
CN109889470B - A method and system for defending against DDoS attacks based on routers - Google Patents

A method and system for defending against DDoS attacks based on routers

Info

Publication number
CN109889470B
Authority
CN
China
Prior art keywords
router
server
connected device
attack
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711279446.2A
Other languages
Chinese (zh)
Other versions
CN109889470A (en)
Inventor
刘春梅
韩锐
郭志川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Xinrand Network Technology Co ltd
Institute of Acoustics CAS
Original Assignee
Institute of Acoustics CAS
Beijing Intellix Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Acoustics CAS and Beijing Intellix Technologies Co Ltd
Priority to CN201711279446.2A
Publication of CN109889470A
Application granted
Publication of CN109889470B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a router-based method and system for defending against DDoS attacks. The method is applied in a system consisting of a router, connected devices and a server, and comprises the following steps: the router periodically reports the device information and traffic statistics of its connected devices to the server; the server analyses the reported information and determines whether a connected device is launching an outbound DDoS attack; when it determines that one is, the server sends the router an instruction to capture that device's packets, and the router sends the captured packets to the server; the server generates a new security protection policy from the attack characteristics of the packets and notifies the router to download it; and the router enforces the new policy to block the attack. Through the server, the invention adjusts the security protection policy intelligently and dynamically against a constantly changing DDoS attack, and so prevents the attack from taking place.

Description

A method and system for defending against DDoS attacks based on routers

Technical field

The invention relates to the field of network security, and in particular to a router-based method and system for defending against DDoS attacks.

Background

DDoS (Distributed Denial of Service) combines many computers into an attack platform that exhausts all of the target's server resources with bogus requests, so that the service is paralysed and legitimate users cannot reach it. In the past the machines recruited as bots ("broilers", 肉鸡) were mostly personal computers and a small number of smartphones. As network security technology and user awareness have improved, the cost of such attacks has risen, and attackers have increasingly turned to IoT devices and home-network devices as new targets. Smart refrigerators, smart cameras, smart gateways and similar household devices are typically online around the clock and weakly secured, so they are easily turned into bots in a botnet and used for large-scale DDoS attacks.

In a home network the home router is the first hop for IoT devices and smart terminals, and therefore the best vantage point for observing what those devices are doing. If attack traffic sent by a device can be detected and limited on the router in time, the device can be stopped from participating in a DDoS attack at the source.

Existing DDoS countermeasures on home routers are generally local: for example, manually configuring access control lists in the router's default firewall, or monitoring local traffic and, when the total volume exceeds a preset trigger condition, concluding that the network is participating in a DDoS attack and applying rate limiting or throttling. These approaches have shortcomings. Manual configuration lags badly behind a DDoS attack and cannot respond in time to one that changes dynamically; a total-traffic threshold cannot distinguish between device types or be adjusted dynamically, so it can wrongly restrict the network access of some devices. How to prevent outbound DDoS attacks at the home router therefore calls for further analysis and study.

Summary of the invention

Embodiments of the present invention provide a router-based method and system for defending against DDoS attacks. They address three problems in the prior art: a device that connects through a home router and is hijacked as a bot for outbound DDoS attacks cannot be detected in time; different security protection policies cannot be applied to different devices; and the router's security protection policy cannot be updated intelligently and dynamically.

To this end, one aspect of the invention provides a router-based method for defending against DDoS attacks, applied in a system consisting of a router, connected devices and a server, comprising the following steps: the router periodically reports the device information and traffic statistics of its connected devices to the server; the server analyses the reported information and determines whether a connected device is launching an outbound DDoS attack; when it determines that a connected device is doing so, the server sends the router an instruction to capture that device's packets, and the router sends the captured packets to the server; the server generates a new security protection policy from the attack characteristics of those packets and notifies the router to download it; and the router enforces the new policy to block the attack.

Preferably, the determination of whether a connected device is launching an outbound DDoS attack is made on the traffic statistics the router reported to the server in the last N reporting periods: if the device's traffic exceeded its given monitoring traffic threshold in every one of the last N periods, the device is judged to be launching an outbound DDoS attack.

Preferably, the method further comprises: if the device's traffic exceeded the given monitoring traffic threshold in at least N/2 of the last N reporting periods, the device is judged to be possibly launching an outbound DDoS attack; after sending the packet-capture instruction to the router, the server analyses the captured packets to determine whether they contain attack traffic; if they do, the device is judged to be launching an outbound DDoS attack and the router is told to halve its traffic-statistics reporting interval.

Preferably, the monitoring traffic threshold of a connected device is handled as follows: at initialisation the server assigns each of the router's connected devices an initial monitoring traffic threshold; during operation, when the server finds that a device has launched no outbound DDoS attack throughout the most recent history period M, it adjusts that device's threshold, updating it to the average of the statistics over the reporting-period windows within M; and the server stores the updated thresholds of the device for each time period.

Preferably, the server's packet-capture instruction to the router is an instruction to capture the specified device's packets periodically; the instruction identifies the router's connected device by its MAC address, and may carry the MAC addresses of several of the router's connected devices.

Preferably, the server's handling of the attack characteristics of the captured packets comprises: the new security protection policy is restricted to the connected device that is launching the outbound DDoS attack; the server keeps generating updated policies from the packets the router returns periodically; when the server subsequently finds that the specified device's traffic statistics no longer meet the preset anomaly condition, it sends the router an instruction to stop capturing that device's packets; and if the router's reporting interval was adjusted, the server tells it to restore the default value.

Another aspect provides a router-based system for defending against DDoS attacks, consisting of a router, connected devices and a server: the router periodically reports the device information and traffic statistics of its connected devices to the server; the server analyses the reported information and determines whether a connected device is launching an outbound DDoS attack; when it determines that a connected device is doing so, the server sends the router an instruction to capture that device's packets, and the router sends the captured packets to the server; the server generates a new security protection policy from the attack characteristics of the packets and notifies the router to download it; and the router enforces the new policy to block the attack.

Preferably, the server comprises: a receiving module for receiving the router's data-request information, its periodically reported data and the packets it captures; an analysis module for analysing the device information and traffic statistics reported by the router and the packets it captures; a storage module for storing the router's reporting interval, the number N of consecutive judgement periods, the monitoring traffic threshold of each connected device for each time period within the operating period M, and the router's latest security protection policy; a judgement module for determining, from the reported device information and traffic statistics and the device's monitoring traffic threshold, whether a connected device is launching an outbound DDoS attack, and for determining from the captured packets whether an attack is present; a policy generation module that generates a new security protection policy from the attack characteristics of the captured packets; and a sending module for sending information and instructions to the router, including the instruction to capture a specified connected device's packets, the instruction to adjust the router's reporting interval and the notification to download a new security protection policy.

Preferably, the router comprises: a data receiving module for receiving the server's instructions to capture a specified connected device's packets and to adjust the data reporting interval; a data statistics module for periodically collecting the device information and traffic statistics of the router's connected devices; a packet capture module for capturing packets on the router according to the capture instruction received from the server; a security defence module for downloading and enforcing the new security protection policy issued by the server, restricting the access of the connected device that is launching the outbound DDoS attack; and a data sending module for requesting the router's attribute information from the server, periodically sending the connected devices' device information and traffic statistics to the server, sending captured packets to the server and downloading the new security protection policy.

The router-based method and system for defending against DDoS attacks provided by the embodiments of the invention can stop the router's connected devices from launching outbound DDoS attacks at the source; the server can dynamically update the router's security protection parameters, effectively protecting connected devices from being hijacked as attack sources.

Brief description of the drawings

To explain the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.

Figure 1 is a schematic diagram of the system architecture for the router-based method of defending against DDoS attacks according to an embodiment of the invention;

Figure 2 is a flowchart of the router-based method of defending against DDoS attacks according to an embodiment of the application;

Figure 3 is a flowchart of the server determining whether a device connected to the router is launching an outbound DDoS attack, according to an embodiment of the application;

Figure 4 is a flowchart of the server dynamically adjusting the monitoring traffic threshold of a device connected to the router, according to an embodiment of the application;

Figure 5 is a block diagram of the server for router-based defence against DDoS attacks, according to an embodiment of the application;

Figure 6 is a block diagram of the router for router-based defence against DDoS attacks, according to an embodiment of the application.

Detailed description

To make the technical solutions and advantages of the embodiments clearer, the technical solutions of the invention are described in further detail below with reference to the drawings and embodiments.

Figure 1 is a schematic diagram of the system architecture for the router-based method of defending against DDoS attacks. As shown in Figure 1, the IoT devices and other smart terminals in a home reach the outside through the home router. In practice, besides normal traffic, attackers frequently use IoT and home-network devices as attack sources that send large volumes of attack traffic to the Internet. The invention exploits the router's position: it can promptly discover the devices on the network and collect their traffic, and it periodically reports per-device traffic statistics to the server. The server then compares the reported statistics with each device's traffic monitoring threshold, which is derived from historical traffic data, to determine whether a connected device is launching an outbound DDoS attack. If it concludes that one is, the server has the router capture packets, analyses the characteristics of the attack packets and generates a corresponding security protection policy that limits the generation of attack traffic, stopping the device from joining a botnet and taking part in a DDoS attack in time. Installing the apparatus of the invention on a home router therefore prevents devices in the home from participating in DDoS attacks at the source.

Figure 2 is a flowchart of the router-based method of defending against DDoS attacks according to an embodiment of the application. As shown in Figure 2, one aspect of the invention provides a router-based method for defending against DDoS attacks, applied in a system consisting of a router, connected devices and a server, comprising the following steps:

Step S201: the router periodically reports the device information and traffic statistics of its connected devices to the server.

Specifically, the router collects the device information and traffic statistics of its connected devices and periodically uploads the collected information to the server.

The device information includes basic information such as MAC address, device type, device name and IP address.

Step S202: the server analyses the information reported by the router and determines whether a connected device is launching an outbound DDoS attack.

Specifically, the determination is made on the traffic statistics the router reported to the server in the last N reporting periods:

if the device's traffic exceeded its given monitoring traffic threshold in every one of the last N reporting periods, the device is judged to be launching an outbound DDoS attack;

if the device's traffic exceeded the given monitoring traffic threshold in at least N/2 of the last N reporting periods, the device is judged to be possibly launching an outbound DDoS attack;

after sending the packet-capture instruction to the router, the server analyses the captured packets to determine whether they contain attack traffic;

if the captured packets contain attack traffic, the device is judged to be launching an outbound DDoS attack and the router is told to halve its traffic-statistics reporting interval; otherwise the device is judged not to be launching an outbound DDoS attack.

In the invention's determination of whether a connected device is launching an outbound DDoS attack, the device's monitoring traffic threshold is an important basis for the judgement. How the server sets that threshold and adjusts it dynamically is described below with reference to Figure 4.

Step S401: at initialisation the server assigns each of the router's connected devices an initial monitoring traffic threshold, then proceeds to step S402;

Step S402: during operation the server checks whether a device connected to the router has launched an outbound DDoS attack within the most recent history period M; if so, the monitoring traffic threshold is left unchanged and S402 continues; if not, step S403 is executed;

Step S403: the monitoring traffic threshold is updated to the average of the statistics over the reporting-period windows within the history period M, then proceed to step S404;

Step S404: the server stores the updated monitoring traffic thresholds of the connected device for each time period.

In a preferred embodiment, when the server initially has no monitoring traffic thresholds for the router's connected devices, it pre-assigns each device a relatively large threshold. After the system has run for a period M: if a device is found to have launched no outbound DDoS attack, its threshold can be lowered; if a device was judged to be possibly attacking but packet capture and analysis found no attack, the device's traffic has simply grown during operation and its threshold can be raised; if a DDoS attack was detected during operation, the threshold is left unchanged. In each case the adjusted threshold equals the average of the statistics over the reporting-period windows in the history period M.
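The judgement rules of step S202 (exceedance in all N periods, or in at least N/2 of them) together with the threshold handling of steps S401 to S404 and the reporting-interval halving, written out as a server-side Python class. This is an added illustration, not code from the patent; the class and method names, the per-time-slot layout of the thresholds, the concrete values of N and M, the reporting interval in seconds and the traffic figures used below are all assumptions.

```python
from collections import deque


class DeviceMonitor:
    """Server-side judgement state for one connected device (one instance per MAC).

    Added illustration of the patent's rules; the class layout, the time-of-day
    slots and every number are assumptions rather than values from the patent.
    """

    def __init__(self, n_periods=4, m_periods=8, slots=24,
                 initial_threshold=10_000, report_interval=60):
        self.n = n_periods                       # N consecutive judgement periods
        self.m = m_periods                       # history window M for threshold updates
        self.default_interval = report_interval  # router reporting interval, seconds
        self.report_interval = report_interval
        # One monitoring traffic threshold (bytes per period) per time slot, e.g. per hour.
        self.threshold = [float(initial_threshold)] * slots
        self.recent = deque(maxlen=n_periods)    # did each of the last N periods exceed?
        self.history = []                        # (slot, tx_bytes) for the current window M
        self.attack_in_window = False

    def report(self, slot, tx_bytes):
        """Consume one reporting period; return 'normal', 'suspect' or 'attack'."""
        self.recent.append(tx_bytes > self.threshold[slot])
        self.history.append((slot, tx_bytes))
        verdict = self._judge()
        if verdict == "attack":
            self.attack_in_window = True
        if len(self.history) >= self.m:
            # End of window M: move thresholds to the observed averages only if
            # the device stayed clean for the whole window (steps S402/S403).
            if not self.attack_in_window:
                self._set_thresholds_to_history_average()
            self.history.clear()
            self.attack_in_window = False
        return verdict

    def _judge(self):
        if len(self.recent) < self.n:
            return "normal"                  # not enough periods observed yet
        over = sum(self.recent)
        if over == self.n:
            return "attack"                  # every one of the last N periods exceeded
        if 2 * over >= self.n:
            return "suspect"                 # at least N/2 exceeded: ask for a capture
        return "normal"

    def _set_thresholds_to_history_average(self):
        per_slot = {}
        for slot, tx in self.history:
            per_slot.setdefault(slot, []).append(tx)
        for slot, values in per_slot.items():
            self.threshold[slot] = sum(values) / len(values)

    def resolve_capture(self, attack_packets_found):
        """Apply the result of the packet capture requested for a 'suspect' device."""
        if attack_packets_found:
            self.attack_in_window = True
            # Attack packets arrive faster than the reporting period: halve it.
            self.report_interval = max(1, self.report_interval // 2)
            return "attack"
        # Capture shows legitimate traffic that has grown: raise the thresholds
        # to the observed averages so the device is not throttled.
        self._set_thresholds_to_history_average()
        return "normal"

    def attack_cleared(self):
        """Statistics are back under threshold: stop capture, restore the interval."""
        self.report_interval = self.default_interval
```

One caveat a practitioner should keep in mind: once a threshold has been lowered to the plain average of a clean window, ordinary variation pushes roughly half of the following periods above it, so the N/2 "suspect" rule fires often and the packet capture ends up doing most of the real work. Adding a margin to the average, or using a high percentile of the window instead, keeps the threshold meaningful while preserving the patent's adapt-downwards behaviour.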

Step S203: when it determines that a connected device is launching an outbound DDoS attack, the server sends the router an instruction to capture the specified device's packets, and the router sends the captured packets to the server.

The server's packet-capture instruction may be an instruction to capture the specified connected device's packets periodically. The instruction identifies the router's connected device by its MAC address and may list the MAC addresses of several connected devices.

Step S204: the server generates a new security protection policy from the attack characteristics of the packets and notifies the router to download it; the router enforces the new policy to block the attack.

From the attack characteristics of the packets captured by the router, the server generates a new security protection policy, which may be restricted to the device that is launching the outbound DDoS attack; from the periodic packets the router returns it keeps generating updated policies; when the server subsequently finds that the specified device's traffic statistics no longer meet the preset anomaly condition, it sends the router an instruction to stop capturing that device's packets, and if the router's reporting interval was adjusted, it tells the router to restore the default value.

In a preferred embodiment, when the judgement of whether a connected device is launching an outbound DDoS attack is only a fuzzy one, i.e. the device may be launching an attack, packet capture on the router is needed to settle it. If the server's analysis of the captured packets finds attack packets, the attacker's sending interval is shorter than the current reporting interval, so the server tells the router to shorten the reporting interval, halving it on each adjustment, while at the same time generating a security protection policy from the characteristics of the attack packets. Once the router has downloaded the new policy and the newly reported traffic statistics show that the attack traffic has been eliminated or limited, the server restores the router's reporting interval to the default.
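Steps S203 and S204 leave open which "attack characteristics" are extracted from the capture and what form the policy takes. The following added example (not the patent's code) shows one workable choice: the server takes the packets the router captured for one MAC, looks for a single protocol/port flow that dominates the capture at a high packet rate, and renders the policy as nftables rules that match only that MAC, so the restriction stays scoped to the attacking device as the patent requires. The capture is constructed inline; the packet field names, the flow-share and packet-rate cut-offs, the table and chain names and the allowed rate are assumptions.

```python
from collections import Counter


def constructed_capture(mac="aa:bb:cc:dd:ee:01"):
    """Constructed sample capture for one device: about two seconds of a UDP/53
    flood toward a single target, mixed with a little ordinary HTTPS traffic.
    Field names are assumptions; the patent does not fix a capture format."""
    pkts = [{"ts": i / 1000.0, "src_mac": mac, "dst_ip": "203.0.113.7",
             "proto": "udp", "dst_port": 53, "len": 60} for i in range(2000)]
    pkts += [{"ts": i / 10.0, "src_mac": mac, "dst_ip": "198.51.100.10",
              "proto": "tcp", "dst_port": 443, "len": 900} for i in range(20)]
    return pkts


def find_attack_signature(packets, min_share=0.8, min_pps=500):
    """Return the dominant (proto, dst_port) flow of a device's capture as the
    attack signature when it holds at least min_share of the packets and runs at
    min_pps or more; return None when the capture looks like normal traffic."""
    if not packets:
        return None
    by_flow = Counter((p["proto"], p["dst_port"]) for p in packets)
    (proto, port), count = by_flow.most_common(1)[0]
    share = count / len(packets)
    flow = [p for p in packets if (p["proto"], p["dst_port"]) == (proto, port)]
    duration = max(p["ts"] for p in flow) - min(p["ts"] for p in flow)
    pps = count / duration if duration > 0 else float(count)
    if share < min_share or pps < min_pps:
        return None
    top_dst, hits = Counter(p["dst_ip"] for p in flow).most_common(1)[0]
    return {"proto": proto, "dst_port": port, "share": share, "pps": pps,
            "top_dst": top_dst, "top_dst_share": hits / count}


def build_policy(mac, sig, allowed_pps=20, table="inet home", chain="forward"):
    """Render the new protection policy as nftables rules that match only the
    attacking MAC, so other devices behind the router are unaffected."""
    rules = [
        f"add rule {table} {chain} ether saddr {mac} {sig['proto']} dport "
        f"{sig['dst_port']} limit rate over {allowed_pps}/second drop"
    ]
    if sig["top_dst_share"] >= 0.9:
        # Nearly all of the flow hits one IPv4 target: drop that flow outright.
        rules.insert(0, f"add rule {table} {chain} ether saddr {mac} ip daddr "
                        f"{sig['top_dst']} {sig['proto']} dport {sig['dst_port']} drop")
    return rules


if __name__ == "__main__":
    capture = constructed_capture()
    signature = find_attack_signature(capture)
    if signature is None:
        print("capture looks benign; no policy change")
    else:
        for rule in build_policy(capture[0]["src_mac"], signature):
            print(rule)
```

The rate-limit rule rather than a plain drop is deliberate: it keeps the device's legitimate use of the same port working at a low rate, which matters for the "raise the threshold when the capture turns out to be clean" path, and the stop-capture step of S204 can remove the rules again once the reported statistics fall back under threshold.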

本发明另一方面提供了一种基于路由器防御DDoS攻击的系统,包括:路由器、连接设备和服务端构成;Another aspect of the present invention provides a system for defending against DDoS attacks based on a router, comprising: a router, a connection device and a server;

路由器将连接设备的设备信息和流量统计信息周期性地上报给服务端;The router periodically reports the device information and traffic statistics of the connected device to the server;

服务端对路由器上报的信息进行数据分析和统计,判断连接设备是否在对外发起DDoS攻击;The server performs data analysis and statistics on the information reported by the router, and determines whether the connected device is launching a DDoS attack externally;

当判定有连接设备正在对外发起DDoS攻击时,服务端向路由器发送抓取指定连接设备的报文指令,路由器将抓取的报文发送给服务端;When it is determined that a connected device is launching a DDoS attack, the server sends a packet command to the router to capture the specified connected device, and the router sends the captured packet to the server;

服务端基于报文的攻击特征,生成新的安全防护策略并通知路由器所述新的安全防护策略;路由器执行新的安全防护策略进行攻击防护。Based on the attack characteristics of the message, the server generates a new security protection strategy and notifies the router of the new security protection strategy; the router executes the new security protection strategy for attack protection.

Specifically, the server is composed as shown in Figure 5 and includes:

a receiving module, which receives the router's data-request information, the periodically reported data and the packets captured by the router;

an analysis module, which analyses the device information and traffic statistics reported by the router and the packets the router captured;

a storage module, which stores the router's reporting interval, the number N of consecutive judgement periods, the monitored traffic threshold of each connected device for each time slot of the operating period M, and the router's latest security protection policy;

a judging module, which judges from the reported device information, the traffic statistics and the connected device's monitored traffic threshold whether the connected device is launching a DDoS attack, and judges from the captured packets whether an attack is present;

a policy generation module, which generates a new security protection policy from the attack characteristics of the captured packets;

a sending module, which sends information and instructions to the router, including the instruction to capture the packets of a specified connected device, the instruction to adjust the router's reporting interval, and the notification to download a new security protection policy.

The following embodiment describes the workflow of the server's modules.

First, the receiving module receives the traffic statistics the router reports each period and hands them to the analysis module, which extracts the traffic statistic of each connected device for the period in question and passes it to the judging module; at the same time the storage module stores these per-device, per-period statistics. The judging module compares the device's traffic statistic K1 for the reported period with the device's monitored traffic threshold S1 held in the storage module: if K1 is greater than S1 the period is marked abnormal, and if N consecutive periods are abnormal the connected device is judged to be launching a DDoS attack, whereupon the sending module sends the router a packet-capture instruction. When the receiving module receives the captured packets from the router it hands them to the analysis module; the judging module then determines whether attack packets are present, and if so the policy generation module generates a new security protection policy, the sending module notifies the router to download it, and the new policy is also saved in the storage module.
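The detection logic of the workflow above, in the form claim 1 spells out (N consecutive abnormal periods, the N/2 "possible attack" rule, halving the reporting interval once attack packets are confirmed, adapting the threshold to the average over the historical period M, and stopping capture and restoring the interval once the device is normal again), as an added Python example. This is not code from the patent: it collapses the per-time-slot threshold table to a single threshold per device, identifies devices by MAC, and uses illustrative values for N, M, the initial threshold and the reporting interval.

```python
"""Server-side detection loop for the router/server scheme above.

Added example, not the patent's code. One traffic sample K1 per reporting period
per connected device (identified by MAC); N, M, the initial threshold S1 and the
reporting interval are illustrative. The patent's per-time-slot threshold table
is collapsed to one threshold per device.
"""
from collections import deque
from statistics import mean


class DeviceState:
    """What the storage module keeps for one connected device."""

    def __init__(self, threshold, n, m):
        self.threshold = threshold              # S1: monitored traffic threshold
        self.window = deque(maxlen=n)           # abnormal flags, last N periods
        self.history = deque(maxlen=m)          # K1 samples, last M periods
        self.attack_flags = deque(maxlen=m)     # "judged attacking" flags, last M periods
        self.capturing = False                  # router has been told to capture this device


class DdosServer:
    def __init__(self, n=3, m=6, init_threshold=1000.0, default_interval=60):
        self.n, self.m = n, m
        self.init_threshold = init_threshold    # assigned to every device at initialisation
        self.default_interval = default_interval
        self.interval = default_interval        # current reporting interval (seconds)
        self.devices = {}

    def _dev(self, mac):
        if mac not in self.devices:
            self.devices[mac] = DeviceState(self.init_threshold, self.n, self.m)
        return self.devices[mac]

    def report(self, mac, k1):
        """Handle one periodic report: traffic K1 of device `mac` in this period.

        Returns (verdict, commands). verdict is "normal", "suspect" (abnormal in at
        least N/2 of the last N periods) or "attack" (abnormal in all N); commands
        are (name, argument) pairs the sending module would deliver to the router.
        """
        d = self._dev(mac)
        d.window.append(k1 > d.threshold)       # K1 > S1 marks the period abnormal
        d.history.append(k1)
        abnormal, full = sum(d.window), len(d.window) == self.n
        if full and abnormal == self.n:
            verdict = "attack"
        elif full and 2 * abnormal >= self.n:
            verdict = "suspect"
        else:
            verdict = "normal"
        d.attack_flags.append(verdict == "attack")
        cmds = []
        if verdict == "attack" and not d.capturing:
            d.capturing = True
            cmds.append(("capture", mac))       # router captures this MAC periodically
        elif verdict == "normal" and d.capturing:
            # device no longer meets the fault condition: stop capture, restore interval
            d.capturing = False
            cmds.append(("stop_capture", mac))
            if self.interval != self.default_interval:
                self.interval = self.default_interval
                cmds.append(("set_interval", self.interval))
        if len(d.history) == self.m and not any(d.attack_flags):
            # no attack in the last M periods: threshold becomes the M-period average,
            # exactly as claimed; a deployment would add headroom above the mean here
            d.threshold = mean(d.history)
        return verdict, cmds

    def capture_result(self, mac, attack_packets):
        """Outcome of analysing the captured packets: `attack_packets` is how many the
        judging module classified as attack traffic. Confirms the attack, halves the
        reporting interval and hands the device on to policy generation."""
        if attack_packets == 0:
            return []
        self.interval //= 2
        return [("set_interval", self.interval), ("policy", mac)]


if __name__ == "__main__":
    srv = DdosServer()
    bot = "aa:bb:cc:dd:ee:01"
    for k1 in (100, 200, 150, 1200, 1300, 1400):       # constructed samples
        print(k1, *srv.report(bot, k1))
    print("capture:", srv.capture_result(bot, 5))
    for k1 in (50, 60, 70, 80, 90, 100):
        print(k1, *srv.report(bot, k1))
    print("adapted threshold:", srv.devices[bot].threshold)
```

The plain M-period average that the claims prescribe is a tight threshold: once traffic is steady, roughly half of all normal periods exceed it, so a deployment would set the threshold some margin above the mean (a multiple of it, or mean plus a few standard deviations); the example keeps the patent's rule and marks that spot with a comment.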

The server's policy generation module can update many kinds of security protection policy on the router; the main ones are listed below:

(1) Access control policy for packets

In practice, based on the five-tuple (source IP address, destination IP address, source port, destination port, protocol), one of two access control actions, permit or drop, is chosen;

(2) Adjusting the protection parameter thresholds for SYN, ACK, HTTP, UDP and other protocol packets sent by the device, where the threshold may be expressed in bits per second (bps) or in packets per second (pps);

(3) Matching rules on protocol feature fields

In a concrete implementation, for certain protocols such as UDP, the analysis module can extract payload characteristics of the UDP packets captured by the router, and the protection policy can then specify whether packets matching those characteristics are dropped or passed.

(4) Access rate for packets

Setting rate-limiting parameters on the sending rate of SYN, ACK, HTTP, UDP, ICMP and other protocol packets.
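The four policy kinds above, together with the capture analysis that feeds them, as an added Python example. This is not code from the patent: it parses constructed Ethernet II/IPv4 frames standing in for the packets the router returns for a flagged device, derives the dominant five-tuple, the SYN count and a UDP payload signature (the longest common payload prefix), and renders the policy as iptables rules on the router's FORWARD chain scoped to the device's MAC. The frames, addresses, MAC, rate limits and the choice of iptables as the policy encoding are all assumptions of the example.

```python
"""Capture analysis and policy generation for the scheme described above.
Added example, not the patent's code: constructed frames stand in for a flagged
device's captured packets; addresses, limits and the iptables encoding of the
policy are assumptions of this example."""
import socket
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame):
    """Minimal Ethernet II + IPv4 + UDP/TCP/ICMP parser; None for non-IPv4 frames."""
    _dst, src, ethtype = struct.unpack("!6s6sH", frame[:14])
    if ethtype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    rec = {"src_mac": mac_str(src), "src_ip": socket.inet_ntoa(frame[26:30]),
           "dst_ip": socket.inet_ntoa(frame[30:34]), "proto": proto,
           "sport": None, "dport": None, "tcp_flags": 0, "payload": b""}
    if proto == 17:                                           # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        rec.update(sport=sport, dport=dport, payload=l4[8:ulen])
    elif proto == 6:                                          # TCP
        sport, dport, _, _, off_flags = struct.unpack("!HHIIH", l4[:14])
        rec.update(sport=sport, dport=dport, tcp_flags=off_flags & 0x1FF,
                   payload=l4[(off_flags >> 12) * 4:])
    elif proto == 1:                                          # ICMP: 8-byte header
        rec.update(payload=l4[8:])
    return rec


def common_prefix(chunks):
    """Longest common byte prefix of the captured payloads: the protocol feature field."""
    n = 0
    while chunks and n < min(map(len, chunks)) and len({c[n] for c in chunks}) == 1:
        n += 1
    return chunks[0][:n] if chunks else b""


def attack_features(frames, mac):
    """Attack characteristics of the captured frames that device `mac` sent."""
    recs = [r for r in map(parse_frame, frames) if r and r["src_mac"] == mac]
    flows = Counter((r["src_ip"], r["dst_ip"], r["proto"], r["sport"], r["dport"]) for r in recs)
    return {
        "top_flow": flows.most_common(1)[0],                  # ((five-tuple), packet count)
        "syn_count": sum(1 for r in recs if r["proto"] == 6 and r["tcp_flags"] & (SYN | ACK) == SYN),
        "udp_signature": common_prefix([r["payload"] for r in recs if r["proto"] == 17 and r["payload"]]),
    }


def render_policy(mac, feats, pps_limit=100, bps_limit=1_000_000):
    """The patent's four policy kinds as iptables rules scoped to the attacking device's MAC."""
    base = f"iptables -I FORWARD -m mac --mac-source {mac}"
    tag = mac.replace(":", "")[-6:]                           # hashlimit names must be short
    (sip, dip, proto, sport, dport), _count = feats["top_flow"]
    pname = {1: "icmp", 6: "tcp", 17: "udp"}[proto]
    ports = f" --sport {sport} --dport {dport}" if sport is not None else ""
    rules = [f"{base} -s {sip} -d {dip} -p {pname}{ports} -j DROP"]   # (1) five-tuple ACL
    if feats["udp_signature"]:                                         # (3) feature-field match
        rules.append(f"{base} -p udp -m string --algo bm --from 28 "
                     f"--hex-string '|{feats['udp_signature'].hex()}|' -j DROP")
    if feats["syn_count"]:                                             # (2) SYN threshold, pps
        rules.append(f"{base} -p tcp --syn -m hashlimit --hashlimit-name syn{tag} "
                     f"--hashlimit-mode srcip --hashlimit-above {pps_limit}/second -j DROP")
    # (4) overall rate limit; hashlimit counts bytes, so a bit rate is divided by 8
    rules.append(f"{base} -m hashlimit --hashlimit-name bps{tag} --hashlimit-mode srcip "
                 f"--hashlimit-above {bps_limit // 8}b/second -j DROP")
    return rules


def build_frame(src_mac, src_ip, dst_ip, proto, sport, dport, payload=b"", tcp_flags=SYN):
    """Constructed sample frame (not captured traffic) for the demo below; UDP or TCP."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | tcp_flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return mac_bytes("00:11:22:33:44:55") + mac_bytes(src_mac) + b"\x08\x00" + ip + l4


def demo():
    """A flagged device's captured frames plus one innocent neighbour, all constructed."""
    bot, lan_ip = "aa:bb:cc:dd:ee:01", "192.168.1.23"
    signature = bytes.fromhex("123401000001")                 # constructed UDP payload prefix
    frames = [build_frame(bot, lan_ip, "203.0.113.10", 17, 40000, 53, signature + bytes([i]))
              for i in range(5)]
    frames += [build_frame(bot, lan_ip, "203.0.113.20", 6, 50000 + i, 80) for i in range(3)]
    frames.append(build_frame("aa:bb:cc:dd:ee:02", "192.168.1.24", "203.0.113.10", 17, 40001, 53, b"x"))
    feats = attack_features(frames, bot)
    return feats, render_policy(bot, feats)


if __name__ == "__main__":
    for rule in demo()[1]:
        print(rule)
```

Running the block prints the four rules. The string match starts at offset 28 so that the signature is sought only in the UDP payload behind standard-length headers, and hashlimit's byte-rate syntax carries the bps threshold; the patent fixes no rule language, so a router using nftables or a vendor ACL would encode the same five-tuple, threshold and feature-field decisions differently.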

Specifically, the router is composed as shown in Figure 6 and includes:

a data receiving module, which receives the instruction to capture the packets of a specified connected device and the instruction to adjust the reporting interval that the server sends to the router;

a data statistics module, which periodically collects the device information and traffic statistics of the devices connected to the router;

a packet capture module, which captures packets on the router according to the capture instruction received from the server;

a security defense module, which downloads and executes the new security protection policy issued by the server, restricting the access of the connected device that is launching the DDoS attack through the router;

a data sending module, which requests the router's attribute information from the server, periodically sends the device information and traffic statistics of the router's connected devices to the server, sends the captured packets to the server, and downloads new security protection policies.

The following embodiment describes the workflow of the router's modules.

The data statistics module collects basic information about the router's connected devices, including MAC address, device type, device name and IP address; it also collects the router's own attribute information, at least the router's device number, MAC address, name and IP address, which guarantees that the router is unique across the whole server. From the reported device information the server builds a corresponding router information database. At the reporting interval specified by the server, the router sends the device information and traffic statistics of its connected devices to the server through the data sending module. If, after analysing the reports, the server judges that a connected device is sending a DDoS attack, it instructs the router to capture packets; the router receives the capture instruction through the data receiving module and hands it to the packet capture module, and once capture is complete the packets are sent to the server through the data sending module. The server analyses the attack characteristics of the packets, generates a new security protection policy and notifies the router to download it; the router receives the download notification through the data receiving module, its security defense module requests the new policy from the server through the data sending module and receives it, and finally the security defense module executes the new policy on the router.

With the router-based method and system for defending against DDoS attacks provided by the embodiments of the invention, when the server judges that a device connected to the router is sending a DDoS attack it can dynamically update the router's protection parameters in real time; from the running state and historical traffic data of the connected devices, the server can dynamically adjust the router's reporting interval and the devices' monitored traffic thresholds, making monitoring more intelligent; and by sending the router periodic packet-capture instructions it can keep generating updated security protection policies for the router until it detects that the connected device no longer satisfies the preset fault condition.

In summary, the server can intelligently and dynamically adjust the security protection policy in step with changing DDoS attack methods, reducing manual intervention, preventing the router's connected devices from being turned into zombie hosts ("肉鸡") in advance, and stopping DDoS attacks at their source.

The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the invention in detail. It should be understood that they are only specific embodiments of the invention and do not limit its scope of protection; any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (6)

1. A router-based method for defending against DDoS attacks, applied in a system consisting of a router, connected devices and a server, characterized in that it comprises the following steps:
the router periodically reports the device information and traffic statistics of its connected devices to the server;
the server analyses and aggregates the information reported by the router and judges whether a connected device is launching a DDoS attack on the outside;
when it is judged that a connected device is launching a DDoS attack, the server sends the router an instruction to capture the packets of the specified connected device, and the router sends the captured packets to the server;
the server generates a new security protection policy based on the attack characteristics of the packets and notifies the router to download it; the router executes the new security protection policy to block the attack;
the server's judgement of whether the connected device is launching a DDoS attack specifically comprises:
the router judges on the basis of the traffic statistics it has reported to the server in the most recent N reporting periods;
when the traffic of the connected device exceeds the given monitored traffic threshold in every one of the most recent N reporting periods, the connected device is judged to be launching a DDoS attack;
the judgement on the basis of the most recent N reporting periods further comprises: when the traffic of the connected device exceeds the given monitored traffic threshold in at least N/2 of the most recent N reporting periods, the connected device is judged to be possibly launching a DDoS attack;
after sending the capture instruction to the router, the server analyses the captured packets and judges whether they contain attack-traffic packets;
when attack-traffic packets are present, the connected device is judged to be launching a DDoS attack and the router is notified to halve its traffic-statistics reporting interval;
the monitored traffic threshold of the connected device comprises:
at initialisation the server assigns each connected device of the router an initial monitored traffic threshold;
during operation, when the server detects that the connected device has launched no DDoS attack throughout the most recent historical period M, it adjusts the device's monitored traffic threshold;
the monitored traffic threshold is updated to the average over the statistical time slots of each reporting period within the historical period M;
the server stores the updated monitored traffic thresholds of the connected device for each time slot.

2. The method according to claim 1, characterized in that the server sending the router an instruction to capture the packets of a specified connected device specifically comprises:
the server sends the router an instruction to capture the packets of the specified device periodically;
the capture instruction identifies the router's specific connected device by the device's MAC address;
the capture instruction contains the MAC addresses of several connected devices of the router.

3. The method according to claim 1, characterized in that the server acting on the attack characteristics of the packets captured by the router specifically comprises:
the new security protection policy is restricted to the connected device that is launching the DDoS attack;
the server continuously generates updated security protection policies from the periodic packets returned by the router;
when the server re-detects that the traffic statistics of the router's specified connected device no longer satisfy the preset fault condition, it sends the router an instruction to stop capturing the packets of that device, and if the router's reporting interval has been adjusted, it notifies the router to restore the reporting interval to the default value.

4. A router-based system for defending against DDoS attacks, applying the method of claim 1, characterized in that it consists of a router, connected devices and a server, in which:
the router periodically reports the device information and traffic statistics of its connected devices to the server;
the server analyses and aggregates the information reported by the router and judges whether a connected device is launching a DDoS attack on the outside;
when it is judged that a connected device is launching a DDoS attack, the server sends the router an instruction to capture the packets of the specified connected device, and the router sends the captured packets to the server;
the server generates a new security protection policy based on the attack characteristics of the packets and notifies the router to download it; the router executes the new security protection policy to block the attack.

5. The system according to claim 4, characterized in that the server comprises:
a receiving module for receiving the router's data-request information, the periodically reported data and the packets captured by the router;
an analysis module for analysing the device information and traffic statistics reported by the router and the packets the router captured;
a storage module for storing the router's reporting interval, the number N of consecutive judgement periods, the monitored traffic threshold of each connected device for each time slot of the operating period M, and the router's latest security protection policy;
a judging module for judging, from the reported device information, the traffic statistics and the connected device's monitored traffic threshold, whether the connected device is launching a DDoS attack, and for judging from the captured packets whether an attack is present;
a policy generation module for generating a new security protection policy from the attack characteristics of the captured packets;
a sending module for sending information and instructions to the router, including the instruction to capture the packets of a specified connected device, the instruction to adjust the router's reporting interval, and the notification to download a new security protection policy.

6. The system according to claim 4, characterized in that the router comprises:
a data receiving module for receiving the instruction to capture the packets of a specified connected device and the instruction to adjust the reporting interval that the server sends to the router;
a data statistics module for periodically collecting the device information and traffic statistics of the router's connected devices;
a packet capture module for capturing packets on the router according to the capture instruction received from the server;
a security defense module for downloading and executing the new security protection policy issued by the server and restricting the access of the connected device that is launching the DDoS attack through the router;
a data sending module for requesting the router's attribute information from the server, periodically sending the device information and traffic statistics of the router's connected devices to the server, sending the captured packets to the server, and downloading the new security protection policy.
CN201711279446.2A 2017-12-06 2017-12-06 A method and system for defending against DDoS attacks based on routers Active CN109889470B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711279446.2A CN109889470B (en) 2017-12-06 2017-12-06 A method and system for defending against DDoS attacks based on routers

Publications (2)

Publication Number Publication Date
CN109889470A CN109889470A (en) 2019-06-14
CN109889470B true CN109889470B (en) 2020-06-26

Family

ID=66924320

Country Status (1)

Country Link
CN (1) CN109889470B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112153649A (en) * 2019-06-28 2020-12-29 北京奇虎科技有限公司 router
CN111953569B (en) * 2020-08-27 2022-04-29 浪潮电子信息产业股份有限公司 State information reporting method, device, equipment and medium
CN114422240B (en) * 2022-01-19 2024-03-15 湖南警察学院 Internet of things cross-layer attack path identification method based on attack behavior analysis

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753381A (en) * 2009-12-25 2010-06-23 华中科技大学 Method for detecting network attack behaviors
CN102821002A (en) * 2011-06-09 2012-12-12 中国移动通信集团河南有限公司信阳分公司 Method and system for network flow anomaly detection
CN106161333A (en) * 2015-03-24 2016-11-23 华为技术有限公司 DDOS attack means of defence based on SDN, Apparatus and system
CN106357685A (en) * 2016-10-28 2017-01-25 北京神州绿盟信息安全科技股份有限公司 Method and device for defending distributed denial of service attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9412381B2 (en) * 2010-03-30 2016-08-09 Ack3 Bionetics Private Ltd. Integrated voice biometrics cloud security gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210818
Address after: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
Patentee after: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES
Address before: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
Patentee before: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES
Patentee before: BEIJING INTELLIX TECHNOLOGIES Co.,Ltd.

Effective date of registration: 20210818
Address after: Room 1601, 16th floor, East Tower, Ximei building, No. 6, Changchun Road, high tech Industrial Development Zone, Zhengzhou, Henan 450001
Patentee after: Zhengzhou xinrand Network Technology Co.,Ltd.
Address before: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
Patentee before: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES

TR01 Transfer of patent right

Effective date of registration: 20210826
Address after: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
Patentee after: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES
Address before: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
Patentee before: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES
Patentee before: BEIJING INTELLIX TECHNOLOGIES Co.,Ltd.

Effective date of registration: 20210826
Address after: Room 1601, 16th floor, East Tower, Ximei building, No. 6, Changchun Road, high tech Industrial Development Zone, Zhengzhou, Henan 450001
Patentee after: Zhengzhou xinrand Network Technology Co.,Ltd.
Address before: 100190, No. 21 West Fourth Ring Road, Beijing, Haidian District
Patentee before: INSTITUTE OF ACOUSTICS, CHINESE ACADEMY OF SCIENCES