Disclosure of Invention
The embodiments of the invention provide a method and a system for defending against DDoS (distributed denial of service) attacks based on a router. They address the following problems of the prior art: when a device networked through a home router is hijacked as a 'broiler' (zombie host) to launch DDoS attacks to the outside, the device cannot be discovered in time; different security protection strategies cannot be applied to different devices; and the security protection strategies of the router cannot be updated intelligently and dynamically.
In order to achieve the above object, one aspect of the present invention provides a method for defending against DDoS attacks based on a router, applied to a system composed of the router, connection devices and a server, and including the following steps: the router periodically reports the device information and traffic statistics of its connection devices to the server; the server analyzes and counts the information reported by the router and judges whether a connection device is launching a DDoS attack to the outside; when it is determined that a connection device is initiating a DDoS attack to the outside, the server sends the router a packet capture instruction for the specified connection device, and the router sends the captured packets to the server; the server generates a new security protection strategy based on the attack characteristics of the packets and notifies the router to download the new security protection strategy; and the router executes the new security protection strategy to carry out attack protection.
Preferably, the server's determination of whether a connection device is initiating a DDoS attack to the outside specifically includes: judging according to the traffic statistics reported by the router to the server in the last N reporting periods; and when the traffic of the connection device exceeds a given monitoring traffic threshold in the traffic statistics of each of the last N reporting periods, judging that the connection device is initiating a DDoS attack to the outside.
Preferably, the method further includes the following steps: when the traffic of the connection device exceeds the given monitoring traffic threshold in the traffic statistics of at least N/2 of the last N reporting periods, judging that the connection device may be launching a DDoS attack to the outside; after the server sends a packet capture instruction to the router, analyzing the packets captured by the router and judging whether attack flow packets are present among them; and when attack flow packets are present, judging that the connection device is initiating a DDoS attack to the outside and instructing the router to adjust the reporting period interval of the traffic statistics to 1/2 of its original value.
Preferably, the monitoring traffic threshold of the connection device is handled as follows: when the server is initialized, an initial monitoring traffic threshold is allocated to each connection device of the router; during operation, when the server detects that the connection device has not initiated a DDoS attack to the outside in the most recent history period M, the monitoring traffic threshold of the connection device is adjusted, being updated to the average value of the traffic statistics of each reporting period within the history period M; and the server stores the updated monitoring traffic threshold of the connection device for each time period.
Preferably, the server's sending of a packet capture instruction for the specified connection device to the router specifically includes: the server sends the router an instruction to capture packets of the designated device periodically; the packet capture instruction specifies a particular connection device of the router by the MAC address of the connection device; and the packet capture instruction may comprise the MAC addresses of a plurality of connection devices of the router.
Preferably, the server's generation of the new security protection strategy from the attack characteristics of the packets captured by the router specifically includes: the new security protection strategy is used to limit the connection device that is initiating the DDoS attack to the outside; the server continuously generates and updates the new security protection strategy according to the periodic packets returned by the router; when the server detects that the traffic statistics of the designated connection device of the router no longer meet the preset fault condition, the server sends the router an instruction to stop capturing packets of the designated connection device; and if the reporting period interval of the router has been adjusted, the router is notified to restore the reporting period interval to its default value.
Another aspect provides a system for defending against DDoS attacks based on a router, including the router, the connection devices and the server; the router periodically reports the device information and traffic statistics of its connection devices to the server; the server analyzes and counts the information reported by the router and judges whether a connection device is launching a DDoS attack to the outside; when it is determined that a connection device is initiating a DDoS attack to the outside, the server sends the router a packet capture instruction for the specified connection device, and the router sends the captured packets to the server; the server generates a new security protection strategy based on the attack characteristics of the packets and notifies the router to download the new security protection strategy; and the router executes the new security protection strategy to carry out attack protection.
Preferably, the server includes: a receiving module, configured to receive the router's data-request information, the periodically reported data, and the packets captured by the router; an analysis module, configured to analyze the device information and traffic statistics reported by the router and the packets captured by the router; a storage module, configured to store the reporting period interval, the number N of consecutive judgment periods, the monitoring traffic threshold of each connection device for each time period within the operation period M, and the latest security protection strategy of the router; a judging module, configured to judge whether a connection device is initiating a DDoS attack to the outside according to the device information and traffic statistics reported by the router and the monitoring traffic threshold of the connection device, and to judge whether an attack exists according to the packets captured by the router; a strategy generation module, configured to generate a new security protection strategy according to the attack characteristics of the packets captured by the router; and a sending module, configured to send related information and instructions to the router, including a packet capture instruction for the specified connection device of the router, an instruction to adjust the reporting period interval of the router, and an instruction notifying the router to download a new security protection strategy.
Preferably, the router includes: a data receiving module, configured to receive the packet capture instruction for the specified connection device and the instruction to adjust the data reporting period interval that the server sends to the router; a data statistics module, configured to periodically collect the device information and traffic statistics of the router's connection devices; a packet capture module, configured to capture packets on the router according to the packet capture instruction received from the server; a security defense module, configured to download and execute the new security protection strategy provided by the server and to restrict, on the router, the access of the connection device that is initiating the DDoS attack to the outside; and a data sending module, configured to request the router's attribute information from the server, periodically send the device information and traffic statistics of the router's connection devices to the server, send the captured packets to the server, and download the new security protection strategy.
The method and system for defending against DDoS attacks based on a router can prevent the router's connection devices from initiating DDoS attacks at the source, and the server can dynamically update the security protection parameters of the router, thereby effectively protecting the router's connection devices from being maliciously hijacked as attack sources.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described in further detail below with reference to the accompanying drawings and the embodiments.
Fig. 1 is a schematic diagram of the system architecture of a method for defending against DDoS attacks based on a router according to an embodiment of the present invention. As shown in fig. 1, Internet of Things devices and other intelligent terminal devices in a home environment access the outside by connecting through the home router. In a real environment, besides normal traffic, a hacker may use Internet of Things devices and home networking devices as attack sources to send large amounts of attack traffic to the Internet. The invention uses the technical characteristics of the router to discover the network devices in time and collect their traffic on the network, and the router then periodically reports the traffic statistics of the devices to the server. The server judges whether a connection device of the router is initiating a DDoS attack to the outside according to the traffic statistics reported by the router and the traffic monitoring threshold of that connection device, which is determined from historical traffic data. If a DDoS attack is occurring, the server has the router capture packets so that the characteristics of the attack packets can be analyzed, and generates the corresponding security protection strategy to limit the generation of attack traffic, thereby preventing the devices from joining a botnet and participating in a DDoS attack. Therefore, installing the device of the invention on the home router can prevent equipment in the home environment from participating in DDoS attacks at the source.
Fig. 2 is a flowchart of a method for defending against DDoS attacks based on a router according to an embodiment of the present application. As shown in fig. 2, one aspect of the present invention provides a method for defending against DDoS attacks based on a router, applied to a system composed of the router, connection devices and a server, and including the following steps:
Step S201: the router periodically reports the device information and traffic statistics of its connection devices to the server.
Specifically, the router collects the device information and traffic statistics of its connection devices and periodically uploads the collected information to the server.
The device information includes basic information such as the MAC address, device type, device name and IP address of the device.
Step S202: the server analyzes and counts the information reported by the router and judges whether a connection device is launching a DDoS attack to the outside.
Specifically, the server judges according to the traffic statistics reported by the router in the last N reporting periods:
when the traffic of the connection device exceeds the given monitoring traffic threshold in the traffic statistics of each of the last N reporting periods, the connection device is judged to be initiating a DDoS attack to the outside;
when the traffic of the connection device exceeds the given monitoring traffic threshold in the traffic statistics of at least N/2 of the last N reporting periods, the connection device is judged to be possibly launching a DDoS attack to the outside;
after the server sends a packet capture instruction to the router, the packets captured by the router are analyzed to judge whether attack flow packets are present among them;
when attack flow packets are present, the connection device is judged to be initiating a DDoS attack to the outside and the router is instructed to adjust the reporting period interval of the traffic statistics to 1/2 of its original value; otherwise the connection device is judged not to be initiating a DDoS attack to the outside.
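The judgment of step S202 (and the K1 versus S1 comparison performed by the judging module in the server workflow described later), written out as an added Python example that is not code from the patent. The number N, the threshold value, the traffic figures, the two captured-packet samples and the rule used to decide that "attack flow packets are present" are all constructed assumptions; the patent text does not fix how the captured packets are classified.

```python
# Added illustration (not code from the patent): server-side judgment of whether a
# connection device is initiating a DDoS attack, from the last N reporting periods and,
# for a fuzzy result, from the packets captured by the router.
from dataclasses import dataclass
from typing import Dict, List, Optional

N = 4  # number N of consecutive judgment periods; the value is an assumption


@dataclass
class PeriodReport:
    """One reporting period from the router: outbound traffic per connection-device MAC."""
    period_id: int
    traffic_by_mac: Dict[str, int]  # bytes sent to the outside during the period


def judge_device(reports: List[PeriodReport], mac: str, threshold: int, n: int = N) -> str:
    """Compare the device's traffic K1 in each of the last n periods with its threshold S1.

    'attacking' : every one of the last n periods exceeds the threshold
    'suspected' : at least n/2 of the last n periods exceed it (fuzzy result)
    'normal'    : otherwise
    """
    recent = reports[-n:]
    if len(recent) < n:
        return "normal"  # not enough history to judge yet (assumed behaviour)
    abnormal = sum(1 for r in recent if r.traffic_by_mac.get(mac, 0) > threshold)
    if abnormal == n:
        return "attacking"
    if abnormal * 2 >= n:
        return "suspected"
    return "normal"


def is_attack_flow(packets: List[dict], dominance: float = 0.9) -> bool:
    """Assumed heuristic for 'attack flow packets are present' (the text fixes none):
    one destination receives at least `dominance` of the captured packets and those
    packets are either all bare SYNs or all carry an identical payload."""
    if not packets:
        return False
    by_dst: Dict[tuple, List[dict]] = {}
    for p in packets:
        by_dst.setdefault((p["dst_ip"], p["dst_port"], p["proto"]), []).append(p)
    _, group = max(by_dst.items(), key=lambda kv: len(kv[1]))
    if len(group) < dominance * len(packets):
        return False
    all_syn = all(p["proto"] == "tcp" and p.get("flags") == "S" for p in group)
    same_payload = len({p.get("payload", b"") for p in group}) == 1
    return all_syn or same_payload


def final_verdict(reports: List[PeriodReport], mac: str, threshold: int,
                  captured: Optional[List[dict]] = None, n: int = N) -> str:
    """Step S202 end to end: a fuzzy result is settled by the captured packets."""
    verdict = judge_device(reports, mac, threshold, n)
    if verdict != "suspected":
        return verdict
    return "attacking" if captured is not None and is_attack_flow(captured) else "normal"


# Constructed sample data: four reporting periods for three devices, threshold S1 = 4000.
DEV_A, DEV_B, DEV_C = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"
SAMPLE_REPORTS = [
    PeriodReport(1, {DEV_A: 5000, DEV_B: 5000, DEV_C: 100}),
    PeriodReport(2, {DEV_A: 6000, DEV_B: 1000, DEV_C: 200}),
    PeriodReport(3, {DEV_A: 7000, DEV_B: 6000, DEV_C: 300}),
    PeriodReport(4, {DEV_A: 8000, DEV_B: 2000, DEV_C: 400}),
]
THRESHOLD = 4000
# Constructed captures: 50 SYNs to one destination vs. ordinary traffic to five destinations.
SYN_FLOOD_CAPTURE = [{"dst_ip": "203.0.113.9", "dst_port": 80, "proto": "tcp", "flags": "S"}
                     for _ in range(50)]
NORMAL_CAPTURE = [{"dst_ip": f"198.51.100.{i % 5}", "dst_port": 443, "proto": "tcp",
                   "flags": "PA", "payload": bytes([i])} for i in range(50)]

if __name__ == "__main__":
    for mac in (DEV_A, DEV_B, DEV_C):
        print(mac, judge_device(SAMPLE_REPORTS, mac, THRESHOLD))
    print("device B after capture:", final_verdict(SAMPLE_REPORTS, DEV_B, THRESHOLD, SYN_FLOOD_CAPTURE))
```

Device A exceeds the threshold in all four periods and is judged attacking outright; device B exceeds it in two of four (N/2), so it is only suspected until the captured packets settle the question; device C stays normal. Only the suspected case consumes a capture, which keeps packet capture on the router proportional to the number of ambiguous devices.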
In the process of determining whether a connection device is initiating a DDoS attack, the monitoring traffic threshold of the connection device is an important determination criterion. How the monitoring traffic threshold of the connection device is determined and dynamically adjusted is described below with reference to fig. 3.
Step S401: when the server initializes, an initial monitoring traffic threshold is allocated to each connection device of the router, and step S402 follows;
Step S402: during operation, the server detects whether the connection device of the router has initiated a DDoS attack to the outside in the most recent history period M; if yes, the monitoring traffic threshold is kept unchanged and S402 continues to be executed; if not, step S403 is executed;
Step S403: the monitoring traffic threshold is updated to the average value of the traffic statistics of each reporting period within the history period M, and step S404 follows;
Step S404: the server stores the updated monitoring traffic threshold of the connection device for each time period.
In a preferred embodiment, when no monitoring traffic threshold yet exists for the connection devices of the router at the start, the server pre-allocates a larger monitoring traffic threshold to each connection device. Within a certain operation period M, if it is detected that the connection device has not initiated a DDoS attack to the outside, the monitoring traffic threshold can be reduced; if the connection device is suspected of a DDoS attack but analysis of the captured packets shows that no attack exists, the traffic of the connection device during operation has increased, and the monitoring traffic threshold can be raised; if a DDoS attack is detected during operation, the monitoring traffic threshold is kept unchanged. The adjusted monitoring traffic threshold equals the average value of the traffic statistics of each reporting period within the history period M.
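Steps S401 to S404 and the preferred embodiment above, as an added Python example that is not code from the patent. The initial threshold, the length of the history period M (six reporting periods), the choice to re-evaluate once per completed history period rather than on every report, and the split of thresholds by time slot are assumptions; the traffic figures are constructed.

```python
# Added illustration (not code from the patent): the server's storage of each connection
# device's monitoring traffic threshold and its adjustment after every history period M.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INITIAL_THRESHOLD = 10_000_000  # deliberately large initial value; bytes per period (assumed)
M = 6                           # history period M, taken here as six reporting periods (assumed)


@dataclass
class PeriodHistory:
    traffic: List[int] = field(default_factory=list)    # per-period traffic statistics
    attacked: List[bool] = field(default_factory=list)  # per-period DDoS judgment


class ThresholdStore:
    """Thresholds are kept per (device MAC, time slot); the time-slot split is an
    interpretation of 'the threshold of each time period' in the text."""

    def __init__(self, slots_per_day: int = 24):
        self.slots_per_day = slots_per_day
        self.thresholds: Dict[Tuple[str, int], int] = {}
        self.history: Dict[Tuple[str, int], PeriodHistory] = {}

    def init_device(self, mac: str) -> None:
        # S401: allocate the initial monitoring traffic threshold for every time slot
        for slot in range(self.slots_per_day):
            self.thresholds[(mac, slot)] = INITIAL_THRESHOLD

    def threshold(self, mac: str, slot: int) -> int:
        return self.thresholds[(mac, slot)]

    def record_period(self, mac: str, slot: int, traffic: int, attacked: bool) -> int:
        """Record one reporting period and return the (possibly updated) threshold."""
        hist = self.history.setdefault((mac, slot), PeriodHistory())
        hist.traffic.append(traffic)
        hist.attacked.append(attacked)
        current = self.thresholds[(mac, slot)]
        if len(hist.traffic) < M:
            return current  # history period M not complete yet
        # S402: keep the threshold unchanged if a DDoS attack occurred within M ...
        if not any(hist.attacked):
            # ... S403: otherwise set it to the average per-period traffic in M, which
            # lowers it for a quiet device and raises it when normal traffic has grown
            current = round(sum(hist.traffic) / M)
            self.thresholds[(mac, slot)] = current  # S404: store the updated value
        hist.traffic.clear()
        hist.attacked.clear()
        return current


def run_scenario() -> List[int]:
    """Constructed scenario for one device in one slot: quiet, then busier, then attacked."""
    store = ThresholdStore(slots_per_day=1)
    store.init_device("aa:bb:cc:00:00:01")
    out = []
    for phase in ([100, 120, 110, 130, 90, 110],      # quiet: average 110
                  [200, 220, 210, 230, 190, 210],      # higher but no attack: average 210
                  [5000, 200, 200, 200, 200, 200]):    # one attacking period inside M
        attacked = [t >= 5000 for t in phase]          # constructed judgment result
        last = store.threshold("aa:bb:cc:00:00:01", 0)
        for t, a in zip(phase, attacked):
            last = store.record_period("aa:bb:cc:00:00:01", 0, t, a)
        out.append(last)
    return out
```

Across the three phases the threshold first drops from the large initial value to 110, rises to 210 when the device's normal traffic grows without any attack, and stays at 210 when an attack falls inside the history period, matching the three cases of the preferred embodiment.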
Step S203: when it is determined that a connection device is initiating a DDoS attack to the outside, the server sends the router a packet capture instruction for the specified connection device, and the router sends the captured packets to the server.
The server sends the router a packet capture instruction for the designated device; specifically, it can send the router an instruction to capture packets of the designated connection device periodically. The packet capture instruction specifies a particular connection device of the router by the device's MAC address, and the instruction may include the MAC addresses of a plurality of the router's connection devices.
Step S204: the server generates a new security protection strategy based on the attack characteristics of the packets and notifies the router to download the new security protection strategy; the router then executes the new security protection strategy to carry out attack protection.
The server generates the new security protection strategy from the attack characteristics of the packets captured by the router, and the strategy can be limited to the device that is initiating the DDoS attack to the outside. The server continuously generates updated security protection strategies according to the periodic packets returned by the router. When the server detects that the traffic statistics of the router's designated device no longer meet the preset fault condition, it sends the router an instruction to stop capturing packets of the designated device; and if the router's reporting period interval has been adjusted, the router is notified to restore the reporting period to its default value.
In a preferred embodiment, when determining whether the connection device is initiating a DDoS attack to the outside, a fuzzy determination result means that a connection device of the router may be initiating a DDoS attack to the outside, and in this case the router needs to capture packets for further analysis and determination. If the server finds through the captured packets that attack packets exist, the attacker's attack traffic is being sent at intervals shorter than the interval at which traffic is reported to the server; at this point the server notifies the router to reduce the data reporting period interval, each adjustment setting it to 1/2 of the original value, and at the same time generates the corresponding security protection strategy according to the characteristics of the attack packets. After the router has downloaded the new security protection strategy, the server judges from the traffic statistics newly reported by the router that the attack traffic has been eliminated or limited, and then restores the router's reporting period interval to the default value.
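The server-side control of the capture instruction and the reporting period interval described in steps S203 and S204 and in the preferred embodiment above, as an added Python example that is not code from the patent. The instruction message format, the default interval of 60 seconds, the lower bound on repeated halving and the policy identifier are assumptions; verdicts are taken as given from the judging module.

```python
# Added illustration (not code from the patent): the server's control loop for the packet
# capture instruction and the router's reporting period interval. Verdicts come from the
# judging module; instruction formats and the interval values are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_INTERVAL = 60  # default reporting period interval in seconds (assumed)
MIN_INTERVAL = 5       # lower bound for repeated halving (assumed; the text gives none)


@dataclass
class RouterState:
    interval: int = DEFAULT_INTERVAL
    capturing: List[str] = field(default_factory=list)  # MACs under periodic capture
    sent: List[dict] = field(default_factory=list)      # instructions sent to the router


class CaptureController:
    def __init__(self) -> None:
        self.routers: Dict[str, RouterState] = {}

    def _send(self, st: RouterState, instruction: dict) -> None:
        st.sent.append(instruction)  # stands in for the server's sending module

    def on_verdict(self, router_id: str, mac: str, verdict: str,
                   attack_in_capture: Optional[bool] = None,
                   policy_id: str = "policy-id-placeholder") -> RouterState:
        """verdict is 'attacking', 'suspected' or 'normal'; attack_in_capture is the
        analysis result of the packets the router returned, or None if none yet."""
        st = self.routers.setdefault(router_id, RouterState())
        if verdict in ("attacking", "suspected") and mac not in st.capturing:
            st.capturing.append(mac)  # one instruction may name several MACs
            self._send(st, {"cmd": "capture", "macs": list(st.capturing), "periodic": True})
        if attack_in_capture:
            # attack traffic is sent at intervals shorter than the reporting interval,
            # so the interval is halved each time and a new strategy is pushed
            st.interval = max(MIN_INTERVAL, st.interval // 2)
            self._send(st, {"cmd": "set_interval", "seconds": st.interval})
            self._send(st, {"cmd": "download_policy", "policy_id": policy_id})
        if verdict == "normal" and mac in st.capturing:
            # statistics no longer meet the fault condition: stop capture for this device
            st.capturing.remove(mac)
            self._send(st, {"cmd": "stop_capture", "macs": [mac]})
            if not st.capturing and st.interval != DEFAULT_INTERVAL:
                st.interval = DEFAULT_INTERVAL  # restore the default reporting interval
                self._send(st, {"cmd": "set_interval", "seconds": DEFAULT_INTERVAL})
        return st


def run_scenario() -> RouterState:
    """Constructed sequence: suspected -> attack confirmed twice -> traffic back to normal."""
    ctl = CaptureController()
    ctl.on_verdict("router-1", "aa:bb:cc:00:00:02", "suspected")
    ctl.on_verdict("router-1", "aa:bb:cc:00:00:02", "suspected", attack_in_capture=True)
    ctl.on_verdict("router-1", "aa:bb:cc:00:00:02", "attacking", attack_in_capture=True)
    return ctl.on_verdict("router-1", "aa:bb:cc:00:00:02", "normal")
```

In the constructed sequence the interval goes 60 to 30 to 15 while attack packets keep appearing in the captures, and is restored to 60 only once no device on the router is still under capture. Restoring on that condition, rather than per device, avoids lengthening the interval while another device on the same router is still being watched.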
Another aspect of the present invention provides a system for defending against DDoS attacks based on a router, comprising the router, the connection devices and the server;
the router periodically reports the device information and traffic statistics of its connection devices to the server;
the server analyzes and counts the information reported by the router and judges whether a connection device is launching a DDoS attack to the outside;
when it is determined that a connection device is initiating a DDoS attack to the outside, the server sends the router a packet capture instruction for the specified connection device, and the router sends the captured packets to the server;
the server generates a new security protection strategy based on the attack characteristics of the packets and notifies the router of the new security protection strategy; and the router executes the new security protection strategy to carry out attack protection.
Specifically, the structure of the server is shown in fig. 5 and includes:
a receiving module, used to receive the router's data-request information, the periodically reported data and the packets captured by the router;
an analysis module, used to analyze the device information and traffic statistics reported by the router and the packets captured by the router;
a storage module, used to store the reporting period interval of the router, the number N of consecutive judgment periods, the monitoring traffic threshold of each connection device for each time period within the operation period M, and the latest security protection strategy of the router;
a judging module, used to judge whether a connection device is launching a DDoS attack to the outside according to the device information and traffic statistics reported by the router and the monitoring traffic threshold of the connection device, and to judge whether an attack exists according to the packets captured by the router;
a strategy generation module, which generates a new security protection strategy according to the attack characteristics of the packets captured by the router;
and a sending module, used to send related information and instructions to the router, including a packet capture instruction for the router's designated connection device, an instruction to adjust the reporting period interval of the router, and an instruction notifying the router to download a new security protection strategy.
The workflow of each module of the server is described in detail below.
First, the receiving module receives the traffic statistics periodically reported by the router and passes them to the analysis module. The analysis module extracts from this information the traffic statistics of all connection devices of the router for the time period concerned and passes them to the judging module; at the same time, the storage module stores the traffic statistics of all connection devices for that time period. The judging module compares the traffic statistic K1 of a connection device in one reporting period of the router with the monitoring traffic threshold S1 of that connection device held in the storage module; if K1 is greater than S1, the period is marked as abnormal, and if N consecutive periods are abnormal, the connection device is judged to be initiating a DDoS attack to the outside and a packet capture instruction is sent to the router through the sending module. The receiving module receives the packet data captured by the router and passes it to the analysis module; the judging module then further judges whether attack packets exist and, if so, passes them to the strategy generation module to generate a new security protection strategy. The sending module notifies the router to download the new security protection strategy, which is at the same time stored in the storage module.
The strategy generation module of the server updates several kinds of security protection strategies for the router, mainly the following:
(1) Setting the access control policy for packets.
In practical application, two different access control strategies, pass or drop, can be determined according to the five-tuple (source IP address, destination IP address, source port number, destination port number and protocol).
(2) Modifying the protection parameter thresholds for the protocol packets sent, such as SYN, ACK, HTTP and UDP packets; the unit of a protection parameter threshold can be bits per second (bps) or packets per second (pps).
(3) Setting matching rules for protocol feature fields.
In a specific implementation, for some protocols such as UDP, the payload characteristics of the UDP packets captured by the router can be analyzed by the analysis module, and when the protection strategy is configured, it can be determined whether a matched packet is dropped or passed.
(4) Setting the access rate of packets.
Rate-limit parameters are set for the sending rates of protocol packets such as SYN, ACK, HTTP, UDP and ICMP packets.
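The four kinds of strategy listed above, applied on the router to the packets of one connection device, as an added Python example that is not code from the patent. The rule representation, the evaluation order (five-tuple access control first, then feature-field matching, then the per-second bps/pps budget, which serves both (2) and (4) here), the payload signature and the packet sample are all constructed assumptions.

```python
# Added illustration (not code from the patent): a router-side enforcer for the four kinds
# of security protection strategy listed above, applied to constructed packets of one device.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str          # five-tuple
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str           # "tcp", "udp", "icmp"
    kind: str            # packet class used by the rate rules: syn, ack, http, udp, icmp
    size: int            # bytes on the wire
    payload: bytes = b""
    t: float = 0.0       # seconds since the start of the sample


@dataclass
class AclRule:
    """(1) Five-tuple access control; None in a field means wildcard."""
    action: str          # "pass" or "drop"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        for name in ("src_ip", "dst_ip", "src_port", "dst_port", "proto"):
            want = getattr(self, name)
            if want is not None and want != getattr(p, name):
                return False
        return True


@dataclass
class Policy:
    acl: List[AclRule] = field(default_factory=list)
    # (2) and (4): per packet kind, thresholds in packets per second and bits per second
    pps_limit: Dict[str, int] = field(default_factory=dict)
    bps_limit: Dict[str, int] = field(default_factory=dict)
    # (3): (packet kind, payload prefix, action) matched against the payload feature field
    feature_rules: List[Tuple[str, bytes, str]] = field(default_factory=list)


class Enforcer:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.counters: Dict[Tuple[str, int], List[int]] = {}  # (kind, second) -> [pkts, bits]

    def decide(self, p: Packet) -> str:
        for rule in self.policy.acl:                              # (1) first match wins
            if rule.matches(p):
                return rule.action
        for kind, prefix, action in self.policy.feature_rules:   # (3) feature field
            if p.kind == kind and p.payload.startswith(prefix):
                return action
        c = self.counters.setdefault((p.kind, int(p.t)), [0, 0])  # (2)/(4) per-second budget
        c[0] += 1
        c[1] += p.size * 8
        if c[0] > self.policy.pps_limit.get(p.kind, float("inf")):
            return "drop"
        if c[1] > self.policy.bps_limit.get(p.kind, float("inf")):
            return "drop"
        return "pass"


def apply_policy(policy: Policy, packets: List[Packet]) -> Dict[str, int]:
    enforcer = Enforcer(policy)
    tally = {"pass": 0, "drop": 0}
    for p in packets:
        tally[enforcer.decide(p)] += 1
    return tally


# Constructed policy and traffic for a single connection device 192.168.1.20.
SAMPLE_POLICY = Policy(
    acl=[AclRule("drop", dst_ip="203.0.113.9", dst_port=80, proto="tcp")],
    pps_limit={"syn": 10},
    bps_limit={"udp": 1_000_000},
    feature_rules=[("udp", b"\xde\xad", "drop")],  # constructed payload signature
)
SAMPLE_PACKETS = (
    [Packet("192.168.1.20", "203.0.113.9", 40000 + i, 80, "tcp", "syn", 60) for i in range(20)]
    + [Packet("192.168.1.20", "198.51.100.1", 41000 + i, 443, "tcp", "syn", 60) for i in range(30)]
    + [Packet("192.168.1.20", "198.51.100.2", 42000 + i, 53, "udp", "udp", 120, b"\xde\xad\x00")
       for i in range(5)]
    + [Packet("192.168.1.20", "198.51.100.3", 43000 + i, 53, "udp", "udp", 100, b"abc", 1.0)
       for i in range(5)]
)
```

Of the 60 constructed packets, the 20 SYNs to the access-controlled destination are dropped by rule (1), the 30 SYNs elsewhere are cut to 10 per second by rule (2)/(4), the 5 UDP packets carrying the constructed signature are dropped by rule (3), and the remaining 5 UDP packets pass. Because the enforcer keys its counters by packet kind, a rate rule for SYN packets does not throttle the device's ordinary traffic.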
Specifically, the structure of the router is shown in fig. 6 and includes:
a data receiving module, used to receive the packet capture instruction for the specified connection device and the instruction to adjust the data reporting period interval that the server sends to the router;
a data statistics module, used to periodically collect the device information and traffic statistics of the router's connection devices;
a packet capture module, used to capture packets on the router according to the packet capture instruction received from the server;
a security defense module, used to download and execute the new security protection strategy provided by the server and to restrict, on the router, the access of the connection device that is initiating the DDoS attack to the outside;
and a data sending module, used to request the router's attribute information from the server, periodically send the device information and traffic statistics of the router's connection devices to the server, send the captured packets to the server and download the new security protection strategy.
The workflow of the modules of the router is described in detail below.
The data statistics module collects basic information of the router's connection devices, such as the MAC address, device type, device name and IP address of each device; at the same time it collects the attribute information of the router itself, which comprises at least the device number, MAC address, name and IP address of the router and guarantees the uniqueness of the router across the whole server side. The server builds a corresponding router information database from the device information reported by the router. The router periodically sends the device information and traffic statistics of its connection devices to the server through the data sending module, at the reporting period interval specified by the server. After analyzing the information reported by the router, if the server judges that a connection device is launching a DDoS attack, it notifies the router to capture packets; the router receives the packet capture instruction through the data receiving module and hands it to the packet capture module, and when the capture is complete the packets are sent to the server through the data sending module. After analyzing the attack characteristics of the packets, the server generates a new security protection strategy and notifies the router to download it; the router receives the download notification through the data receiving module, its security protection module then issues a request to the server through the data sending module to download the new security protection strategy, receives the new strategy, and finally the security protection module executes the new security protection strategy on the router.
According to the method and system for defending against DDoS attacks based on a router provided by the embodiments of the invention, when the server judges that a connection device of the router is launching a DDoS attack to the outside, the protection parameters of the router can be updated dynamically in real time; the server can dynamically adjust the router's data reporting period interval and the monitoring traffic threshold of each connection device according to the running state and historical traffic data of the router's connection devices, so as to monitor more intelligently; and the server sends periodic packet capture instructions to the router and can continuously generate updated security protection strategies for the router until it detects that the router's connection device no longer meets the preset fault condition.
In conclusion, the server can intelligently and dynamically adjust the security protection strategy against continuously changing DDoS attack methods, thereby reducing manual intervention, preventing in advance the possibility that a connection device of the router becomes a 'broiler' (zombie host), and stopping DDoS attacks at the source.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail. It should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention and are not intended to limit its scope, and that any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention are included in the scope of the present invention.