Disclosure of Invention
In view of this, an object of the embodiments of the present application is to provide a method and an apparatus for defending against a reflection attack, an electronic device, and a storage medium, so as to solve the problem in the prior art that normal traffic is easily cleaned by mistake.
The embodiment of the application provides a reflection attack defense method, which is applied to cleaning equipment, wherein the cleaning equipment is respectively connected with detection equipment and network communication equipment, the detection equipment is also connected with the network communication equipment, a protection object sends uplink flow containing a request message to a far-end network through the network communication equipment, the far-end network sends downlink flow containing a response message to the protection object through the network communication equipment, and the method comprises the following steps: mirroring the upstream traffic sent to the remote network by the network communication device to the cleaning device; when linkage information sent by the detection equipment when the detection equipment determines that a reflection attack exists is received and a traction Internet Protocol (IP) address in the linkage information hits a source IP address of the protection object, the downlink traffic is pulled from the network communication equipment to the cleaning equipment based on the traction IP; establishing a session based on a request message in the uplink flow of the mirror image; based on the session, performing session check for each traffic packet of the downstream traffic; and sending the normal traffic packet with the normal session check result to the network communication equipment so as to enable the normal traffic packet to reach the protection object through the network communication equipment.
In the implementation mode, the session information is created directly on the cleaning equipment by mirroring the uplink flow to it; no synchronization from other equipment is relied on and no network resources are consumed by synchronizing session information, so that the reflection defense method based on session check is realized in a simple mode.
Optionally, the establishing a session based on the request packet in the uplink traffic includes: establishing a session based on the five-tuple information of the request message.
In the implementation mode, the session is established through the quintuple information of the request message, so that the abnormal flow message can be accurately determined based on the quintuple information of the session when the subsequent cleaning equipment performs session information check and abnormal flow cleaning, and the cleaning accuracy is improved.
Optionally, the pulling of the downlink traffic from the network communication device to the cleaning device when the linkage information sent by the detection device upon determining that a reflection attack exists is received includes: receiving the linkage information sent by the detection equipment when the reflection attack is determined to exist; analyzing the linkage information to obtain the traction IP address; and when the traction IP address hits the source address of the protection object, performing dynamic route advertisement to the network communication equipment based on the traction IP address and the attack type so as to draw the downlink traffic to the cleaning equipment.
In the implementation mode, the cleaning equipment carries out downlink flow traction based on the traction IP address and the attack type in the linkage information sent by the detection equipment, so that the detection accuracy of the attack flow is ensured.
Optionally, the performing, based on the session, of the session check on each traffic packet of the downstream traffic includes: performing quintuple information matching with the session for each flow packet in the downlink flow; and when the quintuple information matched with the current flow packet exists in the session, determining the current flow packet as the normal flow packet.
In the implementation mode, the abnormal traffic packet cleaning of the mismatch of quintuple data is realized by matching the downlink traffic based on quintuple information, and the identification accuracy of the abnormal traffic is improved.
The embodiment of the application further provides a method for defending against reflection attacks, which is applied to detection equipment, wherein the detection equipment is respectively connected with cleaning equipment and network communication equipment, the detection equipment is also connected with the network communication equipment, a protection object sends uplink flow containing a request message to a far-end network through the network communication equipment, the far-end network sends downlink flow containing a response message to the protection object through the network communication equipment, and the method comprises the following steps: mirroring the downlink traffic sent to the protected object by the network communication equipment to the detection equipment; when the mirror image-based downlink flow determines that a reflection attack exists, sending linkage information to the cleaning equipment so that the cleaning equipment pulls the downlink flow to the cleaning equipment based on the traction IP when receiving the linkage information and a traction IP address in the linkage information hits a source IP address of a protection object, so that the cleaning equipment establishes a session based on a request message in the uplink flow of the mirror image, performs session check on each flow packet of the downlink flow based on the session, sends a normal flow packet with a normal session check result to the network communication equipment, and sends the normal flow packet to the protection object through the network communication equipment.
In the implementation mode, the detection device informs the cleaning device through the linkage information after carrying out attack detection on the downlink flow and when finding that the reflection attack exists, so that the cleaning device carries out session establishment and flow cleaning based on quintuple information, thereby realizing the reflection defense method based on session check in a simple mode, avoiding carrying out session establishment on the safety flow which does not need to establish the session, realizing effective detection on the attack flow, reducing the resource occupancy rate, improving the detection accuracy of the reflection attack, and further improving the overall accuracy of the reflection attack defense.
Optionally, before the sending linkage information to the cleaning device when it is determined that the reflection attack exists based on the downstream traffic of the mirror image, the method further includes: determining whether a reflection attack exists in the downlink traffic based on traffic anomaly detection.
In the implementation mode, whether the downlink traffic has the reflection attack or not is determined based on the traffic threshold, so that the accuracy of the detection of the reflection attack is simply and effectively ensured, and the detection efficiency is improved.
The embodiment of the present application further provides a reflection attack defense device, which is applied to a cleaning device, the cleaning device is respectively connected to a detection device and a network communication device, the detection device is further connected to the network communication device, a protection object sends uplink traffic containing a request message to a far-end network through the network communication device, the far-end network sends downlink traffic containing a response message to the protection object through the network communication device, and the device includes: the upstream flow mirroring device is used for mirroring the upstream flow which is sent to the remote network through the network communication equipment to the cleaning equipment; a traction module, configured to, when linkage information sent by the detection device when it is determined that a reflection attack exists is received and a traction internet protocol IP address in the linkage information hits a source IP address of the protection object, pull the downlink traffic from the network communication device to the cleaning device based on the traction IP; a session establishing module, configured to establish a session based on the request packet in the mirrored uplink traffic; a session check module, configured to perform session check on each traffic packet of the downlink traffic based on the session; and the flow reinjection module is used for sending a normal flow packet with a normal session check result to the network communication equipment so as to enable the normal flow packet to reach the protection object through the network communication equipment.
In the implementation mode, the uplink flow is mirrored to the cleaning equipment so that the session information is created there directly; no synchronization from other equipment is required and no network resources are consumed by synchronizing session information, so that the reflection defense method based on session check is realized in a simple mode.
Optionally, the session establishing module is specifically configured to: establish a session based on the five-tuple information of the request message.
In the implementation mode, the session is established through the quintuple information of the request message, so that the abnormal flow message can be accurately determined based on the quintuple information of the session when the subsequent cleaning equipment performs session information check and abnormal flow cleaning, and the cleaning accuracy is improved.
Optionally, the linkage information includes the traction IP address and an attack type, and the traction module is specifically configured to: receiving the linkage information sent by the detection equipment when the reflection attack is determined to exist; analyzing the linkage information to obtain the traction IP address; and when the traction IP address hits the source address of the protection object, performing dynamic route advertisement to the network communication equipment based on the traction IP address and the attack type so as to draw the downlink traffic to the cleaning equipment.
In the implementation mode, the cleaning equipment carries out downlink flow traction based on the traction IP address and the attack type in the linkage information sent by the detection equipment, so that the detection accuracy of the attack flow is ensured.
Optionally, the session check module is specifically configured to: performing quintuple information matching with the session for each flow packet in the downlink flow; and when the quintuple information matched with the current flow packet exists in the session, determining the current flow packet as the normal flow packet.
In the implementation mode, the abnormal traffic packet cleaning of the mismatch of quintuple data is realized by matching the downlink traffic based on quintuple information, and the identification accuracy of the abnormal traffic is improved.
The embodiment of the present application further provides a reflection attack defense apparatus, which is applied to a detection device, the detection device is respectively connected to a cleaning device and a network communication device, the detection device is further connected to the network communication device, a protection object sends uplink traffic containing a request message to a far-end network through the network communication device, the far-end network sends downlink traffic containing a response message to the protection object through the network communication device, and the apparatus includes: the downlink flow mirror module is used for mirroring the downlink flow sent to the protected object by the network communication equipment to the detection equipment; the linkage information sending module is used for sending linkage information to the cleaning equipment when it is determined from the mirrored downlink flow that a reflection attack exists, so that the cleaning equipment pulls the downlink flow to the cleaning equipment based on the traction IP when it receives the linkage information and the traction IP address in the linkage information hits the source IP address of the protection object, so that the cleaning equipment establishes a session based on a request message in the mirrored uplink flow, performs session check on each flow packet of the downlink flow based on the session, sends a normal flow packet with a normal session check result to the network communication equipment, and sends the normal flow packet to the protection object through the network communication equipment.
In the implementation mode, the detection device informs the cleaning device through the linkage information after carrying out attack detection on the downlink flow and when finding that the reflection attack exists, so that the cleaning device carries out session establishment and flow cleaning based on quintuple information, thereby realizing the reflection defense method based on session check in a simple mode, avoiding carrying out session establishment on the safety flow which does not need to establish the session, realizing effective detection on the attack flow, reducing the resource occupancy rate, improving the detection accuracy of the reflection attack, and further improving the overall accuracy of the reflection attack defense.
Optionally, the apparatus for defending against reflection attacks further comprises: a reflection attack judging module, configured to determine whether the downlink flow contains a reflection attack based on traffic anomaly detection.
In the implementation mode, whether the downlink traffic has the reflection attack or not is determined based on the traffic threshold, so that the accuracy of the detection of the reflection attack is simply and effectively ensured, and the detection efficiency is improved.
An embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores program instructions, and the processor executes steps in any one of the above implementation manners when reading and executing the program instructions.
The embodiment of the present application further provides a readable storage medium, in which computer program instructions are stored, and the computer program instructions are read by a processor and executed to perform the steps in any of the above implementation manners.
Detailed Description
The technical solution in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
The research of the applicant finds that the existing reflection attack defense mode technology based on the DDoS cleaning equipment is difficult to realize, session information is generally required to be established on detection equipment at first and then is synchronized to the cleaning equipment, and the requirements on synchronization timeliness, accuracy and stability are high.
Aiming at the defects that the prior art is high in implementation difficulty, brings extra burden to the network, and easily causes mistaken cleaning, a reflection attack defense method is provided which effectively overcomes these defects. The method changes only the networking mode (port mirroring): the uplink flow is mirrored to the cleaning equipment, and the session information is created directly on the cleaning equipment without depending on other equipment for synchronization. A reflection defense method based on session check is thereby achieved in which the session information does not need to be synchronized and no resource load is imposed on the network, while attack flow and normal flow can still be effectively distinguished and the problem of mistaken cleaning is avoided.
First, the present embodiment provides a reflection attack defense system 10 for executing a reflection attack defense method; please refer to fig. 1, which is a schematic structural diagram of a reflection attack defense system according to an embodiment of the present application.
The reflection attack defense system 10 is deployed in bypass mode and comprises a protection object 11, a network communication device, a remote network 14, a cleaning device 15 and a detection device 16. The protection object 11 is connected to the remote network 14 through the network communication device; the flow sent by the protection object 11 is uplink flow and the flow it receives is downlink flow. The cleaning device 15 is connected to both the detection device 16 and the network communication device, and the detection device 16 is also connected to the network communication device.
Optionally, the network communication device in this implementation may include a switch 12 and a router 13. The protected object 11, the switch 12, the router 13 and the remote network 14 are connected in sequence; the cleaning device 15 is connected to both the switch 12 and the router 13, and the detection device 16 is connected to the router 13.
Referring to fig. 2, fig. 2 is a schematic flow chart of a reflection attack defense method according to an embodiment of the present application, where the specific steps of the reflection attack defense method may be as follows:
The information flow of the request packet sent by the protection object 11 to the remote network 14 is S1 → S2 → S3; this is the upstream traffic. When it passes through the router 13 it is mirrored to the cleaning device 15; the mirrored upstream traffic is shown as P0 in fig. 2.
Mirroring in this implementation refers to copying packets passing through a specified port (the source port or mirror port) to another specified port (the destination port or observation port). Mirroring copies the packets of the mirror port to the observation port without affecting the device's normal processing of those packets.
The information flow of the response packet returned by the remote network 14 to the protection object 11 in reply to the request packet is C1 → C2 → C3; this is the downstream traffic. When it passes through the router 13 it is also sent to the detection device 16.
Optionally, the detection device 16 may obtain the downstream traffic (P1 in fig. 2) from the router 13 by mirroring or by NetFlow-based snooping.
The detection device 16 analyses the downstream traffic to determine whether it contains a reflection attack, and sends linkage information to the cleaning device 15 when it does (P2 in fig. 2).
Optionally, the linkage information may include a traction IP (Internet Protocol) address and an attack type. The traction IP address is the attacked IP address; attack types generally include memcached reflection attack, NTP (Network Time Protocol) reflection attack and SSDP (Simple Service Discovery Protocol) reflection attack.
The reflection attack in this embodiment may be detected by an attack detection technique such as deep packet inspection (DPI) or deep/dynamic flow inspection (DFI) that applies machine learning principles, or by constructing a traffic model and setting a security threshold or security baseline.
Optionally, in this embodiment, a traffic model is constructed, and a security threshold is set to perform the detection of the reflection attack. Based on statistical abnormal traffic detection, it is assumed that the current network environment is in a quasi-steady state. The algorithm collects and arranges a large amount of normal flow data in the previous period, sets an initial threshold value by carrying out statistical analysis or data transformation on historical flow data, then calculates downlink flow data of the current network, and judges whether the current network is abnormal or not by comparing the downlink flow data with the initial threshold value. If certain statistic information in the data of the downlink flow of the current network exceeds a corresponding threshold value, the abnormal flow is represented, namely, the reflection attack exists.
The network flow characteristics commonly used in the abnormal flow detection include byte number, packet number, flow count, audit record data, the number of audit events, interval events, quintuple, resource consumption events and the like.
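An added Python illustration (not the patent's own code) of the threshold-based detection described above: a baseline is derived from historical per-window packet counts of normal downlink traffic, and a linkage record (traction IP and attack type) is produced when the current window exceeds it. The mapping from reflector source port to attack type, the device behaviour and all sample counts are this example's own assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# A downlink flow record as the detection device would see it from the router's
# mirrored or NetFlow-sampled traffic: (src_ip, src_port, dst_ip, proto, packets).
FlowRecord = Tuple[str, int, str, str, int]

# Assumed mapping from the reflector's UDP source port to the attack type carried
# in the linkage information. The page lists the three attack types but not how
# the type is derived; deriving it from the source port is this example's choice.
REFLECTOR_PORTS: Dict[int, str] = {11211: "memcached", 123: "ntp", 1900: "ssdp"}


def baseline_threshold(history: List[int], k: float = 3.0) -> float:
    """Initial threshold from historical per-window packet counts of normal
    downlink traffic: mean plus k standard deviations (quasi-steady state)."""
    if len(history) < 2:
        raise ValueError("need at least two historical windows")
    return statistics.fmean(history) + k * statistics.pstdev(history)


def packets_per_destination(window: List[FlowRecord]) -> Dict[str, Dict[int, int]]:
    """Aggregate the current window's UDP downlink packets by destination IP
    and, within each destination, by the responding (reflector) source port."""
    per_dst: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for src_ip, src_port, dst_ip, proto, packets in window:
        if proto != "udp":
            continue  # the three listed reflection types are all UDP based
        per_dst[dst_ip][src_port] += packets
    return per_dst


def detect_reflection(window: List[FlowRecord],
                      thresholds: Dict[str, float]) -> List[Dict[str, str]]:
    """Compare each destination's downlink packet count with its threshold.
    Returns one linkage record (traction IP, attack type) per attacked IP."""
    linkage: List[Dict[str, str]] = []
    for dst_ip, by_port in packets_per_destination(window).items():
        total = sum(by_port.values())
        if total <= thresholds.get(dst_ip, float("inf")):
            continue  # within baseline: no linkage information is sent
        top_port = max(by_port, key=by_port.get)  # dominant responder port
        linkage.append({"traction_ip": dst_ip,
                        "attack_type": REFLECTOR_PORTS.get(top_port, "unknown")})
    return linkage


# Constructed sample data: ten historical windows of normal downlink packet
# counts for the protected object 10.0.0.5, then one current window in which
# large volumes of NTP responses (source port 123) arrive from two reflectors.
HISTORY: Dict[str, List[int]] = {
    "10.0.0.5": [900, 1100, 1000, 950, 1050, 1020, 980, 1010, 990, 1000],
}

CURRENT_WINDOW: List[FlowRecord] = [
    ("203.0.113.7", 443, "10.0.0.5", "tcp", 400),     # ordinary HTTPS reply
    ("198.51.100.10", 123, "10.0.0.5", "udp", 3000),  # NTP reflector
    ("198.51.100.11", 123, "10.0.0.5", "udp", 2500),  # NTP reflector
    ("203.0.113.20", 53, "10.0.0.5", "udp", 200),     # normal DNS reply
    ("203.0.113.21", 53, "10.0.0.6", "udp", 150),     # other host, no baseline
]


def run_detection() -> List[Dict[str, str]]:
    """Build thresholds from history and evaluate the current window."""
    thresholds = {ip: baseline_threshold(h) for ip, h in HISTORY.items()}
    return detect_reflection(CURRENT_WINDOW, thresholds)


if __name__ == "__main__":
    print(run_detection())
```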
The cleaning device 15 may monitor the linkage information from the detection device 16, parse the traction IP and the attack type from it, and determine from the traction IP the device it belongs to, namely the protected object 11, and the corresponding network communication device, namely the router 13. The cleaning device 15 then generates a dynamic route based on the traction IP and the attack type, advertises that route to the router 13, and thereby pulls the downlink traffic containing the reflection attack (P3 in fig. 2) to the cleaning device 15.
Optionally, in this embodiment the cleaning device 15 records sessions for the downstream traffic containing the reflection attack, that is, for the monitored traffic; the specific recording procedure is shown in fig. 3, which is a schematic flow diagram of the session recording step for monitored traffic provided in this embodiment of the present application.
When the source IP of the protection object 11 hits the traction IP and the attack type corresponding to the traction IP contains a reflection attack (that is, the attack type carried in the linkage message contains a reflection attack, or the cleaning device has reflection defense packet loss statistics), a corresponding session is recorded based on the traction IP; otherwise the monitored traffic is directly discarded.
The cleaning device 15 continuously mirrors, from the router 13 to the local cleaning device 15, the upstream traffic associated with the reflection attack, and establishes sessions based on the request packets in it.
Optionally, in this embodiment the corresponding session information is recorded, and a session established, based on the five-tuple information of the request packet. Here the five-tuple is the set of five values: source IP address, source port, destination IP address, destination port and transport layer protocol.
It should be appreciated that traffic mirrored to the cleaning device 15 from the router 13 is eventually discarded and is never forwarded.
The cleaning device 15 performs a session check on each traffic packet (response traffic containing a response packet) in the pulled downlink traffic. When a packet is determined by the session check to be a normal traffic packet (P4 in fig. 2), it is reinjected to the switch 12 and reaches the protected object 11 via C3; the response packet received by the protected object 11 is thus the response to the request packet it sent earlier. When a packet is determined by the session check to be an abnormal traffic packet, it is directly discarded.
Optionally, in this embodiment the session check performed by the cleaning device 15 may proceed as follows: for each traffic packet in the downlink traffic, match its five-tuple information against the session; when the session contains five-tuple information matching the current packet, the current packet is determined to be a normal traffic packet.
When the detection device 16 determines that the downstream traffic does not contain a reflection attack, the detection device 16 may send that traffic to the protected object 11 directly through the router 13 and the switch 12.
In addition, when the detection device 16 determines that the downstream traffic contains a reflection attack, normal upstream traffic sent before or at that moment has no session on the cleaning device 15, so its corresponding downstream traffic cannot be delivered to the protected object 11. Under normal request-response behaviour, the protected object 11 resends the request packet to the remote network for such unanswered upstream traffic; the resent upstream traffic is recorded by the cleaning device 15, so that in subsequent traffic cleaning the response packet reaches the protected object 11 normally through reinjection by the cleaning device 15.
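The linkage gating, session recording and session check steps above, including the retransmission case just described, as an added Python model that is not the patent's implementation. It assumes that a pulled downlink packet is matched against the session with its source and destination swapped (a response travels back along the request's five-tuple), and the class name, device behaviour and sample addresses are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# five-tuple: source IP, source port, destination IP, destination port, protocol
FiveTuple = Tuple[str, int, str, int, str]

# Attack types the linkage information may carry; the cleaning device only pulls
# downlink traffic and records sessions when the type is one of these.
REFLECTION_ATTACK_TYPES = {"memcached", "ntp", "ssdp"}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reversed_tuple(self) -> FiveTuple:
        # Assumption: a response flows from the request's destination back to
        # its source, so a downlink packet is matched with the ends swapped.
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class CleaningDevice:
    """Hypothetical model of the cleaning device 15: a session table built from
    mirrored uplink requests, used to check pulled downlink responses."""

    def __init__(self, protected_ips: List[str]) -> None:
        self.protected_ips: Set[str] = set(protected_ips)
        self.pulled: Dict[str, str] = {}        # traction IP -> attack type
        self.sessions: Set[FiveTuple] = set()   # recorded request five-tuples

    def on_linkage(self, traction_ip: str, attack_type: str) -> bool:
        """Linkage information from the detection device. Returns True when the
        traction IP hits a protected source IP and the type is a reflection
        attack, i.e. when a dynamic route is advertised to pull the downlink."""
        if traction_ip in self.protected_ips and attack_type in REFLECTION_ATTACK_TYPES:
            self.pulled[traction_ip] = attack_type
            return True
        return False

    def on_mirrored_uplink(self, pkt: Packet) -> bool:
        """Mirrored uplink request. A session is recorded only for monitored
        traffic (source IP hit by a traction IP); other mirrored packets are
        discarded. Mirrored copies are never forwarded in either case."""
        if pkt.src_ip not in self.pulled:
            return False
        self.sessions.add(pkt.five_tuple())
        return True

    def check_downlink(self, pkt: Packet) -> str:
        """Session check for one pulled downlink packet: 'normal' if it answers
        a recorded request (reinjected to the switch), else 'abnormal'."""
        return "normal" if pkt.reversed_tuple() in self.sessions else "abnormal"

    def clean(self, downlink: List[Packet]) -> Tuple[List[Packet], int]:
        """Returns the packets to reinject and the number discarded."""
        reinject = [p for p in downlink if self.check_downlink(p) == "normal"]
        return reinject, len(downlink) - len(reinject)


def run_scenario() -> Tuple[int, int]:
    """Constructed scenario: NTP reflection against 10.0.0.5 with one genuine
    NTP query outstanding. Returns (reinjected, discarded) counts."""
    dev = CleaningDevice(["10.0.0.5"])
    dev.on_linkage("10.0.0.5", "ntp")
    dev.on_mirrored_uplink(Packet("10.0.0.5", 40000, "203.0.113.7", 123, "udp"))
    downlink = [
        Packet("203.0.113.7", 123, "10.0.0.5", 40000, "udp"),    # genuine reply
        Packet("198.51.100.10", 123, "10.0.0.5", 40000, "udp"),  # reflector, no request
        Packet("198.51.100.11", 123, "10.0.0.5", 40001, "udp"),  # reflector, no request
    ]
    reinject, discarded = dev.clean(downlink)
    return len(reinject), discarded


if __name__ == "__main__":
    print(run_scenario())
```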
In the reflective attack defense method provided by the embodiment, under the condition of bypass deployment, only a networking mode (port mirror image) needs to be modified, the flow with the reflective attack hit by the linkage information is directly mirrored to the cleaning equipment to create the session information, the reflective defense method based on session check is realized in a very simple mode, and the extra network communication and the resource overhead of session establishment are avoided, so that the attack flow and the normal flow can be accurately distinguished, and the mistaken cleaning is avoided.
To cooperate with the reflection attack defense method provided by this embodiment, an embodiment of the present application further provides a reflection attack defense apparatus 20 applied to the cleaning device 15; please refer to fig. 4, which is a schematic block diagram of the reflection attack defense apparatus applied to the cleaning device provided in this embodiment of the present application.
The reflection attack defense apparatus 20 includes:
an upstream traffic mirroring device 21, configured to mirror upstream traffic sent to the remote network through the network communication device to the cleaning device;
a traction module 22, configured to pull downlink traffic from the network communication device to the cleaning device based on the traction IP when linkage information sent by the detection device upon determining that a reflection attack exists is received and the traction IP address in the linkage information hits a source IP address of the protection object;
a session establishing module 23, configured to establish a session based on the request packet in the mirrored uplink traffic;
a session check module 24, configured to perform a session check on each traffic packet of the downlink traffic based on the session;
and a traffic reinjection module 25, configured to send the normal traffic packets whose session check result is normal to the network communication device, so that they reach the protection object through the network communication device.
Optionally, the session establishing module 23 is specifically configured to establish the session based on the five-tuple information of the request packet.
Optionally, the linkage information includes a traction Internet Protocol (IP) address and an attack type, and the traction module 22 is specifically configured to: receive the linkage information sent by the detection device when it determines that a reflection attack exists; parse the linkage information to obtain the traction IP address and the attack type; and perform dynamic route advertisement to the network communication device based on the traction IP address and the attack type so as to pull the downstream traffic to the cleaning device.
Optionally, the session check module 24 is specifically configured to: for each traffic packet in the downlink traffic, match its five-tuple information against the session; and when the session contains five-tuple information matching the current packet, determine the current packet to be a normal traffic packet.
To cooperate with the reflection attack defense method provided in this embodiment, an embodiment of the present application further provides a reflection attack defense apparatus 30 applied to the detection device 16; please refer to fig. 5, which is a schematic block diagram of the reflection attack defense apparatus applied to the detection device provided in this embodiment of the present application.
The reflection attack defense apparatus 30 includes:
a downlink traffic mirroring module 31, configured to mirror downlink traffic sent to the protected object through the network communication device to the detection device;
a linkage information sending module 32, configured to send linkage information to the cleaning device when a reflection attack is determined to exist based on the mirrored downlink traffic, so that, when the cleaning device receives the linkage information and the traction IP address in it hits the source IP address of the protection object, the cleaning device pulls the downlink traffic from the network communication device to itself based on the traction IP, establishes a session based on the request packet in the mirrored uplink traffic, performs a session check on each traffic packet of the downlink traffic based on the session, sends the normal traffic packets whose session check result is normal to the network communication device, and thereby delivers them to the protection object through the network communication device.
Optionally, the reflection attack defense apparatus 30 further includes a reflection attack judgment module, configured to determine whether the downlink traffic contains a reflection attack based on traffic anomaly detection.
The embodiment of the present application further provides an electronic device, which includes a memory and a processor, where the memory stores program instructions, and when the processor reads and runs the program instructions, the processor executes the steps in any one of the methods of the reflection attack defense method provided in this embodiment.
It should be understood that the electronic device may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or other electronic device having a logical computing function.
The embodiment of the application also provides a readable storage medium, wherein the readable storage medium stores computer program instructions, and the computer program instructions are read by a processor and run to execute the steps in the reflection attack defense method.
To sum up, the embodiment of the present application provides a method, an apparatus, an electronic device, and a storage medium for defending against a reflection attack, which are applied to a method for cleaning a device, where the cleaning device is respectively connected to a detection device and a network communication device, the detection device is further connected to the network communication device, a protected object sends an uplink traffic including a request packet to a remote network through the network communication device, and the remote network sends a downlink traffic including a response packet to the protected object through the network communication device, and the method for applying to the cleaning device includes: mirroring the upstream traffic sent to the remote network by the network communication device to the cleaning device; when linkage information sent by the detection equipment when the detection equipment determines that a reflection attack exists is received and a traction Internet Protocol (IP) address in the linkage information hits a source IP address of the protection object, the downlink traffic is pulled from the network communication equipment to the cleaning equipment based on the traction IP; establishing a session based on a request message in the uplink flow of the mirror image; based on the session, performing session check for each traffic packet of the downstream traffic; and sending the normal traffic packet with the normal session check result to the network communication equipment so as to enable the normal traffic packet to reach the protection object through the network communication equipment.
In this implementation, the session information is created directly by mirroring the uplink traffic to the cleaning device; it does not rely on synchronization from other devices and does not consume network resources for synchronizing session information, so the session-check-based reflection defense is realized in a simple manner.
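As an added illustration (not the patent's own code), the following Python model shows the cleaning device's logic: sessions are recorded only from mirrored uplink requests, a linkage report with a traction IP pulls downlink traffic only when it hits a protected source IP, and each pulled downlink packet is forwarded only if it matches a recorded session. Class and field names, the 5-tuple packet format and the sample traffic are constructed for the example; session expiry is not modelled.

```python
# Constructed model of the session-check cleaning device described in the patent.
# Names (Packet, CleaningDevice, ...) are hypothetical, not the patent's identifiers.
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

# (proto, client_ip, client_port, server_ip, server_port), keyed from the client's view
SessionKey = Tuple[str, str, int, str, int]

class CleaningDevice:
    def __init__(self, protected_ips: Set[str]):
        self.protected_ips = protected_ips
        self.sessions: Set[SessionKey] = set()  # built only from mirrored uplink
        self.pulled: Set[str] = set()           # traction IPs whose downlink is diverted

    def on_mirrored_uplink(self, pkt: Packet) -> None:
        # Uplink request from the protected object: record the session it opens.
        self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def on_linkage(self, traction_ip: str) -> bool:
        # Detection device reports a reflection attack; pull downlink traffic only
        # when the traction IP hits a source IP of the protected object.
        if traction_ip in self.protected_ips:
            self.pulled.add(traction_ip)
            return True
        return False

    def check_downlink(self, pkt: Packet) -> bool:
        """True = session check normal (forward to network device); False = drop."""
        if pkt.dst_ip not in self.pulled:
            return True  # not pulled: traffic never reaches the cleaning device
        # A response is the mirror image of the request 5-tuple.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.sessions

def clean(dev: CleaningDevice, downlink: List[Packet]) -> List[Packet]:
    """Return only the downlink packets that pass the session check."""
    return [p for p in downlink if dev.check_downlink(p)]
```

Unsolicited responses from reflectors carry no matching request in the session table, so they are dropped while responses to real requests from the protected object pass.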
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices according to various embodiments of the present application. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Therefore, the present embodiment further provides a readable storage medium, in which computer program instructions are stored, and when the computer program instructions are read and executed by a processor, the computer program instructions perform the steps of any of the block data storage methods. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.