
CN-122027305-A - Port traffic and route deduction-based counterfeit source address DDoS attack tracing method


Abstract

The invention discloses a method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction, belonging to the field of network security. It comprises the following steps: S1, network data acquisition; S2, abnormal traffic detection; S3, attack path deduction, namely taking the attack target address as the starting point, querying the routing table of each router to determine the local port pointing to the target, matching that port against the abnormal port list, and taking each successfully matched port and the router it belongs to as a node of the attack path; S4, path tracing and sorting, generating a complete attack path that points from the attack source toward the attack target and is arranged in the actual packet forwarding order, which completes tracing. The invention systematically reconstructs the complete forwarding path of a spoofed-source-address DDoS attack, effectively solves the core problem that the real direction and entry point of the attack are hard to trace when the source IP is spoofed, and offers low deployment cost and accurate, reliable tracing.

Inventors

  • DENG ZHIHAO
  • HUANG LISHENG
  • WANG WENYONG
  • TANG YONG
  • XIANG YU
  • ZHANG JUN
  • YANG TING

Assignees

  • University of Electronic Science and Technology of China (电子科技大学)

Dates

Publication Date
2026-05-12
Application Date
2026-02-28

Claims (10)

  1. A method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction, characterized by comprising the following steps: S1, network data acquisition: periodically acquiring the routing table information of each router in the network and the traffic data of each port via SNMP (Simple Network Management Protocol); S2, abnormal traffic detection: when a DDoS attack event occurs, correlating and comparing the collected port traffic data according to the start time, target address and attack traffic of the event, identifying ports whose traffic rises abnormally and suddenly, and forming an abnormal port list; S3, attack path deduction: taking the attack target address as the starting point, querying the routing table of each router to determine the local port pointing to the target, matching it against the abnormal port list, and taking each successfully matched port and the router it belongs to as a node of the attack path; S4, path tracing and sorting: based on the next-hop relation between routers, backtracking, searching and logically sorting the matched path nodes to generate a complete attack path pointing from the attack source toward the attack target, arranged in the actual packet forwarding order, which completes tracing.
  2. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 1, wherein in S1 the network data acquisition specifically comprises: S11, acquiring routing table information from each router in the network via SNMP at a first fixed time interval T1; S12, collecting the traffic volume V of each port of each router via SNMP at a second fixed time interval T2 and calculating the port's average instantaneous traffic b = V/T2 over that interval; S13, building for each port of each router a chronologically ordered sequence of average instantaneous traffic values, thereby recording the traffic change history.
  3. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 2, wherein each record in the average instantaneous traffic sequence is a tuple comprising at least the router IP address, the router port number, the acquisition timestamp and the average instantaneous traffic.
  4. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 1, wherein in S2 the abnormal traffic detection specifically comprises: S21, after obtaining the start time, attack target and average instantaneous attack traffic of the DDoS attack event, setting an anomaly judgment threshold; S22, for the traffic sequence of each port, locating the traffic records within a time window before and after the attack start time; S23, if the difference between the average instantaneous traffic value of any record in the time window and the previous recorded value exceeds the anomaly judgment threshold, judging that port to be abnormal and adding it to the abnormal port list.
  5. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 4, wherein the anomaly judgment threshold is set to a fixed proportion of the average instantaneous attack traffic.
  6. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 1, wherein in S3 the attack path deduction specifically comprises: S31, for the attack target address, traversing the routing table of each router and finding the local egress port corresponding to the target address; S32, comparing the found local egress port with the abnormal port list; S33, if the found local egress port is in the abnormal port list, recording the IP address of the router it belongs to, the port number, and the IP address of the next-hop router toward the target taken from the routing table as a path node in the initial path set.
  7. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 6, wherein in S4 the path tracing and sorting specifically comprises: S41, path expansion: using the router IP of each node in the initial path set as a clue, searching the abnormal port list for an upstream abnormal port that has this IP as its source, adding that upstream abnormal port as a new path node and pointing its next-hop address to the current node; S42, path sorting: logically sorting all path nodes by the next-hop relation between routers so that, in the sorted list, each node's next-hop address equals the router IP address of the following node, forming an ordered, complete forwarding path from the attack traffic ingress to the attack target.
  8. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 1, wherein during network data acquisition, packet sampling information on the router ports is acquired synchronously, and after the attack path is generated, protocol type and packet feature analysis are performed on the abnormal traffic along the path.
  9. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 1, wherein after tracing is completed, a tracing report containing the attack path, the related abnormal ports and the traffic information is generated automatically.
  10. The method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction according to claim 1, wherein after tracing, a predefined security policy is triggered and traffic blocking or rate limiting is applied.
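The procedure of claims 1 to 7, worked through as an added example that is not the patent's own code: the routers, addresses, routing snapshots and per-port traffic records below are constructed, the anomaly ratio (0.5 of the attack rate) and the 10 s window are assumed values, the expansion step S41 is omitted, and the sort of S42 assumes a single ingress router.

```python
import ipaddress
# Constructed sample: chain R1 -> R2 -> R3 -> target; attack enters R1 port 1.
TARGET, T_ATTACK, ATTACK_RATE = "10.0.9.10", 100, 800.0  # start time (s), Mbps
# S1: routing snapshots, router -> {prefix: (local egress port, next hop)}
ROUTING_TABLES = {
    "192.0.2.1": {"0.0.0.0/0": (2, "192.0.2.2")},
    "192.0.2.2": {"10.0.0.0/8": (3, "192.0.2.3"), "0.0.0.0/0": (1, "192.0.2.1")},
    "192.0.2.3": {"10.0.9.0/24": (4, "10.0.9.10"), "0.0.0.0/0": (1, "192.0.2.2")},
}
# S1: per-port average instantaneous traffic b = V/T2 as (timestamp, b) records
FLOWS = {
    ("192.0.2.1", 2): [(90, 50), (95, 52), (100, 900), (105, 910)],
    ("192.0.2.2", 3): [(90, 60), (95, 61), (100, 905), (105, 915)],
    ("192.0.2.3", 4): [(90, 70), (95, 72), (100, 910), (105, 920)],
    ("192.0.2.2", 1): [(90, 40), (95, 41), (100, 43), (105, 42)],    # normal
    ("192.0.2.3", 1): [(90, 30), (95, 500), (100, 510), (105, 505)],  # surge, wrong port
}

def detect_abnormal_ports(flows, t_attack, attack_rate, window=10, ratio=0.5):
    """S2: a port is abnormal if a record inside the window around the attack
    start exceeds the previous record by more than ratio * attack_rate."""
    threshold, abnormal = ratio * attack_rate, set()
    for key, seq in flows.items():
        seq = sorted(seq)
        if any(abs(t1 - t_attack) <= window and b1 - b0 > threshold
               for (t0, b0), (t1, b1) in zip(seq, seq[1:])):
            abnormal.add(key)
    return abnormal

def egress_toward(table, target):
    """Longest-prefix match: the (port, next_hop) this router uses for target."""
    ip = ipaddress.ip_address(target)
    nets = [ipaddress.ip_network(p) for p in table if ip in ipaddress.ip_network(p)]
    return table[str(max(nets, key=lambda n: n.prefixlen))] if nets else None

def deduce_path(routing_tables, flows, target, t_attack, attack_rate):
    """S3: keep routers whose egress port toward target is abnormal; S42: order
    them so each node's next hop equals the following node's router IP."""
    abnormal = detect_abnormal_ports(flows, t_attack, attack_rate)
    nodes = {}
    for rtr, table in routing_tables.items():
        hit = egress_toward(table, target)
        if hit and (rtr, hit[0]) in abnormal:
            nodes[rtr] = {"router": rtr, "port": hit[0], "next_hop": hit[1]}
    pointed_to = {n["next_hop"] for n in nodes.values()}
    # ingress router: the only node no other node points to (single-ingress case)
    path, cur = [], next((r for r in nodes if r not in pointed_to), None)
    while cur in nodes:
        path.append(nodes.pop(cur))
        cur = path[-1]["next_hop"]
    return path
```

The surge on R3 port 1 is detected in S2 but dropped in S3 because it is not R3's egress port toward the target, which is what stops unrelated bursts from entering the path.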

Description

Port traffic and route deduction-based counterfeit source address DDoS attack tracing method

Technical Field

The invention relates to the technical field of network security, in particular to a method for tracing spoofed-source-address DDoS attacks based on port traffic and route deduction.

Background

A DDoS (distributed denial of service) attack is a network attack in which a large number of infected servers or Internet of Things devices are controlled to send massive requests to a target system, exhausting its bandwidth, computing resources or connection capacity so that legitimate users cannot access the service. Attackers often spoof the source IP address to hide their identity, which makes locating the attack source and implementing accurate interception difficult. Tracing spoofed-source-address DDoS attacks is therefore of significant importance.

DDoS attacks are characterized by high burst traffic, strong destructiveness and easily spoofed source IPs, which makes tracing them very difficult. The tracing methods currently adopted in academia and industry fall roughly into the following categories.

(1) IP packet marking: router software is modified to mark IP packets, and tracing is achieved by inspecting the marks in the attack packets; typical methods include probabilistic packet marking, deterministic packet marking and ICMP marking. IP packet marking requires routers whose software can be customized.

(2) IP packet logging: each router records the packets flowing through it; the victim host queries its upstream routers, which compare their recorded packets to reconstruct the path the packets took. IP packet logging requires routers to be equipped with very large storage.

(3) Traffic collection: traffic probes are widely deployed in the network to collect and analyze packets, for example collecting ICMP destination-unreachable messages or sampled packets; combined with the backbone network topology, attack tracing can be achieved to a certain extent. Collecting packets across the whole network is costly, and the tracing success rate cannot be guaranteed.

(4) Induced congestion: while a real attack is in progress, starting from the attacked target, artificial UDP flooding is launched against upstream routers in turn from near to far, so that the flooding traffic and the real attack traffic together aggravate congestion along the attack path, and tracing is achieved by checking which path becomes congested. Induced congestion aggravates network congestion and does not achieve a high success rate.

As can be seen, existing approaches require upgrading every router in the network to support specific functions, deploying costly collection systems, or aggravating network congestion. In practical networks these requirements are hardly ever met. Therefore, how to trace spoofed-source-address DDoS attacks at lower cost, using only the functions and performance commonly available on existing routers, is an important problem.

Chinese patent application publication No. CN116962065A, published 27 October 2023, discloses an SDN-based DDoS attack tracing and defense method in which SDN switches collect and count traffic data and report to the SDN controller; the controller performs DDoS attack detection on the statistics, builds a tracing tree from the detection result, issues defense instructions and statistics collection instructions to the SDN switches, and traces and defends layer by layer against attack sources that use IP address spoofing. According to that application, the victim IP address obtained by attack detection and the MAC address of the device interface at the attack traffic source are used together with the SDN controller's global network topology to build the tracing path and implement real-time defense; extra overhead in the normal network state is avoided, the impact on normal communication is effectively reduced, and DDoS attacks with IP address spoofing can be traced. However, the architecture is strongly dependent on SDN and costly to deploy; the tracing and defense logic is fully concentrated in the SDN controller, which creates a centralized risk: once the SDN controller is overloaded or compromised, the whole tracing and defense system fails.

Disclosure of Invention

In order to overcome the defects of the prior art, the invention provides a DDoS