In a third mode, when a response data packet of the specified service type is obtained, the number of states corresponding to the specified service type can be reduced by 1; when the request packet of the specified service type is obtained, the number of states corresponding to the specified service type may be increased by 1. Further, the state number corresponding to the specified service type can be determined; if the number of states is smaller than a preset third threshold, it may be determined that a DDoS reflection attack for the specified service type occurs. For example, the ingress device may create a status array as shown in table 6 and monitor each host for request packets sent and each host for response packets received. For example, the number of states corresponding to the SSDP of the host may be decremented by 1 each time the host receives a response packet of the SSDP, and the number of states corresponding to the SSDP of the host may be incremented by 1 each time the host transmits a request packet of the SSDP. Similarly, the number of states corresponding to the NTP of the host is decremented by 1 each time the host receives a response packet of the NTP, and the number of states corresponding to the NTP of the host is incremented by 1 each time the host sends a request packet of the NTP. And so on.

TABLE 6

Based on this status array, the number of statuses corresponding to SSDP is decremented by 1 each time the host receives a response packet of SSDP, and the number of statuses corresponding to SSDP is incremented by 1 each time the host transmits a request packet of SSDP, so that the-80 number of statuses corresponding to SSDP indicates that the difference in number between the number of response packets and the number of request packets is 80. Similarly, the NTP corresponds to a status number of 0, which means that the difference between the number of response packets and the number of request packets is 0. The number of states corresponding to the PORTMAP, 0, indicates that the difference between the number of response packets and the number of request packets is 0. And so on.

In the first, second, and third modes, the request packet may carry information of a specified service type, and the ingress device may determine the specified service type corresponding to the request packet based on the information, and then monitor that the host sends the request packet of the specified service type, which is not described herein again. The response data packet may carry information of a specified service type, and the ingress device may determine, based on the information, a specified service type corresponding to the response data packet, and then monitor that the host receives the response data packet of the specified service type, which is not described herein again.

Step 303, performing a current limiting process on the response packet of the specified service type sent to the host.

For example, when the ingress device determines that host a has a DDoS reflection attack on the SSDP, the ingress device may perform flow limiting processing on a response packet of the SSDP sent to host a.

For example, assuming that the current limit policy is 50% current limit, the ingress device may send 50% of the response packet to host a. Assuming that 100 response packets of SSDP that need to be sent to the host a are received within a preset time (e.g., 1 minute), the ingress device only sends 50 response packets to the host a, and the other 50 response packets are discarded, thereby reducing the number of response packets sent to the host a.

In one example, the process for "the ingress device performs the throttling processing on the response packet of the specified service type sent to the host" may include, but is not limited to, the following ways: counting the number of response data packets of the specified service type to be sent to the host; determining the flow intervals to which the quantity belongs, and determining the flow limiting level corresponding to the flow intervals; and performing current limiting processing on the response data packet based on the current limiting level.

For example, the inlet device may create a mapping table shown in table 7, which is used to record the correspondence between the flow rate intervals and the flow limit levels, where the flow limit level 1 represents 30% of the flow limit, the flow limit level 2 represents 50% of the flow limit, the flow limit level 3 represents 70% of the flow limit, and the flow limit level 4 represents 90% of the flow limit.

TABLE 7

Interval of flow	Level of current limiting
		Flow interval (0, 100)]	Current limiting level 1
Flow interval (100, 300)]	Current limiting level 2
		Flow interval (300,800)]	Current limiting level 3
Flow interval (800,10000)]	Current limiting level 4

The ingress device may count the number of SSDP response packets, e.g., 1000, to be sent to the host a within a preset time (e.g., 1 minute). Then, it may be determined that the number of traffic intervals to which the 1000 belongs is a traffic interval (800,10000), and it may be determined that the throttling level 4 corresponding to the traffic interval represents 90% throttling, and thus, the ingress device may transmit 10% of the response packets to the host a, that is, the throttling portion reaches 90%.

In one example, the host may further send a message carrying a specified service type to the ingress device, where the message is used to enable the ingress device to perform flow limiting processing on a response packet of the specified service type sent to the host. Based on this, the ingress device may parse the specified service type from the message when receiving the message, and perform the current limiting process on the response packet of the specified service type sent to the host.

