WO2024002067A1 - Attack tracing method and apparatus, and router, server and storage medium - Google Patents
Attack tracing method and apparatus, and router, server and storage medium
- Publication number
- WO2024002067A1 (PCT application PCT/CN2023/102734)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data packet
- fragment
- field
- target
- attack source
- Prior art date
- Legal status (assumed by Google Patents; not a legal conclusion)
- Ceased
Classifications
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- This application relates to the field of communication technology, such as attack source tracing methods, devices, routers, servers and storage media.
- SDN Software Defined Network
- SDN is a new network architecture that separates the control plane and data plane to support network virtualization. Due to its many advantages such as flexible structure, easy deployment, programmability, scalability, and decoupling, it provides a new method for mitigating DDoS attacks.
- Most DDoS attack defense solutions in SDN analyze local traffic characteristics within a single network domain for centralized single-point detection, and mitigate DDoS attacks by blocking the attack traffic.
- IoT devices targeted by DDoS attacks are usually located within the jurisdiction of different controllers. That is, DDoS attacks usually target IoT devices in multiple network domains.
- A DDoS attack source tracing method based on log recording is also known.
- The main idea of this method is that when a data packet is transmitted through the network, each router records information about the packet in its routing log.
- When the attacked IoT device detects that it is under attack, it sends a query request to the upstream router.
- Using the path logs in the routers, a recursive lookup finds each router the data packet passed through, obtains the attack route, and locates the attack source from that route.
- This method has three drawbacks. First, the router must record a large amount of data, which increases router overhead and reduces router performance. Second, router storage is limited, so data cannot be stored indefinitely; when storage reaches its upper limit the log records are overwritten, and attack source tracing can only be completed within a certain time window. Third, the log records are themselves a security risk: if a router is compromised by an attacker, the attacker can modify or delete the log records at will, making it impossible to trace the attack source.
- This application provides attack source tracing methods, devices, routers, servers, and storage media to solve the problems in related technologies such as excessive router overhead, limited storage capacity, and inability to accurately trace the attack source.
- This application provides an attack source tracing method applied to routers, including:
- Obtain a data packet sent from the attack source device to the attacked device; mark the data packet to obtain a marked data packet, so that the attacked device can trace the attack source device according to the target data packet,
- where the target data packet is the marked data packet obtained after the final marking of the data packet.
- This application also provides an attack source tracing method, which is applied to the server.
- The method includes:
- When an attack is detected, the target data packet is extracted.
- The target data packet carries complete mark information.
- The complete mark information includes the autonomous system (AS) numbers of all AS domains between the attack source device and the attacked device. The AS path between the attack source device and the attacked device is reconstructed according to the fragment storage field in the target data packet, and the attack source device is traced according to the AS path.
- AS Autonomous System
- This application also provides an attack source tracing device, applied to routers, including:
- The acquisition module is configured to acquire data packets sent from the attack source device to the attacked device; the marking module is configured to mark the data packets to obtain marked data packets, so that the attacked device can trace the attack source device according to the target data packet,
- where the target data packet is the marked data packet obtained after the final marking of the data packet.
- This application also provides an attack source tracing device, applied to the server, including:
- The extraction module is configured to extract the target data packet when a distributed denial of service attack is detected.
- The target data packet carries complete mark information, which includes the autonomous system numbers of all AS domains between the attack source device and the attacked device.
- The reconstruction module is configured to reconstruct the AS path between the attack source device and the attacked device based on the fragment storage field in the target data packet.
- The traceback module is configured to trace the attack source device based on the AS path.
- This application also provides a router, including a memory, a processor, and a computer program stored in the memory and executable on the processor.
- When the processor executes the program, the above attack tracing method is implemented.
- This application also provides a server, including a memory, a processor, and a computer program stored in the memory and executable on the processor.
- When the processor executes the program, the above attack tracing method is implemented.
- This application also provides a storage medium.
- A computer program is stored on the computer-readable storage medium.
- When the computer program is executed by a processor, the above attack tracing method is implemented.
- Figure 1 is a schematic diagram of an SDN architecture provided by an embodiment of this application.
- Figure 2 is a schematic flowchart of an attack source tracing method provided by an embodiment of the present application.
- Figure 3 is a schematic diagram of the IP header of a data packet rewritten into a preset mark area according to an embodiment of the present application.
- Figure 4 is a flow example diagram of another attack source tracing method provided by an embodiment of the present application.
- Figure 5 is a schematic flowchart of another attack source tracing method provided by an embodiment of the present application.
- Figure 6 is a schematic diagram of AS path reconstruction in an attack source tracing method provided by an embodiment of the present application.
- Figure 7 is a schematic diagram of an attack mitigation process provided by an embodiment of the present application.
- Figure 8 is an example flowchart of another attack source tracing method provided by an embodiment of the present application.
- Figure 9 is a schematic structural diagram of an attack source tracing device provided by an embodiment of the present application.
- Figure 10 is a schematic structural diagram of another attack source tracing device provided by an embodiment of the present application.
- Figure 11 is a schematic diagram of the hardware structure of a router provided by an embodiment of the present application.
- Figure 12 is a schematic diagram of the hardware structure of a server provided by an embodiment of the present application.
- Figure 1 is a schematic diagram of an SDN architecture provided by an embodiment of this application.
- The attacker's attack traffic can reach the victim across multiple network domains.
- Each network domain includes an SDN controller and multiple edge switches.
- When the attack traffic is forwarded into a network domain, the SDN controller of that domain controls how the attack traffic is forwarded among its edge switches.
- IP Internet Protocol
- In a DDoS attack, in order to hide their true identity, attackers usually use a forged source Internet Protocol (IP) address to launch the attack on the victim.
- As a result, the source IP address cannot be used to locate the attacker's true location, and the DDoS attack cannot be blocked at its source.
- Another way is to first trace the source of the attack after detecting a DDoS attack, and then conduct DDoS defense from the source of the attack based on the traceability results.
- DDoS attack source tracing refers to the process by which the victim determines the source and propagation path of the attack data packets; it is possible because the path along which a data packet is forwarded through the network cannot be forged.
- Once a DDoS detection method finds that a DDoS attack has occurred, the victim uses traceability methods to reconstruct the attack path or locate the attack source, so that the attack can be blocked at its source. Restoring the attack path is therefore an important part of a DDoS defense system: the real attack source can be traced by reconstructing the attack path, and based on the traceability result the victim can deploy a DDoS mitigation strategy to reduce the impact of the attack and can also impose sanctions on the attacker.
- ASN Autonomous System Number
- ASNs are represented in two different formats: 2-byte and 4-byte.
- a 2-byte ASN is a 16-bit number, and this format provides 65,536 ASNs (0 to 65535);
- A 4-byte ASN is a 32-bit number, and this format provides 2^32, or 4,294,967,296, ASNs (0 to 4294967295).
- IETF Internet Engineering Task Force
- RFC Request For Comments
- An attack source tracing method provided by the embodiment of this application is a DDoS attack source tracing method across multiple network domains. Next, the embodiments of the present application will be described.
- Figure 2 is a schematic flowchart of an attack source tracing method provided by an embodiment of the present application. The method can be applied to respond to large-scale DDoS attacks across multiple network domains. It can be executed by an attack source tracing device, which may be implemented in software and/or hardware and is generally integrated on a router. In this embodiment, the router may be the router at the entrance of an AS domain.
- The attack source tracing method provided by the embodiment of this application is executed by the routers at the entrances of multiple different AS domains.
- Each router can execute the following:
- The attack source device and the attacked device can be IoT devices.
- The data packets can be traffic data packets sent by the attack source device to the attacked device. There is no limit on the number of data packets here.
- A data packet can pass through multiple AS domains while being forwarded from the attack source device to the attacked device. After the data packet is forwarded into an AS domain, the router at the entrance of that AS domain can obtain the data packet. There is no limit on how the data packet is obtained.
- Marked packets can be understood as traffic packets carrying mark information.
- The target data packet is the traffic data packet with complete mark information, obtained after being marked for the last time by the last AS.
- When the data packet is forwarded from the attack source device to the attacked device, each time it passes through an AS domain it can be marked according to the autonomous system number of the current AS domain to obtain a marked data packet.
- The target data packet is obtained after the last AS domain applies the last mark.
- The server corresponding to the attacked device can then trace the attack source device according to the mark information in the target data packet.
- Marking the data packet to obtain a marked data packet includes: inserting part of the autonomous system number of the current AS domain that the data packet passes through into the data packet as mark information, to obtain a marked data packet.
- Each AS domain has a corresponding globally unique number, the autonomous system number (ASN).
- The ASN can be inserted into the data packet as mark information.
- An ASN can be represented as an unsigned 32-bit integer.
- The data packet includes a preset mark area, which can be understood as a preset free area.
- The mark area can include different fields, and different fields carry different indications.
- The preset mark area can be obtained by rewriting the IP header of the data packet.
- Inserting part of the ASN of the current AS domain into the data packet as mark information includes: evenly dividing the ASN of the current AS domain into a preset number of fragments, one fragment corresponding to one part of the ASN; and, according to the indication of the corresponding field in the preset mark area of the data packet, inserting the target fragment among the preset number of fragments into the fragment storage field of the data packet as mark information.
- The number of fragments can be determined based on the hop count between the attack source device and the attacked device.
- The preset number can be greater than or equal to 2.
- The larger the preset number, the more fragments an ASN is divided into, and the more data packets the fragments must be distributed across and stored in.
- Each data packet stores one more fragment each time it passes through an AS domain. Therefore, the smaller the number of fragments an ASN is divided into, the fewer data packets are required and the lower the system overhead.
- The number of fragments is the same as the number of data packets.
- Each data packet correspondingly stores one fragment. For example, if the ASN is evenly divided into three fragments, the three fragments need to be stored in three different data packets.
- The ASN can be evenly divided into two pieces.
- The first piece corresponds to the first half of the ASN, and the second piece corresponds to the second half of the ASN.
- The preset mark area can be obtained by rewriting the service type (ToS) field, reserved field and options field of the IP header of the data packet. Since the length of the options field of the IP header is variable, the options field can be used as the preset mark area.
- The fragment storage field is used to store fragments.
- The preset mark area may include a packet mark field, a fragment mark field, a distance length field, a fragment insertion field, and a fragment storage field.
- Figure 3 is a schematic diagram of the IP header of a data packet rewritten into a preset mark area, provided by an embodiment of the present application.
- The shaded part in the figure represents the IP header fields that are rewritten; the shaded part is rewritten as the mark field, which is the preset mark area.
- The mark field can be composed of the 1-bit packet mark field Flag_RF, the 1-bit fragment mark field AS_Num, the 4-bit distance length field Distance, the 1-bit fragment insertion field Frag, and the variable-length fragment storage field AS_Path.
- The packet mark field indicates whether the data packet is marked; the fragment mark field indicates the target fragment among the preset number of fragments obtained by dividing the ASN of the AS domain; the distance length field indicates the number of AS domains the data packet has passed through; the fragment insertion field indicates the target fragment inserted into the data packet; and the fragment storage field stores the target fragments of all AS domains.
- Whether an obtained data packet is already marked can be determined from the packet mark field: its value is 0 or 1, where 0 means not marked and 1 means marked.
- The fragment mark field of each of the preset number of data packets determines which fragment of the divided ASN that packet carries: its value is 0 or 1, where 0 indicates the first half fragment and 1 indicates the second half fragment.
- The distance length field tells how many AS domains the data packet has passed through; its value can be 0 to 15, and from it the distance between the attack source device and the attacked device can be known.
- The fragment insertion field determines which fragment is inserted into the data packet as the target fragment. For example, the value of the fragment insertion field is 0 or 1: 0 means the first half fragment is inserted into the fragment storage field of the data packet, and 1 means the second half fragment is inserted into the fragment storage field of the packet.
- The number of data packets is the preset number.
- Inserting the target fragment among the preset number of fragments into the fragment storage field of the data packet as mark information includes: for each data packet, determining the target fragment according to the fragment mark field; using the target fragment as mark information; and inserting the mark information into the fragment storage field according to the indication of the fragment insertion field.
- The fragment mark fields of different data packets indicate different fragments among the preset number of fragments.
- The preset number of fragments needs to be stored in the preset number of data packets, and each data packet stores one more fragment each time it passes through an AS domain. For each packet, the target fragment is determined from the fragment mark field and fragment insertion field in the packet, and the target fragment is inserted into the packet.
- The ASN of the first AS domain is divided into two fragments, which are inserted into different data packets respectively.
- The fragment mark field and fragment insertion field of the data packet carrying the first half fragment as mark information are set to 0, and the fragment mark field and fragment insertion field of the data packet carrying the second half fragment as mark information are set to 1. For data packets passing through other AS domains, if the value of the fragment mark field is 0, the target fragment is determined to be the first half fragment and the first half fragment is used as the mark information; since the value of the fragment insertion field is then also 0, the mark information is inserted into the fragment storage field of the data packet according to the indication of the fragment insertion field. The values of the fragment insertion field and the fragment mark field are the same.
- The value of the distance length field increases accordingly.
- Each time a target fragment is added to the data packet, the value of the distance length field in the preset mark area of the data packet is increased by 1.
- The value of the distance length field in the preset mark area of the target data packet indicates the distance between the attacked device and the attack source device.
- The data packets are acquired within a preset time period, and those data packets are marked.
- The attack source device can send data packets continuously, so the router can choose to obtain the data packets once within each preset period and mark them. This effectively avoids the problem of being unable to trace the source after a marked data packet is lost: the router can obtain data packets again and mark them after a marked packet is lost. In addition, flexible marking of data packets within a preset time period can improve the accuracy of attack source tracing.
- The attack source tracing method provided by the embodiment of this application has the following effects. First, the number of routers participating in AS traceability marking is much smaller than the number of routers in the network, which effectively reduces router overhead. Second, the AS-based path length is far smaller than the IP-based path length used in related technologies, so the number of data packets required for path reconstruction is small and the computational overhead is small. Third, only a limited number of data packets are marked, and no router can overwrite the mark information of an upstream router, so the mark information will not be lost. Fourth, only the router at the entrance of each AS domain participates in marking, so traceability is fast. Fifth, the mark information is the ASN. Sixth, AS-based cross-domain attack source tracing does not require exposing the network topology and has no bandwidth requirements.
- This application also provides the following embodiment.
- The number of data packets obtained by the router is 2.
- The ASN of each AS domain is evenly cut into 2 fragments.
- Figure 4 is a flow example diagram of another attack source tracing method provided by the embodiment of the present application.
- The attacker, that is, the attack source device, sends data packets from the AS 1 domain to the victim, that is, the attacked device, in the AS n domain.
- R 1 can represent the ingress router of the AS 1 domain.
- R 2 can represent the ingress router of the AS 2 domain.
- R 3 can represent the egress router of the AS 2 domain.
- R 4 can represent the ingress router of the AS 3 domain.
- R 5 can represent the egress router of the AS 3 domain.
- R 6 can represent the ingress router of the AS 4 domain.
- R 7 can represent the egress router of the AS 4 domain.
- R n can represent the ingress router of the AS n domain.
- When the ingress router R 1 connected to the attacker obtains 2 data packets, it first inserts mark information into the 2 data packets and then forwards them to the AS 2 domain.
- The process is as follows. Router R 1, which is the closest to the attacker, marks the two data packets sent by the attacker respectively: it inserts the ASN 1-1 fragment, obtained by cutting ASN 1 of the AS 1 domain, into the fragment storage field of data packet 1 as mark information, and inserts the ASN 1-2 fragment, also obtained by cutting ASN 1, into the fragment storage field of data packet 2 as mark information; it then sets the packet mark field in each of the two packets.
- When R 2 in the AS 2 domain obtains a data packet, it uses the value of the fragment mark field in the packet to select which fragment obtained by cutting ASN 2 is inserted into the packet as mark information, based on the value of the fragment insertion field.
- The value of the fragment mark field in packet 1 is 0, indicating that the target fragment is the first half fragment.
- The value of the fragment insertion field is 0, indicating that the first half fragment of the ASN of the previous AS domain has been inserted into the data packet.
- Therefore the ASN 2-1 fragment obtained by cutting ASN 2 is inserted into the fragment storage field of packet 1 as mark information. The value of the fragment mark field in packet 2 is 1, indicating that the target fragment is the second half fragment, and the value of the fragment insertion field is 1, indicating that the second half fragment of the ASN of the previous AS domain has been inserted into the fragment storage field of packet 2; therefore the ASN 2-2 fragment obtained by cutting ASN 2 is inserted into the fragment storage field of packet 2 as mark information. Since R 3 and R 2 belong to the same network domain and ASN 2 has already been inserted, R 3 skips insertion and forwards the data packet directly to the next-hop router.
- The attack path can then be reconstructed from the ASNs and the source of the attack traced.
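The following Python simulation is an added example, not code from the patent application, of the ingress-router marking step described above (Figure 3 fields, Figure 4 walkthrough). It models the preset mark area as a small record with the field names Flag_RF, AS_Num, Distance, Frag and AS_Path; the ASN values and the router list are constructed for the demo and do not come from the application. It also makes explicit a limit the text implies but does not spell out: the 4-bit Distance field caps a traceable path at 15 AS domains.

```python
# Added example (not from the patent): simulate the ingress-router marking step.
# Field names follow Figure 3; ASN values and the router list are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple

ASN_BITS = 32        # an ASN is an unsigned 32-bit integer
PIECES = 2           # preset number of fragments (two halves, as in Figure 4)
DISTANCE_MAX = 15    # the Distance field is 4 bits wide, so it holds 0..15


@dataclass
class MarkArea:
    """The preset mark area written into the rewritten IP header."""
    flag_rf: int = 0                      # packet mark field: 0 = unmarked, 1 = marked
    as_num: int = 0                       # fragment mark field: which fragment this packet carries
    distance: int = 0                     # distance length field: AS domains traversed so far
    frag: int = 0                         # fragment insertion field: fragment last inserted
    as_path: List[int] = field(default_factory=list)  # fragment storage field


def split_asn(asn: int, pieces: int = PIECES) -> List[int]:
    """Evenly divide a 32-bit ASN into `pieces` fixed-width fragments, most significant first."""
    if not 0 <= asn < (1 << ASN_BITS):
        raise ValueError("ASN must fit in 32 bits")
    width = ASN_BITS // pieces
    mask = (1 << width) - 1
    return [(asn >> (width * (pieces - 1 - i))) & mask for i in range(pieces)]


def mark_at_ingress(pkt: MarkArea, asn: int, first_hop_index: int) -> MarkArea:
    """What the ingress router of one AS domain does to one packet.

    The router closest to the attacker (Flag_RF == 0) assigns the packet its fragment
    number; every later ingress router reads AS_Num to pick the matching fragment of
    its own ASN, appends it to AS_Path and increases Distance by one.
    """
    if pkt.flag_rf == 0:
        pkt.flag_rf = 1
        pkt.as_num = first_hop_index
    if pkt.distance >= DISTANCE_MAX:
        # 4-bit field: a path longer than 15 AS domains cannot be recorded
        raise OverflowError("Distance field exhausted")
    target = split_asn(asn)[pkt.as_num]
    pkt.as_path.append(target)
    pkt.frag = pkt.as_num          # Frag mirrors AS_Num once the fragment is inserted
    pkt.distance += 1
    return pkt


def forward_through(routers: List[Tuple[str, int, str]], pieces: int = PIECES) -> List[MarkArea]:
    """Send `pieces` packets along a router list of (name, asn, role).

    Only ingress routers mark; an egress router of a domain whose fragment is already
    present skips insertion and just forwards, as R3/R5/R7 do in Figure 4.
    """
    packets = [MarkArea() for _ in range(pieces)]
    for _name, asn, role in routers:
        if role != "ingress":
            continue
        for i, pkt in enumerate(packets):
            mark_at_ingress(pkt, asn, first_hop_index=i)
    return packets


# Constructed demo path across four AS domains (ASNs chosen arbitrarily for the demo).
DEMO_ROUTERS = [
    ("R1", 4200000001, "ingress"),   # AS 1, attacker side, 4-byte ASN
    ("R2", 64512, "ingress"),        # AS 2
    ("R3", 64512, "egress"),         # same domain as R2: skips insertion
    ("R4", 65001, "ingress"),        # AS 3
    ("R5", 65001, "egress"),
    ("Rn", 4259999999, "ingress"),   # AS n, victim side
]

if __name__ == "__main__":
    for p in forward_through(DEMO_ROUTERS):
        print(p)
```

Running it shows packet 0 collecting the high 16 bits of every ASN and packet 1 the low 16 bits, both with Distance 4; an ASN below 65536 leaves a zero fragment in packet 0, which is why both packets are needed to recover the path.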
- Figure 5 is a schematic flowchart of another attack source tracing method provided by an embodiment of the present application. The method can be applied to respond to large-scale DDoS attacks across multiple network domains. It can be executed by an attack source tracing device, which can be implemented in software and/or hardware and is generally integrated on a server. In this embodiment, the server can be the server of the attacked device.
- The attack source tracing method provided by the embodiment of this application includes:
- The target data packet carries complete mark information.
- The complete mark information includes the autonomous system numbers of all AS domains between the attack source device and the attacked device.
- The method by which the attack is detected is not limited.
- For example, a DDoS attack is detected according to a DDoS attack detection algorithm.
- Multiple target data packets can be extracted to perform path reconstruction based on the mark information in their fragment storage fields.
- S220: Reconstruct the AS path between the attack source device and the attacked device according to the fragment storage field in the target data packet.
- All AS domains the data packet passed through during forwarding can be determined from the mark information in the fragment storage fields of the multiple target data packets, so the AS path between the attack source device and the attacked device can be reconstructed.
- The number of target data packets is the preset number.
- Reconstructing the AS path between the attack source device and the attacked device based on the fragment storage field in the target data packet includes: extracting the fragments in the fragment storage fields of the preset number of target data packets into a reconstruction path table; and, when the reconstruction path table contains complete mark information, obtaining all the fragments in each target data packet.
- Each target data packet is extracted in turn according to the sort order corresponding to the preset number of values; for each target data packet extracted in that order, the fragments in its fragment storage field are extracted; and according to the distance length field in each target data packet, the fragments in the fragment storage fields are reassembled to obtain the AS path between the attack source device and the attacked device.
- The reconstruction path table containing complete mark information means that the mark information in the table can be spliced into a complete AS path. At that point the server stops filling fragments from the fragment storage fields into the reconstruction path table.
- The extraction order of the target data packets can be determined from the value of the fragment mark field in each target data packet. For example, if the value of the fragment mark field of the first target data packet is 0 and that of the second target data packet is 1, the target data packets are extracted in order from 0 to 1, that is, the first target data packet is extracted first and then the second.
- Extracting the fragments in the fragment storage fields of the preset number of target data packets into the reconstruction path table includes: determining each fragment in the fragment storage field of the preset number of target data packets based on their distance length field and fragment mark field; and extracting each determined fragment into the reconstruction path table.
- Each fragment in the fragment storage field is determined based on the distance length field and fragment mark field of the preset number of target data packets, that is, the fragment storage field is divided into fragments according to those two fields.
- Reassembling the fragments in the fragment storage field of each target data packet according to its distance length field to obtain the AS path between the attack source device and the attacked device includes: sorting the fragments in the fragment storage field of each target data packet in ascending order of the value of the distance length field and the preset-number value, to obtain a preset number of coding blocks, one coding block per data packet; splicing the preset number of coding blocks according to the sort order to obtain a target coding block that contains the complete mark information; and determining the AS path between the attack source device and the attacked device according to the complete mark information.
- Figure 6 is a schematic diagram of AS path reconstruction in an attack source tracing method provided by the embodiment of the present application.
- The attacker, that is, the attack source device, sends two data packets from the AS1 domain through the AS2 domain, AS3 domain, and so on.
- The server of the attacked device can extract the fragments in the fragment storage field of target data packet P1, namely ASN 1-1, ASN 2-1, ASN 3-1 ... ASN n-1, and the fragments in the fragment storage field of target data packet P2, namely ASN 1-2, ASN 2-2, ASN 3-2 ... ASN n-2. The fragments of P1 and P2 are sorted in order from 0 to n according to the value of the distance length field, and the fragments of P1 and P2 are spliced top to bottom according to the order of the fragment mark field from 0 to 1. For example, splicing ASN 1-1 and ASN 1-2 top to bottom yields ASN 1. After splicing ASN 1, ASN 2, ASN 3 ... ASN n in the same way, the AS path is obtained.
- All AS domains the data packet passed through during forwarding are known from the AS path, and the attack source device can be traced back.
- The SDN controller in the attacker's domain queries the flow table information based on the DDoS attack detection and traceability results, and issues a forwarding policy to the edge switch that allows or prohibits communication with the victim host, ultimately mitigating the DDoS attack at its source.
- FIG. 7 is a schematic diagram of an attack mitigation process provided by an embodiment of the present application. As shown in Figure 7, the attack mitigation process may include:
- After the victim domain detects a DDoS attack, it starts the inter-domain attack source tracing method to obtain {ASN, IPsrc, IPdst, src.port, dst.port} and initiates a blocking request.
- the SDN controller in the attacker's domain queries the flow table entries.
- the SDN controller in the attacker's domain delivers the new flow table to the edge switch for DDoS attack mitigation.
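The three-step mitigation process of Figure 7 (the victim domain sends the {ASN, IPsrc, IPdst, src.port, dst.port} tuple as a blocking request; the controller in the attacker's domain queries its flow table entries; a new entry is delivered to the edge switch) can be sketched with a minimal flow table. The Python below is an added example written for this page, not code from the patent application or from any SDN controller: the addresses and ports, the `Match`/`FlowEntry`/`EdgeSwitch` classes, the "highest priority wins, table-miss forwards" semantics and the choice to install the drop rule one priority level above any matching entry are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed blocking request shaped like the tuple the victim domain obtains from
# source tracing; the AS number 234 is the attacker's domain from Figure 8, the
# addresses and ports are sample values.
BLOCK_REQUEST = {"asn": 234, "ip_src": "10.0.0.7", "ip_dst": "192.0.2.10",
                 "src_port": 40000, "dst_port": 80}


@dataclass(frozen=True)
class Match:
    """Match fields of a flow entry; None is a wildcard (assumed semantics)."""
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def hits(self, ip_src: str, ip_dst: str, src_port: int, dst_port: int) -> bool:
        pairs = ((self.ip_src, ip_src), (self.ip_dst, ip_dst),
                 (self.src_port, src_port), (self.dst_port, dst_port))
        return all(want is None or want == got for want, got in pairs)


@dataclass
class FlowEntry:
    priority: int
    match: Match
    action: str          # "forward" or "drop"


class EdgeSwitch:
    """Minimal flow table: the highest-priority matching entry decides, a table miss forwards."""

    def __init__(self) -> None:
        self.table: List[FlowEntry] = []

    def install(self, entry: FlowEntry) -> None:
        self.table.append(entry)
        self.table.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, ip_src: str, ip_dst: str, src_port: int, dst_port: int) -> str:
        for e in self.table:
            if e.match.hits(ip_src, ip_dst, src_port, dst_port):
                return e.action
        return "forward"


class AttackerDomainController:
    """Controller of the AS domain named in the blocking request (hypothetical)."""

    def __init__(self, local_asn: int, switch: EdgeSwitch) -> None:
        self.local_asn = local_asn
        self.switch = switch

    def query_flow_entries(self, req: dict) -> List[FlowEntry]:
        """Step 2 of Figure 7: which existing entries currently carry the reported flow."""
        return [e for e in self.switch.table
                if e.match.hits(req["ip_src"], req["ip_dst"], req["src_port"], req["dst_port"])]

    def handle_block_request(self, req: dict) -> Optional[FlowEntry]:
        """Step 3 of Figure 7: deliver a new flow entry to the edge switch."""
        if req["asn"] != self.local_asn:      # request is addressed to another AS domain
            return None
        existing = self.query_flow_entries(req)
        # Drop rule must outrank every entry that currently forwards the flow.
        prio = max((e.priority for e in existing), default=0) + 1
        match = Match(req["ip_src"], req["ip_dst"], req["src_port"], req["dst_port"])
        entry = FlowEntry(prio, match, "drop")
        self.switch.install(entry)
        return entry
```

The drop entry matches the exact 5-tuple reported by the victim, so other traffic towards the victim host, and other hosts behind the same edge switch, keep their existing forwarding entries.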
- the embodiment of this application provides an attack source tracing method.
- This method uses the globally unique number ASN corresponding to each AS domain to mark the data packets sent by the attacker.
- the IP data packet is used as the information carrier for path reconstruction.
- The packet header is rewritten, using the type of service field, the reserved fields and the options field of the IP header to store the mark information. The variable part of the IP packet header, i.e. the options field, is enabled to store the ASN fragments of all AS domains traversed from the attacker to the victim. As the packet traverses the AS domains from the attacker to the victim, the ingress router of each AS domain divides the globally unique ASN of that domain into equal ASN fragments of fixed length and inserts one of them into the custom idle fields of the data packets passing through it, that is, into the preset mark area. From the attacker to the victim, each time a packet enters an AS domain, the ingress router of that domain selects a fragment of the AS's ASN according to the marking rules and inserts it into the corresponding data packet, until all AS domains between the attacker and the victim have been traversed. Finally, when the AS domain where the victim is located collects data packets that include the complete mark information, the complete attacker-to-victim AS path can be reconstructed based on the correspondence between the distance length field, the fragment mark field and the fragment storage field.
- Figure 8 is an example flow chart of another attack source tracing method provided by the embodiment of the present application.
- An ASN is 2 bytes or 4 bytes long.
- Figure 8 shows a simple network topology from the attacker's AS234 domain to the victim's AS6800 domain.
- In Figure 8, router R1, which is directly connected to the attacker, inserts the two fragments of ASN 234 into the AS_Path fields of two data packets and at the same time sets the Flag_RF field, the data packet mark field.
- For the data packet storing the fragment 000000000000, the fragment mark field AS_Num and the fragment insertion field Frag are set to 0, and the fragment is stored.
- For the data packet storing the fragment 0000000011101010, the fragment mark field AS_Num and the fragment insertion field Frag are set to 1, and the distance length field Distance is set to 0.
- Attack source tracing then begins.
- The victim server extracts the collected marked data packets and reconstructs the attack path. According to the correspondence between the values of the Distance field and the AS_Num field and the ASN fragments in the AS_Path field, the AS path between the attacker and the victim is finally restored.
- The attack source tracing method provided by the embodiment of this application is an AS-oriented multi-domain DDoS attack source tracing method. It has the advantages of fast source tracing and low system overhead. This application aims to reduce the number of data packets required for path reconstruction, reduce the number of routers participating in marking, reduce the resource overhead of routers, improve the backtracking speed of cross-domain traceability, and improve the capabilities of cross-domain DDoS defense mechanisms.
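The marking rule (each ingress router inserts one fixed-length fragment of its ASN into the packet selected by the fragment mark field and advances the distance length field) and the victim-side reconstruction (sort each packet's fragments by Distance, then splice the fragments of packet 0 and packet 1 at each distance) can be simulated end to end. The Python below is an added example written for this page, not code from the patent application; it assumes a 2-byte ASN split into two fragments as in Figure 8, field names chosen to mirror the Flag_RF, AS_Num, Distance, Frag and AS_Path fields, and a constructed intermediate AS number 1000 between AS234 and AS6800 for the test path.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed parameters: a 2-byte ASN evenly split into two fragments, so two marked
# packets together carry the complete mark information.
ASN_BITS = 16
FRAGMENTS = 2


@dataclass
class MarkArea:
    """Preset mark area carried in the rewritten IP header (names mirror Figure 8)."""
    flag_rf: int = 0                                   # data packet mark field
    as_num: int = 0                                    # fragment mark field (which fragment)
    distance: int = 0                                  # distance length field
    frag: int = 0                                      # fragment insertion field
    as_path: List[int] = field(default_factory=list)   # fragment storage field


def split_asn(asn: int, n: int = FRAGMENTS, bits: int = ASN_BITS) -> List[int]:
    """Evenly divide an ASN into n fixed-length fragments, most significant first."""
    if asn < 0 or asn >= (1 << bits):
        raise ValueError("ASN does not fit in %d bits" % bits)
    width = bits // n
    mask = (1 << width) - 1
    return [(asn >> (width * (n - 1 - i))) & mask for i in range(n)]


def ingress_mark(pkt: MarkArea, asn: int) -> MarkArea:
    """Marking step at the ingress router of one AS domain.

    The fragment mark field selects the fragment, so packet 0 collects the first
    fragment of every ASN on the path and packet 1 the second.
    """
    target = split_asn(asn)[pkt.as_num]
    pkt.flag_rf = 1
    pkt.frag = target
    pkt.as_path.append(target)
    pkt.distance = len(pkt.as_path) - 1   # 0 in the first AS domain, +1 per later domain
    return pkt


def send_through(as_path: List[int]) -> List[MarkArea]:
    """Simulate the preset number of packets crossing every AS domain on as_path."""
    pkts = [MarkArea(as_num=i) for i in range(FRAGMENTS)]
    for asn in as_path:
        for p in pkts:
            ingress_mark(p, asn)
    return pkts


def reconstruct_as_path(packets: List[MarkArea], bits: int = ASN_BITS) -> List[int]:
    """Victim-side reconstruction from packets carrying complete mark information."""
    marked = sorted((p for p in packets if p.flag_rf), key=lambda p: p.as_num)
    if [p.as_num for p in marked] != list(range(FRAGMENTS)):
        raise ValueError("need exactly one marked packet per fragment index")
    if len({p.distance for p in marked}) != 1:
        raise ValueError("marked packets crossed different numbers of AS domains")
    hops = marked[0].distance + 1
    if any(len(p.as_path) != hops for p in marked):
        raise ValueError("fragment storage field is incomplete")
    width = bits // FRAGMENTS
    # Each packet's fragments already sit in distance order (one coding block per
    # packet); splicing block 0 above block 1 at every distance recovers each ASN.
    return [sum(p.as_path[d] << (width * (FRAGMENTS - 1 - p.as_num)) for p in marked)
            for d in range(hops)]
```

With `split_asn(234)` the two fragments are `0b00000000` and `0b11101010`, matching the bit strings in the Figure 8 walkthrough; `reconstruct_as_path` refuses to run when only one of the two marked packets has been collected, which is the case the preset time period for collecting marked packets is meant to avoid.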
- Figure 9 is a schematic structural diagram of an attack source tracing device provided by an embodiment of the present application.
- The device can be adapted to deal with large-scale DDoS attacks across multiple network domains.
- the device can be implemented by software and/or hardware and is generally integrated on a router.
- the router in this embodiment can be a router at the entrance of the AS domain.
- the device includes: an acquisition module 110 and a marking module 120.
- The acquisition module 110 is configured to acquire data packets, which are sent from the attack source device to the attacked device; the marking module 120 is configured to mark the data packets to obtain marked data packets, so that the attacked device can trace back to the attack source device according to the target data packet, the target data packet being a marked data packet obtained after final marking of the data packet.
- This embodiment provides an attack source tracing device that can reduce the number of data packets required for path reconstruction, reduce the number of routers participating in marking, reduce router resource overhead, and improve the backtracking speed of cross-domain traceability.
- The marking module 120 includes an insertion sub-module, which is configured to insert part of the autonomous system number of the current autonomous system (AS) domain that the data packet passes through into the data packet as mark information, to obtain a marked data packet.
- The insertion sub-module is configured to: evenly divide the autonomous system number of the current AS domain into a preset number of fragments, each fragment corresponding to a part of the autonomous system number; and, according to the indication of the corresponding field in the preset mark area of the data packet, insert the target fragment among the preset number of fragments into the fragment storage field of the data packet as mark information.
- the preset mark area includes a data packet mark field, a fragment mark field, a distance length field, a fragment insertion field and a fragment storage field;
- the data packet mark field indicates whether the data packet is marked;
- the fragment mark field indicates the target fragment among the preset number of fragments obtained by dividing the autonomous system number of the AS domain;
- the distance length field indicates the number of AS domains that the data packet passes through;
- the fragment insertion field indicates the target fragment inserted into the data packet;
- the fragment storage field stores the target fragments of all AS domains.
- the number of the data packets is the preset number.
- Inserting the target fragment among the preset number of fragments into the fragment storage field of the data packet as mark information includes: for each data packet, determining the target fragment according to the fragment mark field; using the target fragment as mark information; and inserting the mark information into the fragment storage field according to the instruction of the fragment insertion field.
- the fragmentation mark fields of different data packets correspondingly indicate different fragments among the preset number of fragments.
- The value of the distance length field increases accordingly each time the data packet passes through an AS domain.
- the number of data packets is 2.
- the data packets are acquired within a preset time period, and the data packets are marked.
- the attack source tracing device proposed in this embodiment has the same concept as the attack source tracing method proposed in the above embodiment.
- Technical details not described in this embodiment can be found in any of the above embodiments, and this embodiment has the same beneficial effect as the attack source tracing method.
- FIG 10 is a schematic structural diagram of another attack source tracing device provided by an embodiment of the present application.
- This device can be suitable for responding to large-scale DDoS attacks across multiple network domains.
- The device can be implemented by software and/or hardware and is generally integrated on the server; the server in this embodiment may be a server in the AS domain where the attacked device is located.
- the device includes: an extraction module 210, a reconstruction module 220 and a traceability module 230.
- The extraction module 210 is configured to extract a target data packet when a distributed denial-of-service attack is detected.
- The target data packet has complete mark information, and the complete mark information includes the autonomous system numbers of all AS domains between the attack source device and the attacked device.
- The reconstruction module 220 is configured to reconstruct the AS path between the attack source device and the attacked device according to the fragment storage field in the target data packet; the traceability module 230 is configured to trace the attack source device according to the AS path.
- This embodiment provides an attack source tracing device, which can reduce the storage of the router, improve the performance of the router, accurately reconstruct the AS path based on the mark information, and quickly trace the attack source device.
- the number of target data packets is a preset number.
- The reconstruction module 220 is configured to:
- extract each target data packet in sequence according to the sorting order corresponding to the preset number of values; extract the fragments from the fragment storage field of each target data packet in that sorting order; and reconstruct the fragments in the fragment storage field of each target data packet according to the distance length field in each target data packet, to obtain the AS path between the attack source device and the attacked device.
- The reconstruction module 220 includes an extraction sub-module, which is configured to: determine each fragment in the fragment storage field of the preset number of target data packets based on the distance length field and the fragment mark field in those packets; and extract each determined fragment into the reconstruction path table.
- The reconstruction module 220 includes a reconstruction sub-module, which is configured to:
- sort the fragments in the fragment storage field of each target data packet in ascending order according to the value of the distance length field in each target data packet and the value of the fragment mark field in the preset number of target data packets, to obtain a preset number of coding blocks, one data packet corresponding to one coding block; splice the preset number of coding blocks according to the sorting order to obtain the target coding block, which includes the complete mark information; and determine the AS path between the attack source device and the attacked device based on the complete mark information.
- the attack source tracing device proposed in this embodiment has the same concept as the attack source tracing method proposed in the above embodiment.
- Technical details not described in this embodiment can be found in any of the above embodiments, and this embodiment has the same beneficial effect as the attack source tracing method.
- FIG. 11 is a schematic diagram of the hardware structure of a router provided by an embodiment of the present application.
- the router provided by the embodiment of the present application includes a memory 520, a processor 510, and a computer program stored in the memory and executable on the processor.
- When the processor 510 executes the program, the above-mentioned attack source tracing method is implemented.
- The router may also include a memory 520; there may be one or more processors 510 in the router, and one processor 510 is taken as an example in Figure 11; the memory 520 is configured to store one or more programs; the one or more programs are executed by the one or more processors 510, so that the one or more processors 510 implement the attack source tracing method as described in the embodiment of this application.
- the router also includes: communication device 530, input device 540 and output device 550.
- the processor 510, memory 520, communication device 530, input device 540 and output device 550 in the router can be connected through a bus or other means.
- connection through a bus is taken as an example.
- the input device 540 may be configured to receive input numeric or character information and generate key signal input related to user settings and function control of the terminal device.
- the output device 550 may include a display device such as a display screen.
- Communication device 530 may include a receiver and a transmitter.
- the communication device 530 is configured to perform information transceiver communication according to the control of the processor 510 .
- The memory 520 can be configured to store software programs, computer executable programs and modules, such as the program instructions/modules corresponding to the attack source tracing method described in the embodiments of the present application (for example, the acquisition module 110 and the marking module 120 of the attack source tracing device).
- the memory 520 may include a storage program area and a storage data area, where the storage program area may store an operating system and at least one application program required for a function; the storage data area may store data created according to the use of the router, and the like.
- memory 520 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
- memory 520 may include memory located remotely from processor 510, and these remote memories may be connected to a router through a network. Examples of the above-mentioned networks include the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
- FIG. 12 is a schematic diagram of the hardware structure of a server provided by the embodiment of the present application.
- The server provided by the present application includes a memory 620, a processor 610, and a computer program stored in the memory and executable on the processor; when the processor 610 executes the program, the above attack source tracing method is implemented.
- The server may also include a memory 620; there may be one or more processors 610 in the server, and one processor 610 is taken as an example in Figure 12; the memory 620 is configured to store one or more programs; the one or more programs are executed by the one or more processors 610, so that the one or more processors 610 implement the attack source tracing method as described in the embodiment of this application.
- the server also includes: communication device 630, input device 640 and output device 650.
- the processor 610, memory 620, communication device 630, input device 640 and output device 650 in the server can be connected through a bus or other means.
- connection through a bus is taken as an example.
- the input device 640 may be configured to receive input numeric or character information and generate key signal input related to user settings and function control of the terminal device.
- the output device 650 may include a display device such as a display screen.
- Communication device 630 may include a receiver and a transmitter.
- the communication device 630 is configured to perform information transceiver communication according to the control of the processor 610 .
- The memory 620 can be configured to store software programs, computer executable programs and modules, such as the program instructions/modules corresponding to the attack source tracing method described in the embodiments of the present application (for example, the extraction module 210, the reconstruction module 220 and the traceability module 230 of the attack source tracing device).
- the memory 620 may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function; the storage data area may store data created according to use of the server, and the like.
- the memory 620 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
- memory 620 may include memory located remotely from processor 610, and these remote memories may be connected to the server through a network. Examples of the above-mentioned networks include the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
- Embodiments of the present application also provide a storage medium.
- the storage medium stores a computer program.
- the computer program is executed by a processor, any of the attack source tracing methods described in the embodiments of the present application is implemented.
- The attack source tracing method applied to routers includes: obtaining data packets, which are sent from the attack source device to the attacked device; and marking the data packets to obtain marked data packets, so that the attacked device can trace back to the attack source device according to the target data packet, the target data packet being a marked data packet obtained after final marking of the data packet.
- The attack source tracing method applied to the server includes: when an attack is detected, extracting a target data packet, where the target data packet has complete mark information and the complete mark information includes the autonomous system numbers of all AS domains between the attack source device and the attacked device; reconstructing the AS path between the attack source device and the attacked device based on the fragment storage field in the target data packet; and tracing the attack source device according to the AS path.
- the computer storage medium in the embodiment of the present application may be any combination of one or more computer-readable media.
- the computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium.
- the computer-readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, device or device, or any combination thereof.
- Examples of computer-readable storage media include: an electrical connection having one or more wires, a portable computer disk, a hard drive, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM), flash memory, optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic memory devices, or any suitable combination of the above.
- a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus, or device.
- a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave carrying computer-readable program code therein. This propagated data signal can take many forms, including: electromagnetic signals, optical signals, or any suitable combination of the above.
- A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device.
- Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including: wireless, wire, optical cable, radio frequency (Radio Frequency, RF), etc., or any suitable combination of the above.
- Computer program code for performing the operations of the present application may be written in one or more programming languages, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" language or similar programming languages.
- the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
- The remote computer can be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or it can be connected to an external computer (for example, through the Internet using an Internet service provider).
- The user terminal covers any suitable type of wireless user device, such as a mobile phone, a portable data processing device, a portable web browser or a vehicle-mounted mobile station.
- the various embodiments of the present application may be implemented in hardware or special purpose circuitry, software, logic, or any combination thereof.
- some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software that may be executed by a controller, microprocessor, or other computing device, although the application is not limited thereto.
- Embodiments of the present application may be implemented by a data processor of the mobile device executing computer program instructions, for example in a processor entity, or by hardware, or by a combination of software and hardware.
- Computer program instructions may be assembly instructions, Instruction Set Architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.
- Any block diagram of a logic flow in the figures of this application may represent program operations, or may represent interconnected logic circuits, modules, and functions, or may represent a combination of program operations and logic circuits, modules, and functions.
- Computer programs can be stored on memory.
- The memory may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as ROM, RAM, or optical storage devices and systems (Digital Video Disc (DVD), CD, etc.).
- The computer-readable media may include non-transitory storage media.
- The data processor may be of any type suitable for the local technical environment, such as a general-purpose computer, a special-purpose computer, a microprocessor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a programmable logic device such as a Field-Programmable Gate Array (FPGA), or a processor based on a multi-core processor architecture.
Description
This application relates to the field of communication technology, for example to attack source tracing methods, devices, routers, servers and storage media.
With the increase in access demand, the Internet of Everything has caused a sharp increase in the number of IoT devices directly exposed to cyberspace. A large number of IoT devices with security vulnerabilities are easily compromised by hackers and assembled into botnets that launch large-scale distributed denial of service (DDoS) attacks.
Software Defined Network (SDN) is a new network architecture that separates the control plane from the data plane to support network virtualization. Its many advantages, such as a flexible structure, easy deployment, programmability, scalability and decoupling, provide a new approach to mitigating DDoS attacks. However, most DDoS defense solutions in SDN analyze local traffic characteristics within a single network domain for centralized single-point detection, and achieve DDoS mitigation by blocking the DDoS attack traffic. In practice, the many IoT devices involved in a DDoS attack are usually located within the jurisdiction of different controllers; that is, a DDoS attack usually involves IoT devices across multiple network domains.
Related technology provides a DDoS attack source tracing method based on log recording. Its main idea is that, as a data packet is transmitted through the network, each router records the packet's information and stores it in its routing log. When the attacked IoT device detects that it is under attack, it sends a query request to the upstream router; according to the routing logs in the routers, the routers the packet passed through are found recursively, the attack route is obtained, and the attack source is found according to the attack route.
However, the related solution has the following shortcomings. First, the router has to record a large amount of data, which increases its overhead and reduces its performance. Second, because a router's storage capacity is limited, it cannot store data without bound; when the router's storage reaches its upper limit the log records are overwritten, so the attack source can only be traced within a certain time limit. Third, the log records are a security risk: if a router is controlled by an attacker, the attacker can modify or delete the log records at will, making it impossible to trace the attack source.
Summary of the invention
This application provides attack source tracing methods, devices, routers, servers and storage media, to solve the problems in the related technology of excessive router overhead, limited storage capacity and the inability to accurately trace the attack source.
This application provides an attack source tracing method applied to a router, including:
obtaining a data packet, which is sent from the attack source device to the attacked device; marking the data packet to obtain a marked data packet, so that the attacked device can trace the attack source device according to the target data packet, the target data packet being a marked data packet obtained after final marking of the data packet.
This application also provides an attack source tracing method applied to a server, the method including:
when an attack is detected, extracting a target data packet, the target data packet having complete mark information, and the complete mark information including the autonomous system numbers of all autonomous system (AS) domains between the attack source device and the attacked device; reconstructing the AS path between the attack source device and the attacked device according to the fragment storage field in the target data packet; and tracing the attack source device according to the AS path.
This application also provides an attack source tracing device applied to a router, including:
an acquisition module, configured to acquire a data packet, which is sent from the attack source device to the attacked device; and a marking module, configured to mark the data packet to obtain a marked data packet, so that the attacked device can trace the attack source device according to the target data packet, the target data packet being a marked data packet obtained after final marking of the data packet.
This application also provides an attack source tracing device applied to a server, including:
an extraction module, configured to extract a target data packet when a distributed denial of service attack is detected, the target data packet having complete mark information, and the complete mark information including the autonomous system numbers of all AS domains between the attack source device and the attacked device; a reconstruction module, configured to reconstruct the AS path between the attack source device and the attacked device based on the fragment storage field in the target data packet; and a traceback module, configured to trace the attack source device according to the AS path.
This application also provides a router, including: a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, the above attack tracing method is implemented.
This application also provides a server, including: a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, the above attack tracing method is implemented.
This application also provides a storage medium. A computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the above attack tracing method is implemented.
Figure 1 is a schematic diagram of an SDN architecture provided by an embodiment of the present application;
Figure 2 is a schematic flowchart of an attack tracing method provided by an embodiment of the present application;
Figure 3 is a schematic diagram of a data packet IP header rewritten into a preset mark area, provided by an embodiment of the present application;
Figure 4 is an example flowchart of another attack tracing method provided by an embodiment of the present application;
Figure 5 is a schematic flowchart of another attack tracing method provided by an embodiment of the present application;
Figure 6 is a schematic diagram of AS path reconstruction in an attack tracing method provided by an embodiment of the present application;
Figure 7 is a schematic diagram of an attack mitigation process provided by an embodiment of the present application;
Figure 8 is an example flowchart of another attack tracing method provided by an embodiment of the present application;
Figure 9 is a schematic structural diagram of an attack tracing apparatus provided by an embodiment of the present application;
Figure 10 is a schematic structural diagram of another attack tracing apparatus provided by an embodiment of the present application;
Figure 11 is a schematic diagram of the hardware structure of a router provided by an embodiment of the present application;
Figure 12 is a schematic diagram of the hardware structure of a server provided by an embodiment of the present application.
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings of those embodiments; the described embodiments are only some of the embodiments of the present application. The operations described in the method embodiments of the present application may be performed in a different order and/or in parallel. Furthermore, the method embodiments may include additional operations and/or omit illustrated operations. The scope of the present application is not limited in this respect.
The terms "first", "second" and the like in the description, claims and drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data so used are interchangeable under appropriate circumstances, so that the embodiments of the present application described here can be practiced in orders other than those illustrated or described here. Furthermore, the terms "including" and "having", and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of operations or units is not necessarily limited to the operations or units listed, but may include other operations or units that are not listed or that are inherent to such processes, methods, products or devices.
The names of the messages or information exchanged between the multiple apparatuses in the embodiments of the present application are used for illustration only and do not limit the scope of those messages or information.
In the present application, the many attacked devices of a DDoS attack are usually located within the jurisdictions of different controllers, and the abnormal traffic usually affects multiple network domains. Figure 1 is a schematic diagram of an SDN architecture provided by an embodiment of the present application. As shown in Figure 1, the attacker's attack traffic may cross multiple network domains to reach the victim; each network domain includes one SDN controller and multiple edge switches. When attack traffic is forwarded into a network domain, the SDN controller of that domain controls how the attack traffic is forwarded among the multiple edge switches.
To hide their real identity, attackers usually launch DDoS attacks against the attacked party using forged source Internet Protocol (IP) addresses. Defenses against DDoS attacks in a network fall mainly into two types. One is to respond immediately when a DDoS attack is detected; this can react quickly to a DDoS attack in the network, but the attacker's real location cannot be found by parsing the source IP address in the data packet, so the DDoS attack cannot be blocked at its root. The other is to first trace the attack source after a DDoS attack is detected, and then defend against the DDoS attack from its source according to the tracing result.
DDoS attack tracing refers to the process by which the victim determines, in some manner, the origin and propagation path of the attack data packets. Because the path along which a data packet is forwarded through the network cannot be forged, once a DDoS detection method finds that a DDoS attack is under way, the victim uses tracing to reconstruct the attack path or locate the attack source, block the DDoS attack at its root and recover the attack path; this is an important part of a DDoS defense system. The real attack source can therefore be tracked by reconstructing the attack path. Subsequently, based on the tracing result, the victim can deploy a safe DDoS mitigation strategy to alleviate the impact of the DDoS attack, and sanctions may also be taken against the attacker.
The global Internet is divided into multiple AS domains, and each AS domain is assigned a globally unique Autonomous System Number (ASN), which is used to exchange external routing information between adjacent AS domains. An ASN can be represented in two different formats: 2-byte and 4-byte. A 2-byte ASN is a 16-bit number, and this format provides 65,536 ASNs (0 to 65535); a 4-byte ASN is a 32-bit number, and this format provides 2^32, or 4,294,967,296, ASNs (0 to 4294967295). In 2012 the Internet Engineering Task Force (IETF) updated the standard in Request For Comments (RFC) 6793: there is no longer a distinction between 2-byte and 4-byte ASNs, and all ASNs should be treated as 4-byte. In the present application an ASN is defined as an unsigned 32-bit integer.
The attack tracing method provided by the embodiments of the present application is a DDoS attack tracing method spanning multiple network domains. The embodiments of the present application are described next.
Figure 2 is a schematic flowchart of an attack tracing method provided by an embodiment of the present application. The method is applicable to handling large-scale DDoS attacks that span multiple network domains and can be executed by an attack tracing apparatus, which may be implemented in software and/or hardware and is generally integrated in a router; in this embodiment the router may be the router at the entrance of an AS domain.
As shown in Figure 2, the attack tracing method provided by this embodiment is executed by the routers at the entrances of multiple different AS domains, and each router may perform the following steps:
S110. Obtain a data packet, the data packet being sent from the attack source device to the attacked device.
The attack source device and the attacked device may be Internet of Things devices. The data packet may be a traffic data packet sent by the attack source device to the attacked device; the number of data packets is not limited here.
In this embodiment, a data packet may pass through multiple AS domains while being forwarded from the attack source device to the attacked device. After the data packet is forwarded into an AS domain, the router at the entrance of that AS domain can obtain it. The manner in which the data packet is obtained is not limited here.
S120. Mark the data packet to obtain a marked data packet, so that the attacked device can trace the attack source device according to a target data packet.
A marked data packet can be understood as a traffic data packet carrying marking information. The target data packet is the traffic data packet with complete marking information obtained after the last AS domain performs the final marking.
In this embodiment, each time the data packet passes through an AS domain on its way from the attack source device to the attacked device, it can be marked according to the autonomous system number of the current AS domain to obtain a marked data packet; after the last AS domain performs the final marking, the target data packet is obtained.
In this embodiment, after the attacked device obtains the target data packet, the server corresponding to the attacked device can trace the attack source device according to the marking information in the target data packet.
Marking the data packet to obtain a marked data packet includes: inserting part of the autonomous system number of the current autonomous system (AS) domain through which the data packet passes into the data packet as marking information, to obtain the marked data packet.
Each AS domain has a corresponding globally unique number, the autonomous system number (ASN), and the ASN can be inserted into the data packet as marking information. An ASN can be represented as an unsigned 32-bit integer.
In this embodiment, the data packet includes a preset mark area, which can be understood as a pre-arranged free area. The mark area may include different fields, each with a different meaning. The preset mark area can be obtained by rewriting the IP header of the data packet.
Inserting part of the ASN of the current AS domain through which the data packet passes into the data packet as marking information includes: evenly dividing the ASN of the current AS domain into a preset number of fragments, each fragment corresponding to one part of the ASN; and, according to the indication of the corresponding field in the preset mark area of the data packet, inserting the target fragment among the preset number of fragments into the fragment storage field of the data packet as marking information.
In this embodiment, the number of fragments can be determined according to the hop-count distance between the attack source device and the attacked device. The preset number may be greater than or equal to 2. The larger the preset number, the more fragments an ASN is divided into, and the more fragments must be distributed across more data packets for storage; each data packet stores one additional fragment for each AS domain it passes through. Therefore, the fewer fragments an ASN is divided into, the fewer data packets are needed and the lower the system overhead. The number of fragments equals the number of data packets: if the ASN is evenly divided into a preset number of fragments, the same preset number of data packets must be obtained, and each data packet stores one fragment. For example, if an ASN is evenly divided into three fragments, the three fragments must be stored in three separate data packets.
For example, the ASN can be evenly divided into two halves; the first half corresponds to the first half of the ASN and the second half to the second half of the ASN.
The preset mark area can be obtained by rewriting the type of service field, the reserved field and the options field of the data packet's IP header. Since the options field of the IP header has a variable length, the options field can serve as the fragment storage field of the preset mark area, used to store fragments. The preset mark area may include a packet mark field, a fragment mark field, a distance length field, a fragment insertion field and a fragment storage field.
Figure 3 is a schematic diagram of a data packet IP header rewritten into a preset mark area, provided by an embodiment of the present application. As shown in Figure 3, the shaded part of the figure represents the IP header fields that are rewritten, i.e. the rewritten part of the data packet's IP header; the shaded part is rewritten as the mark domain, i.e. the preset mark area. The mark domain may consist of a 1-bit packet mark field Flag_RF, a 1-bit fragment mark field AS_Num, a 4-bit distance length field Distance, a 1-bit fragment insertion field Frag and a variable-length fragment storage field AS_Path.
The packet mark field indicates whether the data packet has been marked; the fragment mark field indicates the target fragment among the preset number of fragments obtained by dividing the ASN of an AS domain; the distance length field indicates the number of AS domains the data packet has passed through; the fragment insertion field indicates the target fragment inserted into the data packet; and the fragment storage field stores the target fragments of all AS domains.
In this embodiment, the packet mark field distinguishes whether an obtained data packet has been marked; for example, the packet mark field takes the value 0 or 1, where 0 means not marked and 1 means marked. The fragment mark fields of the preset number of data packets determine which fragments the ASN is divided into; for example, the fragment mark field takes the value 0 or 1, where 0 denotes the first-half fragment and 1 the second-half fragment. The distance length field tells how many AS domains the data packet has passed through; its value may range from 0 to 15, and the distance length field of the target data packet gives the distance between the attack source device and the attacked device. The fragment insertion field determines which fragment is inserted into the data packet as the target fragment; for example, the fragment insertion field takes the value 0 or 1, where 0 means the first-half fragment is inserted into the fragment storage field of the data packet and 1 means the second-half fragment is inserted.
The number of data packets is the preset number. Correspondingly, inserting the target fragment among the preset number of fragments into the fragment storage field of the data packet as marking information, according to the indication of the corresponding field in the preset mark area of the data packet, includes: for each data packet, determining the target fragment according to the fragment mark field; using the target fragment as marking information; and inserting the marking information into the fragment storage field according to the indication of the fragment insertion field. The fragment mark fields of different data packets indicate different fragments among the preset number of fragments.
In this embodiment, if the number of fragments is the preset number, the preset number of fragments must be stored in the preset number of data packets, and each data packet stores one additional fragment for each AS domain it passes through. For each data packet, the target fragment can be determined from the fragment mark field and the fragment insertion field of that data packet, and the target fragment is then inserted into the data packet.
For example, for data packets passing through the first AS domain, the ASN of the first AS domain is evenly divided into two fragments, which are inserted into different data packets. At the same time, the fragment mark field and fragment insertion field of the data packet carrying the first-half fragment as marking information are set to 0, and the fragment mark field and fragment insertion field of the data packet carrying the second-half fragment are set to 1. For data packets passing through the other AS domains, if the fragment mark field is 0, the target fragment is determined to be the first-half fragment and that fragment is used as the marking information; the fragment insertion field is then also 0, and the marking information is inserted into the fragment storage field of the data packet as the fragment insertion field indicates. The fragment insertion field and the fragment mark field hold the same value.
After a target fragment is added to the data packet, the value of the distance length field is increased accordingly. In this embodiment, a target fragment is added to the data packet each time it passes through an AS domain, and each time a target fragment is added the value of the distance length field in the preset mark area of the data packet is incremented by 1. Thus, when the data packet reaches the attacked device after passing through multiple AS domains, the value of the distance length field in the preset mark area of the target data packet represents the distance between the attacked device and the attack source device.
The data packets are obtained within a preset time period and are marked.
In this embodiment, the attack source device may send data packets continuously, and data packets may be obtained and marked once per preset period. This effectively avoids the problem that the source can no longer be traced after a marked data packet is lost: in the present application, after a data packet is lost, a data packet can be obtained and marked again. In addition, flexibly marking data packets with a preset time period can improve the accuracy of attack tracing.
The attack tracing method provided by this embodiment has the following effects. First, the number of routers participating in AS tracing marking is far smaller than the number of routers in the network, which effectively reduces router overhead. Second, an AS-based path is far shorter than an IP-based path in the related art, so fewer data packets are needed for path reconstruction and the computational overhead is smaller. Third, only a limited number of data packets are marked, and no router can overwrite the marking information of an upstream router, so the marking information is not lost. Fourth, only the router at the entrance of each AS domain participates in marking, so tracing is fast. Fifth, the marking information is the ASN. Sixth, AS-based cross-domain attack tracing does not require exposing the network topology and has no bandwidth requirements.
On the basis of the above embodiment, the present application provides an embodiment in which the number of data packets obtained by the router is 2; correspondingly, the ASN of each AS domain is evenly divided into 2 fragments.
Figure 4 is an example flowchart of another attack tracing method provided by an embodiment of the present application. As shown in Figure 4, the attacker, i.e. the attack source device, sends data packets from the AS1 domain to the victim, i.e. the attacked device, in the ASn domain. R1 may denote the ingress router of the AS1 domain, R2 the ingress router of the AS2 domain, R3 the egress router of the AS2 domain, R4 the ingress router of the AS3 domain, R5 the egress router of the AS3 domain, R6 the ingress router of the AS4 domain, R7 the egress router of the AS4 domain, and Rn the ingress router of the ASn domain.
In one embodiment, after the ingress router R1 connected to the attacker obtains 2 data packets, it may first insert marking information into the 2 data packets and then forward them to the AS2 domain. The process is as follows. The router R1 closest to the attacker marks the two data packets sent by the attacker separately: the fragment ASN1-1 obtained by dividing ASN1 of the AS1 domain is inserted into the fragment storage field of data packet 1 as marking information, and the fragment ASN1-2 obtained by dividing ASN1 of the AS1 domain is inserted into the fragment storage field of data packet 2 as marking information. The packet mark field of both data packets is then set to 1, the fragment mark field of data packet 1 is set to 0 and the fragment mark field of data packet 2 is set to 1, and the two data packets are forwarded to the next hop in the network according to the routing policy. When R2 in the AS2 domain obtains a data packet, it uses the value of the fragment mark field together with the value of the fragment insertion field to choose which fragment of ASN2 to insert into the data packet as marking information. In data packet 1 the fragment mark field is 0, indicating that the target fragment is the first-half fragment, and the fragment insertion field is 0, indicating that the first-half fragment of the previous AS domain's ASN has already been inserted into the fragment storage field of data packet 1, so the fragment ASN2-1 obtained by dividing ASN2 is inserted into the fragment storage field of data packet 1 as marking information. In data packet 2 the fragment mark field is 1, indicating that the target fragment is the second-half fragment, and the fragment insertion field is 1, indicating that the second-half fragment of the previous AS domain's ASN has already been inserted into the fragment storage field of data packet 2, so the fragment ASN2-2 obtained by dividing ASN2 is inserted into the fragment storage field of data packet 2 as marking information. Since R3 and R2 belong to the same network domain and ASN2 has already been inserted, insertion is skipped and the data packets are forwarded directly to the next-hop router. This process continues until the data packets are forwarded to the ASn domain where the victim is located; the fragment storage fields of the data packets forwarded to the ASn domain contain the marking information of n AS domains. After the victim collects the two complete ASNs, the attack path can be reconstructed from the ASNs and the attack source traced.
Figure 5 is a schematic flowchart of another attack tracing method provided by an embodiment of the present application. The method is applicable to handling large-scale DDoS attacks that span multiple network domains and can be executed by an attack tracing apparatus, which may be implemented in software and/or hardware and is generally integrated in a server; in this embodiment the server may be the server of the attacked device.
As shown in Figure 5, the attack tracing method provided by this embodiment includes:
S210. When an attack is detected, extract a target data packet, the target data packet carrying complete marking information, the complete marking information including the autonomous system numbers of all AS domains between the attack source device and the attacked device.
In this embodiment, the manner in which the attack is detected is not limited; for example, a DDoS attack is detected by a DDoS attack detection algorithm.
In this embodiment, when an attack is detected, multiple target data packets may be extracted so that the path can be reconstructed from the marking information in the fragment storage fields of the target data packets.
S220. Reconstruct the AS path between the attack source device and the attacked device according to the fragment storage field in the target data packet.
In this embodiment, all AS domains that the data packet passed through during forwarding can be determined from the marking information in the fragment storage fields of the multiple target data packets, so the AS path between the attack source device and the attacked device can be reconstructed.
所述目标数据包的个数为预设数量,相应的,所述根据所述目标数据包中的分片存储字段重构出攻击源设备到所述被攻击设备之间的AS路径,包括:将所述预设数量个目标数据包的分片存储字段中的分片提取到重构路径表中;当所述重构路径表中包括完整的标记信息时,获取每个目标数据包中所述分片标记字段的取值,按照所述预设数量个取值对应的排序顺序依次提取每个目标数据包;对按照所述排序顺序提取的每个目标数据包的分片存储字段中的分片进行提取;根据每个目标数据包中的距离长度字段,将每个目标数据包的分片存储字段中的分片进行重构,得到攻击源设备到所述被攻击设备之间的AS路径。The number of target data packets is a preset number. Correspondingly, the AS path between the attack source device and the attacked device is reconstructed based on the fragment storage field in the target data packet, including: Extract the fragments in the fragment storage fields of the preset number of target data packets into the reconstruction path table; when the reconstruction path table includes complete mark information, obtain all the fragments in each target data packet. According to the value of the fragmentation mark field, each target data packet is extracted in sequence according to the sorting order corresponding to the preset number of values; for the fragmentation storage field of each target data packet extracted according to the sorting order, Fragments are extracted; according to the distance length field in each target data packet, the fragments in the fragment storage field of each target data packet are reconstructed to obtain the AS between the attack source device and the attacked device. path.
The reconstruction path table containing complete mark information can be understood as meaning that the mark information in the reconstruction path table can be spliced into a complete AS path; at that point the server stops filling fragments from the fragment storage field into the reconstruction path table.
The order in which the target data packets are extracted can be determined from the value of the fragment mark field in each target data packet. For example, if the fragment mark field of the first target data packet has the value 0 and that of the second target data packet has the value 1, the target data packets can be extracted in sorting order from 0 to 1, that is, the first target data packet is extracted first and then the second.
Extracting the fragments in the fragment storage fields of the preset number of target data packets into the reconstruction path table may include: extracting each fragment in the fragment storage fields of the preset number of target data packets into the reconstruction path table according to the distance length field and the fragment mark field of the preset number of target data packets.
Extracting the fragments in the fragment storage fields of the preset number of target data packets into the reconstruction path table includes: determining each fragment in the fragment storage fields of the preset number of target data packets according to the distance length field and the fragment mark field in the preset number of target data packets; and extracting each determined fragment in the fragment storage fields of the preset number of target data packets into the reconstruction path table.
What is determined from the distance length field and the fragment mark field of the preset number of target data packets is each fragment in the fragment storage field; that is, the fragments are delimited according to the distance length field and the fragment mark field of the preset number of target data packets.
Reconstructing the fragments in the fragment storage field of each target data packet according to the distance length field in each target data packet, to obtain the AS path between the attack source device and the attacked device, includes: sorting the fragments in the fragment storage field of each target data packet in ascending order of the value of the distance length field in each target data packet and of the value of the fragment mark field in the preset number of target data packets, to obtain a preset number of coding blocks, one data packet corresponding to one coding block; splicing the preset number of coding blocks according to the sorting order to obtain a target coding block, the target coding block containing complete mark information; and determining the AS path between the attack source device and the attacked device according to the complete mark information.
Figure 6 is a schematic diagram of AS path reconstruction in an attack tracing method provided by an embodiment of the present application. As shown in Figure 6, after the attacker, that is, the attack source device, sends two data packets from the AS1 domain through the AS2 domain, the AS3 domain and many further AS domains to the ASn domain, the server of the attacked device can extract the fragments in the fragment storage field of target data packet P1, namely ASN1-1, ASN2-1, ASN3-1 ... ASNn-1, and the fragments in the fragment storage field of target data packet P2, namely ASN1-2, ASN2-2, ASN3-2 ... ASNn-2. The fragments of P1 and of P2 are each sorted in order from 0 to n according to the value of the distance length field, and the fragments of P1 and P2 are then spliced top-to-bottom in order of the fragment mark field from 0 to 1; for example, splicing ASN1-1 on top of ASN1-2 yields ASN1. Splicing in the same way to obtain ASN1, ASN2, ASN3 ... ASNn gives the AS path.
S230: Trace the attack source device according to the AS path.
In this embodiment, all AS domains that the data packet passed through during forwarding are known from the AS path, so the attack source device can be traced back.
Once the attack source device has been found, the attack can be effectively defended against. For example, after the AS domain where the attack source device is located has been found, the SDN controller of the attacker's domain can, combining the DDoS attack detection and tracing results, query the flow table information and issue to the edge switch a forwarding policy that allows or prohibits communication with the victim host, thereby effectively mitigating the DDoS attack at its source.
Figure 7 is a schematic diagram of an attack mitigation process provided by an embodiment of the present application. As shown in Figure 7, the attack mitigation process may include:
S1. After the victim domain detects a DDoS attack, it starts the inter-domain attack tracing method to obtain {ASN, IPsrc, IPdst, src.port, dst.port} and initiates a blocking request.
S2. The SDN controller in the attacker's domain queries the flow table entries.
S3. The SDN controller in the attacker's domain delivers a new flow table to the edge switch to mitigate the DDoS attack.
An embodiment of the present application provides an attack tracing method. The method uses the globally unique autonomous system number (ASN) of each AS domain to mark the data packets sent by the attacker; the IP data packet serves as the information carrier for path reconstruction, and the IP packet header is rewritten so that the type of service field, the reserved field and the options field of the IP header store the mark information. The variable part of the IP packet header, that is, the options field, is enabled to store the ASN fragments of all AS domains traversed from the attacker to the victim. As the data packet traverses every AS domain between the attacker and the victim, the ingress router of each AS domain inserts one of the equal fixed-length fragments of that domain's globally unique ASN into a custom free field of the data packet passing through it, that is, into the preset mark area. For each AS domain passed on the way from the attacker to the victim, the ingress router of that domain selects one fragment of the AS's ASN according to the marking rule and inserts it into the corresponding data packet, until all AS domains between the attacker and the victim have been traversed. Finally, when the AS domain where the victim is located has collected the data packets containing complete mark information, the complete AS path between the attacker and the victim can be reconstructed from the correspondence of the distance length field and the fragment mark field with the fragment storage field.
Figure 8 is an example flow chart of another attack tracing method provided by an embodiment of the present application. As shown in Figure 8, ASNs are 2 bytes or 4 bytes long. Figure 8 shows a simple network topology from the attacker's domain AS234 to the victim's domain AS6800. In Figure 8, router R1, which is directly connected to the attacker, inserts the two fragments of ASN 234 into the AS_Path fields of two data packets and at the same time sets the Flag_RF field, that is, the packet mark field, to 1, indicating that the packet is a marked packet. According to the content of the fragment storage field AS_Path, the fragment mark field AS_Num and the fragment insertion field Frag of the packet storing fragment 0000000000000000 are set to 0, the fragment mark field AS_Num and the fragment insertion field Frag of the packet storing fragment 0000000011101010 are set to 1, and the distance length field Distance is set to 0. When router R3 receives a data packet, it first checks the Flag_RF field to see whether the arriving packet is marked. If it is marked, R3 checks the value of the packet's AS_Num field and then adds a fragment of ASN 68200 to the marked packet according to the value of the Frag field: if the Frag field is 0, it inserts 000000000000001 into AS_Path; if the Frag field is 1, it inserts 0000101001101000 into AS_Path; it then forwards the packet to the next-hop router R4. Routers R4 and R5 skip the insertion: since R4 and R5 are in the same domain as R3, they do not insert ASN information, because the domain's ASN has already been inserted at R3, and they forward the packet normally to R6. R6 repeats the process above and inserts the fragments of ASN 6800 into the corresponding packets. The marked path packets finally received at the victim end are two fragment packets carrying the path information ASN 234, ASN 68200 and ASN 6800. When an attack is detected in the victim domain, attack tracing begins: the victim server extracts the collected mark information packets and reconstructs the attack path. From the correspondence of the values of the Distance field and the AS_Num field with the ASN fragments in the AS_Path field, the AS path between the attacker and the victim is finally recovered.
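As an added illustration (not code from the patent), the following Python simulation models the marking and reconstruction of Figures 6 and 8: two packets traverse the constructed topology AS234 -> AS68200 -> AS6800, each ingress router inserts one 16-bit half of its 4-byte ASN, and the victim-side routine rebuilds the AS path from the Distance and AS_Num fields, returning None when the mark information is incomplete. Field names follow Figure 8; the Distance field is assumed to hold the index of the last inserted fragment (0 at the first domain), and the data-class layout is a constructed model rather than the real IP header rewrite.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ASN_BITS = 32                   # 4-byte ASN space, as in the Figure 8 walk-through
NUM_FRAGS = 2                   # preset number of fragments (and of marked packets)
FRAG_BITS = ASN_BITS // NUM_FRAGS


@dataclass
class MarkedPacket:
    """Constructed model of the preset mark area carried in the rewritten IP header."""
    flag_rf: int = 0            # packet mark field: 1 = marked packet
    as_num: int = 0             # fragment mark field: which ASN fragment this packet carries
    frag: int = 0               # fragment insertion field: index of the fragment to insert
    distance: int = 0           # distance length field (assumed: index of last stored fragment)
    as_path: List[str] = field(default_factory=list)   # fragment storage field


def split_asn(asn: int) -> List[str]:
    """Split an ASN into NUM_FRAGS equal fixed-length bit strings, high-order half first."""
    mask = (1 << FRAG_BITS) - 1
    return [format((asn >> (FRAG_BITS * (NUM_FRAGS - 1 - i))) & mask, f"0{FRAG_BITS}b")
            for i in range(NUM_FRAGS)]


def ingress_mark(packets: List[MarkedPacket], asn: int) -> None:
    """Ingress router of AS `asn`: insert one ASN fragment into each packet of the group.
    Routers deeper inside the same domain are simply never called, mirroring R4/R5."""
    frags = split_asn(asn)
    for i, pkt in enumerate(packets):
        if pkt.flag_rf == 0:
            # first marking router (R1 in Figure 8): flag the packet and assign its slot
            pkt.flag_rf = 1
            pkt.as_num = i
            pkt.frag = i
            pkt.distance = 0
        else:
            pkt.distance += 1   # one more AS domain traversed
        pkt.as_path.append(frags[pkt.frag])


def reconstruct_as_path(targets: List[MarkedPacket]) -> Optional[List[int]]:
    """Victim-side reconstruction: ASN list from attacker to victim, or None when the
    collected packets do not carry complete mark information."""
    marked = [p for p in targets if p.flag_rf == 1]
    if len(marked) != NUM_FRAGS:
        return None
    # reconstruction path table: as_num -> fragments already ordered by distance
    table = {p.as_num: p.as_path for p in marked}
    if sorted(table) != list(range(NUM_FRAGS)):
        return None             # a fragment slot is missing or duplicated
    depth = marked[0].distance + 1
    if any(p.distance + 1 != depth or len(p.as_path) != depth for p in marked):
        return None             # packets did not traverse the same AS sequence
    path = []
    for d in range(depth):      # ascending distance = attacker -> victim order
        # splice as_num 0 on top of as_num 1 (ASN1-1 over ASN1-2 in Figure 6)
        bits = "".join(table[k][d] for k in range(NUM_FRAGS))
        path.append(int(bits, 2))
    return path


def simulate(as_domains: List[int]) -> Optional[List[int]]:
    """Send NUM_FRAGS packets through the given AS domains and reconstruct the path."""
    packets = [MarkedPacket() for _ in range(NUM_FRAGS)]
    for asn in as_domains:
        ingress_mark(packets, asn)
    return reconstruct_as_path(packets)


if __name__ == "__main__":
    print(simulate([234, 68200, 6800]))   # constructed topology of Figure 8
```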
The attack tracing method provided by the embodiments of the present application is an AS-oriented multi-domain DDoS attack tracing method with the advantages of fast tracing and low system overhead. The present application reduces the number of data packets required for path reconstruction, reduces the number of routers participating in marking, lowers the resource overhead of routers, increases the backtracking speed of cross-domain tracing and strengthens the capability of cross-domain DDoS defence mechanisms.
Figure 9 is a schematic structural diagram of an attack tracing apparatus provided by an embodiment of the present application. The apparatus is suited to handling large-scale DDoS attacks spanning multiple network domains; it may be implemented in software and/or hardware and is generally integrated into a router, and the router in this embodiment may be a router at the ingress of an AS domain.
As shown in Figure 9, the apparatus includes an acquisition module 110 and a marking module 120.
The acquisition module 110 is configured to acquire a data packet sent from an attack source device to an attacked device; the marking module 120 is configured to mark the data packet to obtain a marked data packet, so that the attacked device traces the attack source device according to a target data packet, the target data packet being the marked data packet obtained after the final marking of the data packet.
This embodiment provides an attack tracing apparatus that can reduce the number of data packets required for path reconstruction, reduce the number of routers participating in marking, lower the resource overhead of routers and increase the backtracking speed of cross-domain tracing.
The marking module 120 includes an insertion sub-module configured to insert a partial number of the autonomous system number of the current AS domain that the data packet passes through into the data packet as mark information, to obtain the marked data packet.
The insertion sub-module is configured to: evenly divide the autonomous system number of the current AS domain into a preset number of fragments, each fragment corresponding to a part of the autonomous system number; and, according to the indication of the corresponding field in the preset mark area of the data packet, insert the target fragment among the preset number of fragments into the fragment storage field of the data packet as mark information.
The preset mark area includes a packet mark field, a fragment mark field, a distance length field, a fragment insertion field and a fragment storage field. The packet mark field indicates whether the data packet is marked; the fragment mark field indicates the target fragment among the preset number of fragments obtained by dividing the autonomous system number of the AS domain; the distance length field indicates the number of AS domains the data packet has passed through; the fragment insertion field indicates the target fragment to be inserted into the data packet; and the fragment storage field stores the target fragments of all AS domains.
The number of data packets is the preset number. Correspondingly, inserting the target fragment among the preset number of fragments into the fragment storage field of the data packet as mark information according to the indication of the corresponding field in the preset mark area of the data packet includes, for each data packet: determining the target fragment according to the fragment mark field; taking the target fragment as the mark information; and inserting the mark information into the fragment storage field according to the indication of the fragment insertion field. The fragment mark fields of different data packets indicate different fragments among the preset number of fragments.
After one target fragment is added to the data packet, the value of the distance length field increases accordingly. When the autonomous system number of an AS domain is evenly divided into 2 fragments, the number of data packets is 2.
The data packets are acquired within a preset time period and are marked.
The attack tracing apparatus proposed in this embodiment belongs to the same concept as the attack tracing method proposed in the embodiments above; technical details not described in full in this embodiment can be found in any of the embodiments above, and this embodiment has the same effects as performing the attack tracing method.
Figure 10 is a schematic structural diagram of another attack tracing apparatus provided by an embodiment of the present application. The apparatus is suited to handling large-scale DDoS attacks spanning multiple network domains; it may be implemented in software and/or hardware and is generally integrated into a server, and the server in this embodiment may be a server in the AS domain where the attacked device is located.
As shown in Figure 10, the apparatus includes an extraction module 210, a reconstruction module 220 and a tracing module 230.
The extraction module 210 is configured to extract a target data packet when a distributed denial-of-service attack is detected, the target data packet having complete mark information that includes the autonomous system numbers of all AS domains between the attack source device and the attacked device; the reconstruction module 220 is configured to reconstruct the AS path between the attack source device and the attacked device according to the fragment storage field in the target data packet; and the tracing module 230 is configured to trace the attack source device according to the AS path.
This embodiment provides an attack tracing apparatus that can reduce router storage and improve router performance; the AS path can be reconstructed accurately from the mark information, and the attack source device can be traced quickly.
The number of target data packets is a preset number. Correspondingly, the reconstruction module 220 is configured to:
extract the fragments in the fragment storage fields of the preset number of target data packets into a reconstruction path table; when the reconstruction path table contains complete mark information, obtain the value of the fragment mark field in each target data packet and extract each target data packet in turn in the sorting order corresponding to the preset number of values; extract the fragments in the fragment storage field of each target data packet extracted in that sorting order; and reconstruct the fragments in the fragment storage field of each target data packet according to the distance length field in each target data packet, to obtain the AS path between the attack source device and the attacked device.
The reconstruction module 220 includes an extraction sub-module configured to: determine each fragment in the fragment storage fields of the preset number of target data packets according to the distance length field and the fragment mark field in the preset number of target data packets; and extract each determined fragment in the fragment storage fields of the preset number of target data packets into the reconstruction path table.
The reconstruction module 220 includes a reconstruction sub-module configured to:
sort the fragments in the fragment storage field of each target data packet in ascending order of the value of the distance length field in each target data packet and of the value of the fragment mark field in the preset number of target data packets, to obtain a preset number of coding blocks, one data packet corresponding to one coding block; splice the preset number of coding blocks according to the sorting order to obtain a target coding block, the target coding block containing complete mark information; and determine the AS path between the attack source device and the attacked device according to the complete mark information.
The attack tracing apparatus proposed in this embodiment belongs to the same concept as the attack tracing method proposed in the embodiments above; technical details not described in full in this embodiment can be found in any of the embodiments above, and this embodiment has the same effects as performing the attack tracing method.
An embodiment of the present application further provides a router. Figure 11 is a schematic diagram of the hardware structure of a router provided by an embodiment of the present application. As shown in Figure 11, the router provided by the embodiment of the present application includes a memory 520, a processor 510 and a computer program stored in the memory and executable on the processor; when the processor 510 executes the program, the attack tracing method described above is implemented.
The router may further include a memory 520; there may be one or more processors 510 in the router, and one processor 510 is taken as an example in Figure 11; the memory 520 is configured to store one or more programs which, when executed by the one or more processors 510, cause the one or more processors 510 to implement the attack tracing method described in the embodiments of the present application.
The router further includes a communication device 530, an input device 540 and an output device 550.
The processor 510, memory 520, communication device 530, input device 540 and output device 550 in the router may be connected by a bus or in another way; connection by a bus is taken as an example in Figure 11.
The input device 540 may be configured to receive input numeric or character information and to generate key signal input related to the user settings and function control of the terminal device. The output device 550 may include a display device such as a display screen.
The communication device 530 may include a receiver and a transmitter. The communication device 530 is configured to send and receive information under the control of the processor 510.
The memory 520, as a computer-readable storage medium, may be configured to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the attack tracing method described in the embodiments of the present application (for example, the acquisition module 110 and the marking module 120 in the attack tracing apparatus). The memory 520 may include a program storage area and a data storage area: the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created through the use of the router. In addition, the memory 520 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples, the memory 520 may include memory located remotely from the processor 510, and such remote memory may be connected to the router through a network. Examples of such networks include the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
An embodiment of the present application further provides a server. Figure 12 is a schematic diagram of the hardware structure of a server provided by an embodiment of the present application. As shown in Figure 12, the server provided by the present application includes a memory 620, a processor 610 and a computer program stored in the memory and executable on the processor; when the processor 610 executes the program, the attack tracing method described above is implemented.
The server may further include a memory 620; there may be one or more processors 610 in the server, and one processor 610 is taken as an example in Figure 12; the memory 620 is configured to store one or more programs which, when executed by the one or more processors 610, cause the one or more processors 610 to implement the attack tracing method described in the embodiments of the present application.
The server further includes a communication device 630, an input device 640 and an output device 650.
The processor 610, memory 620, communication device 630, input device 640 and output device 650 in the server may be connected by a bus or in another way; connection by a bus is taken as an example in Figure 12.
The input device 640 may be configured to receive input numeric or character information and to generate key signal input related to the user settings and function control of the terminal device. The output device 650 may include a display device such as a display screen.
The communication device 630 may include a receiver and a transmitter. The communication device 630 is configured to send and receive information under the control of the processor 610.
The memory 620, as a computer-readable storage medium, may be configured to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the attack tracing method described in the embodiments of the present application (for example, the extraction module 210, the reconstruction module 220 and the tracing module 230 in the attack tracing apparatus). The memory 620 may include a program storage area and a data storage area: the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created through the use of the server. In addition, the memory 620 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples, the memory 620 may include memory located remotely from the processor 610, and such remote memory may be connected to the server through a network. Examples of such networks include the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
An embodiment of the present application further provides a storage medium storing a computer program which, when executed by a processor, implements any of the attack tracing methods described in the embodiments of the present application.
The attack tracing method, applied to a router, includes: acquiring a data packet sent from an attack source device to an attacked device; and marking the data packet to obtain a marked data packet, so that the attacked device traces the attack source device according to a target data packet, the target data packet being the marked data packet obtained after the final marking of the data packet.
The attack tracing method, applied to a server, includes: when an attack is detected, extracting a target data packet having complete mark information, the complete mark information including the autonomous system numbers of all AS domains between the attack source device and the attacked device; reconstructing the AS path between the attack source device and the attacked device according to the fragment storage field in the target data packet; and tracing the attack source device according to the AS path.
The computer storage medium in the embodiments of the present application may be any combination of one or more computer-readable media. The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. The computer-readable storage medium may be, for example, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any combination of the above. Examples of computer-readable storage media (a non-exhaustive list) include: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. A computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take many forms, including an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including wireless, wire, optical cable, radio frequency (RF), etc., or any suitable combination of the above.
Computer program code for performing the operations of the present application may be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The above descriptions are only exemplary embodiments of the present application and are not intended to limit the protection scope of the present application.
Those skilled in the art will understand that the term user terminal covers any suitable type of wireless user equipment, such as a mobile phone, a portable data processing apparatus, a portable web browser or a vehicle-mounted mobile station.
In general, the various embodiments of the present application may be implemented in hardware or special-purpose circuitry, software, logic, or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software that may be executed by a controller, microprocessor or other computing device, although the present application is not limited thereto.
The embodiments of the present application may be implemented by a data processor of a mobile device executing computer program instructions, for example in a processor entity, or by hardware, or by a combination of software and hardware. The computer program instructions may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages.
Any block diagram of a logic flow in the figures of the present application may represent program operations, or may represent interconnected logic circuits, modules and functions, or may represent a combination of program operations and logic circuits, modules and functions. The computer program may be stored in a memory. The memory may be of any type suitable for the local technical environment and may be implemented using any suitable data storage technology, such as ROM, RAM, optical storage devices and systems (a digital video disc (DVD) or CD), etc. The computer-readable medium may include a non-transitory storage medium. The data processor may be of any type suitable for the local technical environment, such as a general-purpose computer, a special-purpose computer, a microprocessor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a programmable logic device (field-programmable gate array, FPGA), or a processor based on a multi-core processor architecture.
Claims (17)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210760955.1A CN117353963A (en) | 2022-06-29 | 2022-06-29 | An attack source tracing method, device, router, server and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024002067A1 true WO2024002067A1 (en) | 2024-01-04 |
Family ID: 89367932
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2023/102734 Ceased WO2024002067A1 (en) | 2022-06-29 | 2023-06-27 | Attack tracing method and apparatus, and router, server and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN117353963A (en) |
| WO (1) | WO2024002067A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120321040A (en) * | 2025-06-16 | 2025-07-15 | 北京安帝科技有限公司 | Host attack source tracing method |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102801727A (en) * | 2012-08-13 | 2012-11-28 | 常州大学 | DDoS attacker tracing method based on autonomous system |
- 2022
  - 2022-06-29 CN CN202210760955.1A patent/CN117353963A/en active Pending
- 2023
  - 2023-06-27 WO PCT/CN2023/102734 patent/WO2024002067A1/en not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN117353963A (en) | 2024-01-05 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23830244; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 23830244; Country of ref document: EP; Kind code of ref document: A1 |