
CN106254394A - A kind of recording method and device of attack traffic - Google Patents


Info

Publication number: CN106254394A
Authority: CN (China)
Prior art keywords: flow, record, sequence, time, data packet
Prior art date:
Legal status (as listed by Google Patents; not a legal conclusion): Granted
Application number: CN201610867805.5A
Other languages: Chinese (zh)
Other versions: CN106254394B (en)
Inventors: 刘文辉, 樊宇, 张磊, 何坤
Current assignee (as listed by Google Patents): Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Priority date (as listed by Google Patents; not a legal conclusion):
Filing date:
Publication date:
Events: application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd; priority to CN201610867805.5A; publication of CN106254394A; application granted; publication of CN106254394B; legal status: active; anticipated expiration.

Classifications

All classes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 63/1458 Denial of Service (under H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/14 ... for detecting or protecting against malicious traffic; H04L 63/1441 Countermeasures against malicious traffic)
    • H04L 43/02 Capturing of monitoring data (under H04L 43/00 Arrangements for monitoring or testing data switching networks)
    • H04L 43/0876 Network utilisation, e.g. volume of load or congestion level (under H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters)
    • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L 43/16 Threshold monitoring
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention discloses a method and a device for recording attack traffic, intended to solve two problems of the prior art: the redundancy present in DDoS attack records, and the degradation of a protection device's protective performance caused by leaving manual packet capture running for a long time. The recording method includes: receiving a first request to start recording traffic sent by a traffic detection engine, the first request carrying the packet sequence to be recorded and the first time at which that packet sequence was obtained; determining, from the size of each packet of the packet sequence, the flow value corresponding to the packet sequence; determining a traffic recording frequency from the flow value and the first time; and recording and storing server access traffic according to the determined traffic recording frequency.

Description

A kind of recording method and device of attack traffic
Technical field
The present invention relates to the field of computer network security technology, and in particular to a method and device for recording attack traffic.
Background technology
DDoS (Distributed Denial of Service): when many DoS attack sources attack the same server together, they constitute a DDoS attack. Using client/server technology, a DDoS attack joins multiple computers together as an attack platform and launches DoS attacks against one or more targets, thereby multiplying the power of the denial-of-service attack. The DDoS attack strategy relies on a large number of "zombie hosts" (hosts that the attacker has compromised or can use indirectly) sending a large number of seemingly legitimate network packets to the victim host, causing network congestion or exhausting server resources and thus causing denial of service. Once a DDoS attack is under way, attack packets flood into the victim host like a deluge and drown out the packets of legitimate users, so that legitimate users cannot normally access the server's network resources. Keeping a complete record of the progress of a DDoS attack helps researchers formulate effective protection strategies promptly when they analyse DDoS traffic attacks.
Existing methods of recording DDoS attack traffic generally rely on manual detection and recording: when a DDoS attack is detected, traffic packet capture is started by hand. This method can record the DDoS attack traffic, but the recorded result contains a large amount of redundant information and consumes part of the protection device's performance resources. The reason is that the DDoS attack server keeps adjusting its attack pattern according to the attack's effect until the server is paralysed: during the attack, a pattern that works well may persist for a long time, while other, less effective patterns may last only very briefly. If manual packet capture is kept running without interruption in this situation, the capture will contain a large number of redundant records of the same attack, and the records of the other attacks will be buried among them. Moreover, because the duration of the attack is uncertain (it may continue without pause, or it may be intermittent), keeping manual packet capture permanently on degrades the protective performance of the protection device.
It can be seen that recording DDoS attack traffic accurately and efficiently while not affecting the protective performance of the traffic protection device has become one of the technical problems in the prior art that urgently require a solution.
Summary of the invention
Embodiments of the present invention provide a method and device for recording attack traffic, to solve the prior-art problems that DDoS attack records contain a large amount of redundant traffic information and that packet capture left running for a long time affects the protective performance of the protection device.
Embodiments of the present invention provide a method for recording attack traffic, including:
receiving a first request to start recording traffic sent by the traffic detection engine, the first request carrying the packet sequence to be recorded and the first time at which the packet sequence was obtained;
determining, from the size of each packet contained in the packet sequence, the flow value corresponding to the packet sequence;
determining a traffic recording frequency from the flow value and the first time;
recording and storing server access traffic according to the determined traffic recording frequency.
Embodiments of the present invention provide a device for recording attack traffic, including:
a receiving unit, for receiving the first request to start recording traffic sent by the traffic detection engine, the first request carrying the packet sequence to be recorded and the first time at which the packet sequence was obtained;
a first determining unit, for determining, from the size of each packet contained in the packet sequence, the flow value corresponding to the packet sequence;
a second determining unit, for determining the traffic recording frequency from the flow value and the first time;
a recording unit, for recording and storing server access traffic according to the determined traffic recording frequency.
Beneficial effects of the present invention:
With the method and device for recording attack traffic provided by embodiments of the present invention, traffic recording starts only after the first request to start recording traffic is received from the traffic detection engine, and during recording not every moment is recorded. Instead, the flow value corresponding to each packet is determined from the size of each packet of the packet sequence to be recorded that is carried in the first request, the traffic recording frequency is then determined from that flow value and the first time of the packet sequence carried in the first request, and server access traffic is recorded and stored according to that frequency. On the one hand, the recording frequency can be adjusted flexibly to the change in current traffic, rejecting redundant records and improving the quality of the traffic record; on the other hand, because large amounts of redundant traffic information are not recorded repeatedly, the time the traffic recording runs is reduced, which solves the problem of protective performance degrading when manual packet capture is left on for a long time, and because the large amount of redundant information is eliminated, the storage space of the traffic record is saved.
Other features and advantages of the present invention will be set forth in the following description and will in part become apparent from the description or be understood by practising the invention. The objects and other advantages of the invention can be realised and obtained by the structure particularly pointed out in the written description, claims and drawings.
Brief description of the drawings
The drawings described here are provided for a further understanding of the invention and form part of it; the schematic embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic flowchart of the traffic detection performed by the traffic detection engine provided by an embodiment of the present invention;
Fig. 2a is a schematic flowchart of the method for recording attack traffic provided by an embodiment of the present invention;
Fig. 2b is a schematic flowchart of determining the traffic recording frequency in the method for recording attack traffic provided by an embodiment of the present invention;
Fig. 3 is the first method of deleting traffic records from the memory of the traffic recording engine in the method for recording attack traffic provided by an embodiment of the present invention;
Fig. 4 is the second method of deleting traffic records from the memory of the traffic recording engine in the method for recording attack traffic provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the device for recording attack traffic provided by an embodiment of the present invention.
Detailed description of the invention
Embodiments of the present invention provide a method and device for recording attack traffic, to solve the redundancy present in DDoS attack records in the prior art and the degradation of the protection device's protective performance caused by leaving manual packet capture on for a long time, and to save the storage space occupied by traffic records.
The preferred embodiments of the present invention are described below with reference to the drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and do not limit it, and that, where no conflict arises, the embodiments of the invention and the features of the embodiments may be combined with one another.
In the embodiments of the present invention, the traffic detection engine performs traffic detection and, on detecting that server access traffic in the unit time exceeds a preset threshold, notifies the traffic recording engine to record. Note that the traffic detection engine detects server access traffic in a timed, continuous manner: it detects server access traffic according to a preset cycle, and when each detection cycle arrives it counts the server access traffic in the current unit time. Specifically, the traffic detection engine detects the flow value corresponding to the packet sequence received by the server in the unit time of the current detection cycle (that is, the ratio of the total size of all packets contained in the packet sequence received by the server to the cycle). The traffic detection engine judges whether the flow value corresponding to the packet sequence received by the server in the unit time of the current detection cycle exceeds the preset threshold, and if so notifies the traffic recording engine to record server access traffic.
Because the traffic detection engine and the traffic recording engine run independently in parallel, the detection engine's detection of packet traffic does not affect the recording engine's recording of server access traffic. If the traffic detection engine judges in the current detection cycle that the flow value corresponding to the packet sequence received by the server in the unit time is below the preset threshold, server access traffic is within the preset threshold range; however, the detection engine may have judged in the previous detection cycle that server access traffic in the unit time exceeded the preset threshold and notified the recording engine to start recording. Therefore, in practice, when the traffic detection engine judges that the flow value corresponding to the packet sequence received by the server in the unit time is below the preset threshold, it must further determine whether the traffic recording engine has started: if it has, the detection engine notifies the recording engine to stop recording; if it has not, the detection engine detects server access traffic again when the next detection cycle arrives. This cycle repeats, so that the traffic recording engine starts or stops recording server access traffic according to the notifications of the traffic detection engine. The traffic recording engine, for its part, starts recording server access traffic when triggered by the traffic detection engine and continues until it receives the detection engine's signal to stop recording; when it again receives a signal to start recording server access traffic it starts recording again, until it again receives the signal to stop, and so on.
Embodiment one
As shown in Fig. 1, the traffic detection flow performed by the traffic detection engine provided by an embodiment of the present invention may include the following steps:
S11: when the detection cycle arrives, the traffic detection engine determines, from the size of each packet in the packet sequence received by the server, the flow value corresponding to the packet sequence, and then calculates the flow value of access to the server in the unit time.
In practice, at the end of the detection cycle the traffic detection engine totals the size of all packets received by the server in the unit time from the start of the detection cycle to its end, and takes this as the flow value corresponding to the packet sequence received in the current detection cycle.
S12: judge whether the flow value corresponding to the packet sequence received by the server in the unit time of the current detection cycle exceeds the preset threshold; if so, perform step S13, otherwise perform step S14.
The traffic detection engine compares the flow value f_n corresponding to the packet sequence received by the server in the unit time of the current detection cycle, as determined in step S11, with the preset threshold; if f_n exceeds the preset threshold, step S13 is performed, otherwise step S14 is performed.
S13: send the packet sequence received by the server in the current detection cycle, together with the first time at which the packet sequence was received, to the traffic recording engine.
In step S13, the traffic detection engine sends the packet sequence received in the current detection cycle and the first time t_n at which the packet sequence was received to the traffic recording engine, and the traffic recording engine performs the subsequent traffic recording process.
Note that if the packet sequence received in the current detection cycle is the packet sequence received by the server at the start of the current detection cycle, the first time t_n is the start time of the current detection cycle; if the packet sequence received in the current detection cycle is all the packets received from the start of the detection cycle to its end, the first time t_n is the end time of the current detection cycle.
Preferably, the traffic detection engine may also send the flow value f_n corresponding to the packet sequence received in the current detection cycle to the traffic recording engine together with them.
S14: the traffic detection engine judges whether the traffic recording engine has started; if so, perform step S15, otherwise perform step S16.
S15: the traffic detection engine sends a signal to stop recording traffic to the traffic recording engine.
When step S14 finds that the traffic recording engine is recording server access traffic, then, since the traffic detection engine has determined at the current moment that server access traffic in the unit time is within the preset threshold range, the traffic recording engine need not record this traffic any longer; the signal to stop recording traffic is therefore sent to the traffic recording engine, so that it stops recording server access traffic after receiving the signal.
S16: detect whether the next detection cycle has arrived; if so, perform step S11, otherwise continue performing step S16.
In practice, because DDoS attacks are intermittent, if the traffic detection engine continuously detected server access traffic and sent it to the traffic recording engine for recording, some normal server access traffic might be stored in memory, which on the one hand wastes the memory of the traffic recording engine and on the other hand affects the protective performance of the protection device. Therefore the traffic detection engine in the embodiment of the present invention detects the packet sequences received by the server at a certain period, for example detecting every 10 seconds whether the flow value corresponding to the packet sequence received by the server in the unit time exceeds the preset threshold; this relieves storage pressure without affecting the protective performance of the protection device.
Embodiment two
As shown in Fig. 2a, the flow of the method for recording attack traffic provided by an embodiment of the present invention may include the following steps:
S21: receive the first request to start recording traffic sent by the traffic detection engine.
Note that the traffic detection engine sends this first request on detecting that server access traffic exceeds the preset threshold.
The first request carries the packet sequence to be recorded and the first time at which the packet sequence was obtained.
S22: determine, from the size of each packet of the packet sequence, the flow value corresponding to the packet sequence.
In practice, after receiving the packet sequence to be recorded, the traffic recording engine can determine the total size of the packet sequence from the size of each packet it contains, thereby obtaining the flow value corresponding to the received packet sequence.
Preferably, if the first request carries the flow value corresponding to the packet sequence, step S22 may be omitted in practice and the flow value corresponding to the received packet sequence obtained directly from the first request.
S23: determine the traffic recording frequency from the flow value corresponding to the packet sequence and the first time at which the packet sequence was obtained.
S24: record and store server access traffic according to the determined traffic recording frequency.
In practice, in step S24 the traffic detection engine can record server access traffic in the format shown in Table 1, which may contain the following fields: the time at which the packet sequence was received (corresponding to the first time in the embodiment of the present invention), the packet sequence, and the flow value corresponding to the packet sequence.
Table 1
Time packet sequence received | Packet sequence   | Corresponding flow value
T1                            | B1, B2, B3, ...   | 2M
...                           | ...               | ...
In practice, step S23 can determine the traffic recording frequency according to the method shown in Fig. 2b, which may include the following steps:
S231: determine respectively the speed of recording server access traffic and the server access traffic in the unit time.
The speed at which the traffic recording engine records server access traffic may be denoted v_c; it can be determined from the total number of bytes the traffic recording engine records within a preset duration.
In practice, the server access traffic in the unit time can be determined according to the following equation, where:
ΔB is the difference between the preset maximum flow threshold and the determined flow value;
Δt is the difference between the second time, at which the maximum flow threshold is reached, and the first time, where the second time is determined from the previously recorded flow value and the first time at which the packet sequence was received.
The preset maximum flow threshold may be the maximum traffic or maximum bandwidth the server can bear, denoted B_max. Taking as an example the flow value f_c corresponding to the packet sequence received in the current detection cycle and the first time t_c at which that packet sequence was received, ΔB = B_max − f_c.
To determine Δt, the second time t_max at which the maximum flow threshold is reached must first be determined. Preferably, in the embodiment of the present invention, the second time can be determined according to the following equation, where:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined from the flow value corresponding to the packet sequence received in the current detection cycle and the first time at which that packet sequence was received.
In practice, in the formula for determining the second time, because the trend of a DDoS attack is unstable, generally presenting a normal distribution at the beginning and levelling off as time goes on until it occupies the bandwidth of the whole network and normal access can no longer get a response, the following model of DDoS attack traffic has been established:
$$f(t)=\begin{cases}\dfrac{1}{\sqrt{2\pi}\,\sigma}\,e^{-t^{2}/2}, & 0<t<\left|\sqrt{2\ln\left(\sqrt{2\pi}\,\sigma B_{max}\right)}\right| \\[1.2ex] B_{max}, & t>\left|\sqrt{2\ln\left(\sqrt{2\pi}\,\sigma B_{max}\right)}\right|\end{cases}$$
Given the flow value f_c corresponding to the packet sequence received by the traffic recording engine in the current detection cycle and the first time t_c at which that packet sequence was received, the formula for the correction factor can be derived from the DDoS attack traffic model as:
From the determined correction factor σ_c and the maximum flow threshold B_max, the second time t_max at which the maximum flow threshold B_max is reached can be determined using the formula for t_max, and then the value of Δt is obtained: Δt = t_max − t_c.
With ΔB and Δt determined, the server access traffic in the unit time can be determined:
S232: determine the ratio of the speed of recording server access traffic to the server access traffic as the traffic recording frequency.
From step S231 the traffic recording frequency of the traffic recording engine can be determined. Note that if the server access traffic in the unit time and/or the change in the server access flow value is determined to be zero, the traffic recording frequency is set to a preset fixed frequency, denoted f_const. "The change in the server access flow value is zero" is to be understood as follows: while the traffic recording engine is recording at the traffic recording frequency determined in step S231, it finds within the current detection cycle that the flow value corresponding to the currently received packet sequence is identical to the flow value corresponding to the packet sequence recorded at the previous moment; the traffic recording engine then determines that the change in the server access flow value is zero and records server access traffic at the preset fixed frequency, which may be set according to the performance of the current protection device, the network environment, and so on.
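Added derivation (not part of the patent text, whose formulas were lost in extraction): solving the model above for the correction factor σ_c and the second time t_max, then carrying through to the recording frequency. It assumes that the server access traffic in the unit time is the ratio ΔB/Δt, as the definitions of ΔB and Δt imply, and that the frequency is the ratio named in S232.

```latex
% Correction factor: the model evaluated at the observed (t_c, f_c) must reproduce f_c
f_c = \frac{1}{\sqrt{2\pi}\,\sigma_c}\,e^{-t_c^{2}/2}
\quad\Longrightarrow\quad
\sigma_c = \frac{e^{-t_c^{2}/2}}{\sqrt{2\pi}\,f_c}

% Second time: the first branch of the model reaches B_max
\frac{1}{\sqrt{2\pi}\,\sigma_c}\,e^{-t_{max}^{2}/2} = B_{max}
\quad\Longrightarrow\quad
t_{max} = \sqrt{\left|2\ln\!\left(\sqrt{2\pi}\,\sigma_c B_{max}\right)\right|}

% Substituting sigma_c expresses the boundary through the observed values only
t_{max} = \sqrt{\left|2\ln\frac{B_{max}}{f_c} - t_c^{2}\right|}

% Unit-time server access traffic (assumed: the ratio of the two differences)
\Delta B = B_{max} - f_c,\qquad \Delta t = t_{max} - t_c,\qquad v = \frac{\Delta B}{\Delta t}

% Recording frequency (S232): recording speed over unit-time access traffic,
% with the fixed fallback of the text when v = 0 or the flow value is unchanged
f_{rec} = \frac{v_c}{v} = \frac{v_c\,(t_{max} - t_c)}{B_{max} - f_c},
\qquad f_{rec} = f_{const}\ \text{ if } v = 0 \text{ or } f_c \text{ is unchanged}
```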
In practice, once the traffic recording frequency has been determined according to step S232, the traffic recording engine can record and store server access traffic at that frequency, thereby changing the recording frequency dynamically according to the trend of the current server access traffic.
Preferably, in order to relieve memory pressure on the traffic recording engine, the method for recording attack traffic provided by the embodiment of the present invention further includes the following step: on receiving the second request, to stop recording traffic, sent by the traffic detection engine, stop recording server access traffic. The traffic detection engine sends the second request on detecting that server access traffic in the unit time is below the preset threshold. On this basis the traffic recording engine need not record server access traffic continuously, which saves the memory of the traffic recording engine and thus improves the protective performance of the protection device.
In practice, because the memory of the traffic recording engine is limited, its memory may reach its storage limit as it records server access traffic. To avoid memory overflow in the traffic detection engine, the embodiment of the present invention may also optimise the memory of the traffic recording engine; embodiments of the present invention provide two methods of deleting traffic records from the memory of the traffic recording engine, introduced separately below.
Method one
Fig. 3 shows the first method, provided by an embodiment of the present invention, of deleting traffic records from the memory of the traffic recording engine; it may include the following steps:
S31: count the number of recorded packet sequences.
In practice, in the data recorded in Table 1 each row corresponds to one packet sequence, so the number of recorded packet sequences can be obtained by counting the rows of Table 1.
S32: if the number exceeds a preset count, delete the packet sequences within a preset time range, in the time order in which the packet sequences were obtained.
In practice, after step S31 has counted the recorded packet sequences, the count is compared with the preset value; if it exceeds the preset value, little memory space remains or memory is nearly full. A DDoS attack divides into three periods: attack start, attack middle and attack end. In the start and end periods the attack traffic is relatively small; in the middle period attacks are relatively frequent and the traffic of the DDoS attack changes little. If all the traffic of this DDoS attack were stored in memory it would occupy a large memory space, so the received packet sequences can be sorted in time order and the traffic records within a preset time range deleted; this preset time range may be the middle period of this DDoS attack, which the present invention does not limit. For example, suppose the times of the traffic records in memory are t0, t1, t2, t3, t4 and t5, with corresponding flow values L0, L1, L2, L3, L4 and L5, satisfying t0 < t1 < t2 < t3 < t4 < t5 and L0 < L1 < L2 < L3 < L4 < L5. When the traffic management module judges that the number of packet sequences exceeds the preset value, it finds the packet sequences received at t2 and t3, which lie in the middle period, and deletes the packet sequences corresponding to those moments. Alternatively, when the flow values corresponding to traffic records in memory are identical, the traffic management engine deletes the packet sequences whose flow values are identical. Of course, other methods may also be used to delete traffic records from the memory of the traffic recording engine; the present invention does not limit this.
Method two:
Fig. 4 shows the second method, provided by the embodiment of the present invention, of deleting traffic records from the memory of the traffic recording engine. It may comprise the following steps:
S41: count the memory space occupied by the recorded data packet sequences.
In a specific implementation, the memory space occupied by the recorded data packet sequences can be obtained from the flow value corresponding to each data packet sequence.
S42: if the memory space occupied by the recorded data packet sequences exceeds a preset memory threshold, delete the data packet sequences within a preset time range according to the time order in which the data packet sequences were obtained.
In a specific implementation, step S42 can delete the traffic records in the memory of the traffic recording engine by a method similar to that of step S32, which is not repeated here.
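The two pruning methods above, deletion by record count (steps S31 and S32) and deletion by occupied memory (steps S41 and S42), share the same deletion step, so one added example covers both. This is illustrative code written for this page, not code from the patent or its assignee. It assumes that the memory occupied by a record is approximated by its flow value, as step S41 suggests, that the preset time range is given as absolute start and end times, and that when the window deletion does not bring the store under its limit the alternative rule from the description (deleting records with identical flow values) is applied as a fallback; the class and function names and the sample records at t0 to t5 are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TrafficRecord:
    """One recorded packet sequence: when it was obtained and its flow value."""
    time: float       # time at which the packet sequence was obtained
    flow_value: int   # flow value of the sequence (bytes); also used as its memory cost (assumption)


def sort_by_time(records: List[TrafficRecord]) -> List[TrafficRecord]:
    """Order records by the time the packet sequences were obtained."""
    return sorted(records, key=lambda r: r.time)


def delete_in_time_range(records: List[TrafficRecord], start: float, end: float) -> List[TrafficRecord]:
    """Deletion step of S32/S42: drop records whose time lies in the preset range
    [start, end]; in the description this is the middle period of the attack,
    where the flow changes little."""
    return [r for r in sort_by_time(records) if not (start <= r.time <= end)]


def delete_duplicate_flow_values(records: List[TrafficRecord]) -> List[TrafficRecord]:
    """Alternative deletion the description mentions: among records carrying an
    identical flow value keep only the earliest one."""
    seen, kept = set(), []
    for r in sort_by_time(records):
        if r.flow_value not in seen:
            seen.add(r.flow_value)
            kept.append(r)
    return kept


class TrafficRecordStore:
    """In-memory record store enforcing both limits: a preset record count
    (S31/S32) and a preset memory threshold (S41/S42)."""

    def __init__(self, max_records: int, max_memory: int, middle_range: Tuple[float, float]):
        self.max_records = max_records
        self.max_memory = max_memory
        self.middle_range = middle_range   # preset time range to delete from (assumed absolute times)
        self.records: List[TrafficRecord] = []

    def record_count(self) -> int:
        return len(self.records)

    def memory_used(self) -> int:
        return sum(r.flow_value for r in self.records)

    def over_limit(self) -> bool:
        return self.record_count() > self.max_records or self.memory_used() > self.max_memory

    def add(self, record: TrafficRecord) -> bool:
        """Store a record, then prune if either limit is exceeded.
        Returns True when the store is within its limits afterwards."""
        self.records.append(record)
        if self.over_limit():
            self.records = delete_in_time_range(self.records, *self.middle_range)
        if self.over_limit():
            # Fallback chosen for this example: the identical-flow-value rule.
            self.records = delete_duplicate_flow_values(self.records)
        return not self.over_limit()

    def times(self) -> List[float]:
        return [r.time for r in sort_by_time(self.records)]


def demo_count_limit() -> List[float]:
    """Constructed sample mirroring the description: records at t0..t5 with
    increasing flow values, count limit 5, middle range covering t2 and t3."""
    store = TrafficRecordStore(max_records=5, max_memory=10**9, middle_range=(2, 3))
    for t, flow in enumerate((100, 200, 300, 400, 500, 600)):
        store.add(TrafficRecord(time=t, flow_value=flow))
    return store.times()


def demo_memory_limit() -> List[float]:
    """The same sample under a memory threshold of 1500 instead of a count limit."""
    store = TrafficRecordStore(max_records=10**9, max_memory=1500, middle_range=(2, 3))
    for t, flow in enumerate((100, 200, 300, 400, 500, 600)):
        store.add(TrafficRecord(time=t, flow_value=flow))
    return store.times()


if __name__ == "__main__":
    print(demo_count_limit())   # [0, 1, 4, 5]
    print(demo_memory_limit())  # [0, 1, 4, 5]
```

Both demos end with the records at t2 and t3 deleted and the start and end of the attack preserved, which is the behaviour the description attributes to the traffic management module. The return value of `add` tells the caller whether the store is still over its limit after both rules have run, which is the case a practitioner has to handle separately, since the page leaves the choice of further deletion methods open.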
In the attack traffic recording method provided by the embodiment of the present invention, traffic is recorded only after the first request to start recording traffic sent by the flow detection engine has been received, and not every moment is recorded during the recording process. After receiving the first request to start recording traffic sent by the flow detection engine, the flow value corresponding to each data packet is determined according to the size of each data packet in the data packet sequence to be recorded that is carried in the first request; the traffic recording frequency is then determined according to the determined flow value and the first time of the data packet sequence carried in the first request; and the server access traffic is recorded and stored according to the determined traffic recording frequency. On the one hand, the traffic recording frequency can be changed flexibly according to changes in the current traffic, which reduces repeated traffic records; on the other hand, the start and stop of traffic recording are controlled according to the traffic recording frequency, which reduces the impact of the traffic recording engine on protection performance, reduces the memory occupied by redundant traffic information, and improves the quality of the DDoS attack traffic record.
Embodiment three:
Based on the same inventive concept, the embodiment of the present invention also provides an attack traffic recording device. Since the principle by which the device solves the problem is similar to the attack traffic recording method, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
As shown in Fig. 5, the structural schematic of the attack traffic recording device provided by the embodiment of the present invention includes a receiving unit 50, a first determining unit 51, a second determining unit 52 and a recording unit 53, wherein:
the receiving unit 50 is used to receive the first request to start recording traffic sent by the flow detection engine, the first request carrying the data packet sequence to be recorded and the first time at which the data packet sequence was obtained;
In a specific implementation, the first request is sent by the flow detection engine when it detects that the server access traffic in a unit time exceeds a preset threshold.
the first determining unit 51 is used to determine the flow value corresponding to the data packet sequence according to the size of each data packet contained in the data packet sequence;
the second determining unit 52 is used to determine the traffic recording frequency according to the flow value and the first time;
the recording unit 53 is used to record and store the server access traffic according to the determined traffic recording frequency.
In a specific implementation, the second determining unit 52 specifically includes a first determining module and a second determining module, wherein:
the first determining module is used to determine respectively the speed of recording server access traffic and the server access traffic in a unit time;
the second determining module is used to determine the ratio of the speed of recording server access traffic to the server access traffic as the traffic recording frequency.
In a specific implementation, the first determining module is specifically used to determine the server access traffic in a unit time according to the following formula, wherein:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between the second time at which the maximum flow threshold is reached and the first time, wherein the second time is obtained by prediction from the flow value and the first time.
The first determining module is specifically used to determine the second time according to the following formula, wherein:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined according to the flow value and the first time.
The first determining module is specifically used to determine σ_c from the flow value and the first time according to the following formula, wherein:
Specifically, the second determining module is specifically used to determine that the traffic recording frequency is a preset fixed frequency if the server access traffic in a unit time and/or the server access traffic change value determined by the first determining module is zero.
In a specific implementation, the device also includes a control unit 54, wherein:
the control unit 54 is used to stop recording server access traffic when the second request to stop recording traffic sent by the flow detection engine is received, wherein the second request is sent by the flow detection engine when it detects that the server access traffic in a unit time is below the preset threshold.
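The units of Fig. 5 together describe a small state machine: the receiving unit starts recording on the first request, the determining units derive a flow value and a recording frequency from it, the recording unit stores samples at that frequency, and the control unit stops recording on the second request. The following is an added example written for this page, not code from the patent or its assignee, that puts the units together. It assumes that the flow value is the total size of the packets in the sequence, that the speed of recording, the unit-time server access traffic and its change value are supplied as inputs (the unit-time traffic formula is only stated by its symbols above, so it is not computed here), that "recording at a frequency" means storing at most one record per 1/frequency seconds, and that the preset fixed frequency is 1 record per second; the class and function names and the sample exchange are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Preset fixed recording frequency used when the unit-time server access
# traffic or its change value is zero. The value is an assumption.
FIXED_FREQUENCY = 1.0  # records per second


@dataclass(frozen=True)
class StartRecordRequest:
    """First request from the flow detection engine: the packet sequence to
    record and the first time at which that sequence was obtained."""
    packet_sizes: List[int]  # size of each packet in the sequence (bytes)
    first_time: float        # seconds


def flow_value(packet_sizes: List[int]) -> int:
    """First determining unit: flow value of a sequence from its packet sizes.
    Assumption: the flow value is the total byte count of the sequence."""
    return sum(packet_sizes)


def recording_frequency(record_speed: float, server_access_flow: float,
                        flow_change: float) -> float:
    """Second determining unit: ratio of the speed of recording server access
    traffic to the server access traffic in unit time, with the preset fixed
    frequency as fallback when the unit-time traffic or its change is zero."""
    if server_access_flow == 0 or flow_change == 0:
        return FIXED_FREQUENCY
    return record_speed / server_access_flow


class TrafficRecordingEngine:
    """Records server access traffic only between the flow detection engine's
    start request and stop request, sampling at the determined frequency."""

    def __init__(self, record_speed: float):
        self.record_speed = record_speed  # bytes/s the engine records (assumed input)
        self.recording = False
        self.frequency = FIXED_FREQUENCY
        self.last_record_time: Optional[float] = None
        self.records: List[Tuple[float, int]] = []  # (time, flow value)

    def on_start_request(self, req: StartRecordRequest,
                         server_access_flow: float, flow_change: float) -> float:
        """Receiving unit plus determining units: start recording and fix the
        frequency; the unit-time traffic figures are taken as inputs (assumption)."""
        self.recording = True
        self.frequency = recording_frequency(self.record_speed, server_access_flow, flow_change)
        self._store(req.first_time, flow_value(req.packet_sizes))
        return self.frequency

    def on_stop_request(self) -> None:
        """Control unit: the second request stops recording."""
        self.recording = False
        self.last_record_time = None

    def on_packet_sequence(self, time: float, packet_sizes: List[int]) -> bool:
        """Recording unit: while recording, a sequence is stored only when at
        least 1/frequency seconds have passed since the last stored record;
        sequences inside that interval are treated as repeats and dropped."""
        if not self.recording:
            return False
        if (self.last_record_time is not None
                and time - self.last_record_time < 1.0 / self.frequency):
            return False
        self._store(time, flow_value(packet_sizes))
        return True

    def _store(self, time: float, value: int) -> None:
        self.records.append((time, value))
        self.last_record_time = time


def demo() -> dict:
    """Constructed exchange: one sequence before the start request, a start
    request, four sequences while recording, a stop request, one after."""
    engine = TrafficRecordingEngine(record_speed=5000.0)
    before = engine.on_packet_sequence(0.0, [500, 500])                  # ignored: not recording
    freq = engine.on_start_request(
        StartRecordRequest(packet_sizes=[1500, 1500, 1000], first_time=1.0),
        server_access_flow=20000.0, flow_change=4000.0)                  # 5000/20000 = 0.25 Hz
    stored = [engine.on_packet_sequence(t, [1500] * 4) for t in (2.0, 3.0, 5.0, 6.0)]
    engine.on_stop_request()
    after = engine.on_packet_sequence(9.0, [1500])                        # ignored: stopped
    return {"before": before, "frequency": freq, "stored": stored,
            "after": after, "records": engine.records}


if __name__ == "__main__":
    print(demo())
```

With a frequency of 0.25 the engine keeps the record made at the first time and the sequence seen four seconds later, drops the three sequences that fall inside the interval, and ignores everything seen outside the start/stop window. That is the effect the description claims: fewer repeated records and no recording cost while the detection engine has not signalled an attack.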
In a specific implementation, the device also includes a first statistics unit 55 and a first deleting unit 56, wherein:
the first statistics unit 55 is used to count the number of recorded data packet sequences;
the first deleting unit 56 is used, if the number of data packet sequences counted by the first statistics unit 55 exceeds a preset count value, to delete the data packet sequences within a preset time range according to the time order in which the data packet sequences were obtained.
In a specific implementation, the device also includes a second statistics unit 57 and a second deleting unit 58, wherein:
the second statistics unit 57 is used to count the memory space occupied by the recorded data packet sequences;
the second deleting unit 58 is used, if the memory space occupied by the data packet sequences recorded by the second statistics unit 57 exceeds a preset memory threshold, to delete the data packet sequences within a preset time range according to the time order in which the data packet sequences were obtained.
For convenience of description, the above parts are divided by function and each module (or unit) is described separately. Of course, when implementing the present invention, the functions of the modules (or units) may be realised in one or more pieces of software or hardware. For example, the attack traffic recording device provided by embodiment three of the present invention may be arranged in the traffic recording engine, and the traffic recording engine completes the recording of the server access traffic.
In the attack traffic recording method, device and traffic recording engine provided by the embodiment of the present invention, after receiving the first request to start recording traffic sent by the flow detection engine, the traffic recording engine determines the flow value corresponding to each data packet according to the size of each data packet in the data packet sequence to be recorded that is carried in the first request, then determines the traffic recording frequency according to the determined flow value and the first time of the data packet sequence carried in the first request, and records and stores the server access traffic according to the determined traffic recording frequency. On the one hand, the traffic recording frequency can be changed flexibly according to changes in the current traffic, which reduces repeated traffic records; on the other hand, the start and stop of traffic recording are controlled according to the traffic recording frequency, which reduces the impact of the traffic recording engine on protection performance, reduces the memory occupied by redundant traffic information, and improves the quality of the DDoS attack traffic record.
The attack traffic recording device provided by the embodiments of the present application may be implemented by a computer program. Those skilled in the art should understand that the above module division is only one of many possible module divisions; whether it is divided into other modules or not divided into modules at all, as long as the attack traffic recording device has the above functions, it falls within the scope of protection of the present application.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these changes and modifications of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.

Claims (20)

1. A recording method of attack traffic, characterised in that it comprises:
receiving a first request to start recording traffic sent by a flow detection engine, the first request carrying a data packet sequence to be recorded and a first time at which the data packet sequence was obtained;
determining a flow value corresponding to the data packet sequence according to the size of each data packet contained in the data packet sequence;
determining a traffic recording frequency according to the flow value and the first time;
recording and storing server access traffic according to the determined traffic recording frequency.
2. The method of claim 1, characterised in that the first request is sent by the flow detection engine when it detects that the server access traffic in a unit time exceeds a preset threshold.
3. The method of claim 1, characterised in that it further comprises:
when a second request to stop recording traffic sent by the flow detection engine is received, stopping recording server access traffic, wherein the second request is sent by the flow detection engine when it detects that the server access traffic in a unit time is below the preset threshold.
4. The method of claim 1, characterised in that determining the traffic recording frequency according to the flow value and the first time specifically comprises:
determining respectively the speed of recording server access traffic and the server access traffic in a unit time;
determining the ratio of the speed of recording server access traffic to the server access traffic as the traffic recording frequency.
5. The method of claim 4, characterised in that it further comprises:
if the server access traffic in a unit time and/or the server access traffic change value is zero, determining that the traffic recording frequency is a preset fixed frequency.
6. The method of claim 4, characterised in that the server access traffic in a unit time is determined according to the following formula, wherein:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between a second time at which the maximum flow threshold is reached and the first time, wherein the second time is obtained by prediction from the flow value and the first time.
7. The method of claim 6, characterised in that the second time is determined according to the following formula, wherein:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined according to the flow value and the first time.
8. The method of claim 7, characterised in that σ_c is determined from the flow value and the first time according to the following formula, wherein:
t_c is the first time;
f_c is the flow value.
9. The method of claim 1, characterised in that it further comprises:
counting the number of recorded data packet sequences;
if the count exceeds a preset count value, deleting the data packet sequences within a preset time range according to the time order in which the data packet sequences were obtained.
10. The method of claim 1, characterised in that it further comprises:
counting the memory space occupied by the recorded data packet sequences;
if the memory space occupied by the recorded data packet sequences exceeds a preset memory threshold, deleting the data packet sequences within a preset time range according to the time order in which the data packet sequences were obtained.
11. A recording device of attack traffic, characterised in that it comprises:
a receiving unit, used to receive a first request to start recording traffic sent by a flow detection engine, the first request carrying a data packet sequence to be recorded and a first time at which the data packet sequence was obtained;
a first determining unit, used to determine a flow value corresponding to the data packet sequence according to the size of each data packet contained in the data packet sequence;
a second determining unit, used to determine a traffic recording frequency according to the flow value and the first time;
a recording unit, used to record and store server access traffic according to the determined traffic recording frequency.
12. The device of claim 11, characterised in that the first request is sent by the flow detection engine when it detects that the server access traffic in a unit time exceeds a preset threshold.
13. The device of claim 11, characterised in that it further comprises:
a control unit, used to stop recording server access traffic when a second request to stop recording traffic sent by the flow detection engine is received, wherein the second request is sent by the flow detection engine when it detects that the server access traffic in a unit time is below the preset threshold.
14. The device of claim 11, characterised in that the second determining unit specifically includes:
a first determining module, used to determine respectively the speed of recording server access traffic and the server access traffic in a unit time;
a second determining module, used to determine the ratio of the speed of recording server access traffic to the server access traffic as the traffic recording frequency.
15. The device of claim 14, characterised in that
the second determining module is specifically used to determine that the traffic recording frequency is a preset fixed frequency if the server access traffic in a unit time and/or the server access traffic change value determined by the first determining module is zero.
16. The device of claim 14, characterised in that the first determining module is specifically used to determine the server access traffic in a unit time according to the following formula, wherein:
ΔB is the difference between the preset maximum flow threshold and the flow value;
Δt is the difference between a second time at which the maximum flow threshold is reached and the first time, wherein the second time is obtained by prediction from the flow value and the first time.
17. The device of claim 16, characterised in that the first determining module is specifically used to determine the second time according to the following formula, wherein:
t_max is the second time;
B_max is the preset maximum flow threshold;
σ_c is a correction factor determined according to the flow value and the first time.
18. The device of claim 17, characterised in that the first determining module is specifically used to determine σ_c from the flow value and the first time according to the following formula, wherein:
t_c is the first time;
f_c is the flow value.
19. The device of claim 11, characterised in that it further comprises:
a first statistics unit, used to count the number of recorded data packet sequences;
a first deleting unit, used, if the number of data packet sequences counted by the first statistics unit exceeds a preset count value, to delete the data packet sequences within a preset time range according to the time order in which the data packet sequences were obtained.
20. The device of claim 11, characterised in that it further comprises:
a second statistics unit, used to count the memory space occupied by the recorded data packet sequences;
a second deleting unit, used, if the memory space occupied by the data packet sequences recorded by the second statistics unit exceeds a preset memory threshold, to delete the data packet sequences within a preset time range according to the time order in which the data packet sequences were obtained.
CN201610867805.5A 2016-09-29 2016-09-29 A kind of recording method and device of attack traffic Active CN106254394B (en)

Publications (2)

Publication Number Publication Date
CN106254394A true CN106254394A (en) 2016-12-21
CN106254394B CN106254394B (en) 2019-07-02

Family

ID=57611203

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Co-patentee after: NSFOCUS TECHNOLOGIES Inc.

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Co-patentee before: NSFOCUS TECHNOLOGIES Inc.

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.
