
CN109688136B - Detection method, system and related components for forging IP attack behavior - Google Patents


Info

Publication number
CN109688136B
Authority
CN
China
Prior art keywords
data packet
packet
ratio
source
authentication
Prior art date
Legal status
Active
Application number
CN201811612079.8A
Other languages
Chinese (zh)
Other versions
CN109688136A (en)
Inventor
郭振乾
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN201811612079.8A
Publication of CN109688136A
Application granted
Publication of CN109688136B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L 2463/141 Denial of service attacks against endpoints in a network
    • H04L 2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method for detecting forged-IP attack behaviour: when an IP packet is detected to be a packet awaiting authentication, judge whether its source IP meets the authentication condition; if so, determine how many packets the source IP has sent; and when that count exceeds a preset number, detect whether a forged-IP attack exists by means of TCP authentication and/or DNS authentication. The method can defend against forged-IP attacks and improve detection accuracy. The application also discloses a detection system for forged-IP attack behaviour, a computer-readable storage medium and an electronic device, which have the same beneficial effects.

Description

Detection method, system and related components for forging IP attack behavior
Technical Field
The invention relates to the field of firewalls, in particular to a method and system for detecting forged-IP attack behaviour, a computer-readable storage medium and an electronic device.
Background
With the development of internet technology, network security problems have become increasingly prominent. DDoS attack is one of the most common means of network attack, and in recent years its development has clearly outpaced defensive technology. According to Arbor Networks' 2010 annual security report, DDoS attack traffic has grown geometrically in recent years, rising from 50Gbps in 2009 to 100Gbps in 2010, and DDoS attacks were present in many major international events in 2010 and 2011. As the cost and difficulty of defending against DDoS keep rising, intercepting the attack at its source, that is, locating the compromised host and intercepting its abnormal outbound traffic, can greatly reduce that cost; this amounts to defending against DDoS from within the intranet.
In the prior art, intranet DDoS detection mainly works by simply counting a host's SYN, ICMP, UDP and similar packets to judge whether the host is abnormal, but this cannot defend against attacks that forge the source IP.
Therefore, how to defend against forged-IP attacks and improve detection accuracy is a technical problem that those skilled in the art currently need to solve.
Disclosure of Invention
The application aims to provide a method and system for detecting forged-IP attack behaviour, a computer-readable storage medium and an electronic device, which can defend against forged-IP attacks and improve detection accuracy.
To solve the above technical problem, the application provides a method for detecting forged-IP attack behaviour, comprising:
when an IP packet is detected to be a packet awaiting authentication, judging whether the source IP of the IP packet meets the authentication condition;
if so, determining how many packets the source IP has sent;
and when that sending count exceeds a preset number, detecting whether a forged-IP attack exists by means of TCP authentication and/or DNS authentication.
Optionally, the method further comprises:
when the sending count is less than or equal to the preset number, discarding the packet from that source IP.
Optionally, detecting whether a forged-IP attack exists by means of TCP authentication and/or DNS authentication comprises:
constructing a SYN-ACK packet with a preset sequence number from the TCP SYN packet corresponding to the IP packet, and discarding the SYN packet;
constructing a DNS response packet with a preset mark and/or a response packet pointing to a target IP from the DNS request packet corresponding to the packet, and discarding the DNS request packet;
judging whether an RST packet with the preset sequence number and/or a preset client operation is detected; if not, judging that a forged-IP attack exists; the preset client operation comprises a DNS re-query corresponding to the preset mark and/or an access operation to the target IP.
Optionally, when the source IP of the IP packet does not meet the authentication condition, the method further comprises:
counting traffic feature data of the source IP, comprising the number of uplink and downlink traffic packets, the number of connectivity packets and the total number of packets;
calculating a first ratio and a second ratio from the traffic feature data, where the first ratio is the number of connectivity packets over the total number of packets and the second ratio is the number of uplink and downlink traffic packets over the total number of packets;
judging whether the first ratio is below a first preset value and the second ratio is below a second preset value; if not, judging that DDoS attack behaviour has been detected.
Optionally, the first ratio comprises the ratio of the TCP SYN, SYN-ACK, FIN and RST packets, respectively, to the total number of packets;
correspondingly, the second ratio comprises the ratio of the number of UDP and ICMP uplink traffic packets and downlink traffic packets, respectively, to the total number of packets.
Optionally, before judging whether the source IP of the IP packet meets the authentication condition, the method further comprises:
receiving an IP packet and judging whether it is an authentication packet; an authentication packet uses the TCP and DNS protocols and carries a TCP packet with a preset specific sequence number;
if so, adding the source IP of the IP packet to the real-IP hash table;
if not, treating the IP packet as a packet awaiting authentication, and judging that a packet awaiting authentication has been detected.
Optionally, judging whether the source IP of the IP packet meets the authentication condition comprises:
judging whether the source IP of the IP packet is in the real-IP hash table, to obtain a first judgment result;
judging whether the number of entries in the real-IP hash table is below a maximum preset value, to obtain a second judgment result;
judging whether both the first and second judgment results are yes; if so, judging that the source IP meets the authentication condition; if not, judging that it does not.
The application also provides a system for detecting forged-IP attack behaviour, comprising:
an authentication-condition judging module, for judging whether the source IP of an IP packet meets the authentication condition when the IP packet is detected to be a packet awaiting authentication;
a first-packet determining module, for determining how many packets the source IP has sent when the source IP of the IP packet meets the authentication condition;
and a forged-IP attack detection module, for detecting whether a forged-IP attack exists by means of TCP authentication and/or DNS authentication when the sending count exceeds the preset number.
Optionally, the system further comprises:
a packet-discarding module, for discarding the packet from the source IP when the sending count is less than or equal to the preset number.
Optionally, the forged-IP attack detection module comprises:
a TCP authentication unit, for constructing a SYN-ACK packet with a preset sequence number from the TCP SYN packet corresponding to the IP packet when the sending count exceeds the preset number, and discarding the SYN packet;
a DNS authentication unit, for constructing a DNS response packet with a preset mark and/or a response packet pointing to a target IP from the DNS request packet corresponding to the packet when the sending count exceeds the preset number, and discarding the DNS request packet;
a monitoring unit, for judging whether an RST packet with the preset sequence number and/or the preset client operation is detected, and if not, judging that a forged-IP attack exists; the preset client operation comprises a DNS re-query corresponding to the preset mark and/or an access operation to the target IP.
Optionally, for the case where the source IP of the IP packet does not meet the authentication condition, the system further comprises:
a traffic-feature counting module, for counting the traffic feature data of the source IP, comprising the number of uplink and downlink traffic packets, the number of connectivity packets and the total number of packets;
a ratio calculation module, for calculating a first ratio and a second ratio from the traffic feature data, where the first ratio is the number of connectivity packets over the total number of packets and the second ratio is the number of uplink and downlink traffic packets over the total number of packets;
an attack detection module, for judging whether the first ratio is below a first preset value and the second ratio is below a second preset value, and if not, judging that DDoS attack behaviour has been detected.
Optionally, the first ratio comprises the ratio of the TCP SYN, SYN-ACK, FIN and RST packets, respectively, to the total number of packets;
correspondingly, the second ratio comprises the ratio of the number of UDP and ICMP uplink traffic packets and downlink traffic packets, respectively, to the total number of packets.
Optionally, the system further comprises:
a packet authentication module, for receiving an IP packet and judging whether it is an authentication packet; an authentication packet uses the TCP and DNS protocols and carries a TCP packet with a preset specific sequence number;
a first processing module, for adding the source IP of the IP packet to the real-IP hash table when the IP packet is an authentication packet;
and a second processing module, for treating the IP packet as a packet awaiting authentication and judging that a packet awaiting authentication has been detected when the IP packet is not an authentication packet.
Optionally, judging whether the source IP of the IP packet meets the authentication condition comprises:
judging whether the source IP of the IP packet is in the real-IP hash table, to obtain a first judgment result;
judging whether the number of entries in the real-IP hash table is below a maximum preset value, to obtain a second judgment result;
judging whether both the first and second judgment results are yes; if so, judging that the source IP meets the authentication condition; if not, judging that it does not.
The application also provides a computer-readable storage medium storing a computer program which, when executed, carries out the steps of the above method for detecting forged-IP attack behaviour.
The application also provides an electronic device comprising a memory and a processor, where the memory stores a computer program and the processor carries out the steps of the above method for detecting forged-IP attack behaviour when it invokes the program in the memory.
The invention provides a method for detecting forged-IP attack behaviour, comprising: when an IP packet is detected to be a packet awaiting authentication, judging whether its source IP meets the authentication condition; if so, determining how many packets the source IP has sent; and when that sending count exceeds a preset number, detecting whether a forged-IP attack exists by means of TCP authentication and/or DNS authentication.
By determining how many packets the source IP of an IP packet has sent, the method and system judge whether the IP packet is the first packet from that source IP; a count above the preset number indicates that the source IP has already sent a certain number of packets, and whether a forged-IP attack exists can then be detected by TCP authentication and/or DNS authentication. Because both TCP authentication and DNS authentication require a client response, they can only be passed when the source IP is a real IP. The method and system can therefore defend against forged-IP attacks and improve detection accuracy. The application also provides a detection system for forged-IP attack behaviour, a computer-readable storage medium and an electronic device, which have the same beneficial effects and are not repeated here.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a method for detecting forged-IP attack behaviour according to an embodiment of the present application;
Fig. 2 is a flowchart of a method for detecting DDoS attack behaviour according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for detecting attack behaviour according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a system for detecting forged-IP attack behaviour according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a method for detecting forged-IP attack behaviour according to an embodiment of the present application.
The specific steps may include:
S101: when an IP packet is detected to be a packet awaiting authentication, judge whether the source IP of the IP packet meets the authentication condition; if so, go to S102;
This embodiment can be applied to various abnormal-traffic monitoring devices, such as a classified-protection (MLPS) all-in-one appliance or a traffic detection device. The IP packet in this step may be the interaction traffic of a host. Specifically, when the embodiment is applied to a traffic detection device, that device is generally placed at the internet egress boundary; intranet devices may connect to the boundary traffic device through a layer-2 switch or undergo IP translation at a router, and the IP packet may be traffic output by the layer-2 switch or by the boundary traffic device.
This step assumes a preceding check of whether the IP packet is a packet awaiting authentication: when the IP packet uses the TCP and DNS protocols and carries a TCP packet with a preset specific sequence number, it is judged to be an authentication packet; otherwise it is judged to be a packet awaiting authentication. The check may comprise the following steps:
Step 1: receive an IP packet and judge whether it is an authentication packet; an authentication packet uses the TCP and DNS protocols and carries a TCP packet with a preset specific sequence number; if so, go to step 2; if not, go to step 3;
Step 2: add the source IP of the IP packet to the real-IP hash table;
If the source IP of the packet is in the list awaiting authentication and the current packet is an authentication packet, the source IP is added to the real-IP list, and other packets from IPs awaiting authentication are intercepted for a set time. Authentication packets are required to use TCP and DNS and to be TCP packets with the specific sequence number.
Step 3: treat the IP packet as a packet awaiting authentication, and judge that a packet awaiting authentication has been detected.
When the IP packet is an authentication packet, it is trustworthy, no forged-IP attack can be present, and its source IP can be taken as a real IP and added to the real-IP hash table; when the IP packet is a packet awaiting authentication, a forged-IP attack may be present, and the operations of S102 are needed. This embodiment assumes that an authentication condition is preset for judging whether the source IP meets it. For example, the condition under which a source IP requires no authentication may be: if the source IP is not in the real-IP list and the number of entries in the real-IP list exceeds a preset upper limit, the source IP meets the no-authentication condition; otherwise it meets the authentication condition.
S102: determining the sending times of a source IP sending data packet;
because the relevant authentication process of the source IP requiring authentication needs to construct a response packet, and certain consumption is caused to the performance of the protection device, the IP packet whose transmission times are less than or equal to the preset times (such as the first transmission of the IP packet) can be discarded (i.e., a packet discarding operation) so as to reduce the pressure of the defense performance of the firewall. As a preferred embodiment, whether the source IP has sent a packet before this can be determined by means of a relevant search performed by the bloom filter.
S103: and when the sending times are more than the preset times, detecting whether a forged IP attack behavior exists or not in a TCP authentication and/or DNS authentication mode.
When the sending times are larger than a preset value, the source IP sends a certain number of data packets before, and whether the forged IP attack behavior exists can be detected in a TCP authentication and/or DNS authentication mode. TCP (Transmission Control Protocol) authentication is an IP authentication method based on TCP, and the specific process may be: constructing a SYN-ACK data packet with a preset sequence number according to a SYN packet of a TCP protocol corresponding to the IP data packet, and discarding the SYN packet; in this step, the SYN-ACK data packet is sent to the client by default, if the source IP is not a fake IP, the client returns the RST packet with the preset sequence number, otherwise, the RST packet with the preset sequence number is not returned. The DNS (Domain Name System ) authentication is an IP authentication method based on DNS, and the specific process may be: and constructing a DNS response packet with a preset mark and/or a response packet of the target IP according to the DNS request packet corresponding to the data packet, and discarding the DNS request packet, wherein the client executes a preset operation if the source IP is not the forged IP, the preset operation of the client comprises a DNS rechecking operation corresponding to the preset mark and/or an access operation corresponding to the target IP, and otherwise, the client does not execute the preset operation. The significance of discarding SYN packets and DNS request packets in this step is: since it is not determined whether or not the source IP is a counterfeit IP, the SYN packet and the DNS request packet cannot be directly processed to improve security, and thus a discard process (equivalent to a packet loss) is performed.
As a preferred embodiment, when the source IP is detected to be a forged IP, it is indicated that there is a forged IP attack behavior, and when the forged IP attack behavior is detected, further detection (for example, detecting DDoS attack) may be performed on the IP data packet, and a specific type of the forged IP attack behavior is determined so as to execute a corresponding operation. Forged source IP can be added into the list and blocked for a certain time, so that the influence on the network is avoided. The embodiment can be applied to attack behavior detection in the intranet.
In this embodiment, whether the IP data packet is the first packet sent by the source IP is determined by determining the sending times of the source IP sending data packet corresponding to the IP data packet, and when the sending times is greater than the preset times, it is indicated that the source IP has sent a certain number of data packets, and whether a counterfeit IP attack behavior exists can be detected by means of TCP authentication and/or DNS authentication. Because both the TCP authentication and the DNS authentication are authentication modes requiring client response, the TCP authentication or the DNS authentication can be passed only when the source IP is a real IP. Therefore, the embodiment can defend the forged IP attack behavior and improve the detection accuracy.
Preferably, the value of the preset number of times mentioned in the above embodiment may be 1, so as to indicate that the source IP has transmitted the data packet before the preset number of times when the transmission number is greater than the preset number of times. Of course, the preset times can be flexibly set according to the application scene, and the greater the preset times, the higher the safety is.
As an alternative implementation, when the sending time is less than or equal to the preset time, it indicates that the credibility of the data packet is low, and the data packet corresponding to the source IP may be directly discarded. When the value of the preset number of times is 1, it is described that the detection principle of first packet discarding is adopted in this embodiment.
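As an added example (not code from the patent or from Sangfor), the following Python plays through the first-packet discard of S102 and the TCP authentication challenge of S103 on constructed packet records: the device drops a source's first packet, answers its next SYN with a SYN-ACK carrying a preset number, promotes the source to the real-IP table when an RST echoing that number comes back, and marks the source forged when the challenge times out. The HMAC-derived challenge number, the timeout, the table cap and the plain dict standing in for the bloom filter are assumptions; the DNS authentication path is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


# Constructed packet record standing in for a parsed IP/TCP packet (assumption).
@dataclass(frozen=True)
class Packet:
    src: str
    proto: str       # only "tcp" is modelled here
    flags: str = ""  # "SYN", "SYN-ACK", "RST", ...
    seq: int = 0     # sequence number the packet carries


PRESET_TIMES = 1          # the page's preferred value: the first packet is discarded
CHALLENGE_TIMEOUT = 2.0   # seconds to wait for the client's RST (assumed value)
MAX_REAL_IPS = 10_000     # "maximum preset value" for the real-IP table (assumed value)


@dataclass
class SpoofDetector:
    secret: bytes
    real_ips: set = field(default_factory=set)      # the page's "real IP hash table"
    send_count: dict = field(default_factory=dict)  # stands in for the bloom filter
    pending: dict = field(default_factory=dict)     # src -> (challenge number, deadline)
    forged: set = field(default_factory=set)        # sources that failed the challenge

    def challenge_number(self, src: str) -> int:
        # The "preset sequence number": derived per source from a secret so the
        # expected RST can be verified without storing random state (assumption).
        digest = hmac.new(self.secret, src.encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def meets_auth_condition(self, src: str) -> bool:
        # Condition as worded under S101: a source needs no authentication only
        # when it is absent from the real-IP table and the table is already full.
        return not (src not in self.real_ips and len(self.real_ips) >= MAX_REAL_IPS)

    def build_syn_ack(self, syn: Packet) -> Packet:
        # SYN-ACK carrying the challenge number; the original SYN is discarded.
        return Packet(src="device", proto="tcp", flags="SYN-ACK",
                      seq=self.challenge_number(syn.src))

    def expire(self, now: float) -> None:
        # A challenge that was never answered means the source is a forged IP.
        for src, (_, deadline) in list(self.pending.items()):
            if now > deadline:
                del self.pending[src]
                self.forged.add(src)

    def handle_packet(self, pkt: Packet, now: float) -> str:
        self.expire(now)
        src = pkt.src
        if src in self.forged:
            return "blocked"          # known forged source, blocked for a period
        if src in self.real_ips:
            return "accept"           # already authenticated (assumed handling)
        if pkt.proto == "tcp" and pkt.flags == "RST" and src in self.pending:
            expected, _ = self.pending.pop(src)
            if pkt.seq == expected:
                self.real_ips.add(src)
                return "authenticated"
            return "drop"             # an RST without the preset number proves nothing
        if not self.meets_auth_condition(src):
            return "stats"            # hand over to the traffic-feature path (fig. 2)
        self.send_count[src] = self.send_count.get(src, 0) + 1
        if self.send_count[src] <= PRESET_TIMES:
            return "drop_first"       # first-packet discard, no response is built
        if pkt.proto == "tcp" and pkt.flags == "SYN":
            if src not in self.pending:
                self.pending[src] = (self.challenge_number(src), now + CHALLENGE_TIMEOUT)
            return "challenge"        # SYN-ACK sent (build_syn_ack), SYN discarded
        return "drop"                 # unauthenticated non-SYN traffic is not forwarded
```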
Referring to fig. 2, fig. 2 is a flowchart of a method for detecting DDoS attack behaviour according to an embodiment of the present application. This embodiment supplements the previous one with a method for detecting whether DDoS attack behaviour exists in the IP packets, which may be combined with the embodiment of fig. 1; the steps may include:
S201: when the source IP of the IP packet does not meet the authentication condition, count the traffic feature data of the source IP, comprising the number of uplink and downlink traffic packets, the number of connectivity packets and the total number of packets;
S202: calculate a first ratio and a second ratio from the traffic feature data, where the first ratio is the number of connectivity packets over the total number of packets and the second ratio is the number of uplink and downlink traffic packets over the total number of packets;
A normal TCP connection includes a complete interaction: SYN, SYN-ACK and ACK packets in the connection-establishment phase, FIN-ACK and other packets in the closing phase, and ACK packets during data exchange. Counting the ratios of these packets makes it possible to judge whether a high-traffic host is carrying normal service or an abnormal attack, which avoids misjudgment.
Specifically, the connectivity packets may include SYN, SYN-ACK, FIN and RST packets, and the uplink and downlink traffic packets may include UDP and ICMP uplink and downlink traffic packets. Accordingly, the first ratio in this embodiment comprises the ratio of the TCP SYN, SYN-ACK, FIN and RST packets, respectively, to the total number of packets; correspondingly, the second ratio comprises the ratio of the number of UDP and ICMP uplink traffic packets and downlink traffic packets, respectively, to the total number of packets.
S203: judge whether the first ratio is below a first preset value and the second ratio is below a second preset value; if not, judge that DDoS attack behaviour has been detected.
This embodiment does not limit the specific values of the first and second preset values; those skilled in the art can set them according to the actual application scenario. A data link carrying normal service mainly transmits data, whereas attack packets mainly aim to consume resources; therefore, once the packet rate of a source IP exceeds a preset threshold, the features of the packets it sends are counted to determine whether they are abnormal. For TCP, this embodiment judges whether DDoS attack behaviour exists by whether the proportion of SYN, SYN-ACK, FIN, RST and similar packets is too large. For UDP, ICMP and similar protocols, it judges by whether the ratio of uplink traffic to downlink traffic is too large.
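As an added example (not the patent's own code), the following Python computes the first and second ratios of S201 to S203 over constructed packet records for one host and applies the threshold test. The preset values and the minimum packet count before the test is applied are assumed, since the page leaves them to the deployer; treating a packet addressed to the host as downlink is also an assumption.

```python
from collections import Counter
from dataclasses import dataclass


# Constructed packet record standing in for a parsed IP packet (assumption).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    flags: str = ""  # TCP flag combination, e.g. "SYN", "SYN-ACK", "ACK", "FIN", "RST"


# The page's connectivity packets: TCP SYN, SYN-ACK, FIN and RST.
CONNECTIVITY_FLAGS = ("SYN", "SYN-ACK", "FIN", "RST")
UPDOWN_KEYS = (("udp", "up"), ("udp", "down"), ("icmp", "up"), ("icmp", "down"))
FIRST_PRESET = 0.5    # first preset value (assumed; the page leaves it to the deployer)
SECOND_PRESET = 0.5   # second preset value (assumed)
MIN_TOTAL = 10        # evaluate only once the host has exchanged enough packets (assumed)


def traffic_features(packets, host):
    """S201: count, for `host`, the total packets, the connectivity packets per TCP
    flag, and the UDP/ICMP packets per direction (uplink = sent by host)."""
    total = 0
    conn = Counter()
    updown = Counter()
    for p in packets:
        if host not in (p.src, p.dst):
            continue
        total += 1
        if p.proto == "tcp" and p.flags in CONNECTIVITY_FLAGS:
            conn[p.flags] += 1
        elif p.proto in ("udp", "icmp"):
            updown[(p.proto, "up" if p.src == host else "down")] += 1
    return total, conn, updown


def ratios(packets, host):
    """S202: first ratios (each connectivity flag over total) and second ratios
    (each UDP/ICMP direction over total); empty dicts when there is no traffic."""
    total, conn, updown = traffic_features(packets, host)
    if total == 0:
        return {}, {}
    first = {flag: conn[flag] / total for flag in CONNECTIVITY_FLAGS}
    second = {key: updown[key] / total for key in UPDOWN_KEYS}
    return first, second


def is_ddos(packets, host, first_preset=FIRST_PRESET, second_preset=SECOND_PRESET):
    """S203: normal only when every first ratio is below the first preset value and
    every second ratio is below the second preset value; otherwise DDoS detected."""
    total, _, _ = traffic_features(packets, host)
    if total < MIN_TOTAL:
        return False
    first, second = ratios(packets, host)
    normal = (all(r < first_preset for r in first.values())
              and all(r < second_preset for r in second.values()))
    return not normal


# Constructed samples: a normal web session, a SYN flood and a UDP flood.
HOST, SERVER = "10.0.0.5", "10.0.0.80"


def sample_normal():
    up = lambda f: Packet(HOST, SERVER, "tcp", f)
    down = lambda f: Packet(SERVER, HOST, "tcp", f)
    return ([up("SYN"), down("SYN-ACK"), up("ACK")]
            + [up("PSH-ACK"), down("ACK")] * 5
            + [up("FIN"), down("FIN"), up("ACK")])   # 16 packets in total


def sample_syn_flood():
    return [Packet(HOST, SERVER, "tcp", "SYN")] * 20


def sample_udp_flood():
    return [Packet(HOST, SERVER, "udp")] * 18 + [Packet(SERVER, HOST, "udp")] * 2
```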
Referring to fig. 3, fig. 3 is a flowchart of a method for detecting an attack behavior according to an embodiment of the present application;
S301: receive an IP data packet and judge whether it is an authentication data packet; the authentication data packets are the TCP-protocol and DNS-protocol data packets that carry a preset specific sequence number (that is, the replies to a previously issued TCP or DNS authentication challenge). If so, add the source IP of the IP data packet to the real IP hash table; if not, proceed to S302.
S302: set the IP data packet as a data packet to be authenticated, and judge that a data packet to be authenticated has been detected.
As a preferred embodiment, a black IP filtering operation may precede S302: a preset blacklist is used to intercept data from known forged IPs, and the user may set the blocking duration of the blacklist.
S303: judge whether the source IP of the IP data packet meets the authentication condition; if yes, proceed to S304; if not, proceed to S307.
S304: determine the number of times the source IP has sent data packets; when the sending count is greater than the preset count, construct a SYN-ACK data packet with a preset sequence number according to the TCP SYN packet corresponding to the IP data packet, and discard the SYN packet;
S305: construct a DNS response packet with a preset mark and/or a response packet pointing to a target IP according to the DNS request packet corresponding to the data packet, and discard the DNS request packet;
S306: judge whether an RST packet with the preset sequence number and/or the client preset operation is detected; if not, judge that a forged IP attack behavior exists, and end the flow.
The client preset operation comprises the DNS recheck operation corresponding to the preset mark and/or the access operation corresponding to the target IP.
S307: count the traffic characteristic data of the source IP;
the traffic characteristic data comprises the number of uplink and downlink traffic data packets, the number of connectivity data packets and the total number of data packets;
S308: calculate a first ratio and a second ratio, respectively, from the traffic characteristic data;
the first ratio is the ratio of the number of connectivity data packets to the total number of data packets, and the second ratio is the ratio of the number of uplink and downlink traffic data packets to the total number of data packets;
S309: judge whether the first ratio is smaller than the first preset value and the second ratio is smaller than the second preset value; if not, judge that DDoS attack behavior is detected, and end the flow.
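The S301 to S306 exchange, as an added example that is not part of the patent or of any Sangfor implementation. It uses a simplified packet model and fixes three points the text leaves open, all of which are assumptions: the preset number is placed in the acknowledgement field of the constructed SYN-ACK, because a host in SYN-SENT that receives a SYN-ACK with an unacceptable ACK answers with an RST whose sequence number equals that ACK (RFC 793), so the value comes back in the RST that S306 waits for; the "preset mark" on the DNS response is the TC (truncated) bit and the "DNS recheck operation" is the resolver's retry of the same query over TCP; and a source IP that is not yet in the real IP hash table is the one that gets challenged (S303 as worded checks membership in the table, but a table that is filled only by S301 could then never receive a first entry). Class names, function names and addresses are constructed.

```python
"""Challenge-based source IP authentication modelled on S301-S306 (added
example, not the patent's code). Marked assumptions: the preset number
travels in the SYN-ACK's ACK field and returns as the RST's SEQ; the DNS
'preset mark' is the TC bit; a source not yet in the real IP table is challenged."""
from dataclasses import dataclass
import secrets
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Packet:
    """Constructed packet model carrying only the fields the logic needs."""
    src: str
    proto: str              # "tcp" or "dns"
    flags: str = ""         # TCP flags: "S" SYN, "SA" SYN-ACK, "R" RST
    seq: int = 0            # TCP sequence number
    ack: int = 0            # TCP acknowledgement number
    qname: str = ""         # DNS question name
    tc: bool = False        # DNS TC bit, assumed to be the "preset mark"
    over_tcp: bool = False  # DNS query carried over TCP (the resolver's recheck)


class SpoofAuthenticator:
    def __init__(self, preset_count: int = 1, max_real_ips: int = 4096,
                 blacklist: Set[str] = frozenset()):
        self.preset_count = preset_count  # first packets of a source are dropped
        self.max_real_ips = max_real_ips  # cap on the real IP hash table (S303)
        self.blacklist = set(blacklist)   # known forged IPs, filtered before S302
        self.real_ips: Set[str] = set()   # the "real IP hash table"
        self.send_count: Dict[str, int] = {}
        self.tcp_challenge: Dict[str, int] = {}  # src -> preset number we sent
        self.dns_challenge: Dict[str, str] = {}  # src -> qname answered with TC=1
        self.stats_queue = []             # packets handed to S307 traffic statistics

    def _is_auth_reply(self, p: Packet) -> bool:
        """S301: does the packet carry the preset number of a pending challenge?
        RFC 793: a host in SYN-SENT that gets a SYN-ACK with an unacceptable ACK
        replies RST with SEQ = that ACK, so the RST's seq is what is compared."""
        if p.proto == "tcp" and p.flags == "R":
            return self.tcp_challenge.get(p.src) == p.seq
        if p.proto == "dns" and p.over_tcp:
            return self.dns_challenge.get(p.src) == p.qname
        return False

    def handle(self, p: Packet) -> Optional[Packet]:
        """Process one inbound packet; returns the challenge to emit, if any."""
        if p.src in self.blacklist:
            return None
        if self._is_auth_reply(p):                      # S301: source is real
            self.real_ips.add(p.src)
            self.tcp_challenge.pop(p.src, None)
            self.dns_challenge.pop(p.src, None)
            return None
        # S302/S303 (assumption: challenge sources not yet in the table, while
        # the table has room); everything else goes to traffic statistics (S307)
        if p.src in self.real_ips or len(self.real_ips) >= self.max_real_ips:
            self.stats_queue.append(p)
            return None
        n = self.send_count[p.src] = self.send_count.get(p.src, 0) + 1
        if n <= self.preset_count:                      # S304: drop first packets
            return None
        if p.proto == "tcp" and p.flags == "S":         # S304: SYN-ACK challenge
            preset = self.tcp_challenge.setdefault(p.src, secrets.randbelow(2**32))
            return Packet("defender", "tcp", "SA", seq=secrets.randbelow(2**32), ack=preset)
        if p.proto == "dns" and not p.over_tcp:         # S305: TC=1 reply, drop query
            self.dns_challenge[p.src] = p.qname
            return Packet("defender", "dns", qname=p.qname, tc=True)
        return None

    def forged_ips(self) -> Set[str]:
        """S306: challenged sources that never produced the expected reply."""
        return (set(self.tcp_challenge) | set(self.dns_challenge)) - self.real_ips


def simulate() -> Dict[str, list]:
    """Constructed scenario: 10.0.0.5 is a real host, 203.0.113.9 is a spoofed
    address that never answers, 10.0.0.7 is a real resolver that retries over TCP."""
    auth = SpoofAuthenticator(preset_count=1)
    auth.handle(Packet("10.0.0.5", "tcp", "S", seq=1000))          # dropped (first packet)
    chal = auth.handle(Packet("10.0.0.5", "tcp", "S", seq=1000))   # retransmit -> SYN-ACK
    auth.handle(Packet("10.0.0.5", "tcp", "R", seq=chal.ack))      # real stack answers RST
    for _ in range(3):                                             # no RST ever comes back
        auth.handle(Packet("203.0.113.9", "tcp", "S", seq=7))
    auth.handle(Packet("10.0.0.7", "dns", qname="example.com."))
    reply = auth.handle(Packet("10.0.0.7", "dns", qname="example.com."))
    auth.handle(Packet("10.0.0.7", "dns", qname=reply.qname, over_tcp=True))
    return {"real": sorted(auth.real_ips), "forged": sorted(auth.forged_ips())}


if __name__ == "__main__":
    print(simulate())  # {'real': ['10.0.0.5', '10.0.0.7'], 'forged': ['203.0.113.9']}
```

Two operational caveats follow from the mechanism itself: a real host behind a stateful firewall that silently drops the unexpected SYN-ACK, or a resolver that does not fall back to TCP on a truncated answer, produces no reply and would be reported as forged; and the first-packet drop relies on the client retransmitting, so the preset count should stay small.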
Referring to fig. 4, fig. 4 is a schematic structural diagram of a system for detecting a counterfeit IP attack behavior according to an embodiment of the present application;
the system may include:
an authentication condition determining module 100, configured to determine whether a source IP of an IP data packet meets an authentication condition when it is detected that the IP data packet is a to-be-authenticated data packet;
a first packet determining module 200, configured to determine, when a source IP of an IP data packet meets an authentication condition, a number of times that the source IP sends the data packet;
and a counterfeit IP attack detection module 300, configured to detect whether a counterfeit IP attack behavior exists in a TCP authentication and/or DNS authentication manner when the sending times are greater than a preset number.
In this embodiment, whether the IP data packet is the first packet sent by its source IP is determined by counting how many times that source IP has sent packets. When the count exceeds the preset count, the source IP has already sent a certain number of packets, and whether a forged IP attack behavior exists can then be detected by TCP authentication and/or DNS authentication. Because both TCP authentication and DNS authentication require a response from the client, only a real source IP can pass them. The embodiment can therefore defend against forged IP attacks and improve detection accuracy.
Further, the system also comprises:
a packet discarding module, configured to discard the data packets of the source IP when the sending count is less than or equal to the preset count.
Further, the forged IP attack detection module comprises:
a TCP authentication unit, configured to construct a SYN-ACK packet with a preset sequence number according to the TCP SYN packet corresponding to the IP data packet when the sending count is greater than the preset count, and to discard the SYN packet;
a DNS authentication unit, configured to construct a DNS response packet with a preset mark and/or a response packet pointing to a target IP according to the DNS request packet corresponding to the data packet when the sending count is greater than the preset count, and to discard the DNS request packet;
a monitoring unit, configured to judge whether an RST packet with the preset sequence number and/or the client preset operation is detected; if not, judge that a forged IP attack behavior exists; the client preset operation comprises the DNS recheck operation corresponding to the preset mark and/or the access operation corresponding to the target IP.
Further, for the case in which the source IP of the IP data packet does not meet the authentication condition, the system further includes:
the flow characteristic counting module is used for counting the flow characteristic data of the source IP; the traffic characteristic data comprises the number of uplink and downlink traffic data packets, the number of connectivity data packets and the total number of data packets;
the ratio calculation module is used for respectively calculating a first ratio and a second ratio according to the flow characteristic data; the first ratio is the ratio of the number of the connectivity data packets to the total number of the data packets, and the second ratio is the ratio of the number of the uplink and downlink traffic data packets to the total number of the data packets;
the attack detection module is used for judging whether the first ratio is smaller than a first preset value and the second ratio is smaller than a second preset value; and if not, judging that the DDoS attack behavior is detected.
Further, the first ratio comprises the ratios of the TCP SYN packets, SYN-ACK packets, FIN packets and RST packets, respectively, to the total number of data packets;
correspondingly, the second ratio comprises the ratios of the number of uplink traffic packets and the number of downlink traffic packets of the UDP protocol and of the ICMP protocol, respectively, to the total number of data packets.
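The S307 to S309 statistics with the per-protocol breakdown just described, as an added example that is not the patent's own code. The packet records, the windows of 100 packets, the two preset values and the minimum packet count that stands in for the frequency threshold mentioned earlier in the description are all constructed.

```python
"""Per-source traffic-characteristic check modelled on S307-S309 (added example,
not the patent's code). Packet records, thresholds and window size are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PktRecord:
    proto: str        # "tcp", "udp" or "icmp"
    direction: str    # "up" = from the source IP towards the protected side
    flags: str = ""   # TCP flags: "S" SYN, "SA" SYN-ACK, "F" FIN, "R" RST, "" other


# "connectivity" packets are the TCP control segments the text lists
CONNECTIVITY = {"S": "syn", "SA": "syn_ack", "F": "fin", "R": "rst"}
UPDOWN = ("udp_up", "udp_down", "icmp_up", "icmp_down")


def ratios(packets: List[PktRecord]):
    """S307/S308: first ratio per TCP control type, second ratio per UDP/ICMP
    direction, each over the source's total packet count in the window."""
    total = len(packets)
    counts = Counter()
    for p in packets:
        if p.proto == "tcp" and p.flags in CONNECTIVITY:
            counts[CONNECTIVITY[p.flags]] += 1
        elif p.proto in ("udp", "icmp"):
            counts[f"{p.proto}_{p.direction}"] += 1
    first = {k: counts[k] / total for k in CONNECTIVITY.values()}
    second = {k: counts[k] / total for k in UPDOWN}
    return first, second


def evaluate(packets: List[PktRecord], first_preset: float = 0.5,
             second_preset: float = 0.8, min_packets: int = 20) -> dict:
    """S309 behind the frequency gate from the text: a source is only judged once
    it has sent at least min_packets in the window. The ratios are returned with
    the verdict so an operator can see which component tripped the threshold."""
    if len(packets) < min_packets:
        return {"verdict": "insufficient", "first": {}, "second": {}}
    first, second = ratios(packets)
    normal = (all(v < first_preset for v in first.values())
              and all(v < second_preset for v in second.values()))
    return {"verdict": "normal" if normal else "ddos", "first": first, "second": second}


def sample_windows() -> Dict[str, List[PktRecord]]:
    """Constructed windows of 100 packets per source IP."""
    def tcp(flags: str, n: int) -> List[PktRecord]:
        return [PktRecord("tcp", "up", flags)] * n
    return {
        "syn_flood": tcp("S", 90) + tcp("", 10),
        "web_session": tcp("S", 1) + tcp("", 98) + tcp("F", 1),
        "udp_flood": [PktRecord("udp", "up")] * 100,
        "dns_client": [PktRecord("udp", "up")] * 50 + [PktRecord("udp", "down")] * 50,
    }


if __name__ == "__main__":
    for name, window in sample_windows().items():
        print(f"{name:12s} {evaluate(window)['verdict']}")
```

Because the second ratio, as claimed, compares each direction with the source's total rather than uplink with downlink, a one-directional UDP or ICMP flood trips it while a query/response pattern with roughly balanced directions stays below the threshold; the uplink-to-downlink form mentioned in the description can be derived from the same counters.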
Further, the system also comprises:
a data packet authentication module, configured to receive the IP data packet and judge whether it is an authentication data packet; the authentication data packets are the TCP-protocol and DNS-protocol data packets that carry a preset specific sequence number;
a first processing module, configured to add the source IP of the IP data packet to the real IP hash table when the IP data packet is an authentication data packet;
a second processing module, configured to set the IP data packet as a data packet to be authenticated, and judge that a data packet to be authenticated has been detected, when the IP data packet is not an authentication data packet.
Further, the determining whether the source IP of the IP data packet meets the authentication condition includes:
judging whether a source IP of the IP data packet is in a real IP hash table or not to obtain a first judgment result;
judging whether the number of entries in the real IP hash table is smaller than a maximum preset value, to obtain a second judgment result;
judging whether the first judgment result and the second judgment result are both yes; if so, judging that the source IP meets the authentication condition; if not, the source IP is judged not to be in accordance with the authentication condition.
Since the embodiment of the system part corresponds to the embodiment of the method part, the embodiment of the system part is described with reference to the embodiment of the method part, and is not repeated here.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the electronic device may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (14)

1. A method for detecting counterfeit IP attack behavior is characterized by comprising the following steps:
when detecting that the IP data packet is a data packet to be authenticated, judging whether a source IP of the IP data packet conforms to an authentication condition;
if yes, determining the sending times of the source IP sending data packet;
when the sending times are larger than the preset times, detecting whether a forged IP attack behavior exists or not in a TCP authentication and/or DNS authentication mode;
wherein, judging whether the source IP of the IP data packet accords with the authentication condition comprises:
judging whether the source IP of the IP data packet is in a real IP hash table or not to obtain a first judgment result;
judging whether the number of entries in the real IP hash table is smaller than a maximum preset value, to obtain a second judgment result;
judging whether the first judgment result and the second judgment result are both yes; if so, judging that the source IP meets the authentication condition; if not, the source IP is judged not to be in accordance with the authentication condition.
2. The detection method according to claim 1, further comprising:
and when the sending times are less than or equal to the preset times, discarding the data packet corresponding to the source IP.
3. The detection method according to claim 1, wherein detecting whether the counterfeit IP attack behavior exists through TCP authentication and/or DNS authentication comprises:
constructing a SYN-ACK data packet with a preset sequence number according to a SYN packet of a TCP protocol corresponding to the IP data packet, and discarding the SYN packet;
constructing a response packet of a target IP and/or a DNS response packet with a preset mark according to the DNS request packet corresponding to the data packet, and discarding the DNS request packet;
judging whether an RST packet with the preset sequence number and/or the preset operation of the client is detected; if not, judging that the forged IP attack behavior exists; wherein the preset operation of the client comprises an access operation corresponding to the target IP and/or a DNS (domain name system) recheck operation corresponding to the preset mark.
4. The method according to claim 1, wherein when the source IP of the IP packet does not comply with the authentication condition, the method further comprises:
counting the flow characteristic data of the source IP; the traffic characteristic data comprises the number of uplink and downlink traffic data packets, the number of connectivity data packets and the total number of data packets;
respectively calculating a first ratio and a second ratio according to the flow characteristic data; wherein the first ratio is a ratio of the number of the connectivity packets to the total number of the packets, and the second ratio is a ratio of the number of the uplink and downlink traffic packets to the total number of the packets;
judging whether the first ratio is smaller than a first preset value and the second ratio is smaller than a second preset value; and if not, judging that the DDoS attack behavior is detected.
5. The method of claim 4, wherein the first ratio comprises the ratios of the SYN packets, SYN-ACK packets, FIN packets and RST packets of the TCP protocol, respectively, to the total number of data packets;
correspondingly, the second ratio includes a ratio of the number of uplink traffic packets of the UDP protocol and the ICMP protocol to the total number of packets, and a ratio of the number of downlink traffic packets of the UDP protocol and the ICMP protocol to the total number of packets.
6. The method according to claim 1, before determining whether the source IP of the IP packet meets the authentication condition, further comprising:
receiving the IP data packet and judging whether the IP data packet is an authentication data packet or not; the authentication data packet comprises a TCP protocol and a DNS protocol and carries a TCP data packet with a preset specific sequence number;
if so, adding a source IP corresponding to the IP data packet into a real IP hash table;
if not, setting the IP data packet as the data packet to be authenticated, and judging that the data packet to be authenticated is detected.
7. A system for detecting counterfeit IP attacks, comprising:
the authentication condition judging module is used for judging whether the source IP of the IP data packet conforms to the authentication condition or not when the IP data packet is detected to be the data packet to be authenticated;
a first packet determining module, configured to determine, when a source IP of the IP data packet conforms to an authentication condition, a number of times that the source IP sends the data packet;
the forged IP attack detection module is used for detecting whether a forged IP attack behavior exists or not in a TCP authentication and/or DNS authentication mode when the sending times are larger than the preset times;
wherein the process by which the authentication condition judging module judges whether the source IP of the IP data packet meets the authentication condition comprises: judging whether the source IP of the IP data packet is in a real IP hash table, to obtain a first judgment result; judging whether the number of entries in the real IP hash table is smaller than a maximum preset value, to obtain a second judgment result; judging whether the first judgment result and the second judgment result are both yes; if so, judging that the source IP meets the authentication condition; if not, judging that the source IP does not meet the authentication condition.
8. The detection system of claim 7, further comprising:
and the packet loss module is used for discarding the data packet corresponding to the source IP when the sending times are less than or equal to the preset times.
9. The detection system according to claim 7, wherein the spoofed IP attack detection module comprises:
a TCP authentication unit, configured to construct a SYN-ACK packet with a preset sequence number according to the SYN packet of the TCP protocol corresponding to the IP packet when the sending times is greater than the preset times, and discard the SYN packet;
a DNS authentication unit, configured to construct a response packet of a target IP and/or a DNS response packet with a preset tag according to the DNS request packet corresponding to the data packet when the sending times are greater than the preset times, and discard the DNS request packet;
a monitoring unit, configured to judge whether an RST packet with the preset sequence number and/or the preset operation of the client is detected; if not, judge that the forged IP attack behavior exists; wherein the preset operation of the client comprises an access operation corresponding to the target IP and/or a DNS (domain name system) recheck operation corresponding to the preset mark.
10. The detection system according to claim 7, wherein when the source IP of the IP packet does not comply with the authentication condition, further comprising:
the flow characteristic statistic module is used for counting the flow characteristic data of the source IP; the traffic characteristic data comprises the number of uplink and downlink traffic data packets, the number of connectivity data packets and the total number of data packets;
the ratio calculation module is used for respectively calculating a first ratio and a second ratio according to the flow characteristic data; wherein the first ratio is a ratio of the number of the connectivity packets to the total number of the packets, and the second ratio is a ratio of the number of the uplink and downlink traffic packets to the total number of the packets;
the attack detection module is used for judging whether the first ratio is smaller than a first preset value and the second ratio is smaller than a second preset value; and if not, judging that the DDoS attack behavior is detected.
11. The detection system of claim 10, wherein the first ratio comprises the ratios of the SYN packets, SYN-ACK packets, FIN packets and RST packets of the TCP protocol, respectively, to the total number of data packets;
correspondingly, the second ratio includes a ratio of the number of uplink traffic packets of the UDP protocol and the ICMP protocol to the total number of packets, and a ratio of the number of downlink traffic packets of the UDP protocol and the ICMP protocol to the total number of packets.
12. The detection system of claim 7, further comprising:
the data packet authentication module is used for receiving the IP data packet and judging whether the IP data packet is an authentication data packet or not; the authentication data packet comprises a TCP protocol and a DNS protocol and carries a TCP data packet with a preset specific sequence number;
the first processing module is used for adding a source IP corresponding to the IP data packet into a real IP hash table when the IP data packet is an authentication data packet;
and the second processing module is used for setting the IP data packet as the data packet to be authenticated and judging that the data packet to be authenticated is detected when the IP data packet is not an authentication data packet.
13. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method of detecting counterfeit IP attack behaviour according to any one of claims 1 to 6 when executing said computer program.
14. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method for detecting counterfeit IP attack behavior according to any one of claims 1 to 6.
CN201811612079.8A 2018-12-27 2018-12-27 Detection method, system and related components for forging IP attack behavior Active CN109688136B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811612079.8A CN109688136B (en) 2018-12-27 2018-12-27 Detection method, system and related components for forging IP attack behavior


Publications (2)

Publication Number Publication Date
CN109688136A CN109688136A (en) 2019-04-26
CN109688136B true CN109688136B (en) 2021-08-13

Family

ID=66190455


Country Status (1)

Country Link
CN (1) CN109688136B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110881212B (en) * 2019-12-09 2023-08-25 Oppo广东移动通信有限公司 Method and device for saving power of equipment, electronic equipment and medium
CN112953895B (en) * 2021-01-26 2022-11-22 深信服科技股份有限公司 Attack behavior detection method, device and equipment and readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101321055A (en) * 2008-06-28 2008-12-10 华为技术有限公司 Attack protection method and device
US9350758B1 (en) * 2013-09-27 2016-05-24 Emc Corporation Distributed denial of service (DDoS) honeypots
CN106357622A (en) * 2016-08-29 2017-01-25 北京工业大学 Network anomaly flow detection and defense system based on SDN (software defined networking)
CN106357660A (en) * 2016-09-29 2017-01-25 广州华多网络科技有限公司 Method and device for detecting IP (internet protocol) of spoofing source in DDOS (distributed denial of service) defense system
CN108833450A (en) * 2018-08-22 2018-11-16 网宿科技股份有限公司 A kind of realization server anti-attack method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100571994B1 (en) * 2004-03-31 2006-04-17 이화여자대학교 산학협력단 Method for detecting the source IP address spoofing packet and identifying the origin of the packet
CN102014110A (en) * 2009-09-08 2011-04-13 华为技术有限公司 Method for authenticating communication flows, communication system and protective device


Also Published As

Publication number Publication date
CN109688136A (en) 2019-04-26


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant