CN108810008A - Transmission control protocol traffic filtering method, apparatus, server and storage medium - Google Patents
- Publication number: CN108810008A (application CN201810685411.7A)
- Authority: CN (China)
- Prior art keywords: message, transmission control, control protocol, address, baseline
- Legal status: Granted
Classifications
- H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/00 network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 filtering policies)
- H04L63/1458 Denial of Service (under H04L63/14 detecting or protecting against malicious traffic; H04L63/1441 countermeasures against malicious traffic)
- H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/14; H04L63/1441)
Abstract
The invention discloses a transmission control protocol (TCP) traffic filtering method, apparatus, server and storage medium, belonging to the field of network security. The method includes: when a server is under a Challenge Collapsar (CC) attack, determining, based on the source Internet Protocol (IP) address trust list of the server, which of the source IP addresses of the TCP packets sent to the server are trusted source IP addresses and which are non-trusted source IP addresses; forwarding the TCP packets of the trusted source IP addresses to the server; and using the synchronize sequence number (SYN) packet rate baseline, TCP packet length baseline and TCP packet rate baseline of a non-trusted source IP address to decide whether the TCP packets of that non-trusted source IP address are intercepted.
Description
Technical field
The present invention relates to the field of network security, and in particular to a transmission control protocol traffic filtering method, apparatus, server and storage medium.
Background technology
Distributed denial of service (Distributed Denial of Service, DDoS) is attacked, and refers to that hacker passes through control
The ossified network of system distribution throughout initiates a large amount of abnormal flows to destination server, and server is busy with handling abnormal flow, nothing
Method handles normal users request or even system crash, and refusal is caused to service.
It is a kind of very common ddos attack gimmick that (Chanllenge Collapsar, CC) attack is challenged in black hole.It attacks
It hits end (for example, the client controlled) and first establishes transmission control protocol with by attack end (for example, by attack server)
(Transmission Control Protocol, TCP) is connected, and then sends a large amount of TCP rubbish message to by attack end,
Obstruction causes business to be paralysed by attack end bandwidth.
Traditional CC attack protectiving schemes are realized using watermark protection, when user end to server sends uplink TCP message,
It needs to carry the mark field calculated by the algorithm arranged in advance in TCP message.Setting is between clients and servers
Protection end, by verifying the legitimacy of mark field in the uplink TCP message, to judge whether to forward the TCP message
To server, realization intercepts invalid packet.However, this protectiving scheme needs to modify to the code of client,
Cost of access and threshold are higher;In addition, the TCP message length for carrying mark field increases, uplink traffic cost is increased.
Invention content
To solve the problems of the related art, where watermark protection against CC attacks imposes a high access cost and access barrier on clients while also increasing uplink traffic cost, embodiments of the present invention provide a TCP traffic filtering method, apparatus, server and storage medium. The technical solution is as follows:
In one aspect, a TCP traffic filtering method is provided, the method including: when a server is under a CC attack, determining, based on the source IP address trust list of the server, the trusted source IP addresses and the non-trusted source IP addresses among the source IP addresses of the TCP packets sent to the server, where a trusted source IP address is a source IP address in the source IP address trust list and a non-trusted source IP address is a source IP address not in the source IP address trust list; forwarding the TCP packets of the trusted source IP addresses to the server; and using the SYN packet rate baseline, TCP packet length baseline and TCP packet rate baseline of a non-trusted source IP address to decide whether the TCP packets of that non-trusted source IP address are intercepted.
In another aspect, a TCP traffic filtering apparatus is also provided, the apparatus including: a judgement module, configured to determine, when a server is under a CC attack and based on the source IP address trust list of the server, the trusted source IP addresses and the non-trusted source IP addresses among the source IP addresses of the TCP packets sent to the server, where a trusted source IP address is a source IP address in the source IP address trust list and a non-trusted source IP address is a source IP address not in the source IP address trust list; and a filtering module, configured to forward the TCP packets of the trusted source IP addresses to the server, and to use the SYN packet rate baseline, TCP packet length baseline and TCP packet rate baseline of a non-trusted source IP address to decide whether the TCP packets of that non-trusted source IP address are intercepted.
In another aspect, a server is also provided, the server including a processor and a memory, the memory storing at least one instruction which is loaded and executed by the processor to implement the TCP traffic filtering method of the first aspect.
In another aspect, a computer-readable storage medium is also provided, the storage medium storing at least one instruction which is loaded and executed by a processor to implement the TCP traffic filtering method of the first aspect.
The technical solution provided by the embodiments of the present invention has the following advantageous effects:
When the server is under a CC attack, it is first judged whether each source IP address of the TCP packets sent to the server is a trusted source IP address. If it is, the TCP packets of that trusted source IP address are forwarded directly, so the TCP traffic of normal clients is not affected. If it is not, the non-trusted source IP address is judged using the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline to decide whether its TCP packets are abnormal, and hence whether the TCP packets of that non-trusted source IP address are discarded or forwarded. In this way, no mark field needs to be carried in uplink TCP packets, so the client code need not be modified; the cost and the access barrier are low, and the scheme is suitable for cloud service scenarios. At the same time, the TCP packet length is unchanged, which saves uplink traffic cost.
Description of the drawings
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of a CC attack;
Fig. 2 is a topological schematic diagram of a TCP traffic filtering system provided by an embodiment of the present invention;
Fig. 3 is a flow chart of a TCP traffic filtering method provided by an embodiment of the present invention;
Fig. 4 is a flow chart of another TCP traffic filtering method provided by an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a TCP traffic filtering apparatus provided by an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of a server provided by an embodiment of the present invention.
Specific implementation mode
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
To ease understanding of the technical solution provided by the embodiments of the present invention, the problems of existing CC attack protection schemes are first explained:
Fig. 1 is a flow diagram of a CC attack. The CC attack here is a layer-4 CC attack, where layer 4 refers to the fourth layer of the Open System Interconnection (OSI) model. Referring to Fig. 1, the attacking end first establishes a TCP connection with the attacked end (the attacked server) by a three-way handshake: as shown in Fig. 1, the attacking end first sends a synchronize sequence numbers (SYN) packet to the attacked end, the attacked end returns a SYN acknowledgement (SYNACK) packet, and the attacking end then sends an ACK packet to the attacked end, completing the three-way handshake. After the TCP connection is established, the attacking end sends a large number of junk TCP packets to the attacked end, saturating the attacked end's bandwidth and paralysing the service.
Traditional CC attack protection schemes use watermark protection: when transmitting uplink TCP packets, the client must carry in each TCP packet a mark field computed with an algorithm agreed in advance. A protection end placed between the client (attacking end) and the server (attacked end) verifies the legitimacy of the mark field in each uplink TCP packet and on that basis decides whether to forward the TCP packet to the server, thereby intercepting illegitimate packets. As shown in Fig. 1, the protection end checks whether the watermark field in each TCP packet is correct; since the junk TCP packets are sent by the attacking end and do not carry a correct mark field, the protection end discards them.
However, this scheme requires the client code to be modified, which is time-consuming and laborious and makes the access cost high; it also raises the access barrier. In addition, carrying the mark field increases the TCP packet length and hence the uplink traffic cost. To solve the above problems, an embodiment of the present invention provides a TCP traffic filtering method. Before introducing the TCP traffic filtering method of the present application, the architecture of the TCP traffic filtering system (that is, the protection end mentioned above) is briefly described.
Fig. 2 is a topological schematic diagram of a TCP traffic filtering system provided by an embodiment of the present invention. Referring to Fig. 2, the TCP traffic filtering system 10 is connected to a router 20, which is usually a core router of the network. The router 20 is connected to the carrier network 30 and, through switches 40, to servers 50, so that the servers 50 are connected to the other devices of the network. The router 20 may connect multiple switches 40, which may be core switches, and each switch 40 may connect one or more servers 50.
The TCP traffic filtering system 10 includes a detection and learning subsystem 101, a protection subsystem 102 and a control subsystem 103. The three subsystems may each be implemented on a separate device (such as a server), or two or all three of them may be integrated on one device.
When the router 20 forwards traffic destined for the servers 50, it produces mirrored traffic and sends it to the detection and learning subsystem 101. The detection and learning subsystem 101 learns from the mirrored TCP traffic of each server to obtain its source IP address trust list, SYN packet rate baseline, TCP packet length baseline and TCP packet rate baseline, and stores them in the database of the control subsystem 103. At the same time, the detection and learning subsystem 101 detects whether each server 50 is under a CC attack and, when it detects that a server 50 is under a CC attack, outputs alarm information to the protection subsystem 102 and the control subsystem 103.
When the protection subsystem 102 receives the alarm information, it obtains the source IP address trust list, SYN packet rate baseline, TCP packet length baseline and TCP packet rate baseline of that server. At the same time, traffic diversion is performed between the protection subsystem 102 and the router 20 so that the TCP packets for the server are diverted to the protection subsystem 102. The protection subsystem 102 filters the server's TCP packets according to the source IP address trust list, SYN packet rate baseline, TCP packet length baseline and TCP packet rate baseline and returns the filtered TCP packets to the router 20, which forwards them to the server 50.
Here, the server is any one of the servers connected to the router 20.
Fig. 3 is a flow chart of a TCP traffic filtering method provided by an embodiment of the present invention. Referring to Fig. 3, the method is executed by the TCP traffic filtering system described above and includes:
Step 101: when a server is under a CC attack, determine, based on the source IP address trust list of the server, the trusted source IP addresses and the non-trusted source IP addresses among the source IP addresses of the TCP packets sent to the server.
In an embodiment of the present invention, a trusted source IP address is a source IP address in the source IP address trust list, and a non-trusted source IP address is a source IP address not in the source IP address trust list.
In an embodiment of the present invention, a server being under a CC attack means that the server is receiving a large volume of TCP attack traffic. In the present application, whether a server is under a CC attack can be determined from the server's number of new connections, connection concurrency and number of abnormal connections.
In an embodiment of the present invention, TCP traffic is the data transmitted to the server using the TCP protocol, and consists of multiple TCP packets.
In an embodiment of the present invention, a server may establish TCP connections with multiple clients and receive the TCP packets they send; the IP address of the client that sends a TCP packet to the server is the source IP address mentioned above. When the server is under a CC attack, its TCP packets must be distinguished: the TCP packets sent by the attacking end are intercepted, while the TCP packets sent by normal clients are forwarded to the server.
In an embodiment of the present invention, the source IP address trust list is the whitelist of the clients corresponding to the server: the TCP packets sent by the clients whose source IP addresses are recorded in the source IP address trust list need not be verified again in step 103 and can be forwarded directly to the server. Each server has its own source IP address trust list. The IP addresses in the source IP address trust list are obtained by learning during normal transmission time (time when the server is not under attack), which prevents the IP addresses of attacking ends from being mixed in.
In this step, determining the trusted source IP addresses and non-trusted source IP addresses among the source IP addresses of the TCP packets sent to the server may include: looking up the source IP address of each TCP packet sent to the server in the source IP address trust list; if it is found, the source IP address is a trusted source IP address, and if it is not found, the source IP address is a non-trusted source IP address.
Step 102: forward the TCP packets of the trusted source IP addresses to the server.
Here, the TCP packets of the trusted source IP addresses are the TCP packets whose source IP address is a trusted source IP address. In this step, all TCP packets of the trusted source IP addresses can be forwarded to the server.
The TCP packets of the trusted source IP addresses are forwarded directly, which reduces the risk of false positives and prevents the TCP traffic filtering method from affecting normal TCP traffic.
Step 103: use the SYN packet rate baseline, TCP packet length baseline and TCP packet rate baseline of a non-trusted source IP address to decide whether the TCP packets of that non-trusted source IP address are intercepted.
In step 103, the SYN packet rate baseline is first compared with the transmission rate of the SYN packets of the non-trusted source IP address to judge whether its SYN packets are abnormal, and hence whether its TCP packets need to be intercepted. If the SYN packets are abnormal, it is determined that the TCP packets of the non-trusted source IP address need to be intercepted, and the TCP packets of that non-trusted source IP address are discarded to prevent an attack on the server.
If the SYN packets are not abnormal, the TCP packet length baseline is used to judge whether there are abnormally large packets among the TCP packets of the non-trusted source IP address. If there are none, its TCP packets are forwarded to the server; if there are, the TCP packet rate baseline is used to judge whether the non-trusted source IP address is abnormal. If the non-trusted source IP address is judged not to be abnormal, its TCP packets are forwarded to the server; if it is judged to be abnormal, its TCP packets are discarded.
In this way, when the server is under a CC attack, the present application first judges whether each source IP address of the TCP packets sent to the server is a trusted source IP address and, if so, forwards the TCP packets of that trusted source IP address directly, so that the TCP traffic of normal clients is not affected. If not, the non-trusted source IP address is judged using the SYN packet rate baseline, the TCP packet length baseline and the TCP packet rate baseline to decide whether its TCP packets are abnormal, and hence whether they are discarded or forwarded. No mark field needs to be carried in uplink TCP packets, so the client code need not be modified; the cost and the access barrier are low, and the scheme is suitable for cloud service scenarios. At the same time, the TCP packet length is unchanged, which saves uplink traffic cost.
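As an added illustration, not code from the patent: the per-source decision of steps 101 to 103 in Python, run over constructed baselines, a constructed trust list and constructed per-source statistics. The field names, the documentation-range IP addresses and the rule that a measured value is abnormal when it strictly exceeds its baseline are this example's assumptions.

```python
from dataclasses import dataclass

# Constructed example of steps 101-103 (Fig. 3); not the patent's own code.
# Assumption: a measured value is "abnormal" when it strictly exceeds its baseline.

@dataclass(frozen=True)
class Baselines:
    syn_rate: float   # SYN packet rate baseline (packets/second), output of step 203
    tcp_len: int      # TCP packet length baseline (bytes)
    tcp_rate: float   # TCP packet rate baseline (packets/second)

@dataclass(frozen=True)
class SourceStats:
    syn_rate: float   # SYN packets/second observed from this source in the unit time
    max_tcp_len: int  # largest TCP packet (bytes) observed from this source
    tcp_rate: float   # TCP packets/second observed from this source

FORWARD, DROP = "forward", "drop"

def classify_source(src_ip, trust_list, stats, baselines):
    """Decide for one source IP whether its TCP packets are forwarded or dropped.
    Returns (decision, reason) so the protection end can log why."""
    # Steps 101/102: a source in the trust list is forwarded without any baseline check.
    if src_ip in trust_list:
        return FORWARD, "trusted source IP address"
    # Step 103, first check: SYN packet rate against the SYN packet rate baseline.
    if stats.syn_rate > baselines.syn_rate:
        return DROP, "SYN packet rate above baseline"
    # Second check: no abnormally large packet means the source is forwarded.
    if stats.max_tcp_len <= baselines.tcp_len:
        return FORWARD, "no abnormally large TCP packet"
    # Third check: large packets are present, so the TCP packet rate baseline decides.
    if stats.tcp_rate > baselines.tcp_rate:
        return DROP, "large packets and TCP packet rate above baseline"
    return FORWARD, "large packets but TCP packet rate within baseline"

def filter_batch(packets, trust_list, stats_by_ip, baselines):
    """Split a batch of (src_ip, length) packets into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src_ip, length in packets:
        decision, _reason = classify_source(src_ip, trust_list, stats_by_ip[src_ip], baselines)
        (forwarded if decision == FORWARD else dropped).append((src_ip, length))
    return forwarded, dropped

# Constructed sample data (documentation-range addresses, invented numbers).
BASELINES = Baselines(syn_rate=20.0, tcp_len=1500, tcp_rate=500.0)
TRUST_LIST = {"198.51.100.7"}
STATS = {
    "198.51.100.7": SourceStats(syn_rate=90.0, max_tcp_len=4000, tcp_rate=900.0),  # trusted: never checked
    "203.0.113.10": SourceStats(syn_rate=35.0, max_tcp_len=600, tcp_rate=50.0),    # SYN rate too high
    "203.0.113.11": SourceStats(syn_rate=2.0, max_tcp_len=1200, tcp_rate=80.0),    # nothing abnormal
    "203.0.113.12": SourceStats(syn_rate=2.0, max_tcp_len=9000, tcp_rate=120.0),   # big packets, low rate
    "203.0.113.13": SourceStats(syn_rate=2.0, max_tcp_len=9000, tcp_rate=800.0),   # big packets, high rate
}
PACKETS = [("198.51.100.7", 4000), ("203.0.113.10", 600), ("203.0.113.11", 1200),
           ("203.0.113.12", 9000), ("203.0.113.13", 9000), ("203.0.113.11", 60)]

def demo():
    return filter_batch(PACKETS, TRUST_LIST, STATS, BASELINES)

if __name__ == "__main__":
    fwd, drp = demo()
    print("forwarded:", fwd)
    print("dropped:", drp)
```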
Fig. 4 is a flow chart of another TCP traffic filtering method provided by an embodiment of the present invention. Referring to Fig. 4, the method is executed by the TCP traffic filtering system described above and includes:
Step 201: count, per unit time, the server's number of new connections, connection concurrency and number of abnormal connections.
Specifically, the TCP traffic filtering system receives the mirrored traffic sent by the router; the mirrored traffic includes TCP traffic as well as other traffic, such as UDP traffic. For each server, the number of new TCP connections, the connection concurrency and the number of abnormal connections are counted per unit time.
The TCP connections of the server are counted according to the five-tuple of the packets in the TCP traffic (protocol, source port, source IP address, destination port, destination IP address), and the number of new connections and the connection concurrency are determined from the counted TCP connections. The number of new connections is the number of TCP connections added in the current unit time (such as one minute) compared with the previous unit time, and the connection concurrency is the number of TCP connections existing in the current unit time.
The number of abnormal connections is the number of abnormal TCP connections among the TCP connections existing in the current unit time. Abnormal TCP connections may be determined as follows: a TCP connection is determined to be abnormal when it meets any one of the following conditions:
The payload of a packet transmitted on the TCP connection starts with a GET field, and the packet length exceeds 500 bytes.
The payload of a packet transmitted on the TCP connection contains a single byte repeated consecutively more than a preset number of times, and the packet length exceeds 500 bytes.
The payload of a packet transmitted on the TCP connection starts with #, and the packet length exceeds 500 bytes.
Among the packets transmitted on the TCP connection, the sequence (seq) number keeps increasing while the acknowledgement (ack) number remains unchanged.
Big data analysis has found that the layer-4 CC attacks currently seen on the live network share these characteristics: these situations occur frequently in attacks and very rarely in normal business, so they are judged as abnormal TCP connections.
In an embodiment of the present invention, the mirrored traffic sent by the router includes the TCP traffic of multiple servers, so the number of new connections, connection concurrency and number of abnormal connections are counted separately for each server. When the mirrored traffic includes the TCP traffic of multiple servers, each subsequent step is likewise performed separately for the TCP traffic of each server.
Step 202: judge, according to the server's number of new connections, connection concurrency and number of abnormal connections, whether the server is under a CC attack.
Specifically, the server's number of new connections per unit time is compared with the server's new-connection-count safety threshold, the server's connection concurrency per unit time is compared with the server's connection concurrency safety threshold, and the server's number of abnormal connections per unit time is compared with the server's abnormal-connection-count safety threshold.
When any one of the number of new connections, connection concurrency and number of abnormal connections exceeds its safety threshold, the server is determined to be under a CC attack. When none of them exceeds its safety threshold, the server is determined not to be under a CC attack.
In an embodiment of the present invention, the new-connection-count safety threshold, connection concurrency safety threshold and abnormal-connection-count safety threshold may be determined as follows: determine the server's new-connection baseline and connection concurrency baseline; multiply the new-connection baseline by A to obtain the new-connection-count safety threshold, multiply the connection concurrency baseline by B to obtain the connection concurrency safety threshold, and multiply the new-connection baseline by C to obtain the abnormal-connection-count safety threshold, where A and B are greater than 1, and C is greater than 0 and less than 1.
Here, the new-connection baseline is a threshold on the number of new connections and the connection concurrency baseline is a threshold on the connection concurrency; both can first be obtained by learning and then stored in the database.
The values of A, B and C can be chosen according to actual needs; for example, A and B may be 2 and C may be 2/3.
The new-connection baseline and connection concurrency baseline characterise normal business behaviour, whereas the safety thresholds are used to bound abnormal business behaviour, so the new-connection baseline and connection concurrency baseline are multiplied by coefficients, namely A, B and C above.
Further, the method also includes recording the time during which the server is under a CC attack, which includes a start time and an end time. The start time is the time at which step 202 detects that the server has begun to be attacked, and the end time is the time at which step 202 detects that the server is no longer under CC attack.
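As an added example (not the patent's code) of steps 201 and 202 together: the four abnormal-connection conditions, the per-unit-time counts over five-tuples, and the safety-threshold comparison with the page's A = B = 2 and C = 2/3. REPEAT_LIMIT stands in for the unstated preset repeat count, packet length is taken as payload length, and the addresses, segments and baselines are constructed.

```python
from dataclasses import dataclass

# Constructed example of steps 201-202; not the patent's own code.
LENGTH_LIMIT = 500   # "packet length exceeds 500 bytes" from step 201
REPEAT_LIMIT = 64    # assumed stand-in for the page's unstated "preset value"

@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number
    ack: int        # TCP acknowledgement number
    payload: bytes  # TCP payload; its length is used as the packet length (assumption)

def longest_byte_run(data):
    """Length of the longest run of one byte value repeated consecutively."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        best = max(best, run)
        prev = b
    return best

def is_abnormal_connection(segments):
    """True when the connection meets any one of the four step-201 conditions."""
    for s in segments:
        if len(s.payload) > LENGTH_LIMIT:
            if s.payload.startswith(b"GET") or s.payload.startswith(b"#"):
                return True                      # conditions 1 and 3
            if longest_byte_run(s.payload) > REPEAT_LIMIT:
                return True                      # condition 2
    if len(segments) >= 2:                       # condition 4 needs at least two packets
        seqs = [s.seq for s in segments]
        seq_increasing = all(later > earlier for earlier, later in zip(seqs, seqs[1:]))
        ack_constant = len({s.ack for s in segments}) == 1
        if seq_increasing and ack_constant:
            return True
    return False

def count_unit_time(current, previous_keys):
    """Step 201 counts for one unit time (e.g. one minute).
    current: {five_tuple: [Segment, ...]} seen now; previous_keys: five-tuples seen
    in the previous unit time. Returns (new_connections, concurrency, abnormal)."""
    new_connections = len(set(current) - set(previous_keys))
    concurrency = len(current)
    abnormal = sum(1 for segs in current.values() if is_abnormal_connection(segs))
    return new_connections, concurrency, abnormal

def under_cc_attack(new_connections, concurrency, abnormal,
                    new_baseline, concurrency_baseline, A=2.0, B=2.0, C=2.0 / 3.0):
    """Step 202: attack if any count exceeds its safety threshold (baseline x coefficient)."""
    return (new_connections > new_baseline * A
            or concurrency > concurrency_baseline * B
            or abnormal > new_baseline * C)

# Constructed one-minute window for one server. Five-tuple order follows the page:
# (protocol, source port, source IP address, destination port, destination IP address).
SERVER = "192.0.2.10"

def five_tuple(sport, sip):
    return ("tcp", sport, sip, 80, SERVER)

PREVIOUS = {five_tuple(40001, "203.0.113.5"), five_tuple(40002, "203.0.113.6")}
CURRENT = {
    five_tuple(40001, "203.0.113.5"): [Segment(1, 1, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
                                       Segment(30, 900, b"")],              # normal: ack advances
    five_tuple(40002, "203.0.113.6"): [Segment(1, 1, b"POST /up HTTP/1.1\r\n"),
                                       Segment(22, 400, b"data")],          # normal
    five_tuple(50001, "203.0.113.7"): [Segment(1, 1, b"GET /" + bytes(range(256)) * 3)],  # cond. 1
    five_tuple(50002, "203.0.113.8"): [Segment(1, 1, b"z" * 800)],          # condition 2
    five_tuple(50003, "203.0.113.9"): [Segment(1, 1, b"#" + b"x" * 700)],   # condition 3
    five_tuple(50004, "203.0.113.3"): [Segment(1, 1, b"ab"), Segment(3, 1, b"cd"),
                                       Segment(5, 1, b"ef")],               # condition 4
}
NEW_BASELINE, CONCURRENCY_BASELINE = 3, 5   # learned baselines, constructed values

def demo():
    counts = count_unit_time(CURRENT, PREVIOUS)
    return counts, under_cc_attack(*counts, NEW_BASELINE, CONCURRENCY_BASELINE)

if __name__ == "__main__":
    print(demo())   # ((4, 6, 4), True): the abnormal count 4 exceeds 3 * 2/3
```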
Step 203:The TCP message of server is learnt, source IP address trust list, SYN message rate bases are obtained
Line, TCP message length baseline and TCP message rate baseline.
Wherein, source IP address trust list namely the white list of the corresponding client of the server, the source IP address are trusted
The TCP message that the corresponding client of source IP address described in list is sent needs not move through the verification again of step 103, Ke Yizhi
Switch through and issues server.Each server corresponds to a source IP address trust list, the IP in source IP address trust list respectively
Address is got in normal transmission time by study, and the IP address at attack end is avoided to be mixed into wherein.
In embodiments of the present invention, the learning process of source IP address trust list is as follows:
The source IP address of the TCP message of record.It is needed in record while recording source IP address and corresponding time, that is, obtained
Get the time of the TCP message of source IP address transmission.
The source IP address recorded when server is attacked by CC is deleted.
The source IP address that at least M period occurred being chosen in continuous N number of period generates source IP address and trusts row
Table, N and M are integer, and N >=M > 1.
Wherein, continuous N number of period can be designed as needed, such as continuous 7 periods, such as 7 days.If 7 week
The source IP address that 2 interim periods occurred, it is determined that trust source IP address, source IP address trust list is written.
In embodiments of the present invention, SYN message rates baseline, TCP message length baseline and TCP message rate baseline
Habit process is as follows:
Obtain SYN message rates, TCP message length and TCP message rate in the TCP message of server.It is needed in record
SYN message rates, TCP message length and TCP message rate and corresponding time and source IP address are recorded simultaneously, wherein
SYN message rates, TCP message rate can record once each unit interval, such as 1 minute record is primary.
SYN message rates, TCP message length and the TCP message rate got when server is attacked by CC is deleted.
Periodically according to SYN message rates, TCP message length and the TCP message rate got, SYN messages are generated
Rate baseline, TCP message length baseline and TCP message rate baseline.
In this step, at the end of each cycle time, the SYN message speed to the server obtained in the cycle time
Rate, TCP message length and TCP message rate are counted, and SYN message rates baseline, TCP length baseline and TCP message are obtained
Rate baseline.After each period generates SYN message rates baseline, TCP length baseline and TCP message rate baseline, to last week
SYN message rates baseline, TCP length baseline and the TCP message rate baseline that phase obtains are updated.
Illustratively, cycle time can be one day.
Wherein, SYN is periodically generated according to SYN message rates, TCP message length and the TCP message rate got
Message rate baseline, TCP message length baseline and TCP message rate baseline, including:
The standard deviation of SYN message rates in calculating cycle, and the average value of SYN message rates is added into X times of standard deviation,
The first numerical value is obtained, if the first numerical value is less than or equal to first rate threshold value, using first rate threshold value as SYN messages
Rate baseline, if the first numerical value is more than first rate threshold value, using the first numerical value as SYN message rate baselines, X is more than
1.For example, the average value of SYN message rates to be added to 5 times of standard deviation (i.e. average value+5 × standard deviation), the first numerical value is obtained,
If the first numerical value is less than or equal to 20/second, SYN message rate baselines are used as using 20, if the first numerical value is more than 20,
Then use the first numerical value as SYN message rate baselines.
Calculate the average value and standard deviation of the TCP message length within the cycle, and add Y times the standard deviation to the average value of the TCP message length to obtain a second numerical value. If the second numerical value is less than or equal to a message length threshold, the message length threshold is used as the TCP message length baseline; if the second numerical value is greater than the message length threshold, the second numerical value is used as the TCP message length baseline. Y is greater than 1. The value of Y may be 5; the second numerical value can be chosen according to actual needs, and its unit is bytes.
Calculate the average value and standard deviation of the TCP message rate within the cycle, and add Z times the standard deviation to the average value of the TCP message rate to obtain a third numerical value. If the third numerical value is less than or equal to a second rate threshold, the second rate threshold is used as the TCP message rate baseline; if the third numerical value is greater than the second rate threshold, the third numerical value is used as the TCP message rate baseline. Z is greater than 1. The value of Z may be 5; the third numerical value can be chosen according to actual needs, and its unit is messages per second.
Optionally, a source IP message rate baseline may also be learnt in step 203. Its learning method is the same as that of the TCP message rate baseline, the difference being that the source IP message rate baseline relates to the message rate of all kinds of traffic sent to the server (such as TCP, UDP and Internet Control Message Protocol (ICMP) traffic).
Further, the TCP traffic filtering system also needs to learn the aforementioned new-connection baseline and connection concurrency baseline.
In the embodiments of the present invention, the learning process for the new-connection baseline and the connection concurrency baseline is as follows:
Record the number of new connections and the connection concurrency of the server per unit time. When recording, the number of new connections and the connection concurrency need to be recorded together with the corresponding time. The recording method for the number of new connections and the connection concurrency may be the same as in step 201.
Delete the numbers of new connections and the connection concurrency values recorded while the server was under CC attack.
Periodically generate the new-connection baseline and the connection concurrency baseline from the acquired per-unit-time numbers of new connections and connection concurrency of the server.
Here, periodically generating the new-connection baseline and the connection concurrency baseline from the acquired per-unit-time numbers of new connections and connection concurrency includes the following:
Calculate the average value and standard deviation of the number of new connections within the cycle, and add P times the standard deviation to the average value of the number of new connections to obtain a fourth numerical value. If the fourth numerical value is less than or equal to a connection number threshold, the connection number threshold is used as the new-connection baseline; if the fourth numerical value is greater than the connection number threshold, the fourth numerical value is used as the new-connection baseline. P is greater than 1. For example, taking 5 times the standard deviation of the number of new connections (P = 5), the fourth numerical value is obtained; if the fourth numerical value is less than or equal to 400, 400 is used as the new-connection baseline, and if the fourth numerical value is greater than 400, the fourth numerical value is used as the new-connection baseline.
Calculate the average value and standard deviation of the connection concurrency within the cycle, and add Q times the standard deviation to the average value of the connection concurrency to obtain a fifth numerical value. If the fifth numerical value is less than or equal to a concurrency threshold, the concurrency threshold is used as the connection concurrency baseline; if the fifth numerical value is greater than the concurrency threshold, the fifth numerical value is used as the connection concurrency baseline. Q is greater than 1. The value of Q may be 5, and the fifth numerical value can be chosen according to actual needs.
In this method flow, steps 201, 202 and 203 are executed by the detection and learning subsystem of the TCP traffic filtering system shown in Fig. 2.
Step 204: Save the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline.
For ease of description, the term "fingerprint characteristic baseline data" is used below to refer collectively to the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline.
In the embodiments of the present invention, saving the fingerprint characteristic baseline data means storing it in a database. The fingerprint characteristic baseline data of each server is stored in the database. Specifically, the database may hold the fingerprint characteristic baseline data together with the address of the corresponding server, so that in subsequent steps the corresponding fingerprint characteristic baseline data can be retrieved according to the server address.
The database may be arranged in the control subsystem of the TCP traffic filtering system. Step 204 is executed by the detection and learning subsystem of the TCP traffic filtering system, which stores the fingerprint characteristic baseline data in the database of the control subsystem. Since the fingerprint characteristic baseline data is generated periodically, the fingerprint characteristic baseline data in the database is also updated periodically, where updating means replacing the original fingerprint characteristic baseline data in the database with the new fingerprint characteristic baseline data.
Step 205: When the server is under CC attack, determine, based on the server's source IP address trust list, the trusted source IP addresses and the untrusted source IP addresses among the source IP addresses of the TCP messages sent to the server. A trusted source IP address is a source IP address that is in the source IP address trust list; an untrusted source IP address is a source IP address that is not in the source IP address trust list.
In the embodiments of the present invention, step 205 may include: obtaining the server's source IP address trust list from the database according to the server's address; and determining whether the source IP address of each TCP message is in the source IP address trust list.
Step 205 may be executed by the protection subsystem of the TCP traffic filtering system.
Optionally, the method further includes: generating alarm information when the server is under CC attack.
The alarm information may include the receiving time, the address of the server and the attack type, where the attack type is CC attack.
The alarm information is generated by the detection and learning subsystem and then output to the control subsystem and the protection subsystem. When the protection subsystem receives the alarm information, it obtains the server's fingerprint characteristic baseline data from the control subsystem according to the server address in the alarm information.
Step 206: Send the TCP messages of the trusted source IP addresses to the server.
In the embodiments of the present invention, step 206 is executed by the protection subsystem of the TCP traffic filtering system and may include: performing traffic diversion between the protection subsystem and the router, so that the server's TCP messages are drawn to the protection subsystem; then filtering the server's TCP messages according to the fingerprint characteristic baseline data, returning the TCP messages of the trusted source IP addresses to the router, and sending them to the server through the router.
Traffic diversion between the protection subsystem and the router, drawing the server's TCP messages to the TCP traffic filtering system, may be realized as follows: the protection subsystem advertises a diversion route for the server to the router over a Border Gateway Protocol (BGP) neighbour relationship established with the router, so that the router sends the server's TCP messages to the protection subsystem.
Specifically, two virtual routers may be created in the router: a first virtual router and a second virtual router. The first virtual router is responsible for receiving the server's TCP messages, and the second virtual router is responsible for sending the server's TCP messages to the server. The protection subsystem advertises the server's diversion route to the first virtual router; the next hop of the diversion route is the protection subsystem, and the subnet mask of the diversion route is longer than that of the server route learnt by the first virtual router, so that, according to the longest-prefix-match principle, the first virtual router uses the diversion route as the route to the server. The first virtual router sends the received TCP messages of the server to the protection subsystem, and the protection subsystem performs TCP traffic filtering. After the attack on the server ends, the protection subsystem may send a message to the first virtual router declaring the diversion route invalid, so that the server's TCP messages are no longer sent to the protection subsystem while the server is not under CC attack.
The protection subsystem returns the filtered TCP messages to the router, which sends them to the server.
Specifically, after TCP traffic filtering, the protection subsystem sends the server's TCP messages to the aforementioned second virtual router, which sends them to the server.
Step 207: Using the SYN message rate baseline, TCP message length baseline and TCP message rate baseline of the untrusted source IP addresses, judge whether to intercept the TCP messages of the untrusted source IP addresses.
In the embodiments of the present invention, judging whether to intercept the TCP messages of an untrusted source IP address includes:
Judge whether the transmission rate of the SYN messages of the untrusted source IP address exceeds the SYN message rate baseline. Here, the transmission rate of the SYN messages of the untrusted source IP address is determined first and then compared with the SYN message rate baseline. Since an attacking end establishes connections far more frequently than a normal client, the SYN message rate baseline can be used to determine whether the untrusted source IP address is an attacking end.
When the transmission rate of the SYN messages of the untrusted source IP address exceeds the SYN message rate baseline, the TCP messages of the untrusted source IP address are intercepted, that is, discarded. Further, the method may also include: blacklisting the untrusted source IP address whose TCP messages were discarded, so that all its subsequent TCP messages are intercepted.
When the transmission rate of the SYN messages of the untrusted source IP address does not exceed the SYN message rate baseline, judge whether there are messages among the TCP messages of the untrusted source IP address whose message length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline. Here, the message length and the rate of the TCP messages of the untrusted source IP address are determined first. When comparing, the message length may be compared first and then the rate: if the message length exceeds the TCP message length baseline, the rate is compared next; if the message length does not exceed the TCP message length baseline, the rate need not be compared. Of course, the comparison order may also be reversed, comparing the rate first and then the message length. Since the messages sent by an attacking end are longer and sent faster than those of a normal client, the TCP message length baseline and the TCP message rate baseline can be used to determine whether the untrusted source IP address is an attacking end.
If there are messages whose message length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline, the TCP messages of the untrusted source IP address are intercepted; if there are no messages whose message length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline, the TCP messages of the untrusted source IP address are sent to the server.
The manner of sending the TCP messages of the untrusted source IP address to the server is as described in step 206.
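The decision flow of steps 205 to 207 as an added Python example; it is not the patent's implementation. Baseline values, addresses and per-window message counts are constructed, and the length/rate test is read as "some message from the source is longer than the length baseline and the source's message rate is above the rate baseline"; blacklisting is applied only on the SYN-rate branch, as the text describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Baselines:
    """Fingerprint characteristic baseline data consulted in step 207 (constructed values)."""
    syn_rate: float   # SYN messages per second
    tcp_len: float    # bytes
    tcp_rate: float   # TCP messages per second


@dataclass(frozen=True)
class Message:
    src_ip: str
    length: int       # bytes
    syn: bool         # SYN flag set


@dataclass
class ProtectionFilter:
    baselines: Baselines
    trust_list: Set[str]
    window_s: float = 1.0                       # length of one measurement window
    blacklist: Set[str] = field(default_factory=set)

    def decide(self, msgs: List[Message]) -> Dict[str, str]:
        """Return 'forward' or 'drop' per source IP for one window of traffic.

        Order follows the text: trusted sources are forwarded without further
        checks (step 206); an untrusted source is first judged by its SYN rate
        and, only if that passes, by message length together with message rate.
        """
        per_src: Dict[str, List[Message]] = {}
        for m in msgs:
            per_src.setdefault(m.src_ip, []).append(m)

        verdicts: Dict[str, str] = {}
        for ip, group in per_src.items():
            if ip in self.trust_list:
                verdicts[ip] = "forward"
                continue
            if ip in self.blacklist:
                verdicts[ip] = "drop"           # all later messages are intercepted
                continue
            syn_rate = sum(1 for m in group if m.syn) / self.window_s
            if syn_rate > self.baselines.syn_rate:
                verdicts[ip] = "drop"
                self.blacklist.add(ip)          # the optional blacklisting step
                continue
            # Length is compared first; the rate is only computed when some
            # message is longer than the baseline, matching the described order.
            if any(m.length > self.baselines.tcp_len for m in group):
                tcp_rate = len(group) / self.window_s
                if tcp_rate > self.baselines.tcp_rate:
                    verdicts[ip] = "drop"
                    continue
            verdicts[ip] = "forward"
        return verdicts


def run_example():
    """Two constructed one-second windows judged against constructed baselines."""
    f = ProtectionFilter(Baselines(syn_rate=20, tcp_len=1500, tcp_rate=100),
                         trust_list={"10.0.0.5"})
    window1 = (
        [Message("10.0.0.5", 60, True)] * 30             # trusted, forwarded regardless
        + [Message("203.0.113.7", 60, True)] * 25        # SYN rate above 20/s
        + [Message("198.51.100.9", 60, True)] * 5
        + [Message("198.51.100.9", 2000, False)] * 150   # long messages at a high rate
        + [Message("192.0.2.3", 500, True)] * 5
        + [Message("192.0.2.3", 500, False)] * 50        # ordinary client
    )
    window2 = [Message("203.0.113.7", 60, False)]        # blacklisted in window 1
    return f.decide(window1), f.decide(window2)


if __name__ == "__main__":
    for verdicts in run_example():
        print(verdicts)
```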
In the present application, when the server is under CC attack, it is first judged whether each source IP address of the TCP messages sent to the server is a trusted source IP address. If it is, the TCP messages of the trusted source IP address are forwarded directly, so the TCP traffic of normal clients is not affected. If it is not, the untrusted source IP address is judged using the SYN message rate baseline; if its SYN messages are judged abnormal, the TCP messages of the untrusted source IP address are intercepted and discarded, preventing the server from being attacked. If the SYN messages are not abnormal, the TCP message length baseline and TCP message rate baseline are further used to judge whether the TCP messages of the untrusted source IP address are abnormal; if they are not abnormal, the TCP messages of the untrusted source IP address are sent to the server, and if they are abnormal, they are discarded. In this manner, no marker field needs to be carried in uplink TCP messages, so the client code need not be modified, the cost and the barrier to adoption are low, and because the TCP message length is unchanged, uplink traffic cost is saved. In addition, since the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline are all obtained by learning, the scheme can adapt to different networks and has a wide range of application.
Fig. 5 is a schematic structural diagram of a TCP traffic filtering apparatus provided in an embodiment of the present invention. Referring to Fig. 5, the apparatus 300 includes a judgment module 301 and a filtering module 302.
The judgment module 301 is configured to, when the server is under CC attack, determine, based on the server's source IP address trust list, the trusted source IP addresses and the untrusted source IP addresses among the source IP addresses of the TCP messages sent to the server, a trusted source IP address being a source IP address in the source IP address trust list and an untrusted source IP address being a source IP address not in the source IP address trust list. The filtering module 302 is configured to send the TCP messages of the trusted source IP addresses to the server, and to use the SYN message rate baseline, TCP message length baseline and TCP message rate baseline of the untrusted source IP addresses to judge whether to intercept the TCP messages of the untrusted source IP addresses.
In the embodiments of the present invention, the filtering module 302 is configured to judge whether the transmission rate of the SYN messages of the untrusted source IP address exceeds the SYN message rate baseline. When the transmission rate of the SYN messages of the untrusted source IP address exceeds the SYN message rate baseline, the TCP messages of the untrusted source IP address are intercepted. When the transmission rate of the SYN messages of the untrusted source IP address does not exceed the SYN message rate baseline, it is judged whether there are messages among the TCP messages of the untrusted source IP address whose message length exceeds the TCP message length baseline and whose rate exceeds the TCP message rate baseline. If there are such messages, the TCP messages of the untrusted source IP address are intercepted; if there are no such messages, the TCP messages of the untrusted source IP address are sent to the server.
Further, the apparatus 300 further includes a learning module 303 and a storage module 304.
The learning module 303 is configured to learn from the TCP messages of the server to obtain the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline. The storage module 304 is configured to save the source IP address trust list, SYN message rate baseline, TCP message length baseline and TCP message rate baseline.
In the embodiments of the present invention, the learning module 303 is configured to record the source IP addresses of TCP messages, delete the source IP addresses recorded while the server was under CC attack, and select the source IP addresses that appeared in at least M cycles out of N consecutive cycles to generate the source IP address trust list, N and M being integers with N ≥ M > 1.
In the embodiments of the present invention, the learning module 303 is configured to acquire the SYN message rate, TCP message length and TCP message rate in the TCP messages of the server; delete the SYN message rate, TCP message length and TCP message rate acquired while the server was under CC attack; and periodically generate the SYN message rate baseline, TCP message length baseline and TCP message rate baseline from the acquired SYN message rate, TCP message length and TCP message rate.
In the embodiments of the present invention, the learning module 303 is configured to calculate the average value and standard deviation of the SYN message rate within the cycle, and add X times the standard deviation to the average value of the SYN message rate to obtain a first numerical value; if the first numerical value is less than or equal to the first rate threshold, the first rate threshold is used as the SYN message rate baseline, and if the first numerical value is greater than the first rate threshold, the first numerical value is used as the SYN message rate baseline, X being greater than 1. It calculates the average value and standard deviation of the TCP message length within the cycle, and adds Y times the standard deviation to the average value of the TCP message length to obtain a second numerical value; if the second numerical value is less than or equal to the message length threshold, the message length threshold is used as the TCP message length baseline, and if the second numerical value is greater than the message length threshold, the second numerical value is used as the TCP message length baseline, Y being greater than 1. It calculates the average value and standard deviation of the TCP message rate within the cycle, and adds Z times the standard deviation to the average value of the TCP message rate to obtain a third numerical value; if the third numerical value is less than or equal to the second rate threshold, the second rate threshold is used as the TCP message rate baseline, and if the third numerical value is greater than the second rate threshold, the third numerical value is used as the TCP message rate baseline, Z being greater than 1.
Further, the apparatus 300 further includes a detection module 305.
The detection module 305 is configured to count the number of new connections, the connection concurrency and the number of abnormal connections of the server per unit time; compare the server's per-unit-time number of new connections with the server's new-connection secure threshold, the server's per-unit-time connection concurrency with the server's connection concurrency secure threshold, and the server's per-unit-time number of abnormal connections with the server's abnormal-connection secure threshold; and determine that the server is under CC attack when any of the number of new connections, the connection concurrency and the number of abnormal connections exceeds its corresponding secure threshold.
In the embodiments of the present invention, the detection module 305 is further configured to record the number of new connections and the connection concurrency of the server per unit time; delete the numbers of new connections and connection concurrency values recorded while the server was under CC attack; periodically generate the new-connection baseline and the connection concurrency baseline from the acquired per-unit-time numbers of new connections and connection concurrency of the server; and obtain the new-connection secure threshold by multiplying the new-connection baseline by A, the connection concurrency secure threshold by multiplying the connection concurrency baseline by B, and the abnormal-connection secure threshold by multiplying the new-connection baseline by C, where A and B are greater than 1 and C is greater than 0 and less than 1.
In the embodiments of the present invention, the learning module 303 is configured to calculate the average value and standard deviation of the number of new connections within the cycle, and add P times the standard deviation to the average value of the number of new connections to obtain a fourth numerical value; if the fourth numerical value is less than or equal to the connection number threshold, the connection number threshold is used as the new-connection baseline, and if the fourth numerical value is greater than the connection number threshold, the fourth numerical value is used as the new-connection baseline, P being greater than 1. It calculates the average value and standard deviation of the connection concurrency within the cycle, and adds Q times the standard deviation to the average value of the connection concurrency to obtain a fifth numerical value; if the fifth numerical value is less than or equal to the concurrency threshold, the concurrency threshold is used as the connection concurrency baseline, and if the fifth numerical value is greater than the concurrency threshold, the fifth numerical value is used as the connection concurrency baseline, Q being greater than 1.
It should be noted that, when the TCP traffic filtering apparatus provided by the above embodiment implements the TCP traffic filtering method, the division into the above functional modules is only an example; in practical application the above functions may be allocated to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above. In addition, the TCP traffic filtering apparatus and the TCP traffic filtering method embodiments provided above belong to the same concept; for the specific implementation process refer to the method embodiment, which is not repeated here.
Fig. 6 is a schematic structural diagram of a server provided in an embodiment of the present invention. The server may be the TCP traffic filtering system. Specifically:
The TCP traffic filtering system 400 includes a central processing unit (CPU) 401, a system memory 404 including a random access memory (RAM) 402 and a read-only memory (ROM) 403, and a system bus 405 connecting the system memory 404 and the central processing unit 401. The TCP traffic filtering system 400 further includes a basic input/output system (I/O system) 406 that helps transfer information between the devices in the computer, and a mass storage device 407 for storing an operating system 413, application programs 414 and other program modules 415.
The basic input/output system 406 includes a display 408 for displaying information and an input device 409, such as a mouse or keyboard, for user input. The display 408 and the input device 409 are both connected to the central processing unit 401 through an input/output controller 410 connected to the system bus 405. The basic input/output system 406 may also include the input/output controller 410 for receiving and processing input from a number of other devices such as a keyboard, mouse or electronic stylus. Similarly, the input/output controller 410 also provides output to a display screen, a printer or other types of output device.
The mass storage device 407 is connected to the central processing unit 401 through a mass storage controller (not shown) connected to the system bus 405. The mass storage device 407 and its associated computer-readable medium provide non-volatile storage for the TCP traffic filtering system 400. That is, the mass storage device 407 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM drive.
Without loss of generality, computer-readable media may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid-state storage technology, CD-ROM, DVD or other optical storage, tape cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that computer storage media are not limited to the above. The system memory 404 and the mass storage device 407 may be collectively referred to as memory.
According to various embodiments of the present invention, the TCP traffic filtering system 400 may also operate through a remote computer connected to a network such as the Internet. That is, the TCP traffic filtering system 400 may be connected to a network 412 through a network interface unit 411 connected to the system bus 405; in other words, the network interface unit 411 may also be used to connect to other types of network or remote computer system (not shown).
The memory further includes one or more programs, which are stored in the memory and configured to be executed by the CPU. By executing the one or more programs, the CPU 401 implements the TCP traffic filtering method shown in Fig. 3 or Fig. 4.
An embodiment of the present invention further provides a non-transitory computer-readable storage medium; when the instructions in the storage medium are executed by the processor of the TCP traffic filtering system, the TCP traffic filtering system is enabled to perform the TCP traffic filtering method provided by the embodiment shown in Fig. 3 or Fig. 4.
A computer program product including instructions is also provided which, when run on a computer, causes the computer to perform the TCP traffic filtering method provided by the embodiment shown in Fig. 3 or Fig. 4.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included in its scope of protection.
Claims (10)
1. A transmission control protocol traffic filtering method, characterized in that the method comprises:
when a server is under a CC (Challenge Collapsar) attack, determining, based on a source internet protocol address trust list of the server, trusted source internet protocol addresses and untrusted source internet protocol addresses among the source internet protocol addresses of the transmission control protocol messages sent to the server, a trusted source internet protocol address being a source internet protocol address in the source internet protocol address trust list and an untrusted source internet protocol address being a source internet protocol address not in the source internet protocol address trust list;
sending the transmission control protocol messages of the trusted source internet protocol addresses to the server;
using a synchronize sequence number message rate baseline, a transmission control protocol message length baseline and a transmission control protocol message rate baseline of the untrusted source internet protocol addresses to judge whether to intercept the transmission control protocol messages of the untrusted source internet protocol addresses.
2. The method according to claim 1, characterized in that judging whether to intercept the transmission control protocol messages of the untrusted source internet protocol address comprises:
judging whether the transmission rate of the synchronize sequence number messages of the untrusted source internet protocol address exceeds the synchronize sequence number message rate baseline;
when the transmission rate of the synchronize sequence number messages of the untrusted source internet protocol address exceeds the synchronize sequence number message rate baseline, intercepting the transmission control protocol messages of the untrusted source internet protocol address;
when the transmission rate of the synchronize sequence number messages of the untrusted source internet protocol address does not exceed the synchronize sequence number message rate baseline, judging whether there are messages among the transmission control protocol messages of the untrusted source internet protocol address whose message length exceeds the transmission control protocol message length baseline and whose rate exceeds the transmission control protocol message rate baseline; if there are messages whose message length exceeds the transmission control protocol message length baseline and whose rate exceeds the transmission control protocol message rate baseline, intercepting the transmission control protocol messages of the untrusted source internet protocol address, and if there are no messages whose message length exceeds the transmission control protocol message length baseline and whose rate exceeds the transmission control protocol message rate baseline, sending the transmission control protocol messages of the untrusted source internet protocol address to the server.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
learning from the transmission control protocol messages of the server to obtain the source internet protocol address trust list, the synchronize sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline;
saving the source internet protocol address trust list, the synchronize sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline.
4. The method according to claim 3, characterized in that learning from the transmission control protocol messages of the server to obtain the source internet protocol address trust list comprises:
recording the source internet protocol addresses of the transmission control protocol messages sent to the server;
deleting the source internet protocol addresses recorded while the server was under a CC attack;
selecting the source internet protocol addresses that appeared in at least M cycles out of N consecutive cycles to generate the source internet protocol address trust list, N and M being integers with N ≥ M > 1.
5. The method according to claim 3, characterized in that learning from the transmission control protocol messages of the server to obtain the synchronize sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline comprises:
acquiring the synchronize sequence number message rate, the transmission control protocol message length and the transmission control protocol message rate in the transmission control protocol messages of the server;
deleting the synchronize sequence number message rate, transmission control protocol message length and transmission control protocol message rate acquired while the server was under a CC attack;
periodically generating the synchronize sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline from the acquired synchronize sequence number message rate, transmission control protocol message length and transmission control protocol message rate.
6. The method according to claim 5, characterized in that periodically generating the synchronization sequence number message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline from the obtained synchronization sequence number message rate, transmission control protocol message length and transmission control protocol message rate comprises:
calculating the mean and the standard deviation of the synchronization sequence number message rate within the period, and adding X times the standard deviation to the mean of the synchronization sequence number message rate to obtain a first value; if the first value is less than or equal to a first rate threshold, using the first rate threshold as the synchronization sequence number message rate baseline, and if the first value is greater than the first rate threshold, using the first value as the synchronization sequence number message rate baseline, where X is greater than 1;
calculating the mean and the standard deviation of the transmission control protocol message length within the period, and adding Y times the standard deviation to the mean of the transmission control protocol message length to obtain a second value; if the second value is less than or equal to a message length threshold, using the message length threshold as the transmission control protocol message length baseline, and if the second value is greater than the message length threshold, using the second value as the transmission control protocol message length baseline, where Y is greater than 1;
calculating the mean and the standard deviation of the transmission control protocol message rate within the period, and adding Z times the standard deviation to the mean of the transmission control protocol message rate to obtain a third value; if the third value is less than or equal to a second rate threshold, using the second rate threshold as the transmission control protocol message rate baseline, and if the third value is greater than the second rate threshold, using the third value as the transmission control protocol message rate baseline, where Z is greater than 1.
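The baseline learning of claims 5 and 6 carried through on sample data, as an added example that is not the patent's own code. It assumes that each sample is one per-second measurement taken within a learning period, that samples taken while the server was under a Challenge Collapsar attack are deleted before the statistics are computed, that the population standard deviation is the one meant, and that the floor thresholds (first rate threshold, message length threshold, second rate threshold) and the multipliers X, Y, Z are operator-chosen; the measurements below are constructed.

```python
"""Learning the SYN rate, TCP message length and TCP message rate baselines
(claims 5 and 6).

Added example, not the patent's own code. Assumptions: each sample is one
per-second measurement taken during a learning period; samples taken while
the server was under a Challenge Collapsar (CC) attack are deleted before the
statistics are computed; the floor thresholds and the multipliers X, Y, Z are
operator-chosen; the population standard deviation is used. Sample data is
constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

# (SYN messages/s, TCP message length in bytes, TCP messages/s, under_attack)
Sample = Tuple[float, float, float, bool]

SAMPLES: List[Sample] = [
    (120.0, 540.0, 900.0, False),
    (130.0, 560.0, 950.0, False),
    (125.0, 520.0, 920.0, False),
    (9000.0, 60.0, 25000.0, True),  # taken during a CC attack: deleted
    (118.0, 555.0, 880.0, False),
    (135.0, 545.0, 960.0, False),
]


def baseline(values: Sequence[float], k: float, floor: float) -> float:
    """Claim 6 rule for one quantity: mean + k * stdev, unless that value is
    at or below the configured threshold, in which case the threshold is
    used. The floor keeps a quiet learning period from producing a baseline
    so low that ordinary bursts would be intercepted."""
    if k <= 1:
        raise ValueError("claim 6 requires the multiplier to be greater than 1")
    if not values:
        return floor  # nothing learned this period: fall back to the threshold
    learned = mean(values) + k * pstdev(values)
    return learned if learned > floor else floor


def learn_baselines(samples: Sequence[Sample], x: float, y: float, z: float,
                    syn_floor: float, len_floor: float, rate_floor: float) -> Dict[str, float]:
    """Claim 5 then claim 6: drop attack-time samples, then derive the three
    baselines for the period."""
    clean = [s for s in samples if not s[3]]
    return {
        "syn_rate": baseline([s[0] for s in clean], x, syn_floor),
        "tcp_len": baseline([s[1] for s in clean], y, len_floor),
        "tcp_rate": baseline([s[2] for s in clean], z, rate_floor),
    }


if __name__ == "__main__":
    print(learn_baselines(SAMPLES, 3.0, 3.0, 3.0,
                          syn_floor=200.0, len_floor=1500.0, rate_floor=500.0))
```

On this data the learned SYN value (about 144 messages/s) and length value (about 586 bytes) both fall below their floors, so the thresholds of 200 and 1500 become the baselines, while the learned TCP rate (about 1012 messages/s) exceeds its floor and is used as-is. If the attack-time sample were not deleted, the SYN baseline would jump above 11000 messages/s, which is the failure mode the deletion step in claim 5 exists to prevent.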
7. The method according to claim 1 or 2, characterized in that the method further comprises:
counting the number of new connections, the number of concurrent connections and the number of abnormal connections of the server per unit time;
when any one of the number of new connections, the number of concurrent connections and the number of abnormal connections of the server exceeds the corresponding safety threshold, determining that the server is under a Challenge Collapsar (CC) attack.
8. A transmission control protocol traffic filtering apparatus, characterized in that the apparatus comprises:
a judgment module, configured to, when the server is under a Challenge Collapsar (CC) attack, determine, based on the source internet protocol address trust list of the server, the trusted source internet protocol addresses and the untrusted source internet protocol addresses among the source internet protocol addresses of the transmission control protocol messages sent to the server, the trusted source internet protocol addresses being the source internet protocol addresses that are in the source internet protocol address trust list, and the untrusted source internet protocol addresses being the source internet protocol addresses that are not in the source internet protocol address trust list;
a filtering module, configured to send the transmission control protocol messages of the trusted source internet protocol addresses to the server, and to judge, using the synchronization sequence number (SYN) message rate baseline, the transmission control protocol message length baseline and the transmission control protocol message rate baseline of the untrusted source internet protocol addresses, whether to intercept the transmission control protocol messages of the untrusted source internet protocol addresses.
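The attack determination of claim 7 and the per-source filtering of claim 8, run together over one measurement window, as an added example that is not the patent's own code. The trust list and the three baselines are taken as already learned (constructed constants). Assumed here, because the claims do not fix them: the names of the per-unit-time counters, that an untrusted source is intercepted when its SYN rate, its TCP message rate or the length of any of its TCP messages exceeds the corresponding baseline, and that trusted sources are forwarded without that check.

```python
"""Deciding that the server is under a Challenge Collapsar (CC) attack
(claim 7) and filtering TCP messages by source during the attack (claim 8).

Added example, not the patent's own code. The trust list and the three
baselines are taken as already learned (constructed constants below).
Assumed: the counter names of the per-unit-time statistics; that an untrusted
source is intercepted when its SYN rate, its TCP message rate or the length
of any of its TCP messages exceeds the corresponding baseline; and that
trusted sources are forwarded without that check.
"""
from dataclasses import dataclass
from typing import Dict, Set

TRUST_LIST: Set[str] = {"10.0.0.1", "10.0.0.2"}                       # constructed
BASELINES: Dict[str, float] = {"syn_rate": 200.0, "tcp_len": 1500.0, "tcp_rate": 1000.0}
SAFETY: Dict[str, int] = {"new_conns": 5000, "concurrent": 20000, "abnormal": 500}


def under_attack(stats: Dict[str, int], safety: Dict[str, int] = SAFETY) -> bool:
    """Claim 7: new, concurrent and abnormal connection counts per unit time;
    any one above its safety threshold means the server is under a CC attack."""
    return any(stats[key] > safety[key] for key in ("new_conns", "concurrent", "abnormal"))


@dataclass(frozen=True)
class SourceWindow:
    """What was observed from one source IP over one measurement window."""
    syn_count: int    # SYN messages seen
    tcp_count: int    # all TCP messages seen
    max_len: int      # largest TCP message length seen, in bytes
    seconds: float    # window length


def decide(src_ip: str, win: SourceWindow, attack: bool,
           trust: Set[str] = TRUST_LIST, baselines: Dict[str, float] = BASELINES) -> str:
    """Claim 8 for one source: judgment module (trusted or not), then the
    filtering module's decision. Returns "forward" or "intercept"."""
    if not attack:
        return "forward"            # the filter is only engaged during an attack
    if src_ip in trust:
        return "forward"            # trusted source: sent straight to the server
    syn_rate = win.syn_count / win.seconds
    tcp_rate = win.tcp_count / win.seconds
    if (syn_rate > baselines["syn_rate"]
            or tcp_rate > baselines["tcp_rate"]
            or win.max_len > baselines["tcp_len"]):
        return "intercept"
    return "forward"


def filter_window(stats: Dict[str, int], windows: Dict[str, SourceWindow]) -> Dict[str, str]:
    """Run claim 7 on the server-wide counters, then claim 8 per source."""
    attack = under_attack(stats)
    return {ip: decide(ip, win, attack) for ip, win in windows.items()}


# Constructed sample: one 10 s window, per source.
WINDOWS: Dict[str, SourceWindow] = {
    "10.0.0.1":     SourceWindow(syn_count=5000, tcp_count=20000, max_len=1400, seconds=10.0),
    "203.0.113.5":  SourceWindow(syn_count=4000, tcp_count=4500,  max_len=60,   seconds=10.0),
    "198.51.100.9": SourceWindow(syn_count=20,   tcp_count=3000,  max_len=1200, seconds=10.0),
    "192.0.2.7":    SourceWindow(syn_count=5,    tcp_count=100,   max_len=9000, seconds=10.0),
}
CALM_STATS = {"new_conns": 800, "concurrent": 4000, "abnormal": 10}
ATTACK_STATS = {"new_conns": 800, "concurrent": 4000, "abnormal": 900}  # abnormal > 500

if __name__ == "__main__":
    print(filter_window(ATTACK_STATS, WINDOWS))
```

Note the trade-off the claims encode: 10.0.0.1 sends 500 SYN/s, well above the 200/s baseline, yet is forwarded because it is on the trust list, while 192.0.2.7 is intercepted on message length alone despite a negligible rate. The trust list therefore needs the attack-period exclusion of claim 4; a source that earned trust during an attack would bypass every baseline check.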
9. A server, characterized in that the server comprises a processor and a memory, the memory storing at least one instruction, and the instruction being loaded and executed by the processor to implement the transmission control protocol traffic filtering method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that at least one instruction is stored in the storage medium, and the instruction is loaded and executed by a processor to implement the transmission control protocol traffic filtering method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810685411.7A CN108810008B (en) | 2018-06-28 | 2018-06-28 | Transmission control protocol flow filtering method, device, server and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810685411.7A CN108810008B (en) | 2018-06-28 | 2018-06-28 | Transmission control protocol flow filtering method, device, server and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108810008A true CN108810008A (en) | 2018-11-13 |
CN108810008B CN108810008B (en) | 2020-06-30 |
Family
ID=64071322
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810685411.7A Active CN108810008B (en) | 2018-06-28 | 2018-06-28 | Transmission control protocol flow filtering method, device, server and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108810008B (en) |
2018
- 2018-06-28 CN CN201810685411.7A patent/CN108810008B/en active Active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101136917A (en) * | 2007-07-12 | 2008-03-05 | 中兴通讯股份有限公司 | Transmission control protocol blocking module and soft switch method |
CN101478387A (en) * | 2008-12-31 | 2009-07-08 | 成都市华为赛门铁克科技有限公司 | Defense method, apparatus and system for hyper text transmission protocol attack |
CN101594269A (en) * | 2009-06-29 | 2009-12-02 | 成都市华为赛门铁克科技有限公司 | A kind of detection method of unusual connection, device and gateway device |
US20130055349A1 (en) * | 2011-08-24 | 2013-02-28 | Electronics And Telecommunications Research Institute | Method and apparatus for releasing tcp connections in defense against distributed denial of service attacks |
CN103001958A (en) * | 2012-11-27 | 2013-03-27 | 北京百度网讯科技有限公司 | Exception transmission control protocol (TCP) message processing method and device |
CN104113559A (en) * | 2014-08-13 | 2014-10-22 | 浪潮电子信息产业股份有限公司 | Method for resisting tcp full-link attack |
CN105991632A (en) * | 2015-04-20 | 2016-10-05 | 杭州迪普科技有限公司 | Network security protection method and device |
CN105119942A (en) * | 2015-09-16 | 2015-12-02 | 广东睿江科技有限公司 | Flood attack detection method |
CN107104929A (en) * | 2016-02-23 | 2017-08-29 | 阿里巴巴集团控股有限公司 | The methods, devices and systems of defending against network attacks |
CN106357685A (en) * | 2016-10-28 | 2017-01-25 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for defending distributed denial of service attack |
CN106790310A (en) * | 2017-03-31 | 2017-05-31 | 网宿科技股份有限公司 | Distributed denial of service attack protects the method and system integrated with load balancing |
Non-Patent Citations (1)
Title |
---|
廖鹏: "基于异常特征的DDoS检测模型", 《经济发展方式转变与自主创新——第十二届中国科学技术协会年会》 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110661722A (en) * | 2019-09-09 | 2020-01-07 | 新华三信息安全技术有限公司 | Flow control method and device |
CN110661722B (en) * | 2019-09-09 | 2022-07-22 | 新华三信息安全技术有限公司 | Flow control method and device |
CN113132331A (en) * | 2019-12-31 | 2021-07-16 | 奇安信科技集团股份有限公司 | Abnormal message detection method, device, electronic equipment and medium |
CN113452647A (en) * | 2020-03-24 | 2021-09-28 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
CN113452647B (en) * | 2020-03-24 | 2022-11-29 | 百度在线网络技术(北京)有限公司 | Feature identification method, feature identification device, electronic equipment and computer-readable storage medium |
TWI768462B (en) * | 2020-09-09 | 2022-06-21 | 中華電信股份有限公司 | Method and electronic device for detecting abnormal connection behavior of terminal emulator |
Also Published As
Publication number | Publication date |
---|---|
CN108810008B (en) | 2020-06-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108040057B (en) | Working method of SDN system suitable for guaranteeing network security and network communication quality | |
US7768921B2 (en) | Identification of potential network threats using a distributed threshold random walk | |
US7958549B2 (en) | Attack defending system and attack defending method | |
US6487666B1 (en) | Intrusion detection signature analysis using regular expressions and logical operators | |
US6973040B1 (en) | Method of maintaining lists of network characteristics | |
US7870611B2 (en) | System method and apparatus for service attack detection on a network | |
CN108810008A (en) | Transmission control protocol traffic filtering method, apparatus, server and storage medium | |
CN108737447B (en) | User datagram protocol flow filtering method, device, server and storage medium | |
CN109005175A (en) | Network protection method, apparatus, server and storage medium | |
RU2480937C2 (en) | System and method of reducing false responses when detecting network attack | |
JP4774307B2 (en) | Unauthorized access monitoring device and packet relay device | |
US20130298220A1 (en) | System and method for managing filtering information of attack traffic | |
JP2007521718A (en) | System and method for protecting network quality of service against security breach detection | |
CN108156079B (en) | Data packet forwarding system and method based on cloud service platform | |
US11811820B2 (en) | Malicious C and C channel to fixed IP detection | |
US8006303B1 (en) | System, method and program product for intrusion protection of a network | |
Yao et al. | VASE: Filtering IP spoofing traffic with agility | |
JP2007325293A (en) | System and method for attack detection | |
JP2006067605A (en) | Attack detecting system and attack detecting method | |
CN113259387B (en) | Method for preventing honeypot from being controlled to jump board machine based on virtual exchange | |
CN112350939B (en) | Bypass blocking method, system, device, computer equipment and storage medium | |
JP3822588B2 (en) | Unauthorized access detection device, unauthorized access detection method, and management terminal | |
Khirwadkar | Defense against network attacks using game theory | |
Cisco | Working With Sensor Signatures | |
Cisco | Working with Sensor Signatures |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||