CN108810008A - Transmission control protocol traffic filtering method, apparatus, server and storage medium - Google Patents

Transmission control protocol traffic filtering method, apparatus, server and storage medium

Info

Publication number: CN108810008A
Authority: CN (China)
Prior art keywords: message, transmission control, control protocol, address, baseline
Legal status: Granted
Application number: CN201810685411.7A
Other languages: Chinese (zh)
Other versions: CN108810008B (en)
Inventors: 陈国�, 杨磊, 罗喜军
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Legal events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201810685411.7A; publication of CN108810008A; application granted; publication of CN108810008B; current legal status: active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a transmission control protocol (TCP) traffic filtering method, apparatus, server and storage medium in the field of network security. The method includes: when a server is under a Challenge Collapsar (CC) attack, determining, based on the server's source Internet Protocol (IP) address trust list, which source IP addresses of the TCP messages sent to the server are trusted source IP addresses and which are non-trusted source IP addresses; sending the TCP messages of the trusted source IP addresses to the server; and using a synchronize sequence number (SYN) message rate baseline, a TCP message length baseline and a TCP message rate baseline of the non-trusted source IP addresses to judge whether the TCP messages of the non-trusted source IP addresses are to be intercepted.

Description

Transmission control protocol traffic filtering method, apparatus, server and storage medium
Technical field
The present invention relates to the field of network security, and more particularly to a transmission control protocol traffic filtering method, apparatus, server and storage medium.
Background technology
A distributed denial of service (DDoS) attack is one in which an attacker uses a botnet (a network of compromised hosts distributed across the network) to send a large volume of abnormal traffic to a target server; the server becomes so busy handling the abnormal traffic that it cannot serve legitimate user requests, or even crashes, and service is denied.
A Challenge Collapsar (CC) attack is a very common DDoS technique. The attacking end (for example, a controlled client) first establishes a Transmission Control Protocol (TCP) connection with the attacked end (for example, the attacked server), and then sends a large number of TCP junk messages to the attacked end, congesting the attacked end's bandwidth and paralysing its business.
Traditional CC attack protection schemes rely on watermark protection: when a client sends an uplink TCP message to the server, the TCP message must carry a watermark field computed by an algorithm agreed in advance. A protection end placed between the clients and the server verifies the legitimacy of the watermark field in each uplink TCP message and thereby decides whether to forward the TCP message to the server, intercepting illegitimate messages. However, this scheme requires modifying the client's code, so the access cost and barrier to entry are high; in addition, a TCP message that carries the watermark field is longer, which increases uplink traffic cost.
Summary of the invention
In order to solve the problems of the related art, in which using watermark protection against CC attacks imposes a high client access cost and barrier to entry while also increasing uplink traffic cost, embodiments of the present invention provide a TCP traffic filtering method, apparatus, server and storage medium. The technical solution is as follows:
In one aspect, a TCP traffic filtering method is provided. The method includes:
When a server is under CC attack, determining, based on the source IP address trust list of the server, the trusted source IP addresses and the non-trusted source IP addresses among the source IP addresses of the TCP messages sent to the server, where a trusted source IP address is a source IP address that is in the source IP address trust list and a non-trusted source IP address is a source IP address that is not in the source IP address trust list. Sending the TCP messages of the trusted source IP addresses to the server. Using the SYN message rate baseline, TCP message length baseline and TCP message rate baseline of the non-trusted source IP addresses, judging whether to intercept the TCP messages of the non-trusted source IP addresses.
In another aspect, a TCP traffic filtering apparatus is also provided. The apparatus includes:
A judgment module, configured to determine, when a server is under CC attack and based on the source IP address trust list of the server, the trusted source IP addresses and non-trusted source IP addresses among the source IP addresses of the TCP messages sent to the server, where a trusted source IP address is a source IP address in the source IP address trust list and a non-trusted source IP address is a source IP address not in the source IP address trust list. A filtering module, configured to send the TCP messages of the trusted source IP addresses to the server, and to use the SYN message rate baseline, TCP message length baseline and TCP message rate baseline of the non-trusted source IP addresses to judge whether to intercept the TCP messages of the non-trusted source IP addresses.
In another aspect, a server is also provided. The server includes a processor and a memory; the memory stores at least one instruction, which is loaded and executed by the processor to implement the TCP traffic filtering method of the first aspect.
In another aspect, a computer readable storage medium is also provided. The storage medium stores at least one instruction, which is loaded and executed by a processor to implement the TCP traffic filtering method of the first aspect.
The technical solution provided by the embodiments of the present invention brings the following advantageous effects:
When a server is under CC attack, it is first judged whether each source IP address of the TCP messages sent to the server is a trusted source IP address. If it is, the TCP messages of that trusted source IP address are forwarded directly, so the TCP traffic of normal clients is not affected. If it is not, the non-trusted source IP address is judged using the SYN message rate baseline, TCP message length baseline and TCP message rate baseline to decide whether its TCP messages are abnormal, and hence whether to discard or forward the TCP messages of that non-trusted source IP address. In this way no watermark field needs to be carried in uplink TCP messages and the client's code need not be modified, so the cost and barrier to entry are low and the scheme is suitable for cloud service scenarios. At the same time the TCP message length is unchanged, which saves uplink traffic cost.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of a CC attack;
Fig. 2 is a schematic topology diagram of a TCP traffic filtering system provided by an embodiment of the present invention;
Fig. 3 is a flow chart of a TCP traffic filtering method provided by an embodiment of the present invention;
Fig. 4 is a flow chart of another TCP traffic filtering method provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a TCP traffic filtering apparatus provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a server provided by an embodiment of the present invention.
Detailed description of embodiments
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the drawings.
To ease understanding of the technical solution provided by the embodiments of the present invention, the problems of existing CC attack protection schemes are explained first:
Fig. 1 is a schematic flow diagram of a CC attack. The CC attack here is a layer-4 CC attack, where layer 4 refers to the fourth layer of the Open System Interconnection (OSI) model. Referring to Fig. 1, the attacking end first establishes a TCP connection with the attacked end (the attacked server) through a three-way handshake: the attacking end sends a synchronize sequence numbers (SYN) message to the attacked end, the attacked end returns a SYN acknowledgement (SYNACK) message, and the attacking end then sends an ACK message to the attacked end, completing the handshake. After the TCP connection is established, the attacking end sends a large number of TCP junk messages to the attacked end, congesting the attacked end's bandwidth and paralysing its business.
Traditional CC attack protection schemes rely on watermark protection: when a client transmits uplink TCP messages, each TCP message must carry a watermark field computed by an algorithm agreed in advance. A protection end is placed between the client (attacking end) and the server (attacked end); by verifying the legitimacy of the watermark field in each uplink TCP message it judges whether to forward that TCP message to the server, thereby intercepting illegitimate messages. As shown in Fig. 1, the protection end checks whether the watermark field in the TCP message is correct; since the TCP junk messages sent by the attacking end do not carry a correct watermark field, the protection end can discard them.
However, this protection scheme requires modifying the client's code, which is time-consuming and laborious and makes the access cost high; it also raises the barrier to access. In addition, a TCP message carrying the watermark field is longer, which increases uplink traffic cost. To solve these problems, embodiments of the present invention provide a TCP traffic filtering method. Before introducing the TCP traffic filtering method of this application, the architecture of the TCP traffic filtering system (that is, the protection end mentioned above) is briefly described.
Fig. 2 is a schematic topology diagram of a TCP traffic filtering system provided by an embodiment of the present invention. Referring to Fig. 2, the TCP traffic filtering system 10 is connected to a router 20, which is usually a core router in the network. The router 20 connects to the operator network 30 and, through a switch 40, to a server 50, so that the server 50 can communicate with other devices on the network. The router 20 may connect multiple switches 40, which may be core switches, and each switch 40 may connect one or more servers 50.
The TCP traffic filtering system 10 includes a detection and learning subsystem 101, a protection subsystem 102 and a control subsystem 103. Each of the three subsystems may be implemented on its own device (such as a server), or two or all three of them may be integrated on one device.
When forwarding traffic destined for the server 50, the router 20 produces mirrored traffic and sends it to the detection and learning subsystem 101. The detection and learning subsystem 101 learns from the mirrored TCP messages of each server to obtain its source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline, and stores them in the database of the control subsystem 103. At the same time, the detection and learning subsystem 101 detects whether each server 50 is under CC attack; when it detects that a server 50 is under CC attack, it outputs alarm information to the protection subsystem 102 and the control subsystem 103.
When the protection subsystem 102 receives the alarm information, it obtains the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline of that server. At the same time, traffic diversion is set up between the protection subsystem 102 and the router 20 so that the server's TCP messages are drawn to the protection subsystem 102. The protection subsystem 102 filters the server's TCP messages according to the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline, returns the filtered TCP messages to the router 20, and the router 20 forwards them to the server 50.
Here, the server is any one of the servers connected to the aforementioned router 20.
Fig. 3 is a flow chart of a TCP traffic filtering method provided by an embodiment of the present invention. Referring to Fig. 3, the method is executed by the aforementioned TCP traffic filtering system and includes:
Step 101: When a server is under CC attack, determine, based on the source IP address trust list of the server, the trusted source IP addresses and non-trusted source IP addresses among the source IP addresses of the TCP messages sent to the server.
In embodiments of the present invention, a trusted source IP address is a source IP address that is in the source IP address trust list, and a non-trusted source IP address is a source IP address that is not in the source IP address trust list.
In embodiments of the present invention, a server being under CC attack means that the server receives a large volume of TCP attack traffic. In this application, whether a server is under CC attack can be determined from the server's new connection count, connection concurrency and abnormal connection count.
In embodiments of the present invention, TCP traffic is the data transmitted to the server using the TCP protocol; it consists of multiple TCP messages.
In embodiments of the present invention, a server may establish TCP connections with multiple clients and receive the TCP messages they send; the IP address of the client that sends a TCP message to the server is the aforementioned source IP address. When the server is under CC attack, its TCP messages must be distinguished: the TCP messages sent by the attacking end are intercepted, while the TCP messages sent by normal clients are forwarded to the server.
In embodiments of the present invention, the source IP address trust list is the white list of the server's clients: TCP messages sent by the clients whose source IP addresses are recorded in the source IP address trust list need not be verified again in step 103 and can be forwarded directly to the server. Each server has its own source IP address trust list. The IP addresses in the trust list are obtained by learning during normal transmission time (time when the server is not under attack), which prevents the attacking end's IP addresses from being mixed in.
In this step, determining the trusted and non-trusted source IP addresses among the source IP addresses of the TCP messages sent to the server may include: looking up the source IP address of each TCP message sent to the server in the source IP address trust list; if it is found, the source IP address is a trusted source IP address, and if it is not found, the source IP address is a non-trusted source IP address.
Step 102: Send the TCP messages of the trusted source IP addresses to the server.
Here, the TCP messages of a trusted source IP address are the TCP messages whose source IP address is a trusted source IP address. In this step, all TCP messages of trusted source IP addresses can be sent to the server.
Forwarding the TCP messages of trusted source IP addresses directly reduces the risk of false positives and prevents the TCP traffic filtering method from affecting normal TCP traffic.
Step 103: Use the SYN message rate baseline, TCP message length baseline and TCP message rate baseline of the non-trusted source IP address to judge whether to intercept the TCP messages of the non-trusted source IP address.
In step 103, the SYN message rate baseline is first compared with the transmission rate of the SYN messages from the non-trusted source IP address to judge whether the SYN messages are abnormal, and hence whether the TCP messages of the non-trusted source IP address need to be intercepted. If the SYN messages are abnormal, it is determined that the TCP messages of the non-trusted source IP address need to be intercepted, and they are discarded so that the server is not attacked.
If the SYN messages are not abnormal, the TCP message length baseline is used to judge whether there are abnormally large messages among the TCP messages of the non-trusted source IP address. If there are none, the TCP messages of that source IP address are sent to the server. If there are abnormally large messages, the TCP message rate baseline is used to judge whether the non-trusted source IP address is abnormal. If the judgment result is that the non-trusted source IP address is not abnormal, its TCP messages are sent to the server; if the judgment result is that the non-trusted source IP address is abnormal, its TCP messages are discarded.
In this application, when a server is under CC attack, it is first judged whether each source IP address of the TCP messages sent to the server is a trusted source IP address. If it is, the TCP messages of that trusted source IP address are forwarded directly, so the TCP traffic of normal clients is not affected. If it is not, the non-trusted source IP address is judged using the SYN message rate baseline, TCP message length baseline and TCP message rate baseline to decide whether its TCP messages are abnormal, and hence whether to discard or forward the TCP messages of that non-trusted source IP address. In this way no watermark field needs to be carried in uplink TCP messages and the client's code need not be modified, so the cost and barrier to entry are low and the scheme is suitable for cloud service scenarios. At the same time the TCP message length is unchanged, which saves uplink traffic cost.
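The decision procedure of steps 101 to 103 worked through in Python, as an added example rather than code from the patent: the trust list, the three baseline values and the sample messages are constructed, and each source is judged over a fixed observation window (an assumption; the patent does not state the window length).

```python
"""Steps 101-103: trust-list lookup, then per-source SYN-rate, message-length and
message-rate checks against learned baselines. Added example; every name, baseline
value and sample message below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Baselines:
    syn_rate: float   # SYN message rate baseline, SYN messages per second
    msg_len: int      # TCP message length baseline, bytes
    tcp_rate: float   # TCP message rate baseline, TCP messages per second


@dataclass(frozen=True)
class TcpMessage:
    src_ip: str
    length: int       # total message length in bytes
    syn: bool         # True when the SYN flag is set


def classify_source(msgs, ip, trust_list, baselines, window_s):
    """Return 'forward' or 'drop' for one source IP observed over window_s seconds."""
    if ip in trust_list:
        return "forward"                        # steps 101-102: trusted, forward directly
    # step 103, first check: this source's SYN rate against the SYN rate baseline
    syn_rate = sum(1 for m in msgs if m.syn) / window_s
    if syn_rate > baselines.syn_rate:
        return "drop"
    # second check: any abnormally large message compared with the length baseline?
    if not any(m.length > baselines.msg_len for m in msgs):
        return "forward"
    # third check: only sources that send big messages are rate-checked
    tcp_rate = len(msgs) / window_s
    return "drop" if tcp_rate > baselines.tcp_rate else "forward"


def filter_window(messages, trust_list, baselines, window_s=1.0):
    """Apply steps 101-103 to all messages seen in one window; returns {src_ip: verdict}."""
    by_src = defaultdict(list)
    for m in messages:
        by_src[m.src_ip].append(m)
    return {ip: classify_source(msgs, ip, trust_list, baselines, window_s)
            for ip, msgs in by_src.items()}


# Constructed values standing in for what step 203 would have learned.
BASELINES = Baselines(syn_rate=20.0, msg_len=600, tcp_rate=100.0)
TRUST_LIST = {"10.0.0.5"}


def sample_messages():
    """One constructed second of traffic towards the protected server."""
    msgs = []
    msgs += [TcpMessage("10.0.0.5", 1400, False)] * 300     # trusted: heavy, still forwarded
    msgs += [TcpMessage("198.51.100.7", 60, True)] * 50      # 50 SYN/s exceeds baseline 20
    msgs += [TcpMessage("198.51.100.8", 200, False)] * 10    # small messages: forwarded
    msgs += [TcpMessage("198.51.100.9", 1400, False)] * 149 + [TcpMessage("198.51.100.9", 60, True)]
    msgs += [TcpMessage("198.51.100.10", 1400, False)] * 5   # big but slow: forwarded
    return msgs


if __name__ == "__main__":
    for ip, verdict in sorted(filter_window(sample_messages(), TRUST_LIST, BASELINES).items()):
        print(f"{ip:15} {verdict}")
```

198.51.100.9 sends 150 large messages per second with a normal SYN rate, so it is caught only by the third check; 198.51.100.10 sends the same large messages at a low rate and passes.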
Fig. 4 is a flow chart of another TCP traffic filtering method provided by an embodiment of the present invention. Referring to Fig. 4, the method is executed by the aforementioned TCP traffic filtering system and its flow includes:
Step 201: Count the server's new connection count, connection concurrency and abnormal connection count per unit time.
Specifically, the TCP traffic filtering system receives the mirrored traffic sent by the router. The mirrored traffic includes TCP traffic as well as other traffic, such as UDP traffic. The new connection count, connection concurrency and abnormal connection count of each server's TCP connections are counted per unit time.
The TCP connections of a server are counted according to the five-tuple of each message in the TCP traffic (protocol, source port, source IP address, destination port, destination IP address), and the new connection count and connection concurrency are determined from the counted TCP connections. The new connection count is the number of TCP connections added in the current unit time (such as one minute) compared with the previous unit time; the connection concurrency is the number of TCP connections existing in the current unit time.
The abnormal connection count is the number of abnormal TCP connections among the TCP connections existing in the current unit time. An abnormal TCP connection can be determined as follows: when a TCP connection meets any one of the following conditions, the TCP connection is determined to be abnormal:
The payload of a message transmitted on the TCP connection starts with a GET field, and the message length exceeds 500 bytes.
A single byte in the payload of a message transmitted on the TCP connection is repeated consecutively more than a preset number of times, and the message length exceeds 500 bytes.
The payload of a message transmitted on the TCP connection starts with #, and the message length exceeds 500 bytes.
Among the messages transmitted on the TCP connection, the sequence (seq) number keeps increasing while the acknowledgement (ack) number remains unchanged.
Big data analysis shows that the layer-4 CC attacks currently seen on the live network share these characteristics: these situations occur frequently in attacks and very rarely in normal business, so these situations are judged to be abnormal TCP connections.
In embodiments of the present invention, the mirrored traffic sent by the router includes the TCP traffic of multiple servers, so the new connection count, connection concurrency and abnormal connection count are counted separately for each server. When the mirrored traffic includes the TCP traffic of multiple servers, each subsequent step is likewise executed separately for the TCP traffic of each server.
Step 202: Judge whether the server is under CC attack according to its new connection count, connection concurrency and abnormal connection count.
Specifically, the server's new connection count per unit time is compared with the server's new connection count safety threshold, its connection concurrency per unit time with its connection concurrency safety threshold, and its abnormal connection count per unit time with its abnormal connection count safety threshold.
When any one of the server's new connection count, connection concurrency and abnormal connection count exceeds the corresponding safety threshold, the server is determined to be under CC attack. When none of them exceeds the corresponding safety threshold, the server is determined not to be under CC attack.
In embodiments of the present invention, the new connection count safety threshold, connection concurrency safety threshold and abnormal connection count safety threshold can be determined as follows: determine the server's new connection baseline and connection concurrency baseline; multiply the new connection baseline by A to obtain the new connection count safety threshold, multiply the connection concurrency baseline by B to obtain the connection concurrency safety threshold, and multiply the new connection baseline by C to obtain the abnormal connection count safety threshold, where A and B are greater than 1 and C is greater than 0 and less than 1.
The new connection baseline is a threshold on the new connection count, and the connection concurrency baseline is a threshold on the connection concurrency. Both can first be obtained by learning and then stored in the database.
The values of A, B and C can be chosen according to actual needs; for example, A and B can be 2 and C can be 2/3.
The new connection baseline and connection concurrency baseline characterise regular business behaviour, whereas the safety thresholds are meant to bound abnormal business behaviour; therefore the new connection baseline and connection concurrency baseline are multiplied by coefficients, namely A, B and C above.
Further, the method also includes recording the time during which the server is under CC attack, which consists of a start time and an end time. The start time is the time at which step 202 detects that the server has started to be under CC attack, and the end time is the time at which step 202 detects that the server is no longer under CC attack.
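The four abnormal-connection rules of step 201 and the threshold comparison of step 202, as an added Python example that is not the patent's code; the repeat limit (the patent only says "a preset value"), the baselines and the sample connections are constructed.

```python
"""Steps 201-202: classify TCP connections as abnormal with the four rules, then
decide whether the server is under CC attack from the three per-unit-time counts.
Added example; REPEAT_LIMIT, the baselines and SAMPLE_CONNS are constructed."""
from dataclasses import dataclass, field
from typing import List

BIG_MESSAGE_BYTES = 500   # from the rules: "message length exceeds 500 bytes"
REPEAT_LIMIT = 64         # assumption: the patent leaves the "preset value" open


@dataclass
class Connection:
    payload: bytes                                  # payload of a message on this connection
    length: int                                     # total length of that message, bytes
    seqs: List[int] = field(default_factory=list)   # seq numbers of successive messages
    acks: List[int] = field(default_factory=list)   # ack numbers of the same messages


def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of a single byte value repeated consecutively."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        best = max(best, run)
        prev = b
    return best


def is_abnormal(conn: Connection) -> bool:
    """Any one of the four conditions of step 201 marks the connection abnormal."""
    big = conn.length > BIG_MESSAGE_BYTES
    if big and conn.payload.startswith(b"GET"):
        return True
    if big and longest_byte_run(conn.payload) > REPEAT_LIMIT:
        return True
    if big and conn.payload.startswith(b"#"):
        return True
    # seq keeps increasing while ack never changes: data pushed, nothing acknowledged
    increasing = all(s1 < s2 for s1, s2 in zip(conn.seqs, conn.seqs[1:]))
    if len(conn.seqs) >= 2 and increasing and len(set(conn.acks)) == 1:
        return True
    return False


def count_abnormal(conns) -> int:
    return sum(1 for c in conns if is_abnormal(c))


def under_cc_attack(new_conns, concurrent, abnormal, new_baseline, conc_baseline,
                    a=2.0, b=2.0, c=2 / 3) -> bool:
    """Step 202: any count above its threshold (baseline times A, B or C) means attack."""
    if not (a > 1 and b > 1 and 0 < c < 1):
        raise ValueError("need A > 1, B > 1 and 0 < C < 1")
    return (new_conns > new_baseline * a
            or concurrent > conc_baseline * b
            or abnormal > new_baseline * c)


# Constructed connections seen in one minute of mirrored traffic.
SAMPLE_CONNS = [
    Connection(b"GET /index.html HTTP/1.1\r\n", 120, [1000, 1500], [900, 1300]),  # normal
    Connection(b"GET /" + b"A" * 900, 960, [1, 961], [1, 1]),                        # big GET
    Connection(b"#" * 700, 740, [1, 741], [1, 1]),                                    # '#' junk
    Connection(b"\x00" * 600, 640, [1, 641], [1, 1]),                                 # one byte repeated
    Connection(b"POST /upload", 80, [1, 81, 161], [1, 1, 1]),                         # seq up, ack flat
]

if __name__ == "__main__":
    abnormal = count_abnormal(SAMPLE_CONNS)
    print("abnormal connections:", abnormal)
    print("attack:", under_cc_attack(250, 120, abnormal, new_baseline=100, conc_baseline=100))
```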
Step 203: Learn from the server's TCP messages to obtain the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline.
Here, the source IP address trust list is the white list of the server's clients: TCP messages sent by the clients whose source IP addresses are recorded in the source IP address trust list need not be verified again in step 103 and can be forwarded directly to the server. Each server has its own source IP address trust list. The IP addresses in the trust list are obtained by learning during normal transmission time, which prevents the attacking end's IP addresses from being mixed in.
In embodiments of the present invention, the learning process of the source IP address trust list is as follows:
Record the source IP addresses of the TCP messages. When recording, the source IP address and the corresponding time, that is, the time at which the TCP message sent by that source IP address was obtained, are recorded together.
Delete the source IP addresses recorded while the server was under CC attack.
Among N consecutive periods, select the source IP addresses that appeared in at least M periods to generate the source IP address trust list, where N and M are integers and N ≥ M > 1.
The N consecutive periods can be designed as needed, for example 7 consecutive periods such as 7 days. A source IP address that appeared in 2 of the 7 periods is determined to be a trusted source IP address and is written into the source IP address trust list.
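The trust-list learning procedure just described (record, discard records taken under attack, keep addresses seen in at least M of N periods), as an added Python example not taken from the patent; the timestamps, addresses and attack window are constructed.

```python
"""Learning the source IP address trust list (step 203). Added example; the
records, the attack window and the period parameters below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_trust_list(records, attack_windows, window_end,
                     period=timedelta(days=1), n_periods=7, m_required=2):
    """records: iterable of (timestamp, src_ip); attack_windows: [(start, end), ...]
    as recorded by step 202.  Returns the set of trusted source IP addresses."""
    if not (n_periods >= m_required > 1):
        raise ValueError("need N >= M > 1")
    window_start = window_end - n_periods * period
    periods_seen = defaultdict(set)          # ip -> indices of the periods it appeared in
    for ts, ip in records:
        if not (window_start <= ts < window_end):
            continue                          # outside the N-period learning window
        if any(start <= ts < end for start, end in attack_windows):
            continue                          # recorded while under attack: discard
        periods_seen[ip].add((ts - window_start) // period)
    return {ip for ip, idx in periods_seen.items() if len(idx) >= m_required}


# Constructed records over 7 daily periods ending at midnight on 2024-01-08.
END = datetime(2024, 1, 8)
DAY = timedelta(days=1)
RECORDS = [
    (END - 7 * DAY + timedelta(hours=9), "203.0.113.10"),   # period 0
    (END - 4 * DAY + timedelta(hours=9), "203.0.113.10"),   # period 3: seen in 2 periods
    (END - 6 * DAY + timedelta(hours=3), "203.0.113.20"),   # one period only
    (END - 5 * DAY + timedelta(hours=1), "203.0.113.30"),   # period 2
    (END - 3 * DAY + timedelta(hours=1), "203.0.113.30"),   # period 4, inside the attack
    (END - 10 * DAY, "203.0.113.40"),                       # older than the window
    (END - 2 * DAY, "203.0.113.40"),                        # one period inside the window
]
ATTACK_WINDOWS = [(END - 3 * DAY, END - 3 * DAY + timedelta(hours=2))]

if __name__ == "__main__":
    print(sorted(build_trust_list(RECORDS, ATTACK_WINDOWS, END)))
```

With the attack window removed, 203.0.113.30 would also qualify, which is exactly the contamination the deletion step prevents.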
In embodiments of the present invention, the learning process of the SYN message rate baseline, TCP message length baseline and TCP message rate baseline is as follows:
Obtain the SYN message rate, TCP message length and TCP message rate from the server's TCP messages. When recording, the SYN message rate, TCP message length and TCP message rate are recorded together with the corresponding time and source IP address; the SYN message rate and TCP message rate can be recorded once per unit time, for example once every minute.
Delete the SYN message rates, TCP message lengths and TCP message rates obtained while the server was under CC attack.
Periodically generate the SYN message rate baseline, TCP message length baseline and TCP message rate baseline from the obtained SYN message rates, TCP message lengths and TCP message rates.
In this step, at the end of each cycle, statistics are computed over the SYN message rates, TCP message lengths and TCP message rates of the server obtained during that cycle to obtain the SYN message rate baseline, TCP message length baseline and TCP message rate baseline. After each cycle generates the SYN message rate baseline, TCP message length baseline and TCP message rate baseline, they replace the baselines obtained in the previous cycle.
Illustratively, the cycle may be one day.
Periodically generating the SYN message rate baseline, TCP message length baseline and TCP message rate baseline from the obtained SYN message rates, TCP message lengths and TCP message rates includes:
Calculate the standard deviation of the SYN message rates in the cycle, and add X times the standard deviation to the average of the SYN message rates to obtain a first value. If the first value is less than or equal to a first rate threshold, use the first rate threshold as the SYN message rate baseline; if the first value is greater than the first rate threshold, use the first value as the SYN message rate baseline. X is greater than 1. For example, add 5 times the standard deviation to the average SYN message rate (that is, average + 5 × standard deviation) to obtain the first value; if the first value is less than or equal to 20 per second, use 20 as the SYN message rate baseline, and if the first value is greater than 20, use the first value as the SYN message rate baseline.
Calculate the average and standard deviation of the TCP message lengths in the cycle, and add Y times the standard deviation to the average to obtain a second value. If the second value is less than or equal to a message length threshold, use the message length threshold as the TCP message length baseline; if the second value is greater than the message length threshold, use the second value as the TCP message length baseline. Y is greater than 1. The value of Y can be 5; the threshold can be chosen according to actual needs, and the unit is bytes.
Calculate the average and standard deviation of the TCP message rates in the cycle, and add Z times the standard deviation to the average to obtain a third value. If the third value is less than or equal to a second rate threshold, use the second rate threshold as the TCP message rate baseline; if the third value is greater than the second rate threshold, use the third value as the TCP message rate baseline. Z is greater than 1. The value of Z can be 5; the threshold can be chosen according to actual needs, and the unit is messages per second.
Optionally, source IP message rate baseline, learning method and TCP message rate can also be learnt in step 203 Baseline is identical, difference lies in source IP message rate baseline and be sent to server various flows (such as TCP, UDP, control report (Internet Control Message Protocol, ICMP) flow etc. is discussed by cultural association) message rate it is related.
Further, the TCP traffic filtering system also needs to learn the aforementioned new-connection baseline and connection concurrency baseline.
In the embodiment of the present invention, the learning process for the new-connection baseline and the connection concurrency baseline is as follows:
Record the number of new connections and the connection concurrency of the server per unit time. When recording, the number of new connections and the connection concurrency are recorded together with the corresponding time. The method of recording the number of new connections and the connection concurrency can be the same as in step 201.
The number of new connections and the connection concurrency recorded while the server is under CC attack are deleted.
Periodically, according to the obtained number of new connections and connection concurrency of the server per unit time, generate the new-connection baseline and the connection concurrency baseline.
Periodically generating the new-connection baseline and the connection concurrency baseline according to the obtained number of new connections and connection concurrency of the server per unit time includes:
Calculate the average value and standard deviation of the number of new connections within the cycle, and add P times the standard deviation to the average value of the number of new connections to obtain a fourth numerical value. If the fourth numerical value is less than or equal to a connection number threshold, the connection number threshold is used as the new-connection baseline; if the fourth numerical value is greater than the connection number threshold, the fourth numerical value is used as the new-connection baseline. P is greater than 1. For example, with 5 times the standard deviation of the number of new connections added to the average value, the fourth numerical value is obtained; if the fourth numerical value is less than or equal to 400, 400 is used as the new-connection baseline, and if the fourth numerical value is greater than 400, the fourth numerical value is used as the new-connection baseline.
Calculate the average value and standard deviation of the connection concurrency within the cycle, and add Q times the standard deviation to the average value of the connection concurrency to obtain a fifth numerical value. If the fifth numerical value is less than or equal to a concurrency threshold, the concurrency threshold is used as the connection concurrency baseline; if the fifth numerical value is greater than the concurrency threshold, the fifth numerical value is used as the connection concurrency baseline. Q is greater than 1. The value of Q can be 5; the fifth numerical value can be chosen according to actual needs.
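The baseline rule described for the SYN rate, TCP length, TCP rate, new-connection and concurrency baselines above is the same formula with different multipliers and thresholds; the following is an added example (not the patent's own code) that implements it with assumed names (Sample, learn_baseline, learn_cycle_baselines), drops samples taken under attack, and uses the population standard deviation, which is an assumption since the page does not say which variant is meant.

```python
"""Baseline learning for the TCP traffic filter described above.

Added example, not the patent's own code. Names are assumed. Each baseline
follows the rule on the page: candidate = average + k * standard deviation,
and the baseline is the larger of the candidate and a fixed threshold (floor).
Samples recorded while the server was under CC attack are deleted before the
statistics are computed. Population standard deviation is an assumption.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Sample:
    """One recorded measurement for a unit interval (e.g. one minute)."""
    t: int                       # unit-interval index within the cycle
    value: float                 # SYN rate, TCP length, TCP rate, new connections, ...
    under_attack: bool = False   # True if a CC attack was detected at that time


def learn_baseline(samples: Iterable[Sample], k: float, floor: float) -> float:
    """Return max(average + k * stddev, floor) over the non-attack samples.

    The page requires the multiplier (X, Y, Z, P or Q) to be greater than 1.
    If every sample of the cycle was recorded under attack, nothing usable is
    left and the threshold itself is returned (assumption).
    """
    if k <= 1:
        raise ValueError("multiplier must be greater than 1")
    values: List[float] = [s.value for s in samples if not s.under_attack]
    if not values:
        return float(floor)
    candidate = mean(values) + k * pstdev(values)
    return float(candidate) if candidate > floor else float(floor)


# Thresholds (floors) per baseline. 20 SYN/s and 400 new connections are the
# figures quoted on the page; the other three are constructed placeholders
# standing in for values "chosen according to actual needs".
FLOORS: Dict[str, float] = {
    "syn_rate": 20.0,      # SYN messages per second
    "tcp_length": 1500.0,  # bytes (constructed placeholder)
    "tcp_rate": 200.0,     # TCP messages per second (constructed placeholder)
    "new_conn": 400.0,     # new connections per unit time
    "concurrency": 800.0,  # concurrent connections (constructed placeholder)
}


def learn_cycle_baselines(cycle: Dict[str, List[Sample]],
                          k: float = 5.0) -> Dict[str, float]:
    """Compute all five baselines at the end of one cycle (e.g. one day).

    The returned dict replaces the previous cycle's baselines wholesale, which
    is the periodic update the page describes.
    """
    return {name: learn_baseline(cycle.get(name, []), k, floor)
            for name, floor in FLOORS.items()}


if __name__ == "__main__":
    # Constructed SYN-rate samples for one cycle: average 5/s, stddev 2/s.
    quiet = [Sample(i, v) for i, v in enumerate([2, 4, 4, 4, 5, 5, 7, 9])]
    # The same shape scaled up, plus one sample taken under attack that must
    # not influence the baseline.
    busy = [Sample(i, v) for i, v in enumerate([10, 20, 20, 20, 25, 25, 35, 45])]
    busy.append(Sample(8, 5000.0, under_attack=True))
    print(learn_baseline(quiet, 5, 20.0))  # 5 + 5*2 = 15 <= 20 -> 20.0
    print(learn_baseline(busy, 5, 20.0))   # 25 + 5*10 = 75 > 20 -> 75.0
    print(learn_cycle_baselines({"syn_rate": busy, "new_conn": quiet}))
```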
In this method flow, steps 201, 202 and 203 are executed by the detection and learning subsystem in the TCP traffic filtering system shown in Fig. 2.
Step 204: Save the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline.
For ease of expression, "fingerprint feature baseline data" is used below to refer collectively to the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline.
In the embodiment of the present invention, saving the fingerprint feature baseline data means storing the fingerprint feature baseline data in a database. The fingerprint feature baseline data of each server is stored in the database. Specifically, the database may contain the fingerprint feature baseline data together with the address of the corresponding server, so that the corresponding fingerprint feature baseline data can be obtained according to the address of the server in the subsequent process.
The database can be arranged in the control subsystem of the TCP traffic filtering system. Step 204 is executed by the detection and learning subsystem of the TCP traffic filtering system, which stores the fingerprint feature baseline data in the database of the control subsystem. Since the fingerprint feature baseline data is generated periodically, the fingerprint feature baseline data in the database is also updated periodically, where updating means replacing the original fingerprint feature baseline data in the database with the new fingerprint feature baseline data.
Step 205: When the server is under CC attack, determine, based on the source IP address trust list of the server, the trusted source IP addresses and the non-trusted source IP addresses among the source IP addresses of the TCP messages sent to the server. A trusted source IP address is a source IP address that is in the source IP address trust list; a non-trusted source IP address is a source IP address that is not in the source IP address trust list.
In the embodiment of the present invention, step 205 may include: obtaining the source IP address trust list of the server from the database according to the address of the server; and determining whether the source IP address of each TCP message is in the source IP address trust list.
Step 205 can be executed by the protection subsystem in the TCP traffic filtering system.
Optionally, the method further includes: when the server is under CC attack, generating alarm information.
The alarm information may include the receiving time, the address of the server and the attack type, where the attack type is CC attack.
The alarm information is generated by the detection and learning subsystem and then output to the control subsystem and the protection subsystem. When the protection subsystem receives the alarm information, it obtains the fingerprint feature baseline data of the server from the control subsystem according to the address of the server in the alarm information.
Step 206: Send the TCP messages of the trusted source IP addresses to the server.
In the embodiment of the present invention, step 206 is executed by the protection subsystem in the TCP traffic filtering system, and step 206 may include: performing traffic traction (diversion) between the protection subsystem and the router, so that the TCP messages of the server are drawn to the protection subsystem; then filtering the TCP messages of the server according to the fingerprint feature baseline data, and returning the TCP messages of the trusted source IP addresses to the router, which sends them to the server.
Traffic traction between the protection subsystem and the router, drawing the TCP messages of the server to the TCP traffic filtering system, can be realized as follows: the protection subsystem advertises a traction route for the server to the router over the Border Gateway Protocol (BGP) neighbor relationship established with the router, so that the TCP messages of the server are sent to the protection subsystem.
Specifically, two virtual routers can be created within the router: a first virtual router and a second virtual router. The first virtual router is responsible for receiving the TCP messages of the server, and the second virtual router is responsible for sending the TCP messages of the server to the server. The protection subsystem advertises the traction route for the server to the first virtual router; the next hop of the traction route is the protection subsystem, and the subnet mask of the traction route is longer than the subnet mask of the route to the server that the first virtual router has learned. According to the longest-mask-match principle, the first virtual router uses the traction route as the route to the server. The first virtual router sends the received TCP messages of the server to the protection subsystem, and the protection subsystem performs TCP traffic filtering. After the attack on the server ends, the protection subsystem can send information to the first virtual router declaring the traction route invalid, so that the TCP messages of the server are no longer sent to the protection subsystem when the server is not under CC attack.
The protection subsystem returns the filtered TCP messages to the router, which sends them to the server.
Specifically, after TCP traffic filtering, the TCP messages of the server are sent by the protection subsystem to the aforementioned second virtual router, which sends them to the server.
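The traction mechanism above relies on the traction route being more specific than the route the first virtual router already holds, and on it being withdrawn once the attack ends. As an added illustration, not the patent's code, the following models the first virtual router's table as a plain list with longest-mask lookup; the BGP announce/withdraw become method calls, and the names (VirtualRouter, divert, undivert) and addresses are assumed and constructed.

```python
"""Traffic traction by longest-mask match, as in the protection subsystem /
virtual router description above.

Added example, not the patent's code. The real system advertises and withdraws
the traction route over a BGP neighbor session; here the first virtual
router's routing table is a Python list and the announce/withdraw steps are
method calls. Names and addresses are assumed and constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, next hop)


class VirtualRouter:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def learn(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.IPv4Network(prefix), next_hop))

    def withdraw(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.IPv4Network(prefix)
        self.routes = [r for r in self.routes if r != (net, next_hop)]

    def next_hop(self, dst: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        # Longest mask wins, so a /32 traction route beats the learned /24.
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def divert(router: VirtualRouter, server_ip: str,
           protection_hop: str = "protection-subsystem") -> None:
    """Advertise the traction route: the server's host prefix, next hop = protection subsystem."""
    router.learn(f"{server_ip}/32", protection_hop)


def undivert(router: VirtualRouter, server_ip: str,
             protection_hop: str = "protection-subsystem") -> None:
    """Declare the traction route invalid once the attack is over."""
    router.withdraw(f"{server_ip}/32", protection_hop)


def simulate(server_ip: str = "198.51.100.10") -> Tuple[str, str, str]:
    """Return the server's next hop before, during and after diversion."""
    r = VirtualRouter()
    r.learn("198.51.100.0/24", "server-segment")   # constructed learned route
    before = r.next_hop(server_ip)
    divert(r, server_ip)
    during = r.next_hop(server_ip)
    undivert(r, server_ip)
    after = r.next_hop(server_ip)
    return before, during, after


if __name__ == "__main__":
    print(simulate())  # ('server-segment', 'protection-subsystem', 'server-segment')
```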
Step 207: Using the SYN message rate baseline, TCP message length baseline and TCP message rate baseline, judge whether to intercept the TCP messages of the non-trusted source IP addresses.
In the embodiment of the present invention, judging whether to intercept the TCP messages of a non-trusted source IP address includes:
Judge whether the transmission rate of the SYN messages of the non-trusted source IP address exceeds the SYN message rate baseline. Here, the transmission rate of the SYN messages of the non-trusted source IP address needs to be determined first, and then compared with the SYN message rate baseline. Since an attacking end establishes connections much more frequently than a normal client, the SYN message rate baseline can determine whether the non-trusted source IP address is an attacking end.
When the transmission rate of the SYN messages of the non-trusted source IP address exceeds the SYN message rate baseline, the TCP messages of the non-trusted source IP address are intercepted, that is, the TCP messages of the non-trusted source IP address are discarded. Further, the method may also include: marking the non-trusted source IP address whose TCP messages have been discarded as black, so that all subsequent TCP messages of that non-trusted source IP address are intercepted.
When the transmission rate of the SYN messages of the non-trusted source IP address is less than the SYN message rate baseline, judge whether there exists, among the TCP messages of the non-trusted source IP address, a message whose length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline. Here, the message length and rate of the TCP messages of the non-trusted source IP address need to be determined first. When comparing, the message length can be compared first and then the rate: if the message length exceeds the TCP message length baseline, the rate is then compared; if the message length does not exceed the TCP message length baseline, the rate no longer needs to be compared. Of course, the order of comparison can also be rate first and then message length. Since the messages sent by an attacking end are longer and faster than those sent by a normal client, the TCP message length baseline and TCP message rate baseline can determine whether the non-trusted source IP address is an attacking end.
If there exists a message whose length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline, the TCP messages of the non-trusted source IP address are intercepted; if no such message exists, the TCP messages of the non-trusted source IP address are sent to the server.
For the way in which the TCP messages of the non-trusted source IP address are sent to the server, refer to step 206.
The present application, when the server is under CC attack, first judges whether each source IP address of the TCP messages sent to the server is a trusted source IP address. If so, the TCP messages of the trusted source IP address are forwarded directly, so the TCP traffic of normal clients is not affected. If not, the non-trusted source IP address is judged using the SYN message rate baseline; if the SYN messages are judged abnormal, the TCP messages of the non-trusted source IP address are intercepted and discarded, which prevents the server from being attacked. If the SYN messages are not abnormal, the TCP message length baseline and TCP message rate baseline are further used to judge whether the TCP messages of the non-trusted source IP address are abnormal. If the TCP messages of the non-trusted source IP address are judged not abnormal, they are sent to the server; if they are judged abnormal, they are discarded. In this way, no mark field needs to be carried in uplink TCP messages, so the client code does not need to be modified, the cost and the threshold are low, the TCP message length is unchanged, and uplink traffic cost is saved. In addition, the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline are obtained by learning, which ensures that the scheme can adapt to different networks and has a wide range of application.
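The decision sequence of steps 205 to 208 (trust list first, then SYN rate, then length combined with rate, with the optional blacklisting of a SYN-flooding source) is shown below as an added example; it is not the patent's code, the names (Baselines, SourceStats, TcpFilter) are assumed, and the per-source statistics are taken as already measured over the current window, which the page leaves to the protection subsystem.

```python
"""Filtering decision for one source, following steps 205 to 208 above.

Added example, not the patent's code. Names are assumed. Per-source
statistics are assumed to be measured over the current window. Marking a
source black after its TCP messages were discarded on the SYN branch is the
optional step the page mentions; sources dropped on the length/rate branch
are not blacklisted here (assumption, since the page does not say so).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

FORWARD, DROP = "forward", "drop"


@dataclass(frozen=True)
class Baselines:
    syn_rate: float     # SYN message rate baseline, SYN messages per second
    tcp_length: float   # TCP message length baseline, bytes
    tcp_rate: float     # TCP message rate baseline, messages per second


@dataclass(frozen=True)
class SourceStats:
    ip: str
    syn_rate: float     # SYN messages per second from this source
    tcp_rate: float     # TCP messages per second from this source
    lengths: List[int]  # lengths of the TCP messages seen from this source


class TcpFilter:
    def __init__(self, trust_list: Iterable[str], baselines: Baselines) -> None:
        self.trusted: Set[str] = set(trust_list)
        self.b = baselines
        self.blacklist: Set[str] = set()

    def decide(self, s: SourceStats) -> str:
        # Steps 205/206: a source in the trust list is forwarded unconditionally.
        if s.ip in self.trusted:
            return FORWARD
        # Optional: a source already marked black stays intercepted.
        if s.ip in self.blacklist:
            return DROP
        # Step 207, first test: SYN rate above the SYN message rate baseline.
        if s.syn_rate > self.b.syn_rate:
            self.blacklist.add(s.ip)
            return DROP
        # Steps 207/208, second test: a message longer than the length baseline
        # AND a rate above the rate baseline. Length is compared first; the
        # rate is only compared when some message is oversized.
        oversized = any(n > self.b.tcp_length for n in s.lengths)
        if oversized and s.tcp_rate > self.b.tcp_rate:
            return DROP
        return FORWARD

    def run(self, sources: Iterable[SourceStats]) -> Dict[str, str]:
        return {s.ip: self.decide(s) for s in sources}


def demo():
    """Run the filter over one constructed window, then a second one."""
    # Baselines: 20 SYN/s is the figure on the page; the other two are constructed.
    f = TcpFilter(trust_list=["203.0.113.1"],
                  baselines=Baselines(syn_rate=20.0, tcp_length=1500.0, tcp_rate=100.0))
    window = [  # constructed per-source statistics (documentation addresses)
        SourceStats("203.0.113.1", syn_rate=500, tcp_rate=900, lengths=[60]),       # trusted
        SourceStats("203.0.113.2", syn_rate=35, tcp_rate=40, lengths=[60]),         # SYN above baseline
        SourceStats("203.0.113.3", syn_rate=2, tcp_rate=150, lengths=[200, 1600]),  # long and fast
        SourceStats("203.0.113.4", syn_rate=2, tcp_rate=50, lengths=[200, 1600]),   # long but slow
        SourceStats("203.0.113.5", syn_rate=2, tcp_rate=150, lengths=[200]),        # fast but short
    ]
    first = f.run(window)
    # Next window: the SYN flooder is quiet now but was marked black.
    second = f.run([SourceStats("203.0.113.2", syn_rate=1, tcp_rate=1, lengths=[60])])
    return first, second


if __name__ == "__main__":
    for verdicts in demo():
        print(verdicts)
```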
Fig. 5 is a structural schematic diagram of a TCP traffic filtering apparatus provided in an embodiment of the present invention. Referring to Fig. 5, the apparatus 300 includes a judgment module 301 and a filtering module 302.
The judgment module 301 is used to determine, when the server is under CC attack and based on the source IP address trust list of the server, the trusted source IP addresses and the non-trusted source IP addresses among the source IP addresses of the TCP messages sent to the server, where a trusted source IP address is a source IP address in the source IP address trust list and a non-trusted source IP address is a source IP address not in the source IP address trust list. The filtering module 302 is used to send the TCP messages of the trusted source IP addresses to the server, and to judge, using the SYN message rate baseline, TCP message length baseline and TCP message rate baseline, whether to intercept the TCP messages of the non-trusted source IP addresses.
In the embodiment of the present invention, the filtering module 302 is used to judge whether the transmission rate of the SYN messages of a non-trusted source IP address exceeds the SYN message rate baseline. When the transmission rate of the SYN messages of the non-trusted source IP address exceeds the SYN message rate baseline, the TCP messages of the non-trusted source IP address are intercepted. When the transmission rate of the SYN messages of the non-trusted source IP address does not exceed the SYN message rate baseline, it judges whether there exists, among the TCP messages of the non-trusted source IP address, a message whose length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline. If such a message exists, the TCP messages of the non-trusted source IP address are intercepted; if no such message exists, the TCP messages of the non-trusted source IP address are sent to the server.
Further, the apparatus also includes a learning module 303 and a storage module 304.
The learning module 303 is used to learn from the TCP messages of the server and obtain the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline. The storage module 304 is used to save the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline.
In the embodiment of the present invention, the learning module 303 is used to record the source IP addresses of the TCP messages, delete the source IP addresses recorded while the server is under CC attack, and choose the source IP addresses that occurred in at least M periods out of N consecutive periods to generate the source IP address trust list, where N and M are integers and N ≥ M > 1.
In the embodiment of the present invention, the learning module 303 is used to obtain the SYN message rate, TCP message length and TCP message rate from the TCP messages of the server; delete the SYN message rate, TCP message length and TCP message rate obtained while the server is under CC attack; and periodically generate the SYN message rate baseline, TCP message length baseline and TCP message rate baseline according to the obtained SYN message rate, TCP message length and TCP message rate.
In the embodiment of the present invention, the learning module 303 is used to calculate the average value and standard deviation of the SYN message rate within the cycle, and add X times the standard deviation to the average value of the SYN message rate to obtain a first numerical value; if the first numerical value is less than or equal to the first rate threshold, the first rate threshold is used as the SYN message rate baseline, and if the first numerical value is greater than the first rate threshold, the first numerical value is used as the SYN message rate baseline, X being greater than 1. It calculates the average value and standard deviation of the TCP message length within the cycle, and adds Y times the standard deviation to the average value of the TCP message length to obtain a second numerical value; if the second numerical value is less than or equal to the message length threshold, the message length threshold is used as the TCP message length baseline, and if the second numerical value is greater than the message length threshold, the second numerical value is used as the TCP message length baseline, Y being greater than 1. It calculates the average value and standard deviation of the TCP message rate within the cycle, and adds Z times the standard deviation to the average value of the TCP message rate to obtain a third numerical value; if the third numerical value is less than or equal to the second rate threshold, the second rate threshold is used as the TCP message rate baseline, and if the third numerical value is greater than the second rate threshold, the third numerical value is used as the TCP message rate baseline, Z being greater than 1.
Further, the apparatus also includes a detection module 305.
The detection module 305 is used to count the number of new connections, the connection concurrency and the number of abnormal connections of the server per unit time; to compare the number of new connections of the server per unit time with the new-connection safety threshold of the server; to compare the connection concurrency of the server per unit time with the connection-concurrency safety threshold of the server; and to compare the number of abnormal connections of the server per unit time with the abnormal-connection safety threshold of the server. When any of the number of new connections, the connection concurrency and the number of abnormal connections of the server exceeds the corresponding safety threshold, it is determined that the server is under CC attack.
In the embodiment of the present invention, the learning module 303 is further used to record the number of new connections and the connection concurrency of the server per unit time; to delete the number of new connections and the connection concurrency recorded while the server is under CC attack; and to periodically generate the new-connection baseline and the connection concurrency baseline according to the obtained number of new connections and connection concurrency of the server per unit time. The new-connection safety threshold is obtained by multiplying the new-connection baseline by A, the connection-concurrency safety threshold by multiplying the connection concurrency baseline by B, and the abnormal-connection safety threshold by multiplying the new-connection baseline by C, where A and B are greater than 1 and C is greater than 0 and less than 1.
In the embodiment of the present invention, the learning module 303 is used to calculate the average value and standard deviation of the number of new connections within the cycle, and add P times the standard deviation to the average value of the number of new connections to obtain a fourth numerical value; if the fourth numerical value is less than or equal to the connection number threshold, the connection number threshold is used as the new-connection baseline, and if the fourth numerical value is greater than the connection number threshold, the fourth numerical value is used as the new-connection baseline, P being greater than 1. It calculates the average value and standard deviation of the connection concurrency within the cycle, and adds Q times the standard deviation to the average value of the connection concurrency to obtain a fifth numerical value; if the fifth numerical value is less than or equal to the concurrency threshold, the concurrency threshold is used as the connection concurrency baseline, and if the fifth numerical value is greater than the concurrency threshold, the fifth numerical value is used as the connection concurrency baseline, Q being greater than 1.
It should be noted that when the TCP traffic filtering apparatus provided by the above embodiment implements the TCP traffic filtering method, the division into the above functional modules is merely an example; in practical applications, the above functions can be allocated to different functional modules as needed, that is, the internal structure of the apparatus can be divided into different functional modules to complete all or part of the functions described above. In addition, the TCP traffic filtering apparatus and the TCP traffic filtering method embodiments provided by the above embodiments belong to the same concept; for the specific implementation process refer to the method embodiment, which is not repeated here.
Fig. 6 is a structural schematic diagram of a server provided in an embodiment of the present invention. The server can be the TCP traffic filtering system. Specifically:
The TCP traffic filtering system 400 includes a central processing unit (CPU) 401, a system memory 404 including random access memory (RAM) 402 and read-only memory (ROM) 403, and a system bus 405 connecting the system memory 404 and the central processing unit 401. The TCP traffic filtering system 400 further includes a basic input/output system (I/O system) 406 that helps transfer information between the devices in the computer, and a mass storage device 407 for storing an operating system 413, application programs 414 and other program modules 415.
The basic input/output system 406 includes a display 408 for displaying information and an input device 409, such as a mouse or keyboard, for the user to input information. The display 408 and the input device 409 are both connected to the central processing unit 401 through an input/output controller 410 connected to the system bus 405. The basic input/output system 406 may also include the input/output controller 410 for receiving and processing input from multiple other devices such as a keyboard, mouse or electronic stylus. Similarly, the input/output controller 410 also provides output to a display screen, printer or other type of output device.
The mass storage device 407 is connected to the central processing unit 401 through a mass storage controller (not shown) connected to the system bus 405. The mass storage device 407 and its associated computer-readable medium provide non-volatile storage for the TCP traffic filtering system 400. That is, the mass storage device 407 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM drive.
Without loss of generality, computer-readable media may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid-state storage technologies, CD-ROM, DVD or other optical storage, tape cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will know that computer storage media are not limited to the above. The system memory 404 and the mass storage device 407 may be collectively referred to as memory.
According to various embodiments of the present invention, the TCP traffic filtering system 400 may also operate via a remote computer connected to a network such as the Internet. That is, the TCP traffic filtering system 400 may be connected to a network 412 through a network interface unit 411 connected to the system bus 405, or the network interface unit 411 may be used to connect to other types of networks or remote computer systems (not shown).
The memory further includes one or more programs stored in the memory and configured to be executed by the CPU. The CPU 401 implements the TCP traffic filtering method shown in Fig. 3 or Fig. 4 by executing the one or more programs.
The embodiment of the present invention also provides a non-transitory computer-readable storage medium; when the instructions in the storage medium are executed by the processor of the TCP traffic filtering system, the TCP traffic filtering system is able to perform the TCP traffic filtering method provided by the embodiment shown in Fig. 3 or Fig. 4.
A computer program product including instructions, which, when run on a computer, causes the computer to perform the TCP traffic filtering method provided by the embodiment shown in Fig. 3 or Fig. 4.
One of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be implemented by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, which can be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.

Claims (10)

1. A transmission control protocol traffic filtering method, characterized in that the method comprises:
when a server is under a Challenge Collapsar (CC) attack, determining, based on a source internet protocol address trust list of the server, trusted source internet protocol addresses and non-trusted source internet protocol addresses among the source internet protocol addresses of the transmission control protocol messages sent to the server, wherein a trusted source internet protocol address is a source internet protocol address in the source internet protocol address trust list, and a non-trusted source internet protocol address is a source internet protocol address not in the source internet protocol address trust list;
sending the transmission control protocol messages of the trusted source internet protocol addresses to the server;
judging, using a synchronize sequence number (SYN) message rate baseline, a transmission control protocol message length baseline and a transmission control protocol message rate baseline, whether to intercept the transmission control protocol messages of the non-trusted source internet protocol addresses.
2. The method according to claim 1, characterized in that judging whether to intercept the transmission control protocol messages of the non-trusted source internet protocol address comprises:
judging whether the transmission rate of the synchronize sequence number (SYN) messages of the non-trusted source internet protocol address exceeds the synchronize sequence number message rate baseline;
when the transmission rate of the synchronize sequence number messages of the non-trusted source internet protocol address exceeds the synchronize sequence number message rate baseline, intercepting the transmission control protocol messages of the non-trusted source internet protocol address;
when the transmission rate of the synchronize sequence number messages of the non-trusted source internet protocol address is less than the synchronize sequence number message rate baseline, judging whether there exists, among the transmission control protocol messages of the non-trusted source internet protocol address, a message whose length exceeds the transmission control protocol message length baseline and whose rate exceeds the transmission control protocol message rate baseline; if there exists a message whose length exceeds the transmission control protocol message length baseline and whose rate exceeds the transmission control protocol message rate baseline, intercepting the transmission control protocol messages of the non-trusted source internet protocol address; if there exists no message whose length exceeds the transmission control protocol message length baseline and whose rate exceeds the transmission control protocol message rate baseline, sending the transmission control protocol messages of the non-trusted source internet protocol address to the server.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
learning from the transmission control protocol messages of the server to obtain the source internet protocol address trust list, the synchronize sequence number (SYN) message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline;
saving the source internet protocol address trust list, the synchronize sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline.
4. The method according to claim 3, characterized in that learning from the transmission control protocol messages of the server to obtain the source internet protocol address trust list comprises:
recording the source internet protocol addresses of the transmission control protocol messages sent to the server;
deleting the source internet protocol addresses recorded while the server is under the Challenge Collapsar (CC) attack;
choosing the source internet protocol addresses that occurred in at least M periods out of N consecutive periods to generate the source internet protocol address trust list, where N and M are integers and N ≥ M > 1.
5. The method according to claim 3, characterized in that learning from the transmission control protocol messages of the server to obtain the synchronize sequence number (SYN) message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline comprises:
obtaining the synchronize sequence number message rate, the transmission control protocol message length and the transmission control protocol message rate from the transmission control protocol messages of the server;
deleting the synchronize sequence number message rate, the transmission control protocol message length and the transmission control protocol message rate obtained while the server is under the Challenge Collapsar (CC) attack;
periodically generating, according to the obtained synchronize sequence number message rate, transmission control protocol message length and transmission control protocol message rate, the synchronize sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline.
6. The method according to claim 5, characterized in that periodically generating the synchronizing sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline according to the obtained synchronizing sequence number message rate, transmission control protocol message length and transmission control protocol message rate comprises:
calculating the average value and the standard deviation of the synchronizing sequence number message rate within a period, and adding X times the standard deviation to the average value of the synchronizing sequence number message rate to obtain a first value; if the first value is less than or equal to a first rate threshold, using the first rate threshold as the synchronizing sequence number message rate baseline, and if the first value is greater than the first rate threshold, using the first value as the synchronizing sequence number message rate baseline, X being greater than 1;
calculating the average value and the standard deviation of the transmission control protocol message length within a period, and adding Y times the standard deviation to the average value of the transmission control protocol message length to obtain a second value; if the second value is less than or equal to a message length threshold, using the message length threshold as the transmission control protocol message length baseline, and if the second value is greater than the message length threshold, using the second value as the transmission control protocol message length baseline, Y being greater than 1;
calculating the average value and the standard deviation of the transmission control protocol message rate within a period, and adding Z times the standard deviation to the average value of the transmission control protocol message rate to obtain a third value; if the third value is less than or equal to a second rate threshold, using the second rate threshold as the transmission control protocol message rate baseline, and if the third value is greater than the second rate threshold, using the third value as the transmission control protocol message rate baseline, Z being greater than 1.
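The baseline rule of claim 6 as an added Python example (not the patent's own code): each baseline is the period's mean plus a multiplier times the standard deviation, floored at the configured threshold. The claim does not say which standard-deviation estimator is meant, so the population form is an assumption; the sample values, thresholds and function names are constructed.

```python
# Added example (not the patent's code): the baseline rule of claim 6,
# baseline = max(threshold, mean + k * stddev) with k > 1.
# ASSUMPTION: population standard deviation; the claim names no estimator.

from statistics import mean, pstdev

def baseline(samples, k, threshold):
    """mean + k*stddev of one period's samples, floored at threshold."""
    if k <= 1:
        raise ValueError("claim 6 requires the multiplier to be greater than 1")
    if not samples:
        return threshold                 # nothing learnt this period: keep the floor
    value = mean(samples) + k * pstdev(samples)
    return threshold if value <= threshold else value

def learn_baselines(period, x, y, z, syn_thr, len_thr, rate_thr):
    """period: dict of per-sample lists 'syn_rate', 'length' and 'rate'
    collected outside attack time (claim 5). x, y, z are the multipliers;
    syn_thr, len_thr, rate_thr are the first rate, length and second rate
    thresholds of claim 6."""
    return {
        "syn_rate_baseline": baseline(period["syn_rate"], x, syn_thr),
        "length_baseline": baseline(period["length"], y, len_thr),
        "rate_baseline": baseline(period["rate"], z, rate_thr),
    }

# Constructed samples for one period.
SAMPLE_PERIOD = {
    "syn_rate": [2, 4, 4, 4, 5, 5, 7, 9],   # SYN/s: mean 5, stddev 2
    "length": [600, 600, 600, 600],         # bytes: no spread, stays at the floor
    "rate": [100, 100, 140, 140],           # pkts/s: mean 120, stddev 20
}

if __name__ == "__main__":
    print(learn_baselines(SAMPLE_PERIOD, x=2, y=3, z=1.5,
                          syn_thr=8, len_thr=1500, rate_thr=120))
```

A quiet learning period therefore never drives a baseline below its threshold, which keeps the filter from tripping on ordinary traffic variation once the attack starts.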
7. The method according to claim 1 or 2, characterized in that the method further comprises:
counting the number of newly established connections, the connection concurrency and the number of abnormal connections of the server per unit time;
when any one of the number of newly established connections, the connection concurrency and the number of abnormal connections of the server exceeds the corresponding safety threshold, determining that the server is under a Challenge Collapsar (CC) attack.
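The attack trigger of claim 7 and the per-source filtering decision of claim 2, as an added Python example (not the patent's own code): `under_cc_attack` is the claim 7 check and `filter_decision` the claim 2 verdict for one source address; thresholds, baselines, the trust list and the per-source counters are constructed values. The branch for a non-trusted source whose SYN rate is not below the SYN baseline lies outside this excerpt of claim 2, so the example assumes interception there and marks it.

```python
# Added example (not the patent's code): claim 7 attack trigger and claim 2
# per-source filtering. All thresholds, baselines and counters are constructed.

def under_cc_attack(new_conns, concurrency, abnormal_conns, thresholds):
    """Claim 7: any one of the three unit-time counters above its safety
    threshold means the server is under a Challenge Collapsar (CC) attack."""
    return (new_conns > thresholds["new_conns"]
            or concurrency > thresholds["concurrency"]
            or abnormal_conns > thresholds["abnormal_conns"])

def filter_decision(src_ip, stats, trust_list, baselines):
    """Return 'forward' or 'intercept' for one source address.

    stats: {'syn_rate': SYN/s, 'messages': [(length_bytes, rate_pps), ...]}
    Trusted sources are always forwarded. An untrusted source with a SYN rate
    below the SYN baseline is intercepted only if some message is both longer
    than the length baseline and faster than the rate baseline (claim 2).
    ASSUMPTION: an untrusted source whose SYN rate reaches the SYN baseline is
    intercepted; that branch of claim 2 is outside this excerpt.
    """
    if src_ip in trust_list:
        return "forward"
    if stats["syn_rate"] >= baselines["syn_rate_baseline"]:
        return "intercept"                                   # assumed branch
    for length, rate in stats["messages"]:
        if length > baselines["length_baseline"] and rate > baselines["rate_baseline"]:
            return "intercept"
    return "forward"

def decide_all(sources, trust_list, baselines):
    """Apply filter_decision to every source seen in the unit time."""
    return {ip: filter_decision(ip, s, trust_list, baselines) for ip, s in sources.items()}

# Constructed inputs.
TRUST_LIST = {"10.0.0.1"}
BASELINES = {"syn_rate_baseline": 9, "length_baseline": 1500, "rate_baseline": 150}
THRESHOLDS = {"new_conns": 1000, "concurrency": 5000, "abnormal_conns": 50}
SOURCES = {
    "10.0.0.1":     {"syn_rate": 30, "messages": [(2000, 400)]},            # trusted
    "203.0.113.7":  {"syn_rate": 3,  "messages": [(1200, 200), (1600, 100)]},  # long or fast, not both
    "198.51.100.9": {"syn_rate": 3,  "messages": [(1600, 300)]},            # long and fast
}

if __name__ == "__main__":
    if under_cc_attack(new_conns=1200, concurrency=800, abnormal_conns=5, thresholds=THRESHOLDS):
        print(decide_all(SOURCES, TRUST_LIST, BASELINES))
```

Note that 203.0.113.7 is forwarded: each of its messages exceeds only one baseline, and claim 2 intercepts only when a single message exceeds both.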
8. A transmission control protocol traffic filtering apparatus, characterized in that the apparatus comprises:
a judgment module, configured to, when a server is under a Challenge Collapsar (CC) attack, determine, based on the source internet protocol address trust list of the server, the trusted source internet protocol addresses and the non-trusted source internet protocol addresses among the source internet protocol addresses of the transmission control protocol messages sent to the server, a trusted source internet protocol address being a source internet protocol address that is in the source internet protocol address trust list and a non-trusted source internet protocol address being a source internet protocol address that is not in the source internet protocol address trust list;
a filtering module, configured to send the transmission control protocol messages of the trusted source internet protocol addresses to the server, and to judge, using the synchronizing sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline, whether to intercept the transmission control protocol messages of the non-trusted source internet protocol addresses.
9. A server, characterized in that the server comprises a processor and a memory, at least one instruction being stored in the memory, the instruction being loaded and executed by the processor to implement the transmission control protocol traffic filtering method according to any one of claims 1 to 7.
10. A computer readable storage medium, characterized in that at least one instruction is stored in the storage medium, the instruction being loaded and executed by a processor to implement the transmission control protocol traffic filtering method according to any one of claims 1 to 7.
CN201810685411.7A 2018-06-28 2018-06-28 Transmission control protocol flow filtering method, device, server and storage medium Active CN108810008B (en)
Publications (2)

Publication Number Publication Date
CN108810008A true CN108810008A (en) 2018-11-13
CN108810008B CN108810008B (en) 2020-06-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant