
CN101753315B - Method, device and system for testing DDOS (distributed denial of service) attacks - Google Patents


Info

Publication number: CN101753315B
Authority: CN (China)
Prior art keywords: packet, cluster, tested, ddos attack, linux kernel
Legal status: Active
Application number: CN2008102276222A
Other languages: Chinese (zh)
Other versions: CN101753315A
Inventors: 刘颖, 齐路, 李闻, 田燕, 杨毅, 唐会军, 林晓东, 刘拴林
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application CN2008102276222A filed by Beijing Baidu Netcom Science and Technology Co Ltd; published as CN101753315A; application granted and published as CN101753315B.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method, device and system for testing DDoS (distributed denial of service) attacks. The method comprises: modifying the network subsystem and the memory management subsystem of a Linux kernel; calling a kernel packet-sending engine in the modified kernel network subsystem to generate massive packets and sending the generated packets to a cluster under test, where the source address of each generated packet changes randomly within a preset range and the destination address is a service address provided by the cluster under test; and, when a response packet returned by the cluster under test is received, discarding the response packet sent by the cluster under test; or sending a partial request packet to the cluster under test; or sending a complete request packet to the cluster under test and, when the request/response packet returned by the cluster under test is received, discarding that request/response packet. The invention realizes DDoS attack tests on the basis of a modified Linux kernel, without hardware specially designed for the purpose, thereby reducing the cost of DDoS attack test products.

Description

DDoS attack testing method, device and system
Technical field
The present invention relates to network security technology, and in particular to a distributed denial of service (Distributed Denial-of-Service, abbreviated DDoS) attack testing method, device and system.
Background art
Distributed denial of service (Distributed Denial-of-Service, abbreviated DDoS) attacks have always been the main security threat faced by large-scale websites. To improve the ability of large websites to defend against DDoS attacks, protection products (or security solutions) aimed at DDoS attacks are emerging rapidly.
Because DDoS attacks have characteristics that ordinary denial of service (Denial of Service, abbreviated DoS) attacks lack, for example the dispersion of attack source IP addresses and the diversity of TCP/IP parameters, and because real environments exhibit packet loss and delay, accurately assessing the actual protective effect and the protection limit performance of a protection product has become a difficult point.
To accurately assess the actual protective effect and protection limit performance of a protection product, a DDoS attack environment that is as realistic as possible must be provided. Besides traditional protocol-level DDoS attacks, such as SYN flood (SYN-Flood) and ICMP flood (ICMP-Flood) attacks, various application-layer DDoS attack modes (application level floods) have appeared in recent years, for example connection exhaustion attacks (connection-flood) and slow connection attacks. Although existing dedicated network test products can be used to carry out DDoS attack tests, these products are based on dedicated software and hardware platforms, are costly, offer poor customizability and require a long training cycle, and are therefore unsuitable for sample testing across many product lines.
Summary of the invention
The technical problem to be solved by the present invention is to provide a DDoS attack testing method, device and system that reduce the cost of DDoS attack testing and improve the flexibility of DDoS attack testing.
The invention provides a DDoS attack testing method, comprising:
modifying the network subsystem and the memory management subsystem of a Linux kernel, where the modification to the network subsystem comprises removing the spin lock contained in the flow-control module of the Linux kernel network subsystem and, according to a predefined packet format, extending the kernel packet sender in the Linux kernel network subsystem to allow customized packet fields, and the modification to the memory management subsystem comprises setting the attribute of the packet memory allocation interface function provided by the Linux kernel memory management subsystem so that it allocates memory from a private memory pool of each CPU, and setting the attribute of the packet memory release interface function so that it releases memory into the private memory pool of each CPU;
calling the kernel packet sender in the modified Linux kernel network subsystem to generate massive packets, and sending the generated packets to the cluster under test, where the source address of each generated packet changes randomly within a preset range and the destination address is the service address provided by the cluster under test; and
when a response packet returned by the cluster under test is received, discarding the response packet sent by the cluster under test; or, based on the modified Linux kernel, sending a partial request packet to the cluster under test; or, based on the modified Linux kernel, sending a complete request packet to the cluster under test and, when the request response packet returned by the cluster under test is received, discarding that request response packet.
The present invention also provides a DDoS attack testing device, comprising:
a Linux kernel, used to provide the network subsystem application programming interface and the memory management subsystem application programming interface of the modified kernel, where the modification to the network subsystem comprises removing the spin lock contained in the flow-control module of the Linux kernel network subsystem and, according to a predefined packet format, extending the kernel packet sender in the Linux kernel network subsystem to allow customized packet fields, and the modification to the memory management subsystem comprises setting the attribute of the packet memory allocation interface function provided by the Linux kernel memory management subsystem so that it allocates memory from a private memory pool of each CPU, and setting the attribute of the packet memory release interface function so that it releases memory into the private memory pool of each CPU;
a packet generation module, used to call the kernel packet sender in the modified Linux kernel network subsystem to generate massive packets and send the generated packets to the cluster under test, where the source address of each generated packet changes randomly within a preset range and the destination address is the service address provided by the cluster under test; and
a packet reflecting module, used to discard the response packet sent by the cluster under test when a response packet returned by the cluster under test is received; or, based on the modified Linux kernel, to send a partial request packet to the cluster under test; or, based on the modified Linux kernel, to send a complete request packet to the cluster under test and, when the request response packet returned by the cluster under test is received, to discard that request response packet.
The present invention further provides a DDoS attack testing system, comprising a layer-2 aggregation device and a cluster under test, and further comprising any of the DDoS attack testing devices described above; the packets exchanged between the DDoS attack testing device and the cluster under test are filtered and forwarded by the layer-2 aggregation device.
With the DDoS attack testing method, device and system provided by the invention, DDoS attack simulation against a cluster under test can be realized on the basis of a modified Linux kernel, and link delay and packet loss can be simulated at the same time, so that the simulated DDoS attack is closer to a DDoS attack in a real network environment; the invention thus forms a simulated attack source for DDoS attacks against the cluster under test and helps improve the accuracy of tests of the cluster's DDoS protection effectiveness and limit performance. In addition, the DDoS attack testing method and device of the invention can run on any hardware that supports the Linux kernel, so no hardware specially designed for DDoS attack testing is needed, which noticeably reduces the cost of DDoS attack test products and helps improve the flexibility of DDoS testing; the invention can meet the technical needs of product lines, and in particular of many different product lines, for on-line and off-line testing and evaluation of protocol-layer/application-layer DDoS attacks, and for research into new network technologies.
Description of the drawings
Fig. 1 is a flow chart of the first embodiment of the DDoS attack testing method of the present invention;
Fig. 2 is a flow chart of the second embodiment of the DDoS attack testing method of the present invention;
Fig. 3 is the first schematic structural diagram of the DDoS attack testing system of the present invention;
Fig. 4 is a flow chart of the third embodiment of the DDoS attack testing method of the present invention;
Fig. 5 is the second schematic structural diagram of the DDoS attack testing system of the present invention;
Fig. 6 is a flow chart of the fourth embodiment of the DDoS attack testing method of the present invention;
Fig. 7 is the third schematic structural diagram of the DDoS attack testing system of the present invention;
Fig. 8 is a schematic structural diagram of the link simulation module of the DDoS attack testing device of the present invention.
Embodiments
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of the first embodiment of the DDoS attack testing method of the present invention. As shown in Fig. 1, this embodiment comprises:
Step 11: modify the network subsystem (Network Subsystem) and the memory management subsystem (Memory Management Subsystem) of the Linux kernel.
The modification to the network subsystem comprises: removing the spin lock (Qdisc) contained in the flow-control module of the Linux kernel network subsystem; and, according to a predefined packet format, extending the kernel packet sender (pktgen) in the kernel network subsystem to allow customized packet fields.
The modification to the memory management subsystem comprises: setting the attribute of the packet memory allocation interface function provided by the Linux kernel memory management subsystem so that it allocates memory from a private memory pool of each CPU, and setting the attribute of the packet memory release interface function so that it releases memory into the private memory pool of each CPU.
Step 12: call the kernel packet sender in the modified kernel network subsystem to generate massive packets, and send the generated packets to the cluster under test; the source address of each generated packet changes randomly within a preset range, and the destination address is the service address provided by the cluster under test.
Step 13: when a response packet returned by the cluster under test is received, discard the response packet sent by the cluster under test; or, based on the modified Linux kernel, send a partial request packet to the cluster under test; or, based on the modified Linux kernel, send a complete request packet to the cluster under test and, when the request response packet returned by the cluster under test is received, discard that request response packet.
This embodiment modifies code or functions in the Linux kernel and, based on the modified Linux kernel, sends massive packets with randomly changing source addresses to the cluster under test.
If the response packets returned by the cluster under test are discarded on receipt, a simulation of a protocol-level DDoS connection exhaustion attack can be realized;
if, on receiving a response packet, only a partial data segment of a complete request packet (that is, a partial request packet) is sent to the cluster under test, a simulation of an application-layer slow-connection (read timeout) attack can be realized;
if, on receiving a response packet, a complete request packet is sent to the cluster under test, and all response packets subsequently sent by the cluster under test in reply to that request are discarded on receipt, a simulation of an application-layer slow-connection (write timeout) attack can be realized.
Because this embodiment is based on a modified Linux kernel, it realizes, against the cluster under test, the simulation of several kinds of DDoS attack, including protocol-layer connection exhaustion attacks, application-layer connection exhaustion attacks and application-layer slow-connection attacks, and can serve as a simulated attack source for DDoS attacks against the cluster under test, helping the accuracy of tests of the cluster's DDoS protection effectiveness and limit performance. In addition, the DDoS attack testing method of this embodiment can run on any hardware that supports the Linux kernel, so no hardware specially designed for DDoS attack testing is needed, which noticeably reduces the cost of DDoS attack test products and helps improve the flexibility of DDoS testing.
Fig. 2 is a flow chart of the second embodiment of the DDoS attack testing method of the present invention. This embodiment takes a distributed synchronize-flood (SYN-FLOOD) attack as an example to describe the technical solution by which a protocol-layer DDoS attack is simulated on the basis of the Linux kernel. Fig. 3 is the first schematic structural diagram of the DDoS attack testing system of the present invention; the embodiment shown in Fig. 2 can be based on the system structure shown in Fig. 3. With reference to Fig. 2 and Fig. 3, the DDoS attack testing method of the present invention comprises:
Step 21: modify the kernel network subsystem and the memory management subsystem of Linux kernel A11.
Step 21 can comprise step 211, step 212 and step 213.
Step 211: remove the spin lock (Qdisc) contained in the flow-control module of the Linux kernel network subsystem.
A spin lock is a kind of lock introduced specifically to guard against concurrent access on multiprocessors; it is widely used in kernel components such as interrupt handling. A spin lock can be held by at most one kernel task; if a kernel task tries to acquire a spin lock that is contended or already held, the task busy-loops until the spin lock becomes available again; if the spin lock is not contended, the requesting kernel task acquires it immediately and proceeds. After step 21 removes the spin lock (Qdisc) from the Linux kernel code, lock-free packet sending is realized: kernel tasks run concurrently on the multiprocessor and compete for shared resources, which raises the packet-processing capability of the Linux kernel.
Step 212: modify the packet memory allocation interface function dev_alloc_skb and the memory release interface function kfree_skb provided by the memory management subsystem so that they allocate and release memory in a private memory pool of each CPU.
In the prior art, dev_alloc_skb allocates packet memory from a global memory pool, and kfree_skb releases memory into the global memory pool. On a multi-CPU system, or on a single CPU with multiple cores/threads, the spin lock protecting the global memory pool must be contended for. If the two interfaces are modified to allocate and release memory in a private memory pool of each CPU, contention for the protection spin lock of the memory pool is avoided and packet-processing speed is further improved; that is: the attribute of the packet memory allocation interface function provided by the Linux kernel memory management subsystem is set so that it allocates memory from a private memory pool of each CPU, and the attribute of the packet memory release interface function is set so that it releases memory into the private memory pool of each CPU.
On some hardware platforms with Microprocessor without Interlocked Pipeline Stages (MIPS) processors, for example the XLR7 series processors of RMI Corporation, the hardware memory management mechanism provided by the platform can be used for this purpose; for example, dev_alloc_skb and kfree_skb can call the Fast Message Ring (FMR) interface provided by the XLR-732 processor, so that allocation and release of packet memory is carried out by the hardware memory management mechanism built into the XLR-732 processor.
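Step 212 above moves packet buffer allocation and release into per-CPU private pools so that the lock on the global pool is rarely touched. The following Python model is added here as an illustration and is not the patent's kernel code nor Linux's: a global pool guarded by a lock stands in for the prior-art behaviour of dev_alloc_skb/kfree_skb, and per-CPU pools refill from it and spill back to it in batches. The class and function names, the batch size of 16 and the burst workload are assumptions of this illustration; the lock is counted rather than contended, so the difference is measurable without threads.

```python
"""Per-CPU packet buffer pools with a locked global pool as fallback.

Added illustration (not the patent's kernel code): models the change step
212 describes, where each CPU allocates and frees packet buffers in its own
private pool and only touches the shared global pool, and its lock, when the
private pool runs empty or overflows.
"""
from collections import deque
import threading


class GlobalPool:
    """Shared pool protected by one lock; stands in for the prior-art global pool."""

    def __init__(self, nbufs):
        self.free = deque(range(nbufs))  # buffer ids, stand-ins for sk_buffs
        self.lock = threading.Lock()
        self.lock_acquisitions = 0       # how often the shared lock was taken

    def take(self, n):
        with self.lock:
            self.lock_acquisitions += 1
            return [self.free.popleft() for _ in range(min(n, len(self.free)))]

    def give(self, bufs):
        with self.lock:
            self.lock_acquisitions += 1
            self.free.extend(bufs)


class PerCpuPools:
    """One private pool per CPU, refilled from / spilled to the global pool in batches."""

    def __init__(self, global_pool, ncpus, batch=16):
        self.g = global_pool
        self.batch = batch
        self.local = [deque() for _ in range(ncpus)]

    def alloc(self, cpu):
        """dev_alloc_skb analogue: serve from the CPU's private pool, and only
        when it is empty take one batch from the global pool (one lock acquisition)."""
        pool = self.local[cpu]
        if not pool:
            refill = self.g.take(self.batch)
            if not refill:
                return None  # global pool exhausted
            pool.extend(refill)
        return pool.pop()

    def free(self, cpu, buf):
        """kfree_skb analogue: return to the private pool, and only when it
        grows past two batches spill one batch back to the global pool."""
        pool = self.local[cpu]
        pool.append(buf)
        if len(pool) > 2 * self.batch:
            spill = [pool.popleft() for _ in range(self.batch)]
            self.g.give(spill)


def global_lock_acquisitions(n_bursts, burst=40, ncpus=4, batch=16, per_cpu=True):
    """Run n_bursts of `burst` allocations followed by `burst` frees (a receive
    burst), assigning bursts round-robin to CPUs, and return how many times the
    global lock was taken. per_cpu=False goes straight to the global pool, as in
    the prior art, so every alloc and every free takes the lock."""
    g = GlobalPool(nbufs=4096)
    pools = PerCpuPools(g, ncpus, batch)
    for b in range(n_bursts):
        cpu = b % ncpus
        if per_cpu:
            held = [pools.alloc(cpu) for _ in range(burst)]
            for buf in held:
                pools.free(cpu, buf)
        else:
            held = [g.take(1)[0] for _ in range(burst)]
            for buf in held:
                g.give([buf])
    return g.lock_acquisitions


if __name__ == "__main__":
    print("global pool only:", global_lock_acquisitions(10, per_cpu=False))  # 800
    print("per-CPU pools:   ", global_lock_acquisitions(10))                 # 28
```

With ten bursts of 40 packets the prior-art path takes the shared lock 800 times, while the per-CPU pools take it 28 times: a CPU's first burst costs three refills and one spill, and every later burst costs one refill and one spill, because the private pool retains up to two batches between bursts.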
Step 213: modify the kernel packet sender (pktgen) in the Linux kernel network subsystem, extending the packet fields that the kernel packet sender (pktgen) allows to be customized.
In the prior art, the Linux kernel packet sender (pktgen) can only send a limited number of packet types and is not very customizable. This step extends the packet fields that the kernel packet sender (pktgen) allows to be customized, including: each field contained in the Ethernet frame header, each field contained in the IP header and each field contained in the TCP header, as well as the payload content and length; the kernel sending function pktgen_if_write in the packet sender pktgen performs the corresponding settings according to the values of the above fields in the data structure and generates the packet. Because each field of the skb kernel data structure can be freely customized and combined through configuration after the extension, the payload length/content of the sent packets can also be freely customized through configuration. Instead of using the kernel packet sender (pktgen), this step can also directly add a packet-sending thread to the kernel packet-processing framework.
Step 22: packet generation module A12 calls the packet sender (pktgen) of the modified Linux kernel to generate massive packets, and sets the attributes of the packets according to the predefined DDoS attack simulation type.
Suppose the DDoS attack simulation type to be simulated is a synchronize-flood (SYN-FLOOD) attack and the service cluster under test is a Web service cluster; step 22 then comprises:
Step 221: set the destination IP address of the generated packets to the service IP provided by the Web service cluster, and randomly pick an IP address within a predefined range as the source IP address.
With this setting, massive packets with different source IP addresses can be formed that all point at the same destination address.
Step 222: set the destination MAC address of the generated packets to the interface MAC of the Web service cluster, and set the source MAC address of the packets to a non-existent MAC address (that is, a pseudo MAC address).
With this setting, when the Web service cluster returns a response packet, the response packet cannot be delivered and is dropped, because the source MAC address of the packet was a pseudo MAC address.
Step 223: set the packet protocol type to TCP, and set the synchronize (SYN) flag bit in the flags subfield of the TCP options.
To make the packets generated by the packet generation module more similar to the packets sent by a Linux host or a Windows host, the time to live (TTL) field of the TCP packets can be set to change randomly within [60-62] or [120-125].
To bring the packets generated by the packet generation module closer to the packets in a real network environment, the TCP options can also be set to support the maximum segment size (Maximum Segment Size, abbreviated MSS) and timestamp options.
Step 23: packet generation module A12 sends the generated packets to Web service cluster A8 under test via layer-2 aggregation device A7.
Because the settings of step 221 and step 222 produce massive packets with different source IP addresses that all point at the same destination address, namely the Web service cluster, the packet generation module can send massive packets with different source addresses to the Web service cluster.
Step 24: Web service cluster A8 returns a response packet (SYN/ACK packet) when it receives a packet (SYN packet).
Step 25: layer-2 aggregation device A7 discards the packet (SYN/ACK packet) returned by Web service cluster A8.
Because of the setting in step 223, when the Web service cluster returns a response packet, the response packet cannot be delivered, since the source MAC address of the packet was a pseudo MAC address, and it is therefore discarded by the layer-2 aggregation device.
In this embodiment the packet generation module continuously sends massive SYN packets to the Web service cluster, and the SYN/ACK response packets returned by the Web service cluster are discarded by the layer-2 aggregation device, so that a large number of connections are set up at the protocol layer and consume a large amount of the Web service cluster's resources; this provides the Web service cluster under test with a high-fidelity simulated protocol-layer DDoS attack, as in a real network environment, and helps improve the accuracy of tests of the Web service cluster's security protection performance and limit performance.
Fig. 4 is a flow chart of the third embodiment of the DDoS attack testing method of the present invention. This embodiment takes the TCP/IP connection establishment process as an example to describe the technical solution by which an application-layer DDoS attack is simulated on the basis of the Linux kernel. Fig. 5 is the second schematic structural diagram of the DDoS attack testing system of the present invention; the embodiment shown in Fig. 4 can be based on the system structure shown in Fig. 5. With reference to Fig. 4 and Fig. 5, the DDoS attack testing method of the present invention comprises:
Step 41: modify the kernel network subsystem, the memory management subsystem and the packet filtering framework (Netfilter) of Linux kernel A11.
For the modification of the kernel network subsystem and memory management subsystem of Linux kernel A11 in this step, refer to the description of step 21 in the embodiment shown in Fig. 2; it is not repeated here.
The modification to the packet filtering framework of the Linux kernel in this step comprises: at the PRE_ROUTING point of the packet filtering framework, adding a hook function (hereinafter the PRE_ROUTING_Hook point) that directly reverses a packet's source/destination addresses after the packet is received. Specifically, a new hook (Hook) function is added at the PRE_ROUTING point of the packet filtering framework of Linux kernel A11; after receiving a packet that carries the SYN/ACK flags and whose source MAC address is the MAC address of the host on which packet reflecting module A13 resides, this function directly reverses the packet's source/destination IP addresses and source/destination MAC addresses, sets the ACK flag bit and the other necessary fields on the packet (for example, the ACK sequence number is the sequence number of the SYN/ACK packet plus 1), and sends it through packet reflecting module A13. This step avoids repeated calls by reflecting module A13 to the kernel's packet allocation/release functions, and can further improve the packet-processing capability of packet reflecting module A13.
Step 42: packet generation module A12 calls the packet sender (pktgen) of the modified Linux kernel to generate massive packets.
Different from the setting of the packets' source MAC address in step 223 of the embodiment shown in Fig. 2, the source MAC address of the packets in this embodiment is set to the MAC address of the network card of the host on which packet reflecting module A13 resides, and the default gateway IP address of the cluster under test is set to the IP address of the network card of the host on which packet reflecting module A13 resides.
With this setting, packet reflecting module A13 receives the outbound traffic sent by Web service cluster A8 via the layer-2 aggregation device and sends the response packets.
Step 43: packet generation module A12 sends the generated packets to Web service cluster A8 under test via layer-2 aggregation device A7.
Step 44: when Web service cluster A8 receives a SYN packet, it returns a SYN/ACK response packet.
Step 45: layer-2 aggregation device A7 sends the SYN/ACK packet returned by Web service cluster A8 to packet reflecting module A13.
Step 46: packet reflecting module A13 constructs an ACK packet as described in step 41, directly calls the network card's packet send function hard_start_xmit, and sends the reused ACK packet to the Web service cluster via the layer-2 aggregation device.
Step 47: the Web service cluster receives the ACK packet from packet reflecting module A13 and waits for the request packet (GET request packet) from packet reflecting module A13.
At this moment, from the Web server's point of view, TCP connection establishment between the Web service cluster and packet reflecting module A13 is complete, and the Web service cluster allocates system resources and waits for the request packet that packet reflecting module A13 will send next.
Step 48: according to the predefined DDoS attack simulation type, packet reflecting module A13 gives different feedback to the Web service cluster via the layer-2 aggregation device.
Steps 481 to 483 are the specific implementations of three different application-layer DDoS attack simulation types.
Step 481: when the predefined DDoS attack simulation type is an application-layer DDoS connection exhaustion attack simulation, packet reflecting module A13 does not send a GET request packet to the Web service cluster.
After the above steps, packet reflecting module A13 has established massive connections with the Web service cluster, and the Web service cluster has allocated resources for each of these connections; this step attempts, by establishing a large number of connections, to exhaust the Web service cluster's resources and make it stop responding, thus realizing the simulation of an application-layer distributed connection exhaustion attack.
Step 482: when the predefined DDoS attack simulation type is an application-layer DDoS slow-connection read-timeout attack simulation, packet reflecting module A13 calls the Linux kernel packet-sending function, sends a partial GET request packet, and discards the response packets from the Web service cluster.
Packet reflecting module A13 calls the network card send function hard_start_xmit to divide the request (GET) packet into multiple data segments and sends partial data segments of the complete request packet to the Web service cluster one after another at a preset time interval, that is, it sends partial request (GET) packets. The interval at which partial request packets are sent can be set according to the operating system and hardware on which the Linux kernel actually runs, for example to 100us. This step attempts to keep a large number of processes of the Web service cluster in the state of waiting for the user's request (read state), thus realizing the simulation of an application-layer DDoS slow-connection read-timeout attack.
DDoS slow-connection read-timeout attacks are a common attack against Web applications. For example, apache-httpd can use a timeout-disconnect mechanism against attackers that only connect and send no request, to prevent server overload, but it has no suitable timeout mechanism for attackers that connect and send only part of a request, so this kind of attack is very common against Web applications based on apache-httpd. This embodiment can provide a simulated DDoS attack source for Web service clusters that need DDoS slow-connection read-timeout attack testing, helping to improve the accuracy of tests of the Web service cluster's security protection performance and limit performance.
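The gap described in the paragraph above is that an idle timeout never fires while bytes keep trickling in. The following Python example is added here as an illustration and is not code from the patent or from apache-httpd: it puts the plain idle-timeout policy the text describes beside a total request-header deadline, and runs both over constructed connection records. The limits (5 s idle, 20 s for the whole header), the record layout and the function names are assumptions of this illustration.

```python
"""Connection-timeout policies for partially sent HTTP requests.

Added illustration, not code from the patent or from apache-httpd: contrasts
a plain idle timeout (drop only when nothing arrives for a while) with a total
request-header deadline that also catches a client trickling its request one
byte at a time. The connection records at the bottom are constructed samples.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

HEADER_END = b"\r\n\r\n"  # terminator of an HTTP/1.x request header


@dataclass
class Conn:
    cid: str
    opened: float                                   # time the TCP connection was accepted
    chunks: List[Tuple[float, bytes]] = field(default_factory=list)  # (arrival time, bytes)

    def received(self) -> bytes:
        return b"".join(data for _, data in self.chunks)

    def last_activity(self) -> float:
        return max([self.opened] + [t for t, _ in self.chunks])


def idle_timeout_only(conn: Conn, now: float, idle_limit: float) -> str:
    """The policy the text attributes to apache-httpd: the connection survives
    as long as something keeps arriving, however slowly."""
    if HEADER_END in conn.received():
        return "keep"
    return "drop" if now - conn.last_activity() > idle_limit else "keep"


def classify(conn: Conn, now: float, idle_limit: float = 5.0, header_limit: float = 20.0) -> str:
    """Header-deadline policy: the complete request header must arrive within
    header_limit seconds of accept, regardless of how often bytes trickle in."""
    if HEADER_END in conn.received():
        return "complete"
    if now - conn.last_activity() > idle_limit:
        return "idle"          # silent client: the idle timeout already handles this
    if now - conn.opened > header_limit:
        return "slow_header"   # still active, but the header is overdue: only the deadline catches it
    return "pending"           # young connection, within both limits


def summarize(conns, now, **limits):
    """Count verdicts over a set of connections, e.g. for a periodic reaper."""
    counts = {}
    for c in conns:
        verdict = classify(c, now, **limits)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample: a clock at t=60 and four connections in different states.
NOW = 60.0
SAMPLE = [
    Conn("normal", 50.0, [(50.1, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]),
    Conn("silent", 40.0, []),                                   # connected, never sent anything
    Conn("trickle", 0.0, [(0.5, b"GET / HTTP/1.1\r\nX-Pad: ")]  # one byte every 4 s for a minute
         + [(4.0 * i, b"a") for i in range(1, 15)]),
    Conn("fresh", 58.0, [(58.5, b"GET / HTTP")]),               # just arrived, header still in flight
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.cid:8s} idle-only={idle_timeout_only(c, NOW, 5.0):4s} deadline={classify(c, NOW)}")
    print(summarize(SAMPLE, NOW))
```

The "trickle" record is the case the text describes: its last byte arrived 4 s ago, so the idle-only policy keeps it, while the header deadline flags it because the header is still incomplete a full minute after accept. The "fresh" record shows the deadline does not punish a legitimately young connection.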
Step 483: when the predefined DDoS attack simulation type is an application-layer DDoS slow-connection write-timeout attack simulation, packet reflecting module A13 calls the Linux kernel packet-sending function, sends a complete GET request packet, and discards the response packets subsequently sent by the Web service cluster.
For an HTTP request whose response data is very long (for example a video stream), the response data has to be sent in multiple packets; if the Web service cluster does not receive acknowledgment packets (ACK) from the packet reflecting module for the response data it sends, the Web server side will block on writing. This embodiment can provide a simulated DDoS attack source for Web service clusters that need DDoS slow-connection read-timeout attack testing, helping to improve the accuracy of tests of the Web service cluster's security protection performance and limit performance.
Besides the three attacks described above, simulation can also be realized for DDoS attacks of the kind that shrink the TCP receive window.
Fig. 6 is a flow chart of the fourth embodiment of the DDoS attack testing method of the present invention. On the basis of the technical schemes of the first to third embodiments of the DDoS attack testing method above, this embodiment can further include: based on the modified Linux kernel, applying send-delay control or selective packet-loss control to the packets exchanged with the cluster under test, that is, to the packets exchanged between the packet generation module and packet reflecting module on one side and the cluster under test on the other, so as to simulate the delay or packet loss of a real link. Fig. 7 is a schematic diagram of the third structure of the DDoS attack test system of the present invention. The embodiment shown in Fig. 6 can be based on the system structure shown in Fig. 7. Referring to Fig. 6 and Fig. 7, the DDoS attack testing method of the present invention includes:
Step 61: discard the downlink packets that match the preset packet filtering rules.
Step 61 can specifically include the following steps:
Step 611: according to the preset packet filtering rules, and using the modified packet filtering framework, generate the integer grid.
Step 612: assign each packet a random number within a preset range as the packet's number; from the packet's number and the packet size, compute the position of the packet's corresponding cell in the integer grid.
Step 613: according to the control value of the integer grid cell at the position computed in step 612, choose to discard or keep the packet.
Example:
Suppose the size of a downlink packet is between 1 byte and 500 bytes. Table 1 gives the relation between packet size and packet loss rate in a real network environment, where the probability distribution of the packet loss follows a normal distribution.
Table 1: relation between packet size and packet loss rate

Packet size (bytes)    Packet loss rate
1-50                   0.0175
51-100                 0.0439
101-150                0.2178
151-200                0.2178
201-250                0.3332
251-300                0.3331
301-350                0.2178
351-400                0.1109
401-450                0.0439
451-500                0.0175
Now the normally distributed packet loss rate by packet size has to be simulated. Suppose the integer grid is a two-dimensional array of 10 rows × 10000 columns. For a packet of length n and number m, the position of its corresponding cell in the integer grid, i.e. the grid subscript, is (n mod 10, m mod 10000), where n and m are integers greater than 0. If the control value at the subscript position is "0", the packet is kept; if the control value at the subscript position is "1", the packet is discarded. By setting the number of "1" control values in row i (1 ≤ i ≤ 10) so that this number divided by 10000 equals the value of row i in Table 2, the normally distributed packet loss by packet size can be simulated.
By the Monte Carlo principle, since the packet number m is uniformly distributed, the probability that the control value at the packet's grid position is "0" or "1" is determined by the number of "0" and "1" control values distributed in the integer grid; so as long as the ratio of "0" to "1" control values in each row of the grid meets the requirement of the normal distribution, there is no particular requirement on where the "0"s and "1"s are placed.
Obviously, the finer the grid, the better the simulation of the normally distributed packet loss. In practice, a fixed two-dimensional integer array of 4096 rows × 4096 columns can be used as the grid.
If the percentage of "0" and "1" control values is a constant in every row of the grid, this degenerates into a uniform distribution; that is a special case of selective packet-loss control.
The advantage of using the grid is that once the grid has been computed and set up, only one random number needs to be generated per packet afterwards, followed by two modulo operations on the packet size and packet number; no complicated function has to be called to compute the loss rate, so under high traffic the data throughput is improved significantly.
On the basis of the above technical scheme, by adjusting the preset packet filtering rules, probabilistic packet loss can be realized according to the distribution of packet type, packet content or packet size; by adjusting the generation algorithm of the integer grid, specific probability distribution models can be realized, such as uniform, Poisson and normal packet-loss models, which makes the DDoS attack simulated with this embodiment more realistic.
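The grid-based selective packet loss of steps 611-613, worked through in user space as an added example (this is not code from the patent). It assumes the 10 × 10000 grid and the loss rates of Table 1; one deliberate deviation, noted in the code, is that the grid row is chosen from the 50-byte size bucket (n - 1) / 50 rather than n mod 10, so that row i really carries the i-th rate of the table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRID_ROWS 10      /* one row per 50-byte size bucket of Table 1 */
#define GRID_COLS 10000   /* resolution of the per-row loss probability  */
#define MAX_PKT_BYTES 500

/* Loss probability per size bucket, copied from Table 1 above. */
static const double kLossRate[GRID_ROWS] = {
    0.0175, 0.0439, 0.2178, 0.2178, 0.3332,
    0.3331, 0.2178, 0.1109, 0.0439, 0.0175
};

/* Control grid: 0 = keep the packet, 1 = drop it. */
static uint8_t grid[GRID_ROWS][GRID_COLS];

/* Step 611: build the grid once. Row i receives round(p_i * GRID_COLS)
 * "1" cells; by the Monte Carlo argument their position inside the row
 * does not matter, so they are simply placed at the front of the row. */
void build_grid(void)
{
    for (int i = 0; i < GRID_ROWS; i++) {
        int ones = (int)(kLossRate[i] * GRID_COLS + 0.5);
        memset(grid[i], 0, GRID_COLS);
        memset(grid[i], 1, (size_t)ones);
    }
}

/* Number of "1" cells in a row (what the grid generator must get right). */
int ones_in_row(int row)
{
    int count = 0;
    for (int j = 0; j < GRID_COLS; j++)
        count += grid[row][j];
    return count;
}

/* Map a packet length to its grid row. Assumption of this example: the
 * bucket index (n - 1) / 50 is used instead of the page's "n mod 10", so
 * that row i carries the i-th loss rate of Table 1. */
int row_for_size(int n)
{
    if (n < 1) n = 1;
    if (n > MAX_PKT_BYTES) n = MAX_PKT_BYTES;
    return (n - 1) / 50;
}

/* Steps 612-613: one random number m per packet, two modulo operations,
 * one table lookup. Returns 1 to drop the packet, 0 to keep it. */
int should_drop(int n, uint32_t m)
{
    return grid[row_for_size(n)][m % GRID_COLS];
}

/* Exhaustive check for one packet size: drops over all 10000 numbers. */
int drops_for_size(int n)
{
    int drops = 0;
    for (uint32_t m = 0; m < GRID_COLS; m++)
        drops += should_drop(n, m);
    return drops;
}

/* xorshift32: a cheap per-packet random number source for the demo. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Empirical loss rate over `packets` constructed packets of length n. */
double empirical_loss(int n, int packets, uint32_t seed)
{
    uint32_t state = seed ? seed : 1;
    int drops = 0;
    for (int i = 0; i < packets; i++)
        drops += should_drop(n, xorshift32(&state));
    return (double)drops / packets;
}

int main(void)
{
    build_grid();
    for (int n = 25; n <= MAX_PKT_BYTES; n += 50)
        printf("%3d-byte packets: target %.4f, observed %.4f\n",
               n, kLossRate[row_for_size(n)],
               empirical_loss(n, 200000, 0x9E3779B9u));
    return 0;
}
```

A constant rate such as the 0.1% of the ADSL configuration later on the page is simply a grid in which every row holds 10 "1" cells.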
Step 62: when receiving the downlink packets sent by the packet generation module and the packet reflecting module, the link simulator sets the delayed-send time information of each packet, i.e. it sets the delay value of the packet.
Step 63: the link simulator uses the POST_ROUTING hook point of the Linux kernel packet processing framework to generate the downlink packet transmit queue, where an added field of each packet in the downlink packet transmit queue records the enqueue timestamp. This timestamp is added to the packet at the PRE_ROUTING hook point, when the link simulator builds the downlink packet transmit queue at the PRE_ROUTING hook point of the packet processing framework.
The enqueue timestamp combines the time at which the packet enters the downlink packet transmit queue with the packet's delay value set in step 61. For example, suppose the delay value set for the packet is t and the packet enters the queue at time ti; then the enqueue timestamp is Ti = ti + t.
Step 64: the link simulator uses the POST_ROUTING hook point to poll the enqueue timestamp of the first packet in the downlink packet transmit queue, compares the enqueue timestamp of the first packet with the current time, and sends the first packet when its enqueue timestamp is less than or equal to the current time.
In this way, the send time of the first packet after delay processing is postponed by the preset delay value t relative to the send time it would have had without delay processing.
In addition, an uplink packet transmit queue is built for the uplink packets sent by the Web service cluster to the packet generation module or packet reflecting module; the delay control method for uplink packets is similar to steps 62-64 and is not repeated here.
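The delay control of steps 62-64 reduced to its data structure, as an added example that is not part of the patent: a FIFO transmit queue whose entries carry the enqueue timestamp Ti = ti + t, polled from the head and released only once Ti is not later than the current time. Times are in microseconds, the queue capacity is a demo value, and the packet identifiers are constructed; the two instances in main mirror the separate downlink and uplink queues the text describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_CAP 1024   /* capacity of one transmit queue (demo value) */

/* One queued packet: the page's "added field" holding the enqueue
 * timestamp Ti = ti + t, plus a constructed packet identifier. */
typedef struct {
    uint64_t send_at_us;     /* Ti: enqueue time ti plus delay t */
    int id;                  /* constructed packet identifier */
} queued_pkt;

/* FIFO transmit queue as in step 63 (one instance per direction). */
typedef struct {
    queued_pkt slots[QUEUE_CAP];
    int head, count;
    uint64_t delay_us;       /* step 62: delay value t for this direction */
} tx_queue;

void tx_queue_init(tx_queue *q, uint64_t delay_us)
{
    memset(q, 0, sizeof *q);
    q->delay_us = delay_us;
}

/* Step 63: the packet enters the queue at now_us and is stamped with Ti.
 * Returns 0 on success, -1 when the queue is full (caller drops). */
int tx_queue_enqueue(tx_queue *q, int id, uint64_t now_us)
{
    if (q->count == QUEUE_CAP)
        return -1;
    int tail = (q->head + q->count) % QUEUE_CAP;
    q->slots[tail].id = id;
    q->slots[tail].send_at_us = now_us + q->delay_us;
    q->count++;
    return 0;
}

/* Step 64: poll the first packet; release it only when Ti <= now.
 * Returns the id of the packet to send, or -1 if nothing is due yet. */
int tx_queue_poll(tx_queue *q, uint64_t now_us)
{
    if (q->count == 0)
        return -1;
    queued_pkt *first = &q->slots[q->head];
    if (first->send_at_us > now_us)
        return -1;
    int id = first->id;
    q->head = (q->head + 1) % QUEUE_CAP;
    q->count--;
    return id;
}

int tx_queue_len(const tx_queue *q)
{
    return q->count;
}

int main(void)
{
    tx_queue down, up;
    tx_queue_init(&down, 10000);  /* 10 ms downlink delay */
    tx_queue_init(&up, 5000);     /*  5 ms uplink delay   */
    tx_queue_enqueue(&down, 1, 0);
    tx_queue_enqueue(&up, 2, 0);
    /* Poll both queues once per millisecond of simulated time. */
    for (uint64_t now = 0; now <= 12000; now += 1000) {
        int d = tx_queue_poll(&down, now);
        int u = tx_queue_poll(&up, now);
        if (d >= 0)
            printf("t=%5llu us: send downlink packet %d\n",
                   (unsigned long long)now, d);
        if (u >= 0)
            printf("t=%5llu us: send uplink packet %d\n",
                   (unsigned long long)now, u);
    }
    return 0;
}
```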
On the basis of simulating the DDoS attack source, this embodiment also simulates link delay, so that the DDoS attack simulation takes the delay of the physical link into account; the realism of the DDoS attack is more reliable, which helps improve the accuracy of testing the security protection capability and limit performance of the Web service cluster.
The delay value set for a packet in step 62 can be the delay value that users actually experience in the real network environment. For example, in a real network environment the uplink and downlink delay and packet loss experienced by an ADSL user differ; suppose the downlink delay is 10 ms with 0.1% packet loss and the uplink delay is 5 ms with 0.2% packet loss. This situation can be simulated with the following configuration:
Preset the packet loss rate of downlink packets to a constant 0.1% with a delay of 10 ms, and preset the packet loss rate of uplink packets to a constant 0.2% with a delay of 5 ms; then, using the technical scheme of steps 61-64, the delay and packet loss of a real link are realized for the packets.
Because this embodiment is based on the Linux kernel, it simulates for the cluster under test multiple DDoS attack types, such as protocol-layer connection exhaustion attacks, application-layer connection exhaustion attacks and application-layer slow connection attacks, and can at the same time simulate the delay and packet loss of the link, so that the simulated DDoS attack is closer to a DDoS attack in a real network environment. The method of the embodiment of the invention forms an emulated source of DDoS attacks against the cluster under test and helps the accuracy of testing the DDoS protection effectiveness and limit performance of the cluster under test. In addition, the DDoS attack testing method of this embodiment can run on any hardware that supports the Linux kernel, so no hardware specially designed for DDoS attack testing is needed, which obviously reduces the cost of DDoS attack test products and helps improve the flexibility of DDoS testing. The DDoS attack testing method of the present invention can satisfy the technical needs of product lines, in particular of many different product lines, for testing and evaluating protocol-layer/application-layer DDoS attacks both offline and online, and for researching new kinds of network attacks.
On the basis of the above technical scheme, the present invention also provides a DDoS attack testing apparatus. The structure of the DDoS attack testing apparatus can be seen in Fig. 3, Fig. 5 and Fig. 7. Specifically, DDoS attack testing apparatus A1 can include: Linux kernel A11, packet generation module A12 and packet reflecting module A13; packet generation module A12 and packet reflecting module A13 are each communicatively connected to Linux kernel A11.
Linux kernel A11 provides the network subsystem API and the memory management subsystem application programming interface of the modified kernel. The modification to the network subsystem includes removing the spin lock contained in the flow-control module of the Linux kernel network subsystem, and, according to a predefined packet format, extending the kernel packet sender in the kernel network subsystem so that customized packet fields are allowed. The modification to the memory management subsystem includes: setting the attribute of the packet memory allocation interface function provided by the Linux kernel memory management subsystem so that memory is allocated from the private memory pool of each CPU, and setting the attribute of the packet memory release interface function so that memory is released to the private memory pool of each CPU.
Packet generation module A12, based on Linux kernel A11, calls the kernel packet sender in the modified kernel network subsystem to generate a large number of packets and sends the generated packets to the cluster under test; the source address of the generated packets changes randomly within a preset range, and the destination address is the service address provided by the cluster under test.
Packet reflecting module A13, when receiving a response packet returned by the cluster under test, discards the response packet sent by the cluster under test; or, based on the modified Linux kernel, sends a partial request packet to the cluster under test; or, based on the modified Linux kernel, sends a complete request packet to the cluster under test and, when receiving the request response packet returned by the cluster under test, discards that request response packet.
On the basis of the above technical scheme, Linux kernel A11 also provides the modified packet filtering framework. The modification to the packet filtering framework includes: at the PRE_ROUTING point of the packet filtering framework, adding a hook function that directly swaps the source/destination addresses of a packet after it is received.
On the basis of the above technical scheme, DDoS attack testing apparatus A1 can also include link simulation module A14; link simulation module A14 is communicatively connected to Linux kernel A11, packet generation module A12 and packet reflecting module A13 respectively.
Link simulation module A14, based on the modified Linux kernel A11, applies send-delay control or selective packet-loss control to the packets exchanged between packet generation module A12 and packet reflecting module A13 on one side and the cluster under test on the other.
Fig. 8 is a schematic diagram of the structure of the link simulation module of the DDoS attack testing apparatus of the present invention. As shown in Fig. 8, on the basis of the above technical scheme, link simulation module A14 can further include:
Packet filtering unit A141, which discards the packets that match the preset packet filtering rules.
Delay calculation unit A142, which computes, for each packet exchanged between packet generation module A12, packet reflecting module A13 and the cluster under test, the delay time information for the delayed sending of that packet;
Packet transmit queue generation unit A143, which, based on the modified Linux kernel A11, generates an uplink or downlink packet transmit queue from the packets exchanged between packet generation module A12, packet reflecting module A13 and the cluster under test, where an added field of each packet in the packet transmit queue records the enqueue timestamp; the enqueue timestamp combines the time at which the packet enters the packet transmit queue with the delay time information corresponding to the packet;
Delayed sending unit A144, which polls the enqueue timestamp of the first packet in the packet transmit queue, compares the enqueue timestamp of the first packet with the current time, and sends the first packet when its enqueue timestamp is less than or equal to the current time.
Specifically, packet filtering unit A141 can include:
Integer grid generation subunit A1411, which generates the integer grid according to the preset packet filtering rules.
Position mapping subunit A1412, which assigns each packet a random number within a preset range as the packet's number and computes, from the packet's number and the packet size, the position of the packet's corresponding cell in the integer grid.
Filtering subunit A1413, which, according to the value in the integer grid at that position, chooses to discard or keep the packet.
The present invention also provides a DDoS attack test system. The system comprises the DDoS attack testing apparatus, a layer-2 aggregation device and the cluster under test, where the DDoS attack testing apparatus is communicatively connected to the cluster under test through the layer-2 aggregation device; while the system is running, the packets exchanged between the DDoS attack testing apparatus and the cluster under test are filtered and forwarded by the layer-2 aggregation device.
The structure of the DDoS attack test system provided by the invention is shown in Fig. 3, Fig. 5 and Fig. 7; for the DDoS attack apparatus included in the system, refer to the description of the DDoS attack testing apparatus embodiment of the present invention, and for the operating principle of the system, refer to the detailed description of the DDoS attack testing method embodiments of the present invention, which are not repeated here.
Those of ordinary skill in the art will appreciate that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those of ordinary skill in the art will appreciate that the modules in the apparatus of an embodiment may be distributed in the apparatus as described in the embodiment, or may be changed accordingly and placed in one or more apparatuses different from this embodiment. The modules of the above embodiments may be merged into one module or further split into several submodules.
The sequence numbers of the above embodiments of the invention are for description only and do not represent the merit of the embodiments.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by program instructions controlling the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes ROM, RAM, magnetic disk, optical disc and other media that can store program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical scheme of the present invention, not to limit it. Although the invention has been described in detail with reference to the preceding embodiments, those of ordinary skill in the art should understand that the technical scheme recorded in the preceding embodiments can still be modified, or some of its technical features replaced by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical scheme depart from the spirit and scope of the technical scheme of the embodiments of the invention.

Claims (14)

1. A DDoS attack testing method, characterized in that it comprises:
modifying the network subsystem and the memory management subsystem of the Linux kernel, wherein the modification to the network subsystem comprises removing the spin lock contained in the flow-control module of the Linux kernel network subsystem, and, according to a predefined packet format, extending the kernel packet sender in the Linux kernel network subsystem to allow customized packet fields; and the modification to the memory management subsystem comprises: setting the attribute of the packet memory allocation interface function provided by the Linux kernel memory management subsystem to allocate memory from the private memory pool of each CPU, and setting the attribute of the packet memory release interface function to release memory to the private memory pool of each CPU;
calling the kernel packet sender in the modified Linux kernel network subsystem to generate a large number of packets, and sending the generated packets to the cluster under test, wherein the source address of the generated packets changes randomly within a preset range and the destination address is the service address provided by the cluster under test;
when receiving a response packet returned by the cluster under test, discarding the response packet sent by the cluster under test; or, based on the modified Linux kernel, sending a partial request packet to the cluster under test; or, based on the modified Linux kernel, sending a complete request packet to the cluster under test and, when receiving the request response packet returned by the cluster under test, discarding that request response packet.
2. The DDoS attack testing method according to claim 1, characterized in that the extended packet fields comprise: the fields contained in the Ethernet frame header, the fields contained in the IP header, the fields contained in the TCP header, the data payload content and the length field.
3. The DDoS attack testing method according to claim 1, characterized in that it further comprises modifying the packet filtering framework of the Linux kernel;
the modification to the packet filtering framework comprises: adding, in the packet filtering framework, a hook function that directly swaps the source/destination addresses of a packet after it is received.
4. The DDoS attack testing method according to claim 3, characterized in that it further comprises:
based on the modified Linux kernel, applying send-delay control or selective packet-loss control to the packets exchanged with the cluster under test.
5. The DDoS attack testing method according to claim 4, characterized in that said applying send-delay control to the packets exchanged with the cluster under test comprises:
computing the delayed-send time information of the uplink or downlink packets exchanged with the cluster under test;
generating an uplink or downlink packet transmit queue from the uplink or downlink packets exchanged with the cluster under test, using the modified packet filtering framework, wherein an added field of each packet in the packet transmit queue records the enqueue timestamp, and the enqueue timestamp combines the time at which the packet enters the packet transmit queue with the delay time information corresponding to the packet;
using the modified packet filtering framework, polling the enqueue timestamp of the first packet in the packet transmit queue, comparing the enqueue timestamp of the first packet with the current time, and sending the first packet when its enqueue timestamp is less than or equal to the current time.
6. The DDoS attack testing method according to claim 4, characterized in that said applying selective packet-loss control to the packets exchanged with the cluster under test comprises:
discarding the packets that match the preset packet filtering rules.
7. The DDoS attack testing method according to claim 6, characterized in that said discarding the packets that match the preset packet filtering rules comprises:
generating an integer grid according to the preset packet filtering rules and using the modified packet filtering framework;
assigning each packet a random number within a preset range as the packet's number, and computing, from the packet's number and the packet size, the position of the packet's corresponding cell in the integer grid;
according to the control value of the integer grid at that position, choosing to discard or keep the packet.
8. A DDoS attack testing apparatus, characterized in that it comprises:
a Linux kernel, which provides the network subsystem API and the memory management subsystem application programming interface of the modified kernel, wherein the modification to the network subsystem comprises removing the spin lock contained in the flow-control module of the Linux kernel network subsystem, and, according to a predefined packet format, extending the kernel packet sender in the Linux kernel network subsystem to allow customized packet fields; and the modification to the memory management subsystem comprises: setting the attribute of the packet memory allocation interface function provided by the Linux kernel memory management subsystem to allocate memory from the private memory pool of each CPU, and setting the attribute of the packet memory release interface function to release memory to the private memory pool of each CPU;
a packet generation module, which calls the kernel packet sender in the modified Linux kernel network subsystem to generate a large number of packets and sends the generated packets to the cluster under test, wherein the source address of the generated packets changes randomly within a preset range and the destination address is the service address provided by the cluster under test;
a packet reflecting module, which, when receiving a response packet returned by the cluster under test, discards the response packet sent by the cluster under test; or, based on the modified Linux kernel, sends a partial request packet to the cluster under test; or, based on the modified Linux kernel, sends a complete request packet to the cluster under test and, when receiving the request response packet returned by the cluster under test, discards that request response packet.
9. The DDoS attack testing apparatus according to claim 8, characterized in that the Linux kernel also provides the modified packet filtering framework; the modification to the packet filtering framework comprises: adding, in the packet filtering framework, a hook function that directly swaps the source/destination addresses of a packet after it is received.
10. The DDoS attack testing apparatus according to claim 8 or 9, characterized in that it further comprises:
a link simulation module, which, based on the modified Linux kernel, applies send-delay control or selective packet-loss control to the packets exchanged between the packet generation module and packet reflecting module and the cluster under test.
11. The DDoS attack testing apparatus according to claim 10, characterized in that the link simulation module comprises:
a delay calculation unit, which computes, for each packet exchanged between the packet generation module, the packet reflecting module and the cluster under test, the delay time information for the delayed sending of that packet;
a packet transmit queue generation unit, which, based on the modified Linux kernel, generates an uplink or downlink packet transmit queue from the packets exchanged between the packet generation module, the packet reflecting module and the cluster under test, wherein an added field of each packet in the packet transmit queue records the enqueue timestamp, and the enqueue timestamp combines the time at which the packet enters the packet transmit queue with the delay time information corresponding to the packet;
a delayed sending unit, which polls the enqueue timestamp of the first packet in the packet transmit queue, compares the enqueue timestamp of the first packet with the current time, and sends the first packet when its enqueue timestamp is less than or equal to the current time.
12. The DDoS attack testing apparatus according to claim 11, characterized in that the link simulation module further comprises:
a packet filtering unit, which discards the packets that match the preset packet filtering rules.
13. The DDoS attack testing apparatus according to claim 12, characterized in that the packet filtering unit comprises:
an integer grid generation subunit, which generates the integer grid according to the preset packet filtering rules;
a position mapping subunit, which assigns each packet a random number within a preset range as the packet's number and computes, from the packet's number and the packet size, the position of the packet's corresponding cell in the integer grid;
a filtering subunit, which, according to the value in the integer grid at that position, chooses to discard or keep the packet.
14. A DDoS attack test system, comprising a layer-2 aggregation device and a cluster under test, characterized in that it further comprises the DDoS attack testing apparatus of any one of claims 8 to 13, wherein the packets exchanged between the DDoS attack testing apparatus and the cluster under test are filtered and forwarded by the layer-2 aggregation device.
Application CN2008102276222A, priority date 2008-11-27, filing date 2008-11-27: Method, device and system for testing DDOS (distributed denial of service) attacks; granted as CN101753315B (legal status: active).
Publications (2)

Publication number    Publication date
CN101753315A          2010-06-23
CN101753315B          2011-09-21

Family

ID=42479758

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102276222A Active CN101753315B (en) 2008-11-27 2008-11-27 Method, device and system for testing DDOS (distributed denial of service) attacks

Country Status (1)

Country Link
CN (1) CN101753315B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103023942B (en) * 2011-09-27 2016-08-03 北京奇虎科技有限公司 A kind of server load balancing method, Apparatus and system
CN106301994B (en) * 2015-06-24 2023-11-03 北京京东尚科信息技术有限公司 A network communication abnormality testing method and device
CN106911526A (en) * 2015-12-22 2017-06-30 中国电信股份有限公司 Method and system for realizing pressure test
CN106302412A (en) * 2016-08-05 2017-01-04 江苏君立华域信息安全技术有限公司 A kind of intelligent checking system for the test of information system crushing resistance and detection method
CN106407016B (en) * 2016-10-19 2021-06-25 腾讯科技(深圳)有限公司 Method and device for simulating multithreading contention and robbery of resources
CN106789954A (en) * 2016-11-30 2017-05-31 杭州迪普科技股份有限公司 A kind of method and apparatus of the DDOS attack identification based on multi -CPU
CN106685962B (en) * 2016-12-29 2020-06-23 广东睿江云计算股份有限公司 Defense system and method for reflective DDOS attack flow
CN106998323B (en) * 2017-03-06 2020-08-14 深信服科技股份有限公司 Application layer network attack simulation method, device and system
CN107517218A (en) * 2017-09-26 2017-12-26 上海斐讯数据通信技术有限公司 A kind of method and system of test router DoS attack safeguard function
CN109818912B (en) * 2017-11-22 2021-11-26 北京金山云网络技术有限公司 Method and device for preventing flooding attack, load balancing equipment and storage medium
CN108111501B (en) * 2017-12-15 2021-08-20 百度在线网络技术(北京)有限公司 Control method and device for cheating flow and computer equipment
CN109040086B (en) * 2018-08-15 2020-11-03 广东电网有限责任公司 An industrial control system DDOS attack simulation method and device
CN109728975B (en) * 2018-12-29 2021-03-12 广东电网有限责任公司 Network protocol attack testing method, device, equipment and readable storage medium
CN110365693B (en) * 2019-07-23 2021-10-08 光通天下网络科技股份有限公司 DoS attack testing method and device based on multi-azimuth monitoring and electronic equipment
CN110955899B (en) * 2019-12-13 2022-02-22 中国工商银行股份有限公司 Safety test method, device, test equipment and medium
CN111935198B (en) * 2020-10-15 2021-01-15 南斗六星系统集成有限公司 Visual V2X network security defense method and equipment
CN118381671B (en) * 2024-06-21 2024-08-20 武汉盛博汇信息技术有限公司 Smart medical big data security risk processing method and related equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1640090A (en) * 2001-07-03 2005-07-13 英特尔公司 An apparatus and method for secure, automated response to distributed denial of service attacks
CN101083563A (en) * 2007-07-20 2007-12-05 杭州华三通信技术有限公司 Method and apparatus for preventing distributed refuse service attack

Also Published As

Publication number Publication date
CN101753315A (en) 2010-06-23

Similar Documents

Publication Publication Date Title
CN101753315B (en) Method, device and system for testing DDOS (distributed denial of service) attacks
TW576044B (en) Apparatus and method for using a network processor to guard against a ""denial-of-service"" attack on a server or server cluster
Zhao et al. A window protocol for transmission of time-constrained messages
Yang et al. Blockchain-based secure distributed control for software defined optical networking
US11863570B2 (en) Blockchain-based network security system and processing method
Tian et al. Accelerating distributed deep learning using multi-path RDMA in data center networks
Diovu et al. A cloud-based openflow firewall for mitigation against DDoS attacks in smart grid AMI networks
Kumar et al. Performance enhancement in buffered delta networks using crossbar switches and multiple links
CN106330951A (en) Network protection method, network protection device and network protection system
CA3000654C (en) Software-defined network threat control
Li et al. Towards the tradeoffs in designing data center network architectures
Huang et al. FSDM: Fast recovery saturation attack detection and mitigation framework in SDN
EP4042359A1 (en) Distributed network with consensus mechanism
Chen et al. Norma: Towards practical network load testing
EP2974161A1 (en) Multi-ring reliable messaging system
Agbaria et al. LMPI: MPI for heterogeneous embedded distributed systems
CN114629853B (en) Flow classification control method based on security service chain analysis in security resource pool
US12058201B2 (en) Read access for computational results of a distributed network
Thai et al. On detection of malicious users using group testing techniques
Tam et al. Efficient scheduling of complete exchange on clusters
CN1411215A (en) Pacing synchronizing method for rout selecting information in data exchange environmemt
Abbasi Zadeh et al. Load migration in distributed softwarized network controllers
Zheng et al. A flexible and efficient container-based NFV platform for middlebox networking
CN116318945A (en) A multi-target service function chain deployment method based on endogenous dynamic defense architecture
Fan et al. Software-Defined Networking Integrated with Cloud Native and Proxy Mechanism: Detection and Mitigation System for TCP SYN Flooding Attack

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: BEIJING BAIDU NETWORK INFORMATION TECHNOLOGY CO.,

Free format text: FORMER OWNER: BAIDU ON LINE NETWORK TECH. (BEIJING) CO., LTD.

Effective date: 20120131

Owner name: BAIDU ON LINE NETWORK TECH. (BEIJING) CO., LTD.

Effective date: 20120131

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100080 HAIDIAN, BEIJING TO: 100085 HAIDIAN, BEIJING

TR01 Transfer of patent right

Effective date of registration: 20120131

Address after: 100085 Beijing, Haidian District, No. ten on the ground floor, No. 10 Baidu building, layer 2

Co-patentee after: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd.

Patentee after: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd.

Address before: 100080, International Building, No. 58 West Fourth Ring Road, Haidian District, Beijing, 12 floor

Patentee before: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY Co.,Ltd.