In the above embodiment, after determining that a DDoS reflection attack for a specified service type occurs, the ingress device may further set a timer for the specified service type of the host, where an aging time of the timer is configured empirically. Before the timer is over, the inlet device performs the current limiting process on the response data packet of the specified service type sent to the host. After the timer expires, the ingress device may clear the statistics of the specified service type for the host (e.g., the number of response packets, the number of request packets, and the number of states in table 5 or table 6 in table 4), and then the ingress device may re-determine whether a DDoS reflection attack for the specified service type occurs, using

steps

301 and 302, and so on.

In an example, Netfilter may be deployed in the entrance device, and the DDoS reflection attack defense method is implemented by Netfilter, but Netfilter is only an example, and the implementation manner is not limited.

Based on the technical scheme, in the embodiment of the application, whether the DDoS reflection attack aiming at the specified service type occurs or not can be determined according to the difference between the number of the response data packet of the specified service type and the number of the request data packet of the specified service type, and the response data packet of the specified service type sent to the host is subjected to flow limiting processing when the DDoS reflection attack occurs, so that a more reliable defense mode aiming at the DDoS reflection attack is provided, the problem of a large number of DDoS reflection attacks can be solved, and an effective defense mode is provided.

Based on the same application concept as the method, an embodiment of the present application further provides a DDoS reflection attack defense device, which is applied to a host, and is a structural diagram of the DDoS reflection attack defense device, as shown in fig. 4.

A determining module 401, configured to determine whether a DDoS reflection attack aiming at a specified service type occurs according to a difference between a number of response data packets of the specified service type and a number of request data packets of the specified service type;

a processing module 402, configured to discard the response data packet for the specified service type when the determining module determines that the DDoS reflection attack for the specified service type occurs.

The determining module 401 is specifically configured to count the number of response packets of a specified service type and the number of request packets of the specified service type, and obtain a number difference between the number of response packets and the number of request packets; if the quantity difference is larger than a preset first threshold value, determining that DDoS reflection attack aiming at the specified service type occurs; or when a response data packet of the specified service type is obtained, adding 1 to the state number corresponding to the specified service type; when a request data packet of a specified service type is obtained, subtracting 1 from the state number corresponding to the specified service type; determining the state number corresponding to the specified service type; if the number of states is larger than a preset second threshold value, determining that DDoS reflection attack aiming at the specified service type occurs; wherein the preset second threshold is an integer greater than 0; or, when obtaining the response data packet of the specified service type, subtracting 1 from the state number corresponding to the specified service type; when a request data packet of a specified service type is obtained, adding 1 to the state number corresponding to the specified service type; determining the state number corresponding to the specified service type; if the number of states is smaller than a preset third threshold value, determining that DDoS reflection attack aiming at the specified service type occurs; wherein the preset third threshold is an integer smaller than 0.

The processing module 402 is specifically configured to, in a process of discarding a response packet for the specified service type, determine a service type of the response packet when the response packet is received; and if the service type is the specified service type in which the DDoS reflection attack has already occurred, discarding the response data packet.

The processing module 402 is further configured to parse a destination IP address from the response packet; and if the destination IP address is not the IP address of the host, discarding the response data packet.

Based on the same application concept as the method, the embodiment of the present application further provides a DDoS reflection attack defense device, which is applied to an ingress device, and as shown in fig. 5, is a structure diagram of the device.

A monitoring module 501, configured to monitor a response packet and a request packet of a specified service type of a host;

a determining module 502, configured to determine whether a DDoS reflection attack aiming at the specified service type occurs according to a difference between the number of the response data packets of the specified service type and the number of the request data packets of the specified service type;

a processing module 503, configured to perform, when the determination result is that a DDoS reflection attack for the specified service type occurs, flow limiting processing on a response data packet of the specified service type sent to the host.

In an example, the determining module 502 is specifically configured to count the number of response packets of the specified service type and the number of request packets of the specified service type, and obtain a difference between the number of response packets and the number of request packets; if the quantity difference is larger than a preset first threshold value, determining that DDoS reflection attack aiming at the specified service type occurs; or, when the response data packet of the specified service type is obtained, adding 1 to the state number corresponding to the specified service type; when the request data packet of the specified service type is obtained, subtracting 1 from the state number corresponding to the specified service type; determining the number of states corresponding to the specified service type, and if the number of states is greater than a preset second threshold value, determining that DDoS reflection attack aiming at the specified service type occurs; wherein the preset second threshold is an integer greater than 0; or, when obtaining the response data packet of the specified service type, subtracting 1 from the state number corresponding to the specified service type; when the request data packet of the specified service type is obtained, adding 1 to the state number corresponding to the specified service type; determining the number of states corresponding to the specified service type, and if the number of states is smaller than a preset third threshold value, determining that DDoS reflection attack aiming at the specified service type occurs; wherein the preset third threshold is an integer smaller than 0.

