the firewall into believing the packets originate from a trusted source, while simultaneously concealing the attacker's real address, making it difficult for the victim to locate the attacker's true location. Furthermore, IP spoofing can also set the source IP of the packets to the victim's IP, enabling reflection and amplification attacks through services like public DNS and NTP.
[0058] Slow connection attacks are application layer attacks, and HTTP slow connection attacks are a typical example. When an HTTP slow connection attack occurs, the attacker will split an HTTP packet into multiple parts and send them to the victim. Each part is very small and the time interval between them is relatively large.
[0059] Flood attacks are a common DDoS attack method. At the network layer, there are UDP Flood and SYN Flood attacks, while at the application layer, there are HTTP Flood attacks. The most significant characteristic is that the attacker sends a large number of data packets to the victim, resulting in a large amount of attack traffic. Moreover, network layer flood attacks are often accompanied by IP spoofing.
[0060] NetFlow is a technology that monitors the IP data flow (flow) forwarded by network devices. It can collect statistical information and forwarding information of data packets received and sent by network devices, and send the statistical information and forwarding information to the NetFlow analysis server. The NetFlow statistics are analyzed to troubleshoot network faults and network congestion.
[0061] When the network server enables NetFlow and performs statistics on data packets, it can automatically learn relevant characteristics of the data packets and also supports user-configured specific data flows to perform NetFlow statistics. The switching chip inside the network device supports performing NetFlow processing on data packets in both the inbound and outbound directions. For different scenarios, the system software allocates separate memory for inbound and outbound NetFlow processing. This memory stores NetFlow entries that record packet statistics and forwarding information. The memory address index serves as the starting storage space, and inbound and outbound NetFlow statistics are stored in different storage spaces to independently implement the two NetFlow processes.
[0062] Furthermore, while Netflow sampling offers real-time system traffic monitoring, traditional applications of Netflow sampling information are limited to acquiring device traffic information through Netflow collectors and then formulating relevant configurations or usage strategies. This ignores the significant role Netflow sampling monitoring can play in DDoS attack and defense, which is undoubtedly a waste of device resources. In addition, real-world flood attacks are often completed within a short period, and the ability of operators to formulate appropriate response strategies based on feedback information and the timely response capability of the equipment are key indicators of equipment stability.
[0063] Furthermore, as shown in Figure 1, when the Netflow chip 101 receives the data stream to be identified 102 (arrow 1 represents normal traffic, arrow 2 represents attack traffic from a new attack source, and arrow 3 represents attack traffic from a historical attack source), it can determine whether the data stream matches the IP blacklist rule 104, which is specified according to the historical attack record 103, and if so filter it out. However, this IP blacklist rule has relatively low coverage and fails as soon as the attack source changes.
[0064] Based on this, this example embodiment first provides a method for defending against flood attacks. As shown in Figure 2, the method may include the following steps:
[0065] Step S210. Sample the real-time network card traffic of the network server based on a preset sampling frequency to obtain a sampled packet to be processed, and extract the current data stream included in the sampled packet to be processed, as well as the first number of bytes and the first time of the current data stream flowing through the network card of the network server within a first time interval corresponding to the sampling frequency.
[0066] Step S220. Calculate the real-time flow rate of the current data stream based on the first number of bytes and the first flow time, and determine the current data stream as the target data stream when it is determined that the real-time flow rate of the current data stream is greater than the preset flow threshold;
[0067] Step S230. Extract the target flow features of the target data stream from the sampled packet to be processed, and generate an access control list rule corresponding to the target data stream based on the target flow features;
[0068] Step S240. Update the current blacklist using the access control list rules to obtain the target blacklist, and filter the uploaded packets based on the target blacklist to defend against flooding attacks included in the uploaded packets.
[0069] In the aforementioned method for defending against flooding attacks, on the one hand, the real-time network interface card (NIC) traffic of the network server is sampled based on a preset sampling frequency to obtain sampled packets to be processed. The current data stream is extracted from the sampled packets, together with the first number of bytes and the first flow time of that stream through the NIC of the network server within a first time interval corresponding to the sampling frequency. The real-time traffic rate of the current data stream is then calculated from the first number of bytes and the first flow time, and when that rate is greater than a preset traffic threshold, the current data stream is identified as the target data stream. Next, the target flow characteristics of the target data stream are extracted from the sampled packets to be processed, and access control list (ACL) rules corresponding to the target data stream are generated from those characteristics. Finally, the current blacklist is updated using the ACL rules to obtain a target blacklist, and the uploaded packets are filtered based on the target blacklist to defend against flooding attacks included in them. The defense is thus built on the real-time NIC traffic: the sampling process derives the real-time traffic rate of the current data stream from the sampled packets, updates the current blacklist in real time, and filters the uploaded packets against the updated target blacklist. This solves the problem in existing technologies where an IP blacklist that is not updated in real time lets attackers exploit its snapshot nature and bypass blacklist detection by changing their IP address, resulting in low defense accuracy, and so improves the accuracy of flood attack defense.
On the other hand, since the real-time NIC traffic of the network server is sampled at a preset sampling frequency and the real-time traffic rate of the current data stream is calculated from the sampled byte count and the first flow time, the current data stream is identified as a flood attack as soon as its real-time traffic rate exceeds the preset traffic threshold, and the corresponding defense is applied. This avoids the delay caused by manually issuing defense strategies, improves the timeliness of flood attack defense, and reduces the waste of network server resources.
[0070] The following will provide a detailed explanation and description of the flood attack defense method of the exemplary embodiments of this disclosure, in conjunction with the accompanying drawings.
[0071] First, the inventive purpose of the exemplary embodiments of this disclosure will be explained and described. Specifically, the exemplary embodiments of this disclosure provide an IP blacklist anti-flooding attack strategy based on Netflow sampling information. By utilizing the characteristics of Netflow's real-time monitoring of system traffic, ACL (Access Control Lists) rules are dynamically generated and directly bound to the IP blacklist to defend against flooding attacks. This fully utilizes the real-time monitoring and flexible defense features of Netflow, while solving the problem that existing IP blacklist technologies are difficult to accurately identify attack sources.
[0072] Secondly, an example diagram of the network environment involved in the flooding attack in the exemplary embodiments of this disclosure will be explained and described.
[0073] Specifically, the flood attack defense method provided in this disclosure can be applied to the application environment shown in Figure 3, which includes a network server 310, a network 320, and multiple terminal devices 330. Each terminal device 330 refers to a device connected to the network, which can be a fixed device, such as a desktop computer or server, or a mobile device, such as a laptop, mobile phone, or tablet. Terminal devices 330 can connect to the network via wired or wireless means. For example, they can connect via wired means such as a network cable or switch, or wirelessly via means such as Wi-Fi, mobile base stations, hotspot signals, or Bluetooth signals. Terminal devices 330 connect to the internet through a gateway 340 in the network, for example, by accessing the network server 310 via the internet.
[0074] With further reference to Figure 4, the network server may include a blacklist processing unit 401, a Netflow sampling unit 402, a Netflow chip 403, and a central processing unit 404. The blacklist processing unit is network-connected to the Netflow chip, the Netflow chip is network-connected to the central processing unit, the central processing unit is network-connected to the Netflow sampling unit, and the Netflow sampling unit is network-connected to the blacklist processing unit. The blacklist processing unit stores a blacklist of flood attacks, allowing the Netflow chip to filter incoming packets based on this blacklist. The Netflow chip then reports the filtered incoming packets to the central processing unit, enabling the Netflow sampling unit to sample the real-time network interface card traffic sent to the central processing unit of the network server based on a preset sampling frequency. Based on the sampled data, it generates access control list rules and then updates the current blacklist in the blacklist processing unit in real time based on these access control list rules to obtain a target blacklist. This allows the Netflow chip to filter incoming packets based on the target blacklist, forming a cyclical system that achieves precise filtering of incoming packets and ultimately provides accurate defense against flood attacks.
[0075] The flood attack defense method shown in Figure 2 will now be explained and illustrated with reference to Figure 3 and Figure 4.
[0076] In step S210, the real-time network card traffic of the network server is sampled based on a preset sampling frequency to obtain a sampled packet to be processed. The current data stream included in the sampled packet to be processed is extracted, together with the first number of bytes and the first flow time of the current data stream flowing through the network card of the network server within a first time interval corresponding to the sampling frequency.
[0077] Specifically, in normal application scenarios, the network server kernel monitors the real-time network interface card (NIC) traffic information of a specified NIC and samples the real-time NIC traffic information according to the configured sampling rate (preset sampling frequency). The sampling frequency can be determined according to the user's actual needs or according to the attack frequency of historical flooding attacks. This example does not impose any special restrictions on this.
[0078] Furthermore, after obtaining the sampled packets to be processed, the defense method against this flooding attack also includes: sending the sampled packets to be processed to the user-space Netflow process via a socket channel; generating a hash queue corresponding to the sampled packets to be processed through the user-space Netflow process, and storing the sampled packets to be processed in the hash queue. That is, after obtaining the sampled packets to be processed, the sampled packets can be sent to the user-space Netflow process via a Netlink (socket) channel; then, the user-space Netflow process maintains a corresponding hash queue for each current data stream included in the sampled packets to be processed, and then stores the sampled packets of the current data stream in the hash queue, recording in the hash queue the first number of bytes flowing through the network interface card of the network server and the first flow time within a first time interval corresponding to the sampling frequency.
[0079] Furthermore, when it is necessary to calculate the real-time traffic rate, the user-space Netflow process can extract the first number of bytes and the first flow time of all current data streams included in the sampled packet to be processed within the first time interval from the hash queue; wherein, the first time interval can be calculated based on the sampling frequency.
[0080] In step S220, the real-time flow rate of the current data stream is calculated from the first byte count and the first flow time, and when that rate is determined to be greater than the preset flow threshold, the current data stream is identified as the target data stream.
[0081] Specifically, in practice the user-space Netflow process watches for newly added hash queues in real time and computes the real-time traffic rate of the current data stream by dividing the first byte count by the first flow time. It then compares that rate with the preset traffic threshold. If the rate is greater than the threshold, the current data stream is identified as the target data stream and handled accordingly; otherwise the stream is treated as normal traffic, and its access to the corresponding application can be controlled by the port number carried in the stream.
[0082] It should be noted that a defining characteristic of DDoS flood traffic is source IP spoofing, which makes tracing the attack source extremely difficult. A side effect of source IP spoofing is that the attack appears as a large number of very short data streams, on the order of 3 packets per stream, whereas normal communication typically carries many more packets per stream. The average number of packets per stream is therefore computed first. The total byte count of all flow-table entries within the first time interval is then divided by the total number of data streams to obtain the average byte count per current data stream, and the real-time traffic rate is computed from this average byte count and the first flow time. This improves the accuracy of the real-time traffic rate in the presence of spoofed short streams.
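As an added worked example (not part of the patent and not code from the assignee), the following Python models the user-space Netflow process of steps S210 and S220: sampled packets are grouped into per-stream records keyed by source IP, destination IP, protocol and destination port (a stand-in for the hash queue), each stream's real-time rate is computed from its first byte count and first flow time, and the average-bytes-per-stream and average-packets-per-stream quantities of paragraph [0082] are computed alongside. The sampling rate, the time interval, the threshold and the packets are constructed values; treating a stream seen in only one sample as spanning the whole interval, and scaling sampled bytes back up by the sampling rate, are assumptions of this example.

```python
"""Added example: per-stream aggregation and real-time rate calculation for
steps S210/S220. Not the patent's code; all inputs below are constructed."""
from dataclasses import dataclass

SAMPLING_RATE = 100      # assumed 1-in-100 packet sampling
INTERVAL_MS = 1000       # assumed first time interval (ms) for this sampling frequency
THRESHOLD_BPS = 500_000  # assumed preset traffic threshold, bytes per second

# Constructed sampled packets: (timestamp_ms, src_ip, dst_ip, proto, dst_port, length)
SAMPLES = [
    (0,    "203.0.113.7", "198.51.100.10", "udp", 53,  1400),
    (200,  "203.0.113.7", "198.51.100.10", "udp", 53,  1400),
    (400,  "203.0.113.7", "198.51.100.10", "udp", 53,  1400),
    (600,  "203.0.113.7", "198.51.100.10", "udp", 53,  1400),
    (800,  "203.0.113.7", "198.51.100.10", "udp", 53,  1400),
    (1000, "203.0.113.7", "198.51.100.10", "udp", 53,  1400),
    (100,  "192.0.2.5",   "198.51.100.10", "tcp", 443, 100),
    (900,  "192.0.2.5",   "198.51.100.10", "tcp", 443, 100),
    (300,  "192.0.2.9",   "198.51.100.10", "tcp", 22,  80),
]


@dataclass
class StreamRecord:
    """One hash-queue entry: what the Netflow process keeps per current data stream."""
    packets: int = 0
    bytes: int = 0        # first byte count (sampled bytes seen in this interval)
    first_ms: int = 0
    last_ms: int = 0

    @property
    def flow_time_ms(self) -> int:
        """First flow time. A stream seen in a single sample is assumed to
        span the whole interval rather than zero time (assumption)."""
        span = self.last_ms - self.first_ms
        return span if span > 0 else INTERVAL_MS


def build_flow_table(samples):
    """Group sampled packets by (src_ip, dst_ip, proto, dst_port)."""
    table = {}
    for ts, src, dst, proto, dport, length in samples:
        key = (src, dst, proto, dport)
        rec = table.get(key)
        if rec is None:
            rec = table[key] = StreamRecord(first_ms=ts, last_ms=ts)
        rec.packets += 1
        rec.bytes += length
        rec.first_ms = min(rec.first_ms, ts)
        rec.last_ms = max(rec.last_ms, ts)
    return table


def real_time_rate(rec, sampling_rate=SAMPLING_RATE):
    """Bytes per second for one stream: sampled bytes scaled back by the
    sampling rate (assumption), divided by the first flow time."""
    return rec.bytes * sampling_rate * 1000 / rec.flow_time_ms


def average_bytes_per_stream(table):
    """Paragraph [0082]: total bytes of all flow-table entries divided by the
    number of data streams in the interval."""
    return sum(r.bytes for r in table.values()) / len(table)


def average_packets_per_stream(table):
    """Spoofed floods show up as many very short streams, so a low value here
    is a hint that source addresses are being spoofed."""
    return sum(r.packets for r in table.values()) / len(table)


def target_streams(table, threshold=THRESHOLD_BPS):
    """Streams whose real-time rate exceeds the preset threshold (step S220)."""
    return sorted(k for k, r in table.items() if real_time_rate(r) > threshold)


if __name__ == "__main__":
    t = build_flow_table(SAMPLES)
    for key, rec in t.items():
        print(key, f"{real_time_rate(rec):,.0f} B/s")
    print("average packets per stream:", average_packets_per_stream(t))
    print("targets:", target_streams(t))
```

With the constructed samples only the 203.0.113.7 stream exceeds the threshold; the two short streams to ports 443 and 22 stay well below it, and the average of 3 packets per stream is the figure paragraph [0082] associates with spoofed floods.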
[0083] In step S230, the target flow features of the target data stream are extracted from the sampled packets to be processed, and an access control list rule corresponding to the target data stream is generated from those features.
[0084] In this example embodiment, the user-space Netflow process first extracts the target flow features of the target data stream from the sampled packets stored in its hash queue. The target flow features include several of the following: target source IP address, target destination IP address, target communication protocol and target port number. An access control list rule corresponding to the target data stream is then generated from those four values. In other words, once the real-time traffic rate of a current data stream exceeds the preset traffic threshold, the user-space Netflow process classifies it as attack traffic (the target data stream), reads its target flow features from the hash queue holding that stream, and constructs the corresponding access control list rule.
[0085] In step S240, the current blacklist is updated using the access control list rules to obtain the target blacklist, and the uploaded packets are filtered based on the target blacklist to defend against flooding attacks included in the uploaded packets.
[0086] In this example embodiment, the current blacklist is first updated with the access control list rules to obtain the target blacklist. Specifically, the user-space Netflow process sends the access control list rules to the Redis database; the blacklist processing unit, which subscribes to changes in the access control list rules held in Redis, extracts any new rules and adds them to the current blacklist, yielding the target blacklist. It should be noted that the target blacklist differs from a plain IP blacklist: each entry may carry the target source IP address, target destination IP address, target communication protocol and target port number, which allows uploaded packets to be filtered precisely against it.
[0087] Furthermore, once the target blacklist has been obtained, the uploaded packets can be filtered against it to defend against the flood attacks they contain. Specifically, as shown in Figure 5, the following steps may be included:
[0088] Step S510: Extract the traffic features to be identified from the uploaded packet using the Netflow chip; the traffic features to be identified include the source IP address to be identified, the destination IP address to be identified, the communication protocol to be identified and the port number to be identified;
[0089] Step S520: Determine whether any of the source IP address to be identified, the destination IP address to be identified, the communication protocol to be identified and the port number to be identified exists in the target blacklist;
[0090] Step S530: When any one of the source IP address to be identified, the destination IP address to be identified, the communication protocol to be identified and the port number to be identified is determined to exist in the target blacklist, discard the uploaded packet to defend against the flood attack it contains.
[0091] Steps S510 to S530 are explained as follows. Once the target blacklist exists, whenever a new uploaded packet arrives the Netflow chip extracts its traffic features to be identified and checks them against the target blacklist; if they match, the packet is discarded (filtered out). The method thus generates access control list rules dynamically from real-time traffic and binds them to the blacklist, so that when a DDoS attack occurs the attack packets are identified and filtered promptly, improving the responsiveness and defensive capability of the communication equipment against DDoS attacks.
[0092] Furthermore, if none of the source IP address, destination IP address, communication protocol and port number to be identified exists in the target blacklist, the uploaded packet is reported and the traffic sampling step is performed. That is, when the target blacklist is not matched, the uploaded packet can be sent up to the CPU of the network server, where it is sampled and processed by the Netflow sampling unit.
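As an added worked example (not part of the patent and not the assignee's code), the following Python strings together steps S230 to S240 and S510 to S530: an ACL rule is built from a flagged stream's four target flow features, published through a minimal in-process publish/subscribe bus that stands in for the Redis database, merged into a blacklist by a subscriber playing the blacklist processing unit, and then applied to incoming packets as the Netflow chip would. Because steps S520 and S530 as written drop a packet when any single one of its four features appears in the blacklist, the example implements both that reading and a full four-tuple match, so the reader can see on a constructed legitimate packet that shares only the destination IP which packets each semantics drops. The channel name, rule layout and packet dictionaries are assumptions of this example.

```python
"""Added example: ACL rule generation, blacklist update over a pub/sub stand-in,
and chip-side filtering for steps S230-S240 and S510-S530. Not the patent's code."""
import json
from collections import defaultdict

FIELDS = ("src_ip", "dst_ip", "proto", "dst_port")   # the four target flow features


def make_acl_rule(flow):
    """Build a deny rule from a target data stream's flow features (step S230)."""
    missing = [f for f in FIELDS if f not in flow]
    if missing:
        raise ValueError(f"flow is missing features: {missing}")
    return {"action": "deny", **{f: flow[f] for f in FIELDS}}


class Bus:
    """Tiny in-process stand-in for the Redis publish/subscribe channel
    (the patent uses a Redis database; this is an assumption for illustration)."""
    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, channel, handler):
        self.subscribers[channel].append(handler)

    def publish(self, channel, message):
        for handler in self.subscribers[channel]:
            handler(message)


class Blacklist:
    """Blacklist processing unit (step S240): keeps deny rules as 4-tuples and,
    separately, the set of individual field values, so both matching semantics
    can be compared."""
    def __init__(self):
        self.rules = set()
        self.field_values = {f: set() for f in FIELDS}

    def on_rule(self, message):
        rule = json.loads(message)
        if rule.get("action") != "deny":
            return
        self.rules.add(tuple(rule[f] for f in FIELDS))
        for f in FIELDS:
            self.field_values[f].add(rule[f])

    def matches_tuple(self, feat):
        """All four features of one rule must match."""
        return tuple(feat[f] for f in FIELDS) in self.rules

    def matches_any_field(self, feat):
        """Any single feature present in the blacklist matches (S520/S530 literally)."""
        return any(feat[f] in self.field_values[f] for f in FIELDS)


def chip_filter(packets, blacklist, mode="tuple"):
    """Netflow-chip filtering (S510-S530). Returns (dropped, passed)."""
    match = blacklist.matches_tuple if mode == "tuple" else blacklist.matches_any_field
    dropped, passed = [], []
    for pkt in packets:
        (dropped if match(pkt) else passed).append(pkt)
    return dropped, passed


def demo():
    bus = Bus()
    bl = Blacklist()
    bus.subscribe("acl_rules", bl.on_rule)          # channel name is assumed
    attack_stream = {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.10",
                     "proto": "udp", "dst_port": 53}
    bus.publish("acl_rules", json.dumps(make_acl_rule(attack_stream)))
    packets = [  # constructed uploaded packets
        {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.10", "proto": "udp", "dst_port": 53},
        {"src_ip": "192.0.2.5",   "dst_ip": "198.51.100.10", "proto": "tcp", "dst_port": 443},
        {"src_ip": "192.0.2.9",   "dst_ip": "198.51.100.20", "proto": "udp", "dst_port": 53},
    ]
    return {mode: chip_filter(packets, bl, mode) for mode in ("tuple", "any_field")}


if __name__ == "__main__":
    for mode, (dropped, passed) in demo().items():
        print(f"{mode}: dropped {len(dropped)}, passed {len(passed)}")
```

In four-tuple mode only the flagged stream is dropped. In any-field mode the HTTPS packet is dropped because its destination IP is in the blacklist and the DNS packet to a different server is dropped because its protocol and port are, which is why a deployment that keys the blacklist on all four features at once gives the precise filtering paragraph [0086] describes.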
[0093] Figure 6 schematically depicts another flood attack defense method according to an example embodiment of this disclosure. As shown in Figure 6, the method may include the following steps:
[0094] Step S610: Obtain historical data streams of multiple historical flooding attacks, and obtain the second number of bytes and the second flow time of each historical data stream flowing through the network card of the network server within a first time interval corresponding to the sampling frequency;
[0095] Step S620: Calculate the average number of bytes for each of the second byte counts and the average time for the second flow time, and calculate the byte count variance and the time variance based on the average number of bytes and the average time.
[0096] Step S630: Calculate the number of bytes for the flood attack based on the average number of bytes and the variance of the number of bytes, and calculate the flood attack time based on the average time and the variance of the time.
[0097] Step S640: Calculate the preset traffic threshold based on the number of bytes in the flood attack and the duration of the flood attack.
[0098] The flood attack defense method shown in Figure 6 has several advantages. First, because the average byte count, the average time, the byte-count variance and the time variance are all taken into account when computing the preset traffic threshold, the threshold is more accurate. Second, the second byte count and second flow time of each historical data stream within a first time interval corresponding to the sampling frequency are obtained from the historical data streams of multiple historical flood attacks, and the averages and variances are computed from them. Compared with setting the threshold by hand, this improves both the efficiency and the accuracy of setting the preset traffic threshold, enabling precise defense against flood attacks without relying on guesswork.
[0099] The flood attack defense method of the exemplary embodiments of this disclosure is further explained below with reference to Figure 7. As shown in Figure 7, the method may include the following steps:
[0100] Step S701: The Netflow chip receives an uploaded packet carrying mixed traffic and parses it to obtain the traffic features to be identified;
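As an added worked example (not part of the patent), the following Python carries steps S610 to S640 through on constructed historical data: the mean and population variance of the second byte counts and second flow times, an attack byte count and attack time derived from them, and the preset traffic threshold as their ratio. The patent does not state how mean and variance are combined; the k-sigma combination used here (attack bytes as the mean minus k standard deviations, attack time as the mean plus k standard deviations, so that the threshold is a conservative lower bound on the rate of an attack like those seen before) is an assumption of this example, as are the historical values.

```python
"""Added example: preset traffic threshold derived from historical flood
attacks (Figure 6, steps S610-S640). Not the patent's code; the k-sigma
combination and the historical values are assumptions."""
import math
from statistics import mean, pvariance

# Constructed history: per attack stream, bytes through the NIC in one first
# time interval (second byte count) and the matching flow time in seconds.
HIST_BYTES = [900_000, 1_100_000, 900_000, 1_100_000]
HIST_TIMES = [0.8, 1.2, 0.8, 1.2]


def derive_threshold(byte_counts, flow_times, k=1.0):
    """Steps S620-S640. Returns the intermediate statistics and the threshold
    in bytes per second. k scales how far below/above the means the attack
    byte count and attack time are placed (assumption)."""
    if len(byte_counts) != len(flow_times) or len(byte_counts) < 2:
        raise ValueError("need at least two matched historical samples")
    mean_bytes, var_bytes = mean(byte_counts), pvariance(byte_counts)   # S620
    mean_time, var_time = mean(flow_times), pvariance(flow_times)
    attack_bytes = mean_bytes - k * math.sqrt(var_bytes)                # S630
    attack_time = mean_time + k * math.sqrt(var_time)
    if attack_bytes <= 0 or attack_time <= 0:
        raise ValueError("history too dispersed for this k; lower k or add samples")
    return {
        "mean_bytes": mean_bytes, "var_bytes": var_bytes,
        "mean_time": mean_time, "var_time": var_time,
        "attack_bytes": attack_bytes, "attack_time": attack_time,
        "threshold_bps": attack_bytes / attack_time,                    # S640
    }


def is_target_stream(rate_bps, threshold_bps):
    """Step S220 comparison against the derived threshold."""
    return rate_bps > threshold_bps


if __name__ == "__main__":
    stats = derive_threshold(HIST_BYTES, HIST_TIMES)
    for name, value in stats.items():
        print(f"{name:>14}: {value:,.2f}")
    print("840 kB/s is target:", is_target_stream(840_000, stats["threshold_bps"]))
```

With the constructed history the byte counts have mean 1,000,000 and standard deviation 100,000, the flow times have mean 1.0 s and standard deviation 0.2 s, so the attack byte count is 900,000, the attack time is 1.2 s and the threshold is 750,000 bytes per second; raising k lowers the threshold and catches weaker attacks at the cost of more false positives, which is the trade-off a practitioner tunes here.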
[0101] Step S702: Determine whether the traffic feature to be identified matches the blacklist; if yes, proceed to step S703; if no, proceed to step S704.
[0102] Step S703: Identify the uploaded message as a flood attack flow and discard the uploaded message;
[0103] Step S704: The uploaded message is sampled by the Netflow sampling unit to obtain the sampled message to be processed;
[0104] Step S705: Calculate the real-time flow rate of the current data stream included in the sampled packet to be processed through the user-space Netflow process;
[0105] Step S706: Determine whether the real-time traffic rate is greater than the preset traffic threshold; if yes, proceed to step S707; if no, consider the current data stream to be normal traffic and proceed with normal access.
[0106] Step S707: Determine the current data stream as the target data stream and extract the target stream features of the target data stream;
[0107] Step S708: Generate ACL rules based on the target flow characteristics and send the ACL rules to the Redis database;
[0108] Step S709: The blacklist processing unit, which subscribes to the ACL rules in the Redis database, receives the ACL rules, adds them to the blacklist (the deny list), and sends the new blacklist down to the Netflow chip.
[0109] The flood attack defense method provided in this exemplary embodiment can dynamically generate blacklist rules, avoiding the low coverage problem of existing IP blacklist technologies. Simultaneously, it can automatically monitor network card traffic status in real time, avoiding the delays and errors of manually issuing policies in DDoS protection. Furthermore, if the traffic volume of a flow significantly exceeds a preset threshold, it will be identified as attack traffic by the system. The system will construct ACL rules based on characteristics such as source IP, destination IP, protocol, and port number in the flow's sampling information and issue them to the chip. Afterward, when the mixed flow continues to flow through the chip, the chip will filter the attack traffic according to the new blacklist and no longer send it to the CPU. Thus, although some attack flows from new attack sources may initially bypass blacklist detection, they can be added to the new blacklist rules in a timely manner after monitoring by the Netflow sampling unit, effectively avoiding the low coverage problem of existing blacklist technologies.
[0110] This disclosure also provides an example embodiment of a flood attack defense device. As shown in Figure 8, the flood attack defense device may include a first sampling module 810, a flow rate calculation module 820, an access control list rule generation module 830 and a flood attack defense module 840, wherein:
[0111] The first sampling module 810 can be used to sample the real-time network card traffic of the network server based on a preset sampling frequency, obtain a sampled packet to be processed, and extract the current data stream included in the sampled packet to be processed, as well as the number of bytes and the first time of the current data stream flowing through the network card of the network server within a first time interval corresponding to the sampling frequency.
[0112] The flow rate calculation module 820 can be used to calculate the real-time flow rate of the current data stream based on the first number of bytes and the first flow time, and determine the current data stream as the target data stream when it is determined that the real-time flow rate of the current data stream is greater than the preset flow threshold.
[0113] The access control list rule generation module 830 can be used to extract the target flow features of the target data stream from the sampled packets to be processed, and to generate access control list rules corresponding to the target data stream based on the target flow features;
[0114] The flood attack defense module 840 can be used to update the current blacklist using the access control list rules to obtain the target blacklist, and filter the uploaded packets based on the target blacklist to defend against flood attacks included in the uploaded packets.
[0115] In the aforementioned flood attack defense device, on the one hand, the real-time NIC traffic of the network server is sampled at a preset sampling frequency to obtain sampled packets to be processed, from which the current data stream, the first byte count it passed through the server's NIC within a first time interval corresponding to the sampling frequency, and the first flow time are extracted. The real-time traffic rate of the current data stream is then computed from the first byte count and the first flow time, and the stream is identified as the target data stream if that rate exceeds a preset traffic threshold. Next, the target flow features of the target data stream are extracted from the sampled packets and access control list (ACL) rules corresponding to the stream are generated from them. Finally, the ACL rules update the current blacklist into a target blacklist, and uploaded packets are filtered against the target blacklist to defend against the flood attacks they contain. Defense is thus driven by real-time NIC traffic: the real-time rate of the current data stream is obtained from sampled packets, the blacklist is updated in real time, and packets are filtered against the updated target blacklist. This addresses the weakness of existing approaches, in which a static IP blacklist that is not updated in real time can be bypassed by an attacker who simply changes source IP address, and so improves the accuracy of flood attack defense.
On the other hand, because the real-time NIC traffic is sampled at a preset sampling frequency, the real-time traffic rate of the current data stream is computed from the sampled byte count and the first flow time, and the stream is identified as a flood attack as soon as that rate exceeds the preset traffic threshold, the corresponding defense is applied without the delay of manually issuing defense policies, which improves the timeliness of flood attack defense and reduces wasted network server resources.
[0116] In one exemplary embodiment of this disclosure, the flood attack defense device further includes:
[0117] The sampled packet sending module can be used to send the sampled packets to be processed to the user-space Netflow process through a socket channel;
[0118] The hash queue generation module can be used to generate, in the user-space Netflow process, a hash queue corresponding to the sampled packets to be processed, and to store the sampled packets in that hash queue.
[0119] In one exemplary embodiment of this disclosure, extracting the target flow features of the target data stream from the sampled packets to be processed, and generating access control list rules corresponding to the target data stream based on the target flow features, includes:
[0120] The user-space Netflow process extracts the target flow features of the target data stream from the sampled packets to be processed stored in the hash queue; wherein the target flow features include several of the following: the target source IP address, the target destination IP address, the target communication protocol and the target port number;
[0121] Based on the target source IP address, target destination IP address, target communication protocol, and target port number, generate an access control list rule corresponding to the target data stream.
[0122] In one exemplary embodiment of this disclosure, updating the current blacklist using the access control list rules to obtain the target blacklist includes:
[0123] The access control list rules are sent to the Redis database via the user-space Netflow process. When the blacklist processing unit subscribes to the existence of access control list rules in the Redis database, the access control list rules are added to the current blacklist to obtain the target blacklist.
[0124] In one exemplary embodiment of this disclosure, filtering the uploaded packets based on the target blacklist to defend against flood attacks included in the uploaded packets includes:
[0125] The Netflow chip extracts the traffic features to be identified from the uploaded packets; wherein the traffic features to be identified include the source IP address to be identified, the destination IP address to be identified, the communication protocol to be identified and the port number to be identified;
[0126] Determine whether any of the source IP address to be identified, the destination IP address to be identified, the communication protocol to be identified and the port number to be identified exists in the target blacklist;
[0127] If any one of the source IP address, destination IP address, communication protocol or port number to be identified is found in the target blacklist, the uploaded packet is discarded to defend against the flood attack it contains.
[0128] In one exemplary embodiment of this disclosure, the flood attack defense device further includes:
[0129] The uploaded packet reporting module, which can be used to report the uploaded packet and perform the traffic sampling step when none of the source IP address to be identified, destination IP address to be identified, communication protocol to be identified and port number to be identified exists in the target blacklist.
[0130] In one exemplary embodiment of this disclosure, the flood attack defense device further includes:
[0131] The historical data stream acquisition module can be used to acquire historical data streams of multiple historical flooding attacks, and to acquire the second number of bytes and the second flow time of each historical data stream flowing through the network card of the network server within a first time interval corresponding to the sampling frequency.
[0132] The first calculation module can be used to calculate the average number of bytes for each of the second bytes and the average time for the second flow time, and calculate the variance of the number of bytes and the variance of the time based on the average number of bytes and the average time.
[0133] The second calculation module can be used to calculate the number of bytes in the flood attack based on the average number of bytes and the variance of the number of bytes, and to calculate the flood attack time based on the average time and the variance of the time.
[0134] The third calculation module can be used to calculate the preset traffic threshold based on the number of bytes in the flood attack and the duration of the flood attack.
[0135] The specific details of each module in the aforementioned flood attack defense device have been described in detail in the corresponding flood attack defense methods, so they will not be repeated here.
[0136] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.
[0137] Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that order, or that all of the steps shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, multiple steps may be combined into one step, and/or a step may be broken down into multiple steps.
[0138] In an exemplary embodiment of this disclosure, an electronic device capable of implementing the above-described method is also provided.
[0139] Those skilled in the art will understand that various aspects of this disclosure can be implemented as a system, method, or program product. Therefore, various aspects of this disclosure can be specifically implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software aspects, collectively referred to herein as a "circuit," "module," or "system."
[0140] An electronic device 900 according to such an embodiment of the present disclosure is described below with reference to Figure 9. The electronic device 900 shown in Figure 9 is merely an example and should not impose any limitation on the functionality or scope of use of the embodiments disclosed herein.
[0141] As shown in Figure 9, the electronic device 900 takes the form of a general-purpose computing device. The components of the electronic device 900 may include, but are not limited to: at least one processing unit 910, at least one storage unit 920, a bus 930 connecting the different system components (including the storage unit 920 and the processing unit 910), and a display unit 940.
[0142] The storage unit stores program code that can be executed by the processing unit 910, causing the processing unit 910 to perform the steps described in the "Exemplary Methods" section of this specification according to various exemplary embodiments of this disclosure. For example, the processing unit 910 can perform the steps shown in Figure 2: Step S210: Sample the real-time network interface card (NIC) traffic of the network server based on a preset sampling frequency to obtain sampled packets to be processed, and extract the current data stream included in the sampled packets, the first byte count of that stream flowing through the NIC of the network server within a first time interval corresponding to the sampling frequency, and the first flow time; Step S220: Calculate the real-time traffic rate of the current data stream based on the first byte count and the first flow time, and identify the current data stream as the target data stream when its real-time traffic rate is greater than the preset traffic threshold; Step S230: Extract the target flow features of the target data stream from the sampled packets to be processed, and generate an access control list rule corresponding to the target data stream based on the target flow features; Step S240: Update the current blacklist using the access control list rule to obtain a target blacklist, and filter the uploaded packets based on the target blacklist to defend against flood attacks included in the uploaded packets.
[0143] Storage unit 920 may include readable media in the form of volatile storage units, such as random access memory (RAM) 9201 and / or cache memory 9202, and may further include read-only memory (ROM) 9203.
[0144] Storage unit 920 may also include a program / utility 9204 having a set (at least one) program module 9205, such program module 9205 including but not limited to: operating system, one or more application programs, other program modules and program data, each or some combination of these examples may include an implementation of a network environment.
[0145] Bus 930 can represent one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
[0146] Electronic device 900 can also communicate with one or more external devices 1000 (e.g., keyboard, pointing device, Bluetooth device, etc.), and with one or more devices that enable a user to interact with electronic device 900, and / or with any device that enables electronic device 900 to communicate with one or more other computing devices (e.g., router, modem, etc.). This communication can be performed via input / output (I / O) interface 950. Furthermore, electronic device 900 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 960. As shown, network adapter 960 communicates with other modules of electronic device 900 via bus 930. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with electronic device 900, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
[0147] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0148] In exemplary embodiments of this disclosure, a computer-readable storage medium is also provided, on which a program product capable of implementing the methods described above is stored. In some possible implementations, various aspects of this disclosure may also be implemented as a program product including program code that, when the program product is run on a terminal device, causes the terminal device to perform the steps of the various exemplary embodiments of this disclosure described in the "Exemplary Methods" section above.
[0149] The program product for implementing the above-described method according to embodiments of the present disclosure may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto. In this document, the readable storage medium may be any tangible medium containing or storing a program that may be used by or in conjunction with an instruction execution system, apparatus, or device.
[0150] The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of readable storage media (a non-exhaustive list) include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.
[0151] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transmitting programs for use by or in conjunction with an instruction execution system, apparatus, or device.
[0152] The program code contained on the readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.
[0153] Program code for performing the operations of this disclosure can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's computing device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0154] Furthermore, the above figures are merely illustrative of the processes included in the method according to exemplary embodiments of this disclosure and are not intended to be limiting. It is readily understood that the processes shown in the above figures do not indicate or limit the temporal order of these processes. Additionally, it is readily understood that these processes may be executed synchronously or asynchronously, for example, in multiple modules.
[0155] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention described herein. This application is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not invented by this disclosure. The specification and embodiments are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the claims.
Claims
1. A method for defending against flood attacks, characterized in that it includes: sampling the real-time network interface card traffic of a network server based on a preset sampling frequency to obtain a sampled packet to be processed, and extracting the current data stream contained in the sampled packet to be processed together with a first number of bytes and a first flow time of the current data stream flowing through the network interface card of the network server within a first time interval corresponding to the sampling frequency, wherein the real-time network interface card traffic is the traffic that has already been filtered through the current blacklist; calculating the real-time flow rate of the current data stream based on the first number of bytes and the first flow time, and, when the real-time flow rate of the current data stream is determined to be greater than a preset flow threshold, identifying the current data stream as the target data stream, wherein the preset flow threshold is determined based on the flood attack byte count and the flood attack time of historical flood attacks; extracting, through the user-space Netflow process, the target flow features of the target data stream from the sampled packets to be processed that are stored in the hash queue, wherein the target flow features include a plurality of the following: target source IP address, target destination IP address, target communication protocol and target port number; generating the access control list rule corresponding to the target data stream based on the target source IP address, target destination IP address, target communication protocol and target port number; sending the access control list rule to the Redis database through the user-space Netflow process, and, when the blacklist processing unit subscribing to the Redis database detects that the access control list rule exists there, adding the access control list rule to the current blacklist to obtain the target blacklist; and extracting, through the Netflow chip, the traffic features to be identified from the uploaded packets, the traffic features to be identified including the source IP address, destination IP address, communication protocol and port number to be identified, determining whether any one of these features exists in the target blacklist, and, if any one of them is found in the target blacklist, discarding the uploaded packets so as to defend against the flood attack contained in them.
2. The method for defending against flood attacks according to claim 1, characterized in that, after sampling the real-time network interface card traffic of the network server based on the preset sampling frequency to obtain the sampled packet to be processed, the method further includes: sending the sampled packet to be processed to the user-space Netflow process through a socket channel; and generating, by the user-space Netflow process, a hash queue corresponding to the sampled packet to be processed and storing the sampled packet to be processed in the hash queue.
3. The method for defending against flood attacks according to claim 1, characterized in that the method further includes: if it is determined that none of the source IP address, destination IP address, communication protocol and port number to be identified exists in the target blacklist, passing the uploaded packet on and returning to the traffic sampling step.
4. The method for defending against flood attacks according to claim 1, characterized in that the method further includes: acquiring the historical data streams of a plurality of historical flood attacks, and acquiring, for each historical data stream, a second number of bytes and a second flow time of that historical data stream flowing through the network interface card of the network server within the first time interval corresponding to the sampling frequency; calculating the average byte count of the second byte counts and the average time of the second flow times, and calculating the byte count variance and the time variance based on the average byte count and the average time; calculating the flood attack byte count based on the average byte count and the byte count variance, and calculating the flood attack time based on the average time and the time variance; and calculating the preset flow threshold based on the flood attack byte count and the flood attack time.
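The following is an added worked example of the pipeline in claims 1 to 4 (one sampling window, per-flow rate, threshold from historical attacks, ACL rules published to a subscriber that extends the blacklist, and the final filter). It is not the patent's or the assignee's code. The packets, the protected server address, the 1 s window, the rule that a flow seen in a single packet is charged the whole window, the in-process stand-in for the Redis publish/subscribe step, and the specific way the historical mean and variance are turned into the attack byte count and attack time (mean minus one standard deviation for bytes, mean plus one for time) are all assumptions; the claims say only that the threshold is derived from those statistics. The example also makes one caveat concrete: taken literally, "any one of these features exists in the target blacklist" includes the destination IP, which is the protected server's own address in every rule, so any-field matching would drop all traffic to the server. `is_blacklisted` implements both readings so the difference can be seen.

```python
"""Claims 1-4 as a runnable sketch: sample a window, rate each flow, derive the
threshold from past floods, publish over-threshold flows as ACL rules, filter.
Added example; data, window, threshold formula and Redis stand-in are assumed."""
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since the start of the sampling window
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # communication protocol
    port: int      # destination port
    length: int    # bytes on the wire

SERVER = "192.0.2.10"  # protected network server (constructed address)
# Constructed history: byte count and flow time of four past flood attacks,
# each measured within one sampling interval (claim 4's "second" values).
HIST_BYTES = [90_000, 110_000, 90_000, 110_000]
HIST_TIMES = [1.0, 1.0, 3.0, 3.0]

def preset_flow_threshold(hist_bytes, hist_times):
    """Claim 4: threshold in bytes/s from mean and variance of the history.
    ASSUMPTION: attack byte count = mean - 1 std dev, attack time = mean + 1 std
    dev, i.e. a conservative lower bound on the rate of a historical flood."""
    def mean_var(xs):
        m = sum(xs) / len(xs)
        return m, sum((x - m) ** 2 for x in xs) / len(xs)  # population variance
    mean_b, var_b = mean_var(hist_bytes)
    mean_t, var_t = mean_var(hist_times)
    attack_bytes = max(mean_b - math.sqrt(var_b), 0.0)
    attack_time = mean_t + math.sqrt(var_t)
    return attack_bytes / attack_time

def flow_key(p):
    """The four flow features an ACL rule is built from."""
    return (p.src, p.dst, p.proto, p.port)

def extract_flows(sampled, window_s):
    """Claim 1: first byte count and first flow time of each flow in the window."""
    acc = {}
    for p in sampled:
        k = flow_key(p)
        b, first, last = acc.get(k, (0, p.ts, p.ts))
        acc[k] = (b + p.length, min(first, p.ts), max(last, p.ts))
    # ASSUMPTION: flow time is first-to-last packet; a flow seen only once is
    # charged the whole window so its rate is defined and not inflated.
    return {k: (b, (last - first) if last > first else window_s)
            for k, (b, first, last) in acc.items()}

def target_acl_rules(flows, threshold):
    """Claim 1: flows whose real-time rate exceeds the threshold become rules."""
    return [k for k, (b, t) in flows.items() if b / t > threshold]

class RuleChannel:
    """In-process stand-in for the Redis publish/subscribe step (assumption)."""
    def __init__(self):
        self._subs = []
    def subscribe(self, fn):
        self._subs.append(fn)
    def publish(self, rule):
        for fn in self._subs:
            fn(rule)

def is_blacklisted(features, blacklist, match_any_field=False):
    """Claim 1, last step. match_any_field=True is the claim's literal wording
    (drop if ANY of src, dst, proto, port matches a rule); because every rule
    carries the server's own destination address this drops all traffic to it.
    The default requires the full 4-tuple, which is what a deployable filter needs."""
    if not match_any_field:
        return features in blacklist
    return any(f == rule[i] for rule in blacklist for i, f in enumerate(features))

def sample_packets():
    """Constructed 1 s window: a UDP flood, a slow TCP flow, a one-packet flow."""
    flood = [Packet(i * 0.02, "198.51.100.7", SERVER, "udp", 53, 1200) for i in range(50)]
    benign = [Packet(0.1 + 0.2 * i, "203.0.113.5", SERVER, "tcp", 443, 500) for i in range(5)]
    single = [Packet(0.4, "203.0.113.9", SERVER, "tcp", 22, 1500)]
    return flood + benign + single

def run_window(sampled, hist_bytes=HIST_BYTES, hist_times=HIST_TIMES, window_s=1.0):
    """One sampling round: returns threshold, generated rules, target blacklist."""
    threshold = preset_flow_threshold(hist_bytes, hist_times)
    rules = target_acl_rules(extract_flows(sampled, window_s), threshold)
    blacklist = set()                    # the "current blacklist"
    channel = RuleChannel()
    channel.subscribe(blacklist.add)     # blacklist processing unit subscribes
    for rule in rules:
        channel.publish(rule)            # user-space Netflow process publishes
    return threshold, rules, blacklist
```

With the constructed history the threshold comes out at 30000 B/s; the 50-packet UDP flood carries 60000 bytes in 0.98 s and becomes the single ACL rule, while the 2500-byte TCP flow and the one-packet SSH flow stay below it. Under full-tuple matching only the flood's tuple is dropped; under the any-field reading the benign TCP flow is dropped too, purely because its destination is the same server.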
5. A device for defending against flood attacks, characterized in that it includes: a first sampling module, configured to sample the real-time network interface card traffic of a network server based on a preset sampling frequency to obtain a sampled packet to be processed, and to extract the current data stream contained in the sampled packet to be processed together with a first number of bytes and a first flow time of the current data stream flowing through the network interface card of the network server within a first time interval corresponding to the sampling frequency, wherein the real-time network interface card traffic is the traffic that has already been filtered through the current blacklist; a flow rate calculation module, configured to calculate the real-time flow rate of the current data stream based on the first number of bytes and the first flow time, and to identify the current data stream as the target data stream when the real-time flow rate of the current data stream is determined to be greater than a preset flow threshold, wherein the preset flow threshold is determined based on the flood attack byte count and the flood attack time of historical flood attacks; an access control list rule generation module, configured to extract, through the user-space Netflow process, the target flow features of the target data stream from the sampled packets to be processed that are stored in the hash queue, wherein the target flow features include a plurality of the following: target source IP address, target destination IP address, target communication protocol and target port number, and to generate the access control list rule corresponding to the target data stream based on the target source IP address, target destination IP address, target communication protocol and target port number; and a flood attack defense module, configured to send the access control list rule to the Redis database through the user-space Netflow process, to add the access control list rule to the current blacklist to obtain the target blacklist when the blacklist processing unit subscribing to the Redis database detects that the access control list rule exists there, to extract, through the Netflow chip, the traffic features to be identified from the uploaded packets, the traffic features to be identified including the source IP address, destination IP address, communication protocol and port number to be identified, to determine whether any one of these features exists in the target blacklist, and, if any one of them is found in the target blacklist, to discard the uploaded packets so as to defend against the flood attack contained in them.
6. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, the method for defending against flood attacks according to any one of claims 1 to 4 is implemented.
7. An electronic device, characterized in that it includes: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method for defending against flood attacks according to any one of claims 1 to 4 by executing the executable instructions.