CN100420197C - Method for guarding against attack realized for networked devices - Google Patents
- Publication number: CN100420197C (application CNB200410044215XA)
- Authority: CN (China)
- Prior art keywords: message, connection, user, udp, attack
- Prior art date
- Legal status: Expired - Lifetime (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention discloses a method for protecting a network device against attacks. When the network device receives a message, it looks up the corresponding connection table entry according to the related information in the message; if the entry is found, the message is forwarded according to the corresponding forwarding table entry; otherwise the number of connections established by the user who sent the message is obtained according to the source IP address in the message and compared with a preset value. If that number is less than the preset value, a connection table entry and a forwarding table entry are established for the user and service processing is carried out; otherwise the message is discarded. By limiting the number of connections of the same user, and discarding a user's new-connection messages once that number exceeds the specified value, the invention ensures that system resources cannot be exhausted when the system suffers a network storm attack and that normal services can still be provided, so that the system's ability to withstand attack is improved.
Description
Technical field
The present invention relates to network technology, and in particular to a method for protecting a network device against attacks.
Background technology
Network applications have spread rapidly in recent years, but in the course of that rapid development networks have also accumulated a large number of system and protocol vulnerabilities, so users must face the threats these bring while enjoying the convenience the network provides. Some commonly used attack techniques and their principles are described below:
TCP SYN Flood: a standard Transmission Control Protocol (TCP) connection is set up with a three-step handshake. First the requesting side sends a synchronization (SYN) message to the serving side; after the serving side receives it, it returns a synchronization acknowledgement (SYN ACK) to the requester; after the requester receives the SYN ACK, it sends an acknowledgement (ACK) message back to the serving side, and at that point the TCP connection has been established. The principle of a TCP SYN flood is that only the first two steps are carried out: after receiving the serving side's SYN ACK, the requester stops and never sends the ACK, so the serving side waits for a certain period for an ACK that never arrives. The TCP connections available on a given server are limited; if a malicious party sends such connection requests in rapid succession, the server's queue of available TCP connections is soon blocked, the system's available resources drop sharply, the available network bandwidth shrinks rapidly, and if this continues the network can no longer provide normal service to users.
UDP Flood: because the User Datagram Protocol (UDP) is widely used in networks, there are also many kinds of UDP-based attacks. The servers that today provide Internet services such as web browsing and e-mail typically run Unix, and by default they enable certain UDP services that can be exploited maliciously, such as the echo and chargen services: echo returns every packet it receives, and chargen, a test function, replies to every packet it receives with some random characters. If a malicious attacker cross-connects these two UDP services so that each feeds the other, the available network bandwidth is exhausted very quickly.
Two methods are usually adopted to prevent TCP SYN flood attacks. The first is to shorten the serving side's wait-before-deletion time (the SYN Timeout). Because the effect of a SYN flood depends on the number of half-open connections held on the server, and that number equals the attack frequency multiplied by the SYN Timeout, shortening the time from receiving a SYN message until the message is judged invalid and the connection discarded, for example to under 20 seconds (a SYN Timeout that is too low may affect normal client access), can reduce the server's load several-fold. The second method is to set a SYN Cookie, that is, to assign a cookie to the IP address of each requested connection; if repeated SYN messages from a certain IP address are received continuously within a short time, this is judged to be an attack, and all packets subsequently sent from that IP address are dropped.
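To make the relationship between attack frequency, SYN Timeout and the half-open backlog concrete, here is an added Python simulation; it is not code from the patent. It models a server-side table of half-open handshakes with a configurable timeout and backlog size, feeds it a constructed trace of SYN messages at a fixed rate that are never followed by an ACK, then lets one legitimate client complete its handshake and reports the resulting half-open count. HalfOpenTracker, simulate(), steady_state_half_open(), the timeout and backlog values and the addresses are all assumptions of this example; it goes slightly beyond the text by also showing the backlog cap that bounds the count once the timeout is long.

```python
"""Half-open connection backlog under a stream of unanswered SYNs.

Added example, not code from the patent. HalfOpenTracker, simulate(), the
timeout and backlog values and the sample addresses are assumptions of this
illustration; the trace of SYN arrivals is constructed inline.
"""
from collections import OrderedDict
from typing import Dict, Tuple

Key = Tuple[str, int]  # (client IP, client port) identifies one pending handshake


class HalfOpenTracker:
    """Server-side table of half-open handshakes (SYN seen, ACK not yet seen)."""

    def __init__(self, syn_timeout_ms: int, backlog: int) -> None:
        self.syn_timeout_ms = syn_timeout_ms  # wait-before-deletion time for a half-open entry
        self.backlog = backlog                # maximum number of half-open entries the server holds
        self.half_open = OrderedDict()        # key -> arrival time of its SYN (ms)
        self.established = 0
        self.refused = 0

    def _expire(self, now_ms: int) -> None:
        # Entries are inserted in arrival order, so the expired ones sit at the front.
        while self.half_open:
            _, arrived = next(iter(self.half_open.items()))
            if now_ms - arrived <= self.syn_timeout_ms:
                break
            self.half_open.popitem(last=False)

    def on_syn(self, key: Key, now_ms: int) -> bool:
        """Admit a SYN into the half-open table; False means the backlog is full."""
        self._expire(now_ms)
        if key in self.half_open:  # retransmitted SYN: no new slot needed
            return True
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return False
        self.half_open[key] = now_ms
        return True

    def on_ack(self, key: Key, now_ms: int) -> bool:
        """Third handshake step: promote a pending entry to an established connection."""
        self._expire(now_ms)
        if self.half_open.pop(key, None) is None:
            return False
        self.established += 1
        return True

    def half_open_count(self, now_ms: int) -> int:
        self._expire(now_ms)
        return len(self.half_open)


def steady_state_half_open(attack_rate_per_s: int, syn_timeout_s: int) -> int:
    """The page's relation: half-open connections held = attack frequency * SYN Timeout."""
    return attack_rate_per_s * syn_timeout_s


def simulate(syn_timeout_ms: int, backlog: int,
             unanswered_rate_per_s: int = 10, duration_s: int = 60) -> Dict[str, object]:
    """Feed unanswered SYNs for duration_s, then one legitimate client that completes."""
    tracker = HalfOpenTracker(syn_timeout_ms, backlog)
    interval_ms = 1000 // unanswered_rate_per_s
    for i in range(unanswered_rate_per_s * duration_s):
        # Constructed source that never sends the final ACK (one distinct port per SYN).
        tracker.on_syn(("198.51.100.7", 1024 + i), i * interval_ms)
    now = duration_s * 1000 - 50  # the legitimate client arrives just before the end
    client: Key = ("203.0.113.5", 40000)
    admitted = tracker.on_syn(client, now)
    completed = admitted and tracker.on_ack(client, now + 10)
    return {
        "half_open": tracker.half_open_count(now + 10),
        "refused": tracker.refused,
        "client_admitted": admitted,
        "client_established": completed,
    }


if __name__ == "__main__":
    for timeout_s in (20, 75):
        print(timeout_s, "s SYN Timeout:", simulate(timeout_s * 1000, backlog=512))
```

With the 20 second timeout the half-open count settles at rate × timeout (10 per second × 20 s = 200 entries) and the legitimate client is admitted; with the 75 second timeout nothing expires within the trace, the 512-entry backlog fills, and later SYNs, the legitimate client's included, are refused. That difference is the load the first countermeasure above removes, and the comparison also shows why the text warns that an overly short timeout hurts real clients: expiry is purely time-based and cannot tell a slow client from an attacker.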
The following methods are usually adopted to prevent UDP flood attacks. The first is to close unused UDP ports, not to provide the Echo and Chargen services, and to re-enable such a function with a command when it is needed. The second is to adopt flow control, which limits traffic to within a set range; any new messages beyond that flow are dropped, which ensures that the system's other services remain normal.
In addition, a firewall can be used to protect the network. When networking, a firewall is added between the network devices, the firewall defines which connections are legal, and it stops intrusion by illegal users. According to these predefined rules the firewall can recognize the attack methods these attacks use and blocks external attack packets. Many commercial firewalls can be configured to display signs of attack promptly. The firewall's detailed records can be provided to the equipment management department; the more detailed the information, the faster they can filter out the packets and prevent these attack packets from entering the network. The same information also helps in tracing the attacker.
Although the above methods provide a certain degree of protection against attacks, they have the following shortcomings:
The two methods against TCP SYN Flood can only handle the more primitive SYN flood attacks; shortening the SYN Timeout takes effect only when the other side's attack frequency is not high, and its effect is poor when the attack frequency is high.
Closing the relevant UDP ports to prevent UDP Flood also blocks the normal function those ports provide; if flow control is adopted, it only guarantees that the system does not crash under abnormal conditions, because once the configured flow is exceeded the system also drops many normal messages, which may cause unpredictable problems.
Using a firewall can effectively prevent various attacks, but the operator has to buy additional firewalls when networking, which increases cost and the complexity of the network.
Summary of the invention
The object of the present invention is to provide a method for protecting a network device against attacks, so as to solve the problems of the existing anti-attack methods, namely weak protection against attacks and interference with normal services.
The technical solution that realizes the present invention is as follows:
A method for protecting a network device against attacks, in which the network device performs the following steps when it receives a message:
A. Look up the corresponding connection table entry according to the related information in the message; if the connection table entry is found, forward the message according to the corresponding forwarding table entry; otherwise perform step B;
B. Obtain, according at least to the source IP address in the message, the number of connections that the user sending the message has established;
C. Judge whether that number of connections is less than a predetermined value; if so, establish a connection table entry and a forwarding table entry for the user, perform service processing, and update the number of connections stored in the statistics table for the source IP address; otherwise discard the message.
Wherein:
If the user disconnects an established connection, the number of connections stored for that source IP address in the statistics table is updated.
The related information is five-tuple information that uniquely determines a connection.
The message is a Transmission Control Protocol (TCP) message or a User Datagram Protocol (UDP) message, and the connection is a TCP connection or a UDP connection.
By restricting the connection messages of the same user, the present invention can effectively prevent attacks, strengthen the defensive capability of the network device, and resist attacks coming from the network, so that the device can still provide normal services while under attack and network order is maintained.
Description of drawings
Fig. 1 is a flow chart of the present invention.
Embodiment
The present invention prevents TCP SYN Flood and UDP Flood attacks by limiting the number of Transmission Control Protocol / User Datagram Protocol (TCP/UDP) connections of each user.
In a network storm (SYN Flood) attack, the attacker sends a large number of first-packet SYN messages to the server. After receiving each first packet the server sends a first-packet response SYN ACK, establishes a half-open Transmission Control Protocol (TCP) connection, and then waits for the reply ACK from the client side. The attacker never sends the reply ACK the server is waiting for, so the server fills up with half-open connections. Because the server keeps sending SYN ACK responses that never receive any reply, it is kept in an abnormally busy state, normal connection requests can hardly be processed, and eventually normal services are interrupted.
TCP is connection-oriented whereas UDP is connectionless, but a switching or routing device still allocates resources for a client after receiving that client's UDP message, so a large number of first and second UDP packets that are never followed by further packets will occupy a large amount of resources.
A network device suffers under TCP SYN Flood and UDP Flood because the number of TCP/UDP connections in the system becomes abnormally large and occupies too many system resources. Therefore the system restricts each user to establishing only a certain number of TCP/UDP connections; once the number of connections used by a user is found to exceed the predetermined value, the system forbids the establishment of new connections, and a new connection can only be set up after one of the connections already held is released. In this way the number of TCP/UDP connections in the system can be limited to a certain extent. The predetermined value is set to twice the number of connections a user normally has when online.
A connection is determined by the five-tuple of source IP address, destination IP address, source port number, destination port number and protocol type. A user visiting different websites may establish different connections on the network device, and even visiting different content within the same website may establish different connections. Although the destination IP address, destination port number and protocol type of these connections may differ, the source IP address is the same; therefore a statistics (IP_CON) table is established, indexed by the user's source IP address, whose entries record the number of connections each user has established in the system.
After a user creates a new connection or disconnects an established one, that user's number of connections in the statistics table is updated.
Referring to Figure 1, the processing flow for a message is as follows:
Step 10: the network device receives a message.
Step 20: judge, according to the five-tuple information in the message that uniquely determines a connection, whether an established connection table entry corresponding to this user exists; if so, perform step 30; otherwise perform step 40.
The five-tuple information comprises source IP address, source port number, destination IP address, destination port number and protocol type; the source port number and destination port number therein may of course also be the source MAC address and destination MAC address.
Step 30: forward the received message according to the forwarding table entry corresponding to the connection table entry.
Since the connection table entry can be found, similar messages have been forwarded before; therefore the forwarding table entry for this connection can be found, and the message is directly service-processed and forwarded.
Step 40: obtain, according to the source IP address in the message, the number of connections this user has already established.
If no connection table entry for this connection is found, this is a new TCP or UDP connection; the network device needs to deliver the message to the control platform for processing, and the control platform's processing module checks how many connections this user already has.
Step 50: judge whether the number of connections this user already has exceeds the predetermined value; if so, perform step 60; otherwise perform step 70.
Step 60: discard the received message and finish processing it.
Step 70: establish the corresponding connection table entry and forwarding table entry for this connection; after they are established successfully, look up the IP_CON table by the user's source IP address; if a corresponding entry is found, directly update the number of established connections, otherwise create a new entry for this user and set its number of connections to 1.
Once the connection table entry and forwarding table entry exist, subsequent messages of this connection are handled directly according to them.
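As an added example, not code from the patent, the following Python implements the flow of Steps 10 to 70 above and of steps A to C in the summary: a connection table keyed by the five-tuple, an IP_CON statistics table keyed by source IP address, the predetermined value derived as twice a user's normal connection count, and the release of a slot when an established connection is disconnected. Packet, ConnectionLimiter, run_trace, the verdict strings, the placeholder forwarding entries and the addresses are assumptions of this example. A new connection is admitted only while the source's count is below the limit, as claim 1 step C states.

```python
"""Per-user connection limiting modelled on claim 1 steps A-C and Steps 10-70.

Added example, not code from the patent. Packet, ConnectionLimiter, the verdict
strings, the placeholder forwarding entries and the addresses below are
assumptions of this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


def predetermined_value(normal_connections: int) -> int:
    """Claim 5: the limit is twice a user's normal online connection count."""
    return 2 * normal_connections


class ConnectionLimiter:
    """Connection table keyed by five-tuple plus the IP_CON statistics table keyed by source IP."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.connections: Dict[FiveTuple, str] = {}  # five-tuple -> forwarding entry
        self.ip_con: Dict[str, int] = {}              # source IP -> established connection count

    def process_packet(self, pkt: Packet) -> str:
        key = pkt.five_tuple()
        # Steps 20/30: an established connection is forwarded by its forwarding entry.
        if key in self.connections:
            return "forward:" + self.connections[key]
        # Step 40: first packet of a new connection; count what this source IP already holds.
        established = self.ip_con.get(pkt.src_ip, 0)
        # Steps 50/60: admit only while the count is below the limit (claim 1 step C), else discard.
        if established >= self.limit:
            return "drop"
        # Step 70: create the connection entry and forwarding entry, then update IP_CON.
        self.connections[key] = f"egress-for-{pkt.dst_ip}"  # constructed placeholder forwarding entry
        self.ip_con[pkt.src_ip] = established + 1
        return "establish"

    def disconnect(self, pkt: Packet) -> bool:
        """Claim 2: tearing down an established connection releases one slot for that source IP."""
        key = pkt.five_tuple()
        if key not in self.connections:
            return False
        del self.connections[key]
        remaining = self.ip_con[pkt.src_ip] - 1
        if remaining:
            self.ip_con[pkt.src_ip] = remaining
        else:
            del self.ip_con[pkt.src_ip]  # no connections left: drop the statistics entry
        return True


def run_trace(limiter: ConnectionLimiter, trace: List[Packet]) -> List[str]:
    """Apply the flow to a sequence of received messages and return one verdict per message."""
    return [limiter.process_packet(p) for p in trace]


if __name__ == "__main__":
    lim = ConnectionLimiter(predetermined_value(normal_connections=1))  # limit of 2 per source IP
    trace = [  # constructed sample: one source opening three connections, then repeating the first
        Packet("10.0.0.5", "192.0.2.10", 40001, 80, "tcp"),
        Packet("10.0.0.5", "192.0.2.11", 40002, 443, "tcp"),
        Packet("10.0.0.5", "192.0.2.12", 40003, 53, "udp"),
        Packet("10.0.0.5", "192.0.2.10", 40001, 80, "tcp"),
    ]
    print(run_trace(lim, trace))  # ['establish', 'establish', 'drop', 'forward:egress-for-192.0.2.10']
```

Two properties worth checking in any real implementation of this flow are visible here: the per-five-tuple lookup happens before the per-IP check, so traffic on already established connections is never affected by the limit, and the count is decremented on disconnect, since without that a user who opens and closes connections normally would eventually be locked out permanently.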
The present invention prevents attacks by limiting the number of connections of the same user: when a user's number of connections exceeds the set value, that user's new-connection messages are discarded. This guarantees that system resources cannot be exhausted when the system suffers a network storm attack and that normal services can still be provided, thereby improving the system's ability to withstand attacks.
Claims (6)
1. A method for protecting a network device against attacks, characterized in that the network device performs the following steps when it receives a message:
A. Look up the corresponding connection table entry according to the related information in the message; if the connection table entry is found, forward the message according to the corresponding forwarding table entry; otherwise perform step B;
B. Obtain, according to the source IP address in the message, the number of connections that the user sending the message has established;
C. Judge whether that number of connections is less than a predetermined value; if so, establish a connection table entry and a forwarding table entry for the user, perform service processing, and update the number of connections stored in the statistics table for the source IP address; otherwise discard the message.
2. The method of claim 1, characterized in that if the user disconnects an established connection, the number of connections stored for that source IP address in the statistics table is updated.
3. The method of claim 1, characterized in that the related information is five-tuple information that uniquely determines a connection.
4. The method of claim 3, characterized in that the five-tuple information comprises source IP address, destination IP address, source port number, destination port number and protocol type.
5. The method of claim 1, characterized in that the predetermined value is set to twice the number of connections a user normally has when online.
6. The method of any one of claims 1 to 5, characterized in that the message is a Transmission Control Protocol (TCP) message or a User Datagram Protocol (UDP) message, and the connection is a TCP connection or a UDP connection.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB200410044215XA CN100420197C (en) | 2004-05-13 | 2004-05-13 | Method for guarding against attack realized for networked devices |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1697397A CN1697397A (en) | 2005-11-16 |
CN100420197C true CN100420197C (en) | 2008-09-17 |
Family
ID=35349933
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB200410044215XA Expired - Lifetime CN100420197C (en) | 2004-05-13 | 2004-05-13 | Method for guarding against attack realized for networked devices |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100420197C (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998034384A1 (en) * | 1997-01-30 | 1998-08-06 | At & T Corp. | Communications protocol with improved security |
US20040054924A1 (en) * | 2002-09-03 | 2004-03-18 | Chuah Mooi Choo | Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks |
CN1152517C (en) * | 2002-04-23 | 2004-06-02 | 华为技术有限公司 | Method of guarding network attack |
CN1265598C (en) * | 2002-10-25 | 2006-07-19 | 英特尔公司 | Dynamic network safety device and method of network treatment apparatus |
Non-Patent Citations (4)
Title |
---|
A policy-system-based defense mechanism against SYN Flooding attacks. 仇小锋, 陈鸣, 蒋序平. 电信科学 (Telecommunications Science). 2004 |
Overall design of a network security detection and monitoring system. 孙修善. 信息技术 (Information Technology), vol. 27, no. 11. 2003 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CX01 | Expiry of patent term |
Granted publication date: 20080917 |