The processing module 503 is specifically configured to count the number of response data packets of the specified service type to be sent to the host in a process of performing flow limiting processing on the response data packets of the specified service type sent to the host; determining the flow intervals to which the quantity belongs, and determining the flow limiting level corresponding to the flow intervals; and performing current limiting processing on the response data packet based on the current limiting level.

Based on the same application concept as the method, the embodiment of the present application provides a DDoS reflection attack defense device (such as the above-mentioned host or ingress device), including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions capable of being executed by the processor; the processor is used for executing machine executable instructions to realize the DDoS reflection attack defense method.

Based on the same application concept as the method, embodiments of the present application further provide a machine-readable storage medium, where a plurality of computer instructions are stored, and when executed, the computer instructions implement the DDoS reflection attack defense method.

The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.

For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.

As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims

1. A DDoS reflection attack defense method is characterized by comprising the following steps:

and if so, discarding the response data packet for the specified service type.

2. The method of claim 1,

the determining whether DDoS reflection attack aiming at the specified service type occurs according to the difference between the number of the response data packets of the specified service type and the number of the request data packets of the specified service type includes:

counting the number of response data packets of a specified service type and the number of request data packets of the specified service type, and obtaining the number difference between the number of response data packets and the number of request data packets;

and if the quantity difference is larger than a preset first threshold value, determining that the DDoS reflection attack aiming at the specified service type occurs.

3. The method of claim 1,

adding 1 to the state number corresponding to the specified service type when the response data packet of the specified service type is obtained; when a request data packet of a specified service type is obtained, subtracting 1 from the state number corresponding to the specified service type;

determining the state number corresponding to the specified service type; if the number of states is larger than a preset second threshold value, determining that DDoS reflection attack aiming at the specified service type occurs;

wherein the preset second threshold is an integer greater than 0.

4. The method of claim 1,

when a response data packet of the specified service type is obtained, subtracting 1 from the state number corresponding to the specified service type; when a request data packet of a specified service type is obtained, adding 1 to the state number corresponding to the specified service type;

determining the state number corresponding to the specified service type; if the number of states is smaller than a preset third threshold value, determining that DDoS reflection attack aiming at the specified service type occurs;

wherein the preset third threshold is an integer smaller than 0.

5. The method of claim 1,

the process of discarding the response packet for the specified service type specifically includes:

determining a service type of a response data packet when the response data packet is received; and if the service type is the specified service type in which the DDoS reflection attack has already occurred, discarding the response data packet.

6. The method of claim 5,

before the determining the service type of the response packet, the method further includes:

analyzing a target IP address from the response data packet;

and if the destination IP address is not the IP address of the host, discarding the response data packet.

7. The method of claim 1,

if the DDoS reflection attack aiming at the specified service type is determined to occur, the method further comprises the following steps:

and sending a message carrying the specified service type to an ingress device, wherein the message is used for enabling the ingress device to perform flow limiting processing on a response data packet of the specified service type sent to the host.

8. A DDoS reflection attack defense method is characterized by comprising the following steps:

9. The method of claim 8,

10. The method of claim 8,

determining the number of states corresponding to the specified service type, and if the number of states is greater than a preset second threshold value, determining that DDoS reflection attack aiming at the specified service type occurs;

wherein the preset second threshold is an integer greater than 0.

11. The method of claim 8,

determining the number of states corresponding to the specified service type, and if the number of states is smaller than a preset third threshold value, determining that DDoS reflection attack aiming at the specified service type occurs;

wherein the preset third threshold is an integer smaller than 0.

12. The method according to claim 8, wherein the process of performing the flow restriction processing on the response packet of the specified service type sent to the host specifically includes:

counting the number of response data packets of the specified service type to be sent to the host;

determining the flow intervals to which the quantity belongs, and determining the flow limiting level corresponding to the flow intervals;

and performing current limiting processing on the response data packet based on the current limiting level.

13. The method of claim 8, further comprising:

when receiving a message carrying a specified service type sent by a host, analyzing the specified service type from the message, and performing current limiting processing on a response data packet of the specified service type sent to the host.

14. A DDoS reflection attack defense apparatus, comprising:

15. A DDoS reflection attack defense apparatus, comprising:

16. A DDoS reflection attack defense apparatus, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute machine executable instructions to perform the method steps of any of claims 1 to 7 or to perform the method steps of any of claims 8 to 13.